From j2 at mupp.net Sat Nov 1 00:16:48 2008
From: j2 at mupp.net (Jan Johansson)
Date: Sat Nov 1 00:18:40 2008
Subject: New quarantain ot being created.
Message-ID: <9CB5A76200029E439A44D2E52901D6A4174417@waldorf.Muppnet.local>

Hello!

I upgraded from 4.63.8-1 to 4.71.10-1 on a system running MailWatch 1.0.4.

After the upgrade, MailScanner failed because I had not copied the MailWatch functions. So, I did this:

cp /opt/MailScanner-4.63.8-1/lib/MailScanner/CustomFunctions/MailWatch.pm MailScanner-4.71.10-1/lib/MailScanner/CustomFunctions/
cp /opt/MailScanner-4.63.8-1/lib/MailScanner/CustomFunctions/SQLBlackWhiteList.pm MailScanner-4.71.10-1/lib/MailScanner/CustomFunctions/

But now the "today" quarantine dir is not being created, and MailScanner fails.

If I manually create the quarantine directory, everything works.

What might I have forgotten to do here?

--
This message has been checked for viruses and harmful content by MailScanner and is believed to be safe.

From simon at kmun.gov.kw Sat Nov 1 07:07:29 2008
From: simon at kmun.gov.kw (Benedict simon)
Date: Sat Nov 1 07:02:32 2008
Subject: help required in upgrading MS---thnksss
In-Reply-To:
References: <1388.91.198.134.226.1225476769.squirrel@webmail.baladia.gov.kw> <1553.91.198.134.226.1225479790.squirrel@webmail.baladia.gov.kw>
Message-ID: <1389.91.198.134.226.1225523249.squirrel@webmail.baladia.gov.kw>

> on 10-31-2008 12:03 PM Benedict simon spake the following:
>>> on 10-31-2008 11:12 AM Benedict simon spake the following:
>>>> Dear All,
>>>>
>>>> I have the following setup running fine for about a year or so on a
>>>> single server.
>>>>
>>>> Centos 5 (final)
>>>> DNS bind-9.3.4-6.0.2.P1.el5_2 as my DNS server
>>>> sendmail-8.13.8-2.el5 as my mail server
>>>> MailScanner ver 4.66.5
>>>> jules easy package Clam-0.92-SA-3.2.4
>>>> pyzor-0.4.0
>>>> razor-agents-2.84
>>>> mailwatch-1.0.4
>>>> httpd-2.2.3-11.el5_1
>>>>
>>>> all the above is working fine.
>>>>
>>>> now i would like to upgrade to the latest MS stable version and also
>>>> the stable clamav 0.94 and SA 3.2.5 package
>>>>
>>>> since this is live server i would highly appreciate if could get some
>>>> advice n steps about upgrading the MS version to the latest stable
>>>> version and also the other required packages
>>>>
>>>> i have gone through the wiki n upgrade instructions but was still a
>>>> little confused
>>>>
>>>> would really appreciate your help
>>>>
>>>> MS was installed from tar.gz package
>>>>
>>>> regards
>>>>
>>>> simon
>>>>
>>> If the machine can be offline for about 10 minutes it is easy.
>>>
>>> stop mailscanner. If you don't have a backup MX you can start incoming
>>> (service MailScanner startin)
>>>
>>> Back up current if you want (there is a script available on the wiki
>>> http://wiki.mailscanner.info/doku.php?id=maq:index#upgrade_rpm )
>>>
>>> Unpack and install clam-sa package
>>> unpack and install MailScanner package
>>>
>>> service MailScanner restart
>>>
>>> tail maillog to see if everything is working
>>>
>>> Pat self on back and get cup of coffee.
>>>
>> Thanks Scott,
>>
>> really appreciate your immediate quick reply
>> by the way i can get the Mail Server down even for 30 min or so ....
>> simon smiles
>>
>> also i do have a secondary mail server
>>
>> jus wanna know about the pyzor n razor utilities .. can i jus upgrade
>> them as per install docs??
>> any changes need to be done in mailwatch
>>
>> thanks once again
>>
>> regards
>>
>> simon
> I hadn't noticed that pyzor or Razor had an update. But you should be able
> to upgrade them at the same time. If you are installing them where they
> haven't been before, then you do have to enable them in spamassassin.
>
> When you install Julian's clam-sa package, I do believe it tells you what
> you have to do at the end of the install script.
>

Dear Scott,

Thanks and appreciate once again.. u right .. jules clam-sa package does tell u at the end.. jus slipped off my mind

appreciate ur quick reply

regards

simon

> --
> MailScanner is like deodorant...
> You hope everybody uses it, and
> you notice quickly if they don't!!!!
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

--
Network ADMIN
-------------
KUWAIT MUNICIPALITY:

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From MailScanner at ecs.soton.ac.uk Sat Nov 1 19:10:50 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Nov 1 19:11:13 2008
Subject: MailScanner ANNOUNCE: 4.72 released
Message-ID: <490CA9BA.9010904@ecs.soton.ac.uk>

Hi folks!

I have just released the latest stable release, 4.72.

The main new improvements and changes are:
- Added support for ClamAV 0.94. You *must* upgrade to ClamAV 0.94 at least if you are going to use this release of MailScanner and are already using ClamAV.
- Filename and filetype check are now done before virus scanning.
- Several improvements to the installer.

Download it as usual from
www.mailscanner.info

The full Change Log is this:

* New Features and Improvements *
1 Added support for ClamAV 0.94. Note that this has necessitated removal of complete support for earlier versions of ClamAV as the command-line settings are incompatible. So only use this version if you have upgraded to the latest ClamAV 0.94.
2 The "Found to be clean" header will not be added to the message at all if the relevant configuration setting is blank in MailScanner.conf.
2 Filename and filetype checks are now done before virus scanning. This means that you can use the "deny+delete" type of filename or filetype rule to selectively delete files that will choke your buggy virus scanner.
4 "install.sh" now logs all output to "install.log".
4 The RPM and SuSE versions of "install.sh" now have a "reinstall" command-line option which will make it attempt to remove the Perl RPMs before it installs them, in case you have changed your Perl version enough that the previous Perl modules were not being found by your new setup. Very handy for Fedora upgraders, among others.
4 Improvements to the "reinstall" command-line switch so it removes all the old versions first, before it starts installing anything new.
4 Updated MIME-tools to version 5.427.
4 Minor improvement to phishing net.
4 Added check to --lint for sufficiently correct /tmp permissions.
5 Remove dsbl.org blacklist from spam.lists.conf.
5 Added more comments to the "Remove These Headers" documentation. The suggested list of headers to remove is now all of these:
  Disposition-Notification-To Return-Receipt-To X-Confirm-Reading-To
  Disposition-Notification-To Receipt-Requested-To Confirm-Reading-To
  MDRcpt-To MDSend-Notifications-To Smtp-Rcpt-To Return-Receipt-To
  Read-Receipt-To X-Confirm-Reading-To X-Acknowledge-To
  Delivery-Receipt-To X-PMrqc Errors-To X-IMAPBase X-IMAP X-UID Status
  X-Status X-UIDL X-Keywords X-Mozilla-Status X-Mozilla-Status2

* Fixes *
1 Changed logging of clamd so that it reports the virus scanner name correctly.
2 Removed debug code from OLE unpacking code.
3 Fixed log handling bug in filename rules matching code, thanks to Derek Chee.
4 Fixed bug where whole message body was deleted if a file nested within 2 zip files failed filename tests.
4 Fixed reporting bug in 'service MailScanner status' where it would produce an error instead of saying the incoming sendmail process was working fine.
4 Fixed a parsing bug in the "Avast" scanner support.
4 Minor change to error message when /tmp has wrong permissions.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

From hvdkooij at vanderkooij.org Sat Nov 1 22:22:01 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sat Nov 1 22:22:16 2008
Subject: MailScanner ANNOUNCE: 4.72 released
In-Reply-To: <490CA9BA.9010904@ecs.soton.ac.uk>
References: <490CA9BA.9010904@ecs.soton.ac.uk>
Message-ID: <490CD689.7060804@vanderkooij.org>

Julian Field wrote:
> Hi folks!
>
> I have just released the latest stable release, 4.72.

Yum repository is updated now as well.

> 1 Added support for ClamAV 0.94. Note that this has necessitated removal of
> complete support for earlier versions of ClamAV as the command-line
> settings are incompatible. So only use this version if you have upgraded
> to the latest ClamAV 0.94.

I have not worked this into a requirement of the package. I may handle this later if I can find the right answer.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

From rob at kettle.org.uk Sun Nov 2 18:16:04 2008
From: rob at kettle.org.uk (Rob Kettle)
Date: Sun Nov 2 18:16:19 2008
Subject: Ruleset Help
Message-ID: <490DEE64.6080501@kettle.org.uk>

Hi,

is it possible to use a 'not' condition in a rule ?

ie.
To: bill@mydomain.com and NOT From: fred@bloggs.com deliver

could not find this sort of thing elsewhere but apologies if it's there and I've missed it.

thanks
Rob

From MailScanner at ecs.soton.ac.uk Sun Nov 2 20:07:34 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Nov 2 20:07:56 2008
Subject: Ruleset Help
In-Reply-To: <490DEE64.6080501@kettle.org.uk>
References: <490DEE64.6080501@kettle.org.uk>
Message-ID: <490E0886.90707@ecs.soton.ac.uk>

No there isn't, sorry. But you can do this:

To: bill@mydomain.com and From: fred@bloggs.com delete
To: bill@mydomain.com deliver

which can be used to achieve the same thing.

Rob Kettle wrote:
> Hi,
>
> is it possible to use a 'not' condition in a rule ?
>
> ie.
> To: bill@mydomain.com and NOT From: fred@bloggs.com deliver
>
> could not find this sort of thing elsewhere but apologies if it's
> there and I've missed it.
>
> thanks
> Rob
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

For all your IT requirements visit www.transtec.co.uk

From kate at rheel.co.nz Sun Nov 2 20:34:24 2008
From: kate at rheel.co.nz (Kate Kleinschafer)
Date: Sun Nov 2 20:33:03 2008
Subject: New quarantain ot being created.
In-Reply-To: <9CB5A76200029E439A44D2E52901D6A4174417@waldorf.Muppnet.local>
References: <9CB5A76200029E439A44D2E52901D6A4174417@waldorf.Muppnet.local>
Message-ID: <490E0ED0.7010704@rheel.co.nz>

Jan Johansson wrote:
> Hello!
>
> I upgraded from 4.63.8-1 to 4.71.10-1 on a system running MailWatch
> 1.0.4
>
> After the upgrade, MailScanner failed because I had not copied the
> MailWatch functions. So, I did this:
>
> cp /opt/MailScanner-4.63.8-1/lib/MailScanner/CustomFunctions/MailWatch.pm MailScanner-4.71.10-1/lib/MailScanner/CustomFunctions/
> cp /opt/MailScanner-4.63.8-1/lib/MailScanner/CustomFunctions/SQLBlackWhiteList.pm MailScanner-4.71.10-1/lib/MailScanner/CustomFunctions/
>
> But now the "today" quarantine dir is not being created, and
> MailScanner fails.
>
> If I manually create the quarantine directory, everything works.
>
> What might I have forgotten to do here?
>

When I had this problem it was because of incorrect permissions on the parent quarantine directory.

Kate

From rob at kettle.org.uk Sun Nov 2 22:04:46 2008
From: rob at kettle.org.uk (Rob Kettle)
Date: Sun Nov 2 22:05:14 2008
Subject: Ruleset Help
In-Reply-To: <490E0886.90707@ecs.soton.ac.uk>
References: <490DEE64.6080501@kettle.org.uk> <490E0886.90707@ecs.soton.ac.uk>
Message-ID: <490E23FE.2030202@kettle.org.uk>

Thanks Julian.

I think I'm on the right track now. Just wasn't thinking beyond my first approach.

Rob

Julian Field wrote:
> No there isn't, sorry. But you can do this:
> To: bill@mydomain.com and From: fred@bloggs.com delete
> To: bill@mydomain.com deliver
> which can be used to achieve the same thing.
>
> Rob Kettle wrote:
>> Hi,
>>
>> is it possible to use a 'not' condition in a rule ?
>>
>> ie.
>> To: bill@mydomain.com and NOT From: fred@bloggs.com deliver
>>
>> could not find this sort of thing elsewhere but apologies if it's
>> there and I've missed it.
>>
>> thanks
>> Rob
>>
>
> Jules
>

From j2 at mupp.net Sun Nov 2 22:58:13 2008
From: j2 at mupp.net (Jan Johansson)
Date: Sun Nov 2 22:58:50 2008
Subject: New quarantain ot being created.
In-Reply-To: <490E0ED0.7010704@rheel.co.nz>
References: <9CB5A76200029E439A44D2E52901D6A4174417@waldorf.Muppnet.local> <490E0ED0.7010704@rheel.co.nz>
Message-ID: <9CB5A76200029E439A44D2E52901D6A4174419@waldorf.Muppnet.local>

>
>When I had this problem it was because of incorrect permissions on the
>parent quarantine directory.

So, if I am looking in the config file, I see:

Run As User = postfix
Run As Group = postfix
Quarantine User = root
Quarantine Group = www-data

And I see:

drwxr-xr-x 37 root www-data 4096 2008-11-01 01:13 quarantine

These are the same settings as before the upgrade.

From Daniel.Flensburg at iris.se Mon Nov 3 07:45:28 2008
From: Daniel.Flensburg at iris.se (Daniel Flensburg)
Date: Mon Nov 3 07:48:30 2008
Subject: SV: New quarantain ot being created.
In-Reply-To: <9CB5A76200029E439A44D2E52901D6A4174419@waldorf.Muppnet.local>
References: <9CB5A76200029E439A44D2E52901D6A4174417@waldorf.Muppnet.local><490E0ED0.7010704@rheel.co.nz> <9CB5A76200029E439A44D2E52901D6A4174419@waldorf.Muppnet.local>
Message-ID: <3DF8101092666E4A9020D949E419EB6F02AD6F01@ensms02.iris.se>

I had the same problem after a recent upgrade and changed the permission to these settings:

drwxrwx--- 17 root www-data 4096 2008-11-03 00:01 quarantine

I think you need to run this command:

chmod g+w quarantine

It worked for me.

/Daniel

-----Original message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On behalf of Jan Johansson
Sent: 2 November 2008 23:58
To: MailScanner discussion
Subject: RE: New quarantain ot being created.

>
>When I had this problem it was because of incorrect permissions on the
>parent quarantine directory.

So, if I am looking in the config file, I see:

Run As User = postfix
Run As Group = postfix
Quarantine User = root
Quarantine Group = www-data

And I see:

drwxr-xr-x 37 root www-data 4096 2008-11-01 01:13 quarantine

These are the same settings as before the upgrade.

From doc at maddoc.net Mon Nov 3 19:29:49 2008
From: doc at maddoc.net (Doc Schneider)
Date: Mon Nov 3 19:30:11 2008
Subject: Clamav 0.94.1 released
Message-ID: <490F512D.60900@maddoc.net>

So Jules can add this to his CLAM-SA tarball.

--
-Doc
Lincoln, NE.
http://www.fsl.com/
http://www.genealogyforyou.com/
http://www.cairnproductions.com/

From ssilva at sgvwater.com Mon Nov 3 21:35:52 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Nov 3 21:38:12 2008
Subject: MailScanner ANNOUNCE: 4.72 released
In-Reply-To: <490CA9B7.5050706@ecs.soton.ac.uk>
References: <490CA9B7.5050706@ecs.soton.ac.uk>
Message-ID:

on 11-1-2008 12:10 PM Julian Field spake the following:
> Hi folks!
>
> I have just released the latest stable release, 4.72.
>
> The main new improvements and changes are:
> - Added support for ClamAV 0.94. You *must* upgrade to ClamAV 0.94 at
> least if you are going to use this release of MailScanner and are
> already using ClamAV.
> - Filename and filetype check are now done before virus scanning.
> - Several improvements to the installer.
>
> Download it as usual from
> www.mailscanner.info
>
> The full Change Log is this:
>
> * New Features and Improvements *
> 1 Added support for ClamAV 0.94. Note that this has necessitated removal of
> complete support for earlier versions of ClamAV as the command-line
> settings are incompatible. So only use this version if you have upgraded
> to the latest ClamAV 0.94.

Just in time for ClamAV 0.94.1 ;-P

It just never ends!

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From jim.barber at ddihealth.com Tue Nov 4 02:27:20 2008
From: jim.barber at ddihealth.com (Jim Barber)
Date: Tue Nov 4 02:27:38 2008
Subject: Sendmail Queue Groups.
Message-ID: <490FB308.8090802@ddihealth.com>

Hi all.

I've successfully been using MailScanner with Exim.
Now I am setting up a box that uses Sendmail.

The Sendmail configuration uses queue groups.
The relevant entries from the sendmail.mc file for this are:

define(`QUEUE_DIR', `/var/spool/mqueue/main*')dnl
QUEUE_GROUP(`mqueue', `Path=/var/spool/mqueue/incoming, Runners=0')dnl
QUEUE_GROUP(`main', `Path=/var/spool/mqueue/main, Flags=f')dnl
QUEUE_GROUP(`hourly', `Path=/var/spool/mqueue/hourly, Flags=f, Interval=1h')dnl

Note the asterisk on the end of the QUEUE_DIR name.
It specifies that the /var/spool/mqueue/ directory will be the base directory for all the queue groups.
Without the asterisk, Sendmail will expect all queue groups to be under /var/spool/mqueue/main/ instead.

The default mqueue queue group has been overridden to place emails into an incoming directory.
It has no queue runners to try to pick up messages from this queue and deliver them.
MailScanner is configured to do the processing of the incoming queue.

The main queue group is where MailScanner will place good messages.
Sendmail is configured with queue runners to check this queue every minute.

The hourly queue is for jobs that will only attempt to be delivered every hour.
A qtool.pl cronjob will move jobs into the hourly queue that have been sitting in the main queue for too long.

The MTA part of Sendmail is invoked with the following command line options:

-OPrivacyOptions=noetrn -ODeliveryMode=queueonly

The DeliveryMode=queueonly will force the MTA not to attempt an immediate delivery of an incoming message.

Queue runners are started for the main and hourly queues.

The relevant MailScanner.conf configuration entries are:

Incoming Queue Dir = /var/spool/mqueue/incoming
Outgoing Queue Dir = /var/spool/mqueue/main
MTA = sendmail

The Sendmail2 variable has been commented out completely.

When MailScanner has processed a message it moves it to the /var/spool/mqueue/main/ directory.
Then it calls the KickMessage subroutine in the Sendmail.pm perl module.
This has the following line of code:

$args = " -OQueueDirectory=$queue " if $queue;

I think KickMessage calls sendmail to attempt an immediate delivery after placing a job on the queue.
This is so that the message doesn't have to wait for a queue runner to process it.
As part of that it needs to tell Sendmail where the message is located.

The problem with the configuration above is that it causes the following errors to be output by Sendmail:

sendmail[2493]: NOQUEUE: SYSERR(root): QueuePath /var/spool/mqueue/incoming not subpath of QueueDirectory /var/spool/mqueue/main/
sendmail[2493]: NOQUEUE: SYSERR(root): QueuePath /var/spool/mqueue/hourly not subpath of QueueDirectory /var/spool/mqueue/main/: No such file or directory

And the immediate delivery attempt doesn't happen.
But the mail does get picked up by the queue runners up to a minute later so it isn't the end of the world.

If I change the following in MailScanner.conf:

Outgoing Queue Dir = /var/spool/mqueue/main

to:

Outgoing Queue Dir = /var/spool/mqueue/main*

Then I suspect Sendmail will be happy.
But MailScanner isn't happy with that.
If I try it, I'll see messages like the following when I start MailScanner:

Could not read directory /var/spool/mqueue/main* at /usr/share/MailScanner//MailScanner/Config.pm line 2488
Error in configuration file line 159, directory /var/spool/mqueue/main* for outqueuedir does not exist (or is not readable) at /usr/share/MailScanner//MailScanner/Config.pm line 2812

If I comment out the code in the Sendmail.pm file, then I get rid of the errors.
But I'm not sure if the immediate delivery attempt happens if I do that.

I could also butcher the code to say:

$args = " -OQueueDirectory=/var/spool/mqueue/main* ";

But that's pretty evil.

Is there a good way to get MailScanner to play nicely with queue groups set up like this?
Perhaps this could be a feature request to allow the * in the Outgoing Queue Dir setting and handle it accordingly?

Regards,

--
----------
Jim Barber
DDI Health

From blaat0001 at gmail.com Tue Nov 4 09:11:08 2008
From: blaat0001 at gmail.com (BlaaT 0001)
Date: Tue Nov 4 09:11:17 2008
Subject: Watermarking not working
In-Reply-To:
References: <254612fc0810310239q599fdcf1n1d9610ed3d1e7775@mail.gmail.com>
Message-ID: <254612fc0811040111q16b63f22qa61001dbf3b7594b@mail.gmail.com>

On Fri, Oct 31, 2008 at 6:49 PM, Scott Silva wrote:
>
> on 10-31-2008 2:39 AM BlaaT 0001 spake the following:
> > Hello all,
> >
> > I'm still having problems using watermarking. My MailScanner settings
> > related to watermarking are:
> >
> > Use Watermarking = yes
> > Add Watermark = %rules-dir%/add.watermark.rules
> > Check Watermarks With No Sender = %rules-dir%/check.watermarks.with.no.sender.rules
> > Treat Invalid Watermarks With No Sender as Spam = 20
> > Check Watermarks To Skip Spam Checks = no
> > Watermark Secret = ***************
> > Watermark Lifetime = 604800
> > Watermark Header = X-%org-name%-WM:
> >
>
> Why don't you try on ALL of your machines ;
>
> Watermark Header = X-Your-org-name-WM:
> ^^^^^^ hard coded orgname
> instead of letting it expand from %org-name%
> Maybe a slight difference in systems encoding is munging the orgname part of
> the watermark.
>
>
> --

I've tried your suggestion but without any success. Every bounce email is still marked and shows up in the logs with: Message 4F55XXXX44F.62F03 had bad watermark, added XX to spam score; and: "(no watermark or sender address)".

Is there anything else I can try?

Thanks.

From jim.barber at ddihealth.com Tue Nov 4 10:38:55 2008
From: jim.barber at ddihealth.com (Jim Barber)
Date: Tue Nov 4 10:39:11 2008
Subject: Sendmail Queue Groups.
In-Reply-To: <490FB308.8090802@ddihealth.com>
References: <490FB308.8090802@ddihealth.com>
Message-ID: <4910263F.4060509@ddihealth.com>

Well I seem to have a workaround...

I now have the following in my sendmail.mc file:

define(`QUEUE_DIR', `/var/spool/mqueue')dnl
QUEUE_GROUP(`mqueue', `Path=/var/spool/mqueue/incoming, Runners=0')dnl
QUEUE_GROUP(`main', `Path=/var/spool/mqueue, Flags=f')dnl
QUEUE_GROUP(`hourly', `Path=/var/spool/mqueue/hourly, Flags=f, Interval=1h')dnl

So now emails still come into the incoming queue.
But when processed, rather than dropping them into a main/ directory at the same level as all the other queues, they are put into the parent directory.

In MailScanner.conf I now have:

Incoming Queue Dir = /var/spool/mqueue/incoming
Outgoing Queue Dir = /var/spool/mqueue

Obviously I also had to adjust my queue aging job to search for files in /var/spool/mqueue and move them to the hourly/ directory.

It would have been nice if I could have had the other directory structure though since it leads to a cleaner separation.

Regards,

----------
Jim Barber
DDI Health

From sandrews at andrewscompanies.com Tue Nov 4 13:58:06 2008
From: sandrews at andrewscompanies.com (Steven Andrews)
Date: Tue Nov 4 13:58:19 2008
Subject: sendmail to exchange w/ldap problem slightly OT
Message-ID: <1964AAFBC212F742958F9275BF63DBB0907711@winchester.andrewscompanies.com>

I've been using a hunk of code to have MS/Sendmail query exchange 2000/2003 boxes for some time with no problems. Today, I'm setting up a nice little dell R200 and so I had to use Centos4.7 over my default 4.3 to get sata support. Any help, much appreciated...

When I run the code, I get this silliness:

[root@spamfilter mail]# ./sendmail-ldap.sh
Name "main::EMAILS" used only once: possible typo at ./sendmail-ldap.sh line 57, line 275.
Name "main::DOMAINS" used only once: possible typo at ./sendmail-ldap.sh line 60, line 275.
starting ./sendmail-ldap.sh at Tue Nov 4 08:55:00 EST 2008
Undefined subroutine &main::extract_emails called at ./sendmail-ldap.sh line 51, line 466.
[root@spamfilter mail]#

Code here:

#!/usr/bin/perl -w

use strict;
use Net::LDAP;

print "starting $0 at ", `date`;

my $debug = 0;
my %mails = ();
my $hostname = `hostname -f`;
chomp $hostname;
my %domains = ($hostname => 1);
my $dir = "/etc/mail";
my $emails_file = "$dir/temp-emails";
my $domains_file = "$dir/temp-domains";
my $access_file = "$dir/access";
my @prefixes = ("postmaster", "abuse", "root");
my @servers = ( "mail.boogidy.com" );

sub extract_emails($);

my $ldap = undef;
my $mesg = undef;

for my $server (@servers) {
    print STDERR "Connecting to server $server...\n" if $debug;
    $ldap = Net::LDAP->new( $server ) and last;
}
$ldap or die "Unable to connect to any LDAP servers.";

print STDERR "Binding...\n" if $debug;
$mesg = $ldap->bind( dn => 'BOOGIDY\Administrator', password => 'redacted' )
    or die "Could not bind LDAP: $@";
$mesg->code and die $mesg->error;

print STDERR "Searching...\n" if $debug;
$mesg = $ldap->search(
    base => "dc=boogidy,dc=local",
    filter => "(|(objectClass=publicFolder)(&(sAMAccountName=*)(mail=*)))"
);
print STDERR "Checking code...\n" if $debug;
$mesg->code and die $mesg->error;
extract_emails($mesg);

print STDERR "Unbinding...\n" if $debug;
$mesg = $ldap->unbind; # take down session

open EMAILS, "> $emails_file" or die("Could not open > $emails_file\n$!");
open DOMAINS, "> $domains_file" or die("Could not open > $domains_file\n$!");
open ACCESS, "> $access_file" or die("Could not open > $access_file\n$!");

print ACCESS << "END";
##############################################################
#
# This access database is generated by $0
#
# This is regenerated by a cron job
# Any change you make will be wiped out!
#
##############################################################
# Check the /usr/share/doc/sendmail/README.cf file for a description
# of the format of this file. (search for access_db in that file)
# The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
# package.
#
# by default we allow relaying from localhost...
Connect:localhost RELAY
Connect:127.0.0.1 RELAY
GreetPause:127.0.0.1 0
ClientConn:127.0.0.1 0
ClientConn: 10
END

Steven R. Andrews, President
Andrews Companies Incorporated
Small Business Information Technology Consultants
sandrews@andrewscompanies.com
Phone: 317.536.1807

"If your only tool is a hammer, every problem looks like a nail."

From martinh at solidstatelogic.com Tue Nov 4 14:13:06 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Tue Nov 4 14:13:18 2008
Subject: sendmail to exchange w/ldap problem slightly OT
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB0907711@winchester.andrewscompanies.com>
Message-ID: <1f49673ffdce0f41a8c24d1eeaaacdda@solidstatelogic.com>

Stephen

what were you trying to achieve here?

If you want to know if the end email address exists before accepting the email in the incoming sendmail then sendmail Sender Address Verification (http://smfs.sourceforge.net/smf-sav.html) will do this for you..

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300
We advise that you consider this fact when e-mailing us.
Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free.

Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales (Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom
**********************************************************************

From sandrews at andrewscompanies.com Tue Nov 4 14:28:41 2008
From: sandrews at andrewscompanies.com (Steven Andrews)
Date: Tue Nov 4 14:28:52 2008
Subject: sendmail to exchange w/ldap problem slightly OT
In-Reply-To: <1f49673ffdce0f41a8c24d1eeaaacdda@solidstatelogic.com>
References: <1964AAFBC212F742958F9275BF63DBB0907711@winchester.andrewscompanies.com> <1f49673ffdce0f41a8c24d1eeaaacdda@solidstatelogic.com>
Message-ID: <1964AAFBC212F742958F9275BF63DBB0907712@winchester.andrewscompanies.com>

I've seen that but haven't played with it. The implementation I've used quite a number of times, but seemingly doesn't want to play ball on centos 4.7 (probably a perl thing, but I'm a perl-idiot), works well for us. I like it because it doesn't talk to the exchange box very often so if for whatever reason it can't nothing bounces except addresses that may have changed on the exchange side since that last time they talked.

It appears that it's complaining about the declaration and/or use of the variables, but I didn't write the code in the first place and couldn't perl myself out of a paper bag so I'm a little stuck as to why it's kosher on 4.3 but fails on 4.7.

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Martin.Hepworth
Sent: Tuesday, November 04, 2008 9:13 AM
To: MailScanner discussion
Subject: RE: sendmail to exchange w/ldap problem slightly OT

Stephen what are you trying to achieve here?

If you want to know if the end email address exists before accepting the email in the incoming sendmail then sendmail Sender Address Verification (http://smfs.sourceforge.net/smf-sav.html) will do this for you.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From Nikolaos.Pavlidis at beds.ac.uk Tue Nov 4 14:54:30 2008
From: Nikolaos.Pavlidis at beds.ac.uk (Nikolaos Pavlidis)
Date: Tue Nov 4 14:54:44 2008
Subject: Solaris 10 Mail:ClamAV compile trouble
In-Reply-To: <4910622602000027000247AD@gwiadom.oes.beds.ac.uk>
References: <490C35D8020000570001F542@gwiadom.oes.beds.ac.uk> <4910622602000027000247AD@gwiadom.oes.beds.ac.uk>
Message-ID: <4910622602000027000247AD@gwiadom.oes.beds.ac.uk>

Dear All,

I am trying to install the ClamAV + SA package following the directions from: http://wiki.mailscanner.info/doku.php?id=documentation:clamav_sa

I installed clamav successfully and all the perl modules until I reached Mail::ClamAV

I edited /usr/perl5/5.8.4/lib/i86pc-solaris-64int/Config.pm to remove temporarily the -KPIC and -xO3 flags (-xdepend was nowhere to be found btw)

I used both paths and got respectively the below errors, any help will be much appreciated. the command procedure I followed was:
perl Makefile.PL
make
make clean
change $PATH
perl Makefile.PL
make

Any help will be much appreciated.
Thank you in advance.

Nik

The setup:
Solaris 10
Sun Studio installed

PATHs used:

1.
PATH=/usr/sbin:/usr/bin:/usr/local/bin:/usr/sfw/bin:/usr/dt/bin:/usr/openwin/bin:/usr/ccs/bin:/usr/ucb
LD_LIBRARY_PATH=/usr/lib:/usr/local/lib:/usr/sfw/lib:/opt/SUNWspro/lib:/usr/local/BerkeleyDB/lib

2.
PATH=/opt/SUNWspro/bin:/usr/ccs/bin:/usr/sbin:/usr/bin:/usr/dt/bin:/usr/openwin/bin:/usr/local/bin:/usr/sfw/bin:/usr/ucb
LD_LIBRARY_PATH=/opt/SUNWspro/lib:/usr/ccs/lib:/usr/lib:/usr/local/lib:/usr/sfw/lib:/usr/local/BerkeleyDB/lib

1.
Starting "make" Stage
make[1]: Entering directory `/sysnet/build/cpan/build/Mail-ClamAV-0.22/_Inline/build/Mail/ClamAV'
/usr/perl5/5.8.4/bin/perl /usr/perl5/5.8.4/lib/ExtUtils/xsubpp -typemap /usr/perl5/5.8.4/lib/ExtUtils/typemap ClamAV.xs > ClamAV.xsc && mv ClamAV.xsc ClamAV.c
cc -c -I/sysnet/build/cpan/build/Mail-ClamAV-0.22 -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_TS_ERRNO -xspace -xildoff -DVERSION=\"0.22\" -DXS_VERSION=\"0.22\" "-I/usr/perl5/5.8.4/lib/i86pc-solaris-64int/CORE" ClamAV.c
cc: language ildoff not recognized
cc: ClamAV.c: linker input file unused because linking not done
Running Mkbootstrap for Mail::ClamAV ()
chmod 644 ClamAV.bs
rm -f blib/arch/auto/Mail/ClamAV/ClamAV.so
LD_RUN_PATH="/usr/lib:/usr/local/lib" cc -G ClamAV.o -o blib/arch/auto/Mail/ClamAV/ClamAV.so -L/usr/local/lib -lz -lbz2 -lclamav
cc: ClamAV.o: No such file or directory
make[1]: *** [blib/arch/auto/Mail/ClamAV/ClamAV.so] Error 1
make[1]: Leaving directory `/sysnet/build/cpan/build/Mail-ClamAV-0.22/_Inline/build/Mail/ClamAV'

2.
Starting "make" Stage
/usr/perl5/5.8.4/bin/perl /usr/perl5/5.8.4/lib/ExtUtils/xsubpp -typemap /usr/perl5/5.8.4/lib/ExtUtils/typemap ClamAV.xs > ClamAV.xsc && mv ClamAV.xsc ClamAV.c
cc -c -I/sysnet/build/cpan/build/Mail-ClamAV-0.22 -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_TS_ERRNO -xspace -xildoff -DVERSION=\"0.22\" -DXS_VERSION=\"0.22\" "-I/usr/perl5/5.8.4/lib/i86pc-solaris-64int/CORE" ClamAV.c
"ClamAV.xs", line 65: warning: implicit function declaration: cl_loaddbdir
"ClamAV.xs", line 68: warning: implicit function declaration: cl_loaddb
"ClamAV.xs", line 308: undefined symbol: CL_EFSYNC
"ClamAV.xs", line 321: undefined symbol: CL_ELOCKDB
"ClamAV.c", line 450: warning: statement not reached
"ClamAV.c", line 633: warning: statement not reached
"ClamAV.c", line 663: warning: statement not reached
"ClamAV.c", line 693: warning: statement not reached
cc: acomp failed for ClamAV.c
*** Error code 2
make: Fatal error: Command failed for target `ClamAV.o'
Current working directory /sysnet/build/cpan/build/Mail-ClamAV-0.22/_Inline/build/Mail/ClamAV

From martinh at solidstatelogic.com Tue Nov 4 15:00:36 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Tue Nov 4 15:00:48 2008
Subject: Solaris 10 Mail:ClamAV compile trouble
In-Reply-To: <4910622602000027000247AD@gwiadom.oes.beds.ac.uk>
Message-ID:

Nik

I'd use clamd rather than the module as there's no wait for Mail::ClamAV to be updated to support the latest version of clamav.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From prandal at herefordshire.gov.uk Tue Nov 4 15:05:02 2008
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Tue Nov 4 15:05:50 2008
Subject: Solaris 10 Mail:ClamAV compile trouble
In-Reply-To: <4910622602000027000247AD@gwiadom.oes.beds.ac.uk>
References: <490C35D8020000570001F542@gwiadom.oes.beds.ac.uk><4910622602000027000247AD@gwiadom.oes.beds.ac.uk> <4910622602000027000247AD@gwiadom.oes.beds.ac.uk>
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA0518D73D@HC-MBX02.herefordshire.gov.uk>

Have you applied this patch to Mail::ClamAV?

http://rt.cpan.org/Public/Bug/Display.html?id=39301

Someone needs to prod Scott Beck to release Mail::ClamAV 0.23

Cheers,

Phil

--
Phil Randal | Networks Engineer
Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: prandal@herefordshire.gov.uk

Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Herefordshire Council.

This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it.

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From j2 at mupp.net Tue Nov 4 17:11:57 2008
From: j2 at mupp.net (Jan Johansson)
Date: Tue Nov 4 17:13:16 2008
Subject: New quarantain ot being created.
In-Reply-To: <3DF8101092666E4A9020D949E419EB6F02AD6F01@ensms02.iris.se>
References: <9CB5A76200029E439A44D2E52901D6A4174417@waldorf.Muppnet.local><490E0ED0.7010704@rheel.co.nz><9CB5A76200029E439A44D2E52901D6A4174419@waldorf.Muppnet.local> <3DF8101092666E4A9020D949E419EB6F02AD6F01@ensms02.iris.se>
Message-ID: <9CB5A76200029E439A44D2E52901D6A417441A@waldorf.Muppnet.local>

>I had the same problem after a recent upgrade and changed the permission to these
>settings:
>
>drwxrwx--- 17 root www-data 4096 2008-11-03 00:01 quarantine

That sorted it, thanks! I still wonder what has changed tho...

--
This message has been checked for viruses and harmful content by MailScanner and is believed to be safe.

From symonc at gmail.com Tue Nov 4 18:01:45 2008
From: symonc at gmail.com (Symon Chalk)
Date: Tue Nov 4 18:01:56 2008
Subject: Bug in SweepOther.pm?
Message-ID:

I had an issue come up today with MailScanner, quite why it only suddenly surfaced I don't know (I'm guessing someone did an update on the server and hasn't fessed up).

Anyway, the issue was that MailScanner would continually cycle over the same messages time and again, never actually processing them (although it'd virus and SpamAssassin scan them, just not deliver them on). The only error was in /var/log/messages, being variations on the following: "Process did not exit cleanly, returned 255 with signal 0".

Running check_MailScanner with Debug = yes and Debug SpamAssassin = yes turned up the following error: "Unmatched ) in regex; marked by <-- HERE in m/\.[a-z0-9]{3}) <-- HERE \1$/ at /usr/lib/MailScanner/MailScanner/SweepOther.pm line 273."

I took a look at that file and couldn't see anything obviously wrong, although it's hard to tell as the regex is actually being passed in as a variable. To get round the problem I added the following: "$regex = quotemeta ($regex);" just before that line, which cured the problem and doesn't seem to have broken anything else (check_MailScanner returned no problems and the server is now processing mail correctly).

Any thoughts on what could have caused this and whether my fix is okay?

TIA,

Symon.

From sandrews at andrewscompanies.com Tue Nov 4 18:29:37 2008
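[Added example, not part of the thread and not MailScanner's code.] For the SweepOther.pm regex error in Symon Chalk's message above: this sketch compares interpolating an unchecked pattern, the quotemeta workaround, and compiling each pattern once under eval. It assumes $regex comes from a configured rule; the rule labels, the first pattern, the filenames and the function names are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample rules (assumption: not MailScanner's shipped rules).
# The second pattern is the malformed one quoted in the error message above.
my @rules = (
    [ 'double extension', '\.[a-z0-9]{3}\.(exe|scr|pif)$' ],
    [ 'malformed',        '\.[a-z0-9]{3})\1$' ],
);
my @names = ('invoice.pdf.exe', 'report.doc');    # constructed filenames

# 1. Unchecked interpolation: a malformed pattern dies at match time. An
#    uncaught die normally ends the process with status 255 when $! and $?
#    are both zero.
sub match_naive {
    my ($pattern, $name) = @_;
    return $name =~ /$pattern/i ? 1 : 0;
}

# 2. The quotemeta workaround: it can no longer die, but every metacharacter
#    becomes literal, so the rule only matches a name that contains the
#    pattern text itself.
sub match_quoted {
    my ($pattern, $name) = @_;
    my $literal = quotemeta $pattern;
    return $name =~ /$literal/i ? 1 : 0;
}

# 3. Compile every pattern once when the rules are loaded. A bad pattern is
#    reported with its label and left out, instead of failing mid-batch.
sub compile_rules {
    my (@in) = @_;
    my (@ok, @bad);
    for my $rule (@in) {
        my ($label, $pattern) = @$rule;
        my $re = eval { qr/$pattern/i };
        if (defined $re) {
            push @ok, [ $label, $re ];
        }
        else {
            # Keep the regex diagnostic, drop the "at FILE line N" suffix.
            (my $why = $@) =~ s/ at \S+ line \d+.*//s;
            push @bad, [ $label, $pattern, $why ];
        }
    }
    return (\@ok, \@bad);
}

# Side-by-side behaviour of approaches 1 and 2 on the sample filenames.
for my $rule (@rules) {
    my ($label, $pattern) = @$rule;
    for my $name (@names) {
        my $naive = eval { match_naive($pattern, $name) };
        $naive = 'DIES' unless defined $naive;
        printf "%-17s %-16s naive=%-4s quotemeta=%s\n",
            $label, $name, $naive, match_quoted($pattern, $name);
    }
}

# Approach 3: which rules survive loading, and why the others were rejected.
my ($ok, $bad) = compile_rules(@rules);
print "usable rule: $_->[0]\n" for @$ok;
print "rejected rule '$_->[0]' ($_->[1]): $_->[2]\n" for @$bad;
```

With quotemeta applied, the well-formed double-extension rule stops matching invoice.pdf.exe, so a check of this kind would pass mail it previously caught; the load-time compile keeps the valid rules working and names the one that needs repair.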
From: sandrews at andrewscompanies.com (Steven Andrews)
Date: Tue Nov 4 18:29:52 2008
Subject: sendmail to exchange w/ldap problem slightly OT SOLVED
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB0907712@winchester.andrewscompanies.com>
References: <1964AAFBC212F742958F9275BF63DBB0907711@winchester.andrewscompanies.com><1f49673ffdce0f41a8c24d1eeaaacdda@solidstatelogic.com> <1964AAFBC212F742958F9275BF63DBB0907712@winchester.andrewscompanies.com>
Message-ID: <1964AAFBC212F742958F9275BF63DBB0907719@winchester.andrewscompanies.com>

I gave up on 4.7; found a way to install 4.3 on another box and shovel that drive into the R200. Now it works. Goofy computers.

From richard.siddall at elirion.net Tue Nov 4 18:38:19 2008
From: richard.siddall at elirion.net (Richard Siddall)
Date: Tue Nov 4 18:38:44 2008
Subject: sendmail to exchange w/ldap problem slightly OT
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB0907711@winchester.andrewscompanies.com>
References: <1964AAFBC212F742958F9275BF63DBB0907711@winchester.andrewscompanies.com>
Message-ID: <4910969B.2040609@elirion.net>

Steven Andrews wrote:
> I've been using a hunk of code to have MS/Sendmail query exchange
> 2000/2003 boxes for some time with no problems. Today, I'm setting up a
> nice little dell R200 and so I had to use Centos4.7 over my default 4.3
> to get sata support.
>
> Any help, much appreciated...
>
> When I run the code, I get this silliness:
>
> Name "main::EMAILS" used only once: possible typo at ./sendmail-ldap.sh
> line 57, line 275.
> Name "main::DOMAINS" used only once: possible typo at ./sendmail-ldap.sh
> line 60, line 275.

Looks like your script is truncated. Toward the end it opens two files and doesn't do anything with them.

Regards,

Richard Siddall

From sandrews at andrewscompanies.com Tue Nov 4 19:00:54 2008
From: sandrews at andrewscompanies.com (Steven Andrews)
Date: Tue Nov 4 19:01:04 2008
Subject: sendmail to exchange w/ldap problem slightly OT
In-Reply-To: <4910969B.2040609@elirion.net>
References: <1964AAFBC212F742958F9275BF63DBB0907711@winchester.andrewscompanies.com> <4910969B.2040609@elirion.net>
Message-ID: <1964AAFBC212F742958F9275BF63DBB090771C@winchester.andrewscompanies.com>

Aw crap...I was so ready to just blame it on the damn computer. That's freaking hilarious...I didn't even bother to copy the whole script to the box! I think I'll just push back from the keyboard for the rest of the day.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Richard Siddall
Sent: Tuesday, November 04, 2008 1:38 PM
To: MailScanner discussion
Subject: Re: sendmail to exchange w/ldap problem slightly OT

Steven Andrews wrote:
> I've been using a hunk of code to have MS/Sendmail query exchange
> 2000/2003 boxes for some time with no problems. Today, I'm setting up a
> nice little dell R200 and so I had to use Centos4.7 over my default 4.3
> to get sata support.
>
> Any help, much appreciated...
>
> When I run the code, I get this silliness:
>
> Name "main::EMAILS" used only once: possible typo at ./sendmail-ldap.sh
> line 57, line 275.
> Name "main::DOMAINS" used only once: possible typo at ./sendmail-ldap.sh
> line 60, line 275.

Looks like your script is truncated. Toward the end it opens two files and doesn't do anything with them.

Regards,

Richard Siddall
--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From ssilva at sgvwater.com Tue Nov 4 22:37:51 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Nov 4 22:38:10 2008
Subject: Watermarking not working
In-Reply-To: <254612fc0811040111q16b63f22qa61001dbf3b7594b@mail.gmail.com>
References: <254612fc0810310239q599fdcf1n1d9610ed3d1e7775@mail.gmail.com> <254612fc0811040111q16b63f22qa61001dbf3b7594b@mail.gmail.com>
Message-ID:

on 11-4-2008 1:11 AM BlaaT 0001 spake the following:
> On Fri, Oct 31, 2008 at 6:49 PM, Scott Silva wrote:
>> on 10-31-2008 2:39 AM BlaaT 0001 spake the following:
>>> Hello all,
>>>
>>> I'm still having problems using watermarking. My MailScanner settings
>>> related to watermarking are:
>>>
>>> Use Watermarking = yes
>>> Add Watermark = %rules-dir%/add.watermark.rules
>>> Check Watermarks With No Sender =
>>> %rules-dir%/check.watermarks.with.no.sender.rules
>>> Treat Invalid Watermarks With No Sender as Spam = 20
>>> Check Watermarks To Skip Spam Checks = no
>>> Watermark Secret = ***************
>>> Watermark Lifetime = 604800
>>> Watermark Header = X-%org-name%-WM:
>>>
>>
>> Why don't you try on ALL of your machines ;
>>
>> Watermark Header = X-Your-org-name-WM:
>> ^^^^^^ hard coded orgname
>> instead of letting it expand from %org-name%
>> Maybe a slight difference in systems encoding is munging the orgname part of
>> the watermark.
>>
>>
>> --
>
>
> I've tried your suggestion but without any success. Every bounce email
> is still marked and shows up in the logs with:
> Message 4F55XXXX44F.62F03 had bad watermark, added XX to spam score;
> and: "(no watermark or sender address)".
>
> Is there anything else I can try?
>
> Thanks.

The only thing left that I can think of is something in your ruleset that isn't firing the way you think it is.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From ssilva at sgvwater.com Tue Nov 4 22:48:25 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Nov 4 22:48:46 2008
Subject: sendmail to exchange w/ldap problem slightly OT SOLVED
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB0907719@winchester.andrewscompanies.com>
References: <1964AAFBC212F742958F9275BF63DBB0907711@winchester.andrewscompanies.com><1f49673ffdce0f41a8c24d1eeaaacdda@solidstatelogic.com> <1964AAFBC212F742958F9275BF63DBB0907712@winchester.andrewscompanies.com> <1964AAFBC212F742958F9275BF63DBB0907719@winchester.andrewscompanies.com>
Message-ID:

on 11-4-2008 10:29 AM Steven Andrews spake the following:
> I gave up on 4.7; found a way to install 4.3 on another box and shovel
> that drive into the R200. Now it works.
>
>
>
> Goofy computers.
>
Running an un-patched linux facing the "bad" side of the firewall is not a good thing either! I would update the method you use instead of running an older release.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From ssilva at sgvwater.com Tue Nov 4 22:52:01 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Nov 4 22:55:14 2008
Subject: Bug in SweepOther.pm?
In-Reply-To:
References:
Message-ID:

on 11-4-2008 10:01 AM Symon Chalk spake the following:
> I had an issue come up today with MailScanner, quite why it only
> suddenly surfaced I don't know (I'm guessing someone did an update on
> the server and hasn't fessed up).
>
> Anyway, the issue was that MailScanner would continually cycle over the
> same messages time and again, never actually processing them (although
> it'd virus and SpamAssassin scan them, just not deliver them on). The
> only error was in /var/log/messages, being variations on the following:
> "Process did not exit cleanly, returned 255 with signal 0".
>
> Running check_MailScanner with Debug = yes and Debug SpamAssassin = yes
> turned up the following error: "Unmatched ) in regex; marked by <-- HERE
> in m/\.[a-z0-9]{3}) <-- HERE \1$/ at
> /usr/lib/MailScanner/MailScanner/SweepOther.pm line 273."
>
> I took a look at that file and couldn't see anything obviously wrong,
> although it's hard to tell as the regex is actually being passed in as a
> variable. To get round the problem I added the following: "$regex =
> quotemeta ($regex);" just before that line, which cured the problem and
> doesn't seem to have broken anything else (check_MailScanner returned no
> problems and the server is now processing mail correctly).
>
> Any thoughts on what could have caused this and whether my fix is okay?
>
> TIA,
>
> Symon.
>
Since you didn't state which version you are running, it could be an old bug, or it could be new.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From kate at rheel.co.nz Wed Nov 5 00:08:53 2008
From: kate at rheel.co.nz (Kate Kleinschafer)
Date: Wed Nov 5 00:07:29 2008
Subject: can't quite get clamd working properly
Message-ID: <4910E415.4050502@rheel.co.nz>

Hi all,

First off, thanks to all the people that help on this list. I have got a fair way through troubleshooting this issue using help of various threads.

I am now a bit stuck though - I think it may have to do with permissions.

I installed clamav from dag

In MailScanner.conf
Run As User = postfix

Virus Scanners = clamd

Clamd Port = 3310
Clamd Socket = /tmp/clamd.socket
Clamd Lock File = # /var/lock/subsys/clamd
Clamd Use Threads = yes

in clamd.conf
DatabaseDirectory /var/clamav
LocalSocket /tmp/clamd.socket
User postfix

I made the user postfix because I run MailScanner as postfix (Don't know if this change is correct)

Permissions:
/tmp/clamd.socket 777 postfix:postfix

I am getting the error Cannot find Socket (/tmp/clamd) Exiting!

Any suggestions how I can fix this? I am unsure where it is getting the /tmp/clamd from as it is set as /tmp/clamd.socket in MailScanner.conf and clamd.conf

I have done a service clamd stop then start and a MailScanner reload

Thanks
Kate

From Jeff.Mills at versacold.com.au Wed Nov 5 00:22:53 2008
From: Jeff.Mills at versacold.com.au (Jeff Mills)
Date: Wed Nov 5 00:23:07 2008
Subject: can't quite get clamd working properly
In-Reply-To: <4910E415.4050502@rheel.co.nz>
References: <4910E415.4050502@rheel.co.nz>
Message-ID:

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Kate Kleinschafer
> Sent: Wednesday, 5 November 2008 11:09 AM
> To: MailScanner discussion
> Subject: can't quite get clamd working properly
>
> Hi all,
>
> First off, thanks to all the people that help on this list. I
> have got a fair way through troubleshooting this issue using
> help of various threads.
>
> I am now a bit stuck though - I think it may have to do with
> permissions.
>
> I installed clamav from dag
>
> In MailScanner.conf
> Run As User = postfix
>
> Virus Scanners = clamd
>
> Clamd Port = 3310
> Clamd Socket = /tmp/clamd.socket
> Clamd Lock File = # /var/lock/subsys/clamd Clamd Use Threads = yes
>
>
> in clamd.conf
> DatabaseDirectory /var/clamav
> LocalSocket /tmp/clamd.socket
> User postfix
>
> I made the user postfix because I run MailScanner as postfix
> (Don't know if this change is correct)
>
> Permissions:
> /tmp/clamd.socket 777 postfix:postfix
>
> I am getting the error Cannot find Socket (/tmp/clamd) Exiting!
>
> Any suggestions how I can fix this? I am unsure where it is
> getting the /tmp/clamd from as it is set as /tmp/clamd.socket
> in MailScanner.conf and clamd.conf
>
> I have done a service clamd stop then start and a MailScanner reload
>
> Thanks
> Kate

I run postfix/mailscanner also and my clamav user is clamav.
It does not need to be the postfix user.

My socket setup is:

LocalSocket /var/run/clamav/clamd.sock

However, I'm using TCP via 127.0.0.1
The port config in your setup, I believe, does not mean anything if you are using local socket as opposed to TCP (TCPSocket 3310).

From r.berber at computer.org Wed Nov 5 00:57:56 2008
From: r.berber at computer.org (René Berber)
Date: Wed Nov 5 00:57:42 2008
Subject: can't quite get clamd working properly
In-Reply-To: <4910E415.4050502@rheel.co.nz>
References: <4910E415.4050502@rheel.co.nz>
Message-ID:

Kate Kleinschafer wrote:

> I am getting the error Cannot find Socket (/tmp/clamd) Exiting!

That means you have more than one installation (of whatever is "Exiting!") and the old version is the one writing that complaint (long, long ago, clamd used /tmp/clamd as default name for the socket, of course you could still use it with newer versions but since you showed your configuration is different...)
--
René Berber

From kate at rheel.co.nz Wed Nov 5 02:01:41 2008
From: kate at rheel.co.nz (Kate Kleinschafer)
Date: Wed Nov 5 02:00:37 2008
Subject: can't quite get clamd working properly
In-Reply-To:
References: <4910E415.4050502@rheel.co.nz>
Message-ID: <4910FE85.1050807@rheel.co.nz>

Jeff Mills wrote:
>
>
>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
>> Of Kate Kleinschafer
>> Sent: Wednesday, 5 November 2008 11:09 AM
>> To: MailScanner discussion
>> Subject: can't quite get clamd working properly
>>
>> Hi all,
>>
>> First off, thanks to all the people that help on this list. I
>> have got a fair way through troubleshooting this issue using
>> help of various threads.
>>
>> I am now a bit stuck though - I think it may have to do with
>> permissions.
>>
>> I installed clamav from dag
>>
>> In MailScanner.conf
>> Run As User = postfix
>>
>> Virus Scanners = clamd
>>
>> Clamd Port = 3310
>> Clamd Socket = /tmp/clamd.socket
>> Clamd Lock File = # /var/lock/subsys/clamd Clamd Use Threads = yes
>>
>>
>> in clamd.conf
>> DatabaseDirectory /var/clamav
>> LocalSocket /tmp/clamd.socket
>> User postfix
>>
>> I made the user postfix because I run MailScanner as postfix
>> (Don't know if this change is correct)
>>
>> Permissions:
>> /tmp/clamd.socket 777 postfix:postfix
>>
>> I am getting the error Cannot find Socket (/tmp/clamd) Exiting!
>>
>> Any suggestions how I can fix this? I am unsure where it is
>> getting the /tmp/clamd from as it is set as /tmp/clamd.socket
>> in MailScanner.conf and clamd.conf
>>
>> I have done a service clamd stop then start and a MailScanner reload
>>
>> Thanks
>> Kate
>>
>
> I run postfix/mailscanner also and my clamav user is clamav.
> It does not need to be the postfix user.
>
> My socket setup is:
>
> LocalSocket /var/run/clamav/clamd.sock
>
> However, I'm using TCP via 127.0.0.1
> The port config in your setup, I believe, does not mean anything if you
> are using local socket as opposed to TCP (TCPSocket 3310).
>
If it runs as user clamav it can't access the queue file that is why I changed it to postfix.
Any suggestions on the Cannot find Socket error?

Thanks

From kate at rheel.co.nz Wed Nov 5 02:12:29 2008
From: kate at rheel.co.nz (Kate Kleinschafer)
Date: Wed Nov 5 02:11:24 2008
Subject: can't quite get clamd working properly
In-Reply-To:
References: <4910E415.4050502@rheel.co.nz>
Message-ID: <4911010D.7080800@rheel.co.nz>

René Berber wrote:
> Kate Kleinschafer wrote:
>
>
>> I am getting the error Cannot find Socket (/tmp/clamd) Exiting!
>>
>
> That means you have more than one installation (of whatever is
> "Exiting!") and the old version is the one writing that complaint (long,
> long ago, clamd used /tmp/clamd as default name for the socket, of
> course you could still use it with newer versions but since you showed
> your configuration is different...)
>
hmmm I think I have only installed clamav once. This is a new server that I have built and I don't think I have it installed twice.

Is there a way I can tell if it's still running as clamav? I think it was doing this before I changed it to clamd today.

Thanks

From Jeff.Mills at versacold.com.au Wed Nov 5 02:17:58 2008
From: Jeff.Mills at versacold.com.au (Jeff Mills)
Date: Wed Nov 5 02:18:10 2008
Subject: can't quite get clamd working properly
In-Reply-To: <4910FE85.1050807@rheel.co.nz>
References: <4910E415.4050502@rheel.co.nz> <4910FE85.1050807@rheel.co.nz>
Message-ID:

>
>
> If it runs as user clamav it can't access the queue file that
> is why I changed it to postfix.
> Any suggestions on the Cannot find Socket error?
>
> Thanks
>

Have you manually checked that the socket actually exists in /tmp?

From kate at rheel.co.nz Wed Nov 5 03:00:07 2008
From: kate at rheel.co.nz (Kate Kleinschafer)
Date: Wed Nov 5 02:58:48 2008
Subject: can't quite get clamd working properly
In-Reply-To:
References: <4910E415.4050502@rheel.co.nz> <4910FE85.1050807@rheel.co.nz>
Message-ID: <49110C37.7060309@rheel.co.nz>

Jeff Mills wrote:
>>>
>>>
>> If it runs as user clamav it can't access the queue file that
>> is why I changed it to postfix.
>> Any suggestions on the Cannot find Socket error?
>>
>> Thanks
>>
>
> Have you manually checked that the socket actually exists in /tmp?
>
Yes in /tmp the file is clamd.socket which privilege is postfix:postfix

From r.berber at computer.org Wed Nov 5 04:30:54 2008
From: r.berber at computer.org (René Berber)
Date: Wed Nov 5 04:30:42 2008
Subject: can't quite get clamd working properly
In-Reply-To: <4911010D.7080800@rheel.co.nz>
References: <4910E415.4050502@rheel.co.nz> <4911010D.7080800@rheel.co.nz>
Message-ID:

Kate Kleinschafer wrote:

> Is there a way I can tell if it's still running as clamav? I think it was
> doing this before I changed it to clamd today.

Look at the clamd log, you won't find the user but the last "LOCAL: Unix socket file /tmp/clamd.socket" should tell you if it's using the right socket name or not.
--
René Berber

From r.berber at computer.org Wed Nov 5 04:36:25 2008
From: r.berber at computer.org (René Berber)
Date: Wed Nov 5 04:36:09 2008
Subject: can't quite get clamd working properly
In-Reply-To: <4911010D.7080800@rheel.co.nz>
References: <4910E415.4050502@rheel.co.nz> <4911010D.7080800@rheel.co.nz>
Message-ID:

Kate Kleinschafer wrote:

> René Berber wrote:
>> Kate Kleinschafer wrote:
>>
>>
>>> I am getting the error Cannot find Socket (/tmp/clamd) Exiting!
>>>
>>
>> That means you have more than one installation (of whatever is
>> "Exiting!") and the old version is the one writing that complaint (long,
>> long ago, clamd used /tmp/clamd as default name for the socket, of
>> course you could still use it with newer versions but since you showed
>> your configuration is different...)
>>
> hmmm I think I have only installed clamav once. This is a new server
> that I have built and I don't think I have it installed twice.

Sorry for the double answer, but I don't think clamav is the one doing the complaining, it is something else (that's why I said *whatever* is "Exiting!") which should be clear with the complete log line.

Whatever is complaining is the one that expects /tmp/clamd as a socket name. Do you have clamdwatch or similar?
--
René Berber

From symon at symcar.com Wed Nov 5 05:57:26 2008
From: symon at symcar.com (Symon Chalk)
Date: Wed Nov 5 05:57:35 2008
Subject: Bug in SweepOther.pm?
In-Reply-To:
References:
Message-ID:

On Tue, Nov 4, 2008 at 10:52 PM, Scott Silva wrote:

> on 11-4-2008 10:01 AM Symon Chalk spake the following:
> > I had an issue come up today with MailScanner, quite why it only
> > suddenly surfaced I don't know (I'm guessing someone did an update on
> > the server and hasn't fessed up).
> >
> > Anyway, the issue was that MailScanner would continually cycle over the
> > same messages time and again, never actually processing them (although
> > it'd virus and SpamAssassin scan them, just not deliver them on). The
> > only error was in /var/log/messages, being variations on the following:
> > "Process did not exit cleanly, returned 255 with signal 0".
> >
> > Running check_MailScanner with Debug = yes and Debug SpamAssassin = yes
> > turned up the following error: "Unmatched ) in regex; marked by <-- HERE
> > in m/\.[a-z0-9]{3}) <-- HERE \1$/ at
> > /usr/lib/MailScanner/MailScanner/SweepOther.pm line 273."
> >
> > I took a look at that file and couldn't see anything obviously wrong,
> > although it's hard to tell as the regex is actually being passed in as a
> > variable. To get round the problem I added the following: "$regex =
> > quotemeta ($regex);" just before that line, which cured the problem and
> > doesn't seem to have broken anything else (check_MailScanner returned no
> > problems and the server is now processing mail correctly).
> >
> > Any thoughts on what could have caused this and whether my fix is okay?
> >
> > TIA,
> >
> > Symon.
> >
> Since you didn't state which version you are running, it could be an old
> bug,
> or it could be new.

D'oh! I'm running 4.72.5-1 on a CentOS 5.2 box.

Symon.

From glenn.steen at gmail.com Wed Nov 5 13:15:27 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Nov 5 13:15:37 2008
Subject: "Remove These Headers" in MailScanner.conf
In-Reply-To: <4909E177.706@alexb.ch>
References: <46b33847a059c8459b0995558d04db10@solidstatelogic.com> <4909E177.706@alexb.ch>
Message-ID: <223f97700811050515q5b32a5ew5b2da8bc45c46fba@mail.gmail.com>

2008/10/30 Alex Broens :
> On 10/30/2008 4:46 PM, Martin.Hepworth wrote:
>>
>> Hmm
>>
>> Not sure about the read/delivery receipt stuff in there. A lot of
>> people like to spam themselves with this stuff....I know it's a bad
>> idea along with OoO replies but 'user's who need educating may take a
>> dim view.
>>
>> What do other folk think?
>
> Those who don't want them have already blocked them otherwise.
> Those who don't know what they mean/do should keep their fingers off.
>
> I wouldn't add them to any conf file, in any way, maybe a link to a Wiki
> article, not more.
>
> Alex
>
I've been removing the "tracking headers" for years (via PF header checks). IMO they fill no discernible purpose when crossing the administrative barrier (either going in or out). Since most of my (actually quite knowledgeable) lusers know, none have ever complained;-).
If MS now can do it for those MTAs that might lack that ability... is sweet:-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From rcooper at dwford.com Wed Nov 5 13:37:16 2008
From: rcooper at dwford.com (Rick Cooper)
Date: Wed Nov 5 13:37:30 2008
Subject: can't quite get clamd working properly
In-Reply-To: <4910FE85.1050807@rheel.co.nz>
References: <4910E415.4050502@rheel.co.nz> <4910FE85.1050807@rheel.co.nz>
Message-ID: <4185BD95848843A89697824496016F9F@SAHOMELT>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On
> Behalf Of Kate Kleinschafer
> Sent: Tuesday, November 04, 2008 9:02 PM
> To: MailScanner discussion
> Subject: Re: can't quite get clamd working properly
>
>
> Jeff Mills wrote:
> >
> >
> >
> >> -----Original Message-----
> >> From: mailscanner-bounces@lists.mailscanner.info
> >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> >> Of Kate Kleinschafer
> >> Sent: Wednesday, 5 November 2008 11:09 AM
> >> To: MailScanner discussion
> >> Subject: can't quite get clamd working properly
> >>
> >> Hi all,
> >>
> >> First off, thanks to all the people that help on this list. I
> >> have got a fair way through troubleshooting this issue using
> >> help of various threads.
> >>
> >> I am now a bit stuck though - I think it may have to do with
> >> permissions.
> >>
> >> I installed clamav from dag
> >>
> >> In MailScanner.conf
> >> Run As User = postfix
> >>
> >> Virus Scanners = clamd
> >>
> >> Clamd Port = 3310
> >> Clamd Socket = /tmp/clamd.socket
> >> Clamd Lock File = # /var/lock/subsys/clamd Clamd Use Threads = yes
> >>
> >>
> >> in clamd.conf
> >> DatabaseDirectory /var/clamav
> >> LocalSocket /tmp/clamd.socket
> >> User postfix
> >>
> >> I made the user postfix because I run MailScanner as postfix
> >> (Don't know if this change is correct)
> >>
> >> Permissions:
> >> /tmp/clamd.socket 777 postfix:postfix
> >>
> >> I am getting the error Cannot find Socket (/tmp/clamd) Exiting!
> >>
> >> Any suggestions how I can fix this? I am unsure where it is
> >> getting the /tmp/clamd from as it is set as /tmp/clamd.socket
> >> in MailScanner.conf and clamd.conf
> >>
> >> I have done a service clamd stop then start and a
> MailScanner reload
> >>
> >> Thanks
> >> Kate
> >>
> >
> > I run postfix/mailscanner also and my clamav user is clamav.
> > It does not need to be the postfix user.
> >
> > My socket setup is:
> >
> > LocalSocket /var/run/clamav/clamd.sock
> >
> > However, I'm using TCP via 127.0.0.1
> > The port config in your setup, I believe, does not mean
> anything if you
> > are using local socket as opposed to TCP (TCPSocket 3310).
> >
> If it runs as user clamav it can't access the queue file
> that is why I
> changed it to postfix.
> Any suggestions on the Cannot find Socket error?

That error is tripped when MailScanner cannot find the socket file, or access the socket file. The value in parenthesis is the value in the MailScanner.conf file. Double check that you either do not have two MailScanner.conf files and it's not defined twice. The default value for the socket is 127.0.0.1 so it's not getting it from the default and it won't make up a file name on its own so MailScanner is getting that value from somewhere and MailScanner is looking for /tmp/clamd not /tmp/clamd.socket or /var/run/clamav/clamd.sock depending upon which LocalSocket value you have posted above is correct.

Rick

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From maillists at conactive.com Wed Nov 5 14:31:18 2008
From: maillists at conactive.com (Kai Schaetzl)
Date: Wed Nov 5 14:31:30 2008
Subject: can't quite get clamd working properly
In-Reply-To: <4910E415.4050502@rheel.co.nz>
References: <4910E415.4050502@rheel.co.nz>
Message-ID:

Kate Kleinschafer wrote on Wed, 05 Nov 2008 13:08:53 +1300:

> Clamd Port = 3310
> Clamd Socket = /tmp/clamd.socket
> Clamd Lock File = # /var/lock/subsys/clamd

remove comment

> in clamd.conf
> User postfix

set it back to clamav, this is not correct! Why didn't you follow the instructions on the Mailscanner wiki? I followed them about a month ago and didn't have a single issue.

> Permissions:
> /tmp/clamd.socket 777 postfix:postfix

see above

> I am getting the error Cannot find Socket (/tmp/clamd) Exiting!

"who" says that?

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Wed Nov 5 14:31:18 2008
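The check Rick Cooper describes above (look for a second MailScanner.conf or a second definition, then compare the value with clamd's LocalSocket), written out as an added example; it is not part of the thread or of MailScanner. The file names, the finding codes and the sample setup built in a temporary directory are constructed for illustration, and the way option names are normalised is an assumption. It also flags a world-writable socket such as the mode 777 one posted earlier.

```python
import os
import re
import socket
import stat
import tempfile


def parse_mailscanner_conf(lines):
    """Collect every 'Name = value' setting; '#' starts a comment."""
    settings = {}
    for number, raw in enumerate(lines, 1):
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        # Assumption: option names are compared ignoring case and spaces.
        key = re.sub(r"\s+", "", name).lower()
        settings.setdefault(key, []).append((number, value.strip()))
    return settings


def parse_clamd_conf(lines):
    """clamd.conf holds 'Option value' pairs, one per line."""
    options = {}
    for raw in lines:
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts:
            options[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return options


def check_socket(path):
    """Existence, file type and permission checks for one socket path."""
    try:
        mode = os.lstat(path).st_mode
    except OSError:
        return [("missing", path)]
    found = []
    if not stat.S_ISSOCK(mode):
        found.append(("not-socket", path))
    if mode & stat.S_IWOTH:            # any local account can connect
        found.append(("world-writable", path))
    return found


def audit(mailscanner_confs, clamd_conf):
    """Return (code, detail) findings for the Clamd Socket setup."""
    findings = []
    defined = []                       # (file, line number, value)
    for path in mailscanner_confs:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for number, value in parse_mailscanner_conf(fh).get("clamdsocket", []):
                defined.append((path, number, value))
    values = sorted({value for _, _, value in defined})
    if len(values) > 1:
        findings.append(("multiple-values", defined))

    with open(clamd_conf, encoding="utf-8", errors="replace") as fh:
        local = parse_clamd_conf(fh).get("LocalSocket")

    for value in values:
        if not value.startswith("/"):
            continue                   # an address such as 127.0.0.1 means TCP
        if local and value != local:
            findings.append(("mismatch", (value, local)))
        findings.extend(check_socket(value))
    if local and local not in values:
        findings.extend(check_socket(local))
    return findings


def demo():
    """Constructed setup: a stale and a current MailScanner.conf plus clamd.conf."""
    with tempfile.TemporaryDirectory() as top:
        good = os.path.join(top, "clamd.socket")
        stale = os.path.join(top, "clamd")     # nothing listens here
        server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        server.bind(good)
        os.chmod(good, 0o777)                  # the mode posted in the thread
        files = {
            "old-MailScanner.conf": f"Virus Scanners = clamd\nClamd Socket = {stale}\n",
            "MailScanner.conf": f"Clamd Port = 3310\nClamd Socket = {good}\n"
                                "Clamd Lock File = # /var/lock/subsys/clamd\n",
            "clamd.conf": f"DatabaseDirectory /var/clamav\nLocalSocket {good}\nUser postfix\n",
        }
        for name, text in files.items():
            with open(os.path.join(top, name), "w", encoding="utf-8") as fh:
                fh.write(text)
        try:
            return audit([os.path.join(top, "old-MailScanner.conf"),
                          os.path.join(top, "MailScanner.conf")],
                         os.path.join(top, "clamd.conf"))
        finally:
            server.close()


if __name__ == "__main__":
    for code, detail in demo():
        print(code, detail)
```

On a real host, pass `audit()` every MailScanner.conf found on disk together with the clamd.conf the running daemon was started with.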
From: maillists at conactive.com (Kai Schaetzl)
Date: Wed Nov 5 14:31:31 2008
Subject: can't quite get clamd working properly
In-Reply-To: <4910FE85.1050807@rheel.co.nz>
References: <4910E415.4050502@rheel.co.nz> <4910FE85.1050807@rheel.co.nz>
Message-ID:

Kate Kleinschafer wrote on Wed, 05 Nov 2008 15:01:41 +1300:

> If it runs as user clamav it can't access the queue file that is why I
> changed it to postfix.

There's no need for this. Follow these instructions:
http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:clamav:switch_to_rpm_clamd

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From clacroix at cegep-ste-foy.qc.ca Wed Nov 5 14:52:07 2008
From: clacroix at cegep-ste-foy.qc.ca (Charles Lacroix)
Date: Wed Nov 5 14:52:20 2008
Subject: ClamAV
In-Reply-To:
References: <4910E415.4050502@rheel.co.nz> <4910FE85.1050807@rheel.co.nz>
Message-ID: <4911B317.7060707@cegep-ste-foy.qc.ca>

About clamav and MailScanner, in the past I found out that I had problems with MS/clamav while I updated one or the other. This is the only reason I decided to remove antivirus checking from MailScanner and use a little daemon called clamsmtp

http://memberwebs.com/stef/software/clamsmtp/

I find it less problematic and with that I can update clam without breaking anything. I've run that for about 2 years now and I got zero problems related to updating clamav.

Let me know what you think.

From glenn.steen at gmail.com Wed Nov 5 15:03:26 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Nov 5 15:03:36 2008
Subject: ClamAV
In-Reply-To: <4911B317.7060707@cegep-ste-foy.qc.ca>
References: <4910E415.4050502@rheel.co.nz> <4910FE85.1050807@rheel.co.nz> <4911B317.7060707@cegep-ste-foy.qc.ca>
Message-ID: <223f97700811050703x1704f9a5w71a8c61430c31321@mail.gmail.com>

2008/11/5 Charles Lacroix :
>
> About clamav and MailScanner, in the past I found out that I had problems
> with MS/clamav
> while I updated one or the other. This is the only reason I decided to
> remove antivirus checking
> from MailScanner and use a little daemon called clamsmtp
>
> http://memberwebs.com/stef/software/clamsmtp/
>
> I find it less problematic and with that I can update clam without breaking
> anything
> I've run that for about 2 years now and I got zero problems related to
> updating clamav.
>
> Let me know what you think.

Looks nice enough, but ... you do get the same "ease of upgrade" using MailScanner with clamd, and then have the added bonus of batch scanning, AFAICT (someone will correct me if I'm wrong, I'm sure:-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From maxsec at gmail.com Wed Nov 5 15:17:37 2008
From: maxsec at gmail.com (Martin Hepworth)
Date: Wed Nov 5 15:17:47 2008
Subject: ClamAV
In-Reply-To: <4911B317.7060707@cegep-ste-foy.qc.ca>
References: <4910E415.4050502@rheel.co.nz> <4910FE85.1050807@rheel.co.nz> <4911B317.7060707@cegep-ste-foy.qc.ca>
Message-ID: <72cf361e0811050717u1f39c2ebm2ba936c049cd63a5@mail.gmail.com>

I find the clamd support in recent MailScanners 'just works'.

The clammodule support is still a little fun as you have to wait for the module to be updated before you can upgrade clamav.

--
Martin

On Wed, Nov 5, 2008 at 2:52 PM, Charles Lacroix wrote:
>
> About clamav and MailScanner, in the past I found out that I had problems
> with MS/clamav
> while I updated one or the other. This is the only reason I decided to
> remove antivirus checking
> from MailScanner and use a little daemon called clamsmtp
>
> http://memberwebs.com/stef/software/clamsmtp/
>
> I find it less problematic and with that I can update clam without breaking
> anything
> I've run that for about 2 years now and I got zero problems related to
> updating clamav.
>
> Let me know what you think.
>

From campbell at cnpapers.com Wed Nov 5 16:57:36 2008
From: campbell at cnpapers.com (Steve Campbell)
Date: Wed Nov 5 16:57:49 2008
Subject: can't quite get clamd working properly
In-Reply-To:
References: <4910E415.4050502@rheel.co.nz> <4910FE85.1050807@rheel.co.nz>
Message-ID: <4911D080.8090906@cnpapers.com>

Kai Schaetzl wrote:
> Kate Kleinschafer wrote on Wed, 05 Nov 2008 15:01:41 +1300:
>
>
>> If it runs as user clamav it can't access the queue file that is why I
>> changed it to postfix.
>>
>
> There's no need for this. Follow these instructions:
> http://wiki.mailscanner.info/doku.php?
> id=documentation:anti_virus:clamav:switch_to_rpm_clamd
>
> Kai
>
>
Kai,

Thanks for the specific link, but I'm a little confused about where I go to uninstall the old ClamAV if I used Julian's install script, install.sh. It might be hitting me in the face, but I'm not able to find mine using the documentation, and reading the install.sh doesn't seem to point me there either.

Any help would be appreciated.

Steve Campbell

From cbarber at techquility.net Wed Nov 5 17:48:08 2008
From: cbarber at techquility.net (Chris Barber)
Date: Wed Nov 5 17:48:19 2008
Subject: Message rules don't work, but if message forwarded, it does???
In-Reply-To: <4910E415.4050502@rheel.co.nz>
References: <4910E415.4050502@rheel.co.nz>
Message-ID: <43F62CA225017044BC84CFAF92B4333B035FB3@sbsserver.Techquility.net>

Hi All,

Having a strange issue, maybe someone has seen this before. I have some spam emails that are getting through the server. If a user then forwards that spam message to me, going through the server again, it does get caught.

A specific example is this: Message comes through and hit no rules at all. Message is forwarded and hits two URIBL rules for a URL in the message. Strange thing is that the URL was in the message originally so it should have hit the rule.

Can anyone help me shed some light onto this?

Running MailScanner 4.72.5-1 on CentOS 5

Thanks,
Chris

From cbarber at techquility.net Wed Nov 5 17:52:56 2008
From: cbarber at techquility.net (Chris Barber) Date: Wed Nov 5 17:53:07 2008 Subject: ClamAV In-Reply-To: <72cf361e0811050717u1f39c2ebm2ba936c049cd63a5@mail.gmail.com> References: <4910E415.4050502@rheel.co.nz><4910FE85.1050807@rheel.co.nz><4911B317.7060707@cegep-ste-foy.qc.ca> <72cf361e0811050717u1f39c2ebm2ba936c049cd63a5@mail.gmail.com> Message-ID: <43F62CA225017044BC84CFAF92B4333B035FB4@sbsserver.Techquility.net> Martin, Do you have any speed comparison data as far as clamsmtp vs clamd with MailScanner? Chris >I find the clamd support in recent MailScanners 'just works'. > >The clammodule support is still a little fun as you have to wait for >the module to be updated before you can upgrade clamav. > >-- >Martin On Wed, Nov 5, 2008 at 2:52 PM, Charles Lacroix wrote: > > About clamav and MailScanner, in the past i found out that i had problems > with MS/clamav > while i updated one or the other. This is the only reason i decided to > remove antivirus checking > from MailScanner and use a little daemon called clamsmtp > > http://memberwebs.com/stef/software/clamsmtp/ > > I find it less problematic and with that i can update clam without breaking > anything > i've ran that for about 2 years now and i got zero problems related to > updating clamav. > > Let me know what you think. From ssilva at sgvwater.com Wed Nov 5 17:58:02 2008 
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Nov 5 17:58:24 2008 Subject: Bug in SweepOther.pm? In-Reply-To: References: Message-ID: on 11-4-2008 9:57 PM Symon Chalk spake the following: > On Tue, Nov 4, 2008 at 10:52 PM, Scott Silva > wrote: > > on 11-4-2008 10:01 AM Symon Chalk spake the following: > > I had an issue come up today with MailScanner, quite why it only > > suddenly surfaced I don't know (I'm guessing someone did an update on > > the server and hasn't fessed up). > > > > Anyway, the issue was that MailScanner would continually cycle > over the > > same messages time and again, never actually processing them (although > > it'd virus and SpamAssassin scan them, just not deliver them on). The > > only error was in /var/log/messages, being variations on the > following: > > "Process did not exit cleanly, returned 255 with signal 0". > > > > Running check_MailScanner with Debug = yes and Debug SpamAssassin > = yes > > turned up the following error: "Unmatched ) in regex; marked by > <-- HERE > > in m/\.[a-z0-9]{3}) <-- HERE \1$/ at > > /usr/lib/MailScanner/MailScanner/SweepOther.pm line 273." > > > > I took a look at that file and couldn't see anything obviously wrong, > > although it's hard to tell as the regex is actually being passed > in as a > > variable. To get round the problem I added the following: "$regex = > > quotemeta ($regex);" just before that line, which cured the > problem and > > doesn't seem to have broken anything else (check_MailScanner > returned no > > problems and the server is now processing mail correctly). > > > > Any thoughts on what could have caused this and whether my fix is > okay? > > > > TIA, > > > > Symon. > > > Since you didn't state which version you are running, it could be an > old bug, > or it could be new. > > > D'oh! I'm running 4.72.5-1 on a CentOS 5.2 box. > > Symon. > What clues do you get if you run 'MailScanner --debug --debug-sa'? -- MailScanner is like deodorant... 
You hope everybody uses it, and you notice quickly if they don't!!!!
From lists at tippingmar.com Wed Nov 5 18:10:07 2008
From: lists at tippingmar.com (Mark Nienberg)
Date: Wed Nov 5 18:10:21 2008
Subject: can't quite get clamd working properly
In-Reply-To: <4911D080.8090906@cnpapers.com>
References: <4910E415.4050502@rheel.co.nz> <4910FE85.1050807@rheel.co.nz> <4911D080.8090906@cnpapers.com>
Message-ID: <4911E17F.4050903@tippingmar.com>

Steve Campbell wrote:
>
> Thanks for the specific link, but I'm a little confused about where I
> go to uninstall the old ClamAV if I used Julian's install script,
> install.sh. It might be hitting me in the face, but I'm not able to
> find mine using the documentation, and reading the install.sh doesn't
> seem to point me there either.
>
untar the install-Clam-SA.tar.gz file
cd into the directory it creates
cd into perl-tar directory
untar the clamav.tar.gz file
cd into the directory it creates
./configure
make uninstall

Mark Nienberg
From campbell at cnpapers.com Wed Nov 5 18:15:48 2008 
From: campbell at cnpapers.com (Steve Campbell) Date: Wed Nov 5 18:16:05 2008 Subject: can't quite get clamd working properly In-Reply-To: <4911E17F.4050903@tippingmar.com> References: <4910E415.4050502@rheel.co.nz> <4910FE85.1050807@rheel.co.nz> <4911D080.8090906@cnpapers.com> <4911E17F.4050903@tippingmar.com> Message-ID: <4911E2D4.4020704@cnpapers.com> Thanks very much, Mark. Steve Mark Nienberg wrote: > Steve Campbell wrote: >> >> Thanks for the specific link, but I'm a little confused about where I >> go to uninstall the old ClamAV if I used Julian's install script, >> install.sh. It might be hitting me in the face, but I'm not able to >> find mine using the documentation, and reading the install.sh doesn't >> seem to point me there either. >> > untar the install-Clam-SA.tar.gz file > > cd into the directory it creates > > cd into perl-tar directory > > untar the clamav.tar.gz file > > cd into the directory it creates > > ./configure > make uninstall > > > > Mark Nienberg From MailScanner at ecs.soton.ac.uk Wed Nov 5 19:21:21 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Nov 5 19:21:43 2008 Subject: Clamav 0.94.1 released In-Reply-To: <490F512D.60900@maddoc.net> References: <490F512D.60900@maddoc.net> Message-ID: <4911F231.3070502@ecs.soton.ac.uk> Just done it. Thanks for the info. Doc Schneider wrote: > So Jules can add this to his CLAM-SA tarball. > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From glenn.steen at gmail.com Wed Nov 5 19:17:00 2008 
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Nov 5 19:27:14 2008 Subject: Message rules don't work, but if message forwarded, it does??? In-Reply-To: <43F62CA225017044BC84CFAF92B4333B035FB3@sbsserver.Techquility.net> References: <4910E415.4050502@rheel.co.nz> <43F62CA225017044BC84CFAF92B4333B035FB3@sbsserver.Techquility.net> Message-ID: <223f97700811051117g2d4b91c5g4cda816ac8e2e862@mail.gmail.com> 2008/11/5 Chris Barber : > Hi All, > > Having a strange issue, maybe someone has seen this before. I have some > spam emails that are getting through the server. If a user then forwards > that spam message to me, going through the server again, it does get > caught. > > A specific example is this: > Message comes through and hit no rules at all. > Message is forwarded and hits two URIBL rules for a URL in the message. > > Strange thing is that the URL was in the message originally so it should > have hit the rule. > > Can anyone help me shed some light onto this? > > Running MailScanner 4.72.5-1 on CentOS 5 > > Thanks, > Chris Hi Chris, you wouldn't be whitelisting by email address alone, now would you? That would indeed explain such a thing....;-) When you look at it (in the logs etc), make sure you are looking at the envelope sender/recipient(s), since those are the ones MS use... Not the From:/To: headers... Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From MailScanner at ecs.soton.ac.uk Wed Nov 5 19:27:15 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Nov 5 19:27:37 2008 Subject: Bug in SweepOther.pm? In-Reply-To: References: Message-ID: <4911F393.8020707@ecs.soton.ac.uk> Symon Chalk wrote: > I had an issue come up today with MailScanner, quite why it only > suddenly surfaced I don't know (I'm guessing someone did an update on > the server and hasn't fessed up). > > Anyway, the issue was that MailScanner would continually cycle over > the same messages time and again, never actually processing them > (although it'd virus and SpamAssassin scan them, just not deliver them > on). The only error was in /var/log/messages, being variations on the > following: "Process did not exit cleanly, returned 255 with signal 0". > > Running check_MailScanner with Debug = yes and Debug SpamAssassin = > yes turned up the following error: "Unmatched ) in regex; marked by > <-- HERE in m/\.[a-z0-9]{3}) <-- HERE \1$/ at > /usr/lib/MailScanner/MailScanner/SweepOther.pm line 273." > > I took a look at that file and couldn't see anything obviously wrong, > although it's hard to tell as the regex is actually being passed in as > a variable. To get round the problem I added the following: "$regex = > quotemeta ($regex);" just before that line, which cured the problem > and doesn't seem to have broken anything else (check_MailScanner > returned no problems and the server is now processing mail correctly). > > Any thoughts on what could have caused this and whether my fix is okay? Your fix is not okay. You will have broken your filename.rules.conf filename rules. Check your rule for the double-extension trapping and see if you have deleted or added a bracket by mistake. Or else the 2 new rules above that which mention days of the week or months of the year. I suspect someone added the 2 new rules there, and didn't get it quite right when they were copying them into your customised filename.rules.conf. > > TIA, > > Symon. 
Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From campbell at cnpapers.com Wed Nov 5 19:57:13 2008 
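Added example, not part of the thread and not MailScanner's own code: a Perl check along the lines of Julian's reply above, which compiles each rule's regex to find the damaged line and then shows why the quotemeta workaround hides the error while turning a working rule into a literal string that no longer matches attachment names. The rule lines and the attachment name are constructed, the tab-separated four-field layout is an assumption, and the damaged pattern is the fragment quoted in the error message in the thread.

```perl
#!/usr/bin/perl
# Added example: lint filename-rule regexes, and show what quotemeta does to one.
use strict;
use warnings;

# Constructed rule lines. Assumed layout: action, regex, log text, user text,
# separated by tabs. The second pattern is the fragment from the error message.
my @lines = (
    '# constructed sample rules',
    join("\t", 'deny',  '\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$',
               'Possible filename hiding', 'Double extension'),
    join("\t", 'deny',  '\.[a-z0-9]{3})\1$', 'Damaged rule', 'Damaged rule'),
    join("\t", 'allow', '\.txt$', '-', '-'),
);

# Compile a pattern as a case-insensitive regex; return the error text or undef.
sub compile_error {
    my ($regex) = @_;
    my $ok = eval { my $re = qr/$regex/i; 1 };
    return undef if $ok;
    (my $err = $@) =~ s/ at \S+ line \d+\.?\s*\z//;   # drop "at FILE line N."
    return $err;
}

# Return one record per rule line whose regex is missing or does not compile.
sub lint_rules {
    my @bad;
    my $n = 0;
    for my $line (@_) {
        $n++;
        next if $line =~ /^\s*(?:#|$)/;               # comments and blank lines
        my (undef, $regex) = split /\t+/, $line;
        my $err = defined $regex ? compile_error($regex) : 'no regex field';
        push @bad, { line => $n, regex => $regex, error => $err } if defined $err;
    }
    return @bad;
}

# Would this pattern catch this attachment name?
sub blocks {
    my ($regex, $name) = @_;
    return $name =~ /$regex/i ? 1 : 0;
}

# Step 1: report which rule line is damaged instead of masking it.
for my $bad (lint_rules(@lines)) {
    printf "line %d: %s\n  pattern: %s\n",
        $bad->{line}, $bad->{error}, $bad->{regex} // '(none)';
}

# Step 2: the workaround from the thread makes any pattern compile ...
my $damaged = '\.[a-z0-9]{3})\1$';
printf "damaged rule after quotemeta compiles: %s\n",
    defined compile_error(quotemeta($damaged)) ? 'no' : 'yes';

# ... but it also turns a working deny rule into a literal string.
my $rule = '\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$';
my $name = 'invoice.pdf.exe';                         # constructed attachment name
printf "%-16s %s\n", 'rule as written:',
    blocks($rule, $name) ? 'blocked' : 'missed';
printf "%-16s %s\n", 'after quotemeta:',
    blocks(quotemeta($rule), $name) ? 'blocked' : 'missed';
```

Running a check like this against a customised rules file before restarting the scanner points at the line to repair, so the double-extension rule keeps its meaning.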
From: campbell at cnpapers.com (Steve Campbell) Date: Wed Nov 5 19:57:34 2008 Subject: can't quite get clamd working properly In-Reply-To: <4911E2D4.4020704@cnpapers.com> References: <4910E415.4050502@rheel.co.nz> <4910FE85.1050807@rheel.co.nz> <4911D080.8090906@cnpapers.com> <4911E17F.4050903@tippingmar.com> <4911E2D4.4020704@cnpapers.com> Message-ID: <4911FA99.8090401@cnpapers.com> Steve Campbell wrote: > Thanks very much, Mark. > > Steve > > Mark Nienberg wrote: >> Steve Campbell wrote: >>> >>> Thanks for the specific link, but I'm a little confused about where >>> I go to uninstall the old ClamAV if I used Julian's install script, >>> install.sh. It might be hitting me in the face, but I'm not able to >>> find mine using the documentation, and reading the install.sh >>> doesn't seem to point me there either. >>> >> untar the install-Clam-SA.tar.gz file >> >> cd into the directory it creates >> >> cd into perl-tar directory >> >> untar the clamav.tar.gz file >> >> cd into the directory it creates >> >> ./configure >> make uninstall >> >> >> >> Mark Nienberg OK, the fog is rolling in again. Some more explaining is in order. I see that I need to install the clamav, clamav-db, and clamd rpms. The clamav versions on Dag's repo is only at 0.92.1-1, while Julian just released 0.94.1. I've trashed my rpm DB, and am building it from scratch, so I can't tell if the rpmsource rpms are any newer. What versions of what should I be using, and does Julians ClamAV-SA install the proper clamd or just the clamavmodule and clamav stuff? Sorry to be so dense, but the fog is rolling. Thanks Steve From ssilva at sgvwater.com Wed Nov 5 20:10:14 2008 
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Nov 5 20:10:33 2008 Subject: can't quite get clamd working properly In-Reply-To: <4911FA99.8090401@cnpapers.com> References: <4910E415.4050502@rheel.co.nz> <4910FE85.1050807@rheel.co.nz> <4911D080.8090906@cnpapers.com> <4911E17F.4050903@tippingmar.com> <4911E2D4.4020704@cnpapers.com> <4911FA99.8090401@cnpapers.com> Message-ID: on 11-5-2008 11:57 AM Steve Campbell spake the following: > > > Steve Campbell wrote: >> Thanks very much, Mark. >> >> Steve >> >> Mark Nienberg wrote: >>> Steve Campbell wrote: >>>> >>>> Thanks for the specific link, but I'm a little confused about where >>>> I go to uninstall the old ClamAV if I used Julian's install script, >>>> install.sh. It might be hitting me in the face, but I'm not able to >>>> find mine using the documentation, and reading the install.sh >>>> doesn't seem to point me there either. >>>> >>> untar the install-Clam-SA.tar.gz file >>> >>> cd into the directory it creates >>> >>> cd into perl-tar directory >>> >>> untar the clamav.tar.gz file >>> >>> cd into the directory it creates >>> >>> ./configure >>> make uninstall >>> >>> >>> >>> Mark Nienberg > > OK, the fog is rolling in again. Some more explaining is in order. > > I see that I need to install the clamav, clamav-db, and clamd rpms. The > clamav versions on Dag's repo is only at 0.92.1-1, while Julian just > released 0.94.1. I've trashed my rpm DB, and am building it from > scratch, so I can't tell if the rpmsource rpms are any newer. > > What versions of what should I be using, and does Julians ClamAV-SA > install the proper clamd or just the clamavmodule and clamav stuff? > > Sorry to be so dense, but the fog is rolling. Thanks > > Steve > You can't download the files from Dag's website reliably anymore. You have to enable the rpmforge yum repo to get up-to-data clamav rpm's. I know it works, because I just did it less than an hour ago. I also converted my last holdout box from the perl module to clamd. 
-- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From doc at maddoc.net Wed Nov 5 20:11:03 2008 
From: doc at maddoc.net (Doc Schneider) Date: Wed Nov 5 20:11:19 2008 Subject: can't quite get clamd working properly In-Reply-To: <4911FA99.8090401@cnpapers.com> References: <4910E415.4050502@rheel.co.nz> <4910FE85.1050807@rheel.co.nz> <4911D080.8090906@cnpapers.com> <4911E17F.4050903@tippingmar.com> <4911E2D4.4020704@cnpapers.com> <4911FA99.8090401@cnpapers.com> Message-ID: <4911FDD7.2090204@maddoc.net> Steve Campbell wrote: > > > Steve Campbell wrote: >> Thanks very much, Mark. >> >> Steve >> >> Mark Nienberg wrote: >>> Steve Campbell wrote: >>>> >>>> Thanks for the specific link, but I'm a little confused about where >>>> I go to uninstall the old ClamAV if I used Julian's install script, >>>> install.sh. It might be hitting me in the face, but I'm not able to >>>> find mine using the documentation, and reading the install.sh >>>> doesn't seem to point me there either. >>>> >>> untar the install-Clam-SA.tar.gz file >>> >>> cd into the directory it creates >>> >>> cd into perl-tar directory >>> >>> untar the clamav.tar.gz file >>> >>> cd into the directory it creates >>> >>> ./configure >>> make uninstall >>> >>> >>> >>> Mark Nienberg > > OK, the fog is rolling in again. Some more explaining is in order. > > I see that I need to install the clamav, clamav-db, and clamd rpms. The > clamav versions on Dag's repo is only at 0.92.1-1, while Julian just > released 0.94.1. I've trashed my rpm DB, and am building it from > scratch, so I can't tell if the rpmsource rpms are any newer. > > What versions of what should I be using, and does Julians ClamAV-SA > install the proper clamd or just the clamavmodule and clamav stuff? > > Sorry to be so dense, but the fog is rolling. Thanks > > Steve > http://rpmforge.sw.be/redhat/ and pick your os versions. -- -Doc Lincoln, NE. http://www.fsl.com/ http://www.genealogyforyou.com/ http://www.cairnproductions.com/ From bbecken at aafp.org Wed Nov 5 20:13:42 2008 
From: bbecken at aafp.org (Brad Beckenhauer) Date: Wed Nov 5 20:14:21 2008 Subject: Clamav 0.94.1 released In-Reply-To: <4911F231.3070502@ecs.soton.ac.uk> References: <490F512D.60900@maddoc.net> <4911F231.3070502@ecs.soton.ac.uk> Message-ID: Julian Field wrote: > Just done it. Thanks for the info. Installing the tarball now. Is this a new naming format for the tarball? install-Clam-SA-latest.tar.gz Old file name style was: install-Clam-0.94-SA-3.2.5.tar.gz Brad > > Doc Schneider wrote: >> So Jules can add this to his CLAM-SA tarball. >> >> > > Jules > From campbell at cnpapers.com Wed Nov 5 20:15:15 2008 
From: campbell at cnpapers.com (Steve Campbell) Date: Wed Nov 5 20:15:27 2008 Subject: can't quite get clamd working properly In-Reply-To: References: <4910E415.4050502@rheel.co.nz> <4910FE85.1050807@rheel.co.nz> <4911D080.8090906@cnpapers.com> <4911E17F.4050903@tippingmar.com> <4911E2D4.4020704@cnpapers.com> <4911FA99.8090401@cnpapers.com> Message-ID: <4911FED3.1030001@cnpapers.com> Scott Silva wrote: > on 11-5-2008 11:57 AM Steve Campbell spake the following: > >> Steve Campbell wrote: >> >>> Thanks very much, Mark. >>> >>> Steve >>> >>> Mark Nienberg wrote: >>> >>>> Steve Campbell wrote: >>>> >>>>> Thanks for the specific link, but I'm a little confused about where >>>>> I go to uninstall the old ClamAV if I used Julian's install script, >>>>> install.sh. It might be hitting me in the face, but I'm not able to >>>>> find mine using the documentation, and reading the install.sh >>>>> doesn't seem to point me there either. >>>>> >>>>> >>>> untar the install-Clam-SA.tar.gz file >>>> >>>> cd into the directory it creates >>>> >>>> cd into perl-tar directory >>>> >>>> untar the clamav.tar.gz file >>>> >>>> cd into the directory it creates >>>> >>>> ./configure >>>> make uninstall >>>> >>>> >>>> >>>> Mark Nienberg >>>> >> OK, the fog is rolling in again. Some more explaining is in order. >> >> I see that I need to install the clamav, clamav-db, and clamd rpms. The >> clamav versions on Dag's repo is only at 0.92.1-1, while Julian just >> released 0.94.1. I've trashed my rpm DB, and am building it from >> scratch, so I can't tell if the rpmsource rpms are any newer. >> >> What versions of what should I be using, and does Julians ClamAV-SA >> install the proper clamd or just the clamavmodule and clamav stuff? >> >> Sorry to be so dense, but the fog is rolling. Thanks >> >> Steve >> >> > You can't download the files from Dag's website reliably anymore. You have to > enable the rpmforge yum repo to get up-to-data clamav rpm's. 
> > I know it works, because I just did it less than an hour ago. > I also converted my last holdout box from the perl module to clamd. > > OK, thanks. The rpmsource repos is turned on. It sort of botched my DBs, so after rebuilding them, I'll see what goes on. Thanks Scott. From campbell at cnpapers.com Wed Nov 5 20:16:15 2008 
From: campbell at cnpapers.com (Steve Campbell) Date: Wed Nov 5 20:16:33 2008 Subject: can't quite get clamd working properly In-Reply-To: References: <4910E415.4050502@rheel.co.nz> <4910FE85.1050807@rheel.co.nz> <4911D080.8090906@cnpapers.com> <4911E17F.4050903@tippingmar.com> <4911E2D4.4020704@cnpapers.com> <4911FA99.8090401@cnpapers.com> Message-ID: <4911FF0F.3060702@cnpapers.com> That was supposed to say rpmforge repos. Steve Scott Silva wrote: > on 11-5-2008 11:57 AM Steve Campbell spake the following: > >> Steve Campbell wrote: >> >>> Thanks very much, Mark. >>> >>> Steve >>> >>> Mark Nienberg wrote: >>> >>>> Steve Campbell wrote: >>>> >>>>> Thanks for the specific link, but I'm a little confused about where >>>>> I go to uninstall the old ClamAV if I used Julian's install script, >>>>> install.sh. It might be hitting me in the face, but I'm not able to >>>>> find mine using the documentation, and reading the install.sh >>>>> doesn't seem to point me there either. >>>>> >>>>> >>>> untar the install-Clam-SA.tar.gz file >>>> >>>> cd into the directory it creates >>>> >>>> cd into perl-tar directory >>>> >>>> untar the clamav.tar.gz file >>>> >>>> cd into the directory it creates >>>> >>>> ./configure >>>> make uninstall >>>> >>>> >>>> >>>> Mark Nienberg >>>> >> OK, the fog is rolling in again. Some more explaining is in order. >> >> I see that I need to install the clamav, clamav-db, and clamd rpms. The >> clamav versions on Dag's repo is only at 0.92.1-1, while Julian just >> released 0.94.1. I've trashed my rpm DB, and am building it from >> scratch, so I can't tell if the rpmsource rpms are any newer. >> >> What versions of what should I be using, and does Julians ClamAV-SA >> install the proper clamd or just the clamavmodule and clamav stuff? >> >> Sorry to be so dense, but the fog is rolling. Thanks >> >> Steve >> >> > You can't download the files from Dag's website reliably anymore. 
You have to > enable the rpmforge yum repo to get up-to-data clamav rpm's. > > I know it works, because I just did it less than an hour ago. > I also converted my last holdout box from the perl module to clamd. > > > From MailScanner at ecs.soton.ac.uk Wed Nov 5 20:23:14 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Nov 5 20:23:35 2008 Subject: can't quite get clamd working properly In-Reply-To: <4911FDD7.2090204@maddoc.net> References: <4910E415.4050502@rheel.co.nz> <4910FE85.1050807@rheel.co.nz> <4911D080.8090906@cnpapers.com> <4911E17F.4050903@tippingmar.com> <4911E2D4.4020704@cnpapers.com> <4911FA99.8090401@cnpapers.com> <4911FDD7.2090204@maddoc.net> Message-ID: <491200B2.1000701@ecs.soton.ac.uk> Doc Schneider wrote: > Steve Campbell wrote: >> >> >> Steve Campbell wrote: >>> Thanks very much, Mark. >>> >>> Steve >>> >>> Mark Nienberg wrote: >>>> Steve Campbell wrote: >>>>> >>>>> Thanks for the specific link, but I'm a little confused about >>>>> where I go to uninstall the old ClamAV if I used Julian's install >>>>> script, install.sh. It might be hitting me in the face, but I'm >>>>> not able to find mine using the documentation, and reading the >>>>> install.sh doesn't seem to point me there either. >>>>> >>>> untar the install-Clam-SA.tar.gz file >>>> >>>> cd into the directory it creates >>>> >>>> cd into perl-tar directory >>>> >>>> untar the clamav.tar.gz file >>>> >>>> cd into the directory it creates >>>> >>>> ./configure >>>> make uninstall >>>> >>>> >>>> >>>> Mark Nienberg >> >> OK, the fog is rolling in again. Some more explaining is in order. >> >> I see that I need to install the clamav, clamav-db, and clamd rpms. >> The clamav versions on Dag's repo is only at 0.92.1-1, while Julian >> just released 0.94.1. I've trashed my rpm DB, and am building it from >> scratch, so I can't tell if the rpmsource rpms are any newer. >> >> What versions of what should I be using, and does Julians ClamAV-SA >> install the proper clamd or just the clamavmodule and clamav stuff? >> >> Sorry to be so dense, but the fog is rolling. Thanks >> >> Steve >> > > > http://rpmforge.sw.be/redhat/ and pick your os versions. > > > cd /usr/local find . -name '*clam*' -print Then delete everything it finds. 
That will remove everything related to the ClamAV installation created by my ClamAV+SpamAssassin package. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Wed Nov 5 20:24:48 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Nov 5 20:25:11 2008 Subject: Clamav 0.94.1 released In-Reply-To: References: <490F512D.60900@maddoc.net> <4911F231.3070502@ecs.soton.ac.uk> Message-ID: <49120110.1050409@ecs.soton.ac.uk> Brad Beckenhauer wrote: > Julian Field wrote: >> Just done it. Thanks for the info. > Installing the tarball now. > > Is this a new naming format for the tarball? It's just an addition, to make it easier for people who script the download. The new "-latest" file is just a link to the old naming convention with the version numbers in there. So you can use either. Making the links on the downloads page point to the "-latest" version just reduces the number of edits I need to make when I release a new version of it. You can use whichever you prefer. > > install-Clam-SA-latest.tar.gz > > Old file name style was: > install-Clam-0.94-SA-3.2.5.tar.gz > > Brad > >> >> Doc Schneider wrote: >>> So Jules can add this to his CLAM-SA tarball. >>> >>> >> >> Jules >> > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From cbarber at techquility.net Wed Nov 5 20:38:39 2008 
From: cbarber at techquility.net (Chris Barber) Date: Wed Nov 5 20:38:50 2008 Subject: Message rules don't work, but if message forwarded, it does??? In-Reply-To: <223f97700811051117g2d4b91c5g4cda816ac8e2e862@mail.gmail.com> References: <4910E415.4050502@rheel.co.nz><43F62CA225017044BC84CFAF92B4333B035FB3@sbsserver.Techquility.net> <223f97700811051117g2d4b91c5g4cda816ac8e2e862@mail.gmail.com> Message-ID: <43F62CA225017044BC84CFAF92B4333B035FB8@sbsserver.Techquility.net> 2008/11/5 Chris Barber : > Hi All, > > Having a strange issue, maybe someone has seen this before. I have some > spam emails that are getting through the server. If a user then forwards > that spam message to me, going through the server again, it does get > caught. > > A specific example is this: > Message comes through and hit no rules at all. > Message is forwarded and hits two URIBL rules for a URL in the message. > > Strange thing is that the URL was in the message originally so it should > have hit the rule. > > Can anyone help me shed some light onto this? > > Running MailScanner 4.72.5-1 on CentOS 5 > > Thanks, > Chris >Hi Chris, > >you wouldn't be whitelisting by email address alone, now would you? >That would indeed explain such a thing....;-) >When you look at it (in the logs etc), make sure you are looking at >the envelope sender/recipient(s), since those are the ones MS use... >Not the From:/To: headers... > >Cheers >-- >-- Glenn >email: glenn < dot > steen < at > gmail < dot > com >work: glenn < dot > steen < at > ap1 < dot > se Glenn, Thanks for the reply. You had me scared for a second there, but no there was no white listing going on. I verified the envelope addresses. This issue seems to happen randomly a least a couple times a day to some users. Any other ideas? Thanks, Chris From bbecken at aafp.org Wed Nov 5 20:45:57 2008 
From: bbecken at aafp.org (Brad Beckenhauer) Date: Wed Nov 5 20:46:32 2008 Subject: Clamav 0.94.1 released In-Reply-To: <49120110.1050409@ecs.soton.ac.uk> References: <490F512D.60900@maddoc.net> <4911F231.3070502@ecs.soton.ac.uk> <49120110.1050409@ecs.soton.ac.uk> Message-ID: Julian Field wrote: > > > Brad Beckenhauer wrote: >> Julian Field wrote: >>> Just done it. Thanks for the info. >> Installing the tarball now. >> >> Is this a new naming format for the tarball? > It's just an addition, to make it easier for people who script the > download. The new "-latest" file is just a link to the old naming > convention with the version numbers in there. So you can use either. > Making the links on the downloads page point to the "-latest" version > just reduces the number of edits I need to make when I release a new > version of it. You can use whichever you prefer. Yea! I've been hoping for that option for a long time. Any chance you also make a "-latest" for the MailScanner installs too? >> >> install-Clam-SA-latest.tar.gz >> >> Old file name style was: >> install-Clam-0.94-SA-3.2.5.tar.gz >> >> Brad >> >>> >>> Doc Schneider wrote: >>>> So Jules can add this to his CLAM-SA tarball. >>>> >>>> >>> >>> Jules >>> >> > > Jules > From kate at rheel.co.nz Wed Nov 5 21:40:03 2008 
From: kate at rheel.co.nz (Kate Kleinschafer)
Date: Wed Nov 5 21:38:46 2008
Subject: can't quite get clamd working properly
In-Reply-To: References: <4910E415.4050502@rheel.co.nz> <4911010D.7080800@rheel.co.nz>
Message-ID: <491212B3.2050704@rheel.co.nz>

René Berber wrote:
> Kate Kleinschafer wrote:
>
>> René Berber wrote:
>>
>>> Kate Kleinschafer wrote:
>>>
>>>> I am getting the error Cannot find Socket (/tmp/clamd) Exiting!
>>>>
>>> That means you have more than one installation (of whatever is
>>> "Exiting!") and the old version is the one writing that complaint (long,
>>> long ago, clamd used /tmp/clamd as default name for the socket, of
>>> course you could still use it with newer versions but since you showed
>>> your configuration is different...)
>>>
>> hmmm I think I have only installed clamav once. This is a new server
>> that I have built and I don't think I have it installed twice.
>>
>
> Sorry for the double answer, but I don't think clamav is the one doing
> the complaining, it is something else (that's why I said *whatever* is
> "Exiting!") which should be clear with the complete log line.
>
> Whatever is complaining is the one that expects /tmp/clamd as a socket
> name. Do you have clamdwatch or similar?
>
I don't think I have clamdwatch - I checked the logs and the full lines were

LOCAL: Removing stale socket file /tmp/clamd.socket
LOCAL: Unix socket file /tmp/clamd.socket

I'm wondering if it was because in the virus.scanners.conf I had the lines

clamav /usr/lib/MailScanner/clamav-wrapper /usr/local
clamd /bin/false /usr/local
clamavmodule /bin/false /tmp

I have now changed them to

clamav /usr/lib/MailScanner/clamav-wrapper /usr
clamd /bin/false /usr
clamavmodule /bin/false /usr

so hopefully this will fix the problem.

Thank you very much for your help with this.

Kate
From Kevin_Miller at ci.juneau.ak.us Wed Nov 5 21:39:39 2008 
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Wed Nov 5 21:39:51 2008 Subject: OT: Why out of office messages are evil. Message-ID: OK, for those of you having a bad day, here's a modicum of levity that is, well, sorta tangentially on topic. Enjoy. http://news.bbc.co.uk/2/hi/uk_news/wales/7702913.stm Hope it helps. With the bad day that is... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From glenn.steen at gmail.com Wed Nov 5 22:19:31 2008 
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Nov 5 22:19:42 2008 Subject: Message rules don't work, but if message forwarded, it does??? In-Reply-To: <43F62CA225017044BC84CFAF92B4333B035FB8@sbsserver.Techquility.net> References: <4910E415.4050502@rheel.co.nz> <43F62CA225017044BC84CFAF92B4333B035FB3@sbsserver.Techquility.net> <223f97700811051117g2d4b91c5g4cda816ac8e2e862@mail.gmail.com> <43F62CA225017044BC84CFAF92B4333B035FB8@sbsserver.Techquility.net> Message-ID: <223f97700811051419r7982975fi34b25598b91ed1ca@mail.gmail.com> 2008/11/5 Chris Barber : > 2008/11/5 Chris Barber : >> Hi All, >> >> Having a strange issue, maybe someone has seen this before. I have > some >> spam emails that are getting through the server. If a user then > forwards >> that spam message to me, going through the server again, it does get >> caught. >> >> A specific example is this: >> Message comes through and hit no rules at all. >> Message is forwarded and hits two URIBL rules for a URL in the > message. >> >> Strange thing is that the URL was in the message originally so it > should >> have hit the rule. >> >> Can anyone help me shed some light onto this? >> >> Running MailScanner 4.72.5-1 on CentOS 5 >> >> Thanks, >> Chris > >>Hi Chris, >> >>you wouldn't be whitelisting by email address alone, now would you? >>That would indeed explain such a thing....;-) >>When you look at it (in the logs etc), make sure you are looking at >>the envelope sender/recipient(s), since those are the ones MS use... >>Not the From:/To: headers... >> >>Cheers >>-- >>-- Glenn >>email: glenn < dot > steen < at > gmail < dot > com >>work: glenn < dot > steen < at > ap1 < dot > se > > > Glenn, > > Thanks for the reply. You had me scared for a second there, but no there > was no white listing going on. I verified the envelope addresses. This > issue seems to happen randomly a least a couple times a day to some > users. > > Any other ideas? 
> > Thanks, > Chris > Didn't mean to scare you, just point at one (semi-obvious:-) possibility....:-) When it happens do you see anything ... curious .... in the logs? Nothing about "Unscanned" messages or timeouts or suchlike? Also... Tell a bit about versions etc, since this just might be a known bug/issue... Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From hvdkooij at vanderkooij.org Wed Nov 5 22:57:03 2008 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Wed Nov 5 22:57:19 2008 Subject: OT: Why out of office messages are evil. In-Reply-To: References: Message-ID: <491224BF.6000603@vanderkooij.org> Kevin Miller wrote: > OK, for those of you having a bad day, here's a modicum of levity that > is, well, sorta tangentially on topic. Enjoy. > http://news.bbc.co.uk/2/hi/uk_news/wales/7702913.stm > > Hope it helps. With the bad day that is... It just might. But will it stop stupid auto responders? Perhaps they can add a X-I-am-a-braindead-autoresponder header to those messages? Then we can just filter them out and be done with them on mailinglists. Maybe we should write up a RFC to make it mandatory for any autoresponder. (BTW: anyone familiar with formatting a RFC style text?) Hugo. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. Nid wyf yn y swyddfa ar hyn o bryd. Anfonwch unrhyw waith i'w gyfieithu. From jethro.binks at strath.ac.uk Wed Nov 5 23:12:11 2008 
From: jethro.binks at strath.ac.uk (Jethro R Binks) Date: Wed Nov 5 23:12:42 2008 Subject: OT: Why out of office messages are evil. In-Reply-To: <491224BF.6000603@vanderkooij.org> References: <491224BF.6000603@vanderkooij.org> Message-ID: On Wed, 5 Nov 2008, Hugo van der Kooij wrote: > Perhaps they can add a X-I-am-a-braindead-autoresponder header to those > messages? Then we can just filter them out and be done with them on > mailinglists. > > Maybe we should write up a RFC to make it mandatory for any > autoresponder. (BTW: anyone familiar with formatting a RFC style text?) Someone already did, see: http://www.rfc-editor.org/rfc/rfc3834.txt and in particular the Auto-Submitted: header. Jethro. -- . . . . . . . . . . . . . . . . . . . . . . . . . Jethro R Binks Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK From ssilva at sgvwater.com Wed Nov 5 23:17:08 2008 
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Nov 5 23:17:33 2008 Subject: can't quite get clamd working properly In-Reply-To: <491212B3.2050704@rheel.co.nz> References: <4910E415.4050502@rheel.co.nz> <4911010D.7080800@rheel.co.nz> <491212B3.2050704@rheel.co.nz> Message-ID: on 11-5-2008 1:40 PM Kate Kleinschafer spake the following: > René Berber wrote: >> Kate Kleinschafer wrote: >> >> >>> René Berber wrote: >>> >>>> Kate Kleinschafer wrote: >>>> >>>> >>>> >>>>> I am getting the error Cannot find Socket (/tmp/clamd) Exiting! >>>>> >>>> That means you have more than one installation (of whatever is >>>> "Exiting!") and the old version is the one writing that complaint >>>> (long, >>>> long ago, clamd used /tmp/clamd as default name for the socket, of >>>> course you could still use it with newer versions but since you showed >>>> your configuration is different...) >>>> >>> hmmm I think I have only installed clamav once. This is a new server >>> that I have built and I don't think I have it installed twice. >>> >> >> Sorry for the double answer, but I don't think clamav is the one doing >> the complaining, it is something else (that's why I said *whatever* is >> "Exiting!") which should be clear with the complete log line. >> >> Whatever is complaining is the one that expects /tmp/clamd as a socket >> name. Do you have clamdwatch or similar? >> > I don't think I have clamdwatch - I checked the logs and the full lines > were > LOCAL: Removing stale socket file /tmp/clamd.socket > LOCAL: Unix socket file /tmp/clamd.socket > > I'm wondering if it was because in the virus.scanners.conf I had the lines > clamav /usr/lib/MailScanner/clamav-wrapper /usr/local > clamd /bin/false /usr/local > clamavmodule /bin/false /tmp > > I have now changed them to > clamav /usr/lib/MailScanner/clamav-wrapper /usr > clamd /bin/false /usr > clamavmodule /bin/false /usr > > so hopefully this will fix the problem. > > Thank you very much for your help with this. 
> Kate > Editing that was also in the document on the wiki that was posted earlier in the thread. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Wed Nov 5 23:18:11 2008 
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Nov 5 23:20:13 2008 Subject: Message rules don't work, but if message forwarded, it does??? In-Reply-To: <43F62CA225017044BC84CFAF92B4333B035FB8@sbsserver.Techquility.net> References: <4910E415.4050502@rheel.co.nz><43F62CA225017044BC84CFAF92B4333B035FB3@sbsserver.Techquility.net> <223f97700811051117g2d4b91c5g4cda816ac8e2e862@mail.gmail.com> <43F62CA225017044BC84CFAF92B4333B035FB8@sbsserver.Techquility.net> Message-ID: on 11-5-2008 12:38 PM Chris Barber spake the following: > 2008/11/5 Chris Barber : >> Hi All, >> >> Having a strange issue, maybe someone has seen this before. I have > some >> spam emails that are getting through the server. If a user then > forwards >> that spam message to me, going through the server again, it does get >> caught. >> >> A specific example is this: >> Message comes through and hit no rules at all. >> Message is forwarded and hits two URIBL rules for a URL in the > message. >> Strange thing is that the URL was in the message originally so it > should >> have hit the rule. >> >> Can anyone help me shed some light onto this? >> >> Running MailScanner 4.72.5-1 on CentOS 5 >> >> Thanks, >> Chris > >> Hi Chris, >> >> you wouldn't be whitelisting by email address alone, now would you? >> That would indeed explain such a thing....;-) >> When you look at it (in the logs etc), make sure you are looking at >> the envelope sender/recipient(s), since those are the ones MS use... >> Not the From:/To: headers... >> >> Cheers >> -- >> -- Glenn >> email: glenn < dot > steen < at > gmail < dot > com >> work: glenn < dot > steen < at > ap1 < dot > se > > > Glenn, > > Thanks for the reply. You had me scared for a second there, but no there > was no white listing going on. I verified the envelope addresses. This > issue seems to happen randomly a least a couple times a day to some > users. > > Any other ideas? 
> > Thanks, > Chris > Do these messages have anything in common like being posted to many users at once? -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Wed Nov 5 23:26:47 2008 
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Nov 5 23:27:05 2008 Subject: OT: Why out of office messages are evil. In-Reply-To: <491224BF.6000603@vanderkooij.org> References: <491224BF.6000603@vanderkooij.org> Message-ID: on 11-5-2008 2:57 PM Hugo van der Kooij spake the following: > Kevin Miller wrote: >> OK, for those of you having a bad day, here's a modicum of levity that >> is, well, sorta tangentially on topic. Enjoy. >> http://news.bbc.co.uk/2/hi/uk_news/wales/7702913.stm > >> Hope it helps. With the bad day that is... > > It just might. But will it stop stupid auto responders? > > Perhaps they can add a X-I-am-a-braindead-autoresponder header to those > messages? Then we can just filter them out and be done with them on > mailinglists. > > Maybe we should write up a RFC to make it mandatory for any > autoresponder. (BTW: anyone familiar with formatting a RFC style text?) > > Hugo. > http://www.rfc-editor.org/howtopub.html will give you everything you need, and probably a headache to go with it. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From kate at rheel.co.nz Wed Nov 5 23:31:34 2008 
From: kate at rheel.co.nz (Kate Kleinschafer) Date: Wed Nov 5 23:30:37 2008 Subject: can't quite get clamd working properly In-Reply-To: References: <4910E415.4050502@rheel.co.nz> <4911010D.7080800@rheel.co.nz> <491212B3.2050704@rheel.co.nz> Message-ID: <49122CD6.8010201@rheel.co.nz> Scott Silva wrote: > on 11-5-2008 1:40 PM Kate Kleinschafer spake the following: > >> René Berber wrote: >> >>> Kate Kleinschafer wrote: >>> >>> >>> >>>> René Berber wrote: >>>> >>>> >>>>> Kate Kleinschafer wrote: >>>>> >>>>> >>>>> >>>>> >>>>>> I am getting the error Cannot find Socket (/tmp/clamd) Exiting! >>>>>> >>>>>> >>>>> That means you have more than one installation (of whatever is >>>>> "Exiting!") and the old version is the one writing that complaint >>>>> (long, >>>>> long ago, clamd used /tmp/clamd as default name for the socket, of >>>>> course you could still use it with newer versions but since you showed >>>>> your configuration is different...) >>>>> >>>>> >>>> hmmm I think I have only installed clamav once. This is a new server >>>> that I have built and I don't think I have it installed twice. >>>> >>>> >>> Sorry for the double answer, but I don't think clamav is the one doing >>> the complaining, it is something else (that's why I said *whatever* is >>> "Exiting!") which should be clear with the complete log line. >>> >>> Whatever is complaining is the one that expects /tmp/clamd as a socket >>> name. Do you have clamdwatch or similar? 
>>> >>> >> I don't think I have clamdwatch - I checked the logs and the full lines >> were >> LOCAL: Removing stale socket file /tmp/clamd.socket >> LOCAL: Unix socket file /tmp/clamd.socket >> >> I'm wondering if it was because in the virus.scanners.conf I had the lines >> clamav /usr/lib/MailScanner/clamav-wrapper /usr/local >> clamd /bin/false /usr/local >> clamavmodule /bin/false /tmp >> >> I have now changed them to >> clamav /usr/lib/MailScanner/clamav-wrapper /usr >> clamd /bin/false /usr >> clamavmodule /bin/false /usr >> >> so hopefully this will fix the problem. >> >> Thank you very much for your help with this. >> Kate >> >> > Editing that was also in the document on the wiki that was posted earlier in > the thread. > > Yeah that was where I found it. The original document I followed wasn't as clear as this one on what to do. Thanks again Kate From maxsec at gmail.com Thu Nov 6 07:56:58 2008 
From: maxsec at gmail.com (Martin Hepworth) Date: Thu Nov 6 07:57:08 2008 Subject: ClamAV In-Reply-To: <43F62CA225017044BC84CFAF92B4333B035FB4@sbsserver.Techquility.net> References: <4910E415.4050502@rheel.co.nz> <4910FE85.1050807@rheel.co.nz> <4911B317.7060707@cegep-ste-foy.qc.ca> <72cf361e0811050717u1f39c2ebm2ba936c049cd63a5@mail.gmail.com> <43F62CA225017044BC84CFAF92B4333B035FB4@sbsserver.Techquility.net> Message-ID: <72cf361e0811052356t1266c354m11fe5a7e12c485bd@mail.gmail.com> Chris, in a word - no! Never done any comparisons, but with clamd support built into MS and MW it all hangs together a lot nicer. -- martin On Wed, Nov 5, 2008 at 5:52 PM, Chris Barber wrote: > Martin, > > Do you have any speed comparison data as far as clamsmtp vs clamd with > MailScanner? > > Chris > > >>I find the clamd support in recent MailScanners 'just works'. >> >>The clammodule support is still a little fun as you have to wait for >>the module to be updated before you can upgrade clamav. >> >>-- >>Martin > > On Wed, Nov 5, 2008 at 2:52 PM, Charles Lacroix > wrote: >> >> About clamav and MailScanner, in the past I found out that I had > problems >> with MS/clamav >> while I updated one or the other. This is the only reason I decided to >> remove antivirus checking >> from MailScanner and use a little daemon called clamsmtp >> >> http://memberwebs.com/stef/software/clamsmtp/ >> >> I find it less problematic and with that I can update clam without > breaking >> anything >> I've run that for about 2 years now and I got zero problems related to >> updating clamav. >> >> Let me know what you think. >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! 
>> > -- Martin Hepworth Oxford, UK From glenn.steen at gmail.com Thu Nov 6 12:05:46 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Nov 6 12:05:57 2008 Subject: ClamAV In-Reply-To: <43F62CA225017044BC84CFAF92B4333B035FB4@sbsserver.Techquility.net> References: <4910E415.4050502@rheel.co.nz> <4910FE85.1050807@rheel.co.nz> <4911B317.7060707@cegep-ste-foy.qc.ca> <72cf361e0811050717u1f39c2ebm2ba936c049cd63a5@mail.gmail.com> <43F62CA225017044BC84CFAF92B4333B035FB4@sbsserver.Techquility.net> Message-ID: <223f97700811060405o39d53550o78a0c5642846c365@mail.gmail.com> 2008/11/5 Chris Barber : > Martin, > > Do you have any speed comparison data as far as clamsmtp vs clamd with > MailScanner? > > Chris I'm not sure you need do that much comparing... Logically, since clamsmtp works as an SMTP proxy, it would suffer pretty much the same drawbacks as "big brother" amavis... When compared to MS and clamd, that is. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From housey at sme-ecom.co.uk Thu Nov 6 12:07:25 2008 
From: housey at sme-ecom.co.uk (Paul Houselander (SME)) Date: Thu Nov 6 12:07:36 2008 Subject: all virus scanners reporting found virus Message-ID: <00df01c94008$3bbb3390$b3319ab0$@co.uk> Hi I'm using MailScanner version 4.72.5 with clamd, f-prot and kaspersky I'm using the sanesecurity clam sigs as well. I've just noticed that when Clamd finds an infection the other virus scanners also say they found an infection even though they didn't Nov 6 12:02:19 tokyo MailScanner[27046]: New Batch: Scanning 1 messages, 1269 bytes Nov 6 12:02:19 tokyo MailScanner[27046]: SpamAssassin cache hit for message mA6C2Gie027792 Nov 6 12:02:19 tokyo MailScanner[27046]: Spam Checks: Found 1 spam messages Nov 6 12:02:19 tokyo MailScanner[27046]: Virus and Content Scanning: Starting Nov 6 12:02:19 tokyo MailScanner[27046]: Clamd::INFECTED:: Sanesecurity.Hdr.8232.UNOFFICIAL :: ./mA6C2Gie027792/ Nov 6 12:02:19 tokyo MailScanner[27046]: Virus Scanning: Clamd found 2 infections Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: F-Prot6 found 2 infections Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: Kaspersky found 2 infections Nov 6 12:02:21 tokyo MailScanner[27046]: Infected message mA6C2Gie027792 came from 79.139.143.136 Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: Found 2 viruses Is this expected behavior? I've only recently upgraded (and also only just started using clamd, I used to use clamavmodule) so not sure if it's always done it or since the upgrade. Cheers Paul From vincent at zijnemail.nl Thu Nov 6 12:43:26 2008 
From: vincent at zijnemail.nl (Vincent Verhagen) Date: Thu Nov 6 12:43:33 2008 Subject: all virus scanners reporting found virus In-Reply-To: <00df01c94008$3bbb3390$b3319ab0$@co.uk> References: <00df01c94008$3bbb3390$b3319ab0$@co.uk> Message-ID: <4912E66E.4030907@zijnemail.nl> Skipped content of type multipart/alternative From MailScanner at ecs.soton.ac.uk Thu Nov 6 14:19:41 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Nov 6 14:20:08 2008 Subject: all virus scanners reporting found virus In-Reply-To: <00df01c94008$3bbb3390$b3319ab0$@co.uk> References: <00df01c94008$3bbb3390$b3319ab0$@co.uk> Message-ID: <4912FCFD.2010309@ecs.soton.ac.uk> Please try the attached SweepViruses.pm file with the latest release of MailScanner. Hopefully this will fix the problem. It's actually just a reporting bug. Jules. Paul Houselander (SME) wrote: > > Hi > > I'm using MailScanner version 4.72.5 with clamd, f-prot and kaspersky > > I'm using the sanesecurity clam sigs as well. > > I've just noticed that when Clamd finds an infection the other virus > scanners also say they found an infection even though they didn't > > Nov 6 12:02:19 tokyo MailScanner[27046]: New Batch: Scanning 1 > messages, 1269 bytes > > Nov 6 12:02:19 tokyo MailScanner[27046]: SpamAssassin cache hit for > message mA6C2Gie027792 > > Nov 6 12:02:19 tokyo MailScanner[27046]: Spam Checks: Found 1 spam > messages > > Nov 6 12:02:19 tokyo MailScanner[27046]: Virus and Content Scanning: > Starting > > Nov 6 12:02:19 tokyo MailScanner[27046]: Clamd::INFECTED:: > Sanesecurity.Hdr.8232.UNOFFICIAL :: ./mA6C2Gie027792/ > > Nov 6 12:02:19 tokyo MailScanner[27046]: Virus Scanning: Clamd found 2 > infections > > Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: F-Prot6 found > 2 infections > > Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: Kaspersky > found 2 infections > > Nov 6 12:02:21 tokyo MailScanner[27046]: Infected message > mA6C2Gie027792 came from 79.139.143.136 > > Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: Found 2 viruses > > Is this expected behavior? I've only recently upgraded (and also only > just started using clamd, I used to use clamavmodule) so not sure if > it's always done it or since the upgrade. 
> > Cheers > > Paul > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- A non-text attachment was scrubbed... Name: SweepViruses.pm.zip Type: application/x-zip-compressed Size: 33965 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081106/4cdb7525/SweepViruses.pm.bin From housey at sme-ecom.co.uk Thu Nov 6 15:29:08 2008 From: housey at sme-ecom.co.uk (Paul Houselander (SME)) Date: Thu Nov 6 15:33:41 2008 Subject: all virus scanners reporting found virus In-Reply-To: <4912FCFD.2010309@ecs.soton.ac.uk> References: <00df01c94008$3bbb3390$b3319ab0$@co.uk> <4912FCFD.2010309@ecs.soton.ac.uk> Message-ID: <014101c94024$6972c7a0$3c5856e0$@co.uk> > Please try the attached SweepViruses.pm file with the latest release of > MailScanner. > Hopefully this will fix the problem. It's actually just a reporting > bug. > > Jules. > Does the trick, virus scanners are now reporting correctly in the maillog. Thanks Paul From cbarber at techquility.net Thu Nov 6 17:23:33 2008 
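An added example, not part of any list post and not MailScanner code: a Python check for the two log symptoms reported in this thread, namely a scanner logging a non-zero infection count in a batch that has no `::INFECTED::` detail line carrying its name, and a detail line with no scanner name at all. It assumes every scanner's detail lines use the `Name::INFECTED::` form seen in the quoted logs (the thread only shows that form for Clamd and ClamAVModule); the function names are hypothetical.

```python
import re

# Log lines copied from the posts in this thread, embedded so the check runs offline.
SAMPLE_LOG = """\
Nov 6 12:02:19 tokyo MailScanner[27046]: New Batch: Scanning 1 messages, 1269 bytes
Nov 6 12:02:19 tokyo MailScanner[27046]: Virus and Content Scanning: Starting
Nov 6 12:02:19 tokyo MailScanner[27046]: Clamd::INFECTED:: Sanesecurity.Hdr.8232.UNOFFICIAL :: ./mA6C2Gie027792/
Nov 6 12:02:19 tokyo MailScanner[27046]: Virus Scanning: Clamd found 2 infections
Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: F-Prot6 found 2 infections
Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: Kaspersky found 2 infections
Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: Found 2 viruses
Nov 5 14:13:48 eeyore MailScanner[8199]: Virus Scanning: Clamd found 1 infections
Nov 5 14:13:49 eeyore MailScanner[8199]: ::INFECTED:: Phishing.Heuristics.Email.SpoofedDomain :: ./mA5JDfbU009742/
"""

# syslog prefix: timestamp, host, MailScanner[pid], then the message text
LINE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+MailScanner\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
# per-detection detail line; the scanner name may be empty (second symptom)
DETAIL = re.compile(r"^(?P<scanner>[\w-]*)::INFECTED::\s*(?P<sig>.+?)\s*::\s*(?P<path>\S+)$")
# per-scanner summary line; the final "Found N viruses" total does not match
COUNT = re.compile(r"^Virus Scanning: (?P<scanner>\S+) found (?P<n>\d+) infections$")


def parse_batches(log_text):
    """Group lines into batches per (host, pid); 'New Batch:' opens a new one."""
    batches, current = [], {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        key, msg = (m["host"], m["pid"]), m["msg"]
        if msg.startswith("New Batch:") or key not in current:
            current[key] = {"host": key[0], "pid": key[1], "claimed": {}, "detailed": {}}
            batches.append(current[key])
        batch = current[key]
        d = DETAIL.match(msg)
        if d:
            batch["detailed"].setdefault(d["scanner"], []).append(d["sig"])
            continue
        c = COUNT.match(msg)
        if c:
            batch["claimed"][c["scanner"]] = int(c["n"])
    return batches


def audit(log_text):
    """Return (host, pid, kind, detail) tuples for suspicious reporting.

    Only presence is compared, not numbers: in the thread Clamd logs
    'found 2 infections' next to a single detail line.
    """
    findings = []
    for b in parse_batches(log_text):
        for scanner, n in b["claimed"].items():
            if n > 0 and scanner not in b["detailed"]:
                findings.append((b["host"], b["pid"], "count_without_detail", scanner))
        for sig in b["detailed"].get("", []):
            findings.append((b["host"], b["pid"], "unattributed_detail", sig))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

A scanner that writes its detections in a different format needs its own pattern before a `count_without_detail` result for it means anything.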
From: cbarber at techquility.net (Chris Barber) Date: Thu Nov 6 17:23:52 2008 Subject: Message rules don't work, but if message forwarded, it does??? In-Reply-To: <223f97700811051419r7982975fi34b25598b91ed1ca@mail.gmail.com> References: <4910E415.4050502@rheel.co.nz><43F62CA225017044BC84CFAF92B4333B035FB3@sbsserver.Techquility.net><223f97700811051117g2d4b91c5g4cda816ac8e2e862@mail.gmail.com><43F62CA225017044BC84CFAF92B4333B035FB8@sbsserver.Techquility.net> <223f97700811051419r7982975fi34b25598b91ed1ca@mail.gmail.com> Message-ID: <43F62CA225017044BC84CFAF92B4333B035FBC@sbsserver.Techquility.net> > > > Glenn, > > Thanks for the reply. You had me scared for a second there, but no there > was no white listing going on. I verified the envelope addresses. This > issue seems to happen randomly a least a couple times a day to some > users. > > Any other ideas? > > Thanks, > Chris > >Didn't mean to scare you, just point at one (semi-obvious:-) possibility....:-) >When it happens do you see anything ... curious .... in the logs? >Nothing about "Unscanned" messages or timeouts or suchlike? >Also... Tell a bit about versions etc, since this just might be a >known bug/issue... > >Cheers >-- >-- Glenn >email: glenn < dot > steen < at > gmail < dot > com >work: glenn < dot > steen < at > ap1 < dot > se I don't see anything unusual in the logs. No timeouts and nothing about unscanned that I can see. MailScanner processes the message normally it seems. 
It gets an SA score, but the only rules that hit are: 0.10 BAYES_50 Bayesian spam probability is 40 to 60% 0.00 HTML_MESSAGE HTML included in message -0.00 SPF_PASS SPF: sender matches SPF record Then when the same message is forwarded to me from the user, (Through the same MailScanner server) the rule hits show: -0.74 BAYES_20 Bayesian spam probability is 5 to 20% 0.00 HTML_MESSAGE HTML included in message 2.96 URIBL_BLACK Contains an URL listed in the URIBL blacklist 3.50 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist Notice that now the URL is being detected, but why not before? Versions: Cent OS 5.2 MailScanner 4.72.5 Spamassassin 3.2.5 Perl 5.8.8 MIME::Tools 5.427 HTML::Parser 3.56 Let me know if there are versions of anything else you would like to see Thanks! Chris From cbarber at techquility.net Thu Nov 6 17:27:50 2008 
From: cbarber at techquility.net (Chris Barber) Date: Thu Nov 6 17:28:06 2008 Subject: Message rules don't work, but if message forwarded, it does??? In-Reply-To: References: <4910E415.4050502@rheel.co.nz><43F62CA225017044BC84CFAF92B4333B035FB3@sbsserver.Techquility.net> <223f97700811051117g2d4b91c5g4cda816ac8e2e862@mail.gmail.com><43F62CA225017044BC84CFAF92B4333B035FB8@sbsserver.Techquility.net> Message-ID: <43F62CA225017044BC84CFAF92B4333B035FBD@sbsserver.Techquility.net> >> Hi All, >> >> Having a strange issue, maybe someone has seen this before. I have > some >> spam emails that are getting through the server. If a user then > forwards >> that spam message to me, going through the server again, it does get >> caught. >> >> A specific example is this: >> Message comes through and hit no rules at all. >> Message is forwarded and hits two URIBL rules for a URL in the > message. >> Strange thing is that the URL was in the message originally so it > should >> have hit the rule. >> >> Can anyone help me shed some light onto this? >> >> Running MailScanner 4.72.5-1 on CentOS 5 >> >> Thanks, >> Chris > >> Hi Chris, >> >> you wouldn't be whitelisting by email address alone, now would you? >> That would indeed explain such a thing....;-) When you look at it (in >> the logs etc), make sure you are looking at the envelope >> sender/recipient(s), since those are the ones MS use... >> Not the From:/To: headers... >> >> Cheers >> -- >> -- Glenn >> email: glenn < dot > steen < at > gmail < dot > com >> work: glenn < dot > steen < at > ap1 < dot > se > > > Glenn, > > Thanks for the reply. You had me scared for a second there, but no > there was no white listing going on. I verified the envelope > addresses. This issue seems to happen randomly a least a couple times > a day to some users. > > Any other ideas? > > Thanks, > Chris > >>Do these messages have anything in common like being posted to many users at once? No not really. 
There have only ever been a couple that went to multiple users and came back for me to see. I know not all users would forward them to me, but they are all supposed to. From glenn.steen at gmail.com Thu Nov 6 18:50:08 2008 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Nov 6 18:50:19 2008 Subject: Message rules don't work, but if message forwarded, it does??? In-Reply-To: <43F62CA225017044BC84CFAF92B4333B035FBC@sbsserver.Techquility.net> References: <4910E415.4050502@rheel.co.nz> <43F62CA225017044BC84CFAF92B4333B035FB3@sbsserver.Techquility.net> <223f97700811051117g2d4b91c5g4cda816ac8e2e862@mail.gmail.com> <43F62CA225017044BC84CFAF92B4333B035FB8@sbsserver.Techquility.net> <223f97700811051419r7982975fi34b25598b91ed1ca@mail.gmail.com> <43F62CA225017044BC84CFAF92B4333B035FBC@sbsserver.Techquility.net> Message-ID: <223f97700811061050x5ca2b8a6t98d115ad27b450ea@mail.gmail.com> 2008/11/6 Chris Barber : >> >> >> Glenn, >> >> Thanks for the reply. You had me scared for a second there, but no > there >> was no white listing going on. I verified the envelope addresses. This >> issue seems to happen randomly a least a couple times a day to some >> users. >> >> Any other ideas? >> >> Thanks, >> Chris >> >>Didn't mean to scare you, just point at one (semi-obvious:-) > possibility....:-) >>When it happens do you see anything ... curious .... in the logs? >>Nothing about "Unscanned" messages or timeouts or suchlike? >>Also... Tell a bit about versions etc, since this just might be a >>known bug/issue... >> >>Cheers >>-- >>-- Glenn >>email: glenn < dot > steen < at > gmail < dot > com >>work: glenn < dot > steen < at > ap1 < dot > se > > > I don't see anything unusual in the logs. No timeouts and nothing about > unscanned that I can see. MailScanner processes the message normally it > seems. 
> > It gets an SA score, but the only rules that hit are: > 0.10 BAYES_50 Bayesian spam probability is 40 to 60% > 0.00 HTML_MESSAGE HTML included in message > -0.00 SPF_PASS SPF: sender matches SPF record > > Then when the same message is forwarded to me from the user, (Through > the same MailScanner server) the rule hits show: > -0.74 BAYES_20 Bayesian spam probability is 5 to 20% > 0.00 HTML_MESSAGE HTML included in message > 2.96 URIBL_BLACK Contains an URL listed in the URIBL blacklist > 3.50 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist > > Notice that now the URL is beting detected, but why not before? > > Versions: > Cent OS 5.2 > MailScanner 4.72.5 > Spamassassin 3.2.5 > Perl 5.8.8 > MIME::Tools 5.427 > HTML::Parser 3.56 > > Let me know if there are versions of anything else you would like to see > > Thanks! > Chris > Could perhaps be a "timing issue"....:-) Meaning the URI wasn't in the BL when MS first asked... but when the user resent it to you.... the BL had been updated. These things have a tendency to be really short-lived and ... bursty... so if there is any somewhat significant amount of time between the initial mail and the user forwarding it to you... say a few hours... that might explain it all. In which case... all is well ...:-) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ssilva at sgvwater.com Thu Nov 6 20:14:44 2008 
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Nov 6 20:15:15 2008 Subject: Message rules don't work, but if message forwarded, it does??? In-Reply-To: <43F62CA225017044BC84CFAF92B4333B035FBC@sbsserver.Techquility.net> References: <4910E415.4050502@rheel.co.nz><43F62CA225017044BC84CFAF92B4333B035FB3@sbsserver.Techquility.net><223f97700811051117g2d4b91c5g4cda816ac8e2e862@mail.gmail.com><43F62CA225017044BC84CFAF92B4333B035FB8@sbsserver.Techquility.net> <223f97700811051419r7982975fi34b25598b91ed1ca@mail.gmail.com> <43F62CA225017044BC84CFAF92B4333B035FBC@sbsserver.Techquility.net> Message-ID: on 11-6-2008 9:23 AM Chris Barber spake the following: >> >> Glenn, >> >> Thanks for the reply. You had me scared for a second there, but no > there >> was no white listing going on. I verified the envelope addresses. This >> issue seems to happen randomly a least a couple times a day to some >> users. >> >> Any other ideas? >> >> Thanks, >> Chris >> >> Didn't mean to scare you, just point at one (semi-obvious:-) > possibility....:-) >> When it happens do you see anything ... curious .... in the logs? >> Nothing about "Unscanned" messages or timeouts or suchlike? >> Also... Tell a bit about versions etc, since this just might be a >> known bug/issue... >> >> Cheers >> -- >> -- Glenn >> email: glenn < dot > steen < at > gmail < dot > com >> work: glenn < dot > steen < at > ap1 < dot > se > > > I don't see anything unusual in the logs. No timeouts and nothing about > unscanned that I can see. MailScanner processes the message normally it > seems. 
> > It gets an SA score, but the only rules that hit are: > 0.10 BAYES_50 Bayesian spam probability is 40 to 60% > 0.00 HTML_MESSAGE HTML included in message > -0.00 SPF_PASS SPF: sender matches SPF record > > Then when the same message is forwarded to me from the user, (Through > the same MailScanner server) the rule hits show: > -0.74 BAYES_20 Bayesian spam probability is 5 to 20% > 0.00 HTML_MESSAGE HTML included in message > 2.96 URIBL_BLACK Contains an URL listed in the URIBL blacklist > 3.50 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist > > Notice that now the URL is being detected, but why not before? > > Versions: > Cent OS 5.2 > MailScanner 4.72.5 > Spamassassin 3.2.5 > Perl 5.8.8 > MIME::Tools 5.427 > HTML::Parser 3.56 > > Let me know if there are versions of anything else you would like to see > > Thanks! > Chris > > Have you run the usual test tools like MailScanner --lint and spamassassin -D --lint? They will show things like misdetected trusted networks in spamassassin. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From Denis.Beauchemin at USherbrooke.ca Thu Nov 6 20:53:51 2008 
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Thu Nov 6 20:54:08 2008 Subject: Message rules don't work, but if message forwarded, it does??? In-Reply-To: <43F62CA225017044BC84CFAF92B4333B035FBC@sbsserver.Techquility.net> References: <4910E415.4050502@rheel.co.nz><43F62CA225017044BC84CFAF92B4333B035FB3@sbsserver.Techquility.net><223f97700811051117g2d4b91c5g4cda816ac8e2e862@mail.gmail.com><43F62CA225017044BC84CFAF92B4333B035FB8@sbsserver.Techquility.net> <223f97700811051419r7982975fi34b25598b91ed1ca@mail.gmail.com> <43F62CA225017044BC84CFAF92B4333B035FBC@sbsserver.Techquility.net> Message-ID: <4913595F.2020209@USherbrooke.ca> Chris Barber wrote: > > It gets an SA score, but the only rules that hit are: > 0.10 BAYES_50 Bayesian spam probability is 40 to 60% > 0.00 HTML_MESSAGE HTML included in message > -0.00 SPF_PASS SPF: sender matches SPF record > > Then when the same message is forwarded to me from the user, (Through > the same MailScanner server) the rule hits show: > -0.74 BAYES_20 Bayesian spam probability is 5 to 20% > 0.00 HTML_MESSAGE HTML included in message > 2.96 URIBL_BLACK Contains an URL listed in the URIBL blacklist > 3.50 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist > > Notice that now the URL is being detected, but why not before? Chris, These don't look like MS' messages to me (at least they don't look like that on my servers). Are you sure your emails are not going through some other scanning process? Denis -- _ °v° Denis Beauchemin, analyste /(_)\ Université de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045 From brose at med.wayne.edu Fri Nov 7 01:45:54 2008 
From: brose at med.wayne.edu (Rose, Bobby) Date: Fri Nov 7 01:46:10 2008 Subject: all virus scanners reporting found virus In-Reply-To: <4912FCFD.2010309@ecs.soton.ac.uk> References: <00df01c94008$3bbb3390$b3319ab0$@co.uk> <4912FCFD.2010309@ecs.soton.ac.uk> Message-ID: I've noticed something different related to the AV logging. I'm using clamd and since I updated to 4.72.5, the ::INFECTED:: entry is missing Clamd ref. Before, even though I was using Clamd, it was reporting as ClamAVModule. For example, with 4.71.10, I'd see Nov 5 13:58:22 eeyore MailScanner[20251]: ClamAVModule::INFECTED:: Sanesecurity.Hdr.8338.UNOFFICIAL FOUND :: ./mA5IveLi001260/ After the upgrade to 4.72.5, I see Nov 5 14:13:49 eeyore MailScanner[8199]: ::INFECTED:: Phishing.Heuristics.Email.SpoofedDomain :: ./mA5JDfbU009742/ I've replaced my SweepViruses.pm with the one you posted and it didn't change anything. Also, I see the same thing on both of my inbound mail routers. I still see log entries like this so it is using clamd and getting the infected status code back from it. Nov 5 14:13:48 eeyore MailScanner[8199]: Virus Scanning: Clamd found 1 infections Any ideas? -=Bobby -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: Thursday, November 06, 2008 9:20 AM To: MailScanner discussion Subject: Re: all virus scanners reporting found virus Please try the attached SweepViruses.pm file with the latest release of MailScanner. Hopefully this will fix the problem. It's actually just a reporting bug. Jules. Paul Houselander (SME) wrote: > > Hi > > I'm using MailScanner version 4.72.5 with clamd, f-prot and kaspersky > > I'm using the sanesecurity clam sigs as well. > > I've just noticed that when Clamd finds an infection the other virus > scanners also say they found an infection even though they didn't > > Nov 6 12:02:19 tokyo MailScanner[27046]: New Batch: Scanning 1 > messages, 1269 bytes > > Nov 6 12:02:19 tokyo MailScanner[27046]: SpamAssassin cache hit for > message mA6C2Gie027792 > > Nov 6 12:02:19 tokyo MailScanner[27046]: Spam Checks: Found 1 spam > messages > > Nov 6 12:02:19 tokyo MailScanner[27046]: Virus and Content Scanning: > Starting > > Nov 6 12:02:19 tokyo MailScanner[27046]: Clamd::INFECTED:: > Sanesecurity.Hdr.8232.UNOFFICIAL :: ./mA6C2Gie027792/ > > Nov 6 12:02:19 tokyo MailScanner[27046]: Virus Scanning: Clamd found 2 > infections > > Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: F-Prot6 found > 2 infections > > Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: Kaspersky > found 2 infections > > Nov 6 12:02:21 tokyo MailScanner[27046]: Infected message > mA6C2Gie027792 came from 79.139.143.136 > > Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: Found 2 > viruses > > Is this expected behavior? I've only recently upgraded (and also only > just started using clamd, I used to use clamavmodule) so not sure if > it's always done it or since the upgrade. 
> > Cheers > > Paul > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From Nikolaos.Pavlidis at beds.ac.uk Fri Nov 7 09:15:49 2008 
From: Nikolaos.Pavlidis at beds.ac.uk (Nikolaos Pavlidis) Date: Fri Nov 7 09:16:16 2008 Subject: Solaris 10 Mail:ClamAV compile trouble In-Reply-To: <491407450200002700024AED@gwiadom.oes.beds.ac.uk> References: <491065BE020000E70002E3FE@gwiadom.oes.beds.ac.uk> <491407450200002700024AED@gwiadom.oes.beds.ac.uk> Message-ID: <491407450200002700024AED@gwiadom.oes.beds.ac.uk> Hello all, After a bit more searching..I am going to have to agree with Phil. The problem is Mail::ClamAV, it does not support 0.94.1 ... it compiles great with 0.93 versions... Most people would suggest it is the compiler but no. I tried both GNU and SUN and the perlgcc way with all possible combinations. I tried to apply the patch but most hunks failed with no result (patch -p0 < patch). Thank you all for your support, I guess its up to us to keep "proding" Scott Beck for updates :) Regards, Nik On Tue, 2008-11-04 at 15:05 +0000, Randal, Phil wrote: > Hve you applied this patch to Mail::ClamAV? > > http://rt.cpan.org/Public/Bug/Display.html?id=39301 > > Someone needs to prod Scott Beck to release Mail::ClamAV 0.23 > > Cheers, > > Phil > > -- > Phil Randal | Networks Engineer > Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division > Thorn Office Centre, Rotherwas, Hereford, HR2 6JT > Tel: 01432 260160 > email: prandal@herefordshire.gov.uk > > Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Herefordshire Council. > > This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it. 
> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Nikolaos Pavlidis > Sent: 04 November 2008 14:55 > To: mailscanner@lists.mailscanner.info > Subject: Solaris 10 Mail:ClamAV compile trouble > > Dear All, > > > ?I am trying to install the ClamAV + SA package following the directions > from: http://wiki.mailscanner.info/doku.php?id=documentation:clamav_sa > > I installed clamav successfully and all the perl modules until I reached Mail::ClamAV > > I edited /usr/perl5/5.8.4/lib/i86pc-solaris-64int/Config.pm to remove temporarily the -KPIC and -xO3 flags (-xdepend was nowhere to be found > btw) > > I used both paths and got respectively the below errors, any help will be much appreciated. the command procedure I followed was: > perl Makefile.PL > make > make clean > change $PATH > perl Makefile.PL > make > > Any help will be much appreciated. > Thank you in advance. > > Nik > > The setup: > Solaris 10 > Sun Studio installed > > PATHs used: > > 1. > PATH=/usr/sbin:/usr/bin:/usr/local/bin:/usr/sfw/bin:/usr/dt/bin:/usr/openwin/bin:/usr/ccs/bin:/usr/ucb > LD_LIBRARY_PATH=/usr/lib:/usr/local/lib:/usr/sfw/lib:/opt/SUNWspro/lib:/usr/local/BerkeleyDB/lib > > 2. > PATH=/opt/SUNWspro/bin:/usr/ccs/bin:/usr/sbin:/usr/bin:/usr/dt/bin:/usr/openwin/bin:/usr/local/bin:/usr/sfw/bin:/usr/ucb > LD_LIBRARY_PATH=/opt/SUNWspro/lib:/usr/ccs/lib:/usr/lib:/usr/local/lib:/usr/sfw/lib:/usr/local/BerkeleyDB/lib > > > 1. 
> Starting "make" Stage > make[1]: Entering directory > `/sysnet/build/cpan/build/Mail-ClamAV-0.22/_Inline/build/Mail/ClamAV' > /usr/perl5/5.8.4/bin/perl /usr/perl5/5.8.4/lib/ExtUtils/xsubpp > -typemap /usr/perl5/5.8.4/lib/ExtUtils/typemap ClamAV.xs > ClamAV.xsc > && mv ClamAV.xsc ClamAV.c > cc -c -I/sysnet/build/cpan/build/Mail-ClamAV-0.22 -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_TS_ERRNO -xspace -xildoff -DVERSION=\"0.22\" -DXS_VERSION=\"0.22\" > "-I/usr/perl5/5.8.4/lib/i86pc-solaris-64int/CORE" ClamAV.c > cc: language ildoff not recognized > cc: ClamAV.c: linker input file unused because linking not done Running Mkbootstrap for Mail::ClamAV () chmod 644 ClamAV.bs rm -f blib/arch/auto/Mail/ClamAV/ClamAV.so > LD_RUN_PATH="/usr/lib:/usr/local/lib" cc -G ClamAV.o -o > blib/ar> make[1]: *** [blib/arch/auto/Mail/ClamAV/ClamAV.so] Error 1 > make[1]: Leaving directory > `/sysnet/build/cpan/build/Mail-ClamAV-0.22/_Inline/build/Mail/ClamAV' > > 2. > Starting "make" Stage > /usr/perl5/5.8.4/bin/perl /usr/perl5/5.8.4/lib/ExtUtils/xsubpp > -typemap /usr/perl5/5.8.4/lib/ExtUtils/typemap ClamAV.xs > ClamAV.xsc && mv ClamAV.xsc ClamAV.c cc -c -I/sysnet/build/cpan/build/Mail-ClamAV-0.22 -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_TS_ERRNO -xspace -xildoff -DVERSION=\"0.22\" -DXS_VERSION=\"0.22\" > "-I/usr/perl5/5.8.4/lib/i86pc-solaris-64int/CORE" ClamAV.c > "ClamAV.xs", line 65: warning: implicit function declaration: > cl_loaddbdir > "ClamAV.xs", line 68: warning: implicit function declaration: cl_loaddb "ClamAV.xs", line 308: undefined symbol: CL_EFSYNC "ClamAV.xs", line 321: undefined symbol: CL_ELOCKDB "ClamAV.c", line 450: warning: statement not reached "ClamAV.c", line 633: warning: statement not reached "ClamAV.c", line 663: warning: statement not reached "ClamAV.c", line 693: warning: statement not reached > cc: acomp failed for ClamAV.c > *** Error code 2 > make: Fatal error: Command failed for target `ClamAV.o' > Current 
working > directory > /sysnet/build/cpan/build/Mail-ClamAV-0.22/_Inline/build/Mail/ClamAV > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! -- ? Nikolaos Pavlidis BSc (Hons) MBCS NCLP System Administrator University Of Bedfordshire Park Square LU1 3JU Luton, Beds, UK Tel: +441582489277 From maxsec at gmail.com Fri Nov 7 09:29:23 2008 
From: maxsec at gmail.com (Martin Hepworth) Date: Fri Nov 7 09:29:32 2008 Subject: Solaris 10 Mail:ClamAV compile trouble In-Reply-To: <491407450200002700024AED@gwiadom.oes.beds.ac.uk> References: <491065BE020000E70002E3FE@gwiadom.oes.beds.ac.uk> <491407450200002700024AED@gwiadom.oes.beds.ac.uk> <491407450200002700024AED@gwiadom.oes.beds.ac.uk> Message-ID: <72cf361e0811070129r738a1582l762151a97bcfe6c0@mail.gmail.com> On Fri, Nov 7, 2008 at 9:15 AM, Nikolaos Pavlidis wrote: > Hello all, > > After a bit more searching..I am going to have to agree with Phil. The > problem is Mail::ClamAV, it does not support 0.94.1 ... it compiles > great with 0.93 versions... Most people would suggest it is the compiler > but no. I tried both GNU and SUN and the perlgcc way with all possible > combinations. I tried to apply the patch but most hunks failed with no > result (patch -p0 < patch). > > Thank you all for your support, > > I guess its up to us to keep "proding" Scott Beck for updates :) > > Regards, > > Nik > > On Tue, 2008-11-04 at 15:05 +0000, Randal, Phil wrote: >> Hve you applied this patch to Mail::ClamAV? >> >> http://rt.cpan.org/Public/Bug/Display.html?id=39301 >> >> Someone needs to prod Scott Beck to release Mail::ClamAV 0.23 >> >> Cheers, >> >> Phil >> >> -- >> Phil Randal | Networks Engineer >> Herefordshire Council | Deputy Chief Executive's Office | I.C.T. > Services Division >> Thorn Office Centre, Rotherwas, Hereford, HR2 6JT >> Tel: 01432 260160 >> email: prandal@herefordshire.gov.uk >> >> Any opinion expressed in this e-mail or any attached files are those > of the individual and not necessarily those of Herefordshire Council. >> >> This e-mail and any attached files are confidential and intended > solely for the use of the addressee. This communication may contain > material protected by law from being passed on. 
If you are not the > intended recipient and have received this e-mail in error, you are > advised that any use, dissemination, forwarding, printing or copying of > this e-mail is strictly prohibited. If you have received this e-mail in > error please contact the sender immediately and destroy all copies of > it. >> >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of > Nikolaos Pavlidis >> Sent: 04 November 2008 14:55 >> To: mailscanner@lists.mailscanner.info >> Subject: Solaris 10 Mail:ClamAV compile trouble >> >> Dear All, >> >> >> ?I am trying to install the ClamAV + SA package following the > directions >> from: http://wiki.mailscanner.info/doku.php?id=documentation:clamav_sa >> >> I installed clamav successfully and all the perl modules until I > reached Mail::ClamAV >> >> I edited /usr/perl5/5.8.4/lib/i86pc-solaris-64int/Config.pm to remove > temporarily the -KPIC and -xO3 flags (-xdepend was nowhere to be found >> btw) >> >> I used both paths and got respectively the below errors, any help will > be much appreciated. the command procedure I followed was: >> perl Makefile.PL >> make >> make clean >> change $PATH >> perl Makefile.PL >> make >> >> Any help will be much appreciated. >> Thank you in advance. >> >> Nik >> >> The setup: >> Solaris 10 >> Sun Studio installed >> >> PATHs used: >> >> 1. >> > PATH=/usr/sbin:/usr/bin:/usr/local/bin:/usr/sfw/bin:/usr/dt/bin:/usr/openwin/bin:/usr/ccs/bin:/usr/ucb >> > LD_LIBRARY_PATH=/usr/lib:/usr/local/lib:/usr/sfw/lib:/opt/SUNWspro/lib:/usr/local/BerkeleyDB/lib >> >> 2. >> > PATH=/opt/SUNWspro/bin:/usr/ccs/bin:/usr/sbin:/usr/bin:/usr/dt/bin:/usr/openwin/bin:/usr/local/bin:/usr/sfw/bin:/usr/ucb >> > LD_LIBRARY_PATH=/opt/SUNWspro/lib:/usr/ccs/lib:/usr/lib:/usr/local/lib:/usr/sfw/lib:/usr/local/BerkeleyDB/lib >> >> >> 1. 
>> Starting "make" Stage >> make[1]: Entering directory >> `/sysnet/build/cpan/build/Mail-ClamAV-0.22/_Inline/build/Mail/ClamAV' >> /usr/perl5/5.8.4/bin/perl /usr/perl5/5.8.4/lib/ExtUtils/xsubpp >> -typemap /usr/perl5/5.8.4/lib/ExtUtils/typemap ClamAV.xs > > ClamAV.xsc >> && mv ClamAV.xsc ClamAV.c >> cc -c -I/sysnet/build/cpan/build/Mail-ClamAV-0.22 > -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 > -D_TS_ERRNO -xspace -xildoff -DVERSION=\"0.22\" -DXS_VERSION=\"0.22\" >> "-I/usr/perl5/5.8.4/lib/i86pc-solaris-64int/CORE" ClamAV.c >> cc: language ildoff not recognized >> cc: ClamAV.c: linker input file unused because linking not done > Running Mkbootstrap for Mail::ClamAV () chmod 644 ClamAV.bs rm -f > blib/arch/auto/Mail/ClamAV/ClamAV.so >> LD_RUN_PATH="/usr/lib:/usr/local/lib" cc -G ClamAV.o -o >> blib/ar> make[1]: *** [blib/arch/auto/Mail/ClamAV/ClamAV.so] Error 1 >> make[1]: Leaving directory >> `/sysnet/build/cpan/build/Mail-ClamAV-0.22/_Inline/build/Mail/ClamAV' >> >> 2. 
>> Starting "make" Stage >> /usr/perl5/5.8.4/bin/perl /usr/perl5/5.8.4/lib/ExtUtils/xsubpp >> -typemap /usr/perl5/5.8.4/lib/ExtUtils/typemap ClamAV.xs > ClamAV.xsc > && mv ClamAV.xsc ClamAV.c cc -c > -I/sysnet/build/cpan/build/Mail-ClamAV-0.22 -I/usr/local/include > -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_TS_ERRNO -xspace -xildoff > -DVERSION=\"0.22\" -DXS_VERSION=\"0.22\" >> "-I/usr/perl5/5.8.4/lib/i86pc-solaris-64int/CORE" ClamAV.c >> "ClamAV.xs", line 65: warning: implicit function declaration: >> cl_loaddbdir >> "ClamAV.xs", line 68: warning: implicit function declaration: > cl_loaddb "ClamAV.xs", line 308: undefined symbol: CL_EFSYNC > "ClamAV.xs", line 321: undefined symbol: CL_ELOCKDB "ClamAV.c", line > 450: warning: statement not reached "ClamAV.c", line 633: warning: > statement not reached "ClamAV.c", line 663: warning: statement not > reached "ClamAV.c", line 693: warning: statement not reached >> cc: acomp failed for ClamAV.c >> *** Error code 2 >> make: Fatal error: Command failed for target `ClamAV.o' >> Current working >> directory >> /sysnet/build/cpan/build/Mail-ClamAV-0.22/_Inline/build/Mail/ClamAV >> >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! > -- > ? > Nikolaos Pavlidis BSc (Hons) MBCS NCLP > System Administrator > University Of Bedfordshire > Park Square LU1 3JU > Luton, Beds, UK > Tel: +441582489277 > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > Nik another reason why clamd support in MailScanner is useful. 
yes it's another daemon to worry about, but I've been using clamd since Jules added support for it and never had an issue with clamd failing. -- Martin Hepworth Oxford, UK From ms-list at alexb.ch Fri Nov 7 09:32:43 2008 From: ms-list at alexb.ch (Alex Broens) Date: Fri Nov 7 09:32:01 2008 Subject: Solaris 10 Mail:ClamAV compile trouble In-Reply-To: <491407450200002700024AED@gwiadom.oes.beds.ac.uk> References: <491065BE020000E70002E3FE@gwiadom.oes.beds.ac.uk> <491407450200002700024AED@gwiadom.oes.beds.ac.uk> <491407450200002700024AED@gwiadom.oes.beds.ac.uk> Message-ID: <49140B3B.3010607@alexb.ch> On 11/7/2008 10:15 AM, Nikolaos Pavlidis wrote: > Hello all, > > After a bit more searching..I am going to have to agree with Phil. The > problem is Mail::ClamAV, it does not support 0.94.1 ... it compiles > great with 0.93 versions... Most people would suggest it is the compiler > but no. I tried both GNU and SUN and the perlgcc way with all possible > combinations. I tried to apply the patch but most hunks failed with no > result (patch -p0 < patch). > > Thank you all for your support, > > I guess its up to us to keep "proding" Scott Beck for updates :) > Nik, Why not move to Clamd and forget Mail::ClamAV for good From Nikolaos.Pavlidis at beds.ac.uk Fri Nov 7 09:40:04 2008 
From: Nikolaos.Pavlidis at beds.ac.uk (Nikolaos Pavlidis) Date: Fri Nov 7 09:40:24 2008 Subject: Solaris 10 Mail:ClamAV compile trouble In-Reply-To: <49140CF40200002700024AF6@gwiadom.oes.beds.ac.uk> References: <49140BFB02000009000235B4@gwiadom.oes.beds.ac.uk> <49140CF40200002700024AF6@gwiadom.oes.beds.ac.uk> Message-ID: <49140CF40200002700024AF6@gwiadom.oes.beds.ac.uk> Hello all, I am afraid that I will be forced to... Thank you for all your help everybody. Regards, Nik On Fri, 2008-11-07 at 10:32 +0100, Alex Broens wrote: > On 11/7/2008 10:15 AM, Nikolaos Pavlidis wrote: > > Hello all, > > > > After a bit more searching..I am going to have to agree with Phil. The > > problem is Mail::ClamAV, it does not support 0.94.1 ... it compiles > > great with 0.93 versions... Most people would suggest it is the compiler > > but no. I tried both GNU and SUN and the perlgcc way with all possible > > combinations. I tried to apply the patch but most hunks failed with no > > result (patch -p0 < patch). > > > > Thank you all for your support, > > > > I guess its up to us to keep "proding" Scott Beck for updates :) > > > > Nik, > > Why not move to Clamd and forget Mail::ClamAV for good -- ? Nikolaos Pavlidis BSc (Hons) MBCS NCLP System Administrator University Of Bedfordshire Park Square LU1 3JU Luton, Beds, UK Tel: +441582489277 From MailScanner at ecs.soton.ac.uk Fri Nov 7 09:49:30 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Nov 7 09:49:52 2008 Subject: all virus scanners reporting found virus In-Reply-To: References: <00df01c94008$3bbb3390$b3319ab0$@co.uk> <4912FCFD.2010309@ecs.soton.ac.uk> Message-ID: <49140F2A.1040800@ecs.soton.ac.uk> Can you just confirm you have Include Scanner Name In Reports = yes in your MailScanner.conf? If so, I can't see why you wouldn't get the right output. It's only a logging problem. Rose, Bobby wrote: > I've noticed something different related to the AV logging. I'm using clamd and since I updated to 4.72.5, then ::INFECTED:: entry is missing Clamd ref. Before, even though I was using Clamd, it was reporting as ClamAVModule. > > For example, with 4.71.10, I'd see > Nov 5 13:58:22 eeyore MailScanner[20251]: ClamAVModule::INFECTED:: Sanesecurity.Hdr.8338.UNOFFICIAL FOUND :: ./mA5IveLi001260/ > > After the upgrade to 4.72.5, I see > Nov 5 14:13:49 eeyore MailScanner[8199]: ::INFECTED:: Phishing.Heuristics.Email.SpoofedDomain :: ./mA5JDfbU009742/ > > I've replaced my SweepViruses.pm with the one you posted and it didn't change anything. Also, I see the same thing on both of my inbound mail routers. I still see log entries like this so it is using clamd and getting the infected status code back from it. > > Nov 5 14:13:48 eeyore MailScanner[8199]: Virus Scanning: Clamd found 1 infections > > Any ideas? > -=Bobby > > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field > Sent: Thursday, November 06, 2008 9:20 AM > To: MailScanner discussion > Subject: Re: all virus scanners reporting found virus > > Please try the attached SweepViruses.pm file with the latest release of MailScanner. > Hopefully this will fix the problem. It's actually just a reporting bug. > > Jules. > > Paul Houselander (SME) wrote: > >> Hi >> >> I'm using MailScanner version 4.72.5 with clamd, f-prot and kaspersky >> >> I'm using the sanesecurity clam sigs as well. >> >> I've just noticed that when Clamd finds an infection the other virus >> scanners also say they found an infection even though they didn't >> >> Nov 6 12:02:19 tokyo MailScanner[27046]: New Batch: Scanning 1 >> messages, 1269 bytes >> >> Nov 6 12:02:19 tokyo MailScanner[27046]: SpamAssassin cache hit for >> message mA6C2Gie027792 >> >> Nov 6 12:02:19 tokyo MailScanner[27046]: Spam Checks: Found 1 spam >> messages >> >> Nov 6 12:02:19 tokyo MailScanner[27046]: Virus and Content Scanning: >> Starting >> >> Nov 6 12:02:19 tokyo MailScanner[27046]: Clamd::INFECTED:: >> Sanesecurity.Hdr.8232.UNOFFICIAL :: ./mA6C2Gie027792/ >> >> Nov 6 12:02:19 tokyo MailScanner[27046]: Virus Scanning: Clamd found 2 >> infections >> >> Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: F-Prot6 found >> 2 infections >> >> Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: Kaspersky >> found 2 infections >> >> Nov 6 12:02:21 tokyo MailScanner[27046]: Infected message >> mA6C2Gie027792 came from 79.139.143.136 >> >> Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: Found 2 >> viruses >> >> Is this expected behavior? I've only recently upgraded (and also only >> just started using clamd, I used to use clamavmodule) so not sure if >> it's always done it or since the upgrade. 
>> >> Cheers >> >> Paul >> >> > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > -- > This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. > > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Fri Nov 7 09:50:15 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Nov 7 09:50:38 2008 Subject: Solaris 10 Mail:ClamAV compile trouble In-Reply-To: <49140CF40200002700024AF6@gwiadom.oes.beds.ac.uk> References: <49140BFB02000009000235B4@gwiadom.oes.beds.ac.uk> <49140CF40200002700024AF6@gwiadom.oes.beds.ac.uk> <49140CF40200002700024AF6@gwiadom.oes.beds.ac.uk> Message-ID: <49140F57.8070106@ecs.soton.ac.uk> Nikolaos Pavlidis wrote: > Hello all, > > I am afraid that I will be forced to... > You won't regret it. I thought the Blastwave guys had this packaged up ready to go anyway? Jules. > Thank you for all your help everybody. > > Regards, > > Nik > > On Fri, 2008-11-07 at 10:32 +0100, Alex Broens wrote: > >> On 11/7/2008 10:15 AM, Nikolaos Pavlidis wrote: >> >>> Hello all, >>> >>> After a bit more searching..I am going to have to agree with Phil. >>> > The > >>> problem is Mail::ClamAV, it does not support 0.94.1 ... it compiles >>> great with 0.93 versions... Most people would suggest it is the >>> > compiler > >>> but no. I tried both GNU and SUN and the perlgcc way with all >>> > possible > >>> combinations. I tried to apply the patch but most hunks failed with >>> > no > >>> result (patch -p0 < patch). >>> >>> Thank you all for your support, >>> >>> I guess its up to us to keep "proding" Scott Beck for updates :) >>> >>> >> Nik, >> >> Why not move to Clamd and forget Mail::ClamAV for good >> Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From Nikolaos.Pavlidis at beds.ac.uk Fri Nov 7 10:30:28 2008 
From: Nikolaos.Pavlidis at beds.ac.uk (Nikolaos Pavlidis) Date: Fri Nov 7 10:31:06 2008 Subject: Solaris 10 Mail:ClamAV compile trouble In-Reply-To: <491418C40200002700024B14@gwiadom.oes.beds.ac.uk> References: <491410E9020000EB00020D84@gwiadom.oes.beds.ac.uk> <491418C40200002700024B14@gwiadom.oes.beds.ac.uk> Message-ID: <491418C40200002700024B14@gwiadom.oes.beds.ac.uk> Hello all, From what I just saw "Feb 11 2008 clamav-0.92.1,REV=2008.02.11-SunOS5.8-%ARCH%-CSW.pkg.gz" is their latest release and in any case I would prefer a source build in this case. Anyway.. the more I search for clamd the more texts I find about how much more efficient it is... so clamd it is :) Regards, Nik On Fri, 2008-11-07 at 09:50 +0000, Julian Field wrote: > > Nikolaos Pavlidis wrote: > > Hello all, > > > > I am afraid that I will be forced to... > > > You won't regret it. I thought the Blastwave guys had this packaged up > ready to go anyway? > > Jules. > > Thank you for all your help everybody. > > > > Regards, > > > > Nik > > > > On Fri, 2008-11-07 at 10:32 +0100, Alex Broens wrote: > > > >> On 11/7/2008 10:15 AM, Nikolaos Pavlidis wrote: > >> > >>> Hello all, > >>> > >>> After a bit more searching..I am going to have to agree with Phil. > >>> > > The > > > >>> problem is Mail::ClamAV, it does not support 0.94.1 ... it compiles > >>> great with 0.93 versions... Most people would suggest it is the > >>> > > compiler > > > >>> but no. I tried both GNU and SUN and the perlgcc way with all > >>> > > possible > > > >>> combinations. I tried to apply the patch but most hunks failed with > >>> > > no > > > >>> result (patch -p0 < patch). 
> >>> > >>> Thank you all for your support, > >>> > >>> I guess its up to us to keep "proding" Scott Beck for updates :) > >>> > >>> > >> Nik, > >> > >> Why not move to Clamd and forget Mail::ClamAV for good > >> > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > -- ? Nikolaos Pavlidis BSc (Hons) MBCS NCLP System Administrator University Of Bedfordshire Park Square LU1 3JU Luton, Beds, UK Tel: +441582489277 From edward at tdcs.com.au Fri Nov 7 11:23:26 2008 From: edward at tdcs.com.au (Edward Dekkers) Date: Fri Nov 7 11:23:57 2008 Subject: Upgraded server Message-ID: Hey all, I just upgraded Ubuntu server 8.04 to 8.10. It completely broke dovecot and mailscanner. Dovecot I've fixed. My mailscanner was quite old anyway, so I removed what I think is all of it and followed the instructions on http://www.mailscanner.info/ubuntu.html. Now, firstly, it does seem to work. BUT there are a lot of complaints. I'll tackle the one which comes up at every scan first: WARNING: ignoring deprecated option -unzip Then there's other warnings like the above for -tar, -jar. About 8 or so in all. I've searched all the posts in my mailscanner inbox back to 1/6/2008 - cannot find a mention. Can someone point me in the right direction to silence some of these warnings? Regards, Ed. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Fri Nov 7 11:36:27 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Nov 7 11:36:46 2008 Subject: Upgraded server In-Reply-To: References: Message-ID: <4914283B.8070400@ecs.soton.ac.uk> Edward Dekkers wrote: > Hey all, I just upgraded Ubuntu server 8.04 to 8.10. It completely broke > dovecot and mailscanner. Dovecot I've fixed. > > My mailscanner was quite old anyway, so I removed what I think is all of it > and followed the instructions on http://www.mailscanner.info/ubuntu.html. > > Now, firstly, it does seem to work. BUT there are a lot of complaints. > > I'll tackle the one which comes up at every scan first: > > WARNING: ignoring deprecated option -unzip > You've got old *-wrapper scripts. In an RPM install they are in /usr/lib/MailScanner but I don't know where Ubuntu might have put them. > Then there's other warnings like the above for -tar, -jar. About 8 or so in > all. > > I've searched all the posts in my mailscanner inbox back to 1/6/2008 - > cannot find a mention. > > Can someone point me in the right direction to silence some of these > warnings? > > Regards, > Ed. > > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From brose at med.wayne.edu Fri Nov 7 12:16:24 2008 
From: brose at med.wayne.edu (Rose, Bobby) Date: Fri Nov 7 12:16:47 2008 Subject: all virus scanners reporting found virus In-Reply-To: <49140F2A.1040800@ecs.soton.ac.uk> References: <00df01c94008$3bbb3390$b3319ab0$@co.uk> <4912FCFD.2010309@ecs.soton.ac.uk> <49140F2A.1040800@ecs.soton.ac.uk> Message-ID: It's set to no, but it always has been. I'll set it to yes to see if it makes a difference. I only noticed the logging problem when my stats script wasn't reporting that info after the upgrade. And I thought it odd that mine was broke but Paul Houselander's seemed to be working. -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: Friday, November 07, 2008 4:50 AM To: MailScanner discussion Subject: Re: all virus scanners reporting found virus Can you just confirm you have Include Scanner Name In Reports = yes in your MailScanner.conf? If so, I can't see why you wouldn't get the right output. It's only a logging problem. Rose, Bobby wrote: > I've noticed something different related to the AV logging. I'm using clamd and since I updated to 4.72.5, then ::INFECTED:: entry is missing Clamd ref. Before, even though I was using Clamd, it was reporting as ClamAVModule. > > For example, with 4.71.10, I'd see > Nov 5 13:58:22 eeyore MailScanner[20251]: ClamAVModule::INFECTED:: Sanesecurity.Hdr.8338.UNOFFICIAL FOUND :: ./mA5IveLi001260/ > > After the upgrade to 4.72.5, I see > Nov 5 14:13:49 eeyore MailScanner[8199]: ::INFECTED:: Phishing.Heuristics.Email.SpoofedDomain :: ./mA5JDfbU009742/ > > I've replaced my SweepViruses.pm with the one you posted and it didn't change anything. Also, I see the same thing on both of my inbound mail routers. I still see log entries like this so it is using clamd and getting the infected status code back from it. > > Nov 5 14:13:48 eeyore MailScanner[8199]: Virus Scanning: Clamd found 1 infections > > Any ideas? > -=Bobby > > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field > Sent: Thursday, November 06, 2008 9:20 AM > To: MailScanner discussion > Subject: Re: all virus scanners reporting found virus > > Please try the attached SweepViruses.pm file with the latest release of MailScanner. > Hopefully this will fix the problem. It's actually just a reporting bug. > > Jules. > > Paul Houselander (SME) wrote: > >> Hi >> >> I'm using MailScanner version 4.72.5 with clamd, f-prot and kaspersky >> >> I'm using the sanesecurity clam sigs as well. >> >> I've just noticed that when Clamd finds an infection the other virus >> scanners also say they found an infection even though they didn't >> >> Nov 6 12:02:19 tokyo MailScanner[27046]: New Batch: Scanning 1 >> messages, 1269 bytes >> >> Nov 6 12:02:19 tokyo MailScanner[27046]: SpamAssassin cache hit for >> message mA6C2Gie027792 >> >> Nov 6 12:02:19 tokyo MailScanner[27046]: Spam Checks: Found 1 spam >> messages >> >> Nov 6 12:02:19 tokyo MailScanner[27046]: Virus and Content Scanning: >> Starting >> >> Nov 6 12:02:19 tokyo MailScanner[27046]: Clamd::INFECTED:: >> Sanesecurity.Hdr.8232.UNOFFICIAL :: ./mA6C2Gie027792/ >> >> Nov 6 12:02:19 tokyo MailScanner[27046]: Virus Scanning: Clamd found 2 >> infections >> >> Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: F-Prot6 found >> 2 infections >> >> Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: Kaspersky >> found 2 infections >> >> Nov 6 12:02:21 tokyo MailScanner[27046]: Infected message >> mA6C2Gie027792 came from 79.139.143.136 >> >> Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: Found 2 >> viruses >> >> Is this expected behavior? I've only recently upgraded (and also only >> just started using clamd, I used to use clamavmodule) so not sure if >> it's always done it or since the upgrade. 
>> >> Cheers >> >> Paul >> >> > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > -- > This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. > > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From shuttlebox at gmail.com Fri Nov 7 12:17:32 2008 
From: shuttlebox at gmail.com (shuttlebox) Date: Fri Nov 7 12:17:42 2008 Subject: Solaris 10 Mail:ClamAV compile trouble In-Reply-To: <491418C40200002700024B14@gwiadom.oes.beds.ac.uk> References: <491410E9020000EB00020D84@gwiadom.oes.beds.ac.uk> <491418C40200002700024B14@gwiadom.oes.beds.ac.uk> <491418C40200002700024B14@gwiadom.oes.beds.ac.uk> Message-ID: <625385e30811070417u34a007a9l3f2fd95b3d28f862@mail.gmail.com> On Fri, Nov 7, 2008 at 11:30 AM, Nikolaos Pavlidis wrote: > Hello all, > > From what I just saw > "Feb 11 2008 clamav-0.92.1,REV=2008.02.11-SunOS5.8-%ARCH%-CSW.pkg.gz" > is their latest release and in any case I would prefer a source build in > this case. We're changing maintainers on some software relevant to MailScanner. Expect new versions of Clam, SpamAssassin and DCC soon. An updated MailScanner package is also coming with SMF support. -- /peter From brose at med.wayne.edu Fri Nov 7 13:03:35 2008 From: brose at med.wayne.edu (Rose, Bobby) Date: Fri Nov 7 13:03:54 2008 Subject: all virus scanners reporting found virus In-Reply-To: References: <00df01c94008$3bbb3390$b3319ab0$@co.uk> <4912FCFD.2010309@ecs.soton.ac.uk> <49140F2A.1040800@ecs.soton.ac.uk> Message-ID: Yep. Setting Include Scanner Name In Reports = yes is now logging the scanner name. -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Rose, Bobby Sent: Friday, November 07, 2008 7:16 AM To: MailScanner discussion Subject: RE: all virus scanners reporting found virus It's set to no, but it always has been. I'll set it to yes to see if it makes a difference. I only noticed the logging problem when my stats script wasn't reporting that info after the upgrade. And I thought it odd that mine was broke but Paul Houselander's seemed to be working. -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: Friday, November 07, 2008 4:50 AM To: MailScanner discussion Subject: Re: all virus scanners reporting found virus Can you just confirm you have Include Scanner Name In Reports = yes in your MailScanner.conf? If so, I can't see why you wouldn't get the right output. It's only a logging problem. Rose, Bobby wrote: > I've noticed something different related to the AV logging. I'm using clamd and since I updated to 4.72.5, then ::INFECTED:: entry is missing Clamd ref. Before, even though I was using Clamd, it was reporting as ClamAVModule. > > For example, with 4.71.10, I'd see > Nov 5 13:58:22 eeyore MailScanner[20251]: ClamAVModule::INFECTED:: Sanesecurity.Hdr.8338.UNOFFICIAL FOUND :: ./mA5IveLi001260/ > > After the upgrade to 4.72.5, I see > Nov 5 14:13:49 eeyore MailScanner[8199]: ::INFECTED:: Phishing.Heuristics.Email.SpoofedDomain :: ./mA5JDfbU009742/ > > I've replaced my SweepViruses.pm with the one you posted and it didn't change anything. Also, I see the same thing on both of my inbound mail routers. I still see log entries like this so it is using clamd and getting the infected status code back from it. > > Nov 5 14:13:48 eeyore MailScanner[8199]: Virus Scanning: Clamd found 1 infections > > Any ideas? > -=Bobby > > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field > Sent: Thursday, November 06, 2008 9:20 AM > To: MailScanner discussion > Subject: Re: all virus scanners reporting found virus > > Please try the attached SweepViruses.pm file with the latest release of MailScanner. > Hopefully this will fix the problem. It's actually just a reporting bug. > > Jules. > > Paul Houselander (SME) wrote: > >> Hi >> >> I'm using MailScanner version 4.72.5 with clamd, f-prot and kaspersky >> >> I'm using the sanesecurity clam sigs as well. >> >> I've just noticed that when Clamd finds an infection the other virus >> scanners also say they found an infection even though they didn't >> >> Nov 6 12:02:19 tokyo MailScanner[27046]: New Batch: Scanning 1 >> messages, 1269 bytes >> >> Nov 6 12:02:19 tokyo MailScanner[27046]: SpamAssassin cache hit for >> message mA6C2Gie027792 >> >> Nov 6 12:02:19 tokyo MailScanner[27046]: Spam Checks: Found 1 spam >> messages >> >> Nov 6 12:02:19 tokyo MailScanner[27046]: Virus and Content Scanning: >> Starting >> >> Nov 6 12:02:19 tokyo MailScanner[27046]: Clamd::INFECTED:: >> Sanesecurity.Hdr.8232.UNOFFICIAL :: ./mA6C2Gie027792/ >> >> Nov 6 12:02:19 tokyo MailScanner[27046]: Virus Scanning: Clamd found 2 >> infections >> >> Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: F-Prot6 found >> 2 infections >> >> Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: Kaspersky >> found 2 infections >> >> Nov 6 12:02:21 tokyo MailScanner[27046]: Infected message >> mA6C2Gie027792 came from 79.139.143.136 >> >> Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: Found 2 >> viruses >> >> Is this expected behavior? I've only recently upgraded (and also only >> just started using clamd, I used to use clamavmodule) so not sure if >> it's always done it or since the upgrade. 
>> >> Cheers >> >> Paul >> >> > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > -- > This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. > > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From MailScanner at ecs.soton.ac.uk Fri Nov 7 14:36:39 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Nov 7 14:37:00 2008 Subject: all virus scanners reporting found virus In-Reply-To: References: <00df01c94008$3bbb3390$b3319ab0$@co.uk> <4912FCFD.2010309@ecs.soton.ac.uk> <49140F2A.1040800@ecs.soton.ac.uk> Message-ID: <49145277.8020302@ecs.soton.ac.uk> Yes, thought it might fix it. It logs the same text that goes in the reports, intentionally. Do you want me to break it so it always logs the scanner name, even if it doesn't report it? Rose, Bobby wrote: > Yep. Setting Include Scanner Name In Reports = yes is now logging the scanner name. > > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Rose, Bobby > Sent: Friday, November 07, 2008 7:16 AM > To: MailScanner discussion > Subject: RE: all virus scanners reporting found virus > > It's set to no, but it always has been. I'll set it to yes to see if it makes a difference. I only noticed the logging problem when my stats script wasn't reporting that info after the upgrade. And I thought it odd that mine was broke but Paul Houselander's seemed to be working. > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field > Sent: Friday, November 07, 2008 4:50 AM > To: MailScanner discussion > Subject: Re: all virus scanners reporting found virus > > Can you just confirm you have > Include Scanner Name In Reports = yes > in your MailScanner.conf? > > If so, I can't see why you wouldn't get the right output. It's only a > logging problem. > > Rose, Bobby wrote: > >> I've noticed something different related to the AV logging. I'm using clamd and since I updated to 4.72.5, then ::INFECTED:: entry is missing Clamd ref. Before, even though I was using Clamd, it was reporting as ClamAVModule. >> >> For example, with 4.71.10, I'd see >> Nov 5 13:58:22 eeyore MailScanner[20251]: ClamAVModule::INFECTED:: Sanesecurity.Hdr.8338.UNOFFICIAL FOUND :: ./mA5IveLi001260/ >> >> After the upgrade to 4.72.5, I see >> Nov 5 14:13:49 eeyore MailScanner[8199]: ::INFECTED:: Phishing.Heuristics.Email.SpoofedDomain :: ./mA5JDfbU009742/ >> >> I've replaced my SweepViruses.pm with the one you posted and it didn't change anything. Also, I see the same thing on both of my inbound mail routers. I still see log entries like this so it is using clamd and getting the infected status code back from it. >> >> Nov 5 14:13:48 eeyore MailScanner[8199]: Virus Scanning: Clamd found 1 infections >> >> Any ideas? >> -=Bobby >> >> >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field >> Sent: Thursday, November 06, 2008 9:20 AM >> To: MailScanner discussion >> Subject: Re: all virus scanners reporting found virus >> >> Please try the attached SweepViruses.pm file with the latest release of MailScanner. >> Hopefully this will fix the problem. It's actually just a reporting bug. >> >> Jules. >> >> Paul Houselander (SME) wrote: >> >> >>> Hi >>> >>> I'm using MailScanner version 4.72.5 with clamd, f-prot and kaspersky >>> >>> I'm using the sanesecurity clam sigs as well. >>> >>> I've just noticed that when Clamd finds an infection the other virus >>> scanners also say they found an infection even though they didn't >>> >>> Nov 6 12:02:19 tokyo MailScanner[27046]: New Batch: Scanning 1 >>> messages, 1269 bytes >>> >>> Nov 6 12:02:19 tokyo MailScanner[27046]: SpamAssassin cache hit for >>> message mA6C2Gie027792 >>> >>> Nov 6 12:02:19 tokyo MailScanner[27046]: Spam Checks: Found 1 spam >>> messages >>> >>> Nov 6 12:02:19 tokyo MailScanner[27046]: Virus and Content Scanning: >>> Starting >>> >>> Nov 6 12:02:19 tokyo MailScanner[27046]: Clamd::INFECTED:: >>> Sanesecurity.Hdr.8232.UNOFFICIAL :: ./mA6C2Gie027792/ >>> >>> Nov 6 12:02:19 tokyo MailScanner[27046]: Virus Scanning: Clamd found 2 >>> infections >>> >>> Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: F-Prot6 found >>> 2 infections >>> >>> Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: Kaspersky >>> found 2 infections >>> >>> Nov 6 12:02:21 tokyo MailScanner[27046]: Infected message >>> mA6C2Gie027792 came from 79.139.143.136 >>> >>> Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: Found 2 >>> viruses >>> >>> Is this expected behavior? I've only recently upgraded (and also only >>> just started using clamd, I used to use clamavmodule) so not sure if >>> it's always done it or since the upgrade. 
>>> >>> Cheers >>> >>> Paul >>> >>> >>> >> Jules >> >> -- >> Julian Field MEng CITP CEng >> www.MailScanner.info >> Buy the MailScanner book at www.MailScanner.info/store >> >> Need help customising MailScanner? >> Contact me! >> Need help fixing or optimising your systems? >> Contact me! >> Need help getting you started solving new requirements from your boss? >> Contact me! >> >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> >> >> -- >> This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. >> >> >> >> > > Jules > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Fri Nov 7 14:59:22 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Nov 7 14:59:42 2008 Subject: all virus scanners reporting found virus In-Reply-To: <49145277.8020302@ecs.soton.ac.uk> References: <00df01c94008$3bbb3390$b3319ab0$@co.uk> <4912FCFD.2010309@ecs.soton.ac.uk> <49140F2A.1040800@ecs.soton.ac.uk> <49145277.8020302@ecs.soton.ac.uk> Message-ID: <491457CA.9080002@ecs.soton.ac.uk> Try the attached SweepViruses.pm, it should now always log it, even if it won't include it in reports. Julian Field wrote: > Yes, thought it might fix it. It logs the same text that goes in the > reports, intentionally. Do you want me to break it so it always logs > the scanner name, even if it doesn't report it? > > Rose, Bobby wrote: >> Yep. Setting Include Scanner Name In Reports = yes is now logging >> the scanner name. >> >> >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of >> Rose, Bobby >> Sent: Friday, November 07, 2008 7:16 AM >> To: MailScanner discussion >> Subject: RE: all virus scanners reporting found virus >> >> It's set to no, but it always has been. I'll set it to yes to see if >> it makes a difference. I only noticed the logging problem when my >> stats script wasn't reporting that info after the upgrade. And I >> thought it odd that mine was broke but Paul Houselander's seemed to >> be working. >> >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of >> Julian Field >> Sent: Friday, November 07, 2008 4:50 AM >> To: MailScanner discussion >> Subject: Re: all virus scanners reporting found virus >> >> Can you just confirm you have >> Include Scanner Name In Reports = yes >> in your MailScanner.conf? >> >> If so, I can't see why you wouldn't get the right output. It's only a >> logging problem. >> >> Rose, Bobby wrote: >> >>> I've noticed something different related to the AV logging. I'm >>> using clamd and since I updated to 4.72.5, then ::INFECTED:: entry >>> is missing Clamd ref. Before, even though I was using Clamd, it was >>> reporting as ClamAVModule. >>> >>> For example, with 4.71.10, I'd see >>> Nov 5 13:58:22 eeyore MailScanner[20251]: >>> ClamAVModule::INFECTED:: Sanesecurity.Hdr.8338.UNOFFICIAL FOUND :: >>> ./mA5IveLi001260/ >>> After the upgrade to 4.72.5, I see >>> Nov 5 14:13:49 eeyore MailScanner[8199]: ::INFECTED:: >>> Phishing.Heuristics.Email.SpoofedDomain :: ./mA5JDfbU009742/ >>> I've replaced my SweepViruses.pm with the one you posted and it >>> didn't change anything. Also, I see the same thing on both of my >>> inbound mail routers. I still see log entries like this so it is >>> using clamd and getting the infected status code back from it. >>> >>> Nov 5 14:13:48 eeyore MailScanner[8199]: Virus Scanning: Clamd >>> found 1 infections >>> >>> Any ideas? >>> -=Bobby >>> >>> >>> -----Original Message----- 
>>> From: mailscanner-bounces@lists.mailscanner.info >>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of >>> Julian Field >>> Sent: Thursday, November 06, 2008 9:20 AM >>> To: MailScanner discussion >>> Subject: Re: all virus scanners reporting found virus >>> >>> Please try the attached SweepViruses.pm file with the latest release >>> of MailScanner. >>> Hopefully this will fix the problem. It's actually just a reporting >>> bug. >>> >>> Jules. >>> >>> Paul Houselander (SME) wrote: >>> >>>> Hi >>>> >>>> I'm using MailScanner version 4.72.5 with clamd, f-prot and kaspersky >>>> >>>> I'm using the sanesecurity clam sigs as well. >>>> >>>> I've just noticed that when Clamd finds an infection the other >>>> virus scanners also say they found an infection even though they >>>> didn't >>>> >>>> Nov 6 12:02:19 tokyo MailScanner[27046]: New Batch: Scanning 1 >>>> messages, 1269 bytes >>>> >>>> Nov 6 12:02:19 tokyo MailScanner[27046]: SpamAssassin cache hit for >>>> message mA6C2Gie027792 >>>> >>>> Nov 6 12:02:19 tokyo MailScanner[27046]: Spam Checks: Found 1 spam >>>> messages >>>> >>>> Nov 6 12:02:19 tokyo MailScanner[27046]: Virus and Content Scanning: >>>> Starting >>>> >>>> Nov 6 12:02:19 tokyo MailScanner[27046]: Clamd::INFECTED:: >>>> Sanesecurity.Hdr.8232.UNOFFICIAL :: ./mA6C2Gie027792/ >>>> >>>> Nov 6 12:02:19 tokyo MailScanner[27046]: Virus Scanning: Clamd >>>> found 2 infections >>>> >>>> Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: F-Prot6 found >>>> 2 infections >>>> >>>> Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: Kaspersky >>>> found 2 infections >>>> >>>> Nov 6 12:02:21 tokyo MailScanner[27046]: Infected message >>>> mA6C2Gie027792 came from 79.139.143.136 >>>> >>>> Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: Found 2 >>>> viruses >>>> >>>> Is this expected behavior? 
I've only recently upgraded (and also >>>> only just started using clamd, I used to use clamavmodule) so not >>>> sure if it's always done it or since the upgrade. >>>> >>>> Cheers >>>> >>>> Paul >>>> >>>> >>> Jules >>> >>> -- >>> Julian Field MEng CITP CEng >>> www.MailScanner.info >>> Buy the MailScanner book at www.MailScanner.info/store >>> >>> Need help customising MailScanner? >>> Contact me! >>> Need help fixing or optimising your systems? >>> Contact me! >>> Need help getting you started solving new requirements from your boss? >>> Contact me! >>> >>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >>> >>> >>> -- >>> This message has been scanned for viruses and dangerous content by >>> MailScanner, and is believed to be clean. >>> >>> >>> >> >> Jules >> >> > > Jules > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- A non-text attachment was scrubbed... Name: SweepViruses.pm.zip Type: application/x-zip-compressed Size: 34065 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081107/6ee175b6/SweepViruses.pm.bin From ugob at lubik.ca Fri Nov 7 15:19:58 2008 
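The stats-script breakage discussed in this thread comes from the `::INFECTED::` line losing its scanner prefix in 4.72.5 when Include Scanner Name In Reports = no. The following is an added example, not code from the thread or from MailScanner: a log parser that accepts both line shapes quoted above and, when the prefix is missing, falls back to the "Virus Scanning: <scanner> found N infections" line from the same child process. The function name, the field names and the use of "New Batch:" lines to bound a batch are assumptions.

```python
import re
from collections import defaultdict

# Log lines rejoined from the excerpts quoted in the thread; the last four
# (host "examplehost") are constructed to show the unresolved case.
SAMPLE_LOG = """\
Nov 5 13:58:22 eeyore MailScanner[20251]: ClamAVModule::INFECTED:: Sanesecurity.Hdr.8338.UNOFFICIAL FOUND :: ./mA5IveLi001260/
Nov 5 14:13:48 eeyore MailScanner[8199]: Virus Scanning: Clamd found 1 infections
Nov 5 14:13:49 eeyore MailScanner[8199]: ::INFECTED:: Phishing.Heuristics.Email.SpoofedDomain :: ./mA5JDfbU009742/
Nov 6 12:02:19 tokyo MailScanner[27046]: New Batch: Scanning 1 messages, 1269 bytes
Nov 6 12:02:19 tokyo MailScanner[27046]: Clamd::INFECTED:: Sanesecurity.Hdr.8232.UNOFFICIAL :: ./mA6C2Gie027792/
Nov 6 12:02:19 tokyo MailScanner[27046]: Virus Scanning: Clamd found 2 infections
Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: F-Prot6 found 2 infections
Nov 7 09:00:00 examplehost MailScanner[4242]: New Batch: Scanning 1 messages, 900 bytes
Nov 7 09:00:01 examplehost MailScanner[4242]: ::INFECTED:: Example.Test.Signature :: ./mEXAMPLE000001/
Nov 7 09:00:01 examplehost MailScanner[4242]: Virus Scanning: Clamd found 1 infections
Nov 7 09:00:02 examplehost MailScanner[4242]: Virus Scanning: F-Prot6 found 1 infections
"""

SYSLOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<host>\S+)\s+"
    r"MailScanner\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$")
# The scanner prefix is optional: the thread shows a bare "::INFECTED::"
# when the scanner name is not included in reports.
INFECTED = re.compile(
    r"^(?P<scanner>[^:\s]*)::INFECTED::\s+(?P<sig>.+?)\s+::\s+"
    r"\./(?P<msgid>[^/\s]+)/")
COUNT = re.compile(
    r"^Virus Scanning: (?P<scanner>\S+) found (?P<n>\d+) infections$")


def parse_infections(log_text):
    """Return one dict per ::INFECTED:: line, with the scanner resolved
    from the prefix or, failing that, from the per-scanner count lines."""
    batch_no = defaultdict(int)    # (host, pid) -> current batch index
    scanners = defaultdict(list)   # (host, pid, batch) -> scanners with hits
    events = []
    for line in log_text.splitlines():
        m = SYSLOG.match(line.strip())
        if not m:
            continue
        child = (m["host"], m["pid"])
        msg = m["msg"]
        # Assumption: each child logs "New Batch:" before scanning a batch,
        # so a reused PID does not mix count lines from different batches.
        if msg.startswith("New Batch:"):
            batch_no[child] += 1
            continue
        key = child + (batch_no[child],)
        count = COUNT.match(msg)
        if count:
            if int(count["n"]) > 0 and count["scanner"] not in scanners[key]:
                scanners[key].append(count["scanner"])
            continue
        hit = INFECTED.match(msg)
        if hit:
            events.append({
                "ts": m["ts"], "host": m["host"], "msgid": hit["msgid"],
                # The 4.71.10 line in the thread carries a trailing " FOUND".
                "signature": re.sub(r"\s+FOUND$", "", hit["sig"]),
                "scanner": hit["scanner"] or None,
                "source": "prefix" if hit["scanner"] else None,
                "_key": key,
            })
    # Second pass: the count line can come before or after the INFECTED
    # line (both orders appear in the thread), so resolve at the end.
    for ev in events:
        candidates = scanners[ev.pop("_key")]
        if ev["scanner"] is None:
            if len(candidates) == 1:
                ev["scanner"], ev["source"] = candidates[0], "inferred"
            else:
                # With several scanners configured the count lines cannot
                # attribute the hit; in the thread all three scanners
                # reported the same count for a single clamd detection.
                ev["source"] = "unresolved"
                ev["candidates"] = list(candidates)
    return events


if __name__ == "__main__":
    for event in parse_infections(SAMPLE_LOG):
        print(event)
```
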
From: ugob at lubik.ca (Ugo Bellavance)
Date: Fri Nov 7 15:20:19 2008
Subject: sendmail to exchange w/ldap problem slightly OT
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB0907711@winchester.andrewscompanies.com>
References: <1964AAFBC212F742958F9275BF63DBB0907711@winchester.andrewscompanies.com>
Message-ID:

Steven Andrews wrote:
> I've been using a hunk of code to have MS/Sendmail query exchange
> 2000/2003 boxes for some time with no problems. Today, I'm setting up a
> nice little dell R200 and so I had to use Centos4.7 over my default 4.3
> to get sata support.

You could use the LDAP support in sendmail:

define(`confLDAP_DEFAULT_SPEC', `-h "exchangeserver" -d "CN=User User,CN=Users,DC=subdomain,DC=domain,DC=com" -M simple -P /etc/mail/ldap-secret -b "CN=Users,DC=subdomain,DC=domain,DC=com"')dnl

(on one line)

Please see the Sendmail config for details.

From ssilva at sgvwater.com Fri Nov 7 19:42:37 2008
From: ssilva at sgvwater.com (Scott Silva) Date: Fri Nov 7 19:43:00 2008 Subject: Solaris 10 Mail:ClamAV compile trouble In-Reply-To: <49140F57.8070106@ecs.soton.ac.uk> References: <49140BFB02000009000235B4@gwiadom.oes.beds.ac.uk> <49140CF40200002700024AF6@gwiadom.oes.beds.ac.uk> <49140CF40200002700024AF6@gwiadom.oes.beds.ac.uk> <49140F57.8070106@ecs.soton.ac.uk> Message-ID: on 11-7-2008 1:50 AM Julian Field spake the following: > > > Nikolaos Pavlidis wrote: >> Hello all, >> >> I am afraid that I will be forced to... >> > You won't regret it. I thought the Blastwave guys had this packaged up > ready to go anyway? > I'm never going back to the perl module. It just takes too long for the updates. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081107/7fbc28b8/signature.bin From mikes at hartwellcorp.com Fri Nov 7 21:28:46 2008 
From: mikes at hartwellcorp.com (Michael St. Laurent) Date: Fri Nov 7 21:29:08 2008 Subject: CentOS-5 and Perl Message-ID: <3BF93070B3D1B047BA7ABF612958950D049402A5@hcex.hartwellcorp.com> So, has a good workaround been found for the file conflicts with the Perl package? Every time I do a MailScanner update I see a bunch of messages such as "file /usr/bin/instmodsh from install of perl-ExtUtils-MakeMaker-6.32-1 conflicts with file from package perl-5.8.8-10.el5_2.3" Likewise, when I do a yum update and there is a new perl package available I do the clunky uninstall, update perl, then reinstall workaround. This e-mail may contain technical information which is controlled by the United States Government, Department of State, International Traffic & Arms Regulations (ITAR) (22 CFR 120-130) which requires an export license prior to sharing with foreign persons. Lacking such license, ITAR technical data is limited to US Legal Residents only. It is the responsibility of the organization and individual in control of this data to abide by US export laws. If you are not a US Legal Resident, immediately forward this e-mail to notify@hartwellcorp.com or reply to sender without reading any further. Take no other action with this e-mail until contacted. Notice: The information in this document and document itself, in whole or in part, in any form ("Information") is proprietary and/or confidential property of Hartwell Corporation, Placentia, California. Hartwell Corporation and its successors and assignees retain and reserve all right, title and interest in this information in whole or in part and in all forms. This Information is provided to the original recipient only for confidential use, with the understanding that it will not be used in any manner detrimental to the interests of Hartwell Corporation, and subject to return on request. 
Reproduction, transmission, distribution or publication of this Information in any form, in whole or in part, for any purpose without prior written permission of Hartwell Corporation is strictly prohibited. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From hvdkooij at vanderkooij.org Fri Nov 7 22:16:49 2008 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Fri Nov 7 22:17:01 2008 Subject: CentOS-5 and Perl In-Reply-To: <3BF93070B3D1B047BA7ABF612958950D049402A5@hcex.hartwellcorp.com> References: <3BF93070B3D1B047BA7ABF612958950D049402A5@hcex.hartwellcorp.com> Message-ID: <4914BE51.5040903@vanderkooij.org> Michael St. Laurent wrote: > So, has a good workaround been found for the file conflicts with the > Perl package? Every time I do a MailScanner update I see a bunch of > messages such as "file /usr/bin/instmodsh from install of > perl-ExtUtils-MakeMaker-6.32-1 conflicts with file from package > perl-5.8.8-10.el5_2.3" Likewise, when I do a yum update and there is a > new perl package available I do the clunky uninstall, update perl, then > reinstall workaround. I could tell you that I am playing with rebuilding packages to live elsewhere so there is no longer a conflict. But it will require some more rainy weekends before anything will be available. Hugo. PS: Ever thought of using a normal sigline separator (dash dash space) before the whole current disclaimer? -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. I am not in the office at the moment. Send any work to be translated. From mikes at hartwellcorp.com Fri Nov 7 22:39:14 2008 
From: mikes at hartwellcorp.com (Michael St. Laurent) Date: Fri Nov 7 22:39:53 2008 Subject: CentOS-5 and Perl References: <3BF93070B3D1B047BA7ABF612958950D049402A5@hcex.hartwellcorp.com> <4914BE51.5040903@vanderkooij.org> Message-ID: <3BF93070B3D1B047BA7ABF612958950D049402C3@hcex.hartwellcorp.com> > > So, has a good workaround been found for the file conflicts with the > > Perl package? Every time I do a MailScanner update I see a bunch of > > messages such as "file /usr/bin/instmodsh from install of > > perl-ExtUtils-MakeMaker-6.32-1 conflicts with file from package > > perl-5.8.8-10.el5_2.3" Likewise, when I do a yum update and there is a > > new perl package available I do the clunky uninstall, update perl, then > > reinstall workaround. > > I could tell you that I am playing with rebuilding packages to live > elsewhere so there is no longer a conflict. > > But it will require some more rainy weekends before anything will be > available. > > Hugo. > > PS: Ever thought of using a normal sigline separator (dash dash space) > before the whole current disclaimer? Okay, thanks for the update Hugo. I'll pass on the sigline suggestion to our Exchange admin. This e-mail may contain technical information which is controlled by the United States Government, Department of State, International Traffic & Arms Regulations (ITAR) (22 CFR 120-130) which requires an export license prior to sharing with foreign persons. Lacking such license, ITAR technical data is limited to US Legal Residents only. It is the responsibility of the organization and individual in control of this data to abide by US export laws. If you are not a US Legal Resident, immediately forward this e-mail to notify@hartwellcorp.com or reply to sender without reading any further. Take no other action with this e-mail until contacted. 
From edward at tdcs.com.au Sat Nov 8 01:27:21 2008 
From: edward at tdcs.com.au (Edward Dekkers)
Date: Sat Nov 8 01:28:02 2008
Subject: Upgraded server
In-Reply-To: <4914283B.8070400@ecs.soton.ac.uk>
References: <4914283B.8070400@ecs.soton.ac.uk>
Message-ID:

> > WARNING: ignoring deprecated option -unzip
> >
> You've got old *-wrapper scripts. In an RPM install they are in
> /usr/lib/MailScanner but I don't know where Ubuntu might have put them.

From what I can tell they're in /etc/MailScanner/wrapper.

See the attached file for an example of the ClamAV one, which I'm actively using.

They are time stamped correctly (2008-10-02), because my old installation was way over a year old, and all the stuff used to be in /opt, so I really believe they are the current ones that came with the debian package here:

http://debian.intergenia.de/debian/pool/main/m/mailscanner/mailscanner_4.71.10-1_all.deb

Which is what the Ubuntu installation instructions tell me to use:

"Install MailScanner from the Debian .deb Source

wget http://debian.intergenia.de/debian/pool/main/m/mailscanner/mailscanner_4.68.8-1_all.deb
dpkg -i mailscanner_4.68.8-1_all.deb

Note that the 4.68.8-1 in the 2 commands above should be replaced by the version number you want to install. The version number of the latest distribution can be found on the Downloads page."

So to continue on:

1> If the wrappers in the package are not suitable - should the maintainer be alerted?
2> Can I get the correct wrapper scripts somewhere without trashing everything, which I only just got working again?

Regards,
Ed.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: clamav-wrapper
Type: application/octet-stream
Size: 6186 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081108/a16c3901/clamav-wrapper-0001.obj

From edward at tdcs.com.au Sat Nov 8 06:02:18 2008
From: edward at tdcs.com.au (Edward Dekkers)
Date: Sat Nov 8 06:02:47 2008
Subject: Upgraded server
In-Reply-To:
References: <4914283B.8070400@ecs.soton.ac.uk>
Message-ID:

> So to continue on:
>
> 1> If the wrappers in the package are not suitable - should the maintainer
> be alerted?
> 2> Can I get the correct wrapper scripts somewhere without trashing
> everything, which I only just got working again?
>
> Regards,
> Ed.
>

Sorry to reply to my own e-mail, but I'd like to keep this in the thread too.

I also don't have a /etc/MailScanner/bin folder - which used to hold the scripts to update the fishing filter, virus scanners, check whether mailscanner was still running, cleaned the quarantine, and I also don't have a lot of the /reports/en/ stuff - which throws up quite a few errors when MailScanner starts. Just 3 reports.

I'm thinking this deb package isn't as complete as it should be???

Regards,
Ed.

From hvdkooij at vanderkooij.org Sat Nov 8 07:45:37 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sat Nov 8 07:45:47 2008
Subject: Upgraded server
In-Reply-To:
References: <4914283B.8070400@ecs.soton.ac.uk>
Message-ID: <491543A1.3040803@vanderkooij.org>

Edward Dekkers wrote:

> I also don't have a /etc/MailScanner/bin folder - which used to hold the
> scripts to update the fishing filter, virus scanners, check whether
> mailscanner was still running, cleaned the quarantine, and I also don't have
> a lot of the /reports/en/ stuff - which throws up quite a few errors when
> MailScanner starts. Just 3 reports.
>
> I'm thinking this deb package isn't as complete as it should be???

Sounds like you need to see the packager. Little Jules can do about incomplete packages created by others.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

I am not in the office at the moment. Send any work to be translated.

From samp at arial-concept.com Sat Nov 8 16:24:02 2008
From: samp at arial-concept.com (Sam Przyswa)
Date: Sat Nov 8 16:24:24 2008
Subject: MS 4.55.10 and Clamscan 0.90 dosen't work
Message-ID: <1226161442.8828.8.camel@arial-2>

Hi,

I have problems to use MS 4.55.10 with clamscan 0.90 clamscan stay running and take 99% of CPU I have to set timeout to 60sec and in the mail.log I got errors message about "clamav: Failed to complete, timed out" and "Virus Scanning: Denial Of Service attack is in message XXXXXX"
Since sometimes I have some problems with Clamav and MS.

What is the good antivir with MS to replace Clamav ?

I use Debian stable ONLY don't tell me to use the last-of-last clamav version or the las-of-last MS version.

Thanks in advance.

Sam.

--
This message was checked by MailScanner for viruses and spam, and nothing suspicious was found.

From MailScanner at ecs.soton.ac.uk Sat Nov 8 18:18:54 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Nov 8 18:19:19 2008
Subject: CentOS-5 and Perl
In-Reply-To: <4914BE51.5040903@vanderkooij.org>
References: <3BF93070B3D1B047BA7ABF612958950D049402A5@hcex.hartwellcorp.com> <4914BE51.5040903@vanderkooij.org>
Message-ID: <4915D80E.9050402@ecs.soton.ac.uk>

Hugo van der Kooij wrote:
> Michael St. Laurent wrote:
>
>> So, has a good workaround been found for the file conflicts with the
>> Perl package? Every time I do a MailScanner update I see a bunch of
>> messages such as "file /usr/bin/instmodsh from install of
>> perl-ExtUtils-MakeMaker-6.32-1 conflicts with file from package
>> perl-5.8.8-10.el5_2.3" Likewise, when I do a yum update and there is a
>> new perl package available I do the clunky uninstall, update perl, then
>> reinstall workaround.
>>

The "clunky uninstall" is actually only about 4 modules. And the "./install.sh fast" makes the re-install only take a couple of minutes.

It's not *that* bad, considering how infrequent Perl updates are.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

From MailScanner at ecs.soton.ac.uk Sat Nov 8 18:23:00 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Nov 8 18:23:23 2008
Subject: MS 4.55.10 and Clamscan 0.90 dosen't work
In-Reply-To: <1226161442.8828.8.camel@arial-2>
References: <1226161442.8828.8.camel@arial-2>
Message-ID: <4915D904.4000108@ecs.soton.ac.uk>

Sam Przyswa wrote:
> Hi,
>
> I have problems to use MS 4.55.10 with clamscan 0.90 clamscan stay
> running and take 99% of CPU I have to set timeout to 60sec and in the
> mail.log I got errors message about "clamav: Failed to complete, timed
> out" and "Virus Scanning: Denial Of Service attack is in message XXXXXX"
> Since sometimes I have some problems with Clamav and MS.
>
> What is the good antivir with MS to replace Clamav ?
>

The MailScanner.conf file clearly lists the two dozen or so virus scanners that MailScanner supports. Use any combination you like.

> I use Debian stable ONLY don't tell me to use the last-of-last clamav
> version or the las-of-last MS version.
>

If you are having problems with old ClamAV versions that no longer detect most of the current viruses, and a MailScanner that is nearly two years old and totally unsupported by me, and you won't upgrade, you are destined to have a very poor system which leaks viruses like a sieve, and has all sorts of bugs and so on. I'm sure your customers just love all those viruses :-)

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

From samp at arial-concept.com Sat Nov 8 18:55:28 2008
From: samp at arial-concept.com (Sam Przyswa)
Date: Sat Nov 8 18:55:49 2008
Subject: MS 4.55.10 and Clamscan 0.90 dosen't work
In-Reply-To: <4915D904.4000108@ecs.soton.ac.uk>
References: <1226161442.8828.8.camel@arial-2> <4915D904.4000108@ecs.soton.ac.uk>
Message-ID: <1226170528.8828.36.camel@arial-2>

On Saturday 08 November 2008 at 18:23 +0000, Julian Field wrote:
>
> Sam Przyswa wrote:
> > Hi,
> >
> > I have problems to use MS 4.55.10 with clamscan 0.90 clamscan stay
> > running and take 99% of CPU I have to set timeout to 60sec and in the
> > mail.log I got errors message about "clamav: Failed to complete, timed
> > out" and "Virus Scanning: Denial Of Service attack is in message XXXXXX"
> > Since sometimes I have some problems with Clamav and MS.
> >
> > What is the good antivir with MS to replace Clamav ?
> >
> The MailScanner.conf file clearly lists the two dozen or so virus
> scanners that MailScanner supports. Use any combination you like.

Yes I know, I asked to free antivir MS compatible.

> > I use Debian stable ONLY don't tell me to use the last-of-last clamav
> > version or the las-of-last MS version.
> >
> If you are having problems with old ClamAV versions that no longer
> detect most of the current viruses, and a MailScanner that is nearly two
> years old and totally unsupported by me, and you won't upgrade, you are
> destined to have a very poor system which leaks viruses like a sieve,
> and has all sorts of bugs and so on. I'm sure your customers just love
> all those viruses :-)

To upgrade to the last clamav and MS version I have to switch to Debian unstable and I don't want to make my customers machines unstable. The last time I do that I got lot of troubles...

Thanks anyway.

Sam.

From hvdkooij at vanderkooij.org Sat Nov 8 22:24:42 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sat Nov 8 22:24:52 2008
Subject: MS 4.55.10 and Clamscan 0.90 dosen't work
In-Reply-To: <1226170528.8828.36.camel@arial-2>
References: <1226161442.8828.8.camel@arial-2> <4915D904.4000108@ecs.soton.ac.uk> <1226170528.8828.36.camel@arial-2>
Message-ID: <491611AA.6060601@vanderkooij.org>

Sam Przyswa wrote:
>
> To upgrade to the last clamav and MS version I have to switch to Debian
> unstable and I don't want to make my customers machines unstable. The
> last time I do that I got lot of troubles...

I would say you are running unstable ClamAV and unstable MailScanner by now. How do your customers like that?

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

I am not in the office at the moment. Send any work to be translated.

From edward at tdcs.com.au Sat Nov 8 22:26:18 2008
From: edward at tdcs.com.au (Edward Dekkers)
Date: Sat Nov 8 22:26:56 2008
Subject: Upgraded server
In-Reply-To: <491543A1.3040803@vanderkooij.org>
References: <4914283B.8070400@ecs.soton.ac.uk> <491543A1.3040803@vanderkooij.org>
Message-ID:

> Edward Dekkers wrote:
>
> > I also don't have a /etc/MailScanner/bin folder - which used to hold the
> > scripts to update the fishing filter, virus scanners, check whether
> > mailscanner was still running, cleaned the quarantine, and I also don't have
> > a lot of the /reports/en/ stuff - which throws up quite a few errors when
> > MailScanner starts. Just 3 reports.
> >
> > I'm thinking this deb package isn't as complete as it should be???
>
> Sounds like you need to see the packager. Little Jules can do about
> incomplete packages created by others.
>
> Hugo.

Oh sorry Hugo, I absolutely did not mean to imply Jules needs to do anything about this. I also don't know how "officially" the package maintainer is integrated in the whole MailScanner project. I just thought because the .deb was a suggested method of installation for Ubuntu Server with instructions directly from the official MailScanner site, there may be some cross-communication between the MailScanner developer/documentation people/package maintainers. They may even be listening on this list :)

I'll try to get on to the maintainer or at least the person who posted the Ubuntu installation instructions to see what's going on.

In the meantime - would I be correct in suggesting that if I grab the same version tarball, I can just extract the missing wrappers/reports/scripts from there? This shouldn't mess up any future .deb package upgrades hopefully. Like I said, the main MailScanner seems to work fine, just with a lot of warnings about missing files etc.

Do we still need the scripts that check whether MailScanner is still running/update ClamAV/phishing filters and put them in Cron like my old version of MailScanner or is this all automated now, and I'm chasing something that is now not necessary?

Regards,
Ed.

P.S. Hope you're not working on your weekend.

From hvdkooij at vanderkooij.org Sat Nov 8 22:51:04 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sat Nov 8 22:51:15 2008
Subject: Upgraded server
In-Reply-To:
References: <4914283B.8070400@ecs.soton.ac.uk> <491543A1.3040803@vanderkooij.org>
Message-ID: <491617D8.4040505@vanderkooij.org>

Edward Dekkers wrote:
>> Edward Dekkers wrote:
>>
>>> I also don't have a /etc/MailScanner/bin folder - which used to hold the
>>> scripts to update the fishing filter, virus scanners, check whether
>>> mailscanner was still running, cleaned the quarantine, and I also don't have
>>> a lot of the /reports/en/ stuff - which throws up quite a few errors when
>>> MailScanner starts. Just 3 reports.
>>>
>>> I'm thinking this deb package isn't as complete as it should be???
>> Sounds like you need to see the packager. Little Jules can do about
>> incomplete packages created by others.
>>
>> Hugo.
>
> Oh sorry Hugo, I absolutely did not mean to imply Jules needs to do anything
> about this. I also don't know how "officially" the package maintainer is
> integrated in the whole MailScanner project. I just thought because the .deb
> was a suggested method of installation for Ubuntu Server with instructions
> directly from the official MailScanner site, there may be some
> cross-communication between the MailScanner developer/documentation
> people/package maintainers. They may even be listening on this list :)
>
> I'll try to get on to the maintainer or at least the person who posted the
> Ubuntu installation instructions to see what's going on.
>
> In the meantime - would I be correct in suggesting that if I grab the same
> version tarball, I can just extract the missing wrappers/reports/scripts
> from there? This shouldn't mess up any future .deb package upgrades
> hopefully. Like I said, the main MailScanner seems to work fine, just with a
> lot of warnings about missing files etc. Do we still need the scripts that
> check whether MailScanner is still running/update ClamAV/phishing filters
> and put them in Cron like my old version of MailScanner or is this all
> automated now, and I'm chasing something that is now not necessary?

I am not familiar with the exact workings of .deb files. I do know how I would check .rpm files and see if the package is built correctly. Even before installing one I can see if the proper files are there and a lot of other things that some may not notice.

And in that way I manage to build a .rpm file with relatively few bugs.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

I am not in the office at the moment. Send any work to be translated.

From james at gray.net.au Sat Nov 8 22:59:27 2008
From: james at gray.net.au (James Gray)
Date: Sat Nov 8 22:59:44 2008
Subject: MS 4.55.10 and Clamscan 0.90 dosen't work
In-Reply-To: <1226170528.8828.36.camel@arial-2>
References: <1226161442.8828.8.camel@arial-2> <4915D904.4000108@ecs.soton.ac.uk> <1226170528.8828.36.camel@arial-2>
Message-ID: <53489551-3318-4269-94C0-57C18EF5DBA7@gray.net.au>

On 09/11/2008, at 5:55 AM, Sam Przyswa wrote:
> To upgrade to the last clamav and MS version I have to switch to Debian
> unstable and I don't want to make my customers machines unstable. The
> last time I do that I got lot of troubles...

Your logic is flawed although I understand your motivations. When it comes to security software (which I put MS/ClamAV etc into) you MUST stay up-to-date or the bad guys win by default; as in the defender doesn't show up for the prize fight.

Have a read on Debian's packaging system. You can actually add the testing/unstable repositories to your /etc/apt/sources.list (or /etc/apt/sources.list.d/) and then use /etc/apt/apt.conf to only pull specific packages from the unstable/testing repo's.

Alternatively, you could forget Debian's SpamAssassin/ClamAV/MailScanner packages and simply install from Julian's installer. This last approach is the one I have adopted and it has *never* caused any problems.

Here's my /etc/apt/apt.conf on a production machine:

$cat apt.conf
APT::Default-Release "stable";
APT::Cache-Limit "16777216";
Acquire::http::Proxy "http://127.0.0.1:3128/";

Notice the "Default-Release" option? That means "apt" will only pull in a testing/unstable package if I tell it to like this:

# apt-get -t testing install

Voila! When you add stable/test/unstable all to the same apt configuration, you may get errors when updating the package list due to memory exhaustion. That's why the "Cache-Limit" is set to a larger value in my config. The proxy line means that after the first machine has updated itself, the remainder get the packages from the proxy which is faster and friendlier to the mirror operators :) Just have to make sure your repository and proxy config are consistent across your machines and it works like a charm!

Consider your customers, the rest of us netizens, and get your software updated :) Julian is a top guy and is passionate about his software, but he does provide his time and software for FREE. He can't be expected to support all versions of MS for all time, for free. Have some consideration ;)

Cheers,
James

From sandrews at andrewscompanies.com Sun Nov 9 01:22:43 2008
From: sandrews at andrewscompanies.com (Steven Andrews)
Date: Sun Nov 9 01:22:53 2008
Subject: MS 4.55.10 and Clamscan 0.90 dosen't work
In-Reply-To: <1226161442.8828.8.camel@arial-2>
References: <1226161442.8828.8.camel@arial-2>
Message-ID: <1964AAFBC212F742958F9275BF63DBB09077A9@winchester.andrewscompanies.com>

I use Debian stable ONLY don't tell me to use the last-of-last clamav version or the las-of-last MS version.

Translation: don't tell me how to fix it.

From james at gray.net.au Sun Nov 9 02:24:19 2008
From: james at gray.net.au (James Gray)
Date: Sun Nov 9 02:24:40 2008
Subject: MS 4.55.10 and Clamscan 0.90 dosen't work
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB09077A9@winchester.andrewscompanies.com>
References: <1226161442.8828.8.camel@arial-2> <1964AAFBC212F742958F9275BF63DBB09077A9@winchester.andrewscompanies.com>
Message-ID: <30086C79-90EB-4F5E-99B7-2C8321E4FB96@gray.net.au>

On 09/11/2008, at 12:22 PM, Steven Andrews wrote:
>
> I use Debian stable ONLY don't tell me to use the last-of-last clamav
> version or the las-of-last MS version.
>
> Translation: don't tell me how to fix it.

Was that sarcasm?

Steven, if you honestly think you are doing anyone a favor by running waaaay out-of-date software, then that's fine - seriously. Just don't expect any support from anyone here - go get your support from your distribution and/or package maintainer.

Holding onto the "I only install stable because that's what my linux distro supplies" logic, is like saying that because Ford don't send you new tyres for your car, you're not going to replace the bald ones ;)

Cheers,
James

From Neal at Morgan-Systems.com Sun Nov 9 06:53:20 2008
From: Neal at Morgan-Systems.com (Neal Morgan)
Date: Sun Nov 9 06:54:03 2008
Subject: MS 4.55.10 and Clamscan 0.90 dosen't work
In-Reply-To: <1226170528.8828.36.camel@arial-2>
References: <1226161442.8828.8.camel@arial-2><4915D904.4000108@ecs.soton.ac.uk> <1226170528.8828.36.camel@arial-2>
Message-ID: <7D1CC61717004141A57CA6CA1C8087EC38E76A@server-16.MorganSys.net>

Sam Przyswa wrote:
> To upgrade to the last clamav and MS version I have to switch to Debian
> unstable and I don't want to make my customers machines unstable. The
> last time I do that I got lot of troubles...
>
> Thanks anyway.
>
> Sam.
>

Sam and other Debian users on the list:

For over a year I trudged through abysmal performance with clamav - seeing the responses from the list saying "upgrade to latest". Problem was, I already had the latest official release, and with more than a dozen servers, building from source and dealing with missing dependencies on multiple packages seemed like more trouble than it was worth.

...until one day I stumbled across a reference to the "Debian Volatile" repository.

Some packages included in Debian are updated quickly by the group that writes them, but the main Debian packages for same update very slowly, if at all. This leaves a choice between compiling from source and risking missing security updates, or waiting a long time for Debian to release the new version. Packages where this is a problem include Clamav and Spamassassin.

There is an alternative: use the Debian Volatile distribution in addition to the current stable one. Debian Package maintainers can release updates to these (and presumably other) packages without the full round of testing that is normally done.

Steps to use this:

1) Edit /etc/apt/sources.list and add this line:

   deb http://volatile.debian.net/debian-volatile etch/volatile main

2) Edit (or create if it doesn't exist) /etc/apt/apt.conf

   APT::Default-Release "stable";
   APT::Cache-Limit "16777216";

   Note the first line helps apt know which is the main release, and the second line deals with running out of memory when updating package lists from multiple sources.

3) Run dselect as normal

From raymond at prolocation.net Sun Nov 9 08:57:56 2008
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Sun Nov 9 08:58:05 2008
Subject: MS 4.55.10 and Clamscan 0.90 dosen't work
In-Reply-To: <1226170528.8828.36.camel@arial-2>
References: <1226161442.8828.8.camel@arial-2> <4915D904.4000108@ecs.soton.ac.uk> <1226170528.8828.36.camel@arial-2>
Message-ID:

Hi!

> To upgrade to the last clamav and MS version I have to switch to Debian
> unstable and I don't want to make my customers machines unstable. The
> last time I do that I got lot of troubles...

This is really a stupid thing. 'Unstable' ... you feel this is more stable? You understand this is dangerous? Running a 'Stable' version but leaving all your customers open to a very big risk to be infected? Your stoneaged version does not pick up a LOT of new viruses.

You can also compile or package this one yourself, it's just a matter of time and effort...

Bye,
Raymond.

From MailScanner at ecs.soton.ac.uk Sun Nov 9 10:57:30 2008
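The apt.conf posted by James Gray and again in Neal Morgan's steps depends on APT::Default-Release to keep routine upgrades on stable once a second suite is listed in sources.list. The following check is an added example, not code from any poster or from the MailScanner project: the function names, the sample files and the ftp.debian.org mirror line are constructed for illustration, and it reads only the flat one-line apt.conf form shown in the thread, not pins in /etc/apt/preferences.

```shell
#!/bin/sh
# Added example: flag an APT setup that mixes suites without a default release.
# All sample file contents below are constructed for the demonstration.

# list_suites FILE: print the suite of every active deb/deb-src line.
# Commented-out lines have "#" as their first field and are skipped;
# an optional "[option=value ...]" group before the URI is stepped over.
list_suites() {
    awk '
        $1 == "deb" || $1 == "deb-src" {
            i = 2
            if ($i ~ /^\[/) {
                while (i <= NF && $i !~ /\]$/) i++
                i++
            }
            if (i + 1 <= NF) print $(i + 1)
        }' "$1" | sort -u
}

# default_release FILE: print the value of APT::Default-Release, if any.
# Limitation: the nested form  APT { Default-Release "x"; };  is not parsed.
default_release() {
    [ -f "$1" ] || return 0
    sed -n 's/^[[:space:]]*APT::Default-Release[[:space:]]*"\([^"]*\)"[[:space:]]*;.*/\1/p' "$1" | tail -n 1
}

# audit_apt SOURCES CONF: return 0 when upgrades stay on one release,
# 1 when several suites are configured and nothing selects a default.
audit_apt() {
    suites=$(list_suites "$1")
    count=$(printf '%s\n' "$suites" | grep -c . || true)
    release=$(default_release "$2")
    joined=$(printf '%s' "$suites" | tr '\n' ' ')

    if [ "$count" -le 1 ]; then
        echo "OK: single suite (${joined:-none}), nothing to select"
        return 0
    fi
    if [ -n "$release" ]; then
        echo "OK: $count suites ($joined), Default-Release \"$release\" is set"
        return 0
    fi
    echo "RISK: $count suites ($joined) and no APT::Default-Release;" \
         "an upgrade takes the newest version from any of them"
    return 1
}

# write_samples DIR: create the constructed input files used below.
write_samples() {
    cat > "$1/sources.list" <<'EOF'
deb http://ftp.debian.org/debian stable main
# deb http://ftp.debian.org/debian unstable main
deb http://volatile.debian.net/debian-volatile etch/volatile main
EOF
    cat > "$1/apt.conf" <<'EOF'
APT::Default-Release "stable";
APT::Cache-Limit "16777216";
EOF
    : > "$1/empty.conf"
}

# Stand-alone run: the same sources.list with and without the apt.conf lines.
tmp=$(mktemp -d)
write_samples "$tmp"
audit_apt "$tmp/sources.list" "$tmp/apt.conf" || true
audit_apt "$tmp/sources.list" "$tmp/empty.conf" || true
rm -rf "$tmp"
```

Pointed at the real /etc/apt/sources.list and /etc/apt/apt.conf, the exit status of audit_apt can gate an unattended upgrade job.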
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Nov 9 10:58:04 2008
Subject: Upgraded server
In-Reply-To:
References: <4914283B.8070400@ecs.soton.ac.uk> <491543A1.3040803@vanderkooij.org>
Message-ID: <4916C21A.10708@ecs.soton.ac.uk>

Edward Dekkers wrote:
>> Edward Dekkers wrote:
>>
>>> I also don't have a /etc/MailScanner/bin folder - which used to hold the
>>> scripts to update the fishing filter, virus scanners, check whether
>>> mailscanner was still running, cleaned the quarantine, and I also don't have
>>> a lot of the /reports/en/ stuff - which throws up quite a few errors when
>>> MailScanner starts. Just 3 reports.
>>>
>>> I'm thinking this deb package isn't as complete as it should be???
>>>
>> Sounds like you need to see the packager. Little Jules can do about
>> incomplete packages created by others.
>>
>> Hugo.
>>
>
> Oh sorry Hugo, I absolutely did not mean to imply Jules needs to do anything
> about this. I also don't know how "officially" the package maintainer is
> integrated in the whole MailScanner project.

They're not at all. I don't even know who does it.

> I just thought because the .deb
> was a suggested method of installation for Ubuntu Server with instructions
> directly from the official MailScanner site, there may be some
> cross-communication between the MailScanner developer/documentation
> people/package maintainers. They may even be listening on this list :)
>

That's because the official Ubuntu distribution of MailScanner doesn't even function at all (it didn't in Heron, anyway). Shame they never tried testing it :(

> I'll try to get on to the maintainer or at least the person who posted the
> Ubuntu installation instructions to see what's going on.
>
> In the meantime - would I be correct in suggesting that if I grab the same
> version tarball, I can just extract the missing wrappers/reports/scripts
> from there?

You should be able to rip out the -wrapper and -autoupdate scripts, and the missing reports, without any problems.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

From rob at kettle.org.uk Sun Nov 9 13:36:25 2008
From: rob at kettle.org.uk (rob@kettle.org.uk)
Date: Sun Nov 9 13:36:39 2008
Subject: Change Recipient
Message-ID: <073f600fca368c781a02927e78fd9b46.squirrel@www.kettle.org.uk>

Hi,

sorry if this is a dumb question but I just can't think of the answer (maybe having a mental block today)....

is there a way in Sendmail/Mailscanner/Mailwatch to change the recipient based on a rule ? ie. if mail is from fred@bloggs.com and to joe@mycompany.com can I change to recipient so that joe doesn't get the mail but bill@mycompany does instead ?

I need it to be rule based as most mail for joe needs to get through normally, it's only when it's from a certain sender that I want to change the recipient.

Thanks in advance and apologies if I've overlooked the obvious.

Rob

From sandrews at andrewscompanies.com Sun Nov 9 13:57:32 2008
From: sandrews at andrewscompanies.com (Steven Andrews)
Date: Sun Nov 9 13:57:43 2008
Subject: MS 4.55.10 and Clamscan 0.90 dosen't work
In-Reply-To: <30086C79-90EB-4F5E-99B7-2C8321E4FB96@gray.net.au>
References: <1226161442.8828.8.camel@arial-2><1964AAFBC212F742958F9275BF63DBB09077A9@winchester.andrewscompanies.com> <30086C79-90EB-4F5E-99B7-2C8321E4FB96@gray.net.au>
Message-ID: <1964AAFBC212F742958F9275BF63DBB09077AA@winchester.andrewscompanies.com>

Original poster was Sam. I've been whacked for using 4.3 centos (yummed) as the base for my spamfilters, but never for not keeping MS and clamav up to date! ;)

I come from a windows world...we don't have this "stable" concept. All updates supposedly help you achieve "stable".

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of James Gray
Sent: Saturday, November 08, 2008 9:24 PM
To: MailScanner discussion
Subject: Re: MS 4.55.10 and Clamscan 0.90 dosen't work

On 09/11/2008, at 12:22 PM, Steven Andrews wrote:
>
> I use Debian stable ONLY don't tell me to use the last-of-last clamav
> version or the las-of-last MS version.
>
> Translation: don't tell me how to fix it.

Was that sarcasm?

Steven, if you honestly think you are doing anyone a favor by running waaaay out-of-date software, then that's fine - seriously. Just don't expect any support from anyone here - go get your support from your distribution and/or package maintainer.

Holding onto the "I only install stable because that's what my linux distro supplies" logic, is like saying that because Ford don't send you new tyres for your car, you're not going to replace the bald ones ;)

Cheers,
James

From MailScanner at ecs.soton.ac.uk Sun Nov 9 14:35:17 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Nov 9 14:35:40 2008
Subject: Change Recipient
In-Reply-To: <073f600fca368c781a02927e78fd9b46.squirrel@www.kettle.org.uk>
References: <073f600fca368c781a02927e78fd9b46.squirrel@www.kettle.org.uk>
Message-ID: <4916F525.4000302@ecs.soton.ac.uk>

rob@kettle.org.uk wrote:
> Hi,
>
> sorry if this is a dumb question but I just can't think of the answer
> (maybe having a mental block today)....
>
> is there a way in Sendmail/Mailscanner/Mailwatch to change the recipient
> based on a rule ? ie. if mail is from fred@bloggs.com and to
> joe@mycompany.com can I change to recipient so that joe doesn't get the
> mail but bill@mycompany does instead ?
>

SpamAssassin Rule Actions could do this for you.

RULE_NAME=>not delete,forward joe@mycompany.com

or something similar, should do it.

> I need it to be rule based as most mail for joe needs to get through
> normally, it's only when it's from a certain sender that I want to change
> the recipient.
>
> Thanks in advance and apologies if I've overlooked the obvious.
>
> Rob
>
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

From shuttlebox at gmail.com Sun Nov 9 14:36:02 2008
From: shuttlebox at gmail.com (shuttlebox)
Date: Sun Nov 9 14:36:11 2008
Subject: Change Recipient
In-Reply-To: <073f600fca368c781a02927e78fd9b46.squirrel@www.kettle.org.uk>
References: <073f600fca368c781a02927e78fd9b46.squirrel@www.kettle.org.uk>
Message-ID: <625385e30811090636t379568i1a78e03c4b9724a0@mail.gmail.com>

On Sun, Nov 9, 2008 at 2:36 PM, wrote:
> Hi,
>
> sorry if this is a dumb question but I just can't think of the answer
> (maybe having a mental block today)....
>
> is there a way in Sendmail/Mailscanner/Mailwatch to change the recipient
> based on a rule ? ie. if mail is from fred@bloggs.com and to
> joe@mycompany.com can I change to recipient so that joe doesn't get the
> mail but bill@mycompany does instead ?
>
> I need it to be rule based as most mail for joe needs to get through
> normally, it's only when it's from a certain sender that I want to change
> the recipient.

Yes, you can, with rulesets. Make a ruleset for normal non-spam actions and make the default deliver. Add your "from and to" rule with a forward to bill. That means the original recipient will not get it since you don't have a deliver there.

If you want it to cover spam/high scoring spam as well you of course need to make rulesets for those too.

--
/peter

From samp at arial-concept.com Sun Nov 9 14:51:18 2008
From: samp at arial-concept.com (Sam Przyswa) Date: Sun Nov 9 14:51:37 2008 Subject: MS 4.55.10 and Clamscan 0.90 dosen't work In-Reply-To: <1964AAFBC212F742958F9275BF63DBB09077AA@winchester.andrewscompanies.com> References: <1226161442.8828.8.camel@arial-2> <1964AAFBC212F742958F9275BF63DBB09077A9@winchester.andrewscompanies.com> <30086C79-90EB-4F5E-99B7-2C8321E4FB96@gray.net.au> <1964AAFBC212F742958F9275BF63DBB09077AA@winchester.andrewscompanies.com> Message-ID: <1226242278.9789.19.camel@arial-2> Hi Steven, Le dimanche 09 novembre 2008 à 08:57 -0500, Steven Andrews a écrit : > Original poster was Sam. I've been wacked for using 4.3 centos (yummed) > as the base for my spamfilters, but never for not keeping MS and clamav > up to date! ;) > > I come from a windows world...we don't have this "stable" concept. All > updates supposedly help you achive "stable". That's ALL the difference who make that Windows is an UN-stable system :-) > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of James > Gray > Sent: Saturday, November 08, 2008 9:24 PM > To: MailScanner discussion > Subject: Re: MS 4.55.10 and Clamscan 0.90 dosen't work > > > On 09/11/2008, at 12:22 PM, Steven Andrews wrote: > > > > > I use Debian stable ONLY don't tell me to use the last-of-last clamav > > version or the last-of-last MS version. > > > > Translation: don't tell me how to fix it. > > Was that sarcasm? > > Steven, if you honestly think you are doing anyone a favor by running > waaaay out-of-date software, then that's fine - seriously. Just don't > expect any support from anyone here - go get your support from your > distribution and/or package maintainer. > > Holding onto the "I only install stable because that's what my linux > distro supplies" logic, is like saying that because Ford don't send you > new tyres for your car, you're not going to replace the bald ones ;) The problem is that when you are forced to upgrade an app to the latest up-to-date version, perhaps not very stable, you have to upgrade a lot of pieces of software (libs), sometimes not absolutely stable, which make the whole system unstable. That's all. I will try to upgrade ClamAV to the latest version compatible with MailScanner only if I don't have to upgrade to unstable libs. Thanks for the discussion. Sam. -- Sam Przyswa - Project Manager Email: samp@arial-concept.com Arial Concept - Internet Integrator 36, rue de Turin - 75008 - Paris - France Tel: 01 40 54 86 04 - Fax: 01 40 54 83 01 Private fax: 09 57 12 27 22 Skype ID: arial-concept Web: http://www.arial-concept.com -- This message has been checked by MailScanner for viruses or spam and nothing suspicious was found. For all your IT requirements visit: http://www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Sun Nov 9 21:19:29 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Nov 9 21:19:50 2008 Subject: MS 4.55.10 and Clamscan 0.90 dosen't work In-Reply-To: <1226242278.9789.19.camel@arial-2> References: <1226161442.8828.8.camel@arial-2> <1964AAFBC212F742958F9275BF63DBB09077A9@winchester.andrewscompanies.com> <30086C79-90EB-4F5E-99B7-2C8321E4FB96@gray.net.au> <1964AAFBC212F742958F9275BF63DBB09077AA@winchester.andrewscompanies.com> <1226242278.9789.19.camel@arial-2> Message-ID: <491753E1.3070606@ecs.soton.ac.uk> Sam Przyswa wrote: > The problem is that when you are forced to upgrade an app to the latest up-to-date > version, perhaps not very stable, you have to upgrade a lot of pieces of > software (libs), sometimes not absolutely stable, which make the whole system > unstable. That's all. > > I will try to upgrade ClamAV to the latest version compatible with > MailScanner only if I don't have to upgrade to unstable libs. > MailScanner hasn't used any new features in libraries for a long time now, so you shouldn't have to upgrade much at all. Upgrade the absolute minimum and see if you get away with it :-) I believe the same applies to ClamAV, but don't take that as gospel. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From samp at arial-concept.com Sun Nov 9 21:31:37 2008 
From: samp at arial-concept.com (Sam Przyswa) Date: Sun Nov 9 21:31:55 2008 Subject: MS 4.55.10 and Clamscan 0.90 dosen't work In-Reply-To: <491753E1.3070606@ecs.soton.ac.uk> References: <1226161442.8828.8.camel@arial-2> <1964AAFBC212F742958F9275BF63DBB09077A9@winchester.andrewscompanies.com> <30086C79-90EB-4F5E-99B7-2C8321E4FB96@gray.net.au> <1964AAFBC212F742958F9275BF63DBB09077AA@winchester.andrewscompanies.com> <1226242278.9789.19.camel@arial-2> <491753E1.3070606@ecs.soton.ac.uk> Message-ID: <1226266297.6933.5.camel@arial-2> On Sunday 9 November 2008 at 21:19 +0000, Julian Field wrote: > > Sam Przyswa wrote: > > The problem is that when you are forced to upgrade an app to the latest up-to-date > > version, perhaps not very stable, you have to upgrade a lot of pieces of > > software (libs), sometimes not absolutely stable, which make the whole system > > unstable. That's all. > > > > I will try to upgrade ClamAV to the latest version compatible with > > MailScanner only if I don't have to upgrade to unstable libs. > > > MailScanner hasn't used any new features in libraries for a long time > now, so you shouldn't have to upgrade much at all. Upgrade the absolute > minimum and see if you get away with it :-) > > I believe the same applies to ClamAV, but don't take that as gospel. 
There is the apt-get -s -t testing install clamav result: Remv g++-2.95 (1:2.95.4-27 Debian:4.0r5/stable) [libstdc++2.10-dev ] Remv libstdc++2.10-dev (1:2.95.4-27 Debian:4.0r5/stable) Remv g++ (4:4.3.2-2 Debian:testing) Remv g++-3.3 (1:3.3.6-15 Debian:4.0r5/stable) [libstdc++5-3.3-dev ] Remv libstdc++5-3.3-dev (1:3.3.6-15 Debian:4.0r5/stable) Remv libfreetype6-dev (2.3.7-2 Debian:testing) Remv xlibs-dev (4.3.0.dfsg.1-4 ) Remv libxmu-dev (2:1.0.4-1 Debian:testing) Remv libpng12-dev (1.2.27-2 Debian:testing) Remv libpng10-dev (1.0.15-4 ) Remv libxtrap-dev (2:1.0.0-5 Debian:testing) Remv libxmuu-dev (2:1.0.4-1 Debian:testing) Remv libxt-dev (1:1.0.5-3 Debian:testing) Remv libxtst-dev (2:1.0.3-1 Debian:testing) Remv libxp-dev (1:1.0.0.xsf1-2 Debian:testing) Remv xlibs-static-dev (1:7.1.0-19 Debian:4.0r5/stable) [libx11-dev ] Remv libxv-dev (2:1.0.4-1 Debian:testing) [libx11-dev ] Remv libxrandr-dev (2:1.2.3-1 Debian:testing) [libx11-dev ] Remv libxrender-dev (1:0.9.4-2 Debian:testing) [libx11-dev ] Remv libxpm-dev (1:3.5.7-1 Debian:testing) [libx11-dev ] Remv libx11-dev (2:1.1.5-2 Debian:testing) [libxi-dev ] Remv libxi-dev (2:1.1.3-1 Debian:testing) Remv zlib1g-dev (1:1.2.3.3.dfsg-12 Debian:testing) Remv libjpeg62-dev (6b-14 Debian:testing) Remv libsm-dev (2:1.0.3-2 Debian:testing) Remv libice-dev (2:1.0.4-1 Debian:testing) Remv libxext-dev (2:1.0.4-1 Debian:testing) Remv libncurses5-dev (5.6+20080830-1 Debian:testing) Remv libc6-dev (2.7-15 Debian:testing) Inst locales [2.3.6.ds1-4] (2.7-15 Debian:testing) [] Inst gcc-4.3-base (4.3.2-1 Debian:testing) [] Remv tzdata (2008h-2 Debian:testing) [libc6 ] Inst libc6 [2.3.6.ds1-4] (2.7-15 Debian:testing) Conf libc6 (2.7-15 Debian:testing) Inst libgcc1 [1:4.0.1-2] (1:4.3.2-1 Debian:testing) Conf gcc-4.3-base (4.3.2-1 Debian:testing) Conf libgcc1 (1:4.3.2-1 Debian:testing) Remv xbase-clients (1:7.3+18 Debian:testing) Inst libncurses5 [5.4-9] (5.6+20080830-1 Debian:testing) Conf libncurses5 (5.6+20080830-1 Debian:testing) Inst 
libstdc++5 [1:3.3.4-2] (1:3.3.6-18 Debian:testing) Conf libstdc++5 (1:3.3.6-18 Debian:testing) Inst libstdc++6 (4.3.2-1 Debian:testing) Inst binutils [2.14.90.0.5-0.2] (2.18.1~cvs20080103-7 Debian:testing) Inst libclamav5 (0.94.dfsg-1 Debian:testing) Inst clamav [0.90.1dfsg-4etch15] (0.94.dfsg-1 Debian:testing) Inst libmpfr1ldbl (2.3.1.dfsg.1-2 Debian:testing) Inst cpp-4.3 (4.3.2-1 Debian:testing) Inst cpp [3:3.3-2] (4:4.3.2-2 Debian:testing) Inst gcc-3.3 [1:3.3.4-2] (1:3.3.6-15 Debian:4.0r5/stable) [] Inst cpp-3.3 [1:3.3.4-2] (1:3.3.6-15 Debian:4.0r5/stable) [] Inst gcc-3.3-base [1:3.3.4-2] (1:3.3.6-15 Debian:4.0r5/stable) Inst libexpat1 [1.95.6-6] (2.0.1-4 Debian:testing) Inst libfreetype6 [2.1.7-2.1] (2.3.7-2 Debian:testing) Inst fontconfig [2.2.2-2] (2.6.0-1 Debian:testing) [] Inst fontconfig-config (2.6.0-1 Debian:testing) [] Inst libfontconfig1 [2.2.2-2] (2.6.0-1 Debian:testing) Inst libgomp1 (4.3.2-1 Debian:testing) Inst gcc-4.3 (4.3.2-1 Debian:testing) Inst gcc [3:3.3-2] (4:4.3.2-2 Debian:testing) Inst libfontenc1 (1:1.0.4-3 Debian:testing) Inst libfs6 (2:1.0.1-1 Debian:testing) Inst libjpeg62 [6b-8] (6b-14 Debian:testing) Inst libpng12-0 [1.2.8rel-1] (1.2.27-2 Debian:testing) Inst libpthread-stubs0 (0.1-2 Debian:testing) Inst libpthread-stubs0-dev (0.1-2 Debian:testing) Inst libx11-data (2:1.1.5-2 Debian:testing) Inst libxau6 (1:1.0.3-3 Debian:testing) Inst libxdmcp6 (1:1.0.2-3 Debian:testing) Inst libxcb1 (1.1-1.1 Debian:testing) Inst libxcb-xlib0 (1.1-1.1 Debian:testing) Inst libxfont1 (1:1.3.3-1 Debian:testing) Inst libxinerama1 (2:1.0.3-2 Debian:testing) Inst libxkbfile1 (1:1.0.5-1 Debian:testing) Inst libxp6 [4.3.0.dfsg.1-4] (1:1.0.0.xsf1-2 Debian:testing) Inst libxrender1 [0.8.3-7] (1:0.9.4-2 Debian:testing) Inst libxrandr2 [4.3.0.dfsg.1-4] (2:1.2.3-1 Debian:testing) Inst libxxf86misc1 (1:1.0.1-3 Debian:testing) Inst libxxf86vm1 (1:1.0.2-1 Debian:testing) Inst xinit (1.0.9-2 Debian:testing) Conf mailscanner (4.68.8-1 Debian:testing) Conf locales 
(2.7-15 Debian:testing) Conf libstdc++6 (4.3.2-1 Debian:testing) Conf binutils (2.18.1~cvs20080103-7 Debian:testing) Conf libclamav5 (0.94.dfsg-1 Debian:testing) Conf clamav (0.94.dfsg-1 Debian:testing) Conf libmpfr1ldbl (2.3.1.dfsg.1-2 Debian:testing) Conf cpp-4.3 (4.3.2-1 Debian:testing) Conf cpp (4:4.3.2-2 Debian:testing) Conf gcc-3.3-base (1:3.3.6-15 Debian:4.0r5/stable) Conf cpp-3.3 (1:3.3.6-15 Debian:4.0r5/stable) Conf gcc-3.3 (1:3.3.6-15 Debian:4.0r5/stable) Conf libexpat1 (2.0.1-4 Debian:testing) Conf libfreetype6 (2.3.7-2 Debian:testing) Conf fontconfig-config (2.6.0-1 Debian:testing) Conf libfontconfig1 (2.6.0-1 Debian:testing) Conf fontconfig (2.6.0-1 Debian:testing) Conf libgomp1 (4.3.2-1 Debian:testing) Conf gcc-4.3 (4.3.2-1 Debian:testing) Conf gcc (4:4.3.2-2 Debian:testing) Conf libfontenc1 (1:1.0.4-3 Debian:testing) Conf libfs6 (2:1.0.1-1 Debian:testing) Conf libjpeg62 (6b-14 Debian:testing) Conf libpng12-0 (1.2.27-2 Debian:testing) Conf libpthread-stubs0 (0.1-2 Debian:testing) Conf libpthread-stubs0-dev (0.1-2 Debian:testing) Conf libx11-data (2:1.1.5-2 Debian:testing) Conf libxau6 (1:1.0.3-3 Debian:testing) Conf libxdmcp6 (1:1.0.2-3 Debian:testing) Conf libxcb1 (1.1-1.1 Debian:testing) Conf libxcb-xlib0 (1.1-1.1 Debian:testing) Conf libxfont1 (1:1.3.3-1 Debian:testing) Conf libxinerama1 (2:1.0.3-2 Debian:testing) Conf libxkbfile1 (1:1.0.5-1 Debian:testing) Conf libxp6 (1:1.0.0.xsf1-2 Debian:testing) Conf libxrender1 (1:0.9.4-2 Debian:testing) Conf libxrandr2 (2:1.2.3-1 Debian:testing) Conf libxxf86misc1 (1:1.0.1-3 Debian:testing) Conf libxxf86vm1 (1:1.0.2-1 Debian:testing) Conf xinit (1.0.9-2 Debian:testing) Just to upgrade to clamav 0.94 Sam. 
-- Sam Przyswa - Project Manager Email: samp@arial-concept.com Arial Concept - Internet Integrator 36, rue de Turin - 75008 - Paris - France Tel: 01 40 54 86 04 - Fax: 01 40 54 83 01 Private fax: 09 57 12 27 22 Skype ID: arial-concept Web: http://www.arial-concept.com -- This message has been checked by MailScanner for viruses or spam and nothing suspicious was found. For all your IT requirements visit: http://www.transtec.co.uk From rob at kettle.org.uk Sun Nov 9 22:07:23 2008 
From: rob at kettle.org.uk (Rob Kettle) Date: Sun Nov 9 22:07:40 2008 Subject: Change Recipient In-Reply-To: <625385e30811090636t379568i1a78e03c4b9724a0@mail.gmail.com> References: <073f600fca368c781a02927e78fd9b46.squirrel@www.kettle.org.uk> <625385e30811090636t379568i1a78e03c4b9724a0@mail.gmail.com> Message-ID: <49175F1B.3040903@kettle.org.uk> shuttlebox wrote: > On Sun, Nov 9, 2008 at 2:36 PM, wrote: > >> Hi, >> >> sorry if this is a dumb question but I just can't think of the answer >> (maybe having a mental block today).... >> >> is there a way in Sendmail/Mailscanner/Mailwatch to change the recipient >> based on a rule ? ie. if mail is from fred@bloggs.com and to >> joe@mycompany.com can I change to recipient so that joe doesn't get the >> mail but bill@mycompany does instead ? >> >> I need it to be rule based as most mail for joe needs to get through >> normally, it's only when it's from a certain sender that I want to change >> the recipient. >> > > Yes, you can, with rulesets. > > Make a ruleset for normal non-spam actions and make the default > deliver. Add your "from and to" rule with a forward to bill. That > means the original recipient will not get it since you don't have a > deliver there. > > If you want it to cover spam/high scoring spam as well you of course > need to make rulesets for those too. > > Hi, thanks to Shuttlebox and Julian for your replies. They got me on the right track and I think I've now got it working how I need it to. thanks again Rob -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From jeroen at intuxicated.org Sun Nov 9 22:38:47 2008 
From: jeroen at intuxicated.org (Jeroen Koekkoek) Date: Sun Nov 9 22:39:50 2008 Subject: MS 4.55.10 and Clamscan 0.90 dosen't work In-Reply-To: <1226266297.6933.5.camel@arial-2> References: <1226161442.8828.8.camel@arial-2> <1964AAFBC212F742958F9275BF63DBB09077A9@winchester.andrewscompanies.com> <30086C79-90EB-4F5E-99B7-2C8321E4FB96@gray.net.au> <1964AAFBC212F742958F9275BF63DBB09077AA@winchester.andrewscompanies.com> <1226242278.9789.19.camel@arial-2> <491753E1.3070606@ecs.soton.ac.uk> <1226266297.6933.5.camel@arial-2> Message-ID: <000001c942bb$edf31c20$c9d95460$@org> Hi Sam, You should try the volatile repository. http://www.debian.org/volatile/. Regards, Jeroen Koekkoek From root at doctor.nl2k.ab.ca Mon Nov 10 01:23:44 2008 
From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem) Date: Mon Nov 10 01:26:48 2008 Subject: anti-M$ and personalisation Message-ID: <20081110012344.GB6332@doctor.nl2k.ab.ca> 1) Is thiere a way for users to personalise MailScanner. 2) Apart from anti-word, is there an anti-excel , anti-powerpoint and/or anti-rtf we can attach? -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From james at gray.net.au Sun Nov 9 23:12:08 2008 
From: james at gray.net.au (James Gray) Date: Mon Nov 10 02:22:45 2008 Subject: ** SPAM ** [ 5.1/5] Re: MS 4.55.10 and Clamscan 0.90 dosen't work In-Reply-To: <1226266297.6933.5.camel@arial-2> References: <1226161442.8828.8.camel@arial-2> <1964AAFBC212F742958F9275BF63DBB09077A9@winchester.andrewscompanies.com> <30086C79-90EB-4F5E-99B7-2C8321E4FB96@gray.net.au> <1964AAFBC212F742958F9275BF63DBB09077AA@winchester.andrewscompanies.com> <1226242278.9789.19.camel@arial-2> <491753E1.3070606@ecs.soton.ac.uk> <1226266297.6933.5.camel@arial-2> Message-ID: <39CB2AC1-6ADC-4D35-9852-C8472AFCBA6B@gray.net.au> Our MailScanner believes that the attachment to this message sent to you From: james@gray.net.au Subject: Re: MS 4.55.10 and Clamscan 0.90 dosen't work is Unsolicited Commercial Email (spam). Unless you are sure that this message is incorrectly thought to be spam, please delete this message without opening it. Opening spam messages might allow the spammer to verify your email address. If you believe that this message has been incorrectly marked as spam, please forward this email to postmaster@gray.net.au. Date: 20081110

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.7 TO_INFO                To: info address (lower spam threshold)
 0.0 DATE_IN_PAST_03_06     Date: is 3 to 6 hours before Received: date
 1.9 BODY_GAPPY_TEXT        BODY: Body contains g.a.p.p.y t-e-x-t, e_t_c
 4.0 URI_NUM_ONLY           URI: Link that only has numbers - probably spam
-2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                            [score: 0.0000]

-------------- next part -------------- An embedded message was scrubbed... From: James Gray Subject: Re: MS 4.55.10 and Clamscan 0.90 dosen't work Date: Mon, 10 Nov 2008 10:12:08 +1100 Size: 6628 Url: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081110/88402b17/attachment.mht From alex at rtpty.com Mon Nov 10 07:06:48 2008 
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Mon Nov 10 07:07:06 2008 Subject: anti-M$ and personalisation In-Reply-To: <20081110012344.GB6332@doctor.nl2k.ab.ca> References: <20081110012344.GB6332@doctor.nl2k.ab.ca> Message-ID: <30767E04-8F37-4CC2-AC0F-4A49B5153949@rtpty.com> Define "personalise" beyond the use of rulesets for every option... And have you googled around a bit? I found http://sourceforge.net/projects/antiexcel/ ... but for "anti powerpoint" I just found a bunch of sites about bad slides... :D On Nov 9, 2008, at 8:23 PM, Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem wrote: > 1) Is thiere a way for users to personalise MailScanner. > > 2) Apart from anti-word, is there an anti-excel , anti-powerpoint > and/or anti-rtf we can attach? From neilw at dcdata.co.za Mon Nov 10 08:12:31 2008 
From: neilw at dcdata.co.za (Neil Wilson) Date: Mon Nov 10 08:17:04 2008 Subject: error when starting MS Message-ID: <4917ECEF.502@dcdata.co.za> Hi all, I'm sure the answer for this is quite a simple one, but I've tried a number of solutions that I've found on the lists as well as on google and none of them seemed to have worked so far. I'm getting the following error when trying to start MailScanner, I started getting this error after an upgrade from MailScanner-4.48.4 to MailScanner-4.72.5-1 Starting MailScanner...Can't locate Filesys/Df.pm in @INC (@INC contains: /opt/MailScanner/lib /usr/lib/perl5/5.8.6/i486-linux /usr/lib/perl5/5.8.6 /usr/lib/perl5/site_perl/5.8.6/i486-linux /usr/lib/perl5/site_perl/5.8.6 /usr/lib/perl5/site_perl . /opt/MailScanner/lib) at /opt/MailScanner/bin/MailScanner line 67. BEGIN failed--compilation aborted at /opt/MailScanner/bin/MailScanner line 67. I'm running perl version v5.8.6 and slackware 10.2. I have tried re-installing the perl module Filesys-Df from the perl-tar folder, as well as from cpan without any luck. A locate finds Df under /usr/lib/perl5/site_perl/5.8.6/i486-linux/auto/Filesys/Df so not quite sure why it "can't be found" Any help will be greatly appreciated. Thanks. Regards. Neil. This email and all contents are subject to the following disclaimer: http://www.dcdata.co.za/emaildisclaimer.html From jethro.binks at strath.ac.uk Mon Nov 10 09:41:26 2008 
From: jethro.binks at strath.ac.uk (Jethro R Binks) Date: Mon Nov 10 09:41:35 2008 Subject: Change Recipient In-Reply-To: <49175F1B.3040903@kettle.org.uk> References: <073f600fca368c781a02927e78fd9b46.squirrel@www.kettle.org.uk> <625385e30811090636t379568i1a78e03c4b9724a0@mail.gmail.com> <49175F1B.3040903@kettle.org.uk> Message-ID: On Sun, 9 Nov 2008, Rob Kettle wrote: > > > is there a way in Sendmail/Mailscanner/Mailwatch to change the > > > recipient based on a rule ? ie. if mail is from fred@bloggs.com > > > and to joe@mycompany.com can I change to recipient so that joe > > > doesn't get the mail but bill@mycompany does instead ? > > > > > > I need it to be rule based as most mail for joe needs to get through > > > normally, it's only when it's from a certain sender that I want to > > > change the recipient. > > thanks to Shuttlebox and Julian for your replies. They got me on the right > track and I think I've now got it working how I need it to. Your email address ends in .uk. You should ensure you are legally entitled to do what you want to do. Jethro. -- . . . . . . . . . . . . . . . . . . . . . . . . . Jethro R Binks Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK From root at doctor.nl2k.ab.ca Mon Nov 10 13:22:12 2008 
From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem) Date: Mon Nov 10 13:22:54 2008 Subject: anti-M$ and personalisation In-Reply-To: <30767E04-8F37-4CC2-AC0F-4A49B5153949@rtpty.com> References: <20081110012344.GB6332@doctor.nl2k.ab.ca> <30767E04-8F37-4CC2-AC0F-4A49B5153949@rtpty.com> Message-ID: <20081110132212.GA5163@doctor.nl2k.ab.ca> On Mon, Nov 10, 2008 at 02:06:48AM -0500, Alex Neuman van der Hans wrote: > Define "personalise" beyond the use of rulesets for every option... > Exactly what I meant! In this case, I want a personalised MAilScanner to remove all HTML and convert to text. > And have you googled around a bit? I found > > http://sourceforge.net/projects/antiexcel/ Can we add to MAilScanner. > > ... but for "anti powerpoint" I just found a bunch of sites about bad > slides... :D LOL > > On Nov 9, 2008, at 8:23 PM, Dave Shariff Yadallee - System Administrator > a.k.a. The Root of the Problem wrote: > >> 1) Is thiere a way for users to personalise MailScanner. >> >> 2) Apart from anti-word, is there an anti-excel , anti-powerpoint >> and/or anti-rtf we can attach? > And kindly do not top-post. This must be eradicated from e-mail. This is worst habit out ever. If you M$ products, remove and replace!! Other set your E-amil client to civilised moethod. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From jethro.binks at strath.ac.uk Mon Nov 10 13:53:38 2008 
From: jethro.binks at strath.ac.uk (Jethro R Binks) Date: Mon Nov 10 13:53:47 2008 Subject: anti-M$ and personalisation In-Reply-To: <20081110132212.GA5163@doctor.nl2k.ab.ca> References: <20081110012344.GB6332@doctor.nl2k.ab.ca> <30767E04-8F37-4CC2-AC0F-4A49B5153949@rtpty.com> <20081110132212.GA5163@doctor.nl2k.ab.ca> Message-ID: On Mon, 10 Nov 2008, Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem wrote: > And kindly do not top-post. This must be eradicated from e-mail. > > This is worst habit out ever. > > If you M$ products, remove and replace!! > > Other set your E-amil client to civilised moethod. My head hurts. -- . . . . . . . . . . . . . . . . . . . . . . . . . Jethro R Binks Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK From MailScanner at ecs.soton.ac.uk Mon Nov 10 14:30:07 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Nov 10 14:30:28 2008 Subject: Study shows how spammers cash in Message-ID: <4918456F.1030308@ecs.soton.ac.uk> Well done Quentin for finding this one today on the BBC: http://news.bbc.co.uk/1/hi/technology/7719281.stm Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mhw at WittsEnd.com Mon Nov 10 14:47:27 2008 
From: mhw at WittsEnd.com (Michael H. Warfield) Date: Mon Nov 10 14:47:46 2008 Subject: Clamav 0.94.1 released In-Reply-To: <4911F231.3070502@ecs.soton.ac.uk> References: <490F512D.60900@maddoc.net> <4911F231.3070502@ecs.soton.ac.uk> Message-ID: <1226328447.7855.150.camel@canyon.wittsend.com> On Wed, 2008-11-05 at 19:21 +0000, Julian Field wrote: > Just done it. Thanks for the info. Good deal. They just announced that 0.94.1 fixes a potential remote execution vulnerability in ClamAV due to an off-by-one heap buffer overflow error. All prior versions vulnerable. Time to upgrade! http://secunia.com/Advisories/32663/ http://lists.grok.org.uk/pipermail/full-disclosure/2008-November/065530.html > Doc Schneider wrote: > > So Jules can add this to his CLAM-SA tarball. > > > > > > Jules > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > PGP public key: http://www.jules.fm/julesfm.asc Mike -- Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw@WittsEnd.com /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it! -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 307 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081110/1b8ab250/attachment.bin From t.d.lee at durham.ac.uk Mon Nov 10 15:27:05 2008 
From: t.d.lee at durham.ac.uk (David Lee) Date: Mon Nov 10 15:27:38 2008 Subject: MS/perl segfaults Message-ID: Julian: Over the years MailScanner has served us extremely well, and we continue to rely on it and be thankful for your work on it. But I'm currently clearing a backlog of 66,000+ emails from the weekend. Occasionally (perhaps once a year) we get a particular class of problem (and from skim-reading the list I believe others see this also), namely, that a message, or messages, will arrive which cause MailScanner (more likely one of its perl modules) to segfault. A (quote) shouldn't happen (unquote) thing that, nevertheless, occasionally does happen. We've just had such an incident over the weekend. And there were enough such messages (about 100) to cause all the child MS processes (20) to segfault on most occasions that they processed a batch (30). The net result is that our inbound queue grew, and very little trickled through, because the MS processes segfaulted, re-tried, segfaulted, retried, ... (The failure of one message in the batch causes the whole batch to be delayed until the next child attempt; and the chances are that new batch will also suffer a segfault.) As I say, such instances are rare, but they do happen. And when they happen they can hit hard. For this particular instance, I'd be happy to send you (offlist?) details, including sample messages, "MailScanner -V", OS etc. (Let me know.) But that still leaves a general problem of MS (+/ modules) being susceptible to emails (possibly malformed HTML spams) that can cause this behaviour. So a suggestion for a _general_ fix against general segfaults (to allow the other emails not to become "collateral damage"). ====begin==== When an MS child starts processing a batch, for each email temporarily put its id (e.g. sendmail "df/qf" number) into a small "being processed" database (e.g. a trivial db/dbm). When the child finishes the batch, remove those ids of the batch from that database. 
So for a system of 'c' children and batch-size 'b', the maximum number of entries at any time in that database will be 'c*b': rarely more than a few hundred, and so trivial for a db/dbm thing. (And if the inbound mqueue is empty, the database should correspondingly be empty.) Now here's the crucial detail: When the child starts its batch it also quickly checks that those ids are not already present in the database. (In normal use, they would never be present, as MS's existing mechanisms already ensure that a child takes a batch from beginning right through to completion.) If it DOES find that id, this indicates that something has badly gone wrong (e.g. previous child segfaulted, so didn't remove ids in this batch from the database). Many of those ids, of course, will be innocent: they will be there because another email (id) in an earlier batch had failed. To counter that, the database could also store a timestamp. On finding such an email, a child would skip that id if it was relatively young (e.g. less than 10 minutes since last timestamp), or process it _on its own_ if relatively old (e.g. older than ten minutes). That way, the innocent email would only be held up for a short period (e.g. ten minutes). (There are probably some cleverer things that could be done (and additional things that ought to be done), but at this stage I'm simply trying to outline the general idea.) ====end==== How does that sound? Naturally I would be happy to assist beta-testing if you wish. -- : David Lee I.T. Service : : Senior Systems Programmer Computer Centre : : UNIX Team Leader Durham University : : South Road : : http://www.dur.ac.uk/t.d.lee/ Durham DH1 3LE : : Phone: +44 191 334 2752 U.K. : From jethro.binks at strath.ac.uk Mon Nov 10 15:42:37 2008 
From: jethro.binks at strath.ac.uk (Jethro R Binks) Date: Mon Nov 10 15:42:46 2008 Subject: MS/perl segfaults In-Reply-To: References: Message-ID: On Mon, 10 Nov 2008, David Lee wrote: > We've just had such an incident over the weekend. And there were enough > such messages (about 100) to cause all the child MS processes (20) to > segfault on most occasions that they processed a batch (30). The net > result is that our inbound queue grew, and very little trickled through, > because the MS processes segfaulted, re-tried, segfaulted, retried, ... ... Having been bitten by similar problems from time to time, I lately wrote a rule for SEC which watches the syslogs from MailScanner, and should trigger if it sees a message id coming around again and again, which some people may find useful:

type=singlewiththreshold
ptype=regexp
pattern=(\S+)\s+MailScanner\[\d+\]: Message (\S+) from
desc=Mailscanner $1 MSGID $2
window=240
thresh=10
action=write /logs/net/secwatch %t | MailScanner repeated Message id $2 on $1

The window and threshold numbers probably need tweaking; I'm waiting for the next occurrence of the problem to fine-tune the rule. Jethro. -- . . . . . . . . . . . . . . . . . . . . . . . . . Jethro R Binks Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK From Denis.Beauchemin at USherbrooke.ca Mon Nov 10 15:47:24 2008 
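Added example (not part of Jethro's post, and not SEC or MailScanner code): the same window/threshold check written in Python, so the numbers can be tried against saved syslog before the next incident. The log lines, host name and message ids are constructed, the year is an assumption because syslog timestamps carry none, and the logic approximates SEC's SingleWithThreshold behaviour rather than reproducing it exactly.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Same regular expression and numbers as the SEC rule in the post above.
PATTERN = re.compile(r"(\S+)\s+MailScanner\[\d+\]: Message (\S+) from")
WINDOW = 240           # seconds
THRESH = 10            # matches per (host, message id) inside one window
ASSUMED_YEAR = "2008"  # assumption: classic syslog timestamps have no year


def parse_time(line):
    """Parse the 15-character syslog timestamp at the start of a line."""
    return datetime.strptime(ASSUMED_YEAR + " " + line[:15], "%Y %b %d %H:%M:%S")


def repeated_ids(lines, window=WINDOW, thresh=THRESH):
    """Return (time, host, msgid) for each key seen `thresh` times within
    `window` seconds. After an alert the key stays quiet until the window
    that triggered it has run out, so one loop does not flood the output."""
    recent = defaultdict(deque)   # key -> timestamps still inside the window
    quiet_until = {}              # key -> end of the window that alerted
    alerts = []
    for line in lines:
        m = PATTERN.search(line)
        if not m:
            continue
        key = (m.group(1), m.group(2))      # (host, message id), as in desc=
        now = parse_time(line)
        if key in quiet_until:
            if now < quiet_until[key]:
                continue
            del quiet_until[key]
        times = recent[key]
        times.append(now)
        # Slide the window: forget sightings that are too old to count.
        while (now - times[0]).total_seconds() >= window:
            times.popleft()
        if len(times) >= thresh:
            alerts.append((now.strftime("%H:%M:%S"), key[0], key[1]))
            quiet_until[key] = times[0] + timedelta(seconds=window)
            times.clear()
    return alerts


def constructed_log():
    """Constructed sample: one id retried every 15 s, one id repeating
    slowly (every 5 min), and ordinary ids that are each seen once."""
    base = datetime(2008, 11, 10, 9, 0, 0)
    lines = ["Nov 10 09:00:00 mx1 MailScanner[2000]: New Batch: Scanning 30 messages, 81234 bytes"]

    def emit(offset, msgid, pid):
        ts = (base + timedelta(seconds=offset)).strftime("%b %d %H:%M:%S")
        lines.append(f"{ts} mx1 MailScanner[{pid}]: Message {msgid} "
                     "from 192.0.2.10 (sender@example.org) to example.com is not spam")

    for i in range(12):
        emit(i * 15, "mAA9000a000001", 2000 + i)       # the looping message
        emit(i * 15 + 1, f"mAA9000b{i:06d}", 2000 + i)  # normal traffic
    for i in range(10):
        emit(200 + i * 300, "mAA9000c000001", 3000 + i)  # slow repeats only
    return sorted(lines)   # same day, so text order is time order


if __name__ == "__main__":
    for when, host, msgid in repeated_ids(constructed_log()):
        print(f"{when} MailScanner repeated Message id {msgid} on {host}")
```

Feeding it real log lines with different `window` and `thresh` values shows how many alerts a past incident would have produced and whether slow, legitimate re-queues stay below the threshold.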
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Mon Nov 10 15:47:45 2008 Subject: MS/perl segfaults In-Reply-To: References: Message-ID: <4918578C.3040201@USherbrooke.ca> David Lee wrote: > > Julian: Over the years MailScanner has served us extremely well, and > we continue to rely on it and be thankful for your work on it. > > But I'm currently clearing a backlog of 66,000+ emails from the weekend. > > > Occasionally (perhaps once a year) we get a particular class of > problem (and from skim-reading the list I believe others see this > also), namely, that a message, or messages, will arrive which cause > MailScanner (more likely one of its perl modules) to segfault. A > (quote) shouldn't happen (unquote) thing that, nevertheless, > occasionally does happen. > > We've just had such an incident over the weekend. And there were > enough such messages (about 100) to cause all the child MS processes > (20) to segfault on most occasions that they processed a batch (30). > The net result is that our inbound queue grew, and very little > trickled through, because the MS processes segfaulted, re-tried, > segfaulted, retried, ... > > (The failure of one message in the batch causes the whole batch to be > delayed until the next child attempt; and the chances are that new > batch will also suffer a segfault.) > > As I say, such instances are rare, but they do happen. And when they > happen they can hit hard. > > For this particular instance, I'd be happy to send you (offlist?) > details, including sample messages, "MailScanner -V", OS etc. (Let me > know.) > > But that still leaves a general problem of MS (+/ modules) being > susceptible to emails (possibly malformed HTML spams) that can cause > this behaviour. > > So a suggestion for a _general_ fix against general segfaults (to > allow the other emails not to become "collateral damage"). > > > ====begin==== > > When an MS child starts processing a batch, for each email temporarily > put its id (e.g. 
sendmail "df/qf" number) into a small "being > processed" database (e.g. a trivial db/dbm). > > When the child finishes the batch, remove those ids of the batch from > that database. > > So for a system of 'c' children and batch-size 'b', the maximum number > of entries at any time in that database will be 'c*b': rarely more > than a few hundred, and so trivial for a db/dbm thing. (And if the > inbound mqueue is empty, the database should correspondingly be empty.) > > Now here's the crucial detail: When the child starts its batch it > also quickly checks that those ids are not already present in the > database. (In normal use, they would never be present, as MS's > existing mechanisms already ensure that a child takes a batch from > beginning right through to completion.) > > If it DOES find that id, this indicates that something has badly gone > wrong (e.g. previous child segfaulted, so didn't remove ids in this > batch from the database). Many of those ids, of course, will be > innocent: they will be there because another email (id) in an earlier > batch had failed. > > To counter that, the database could also store a timestamp. On > finding such an email, a child would skip that id if it was relatively > young (e.g. less than 10 minutes since last timestamp), or process it > _on its own_ if relatively old (e.g. older than ten minutes). That > way, the innocent email would only be held up for a short period (e.g. > ten minutes). > > (There are probably some cleverer things that could be done (and > additional things that ought to be done), but at this stage I'm simply > trying to outline the general idea.) > > ====end==== > > How does that sound? > > Naturally I would be happy to assist beta-testing if you wish. > > I've never been bitten by that problem in the past but I nonetheless like this idea. Denis -- _ °v° Denis Beauchemin, analyste /(_)\ Université de Sherbrooke, S.T.I. 
^ ^ T: 819.821.8000x62252 F: 819.821.8045 From brose at med.wayne.edu Mon Nov 10 16:08:50 2008 From: brose at med.wayne.edu (Rose, Bobby) Date: Mon Nov 10 16:09:13 2008 Subject: all virus scanners reporting found virus In-Reply-To: <491457CA.9080002@ecs.soton.ac.uk> References: <00df01c94008$3bbb3390$b3319ab0$@co.uk> <4912FCFD.2010309@ecs.soton.ac.uk> <49140F2A.1040800@ecs.soton.ac.uk> <49145277.8020302@ecs.soton.ac.uk> <491457CA.9080002@ecs.soton.ac.uk> Message-ID: Julian, this patched SweepVirus.pm took care of the issue. It now logs the scanner name in the logs even when the configs are to not include the scanner name in the email reports which is what I was looking for. Thanks -=B -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: Friday, November 07, 2008 9:59 AM To: MailScanner discussion Subject: Re: all virus scanners reporting found virus Try the attached SweepViruses.pm, it should now always log it, even if it won't include it in reports. Julian Field wrote: > Yes, thought it might fix it. It logs the same text that goes in the > reports, intentionally. Do you want me to break it so it always logs > the scanner name, even if it doesn't report it? > > Rose, Bobby wrote: >> Yep. Setting Include Scanner Name In Reports = yes is now logging >> the scanner name. >> >> >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of >> Rose, Bobby >> Sent: Friday, November 07, 2008 7:16 AM >> To: MailScanner discussion >> Subject: RE: all virus scanners reporting found virus >> >> It's set to no, but it always has been. I'll set it to yes to see if >> it makes a difference. I only noticed the logging problem when my >> stats script wasn't reporting that info after the upgrade. And I >> thought it odd that mine was broke but Paul Houselander's seemed to >> be working. >> >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of >> Julian Field >> Sent: Friday, November 07, 2008 4:50 AM >> To: MailScanner discussion >> Subject: Re: all virus scanners reporting found virus >> >> Can you just confirm you have >> Include Scanner Name In Reports = yes in your MailScanner.conf? >> >> If so, I can't see why you wouldn't get the right output. It's only a >> logging problem. >> >> Rose, Bobby wrote: >> >>> I've noticed something different related to the AV logging. I'm >>> using clamd and since I updated to 4.72.5, then ::INFECTED:: entry >>> is missing Clamd ref. Before, even though I was using Clamd, it was >>> reporting as ClamAVModule. >>> >>> For example, with 4.71.10, I'd see >>> Nov 5 13:58:22 eeyore MailScanner[20251]: >>> ClamAVModule::INFECTED:: Sanesecurity.Hdr.8338.UNOFFICIAL FOUND :: >>> ./mA5IveLi001260/ >>> After the upgrade to 4.72.5, I see >>> Nov 5 14:13:49 eeyore MailScanner[8199]: ::INFECTED:: >>> Phishing.Heuristics.Email.SpoofedDomain :: ./mA5JDfbU009742/ I've >>> replaced my SweepViruses.pm with the one you posted and it didn't >>> change anything. Also, I see the same thing on both of my inbound >>> mail routers. I still see log entries like this so it is using >>> clamd and getting the infected status code back from it. >>> >>> Nov 5 14:13:48 eeyore MailScanner[8199]: Virus Scanning: Clamd >>> found 1 infections >>> >>> Any ideas? >>> -=Bobby >>> >>> >>> -----Original Message----- 
>>> From: mailscanner-bounces@lists.mailscanner.info >>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of >>> Julian Field >>> Sent: Thursday, November 06, 2008 9:20 AM >>> To: MailScanner discussion >>> Subject: Re: all virus scanners reporting found virus >>> >>> Please try the attached SweepViruses.pm file with the latest release >>> of MailScanner. >>> Hopefully this will fix the problem. It's actually just a reporting >>> bug. >>> >>> Jules. >>> >>> Paul Houselander (SME) wrote: >>> >>>> Hi >>>> >>>> I'm using MailScanner version 4.72.5 with clamd, f-prot and >>>> kaspersky >>>> >>>> I'm using the sanesecurity clam sigs as well. >>>> >>>> I've just noticed that when Clamd finds an infection the other >>>> virus scanners also say they found an infection even though they >>>> didn't >>>> >>>> Nov 6 12:02:19 tokyo MailScanner[27046]: New Batch: Scanning 1 >>>> messages, 1269 bytes >>>> >>>> Nov 6 12:02:19 tokyo MailScanner[27046]: SpamAssassin cache hit for >>>> message mA6C2Gie027792 >>>> >>>> Nov 6 12:02:19 tokyo MailScanner[27046]: Spam Checks: Found 1 spam >>>> messages >>>> >>>> Nov 6 12:02:19 tokyo MailScanner[27046]: Virus and Content Scanning: >>>> Starting >>>> >>>> Nov 6 12:02:19 tokyo MailScanner[27046]: Clamd::INFECTED:: >>>> Sanesecurity.Hdr.8232.UNOFFICIAL :: ./mA6C2Gie027792/ >>>> >>>> Nov 6 12:02:19 tokyo MailScanner[27046]: Virus Scanning: Clamd >>>> found 2 infections >>>> >>>> Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: F-Prot6 >>>> found >>>> 2 infections >>>> >>>> Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: Kaspersky >>>> found 2 infections >>>> >>>> Nov 6 12:02:21 tokyo MailScanner[27046]: Infected message >>>> mA6C2Gie027792 came from 79.139.143.136 >>>> >>>> Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: Found 2 >>>> viruses >>>> >>>> Is this expected behavior? 
I've only recently upgraded (and also >>>> only just started using clamd, I used to use clamavmodule) so not >>>> sure if it's always done it or since the upgrade. >>>> >>>> Cheers >>>> >>>> Paul >>>> >>>> >>> Jules >>> >>> -- >>> Julian Field MEng CITP CEng >>> www.MailScanner.info >>> Buy the MailScanner book at www.MailScanner.info/store >>> >>> Need help customising MailScanner? >>> Contact me! >>> Need help fixing or optimising your systems? >>> Contact me! >>> Need help getting you started solving new requirements from your boss? >>> Contact me! >>> >>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >>> >>> >>> -- >>> This message has been scanned for viruses and dangerous content by >>> MailScanner, and is believed to be clean. >>> >>> >>> >> >> Jules >> >> > > Jules > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From jonas at vrt.dk Mon Nov 10 16:24:42 2008 
From: jonas at vrt.dk (Jonas Akrouh Larsen) Date: Mon Nov 10 16:24:56 2008 Subject: MS/perl segfaults In-Reply-To: References: Message-ID: <00d301c94350$d67ed210$837c7630$@dk> In short, I have seen this 2 times in about 1½ year, so while I agree that it is rare, I also agree that it has an extremely unfortunate impact. So I think finding a solution to not having MS "segfault loop" would be a great addition. Just my 5$. Med venlig hilsen / Best regards Jonas Akrouh Larsen TechBiz ApS Laplandsgade 4, 2. sal 2300 København S Office: 7020 0979 Direct: 3336 9974 Mobile: 5120 1096 Fax: 7020 0978 Web: www.techbiz.dk From MailScanner at ecs.soton.ac.uk Mon Nov 10 17:11:03 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Nov 10 17:11:24 2008 Subject: MS/perl segfaults In-Reply-To: References: Message-ID: <49186B27.2060809@ecs.soton.ac.uk> One immediate thought: the only reproducible instance of this problem was caused by the HTML parser, and I wrote a solution to that in a recent release, it's in the Change Log. But yes, your idea is a possibility, now that I'm using SQLite. Doing it with a dbm file is not really practical due to high contention for the exclusive write locks on the file. SQLite may be able to do it rather better. There are quite a few routes that lead to a message leaving a batch, and I would have to catch all of those, time for a quick code review of a few chunks I think. If a message is more than 20 minutes old and still in the database, then we do a batch containing only 1 message, and log it. If we find a message more than 30 minutes old, then we log it and ignore it. How many ways could this process go wrong? All existing exclusion-locks would still apply, so if a message was more than 20 minutes old and is being re-tried and is still locked, that lock still applies. What are the failure modes of this scheme? I refuse to believe there aren't any. We need to cover as many of them as possible and come up with remedies for them. Jules. David Lee wrote: > > Julian: Over the years MailScanner has served us extremely well, and > we continue to rely on it and be thankful for your work on it. > > But I'm currently clearing a backlog of 66,000+ emails from the weekend. > > > Occasionally (perhaps once a year) we get a particular class of > problem (and from skim-reading the list I believe others see this > also), namely, that a message, or messages, will arrive which cause > MailScanner (more likely one of its perl modules) to segfault. A > (quote) shouldn't happen (unquote) thing that, nevertheless, > occasionally does happen. > > We've just had such an incident over the weekend. 
And there were > enough such messages (about 100) to cause all the child MS processes > (20) to segfault on most occasions that they processed a batch (30). > The net result is that our inbound queue grew, and very little > trickled through, because the MS processes segfaulted, re-tried, > segfaulted, retried, ... > > (The failure of one message in the batch causes the whole batch to be > delayed until the next child attempt; and the chances are that new > batch will also suffer a segfault.) > > As I say, such instances are rare, but they do happen. And when they > happen they can hit hard. > > For this particular instance, I'd be happy to send you (offlist?) > details, including sample messages, "MailScanner -V", OS etc. (Let me > know.) > > But that still leaves a general problem of MS (+/ modules) being > susceptible to emails (possibly malformed HTML spams) that can cause > this behaviour. > > So a suggestion for a _general_ fix against general segfaults (to > allow the other emails not to become "collateral damage"). > > > ====begin==== > > When an MS child starts processing a batch, for each email temporarily > put its id (e.g. sendmail "df/qf" number) into a small "being > processed" database (e.g. a trivial db/dbm). > > When the child finishes the batch, remove those ids of the batch from > that database. > > So for a system of 'c' children and batch-size 'b', the maximum number > of entries at any time in that database will be 'c*b': rarely more > than a few hundred, and so trivial for a db/dbm thing. (And if the > inbound mqueue is empty, the database should correspondingly be empty.) > > Now here's the crucial detail: When the child starts its batch it > also quickly checks that those ids are not already present in the > database. (In normal use, they would never be present, as MS's > existing mechanisms already ensure that a child takes a batch from > beginning right through to completion.) 
> > If it DOES find that id, this indicates that something has badly gone > wrong (e.g. previous child segfaulted, so didn't remove ids in this > batch from the database). Many of those ids, of course, will be > innocent: they will be there because another email (id) in an earlier > batch had failed. > > To counter that, the database could also store a timestamp. On > finding such an email, a child would skip that id if it was relatively > young (e.g. less than 10 minutes since last timestamp), or process it > _on its own_ if relatively old (e.g. older than ten minutes). That > way, the innocent email would only be held up for a short period (e.g. > ten minutes). > > (There are probably some cleverer things that could be done (and > additional things that ought to be done), but at this stage I'm simply > trying to outline the general idea.) > > ====end==== > > How does that sound? > > Naturally I would be happy to assist beta-testing if you wish. > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From simonmjones at gmail.com Mon Nov 10 17:15:01 2008 
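Added example (not MailScanner code and not from either post): a sketch of the "being processed" table David Lee proposes, kept in SQLite as Julian suggests and using his 20-minute and 30-minute figures. The table layout, function names and queue ids are assumptions made for illustration, and the caller is assumed to hold MailScanner's existing per-message locks on every id it passes in.

```python
import sqlite3
import time

SOLO_AFTER = 20 * 60     # Julian's figure: older than this, batch of one
IGNORE_AFTER = 30 * 60   # Julian's figure: older than this, log and ignore


def open_tracker(path=":memory:"):
    """Open (or create) the in-flight table. Autocommit mode, so the
    transaction boundaries below are the explicit BEGIN/COMMIT only."""
    db = sqlite3.connect(path, isolation_level=None, timeout=10)
    db.execute("CREATE TABLE IF NOT EXISTS inflight ("
               "msgid TEXT PRIMARY KEY, first_seen REAL NOT NULL)")
    return db


def plan_batch(db, candidate_ids, now=None):
    """Classify the ids a child is about to take and record the new ones.

    Returns (batch, solo, skipped, ignored):
      batch   - not seen before; recorded now and processed together
      solo    - left behind by a dead child more than 20 minutes ago;
                process each one in a batch of its own, and log it
      skipped - left behind recently; leave it for a later pass
      ignored - still present after 30 minutes; log it and leave it alone
    """
    now = time.time() if now is None else now
    batch, solo, skipped, ignored = [], [], [], []
    # BEGIN IMMEDIATE takes the write lock up front, so two children cannot
    # both decide that the same id is new.
    db.execute("BEGIN IMMEDIATE")
    try:
        for msgid in candidate_ids:
            row = db.execute("SELECT first_seen FROM inflight WHERE msgid = ?",
                             (msgid,)).fetchone()
            if row is None:
                db.execute("INSERT INTO inflight VALUES (?, ?)", (msgid, now))
                batch.append(msgid)
                continue
            age = now - row[0]
            if age > IGNORE_AFTER:
                ignored.append(msgid)
            elif age > SOLO_AFTER:
                solo.append(msgid)
            else:
                skipped.append(msgid)
        db.execute("COMMIT")
    except Exception:
        db.execute("ROLLBACK")
        raise
    return batch, solo, skipped, ignored


def finish(db, msgids):
    """Call on every route by which a message leaves a batch."""
    db.executemany("DELETE FROM inflight WHERE msgid = ?",
                   [(m,) for m in msgids])


def inflight_ids(db):
    """Ids currently recorded; empty when nothing has been left behind."""
    return [r[0] for r in db.execute("SELECT msgid FROM inflight ORDER BY msgid")]


if __name__ == "__main__":
    db = open_tracker()
    print(plan_batch(db, ["A", "B", "C"], now=0))          # child then dies
    print(plan_batch(db, ["A", "B", "C", "D"], now=300))   # only D is new
    finish(db, ["D"])
    print(plan_batch(db, ["A", "B", "C"], now=21 * 60))    # retried one by one
    finish(db, ["A", "C"])                                 # B crashed again
    print(plan_batch(db, ["B"], now=32 * 60))              # B is now ignored
```

Two of the failure modes Julian asks about show up directly in this sketch: an id is never deleted if any exit route forgets to call `finish`, and an ignored message stays in the table and in the queue until something else deals with it.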
From: simonmjones at gmail.com (Simon Jones) Date: Mon Nov 10 17:15:10 2008 Subject: domain not scanned Message-ID: <70572c510811100915vc203310q7aabc2eb89abb3a0@mail.gmail.com> Hi all, fresh pair of eyes could be the solution but i'm struggling at the mo. i have a domain that seems to be being excluded from the spam scan - virus scanning is OK though. i've check /etc/MailScanner/scan.messages.rules and its not listed in there. the recipient and transport tables are good - what else could cause this? all other domains are being scanned and everything's working fine. cheers Si From maxsec at gmail.com Mon Nov 10 17:42:48 2008 From: maxsec at gmail.com (Martin Hepworth) Date: Mon Nov 10 17:42:57 2008 Subject: domain not scanned In-Reply-To: <70572c510811100915vc203310q7aabc2eb89abb3a0@mail.gmail.com> References: <70572c510811100915vc203310q7aabc2eb89abb3a0@mail.gmail.com> Message-ID: <72cf361e0811100942v236448a9xbc68225e884610b5@mail.gmail.com> 2008/11/10 Simon Jones : > Hi all, fresh pair of eyes could be the solution but i'm struggling at the mo. > > i have a domain that seems to be being excluded from the spam scan - > virus scanning is OK though. i've check > /etc/MailScanner/scan.messages.rules and its not listed in there. the > recipient and transport tables are good - what else could cause this? > all other domains are being scanned and everything's working fine. > > cheers > > Si > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > whitelisted in the SA config? Are you putting all SA scores etc in all emails so can see what's going on? -- Martin Hepworth Oxford, UK From MailScanner at ecs.soton.ac.uk Mon Nov 10 17:54:13 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Nov 10 17:54:34 2008 Subject: domain not scanned In-Reply-To: <70572c510811100915vc203310q7aabc2eb89abb3a0@mail.gmail.com> References: <70572c510811100915vc203310q7aabc2eb89abb3a0@mail.gmail.com> Message-ID: <49187545.4010307@ecs.soton.ac.uk> You can do a "MailScanner --help" which will show you how you can test your rules for their email address and IP address, to make sure your rules are working how you think they are. Simon Jones wrote: > Hi all, fresh pair of eyes could be the solution but i'm struggling at the mo. > > i have a domain that seems to be being excluded from the spam scan - > virus scanning is OK though. i've check > /etc/MailScanner/scan.messages.rules and its not listed in there. the > recipient and transport tables are good - what else could cause this? > all other domains are being scanned and everything's working fine. > > cheers > > Si > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From symon at symcar.com Mon Nov 10 18:23:44 2008 
From: symon at symcar.com (Symon Chalk) Date: Mon Nov 10 18:23:54 2008 Subject: Bug in SweepOther.pm? In-Reply-To: <4911F393.8020707@ecs.soton.ac.uk> References: <4911F393.8020707@ecs.soton.ac.uk> Message-ID: On Wed, Nov 5, 2008 at 7:27 PM, Julian Field wrote: > > > Your fix is not okay. You will have broken your filename.rules.conf >> filename rules. Check your rule for the double-extension trapping and see if >> you have deleted or added a bracket by mistake. Or else the 2 new rules >> above that which mention days of the week or months of the year. I suspect >> someone added the 2 new rules there, and didn't get it quite right when they >> were copying them into your customised filename.rules.conf. >> > > Jules Here are those rules in the active filename.rules.conf:

# Allow days of the week and months in doc names, e.g. blah.wed.doc
allow \.(mon|tue|wed|thu|fri|sat|sun)\.[a-z0-9]{3}$ - -
allow \.(jan|feb|mar|apr|may|jun|june|jul|july|aug|sep|sept|oct|nov|dec)\.[a-z0-9]{3}$ - -

# Deny all other double file extensions. This catches any hidden filenames.
deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding Attempt to hide real filename extension

The only changes to that file that have been made are to remove the OE length checking (the site is Mac-only and that rule interferes with legitimate mail) and to add an allow for .svn files. Symon. From hvdkooij at vanderkooij.org Mon Nov 10 19:08:51 2008 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Mon Nov 10 19:09:02 2008 Subject: MS/perl segfaults In-Reply-To: <49186B27.2060809@ecs.soton.ac.uk> References: <49186B27.2060809@ecs.soton.ac.uk> Message-ID: <491886C3.4050504@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Julian Field wrote: > One immediate thought: the only reproducible instance of this problem > was caused by the HTML parser, and I wrote a solution to that in a > recent release, it's in the Change Log. > > But yes, your idea is a possibility, now that I'm using SQLite. Doing it > with a dbm file is not really practical due to high contention for the > exclusive write locks on the file. SQLite may be able to do it rather > better. > > There are quite a few routes that lead to a message leaving a batch, and > I would have to catch all of those, time for a quick code review of a > few chunks I think. > > If a message is more than 20 minutes old and still in the database, then > we do a batch containing only 1 message, and log it. If we find a > message more than 30 minutes old, then we log it and ignore it. > > How many ways could this process go wrong? All existing exclusion-locks > would still apply, so if a message was more than 20 minutes old and is > being re-tried and is still locked, that lock still applies. > > What are the failure modes of this scheme? I refuse to believe there > aren't any. We need to cover as many of them as possible and come up > with remedies for them. I think you need these timers configurable. Not every installation can reliably parse messages within 20 minutes. But beyond that little point it sounds like a good scheme. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. 
Nid wyf yn y swyddfa ar hyn o bryd. Anfonwch unrhyw waith i'w gyfieithu. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFJGIbBBvzDRVjxmYERAhbgAJwL0X2tc4JGvTAu7xVtdGDWaAoouwCgqF4Z flKSdmTcCZqTttnGGSs1CO0= =o3X8 -----END PGP SIGNATURE----- From lists at tippingmar.com Mon Nov 10 19:40:26 2008 From: lists at tippingmar.com (Mark Nienberg) Date: Mon Nov 10 19:40:44 2008 Subject: Sanesecurity sigs Message-ID: <49188E2A.1030609@tippingmar.com> I've started testing a little bit with the Sanesecurity signatures for clamav. The download script I am using from the sanesecurity site actually downloads all 4 databases from sanesecurity plus 2 more from MSRBL. Although I haven't methodically parsed the mail logs to be sure, my first impression is that these hit on many messages, but only a subset of messages already identified as spam by spamassassin. So far I haven't found a message that triggered sanesecurity but did not score at least my minimum of 5.5 on SA. Also, since a hit classifies as virus, rather than a contribution to a SA score, a false positive means nondelivery of the message, which is more serious than a false positive on a single SA rule. So I guess my questions are: Does the use of all these extra databases really improve overall spam detection? Would it make more sense to just use some of the databases? Which ones? Are there ever false positives? How often should I run the update process? Thanks, Mark Nienberg From MailScanner at ecs.soton.ac.uk Mon Nov 10 20:42:48 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Nov 10 20:43:08 2008 Subject: Sanesecurity sigs In-Reply-To: <49188E2A.1030609@tippingmar.com> References: <49188E2A.1030609@tippingmar.com> Message-ID: <49189CC8.5060707@ecs.soton.ac.uk> Mark Nienberg wrote: > I've started testing a little bit with the Sanesecurity signatures for > clamav. > > The download script I am using from the sanesecurity site actually > downloads all 4 databases from sanesecurity plus 2 more from MSRBL. > Although I haven't methodically parsed the mail logs to be sure, my > first impression is that these hit on many messages, but only a subset > of messages already identified as spam by spamassassin. So far I > haven't found a message that triggered sanesecurity but did not score > at least my minimum of 5.5 on SA. > > Also, since a hit classifies as virus, rather than a contribution to a > SA score, a false positive means nondelivery of the message, which is > more serious than a false positive on a single SA rule. > > So I guess my questions are: > In my view: > Does the use of all these extra databases really improve overall spam > detection? Yes. > Would it make more sense to just use some of the databases? Which ones? No, just use the lot. > Are there ever false positives? Never had any complaints of any. They rely on scanning the whole message with ClamAV, so make sure you've got that option set in MailScanner.conf (look for "Whole Message"). > How often should I run the update process? I run it every hour. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From J.Ede at birchenallhowden.co.uk Mon Nov 10 21:02:27 2008 From: J.Ede at birchenallhowden.co.uk (Jason Ede) Date: Mon Nov 10 21:02:44 2008 Subject: MS/perl segfaults In-Reply-To: <49186B27.2060809@ecs.soton.ac.uk> References: <49186B27.2060809@ecs.soton.ac.uk> Message-ID: <4CAB0118AEC63A4FAAE77E6BCBDF760C7939968CD2@server02.bhl.local> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Julian Field > Sent: 10 November 2008 17:11 > To: MailScanner discussion > Subject: Re: MS/perl segfaults > > One immediate thought: the only reproducible instance of this problem > was caused by the HTML parser, and I wrote a solution to that in a > recent release, it's in the Change Log. > > But yes, your idea is a possibility, now that I'm using SQLite. Doing > it > with a dbm file is not really practical due to high contention for the > exclusive write locks on the file. SQLite may be able to do it rather > better. > > There are quite a few routes that lead to a message leaving a batch, > and > I would have to catch all of those, time for a quick code review of a > few chunks I think. > > If a message is more than 20 minutes old and still in the database, > then > we do a batch containing only 1 message, and log it. If we find a > message more than 30 minutes old, then we log it and ignore it. > > How many ways could this process go wrong? All existing exclusion-locks > would still apply, so if a message was more than 20 minutes old and is > being re-tried and is still locked, that lock still applies. > > What are the failure modes of this scheme? I refuse to believe there > aren't any. We need to cover as many of them as possible and come up > with remedies for them. > > Jules. It would also be nice if it was configurable to send an email to the admin either periodically (such as daily) or when it first detected that a mail was over 30 mins old and to be ignored... I just found a batch of 10 emails this weekend that had the font bug in and an upgrade of MailScanner sorted them all out and sent them on their way either to recipients or eventual oblivion. Jason From r.berber at computer.org Mon Nov 10 22:33:54 2008 
From: r.berber at computer.org (René Berber)
Date: Mon Nov 10 22:34:09 2008
Subject: Sanesecurity sigs
In-Reply-To: <49188E2A.1030609@tippingmar.com>
References: <49188E2A.1030609@tippingmar.com>
Message-ID:

Mark Nienberg wrote:
[snip]
> So I guess my questions are:
>
> Does the use of all these extra databases really improve overall spam
> detection?

Yes, plus they have a faster response time to new spam, plus it is not only spam that they catch (each database specializes in something).

> Would it make more sense to just use some of the databases? Which ones?

Depends on your objectives, needs, and you are better off if you read about what each database does.

> Are there ever false positives?

Yes. You should report those and, as I said, the response time is really fast.

> How often should I run the update process?

As said in http://www.sanesecurity.co.uk/clamav/usage.htm : no more than hourly. Once a day checking is what I use.

--
René Berber

From alex at rtpty.com Tue Nov 11 01:11:13 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Tue Nov 11 01:11:27 2008
Subject: anti-M$ and personalisation
In-Reply-To: <20081110132212.GA5163@doctor.nl2k.ab.ca>
References: <20081110012344.GB6332@doctor.nl2k.ab.ca> <30767E04-8F37-4CC2-AC0F-4A49B5153949@rtpty.com> <20081110132212.GA5163@doctor.nl2k.ab.ca>
Message-ID: <3EB63F9C-3123-4AED-82B7-547FB804C86E@rtpty.com>

On Nov 10, 2008, at 8:22 AM, Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem wrote:

> On Mon, Nov 10, 2008 at 02:06:48AM -0500, Alex Neuman van der Hans
> wrote:
>> Define "personalise" beyond the use of rulesets for every option...
>>
>
> Exactly what I meant!

... but did not elaborate on. What you meant was not conveyed in an unambiguous manner.

>
>
> In this case, I want a personalised MAilScanner to remove all HTML
> and convert
> to text.

You can do it (mostly) with the included options.

>
>
>> And have you googled around a bit? I found
>>
>> http://sourceforge.net/projects/antiexcel/
>
> Can we add to MAilScanner.

Sure. You can...

1. Wait for someone to add it,
2. Add it yourself,
3. Pay for someone to add it.

>
>
>>
>> ... but for "anti powerpoint" I just found a bunch of sites about bad
>> slides... :D
>
> LOL
>
>>
>> On Nov 9, 2008, at 8:23 PM, Dave Shariff Yadallee - System
>> Administrator
>> a.k.a. The Root of the Problem wrote:
>>
>>> 1) Is thiere a way for users to personalise MailScanner.
>>>
>>> 2) Apart from anti-word, is there an anti-excel , anti-powerpoint
>>> and/or anti-rtf we can attach?
>>
>
> And kindly do not top-post. This must be eradicated from e-mail.

And so must bad grammar, spelling and punctuation. You don't see *me* complaining! :D

>
>
> This is worst habit out ever.

That's subjective. I, for one, find top-posting not as bad compared to ambiguous and incomplete writing, not googling around before "asking" the list, "requests" that sound like "orders" or "complaints", people who are not tolerant of other people's cultures, and the Dutch ;-)

>
>
> If you M$ products, remove and replace!!

You seem to be missing a verb here and there. Not too bad, but it distracts from whatever point it is you're trying to make.

>
>
> Other set your E-amil client to civilised moethod.

Yeah. Maybe I could get an e-mail client with a built-in spell checker. ;-)

>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From simonmjones at gmail.com Tue Nov 11 11:13:54 2008
From: simonmjones at gmail.com (Simon Jones)
Date: Tue Nov 11 11:14:03 2008
Subject: domain not scanned
In-Reply-To: <70572c510811110115l6cd3f82bq90481e7b3f250359@mail.gmail.com>
References: <70572c510811100915vc203310q7aabc2eb89abb3a0@mail.gmail.com> <72cf361e0811100942v236448a9xbc68225e884610b5@mail.gmail.com> <70572c510811110115l6cd3f82bq90481e7b3f250359@mail.gmail.com>
Message-ID: <70572c510811110313y16f754ccy9a17bd52d111bc48@mail.gmail.com>

2008/11/11 Simon Jones :
> 2008/11/10 Martin Hepworth :
>> 2008/11/10 Simon Jones :
>>> Hi all, fresh pair of eyes could be the solution but i'm struggling at the mo.
>>>
>>> i have a domain that seems to be being excluded from the spam scan -
>>> virus scanning is OK though. i've check
>>> /etc/MailScanner/scan.messages.rules and its not listed in there. the
>>> recipient and transport tables are good - what else could cause this?
>>> all other domains are being scanned and everything's working fine.
>>>
>>> cheers
>>>
>>> Si
>>> --
>>> MailScanner mailing list
>>> mailscanner@lists.mailscanner.info
>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>
>>> Before posting, read http://wiki.mailscanner.info/posting
>>>
>>> Support MailScanner development - buy the book off the website!
>>>
>>
>> whitelisted in the SA config? Are you putting all SA scores etc in all
>> emails so can see what's going on?
>>
>> --
>> Martin Hepworth
>> Oxford, UK
>> --
>

Morning chaps,

a bit more info - this was working OK and domain has been successfully scanned for a number of months but it stopped scanning over the weekend. It's a distributed setup (3 servers + db) and it appears that all servers are dropping the domain from the scan. S/A scores are zero on all scans, there's nothing whitelisted that I can see, I run MailWatch and the messages for this domain are all classed as clean. The only time i've seen this before is when the domain is listed in the /etc/MailScanner/rules/scan.messages.rules file - it is not listed in this case though.

MailScanner --to @tbanda.co.uk or to MailScanner --to user@tbanda.co.uk doesn't return anything at all on any of the nodes. It seems to be affecting this domain globally but for no apparent reason, all others are OK though. Domains are stored in a mysql db as are transport maps and users, postfix reads from the (separate) db without any problems.

I can't see anything in maillog of relevance and a spamassassin -D --lint doesn't show any problems, anywhere else i can look?

cheers,

Si

From maxsec at gmail.com Tue Nov 11 11:35:21 2008
From: maxsec at gmail.com (Martin Hepworth) Date: Tue Nov 11 11:35:31 2008 Subject: domain not scanned In-Reply-To: <70572c510811110313y16f754ccy9a17bd52d111bc48@mail.gmail.com> References: <70572c510811100915vc203310q7aabc2eb89abb3a0@mail.gmail.com> <72cf361e0811100942v236448a9xbc68225e884610b5@mail.gmail.com> <70572c510811110115l6cd3f82bq90481e7b3f250359@mail.gmail.com> <70572c510811110313y16f754ccy9a17bd52d111bc48@mail.gmail.com> Message-ID: <72cf361e0811110335p12683a25v578d7224ecc7c767@mail.gmail.com> 2008/11/11 Simon Jones : > 2008/11/11 Simon Jones : >> 2008/11/10 Martin Hepworth : >>> 2008/11/10 Simon Jones : >>>> Hi all, fresh pair of eyes could be the solution but i'm struggling at the mo. >>>> >>>> i have a domain that seems to be being excluded from the spam scan - >>>> virus scanning is OK though. i've check >>>> /etc/MailScanner/scan.messages.rules and its not listed in there. the >>>> recipient and transport tables are good - what else could cause this? >>>> all other domains are being scanned and everything's working fine. >>>> >>>> cheers >>>> >>>> Si >>>> -- >>>> MailScanner mailing list >>>> mailscanner@lists.mailscanner.info >>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>>> >>>> Before posting, read http://wiki.mailscanner.info/posting >>>> >>>> Support MailScanner development - buy the book off the website! >>>> >>> >>> whitelisted in the SA config? Are you putting all SA scores etc in all >>> emails so can see what's going on? >>> >>> -- >>> Martin Hepworth >>> Oxford, UK >>> -- >> > Morning chaps, > > a bit more info - this was working OK and domain has been successfully > scanned for a number of months but it stopped scanning over the > weekend. Its a distributed setup (3 servers + db) and it appears that > all servers are dropping the domain from the scan. S/A scores are > zero on all scans, there's nothing whitelisted that I can see, I run > MailWatch and the messages for this domain are all classed as clean. 
> The only time i've seen this before is when the domain is listed in
> the /etc/MailScanner/rules/scan.messages.rules file - it is not listed
> in this case though.
>
> MailScanner --to @tbanda.co.uk or to MailScanner --to
> user@tbanda.co.uk doesn't return anything at all on any of the nodes.
> It seems to be affecting this domain globally but for no apparent
> reason, all others are OK though.
> Domains are stored in a mysql db as are transport maps and users,
> postfix reads from the (seperate) db without any problems.
>
> I can't see anything in maillog of relevance and a spamassassin -D
> --lint doesn't show any problems, anywhere else i can look?
>
> cheers,
>
> Si
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

Simon

Ok so you're definitely getting MS headers in the emails that aren't scanned, and you're seeing a zero score in the headers (not just mailwatch)??

I presume you have these set in MailScanner.conf so you can see what's happening?

Always Include SpamAssassin Report = yes
Spam Score Number Format = yes
SpamScore Number Instead Of Stars = yes

any timeouts in the logs for these emails?

have you tried running a sample set in debug mode?

--
Martin Hepworth
Oxford, UK

From simonmjones at gmail.com Tue Nov 11 12:01:48 2008
From: simonmjones at gmail.com (Simon Jones) Date: Tue Nov 11 12:01:57 2008 Subject: domain not scanned In-Reply-To: <72cf361e0811110335p12683a25v578d7224ecc7c767@mail.gmail.com> References: <70572c510811100915vc203310q7aabc2eb89abb3a0@mail.gmail.com> <72cf361e0811100942v236448a9xbc68225e884610b5@mail.gmail.com> <70572c510811110115l6cd3f82bq90481e7b3f250359@mail.gmail.com> <70572c510811110313y16f754ccy9a17bd52d111bc48@mail.gmail.com> <72cf361e0811110335p12683a25v578d7224ecc7c767@mail.gmail.com> Message-ID: <70572c510811110401p7422bd8aj2fa1495356510416@mail.gmail.com> 2008/11/11 Martin Hepworth : > 2008/11/11 Simon Jones : >> 2008/11/11 Simon Jones : >>> 2008/11/10 Martin Hepworth : >>>> 2008/11/10 Simon Jones : >>>>> Hi all, fresh pair of eyes could be the solution but i'm struggling at the mo. >>>>> >>>>> i have a domain that seems to be being excluded from the spam scan - >>>>> virus scanning is OK though. i've check >>>>> /etc/MailScanner/scan.messages.rules and its not listed in there. the >>>>> recipient and transport tables are good - what else could cause this? >>>>> all other domains are being scanned and everything's working fine. >>>>> >>>>> cheers >>>>> >>>>> Si >>>>> -- >>>>> MailScanner mailing list >>>>> mailscanner@lists.mailscanner.info >>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>>>> >>>>> Before posting, read http://wiki.mailscanner.info/posting >>>>> >>>>> Support MailScanner development - buy the book off the website! >>>>> >>>> >>>> whitelisted in the SA config? Are you putting all SA scores etc in all >>>> emails so can see what's going on? >>>> >>>> -- >>>> Martin Hepworth >>>> Oxford, UK >>>> -- >>> >> Morning chaps, >> >> a bit more info - this was working OK and domain has been successfully >> scanned for a number of months but it stopped scanning over the >> weekend. Its a distributed setup (3 servers + db) and it appears that >> all servers are dropping the domain from the scan. 
S/A scores are >> zero on all scans, there's nothing whitelisted that I can see, I run >> MailWatch and the messages for this domain are all classed as clean. >> The only time i've seen this before is when the domain is listed in >> the /etc/MailScanner/rules/scan.messages.rules file - it is not listed >> in this case though. >> >> MailScanner --to @tbanda.co.uk or to MailScanner --to >> user@tbanda.co.uk doesn't return anything at all on any of the nodes. >> It seems to be affecting this domain globally but for no apparent >> reason, all others are OK though. >> Domains are stored in a mysql db as are transport maps and users, >> postfix reads from the (seperate) db without any problems. >> >> I can't see anything in maillog of relevance and a spamassassin -D >> --lint doesn't show any problems, anywhere else i can look? >> >> cheers, >> >> Si >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> > > Simon > > Ok so you're definitely getting MS headers in the emails that aren't > scanned, and you're seeing a zero score in the headers (not just > mailwatch)?? > > I presume you have these set in MailScanner.conf so you can see what's > happening? > > Always Include SpamAssassin Report = yes > Spam Score Number Format = yes > SpamScore Number Instead Of Stars = yes > > any timeouts in the logs for these emails? > > have you tried running a sample set in debug mode? 
>
> --
> Martin Hepworth
> Oxford, UK
> --

Hi Martin,

just a zero score, here's an example from maillog;

cat /var/log/maillog | grep 1B6906814F1.E8158
Nov 11 11:39:47 mailgate1 MailScanner[12279]: Requeue: 1B6906814F1.E8158 to D27525C0302
Nov 11 11:39:47 mailgate1 MailScanner[12279]: Logging message 1B6906814F1.E8158 to SQL
Nov 11 11:39:47 mailgate1 MailScanner[11926]: 1B6906814F1.E8158: Logged to MailWatch SQL

[root@server postfix]# cat /var/log/maillog | grep D27525C0302
Nov 11 11:39:47 mailgate1 MailScanner[12279]: Requeue: 1B6906814F1.E8158 to D27525C0302
Nov 11 11:39:47 mailgate1 postfix/qmgr[11829]: D27525C0302: from=, size=2566, nrcpt=1 (queue active)
Nov 11 11:39:47 mailgate1 postfix/smtp[11872]: D27525C0302: to=, relay=xx.xx.xx.xx[xx.xx.xx.xx]:25, delay=23, delays=23/0/0/0, dsn=2.0.0, status=sent (250 Message queued)
Nov 11 11:39:47 mailgate1 postfix/qmgr[11829]: D27525C0302: removed

you can see it gets passed from mailscanner to the postfix queue manager before being sent which I guess is all normal.

Always include.. was set to "no" so I changed this to "yes", the others look ok with the spam score number being %d

No time-outs that I can see, I haven't really done anything in debug other than stop the service then restart in debug but everything looked OK, the fact that this only appears to affect one domain (there are about 300 on the system) is the strange part. Could it be something in SpamAssassin's cache? I've checked user configured black/white lists and that looks OK, 3 whitelist entries and 50 or so blacklists, nothing abnormal though. Where can I find the docs for "running a sample set in debug mode?"

Simon

From MailScanner at ecs.soton.ac.uk Tue Nov 11 12:19:24 2008
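[Added example, not part of the thread and not MailScanner or MailWatch code: the two greps in the message above done in one pass, following the "Requeue:" line from the MailScanner message ID to the Postfix queue ID (or back) and collecting every log line for either. The sample log is constructed from the excerpt above with placeholder addresses, and treating a MailScanner line containing "spam" as evidence of a spam check is an assumption, not a documented log format.]

```python
import re

# Constructed sample modelled on the maillog excerpt in the thread: wrapped
# lines are joined and the stripped addresses replaced with placeholders.
SAMPLE_LOG = """\
Nov 11 11:39:47 mailgate1 MailScanner[12279]: Requeue: 1B6906814F1.E8158 to D27525C0302
Nov 11 11:39:47 mailgate1 MailScanner[12279]: Logging message 1B6906814F1.E8158 to SQL
Nov 11 11:39:47 mailgate1 MailScanner[11926]: 1B6906814F1.E8158: Logged to MailWatch SQL
Nov 11 11:39:47 mailgate1 postfix/qmgr[11829]: D27525C0302: from=<sender@example.com>, size=2566, nrcpt=1 (queue active)
Nov 11 11:39:47 mailgate1 postfix/smtp[11872]: D27525C0302: to=<user@example.org>, relay=xx.xx.xx.xx[xx.xx.xx.xx]:25, delay=23, delays=23/0/0/0, dsn=2.0.0, status=sent (250 Message queued)
Nov 11 11:39:47 mailgate1 postfix/qmgr[11829]: D27525C0302: removed
Nov 11 11:39:48 mailgate1 postfix/qmgr[11829]: A1B2C3D4E5F: removed
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"(?P<prog>[^\s\[]+)\[(?P<pid>\d+)\]:\s(?P<msg>.*)$"
)
REQUEUE_RE = re.compile(r"\bRequeue: (?P<old>\S+) to (?P<new>\S+)")


def parse(log_text):
    """Return one dict per well-formed syslog line; anything else is skipped."""
    matches = map(SYSLOG_RE.match, log_text.splitlines())
    return [m.groupdict() for m in matches if m]


def mentions(msg, queue_id):
    """True if queue_id occurs in msg as a whole token, not as a substring."""
    pattern = r"(?<![\w.])" + re.escape(queue_id) + r"(?![\w.])"
    return re.search(pattern, msg) is not None


def trace(log_text, start_id):
    """Collect every log event for start_id and the IDs it was requeued to/from."""
    events = parse(log_text)
    ids = [start_id]
    grew = True
    while grew:  # follow Requeue links in both directions until stable
        grew = False
        for ev in events:
            m = REQUEUE_RE.search(ev["msg"])
            if not m:
                continue
            for known, other in ((m["old"], m["new"]), (m["new"], m["old"])):
                if known in ids and other not in ids:
                    ids.append(other)
                    grew = True
    hits = [ev for ev in events if any(mentions(ev["msg"], i) for i in ids)]

    status = delay = None
    for ev in hits:
        if ev["prog"].startswith("postfix/"):
            s = re.search(r"\bstatus=(\w+)", ev["msg"])
            d = re.search(r"\bdelay=([\d.]+)", ev["msg"])
            status = s[1] if s else status
            delay = float(d[1]) if d else delay

    # Assumption: a spam check, if logged at all, mentions "spam" in the line.
    spam_lines = [
        ev["msg"] for ev in hits
        if ev["prog"] == "MailScanner" and "spam" in ev["msg"].lower()
    ]
    return {
        "ids": ids,
        "events": hits,
        "status": status,
        "delay_seconds": delay,
        "spam_lines": spam_lines,
    }


if __name__ == "__main__":
    result = trace(SAMPLE_LOG, "1B6906814F1.E8158")
    print("IDs followed:", " -> ".join(result["ids"]))
    for ev in result["events"]:
        print(f'{ev["ts"]} {ev["prog"]}[{ev["pid"]}]: {ev["msg"]}')
    print("delivery status:", result["status"], "delay:", result["delay_seconds"])
    if not result["spam_lines"]:
        print("no spam-related MailScanner line logged for this message")
```
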
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Nov 11 12:19:44 2008 Subject: domain not scanned In-Reply-To: <70572c510811110401p7422bd8aj2fa1495356510416@mail.gmail.com> References: <70572c510811100915vc203310q7aabc2eb89abb3a0@mail.gmail.com> <72cf361e0811100942v236448a9xbc68225e884610b5@mail.gmail.com> <70572c510811110115l6cd3f82bq90481e7b3f250359@mail.gmail.com> <70572c510811110313y16f754ccy9a17bd52d111bc48@mail.gmail.com> <72cf361e0811110335p12683a25v578d7224ecc7c767@mail.gmail.com> <70572c510811110401p7422bd8aj2fa1495356510416@mail.gmail.com> Message-ID: <4919784C.6010700@ecs.soton.ac.uk> Simon Jones wrote: > 2008/11/11 Martin Hepworth : > >> 2008/11/11 Simon Jones : >> >>> 2008/11/11 Simon Jones : >>> >>>> 2008/11/10 Martin Hepworth : >>>> >>>>> 2008/11/10 Simon Jones : >>>>> >>>>>> Hi all, fresh pair of eyes could be the solution but i'm struggling at the mo. >>>>>> >>>>>> i have a domain that seems to be being excluded from the spam scan - >>>>>> virus scanning is OK though. i've check >>>>>> /etc/MailScanner/scan.messages.rules and its not listed in there. the >>>>>> recipient and transport tables are good - what else could cause this? >>>>>> all other domains are being scanned and everything's working fine. >>>>>> >>>>>> cheers >>>>>> >>>>>> Si >>>>>> -- >>>>>> MailScanner mailing list >>>>>> mailscanner@lists.mailscanner.info >>>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>>>>> >>>>>> Before posting, read http://wiki.mailscanner.info/posting >>>>>> >>>>>> Support MailScanner development - buy the book off the website! >>>>>> >>>>>> >>>>> whitelisted in the SA config? Are you putting all SA scores etc in all >>>>> emails so can see what's going on? >>>>> >>>>> -- >>>>> Martin Hepworth >>>>> Oxford, UK >>>>> -- >>>>> >>> Morning chaps, >>> >>> a bit more info - this was working OK and domain has been successfully >>> scanned for a number of months but it stopped scanning over the >>> weekend. 
Its a distributed setup (3 servers + db) and it appears that >>> all servers are dropping the domain from the scan. S/A scores are >>> zero on all scans, there's nothing whitelisted that I can see, I run >>> MailWatch and the messages for this domain are all classed as clean. >>> The only time i've seen this before is when the domain is listed in >>> the /etc/MailScanner/rules/scan.messages.rules file - it is not listed >>> in this case though. >>> >>> MailScanner --to @tbanda.co.uk or to MailScanner --to >>> user@tbanda.co.uk doesn't return anything at all on any of the nodes. >>> It seems to be affecting this domain globally but for no apparent >>> reason, all others are OK though. >>> Domains are stored in a mysql db as are transport maps and users, >>> postfix reads from the (seperate) db without any problems. >>> >>> I can't see anything in maillog of relevance and a spamassassin -D >>> --lint doesn't show any problems, anywhere else i can look? >>> >>> cheers, >>> >>> Si >>> -- >>> MailScanner mailing list >>> mailscanner@lists.mailscanner.info >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>> >>> Before posting, read http://wiki.mailscanner.info/posting >>> >>> Support MailScanner development - buy the book off the website! >>> >>> >> Simon >> >> Ok so you're definitely getting MS headers in the emails that aren't >> scanned, and you're seeing a zero score in the headers (not just >> mailwatch)?? >> >> I presume you have these set in MailScanner.conf so you can see what's >> happening? >> >> Always Include SpamAssassin Report = yes >> Spam Score Number Format = yes >> SpamScore Number Instead Of Stars = yes >> >> any timeouts in the logs for these emails? >> >> have you tried running a sample set in debug mode? 
>>
>> --
>> Martin Hepworth
>> Oxford, UK
>> --
>>
>
> Hi Martin,
>
> just a zero score, here's an example from maillog;
>
> cat /var/log/maillog | grep 1B6906814F1.E8158
> Nov 11 11:39:47 mailgate1 MailScanner[12279]: Requeue:
> 1B6906814F1.E8158 to D27525C0302
> Nov 11 11:39:47 mailgate1 MailScanner[12279]: Logging message
> 1B6906814F1.E8158 to SQL
> Nov 11 11:39:47 mailgate1 MailScanner[11926]: 1B6906814F1.E8158:
> Logged to MailWatch SQL
>
> [root@server postfix]# cat /var/log/maillog | grep D27525C0302
> Nov 11 11:39:47 mailgate1 MailScanner[12279]: Requeue:
> 1B6906814F1.E8158 to D27525C0302
> Nov 11 11:39:47 mailgate1 postfix/qmgr[11829]: D27525C0302:
> from=, size=2566, nrcpt=1 (queue active)
> Nov 11 11:39:47 mailgate1 postfix/smtp[11872]: D27525C0302:
> to=, relay=xx.xx.xx.xx[xx.xx.xx.xx]:25,
> delay=23, delays=23/0/0/0, dsn=2.0.0, status=sent (250 Message queued)
> Nov 11 11:39:47 mailgate1 postfix/qmgr[11829]: D27525C0302: removed
>
> you can see it gets passed from mailscanner to the postfix queue
> manager before being sent which I guess is all normal.
>
> Always include.. was set to "no" so I changed this to "yes", the
> others look ok with the spam score number being %d
>
> No time-outs that I can see, I haven't really done anything in debug
> other than stop the service then restart in debug but everything
> looked OK, the fact that this only appears to affect one domain (there
> are about 300 on the system) is the strange part. Could it be
> something in SpamAssassin's cache? I've checked user configured
> black/white lists and that looks OK, 3 whitelist entries and 50 or so
> blacklists, nothing abnormal though. Where can I find the docs for
> "running a sample set in debug mode?"
>

V. simple. Running "MailScanner --debug" will run one batch of messages through then stop. See if it prints anything untoward. Check "MailScanner --lint" as well.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From MailScanner at ecs.soton.ac.uk Tue Nov 11 12:21:10 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Nov 11 12:21:30 2008 Subject: domain not scanned In-Reply-To: <70572c510811110401p7422bd8aj2fa1495356510416@mail.gmail.com> References: <70572c510811100915vc203310q7aabc2eb89abb3a0@mail.gmail.com> <72cf361e0811100942v236448a9xbc68225e884610b5@mail.gmail.com> <70572c510811110115l6cd3f82bq90481e7b3f250359@mail.gmail.com> <70572c510811110313y16f754ccy9a17bd52d111bc48@mail.gmail.com> <72cf361e0811110335p12683a25v578d7224ecc7c767@mail.gmail.com> <70572c510811110401p7422bd8aj2fa1495356510416@mail.gmail.com> Message-ID: <491978B6.9010003@ecs.soton.ac.uk> Simon Jones wrote: > 2008/11/11 Martin Hepworth : > >> 2008/11/11 Simon Jones : >> >>> 2008/11/11 Simon Jones : >>> >>>> 2008/11/10 Martin Hepworth : >>>> >>>>> 2008/11/10 Simon Jones : >>>>> >>>>>> Hi all, fresh pair of eyes could be the solution but i'm struggling at the mo. >>>>>> >>>>>> i have a domain that seems to be being excluded from the spam scan - >>>>>> virus scanning is OK though. i've check >>>>>> /etc/MailScanner/scan.messages.rules and its not listed in there. the >>>>>> recipient and transport tables are good - what else could cause this? >>>>>> all other domains are being scanned and everything's working fine. >>>>>> >>>>>> cheers >>>>>> >>>>>> Si >>>>>> -- >>>>>> MailScanner mailing list >>>>>> mailscanner@lists.mailscanner.info >>>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>>>>> >>>>>> Before posting, read http://wiki.mailscanner.info/posting >>>>>> >>>>>> Support MailScanner development - buy the book off the website! >>>>>> >>>>>> >>>>> whitelisted in the SA config? Are you putting all SA scores etc in all >>>>> emails so can see what's going on? >>>>> >>>>> -- >>>>> Martin Hepworth >>>>> Oxford, UK >>>>> -- >>>>> >>> Morning chaps, >>> >>> a bit more info - this was working OK and domain has been successfully >>> scanned for a number of months but it stopped scanning over the >>> weekend. 
Its a distributed setup (3 servers + db) and it appears that
>>> all servers are dropping the domain from the scan. S/A scores are
>>> zero on all scans, there's nothing whitelisted that I can see, I run
>>> MailWatch and the messages for this domain are all classed as clean.
>>> The only time i've seen this before is when the domain is listed in
>>> the /etc/MailScanner/rules/scan.messages.rules file - it is not listed
>>> in this case though.
>>>
>>> MailScanner --to @tbanda.co.uk or to MailScanner --to
>>> user@tbanda.co.uk doesn't return anything at all on any of the nodes.
>>>

That's because you're not asking it to work out anything.
MailScanner --to user@tbanda.co.uk --value=scanmessages
should print something. Try that for other MailScanner.conf options you want to check.

>>> It seems to be affecting this domain globally but for no apparent
>>> reason, all others are OK though.
>>> Domains are stored in a mysql db as are transport maps and users,
>>> postfix reads from the (seperate) db without any problems.
>>>
>>> I can't see anything in maillog of relevance and a spamassassin -D
>>> --lint doesn't show any problems, anywhere else i can look?
>>>
>>> cheers,
>>>
>>> Si
>>> --
>>> MailScanner mailing list
>>> mailscanner@lists.mailscanner.info
>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>
>>> Before posting, read http://wiki.mailscanner.info/posting
>>>
>>> Support MailScanner development - buy the book off the website!
>>>
>>>
>> Simon
>>
>> Ok so you're definitely getting MS headers in the emails that aren't
>> scanned, and you're seeing a zero score in the headers (not just
>> mailwatch)??
>>
>> I presume you have these set in MailScanner.conf so you can see what's
>> happening?
>>
>> Always Include SpamAssassin Report = yes
>> Spam Score Number Format = yes
>> SpamScore Number Instead Of Stars = yes
>>
>> any timeouts in the logs for these emails?
>>
>> have you tried running a sample set in debug mode?
>> >> -- >> Martin Hepworth >> Oxford, UK >> -- >> > > Hi Martin, > > just a zero score, here's an example from maillog; > > cat /var/log/maillog | grep 1B6906814F1.E8158 > Nov 11 11:39:47 mailgate1 MailScanner[12279]: Requeue: > 1B6906814F1.E8158 to D27525C0302 > Nov 11 11:39:47 mailgate1 MailScanner[12279]: Logging message > 1B6906814F1.E8158 to SQL > Nov 11 11:39:47 mailgate1 MailScanner[11926]: 1B6906814F1.E8158: > Logged to MailWatch SQL > > [root@server postfix]# cat /var/log/maillog | grep D27525C0302 > Nov 11 11:39:47 mailgate1 MailScanner[12279]: Requeue: > 1B6906814F1.E8158 to D27525C0302 > Nov 11 11:39:47 mailgate1 postfix/qmgr[11829]: D27525C0302: > from=, size=2566, nrcpt=1 (queue active) > Nov 11 11:39:47 mailgate1 postfix/smtp[11872]: D27525C0302: > to=, relay=xx.xx.xx.xx[xx.xx.xx.xx]:25, > delay=23, delays=23/0/0/0, dsn=2.0.0, status=sent (250 Message queued) > Nov 11 11:39:47 mailgate1 postfix/qmgr[11829]: D27525C0302: removed > > you can see it gets passed from mailscanner to the postfix queue > manager before being sent which I guess is all normal. > > Always include.. was set to "no" so I changed this to "yes", the > others look ok with the spam score number being %d > > No time-outs that I can see, I haven't really done anything in debug > other than stop the service then restart in debug but everything > looked OK, the fact that this only appears to affect one domain (there > are about 300 on the system) is the strange part. Could it be > something in SpamAssassin's cache? I've checked user configured > black/white lists and that looks OK, 3 whitelist entries and 50 or so > blacklists, nothing abnormal though. Where can I find the docs for > "running a sample set in debug mode?" > > Simon > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! 
Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From simonmjones at gmail.com Tue Nov 11 12:53:54 2008 
From: simonmjones at gmail.com (Simon Jones) Date: Tue Nov 11 12:54:02 2008 Subject: domain not scanned In-Reply-To: <491978B6.9010003@ecs.soton.ac.uk> References: <70572c510811100915vc203310q7aabc2eb89abb3a0@mail.gmail.com> <72cf361e0811100942v236448a9xbc68225e884610b5@mail.gmail.com> <70572c510811110115l6cd3f82bq90481e7b3f250359@mail.gmail.com> <70572c510811110313y16f754ccy9a17bd52d111bc48@mail.gmail.com> <72cf361e0811110335p12683a25v578d7224ecc7c767@mail.gmail.com> <70572c510811110401p7422bd8aj2fa1495356510416@mail.gmail.com> <491978B6.9010003@ecs.soton.ac.uk> Message-ID: <70572c510811110453td3f9c59n9b6150998e6b3a91@mail.gmail.com> 2008/11/11 Julian Field : > > > Simon Jones wrote: >> >> 2008/11/11 Martin Hepworth : >> >>> >>> 2008/11/11 Simon Jones : >>> >>>> >>>> 2008/11/11 Simon Jones : >>>> >>>>> >>>>> 2008/11/10 Martin Hepworth : >>>>> >>>>>> >>>>>> 2008/11/10 Simon Jones : >>>>>> >>>>>>> >>>>>>> Hi all, fresh pair of eyes could be the solution but i'm struggling >>>>>>> at the mo. >>>>>>> >>>>>>> i have a domain that seems to be being excluded from the spam scan - >>>>>>> virus scanning is OK though. i've check >>>>>>> /etc/MailScanner/scan.messages.rules and its not listed in there. >>>>>>> the >>>>>>> recipient and transport tables are good - what else could cause this? >>>>>>> all other domains are being scanned and everything's working fine. >>>>>>> >>>>>>> cheers >>>>>>> >>>>>>> Si >>>>>>> -- >>>>>>> MailScanner mailing list >>>>>>> mailscanner@lists.mailscanner.info >>>>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>>>>>> >>>>>>> Before posting, read http://wiki.mailscanner.info/posting >>>>>>> >>>>>>> Support MailScanner development - buy the book off the website! >>>>>>> >>>>>>> >>>>>> >>>>>> whitelisted in the SA config? Are you putting all SA scores etc in all >>>>>> emails so can see what's going on? 
>>>>>>
>>>>>> --
>>>>>> Martin Hepworth
>>>>>> Oxford, UK
>>>>>> --
>>>>>>
>>>>
>>>> Morning chaps,
>>>>
>>>> a bit more info - this was working OK and domain has been successfully
>>>> scanned for a number of months but it stopped scanning over the
>>>> weekend. It's a distributed setup (3 servers + db) and it appears that
>>>> all servers are dropping the domain from the scan. S/A scores are
>>>> zero on all scans, there's nothing whitelisted that I can see, I run
>>>> MailWatch and the messages for this domain are all classed as clean.
>>>> The only time i've seen this before is when the domain is listed in
>>>> the /etc/MailScanner/rules/scan.messages.rules file - it is not listed
>>>> in this case though.
>>>>
>>>> MailScanner --to @tbanda.co.uk or to MailScanner --to
>>>> user@tbanda.co.uk doesn't return anything at all on any of the nodes.
>>>>
>
> That's because you're not asking it to work out anything.
> MailScanner --to user@tbanda.co.uk --value=scanmessages
> should print something. Try that for other MailScanner.conf options you want
> to check.
>
>>>> It seems to be affecting this domain globally but for no apparent
>>>> reason, all others are OK though.
>>>> Domains are stored in a mysql db as are transport maps and users,
>>>> postfix reads from the (separate) db without any problems.
>>>>
>>>> I can't see anything in maillog of relevance and a spamassassin -D
>>>> --lint doesn't show any problems, anywhere else i can look?
>>>>
>>>> cheers,
>>>>
>>>> Si
>>>> --
>>>> MailScanner mailing list
>>>> mailscanner@lists.mailscanner.info
>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>
>>>> Before posting, read http://wiki.mailscanner.info/posting
>>>>
>>>> Support MailScanner development - buy the book off the website!
>>>>
>>>>
>>>
>>> Simon
>>>
>>> Ok so you're definitely getting MS headers in the emails that aren't
>>> scanned, and you're seeing a zero score in the headers (not just
>>> mailwatch)??
>>>
>>> I presume you have these set in MailScanner.conf so you can see what's
>>> happening?
>>>
>>> Always Include SpamAssassin Report = yes
>>> Spam Score Number Format = yes
>>> SpamScore Number Instead Of Stars = yes
>>>
>>> any timeouts in the logs for these emails?
>>>
>>> have you tried running a sample set in debug mode?
>>>
>>> --
>>> Martin Hepworth
>>> Oxford, UK
>>> --
>>>
>>
>> Hi Martin,
>>
>> just a zero score, here's an example from maillog;
>>
>> cat /var/log/maillog | grep 1B6906814F1.E8158
>> Nov 11 11:39:47 mailgate1 MailScanner[12279]: Requeue:
>> 1B6906814F1.E8158 to D27525C0302
>> Nov 11 11:39:47 mailgate1 MailScanner[12279]: Logging message
>> 1B6906814F1.E8158 to SQL
>> Nov 11 11:39:47 mailgate1 MailScanner[11926]: 1B6906814F1.E8158:
>> Logged to MailWatch SQL
>>
>> [root@server postfix]# cat /var/log/maillog | grep D27525C0302
>> Nov 11 11:39:47 mailgate1 MailScanner[12279]: Requeue:
>> 1B6906814F1.E8158 to D27525C0302
>> Nov 11 11:39:47 mailgate1 postfix/qmgr[11829]: D27525C0302:
>> from=, size=2566, nrcpt=1 (queue active)
>> Nov 11 11:39:47 mailgate1 postfix/smtp[11872]: D27525C0302:
>> to=, relay=xx.xx.xx.xx[xx.xx.xx.xx]:25,
>> delay=23, delays=23/0/0/0, dsn=2.0.0, status=sent (250 Message queued)
>> Nov 11 11:39:47 mailgate1 postfix/qmgr[11829]: D27525C0302: removed
>>
>> you can see it gets passed from mailscanner to the postfix queue
>> manager before being sent which I guess is all normal.
>>
>> Always include.. was set to "no" so I changed this to "yes", the
>> others look ok with the spam score number being %d
>>
>> No time-outs that I can see, I haven't really done anything in debug
>> other than stop the service then restart in debug but everything
>> looked OK, the fact that this only appears to affect one domain (there
>> are about 300 on the system) is the strange part. Could it be
>> something in SpamAssassin's cache? I've checked user configured
>> black/white lists and that looks OK, 3 whitelist entries and 50 or so
>> blacklists, nothing abnormal though. Where can I find the docs for
>> "running a sample set in debug mode?"
>>
>> Simon
>>
>
> Jules
>
> --

Aah, thanks Jules - this looks ok?

MailScanner --to user@tbanda.co.uk --value=scanmessages
Looked up internal option name "scanmail"
With sender =
recipient = s.bunker@tbanda.co.uk
Client IP =
Virus =
Result is "1"

0=No 1=Yes

From simonmjones at gmail.com Tue Nov 11 12:55:16 2008
From: simonmjones at gmail.com (Simon Jones)
Date: Tue Nov 11 12:55:25 2008
Subject: domain not scanned
In-Reply-To: <70572c510811110453td3f9c59n9b6150998e6b3a91@mail.gmail.com>
References: <70572c510811100915vc203310q7aabc2eb89abb3a0@mail.gmail.com>
	<72cf361e0811100942v236448a9xbc68225e884610b5@mail.gmail.com>
	<70572c510811110115l6cd3f82bq90481e7b3f250359@mail.gmail.com>
	<70572c510811110313y16f754ccy9a17bd52d111bc48@mail.gmail.com>
	<72cf361e0811110335p12683a25v578d7224ecc7c767@mail.gmail.com>
	<70572c510811110401p7422bd8aj2fa1495356510416@mail.gmail.com>
	<491978B6.9010003@ecs.soton.ac.uk>
	<70572c510811110453td3f9c59n9b6150998e6b3a91@mail.gmail.com>
Message-ID: <70572c510811110455pe5ce2a7y68daa878af790762@mail.gmail.com>

and here's the debug output...

MailScanner --Debug
In Debugging mode, not forking...
Trying to setlogsock(unix)
SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
bayes: locker: safe_lock: cannot create lockfile /etc/MailScanner/bayes/bayes.mutex: Permission denied

Building a message batch to scan...
Have a batch of 3 messages.
max message size is '40k'
bayes: locker: safe_lock: cannot create lockfile /etc/MailScanner/bayes/bayes.mutex: Permission denied

bayes: locker: safe_lock: cannot create lockfile /etc/MailScanner/bayes/bayes.mutex: Permission denied

max message size is '40k'
bayes: locker: safe_lock: cannot create lockfile /etc/MailScanner/bayes/bayes.mutex: Permission denied

bayes: locker: safe_lock: cannot create lockfile /etc/MailScanner/bayes/bayes.mutex: Permission denied

max message size is '40k'
bayes: locker: safe_lock: cannot create lockfile /etc/MailScanner/bayes/bayes.mutex: Permission denied

bayes: locker: safe_lock: cannot create lockfile /etc/MailScanner/bayes/bayes.mutex: Permission denied

Stopping now as you are debugging me.
commit ineffective with AutoCommit enabled at /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93, line 118.
Commmit ineffective while AutoCommit is on at /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93, line 118.

From maxsec at gmail.com Tue Nov 11 13:25:31 2008
From: maxsec at gmail.com (Martin Hepworth)
Date: Tue Nov 11 13:25:40 2008
Subject: domain not scanned
In-Reply-To: <70572c510811110455pe5ce2a7y68daa878af790762@mail.gmail.com>
References: <70572c510811100915vc203310q7aabc2eb89abb3a0@mail.gmail.com>
	<72cf361e0811100942v236448a9xbc68225e884610b5@mail.gmail.com>
	<70572c510811110115l6cd3f82bq90481e7b3f250359@mail.gmail.com>
	<70572c510811110313y16f754ccy9a17bd52d111bc48@mail.gmail.com>
	<72cf361e0811110335p12683a25v578d7224ecc7c767@mail.gmail.com>
	<70572c510811110401p7422bd8aj2fa1495356510416@mail.gmail.com>
	<491978B6.9010003@ecs.soton.ac.uk>
	<70572c510811110453td3f9c59n9b6150998e6b3a91@mail.gmail.com>
	<70572c510811110455pe5ce2a7y68daa878af790762@mail.gmail.com>
Message-ID: <72cf361e0811110525p7fedb7a0l702072d729f0bd73@mail.gmail.com>

Simon

you need to run the debug as the postfix user really so it doesn't
give you problems with permissions.

a full debug "mailScanner --debug --debug-sa" might be useful.

Obviously make sure there's email in the queue relating to the domain
in question ;-)

--
Martin Hepworth
Oxford, UK

From campbell at cnpapers.com Tue Nov 11 13:53:36 2008
From: campbell at cnpapers.com (Steve Campbell)
Date: Tue Nov 11 13:53:55 2008
Subject: Can't see the error of my ways - Clamd
Message-ID: <49198E60.8020708@cnpapers.com>

Really frustrated, as I should be able to see this.

I have installed the latest MS and the Clamd rpms on a machine, and
then, after seeing that it is running fine, onto two other machines.
The first is still running fine. The other two are reporting the error
in my maillog:

::ERROR:: UNKNOWN CLAMD RETURN ./lstat() failed. ERROR ::
/var/spool/MailScanner/incoming/10897

Now, I have tried to figure out where the ownership and permissions
are going haywire, but haven't been able to. I am running sendmail.

I can stop MS, change the ownership of the incoming directory to
clamav.root on the bad machine as it is on the nicely-running machine.
When I start MS and it creates the first temp directory under
incoming, it changes the ownership back to root.clamav for the
directory incoming and the temp directories. I have tried comparing
the MS.conf files and the clamd.conf files, but see no difference.

Does anyone have a clue? I installed all 3 machines following the wiki
instructions.

Thanks for any help

Steve Campbell

From MailScanner at ecs.soton.ac.uk Tue Nov 11 14:15:33 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Nov 11 14:15:53 2008
Subject: Can't see the error of my ways - Clamd
In-Reply-To: <49198E60.8020708@cnpapers.com>
References: <49198E60.8020708@cnpapers.com>
Message-ID: <49199385.7030705@ecs.soton.ac.uk>

Steve Campbell wrote:
> Really frustrated, as I should be able to see this.
>
> I have installed the latest MS and the Clamd rpms on a machine, and
> then, after seeing that it is running fine, onto two other machines.
> The first is still running fine. The other two are reporting the error
> in my maillog:
>
> ::ERROR:: UNKNOWN CLAMD RETURN ./lstat() failed. ERROR ::
> /var/spool/MailScanner/incoming/10897
>
> Now, I have tried to figure out where the ownership and permissions
> are going haywire, but haven't been able to. I am running sendmail.
>
> I can stop MS, change the ownership of the incoming directory to
> clamav.root on the bad machine as it is on the nicely-running machine.
> When I start MS and it creates the first temp directory under
> incoming, it changes the ownership back to root.clamav for the
> directory incoming and the temp directories. I have tried comparing
> the MS.conf files and the clamd.conf files, but see no difference.
>
> Does anyone have a clue?
Have you checked all the ownership and permissions settings in
MailScanner.conf? I would suspect that's where your problem is,
MailScanner will be overwriting your manually set permissions.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From jvoorhees1 at gmail.com Tue Nov 11 14:32:15 2008
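Added example (not part of any list message, and not MailScanner, ClamAV or SpamAssassin code): a small Python model of the POSIX directory permission checks behind the two errors reported above, clamd's lstat() failure under /var/spool/MailScanner/incoming and the failure to create /etc/MailScanner/bayes/bayes.mutex. The uids, gids, directory modes and scenario names are constructed for illustration; ACLs and SELinux are not modelled.

```python
"""Model of classic POSIX mode-bit checks on a chain of directories."""
from dataclasses import dataclass

R, W, X = 4, 2, 1  # read, write, search bits inside one rwx triplet


@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    gids: frozenset  # primary plus supplementary group ids


@dataclass(frozen=True)
class Directory:
    path: str
    uid: int   # owning user id
    gid: int   # owning group id
    mode: int  # permission bits, e.g. 0o750


def effective_bits(account, directory):
    """Return the one rwx triplet that applies to this account.

    Mode bits select exactly one class: owner if the uid matches, else
    group if any gid matches, else other. Classes are never combined.
    uid 0 normally bypasses directory permission checks.
    """
    if account.uid == 0:
        return R | W | X
    if account.uid == directory.uid:
        return (directory.mode >> 6) & 7
    if directory.gid in account.gids:
        return (directory.mode >> 3) & 7
    return directory.mode & 7


def first_blocked(account, chain):
    """Path of the first directory the account cannot search, else None.

    lstat() on an entry needs search (x) on every directory leading to it.
    """
    for directory in chain:
        if not effective_bits(account, directory) & X:
            return directory.path
    return None


def can_create_in(account, chain):
    """Creating a file (a lock file, say) also needs write on the last directory."""
    return (bool(chain) and first_blocked(account, chain) is None
            and bool(effective_bits(account, chain[-1]) & W))


# Constructed accounts: the numeric ids are placeholders, not values from the thread.
ROOT = Account("root", 0, frozenset({0}))
CLAMAV = Account("clamav", 101, frozenset({101}))
POSTFIX = Account("postfix", 89, frozenset({89}))

SPOOL = Directory("/var/spool/MailScanner", 0, 0, 0o755)


def work_dir(uid, gid, mode):
    """Constructed chain ending in a per-batch work directory."""
    return [SPOOL,
            Directory("/var/spool/MailScanner/incoming", uid, gid, mode),
            Directory("/var/spool/MailScanner/incoming/10897", uid, gid, mode)]


SCENARIOS = {
    "root:clamav 0750": work_dir(0, 101, 0o750),      # group class gives r-x
    "root:root 0750": work_dir(0, 0, 0o750),          # clamav falls into other: ---
    "root:clamav 0640": work_dir(0, 101, 0o640),      # group has r-- but no search bit
    "clamav:clamav 0070": work_dir(101, 101, 0o070),  # owner class (---) wins over group
}

# Constructed state for the Bayes directory: root-owned, not writable by others.
BAYES = [Directory("/etc/MailScanner", 0, 0, 0o755),
         Directory("/etc/MailScanner/bayes", 0, 0, 0o755)]


def audit(account):
    """Map each scenario to None (entries can be lstat'ed) or the blocking directory."""
    return {name: first_blocked(account, chain) for name, chain in SCENARIOS.items()}


if __name__ == "__main__":
    for name, blocked in audit(CLAMAV).items():
        print(f"{name:20} -> {'ok' if blocked is None else 'blocked at ' + blocked}")
    for account in (ROOT, POSTFIX):
        print(f"{account.name} can create bayes.mutex: {can_create_in(account, BAYES)}")
```

The same check applies to whichever account actually runs the scanner, so a debug run under a different account can report different permission results than the running service would see.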
From: jvoorhees1 at gmail.com (Jason Voorhees)
Date: Tue Nov 11 14:32:33 2008
Subject: Releasing messages from quarantine
Message-ID: <4919976F.5010201@gmail.com>

An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081111/75bf6451/attachment.html

From campbell at cnpapers.com Tue Nov 11 14:40:33 2008
From: campbell at cnpapers.com (Steve Campbell)
Date: Tue Nov 11 14:40:47 2008
Subject: Can't see the error of my ways - Clamd
In-Reply-To: <49199385.7030705@ecs.soton.ac.uk>
References: <49198E60.8020708@cnpapers.com>
	<49199385.7030705@ecs.soton.ac.uk>
Message-ID: <49199961.2030203@cnpapers.com>

Julian Field wrote:
>
>
> Steve Campbell wrote:
>> Really frustrated, as I should be able to see this.
>>
>> I have installed the latest MS and the Clamd rpms on a machine, and
>> then, after seeing that it is running fine, onto two other machines.
>> The first is still running fine. The other two are reporting the
>> error in my maillog:
>>
>> ::ERROR:: UNKNOWN CLAMD RETURN ./lstat() failed. ERROR ::
>> /var/spool/MailScanner/incoming/10897
>>
>> Now, I have tried to figure out where the ownership and permissions
>> are going haywire, but haven't been able to. I am running sendmail.
>>
>> I can stop MS, change the ownership of the incoming directory to
>> clamav.root on the bad machine as it is on the nicely-running
>> machine. When I start MS and it creates the first temp directory
>> under incoming, it changes the ownership back to root.clamav for the
>> directory incoming and the temp directories. I have tried comparing
>> the MS.conf files and the clamd.conf files, but see no difference.
>>
>> Does anyone have a clue?
> Have you checked all the ownership and permissions settings in
> MailScanner.conf? I would suspect that's where your problem is,
> MailScanner will be overwriting your manually set permissions.
>
> Jules
>
Well, that seems to be the problem. I had the options mixed up
terribly, but when I fixed them, it still didn't correct the problem.
(I had the group as 0640!!!!!). Gosh I hate bifocals.

The comments in the conf file indicate that I cannot change the
incoming directory user if I am running MS as user root, which I am,
unless the clamav user is in the root group, which it is not. I had
the user set blank and group set to clamav for the incoming dir.

So just for the hell of it, I set both user and group to clamav, and
the error went away.

Still confused but working.

Thanks Jules for the second set of eyes. I must have looked at those 20
times before.

Steve

From davidj at synaq.com Tue Nov 11 14:58:16 2008
From: davidj at synaq.com (David Jacobson)
Date: Tue Nov 11 14:58:36 2008
Subject: Releasing messages from quarantine
In-Reply-To: <4919976F.5010201@gmail.com>
Message-ID:

Hi Jason,

We had a similar requirement a long time ago. We made use of mailfeeder
(www.pldaniels.com/mailfeeder/) and changed the Mailwatch code to
integrate that so it delivers the mail as was sent.

Hope that helps you get started.

Cheers,
David

On 2008/11/11 4:32 PM, "Jason Voorhees" wrote:

> Hi there:
>
> I'm using MailScanner + MailWatch without problems but recently some users are
> not happy when a released message says "Message released from quarantine"
> coming from postmaster@domain.com.
>
> They would like to get the released message with the original sender and the
> original subject instead of being replaced with the Postmaster address.
>
> Is it possible to achieve this? Is it possible to make transparent to end
> users the releasing of messages from quarantine?
>
> I hope someone can help :( Thanks :)
>
> P.D.: My English is not good enough
>
>

--
Regards,
David Jacobson
Technical Director
SYNAQ (Pty) Ltd
Tel: 011 262 3628
Direct: 011 262 3626
Fax: 086 637 8868
Cell: 083 235 0760
Mail: davidj@synaq.com
Web: http://www.synaq.com

Key Fingerprint 8246 FCE1 3C22 7EFB E61B 18DF 6E8B 65E8 BD50 78A1
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081111/8f04d9a3/attachment.html

From simonmjones at gmail.com Tue Nov 11 15:09:57 2008
From: simonmjones at gmail.com (Simon Jones)
Date: Tue Nov 11 15:10:05 2008
Subject: domain not scanned
In-Reply-To: <72cf361e0811110525p7fedb7a0l702072d729f0bd73@mail.gmail.com>
References: <70572c510811100915vc203310q7aabc2eb89abb3a0@mail.gmail.com>
	<72cf361e0811100942v236448a9xbc68225e884610b5@mail.gmail.com>
	<70572c510811110115l6cd3f82bq90481e7b3f250359@mail.gmail.com>
	<70572c510811110313y16f754ccy9a17bd52d111bc48@mail.gmail.com>
	<72cf361e0811110335p12683a25v578d7224ecc7c767@mail.gmail.com>
	<70572c510811110401p7422bd8aj2fa1495356510416@mail.gmail.com>
	<491978B6.9010003@ecs.soton.ac.uk>
	<70572c510811110453td3f9c59n9b6150998e6b3a91@mail.gmail.com>
	<70572c510811110455pe5ce2a7y68daa878af790762@mail.gmail.com>
	<72cf361e0811110525p7fedb7a0l702072d729f0bd73@mail.gmail.com>
Message-ID: <70572c510811110709s774ee7ccn985ed102bf0b1a25@mail.gmail.com>

2008/11/11 Martin Hepworth :
>> > > Simon > > you need to run the debug as the postfix user really so it doesn't > give you problems with permissions. > > a full debug "mailScanner --debug --debug-sa" might be useful. > > Obviously make sure there's email in the queue relating to the domain > in question ;-) > > -- > Martin Hepworth > Oxford, UK > -- Thanks Martin, doesn't show any problems so far as I can see which you would expect since it works for all other domains other than the one it refuses to scan. From steve.freegard at fsl.com Tue Nov 11 15:43:21 2008 From: steve.freegard at fsl.com (Steve Freegard) Date: Tue Nov 11 15:43:32 2008 Subject: Releasing messages from quarantine In-Reply-To: <4919976F.5010201@gmail.com> References: <4919976F.5010201@gmail.com> Message-ID: <4919A819.8080206@fsl.com> Jason Voorhees wrote: > Hi there: > > I'm using MailScanner + MailWatch without problems but recently some > users are not happy when a released message says "Message released from > quarantine" coming from postmaster@domain.com. > > They would like to get the released message with the original sender and > the original subject instead of being replaced with the Postmaster address. > > Is it possible to achieve this? Is it possible to make transparent to > end users the releasing of messages from quarantine? > > I hope someone can help :( Thanks :) > > P.D.: My english is not good enough > Sure - in MailWatch conf.php set QUARANTINE_USE_SENDMAIL to 'true' and it will send the original message without modification. Regards, Steve. From steve.freegard at fsl.com Tue Nov 11 15:52:09 2008 
From: steve.freegard at fsl.com (Steve Freegard) Date: Tue Nov 11 15:52:20 2008 Subject: domain not scanned In-Reply-To: <70572c510811110709s774ee7ccn985ed102bf0b1a25@mail.gmail.com> References: <70572c510811100915vc203310q7aabc2eb89abb3a0@mail.gmail.com> <72cf361e0811100942v236448a9xbc68225e884610b5@mail.gmail.com> <70572c510811110115l6cd3f82bq90481e7b3f250359@mail.gmail.com> <70572c510811110313y16f754ccy9a17bd52d111bc48@mail.gmail.com> <72cf361e0811110335p12683a25v578d7224ecc7c767@mail.gmail.com> <70572c510811110401p7422bd8aj2fa1495356510416@mail.gmail.com> <491978B6.9010003@ecs.soton.ac.uk> <70572c510811110453td3f9c59n9b6150998e6b3a91@mail.gmail.com> <70572c510811110455pe5ce2a7y68daa878af790762@mail.gmail.com> <72cf361e0811110525p7fedb7a0l702072d729f0bd73@mail.gmail.com> <70572c510811110709s774ee7ccn985ed102bf0b1a25@mail.gmail.com> Message-ID: <4919AA29.8080707@fsl.com> Simon Jones wrote: >>>>>>>> a bit more info - this was working OK and domain has been successfully >>>>>>>> scanned for a number of months but it stopped scanning over the >>>>>>>> weekend. Its a distributed setup (3 servers + db) and it appears that >>>>>>>> all servers are dropping the domain from the scan. S/A scores are >>>>>>>> zero on all scans, there's nothing whitelisted that I can see, I run >>>>>>>> MailWatch and the messages for this domain are all classed as clean. >>>>>>>> The only time i've seen this before is when the domain is listed in >>>>>>>> the /etc/MailScanner/rules/scan.messages.rules file - it is not listed >>>>>>>> in this case though. >>>>>>>> >>>>>>>> MailScanner --to @tbanda.co.uk or to MailScanner --to >>>>>>>> user@tbanda.co.uk doesn't return anything at all on any of the nodes. >>>>>>>> Try running the following: grep -Ri tbanda /etc/MailScanner See if you get anything you don't expect. Regards, Steve. From simonmjones at gmail.com Tue Nov 11 15:58:24 2008 
From: simonmjones at gmail.com (Simon Jones) Date: Tue Nov 11 15:58:34 2008 Subject: domain not scanned In-Reply-To: <4919AA29.8080707@fsl.com> References: <70572c510811100915vc203310q7aabc2eb89abb3a0@mail.gmail.com> <70572c510811110313y16f754ccy9a17bd52d111bc48@mail.gmail.com> <72cf361e0811110335p12683a25v578d7224ecc7c767@mail.gmail.com> <70572c510811110401p7422bd8aj2fa1495356510416@mail.gmail.com> <491978B6.9010003@ecs.soton.ac.uk> <70572c510811110453td3f9c59n9b6150998e6b3a91@mail.gmail.com> <70572c510811110455pe5ce2a7y68daa878af790762@mail.gmail.com> <72cf361e0811110525p7fedb7a0l702072d729f0bd73@mail.gmail.com> <70572c510811110709s774ee7ccn985ed102bf0b1a25@mail.gmail.com> <4919AA29.8080707@fsl.com> Message-ID: <70572c510811110758r4ed6eabeqc634c24a713d1e39@mail.gmail.com> 2008/11/11 Steve Freegard : > Simon Jones wrote: >>>>>>>>> >>>>>>>>> a bit more info - this was working OK and domain has been >>>>>>>>> successfully >>>>>>>>> scanned for a number of months but it stopped scanning over the >>>>>>>>> weekend. Its a distributed setup (3 servers + db) and it appears >>>>>>>>> that >>>>>>>>> all servers are dropping the domain from the scan. S/A scores are >>>>>>>>> zero on all scans, there's nothing whitelisted that I can see, I >>>>>>>>> run >>>>>>>>> MailWatch and the messages for this domain are all classed as >>>>>>>>> clean. >>>>>>>>> The only time i've seen this before is when the domain is listed in >>>>>>>>> the /etc/MailScanner/rules/scan.messages.rules file - it is not >>>>>>>>> listed >>>>>>>>> in this case though. >>>>>>>>> >>>>>>>>> MailScanner --to @tbanda.co.uk or to MailScanner --to >>>>>>>>> user@tbanda.co.uk doesn't return anything at all on any of the >>>>>>>>> nodes. >>>>>>>>> > > Try running the following: > > grep -Ri tbanda /etc/MailScanner > > See if you get anything you don't expect. > > Regards, > Steve. > -- not a sausage :( From support at systux.nl Tue Nov 11 15:59:41 2008 
From: support at systux.nl (Wim Bakker) Date: Tue Nov 11 15:59:53 2008 Subject: Question about rule files Message-ID: <4919ABED.9000206@systux.nl> Hello Is it possible to include rule files in rule files. Eg. High Scoring Spam Actions = /opt/MailScanner/etc/rules/highspamaction.rules and the highspamaction.rules has include files for different domains like : include /opt/MailScanner/etc/rules/domainset1.rules include /opt/MailScanner/etc/rules/domainset2.rules etc. the include files than contain the actual rules Thanks Wim Bakker From J.Ede at birchenallhowden.co.uk Tue Nov 11 16:02:43 2008 From: J.Ede at birchenallhowden.co.uk (Jason Ede) Date: Tue Nov 11 16:03:01 2008 Subject: Releasing messages from quarantine In-Reply-To: <4919A819.8080206@fsl.com> References: <4919976F.5010201@gmail.com> <4919A819.8080206@fsl.com> Message-ID: <4CAB0118AEC63A4FAAE77E6BCBDF760C7939968D45@server02.bhl.local> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Steve Freegard > Sent: 11 November 2008 15:43 > To: MailScanner discussion > Subject: Re: Releasing messages from quarantine > > Jason Voorhees wrote: > > Hi there: > > > > I'm using MailScanner + MailWatch without problems but recently some > > users are not happy when a released message says "Message released > from > > quarantine" coming from postmaster@domain.com. > > > > They would like to get the released message with the original sender > and > > the original subject instead of being replaced with the Postmaster > address. > > > > Is it possible to achieve this? Is it possible to make transparent to > > end users the releasing of messages from quarantine? > > > > I hope someone can help :( Thanks :) > > > > P.D.: My english is not good enough > > > > Sure - in MailWatch conf.php set QUARANTINE_USE_SENDMAIL to 'true' and > it will send the original message without modification. > I've found that isn't always reliable (on mailwatch 1.0.4) if there are attachments on the email. Mailwatch says that the email has been released but nothing ever seems to reach the mail queue... I think its some form of memory issue to do with PHP? If can get it working reliably would be fantastic :-D Jason From simonmjones at gmail.com Tue Nov 11 16:06:57 2008 
From: simonmjones at gmail.com (Simon Jones) Date: Tue Nov 11 16:07:05 2008 Subject: domain not scanned In-Reply-To: <70572c510811110758r4ed6eabeqc634c24a713d1e39@mail.gmail.com> References: <70572c510811100915vc203310q7aabc2eb89abb3a0@mail.gmail.com> <72cf361e0811110335p12683a25v578d7224ecc7c767@mail.gmail.com> <70572c510811110401p7422bd8aj2fa1495356510416@mail.gmail.com> <491978B6.9010003@ecs.soton.ac.uk> <70572c510811110453td3f9c59n9b6150998e6b3a91@mail.gmail.com> <70572c510811110455pe5ce2a7y68daa878af790762@mail.gmail.com> <72cf361e0811110525p7fedb7a0l702072d729f0bd73@mail.gmail.com> <70572c510811110709s774ee7ccn985ed102bf0b1a25@mail.gmail.com> <4919AA29.8080707@fsl.com> <70572c510811110758r4ed6eabeqc634c24a713d1e39@mail.gmail.com> Message-ID: <70572c510811110806r58a62c30ybd4e6478ab1e6f9a@mail.gmail.com> 2008/11/11 Simon Jones : > 2008/11/11 Steve Freegard : >> Simon Jones wrote: >>>>>>>>>> >>>>>>>>>> a bit more info - this was working OK and domain has been >>>>>>>>>> successfully >>>>>>>>>> scanned for a number of months but it stopped scanning over the >>>>>>>>>> weekend. Its a distributed setup (3 servers + db) and it appears >>>>>>>>>> that >>>>>>>>>> all servers are dropping the domain from the scan. S/A scores are >>>>>>>>>> zero on all scans, there's nothing whitelisted that I can see, I >>>>>>>>>> run >>>>>>>>>> MailWatch and the messages for this domain are all classed as >>>>>>>>>> clean. >>>>>>>>>> The only time i've seen this before is when the domain is listed in >>>>>>>>>> the /etc/MailScanner/rules/scan.messages.rules file - it is not >>>>>>>>>> listed >>>>>>>>>> in this case though. >>>>>>>>>> >>>>>>>>>> MailScanner --to @tbanda.co.uk or to MailScanner --to >>>>>>>>>> user@tbanda.co.uk doesn't return anything at all on any of the >>>>>>>>>> nodes. >>>>>>>>>> >> >> Try running the following: >> >> grep -Ri tbanda /etc/MailScanner >> >> See if you get anything you don't expect. >> >> Regards, >> Steve. 
>> --
>
> not a sausage :(
>

Fixed - nothing complicated at all, someone had set the spam score limit to 127 in mailwatch :) bugger!

thanks for your help lads - presently whacking myself about the head with something heavy whilst reciting "thou shalt check the easy stuff first next time"

Si.

From t.d.lee at durham.ac.uk Tue Nov 11 16:18:05 2008
From: t.d.lee at durham.ac.uk (David Lee)
Date: Tue Nov 11 16:18:39 2008
Subject: MS/perl segfaults
In-Reply-To: <49186B27.2060809@ecs.soton.ac.uk>
References: <49186B27.2060809@ecs.soton.ac.uk>
Message-ID:

On Mon, 10 Nov 2008, Julian Field wrote:

> One immediate thought: the only reproducible instance of this problem was
> caused by the HTML parser, and I wrote a solution to that in a recent
> release, it's in the Change Log.
>
> But yes, your idea is a possibility, now that I'm using SQLite. Doing it with
> a dbm file is not really practical due to high contention for the exclusive
> write locks on the file. SQLite may be able to do it rather better.
> [...]

Many thanks, Julian. I'm glad you think the idea is workable. As Jonas Larsen confirmed, although such events are rare, their impact on a site can be severe (we had 60,000+ emails delayed over the weekend).

My mention of db/dbm was simply illustrative. Use whatever technology (preferably lightweight) that you think is best. (In my initial vague sketch, I was imagining two updates (an insert and delete) per email under normal conditions.)

As I say, I'm happy to try to beta-test if you wish.

--
: David Lee                          I.T. Service      :
: Senior Systems Programmer          Computer Centre   :
: UNIX Team Leader                   Durham University :
:                                    South Road        :
: http://www.dur.ac.uk/t.d.lee/      Durham DH1 3LE    :
: Phone: +44 191 334 2752            U.K.              :

From MailScanner at ecs.soton.ac.uk Tue Nov 11 16:20:18 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Nov 11 16:20:41 2008
Subject: Question about rule files
In-Reply-To: <4919ABED.9000206@systux.nl>
References: <4919ABED.9000206@systux.nl>
Message-ID: <4919B0C2.6070507@ecs.soton.ac.uk>

On 11/11/08 15:59, Wim Bakker wrote:
> Hello
>
> Is it possible to include rule files in rule files.

No, sorry. But you can put a filename in a rule instead of an address to match, which will make it apply the rule to every address/domain/whatever listed in the file, one per line. Comments start with # and last to the end of the line.

That may well be enough for your needs.

Jules.

> Eg.
> High Scoring Spam Actions =
> /opt/MailScanner/etc/rules/highspamaction.rules
>
> and the highspamaction.rules has include files
> for different domains
> like :
> include /opt/MailScanner/etc/rules/domainset1.rules
> include /opt/MailScanner/etc/rules/domainset2.rules
> etc.
> the include files than contain the actual rules
>
> Thanks
>
> Wim Bakker

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From steve.freegard at fsl.com Tue Nov 11 16:30:59 2008
From: steve.freegard at fsl.com (Steve Freegard)
Date: Tue Nov 11 16:31:10 2008
Subject: Releasing messages from quarantine
In-Reply-To: <4CAB0118AEC63A4FAAE77E6BCBDF760C7939968D45@server02.bhl.local>
References: <4919976F.5010201@gmail.com> <4919A819.8080206@fsl.com> <4CAB0118AEC63A4FAAE77E6BCBDF760C7939968D45@server02.bhl.local>
Message-ID: <4919B343.50505@fsl.com>

Jason Ede wrote:
>> Sure - in MailWatch conf.php set QUARANTINE_USE_SENDMAIL to 'true' and
>> it will send the original message without modification.
>>
>
> I've found that isn't always reliable (on mailwatch 1.0.4) if there are attachments on the email. Mailwatch says that the email has been released but nothing ever seems to reach the mail queue... I think its some form of memory issue to do with PHP? If can get it working reliably would be fantastic :-D
>

Actually the problem isn't with MailWatch - but the way MailScanner handles blocked attachment or file types.

When MailScanner sends notices it uses the original Message-ID header and replaces the body with the notice.

Certain mail servers (Exchange, Zimbra etc.) have duplicate message prevention built-in and they use the Message-ID header to determine duplicates, so if you send multiple messages with the same Message-ID - the first message will be delivered and the rest will go to /dev/null or NUL if you're a Windoze user ;-)

For users of systems that do duplicate message checking you have to do something like the following:

cat /path/to/message | grep -Ev '^Message-ID:' | sendmail -toi

And your MTA should see the missing Message ID and create one for you.

Kind regards,
Steve.

From J.Ede at birchenallhowden.co.uk Tue Nov 11 16:38:07 2008
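A header-only variant of the filter in Steve Freegard's reply above, added here as an example (not code from the thread, MailWatch or MailScanner): `grep -Ev '^Message-ID:'` tests every line of the message, so this version confines the match to the header block, ignores case, and drops folded continuation lines together with the header. The names `strip_message_id`, `sample_message` and `count_header_message_ids` and the sample message are constructed for illustration; the input is assumed to be a plain RFC 5322 message file.

```shell
#!/bin/sh
# Added example: remove the Message-ID header (and only the header) from an
# RFC 5322 message on stdin, so the MTA assigns a fresh one on re-injection.

strip_message_id() {
    awk '
        BEGIN { in_hdr = 1; skip = 0 }

        # First empty line ends the header block; everything after is body.
        in_hdr && ($0 == "" || $0 == "\r") { in_hdr = 0; print; next }

        in_hdr {
            # Folded continuation line: belongs to the previous header field.
            if ($0 ~ /^[ \t]/) { if (!skip) print; next }
            # Field names are case-insensitive (Message-ID, Message-Id, ...).
            skip = (tolower($0) ~ /^message-id[ \t]*:/)
            if (!skip) print
            next
        }

        # Body (including attached or quoted messages) passes through untouched.
        { print }
    '
}

# Constructed sample: a folded Message-Id header plus a body line that merely
# starts with the same text (for instance a quoted or forwarded message).
sample_message() {
    printf '%s\n' \
        'From: sender@example.test' \
        'Message-Id:' \
        ' <constructed-id-1@example.test>' \
        'Subject: released from quarantine' \
        '' \
        'Forwarded message follows:' \
        'Message-ID: <constructed-id-2@example.test>'
}

# Number of Message-ID fields in the header block (0 after stripping).
count_header_message_ids() {
    awk '$0 == "" || $0 == "\r" { exit }
         tolower($0) ~ /^message-id[ \t]*:/ { n++ }
         END { print n + 0 }'
}

# Usage on a real file (the path is a placeholder):
#   strip_message_id < /path/to/message | sendmail -t -oi
```
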
From: J.Ede at birchenallhowden.co.uk (Jason Ede) Date: Tue Nov 11 16:38:39 2008 Subject: Releasing messages from quarantine In-Reply-To: <4919B343.50505@fsl.com> References: <4919976F.5010201@gmail.com> <4919A819.8080206@fsl.com> <4CAB0118AEC63A4FAAE77E6BCBDF760C7939968D45@server02.bhl.local> <4919B343.50505@fsl.com> Message-ID: <4CAB0118AEC63A4FAAE77E6BCBDF760C7939968D4F@server02.bhl.local> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Steve Freegard > Sent: 11 November 2008 16:31 > To: MailScanner discussion > Subject: Re: Releasing messages from quarantine > > Jason Ede wrote: > >> Sure - in MailWatch conf.php set QUARANTINE_USE_SENDMAIL to 'true' > and > >> it will send the original message without modification. > >> > > > > I've found that isn't always reliable (on mailwatch 1.0.4) if there > are attachments on the email. Mailwatch says that the email has been > released but nothing ever seems to reach the mail queue... I think its > some form of memory issue to do with PHP? If can get it working > reliably would be fantastic :-D > > > > Actually the problem isn't with MailWatch - but the way MailScanner > handles blocked attachment or file types. > > When MailScanner sends notices it uses the original Message-ID header > and replaces the body with the notice. > > Certain mail servers (Exchange, Zimbra etc.) have duplicate message > prevention built-in and they use the Message-ID header to determine > duplicates, so if you send multiple messages with the same Message-ID - > the first message will be delivered and the rest will go to /dev/null > or > NUL if you're a Windoze user ;-) > > For users of systems that do duplicate message checking you have to do > something like the following: > > cat /path/to/message | grep -Ev '^Message-ID:' | sendmail -toi > > And your MTA should see the missing Message ID and create one for you. > > Kind regards, > Steve. Steve, That makes sense. Does that mean we have to manually inject the mail back into the queue (we use postfix) or can we just hack the release mechanism to do this for us? Jason From jaearick at colby.edu Tue Nov 11 16:42:20 2008 
From: jaearick at colby.edu (Jeff A. Earickson) Date: Tue Nov 11 16:42:36 2008 Subject: mip: mail fraud? Anybody seen this? Message-ID: Julian, First, I hope that you and your various internal organs are doing reasonably well. I got pinged by a user today who asked "why did this copied reply get munged up by MailScanner?" > From: claiming to be xxx@aol.com > > Date: Tue, 11 Nov 2008 08:14:40 EST > To: to be yyy@upanewtonma.org and so on for all of the other email addresses in the quoted reply. I would guess that the mip: construct is something that an AOL MTA or mail client added. I googled for it and found zilch. Anybody else seen this? BTW: running MS 4.72.5-1 on Solaris 10. Jeff Earickson Colby College From lists at tippingmar.com Tue Nov 11 17:08:21 2008 From: lists at tippingmar.com (Mark Nienberg) Date: Tue Nov 11 17:08:36 2008 Subject: Sanesecurity sigs In-Reply-To: <49188E2A.1030609@tippingmar.com> References: <49188E2A.1030609@tippingmar.com> Message-ID: <4919BC05.1030105@tippingmar.com> One thing I've noticed is that if a message triggers a sanesecurity header sig, then if MailScanner sends a notice to postmaster and if the notice includes the full headers, the notice itself triggers sanesecurity and gets quarantined instead of delivered to postmaster. This triggers another notification, but this one passes. This is kind of a false positive, but not really, because the bad header really is there. Should I exempt localhost from virus scanning to prevent this? Or maybe a ruleset for the notification would be better. Mark Nienberg From pippo at olidata.eu Tue Nov 11 17:09:42 2008 
From: pippo at olidata.eu (pippo@olidata.eu)
Date: Tue Nov 11 17:10:00 2008
Subject: MailScanner header tags added to message body
Message-ID: <7A213AA442B273439E0162BEE06C8CF2310081@POSTA.olidata.it>

Hi,

I'm working on this since some days and can't figure out how to solve.
I installed MailScanner few days ago on a Ubuntu Server 8.04 LTS + Postfix. The server acts as a gateway and sends scanned mails to an Exchange 2003 Server.
Mail flow is correct and MailScanner seems to work (at least it adds the banner). The problem is that the various changes to message headers, are not made to message headers, but:
- are not made at all if message is in HTML format
- are added on top of message body if message is in text format.
I couldn't find anything about this issue in documentation, nor in Google.

Where am I wrong ?

Thanks.

Massimo.

From MailScanner at ecs.soton.ac.uk Tue Nov 11 17:20:33 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Nov 11 17:20:54 2008 Subject: Releasing messages from quarantine In-Reply-To: <4919B343.50505@fsl.com> References: <4919976F.5010201@gmail.com> <4919A819.8080206@fsl.com> <4CAB0118AEC63A4FAAE77E6BCBDF760C7939968D45@server02.bhl.local> <4919B343.50505@fsl.com> Message-ID: <4919BEE1.4050201@ecs.soton.ac.uk> On 11/11/08 16:30, Steve Freegard wrote: > Jason Ede wrote: >>> Sure - in MailWatch conf.php set QUARANTINE_USE_SENDMAIL to 'true' and >>> it will send the original message without modification. >>> >> >> I've found that isn't always reliable (on mailwatch 1.0.4) if there >> are attachments on the email. Mailwatch says that the email has been >> released but nothing ever seems to reach the mail queue... I think >> its some form of memory issue to do with PHP? If can get it working >> reliably would be fantastic :-D >> > > Actually the problem isn't with MailWatch - but the way MailScanner > handles blocked attachment or file types. > > When MailScanner sends notices it uses the original Message-ID header > and replaces the body with the notice. Exactly what sort of notices are we talking about? I'm sure I can fix this problem, I don't remember anyone mentioning to directly to me before... Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Tue Nov 11 17:21:36 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Nov 11 17:21:57 2008 Subject: mip: mail fraud? Anybody seen this? In-Reply-To: References: Message-ID: <4919BF20.6040402@ecs.soton.ac.uk> If anyone else can tell me what mip: is, I'll think about adding it to the phishing net so it gets ignored as a URL. On 11/11/08 16:42, Jeff A. Earickson wrote: > Julian, > > First, I hope that you and your various internal organs are doing > reasonably well. > > I got pinged by a user today who asked "why did this copied > reply get munged up by MailScanner?" > >> From: > claiming to be xxx@aol.com > >> Date: Tue, 11 Nov 2008 08:14:40 EST >> To: > claiming >> to be yyy@upanewtonma.org > > and so on for all of the other email addresses in the quoted reply. > I would guess that the mip: construct is something that an AOL MTA > or mail client added. I googled for it and found zilch. Anybody > else seen this? > > BTW: running MS 4.72.5-1 on Solaris 10. > > Jeff Earickson > Colby College > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From steve.freegard at fsl.com Tue Nov 11 17:33:13 2008 
From: steve.freegard at fsl.com (Steve Freegard) Date: Tue Nov 11 17:33:23 2008 Subject: Releasing messages from quarantine In-Reply-To: <4919BEE1.4050201@ecs.soton.ac.uk> References: <4919976F.5010201@gmail.com> <4919A819.8080206@fsl.com> <4CAB0118AEC63A4FAAE77E6BCBDF760C7939968D45@server02.bhl.local> <4919B343.50505@fsl.com> <4919BEE1.4050201@ecs.soton.ac.uk> Message-ID: <4919C1D9.9090601@fsl.com> Julian Field wrote: > On 11/11/08 16:30, Steve Freegard wrote: >> Jason Ede wrote: >>>> Sure - in MailWatch conf.php set QUARANTINE_USE_SENDMAIL to 'true' and >>>> it will send the original message without modification. >>>> >>> >>> I've found that isn't always reliable (on mailwatch 1.0.4) if there >>> are attachments on the email. Mailwatch says that the email has been >>> released but nothing ever seems to reach the mail queue... I think >>> its some form of memory issue to do with PHP? If can get it working >>> reliably would be fantastic :-D >>> >> >> Actually the problem isn't with MailWatch - but the way MailScanner >> handles blocked attachment or file types. >> >> When MailScanner sends notices it uses the original Message-ID header >> and replaces the body with the notice. > Exactly what sort of notices are we talking about? I'm sure I can fix > this problem, I don't remember anyone mentioning to directly to me > before... I've been meaning to mention it... It's any notice that you create and keep the original Message-ID header when you might want to release the message from quarantine later. 
So I guess that could affect any of the following: Stored Size Message Report = %report-dir%/stored.size.message.txt Sender Size Report = %report-dir%/sender.size.report.txt Sender Spam Report = %report-dir%/sender.spam.report.txt Sender Spam List Report = %report-dir%/sender.spam.rbl.report.txt Sender SpamAssassin Report = %report-dir%/sender.spam.sa.report.txt Recipient Spam Report = %report-dir%/recipient.spam.report.txt Recipient MCP Report = %report-dir%/recipient.mcp.report.txt Sender MCP Report = %report-dir%/sender.mcp.report.txt Kind regards, Steve. From maxsec at gmail.com Tue Nov 11 17:34:58 2008 
From: maxsec at gmail.com (Martin Hepworth)
Date: Tue Nov 11 17:35:08 2008
Subject: MailScanner header tags added to message body
In-Reply-To: <7A213AA442B273439E0162BEE06C8CF2310081@POSTA.olidata.it>
References: <7A213AA442B273439E0162BEE06C8CF2310081@POSTA.olidata.it>
Message-ID: <72cf361e0811110934o4a18753dh3dbdb26bf42bba15@mail.gmail.com>

2008/11/11 :
> Hi,
>
> I'm working on this since some days and can't figure out how to solve.
> I installed MailScanner few days ago on a Ubuntu Server 8.04 LTS +
> Postfix. The server acts as a gateway and sends scanned mails to an
> Exchange 2003 Server.
> Mail flow is correct and MailScanner seems to work (at least it adds the
> banner). The problem is that the various changes to message headers, are
> not made to message headers, but:
> - are not made at all if message is in HTML format
> - are added on top of message body if message is in text format.
> I couldn't find anything about this issue in documentation, nor in
> Google.
>
> Where am I wrong ?
>
> Thanks.
>
> Massimo.
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

Check the Org-name setting in MailScanner.conf. Make sure there's no spaces or other bad characters in there ( see the comments above it for reasons why)

--
Martin Hepworth
Oxford, UK

From MailScanner at ecs.soton.ac.uk Tue Nov 11 18:05:30 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Nov 11 18:06:02 2008 Subject: Releasing messages from quarantine In-Reply-To: <4919C1D9.9090601@fsl.com> References: <4919976F.5010201@gmail.com> <4919A819.8080206@fsl.com> <4CAB0118AEC63A4FAAE77E6BCBDF760C7939968D45@server02.bhl.local> <4919B343.50505@fsl.com> <4919BEE1.4050201@ecs.soton.ac.uk> <4919C1D9.9090601@fsl.com> Message-ID: <4919C96A.8090409@ecs.soton.ac.uk> On 11/11/08 17:33, Steve Freegard wrote: > Julian Field wrote: >> On 11/11/08 16:30, Steve Freegard wrote: >>> Jason Ede wrote: >>>>> Sure - in MailWatch conf.php set QUARANTINE_USE_SENDMAIL to 'true' >>>>> and >>>>> it will send the original message without modification. >>>>> >>>> >>>> I've found that isn't always reliable (on mailwatch 1.0.4) if there >>>> are attachments on the email. Mailwatch says that the email has >>>> been released but nothing ever seems to reach the mail queue... I >>>> think its some form of memory issue to do with PHP? If can get it >>>> working reliably would be fantastic :-D >>>> >>> >>> Actually the problem isn't with MailWatch - but the way MailScanner >>> handles blocked attachment or file types. >>> >>> When MailScanner sends notices it uses the original Message-ID >>> header and replaces the body with the notice. > >> Exactly what sort of notices are we talking about? I'm sure I can fix >> this problem, I don't remember anyone mentioning to directly to me >> before... > > I've been meaning to mention it... > > It's any notice that you create and keep the original Message-ID > header when you might want to release the message from quarantine later. 
> > So I guess that could affect any of the following: > > Stored Size Message Report = %report-dir%/stored.size.message.txt > Sender Size Report = %report-dir%/sender.size.report.txt > Sender Spam Report = %report-dir%/sender.spam.report.txt > Sender Spam List Report = %report-dir%/sender.spam.rbl.report.txt > Sender SpamAssassin Report = %report-dir%/sender.spam.sa.report.txt > Recipient Spam Report = %report-dir%/recipient.spam.report.txt > Recipient MCP Report = %report-dir%/recipient.mcp.report.txt > Sender MCP Report = %report-dir%/sender.mcp.report.txt Not quite. When I remove the dangerous attachment from a message, I send the message on with its original Message-ID: header, which I believe is what I should be doing. Otherwise I'll break threads, among other things. Not every recipient of an attachment in (for example) a mailing list thread is interested in receiving that attachment, and having the thread broken as a result. When someone chooses to release a message from the MailWatch quarantine, they don't change the Message-ID: to a new value before sending it. So personally I reckon the ball is in your court. Sites without MailWatch wouldn't want their Message-ID: threads breaking for every message that happened to contain a dodgy attachment the recipient wasn't interested in anyway. Surely it's MailWatch's job to create a new Message-ID: when a message is re-posted with its attachments, now the user has chosen to retrieve them? I just see this as a problem for the implementers of quarantine release mechanisms, not for me. What do you think? What does anyone else on the list think? Cheers, Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From jvoorhees1 at gmail.com Tue Nov 11 18:08:58 2008 From: jvoorhees1 at gmail.com (Jason Voorhees) Date: Tue Nov 11 18:10:05 2008 Subject: Releasing messages from quarantine In-Reply-To: <4919A819.8080206@fsl.com> References: <4919976F.5010201@gmail.com> <4919A819.8080206@fsl.com> Message-ID: <4919CA3A.1020408@gmail.com> Thanks. That was pretty simple and something I was looking for since long time ago. I always seen that option in conf.php but I never knew its purpose. Bytes Steve Freegard escribi?: > Jason Voorhees wrote: >> Hi there: >> >> I'm using MailScanner + MailWatch without problems but recently some >> users are not happy when a released message says "Message released >> from quarantine" coming from postmaster@domain.com. >> >> They would like to get the released message with the original sender >> and the original subject instead of being replaced with the Postmaster >> address. >> >> Is it possible to achieve this? Is it possible to make transparent to >> end users the releasing of messages from quarantine? >> >> I hope someone can help :( Thanks :) >> >> P.D.: My english is not good enough >> > > Sure - in MailWatch conf.php set QUARANTINE_USE_SENDMAIL to 'true' and > it will send the original message without modification. > > Regards, > Steve. From steve.freegard at fsl.com Tue Nov 11 18:52:18 2008 
From: steve.freegard at fsl.com (Steve Freegard)
Date: Tue Nov 11 18:53:20 2008
Subject: Releasing messages from quarantine
In-Reply-To: <4919C96A.8090409@ecs.soton.ac.uk>
References: <4919976F.5010201@gmail.com> <4919A819.8080206@fsl.com> <4CAB0118AEC63A4FAAE77E6BCBDF760C7939968D45@server02.bhl.local> <4919B343.50505@fsl.com> <4919BEE1.4050201@ecs.soton.ac.uk> <4919C1D9.9090601@fsl.com> <4919C96A.8090409@ecs.soton.ac.uk>
Message-ID: <4919D462.5080007@fsl.com>

Julian Field wrote:
> Not quite.
> When I remove the dangerous attachment from a message, I send the
> message on with its original Message-ID: header, which I believe is what
> I should be doing. Otherwise I'll break threads, among other things. Not
> every recipient of an attachment in (for example) a mailing list thread
> is interested in receiving that attachment, and having the thread broken
> as a result.
>
> When someone chooses to release a message from the MailWatch quarantine,
> they don't change the Message-ID: to a new value before sending it. So
> personally I reckon the ball is in your court. Sites without MailWatch
> wouldn't want their Message-ID: threads breaking for every message that
> happened to contain a dodgy attachment the recipient wasn't interested
> in anyway. Surely it's MailWatch's job to create a new Message-ID: when
> a message is re-posted with its attachments, now the user has chosen to
> retrieve them?
>
> I just see this as a problem for the implementers of quarantine release
> mechanisms, not for me.
>
> What do you think?

You're right of course - I'm forgetting that MailScanner can strip attachments and deliver the original message.

I can strip the Message-ID on my end and get the MTA to generate a new one automatically; but this is going to break threading as well.

I guess there is no clean way around this.

Regards,
Steve.

From rcooper at dwford.com Tue Nov 11 19:48:42 2008
From: rcooper at dwford.com (Rick Cooper) Date: Tue Nov 11 19:48:55 2008 Subject: mip: mail fraud? Anybody seen this? In-Reply-To: <4919BF20.6040402@ecs.soton.ac.uk> References: <4919BF20.6040402@ecs.soton.ac.uk> Message-ID: That looks to be a MusicIP link see: http://www.musicip.com/mixer/mipprotocol.jsp > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On > Behalf Of Julian Field > Sent: Tuesday, November 11, 2008 12:22 PM > To: MailScanner discussion > Subject: Re: mip: mail fraud? Anybody seen this? > > If anyone else can tell me what mip: is, I'll think about > adding it to > the phishing net so it gets ignored as a URL. > > On 11/11/08 16:42, Jeff A. Earickson wrote: > > Julian, > > > > First, I hope that you and your various internal organs are doing > > reasonably well. > > > > I got pinged by a user today who asked "why did this copied > > reply get munged up by MailScanner?" 
> > > >> From: from "mip:" > >> claiming to be xxx@aol.com > > >> Date: Tue, 11 Nov 2008 08:14:40 EST > >> To: from "mip:" > >> claiming > >> to be yyy@upanewtonma.org > > > > and so on for all of the other email addresses in the quoted reply. > > I would guess that the mip: construct is something that an AOL MTA > > or mail client added. I googled for it and found zilch. Anybody > > else seen this? > > > > BTW: running MS 4.72.5-1 on Solaris 10. > > > > Jeff Earickson > > Colby College > > > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system > administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > PGP public key: http://www.jules.fm/julesfm.asc > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Tue Nov 11 21:18:23 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Nov 11 21:18:44 2008 Subject: Releasing messages from quarantine In-Reply-To: <4919D462.5080007@fsl.com> References: <4919976F.5010201@gmail.com> <4919A819.8080206@fsl.com> <4CAB0118AEC63A4FAAE77E6BCBDF760C7939968D45@server02.bhl.local> <4919B343.50505@fsl.com> <4919BEE1.4050201@ecs.soton.ac.uk> <4919C1D9.9090601@fsl.com> <4919C96A.8090409@ecs.soton.ac.uk> <4919D462.5080007@fsl.com> Message-ID: <4919F69F.4000506@ecs.soton.ac.uk> On 11/11/08 18:52, Steve Freegard wrote: > Julian Field wrote: >> Not quite. >> When I remove the dangerous attachment from a message, I send the >> message on with its original Message-ID: header, which I believe is >> what I should be doing. Otherwise I'll break threads, among other >> things. Not every recipient of an attachment in (for example) a >> mailing list thread is interested in receiving that attachment, and >> having the thread broken as a result. >> >> When someone chooses to release a message from the MailWatch >> quarantine, they don't change the Message-ID: to a new value before >> sending it. So personally I reckon the ball is in your court. Sites >> without MailWatch wouldn't want their Message-ID: threads breaking >> for every message that happened to contain a dodgy attachment the >> recipient wasn't interested in anyway. Surely it's MailWatch's job to >> create a new Message-ID: when a message is re-posted with its >> attachments, now the user has chosen to retrieve them? >> >> I just see this as a problem for the implementers of quarantine >> release mechanisms, not for me. >> >> What do you think? > > You're right of course - I'm forgetting that MailScanner can strip > attachments and deliver the original message. > > I can strip the Message-ID on my end and get the MTA to generate a new > one automatically; but this is going to break threading as well. I > guess there is no clean way around this. Absolutely. 
One of us has to break the threading, and I think the repeat message sent at a later date should be the one to do it. Sorry to give you more work... Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Tue Nov 11 21:24:00 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Nov 11 21:24:23 2008 Subject: mip: mail fraud? Anybody seen this? In-Reply-To: References: <4919BF20.6040402@ecs.soton.ac.uk> Message-ID: <4919F7F0.9090607@ecs.soton.ac.uk> Try this patch to the latest Message.pm and let me know if it helps: --- Message.pm 2008-10-24 12:11:57.000000000 +0100 +++ Message.pm.new 2008-11-11 21:23:14.000000000 +0000 @@ -7251,6 +7251,7 @@ $linkurl =~ s/^(https?:\/\/[^:]+):80/$1/i; # Remove http://....:80 $linkurl =~ s/^(https?|ftp)[:;]\/\///i; return ("",0) if $linkurl =~ /^ma[il]+to[:;]/i; + return ("",0) if $linkurl =~ /^mip[:;]/i; # Ignore MusicIP links #$linkurl = "" if $linkurl =~ /^ma[il]+to[:;]/i; $linkurl =~ s/[?\/].*$//; # Only compare up to the first '/' or '?' $linkurl =~ s/(\<\/?(br|p|ul)\>)*$//ig; # Remove trailing br, p, ul tags On 11/11/08 19:48, Rick Cooper wrote: > That looks to be a MusicIP link see: > > http://www.musicip.com/mixer/mipprotocol.jsp > > > -----Original Message----- 
> > From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner-bounces@lists.mailscanner.info] On > > Behalf Of Julian Field > > Sent: Tuesday, November 11, 2008 12:22 PM > > To: MailScanner discussion > > Subject: Re: mip: mail fraud? Anybody seen this? > > > > If anyone else can tell me what mip: is, I'll think about > > adding it to > > the phishing net so it gets ignored as a URL. > > > > On 11/11/08 16:42, Jeff A. Earickson wrote: > > > Julian, > > > > > > First, I hope that you and your various internal organs are doing > > > reasonably well. > > > > > > I got pinged by a user today who asked "why did this copied > > > reply get munged up by MailScanner?" 
> > > > > >> From: > from "mip:" > > >> claiming to be xxx@aol.com > > > >> Date: Tue, 11 Nov 2008 08:14:40 EST > > >> To: > from "mip:" > > >> claiming > > >> to be yyy@upanewtonma.org > > > > > > and so on for all of the other email addresses in the quoted reply. > > > I would guess that the mip: construct is something that an AOL MTA > > > or mail client added. I googled for it and found zilch. Anybody > > > else seen this? > > > > > > BTW: running MS 4.72.5-1 on Solaris 10. > > > > > > Jeff Earickson > > > Colby College > > > > > > > Jules > > > > -- > > Julian Field MEng CITP CEng > > www.MailScanner.info > > Buy the MailScanner book at www.MailScanner.info/store > > > > MailScanner customisation, or any advanced system > > administration help? > > Contact me at Jules@Jules.FM > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > PGP public key: http://www.jules.fm/julesfm.asc > > > > > > -- > > This message has been scanned for viruses and > > dangerous content by MailScanner, and is > > believed to be clean. > > > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > > > -- > > This message has been scanned for viruses and > > dangerous content by MailScanner, and is > > believed to be clean. > > > > > > > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From jaearick at colby.edu Tue Nov 11 21:32:41 2008 From: jaearick at colby.edu (Jeff A. Earickson) Date: Tue Nov 11 21:33:09 2008 Subject: mip: mail fraud? Anybody seen this? In-Reply-To: <4919F7F0.9090607@ecs.soton.ac.uk> References: <4919BF20.6040402@ecs.soton.ac.uk> <4919F7F0.9090607@ecs.soton.ac.uk> Message-ID: Julian, Thank you, patch in place. I will now see if the user can try more email with the AOL person and see if the problem is gone. Thanks. Jeff Earickson Colby College On Tue, 11 Nov 2008, Julian Field wrote: > Date: Tue, 11 Nov 2008 21:24:00 +0000 > From: Julian Field > Reply-To: MailScanner discussion > To: MailScanner discussion > Subject: Re: mip: mail fraud? Anybody seen this? > > Try this patch to the latest Message.pm and let me know if it helps: > > --- Message.pm 2008-10-24 12:11:57.000000000 +0100 > +++ Message.pm.new 2008-11-11 21:23:14.000000000 +0000 > @@ -7251,6 +7251,7 @@ > $linkurl =~ s/^(https?:\/\/[^:]+):80/$1/i; # Remove http://....:80 > $linkurl =~ s/^(https?|ftp)[:;]\/\///i; > return ("",0) if $linkurl =~ /^ma[il]+to[:;]/i; > + return ("",0) if $linkurl =~ /^mip[:;]/i; # Ignore MusicIP links > #$linkurl = "" if $linkurl =~ /^ma[il]+to[:;]/i; > $linkurl =~ s/[?\/].*$//; # Only compare up to the first '/' or '?' > $linkurl =~ s/(\<\/?(br|p|ul)\>)*$//ig; # Remove trailing br, p, ul tags > > > > On 11/11/08 19:48, Rick Cooper wrote: >> That looks to be a MusicIP link see: >> >> http://www.musicip.com/mixer/mipprotocol.jsp >> >> > -----Original Message----- 
>> > From: mailscanner-bounces@lists.mailscanner.info >> > [mailto:mailscanner-bounces@lists.mailscanner.info] On >> > Behalf Of Julian Field >> > Sent: Tuesday, November 11, 2008 12:22 PM >> > To: MailScanner discussion >> > Subject: Re: mip: mail fraud? Anybody seen this? >> > >> > If anyone else can tell me what mip: is, I'll think about >> > adding it to >> > the phishing net so it gets ignored as a URL. >> > >> > On 11/11/08 16:42, Jeff A. Earickson wrote: >> > > Julian, >> > > >> > > First, I hope that you and your various internal organs are doing >> > > reasonably well. >> > > >> > > I got pinged by a user today who asked "why did this copied >> > > reply get munged up by MailScanner?" >> > > >> > >> From:> > from "mip:" >> > >> claiming to be xxx@aol.com > >> > >> Date: Tue, 11 Nov 2008 08:14:40 EST >> > >> To:> > from "mip:" >> > >> claiming >> > >> to be yyy@upanewtonma.org >> > > >> > > and so on for all of the other email addresses in the quoted reply. >> > > I would guess that the mip: construct is something that an AOL MTA >> > > or mail client added. I googled for it and found zilch. Anybody >> > > else seen this? >> > > >> > > BTW: running MS 4.72.5-1 on Solaris 10. >> > > >> > > Jeff Earickson >> > > Colby College >> > > >> > >> > Jules >> > >> > -- > Julian Field MEng CITP CEng >> > www.MailScanner.info >> > Buy the MailScanner book at www.MailScanner.info/store >> > >> > MailScanner customisation, or any advanced system >> > administration help? >> > Contact me at Jules@Jules.FM >> > >> > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> > PGP public key: http://www.jules.fm/julesfm.asc >> > >> > >> > -- > This message has been scanned for viruses and >> > dangerous content by MailScanner, and is >> > believed to be clean. 
>> > >> > -- > MailScanner mailing list >> > mailscanner@lists.mailscanner.info >> > http://lists.mailscanner.info/mailman/listinfo/mailscanner >> > >> > Before posting, read http://wiki.mailscanner.info/posting >> > >> > Support MailScanner development - buy the book off the website! >> > >> > -- >> > This message has been scanned for viruses and >> > dangerous content by MailScanner, and is >> > believed to be clean. >> > >> > >> > >> >> >> -- >> This message has been scanned for viruses and >> dangerous content by MailScanner, and is >> believed to be clean. >> >> >> > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > PGP public key: http://www.jules.fm/julesfm.asc > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From nwp at nz.lemon-computing.com Tue Nov 11 21:41:08 2008 
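Review bot: in the Message.pm hunk at @@ -7251,6 +7251,7 @@, the added /^mip[:;]/i test runs after s/^(https?|ftp)[:;]\/\///i has already stripped a leading scheme, so it is applied to more than genuine mip: links: a value such as http://mip:8080/path is reduced to mip:8080/path and then also hits return ("",0). If only the MusicIP scheme is meant to be ignored, place the test above the scheme-stripping substitution. The neighbouring mailto test has the same ordering, and a later reply in this thread argues for treating the scheme as hostile unless explicitly configured otherwise, so a configurable list of ignored schemes would suit better than a second hard-coded return.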
From: nwp at nz.lemon-computing.com (Nick Phillips) Date: Tue Nov 11 21:41:21 2008 Subject: Releasing messages from quarantine In-Reply-To: <4919F69F.4000506@ecs.soton.ac.uk> References: <4919976F.5010201@gmail.com> <4919A819.8080206@fsl.com> <4CAB0118AEC63A4FAAE77E6BCBDF760C7939968D45@server02.bhl.local> <4919B343.50505@fsl.com> <4919BEE1.4050201@ecs.soton.ac.uk> <4919C1D9.9090601@fsl.com> <4919C96A.8090409@ecs.soton.ac.uk> <4919D462.5080007@fsl.com> <4919F69F.4000506@ecs.soton.ac.uk> Message-ID: <0AA7A857-7FD6-4435-9949-E579B2F4B909@nz.lemon-computing.com> On 12/11/2008, at 10:18 AM, Julian Field wrote: >> >> You're right of course - I'm forgetting that MailScanner can strip >> attachments and deliver the original message. >> >> I can strip the Message-ID on my end and get the MTA to generate a >> new one automatically; but this is going to break threading as >> well. I guess there is no clean way around this. > Absolutely. One of us has to break the threading, and I think the > repeat message sent at a later date should be the one to do it. > Sorry to give you more work... Seems to me that it would be a Good Thing to keep the original message-id in there somewhere, either by munging it to create the new ID, or by adding a separate header. That way at least there will be some link between the messages. Cheers, Nick From bcarruthers at iii.net.au Tue Nov 11 21:43:09 2008 
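The approach suggested in the message above (a fresh Message-ID on release, with the original kept in a separate header), as an added example that is not MailWatch or MailScanner code. The header name X-Original-Message-ID, the function name and the sample message are assumptions made for illustration.

```python
"""Re-issue a quarantined message with a fresh Message-ID, keeping the old one."""
from email import message_from_bytes
from email.utils import make_msgid

# Assumed header name for this example; it is not a MailWatch or MailScanner setting.
ORIGINAL_ID_HEADER = "X-Original-Message-ID"

# Constructed sample of a quarantined message that was part of a thread.
SAMPLE = (
    b"From: alice@example.org\n"
    b"To: bob@example.net\n"
    b"Subject: report\n"
    b"Message-ID: <orig.123@example.org>\n"
    b"In-Reply-To: <parent.9@example.net>\n"
    b"References: <parent.9@example.net>\n"
    b"\n"
    b"body text\n"
)


def prepare_release(raw: bytes, domain: str) -> bytes:
    """Return the message with a new Message-ID and the old one preserved."""
    msg = message_from_bytes(raw)
    originals = msg.get_all("Message-ID", [])
    # Collapse folded whitespace so each stored value is a single clean line.
    originals = [" ".join(str(v).split()) for v in originals if str(v).strip()]

    del msg["Message-ID"]          # removes every occurrence, no error if absent
    del msg[ORIGINAL_ID_HEADER]    # drop any copy that arrived with the message
    msg["Message-ID"] = make_msgid(idstring="released", domain=domain)
    for value in originals:
        msg[ORIGINAL_ID_HEADER] = value

    # In-Reply-To and References are left alone, so the released copy still
    # sorts under its parent; only replies to the first delivery lose the link.
    return msg.as_bytes()


if __name__ == "__main__":
    print(prepare_release(SAMPLE, "mail.example.net").decode("ascii"))
```

The released copy and the earlier stripped delivery can then be correlated in logs by searching for the preserved value.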
From: bcarruthers at iii.net.au (Brett Carruthers)
Date: Tue Nov 11 21:43:38 2008
Subject: MailScanner setup with BarricadeMX and Scalix
Message-ID:

Hi All,

I have a MailScanner, MailWatch and Scalix setup which has been stable for quite some time now. I have now purchased BarricadeMX and need to run it on port 25 in front of Scalix, MailScanner, etc. I am confused on how to configure the MailScanner / Scalix setup to achieve what is necessary.

At the moment it is working like this (please correct anything I get wrong)
-------------------------
Scalix listens on port 25 for external mail
Scalix passes mail to sendmail listening on internal smtp port 25 by way of scalix milter/filter option in smtpd.cfg file
This is shown from lsof -i:25

sendmail 2684 root 4u IPv4 7042 TCP localhost.localdomain:smtp (LISTEN)
omsmtpd 7512 root 4u IPv4 296208 TCP mailserv.iii.net.au:smtp (LISTEN)

Sendmail then puts the mail into /var/queue/mqueue.in
MailScanner scans it and puts it into /var/queue/mqueue
Sendmail passes mail back to Scalix for mailbox delivery.

Eventual outcome is to set it up like this:
-----------------------
BarricadeMX runs on port 25 for external and internal port bindings
Scalix smtp daemon runs on port 26
Sendmail daemon runs on another free port
Barricade scans mail, passes it to scalix, scalix passes mail to sendmail via milter option (this part I'm not sure of).
Sendmail passes mail to MailScanner, MailScanner passes back through sendmail and mail delivered to scalix.
Outgoing mail relayed to BarricadeMX port 25 from scalix smtp on port 26 for further scanning.

Other option:
-----------------
Is there a way to set this loop up so mail can go from BarricadeMX (25) -> sendmail/MailScanner -> Scalix? That way I could bypass the scalix milter/filter loop and make my life easier.

Any suggestions are appreciated, we trialed BarricadeMX on another test host but due to its small footprint there is no need to run on a different host.
Thanks, Brett -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081112/75ee937a/attachment.html From steve.freegard at fsl.com Wed Nov 12 00:10:52 2008 From: steve.freegard at fsl.com (Steve Freegard) Date: Wed Nov 12 00:11:04 2008 Subject: Releasing messages from quarantine In-Reply-To: <4919F69F.4000506@ecs.soton.ac.uk> References: <4919976F.5010201@gmail.com> <4919A819.8080206@fsl.com> <4CAB0118AEC63A4FAAE77E6BCBDF760C7939968D45@server02.bhl.local> <4919B343.50505@fsl.com> <4919BEE1.4050201@ecs.soton.ac.uk> <4919C1D9.9090601@fsl.com> <4919C96A.8090409@ecs.soton.ac.uk> <4919D462.5080007@fsl.com> <4919F69F.4000506@ecs.soton.ac.uk> Message-ID: <491A1F0C.7040800@fsl.com> Julian Field wrote: >> I can strip the Message-ID on my end and get the MTA to generate a new >> one automatically; but this is going to break threading as well. I >> guess there is no clean way around this. > Absolutely. One of us has to break the threading, and I think the repeat > message sent at a later date should be the one to do it. Sorry to give > you more work... No problem - it wasn't even a one-line change ;-) Cheers, Steve. From neilw at dcdata.co.za Wed Nov 12 06:19:52 2008 From: neilw at dcdata.co.za (Neil Wilson) Date: Wed Nov 12 06:24:46 2008 Subject: [Fwd: error when starting MS] Message-ID: <491A7588.5050307@dcdata.co.za> Sorry to repost the same thing, but does anyone have any ideas as to my query below? Thanks. -------- Original Message -------- Subject: error when starting MS Date: Mon, 10 Nov 2008 10:12:31 +0200 
From: Reply-To: MailScanner discussion To: MailScanner discussion Hi all, I'm sure the answer for this is quite a simple one, but I've tried a number of solutions that I've found on the lists as well as on google and none of them seemed to have worked so far. I'm getting the following error when trying to start MailScanner, I started getting this error after an upgrade from MailScanner-4.48.4 to MailScanner-4.72.5-1 Starting MailScanner...Can't locate Filesys/Df.pm in @INC (@INC contains: /opt/MailScanner/lib /usr/lib/perl5/5.8.6/i486-linux /usr/lib/perl5/5.8.6 /usr/lib/perl5/site_perl/5.8.6/i486-linux /usr/lib/perl5/site_perl/5.8.6 /usr/lib/perl5/site_perl . /opt/MailScanner/lib) at /opt/MailScanner/bin/MailScanner line 67. BEGIN failed--compilation aborted at /opt/MailScanner/bin/MailScanner line 67. I'm running perl version v5.8.6 and slackware 10.2. I have tried re-installing the perl module Filesys-Df from the perl-tar folder, as well as from cpan without any luck. A locate finds Df under /usr/lib/perl5/site_perl/5.8.6/i486-linux/auto/Filesys/Df so not quite sure why it "can't be found" Any help will be greatly appreciated. Thanks. Regards. Neil. This email and all contents are subject to the following disclaimer: http://www.dcdata.co.za/emaildisclaimer.html From hvdkooij at vanderkooij.org Wed Nov 12 07:01:31 2008 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Wed Nov 12 07:01:40 2008 Subject: mip: mail fraud? Anybody seen this? In-Reply-To: References: <4919BF20.6040402@ecs.soton.ac.uk> Message-ID: <491A7F4B.10504@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Rick Cooper wrote: > That looks to be a MusicIP link see: > > http://www.musicip.com/mixer/mipprotocol.jsp Did they bother to play by the rules and file for a protocol type? My vote is to consider them hostile unless explicitly configured otherwise at least until a proper RFC can be shown. Hugo - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. I am not in the office at the moment. Send any work to be translated. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFJGn9JBvzDRVjxmYERApGGAJoC7XDL+xhTAeCDy+xlj7aVYr8fPQCeLTRp xPc82fkg9jHWKuYt5fsjzWw= =4hgh -----END PGP SIGNATURE----- From hvdkooij at vanderkooij.org Wed Nov 12 07:05:47 2008 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Wed Nov 12 07:05:56 2008 Subject: [Fwd: error when starting MS] In-Reply-To: <491A7588.5050307@dcdata.co.za> References: <491A7588.5050307@dcdata.co.za> Message-ID: <491A804B.6040006@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Neil Wilson wrote: > Sorry to repost the same thing, but does anyone have any ideas as to my > query below? Reposting questions within 24 hours on a mailing list means you lose credibility. If you are in a hurry, get in contact with Jules, see if he has time and pay his fee. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. I am not in the office at the moment. Send any work to be translated. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFJGoBJBvzDRVjxmYERAs+fAKCQVfpYYdRVTPlULACGdkIwji6TUwCgjsFb fumJMk9I6SH0lcKgQHDyU1I= =pbs+ -----END PGP SIGNATURE----- From neilw at dcdata.co.za Wed Nov 12 07:29:33 2008 From: neilw at dcdata.co.za (Neil Wilson) Date: Wed Nov 12 07:34:21 2008 Subject: [Fwd: error when starting MS] In-Reply-To: <491A804B.6040006@vanderkooij.org> References: <491A7588.5050307@dcdata.co.za> <491A804B.6040006@vanderkooij.org> Message-ID: <491A85DD.3090104@dcdata.co.za> Hugo van der Kooij wrote: > Reposting questions within 24 hours on a mailing list means you lose > credibility. > Do I still lose credibility if it's been 48hrs? :) This email and all contents are subject to the following disclaimer: http://www.dcdata.co.za/emaildisclaimer.html From J.Ede at birchenallhowden.co.uk Wed Nov 12 07:56:45 2008 
From: J.Ede at birchenallhowden.co.uk (Jason Ede) Date: Wed Nov 12 07:57:18 2008 Subject: Releasing messages from quarantine In-Reply-To: <491A1F0C.7040800@fsl.com> References: <4919976F.5010201@gmail.com> <4919A819.8080206@fsl.com> <4CAB0118AEC63A4FAAE77E6BCBDF760C7939968D45@server02.bhl.local> <4919B343.50505@fsl.com> <4919BEE1.4050201@ecs.soton.ac.uk> <4919C1D9.9090601@fsl.com> <4919C96A.8090409@ecs.soton.ac.uk> <4919D462.5080007@fsl.com> <4919F69F.4000506@ecs.soton.ac.uk> <491A1F0C.7040800@fsl.com> Message-ID: <4CAB0118AEC63A4FAAE77E6BCBDF760C7952018A87@server02.bhl.local> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Steve Freegard > Sent: 12 November 2008 00:11 > To: MailScanner discussion > Subject: Re: Releasing messages from quarantine > > Julian Field wrote: > >> I can strip the Message-ID on my end and get the MTA to generate a > new > >> one automatically; but this is going to break threading as well. I > >> guess there is no clean way around this. > > > Absolutely. One of us has to break the threading, and I think the > repeat > > message sent at a later date should be the one to do it. Sorry to > give > > you more work... > > No problem - it wasn't even a one-line change ;-) > Is that patch available somewhere for 1.04? From maxsec at gmail.com Wed Nov 12 08:54:23 2008 
From: maxsec at gmail.com (Martin Hepworth) Date: Wed Nov 12 08:54:33 2008 Subject: Fwd: [funsec] McColo: Major Source of Online Scams and Spams Knocked Offline (fwd) In-Reply-To: References: Message-ID: <72cf361e0811120054h5c69f50s5aa18b8428771f21@mail.gmail.com> Anyone else notice a drop in spam over last couple of days? -- Martin Hepworth Oxford, UK Via Security Fix. [snip] A U.S. based Web hosting firm that security experts say was responsible for facilitating more than 75 percent of the junk e-mail blasted out each day globally has been knocked offline following reports from Security Fix on evidence gathered about criminal activity emanating from the network. For the past four months, Security Fix has been gathering data from the security industry about McColo Corp., a San Jose, Calif., based Web hosting service whose client list experts say includes some of the most disreputable cyber-criminal gangs in business today. On Monday, Security Fix contacted the Internet providers that manage more than 90 percent of the company's connection to the larger Internet, sending them information about badness at McColo as documented by the security industry. [snip] More: http://voices.washingtonpost.com/securityfix/2008/11/major_source_of_online_scams_a.html Also, more details will become available real soon now... - - ferg "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawgster(at)gmail.com ferg's tech blog: http://fergdawg.blogspot.com/ _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list. From uxbod at splatnix.net Wed Nov 12 08:54:56 2008 
From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Wed Nov 12 08:55:27 2008 Subject: MailScanner setup with BarricadeMX and Scalix In-Reply-To: Message-ID: <23611855.4571226480096099.JavaMail.root@office.splatnix.net> Why not just move SendMail onto port 10025 and Scalix to 10026 ? BarricadeMX will then just deliver to 10025. Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 ----- "Brett Carruthers" wrote: > Hi All, > > > > I have a MailScanner, MailWatch and Scalix setup which has been stable > for quite some time now. I have now purchased BarricadeMX and need to > run it on port 25 in front of Scalix, MailScanner, etc. I am confused > on how to configure the MailScanner / Scalix setup to achieve what is > necessary. > > > > At the moment it is working like this (please correct anything I get > wrong) -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From email at ace.net.au Wed Nov 12 09:11:09 2008 From: email at ace.net.au (Peter Nitschke) Date: Wed Nov 12 09:11:32 2008 Subject: Fwd: [funsec] McColo: Major Source of Online Scams and Spams Knocked Offline (fwd) In-Reply-To: <72cf361e0811120054h5c69f50s5aa18b8428771f21@mail.gmail.com> References: <72cf361e0811120054h5c69f50s5aa18b8428771f21@mail.gmail.com> Message-ID: <200811121941090091.2CE34050@web.ace.net.au> On 12/11/2008 at 8:54 AM Martin Hepworth wrote: >Anyone else notice a drop in spam over last couple of days? > Not here, in fact today has the highest spam flow for a while, over 87,000 and still over 4 hours to go before midnight. Peter From twiztar at gmail.com Wed Nov 12 09:16:04 2008 
From: twiztar at gmail.com (Erik Weber) Date: Wed Nov 12 09:16:14 2008 Subject: error when starting MS In-Reply-To: <4917ECEF.502@dcdata.co.za> References: <4917ECEF.502@dcdata.co.za> Message-ID: <491A9ED4.4070006@gmail.com> Neil Wilson wrote: > Hi all, > > A locate finds Df under > /usr/lib/perl5/site_perl/5.8.6/i486-linux/auto/Filesys/Df so not quite > sure why it "can't be found" > What's the output of 'perl -MFilesys::Df -e 1' ? -- Erik From pippo at olidata.eu Wed Nov 12 10:22:57 2008 
From: pippo at olidata.eu (pippo@olidata.eu) Date: Wed Nov 12 10:23:18 2008 Subject: R: MailScanner header tags added to message body In-Reply-To: <72cf361e0811110934o4a18753dh3dbdb26bf42bba15@mail.gmail.com> Message-ID: <7A213AA442B273439E0162BEE06C8CF2310086@POSTA.olidata.it> > 2008/11/11 > > 2008/11/11 : > > Hi, > > > > I'm working on this since some days and can't figure out > how to solve. > > I installed MailScanner few days ago on a Ubuntu Server 8.04 LTS + > > Postfix. The server acts as a gateway and sends scanned mails to an > > Exchange 2003 Server. > > Mail flow is correct and MailScanner seems to work (at > least it adds > > the banner). The problem is that the various changes to message > > headers, are not made to message headers, but: > > - are not made at all if message is in HTML format > > - are added on top of message body if message is in text format. > > I couldn't find anything about this issue in documentation, nor in > > Google. > > > > Where am I wrong ? > > > > Thanks. > > > > Massimo. > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > > > Check the Org-name setting in MailScanner.conf. Make sure > there's no spaces or other bad characters in there (see the > comments above it for reasons why) > > -- > Martin Hepworth > Oxford, UK > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > Thanks for your reply Martin. That was the first thing I checked. Only alphabetic chars, no spaces. 
Googling a while, I found that it may be due to extra newline chars on some header lines, making the client think that the header is finished. Effectively, I found that the header tag X-OriginalArrivalTime may have a double newline character at the end. Anyway, I don't know how to fix it. I suppose that this tag is added by Postfix, before putting the message on hold, but I cannot find any Postfix option regarding this tag. Another possible fix may be instructing MS to put its tags on top of the others instead of appending. Again I don't know how to do it (if possible). Any help will be very precious. Massimo. From neilw at dcdata.co.za Wed Nov 12 11:24:33 2008 From: neilw at dcdata.co.za (Neil Wilson) Date: Wed Nov 12 11:29:25 2008 Subject: error when starting MS In-Reply-To: <491A9ED4.4070006@gmail.com> References: <4917ECEF.502@dcdata.co.za> <491A9ED4.4070006@gmail.com> Message-ID: <491ABCF1.9060205@dcdata.co.za> Erik Weber wrote: > What's the output of 'perl -MFilesys::Df -e 1' ? > I get nothing returned when I try the above command. Thanks for your assistance so far. Neil. This email and all contents are subject to the following disclaimer: http://www.dcdata.co.za/emaildisclaimer.html From hvdkooij at vanderkooij.org Wed Nov 12 17:34:58 2008 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Wed Nov 12 17:35:09 2008 Subject: R: MailScanner header tags added to message body In-Reply-To: <7A213AA442B273439E0162BEE06C8CF2310086@POSTA.olidata.it> References: <7A213AA442B273439E0162BEE06C8CF2310086@POSTA.olidata.it> Message-ID: <491B13C2.9040005@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 pippo@olidata.eu wrote: > Googling a while, I found that it may be due to extra newline chars > on some header lines, making the client think that the header is > finished. Effectively, I found that the header tag X-OriginalArrivalTime > may have a double newline character at the end. Anyway, I don't know > how to fix it. I suppose that this tag is added by Postfix, before > putting the message on hold, but I cannot find any Postfix option > regarding this tag. Another possible fix may be instructing MS to > put its tags on top of the others instead of appending. Again I don't > know how to do it (if possible). That is most definitely not a default postfix header. Google was kind enough to inform me that this is in fact a Hotmail header: http://www.google.nl/search?q=X-OriginalArrivalTime http://ask-leo.com/how_can_i_trace_where_email_came_from.html I have seen headers break up in situations where someone ignores the RFC and starts to use something besides the CR-LF combinations that one MUST use at the end of a line. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. I am not in the office at the moment. Send any work to be translated. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFJGxPABvzDRVjxmYERAuGQAKCdjhfA9xyp1S8c5uDwTELxbZgEyQCfZvoY cmEby3KlbU7ZVLeb5t6+vjU= =V0B5 -----END PGP SIGNATURE----- From MailScanner at ecs.soton.ac.uk Wed Nov 12 18:07:35 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Nov 12 18:07:54 2008 Subject: [Fwd: error when starting MS] In-Reply-To: <491A7588.5050307@dcdata.co.za> References: <491A7588.5050307@dcdata.co.za> Message-ID: <491B1B67.7020200@ecs.soton.ac.uk> What does this produce? perl -MFilesys::Df -e 'print $Filesys::Df::VERSION;' It should print the version number of Filesys::Df. If it doesn't then try removing the Df.pm file you found, and re-install the module from CPAN. On 12/11/08 06:19, Neil Wilson wrote: > Sorry to repost the same thing, but does anyone have any ideas as to > my query below? > > Thanks. > > -------- Original Message -------- > Subject: error when starting MS > Date: Mon, 10 Nov 2008 10:12:31 +0200 
> From: > Reply-To: MailScanner discussion > To: MailScanner discussion > > > Hi all, > > I'm sure the answer for this is quite a simple one, but I've tried a > number of solutions that I've found on the lists as well as on google > and none of them seemed to have worked so far. > > I'm getting the following error when trying to start MailScanner, I > started getting this error after an upgrade from MailScanner-4.48.4 to > MailScanner-4.72.5-1 > > Starting MailScanner...Can't locate Filesys/Df.pm in @INC (@INC > contains: /opt/MailScanner/lib /usr/lib/perl5/5.8.6/i486-linux > /usr/lib/perl5/5.8.6 /usr/lib/perl5/site_perl/5.8.6/i486-linux > /usr/lib/perl5/site_perl/5.8.6 /usr/lib/perl5/site_perl . > /opt/MailScanner/lib) at /opt/MailScanner/bin/MailScanner line 67. > BEGIN failed--compilation aborted at /opt/MailScanner/bin/MailScanner > line 67. > > I'm running perl version v5.8.6 and slackware 10.2. > > I have tried re-installing the perl module Filesys-Df from the > perl-tar folder, as well as from cpan without any luck. > > A locate finds Df under > /usr/lib/perl5/site_perl/5.8.6/i486-linux/auto/Filesys/Df so not quite > sure why it "can't be found" > > Any help will be greatly appreciated. > > Thanks. > > Regards. > > Neil. > > > This email and all contents are subject to the following disclaimer: > http://www.dcdata.co.za/emaildisclaimer.html > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From devonharding at gmail.com Wed Nov 12 19:18:33 2008 
From: devonharding at gmail.com (Devon Harding) Date: Wed Nov 12 19:18:43 2008 Subject: SARE Rules worth it? Message-ID: <2baac6140811121118s7156791cw9d2cb051eb842880@mail.gmail.com> Is using the SARE rules in spamassassin still worth it? I'm still getting quite a few obvious spam coming through and bayes is not cutting it. I'm running MS 4.72 with SA 3.2.5 and all out of ideas. Any thoughts? -Devon From neilw at dcdata.co.za Thu Nov 13 06:16:37 2008 From: neilw at dcdata.co.za (Neil Wilson) Date: Thu Nov 13 06:21:34 2008 Subject: [Fwd: error when starting MS] In-Reply-To: <491B1B67.7020200@ecs.soton.ac.uk> References: <491A7588.5050307@dcdata.co.za> <491B1B67.7020200@ecs.soton.ac.uk> Message-ID: <491BC645.2070703@dcdata.co.za> Hi Julian, Julian Field wrote: > What does this produce? > > perl -MFilesys::Df -e 'print $Filesys::Df::VERSION;' > > It should print the version number of Filesys::Df. If it doesn't then > try removing the Df.pm file you found, and re-install the module from > CPAN. I get the following, should I try removing it anyway, and then re-installing it? perl -MFilesys::Df -e 'print $Filesys::Df::VERSION;' 0.92 Thanks, much appreciated. Regards Neil. This email and all contents are subject to the following disclaimer: http://www.dcdata.co.za/emaildisclaimer.html From maxsec at gmail.com Thu Nov 13 08:11:40 2008 
From: maxsec at gmail.com (Martin Hepworth) Date: Thu Nov 13 08:11:48 2008 Subject: SARE Rules worth it? In-Reply-To: <2baac6140811121118s7156791cw9d2cb051eb842880@mail.gmail.com> References: <2baac6140811121118s7156791cw9d2cb051eb842880@mail.gmail.com> Message-ID: <72cf361e0811130011t67618addia6a65c7009f10473@mail.gmail.com> 2008/11/12 Devon Harding : > Is using the SARE rules in spamassassin still worth it? I'm still getting > quite a few obvious spam coming through and bayes is not cutting it. I'm > running MS 4.72 with SA 3.2.5 and all out of ideas. Any thoughts? > > -Devon > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > Definitely worth it, also consider the sought.cf ruleset and of course running sa-update on a regular (daily) basis. -- Martin Hepworth Oxford, UK From pippo at olidata.eu Thu Nov 13 08:23:21 2008 
From: pippo at olidata.eu (pippo@olidata.eu) Date: Thu Nov 13 08:23:38 2008 Subject: R: R: MailScanner header tags added to message body In-Reply-To: <491B13C2.9040005@vanderkooij.org> Message-ID: <3447A6A75C58AE47BE98418A69A6EE71052AF4@POSTA.olidata.it> > > pippo@olidata.eu wrote: > > Googling a while, I found that it may be due to extra > newline chars on > > some header lines, making the client think that the header is > > finished. Effectively, I found that the header tag > > X-OriginalArrivalTime may have a double newline character > at the end. > > Anyway, i don't know how to fix it. I suppose that this tag > is added > > by Postfix, before putting the message on hold, but I > cannot find any > > Postfix option regarding this tag. Another possible fix may be > > instructing MS to put its tags on top of the others instead of > > appending. Again I don't know how to do it (if possible). > > That is most definitly not a default postfix header. Google > was kind enough to inform me that this is in fact a Hotmail header: > http://www.google.nl/search?q=X-OriginalArrivalTime > http://ask-leo.com/how_can_i_trace_where_email_came_from.html > > I have seen headers break up in situations where someone > ignores the RFC and starts to use something besides the CR-LF > combinations that one MUST use at the end of a line. > > Hugo. > > - -- > hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ > PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc > > A: Yes. > >Q: Are you sure? > >>A: Because it reverses the logical flow of conversation. > >>>Q: Why is top posting frowned upon? > > Bored? Click on http://spamornot.org/ and rate those images. > > Nid wyf yn y swyddfa ar hyn o bryd. Anfonwch unrhyw waith i'w > gyfieithu. 
> -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.7 (GNU/Linux) > Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org > > iD8DBQFJGxPABvzDRVjxmYERAuGQAKCdjhfA9xyp1S8c5uDwTELxbZgEyQCfZvoY > cmEby3KlbU7ZVLeb5t6+vjU= > =V0B5 > -----END PGP SIGNATURE----- > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > Thanks for the info Hugo. I investigated further more. Hotmail is not involved in my testing, but The X-OriginalArrivalTime comes from my Exchange Server. If I hold the message on Postfix (I simply mispelled the transport map, causing Postfix to retry) the headers are ok, and the X-OriginalArrivalTime is not present. As soon as I unhold it and deliver through Exchange, the header becomes corrupted (the X-OriginalArrivalTime appears). I think you found topics related to Hotmail because Hotmail is Microsoft and, for sure, runs on Exchange servers. I'll post on Exchange forum. Thanks again. Massimo. From MailScanner at ecs.soton.ac.uk Thu Nov 13 09:14:28 2008 
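The failure discussed in the "MailScanner header tags added to message body" thread, as an added example that is not part of any poster's message or of MailScanner itself: a checker that reports non-CRLF line endings in a header block and header fields stranded after a premature blank line. The function names and the sample message (including the `X-MailScanner` field names and the timestamp) are constructed for illustration, and the "stranded fields" test is a heuristic.

```python
import re

# RFC 5322 field name: printable ASCII other than ':' followed by a colon.
FIELD_RE = re.compile(rb"^([!-9;-~]+):")
# One line of content plus whatever terminated it (CRLF, bare LF, bare CR, or EOF).
LINE_RE = re.compile(rb"([^\r\n]*)(\r\n|\n|\r|$)")


def split_lines(raw):
    """Return [(content, terminator)] preserving the exact terminator bytes."""
    lines, pos = [], 0
    while pos < len(raw):
        m = LINE_RE.match(raw, pos)
        lines.append((m.group(1), m.group(2)))
        pos = m.end()
    return lines


def audit_headers(raw):
    """Inspect the header block of a raw message the way a lenient client reads it.

    A lenient client treats CRLF, bare LF and bare CR all as line breaks and
    stops reading headers at the first empty line. Anything after that point
    is rendered as body text, including fields a later hop appended.
    """
    lines = split_lines(raw)
    # Index of the first empty line, or len(lines) if the message has none.
    end = next((i for i, (c, _) in enumerate(lines) if c == b""), len(lines))
    findings = {
        "header_end_line": end + 1 if end < len(lines) else None,
        "bare_lf": [],
        "bare_cr": [],
        "fields_after_blank": [],
    }

    # Line endings inside the header block (1-based line numbers).
    for lineno, (_, term) in enumerate(lines[:end + 1], start=1):
        if term == b"\n":
            findings["bare_lf"].append(lineno)
        elif term == b"\r":
            findings["bare_cr"].append(lineno)

    # Heuristic: if the text right after the blank line is a run of field-like
    # lines closed by a second blank line, the header was cut short and those
    # fields will be displayed in the body.
    run = []
    for content, _ in lines[end + 1:]:
        m = FIELD_RE.match(content)
        if m:
            run.append(m.group(1).decode("ascii"))
        elif run and content[:1] in (b" ", b"\t"):
            continue  # folded continuation of the previous field
        else:
            if content == b"":
                findings["fields_after_blank"] = run
            break
    return findings


def make_sample(arrival_eol):
    """Constructed message; arrival_eol is what follows X-OriginalArrivalTime."""
    return (
        b"Subject: test\r\n"
        b"X-OriginalArrivalTime: 13 Nov 2008 07:23:21.0000 (UTC)" + arrival_eol +
        b"X-MailScanner: Found to be clean\r\n"
        b"X-MailScanner-From: sender@example.com\r\n"
        b"\r\n"
        b"Body text\r\n"
    )


if __name__ == "__main__":
    cases = {
        "clean CRLF": b"\r\n",
        "extra CRLF": b"\r\n\r\n",
        "stray CR before CRLF": b"\r\r\n",
        "bare LF": b"\n",
    }
    for label, eol in cases.items():
        print(label, audit_headers(make_sample(eol)))
```

The "stray CR before CRLF" case is the one a strict CRLF-only parser reads as a single header line while a lenient client reads as a blank line, so the same message can look intact on one hop and broken on the next.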
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Nov 13 09:14:49 2008 Subject: [Fwd: error when starting MS] In-Reply-To: <491BC645.2070703@dcdata.co.za> References: <491A7588.5050307@dcdata.co.za> <491B1B67.7020200@ecs.soton.ac.uk> <491BC645.2070703@dcdata.co.za> Message-ID: <491BEFF4.4020102@ecs.soton.ac.uk> On 13/11/08 06:16, Neil Wilson wrote: > Hi Julian, > > Julian Field wrote: >> What does this produce? >> >> perl -MFilesys::Df -e 'print $Filesys::Df::VERSION;' >> >> It should print the version number of Filesys::Df. If it doesn't then >> try removing the Df.pm file you found, and re-install the module from >> CPAN. > I get the following, should I try removing it anyway, and then > re-installing it? > > perl -MFilesys::Df -e 'print $Filesys::Df::VERSION;' > 0.92 So that worked. Try removing and reinstalling it anyway, just in case that helps. > > Thanks, much appreciated. > > Regards Neil. > > This email and all contents are subject to the following disclaimer: > http://www.dcdata.co.za/emaildisclaimer.html > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From dean.plant at roke.co.uk Thu Nov 13 10:41:02 2008 
From: dean.plant at roke.co.uk (Plant, Dean) Date: Thu Nov 13 10:41:20 2008 Subject: [funsec] McColo: Major Source of Online Scams and SpamsKnocked Offline (fwd) In-Reply-To: <72cf361e0811120054h5c69f50s5aa18b8428771f21@mail.gmail.com> Message-ID: <2181C5F19DD0254692452BFF3EAF1D6803941461@rsys005a.comm.ad.roke.co.uk> Martin Hepworth wrote: > Anyone else notice a drop in spam over last couple of days? > Yep. Primary MX dropped significantly on Friday last week. Secondary MX dropped significantly yesterday. Total Spam at MTA has dropped to 25% of last Thursdays total. Dean From ajcartmell at fonant.com Thu Nov 13 11:33:08 2008 From: ajcartmell at fonant.com (Anthony Cartmell) Date: Thu Nov 13 11:33:06 2008 Subject: [funsec] McColo: Major Source of Online Scams and SpamsKnocked Offline (fwd) In-Reply-To: <2181C5F19DD0254692452BFF3EAF1D6803941461@rsys005a.comm.ad.roke.co.uk> References: <2181C5F19DD0254692452BFF3EAF1D6803941461@rsys005a.comm.ad.roke.co.uk> Message-ID: > Martin Hepworth wrote: >> Anyone else notice a drop in spam over last couple of days? >> > > Yep. > > Primary MX dropped significantly on Friday last week. > Secondary MX dropped significantly yesterday. > > Total Spam at MTA has dropped to 25% of last Thursdays total. Could be the lack of McColo: http://www.theregister.co.uk/2008/11/12/mccolo_goes_silent/ Good news, anyway. Anthony -- www.fonant.com - Quality web sites From garry at glendown.de Thu Nov 13 11:51:08 2008 From: garry at glendown.de (Garry) Date: Thu Nov 13 11:51:34 2008 Subject: MTA-blocked Spam percentag down? Message-ID: <491C14AC.4050308@glendown.de> Hi, just wondering - my stats show the percentage of spam that was blocked due to MTA measures being down from somewhere in the >95% range (which it has usually been) to around 60% since last Friday ... as I haven't made any changes, I was wondering whether anybody else seen this behaviour...!? Tnx, -garry From maxsec at gmail.com Thu Nov 13 12:02:22 2008 
From: maxsec at gmail.com (Martin Hepworth) Date: Thu Nov 13 12:02:32 2008 Subject: MTA-blocked Spam percentag down? In-Reply-To: <491C14AC.4050308@glendown.de> References: <491C14AC.4050308@glendown.de> Message-ID: <72cf361e0811130402q33113efeh125ece8ea9fdbd56@mail.gmail.com> 2008/11/13 Garry : > Hi, > > just wondering - my stats show the percentage of spam that was blocked > due to MTA measures being down from somewhere in the >95% range (which > it has usually been) to around 60% since last Friday ... as I haven't > made any changes, I was wondering whether anybody else seen this > behaviour...!? > > Tnx, -garry > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > http://www.washingtonpost.com/wp-dyn/content/article/2008/11/12/AR2008111200658.html -- Martin Hepworth Oxford, UK From gmatt at nerc.ac.uk Thu Nov 13 12:24:24 2008 From: gmatt at nerc.ac.uk (Greg Matthews) Date: Thu Nov 13 12:24:37 2008 Subject: testing rules sets with --value= Message-ID: <491C1C78.7050605@nerc.ac.uk> Where can I find a list of options for --value=option when testing rulesets? The only one I know from reading this list is --value=virusscanning Is this documented anywhere? I didnt find it on the wiki (but I'm not sure one can search for non-alpha chars). ta GREG -- Greg Matthews 01491 692445 Head of UNIX/Linux, iTSS Wallingford -- This message (and any attachments) is for the recipient only. NERC is subject to the Freedom of Information Act 2000 and the contents of this email and any reply you make may be disclosed by NERC unless it is exempt from release under the Act. Any material supplied to NERC may be stored in an electronic records management system. From alex at rtpty.com Thu Nov 13 12:49:08 2008 
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Thu Nov 13 12:49:21 2008 Subject: R: R: MailScanner header tags added to message body In-Reply-To: <3447A6A75C58AE47BE98418A69A6EE71052AF4@POSTA.olidata.it> References: <3447A6A75C58AE47BE98418A69A6EE71052AF4@POSTA.olidata.it> Message-ID: <1C8862D4-CF81-4AFD-A56E-1534887C8CE1@rtpty.com> It "kinda does" now - but for a long time it ran on different flavors of Unix and MTAs. On Nov 13, 2008, at 3:23 AM, wrote: > I think you found topics related to Hotmail because Hotmail is > Microsoft > and, for sure, runs on Exchange servers. From steve.freegard at fsl.com Thu Nov 13 12:52:57 2008 From: steve.freegard at fsl.com (Steve Freegard) Date: Thu Nov 13 12:53:08 2008 Subject: testing rules sets with --value= In-Reply-To: <491C1C78.7050605@nerc.ac.uk> References: <491C1C78.7050605@nerc.ac.uk> Message-ID: <491C2329.40002@fsl.com> Greg Matthews wrote: > Where can I find a list of options for --value=option when testing > rulesets? Take the name of any option in MailScanner.conf and remove any whitespace and that is it's 'external' name which can be used for --value=. For example: Spam Checks = /path/to/ruleset.. $ MailScanner --value=spamchecks --to=blah@blah.com And MailScanner will return the result of the ruleset of the current value of the option. Hope that clears it up for you. Regards, Steve. From glenn.steen at gmail.com Thu Nov 13 13:44:32 2008 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Nov 13 13:44:42 2008 Subject: testing rules sets with --value= In-Reply-To: <491C2329.40002@fsl.com> References: <491C1C78.7050605@nerc.ac.uk> <491C2329.40002@fsl.com> Message-ID: <223f97700811130544k6d949eb4i7ea88953ac49f421@mail.gmail.com> 2008/11/13 Steve Freegard : > Greg Matthews wrote: >> >> Where can I find a list of options for --value=option when testing >> rulesets? > > Take the name of any option in MailScanner.conf and remove any whitespace > and that is it's 'external' name which can be used for --value=. > > For example: > > Spam Checks = /path/to/ruleset.. > > $ MailScanner --value=spamchecks --to=blah@blah.com > > And MailScanner will return the result of the ruleset of the current value > of the option. > > Hope that clears it up for you. > > Regards, > Steve. I think the file enumerating the ... translation ... from "Human Readable" to "Jules Readable"(:-) has been mentioned at least *some* time... I'm not at even remotely close to any MS box ,,, Is it ConfigDefs.pl? My memory isn't what it used to be:-). But as you say, Steve... One needn't bother with that, since all one needs do is forget the whitespace from the lval in MailScanner.conf:-). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From garry at glendown.de Thu Nov 13 14:20:00 2008 
From: garry at glendown.de (Garry) Date: Thu Nov 13 14:20:12 2008 Subject: MTA-blocked Spam percentag down? In-Reply-To: <72cf361e0811130402q33113efeh125ece8ea9fdbd56@mail.gmail.com> References: <491C14AC.4050308@glendown.de> <72cf361e0811130402q33113efeh125ece8ea9fdbd56@mail.gmail.com> Message-ID: <491C3790.3070604@glendown.de> Martin Hepworth wrote: > 2008/11/13 Garry : > >> Hi, >> >> just wondering - my stats show the percentage of spam that was blocked >> due to MTA measures being down from somewhere in the >95% range (which >> it has usually been) to around 60% since last Friday ... as I haven't >> made any changes, I was wondering whether anybody else seen this >> behaviour...!? >> >> > http://www.washingtonpost.com/wp-dyn/content/article/2008/11/12/AR2008111200658.html > a) the drop in MTA-blocked Spam dropped since last _Friday_, 4 days before the reported disconnection b) the total amount of spam received by the MS box did NOT drop Friday (though I did notice a decent amount of reduction since Wednesday ...) -garry From dave.list at pixelhammer.com Thu Nov 13 14:26:46 2008 
From: dave.list at pixelhammer.com (DAve) Date: Thu Nov 13 14:27:03 2008 Subject: MTA-blocked Spam percentag down? In-Reply-To: <491C3790.3070604@glendown.de> References: <491C14AC.4050308@glendown.de> <72cf361e0811130402q33113efeh125ece8ea9fdbd56@mail.gmail.com> <491C3790.3070604@glendown.de> Message-ID: <491C3926.1040705@pixelhammer.com> Garry wrote: > Martin Hepworth wrote: >> 2008/11/13 Garry : >> >>> Hi, >>> >>> just wondering - my stats show the percentage of spam that was blocked >>> due to MTA measures being down from somewhere in the >95% range (which >>> it has usually been) to around 60% since last Friday ... as I haven't >>> made any changes, I was wondering whether anybody else seen this >>> behaviour...!? >>> >>> >> http://www.washingtonpost.com/wp-dyn/content/article/2008/11/12/AR2008111200658.html >> > a) the drop in MTA-blocked Spam dropped since last _Friday_, 4 days > before the reported disconnection > b) the total amount of spam received by the MS box did NOT drop Friday > (though I did notice a decent amount of reduction since Wednesday ...) > > > -garry We are not seeing any benefit either. We have seen a %50 reduction in spam making it to MS but that is because we starting using SIP November 1st, Tuesday showed no decrease at all here. DAve -- The whole internet thing is sucking the life out of me, there ain't no pony in there. From Kit at simplysites.co.uk Thu Nov 13 14:55:15 2008 
From: Kit at simplysites.co.uk (Kit Wong) Date: Thu Nov 13 14:55:31 2008 Subject: SQLWhitelist for content.scanning.rules Message-ID: Hi All I was wondering whether there is a way to use &SQLWhitelist to skip scanning of messages? I currently have to manually put it in content.scanning.rules to skip scanning altogether. I have users that do not what any of their emails scanned when they send. In MailScanner.conf Is Definitely Not Spam = &SQLWhitelist Works fine But if I put Scan Message = &SQLWhitelist It doesn't work. The rules all look the same to me!! Does any have a modified pm file that will make this work> Kind Regards Kit Wong From devonharding at gmail.com Thu Nov 13 14:56:33 2008 From: devonharding at gmail.com (Devon Harding) Date: Thu Nov 13 14:56:43 2008 Subject: SARE Rules worth it? In-Reply-To: <72cf361e0811130011t67618addia6a65c7009f10473@mail.gmail.com> References: <2baac6140811121118s7156791cw9d2cb051eb842880@mail.gmail.com> <72cf361e0811130011t67618addia6a65c7009f10473@mail.gmail.com> Message-ID: <2baac6140811130656w36bc702ar6dbea4c2558343f6@mail.gmail.com> > > > > Definitely worth it, also consider the sought.cf ruleset and of course > running sa-update on a regular (daily) basis. > > -- > Martin Hepworth > Oxford, UK > Thanks, Which ones are a definite must have? -Devon From steve.freegard at fsl.com Thu Nov 13 15:09:01 2008 
From: steve.freegard at fsl.com (Steve Freegard) Date: Thu Nov 13 15:09:12 2008 Subject: testing rules sets with --value= In-Reply-To: <223f97700811130544k6d949eb4i7ea88953ac49f421@mail.gmail.com> References: <491C1C78.7050605@nerc.ac.uk> <491C2329.40002@fsl.com> <223f97700811130544k6d949eb4i7ea88953ac49f421@mail.gmail.com> Message-ID: <491C430D.8000601@fsl.com> Glenn Steen wrote: > I think the file enumerating the ... translation ... from "Human > Readable" to "Jules Readable"(:-) has been mentioned at least *some* > time... I'm not at even remotely close to any MS box ,,, Is it > ConfigDefs.pl? My memory isn't what it used to be:-). Yes - ConfigDefs.pl does the external to internal name translation (EtoI); but I didn't think it was worth mentioning as it confuses most people... > But as you say, Steve... One needn't bother with that, since all one > needs do is forget the whitespace from the lval in > MailScanner.conf:-). Yep - MailScanner will do the translation automagically ;-) Cheers, Steve. From J.Ede at birchenallhowden.co.uk Thu Nov 13 16:09:06 2008 From: J.Ede at birchenallhowden.co.uk (Jason Ede) Date: Thu Nov 13 16:09:42 2008 Subject: Releasing messages from quarantine In-Reply-To: <491A1F0C.7040800@fsl.com> References: <4919976F.5010201@gmail.com> <4919A819.8080206@fsl.com> <4CAB0118AEC63A4FAAE77E6BCBDF760C7939968D45@server02.bhl.local> <4919B343.50505@fsl.com> <4919BEE1.4050201@ecs.soton.ac.uk> <4919C1D9.9090601@fsl.com> <4919C96A.8090409@ecs.soton.ac.uk> <4919D462.5080007@fsl.com> <4919F69F.4000506@ecs.soton.ac.uk> <491A1F0C.7040800@fsl.com> Message-ID: <4CAB0118AEC63A4FAAE77E6BCBDF760C7952018B00@server02.bhl.local> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Steve Freegard > Sent: 12 November 2008 00:11 > To: MailScanner discussion > Subject: Re: Releasing messages from quarantine > > Julian Field wrote: > >> I can strip the Message-ID on my end and get the MTA to generate a > new > >> one automatically; but this is going to break threading as well. I > >> guess there is no clean way around this. > > > Absolutely. One of us has to break the threading, and I think the > repeat > > message sent at a later date should be the one to do it. Sorry to > give > > you more work... > > No problem - it wasn't even a one-line change ;-) Any chance can share the fix? Jason From telecaadmin at gmail.com Thu Nov 13 16:40:42 2008 From: telecaadmin at gmail.com (Ronny T. Lampert) Date: Thu Nov 13 16:43:42 2008 Subject: Releasing messages from quarantine In-Reply-To: <4919B343.50505@fsl.com> References: <4919976F.5010201@gmail.com> <4919A819.8080206@fsl.com> <4CAB0118AEC63A4FAAE77E6BCBDF760C7939968D45@server02.bhl.local> <4919B343.50505@fsl.com> Message-ID: <491C588A.3030908@gmail.com> > Certain mail servers (Exchange, Zimbra etc.) have duplicate message Exchange has the default of 1h to eliminate duplicates - so I just wait 1h before releasing the message (and this doesn't break threading, too :-) You could also lower that value (registry key). Cheers. From MailScanner at ecs.soton.ac.uk Thu Nov 13 16:57:35 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Nov 13 16:57:55 2008 Subject: SQLWhitelist for content.scanning.rules In-Reply-To: References: Message-ID: <491C5C7F.3030002@ecs.soton.ac.uk> On 13/11/08 14:55, Kit Wong wrote: > Hi All > I was wondering whether there is a way to use&SQLWhitelist to skip > scanning of messages? > > I currently have to manually put it in content.scanning.rules to skip > scanning altogether. I have users that do not what any of their emails > scanned when they send. > > In MailScanner.conf > Is Definitely Not Spam =&SQLWhitelist > Works fine > > But if I put > Scan Message =&SQLWhitelist > I assume your real conf file has Scan Messages = &SQLWhitelist in it, and not "Scan Message" ? And what do you mean by > It doesn't work. Have you tried evaluating the configuration option for various different addresses to see what it says? Start with "MailScanner --help" and use the command-line options to query the value for various different from addresses. Also, what did "MailScanner --lint" say? > The rules all look the same to me!! > Does any have a modified pm file that will make this work> > > Kind Regards > > Kit Wong > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From pippo at olidata.eu Thu Nov 13 17:17:36 2008 
From: pippo at olidata.eu (M Piceni) Date: Thu Nov 13 17:25:15 2008 Subject: MailScanner header tags added to message body References: <7A213AA442B273439E0162BEE06C8CF2310081@POSTA.olidata.it> Message-ID: I finally decided to reinstall my Ubuntu box from scratch, and now the problem is no longer present. I fear Linux is becoming too much Windows like..... Massimo. From Kit at simplysites.co.uk Thu Nov 13 17:40:56 2008 
From: Kit at simplysites.co.uk (Kit Wong) Date: Thu Nov 13 17:41:14 2008 Subject: SQLWhitelist for content.scanning.rules References: <491C5C7F.3030002@ecs.soton.ac.uk> Message-ID: On 13/11/08 14:55, Kit Wong wrote: > Hi All > I was wondering whether there is a way to use&SQLWhitelist to skip > scanning of messages? > > I currently have to manually put it in content.scanning.rules to skip > scanning altogether. I have users that do not what any of their emails > scanned when they send. > > In MailScanner.conf > Is Definitely Not Spam =&SQLWhitelist > Works fine > > But if I put > Scan Message =&SQLWhitelist > I assume your real conf file has Scan Messages = &SQLWhitelist in it, and not "Scan Message" ? And what do you mean by > It doesn't work. Have you tried evaluating the configuration option for various different addresses to see what it says? Start with "MailScanner --help" and use the command-line options to query the value for various different from addresses. Also, what did "MailScanner --lint" say? > The rules all look the same to me!! > Does any have a modified pm file that will make this work> > > Kind Regards > > Kit Wong > Jules -- Julian Field MEng CITP CEng www.MailScanner.info --------------------------------------------------------------------------- My real conf file has Scan Messages = content.scanning.rules which has been working fine. From:127.0.0.1no etc etc This skips any scanning from that ip. I am trying to use the MailWatch function &SQLWhitelist to skip scanning rather than whitelist. When I do change it to &SQLWhitelist no messages are scanned. They all get skipped. Hope this makes sense. TIA Kit Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc From hvdkooij at vanderkooij.org Thu Nov 13 17:43:25 2008 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Thu Nov 13 17:43:35 2008 Subject: MailScanner header tags added to message body In-Reply-To: References: <7A213AA442B273439E0162BEE06C8CF2310081@POSTA.olidata.it> Message-ID: <491C673D.6090603@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 M Piceni wrote: > I finally decided to reinstall my Ubuntu box from scratch, and now the > problem is no longer present. > I fear Linux is becoming too much Windows like..... Perhaps Unbuntu is. Just curious what this has to do with the subject at hand. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. Nid wyf yn y swyddfa ar hyn o bryd. Anfonwch unrhyw waith i'w gyfieithu. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFJHGc7BvzDRVjxmYERAi4DAJ0XHsdhd8yXZ4W0/q9RPTlToKksiACeNcPz skNlBaO89EkuOyTHNI1cJzw= =+RTH -----END PGP SIGNATURE----- From glenn.steen at gmail.com Thu Nov 13 19:10:40 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Nov 13 19:18:56 2008 Subject: MailScanner header tags added to message body In-Reply-To: References: <7A213AA442B273439E0162BEE06C8CF2310081@POSTA.olidata.it> Message-ID: <223f97700811131110t5a1663a1yc4d6e5aaa2268d6a@mail.gmail.com> 2008/11/13 M Piceni : > I finally decided to reinstall my Ubuntu box from scratch, and now the > problem is no longer present. > I fear Linux is becoming too much Windows like..... ... or just the people...:-) > Massimo. > > Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From maxsec at gmail.com Thu Nov 13 19:24:08 2008 
From: maxsec at gmail.com (Martin Hepworth) Date: Thu Nov 13 19:24:18 2008 Subject: SARE Rules worth it? In-Reply-To: <2baac6140811130656w36bc702ar6dbea4c2558343f6@mail.gmail.com> References: <2baac6140811121118s7156791cw9d2cb051eb842880@mail.gmail.com> <72cf361e0811130011t67618addia6a65c7009f10473@mail.gmail.com> <2baac6140811130656w36bc702ar6dbea4c2558343f6@mail.gmail.com> Message-ID: <72cf361e0811131124s1c82c5e0jf793946e09ce71c6@mail.gmail.com> 2008/11/13 Devon Harding : >> >> >> Definitely worth it, also consider the sought.cf ruleset and of course >> running sa-update on a regular (daily) basis. >> >> -- >> Martin Hepworth >> Oxford, UK > > Thanks, Which ones are a definite must have? > > -Devon > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > Very much dependent on your setup. I normally recommend just about all (and Jenifers rules in the other-rules section). Add then in one at a time and see how they help, if one makes little difference don't bother with it. -- Martin Hepworth Oxford, UK From ms-list at alexb.ch Thu Nov 13 19:41:20 2008 
From: ms-list at alexb.ch (Alex Broens) Date: Thu Nov 13 19:40:13 2008 Subject: SARE Rules worth it? In-Reply-To: <72cf361e0811131124s1c82c5e0jf793946e09ce71c6@mail.gmail.com> References: <2baac6140811121118s7156791cw9d2cb051eb842880@mail.gmail.com> <72cf361e0811130011t67618addia6a65c7009f10473@mail.gmail.com> <2baac6140811130656w36bc702ar6dbea4c2558343f6@mail.gmail.com> <72cf361e0811131124s1c82c5e0jf793946e09ce71c6@mail.gmail.com> Message-ID: <491C82E0.2000504@alexb.ch> On 11/13/2008 8:24 PM, Martin Hepworth wrote: > 2008/11/13 Devon Harding : >>> >>> Definitely worth it, also consider the sought.cf ruleset and of course >>> running sa-update on a regular (daily) basis. >>> >>> -- >>> Martin Hepworth >>> Oxford, UK >> Thanks, Which ones are a definite must have? >> >> -Devon >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> >> > > Very much dependent on your setup. I normally recommend just about all > (and Jenifers rules in the other-rules section). Add then in one at a > time and see how they help, if one makes little difference don't > bother with it. All means you have redundat... check the naming/numbering convention and the explanation. If you use SA 3.2.4 / 3.2.5 check my little http://www.rulesemporium.com/rules/90_2tld.cf need to know what it does? http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.txt Alex From gdm at linuxpro.co.za Thu Nov 13 19:52:43 2008 
From: gdm at linuxpro.co.za (Gregory Machin)
Date: Thu Nov 13 19:52:55 2008
Subject: how do i fix -- WARNING: Ignoring deprecated option
Message-ID: <30200a940811131152n2471d67ejf25b252b5b83dc3d@mail.gmail.com>

hi
I have got Mailscanner up and limping I'm now faced with the following
errors in the log files :

Nov 13 21:41:06 spam11 MailScanner[7309]: Virus and Content Scanning: Starting
Nov 13 21:41:06 spam11 MailScanner[7309]: WARNING: Ignoring deprecated option --unzip
Nov 13 21:41:06 spam11 MailScanner[7309]: WARNING: Ignoring deprecated option --jar
Nov 13 21:41:06 spam11 MailScanner[7309]: WARNING: Ignoring deprecated option --tar
Nov 13 21:41:06 spam11 MailScanner[7309]: WARNING: Ignoring deprecated option --tgz
Nov 13 21:41:06 spam11 MailScanner[7309]: WARNING: Ignoring deprecated option --deb
Nov 13 21:41:06 spam11 MailScanner[7309]: WARNING: Ignoring deprecated option --max-ratio

[root@spam11 MailScanner]# clamd -V
ClamAV 0.94.1/8628/Thu Nov 13 17:57:02 2008

MailScanner-4.55.9-1
Mail-SpamAssassin-3.1.4.tar.bz2
spamassassin-3.1.4-1.i386.rpm

of fc8 I386

What do I do to fix this ?

Thanks in advance
Greg

From maxsec at gmail.com Thu Nov 13 20:32:05 2008
From: maxsec at gmail.com (Martin Hepworth) Date: Thu Nov 13 20:32:15 2008 Subject: how do i fix -- WARNING: Ignoring deprecated option In-Reply-To: <30200a940811131152n2471d67ejf25b252b5b83dc3d@mail.gmail.com> References: <30200a940811131152n2471d67ejf25b252b5b83dc3d@mail.gmail.com> Message-ID: <72cf361e0811131232saa93130p4f96a644b526b5ea@mail.gmail.com> greg use a modern version of mailscanner than supports clamd. I guess you're using debian? I wonder why clamav is upto date when everything else is years old? -- martin 2008/11/13 Gregory Machin : > hi > I have got Mailscanner up and limping I'm now faced with the following > errors in the log files : > > > Nov 13 21:41:06 spam11 MailScanner[7309]: Virus and Content Scanning: Starting > Nov 13 21:41:06 spam11 MailScanner[7309]: WARNING: Ignoring deprecated > option --unzip > Nov 13 21:41:06 spam11 MailScanner[7309]: WARNING: Ignoring deprecated > option --jar > Nov 13 21:41:06 spam11 MailScanner[7309]: WARNING: Ignoring deprecated > option --tar > Nov 13 21:41:06 spam11 MailScanner[7309]: WARNING: Ignoring deprecated > option --tgz > Nov 13 21:41:06 spam11 MailScanner[7309]: WARNING: Ignoring deprecated > option --deb > Nov 13 21:41:06 spam11 MailScanner[7309]: WARNING: Ignoring deprecated > option --max-ratio > > > [root@spam11 MailScanner]# clamd -V > ClamAV 0.94.1/8628/Thu Nov 13 17:57:02 2008 > > MailScanner-4.55.9-1 > Mail-SpamAssassin-3.1.4.tar.bz2 > spamassassin-3.1.4-1.i386.rpm > > of fc8 I386 > > What do I do to fix this ? > > Thanks in advance > Greg > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- Martin Hepworth Oxford, UK From MailScanner at ecs.soton.ac.uk Fri Nov 14 10:03:29 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Nov 14 10:03:48 2008 Subject: SQLWhitelist for content.scanning.rules In-Reply-To: References: <491C5C7F.3030002@ecs.soton.ac.uk> Message-ID: <491D4CF1.70107@ecs.soton.ac.uk> On 13/11/08 17:40, Kit Wong wrote: > > > On 13/11/08 14:55, Kit Wong wrote: > >> Hi All >> I was wondering whether there is a way to use&SQLWhitelist to skip >> scanning of messages? >> >> I currently have to manually put it in content.scanning.rules to skip >> scanning altogether. I have users that do not what any of their emails >> scanned when they send. >> >> In MailScanner.conf >> Is Definitely Not Spam =&SQLWhitelist >> Works fine >> >> But if I put >> Scan Message =&SQLWhitelist >> >> > I assume your real conf file has > Scan Messages =&SQLWhitelist > in it, and not "Scan Message" ? > > And what do you mean by > >> It doesn't work. >> > Have you tried evaluating the configuration option for various different > addresses to see what it says? Start with "MailScanner --help" and use > the command-line options to query the value for various different from > addresses. > > Also, what did "MailScanner --lint" say? > >> The rules all look the same to me!! >> Does any have a modified pm file that will make this work> >> >> Kind Regards >> >> Kit Wong >> >> > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > --------------------------------------------------------------------------- > > My real conf file has Scan Messages = content.scanning.rules > That's wrong, you haven't told it the directory name. It should say Scan Messages = %rules-dir%/content.scanning.rules > which has been working fine. > From:127.0.0.1no > They don't need to be tabs. The only time you need tabs is in filename.rules.conf and filetype.rules.conf. > etc > etc > > This skips any scanning from that ip. > > I am trying to use the MailWatch function&SQLWhitelist to skip scanning rather than whitelist. 
> > When I do change it to&SQLWhitelist no messages are scanned. They all get skipped. > > Hope this makes sense. > > TIA > > Kit > > > > > > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > PGP public key: http://www.jules.fm/julesfm.asc > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > Scanned by MailScanner. > > > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Fri Nov 14 10:06:11 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Nov 14 10:06:32 2008
Subject: how do i fix -- WARNING: Ignoring deprecated option
In-Reply-To: <30200a940811131152n2471d67ejf25b252b5b83dc3d@mail.gmail.com>
References: <30200a940811131152n2471d67ejf25b252b5b83dc3d@mail.gmail.com>
Message-ID: <491D4D93.50004@ecs.soton.ac.uk>

From the ChangeLog from the latest release of MailScanner:

1/11/2008 New in Version 4.72.5-1
=================================
* New Features and Improvements *
1 Added support for ClamAV 0.94. Note that this has necessitated removal of
  complete support for earlier versions of ClamAV as the command-line
  settings are incompatible. So only use this version if you have upgraded
  to the latest ClamAV 0.94.

So if you are using ClamAV 0.94, you need to be using at least
MailScanner 4.72.5.

On 13/11/08 19:52, Gregory Machin wrote:
> hi
> I have got Mailscanner up and limping I'm now faced with the following
> errors in the log files :
>
>
> Nov 13 21:41:06 spam11 MailScanner[7309]: Virus and Content Scanning: Starting
> Nov 13 21:41:06 spam11 MailScanner[7309]: WARNING: Ignoring deprecated
> option --unzip
> Nov 13 21:41:06 spam11 MailScanner[7309]: WARNING: Ignoring deprecated
> option --jar
> Nov 13 21:41:06 spam11 MailScanner[7309]: WARNING: Ignoring deprecated
> option --tar
> Nov 13 21:41:06 spam11 MailScanner[7309]: WARNING: Ignoring deprecated
> option --tgz
> Nov 13 21:41:06 spam11 MailScanner[7309]: WARNING: Ignoring deprecated
> option --deb
> Nov 13 21:41:06 spam11 MailScanner[7309]: WARNING: Ignoring deprecated
> option --max-ratio
>
>
> [root@spam11 MailScanner]# clamd -V
> ClamAV 0.94.1/8628/Thu Nov 13 17:57:02 2008
>
> MailScanner-4.55.9-1
> Mail-SpamAssassin-3.1.4.tar.bz2
> spamassassin-3.1.4-1.i386.rpm
>
> of fc8 I386
>
> What do I do to fix this ?
>
> Thanks in advance
> Greg
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From jlcostinha at halla.pt Fri Nov 14 10:33:01 2008 From: jlcostinha at halla.pt (Jorge Luis Costinha) Date: Fri Nov 14 10:33:14 2008 Subject: how to block all email sent to outside email account? Message-ID: <491D53DD.9030401@halla.pt> Hello all, i wish to prevent outgoing email to a specific outside world account. I try to use the blacklist feature on MailScanner, but only works from incoming email to be delivery on internal accounts... i also try to catch outgoing emails with procmail, without success... here's what i try to do: on /etc/procmailrc added: :0 * To()emailaccount@domain\.com \dev\nul again this only works with incoming email... not outgoing email.. just like mailscanner blacklists... any ideia on how can i do this? perhaps on MTA level, how? my system specs: CentOS 5.2 MailScanner 4.65.3 Sendmail 8.14.1 Thanks in Advance. Jorge -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081114/ba32f3fb/attachment.html From Kit at simplysites.co.uk Fri Nov 14 10:35:27 2008 
From: Kit at simplysites.co.uk (Kit Wong) Date: Fri Nov 14 10:35:44 2008 Subject: SQLWhitelist for content.scanning.rules In-Reply-To: <491D4CF1.70107@ecs.soton.ac.uk> References: <491C5C7F.3030002@ecs.soton.ac.uk> <491D4CF1.70107@ecs.soton.ac.uk> Message-ID: On 13/11/08 17:40, Kit Wong wrote: > > > On 13/11/08 14:55, Kit Wong wrote: > >> Hi All >> I was wondering whether there is a way to use&SQLWhitelist to skip >> scanning of messages? >> >> I currently have to manually put it in content.scanning.rules to skip >> scanning altogether. I have users that do not what any of their emails >> scanned when they send. >> >> In MailScanner.conf >> Is Definitely Not Spam =&SQLWhitelist >> Works fine >> >> But if I put >> Scan Message =&SQLWhitelist >> >> > I assume your real conf file has > Scan Messages =&SQLWhitelist > in it, and not "Scan Message" ? > > And what do you mean by > >> It doesn't work. >> > Have you tried evaluating the configuration option for various different > addresses to see what it says? Start with "MailScanner --help" and use > the command-line options to query the value for various different from > addresses. > > Also, what did "MailScanner --lint" say? > >> The rules all look the same to me!! >> Does any have a modified pm file that will make this work> >> >> Kind Regards >> >> Kit Wong >> >> > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > ------------------------------------------------------------------------ --- > > My real conf file has Scan Messages = content.scanning.rules > That's wrong, you haven't told it the directory name. It should say Scan Messages = %rules-dir%/content.scanning.rules > which has been working fine. > From:127.0.0.1no > They don't need to be tabs. The only time you need tabs is in filename.rules.conf and filetype.rules.conf. > etc > etc > > This skips any scanning from that ip. > > I am trying to use the MailWatch function&SQLWhitelist to skip scanning rather than whitelist. 
> > When I do change it to&SQLWhitelist no messages are scanned. They all get skipped. > > Hope this makes sense. > > TIA > > Kit > > > > > > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > PGP public key: http://www.jules.fm/julesfm.asc > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > Scanned by MailScanner. > > > > Jules -----snip---- Hi Julian Sorry about this, I do have it configured as you described. What I am trying to do is use the whitelist created within MailWatch. This is accessed via &SQLWhitelist in the MailScanner.conf. The whitelist works fine when its used where its supposed to be, ie Is Definitely not spam = &SQLWhitelist But when I use to at Scan Messages = &SQLWhitelist It doesn't scan any messages. Just wondering if it is possible to not scan messages in the whitelist rather than scanning them but never marking them as spam. (since whitelist still gets scanned for viruses and filenames etc). Thanks again Kit From maxsec at gmail.com Fri Nov 14 10:48:43 2008 
From: maxsec at gmail.com (Martin Hepworth) Date: Fri Nov 14 10:48:52 2008 Subject: how to block all email sent to outside email account? In-Reply-To: <491D53DD.9030401@halla.pt> References: <491D53DD.9030401@halla.pt> Message-ID: <72cf361e0811140248q17c832e8k39f7c7ef27422adc@mail.gmail.com> 2008/11/14 Jorge Luis Costinha : > Hello all, > > > i wish to prevent outgoing email to a specific outside world > account. I try to use the blacklist feature on MailScanner, but only works > from incoming email to be delivery on internal accounts... i also try to > catch outgoing emails with procmail, without success... > > here's what i try to do: > > on /etc/procmailrc added: > > :0 > * To()emailaccount@domain\.com > \dev\nul > > again this only works with incoming email... not outgoing email.. just like > mailscanner blacklists... > > any ideia on how can i do this? perhaps on MTA level, how? > > my system specs: > > CentOS 5.2 > MailScanner 4.65.3 > Sendmail 8.14.1 > > > Thanks in Advance. > > Jorge > ________________________________ > This message has been scanned for viruses and dangerous content by HCC > MailScanner, and is believed to be clean. > Server: mx.halla.pt (mailbox) > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > HI if you're scanning outgoing email with MailScanner shouldn't be a problem. Also means you can put in the annoying corporate footer, use watermarking for anti-joe jobbing etc. -- Martin Hepworth Oxford, UK From steve.freegard at fsl.com Fri Nov 14 11:19:43 2008 
From: steve.freegard at fsl.com (Steve Freegard)
Date: Fri Nov 14 11:20:06 2008
Subject: SQLWhitelist for content.scanning.rules
In-Reply-To:
References: <491C5C7F.3030002@ecs.soton.ac.uk> <491D4CF1.70107@ecs.soton.ac.uk>
Message-ID: <491D5ECF.9080505@fsl.com>

Kit Wong wrote:
> Sorry about this, I do have it configured as you described. What I am
> trying to do is use the whitelist created within MailWatch. This is
> accessed via &SQLWhitelist in the MailScanner.conf.
>
> The whitelist works fine when its used where its supposed to be, ie
> Is Definitely not spam = &SQLWhitelist
>
> But when I use to at
> Scan Messages = &SQLWhitelist
> It doesn't scan any messages.

Well thinking about it the reason is obvious:

Value   Is Definitely Not Spam   Scan Messages
yes     Whitelisted              Message is scanned
no      Not whitelisted          Message is not scanned

The logic for the options is inverted - so if you want to use
SQLWhiteList for Scan Messages instead you will have to invert the
return codes.

In SQLWhitelist - change all occurrences of 'return 1' to 'return 0' and
all occurrences of 'return 0' to 'return 1' and it will work correctly.

> Just wondering if it is possible to not scan messages in the whitelist
> rather than scanning them but never marking them as spam. (since
> whitelist still gets scanned for viruses and filenames etc).

Personally - I think that's a really bad idea; it lets your users
side-step any rules that you have in-place for their/your own safety.

Regards,
Steve.

From maillists at conactive.com Fri Nov 14 12:31:26 2008
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri Nov 14 12:31:37 2008
Subject: how do i fix -- WARNING: Ignoring deprecated option
In-Reply-To: <491D4D93.50004@ecs.soton.ac.uk>
References: <30200a940811131152n2471d67ejf25b252b5b83dc3d@mail.gmail.com> <491D4D93.50004@ecs.soton.ac.uk>
Message-ID:

Julian Field wrote on Fri, 14 Nov 2008 10:06:11 +0000:

> So if you are using ClamAV 0.94, you need to be using at least
> MailScanner 4.72.5.

apparently not if you use clamd.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From campbell at cnpapers.com Fri Nov 14 13:56:14 2008
From: campbell at cnpapers.com (Steve Campbell) Date: Fri Nov 14 13:56:28 2008 Subject: SARE Rules worth it? In-Reply-To: <72cf361e0811130011t67618addia6a65c7009f10473@mail.gmail.com> References: <2baac6140811121118s7156791cw9d2cb051eb842880@mail.gmail.com> <72cf361e0811130011t67618addia6a65c7009f10473@mail.gmail.com> Message-ID: <491D837E.3090301@cnpapers.com> Martin Hepworth wrote: > 2008/11/12 Devon Harding : > >> Is using the SARE rules in spamassassin still worth it? I'm still getting >> quite a few obvious spam coming through and bayes is not cutting it. I'm >> running MS 4.72 with SA 3.2.5 and all out of ideas. Any thoughts? >> >> -Devon >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> >> >> > > Definitely worth it, also consider the sought.cf ruleset and of course > running sa-update on a regular (daily) basis. > > After visiting the taint.org site, and reviewing the sought.cf stuff, can someone explain to me whether I should somehow integrate this into my sa-update script that I already have, or whether I am supposed to use the script as standalone that the website provides. Thanks Steve Campbell From campbell at cnpapers.com Fri Nov 14 14:07:00 2008 
From: campbell at cnpapers.com (Steve Campbell) Date: Fri Nov 14 14:07:14 2008 Subject: SARE Rules worth it? In-Reply-To: <491D837E.3090301@cnpapers.com> References: <2baac6140811121118s7156791cw9d2cb051eb842880@mail.gmail.com> <72cf361e0811130011t67618addia6a65c7009f10473@mail.gmail.com> <491D837E.3090301@cnpapers.com> Message-ID: <491D8604.9050300@cnpapers.com> I think I found the answer in update_spamassassin - at least a leader to the answer. Steve Steve Campbell wrote: > > > Martin Hepworth wrote: >> 2008/11/12 Devon Harding : >> >>> Is using the SARE rules in spamassassin still worth it? I'm still >>> getting >>> quite a few obvious spam coming through and bayes is not cutting >>> it. I'm >>> running MS 4.72 with SA 3.2.5 and all out of ideas. Any thoughts? >>> >>> -Devon >>> >>> -- >>> MailScanner mailing list >>> mailscanner@lists.mailscanner.info >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>> >>> Before posting, read http://wiki.mailscanner.info/posting >>> >>> Support MailScanner development - buy the book off the website! >>> >>> >>> >> >> Definitely worth it, also consider the sought.cf ruleset and of course >> running sa-update on a regular (daily) basis. >> >> > After visiting the taint.org site, and reviewing the sought.cf stuff, > can someone explain to me whether I should somehow integrate this into > my sa-update script that I already have, or whether I am supposed to > use the script as standalone that the website provides. > > Thanks > > Steve Campbell > From Kit at simplysites.co.uk Fri Nov 14 14:13:26 2008 
From: Kit at simplysites.co.uk (Kit Wong)
Date: Fri Nov 14 14:13:42 2008
Subject: SQLWhitelist for content.scanning.rules
In-Reply-To: <491D5ECF.9080505@fsl.com>
References: <491C5C7F.3030002@ecs.soton.ac.uk> <491D4CF1.70107@ecs.soton.ac.uk> <491D5ECF.9080505@fsl.com>
Message-ID:

Hi Steve

Thank you, it works. I had to disable &SQLBlacklist otherwise everything
was marked as blacklisted.

Thanks again
Kit

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steve Freegard
Sent: 14 November 2008 11:20
To: MailScanner discussion
Subject: Re: SQLWhitelist for content.scanning.rules

Kit Wong wrote:
> Sorry about this, I do have it configured as you described. What I am
> trying to do is use the whitelist created within MailWatch. This is
> accessed via &SQLWhitelist in the MailScanner.conf.
>
> The whitelist works fine when its used where its supposed to be, ie
> Is Definitely not spam = &SQLWhitelist
>
> But when I use to at
> Scan Messages = &SQLWhitelist
> It doesn't scan any messages.

Well thinking about it the reason is obvious:

Value   Is Definitely Not Spam   Scan Messages
yes     Whitelisted              Message is scanned
no      Not whitelisted          Message is not scanned

The logic for the options is inverted - so if you want to use
SQLWhiteList for Scan Messages instead you will have to invert the
return codes.

In SQLWhitelist - change all occurrences of 'return 1' to 'return 0' and
all occurrences of 'return 0' to 'return 1' and it will work correctly.

> Just wondering if it is possible to not scan messages in the whitelist
> rather than scanning them but never marking them as spam. (since
> whitelist still gets scanned for viruses and filenames etc).

Personally - I think that's a really bad idea; it lets your users
side-step any rules that you have in-place for their/your own safety.

Regards,
Steve.
--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

--
Scanned by MailScanner.

No virus found in this incoming message.
Checked by AVG - http://www.avg.com
Version: 8.0.175 / Virus Database: 270.9.2/1783 - Release Date: 13/11/2008 18:01

From jeffrey at life.illinois.edu Fri Nov 14 14:18:29 2008
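The inverted return values Steve Freegard describes, and the blacklist side effect Kit Wong reports after applying the change, modelled as a stand-alone Perl script. This is an added example, not MailWatch or MailScanner code: it assumes &SQLWhitelist and &SQLBlacklist share one lookup routine, and the body of `LookupList`, the wrapper name `SQLScanMessages` and all addresses are hypothetical or constructed. A separate inverting wrapper for Scan Messages leaves both lists untouched; as Steve notes, any sender it exempts also bypasses the virus and filename checks.

```perl
#!/usr/bin/perl
# Added illustration; not MailWatch's SQLBlackWhiteList.pm.
use strict;
use warnings;

# Constructed sample data standing in for the MailWatch SQL tables:
# list name -> recipient ('default' = everyone) -> sender address or IP.
my %List = (
    whitelist => { 'default' => { 'trusted@example.org' => 1, '127.0.0.1' => 1 } },
    blacklist => { 'default' => { 'spammer@example.net' => 1 } },
);

# ASSUMPTION: one lookup routine serves both lists. Returns 1 when the
# sender address or client IP is on the named list, 0 otherwise.
sub LookupList {
    my ($message, $which) = @_;
    return 0 unless $message;
    my $from = lc $message->{from};
    my $ip   = $message->{clientip};
    my @recipients = ('default');
    push @recipients, lc($_) for @{ $message->{to} };
    foreach my $to (@recipients) {
        my $entries = $List{$which}{$to} or next;
        return 1 if $entries->{$from} || $entries->{$ip};
    }
    return 0;
}

# Is Definitely Not Spam = &SQLWhitelist   (1 means "whitelisted")
sub SQLWhitelist { my ($message) = @_; return LookupList($message, 'whitelist'); }

# Is Definitely Spam = &SQLBlacklist       (1 means "blacklisted")
sub SQLBlacklist { my ($message) = @_; return LookupList($message, 'blacklist'); }

# What swapping every 'return 1' and 'return 0' inside the shared routine
# does: the answer is inverted for the blacklist as well.
sub LookupListFlipped {
    my ($message, $which) = @_;
    return LookupList($message, $which) ? 0 : 1;
}

# Hypothetical wrapper: Scan Messages = &SQLScanMessages
# For this option 1 means "scan", so only the whitelist answer is inverted
# here and the shared lookup stays as it was. (MailScanner custom functions
# conventionally come with Init.../End... routines, omitted in this model.)
sub SQLScanMessages {
    my ($message) = @_;
    return SQLWhitelist($message) ? 0 : 1;
}

# Constructed sample messages (documentation addresses and IP ranges).
my @messages = (
    { from => 'trusted@example.org',  to => ['user@example.com'], clientip => '192.0.2.10' },
    { from => 'bounces@example.com',  to => ['user@example.com'], clientip => '127.0.0.1'  },
    { from => 'stranger@example.com', to => ['user@example.com'], clientip => '192.0.2.20' },
    { from => 'spammer@example.net',  to => ['user@example.com'], clientip => '192.0.2.30' },
);

printf "%-22s %-6s %-6s %-5s %s\n",
    'sender', 'white', 'black', 'scan', 'black (flipped lookup)';
foreach my $m (@messages) {
    printf "%-22s %-6d %-6d %-5d %d\n",
        $m->{from},
        SQLWhitelist($m),
        SQLBlacklist($m),
        SQLScanMessages($m),
        LookupListFlipped($m, 'blacklist');
}
```

The last column is the reason to prefer a wrapper over editing the shared routine: with the flipped lookup, every sender that is not on the blacklist is reported as blacklisted.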
From: jeffrey at life.illinois.edu (Jeffrey Haas)
Date: Fri Nov 14 14:18:41 2008
Subject: Mailscanner child freezes
Message-ID: <491D88B5.4090804@life.illinois.edu>

I'm having trouble with a MailScanner child process freezing up. If
anyone has any suggestions on how to investigate this, I'd be grateful.

On Tuesday, I upgraded a MailScanner/ClamAV installation to the latest
versions hoping to get past the recently announced buffer overflow in
ClamAV. I installed using the .tgz files for MailScanner &
SpamAssassin/ClamAV on the mailscanner.info. I configured MailScanner to
use clamd. Everything went well at the time (as it usually does - thanks
Julian!).

However this morning, I found that MailScanner had stopped processing
mail. I was in a bit of a panic at the time, so I simply restarted
MailScanner, and some mail started flowing, but then things froze up
again. I was thinking that there was a message that was gumming up the
works somewhere, so I set in MailScanner.conf:

#Max Unscanned Messages Per Scan = 30
#Max Unsafe Messages Per Scan = 30
Max Unscanned Messages Per Scan = 1
Max Unsafe Messages Per Scan = 1

That kept the good mail from getting tangled up with the bad.

Running 'ps auwx|grep MailScanner', I find:

postfix 31809  0.0 0.4 25616 20088 ? Ss 17:59   0:00 MailScanner: starting child
postfix 31810 95.1 1.1 50884 47328 ? R  17:59 333:13 MailScanner: cleaning messages
postfix 21305  0.0 1.2 56152 51988 ? S  22:02   0:03 MailScanner: waiting for messages
...

Process 31810 picks up a message to clean, but can't complete for some
reason. Inspecting /var/spool/MailScanner/incoming, I can see the
contents of the message. It is a bounce message from a Mailman list
which contains an attachment, 'text.zip'. I can run clamscan manually on
the files extracted from the message and it reports 'Worm.Mydoom.M FOUND'.

I thought perhaps this was an issue with clamd, since that is a bit new
to me. (I've used the Mail::ClamAV module for many years.) So, I
reconfigured to 'Virus Scanners = clamav' to have MailScanner invoke
clamscan. I still get the same behavior with that. One child process
grabs the troublesome message, and then stays in the 'cleaning messages'
state indefinitely. The CPU utilization is 100% for that process. I've
left it running for about 6 hours now, but there's no change.

I think my freeze up of the entire server this morning was perhaps, all
of the children (5) getting tied up in this way.

This is an Ubuntu 7.10 system with postfix 2.4.5 & perl 5.8.8 installed
from .deb packages. I think everything else of importance came from the
.tgz files.

The last messages from process 31810 are:

Nov 13 17:59:17 les MailScanner[31810]: MailScanner E-Mail Virus Scanner version 4.72.5 starting...
Nov 13 17:59:17 les MailScanner[31810]: SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp
Nov 13 17:59:17 les MailScanner[31810]: Using SpamAssassin results cache
Nov 13 17:59:17 les MailScanner[31810]: Connected to SpamAssassin cache database
Nov 13 17:59:17 les MailScanner[31810]: Expired 6 records from the SpamAssassin cache
Nov 13 17:59:18 les MailScanner[31810]: Using locktype = flock
Nov 13 17:59:18 les MailScanner[31810]: New Batch: Found 40 messages waiting
Nov 13 17:59:18 les MailScanner[31810]: New Batch: Scanning 1 messages, 45362 bytes
Nov 13 17:59:18 les MailScanner[31810]: Spam Checks: Starting
Nov 13 17:59:18 les MailScanner[31810]: Message 2D5154E85A3.D9D39 from 127.0.0.1 (mailman-bounces@life.illinois.edu) is whitelisted
Nov 13 17:59:18 les MailScanner[31810]: SpamAssassin cache hit for message 2D5154E85A3.D9D39
Nov 13 17:59:18 les MailScanner[31810]: Message 2D5154E85A3.D9D39 from 127.0.0.1 (mailman-bounces@life.illinois.edu) to uiuc.edu is not spam (whitelisted), SpamAssassin (cached, score=-1.44, required 6, autolearn=not spam, ALL_TRUSTED -1.44)
Nov 13 17:59:18 les MailScanner[31810]: Filename Checks: Possible MS-Dos program shortcut attack (2D5154E85A3.D9D39 text.htm .pif)
Nov 13 17:59:18 les MailScanner[31810]: Filetype Checks: No executables (2D5154E85A3.D9D39 text.htm .pif)
Nov 13 17:59:18 les MailScanner[31810]: Other Checks: Found 2 problems
Nov 13 17:59:18 les MailScanner[31810]: Virus and Content Scanning: Starting
Nov 13 17:59:19 les MailScanner[31810]: ./2D5154E85A3.D9D39.message: Worm.Mydoom.M FOUND
Nov 13 17:59:19 les MailScanner[31810]: ./2D5154E85A3.D9D39/text1.zip: Worm.Mydoom.M FOUND
Nov 13 17:59:19 les MailScanner[31810]: ./2D5154E85A3.D9D39/text.htm.pif: Worm.Mydoom.M FOUND
Nov 13 17:59:19 les MailScanner[31810]: ./2D5154E85A3.D9D39/text.zip: Worm.Mydoom.M FOUND
Nov 13 17:59:20 les MailScanner[31810]: Virus Scanning: ClamAV found 4 infections

Any ideas how to prevent this from happening?

Thanks for any suggestions.

----------------------------------------------------------------------
Jeffrey Haas
Director - Office of Information Technology
Life Sciences - University of Illinois at Urbana-Champaign
----------------------------------------------------------------------

From gdm at linuxpro.co.za Fri Nov 14 14:21:55 2008
From: gdm at linuxpro.co.za (Gregory Machin)
Date: Fri Nov 14 14:22:05 2008
Subject: how do i fix -- WARNING: Ignoring deprecated option
In-Reply-To:
References: <30200a940811131152n2471d67ejf25b252b5b83dc3d@mail.gmail.com> <491D4D93.50004@ecs.soton.ac.uk>
Message-ID: <30200a940811140621h6418f65aq747318175f8211ac@mail.gmail.com>

Fixed I upgraded everything to the latest version .

On Fri, Nov 14, 2008 at 2:31 PM, Kai Schaetzl wrote:
> Julian Field wrote on Fri, 14 Nov 2008 10:06:11 +0000:
>
>
>> So if you are using ClamAV 0.94, you need to be using at least
>> MailScanner 4.72.5.
>
> apparently not if you use clamd.
>
> Kai
>
> --
> Kai Schätzl, Berlin, Germany
> Get your web at Conactive Internet Services: http://www.conactive.com
>
>
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

From maillists at conactive.com Fri Nov 14 16:31:21 2008
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri Nov 14 16:31:35 2008
Subject: how do i fix -- WARNING: Ignoring deprecated option
In-Reply-To: <30200a940811140621h6418f65aq747318175f8211ac@mail.gmail.com>
References: <30200a940811131152n2471d67ejf25b252b5b83dc3d@mail.gmail.com> <491D4D93.50004@ecs.soton.ac.uk> <30200a940811140621h6418f65aq747318175f8211ac@mail.gmail.com>
Message-ID:

Gregory Machin wrote on Fri, 14 Nov 2008 16:21:55 +0200:

> Fixed I upgraded everything to the latest version .

You should have replied directly to the message from Jules as you
weren't replying to me.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maxsec at gmail.com Fri Nov 14 18:05:16 2008
From: maxsec at gmail.com (Martin Hepworth) Date: Fri Nov 14 18:05:25 2008 Subject: SARE Rules worth it? In-Reply-To: <491D837E.3090301@cnpapers.com> References: <2baac6140811121118s7156791cw9d2cb051eb842880@mail.gmail.com> <72cf361e0811130011t67618addia6a65c7009f10473@mail.gmail.com> <491D837E.3090301@cnpapers.com> Message-ID: <72cf361e0811141005h33f0e3ffs825b2f116de96fbd@mail.gmail.com> 2008/11/14 Steve Campbell : > > > Martin Hepworth wrote: >> >> 2008/11/12 Devon Harding : >> >>> >>> Is using the SARE rules in spamassassin still worth it? I'm still >>> getting >>> quite a few obvious spam coming through and bayes is not cutting it. I'm >>> running MS 4.72 with SA 3.2.5 and all out of ideas. Any thoughts? >>> >>> -Devon >>> >>> -- >>> MailScanner mailing list >>> mailscanner@lists.mailscanner.info >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>> >>> Before posting, read http://wiki.mailscanner.info/posting >>> >>> Support MailScanner development - buy the book off the website! >>> >>> >>> >> >> Definitely worth it, also consider the sought.cf ruleset and of course >> running sa-update on a regular (daily) basis. >> >> > > After visiting the taint.org site, and reviewing the sought.cf stuff, can > someone explain to me whether I should somehow integrate this into my > sa-update script that I already have, or whether I am supposed to use the > script as standalone that the website provides. > > Thanks > > Steve Campbell > steve the taint.org site tells you how to install the gpg key into sa-update and use sa-update to update it regularly. http://taint.org/2007/08/15/004348a.html -- Martin Hepworth Oxford, UK From campbell at cnpapers.com Fri Nov 14 18:37:35 2008 
From: campbell at cnpapers.com (Steve Campbell) Date: Fri Nov 14 18:37:53 2008 Subject: SARE Rules worth it? In-Reply-To: <72cf361e0811141005h33f0e3ffs825b2f116de96fbd@mail.gmail.com> References: <2baac6140811121118s7156791cw9d2cb051eb842880@mail.gmail.com> <72cf361e0811130011t67618addia6a65c7009f10473@mail.gmail.com> <491D837E.3090301@cnpapers.com> <72cf361e0811141005h33f0e3ffs825b2f116de96fbd@mail.gmail.com> Message-ID: <491DC56F.3070506@cnpapers.com> Martin Hepworth wrote: > 2008/11/14 Steve Campbell : > >> Martin Hepworth wrote: >> >>> 2008/11/12 Devon Harding : >>> >>> >>>> Is using the SARE rules in spamassassin still worth it? I'm still >>>> getting >>>> quite a few obvious spam coming through and bayes is not cutting it. I'm >>>> running MS 4.72 with SA 3.2.5 and all out of ideas. Any thoughts? >>>> >>>> -Devon >>>> >>>> -- >>>> MailScanner mailing list >>>> mailscanner@lists.mailscanner.info >>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>>> >>>> Before posting, read http://wiki.mailscanner.info/posting >>>> >>>> Support MailScanner development - buy the book off the website! >>>> >>>> >>>> >>>> >>> Definitely worth it, also consider the sought.cf ruleset and of course >>> running sa-update on a regular (daily) basis. >>> >>> >>> >> After visiting the taint.org site, and reviewing the sought.cf stuff, can >> someone explain to me whether I should somehow integrate this into my >> sa-update script that I already have, or whether I am supposed to use the >> script as standalone that the website provides. >> >> Thanks >> >> Steve Campbell >> >> > > steve > > the taint.org site tells you how to install the gpg key into sa-update > and use sa-update to update it regularly. > > http://taint.org/2007/08/15/004348a.html > Thanks Martin, The problem is that there is fuzziness in my mind again. Mailscanner (I think by way of Julian's SA install.sh) places a script in cron.daily called update_spamassassin that calls sa-update. 
It makes reference someplace to review /etc/sysconfig/MailScanner for additions to the default. I can't remember where I saw that. So, do I run the example from taint.org as a standalone call from my crontab, or do I add something somewhere so that the update_spamassassin script incorporates the stuff from the taint page, and where and how do I do that?

steve

From campbell at cnpapers.com Fri Nov 14 19:28:09 2008
From: campbell at cnpapers.com (Steve Campbell) Date: Fri Nov 14 19:28:26 2008 Subject: SARE Rules worth it? In-Reply-To: <491DC56F.3070506@cnpapers.com> References: <2baac6140811121118s7156791cw9d2cb051eb842880@mail.gmail.com> <72cf361e0811130011t67618addia6a65c7009f10473@mail.gmail.com> <491D837E.3090301@cnpapers.com> <72cf361e0811141005h33f0e3ffs825b2f116de96fbd@mail.gmail.com> <491DC56F.3070506@cnpapers.com> Message-ID: <491DD149.3080103@cnpapers.com> Steve Campbell wrote: > > > Martin Hepworth wrote: >> 2008/11/14 Steve Campbell : >> >>> Martin Hepworth wrote: >>> >>>> 2008/11/12 Devon Harding : >>>> >>>> >>>>> Is using the SARE rules in spamassassin still worth it? I'm still >>>>> getting >>>>> quite a few obvious spam coming through and bayes is not cutting >>>>> it. I'm >>>>> running MS 4.72 with SA 3.2.5 and all out of ideas. Any thoughts? >>>>> >>>>> -Devon >>>>> >>>>> -- >>>>> MailScanner mailing list >>>>> mailscanner@lists.mailscanner.info >>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>>>> >>>>> Before posting, read http://wiki.mailscanner.info/posting >>>>> >>>>> Support MailScanner development - buy the book off the website! >>>>> >>>>> >>>>> >>>>> >>>> Definitely worth it, also consider the sought.cf ruleset and of course >>>> running sa-update on a regular (daily) basis. >>>> >>>> >>>> >>> After visiting the taint.org site, and reviewing the sought.cf >>> stuff, can >>> someone explain to me whether I should somehow integrate this into my >>> sa-update script that I already have, or whether I am supposed to >>> use the >>> script as standalone that the website provides. >>> >>> Thanks >>> >>> Steve Campbell >>> >>> >> >> steve >> >> the taint.org site tells you how to install the gpg key into sa-update >> and use sa-update to update it regularly. >> >> http://taint.org/2007/08/15/004348a.html >> > Thanks Martin, > > The problem is that there is fuzziness in my mind again. 
Mailscanner
> (I think by way of Julian's SA install.sh) places a script in
> cron.daily called update_spamassassin that calls sa-update. It makes
> reference someplace to review /etc/sysconfig/MailScanner for additions
> to the default. I can't remember where I saw that. So, do I run the
> example from taint.org as a standalone call from my crontab, or do I
> add something somewhere so that the update_spamassassin script
> incorporates the stuff from the taint page, and where and how do I do
> that?
>
> steve

What I did to test this all:

as root
> wget http://yerp.org/rules/GPG.KEY
> sa-update --import GPG.KEY

# To test that I got something - which it did
> sa-update --gpgkey 6C6191E3 --channel sought.rules.yerp.org

I then changed /etc/sysconfig/MailScanner as below

SAUPDATEARGS="--gpgkey 6C6191E3 --channel sought.rules.yerp.org"

I then changed /usr/sbin/update_spamassassin as below to keep the log file

# rm -f $LOGFILE

My /etc/cron.daily/update_spamassassin has in it the following:

UPDATEMAXDELAY=300

The only thing the log file has in it is that MailScanner was reloaded. When I go to Mailwatch and update my rule descriptions, I cannot find a rule with JM_SOUGHT in it, so I'm guessing there is something else I need to do to move the rules into a rule folder and to make the sa-update work for the sought files as they weren't updated in /var/lib/spamassassin/3.002.005.

Thanks for looking and helping

steve

From Dstraka at caspercollege.edu Fri Nov 14 20:22:23 2008
From: Dstraka at caspercollege.edu (Daniel Straka)
Date: Fri Nov 14 20:22:54 2008
Subject: Watermark test working too good
Message-ID: <491D7B47.61A0.0000.0@caspercollege.edu>

I've got some users that subscribe to a state library newsletter sent out via distribution list. These messages arrive with a null sender and MailScanner's watermarking feature is marking them as spam (yes, I have it set to do that).
Question is, if I add the relaying server's IP address to my spam.whitelist.rules file will the messages bypass MailScanner's watermark test?

Is there another way to have these messages bypass the watermark test?

Thanks,

-- 
Dan Straka
Systems Coordinator
Casper College
307.268.2399
http://www.caspercollege.edu

From devonharding at gmail.com Fri Nov 14 22:08:36 2008
From: devonharding at gmail.com (Devon Harding)
Date: Fri Nov 14 22:08:44 2008
Subject: SARE Rules worth it?
In-Reply-To: <491C82E0.2000504@alexb.ch>
References: <2baac6140811121118s7156791cw9d2cb051eb842880@mail.gmail.com> <72cf361e0811130011t67618addia6a65c7009f10473@mail.gmail.com> <2baac6140811130656w36bc702ar6dbea4c2558343f6@mail.gmail.com> <72cf361e0811131124s1c82c5e0jf793946e09ce71c6@mail.gmail.com> <491C82E0.2000504@alexb.ch>
Message-ID: <2baac6140811141408x3f825758rb3d58675cab1c6b1@mail.gmail.com>

>
>
>>
> All means you have redundat...
>
> check the naming/numbering convention and the explanation.
>
> If you use SA 3.2.4 / 3.2.5
>
> check my little http://www.rulesemporium.com/rules/90_2tld.cf
>
> need to know what it does?
> http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.txt
>
> Alex
>
>

AWESOME! Followed Julian's 'HOWTO: Adding extra rulesets to SpamAssassin' and now everything is getting tagged correctly.

-Devon

From hvdkooij at vanderkooij.org Fri Nov 14 22:45:14 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Fri Nov 14 22:45:24 2008
Subject: how to block all email sent to outside email account?
In-Reply-To: <491D53DD.9030401@halla.pt>
References: <491D53DD.9030401@halla.pt>
Message-ID: <491DFF7A.1010103@vanderkooij.org>

Jorge Luis Costinha wrote:
> Hello all,
>
>
> i wish to prevent outgoing email to a specific outside
> world account. I try to use the blacklist feature on MailScanner, but
> only works from incoming email to be delivery on internal accounts... i
> also try to catch outgoing emails with procmail, without success...

Pardon me but any MTA can do this for you.

Please consult your sendmail manual in regard to access tables and such.

Hugo.

-- 
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

I am not in the office at the moment. Send any work to be translated.

From michael at huntley.net Fri Nov 14 23:55:20 2008
From: michael at huntley.net (Michael Huntley)
Date: Fri Nov 14 23:55:40 2008
Subject: how to block all email sent to outside email account?
In-Reply-To: <491DFF7A.1010103@vanderkooij.org>
References: <491D53DD.9030401@halla.pt> <491DFF7A.1010103@vanderkooij.org>
Message-ID: <491E0FE8.2090101@huntley.net>

Hugo van der Kooij wrote:
> Jorge Luis Costinha wrote:
> > Hello all,
> >
> > i wish to prevent outgoing email to a specific outside
> > world account. I try to use the blacklist feature on MailScanner, but
> > only works from incoming email to be delivery on internal accounts... i
> > also try to catch outgoing emails with procmail, without success...
>
> Pardon me but any MTA can do this for you.
>
> Please consult your sendmail manual in regard to access tables and such.
>
> Hugo.
>
>

That is not what Jorge asked, I'm sure he is aware of what he can do at the MTA level.

Jorge - you can use the Non Spam Actions within Mailscanner.conf

Set it to a rule such as:

Non Spam Actions = %rules-dir%/nonspam.rules

inside of nonspam.rules make an entry for the default and the naughty address:

FromOrTo: naughty@naughty.com delete
FromOrTo: Default deliver header "X-Spam-Status: No"

That's it.

Cheers!

m

From hvdkooij at vanderkooij.org Sat Nov 15 07:33:17 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sat Nov 15 07:33:28 2008
Subject: how to block all email sent to outside email account?
In-Reply-To: <491E0FE8.2090101@huntley.net>
References: <491D53DD.9030401@halla.pt> <491DFF7A.1010103@vanderkooij.org> <491E0FE8.2090101@huntley.net>
Message-ID: <491E7B3D.3090003@vanderkooij.org>

Michael Huntley wrote:
> Hugo van der Kooij wrote:
>> Jorge Luis Costinha wrote:
>>
>> > i wish to prevent outgoing email to a specific outside
>> > world account. I try to use the blacklist feature on MailScanner, but
>> > only works from incoming email to be delivery on internal
>> accounts... i
>> > also try to catch outgoing emails with procmail, without success...
>>
>> Pardon me but any MTA can do this for you.
>>
>> Please consult your sendmail manual in regard to access tables and such.

> That is not what Jorge asked, I'm sure he is aware of what he can do at
> the MTA level.

I am pretty sure of one thing. That you did not read the OP thoroughly. As you seemed to have missed:

"any ideia on how can i do this? perhaps on MTA level, how?"

Which translates roughly into "I have no idea where to begin."

So in my book that means tackle this on the MTA level whenever possible and do not bother to hand them to MailScanner.

Hugo.

-- 
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

I am not in the office at the moment. Send any work to be translated.

From glenn.steen at gmail.com Sat Nov 15 09:35:23 2008
From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Nov 15 09:35:33 2008 Subject: Mailscanner child freezes In-Reply-To: <491D88B5.4090804@life.illinois.edu> References: <491D88B5.4090804@life.illinois.edu> Message-ID: <223f97700811150135y66b5d1bdue0c01801c4615a3b@mail.gmail.com> 2008/11/14 Jeffrey Haas : > I'm having trouble with a MailScanner child process freezing up. If > anyone has any suggestions on how to investigate this, I'd be grateful. > > On Tuesday, I upgraded a MailScanner/ClamAV installation to the latest > versions hoping to get past the recently announced buffer overflow in > ClamAV. I installed using the .tgz files for MailScanner & > SpamAssassin/ClamAV on the mailscanner.info. I configured MailScanner > to use clamd. > > Everything went well at the time (as it usually does - thanks Julian!). > However this morning, I found that MailScanner had stopped processing > mail. I was in a bit of a panic at the time, so I simply restarted > MailScanner, and some mail started flowing, but then things froze up > again. > > I was thinking that there was a message that was gumming up the works > somewhere, so I set in MailScanner.conf: > > #Max Unscanned Messages Per Scan = 30 > #Max Unsafe Messages Per Scan = 30 > Max Unscanned Messages Per Scan = 1 > Max Unsafe Messages Per Scan = 1 > > That kept the good mail from getting tangled up with the bad. > > Running 'ps auwx|grep MailScanner', I find: > > postfix 31809 0.0 0.4 25616 20088 ? Ss 17:59 0:00 > MailScanner: starting child > postfix 31810 95.1 1.1 50884 47328 ? R 17:59 333:13 > MailScanner: cleaning messages > postfix 21305 0.0 1.2 56152 51988 ? S 22:02 0:03 > MailScanner: waiting for messages > ... > > > Process 31810 picks up a message to clean, but can't complete for some > reason. Inspecting /var/spool/MailScanner/incoming, I can see the > contents of the message. > > It is a bounce message from a Mailman list which contains an attachment, > 'text.zip'. 
I can run clamscan manually on the files extracted from the > message and it reports 'Worm.Mydoom.M FOUND'. > > I thought perhaps this was an issue with clamd, since that is a bit new > to me. (I've used the Mail::ClamAV module for many years.) So, I > reconfigured to 'Virus Scanners = clamav' to have MailScanner invoke > clamscan. I still get the same behavior with that. One child process > grabs the troublesome message, and then stays in the 'cleaning messages' > state indefinitely. The CPU utilization is 100% for that process. I've > left it running for about 6 hours now, but there's no change. I think > my freeze up of the entire server this morning was perhaps, all of the > children (5) getting tied up in this way. > > This is an Ubuntu 7.10 system with postfix 2.4.5 & perl 5.8.8 installed > from .deb packages. I think everything else of importance came from the > .tgz files. > > The last messages from process 31810 are: > > Nov 13 17:59:17 les MailScanner[31810]: MailScanner E-Mail Virus Scanner > version 4.72.5 starting... 
> Nov 13 17:59:17 les MailScanner[31810]: SpamAssassin temporary working > directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp > Nov 13 17:59:17 les MailScanner[31810]: Using SpamAssassin results cache > Nov 13 17:59:17 les MailScanner[31810]: Connected to SpamAssassin cache > database > Nov 13 17:59:17 les MailScanner[31810]: Expired 6 records from the > SpamAssassin cache > Nov 13 17:59:18 les MailScanner[31810]: Using locktype = flock > Nov 13 17:59:18 les MailScanner[31810]: New Batch: Found 40 messages > waiting > Nov 13 17:59:18 les MailScanner[31810]: New Batch: Scanning 1 messages, > 45362 bytes > Nov 13 17:59:18 les MailScanner[31810]: Spam Checks: Starting > Nov 13 17:59:18 les MailScanner[31810]: Message 2D5154E85A3.D9D39 from > 127.0.0.1 (mailman-bounces@life.illinois.edu) is whitelisted > Nov 13 17:59:18 les MailScanner[31810]: SpamAssassin cache hit for > message 2D5154E85A3.D9D39 > Nov 13 17:59:18 les MailScanner[31810]: Message 2D5154E85A3.D9D39 from > 127.0.0.1 (mailman-bounces@life.illinois.edu) to uiuc.edu is not spam > (whitelisted), SpamAssassin (cached, score=-1.44, required 6, > autolearn=not spam, ALL_TRUSTED -1.44) > Nov 13 17:59:18 les MailScanner[31810]: Filename Checks: Possible MS-Dos > program shortcut attack (2D5154E85A3.D9D39 text.htm > .pif) > Nov 13 17:59:18 les MailScanner[31810]: Filetype Checks: No executables > (2D5154E85A3.D9D39 text.htm > .pif) > Nov 13 17:59:18 les MailScanner[31810]: Other Checks: Found 2 problems > Nov 13 17:59:18 les MailScanner[31810]: Virus and Content Scanning: > Starting > Nov 13 17:59:19 les MailScanner[31810]: ./2D5154E85A3.D9D39.message: > Worm.Mydoom.M FOUND > Nov 13 17:59:19 les MailScanner[31810]: ./2D5154E85A3.D9D39/text1.zip: > Worm.Mydoom.M FOUND > Nov 13 17:59:19 les MailScanner[31810]: > ./2D5154E85A3.D9D39/text.htm.pif: Worm.Mydoom.M FOUND > Nov 13 17:59:19 les MailScanner[31810]: ./2D5154E85A3.D9D39/text.zip: > Worm.Mydoom.M FOUND > Nov 13 17:59:20 les MailScanner[31810]: Virus 
Scanning: ClamAV found 4
> infections
>
> Any ideas how to prevent this from happening? Thanks for any suggestions.
>

Hi Jeffrey,

If you attach to one of the children "getting stuck" with strace, what does it seem to be doing? Further, looking with something simple, like top or sar... Is it continually "eating memory" (ie leaking....)?

Since you know which messages cause this, could you lift a couple from the hold queue and either send them to Jules or to me, so that we could look at what our systems think of them...?

My gut feeling is that there is some problem with some perl module, but ... that's just a gut reaction:-).

What does "MailScanner -v" say? Also, simple things like "MailScanner --lint" and definitely "MailScanner --debug" could perhaps reveal something interesting:).

As I'm sure you know, we've had one ... instance of children "freezing up"/"looping forever" with the milter support (specific to PF, I missed a place to handle things:-), but that was fixed a while back and shouldn't be affecting things with something this new. Obligatory question is "do you run any milters?", more for completeness than anything:-).

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Sat Nov 15 09:42:48 2008
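An added example, not part of any post in this thread: one way to spot the condition described above (a child that stays in "cleaning messages" while burning CPU) is to compare two `ps auwx` snapshots taken a few minutes apart. The snapshot lines are constructed from the ps output quoted in the thread; the function names and the 300-second threshold are assumptions.

```shell
#!/bin/sh
# Spot a MailScanner child that is spinning in one processing state.
# Assumed column layout (Linux `ps auwx`):
#   USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND...

# stuck_children OLD_SNAPSHOT NEW_SNAPSHOT MIN_CPU_SECONDS
# Prints "PID CPU_SECONDS_BURNED STATE" for every MailScanner process that
#   - appears in both snapshots,
#   - shows the same process title in both, other than the idle
#     "waiting for messages" title,
#   - used at least MIN_CPU_SECONDS of CPU between the two snapshots.
stuck_children() {
    awk -v min="$3" '
        # ps TIME is MMM:SS in this layout; HH:MM:SS is accepted as well.
        function secs(t,    p, n) {
            n = split(t, p, ":")
            return (n == 3) ? p[1] * 3600 + p[2] * 60 + p[3] : p[1] * 60 + p[2]
        }
        # MailScanner sets its process title to "MailScanner: <state>".
        $11 != "MailScanner:" { next }
        {
            state = $12
            for (i = 13; i <= NF; i++) state = state " " $i
        }
        # First file: remember state and CPU time per PID.
        FILENAME == ARGV[1] { old_state[$2] = state; old_cpu[$2] = secs($10); next }
        # Second file: same PID, same non-idle state, CPU time still climbing.
        ($2 in old_state) && state == old_state[$2] && state != "waiting for messages" {
            burned = secs($10) - old_cpu[$2]
            if (burned >= min + 0) print $2, burned, state
        }
    ' "$1" "$2"
}

# Constructed sample data: two snapshots ten minutes apart, modelled on the
# ps lines quoted in the thread. PID 21306 is a healthy child that finished
# its batch between the snapshots.
write_demo_snapshots() {
    cat > "$1/ps.old" <<'EOF'
postfix 31809  0.0  0.4 25616 20088 ?  Ss 17:59   0:00 MailScanner: starting child
postfix 31810 95.1  1.1 50884 47328 ?  R  17:59 323:13 MailScanner: cleaning messages
postfix 21305  0.0  1.2 56152 51988 ?  S  22:02   0:02 MailScanner: waiting for messages
postfix 21306  0.3  1.2 56152 51988 ?  S  22:02   1:10 MailScanner: cleaning messages
EOF
    cat > "$1/ps.new" <<'EOF'
postfix 31809  0.0  0.4 25616 20088 ?  Ss 17:59   0:00 MailScanner: starting child
postfix 31810 95.1  1.1 50884 47328 ?  R  17:59 333:13 MailScanner: cleaning messages
postfix 21305  0.0  1.2 56152 51988 ?  S  22:02   0:03 MailScanner: waiting for messages
postfix 21306  0.3  1.2 56152 51988 ?  S  22:02   1:12 MailScanner: waiting for messages
EOF
}

demo_dir=$(mktemp -d) || exit 1
write_demo_snapshots "$demo_dir"
stuck_children "$demo_dir/ps.old" "$demo_dir/ps.new" 300
rm -rf "$demo_dir"
```

On a live system the two inputs would be `ps auwx` output saved a few minutes apart; the flagged PID is the one to attach strace to.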
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Nov 15 09:42:59 2008
Subject: Watermark test working too good
In-Reply-To: <491D7B47.61A0.0000.0@caspercollege.edu>
References: <491D7B47.61A0.0000.0@caspercollege.edu>
Message-ID: <223f97700811150142j8c9bf06me94112243db1e6a2@mail.gmail.com>

2008/11/14 Daniel Straka :
> I've got some users that subscribe to a state library newsletter sent out via distribution list. These messages arrive with a null sender and MailScanner's watermarking feature is marking them as spam (yes, I have it set to do that).
> Question is, if I add the relaying server's IP address to my spam.whitelist.rules file will the messages bypass MailScanner's watermark test?
>
> Is there another way to have these messages bypass the watermark test?
>
> Thanks,

Dan,

Why not have the state library do the right thing? They aren't sending these as part of the mailing system(s) housekeeping functions, that is ... they're abusing the RFCs in a way, so... Wouldn't it be better to get them to use a sane sender address? If they are afraid to have to handle bounces... well, then they shouldn't be using a mailing list at all(!)...:-).

Whitelisting "bad behaviour" == "accepting it"... Yeah, I know... the users/clients pay the beans, but ... you could at least ask them:-).

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From campbell at cnpapers.com Sat Nov 15 14:28:23 2008
From: campbell at cnpapers.com (Steve Campbell)
Date: Sat Nov 15 14:28:58 2008
Subject: SARE Rules worth it?
In-Reply-To: <2baac6140811141408x3f825758rb3d58675cab1c6b1@mail.gmail.com>
References: <2baac6140811121118s7156791cw9d2cb051eb842880@mail.gmail.com> <72cf361e0811130011t67618addia6a65c7009f10473@mail.gmail.com> <2baac6140811130656w36bc702ar6dbea4c2558343f6@mail.gmail.com> <72cf361e0811131124s1c82c5e0jf793946e09ce71c6@mail.gmail.com> <491C82E0.2000504@alexb.ch> <2baac6140811141408x3f825758rb3d58675cab1c6b1@mail.gmail.com>
Message-ID: <1226759303.491edc8750b74@perdition.cnpapers.net>

Quoting Devon Harding :

> >
> >
> >>
> > All means you have redundat...
> >
> > check the naming/numbering convention and the explanation.
> >
> > If you use SA 3.2.4 / 3.2.5
> >
> > check my little http://www.rulesemporium.com/rules/90_2tld.cf
> >
> > need to know what it does?
> > http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.txt
> >
> > Alex
> >
> >
>
> AWESOME! Followed Julian's 'HOWTO: Adding extra rulesets to SpamAssassin'
> and now everything is getting tagged correctly.
>
> -Devon
>

This seemed to do the trick for me, also. Thanks Devon, and Julian, and.....

steve

-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/

From marc at marcsnet.com Sat Nov 15 23:15:08 2008
From: marc at marcsnet.com (Marc Lucke)
Date: Sat Nov 15 23:15:29 2008
Subject: clamd - ./lstat() failed
Message-ID: <491F57FC.5040902@marcsnet.com>

Clamd::ERROR:: UNKNOWN CLAMD RETURN ./lstat() failed. ERROR :: /var/spool/MailScanner/incoming/30627

Hi everyone. Wondering if anyone can tell me what this means and how I can fix it.

Regards
Marc

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From devonharding at gmail.com Sat Nov 15 23:35:39 2008
From: devonharding at gmail.com (Devon Harding)
Date: Sat Nov 15 23:35:49 2008
Subject: SARE Rules worth it?
In-Reply-To: <1226759303.491edc8750b74@perdition.cnpapers.net>
References: <2baac6140811121118s7156791cw9d2cb051eb842880@mail.gmail.com> <72cf361e0811130011t67618addia6a65c7009f10473@mail.gmail.com> <2baac6140811130656w36bc702ar6dbea4c2558343f6@mail.gmail.com> <72cf361e0811131124s1c82c5e0jf793946e09ce71c6@mail.gmail.com> <491C82E0.2000504@alexb.ch> <2baac6140811141408x3f825758rb3d58675cab1c6b1@mail.gmail.com> <1226759303.491edc8750b74@perdition.cnpapers.net>
Message-ID: <2baac6140811151535h3e2411fbj4fe36ba44cd04eba@mail.gmail.com>

>
> This seemed to do the trick for me, also. Thanks Devon, and Julian,
> and.....
>
> steve
>
>
>

Here's my setup (In case no one wants to Google)

/etc/sysconfig/MailScanner:

SAUPDATEARGS="--channelfile /etc/mail/spamassassin/sire-channel-list.txt --gpgkey 856AA88A --gpgkey 6C6191E3"

/etc/mail/spamassassin/sire-channel-list.txt:

updates.spamassassin.org
70_sare_adult.cf.sare.sa-update.dostech.net
70_sare_bayes_poison_nxm.cf.sare.sa-update.dostech.net
70_sare_evilnum0.cf.sare.sa-update.dostech.net
70_sare_genlsubj0.cf.sare.sa-update.dostech.net
70_sare_genlsubj1.cf.sare.sa-update.dostech.net
70_sare_genlsubj2.cf.sare.sa-update.dostech.net
70_sare_header.cf.sare.sa-update.dostech.net
70_sare_html.cf.sare.sa-update.dostech.net
70_sare_obfu.cf.sare.sa-update.dostech.net
70_sare_oem.cf.sare.sa-update.dostech.net
70_sare_random.cf.sare.sa-update.dostech.net
70_sare_specific.cf.sare.sa-update.dostech.net
70_sare_spoof.cf.sare.sa-update.dostech.net
70_sare_stocks.cf.sare.sa-update.dostech.net
70_sare_unsub.cf.sare.sa-update.dostech.net
70_sare_uri0.cf.sare.sa-update.dostech.net
70_sare_uri1.cf.sare.sa-update.dostech.net
70_sare_uri2.cf.sare.sa-update.dostech.net
70_sare_whitelist_rcvd.cf.sare.sa-update.dostech.net
70_sare_whitelist_spf.cf.sare.sa-update.dostech.net
72_sare_bml_post25x.cf.sare.sa-update.dostech.net
72_sare_redirect_post3.0.0.cf.sare.sa-update.dostech.net
99_sare_fraud_post25x.cf.sare.sa-update.dostech.net
99_FVGT_Tripwire.cf.sare.sa-update.dostech.net
sought.rules.yerp.org

From shuttlebox at gmail.com Sat Nov 15 23:44:38 2008
From: shuttlebox at gmail.com (shuttlebox)
Date: Sat Nov 15 23:44:47 2008
Subject: clamd - ./lstat() failed
In-Reply-To: <491F57FC.5040902@marcsnet.com>
References: <491F57FC.5040902@marcsnet.com>
Message-ID: <625385e30811151544u2423b54ai82215c04df9843e6@mail.gmail.com>

On Sun, Nov 16, 2008 at 12:15 AM, Marc Lucke wrote:
> Clamd::ERROR:: UNKNOWN CLAMD RETURN ./lstat() failed. ERROR ::
> /var/spool/MailScanner/incoming/30627
>
>
> Hi everyone. Wondering if anyone can tell me what this means and how I can
> fix it.

If you're not running clamd as root check your directory permissions at every step of the path in the error message.

-- 
/peter

From marc at marcsnet.com Sat Nov 15 23:46:56 2008
From: marc at marcsnet.com (Marc Lucke)
Date: Sat Nov 15 23:47:13 2008
Subject: clamd - ./lstat() failed
In-Reply-To: <491F57FC.5040902@marcsnet.com>
References: <491F57FC.5040902@marcsnet.com>
Message-ID: <491F5F70.3020401@marcsnet.com>

Sorry - should have said: I did change the group to clamav and I did change the permissions to 0640 as per the instructions. I saw that an easy way out is to have clamav run as root, so I did that rather. I'm still interested in anyone's ideas as I'd like to be able to successfully run clamd as user clamav, but I don't care so much anymore.

Cheers
Marc

Marc Lucke wrote:
> Clamd::ERROR:: UNKNOWN CLAMD RETURN ./lstat() failed. ERROR ::
> /var/spool/MailScanner/incoming/30627
>
>
> Hi everyone. Wondering if anyone can tell me what this means and how
> I can fix it.
>
>
> Regards
> Marc
>

From jeffrey at life.illinois.edu Sun Nov 16 02:36:38 2008
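An added example, not part of any post in the clamd lstat() thread above: a way to carry out the "check your directory permissions at every step of the path" advice for a non-root scanner account, so that clamd does not have to run as root. The function names, the numeric uid/gid stand-ins and the temporary spool tree are assumptions constructed for the demonstration; on a real host the uid and gid list would come from `id -u clamav` and `id -G clamav`.

```shell
#!/bin/sh
# path_blocker UID "GID GID ..." TARGET [BASE]
# Walks from BASE (default /) down to the TARGET directory and applies the
# classic Unix permission check for the given numeric uid and gid list:
# the first matching class (owner, then group, then other) decides, and the
# other classes are not consulted. Every directory on the way needs search
# (x); the target itself needs read and search (r-x) so it can be listed.
# Prints "<dir> <mode> <class>" for the first directory that blocks and
# returns 1; returns 0 if the whole chain is usable, 2 on usage/stat errors.
# Not modelled: root's override, POSIX ACLs, SELinux/AppArmor policy.
path_blocker() (
    uid=$1; gids=" $2 "; target=$3; base=${4:-/}
    case $target in /*) ;; *) echo "TARGET must be an absolute path" >&2; exit 2 ;; esac

    # Build the chain BASE ... TARGET, one directory per line, top-down.
    chain=$target; p=$target
    while [ "$p" != "$base" ] && [ "$p" != "/" ]; do
        p=$(dirname "$p")
        chain="$p
$chain"
    done

    printf '%s\n' "$chain" | while IFS= read -r p; do
        info=$(stat -c '%a %u %g' "$p") || exit 2
        set -- $info              # $1 = octal mode, $2 = owner uid, $3 = group gid
        perm=$(( $1 % 1000 ))     # drop the setuid/setgid/sticky digit
        if [ "$2" = "$uid" ]; then
            class=owner; bits=$(( perm / 100 ))
        else
            case $gids in
                *" $3 "*) class=group; bits=$(( perm / 10 % 10 )) ;;
                *)        class=other; bits=$(( perm % 10 )) ;;
            esac
        fi
        need=1
        if [ "$p" = "$target" ]; then need=5; fi
        if [ $(( bits & need )) -ne "$need" ]; then
            printf '%s %03d %s\n' "$p" "$perm" "$class"
            exit 1
        fi
    done
)

# Constructed spool tree, named after the path in the error message.
# Prints the temporary root it created.
make_demo_spool() {
    demo_root=$(mktemp -d) || return 1
    mkdir -p "$demo_root/spool/MailScanner/incoming/30627"
    chmod 755 "$demo_root" "$demo_root/spool" "$demo_root/spool/MailScanner"
    chmod 750 "$demo_root/spool/MailScanner/incoming"
    chmod 700 "$demo_root/spool/MailScanner/incoming/30627"
    echo "$demo_root"
}

root=$(make_demo_spool) || exit 1
scanner_uid=$(( $(id -u) + 1 ))     # stand-in for the scanner account: not the owner
work_gid=$(stat -c %g "$root")      # stand-in for the shared work group
target="$root/spool/MailScanner/incoming/30627"

# Scanner is in the work group: only the 0700 batch directory blocks it.
path_blocker "$scanner_uid" "$work_gid" "$target" "$root" || true
# Scanner is not in the work group: it is already stopped at incoming (0750).
path_blocker "$scanner_uid" "" "$target" "$root" || true
rm -rf "$root"
```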
From: jeffrey at life.illinois.edu (Jeffrey Haas)
Date: Sun Nov 16 02:36:51 2008
Subject: Mailscanner child freezes
In-Reply-To: <223f97700811150135y66b5d1bdue0c01801c4615a3b@mail.gmail.com>
References: <491D88B5.4090804@life.illinois.edu> <223f97700811150135y66b5d1bdue0c01801c4615a3b@mail.gmail.com>
Message-ID: <491F8736.1040600@life.illinois.edu>

Hi Glenn -

Thanks for your reply. I'll send you a URL where you could download the messages. I've collected three so far.

I'm not familiar with the earlier issue with freezing. I've used MailScanner for years, and it has worked very well in our situation. I only recently joined the mailing list after I found answers there when we were upgrading to ClamAV 0.94 with an earlier version of MailScanner.

We're not using any milters with Postfix.

I have a secondary mail system set up on Ubuntu 8.04. I also upgraded this system using the latest .tgz files last Tuesday. And it also has had Mailscanner child processes freeze after I wrote my message to the list. Not as often, but this system receives much less mail. Not sure what that means exactly, but the problem doesn't seem related to Ubuntu versions anyway.

On the original system

---

/opt/MailScanner/bin# ./MailScanner -v
Running on
Linux les 2.6.22-15-server #1 SMP Fri Jul 11 19:54:13 UTC 2008 i686 GNU/Linux
This is Perl version 5.008008 (5.8.8)

This is MailScanner version 4.72.5
Module versions are:
1.00 AnyDBM_File
1.16 Archive::Zip
0.21 bignum
1.04 Carp
1.41 Compress::Zlib
1.119 Convert::BinHex
0.17 Convert::TNEF
2.121_08 Data::Dumper
2.27 Date::Parse
1.00 DirHandle
1.05 Fcntl
2.74 File::Basename
2.09 File::Copy
2.01 FileHandle
1.08 File::Path
0.20 File::Temp
0.90 Filesys::Df
1.35 HTML::Entities
3.56 HTML::Parser
2.37 HTML::TokeParser
1.23 IO
1.14 IO::File
1.13 IO::Pipe
2.02 Mail::Header
1.86 Math::BigInt
0.19 Math::BigRat
3.07 MIME::Base64
5.427 MIME::Decoder
5.427 MIME::Decoder::UU
5.427 MIME::Head
5.427 MIME::Parser
3.07 MIME::QuotedPrint
5.427 MIME::Tools
0.11 Net::CIDR
1.25 Net::IP
0.16 OLE::Storage_Lite
1.04 Pod::Escapes
3.05 Pod::Simple
1.09 POSIX
1.19 Scalar::Util
1.78 Socket
2.16 Storable
1.4 Sys::Hostname::Long
0.18 Sys::Syslog
1.26 Test::Pod
0.7 Test::Simple
1.9707 Time::HiRes
1.02 Time::localtime

Optional module versions are:
1.29 Archive::Tar
0.21 bignum
1.82 Business::ISBN
1.10 Business::ISBN::Data
1.08 Data::Dump
1.814 DB_File
1.13 DBD::SQLite
1.56 DBI
1.15 Digest
1.01 Digest::HMAC
2.36 Digest::MD5
2.11 Digest::SHA1
missing Encode::Detect
0.17008 Error
0.18 ExtUtils::CBuilder
2.18 ExtUtils::ParseXS
2.36 Getopt::Long
0.44 Inline
1.08 IO::String
1.04 IO::Zlib
2.21 IP::Country
missing Mail::ClamAV
3.002005 Mail::SpamAssassin
v2.004 Mail::SPF
1.999001 Mail::SPF::Query
0.2808 Module::Build
0.20 Net::CIDR::Lite
0.63 Net::DNS
0.002.2 Net::DNS::Resolver::Programmable
missing Net::LDAP
4.004 NetAddr::IP
1.94 Parse::RecDescent
missing SAVI
2.64 Test::Harness
0.95 Test::Manifest
1.98 Text::Balanced
1.35 URI
0.7203 version
0.62 YAML

---

/opt/MailScanner/bin# ./MailScanner --lint
Trying to setlogsock(unix)
Checking version numbers...
Version number in MailScanner.conf (4.72.5) is correct.
Your envelope_sender_header in spam.assassin.prefs.conf is correct.
MailScanner setting GID to (112)
MailScanner setting UID to (105)

Checking for SpamAssassin errors (if you use it)...
SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp
SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
Using locktype = posix
MailScanner.conf says "Virus Scanners = clamd"
Found these virus scanners installed: clamd
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Virus Scanning: Clamd found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
===========================================================================
Virus Scanner test reports:
Clamd said "eicar.com was infected: Eicar-Test-Signature"

If any of your virus scanners (clamd)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its virus.scanners.conf.

---

When things are running smoothly:

/opt/MailScanner/bin# ./MailScanner --debug
In Debugging mode, not forking...
Trying to setlogsock(unix)
SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
Building a message batch to scan...
Have a batch of 1 message.
max message size is '200k'
Stopping now as you are debugging me.

With the problem message:

/opt/MailScanner/bin# ./MailScanner --debug |tee ms_debug
In Debugging mode, not forking...
Trying to setlogsock(unix)
SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
Building a message batch to scan...
Have a batch of 1 message.
max message size is '200k'

---

I can resend the body of one of the problem messages to myself, and then it sends the MailScanner process to 100% CPU.

If I connect with "strace -p 26089" after the problem starts the only output is:

Process 26089 attached - interrupt to quit

'top' shows:

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
26089 postfix 25 0 60508 55m 3116 R 100 1.4 4:07.21 MailScanner

I was able to produce lots of strace output with:

strace -f -o ms_strace /opt/MailScanner/bin/MailScanner

From there I worked out that the problem PID was 27473. Then I grep'ed all the lines for this process. That data ends with:

27473 _llseek(8, 601088, [601088], SEEK_SET) = 0
27473 write(8, "\r\0\0\0\1\1\265\0\1\265\1E\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1024) = 1024
27473 fsync(8) = 0
27473 close(11) = 0
27473 unlink("/var/spool/MailScanner/incoming/SpamAssassin.cache.db-journal") = 0
27473 fcntl64(8, F_SETLK64, {type=F_RDLCK, whence=SEEK_SET, start=1073741826, len=510}, 0xbf840964) = 0
27473 fcntl64(8, F_SETLK64, {type=F_UNLCK, whence=SEEK_SET, start=1073741824, len=2}, 0xbf840964) = 0
27473 fcntl64(8, F_SETLK64, {type=F_UNLCK, whence=SEEK_SET, start=0, len=0}, 0xbf840964) = 0
27473 gettimeofday({1226800996, 724335}, NULL) = 0
27473 brk(0xab17000) = 0xab17000

I'll send you a URL where you can download the full strace if you like.

Thanks for your help!

--jeff

Glenn Steen wrote:
> 2008/11/14 Jeffrey Haas :
>> I'm having trouble with a MailScanner child process freezing up. If
>> anyone has any suggestions on how to investigate this, I'd be grateful.
>>
>> On Tuesday, I upgraded a MailScanner/ClamAV installation to the latest
>> versions hoping to get past the recently announced buffer overflow in
>> ClamAV. I installed using the .tgz files for MailScanner &
>> SpamAssassin/ClamAV on the mailscanner.info. I configured MailScanner
>> to use clamd.
>>
>> Everything went well at the time (as it usually does - thanks Julian!).
>> However this morning, I found that MailScanner had stopped processing >> mail. I was in a bit of a panic at the time, so I simply restarted >> MailScanner, and some mail started flowing, but then things froze up >> again. >> >> I was thinking that there was a message that was gumming up the works >> somewhere, so I set in MailScanner.conf: >> >> #Max Unscanned Messages Per Scan = 30 >> #Max Unsafe Messages Per Scan = 30 >> Max Unscanned Messages Per Scan = 1 >> Max Unsafe Messages Per Scan = 1 >> >> That kept the good mail from getting tangled up with the bad. >> >> Running 'ps auwx|grep MailScanner', I find: >> >> postfix 31809 0.0 0.4 25616 20088 ? Ss 17:59 0:00 >> MailScanner: starting child >> postfix 31810 95.1 1.1 50884 47328 ? R 17:59 333:13 >> MailScanner: cleaning messages >> postfix 21305 0.0 1.2 56152 51988 ? S 22:02 0:03 >> MailScanner: waiting for messages >> ... >> >> >> Process 31810 picks up a message to clean, but can't complete for some >> reason. Inspecting /var/spool/MailScanner/incoming, I can see the >> contents of the message. >> >> It is a bounce message from a Mailman list which contains an attachment, >> 'text.zip'. I can run clamscan manually on the files extracted from the >> message and it reports 'Worm.Mydoom.M FOUND'. >> >> I thought perhaps this was an issue with clamd, since that is a bit new >> to me. (I've used the Mail::ClamAV module for many years.) So, I >> reconfigured to 'Virus Scanners = clamav' to have MailScanner invoke >> clamscan. I still get the same behavior with that. One child process >> grabs the troublesome message, and then stays in the 'cleaning messages' >> state indefinitely. The CPU utilization is 100% for that process. I've >> left it running for about 6 hours now, but there's no change. I think >> my freeze up of the entire server this morning was perhaps, all of the >> children (5) getting tied up in this way. 
>>
>> This is an Ubuntu 7.10 system with postfix 2.4.5 & perl 5.8.8 installed
>> from .deb packages. I think everything else of importance came from the
>> .tgz files.
>>
>> The last messages from process 31810 are:
>>
>> Nov 13 17:59:17 les MailScanner[31810]: MailScanner E-Mail Virus Scanner
>> version 4.72.5 starting...
>> Nov 13 17:59:17 les MailScanner[31810]: SpamAssassin temporary working
>> directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp
>> Nov 13 17:59:17 les MailScanner[31810]: Using SpamAssassin results cache
>> Nov 13 17:59:17 les MailScanner[31810]: Connected to SpamAssassin cache
>> database
>> Nov 13 17:59:17 les MailScanner[31810]: Expired 6 records from the
>> SpamAssassin cache
>> Nov 13 17:59:18 les MailScanner[31810]: Using locktype = flock
>> Nov 13 17:59:18 les MailScanner[31810]: New Batch: Found 40 messages
>> waiting
>> Nov 13 17:59:18 les MailScanner[31810]: New Batch: Scanning 1 messages,
>> 45362 bytes
>> Nov 13 17:59:18 les MailScanner[31810]: Spam Checks: Starting
>> Nov 13 17:59:18 les MailScanner[31810]: Message 2D5154E85A3.D9D39 from
>> 127.0.0.1 (mailman-bounces@life.illinois.edu) is whitelisted
>> Nov 13 17:59:18 les MailScanner[31810]: SpamAssassin cache hit for
>> message 2D5154E85A3.D9D39
>> Nov 13 17:59:18 les MailScanner[31810]: Message 2D5154E85A3.D9D39 from
>> 127.0.0.1 (mailman-bounces@life.illinois.edu) to uiuc.edu is not spam
>> (whitelisted), SpamAssassin (cached, score=-1.44, required 6,
>> autolearn=not spam, ALL_TRUSTED -1.44)
>> Nov 13 17:59:18 les MailScanner[31810]: Filename Checks: Possible MS-Dos
>> program shortcut attack (2D5154E85A3.D9D39 text.htm
>> .pif)
>> Nov 13 17:59:18 les MailScanner[31810]: Filetype Checks: No executables
>> (2D5154E85A3.D9D39 text.htm
>> .pif)
>> Nov 13 17:59:18 les MailScanner[31810]: Other Checks: Found 2 problems
>> Nov 13 17:59:18 les MailScanner[31810]: Virus and Content Scanning:
>> Starting
>> Nov 13 17:59:19 les MailScanner[31810]: ./2D5154E85A3.D9D39.message:
>> Worm.Mydoom.M FOUND
>> Nov 13 17:59:19 les MailScanner[31810]: ./2D5154E85A3.D9D39/text1.zip:
>> Worm.Mydoom.M FOUND
>> Nov 13 17:59:19 les MailScanner[31810]:
>> ./2D5154E85A3.D9D39/text.htm.pif: Worm.Mydoom.M FOUND
>> Nov 13 17:59:19 les MailScanner[31810]: ./2D5154E85A3.D9D39/text.zip:
>> Worm.Mydoom.M FOUND
>> Nov 13 17:59:20 les MailScanner[31810]: Virus Scanning: ClamAV found 4
>> infections
>>
>> Any ideas how to prevent this from happening? Thanks for any suggestions.
>>
> Hi Jeffrey,
>
> If you attach to one of the children "getting stuck" with strace, what
> does it seem to be doing? Further, looking with something simple, like
> top or sar... Is it continually "eating memory" (ie leaking....)?
> Since you know which messages cause this, could you lift a couple from
> the hold queue and either send them to Jules or to me, so that we
> could look at what our systems think of them...?
> My gut feeling is that there is some problem with some perl module,
> but ... that's just a gut reaction:-). What does "MailScanner -v" say?
> Also, simple things like "MailScanner --lint" and definitely
> "MailScanner --debug" could perhaps reveal something interesting:).
>
> As I'm sure you know, we've had one ... instance of children "freezing
> up"/"looping forever" with the milter support (specific to PF, I
> missed a place to handle things:-), but that was fixed a while back
> and shouldn't be affecting things with something this new. Obligatory
> question is "do you run any milters?", more for completeness than
> anything:-).
>
> Cheers

From craigwhite at azapple.com Sun Nov 16 03:13:04 2008
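The triage Jeffrey Haas describes above (capture with strace -f -o, then find the one PID whose trace simply stops) can be scripted. This is an added example, not part of any message in the thread; the function names, the classification heuristic and the sample capture (apart from the 27473 lines quoted in the post) are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the thread: triage an `strace -f -o FILE` capture
# to find the child that stopped making system calls.
#
# Heuristic (an assumption of this example): in a capture that kept running
# after the hang began, a process blocked in the kernel ends on
# "<unfinished ...>", a finished process ends on exit_group()/"+++ exited",
# and a process looping in user space ends on a syscall that already
# returned and then goes silent.

# last_calls FILE -> one line per PID: "<pid> <state> <last syscall> <lines>"
# where state is exited, blocked or returned.
last_calls() {
    awk '
    {
        pid = $1
        line = $0
        sub(/^[0-9]+[ \t]+/, "", line)          # drop the PID column
        if (line ~ /^---/) next                 # signal delivery, not a syscall
        if (!(pid in state)) order[++n] = pid   # remember first-seen order
        lines[pid]++

        if (line ~ /^\+\+\+ / || line ~ /^(exit_group|_exit)\(/) {
            state[pid] = "exited"
            name = "exit"
        } else {
            name = line
            if (name ~ /^<\.\.\. /) {           # "<... flock resumed> ) = 0"
                sub(/^<\.\.\. /, "", name)
                sub(/ resumed>.*$/, "", name)
            } else {
                sub(/\(.*$/, "", name)          # "brk(0xab17000) = ..." -> brk
            }
            state[pid] = (line ~ /<unfinished \.\.\.>[ \t]*$/) ? "blocked" : "returned"
        }
        last[pid] = name
    }
    END {
        for (i = 1; i <= n; i++) {
            p = order[i]
            printf "%s %s %s %d\n", p, state[p], last[p], lines[p]
        }
    }' "$1"
}

# spin_candidates FILE -> PIDs whose trace ends on a completed syscall.
spin_candidates() {
    last_calls "$1" | awk '$2 == "returned" { print $1 }'
}

# Constructed sample capture. The 27473 lines are taken from the post;
# every other PID and line is made up for illustration.
write_sample() {
    cat > "$1" <<'EOF'
27470 wait4(-1,  <unfinished ...>
27474 flock(6, LOCK_EX <unfinished ...>
27473 fsync(8) = 0
27474 <... flock resumed> ) = 0
27475 write(3, "done\n", 5) = 5
27475 exit_group(0) = ?
27474 select(8, [7], NULL, NULL, {5, 0} <unfinished ...>
27473 fcntl64(8, F_SETLK64, {type=F_UNLCK, whence=SEEK_SET, start=0, len=0}, 0xbf840964) = 0
27473 gettimeofday({1226800996, 724335}, NULL) = 0
27473 brk(0xab17000) = 0xab17000
EOF
}

# With a file argument, analyse it; with none, run on the constructed sample.
if [ -f "${1:-}" ]; then
    last_calls "$1"
else
    sample=$(mktemp)
    write_sample "$sample"
    last_calls "$sample"
    echo "user-space spin candidates: $(spin_candidates "$sample")"
    rm -f "$sample"
fi
```

A PID reported as returned is only a candidate: confirm with top that it is the process at 100% CPU before treating its last returned call as the point where the user-space loop begins.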
From: craigwhite at azapple.com (Craig White)
Date: Sun Nov 16 03:13:36 2008
Subject: strange error message in my mail logs
Message-ID: <1226805184.31040.75.camel@lin-workstation.azapple.com>

Can anyone explain this (this is an installation that has been updated several times)

Nov 15 20:09:59 srv MailScanner[17444]: New Batch: Scanning 1 messages, 3619 bytes
Nov 15 20:09:59 srv MailScanner[17444]: Virus and Content Scanning: Starting
Nov 15 20:09:59 srv MailScanner[17444]: WARNING: Ignoring deprecated option --unzip
Nov 15 20:09:59 srv MailScanner[17444]: WARNING: Ignoring deprecated option --jar
Nov 15 20:09:59 srv MailScanner[17444]: WARNING: Ignoring deprecated option --tar
Nov 15 20:09:59 srv MailScanner[17444]: WARNING: Ignoring deprecated option --tgz
Nov 15 20:09:59 srv MailScanner[17444]: WARNING: Ignoring deprecated option --deb
Nov 15 20:09:59 srv MailScanner[17444]: WARNING: Ignoring deprecated option --unrar

Thanks

Craig

From mark at msapiro.net Sun Nov 16 03:32:56 2008
From: mark at msapiro.net (Mark Sapiro) Date: Sun Nov 16 03:33:13 2008 Subject: SARE Rules worth it? In-Reply-To: <491DD149.3080103@cnpapers.com> Message-ID: Steve Campbell wrote: > >What I did to test this all: as root > > > wget http://yerp.org/rules/GPG.KEY > > sa-update --import GPG.KEY ># To test that I got something - which it did > > sa-update --gpgkey 6C6191E3 --channel sought.rules.yerp.org It worked for me, but I did sa-update --gpgkey 6C6191E3 --channel sought.rules.yerp.org \ --channel updates.spamassassin.org This added /var/lib/spamassassin/3.002005/sought_rules_yerp_org/20_sought_fraud.cf /var/lib/spamassassin/3.002005/sought_rules_yerp_org/20_sought.cf >I then changed /etc/sysconfig/MailScanner as below >SAUPDATEARGS="--gpgkey 6C6191E3 --channel sought.rules.yerp.org" And I included --channel updates.spamassassin.org in SAUPDATEARGS too. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From J.Ede at birchenallhowden.co.uk Sun Nov 16 08:29:08 2008 From: J.Ede at birchenallhowden.co.uk (Jason Ede) Date: Sun Nov 16 08:29:34 2008 Subject: strange error message in my mail logs In-Reply-To: <1226805184.31040.75.camel@lin-workstation.azapple.com> References: <1226805184.31040.75.camel@lin-workstation.azapple.com> Message-ID: <4CAB0118AEC63A4FAAE77E6BCBDF760C7952018B35@server02.bhl.local> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Craig White > Sent: 16 November 2008 03:13 > To: MailScanner discussion > Subject: strange error message in my mail logs > > Can anyone explain this (this is an installation that has been updated > several times) > > Nov 15 20:09:59 srv MailScanner[17444]: New Batch: Scanning 1 messages, > 3619 > bytes > Nov 15 20:09:59 srv MailScanner[17444]: Virus and Content Scanning: > Starting > Nov 15 20:09:59 srv MailScanner[17444]: WARNING: Ignoring deprecated > option > --unzip > Nov 15 20:09:59 srv MailScanner[17444]: WARNING: Ignoring deprecated > option > --jar > Nov 15 20:09:59 srv MailScanner[17444]: WARNING: Ignoring deprecated > option > --tar > Nov 15 20:09:59 srv MailScanner[17444]: WARNING: Ignoring deprecated > option > --tgz > Nov 15 20:09:59 srv MailScanner[17444]: WARNING: Ignoring deprecated > option > --deb > Nov 15 20:09:59 srv MailScanner[17444]: WARNING: Ignoring deprecated > option > --unrar > > Thanks > > Craig Are you using ClamAV (looks like it)? From Julian's post on 14/11 1/11/2008 New in Version 4.72.5-1 ================================= * New Features and Improvements * 1 Added support for ClamAV 0.94. Note that this has necessitated removal of complete support for earlier versions of ClamAV as the command-line settings are incompatible. So only use this version if you have upgraded to the latest ClamAV 0.94. Jason From hvdkooij at vanderkooij.org Sun Nov 16 08:34:24 2008 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Sun Nov 16 08:34:33 2008 Subject: strange error message in my mail logs In-Reply-To: <1226805184.31040.75.camel@lin-workstation.azapple.com> References: <1226805184.31040.75.camel@lin-workstation.azapple.com> Message-ID: <491FDB10.1030504@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Craig White wrote: > Can anyone explain this (this is an installation that has been updated > several times) > > Nov 15 20:09:59 srv MailScanner[17444]: New Batch: Scanning 1 messages, > 3619 > bytes > Nov 15 20:09:59 srv MailScanner[17444]: Virus and Content Scanning: > Starting > Nov 15 20:09:59 srv MailScanner[17444]: WARNING: Ignoring deprecated > option > --unzip This is yet another thread under the subject: I did not upgrade MailScanner and ClamAV to a supported combination. There are plenty of threads on this list that boil down to the same subject. And Google can find them for you: http://www.google.com/search?q=Mailscanner+WARNING%3A+Ignoring+deprecated+option Just before you upgrade them. What versions were you running? Hugo. PS: Can we add something like to the mailinglist tagline: ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. ::: Messages without supporting info will risk being sent to /dev/null - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. Nid wyf yn y swyddfa ar hyn o bryd. Anfonwch unrhyw waith i'w gyfieithu. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFJH9sOBvzDRVjxmYERArWiAJ9bpwp/6icq1Pm0qVZ6IXQ5wB1T0QCcDuqd oD2NKummxl1/vxYv73kBUaw= =l4QF -----END PGP SIGNATURE----- From maillists at conactive.com Sun Nov 16 11:31:16 2008 From: maillists at conactive.com (Kai Schaetzl) Date: Sun Nov 16 11:31:29 2008 Subject: clamd - ./lstat() failed In-Reply-To: <491F5F70.3020401@marcsnet.com> References: <491F57FC.5040902@marcsnet.com> <491F5F70.3020401@marcsnet.com> Message-ID: Marc Lucke wrote on Sun, 16 Nov 2008 10:46:56 +1100: > Sorry - should have said: I did change the group to clamav and I did > change the permissions to 0640 as per the instructions. where what exactly? An ls of the directory might help ... You just need to follow the instructions on the wiki *exactly*. Kai -- Kai Sch?tzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From steve.freegard at fsl.com Sun Nov 16 12:50:38 2008 
From: steve.freegard at fsl.com (Steve Freegard) Date: Sun Nov 16 12:50:49 2008 Subject: Releasing messages from quarantine In-Reply-To: <4CAB0118AEC63A4FAAE77E6BCBDF760C7952018B00@server02.bhl.local> References: <4919976F.5010201@gmail.com> <4919A819.8080206@fsl.com> <4CAB0118AEC63A4FAAE77E6BCBDF760C7939968D45@server02.bhl.local> <4919B343.50505@fsl.com> <4919BEE1.4050201@ecs.soton.ac.uk> <4919C1D9.9090601@fsl.com> <4919C96A.8090409@ecs.soton.ac.uk> <4919D462.5080007@fsl.com> <4919F69F.4000506@ecs.soton.ac.uk> <491A1F0C.7040800@fsl.com> <4CAB0118AEC63A4FAAE77E6BCBDF760C7952018B00@server02.bhl.local> Message-ID: <4920171E.1050806@fsl.com> Jason Ede wrote: > Any chance can share the fix? V1 was slightly more than a one-liner. Attached patch against functions.php will remove any Message-ID headers on input to the sendmail binary. Cheers, Steve. -------------- next part -------------- A non-text attachment was scrubbed... Name: functions.patch Type: text/x-patch Size: 1697 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081116/72002fb4/functions.bin From craigwhite at azapple.com Sun Nov 16 16:53:16 2008 
From: craigwhite at azapple.com (Craig White) Date: Sun Nov 16 16:53:52 2008 Subject: strange error message in my mail logs In-Reply-To: <491FDB10.1030504@vanderkooij.org> References: <1226805184.31040.75.camel@lin-workstation.azapple.com> <491FDB10.1030504@vanderkooij.org> Message-ID: <1226854396.31040.109.camel@lin-workstation.azapple.com> On Sun, 2008-11-16 at 09:34 +0100, Hugo van der Kooij wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Craig White wrote: > > Can anyone explain this (this is an installation that has been updated > > several times) > > > > Nov 15 20:09:59 srv MailScanner[17444]: New Batch: Scanning 1 messages, > > 3619 > > bytes > > Nov 15 20:09:59 srv MailScanner[17444]: Virus and Content Scanning: > > Starting > > Nov 15 20:09:59 srv MailScanner[17444]: WARNING: Ignoring deprecated > > option > > --unzip > > This is yet another thread under the subject: I did not upgrade > MailScanner and ClamAV to a supported combination. > > There are plenty of threads on this list that boil down to the same > subject. And Google can find them for you: > http://www.google.com/search?q=Mailscanner+WARNING%3A+Ignoring+deprecated+option > > Just before you upgrade them. What versions were you running? > ---- sorry... # rpm -q mailscanner clamav mailscanner-4.71.10-1 clamav-0.94.1-1.el4.rf I would have thought that to be a 'supported combination' Craig From craigwhite at azapple.com Sun Nov 16 16:58:29 2008 
From: craigwhite at azapple.com (Craig White) Date: Sun Nov 16 16:59:00 2008 Subject: strange error message in my mail logs In-Reply-To: <491FDB10.1030504@vanderkooij.org> References: <1226805184.31040.75.camel@lin-workstation.azapple.com> <491FDB10.1030504@vanderkooij.org> Message-ID: <1226854709.31040.112.camel@lin-workstation.azapple.com> On Sun, 2008-11-16 at 09:34 +0100, Hugo van der Kooij wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Craig White wrote: > > Can anyone explain this (this is an installation that has been updated > > several times) > > > > Nov 15 20:09:59 srv MailScanner[17444]: New Batch: Scanning 1 messages, > > 3619 > > bytes > > Nov 15 20:09:59 srv MailScanner[17444]: Virus and Content Scanning: > > Starting > > Nov 15 20:09:59 srv MailScanner[17444]: WARNING: Ignoring deprecated > > option > > --unzip > > This is yet another thread under the subject: I did not upgrade > MailScanner and ClamAV to a supported combination. > > There are plenty of threads on this list that boil down to the same > subject. And Google can find them for you: > http://www.google.com/search?q=Mailscanner+WARNING%3A+Ignoring+deprecated+option > > Just before you upgrade them. What versions were you running? ---- OK - I get it...now downloading 4.72.5-1 didn't realize that the update of ClamAV would generate so much logs and the google link above wasn't really all that helpful. Thanks Craig From maxsec at gmail.com Sun Nov 16 19:08:07 2008 
From: maxsec at gmail.com (Martin Hepworth) Date: Sun Nov 16 19:08:16 2008 Subject: clamd - ./lstat() failed In-Reply-To: <491F5F70.3020401@marcsnet.com> References: <491F57FC.5040902@marcsnet.com> <491F5F70.3020401@marcsnet.com> Message-ID: <72cf361e0811161108i1e4ba180wc1fb6b2fbbb57af6@mail.gmail.com> 2008/11/15 Marc Lucke : > Sorry - should have said: I did change the group to clamav and I did change > the permissions to 0640 as per the instructions. > > I saw that an easy way out is to have clamav run as root, so I did that > rather. > > I'm still interested in anyone's ideas as I'd like to be able to > successfully run clamd as user clamav, but I don't care so much anymore. > > > Cheers > Marc > > > Marc Lucke wrote: >> >> Clamd::ERROR:: UNKNOWN CLAMD RETURN ./lstat() failed. ERROR :: >> /var/spool/MailScanner/incoming/30627 >> >> >> Hi everyone. Wondering if anyone can tell me what this means and how I >> can fix it. >> >> >> Regards >> Marc >> > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > Check the clamd.conf settings that you the "user" set correctly and the "AllowSupplementaryGroups" set to yes. -- Martin Hepworth Oxford, UK From mark at msapiro.net Sun Nov 16 21:27:00 2008 From: mark at msapiro.net (Mark Sapiro) Date: Sun Nov 16 21:27:20 2008 Subject: MailScanner's /usr/sbin/update_spammassassin doesn't restart spamd Message-ID: /usr/sbin/update_spamassassin runs sa-update and possibly sa-compile and then reloads MailScanner, but if the site is using spamd, it seems that spamd should be restarted and isn't. I made the following change to /usr/sbin/update_spamassassin. --- /usr/sbin/update_spamassassin.orig 2008-11-01 12:07:02.000000000 -0700 +++ /usr/sbin/update_spamassassin 2008-11-16 13:07:58.000000000 -0800 
@@ -28,6 +28,11 @@ /etc/init.d/MailScanner reload >>$LOGFILE 2>&1 +# If spamd is running, restart it +if [ -n "$(pidof spamd)" ] ; then + /etc/init.d/spamd restart >>$LOGFILE 2>&1 +fi + rm -f $LOGFILE exit 0 Is this the right thing to do? -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From ms-list at alexb.ch Sun Nov 16 21:40:13 2008 From: ms-list at alexb.ch (Alex Broens) Date: Sun Nov 16 21:38:53 2008 Subject: MailScanner's /usr/sbin/update_spammassassin doesn't restart spamd In-Reply-To: References: Message-ID: <4920933D.1030500@alexb.ch> On 11/16/2008 10:27 PM, Mark Sapiro wrote: > /usr/sbin/update_spamassassin runs sa-update and possibly sa-compile > and then reloads MailScanner, but if the site is using spamd, it seems > that spamd should be restarted and isn't. > > I made the following change to /usr/sbin/update_spamassassin. > > --- /usr/sbin/update_spamassassin.orig 2008-11-01 12:07:02.000000000 > -0700 > +++ /usr/sbin/update_spamassassin 2008-11-16 13:07:58.000000000 > -0800 > @@ -28,6 +28,11 @@ > > /etc/init.d/MailScanner reload >>$LOGFILE 2>&1 > > +# If spamd is running, restart it > +if [ -n "$(pidof spamd)" ] ; then > + /etc/init.d/spamd restart >>$LOGFILE 2>&1 > +fi > + > rm -f $LOGFILE > > exit 0 > > > Is this the right thing to do? dunno about the MS patch but suggest you HUP spamd so it only reloads the rules instead of having to restart completely Alex From mark at msapiro.net Sun Nov 16 23:02:01 2008 
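Review bot: the added "/etc/init.d/spamd restart >>$LOGFILE 2>&1" has its exit status ignored and its output appended to a file that the unchanged "rm -f $LOGFILE" removes two lines later, just before "exit 0", so a restart that stops spamd and then fails to bring it back leaves no trace and the script still reports success. Test the restart's return code and, on failure, keep the log and exit non-zero so cron reports it. The new redirect should also quote the variable ("$LOGFILE"), and the comment could say that the restart runs on every invocation of this part of the script, since nothing in the hunk ties it to rules having actually changed.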
From: mark at msapiro.net (Mark Sapiro) Date: Sun Nov 16 23:02:11 2008 Subject: MailScanner's /usr/sbin/update_spammassassin doesn't restartspamd In-Reply-To: <4920933D.1030500@alexb.ch> Message-ID: Alex Broens wrote: >On 11/16/2008 10:27 PM, Mark Sapiro wrote: >> /usr/sbin/update_spamassassin runs sa-update and possibly sa-compile >> and then reloads MailScanner, but if the site is using spamd, it seems >> that spamd should be restarted and isn't. >> >> I made the following change to /usr/sbin/update_spamassassin. >> >> --- /usr/sbin/update_spamassassin.orig 2008-11-01 12:07:02.000000000 >> -0700 >> +++ /usr/sbin/update_spamassassin 2008-11-16 13:07:58.000000000 >> -0800 
>> @@ -28,6 +28,11 @@ >> >> /etc/init.d/MailScanner reload >>$LOGFILE 2>&1 >> >> +# If spamd is running, restart it >> +if [ -n "$(pidof spamd)" ] ; then >> + /etc/init.d/spamd restart >>$LOGFILE 2>&1 >> +fi >> + >> rm -f $LOGFILE >> >> exit 0 >> >> >> Is this the right thing to do? > >dunno about the MS patch but suggest you HUP spamd so it only reloads >the rules instead of having to restart completely It doesn't seem to make much difference. Here are the log messages from /etc/init.d/spamd restart Nov 16 13:06:01 sbh16 spamd[10751]: spamd: server killed by SIGTERM, shutting down Nov 16 13:06:13 sbh16 spamd[11237]: spamd: server started on port 783/tcp (running version 3.2.5) Nov 16 13:06:13 sbh16 spamd[11237]: spamd: server pid: 11237 Nov 16 13:06:13 sbh16 spamd[11237]: spamd: server successfully spawned child process, pid 11246 Nov 16 13:06:13 sbh16 spamd[11237]: spamd: server successfully spawned child process, pid 11247 and here are the ones from kill -s SIGHUP `cat /var/run/spamd.pid` Nov 16 14:40:15 sbh16 spamd[11237]: spamd: server hit by SIGHUP, restarting Nov 16 14:40:15 sbh16 spamd[11237]: spamd: child 11247 killed successfully Nov 16 14:40:15 sbh16 spamd[11237]: spamd: child 11246 killed successfully Nov 16 14:40:24 sbh16 spamd[12643]: spamd: server started on port 783/tcp (running version 3.2.5) Nov 16 14:40:24 sbh16 spamd[12643]: spamd: server pid: 12643 Nov 16 14:40:24 sbh16 spamd[12643]: spamd: server successfully spawned child process, pid 12647 Nov 16 14:40:24 sbh16 spamd[12643]: spamd: server successfully spawned child process, pid 12648 Perhaps there is some savings, but it appears to be minimal. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From maillists at conactive.com Mon Nov 17 00:32:08 2008 
From: maillists at conactive.com (Kai Schaetzl)
Date: Mon Nov 17 00:32:22 2008
Subject: MailScanner's /usr/sbin/update_spammassassin doesn't restart spamd
In-Reply-To: References: Message-ID:

Mark Sapiro wrote on Sun, 16 Nov 2008 13:27:00 -0800:

> sa-update and possibly sa-compile

doesn't look like an sa-update does an sa-compile, you have to do it
yourself.

> spamd

since when does MS use it? Did I miss something?

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maxsec at gmail.com Mon Nov 17 08:07:56 2008
From: maxsec at gmail.com (Martin Hepworth)
Date: Mon Nov 17 08:08:04 2008
Subject: MailScanner's /usr/sbin/update_spammassassin doesn't restart spamd
In-Reply-To: References: Message-ID: <72cf361e0811170007g49903af8od7eefbd7ee9486ad@mail.gmail.com>

2008/11/17 Kai Schaetzl :
> Mark Sapiro wrote on Sun, 16 Nov 2008 13:27:00 -0800:
>
>> sa-update and possibly sa-compile
>
> doesn't look like an sa-update does an sa-compile, you have to do it
> yourself.
>
>> spamd
>
> since when does MS use it? Did I miss something?
>
> Kai
>
> --
> Kai Schätzl, Berlin, Germany
> Get your web at Conactive Internet Services: http://www.conactive.com
>
>

There is a patch Stevef put out to get MS to use spamd but the vast majority of people will use the perl API to spamassassin as per standard MailScanner.

--
Martin Hepworth
Oxford, UK

From edward at tdcs.com.au Mon Nov 17 08:36:10 2008
From: edward at tdcs.com.au (Edward Dekkers) Date: Mon Nov 17 08:36:38 2008 Subject: MailScanner sometimes strips Outlook attachments? Message-ID: I keep thinking I've hit the nail on the head, then another customer complains there's no attachment. Basically we invoice customers using a program called MYOB, which converts the invoice to a pdf and attaches it to a message to be sent to your default e-mail client (Outlook in this case). This has worked up until we upgraded out server from Ubuntu 8.04 to Ubuntu 8.10. It killed mailscanner and dovecot completely, so I set up both from scratch. I used the deb package from the mailscanner Ubuntu page, then had to get the tarball to fill in the missing wrappers and reports etc. The deb package seems pretty incomplete. Anyway - most warnings are now gone (still complaining about deprecated unrar command even with the latest wrapper), and after installing tnef, it even expands then checks any TNEF attachments (according to the log anyway). IN ALL CASES it says "uninfected - delivered" etc. This was after modifying MailScanner.conf to NOT replace TNEF contents, as that was causing problems with winmail.dat as well. Now - it seems to keep the pdf attachments complete - about 50% of the time. No rhyme or reason, and the log always says all is OK, uninfected and properly delivered, yet it seems something (and I have to presume it's mailscanner), is stripping the pdfs about 50% of the time. I hate non-consistent problems as they are harder to diagnose, but does anyone have any idea what may be causing this? Regards, Ed. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From jonas at vrt.dk Mon Nov 17 09:39:43 2008 
From: jonas at vrt.dk (Jonas Akrouh Larsen) Date: Mon Nov 17 09:39:54 2008 Subject: Question about MS/MW/SA performance Message-ID: <004901c94898$6b680da0$423828e0$@dk> Hi List I recently saw a plugin for spamassassin that might be of interest to the MailScanner community. http://wiki.apache.org/spamassassin/DBIPlugin So as far as I can tell the advantage is that it will keep a persistent connection to any db spamassassin might use (AWL from sql, bayes from sql etc). But I cannot figure out how this relates when you run spamassassin from inside MailScanner (I run it the normal way, not involving spamd or anything else fancy) So would I benefit from this plugin, or does MailScanner already provides its own persistent connection? I run latest MailScanner and latest spamassassin, and I store bayes and awl in mysql. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081117/1ebfe445/attachment.html From jethro.binks at strath.ac.uk Mon Nov 17 10:14:18 2008 
From: jethro.binks at strath.ac.uk (Jethro R Binks) Date: Mon Nov 17 10:14:29 2008 Subject: MailScanner sometimes strips Outlook attachments? In-Reply-To: References: Message-ID: On Mon, 17 Nov 2008, Edward Dekkers wrote: > I keep thinking I've hit the nail on the head, then another customer > complains there's no attachment. ... > I hate non-consistent problems as they are harder to diagnose, but does > anyone have any idea what may be causing this? I haven't paid much attention to your details, but I thought I would mention this. Something I used to see with Outlook Express users of old, and possibly Outlook users now: they often complained that attachments were missing from spam warning reports they were being sent (for low-scoring spam). They would complain by replying to the warning, but almost always I could see the attachment they claimed was missing attached to the reply as expected! It turns out there was a bug in Outlook Express where under some never-discovered circumstances the "paperclip" icon was not being displayed even though attachments were present, and users relied on that to know if an attachment was present. If they went to "File | Save Attachments", the attachments were listed for saving. Maybe something similar happens for Outlook users these days, but I have not heard of more than one report so have not looked into it. Jethro. -- . . . . . . . . . . . . . . . . . . . . . . . . . Jethro R Binks Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK From traced at xpear.de Mon Nov 17 11:02:01 2008 
From: traced at xpear.de (traced)
Date: Mon Nov 17 11:02:14 2008
Subject: Mailscanner with Mailwatch / RPC Problem
Message-ID: <49214F29.7060702@xpear.de>

Hi you,

sorry for mistakes, i'm new to this list here ;)
I try for at least three days to get mailscanner and mailwatch working with XML RPC,
but, everything i do, i get this strange error in the webinterface:

---GOT---
HTTP/1.1 200 OK
Date: Mon, 17 Nov 2008 10:58:10 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-5 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-5
Content-Length: 176
Connection: close
Content-Type: text/html; charset=UTF-8
Catchable fatal error: Object of class xmlrpcval could not be converted to string in /var/www/mailscanner/xmlrpc_1.2/xmlrpcs.inc on line 425
---END--- HEADER: Date: Mon, 17 Nov 2008 10:58:10 GMT HEADER: Server: Apache/2.2.9 (Debian) PHP/5.2.6-5 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g HEADER: X-Powered-By: PHP/5.2.6-5 HEADER: Content-Length: 176 HEADER: Connection: close HEADER: Content-Type: text/html; charset=UTF-8 XML error: Invalid document end at line 2 XML-RPC Error: Invalid return payload: enable debugging to examine incoming payload (XML error: Invalid document end at line 2) Is there someone out there having this setup (Debian Lenny, Mailscanner & Mailwatch newest version & XML RPC) running? Thanks, Bastian From MailScanner at ecs.soton.ac.uk Mon Nov 17 11:38:16 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Nov 17 11:38:38 2008 Subject: Mailscanner with Mailwatch / RPC Problem In-Reply-To: <49214F29.7060702@xpear.de> References: <49214F29.7060702@xpear.de> Message-ID: <492157A8.7050906@ecs.soton.ac.uk> As this is a MailWatch problem, I advise you ask on the MailWatch mailing list. Joining instructions are on the MailWatch website. Jules. On 17/11/08 11:02, traced wrote: > Hi you, > > sorry for mistakes, i?m new ot this list here ;) > I try for at leat three days to get mailscanner and mailwatch working > with XML RPC, > but, everything i do, i geht this strange error in the webinterface: > > ---GOT--- > HTTP/1.1 200 OK > Date: Mon, 17 Nov 2008 10:58:10 GMT > Server: Apache/2.2.9 (Debian) PHP/5.2.6-5 with Suhosin-Patch > mod_ssl/2.2.9 OpenSSL/0.9.8g > X-Powered-By: PHP/5.2.6-5 > Content-Length: 176 > Connection: close > Content-Type: text/html; charset=UTF-8 > >
> Catchable fatal error: Object of class xmlrpcval could not be > converted to string in > /var/www/mailscanner/xmlrpc_1.2/xmlrpcs.inc on line > 425
> > ---END--- > > HEADER: Date: Mon, 17 Nov 2008 10:58:10 GMT > HEADER: Server: Apache/2.2.9 (Debian) PHP/5.2.6-5 with Suhosin-Patch > mod_ssl/2.2.9 OpenSSL/0.9.8g > HEADER: X-Powered-By: PHP/5.2.6-5 > HEADER: Content-Length: 176 > HEADER: Connection: close > HEADER: Content-Type: text/html; charset=UTF-8 > > XML error: Invalid document end at line 2 > XML-RPC Error: Invalid return payload: enable debugging to examine > incoming payload (XML error: Invalid document end at line 2) > > Is there someone out there having this setup (Debian Lenny, > Mailscanner & Mailwatch newest version & XML RPC) running? > > Thanks, > Bastian Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From traced at xpear.de Mon Nov 17 11:53:38 2008 From: traced at xpear.de (traced) Date: Mon Nov 17 11:53:51 2008 Subject: Mailscanner with Mailwatch / RPC Problem In-Reply-To: <492157A8.7050906@ecs.soton.ac.uk> References: <49214F29.7060702@xpear.de> <492157A8.7050906@ecs.soton.ac.uk> Message-ID: <49215B42.2040103@xpear.de> Thanks for your reply! Bastian Julian Field schrieb: > As this is a MailWatch problem, I advise you ask on the MailWatch > mailing list. Joining instructions are on the MailWatch website. > > Jules. 
> > On 17/11/08 11:02, traced wrote: >> Hi you, >> >> sorry for mistakes, i?m new ot this list here ;) >> I try for at leat three days to get mailscanner and mailwatch working >> with XML RPC, >> but, everything i do, i geht this strange error in the webinterface: >> >> ---GOT--- >> HTTP/1.1 200 OK >> Date: Mon, 17 Nov 2008 10:58:10 GMT >> Server: Apache/2.2.9 (Debian) PHP/5.2.6-5 with Suhosin-Patch >> mod_ssl/2.2.9 OpenSSL/0.9.8g >> X-Powered-By: PHP/5.2.6-5 >> Content-Length: 176 >> Connection: close >> Content-Type: text/html; charset=UTF-8 >> >>
>> Catchable fatal error: Object of class xmlrpcval could not be >> converted to string in >> /var/www/mailscanner/xmlrpc_1.2/xmlrpcs.inc on line >> 425
>> >> ---END--- >> >> HEADER: Date: Mon, 17 Nov 2008 10:58:10 GMT >> HEADER: Server: Apache/2.2.9 (Debian) PHP/5.2.6-5 with Suhosin-Patch >> mod_ssl/2.2.9 OpenSSL/0.9.8g >> HEADER: X-Powered-By: PHP/5.2.6-5 >> HEADER: Content-Length: 176 >> HEADER: Connection: close >> HEADER: Content-Type: text/html; charset=UTF-8 >> >> XML error: Invalid document end at line 2 >> XML-RPC Error: Invalid return payload: enable debugging to examine >> incoming payload (XML error: Invalid document end at line 2) >> >> Is there someone out there having this setup (Debian Lenny, >> Mailscanner & Mailwatch newest version & XML RPC) running? >> >> Thanks, >> Bastian > > Jules > From maxsec at gmail.com Mon Nov 17 13:00:23 2008 From: maxsec at gmail.com (Martin Hepworth) Date: Mon Nov 17 13:00:32 2008 Subject: Question about MS/MW/SA performance In-Reply-To: <004901c94898$6b680da0$423828e0$@dk> References: <004901c94898$6b680da0$423828e0$@dk> Message-ID: <72cf361e0811170500p7ee7c07emc2dc5c99ae490d6e@mail.gmail.com> 2008/11/17 Jonas Akrouh Larsen : > Hi List > > > > I recently saw a plugin for spamassassin that might be of interest to the > MailScanner community. > > > > http://wiki.apache.org/spamassassin/DBIPlugin > > > > So as far as I can tell the advantage is that it will keep a persistent > connection to any db spamassassin might use (AWL from sql, bayes from sql > etc). > > > > But I cannot figure out how this relates when you run spamassassin from > inside MailScanner (I run it the normal way, not involving spamd or anything > else fancy) > > > > So would I benefit from this plugin, or does MailScanner already provides > its own persistent connection? > > > > I run latest MailScanner and latest spamassassin, and I store bayes and awl > in mysql. 
> > > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > Jonas, worth a go. Set up as per the instructions and see if indeed your setup goes faster. If it does then it's worth adding it to the wiki - there's a section on getting most out of spamassassin which may be the best place to put info about this and mysql bayes etc. -- Martin Hepworth Oxford, UK From jonas at vrt.dk Mon Nov 17 13:19:03 2008 From: jonas at vrt.dk (Jonas Akrouh Larsen) Date: Mon Nov 17 13:19:17 2008 Subject: Question about MS/MW/SA performance In-Reply-To: <72cf361e0811170500p7ee7c07emc2dc5c99ae490d6e@mail.gmail.com> References: <004901c94898$6b680da0$423828e0$@dk> <72cf361e0811170500p7ee7c07emc2dc5c99ae490d6e@mail.gmail.com> Message-ID: <006801c948b7$0fe8cd60$2fba6820$@dk> References: <004901c94898$6b680da0$423828e0$@dk> <72cf361e0811170500p7ee7c07emc2dc5c99ae490d6e@mail.gmail.com> <006801c948b7$0fe8cd60$2fba6820$@dk> Message-ID: <72cf361e0811170529v29168b5evffb522e9d53bdf2b@mail.gmail.com> 2008/11/17 Jonas Akrouh Larsen : > > < > < > < > > Hehe well yes Martin I could do that, but I was hoping somebody else had > already tried it, or at least had enough insight into the mailscanner code, > jules?, to be able to say if it would be an advantage... > > My time, like everyone else's, is limited :) > Well, if I ran mysql bayes or AWL at all (too many FP's for me with a 200+ users) then I'd try it. But as I don't...
-- Martin Hepworth Oxford, UK From maillists at conactive.com Mon Nov 17 14:17:18 2008 From: maillists at conactive.com (Kai Schaetzl) Date: Mon Nov 17 14:17:30 2008 Subject: Question about MS/MW/SA performance In-Reply-To: <006801c948b7$0fe8cd60$2fba6820$@dk> References: <004901c94898$6b680da0$423828e0$@dk> <72cf361e0811170500p7ee7c07emc2dc5c99ae490d6e@mail.gmail.com> <006801c948b7$0fe8cd60$2fba6820$@dk> Message-ID: Jonas Akrouh Larsen wrote on Mon, 17 Nov 2008 14:19:03 +0100: > Hehe well yes Martin I could do that, but I was hoping somebody else had > already tried it, or at least had enough insight into the mailscanner code, > jules?, to be able to say if it would be an advantage... It indeed looks interesting. From looking at the code I fear it's working only with spamd. I just added it and I don't see such a persistent process, so I think it's indeed not getting invoked when run as part of MS. Ask on the sa-users list for more info, Michael Parker (who also authored the SQL storage module for SA) is listening there. Can you please change to the correct quotemark symbol? Thanks. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From maillists at conactive.com Mon Nov 17 14:38:41 2008 From: maillists at conactive.com (Kai Schaetzl) Date: Mon Nov 17 14:38:53 2008 Subject: MailScanner's /usr/sbin/update_spammassassin doesn't restart spamd In-Reply-To: <72cf361e0811170007g49903af8od7eefbd7ee9486ad@mail.gmail.com> References: <72cf361e0811170007g49903af8od7eefbd7ee9486ad@mail.gmail.com> Message-ID: Martin Hepworth wrote on Mon, 17 Nov 2008 08:07:56 +0000: > There is a patch Stevef put out to get MS to use spamd Found that one and Matt Hampton's as well. May give them a try. Thanks!
Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From uxbod at splatnix.net Mon Nov 17 16:03:08 2008 From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Mon Nov 17 16:03:31 2008 Subject: [OT] SA Rule Message-ID: <28962700.451226937788441.JavaMail.root@office.splatnix.net> Does anybody have a rule for matching sender/recipient combination being the same please? Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From J.Ede at birchenallhowden.co.uk Mon Nov 17 16:03:25 2008 From: J.Ede at birchenallhowden.co.uk (Jason Ede) Date: Mon Nov 17 16:03:44 2008 Subject: Releasing messages from quarantine In-Reply-To: <4920171E.1050806@fsl.com> References: <4919976F.5010201@gmail.com> <4919A819.8080206@fsl.com> <4CAB0118AEC63A4FAAE77E6BCBDF760C7939968D45@server02.bhl.local> <4919B343.50505@fsl.com> <4919BEE1.4050201@ecs.soton.ac.uk> <4919C1D9.9090601@fsl.com> <4919C96A.8090409@ecs.soton.ac.uk> <4919D462.5080007@fsl.com> <4919F69F.4000506@ecs.soton.ac.uk> <491A1F0C.7040800@fsl.com> <4CAB0118AEC63A4FAAE77E6BCBDF760C7952018B00@server02.bhl.local> <4920171E.1050806@fsl.com> Message-ID: <4CAB0118AEC63A4FAAE77E6BCBDF760C7952018B91@server02.bhl.local> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Steve Freegard > Sent: 16 November 2008 12:51 > To: MailScanner discussion > Subject: Re: Releasing messages from quarantine > > Jason Ede wrote: > > Any chance can share the fix? > > V1 was slightly more than a one-liner. Attached patch against > functions.php will remove any Message-ID headers on input to the > sendmail binary.
> > Cheers, > Steve. Steve, Many thanks for this! Jason From edward at tdcs.com.au Mon Nov 17 22:13:24 2008 From: edward at tdcs.com.au (Edward Dekkers) Date: Mon Nov 17 22:13:56 2008 Subject: MailScanner sometimes strips Outlook attachments? In-Reply-To: References: Message-ID: > I haven't paid much attention to your details, but I thought I would > mention this. > > Something I used to see with Outlook Express users of old, and possibly > Outlook users now: they often complained that attachments were missing > from spam warning reports they were being sent (for low-scoring spam). > They would complain by replying to the warning, but almost always I > could > see the attachment they claimed was missing attached to the reply as > expected! > > It turns out there was a bug in Outlook Express where under some > never-discovered circumstances the "paperclip" icon was not being > displayed even though attachments were present, and users relied on > that > to know if an attachment was present. If they went to "File | Save > Attachments", the attachments were listed for saving. Maybe something > similar happens for Outlook users these days, but I have not heard of > more > than one report so have not looked into it. > > Jethro. It's one thing to check at least Jethro - I'll see what the customer is running as a mail client. Thanks for the reply - at least I have some direction to look in to now. If this remains a problem (iow if that's not the problem), I'll come back to the list and see if there's any other explanation. Regards, Ed. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ssilva at sgvwater.com Tue Nov 18 00:18:35 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Tue Nov 18 00:18:55 2008 Subject: MailScanner sometimes strips Outlook attachments? 
In-Reply-To: References: Message-ID: on 11-17-2008 12:36 AM Edward Dekkers spake the following: > I keep thinking I've hit the nail on the head, then another customer > complains there's no attachment. > > Basically we invoice customers using a program called MYOB, which converts > the invoice to a pdf and attaches it to a message to be sent to your default > e-mail client (Outlook in this case). > > This has worked up until we upgraded our server from Ubuntu 8.04 to Ubuntu > 8.10. It killed mailscanner and dovecot completely, so I set up both from > scratch. > > I used the deb package from the mailscanner Ubuntu page, then had to get the > tarball to fill in the missing wrappers and reports etc. The deb package > seems pretty incomplete. Since mailscanner doesn't seem to have an Ubuntu page, could you be looking at Ubuntu's mailscanner page? I see tons of posts about the Ubuntu packager's version of MailScanner. Since Julian only creates the tarballs, and the two RPM based packages, the Ubuntu packager is missing some things. I have heard that the Debian "backports" package is somewhat better, but I do not run Debian or Ubuntu. > > Anyway - most warnings are now gone (still complaining about deprecated > unrar command even with the latest wrapper), and after installing tnef, it > even expands then checks any TNEF attachments (according to the log anyway). > > IN ALL CASES it says "uninfected - delivered" etc. This was after modifying > MailScanner.conf to NOT replace TNEF contents, as that was causing problems > with winmail.dat as well. This might be perl module problems. MailScanner can be picky on which modules work properly. > > Now - it seems to keep the pdf attachments complete - about 50% of the time. > No rhyme or reason, and the log always says all is OK, uninfected and > properly delivered, yet it seems something (and I have to presume it's > mailscanner), is stripping the pdfs about 50% of the time.
Again-- more than likely Mimetools or another perl module. Especially since you had it working before the upgrade to 8.10. If mailscanner strips an attachment, it logs it. > > I hate non-consistent problems as they are harder to diagnose, but does > anyone have any idea what may be causing this? > > Regards, > Ed. > > Maybe it would be easier to try the tarball of the latest version instead of the .deb package. The maintainer will probably get it fixed if he gets enough complaints and actually wants to fix it. All indications are that the Ubuntu package is horribly dysfunctional. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Tue Nov 18 00:22:18 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Tue Nov 18 00:25:14 2008 Subject: Question about MS/MW/SA performance In-Reply-To: <006801c948b7$0fe8cd60$2fba6820$@dk> References: <004901c94898$6b680da0$423828e0$@dk> <72cf361e0811170500p7ee7c07emc2dc5c99ae490d6e@mail.gmail.com> <006801c948b7$0fe8cd60$2fba6820$@dk> Message-ID: on 11-17-2008 5:19 AM Jonas Akrouh Larsen spake the following: > < > < > < > > Hehe well yes Martin I could do that, but I was hoping somebody else had > already tried it, or at least had enough insight into the mailscanner code, > jules?, to be able to say if it would be an advantage... > > My time, like everyone else's, is limited :) > > Since the default for MailScanner is to use spamassassin modules directly, there is no persistence that can be capitalized on except for normal filesystem caching when things are repeatedly opened and closed. If you use the patches floating around to use spamd, it might be of more help.
-- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From edward at tdcs.com.au Tue Nov 18 00:46:12 2008 From: edward at tdcs.com.au (Edward Dekkers) Date: Tue Nov 18 00:46:54 2008 Subject: MailScanner sometimes strips Outlook attachments? In-Reply-To: References: Message-ID: > Since mailscanner doesn't seem to have an Ubuntu page, could you be > looking at > Ubuntu's mailscanner page? I'm looking here: http://www.mailscanner.info/ubuntu.html This is part of the MailScanner web site - no? > I see tons of posts about the Ubuntu > packagers > version of MailScanner. Since Julian only creates the tarballs, and the > two > RPM based packages, the Ubuntu packager is missing some things. I have > heard > that the Debian "backports" package is somewhat better, but I do not > run > Debian or Ubuntu. > > > > Anyway - most warnings are now gone (still complaining about > deprecated > > unrar command even with the latest wrapper), and after installing > tnef, it > > even expands then checks any TNEF attachments (according to the log > anyway). > > > > IN ALL CASES it says "uninfected - delivered" etc. This was after > modifying > > MailScanner.conf to NOT replace TNEF contents, as that was causing > problems > > with winmail.dat as well. > This might be perl module problems. MailScanner can be picky on which > modules > work properly. > > > > Now - it seems to keep the pdf attachments complete - about 50% of > the time. > > No rhyme or reason, and the log always says all is OK, uninfected and > > properly delivered, yet it seems something (and I have to presume > it's > > mailscanner), is stripping the pdfs about 50% of the time.
> Again-- more than likely Mimetools or another perl module. Especially > since > you had it working before the upgrade to 8.10. If mailscanner strips an > attachment, it logs it. > > > > I hate non-consistent problems as they are harder to diagnose, but > does > > anyone have any idea what may be causing this? > > > > Regards, > > Ed. > > > > > Maybe it would be easier to try the tarball of the latest version > instead of > the .deb package. The maintainer will probably get it fixed if he gets > enough > complaints and actually wants to fix it. All indications are that the > Ubuntu > package is horribly dysfunctional. Worse thing is - I can't seem to find anywhere which properly describes where things are supposed to go. The Ubuntu package seems to put the configuration in /etc/MailScanner, and the rest in /usr/share/MailScanner. On my previous setup, where I did use the tarball and some Ubuntu specific instructions, put everything in /opt, but even this caused eyebrow lifts when I discussed these directories on this very list. And the webmin MailScanner module certainly doesn't use the /opt directory by default either - I remember changing all of that the first time. I guess it comes down to whose logic you follow. I believe FIRMLY that all configuration should be in /etc, but as to the rest of MailScanner - whatever is given me is what I work with. I've even gone so far as to create symlinks and change wrapper scripts to make this all work. Anyway, going OT here. Will have a look at your suggestions and post back if I make any progress. Regards, Ed. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
From mark at msapiro.net Tue Nov 18 16:29:45 2008 From: mark at msapiro.net (Mark Sapiro) Date: Tue Nov 18 16:29:55 2008 Subject: MailScanner's /usr/sbin/update_spammassassin doesn't restart spamd In-Reply-To: References: Message-ID: <20081118162945.GA3364@msapiro> On Mon, Nov 17, 2008 at 01:32:08AM +0100, Kai Schaetzl wrote: > Mark Sapiro wrote on Sun, 16 Nov 2008 13:27:00 -0800: > > > sa-update and possibly sa-compile > > doesn't look like an sa-update does an sa-compile, you have to do it > yourself. It does the sa-compile if you have an uncommented loadplugin Mail::SpamAssassin::Plugin::Rule2XSBody in /etc/mail/spamassassin/*pre > > spamd > > since when does MS use it? Did I miss something? You're correct. It requires a patch. I was confused between spamd and clamd. -- Mark Sapiro mark at msapiro net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From maillists at conactive.com Tue Nov 18 22:31:21 2008 From: maillists at conactive.com (Kai Schaetzl) Date: Tue Nov 18 22:31:30 2008 Subject: MailScanner's /usr/sbin/update_spammassassin doesn't restart spamd In-Reply-To: <20081118162945.GA3364@msapiro> References: <20081118162945.GA3364@msapiro> Message-ID: Mark Sapiro wrote on Tue, 18 Nov 2008 08:29:45 -0800: > It does the sa-compile if you have an uncommented > > loadplugin Mail::SpamAssassin::Plugin::Rule2XSBody > > in /etc/mail/spamassassin/*pre I don't see this. Where's your knowledge from? Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From rick at duvals.ca Wed Nov 19 15:45:32 2008 From: rick at duvals.ca (Rick Duval) Date: Wed Nov 19 15:45:41 2008 Subject: Cannot find Socket (/tmp/clamd) Message-ID: <4baa40ce0811190745t4367c707na3d62a864f8b1e65@mail.gmail.com> Tailing the maillog I get Cannot find Socket (/tmp/clamd) Exiting! I'm using MailScanner 4.68.8 Can someone help me with this?
Thanks From mark at msapiro.net Wed Nov 19 15:46:55 2008 From: mark at msapiro.net (Mark Sapiro) Date: Wed Nov 19 15:47:03 2008 Subject: MailScanner's /usr/sbin/update_spammassassin doesn't restart spamd In-Reply-To: References: <20081118162945.GA3364@msapiro> Message-ID: <20081119154655.GA412@msapiro> On Tue, Nov 18, 2008 at 11:31:21PM +0100, Kai Schaetzl wrote: > Mark Sapiro wrote on Tue, 18 Nov 2008 08:29:45 -0800: > > > It does the sa-compile if you have an uncommented > > > > loadplugin Mail::SpamAssassin::Plugin::Rule2XSBody > > > > in /etc/mail/spamassassin/*pre > > I don't see this. Where's your knowledge from? > The following in /usr/sbin/update_spamassassin

# If we have sa-compile and they are using the Rule2XSBody plugin then compile
if test -x $SACOMPILE && grep -q '^loadplugin.*Rule2XSBody' /etc/mail/spamassassin/*pre 2>/dev/null ; then
  $SACOMPILE >>$LOGFILE 2>&1
fi

-- Mark Sapiro mark at msapiro net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From maxsec at gmail.com Wed Nov 19 16:18:25 2008 From: maxsec at gmail.com (Martin Hepworth) Date: Wed Nov 19 16:18:34 2008 Subject: Cannot find Socket (/tmp/clamd) In-Reply-To: <4baa40ce0811190745t4367c707na3d62a864f8b1e65@mail.gmail.com> References: <4baa40ce0811190745t4367c707na3d62a864f8b1e65@mail.gmail.com> Message-ID: <72cf361e0811190818n715716e5q4808999a66ed3746@mail.gmail.com> 2008/11/19 Rick Duval : > Tailing the maillog I get > > Cannot find Socket (/tmp/clamd) Exiting! > > I'm using MailScanner 4.68.8 > > Can someone help me with this? > > Thanks
> Hi check your clamd setup (clamd.conf) has the socket in the same location as you've defined in MailScanner.conf -- Martin Hepworth Oxford, UK From stef at aoc-uk.com Wed Nov 19 16:21:32 2008 From: stef at aoc-uk.com (Stef Morrell) Date: Wed Nov 19 16:21:45 2008 Subject: Cannot find Socket (/tmp/clamd) In-Reply-To: References: Message-ID: <200811191621.mAJGLYDi018166@safir.blacknight.ie> Rick Duval wrote: > Tailing the maillog I get > > Cannot find Socket (/tmp/clamd) Exiting! > > I'm using MailScanner 4.68.8 > > Can someone help me with this? You need to ensure that the settings in MailScanner.conf:

# Clamd only: configuration options for using the clamd daemon.
# 1. The port to use when communicating with clamd via TCP connection
# 2. The Socket, or IP to use for communicating with the clamd Daemon.
#    You enter either the full path to the UNIX socket file or the IP
#    address the daemon is listening on.
# 3. The ClamD Lock file should be created by clamd init script in most
#    cases. If it is not then the entry should be blank.
# 4. If MailScanner is running on a system with more then 1 CPU core (or
#    more than 1 CPU) then you can set "Clamd Use Threads" to "yes" to
#    speed up the scanning, otherwise there is no advantage and it should
#    be set to "no".
#
# None of these options can be the filenames of rulesets, they must be just
# simple values.
Clamd Port = 3310
Clamd Socket = /tmp/clamd

are the same as the settings in clamd.conf:

# Path to a local socket file the daemon will listen on.
# Default: disabled
LocalSocket /tmp/clamd

Regards Stef -- Stefan Morrell | Operations Director Tel: 0845 3452820 | Alpha Omega Computers Ltd Fax: 0845 3452830 | Incorporating Level 5 Internet stef@aoc-uk.com | stef@l5net.net Standard Disclaimer: http://www.aoc-uk.com/16.asp Alpha Omega Computers Ltd, Unit 57, BBTC, Grange Road, Batley, WF17 6ER. Registered in England No. 3867142. VAT No.
GB734421454 From maxsec at gmail.com Wed Nov 19 16:28:51 2008 From: maxsec at gmail.com (Martin Hepworth) Date: Wed Nov 19 16:29:01 2008 Subject: Cannot find Socket (/tmp/clamd) In-Reply-To: <200811191621.mAJGLYDi018166@safir.blacknight.ie> References: <200811191621.mAJGLYDi018166@safir.blacknight.ie> Message-ID: <72cf361e0811190828j529f3d2bm872e0048010ec5cc@mail.gmail.com> 2008/11/19 Stef Morrell : > Rick Duval wrote: >> Tailing the maillog I get >> >> Cannot find Socket (/tmp/clamd) Exiting! >> >> I'm using MailSCanner 4.68.8 >> >> Can someone help me with this? > > You need to ensure that the settings in MailScanner.conf: > > # Clamd only: configuration options for using the clamd daemon. > # 1. The port to use when communicating with clamd via TCP connection > # 2. The Socket, or IP to use for communicating with the clamd Daemon. > # You enter either the full path to the UNIX socket file or the IP > # address the daemon is listening on. > # 3. The ClamD Lock file should be created by clamd init script in most > # cases. If it is not then the entry should be blank. > # 4. If MailScanner is running on a system with more then 1 CPU core (or > # more than 1 CPU) then you can set "Clamd Use Threads" to "yes" to > # speed up the scanning, otherwise there is no advantage and it > should > # be set to "no". > # > # None of these options can be the filenames of rulesets, they must be > just > # simple values. > Clamd Port = 3310 > Clamd Socket = /tmp/clamd > > Are the same as the settings in clamd.conf: > > # Path to a local socket file the daemon will listen on. > # Default: disabled > LocalSocket /tmp/clamd > > Regards > > Stef > -- > Stefan Morrell | Operations Director > Tel: 0845 3452820 | Alpha Omega Computers Ltd > Fax: 0845 3452830 | Incorporating Level 5 Internet > stef@aoc-uk.com | stef@l5net.net > > Standard Disclaimer: http://www.aoc-uk.com/16.asp > > Alpha Omega Computers Ltd, Unit 57, BBTC, Grange Road, Batley, WF17 6ER. > Registered in England No. 
3867142. VAT No. GB734421454 > Stef, and you're running clamd as what user? And is this user consistent with what you've got set up in MailScanner.conf? -- Martin Hepworth Oxford, UK From ecasarero at gmail.com Wed Nov 19 17:05:40 2008 From: ecasarero at gmail.com (Eduardo Casarero) Date: Wed Nov 19 17:05:51 2008 Subject: Cannot find Socket (/tmp/clamd) In-Reply-To: <4baa40ce0811190745t4367c707na3d62a864f8b1e65@mail.gmail.com> References: <4baa40ce0811190745t4367c707na3d62a864f8b1e65@mail.gmail.com> Message-ID: <7d9b3cf20811190905x7fbddebdp1204be1587074cc6@mail.gmail.com> Some clamav installations put the socket in /tmp/clamd.socket by default and MS config has /tmp/clamd; make them match. 2008/11/19 Rick Duval > Tailing the maillog I get > > Cannot find Socket (/tmp/clamd) Exiting! > > I'm using MailScanner 4.68.8 > > Can someone help me with this? > > Thanks From cbarber at techquility.net Wed Nov 19 17:08:37 2008 From: cbarber at techquility.net (Chris Barber) Date: Wed Nov 19 17:08:49 2008 Subject: Message rules don't work, but if message forwarded, it does???
In-Reply-To: <223f97700811061050x5ca2b8a6t98d115ad27b450ea@mail.gmail.com> References: <4910E415.4050502@rheel.co.nz><43F62CA225017044BC84CFAF92B4333B035FB3@sbsserver.Techquility.net><223f97700811051117g2d4b91c5g4cda816ac8e2e862@mail.gmail.com><43F62CA225017044BC84CFAF92B4333B035FB8@sbsserver.Techquility.net><223f97700811051419r7982975fi34b25598b91ed1ca@mail.gmail.com><43F62CA225017044BC84CFAF92B4333B035FBC@sbsserver.Techquility.net> <223f97700811061050x5ca2b8a6t98d115ad27b450ea@mail.gmail.com> Message-ID: <43F62CA225017044BC84CFAF92B4333B036074@sbsserver.Techquility.net> 2008/11/6 Chris Barber : >> >> >> Glenn, >> >> Thanks for the reply. You had me scared for a second there, but no > there >> was no white listing going on. I verified the envelope addresses. This >> issue seems to happen randomly a least a couple times a day to some >> users. >> >> Any other ideas? >> >> Thanks, >> Chris >> >>Didn't mean to scare you, just point at one (semi-obvious:-) > possibility....:-) >>When it happens do you see anything ... curious .... in the logs? >>Nothing about "Unscanned" messages or timeouts or suchlike? >>Also... Tell a bit about versions etc, since this just might be a >>known bug/issue... >> >>Cheers >>-- >>-- Glenn >>email: glenn < dot > steen < at > gmail < dot > com >>work: glenn < dot > steen < at > ap1 < dot > se > > > I don't see anything unusual in the logs. No timeouts and nothing about > unscanned that I can see. MailScanner processes the message normally it > seems. 
> > It gets an SA score, but the only rules that hit are:
> 0.10 BAYES_50 Bayesian spam probability is 40 to 60%
> 0.00 HTML_MESSAGE HTML included in message
> -0.00 SPF_PASS SPF: sender matches SPF record
> > Then when the same message is forwarded to me from the user, (Through > the same MailScanner server) the rule hits show:
> -0.74 BAYES_20 Bayesian spam probability is 5 to 20%
> 0.00 HTML_MESSAGE HTML included in message
> 2.96 URIBL_BLACK Contains an URL listed in the URIBL blacklist
> 3.50 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
> > Notice that now the URL is being detected, but why not before? > > Versions: > Cent OS 5.2 > MailScanner 4.72.5 > Spamassassin 3.2.5 > Perl 5.8.8 > MIME::Tools 5.427 > HTML::Parser 3.56 > > Let me know if there are versions of anything else you would like to see > > Thanks! > Chris > >Could perhaps be a "timing issue"....:-) >Meaning the URI wasn't in the BL when MS first asked... but when the >user resent it to you.... the BL had been updated. These things have a >tendency to be really short-lived and ... bursty... so if there is any >somewhat significant amount of time between the initial mail and the >user forwarding it to you... say a few hours... that might explain it >all. >In which case... all is well ...:-) > >Cheers >-- >-- Glenn >email: glenn < dot > steen < at > gmail < dot > com >work: glenn < dot > steen < at > ap1 < dot > se I agree that this timing issue is probably the cause for some of these. However there are many of these for one of my users almost every day. I have her forwarding them to me right after she gets them and they are blocked. Scott mentioned running MailScanner --lint, MailScanner --debug --debug-sa I did this and I don't see any errors. I can see the URI_OB_SURBL rule (for example) run and successfully score the message. Is it possible that this is timing out sometimes?
I have not seen a timeout but I am grasping at straws at this point to figure out why the URL in the message seems to be ignored the first time, then 5 min later when the message is forwarded back to me (Going through the same MailScanner server), it gets caught? Thanks, Chris From maillists at conactive.com Wed Nov 19 17:31:19 2008 From: maillists at conactive.com (Kai Schaetzl) Date: Wed Nov 19 17:31:33 2008 Subject: MailScanner's /usr/sbin/update_spammassassin doesn't restart spamd In-Reply-To: <20081119154655.GA412@msapiro> References: <20081118162945.GA3364@msapiro> <20081119154655.GA412@msapiro> Message-ID: Mark Sapiro wrote on Wed, 19 Nov 2008 07:46:55 -0800: > The following in /usr/sbin/update_spamassassin Oh, I missed that part in your original message. I have an old version of that script in /etc/cron.daily which lacks this section and was assuming you meant to say that sa-update itself is compiling after the download. Thanks for reminding me of that location. Kai -- Kai Sch?tzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From stef at aoc-uk.com Wed Nov 19 17:39:27 2008 From: stef at aoc-uk.com (Stef Morrell) Date: Wed Nov 19 17:39:38 2008 Subject: Cannot find Socket (/tmp/clamd) In-Reply-To: References: <200811191621.mAJGLYDi018166@safir.blacknight.ie> Message-ID: <200811191739.mAJHdU2f020719@safir.blacknight.ie> Martin Hepworth wrote: > 2008/11/19 Stef Morrell : >> Rick Duval wrote: >>> Tailing the maillog I get >>> >>> Cannot find Socket (/tmp/clamd) Exiting! >>> >>> I'm using MailSCanner 4.68.8 >>> >>> Can someone help me with this? >> >> You need to ensure that the settings in MailScanner.conf: >> > > Stef > and you're running clamd as what user? and is this user is > consistent with what you've got setup in MailScanner.conf? > Martin - I'm confused. I was trying to answer Rick's question. Looks like we pressed "send" fairly well at the same time. 
My setup is working just fine :) Seeing as you ask, I suspect clamd is running as root. I installed it from Jules' SA+Clam then added a start stop script into /etc/rc. Possibly not the most secure, but as I have no local users to exploit it, I don't much care. MailScanner runs as Postfix. Stef -- Stefan Morrell | Operations Director Tel: 0845 3452820 | Alpha Omega Computers Ltd Fax: 0845 3452830 | Incorporating Level 5 Internet stef@aoc-uk.com | stef@l5net.net Standard Disclaimer: http://www.aoc-uk.com/16.asp Alpha Omega Computers Ltd, Unit 57, BBTC, Grange Road, Batley, WF17 6ER. Registered in England No. 3867142. VAT No. GB734421454 From ssilva at sgvwater.com Wed Nov 19 20:05:12 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Wed Nov 19 20:05:33 2008 Subject: Message rules don't work, but if message forwarded, it does??? In-Reply-To: <43F62CA225017044BC84CFAF92B4333B036074@sbsserver.Techquility.net> References: <4910E415.4050502@rheel.co.nz><43F62CA225017044BC84CFAF92B4333B035FB3@sbsserver.Techquility.net><223f97700811051117g2d4b91c5g4cda816ac8e2e862@mail.gmail.com><43F62CA225017044BC84CFAF92B4333B035FB8@sbsserver.Techquility.net><223f97700811051419r7982975fi34b25598b91ed1ca@mail.gmail.com><43F62CA225017044BC84CFAF92B4333B035FBC@sbsserver.Techquility.net> <223f97700811061050x5ca2b8a6t98d115ad27b450ea@mail.gmail.com> <43F62CA225017044BC84CFAF92B4333B036074@sbsserver.Techquility.net> Message-ID: > I agree that this timing issue is probably the cause for some of these. > However there are many of these for one of my users almost every day. I > have her forwarding them to me right after she gets them and they are > blocked. > > Scott mentioned running MailScanner --lint, MailScanner --debug > --debug-sa > I did this and I don't see any errors. I can see the URI_OB_SURBL rule > (for example) run and successfully score the message. Is it possible > that this is timing out sometimes? 
I have not seen a timeout but I am > grasping at straws at this point to figure out why the URL in the > message seems to be ignored the first time, then 5 min later when the > message is forwarded back to me (Going through the same MailScanner > server), it gets caught? > > Thanks, > Chris > Is the server natted? Does it have a real public IP address or is it port forwarded from another server? Can you follow the chain of the headers back on both a missed message and after it has been forwarded to you? I am still leaning toward this being some sort of trust path issue in spamassassin, although it could be a net timeout. The lookup might time out just before the result comes back, and on the resend the lookup is in the local cache and hits. Have you tried setting your spamassassin timeouts longer? Do you have any full examples of a missed message, and one that hits right afterwards? Either full queue files or complete RFC 822 (2822) messages. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From cbarber at techquility.net Thu Nov 20 01:20:21 2008 From: cbarber at techquility.net (Chris Barber) Date: Thu Nov 20 01:20:34 2008 Subject: Message rules don't work, but if message forwarded, it does???
In-Reply-To: References: <4910E415.4050502@rheel.co.nz><43F62CA225017044BC84CFAF92B4333B035FB3@sbsserver.Techquility.net><223f97700811051117g2d4b91c5g4cda816ac8e2e862@mail.gmail.com><43F62CA225017044BC84CFAF92B4333B035FB8@sbsserver.Techquility.net><223f97700811051419r7982975fi34b25598b91ed1ca@mail.gmail.com><43F62CA225017044BC84CFAF92B4333B035FBC@sbsserver.Techquility.net> <223f97700811061050x5ca2b8a6t98d115ad27b450ea@mail.gmail.com><43F62CA225017044BC84CFAF92B4333B036074@sbsserver.Techquility.net> Message-ID: <43F62CA225017044BC84CFAF92B4333B03607E@sbsserver.Techquility.net> > I agree that this timing issue is probably the cause for some of these. > However there are many of these for one of my users almost every day. > I have her forwarding them to me right after she gets them and they > are blocked. > > Scott mentioned running MailScanner --lint, MailScanner --debug > --debug-sa I did this and I don't see any errors. I can see the > URI_OB_SURBL rule (for example) run and successfully score the > message. Is it possible that this is timing out sometimes? I have not > seen a timeout but I am grasping at straws at this point to figure out > why the URL in the message seems to be ignored the first time, then 5 > min later when the message is forwarded back to me (Going through the > same MailScanner server), it gets caught? > > Thanks, > Chris > >Is the server natted? Does it have a real public IP address or is it port forwarded from another server? > >Can you follow the chain of the headers back on both a missed message and after it has been forwarded to you? > >I am still leaning toward this being some sort of trust path issue in spamassassin, although it could be a net timeout. The lookup might time out >just before the result comes back, and on the resend the lookup is in the local cache and hits. Have you tried setting your spammassassin timeouts >longer? > >Do you have any full examples of a missed message, and one that hits right afterwards? 
Either full queue files or complete RFC 822 (2822) messages. Thanks for the reply. Yes this server is natted behind a Cisco ASA. Port 25 is forwarded to the MailScanner machine. Out of curiosity, where are you headed with this question? I followed the headers and it looks correct. I can see the message travel to my MailScanner server and then on to the customers mail server. On the forwarded message, I see it go from the customers mail server directly to my MailScanner server and then on to my internal mail server. Is this what you mean by follow the chain? I actually have increased my Spamassassin timeout to 120 seconds. Is there some other type of timeout I should/could be watching for? I've attached the message queue files and named them accordingly. Let me know if this is not the format you requested. Thanks again for the assistance! Chris -------------- next part -------------- A non-text attachment was scrubbed... Name: messages.tar Type: application/x-tar Size: 9728 bytes Desc: messages.tar Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081119/95657bb8/messages.tar From cbarber at techquility.net Thu Nov 20 01:26:50 2008 From: cbarber at techquility.net (Chris Barber) Date: Thu Nov 20 01:27:02 2008 Subject: How to test RBL lookups in MailScanner? 
In-Reply-To: References: <4910E415.4050502@rheel.co.nz><43F62CA225017044BC84CFAF92B4333B035FB3@sbsserver.Techquility.net><223f97700811051117g2d4b91c5g4cda816ac8e2e862@mail.gmail.com><43F62CA225017044BC84CFAF92B4333B035FB8@sbsserver.Techquility.net><223f97700811051419r7982975fi34b25598b91ed1ca@mail.gmail.com><43F62CA225017044BC84CFAF92B4333B035FBC@sbsserver.Techquility.net> <223f97700811061050x5ca2b8a6t98d115ad27b450ea@mail.gmail.com><43F62CA225017044BC84CFAF92B4333B036074@sbsserver.Techquility.net> Message-ID: <43F62CA225017044BC84CFAF92B4333B03607F@sbsserver.Techquility.net> Hi All, This might be obvious and I apologize in advance, but how can I test if MailScanner is testing messages for RBL (Spam List)? I tried running MailScanner --debug --debug-sa and I don't see anything about it, unless I'm missing something. I normally have my MTA do RBL lookups but there are a few other lists I want to try out. I don't want to try a new list on the MTA since it outright rejects messages that hit the lists. For testing purposes, I want MailScanner to check these other RBL's and then quarantine the message. My users can then release the message if it is a false positive. Once satisfied with a list choice, I'll then move it to the MTA. Running MailScanner version 4.72.5 I have enabled the Spam List option and I populated the spam.lists.conf file with the new RBL I want to test. Thanks, Chris From maxsec at gmail.com Thu Nov 20 09:25:46 2008 From: maxsec at gmail.com (Martin Hepworth) Date: Thu Nov 20 09:25:55 2008 Subject: How to test RBL lookups in MailScanner? 
In-Reply-To: <43F62CA225017044BC84CFAF92B4333B03607F@sbsserver.Techquility.net> References: <4910E415.4050502@rheel.co.nz> <43F62CA225017044BC84CFAF92B4333B035FB3@sbsserver.Techquility.net> <223f97700811051117g2d4b91c5g4cda816ac8e2e862@mail.gmail.com> <43F62CA225017044BC84CFAF92B4333B035FB8@sbsserver.Techquility.net> <223f97700811051419r7982975fi34b25598b91ed1ca@mail.gmail.com> <43F62CA225017044BC84CFAF92B4333B035FBC@sbsserver.Techquility.net> <223f97700811061050x5ca2b8a6t98d115ad27b450ea@mail.gmail.com> <43F62CA225017044BC84CFAF92B4333B036074@sbsserver.Techquility.net> <43F62CA225017044BC84CFAF92B4333B03607F@sbsserver.Techquility.net> Message-ID: <72cf361e0811200125u3499ac00x3f7e979ff42df4d8@mail.gmail.com> 2008/11/20 Chris Barber : > Hi All, > > This might be obvious and I apologize in advance, but how can I test if MailScanner is testing messages for RBL (Spam List)? I tried running MailScanner --debug --debug-sa and I don't see anything about it, unless I'm missing something. > > I normally have my MTA do RBL lookups but there are a few other lists I want to try out. I don't want to try a new list on the MTA since it outright rejects messages that hit the lists. For testing purposes, I want MailScanner to check these other RBL's and then quarantine the message. My users can then release the message if it is a false positive. Once satisfied with a list choice, I'll then move it to the MTA. > > Running MailScanner version 4.72.5 > I have enabled the Spam List option and I populated the spam.lists.conf file with the new RBL I want to test. > > Thanks, > Chris > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > I find the best way is to do the RBL's in spamassassin, the way it adds to the score.
You can use multiple RBLs in mailscanner and then say it must hit at least 2 before it's marked as spam, but I prefer the spamassassin way. -- Martin Hepworth Oxford, UK From rick at duvals.ca Thu Nov 20 12:45:57 2008 From: rick at duvals.ca (Rick Duval) Date: Thu Nov 20 12:46:06 2008 Subject: Cannot find Socket (/tmp/clamd) In-Reply-To: <7d9b3cf20811190905x7fbddebdp1204be1587074cc6@mail.gmail.com> References: <4baa40ce0811190745t4367c707na3d62a864f8b1e65@mail.gmail.com> <7d9b3cf20811190905x7fbddebdp1204be1587074cc6@mail.gmail.com> Message-ID: <4baa40ce0811200445l4d9a403ekbb53ecb0a15afe7d@mail.gmail.com> In the /tmp dir there is a clamd.socket but no clamd. Should I just rename the file (Which is 0 bytes btw) or change both MS and clamd.conf? On Wed, Nov 19, 2008 at 12:05 PM, Eduardo Casarero wrote: > some clamav installations put the socket in /tmp/clamd.socket by default an From maxsec at gmail.com Thu Nov 20 12:57:16 2008 From: maxsec at gmail.com (Martin Hepworth) Date: Thu Nov 20 12:57:25 2008 Subject: Cannot find Socket (/tmp/clamd) In-Reply-To: <4baa40ce0811200445l4d9a403ekbb53ecb0a15afe7d@mail.gmail.com> References: <4baa40ce0811190745t4367c707na3d62a864f8b1e65@mail.gmail.com> <7d9b3cf20811190905x7fbddebdp1204be1587074cc6@mail.gmail.com> <4baa40ce0811200445l4d9a403ekbb53ecb0a15afe7d@mail.gmail.com> Message-ID: <72cf361e0811200457g27c0bbaag3ceae1b8aa6c6032@mail.gmail.com> 2008/11/20 Rick Duval : > In the /tmp dir there is a clamd.socket but no clamd. > > Should I just rename the file (Which is 0 bytes btw) or change both MS > and clamd.conf? > > On Wed, Nov 19, 2008 at 12:05 PM, Eduardo Casarero wrote: >> some clamav installations put the socket in /tmp/clamd.socket by default an
> Rick change either one, doesn't matter which as long as they are consistent. -- Martin Hepworth Oxford, UK From gulenler at boun.edu.tr Thu Nov 20 13:02:03 2008 From: gulenler at boun.edu.tr (Berk Gulenler) Date: Thu Nov 20 13:02:15 2008 Subject: Cannot find Socket (/tmp/clamd) In-Reply-To: <4baa40ce0811200445l4d9a403ekbb53ecb0a15afe7d@mail.gmail.com> References: <4baa40ce0811190745t4367c707na3d62a864f8b1e65@mail.gmail.com> <7d9b3cf20811190905x7fbddebdp1204be1587074cc6@mail.gmail.com> <4baa40ce0811200445l4d9a403ekbb53ecb0a15afe7d@mail.gmail.com> Message-ID: <49255FCB.2020803@boun.edu.tr> You have to change the conf file of MS like -> Clamd Socket = /tmp/clamd.socket Rick Duval wrote: > In the /tmp dir there is a clamd.socket but no clamd. > > Should I just rename the file (Which is 0 bytes btw) or change both MS > and clamd.conf? > > On Wed, Nov 19, 2008 at 12:05 PM, Eduardo Casarero wrote: > >> some clamav installations put the socket in /tmp/clamd.socket by default an >> -- Berk Gulenler System Administrator Bogazici University Computer Center Phone: +90 212 359 47 20 Fax: +90 212 257 50 21 E-mail: gulenler@boun.edu.tr From rick at duvals.ca Thu Nov 20 13:30:06 2008 From: rick at duvals.ca (Rick Duval) Date: Thu Nov 20 13:30:17 2008 Subject: Cannot find Socket (/tmp/clamd) In-Reply-To: <49255FCB.2020803@boun.edu.tr> References: <4baa40ce0811190745t4367c707na3d62a864f8b1e65@mail.gmail.com> <7d9b3cf20811190905x7fbddebdp1204be1587074cc6@mail.gmail.com> <4baa40ce0811200445l4d9a403ekbb53ecb0a15afe7d@mail.gmail.com> <49255FCB.2020803@boun.edu.tr> Message-ID: <4baa40ce0811200530n2e4838d7i731fc1557424f539@mail.gmail.com> Changed the MS and restarted. No error message now. Thanks All! On Thu, Nov 20, 2008 at 8:02 AM, Berk Gulenler wrote: > You have to change the conf file of MS like -> Clamd Socket = > /tmp/clamd.socket > > Rick Duval wrote: >> In the /tmp dir there is a clamd.socket but no clamd. 
>> >> Should I just rename the file (Which is 0 bytes btw) or change both MS >> and clamd.conf? >> >> On Wed, Nov 19, 2008 at 12:05 PM, Eduardo Casarero wrote: >> >>> some clamav installations put the socket in /tmp/clamd.socket by default an >>> > > > -- > Berk Gulenler > System Administrator > Bogazici University Computer Center > > Phone: +90 212 359 47 20 > Fax: +90 212 257 50 21 > E-mail: gulenler@boun.edu.tr > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for > viruses and dangerous content by > Accurate Anti-Spam Technologies > and is believed to be clean. > > From cbarber at techquility.net Thu Nov 20 14:25:13 2008 From: cbarber at techquility.net (Chris Barber) Date: Thu Nov 20 14:25:29 2008 Subject: How to test RBL lookups in MailScanner? In-Reply-To: <72cf361e0811200125u3499ac00x3f7e979ff42df4d8@mail.gmail.com> References: <4910E415.4050502@rheel.co.nz><43F62CA225017044BC84CFAF92B4333B035FB3@sbsserver.Techquility.net><223f97700811051117g2d4b91c5g4cda816ac8e2e862@mail.gmail.com><43F62CA225017044BC84CFAF92B4333B035FB8@sbsserver.Techquility.net><223f97700811051419r7982975fi34b25598b91ed1ca@mail.gmail.com><43F62CA225017044BC84CFAF92B4333B035FBC@sbsserver.Techquility.net><223f97700811061050x5ca2b8a6t98d115ad27b450ea@mail.gmail.com><43F62CA225017044BC84CFAF92B4333B036074@sbsserver.Techquility.net><43F62CA225017044BC84CFAF92B4333B03607F@sbsserver.Techquility.net> <72cf361e0811200125u3499ac00x3f7e979ff42df4d8@mail.gmail.com> Message-ID: <43F62CA225017044BC84CFAF92B4333B036082@sbsserver.Techquility.net> 2008/11/20 Chris Barber : > Hi All, > > This might be obvious and I apologize in advance, but how can I test if MailScanner is testing messages for RBL (Spam List)? 
I tried running MailScanner --debug --debug-sa and I don't see anything about it, unless I'm missing something. > > I normally have my MTA do RBL lookups but there are a few other lists I want to try out. I don't want to try a new list on the MTA since it outright rejects messages that hit the lists. For testing purposes, I want MailScanner to check these other RBL's and then quarantine the message. My users can then release the message if it is a false positive. Once satisfied with a list choice, I'll then move it to the MTA. > > Running MailScanner version 4.72.5 > I have enabled the Spam List option and I populated the spam.lists.conf file with the new RBL I want to test. > > Thanks, > Chris > > > > >I find the best way is to do the RBL's in spamassassin, the way it adds >to the score. You can use multiple RBLs in mailscanner and then say it >must hit at least 2 before it's marked as spam, but I prefer the >spamassassin way. > >-- >Martin Hepworth >Oxford, UK Thank you Martin! I did not consider SA doing the lookups. I'll give that a try. From paulo-m-roncon at ptinovacao.pt Thu Nov 20 14:52:47 2008 From: paulo-m-roncon at ptinovacao.pt (Paulo Roncon) Date: Thu Nov 20 14:53:02 2008 Subject: Mailscanner - large deployment In-Reply-To: <200811201201.mAKC0LWn008296@safir.blacknight.ie> References: <200811201201.mAKC0LWn008296@safir.blacknight.ie> Message-ID: Hello, I'm thinking of building a farm of servers with mailscanner. My question is related to the quarantine maintenance: Should I implement a shared medium to store the files, or should every server in the farm have its own quarantine directory?
This is important because i need to implement a way to inform the users that there's quarantined email, and its location. I'm thinking of mailscanner + sendmail + mailwatch Can you please advise? Paulo Sergio Portugal Telecom -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of mailscanner-request@lists.mailscanner.info Sent: quinta-feira, 20 de Novembro de 2008 12:02 To: mailscanner@lists.mailscanner.info Subject: MailScanner Digest, Vol 35, Issue 26 Send MailScanner mailing list submissions to mailscanner@lists.mailscanner.info To subscribe or unsubscribe via the World Wide Web, visit http://lists.mailscanner.info/mailman/listinfo/mailscanner or, via email, send a message with subject or body 'help' to mailscanner-request@lists.mailscanner.info You can reach the person managing the list at mailscanner-owner@lists.mailscanner.info When replying, please edit your Subject line so it is more specific than "Re: Contents of MailScanner digest..." Today's Topics: 1. Cannot find Socket (/tmp/clamd) (Rick Duval) 2. Re: MailScanner's /usr/sbin/update_spammassassin doesn't restart spamd (Mark Sapiro) 3. Re: Cannot find Socket (/tmp/clamd) (Martin Hepworth) 4. RE: Cannot find Socket (/tmp/clamd) (Stef Morrell) 5. Re: Cannot find Socket (/tmp/clamd) (Martin Hepworth) 6. Re: Cannot find Socket (/tmp/clamd) (Eduardo Casarero) 7. RE: Message rules don't work, but if message forwarded, it does??? (Chris Barber) 8. Re: MailScanner's /usr/sbin/update_spammassassin doesn't restart spamd (Kai Schaetzl) 9. RE: Cannot find Socket (/tmp/clamd) (Stef Morrell) 10. Re: Message rules don't work, but if message forwarded, it does??? (Scott Silva) 11. RE: Message rules don't work, but if message forwarded, it does??? (Chris Barber) 12. How to test RBL lookups in MailScanner? (Chris Barber) 13. Re: How to test RBL lookups in MailScanner? 
(Martin Hepworth) ---------------------------------------------------------------------- Message: 1 Date: Wed, 19 Nov 2008 10:45:32 -0500 From: "Rick Duval" Subject: Cannot find Socket (/tmp/clamd) To: "MailScanner discussion" Message-ID: <4baa40ce0811190745t4367c707na3d62a864f8b1e65@mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-1 Tailing the maillog I get Cannot find Socket (/tmp/clamd) Exiting! I'm using MailSCanner 4.68.8 Can someone help me with this? THanks ------------------------------ Message: 2 Date: Wed, 19 Nov 2008 07:46:55 -0800 From: Mark Sapiro Subject: Re: MailScanner's /usr/sbin/update_spammassassin doesn't restart spamd To: MailScanner discussion Message-ID: <20081119154655.GA412@msapiro> Content-Type: text/plain; charset=us-ascii On Tue, Nov 18, 2008 at 11:31:21PM +0100, Kai Schaetzl wrote: > Mark Sapiro wrote on Tue, 18 Nov 2008 08:29:45 -0800: > > > It does the sa-compile if you have an uncommented > > > > loadplugin Mail::SpamAssassin::Plugin::Rule2XSBody > > > > in /etc/mail/spamassassin/*pre > > I don't see this. Where's your knowledge from? > The following in /usr/sbin/update_spamassassin # If we have sa-compile and they are using the Rule2XSBody plugin then compile if test -x $SACOMPILE && grep -q '^loadplugin.*Rule2XSBody' /etc/mail/spamassassin/*pre 2>/dev/null ; then $SACOMPILE >>$LOGFILE 2>&1 fi -- Mark Sapiro mark at msapiro net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan ------------------------------ Message: 3 Date: Wed, 19 Nov 2008 16:18:25 +0000 From: "Martin Hepworth" Subject: Re: Cannot find Socket (/tmp/clamd) To: "MailScanner discussion" Message-ID: <72cf361e0811190818n715716e5q4808999a66ed3746@mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-1 2008/11/19 Rick Duval : > Tailing the maillog I get > > Cannot find Socket (/tmp/clamd) Exiting! > > I'm using MailSCanner 4.68.8 > > Can someone help me with this? 
> > THanks > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > Hi check your clamd setup (clamd.conf) has the socket in the same location as you've defined in MailScanner.conf -- Martin Hepworth Oxford, UK ------------------------------ Message: 4 Date: Wed, 19 Nov 2008 16:21:32 -0000 From: "Stef Morrell" Subject: RE: Cannot find Socket (/tmp/clamd) To: "MailScanner discussion" Message-ID: <200811191621.mAJGLYDi018166@safir.blacknight.ie> Content-Type: text/plain; charset="us-ascii" Rick Duval wrote: > Tailing the maillog I get > > Cannot find Socket (/tmp/clamd) Exiting! > > I'm using MailSCanner 4.68.8 > > Can someone help me with this? You need to ensure that the settings in MailScanner.conf: # Clamd only: configuration options for using the clamd daemon. # 1. The port to use when communicating with clamd via TCP connection # 2. The Socket, or IP to use for communicating with the clamd Daemon. # You enter either the full path to the UNIX socket file or the IP # address the daemon is listening on. # 3. The ClamD Lock file should be created by clamd init script in most # cases. If it is not then the entry should be blank. # 4. If MailScanner is running on a system with more then 1 CPU core (or # more than 1 CPU) then you can set "Clamd Use Threads" to "yes" to # speed up the scanning, otherwise there is no advantage and it should # be set to "no". # # None of these options can be the filenames of rulesets, they must be just # simple values. Clamd Port = 3310 Clamd Socket = /tmp/clamd Are the same as the settings in clamd.conf: # Path to a local socket file the daemon will listen on. 
# Default: disabled LocalSocket /tmp/clamd Regards Stef -- Stefan Morrell | Operations Director Tel: 0845 3452820 | Alpha Omega Computers Ltd Fax: 0845 3452830 | Incorporating Level 5 Internet stef@aoc-uk.com | stef@l5net.net Standard Disclaimer: http://www.aoc-uk.com/16.asp Alpha Omega Computers Ltd, Unit 57, BBTC, Grange Road, Batley, WF17 6ER. Registered in England No. 3867142. VAT No. GB734421454 ------------------------------ Message: 5 Date: Wed, 19 Nov 2008 16:28:51 +0000 From: "Martin Hepworth" Subject: Re: Cannot find Socket (/tmp/clamd) To: "MailScanner discussion" Message-ID: <72cf361e0811190828j529f3d2bm872e0048010ec5cc@mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-1 2008/11/19 Stef Morrell : > Rick Duval wrote: >> Tailing the maillog I get >> >> Cannot find Socket (/tmp/clamd) Exiting! >> >> I'm using MailSCanner 4.68.8 >> >> Can someone help me with this? > > You need to ensure that the settings in MailScanner.conf: > > # Clamd only: configuration options for using the clamd daemon. > # 1. The port to use when communicating with clamd via TCP connection > # 2. The Socket, or IP to use for communicating with the clamd Daemon. > # You enter either the full path to the UNIX socket file or the IP > # address the daemon is listening on. > # 3. The ClamD Lock file should be created by clamd init script in most > # cases. If it is not then the entry should be blank. > # 4. If MailScanner is running on a system with more then 1 CPU core (or > # more than 1 CPU) then you can set "Clamd Use Threads" to "yes" to > # speed up the scanning, otherwise there is no advantage and it > should > # be set to "no". > # > # None of these options can be the filenames of rulesets, they must be > just > # simple values. > Clamd Port = 3310 > Clamd Socket = /tmp/clamd > > Are the same as the settings in clamd.conf: > > # Path to a local socket file the daemon will listen on. 
> # Default: disabled > LocalSocket /tmp/clamd > > Regards > > Stef > -- > Stefan Morrell | Operations Director > Tel: 0845 3452820 | Alpha Omega Computers Ltd > Fax: 0845 3452830 | Incorporating Level 5 Internet > stef@aoc-uk.com | stef@l5net.net > > Standard Disclaimer: http://www.aoc-uk.com/16.asp > > Alpha Omega Computers Ltd, Unit 57, BBTC, Grange Road, Batley, WF17 6ER. > Registered in England No. 3867142. VAT No. GB734421454 > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > Stef and you're running clamd as what user? and is this user is consistent with what you've got setup in MailScanner.conf? -- Martin Hepworth Oxford, UK ------------------------------ Message: 6 Date: Wed, 19 Nov 2008 15:05:40 -0200 From: "Eduardo Casarero" Subject: Re: Cannot find Socket (/tmp/clamd) To: "MailScanner discussion" Message-ID: <7d9b3cf20811190905x7fbddebdp1204be1587074cc6@mail.gmail.com> Content-Type: text/plain; charset="iso-8859-1" some clamav installations put the socket in /tmp/clamd.socket by default an MS config has /tmp/clamd make them match 2008/11/19 Rick Duval > Tailing the maillog I get > > Cannot find Socket (/tmp/clamd) Exiting! > > I'm using MailSCanner 4.68.8 > > Can someone help me with this? > > THanks > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081119/b33c3f8b/attachment-0001.html ------------------------------ Message: 7 Date: Wed, 19 Nov 2008 12:08:37 -0500 From: "Chris Barber" Subject: RE: Message rules don't work, but if message forwarded, it does??? To: "MailScanner discussion" Message-ID: <43F62CA225017044BC84CFAF92B4333B036074@sbsserver.Techquility.net> Content-Type: text/plain; charset="us-ascii" 2008/11/6 Chris Barber : >> >> >> Glenn, >> >> Thanks for the reply. You had me scared for a second there, but no > there >> was no white listing going on. I verified the envelope addresses. This >> issue seems to happen randomly a least a couple times a day to some >> users. >> >> Any other ideas? >> >> Thanks, >> Chris >> >>Didn't mean to scare you, just point at one (semi-obvious:-) > possibility....:-) >>When it happens do you see anything ... curious .... in the logs? >>Nothing about "Unscanned" messages or timeouts or suchlike? >>Also... Tell a bit about versions etc, since this just might be a >>known bug/issue... >> >>Cheers >>-- >>-- Glenn >>email: glenn < dot > steen < at > gmail < dot > com >>work: glenn < dot > steen < at > ap1 < dot > se > > > I don't see anything unusual in the logs. No timeouts and nothing about > unscanned that I can see. MailScanner processes the message normally it > seems. > > It gets an SA score, but the only rules that hit are: > 0.10 BAYES_50 Bayesian spam probability is 40 to 60% > 0.00 HTML_MESSAGE HTML included in message > -0.00 SPF_PASS SPF: sender matches SPF record > > Then when the same message is forwarded to me from the user, (Through > the same MailScanner server) the rule hits show: > -0.74 BAYES_20 Bayesian spam probability is 5 to 20% > 0.00 HTML_MESSAGE HTML included in message > 2.96 URIBL_BLACK Contains an URL listed in the URIBL blacklist > 3.50 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist > > Notice that now the URL is beting detected, but why not before? 
> > Versions: > Cent OS 5.2 > MailScanner 4.72.5 > Spamassassin 3.2.5 > Perl 5.8.8 > MIME::Tools 5.427 > HTML::Parser 3.56 > > Let me know if there are versions of anything else you would like to see > > Thanks! > Chris > >Could perhaps be a "timing issue"....:-) >Meaning the URI wasn't in the BL when MS first asked... but when the >user resent it to you.... the BL had been updated. These things have a >tendency to be really short-lived and ... bursty... so if there is any >somewhat significant amount of time between the initial mail and the >user forwarding it to you... say a few hours... that might explain it >all. >In which case... all is well ...:-) > >Cheers >-- >-- Glenn >email: glenn < dot > steen < at > gmail < dot > com >work: glenn < dot > steen < at > ap1 < dot > se I agree that this timing issue is probably the cause for some of these. However there are many of these for one of my users almost every day. I have her forwarding them to me right after she gets them and they are blocked. Scott mentioned running MailScanner --lint, MailScanner --debug --debug-sa I did this and I don't see any errors. I can see the URI_OB_SURBL rule (for example) run and successfully score the message. Is it possible that this is timing out sometimes? I have not seen a timeout but I am grasping at straws at this point to figure out why the URL in the message seems to be ignored the first time, then 5 min later when the message is forwarded back to me (Going through the same MailScanner server), it gets caught? Thanks, Chris ------------------------------ Message: 8 Date: Wed, 19 Nov 2008 18:31:19 +0100 From: Kai Schaetzl Subject: Re: MailScanner's /usr/sbin/update_spammassassin doesn't restart spamd To: mailscanner@lists.mailscanner.info Message-ID: Content-Type: text/plain; charset=iso-8859-1 Mark Sapiro wrote on Wed, 19 Nov 2008 07:46:55 -0800: > The following in /usr/sbin/update_spamassassin Oh, I missed that part in your original message. 
I have an old version of that script in /etc/cron.daily which lacks this section and was assuming you meant to say that sa-update itself is compiling after the download. Thanks for reminding me of that location. Kai -- Kai Sch?tzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com ------------------------------ Message: 9 Date: Wed, 19 Nov 2008 17:39:27 -0000 From: "Stef Morrell" Subject: RE: Cannot find Socket (/tmp/clamd) To: "MailScanner discussion" Message-ID: <200811191739.mAJHdU2f020719@safir.blacknight.ie> Content-Type: text/plain; charset="us-ascii" Martin Hepworth wrote: > 2008/11/19 Stef Morrell : >> Rick Duval wrote: >>> Tailing the maillog I get >>> >>> Cannot find Socket (/tmp/clamd) Exiting! >>> >>> I'm using MailSCanner 4.68.8 >>> >>> Can someone help me with this? >> >> You need to ensure that the settings in MailScanner.conf: >> > > Stef > and you're running clamd as what user? and is this user is > consistent with what you've got setup in MailScanner.conf? > Martin - I'm confused. I was trying to answer Rick's question. Looks like we pressed "send" fairly well at the same time. My setup is working just fine :) Seeing as you ask, I suspect clamd is running as root. I installed it from Jules' SA+Clam then added a start stop script into /etc/rc. Possibly not the most secure, but as I have no local users to exploit it, I don't much care. MailScanner runs as Postfix. Stef -- Stefan Morrell | Operations Director Tel: 0845 3452820 | Alpha Omega Computers Ltd Fax: 0845 3452830 | Incorporating Level 5 Internet stef@aoc-uk.com | stef@l5net.net Standard Disclaimer: http://www.aoc-uk.com/16.asp Alpha Omega Computers Ltd, Unit 57, BBTC, Grange Road, Batley, WF17 6ER. Registered in England No. 3867142. VAT No. GB734421454 ------------------------------ Message: 10 Date: Wed, 19 Nov 2008 12:05:12 -0800 From: Scott Silva Subject: Re: Message rules don't work, but if message forwarded, it does??? 
To: mailscanner@lists.mailscanner.info Message-ID: Content-Type: text/plain; charset="utf-8" > I agree that this timing issue is probably the cause for some of these. > However there are many of these for one of my users almost every day. I > have her forwarding them to me right after she gets them and they are > blocked. > > Scott mentioned running MailScanner --lint, MailScanner --debug > --debug-sa > I did this and I don't see any errors. I can see the URI_OB_SURBL rule > (for example) run and successfully score the message. Is it possible > that this is timing out sometimes? I have not seen a timeout but I am > grasping at straws at this point to figure out why the URL in the > message seems to be ignored the first time, then 5 min later when the > message is forwarded back to me (Going through the same MailScanner > server), it gets caught? > > Thanks, > Chris > Is the server natted? Does it have a real public IP address or is it port forwarded from another server? Can you follow the chain of the headers back on both a missed message and after it has been forwarded to you? I am still leaning toward this being some sort of trust path issue in spamassassin, although it could be a net timeout. The lookup might time out just before the result comes back, and on the resend the lookup is in the local cache and hits. Have you tried setting your spammassassin timeouts longer? Do you have any full examples of a missed message, and one that hits right afterwards? Either full queue files or complete RFC 822 (2822) messages. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081119/e8082a6c/signature-0001.bin ------------------------------ Message: 11 Date: Wed, 19 Nov 2008 20:20:21 -0500 From: "Chris Barber" Subject: RE: Message rules don't work, but if message forwarded, it does??? To: "MailScanner discussion" Message-ID: <43F62CA225017044BC84CFAF92B4333B03607E@sbsserver.Techquility.net> Content-Type: text/plain; charset="utf-8" > I agree that this timing issue is probably the cause for some of these. > However there are many of these for one of my users almost every day. > I have her forwarding them to me right after she gets them and they > are blocked. > > Scott mentioned running MailScanner --lint, MailScanner --debug > --debug-sa I did this and I don't see any errors. I can see the > URI_OB_SURBL rule (for example) run and successfully score the > message. Is it possible that this is timing out sometimes? I have not > seen a timeout but I am grasping at straws at this point to figure out > why the URL in the message seems to be ignored the first time, then 5 > min later when the message is forwarded back to me (Going through the > same MailScanner server), it gets caught? > > Thanks, > Chris > >Is the server natted? Does it have a real public IP address or is it port forwarded from another server? > >Can you follow the chain of the headers back on both a missed message and after it has been forwarded to you? > >I am still leaning toward this being some sort of trust path issue in spamassassin, although it could be a net timeout. The lookup might time out >just before the result comes back, and on the resend the lookup is in the local cache and hits. Have you tried setting your spammassassin timeouts >longer? > >Do you have any full examples of a missed message, and one that hits right afterwards? Either full queue files or complete RFC 822 (2822) messages. 
Thanks for the reply. Yes this server is natted behind a Cisco ASA. Port 25 is forwarded to the MailScanner machine. Out of curiosity, where are you headed with this question? I followed the headers and it looks correct. I can see the message travel to my MailScanner server and then on to the customers mail server. On the forwarded message, I see it go from the customers mail server directly to my MailScanner server and then on to my internal mail server. Is this what you mean by follow the chain? I actually have increased my Spamassassin timeout to 120 seconds. Is there some other type of timeout I should/could be watching for? I've attached the message queue files and named them accordingly. Let me know if this is not the format you requested. Thanks again for the assistance! Chris -------------- next part -------------- A non-text attachment was scrubbed... Name: messages.tar Type: application/x-tar Size: 9728 bytes Desc: messages.tar Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081119/95657bb8/messages-0001.tar ------------------------------ Message: 12 Date: Wed, 19 Nov 2008 20:26:50 -0500 From: "Chris Barber" Subject: How to test RBL lookups in MailScanner? To: "MailScanner discussion" Message-ID: <43F62CA225017044BC84CFAF92B4333B03607F@sbsserver.Techquility.net> Content-Type: text/plain; charset="utf-8" Hi All, This might be obvious and I apologize in advance, but how can I test if MailScanner is testing messages for RBL (Spam List)? I tried running MailScanner --debug --debug-sa and I don't see anything about it, unless I'm missing something. I normally have my MTA do RBL lookups but there are a few other lists I want to try out. I don't want to try a new list on the MTA since it outright rejects messages that hit the lists. For testing purposes, I want MailScanner to check these other RBL's and then quarantine the message. My users can then release the message if it is a false positive. 
Once satisfied with a list choice, I'll then move it to the MTA. Running MailScanner version 4.72.5 I have enabled the Spam List option and I populated the spam.lists.conf file with the new RBL I want to test. Thanks, Chris ------------------------------ Message: 13 Date: Thu, 20 Nov 2008 09:25:46 +0000 From: "Martin Hepworth" Subject: Re: How to test RBL lookups in MailScanner? To: "MailScanner discussion" Message-ID: <72cf361e0811200125u3499ac00x3f7e979ff42df4d8@mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-1 2008/11/20 Chris Barber : > Hi All, > > This might be obvious and I apologize in advance, but how can I test if MailScanner is testing messages for RBL (Spam List)? I tried running MailScanner --debug --debug-sa and I don't see anything about it, unless I'm missing something. > > I normally have my MTA do RBL lookups but there are a few other lists I want to try out. I don't want to try a new list on the MTA since it outright rejects messages that hit the lists. For testing purposes, I want MailScanner to check these other RBL's and then quarantine the message. My users can then release the message if it is a false positive. Once satisfied with a list choice, I'll then move it to the MTA. > > Running MailScanner version 4.72.5 > I have enabled the Spam List option and I populated the spam.lists.conf file with the new RBL I want to test. > > Thanks, > Chris > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > I find the best way is to do the RBL's in spamassassin, the way it adds to the score. You can use multiple RBLs in mailscanner and then say it must hit at least 2 before it's marked as spam, but I prefer the spamassassin way.
-- Martin Hepworth Oxford, UK ------------------------------ -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read the Wiki (http://wiki.mailscanner.info/). Support MailScanner development - buy the book off the website! End of MailScanner Digest, Vol 35, Issue 26 *******************************************
From ms-list at alexb.ch Thu Nov 20 15:06:55 2008 From: ms-list at alexb.ch (Alex Broens) Date: Thu Nov 20 15:05:18 2008 Subject: Mailscanner - large deployment In-Reply-To: References: <200811201201.mAKC0LWn008296@safir.blacknight.ie> Message-ID: <49257D0F.3050202@alexb.ch> On 11/20/2008 3:52 PM, Paulo Roncon wrote: > Hello, > > I'm thinking on building a farm of servers with mailscanner. My > question is related to the quarantine mantainance: Should i implement > a shared medium to store the files, or should every server in the > farm have its on quarantine directory? This is important because i > need to implement a way to inform the users that there's quarantined > email, and its location. I'm thinking of mailscanner + sendmail + > mailwatch > > Can you please advise? avoid posting the daily digest is a good way to start off with
From traced at xpear.de Thu Nov 20 15:09:42 2008 From: traced at xpear.de (traced@xpear.de) Date: Thu Nov 20 15:09:53 2008 Subject: Mailscanner - large deployment In-Reply-To: References: <200811201201.mAKC0LWn008296@safir.blacknight.ie> Message-ID: Hi, you could use the implemented XML-RPC function to do that. Every server has its own quarantine on hdd, and you have one database server where you can manage the others, and release messages etc. But this is rarely documented... Regards, Bastian On Thu, 20 Nov 2008 14:52:47 +0000, Paulo Roncon wrote: > Hello, > > I'm thinking on building a farm of servers with mailscanner.
My question is > related to the quarantine mantainance: Should i implement a shared medium > to store the files, or should every server in the farm have its on > quarantine directory? > This is important because i need to implement a way to inform the users > that there's quarantined email, and its location. > I'm thinking of mailscanner + sendmail + mailwatch > > Can you please advise? > > Paulo Sergio > Portugal Telecom
From dave.list at pixelhammer.com Thu Nov 20 15:39:57 2008 From: dave.list at pixelhammer.com (DAve) Date: Thu Nov 20 15:40:14 2008 Subject: Mailscanner - large deployment In-Reply-To: References: <200811201201.mAKC0LWn008296@safir.blacknight.ie> Message-ID: <492584CD.9010702@pixelhammer.com> traced@xpear.de wrote: > Hi, > > you could use the implemented XML-RPC function to do that. > Every server has its own quarantine on hdd, and you have one database > server where you can manage > the others, and release messages etc. But this is rarely documented... > > Regards, > Bastian That is a solid setup, we have been using that method for over two years now. A single MailWatch server and XML-RPC quarantine access to each MailScanner installation works very very well. MailWatch has been changed considerably in the newest release, and we did a major rewrite on the old version, so I would be of little help to you. I would go ask this question on the mailWatch list. DAve > > On Thu, 20 Nov 2008 14:52:47 +0000, Paulo Roncon > wrote: >> Hello, >> >> I'm thinking on building a farm of servers with mailscanner. My question > is >> related to the quarantine mantainance: Should i implement a shared > medium >> to store the files, or should every server in the farm have its on >> quarantine directory? >> This is important because i need to implement a way to inform the users >> that there's quarantined email, and its location. >> I'm thinking of mailscanner + sendmail + mailwatch >> >> Can you please advise? >> >> Paulo Sergio >> Portugal Telecom -- The whole internet thing is sucking the life out of me, there ain't no pony in there.
From mcornes at loreto.ac.uk Thu Nov 20 16:04:42 2008 From: mcornes at loreto.ac.uk (Mark) Date: Thu Nov 20 16:04:54 2008 Subject: Filename.rules Message-ID: This might seem to be a mail watch question but I think it's my .rules files that are at fault.
I've followed the various pages http://sourceforge.net/forum/forum.php?thread_id=1373718&forum_id=298819 That describe filename.rules, filename.rules.allowall.conf, filetype.rules and filetype.rules.allowall.conf But despite that when I attempt to release a blocked mail with attachment mailscanner re-blocks it again. Can anyone offer idiot proof assistance ? Thanks M From maxsec at gmail.com Thu Nov 20 17:26:52 2008 From: maxsec at gmail.com (Martin Hepworth) Date: Thu Nov 20 17:27:01 2008 Subject: Filename.rules In-Reply-To: References: Message-ID: <72cf361e0811200926k169fece2jf42e17c1266235c0@mail.gmail.com> 2008/11/20 Mark : > This might seem to be a mail watch question but I think it's my .rules files > that are at fault. > > I've followed the various pages > http://sourceforge.net/forum/forum.php?thread_id=1373718&forum_id=298819 > That describe filename.rules, filename.rules.allowall.conf, filetype.rules > and filetype.rules.allowall.conf > > But despite that when I attempt to release a blocked mail with attachment > mailscanner re-blocks it again. Can anyone offer idiot proof assistance ? > > Thanks > M > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > Mark you need a rule against "Scan messages" that is something like: From: 127.0.0.1 no FromOrTo: Default yes That way any email from the server itself won't get scanned. 
-- Martin Hepworth Oxford, UK From mmcintosh at infowall.com Thu Nov 20 17:42:46 2008 From: mmcintosh at infowall.com (mmcintosh Infowall) Date: Thu Nov 20 17:43:45 2008 Subject: Filename.rules In-Reply-To: <72cf361e0811200926k169fece2jf42e17c1266235c0@mail.gmail.com> References: <72cf361e0811200926k169fece2jf42e17c1266235c0@mail.gmail.com> Message-ID: <4925A196.5070806@infowall.com> Martin Hepworth wrote: > 2008/11/20 Mark : > >> This might seem to be a mail watch question but I think it's my .rules files >> that are at fault. >> >> I've followed the various pages >> http://sourceforge.net/forum/forum.php?thread_id=1373718&forum_id=298819 >> That describe filename.rules, filename.rules.allowall.conf, filetype.rules >> and filetype.rules.allowall.conf >> >> But despite that when I attempt to release a blocked mail with attachment >> mailscanner re-blocks it again. Can anyone offer idiot proof assistance ? >> >> Thanks >> M >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> >> > > Mark > you need a rule against "Scan messages" that is something like: > > From: 127.0.0.1 no > FromOrTo: Default yes > > That way any email from the server itself won't get scanned. > I believe I had to white list my server 127.0.0.1 in MailWatch after which I could release correctly. Mark McIntosh -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ssilva at sgvwater.com Thu Nov 20 18:59:07 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Nov 20 19:00:16 2008 Subject: Message rules don't work, but if message forwarded, it does??? 
In-Reply-To: <43F62CA225017044BC84CFAF92B4333B03607E@sbsserver.Techquility.net> References: <4910E415.4050502@rheel.co.nz><43F62CA225017044BC84CFAF92B4333B035FB3@sbsserver.Techquility.net><223f97700811051117g2d4b91c5g4cda816ac8e2e862@mail.gmail.com><43F62CA225017044BC84CFAF92B4333B035FB8@sbsserver.Techquility.net><223f97700811051419r7982975fi34b25598b91ed1ca@mail.gmail.com><43F62CA225017044BC84CFAF92B4333B035FBC@sbsserver.Techquility.net> <223f97700811061050x5ca2b8a6t98d115ad27b450ea@mail.gmail.com><43F62CA225017044BC84CFAF92B4333B036074@sbsserver.Techquility.net> <43F62CA225017044BC84CFAF92B4333B03607E@sbsserver.Techquility.net> Message-ID: (cause I was chastised again for not trimming) ;-) > > Yes this server is natted behind a Cisco ASA. Port 25 is forwarded to the MailScanner machine. Out of curiosity, where are you headed with this question? > > I followed the headers and it looks correct. I can see the message travel to my MailScanner server and then on to the customers mail server. On the forwarded message, I see it go from the customers mail server directly to my MailScanner server and then on to my internal mail server. Is this what you mean by follow the chain? > > I actually have increased my Spamassassin timeout to 120 seconds. Is there some other type of timeout I should/could be watching for? > > I've attached the message queue files and named them accordingly. Let me know if this is not the format you requested. > > Thanks again for the assistance! > Chris > The spamassassin trust path can get confused when the server is natted. Do you have the trust path set up properly? http://wiki.apache.org/spamassassin/TrustPath -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081120/96aab19b/signature.bin From ssilva at sgvwater.com Thu Nov 20 19:19:00 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Nov 20 19:19:18 2008 Subject: How to test RBL lookups in MailScanner? In-Reply-To: <43F62CA225017044BC84CFAF92B4333B036082@sbsserver.Techquility.net> References: <4910E415.4050502@rheel.co.nz><43F62CA225017044BC84CFAF92B4333B035FB3@sbsserver.Techquility.net><223f97700811051117g2d4b91c5g4cda816ac8e2e862@mail.gmail.com><43F62CA225017044BC84CFAF92B4333B035FB8@sbsserver.Techquility.net><223f97700811051419r7982975fi34b25598b91ed1ca@mail.gmail.com><43F62CA225017044BC84CFAF92B4333B035FBC@sbsserver.Techquility.net><223f97700811061050x5ca2b8a6t98d115ad27b450ea@mail.gmail.com><43F62CA225017044BC84CFAF92B4333B036074@sbsserver.Techquility.net><43F62CA225017044BC84CFAF92B4333B03607F@sbsserver.Techquility.net> <72cf361e0811200125u3499ac00x3f7e979ff42df4d8@mail.gmail.com> <43F62CA225017044BC84CFAF92B4333B036082@sbsserver.Techquility.net> Message-ID: >> >> >> >> I find the best way to do the RBL's in spamassassin, they way it adds >> to the score. You can you multiple RBLs in mailscanner and then say it >> must at least 2 before it's marked as spam, but I prefer the >> spammassassin way. >> >> -- >> Martin Hepworth >> Oxford, UK > > Thank you Martin! I did not consider SA doing the lookups. I'll give > that a try. Spamassassin is much more efficient at doing the network tests because it will poll all the lists in parallel. MailScanner queries each list you add one at a time. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081120/2523c56c/signature.bin From ssilva at sgvwater.com Thu Nov 20 19:29:23 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Nov 20 19:29:46 2008 Subject: Message rules don't work, but if message forwarded, it does??? In-Reply-To: <43F62CA225017044BC84CFAF92B4333B03607E@sbsserver.Techquility.net> References: <4910E415.4050502@rheel.co.nz><43F62CA225017044BC84CFAF92B4333B035FB3@sbsserver.Techquility.net><223f97700811051117g2d4b91c5g4cda816ac8e2e862@mail.gmail.com><43F62CA225017044BC84CFAF92B4333B035FB8@sbsserver.Techquility.net><223f97700811051419r7982975fi34b25598b91ed1ca@mail.gmail.com><43F62CA225017044BC84CFAF92B4333B035FBC@sbsserver.Techquility.net> <223f97700811061050x5ca2b8a6t98d115ad27b450ea@mail.gmail.com><43F62CA225017044BC84CFAF92B4333B036074@sbsserver.Techquility.net> <43F62CA225017044BC84CFAF92B4333B03607E@sbsserver.Techquility.net> Message-ID: on 11-19-2008 5:20 PM Chris Barber spake the following: > >> I agree that this timing issue is probably the cause for some of these. >> However there are many of these for one of my users almost every day. >> I have her forwarding them to me right after she gets them and they >> are blocked. >> >> Scott mentioned running MailScanner --lint, MailScanner --debug >> --debug-sa I did this and I don't see any errors. I can see the >> URI_OB_SURBL rule (for example) run and successfully score the >> message. Is it possible that this is timing out sometimes? I have not >> seen a timeout but I am grasping at straws at this point to figure out >> why the URL in the message seems to be ignored the first time, then 5 >> min later when the message is forwarded back to me (Going through the >> same MailScanner server), it gets caught? >> >> Thanks, >> Chris >> >> Is the server natted? 
Does it have a real public IP address or is it port forwarded from another server? >> >> Can you follow the chain of the headers back on both a missed message and after it has been forwarded to you? >> >> I am still leaning toward this being some sort of trust path issue in spamassassin, although it could be a net timeout. The lookup might time out >just before the result comes back, and on the resend the lookup is in the local cache and hits. Have you tried setting your spammassassin timeouts >longer? >> >> Do you have any full examples of a missed message, and one that hits right afterwards? Either full queue files or complete RFC 822 (2822) messages. > > Thanks for the reply. > > Yes this server is natted behind a Cisco ASA. Port 25 is forwarded to the MailScanner machine. Out of curiosity, where are you headed with this question? > > I followed the headers and it looks correct. I can see the message travel to my MailScanner server and then on to the customers mail server. On the forwarded message, I see it go from the customers mail server directly to my MailScanner server and then on to my internal mail server. Is this what you mean by follow the chain? > > I actually have increased my Spamassassin timeout to 120 seconds. Is there some other type of timeout I should/could be watching for? > > I've attached the message queue files and named them accordingly. Let me know if this is not the format you requested. > > Thanks again for the assistance! > Chris > The HTML encoding seems different between messages. This might be why it gets caught the second time around. Also, the message you mark as missed has a RFC private IP address in it (Received: from [192.168.1.56] (unknown [192.168.1.56])) , but the one you marked as forwarded doesn't. Could they be mixed up? Never mind. They are mixed up because the one marked missed has a Fwd: prepended to the subject. 
The missed message is encoded with "quoted-printable" in the html section, but Thunderbird looks to be re-encoding it on the forward. Maybe you have a problem with your mime-tools module on the server. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ljosnet at gmail.com Fri Nov 21 00:34:54 2008 From: ljosnet at gmail.com (=?ISO-8859-1?Q?Lj=F3snet?=) Date: Fri Nov 21 00:35:03 2008 Subject: SpamAssassin problem after update Message-ID: <910ee2ac0811201634se99a4daob2b8ff95088daf27@mail.gmail.com> Hello, I use FreeBSD 6.2 and I just did cvsup today and upgraded all my packages. Now I am having big problems with as it seems spamassassin,as soon as I kill it and disable in MailScanner.conf everything works and I get my mail delivered. I am getting this in my messages logs. Nov 21 00:29:28 mail kernel: pid 1120 (perl5.8.8), uid 0: exited on signal 6 Nov 21 00:29:33 mail root: Process did not exit cleanly, returned 0 with signal 6 I'm using the latest MailScanner, clamav and SpamAssAssin installed from ports. Any ideas what would cause this? From cbarber at techquility.net Fri Nov 21 06:33:03 2008 From: cbarber at techquility.net (Chris Barber) Date: Fri Nov 21 06:33:25 2008 Subject: Message rules don't work, but if message forwarded, it does???
In-Reply-To: References: <4910E415.4050502@rheel.co.nz><43F62CA225017044BC84CFAF92B4333B035FB3@sbsserver.Techquility.net><223f97700811051117g2d4b91c5g4cda816ac8e2e862@mail.gmail.com><43F62CA225017044BC84CFAF92B4333B035FB8@sbsserver.Techquility.net><223f97700811051419r7982975fi34b25598b91ed1ca@mail.gmail.com><43F62CA225017044BC84CFAF92B4333B035FBC@sbsserver.Techquility.net> <223f97700811061050x5ca2b8a6t98d115ad27b450ea@mail.gmail.com><43F62CA225017044BC84CFAF92B4333B036074@sbsserver.Techquility.net> <43F62CA225017044BC84CFAF92B4333B03607E@sbsserver.Techquility.net> Message-ID: <43F62CA225017044BC84CFAF92B4333B036090@sbsserver.Techquility.net> (cause I was chastised again for not trimming) ;-) > > Yes this server is natted behind a Cisco ASA. Port 25 is forwarded to the MailScanner machine. Out of curiosity, where are you headed with this question? > > I followed the headers and it looks correct. I can see the message travel to my MailScanner server and then on to the customers mail server. On the forwarded message, I see it go from the customers mail server directly to my MailScanner server and then on to my internal mail server. Is this what you mean by follow the chain? > > I actually have increased my Spamassassin timeout to 120 seconds. Is there some other type of timeout I should/could be watching for? > > I've attached the message queue files and named them accordingly. Let me know if this is not the format you requested. > > Thanks again for the assistance! > Chris > >The spamassassin trust path can get confused when the server is natted. Do you have the trust path set up properly? > >http://wiki.apache.org/spamassassin/TrustPath I did not have it set as I was not aware of this NAT issue. I have now set it and will see if this helps. Thanks for the tip! From cbarber at techquility.net Fri Nov 21 06:37:07 2008 From: cbarber at techquility.net (Chris Barber) Date: Fri Nov 21 06:37:29 2008 Subject: Message rules don't work, but if message forwarded, it does??? 
In-Reply-To: References: <4910E415.4050502@rheel.co.nz><43F62CA225017044BC84CFAF92B4333B035FB3@sbsserver.Techquility.net><223f97700811051117g2d4b91c5g4cda816ac8e2e862@mail.gmail.com><43F62CA225017044BC84CFAF92B4333B035FB8@sbsserver.Techquility.net><223f97700811051419r7982975fi34b25598b91ed1ca@mail.gmail.com><43F62CA225017044BC84CFAF92B4333B035FBC@sbsserver.Techquility.net> <223f97700811061050x5ca2b8a6t98d115ad27b450ea@mail.gmail.com><43F62CA225017044BC84CFAF92B4333B036074@sbsserver.Techquility.net> <43F62CA225017044BC84CFAF92B4333B03607E@sbsserver.Techquility.net> Message-ID: <43F62CA225017044BC84CFAF92B4333B036091@sbsserver.Techquility.net> >The HTML encoding seems different between messages. This might be why it gets caught the second time around. >Also, the message you mark as missed has a RFC private IP address in it >(Received: from [192.168.1.56] (unknown [192.168.1.56])) , but the one you marked as forwarded doesn't. Could they be mixed up? >Never mind. They are mixed up because the one marked missed has a Fwd: >prepended to the subject. >The missed message is encoded with "quoted-printable" in the html section, but Thunderbird looks to be re-encoding it on the forward. Maybe you >have a problem with your mime-tools module on the server. Oops, you are right I mixed up the folders. I am using MIME::Tools version 5.427. I think this was installed by Julian's install.sh script. Is there a way to test/debug this module? From maxsec at gmail.com Fri Nov 21 08:22:14 2008 From: maxsec at gmail.com (Martin Hepworth) Date: Fri Nov 21 08:22:23 2008 Subject: SpamAssassin problem after update In-Reply-To: <910ee2ac0811201634se99a4daob2b8ff95088daf27@mail.gmail.com> References: <910ee2ac0811201634se99a4daob2b8ff95088daf27@mail.gmail.com> Message-ID: <72cf361e0811210022j5e714bffj2159f2a32b943c3@mail.gmail.com> 2008/11/21 Lj?snet : > Hello, I use FreeBSD 6.2 and I just did cvsup today and upgraded all > my packages. 
Now I am having big problems with as it seems > spamassassin,as soon as I kill it and disable in MailScanner.conf > everything works and I get my mail delivered. I am getting this in my > messages logs. > > Nov 21 00:29:28 mail kernel: pid 1120 (perl5.8.8), uid 0: exited on signal 6 > Nov 21 00:29:33 mail root: Process did not exit cleanly, returned 0 > with signal 6 > > I'm using the latest MailScanner, clamav and SpamAssAssin installed from ports. > > Any ideas what would cause this? > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > What do you get if you stop mailscanner then run it in debug mode? 'MailScanner --debug --debug-sa" -- Martin Hepworth Oxford, UK From J.Ede at birchenallhowden.co.uk Fri Nov 21 08:44:32 2008 From: J.Ede at birchenallhowden.co.uk (Jason Ede) Date: Fri Nov 21 08:44:54 2008 Subject: Mailscanner - large deployment In-Reply-To: References: <200811201201.mAKC0LWn008296@safir.blacknight.ie> Message-ID: <4CAB0118AEC63A4FAAE77E6BCBDF760C7952018CFD@server02.bhl.local> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Paulo Roncon > Sent: 20 November 2008 14:53 > To: 'mailscanner@lists.mailscanner.info' > Subject: Mailscanner - large deployment > > Hello, > > I'm thinking on building a farm of servers with mailscanner. My > question is related to the quarantine mantainance: Should i implement a > shared m?dium to store the files, or should every server in the farm > have its on quarantine directory? > This is important because i need to implement a way to inform the users > that there's quarantined email, and its location. > I'm thinking of mailscanner + sendmail + mailwatch > > Can you please advise? 
If you're looking at a large server farm then I think it would be a good idea to look at BarricadeMX. http://www.fsl.com/barricademx.html Jason From Daniel.Flensburg at iris.se Fri Nov 21 09:57:47 2008 From: Daniel.Flensburg at iris.se (Daniel Flensburg) Date: Fri Nov 21 10:01:08 2008 Subject: Local State Dir - /var/lib/spamassassin - SARE rules no hits In-Reply-To: <910ee2ac0811201634se99a4daob2b8ff95088daf27@mail.gmail.com> References: <910ee2ac0811201634se99a4daob2b8ff95088daf27@mail.gmail.com> Message-ID: <3DF8101092666E4A9020D949E419EB6F02B7BABF@ensms02.iris.se> Can someone please help me with a strange problem. I noticed that my recently downloaded SARE-rules have no hits. I believe non of the rules in the /var/lib/spamassassin work. When running the command: spamassassin -D --lint I get the result (looks just right): [4446] dbg: config: using "/etc/spamassassin" for site rules pre files [4446] dbg: config: read file /etc/spamassassin/init.pre [4446] dbg: config: read file /etc/spamassassin/v310.pre [4446] dbg: config: read file /etc/spamassassin/v312.pre [4446] dbg: config: using "/var/lib/spamassassin/3.001004" for sys rules pre files [4446] dbg: config: read file /var/lib/spamassassin/3.001004/saupdates_openprotect_com.pre [4446] dbg: config: read file /var/lib/spamassassin/3.001004/updates_spamassassin_org.pre [4446] dbg: config: using "/var/lib/spamassassin/3.001004" for default rules dir ------------------- But when I run the command: /opt/MailScanner/bin/MailScanner --debug --debug-sa I get a different result (a bad one): [4329] dbg: config: using "/etc/mail/spamassassin" for site rules pre files [4329] dbg: config: read file /etc/mail/spamassassin/init.pre [4329] dbg: config: read file /etc/mail/spamassassin/v310.pre [4329] dbg: config: read file /etc/mail/spamassassin/v312.pre [4329] dbg: config: using "/usr/share/spamassassin" for sys rules pre files [4329] dbg: config: using "/usr/share/spamassassin" for default rules dir The setting in my 
/opt/MailScanner/etc/MailScanner.conf is:

# The site-local rules are searched for here, and in prefix/etc/spamassassin,
# prefix/etc/mail/spamassassin, /usr/local/etc/spamassassin, /etc/spamassassin,
# /etc/mail/spamassassin, and maybe others.
# Be careful of setting this: it may mean the spam.assassin.prefs.conf file
# is missed out, you will need to insert a soft-link with "ln -s" to link
# the file into mailscanner.cf in the new directory.
# If this is set then it replaces the list of places that are searched;
# otherwise it has no effect.
#SpamAssassin Local Rules Dir = /opt/MailScanner/etc/mail/spamassassin
SpamAssassin Local Rules Dir =

# The rules created by the "sa-update" tool are searched for here.
# This directory contains the 3.001001/updates_spamassassin_org
# directory structure beneath it.
# Only un-comment this setting once you have proved that the sa-update
# cron job has run successfully and has created a directory structure under
# the spamassassin directory within this one and has put some *.cf files in
# there. Otherwise it will ignore all your current rules!
# The default location may be /var/opt on Solaris systems.
SpamAssassin Local State Dir = # /var/lib/spamassassin

# The default rules are searched for here, and in prefix/share/spamassassin,
# /usr/local/share/spamassassin, /usr/share/spamassassin, and maybe others.
# If this is set then it adds to the list of places that are searched;
# otherwise it has no effect.
#SpamAssassin Default Rules Dir = /opt/MailScanner/share/spamassassin
SpamAssassin Default Rules Dir =

------------

I tried to remove the # in the line below but the result is the same:

SpamAssassin Local State Dir = # /var/lib/spamassassin

What have I missed?

I have a rather old version of SA 3.1.4 - but I do not want to upgrade until I have a backup MS server running, unless an upgrade is the fix for this strange behavior.
/Daniel From prandal at herefordshire.gov.uk Fri Nov 21 10:14:12 2008 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Fri Nov 21 10:14:34 2008 Subject: Local State Dir - /var/lib/spamassassin - SARE rules no hits In-Reply-To: <3DF8101092666E4A9020D949E419EB6F02B7BABF@ensms02.iris.se> References: <910ee2ac0811201634se99a4daob2b8ff95088daf27@mail.gmail.com> <3DF8101092666E4A9020D949E419EB6F02B7BABF@ensms02.iris.se> Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA05479755@HC-MBX02.herefordshire.gov.uk> > I have a rather old version of SA 3.1.4 - but I do not want to upgrade until I have a backup MS server running, > unless an upgrade is the fix for this strange behavior. It almost certainly is, if I recall correctly. Early implementations of the "Local State Dir" differed from the current one. Cheers, Phil -- Phil Randal | Networks Engineer Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division Thorn Office Centre, Rotherwas, Hereford, HR2 6JT Tel: 01432 260160 email: prandal@herefordshire.gov.uk Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Herefordshire Council. This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it. 
-----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Daniel Flensburg Sent: 21 November 2008 09:58 To: MailScanner discussion Subject: Local State Dir - /var/lib/spamassassin - SARE rules no hits Can someone please help me with a strange problem. I noticed that my recently downloaded SARE-rules have no hits. I believe non of the rules in the /var/lib/spamassassin work. When running the command: spamassassin -D --lint I get the result (looks just right): [4446] dbg: config: using "/etc/spamassassin" for site rules pre files [4446] dbg: config: read file /etc/spamassassin/init.pre [4446] dbg: config: read file /etc/spamassassin/v310.pre [4446] dbg: config: read file /etc/spamassassin/v312.pre [4446] dbg: config: using "/var/lib/spamassassin/3.001004" for sys rules pre files [4446] dbg: config: read file /var/lib/spamassassin/3.001004/saupdates_openprotect_com.pre [4446] dbg: config: read file /var/lib/spamassassin/3.001004/updates_spamassassin_org.pre [4446] dbg: config: using "/var/lib/spamassassin/3.001004" for default rules dir ------------------- But when I run the command: /opt/MailScanner/bin/MailScanner --debug --debug-sa I get a different result (a bad one): [4329] dbg: config: using "/etc/mail/spamassassin" for site rules pre files [4329] dbg: config: read file /etc/mail/spamassassin/init.pre [4329] dbg: config: read file /etc/mail/spamassassin/v310.pre [4329] dbg: config: read file /etc/mail/spamassassin/v312.pre [4329] dbg: config: using "/usr/share/spamassassin" for sys rules pre files [4329] dbg: config: using "/usr/share/spamassassin" for default rules dir The setting in my /opt/MailScanner/etc/MailScanner.conf is: # The site-local rules are searched for here, and in prefix/etc/spamassassin, # prefix/etc/mail/spamassassin, /usr/local/etc/spamassassin, /etc/spamassassin, # /etc/mail/spamassassin, and maybe others. 
# Be careful of setting this: it may mean the spam.assassin.prefs.conf file # is missed out, you will need to insert a soft-link with "ln -s" to link # the file into mailscanner.cf in the new directory. # If this is set then it replaces the list of places that are searched; # otherwise it has no effect. #SpamAssassin Local Rules Dir = /opt/MailScanner/etc/mail/spamassassin SpamAssassin Local Rules Dir = # The rules created by the "sa-update" tool are searched for here. # This directory contains the 3.001001/updates_spamassassin_org # directory structure beneath it. # Only un-comment this setting once you have proved that the sa-update # cron job has run successfully and has created a directory structure under # the spamassassin directory within this one and has put some *.cf files in # there. Otherwise it will ignore all your current rules! # The default location may be /var/opt on Solaris systems. SpamAssassin Local State Dir = # /var/lib/spamassassin # The default rules are searched for here, and in prefix/share/spamassassin, # /usr/local/share/spamassassin, /usr/share/spamassassin, and maybe others. # If this is set then it adds to the list of places that are searched; # otherwise it has no effect. #SpamAssassin Default Rules Dir = /opt/MailScanner/share/spamassassin SpamAssassin Default Rules Dir = ------------ I tried to remove the # in the line below but the result is the same: SpamAssassin Local State Dir = # /var/lib/spamassassin What have I missed? I have a rather old version of SA 3.1.4 - but I do not want to upgrade until I have a backup MS server running, unless an upgrade is the fix for this strange behavior. /Daniel -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! 
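The two debug runs quoted in this thread can be compared mechanically; the following is an added example, not part of any message in the thread, that extracts the rule directories each run reports and lists which SpamAssassin settings in the quoted MailScanner.conf excerpt are effectively empty. The inputs are excerpts copied from the messages above, the function names are hypothetical, and treating everything after `#` as a comment is an assumption based on the excerpt's own commented-out lines.

```python
import re

# Excerpt of "spamassassin -D --lint" output as quoted in the thread.
SA_LINT = '''\
[4446] dbg: config: using "/etc/spamassassin" for site rules pre files
[4446] dbg: config: read file /etc/spamassassin/init.pre
[4446] dbg: config: using "/var/lib/spamassassin/3.001004" for sys rules pre files
[4446] dbg: config: read file /var/lib/spamassassin/3.001004/updates_spamassassin_org.pre
[4446] dbg: config: using "/var/lib/spamassassin/3.001004" for default rules dir
'''

# Excerpt of "MailScanner --debug --debug-sa" output as quoted in the thread.
MS_DEBUG = '''\
[4329] dbg: config: using "/etc/mail/spamassassin" for site rules pre files
[4329] dbg: config: read file /etc/mail/spamassassin/init.pre
[4329] dbg: config: using "/usr/share/spamassassin" for sys rules pre files
[4329] dbg: config: using "/usr/share/spamassassin" for default rules dir
'''

# Setting lines from the MailScanner.conf excerpt quoted in the thread.
CONF = '''\
#SpamAssassin Local Rules Dir = /opt/MailScanner/etc/mail/spamassassin
SpamAssassin Local Rules Dir =
SpamAssassin Local State Dir = # /var/lib/spamassassin
#SpamAssassin Default Rules Dir = /opt/MailScanner/share/spamassassin
SpamAssassin Default Rules Dir =
'''

USING_RE = re.compile(r'dbg: config: using "([^"]+)" for (.+?)\s*$')


def rule_dirs(debug_text):
    """Map each role (e.g. 'default rules dir') to the directory reported for it."""
    dirs = {}
    for line in debug_text.splitlines():
        match = USING_RE.search(line)
        if match:
            dirs[match.group(2)] = match.group(1)
    return dirs


def diff_rule_dirs(run_a, run_b):
    """Return {role: (dir_in_a, dir_in_b)} for every role where the runs disagree."""
    a, b = rule_dirs(run_a), rule_dirs(run_b)
    return {role: (a.get(role), b.get(role))
            for role in sorted(set(a) | set(b))
            if a.get(role) != b.get(role)}


def effective_settings(conf_text, prefix="SpamAssassin"):
    """Return {setting: value} after dropping '#' comments (assumed comment syntax)."""
    settings = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.startswith(prefix):
            settings[key] = value
    return settings


def uses_state_dir(debug_text, state_dir="/var/lib/spamassassin"):
    """True if any reported rule directory sits under the sa-update state dir."""
    return any(d == state_dir or d.startswith(state_dir + "/")
               for d in rule_dirs(debug_text).values())


if __name__ == "__main__":
    for role, (lint_dir, ms_dir) in diff_rule_dirs(SA_LINT, MS_DEBUG).items():
        print(f"{role}: spamassassin={lint_dir} MailScanner={ms_dir}")
    for key, value in effective_settings(CONF).items():
        print(f"{key} -> {value!r}")
    print("MailScanner run loads sa-update rules:", uses_state_dir(MS_DEBUG))
```

A run that never reports a directory under the state dir is not loading the rules fetched by sa-update, which matches the missing SARE hits described in the thread.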
From ljosnet at gmail.com Fri Nov 21 10:36:51 2008 From: ljosnet at gmail.com (=?ISO-8859-1?Q?Lj=F3snet?=) Date: Fri Nov 21 10:37:01 2008 Subject: SpamAssassin problem after update In-Reply-To: <72cf361e0811210022j5e714bffj2159f2a32b943c3@mail.gmail.com> References: <910ee2ac0811201634se99a4daob2b8ff95088daf27@mail.gmail.com> <72cf361e0811210022j5e714bffj2159f2a32b943c3@mail.gmail.com> Message-ID: <910ee2ac0811210236g661e22b3y4e942614fb9a16c6@mail.gmail.com> [root@mail ~]# MailScanner --debug --debug-sa In Debugging mode, not forking... Trying to setlogsock(unix) ***** If 'awk' (with support for the function strftime) was available on your $PATH then all the SpamAssassin debug output would have the current time added to the start of every line, making debugging far easier. ***** SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp Fatal error 'Recurse on a private mutex.' at line 986 in file /usr/src/lib/libpthread/thread/thr_mutex.c (errno = 22) Abort trap: 6 On Fri, Nov 21, 2008 at 8:22 AM, Martin Hepworth wrote: > 2008/11/21 Lj?snet : >> Hello, I use FreeBSD 6.2 and I just did cvsup today and upgraded all >> my packages. Now I am having big problems with as it seems >> spamassassin,as soon as I kill it and disable in MailScanner.conf >> everything works and I get my mail delivered. I am getting this in my >> messages logs. >> >> Nov 21 00:29:28 mail kernel: pid 1120 (perl5.8.8), uid 0: exited on signal 6 >> Nov 21 00:29:33 mail root: Process did not exit cleanly, returned 0 >> with signal 6 >> >> I'm using the latest MailScanner, clamav and SpamAssAssin installed from ports. >> >> Any ideas what would cause this? >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! 
>> > > > What do you get if you stop mailscanner then run it in debug mode? > > 'MailScanner --debug --debug-sa" > > -- > Martin Hepworth > Oxford, UK > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From john.clancy at businessworld.ie Fri Nov 21 10:38:28 2008 From: john.clancy at businessworld.ie (John Clancy) Date: Fri Nov 21 10:38:46 2008 Subject: Big drop in SPAM volume? Message-ID: <00de01c94bc5$4a6d5710$696078c1@JCSPC> Hi, Is anybody else seeing a big drop off in SPAM volume over the last week or so? or is it just me? I run the email server for a small company (approx 7,500 emails per day at peak) and I've been seeing big reductions in incoming SPAM volumes over the last 10 days. The following is taken from the Mailwatch "Total Messages by Date" report

Date    SPAM    %
17/10   1,218   58.0%
18/10     844   79.7%
19/10     858   76.5%
20/10   1,688   66.0%
21/10   2,163   68.2%
22/10   2,372   74.4%
23/10   6,621   87.5%
24/10   2,162   71.3%
25/10   1,231   82.7%
26/10     966   79.2%
27/10   1,296   75.4%
28/10   1,733   66.2%
29/10   1,635   63.2%
30/10   3,443   78.6%
31/10   1,335   60.0%
01/11   1,260   84.3%
02/11   1,183   85.4%
03/11   1,417   64.4%
04/11   1,494   62.4%
05/11   1,159   60.5%
06/11   1,238   60.6%
07/11   1,009   52.6%
08/11     788   68.7%
09/11     678   75.3%
10/11   1,259   59.9%
11/11   1,213   56.4%
12/11     428   36.1%
13/11     363   28.7%
14/11     343   32.3%
15/11     327   57.7%
16/11     301   57.8%
17/11     448   33.5%
18/11     490   36.5%
19/11     422   34.1%
20/11     387   35.1%

JC From ljosnet at gmail.com Fri Nov 21 10:47:12 2008 From: ljosnet at gmail.com (=?ISO-8859-1?Q?Lj=F3snet?=) Date: Fri Nov 21 10:47:22 2008 Subject: SpamAssassin problem after update In-Reply-To: <910ee2ac0811210236g661e22b3y4e942614fb9a16c6@mail.gmail.com> References: <910ee2ac0811201634se99a4daob2b8ff95088daf27@mail.gmail.com> <72cf361e0811210022j5e714bffj2159f2a32b943c3@mail.gmail.com>
    <910ee2ac0811210236g661e22b3y4e942614fb9a16c6@mail.gmail.com>
Message-ID: <910ee2ac0811210247w599f4acud86479fd1b95cf63@mail.gmail.com>

I found out what the problem was. I recompiled SQLite without threading support.

Thanks! :)

On Fri, Nov 21, 2008 at 10:36 AM, Ljósnet wrote:
> [root@mail ~]# MailScanner --debug --debug-sa
> In Debugging mode, not forking...
> Trying to setlogsock(unix)
>
>
> *****
> If 'awk' (with support for the function strftime) was
> available on your $PATH then all the SpamAssassin debug
> output would have the current time added to the start of
> every line, making debugging far easier.
> *****
>
> SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
> Fatal error 'Recurse on a private mutex.' at line 986 in file /usr/src/lib/libpthread/thread/thr_mutex.c (errno = 22)
> Abort trap: 6
>
>
> On Fri, Nov 21, 2008 at 8:22 AM, Martin Hepworth wrote:
>> 2008/11/21 Ljósnet :
>>> Hello, I use FreeBSD 6.2 and I just did cvsup today and upgraded all
>>> my packages. Now I am having big problems with as it seems
>>> spamassassin,as soon as I kill it and disable in MailScanner.conf
>>> everything works and I get my mail delivered. I am getting this in my
>>> messages logs.
>>>
>>> Nov 21 00:29:28 mail kernel: pid 1120 (perl5.8.8), uid 0: exited on signal 6
>>> Nov 21 00:29:33 mail root: Process did not exit cleanly, returned 0 with signal 6
>>>
>>> I'm using the latest MailScanner, clamav and SpamAssAssin installed from ports.
>>>
>>> Any ideas what would cause this?
>>
>>
>> What do you get if you stop mailscanner then run it in debug mode?
>>
>> 'MailScanner --debug --debug-sa'
>>
>> --
>> Martin Hepworth
>> Oxford, UK

From ljosnet at gmail.com Fri Nov 21 10:48:56 2008
From: ljosnet at gmail.com (Ljósnet)
Date: Fri Nov 21 10:49:07 2008
Subject: how do i fix -- WARNING: Ignoring deprecated option
In-Reply-To:
References: <30200a940811131152n2471d67ejf25b252b5b83dc3d@mail.gmail.com>
    <491D4D93.50004@ecs.soton.ac.uk>
    <30200a940811140621h6418f65aq747318175f8211ac@mail.gmail.com>
Message-ID: <910ee2ac0811210248x4de67691rcc06875aadd4009e@mail.gmail.com>

Hopefully someone will update the FreeBSD ports soon. It's still not in there.

On Fri, Nov 14, 2008 at 4:31 PM, Kai Schaetzl wrote:
> Gregory Machin wrote on Fri, 14 Nov 2008 16:21:55 +0200:
>
>> Fixed I upgraded everything to the latest version .
>
> You should have replied directly to the message from Jules as you weren't
> replying to me.
>
> Kai
>
> --
> Kai Schätzl, Berlin, Germany
> Get your web at Conactive Internet Services: http://www.conactive.com

From prandal at herefordshire.gov.uk Fri Nov 21 11:12:05 2008
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Fri Nov 21 11:14:42 2008
Subject: Big drop in SPAM volume?
In-Reply-To: <00de01c94bc5$4a6d5710$696078c1@JCSPC>
References: <00de01c94bc5$4a6d5710$696078c1@JCSPC>
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA05479788@HC-MBX02.herefordshire.gov.uk>

Yes,

Apart from a spike on the 18th, yes.

It's related to the shutdown of McColo:

http://technology.timesonline.co.uk/tol/news/tech_and_web/the_web/article5183398.ece

Cheers,

Phil

--
Phil Randal | Networks Engineer
Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: prandal@herefordshire.gov.uk

From maillists at conactive.com Fri Nov 21 12:31:17 2008
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri Nov 21 12:31:32 2008
Subject: Local State Dir - /var/lib/spamassassin - SARE rules no hits
In-Reply-To: <3DF8101092666E4A9020D949E419EB6F02B7BABF@ensms02.iris.se>
References: <910ee2ac0811201634se99a4daob2b8ff95088daf27@mail.gmail.com>
    <3DF8101092666E4A9020D949E419EB6F02B7BABF@ensms02.iris.se>
Message-ID:

Daniel Flensburg wrote on Fri, 21 Nov 2008 10:57:47 +0100:

> I have a rather old version of SA 3.1.4 - but I do not want to upgrade
> until I have a backup MS server running, unless an upgrade is the fix
> for this strange behavior.

I remember having had this problem once either earlier this year or last year. I don't remember how I solved it. You might be able to find this discussion by searching the archives.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maxsec at gmail.com Fri Nov 21 12:47:20 2008
From: maxsec at gmail.com (Martin Hepworth)
Date: Fri Nov 21 12:47:28 2008
Subject: Local State Dir - /var/lib/spamassassin - SARE rules no hits
In-Reply-To: <3DF8101092666E4A9020D949E419EB6F02B7BABF@ensms02.iris.se>
References: <910ee2ac0811201634se99a4daob2b8ff95088daf27@mail.gmail.com>
    <3DF8101092666E4A9020D949E419EB6F02B7BABF@ensms02.iris.se>
Message-ID: <72cf361e0811210447mcb8313bm1ce69fec6874a00f@mail.gmail.com>

2008/11/21 Daniel Flensburg :
> Can someone please help me with a strange problem. I noticed that my
> recently downloaded SARE-rules have no hits. I believe none of the rules
> in the /var/lib/spamassassin work.
>
> When running the command:
>
> spamassassin -D --lint
>
> I get the result (looks just right):
>
> [4446] dbg: config: using "/etc/spamassassin" for site rules pre files
> [4446] dbg: config: read file /etc/spamassassin/init.pre
> [4446] dbg: config: read file /etc/spamassassin/v310.pre
> [4446] dbg: config: read file /etc/spamassassin/v312.pre
> [4446] dbg: config: using "/var/lib/spamassassin/3.001004" for sys rules pre files
> [4446] dbg: config: read file /var/lib/spamassassin/3.001004/saupdates_openprotect_com.pre
> [4446] dbg: config: read file /var/lib/spamassassin/3.001004/updates_spamassassin_org.pre
> [4446] dbg: config: using "/var/lib/spamassassin/3.001004" for default rules dir
> -------------------
>
> But when I run the command:
>
> /opt/MailScanner/bin/MailScanner --debug --debug-sa
>
> I get a different result (a bad one):
>
> [4329] dbg: config: using "/etc/mail/spamassassin" for site rules pre files
> [4329] dbg: config: read file /etc/mail/spamassassin/init.pre
> [4329] dbg: config: read file /etc/mail/spamassassin/v310.pre
> [4329] dbg: config: read file /etc/mail/spamassassin/v312.pre
> [4329] dbg: config: using "/usr/share/spamassassin" for sys rules pre files
> [4329] dbg: config: using "/usr/share/spamassassin" for default rules dir
>
> The setting in my /opt/MailScanner/etc/MailScanner.conf is:
>
> # The site-local rules are searched for here, and in prefix/etc/spamassassin,
> # prefix/etc/mail/spamassassin, /usr/local/etc/spamassassin, /etc/spamassassin,
> # /etc/mail/spamassassin, and maybe others.
> # Be careful of setting this: it may mean the spam.assassin.prefs.conf file
> # is missed out, you will need to insert a soft-link with "ln -s" to link
> # the file into mailscanner.cf in the new directory.
> # If this is set then it replaces the list of places that are searched;
> # otherwise it has no effect.
> #SpamAssassin Local Rules Dir = /opt/MailScanner/etc/mail/spamassassin
> SpamAssassin Local Rules Dir =
>
> # The rules created by the "sa-update" tool are searched for here.
> # This directory contains the 3.001001/updates_spamassassin_org
> # directory structure beneath it.
> # Only un-comment this setting once you have proved that the sa-update
> # cron job has run successfully and has created a directory structure under
> # the spamassassin directory within this one and has put some *.cf files in
> # there. Otherwise it will ignore all your current rules!
> # The default location may be /var/opt on Solaris systems.
> SpamAssassin Local State Dir = # /var/lib/spamassassin
>
> # The default rules are searched for here, and in prefix/share/spamassassin,
> # /usr/local/share/spamassassin, /usr/share/spamassassin, and maybe others.
> # If this is set then it adds to the list of places that are searched;
> # otherwise it has no effect.
> #SpamAssassin Default Rules Dir = /opt/MailScanner/share/spamassassin
> SpamAssassin Default Rules Dir =
> ------------
> I tried to remove the # in the line below but the result is the same:
> SpamAssassin Local State Dir = # /var/lib/spamassassin
>
> What have I missed?
>
> I have a rather old version of SA 3.1.4 - but I do not want to upgrade
> until I have a backup MS server running, unless an upgrade is the fix
> for this strange behavior.
>
>
> /Daniel

Daniel

try making the "SpamAssassin Local State Dir" blank ..

SpamAssassin Local State Dir =

depending on how you've installed the SARE rules you should either be in /var/lib/spamassassin/3.001004 or /etc/mail/spamassassin.

another thing..check the user mailscanner runs as can access the SA rules in "/var/lib/spamassassin/3.001004" (file permissions).

--
Martin Hepworth
Oxford, UK

From john.clancy at businessworld.ie Fri Nov 21 12:50:46 2008
From: john.clancy at businessworld.ie (John Clancy)
Date: Fri Nov 21 12:51:07 2008
Subject: Big drop in SPAM volume?
References: <00de01c94bc5$4a6d5710$696078c1@JCSPC>
    <7EF0EE5CB3B263488C8C18823239BEBA05479788@HC-MBX02.herefordshire.gov.uk>
Message-ID: <012f01c94bd7$c5b1de70$696078c1@JCSPC>

Thanks Phil,

I remember reading about the shutdown of McColo but I'm amazed that shutting down just one would generate a 60 odd per cent drop in the volume of SPAM coming in:-)

If only it was as simple as shutting down a few others and curing the whole SPAM problem.

Of course it's only a matter of time before the ****ards find another route :-(

JC

----- Original Message -----
From: "Randal, Phil"
To: "MailScanner discussion"
Sent: Friday, November 21, 2008 11:12 AM
Subject: RE: Big drop in SPAM volume?

> Yes,
>
> Apart from a spike on the 18th, yes.
>
> It's related to the shutdown of McColo:
>
> http://technology.timesonline.co.uk/tol/news/tech_and_web/the_web/article5183398.ece
>
> Cheers,
>
> Phil

From support-lists at petdoctors.co.uk Fri Nov 21 13:29:39 2008
From: support-lists at petdoctors.co.uk (Nigel Kendrick)
Date: Fri Nov 21 13:30:32 2008
Subject: Big drop in SPAM volume?
In-Reply-To: <012f01c94bd7$c5b1de70$696078c1@JCSPC>
References: <00de01c94bc5$4a6d5710$696078c1@JCSPC>
    <7EF0EE5CB3B263488C8C18823239BEBA05479788@HC-MBX02.herefordshire.gov.uk>
    <012f01c94bd7$c5b1de70$696078c1@JCSPC>
Message-ID: <5DE9D66B16064EF9B6EF50F4C75D28B2@SUPPORT01V>

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of John Clancy
Sent: Friday, November 21, 2008 12:51 PM
To: MailScanner discussion
Subject: Re: Big drop in SPAM volume?

Thanks Phil,

I remember reading about the shutdown of McColo but I'm amazed that shutting down just one would generate a 60 odd per cent drop in the volume of SPAM coming in:-)

If only it was as simple as shutting down a few others and curing the whole SPAM problem.

Of course it's only a matter of time before the ****ards find another route :-(


Watch this space:

http://www.theregister.co.uk/2008/11/21/mccolo_shutdown_analysis/

..and this one...

http://www.theregister.co.uk/2008/11/18/short_mccolo_resurrection/

From maxsec at gmail.com Fri Nov 21 13:52:03 2008
From: maxsec at gmail.com (Martin Hepworth)
Date: Fri Nov 21 13:52:14 2008
Subject: Big drop in SPAM volume?
In-Reply-To: <012f01c94bd7$c5b1de70$696078c1@JCSPC>
References: <00de01c94bc5$4a6d5710$696078c1@JCSPC>
    <7EF0EE5CB3B263488C8C18823239BEBA05479788@HC-MBX02.herefordshire.gov.uk>
    <012f01c94bd7$c5b1de70$696078c1@JCSPC>
Message-ID: <72cf361e0811210552r50f54c27v6ab0f32da1738454@mail.gmail.com>

2008/11/21 John Clancy :
> Thanks Phil,
>
> I remember reading about the shutdown of McColo but I'm amazed that shutting
> down just one would generate a 60 odd per cent drop in the volume of SPAM
> coming in:-)
>
> If only it was as simple as shutting down a few others and curing the whole
> SPAM problem.
>
> Of course it's only a matter of time before the ****ards find another route
> :-(
>
> JC

John

http://www.spamcop.net/spamgraph.shtml?spammonth

for a note. As has been posted they managed to get a backup circuit going for a few hours and managed to transfer the control centres to Russian based servers so expect the botnets to start again anytime soon.

--
Martin Hepworth
Oxford, UK

From john.clancy at businessworld.ie Fri Nov 21 14:20:32 2008
From: john.clancy at businessworld.ie (John Clancy)
Date: Fri Nov 21 14:20:53 2008
Subject: Big drop in SPAM volume?
References: <00de01c94bc5$4a6d5710$696078c1@JCSPC>
    <7EF0EE5CB3B263488C8C18823239BEBA05479788@HC-MBX02.herefordshire.gov.uk>
    <012f01c94bd7$c5b1de70$696078c1@JCSPC>
    <72cf361e0811210552r50f54c27v6ab0f32da1738454@mail.gmail.com>
Message-ID: <018701c94be4$50560090$696078c1@JCSPC>

----- Original Message -----
From: "Martin Hepworth"
To: "MailScanner discussion"
Sent: Friday, November 21, 2008 1:52 PM
Subject: Re: Big drop in SPAM volume?

> John
>
> http://www.spamcop.net/spamgraph.shtml?spammonth
>
> for a note. As has been posted they managed to get a backup circuit
> going for a few hours and managed to transfer the control centres to
> Russian based servers so expect the botnets to start again anytime
> soon.
>
> --
> Martin Hepworth
> Oxford, UK

Thanks for that Martin - I knew it was too good to last!

I still have a fond day dream of seeing one of these big spammers being hauled into court and pleading guilty to 4 sample offences and asking for the judge to take 40 trillion similar offences into consideration :-)

John

From gesbbb at yahoo.com Fri Nov 21 14:26:37 2008
From: gesbbb at yahoo.com (Jerry)
Date: Fri Nov 21 14:26:51 2008
Subject: how do i fix -- WARNING: Ignoring deprecated option
In-Reply-To: <910ee2ac0811210248x4de67691rcc06875aadd4009e@mail.gmail.com>
References: <30200a940811131152n2471d67ejf25b252b5b83dc3d@mail.gmail.com>
    <491D4D93.50004@ecs.soton.ac.uk>
    <30200a940811140621h6418f65aq747318175f8211ac@mail.gmail.com>
    <910ee2ac0811210248x4de67691rcc06875aadd4009e@mail.gmail.com>
Message-ID: <20081121092637.7f35d881@scorpio>

On Fri, 21 Nov 2008 10:48:56 +0000
"Ljósnet" wrote:

[snip]

>Hopefully someone will update the FreeBSD ports soon. It's still not
>in there.

That someone would be: j.koopmann@seceidos.de

However, due to the ports freeze/slush that FBSD is currently going through, I would not hold my breath waiting for the update. I have personally been waiting for the updated 'claws-mail' for over two months now.

--
Jerry
gesbbb@yahoo.com

It's pretty hard to tell what does bring happiness;
poverty and wealth have both failed.

    Kim Hubbard

From glenn.steen at gmail.com Fri Nov 21 15:10:09 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Nov 21 15:10:19 2008
Subject: Fwd: Mailscanner child freezes
In-Reply-To: <223f97700811210706k4a45724fscaf2a359f1806db0@mail.gmail.com>
References: <491D88B5.4090804@life.illinois.edu>
    <223f97700811150135y66b5d1bdue0c01801c4615a3b@mail.gmail.com>
    <491F835C.9020901@life.illinois.edu>
    <223f97700811160433v3ee3d176ofedd4d344e8236e2@mail.gmail.com>
    <49224E2C.4090800@life.illinois.edu>
    <223f97700811201453i3b2abf65u1ff09d8d50af2aaf@mail.gmail.com>
    <492601CA.40007@life.illinois.edu>
    <223f97700811210615y2f90b87cwcebad06052d9aa6e@mail.gmail.com>
    <223f97700811210705o42415763h154d4630ce084ae3@mail.gmail.com>
    <223f97700811210706k4a45724fscaf2a359f1806db0@mail.gmail.com>
Message-ID: <223f97700811210710v21b69206mfa5dc3439ed8453e@mail.gmail.com>

Guys,

I know my quoting style will drive you nuts, but ... please look at this. It's a heads up for 4.72.5, keep a lookout for children busy-looping while "cleaning messages".
Hopefully Jules, or one of you, will have a solution ... really quick.

Cheers
-- Glenn

---------- Forwarded message ----------
From: Glenn Steen
Date: 2008/11/21
Subject: Re: Mailscanner child freezes
To: Jeffrey Haas


2008/11/21 Glenn Steen :
> 2008/11/21 Glenn Steen :
>> Right, I've now been able to reproduce this on a machine (I just
>> thought I had updated to 4.72.5:-). It is as you say very consistent.
>> The error is located in Message.pm around line 3837, where we enter a
>> while loop trying to parse a message so that we reliably can "clean
>> out" bad attachments. For some reason, this parsing never terminates
>> (the call never returns "") so it in effect becomes an endless loop. The
>> code in question, with a little added debug print, looks like:
>>
>>   # Find the top-level parent's entity
>>   while ($this->{file2parent}{$file} ne "") {
>>     print STDERR ".";
>>     $file = $this->{file2parent}{$file};
>>   }
>>
>> I haven't been able (yet) to determine what's wrong here, and am
>> thinking of looking at the latest beta to try determine if that code
>> looks the same there.
>> Perhaps a smarter debug....:-). Hm. Seems that this is a hash
>> constructed when parsing the MIME message, so that "" would be at the
>> root... But in this case "letter.zip" points back to "letter.zip". No
>> "" in sight... Maybe there was a blurb about this after the latest
>> release, but I don't think so. Probably has something to do with MIME
>> parsing etc, the code (at a glance) looks pretty solid.
>>
>> Jules!
>> Could you take a look, pretty please?
>> In the meantime, I'll download 4.73.1 to see if this code has changed.
>>
>> Cheers
>> -- Glenn
>>
>
> Jules and Jeff!
>
> I now think I know what's making these loop forever. The message
> typically contains a zip file named XXXX which in turn contains a zip
> file XXXX (that is: the same name), which all get handled by renaming
> the "inner" zip file with a number tagged on to the "base name"...
> That zip in turn contains an obfuscated executable file (long run of
> whitespace before the double extension).
> The filename is handled when unpacking, but not when constructing the
> filename->parent hash chain. So we end up with a chain looking like
> "letter.zip"->"letter.zip", since the second time we store the
> filename ... it'll overwrite the preexisting "letter.zip"->"".
>
> I'm off to the last performance of Show Boat (www.showboat.se, if any
> of you fancy reading about it ... in Swedish:-), so deciding on how to
> fix this, either by using a sanitized name in the hash or by some
> loop-detection when using it, is entirely in your court Jules... As
> always:-):-).
>
> Strange that so few have noticed this bug.
>
> Cheers
> -- Glenn
>

An example of how it looks in the quarantine:

[root@apmx06 52D0E1008122.7666A]# unzip -lv letter.zip
Archive:  letter.zip
 Length   Method    Size  Ratio   Date   Time   CRC-32    Name
--------  ------  ------- -----   ----   ----   ------    ----
   29078  Stored    29078   0%  11-14-08 12:30  029488a5  letter.zip
--------          -------  ---                            -------
   29078            29078   0%                            1 file
[root@apmx06 52D0E1008122.7666A]# unzip -lv letter1.zip
Archive:  letter1.zip
 Length   Method    Size  Ratio   Date   Time   CRC-32    Name
--------  ------  ------- -----   ----   ----   ------    ----
   28864  Stored    28864   0%  11-14-08 12:30  6d9e5302  letter.htm .exe
--------          -------  ---                            -------
   28864            28864   0%                            1 file
[root@apmx06 52D0E1008122.7666A]# ls -l
totalt 131
-rw-rw---- 1 postfix apache 29078 nov 21 14:49 letter1.zip
-rw-rw---- 1 postfix apache 28864 nov 21 14:49 letter.htm.exe
-rw-rw---- 1 postfix apache 29196 nov 21 14:49 letter.zip
-rw-rw---- 1 postfix apache 40492 nov 21 14:49 message
[root@apmx06 52D0E1008122.7666A]#

Cheers
-- Glenn

>
>> 2008/11/21 Jeffrey Haas
>>>
>>> When the MailScanner process is stuck, 'ps auwx' shows:
>>> postfix 6281 73.6 1.2 55256 51356 ? R 12:40 233:52 MailScanner: cleaning messages
>>>
>>> 'top' looks like:
>>> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
>>>
>>> 6281 postfix 25 0 55256 50m 3820 R 100 1.3 235:41.34 MailScanner
>>>
>>> I installed MailScanner and clamd from the tarballs from mailscanner.info.
>>>
>>> I suppose I won't be surprised if it's something odd on my systems, but these systems are dedicated to running postfix and MailScanner, and I try to keep the configuration as simple as possible. The basic procedure to set them up is to load Ubuntu Server 8.04 (LTS) with default options. Then the minimal changes to configure postfix for our needs, then MailScanner/Perl modules/ClamAV/SpamAssassin from the tarballs and then minimal configuration changes again. That's about it.
>>>
>>> I think the spam.assassin.prefs.confs is the most heavily edited, since we add some rules there. I could send diffs or config options that are changed from the default for filename.rules.conf, MailScanner.conf and spam.assassin.prefs.conf if anyone would want to look at them.
>>>
>>> We continue to receive messages that cause the children to freeze. Usually 1 - 3 per day.
>>>
>>> Actually here are all the settings changed in MailScanner.conf as a start:
>>> %org-name% = UIUC-Life-Sciences
>>> %org-long-name% = UIUC Life Sciences
>>> %web-site% = www.life.uiuc.edu
>>> Max Children = 10
>>> Run As User = postfix
>>> Run As Group = postfix
>>> Incoming Queue Dir = /var/spool/postfix/hold
>>> Outgoing Queue Dir = /var/spool/postfix/incoming
>>> MTA = postfix
>>> Incoming Work Group = clamav
>>> Incoming Work Permissions = 0640
>>> Max Unscanned Messages Per Scan = 1
>>> Max Unsafe Messages Per Scan = 1
>>> Virus Scanners = clamd
>>> Clamd Socket = /tmp/clamd.socket
>>> Find Phishing Fraud = no
>>> Use Stricter Phishing Net = no
>>> Allow WebBugs = yes
>>> SpamScore Number Instead Of Stars = yes
>>> Information Header Value = Please contact help@life.illinois.edu for more information
>>> Always Include SpamAssassin Report = yes
>>> Sign Clean Messages = no
>>> Notify Senders = no
>>> Disarmed Modify Subject = no
>>> Is Definitely Spam = %rules-dir%/spam.blacklist.rules
>>> High SpamAssassin Score = 25
>>> SpamAssassin Auto Whitelist = no
>>> Rebuild Bayes Every = 86400
>>> Wait During Bayes Rebuild = yes
>>> High Scoring Spam Actions = delete
>>> Syslog Facility = local0
>>> Log Spam = yes
>>> Log Non Spam = yes
>>> SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin
>>>
>>> The only configuration I've made to the clamav.conf file was to set:
>>> LogFile /var/log/clamav/clamav.log
>>>
>>> and in freshclam.conf:
>>> UpdateLogFile /var/log/clamav/freshclam.log
>>>
>>> As always, thanks for any ideas.
>>>
>>> --jeff
>>>
>>> Glenn Steen wrote:
>>>>
>>>> (Sorry for the resend... forgot to "Reply all"... Sigh:)
>>>>
>>>> 2008/11/18 Jeffrey Haas
>>>>>
>>>>> Hi Glenn -
>>>>>
>>>> Hi Jeff,
>>>>
>>>> Sorry for the somewhat late reply... I've been ... busy with work...
>>>>
>>>>> Hope you had a fun singing. That sounds like a great gig!
>>>>
>>>> Always fun...
Last performance tomorrow (I've done 13-14 shows of the
>>>> 40 they're giving), so it'll be a strange mix of loss (it's real fun)
>>>> and relief (since it "eats" a lot of time and energy). Oh well.
>>>>
>>>>
>>>>> I tried to test the SpamAssassin cache theory.
>>>>>
>>>>> My SpamAssassin cache settings are:
>>>>> Cache SpamAssassin Results = yes
>>>>> SpamAssassin Cache Database File = /var/spool/MailScanner/incoming/SpamAssassin.cache.db
>>>>>
>>>>> I tried stopping MailScanner, deleting the SpamAssassin.cache.db file (everything in /var/spool/MailScanner/incoming actually). Then I restarted MailScanner and sent myself the troublesome message with:
>>>>> sendmail -t jeff@life.illinois.edu < bad.msg
>>>>>
>>>>> One MailScanner child process went to 100% and stopped processing mail.
>>>>>
>>>>> I stopped MailScanner, deleted the message with postsuper and set:
>>>>> Cache SpamAssassin Results = no
>>>>> to try eliminating the cache altogether. But that test had the same result. I connected to the troublesome process with strace, but there was no output.
>>>>>
>>>>> I also performed these tests on both our Ubuntu 7.10 & 8.04 systems. I find some comfort in the idea that the results are consistent and repeatable (on my systems anyway).
>>>>>
>>>> I've tested the ones you sent... none of them throws my system ... it
>>>> detects the viruses quite OK actually...
>>>> Might this be something to do with your clamd? What does the
>>>> MailScanner process say it's doing while eating all the CPU (MS
>>>> rewrites the command line, as you know, so hitting "c" in top... or
>>>> using "ps -ef" or "ps auxww" would show what the child thinks it is
>>>> supposed to do)?
>>>>
>>>> Might be that my testbed isn't enough like yours, so I'll see if I get
>>>> any time for that tomorrow (had planned to look further at this this
>>>> evening, but the SecurID ACE server and the VPN decided to hate each
>>>> other:-).
>>>>
>>>>> I've cc'd Jules on this message in case he'd like to access the bad messages or the strace output. I'd be happy to provide more info or run tests. Just let me know what you think might be useful.
>>>>>
>>>>> --jeff
>>>>
>>>> If Jules can tear himself away from playing with Root and Cisco...:-).
>>>> Anyway, all good things willing, I'll know more tomorrow. Gut feeling
>>>> is that it is something specific to your installs, or else there would
>>>> be more on the list about this... MyDoom variants are pretty common,
>>>> after all. You installed MS from the tarball? And clamd from ...?
>>>>
>>>> Cheers
>>>> --
>>>> -- Glenn
>>>>>
>>>>> Glenn Steen wrote:
>>>>>>
>>>>>> 2008/11/16 Jeffrey Haas :
>>>>>>>
>>>>>>> Here are the URLs
>>>>>>>
>>>>>>> Bad messages at:
>>>>>>>
>>>>>>>
>>>>>>> strace output at:
>>>>>>>
>>>>>>>
>>>>>>> Thanks again.
>>>>>>>
>>>>>>> --jeff
>>>>>>>
>>>>>> Hi Jeff,
>>>>>>
>>>>>> I'll not have time to look into these until tomorrow, unfortunately....
>>>>>> I'm on my way to my hobby project (singing backstage on a professional
>>>>>> musical... Show Boat... with a mixed South African/Swedish crew... Lot
>>>>>> of work, loads of fun:-), which'll take the rest of the day. You could
>>>>>> try two things:
>>>>>> - Send the same links to Jules (mailscanner@ecs.soton.ac.uk), and
>>>>>> - clear your SpamAssassin result cache database. You do that by
>>>>>> removing the SQLite files... Seeing as in the other message (that I
>>>>>> don't have time to look thoroughly at now) your findings do point a
>>>>>> finger at that... Then try dropping in the "problem queue files"
>>>>>> again.
>>>>>>
>>>>>> Cheers
>>>>
>>>>
>>>>
>>>>
>>
>>
>>
>> --
>> -- Glenn
>> email: glenn < dot > steen < at > gmail < dot > com
>> work: glenn < dot > steen < at > ap1 < dot > se
>>
>
>
>
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se
>

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From Daniel.Flensburg at iris.se Fri Nov 21 15:10:48 2008
From: Daniel.Flensburg at iris.se (Daniel Flensburg)
Date: Fri Nov 21 15:14:12 2008
Subject: SV: Local State Dir - /var/lib/spamassassin - SARE rules no hits
In-Reply-To:
References: <910ee2ac0811201634se99a4daob2b8ff95088daf27@mail.gmail.com><3DF8101092666E4A9020D949E419EB6F02B7BABF@ensms02.iris.se>
Message-ID: <3DF8101092666E4A9020D949E419EB6F02B7BCAA@ensms02.iris.se>

Ok, I will try finding it after the weekend. You have no idea what you did?

/Daniel

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Kai Schaetzl
Sent: 21 November 2008 13:31
To: mailscanner@lists.mailscanner.info
Subject: Re: Local State Dir - /var/lib/spamassassin - SARE rules no hits

Daniel Flensburg wrote on Fri, 21 Nov 2008 10:57:47 +0100:

> I have a rather old version of SA 3.1.4 - but I do not want to upgrade
> until I have a backup MS server running, unless an upgrade is the fix
> for this strange behavior.

I remember having had this problem once either earlier this year or last year. I don't remember how I solved it. You might be able to find this discussion by searching the archives.
Kai -- Kai Sch?tzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From ssilva at sgvwater.com Fri Nov 21 22:10:14 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Fri Nov 21 22:10:42 2008 Subject: Message rules don't work, but if message forwarded, it does??? In-Reply-To: <43F62CA225017044BC84CFAF92B4333B036091@sbsserver.Techquility.net> References: <4910E415.4050502@rheel.co.nz><43F62CA225017044BC84CFAF92B4333B035FB3@sbsserver.Techquility.net><223f97700811051117g2d4b91c5g4cda816ac8e2e862@mail.gmail.com><43F62CA225017044BC84CFAF92B4333B035FB8@sbsserver.Techquility.net><223f97700811051419r7982975fi34b25598b91ed1ca@mail.gmail.com><43F62CA225017044BC84CFAF92B4333B035FBC@sbsserver.Techquility.net> <223f97700811061050x5ca2b8a6t98d115ad27b450ea@mail.gmail.com><43F62CA225017044BC84CFAF92B4333B036074@sbsserver.Techquility.net> <43F62CA225017044BC84CFAF92B4333B03607E@sbsserver.Techquility.net> <43F62CA225017044BC84CFAF92B4333B036091@sbsserver.Techquility.net> Message-ID: on 11-20-2008 10:37 PM Chris Barber spake the following: > >> The HTML encoding seems different between messages. This might be why it gets caught the second time around. >> Also, the message you mark as missed has a RFC private IP address in it >> (Received: from [192.168.1.56] (unknown [192.168.1.56])) , but the one you marked as forwarded doesn't. Could they be mixed up? >> Never mind. They are mixed up because the one marked missed has a Fwd: >> prepended to the subject. >> The missed message is encoded with "quoted-printable" in the html section, but Thunderbird looks to be re-encoding it on the forward. Maybe you >have a problem with your mime-tools module on the server. > > Oops, you are right I mixed up the folders. 
I am using MIME::Tools version 5.427. I think this was installed by Julian's install.sh script. Is there a way to test/debug this module? > > > It might not be the problem, it was just a possibility. I'm running 5.425 here. Not sure how to debug that. Maybe next time you can pipe the original message into spamassassin and see what happens. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081121/4b2676b6/signature.bin From ssilva at sgvwater.com Fri Nov 21 22:13:42 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Fri Nov 21 22:15:11 2008 Subject: Fwd: Mailscanner child freezes In-Reply-To: <223f97700811210710v21b69206mfa5dc3439ed8453e@mail.gmail.com> References: <491D88B5.4090804@life.illinois.edu> <223f97700811150135y66b5d1bdue0c01801c4615a3b@mail.gmail.com> <491F835C.9020901@life.illinois.edu> <223f97700811160433v3ee3d176ofedd4d344e8236e2@mail.gmail.com> <49224E2C.4090800@life.illinois.edu> <223f97700811201453i3b2abf65u1ff09d8d50af2aaf@mail.gmail.com> <492601CA.40007@life.illinois.edu> <223f97700811210615y2f90b87cwcebad06052d9aa6e@mail.gmail.com> <223f97700811210705o42415763h154d4630ce084ae3@mail.gmail.com> <223f97700811210706k4a45724fscaf2a359f1806db0@mail.gmail.com> <223f97700811210710v21b69206mfa5dc3439ed8453e@mail.gmail.com> Message-ID: on 11-21-2008 7:10 AM Glenn Steen spake the following: > Guys, > > I know my quoting style will drive you nuts, but ... please look at this. > It's a heads up for 4.72.5, keep a lookout for children busy-looping > while "cleaning messages". > Hopefully Jules, or one of you, will have a solution ... really quick. 
> > Cheers > -- Glenn > Glenn, If you have a sample of this available, I can run it through my sendmail box and see if it is only postfix related or deeper. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081121/a7f7c78b/signature.bin From ssilva at sgvwater.com Fri Nov 21 22:21:43 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Fri Nov 21 22:22:02 2008 Subject: Big drop in SPAM volume? In-Reply-To: <012f01c94bd7$c5b1de70$696078c1@JCSPC> References: <00de01c94bc5$4a6d5710$696078c1@JCSPC> <7EF0EE5CB3B263488C8C18823239BEBA05479788@HC-MBX02.herefordshire.gov.uk> <012f01c94bd7$c5b1de70$696078c1@JCSPC> Message-ID: on 11-21-2008 4:50 AM John Clancy spake the following: > Thanks Phil, > > I remember reading about the shutdown of McColo but I'm amazed that > shutting down just one would generate a 60 odd per cent drop in the > volume of SPAM coming in:-) > > If only it was as simple as shutting down a few others and curing the > whole SPAM problem. > > Of course it's only a matter of time before the ****ards find another > route :-( > It was estimated in one article that the McColo shutdown stranded around half a million bot infected machines. Without command and control the bots just sit idle. I'm sure the next big bot infection will have a backup system in place. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081121/0312483c/signature.bin From ssilva at sgvwater.com Fri Nov 21 22:23:45 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Fri Nov 21 22:25:14 2008 Subject: Big drop in SPAM volume? In-Reply-To: <018701c94be4$50560090$696078c1@JCSPC> References: <00de01c94bc5$4a6d5710$696078c1@JCSPC><7EF0EE5CB3B263488C8C18823239BEBA05479788@HC-MBX02.herefordshire.gov.uk><012f01c94bd7$c5b1de70$696078c1@JCSPC> <72cf361e0811210552r50f54c27v6ab0f32da1738454@mail.gmail.com> <018701c94be4$50560090$696078c1@JCSPC> Message-ID: > > > Thanks for that Martin - I knew it was too good to last! > > I still have a fond day dream of seeing one of these big spammers being > hauled into court and pleading guilty to 4 sample offences and asking > for the judge to take 40 trillion similar offences into consideration :-) > > John Sounds like a new use for the Guantanamo Bay holding cells! Spam terrorists! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081121/99febfef/signature.bin From steve at fsl.com Fri Nov 21 23:10:58 2008 From: steve at fsl.com (Stephen Swaney) Date: Fri Nov 21 23:11:10 2008 Subject: Very OT - Big drop in SPAM volume? 
In-Reply-To: References: <00de01c94bc5$4a6d5710$696078c1@JCSPC><7EF0EE5CB3B263488C8C18823239BEBA05479788@HC-MBX02.herefordshire.gov.uk><012f01c94bd7$c5b1de70$696078c1@JCSPC> <72cf361e0811210552r50f54c27v6ab0f32da1738454@mail.gmail.com> <018701c94be4$50560090$696078c1@JCSPC> Message-ID: <49274002.6040501@fsl.com> Scott Silva wrote: >> Thanks for that Martin - I knew it was too good to last! >> >> I still have a fond day dream of seeing one of these big spammers being >> hauled into court and pleading guilty to 4 sample offences and asking >> for the judge to take 40 trillion similar offences into consideration :-) >> >> John >> > Sounds like a new use for the Guantanamo Bay holding cells! > Spam terrorists! > > > Scott, Don't even joke about this :) Most Americans really want that base CLOSED!!!! I was actually in GITMO in the 60's as an officer in th US Navy. It's a really dead-end place that should be given back to the Cubans but for the fact that their economy would suffer because many of the employees at the base now take home US dollar paychecks. But I have some cells available in a friend's cold, damp, rat / lice infected basement that they would love to rent out to any spammers who might be caught (good luck). We're really trying hard to set a new course with foreign relations over here. Any help / slack will be appreciated :) Best regards, Steve Steve Swaney steve@fsl.com www.fsl.com From sandrews at andrewscompanies.com Fri Nov 21 23:31:04 2008 From: sandrews at andrewscompanies.com (Steven Andrews) Date: Fri Nov 21 23:31:14 2008 Subject: Very OT - Big drop in SPAM volume? 
In-Reply-To: <49274002.6040501@fsl.com> References: <00de01c94bc5$4a6d5710$696078c1@JCSPC><7EF0EE5CB3B263488C8C18823239BEBA05479788@HC-MBX02.herefordshire.gov.uk><012f01c94bd7$c5b1de70$696078c1@JCSPC> <72cf361e0811210552r50f54c27v6ab0f32da1738454@mail.gmail.com> <018701c94be4$50560090$696078c1@JCSPC> <49274002.6040501@fsl.com> Message-ID: <1964AAFBC212F742958F9275BF63DBB09078FD@winchester.andrewscompanies.com> No we don't. -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Stephen Swaney Sent: Friday, November 21, 2008 6:11 PM To: MailScanner discussion Subject: Very OT - Big drop in SPAM volume? Scott Silva wrote: >> Thanks for that Martin - I knew it was too good to last! >> >> I still have a fond day dream of seeing one of these big spammers being >> hauled into court and pleading guilty to 4 sample offences and asking >> for the judge to take 40 trillion similar offences into consideration :-) >> >> John >> > Sounds like a new use for the Guantanamo Bay holding cells! > Spam terrorists! > > > Scott, Don't even joke about this :) Most Americans really want that base CLOSED!!!! I was actually in GITMO in the 60's as an officer in th US Navy. It's a really dead-end place that should be given back to the Cubans but for the fact that their economy would suffer because many of the employees at the base now take home US dollar paychecks. But I have some cells available in a friend's cold, damp, rat / lice infected basement that they would love to rent out to any spammers who might be caught (good luck). We're really trying hard to set a new course with foreign relations over here. 
Any help / slack will be appreciated :) Best regards, Steve Steve Swaney steve@fsl.com www.fsl.com -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From michael at huntley.net Sat Nov 22 00:14:30 2008 From: michael at huntley.net (Michael Huntley) Date: Sat Nov 22 00:14:50 2008 Subject: Very OT - Big drop in SPAM volume? In-Reply-To: <49274002.6040501@fsl.com> References: <00de01c94bc5$4a6d5710$696078c1@JCSPC><7EF0EE5CB3B263488C8C18823239BEBA05479788@HC-MBX02.herefordshire.gov.uk><012f01c94bd7$c5b1de70$696078c1@JCSPC> <72cf361e0811210552r50f54c27v6ab0f32da1738454@mail.gmail.com> <018701c94be4$50560090$696078c1@JCSPC> <49274002.6040501@fsl.com> Message-ID: <49274EE6.9040506@huntley.net> Stephen Swaney wrote: > Scott Silva wrote: >>> Thanks for that Martin - I knew it was too good to last! >>> >>> I still have a fond day dream of seeing one of these big spammers being >>> hauled into court and pleading guilty to 4 sample offences and asking >>> for the judge to take 40 trillion similar offences into >>> consideration :-) >>> >>> John >>> >> Sounds like a new use for the Guantanamo Bay holding cells! >> Spam terrorists! >> >> >> > Scott, > > Don't even joke about this :) Most Americans really want that base > CLOSED!!!! > > I was actually in GITMO in the 60's as an officer in th US Navy. It's > a really dead-end place that should be given back to the Cubans but > for the fact that their economy would suffer because many of the > employees at the base now take home US dollar paychecks. > > But I have some cells available in a friend's cold, damp, rat / lice > infected basement that they would love to rent out to any spammers who > might be caught (good luck). > > We're really trying hard to set a new course with foreign relations > over here. 
Any help / slack will be appreciated :)
>
> Best regards,
>
> Steve
>
> Steve Swaney
> steve@fsl.com
> www.fsl.com
>
>
Yeah, in Fantasy Land.

m

vinum vesco valens viscus

From glenn.steen at gmail.com Sat Nov 22 09:58:13 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Nov 22 09:58:24 2008
Subject: Fwd: Mailscanner child freezes
In-Reply-To:
References: <491D88B5.4090804@life.illinois.edu>
 <223f97700811160433v3ee3d176ofedd4d344e8236e2@mail.gmail.com>
 <49224E2C.4090800@life.illinois.edu>
 <223f97700811201453i3b2abf65u1ff09d8d50af2aaf@mail.gmail.com>
 <492601CA.40007@life.illinois.edu>
 <223f97700811210615y2f90b87cwcebad06052d9aa6e@mail.gmail.com>
 <223f97700811210705o42415763h154d4630ce084ae3@mail.gmail.com>
 <223f97700811210706k4a45724fscaf2a359f1806db0@mail.gmail.com>
 <223f97700811210710v21b69206mfa5dc3439ed8453e@mail.gmail.com>
Message-ID: <223f97700811220158q1df9a358p7f99d732a288145e@mail.gmail.com>

2008/11/21 Scott Silva :
> on 11-21-2008 7:10 AM Glenn Steen spake the following:
>> Guys,
>>
>> I know my quoting style will drive you nuts, but ... please look at this.
>> It's a heads up for 4.72.5, keep a lookout for children busy-looping
>> while "cleaning messages".
>> Hopefully Jules, or one of you, will have a solution ... really quick.
>>
>> Cheers
>> -- Glenn
>>
> Glenn,
> If you have a sample of this available, I can run it through my sendmail box
> and see if it is only postfix related or deeper.
>
The trouble is in Message.pm, so it probably affects all. You can
easily create a testcase yourself:
zip any file into an archive called "archive.zip" (or whatever you
like:-), then zip "archive.zip" into a new zip file named
"archive.zip"... then send it through .... Keep an eye on top and
you'll see one MS child "get stuck" in "cleaning messages" eating
close to 100% CPU.
This bug only affects 4.72.5 (and later, from what it seems ... from
reading the code), so all who run 4.71 are unaffected.

Since this is easily and readily exploitable, I hesitated "going
public" with this... I'm looking at finding a solution (it should be
something simple, either safeguarding when constructing the hashes, or
"loop-detecting" when traversing the "hash list"), but as always...
Jules' genius (and superior understanding of all nuances of the code)
would likely find a simple solution to this in no time at all:-).

I'd appreciate if you did do a test Scott.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Sat Nov 22 10:15:14 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Nov 22 10:15:24 2008
Subject: Fwd: Mailscanner child freezes
In-Reply-To: <223f97700811220158q1df9a358p7f99d732a288145e@mail.gmail.com>
References: <491D88B5.4090804@life.illinois.edu>
 <49224E2C.4090800@life.illinois.edu>
 <223f97700811201453i3b2abf65u1ff09d8d50af2aaf@mail.gmail.com>
 <492601CA.40007@life.illinois.edu>
 <223f97700811210615y2f90b87cwcebad06052d9aa6e@mail.gmail.com>
 <223f97700811210705o42415763h154d4630ce084ae3@mail.gmail.com>
 <223f97700811210706k4a45724fscaf2a359f1806db0@mail.gmail.com>
 <223f97700811210710v21b69206mfa5dc3439ed8453e@mail.gmail.com>
 <223f97700811220158q1df9a358p7f99d732a288145e@mail.gmail.com>
Message-ID: <223f97700811220215r7d3724a7v70fb2649c1c870cd@mail.gmail.com>

2008/11/22 Glenn Steen :
> 2008/11/21 Scott Silva :
>> on 11-21-2008 7:10 AM Glenn Steen spake the following:
>>> Guys,
>>>
>>> I know my quoting style will drive you nuts, but ... please look at this.
>>> It's a heads up for 4.72.5, keep a lookout for children busy-looping
>>> while "cleaning messages".
>>> Hopefully Jules, or one of you, will have a solution ... really quick.
>>>
>>> Cheers
>>> -- Glenn
>>>
>> Glenn,
>> If you have a sample of this available, I can run it through my sendmail box
>> and see if it is only postfix related or deeper.
>>
> The trouble is in Message.pm, so it probably affects all.
You can
> easily create a testcase yourself:
> zip any file into an archive called "archive.zip" (or whatever you

Any file that would require cleaning, that is ... Like an executable
(doesn't need to be an exe, just something named .exe).

> like:-), then zip "archive.zip" into a new zip file named
> "archive.zip"... then send it through .... Keep an eye on top and
> you'll see one MS child "get stuck" in "cleaning messages" eating
> close to 100% CPU.
> This bug only affects 4.72.5 (and later, from what it seems ... from
> reading the code), so all who run 4.71 are unaffected.
>
> Since this is easily and readily exploitable, I hesitated "going
> public" with this... I'm looking at finding a solution (it should be
> something simple, either safeguarding when constructing the hashes, or
> "loop-detecting" when traversing the "hash list"), but as always...
> Jules' genius (and superior understanding of all nuances of the code)
> would likely find a simple solution to this in no time at all:-).
>
> I'd appreciate if you did do a test Scott.
>
> Cheers
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se
>

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From cbarber at techquility.net Sat Nov 22 15:34:28 2008
From: cbarber at techquility.net (Chris Barber)
Date: Sat Nov 22 15:34:56 2008
Subject: How to test RBL lookups in MailScanner?
In-Reply-To: References: <4910E415.4050502@rheel.co.nz><43F62CA225017044BC84CFAF92B4333B035FB3@sbsserver.Techquility.net><223f97700811051117g2d4b91c5g4cda816ac8e2e862@mail.gmail.com><43F62CA225017044BC84CFAF92B4333B035FB8@sbsserver.Techquility.net><223f97700811051419r7982975fi34b25598b91ed1ca@mail.gmail.com><43F62CA225017044BC84CFAF92B4333B035FBC@sbsserver.Techquility.net><223f97700811061050x5ca2b8a6t98d115ad27b450ea@mail.gmail.com><43F62CA225017044BC84CFAF92B4333B036074@sbsserver.Techquility.net><43F62CA225017044BC84CFAF92B4333B03607F@sbsserver.Techquility.net> <72cf361e0811200125u3499ac00x3f7e979ff42df4d8@mail.gmail.com><43F62CA225017044BC84CFAF92B4333B036082@sbsserver.Techquility.net> Message-ID: <43F62CA225017044BC84CFAF92B4333B0360A6@sbsserver.Techquility.net> >> >> >> >> I find the best way to do the RBL's in spamassassin, they way it adds >> to the score. You can you multiple RBLs in mailscanner and then say >> it must at least 2 before it's marked as spam, but I prefer the >> spamassassin way. >> >> -- >> Martin Hepworth >> Oxford, UK > > Thank you Martin! I did not consider SA doing the lookups. I'll give > that a try. >>Spamassassin is much more efficient at doing the network tests because it will poll all the lists in parallel. MailScanner queries each list you >>add one at a time. Thanks guys. Is there a specific rule file that I should be using to modify the Spamassassin RBL lists? Do I need to put these into mailscanner.cf in /etc/mail/spamassassin? From MailScanner at ecs.soton.ac.uk Sat Nov 22 15:46:15 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sat Nov 22 15:46:35 2008 Subject: 4.73.2 beta released, and new trend-autoupdate Message-ID: <49282947.6000302@ecs.soton.ac.uk> A potential security hole has been found in the trend-autoupdate script. If you do not have the Trend anti-virus package installed on your system, this does *NOT* affect you at all, as that script will never be run. 
If you do have the Trend anti-virus package installed on your system, you can download a replacement trend-autoupdate script from the MailScanner home page at www.mailscanner.info. Just read my News article about it. I have also just released a whole new MailScanner 4.73.2 including this new replacement file. It also fixes a logging issue, if you had changed a setting to "Include Scanner Name In Reports = no" and were not getting the scanner name in the system's syslog. Cheers guys! P.S. Spent an afternoon last week lying in an MRI scanner while they re-checked lots of things, but otherwise no more news from the hospitals. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From maillists at conactive.com Sat Nov 22 18:31:17 2008 From: maillists at conactive.com (Kai Schaetzl) Date: Sat Nov 22 18:31:36 2008 Subject: How to test RBL lookups in MailScanner? 
In-Reply-To: <43F62CA225017044BC84CFAF92B4333B0360A6@sbsserver.Techquility.net>
References: <4910E415.4050502@rheel.co.nz>
 <43F62CA225017044BC84CFAF92B4333B035FB3@sbsserver.Techquility.net>
 <223f97700811051117g2d4b91c5g4cda816ac8e2e862@mail.gmail.com>
 <43F62CA225017044BC84CFAF92B4333B035FB8@sbsserver.Techquility.net>
 <223f97700811051419r7982975fi34b25598b91ed1ca@mail.gmail.com>
 <43F62CA225017044BC84CFAF92B4333B035FBC@sbsserver.Techquility.net>
 <223f97700811061050x5ca2b8a6t98d115ad27b450ea@mail.gmail.com>
 <43F62CA225017044BC84CFAF92B4333B036074@sbsserver.Techquility.net>
 ger.gmane <43F62CA225017044BC84CFAF92B4333B0360A6@sbsserver.Techquility.net>
Reply-To: mailscanner@lists.mailscanner.info

Chris Barber wrote on Sat, 22 Nov 2008 10:34:28 -0500:

> Do I need to put these into
> mailscanner.cf in /etc/mail/spamassassin?

FYI, that is only a symlink to the spamassassin config file in
/etc/MailScanner.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From MailScanner at ecs.soton.ac.uk Sat Nov 22 19:01:59 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Nov 22 19:02:22 2008
Subject: Fwd: Mailscanner child freezes
In-Reply-To: <223f97700811220158q1df9a358p7f99d732a288145e@mail.gmail.com>
References: <491D88B5.4090804@life.illinois.edu>
 <223f97700811160433v3ee3d176ofedd4d344e8236e2@mail.gmail.com>
 <49224E2C.4090800@life.illinois.edu>
 <223f97700811201453i3b2abf65u1ff09d8d50af2aaf@mail.gmail.com>
 <492601CA.40007@life.illinois.edu>
 <223f97700811210615y2f90b87cwcebad06052d9aa6e@mail.gmail.com>
 <223f97700811210705o42415763h154d4630ce084ae3@mail.gmail.com>
 <223f97700811210706k4a45724fscaf2a359f1806db0@mail.gmail.com>
 <223f97700811210710v21b69206mfa5dc3439ed8453e@mail.gmail.com>
 <223f97700811220158q1df9a358p7f99d732a288145e@mail.gmail.com>
Message-ID: <49285727.9090806@ecs.soton.ac.uk>

Please try the attached (gzipped) Message.pm file.
Just drop it into /usr/lib/MailScanner/MailScanner/Message.pm if you are running the latest version, and restart MailScanner. On 22/11/08 09:58, Glenn Steen wrote: > 2008/11/21 Scott Silva: > >> on 11-21-2008 7:10 AM Glenn Steen spake the following: >> >>> Guys, >>> >>> I know my quoting style will drive you nuts, but ... please look at this. >>> It's a heads up for 4.72.5, keep a lookout for children busy-looping >>> while "cleaning messages". >>> Hopefully Jules, or one of you, will have a solution ... really quick. >>> >>> Cheers >>> -- Glenn >>> >>> >> Glenn, >> If you have a sample of this available, I can run it through my sendmail box >> and see if it is only postfix related or deeper. >> >> > The trouble is in Message.pm, so it probably affects all. You can > easily create a testcase yourself: > zip any file into an archive called "archive.zip" (or whatever you > like:-), then zip "archive.zip" into a new zip file named > "archive.zip"... then send it through .... Keep an eye on top and > you'll see one MS child "get stuck" in "cleaning messages" eating > close to 100% CPU. > This bug only affect 4.72.5 (and later, from what it seems ... from > reading the code), so all who run 4.71 are unaffected. > > Since this is easily and readily exploitable, I hesitated "going > public" with this... I'm looking at finding a solution (it should be > something simple, either safeguarding when constructing the hashes, or > "loop-detecting" when travesing the "hash list"), but as always... > Jules genius (and superior understanding of all nuances of the code) > would likely find a simple solution to this in no time at all:-). > > I'd appreciate if you did do a test Scott. > > Cheers > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- A non-text attachment was scrubbed... Name: Message.pm.gz Type: application/x-gzip Size: 70475 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081122/18716361/Message.pm-0001.gz From MailScanner at ecs.soton.ac.uk Sat Nov 22 19:05:07 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sat Nov 22 19:05:28 2008 Subject: Mailscanner - large deployment In-Reply-To: <4CAB0118AEC63A4FAAE77E6BCBDF760C7952018CFD@server02.bhl.local> References: <200811201201.mAKC0LWn008296@safir.blacknight.ie> <4CAB0118AEC63A4FAAE77E6BCBDF760C7952018CFD@server02.bhl.local> Message-ID: <492857E3.2090709@ecs.soton.ac.uk> On 21/11/08 08:44, Jason Ede wrote: >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of Paulo Roncon >> Sent: 20 November 2008 14:53 >> To: 'mailscanner@lists.mailscanner.info' >> Subject: Mailscanner - large deployment >> >> Hello, >> >> I'm thinking on building a farm of servers with mailscanner. My >> question is related to the quarantine mantainance: Should i implement a >> shared m?dium to store the files, or should every server in the farm >> have its on quarantine directory? >> This is important because i need to implement a way to inform the users >> that there's quarantined email, and its location. >> I'm thinking of mailscanner + sendmail + mailwatch >> >> Can you please advise? >> > > If you're looking at a large server farm then I think it would be a good idea to look at BarricadeMX. > http://www.fsl.com/barricademx.html > Definitely. 
This will save you an awful lot of money, as your server farm will need to be a fraction of the size. You can easily run well over a million messages per day through one cheap server running BarricadeMX. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From hvdkooij at vanderkooij.org Sat Nov 22 20:19:01 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Sat Nov 22 20:19:11 2008 Subject: 4.73.2 beta released, and new trend-autoupdate In-Reply-To: <49282947.6000302@ecs.soton.ac.uk> References: <49282947.6000302@ecs.soton.ac.uk> Message-ID: <49286935.1030109@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Julian Field wrote: > A potential security hole has been found in the trend-autoupdate script. > If you do not have the Trend anti-virus package installed on your > system, this does *NOT* affect you at all, as that script will never be > run. > > If you do have the Trend anti-virus package installed on your system, > you can download a replacement trend-autoupdate script from the > MailScanner home page at www.mailscanner.info. Just read my News article > about it. Just curious which Trend Micro software you support. Because it seems that with each new product update they make it harder to run from the commandline in a meaningfull way. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. 
I am not in the office at the moment. Send any work to be translated. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFJKGkxBvzDRVjxmYERApdVAJ9vy0yz/x1HWXmJuFpoRvg4AsC6DwCfUBXh yVNJ0H/C2LQw+kVa4wfKEtc= =pU99 -----END PGP SIGNATURE----- From Heinrich-Peters at nurfuerspam.de Sat Nov 22 21:42:40 2008 From: Heinrich-Peters at nurfuerspam.de (Heinrich Christian Peters) Date: Sat Nov 22 21:50:13 2008 Subject: [Problem] "Other Bad Content Detected" - "Could not analyze message" Message-ID: Hello, I have some problems with my MailScanner installation. After upgrading to debian testing I get these error messages when receiving mails generated by my Typo3 directmail plugin. In debian testing I use the following versions: mailscanner: 4.68.8-1 exim4: 4.69-9 I tried to disable the external TNEF Expander, Dangerous Content Scanning and some others - nothing helps. See the MailScanner -v output below [2]. An example message you can find here [1]. Thanks for your help!
Yours, Heiner [1] [2] MailScanner -v > This is Perl version 5.010000 (5.10.0) > > This is MailScanner version 4.68.8 > Module versions are: > 1.00 AnyDBM_File > 1.18 Archive::Zip > 1.08 Carp > 2.012 Compress::Zlib > 1.119 Convert::BinHex > 2.27 Date::Parse > 1.01 DirHandle > 1.06 Fcntl > 2.76 File::Basename > 2.11 File::Copy > 2.01 FileHandle > 2.04 File::Path > 0.18 File::Temp > 0.92 Filesys::Df > 1.35 HTML::Entities > 3.56 HTML::Parser > 2.37 HTML::TokeParser > 1.23_01 IO > 1.14 IO::File > 1.13 IO::Pipe > 2.03 Mail::Header > 1.88 Math::BigInt > 3.07_01 MIME::Base64 > 5.427 MIME::Decoder > 5.427 MIME::Decoder::UU > 5.427 MIME::Head > 5.427 MIME::Parser > 3.07 MIME::QuotedPrint > 5.427 MIME::Tools > 0.11 Net::CIDR > 1.13 POSIX > 1.19 Scalar::Util > 1.80 Socket > 1.4 Sys::Hostname::Long > 0.26 Sys::Syslog > 1.9711 Time::HiRes > 1.02 Time::localtime > > Optional module versions are: > 1.38 Archive::Tar > 0.22 bignum > missing Business::ISBN > missing Business::ISBN::Data > 1.08 Data::Dump > 1.816_1 DB_File > 1.14 DBD::SQLite > 1.605 DBI > 1.15 Digest > 1.01 Digest::HMAC > 2.36_01 Digest::MD5 > 2.11 Digest::SHA1 > missing Encode::Detect > 0.17010 Error > 0.23 ExtUtils::CBuilder > 2.19 ExtUtils::ParseXS > 2.37 Getopt::Long > missing Inline > missing IO::String > 1.07 IO::Zlib > 2.23 IP::Country > missing Mail::ClamAV > 3.002005 Mail::SpamAssassin > missing Mail::SPF > 1.999001 Mail::SPF::Query > 0.280801 Module::Build > 0.20 Net::CIDR::Lite > 0.63 Net::DNS > missing Net::DNS::Resolver::Programmable > missing Net::LDAP > missing NetAddr::IP > missing Parse::RecDescent > missing SAVI > 2.64 Test::Harness > missing Test::Manifest > 2.0.0 Text::Balanced > 1.35 URI > 0.74 version > 0.66 YAML From ms-list at alexb.ch Sat Nov 22 22:02:57 2008 From: ms-list at alexb.ch (Alex Broens) Date: Sat Nov 22 22:01:13 2008 Subject: [Problem] "Other Bad Content Detected" - "Could not analyze message" In-Reply-To: References: Message-ID: <49288191.4090301@alexb.ch> On 11/22/2008 10:42 PM, 
Heinrich Christian Peters wrote: > Hello, > I have some problems with my MailScanner installation. After upgrading > to debian testing I get these error messages when receiving mails > generated by my Typo3 directmail plugin. > In debian testing I use the following versions: > mailscanner: 4.68.8-1 > exim4: 4.69-9 > > I tried to disable the external TNEF Expander, Dangerous Content > Scanning and some others - nothing helps. See the MailScanner -v output > below [2]. An example message you can find here [1]. > > Thanks for your help! This is not a MailScanner bug/issue. The latest Typo3 update has introduced a bug where there's a missing line between msg headers and content. This also causes fun issues with several other MTAs/Scanners. afaik, the bug has been reported. Suggest you watch the Typo3 forums. Alex From ms-list at alexb.ch Sat Nov 22 22:07:00 2008 From: ms-list at alexb.ch (Alex Broens) Date: Sat Nov 22 22:05:17 2008 Subject: [Problem] "Other Bad Content Detected" - "Could not analyze message" In-Reply-To: References: Message-ID: <49288284.3020606@alexb.ch> On 11/22/2008 10:42 PM, Heinrich Christian Peters wrote: > Hello, > I have some problems with my MailScanner installation. After upgrading > to debian testing I get these error messages when receiving mails > generated by my Typo3 directmail plugin. > In debian testing I use the following versions: > mailscanner: 4.68.8-1 > exim4: 4.69-9 > > I tried to disable the external TNEF Expander, Dangerous Content > Scanning and some others - nothing helps. See the MailScanner -v output > below [2]. An example message you can find here [1]. > Should have added: http://bugs.typo3.org/view.php?id=9523 Apparently this malformed Content-Type bug also affects 2 Windows mail servers and Amavis. Definitely a Typo3 issue.
Alex From Heinrich-Peters at nurfuerspam.de Sat Nov 22 22:58:36 2008 From: Heinrich-Peters at nurfuerspam.de (Heinrich Christian Peters) Date: Sat Nov 22 22:59:00 2008 Subject: [Problem] "Other Bad Content Detected" - "Could not analyze message" In-Reply-To: <49288284.3020606@alexb.ch> References: <49288284.3020606@alexb.ch> Message-ID: Hello Alex, On 22.11.2008 23:07, Alex Broens wrote: > On 11/22/2008 10:42 PM, Heinrich Christian Peters wrote: >> Hello, >> I have some problems with my MailScanner installation. After upgrading >> to debian testing I get these error messages when receiving mails >> generated by my Typo3 directmail plugin. >> In debian testing I use the following versions: >> mailscanner: 4.68.8-1 >> exim4: 4.69-9 >> >> I tried to disable the external TNEF Expander, Dangerous Content >> Scanning and some others - nothing helps. See the MailScanner -v output >> below [2]. An example message you can find here [1]. >> > > Should have added: > http://bugs.typo3.org/view.php?id=9523 > > Definitely a Typo3 issue. Thank you very much! For others with this problem: Here is the path for direct_mail: http://bugs.typo3.org/view.php?id=9605 Heiner From maillists at conactive.com Sun Nov 23 14:31:16 2008 From: maillists at conactive.com (Kai Schaetzl) Date: Sun Nov 23 14:31:32 2008 Subject: Local State Dir - /var/lib/spamassassin - SARE rules no hits In-Reply-To: <3DF8101092666E4A9020D949E419EB6F02B7BCAA@ensms02.iris.se> References: <910ee2ac0811201634se99a4daob2b8ff95088daf27@mail.gmail.com> <3DF8101092666E4A9020D949E419EB6F02B7BABF@ensms02.iris.se> <3DF8101092666E4A9020D949E419EB6F02B7BCAA@ensms02.iris.se> Message-ID: Daniel Flensburg wrote on Fri, 21 Nov 2008 16:10:48 +0100: > You have no idea what you did? I found this snippet: http://lists.mailscanner.info/pipermail/mailscanner/2008-April/083684.html so SpamAssassin Local State Dir = /var/lib/spamassassin should work for you. Double-check that and don't forget to restart MailScanner.
Btw, I just noticed that your start message doesn't thread correctly. Please, if you send a question to a mailing list, do *not* hit reply, the "new message" button is for that! Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From nwl002 at shsu.edu Mon Nov 24 02:20:21 2008 From: nwl002 at shsu.edu (Norman Laskie) Date: Mon Nov 24 02:20:38 2008 Subject: Quarantine Messages SpamAssassin Custom Rule Message-ID: <5751D1D7-89FF-4A80-A0E2-1D6D6839B6A2@shsu.edu> We have set up a custom SpamAssassin rule to hopefully block some of the incoming phishing attempts that we have been receiving in the past few months. Is it possible to quarantine messages that hit this particular SpamAssassin rule? Thanks, Norman From nwl002 at shsu.edu Mon Nov 24 05:35:25 2008 From: nwl002 at shsu.edu (Norman Laskie) Date: Mon Nov 24 05:35:42 2008 Subject: Quarantine Messages SpamAssassin Custom Rule In-Reply-To: <5751D1D7-89FF-4A80-A0E2-1D6D6839B6A2@shsu.edu> References: <5751D1D7-89FF-4A80-A0E2-1D6D6839B6A2@shsu.edu> Message-ID: <96029CFD-CA65-4536-8A30-8A15DA3B2243@shsu.edu> Found it after a little more digging.

# This next setting is very powerful. It allows you to adjust the list of
# actions taken on a message by adding or removing any action or actions,
# depending on what SpamAssassin rules it matched.
# It can be used to replace the functionality of MCP, but without the large
# processing overhead that involves.
#
# The setting consists of a comma-separated list of
# SA_RULENAME=>action,action,...
# pairs, where 'SA_RULENAME' is the name of any SpamAssassin rule (or
# meta-rule), and 'action' is the name of any of the actions listed above
# the 'Spam Actions' configuration setting or the word "not-" preceding any
# of the action names.
# Preceding the action name with "not-" as in "not-deliver" or "not-forward
# user@domain.com" will cause the action to be removed from the list of
# actions that would normally be taken on this message.
# You can specify a comma-separated list of actions if you need more than 1
# action per rule.
#
# Example: Setting this to
# SpamAssassin Rule Actions = FROM_BOSS_WIFE=>not-forward secretary@domain.com
# would result in mail from the boss's wife not being forwarded to the boss's
# secretary, which would be useful if the non-spam actions for the message
# included forwarding to the boss's secretary.
#
# You can also trigger actions on the spam score of the message. You can
# compare the spam score with a number and cause this to trigger an action.
# For example, instead of a SA_RULENAME you can specify
# SpamScore>number or SpamScore>=number or SpamScore==number or
# SpamScore25=>delete
# This would cause all messages with a total spam score of more than 25 to be
# deleted. You can use this to implement multiple levels of spam actions in
# addition to the normal spam actions and the high-scoring spam actions.
#
# Combining this with a ruleset makes it even more powerful, as different
# recipients and/or senders can have different sets of rules applied to them.
#
# This can also be the filename of a ruleset, in which case the filename
# must end in ".rule" or ".rules".
SpamAssassin Rule Actions =

On Nov 23, 2008, at 8:20 PM, Norman Laskie wrote: > We have set up a custom SpamAssassin rule to hopefully block some of > the incoming phishing attempts that we have been receiving in the past > few months. Is it possible to quarantine messages that hit this > particular SpamAssassin rule? > > Thanks, > Norman > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website!
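The "SA_RULENAME=>action,action,..." syntax quoted in the message above, worked through as an added Python example; it is not part of the original message and not MailScanner's own code. LOCAL_PHISH_RULE is a hypothetical custom rule name, "store" is MailScanner's quarantine action, and the evaluation is a simplified model of the add/remove behaviour the quoted comments describe.

```python
import re

# Score triggers in the forms shown in the quoted documentation: >, >= and ==.
SCORE_TRIGGER = re.compile(r"^SpamScore\s*(>=|==|>)\s*(-?\d+(?:\.\d+)?)$")
COMPARE = {
    ">": lambda score, n: score > n,
    ">=": lambda score, n: score >= n,
    "==": lambda score, n: score == n,
}

# Constructed sample value for "SpamAssassin Rule Actions".
# LOCAL_PHISH_RULE is a hypothetical rule name; FROM_BOSS_WIFE and the
# SpamScore trigger follow the examples in the quoted documentation.
SETTING = (
    "LOCAL_PHISH_RULE=>store,not-deliver, "
    "FROM_BOSS_WIFE=>not-forward secretary@domain.com, "
    "SpamScore>25=>delete"
)


def parse_rule_actions(setting):
    """Split the setting into [(trigger, [action, ...]), ...].

    Commas separate the pairs and also the actions inside one pair, so a
    token containing "=>" opens a new pair and a token without it is one
    more action for the pair that precedes it.
    """
    pairs = []
    for token in setting.split(","):
        token = token.strip()
        if not token:
            continue
        if "=>" in token:
            trigger, _, action = token.partition("=>")
            trigger, action = trigger.strip(), action.strip()
            if not trigger or not action:
                raise ValueError("incomplete pair: %r" % token)
            pairs.append((trigger, [action]))
        elif pairs:
            pairs[-1][1].append(token)
        else:
            raise ValueError("action %r has no trigger before it" % token)
    return pairs


def trigger_fires(trigger, rule_hits, score):
    """True if a rule-name trigger was hit or a SpamScore comparison holds."""
    match = SCORE_TRIGGER.match(trigger)
    if match:
        return COMPARE[match.group(1)](score, float(match.group(2)))
    return trigger in rule_hits


def adjust_actions(pairs, base_actions, rule_hits, score):
    """Apply every firing pair to the actions the message would normally get.

    A plain action is added; "not-X" removes action X. Matching is on the
    exact action text, a simplification made for this example.
    """
    actions = list(base_actions)
    for trigger, wanted in pairs:
        if not trigger_fires(trigger, rule_hits, score):
            continue
        for action in wanted:
            if action.startswith("not-"):
                removed = action[len("not-"):].strip()
                actions = [a for a in actions if a != removed]
            elif action not in actions:
                actions.append(action)
    return actions


if __name__ == "__main__":
    pairs = parse_rule_actions(SETTING)
    # A message that hit the custom phishing rule: quarantined, not delivered.
    print(adjust_actions(pairs, ["deliver"], {"LOCAL_PHISH_RULE"}, 3.2))
    # A high-scoring message that hit none of the named rules.
    print(adjust_actions(pairs, ["deliver"], set(), 31.0))
```

For the question asked in this thread, the first pair is the relevant one: a hit on the custom rule adds the quarantine action and removes delivery.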
From glenn.steen at gmail.com Mon Nov 24 09:40:33 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Nov 24 09:40:44 2008 Subject: Fwd: Mailscanner child freezes In-Reply-To: <49285727.9090806@ecs.soton.ac.uk> References: <491D88B5.4090804@life.illinois.edu> <223f97700811201453i3b2abf65u1ff09d8d50af2aaf@mail.gmail.com> <492601CA.40007@life.illinois.edu> <223f97700811210615y2f90b87cwcebad06052d9aa6e@mail.gmail.com> <223f97700811210705o42415763h154d4630ce084ae3@mail.gmail.com> <223f97700811210706k4a45724fscaf2a359f1806db0@mail.gmail.com> <223f97700811210710v21b69206mfa5dc3439ed8453e@mail.gmail.com> <223f97700811220158q1df9a358p7f99d732a288145e@mail.gmail.com> <49285727.9090806@ecs.soton.ac.uk> Message-ID: <223f97700811240140q7ef21280hef296bce40cc7cdf@mail.gmail.com> 2008/11/22 Julian Field : > Please try the attached (gzipped) Message.pm file. Just drop it into > /usr/lib/MailScanner/MailScanner/Message.pm if you are running the latest > version, and restart MailScanner. > I suppose you mean 4.73.x then, not 4.72.5? I get a few ... error messages: # MailScanner --debug In Debugging mode, not forking... Trying to setlogsock(unix) SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp auto-whitelist: open of auto-whitelist file failed: locker: safe_lock: cannot create lockfile /var/spool/spamassassin/auto-whitelist.mutex: Filen eller katalogen finns inte Building a message batch to scan... Have a batch of 1 message. max message size is '3600000' pyzor: check failed: internal error auto-whitelist: open of auto-whitelist file failed: locker: safe_lock: cannot create lockfile /var/spool/spamassassin/auto-whitelist.mutex: Filen eller katalogen finns inte Use of uninitialized value in numeric eq (==) at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 365. 
/bin/ls: :long_cacheid:: Filen eller katalogen finns inte /bin/ln: m??let "/known_spam/" ??r inte en katalog: Filen eller katalogen finns inte ls: /known_spam/: Filen eller katalogen finns inte ls: /empty/: Filen eller katalogen finns inte /bin/ls: :long_cacheid:: Filen eller katalogen finns inte /bin/ln: m??let "/known_spam/" ??r inte en katalog: Filen eller katalogen finns inte ls: /known_spam/: Filen eller katalogen finns inte ls: /empty/: Filen eller katalogen finns inte Stopping now as you are debugging me. [root@apmx06 ~]# Basically all complaints (in mangled UTF8 rendition of Swedish:-) about missing directories and such. Other than that, it worked perfectly;-). Cheers -- Glenn > On 22/11/08 09:58, Glenn Steen wrote: >> >> 2008/11/21 Scott Silva: >> >>> >>> on 11-21-2008 7:10 AM Glenn Steen spake the following: >>> >>>> >>>> Guys, >>>> >>>> I know my quoting style will drive you nuts, but ... please look at >>>> this. >>>> It's a heads up for 4.72.5, keep a lookout for children busy-looping >>>> while "cleaning messages". >>>> Hopefully Jules, or one of you, will have a solution ... really quick. >>>> >>>> Cheers >>>> -- Glenn >>>> >>>> >>> >>> Glenn, >>> If you have a sample of this available, I can run it through my sendmail >>> box >>> and see if it is only postfix related or deeper. >>> >>> >> >> The trouble is in Message.pm, so it probably affects all. You can >> easily create a testcase yourself: >> zip any file into an archive called "archive.zip" (or whatever you >> like:-), then zip "archive.zip" into a new zip file named >> "archive.zip"... then send it through .... Keep an eye on top and >> you'll see one MS child "get stuck" in "cleaning messages" eating >> close to 100% CPU. >> This bug only affect 4.72.5 (and later, from what it seems ... from >> reading the code), so all who run 4.71 are unaffected. >> >> Since this is easily and readily exploitable, I hesitated "going >> public" with this... 
I'm looking at finding a solution (it should be >> something simple, either safeguarding when constructing the hashes, or >> "loop-detecting" when travesing the "hash list"), but as always... >> Jules genius (and superior understanding of all nuances of the code) >> would likely find a simple solution to this in no time at all:-). >> >> I'd appreciate if you did do a test Scott. >> >> Cheers >> > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > PGP public key: http://www.jules.fm/julesfm.asc > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From telecaadmin at gmail.com Mon Nov 24 09:56:41 2008 From: telecaadmin at gmail.com (Ronny T. Lampert) Date: Mon Nov 24 09:59:47 2008 Subject: Big drop in SPAM volume? In-Reply-To: <00de01c94bc5$4a6d5710$696078c1@JCSPC> References: <00de01c94bc5$4a6d5710$696078c1@JCSPC> Message-ID: <492A7A59.9040407@gmail.com> > Hi, > > Is anybody else seeing a big drop off in SPAM volume over the last week > or so? or is it just me? I'm down to "more normal levels" on - total connections - RBL blocks (= 50% of total connections for last 3 hours) - "is spam" by MS (down by about 20%). No way in hell we should allow McColo to go live again. But then again it's only Monday morning so spammers might wake up later... Cheers. 
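For the "Mailscanner child freezes" thread above, where Glenn Steen names two possible fixes (safeguarding when the hashes are constructed, or loop detection when they are traversed), here is an added Python example of both; it is not the original posters' code and not MailScanner's Message.pm. It assumes the hashes map each unpacked file to its parent; `MAX_DEPTH` and all function names are made up for the example.

```python
import io
import zipfile

MAX_DEPTH = 8  # assumed nesting limit for this example; not a MailScanner setting


def constructed_sample():
    """Constructed input: archive.zip holding archive.zip holding note.txt."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("note.txt", "constructed sample text for the example")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("archive.zip", inner.getvalue())
    return "archive.zip", outer.getvalue()


def build_parent_map(name, data, unique_keys):
    """Map every unpacked file to its parent (None for the top-level attachment).

    unique_keys=False keys the map by bare file name, so a nested file that
    carries its parent's name overwrites the parent's entry and points at
    itself. unique_keys=True keys by the full path inside the archive, which
    is the "safeguard when constructing the hashes" option.
    """
    parents = {}

    def walk(name, data, parent_key, depth):
        if unique_keys:
            key = "%s/%s" % (parent_key or "", name)
        else:
            key = name
        parents[key] = parent_key
        if depth >= MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
            return
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                walk(member, zf.read(member), key, depth + 1)

    walk(name, data, None, 0)
    return parents


def top_level(parents, key):
    """Follow parent links to the top-level attachment, refusing to loop.

    Without the 'seen' set, a self-referencing entry keeps this walk
    spinning forever, which matches the 100% CPU symptom in the thread.
    """
    seen = set()
    while parents[key] is not None:
        if key in seen:
            raise ValueError("parent map loops at %r" % key)
        seen.add(key)
        key = parents[key]
    return key


if __name__ == "__main__":
    name, data = constructed_sample()
    by_name = build_parent_map(name, data, unique_keys=False)
    print(by_name)  # archive.zip is recorded as its own parent
    try:
        top_level(by_name, "note.txt")
    except ValueError as err:
        print("detected:", err)
    by_path = build_parent_map(name, data, unique_keys=True)
    print(top_level(by_path, "/archive.zip/archive.zip/note.txt"))
```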
From Daniel.Flensburg at iris.se Mon Nov 24 10:46:04 2008 From: Daniel.Flensburg at iris.se (Daniel Flensburg) Date: Mon Nov 24 10:49:31 2008 Subject: SV: Local State Dir - /var/lib/spamassassin - SARE rules no hits In-Reply-To: <72cf361e0811210447mcb8313bm1ce69fec6874a00f@mail.gmail.com> References: <910ee2ac0811201634se99a4daob2b8ff95088daf27@mail.gmail.com><3DF8101092666E4A9020D949E419EB6F02B7BABF@ensms02.iris.se> <72cf361e0811210447mcb8313bm1ce69fec6874a00f@mail.gmail.com> Message-ID: <3DF8101092666E4A9020D949E419EB6F02B9D3B4@ensms02.iris.se> Thank you for your reply! Tried blank setting as you suggested in the SpamAssassin Local State Dir = ...and I tried changing the owner of spamassassin dir and the files and folders beneath from root:root to postfix:postfix Still it's not working as I can see. Any more suggestions? /Daniel -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Martin Hepworth Sent: 21 November 2008 13:47 To: MailScanner discussion Subject: Re: Local State Dir - /var/lib/spamassassin - SARE rules no hits 2008/11/21 Daniel Flensburg : > Can someone please help me with a strange problem. I noticed that my > recently downloaded SARE-rules have no hits. I believe none of the rules > in the /var/lib/spamassassin work.
> > When running the command: > > spamassassin -D --lint > > I get the result (looks just right): > > [4446] dbg: config: using "/etc/spamassassin" for site rules pre files > [4446] dbg: config: read file /etc/spamassassin/init.pre > [4446] dbg: config: read file /etc/spamassassin/v310.pre > [4446] dbg: config: read file /etc/spamassassin/v312.pre > [4446] dbg: config: using "/var/lib/spamassassin/3.001004" for sys rules > pre files > [4446] dbg: config: read file > /var/lib/spamassassin/3.001004/saupdates_openprotect_com.pre > [4446] dbg: config: read file > /var/lib/spamassassin/3.001004/updates_spamassassin_org.pre > [4446] dbg: config: using "/var/lib/spamassassin/3.001004" for default > rules dir > ------------------- > > But when I run the command: > > /opt/MailScanner/bin/MailScanner --debug --debug-sa > > I get a different result (a bad one): > > [4329] dbg: config: using "/etc/mail/spamassassin" for site rules pre > files > [4329] dbg: config: read file /etc/mail/spamassassin/init.pre > [4329] dbg: config: read file /etc/mail/spamassassin/v310.pre > [4329] dbg: config: read file /etc/mail/spamassassin/v312.pre > [4329] dbg: config: using "/usr/share/spamassassin" for sys rules pre > files > [4329] dbg: config: using "/usr/share/spamassassin" for default rules > dir > > The setting in my /opt/MailScanner/etc/MailScanner.conf is: > > # The site-local rules are searched for here, and in > prefix/etc/spamassassin, > # prefix/etc/mail/spamassassin, /usr/local/etc/spamassassin, > /etc/spamassassin, > # /etc/mail/spamassassin, and maybe others. > # Be careful of setting this: it may mean the spam.assassin.prefs.conf > file > # is missed out, you will need to insert a soft-link with "ln -s" to > link > # the file into mailscanner.cf in the new directory. > # If this is set then it replaces the list of places that are searched; > # otherwise it has no effect. 
> #SpamAssassin Local Rules Dir = /opt/MailScanner/etc/mail/spamassassin > SpamAssassin Local Rules Dir = > > # The rules created by the "sa-update" tool are searched for here. > # This directory contains the 3.001001/updates_spamassassin_org > # directory structure beneath it. > # Only un-comment this setting once you have proved that the sa-update > # cron job has run successfully and has created a directory structure > under > # the spamassassin directory within this one and has put some *.cf files > in > # there. Otherwise it will ignore all your current rules! > # The default location may be /var/opt on Solaris systems. > SpamAssassin Local State Dir = # /var/lib/spamassassin > > # The default rules are searched for here, and in > prefix/share/spamassassin, > # /usr/local/share/spamassassin, /usr/share/spamassassin, and maybe > others. > # If this is set then it adds to the list of places that are searched; > # otherwise it has no effect. > #SpamAssassin Default Rules Dir = /opt/MailScanner/share/spamassassin > SpamAssassin Default Rules Dir = > ------------ > I tried to remove the # in the line below but the result is the same: > SpamAssassin Local State Dir = # /var/lib/spamassassin > > What have I missed? > > I have a rather old version of SA 3.1.4 - but I do not want to upgrade > until I have a backup MS server running, unless an upgrade is the fix > for this strange behavior. > > > /Daniel > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > Daniel try making the "SpamAssassin Local State Dir" blank .. SpamAssassin Local State Dir = depending on how you've installed the SARE rules you should either be in /var/lib/spamassassin/3.001004 or /etc/mail/spamassassin. 
another thing..check the user mailscanner runs as can access the SA rules in "/var/lib/spamassassin/3.001004" (file permissions). -- Martin Hepworth Oxford, UK -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From Daniel.Flensburg at iris.se Mon Nov 24 10:56:12 2008 From: Daniel.Flensburg at iris.se (Daniel Flensburg) Date: Mon Nov 24 10:59:37 2008 Subject: SV: Local State Dir - /var/lib/spamassassin - SARE rules no hits In-Reply-To: References: <910ee2ac0811201634se99a4daob2b8ff95088daf27@mail.gmail.com><3DF8101092666E4A9020D949E419EB6F02B7BABF@ensms02.iris.se><3DF8101092666E4A9020D949E419EB6F02B7BCAA@ensms02.iris.se> Message-ID: <3DF8101092666E4A9020D949E419EB6F02B9D3C8@ensms02.iris.se> Hi Kai! Sorry about the reply button, I think you are right. I tried the setting below and restarted the server. I cannot see any SARE hits yet. I'm pretty sure it's not working. (tried to send text that another working server gets SARE hits on outgoing tests, no hits on "my" side) What is the best way to test if rules in /var/lib/spamassassin are working correctly? Why do the two commands below give different results? spamassassin -D --lint /opt/MailScanner/bin/MailScanner --debug --debug-sa Regards, /Daniel -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Kai Schaetzl Sent: 23 November 2008 15:31 To: mailscanner@lists.mailscanner.info Subject: Re: Local State Dir - /var/lib/spamassassin - SARE rules no hits Daniel Flensburg wrote on Fri, 21 Nov 2008 16:10:48 +0100: > You have no idea what you did? I found this snippet: http://lists.mailscanner.info/pipermail/mailscanner/2008-April/083684.html so SpamAssassin Local State Dir = /var/lib/spamassassin should work for you.
Double-check that and don't forget to restart MailScanner. Btw, I just notice that your start message doesn't thread correctly. Please, if you send a question to a mailing list, do *not* hit reply, the "new message" button is for that! Kai -- Kai Sch?tzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From J.Ede at birchenallhowden.co.uk Mon Nov 24 11:37:22 2008 From: J.Ede at birchenallhowden.co.uk (Jason Ede) Date: Mon Nov 24 11:37:51 2008 Subject: Local State Dir - /var/lib/spamassassin - SARE rules no hits In-Reply-To: <3DF8101092666E4A9020D949E419EB6F02B9D3C8@ensms02.iris.se> References: <910ee2ac0811201634se99a4daob2b8ff95088daf27@mail.gmail.com><3DF8101092666E4A9020D949E419EB6F02B7BABF@ensms02.iris.se><3DF8101092666E4A9020D949E419EB6F02B7BCAA@ensms02.iris.se> <3DF8101092666E4A9020D949E419EB6F02B9D3C8@ensms02.iris.se> Message-ID: <4CAB0118AEC63A4FAAE77E6BCBDF760C7952018D86@server02.bhl.local> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Daniel Flensburg > Sent: 24 November 2008 10:56 > To: MailScanner discussion > Subject: SV: Local State Dir - /var/lib/spamassassin - SARE rules no > hits > > Hi Kai! > > Sorry about the reply button, I think you are right. > > I tried the setting below and restarted the server. I cannot see any > SARE hits yet. > I'm pretty sure it's not working. (tried to send text that another > working server get SARE hits on outgoing tests, no hits on "my"side) > > What is the best way to test if rules in /var/lib/spamassassin are > working correctly? > > Why does the two commands below give different results? 
> > spamassassin -D --lint Try spamassassin -D --lint -p / On my system its spamassassin -D --lint -p /etc/MailScanner/spam.assassin.prefs.conf Jason > > /opt/MailScanner/bin/MailScanner --debug --debug-sa > > Regards, > > /Daniel > > -----Ursprungligt meddelande----- > Fr?n: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] F?r Kai Schaetzl > Skickat: den 23 november 2008 15:31 > Till: mailscanner@lists.mailscanner.info > ?mne: Re: Local State Dir - /var/lib/spamassassin - SARE rules no hits > > Daniel Flensburg wrote on Fri, 21 Nov 2008 16:10:48 +0100: > > > You have no idea what you did? > > I found this snippet: > http://lists.mailscanner.info/pipermail/mailscanner/2008- > April/083684.html > > so > > SpamAssassin Local State Dir = /var/lib/spamassassin > > should work for you. Double-check that and don't forget to restart > MailScanner. > > Btw, I just notice that your start message doesn't thread correctly. > Please, if you send a question to a mailing list, do *not* hit reply, > the > "new message" button is for that! > > Kai > > -- > Kai Sch?tzl, Berlin, Germany > Get your web at Conactive Internet Services: http://www.conactive.com > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
From maxsec at gmail.com Mon Nov 24 12:25:19 2008 From: maxsec at gmail.com (Martin Hepworth) Date: Mon Nov 24 12:25:27 2008 Subject: Local State Dir - /var/lib/spamassassin - SARE rules no hits In-Reply-To: <4CAB0118AEC63A4FAAE77E6BCBDF760C7952018D86@server02.bhl.local> References: <910ee2ac0811201634se99a4daob2b8ff95088daf27@mail.gmail.com> <3DF8101092666E4A9020D949E419EB6F02B7BABF@ensms02.iris.se> <3DF8101092666E4A9020D949E419EB6F02B7BCAA@ensms02.iris.se> <3DF8101092666E4A9020D949E419EB6F02B9D3C8@ensms02.iris.se> <4CAB0118AEC63A4FAAE77E6BCBDF760C7952018D86@server02.bhl.local> Message-ID: <72cf361e0811240425i427cd85p28ea81ec884dbcca@mail.gmail.com> 2008/11/24 Jason Ede : >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of Daniel Flensburg >> Sent: 24 November 2008 10:56 >> To: MailScanner discussion >> Subject: SV: Local State Dir - /var/lib/spamassassin - SARE rules no >> hits >> >> Hi Kai! >> >> Sorry about the reply button, I think you are right. >> >> I tried the setting below and restarted the server. I cannot see any >> SARE hits yet. >> I'm pretty sure it's not working. (tried to send text that another >> working server get SARE hits on outgoing tests, no hits on "my"side) >> >> What is the best way to test if rules in /var/lib/spamassassin are >> working correctly? >> >> Why does the two commands below give different results? 
>> >> spamassassin -D --lint > > Try spamassassin -D --lint -p / > > On my system it's spamassassin -D --lint -p /etc/MailScanner/spam.assassin.prefs.conf > > Jason > >> >> /opt/MailScanner/bin/MailScanner --debug --debug-sa >> >> Regards, >> >> /Daniel >> >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Kai Schaetzl >> Sent: 23 November 2008 15:31 >> To: mailscanner@lists.mailscanner.info >> Subject: Re: Local State Dir - /var/lib/spamassassin - SARE rules no hits >> >> Daniel Flensburg wrote on Fri, 21 Nov 2008 16:10:48 +0100: >> >> > You have no idea what you did? >> >> I found this snippet: >> http://lists.mailscanner.info/pipermail/mailscanner/2008-April/083684.html >> >> so >> >> SpamAssassin Local State Dir = /var/lib/spamassassin >> >> should work for you. Double-check that and don't forget to restart >> MailScanner. >> >> Btw, I just notice that your start message doesn't thread correctly. >> Please, if you send a question to a mailing list, do *not* hit reply, >> the >> "new message" button is for that!
>> >> Kai >> >> -- >> Kai Schätzl, Berlin, Germany >> Get your web at Conactive Internet Services: http://www.conactive.com /etc/mail/spamassassin/mailscanner.cf should be a symlink to spam.assassin.prefs.conf (wherever it is on your system) so spamassassin -D --lint -p /etc/MailScanner/spam.assassin.prefs.conf should make no difference at all -- Martin Hepworth Oxford, UK From Daniel.Flensburg at iris.se Mon Nov 24 12:34:28 2008 From: Daniel.Flensburg at iris.se (Daniel Flensburg) Date: Mon Nov 24 12:37:56 2008 Subject: SV: Local State Dir - /var/lib/spamassassin - SARE rules no hits In-Reply-To: <4CAB0118AEC63A4FAAE77E6BCBDF760C7952018D86@server02.bhl.local> References: <910ee2ac0811201634se99a4daob2b8ff95088daf27@mail.gmail.com><3DF8101092666E4A9020D949E419EB6F02B7BABF@ensms02.iris.se><3DF8101092666E4A9020D949E419EB6F02B7BCAA@ensms02.iris.se><3DF8101092666E4A9020D949E419EB6F02B9D3C8@ensms02.iris.se> <4CAB0118AEC63A4FAAE77E6BCBDF760C7952018D86@server02.bhl.local> Message-ID: <3DF8101092666E4A9020D949E419EB6F02B9D459@ensms02.iris.se> Thanks for the reply Jason! But... spamassassin -D --lint -p /opt/MailScanner/etc/spam.assassin.prefs.conf gives me the impression the SARE-rules are working, but still no SARE-hits, why?: [...]
[5284] dbg: config: read file /etc/spamassassin/init.pre [5284] dbg: config: read file /etc/spamassassin/v310.pre [5284] dbg: config: read file /etc/spamassassin/v312.pre [5284] dbg: config: using "/var/lib/spamassassin/3.001004" for sys rules pre files [5284] dbg: config: read file /var/lib/spamassassin/3.001004/saupdates_openprotect_com.pre [5284] dbg: config: read file /var/lib/spamassassin/3.001004/updates_spamassassin_org.pre [5284] dbg: config: using "/var/lib/spamassassin/3.001004" for default rules dir [5284] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_adult_cf_sare_sa-update_dostech_net.cf [5284] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_bayes_poison_nxm_cf_sare_sa-update_dostech_net.cf [5284] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_evilnum0_cf_sare_sa-update_dostech_net.cf [5284] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_genlsubj0_cf_sare_sa-update_dostech_net.cf [5284] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_genlsubj1_cf_sare_sa-update_dostech_net.cf [5284] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_genlsubj2_cf_sare_sa-update_dostech_net.cf [5284] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_header_cf_sare_sa-update_dostech_net.cf [5284] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_html_cf_sare_sa-update_dostech_net.cf [5284] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_obfu_cf_sare_sa-update_dostech_net.cf [5284] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_oem_cf_sare_sa-update_dostech_net.cf [...] ...and: [...] 
[5547] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001004/updates_spamassassin_org/empty.pre [5547] dbg: config: using "/var/lib/spamassassin/3.001004/updates_spamassassin_org/empty.pre" for included file [5547] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001004/70_sare_adult_cf_sare_sa-update_dostech_net/200705210700.cf [5547] dbg: config: using "/var/lib/spamassassin/3.001004/70_sare_adult_cf_sare_sa-update_dostech_net/200705210700.cf" for included file [5547] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_adult_cf_sare_sa-update_dostech_net/200705210700.cf [5547] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001004/70_sare_bayes_poison_nxm_cf_sare_sa-update_dostech_net/200506020000.cf [5547] dbg: config: using "/var/lib/spamassassin/3.001004/70_sare_bayes_poison_nxm_cf_sare_sa-update_dostech_net/200506020000.cf" for included file [5547] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_bayes_poison_nxm_cf_sare_sa-update_dostech_net/200506020000.cf [...] /Daniel -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jason Ede Sent: 24 November 2008 12:37 To: MailScanner discussion Subject: RE: Local State Dir - /var/lib/spamassassin - SARE rules no hits > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Daniel Flensburg > Sent: 24 November 2008 10:56 > To: MailScanner discussion > Subject: SV: Local State Dir - /var/lib/spamassassin - SARE rules no > hits > > Hi Kai! > > Sorry about the reply button, I think you are right. > > I tried the setting below and restarted the server. I cannot see any > SARE hits yet. > I'm pretty sure it's not working.
(tried to send text that another > working server get SARE hits on outgoing tests, no hits on "my"side) > > What is the best way to test if rules in /var/lib/spamassassin are > working correctly? > > Why does the two commands below give different results? > > spamassassin -D --lint Try spamassassin -D --lint -p / On my system it's spamassassin -D --lint -p /etc/MailScanner/spam.assassin.prefs.conf Jason > > /opt/MailScanner/bin/MailScanner --debug --debug-sa > > Regards, > > /Daniel > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Kai Schaetzl > Sent: 23 November 2008 15:31 > To: mailscanner@lists.mailscanner.info > Subject: Re: Local State Dir - /var/lib/spamassassin - SARE rules no hits > > Daniel Flensburg wrote on Fri, 21 Nov 2008 16:10:48 +0100: > > > You have no idea what you did? > > I found this snippet: > http://lists.mailscanner.info/pipermail/mailscanner/2008-April/083684.html > > so > > SpamAssassin Local State Dir = /var/lib/spamassassin > > should work for you. Double-check that and don't forget to restart > MailScanner. > > Btw, I just notice that your start message doesn't thread correctly. > Please, if you send a question to a mailing list, do *not* hit reply, > the > "new message" button is for that! > > Kai > > -- > Kai Schätzl, Berlin, Germany > Get your web at Conactive Internet Services: http://www.conactive.com
From maxsec at gmail.com Mon Nov 24 13:00:56 2008 From: maxsec at gmail.com (Martin Hepworth) Date: Mon Nov 24 13:01:06 2008 Subject: Local State Dir - /var/lib/spamassassin - SARE rules no hits In-Reply-To: <3DF8101092666E4A9020D949E419EB6F02B9D459@ensms02.iris.se> References: <910ee2ac0811201634se99a4daob2b8ff95088daf27@mail.gmail.com> <3DF8101092666E4A9020D949E419EB6F02B7BABF@ensms02.iris.se> <3DF8101092666E4A9020D949E419EB6F02B7BCAA@ensms02.iris.se> <3DF8101092666E4A9020D949E419EB6F02B9D3C8@ensms02.iris.se> <4CAB0118AEC63A4FAAE77E6BCBDF760C7952018D86@server02.bhl.local> <3DF8101092666E4A9020D949E419EB6F02B9D459@ensms02.iris.se> Message-ID: <72cf361e0811240500k385530e5y3c830abc0cd5736e@mail.gmail.com> 2008/11/24 Daniel Flensburg : > Thanks for the reply Jason! > > But... > > spamassassin -D --lint -p /opt/MailScanner/etc/spam.assassin.prefs.conf > > gives me the impression the SARE-rules are working, but still no SARE-hits, why?: > > > [...]
> [5284] dbg: config: read file /etc/spamassassin/init.pre > [5284] dbg: config: read file /etc/spamassassin/v310.pre > [5284] dbg: config: read file /etc/spamassassin/v312.pre > [5284] dbg: config: using "/var/lib/spamassassin/3.001004" for sys rules pre files > [5284] dbg: config: read file /var/lib/spamassassin/3.001004/saupdates_openprotect_com.pre > [5284] dbg: config: read file /var/lib/spamassassin/3.001004/updates_spamassassin_org.pre > [5284] dbg: config: using "/var/lib/spamassassin/3.001004" for default rules dir > [5284] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_adult_cf_sare_sa-update_dostech_net.cf > [5284] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_bayes_poison_nxm_cf_sare_sa-update_dostech_net.cf > [5284] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_evilnum0_cf_sare_sa-update_dostech_net.cf > [5284] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_genlsubj0_cf_sare_sa-update_dostech_net.cf > [5284] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_genlsubj1_cf_sare_sa-update_dostech_net.cf > [5284] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_genlsubj2_cf_sare_sa-update_dostech_net.cf > [5284] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_header_cf_sare_sa-update_dostech_net.cf > [5284] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_html_cf_sare_sa-update_dostech_net.cf > [5284] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_obfu_cf_sare_sa-update_dostech_net.cf > [5284] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_oem_cf_sare_sa-update_dostech_net.cf > [...] > > ...and: > > [...] 
> [5547] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001004/updates_spamassassin_org/empty.pre > [5547] dbg: config: using "/var/lib/spamassassin/3.001004/updates_spamassassin_org/empty.pre" for included file > [5547] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001004/70_sare_adult_cf_sare_sa-update_dostech_net/200705210700.cf > [5547] dbg: config: using "/var/lib/spamassassin/3.001004/70_sare_adult_cf_sare_sa-update_dostech_net/200705210700.cf" for included file > [5547] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_adult_cf_sare_sa-update_dostech_net/200705210700.cf > [5547] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001004/70_sare_bayes_poison_nxm_cf_sare_sa-update_dostech_net/200506020000.cf > [5547] dbg: config: using "/var/lib/spamassassin/3.001004/70_sare_bayes_poison_nxm_cf_sare_sa-update_dostech_net/200506020000.cf" for included file > [5547] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_bayes_poison_nxm_cf_sare_sa-update_dostech_net/200506020000.cf > [...] > > /Daniel > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jason Ede > Sent: 24 November 2008 12:37 > To: MailScanner discussion > Subject: RE: Local State Dir - /var/lib/spamassassin - SARE rules no hits > >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Daniel Flensburg >> Sent: 24 November 2008 10:56 >> To: MailScanner discussion >> Subject: SV: Local State Dir - /var/lib/spamassassin - SARE rules no >> hits >> >> Hi Kai! >> >> Sorry about the reply button, I think you are right. >> >> I tried the setting below and restarted the server. I cannot see any >> SARE hits yet. >> I'm pretty sure it's not working.
(tried to send text that another >> working server get SARE hits on outgoing tests, no hits on "my"side) >> >> What is the best way to test if rules in /var/lib/spamassassin are >> working correctly? >> >> Why does the two commands below give different results? >> >> spamassassin -D --lint > > Try spamassassin -D --lint -p / > > On my system it's spamassassin -D --lint -p /etc/MailScanner/spam.assassin.prefs.conf > > Jason > >> >> /opt/MailScanner/bin/MailScanner --debug --debug-sa >> >> Regards, >> >> /Daniel >> >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Kai Schaetzl >> Sent: 23 November 2008 15:31 >> To: mailscanner@lists.mailscanner.info >> Subject: Re: Local State Dir - /var/lib/spamassassin - SARE rules no hits >> >> Daniel Flensburg wrote on Fri, 21 Nov 2008 16:10:48 +0100: >> >> > You have no idea what you did? >> >> I found this snippet: >> http://lists.mailscanner.info/pipermail/mailscanner/2008-April/083684.html >> >> so >> >> SpamAssassin Local State Dir = /var/lib/spamassassin >> >> should work for you. Double-check that and don't forget to restart >> MailScanner. >> >> Btw, I just notice that your start message doesn't thread correctly. >> Please, if you send a question to a mailing list, do *not* hit reply, >> the >> "new message" button is for that! >> >> Kai >> >> -- >> Kai Schätzl, Berlin, Germany >> Get your web at Conactive Internet Services: http://www.conactive.com >> >> >> > Daniel How are you checking for hits against the SARE set and whereabouts are they installed to?
-- Martin Hepworth Oxford, UK From Daniel.Flensburg at iris.se Mon Nov 24 13:19:39 2008 From: Daniel.Flensburg at iris.se (Daniel Flensburg) Date: Mon Nov 24 13:23:05 2008 Subject: SV: Local State Dir - /var/lib/spamassassin - SARE rules no hits In-Reply-To: <72cf361e0811240500k385530e5y3c830abc0cd5736e@mail.gmail.com> References: <910ee2ac0811201634se99a4daob2b8ff95088daf27@mail.gmail.com><3DF8101092666E4A9020D949E419EB6F02B7BABF@ensms02.iris.se><3DF8101092666E4A9020D949E419EB6F02B7BCAA@ensms02.iris.se><3DF8101092666E4A9020D949E419EB6F02B9D3C8@ensms02.iris.se><4CAB0118AEC63A4FAAE77E6BCBDF760C7952018D86@server02.bhl.local><3DF8101092666E4A9020D949E419EB6F02B9D459@ensms02.iris.se> <72cf361e0811240500k385530e5y3c830abc0cd5736e@mail.gmail.com> Message-ID: <3DF8101092666E4A9020D949E419EB6F02B9D4F0@ensms02.iris.se> I check with MailWatch, either in MessageDetail on the specific message or Reports > "SA Rule Hits" for a complete list of the rule hits: Rule - Description - Total - Ham - % - Spam - % The SARE-rules are in /var/lib/spamassassin/3.001004/saupdates_openprotect_com and, as a test I ran another sa-update script that put each ruleset in a subfolder of /var/lib/spamassassin/3.001004 /var/lib/spamassassin/3.001004 look like this: drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_adult_cf_sare_sa-update_dostech_net -rw-r--r-- 1 postfix postfix 98 2008-11-17 11:09 70_sare_adult_cf_sare_sa-update_dostech_net.cf drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_bayes_poison_nxm_cf_sare_sa-update_dostech_net -rw-r--r-- 1 postfix postfix 109 2008-11-17 11:09 70_sare_bayes_poison_nxm_cf_sare_sa-update_dostech_net.cf drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_evilnum0_cf_sare_sa-update_dostech_net -rw-r--r-- 1 postfix postfix 101 2008-11-17 11:09 70_sare_evilnum0_cf_sare_sa-update_dostech_net.cf drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_genlsubj0_cf_sare_sa-update_dostech_net -rw-r--r-- 1 postfix postfix 102 2008-11-17 
11:09 70_sare_genlsubj0_cf_sare_sa-update_dostech_net.cf drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_genlsubj1_cf_sare_sa-update_dostech_net -rw-r--r-- 1 postfix postfix 102 2008-11-17 11:09 70_sare_genlsubj1_cf_sare_sa-update_dostech_net.cf drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_genlsubj2_cf_sare_sa-update_dostech_net -rw-r--r-- 1 postfix postfix 102 2008-11-17 11:09 70_sare_genlsubj2_cf_sare_sa-update_dostech_net.cf drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_header_cf_sare_sa-update_dostech_net -rw-r--r-- 1 postfix postfix 99 2008-11-17 11:09 70_sare_header_cf_sare_sa-update_dostech_net.cf drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_html_cf_sare_sa-update_dostech_net -rw-r--r-- 1 postfix postfix 97 2008-11-17 11:09 70_sare_html_cf_sare_sa-update_dostech_net.cf drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_obfu_cf_sare_sa-update_dostech_net -rw-r--r-- 1 postfix postfix 97 2008-11-17 11:09 70_sare_obfu_cf_sare_sa-update_dostech_net.cf drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_oem_cf_sare_sa-update_dostech_net -rw-r--r-- 1 postfix postfix 96 2008-11-17 11:09 70_sare_oem_cf_sare_sa-update_dostech_net.cf drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_random_cf_sare_sa-update_dostech_net -rw-r--r-- 1 postfix postfix 99 2008-11-17 11:09 70_sare_random_cf_sare_sa-update_dostech_net.cf drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_specific_cf_sare_sa-update_dostech_net -rw-r--r-- 1 postfix postfix 101 2008-11-17 11:09 70_sare_specific_cf_sare_sa-update_dostech_net.cf drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_spoof_cf_sare_sa-update_dostech_net -rw-r--r-- 1 postfix postfix 98 2008-11-17 11:09 70_sare_spoof_cf_sare_sa-update_dostech_net.cf drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_stocks_cf_sare_sa-update_dostech_net -rw-r--r-- 1 postfix postfix 99 2008-11-17 11:09 70_sare_stocks_cf_sare_sa-update_dostech_net.cf 
drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_unsub_cf_sare_sa-update_dostech_net -rw-r--r-- 1 postfix postfix 98 2008-11-17 11:09 70_sare_unsub_cf_sare_sa-update_dostech_net.cf drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_uri0_cf_sare_sa-update_dostech_net -rw-r--r-- 1 postfix postfix 97 2008-11-17 11:09 70_sare_uri0_cf_sare_sa-update_dostech_net.cf drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_uri1_cf_sare_sa-update_dostech_net -rw-r--r-- 1 postfix postfix 97 2008-11-17 11:09 70_sare_uri1_cf_sare_sa-update_dostech_net.cf drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_uri2_cf_sare_sa-update_dostech_net -rw-r--r-- 1 postfix postfix 97 2008-11-17 11:09 70_sare_uri2_cf_sare_sa-update_dostech_net.cf drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_whitelist_rcvd_cf_sare_sa-update_dostech_net -rw-r--r-- 1 postfix postfix 107 2008-11-17 11:09 70_sare_whitelist_rcvd_cf_sare_sa-update_dostech_net.cf drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:10 70_sare_whitelist_spf_cf_sare_sa-update_dostech_net -rw-r--r-- 1 postfix postfix 106 2008-11-17 11:10 70_sare_whitelist_spf_cf_sare_sa-update_dostech_net.cf drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:10 72_sare_bml_post25x_cf_sare_sa-update_dostech_net -rw-r--r-- 1 postfix postfix 104 2008-11-17 11:10 72_sare_bml_post25x_cf_sare_sa-update_dostech_net.cf drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:10 72_sare_redirect_post3_0_0_cf_sare_sa-update_dostech_net -rw-r--r-- 1 postfix postfix 111 2008-11-17 11:10 72_sare_redirect_post3_0_0_cf_sare_sa-update_dostech_net.cf drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:10 99_fvgt_tripwire_cf_sare_sa-update_dostech_net -rw-r--r-- 1 postfix postfix 101 2008-11-17 11:10 99_fvgt_tripwire_cf_sare_sa-update_dostech_net.cf drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:10 99_sare_fraud_post25x_cf_sare_sa-update_dostech_net -rw-r--r-- 1 postfix postfix 106 2008-11-17 11:10 
99_sare_fraud_post25x_cf_sare_sa-update_dostech_net.cf drwxr-xr-x 2 postfix postfix 1024 2008-10-07 08:45 saupdates_openprotect_com -rw-r--r-- 1 postfix postfix 1695 2008-10-07 08:45 saupdates_openprotect_com.cf -rw-r--r-- 1 postfix postfix 50 2008-10-07 08:45 saupdates_openprotect_com.pre drwxr-xr-x 2 postfix postfix 1024 2008-11-20 12:58 sought_rules_yerp_org -rw-r--r-- 1 postfix postfix 119 2008-11-20 12:58 sought_rules_yerp_org.cf -rw-r--r-- 1 postfix postfix 1335 2008-10-15 14:52 sought.txt drwxr-xr-x 2 postfix postfix 2048 2008-10-06 15:20 updates_spamassassin_org -rw-r--r-- 1 postfix postfix 2200 2008-10-06 15:20 updates_spamassassin_org.cf -rw-r--r-- 1 postfix postfix 43 2008-10-06 15:20 updates_spamassassin_org.pre The owner of the files used to be root:root but I changed this recently for testing purposes. /Daniel -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Martin Hepworth Sent: 24 November 2008 14:01 To: MailScanner discussion Subject: Re: Local State Dir - /var/lib/spamassassin - SARE rules no hits 2008/11/24 Daniel Flensburg : > Thanks for the reply Jason! > > But... > > spamassassin -D --lint -p /opt/MailScanner/etc/spam.assassin.prefs.conf > > gives me the impression the SARE-rules are working, but still no SARE-hits, why?: > > > [...]
> [5284] dbg: config: read file /etc/spamassassin/init.pre > [5284] dbg: config: read file /etc/spamassassin/v310.pre > [5284] dbg: config: read file /etc/spamassassin/v312.pre > [5284] dbg: config: using "/var/lib/spamassassin/3.001004" for sys rules pre files > [5284] dbg: config: read file /var/lib/spamassassin/3.001004/saupdates_openprotect_com.pre > [5284] dbg: config: read file /var/lib/spamassassin/3.001004/updates_spamassassin_org.pre > [5284] dbg: config: using "/var/lib/spamassassin/3.001004" for default rules dir > [5284] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_adult_cf_sare_sa-update_dostech_net.cf > [5284] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_bayes_poison_nxm_cf_sare_sa-update_dostech_net.cf > [5284] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_evilnum0_cf_sare_sa-update_dostech_net.cf > [5284] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_genlsubj0_cf_sare_sa-update_dostech_net.cf > [5284] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_genlsubj1_cf_sare_sa-update_dostech_net.cf > [5284] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_genlsubj2_cf_sare_sa-update_dostech_net.cf > [5284] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_header_cf_sare_sa-update_dostech_net.cf > [5284] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_html_cf_sare_sa-update_dostech_net.cf > [5284] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_obfu_cf_sare_sa-update_dostech_net.cf > [5284] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_oem_cf_sare_sa-update_dostech_net.cf > [...] > > ...and: > > [...] 
> [5547] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001004/updates_spamassassin_org/empty.pre > [5547] dbg: config: using "/var/lib/spamassassin/3.001004/updates_spamassassin_org/empty.pre" for included file > [5547] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001004/70_sare_adult_cf_sare_sa-update_dostech_net/200705210700.cf > [5547] dbg: config: using "/var/lib/spamassassin/3.001004/70_sare_adult_cf_sare_sa-update_dostech_net/200705210700.cf" for included file > [5547] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_adult_cf_sare_sa-update_dostech_net/200705210700.cf > [5547] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001004/70_sare_bayes_poison_nxm_cf_sare_sa-update_dostech_net/200506020000.cf > [5547] dbg: config: using "/var/lib/spamassassin/3.001004/70_sare_bayes_poison_nxm_cf_sare_sa-update_dostech_net/200506020000.cf" for included file > [5547] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_bayes_poison_nxm_cf_sare_sa-update_dostech_net/200506020000.cf > [...] > > /Daniel > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jason Ede > Sent: 24 November 2008 12:37 > To: MailScanner discussion > Subject: RE: Local State Dir - /var/lib/spamassassin - SARE rules no hits > >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Daniel Flensburg >> Sent: 24 November 2008 10:56 >> To: MailScanner discussion >> Subject: SV: Local State Dir - /var/lib/spamassassin - SARE rules no >> hits >> >> Hi Kai! >> >> Sorry about the reply button, I think you are right. >> >> I tried the setting below and restarted the server. I cannot see any >> SARE hits yet. >> I'm pretty sure it's not working.
(tried to send text that another >> working server get SARE hits on outgoing tests, no hits on "my"side) >> >> What is the best way to test if rules in /var/lib/spamassassin are >> working correctly? >> >> Why does the two commands below give different results? >> >> spamassassin -D --lint > > Try spamassassin -D --lint -p / > > On my system it's spamassassin -D --lint -p /etc/MailScanner/spam.assassin.prefs.conf > > Jason > >> >> /opt/MailScanner/bin/MailScanner --debug --debug-sa >> >> Regards, >> >> /Daniel >> >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Kai Schaetzl >> Sent: 23 November 2008 15:31 >> To: mailscanner@lists.mailscanner.info >> Subject: Re: Local State Dir - /var/lib/spamassassin - SARE rules no hits >> >> Daniel Flensburg wrote on Fri, 21 Nov 2008 16:10:48 +0100: >> >> > You have no idea what you did? >> >> I found this snippet: >> http://lists.mailscanner.info/pipermail/mailscanner/2008-April/083684.html >> >> so >> >> SpamAssassin Local State Dir = /var/lib/spamassassin >> >> should work for you. Double-check that and don't forget to restart >> MailScanner. >> >> Btw, I just notice that your start message doesn't thread correctly. >> Please, if you send a question to a mailing list, do *not* hit reply, >> the >> "new message" button is for that! >> >> Kai >> >> -- >> Kai Schätzl, Berlin, Germany >> Get your web at Conactive Internet Services: http://www.conactive.com >> >> >> > Daniel How are you checking for hits against the SARE set and whereabouts are they installed to? -- Martin Hepworth Oxford, UK
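The check asked about in this thread (which rule files under the state dir were actually read, and why two debug runs differ), as an added example that is not part of any poster's message or of MailScanner or SpamAssassin. It parses the `dbg: config:` lines in the form quoted above; the function names and both sample captures are constructed, and it assumes both runs emit SpamAssassin's debug lines in that form.

```python
import re

# Line shapes taken from the SpamAssassin debug output quoted in the thread.
READ_RE = re.compile(r'dbg: config: read file (\S+)')
RULES_DIR_RE = re.compile(r'dbg: config: using "([^"]+)" for default rules dir')

# Constructed sample captures (not output from the poster's server).
LINT_SAMPLE = """\
[1001] dbg: config: read file /etc/spamassassin/init.pre
[1001] dbg: config: using "/var/lib/spamassassin/3.001004" for default rules dir
[1001] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_adult_cf_sare_sa-update_dostech_net.cf
[1001] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_adult_cf_sare_sa-update_dostech_net/200705210700.cf
[1001] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_oem_cf_sare_sa-update_dostech_net.cf
[1001] dbg: config: read file /var/lib/spamassassin/3.001004/updates_spamassassin_org.cf
[1001] dbg: config: read file /var/lib/spamassassin/3.001004/updates_spamassassin_org/20_example.cf
"""

# Constructed second capture: a run that used a different rules directory.
SCANNER_SAMPLE = """\
[1002] dbg: config: using "/usr/share/spamassassin" for default rules dir
[1002] dbg: config: read file /usr/share/spamassassin/20_example.cf
"""


def files_read(debug_text):
    """Every path reported in a 'read file' debug line, in order."""
    return [m.group(1) for m in READ_RE.finditer(debug_text)]


def resolve_state_dir(debug_text, state_dir=None):
    """Return the rules directory with a trailing slash.

    Uses the 'default rules dir' line unless state_dir is given. A capture
    that lacks that line (for example a trimmed excerpt) is an error, so the
    caller does not silently get an empty report.
    """
    if state_dir is None:
        m = RULES_DIR_RE.search(debug_text)
        if m is None:
            raise ValueError("no 'default rules dir' line found; pass state_dir")
        state_dir = m.group(1)
    return state_dir.rstrip("/") + "/"


def channel_report(debug_text, state_dir=None):
    """Map each channel to the rule files read from its subdirectory.

    <dir>/<channel>.cf is the small top-level file; the rules themselves are
    read from <dir>/<channel>/. An empty list means only the top-level file
    was read.
    """
    prefix = resolve_state_dir(debug_text, state_dir)
    report = {}
    for path in files_read(debug_text):
        if not (path.startswith(prefix) and path.endswith(".cf")):
            continue
        rel = path[len(prefix):]
        if "/" in rel:
            channel, name = rel.split("/", 1)
            report.setdefault(channel, []).append(name)
        else:
            report.setdefault(rel[:-len(".cf")], [])
    return report


def empty_channels(debug_text, name_filter="sare", state_dir=None):
    """Channels matching name_filter for which no rule file was read."""
    report = channel_report(debug_text, state_dir)
    return sorted(c for c, names in report.items()
                  if name_filter in c and not names)


def only_in_first(first_text, second_text, state_dir=None):
    """Rule files under the first run's rules dir that the second run never read."""
    prefix = resolve_state_dir(first_text, state_dir)

    def rule_files(text):
        return {c + "/" + n
                for c, names in channel_report(text, prefix).items()
                for n in names}

    return sorted(rule_files(first_text) - rule_files(second_text))


if __name__ == "__main__":
    for channel, names in channel_report(LINT_SAMPLE).items():
        print(channel, "->", names or "NO RULE FILES READ")
    print("missing from second run:", only_in_first(LINT_SAMPLE, SCANNER_SAMPLE))
```

To use it on real output, save the stderr of each debug run to a file and pass the file contents to `only_in_first`; the parser also accepts captures whose line breaks have been lost.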
From maxsec at gmail.com Mon Nov 24 13:52:45 2008 From: maxsec at gmail.com (Martin Hepworth) Date: Mon Nov 24 13:52:54 2008 Subject: Local State Dir - /var/lib/spamassassin - SARE rules no hits In-Reply-To: <3DF8101092666E4A9020D949E419EB6F02B9D4F0@ensms02.iris.se> References: <910ee2ac0811201634se99a4daob2b8ff95088daf27@mail.gmail.com> <3DF8101092666E4A9020D949E419EB6F02B7BABF@ensms02.iris.se> <3DF8101092666E4A9020D949E419EB6F02B7BCAA@ensms02.iris.se> <3DF8101092666E4A9020D949E419EB6F02B9D3C8@ensms02.iris.se> <4CAB0118AEC63A4FAAE77E6BCBDF760C7952018D86@server02.bhl.local> <3DF8101092666E4A9020D949E419EB6F02B9D459@ensms02.iris.se> <72cf361e0811240500k385530e5y3c830abc0cd5736e@mail.gmail.com> <3DF8101092666E4A9020D949E419EB6F02B9D4F0@ensms02.iris.se> Message-ID: <72cf361e0811240552t4cfac396w8739bd81b674e533@mail.gmail.com> 2008/11/24 Daniel Flensburg : > I check with MailWatch, either in MessageDetail on the specific message or Reports > "SA Rule Hits" for a complete list of the rule hits: > Rule - Description - Total - Ham - % - Spam - % > > The SARE-rules are in /var/lib/spamassassin/3.001004/saupdates_openprotect_com > and, as a test I ran another sa-update script that put each ruleset in a subfolder of /var/lib/spamassassin/3.001004 > > /var/lib/spamassassin/3.001004 look like this: > drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_adult_cf_sare_sa-update_dostech_net > -rw-r--r-- 1 postfix postfix 98 2008-11-17 11:09 70_sare_adult_cf_sare_sa-update_dostech_net.cf > drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_bayes_poison_nxm_cf_sare_sa-update_dostech_net > -rw-r--r-- 1 postfix postfix 109 2008-11-17 11:09 70_sare_bayes_poison_nxm_cf_sare_sa-update_dostech_net.cf > drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_evilnum0_cf_sare_sa-update_dostech_net > -rw-r--r-- 1 postfix postfix 101 2008-11-17 11:09 70_sare_evilnum0_cf_sare_sa-update_dostech_net.cf > drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 
70_sare_genlsubj0_cf_sare_sa-update_dostech_net > -rw-r--r-- 1 postfix postfix 102 2008-11-17 11:09 70_sare_genlsubj0_cf_sare_sa-update_dostech_net.cf > drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_genlsubj1_cf_sare_sa-update_dostech_net > -rw-r--r-- 1 postfix postfix 102 2008-11-17 11:09 70_sare_genlsubj1_cf_sare_sa-update_dostech_net.cf > drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_genlsubj2_cf_sare_sa-update_dostech_net > -rw-r--r-- 1 postfix postfix 102 2008-11-17 11:09 70_sare_genlsubj2_cf_sare_sa-update_dostech_net.cf > drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_header_cf_sare_sa-update_dostech_net > -rw-r--r-- 1 postfix postfix 99 2008-11-17 11:09 70_sare_header_cf_sare_sa-update_dostech_net.cf > drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_html_cf_sare_sa-update_dostech_net > -rw-r--r-- 1 postfix postfix 97 2008-11-17 11:09 70_sare_html_cf_sare_sa-update_dostech_net.cf > drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_obfu_cf_sare_sa-update_dostech_net > -rw-r--r-- 1 postfix postfix 97 2008-11-17 11:09 70_sare_obfu_cf_sare_sa-update_dostech_net.cf > drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_oem_cf_sare_sa-update_dostech_net > -rw-r--r-- 1 postfix postfix 96 2008-11-17 11:09 70_sare_oem_cf_sare_sa-update_dostech_net.cf > drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_random_cf_sare_sa-update_dostech_net > -rw-r--r-- 1 postfix postfix 99 2008-11-17 11:09 70_sare_random_cf_sare_sa-update_dostech_net.cf > drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_specific_cf_sare_sa-update_dostech_net > -rw-r--r-- 1 postfix postfix 101 2008-11-17 11:09 70_sare_specific_cf_sare_sa-update_dostech_net.cf > drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_spoof_cf_sare_sa-update_dostech_net > -rw-r--r-- 1 postfix postfix 98 2008-11-17 11:09 70_sare_spoof_cf_sare_sa-update_dostech_net.cf > drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 
70_sare_stocks_cf_sare_sa-update_dostech_net > -rw-r--r-- 1 postfix postfix 99 2008-11-17 11:09 70_sare_stocks_cf_sare_sa-update_dostech_net.cf > drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_unsub_cf_sare_sa-update_dostech_net > -rw-r--r-- 1 postfix postfix 98 2008-11-17 11:09 70_sare_unsub_cf_sare_sa-update_dostech_net.cf > drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_uri0_cf_sare_sa-update_dostech_net > -rw-r--r-- 1 postfix postfix 97 2008-11-17 11:09 70_sare_uri0_cf_sare_sa-update_dostech_net.cf > drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_uri1_cf_sare_sa-update_dostech_net > -rw-r--r-- 1 postfix postfix 97 2008-11-17 11:09 70_sare_uri1_cf_sare_sa-update_dostech_net.cf > drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_uri2_cf_sare_sa-update_dostech_net > -rw-r--r-- 1 postfix postfix 97 2008-11-17 11:09 70_sare_uri2_cf_sare_sa-update_dostech_net.cf > drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_whitelist_rcvd_cf_sare_sa-update_dostech_net > -rw-r--r-- 1 postfix postfix 107 2008-11-17 11:09 70_sare_whitelist_rcvd_cf_sare_sa-update_dostech_net.cf > drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:10 70_sare_whitelist_spf_cf_sare_sa-update_dostech_net > -rw-r--r-- 1 postfix postfix 106 2008-11-17 11:10 70_sare_whitelist_spf_cf_sare_sa-update_dostech_net.cf > drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:10 72_sare_bml_post25x_cf_sare_sa-update_dostech_net > -rw-r--r-- 1 postfix postfix 104 2008-11-17 11:10 72_sare_bml_post25x_cf_sare_sa-update_dostech_net.cf > drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:10 72_sare_redirect_post3_0_0_cf_sare_sa-update_dostech_net > -rw-r--r-- 1 postfix postfix 111 2008-11-17 11:10 72_sare_redirect_post3_0_0_cf_sare_sa-update_dostech_net.cf > drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:10 99_fvgt_tripwire_cf_sare_sa-update_dostech_net > -rw-r--r-- 1 postfix postfix 101 2008-11-17 11:10 99_fvgt_tripwire_cf_sare_sa-update_dostech_net.cf > drwxr-xr-x 2 postfix 
postfix 1024 2008-11-17 11:10 99_sare_fraud_post25x_cf_sare_sa-update_dostech_net > -rw-r--r-- 1 postfix postfix 106 2008-11-17 11:10 99_sare_fraud_post25x_cf_sare_sa-update_dostech_net.cf > drwxr-xr-x 2 postfix postfix 1024 2008-10-07 08:45 saupdates_openprotect_com > -rw-r--r-- 1 postfix postfix 1695 2008-10-07 08:45 saupdates_openprotect_com.cf > -rw-r--r-- 1 postfix postfix 50 2008-10-07 08:45 saupdates_openprotect_com.pre > drwxr-xr-x 2 postfix postfix 1024 2008-11-20 12:58 sought_rules_yerp_org > -rw-r--r-- 1 postfix postfix 119 2008-11-20 12:58 sought_rules_yerp_org.cf > -rw-r--r-- 1 postfix postfix 1335 2008-10-15 14:52 sought.txt > drwxr-xr-x 2 postfix postfix 2048 2008-10-06 15:20 updates_spamassassin_org > -rw-r--r-- 1 postfix postfix 2200 2008-10-06 15:20 updates_spamassassin_org.cf > -rw-r--r-- 1 postfix postfix 43 2008-10-06 15:20 updates_spamassassin_org.pre > > The owner of the files used to be root:root but I changed this recently for testing purposes. > > /Daniel > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Martin Hepworth > Sent: 24 November 2008 14:01 > To: MailScanner discussion > Subject: Re: Local State Dir - /var/lib/spamassassin - SARE rules no hits > > 2008/11/24 Daniel Flensburg : >> Thanks for the reply Jason! >> >> But... >> >> spamassassin -D --lint -p /opt/MailScanner/etc/spam.assassin.prefs.conf >> >> gives me the impression the SARE-rules are working, but still no SARE-hits, why?: >> >> >> [...] 
>> [5284] dbg: config: read file /etc/spamassassin/init.pre >> [5284] dbg: config: read file /etc/spamassassin/v310.pre >> [5284] dbg: config: read file /etc/spamassassin/v312.pre >> [5284] dbg: config: using "/var/lib/spamassassin/3.001004" for sys rules pre files >> [5284] dbg: config: read file /var/lib/spamassassin/3.001004/saupdates_openprotect_com.pre >> [5284] dbg: config: read file /var/lib/spamassassin/3.001004/updates_spamassassin_org.pre >> [5284] dbg: config: using "/var/lib/spamassassin/3.001004" for default rules dir >> [5284] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_adult_cf_sare_sa-update_dostech_net.cf >> [5284] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_bayes_poison_nxm_cf_sare_sa-update_dostech_net.cf >> [5284] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_evilnum0_cf_sare_sa-update_dostech_net.cf >> [5284] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_genlsubj0_cf_sare_sa-update_dostech_net.cf >> [5284] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_genlsubj1_cf_sare_sa-update_dostech_net.cf >> [5284] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_genlsubj2_cf_sare_sa-update_dostech_net.cf >> [5284] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_header_cf_sare_sa-update_dostech_net.cf >> [5284] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_html_cf_sare_sa-update_dostech_net.cf >> [5284] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_obfu_cf_sare_sa-update_dostech_net.cf >> [5284] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_oem_cf_sare_sa-update_dostech_net.cf >> [...] >> >> ...and: >> >> [...] 
>> [5547] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001004/updates_spamassassin_org/empty.pre >> [5547] dbg: config: using "/var/lib/spamassassin/3.001004/updates_spamassassin_org/empty.pre" for included file >> [5547] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001004/70_sare_adult_cf_sare_sa-update_dostech_net/200705210700.cf >> [5547] dbg: config: using "/var/lib/spamassassin/3.001004/70_sare_adult_cf_sare_sa-update_dostech_net/200705210700.cf" for included file >> [5547] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_adult_cf_sare_sa-update_dostech_net/200705210700.cf >> [5547] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001004/70_sare_bayes_poison_nxm_cf_sare_sa-update_dostech_net/200506020000.cf >> [5547] dbg: config: using "/var/lib/spamassassin/3.001004/70_sare_bayes_poison_nxm_cf_sare_sa-update_dostech_net/200506020000.cf" for included file >> [5547] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_bayes_poison_nxm_cf_sare_sa-update_dostech_net/200506020000.cf >> [...] >> >> /Daniel >> >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jason Ede >> Sent: 24 November 2008 12:37 >> To: MailScanner discussion >> Subject: RE: Local State Dir - /var/lib/spamassassin - SARE rules no hits >> >>> -----Original Message----- >>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >>> bounces@lists.mailscanner.info] On Behalf Of Daniel Flensburg >>> Sent: 24 November 2008 10:56 >>> To: MailScanner discussion >>> Subject: SV: Local State Dir - /var/lib/spamassassin - SARE rules no >>> hits >>> >>> Hi Kai! >>> >>> Sorry about the reply button, I think you are right. >>> >>> I tried the setting below and restarted the server. I cannot see any >>> SARE hits yet. >>> I'm pretty sure it's not working. 
(tried to send text that another >>> working server get SARE hits on outgoing tests, no hits on "my"side) >>> >>> What is the best way to test if rules in /var/lib/spamassassin are >>> working correctly? >>> >>> Why does the two commands below give different results? >>> >>> spamassassin -D --lint >> >> Try spamassassin -D --lint -p / >> >> On my system it's spamassassin -D --lint -p /etc/MailScanner/spam.assassin.prefs.conf >> >> Jason >> >>> >>> /opt/MailScanner/bin/MailScanner --debug --debug-sa >>> >>> Regards, >>> >>> /Daniel >>> >>> -----Original Message----- >>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >>> bounces@lists.mailscanner.info] On Behalf Of Kai Schaetzl >>> Sent: 23 November 2008 15:31 >>> To: mailscanner@lists.mailscanner.info >>> Subject: Re: Local State Dir - /var/lib/spamassassin - SARE rules no hits >>> >>> Daniel Flensburg wrote on Fri, 21 Nov 2008 16:10:48 +0100: >>> >>> > You have no idea what you did? >>> >>> I found this snippet: >>> http://lists.mailscanner.info/pipermail/mailscanner/2008- >>> April/083684.html >>> >>> so >>> >>> SpamAssassin Local State Dir = /var/lib/spamassassin >>> >>> should work for you. Double-check that and don't forget to restart >>> MailScanner. >>> >>> Btw, I just notice that your start message doesn't thread correctly. >>> Please, if you send a question to a mailing list, do *not* hit reply, >>> the >>> "new message" button is for that! >>> >>> Kai >>> >>> -- >>> Kai Schätzl, Berlin, Germany >>> Get your web at Conactive Internet Services: http://www.conactive.com >>> >>> >>> >> > Daniel > > How are you checking for hits against the SARE set and whereabouts > are they installed to? > > > -- > Martin Hepworth > Oxford, UK > -- > MailScanner mailing list > Hmm the SARE rules should be in /var/lib/spamassassin/3.001004/saupdates_openprotect_com, not in the directory above. Now you've restarted mailscanner after you've updated so that's not the issue. Maybe it's a problem. 
I'd do as Phil suggested - upgrade everything to latest versions. 3.1.4 is really really old anyway, and 3.2.5 will help a lot with general spam catching. I did a 3.1.7 -> 3.2.5 upgrade a couple of months ago with no issues and very little 'downtime' (I kept the MTAs going, just stopped mailscanner and it took around 15 minutes to complete). I'd also make sure you're running a reasonably up-to-date mailscanner too. -- Martin Hepworth Oxford, UK From glenn.steen at gmail.com Mon Nov 24 14:22:07 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Nov 24 14:22:17 2008 Subject: Local State Dir - /var/lib/spamassassin - SARE rules no hits In-Reply-To: <3DF8101092666E4A9020D949E419EB6F02B9D3C8@ensms02.iris.se> References: <910ee2ac0811201634se99a4daob2b8ff95088daf27@mail.gmail.com> <3DF8101092666E4A9020D949E419EB6F02B7BABF@ensms02.iris.se> <3DF8101092666E4A9020D949E419EB6F02B7BCAA@ensms02.iris.se> <3DF8101092666E4A9020D949E419EB6F02B9D3C8@ensms02.iris.se> Message-ID: <223f97700811240622s743469aaw9bb56791c0ea6192@mail.gmail.com> 2008/11/24 Daniel Flensburg : > Hi Kai! > > Sorry about the reply button, I think you are right. > > I tried the setting below and restarted the server. I cannot see any SARE hits yet. > I'm pretty sure it's not working. (tried to send text that another working server get SARE hits on outgoing tests, no hits on "my"side) > > What is the best way to test if rules in /var/lib/spamassassin are working correctly? > > Why does the two commands below give different results? > > spamassassin -D --lint > > /opt/MailScanner/bin/MailScanner --debug --debug-sa > Because the first is run as root and the second is run as postfix. Stop "checking" things as root, when it comes to SA. Although the risk of it actually hurting you is minimal (provided you've set bayes perms correctly) it doesn't help you either. As a postfix user, your first gut reaction should be to test everything manually as your postfix user...!:-). 
So start by becoming postfix via "su - postfix -s /bin/bash", then use normal tools like "cd", "ls" and "less" to make sure you can a) reach the files and b) read the files. If the actual sa-update/SARE directories are correct (you can read them, as postfix), then likely the problem is "closer to the root directory". When you've fixed any permission issues, test the plain spamassassin command again. (snip) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From gmatt at nerc.ac.uk Mon Nov 24 15:07:23 2008 From: gmatt at nerc.ac.uk (Greg Matthews) Date: Mon Nov 24 15:07:43 2008 Subject: testing rules sets with --value= In-Reply-To: <491C430D.8000601@fsl.com> References: <491C1C78.7050605@nerc.ac.uk> <491C2329.40002@fsl.com> <223f97700811130544k6d949eb4i7ea88953ac49f421@mail.gmail.com> <491C430D.8000601@fsl.com> Message-ID: <492AC32B.2060908@nerc.ac.uk> Steve Freegard wrote: > Glenn Steen wrote: > Yep - MailScanner will do the translation automagically ;-) Thanks guys, sorry it's taken me so long to catch up with the list. Your answers covered everything I was after. GREG > > Cheers, > Steve. -- Greg Matthews 01491 692445 Head of UNIX/Linux, iTSS Wallingford -- This message (and any attachments) is for the recipient only. NERC is subject to the Freedom of Information Act 2000 and the contents of this email and any reply you make may be disclosed by NERC unless it is exempt from release under the Act. Any material supplied to NERC may be stored in an electronic records management system. 
From maillists at conactive.com Mon Nov 24 15:11:48 2008 From: maillists at conactive.com (Kai Schaetzl) Date: Mon Nov 24 15:12:02 2008 Subject: Local State Dir - /var/lib/spamassassin - SARE rules no hits In-Reply-To: <3DF8101092666E4A9020D949E419EB6F02B9D4F0@ensms02.iris.se> References: <910ee2ac0811201634se99a4daob2b8ff95088daf27@mail.gmail.com> <3DF8101092666E4A9020D949E419EB6F02B7BABF@ensms02.iris.se> <3DF8101092666E4A9020D949E419EB6F02B7BCAA@ensms02.iris.se> <3DF8101092666E4A9020D949E419EB6F02B9D3C8@ensms02.iris.se> <4CAB0118AEC63A4FAAE77E6BCBDF760C7952018D86@server02.bhl.local> <3DF8101092666E4A9020D949E419EB6F02B9D459@ensms02.iris.se> <72cf361e0811240500k385530e5y3c830abc0cd5736e@mail.gmail.com> <3DF8101092666E4A9020D949E419EB6F02B9D4F0@ensms02.iris.se> Message-ID: Reply-To: mailscanner@lists.mailscanner.info Oh, please, you do not want to use *all* SARE rules especially not the evilnum rules! Pick no more than 5 sets that seem appropriate for you and wait a bit. If you want to see early hits then check out a rule and send yourself a mail that should hit one from an account you can be sure will get scanned. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From maillists at conactive.com Mon Nov 24 15:11:49 2008 From: maillists at conactive.com (Kai Schaetzl) Date: Mon Nov 24 15:12:02 2008 Subject: Local State Dir - /var/lib/spamassassin - SARE rules no hits In-Reply-To: <223f97700811240622s743469aaw9bb56791c0ea6192@mail.gmail.com> References: <910ee2ac0811201634se99a4daob2b8ff95088daf27@mail.gmail.com> <3DF8101092666E4A9020D949E419EB6F02B7BABF@ensms02.iris.se> <3DF8101092666E4A9020D949E419EB6F02B7BCAA@ensms02.iris.se> <3DF8101092666E4A9020D949E419EB6F02B9D3C8@ensms02.iris.se> <223f97700811240622s743469aaw9bb56791c0ea6192@mail.gmail.com> Message-ID: Glenn Steen wrote on Mon, 24 Nov 2008 15:22:07 +0100: > Because the first is run as root and the second is run as postfix. 
Good tip, but running as root just gives the same result here. E.g. I clearly see /var/lib/spamassassin getting used ... Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From maillists at conactive.com Mon Nov 24 15:11:48 2008 From: maillists at conactive.com (Kai Schaetzl) Date: Mon Nov 24 15:12:03 2008 Subject: Local State Dir - /var/lib/spamassassin - SARE rules no hits In-Reply-To: <3DF8101092666E4A9020D949E419EB6F02B9D459@ensms02.iris.se> References: <910ee2ac0811201634se99a4daob2b8ff95088daf27@mail.gmail.com> <3DF8101092666E4A9020D949E419EB6F02B7BABF@ensms02.iris.se> <3DF8101092666E4A9020D949E419EB6F02B7BCAA@ensms02.iris.se> <3DF8101092666E4A9020D949E419EB6F02B9D3C8@ensms02.iris.se> <4CAB0118AEC63A4FAAE77E6BCBDF760C7952018D86@server02.bhl.local> <3DF8101092666E4A9020D949E419EB6F02B9D459@ensms02.iris.se> Message-ID: Daniel Flensburg wrote on Mon, 24 Nov 2008 13:34:28 +0100: > gives me the impression the SARE-rules are working, but still no SARE-hits, why?: This is absolutely normal. Why should you get immediate hits with them? Check again with *MailScanner debug* if /var/lib gets used. If yes, then just wait. If no, it's likely a problem with your old MS version. 
Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From Daniel.Flensburg at iris.se Mon Nov 24 15:25:51 2008 From: Daniel.Flensburg at iris.se (Daniel Flensburg) Date: Mon Nov 24 15:29:22 2008 Subject: SV: Local State Dir - /var/lib/spamassassin - SARE rules no hits In-Reply-To: References: <910ee2ac0811201634se99a4daob2b8ff95088daf27@mail.gmail.com><3DF8101092666E4A9020D949E419EB6F02B7BABF@ensms02.iris.se><3DF8101092666E4A9020D949E419EB6F02B7BCAA@ensms02.iris.se><3DF8101092666E4A9020D949E419EB6F02B9D3C8@ensms02.iris.se><4CAB0118AEC63A4FAAE77E6BCBDF760C7952018D86@server02.bhl.local><3DF8101092666E4A9020D949E419EB6F02B9D459@ensms02.iris.se> Message-ID: <3DF8101092666E4A9020D949E419EB6F02B9D621@ensms02.iris.se> MS version is up to date /Daniel -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Kai Schaetzl Sent: 24 November 2008 16:12 To: mailscanner@lists.mailscanner.info Subject: Re: Local State Dir - /var/lib/spamassassin - SARE rules no hits Daniel Flensburg wrote on Mon, 24 Nov 2008 13:34:28 +0100: > gives me the impression the SARE-rules are working, but still no SARE-hits, why?: This is absolutely normal. Why should you get immediate hits with them? Check again with *MailScanner debug* if /var/lib gets used. If yes, then just wait. If no, it's likely a problem with your old MS version. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com 
From Daniel.Flensburg at iris.se Mon Nov 24 15:38:20 2008 From: Daniel.Flensburg at iris.se (Daniel Flensburg) Date: Mon Nov 24 15:41:48 2008 Subject: SV: Local State Dir - /var/lib/spamassassin - SARE rules no hits In-Reply-To: <223f97700811240622s743469aaw9bb56791c0ea6192@mail.gmail.com> References: <910ee2ac0811201634se99a4daob2b8ff95088daf27@mail.gmail.com><3DF8101092666E4A9020D949E419EB6F02B7BABF@ensms02.iris.se><3DF8101092666E4A9020D949E419EB6F02B7BCAA@ensms02.iris.se><3DF8101092666E4A9020D949E419EB6F02B9D3C8@ensms02.iris.se> <223f97700811240622s743469aaw9bb56791c0ea6192@mail.gmail.com> Message-ID: <3DF8101092666E4A9020D949E419EB6F02B9D641@ensms02.iris.se> I tried using the command "su - postfix -s /bin/bash" and I could ls cd and nano the *cf files in /var/lib/spamassassin/3.XXXXX BUT, now I cannot SA-LEARN with MailWatch. Have no idea if they are related but it happened at the same time. (No results In MailWatch > Bayes Info either) SA Learn: error code 13 returned from sa-learn: bayes: expire_old_tokens: locker: safe_lock: cannot create tmp lockfile /var/www/.spamassassin/bayes.lock.mailgw.kurs.irishadar.se.4836 for /var/www/.spamassassin/bayes.lock: Permission denied bayes: locker: safe_lock: cannot create tmp lockfile /var/www/.spamassassin/bayes.lock.mailgw.kurs.irishadar.se.4836 for /var/www/.spamassassin/bayes.lock: Permission denied Learned tokens from 0 message(s) (1 message(s) examined) My bayes files are not in /var/www either, but in /opt/MailScanner/bayes I have rebooted. What happened?! /Daniel -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen Sent: 24 November 2008 15:22 To: MailScanner discussion Subject: Re: Local State Dir - /var/lib/spamassassin - SARE rules no hits 2008/11/24 Daniel Flensburg : > Hi Kai! > > Sorry about the reply button, I think you are right. > > I tried the setting below and restarted the server. 
I cannot see any SARE hits yet. > I'm pretty sure it's not working. (tried to send text that another working server get SARE hits on outgoing tests, no hits on "my"side) > > What is the best way to test if rules in /var/lib/spamassassin are working correctly? > > Why does the two commands below give different results? > > spamassassin -D --lint > > /opt/MailScanner/bin/MailScanner --debug --debug-sa > Because the first is run as root and the second is run as postfix. Stop "checking" things as root, when it comes to SA. Although the risk of it actually hurting you is minimal (provided you've set bayes perms correctly) it doesn't help you either. As a postfix user, your first gut reaction should be to test everything manually as your postfix user...!:-). So start by becoming postfix via "su - postfix -s /bin/bash", then use normal tools like "cd", "ls" and "less" to make sure you can a) reach the files and b) read the files. If the actual sa-update/SARE directories are correct (you can read them, as postfix), then likely the problem is "closer to the root directory". When you've fixed any permission issues, test the plain spamassassin command again. (snip) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se 
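The check Glenn Steen describes in the message above (can the scanning user reach and read every directory down to the rule files, or is the block "closer to the root directory"?) and the lock-file error Daniel reports can both be examined from the mode bits alone. The following is an added example, not code from the thread or from MailScanner; the function names and the `base` parameter are illustrative, and it models only the classic owner/group/other bits (no ACLs, SELinux or root override).

```python
import grp
import os
import pwd
import stat
import sys

R, W, X = 4, 2, 1  # permission bits inside one rwx triplet


def ids_for(user):
    """Resolve a login name such as "postfix" to (uid, set of gids)."""
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if user in g.gr_mem)
    return pw.pw_uid, gids


def class_bits(st, uid, gids):
    """Pick the one triplet the kernel applies: owner, else group, else other."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def first_denied(path, uid, gids, need_write=False, base=os.sep):
    """Return (component, what) for the first component that blocks uid, else None.

    what is "search" (no x on a directory), "read", "write" or "missing".
    Components above base are assumed to be reachable (hypothetical parameter,
    useful when only the tree below a known-good directory is of interest).
    """
    target = os.path.realpath(path)
    base = os.path.realpath(base)
    rel = os.path.relpath(target, base)
    if rel == os.pardir or rel.startswith(os.pardir + os.sep):
        raise ValueError("path is not below base")
    chain = [base]
    if rel != os.curdir:
        for part in rel.split(os.sep):
            chain.append(os.path.join(chain[-1], part))
    for component in chain:
        try:
            st = os.stat(component)
        except (FileNotFoundError, NotADirectoryError):
            return component, "missing"
        bits = class_bits(st, uid, gids)
        if stat.S_ISDIR(st.st_mode) and not bits & X:
            return component, "search"   # cannot enter or pass through
        if component != target:
            continue                     # ancestors only need search permission
        if not bits & R:
            return component, "read"
        if need_write and not bits & W:
            return component, "write"    # e.g. cannot create a lock file here
    return None


if __name__ == "__main__":
    # usage: python3 thisfile.py postfix /var/lib/spamassassin/3.001004
    uid, gids = ids_for(sys.argv[1])
    print(first_denied(sys.argv[2], uid, gids) or "reachable and readable")
```

Run it as root so that every component can be stat'ed; calling `first_denied` with `need_write=True` on a directory answers whether that user could create a file such as `bayes.lock` in it.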
From Daniel.Flensburg at iris.se Mon Nov 24 15:43:01 2008 From: Daniel.Flensburg at iris.se (Daniel Flensburg) Date: Mon Nov 24 15:46:30 2008 Subject: SV: Local State Dir - /var/lib/spamassassin - SARE rules no hits In-Reply-To: References: <910ee2ac0811201634se99a4daob2b8ff95088daf27@mail.gmail.com><3DF8101092666E4A9020D949E419EB6F02B7BABF@ensms02.iris.se><3DF8101092666E4A9020D949E419EB6F02B7BCAA@ensms02.iris.se><3DF8101092666E4A9020D949E419EB6F02B9D3C8@ensms02.iris.se><4CAB0118AEC63A4FAAE77E6BCBDF760C7952018D86@server02.bhl.local><3DF8101092666E4A9020D949E419EB6F02B9D459@ensms02.iris.se> Message-ID: <3DF8101092666E4A9020D949E419EB6F02B9D64D@ensms02.iris.se> I did not expect to get immediate hits. I tried to send a mail which got SARE-hits on another MS server, and it's not working on my server. /Daniel -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Kai Schaetzl Sent: 24 November 2008 16:12 To: mailscanner@lists.mailscanner.info Subject: Re: Local State Dir - /var/lib/spamassassin - SARE rules no hits Daniel Flensburg wrote on Mon, 24 Nov 2008 13:34:28 +0100: > gives me the impression the SARE-rules are working, but still no SARE-hits, why?: This is absolutely normal. Why should you get immediate hits with them? Check again with *MailScanner debug* if /var/lib gets used. If yes, then just wait. If no, it's likely a problem with your old MS version. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com 
From maxsec at gmail.com Mon Nov 24 16:10:43 2008 From: maxsec at gmail.com (Martin Hepworth) Date: Mon Nov 24 16:10:53 2008 Subject: Local State Dir - /var/lib/spamassassin - SARE rules no hits In-Reply-To: <3DF8101092666E4A9020D949E419EB6F02B9D641@ensms02.iris.se> References: <910ee2ac0811201634se99a4daob2b8ff95088daf27@mail.gmail.com> <3DF8101092666E4A9020D949E419EB6F02B7BABF@ensms02.iris.se> <3DF8101092666E4A9020D949E419EB6F02B7BCAA@ensms02.iris.se> <3DF8101092666E4A9020D949E419EB6F02B9D3C8@ensms02.iris.se> <223f97700811240622s743469aaw9bb56791c0ea6192@mail.gmail.com> <3DF8101092666E4A9020D949E419EB6F02B9D641@ensms02.iris.se> Message-ID: <72cf361e0811240810w340d6e09v466bd3e1acb2e2ef@mail.gmail.com> Dan it's using the apache user's home dir for the bayes db...check you've got perms correct so the apache user can see the mailscanner setup files. -- Martin Hepworth Oxford, UK 2008/11/24 Daniel Flensburg : > I tried using the command "su - postfix -s /bin/bash" and I could ls cd and nano the *cf files in /var/lib/spamassassin/3.XXXXX > > BUT, now I cannot SA-LEARN with MailWatch. Have no idea if they are related but it happened at the same time. (No results In MailWatch > Bayes Info either) > > SA Learn: error code 13 returned from sa-learn: bayes: expire_old_tokens: locker: safe_lock: cannot create tmp lockfile /var/www/.spamassassin/bayes.lock.mailgw.kurs.irishadar.se.4836 for /var/www/.spamassassin/bayes.lock: Permission denied bayes: locker: safe_lock: cannot create tmp lockfile /var/www/.spamassassin/bayes.lock.mailgw.kurs.irishadar.se.4836 for /var/www/.spamassassin/bayes.lock: Permission denied Learned tokens from 0 message(s) (1 message(s) examined) > > My bayes files are not in /var/www either, but in /opt/MailScanner/bayes > > I have rebooted. What happened?! 
> > /Daniel > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen > Sent: 24 November 2008 15:22 > To: MailScanner discussion > Subject: Re: Local State Dir - /var/lib/spamassassin - SARE rules no hits > > 2008/11/24 Daniel Flensburg : >> Hi Kai! >> >> Sorry about the reply button, I think you are right. >> >> I tried the setting below and restarted the server. I cannot see any SARE hits yet. >> I'm pretty sure it's not working. (tried to send text that another working server get SARE hits on outgoing tests, no hits on "my"side) >> >> What is the best way to test if rules in /var/lib/spamassassin are working correctly? >> >> Why does the two commands below give different results? >> >> spamassassin -D --lint >> >> /opt/MailScanner/bin/MailScanner --debug --debug-sa >> > Because the first is run as root and the second is run as postfix. Stop > "checking" things as root, when it comes to SA. Although the risk of > it actually hurting you is minimal (provided you've set bayes perms > correctly) it doesn't help you either. > > As a postfix user, your first gut reaction should be to test > everything manually as your postfix user...!:-). > So start by becoming postfix via "su - postfix -s /bin/bash", then use > normal tools like "cd", "ls" and "less" to make sure you can a) reach > the files and b) read the files. If the actual sa-update/SARE > directories are correct (you can read them, as postfix), then likely > the problem is "closer to the root directory". When you've fixed any > permission issues, test the plain spamassassin command again. 
> > (snip) > Cheers > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > From michael at osund.com Mon Nov 24 17:39:35 2008 From: michael at osund.com (michael) Date: Mon Nov 24 17:46:02 2008 Subject: Mailscanner doesnt scan. Message-ID: Hi! Like the topic says mailscanner or spamassassin doesn't scan or check my incoming or outgoing emails. I have Mailscanner spamassassin and clamav installed, and my configuration for postfix / mailscanner and some output from my /var/log/mail are attached below. 
/etc/postfix/main.cf readme_directory = /usr/share/doc/packages/postfix/README_FILES inet_protocols = all biff = no mail_spool_directory = /var/mail canonical_maps = hash:/etc/postfix/canonical virtual_alias_maps = hash:/etc/postfix/virtual virtual_alias_domains = hash:/etc/postfix/virtual relocated_maps = hash:/etc/postfix/relocated transport_maps = hash:/etc/postfix/transport sender_canonical_maps = hash:/etc/postfix/sender_canonical masquerade_exceptions = root masquerade_classes = envelope_sender, header_sender, header_recipient myhostname = osund.com program_directory = /usr/lib/postfix inet_interfaces = all masquerade_domains = mydestination = $myhostname, localhost.$mydomain defer_transports = mynetworks_style = subnet disable_dns_lookups = no relayhost = **************** mailbox_command = mailbox_transport = strict_8bitmime = no disable_mime_output_conversion = no smtpd_sender_restrictions = hash:/etc/postfix/access smtpd_client_restrictions = smtpd_helo_required = no smtpd_helo_restrictions = strict_rfc821_envelopes = no smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,check_relay_domains smtp_sasl_auth_enable = no smtpd_sasl_auth_enable = yes smtpd_use_tls = yes smtp_use_tls = yes alias_maps = hash:/etc/aliases mailbox_size_limit = 0 message_size_limit = 10240000 mydomain = osund.com mynetworks = 127.0.0.0/8 , 13.37.0.0/24 smtpd_sasl_local_domain = smtpd_sasl_security_options = noanonymous broken_sasl_auth_clients = yes smtpd_sasl_authenticated_header = yes smtpd_tls_auth_only = no smtp_tls_note_starttls_offer = yes smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem smtpd_tls_loglevel = 1 smtpd_tls_received_header = yes smtpd_tls_session_cache_timeout = 3600s tls_random_source = dev:/dev/urandom home_mailbox = Maildir/ header_checks = regexp:/etc/postfix/header_checks /etc/MailScanner/MailScanner.conf # ONLY SHOWING ACTIVE LINES THAT HAVE 
SOMETHING TODO WITH SCANNING %etc-dir% = /etc/MailScanner %report-dir% = /etc/MailScanner/reports/en Run As User = postfix Run As Group = postfix Max Children = 5 Queue Scan Interval = 6 Incoming Queue Dir = /var/spool/MailScanner/hold Outgoing Queue Dir = /var/spool/MailScanner/incoming Incoming Work Dir = /var/spool/MailScanner/incoming Quarantine Dir = /var/spool/MailScanner/quarantine MTA = postfix Scan Messages = yes Virus Scanning = yes Virus Scanners = clamav Use SpamAssassin = yes Log Spam = yes Of course there's a lot of other options, please tell me if you want to know a value of another option. The /var/log/mail says this when a mail is being received. Nov 17 15:30:18 gateway postfix/smtpd[2597]: connect from *************.***[***.***.***.***] Nov 17 15:30:18 gateway MailScanner[2596]: MailScanner E-Mail Virus Scanner version 4.72.5 starting... Nov 17 15:30:20 gateway postfix/smtpd[2597]: warning: support for restriction "check_relay_domains" will be removed from Postfix; use "reject_unauth_destination" instead Nov 17 15:30:20 gateway postfix/smtpd[2597]: D7D0623970: client=***********.***[***.***.***.***] Nov 17 15:30:21 gateway postfix/cleanup[2617]: D7D0623970: hold: header Received: from **********.*** (******.**** [***.***.***.***])??by *****.*** (Postfix) with ESMTP id D7D0623970??for <*****@*******.***>; Mon, 17 Nov 2008 15:30:19 +0100 (CET) from *********.***[***.***.***.***]; from= to=<****@******.***> proto=ESMTP helo= Nov 17 15:30:21 gateway postfix/cleanup[2617]: D7D0623970: message-id=<707c30aa0811170635x587645ddn1077ecfa2d08fc36@mail.****.com> The messages are being correctly received and sent in both directions, but not scanned at all, I also don't get the "Scanned by MailScanner watermark in my sent Emails". I also see these lines repeat along with the ClamAv update notice (ClamAv already the latest database version bla bla bla) Nov 19 16:19:33 gateway MailScanner[3634]: MailScanner E-Mail Virus Scanner version 4.72.5 starting... 
Nov 19 16:19:35 gateway MailScanner[3634]: Read 848 hostnames from the phishing whitelist Nov 19 16:19:37 gateway MailScanner[3633]: Using SpamAssassin results cache Nov 19 16:19:37 gateway MailScanner[3633]: Connected to SpamAssassin cache database Nov 19 16:19:37 gateway MailScanner[3633]: Enabling SpamAssassin auto-whitelist functionality... Nov 19 16:19:39 gateway MailScanner[3634]: Read 7320 hostnames from the phishing blacklist Nov 19 16:19:39 gateway MailScanner[3634]: SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp I've searched the internet for MailScanner configurations and I think I have a correct configuration, any pointers and help at all would be awesome! /Regards From maxsec at gmail.com Mon Nov 24 18:18:20 2008 From: maxsec at gmail.com (Martin Hepworth) Date: Mon Nov 24 18:18:29 2008 Subject: Mailscanner doesnt scan. In-Reply-To: References: Message-ID: <72cf361e0811241018o4bd0ca8apeb491ce0052faec@mail.gmail.com> 2008/11/24 michael : > Hi! > Like the topic says mailscanner or spamassassin doesn't scan or check my > incoming or outgoing emails. > I have Mailscanner spamassassin and clamav installed, and my configuration > for postfix / mailscanner and some output from my /var/log/mail are > attached below. 
> > /etc/postfix/main.cf > > readme_directory = /usr/share/doc/packages/postfix/README_FILES > inet_protocols = all > biff = no > mail_spool_directory = /var/mail > canonical_maps = hash:/etc/postfix/canonical > virtual_alias_maps = hash:/etc/postfix/virtual > virtual_alias_domains = hash:/etc/postfix/virtual > relocated_maps = hash:/etc/postfix/relocated > transport_maps = hash:/etc/postfix/transport > sender_canonical_maps = hash:/etc/postfix/sender_canonical > masquerade_exceptions = root > masquerade_classes = envelope_sender, header_sender, header_recipient > myhostname = osund.com > program_directory = /usr/lib/postfix > inet_interfaces = all > masquerade_domains = > mydestination = $myhostname, localhost.$mydomain > defer_transports = > mynetworks_style = subnet > disable_dns_lookups = no > relayhost = **************** > mailbox_command = > mailbox_transport = > strict_8bitmime = no > disable_mime_output_conversion = no > smtpd_sender_restrictions = hash:/etc/postfix/access > smtpd_client_restrictions = > smtpd_helo_required = no > smtpd_helo_restrictions = > strict_rfc821_envelopes = no > smtpd_recipient_restrictions = > permit_sasl_authenticated,permit_mynetworks,check_relay_domains > smtp_sasl_auth_enable = no > smtpd_sasl_auth_enable = yes > smtpd_use_tls = yes > smtp_use_tls = yes > alias_maps = hash:/etc/aliases > mailbox_size_limit = 0 > message_size_limit = 10240000 > mydomain = osund.com > mynetworks = 127.0.0.0/8 , 13.37.0.0/24 > smtpd_sasl_local_domain = > smtpd_sasl_security_options = noanonymous > broken_sasl_auth_clients = yes > smtpd_sasl_authenticated_header = yes > smtpd_tls_auth_only = no > smtp_tls_note_starttls_offer = yes > smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key > smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt > smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem > smtpd_tls_loglevel = 1 > smtpd_tls_received_header = yes > smtpd_tls_session_cache_timeout = 3600s > tls_random_source = dev:/dev/urandom > home_mailbox = Maildir/ > 
header_checks = regexp:/etc/postfix/header_checks > > /etc/MailScanner/MailScanner.conf > # ONLY SHOWING ACTIVE LINES THAT HAVE SOMETHING TODO WITH SCANNING > > %etc-dir% = /etc/MailScanner > %report-dir% = /etc/MailScanner/reports/en > Run As User = postfix > Run As Group = postfix > Max Children = 5 > Queue Scan Interval = 6 > Incoming Queue Dir = /var/spool/MailScanner/hold > Outgoing Queue Dir = /var/spool/MailScanner/incoming > Incoming Work Dir = /var/spool/MailScanner/incoming > Quarantine Dir = /var/spool/MailScanner/quarantine > MTA = postfix > Scan Messages = yes > Virus Scanning = yes > Virus Scanners = clamav > Use SpamAssassin = yes > Log Spam = yes > > Of course theres alot of other options, please tell me if you want to know > a value of another option. > > The /var/log/mail says this when a mail is being received. > > Nov 17 15:30:18 gateway postfix/smtpd[2597]: connect from > *************.***[***.***.***.***] > Nov 17 15:30:18 gateway MailScanner[2596]: MailScanner E-Mail Virus Scanner > version 4.72.5 starting... > Nov 17 15:30:20 gateway postfix/smtpd[2597]: warning: support for > restriction "check_relay_domains" will be removed from Postfix; use > "reject_unauth_destination" instead > Nov 17 15:30:20 gateway postfix/smtpd[2597]: D7D0623970: > client=***********.***[***.***.***.***] > Nov 17 15:30:21 gateway postfix/cleanup[2617]: D7D0623970: hold: header > Received: from **********.*** (******.**** [***.***.***.***])??by *****.*** > (Postfix) with ESMTP id D7D0623970??for <*****@*******.***>; Mon, 17 Nov > 2008 15:30:19 +0100 (CET) from *********.***[***.***.***.***]; > from= to=<****@******.***> proto=ESMTP > helo= > Nov 17 15:30:21 gateway postfix/cleanup[2617]: D7D0623970: > message-id=<707c30aa0811170635x587645ddn1077ecfa2d08fc36@mail.****.com> > > The messages are being correctly recieved and sent in both directions, but > not scanned at all, i also dont get the "Scanned by MailScanner watermark > in my sent Emails". 
> > I also see thees lines repeat along with the ClamAv update notice (ClamAv > allready the latest database version bla bla bla) > > Nov 19 16:19:33 gateway MailScanner[3634]: MailScanner E-Mail Virus Scanner > version 4.72.5 starting... > Nov 19 16:19:35 gateway MailScanner[3634]: Read 848 hostnames from the > phishing whitelist > Nov 19 16:19:37 gateway MailScanner[3633]: Using SpamAssassin results cache > > Nov 19 16:19:37 gateway MailScanner[3633]: Connected to SpamAssassin cache > database > Nov 19 16:19:37 gateway MailScanner[3633]: Enabling SpamAssassin > auto-whitelist functionality... > Nov 19 16:19:39 gateway MailScanner[3634]: Read 7320 hostnames from the > phishing blacklist > Nov 19 16:19:39 gateway MailScanner[3634]: SpamAssassin temporary working > directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp > > Ive searched the internet for MailScanner configurations and i think i have > a correct configuration, any pointers and help at all would be awsome! > > /Reagards > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > Michael well looking at the postfix mailscanner how-to.. http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:installation in MailScanner.conf the "Incoming" and "Outgoing" queues are wrong...but that doesn't explain why the mail's being delivered. I presume you've created the /etc/postfix/header_checks file correctly? 
-- Martin Hepworth Oxford, UK From maillists at conactive.com Mon Nov 24 18:31:21 2008 From: maillists at conactive.com (Kai Schaetzl) Date: Mon Nov 24 18:31:34 2008 Subject: Local State Dir - /var/lib/spamassassin - SARE rules no hits In-Reply-To: <3DF8101092666E4A9020D949E419EB6F02B9D621@ensms02.iris.se> References: <910ee2ac0811201634se99a4daob2b8ff95088daf27@mail.gmail.com> <3DF8101092666E4A9020D949E419EB6F02B7BABF@ensms02.iris.se> <3DF8101092666E4A9020D949E419EB6F02B7BCAA@ensms02.iris.se> <3DF8101092666E4A9020D949E419EB6F02B9D3C8@ensms02.iris.se> <4CAB0118AEC63A4FAAE77E6BCBDF760C7952018D86@server02.bhl.local> <3DF8101092666E4A9020D949E419EB6F02B9D459@ensms02.iris.se> <3DF81010926 Message-ID: 66E4A9020D949E419EB6F02B9D621@ensms02.iris.se> Reply-To: mailscanner@lists.mailscanner.info Daniel Flensburg wrote on Mon, 24 Nov 2008 16:25:51 +0100: > MS version is up to date well, from the old SA I figured your MS might be old as well. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From astephens at ptera.net Mon Nov 24 19:15:20 2008 From: astephens at ptera.net (Arthur Stephens) Date: Mon Nov 24 19:15:59 2008 Subject: Emails on HOLD not processed and delivered Message-ID: <492AFD48.8000507@ptera.net> I discovered this problem when customers complained about not getting emails from some people. It appears that whenever an email using ESMTP protocol goes on hold to be processed by mail scanner, it ends up being removed without processing it. Here are a couple of the numerous log entries reflecting this...
[root@mailgate ~]# grep 4013E6FB03C: /var/log/maillog Nov 24 10:09:21 mailgate postfix/smtpd[14870]: 4013E6FB03C: client=mail.sound-tele.com[66.45.208.237] Nov 24 10:09:21 mailgate postfix/cleanup[14455]: 4013E6FB03C: hold: header Received: from mail.sound-tele.com (mail.sound-tele.com [66.45.208.237])??by mailgate.ptera.net (Postfix) with ESMTP id 4013E6FB03C??for ; Mon, 24 Nov 2008 10:09:21 -0800 (PST from mail.sound-tele.com[66.45.208.237]; from= to= proto=ESMTP helo= Nov 24 10:09:21 mailgate postfix/cleanup[14455]: 4013E6FB03C: message-id= [root@mailgate ~]# grep 53A4C6FB0A0: /var/log/maillog Nov 24 10:22:30 mailgate postfix/smtpd[14219]: 53A4C6FB0A0: client=unknown[206.169.232.4] Nov 24 10:22:30 mailgate postfix/cleanup[17578]: 53A4C6FB0A0: hold: header Received: from mail.columbiagrain.com (unknown [206.169.232.4])??by mailgate.ptera.net (Postfix) with ESMTP id 53A4C6FB0A0??for ; Mon, 24 Nov 2008 10:22:30 -0800 (PST) from unknown[206.169.232.4]; from= to= proto=ESMTP helo= Nov 24 10:22:30 mailgate postfix/cleanup[17578]: 53A4C6FB0A0: message-id=<28D95A3746D8414AA52458549F3EA58705228B88@pdx-mail1.columbiagrain.com> [root@mailgate ~]# grep 592E66FB09E: /var/log/maillog Nov 24 10:28:16 mailgate postfix/smtpd[18108]: 592E66FB09E: client=seven.pairlist.net[209.68.2.241] Nov 24 10:28:16 mailgate postfix/cleanup[15863]: 592E66FB09E: hold: header Received: from seven.pairlist.net (seven.pairlist.net [209.68.2.241])??by mailgate.ptera.net (Postfix) with ESMTP id 592E66FB09E??for ; Mon, 24 Nov 2008 10:28:16 -0800 (PST) from seven.pairlist.net[209.68.2.241]; from= to= proto=ESMTP helo= Nov 24 10:28:16 mailgate postfix/cleanup[15863]: 592E66FB09E: message-id= [root@mailgate ~]# I am so unlearned about this I do not know where to begin to solve this problem. Googling didn't reveal anything obvious. What is the information between the ?? trying to tell me? 
-- Arthur Stephens Senior Sales Technician Ptera Wireless Internet Service PO Box 135 Liberty Lake, WA 99019 509-927-7837 For technical support visit http://www.ptera.net/support ----------------------------------------------------------------------------- "This message may contain confidential and/or propriety information, and is intended for the person/entity to whom it was originally addressed. Any use by others is strictly prohibited. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company." From Daniel.Flensburg at iris.se Mon Nov 24 19:29:04 2008 From: Daniel.Flensburg at iris.se (Daniel Flensburg) Date: Mon Nov 24 19:33:40 2008 Subject: SV: Local State Dir - /var/lib/spamassassin - SARE rules no hits References: <910ee2ac0811201634se99a4daob2b8ff95088daf27@mail.gmail.com><3DF8101092666E4A9020D949E419EB6F02B7BABF@ensms02.iris.se><3DF8101092666E4A9020D949E419EB6F02B7BCAA@ensms02.iris.se><3DF8101092666E4A9020D949E419EB6F02B9D3C8@ensms02.iris.se><4CAB0118AEC63A4FAAE77E6BCBDF760C7952018D86@server02.bhl.local><3DF8101092666E4A9020D949E419EB6F02B9D459@ensms02.iris.se> <3DF81010926 Message-ID: <3DF8101092666E4A9020D949E419EB6F95DCE7@ensms02.iris.se> I really should update SA also. Now I might be forced to ;-) /Daniel ________________________________ From: mailscanner-bounces@lists.mailscanner.info on behalf of Kai Schaetzl Sent: Mon 2008-11-24 19:31 To: mailscanner@lists.mailscanner.info Subject: Re: Local State Dir - /var/lib/spamassassin - SARE rules no hits 66E4A9020D949E419EB6F02B9D621@ensms02.iris.se> Reply-To: mailscanner@lists.mailscanner.info Daniel Flensburg wrote on Mon, 24 Nov 2008 16:25:51 +0100: > MS version is up to date well, from the old SA I figured your MS might be old as well.
Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From michael at osund.com Mon Nov 24 20:17:21 2008 From: michael at osund.com (michael) Date: Mon Nov 24 20:26:13 2008 Subject: Mailscanner doesnt scan. In-Reply-To: <72cf361e0811241018o4bd0ca8apeb491ce0052faec@mail.gmail.com> References: <72cf361e0811241018o4bd0ca8apeb491ce0052faec@mail.gmail.com> Message-ID: <1be7a8a441d7340b4fb2c034a5418296@osund.com> On Mon, 24 Nov 2008 18:18:20 +0000, "Martin Hepworth" wrote: > 2008/11/24 michael : >> Hi! >> Like the topic says mailscanner or spamassassin doesnt scan or check my >> incoming or outgoing emails. >> I have Mailscanner spamassassin and clamav installed, and my >> configuration >> for postfix / mailscanner and some output from my /var/log/mail are >> attached below.
>> >> /etc/postfix/main.cf >> >> readme_directory = /usr/share/doc/packages/postfix/README_FILES >> inet_protocols = all >> biff = no >> mail_spool_directory = /var/mail >> canonical_maps = hash:/etc/postfix/canonical >> virtual_alias_maps = hash:/etc/postfix/virtual >> virtual_alias_domains = hash:/etc/postfix/virtual >> relocated_maps = hash:/etc/postfix/relocated >> transport_maps = hash:/etc/postfix/transport >> sender_canonical_maps = hash:/etc/postfix/sender_canonical >> masquerade_exceptions = root >> masquerade_classes = envelope_sender, header_sender, header_recipient >> myhostname = osund.com >> program_directory = /usr/lib/postfix >> inet_interfaces = all >> masquerade_domains = >> mydestination = $myhostname, localhost.$mydomain >> defer_transports = >> mynetworks_style = subnet >> disable_dns_lookups = no >> relayhost = **************** >> mailbox_command = >> mailbox_transport = >> strict_8bitmime = no >> disable_mime_output_conversion = no >> smtpd_sender_restrictions = hash:/etc/postfix/access >> smtpd_client_restrictions = >> smtpd_helo_required = no >> smtpd_helo_restrictions = >> strict_rfc821_envelopes = no >> smtpd_recipient_restrictions = >> permit_sasl_authenticated,permit_mynetworks,check_relay_domains >> smtp_sasl_auth_enable = no >> smtpd_sasl_auth_enable = yes >> smtpd_use_tls = yes >> smtp_use_tls = yes >> alias_maps = hash:/etc/aliases >> mailbox_size_limit = 0 >> message_size_limit = 10240000 >> mydomain = osund.com >> mynetworks = 127.0.0.0/8 , 13.37.0.0/24 >> smtpd_sasl_local_domain = >> smtpd_sasl_security_options = noanonymous >> broken_sasl_auth_clients = yes >> smtpd_sasl_authenticated_header = yes >> smtpd_tls_auth_only = no >> smtp_tls_note_starttls_offer = yes >> smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key >> smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt >> smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem >> smtpd_tls_loglevel = 1 >> smtpd_tls_received_header = yes >> smtpd_tls_session_cache_timeout = 3600s >> 
tls_random_source = dev:/dev/urandom >> home_mailbox = Maildir/ >> header_checks = regexp:/etc/postfix/header_checks >> >> /etc/MailScanner/MailScanner.conf >> # ONLY SHOWING ACTIVE LINES THAT HAVE SOMETHING TODO WITH SCANNING >> >> %etc-dir% = /etc/MailScanner >> %report-dir% = /etc/MailScanner/reports/en >> Run As User = postfix >> Run As Group = postfix >> Max Children = 5 >> Queue Scan Interval = 6 >> Incoming Queue Dir = /var/spool/MailScanner/hold >> Outgoing Queue Dir = /var/spool/MailScanner/incoming >> Incoming Work Dir = /var/spool/MailScanner/incoming >> Quarantine Dir = /var/spool/MailScanner/quarantine >> MTA = postfix >> Scan Messages = yes >> Virus Scanning = yes >> Virus Scanners = clamav >> Use SpamAssassin = yes >> Log Spam = yes >> >> Of course theres alot of other options, please tell me if you want to >> know >> a value of another option. >> >> The /var/log/mail says this when a mail is being received. >> >> Nov 17 15:30:18 gateway postfix/smtpd[2597]: connect from >> *************.***[***.***.***.***] >> Nov 17 15:30:18 gateway MailScanner[2596]: MailScanner E-Mail Virus >> Scanner >> version 4.72.5 starting... 
>> Nov 17 15:30:20 gateway postfix/smtpd[2597]: warning: support for >> restriction "check_relay_domains" will be removed from Postfix; use >> "reject_unauth_destination" instead >> Nov 17 15:30:20 gateway postfix/smtpd[2597]: D7D0623970: >> client=***********.***[***.***.***.***] >> Nov 17 15:30:21 gateway postfix/cleanup[2617]: D7D0623970: hold: header >> Received: from **********.*** (******.**** [***.***.***.***])??by >> *****.*** >> (Postfix) with ESMTP id D7D0623970??for <*****@*******.***>; Mon, 17 Nov >> 2008 15:30:19 +0100 (CET) from *********.***[***.***.***.***]; >> from= to=<****@******.***> proto=ESMTP >> helo= >> Nov 17 15:30:21 gateway postfix/cleanup[2617]: D7D0623970: >> message-id=<707c30aa0811170635x587645ddn1077ecfa2d08fc36@mail.****.com> >> >> The messages are being correctly recieved and sent in both directions, >> but >> not scanned at all, i also dont get the "Scanned by MailScanner watermark >> in my sent Emails". >> >> I also see thees lines repeat along with the ClamAv update notice (ClamAv >> allready the latest database version bla bla bla) >> >> Nov 19 16:19:33 gateway MailScanner[3634]: MailScanner E-Mail Virus >> Scanner >> version 4.72.5 starting... >> Nov 19 16:19:35 gateway MailScanner[3634]: Read 848 hostnames from the >> phishing whitelist >> Nov 19 16:19:37 gateway MailScanner[3633]: Using SpamAssassin results >> cache >> >> Nov 19 16:19:37 gateway MailScanner[3633]: Connected to SpamAssassin >> cache >> database >> Nov 19 16:19:37 gateway MailScanner[3633]: Enabling SpamAssassin >> auto-whitelist functionality... >> Nov 19 16:19:39 gateway MailScanner[3634]: Read 7320 hostnames from the >> phishing blacklist >> Nov 19 16:19:39 gateway MailScanner[3634]: SpamAssassin temporary working >> directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp >> >> Ive searched the internet for MailScanner configurations and i think i >> have >> a correct configuration, any pointers and help at all would be awsome! 
>> >> /Reagards >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> > Michael > > well looking at the postfix mailscanner how-to.. > > http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:installation > > in MailScanner.conf the "Incoming" and "Outgoing" queues are > wrong...but that doesn't explain why the mail's being delivered. > > I presume you've created the /etc/postfix/header_checks file correctly? > > > -- > Martin Hepworth > Oxford, UK > Sweet jebus i did mix up the Incoming and Outgoing paths, it now scans all mails correctly, thanks a bunch! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ssilva at sgvwater.com Mon Nov 24 20:55:05 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Mon Nov 24 20:55:32 2008 Subject: Big drop in SPAM volume? In-Reply-To: <492A7A59.9040407@gmail.com> References: <00de01c94bc5$4a6d5710$696078c1@JCSPC> <492A7A59.9040407@gmail.com> Message-ID: on 11-24-2008 1:56 AM Ronny T. Lampert spake the following: >> Hi, >> >> Is anybody else seeing a big drop off in SPAM volume over the last >> week or so? or is it just me? > > I'm down to "more normal levels" on > > - total connections > - RBL blocks (= 50% of total connections for last 3 hours) > - "is spam" by MS (down by about 20%). > > No way in hell we should allow McColo to go live again. > But then again it's only Monday morning so spammers might wake up later... > > Cheers. Trouble is, there seems to be other ways to get a block back up, even if for only a short time. If they manage to do this, the bots will get new code and come back. 
What is needed is for someone in power to take this block for a few weeks and log all systems that try and get instructions, and trace them back through the ISP. Then the ISP needs to inform those users they are infected. But it won't happen since someone will have to foot the bill. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081124/c7983332/signature.bin From cotharyus at gmail.com Mon Nov 24 21:54:34 2008 From: cotharyus at gmail.com (Drew) Date: Mon Nov 24 21:54:44 2008 Subject: Big drop in SPAM volume? In-Reply-To: References: <00de01c94bc5$4a6d5710$696078c1@JCSPC> <492A7A59.9040407@gmail.com> Message-ID: <715841970811241354o781bb449r365788c075b9739c@mail.gmail.com> On Mon, Nov 24, 2008 at 2:55 PM, Scott Silva wrote: > on 11-24-2008 1:56 AM Ronny T. Lampert spake the following: > >> Hi, > >> > >> Is anybody else seeing a big drop off in SPAM volume over the last > >> week or so? or is it just me? > > > > I'm down to "more normal levels" on > > > > - total connections > > - RBL blocks (= 50% of total connections for last 3 hours) > > - "is spam" by MS (down by about 20%). > > > > No way in hell we should allow McColo to go live again. > > But then again it's only Monday morning so spammers might wake up > later... > > > > Cheers. > Trouble is, there seems to be other ways to get a block back up, even if > for > only a short time. If they manage to do this, the bots will get new code > and > come back. What is needed is for someone in power to take this block for a > few > weeks and log all systems that try and get instructions, and trace them > back > through the ISP. Then the ISP needs to inform those users they are > infected. 
> But it won't happen since someone will have to foot the bill. > > One thing I *have* noticed since spam volume dropped is a huge increase in ssh attacks, and not just on mail servers. I'm pulling information from close to 500 systems when I say "huge" - I'm talking about nearly 1000 attempts per machine per day. Whoever is doing it is smart enough to be using many many IP addresses from all over the world, and just making a few attempts from each IP, then backing off to keep automated firewall add/remove tools from blocking too many attempts. Anyone else noticed this? -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081124/6242be71/attachment.html From drew.marshall at technologytiger.net Mon Nov 24 23:08:42 2008 From: drew.marshall at technologytiger.net (Drew Marshall) Date: Mon Nov 24 23:08:59 2008 Subject: Big drop in SPAM volume? In-Reply-To: <715841970811241354o781bb449r365788c075b9739c@mail.gmail.com> References: <00de01c94bc5$4a6d5710$696078c1@JCSPC> <492A7A59.9040407@gmail.com> <715841970811241354o781bb449r365788c075b9739c@mail.gmail.com> Message-ID: On 24 Nov 2008, at 21:54, Drew wrote: > One thing I *have* noticed since spam volume dropped is a huge > increase in ssh attacks, and not just on mail servers. I'm pulling > information from close to 500 systems when I say "huge" - I'm > talking about nearly 1000 attempts per machine per day. Whoever is > doing it is smart enough to be using many many IP addresses from all > over the world, and just making a few attempts from each IP, then > backing off to keep automated firewall add/remove tools from > blocking too many attempts. Anyone else noticed this? > Yes, certainly. I only leave a couple of boxes accessible to the 'outside world' and their logs are filled daily with large numbers of attempts, almost exactly as you describe. 
I don't know when they will realise I just don't allow root or any other daemon ssh log in access... Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by Technology Tiger's Mail Launder system Our email policy can be found at www.technologytiger.net/policy Technology Tiger Limited is registered in Scotland with registration number: 310997 Registered Office 55-57 West High Street Inverurie AB51 3QQ From traced at xpear.de Mon Nov 24 23:16:29 2008 From: traced at xpear.de (traced) Date: Mon Nov 24 23:16:39 2008 Subject: Big drop in SPAM volume? In-Reply-To: <715841970811241354o781bb449r365788c075b9739c@mail.gmail.com> References: <00de01c94bc5$4a6d5710$696078c1@JCSPC> <492A7A59.9040407@gmail.com> <715841970811241354o781bb449r365788c075b9739c@mail.gmail.com> Message-ID: <492B35CD.5060201@xpear.de> Hi, all my boxes are running ssh with changed port, and as good as no tries to break in. Regards, Bastian Drew wrote: > > > On Mon, Nov 24, 2008 at 2:55 PM, Scott Silva > wrote: > > on 11-24-2008 1:56 AM Ronny T. Lampert spake the following: > >> Hi, > >> > >> Is anybody else seeing a big drop off in SPAM volume over the last > >> week or so? or is it just me? > > > > I'm down to "more normal levels" on > > > > - total connections > > - RBL blocks (= 50% of total connections for last 3 hours) > > - "is spam" by MS (down by about 20%). > > > > No way in hell we should allow McColo to go live again. > > But then again it's only Monday morning so spammers might wake up > later... > > > > Cheers. > Trouble is, there seems to be other ways to get a block back up, > even if for > only a short time. If they manage to do this, the bots will get new > code and > come back. What is needed is for someone in power to take this block > for a few > weeks and log all systems that try and get instructions, and trace > them back > through the ISP. Then the ISP needs to inform those users they are > infected.
> But it won't happen since someone will have to foot the bill. > > One thing I *have* noticed since spam volume dropped is a huge increase > in ssh attacks, and not just on mail servers. I'm pulling information > from close to 500 systems when I say "huge" - I'm talking about nearly > 1000 attempts per machine per day. Whoever is doing it is smart enough > to be using many many IP addresses from all over the world, and just > making a few attempts from each IP, then backing off to keep automated > firewall add/remove tools from blocking too many attempts. Anyone else > noticed this? > From Daniel.Flensburg at iris.se Tue Nov 25 08:10:14 2008 From: Daniel.Flensburg at iris.se (Daniel Flensburg) Date: Tue Nov 25 08:13:41 2008 Subject: SV: Local State Dir - /var/lib/spamassassin - SARE rules no hits In-Reply-To: <72cf361e0811240810w340d6e09v466bd3e1acb2e2ef@mail.gmail.com> References: <910ee2ac0811201634se99a4daob2b8ff95088daf27@mail.gmail.com><3DF8101092666E4A9020D949E419EB6F02B7BABF@ensms02.iris.se><3DF8101092666E4A9020D949E419EB6F02B7BCAA@ensms02.iris.se><3DF8101092666E4A9020D949E419EB6F02B9D3C8@ensms02.iris.se><223f97700811240622s743469aaw9bb56791c0ea6192@mail.gmail.com><3DF8101092666E4A9020D949E419EB6F02B9D641@ensms02.iris.se> <72cf361e0811240810w340d6e09v466bd3e1acb2e2ef@mail.gmail.com> Message-ID: <3DF8101092666E4A9020D949E419EB6F02B9D770@ensms02.iris.se> The bayes sa-learn error is "solved". For some reason the spam.assassin.prefs.conf was now empty. I copied the file from the old Mailscanner-setup. Maybe new settings is not there, but I have to figure that out later. I wonder what happened? 
/Daniel -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Martin Hepworth Sent: 24 November 2008 17:11 To: MailScanner discussion Subject: Re: Local State Dir - /var/lib/spamassassin - SARE rules no hits Dan it's using the apache user's home dir for the bayes db...check you've got perms correct so the apache user can see the mailscanner setup files. -- Martin Hepworth Oxford, UK 2008/11/24 Daniel Flensburg : > I tried using the command "su - postfix -s /bin/bash" and I could ls cd and nano the *cf files in /var/lib/spamassassin/3.XXXXX > > BUT, now I cannot SA-LEARN with MailWatch. Have no idea if they are related but it happened at the same time. (No results In MailWatch > Bayes Info either) > > SA Learn: error code 13 returned from sa-learn: bayes: expire_old_tokens: locker: safe_lock: cannot create tmp lockfile /var/www/.spamassassin/bayes.lock.mailgw.kurs.irishadar.se.4836 for /var/www/.spamassassin/bayes.lock: Permission denied bayes: locker: safe_lock: cannot create tmp lockfile /var/www/.spamassassin/bayes.lock.mailgw.kurs.irishadar.se.4836 for /var/www/.spamassassin/bayes.lock: Permission denied Learned tokens from 0 message(s) (1 message(s) examined) > > My bayes files are not in /var/www either, but in /opt/MailScanner/bayes > > I have rebooted. What happened?! > > /Daniel > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen > Sent: 24 November 2008 15:22 > To: MailScanner discussion > Subject: Re: Local State Dir - /var/lib/spamassassin - SARE rules no hits > > 2008/11/24 Daniel Flensburg : >> Hi Kai! >> >> Sorry about the reply button, I think you are right. >> >> I tried the setting below and restarted the server. I cannot see any SARE hits yet. >> I'm pretty sure it's not working.
(tried to send text that another working server get SARE hits on outgoing tests, no hits on "my"side) >> >> What is the best way to test if rules in /var/lib/spamassassin are working correctly? >> >> Why does the two commands below give different results? >> >> spamassassin -D --lint >> >> /opt/MailScanner/bin/MailScanner --debug --debug-sa >> > Because the first is run as root and the second is run a postfix. Stop > "checking" things as root, when it comes to SA. Although the risk of > it actually hurting you is minimal (provided you've set bayes perms > correctly) it doesn't help you either. > > As a postfix user, your first gut reaction should be to test > everything manually as your postfix user...!:-). > So start by becoming postfix via "su - postfix -s /bin/bash", then use > normal tools like "cd", "ls" and "less" to make sure you can a) reach > the files and b) read the files. If the actual sa-update/SARE > directories are correct (you can read them, as postfix), then likely > the problem is "closer to the root directory". When you've fixed any > permission issues, test the plain spamassassin command again. > > (snip) > Cheers > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
> -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From Daniel.Flensburg at iris.se Tue Nov 25 13:33:24 2008 From: Daniel.Flensburg at iris.se (Daniel Flensburg) Date: Tue Nov 25 13:36:54 2008 Subject: SV: Local State Dir - /var/lib/spamassassin - SARE rules no hits In-Reply-To: <223f97700811240622s743469aaw9bb56791c0ea6192@mail.gmail.com> References: <910ee2ac0811201634se99a4daob2b8ff95088daf27@mail.gmail.com><3DF8101092666E4A9020D949E419EB6F02B7BABF@ensms02.iris.se><3DF8101092666E4A9020D949E419EB6F02B7BCAA@ensms02.iris.se><3DF8101092666E4A9020D949E419EB6F02B9D3C8@ensms02.iris.se> <223f97700811240622s743469aaw9bb56791c0ea6192@mail.gmail.com> Message-ID: <3DF8101092666E4A9020D949E419EB6F02B9DA14@ensms02.iris.se> Glenn! Can you please point me in the right direction? The SARE-rules still do not work. But I can cd, ls and nano files in the /var/lib/spamassassin/3.00xxxx directory after running "su - postfix -s /bin/bash". What exactly do you mean by "the problem is "closer to the root directory"."? Thank you in advance! /Daniel -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen Sent: 24 November 2008 15:22 To: MailScanner discussion Subject: Re: Local State Dir - /var/lib/spamassassin - SARE rules no hits 2008/11/24 Daniel Flensburg : > Hi Kai! > > Sorry about the reply button, I think you are right. > > I tried the setting below and restarted the server. I cannot see any SARE hits yet. > I'm pretty sure it's not working. (tried to send text that another working server get SARE hits on outgoing tests, no hits on "my"side) > > What is the best way to test if rules in /var/lib/spamassassin are working correctly? > > Why does the two commands below give different results?
> > spamassassin -D --lint > > /opt/MailScanner/bin/MailScanner --debug --debug-sa > Because the first is run as root and the second is run a postfix. Stop "checking" things as root, when it comes to SA. Although the risk of it actually hurting you is minimal (provided you've set bayes perms correctly) it doesn't help you either. As a postfix user, your first gut reaction should be to test everything manually as your postfix user...!:-). So start by becoming postfix via "su - postfix -s /bin/bash", then use normal tools like "cd", "ls" and "less" to make sure you can a) reach the files and b) read the files. If the actual sa-update/SARE directories are correct (you can read them, as postfix), then likely the problem is "closer to the root directory". When you've fixed any permission issues, test the plain spamassassin command again. (snip) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From jaearick at colby.edu Tue Nov 25 14:58:12 2008 From: jaearick at colby.edu (Jeff A. Earickson) Date: Tue Nov 25 14:58:30 2008 Subject: new version of Message.pm for 4.72.5? Message-ID: Julian, I thought you posted a new version of Message.pm in the last couple of days to fix issues with "mailscanner doesn't scan" and "mailscanner child freezes" per the recent list postings. Now I can't find that posting on the list. Can I get this version? My issue: suddenly MailScanner is chewing up a lot of cpu time, I see stuff in my inbound queue that is old/should not be there. So MailScanner is choking on something in there, would like to figure out what... ----------------------------------- Jeff A. 
Earickson, Ph.D Senior UNIX Sysadmin Email Administrator Colby Sports Photographer Colby College, 4214 Mayflower Hill, Waterville ME, 04901-8842 207-859-4214 (fax 207-859-4186) Eastern Time Zone, USA ----------------------------------- From maillists at conactive.com Tue Nov 25 15:31:18 2008 From: maillists at conactive.com (Kai Schaetzl) Date: Tue Nov 25 15:31:30 2008 Subject: Local State Dir - /var/lib/spamassassin - SARE rules no hits In-Reply-To: <3DF8101092666E4A9020D949E419EB6F02B9DA14@ensms02.iris.se> References: <910ee2ac0811201634se99a4daob2b8ff95088daf27@mail.gmail.com> <3DF8101092666E4A9020D949E419EB6F02B7BABF@ensms02.iris.se> <3DF8101092666E4A9020D949E419EB6F02B7BCAA@ensms02.iris.se> <3DF8101092666E4A9020D949E419EB6F02B9D3C8@ensms02.iris.se> <223f97700811240622s743469aaw9bb56791c0ea6192@mail.gmail.com> <3DF8101092666E4A9020D949E419EB6F02B9DA14@ensms02.iris.se> Message-ID: Daniel Flensburg wrote on Tue, 25 Nov 2008 14:33:24 +0100: > The SARE-rules still > do not work. But I can cd, ls and nano files in the /var/lib/spamassassin/3.00xxxx > directory after running "su - postfix -s /bin/bash". The point is not if you can write there, the point is if MS does use /var/lib for the rules now or not. If it doesn't, that's your problem. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From glenn.steen at gmail.com Tue Nov 25 15:52:29 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Nov 25 15:52:40 2008 Subject: Emails on HOLD not processed and delivered In-Reply-To: <492AFD48.8000507@ptera.net> References: <492AFD48.8000507@ptera.net> Message-ID: <223f97700811250752o3d8c9440q3b10c55dcd79fb7d@mail.gmail.com> 2008/11/24 Arthur Stephens : > I discovered this problem when customers complained about not getting emails > from some people. > > It appears that whenever an email using ESMTP protocol goes on hold to be > processed by mail scanner, it ends up being removed without processing it. 
> Here are a couple of the numerous log entries reflecting this... > > [root@mailgate ~]# grep 4013E6FB03C: /var/log/maillog > Nov 24 10:09:21 mailgate postfix/smtpd[14870]: 4013E6FB03C: > client=mail.sound-tele.com[66.45.208.237] > Nov 24 10:09:21 mailgate postfix/cleanup[14455]: 4013E6FB03C: hold: header > Received: from mail.sound-tele.com (mail.sound-tele.com [66.45.208.237])??by > mailgate.ptera.net (Postfix) with ESMTP id 4013E6FB03C??for > ; Mon, 24 Nov 2008 10:09:21 -0800 (PST from > mail.sound-tele.com[66.45.208.237]; from= > to= proto=ESMTP helo= > Nov 24 10:09:21 mailgate postfix/cleanup[14455]: 4013E6FB03C: > message-id= > > [root@mailgate ~]# grep 53A4C6FB0A0: /var/log/maillog > Nov 24 10:22:30 mailgate postfix/smtpd[14219]: 53A4C6FB0A0: > client=unknown[206.169.232.4] > Nov 24 10:22:30 mailgate postfix/cleanup[17578]: 53A4C6FB0A0: hold: header > Received: from mail.columbiagrain.com (unknown [206.169.232.4])??by > mailgate.ptera.net (Postfix) with ESMTP id 53A4C6FB0A0??for > ; Mon, 24 Nov 2008 10:22:30 -0800 (PST) from > unknown[206.169.232.4]; from= > to= proto=ESMTP helo= > Nov 24 10:22:30 mailgate postfix/cleanup[17578]: 53A4C6FB0A0: > message-id=<28D95A3746D8414AA52458549F3EA58705228B88@pdx-mail1.columbiagrain.com> > > [root@mailgate ~]# grep 592E66FB09E: /var/log/maillog > Nov 24 10:28:16 mailgate postfix/smtpd[18108]: 592E66FB09E: > client=seven.pairlist.net[209.68.2.241] > Nov 24 10:28:16 mailgate postfix/cleanup[15863]: 592E66FB09E: hold: header > Received: from seven.pairlist.net (seven.pairlist.net [209.68.2.241])??by > mailgate.ptera.net (Postfix) with ESMTP id 592E66FB09E??for > ; Mon, 24 Nov 2008 10:28:16 -0800 (PST) from > seven.pairlist.net[209.68.2.241]; from= > to= proto=ESMTP helo= > Nov 24 10:28:16 mailgate postfix/cleanup[15863]: 592E66FB09E: > message-id= > [root@mailgate ~]# > > I am so unlearned about this I do not know where to begin to solve this > problem. > Googling didn't reveal anything obvious. 
> What is the information between the ?? trying to tell me? > Nothing special, just the received line that triggered the header check to arrange for the message to be put on hold, for MailScanner to pick up. IIRC, the ?? is a replacement for linebreaks. So far so good. What should happen next is that MailScanner should pick up a few messages and process them in a batch, telling you what happens, then either delete, quarantine or requeue the message (with a new queue ID). That doesn't seem to be happening for you. Is MailScanner running? If it is, do you perhaps have any files in the hold queue directory that aren't queue files (this has been known to make things go to pieces:-)? Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Tue Nov 25 16:03:38 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Nov 25 16:03:48 2008 Subject: Local State Dir - /var/lib/spamassassin - SARE rules no hits In-Reply-To: <3DF8101092666E4A9020D949E419EB6F02B9DA14@ensms02.iris.se> References: <910ee2ac0811201634se99a4daob2b8ff95088daf27@mail.gmail.com> <3DF8101092666E4A9020D949E419EB6F02B7BABF@ensms02.iris.se> <3DF8101092666E4A9020D949E419EB6F02B7BCAA@ensms02.iris.se> <3DF8101092666E4A9020D949E419EB6F02B9D3C8@ensms02.iris.se> <223f97700811240622s743469aaw9bb56791c0ea6192@mail.gmail.com> <3DF8101092666E4A9020D949E419EB6F02B9DA14@ensms02.iris.se> Message-ID: <223f97700811250803k4184f9a8rb9e2017b33f37a38@mail.gmail.com> 2008/11/25 Daniel Flensburg : > Glenn! > > Can you please point me in the right direction? The SARE-rules still do not work. But I can cd, ls and nano files in the /var/lib/spamassassin/3.00xxxx directory after running "su - postfix -s /bin/bash". > > What exactly do you mean by "the problem is "closer to the root directory"."? > > Thank you in advance! > > /Daniel Clumsy expression... 
What I meant is that if the perms look ok on the local files, but you still cannot access them as the PF user, then the problem would be situated in a parent directory's permissions. Hope that was a bit clearer:-) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Tue Nov 25 16:06:22 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Nov 25 16:06:32 2008 Subject: Local State Dir - /var/lib/spamassassin - SARE rules no hits In-Reply-To: <223f97700811250803k4184f9a8rb9e2017b33f37a38@mail.gmail.com> References: <910ee2ac0811201634se99a4daob2b8ff95088daf27@mail.gmail.com> <3DF8101092666E4A9020D949E419EB6F02B7BABF@ensms02.iris.se> <3DF8101092666E4A9020D949E419EB6F02B7BCAA@ensms02.iris.se> <3DF8101092666E4A9020D949E419EB6F02B9D3C8@ensms02.iris.se> <223f97700811240622s743469aaw9bb56791c0ea6192@mail.gmail.com> <3DF8101092666E4A9020D949E419EB6F02B9DA14@ensms02.iris.se> <223f97700811250803k4184f9a8rb9e2017b33f37a38@mail.gmail.com> Message-ID: <223f97700811250806s56cdfec8mbfc21032647191c7@mail.gmail.com> 2008/11/25 Glenn Steen : > 2008/11/25 Daniel Flensburg : >> Glenn! >> >> Can you please point me in the right direction? The SARE-rules still do not work. But I can cd, ls and nano files in the /var/lib/spamassassin/3.00xxxx directory after running "su - postfix -s /bin/bash". >> >> What exactly do you mean by "the problem is "closer to the root directory"."? >> >> Thank you in advance! >> >> /Daniel > Clumsy expression... What I meant is that if the perms look ok on the > local files, but you still cannot access them as the PF user, then the > problem would be situated in a parent directory's permissions. Hope > that was a bit clearer:-) > As the postfix user, what does a "spamassassin -D --lint" (or even better, "spamassassin -D -t < /path/to/a/message/file/probably/from/your/spam/quarantine") say? 
Does it seem to be reading the correct rule files from the correct rule directories? Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From jaearick at colby.edu Tue Nov 25 17:00:08 2008 From: jaearick at colby.edu (Jeff A. Earickson) Date: Tue Nov 25 17:00:28 2008 Subject: new version of Message.pm for 4.72.5? In-Reply-To: References: Message-ID: On Tue, 25 Nov 2008, Jeff A. Earickson wrote: > Date: Tue, 25 Nov 2008 09:58:12 -0500 (EST) > From: Jeff A. Earickson > Reply-To: MailScanner discussion > To: mailscanner mailing list > Subject: new version of Message.pm for 4.72.5? > > Julian, > > I thought you posted a new version of Message.pm in the last couple > of days to fix issues with "mailscanner doesn't scan" and > "mailscanner child freezes" per the recent list postings. Now I > can't find that posting on the list. Can I get this version? > > My issue: suddenly MailScanner is chewing up a lot of cpu time, > I see stuff in my inbound queue that is old/should not be there. > So MailScanner is choking on something in there, would like to > figure out what... Glenn Steen kindly resent the modified version of Message.pm, which I have now put in place, and it has cleared out stuck messages in my inbound queue. Things are looking normal again. My setup: Solaris 10, sendmail. Maybe this merits a general release... Jeff Earickson Colby College From astephens at ptera.net Tue Nov 25 17:06:12 2008 From: astephens at ptera.net (Arthur Stephens) Date: Tue Nov 25 17:06:56 2008 Subject: Emails on HOLD not processed and delivered In-Reply-To: <223f97700811250752o3d8c9440q3b10c55dcd79fb7d@mail.gmail.com> References: <492AFD48.8000507@ptera.net> <223f97700811250752o3d8c9440q3b10c55dcd79fb7d@mail.gmail.com> Message-ID: <492C3084.4050707@ptera.net> Glenn Steen wrote: > 2008/11/24 Arthur Stephens : > >> I discovered this problem when customers complained about not getting emails >> from some people. 
>> >> It appears that whenever an email using ESMTP protocol goes on hold to be >> processed by mail scanner, it ends up being removed without processing it. >> Here are a couple of the numerous log entries reflecting this... >> >> [root@mailgate ~]# grep 4013E6FB03C: /var/log/maillog >> Nov 24 10:09:21 mailgate postfix/smtpd[14870]: 4013E6FB03C: >> client=mail.sound-tele.com[66.45.208.237] >> Nov 24 10:09:21 mailgate postfix/cleanup[14455]: 4013E6FB03C: hold: header >> Received: from mail.sound-tele.com (mail.sound-tele.com [66.45.208.237])??by >> mailgate.ptera.net (Postfix) with ESMTP id 4013E6FB03C??for >> ; Mon, 24 Nov 2008 10:09:21 -0800 (PST from >> mail.sound-tele.com[66.45.208.237]; from= >> to= proto=ESMTP helo= >> Nov 24 10:09:21 mailgate postfix/cleanup[14455]: 4013E6FB03C: >> message-id= >> >> [root@mailgate ~]# grep 53A4C6FB0A0: /var/log/maillog >> Nov 24 10:22:30 mailgate postfix/smtpd[14219]: 53A4C6FB0A0: >> client=unknown[206.169.232.4] >> Nov 24 10:22:30 mailgate postfix/cleanup[17578]: 53A4C6FB0A0: hold: header >> Received: from mail.columbiagrain.com (unknown [206.169.232.4])??by >> mailgate.ptera.net (Postfix) with ESMTP id 53A4C6FB0A0??for >> ; Mon, 24 Nov 2008 10:22:30 -0800 (PST) from >> unknown[206.169.232.4]; from= >> to= proto=ESMTP helo= >> Nov 24 10:22:30 mailgate postfix/cleanup[17578]: 53A4C6FB0A0: >> message-id=<28D95A3746D8414AA52458549F3EA58705228B88@pdx-mail1.columbiagrain.com> >> >> [root@mailgate ~]# grep 592E66FB09E: /var/log/maillog >> Nov 24 10:28:16 mailgate postfix/smtpd[18108]: 592E66FB09E: >> client=seven.pairlist.net[209.68.2.241] >> Nov 24 10:28:16 mailgate postfix/cleanup[15863]: 592E66FB09E: hold: header >> Received: from seven.pairlist.net (seven.pairlist.net [209.68.2.241])??by >> mailgate.ptera.net (Postfix) with ESMTP id 592E66FB09E??for >> ; Mon, 24 Nov 2008 10:28:16 -0800 (PST) from >> seven.pairlist.net[209.68.2.241]; from= >> to= proto=ESMTP helo= >> Nov 24 10:28:16 mailgate postfix/cleanup[15863]: 
592E66FB09E: >> message-id= >> [root@mailgate ~]# >> >> I am so unlearned about this I do not know where to begin to solve this >> problem. >> Googling didn't reveal anything obvious. >> What is the information between the ?? trying to tell me? >> >> > Nothing special, just the received line that triggered the header > check to arrange for the message to be put on hold, for MailScanner to > pick up. IIRC, the ?? is a replacement for linebreaks. > So far so good. > > What should happen next is that MailScanner should pick up a few > messages and process them in a batch, telling you what happens, then > either deleting, quarantine or requeue the message (with a new queue > ID). > That doesn't seem to be happening for you. > Is MailScanner running? > If it is, do you perhaps have any files in the hold queue directory > that isn't a queue file (this has been know to make things go to > pieces:-)? > > Cheers > Ok I checked the queue directory and found only queue files there. Here is the log of the missing email in question... 
I will mark the lines with a >> >> Nov 24 04:57:54 mailgate postfix/smtpd[15326]: connect from qmta10.emeryville.ca.mail.comcast.net[76.96.30.17] Nov 24 04:57:55 mailgate sqlgrey: grey: domain awl match: updating 76.96.30(76.96.30.17), comcast.net Nov 24 04:57:56 mailgate postfix/smtpd[15311]: connect from ff2.tintwin.com[216.117.206.100] Nov 24 04:57:57 mailgate MailScanner[2499]: Requeue: 286976FB0FC.A6B4D to 295586FB089 Nov 24 04:57:57 mailgate postfix/qmgr[1828]: 295586FB089: from=, size=5793, nrcpt=1 (queue active) Nov 24 04:57:57 mailgate MailScanner[2499]: Uninfected: Delivered 1 messages Nov 24 04:57:57 mailgate sqlgrey: grey: new: 216.117.206(216.117.206.100), mxhheabbhpxhuefmabc@amazinglydiva.com -> lauriek@ptera.net >> Nov 24 04:57:57 mailgate postfix/smtpd[15326]: 4ABEF6FB0E8: client=qmta10.emeryville.ca.mail.comcast.net[76.96.30.17] Nov 24 04:57:57 mailgate postfix/smtpd[15311]: NOQUEUE: reject: RCPT from ff2.tintwin.com[216.117.206.100]: 450 4.7.1 : Recipient address rejected: Greylisted for 5 minutes; from= to= proto=SMTP helo= >> Nov 24 04:57:57 mailgate postfix/cleanup[13547]: 4ABEF6FB0E8: hold: header Received: from QMTA10.emeryville.ca.mail.comcast.net (qmta10.emeryville.ca.mail.comcast.net [76.96.30.17])??by mailgate.ptera.net (Postfix) with ESMTP id 4ABEF6FB0E8??for ; Mon, 24 from qmta10.emeryville.ca.mail.comcast.net[76.96.30.17]; from= to= proto=ESMTP helo= >> Nov 24 04:57:57 mailgate postfix/cleanup[13547]: 4ABEF6FB0E8: message-id=<112420081325.17455.492AAB5E000238320000442F221555389407050C079002050C9A080C@comcast.net> This is the last entry for 4ABEF6FB0E8: No requeue. No delivery. Here is the trace of that email without the clutter. 
[root@mailgate ~]# grep 4ABEF6FB0E8: /var/log/maillog Nov 24 04:57:57 mailgate postfix/smtpd[15326]: 4ABEF6FB0E8: client=qmta10.emeryville.ca.mail.comcast.net[76.96.30.17] Nov 24 04:57:57 mailgate postfix/cleanup[13547]: 4ABEF6FB0E8: hold: header Received: from QMTA10.emeryville.ca.mail.comcast.net (qmta10.emeryville.ca.mail.comcast.net [76.96.30.17])??by mailgate.ptera.net (Postfix) with ESMTP id 4ABEF6FB0E8??for ; Mon, 24 from qmta10.emeryville.ca.mail.comcast.net[76.96.30.17]; from= to= proto=ESMTP helo= Nov 24 04:57:57 mailgate postfix/cleanup[13547]: 4ABEF6FB0E8: message-id=<112420081325.17455.492AAB5E000238320000442F221555389407050C079002050C9A080C@comcast.net> [root@mailgate ~]# Thanks Arthur -- Arthur Stephens Senior Sales Technician Ptera Wireless Internet Service PO Box 135 Liberty Lake, WA 99019 509-927-7837 For technical support visit http://www.ptera.net/support ----------------------------------------------------------------------------- "This message may contain confidential and/or propriety information, and is intended for the person/entity to whom it was originally addressed. Any use by others is strictly prohibited. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company." -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081125/2b33a2b8/attachment.html From jbuda at noticiasargentinas.com Tue Nov 25 17:34:56 2008 From: jbuda at noticiasargentinas.com (Jose Julian Buda) Date: Tue Nov 25 17:34:59 2008 Subject: Emails on HOLD not processed and delivered References: <492AFD48.8000507@ptera.net><223f97700811250752o3d8c9440q3b10c55dcd79fb7d@mail.gmail.com> <492C3084.4050707@ptera.net> Message-ID: <013101c94f24$22548070$6000a8c0@tecnica> ----- Original Message ----- From: "Arthur Stephens" To: "MailScanner discussion" Sent: Tuesday, November 25, 2008 3:06 PM Subject: Re: Emails on HOLD not processed and delivered > Glenn Steen wrote: >> 2008/11/24 Arthur Stephens : >> >>> I discovered this problem when customers complained about not getting >>> emails >>> from some people. >>> >>> It appears that whenever an email using ESMTP protocol goes on hold to >>> be >>> processed by mail scanner, it ends up being removed without processing >>> it. >>> Here are a couple of the numerous log entries reflecting this... 
>>> >>> [root@mailgate ~]# grep 4013E6FB03C: /var/log/maillog >>> Nov 24 10:09:21 mailgate postfix/smtpd[14870]: 4013E6FB03C: >>> client=mail.sound-tele.com[66.45.208.237] >>> Nov 24 10:09:21 mailgate postfix/cleanup[14455]: 4013E6FB03C: hold: >>> header >>> Received: from mail.sound-tele.com (mail.sound-tele.com >>> [66.45.208.237])??by >>> mailgate.ptera.net (Postfix) with ESMTP id 4013E6FB03C??for >>> ; Mon, 24 Nov 2008 10:09:21 -0800 (PST from >>> mail.sound-tele.com[66.45.208.237]; from= >>> to= proto=ESMTP helo= >>> Nov 24 10:09:21 mailgate postfix/cleanup[14455]: 4013E6FB03C: >>> message-id= >>> >>> [root@mailgate ~]# grep 53A4C6FB0A0: /var/log/maillog >>> Nov 24 10:22:30 mailgate postfix/smtpd[14219]: 53A4C6FB0A0: >>> client=unknown[206.169.232.4] >>> Nov 24 10:22:30 mailgate postfix/cleanup[17578]: 53A4C6FB0A0: hold: >>> header >>> Received: from mail.columbiagrain.com (unknown [206.169.232.4])??by >>> mailgate.ptera.net (Postfix) with ESMTP id 53A4C6FB0A0??for >>> ; Mon, 24 Nov 2008 10:22:30 -0800 (PST) from >>> unknown[206.169.232.4]; from= >>> to= proto=ESMTP helo= >>> Nov 24 10:22:30 mailgate postfix/cleanup[17578]: 53A4C6FB0A0: >>> message-id=<28D95A3746D8414AA52458549F3EA58705228B88@pdx-mail1.columbiagrain.com> >>> >>> [root@mailgate ~]# grep 592E66FB09E: /var/log/maillog >>> Nov 24 10:28:16 mailgate postfix/smtpd[18108]: 592E66FB09E: >>> client=seven.pairlist.net[209.68.2.241] >>> Nov 24 10:28:16 mailgate postfix/cleanup[15863]: 592E66FB09E: hold: >>> header >>> Received: from seven.pairlist.net (seven.pairlist.net >>> [209.68.2.241])??by >>> mailgate.ptera.net (Postfix) with ESMTP id 592E66FB09E??for >>> ; Mon, 24 Nov 2008 10:28:16 -0800 (PST) from >>> seven.pairlist.net[209.68.2.241]; >>> from= >>> to= proto=ESMTP helo= >>> Nov 24 10:28:16 mailgate postfix/cleanup[15863]: 592E66FB09E: >>> message-id= >>> [root@mailgate ~]# >>> >>> I am so unlearned about this I do not know where to begin to solve this >>> problem. 
>>> Googling didn't reveal anything obvious. >>> What is the information between the ?? trying to tell me? >>> >>> >> Nothing special, just the received line that triggered the header >> check to arrange for the message to be put on hold, for MailScanner to >> pick up. IIRC, the ?? is a replacement for linebreaks. >> So far so good. >> >> What should happen next is that MailScanner should pick up a few >> messages and process them in a batch, telling you what happens, then >> either deleting, quarantine or requeue the message (with a new queue >> ID). >> That doesn't seem to be happening for you. >> Is MailScanner running? >> If it is, do you perhaps have any files in the hold queue directory >> that isn't a queue file (this has been know to make things go to >> pieces:-)? >> >> Cheers >> > Ok I checked the queue directory and found only queue files there. > Here is the log of the missing email in question... I will mark the > lines with a >> > > >> Nov 24 04:57:54 mailgate postfix/smtpd[15326]: connect from > qmta10.emeryville.ca.mail.comcast.net[76.96.30.17] > Nov 24 04:57:55 mailgate sqlgrey: grey: domain awl match: updating > 76.96.30(76.96.30.17), comcast.net > Nov 24 04:57:56 mailgate postfix/smtpd[15311]: connect from > ff2.tintwin.com[216.117.206.100] > Nov 24 04:57:57 mailgate MailScanner[2499]: Requeue: 286976FB0FC.A6B4D > to 295586FB089 > Nov 24 04:57:57 mailgate postfix/qmgr[1828]: 295586FB089: > from=, size=5793, nrcpt=1 (queue active) > Nov 24 04:57:57 mailgate MailScanner[2499]: Uninfected: Delivered 1 > messages > Nov 24 04:57:57 mailgate sqlgrey: grey: new: > 216.117.206(216.117.206.100), mxhheabbhpxhuefmabc@amazinglydiva.com -> > lauriek@ptera.net > >> Nov 24 04:57:57 mailgate postfix/smtpd[15326]: 4ABEF6FB0E8: > client=qmta10.emeryville.ca.mail.comcast.net[76.96.30.17] > Nov 24 04:57:57 mailgate postfix/smtpd[15311]: NOQUEUE: reject: RCPT > from ff2.tintwin.com[216.117.206.100]: 450 4.7.1 : > Recipient address rejected: Greylisted for 5 minutes; 
> from= to= > proto=SMTP helo= > >> Nov 24 04:57:57 mailgate postfix/cleanup[13547]: 4ABEF6FB0E8: hold: > header Received: from QMTA10.emeryville.ca.mail.comcast.net > (qmta10.emeryville.ca.mail.comcast.net [76.96.30.17])??by > mailgate.ptera.net (Postfix) with ESMTP id 4ABEF6FB0E8??for > ; Mon, 24 from > qmta10.emeryville.ca.mail.comcast.net[76.96.30.17]; > from= to= proto=ESMTP > helo= > >> Nov 24 04:57:57 mailgate postfix/cleanup[13547]: 4ABEF6FB0E8: > message-id=<112420081325.17455.492AAB5E000238320000442F221555389407050C079002050C9A080C@comcast.net> > > This is the last entry for 4ABEF6FB0E8: No requeue. No delivery. > > Here is the trace of that email without the clutter. > > [root@mailgate ~]# grep 4ABEF6FB0E8: /var/log/maillog > Nov 24 04:57:57 mailgate postfix/smtpd[15326]: 4ABEF6FB0E8: > client=qmta10.emeryville.ca.mail.comcast.net[76.96.30.17] > Nov 24 04:57:57 mailgate postfix/cleanup[13547]: 4ABEF6FB0E8: hold: > header Received: from QMTA10.emeryville.ca.mail.comcast.net > (qmta10.emeryville.ca.mail.comcast.net [76.96.30.17])??by > mailgate.ptera.net (Postfix) with ESMTP id 4ABEF6FB0E8??for > ; Mon, 24 from > qmta10.emeryville.ca.mail.comcast.net[76.96.30.17]; > from= to= proto=ESMTP > helo= > Nov 24 04:57:57 mailgate postfix/cleanup[13547]: 4ABEF6FB0E8: > message-id=<112420081325.17455.492AAB5E000238320000442F221555389407050C079002050C9A080C@comcast.net> > [root@mailgate ~]# > > Thanks > Arthur > > -- > Arthur Stephens > Senior Sales Technician > Ptera Wireless Internet Service > PO Box 135 > Liberty Lake, WA 99019 > 509-927-7837 > For technical support visit http://www.ptera.net/support > ----------------------------------------------------------------------------- > "This message may contain confidential and/or propriety information, > and is intended for the person/entity to whom it was originally > addressed. Any use by others is strictly prohibited. 
> Please note that any views or opinions presented in this email are solely > those of the author and are not intended to represent those of the > company." > > Could it be a "Spam List" issue, because of a time out? Leave the Spam List = empty and restart mailscanner From jaearick at colby.edu Tue Nov 25 17:41:18 2008 From: jaearick at colby.edu (Jeff A. Earickson) Date: Tue Nov 25 17:41:36 2008 Subject: Emails on HOLD not processed and delivered In-Reply-To: <013101c94f24$22548070$6000a8c0@tecnica> References: <492AFD48.8000507@ptera.net><223f97700811250752o3d8c9440q3b10c55dcd79fb7d@mail.gmail.com> <492C3084.4050707@ptera.net> <013101c94f24$22548070$6000a8c0@tecnica> Message-ID: On Tue, 25 Nov 2008, Jose Julian Buda wrote: > Date: Tue, 25 Nov 2008 15:34:56 -0200 > From: Jose Julian Buda > Reply-To: MailScanner discussion > To: MailScanner discussion > Subject: Re: Emails on HOLD not processed and delivered > > > ----- Original Message ----- From: "Arthur Stephens" > To: "MailScanner discussion" > Sent: Tuesday, November 25, 2008 3:06 PM > Subject: Re: Emails on HOLD not processed and delivered > > This problem sounds like the one I just mentioned, whereby the latest Message.pm that got posted to the list by Julian a couple of days ago fixes the endless loop/email not moving out of the queue/high CPU. 
Jeff Earickson Colby College From cbarber at techquility.net Tue Nov 25 19:41:46 2008 From: cbarber at techquility.net (Chris Barber) Date: Tue Nov 25 19:42:35 2008 Subject: Message rules don't work, but if message forwarded, it does??? In-Reply-To: References: <4910E415.4050502@rheel.co.nz><43F62CA225017044BC84CFAF92B4333B035FB3@sbsserver.Techquility.net><223f97700811051117g2d4b91c5g4cda816ac8e2e862@mail.gmail.com><43F62CA225017044BC84CFAF92B4333B035FB8@sbsserver.Techquility.net><223f97700811051419r7982975fi34b25598b91ed1ca@mail.gmail.com><43F62CA225017044BC84CFAF92B4333B035FBC@sbsserver.Techquility.net> <223f97700811061050x5ca2b8a6t98d115ad27b450ea@mail.gmail.com><43F62CA225017044BC84CFAF92B4333B036074@sbsserver.Techquility.net> <43F62CA225017044BC84CFAF92B4333B03607E@sbsserver.Techquility.net> <43F62CA225017044BC84CFAF92B4333B036091@sbsserver.Techquility.net> Message-ID: <43F62CA225017044BC84CFAF92B4333B0360CA@sbsserver.Techquility.net> >> on 11-20-2008 10:37 PM Chris Barber spake the following: >> >> The HTML encoding seems different between messages. This might be why it gets caught the second time around. >> Also, the message you mark as missed has a RFC private IP address in >> it >> (Received: from [192.168.1.56] (unknown [192.168.1.56])) , but the one you marked as forwarded doesn't. Could they be mixed up? >> Never mind. They are mixed up because the one marked missed has a Fwd: >> prepended to the subject. >> The missed message is encoded with "quoted-printable" in the html section, but Thunderbird looks to be re-encoding it on the forward. Maybe you >>have a problem with your mime-tools module on the server. >> >> Oops, you are right I mixed up the folders. I am using MIME::Tools version 5.427. I think this was installed by Julian's install.sh script. Is >there a way to test/debug this module? >> >> > >It might not be the problem, it was just a possibility. I'm running 5.425 here. Not sure how to debug that. 
> >Maybe next time you can pipe the original message into spamassassin and see what happens. Here is another example of the problem I am having: Original message arrives and hits these rules: 0.50 BAYES_40 Bayesian spam probability is 20 to 40% 0.00 HTML_MESSAGE HTML included in message -0.00 SPF_PASS SPF: sender matches SPF record User forwards the message to me. The message flows through the same MailScanner server and hits all of these rules: -2.60 BAYES_00 Bayesian spam probability is 0 to 1% 0.00 HTML_MESSAGE HTML included in message 0.50 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50% 1.50 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50% 0.50 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/) 1.50 URIBL_BLACK Contains an URL listed in the URIBL blacklist 1.50 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist 1.50 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist As far as I can tell, MailScanner can handle quoted-printable encoding... It seems all of the network tests fail to scan the message. There are no errors in the maillog. Is there a way to enable debug/verbose logging in MailScanner? Thanks again for the assistance! From glenn.steen at gmail.com Tue Nov 25 20:56:45 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Nov 25 20:56:56 2008 Subject: new version of Message.pm for 4.72.5? In-Reply-To: References: Message-ID: <223f97700811251256g28a3abf2lbb1e75a077592c18@mail.gmail.com> 2008/11/25 Jeff A. Earickson : > On Tue, 25 Nov 2008, Jeff A. Earickson wrote: > >> Date: Tue, 25 Nov 2008 09:58:12 -0500 (EST) >> From: Jeff A. Earickson >> Reply-To: MailScanner discussion >> To: mailscanner mailing list >> Subject: new version of Message.pm for 4.72.5? >> >> Julian, >> >> I thought you posted a new version of Message.pm in the last couple >> of days to fix issues with "mailscanner doesn't scan" and >> "mailscanner child freezes" per the recent list postings. 
Now I >> can't find that posting on the list. Can I get this version? >> >> My issue: suddenly MailScanner is chewing up a lot of cpu time, >> I see stuff in my inbound queue that is old/should not be there. >> So MailScanner is choking on something in there, would like to >> figure out what... > > Glenn Steen kindly resent the modified version of Message.pm, which > I have now put in place, and it has cleared out stuck messages in > my inbound queue. Things are looking normal again. > > My setup: Solaris 10, sendmail. Maybe this merits a general release... > > Jeff Earickson > Colby College Unsurprisingly ...:-)... I agree, this should at least be a beta, even though the change is rather small. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From rvdmerwe at mhg.co.za Tue Nov 25 21:13:39 2008 From: rvdmerwe at mhg.co.za (Rabie Van der Merwe) Date: Tue Nov 25 21:14:04 2008 Subject: Increased load Message-ID: <3FD8054D301F9246A6F10F3485E2204E061442@cptwexc02.za.mhgad.com> Can anyone think of a reason why moving from 4.69.9-3 to any of the later versions would increase the load on the server? I have 2 servers running MailScanner and my avg load went from 2 to 4 since the upgrade on both boxes. Regards Rabie van der Merwe From hvdkooij at vanderkooij.org Tue Nov 25 22:26:53 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Tue Nov 25 22:27:02 2008 Subject: Increased load In-Reply-To: <3FD8054D301F9246A6F10F3485E2204E061442@cptwexc02.za.mhgad.com> References: <3FD8054D301F9246A6F10F3485E2204E061442@cptwexc02.za.mhgad.com> Message-ID: <492C7BAD.5090708@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Rabie Van der Merwe wrote: > > Can anyone think of a reason why moving from 4.69.9-3 to any of the > later versions would increase the load on the server? I have 2 servers > running MailScanner and my avg load went from 2 to 4 since the upgrade > on both boxes. 
Well load in itself should not be an issue. Is the average CPU usage significantly higher? (Use vmstat to find out.) Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. Nid wyf yn y swyddfa ar hyn o bryd. Anfonwch unrhyw waith i'w gyfieithu. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFJLHurBvzDRVjxmYERAoL4AJwPCOJyy0zKlyIdg6gcw9zr+f908wCfd1ba coBDbgd/x0Mz6BfLVCn1OhE= =IcK/ -----END PGP SIGNATURE----- From astephens at ptera.net Wed Nov 26 00:41:10 2008 From: astephens at ptera.net (Arthur Stephens) Date: Wed Nov 26 00:41:56 2008 Subject: Emails on HOLD not processed and delivered In-Reply-To: <013101c94f24$22548070$6000a8c0@tecnica> References: <492AFD48.8000507@ptera.net><223f97700811250752o3d8c9440q3b10c55dcd79fb7d@mail.gmail.com> <492C3084.4050707@ptera.net> <013101c94f24$22548070$6000a8c0@tecnica> Message-ID: <492C9B26.6070505@ptera.net> Jose Julian Buda wrote: > > ----- Original Message ----- From: "Arthur Stephens" > > To: "MailScanner discussion" > Sent: Tuesday, November 25, 2008 3:06 PM > Subject: Re: Emails on HOLD not processed and delivered > > >> Glenn Steen wrote: >>> 2008/11/24 Arthur Stephens : >>> >>>> I discovered this problem when customers complained about not >>>> getting emails >>>> from some people. >>>> >>>> It appears that whenever an email using ESMTP protocol goes on hold >>>> to be >>>> processed by mail scanner, it ends up being removed without >>>> processing it. >>>> Here are a couple of the numerous log entries reflecting this... 
>>>> >>>> [root@mailgate ~]# grep 4013E6FB03C: /var/log/maillog >>>> Nov 24 10:09:21 mailgate postfix/smtpd[14870]: 4013E6FB03C: >>>> client=mail.sound-tele.com[66.45.208.237] >>>> Nov 24 10:09:21 mailgate postfix/cleanup[14455]: 4013E6FB03C: hold: >>>> header >>>> Received: from mail.sound-tele.com (mail.sound-tele.com >>>> [66.45.208.237])??by >>>> mailgate.ptera.net (Postfix) with ESMTP id 4013E6FB03C??for >>>> ; Mon, 24 Nov 2008 10:09:21 -0800 (PST from >>>> mail.sound-tele.com[66.45.208.237]; from= >>>> to= proto=ESMTP helo= >>>> Nov 24 10:09:21 mailgate postfix/cleanup[14455]: 4013E6FB03C: >>>> message-id= >>>> >>>> [root@mailgate ~]# grep 53A4C6FB0A0: /var/log/maillog >>>> Nov 24 10:22:30 mailgate postfix/smtpd[14219]: 53A4C6FB0A0: >>>> client=unknown[206.169.232.4] >>>> Nov 24 10:22:30 mailgate postfix/cleanup[17578]: 53A4C6FB0A0: hold: >>>> header >>>> Received: from mail.columbiagrain.com (unknown [206.169.232.4])??by >>>> mailgate.ptera.net (Postfix) with ESMTP id 53A4C6FB0A0??for >>>> ; Mon, 24 Nov 2008 10:22:30 -0800 (PST) from >>>> unknown[206.169.232.4]; from= >>>> to= proto=ESMTP helo= >>>> Nov 24 10:22:30 mailgate postfix/cleanup[17578]: 53A4C6FB0A0: >>>> message-id=<28D95A3746D8414AA52458549F3EA58705228B88@pdx-mail1.columbiagrain.com> >>>> >>>> >>>> [root@mailgate ~]# grep 592E66FB09E: /var/log/maillog >>>> Nov 24 10:28:16 mailgate postfix/smtpd[18108]: 592E66FB09E: >>>> client=seven.pairlist.net[209.68.2.241] >>>> Nov 24 10:28:16 mailgate postfix/cleanup[15863]: 592E66FB09E: hold: >>>> header >>>> Received: from seven.pairlist.net (seven.pairlist.net >>>> [209.68.2.241])??by >>>> mailgate.ptera.net (Postfix) with ESMTP id 592E66FB09E??for >>>> ; Mon, 24 Nov 2008 10:28:16 -0800 (PST) from >>>> seven.pairlist.net[209.68.2.241]; >>>> from= >>>> to= proto=ESMTP helo= >>>> Nov 24 10:28:16 mailgate postfix/cleanup[15863]: 592E66FB09E: >>>> message-id= >>>> >>>> [root@mailgate ~]# >>>> >>>> I am so unlearned about this I do not know where to begin to 
solve >>>> this >>>> problem. >>>> Googling didn't reveal anything obvious. >>>> What is the information between the ?? trying to tell me? >>>> >>>> >>> Nothing special, just the received line that triggered the header >>> check to arrange for the message to be put on hold, for MailScanner to >>> pick up. IIRC, the ?? is a replacement for linebreaks. >>> So far so good. >>> >>> What should happen next is that MailScanner should pick up a few >>> messages and process them in a batch, telling you what happens, then >>> either deleting, quarantine or requeue the message (with a new queue >>> ID). >>> That doesn't seem to be happening for you. >>> Is MailScanner running? >>> If it is, do you perhaps have any files in the hold queue directory >>> that isn't a queue file (this has been know to make things go to >>> pieces:-)? >>> >>> Cheers >>> >> Ok I checked the queue directory and found only queue files there. >> Here is the log of the missing email in question... I will mark the >> lines with a >> >> >> >> Nov 24 04:57:54 mailgate postfix/smtpd[15326]: connect from >> qmta10.emeryville.ca.mail.comcast.net[76.96.30.17] >> Nov 24 04:57:55 mailgate sqlgrey: grey: domain awl match: updating >> 76.96.30(76.96.30.17), comcast.net >> Nov 24 04:57:56 mailgate postfix/smtpd[15311]: connect from >> ff2.tintwin.com[216.117.206.100] >> Nov 24 04:57:57 mailgate MailScanner[2499]: Requeue: 286976FB0FC.A6B4D >> to 295586FB089 >> Nov 24 04:57:57 mailgate postfix/qmgr[1828]: 295586FB089: >> from=, size=5793, nrcpt=1 (queue active) >> Nov 24 04:57:57 mailgate MailScanner[2499]: Uninfected: Delivered 1 >> messages >> Nov 24 04:57:57 mailgate sqlgrey: grey: new: >> 216.117.206(216.117.206.100), mxhheabbhpxhuefmabc@amazinglydiva.com -> >> lauriek@ptera.net >> >> Nov 24 04:57:57 mailgate postfix/smtpd[15326]: 4ABEF6FB0E8: >> client=qmta10.emeryville.ca.mail.comcast.net[76.96.30.17] >> Nov 24 04:57:57 mailgate postfix/smtpd[15311]: NOQUEUE: reject: RCPT >> from 
ff2.tintwin.com[216.117.206.100]: 450 4.7.1 : >> Recipient address rejected: Greylisted for 5 minutes; >> from= to= >> proto=SMTP helo= >> >> Nov 24 04:57:57 mailgate postfix/cleanup[13547]: 4ABEF6FB0E8: hold: >> header Received: from QMTA10.emeryville.ca.mail.comcast.net >> (qmta10.emeryville.ca.mail.comcast.net [76.96.30.17])??by >> mailgate.ptera.net (Postfix) with ESMTP id 4ABEF6FB0E8??for >> ; Mon, 24 from >> qmta10.emeryville.ca.mail.comcast.net[76.96.30.17]; >> from= to= proto=ESMTP >> helo= >> >> Nov 24 04:57:57 mailgate postfix/cleanup[13547]: 4ABEF6FB0E8: >> message-id=<112420081325.17455.492AAB5E000238320000442F221555389407050C079002050C9A080C@comcast.net> >> >> >> This is the last entry for 4ABEF6FB0E8: No requeue. No delivery. >> >> Here is the trace of that email without the clutter. >> >> [root@mailgate ~]# grep 4ABEF6FB0E8: /var/log/maillog >> Nov 24 04:57:57 mailgate postfix/smtpd[15326]: 4ABEF6FB0E8: >> client=qmta10.emeryville.ca.mail.comcast.net[76.96.30.17] >> Nov 24 04:57:57 mailgate postfix/cleanup[13547]: 4ABEF6FB0E8: hold: >> header Received: from QMTA10.emeryville.ca.mail.comcast.net >> (qmta10.emeryville.ca.mail.comcast.net [76.96.30.17])??by >> mailgate.ptera.net (Postfix) with ESMTP id 4ABEF6FB0E8??for >> ; Mon, 24 from >> qmta10.emeryville.ca.mail.comcast.net[76.96.30.17]; >> from= to= proto=ESMTP >> helo= >> Nov 24 04:57:57 mailgate postfix/cleanup[13547]: 4ABEF6FB0E8: >> message-id=<112420081325.17455.492AAB5E000238320000442F221555389407050C079002050C9A080C@comcast.net> >> >> [root@mailgate ~]# >> >> Thanks >> Arthur >> >> -- >> Arthur Stephens >> Senior Sales Technician >> Ptera Wireless Internet Service >> PO Box 135 >> Liberty Lake, WA 99019 >> 509-927-7837 >> For technical support visit http://www.ptera.net/support >> ----------------------------------------------------------------------------- >> >> "This message may contain confidential and/or propriety information, >> and is intended for the person/entity to whom it was 
originally >> addressed. Any use by others is strictly prohibited. >> Please note that any views or opinions presented in this email are >> solely >> those of the author and are not intended to represent those of the >> company." >> >> >> >> __________ Informaci?n de NOD32, revisi?n 3639 (20081125) __________ >> >> Este mensaje ha sido analizado con NOD32 antivirus system >> http://www.nod32.com >> >> > > > -------------------------------------------------------------------------------- > > > >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> >> >> __________ Informacisn de NOD32, revisisn 3639 (20081125) __________ >> >> Este mensaje ha sido analizado con NOD32 antivirus system >> http://www.nod32.com >> >> > > > > Could it be a "Spam List" issue, because of a time out? > > Leave the > > Spam List = > > empty and restart mailscanner Nope no change... -- Arthur Stephens Senior Sales Technician Ptera Wireless Internet Service PO Box 135 Liberty Lake, WA 99019 509-927-7837 For technical support visit http://www.ptera.net/support ----------------------------------------------------------------------------- "This message may contain confidential and/or propriety information, and is intended for the person/entity to whom it was originally addressed. Any use by others is strictly prohibited. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company." 
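Added example (not part of the original thread, and not MailScanner or Postfix code): one way to automate the check done by hand with grep above, listing queue IDs that postfix/cleanup placed on hold but that no later MailScanner log line mentions. The sample log is constructed from the line formats quoted in the thread with placeholder hosts; the function names, the 5-minute grace period and the year default are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the syslog formats quoted in the thread. Hosts and
# addresses are placeholders; 5C0DE6FB111 is a made-up queue ID.
SAMPLE_LOG = [
    "Nov 24 04:57:50 mailgate postfix/smtpd[15300]: 286976FB0FC: client=mx.example.org[192.0.2.10]",
    "Nov 24 04:57:50 mailgate postfix/cleanup[13547]: 286976FB0FC: hold: header Received: from mx.example.org (mx.example.org [192.0.2.10])??by mailgate.example.net (Postfix) with SMTP id 286976FB0FC from mx.example.org[192.0.2.10]; proto=SMTP helo=<mx.example.org>",
    "Nov 24 04:57:57 mailgate MailScanner[2499]: Requeue: 286976FB0FC.A6B4D to 295586FB089",
    "Nov 24 04:57:57 mailgate postfix/qmgr[1828]: 295586FB089: from=<a@example.org>, size=5793, nrcpt=1 (queue active)",
    "Nov 24 04:57:57 mailgate MailScanner[2499]: Uninfected: Delivered 1 messages",
    "Nov 24 04:57:57 mailgate postfix/smtpd[15326]: 4ABEF6FB0E8: client=mx2.example.com[198.51.100.7]",
    "Nov 24 04:57:57 mailgate postfix/cleanup[13547]: 4ABEF6FB0E8: hold: header Received: from mx2.example.com (mx2.example.com [198.51.100.7])??by mailgate.example.net (Postfix) with ESMTP id 4ABEF6FB0E8 from mx2.example.com[198.51.100.7]; proto=ESMTP helo=<mx2.example.com>",
    "Nov 24 05:10:00 mailgate postfix/cleanup[13547]: 5C0DE6FB111: hold: header Received: from mx.example.org (mx.example.org [192.0.2.10])??by mailgate.example.net (Postfix) with ESMTP id 5C0DE6FB111 from mx.example.org[192.0.2.10]; proto=ESMTP helo=<mx.example.org>",
    "Nov 24 05:12:00 mailgate postfix/smtpd[15400]: connect from mx.example.org[192.0.2.10]",
]

# "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s(?P<host>\S+)\s"
    r"(?P<prog>[^\s\[:]+)(?:\[\d+\])?:\s(?P<msg>.*)$"
)
# cleanup logs "<queue id>: hold: header ..." when a header check holds mail.
HOLD_RE = re.compile(r"^(?P<qid>[0-9A-F]{6,}): hold: ")
# MailScanner logs the old ID with a ".XXXXX" suffix that has to be dropped.
REQUEUE_RE = re.compile(
    r"^Requeue: (?P<old>[0-9A-F]{6,})(?:\.[0-9A-F]+)? to (?P<new>[0-9A-F]{6,})"
)
QID_RE = re.compile(r"\b([0-9A-F]{6,})(?:\.[0-9A-F]+)?\b")


def parse_maillog(lines, year=2008):
    """Return (held, requeued, seen, last_ts) for an iterable of log lines.

    held:     queue id -> time cleanup put it on hold
    requeued: old queue id -> new queue id, from MailScanner "Requeue:" lines
    seen:     every queue id named in any MailScanner line
    Syslog timestamps carry no year, so the caller supplies one.
    """
    held, requeued, seen = {}, {}, set()
    last_ts = None
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        last_ts = ts if last_ts is None else max(last_ts, ts)
        prog, msg = m.group("prog"), m.group("msg")
        if prog == "postfix/cleanup":
            hold = HOLD_RE.match(msg)
            if hold:
                held.setdefault(hold.group("qid"), ts)
        elif prog == "MailScanner":
            rq = REQUEUE_RE.match(msg)
            if rq:
                requeued[rq.group("old")] = rq.group("new")
            seen.update(QID_RE.findall(msg))
    return held, requeued, seen, last_ts


def find_unprocessed_holds(lines, grace=timedelta(minutes=5), year=2008):
    """List (queue id, held_at, waited) for held mail MailScanner never named.

    Messages held for less than `grace` before the last log line are skipped,
    since they may simply be waiting for the next batch.
    """
    held, _requeued, seen, last_ts = parse_maillog(lines, year)
    stuck = []
    for qid, held_at in held.items():
        waited = last_ts - held_at
        if qid not in seen and waited >= grace:
            stuck.append((qid, held_at, waited))
    return sorted(stuck, key=lambda item: item[1])


if __name__ == "__main__":
    for qid, held_at, waited in find_unprocessed_holds(SAMPLE_LOG):
        print(f"{qid} held at {held_at:%b %d %H:%M:%S}, no MailScanner activity after {waited}")
```

Feed it the lines of /var/log/maillog instead of SAMPLE_LOG; a steadily growing list points at MailScanner not picking mail up from the hold queue rather than at the header check that put it there.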
From astephens at ptera.net Wed Nov 26 00:45:04 2008
From: astephens at ptera.net (Arthur Stephens)
Date: Wed Nov 26 00:45:49 2008
Subject: Emails on HOLD not processed and delivered
In-Reply-To: <013101c94f24$22548070$6000a8c0@tecnica>
References: <492AFD48.8000507@ptera.net><223f97700811250752o3d8c9440q3b10c55dcd79fb7d@mail.gmail.com> <492C3084.4050707@ptera.net> <013101c94f24$22548070$6000a8c0@tecnica>
Message-ID: <492C9C10.5040107@ptera.net>

Jose Julian Buda wrote:
> Could it be a "Spam List" issue, because of a time out?
>
> Leave the
>
> Spam List =
>
> empty and restart mailscanner

Correction... It did not fix the problem but it did allow a lot of spam to get through.

--
Arthur Stephens
Senior Sales Technician
Ptera Wireless Internet Service
PO Box 135
Liberty Lake, WA 99019
509-927-7837
For technical support visit http://www.ptera.net/support
-----------------------------------------------------------------------------
"This message may contain confidential and/or propriety information, and is intended for the person/entity to whom it was originally addressed. Any use by others is strictly prohibited. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company."
From rvdmerwe at mhg.co.za Wed Nov 26 05:30:25 2008 From: rvdmerwe at mhg.co.za (Rabie Van der Merwe) Date: Wed Nov 26 05:30:49 2008 Subject: Increased load In-Reply-To: <492C7BAD.5090708@vanderkooij.org> References: <3FD8054D301F9246A6F10F3485E2204E061442@cptwexc02.za.mhgad.com> <492C7BAD.5090708@vanderkooij.org> Message-ID: <3FD8054D301F9246A6F10F3485E2204E06145D@cptwexc02.za.mhgad.com> Yip CPU utilization is defiantly up. -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Hugo van der Kooij Sent: 26 November 2008 00:27 AM To: MailScanner discussion Subject: Re: Increased load -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Rabie Van der Merwe wrote: > > Can anyone think of a reason why moving from 4.69.9-3 to any of the > later versions would increase the load on the server? I have 2 servers > running MailScanner and my avg load went from 2 to 4 since the upgrade > on both boxes. Well load in itself should not be an issue. Is the average CPU usage significantly higher? (Use vmstat to find out.) Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. Nid wyf yn y swyddfa ar hyn o bryd. Anfonwch unrhyw waith i'w gyfieithu. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFJLHurBvzDRVjxmYERAoL4AJwPCOJyy0zKlyIdg6gcw9zr+f908wCfd1ba coBDbgd/x0Mz6BfLVCn1OhE= =IcK/ -----END PGP SIGNATURE----- -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! 
From glenn.steen at gmail.com Wed Nov 26 08:53:33 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Nov 26 08:53:43 2008 Subject: Increased load In-Reply-To: <3FD8054D301F9246A6F10F3485E2204E06145D@cptwexc02.za.mhgad.com> References: <3FD8054D301F9246A6F10F3485E2204E061442@cptwexc02.za.mhgad.com> <492C7BAD.5090708@vanderkooij.org> <3FD8054D301F9246A6F10F3485E2204E06145D@cptwexc02.za.mhgad.com> Message-ID: <223f97700811260053o58213159o8a464ad52b20c192@mail.gmail.com> 2008/11/26 Rabie Van der Merwe : > > Yip CPU utilization is defiantly up. > Well, you need be strict with it then.... Tell it to be less defiant!!!:-):-):-)... (as if that would help:-) Seriously though, if you are using 4.72.5 you might need the latest Message.pm fix that Jules posted, or else you would see the children start to loop on some specific messages... Notably, the busy MailScanner child will report "cleaning messages" as commandline in "ps"... and never leave that state. Solutions would be: - get a hold of the fixed Message.pm and drop that into place (restart MS after that), or - revert to 4.71, or - wait for Jules to post a new release with the fix incorporated (there just might be a new beta around the corner:-). Cheers -- -- Glenn > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Hugo > van der Kooij > Sent: 26 November 2008 00:27 AM > To: MailScanner discussion > Subject: Re: Increased load > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Rabie Van der Merwe wrote: >> >> Can anyone think of a reason why moving from 4.69.9-3 to any of the >> later versions would increase the load on the server? I have 2 servers >> running MailScanner and my avg load went from 2 to 4 since the upgrade >> on both boxes. > > Well load in itself should not be an issue. Is the average CPU usage > significantly higher? (Use vmstat to find out.) > > Hugo. 
> > - -- > hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ > PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc > > A: Yes. > >Q: Are you sure? > >>A: Because it reverses the logical flow of conversation. > >>>Q: Why is top posting frowned upon? > > Bored? Click on http://spamornot.org/ and rate those images. > > Nid wyf yn y swyddfa ar hyn o bryd. Anfonwch unrhyw waith i'w gyfieithu. > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.7 (GNU/Linux) > Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org > > iD8DBQFJLHurBvzDRVjxmYERAoL4AJwPCOJyy0zKlyIdg6gcw9zr+f908wCfd1ba > coBDbgd/x0Mz6BfLVCn1OhE= > =IcK/ > -----END PGP SIGNATURE----- > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
>

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From Daniel.Flensburg at iris.se Wed Nov 26 09:09:05 2008
From: Daniel.Flensburg at iris.se (Daniel Flensburg)
Date: Wed Nov 26 09:12:54 2008
Subject: SV: Local State Dir - /var/lib/spamassassin - SARE rules no hits
In-Reply-To: <223f97700811250806s56cdfec8mbfc21032647191c7@mail.gmail.com>
References: <910ee2ac0811201634se99a4daob2b8ff95088daf27@mail.gmail.com><3DF8101092666E4A9020D949E419EB6F02B7BABF@ensms02.iris.se><3DF8101092666E4A9020D949E419EB6F02B7BCAA@ensms02.iris.se><3DF8101092666E4A9020D949E419EB6F02B9D3C8@ensms02.iris.se><223f97700811240622s743469aaw9bb56791c0ea6192@mail.gmail.com><3DF8101092666E4A9020D949E419EB6F02B9DA14@ensms02.iris.se><223f97700811250803k4184f9a8rb9e2017b33f37a38@mail.gmail.com> <223f97700811250806s56cdfec8mbfc21032647191c7@mail.gmail.com>
Message-ID: <3DF8101092666E4A9020D949E419EB6F02B9DCEF@ensms02.iris.se>

Ok, did this:

1) "su - postfix -s /bin/bash"
2) As postfix user (prompt says: postfix@mailgw:~$) - ran "spamassassin -D --lint"

The result looks ok. It is reading the right folder:

[...]
[32442] dbg: config: using "/etc/spamassassin" for site rules pre files
[32442] dbg: config: read file /etc/spamassassin/init.pre
[32442] dbg: config: read file /etc/spamassassin/v310.pre
[32442] dbg: config: read file /etc/spamassassin/v312.pre
[32442] dbg: config: using "/var/lib/spamassassin/3.001004" for sys rules pre files
[32442] dbg: config: read file /var/lib/spamassassin/3.001004/saupdates_openprotect_com.pre
[32442] dbg: config: read file /var/lib/spamassassin/3.001004/updates_spamassassin_org.pre
[32442] dbg: config: using "/var/lib/spamassassin/3.001004" for default rules dir
[32442] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_adult_cf_sare_sa-update_dostech_net.cf
[32442] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_bayes_poison_nxm_cf_sare_sa-update_dostech_net.cf
[...]

3) Tried to run against a message in quarantine:

cd /var/spool/MailScanner/quarantine/20081126: Permission denied

Ok, so Postfix user cannot read the quarantine!

ls -l gives:

drwxr-xr-x 145 postfix postfix 4096 2008-11-26 09:33 incoming
drwxrwx--- 12 root www-data 4096 2008-11-26 06:25 quarantine
drwxr-xr-x 2 postfix postfix 4096 2008-11-25 12:25 spamassassin

in Mailscanner.conf:

Run As User = postfix
Run As Group = postfix
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
Incoming Work Dir = /var/spool/MailScanner/incoming
Quarantine Dir = /var/spool/MailScanner/quarantine
PID file = /opt/MailScanner/var/MailScanner.pid
Incoming Work User =
Incoming Work Group =
Incoming Work Permissions = 0600
Quarantine User = root
Quarantine Group = www-data
Quarantine Permissions = 0660

Before I do something stupid. What would be the right settings? Could I just run chown -R postfix:www-data against the quarantine dir? Do I have to change the setting: Quarantine User = postfix? Something else? chmod the quarantine dir?

Thank you all for your help!

/Daniel

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen
Sent: 25 November 2008 17:06
To: MailScanner discussion
Subject: Re: Local State Dir - /var/lib/spamassassin - SARE rules no hits

2008/11/25 Glenn Steen :
> 2008/11/25 Daniel Flensburg :
>> Glenn!
>>
>> Can you please point me in the right direction? The SARE-rules still do not work. But I can cd, ls and nano files in the /var/lib/spamassassin/3.00xxxx directory after running "su - postfix -s /bin/bash".
>>
>> What exactly do you mean by "the problem is "closer to the root directory"."?
>>
>> Thank you in advance!
>>
>> /Daniel
> Clumsy expression...
What I meant is that if the perms look ok on the > local files, but you still cannot access them as the PF user, then the > problem would be situated in a parent directorys' permissions. Hope > that was a bit clearer:-) > As the postfix user, what does a "spamassassin -D --lint" (or even better, "spamassassin -D -t < /path/to/a/message/file/probably/from/your/spam/quarantine") say? Does it seem to be reading the correct rule files from the correct rule directories? Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From maxsec at gmail.com Wed Nov 26 09:40:42 2008 From: maxsec at gmail.com (Martin Hepworth) Date: Wed Nov 26 09:40:50 2008 Subject: Local State Dir - /var/lib/spamassassin - SARE rules no hits In-Reply-To: <3DF8101092666E4A9020D949E419EB6F02B9DCEF@ensms02.iris.se> References: <910ee2ac0811201634se99a4daob2b8ff95088daf27@mail.gmail.com> <3DF8101092666E4A9020D949E419EB6F02B7BCAA@ensms02.iris.se> <3DF8101092666E4A9020D949E419EB6F02B9D3C8@ensms02.iris.se> <223f97700811240622s743469aaw9bb56791c0ea6192@mail.gmail.com> <3DF8101092666E4A9020D949E419EB6F02B9DA14@ensms02.iris.se> <223f97700811250803k4184f9a8rb9e2017b33f37a38@mail.gmail.com> <223f97700811250806s56cdfec8mbfc21032647191c7@mail.gmail.com> <3DF8101092666E4A9020D949E419EB6F02B9DCEF@ensms02.iris.se> Message-ID: <72cf361e0811260140j58151d15mcf23e98a0db94178@mail.gmail.com> 2008/11/26 Daniel Flensburg : > Ok, did this: > > 1) "su - postfix -s /bin/bash" > 2) As postfix user (promt sais: postfix@mailgw:~$)- ran "spamassassin -D --lint" > The result look ok. It is reading the right folder: > [...] 
> [32442] dbg: config: using "/etc/spamassassin" for site rules pre files > [32442] dbg: config: read file /etc/spamassassin/init.pre > [32442] dbg: config: read file /etc/spamassassin/v310.pre > [32442] dbg: config: read file /etc/spamassassin/v312.pre > [32442] dbg: config: using "/var/lib/spamassassin/3.001004" for sys rules pre files > [32442] dbg: config: read file /var/lib/spamassassin/3.001004/saupdates_openprotect_com.pre > [32442] dbg: config: read file /var/lib/spamassassin/3.001004/updates_spamassassin_org.pre > [32442] dbg: config: using "/var/lib/spamassassin/3.001004" for default rules dir > [32442] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_adult_cf_sare_sa-update_dostech_net.cf > [32442] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_bayes_poison_nxm_cf_sare_sa-update_dostech_net.cf > [...] > > 3) Tried to run against a message in quarantine: > > cd /var/spool/MailScanner/quarantine/20081126: Permission denied > > Ok, so Postfix user cannot read the quarantine! > > ls -l gives: > ? > drwxr-xr-x 145 postfix postfix 4096 2008-11-26 09:33 incoming > drwxrwx--- 12 root www-data 4096 2008-11-26 06:25 quarantine > drwxr-xr-x 2 postfix postfix 4096 2008-11-25 12:25 spamassassin > > in Mailscanner.conf: > > Run As User = postfix > Run As Group = postfix > Incoming Queue Dir = /var/spool/postfix/hold > Outgoing Queue Dir = /var/spool/postfix/incoming > Incoming Work Dir = /var/spool/MailScanner/incoming > Quarantine Dir = /var/spool/MailScanner/quarantine > PID file = /opt/MailScanner/var/MailScanner.pid > Incoming Work User = > Incoming Work Group = > Incoming Work Permissions = 0600 > Quarantine User = root > Quarantine Group = www-data > Quarantine Permissions = 0660 > > Before I do something stupid. What would be the right settings? Could I just run chown -R postfix:www-data against the quarantine dir? Do I have to change the setting: Quarantine User = postfix? Something else? chmod the quarantine dir? 
> > Thank you all for your help! > > /Daniel > > -----Ursprungligt meddelande----- > Fr?n: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] F?r Glenn Steen > Skickat: den 25 november 2008 17:06 > Till: MailScanner discussion > ?mne: Re: Local State Dir - /var/lib/spamassassin - SARE rules no hits > > 2008/11/25 Glenn Steen : >> 2008/11/25 Daniel Flensburg : >>> Glenn! >>> >>> Can you please point me in the right direction? The SARE-rules still do not work. But I can cd, ls and nano files in the /var/lib/spamassassin/3.00xxxx directory after running "su - postfix -s /bin/bash". >>> >>> What exactly do you mean by "the problem is "closer to the root directory"."? >>> >>> Thank you in advance! >>> >>> /Daniel >> Clumsy expression... What I meant is that if the perms look ok on the >> local files, but you still cannot access them as the PF user, then the >> problem would be situated in a parent directorys' permissions. Hope >> that was a bit clearer:-) >> > As the postfix user, what does a "spamassassin -D --lint" (or even > better, "spamassassin -D -t < > /path/to/a/message/file/probably/from/your/spam/quarantine") say? Does > it seem to be reading the correct rule files from the correct rule > directories? > > Cheers > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
> Daniel I'd also suggest Quarantine User = postfix -- Martin Hepworth Oxford, UK From maillists at conactive.com Wed Nov 26 10:31:16 2008 From: maillists at conactive.com (Kai Schaetzl) Date: Wed Nov 26 10:31:34 2008 Subject: Local State Dir - /var/lib/spamassassin - SARE rules no hits In-Reply-To: <3DF8101092666E4A9020D949E419EB6F02B9DCEF@ensms02.iris.se> References: <910ee2ac0811201634se99a4daob2b8ff95088daf27@mail.gmail.com> <3DF8101092666E4A9020D949E419EB6F02B7BABF@ensms02.iris.se> <3DF8101092666E4A9020D949E419EB6F02B7BCAA@ensms02.iris.se> <3DF8101092666E4A9020D949E419EB6F02B9D3C8@ensms02.iris.se> <223f97700811240622s743469aaw9bb56791c0ea6192@mail.gmail.com> <3DF8101092666E4A9020D949E419EB6F02B9DA14@ensms02.iris.se> <223f97700811250803k4184f9a8rb9e2017b33f37a38@mail.gmail Message-ID: com> <3DF8101092666E4A9020D949E419EB6F02B9DCEF@ensms02.iris.se> Reply-To: mailscanner@lists.mailscanner.info Daniel Flensburg wrote on Wed, 26 Nov 2008 10:09:05 +0100: > drwxrwx--- 12 root www-data 4096 2008-11-26 06:25 quarantine That's indeed wrong. But this *does not* affect your /var/lib/sp... problem! 
Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From glenn.steen at gmail.com Wed Nov 26 10:38:08 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Nov 26 10:38:19 2008
Subject: Local State Dir - /var/lib/spamassassin - SARE rules no hits
In-Reply-To: <3DF8101092666E4A9020D949E419EB6F02B9DCEF@ensms02.iris.se>
References: <910ee2ac0811201634se99a4daob2b8ff95088daf27@mail.gmail.com> <3DF8101092666E4A9020D949E419EB6F02B7BCAA@ensms02.iris.se> <3DF8101092666E4A9020D949E419EB6F02B9D3C8@ensms02.iris.se> <223f97700811240622s743469aaw9bb56791c0ea6192@mail.gmail.com> <3DF8101092666E4A9020D949E419EB6F02B9DA14@ensms02.iris.se> <223f97700811250803k4184f9a8rb9e2017b33f37a38@mail.gmail.com> <223f97700811250806s56cdfec8mbfc21032647191c7@mail.gmail.com> <3DF8101092666E4A9020D949E419EB6F02B9DCEF@ensms02.iris.se>
Message-ID: <223f97700811260238n1bda3741hc38339979a893206@mail.gmail.com>

2008/11/26 Daniel Flensburg :
(snip)
> Before I do something stupid. What would be the right settings? Could I just run chown -R postfix:www-data against the quarantine dir? Do I have to change the setting: Quarantine User = postfix? Something else? chmod the quarantine dir?
>
Do the chmod as you suggest (so that it includes the quarantine
directory), and change Quarantine User to postfix, then restart
MailScanner. That should be all.

> Thank you all for your help!
> > /Daniel > (snip) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Wed Nov 26 10:38:55 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Nov 26 10:39:05 2008 Subject: Local State Dir - /var/lib/spamassassin - SARE rules no hits In-Reply-To: <223f97700811260238n1bda3741hc38339979a893206@mail.gmail.com> References: <910ee2ac0811201634se99a4daob2b8ff95088daf27@mail.gmail.com> <3DF8101092666E4A9020D949E419EB6F02B7BCAA@ensms02.iris.se> <3DF8101092666E4A9020D949E419EB6F02B9D3C8@ensms02.iris.se> <223f97700811240622s743469aaw9bb56791c0ea6192@mail.gmail.com> <3DF8101092666E4A9020D949E419EB6F02B9DA14@ensms02.iris.se> <223f97700811250803k4184f9a8rb9e2017b33f37a38@mail.gmail.com> <223f97700811250806s56cdfec8mbfc21032647191c7@mail.gmail.com> <3DF8101092666E4A9020D949E419EB6F02B9DCEF@ensms02.iris.se> <223f97700811260238n1bda3741hc38339979a893206@mail.gmail.com> Message-ID: <223f97700811260238p464eb18boeb83ba308a5cfbc6@mail.gmail.com> 2008/11/26 Glenn Steen : > 2008/11/26 Daniel Flensburg : > (snip) >> Before I do something stupid. What would be the right settings? Could I just run chown -R postfix:www-data against the quarantine dir? Do I have to change the setting: Quarantine User = postfix? Something else? chmod the quarantine dir? >> > Do the chmod as you suggest (so that it includes the quarantine chown... of course:-). > directory), and change Quarantine User to postfix, then restart > MailScanner. That should be all. > >> Thank you all for your help! 
>> >> /Daniel >> > (snip) > > Cheers > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Wed Nov 26 10:40:41 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Nov 26 10:40:51 2008 Subject: Local State Dir - /var/lib/spamassassin - SARE rules no hits In-Reply-To: References: <910ee2ac0811201634se99a4daob2b8ff95088daf27@mail.gmail.com> <3DF8101092666E4A9020D949E419EB6F02B7BABF@ensms02.iris.se> <3DF8101092666E4A9020D949E419EB6F02B7BCAA@ensms02.iris.se> <3DF8101092666E4A9020D949E419EB6F02B9D3C8@ensms02.iris.se> <223f97700811240622s743469aaw9bb56791c0ea6192@mail.gmail.com> <3DF8101092666E4A9020D949E419EB6F02B9DA14@ensms02.iris.se> <3DF8101092666E4A9020D949E419EB6F02B9DCEF@ensms02.iris.se> Message-ID: <223f97700811260240m26fdd7fco4e6804c9cbc54f05@mail.gmail.com> 2008/11/26 Kai Schaetzl : > com> <3DF8101092666E4A9020D949E419EB6F02B9DCEF@ensms02.iris.se> > Reply-To: mailscanner@lists.mailscanner.info > > Daniel Flensburg wrote on Wed, 26 Nov 2008 10:09:05 +0100: > >> drwxrwx--- 12 root www-data 4096 2008-11-26 06:25 quarantine > > That's indeed wrong. But this *does not* affect your /var/lib/sp... > problem! > > Kai > Quite true, only Daniels ability to use a message in quarantine as a test message:). 
Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From rvdmerwe at mhg.co.za Wed Nov 26 11:18:08 2008 From: rvdmerwe at mhg.co.za (Rabie Van der Merwe) Date: Wed Nov 26 11:18:36 2008 Subject: Increased load In-Reply-To: <223f97700811260053o58213159o8a464ad52b20c192@mail.gmail.com> References: <3FD8054D301F9246A6F10F3485E2204E061442@cptwexc02.za.mhgad.com><492C7BAD.5090708@vanderkooij.org><3FD8054D301F9246A6F10F3485E2204E06145D@cptwexc02.za.mhgad.com> <223f97700811260053o58213159o8a464ad52b20c192@mail.gmail.com> Message-ID: <3FD8054D301F9246A6F10F3485E2204E0614B7@cptwexc02.za.mhgad.com> I recently joined the mailing list, could someone repost the file or let me know what the subject of the message was as I cant search the through the mailing list. Regards Rabie PS BAD CPU!! Down, down boy, staaay ! :) -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen Sent: 26 November 2008 10:54 AM To: MailScanner discussion Subject: Re: Increased load 2008/11/26 Rabie Van der Merwe : > > Yip CPU utilization is defiantly up. > Well, you need be strict with it then.... Tell it to be less defiant!!!:-):-):-)... (as if that would help:-) Seriously though, if you are using 4.72.5 you might need the latest Message.pm fix that Jules posted, or else you would see the children start to loop on some specific messages... Notably, the busy MailScanner child will report "cleaning messages" as commandline in "ps"... and never leave that state. Solutions would be: - get a hold of the fixed Message.pm and drop that into place (restart MS after that), or - revert to 4.71, or - wait for Jules to post a new release with the fix incorporated (there just might be a new beta around the corner:-). 
Cheers -- -- Glenn > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Hugo > van der Kooij > Sent: 26 November 2008 00:27 AM > To: MailScanner discussion > Subject: Re: Increased load > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Rabie Van der Merwe wrote: >> >> Can anyone think of a reason why moving from 4.69.9-3 to any of the >> later versions would increase the load on the server? I have 2 servers >> running MailScanner and my avg load went from 2 to 4 since the upgrade >> on both boxes. > > Well load in itself should not be an issue. Is the average CPU usage > significantly higher? (Use vmstat to find out.) > > Hugo. > > - -- > hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ > PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc > > A: Yes. > >Q: Are you sure? > >>A: Because it reverses the logical flow of conversation. > >>>Q: Why is top posting frowned upon? > > Bored? Click on http://spamornot.org/ and rate those images. > > Nid wyf yn y swyddfa ar hyn o bryd. Anfonwch unrhyw waith i'w gyfieithu. > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.7 (GNU/Linux) > Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org > > iD8DBQFJLHurBvzDRVjxmYERAoL4AJwPCOJyy0zKlyIdg6gcw9zr+f908wCfd1ba > coBDbgd/x0Mz6BfLVCn1OhE= > =IcK/ > -----END PGP SIGNATURE----- > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
> -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From maxsec at gmail.com Wed Nov 26 11:51:51 2008 From: maxsec at gmail.com (Martin Hepworth) Date: Wed Nov 26 11:52:00 2008 Subject: Increased load In-Reply-To: <3FD8054D301F9246A6F10F3485E2204E0614B7@cptwexc02.za.mhgad.com> References: <3FD8054D301F9246A6F10F3485E2204E061442@cptwexc02.za.mhgad.com> <492C7BAD.5090708@vanderkooij.org> <3FD8054D301F9246A6F10F3485E2204E06145D@cptwexc02.za.mhgad.com> <223f97700811260053o58213159o8a464ad52b20c192@mail.gmail.com> <3FD8054D301F9246A6F10F3485E2204E0614B7@cptwexc02.za.mhgad.com> Message-ID: <72cf361e0811260351o512ff0dt4b5ab839949d2a35@mail.gmail.com> 2008/11/26 Rabie Van der Merwe : > > I recently joined the mailing list, could someone repost the file or let > me know what the subject of the message was as I cant search the through > the mailing list. > > Regards > Rabie > > PS BAD CPU!! Down, down boy, staaay ! :) > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn > Steen > Sent: 26 November 2008 10:54 AM > To: MailScanner discussion > Subject: Re: Increased load > > 2008/11/26 Rabie Van der Merwe : >> >> Yip CPU utilization is defiantly up. >> > Well, you need be strict with it then.... Tell it to be less > defiant!!!:-):-):-)... (as if that would help:-) > > Seriously though, if you are using 4.72.5 you might need the latest > Message.pm fix that Jules posted, or else you would see the children > start to loop on some specific messages... Notably, the busy > MailScanner child will report "cleaning messages" as commandline in > "ps"... and never leave that state. 
> Solutions would be: > - get a hold of the fixed Message.pm and drop that into place (restart > MS after that), or > - revert to 4.71, or > - wait for Jules to post a new release with the fix incorporated > (there just might be a new beta around the corner:-). > > Cheers > -- > -- Glenn > >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Hugo >> van der Kooij >> Sent: 26 November 2008 00:27 AM >> To: MailScanner discussion >> Subject: Re: Increased load >> >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Rabie Van der Merwe wrote: >>> >>> Can anyone think of a reason why moving from 4.69.9-3 to any of the >>> later versions would increase the load on the server? I have 2 > servers >>> running MailScanner and my avg load went from 2 to 4 since the > upgrade >>> on both boxes. >> >> Well load in itself should not be an issue. Is the average CPU usage >> significantly higher? (Use vmstat to find out.) >> >> Hugo. >> >> - -- >> hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ >> PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc >> >> A: Yes. >> >Q: Are you sure? >> >>A: Because it reverses the logical flow of conversation. >> >>>Q: Why is top posting frowned upon? >> >> Bored? Click on http://spamornot.org/ and rate those images. >> >> Nid wyf yn y swyddfa ar hyn o bryd. Anfonwch unrhyw waith i'w > gyfieithu. >> -----BEGIN PGP SIGNATURE----- >> Version: GnuPG v1.4.7 (GNU/Linux) >> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org >> >> iD8DBQFJLHurBvzDRVjxmYERAoL4AJwPCOJyy0zKlyIdg6gcw9zr+f908wCfd1ba >> coBDbgd/x0Mz6BfLVCn1OhE= >> =IcK/ >> -----END PGP SIGNATURE----- >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! 
>> > > > > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > I've sent him this off list. -- Martin Hepworth Oxford, UK From Daniel.Flensburg at iris.se Wed Nov 26 12:48:50 2008 From: Daniel.Flensburg at iris.se (Daniel Flensburg) Date: Wed Nov 26 12:52:37 2008 Subject: SV: Local State Dir - /var/lib/spamassassin - SARE rules no hits In-Reply-To: <223f97700811260238p464eb18boeb83ba308a5cfbc6@mail.gmail.com> References: <910ee2ac0811201634se99a4daob2b8ff95088daf27@mail.gmail.com><3DF8101092666E4A9020D949E419EB6F02B7BCAA@ensms02.iris.se><3DF8101092666E4A9020D949E419EB6F02B9D3C8@ensms02.iris.se><223f97700811240622s743469aaw9bb56791c0ea6192@mail.gmail.com><3DF8101092666E4A9020D949E419EB6F02B9DA14@ensms02.iris.se><223f97700811250803k4184f9a8rb9e2017b33f37a38@mail.gmail.com><223f97700811250806s56cdfec8mbfc21032647191c7@mail.gmail.com><3DF8101092666E4A9020D949E419EB6F02B9DCEF@ensms02.iris.se><223f97700811260238n1bda3741hc38339979a893206@mail.gmail.com> <223f97700811260238p464eb18boeb83ba308a5cfbc6@mail.gmail.com> Message-ID: <3DF8101092666E4A9020D949E419EB6F02B9DEF6@ensms02.iris.se> Ok, running spamassassin -D -t
/var/spool/MailScanner/quarantine/20081126/spam/5CADB8739E.14348, gives me:

[3924] dbg: config: using "/etc/spamassassin" for site rules pre files
[3924] dbg: config: read file /etc/spamassassin/init.pre
[3924] dbg: config: read file /etc/spamassassin/v310.pre
[3924] dbg: config: read file /etc/spamassassin/v312.pre
[3924] dbg: config: using "/var/lib/spamassassin/3.001004" for sys rules pre files
[3924] dbg: config: read file /var/lib/spamassassin/3.001004/saupdates_openprotect_com.pre
[3924] dbg: config: read file /var/lib/spamassassin/3.001004/updates_spamassassin_org.pre
[3924] dbg: config: using "/var/lib/spamassassin/3.001004" for default rules dir
[3924] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_adult_cf_sare_sa-update_dostech_net.cf
[...]
[3924] dbg: config: read file /var/lib/spamassassin/3.001004/saupdates_openprotect_com.cf
[3924] dbg: config: read file /var/lib/spamassassin/3.001004/sought_rules_yerp_org.cf
[3924] dbg: config: read file /var/lib/spamassassin/3.001004/updates_spamassassin_org.cf
[3924] dbg: config: using "/etc/spamassassin" for site rules dir
[3924] dbg: config: read file /etc/spamassassin/FuzzyOcr.cf
[3924] dbg: config: read file /etc/spamassassin/mailscanner.cf
[3924] dbg: config: read file /etc/spamassassin/pdfinfo.cf
[3924] dbg: config: using "/var/spool/postfix/.spamassassin" for user state dir
[3924] dbg: config: mkdir /var/spool/postfix/.spamassassin failed: mkdir /var/spool/postfix/.spamassassin: Permission denied at /usr/share/perl5/Mail/SpamAssassin.pm line 1491
[3924] dbg: config: Permission denied
[3924] dbg: config: using "/var/spool/postfix/.spamassassin" for user state dir
[3924] dbg: config: mkdir /var/spool/postfix/.spamassassin failed: mkdir /var/spool/postfix/.spamassassin: Permission denied at /usr/share/perl5/Mail/SpamAssassin.pm line 1491
[3924] dbg: config: Permission denied
[3924] warn: config: cannot write to /var/spool/postfix/.spamassassin/user_prefs: No such file or directory
[3924] warn: config: failed to create default user preference file /var/spool/postfix/.spamassassin/user_prefs
[3924] dbg: config: using "/var/spool/postfix/.spamassassin/user_prefs" for user prefs file

BUT the settings in MailScanner.conf is:

SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin

I just created the .spamassassin in the /var/spool/postfix folder and now spamassassin does not complain.

However, if I check a message in MailWatch I get:

cached not
resultat=-1.507
2 krav
-2.60 BAYES_00 Bayesian spam probability is 0 to 1%
1.09 EXTRA_MPART_TYPE Header has extraneous Content-type:...type= entry
0.00 HTML_MESSAGE HTML included in message

checking same message with spamassassin -D -t /var/spool/MailScanner/quarantine/20081126/nonspam/F2F6E873B0.90E15

gives me:

Content analysis details: (3.6 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.1 EXTRA_MPART_TYPE       Header has extraneous Content-type:...type= entry
 1.8 SARE_SPEC_REPLICA_OBFU BODY: Rolex with obfuscated replica
 0.3 SARE_WEOFFER           BODY: Offers Something
 0.1 TW_HM                  BODY: Odd Letter Triples with HM
 0.0 HTML_MESSAGE           BODY: HTML included in message
-1.1 BAYES_05               BODY: Bayesian spam probability is 1 to 5%
                            [score: 0.0115]
 1.4 SARE_GIF_ATTACH        FULL: Email has a inline gif

What can be the problem? I'm thinking my Apache user is perhaps missing permissions somewhere and cannot present the right result? Could this be the case? Look also at the different scores 1.09/1.1 and Bayes hit 00/05

/Daniel

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen
Sent: 26 November 2008 11:39
To: MailScanner discussion
Subject: Re: Local State Dir - /var/lib/spamassassin - SARE rules no hits

2008/11/26 Glenn Steen :
> 2008/11/26 Daniel Flensburg :
> (snip)
>> Before I do something stupid. What would be the right settings?
Could I just run chown -R postfix:www-data against the quarantine dir? Do I have to change the setting: Quarantine User = postfix? Something else? chmod the quarantine dir? >> > Do the chmod as you suggest (so that it includes the quarantine chown... of course:-). > directory), and change Quarantine User to postfix, then restart > MailScanner. That should be all. > >> Thank you all for your help! >> >> /Daniel >> > (snip) > > Cheers > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From ms-list at alexb.ch Wed Nov 26 13:08:19 2008 From: ms-list at alexb.ch (Alex Broens) Date: Wed Nov 26 13:06:19 2008 Subject: SV: Local State Dir - /var/lib/spamassassin - SARE rules no hits In-Reply-To: <3DF8101092666E4A9020D949E419EB6F02B9DEF6@ensms02.iris.se> References: <910ee2ac0811201634se99a4daob2b8ff95088daf27@mail.gmail.com><3DF8101092666E4A9020D949E419EB6F02B7BCAA@ensms02.iris.se><3DF8101092666E4A9020D949E419EB6F02B9D3C8@ensms02.iris.se><223f97700811240622s743469aaw9bb56791c0ea6192@mail.gmail.com><3DF8101092666E4A9020D949E419EB6F02B9DA14@ensms02.iris.se><223f97700811250803k4184f9a8rb9e2017b33f37a38@mail.gmail.com><223f97700811250806s56cdfec8mbfc21032647191c7@mail.gmail.com><3DF8101092666E4A9020D949E419EB6F02B9DCEF@ensms02.iris.se><223f97700811260238n1bda3741hc38339979a893206@mail.gmail.com> <223f97700811260238p464eb18boeb83ba308a5cfbc6@mail.gmail.com> <3DF8101092666E4A9020D949E419EB6F02B9DEF6@ensms02.iris.se> Message-ID: <492D4A43.8070109@alexb.ch> On 11/26/2008 1:48 PM, Daniel Flensburg wrote: > BUT the settings in MailScanner.conf is: > > SpamAssassin 
User State Dir = /var/spool/MailScanner/spamassassin what are you trying to reinvent? pls send me your mailscanner.conf offflist will edit and add some instructions so you can move on... Alex From neilw at dcdata.co.za Wed Nov 26 15:15:10 2008 From: neilw at dcdata.co.za (Neil Wilson) Date: Wed Nov 26 15:14:50 2008 Subject: [Fwd: error when starting MS] In-Reply-To: <491BEFF4.4020102@ecs.soton.ac.uk> References: <491A7588.5050307@dcdata.co.za> <491B1B67.7020200@ecs.soton.ac.uk> <491BC645.2070703@dcdata.co.za> <491BEFF4.4020102@ecs.soton.ac.uk> Message-ID: <492D67FE.2020804@dcdata.co.za> Julian Field wrote: >>> What does this produce? >>> >>> perl -MFilesys::Df -e 'print $Filesys::Df::VERSION;' >>> >>> It should print the version number of Filesys::Df. If it doesn't >>> then try removing the Df.pm file you found, and re-install the >>> module from CPAN. >> I get the following, should I try removing it anyway, and then >> re-installing it? >> >> perl -MFilesys::Df -e 'print $Filesys::Df::VERSION;' >> 0.92 > So that worked. Try removing and reinstalling it anyway, just in case > that helps. Not sure if anyone has any other ideas, but for some reason I still can't get my MS to start after an upgrade to the latest version. Below is the full error. Starting MailScanner...Can't locate Filesys/Df.pm in @INC (@INC contains: /opt/MailScanner/lib /usr/lib/perl5/5.8.6/i486-linux /usr/lib/perl5/5.8.6 /usr/lib/perl5/site_perl/5.8.6/i486-linux /usr/lib/perl5/site_perl/5.8.6 /usr/lib/perl5/site_perl . /opt/MailScanner/lib) at /opt/MailScanner/bin/MailScanner line 67. BEGIN failed--compilation aborted at /opt/MailScanner/bin/MailScanner line 67. Done. I've tried re-installing the module from cpan and from source with still no luck, the module definitely exists, and MS even detects it when I try and re-install MS /usr/lib/perl5/site_perl/5.8.6/i486-linux/Filesys/Df.pm Below is from the install.log Oh good, module Filesys::Df version 0.90 is already installed. 
Please shout if anyone has any other suggestions.

Thanks.
Neil

This email and all contents are subject to the following disclaimer:
http://www.dcdata.co.za/emaildisclaimer.html

From bbecken at aafp.org Wed Nov 26 16:16:45 2008
From: bbecken at aafp.org (Brad Beckenhauer)
Date: Wed Nov 26 16:17:30 2008
Subject: Clamav updated to version 0.94.2
Message-ID: <492D220D.BC55.0068.3@aafp.org>

The main clamav.org webpage still shows 0.94.1 as stable
But the sources webpage shows 0.94.2 as stable.
http://www.clamav.net/download/sources/

thanks
Brad

From glenn.steen at gmail.com Wed Nov 26 16:20:58 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Nov 26 16:21:08 2008
Subject: Local State Dir - /var/lib/spamassassin - SARE rules no hits
In-Reply-To: <3DF8101092666E4A9020D949E419EB6F02B9DEF6@ensms02.iris.se>
References: <910ee2ac0811201634se99a4daob2b8ff95088daf27@mail.gmail.com> <3DF8101092666E4A9020D949E419EB6F02B9D3C8@ensms02.iris.se> <223f97700811240622s743469aaw9bb56791c0ea6192@mail.gmail.com> <3DF8101092666E4A9020D949E419EB6F02B9DA14@ensms02.iris.se> <223f97700811250803k4184f9a8rb9e2017b33f37a38@mail.gmail.com> <223f97700811250806s56cdfec8mbfc21032647191c7@mail.gmail.com> <3DF8101092666E4A9020D949E419EB6F02B9DCEF@ensms02.iris.se> <223f97700811260238n1bda3741hc38339979a893206@mail.gmail.com> <223f97700811260238p464eb18boeb83ba308a5cfbc6@mail.gmail.com> <3DF8101092666E4A9020D949E419EB6F02B9DEF6@ensms02.iris.se>
Message-ID: <223f97700811260820q46c31b81n9bf0c444ac35383c@mail.gmail.com>

2008/11/26 Daniel Flensburg :
> Ok, running spamassassin -D -t /var/spool/MailScanner/quarantine/20081126/spam/5CADB8739E.14348, gives me:
>
> [3924] dbg: config: using "/etc/spamassassin" for site rules pre files
> [3924] dbg: config: read file /etc/spamassassin/init.pre
> [3924] dbg: config: read file /etc/spamassassin/v310.pre
> [3924] dbg: config: read file /etc/spamassassin/v312.pre
> [3924] dbg: config: using "/var/lib/spamassassin/3.001004" for sys rules pre files
> [3924] dbg: config: read file /var/lib/spamassassin/3.001004/saupdates_openprotect_com.pre
> [3924] dbg: config: read file /var/lib/spamassassin/3.001004/updates_spamassassin_org.pre
> [3924] dbg: config: using "/var/lib/spamassassin/3.001004" for default rules dir
> [3924] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_adult_cf_sare_sa-update_dostech_net.cf
> [...]
> [3924] dbg: config: read file /var/lib/spamassassin/3.001004/saupdates_openprotect_com.cf
> [3924] dbg: config: read file /var/lib/spamassassin/3.001004/sought_rules_yerp_org.cf
> [3924] dbg: config: read file /var/lib/spamassassin/3.001004/updates_spamassassin_org.cf
> [3924] dbg: config: using "/etc/spamassassin" for site rules dir
> [3924] dbg: config: read file /etc/spamassassin/FuzzyOcr.cf
> [3924] dbg: config: read file /etc/spamassassin/mailscanner.cf
> [3924] dbg: config: read file /etc/spamassassin/pdfinfo.cf
> [3924] dbg: config: using "/var/spool/postfix/.spamassassin" for user state dir
> [3924] dbg: config: mkdir /var/spool/postfix/.spamassassin failed: mkdir /var/spool/postfix/.spamassassin: Permission denied at /usr/share/perl5/Mail/SpamAssassin.pm line 1491
> [3924] dbg: config: Permission denied
> [3924] dbg: config: using "/var/spool/postfix/.spamassassin" for user state dir
> [3924] dbg: config: mkdir /var/spool/postfix/.spamassassin failed: mkdir /var/spool/postfix/.spamassassin: Permission denied at /usr/share/perl5/Mail/SpamAssassin.pm line 1491
> [3924] dbg: config: Permission denied
> [3924] warn: config: cannot write to /var/spool/postfix/.spamassassin/user_prefs: No such file or directory
> [3924] warn: config: failed to create default user preference file /var/spool/postfix/.spamassassin/user_prefs
> [3924] dbg: config: using "/var/spool/postfix/.spamassassin/user_prefs" for user prefs file
>
>
> BUT the settings in MailScanner.conf is:
>
> SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin
>
That setting would only work if postfix can read and write it... Can
it? It seems to revert to the default. You could
mkdir ~postfix/.spamassassin
chown postfix.postfix ~postfix/.spamassassin
or something similar (as root), to get past that problem.

> I just created the .spamassassin in the /var/spool/postfix folder and now spamassassin does not complain.

Hm, perhaps I should start reading the whole message before giving advice:-):-)

> However, if I check a message in MailWatch I get:
>
> cached not
> resultat=-1.507
> 2 krav
> -2.60 BAYES_00 Bayesian spam probability is 0 to 1%
> 1.09 EXTRA_MPART_TYPE Header has extraneous Content-type:...type= entry
> 0.00 HTML_MESSAGE HTML included in message
>
> checking same message with spamassassin -D -t /var/spool/MailScanner/quarantine/20081126/nonspam/F2F6E873B0.90E15
>
> gives me:
>
> Content analysis details: (3.6 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  1.1 EXTRA_MPART_TYPE       Header has extraneous Content-type:...type= entry
>  1.8 SARE_SPEC_REPLICA_OBFU BODY: Rolex with obfuscated replica
>  0.3 SARE_WEOFFER           BODY: Offers Something
>  0.1 TW_HM                  BODY: Odd Letter Triples with HM
>  0.0 HTML_MESSAGE           BODY: HTML included in message
> -1.1 BAYES_05               BODY: Bayesian spam probability is 1 to 5%
>                             [score: 0.0115]
>  1.4 SARE_GIF_ATTACH        FULL: Email has a inline gif
>
> What can be the problem? I'm thinking my Apache user is perhaps missing permissions somewhere and cannot present the right result? Could this be the case? Look also at the different scores 1.09/1.1 and Bayes hit 00/05

For some reason your MS instance of SA doesn't seem to think it can do
network tests... or rather DNS-based tests. Do you have the
mailscanner.cf symlink? Do you try "force" dns to on, or do you rely
on it being detected?
Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From ms-list at alexb.ch Wed Nov 26 17:34:56 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Wed Nov 26 17:32:55 2008
Subject: Local State Dir - /var/lib/spamassassin - SARE rules no hits
In-Reply-To: <223f97700811260820q46c31b81n9bf0c444ac35383c@mail.gmail.com>
References: <910ee2ac0811201634se99a4daob2b8ff95088daf27@mail.gmail.com> <3DF8101092666E4A9020D949E419EB6F02B9D3C8@ensms02.iris.se> <223f97700811240622s743469aaw9bb56791c0ea6192@mail.gmail.com> <3DF8101092666E4A9020D949E419EB6F02B9DA14@ensms02.iris.se> <223f97700811250803k4184f9a8rb9e2017b33f37a38@mail.gmail.com> <223f97700811250806s56cdfec8mbfc21032647191c7@mail.gmail.com> <3DF8101092666E4A9020D949E419EB6F02B9DCEF@ensms02.iris.se> <223f97700811260238n1bda3741hc38339979a893206@mail.gmail.com> <223f97700811260238p464eb18boeb83ba308a5cfbc6@mail.gmail.com> <3DF8101092666E4A9020D949E419EB6F02B9DEF6@ensms02.iris.se> <223f97700811260820q46c31b81n9bf0c444ac35383c@mail.gmail.com>
Message-ID: <492D88C0.1060605@alexb.ch>

On 11/26/2008 5:20 PM, Glenn Steen wrote:

> That setting would only work if postfix can read and write it... Can
> it? It seems to revert to the default. You could
> mkdir ~postfix/.spamassassin
> chown postfix.postfix ~postfix/.spamassassin
> or something similar (as root), to get past that problem.

perhaps do it the k.i.s.s way to start off with.. and tighten up as you go...

Run As User = postfix
Run As Group = postfix
Incoming Work User = # YES! EMPTY!
Incoming Work Group = # YES! EMPTY!
Incoming Work Permissions = 0640
Quarantine User = root
Quarantine Group = apache #www_run # whatever_required_for_specific OS
Quarantine Permissions = 0664

##replace "apache" with whatever you need for specific OS

chown -R postfix:postfix /var/spool/MailScanner/incoming
chown -R postfix:apache /var/spool/MailScanner/quarantine
chmod 0775 -R /var/spool/MailScanner/quarantine

does that work for you?

if yes.. slowly tighten up and find the best for your needs..

Ale

From astephens at ptera.net Wed Nov 26 19:16:45 2008
From: astephens at ptera.net (Arthur Stephens)
Date: Wed Nov 26 19:16:56 2008
Subject: Dumb Question
Message-ID: <492DA09D.1000208@ptera.net>

I want to upgrade do I run the install.sh to do that?

[root@mailgate MailScanner-4.72.5-1]# MailScanner -v
Running on
Linux mailgate.ptera.net 2.6.15-1.2054_FC5smp #1 SMP Tue Mar 14 16:05:46 EST 2006 i686 i686 i386 GNU/Linux
This is Fedora Core release 5 (Bordeaux)
This is Perl version 5.008008 (5.8.8)

This is MailScanner version 4.55.10
Module versions are:
1.00 AnyDBM_File
1.14 Archive::Zip
1.04 Carp
1.119 Convert::BinHex
1.00 DirHandle
1.05 Fcntl
2.74 File::Basename
2.09 File::Copy
2.01 FileHandle
1.08 File::Path
0.16 File::Temp
0.90 Filesys::Df
1.35 HTML::Entities
3.54 HTML::Parser
2.37 HTML::TokeParser
1.22 IO
1.13 IO::File
1.13 IO::Pipe
1.71 Mail::Header
3.05 MIME::Base64
5.420 MIME::Decoder
5.420 MIME::Decoder::UU
5.420 MIME::Head
5.420 MIME::Parser
3.03 MIME::QuotedPrint
5.420 MIME::Tools
0.10 Net::CIDR
1.09 POSIX
1.78 Socket
1.4 Sys::Hostname::Long
0.17 Sys::Syslog
1.86 Time::HiRes
1.02 Time::localtime

Optional module versions are:
0.17 Convert::TNEF
1.814 DB_File
1.12 DBD::SQLite
1.52 DBI
1.14 Digest
1.01 Digest::HMAC
2.36 Digest::MD5
2.11 Digest::SHA1
missing Inline
missing Mail::ClamAV
3.001000 Mail::SpamAssassin
missing Mail::SPF::Query
missing Net::CIDR::Lite
1.24 Net::IP
0.55 Net::DNS
missing Net::LDAP
missing Parse::RecDescent
missing SAVI
2.56 Test::Harness
0.62 Test::Simple
1.95 Text::Balanced
1.35 URI -- Arthur Stephens Senior Sales Technician Ptera Wireless Internet Service PO Box 135 Liberty Lake, WA 99019 509-927-7837 For technical support visit http://www.ptera.net/support ----------------------------------------------------------------------------- "This message may contain confidential and/or propriety information, and is intended for the person/entity to whom it was originally addressed. Any use by others is strictly prohibited. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company." From glenn.steen at gmail.com Wed Nov 26 20:00:34 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Nov 26 20:00:44 2008 Subject: Dumb Question In-Reply-To: <492DA09D.1000208@ptera.net> References: <492DA09D.1000208@ptera.net> Message-ID: <223f97700811261200k3bac69b1j4b25f9d66aea21a5@mail.gmail.com> 2008/11/26 Arthur Stephens : > I want to upgrade do I run the install.sh to do that? > Yes. There is a nice section on how to do this in the MAQ (http://wiki.mailscanner.info/doku.php?id=maq:index#upgrade_rpm). > [root@mailgate MailScanner-4.72.5-1]# MailScanner -v > Running on > Linux mailgate.ptera.net 2.6.15-1.2054_FC5smp #1 SMP Tue Mar 14 16:05:46 EST > 2006 i686 i686 i386 GNU/Linux > This is Fedora Core release 5 (Bordeaux) > This is Perl version 5.008008 (5.8.8) > > This is MailScanner version 4.55.10 And indeed... you NEED that upgrade. 
Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From maxsec at gmail.com Wed Nov 26 21:05:57 2008 From: maxsec at gmail.com (Martin Hepworth) Date: Wed Nov 26 21:06:05 2008 Subject: Dumb Question In-Reply-To: <223f97700811261200k3bac69b1j4b25f9d66aea21a5@mail.gmail.com> References: <492DA09D.1000208@ptera.net> <223f97700811261200k3bac69b1j4b25f9d66aea21a5@mail.gmail.com> Message-ID: <72cf361e0811261305l417953f5n1c422a9c89f518f5@mail.gmail.com> 2008/11/26 Glenn Steen : > 2008/11/26 Arthur Stephens : >> I want to upgrade do I run the install.sh to do that? >> > Yes. There is a nice section on how to do this in the MAQ > (http://wiki.mailscanner.info/doku.php?id=maq:index#upgrade_rpm). > >> [root@mailgate MailScanner-4.72.5-1]# MailScanner -v >> Running on >> Linux mailgate.ptera.net 2.6.15-1.2054_FC5smp #1 SMP Tue Mar 14 16:05:46 EST >> 2006 i686 i686 i386 GNU/Linux >> This is Fedora Core release 5 (Bordeaux) >> This is Perl version 5.008008 (5.8.8) >> >> This is MailScanner version 4.55.10 > And indeed... you NEED that upgrade. > > Cheers > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > and not just the mailScanner is in need of upgrading either. Don't ya love FC installs ;-) -- Martin Hepworth Oxford, UK From astephens at ptera.net Wed Nov 26 23:44:27 2008 From: astephens at ptera.net (Arthur Stephens) Date: Wed Nov 26 23:44:39 2008 Subject: Big increase in spam Message-ID: <492DDF5B.2060207@ptera.net> Is it just me or did spammers figure out a away to get around mail scanner. I used not get any spam at all. But now so far today I have received 20 to 30 so far. 
So I upgraded MailScanner - double checked config settings but they still keep coming. -- Arthur Stephens Senior Sales Technician Ptera Wireless Internet Service PO Box 135 Liberty Lake, WA 99019 509-927-7837 For technical support visit http://www.ptera.net/support ----------------------------------------------------------------------------- "This message may contain confidential and/or propriety information, and is intended for the person/entity to whom it was originally addressed. Any use by others is strictly prohibited. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company." From ecasarero at gmail.com Thu Nov 27 02:17:21 2008 From: ecasarero at gmail.com (Eduardo Casarero) Date: Thu Nov 27 02:17:32 2008 Subject: Big increase in spam In-Reply-To: <492DDF5B.2060207@ptera.net> References: <492DDF5B.2060207@ptera.net> Message-ID: <7d9b3cf20811261817g44cdd571g2602007123e533ea@mail.gmail.com> http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9121678 check that, Srizbi botnet apparently came back. just like terminator. 2008/11/26 Arthur Stephens > Is it just me or did spammers figure out a away to get around mail scanner. > I used not get any spam at all. But now so far today I have received 20 to > 30 so far. > So I upgraded MailScanner - double checked config settings but they still > keep coming. > > -- > Arthur Stephens > Senior Sales Technician > Ptera Wireless Internet Service > PO Box 135 > Liberty Lake, WA 99019 > 509-927-7837 > For technical support visit http://www.ptera.net/support > > ----------------------------------------------------------------------------- > "This message may contain confidential and/or propriety information, > and is intended for the person/entity to whom it was originally > addressed. Any use by others is strictly prohibited. 
> Please note that any views or opinions presented in this email are solely
> those of the author and are not intended to represent those of the company."
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081127/e64366fa/attachment.html

From hvdkooij at vanderkooij.org Thu Nov 27 06:27:44 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Thu Nov 27 06:37:59 2008
Subject: Big increase in spam
In-Reply-To: <492DDF5B.2060207@ptera.net>
References: <492DDF5B.2060207@ptera.net>
Message-ID: <492E3DE0.4070002@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Arthur Stephens wrote:
> Is it just me or did spammers figure out a away to get around mail scanner.
> I used not get any spam at all. But now so far today I have received 20
> to 30 so far.
> So I upgraded MailScanner - double checked config settings but they
> still keep coming.

Well. What are the SA scores for those messages?

My guess: Your SA database has been polluted so your SA score will stick
around 50% and without other matches in SA that is usually not enough to
be stopped.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

I am not in the office at the moment. Send any work to be translated.
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFJLj3eBvzDRVjxmYERAtklAJ9bVjGuGm9bw4AeRDS8dZ2qCHqrZwCfQd3r PFW5VQ25sihyDuS4orGGtlo= =67k0 -----END PGP SIGNATURE----- From Daniel.Flensburg at iris.se Thu Nov 27 10:13:21 2008 From: Daniel.Flensburg at iris.se (Daniel Flensburg) Date: Thu Nov 27 10:17:00 2008 Subject: SV: Local State Dir - /var/lib/spamassassin - SARE rules no hits In-Reply-To: <223f97700811260820q46c31b81n9bf0c444ac35383c@mail.gmail.com> References: <910ee2ac0811201634se99a4daob2b8ff95088daf27@mail.gmail.com><3DF8101092666E4A9020D949E419EB6F02B9D3C8@ensms02.iris.se><223f97700811240622s743469aaw9bb56791c0ea6192@mail.gmail.com><3DF8101092666E4A9020D949E419EB6F02B9DA14@ensms02.iris.se><223f97700811250803k4184f9a8rb9e2017b33f37a38@mail.gmail.com><223f97700811250806s56cdfec8mbfc21032647191c7@mail.gmail.com><3DF8101092666E4A9020D949E419EB6F02B9DCEF@ensms02.iris.se><223f97700811260238n1bda3741hc38339979a893206@mail.gmail.com><223f97700811260238p464eb18boeb83ba308a5cfbc6@mail.gmail.com><3DF8101092666E4A9020D949E419EB6F02B9DEF6@ensms02.iris.se> <223f97700811260820q46c31b81n9bf0c444ac35383c@mail.gmail.com> Message-ID: <3DF8101092666E4A9020D949E419EB6F02BC30E8@ensms02.iris.se> > > SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin > That setting would only work if postfix can read and write it... Can it? It seems to revert to the default. You could mkdir ~postfix/.spamassassin chown postfix.postfix ~postfix/.spamassassin or something similar (as root), to get past that problem. postfix user can ls and create files in this dir. Strange... > I just created the .spamassassin in the /var/spool/postfix folder and now spamassassin does not complain. 
Hm, perhaps I should start reading the whole message before giving advice:-):-) > however If I check a message in MailWatch I get: > > cached not > resultat=-1.507 > 2 krav > -2.60 BAYES_00 Bayesian spam probability is 0 to 1% > 1.09 EXTRA_MPART_TYPE Header has extraneous Content-type:...type= entry > 0.00 HTML_MESSAGE HTML included in message > > checking same message with spamassassin -D -t /var/spool/MailScanner/quarantine/20081126/nonspam/F2F6E873B0.90E15 > > gives me: > > Content analysis details: (3.6 points, 5.0 required) > > pts rule name description > ---- ---------------------- -------------------------------------------------- > 1.1 EXTRA_MPART_TYPE Header has extraneous Content-type:...type= entry > 1.8 SARE_SPEC_REPLICA_OBFU BODY: Rolex with obfuscated replica > 0.3 SARE_WEOFFER BODY: Offers Something > 0.1 TW_HM BODY: Odd Letter Triples with HM > 0.0 HTML_MESSAGE BODY: HTML included in message > -1.1 BAYES_05 BODY: Bayesian spam probability is 1 to 5% > [score: 0.0115] > 1.4 SARE_GIF_ATTACH FULL: Email has a inline gif > > What can be the problem? I'm thinking my Apache user is perhaps missing permissions somewhere and cannot present the right result? Could this be the case? Look also at the differens scores 1.09/1.1 and Bayes hit 00/05 For some reason your MS instance of SA doesn't seem to think it can do network tests... or rather DNS-based tests. Do you have the mailscanner.cf symlink? Do you try "force" dns to on, or do you rely on it being detected? 
I have the symlink:

lrwxrwxrwx 1 root root 45 2007-02-08 10:04 mailscanner.cf -> /opt/MailScanner/etc/spam.assassin.prefs.conf

If you mean this setting in spam.assassin.prefs.conf, then yes I "force" dns:

# ================== Settings For SpamAssassin ===========================
dns_available yes

From Kit at simplysites.co.uk Thu Nov 27 10:27:17 2008
From: Kit at simplysites.co.uk (Kit Wong)
Date: Thu Nov 27 10:27:34 2008
Subject: Big increase in spam
In-Reply-To: <492E3DE0.4070002@vanderkooij.org>
References: <492DDF5B.2060207@ptera.net> <492E3DE0.4070002@vanderkooij.org>
Message-ID:

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Hugo van der Kooij
Sent: 27 November 2008 06:28
To: MailScanner discussion
Subject: Re: Big increase in spam

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Arthur Stephens wrote:
> Is it just me or did spammers figure out a away to get around mail scanner.
> I used not get any spam at all. But now so far today I have received 20
> to 30 so far.
> So I upgraded MailScanner - double checked config settings but they
> still keep coming.

Well. What are the SA scores for those messages?

My guess: Your SA database has been polluted so your SA score will stick
around 50% and without other matches in SA that is usually not enough to
be stopped.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

I am not in the office at the moment. Send any work to be translated.
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFJLj3eBvzDRVjxmYERAtklAJ9bVjGuGm9bw4AeRDS8dZ2qCHqrZwCfQd3r PFW5VQ25sihyDuS4orGGtlo= =67k0 -----END PGP SIGNATURE----- -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- Scanned by MailScanner. ------------------------------------------------------------------ I have noticed 50% increase here. They are a variant of "Night of Pleasure" as the subject all from different ip/senders/emails etc. I have greylisting, 3 rbl in sendmail and they are getting through. I noticed that they all get a hit with KAM_THEBAT which I have now bumped up the score. This has caught 99% of them. (not sure if anyone actually use THEBAT, but that's too bad at the moment). Regards Kit From Daniel.Flensburg at iris.se Thu Nov 27 14:07:44 2008 From: Daniel.Flensburg at iris.se (Daniel Flensburg) Date: Thu Nov 27 14:11:16 2008 Subject: SV: Local State Dir - /var/lib/spamassassin - SARE rules no hits In-Reply-To: <492D88C0.1060605@alexb.ch> References: <910ee2ac0811201634se99a4daob2b8ff95088daf27@mail.gmail.com> <3DF8101092666E4A9020D949E419EB6F02B9D3C8@ensms02.iris.se> <223f97700811240622s743469aaw9bb56791c0ea6192@mail.gmail.com> <3DF8101092666E4A9020D949E419EB6F02B9DA14@ensms02.iris.se> <223f97700811250803k4184f9a8rb9e2017b33f37a38@mail.gmail.com> <223f97700811250806s56cdfec8mbfc21032647191c7@mail.gmail.com> <3DF8101092666E4A9020D949E419EB6F02B9DCEF@ensms02.iris.se> <223f97700811260238n1bda3741hc38339979a893206@mail.gmail.com> <223f97700811260238p464eb18boeb83ba308a5cfbc6@mail.gmail.com> <3DF8101092666E4A9020D949E419EB6F02B9DEF6@ensms02.iris.se><223f97700811260820q46c31b81n9bf0c444ac35383c@mail.gmail.com> <492D88C0.1060605@alexb.ch> Message-ID: 
<3DF8101092666E4A9020D949E419EB6F02BC327B@ensms02.iris.se>

The settings you suggest seem to work, but still no SARE-rule hits. I have tested once again to send a message that gets SARE-hits on another MS-server, but no no...

I think I give up. It's an old setup on old hardware. I'll apply for money and time to install a new system on newer hardware.

Thank you anyway! I'll be back!

/Daniel

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Broens
Sent: 26 November 2008 18:35
To: MailScanner discussion
Subject: Re: Local State Dir - /var/lib/spamassassin - SARE rules no hits

On 11/26/2008 5:20 PM, Glenn Steen wrote:
> That setting would only work if postfix can read and write it... Can
> it? It seems to revert to the default. You could
> mkdir ~postfix/.spamassassin
> chown postfix.postfix ~postfix/.spamassassin
> or something similar (as root), to get past that problem.

perhaps do it the k.i.s.s way to start off with.. and tighten up as you go...

Run As User = postfix
Run As Group = postfix
Incoming Work User = # YES! EMPTY!
Incoming Work Group = # YES! EMPTY!
Incoming Work Permissions = 0640
Quarantine User = root
Quarantine Group = apache #www_run # whatever_required_for_specific OS
Quarantine Permissions = 0664

##replace "apache" with whatever you need for specific OS
chown -R postfix:postfix /var/spool/MailScanner/incoming
chown -R postfix:apache /var/spool/MailScanner/quarantine
chmod 0775 -R /var/spool/MailScanner/quarantine

does that work for you?
if yes.. slowly tighten up and find the best for your needs..

Ale

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!
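The ownership scheme quoted in the message above starts permissive (0775 directories, 0664 files, group set to the web server's) and is meant to be tightened afterwards. The shell functions below are an added example, not part of any message in this thread and not MailScanner code: they list which spool entries still grant access to "other", carry the wrong group, or cannot be used by the group the web front end runs under. The function names are hypothetical, and treating "no access for other" as the tightening target is an assumption.

```shell
#!/bin/sh
# Added example: audit a MailScanner spool tree against the ownership scheme
# quoted above. Function names are hypothetical; only POSIX find options are used.

# Entries that still grant read, write or execute/search to "other".
# The permissive starting point (0775 directories, 0664 files) shows up here.
other_access() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Entries whose group is not the expected one (for example apache on the
# quarantine tree, so that the web front end can read it).
wrong_group() {
    find "$1" ! -group "$2" -print
}

# Entries the group cannot use: directories need r-x for the group,
# everything else needs r--.
group_blocked() {
    find "$1" \( \( -type d ! -perm -050 \) -o \( ! -type d ! -perm -040 \) \) -print
}

# audit_spool DIR GROUP
# Prints one tagged line per finding. Returns 0 when the tree is clean,
# 1 when there is at least one finding.
audit_spool() {
    spool_dir=$1
    spool_group=$2
    report=$(
        other_access "$spool_dir" | sed 's/^/OTHER-ACCESS /'
        wrong_group "$spool_dir" "$spool_group" | sed 's/^/WRONG-GROUP /'
        group_blocked "$spool_dir" | sed 's/^/GROUP-BLOCKED /'
    )
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# Stand-alone use: sh audit_spool.sh /var/spool/MailScanner/quarantine apache
if [ "$#" -eq 2 ]; then
    audit_spool "$1" "$2"
fi
```

Run against a tree set up with the chmod 0775 and 0664 values above, every entry is reported as OTHER-ACCESS; the list shrinks as modes are tightened, and GROUP-BLOCKED lines show when tightening has gone far enough to lock the web server's group out.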
From ms-list at alexb.ch Thu Nov 27 14:35:08 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Thu Nov 27 14:33:03 2008
Subject: SV: Local State Dir - /var/lib/spamassassin - SARE rules no hits
In-Reply-To: <3DF8101092666E4A9020D949E419EB6F02BC327B@ensms02.iris.se>
References: <910ee2ac0811201634se99a4daob2b8ff95088daf27@mail.gmail.com> <3DF8101092666E4A9020D949E419EB6F02B9D3C8@ensms02.iris.se> <223f97700811240622s743469aaw9bb56791c0ea6192@mail.gmail.com> <3DF8101092666E4A9020D949E419EB6F02B9DA14@ensms02.iris.se> <223f97700811250803k4184f9a8rb9e2017b33f37a38@mail.gmail.com> <223f97700811250806s56cdfec8mbfc21032647191c7@mail.gmail.com> <3DF8101092666E4A9020D949E419EB6F02B9DCEF@ensms02.iris.se> <223f97700811260238n1bda3741hc38339979a893206@mail.gmail.com> <223f97700811260238p464eb18boeb83ba308a5cfbc6@mail.gmail.com> <3DF8101092666E4A9020D949E419EB6F02B9DEF6@ensms02.iris.se><223f97700811260820q46c31b81n9bf0c444ac35383c@mail.gmail.com> <492D88C0.1060605@alexb.ch> <3DF8101092666E4A9020D949E419EB6F02BC327B@ensms02.iris.se>
Message-ID: <492EB01C.8070800@alexb.ch>

On 11/27/2008 3:07 PM, Daniel Flensburg wrote:
> The settings you suggest seem to work, but still no SARE-rule hits.
> I have tested once again to send a message that gets SARE-hits on
> another MS-server, but no no...

here's an idea...

remove the SARE sa-update channel (those rules haven't changed for a long time & it's unlikely that they will - partially my fault)

MOVE all the SARE rules you want to keep to /etc/mail/spamassassin

that should work...

> I think I give up. It's an old setup on old hardware. I'll apply for
> money and time to install a new system on newer hardware.

unusual approach for a little problem, but hey....
Alex From t.d.lee at durham.ac.uk Thu Nov 27 16:27:18 2008 From: t.d.lee at durham.ac.uk (David Lee) Date: Thu Nov 27 16:28:33 2008 Subject: 4.73.2 beta released, and new trend-autoupdate In-Reply-To: <49282947.6000302@ecs.soton.ac.uk> References: <49282947.6000302@ecs.soton.ac.uk> Message-ID: On Sat, 22 Nov 2008, Julian Field wrote: > [...] > I have also just released a whole new MailScanner 4.73.2 including this new > replacement file. > [...] Does it also look at the measures discussed earlier this month to detect logjams from segfaulting MS? (Thread "MS/perl segfaults".) I'd be happy to try to beta-test that. -- : David Lee I.T. Service : : Senior Systems Programmer Computer Centre : : UNIX Team Leader Durham University : : South Road : : http://www.dur.ac.uk/t.d.lee/ Durham DH1 3LE : : Phone: +44 191 334 2752 U.K. : From t.d.lee at durham.ac.uk Thu Nov 27 16:39:36 2008 From: t.d.lee at durham.ac.uk (David Lee) Date: Thu Nov 27 16:41:58 2008 Subject: Centos 5.2, MS, perl ClamAV module Message-ID: I'm aware that the topic of the perl ClamAV module is a frequent one (because of the unfortunate habit of the clamav software to change its interface on each minor release, requiring the perl module maintainer to do work). I've just tried a fresh install (64 bit Intel) of Centos 5.2, MS-4.72.5-1 and install-Clam-SA-latest.tar.gz (install-Clam-0.94.1-SA-3.2.5). "install-Clam-0.94.1-SA-3.2.5" successfully builds the clamav software itself (installing it into "/usr/local/{bin,lib64,etc,include}" (etc.) It then tries to build the perl ClamAV module, which fails: ClamAV.xs:308: error: 'CL_EFSYNC' undeclared (first use in this function) ClamAV.xs:321: error: 'CL_ELOCKDB' undeclared (first use in this function) Looking in the (just previously installed) "/usr/local/include/clamav.h" shows that "CL_EFSYNC" is commented out, and that "CL_ELOCKDB" doesn't seem to exist at all. So the two clam-related bits of "install-Clam-0.94.1-SA-3.2.5" would seem to be inconsistent. 
Is the recommendation is that we no longer use the perl ClamAV module and instead use "clamd"? If so, then are all the pieces in place to ensure that the "clamd" module is automatically invoked? (The "chkconfig ..." and "service ... start" or equivalents?) -- : David Lee I.T. Service : : Senior Systems Programmer Computer Centre : : UNIX Team Leader Durham University : : South Road : : http://www.dur.ac.uk/t.d.lee/ Durham DH1 3LE : : Phone: +44 191 334 2752 U.K. : From steve.freegard at fsl.com Thu Nov 27 16:47:56 2008 From: steve.freegard at fsl.com (Steve Freegard) Date: Thu Nov 27 16:48:07 2008 Subject: Centos 5.2, MS, perl ClamAV module In-Reply-To: References: Message-ID: <492ECF3C.40804@fsl.com> David Lee wrote: > > Is the recommendation is that we no longer use the perl ClamAV module > and instead use "clamd"? > Yes - IMHO. The module hogs memory as each child has it's own copy of the signatures; clamd is threaded and therefore all threads share a single in-memory copy of the signatures. Cheers, Steve. From NIKOLAOS.PAVLIDIS at beds.ac.uk Thu Nov 27 16:51:24 2008 From: NIKOLAOS.PAVLIDIS at beds.ac.uk (NIKOLAOS PAVLIDIS) Date: Thu Nov 27 16:51:37 2008 Subject: Centos 5.2, MS, perl ClamAV module In-Reply-To: <492ED00C0200002700025EE9@gwiadom.oes.beds.ac.uk> References: <492ECE7D0200003600021D2F@gwiadom.oes.beds.ac.uk> <492ED00C0200002700025EE9@gwiadom.oes.beds.ac.uk> Message-ID: <492ED00C0200002700025EE9@gwiadom.oes.beds.ac.uk> Hello David, The development of the perl clamav module is quite slow and as discussed previously, the clamd solution is the optimal one. From my experience clamd is fully implementable on centos systems, all you need is the clamd script in /etc/init.d. Sample scripts are available under contrib/init just make sure that you configure your clamd.conf to your specs since MS will not be providing the configuration options for it since it will be invoked separately as a daemon. 
Regards, Nik On Thu, 2008-11-27 at 16:39 +0000, David Lee wrote: > I'm aware that the topic of the perl ClamAV module is a frequent one > (because of the unfortunate habit of the clamav software to change its > interface on each minor release, requiring the perl module maintainer to > do work). > > I've just tried a fresh install (64 bit Intel) of Centos 5.2, MS-4.72.5-1 > and install-Clam-SA-latest.tar.gz (install-Clam-0.94.1-SA-3.2.5). > > "install-Clam-0.94.1-SA-3.2.5" successfully builds the clamav software > itself (installing it into "/usr/local/{bin,lib64,etc,include}" (etc.) > > It then tries to build the perl ClamAV module, which fails: > ClamAV.xs:308: error: 'CL_EFSYNC' undeclared (first use in this function) > ClamAV.xs:321: error: 'CL_ELOCKDB' undeclared (first use in this function) > > Looking in the (just previously installed) "/usr/local/include/clamav.h" > shows that "CL_EFSYNC" is commented out, and that "CL_ELOCKDB" doesn't > seem to exist at all. > > So the two clam-related bits of "install-Clam-0.94.1-SA-3.2.5" would seem > to be inconsistent. > > Is the recommendation is that we no longer use the perl ClamAV module and > instead use "clamd"? > > If so, then are all the pieces in place to ensure that the "clamd" module > is automatically invoked? (The "chkconfig ..." and "service ... start" > or equivalents?) > > > -- > > : David Lee I.T. Service : > : Senior Systems Programmer Computer Centre : > : UNIX Team Leader Durham University : > : South Road : > : http://www.dur.ac.uk/t.d.lee/ Durham DH1 3LE : > : Phone: +44 191 334 2752 U.K. : -- ? 
Nikolaos Pavlidis BSc (Hons) MBCS NCLP System Administrator University Of Bedfordshire Park Square LU1 3JU Luton, Beds, UK Tel: +441582489277 From maxsec at gmail.com Thu Nov 27 17:15:16 2008 From: maxsec at gmail.com (Martin Hepworth) Date: Thu Nov 27 17:15:25 2008 Subject: Centos 5.2, MS, perl ClamAV module In-Reply-To: <492ED00C0200002700025EE9@gwiadom.oes.beds.ac.uk> References: <492ECE7D0200003600021D2F@gwiadom.oes.beds.ac.uk> <492ED00C0200002700025EE9@gwiadom.oes.beds.ac.uk> <492ED00C0200002700025EE9@gwiadom.oes.beds.ac.uk> Message-ID: <72cf361e0811270915o17ab998l4ebacc2ea81d8865@mail.gmail.com> 2008/11/27 NIKOLAOS PAVLIDIS : > Hello David, > > The development of the perl clamav module is quite slow and as discussed > previously, the clamd solution is the optimal one. From my experience > clamd is fully implementable on centos systems, all you need is the > clamd script in /etc/init.d. > > Sample scripts are available under contrib/init just make sure that you > configure your clamd.conf to your specs since MS will not be providing > the configuration options for it since it will be invoked separately as > a daemon. > > Regards, > > Nik > > On Thu, 2008-11-27 at 16:39 +0000, David Lee wrote: >> I'm aware that the topic of the perl ClamAV module is a frequent one >> (because of the unfortunate habit of the clamav software to change its > >> interface on each minor release, requiring the perl module maintainer > to >> do work). >> >> I've just tried a fresh install (64 bit Intel) of Centos 5.2, > MS-4.72.5-1 >> and install-Clam-SA-latest.tar.gz (install-Clam-0.94.1-SA-3.2.5). >> >> "install-Clam-0.94.1-SA-3.2.5" successfully builds the clamav software > >> itself (installing it into "/usr/local/{bin,lib64,etc,include}" (etc.) 
>> >> It then tries to build the perl ClamAV module, which fails: >> ClamAV.xs:308: error: 'CL_EFSYNC' undeclared (first use in this > function) >> ClamAV.xs:321: error: 'CL_ELOCKDB' undeclared (first use in this > function) >> >> Looking in the (just previously installed) > "/usr/local/include/clamav.h" >> shows that "CL_EFSYNC" is commented out, and that "CL_ELOCKDB" doesn't > >> seem to exist at all. >> >> So the two clam-related bits of "install-Clam-0.94.1-SA-3.2.5" would > seem >> to be inconsistent. >> >> Is the recommendation is that we no longer use the perl ClamAV module > and >> instead use "clamd"? >> >> If so, then are all the pieces in place to ensure that the "clamd" > module >> is automatically invoked? (The "chkconfig ..." and "service ... > start" >> or equivalents?) >> >> >> -- >> >> : David Lee I.T. Service : >> : Senior Systems Programmer Computer Centre : >> : UNIX Team Leader Durham University : >> : South Road : >> : http://www.dur.ac.uk/t.d.lee/ Durham DH1 3LE : >> : Phone: +44 191 334 2752 U.K. : > -- > ? > Nikolaos Pavlidis BSc (Hons) MBCS NCLP > System Administrator > University Of Bedfordshire > Park Square LU1 3JU > Luton, Beds, UK > Tel: +441582489277 > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > Another vote for clamd, I've been running clamd at my old work since the beta's came out with clam support and never had any issues. 
-- Martin Hepworth Oxford, UK From t.d.lee at durham.ac.uk Thu Nov 27 18:17:45 2008 From: t.d.lee at durham.ac.uk (David Lee) Date: Thu Nov 27 18:18:14 2008 Subject: Centos 5.2, MS, perl ClamAV module In-Reply-To: <492ED00C0200002700025EE9@gwiadom.oes.beds.ac.uk> References: <492ECE7D0200003600021D2F@gwiadom.oes.beds.ac.uk> <492ED00C0200002700025EE9@gwiadom.oes.beds.ac.uk> <492ED00C0200002700025EE9@gwiadom.oes.beds.ac.uk> Message-ID: David Lee had asked: >> >> Is the recommendation is that we no longer use the perl ClamAV module and >> instead use "clamd"? >> >> If so, then are all the pieces in place to ensure that the "clamd" module >> is automatically invoked? (The "chkconfig ..." and "service ... start" >> or equivalents?) NIKOLAOS PAVLIDIS replied: > The development of the perl clamav module is quite slow and as discussed > previously, the clamd solution is the optimal one. From my experience > clamd is fully implementable on centos systems, all you need is the > clamd script in /etc/init.d. > > Sample scripts are available under contrib/init just make sure that you > configure your clamd.conf to your specs since MS will not be providing > the configuration options for it since it will be invoked separately as > a daemon. Thanks for the reply. On a personal level, I'm happy to switch to "clamd". Now, switching context away from "me and my problem" and towards "solving a general problem for potentially all clam users"... # ... Are all the pieces in place to ensure that the "clamd" module is # automatically invoked? (The "chkconfig ..." and "service ... start" or # equivalents?) And I think the answer is "not yet". Julian has done an excellent job not only with MS itself but, just as usefully, with getting the default installation (for all users) as reasonably right as it could be. But I suspect that this may be one area which needs attention. If the default recommendation for ClamAV has changed from being the perl module to being "clamd"... ... 
then the default installation should (I propose) automatically install the relevant "/etc/init.d" script (and other associated things that might be necessary). Julian: If the above is broadly correct, I'll happily help beta-test a revised "ClamAV/SA" tarfile that attempts to install "/etc/init.d/clamd" and friends. -- : David Lee I.T. Service : : Senior Systems Programmer Computer Centre : : UNIX Team Leader Durham University : : South Road : : http://www.dur.ac.uk/t.d.lee/ Durham DH1 3LE : : Phone: +44 191 334 2752 U.K. : From rcooper at dwford.com Thu Nov 27 19:23:36 2008 From: rcooper at dwford.com (Rick Cooper) Date: Thu Nov 27 19:23:49 2008 Subject: Centos 5.2, MS, perl ClamAV module In-Reply-To: References: Message-ID: If you look at the change log there were several changes to the libclamav api. Any time you see that you know that the perl module will be broken Rick > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On > Behalf Of David Lee > Sent: Thursday, November 27, 2008 2:40 PM > To: MailScanner discussion > Subject: Centos 5.2, MS, perl ClamAV module > > > I'm aware that the topic of the perl ClamAV module is a frequent one > (because of the unfortunate habit of the clamav software to > change its > interface on each minor release, requiring the perl module > maintainer to > do work). > > I've just tried a fresh install (64 bit Intel) of Centos > 5.2, MS-4.72.5-1 > and install-Clam-SA-latest.tar.gz (install-Clam-0.94.1-SA-3.2.5). > > "install-Clam-0.94.1-SA-3.2.5" successfully builds the > clamav software > itself (installing it into > "/usr/local/{bin,lib64,etc,include}" (etc.) 
> > It then tries to build the perl ClamAV module, which fails: > ClamAV.xs:308: error: 'CL_EFSYNC' undeclared (first use > in this function) > ClamAV.xs:321: error: 'CL_ELOCKDB' undeclared (first use > in this function) > > Looking in the (just previously installed) > "/usr/local/include/clamav.h" > shows that "CL_EFSYNC" is commented out, and that > "CL_ELOCKDB" doesn't > seem to exist at all. > > So the two clam-related bits of > "install-Clam-0.94.1-SA-3.2.5" would seem > to be inconsistent. > > Is the recommendation is that we no longer use the perl > ClamAV module and > instead use "clamd"? > > If so, then are all the pieces in place to ensure that the > "clamd" module > is automatically invoked? (The "chkconfig ..." and "service > ... start" > or equivalents?) > > > -- > > : David Lee I.T. Service : > : Senior Systems Programmer Computer Centre : > : UNIX Team Leader Durham University : > : South Road : > : http://www.dur.ac.uk/t.d.lee/ Durham DH1 3LE : > : Phone: +44 191 334 2752 U.K. : > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From Kit at simplysites.co.uk Thu Nov 27 21:55:31 2008 From: Kit at simplysites.co.uk (Kit Wong) Date: Thu Nov 27 21:55:53 2008 Subject: sendmail mailscanner exchange gateway Message-ID: Hi All I have setup a gateway using sendmail, mailscanner then to exhange as found http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:sendmail:how_to:setup_a_gateway&s=smtp Using this method however has its problems. 
Unknown email addresses are not rejected at the MTA level, which causes unnecessary load on MS.

Is there a method where I can configure sendmail to accept only valid email address then process it by mailscanner and smtp forwarded to the desired exchange server?

Thanks in advance
Kit
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081127/8863edf7/attachment.html

From alex at rtpty.com Thu Nov 27 22:06:02 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Thu Nov 27 22:06:14 2008
Subject: sendmail mailscanner exchange gateway
In-Reply-To:
References:
Message-ID: <1F820456-BA2D-463F-8711-CBF09BCD2D3E@rtpty.com>

Yes, there are several. My method for under 50 inboxes is to do this at /etc/mail/access:

To:alex@mydomain.com RELAY
To:alice@mydomain.com RELAY
To:bob@mydomain.com RELAY
To:mydomain.com 551 Unknown User. You're either a moron or a spammer. Go away! HAHAHAHA

(or words to that effect)

Otherwise you need to look them up.

On Nov 27, 2008, at 4:55 PM, Kit Wong wrote:
> Is there a method where I can configure sendmail to accept only
> valid email address then process it by mailscanner and smtp
> forwarded to the desired exchange server?
>

From traced at xpear.de Thu Nov 27 22:06:19 2008
From: traced at xpear.de (traced)
Date: Thu Nov 27 22:06:32 2008
Subject: sendmail mailscanner exchange gateway
In-Reply-To:
References:
Message-ID: <492F19DB.70901@xpear.de>

Hi,

dr. google showed several hits, this looks interesting, using ldap:

http://lists.mailscanner.info/pipermail/mailscanner/2006-February/058377.html

Regards,
Bastian

Kit Wong wrote:
> Hi All
>
> I have setup a gateway using sendmail, mailscanner then to Exchange as found
> http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:sendmail:how_to:setup_a_gateway&s=smtp
>
> Using this method however has its problems.
Unknown email addresses are > not rejected at the MTA level, which causes unneccessary load on MS. > > Is there a method where I can configure sendmail to accept only valid > email address then process it by mailscanner and smtp forwarded to the > desired exchange server? > > Thanks in advance > Kit > From glenn.steen at gmail.com Thu Nov 27 22:43:21 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Nov 27 22:43:31 2008 Subject: sendmail mailscanner exchange gateway In-Reply-To: References: Message-ID: <223f97700811271443m255a275cs57fdf24d57826f96@mail.gmail.com> 2008/11/27 Kit Wong : > Hi All > > I have setup a gateway using sendmail, mailscanner then to exhange as found > http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:sendmail:how_to:setup_a_gateway&s=smtp > Using this method however has its problems. Unknown email addresses are > not rejected at the MTA level, which causes unneccessary load on MS. > > Is there a method where I can configure sendmail to accept only valid email > address then process it by mailscanner and smtp forwarded to the desired > exchange server? > > Thanks in advance > Kit You can use a milter to do recipient address verification, if neither of the other suggestions are to your liking... As mentioned on the wiki (another article in the sendmail how_to folder), smf-sav is OK. 
Look at http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:sendmail:how_to:reject_non_existent_users Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From Kit at simplysites.co.uk Thu Nov 27 23:43:11 2008 From: Kit at simplysites.co.uk (Kit Wong) Date: Thu Nov 27 23:45:03 2008 Subject: sendmail mailscanner exchange gateway References: <1F820456-BA2D-463F-8711-CBF09BCD2D3E@rtpty.com> Message-ID: ________________________________ From: mailscanner-bounces@lists.mailscanner.info on behalf of Alex Neuman van der Hans Sent: Thu 27/11/2008 22:06 To: MailScanner discussion Subject: Re: sendmail mailscanner exchange gateway Yes, there are several. My method for under 50 inboxes is to do this at /etc/mail/access: To:alex@mydomain.com RELAY To:alice@mydomain.com RELAY To:bob@mydomain.com RELAY To:mydomain.com 551 Unknown User. You're either a moron or a spammer. Go away! HAHAHAHA (or words to that effect) Otherwise you need to look them up. On Nov 27, 2008, at 4:55 PM, Kit Wong wrote: > Is there a method where I can configure sendmail to accept only > valid email address then process it by mailscanner and smtp > forwarded to the desired exchange server? > -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- Scanned by MailScanner. --------------------------------------------------------------------------------------------------------------------- access.db seems to work fantastically. Thanks Alex if anyone else might be interested http://www.faqs.org/docs/securing/chap22sec178.html has a useful guide on access for sendmail -------------- next part -------------- A non-text attachment was scrubbed... 
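The access-map method Alex describes and Kit confirms in this thread, as an added example (not code from the thread or from sendmail): it generates the `To:` entries from a list of known mailboxes and checks that every domain with per-user RELAY lines also has a domain-wide reject. The sample mailbox list, the reject text, the function names and the simplified "full address first, then domain" lookup model are assumptions made for illustration.

```python
"""Generate and sanity-check a sendmail access map that relays only known recipients."""
import re

# Constructed sample: mailbox list exported from the internal mail server.
KNOWN_RECIPIENTS = """\
# one address per line
alex@mydomain.com
Alice@MyDomain.com
bob@mydomain.com
bob@mydomain.com
"""

REJECT = "551 Unknown user"  # constructed reject text
ADDRESS = re.compile(r"^[^@\s]+@(?:[a-z0-9-]+\.)+[a-z]{2,}$")


def build_access(recipient_text, reject=REJECT):
    """Return access-map lines: one RELAY per address, then one reject per domain."""
    addresses, domains = [], []
    for raw in recipient_text.splitlines():
        addr = raw.strip().lower()
        if not addr or addr.startswith("#"):
            continue
        if not ADDRESS.match(addr):
            raise ValueError(f"not a user@domain address: {raw!r}")
        if addr not in addresses:          # drop duplicates, keep input order
            addresses.append(addr)
        domain = addr.split("@", 1)[1]
        if domain not in domains:
            domains.append(domain)
    return ([f"To:{a}\tRELAY" for a in addresses]
            + [f"To:{d}\t{reject}" for d in domains])


def parse_access(lines):
    """Parse access-map source lines into {lower-cased key: value}."""
    table = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, value = line.split(None, 1)
        table[key.lower()] = value
    return table


def decide(table, rcpt):
    """Simplified lookup model (assumption): full address first, then the domain."""
    rcpt = rcpt.strip().lower()
    domain = rcpt.rsplit("@", 1)[-1]
    for key in (f"to:{rcpt}", f"to:{domain}"):
        if key in table:
            return table[key]
    return None  # no entry: the decision is left to the rest of the configuration


def unprotected_domains(table):
    """Domains that have per-user RELAY entries but no domain-wide reject line."""
    missing = []
    for key, value in table.items():
        if "@" in key and value == "RELAY":
            domain = key.rsplit("@", 1)[1]
            if table.get("to:" + domain, "RELAY") == "RELAY" and domain not in missing:
                missing.append(domain)
    return missing


if __name__ == "__main__":
    print("\n".join(build_access(KNOWN_RECIPIENTS)))
```

The printed lines go into /etc/mail/access, and the map is rebuilt with `makemap hash /etc/mail/access < /etc/mail/access`.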
From gmatt at nerc.ac.uk Fri Nov 28 08:52:49 2008 From: gmatt at nerc.ac.uk (Greg Matthews) Date: Fri Nov 28 08:53:08 2008 Subject: script disarming and large javascript messages Message-ID: <492FB161.2070406@nerc.ac.uk> Is anyone else seeing a problem with disarming scripts within email resulting in messages containing ~200k of disarmed javascript? This looks like complete nonsense to the recipient. The script contains lots of references to Dana, here is a typical first chunk: var DanaShimData="var DSJsFuncs = [null,null,[{nm:\"go\",flg:0xf},{nm:\"dJ\",flg:0x37},],null,[{nm:\"item\",flg:0xf},{nm:\"href\",flg:0xf},{nm:\"save\",lcnm:\"save\",flg:0xb},{nm:\"open\",lcnm:\"open\",flg:0x3b},{nm:\"load\",lcnm:\"load\",flg:0x3b},{nm:\"eval\",flg:0x57},],....... Note that the lines are very long, sometimes over 5000 characters! Is there any alternative to simply turning off script disarming? Seems drastic and possibly dangerous. GREG -- Greg Matthews 01491 692445 Head of UNIX/Linux, iTSS Wallingford -- This message (and any attachments) is for the recipient only. NERC is subject to the Freedom of Information Act 2000 and the contents of this email and any reply you make may be disclosed by NERC unless it is exempt from release under the Act. Any material supplied to NERC may be stored in an electronic records management system. From steve.freegard at fsl.com Fri Nov 28 09:37:43 2008 From: steve.freegard at fsl.com (Steve Freegard) Date: Fri Nov 28 09:37:53 2008 Subject: script disarming and large javascript messages In-Reply-To: <492FB161.2070406@nerc.ac.uk> References: <492FB161.2070406@nerc.ac.uk> Message-ID: <492FBBE7.1070506@fsl.com> Greg Matthews wrote: > Is anyone else seeing a problem with disarming scripts within email > resulting in messages containing ~200k of disarmed javascript?
This > looks like complete nonsense to the recipient. Why are you getting e-mail with Javascript in it in the first place? I can't think any e-mail clients that will run any javascript due to the security issues of doing so. > The script contains lots of references to Dana, here is a typical > first chunk: > > var DanaShimData="var DSJsFuncs = > [null,null,[{nm:\"go\",flg:0xf},{nm:\"dJ\",flg:0x37},],null,[{nm:\"item\",flg:0xf},{nm:\"href\",flg:0xf},{nm:\"save\",lcnm:\"save\",flg:0xb},{nm:\"open\",lcnm:\"open\",flg:0x3b},{nm:\"load\",lcnm:\"load\",flg:0x3b},{nm:\"eval\",flg:0x57},],....... > > > Note that the lines are very long, sometimes over 5000 characters! 1000 characters including the CRLF is the maximum line length allowed by the RFC. Is this the case pre-disarming? > Is there any alternative to simply turning off script disarming? Seems > drastic and possibly dangerous. I'd definitely be finding out what this stuff is doing in an e-mail in the first place. Cheers, Steve. From prandal at herefordshire.gov.uk Fri Nov 28 10:28:36 2008 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Fri Nov 28 10:28:54 2008 Subject: Centos 5.2, MS, perl ClamAV module In-Reply-To: References: Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA0547A104@HC-MBX02.herefordshire.gov.uk> It really is easy to upgrade to clamd. In addition to what the wiki says on the subject ( http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:clamav :switch_to_rpm_clamd ), you'll need to remove /usr/local/lin/libclam* I had to edit /var/www/html/mailscanner/functions.php, other.php, and rep_viruses.php to get MailWatch to play properly with clamd. The changes were trivial: In functions.php case 'clamd': define(VIRUS_REGEX, '/(.+) was infected: (\S+)/'); In other.php
  • ClamAV Status (if you're already using clamav_status.php - can't remember if that was in original MailWatch or a later patch) In rep_viruses.php case("clamd"): $scanner[$vscanner]['name'] = "ClamD"; $scanner[$vscanner]['regexp'] = "/(.+) was infected: (\S+)/"; break; I run clamdwatch.pl from crontab: */1 * * * * root /usr/local/bin/clamdwatch.pl -q && ( /usr/bin/killall -9 clamd; rm -fr /tmp/clamd.socket; /etc/init.d/clamd start 2>&1 ) Hope this helps. I'm not going to have the time to update the wiki, alas, so can someone make the appropriate changes to that page? Cheers, Phil -- Phil Randal | Networks Engineer Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division Thorn Office Centre, Rotherwas, Hereford, HR2 6JT Tel: 01432 260160 email: prandal@herefordshire.gov.uk Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Herefordshire Council. This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it. -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Rick Cooper Sent: 27 November 2008 19:24 To: 'MailScanner discussion' Subject: RE: Centos 5.2, MS, perl ClamAV module If you look at the change log there were several changes to the libclamav api. 
Any time you see that you know that the perl module will be broken Rick > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On > Behalf Of David Lee > Sent: Thursday, November 27, 2008 2:40 PM > To: MailScanner discussion > Subject: Centos 5.2, MS, perl ClamAV module > > > I'm aware that the topic of the perl ClamAV module is a frequent one > (because of the unfortunate habit of the clamav software to > change its > interface on each minor release, requiring the perl module > maintainer to > do work). > > I've just tried a fresh install (64 bit Intel) of Centos > 5.2, MS-4.72.5-1 > and install-Clam-SA-latest.tar.gz (install-Clam-0.94.1-SA-3.2.5). > > "install-Clam-0.94.1-SA-3.2.5" successfully builds the > clamav software > itself (installing it into > "/usr/local/{bin,lib64,etc,include}" (etc.) > > It then tries to build the perl ClamAV module, which fails: > ClamAV.xs:308: error: 'CL_EFSYNC' undeclared (first use > in this function) > ClamAV.xs:321: error: 'CL_ELOCKDB' undeclared (first use > in this function) > > Looking in the (just previously installed) > "/usr/local/include/clamav.h" > shows that "CL_EFSYNC" is commented out, and that > "CL_ELOCKDB" doesn't > seem to exist at all. > > So the two clam-related bits of > "install-Clam-0.94.1-SA-3.2.5" would seem > to be inconsistent. > > Is the recommendation is that we no longer use the perl > ClamAV module and > instead use "clamd"? > > If so, then are all the pieces in place to ensure that the > "clamd" module > is automatically invoked? (The "chkconfig ..." and "service > ... start" > or equivalents?) > > > -- > > : David Lee I.T. Service : > : Senior Systems Programmer Computer Centre : > : UNIX Team Leader Durham University : > : South Road : > : http://www.dur.ac.uk/t.d.lee/ Durham DH1 3LE : > : Phone: +44 191 334 2752 U.K. 
:
From prandal at herefordshire.gov.uk Fri Nov 28 10:37:36 2008 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Fri Nov 28 10:37:51 2008 Subject: Centos 5.2, MS, perl ClamAV module In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA0547A104@HC-MBX02.herefordshire.gov.uk> References: <7EF0EE5CB3B263488C8C18823239BEBA0547A104@HC-MBX02.herefordshire.gov.uk> Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA0547A10D@HC-MBX02.herefordshire.gov.uk> oops, must check before hitting send in future: remove /usr/local/lib/libclam* Cheers, Phil -- Phil Randal | Networks Engineer Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division Thorn Office Centre, Rotherwas, Hereford, HR2 6JT Tel: 01432 260160 email: prandal@herefordshire.gov.uk
From gmatt at nerc.ac.uk Fri Nov 28 11:52:37 2008 From: gmatt at nerc.ac.uk (Greg Matthews) Date: Fri Nov 28 11:53:29 2008 Subject: script disarming and large javascript messages In-Reply-To: <492FBBE7.1070506@fsl.com> References: <492FB161.2070406@nerc.ac.uk> <492FBBE7.1070506@fsl.com> Message-ID: <492FDB85.3000100@nerc.ac.uk> Steve Freegard wrote: > Greg Matthews wrote: >> Is anyone else seeing a problem with disarming scripts within email >> resulting in messages containing ~200k of disarmed javascript? This >> looks like complete nonsense to the recipient. > > Why are you getting e-mail with Javascript in it in the first place? I > can't think any e-mail clients that will run any javascript due to the > security issues of doing so. I really dont know! They come from various locations and to various recipients. It is a serious amount of script too. >> Note that the lines are very long, sometimes over 5000 characters!
> > 1000 characters including the CRLF is the maximum line length allowed by > the RFC. Is this the case pre-disarming? It is very difficult for me to tell as we dont have resources available on our relays to archive or store messages for any length of time. >> Is there any alternative to simply turning off script disarming? Seems >> drastic and possibly dangerous. > > I'd definitely be finding out what this stuff is doing in an e-mail in > the first place. thats what I've been trying to do but with no real progress. I was hoping that someone might recognise that Dana stuff (is it Outlook Web Access by any chance?) I can tar up an example and send it to you if it would help? GREG > > Cheers, > Steve. -- Greg Matthews 01491 692445 Head of UNIX/Linux, iTSS Wallingford -- This message (and any attachments) is for the recipient only. NERC is subject to the Freedom of Information Act 2000 and the contents of this email and any reply you make may be disclosed by NERC unless it is exempt from release under the Act. Any material supplied to NERC may be stored in an electronic records management system. From MailScanner at ecs.soton.ac.uk Fri Nov 28 12:16:58 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Nov 28 12:17:18 2008 Subject: Increased load In-Reply-To: <223f97700811260053o58213159o8a464ad52b20c192@mail.gmail.com> References: <3FD8054D301F9246A6F10F3485E2204E061442@cptwexc02.za.mhgad.com> <492C7BAD.5090708@vanderkooij.org> <3FD8054D301F9246A6F10F3485E2204E06145D@cptwexc02.za.mhgad.com> <223f97700811260053o58213159o8a464ad52b20c192@mail.gmail.com> Message-ID: <492FE13A.6000804@ecs.soton.ac.uk> On 26/11/08 08:53, Glenn Steen wrote: > 2008/11/26 Rabie Van der Merwe: > >> Yip CPU utilization is defiantly up. >> >> > Well, you need be strict with it then.... Tell it to be less > defiant!!!:-):-):-)... 
(as if that would help:-) > > Seriously though, if you are using 4.72.5 you might need the latest > Message.pm fix that Jules posted, I've posted a new beta since then, which includes that fix. > or else you would see the children > start to loop on some specific messages... Notably, the busy > MailScanner child will report "cleaning messages" as commandline in > "ps"... and never leave that state. > Solutions would be: > - get a hold of the fixed Message.pm and drop that into place (restart > MS after that), or > - revert to 4.71, or > - wait for Jules to post a new release with the fix incorporated > (there just might be a new beta around the corner:-). > > Cheers > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From glenn.steen at gmail.com Fri Nov 28 12:17:30 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Nov 28 12:17:39 2008 Subject: script disarming and large javascript messages In-Reply-To: <492FBBE7.1070506@fsl.com> References: <492FB161.2070406@nerc.ac.uk> <492FBBE7.1070506@fsl.com> Message-ID: <223f97700811280417s6f27916p4395d61d35d9698e@mail.gmail.com> 2008/11/28 Steve Freegard : > Greg Matthews wrote: (snip) >> Note that the lines are very long, sometimes over 5000 characters! > > 1000 characters including the CRLF is the maximum line length allowed by the > RFC. Is this the case pre-disarming? I thought that 5321/5322 changed that so that the actual lines could eb arbitrary lengths...? Trying to dispense with warped/wrapped multi-line headers...? Or am I remembering wrong...? 
Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From astephens at ptera.net Fri Nov 28 16:15:22 2008 From: astephens at ptera.net (Arthur Stephens) Date: Fri Nov 28 16:15:44 2008 Subject: Big increase in spam In-Reply-To: <492E3DE0.4070002@vanderkooij.org> References: <492DDF5B.2060207@ptera.net> <492E3DE0.4070002@vanderkooij.org> Message-ID: <4930191A.6010905@ptera.net> Hugo van der Kooij wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Arthur Stephens wrote: > >> Is it just me or did spammers figure out a away to get around mail scanner. >> I used not get any spam at all. But now so far today I have received 20 >> to 30 so far. >> So I upgraded MailScanner - double checked config settings but they >> still keep coming. >> > > Well. What are the SA scores for those messages? > > My guess: Your SA database has been poluted so your SA score will stick > around 50% and without other matches in SA that is usually not enough to > be stopped. > > Hugo. > > - -- > hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ > PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc > > A: Yes. > >Q: Are you sure? > >>A: Because it reverses the logical flow of conversation. > >>>Q: Why is top posting frowned upon? > > Bored? Click on http://spamornot.org/ and rate those images. > > Nid wyf yn y swyddfa ar hyn o bryd. Anfonwch unrhyw waith i'w gyfieithu. > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.7 (GNU/Linux) > Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org > > iD8DBQFJLj3eBvzDRVjxmYERAtklAJ9bVjGuGm9bw4AeRDS8dZ2qCHqrZwCfQd3r > PFW5VQ25sihyDuS4orGGtlo= > =67k0 > -----END PGP SIGNATURE----- > Here are a few from the message source... I have 190 of them this morning. 
X-Ptera-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=1.286, required 6, BAYES_50 0.00, HTML_90_100 0.11, HTML_IMAGE_RATIO_02 0.46, HTML_MESSAGE 0.00, MPART_ALT_DIFF_COUNT 0.71) X-Ptera-MailScanner-SpamScore: s X-Ptera-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=3.004, required 6, BAYES_50 0.00, HTML_MESSAGE 0.00, MIME_HTML_MOSTLY 1.10, SUBJ_LIFE_INSURANCE 1.90) X-Ptera-MailScanner-SpamScore: sss X-Ptera-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=3.27, required 6, BAYES_50 0.00, HTML_90_100 0.11, HTML_IMAGE_RATIO_02 0.46, HTML_MESSAGE 0.00, REMOVE_BEFORE_LINK 2.69) X-Ptera-MailScanner-SpamScore: sss X-Ptera-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=-1.777, required 6, autolearn=not spam, BAYES_00 -2.60, HTML_90_100 0.11, HTML_MESSAGE 0.00, MPART_ALT_DIFF_COUNT 0.71) X-Ptera-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=-1.777, required 6, autolearn=not spam, BAYES_00 -2.60, HTML_90_100 0.11, HTML_MESSAGE 0.00, MPART_ALT_DIFF_COUNT 0.71) -- Arthur Stephens Senior Sales Technician Ptera Wireless Internet Service PO Box 135 Liberty Lake, WA 99019 509-927-7837 For technical support visit http://www.ptera.net/support ----------------------------------------------------------------------------- "This message may contain confidential and/or propriety information, and is intended for the person/entity to whom it was originally addressed. Any use by others is strictly prohibited. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company." -------------- next part -------------- An HTML attachment was scrubbed... 
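Hugo's question in this thread ("What are the SA scores for those messages?") is easier to answer over a whole batch of missed spam than one header at a time. The following added example (not code from the thread or from MailScanner) parses the `MailScanner-SpamCheck` header format Arthur pasted and tallies the Bayes bucket, the rules that fired and the gap to the required score; the input is three of his headers (the first folded as it would be in a stored message), and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed input: three of the headers quoted in the message above.
SAMPLE = (
    "X-Ptera-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,\n"
    "\tscore=1.286, required 6, BAYES_50 0.00, HTML_90_100 0.11,\n"
    "\tHTML_IMAGE_RATIO_02 0.46, HTML_MESSAGE 0.00,\n"
    "\tMPART_ALT_DIFF_COUNT 0.71)\n"
    "X-Ptera-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, "
    "score=3.004, required 6, BAYES_50 0.00, HTML_MESSAGE 0.00, "
    "MIME_HTML_MOSTLY 1.10, SUBJ_LIFE_INSURANCE 1.90)\n"
    "X-Ptera-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, "
    "score=-1.777, required 6, autolearn=not spam, BAYES_00 -2.60, "
    "HTML_90_100 0.11, HTML_MESSAGE 0.00, MPART_ALT_DIFF_COUNT 0.71)\n"
)

# The organisation prefix ("Ptera" here) differs per site, so match any prefix.
HEADER = re.compile(
    r"^X-[\w-]*MailScanner-SpamCheck:\s*(?P<verdict>[^,]+),"
    r"\s*SpamAssassin\s*\((?P<body>.*)\)\s*$"
)
RULE = re.compile(r"^([A-Z][A-Z0-9_]*) (-?\d+(?:\.\d+)?)$")


def unfold(text):
    """Join folded header lines (continuations start with space or tab)."""
    return re.sub(r"\r?\n[ \t]+", " ", text)


def parse_spamcheck(line):
    """Parse one unfolded SpamCheck header; return None if it does not match."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {"verdict": m.group("verdict").strip(),
           "score": None, "required": None, "rules": {}}
    for item in (part.strip() for part in m.group("body").split(",")):
        if item.startswith("score="):
            rec["score"] = float(item[len("score="):])
        elif item.startswith("required "):
            rec["required"] = float(item[len("required "):])
        else:
            rule = RULE.match(item)      # skips "not cached", "autolearn=..."
            if rule:
                rec["rules"][rule.group(1)] = float(rule.group(2))
    if rec["score"] is None or rec["required"] is None:
        return None
    rec["shortfall"] = round(rec["required"] - rec["score"], 3)
    return rec


def summarize(text):
    """Return (records, Bayes bucket counts, rule hit counts) for a header dump."""
    records = [r for r in map(parse_spamcheck, unfold(text).splitlines()) if r]
    buckets, hits = Counter(), Counter()
    for rec in records:
        bayes = [name for name in rec["rules"] if name.startswith("BAYES_")]
        buckets[bayes[0] if bayes else "no BAYES rule"] += 1
        hits.update(rec["rules"].keys())
    return records, buckets, hits


if __name__ == "__main__":
    records, buckets, hits = summarize(SAMPLE)
    for rec in records:
        print(rec["verdict"], rec["score"], "short by", rec["shortfall"])
    print(dict(buckets))
    print(hits.most_common(3))
```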
From traced at xpear.de Fri Nov 28 18:57:18 2008 From: traced at xpear.de (traced) Date: Fri Nov 28 18:57:31 2008 Subject: Big increase in spam In-Reply-To: <4930191A.6010905@ptera.net> References: <492DDF5B.2060207@ptera.net> <492E3DE0.4070002@vanderkooij.org> <4930191A.6010905@ptera.net> Message-ID: <49303F0E.5010700@xpear.de> Hi, I gave BAYES_50 a higher default value, 3 or so. Also changed the other BAYES_XX values. Bayes 99 gives 10. Never hab problems with this settings! Regards, Basti
From maillists at conactive.com Fri Nov 28 23:31:21 2008 From: maillists at conactive.com (Kai Schaetzl) Date: Fri Nov 28 23:31:31 2008 Subject: Big increase in spam In-Reply-To: <49303F0E.5010700@xpear.de> References: <492DDF5B.2060207@ptera.net> <492E3DE0.4070002@vanderkooij.org> <4930191A.6010905@ptera.net> <49303F0E.5010700@xpear.de> Message-ID: Traced wrote on Fri, 28 Nov 2008 19:57:18 +0100: > I gave BAYES_50 a higher default value, 3 or so. Also changed > the other BAYES_XX values. Bayes 99 gives 10. Never hab > problems with this settings! Maybe not for you. Doing what you did is strongly discouraged! And if you have to there's already something wrong with your setup and you are just hosing it a bit more. Kai -- Kai Sch?tzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From traced at xpear.de Sat Nov 29 01:12:28 2008 From: traced at xpear.de (traced) Date: Sat Nov 29 01:12:40 2008 Subject: Big increase in spam In-Reply-To: References: <492DDF5B.2060207@ptera.net> <492E3DE0.4070002@vanderkooij.org> <4930191A.6010905@ptera.net> <49303F0E.5010700@xpear.de> Message-ID: <493096FC.7020904@xpear.de> Hi Kai, sorry for my question, but what could be wrong in giving more trust to the bayes list? Are you all using the standard values coming with MS? Regards, Bastian Kai Schaetzl schrieb: > Traced wrote on Fri, 28 Nov 2008 19:57:18 +0100: > >> I gave BAYES_50 a higher default value, 3 or so. Also changed >> the other BAYES_XX values. Bayes 99 gives 10. Never hab >> problems with this settings! > > Maybe not for you. Doing what you did is strongly discouraged! > And if you have to there's already something wrong with your setup and you > are just hosing it a bit more.
> > Kai > From hvdkooij at vanderkooij.org Sat Nov 29 09:42:07 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Sat Nov 29 09:42:16 2008 Subject: Big increase in spam In-Reply-To: <493096FC.7020904@xpear.de> References: <492DDF5B.2060207@ptera.net> <492E3DE0.4070002@vanderkooij.org> <4930191A.6010905@ptera.net> <49303F0E.5010700@xpear.de> <493096FC.7020904@xpear.de> Message-ID: <49310E6F.70505@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 traced wrote: > Hi Kai, > > sorry for my question, but what could be wrong in giving more trust to > the bayes list? Are you all using the standard values coming with MS? I use it but with some caution. So I am not making big jumps between values. But I have calibrated the bayesian scale to my liking. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. Nid wyf yn y swyddfa ar hyn o bryd. Anfonwch unrhyw waith i'w gyfieithu. 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFJMQ5tBvzDRVjxmYERAplEAKCZ7UqdjnpmMnTQ/Z29HYUvfwQSRACfV5JP
6ruyx+XcwbtoXSLb/FsxoAQ=
=Mxib
-----END PGP SIGNATURE-----

From hvdkooij at vanderkooij.org Sat Nov 29 09:45:09 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sat Nov 29 09:45:19 2008
Subject: Centos 5.2, MS, perl ClamAV module
In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA0547A104@HC-MBX02.herefordshire.gov.uk>
References: <7EF0EE5CB3B263488C8C18823239BEBA0547A104@HC-MBX02.herefordshire.gov.uk>
Message-ID: <49310F25.6070700@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Randal, Phil wrote:
> I run clamdwatch.pl from crontab:
>
> */1 * * * * root /usr/local/bin/clamdwatch.pl -q && ( /usr/bin/killall
> -9 clamd; rm -fr /tmp/clamd.socket; /etc/init.d/clamd start 2>&1 )

Sounds like this is a bit overdone. * would be equal to */1 ;-0

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

I am not in the office at the moment. Send any work to be translated.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFJMQ8kBvzDRVjxmYERAuy8AJ92htFwS0zxsutjIuar9VN3T71+BACgqYNi
oYDCHMT0yH2BX1FgHbeEBYs=
=jRYa
-----END PGP SIGNATURE-----

From hvdkooij at vanderkooij.org Sat Nov 29 09:48:00 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sat Nov 29 09:48:10 2008
Subject: script disarming and large javascript messages
In-Reply-To: <223f97700811280417s6f27916p4395d61d35d9698e@mail.gmail.com>
References: <492FB161.2070406@nerc.ac.uk> <492FBBE7.1070506@fsl.com> <223f97700811280417s6f27916p4395d61d35d9698e@mail.gmail.com>
Message-ID: <49310FD0.7020404@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Glenn Steen wrote:
> 2008/11/28 Steve Freegard :
>> Greg Matthews wrote:
> (snip)
>>> Note that the lines are very long, sometimes over 5000 characters!
>> 1000 characters including the CRLF is the maximum line length allowed by the
>> RFC. Is this the case pre-disarming?
>
> I thought that 5321/5322 changed that so that the actual lines could
> be arbitrary lengths...? Trying to dispense with warped/wrapped
> multi-line headers...? Or am I remembering wrong...?

The original RFC was only mentioning HEADER line length to the best of
my knowledge.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

I am not in the office at the moment. Send any work to be translated.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFJMQ/OBvzDRVjxmYERAiNqAKCEuIOgrl3nY8mT73wTTaGXulviUACeOtf0
3yR24v949bFMC90POk/ixjo=
=sje8
-----END PGP SIGNATURE-----

From maxsec at gmail.com Sat Nov 29 11:43:27 2008
From: maxsec at gmail.com (Martin Hepworth)
Date: Sat Nov 29 11:43:36 2008
Subject: Big increase in spam
In-Reply-To: <4930191A.6010905@ptera.net>
References: <492DDF5B.2060207@ptera.net> <492E3DE0.4070002@vanderkooij.org> <4930191A.6010905@ptera.net>
Message-ID: <72cf361e0811290343i639fde84vfdcda807797e1df5@mail.gmail.com>

2008/11/28 Arthur Stephens :
> Hugo van der Kooij wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Arthur Stephens wrote:
>
>
> Is it just me or did spammers figure out a way to get around mail scanner.
> I used not get any spam at all. But now so far today I have received 20
> to 30 so far.
> So I upgraded MailScanner - double checked config settings but they
> still keep coming.
>
>
> Well. What are the SA scores for those messages?
>
> My guess: Your SA database has been polluted so your SA score will stick
> around 50% and without other matches in SA that is usually not enough to
> be stopped.
>
> Hugo.
>
> - --
> hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
> PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc
>
> A: Yes.
> >Q: Are you sure?
> >>A: Because it reverses the logical flow of conversation.
> >>>Q: Why is top posting frowned upon?
>
> Bored? Click on http://spamornot.org/ and rate those images.
>
> I am not in the office at the moment. Send any work to be translated.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> iD8DBQFJLj3eBvzDRVjxmYERAtklAJ9bVjGuGm9bw4AeRDS8dZ2qCHqrZwCfQd3r
> PFW5VQ25sihyDuS4orGGtlo=
> =67k0
> -----END PGP SIGNATURE-----
>
>
> Here are a few from the message source...
I have 190 of them this morning.
>
> X-Ptera-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
> score=1.286, required 6, BAYES_50 0.00, HTML_90_100 0.11,
> HTML_IMAGE_RATIO_02 0.46, HTML_MESSAGE 0.00,
> MPART_ALT_DIFF_COUNT 0.71)
> X-Ptera-MailScanner-SpamScore: s
>
> X-Ptera-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
> score=3.004, required 6, BAYES_50 0.00, HTML_MESSAGE 0.00,
> MIME_HTML_MOSTLY 1.10, SUBJ_LIFE_INSURANCE 1.90)
> X-Ptera-MailScanner-SpamScore: sss
>
> X-Ptera-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
> score=3.27, required 6, BAYES_50 0.00, HTML_90_100 0.11,
> HTML_IMAGE_RATIO_02 0.46, HTML_MESSAGE 0.00,
> REMOVE_BEFORE_LINK 2.69)
> X-Ptera-MailScanner-SpamScore: sss
>
> X-Ptera-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
> score=-1.777, required 6, autolearn=not spam, BAYES_00 -2.60,
> HTML_90_100 0.11, HTML_MESSAGE 0.00, MPART_ALT_DIFF_COUNT 0.71)
>
> X-Ptera-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
> score=-1.777, required 6, autolearn=not spam, BAYES_00 -2.60,
> HTML_90_100 0.11, HTML_MESSAGE 0.00, MPART_ALT_DIFF_COUNT 0.71)
>
> --
> Arthur Stephens
> Senior Sales Technician
> Ptera Wireless Internet Service
> PO Box 135
> Liberty Lake, WA 99019
> 509-927-7837
> For technical support visit http://www.ptera.net/support
> -----------------------------------------------------------------------------
> "This message may contain confidential and/or propriety information,
> and is intended for the person/entity to whom it was originally
> addressed. Any use by others is strictly prohibited.
> Please note that any views or opinions presented in this email are solely
> those of the author and are not intended to represent those of the company."
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>

Arthur, if you can post the full email (headers and all) to a web page or
pastebin, some people can then run them on their system and let you know
which rules they hit.

I presume you've got razor/dcc and the SARE rules setup? The sought.cf
ruleset is very handy too and of course don't forget to run sa-update
regularly and keep SA itself updated (current version is 3.2.5).

--
Martin Hepworth
Oxford, UK

From maillists at conactive.com Sat Nov 29 12:31:16 2008
From: maillists at conactive.com (Kai Schaetzl)
Date: Sat Nov 29 12:31:33 2008
Subject: Big increase in spam
In-Reply-To: <493096FC.7020904@xpear.de>
References: <492DDF5B.2060207@ptera.net> <492E3DE0.4070002@vanderkooij.org> <4930191A.6010905@ptera.net> <49303F0E.5010700@xpear.de> <493096FC.7020904@xpear.de>
Message-ID:

Traced wrote on Sat, 29 Nov 2008 02:12:28 +0100:

> sorry for my question, but what could be wrong in giving more trust to
> the bayes list?

read the archives of sa-users, I won't repeat what's been explained and
shown there umpteen times. You may even find it explained on the SA wiki.
Again, if you have to resort to such measures to catch your spam there's
something wrong with your setup already.
Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From hvdkooij at vanderkooij.org Sat Nov 29 12:45:01 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sat Nov 29 12:45:11 2008
Subject: Big increase in spam
In-Reply-To: <492DDF5B.2060207@ptera.net>
References: <492DDF5B.2060207@ptera.net>
Message-ID: <4931394D.3020103@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Arthur Stephens wrote:
> Is it just me or did spammers figure out a way to get around mail scanner.
> I used not get any spam at all. But now so far today I have received 20
> to 30 so far.
> So I upgraded MailScanner - double checked config settings but they
> still keep coming.

I suggest you retrain SA database by hand. The time invested in this
action is probably very much worth every second of it.

I also found these remarks on the bayesian database:
http://www.barracudanetworks.com/ns/downloads/Barracuda_Bayes.pdf

I can vouch for the ill effects on accuracy if you overfeed the
bayesian database on those units. And have seen it happen in lesser
degrees on my MailScanner installations.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

I am not in the office at the moment. Send any work to be translated.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFJMTlMBvzDRVjxmYERAuzuAJ0bqtORG4ufBzMJVkRrGd88Rv+EmACgt6ir
bJPfRvbdKGuImfyJeOXD6GI=
=8WCd
-----END PGP SIGNATURE-----

From ugob at lubik.ca Sat Nov 29 19:19:43 2008
From: ugob at lubik.ca (Ugo Bellavance)
Date: Sat Nov 29 19:20:08 2008
Subject: Big increase in spam
In-Reply-To: <492DDF5B.2060207@ptera.net>
References: <492DDF5B.2060207@ptera.net>
Message-ID:

Arthur Stephens wrote:
> Is it just me or did spammers figure out a way to get around mail scanner.
> I used not get any spam at all. But now so far today I have received 20
> to 30 so far.
> So I upgraded MailScanner - double checked config settings but they
> still keep coming.
>

There is also an increase of spam that slips through our config,
especially spam saying that they want me to test laptops, Coke or Pepsi,
that I've got a Visa gift card or a Steakhouse dinner waiting... the
body contains a bunch of URLs with complex parameters. I didn't dare
click on them.

From traced at xpear.de Sat Nov 29 19:55:15 2008
From: traced at xpear.de (traced)
Date: Sat Nov 29 19:55:25 2008
Subject: Big increase in spam
In-Reply-To:
References: <492DDF5B.2060207@ptera.net>
Message-ID: <49319E23.4070000@xpear.de>

Ugo Bellavance wrote:
> There is also an increase of spam that slips through our config,
> especially spam saying that they want me to test laptops, Coke or Pepsi,
> that I've got a Visa gift card or a Steakhouse dinner waiting... the
> body contains a bunch of URLs with complex parameters. I didn't dare
> click on them.
>

Perhaps there are SA rules matching that "new" kind of spam?
Regards,
Bastian

From ugob at lubik.ca Sun Nov 30 15:01:09 2008
From: ugob at lubik.ca (Ugo Bellavance)
Date: Sun Nov 30 15:05:52 2008
Subject: Big increase in spam
In-Reply-To: <49319E23.4070000@xpear.de>
References: <492DDF5B.2060207@ptera.net> <49319E23.4070000@xpear.de>
Message-ID:

traced wrote:
>
> Ugo Bellavance wrote:
>> There is also an increase of spam that slips through our config,
>> especially spam saying that they want me to test laptops, Coke or
>> Pepsi, that I've got a Visa gift card or a Steakhouse dinner
>> waiting... the body contains a bunch of URLs with complex
>> parameters. I didn't dare click on them.
>>
>
> Perhaps there are SA rules matching that "new" kind of spam?

By writing to this list, I was hoping that someone had some ;).

I could post some samples.

Regards,

Ugo

From ms-list at alexb.ch Sun Nov 30 15:17:00 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Sun Nov 30 15:17:14 2008
Subject: Big increase in spam
In-Reply-To:
References: <492DDF5B.2060207@ptera.net> <49319E23.4070000@xpear.de>
Message-ID: <4932AE6C.7020309@alexb.ch>

On 11/30/2008 4:01 PM, Ugo Bellavance wrote:
> traced wrote:
>>
>> Ugo Bellavance wrote:
>>> There is also an increase of spam that slips through our config,
>>> especially spam saying that they want me to test laptops, Coke or
>>> Pepsi, that I've got a Visa gift card or a Steakhouse dinner
>>> waiting... the body contains a bunch of URLs with complex
>>> parameters. I didn't dare click on them.
>>>
>>
>> Perhaps there are SA rules matching that "new" kind of spam?
>
> By writing to this list, I was hoping that someone had some ;).

you'll be better off on "users@spamassassin.apache.org"

> I could post some samples.

... to the right list where the rule writers could be watching...

Alex

From garry at glendown.de Sun Nov 30 18:34:51 2008
From: garry at glendown.de (Garry)
Date: Sun Nov 30 18:35:03 2008
Subject: Using other blacklists for host blocking?
Message-ID: <4932DCCB.1080002@glendown.de>

Seeing the rising amount of failed SSH attempts to several of the boxes
I have, I was wondering ... has anyone here tried to use some other
blacklists to block incoming MTA access?

Assuming that a large amount of spam is delivered through botnets, which
may also be used for other types of attacks, using data from one attack
vector might be helpful in taking care of other things, too ...
especially as things like failed SSH connections are more objective than
deciding whether a mail is spam or not ...

Any comments?

-garry

From ssilva at sgvwater.com Sun Nov 30 21:28:12 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Sun Nov 30 21:28:41 2008
Subject: Centos 5.2, MS, perl ClamAV module
In-Reply-To:
References:
Message-ID:

on 11-27-2008 8:39 AM David Lee spake the following:
>
> I'm aware that the topic of the perl ClamAV module is a frequent one
> (because of the unfortunate habit of the clamav software to change its
> interface on each minor release, requiring the perl module maintainer to
> do work).
>
> I've just tried a fresh install (64 bit Intel) of Centos 5.2, MS-4.72.5-1
> and install-Clam-SA-latest.tar.gz (install-Clam-0.94.1-SA-3.2.5).
>
> "install-Clam-0.94.1-SA-3.2.5" successfully builds the clamav software
> itself (installing it into "/usr/local/{bin,lib64,etc,include}" (etc.)
>
> It then tries to build the perl ClamAV module, which fails:
> ClamAV.xs:308: error: 'CL_EFSYNC' undeclared (first use in this
> function)
> ClamAV.xs:321: error: 'CL_ELOCKDB' undeclared (first use in this
> function)
>
> Looking in the (just previously installed) "/usr/local/include/clamav.h"
> shows that "CL_EFSYNC" is commented out, and that "CL_ELOCKDB" doesn't
> seem to exist at all.
>
> So the two clam-related bits of "install-Clam-0.94.1-SA-3.2.5" would
> seem to be inconsistent.
>
> Is the recommendation is that we no longer use the perl ClamAV module
> and instead use "clamd"?
>
> If so, then are all the pieces in place to ensure that the "clamd"
> module is automatically invoked? (The "chkconfig ..." and "service ...
> start"
> or equivalents?)
>
>
Since you are using CentOS 5, you can enable the rpmforge repo and get
spamassassin and clamav from yum. The yum repo has a working clamd setup,
and even Julian has recommended this way with CentOS.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 250 bytes
Desc: OpenPGP digital signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081130/f73a73a8/signature.bin

From lists at rheel.co.nz Sun Nov 30 21:54:05 2008
From: lists at rheel.co.nz (Lists)
Date: Sun Nov 30 21:52:43 2008
Subject: log files double rotate happening
Message-ID: <49330B7D.4060300@rheel.co.nz>

Hi all,

I have set up in logrotate.conf the following (intent is to compress the
maillog files weekly)
what is happening is that i'm getting zip files created ie maillog.1.gz
but also getting the maillog.0 maillog.1 files being created.
It is making it quite difficult to find information in them later.

Can someone guide me to turn off the original maillog.0 maillog.1
rotation (as i think the rotation in the below logrotate would suffice)

Thanks
Kate

# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# uncomment this if you want your log files compressed
#compress

# RPM packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp -- we'll rotate them here
/var/log/wtmp {
    monthly
    minsize 1M
    create 0664 root utmp
    rotate 1
}

# system-specific logs may be also be configured here.
/var/log/maillog {
    missingok
    daily
    rotate 7
    create
    compress
    start 0
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

From hvdkooij at vanderkooij.org Sun Nov 30 22:19:24 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Nov 30 22:19:35 2008
Subject: Using other blacklists for host blocking?
In-Reply-To: <4932DCCB.1080002@glendown.de>
References: <4932DCCB.1080002@glendown.de>
Message-ID: <4933116C.2050105@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Garry wrote:
> Seeing the rising amount of failed SSH attempts to several of the boxes
> I have, I was wondering ... has anyone here tried to use some other
> blacklists to block incoming MTA access?
>
> Assuming that a large amount of spam is delivered through botnets, which
> may also be used for other types of attacks, using data from one attack
> vector might be helpful in taking care of other things, too ...
> especially as things like failed SSH connections are more objective than
> deciding whether a mail is spam or not ...

The two are totally unrelated. Most SSH sessions originate from unix
boxes under poor management. Where just about all spam originates from
poorly managed windows machines.

So what will you learn in relation to SMTP from these SSH connections?
Just about nothing.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

I am not in the office at the moment. Send any work to be translated.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFJMxFlBvzDRVjxmYERAhZZAJ4+kj/aylCIQ76WSnmVjl1UZhp+AgCglRNP
OlGXGtdQysIVGpoSUNndXnQ=
=ATqd
-----END PGP SIGNATURE-----

From hvdkooij at vanderkooij.org Sun Nov 30 22:22:39 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Nov 30 22:22:49 2008
Subject: log files double rotate happening
In-Reply-To: <49330B7D.4060300@rheel.co.nz>
References: <49330B7D.4060300@rheel.co.nz>
Message-ID: <4933122F.9000901@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Lists wrote:
> Hi all,
>
> I have set up in logrotate.conf the following (intent is to compress the
> maillog files weekly)

I feel that this question would be better asked at a mailinglist where
logrotate authors may dwell.

While it has an impact on the files generated by MailScanner it is in
fact not a MailScanner problem and another list may serve you better in
your quest for a solution.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

I am not in the office at the moment. Send any work to be translated.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFJMxIuBvzDRVjxmYERAtKdAJ9/8Rp7VZxhjqWfRYoWSTOPmnmPzQCfUnoW
kMMT2SVFtKErOH9indjr5WI=
=pjz9
-----END PGP SIGNATURE-----

From lists at rheel.co.nz Sun Nov 30 23:06:16 2008
From: lists at rheel.co.nz (Lists)
Date: Sun Nov 30 23:04:51 2008
Subject: log files double rotate happening
In-Reply-To: <4933122F.9000901@vanderkooij.org>
References: <49330B7D.4060300@rheel.co.nz> <4933122F.9000901@vanderkooij.org>
Message-ID: <49331C68.3060605@rheel.co.nz>

Hugo van der Kooij wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Lists wrote:
>
>> Hi all,
>>
>> I have set up in logrotate.conf the following (intent is to compress the
>> maillog files weekly)
>>
>
> I feel that this question would be better asked at a mailinglist where
> logrotate authors may dwell.
>
> While it has an impact on the files generated by MailScanner it is in
> fact not a MailScanner problem and another list may serve you better in
> your quest for a solution.
>
> Hugo.
>
Thanks Hugo - will try another list. Just thought to ask here first as
it is the built-in maillog rotation that I want to disable I think.
> - --
> hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
> PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc
>
> A: Yes.
> >Q: Are you sure?
> >>A: Because it reverses the logical flow of conversation.
> >>>Q: Why is top posting frowned upon?
>
> Bored? Click on http://spamornot.org/ and rate those images.
>
> I am not in the office at the moment. Send any work to be translated.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> iD8DBQFJMxIuBvzDRVjxmYERAtKdAJ9/8Rp7VZxhjqWfRYoWSTOPmnmPzQCfUnoW
> kMMT2SVFtKErOH9indjr5WI=
> =pjz9
> -----END PGP SIGNATURE-----
>

From maillists at conactive.com Sun Nov 30 23:31:18 2008
From: maillists at conactive.com (Kai Schaetzl)
Date: Sun Nov 30 23:31:32 2008
Subject: log files double rotate happening
In-Reply-To: <49330B7D.4060300@rheel.co.nz>
References: <49330B7D.4060300@rheel.co.nz>
Message-ID:

Lists wrote on Mon, 01 Dec 2008 10:54:05 +1300:

> what is happening is that i'm getting zip files created ie maillog.1.gz
> but also getting the maillog.0 maillog.1 files being created.

because normally logrotate has already configuration for maillog.
(/etc/logrotate.d)

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
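
The overlap Kai points to above (a maillog stanza in logrotate.conf on top of one already present under /etc/logrotate.d) can be checked for mechanically. The following is an added example, not part of the original thread: the first sample file mirrors the stanzas Kate posted, while the contents of /etc/logrotate.d/syslog and the helper names are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample. The first file mirrors the stanzas in the post; the
# second is an assumed distribution-style drop-in, not taken from the thread.
SAMPLE = {
    "/etc/logrotate.conf": """\
weekly
rotate 4
create
include /etc/logrotate.d
/var/log/wtmp {
    monthly
    minsize 1M
    create 0664 root utmp
    rotate 1
}
/var/log/maillog {
    missingok
    daily
    rotate 7
    create
    compress
    start 0
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}
""",
    "/etc/logrotate.d/syslog": """\
/var/log/messages /var/log/secure /var/log/maillog /var/log/cron {
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}
""",
}

SCRIPT_OPENERS = {"prerotate", "postrotate", "firstaction", "lastaction", "preremove"}


def parse_stanzas(text):
    """Yield (paths, directives) for each '{ ... }' block, skipping script bodies."""
    paths, directives, in_script = None, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if in_script:                      # shell lines may contain braces
            in_script = line != "endscript"
        elif paths is None:
            if line.endswith("{"):         # "path [path ...] {"
                paths, directives = line[:-1].split(), []
        elif line == "}":
            yield paths, directives
            paths = None
        elif line.split()[0] in SCRIPT_OPENERS:
            in_script = True
        else:
            directives.append(line)


def find_duplicates(files):
    """Return {log path: [(file, directives), ...]} for paths declared twice or more."""
    seen = defaultdict(list)
    for name, text in files.items():
        for paths, directives in parse_stanzas(text):
            for path in paths:
                seen[path].append((name, directives))
    return {p: where for p, where in seen.items() if len(where) > 1}


if __name__ == "__main__":
    for path, where in find_duplicates(SAMPLE).items():
        print(f"{path} is declared {len(where)} times:")
        for name, directives in where:
            print(f"  {name}: {', '.join(directives)}")
```

To run it against a real host, read logrotate.conf and each file under the included directory into the same `{filename: text}` mapping and pass that to `find_duplicates`.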