From jvoorhees1 at gmail.com Wed Oct 1 00:00:58 2008
From: jvoorhees1 at gmail.com (Jason Voorhees)
Date: Wed Oct 1 00:04:11 2008
Subject: How Do You Use Spam from GroupWise for sa-learn
In-Reply-To: <98250F24-8FE1-406C-8312-9D3EB711CCA8@rtpty.com>
References: <48E20F46.61A4.0000.0@caspercollege.edu> <48E2857A.5020309@gmail.com> <98250F24-8FE1-406C-8312-9D3EB711CCA8@rtpty.com>
Message-ID: <48E2AFAA.40500@gmail.com>

Alex Neuman van der Hans wrote:
> This sounds like something that should be on the WIKI.
>
Actually it's on the WIKI... but on SpamAssassin's WIKI

> Have you tried this on Exchange as well?
>
No, but it should work in any IMAP server

> On Sep 30, 2008, at 3:00 PM, Jason Voorhees wrote:
>
>> $ fetchmail --all --keep --proto IMAP -u IMAP-USER -n -m 'sa-learn --spam' MAILSERVER-IP-ADDRESS
>

From paul at blacknight.com Wed Oct 1 00:21:19 2008
From: paul at blacknight.com (Paul Kelly :: Blacknight)
Date: Wed Oct 1 00:21:28 2008
Subject: Barracuda Reputation Block List (BRBL)
In-Reply-To: <48E2442F.61A4.0000.0@caspercollege.edu>
References: <48E2442F.61A4.0000.0@caspercollege.edu>
Message-ID:

We've not found it to be very accurate and the percentage of FPs is too high for us.

It can of course be used in SA like any RBL.

Paul Kelly
Technical Director
Blacknight Internet Solutions ltd
Hosting, Colocation, Dedicated servers
IP Transit Services
Tel: +353 (0) 59 9183072
Lo-call: 1850 929 929
DDI: +353 (0) 59 9183091

e-mail: paul@blacknight.ie
web: http://www.blacknight.ie

Blacknight Internet Solutions Ltd,
Unit 12A,Barrowside Business Park,
Sleaty Road,
Graiguecullen,
Carlow,
Ireland

Company No.: 370845

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Daniel Straka
> Sent: Tuesday, September 30, 2008 10:22 PM
> To: mailscanner@lists.mailscanner.info
> Subject: Barracuda Reputation Block List (BRBL)
>
> Does anyone know if this new BL service can be used with MailScanner?
> http://www.barracudacentral.org/rbl
>
> --
>
> Dan Straka
> Systems Coordinator
> Casper College
> 307.268.2399
> www.caspercollege.edu ( http://www.caspercollege.edu/ )
>
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

From ssilva at sgvwater.com Wed Oct 1 00:45:48 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Oct 1 00:46:07 2008
Subject: Way OT: Cat Names
In-Reply-To:
References: <48E24865.8040702@trayerproducts.com>
Message-ID:

on 9-30-2008 8:53 AM Alex Neuman van der Hans spake the following:
> Plug & Pray?
> Fire & Forget?
> Bangers & Mash?
> By and Large?
> Pump & Dump?
> Rockem & Sockem?
> Ball & Chain?
> Speak & Spell?
>
> On Sep 30, 2008, at 10:40 AM, Rodney Green wrote:
>
>> Kernel & Patch
>
Why would anyone want *two* cats! ;-P

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From ssilva at sgvwater.com Wed Oct 1 00:48:28 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Oct 1 00:50:11 2008
Subject: MIME-tools 5.427
In-Reply-To: <48E1483A.2050509@ecs.soton.ac.uk>
References: <48E1483A.2050509@ecs.soton.ac.uk>
Message-ID:

on 9-29-2008 2:27 PM Julian Field spake the following:
> Please can a few people upgrade their MIME-tools Perl module to the
> latest 5.427 as provided here:
> http://search.cpan.org/CPAN/authors/id/D/DO/DONEILL/MIME-tools-5.427.tar.gz
> and just check for me that everything still works okay.
>
> If it does, I'm going to upgrade to it in the main distribution.
>
> Thanks folks!
>
> P.S. Trying to choose cat names at the moment -- need two. Current
> favourites are Cisco, Root, Tarball. They are both boys. Any preferences
> or other suggestions are most welcome. You've got till the end of
> Wednesday to come up with ideas and votes. Get your thinking hats on! :-)
>
> Jules
>
I named a cat Dammit once. It fit well since cats can be stubborn and independent most of the time.
"Come here, Dammit!"
"Stop scratching the couch, Dammit!" ;-P

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From raubvogel at gmail.com Wed Oct 1 00:56:22 2008
From: raubvogel at gmail.com (Mauricio Tavares)
Date: Wed Oct 1 00:56:35 2008
Subject: Way OT: Cat Names
In-Reply-To:
References: <48E24865.8040702@trayerproducts.com>
Message-ID: <48E2BCA6.4090206@gmail.com>

Scott Silva wrote:
> on 9-30-2008 8:53 AM Alex Neuman van der Hans spake the following:
>> Plug & Pray?
>> Fire & Forget?
>> Bangers & Mash?
>> By and Large?
>> Pump & Dump?
>> Rockem & Sockem?
>> Ball & Chain?
>> Speak & Spell?
>>
>> On Sep 30, 2008, at 10:40 AM, Rodney Green wrote:
>>
>>> Kernel & Patch
> Why would anyone want *two* cats! ;-P
>
So you can be entertained when they "negotiate" the daily aspects of their lives. ;)

From rjette at mestek.com Wed Oct 1 01:51:52 2008
From: rjette at mestek.com (Raymond Jette)
Date: Wed Oct 1 01:52:21 2008
Subject: MailScanner --lint
References: <48E1E616.8080805@ecs.soton.ac.uk>
Message-ID: <6341E9EE11D6AC4B84D3225C0E8C6BAB0B15B6@mtsrv-ex004.mestekcorp.com>

Thanks. That's the command I was looking for.

________________________________
From: mailscanner-bounces@lists.mailscanner.info on behalf of Julian Field
Sent: Tue 9/30/2008 4:40 AM
To: MailScanner discussion
Subject: Re: MailScanner --lint

MailScanner --lint &> /tmp/logoutput.txt

Ray Jette wrote:
> I am running MailScanner --lint to look for problems. The output of this
> command does not fit on the screen. I am trying to save this to a text
> file for review. The command sudo MailScanner --lint > log.txt did not
> work.
>
> I believe this did not work because I need to redirect stderr. Is this
> correct? I have been doing some research and have tried to redirect this
> a few different ways but have not been able to get it working.
>
> Does anyone have any ideas on how to do this?
>
> Thanks in advance,
> Ray Jette
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From andrew at gdcon.net Wed Oct 1 02:28:20 2008
From: andrew at gdcon.net (Andrew MacLachlan)
Date: Wed Oct 1 02:28:52 2008
Subject: Way OT: Cat Names
In-Reply-To:
References: <48E24865.8040702@trayerproducts.com>
Message-ID: <48E2D234.7020103@gdcon.net>

Scott Silva wrote:
> Why would anyone want *two* cats! ;-P
>
Well Jules was considering Cisco as a name (I like the subtlety of that one) so maybe he wants a meshed fabric...

-Andy

From ram at netcore.co.in Wed Oct 1 07:14:57 2008
From: ram at netcore.co.in (ram)
Date: Wed Oct 1 07:15:13 2008
Subject: Customizing Spamassin use according to recipients
In-Reply-To: <48E2551D.4070901@alexb.ch>
References: <1222786863.18634.99.camel@darkstar.netcore.co.in> <48E2551D.4070901@alexb.ch>
Message-ID: <1222841697.29640.61.camel@darkstar.netcore.co.in>

On Tue, 2008-09-30 at 18:34 +0200, Alex Broens wrote:
> Apologize for the Subject faux pas
> Had a dumb key cut on TB's Quicktext
>
> On 9/30/2008 5:01 PM, ram wrote:
> > I want to evaluate some spamassassin rules only when the mail is marked
> > for some recipients
> >
> > Can I do this ? I don't mind changing a little bit of the src if that is
> > required
> >
>
> if "marked" means sent To some recipients:
>
>
> With SA:
>
> header __TO_TESTUSER ToCC: =~ /(?:testuser1|testuser2)\@example\.com/
> body __STRING_TO_TEST /catch me/
>
> meta TEST_RULE_TO_USERS12 (__TO_TESTUSER && __STRING_TO_TEST)
> score TEST_RULE_TO_USERS12 1.0
>
> is this what you are looking for?
>
> Alex
>

That would match only when header-to matches the envelope recipient. But
I want the actual recipient not the ToCc

Also I would not mind if a mail is marked to multiple recipients and
rules misfire. That is agreeable in our scenario

From Carl.Boberg at nrm.se Wed Oct 1 08:57:27 2008
From: Carl.Boberg at nrm.se (Carl Boberg)
Date: Wed Oct 1 08:57:40 2008
Subject: Way OT: Cat Names
In-Reply-To:
References:
Message-ID: <012FE5C11B554B4594A65A58F84DAC20060EC39D@saruman.nrm.se>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Alex Neuman van der Hans
> Sent: den 30 september 2008 06:59
> To: MailScanner discussion
> Subject: Way OT: Cat Names
>
> * File & Print
> * TRON & CLU
> * while and for
> * gid & uid
> * slash and dot
> * patches and updates
> * picard & riker
> * (if both females) rose & martha
> * doctor & master
> * head & tail
> * man & info
>
> Just off the top of my head...

How about the obvious Spam and Ham ?
Just the top of my head since we are on this list anyways :)

Cheers
--------------------------------
Carl Boberg
System & Network Administrator
Swedish Museum of Naturalhistory
Frescativägen 40
104 05 Stockholm
Sweden
Tel nr: 08-5195 5116
Mobile: 0701-82 4055
E-mail: carl.boberg@nrm.se
--------------------------------

From martinh at solidstatelogic.com Wed Oct 1 09:20:53 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Wed Oct 1 09:21:14 2008
Subject: Barracuda Reputation Block List (BRBL)
In-Reply-To:
Message-ID: <0209bbc223a55145bec1c2d2ee355c3f@solidstatelogic.com>

Another vote as per Paul. Works better if you rename it with "-lastexternal" at the end, but still pushes out the odd FP which is worrying, so YMMV as they say,

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Paul Kelly :: Blacknight
> Sent: 01 October 2008 00:21
> To: 'MailScanner discussion'
> Subject: RE: Barracuda Reputation Block List (BRBL)
>
> We've not found it to be very accurate and the percentage of
> FPs is too high for us.
>
> It can of course be used in SA like any RBL.
>
> Paul Kelly
> Technical Director
> Blacknight Internet Solutions ltd
> Hosting, Colocation, Dedicated servers
> IP Transit Services
> Tel: +353 (0) 59 9183072
> Lo-call: 1850 929 929
> DDI: +353 (0) 59 9183091
>
> e-mail: paul@blacknight.ie
> web: http://www.blacknight.ie
>
> Blacknight Internet Solutions Ltd,
> Unit 12A,Barrowside Business Park,
> Sleaty Road,
> Graiguecullen,
> Carlow,
> Ireland
>
> Company No.: 370845
>
>
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info
> > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of
> > Daniel Straka
> > Sent: Tuesday, September 30, 2008 10:22 PM
> > To: mailscanner@lists.mailscanner.info
> > Subject: Barracuda Reputation Block List (BRBL)
> >
> > Does anyone know if this new BL service can be used with MailScanner?
> > http://www.barracudacentral.org/rbl
> >
> > --
> >
> > Dan Straka
> > Systems Coordinator
> > Casper College
> > 307.268.2399
> > www.caspercollege.edu ( http://www.caspercollege.edu/ )

From prandal at herefordshire.gov.uk Wed Oct 1 10:04:56 2008
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Wed Oct 1 10:05:13 2008
Subject: Way OT: Cat Names
In-Reply-To: <48E2D234.7020103@gdcon.net>
References: <48E24865.8040702@trayerproducts.com> <48E2D234.7020103@gdcon.net>
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA04D7DDBA@HC-MBX02.herefordshire.gov.uk>

I don't know if anybody's mentioned "ham" and "spam".

Only trouble is, if they get taken overseas, they both need to be put in quarantine.

Phil
--
Phil Randal
Networks Engineer
Herefordshire Council
Hereford, UK

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Andrew MacLachlan
Sent: 01 October 2008 02:28
To: MailScanner discussion
Subject: Re: Way OT: Cat Names

Scott Silva wrote:
> Why would anyone want *two* cats! ;-P
>
Well Jules was considering Cisco as a name (I like the subtlety of that one) so maybe he wants a meshed fabric...

-Andy

From ms-list at alexb.ch Wed Oct 1 10:54:27 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Wed Oct 1 10:54:43 2008
Subject: Customizing Spamassin use according to recipients
In-Reply-To: <1222841697.29640.61.camel@darkstar.netcore.co.in>
References: <1222786863.18634.99.camel@darkstar.netcore.co.in> <48E2551D.4070901@alexb.ch> <1222841697.29640.61.camel@darkstar.netcore.co.in>
Message-ID: <48E348D3.2030702@alexb.ch>

On 10/1/2008 8:14 AM, ram wrote:
> On Tue, 2008-09-30 at 18:34 +0200, Alex Broens wrote:
>> Apologize for the Subject faux pas
>> Had a dumb key cut on TB's Quicktext
>>
>> On 9/30/2008 5:01 PM, ram wrote:
>>> I want to evaluate some spamassassin rules only when the mail is marked
>>> for some recipients
>>>
>>> Can I do this ? I don't mind changing a little bit of the src if that is
>>> required
>>>
>> if "marked" means sent To some recipients:
>>
>>
>> With SA:
>>
>> header __TO_TESTUSER ToCC: =~ /(?:testuser1|testuser2)\@example\.com/
>> body __STRING_TO_TEST /catch me/
>>
>> meta TEST_RULE_TO_USERS12 (__TO_TESTUSER && __STRING_TO_TEST)
>> score TEST_RULE_TO_USERS12 1.0
>>
>> is this what you are looking for?
>>
>> Alex
>>
>
>
> That would match only when header-to matches the envelope recipient. But
> I want the actual recipient not the ToCc

dunno if SA ever sees this
SA list is probably the better source of info

otoh, maybe your MTA can add/already adds the envelope rcpt into a custom header and you can use that for the rule.

Alex

From nwp at nz.lemon-computing.com Wed Oct 1 11:41:02 2008
From: nwp at nz.lemon-computing.com (Nick Phillips)
Date: Wed Oct 1 11:41:39 2008
Subject: Way OT: Cat Names
In-Reply-To: <012FE5C11B554B4594A65A58F84DAC20060EC39D@saruman.nrm.se>
References: <012FE5C11B554B4594A65A58F84DAC20060EC39D@saruman.nrm.se>
Message-ID: <48E353BE.1020903@nz.lemon-computing.com>

Jules - surely the cats should be Tim and Les (tjc and lac)? They will be running the show, after all ;-)

Cheers,

Nick

From erwin.lomibao at inquirer.net Wed Oct 1 11:44:01 2008
From: erwin.lomibao at inquirer.net (erwin lomibao)
Date: Wed Oct 1 11:44:13 2008
Subject: Custom SpamAssassin rules from Network Associates, Inc
Message-ID:

Hello List,

While testing the custom update script I wrote for uvscan, I came across this folder in the public FTP of Network Associates:

ftp://ftp.nai.com/spamdefs/1.x/

it contains a file:

ftp://ftp.nai.com/spamdefs/1.x/spamassassin.renu.maa.3115.zip

I took a peek and saw a rules.zip file. Has anyone tried using these rules? Is one legally allowed to use these?

regards,

--
erwin lomibao
senior systems admin
inquirer interactive
erwin.lomibao@{inquirer.net}
9f rufino plaza makati 1200 philippines

From ms-list at alexb.ch Wed Oct 1 12:25:33 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Wed Oct 1 12:25:50 2008
Subject: Custom SpamAssassin rules from Network Associates, Inc
In-Reply-To:
References:
Message-ID: <48E35E2D.9090408@alexb.ch>

On 10/1/2008 12:44 PM, erwin lomibao wrote:
> Hello List,
>
> While testing the custom update script I wrote for uvscan, I came across
> this folder in the public FTP of Network Associates:
>
> ftp://ftp.nai.com/spamdefs/1.x/
>
> it contains a file:
>
> ftp://ftp.nai.com/spamdefs/1.x/spamassassin.renu.maa.3115.zip
> I took a peek and saw a rules.zip file. Has anyone tried using these rules?

Hardly any will work as NAI's SA core is totally modified for their SDK.
Those files are for their SA 2.6x core which IIRC is not used much anymore except on oldish devices.
You wouldn't be able to handle any of their .lu /streamed rules.
Their fast_body stuff will also trip over your SA.

They're fun to look at and learn, but not apt to be used as drop-in for SA.
tho the secrets are in their .lu files :-)

> Is one legally allowed to use these?

hardly

From Denis.Beauchemin at USherbrooke.ca Wed Oct 1 14:43:47 2008
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Wed Oct 1 14:44:09 2008
Subject: Way OT: Cat Names
In-Reply-To:
References: <48E24865.8040702@trayerproducts.com>
Message-ID: <48E37E93.60309@USherbrooke.ca>

Scott Silva wrote:
> on 9-30-2008 8:53 AM Alex Neuman van der Hans spake the following:
>
>> Plug & Pray?
>> Fire & Forget?
>> Bangers & Mash?
>> By and Large?
>> Pump & Dump?
>> Rockem & Sockem?
>> Ball & Chain?
>> Speak & Spell?
>>
>> On Sep 30, 2008, at 10:40 AM, Rodney Green wrote:
>>
>>
>>> Kernel & Patch
>>>
> Why would anyone want *two* cats! ;-P
>

Because they will play with one another and leave your furniture alone!

How about sendmail and postfix?

Denis

--
 _
 °v°   Denis Beauchemin, analyste
/(_)\  Université de Sherbrooke, S.T.I.
 ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From jkidd at afflink.com Wed Oct 1 16:59:54 2008
From: jkidd at afflink.com (Josh Kidd)
Date: Wed Oct 1 17:00:50 2008
Subject: GREPing Maillog
Message-ID: <44478D9B01E40143A91E1192B0222F5B1C9482@WCMAIL2.performance.pfgc.com>

May not be the best place to submit this question but wondered if anyone had any suggestions on how I could find an entry in my maillog and then copy that line and the next 4 lines into a text file.

I know I can grep on the string I'm looking for, "grep Message delivery request rate limit exceeded /var/log/maillog", but I also want to record the statistics after that then somehow copy all of it into a file that I can access to show me what IPs may be abusing our server (don't mind the limit below it's low for testing). I'm using the Postfix anvil daemon to record these statistics, that seems to be working fine but we want to know if there is a computer that is sending out more than our pre-determined limit in case that computer has been infected.

The server is FreeBSD 7, with Postfix, MailScanner (ClamAV and SA), and MailWatch. The log entries I'm looking for are these.

Sep 28 17:41:24 fred postfix/smtpd[38086]: warning: Message delivery request rate limit exceeded: 6 from unknown[10.30.0.11] for service smtp
Sep 28 17:41:24 fred postfix/smtpd[38086]: disconnect from unknown[10.30.0.11]
Sep 28 17:41:25 fred postfix/anvil[38088]: statistics: max connection rate 6/30s for (smtp:10.30.0.11) at Sep 28 17:41:24
Sep 28 17:41:25 fred postfix/anvil[38088]: statistics: max connection count 1 for (smtp:10.30.0.11) at Sep 28 17:41:24
Sep 28 17:41:25 fred postfix/anvil[38088]: statistics: max message rate 6/30s for (smtp:10.30.0.11) at Sep 28 17:41:24

From ecasarero at gmail.com Wed Oct 1 17:09:56 2008
From: ecasarero at gmail.com (Eduardo Casarero)
Date: Wed Oct 1 17:10:06 2008
Subject: GREPing Maillog
In-Reply-To: <44478D9B01E40143A91E1192B0222F5B1C9482@WCMAIL2.performance.pfgc.com>
References: <44478D9B01E40143A91E1192B0222F5B1C9482@WCMAIL2.performance.pfgc.com>
Message-ID: <7d9b3cf20810010909r4d91f935ma2596c500d8878b8@mail.gmail.com>

2008/10/1 Josh Kidd

> May not be the best place to submit this question but wondered if anyone
> had any suggestions on how I could find an entry in my maillog and then copy
> that line and the next 4 lines into a text file.
>
> I know I can grep on the string I'm looking for, "grep Message delivery
> request rate limit exceeded /var/log/maillog", but I also want to record the
> statistics after that then somehow copy all of it into a file that I can
> access to show me what IPs may be abusing our server (don't mind the limit
> below it's low for testing). I'm using the Postfix anvil daemon to record
> these statistics, that seems to be working fine but we want to know if there
> is a computer that is sending out more than our pre-determined limit in case
> that computer has been infected.
>
> The server is FreeBSD 7, with Postfix, MailScanner (ClamAV and SA), and
> MailWatch. The log entries I'm looking for are these.
>
> Sep 28 17:41:24 fred postfix/smtpd[38086]: warning: Message delivery request rate limit exceeded: 6 from unknown[10.30.0.11] for service smtp
>
> Sep 28 17:41:24 fred postfix/smtpd[38086]: disconnect from unknown[10.30.0.11]
>
> Sep 28 17:41:25 fred postfix/anvil[38088]: statistics: max connection rate 6/30s for (smtp:10.30.0.11) at Sep 28 17:41:24
>
> Sep 28 17:41:25 fred postfix/anvil[38088]: statistics: max connection count 1 for (smtp:10.30.0.11) at Sep 28 17:41:24
>
> Sep 28 17:41:25 fred postfix/anvil[38088]: statistics: max message rate 6/30s for (smtp:10.30.0.11) at Sep 28 17:41:24
>

Try with awk

grep "statistics: max rate" /var/log/maillog | awk -F "smtp:" '{print $2}' | awk -F ")" '{print $1}' | tr "[:upper:]" "[:lower:]" | awk '{freq[$1]++} END { for (ip in freq) printf "%s\t%d\n", ip, freq[ip] }'

this doesn't work, you have to tune the awk's but, I use something similar to collect greylisting rejects.

From ssilva at sgvwater.com Wed Oct 1 17:33:34 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Oct 1 17:33:54 2008
Subject: Way OT: Cat Names
In-Reply-To: <48E37E93.60309@USherbrooke.ca>
References: <48E24865.8040702@trayerproducts.com> <48E37E93.60309@USherbrooke.ca>
Message-ID:

on 10-1-2008 6:43 AM Denis Beauchemin spake the following:
> Scott Silva wrote:
>> on 9-30-2008 8:53 AM Alex Neuman van der Hans spake the following:
>>
>>> Plug & Pray?
>>> Fire & Forget?
>>> Bangers & Mash?
>>> By and Large?
>>> Pump & Dump?
>>> Rockem & Sockem?
>>> Ball & Chain?
>>> Speak & Spell?
>>>
>>> On Sep 30, 2008, at 10:40 AM, Rodney Green wrote:
>>>
>>>
>>>> Kernel & Patch
>>>>
>> Why would anyone want *two* cats! ;-P
>>
> Because they will play with one another and leave your furniture alone!
>
> How about sendmail and postfix?
>
> Denis
>
Don't name them mailscanner and postfix, because postfix will always pick on mailscanner! ;-D

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From rcooper at dwford.com Wed Oct 1 18:17:00 2008
From: rcooper at dwford.com (Rick Cooper)
Date: Wed Oct 1 18:17:14 2008
Subject: GREPing Maillog
In-Reply-To: <44478D9B01E40143A91E1192B0222F5B1C9482@WCMAIL2.performance.pfgc.com>
References: <44478D9B01E40143A91E1192B0222F5B1C9482@WCMAIL2.performance.pfgc.com>
Message-ID:

Don't know about FreeBSD but plain 'ole grep -A would be what you are looking for.

    grep -A 4 something maillog

will return what you are looking for plus the next four lines. If there is more than one match the matches will be separated by a line of "---" chars. Of course you can redirect output to a file as normal, or you can pipe through tee if you want it going to stdout and a file(s)

Rick

_____
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Josh Kidd
Sent: Wednesday, October 01, 2008 12:00 PM
To: mailscanner@lists.mailscanner.info
Subject: GREPing Maillog

May not be the best place to submit this question but wondered if anyone had any suggestions on how I could find an entry in my maillog and then copy that line and the next 4 lines into a text file.

I know I can grep on the string I'm looking for, "grep Message delivery request rate limit exceeded /var/log/maillog", but I also want to record the statistics after that then somehow copy all of it into a file that I can access to show me what IPs may be abusing our server (don't mind the limit below it's low for testing). I'm using the Postfix anvil daemon to record these statistics, that seems to be working fine but we want to know if there is a computer that is sending out more than our pre-determined limit in case that computer has been infected.

The server is FreeBSD 7, with Postfix, MailScanner (ClamAV and SA), and MailWatch. The log entries I'm looking for are these.

Sep 28 17:41:24 fred postfix/smtpd[38086]: warning: Message delivery request rate limit exceeded: 6 from unknown[10.30.0.11] for service smtp
Sep 28 17:41:24 fred postfix/smtpd[38086]: disconnect from unknown[10.30.0.11]
Sep 28 17:41:25 fred postfix/anvil[38088]: statistics: max connection rate 6/30s for (smtp:10.30.0.11) at Sep 28 17:41:24
Sep 28 17:41:25 fred postfix/anvil[38088]: statistics: max connection count 1 for (smtp:10.30.0.11) at Sep 28 17:41:24
Sep 28 17:41:25 fred postfix/anvil[38088]: statistics: max message rate 6/30s for (smtp:10.30.0.11) at Sep 28 17:41:24

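The extraction asked for in this thread, as an added example that is not code from any of the posters: the first function gives the same output as `grep -A 4` using awk, the second reduces the warnings to a per-client table so the busiest sender stands out. The sample log is constructed from the entries quoted in the thread; the second client 10.30.0.12, the later timestamps and PIDs, and the function names are assumptions.

```shell
#!/bin/sh
# Added example: pull Postfix rate-limit warnings and the anvil statistics
# that follow them out of a maillog, then rank the client IPs involved.

# Constructed sample log. The first five lines are the entries quoted in the
# thread; everything from 17:50 onwards (client 10.30.0.12, PIDs) is invented.
sample_maillog() {
    cat <<'EOF'
Sep 28 17:41:24 fred postfix/smtpd[38086]: warning: Message delivery request rate limit exceeded: 6 from unknown[10.30.0.11] for service smtp
Sep 28 17:41:24 fred postfix/smtpd[38086]: disconnect from unknown[10.30.0.11]
Sep 28 17:41:25 fred postfix/anvil[38088]: statistics: max connection rate 6/30s for (smtp:10.30.0.11) at Sep 28 17:41:24
Sep 28 17:41:25 fred postfix/anvil[38088]: statistics: max connection count 1 for (smtp:10.30.0.11) at Sep 28 17:41:24
Sep 28 17:41:25 fred postfix/anvil[38088]: statistics: max message rate 6/30s for (smtp:10.30.0.11) at Sep 28 17:41:24
Sep 28 17:50:02 fred postfix/smtpd[38120]: connect from unknown[10.30.0.12]
Sep 28 17:50:03 fred postfix/smtpd[38120]: warning: Message delivery request rate limit exceeded: 7 from unknown[10.30.0.12] for service smtp
Sep 28 17:50:03 fred postfix/smtpd[38120]: disconnect from unknown[10.30.0.12]
Sep 28 17:52:10 fred postfix/smtpd[38131]: warning: Message delivery request rate limit exceeded: 9 from unknown[10.30.0.11] for service smtp
Sep 28 17:52:10 fred postfix/smtpd[38131]: disconnect from unknown[10.30.0.11]
EOF
}

PATTERN='Message delivery request rate limit exceeded'

# rate_limit_context [FILE...]
# Print each warning line plus the 4 lines after it. Groups that are not
# adjacent in the log are separated by "--", overlapping groups are merged.
# Reads stdin when no file is given.
rate_limit_context() {
    awk -v pat="$PATTERN" -v after=4 '
        $0 ~ pat {
            if (last && NR > last + 1) print "--"   # gap since last printed line
            left = after + 1                        # this line + context lines
        }
        left > 0 { print; last = NR; left-- }
    ' "$@"
}

# rate_limit_offenders [FILE...]
# One tab-separated line per client: IP, number of warnings, highest rate
# reported in a warning. Sorted by warning count, busiest client first.
rate_limit_offenders() {
    awk -v pat="$PATTERN" '
        $0 ~ pat {
            for (i = 1; i <= NF; i++) if ($i == "exceeded:") break
            rate = $(i + 1) + 0          # number after "exceeded:"
            ip = $(i + 3)                # field after "from", looks like name[ip]
            sub(/^.*\[/, "", ip)         # keep only what is inside the brackets;
            sub(/\].*$/, "", ip)         # the name part comes from reverse DNS
            hits[ip]++
            if (rate > peak[ip]) peak[ip] = rate
        }
        END { for (ip in hits) printf "%s\t%d\t%d\n", ip, hits[ip], peak[ip] }
    ' "$@" | sort -k2,2nr -k1,1
}

# Demonstration on the constructed sample. On a real server pass the log
# path instead, e.g.: rate_limit_context /var/log/maillog > /tmp/ratelimit.txt
sample_maillog | rate_limit_context
sample_maillog | rate_limit_offenders
```

The table is keyed on the bracketed address rather than the hostname because the name in front of the brackets is whatever reverse DNS returned for the client.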
From glenn.steen at gmail.com Wed Oct 1 19:12:12 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Oct 1 19:12:21 2008
Subject: Way OT: Cat Names
In-Reply-To:
References: <48E24865.8040702@trayerproducts.com> <48E37E93.60309@USherbrooke.ca>
Message-ID: <223f97700810011112p6303b28bs5487246e8c8e5a88@mail.gmail.com>

2008/10/1 Scott Silva :
> on 10-1-2008 6:43 AM Denis Beauchemin spake the following:
>> Scott Silva wrote:
>>> on 9-30-2008 8:53 AM Alex Neuman van der Hans spake the following:
>>>
>>>> Plug & Pray?
>>>> Fire & Forget?
>>>> Bangers & Mash?
>>>> By and Large?
>>>> Pump & Dump?
>>>> Rockem & Sockem?
>>>> Ball & Chain?
>>>> Speak & Spell?
>>>>
>>>> On Sep 30, 2008, at 10:40 AM, Rodney Green wrote:
>>>>
>>>>
>>>>> Kernel & Patch
>>>>>
>>> Why would anyone want *two* cats! ;-P
>>>
>> Because they will play with one another and leave your furniture alone!
>>
>> How about sendmail and postfix?
>>
>> Denis
>>
> Don't name them mailscanner and postfix, because postfix will always pick on
> mailscanner! ;-D
>
Worse... MailScanner will violate postfix' interfaces!:D

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From wimmer at zcu.cz Wed Oct 1 20:01:33 2008
From: wimmer at zcu.cz (Milos Wimmer)
Date: Wed Oct 1 20:01:42 2008
Subject: dirty problem with clamscan 0.94
Message-ID:

Hi,

I'm using MailScanner in conjunction with ClamAV clamscan antivirus
engine. I found problem after upgrade ClamAV to version 0.94.
All looked fine (no warnings in log files), but clamscan did not scan
any file inside MailScanner.

I found problem is caused by change of clamscan-0.94 options :-(

Previous versions support options --unzip, --jar, --tar, --max-ratio and
other while clamscan-0.94 does not.
When you run "clamscan --unzip file" from command line, it writes:
clamscan: unrecognized option `--unzip'
ERROR: Unknown option passed.
ERROR: Can't parse the command line

and file does not check.

MailScanner set these options inside of wrapper/clamav-wrapper file
in ExtraScanOptions parameter.
Similar thing is in SweepViruses.pm file for --unrar option.

When I comment out setting of all these options, clamscan works inside
MailScanner again nice.

Please look at this problem - people using clamscan think they are safe,
but they are not now. Clamscan-0.94 does not check anything inside
MailScanner...

Best regards,

Milos

From ssilva at sgvwater.com Wed Oct 1 20:15:34 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Oct 1 20:15:55 2008
Subject: dirty problem with clamscan 0.94
In-Reply-To:
References:
Message-ID:

on 10-1-2008 12:01 PM Milos Wimmer spake the following:
>
> Hi,
>
> I'm using MailScanner in conjunction with ClamAV clamscan antivirus
> engine. I found problem after upgrade ClamAV to version 0.94.
> All looked fine (no warnings in log files), but clamscan did not scan
> any file inside MailScanner.
>
> I found problem is caused by change of clamscan-0.94 options :-(
>
> Previous versions support options --unzip, --jar, --tar, --max-ratio and
> other while clamscan-0.94 does not.
> When you run "clamscan --unzip file" from command line, it writes:
> clamscan: unrecognized option `--unzip'
> ERROR: Unknown option passed.
> ERROR: Can't parse the command line
>
> and file does not check.
>
> MailScanner set these options inside of wrapper/clamav-wrapper file
> in ExtraScanOptions parameter.
> Similar thing is in SweepViruses.pm file for --unrar option.
>
> When I comment out setting of all these options, clamscan works inside
> MailScanner again nice.
>
> Please look at this problem - people using clamscan think they are safe,
> but they are not now. Clamscan-0.94 does not check anything inside
> MailScanner...
>
>
> Best regards,
>
> Milos

It is already fixed in the new betas. Stable is usually released every other month unless a large change warrants a release sooner.
Most people aren't using clamscan since it is the most memory and processor intensive way to use clam with mailscanner.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From alex at rtpty.com Wed Oct 1 20:18:15 2008
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Wed Oct 1 20:19:03 2008 Subject: Way OT: Cat Names In-Reply-To: References: <48E24865.8040702@trayerproducts.com> <48E37E93.60309@USherbrooke.ca> Message-ID: And it'll probably cause swapping, too! On Oct 1, 2008, at 11:33 AM, Scott Silva wrote: > Don't name them mailscanner and postfix, because postfix will always > pick on > mailscanner! ;-D From campbell at cnpapers.com Wed Oct 1 20:40:01 2008 
From: campbell at cnpapers.com (Steve Campbell) Date: Wed Oct 1 20:40:19 2008 Subject: dirty problem with clamscan 0.94 In-Reply-To: References: Message-ID: <48E3D211.5020306@cnpapers.com> Scott Silva wrote: > on 10-1-2008 12:01 PM Milos Wimmer spake the following: > >> Hi, >> >> I'm using MailScanner in conjunction with ClamAV clamscan antivirus >> engine. I found problem after upgrade ClamAV to version 0.94. >> All looked fine (no warnings in log files), but clamscan did not scan >> any file inside MailScanner. >> >> I found problem is caused by change of clamscan-0.94 options :-( >> >> Previous versions support options --unzip, --jar, --tar, --max-ratio and >> other while clamscan-0.94 does not. >> When you run "clamscan --unzip file" from command line, it writes: >> clamscan: unrecognized option `--unzip' >> ERROR: Unknown option passed. >> ERROR: Can't parse the command line >> >> and file does not check. >> >> MailScanner set these options inside of wrapper/clamav-wrapper file >> in ExtraScanOptions parameter. >> Similar thing is in SweepViruses.pm file for --unrar option. >> >> When I comment out setting of all these options, clamscan works inside >> MailScanner again nice. >> >> Please look at this problem - people using clamscan think they are safe, >> but they are not now. Clamscan-0.94 does not check anything inside >> MailScanner... >> >> >> Best regards, >> >> Milos >> > It is already fixed in the new betas. Stable is usually released every other > month unless a large change warrants a release sooner. > Most people aren't using clamscan since it is the most memory and processor > intensive way to use clam with mailscanner. > > I must have the pickiest users in the world, as if mail goes down for one minute, I start getting calls. I suppose I could "startin" and maybe "startout" and load the Beta. I thought I found all of the instances of the ExtraScanOptions to remove the problem, but see I really haven't. 
So, if anyone knows where all these ExtraScanOption statements are, it would be great if someone could post them so I(we) could remove them. It would be even better if it just happened to consist of a few files that could be replaced from the Beta. I work at a newspaper (actually more than one - a morning and evening publication) and it doesn't leave much time to fiddle with things. Seems like the first thing they teach journalist at college is to say "I'm on deadline", and if they say it to an email admin, they have to append "and I'm expecting an important email". Sorry to be so whiny, but I finally took the time to upgrade from an ancient version just last week, and I don't think they'd sit still for another bout of upgrades. AOL also was blocking our new IP ranges, so Halloween came early around here and it was a week from hell. Thanks so much for any help. Steve Campbell From alex at rtpty.com Wed Oct 1 21:07:12 2008 From: alex at rtpty.com (Alex Neuman van der Hans) Date: Wed Oct 1 21:07:30 2008 Subject: dirty problem with clamscan 0.94 In-Reply-To: <48E3D211.5020306@cnpapers.com> References: <48E3D211.5020306@cnpapers.com> Message-ID: <5088FC31-658A-4BD1-82CA-C3F2BF56F913@rtpty.com> So run the MTA "as is" while you upgrade. That'll show them how much they *need* a filtering solution. ;-) On Oct 1, 2008, at 2:40 PM, Steve Campbell wrote: > I work at a newspaper (actually more than one - a morning and > evening publication) and it doesn't leave much time to fiddle with > things. Seems like the first thing they teach journalist at college > is to say "I'm on deadline", and if they say it to an email admin, > they have to append "and I'm expecting an important email". From shuttlebox at gmail.com Wed Oct 1 21:22:40 2008 
From: shuttlebox at gmail.com (shuttlebox) Date: Wed Oct 1 21:22:50 2008 Subject: dirty problem with clamscan 0.94 In-Reply-To: <48E3D211.5020306@cnpapers.com> References: <48E3D211.5020306@cnpapers.com> Message-ID: <625385e30810011322o78e68366y6f726f383c34abc6@mail.gmail.com> On Wed, Oct 1, 2008 at 9:40 PM, Steve Campbell wrote: > Sorry to be so whiny, but I finally took the time to upgrade from an ancient > version just last week, and I don't think they'd sit still for another bout > of upgrades. AOL also was blocking our new IP ranges, so Halloween came > early around here and it was a week from hell. Use two systems even if you don't need it for the load. Then you can upgrade one while the other temporarily processes all your mail. -- /peter From ssilva at sgvwater.com Wed Oct 1 22:23:42 2008 
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Oct 1 22:24:08 2008 Subject: dirty problem with clamscan 0.94 In-Reply-To: <48E3D211.5020306@cnpapers.com> References: <48E3D211.5020306@cnpapers.com> Message-ID: on 10-1-2008 12:40 PM Steve Campbell spake the following: > > > Scott Silva wrote: >> on 10-1-2008 12:01 PM Milos Wimmer spake the following: >> >>> Hi, >>> >>> I'm using MailScanner in conjunction with ClamAV clamscan antivirus >>> engine. I found problem after upgrade ClamAV to version 0.94. >>> All looked fine (no warnings in log files), but clamscan did not scan >>> any file inside MailScanner. >>> >>> I found problem is caused by change of clamscan-0.94 options :-( >>> >>> Previous versions support options --unzip, --jar, --tar, --max-ratio and >>> other while clamscan-0.94 does not. >>> When you run "clamscan --unzip file" from command line, it writes: >>> clamscan: unrecognized option `--unzip' >>> ERROR: Unknown option passed. >>> ERROR: Can't parse the command line >>> >>> and file does not check. >>> >>> MailScanner set these options inside of wrapper/clamav-wrapper file >>> in ExtraScanOptions parameter. >>> Similar thing is in SweepViruses.pm file for --unrar option. >>> >>> When I comment out setting of all these options, clamscan works inside >>> MailScanner again nice. >>> >>> Please look at this problem - people using clamscan think they are safe, >>> but they are not now. Clamscan-0.94 does not check anything inside >>> MailScanner... >>> >>> >>> Best regards, >>> >>> Milos >>> >> It is already fixed in the new betas. Stable is usually released every >> other >> month unless a large change warrants a release sooner. >> Most people aren't using clamscan since it is the most memory and >> processor >> intensive way to use clam with mailscanner. >> >> > I must have the pickiest users in the world, as if mail goes down for > one minute, I start getting calls. I suppose I could "startin" and maybe > "startout" and load the Beta. 
I thought I found all of the instances of > the ExtraScanOptions to remove the problem, but see I really haven't. > > So, if anyone knows where all these ExtraScanOption statements are, it > would be great if someone could post them so I(we) could remove them. It > would be even better if it just happened to consist of a few files that > could be replaced from the Beta. > > I work at a newspaper (actually more than one - a morning and evening > publication) and it doesn't leave much time to fiddle with things. Seems > like the first thing they teach journalist at college is to say "I'm on > deadline", and if they say it to an email admin, they have to append > "and I'm expecting an important email". > > Sorry to be so whiny, but I finally took the time to upgrade from an > ancient version just last week, and I don't think they'd sit still for > another bout of upgrades. AOL also was blocking our new IP ranges, so > Halloween came early around here and it was a week from hell. > > Thanks so much for any help. > > Steve Campbell > I don't remember what changed, and I can't find the thread where Julian posted a fix. I think it was either sweepviruses.pm or clamav-wrapper, or maybe both. You could get those from the beta and swap them if someone verifies what was changed. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From markee at bandwidthco.com Thu Oct 2 02:34:29 2008 
From: markee at bandwidthco.com (markee) Date: Thu Oct 2 02:34:22 2008 Subject: Way OT: Cat Names In-Reply-To: <223f97700810011112p6303b28bs5487246e8c8e5a88@mail.gmail.com> References: <48E24865.8040702@trayerproducts.com> <48E37E93.60309@USherbrooke.ca> <223f97700810011112p6303b28bs5487246e8c8e5a88@mail.gmail.com> Message-ID: <003901c9242f$039db5e0$0300a8c0@bandwidthco.com> -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen Sent: Wednesday, October 01, 2008 11:12 AM To: MailScanner discussion Subject: Re: Way OT: Cat Names 2008/10/1 Scott Silva : > on 10-1-2008 6:43 AM Denis Beauchemin spake the following: >> Scott Silva wrote: >>> on 9-30-2008 8:53 AM Alex Neuman van der Hans spake the following: >>> >>>> Plug & Pray? >>>> Fire & Forget? >>>> Bangers & Mash? >>>> By and Large? >>>> Pump & Dump? >>>> Rockem & Sockem? >>>> Ball & Chain? >>>> Speak & Spell? >>>> >>>> On Sep 30, 2008, at 10:40 AM, Rodney Green wrote: >>>> >>>> >>>>> Kernel & Patch >>>>> >>> Why would anyone want *two* cats! ;-P >>> >>> >>> >>> >> Because they will play with one another and leave your furniture alone! >> >> How about sendmail and postfix? >> >> Denis >> > Don't name them mailscanner and postfix, because postfix will always pick on > mailscanner! ;-D > Worse... MailScanner will violate postfix' interfaces!:D Here is my take on the subject. I happen to have four cats. Why? Because they are such remarkable beings. And because I find them to be very therapeutic, and more insightful and intelligent than most of the people I work with. Four cats should suffice. However, if I were to get two more cats, I would name them Lilo and Grub. From erwin.lomibao at inquirer.net Thu Oct 2 05:53:48 2008 
From: erwin.lomibao at inquirer.net (erwin lomibao) Date: Thu Oct 2 05:53:57 2008 Subject: Way OT: Cat Names In-Reply-To: <003901c9242f$039db5e0$0300a8c0@bandwidthco.com> References: <48E24865.8040702@trayerproducts.com> <48E37E93.60309@USherbrooke.ca> <223f97700810011112p6303b28bs5487246e8c8e5a88@mail.gmail.com> <003901c9242f$039db5e0$0300a8c0@bandwidthco.com> Message-ID: How about: if & then true & false ruby & rails <-- my vote python & django <-- 2nd fav perl & mason -- erwin lomibao senior systems admin inquirer interactive erwin.lomibao@{inquirer.net} 9f rufino plaza makati 1200 philippines From achim+mailscanner at qustodium.net Thu Oct 2 11:24:11 2008 
From: achim+mailscanner at qustodium.net (Achim J. Latz) Date: Thu Oct 2 11:24:35 2008 Subject: Multiple confusions on my part. In-Reply-To: References: <48DCF72B.90903@ecs.soton.ac.uk> <48DD0C27.9070301@cnpapers.com> <48DD4782.8030002@cnpapers.com> <1222559122.48dec592b7178@perdition.cnpapers.net> Message-ID: <48E4A14B.1030706@qustodium.net> Hello Anthony: On 29/9/08 13:25, Anthony Cartmell wrote: > I modified my daily MailWatch report to have two features: > > 1) Messages sorted by spam score first, then date and time. > 2) Rows have coloured background set by spam score. White for low > scores, up to dark red for high ones. > > Means it's easy to scan to see how many might be false positives (the > white background rows, if any), and you only need to check the top of > the table. It's very clear that all the messages at the bottom are > definite spam! > > A daily MailWatch report in this format gives two benefits: > 1) Easy to spot any false positives, so users feel comfortable that > nothing can get lost in the filter. > 2) A graphic demonstration of the work that MailScanner is doing. Would you be willing to share your code with the list, or perhaps put it on the Wiki? This seems like a great idea and a very valuable addition, not only to underline the work that MailScanner does, but also to make it easier for the end-user to sift through the quarantined items. Thank you very much in advance, Achim From alex at rtpty.com Thu Oct 2 12:53:11 2008 
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Thu Oct 2 12:53:29 2008 Subject: Way OT: Cat Names In-Reply-To: References: <48E24865.8040702@trayerproducts.com> <48E37E93.60309@USherbrooke.ca> <223f97700810011112p6303b28bs5487246e8c8e5a88@mail.gmail.com> <003901c9242f$039db5e0$0300a8c0@bandwidthco.com> Message-ID: <5DDBC211-6003-4D2A-A1EE-3CDEC4C10508@rtpty.com> Tweedle-Dum and Tweedle-Dee? Hatter & Hare? On Oct 1, 2008, at 11:53 PM, erwin lomibao wrote: > How about: > > if & then > true & false > ruby & rails <-- my vote > python & django <-- 2nd fav > perl & mason > > > > > -- > erwin lomibao > > senior systems admin > inquirer interactive > erwin.lomibao@{inquirer.net} > 9f rufino plaza > makati 1200 > philippines From mgaudreault at reference.qc.ca Thu Oct 2 17:06:32 2008 
From: mgaudreault at reference.qc.ca (Maxime Gaudreault) Date: Thu Oct 2 17:06:41 2008 Subject: Email address spoofing Message-ID: <6DD6B2C8A11BFC4092A148347F6126B86D0A3C@jupiter.reference.local> Hi Is there anything to do against email address spoofing ? Many of our customers have their email address spoofed. Then they receive a sh*t load of bounce: Mail delivery failed: returning message to sender failure notice Delivery Status Notification (Failure) Undeliverable: 73% off for steve.messner Returned mail: see transcript for details My antispam gateway stops 80% of them but the customers receives like 10 of these / minutes. Another result of these bounce is my server being overloaded which lead to greater delay for mail scanning. Can I do something against that ? Thanks in advance Max From alex at rtpty.com Thu Oct 2 17:23:20 2008 
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Thu Oct 2 17:23:36 2008 Subject: Email address spoofing In-Reply-To: <6DD6B2C8A11BFC4092A148347F6126B86D0A3C@jupiter.reference.local> References: <6DD6B2C8A11BFC4092A148347F6126B86D0A3C@jupiter.reference.local> Message-ID: <69CC22E4-C75B-4D4F-813E-B91021F01E4E@rtpty.com> Short answer: NO. You can't stop people from *trying* to spoof you. Long answer: You need to discourage people from spoofing you, and to discourage others from accepting spoofed messages. To do this, you need to do three things: 1. Let the world know that messages from you should only come from a certain set of IP addresses. See http://openspf.org/ for more info. 2. Force the use of authentication in order to use your mail servers as a gateway. You don't want your own computers to "spoof" you when infected by trojans and such. 3. Use a milter such as milter-null, which signs each outgoing message, so that bounces that did not originate from your server are not received. Leverage this with MailScanner's "Watermark" feature so that your server doesn't accept or deliver spoofed messages. On Oct 2, 2008, at 11:06 AM, Maxime Gaudreault wrote: > Is there anything to do against email address spoofing ? From mgaudreault at reference.qc.ca Thu Oct 2 17:59:58 2008 From: mgaudreault at reference.qc.ca (Maxime Gaudreault) Date: Thu Oct 2 18:00:08 2008 Subject: Email address spoofing In-Reply-To: <69CC22E4-C75B-4D4F-813E-B91021F01E4E@rtpty.com> References: <6DD6B2C8A11BFC4092A148347F6126B86D0A3C@jupiter.reference.local> <69CC22E4-C75B-4D4F-813E-B91021F01E4E@rtpty.com> Message-ID: <6DD6B2C8A11BFC4092A148347F6126B86D0A3D@jupiter.reference.local> 1. I already use SPF for some domains, not all 2. My mail server already uses authentication. But my customers uses their ISP's mail server... not mine. 3. I'm not sure I understand but if they don't use my outgoing server, I can't signs the emails.. Max -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Neuman van der Hans Sent: 2 octobre 2008 12:23 To: MailScanner discussion Subject: Re: Email address spoofing Short answer: NO. You can't stop people from *trying* to spoof you. Long answer: You need to discourage people from spoofing you, and to discourage others from accepting spoofed messages. To do this, you need to do three things: 1. Let the world know that messages from you should only come from a certain set of IP addresses. See http://openspf.org/ for more info. 2. Force the use of authentication in order to use your mail servers as a gateway. You don't want your own computers to "spoof" you when infected by trojans and such. 3. Use a milter such as milter-null, which signs each outgoing message, so that bounces that did not originate from your server are not received. Leverage this with MailScanner's "Watermark" feature so that your server doesn't accept or deliver spoofed messages. On Oct 2, 2008, at 11:06 AM, Maxime Gaudreault wrote: > Is there anything to do against email address spoofing ? From jonas at vrt.dk Thu Oct 2 18:01:11 2008 
From: jonas at vrt.dk (Jonas Akrouh Larsen) Date: Thu Oct 2 18:01:23 2008 Subject: Barracuda Reputation Block List (BRBL) In-Reply-To: References: <48E2442F.61A4.0000.0@caspercollege.edu> Message-ID: <002601c924b0$78bb13a0$6a313ae0$@dk> At first I found it very very inaccurate, with loads of FP's. After tweaking the SA rule set, specifically adding -lastexternal to the rbl id. It works much much better. It still hits on ham sometimes, more than zen, but it's quite useful with the correct settings and scores. Cheers Jonas A. Larsen So I'd recommend adjusting the sa rules to make sure it only checks the last relay. -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Paul Kelly :: Blacknight Sent: 1. oktober 2008 01:21 To: 'MailScanner discussion' Subject: RE: Barracuda Reputation Block List (BRBL) We've not found it to be very accurate and the percentage of FPs is too high for us. It can of course be used in SA like any RBL. Paul Kelly Technical Director Blacknight Internet Solutions ltd Hosting, Colocation, Dedicated servers IP Transit Services Tel: +353 (0) 59 9183072 Lo-call: 1850 929 929 DDI: +353 (0) 59 9183091 e-mail: paul@blacknight.ie web: http://www.blacknight.ie Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, Ireland Company No.: 370845 > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Daniel Straka > Sent: Tuesday, September 30, 2008 10:22 PM > To: mailscanner@lists.mailscanner.info > Subject: Barracuda Reputation Block List (BRBL) > > Does anyone know if this new BL service can be used with MailScanner? > http://www.barracudacentral.org/rbl > > -- > > Dan Straka > Systems Coordinator > Casper College > 307.268.2399 > www.caspercollege.edu ( http://www.caspercollege.edu/ ) From alex at rtpty.com Thu Oct 2 18:17:57 2008 
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Thu Oct 2 18:18:11 2008 Subject: Email address spoofing In-Reply-To: <6DD6B2C8A11BFC4092A148347F6126B86D0A3D@jupiter.reference.local> References: <6DD6B2C8A11BFC4092A148347F6126B86D0A3C@jupiter.reference.local> <69CC22E4-C75B-4D4F-813E-B91021F01E4E@rtpty.com> <6DD6B2C8A11BFC4092A148347F6126B86D0A3D@jupiter.reference.local> Message-ID: Exactly. If they're using someone else's mailservers there is nothing to do. Stop them from using another server if you really want to solve the problem. If your users say "but I can't connect to your server" help them out by using port 465 and port 587 (with and without SSL). Port 25 is not a prerequisite; in fact, it should be discouraged unless you're a server. On Oct 2, 2008, at 11:59 AM, Maxime Gaudreault wrote: > 2. My mail server already uses authentication. But my customers uses > their ISP's mail server... not mine. > > 3. I'm not sure I understand but if they don't use my outgoing > server, I > can't signs the emails.. From rjette at mestek.com Thu Oct 2 18:27:03 2008 From: rjette at mestek.com (Ray Jette) Date: Thu Oct 2 18:26:45 2008 Subject: Blocked message Message-ID: <1222968423.26597.52.camel@mtws-rjette> I have a message in /var/spool/MailScanner/quarantine/20081002/spam that I need to deliver. To deliver it could I just place a copy in the /var/spool/postfix/incoming directory? I am also having trouble determining why this message was blocked. I checked my /var/log/mail.log file and did not come up with anything. Is there a way to re-run the message through MailScanner to see what happened? Thanks. From glenn.steen at gmail.com Thu Oct 2 19:30:27 2008 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Oct 2 19:30:51 2008 Subject: Blocked message In-Reply-To: <1222968423.26597.52.camel@mtws-rjette> References: <1222968423.26597.52.camel@mtws-rjette> Message-ID: <223f97700810021130w3c5955a0w89f489ed4c926a03@mail.gmail.com> 2008/10/2 Ray Jette : > I have a message in /var/spool/MailScanner/quarantine/20081002/spam that > I need to deliver. To deliver it could I just place a copy in > the /var/spool/postfix/incoming directory? > It depends on whether you quarantine the queue file or the RFC822-format message file. One is binary, the other text... MailWatch demands the latter. Look at the howto at http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:how_to:release_quarantined_mail for the diverse options (actually more like 2.5:-). > I am also having trouble determining why this message was blocked. I > checked my /var/log/mail.log file and did not come up with anything. Is > there a way to re-run the message through MailScanner to see what > happened? Since it is in the spam quarantine, it is likely that running SA on it will reveal something... Or checking any BLs you have in the MS Spam Lists setting... Or it might've been an empty sender with no watermark. Did you grep for the queue ID, with no hits? Do you log that kind of thing? I'd recommend that you take a look at MailWatch for MailScanner, an excellent add-on:) > Thanks. > Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From rjette at mestek.com Thu Oct 2 20:24:22 2008 
From: rjette at mestek.com (Ray Jette) Date: Thu Oct 2 20:24:03 2008 Subject: Blocked message In-Reply-To: <223f97700810021130w3c5955a0w89f489ed4c926a03@mail.gmail.com> References: <1222968423.26597.52.camel@mtws-rjette> <223f97700810021130w3c5955a0w89f489ed4c926a03@mail.gmail.com> Message-ID: <1222975462.26597.74.camel@mtws-rjette> Thanks for the quick reply. I'll look into what you suggested. On Thu, 2008-10-02 at 20:30 +0200, Glenn Steen wrote: > 2008/10/2 Ray Jette : > > I have a message in /var/spool/MailScanner/quarantine/20081002/spam that > > I need to deliver. To deliver it could I just place a copy in > > the /var/spool/postfix/incoming directory? > > > It depends on whether you quarantine the queue file or the > RFC822-format message file. One is binary, the other text... MailWatch > demands the latter. > Look at the howto at > http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:how_to:release_quarantined_mail > for the diverse options (actually more like 2.5:-). > > > I am also having trouble determining why this message was blocked. I > > checked my /var/log/mail.log file and did not come up with anything. Is > > there a way to re-run the message through MailScanner to see what > > happened? > Since it is in the spam quarantine, it is likely that running SA on it > will reveal something... Or checking any BLs you have in the MS Spam > Lists setting... Or it might've been an empty sender with no > watermark. Did you grep for the queue ID, with no hits? Do you log > that kind of thing? I'd recommend that you take a look at MailWatch > for MailScanner, an excellent add-on:) > > > Thanks. > > > > Cheers > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se From rjette at mestek.com Thu Oct 2 20:31:20 2008 
From: rjette at mestek.com (Ray Jette) Date: Thu Oct 2 20:31:01 2008 Subject: Blocked message In-Reply-To: <1222968423.26597.52.camel@mtws-rjette> References: <1222968423.26597.52.camel@mtws-rjette> Message-ID: <1222975880.26597.76.camel@mtws-rjette> Is there a way to enable more detailed logging for when MS blocks a message? On Thu, 2008-10-02 at 13:27 -0400, Ray Jette wrote: > I have a message in /var/spool/MailScanner/quarantine/20081002/spam that > I need to deliver. To deliver it could I just place a copy in > the /var/spool/postfix/incoming directory? > > I am also having trouble determining why this message was blocked. I > checked my /var/log/mail.log file and did not come up with anything. Is > there a way to re-run the message through MailScanner to see what > happened? > > Thanks. > From martinh at solidstatelogic.com Thu Oct 2 20:43:50 2008 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Thu Oct 2 20:37:43 2008 Subject: Email address spoofing Message-ID: Maxime The watermarking feature helps a lot.. -- martin -----Original Message----- 
From: Maxime Gaudreault Sent: 02 October 2008 17:12 To: mailscanner@lists.mailscanner.info Subject: Email address spoofing Hi Is there anything to do against email address spoofing ? Many of our customers have their email address spoofed. Then they receive a sh*t load of bounce: Mail delivery failed: returning message to sender failure notice Delivery Status Notification (Failure) Undeliverable: 73% off for steve.messner Returned mail: see transcript for details My antispam gateway stops 80% of them but the customers receives like 10 of these / minutes. Another result of these bounce is my server being overloaded which lead to greater delay for mail scanning. Can I do something against that ? Thanks in advance Max ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From alex at rtpty.com Thu Oct 2 20:43:22 2008 
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Thu Oct 2 20:43:54 2008 Subject: Email address spoofing In-Reply-To: References: Message-ID: <829946C4-2F61-4913-B712-FC250B957489@rtpty.com> It does - it *really* does. However, unless other steps are taken, you're only treating the patient, not curing the disease. On Oct 2, 2008, at 2:43 PM, Martin.Hepworth wrote: > Maxime > > The watermarking feature helps a lot.. > -- > martin > > -----Original Message----- 
> From: Maxime Gaudreault > Sent: 02 October 2008 17:12 > To: mailscanner@lists.mailscanner.info > Subject: Email address spoofing > > Hi > > > > Is there anything to do against email address spoofing ? Many of our > customers have their email address spoofed. Then they receive a sh*t > load of bounce: > > > > Mail delivery failed: returning message to sender > > failure notice > > Delivery Status Notification (Failure) > > Undeliverable: 73% off for steve.messner > > Returned mail: see transcript for details > > > > My antispam gateway stops 80% of them but the customers receives > like 10 > of these / minutes. Another result of these bounce is my server being > overloaded which lead to greater delay for mail scanning. > > > > Can I do something against that ? > > > > Thanks in advance > > > > Max 
From clacroix at cegep-ste-foy.qc.ca Thu Oct 2 20:48:38 2008 From: clacroix at cegep-ste-foy.qc.ca (Charles Lacroix) Date: Thu Oct 2 20:48:51 2008 Subject: Email address spoofing In-Reply-To: References: Message-ID: <48E52596.3080109@cegep-ste-foy.qc.ca> but it kills some vacation scripts ... Martin.Hepworth wrote: > Maxime > > The watermarking feature helps a lot.. > From alex at rtpty.com Thu Oct 2 21:06:02 2008 From: alex at rtpty.com (Alex Neuman van der Hans) Date: Thu Oct 2 21:06:14 2008 Subject: Email address spoofing In-Reply-To: <48E52596.3080109@cegep-ste-foy.qc.ca> References: <48E52596.3080109@cegep-ste-foy.qc.ca> Message-ID: <85C1A371-2CDC-44DD-970C-A3B400E9D87D@rtpty.com> That's a feature - not a bug! ;-) They deserve it! On Oct 2, 2008, at 2:48 PM, Charles Lacroix wrote: > but it kills some vacation scripts ... From J.Ede at birchenallhowden.co.uk Thu Oct 2 21:43:24 2008 From: J.Ede at birchenallhowden.co.uk (Jason Ede) Date: Thu Oct 2 21:43:43 2008 Subject: Email address spoofing In-Reply-To: <48E52596.3080109@cegep-ste-foy.qc.ca> References: <48E52596.3080109@cegep-ste-foy.qc.ca> Message-ID: <4CAB0118AEC63A4FAAE77E6BCBDF760C792A20F2AA@server02.bhl.local> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Charles Lacroix
> Sent: 02 October 2008 20:49
> To: MailScanner discussion
> Subject: Re: Email address spoofing
>
> but it kills some vacation scripts ...

There is a problem with that?

> Martin.Hepworth wrote:
> > Maxime
> >
> > The watermarking feature helps a lot..

From hvdkooij at vanderkooij.org Thu Oct 2 21:48:26 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Thu Oct 2 21:48:36 2008
Subject: Way OT: Cat Names
In-Reply-To:
References: <48E24865.8040702@trayerproducts.com> <48E37E93.60309@USherbrooke.ca>
Message-ID: <48E5339A.9030809@vanderkooij.org>

Alex Neuman van der Hans wrote:
> And it'll probably cause swapping, too!

You mean. You may not even know which cat is postfix and which cat is mailscanner?

> On Oct 1, 2008, at 11:33 AM, Scott Silva wrote:
>
>> Don't name them mailscanner and postfix, because postfix will always
>> pick on mailscanner! ;-D

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

From ssilva at sgvwater.com Thu Oct 2 22:00:00 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Oct 2 22:05:14 2008
Subject: Email address spoofing
In-Reply-To: <48E52596.3080109@cegep-ste-foy.qc.ca>
References: <48E52596.3080109@cegep-ste-foy.qc.ca>
Message-ID:

on 10-2-2008 12:48 PM Charles Lacroix spake the following:
> but it kills some vacation scripts ...
>
Another positive point! The last thing I want to see is that someone can go on vacation without having to check their e-mails or answer a cellphone! ;-P

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From martinh at solidstatelogic.com Thu Oct 2 22:16:32 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Thu Oct 2 22:11:22 2008
Subject: Email address spoofing
Message-ID:

Well some people consider vacation emails as bad as spam anyway so ymmv on that one ;-)

--
martin

-----Original Message-----
From: Charles Lacroix
Sent: 02 October 2008 20:51
To: MailScanner discussion
Subject: Re: Email address spoofing

but it kills some vacation scripts ...

Martin.Hepworth wrote:
> Maxime
>
> The watermarking feature helps a lot..

From steve.swaney at fsl.com Thu Oct 2 22:18:14 2008
From: steve.swaney at fsl.com (Stephen Swaney)
Date: Thu Oct 2 22:18:26 2008
Subject: Way OT: Cat Names
In-Reply-To: <48E5339A.9030809@vanderkooij.org>
References: <48E24865.8040702@trayerproducts.com> <48E37E93.60309@USherbrooke.ca> <48E5339A.9030809@vanderkooij.org>
Message-ID: <027e01c924d4$621eeb70$265cc250$@swaney@fsl.com>

Gang,

This has been fun to watch but I think I have the best names for Julian's new kitties:

"Don't come" and "Don't sit"

That way whenever you call their names, they'll behave perfectly, which is more than you can say for most cats :)

And this will surely impress your friends who have not been able to train their cats!

Steve

Steve Swaney
steve@fsl.com
Office Phone: 202 595-7760 ext. 601

From lists at designmedia.com Fri Oct 3 01:56:18 2008
From: lists at designmedia.com (Henry Kwan)
Date: Fri Oct 3 01:56:40 2008
Subject: Email address spoofing
References: <6DD6B2C8A11BFC4092A148347F6126B86D0A3C@jupiter.reference.local> <69CC22E4-C75B-4D4F-813E-B91021F01E4E@rtpty.com>
Message-ID:

Alex Neuman van der Hans writes:

> 3. Use a milter such as milter-null, which signs each outgoing
> message, so that bounces that did not originate from your server are
> not received. Leverage this with MailScanner's "Watermark" feature so
> that your server doesn't accept or deliver spoofed messages.

Hi,

If you are already using the MailScanner "watermark" feature, is milter-null needed? Is there concern that the watermark can be spoofed?

Thanks.

From prandal at herefordshire.gov.uk Fri Oct 3 11:16:03 2008
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Fri Oct 3 11:16:32 2008
Subject: RFC 5321 and RFC 5322
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA04D7E1B9@HC-MBX02.herefordshire.gov.uk>

New draft email standards are out, replacing RFC 2821 and RFC 2822

http://www.ietf.org/rfc/rfc5321.txt
http://www.ietf.org/rfc/rfc5322.txt

Interesting commentary here:

http://blog.mailchannels.com/2008/10/update-to-email-standards.html

Cheers,

Phil

--
Phil Randal
Networks Engineer
Herefordshire Council
Hereford, UK

From alex at rtpty.com Fri Oct 3 12:16:21 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Fri Oct 3 12:16:36 2008
Subject: Email address spoofing
In-Reply-To:
References: <6DD6B2C8A11BFC4092A148347F6126B86D0A3C@jupiter.reference.local> <69CC22E4-C75B-4D4F-813E-B91021F01E4E@rtpty.com>
Message-ID:

The milter-null feature will stop e-mail without the watermark from reaching MailScanner and works on sendmail (possibly postfix). The watermark feature is more "complete" in that it allows more control.

On Oct 2, 2008, at 7:56 PM, Henry Kwan wrote:

> If you are already using the MailScanner "watermark" feature, is
> milter-null needed? Is there concern that the watermark can be spoofed?

From dnsadmin at 1bigthink.com Fri Oct 3 15:49:14 2008
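The watermark idea discussed in the messages above, as an added example (not code from MailScanner, milter-null or any poster): outgoing mail carries a keyed tag, and a message arriving with the empty envelope sender is accepted only if it returns a valid, unexpired tag. The header name, tag format, secret, lifetime and sample messages are assumptions constructed for illustration.

```python
import hashlib
import hmac
from email import message_from_string

SECRET = b"constructed-demo-secret"  # assumption: per-site secret key
HEADER = "X-Example-Watermark"       # hypothetical header name
LIFETIME = 7 * 24 * 3600             # assumption: a tag is valid for 7 days
NOW = 1223000000                     # constructed "current time" (Oct 2008)


def _mac(message_id, expiry):
    data = f"{message_id}|{expiry}".encode()
    return hmac.new(SECRET, data, hashlib.sha256).hexdigest()[:32]


def make_watermark(message_id, sent_at):
    """Tag put on every outgoing message: '<expiry>-<truncated HMAC>'."""
    expiry = int(sent_at) + LIFETIME
    return f"{expiry}-{_mac(message_id, expiry)}"


def check_watermark(message_id, value, now):
    try:
        expiry_text, mac = value.strip().split("-", 1)
        expiry = int(expiry_text)
    except ValueError:
        return False
    # Constant-time comparison; the expiry limits how long a copied tag works.
    genuine = hmac.compare_digest(mac.encode(), _mac(message_id, expiry).encode())
    return genuine and now <= expiry


def returned_headers(msg):
    """Yield the headers of the original message carried inside a bounce."""
    for part in msg.walk():
        if part is msg:
            continue  # the bounce's own headers are written by the remote side
        if part.get_content_type() == "text/rfc822-headers":
            yield message_from_string(part.get_payload())
        elif part.get("Message-ID"):
            yield part  # original returned in full (message/rfc822)


def classify(envelope_sender, raw_message, now):
    if envelope_sender not in ("", "<>"):
        return "scan"  # ordinary mail: the watermark test does not apply
    for original in returned_headers(message_from_string(raw_message)):
        mid, tag = original.get("Message-ID"), original.get(HEADER)
        if mid and tag and check_watermark(mid, tag, now):
            return "accept-bounce"
    return "reject-bounce"


def bounce(original_headers):
    """Constructed DSN that returns the original message's headers."""
    return (
        "From: MAILER-DAEMON@mx.example.net\n"
        "Subject: Mail delivery failed: returning message to sender\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/report; boundary="b1"\n'
        "\n--b1\nContent-Type: text/plain\n\nDelivery failed.\n"
        "--b1\nContent-Type: text/rfc822-headers\n\n"
        + original_headers + "\n--b1--\n"
    )


def run_samples():
    mid = "<20081002.1@example.com>"
    base = f"From: steve@example.com\nMessage-ID: {mid}\n"
    good = make_watermark(mid, NOW - 3600)
    stale = make_watermark(mid, NOW - 8 * 24 * 3600)
    forged = good[:-1] + ("0" if good[-1] != "0" else "1")
    vacation = "From: bob@example.net\nSubject: Out of office\n\nBack on Monday.\n"
    cases = {
        "bounce of our own mail": ("<>", bounce(base + f"{HEADER}: {good}\n")),
        "backscatter, no tag": ("<>", bounce(base)),
        "backscatter, altered tag": ("<>", bounce(base + f"{HEADER}: {forged}\n")),
        "bounce with expired tag": ("<>", bounce(base + f"{HEADER}: {stale}\n")),
        "vacation reply, null sender": ("<>", vacation),
        "ordinary mail": ("alice@example.org", vacation),
    }
    return {name: classify(s, raw, NOW) for name, (s, raw) in cases.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{verdict:14} {name}")
```

The vacation sample is the side effect raised in the thread: an auto-reply sent with an empty envelope sender that returns none of the original headers is rejected along with the forged bounces.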
From: dnsadmin at 1bigthink.com (dnsadmin 1bigthink.com)
Date: Fri Oct 3 15:49:33 2008
Subject: RFC 5321 and RFC 5322
In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA04D7E1B9@HC-MBX02.herefordshire.gov.uk>
References: <7EF0EE5CB3B263488C8C18823239BEBA04D7E1B9@HC-MBX02.herefordshire.gov.uk>
Message-ID: <200810031449.m93EnLA0027745@mxt.1bigthink.com>

At 06:16 AM 10/3/2008, you wrote:
>New draft email standards are out, replacing RFC 2821 and RFC 2822
>
>http://www.ietf.org/rfc/rfc5321.txt
>
>http://www.ietf.org/rfc/rfc5322.txt
>
>Interesting commentary here:
>
>http://blog.mailchannels.com/2008/10/update-to-email-standards.html
>
>Cheers,
>
>Phil

Very much thanks for the 'heads-up,' Phil!

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From martinh at solidstatelogic.com Fri Oct 3 16:05:58 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Fri Oct 3 16:06:12 2008
Subject: RFC 5321 and RFC 5322
In-Reply-To: <200810031449.m93EnLA0027745@mxt.1bigthink.com>
Message-ID: <053355a0a4e2c54c917584daeb819261@solidstatelogic.com>

I like the summary document/commentary, esp the bit about not responding to 'bad content'.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of dnsadmin 1bigthink.com
> Sent: 03 October 2008 15:49
> To: MailScanner discussion
> Subject: Re: RFC 5321 and RFC 5322
>
> At 06:16 AM 10/3/2008, you wrote:
>
> > New draft email standards are out, replacing RFC 2821 and RFC 2822
> >
> > http://www.ietf.org/rfc/rfc5321.txt
> > http://www.ietf.org/rfc/rfc5322.txt
> >
> > Interesting commentary here:
> > http://blog.mailchannels.com/2008/10/update-to-email-standards.html
> >
> > Cheers,
> > Phil
>
> Very much thanks for the 'heads-up,' Phil!

From list-mailscanner at linguaphone.com Fri Oct 3 12:28:11 2008
From: list-mailscanner at linguaphone.com (Gareth)
Date: Fri Oct 3 20:14:40 2008
Subject: Email address spoofing
In-Reply-To:
References: <6DD6B2C8A11BFC4092A148347F6126B86D0A3C@jupiter.reference.local> <69CC22E4-C75B-4D4F-813E-B91021F01E4E@rtpty.com>
Message-ID: <1223033291.2311.5.camel@gblades-suse.linguaphone-intranet.co.uk>

Alternatively you could use the VBounce spamassassin plugin.

On Fri, 2008-10-03 at 12:16, Alex Neuman van der Hans wrote:
> The milter-null feature will stop e-mail without the watermark from
> reaching MailScanner and works on sendmail (possibly postfix). The
> watermark feature is more "complete" in that it allows more control.
>
> On Oct 2, 2008, at 7:56 PM, Henry Kwan wrote:
>
> > If you are already using the MailScanner "watermark" feature, is
> > milter-null needed? Is there concern that the watermark can be spoofed?

From andrew at gdcon.net Sat Oct 4 01:40:44 2008
From: andrew at gdcon.net (Andrew MacLachlan)
Date: Sat Oct 4 01:41:12 2008
Subject: Way OT: Cat Names
In-Reply-To: <027e01c924d4$621eeb70$265cc250$@swaney@fsl.com>
References: <48E24865.8040702@trayerproducts.com> <48E37E93.60309@USherbrooke.ca> <48E5339A.9030809@vanderkooij.org> <027e01c924d4$621eeb70$265cc250$@swaney@fsl.com>
Message-ID: <48E6BB8C.2080303@gdcon.net>

So Jules - What did you call them in the end?

From jtwatson at linux-consulting.us Sat Oct 4 01:59:55 2008
From: jtwatson at linux-consulting.us (Joseph Watson)
Date: Sat Oct 4 02:00:17 2008
Subject: Clamd
Message-ID: <200810032059.56012.jtwatson@linux-consulting.us>

Hello,

I am trying to find out some information on configuring clamd with MailScanner but can't find this particular question answered anywhere.

How does MailScanner determine whether to connect to clamd by socket or IP? If they are both available, which will be used?

--
Regards
Joseph Watson

From r.berber at computer.org Sat Oct 4 07:21:22 2008
From: r.berber at computer.org (René Berber)
Date: Sat Oct 4 07:21:39 2008
Subject: Clamd
In-Reply-To: <200810032059.56012.jtwatson@linux-consulting.us>
References: <200810032059.56012.jtwatson@linux-consulting.us>
Message-ID:

Joseph Watson wrote:

> I am trying to find out some information on configuring clamd with MailScanner
> but can't find this particular question answered anywhere.
>
> How does MailScanner determine whether to connect to clamd by socket or IP?
> If they are both available, which will be used?

In MailScanner.conf there's a line:

    Clamd Socket = /tmp/clamd.socket

The comments above that document the alternative use.

--
René Berber

From jtwatson at linux-consulting.us Sat Oct 4 15:51:03 2008
From: jtwatson at linux-consulting.us (Joseph Watson)
Date: Sat Oct 4 15:51:19 2008
Subject: Clamd
In-Reply-To:
References: <200810032059.56012.jtwatson@linux-consulting.us>
Message-ID: <200810041051.03382.jtwatson@linux-consulting.us>

On Saturday 04 October 2008 2:21:22 am René Berber wrote:
> Joseph Watson wrote:
> > I am trying to find out some information on configuring clamd with
> > MailScanner but can't find this particular question answered anywhere.
> >
> > How does MailScanner determine whether to connect to clamd by socket or
> > IP? If they are both available, which will be used?
>
> In MailScanner.conf there's a line:
>
> Clamd Socket = /tmp/clamd.socket
>
> The comments above that document the alternative use.
> --
> René Berber

I read the comments but I guess not very good... I got it now. :)

Thanks for the help!

Joseph Watson

From ismail at ismailozatay.net Mon Oct 6 13:22:29 2008
From: ismail at ismailozatay.net (İsmail ÖZATAY)
Date: Mon Oct 6 13:23:28 2008
Subject: Archive rules
Message-ID: <48EA0305.7080209@ismailozatay.net>

Hi all,

I want to archive inbound and/or outbound messages into maildir format on CentOS 5.2 server running sendmail and mailscanner. Is it possible ?

Thanks

Regards

ismail

From maillists at conactive.com Mon Oct 6 13:31:12 2008
From: maillists at conactive.com (Kai Schaetzl)
Date: Mon Oct 6 13:32:10 2008
Subject: RFC 5321 and RFC 5322
In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA04D7E1B9@HC-MBX02.herefordshire.gov.uk>
References: <7EF0EE5CB3B263488C8C18823239BEBA04D7E1B9@HC-MBX02.herefordshire.gov.uk>
Message-ID:

Thanks, Phil!

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Mon Oct 6 13:48:19 2008
From: maillists at conactive.com (Kai Schaetzl)
Date: Mon Oct 6 13:48:53 2008
Subject: clamavmodule not found
Message-ID:

I want to use clamavmodule, but MS on a freshly installed setup doesn't find it:

ClamAV Perl module not found, did you install it?

I installed perl-ClamAV-Client.noarch 0:0.11-1.el5.rf on CentOS 5 via rpmforge. Is that not the correct software?

Or is using clamd for a speedup recommended, anyway? (I haven't ever used it with MS.)

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Mon Oct 6 13:48:19 2008
From: maillists at conactive.com (Kai Schaetzl)
Date: Mon Oct 6 13:48:53 2008
Subject: Improvements to install.sh ?
In-Reply-To: <48DE80F7.9020400@ecs.soton.ac.uk>
References: <48DE80F7.9020400@ecs.soton.ac.uk>
Message-ID:

Julian Field wrote on Sat, 27 Sep 2008 19:52:39 +0100:

> Today I have done some work on both the README and the QuickInstall.txt
> files, to bring them up to date and to simplify them.

Just yesterday, I read them before doing a new install of MS and wondered about "Red Hat 8.0". ;-)

> Also I have documented the "./install.sh fast" option, so people who
> read the docs know it exists, as it greatly speeds things up if you know
> what you're doing and don't need to read all the output.
>
> But what would people like to see improved in the actual installation
> script, install.sh?

An option to only install rpm's that are necessary for the respective OS. You could provide this for a short list of the most used OSes. e.g. a lot of the Perl modules you want to install are part of the main Perl on newer systems and conflict with them. This gives especially a hard time in case the system Perl gets updated (usually a security update). It can even lead to a case of a non-updatable Perl!

eg.

    install-sh --system rhel5

would only install

    rpm -ivh tnef*
    rpm -ivh mailscanner*

as *all* attached Perl modules are *not* necessary on that platform. They are either part of RHEL/CentOS 5 or can be installed via rpmforge.

(yum install perl-Convert-BinHex perl-Convert-TNEF perl-Convert-BinHex perl-Convert-TNEF perl-DBD-SQLite perl-Filesys-Df perl-IO-stringy perl-MIME-tools perl-Net-CIDR perl-OLE-Storage_Lite perl-Pod-Escapes perl-Pod-Simple perl-Test-Pod perl-Time-HiRes)

As for the setup actions in the mailscanner*.rpm itself, I wonder if it wouldn't be time to adjust it so it works for Postfix as well.
I've changed to Postfix on my new setups and followed the instructions on http://www.mailscanner.info/postfix.html and in MailScanner.conf
That worked right from the beginning and I think it shouldn't be difficult to do this via script or provide an alternative MailScanner.conf and provide the few filesystem actions with a script.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From ismail at ismailozatay.net Mon Oct 6 13:51:31 2008
From: ismail at ismailozatay.net (İsmail ÖZATAY)
Date: Mon Oct 6 13:55:27 2008
Subject: Archive rules
In-Reply-To:
References:
Message-ID: <48EA09D3.5050904@ismailozatay.net>

Hi all,

I want to archive inbound and/or outbound messages into maildir format on CentOS 5.2 server running sendmail and mailscanner. Is it possible ?

Thanks

Regards

ismail

From ms-list at alexb.ch Mon Oct 6 14:13:16 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Mon Oct 6 14:13:32 2008
Subject: clamavmodule not found
In-Reply-To:
References:
Message-ID: <48EA0EEC.2070205@alexb.ch>

On 10/6/2008 2:48 PM, Kai Schaetzl wrote:
> I want to use clamavmodule, but MS on a freshly installed setup doesn't
> find it:
> ClamAV Perl module not found, did you install it?
>
> I installed perl-ClamAV-Client.noarch 0:0.11-1.el5.rf on CentOS 5 via
> rpmforge. Is that not the correct software?

welcome to the daily headache!
On some machines (with a history) installing from Cpan isn't possible either. clamd saved me MANY hours of debugging.

> Or is using clamd for a speedup recommended, anyway? (I haven't ever used
> it with MS.)

I'm slowly deploying clamd and haven't noticed a speed disadvantage.. it uses way less RAM and you don't depend on the clamavmodule which has become a regular PITA.
Convinced me.

Alex

From raymond at prolocation.net Mon Oct 6 14:21:20 2008
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Mon Oct 6 14:21:28 2008
Subject: clamavmodule not found
In-Reply-To: <48EA0EEC.2070205@alexb.ch>
References: <48EA0EEC.2070205@alexb.ch>
Message-ID:

Hi!

> I'm slowly deploying clamd and haven't noticed a speed disadvantage.. it uses
> way less RAM and you don't depend on the clamavmodule which has become a
> regular PITA.
> Convinced me.

ClamD works faster here and the RAM saving is insane...
I would not think twice.

Bye,
Raymond.

From maillists at conactive.com Mon Oct 6 14:39:29 2008
From: maillists at conactive.com (Kai Schaetzl)
Date: Mon Oct 6 14:40:21 2008
Subject: Archive rules
In-Reply-To: <48EA09D3.5050904@ismailozatay.net>
References: <48EA09D3.5050904@ismailozatay.net>
Message-ID:

Please do not hijack other threads!

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Mon Oct 6 14:39:29 2008
From: maillists at conactive.com (Kai Schaetzl)
Date: Mon Oct 6 14:40:23 2008
Subject: clamavmodule not found
In-Reply-To:
References: <48EA0EEC.2070205@alexb.ch>
Message-ID:

Raymond Dijkxhoorn wrote on Mon, 6 Oct 2008 15:21:20 +0200 (CEST):

> ClamD works faster here and the RAM saving is insane...
> I would not think twice.

Thank you both for the quick answers, makes the decision easy :-)

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From vlad at univap.br Mon Oct 6 15:12:24 2008
From: vlad at univap.br (Vladimir M Costa)
Date: Mon Oct 6 15:12:23 2008
Subject: [Fwd: [Clamav-users] Sanesecurity Changes]
Message-ID: <48EA1CC8.5070209@univap.br>

FYI.
-------------- next part --------------
An embedded message was scrubbed...
From: "Steve Basford"
Subject: [Clamav-users] Sanesecurity Changes
Date: Mon, 6 Oct 2008 13:37:48 +0100 (BST)
Size: 3646
Url: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081006/5b083b73/Clamav-usersSanesecurityChanges.eml

From dstraka at caspercollege.edu Mon Oct 6 17:49:03 2008
From: dstraka at caspercollege.edu (Daniel Straka)
Date: Mon Oct 6 17:49:36 2008
Subject: Null Sender Question
Message-ID: <48E9ED1F.61A4.0000.0@caspercollege.edu>

I've got MailScanner configured to send a message to senders whose attached files are password-protected and were not delivered. The resulting, outgoing message from my system has a Null Sender "from=<>" and I believe many of the receiving systems will not deliver messages with a null sender. Where can I fix this so the messages come from a postmaster or user?

--
Dan Straka
Systems Coordinator
Casper College
307.268.2399
www.caspercollege.edu ( http://www.caspercollege.edu/ )

From alex at rtpty.com Mon Oct 6 17:58:39 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Mon Oct 6 17:59:04 2008
Subject: Null Sender Question
In-Reply-To: <48E9ED1F.61A4.0000.0@caspercollege.edu>
References: <48E9ED1F.61A4.0000.0@caspercollege.edu>
Message-ID:

I believe this is mta-dependent, so more info on that would help.

On Oct 6, 2008, at 11:49 AM, Daniel Straka wrote:

> Where can I fix this so the messages come from a postmaster or user?

From dstraka at caspercollege.edu Mon Oct 6 18:06:33 2008
From: dstraka at caspercollege.edu (Daniel Straka)
Date: Mon Oct 6 18:07:02 2008
Subject: Null Sender Question
In-Reply-To:
References: <48E9ED1F.61A4.0000.0@caspercollege.edu>
Message-ID: <48E9F139.61A4.0000.0@caspercollege.edu>

My MTA is sendmail v8.13.6

>>> On 10/6/2008 at 10:58 AM, in message , Alex Neuman van der Hans wrote:
> I believe this is mta-dependent, so more info on that would help.
>
> On Oct 6, 2008, at 11:49 AM, Daniel Straka wrote:
>
>> Where can I fix this so the messages come from a postmaster or user?

From roland at inbox4u.de Mon Oct 6 19:03:49 2008
From: roland at inbox4u.de (Ehle, Roland)
Date: Mon Oct 6 19:04:39 2008
Subject: AW: clamavmodule not found
In-Reply-To:
References:
Message-ID:

Kai,

there is a problem with the installation of the Mail::ClamAV perl module in conjunction with ClamAV 0.94. There was a posting in the list with the link to a bugfix. Please read Phil Randal's mail from 25.09.2008 with subject Mail::ClamAV patch for ClamAV 0.94.

Regards,
Roland

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Kai Schaetzl
> Sent: Monday, 6 October 2008 14:48
> To: mailscanner@lists.mailscanner.info
> Subject: clamavmodule not found
>
> I want to use clamavmodule, but MS on a freshly installed setup doesn't
> find it:
> ClamAV Perl module not found, did you install it?
>
> I installed perl-ClamAV-Client.noarch 0:0.11-1.el5.rf on CentOS 5 via
> rpmforge. Is that not the correct software?
>
> Or is using clamd for a speedup recommended, anyway? (I haven't ever
> used it with MS.)
>
> Kai
>
> --
> Kai Schätzl, Berlin, Germany
> Get your web at Conactive Internet Services: http://www.conactive.com

From alex at rtpty.com Mon Oct 6 19:22:35 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Mon Oct 6 19:22:49 2008
Subject: Archive rules
In-Reply-To: <48EA09D3.5050904@ismailozatay.net>
References: <48EA09D3.5050904@ismailozatay.net>
Message-ID: <23D02F31-30A6-4D47-B71D-620B7726B06E@rtpty.com>

Does it have to be maildir? I know you can do it using RFC822 files, but maildir... hmm...

On Oct 6, 2008, at 7:51 AM, İsmail ÖZATAY wrote:

> Hi all,
>
> I want to archive inbound and/or outbound messages into maildir
> format on CentOS 5.2 server running sendmail and mailscanner. Is it
> possible ?
>
> Thanks
>
> Regards
>
> ismail

From maillists at conactive.com Mon Oct 6 20:31:18 2008
From: maillists at conactive.com (Kai Schaetzl)
Date: Mon Oct 6 20:31:53 2008
Subject: Null Sender Question
In-Reply-To: <48E9ED1F.61A4.0000.0@caspercollege.edu>
References: <48E9ED1F.61A4.0000.0@caspercollege.edu>
Message-ID:

Daniel Straka wrote on Mon, 06 Oct 2008 10:49:03 -0600:

> I believe many of the receiving systems will not deliver messages
> with a null sender.

It's perfectly ok. It's actually required by RFC to accept these messages.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Mon Oct 6 20:31:18 2008
From: maillists at conactive.com (Kai Schaetzl)
Date: Mon Oct 6 20:31:53 2008
Subject: clamavmodule not found
In-Reply-To:
References:
Message-ID:

Roland Ehle wrote on Mon, 6 Oct 2008 20:03:49 +0200:

> there is a problem with the installation of the Mail::ClamAV perl
> module in conjunction with ClamAV 0.94. There was a posting in the
> list with the link to a bugfix. Please read Phil Randal's mail from
> 25.09.2008 with subject Mail::ClamAV patch for ClamAV 0.94.

Thanks for the info, but I have decided to use clamd. Was installed and running on my preconfigured VM, anyway, had just forgotten about it ;-)

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From ismail at ismailozatay.net Mon Oct 6 20:34:17 2008
From: ismail at ismailozatay.net (İsmail ÖZATAY)
Date: Mon Oct 6 20:34:24 2008
Subject: Archive rules
In-Reply-To: <23D02F31-30A6-4D47-B71D-620B7726B06E@rtpty.com>
References: <48EA09D3.5050904@ismailozatay.net> <23D02F31-30A6-4D47-B71D-620B7726B06E@rtpty.com>
Message-ID: <48EA6839.2080105@ismailozatay.net>

Alex Neuman van der Hans wrote:
> Does it have to be maildir? I know you can do it using RFC822 files,
> but maildir... hmm...
>
> On Oct 6, 2008, at 7:51 AM, İsmail ÖZATAY wrote:
>
>> Hi all,
>>
>> I want to archive inbound and/or outbound messages into maildir
>> format on CentOS 5.2 server running sendmail and mailscanner. Is it
>> possible ?
>>
>> Thanks
>>
>> Regards
>>
>> ismail

MailScanner running as a gateway. Actually i am using qmail background so i want mailscanner to put archive mails into maildir format. Because if there is a failure i want to restore them as soon as quick.

Regards

ismail

From roland at inbox4u.de Mon Oct 6 20:34:18 2008
From: roland at inbox4u.de (Ehle, Roland)
Date: Mon Oct 6 20:52:33 2008
Subject: AW: Null Sender Question
In-Reply-To: <48E9ED1F.61A4.0000.0@caspercollege.edu>
References: <48E9ED1F.61A4.0000.0@caspercollege.edu>
Message-ID:

Hi Dan,

MailScanner does not use a Null sender, but usually MailScanner, or whatever you defined as "Notices From =" in your MailScanner.conf. Null sender replies are usually created by the MTA like postfix or sendmail.

Regards,
Roland

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Daniel Straka
> Sent: Monday, 6 October 2008 18:49
> To: mailscanner@lists.mailscanner.info
> Subject: Null Sender Question
>
> I've got MailScanner configured to send a message to senders whose
> attached files are password-protected and were not delivered. The
> resulting, outgoing message from my system has a Null Sender "from=<>"
> and I believe many of the receiving systems will not deliver messages
> with a null sender. Where can I fix this so the messages come from a
> postmaster or user?
> --
>
> Dan Straka
> Systems Coordinator
> Casper College
> 307.268.2399
> www.caspercollege.edu ( http://www.caspercollege.edu/ )

From sbanderson at impromed.com Mon Oct 6 21:39:45 2008
From: sbanderson at impromed.com (Scott B. Anderson)
Date: Mon Oct 6 21:41:50 2008
Subject: Null Sender Question
In-Reply-To:
References: <48E9ED1F.61A4.0000.0@caspercollege.edu>
Message-ID: <4B16C177313C70448BFF4C80789335B3092F8E6A7A@ES1.impromed.com>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Kai Schaetzl
> Sent: Monday, October 06, 2008 2:31 PM
> To: mailscanner@lists.mailscanner.info
> Subject: Re: Null Sender Question
>
> Daniel Straka wrote on Mon, 06 Oct 2008 10:49:03 -0600:
>
> > I believe many of the receiving systems will not deliver messages
> > with a null sender.
>
> It's perfectly ok. It's actually required by RFC to accept these
> messages.
>
> Kai
>
> --
> Kai Schätzl, Berlin, Germany
> Get your web at Conactive Internet Services: http://www.conactive.com
>

Yes, but many, MANY of us Violate the old RFC standard, and the new ones recognize the need to reject email that otherwise passes the old RFC standard as valid email.

To support my position, note the following:

RFC 5321 supersedes RFC1123 where necessary.

RFC 5321 includes the following text:

" It also includes some additional material from RFC 1123 that required amplification. This material has been identified in multiple ways, mostly by tracking flaming on various lists and newsgroups and problems of unusual readings or interpretations that have appeared as the SMTP extensions have been deployed. Where this specification moves beyond consolidation and actually differs from earlier documents, it supersedes them technically as well as textually."

Changes from RFC 2821 to RFC 5321

This was added as section 7.8:

"7.8. Resistance to Attacks

In recent years, there has been an increase of attacks on SMTP servers, either in conjunction with attempts to discover addresses for sending unsolicited messages or simply to make the servers inaccessible to others (i.e., as an application-level denial of service attack). While the means of doing so are beyond the scope of this Standard, rational operational behavior requires that servers be permitted to detect such attacks and take action to defend themselves.
For example, if a server determines that a large number of RCPT TO commands are being sent, most or all with invalid addresses, as part of such an attack, it would be reasonable for the server to close the connection after generating an appropriate number of 5yz (normally 550) replies." I would suspect that in turn, a large number of MAIL FROM:<> would also fall under this section of RFC 5321. This list has debated this point before and I know at least one of us simply rejects email with a null sender via sendmail. In the past we agreed it was a direct violation of RFC1123, now it appears there is some discretion under applicable RFCs. (I changed my rejection notice on NULL sender in proto.m4 earlier today. ;-> ) Scott Anderson sbanderson@impromed.com From maillists at conactive.com Mon Oct 6 23:31:16 2008 
From: maillists at conactive.com (Kai Schaetzl)
Date: Mon Oct 6 23:31:49 2008
Subject: Null Sender Question
In-Reply-To: <4B16C177313C70448BFF4C80789335B3092F8E6A7A@ES1.impromed.com>
References: <48E9ED1F.61A4.0000.0@caspercollege.edu> <4B16C177313C70448BFF4C80789335B3092F8E6A7A@ES1.impromed.com>
Message-ID:

Scott B. Anderson wrote on Mon, 6 Oct 2008 15:39:45 -0500:

> Yes, but many, MANY of us Violate the old RFC standard, and the new
> ones recognize the need to reject email that otherwise passes the
> old RFC standard as valid email.

You misunderstand 5321 completely, if you read it that way.

> I would suspect that in turn, a large number of MAIL FROM:<>
> would also fall under this section of RFC 5321.

No, not at all. See, there is a difference between outright rejecting mail with <> senders (because of a <> sender) and rejecting mail that is unwanted and that bears "accidentally" a <> sender. It was *never* meant to require you to accept each and every mail from a <> sender even if your system thinks it's spam or harmful.

> This list has debated this point before and I know at least one of
> us simply rejects email with a null sender via sendmail.

Well, that's his problem. If he doesn't have many customers, that might be ok for him. My customers would ask me why they don't get any bounce notices anymore when they send to wrongly typed addresses etc. Accepting <> senders doesn't add anything to spam influx if you have a good anti-spam system in place.

> In the past
> we agreed it was a direct violation of RFC1123, now it appears there
> is some discretion under applicable RFCs.

Not at all. 5322 clearly requires the use of <> senders for DSNs and 1123 still applies.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From ssilva at sgvwater.com Tue Oct 7 00:50:52 2008
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Oct 7 00:51:12 2008 Subject: clamavmodule not found In-Reply-To: References: Message-ID: on 10-6-2008 5:48 AM Kai Schaetzl spake the following: > I want to use clamavmodule, but MS on a freshly installed setup doesn't > find it: > ClamAV Perl module not found, did you install it? > > I installed perl-ClamAV-Client.noarch 0:0.11-1.el5.rf on CentOS 5 via > rpmforge. Is that not the correct software? > > Or is using clamd for a speedup recommended, anyway? (I haven't ever used > it with MS.) > > Kai > perl-Mail-ClamAV -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081006/7bfb844b/signature.bin From ajcartmell at fonant.com Tue Oct 7 13:26:25 2008 
From: ajcartmell at fonant.com (Anthony Cartmell) Date: Tue Oct 7 13:26:39 2008 Subject: Multiple confusions on my part. In-Reply-To: <48E4A14B.1030706@qustodium.net> References: <48DCF72B.90903@ecs.soton.ac.uk> <48DD0C27.9070301@cnpapers.com> <48DD4782.8030002@cnpapers.com> <1222559122.48dec592b7178@perdition.cnpapers.net> <48E4A14B.1030706@qustodium.net> Message-ID: > Would you be willing to share your code with the list, or perhaps put it > on the Wiki? This seems like a great idea and a very valuable addition, > not only to underline the work that MailScanner does, but also to make > it easier for the end-user to sift through the quarantined items. Sorry for the delay, I've now added my modified version of quarantine_reports.php to the Wiki: http://wiki.mailscanner.info/doku.php?id=documentation:related_software:management:mailwatch:tips:quarantine_reports I hope this helps someone - any improvements or comments welcome :) Cheers! Anthony -- www.fonant.com - Quality web sites From jonas at vrt.dk Tue Oct 7 13:46:47 2008 
From: jonas at vrt.dk (Jonas Akrouh Larsen)
Date: Tue Oct 7 13:46:59 2008
Subject: Installer comments
Message-ID: <003801c9287a$c299f2c0$47cdd840$@dk>

Hi Julian

Recently I think you asked for comments suggestions for the installer. At the time nothing occurred to me, as it generally works very well.

However after upgrading to newest spamassassin + MailScanner some things stood out which could be improved.

The following are for those of us using the tarball way to install (I run debian and their packages are oooold)

When I install I do the following things manually every time I have to upgrade MailScanner:

1: Copy over the old report text files so the users get our customized texts.

It would be super if the installer could do this for you somehow, basically ask if it should look for the old directory and copy over old files somehow.

This is also true for the old configuration. I assume that most people who upgrade will want to run the upgrade_conf script on their old configuration to create an up2date configuration file.

This could also (in a simple way I think) be done by the installer.

Basically what I imagine is that (either by default or by passing the installer an option) the installer asks the user:

What is the path to the old mailscanner install?

Do you want to upgrade the old configuration?

Do you want to keep your report/msg texts?

I'm not sure if there could be more points, but its possible. The ones I have outlined are the ones I would like to have automated.

2: It's more or less the same as the above points, so as for the reports/text issues. The same goes for rulesets. Every time I upgrade I have to manually copy the rulesets I use to the new directory for the paths in the configuration to be valid.

I guess this could be solved by placing them outside the mailscanner directory, but that sort of breaks the intended installation "style" if you know what I mean. I'd like your thought on this one as maybe I'm doing it the wrong way.

Anyway that's about it, to sum it up: I would love for the installer to be more umm assisting in upgrade, by asking the user questions about his old install and then offering to do some of the tasks involved in upgrading for him.

I hope the above is comprehensible (English isn't my native language). Let me know if I have been unclear on some of the points.

Thanks again for providing this brilliant piece of software.

Med venlig hilsen / Best regards

Jonas Akrouh Larsen
TechBiz ApS
Laplandsgade 4, 2. sal
2300 København S
Office: 7020 0979
Direct: 3336 9974
Mobile: 5120 1096
Fax: 7020 0978
Web: www.techbiz.dk

From nik_muhyyiddin at hotmail.com Tue Oct 7 15:05:24 2008
From: nik_muhyyiddin at hotmail.com (Nik Muhammed Nik Karuddin)
Date: Tue Oct 7 15:07:01 2008
Subject: Update relay recipients
Message-ID:

Guys,

I would like to do php script through mailwatch by updating relay recipients from AD, but not working..anybody expert please help.

$output"; html_end(); ?>

Thanks
Nik

From maillists at conactive.com Tue Oct 7 17:00:20 2008
From: maillists at conactive.com (Kai Schaetzl) Date: Tue Oct 7 17:00:57 2008 Subject: Update relay recipients In-Reply-To: References: Message-ID: Nik Muhammed Nik Karuddin wrote on Tue, 7 Oct 2008 22:05:24 +0800: > like to do php script through mailwatch by updating relay recipients from AD, > but not working..anybody expert please help. I won't be able to help you on LDAP, but looking at the information you give I doubt that anybody will be able to help you unless there's a very obvious flaw in your code. You do not say *anything* about what happens if you run the script. "not working" is a *really* bad description of a problem. Does running this script update-relay-recipients.sh work? Kai -- Kai Sch?tzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From maillists at conactive.com Tue Oct 7 17:00:20 2008 From: maillists at conactive.com (Kai Schaetzl) Date: Tue Oct 7 17:00:57 2008 Subject: Installer comments In-Reply-To: <003801c9287a$c299f2c0$47cdd840$@dk> References: <003801c9287a$c299f2c0$47cdd840$@dk> Message-ID: Jonas Akrouh Larsen wrote on Tue, 7 Oct 2008 14:46:47 +0200: > 2: It?s more or less the same as the above points, so as for the > reports/text issues. The same goes for rulesets. Every time I upgrade I have > to manually copy the rulesets I use to the new directory for the paths in > the configuration to be valid. which rulesets (MailScanner ones?), which "new" directory? I haven't done an upgrade for a while but I don't remember that it replaced my MS rulesets. I don't remember what happened with the reports. Do you always install to a different directory when upgrading? I've never done this. Do you use the tar.gz version? I don't think the rpm version even allows changing paths. Kai -- Kai Sch?tzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From alex at rtpty.com Tue Oct 7 17:11:46 2008 
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Tue Oct 7 17:11:59 2008 Subject: Update relay recipients In-Reply-To: References: Message-ID: <8D2FA5C6-EEE9-4769-AB1B-F870B874AC30@rtpty.com> On Oct 7, 2008, at 11:00 AM, Kai Schaetzl wrote: > "not working" is a *really* bad description of a problem. ... which most of us on the list hear X times a day! ;-) From ssilva at sgvwater.com Tue Oct 7 17:18:22 2008 
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Oct 7 17:18:53 2008 Subject: Installer comments In-Reply-To: <003801c9287a$c299f2c0$47cdd840$@dk> References: <003801c9287a$c299f2c0$47cdd840$@dk> Message-ID: on 10-7-2008 5:46 AM Jonas Akrouh Larsen spake the following: > Hi Julian > > > > Recently I think you asked for comments suggestions for the installer. > At the time nothing occurred to me, as it generally works very well. > > > > However after upgrading to newest spamassassin + MailScanner some things > stood out which could be improved. > > > > The following are for those of us using the tarball way to install (I > run debian and their packages are oooold) Backports has some newer packages > > > > When I install I do the following things manually every time I have to > upgrade MailScanner: > > > > 1: Copy over the old report text files so the users get our customized > texts. > I doubt that Julian would automate this as there are too many variables. You could probably script this yourself easier for your system. > It would be super if the installer could do this for you somehow, > basically ask if it should look for the old directory and copy over old > files somehow. > > This is also true for the old configuration. I assume that most people > who upgrade will want to run the upgrade_conf script on their old > configuration to create an up2date configuration file. > > This could also (in a simple way I think) be done by the installer. > This is also debatable, as some people with heavily commented conf files do not run the upgrade_mailscanner_conf script because it removes all their comments, but run a diff and fix it themselves. > > > Basically what I imagine is that (either by default or by passing the > installer an option) he installer asks the user: > > What is the path to the old mailscanner install? > > Do you want to upgrade the old configuration? > > Do you want to keep you report/msg texts? 
> >
> > I'm not sure if there could be more points, but its possible. The ones I
> > have outlined are the ones I would like to have automated.
> >

I can't speak for Julian, but if you submit a diff to the install script, Julian *might* consider it, since he usually seems open to at least LOOK at proposed patches.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From nik_muhyyiddin at hotmail.com Tue Oct 7 18:17:04 2008
From: nik_muhyyiddin at hotmail.com (Nik Muhammed Nik Karuddin)
Date: Tue Oct 7 18:17:15 2008
Subject: Update relay recipients
In-Reply-To:
References:
Message-ID:

Using the Ubuntu, It's working fine with cron schedule..and manually execute through command line, this is from apache log

CANNOT OPEN /etc/postfix/users_recipients Permission denied at /usr/bin/getadsmtp.pl line 127, line 439.
/usr/bin/update-relay-recipients.sh: line 3: postmap: command not found
/etc/lsb-base-logging.sh: line 22: /dev/console: Permission denied
/etc/lsb-base-logging.sh: line 22: /dev/console: Permission denied

emm...

Thanks for reply

-nik

> Date: Tue, 7 Oct 2008 18:00:20 +0200
> To: mailscanner@lists.mailscanner.info
> From: maillists@conactive.com
> Subject: Re: Update relay recipients
>
> Nik Muhammed Nik Karuddin wrote on Tue, 7 Oct 2008 22:05:24 +0800:
>
> > like to do php script through mailwatch by updating relay recipients from AD,
> > but not working..anybody expert please help.
>
> I won't be able to help you on LDAP, but looking at the information you give I
> doubt that anybody will be able to help you unless there's a very obvious flaw
> in your code. You do not say *anything* about what happens if you run the
> script. "not working" is a *really* bad description of a problem.
> Does running this script update-relay-recipients.sh work?
>
> Kai
>
> --
> Kai Schätzl, Berlin, Germany
> Get your web at Conactive Internet Services: http://www.conactive.com

From ajcartmell at fonant.com Tue Oct 7 18:21:00 2008
From: ajcartmell at fonant.com (Anthony Cartmell) Date: Tue Oct 7 18:21:16 2008 Subject: Migrate system: amavisd-new to mailscanner? Message-ID: Hi folks, I'm, currently, for my sins, helping www.ippimail.com to keep their systems going. They are running old versions of Postfix with amavsid-new and clamd, which seems to work OK, but I'd be more comfortable with MailScanner than amavisd-new. I use MailScanner with sendmail on my own servers, but Ippimail has usernames in a database (used for other things too), and I don't know how to get sendmail to use MySQL database for authentication. Is this possible? Also his usernames contain "@" which sendmail can't handle AFAIK. Also some users have mail accounts in the form name@username.ippimail.com, just to add to the confusion. So perhaps Postfix plus MailScanner might be OK? This would mean I could leave Postfix set up as it is, but replace amavisd-new with MailScanner, probably a simpler task? Current OS is Fedora 5 (!) but they plan to move to CentOS soon. Any advice on best options? Cheers! Anthony -- www.fonant.com - Quality web sites From mailbag at partnersolutions.ca Tue Oct 7 18:33:06 2008 
From: mailbag at partnersolutions.ca (PSI Mailbag)
Date: Tue Oct 7 18:33:19 2008
Subject: Update relay recipients
In-Reply-To:
References:
Message-ID: <120EBC42C8319846842A4A49B3D5566BBDD2A0@psims003.pshosting.intranet>

> Using the Ubuntu, Its working fine with cron schedule..and manually execute through command line, this is from apache log
>
> CANNOT OPEN /etc/postfix/users_recipients Permission denied at /usr/bin/getadsmtp.pl line 127, line 439.
> /usr/bin/update-relay-recipients.sh: line 3: postmap: command not found
> /etc/lsb-base-logging.sh: line 22: /dev/console: Permission denied
> /etc/lsb-base-logging.sh: line 22: /dev/console: Permission denied

It's because any process that you call from your web server will run as that specific user, typically "nobody" or "apache", depending on your distribution. You will have to either give your web server access to modify/update the files you want, or set the script to run either SUID or SGID as a user that has the proper access. However, pay attention to which method you decide to take, as both of them could potentially compromise the security of your server (depending on your code quality and other factors).

Personally, you should just leave it to your crontab to run the task at the appropriate interval. In my case, I export the data from a domain server and upload it to my filter server. The filter then just parses out the data that was uploaded to it. It's a lot safer than giving your filter direct access to your Active Directory in any manner. (IMHO).

Cheers,
-Joshua

From campbell at cnpapers.com Tue Oct 7 19:22:15 2008
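The pattern Joshua describes above (cron does the update, and the filter only parses a list that was uploaded to it, so the web server never writes under /etc/postfix) could look like the following. This is an added example, not code from the thread: the function names, the POSTMAP variable and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: cron-side importer for an uploaded recipient list.
# Usage (paths are hypothetical):
#   import-recipients.sh /var/spool/adexport/recipients.txt /etc/postfix/relay_recipients 50

# The Apache log in the thread shows "postmap: command not found": the
# caller's PATH had no /usr/sbin. Set PATH explicitly instead of inheriting it.
PATH=/usr/sbin:/usr/bin:/sbin:/bin
export PATH

# Command used to rebuild the lookup table (assumption: overridable for dry runs).
POSTMAP=${POSTMAP:-postmap}

# Print "address OK" for every line of $1 that is exactly one plausible
# address. Anything else (spaces, shell metacharacters, empty local part)
# is dropped, so the uploaded file is treated as untrusted data.
filter_recipients() {
    tr -d '\r' < "$1" | LC_ALL=C awk '
        /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]+$/ {
            addr = tolower($0)
            if (!(addr in seen)) { seen[addr] = 1; print addr " OK" }
        }'
}

# build_map SRC DST [MIN]
# Writes the filtered list to a temporary file beside DST and renames it
# into place, so Postfix never reads a half-written map.
# Prints the number of entries; returns 2 if fewer than MIN survive.
build_map() {
    src=$1
    dst=$2
    min=${3:-1}
    tmp=$(mktemp "${dst}.XXXXXX") || return 1
    filter_recipients "$src" > "$tmp"
    count=$(wc -l < "$tmp" | tr -d ' ')
    if [ "$count" -lt "$min" ]; then
        # An empty or truncated upload must not wipe the live map,
        # which would make the MTA reject mail for every real user.
        rm -f "$tmp"
        return 2
    fi
    chmod 644 "$tmp"      # mktemp creates 0600; the MTA must be able to read it
    if ! mv -f "$tmp" "$dst"; then
        rm -f "$tmp"
        return 1
    fi
    # Rebuild the indexed table only where the tool is actually installed.
    if command -v "$POSTMAP" >/dev/null 2>&1; then
        "$POSTMAP" "$dst" || return 3
    fi
    echo "$count"
}

# Run directly when called with arguments, e.g. from a crontab entry.
if [ "$#" -ge 2 ]; then
    build_map "$@"
fi
```

Run this way, the web interface needs no write access to the Postfix configuration and nothing has to be SUID or SGID; only the cron user's account can replace the map.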
From: campbell at cnpapers.com (Steve Campbell) Date: Tue Oct 7 19:22:48 2008 Subject: Update relay recipients In-Reply-To: <8D2FA5C6-EEE9-4769-AB1B-F870B874AC30@rtpty.com> References: <8D2FA5C6-EEE9-4769-AB1B-F870B874AC30@rtpty.com> Message-ID: <48EBA8D7.8080302@cnpapers.com> Alex Neuman van der Hans wrote: > > On Oct 7, 2008, at 11:00 AM, Kai Schaetzl wrote: > >> "not working" is a *really* bad description of a problem. > > ... which most of us on the list hear X times a day! ;-) I have trained most of my users to use the more descriptive terms "It's broke" or "It's got a bug" :-) Steve From alex at rtpty.com Tue Oct 7 19:54:46 2008 From: alex at rtpty.com (Alex Neuman van der Hans) Date: Tue Oct 7 19:55:01 2008 Subject: Update relay recipients In-Reply-To: <48EBA8D7.8080302@cnpapers.com> References: <8D2FA5C6-EEE9-4769-AB1B-F870B874AC30@rtpty.com> <48EBA8D7.8080302@cnpapers.com> Message-ID: <3EE6012B-CB03-4220-9076-4972162877B4@rtpty.com> On Oct 7, 2008, at 1:22 PM, Steve Campbell wrote: > I have trained most of my users to use the more descriptive terms > "It's broke" or "It's got a bug" :-) Q: "Can you please tell me what the error message is?" A: "I saw a box that said something something your first born child something something your eternal soul something or other, but I clicked ok... Wait, there's someone at the door waving a contract..." From glenn.steen at gmail.com Tue Oct 7 20:10:43 2008 
From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Oct 7 20:10:53 2008 Subject: Migrate system: amavisd-new to mailscanner? In-Reply-To: References: Message-ID: <223f97700810071210q5784317bo74558f1c8a8a5157@mail.gmail.com> 2008/10/7 Anthony Cartmell : > Hi folks, > > I'm, currently, for my sins, helping www.ippimail.com to keep their systems > going. > > They are running old versions of Postfix with amavsid-new and clamd, which > seems to work OK, but I'd be more comfortable with MailScanner than > amavisd-new. > > I use MailScanner with sendmail on my own servers, but Ippimail has > usernames in a database (used for other things too), and I don't know how to > get sendmail to use MySQL database for authentication. Is this possible? > Also his usernames contain "@" which sendmail can't handle AFAIK. Also some > users have mail accounts in the form name@username.ippimail.com, just to add > to the confusion. > > So perhaps Postfix plus MailScanner might be OK? This would mean I could > leave Postfix set up as it is, but replace amavisd-new with MailScanner, > probably a simpler task? Not exactly "as is", but definitely doable. Easiest would be to "sidegrade" to another machine, where you setup with MS from the outset, but that would be utopian, I suspect:-). Do read the setup instructions (both on the website and in the wiki) very carefully... When using PF, you'll likely be running as an unprivileged user, so all concerning that has to be exactly right... I'd work on a copy of /etc/postfix, so that when the big bang moment arrives... I could switch between the two with a few mv operations. It's been quite a few years since last I touched an amavisd (of any kind... I'm a happy MS customer:-), but you might need take it offline when installing MS, if the MS install messes up any "common" perl modules. > Current OS is Fedora 5 (!) but they plan to move to CentOS soon. Ew. > Any advice on best options? > > Cheers! 
> > Anthony Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From nwp at nz.lemon-computing.com Tue Oct 7 21:56:47 2008 From: nwp at nz.lemon-computing.com (Nick Phillips) Date: Tue Oct 7 21:57:01 2008 Subject: Installer comments In-Reply-To: References: <003801c9287a$c299f2c0$47cdd840$@dk> Message-ID: On 8/10/2008, at 5:18 AM, Scott Silva wrote: >> The following are for those of us using the tarball way to install (I >> run debian and their packages are oooold) > > Backports has some newer packages I'm trying to get to the point that I can help keep these up-to-date. Really, mailscanner should be in the Debian "Volatile" archive, I think. But before I can do this right, I need to get an autobuilder set up, and that is proving "interesting". Cheers, Nick From mailadmin at midland-ics.ie Wed Oct 8 09:59:13 2008 From: mailadmin at midland-ics.ie (Mail Admin) Date: Wed Oct 8 09:59:32 2008 Subject: How to prevent these Message-ID: <006701c92924$2374abe0$6a5e03a0$@ie> Hi all Am getting loads of these mails, with subject ???????? ??? What language is this, ? and why is MS /SA not picking it up? Thanks for any pointers This e-mail is intended solely for the addressee(s) and is strictly confidential. The unauthorised use, disclosure or copying of this e-mail, or any information it contains is prohibited. If you have received this e-mail in error, please notify us immediately and then permanently delete it. Although Midland Internet & Computer Solutions make every effort to keep our systems free from viruses you should check this e-mail and any attachments to it for viruses as we cannot accept any liability for viruses inadvertently transmitted by use. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081008/a995c389/attachment.html From martinh at solidstatelogic.com Wed Oct 8 10:08:37 2008 
From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Wed Oct 8 10:08:47 2008 Subject: How to prevent these In-Reply-To: <006701c92924$2374abe0$6a5e03a0$@ie> Message-ID: <0266c0cd65f08d4c912582fad4d87f85@solidstatelogic.com> Hi Put the full email (headers and all) on a pastebin/web page and we can help... -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Mail Admin > Sent: 08 October 2008 09:59 > To: MailScanner discussion > Subject: How to prevent these > > Hi all > > > > Am getting loads of these mails, with subject ???????? ??? > > What language is this, ? and why is MS /SA not picking it up? > > > > Thanks for any pointers > > This e-mail is intended solely for the addressee(s) and is > strictly confidential. The unauthorised use, disclosure or > copying of this e-mail, or any information it contains is > prohibited. If you have received this e-mail in error, please > notify us immediately and then permanently delete it. > Although we make every effort to keep our systems free from > viruses, you should check this e-mail and any attachments to > it for viruses as we cannot accept any liability for viruses > inadvertently transmitted by use. > > ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. 
Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From martinh at solidstatelogic.com Wed Oct 8 10:20:59 2008 
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Wed Oct 8 10:21:12 2008
Subject: Brazilian William out of office again
Message-ID: <14a75928360962478c5d601da226da03@solidstatelogic.com>

Jules

Can we try and track down william@observi.com.br and get him off the list. His OoO responder is still broke.

ta

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From ben.tisdall at photobox.com Wed Oct 8 10:39:00 2008
From: ben.tisdall at photobox.com (Ben Tisdall) Date: Wed Oct 8 10:39:11 2008 Subject: Recommendations for secondary virus scanner Message-ID: <48EC7FB4.1050806@photobox.com> Hi esteemed listers, I would like to install a second av scanner on our MS system (currently using clamd). * It doesn't have to be free as in beer, but FOSS haters like Trend not welcome. * Reasonable cost if not free as in beer. * Low overhead. Looking forward to your recommendations. Best regards, Ben. -- Ben Tisdall Linux Systems Administrator | www.photobox.com From ajcartmell at fonant.com Wed Oct 8 10:47:42 2008 From: ajcartmell at fonant.com (Anthony Cartmell) Date: Wed Oct 8 10:47:54 2008 Subject: Migrate system: amavisd-new to mailscanner? In-Reply-To: <223f97700810071210q5784317bo74558f1c8a8a5157@mail.gmail.com> References: <223f97700810071210q5784317bo74558f1c8a8a5157@mail.gmail.com> Message-ID: >> So perhaps Postfix plus MailScanner might be OK? This would mean I could >> leave Postfix set up as it is, but replace amavisd-new with MailScanner, >> probably a simpler task? > Not exactly "as is", but definitely doable. > Easiest would be to "sidegrade" to another machine, where you setup > with MS from the outset, but that would be utopian, I suspect:-). Might be possible, as a server hardware change is on offer. I think I'm correct in saying that MailScanner is much better than amavisd-new? > Do read the setup instructions (both on the website and in the wiki) > very carefully... When using PF, you'll likely be running as an > unprivileged user, so all concerning that has to be exactly right... Good tip, thank you. Do we have a feeling for which MTAs people are mostly using with MailScanner? Is it mainly sendmail, or a random mix of all of them? >> Current OS is Fedora 5 (!) but they plan to move to CentOS soon. > Ew. Yeah! Anthony -- www.fonant.com - Quality web sites From martinh at solidstatelogic.com Wed Oct 8 10:54:11 2008 
From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Wed Oct 8 10:54:22 2008 Subject: Migrate system: amavisd-new to mailscanner? In-Reply-To: Message-ID: > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Anthony Cartmell
> Sent: 08 October 2008 10:48
> To: MailScanner discussion
> Subject: Re: Migrate system: amavisd-new to mailscanner?
>
> >> So perhaps Postfix plus MailScanner might be OK? This would mean I
> >> could leave Postfix set up as it is, but replace amavisd-new with
> >> MailScanner, probably a simpler task?
> > Not exactly "as is", but definitely doable.
> > Easiest would be to "sidegrade" to another machine, where you setup
> > with MS from the outset, but that would be utopian, I suspect:-).
>
> Might be possible, as a server hardware change is on offer.
>
> I think I'm correct in saying that MailScanner is much better
> than amavisd-new?
>

Nice alternative....setup is easier in mailscanner IMHO as you don't have to learn a setup language.

> > Do read the setup instructions (both on the website and in the wiki)
> > very carefully... When using PF, you'll likely be running as an
> > unprivileged user, so all concerning that has to be exactly right...
>
> Good tip, thank you.
>
> Do we have a feeling for which MTAs people are mostly using
> with MailScanner? Is it mainly sendmail, or a random mix of
> all of them?
>

Random mix...;-)

> >> Current OS is Fedora 5 (!) but they plan to move to CentOS soon.
> > Ew.
>
> Yeah!
>
> Anthony

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From ben.tisdall at photobox.com Wed Oct 8 11:09:48 2008
From: ben.tisdall at photobox.com (Ben Tisdall)
Date: Wed Oct 8 11:09:59 2008
Subject: Migrate system: amavisd-new to mailscanner?
In-Reply-To:
References: <223f97700810071210q5784317bo74558f1c8a8a5157@mail.gmail.com>
Message-ID: <48EC86EC.7080100@photobox.com>

Anthony Cartmell wrote:
>
> I think I'm correct in saying that MailScanner is much better than
> amavisd-new?
>

A big win is that you can use mailwatch with MS. The analogue for amavisd-new is Maia Mailguard, but I was always put off by the fact that it uses a forked version of amavisd-new.

I inherited a MS/exim setup here & was very impressed with the combination. I have since migrated the setup to new hardware in a new dc.

Let's also not forget that MS enjoys a level of developer support that is so good it borders on insane :)

Best regards,

Ben.

--
Ben Tisdall
Linux Systems Administrator | www.photobox.com

From ms-list at alexb.ch Wed Oct 8 11:28:06 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Wed Oct 8 11:28:21 2008
Subject: Recommendations for secondary virus scanner
In-Reply-To: <48EC7FB4.1050806@photobox.com>
References: <48EC7FB4.1050806@photobox.com>
Message-ID: <48EC8B36.3010206@alexb.ch>

On 10/8/2008 11:39 AM, Ben Tisdall wrote:
> Hi esteemed listers,
>
> I would like to install a second av scanner on our MS system (currently
> using clamd).
>
> * It doesn't have to be free as in beer, but FOSS haters like Trend not
> welcome.
> * Reasonable cost if not free as in beer.
> * Low overhead.
>
> Looking forward to your recommendations.

F-Prot = fast, affordable, atm: good detection rates.
GData & Avira are doing very well as well - you'll have to check pricing.

My favourite, Nod32/Eset has lost MANY rating points. Atm, very slow in delivering updated signatures and lost generic detection "talent".

Alex

From alex at rtpty.com Wed Oct 8 13:24:37 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Wed Oct 8 13:24:51 2008
Subject: How to prevent these
In-Reply-To: <006701c92924$2374abe0$6a5e03a0$@ie>
References: <006701c92924$2374abe0$6a5e03a0$@ie>
Message-ID: <84ABE3BA-2117-4660-9F71-BEB842BB16EA@rtpty.com>

You can probably search the list for "russian spam" and find some pointers on how to detect it better.

On Oct 8, 2008, at 3:59 AM, Mail Admin wrote:

> ???????? ???

From ben.tisdall at photobox.com Wed Oct 8 13:50:07 2008
From: ben.tisdall at photobox.com (Ben Tisdall)
Date: Wed Oct 8 13:50:29 2008
Subject: Recommendations for secondary virus scanner
In-Reply-To: <48EC8B36.3010206@alexb.ch>
References: <48EC7FB4.1050806@photobox.com> <48EC8B36.3010206@alexb.ch>
Message-ID: <48ECAC7F.4000301@photobox.com>

Alex Broens wrote:
>
> F-Prot = fast, affordable, atm: good detection rates.
> GData & Avira are doing very well as well - you'll have to check pricing.
>

Thanks Alex.

Ben.

--
Ben Tisdall
Linux Systems Administrator | www.photobox.com

From Chris.Russell at knowledgeit.co.uk Wed Oct 8 14:58:56 2008
From: Chris.Russell at knowledgeit.co.uk (Chris Russell)
Date: Wed Oct 8 15:00:40 2008
Subject: Recommendations for secondary virus scanner
References: <48EC7FB4.1050806@photobox.com> <48EC8B36.3010206@alexb.ch> <48ECAC7F.4000301@photobox.com>
Message-ID: <1638CDD827D51E4D8E9B2741290E1C91BF53C0@wkits02.knowledgeit.co.uk>

> F-Prot = fast, affordable, atm: good detection rates.
> GData & Avira are doing very well as well - you'll have to check pricing.

Kaspersky. Very high detection rates, much better updates than things like Trend. Integrates pretty well. Pretty Reasonable too.

Cheers

Chris

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/ms-tnef
Size: 3472 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081008/69a7b7bc/attachment.bin

From mailadmin at midland-ics.ie Wed Oct 8 15:02:49 2008
From: mailadmin at midland-ics.ie (Mail Admin)
Date: Wed Oct 8 15:03:11 2008
Subject: How to prevent these
In-Reply-To: <0266c0cd65f08d4c912582fad4d87f85@solidstatelogic.com>
References: <006701c92924$2374abe0$6a5e03a0$@ie> <0266c0cd65f08d4c912582fad4d87f85@solidstatelogic.com>
Message-ID: <00f601c9294e$8d10dbd0$a7329370$@ie>

Thanks

http://arwen.midland-ics.ie/~kmurphy/sample.msg

Regards

Kevin

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Martin.Hepworth
Sent: 08 October 2008 10:09
To: MailScanner discussion
Subject: RE: How to prevent these

Hi

Put the full email (headers and all) on a pastebin/web page and we can help...

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Mail Admin
> Sent: 08 October 2008 09:59
> To: MailScanner discussion
> Subject: How to prevent these
>
> Hi all
>
> Am getting loads of these mails, with subject ???????? ???
>
> What language is this, ? and why is MS /SA not picking it up?
>
> Thanks for any pointers
>
> This e-mail is intended solely for the addressee(s) and is
> strictly confidential. The unauthorised use, disclosure or
> copying of this e-mail, or any information it contains is
> prohibited. If you have received this e-mail in error, please
> notify us immediately and then permanently delete it.
> Although we make every effort to keep our systems free from
> viruses, you should check this e-mail and any attachments to
> it for viruses as we cannot accept any liability for viruses
> inadvertently transmitted by use.

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From ssilva at sgvwater.com Wed Oct 8 16:05:44 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Oct 8 16:06:06 2008
Subject: Brazilian William out of office again
In-Reply-To: <14a75928360962478c5d601da226da03@solidstatelogic.com>
References: <14a75928360962478c5d601da226da03@solidstatelogic.com>
Message-ID:

on 10-8-2008 2:20 AM Martin.Hepworth spake the following:
> Jules
>
> Can we try and track down william@observi.com.br and get him off the list. His OoO responder is still broke.
>

He has earned a permanent spot in my /etc/mail/access file!

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 250 bytes
Desc: OpenPGP digital signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081008/db23dc4c/signature.bin

From martinh at solidstatelogic.com Wed Oct 8 17:05:12 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Wed Oct 8 17:05:43 2008
Subject: How to prevent these
In-Reply-To: <00f601c9294e$8d10dbd0$a7329370$@ie>
Message-ID:

Err dunno what format that's in but mbox (rfc822) is nice..

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Mail Admin
> Sent: 08 October 2008 15:03
> To: MailScanner discussion
> Subject: RE: How to prevent these
>
> Thanks
>
> http://arwen.midland-ics.ie/~kmurphy/sample.msg
>
> Regards
>
> Kevin
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Martin.Hepworth
> Sent: 08 October 2008 10:09
> To: MailScanner discussion
> Subject: RE: How to prevent these
>
> Hi
>
> Put the full email (headers and all) on a pastebin/web page
> and we can help...
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info
> > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Mail
> > Admin
> > Sent: 08 October 2008 09:59
> > To: MailScanner discussion
> > Subject: How to prevent these
> >
> > Hi all
> >
> > Am getting loads of these mails, with subject ???????? ???
> >
> > What language is this, ? and why is MS /SA not picking it up?
> >
> > Thanks for any pointers

From stef at aoc-uk.com Wed Oct 8 17:12:15 2008
From: stef at aoc-uk.com (Stef Morrell)
Date: Wed Oct 8 17:12:14 2008
Subject: How to prevent these
In-Reply-To:
References: <00f601c9294e$8d10dbd0$a7329370$@ie>
Message-ID: <200810081612.m98GC6pr007150@safir.blacknight.ie>

martinh@solidstatelogic.com wrote:
> Err dunno what format that's in but mbox (rfc822) is nice..

It's in outlook message format.

Stef

Stefan Morrell | Operations Director
Tel: 0845 3452820 | Alpha Omega Computers Ltd
Fax: 0845 3452830 | Incorporating Level 5 Internet
stef@aoc-uk.com | stef@l5net.net

Alpha Omega Computers Ltd, Unit 57, BBTC, Grange Road, Batley, WF17 6ER.
Registered in England No. 3867142. VAT No. GB734421454

From rpoe at plattesheriff.org Wed Oct 8 17:13:03 2008
From: rpoe at plattesheriff.org (Rob Poe)
Date: Wed Oct 8 17:13:27 2008
Subject: Announcing the new FSL MailScanner Beta yum repository
In-Reply-To: <48D25F6A.4090906@ecs.soton.ac.uk>
References: <48D25F6A.4090906@ecs.soton.ac.uk>
Message-ID: <48EC95BF020000A2000098FF@platteco-2.plattesheriff.org>

Does this mean that the existing method of installing MailScanner (i.e. going to mailscanner.info / downloading the installer for MailScanner) is going away?

>>> Julian Field 9/18/2008 9:02 AM >>>

* What is it?

This is a new Yum repository for CentOS 5 i386 and x86_64 only. It will always contain the latest MailScanner beta (4.72.2 at the time of writing) along with SpamAssassin (plus DCC, Razor, DKIM, SPF, IP-Country and Rule2XS plug-ins), ClamAV and all Perl module dependencies. It should be used for beta testing new releases only and should not be used in production.

* Why is it different from other repositories?

Because it aims to completely eliminate the problem of package conflicts and to make installations and upgrades as simple as possible. These rpms provide an automatic configuration that contains the regular tuning tips that would be unfamiliar to those who do not have in-depth knowledge of MailScanner and its configuration. This significantly reduces the amount of time it takes to do an installation. From start to finish, the installation and configuration of all packages takes less than five minutes on a reasonably fast network.

Package conflicts are avoided by creating a new RPM namespace for all the Perl modules required by MailScanner and SpamAssassin and by installing all Perl modules (except SpamAssassin) in /opt/fsl/lib/perl5. This allows the Perl system libraries to be totally independent so they can be updated by the operating system vendor without the possibility of breaking MailScanner or SpamAssassin.

Automatic configuration is achieved by using RPM 'triggers' which allow the installation, upgrade or un-installation of one package trigger to access an action specified by another package. For example - when 're2c' is installed, the fsl-spamassassin package runs a trigger that automatically runs 'sa-update' and 'sa-compile' to get the latest rules and compile them and then automatically enables the 'Rule2XSBody' plug-in in v320.pre; subsequently, if 're2c' is uninstalled, then the plug-in is automatically disabled.

* Installation procedure

Ideally it should be installed onto a server with a fresh minimal installation of CentOS/RHEL 5. This will allow the operating system and all MailScanner related applications to be safely updated by simply running `yum -y update`.

If you want the MailScanner package to automatically mount the MailScanner incoming directory on tmpfs then run the following command before starting the installation:

    export MAILSCANNER_CREATE_TMPFS=1

Then simply run:

    wget http://yum.fslupdate.com/fsl-beta/fsl-beta.repo -O /etc/yum.repos.d/fsl-beta.repo
    yum -y groupinstall MailScannerGold
    export PERL5LIB=/opt/fsl/lib/perl5

Once all the packages are installed, the only configuration required is to MailScanner.conf, Sendmail (/etc/mail/access, /etc/mail/mailertable) and then enable and start them both by running:

    chkconfig MailScanner on
    service MailScanner start

* Installing over an existing RPM based installation

This is no different to the procedure above - except you should back-up your MailScanner and SpamAssassin configuration first as a precaution. The 'stock' MailScanner package has no automatic upgrade procedure; you will need to manually run upgrade_MailScanner_conf and/or upgrade_languages_conf if any rpmnew files are created by the new package.

* Support

Sign-up for the fsl-beta support list at http://listserv.fsl.com/mailman/listinfo/fsl-mailscanner-beta.

The use of the repository is entirely unsupported by FSL, so use is at your own risk - however we will be happy to answer any questions about the repository or packages on the fsl-beta list.

* MailScannerGold PRODUCTION

The MailScannerGold Production yum repository will be available in a few days. We'll post another announcement when it's available for subscription and downloading. Initial pricing for the production version subscription is a monthly fee of $30 / month for the first gateway and $20 / per month for each additional gateway. This should help us to recover our costs for development and maintenance while at the same time costing sites less than the salaries required for administrators to fully maintain and update the MailScanner systems.

Support for MailScannerGold PRODUCTION will be provided by a subscriber-supported and FSL-moderated email list. Subscribers to the service will also be able to obtain FSL support services at our standard hourly rates less a 25% discount.

These repositories should make installing, running and updating MailScanner a lot easier for both newbies and experienced mail administrators.

Jules

--
Julian Field MEng CITP CEng
Chief Technical Officer
Fort Systems Ltd.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081008/9b0b4c03/attachment.html

From Kevin_Miller at ci.juneau.ak.us Wed Oct 8 17:18:02 2008
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Wed Oct 8 17:18:12 2008
Subject: Recommendations for secondary virus scanner
In-Reply-To: <48EC7FB4.1050806@photobox.com>
References: <48EC7FB4.1050806@photobox.com>
Message-ID:

Ben Tisdall wrote:
> Hi esteemed listers,
>
> I would like to install a second av scanner on our MS system
> (currently using clamd).
>
> * It doesn't have to be free as in beer, but FOSS haters like Trend
> not welcome.
> * Reasonable cost if not free as in beer.
> * Low overhead.
>
> Looking forward to your recommendations.

I've been pretty happy w/F-Secure...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907) 586-4500

From martinh at solidstatelogic.com Wed Oct 8 17:36:46 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Wed Oct 8 17:37:01 2008
Subject: How to prevent these
In-Reply-To: <200810081612.m98GC6pr007150@safir.blacknight.ie>
Message-ID: <8834b874e1ef674a802f4f5eb21095be@solidstatelogic.com>

So it is - yuck....nice rfc 822 is required so we can pump it into our SA's.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Stef Morrell
> Sent: 08 October 2008 17:12
> To: MailScanner discussion
> Subject: RE: How to prevent these
>
> martinh@solidstatelogic.com wrote:
> > Err dunno what format that's in but mbox (rfc822) is nice..
>
> It's in outlook message format.
>
> Stef

From max at assuredata.com Wed Oct 8 18:17:06 2008
From: max at assuredata.com (Max Kipness)
Date: Wed Oct 8 18:17:20 2008
Subject: Mqueue.in just keeps growing...
Message-ID:

Yesterday, I rebooted our MailScanner server after more than a year. There was a problem with an interface and it took an hour to bring it back up. When back up I noticed that the mqueue.in folder had grown to a couple of thousand as I have a script to monitor all the queues. I didn't think much of it because this happens, but it finally catches up after an hour or so. Well by the time I had a chance to get back to it in the evening, there were 40k messages in mqueue, and incoming seemed to stay at 90. It was obvious that MailScanner was no longer processing mail.

I see no errors in the maillog, the local dns caching server is working fine and fast as can be, and nothing else really stands out. Thinking that there were just too many emails coming in for it to handle (load was up to 47 and sendmail kept stopping and starting receiving messages). So I moved mqueue.in, mqueue, and incoming messages elsewhere and started MailScanner clean. Mqueue.in just started growing again.

After reading some other messages, I decided the best thing might be to run in debug mode. I tried both setting debug=yes and running check_MailScanner, and running ./MailScanner --debug and both of them print a few lines, the last being SpamAssassin temp dir=blah, blah then stops. In the maillog it prints a few lines and stops as well. Isn't debug mode supposed to process some mail, or one at a time or something? Or am I doing it wrong?

Any other suggestions as to how to get MailScanner running or to troubleshoot this error? Or get debug mode running to see where the problem might be?

Unfortunately I had to stop the MailScanner services and start Sendmail and let thousands of spam through so users could get email today.

Thanks for any assistance...

Max

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081008/283ffea7/attachment.html

From ecasarero at gmail.com Wed Oct 8 18:39:33 2008
From: ecasarero at gmail.com (Eduardo Casarero)
Date: Wed Oct 8 18:39:43 2008
Subject: Mqueue.in just keeps growing...
In-Reply-To:
References:
Message-ID: <7d9b3cf20810081039h23e1d1e1l7733c16143688894@mail.gmail.com>

2008/10/8 Max Kipness

> Yesterday, I rebooted our MailScanner server after more than a year.
> There was a problem with an interface and it took an hour to bring it back
> up. When back up I noticed that the mqueue.in folder had grown to a couple
> of thousand as I have a script to monitor all the queues. I didn't think much
> of it because this happens, but it finally catches up after an hour or so.
> Well by the time I had a chance to get back to it in the evening, there were
> 40k messages in mqueue, and incoming seemed to stay at 90. It was obvious
> that MailScanner was no longer processing mail.
>
> I see no errors in the maillog, the local dns caching server is working
> fine and fast as can be, and nothing else really stands out. Thinking that
> there were just too many emails coming in for it to handle (load was up to
> 47 and sendmail kept stopping and starting receiving messages). So I moved
> mqueue.in, mqueue, and incoming messages elsewhere and started MailScanner
> clean. Mqueue.in just started growing again.
>
> After reading some other messages, I decided the best thing might be to run
> in debug mode. I tried both setting debug=yes and running check_MailScanner,
> and running ./MailScanner --debug and both of them print a few lines, the
> last being SpamAssassin temp dir=blah, blah then stops. In the maillog it
> prints a few lines and stops as well. Isn't debug mode supposed to process
> some mail, or one at a time or something? Or am I doing it wrong?
>
> Any other suggestions as to how to get MailScanner running or to
> troubleshoot this error? Or get debug mode running to see where the problem
> might be?
>
> Unfortunately I had to stop the MailScanner services and start Sendmail and
> let thousands of spam through so users could get email today.
>
> Thanks for any assistance...
>
> Max
>

Did you try mailscanner --lint to see if there is any problem? Also, you can try disabling spamassassin or, in spamassassin, disable some plugins.

Eduardo.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081008/b171e8ae/attachment.html

From alex at rtpty.com Wed Oct 8 19:00:27 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Wed Oct 8 19:00:58 2008
Subject: Mqueue.in just keeps growing...
In-Reply-To:
References:
Message-ID: <3B10CDEB-F08A-4427-81F3-28FCAF769AA9@rtpty.com>

You probably updated something and broke perl. Install the latest MailScanner beta on top of your existing installation - that'll probably fix a lot of things.

On Oct 8, 2008, at 12:17 PM, Max Kipness wrote:

> Yesterday, I rebooted our MailScanner server after more than a year.
> There was a problem with an interface and it took an hour to bring
> it back up. When back up I noticed that the mqueue.in folder had
> grown to a couple of thousand as I have a script to monitor all the
> queues. I didn't think much of it because this happens, but it
> finally catches up after an hour or so. Well by the time I had a
> chance to get back to it in the evening, there were 40k messages in
> mqueue, and incoming seemed to stay at 90. It was obvious that
> MailScanner was no longer processing mail.
>
> I see no errors in the maillog, the local dns caching server is
> working fine and fast as can be, and nothing else really stands out.
> Thinking that there were just too many emails coming in for it to
> handle (load was up to 47 and sendmail kept stopping and starting
> receiving messages). So I moved mqueue.in, mqueue, and incoming
> messages elsewhere and started MailScanner clean. Mqueue.in just
> started growing again.
>
> After reading some other messages, I decided the best thing might be
> to run in debug mode. I tried both setting debug=yes and running
> check_MailScanner, and running ./MailScanner --debug and both of them
> print a few lines, the last being SpamAssassin temp dir=blah, blah
> then stops. In the maillog it prints a few lines and stops as well.
> Isn't debug mode supposed to process some mail, or one at a time or
> something? Or am I doing it wrong?
>
> Any other suggestions as to how to get MailScanner running or to
> troubleshoot this error? Or get debug mode running to see where the
> problem might be?
>
> Unfortunately I had to stop the MailScanner services and start
> Sendmail and let thousands of spam through so users could get email
> today.
>
> Thanks for any assistance...
>
> Max

From max at assuredata.com Wed Oct 8 21:47:42 2008
From: max at assuredata.com (Max Kipness)
Date: Wed Oct 8 21:47:56 2008
Subject: Mqueue.in just keeps growing...
Message-ID: <11375BD8FE838A409E10DB32B9BFFE9B1225A6@addc01.assuredata.local>

>You probably updated something and broke perl. Install the latest
>MailScanner beta on top of your existing installation - that'll
>probably fix a lot of things.

Well I tried your suggestion, and although the latest (stable) version installed just fine over the old, I'm having the exact same problem.

Now when I run MailScanner in debug mode, I get a little more data from the stdout/command line, I get the following:

[root@server1 MailScanner]# MailScanner --debug

Currently you are using no virus scanners.
This is probably not what you want.

In your /etc/MailScanner/MailScanner.conf file, set
Virus Scanners = clamav
Then download
http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/install-Clam-SA.tar.gz
Unpack it, "cd" into the directory and run ./install.sh

In Debugging mode, not forking...
Trying to setlogsock(unix)
SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
Building a message batch to scan...

But nothing ever happens and I don't get much from the maillog either. I've disabled clamav temporarily thinking it may be playing a part in this problem, but evidently not. Next I will try disabling spamassassin and RBLs.

There has to be a way to find out why MailScanner is not picking up mail from mqueue.in via some troubleshooting method I would think.

Any other thoughts anyone?

Thanks,
Max

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081008/6f323287/attachment.html

From alex at rtpty.com Wed Oct 8 22:19:54 2008
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Wed Oct 8 22:20:11 2008 Subject: Mqueue.in just keeps growing... In-Reply-To: <11375BD8FE838A409E10DB32B9BFFE9B1225A6@addc01.assuredata.local> References: <11375BD8FE838A409E10DB32B9BFFE9B1225A6@addc01.assuredata.local> Message-ID: <0E6E302C-A70D-4594-9AEF-EEC50726F345@rtpty.com> Is MailScanner running at all? Permissions issues? On Oct 8, 2008, at 3:47 PM, Max Kipness wrote: > >You probably updated something and broke perl. Install the latest > >MailScanner beta on top of your existing installation - that'll > >probably fix a lot of things. > > Well I tried your suggestion, and although the latest (stable) > version installed just fine over the old, I?m having the exact same > problem. > > Now when I run MailScanner in debug mode, I get a little more data > from the stdout/command line, I get the following: > > [root@server1 MailScanner]# MailScanner --debug > > Currently you are using no virus scanners. > This is probably not what you want. > > In your /etc/MailScanner/MailScanner.conf file, set > Virus Scanners = clamav > Then download > http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/install-Clam-SA.tar.gz > Unpack it, "cd" into the directory and run ./install.sh > > In Debugging mode, not forking... > Trying to setlogsock(unix) > SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin- > Temp > Building a message batch to scan... > > But nothing ever happens and I don?t get much from the maillog > either. I?ve disabled clamav temporarily thinking it may be playing > a part in this problem, but evidently not. Next I will try disabling > spamassassin and RBLs. > > There has to be a way to find out why MailScanner is not picking up > mail from mqueue.in via some troubleshooting method I would think. > > Any other thoughts anyone? 
> > Thanks, > Max > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From richard.frovarp at sendit.nodak.edu Wed Oct 8 22:31:56 2008 From: richard.frovarp at sendit.nodak.edu (Richard Frovarp) Date: Wed Oct 8 22:32:09 2008 Subject: Mqueue.in just keeps growing... In-Reply-To: <11375BD8FE838A409E10DB32B9BFFE9B1225A6@addc01.assuredata.local> References: <11375BD8FE838A409E10DB32B9BFFE9B1225A6@addc01.assuredata.local> Message-ID: <48ED26CC.2040203@sendit.nodak.edu> Max Kipness wrote: > >You probably updated something and broke perl. Install the latest > >MailScanner beta on top of your existing installation - that'll > >probably fix a lot of things. > > Well I tried your suggestion, and although the latest (stable) version installed just fine over the old, I?m having the exact same problem. > > What about --lint? From ssilva at sgvwater.com Wed Oct 8 22:42:43 2008 
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Oct 8 22:43:03 2008
Subject: Announcing the new FSL MailScanner Beta yum repository
In-Reply-To: <48EC95BF020000A2000098FF@platteco-2.plattesheriff.org>
References: <48D25F6A.4090906@ecs.soton.ac.uk> <48EC95BF020000A2000098FF@platteco-2.plattesheriff.org>
Message-ID:

on 10-8-2008 9:13 AM Rob Poe spake the following:
> Does this mean that the existing method of installing MailScanner (i.e.
> going to mailscanner.info / downloading the installer for MailScanner)
> is going away?
>
This is just a service set up by one of the paid supporters of MailScanner, Fortress Software.
They have set up the repo for beta versions for free, but the repo for the stable versions is a paid service.

The downloads will not go away AFAIK. Julian has stated that he will not drop the free nature of the system as it is now. The optional systems are for Admin convenience.

-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com Wed Oct 8 22:45:20 2008
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Oct 8 22:50:11 2008 Subject: Migrate system: amavisd-new to mailscanner? In-Reply-To: References: <223f97700810071210q5784317bo74558f1c8a8a5157@mail.gmail.com> Message-ID: on 10-8-2008 2:47 AM Anthony Cartmell spake the following: >>> So perhaps Postfix plus MailScanner might be OK? This would mean I could >>> leave Postfix set up as it is, but replace amavisd-new with MailScanner, >>> probably a simpler task? >> Not exactly "as is", but definitely doable. >> Easiest would be to "sidegrade" to another machine, where you setup >> with MS from the outset, but that would be utopian, I suspect:-). > > Might be possible, as a server hardware change is on offer. > > I think I'm correct in saying that MailScanner is much better than > amavisd-new? > >> Do read the setup instructions (both on the website and in the wiki) >> very carefully... When using PF, you'll likely be running as an >> unprivileged user, so all concerning that has to be exactly right... > > Good tip, thank you. > > Do we have a feeling for which MTAs people are mostly using with > MailScanner? Is it mainly sendmail, or a random mix of all of them? > >>> Current OS is Fedora 5 (!) but they plan to move to CentOS soon. >> Ew. > > Yeah! > > Anthony I'm pretty sure that Sendmail and Postfix make up the majority of installs, with Exim probably very close. There has also been some support by third parties of Qmail, but it is probably dead-last in the "race". -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081008/f8cca5ac/signature.bin From ssilva at sgvwater.com Wed Oct 8 22:55:23 2008 
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Oct 8 22:55:53 2008
Subject: Recommendations for secondary virus scanner
In-Reply-To: <48EC7FB4.1050806@photobox.com>
References: <48EC7FB4.1050806@photobox.com>
Message-ID:

on 10-8-2008 2:39 AM Ben Tisdall spake the following:
> Hi esteemed listers,
>
> I would like to install a second av scanner on our MS system (currently
> using clamd).
>
> * It doesn't have to be free as in beer, but FOSS haters like Trend not
> welcome.
> * Reasonable cost if not free as in beer.
> * Low overhead.
>
> Looking forward to your recommendations.
>
> Best regards,
>
> Ben.
>
If you have a corporate license of desktop virus scanners, check if it includes a commandline scanner for free. My McAfee corporate subscription includes their linux scanner as a bonus.

-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From steve at fsl.com Wed Oct 8 23:04:46 2008
From: steve at fsl.com (Stephen Swaney)
Date: Wed Oct 8 23:04:58 2008
Subject: Announcing the new FSL MailScanner Beta yum repository
In-Reply-To:
References: <48D25F6A.4090906@ecs.soton.ac.uk> <48EC95BF020000A2000098FF@platteco-2.plattesheriff.org>
Message-ID: <48ED2E7E.9050900@fsl.com>

Scott Silva wrote:
> on 10-8-2008 9:13 AM Rob Poe spake the following:
>
>> Does this mean that the existing method of installing MailScanner (i.e.
>> going to mailscanner.info / downloading the installer for MailScanner)
>> is going away?
>>
>>
> This is just a service set up by one of the paid supporters of MailScanner,
> Fortress Software.
> They have set up the repo for beta versions for free, but the repo for the
> stable versions are a paid service.
>
> The downloads will not go away AFAIK. Julian has stated that he will not drop
> the free nature of the system as it is now. The optional systems are for Admin
> convenience.
>
>

Thanks Scott.

For over five years now we have committed to keeping MailScanner as open source software and free. We use some of the funds from the "paid" support options, DefenderMX and BarricadeMX, to support some of the improvements to MailScanner. Any feature that FSL has added to MailScanner has always been and will always be incorporated back into MailScanner.

Julian and I agreed on the day we started this business that MailScanner would "never branch" into free and paid versions. I think we have a pretty good record of keeping to this promise.

I truly believe that MailScanner, the open source version, can increase its market share by having the option of paid support. I know this because our paying clients tell us so. Most of our larger sites feel that having their MailScanner systems maintained and supported by professionals who keep very up to date on MailScanner and the related applications - actually saves them money.

I think it's just good to have options and one of them will always be FSL and various support options.

Best regards,

Steve

Steve Swaney
steve@fsl.com
Cell: 202 352.3262
Office: 202 595.7760, ext 601
www.fsl.com

From max at assuredata.com Thu Oct 9 00:12:27 2008
From: max at assuredata.com (Max Kipness)
Date: Thu Oct 9 00:12:39 2008
Subject: Mqueue.in just keeps growing...
Message-ID:

>You probably updated something and broke perl. Install the latest
>MailScanner beta on top of your existing installation - that'll
>probably fix a lot of things.

>>What about --lint?

Well after running some more tests, I've determined it may be some performance issue. Why this started after the reboot I have no idea.

I did a test in which I cleared all the queues and placed an iptables rule that blocked port 25. Then I started MailScanner, and opened port 25 just for about a minute. In that time frame I received about 1000 messages or so. After closing port 25 again, it took a bit, but MailScanner processed them all. I would say 90% was spam. I do not allow invalid email addresses, so this is all spam to legitimate addresses.

Since then I've raised the number of processes to 15 and I have 900 messages at any given time in "incoming". The server is again very high on load so Sendmail is continuously rejecting then accepting messages. Seems like MailScanner may be processing very few emails so at this point, the mqueue.in is growing a little at a time now and never reducing.

So is there any way that I can get the performance set so that it catches up with this mail? It's been working fine for over a year. The incoming mail content, especially spam has probably increased quite a bit, but just last week when I checked the queues everything was very low and normal. I can't imagine why a reboot has made the server perform less.

Any suggestions would be much appreciated.

Max

From ssilva at sgvwater.com Thu Oct 9 00:32:30 2008
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Oct 9 00:32:46 2008 Subject: Mqueue.in just keeps growing... In-Reply-To: References: Message-ID: on 10-8-2008 4:12 PM Max Kipness spake the following: >>You probably updated something and broke perl. Install the latest >>MailScanner beta on top of your existing installation - that'll >>probably fix a lot of things. >>>What about --lint? > > Well after running some more tests, I?ve determined it may be a some > performance issue. Why this started after the reboot I have no idea. > > I did a test in which I cleared all the queues and placed an iptables > rule that blocked port 25. Then I started MailScanner, and opened port > 25 just for about a minute. In that time frame I received about 1000 > messages or so. After closing port 25 again, it took a bit, but > MailScanner processed them all. I would say 90% was spam. I do not allow > invalid email addresses, so this is all spam to legitimate addresses. > > Since then I?ve raised the number of processes to 15 and I have 900 > messages at any given time in ?incoming?. The server is again very high > on load so Sendmail is continuously rejecting then accepting messages. > Seems like MailScanner may be processing very few emails so at this > point, the mqueue.in is growing a little at a time now and never reducing. > > So is there anyway that I can get the performance set so that it catches > up with this mail? It?s been working fine for over a year. The incoming > mail content, especially spam has probably increased quite a bit, but > just last week when I checked the queues everything was very low and > normal. I can?t imagine why a reboot has made the server perform less. > > Any suggestions would be much appreciated. > > Max > > Could you have had a kernel update in that year that wouldn't have become active until the reboot? Is there any way you can use some blacklists at the MTA to reduce the crap getting into the queue? 
Maybe something that looks at the spam you are getting and adding entries as they hit.

-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From Kevin_Miller at ci.juneau.ak.us Thu Oct 9 01:08:29 2008
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Thu Oct 9 01:08:41 2008
Subject: Mqueue.in just keeps growing...
In-Reply-To:
References:
Message-ID:

snip

>So is there anyway that I can get the performance set so that it
>catches up with this mail? It's been working fine for over a year.
>The incoming mail content, especially spam has probably increased
>quite a bit, but just last week when I checked the queues
>everything was very low and normal. I can't imagine why a reboot
>has made the server perform less.

> Any suggestions would be much appreciated.

There are a couple of things that you may be able to do quite easily. You don't say what MTA you're using, but in sendmail you can add a greet pause line in your sendmail.mc file:

FEATURE(`greet_pause', `10000')dnl

That one thing that really helped me drop a *lot* of spam before it was even received. When a connection is made, it basically says "hold please" for 10 seconds. Legitimate MTAs don't have a problem w/that (some mail admins do - tough ) but spambots generally will just move on to the next message. I'm sure there's an equivalent in Postfix if you're using that instead.

I'm not using it, but rate throttle may be helpful too. IIRC, that looks at how many inbound emails you're getting from a given user in a given amount of time, and if it exceeds it, the MTA throttles back what it will accept from that host.

Also, you might set up MailScanner to use a tmpfs for processing mail if you have sufficient ram. See the tmpfs section on this page:
http://wiki.mailscanner.info/doku.php?id=maq:index&s=tmpfs

Good luck...

...Kevin
-- 
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From alex at rtpty.com Thu Oct 9 01:56:32 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Thu Oct 9 01:56:45 2008
Subject: Mqueue.in just keeps growing...
In-Reply-To:
References:
Message-ID: >You probably updated something and broke perl. Install the latest >MailScanner beta on top of your existing installation - that'll >probably fix a lot of things.

On Oct 8, 2008, at 6:12 PM, Max Kipness wrote:

> I can't imagine why a reboot has made the server perform less.

How's your caching dns performance? Have you updated spamassassin? What additional rules or plugins are you running?

From alex at rtpty.com Thu Oct 9 01:58:55 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Thu Oct 9 01:59:09 2008
Subject: Mqueue.in just keeps growing...
In-Reply-To:
References:
Message-ID:

There's the stuff at:

http://www.technoids.org/dossed.html

Which is good for sendmail users. The same concepts applied to postfix (plus some more built into postfix) would also help.

Oh, and if you're using postfix, you have to remember MailScanner causes swapping!

On Oct 8, 2008, at 7:08 PM, Kevin Miller wrote:

> There are a couple of things that you may be able to do quite easily.

From hvdkooij at vanderkooij.org Thu Oct 9 06:29:52 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Thu Oct 9 06:30:03 2008
Subject: How to prevent these
In-Reply-To: <006701c92924$2374abe0$6a5e03a0$@ie>
References: <006701c92924$2374abe0$6a5e03a0$@ie>
Message-ID: <48ED96D0.3010701@vanderkooij.org>

Mail Admin wrote:
> Hi all
>
>
>
> Am getting loads of these mails, with subject ???????? ???
>
> What language is this, ? and why is MS /SA not picking it up?

Didn't they teach you Russian? (KOI8-R characterset)

I get quite a few messages where only the Subject: and From: lines indicate the language. I kill these with header detection in postfix.

(My first reply attempt was even shot down for the same reason.)

Hugo.

-- 
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

From hvdkooij at vanderkooij.org Thu Oct 9 06:35:13 2008
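Added example (not part of Hugo's post and not his postfix rules): a Python check of the kind of header-only detection described above, flagging Subject: and From: lines that declare a Cyrillic charset in an RFC 2047 encoded-word or carry undeclared 8-bit bytes. The charset list, the function names and the sample messages are assumptions constructed for illustration.

```python
import re

# Charsets to flag in Subject:/From:. Which ones to list is a site policy
# choice; this set is an assumption made for the example.
FLAGGED_CHARSETS = {"koi8-r", "koi8-u", "windows-1251", "iso-8859-5"}
CHECKED_HEADERS = ("subject", "from")

# RFC 2047 encoded-word: =?charset[*lang]?B|Q?text?=
ENCODED_WORD = re.compile(rb"=\?([^?*\s]+)(?:\*[^?\s]*)?\?[bBqQ]\?[^?\s]*\?=")


def unfold_headers(raw):
    """Return [(lowercased name, value bytes)] for the header block only."""
    head = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0]
    head = re.sub(rb"\r?\n[ \t]+", b" ", head)  # join folded continuation lines
    fields = []
    for line in re.split(rb"\r?\n", head):
        name, sep, value = line.partition(b":")
        # Field names contain no whitespace; this also skips an mbox "From " line.
        if sep and name and b" " not in name:
            fields.append((name.decode("ascii", "replace").lower(), value.strip()))
    return fields


def flagged_headers(raw):
    """Return [(header, reason)] for Subject:/From: lines worth rejecting or scoring."""
    hits = []
    for name, value in unfold_headers(raw):
        if name not in CHECKED_HEADERS:
            continue
        reasons = []
        for match in ENCODED_WORD.finditer(value):
            charset = match.group(1).decode("ascii", "replace").lower()
            if charset in FLAGGED_CHARSETS:
                reasons.append("charset " + charset)
        # 8-bit bytes with no declared charset are what a mail client shows as "????".
        if any(byte > 0x7F for byte in value):
            reasons.append("raw 8-bit bytes")
        for reason in dict.fromkeys(reasons):  # de-duplicate, keep order
            hits.append((name, reason))
    return hits


# Constructed sample messages (not taken from the list archive).
ENCODED = (
    b"From mailer Thu Oct  9 06:00:00 2008\r\n"
    b"From: =?koi8-r?B?8NLJ18XU?= <sender@example.test>\r\n"
    b"To: user@example.test\r\n"
    b"Subject: =?KOI8-R?B?8NLJ18XU?=\r\n"
    b" =?KOI8-R?B?8NLJ18XU?=\r\n"
    b"\r\n"
    b"plain ASCII body\r\n"
)
RAW_8BIT = (
    b"From: sender@example.test\r\n"
    b"Subject: \xf0\xd2\xc9\xd7\xc5\xd4\r\n"
    b"\r\n"
    b"body\r\n"
)
CLEAN = (
    b"From: admin@example.test\r\n"
    b"Subject: KOI8-R question\r\n"
    b"\r\n"
    b"=?koi8-r?B?8NLJ18XU?= quoted in the body only\r\n"
)

if __name__ == "__main__":
    for label, sample in (("encoded", ENCODED), ("raw", RAW_8BIT), ("clean", CLEAN)):
        print(label, flagged_headers(sample))
```

Only the header block is inspected, so a legitimate message that merely mentions the charset in its subject text or body is not flagged.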
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Thu Oct 9 06:35:22 2008
Subject: Recommendations for secondary virus scanner
In-Reply-To: <48EC7FB4.1050806@photobox.com>
References: <48EC7FB4.1050806@photobox.com>
Message-ID: <48ED9811.3010709@vanderkooij.org>

Ben Tisdall wrote:
> Hi esteemed listers,
>
> I would like to install a second av scanner on our MS system (currently
> using clamd).
>
> * It doesn't have to be free as in beer, but FOSS haters like Trend not
> welcome.
> * Reasonable cost if not free as in beer.
> * Low overhead.
>
> Looking forward to your recommendations.

Maybe not what you like to hear. But signature detection will never win the race. Just about any AV manufacturer is aware of that by now.

The way that MailScanner calls upon scanners may inhibit features of the product that you choose that will lower the detection rate.

On the other hand many of the other tricks available to a postmaster by tightening up the MTA of choice and running MailScanner and all will get the same results.

Hugo

-- 
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

From max at assuredata.com Thu Oct 9 07:58:32 2008
From: max at assuredata.com (Max Kipness)
Date: Thu Oct 9 07:58:43 2008
Subject: Mqueue.in just keeps growing...
Message-ID: <11375BD8FE838A409E10DB32B9BFFE9B1225A7@addc01.assuredata.local>

>How's your caching dns performance? Have you updated spamassassin?
>What additional rules or plugins are you running?
--

Well I followed a lot of the suggestions for increasing performance, and although MailScanner is working a little better, it still cannot keep up. DNS performance is quick. I do not have the latest spamassassin version, but based on the fact that most spam is being caught by Sendmail now (as described below), I wouldn't think that is the problem.

I added the greeting delay to sendmail, am now checking Spamcop and XBL at Sendmail level, and although tons of spam is now being caught before getting to MailScanner, my mqueue.in is at 30k, incoming is at a constant 180 and now mqueue is hovering around 2k. Mail is coming through but way too slow. Also, cpu is just pegged at 100% with several MailScanner processes, Sendmail processes, and kblockd/0 and kblockd/1 splitting up all cpu. I'm starting to wonder if after the reboot something has degraded my disk performance and now there isn't enough cpu for MailScanner to handle the number of messages coming in?

I may have to resort to setting up MailScanner on another system at this point.

Thanks for all the suggestions, and if anyone has any other ideas, please let me know.

Thanks,
Max

From martinh at solidstatelogic.com Thu Oct 9 09:08:48 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Thu Oct 9 09:09:01 2008
Subject: Mqueue.in just keeps growing...
In-Reply-To: <11375BD8FE838A409E10DB32B9BFFE9B1225A7@addc01.assuredata.local>
Message-ID: <3ef9c2980c008f40a17db78c15dc06ad@solidstatelogic.com>

Max

Anything obvious in these messages? ( unknown recipients, joe-job bounces)???

Is this the same amount of messages you were processing before?

Have you tried turning all the RBL's off in SA and just leaving a couple of known working ones on. (nb spamhaus will put you on their 'greylist' if you query them too much as part of their usage policy), http://www.spamhaus.org/organization/dnsblusage.html. So unless you've got a pay for feed I suggest you remove them from your setup given your message load.

-- 
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Max Kipness > Sent: 09 October 2008 07:59 > To: MailScanner discussion > Subject: Re: Mqueue.in just keeps growing... > > >How's your caching dns performance? Have you updated spamassassin? > > >What additional rules or plugins are you running? -- > > > > Well I followed a lot of the suggestions for increasing > performance, and although MailScanner is working a little > better, it still cannot keep up. DNS performance is quick. I > do not have the latest spamassassin version, but based on the > fact that most spam is being caught by Sendmail now (as > described below), I wouldn't think that is the problem. > > > > I added the greeting delay to sendmail, am now checking > Spamcop and XBL at Sendmail level, and although tons of spam > is now being caught before getting to MailScanner, my > mqueue.in is at 30k, incoming is at a constant 180 and now > mqueue is hovering around 2k. Mail is coming through but way > too slow. Also, cpu is just pegged at 100% with several > MailScanner processes, Sendmail processes, and kblockd/0 and > kblockd/1 splitting up all cpu. I'm starting to wonder if > after the reboot something has degraded my disk performance > and now there isn't enough cpu for MailScanner to handle the > number of messages coming in? > > > > I may have to resort to setting up MailScanner on another > system at this point. > > > > Thanks for all the suggestions, and if anyone has any other > ideas, please let me know. > > > > Thanks, > > Max > > ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. 
Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From steve.freegard at fsl.com Thu Oct 9 09:17:09 2008 
From: steve.freegard at fsl.com (Steve Freegard) Date: Thu Oct 9 09:17:22 2008 Subject: OT - EMEW (Enhanced Message-ID as Email Watermark) breaks pipermail threading In-Reply-To: <48B27D31.50803@fsl.com> References: <48B27D31.50803@fsl.com> Message-ID: <48EDBE05.9060602@fsl.com> Hi Mark, Steve Freegard wrote: > Hi Mark, > > Mark Sapiro wrote: >> I notice a few frequent posters on this list, including Jules since >> late May, appear to receive list posts with Message-IDs munged with >> EMEW watermarks. Thus their replies to list posts have In-Reply-To: >> with the munged Message-ID which breaks threading in the pipermail >> archive at >> (every time Jules replies to a post, a new thread is started). >> >> I am a Mailman developer and am concerned about what, if anything, I >> should do about this for the near term. My specific concerns are >> >> 1. how wide spread is the use of EMEW likely to become. > > Anyone using BarricadeMX can switch this on at any time. > >> 2. How do I recognize the added data in the Message-Id? It looks like >> the regexp 'EMEW-[0-9A-Za-z]{6}[0-9a-f]{32}-' will work and removing >> the match will restore the original Message-ID (or at least the >> immediately prior Message-ID). Is that a good regexp, or is there a >> better one? > > That regexp should work just fine. > > However - you shouldn't modify Mailman in any way - there's obviously a > bug that we need to fix. We've simply not noticed it as I read the list > using the GMane gateway and it threads just fine in Thunderbird. > >> 3. Are there products other than BarricadeMX that are munging >> Message-IDs in other ways for similar reasons. > > No to my knowledge. > >> I haven't been able to find much on the web about this. I would >> appreciate any advice or additional information anyone can point me to. > > We'll take this off-line and I'll contact you later once I've had a > chance to speak to one of my colleagues. 
We can then work out a fix and > push it out to all the BarricadeMX users via yum. > My previous reply appears not to have made it to the list and I can't find it anywhere in Thunderbird, so this is a re-send - apologies if you get it more than once. I'd forgotten to let you know that this was fixed in BarricadeMX v2.1.53 (the current version is now 2.1.60) as suspected it was a bug that caused the headers to be modified when they shouldn't have been. Kind regards, Steve. From mailadmin at midland-ics.ie Thu Oct 9 09:47:58 2008 From: mailadmin at midland-ics.ie (Mail Admin) Date: Thu Oct 9 09:48:23 2008 Subject: How to prevent these In-Reply-To: <48ED96D0.3010701@vanderkooij.org> References: <006701c92924$2374abe0$6a5e03a0$@ie> <48ED96D0.3010701@vanderkooij.org> Message-ID: <006b01c929eb$bb8c0960$32a41c20$@ie> Is there such a thing in SendMail -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Hugo van der Kooij Sent: 09 October 2008 06:30 To: MailScanner discussion Subject: Re: How to prevent these -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Mail Admin wrote: > Hi all > > > > Am getting loads of these mails, with subject ???????? ??? > > What language is this, ? and why is MS /SA not picking it up? Didn't they teach you Russian? (KOI8-R characterset) I get quite a few messages where only the Subject: and 
From: lines indicate the language. I kill these with header detection in postfix. (My first reply attempt was even shot down for the same reason.) Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFI7ZZKBvzDRVjxmYERAjkvAKCgYSKtivj1vnS0RzOLFb9rcEtsswCfcmbI 36dn89CB7okdG0IDE6qwuro= =aB5o -----END PGP SIGNATURE----- -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. This e-mail is intended solely for the addressee(s) and is strictly confidential. The unauthorised use, disclosure or copying of this e-mail, or any information it contains is prohibited. If you have received this e-mail in error, please notify us immediately and then permanently delete it. Although Midland Internet & Computer Solutions make every effort to keep our systems free from viruses you should check this e-mail and any attachments to it for viruses as we cannot accept any liability for viruses inadvertently transmitted by use. From prandal at herefordshire.gov.uk Thu Oct 9 10:09:23 2008 
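Added example for the EMEW Message-ID thread above (not Mailman, pipermail or BarricadeMX code): it applies the regexp quoted in that thread to In-Reply-To: and References: before threading, showing how a watermarked reference starts a new thread and how stripping it restores the link. The sample Message-IDs, the placement of the watermark at the start of the ID, and the function names are assumptions.

```python
import re

# Regexp quoted in the thread for the data EMEW adds to a Message-ID.
EMEW_TAG = re.compile(r"EMEW-[0-9A-Za-z]{6}[0-9a-f]{32}-")
MSGID = re.compile(r"<[^<>\s]+>")


def strip_emew(msgid):
    """Remove every EMEW watermark from one Message-ID string."""
    return EMEW_TAG.sub("", msgid)


def ids_in(value, strip):
    """Extract the <...> ids from a header value, optionally un-watermarked."""
    ids = MSGID.findall(value or "")
    return [strip_emew(i) for i in ids] if strip else ids


def thread_roots(messages, strip=True):
    """Map each Message-ID to the root of its thread.

    The parent is the first id in In-Reply-To:, else the last id in
    References:. With strip=False the ids are compared exactly as received.
    """
    parent = {}
    for msg in messages:
        own = ids_in(msg.get("Message-ID"), strip)
        if not own:
            continue
        refs = (ids_in(msg.get("In-Reply-To"), strip)[:1]
                or ids_in(msg.get("References"), strip)[-1:])
        parent[own[0]] = refs[0] if refs else None

    def root(mid):
        seen = set()  # guards against reference loops
        while parent.get(mid) and mid not in seen:
            seen.add(mid)
            mid = parent[mid]
        return mid

    return {mid: root(mid) for mid in parent}


# Constructed watermark and messages (assumed layout: watermark right after "<").
WATERMARK = "EMEW-k8aB3x0123456789abcdef0123456789abcdef-"
MESSAGES = [
    {"Message-ID": "<48aa.1000@list.example.test>"},
    {"Message-ID": "<48aa.2000@reader.example.test>",
     "In-Reply-To": "<" + WATERMARK + "48aa.1000@list.example.test>"},
    {"Message-ID": "<48aa.3000@other.example.test>",
     "References": "<48aa.1000@list.example.test> "
                   "<" + WATERMARK + "48aa.2000@reader.example.test>"},
]


def thread_count(messages, strip):
    """Number of distinct threads the archive would show."""
    return len(set(thread_roots(messages, strip).values()))


if __name__ == "__main__":
    print("threads as received:   ", thread_count(MESSAGES, strip=False))
    print("threads after stripping:", thread_count(MESSAGES, strip=True))
```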
From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Thu Oct 9 10:11:14 2008 Subject: Mqueue.in just keeps growing... In-Reply-To: <11375BD8FE838A409E10DB32B9BFFE9B1225A7@addc01.assuredata.local> References: <11375BD8FE838A409E10DB32B9BFFE9B1225A7@addc01.assuredata.local> Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA04EFEDDF@HC-MBX02.herefordshire.gov.uk> Which SA are you using? Have you done an sa-update to update the base SA rules? Cheers, Phil -- Phil Randal Networks Engineer Herefordshire Council Hereford, UK ________________________________ 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Max Kipness Sent: 09 October 2008 07:59 To: MailScanner discussion Subject: Re: Mqueue.in just keeps growing... >How's your caching dns performance? Have you updated spamassassin? >What additional rules or plugins are you running? -- Well I followed a lot of the suggestions for increasing performance, and although MailScanner is working a little better, it still cannot keep up. DNS performance is quick. I do not have the latest spamassassin version, but based on the fact that most spam is being caught by Sendmail now (as described below), I wouldn't think that is the problem. I added the greeting delay to sendmail, am now checking Spamcop and XBL at Sendmail level, and although tons of spam is now being caught before getting to MailScanner, my mqueue.in is at 30k, incoming is at a constant 180 and now mqueue is hovering around 2k. Mail is coming through but way too slow. Also, cpu is just pegged at 100% with several MailScanner processes, Sendmail processes, and kblockd/0 and kblockd/1 splitting up all cpu. I'm starting to wonder if after the reboot something has degraded my disk performance and now there isn't enough cpu for MailScanner to handle the number of messages coming in? I may have to resort to setting up MailScanner on another system at this point. Thanks for all the suggestions, and if anyone has any other ideas, please let me know. Thanks, Max -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081009/37532eb4/attachment.html From ben.tisdall at photobox.com Thu Oct 9 10:16:56 2008 
From: ben.tisdall at photobox.com (Ben Tisdall) Date: Thu Oct 9 10:17:11 2008 Subject: Recommendations for secondary virus scanner In-Reply-To: <48ECAC7F.4000301@photobox.com> References: <48EC7FB4.1050806@photobox.com> <48EC8B36.3010206@alexb.ch> <48ECAC7F.4000301@photobox.com> Message-ID: <48EDCC08.3010004@photobox.com> Ben Tisdall wrote: > Alex Broens wrote: >> F-Prot = fast, affordable, atm: good detection rates. >> GData & Avira are doing very well as well - you'll have to check pricing. >> I'm confused by this whole 'licensing' thing (I normally leave that to the Windows admin sitting opposite me :) In general (and with F-prot in particular) is it necessary to use the 'mailserver' editions of these products? from a licensing standpoint? From a technical standpoint I assume MS would do just as well with the workstation version. -- Ben Tisdall Linux Systems Administrator | www.photobox.com From MailScanner at ecs.soton.ac.uk Thu Oct 9 10:23:31 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Oct 9 10:23:53 2008 Subject: Brazilian William out of office again In-Reply-To: References: Message-ID: <48EDCD93.20109@ecs.soton.ac.uk> I have set his "nomail" flag. Martin.Hepworth wrote: > Jules > > Can we try and track down william@observi.com.br and get him off the list. His OoO responder is still broke. > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Thu Oct 9 10:25:58 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Oct 9 10:26:16 2008 Subject: Installer comments In-Reply-To: References: <003801c9287a$c299f2c0$47cdd840$@dk> Message-ID: <48EDCE26.8000906@ecs.soton.ac.uk> Scott Silva wrote: > > >> It would be super if the installer could do this for you somehow, >> basically ask if it should look for the old directory and copy over old >> files somehow. >> >> This is also true for the old configuration. I assume that most people >> who upgrade will want to run the upgrade_conf script on their old >> configuration to create an up2date configuration file. >> >> This could also (in a simple way I think) be done by the installer. >> >> > > This is also debatable, as some people with heavily commented conf files do > not run the upgrade_mailscanner_conf script because it removes all their > comments, but run a diff and fix it themselves. > There is a "keep-comments" command-line switch to do exactly this. >> >> >> Basically what I imagine is that (either by default or by passing the >> installer an option) the installer asks the user: >> >> What is the path to the old mailscanner install? >> >> Do you want to upgrade the old configuration? >> >> Do you want to keep your report/msg texts? >> >> I'm not sure if there could be more points, but it's possible. The ones I >> have outlined are the ones I would like to have automated. >> >> >> > I can't speak for Julian, but if you submit a diff to the install script, > Julian *might* consider it, since he usually seems open to at least LOOK at > proposed patches. > I look at them. I don't guarantee to agree with them :-) Jules -- Julian Field MEng CITP CEng www.MailScanner.info
From MailScanner at ecs.soton.ac.uk Thu Oct 9 10:27:11 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Oct 9 10:27:29 2008 Subject: Way OT: Cat Names In-Reply-To: References: <48E24865.8040702@trayerproducts.com> <48E37E93.60309@USherbrooke.ca> <48E5339A.9030809@vanderkooij.org> <027e01c924d4$621eeb70$265cc250$@swaney@fsl.com> Message-ID: <48EDCE6F.7040001@ecs.soton.ac.uk> Root and Cisco. They have both settled in nicely and are incredibly well behaved. They definitely are members of the "white hat" brigade so far :-) Andrew MacLachlan wrote: > So Jules - What did you call them in the end? > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info From max at assuredata.com Thu Oct 9 13:27:58 2008
From: max at assuredata.com (Max Kipness) Date: Thu Oct 9 13:28:08 2008 Subject: Mqueue.in just keeps growing... Message-ID: <11375BD8FE838A409E10DB32B9BFFE9B1225A8@addc01.assuredata.local> >Which SA are you using? >Have you done an sa-update to update the base SA rules? Just ran an sa-update. Doesn't seem to have made a difference. Version is: SpamAssassin version 3.2.4 running on Perl version 5.8.8 I don't think I'm running RBLs through SA, but I am running them through MailScanner. How would I check if they are being run through SA? Or would this be through default rules? Again, when I tail the maillog, I see tons of messages flash by, but most seem to be getting stopped as Spam now by Sendmail via the RBL rules I set up. So I think MailScanner is probably getting 50% less spam at this point. I'm not positive, but I would think it's the same amount of messages as before. Again this all started after a reboot. Thanks, Max From amoore at dekalbmemorial.com Thu Oct 9 13:51:33 2008 From: amoore at dekalbmemorial.com (Aaron K. Moore) Date: Thu Oct 9 13:51:44 2008 Subject: Mqueue.in just keeps growing... In-Reply-To: References: Message-ID: <60D398EB2DB948409CA1F50D8AF122570432FC6E@exch1.dekalbmemorial.local> Have you checked the status of any hardware or software based raid sets? Also, does the system have any devices that require a more recent driver? I have a couple of servers on which the stock kernel NIC driver has poor performance (ping times of 10 ms vs. 1 to 2 ms with the newer driver). I have to always rebuild and reinstall the driver after a kernel update. -- Aaron Kent Moore Information Technology Services DeKalb Memorial Hospital, Inc. Auburn, Indiana Phone: 260.920.2808 E-Mail: amoore@dekalbmemorial.com From jonas at vrt.dk Thu Oct 9 14:40:43 2008
From: jonas at vrt.dk (Jonas Akrouh Larsen) Date: Thu Oct 9 14:40:57 2008 Subject: Installer comments In-Reply-To: References: <003801c9287a$c299f2c0$47cdd840$@dk> Message-ID: <00b801c92a14$a0697c70$e13c7550$@dk> >>> The following are for those of us using the tarball way to install (I >>> run debian and their packages are oooold) >> >> Backports has some newer packages > >I'm trying to get to the point that I can help keep these up-to-date. >Really, mailscanner should be in the Debian "Volatile" archive, I >think. But before I can do this right, I need to get an autobuilder >set up, and that is proving "interesting". Since we run our scanners on Debian I would be very willing to help test any attempts at keeping the Debian packages relatively up2date with the MailScanner release cycles. And I do agree it should be in volatile. I can't help actually maintain and build the package, but as I said I would love to help test them. Med venlig hilsen / Best regards Jonas Akrouh Larsen TechBiz ApS Laplandsgade 4, 2. sal 2300 København S Office: 7020 0979 Direct: 3336 9974 Mobile: 5120 1096 Fax: 7020 0978 Web: www.techbiz.dk From campbell at cnpapers.com Thu Oct 9 14:47:57 2008
From: campbell at cnpapers.com (Steve Campbell) Date: Thu Oct 9 14:48:14 2008 Subject: OT Shared Imap folders/accounts Message-ID: <48EE0B8D.5050300@cnpapers.com> Not the place to ask, I'm sure, but maybe someone can point me to the proper place or page. I've googled a while, and only became more confused, as what I'd like to do is not technically a shared Imap account. What I've seen so far is that an email account is set up with different users being able to access this account. The "shared" part comes from a mailbox permission of 1777 and/or group rights. The policy here, for as long as I can remember, is to have one IMAP account and everyone access it with the same username and password. This causes corruption, as you might guess. Is it truly just file permissions or group access to a mailbox, or where should I turn to see the other magic that makes this work? I use a standard Centos 3 install. Thanks, and sorry for the bother of OT. Steve Campbell From MailScanner at ecs.soton.ac.uk Thu Oct 9 14:58:44 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Oct 9 14:59:03 2008 Subject: OT Shared Imap folders/accounts In-Reply-To: References: Message-ID: <48EE0E14.2040906@ecs.soton.ac.uk> A better IMAP server, such as cyrus-imapd, can do this for you with no problems. I use it here and have several shared IMAP mailboxes with no problems at all. Even Exchange could do this for you :) What are you trying to use at the moment? Steve Campbell wrote: > Not the place to ask, I'm sure, but maybe someone can point me to the > proper place or page. > > I've googled a while, and only became more confused, as what I'd like > to do is not technically a shared Imap account. What I've seen so far > is that an email account is set up with different users being able to > access this account. The "shared" part comes from a mailbox permission > of 1777 and/or group rights. > > The policy here, for as long as I can remember, is to have one IMAP > account and everyone access it with the same username and password. > This causes corruption, as you might guess. > > Is it truly just file permissions or group access to a mailbox, or > where should I turn to see the other magic that makes this work? I use > a standard Centos 3 install. > > Thanks, and sorry for the bother of OT. > > Steve Campbell > Jules -- Julian Field MEng CITP CEng www.MailScanner.info From list-mailscanner at linguaphone.com Thu Oct 9 15:02:52 2008
From: list-mailscanner at linguaphone.com (Gareth) Date: Thu Oct 9 15:07:57 2008 Subject: OT Shared Imap folders/accounts In-Reply-To: <48EE0E14.2040906@ecs.soton.ac.uk> References: <48EE0E14.2040906@ecs.soton.ac.uk> Message-ID: <1223560972.18283.19.camel@gblades-suse.linguaphone-intranet.co.uk> I second the suggestion of using Cyrus. The only slight difference you will see is that Cyrus will maintain the read status for each user individually so you will need to get people to move emails to subdirectories when they have dealt with them. On Thu, 2008-10-09 at 14:58, Julian Field wrote: > A better IMAP server, such as cyrus-imapd, can do this for you with no > problems. I use it here and have several shared IMAP mailboxes with no > problems at all. > > Even Exchange could do this for you :) > > What are you trying to use at the moment? > > Steve Campbell wrote: > > Not the place to ask, I'm sure, but maybe someone can point me to the > > proper place or page. > > > > I've googled a while, and only became more confused, as what I'd like > > to do is not technically a shared Imap account. What I've seen so far > > is that an email account is set up with different users being able to > > access this account. The "shared" part comes from a mailbox permission > > of 1777 and/or group rights. > > > > The policy here, for as long as I can remember, is to have one IMAP > > account and everyone access it with the same username and password. > > This causes corruption, as you might guess. > > > > Is it truly just file permissions or group access to a mailbox, or > > where should I turn to see the other magic that makes this work? I use > > a standard Centos 3 install. > > > > Thanks, and sorry for the bother of OT. > > > > Steve Campbell > > > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info
From campbell at cnpapers.com Thu Oct 9 15:24:12 2008 From: campbell at cnpapers.com (Steve Campbell) Date: Thu Oct 9 15:26:11 2008 Subject: OT Shared Imap folders/accounts In-Reply-To: <48EE0E14.2040906@ecs.soton.ac.uk> References: <48EE0E14.2040906@ecs.soton.ac.uk> Message-ID: <48EE140C.3060205@cnpapers.com> Julian Field wrote: > A better IMAP server, such as cyrus-imapd, can do this for you with no > problems. I use it here and have several shared IMAP mailboxes with no > problems at all. > > Even Exchange could do this for you :) > > What are you trying to use at the moment? > > Steve Campbell wrote: >> Not the place to ask, I'm sure, but maybe someone can point me to the >> proper place or page. >> >> I've googled a while, and only became more confused, as what I'd like >> to do is not technically a shared Imap account. What I've seen so far >> is that an email account is set up with different users being able to >> access this account. The "shared" part comes from a mailbox >> permission of 1777 and/or group rights. >> >> The policy here, for as long as I can remember, is to have one IMAP >> account and everyone access it with the same username and password. >> This causes corruption, as you might guess. >> >> Is it truly just file permissions or group access to a mailbox, or >> where should I turn to see the other magic that makes this work? I >> use a standard Centos 3 install. >> >> Thanks, and sorry for the bother of OT. >> >> Steve Campbell >> > > Jules > I'm not sure which Imap is installed. The rpm is named imap-2002d. I think this is UW imap, if I'm not mistaken. Steve From ecasarero at gmail.com Thu Oct 9 15:28:32 2008
From: ecasarero at gmail.com (Eduardo Casarero) Date: Thu Oct 9 15:28:41 2008 Subject: Mqueue.in just keeps growing... In-Reply-To: <11375BD8FE838A409E10DB32B9BFFE9B1225A7@addc01.assuredata.local> References: <11375BD8FE838A409E10DB32B9BFFE9B1225A7@addc01.assuredata.local> Message-ID: <7d9b3cf20810090728u38410324pc36466239ba067e3@mail.gmail.com> 2008/10/9 Max Kipness > >How's your caching dns performance? Have you updated spamassassin? > > >What additional rules or plugins are you running? -- > > > > Well I followed a lot of the suggestions for increasing performance, and > although MailScanner is working a little better, it still cannot keep up. > DNS performance is quick. I do not have the latest spamassassin version, but > based on the fact that most spam is being caught by Sendmail now (as > described below), I wouldn't think that is the problem. > > > > I added the greeting delay to sendmail, am now checking Spamcop and XBL at > Sendmail level, and although tons of spam is now being caught before getting > to MailScanner, my mqueue.in is at 30k, incoming is at a constant 180 and > now mqueue is hovering around 2k. Mail is coming through but way too slow. > Also, cpu is just pegged at 100% with several MailScanner processes, > Sendmail processes, and kblockd/0 and kblockd/1 splitting up all cpu. I'm > starting to wonder if after the reboot something has degraded my disk > performance and now there isn't enough cpu for MailScanner to handle the > number of messages coming in? > > > > I may have to resort to setting up MailScanner on another system at this > point. > > > > Thanks for all the suggestions, and if anyone has any other ideas, please > let me know. > > > milter-greylisting? milter-ahead? and milter-limit? all this helps a lotttt! at mta level. 
> Thanks, > > Max From campbell at cnpapers.com Thu Oct 9 15:30:02 2008
From: campbell at cnpapers.com (Steve Campbell) Date: Thu Oct 9 15:30:16 2008 Subject: OT Shared Imap folders/accounts In-Reply-To: <1223560972.18283.19.camel@gblades-suse.linguaphone-intranet.co.uk> References: <48EE0E14.2040906@ecs.soton.ac.uk> <1223560972.18283.19.camel@gblades-suse.linguaphone-intranet.co.uk> Message-ID: <48EE156A.3030404@cnpapers.com> Gareth wrote: > I second the suggestion of using Cyrus. > > The only slight difference you will see is that Cyrus will maintain the > read status for each user individually so you will need to get people to > move emails to subdirectories when they have dealt with them. > > On Thu, 2008-10-09 at 14:58, Julian Field wrote: > >> A better IMAP server, such as cyrus-imapd, can do this for you with no >> problems. I use it here and have several shared IMAP mailboxes with no >> problems at all. >> >> Even Exchange could do this for you :) >> >> What are you trying to use at the moment? >> >> Steve Campbell wrote: >> >>> Not the place to ask, I'm sure, but maybe someone can point me to the >>> proper place or page. >>> >>> I've googled a while, and only became more confused, as what I'd like >>> to do is not technically a shared Imap account. What I've seen so far >>> is that an email account is set up with different users being able to >>> access this account. The "shared" part comes from a mailbox permission >>> of 1777 and/or group rights. >>> >>> The policy here, for as long as I can remember, is to have one IMAP >>> account and everyone access it with the same username and password. >>> This causes corruption, as you might guess. >>> >>> Is it truly just file permissions or group access to a mailbox, or >>> where should I turn to see the other magic that makes this work? I use >>> a standard Centos 3 install. >>> >>> Thanks, and sorry for the bother of OT.
>>> >>> Steve Campbell >>> >>> >> Jules >> >> > When you say "move them to subdirectories", does that mean they need to manually deal with this, or does it do it for them and they just need to get used to the difference? I'll review the cyrus pages, but does anyone have experience in removing whatever I have and installing cyrus? I haven't searched yet for rpms, but imagine I'd do an rpm -e for the current. The nice thing about the one installed by default is it works out of the package, even with our horde/imp install, so I'd need to tread lightly to keep the natives from getting upset. I'm guessing from both of the replies that there is more to shared accounts than just permissions, then? Thanks steve From ka at pacific.net Thu Oct 9 15:52:40 2008
From: ka at pacific.net (Ken A) Date: Thu Oct 9 15:52:16 2008 Subject: OT Shared Imap folders/accounts In-Reply-To: <48EE140C.3060205@cnpapers.com> References: <48EE0E14.2040906@ecs.soton.ac.uk> <48EE140C.3060205@cnpapers.com> Message-ID: <48EE1AB8.8060707@pacific.net> Dovecot should be happy on Centos3. It'll handle simultaneous access, and shared mailboxes, or shared folders just fine. http://atrpms.net/dist/el3/dovecot-1.0.x/ should work, or grab the 1.1 version from dovecot.org and build it for a better feature set. See http://wiki.dovecot.org/Migration too. Ken Steve Campbell wrote: > > > Julian Field wrote: >> A better IMAP server, such as cyrus-imapd, can do this for you with no >> problems. I use it here and have several shared IMAP mailboxes with no >> problems at all. >> >> Even Exchange could do this for you :) >> >> What are you trying to use at the moment? >> >> Steve Campbell wrote: >>> Not the place to ask, I'm sure, but maybe someone can point me to the >>> proper place or page. >>> >>> I've googled a while, and only became more confused, as what I'd like >>> to do is not technically a shared Imap account. What I've seen so far >>> is that an email account is set up with different users being able to >>> access this account. The "shared" part comes from a mailbox >>> permission of 1777 and/or group rights. >>> >>> The policy here, for as long as I can remember, is to have one IMAP >>> account and everyone access it with the same username and password. >>> This causes corruption, as you might guess. >>> >>> Is it truly just file permissions or group access to a mailbox, or >>> where should I turn to see the other magic that makes this work? I >>> use a standard Centos 3 install. >>> >>> Thanks, and sorry for the bother of OT. >>> >>> Steve Campbell >>> >> >> Jules >> > I'm not sure which Imap is installed. The rpm is named imap-2002d. I > think this is UW imap, if I'm not mistaken.
> > Steve > -- Ken Anderson Pacific.Net From list-mailscanner at linguaphone.com Thu Oct 9 15:52:41 2008 
From: list-mailscanner at linguaphone.com (Gareth) Date: Thu Oct 9 15:53:17 2008 Subject: OT Shared Imap folders/accounts In-Reply-To: <48EE156A.3030404@cnpapers.com> References: <48EE0E14.2040906@ecs.soton.ac.uk> <1223560972.18283.19.camel@gblades-suse.linguaphone-intranet.co.uk> <48EE156A.3030404@cnpapers.com> Message-ID: <1223563961.18286.26.camel@gblades-suse.linguaphone-intranet.co.uk> Because it maintains read status for each user you will find if you give people their own email accounts and give them access to the shared folder then when one person reads the mail it will still show as unread for other users. Hence why the normal thing to do is create a subfolder people can drag the mail to when it has been dealt with. As far as installing it you will find that cyrus stores the mail as individual files within /var/spool/imap together with 2 or 3 index files. There is also a master database of all the mailbox folders on the system together with permissions. The upside of this is that it is very memory and processor efficient and can scale to a very large number of users. However it does make importing mails a bit of a pain. Having both IMAP servers installed on different ports and using Outlook/Thunderbird to move the mails between them is what I did the last time but there may well be automated scripts you can use if you have more users than I did. On Thu, 2008-10-09 at 15:30, Steve Campbell wrote: > Gareth wrote: > > I second the suggestion of using Cyrus. > > > > The only slight difference you will see is that Cyrus will maintain the > > read status for each user individually so you will need to get people to > > move emails to subdirectories when they have dealt with them. > > > > On Thu, 2008-10-09 at 14:58, Julian Field wrote: > > > >> A better IMAP server, such as cyrus-imapd, can do this for you with no > >> problems. I use it here and have several shared IMAP mailboxes with no > >> problems at all.
> >> > >> Even Exchange could do this for you :) > >> > >> What are you trying to use at the moment? > >> > >> Steve Campbell wrote: > >> > >>> Not the place to ask, I'm sure, but maybe someone can point me to the > >>> proper place or page. > >>> > >>> I've googled a while, and only became more confused, as what I'd like > >>> to do is not technically a shared Imap account. What I've seen so far > >>> is that an email account is set up with different users being able to > >>> access this account. The "shared" part comes from a mailbox permission > >>> of 1777 and/or group rights. > >>> > >>> The policy here, for as long as I can remember, is to have one IMAP > >>> account and everyone access it with the same username and password. > >>> This causes corruption, as you might guess. > >>> > >>> Is it truly just file permissions or group access to a mailbox, or > >>> where should I turn to see the other magic that makes this work? I use > >>> a standard Centos 3 install. > >>> > >>> Thanks, and sorry for the bother of OT. > >>> > >>> Steve Campbell > >>> > >>> > >> Jules > >> > >> > > > When you say "move them to subdirectories", does that mean they need to > manually deal with this, or does it do it for them and they just need to > get used to the difference? > > I'll review the cyrus pages, but does anyone have experience in removing > whatever I have and installing cyrus? I haven't searched yet for rpms, > but imagine I'd do an rpm -e for the current. > > The nice thing about the one installed by default is it works out of the > package, even with our horde/imp install, so I'd need to tread lightly > to keep the natives from getting upset. > > I'm guessing from both of the replies that there is more to shared > accounts than just permissions, then? > > Thanks > > steve From campbell at cnpapers.com Thu Oct 9 16:11:38 2008
From: campbell at cnpapers.com (Steve Campbell) Date: Thu Oct 9 16:11:51 2008 Subject: OT Shared Imap folders/accounts In-Reply-To: <48EE0B8D.5050300@cnpapers.com> References: <48EE0B8D.5050300@cnpapers.com> Message-ID: <48EE1F2A.5090307@cnpapers.com> Steve Campbell wrote: > Not the place to ask, I'm sure, but maybe someone can point me to the > proper place or page. > > I've googled a while, and only became more confused, as what I'd like > to do is not technically a shared Imap account. What I've seen so far > is that an email account is set up with different users being able to > access this account. The "shared" part comes from a mailbox permission > of 1777 and/or group rights. > > The policy here, for as long as I can remember, is to have one IMAP > account and everyone access it with the same username and password. > This causes corruption, as you might guess. > > Is it truly just file permissions or group access to a mailbox, or > where should I turn to see the other magic that makes this work? I use > a standard Centos 3 install. > > Thanks, and sorry for the bother of OT. > > Steve Campbell > Thanks for all the good ideas. I hope it's showing that I really wasn't aware how IMAP worked. And I wonder how I've got it working now. The confusing part is that I create normal pop3 accounts, and people access them through their client (and horde/imp) as IMAP and it seems to work. Of course, this might be where the corruption sometimes occurs. I'm still not sure whether I'm using UW or Courier, so I've got a lot of digging to do. Thanks again. Steve From Paul.Bijnens at xplanation.com Thu Oct 9 16:25:49 2008
From: Paul.Bijnens at xplanation.com (Paul Bijnens) Date: Thu Oct 9 16:26:00 2008 Subject: OT Shared Imap folders/accounts In-Reply-To: <48EE1F2A.5090307@cnpapers.com> References: <48EE0B8D.5050300@cnpapers.com> <48EE1F2A.5090307@cnpapers.com> Message-ID: <48EE227D.1000404@xplanation.com> On 2008-10-09 17:11, Steve Campbell wrote: > Thanks for all the good ideas. I hope it's showing that I really wasn't > aware how IMAP worked. And I wonder how I've got it working now. The > confusing part is that I create normal pop3 accounts, and people access > them through their client (and horde/imp) as IMAP and it seems to work. > Of course, this might be where the corruption sometimes occurs. > > I'm still not sure whether I'm using UW or Courier, so I've got a lot of > digging to do. I think the file format you choose to store the mails on the server has a large impact for the concurrent access by many users of the same folder. Make sure you use Maildir format and not the mbox format. -- Paul Bijnens, xplanation Technology Services Tel +32 16 397.511 Technologielaan 21 bus 2, B-3001 Leuven, BELGIUM Fax +32 16 397.512 http://www.xplanation.com/ email: Paul.Bijnens@xplanation.com *********************************************************************** * I think I've got the hang of it now: exit, ^D, ^C, ^\, ^Z, ^Q, ^^, * * F6, quit, ZZ, :q, :q!, M-Z, ^X^C, logoff, logout, close, bye, /bye, * * stop, end, F3, ~., ^]c, +++ ATH, disconnect, halt, abort, hangup, * * PF4, F20, ^X^X, :D::D, KJOB, F14-f-e, F8-e, kill -1 $$, shutdown, * * init 0, kill -9 1, Alt-F4, Ctrl-Alt-Del, AltGr-NumLock, Stop-A, ... * * ... "Are you sure?" ... YES ... Phew ... I'm out * *********************************************************************** From ka at pacific.net Thu Oct 9 16:28:59 2008
From: ka at pacific.net (Ken A) Date: Thu Oct 9 16:28:37 2008 Subject: OT Shared Imap folders/accounts In-Reply-To: <48EE1F2A.5090307@cnpapers.com> References: <48EE0B8D.5050300@cnpapers.com> <48EE1F2A.5090307@cnpapers.com> Message-ID: <48EE233B.10605@pacific.net> Steve Campbell wrote: > > > Steve Campbell wrote: >> Not the place to ask, I'm sure, but maybe someone can point me to the >> proper place or page. >> >> I've googled a while, and only became more confused, as what I'd like >> to do is not technically a shared Imap account. What I've seen so far >> is that an email account is set up with different users being able to >> access this account. The "shared" part comes from a mailbox permission >> of 1777 and/or group rights. >> >> The policy here, for as long as I can remember, is to have one IMAP >> account and everyone access it with the same username and password. >> This causes corruption, as you might guess. >> >> Is it truly just file permissions or group access to a mailbox, or >> where should I turn to see the other magic that makes this work? I use >> a standard Centos 3 install. >> >> Thanks, and sorry for the bother of OT. >> >> Steve Campbell >> > > Thanks for all the good ideas. I hope it's showing that I really wasn't > aware how IMAP worked. And I wonder how I've got it working now. The > confusing part is that I create normal pop3 accounts, and people access > them through their client (and horde/imp) as IMAP and it seems to work. > Of course, this might be where the corruption sometimes occurs. > The pop3 rfc doesn't allow simultaneous access, so if you have pop3 clients, and your pop server isn't locking out other pop3 or imap clients, you _will_ have corrupted mail spools. Ken > I'm still not sure whether I'm using UW or Courier, so I've got a lot of > digging to do. > > Thanks again. > > Steve > -- Ken Anderson Pacific.Net From ssilva at sgvwater.com Thu Oct 9 17:14:48 2008
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Oct 9 17:15:09 2008 Subject: OT Shared Imap folders/accounts In-Reply-To: <48EE1F2A.5090307@cnpapers.com> References: <48EE0B8D.5050300@cnpapers.com> <48EE1F2A.5090307@cnpapers.com> Message-ID: on 10-9-2008 8:11 AM Steve Campbell spake the following: > > > Steve Campbell wrote: >> Not the place to ask, I'm sure, but maybe someone can point me to the >> proper place or page. >> >> I've googled a while, and only became more confused, as what I'd like >> to do is not technically a shared Imap account. What I've seen so far >> is that an email account is set up with different users being able to >> access this account. The "shared" part comes from a mailbox permission >> of 1777 and/or group rights. >> >> The policy here, for as long as I can remember, is to have one IMAP >> account and everyone access it with the same username and password. >> This causes corruption, as you might guess. >> >> Is it truly just file permissions or group access to a mailbox, or >> where should I turn to see the other magic that makes this work? I use >> a standard Centos 3 install. >> >> Thanks, and sorry for the bother of OT. >> >> Steve Campbell >> > > Thanks for all the good ideas. I hope it's showing that I really wasn't > aware how IMAP worked. And I wonder how I've got it working now. The > confusing part is that I create normal pop3 accounts, and people access > them through their client (and horde/imp) as IMAP and it seems to work. > Of course, this might be where the corruption sometimes occurs. > > I'm still not sure whether I'm using UW or Courier, so I've got a lot of > digging to do. > CentOS 3 came with UWImap standard, and I remember it being a poor performer. I also would recommend dovecot just for the fact that it should give you the shortest down time during the conversion. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!!

From ssilva at sgvwater.com Thu Oct 9 17:20:20 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Oct 9 17:20:39 2008
Subject: Installer comments
In-Reply-To: <48EDCE26.8000906@ecs.soton.ac.uk>
References: <003801c9287a$c299f2c0$47cdd840$@dk> <48EDCE26.8000906@ecs.soton.ac.uk>
Message-ID:

on 10-9-2008 2:25 AM Julian Field spake the following:
>
>
> Scott Silva wrote:
>>
>>
>>> It would be super if the installer could do this for you somehow,
>>> basically ask if it should look for the old directory and copy over old
>>> files somehow.
>>>
>>> This is also true for the old configuration. I assume that most people
>>> who upgrade will want to run the upgrade_conf script on their old
>>> configuration to create an up2date configuration file.
>>>
>>> This could also (in a simple way I think) be done by the installer.
>>>
>>>
>>
>> This is also debatable, as some people with heavily commented conf
>> files do not run the upgrade_mailscanner_conf script because it removes
>> all their comments, but run a diff and fix it themselves.
>>
> There is a "keep-comments" command-line switch to do exactly this.
>

But doesn't "keep-comments" switch then leave out anything you might have added? Which means you either get any comments that Julian has added, or you get to keep your own, but not both?

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From ssilva at sgvwater.com Thu Oct 9 17:23:47 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Oct 9 17:25:11 2008
Subject: How to prevent these
In-Reply-To: <006b01c929eb$bb8c0960$32a41c20$@ie>
References: <006701c92924$2374abe0$6a5e03a0$@ie> <48ED96D0.3010701@vanderkooij.org> <006b01c929eb$bb8c0960$32a41c20$@ie>
Message-ID:

on 10-9-2008 1:47 AM Mail Admin spake the following:
> Is there such a thing in SendMail
>

I don't think so in stock sendmail. It was written back when the internet was a safer place to play. But there are milters that can do just about anything with sendmail. I know that if you have some perl coding skills, you can make mimedefang do just about everything you can think of short of feed the cat and clean the litterbox. There are probably other choices out there as well.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From ssilva at sgvwater.com Thu Oct 9 17:26:29 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Oct 9 17:30:11 2008
Subject: Recommendations for secondary virus scanner
In-Reply-To: <48EDCC08.3010004@photobox.com>
References: <48EC7FB4.1050806@photobox.com> <48EC8B36.3010206@alexb.ch> <48ECAC7F.4000301@photobox.com> <48EDCC08.3010004@photobox.com>
Message-ID:

on 10-9-2008 2:16 AM Ben Tisdall spake the following:
> Ben Tisdall wrote:
>> Alex Broens wrote:
>>> F-Prot = fast, affordable, atm: good detection rates.
>>> GData & Avira are doing very well as well - you'll have to check pricing.
>>>
>
> I'm confused by this whole 'licensing' thing (I normally leave that to
> the Windows admin sitting opposite me :)
>
> In general (and with F-prot in particular) is it necessary to use the
> 'mailserver' editions of these products? from a licensing standpoint?
>
> From a technical standpoint I assume MS would do just as well with the
> workstation version.
>

Mailscanner only needs a commandline scanner. How the different companies decide to charge you is totally up to them and their need for cashflow.

Since you have a windows admin, have him check if you get a linux command line scanner license included with any desktop virus scanners you purchase.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From alex at rtpty.com Thu Oct 9 17:32:57 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Thu Oct 9 17:33:11 2008
Subject: Mqueue.in just keeps growing...
In-Reply-To: <11375BD8FE838A409E10DB32B9BFFE9B1225A7@addc01.assuredata.local>
References: <11375BD8FE838A409E10DB32B9BFFE9B1225A7@addc01.assuredata.local>
Message-ID: <67A0D6E3-E80D-4ED7-B741-2750F0F09538@rtpty.com>

I've heard of spamassassin bugs hitting people in the past, with scanning speed being one of the places where you can tell something's wrong.

On Oct 9, 2008, at 1:58 AM, Max Kipness wrote:

> . I do not have the latest spamassassin version, but based on the
> fact that most spam is being caught by Sendmail now (as described
> below), I wouldn't think that is the problem.

From ms-list at alexb.ch Thu Oct 9 17:36:53 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Thu Oct 9 17:37:07 2008
Subject: Recommendations for secondary virus scanner
In-Reply-To:
References: <48EC7FB4.1050806@photobox.com> <48EC8B36.3010206@alexb.ch> <48ECAC7F.4000301@photobox.com> <48EDCC08.3010004@photobox.com>
Message-ID: <48EE3325.50202@alexb.ch>

On 10/9/2008 6:26 PM, Scott Silva wrote:
> on 10-9-2008 2:16 AM Ben Tisdall spake the following:
>> Ben Tisdall wrote:
>>> Alex Broens wrote:
>>>> F-Prot = fast, affordable, atm: good detection rates.
>>>> GData & Avira are doing very well as well - you'll have to check pricing.
>>>>
>> I'm confused by this whole 'licensing' thing (I normally leave that to
>> the Windows admin sitting opposite me :)
>>
>> In general (and with F-prot in particular) is it necessary to use the
>> 'mailserver' editions of these products? from a licensing standpoint?
>>
>> From a technical standpoint I assume MS would do just as well with the
>> workstation version.
>>
> Mailscanner only needs a commandline scanner. How the different companies
> decide to charge you is totally up to them and their need for cashflow.
>
> Since you have a windows admin, have him check if you get a linux command line
> scanner license included with any desktop virus scanners you purchase.

f-prot for linux server has a daemon which is amazingly fast.
If you use the commandline version (included) it's a hog compared to the daemon.

Caveat: The daemon version has a stream limit pretty much like clamd.
If you feed it a 30 MB msg via stream it will stick its tongue out and laugh at you.

Alex

From alex at rtpty.com Thu Oct 9 17:39:24 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Thu Oct 9 17:39:41 2008
Subject: How to prevent these
In-Reply-To: <006b01c929eb$bb8c0960$32a41c20$@ie>
References: <006701c92924$2374abe0$6a5e03a0$@ie> <48ED96D0.3010701@vanderkooij.org> <006b01c929eb$bb8c0960$32a41c20$@ie>
Message-ID: <51182337-DA93-4885-A1E8-1ADE25BD153E@rtpty.com>

There may be a milter. Google around and you'll probably find it - although it's generally not a good idea to filter by subject alone, only in very specific cases.

On Oct 9, 2008, at 3:47 AM, Mail Admin wrote:

> Is there such a thing in SendMail

From alex at rtpty.com Thu Oct 9 17:42:02 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Thu Oct 9 17:42:16 2008
Subject: OT Shared Imap folders/accounts
In-Reply-To: <48EE0B8D.5050300@cnpapers.com>
References: <48EE0B8D.5050300@cnpapers.com>
Message-ID:

It *should* work - unless you're using ancient versions of whatever IMAP service you're using. Are you using dovecot? What kind of file locking are you using?

On Oct 9, 2008, at 8:47 AM, Steve Campbell wrote:

> Is it truly just file permissions or group access to a mailbox, or
> where should I turn to see the other magic that makes this work? I
> use a standard Centos 3 install.

From alex at rtpty.com Thu Oct 9 17:45:52 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Thu Oct 9 17:46:21 2008
Subject: OT Shared Imap folders/accounts
In-Reply-To: <48EE1F2A.5090307@cnpapers.com>
References: <48EE0B8D.5050300@cnpapers.com> <48EE1F2A.5090307@cnpapers.com>
Message-ID: <309FDFF8-B569-4B70-9F14-4777998B6CBE@rtpty.com>

There's no such thing as "normal pop3 accounts" with your setup. There's system user accounts, which have mail, which can be read with both POP3 and IMAP. POP3 access by any one of them at the same time as the multiple IMAP users with such ancient software almost *guarantees* corruption.

On Oct 9, 2008, at 10:11 AM, Steve Campbell wrote:

> The confusing part is that I create normal pop3 accounts, and people
> access them through their client (and horde/imp) as IMAP and it
> seems to work.

From Kevin_Miller at ci.juneau.ak.us Thu Oct 9 17:48:35 2008
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Thu Oct 9 17:48:46 2008
Subject: Mqueue.in just keeps growing...
In-Reply-To: <11375BD8FE838A409E10DB32B9BFFE9B1225A7@addc01.assuredata.local>
References: <11375BD8FE838A409E10DB32B9BFFE9B1225A7@addc01.assuredata.local>
Message-ID:

>Well I followed a lot of the suggestions for increasing
>performance, and although MailScanner is working a little
>better, it still cannot keep up. DNS performance is quick.

Have you taken a look at your memory footprint? I.e., are you swapping a lot? Might be as simple as adding more RAM...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907) 586-4500

From lars+lister.mailscanner at adventuras.no Thu Oct 9 17:58:58 2008
From: lars+lister.mailscanner at adventuras.no (Lars Kristiansen)
Date: Thu Oct 9 17:59:34 2008
Subject: OT Shared Imap folders/accounts
In-Reply-To: <1223563961.18286.26.camel@gblades-suse.linguaphone-intranet.co.uk>
References: <48EE0E14.2040906@ecs.soton.ac.uk> <1223560972.18283.19.camel@gblades-suse.linguaphone-intranet.co.uk> <48EE156A.3030404@cnpapers.com> <1223563961.18286.26.camel@gblades-suse.linguaphone-intranet.co.uk>
Message-ID: <48EE3852.9090200@adventuras.no>

Gareth wrote:

> Because it maintains read status for each user you will find if you give

FYI: cyrus-imapd got sharedseen available as mailbox metadata now. Have a look at man cyradm. Example:

mboxcfg user.gareth* sharedseen true

> Having both IMAP servers installed on different ports and using
> Outlook/Thunderbird to move the mails between them is what I did the
> last time but there may well be automated scripts you can use if you
> have more users than I did.

imapsync has worked great for me, that means small migrations. It has a lot of options, so test runs might be wise.

Best Regards,
Lars

From rpoe at plattesheriff.org Thu Oct 9 18:09:40 2008
From: rpoe at plattesheriff.org (Rob Poe)
Date: Thu Oct 9 18:10:08 2008
Subject: Announcing the new FSL MailScanner Beta yum repository
In-Reply-To: <48ED2E7E.9050900@fsl.com>
References: <48D25F6A.4090906@ecs.soton.ac.uk> <48EC95BF020000A2000098FF@platteco-2.plattesheriff.org> <48ED2E7E.9050900@fsl.com>
Message-ID: <48EDF484020000A2000099A9@platteco-2.plattesheriff.org>

>>> Stephen Swaney 10/8/2008 5:04 PM >>>
Scott Silva wrote:
> on 10-8-2008 9:13 AM Rob Poe spake the following:
>
>> Does this mean that the existing method of installing MailScanner (i.e.
>> going to mailscanner.info / downloading the installer for MailScanner)
>> is going away?
>>
>>

I truly believe that MailScanner, the open source version, can increase its market share by having the option of paid support. I know this because our paying clients tell us so. Most of our larger sites feel that having their MailScanner systems maintained and supported by professionals who keep very up to date on MailScanner and the related applications - actually saves them money. I think it's just good to have options and one of them will always be FSL and various support options.

------------------

Thank you for clearing that up - I was confused - but that happens more often, more and more.

(disclaimer: I can see a good reason to become a paying customer)

From alex at rtpty.com Thu Oct 9 18:13:35 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Thu Oct 9 18:13:50 2008
Subject: Mqueue.in just keeps growing...
In-Reply-To:
References: <11375BD8FE838A409E10DB32B9BFFE9B1225A7@addc01.assuredata.local>
Message-ID:

And if you have (or get) a lot of RAM, putting stuff on tmpfs is also something worth trying...

On Oct 9, 2008, at 11:48 AM, Kevin Miller wrote:

> Might be as simple as adding more RAM...

From richard.frovarp at sendit.nodak.edu Thu Oct 9 18:17:15 2008
From: richard.frovarp at sendit.nodak.edu (Richard Frovarp)
Date: Thu Oct 9 18:17:29 2008
Subject: OT Shared Imap folders/accounts
In-Reply-To: <48EE140C.3060205@cnpapers.com>
References: <48EE0E14.2040906@ecs.soton.ac.uk> <48EE140C.3060205@cnpapers.com>
Message-ID: <48EE3C9B.9060602@sendit.nodak.edu>

Steve Campbell wrote:
>
>
> I'm not sure which Imap is installed. The rpm is named imap-2002d. I
> think this is UW imap, if I'm not mistaken.
>
> Steve
>

That's UW. We're running 2004g here. I know I can leave Thunderbird running on two machines at the same time and not have issues. I've also had Thunderbird running while using Squirrelmail without corruption. However, I am only actively using one, the other connection would just be doing the 5 or 10 minute update checks. UW has worked just fine for us using mbx.

From campbell at cnpapers.com Thu Oct 9 18:23:40 2008
From: campbell at cnpapers.com (Steve Campbell)
Date: Thu Oct 9 18:24:00 2008
Subject: OT Shared Imap folders/accounts
In-Reply-To: <309FDFF8-B569-4B70-9F14-4777998B6CBE@rtpty.com>
References: <48EE0B8D.5050300@cnpapers.com> <48EE1F2A.5090307@cnpapers.com> <309FDFF8-B569-4B70-9F14-4777998B6CBE@rtpty.com>
Message-ID: <48EE3E1C.9070907@cnpapers.com>

Alex Neuman van der Hans wrote:
> There's no such thing as "normal pop3 accounts" with your setup.
> There's system user accounts, which have mail, which can be read with
> both POP3 and IMAP. POP3 access by any one of them at the same time as
> the multiple IMAP users with such ancient software almost
> *guarantees* corruption.
>
> On Oct 9, 2008, at 10:11 AM, Steve Campbell wrote:
>
>> The confusing part is that I create normal pop3 accounts, and people
>> access them through their client (and horde/imp) as IMAP and it
>> seems to work.
>

I've always referred to most of these accounts, or at least the owners of these accounts, as abnormal, so yes you're absolutely right. You're also right in pointing out these are normal system user accounts, with home directories and mboxes in /var/spool/mail.

The corruption issue is so minimal, that I've never really looked for a permanent, real solution. For the most part, only one use is responsible for "cleaning" up the mailbox, but sometimes, somebody gets a little key-happy.

As Scott suggested also, Dovecot looks most promising.

Thanks loads.

steve

From campbell at cnpapers.com Thu Oct 9 18:57:59 2008
From: campbell at cnpapers.com (Steve Campbell)
Date: Thu Oct 9 18:58:29 2008
Subject: OT Shared Imap folders/accounts
In-Reply-To: <48EE3C9B.9060602@sendit.nodak.edu>
References: <48EE0E14.2040906@ecs.soton.ac.uk> <48EE140C.3060205@cnpapers.com> <48EE3C9B.9060602@sendit.nodak.edu>
Message-ID: <48EE4627.4000006@cnpapers.com>

Richard Frovarp wrote:
> Steve Campbell wrote:
>>
>>
>> I'm not sure which Imap is installed. The rpm is named imap-2002d. I
>> think this is UW imap, if I'm not mistaken.
>>
>> Steve
>>
> That's UW. We're running 2004g here. I know I can leave Thunderbird
> running on two machines at the same time and not have issues. I've
> also had Thunderbird running while using Squirrelmail without
> corruption. However, I am only actively using one, the other
> connection would just be doing the 5 or 10 minute update checks. UW
> has worked just fine for us using mbx.

We run something similar, as I was referring to in a prior email (except I said "one use" instead of "one user"). All but one user per shift is supposed to be using this in read-only mode. Only that one special user is supposed to delete files. The account is sort of like a dropbox for work orders. Once the email has been taken care of, they log it on another system, and go fetch another. Periodically, expired orders get removed.

I was a little surprised that there is a real difference in how IMAP clients handle these system user accounts. As I said earlier, I use Horde/Imp as a webmail application, and it accesses these POP accounts just fine in an IMAP-type web page. Imp does use a database, but not so much for the normal IMAP-related db functions as for its own functions. There is a similar set of applications that I saw for cyrus which mimics the addressbook and so forth.

Again thanks for all the feedback. I'm being well educated here as usual.

steve

From spamlists at coders.co.uk Thu Oct 9 22:20:42 2008
From: spamlists at coders.co.uk (Matt)
Date: Thu Oct 9 22:21:24 2008
Subject: Mqueue.in just keeps growing...
In-Reply-To:
References: <11375BD8FE838A409E10DB32B9BFFE9B1225A7@addc01.assuredata.local>
Message-ID: <48EE75AA.2020109@coders.co.uk>

Alex Neuman van der Hans wrote:
> And if you have (or get) a lot of RAM, putting stuff on tmpfs is also
> something worth trying...
>
> On Oct 9, 2008, at 11:48 AM, Kevin Miller wrote:
>
>> Might be as simple as adding more RAM...
>

Try SA 3.2.5 - it is quicker.

From ka at pacific.net Thu Oct 9 22:54:17 2008
From: ka at pacific.net (Ken A)
Date: Thu Oct 9 22:53:53 2008
Subject: How to prevent these
In-Reply-To: <51182337-DA93-4885-A1E8-1ADE25BD153E@rtpty.com>
References: <006701c92924$2374abe0$6a5e03a0$@ie> <48ED96D0.3010701@vanderkooij.org> <006b01c929eb$bb8c0960$32a41c20$@ie> <51182337-DA93-4885-A1E8-1ADE25BD153E@rtpty.com>
Message-ID: <48EE7D89.1050601@pacific.net>

Alex Neuman van der Hans wrote:
> There may be a milter. Google around and you'll probably find it -
> although it's generally not a good idea to filter by subject alone, only
> in very specific cases.
>
> On Oct 9, 2008, at 3:47 AM, Mail Admin wrote:
>
>> Is there such a thing in SendMail
>

http://www.benzedrine.cx/milter-regex.html works nicely for things like this if you absolutely never want mail with koi8-r in the subject line:

reject "no koi8-r allowed here"
header /^Subject$/ /koi8-r/i

(not tested)

Ken

--
Ken Anderson
Pacific.Net

From nwp at nz.lemon-computing.com Fri Oct 10 00:12:41 2008
From: nwp at nz.lemon-computing.com (Nick Phillips)
Date: Fri Oct 10 00:12:57 2008
Subject: =?iso-8859-1?q?Re=3A_na=EFve_koi8-r_regexp_a_bad_idea?=
In-Reply-To: <48EE7D89.1050601@pacific.net>
References: <006701c92924$2374abe0$6a5e03a0$@ie> <48ED96D0.3010701@vanderkooij.org> <006b01c929eb$bb8c0960$32a41c20$@ie> <51182337-DA93-4885-A1E8-1ADE25BD153E@rtpty.com> <48EE7D89.1050601@pacific.net>
Message-ID:

On 10/10/2008, at 10:54 AM, Ken A wrote:

> Alex Neuman van der Hans wrote:
>> There may be a milter. Google around and you'll probably find it -
>> although it's generally not a good idea to filter by subject alone,
>> only in very specific cases.
>> On Oct 9, 2008, at 3:47 AM, Mail Admin wrote:
>>> Is there such a thing in SendMail
>
> http://www.benzedrine.cx/milter-regex.html works nicely for things
> like this if you absolutely never want mail with koi8-r in the
> subject line:
>
> reject "no koi8-r allowed here"
> header /^Subject$/ /koi8-r/i
>
> (not tested)

Oops.

Cheers,
Nick

From alex at rtpty.com Fri Oct 10 01:10:11 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Fri Oct 10 01:10:25 2008
Subject: Mqueue.in just keeps growing...
In-Reply-To: <48EE75AA.2020109@coders.co.uk>
References: <11375BD8FE838A409E10DB32B9BFFE9B1225A7@addc01.assuredata.local> <48EE75AA.2020109@coders.co.uk>
Message-ID:

And by quicker I think he means lots quicker ;-)

On Oct 9, 2008, at 4:20 PM, Matt wrote:

> Try SA 3.2.5 - it is quicker.

--

From hvdkooij at vanderkooij.org Fri Oct 10 06:21:18 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Fri Oct 10 06:21:27 2008
Subject: How to prevent these
In-Reply-To: <48EE7D89.1050601@pacific.net>
References: <006701c92924$2374abe0$6a5e03a0$@ie> <48ED96D0.3010701@vanderkooij.org> <006b01c929eb$bb8c0960$32a41c20$@ie> <51182337-DA93-4885-A1E8-1ADE25BD153E@rtpty.com> <48EE7D89.1050601@pacific.net>
Message-ID: <48EEE64E.3020104@vanderkooij.org>

Ken A wrote:
> Alex Neuman van der Hans wrote:
>> There may be a milter. Google around and you'll probably find it -
>> although it's generally not a good idea to filter by subject alone,
>> only in very specific cases.
>>
>> On Oct 9, 2008, at 3:47 AM, Mail Admin wrote:
>>
>>> Is there such a thing in SendMail
>>
>
> http://www.benzedrine.cx/milter-regex.html works nicely for things like
> this if you absolutely never want mail with koi8-r in the subject line:
>
> reject "no koi8-r allowed here"
> header /^Subject$/ /koi8-r/i

I would use /\?koi8-r\?/i there. I have not yet seen false positives.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

From email at ace.net.au Fri Oct 10 09:16:46 2008
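
The two Subject patterns from the "How to prevent these" thread, compared against a strict RFC 2047 encoded-word parse. This is an added example, not code from any poster: Python's `re` stands in for milter-regex's matcher, the filter is assumed to see the raw, still-encoded header value, and every sample subject is constructed except `thread_reply`, which is the Subject line of Nick Phillips's reply. The strict parser and the RFC 2231 language-tag case go beyond what the thread discusses.

```python
import re

# Value patterns quoted in the thread, written in Python `re` syntax.
NAIVE = re.compile(r"koi8-r", re.IGNORECASE)          # /koi8-r/i
ANCHORED = re.compile(r"\?koi8-r\?", re.IGNORECASE)   # /\?koi8-r\?/i

# RFC 2047 encoded-word:  =?charset?encoding?text?=
# RFC 2231 adds an optional language tag:  =?charset*lang?encoding?text?=
ENCODED_WORD = re.compile(r"=\?([^?*\s]+)(?:\*[^?\s]*)?\?[BbQq]\?[^?\s]*\?=")

# Raw Subject values as a filter would see them (constructed samples).
SAMPLES = {
    "koi8_word": "=?koi8-r?B?8NLJ18XUIQ==?=",
    # Subject header of the reply in this thread: iso-8859-1 encoded,
    # with "koi8-r" appearing only as ordinary text.
    "thread_reply": "=?iso-8859-1?q?Re=3A_na=EFve_koi8-r_regexp_a_bad_idea?=",
    "plain_ascii": "Converting a koi8-r archive to UTF-8",
    "lang_tagged": "=?KOI8-R*ru?B?8NLJ18XUIQ==?=",
    "literal_marks": "What does ?koi8-r? mean in a header",
    "unrelated": "Invoice 2008-10",
}


def declared_charsets(raw_subject):
    """Charsets actually declared by encoded-words in the raw header value."""
    return {m.group(1).lower() for m in ENCODED_WORD.finditer(raw_subject)}


def evaluate(raw_subject, charset="koi8-r"):
    """Run both thread patterns and the strict parse on one header value."""
    return {
        "naive": bool(NAIVE.search(raw_subject)),
        "anchored": bool(ANCHORED.search(raw_subject)),
        "declared": charset in declared_charsets(raw_subject),
    }


def audit(samples):
    """List where each pattern disagrees with the strict parse."""
    report = {
        "naive": {"false_pos": [], "false_neg": []},
        "anchored": {"false_pos": [], "false_neg": []},
    }
    for name, raw in samples.items():
        verdict = evaluate(raw)
        for rule in ("naive", "anchored"):
            if verdict[rule] and not verdict["declared"]:
                report[rule]["false_pos"].append(name)
            elif verdict["declared"] and not verdict[rule]:
                report[rule]["false_neg"].append(name)
    return report


if __name__ == "__main__":
    for rule, result in audit(SAMPLES).items():
        print(rule, result)
```

The naive pattern rejects any message that merely mentions the charset, including the reply that pointed this out; the anchored pattern removes those hits but still depends on the exact `?koi8-r?` byte sequence.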
From: email at ace.net.au (Peter Nitschke)
Date: Fri Oct 10 09:17:10 2008
Subject: Mqueue.in just keeps growing...
In-Reply-To: <11375BD8FE838A409E10DB32B9BFFE9B1225A7@addc01.assuredata.local>
References: <11375BD8FE838A409E10DB32B9BFFE9B1225A7@addc01.assuredata.local>
Message-ID: <200810101846460611.1CB206A4@web.ace.net.au>

Bottom line is that you are being hammered.

Temporarily block port 25 until you can get the mess cleaned out.

Reduce the number of MS children as it sounds like you may have too many, also reduce the number of mails per scan. That's part of your high load problem.

Add or adjust these in sendmail.mc

define(`confQUEUE_LA',`3')dnl
define(`confREFUSE_LA',`3')dnl
define(`confTO_IDENT', `0')dnl
define(`confTO_INITIAL', `2m')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTO_ACONNECT', `2m')dnl
define(`confTO_ICONNECT', `1m')dnl
define(`confTO_HELO', `1m')dnl
define(`confTO_MAIL', `1m')dnl
define(`confTO_RCPT', `1m')dnl
define(`confTO_DATAINIT', `2m')dnl
define(`confTO_DATABLOCK', `2m')dnl
define(`confTO_DATAFINAL', `2m')dnl
define(`confTO_RSET', `1m')dnl
define(`confTO_QUIT', `1m')dnl
define(`confTO_MISC', `1m')dnl
define(`confTO_COMMAND', `1m')dnl
define(`confTO_CONTROL', `1m')dnl
define(`confTO_LHLO', `1m')dnl
define(`confMAX_DAEMON_CHILDREN',`50')dnl
define(`confCONNECTION_RATE_THROTTLE',`20')dnl
define(`confBAD_RCPT_THROTTLE',`2')dnl
FEATURE(`conncontrol', ,`terminate')dnl
FEATURE(`dnsbl', `bl.spamcop.net', `"Rejected "$&{client_addr}" by bl.spamcop.net"')dnl
FEATURE(`dnsbl', `zen.spamhaus.org',`"Rejected "$&{client_addr}" by zen.spamhaus.org"')dnl

Add this to /etc/mail/access

ClientConn: 4
ClientRate: 10
ClientRate:127.0.0.1 0

Then run "make -C /etc/mail"

Restart MailScanner.

This stuff protects my server very well.

Peter

*********** REPLY SEPARATOR ***********

On 9/10/2008 at 1:58 AM Max Kipness wrote:

>>How's your caching dns performance? Have you updated spamassassin?
>
>>What additional rules or plugins are you running?
--
>
>
>
>Well I followed a lot of the suggestions for increasing performance, and
>although MailScanner is working a little better, it still cannot keep
>up. DNS performance is quick. I do not have the latest spamassassin
>version, but based on the fact that most spam is being caught by
>Sendmail now (as described below), I wouldn't think that is the problem.
>
>
>
>I added the greeting delay to sendmail, am now checking Spamcop and XBL
>at Sendmail level, and although tons of spam is now being caught before
>getting to MailScanner, my mqueue.in is at 30k, incoming is at a
>constant 180 and now mqueue is hovering around 2k. Mail is coming
>through but way too slow. Also, cpu is just pegged at 100% with several
>MailScanner processes, Sendmail processes, and kblockd/0 and kblockd/1
>splitting up all cpu. I'm starting to wonder if after the reboot
>something has degraded my disk performance and now there isn't enough
>cpu for MailScanner to handle the number of messages coming in?
>
>
>
>I may have to resort to setting up MailScanner on another system at this
>point.
>
>
>
>Thanks for all the suggestions, and if anyone has any other ideas,
>please let me know.
>
>
>
>Thanks,
>
>Max

From ben.tisdall at photobox.com Fri Oct 10 09:27:30 2008
From: ben.tisdall at photobox.com (Ben Tisdall)
Date: Fri Oct 10 09:27:42 2008
Subject: Recommendations for secondary virus scanner
In-Reply-To: <48EE3325.50202@alexb.ch>
References: <48EC7FB4.1050806@photobox.com> <48EC8B36.3010206@alexb.ch> <48ECAC7F.4000301@photobox.com> <48EDCC08.3010004@photobox.com> <48EE3325.50202@alexb.ch>
Message-ID: <48EF11F2.5060701@photobox.com>

Alex Broens wrote:
>>
>> Since you have a windows admin, have him check if you get a linux
>> command line
>> scanner license included with any desktop virus scanners you purchase.
>
> f-prot for linux server has a daemon which is amazingly fast.
> If you use the commandline version (included) it's a hog compared to the
> daemon.
>
> Caveat: The daemon version has a stream limit pretty much like clamd.
> If you feed it a 30 MB msg via stream it will stick its tongue out and
> laugh at you.
>

Thanks, our MTA doesn't allow messages of that size. Anyone trying to send a 30MB email deserves no sympathy!

Thanks for your help Alex & everyone else that contributed to the thread.

--
Ben Tisdall
Linux Systems Administrator | www.photobox.com

From tgc at statsbiblioteket.dk Fri Oct 10 10:32:01 2008
From: tgc at statsbiblioteket.dk (Tom G. Christensen)
Date: Fri Oct 10 10:32:11 2008
Subject: OT Shared Imap folders/accounts
In-Reply-To: <48EE0E14.2040906@ecs.soton.ac.uk>
References: <48EE0E14.2040906@ecs.soton.ac.uk>
Message-ID: <48EF2111.5090104@statsbiblioteket.dk>

Julian Field wrote:
> Even Exchange could do this for you :)
>

Are you sure? It's not working so well here with Exchange 2007. Multiple clients accessing the same IMAP mailbox is definitely causing problems in my experience. It also has major problems with keeping the IMAP and MAPI (outlook) views in sync.

Having recently converted to Exchange 2007 from an old SunONE installation I must say it's much much worse than I imagined :(

-tgc

From martinh at solidstatelogic.com Fri Oct 10 10:43:44 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Fri Oct 10 10:43:56 2008
Subject: OT Shared Imap folders/accounts
In-Reply-To: <48EF2111.5090104@statsbiblioteket.dk>
Message-ID:

Heh...I always say Outlook and MS-exch tolerate imap rather than support it :-)

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Tom G. Christensen
> Sent: 10 October 2008 10:32
> To: MailScanner discussion
> Subject: Re: OT Shared Imap folders/accounts
>
> Julian Field wrote:
> > Even Exchange could do this for you :)
> >
> Are you sure? It's not working so well here with Exchange 2007.
> Multiple clients accessing the same IMAP mailbox is
> definitely causing problems in my experience. It also has
> major problems with keeping the IMAP and MAPI (outlook) views in sync.
> Having recently converted to Exchange 2007 from an old SunONE
> installation I must say it's much much worse than I imagined :(
>
> -tgc

From Robert.Meurlin at se.fujitsu.com Fri Oct 10 11:57:50 2008
From: Robert.Meurlin at se.fujitsu.com (Meurlin Robert)
Date: Fri Oct 10 11:59:41 2008
Subject: Clamscan eats a lot of cpu
Message-ID: <797363C57EE0884786F428AAABCD469202470E42@sea0120sex2.nordic.x>

Hello,
have a problem that process "clamscan" eats a lot of cpu, there are always like 5-8 clamscan processes even if there are not anything to scan.

I have the latest version of Julians Mailscanner package.

Would be great if someone have any advice?

//Rob

From ms-list at alexb.ch Fri Oct 10 12:30:27 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Fri Oct 10 12:30:42 2008
Subject: Clamscan eats a lot of cpu
In-Reply-To: <797363C57EE0884786F428AAABCD469202470E42@sea0120sex2.nordic.x>
References: <797363C57EE0884786F428AAABCD469202470E42@sea0120sex2.nordic.x>
Message-ID: <48EF3CD3.4060104@alexb.ch>

On 10/10/2008 12:57 PM, Meurlin Robert wrote:
> Hello,
> have a problem that process "clamscan" eats a lot of cpu, there are
> always like 5-8 clamscan processes even if there are not anything to
> scan.
>
> I have the latest version of Julians Mailscanner package.
>
> Would be great if someone have any advice?

use clamd

From sandrews at andrewscompanies.com Fri Oct 10 12:42:35 2008
From: sandrews at andrewscompanies.com (Steven Andrews)
Date: Fri Oct 10 12:42:45 2008
Subject: Clamscan eats a lot of cpu
In-Reply-To: <48EF3CD3.4060104@alexb.ch>
References: <797363C57EE0884786F428AAABCD469202470E42@sea0120sex2.nordic.x> <48EF3CD3.4060104@alexb.ch>
Message-ID: <1964AAFBC212F742958F9275BF63DBB090742F@winchester.andrewscompanies.com>

Most of my boxes are very low volume. I quit using clamd when it had a habit of just dying for no good reason; is it happy and stable now?

Is there a wiki for setting up clamd?

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Broens
Sent: Friday, October 10, 2008 7:30 AM
To: MailScanner discussion
Subject: Re: Clamscan eats a lot of cpu

On 10/10/2008 12:57 PM, Meurlin Robert wrote:
> Hello,
> have a problem that process "clamscan" eats a lot of cpu, there are
> always like 5-8 clamscan processes even if there are not anything to
> scan.
>
> I have the latest version of Julians Mailscanner package.
>
> Would be great if someone have any advice?

use clamd

From alex at rtpty.com Fri Oct 10 13:06:17 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Fri Oct 10 13:06:36 2008
Subject: Clamscan eats a lot of cpu
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB090742F@winchester.andrewscompanies.com>
References: <797363C57EE0884786F428AAABCD469202470E42@sea0120sex2.nordic.x> <48EF3CD3.4060104@alexb.ch> <1964AAFBC212F742958F9275BF63DBB090742F@winchester.andrewscompanies.com>
Message-ID: <3F09ADED-5A49-43C8-91F3-0E6284CB4FF9@rtpty.com>

There are ways to make it come back up... Although I don't know if you can have "clamd first, clamscan or clamavmodule if clamd chokes" in MailScanner though... I wonder...

On Oct 10, 2008, at 6:42 AM, Steven Andrews wrote:

> just dying for not good reason

From ben.tisdall at photobox.com Fri Oct 10 13:08:07 2008
From: ben.tisdall at photobox.com (Ben Tisdall)
Date: Fri Oct 10 13:08:23 2008
Subject: Clamscan eats a lot of cpu
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB090742F@winchester.andrewscompanies.com>
References: <797363C57EE0884786F428AAABCD469202470E42@sea0120sex2.nordic.x> <48EF3CD3.4060104@alexb.ch> <1964AAFBC212F742958F9275BF63DBB090742F@winchester.andrewscompanies.com>
Message-ID: <48EF45A7.3020200@photobox.com>

Steven Andrews wrote:
> Most of my boxes are very low volume. I quit using clamd when it had a
> habit of just dying for not good reason; is it happy and stable now?
>

Extremely stable for me for quite a few years now.

> Is there a wiki for setting up clamd?

Not sure, but using the rpmforge packages should be pretty easy.

Personally I prefer to install it from source, it isn't difficult.

--
Ben Tisdall
Linux Systems Administrator | www.photobox.com

From ecasarero at gmail.com Fri Oct 10 14:07:41 2008
From: ecasarero at gmail.com (Eduardo Casarero)
Date: Fri Oct 10 14:07:51 2008
Subject: Clamscan eats a lot of cpu
In-Reply-To: <48EF45A7.3020200@photobox.com>
References: <797363C57EE0884786F428AAABCD469202470E42@sea0120sex2.nordic.x> <48EF3CD3.4060104@alexb.ch> <1964AAFBC212F742958F9275BF63DBB090742F@winchester.andrewscompanies.com> <48EF45A7.3020200@photobox.com>
Message-ID: <7d9b3cf20810100607k7f18a980g18b89f81263b33d3@mail.gmail.com>

2008/10/10 Ben Tisdall

> Steven Andrews wrote:
> > Most of my boxes are very low volume. I quit using clamd when it had a
> > habit of just dying for not good reason; is it happy and stable now?
> >
>
> Extremely stable for me for quite a few years now.

Yeap, extremely stable and saves a lottt of memory

> > Is there a wiki for setting up clamd?
>
> Not sure, but using the rpmforge packages should be pretty easy.
>
> Personally I prefer to install it from source, it isn't difficult.

I use julian's installer it works perfect.

> --
> Ben Tisdall
> Linux Systems Administrator | www.photobox.com

From richard.frovarp at sendit.nodak.edu Fri Oct 10 14:50:18 2008
From: richard.frovarp at sendit.nodak.edu (Richard Frovarp)
Date: Fri Oct 10 14:50:29 2008
Subject: Clamscan eats a lot of cpu
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB090742F@winchester.andrewscompanies.com>
References: <797363C57EE0884786F428AAABCD469202470E42@sea0120sex2.nordic.x> <48EF3CD3.4060104@alexb.ch> <1964AAFBC212F742958F9275BF63DBB090742F@winchester.andrewscompanies.com>
Message-ID: <48EF5D9A.2020401@sendit.nodak.edu>

Steven Andrews wrote:
> Most of my boxes are very low volume. I quit using clamd when it had a
> habit of just dying for not good reason; is it happy and stable now?
>
> Is there a wiki for setting up clamd?
>

Yes. Search for clamd.

From glenn.steen at gmail.com Fri Oct 10 15:05:21 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Oct 10 15:05:31 2008
Subject: Clamscan eats a lot of cpu
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB090742F@winchester.andrewscompanies.com>
References: <797363C57EE0884786F428AAABCD469202470E42@sea0120sex2.nordic.x> <48EF3CD3.4060104@alexb.ch> <1964AAFBC212F742958F9275BF63DBB090742F@winchester.andrewscompanies.com>
Message-ID: <223f97700810100705v36177af6xc6d393d692f28f0f@mail.gmail.com>

2008/10/10 Steven Andrews :
> Most of my boxes are very low volume. I quit using clamd when it had a
> habit of just dying for not good reason; is it happy and stable now?
>
> Is there a wiki for setting up clamd?
>
Yes.
To "manage" where clamd dies, use the simple "clamdmon" cron scriptlet.
-- Glenn

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex
> Broens
> Sent: Friday, October 10, 2008 7:30 AM
> To: MailScanner discussion
> Subject: Re: Clamscan eats a lot of cpu
>
> On 10/10/2008 12:57 PM, Meurlin Robert wrote:
>> Hello,
>> have a problem that process "clamscan" eats a lot of cpu, there are
>> always like 5-8 clamscan processes even if there is not anything to
>> scan.
>>
>> I have the latest version of Julian's MailScanner package.
>>
>> Would be great if someone has any advice?
>
> use clamd

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From ka at pacific.net Fri Oct 10 15:16:57 2008
From: ka at pacific.net (Ken A)
Date: Fri Oct 10 15:16:33 2008
Subject: yahoo dns issue today?
Message-ID: <48EF63D9.4040408@pacific.net>

Did anyone else bounce a bunch of yahoo groups email today, due to yahoo dns issues? *.yahoo.com stopped resolving for about an hour. Just curious if anyone else saw this, or knows what happened?

Thanks,
Ken

--
Ken Anderson
Pacific.Net

From richard.frovarp at sendit.nodak.edu Fri Oct 10 16:41:22 2008
From: richard.frovarp at sendit.nodak.edu (Richard Frovarp)
Date: Fri Oct 10 16:41:33 2008
Subject: OT Shared Imap folders/accounts
In-Reply-To: <48EE4627.4000006@cnpapers.com>
References: <48EE0E14.2040906@ecs.soton.ac.uk> <48EE140C.3060205@cnpapers.com> <48EE3C9B.9060602@sendit.nodak.edu> <48EE4627.4000006@cnpapers.com>
Message-ID: <48EF77A2.8010506@sendit.nodak.edu>

Steve Campbell wrote:
>
> I was a little surprised that there is a real difference in how IMAP
> clients handle these system user accounts. As I said earlier, I use
> Horde/Imp as a webmail application, and it accesses these POP accounts
> just fine in an IMAP-type web page. Imp does use a database, but not so
> much for the normal IMAP-related db functions as for its own
> functions. There is a similar set of applications that I saw for cyrus
> which mimics the addressbook and so forth.

Yeah, but do you have Horde/Imp configured to use POP or IMAP? You can make each one behave somewhat like the other, at least from the perspective from the end user. Just because it looks like IMAP, doesn't mean it is going to behave like IMAP. We run Imp as well, configured to use IMAP, just like SquirrelMail.

From campbell at cnpapers.com Fri Oct 10 16:56:12 2008
From: campbell at cnpapers.com (Steve Campbell)
Date: Fri Oct 10 16:56:25 2008
Subject: OT Shared Imap folders/accounts
In-Reply-To: <48EF77A2.8010506@sendit.nodak.edu>
References: <48EE0E14.2040906@ecs.soton.ac.uk> <48EE140C.3060205@cnpapers.com> <48EE3C9B.9060602@sendit.nodak.edu> <48EE4627.4000006@cnpapers.com> <48EF77A2.8010506@sendit.nodak.edu>
Message-ID: <48EF7B1C.5050103@cnpapers.com>

Richard Frovarp wrote:
> Steve Campbell wrote:
>>
>> I was a little surprised that there is a real difference in how IMAP
>> clients handle these system user accounts. As I said earlier, I use
>> Horde/Imp as a webmail application, and it accesses these POP
>> accounts just fine in an IMAP-type web page. Imp does use a database,
>> but not so much for the normal IMAP-related db functions as for its
>> own functions. There is a similar set of applications that I saw for
>> cyrus which mimics the addressbook and so forth.
> Yeah, but do you have Horde/Imp configured to use POP or IMAP? You can
> make each one behave somewhat like the other, at least from the
> perspective from the end user. Just because it looks like IMAP,
> doesn't mean it is going to behave like IMAP. We run Imp as well,
> configured to use IMAP, just like SquirrelMail.

They're configured to use IMAP protocol.

From ssilva at sgvwater.com Fri Oct 10 22:05:33 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Oct 10 22:06:06 2008
Subject: yahoo dns issue today?
In-Reply-To: <48EF63D9.4040408@pacific.net>
References: <48EF63D9.4040408@pacific.net>
Message-ID:

on 10-10-2008 7:16 AM Ken A spake the following:
> Did anyone else bounce a bunch of yahoo groups email today, due to yahoo
> dns issues? *.yahoo.com stopped resolving for about an hour. Just
> curious if anyone else saw this, or knows what happened?
>
> Thanks,
> Ken
>
You mean non-spam comes out of Yahoo?
Go figure.... ;-P

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From hvdkooij at vanderkooij.org Sun Oct 12 22:27:52 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Oct 12 22:28:02 2008
Subject: yahoo dns issue today?
In-Reply-To:
References: <48EF63D9.4040408@pacific.net>
Message-ID: <48F26BD8.9000905@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Scott Silva wrote:
> on 10-10-2008 7:16 AM Ken A spake the following:
>> Did anyone else bounce a bunch of yahoo groups email today, due to yahoo
>> dns issues? *.yahoo.com stopped resolving for about an hour. Just
>> curious if anyone else saw this, or knows what happened?

> You mean non-spam comes out of Yahoo?

Well it seems miracles still happen. But until someone using my email server can tell me why they need to receive Yahoo messages I will add Yahoo domains to the blacklist for each spam incident that originates from the servers from Yahoo. So far I got a 100% spam rating for Yahoo accounts from Germany, India, Japan, ....

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFI8mvWBvzDRVjxmYERAn1BAJ9YBu3fug7TrsI8Lz/wAyRyYLND6gCcDKuI
ChNtZXcikS7bNb/C761TMZ0=
=3GNq
-----END PGP SIGNATURE-----

From hvdkooij at vanderkooij.org Sun Oct 12 22:45:21 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Oct 12 22:45:30 2008
Subject: Accuracy of AV scanners
Message-ID: <48F26FF1.7080107@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

How many rely just on the AV scanner to stop malware in email?

I collected some older stuff and just let it parse through some scanners again. These originated from the first half of 2007. I have run several scanners over them until September or October 2007 and then parked them away for later investigation. (And I mean I probably ran most scanners a dozen times or more and all of them being up-to-date up to the moment I ran the scanners.)

Now I forgot about them until I ran into them this weekend. So I decided to feed them to the various AV engines again. And I get quite a few hits now from the AV scanners that seemed to miss out on them last year.

If you run some RBL's on the MTA or later and use that to move the garbage out of the mailbin and also use some other tests I guess you will not see much pass your MailScanner setup. But AV scanners alone will surely not catch them all.

I can give some more numbers once I have completed the rerun. But given the amount of files it might take a few more days before I have them.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFI8m/vBvzDRVjxmYERAnj0AJ4yPweDv8dXw6JOvWNLPDPTjgFNjgCePd3e
CaV/RoGIzjES57Q9aNEnvo4=
=eCrs
-----END PGP SIGNATURE-----

From martinh at solidstatelogic.com Mon Oct 13 09:05:16 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Mon Oct 13 09:05:33 2008
Subject: Accuracy of AV scanners
In-Reply-To: <48F26FF1.7080107@vanderkooij.org>
Message-ID:

Hugo

As most virus scanners are signature based there's a time lag from the virus/malware appearing and the virus scanner on your machine finding it. (which is pretty obvious and you know that).

I leave the default checks of executable blocks etc which saves me enough times to keep it and release valid executables when I need to.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Hugo van der Kooij
> Sent: 12 October 2008 22:45
> To: MailScanner discussion
> Subject: Accuracy of AV scanners
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> How many rely just on the AV scanner to stop malware in email?
>
> I collected some older stuff and just let it parse through
> some scanners again. These originated from the first half of
> 2007. I have run several scanners over them until September
> or October 2007 and then parked them away for later
> investigation. (And I mean I probably ran most scanners a
> dozen times or more and all of them being up-to-date up to the
> moment I ran the scanners.)
>
> Now I forgot about them until I ran into them this weekend.
> So I decided to feed them to the various AV engines again.
> And I get quite a few hits now from the AV scanners that
> seemed to miss out on them last year.
>
> If you run some RBL's on the MTA or later and use that to move
> the garbage out of the mailbin and also use some other tests
> I guess you will not see much pass your MailScanner setup.
> But AV scanners alone will surely not catch them all.
>
> I can give some more numbers once I have completed the rerun.
> But given the amount of files it might take a few more days
> before I have them.
>
> Hugo.
>
> - --
> hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
> PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc
>
> A: Yes.
> >Q: Are you sure?
> >>A: Because it reverses the logical flow of conversation.
> >>>Q: Why is top posting frowned upon?
>
> Bored? Click on http://spamornot.org/ and rate those images.
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> iD8DBQFI8m/vBvzDRVjxmYERAnj0AJ4yPweDv8dXw6JOvWNLPDPTjgFNjgCePd3e
> CaV/RoGIzjES57Q9aNEnvo4=
> =eCrs
> -----END PGP SIGNATURE-----

From gesbbb at yahoo.com Mon Oct 13 14:11:43 2008
From: gesbbb at yahoo.com (Jerry)
Date: Mon Oct 13 14:12:04 2008
Subject: yahoo dns issue today?
In-Reply-To: <48F26BD8.9000905@vanderkooij.org>
References: <48EF63D9.4040408@pacific.net> <48F26BD8.9000905@vanderkooij.org>
Message-ID: <20081013091143.76608dcb@scorpio>

On Sun, 12 Oct 2008 23:27:52 +0200 Hugo van der Kooij wrote:

[snip]

>Well it seems miracles still happen. But until someone using my email
>server can tell me why they need to receive Yahoo messages I will add
>Yahoo domains to the blacklist for each spam incident that originates
>from the servers from Yahoo. So far I got a 100% spam rating for Yahoo
>accounts from Germany, India, Japan, ....

I am assuming that you have been vigorously blacklisting "GMail" as well. SPAM originating via Google's servers far out distances anything I get from Yahoo. In fact, that is one of the reasons I went back to using Yahoo for public discussion forums.

Out of curiosity, why are you still using depreciated in-line pgp?

--
Jerry
gesbbb@yahoo.com

And now for something completely the same.

From hvdkooij at vanderkooij.org Mon Oct 13 19:00:19 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Mon Oct 13 19:00:29 2008
Subject: yahoo dns issue today?
In-Reply-To: <20081013091143.76608dcb@scorpio>
References: <48EF63D9.4040408@pacific.net> <48F26BD8.9000905@vanderkooij.org> <20081013091143.76608dcb@scorpio>
Message-ID: <48F38CB3.3010100@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jerry wrote:
> On Sun, 12 Oct 2008 23:27:52 +0200
> Hugo van der Kooij wrote:
>
> [snip]
>
>> Well it seems miracles still happen. But until someone using my email
>> server can tell me why they need to receive Yahoo messages I will add
>> Yahoo domains to the blacklist for each spam incident that originates
>> from the servers from Yahoo. So far I got a 100% spam rating for Yahoo
>> accounts from Germany, India, Japan, ....
>
> I am assuming that you have been vigorously blacklisting "GMail" as
> well. SPAM originating via Google's servers far out distances anything
> I get from Yahoo. In fact, that is one of the reasons I went back to
> using Yahoo for public discussion forums.

I have hardly seen spam from gmail for nearly a year. And while no family member is expecting email from Yahoo. They do expect email from hotmail and gmail.

> Out of curiosity, why are you still using depreciated in-line pgp?

Because it works for more people than the other way.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFI84yxBvzDRVjxmYERAh9rAJoDtSWX5+1D5FsvLG1tfb3PyiCOTwCfWSIP
e/KFuGwA5P+SUHKej2w8JwY=
=qLrd
-----END PGP SIGNATURE-----

From velda.midanovic at trezor.sr.gov.yu Tue Oct 14 08:12:58 2008
From: velda.midanovic at trezor.sr.gov.yu (Velda Midanovic)
Date: Tue Oct 14 08:21:43 2008
Subject: MailScanner stop problem
Message-ID: <000001c92dcc$4f5ca620$ee15f260$@midanovic@trezor.sr.gov.yu>

Dear all,

My configuration is as : RH4U5+sendmail+MailScanner 4.71.10-1+MailWatch 1.0.4+SpamAssassin+ClamAV

When I do a #MailScanner -lint, I get this at the end :

-----------------
Config: calling custom end function MailWatchLogging
commit ineffective with AutoCommit enabled at /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93, line 1.
Commmit ineffective while AutoCommit is on at /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93, line 1.
-------------------

It also appears sometimes (but not always!) when I stop the MailScanner :

# service MailScanner stop
Shutting down MailScanner daemons:
MailScanner: commit ineffective with AutoCommit enabled at /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93, line 1.
Commmit ineffective while AutoCommit is on at /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93, line 1.
[ OK ]
incoming sendmail: [ OK ]
outgoing sendmail: [ OK ]
------------------

There is nothing in /var/log/messages...

EICAR and GTUBE test are OK.

Help!!!

Thanks in advance,
Velda

From glenn.steen at gmail.com Tue Oct 14 08:41:28 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Oct 14 08:41:38 2008
Subject: MailScanner stop problem
In-Reply-To: <-8241848735774351436@unknownmsgid>
References: <-8241848735774351436@unknownmsgid>
Message-ID: <223f97700810140041m7c2d5a92qce6c78d9e51f3b2a@mail.gmail.com>

2008/10/14 Velda Midanovic :
> Dear all,
>
> My configuration is as : RH4U5+sendmail+MailScanner 4.71.10-1+MailWatch
> 1.0.4+SpamAssassin+ClamAV
>
> When I do a #MailScanner -lint, I get this at the end :
>
> -----------------
>
> Config: calling custom end function MailWatchLogging
>
> commit ineffective with AutoCommit enabled at
> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93,
> line 1.
>
> Commmit ineffective while AutoCommit is on at
> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93,
> line 1.
>
> -------------------
>
> It also appears sometimes (but not always!) when I stop the MailScanner :
>
> # service MailScanner stop
>
> Shutting down MailScanner daemons:
>
> MailScanner: commit ineffective with AutoCommit enabled at
> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93,
> line 1.
>
> Commmit ineffective while AutoCommit is on at
> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93,
> line 1.
>
> [ OK ]
>
> incoming sendmail: [ OK ]
>
> outgoing sendmail: [ OK ]
>
> ------------------
>
> There is nothing in /var/log/messages...
>
> EICAR and GTUBE test are OK.
>
> Help!!!
>
> Thanks in advance,
>
> Velda
>
Did you ever bother to *read* the message? Did you ever try looking for it in the archives of this list? Google it?
If you had, you might have noticed that:
- It is purely informational and, as such, non-harmful.
- it is due to you having autocommit on, while MailWatch still does the commits as needed. All that "error" is doing is saying "Hey, I already did that!".
- The only possible reason to "fix" this "error" is to avoid any more questions about how to fix it!!!

Sorry Velda, don't mean to bite your head off, it's just that this crops up now and then... And no matter how much one explains, it still does... Sigh.

Since Steve has moved on to other things (version 2 amongst them:-), this "error" will never be "fixed" ... and it doesn't need to be fixed:-). Just take a deep breath, forge ahead ... and live with it.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From mailadmin at midland-ics.ie Tue Oct 14 16:33:08 2008
From: mailadmin at midland-ics.ie (Mail Admin)
Date: Tue Oct 14 16:33:39 2008
Subject: A users email is getting marked as spam, sending out via mailscanner
Message-ID: <00d501c92e12$299995b0$7cccc110$@ie>

Hi All

One of my users, who sends mail out via my MailScanner/SA/Mailwatch System gets their mail marked as SPAM in MS and SA.

cached not score=7.329 6 required
-2.60 BAYES_00 Bayesian spam probability is 0 to 1%
1.00 EXTRA_MPART_TYPE Header has extraneous Content-type:...type= entry
0.00 HTML_MESSAGE HTML included in message
1.26 HTML_TAG_BALANCE_BODY HTML has unbalanced "body" tags
5.50 KAM_STOCKTIP
1.11 MPART_ALT_DIFF_COUNT HTML and text parts are different
0.88 RCVD_IN_SORBS_DUL SORBS: sent directly from dynamic IP address
0.10 RDNS_DYNAMIC
0.08 TW_JK

I am wondering why is KAM_STOCKTIP being called.

Also is there a way to whitelist outgoing mails? As I use the MailWatch SQL Database for whitelist?

Thanks

This e-mail is intended solely for the addressee(s) and is strictly confidential. The unauthorised use, disclosure or copying of this e-mail, or any information it contains is prohibited. If you have received this e-mail in error, please notify us immediately and then permanently delete it. Although Midland Internet & Computer Solutions make every effort to keep our systems free from viruses you should check this e-mail and any attachments to it for viruses as we cannot accept any liability for viruses inadvertently transmitted by use.

From martinh at solidstatelogic.com Tue Oct 14 16:46:34 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Tue Oct 14 16:46:51 2008
Subject: A users email is getting marked as spam, sending out via mailscanner
In-Reply-To: <00d501c92e12$299995b0$7cccc110$@ie>
Message-ID: <8c219ef4966d054aae01fa2d5a8216ca@solidstatelogic.com>

most people don't spam scan on outgoing email by creating a ruleset against "is definitely not spam" so email from the email server(s) don't get SA scanned.

KAM_STOCKTIP is a default rule in SA.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

_____
********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer.
Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom **********************************************************************

From mailadmin at midland-ics.ie Tue Oct 14 16:58:09 2008
From: mailadmin at midland-ics.ie (Mail Admin)
Date: Tue Oct 14 16:58:32 2008
Subject: A users email is getting marked as spam, sending out via mailscanner
In-Reply-To: <8c219ef4966d054aae01fa2d5a8216ca@solidstatelogic.com>
References: <00d501c92e12$299995b0$7cccc110$@ie> <8c219ef4966d054aae01fa2d5a8216ca@solidstatelogic.com>
Message-ID: <00f101c92e15$a8505e40$f8f11ac0$@ie>

I have &SQLWhiteList for my setting
********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer.
Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom
**********************************************************************
From ssilva at sgvwater.com Tue Oct 14 16:58:21 2008
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Oct 14 16:58:36 2008 Subject: A users email is getting marked as spam, sending out via mailscanner In-Reply-To: <00d501c92e12$299995b0$7cccc110$@ie> References: <00d501c92e12$299995b0$7cccc110$@ie> Message-ID: on 10-14-2008 8:33 AM Mail Admin spake the following: > Hi All > > > > One of my users, who send mail out via my MailScanner/SA/Mailwatch > System gets there mail marked as SPAM in MS and SA. > > > > > I am wondering why is KAM_STOCKTIP being called. > Because the user put something in the message that hits those regex's. > Also is there a way to while list outgoing mails? As I use the MailWatch > SQL Database for whitelist? > You can whitelist local users but you have to be careful. If you whitelist by domain name, you will be susceptible to spoofing. And the unpatched sql whitelist can only whitelist one IP address at a time. > > > Thanks > > This e-mail is intended solely for the addressee(s) and is strictly > confidential. The unauthorised use, disclosure or copying of this > e-mail, or any information it contains is prohibited. If you have > received this e-mail in error, please notify us immediately and then > permanently delete it. Although we make every effort to keep our systems > free from viruses, you should check this e-mail and any attachments to > it for viruses as we cannot accept any liability for viruses > inadvertently transmitted by use. > You completely void a disclaimer like this when you post to a public list. Maybe I shouldn't answer you, since I was not specifically addressed! Please! No body read this on this public list because the scary disclaimer says it is confidential! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc
Type: application/pgp-signature
Size: 250 bytes
Desc: OpenPGP digital signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081014/d87a0901/signature.bin
From glenn.steen at gmail.com Tue Oct 14 20:38:23 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Oct 14 20:38:33 2008
Subject: A users email is getting marked as spam, sending out via mailscanner
In-Reply-To: <00f101c92e15$a8505e40$f8f11ac0$@ie>
References: <00d501c92e12$299995b0$7cccc110$@ie> <8c219ef4966d054aae01fa2d5a8216ca@solidstatelogic.com> <00f101c92e15$a8505e40$f8f11ac0$@ie>
Message-ID: <223f97700810141238y21512c4dld467c4af53217789@mail.gmail.com>

2008/10/14 Mail Admin :
> I have &SQLWhiteList for my setting
>
So use MailWatch to add the IP address of the sending server then...!
Or better yet... Make sure s/he generates valid HTML (balanced body tags...) and MIME headers... And perhaps add a small SA whitelist score bonus (def_whitelist...) to your spam.assassin.prefs.conf or local.cf...
Is that person a roadrunner, since SORBS_DUL fires? Perhaps look at using an authenticated submission port instead...
Endless possibilities abound, how to fix this:-)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From gesbbb at yahoo.com Tue Oct 14 22:42:06 2008
From: gesbbb at yahoo.com (Jerry) Date: Tue Oct 14 22:42:20 2008 Subject: A users email is getting marked as spam, sending out via mailscanner In-Reply-To: References: <00d501c92e12$299995b0$7cccc110$@ie> Message-ID: <20081014174206.301119db@scorpio> On Tue, 14 Oct 2008 08:58:21 -0700 Scott Silva wrote: [snip] >> This e-mail is intended solely for the addressee(s) and is strictly >> confidential. The unauthorised use, disclosure or copying of this >> e-mail, or any information it contains is prohibited. If you have >> received this e-mail in error, please notify us immediately and then >> permanently delete it. Although we make every effort to keep our >> systems free from viruses, you should check this e-mail and any >> attachments to it for viruses as we cannot accept any liability for >> viruses inadvertently transmitted by use. >> >You completely void a disclaimer like this when you post to a public >list. Maybe I shouldn't answer you, since I was not specifically >addressed! Please! No body read this on this public list because the >scary disclaimer says it is confidential! Disclaimers, even in the few countries in which they are required by law, are basically unenforceable. Furthermore, they are usually not even required when posting to a publicly assessable forum such as this one. -- Jerry gesbbb@yahoo.com Ogden's Law: The sooner you fall behind, the more time you have to catch up. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 195 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081014/d948db5c/signature.bin From ssilva at sgvwater.com Tue Oct 14 22:57:50 2008 
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Oct 14 22:58:27 2008 Subject: Accuracy of AV scanners In-Reply-To: <48F26FF1.7080107@vanderkooij.org> References: <48F26FF1.7080107@vanderkooij.org> Message-ID: on 10-12-2008 2:45 PM Hugo van der Kooij spake the following: > Hi, > > How many rely just on the AV scanner to stop malware in email? > > I collected some older stuff and just let it parse through some scanners > again. These originated from the first half of 2007. I have run several > scanners over them untill september or october 2007 and then parked them > away for later investigation. (And I mean I propably ran most scanners a > dozen time or more and all of them being up-to-date up to the moment I > ran the scanners.) > > Now I forgot about them untill I ran into them this weekend. So I > decided to feed them to the various AV engines again. And I get quite a > few hits now from the AV scanners that seemed to miss out on them last year. > > If you run some RBL's on he MTA or later and use that to move the > garbage out of the mailbin and also use some other tests I guess you > will not see much pass your MailScanner setup. But AV canners alone will > surely not cathch them all. > > I can give some more numbers once I have completed the rerun. But given > the amount of files it might take a few more days before I have them. > > Hugo. > I also block and quarantine by content. I can't begin to count the times that something was caught by content type and by the time I can check the quarantine, the signatures have caught up. I block executables, encrypted archives, movie files, dangerous files like emf's and eps. All can be released by me to intended recip. if they contact me and in the case of movie files, can prove that they are work related. All other crap can be sent to personal mail accounts and checked from home. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! 
-------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081014/6721e708/signature.bin From kate at rheel.co.nz Tue Oct 14 23:21:47 2008 From: kate at rheel.co.nz (Kate Kleinschafer) Date: Tue Oct 14 23:20:31 2008 Subject: mail won't shift from queue Message-ID: <48F51B7B.4070307@rheel.co.nz> Hi all, I am running the latest version of MailScanner, with Spamassassin and postfix I checked the logs and the only thing I have found was the line Oct 15 09:24:08 box1 MailScanner[628]: writing to /var/spool/MailScanner/quarantine/20081015/spam/C74FE62E80E.5B5B3: No such file or directory The folders have been being made fine for the last several days but not today. Once I manually made the folder 2008105 the mail started being processed as normal. What could cause it to not make the folder today? Thanks Kate From andrew at gdcon.net Wed Oct 15 00:44:26 2008 From: andrew at gdcon.net (Andrew MacLachlan) Date: Wed Oct 15 00:44:45 2008 Subject: mail won't shift from queue In-Reply-To: <48F51B7B.4070307@rheel.co.nz> References: <48F51B7B.4070307@rheel.co.nz> Message-ID: <48F52EDA.2080600@gdcon.net> Kate Kleinschafer wrote: > > > What could cause it to not make the folder today? > > Have you checked permissions? From kate at rheel.co.nz Wed Oct 15 01:02:02 2008 
From: kate at rheel.co.nz (Kate Kleinschafer) Date: Wed Oct 15 01:00:48 2008 Subject: mail won't shift from queue In-Reply-To: <48F52EDA.2080600@gdcon.net> References: <48F51B7B.4070307@rheel.co.nz> <48F52EDA.2080600@gdcon.net> Message-ID: <48F532FA.3080004@rheel.co.nz> Andrew MacLachlan wrote: > Kate Kleinschafer wrote: >> >> >> What could cause it to not make the folder today? >> >> > Have you checked permissions? > > Yes and I noticed that the quarantine folder had a different user than the other folders in that dir. So I have now changed it to postfix:apache However, The permissions were set like this for the last couple of days when the folders were created correctly - so I wouldn't have thought that this would be the problem. Thanks From velda.midanovic at trezor.sr.gov.yu Wed Oct 15 09:15:43 2008 
From: velda.midanovic at trezor.sr.gov.yu (Velda Midanovic)
Date: Wed Oct 15 09:24:28 2008
Subject: MailScanner stop problem+another one
Message-ID: <000f01c92e9e$3dce4ad0$b96ae070$@midanovic@trezor.sr.gov.yu>

Thank you.

A bit sarcastic, but, well... True.

I did a google for it, but wanted to be sure.

In some wee hours of the morning, I did find a solution, and here it is :

****************

In the file : /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm :

sub ExitLogging {
  # Server exit - commit changes, close socket, and exit gracefully.
  close(SERVER);
  #$dbh->commit;  <----- This is the ONLY change, and it does work.
  $dbh->disconnect;
  exit;
}

***************

So there it is...

***************

There has cropped up another problem, and only yesterday.

It is this :

After I stop MailScanner :

service MailScanner status
Checking MailScanner daemons:
         MailScanner:                                      [ OK ]
         incoming sendmail: head: cannot open `/var/run/sendmail.in.pid' for rea ding: No such file or directory
                                                           [FAILED]
         outgoing sendmail: head: cannot open `/var/run/sendmail.out.pid' for re ading: No such file or directory
                                                           [FAILED]

And YES I did Google it.

Very little info.

All seems to be working fine (tester GTUBE+EICAR), but it bugs me.

I make files by hand (root smmsp rw-r-r--) in /var/run, and till the next (re)start it is OK, but then I have to make them again.

So just a question : should I be worried?

Velda

2008/10/14 Velda Midanovic :
> Dear all,
>
> My configuration is as : RH4U5+sendmail+MailScanner
> 4.71.10-1+MailWatch 1.0.4+SpamAssassin+ClamAV
>
> When I do a #MailScanner -lint, I get this at the end :
>
> -----------------
>
> Config: calling custom end function MailWatchLogging
>
> commit ineffective with AutoCommit enabled at
> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93,
> line 1.
>
> Commmit ineffective while AutoCommit is on at
> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93,
> line 1.
> > ------------------- > > It also appears sometimes (but not always!) when I stop the MailScanner : > > # service MailScanner stop > > Shutting down MailScanner daemons: > > MailScanner: commit ineffective with AutoCommit enabled at > /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93, > line 1. > > Commmit ineffective while AutoCommit is on at > /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93, > line 1. > > [ OK ] > > incoming sendmail: [ OK ] > > outgoing sendmail: [ OK ] > > ------------------ > > There is nothing in /var/log/messages... > > EICAR and GTUBE test are OK. > > > > Help!!! > > Thanks in advance, > > Velda > Did you ever bother to *read* the message? Did you ever try looking for it in the archives of this list? Google it? If you had, you might have noticed that: - It is purely informational and, as such, non-harmful. - it is due to you having autocommit on, while MailWatch still does the commits as needed. All that "error" is doing is saying "Hey, I already did that!". - The only possible reason to "fix" this "error" is to aviod any more questions about how to fix it!!! Sorry Velda, don't mean to bite your head of, it's just that this crops up now and then... And no matter how much one explains, it still does... Sigh. Since Steve has moved on to other things (version 2 amongst them:-), this "error" will never be "fixed" ... and it doesn't need to be fixed:-). Just take a deep breath, forge ahead ... and live with it. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081015/e869e9b0/attachment-0001.html From glenn.steen at gmail.com Wed Oct 15 10:34:44 2008 
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Oct 15 10:34:54 2008 Subject: MailScanner stop problem+another one In-Reply-To: <-7601795742309529679@unknownmsgid> References: <-7601795742309529679@unknownmsgid> Message-ID: <223f97700810150234q7ec8cb40nfa7568f3eff61064@mail.gmail.com> 2008/10/15 Velda Midanovic : > Thank you. > > A bit sarcastic, but, well... True. :-) > I did a google for it, but wanted to be sure. > > In some wee hours of the morning, I did find a solution, and here it is : Why? > **************** > > In the file : /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm > : > > sub ExitLogging { > > # Server exit - commit changes, close socket, and exit gracefully. > > close(SERVER); > > #$dbh->commit; ?----- This is the ONLY change, and it does work. > > $dbh->disconnect; > > exit; > > } > > *************** > > So there it is... Yes, but again... Why? This "fix" fills no discernible purpose. > *************** > > There has cropped up another problem, and only yesterday. > > It is this : > > After I stop MailScanner : > > service MailScanner status > > Checking MailScanner daemons: > > MailScanner: [ OK ] > > incoming sendmail: head: cannot open `/var/run/sendmail.in.pid' for > rea ding: No such file or directory > > [FAILED] > > outgoing sendmail: head: cannot open `/var/run/sendmail.out.pid' > for re ading: No such file or directory > > [FAILED] > > And YES I did Google it. > > Very little info. > > All seems to be working fine (tester GTUBE+EICAR), but it bugs me. > > I make files by hand (root smmsp rw-r?r--) in /var/run, and till the next > (re)start it is OK, but then I have to make them again. > > So just a question : should I be worried? > > Velda > Do you by any chance have your sendmail service still enabled? Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From cobalt-users1 at fishnet.co.uk Wed Oct 15 15:06:25 2008 
From: cobalt-users1 at fishnet.co.uk (Ian)
Date: Wed Oct 15 15:06:41 2008
Subject: OT: Snort rules triggered by spammers
Message-ID: <48F606F1.22259.E68761@cobalt-users1.fishnet.co.uk>

Hi,

Apologies for the Off Topic but this list is usually tolerant of such things when they vaguely resemble the fight against spam :)

I run a simple firewall in front of our servers that has snort installed. I try to analyse the results as often as possible and look into false positives etc. I recently noticed that what I thought was a long running false positive was actually directly related to possible spam delivery attempts on one mail server.

Basically there are two rules available on the Bleeding Edge Threats website:

http://www.bleedingthreats.net/bleeding-scan.rules

which are supposed to trigger against NMAP Syn Stealth Scans (i.e. the -sS option with the optional -f to cause fragmentation).

These rules have been hitting a lot but only ever indicate a scan against port 25 of the one mail server I have running there, so I just assumed it was another false positive.

When checking these IPs against the maillog today I got the following results:

155 unique IPs in list
13 do not appear in maillog
142 appear and are rejected for various reasons including:

    relay attempt
    spamcop
    spamhaus
    greet pause
    mailbox not found
    did not issue MAIL/EXPN/VRFY/ETRN

There were 0 successful deliveries to the mail server at all from these IPs.

Unfortunately I deleted a load of these alerts this morning, it usually goes up to a few thousand unique IPs a day.

Could I be on to something? Is anyone else running snort in front of a mail server who could check this?

Regards

Ian
--
From Robert.Meurlin at se.fujitsu.com Wed Oct 15 12:02:39 2008
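[Added example, not part of Ian's post or of any project's code: a Python sketch of the check described in the message above, matching the source IPs of Snort scan alerts on port 25 against what the mail log did with each IP. The alert lines, the sendmail-style log lines, the addresses, the SIDs and the reject-reason keywords are all constructed assumptions.]

```python
import re
from collections import Counter, defaultdict

# Constructed sample data. Addresses are documentation ranges; the alert
# text and SIDs are placeholders, not the real Bleeding Edge rules.
SNORT_ALERTS = """\
10/15-09:12:00.100000 [**] [1:1000001:1] SCAN NMAP -sS (constructed) [**] [Priority: 2] {TCP} 192.0.2.10:40111 -> 203.0.113.25:25
10/15-09:12:04.200000 [**] [1:1000001:1] SCAN NMAP -sS (constructed) [**] [Priority: 2] {TCP} 192.0.2.11:40222 -> 203.0.113.25:25
10/15-09:13:10.300000 [**] [1:1000002:1] SCAN NMAP -f -sS (constructed) [**] [Priority: 2] {TCP} 192.0.2.12:40333 -> 203.0.113.25:25
10/15-09:14:30.400000 [**] [1:1000001:1] SCAN NMAP -sS (constructed) [**] [Priority: 2] {TCP} 192.0.2.13:40444 -> 203.0.113.25:25
10/15-09:15:00.500000 [**] [1:1000001:1] SCAN NMAP -sS (constructed) [**] [Priority: 2] {TCP} 192.0.2.10:40555 -> 203.0.113.25:25
10/15-09:16:00.600000 [**] [1:1000001:1] SCAN NMAP -sS (constructed) [**] [Priority: 2] {TCP} 192.0.2.14:40666 -> 203.0.113.25:80
""".splitlines()

MAILLOG = """\
Oct 15 09:12:01 mail sendmail[2101]: m9F8C1aa002101: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Oct 15 09:12:05 mail sendmail[2102]: m9F8C5bb002102: ruleset=check_rcpt, arg1=<x@example.net>, relay=[192.0.2.11], reject=550 5.7.1 <x@example.net>... Relaying denied
Oct 15 09:13:11 mail sendmail[2103]: m9F8DBcc002103: rejecting commands from [192.0.2.12] due to pre-greeting traffic
Oct 15 09:15:01 mail sendmail[2104]: m9F8F1dd002104: ruleset=check_relay, arg1=[192.0.2.10], arg2=192.0.2.10, relay=[192.0.2.10], reject=553 5.3.0 Rejected - see http://www.spamhaus.org/
Oct 15 09:20:00 mail sendmail[2105]: m9F8K0ee002105: from=<list@example.org>, size=2048, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[198.51.100.7]
""".splitlines()

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ALERT_RE = re.compile(r"\{TCP\}\s+(" + IPV4 + r"):\d+\s+->\s+" + IPV4 + r":(\d+)")
BRACKET_IP_RE = re.compile(r"\[(" + IPV4 + r")\]")

# Keyword -> label, using the reject categories listed in the post.
# The keywords are assumptions about what the local MTA logs.
REJECT_MARKERS = [
    ("relaying denied", "relay attempt"),
    ("spamcop", "spamcop"),
    ("spamhaus", "spamhaus"),
    ("pre-greeting", "greet pause"),
    ("user unknown", "mailbox not found"),
    ("did not issue mail/expn/vrfy/etrn", "did not issue MAIL/EXPN/VRFY/ETRN"),
]


def scan_sources(alerts, port=25):
    """Unique source IPs of alerts whose destination port is `port`."""
    sources = set()
    for line in alerts:
        m = ALERT_RE.search(line)
        if m and int(m.group(2)) == port:
            sources.add(m.group(1))
    return sources


def classify(line):
    """Return a reject label, 'accepted', or None for irrelevant lines."""
    low = line.lower()
    for marker, label in REJECT_MARKERS:
        if marker in low:
            return label
    if "reject=" in low:
        return "other reject"
    if "from=<" in low and "relay=" in low:
        return "accepted"
    return None


def correlate(alerts, maillog, port=25):
    """Summarise what the mail server did with each alerting IP."""
    sources = scan_sources(alerts, port)
    rejected = defaultdict(Counter)
    accepted = set()
    for line in maillog:
        outcome = classify(line)
        if outcome is None:
            continue
        # Count each IP once per log line, and only if Snort flagged it.
        for ip in set(BRACKET_IP_RE.findall(line)) & sources:
            if outcome == "accepted":
                accepted.add(ip)
            else:
                rejected[ip][outcome] += 1
    seen = set(rejected) | accepted
    return {
        "unique": len(sources),
        "absent": sorted(sources - seen),
        "rejected": {ip: dict(c) for ip, c in rejected.items()},
        "delivered": sorted(accepted),
    }


if __name__ == "__main__":
    result = correlate(SNORT_ALERTS, MAILLOG)
    print(result["unique"], "unique IPs in list")
    print(len(result["absent"]), "do not appear in maillog")
    print(len(result["rejected"]), "appear and are rejected")
    print(len(result["delivered"]), "with successful deliveries")
```

[An alerting IP that shows up under "delivered" is the case to look at first: it means the rule also fires on a host whose mail the server accepted.]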
From: Robert.Meurlin at se.fujitsu.com (Meurlin Robert)
Date: Wed Oct 15 15:47:35 2008
Subject: SV: Clamscan eats a lot of cpu
In-Reply-To: <223f97700810100705v36177af6xc6d393d692f28f0f@mail.gmail.com>
References: <797363C57EE0884786F428AAABCD469202470E42@sea0120sex2.nordic.x><48EF3CD3.4060104@alexb.ch><1964AAFBC212F742958F9275BF63DBB090742F@winchester.andrewscompanies.com> <223f97700810100705v36177af6xc6d393d692f28f0f@mail.gmail.com>
Message-ID: <797363C57EE0884786F428AAABCD469202470E57@sea0120sex2.nordic.x>

Is it just to change to the following line in /usr/lib/MailScanner/clamav-wrapper :

ClamScan=$1/bin/clamdscan

Instead of
ClamScan=$1/bin/clamscan

?

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen
Sent: 10 October 2008 16:05
To: MailScanner discussion
Subject: Re: Clamscan eats a lot of cpu

2008/10/10 Steven Andrews :
> Most of my boxes are very low volume. I quit using clamd when it had a
> habit of just dying for not good reason; is it happy and stable now?
>
> Is there a wiki for setting up clamd?
>
Yes.

To "manage" where clamd dies, use the simple "clamdmon" cron scriptlet.

-- Glenn
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex > Broens > Sent: Friday, October 10, 2008 7:30 AM > To: MailScanner discussion > Subject: Re: Clamscan eats a lot of cpu > > On 10/10/2008 12:57 PM, Meurlin Robert wrote: >> Hello, >> have a problem that process "clamscan" eats a lot of cpu, there are >> always like 5-8 clamscan processes even if there are not anything to >> scan. >> >> I have the latest version of Julians Mailscanner package. >> >> Would be great if someone have any advice? > > use clamd > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From erwan.loaec at cgin.fr Wed Oct 15 15:47:38 2008 
From: erwan.loaec at cgin.fr (Erwan LOAEC)
Date: Wed Oct 15 15:48:02 2008
Subject: Virus and Content Scanning doesn't work
Message-ID: <48F6028A.4040901@cgin.fr>

Hello everyone.

I have a problem with my MailScanner config. This morning I noticed that MailScanner doesn't filter viruses or other content. Only the SpamAssassin step is fully working.

For example, here is a log of a batch where 1 mail contains an attachment with virus content. The mail is delivered to the recipient... Same behaviour: there is no content checking at all.
I have another configuration which is working well, and I cannot find the difference between the two configurations.

Oct 15 16:39:26 bart MailScanner[16588]: New Batch: Scanning 4 messages, 8076 bytes
Oct 15 16:39:26 bart MailScanner[16588]: Spam Checks: Starting
Oct 15 16:39:26 bart MailScanner[16588]: Message 984A21AB8C3.5B1C1 from 80.118.190.1 (workflow_error@xxxxx) is whitelisted
Oct 15 16:39:26 bart MailScanner[16588]: Message 00C7B1AB8E4.5EDE5 from 80.118.190.1 (workflow_error@xxxxx) is whitelisted
Oct 15 16:39:26 bart MailScanner[16588]: Message 4ED041AB804.069AA from 80.118.190.1 (workflow_error@xxxxx) is whitelisted
Oct 15 16:39:26 bart MailScanner[16588]: Virus and Content Scanning: Starting
Oct 15 16:39:29 bart MailScanner[16588]: /var/spool/MailScanner/incoming/16588/./99C0A1AB8EA.14730.message: ClamAV-Test-File FOUND
Oct 15 16:39:29 bart MailScanner[16588]: Virus Scanning: ClamAV found 1 infections
Oct 15 16:39:29 bart MailScanner[16588]: Infected message 99C0A1AB8EA.14730.message came from
Oct 15 16:39:29 bart MailScanner[16588]: Virus Scanning: Found 1 viruses
Oct 15 16:39:29 bart MailScanner[16588]: Requeue: 984A21AB8C3.5B1C1 to A6EB71AB900
Oct 15 16:39:29 bart MailScanner[16588]: Requeue: 99C0A1AB8EA.14730 to D66FC1AB8C3
Oct 15 16:39:29 bart MailScanner[16588]: Requeue: 00C7B1AB8E4.5EDE5 to 82FDC1AB8EA
Oct 15 16:39:29 bart MailScanner[16588]: Requeue: 4ED041AB804.069AA to 18EAB1AB8E4
Oct 15 16:39:29 bart MailScanner[16588]:
Uninfected: Delivered 4 messages Is anyone can tell me what parameter should I have a look ? Thanks for advice... -- Erwan Loaec From martinh at solidstatelogic.com Wed Oct 15 16:30:51 2008 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Wed Oct 15 16:31:13 2008 Subject: Clamscan eats a lot of cpu In-Reply-To: <797363C57EE0884786F428AAABCD469202470E57@sea0120sex2.nordic.x> Message-ID: Or use clamd... -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Meurlin Robert > Sent: 15 October 2008 12:03 > To: MailScanner discussion > Subject: SV: Clamscan eats a lot of cpu > > Is it just to change to the following line in > /usr/lib/MailScanner/clamav-wrapper : > > ClamScan=$1/bin/clamdscan > > Instead of > ClamScan=$1/bin/clamscan > > ? > > -----Ursprungligt meddelande----- > Fr?n: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] F?r Glenn Steen > Skickat: den 10 oktober 2008 16:05 > Till: MailScanner discussion > ?mne: Re: Clamscan eats a lot of cpu > > 2008/10/10 Steven Andrews : > > Most of my boxes are very low volume. I quit using clamd > when it had > > a habit of just dying for not good reason; is it happy and > stable now? > > > > Is there a wiki for setting up clamd? > > > Yes. > > To "manage" where clamd dies, use the simple "clamdmon" cron > scriptlet. > > -- Glenn > > -----Original Message----- 
> > From: mailscanner-bounces@lists.mailscanner.info
> > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Broens
> > Sent: Friday, October 10, 2008 7:30 AM
> > To: MailScanner discussion
> > Subject: Re: Clamscan eats a lot of cpu
> >
> > On 10/10/2008 12:57 PM, Meurlin Robert wrote:
> >> Hello,
> >> have a problem that process "clamscan" eats a lot of cpu, there are
> >> always like 5-8 clamscan processes even if there are not anything to
> >> scan.
> >>
> >> I have the latest version of Julians Mailscanner package.
> >>
> >> Would be great if someone have any advice?
> >
> > use clamd
> >
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se
From ap113list at voila.fr Wed Oct 15 17:28:35 2008
From: ap113list at voila.fr (ap113list@voila.fr)
Date: Wed Oct 15 17:28:44 2008
Subject: Problem with filename.rules.conf
Message-ID: <1397916.4951501224088115323.JavaMail.www@wwinf4612>

Hello,

I have a problem with 4.71.10-1. The config file MailScanner.conf has a directive "Filename Rules = %etc-dir%/filename.rules.conf". The rule file is the default one. But MailScanner is still delivering attachments which are normally blocked in "filename.rules.conf".

It is the same problem with "Filetype Rules".

Does someone have an idea to debug this issue?

The command "MailScanner --lint" does not give any error related to this.

Best regards,

Xavier
From glenn.steen at gmail.com Wed Oct 15 17:56:23 2008
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Oct 15 17:56:38 2008 Subject: Clamscan eats a lot of cpu In-Reply-To: <797363C57EE0884786F428AAABCD469202470E57@sea0120sex2.nordic.x> References: <797363C57EE0884786F428AAABCD469202470E42@sea0120sex2.nordic.x> <48EF3CD3.4060104@alexb.ch> <1964AAFBC212F742958F9275BF63DBB090742F@winchester.andrewscompanies.com> <223f97700810100705v36177af6xc6d393d692f28f0f@mail.gmail.com> <797363C57EE0884786F428AAABCD469202470E57@sea0120sex2.nordic.x> Message-ID: <223f97700810150956k1560b8fcya589490e5f051b08@mail.gmail.com> 2008/10/15 Meurlin Robert : > Is it just to change to the following line in /usr/lib/MailScanner/clamav-wrapper : > > ClamScan=$1/bin/clamdscan > > Instead of > ClamScan=$1/bin/clamscan > > ? > To paraphrase Donald Ducks Christmas (as sent on swedish TV.... Robert knows what I'm on about:-)... Nej nej nej dumsnut! ...:-) There are setup instructions on the wiki that you should be able to use. There was, prior to the clamd support, an effort to make what you suggest above work... But clamd is much better... Using Rick Coopers perl interface, MS will supply the objects directly to the clamd daemon directly without the need to fork of a "helper program/client". So you'll have much the same benefits as with clamavmodule, but with a lot better memory footprint... and the need to monitor the daemon process. Cheers -- Glenn > -----Ursprungligt meddelande----- > Fr?n: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] F?r Glenn Steen > Skickat: den 10 oktober 2008 16:05 > Till: MailScanner discussion > ?mne: Re: Clamscan eats a lot of cpu > > 2008/10/10 Steven Andrews : >> Most of my boxes are very low volume. I quit using clamd when it had a >> habit of just dying for not good reason; is it happy and stable now? >> >> Is there a wiki for setting up clamd? >> > Yes. > > To "manage" where clamd dies, use the simple "clamdmon" cron scriptlet. 
> > -- Glenn >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Broens
>> Sent: Friday, October 10, 2008 7:30 AM
>> To: MailScanner discussion
>> Subject: Re: Clamscan eats a lot of cpu
>>
>> On 10/10/2008 12:57 PM, Meurlin Robert wrote:
>>> Hello,
>>> have a problem that process "clamscan" eats a lot of cpu, there are
>>> always like 5-8 clamscan processes even if there are not anything to
>>> scan.
>>>
>>> I have the latest version of Julians Mailscanner package.
>>>
>>> Would be great if someone have any advice?
>>
>> use clamd
>>
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se
>
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From alex at rtpty.com Wed Oct 15 17:57:27 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Wed Oct 15 17:57:57 2008
Subject: Problem with filename.rules.conf
In-Reply-To: <1397916.4951501224088115323.JavaMail.www@wwinf4612>
References: <1397916.4951501224088115323.JavaMail.www@wwinf4612>
Message-ID:

Did you restart MailScanner? Did you configure MailScanner to log which
files *are* and *aren't* allowed?

On Oct 15, 2008, at 11:28 AM, ap113list@voila.fr wrote:

> Hello,
>
> I have a problem with 4.71.10-1. The config file MailScanner.conf
> has a directive "Filename Rules = %etc-dir%/filename.rules.conf".
> The rule file is the default one. But MailScanner is still
> delivering attachments which are normally blocked in
> "filename.rules.conf".
>
> It is the same problem with "Filetype Rules".
>
> Does someone have an idea how to debug this issue?
>
> The command "MailScanner --lint" does not give any error related to
> this.
>
> Best regards,
>
> Xavier

From asakawa at quickd.net Thu Oct 16 02:06:14 2008
From: asakawa at quickd.net (asakawa@quickd.net)
Date: Thu Oct 16 02:07:00 2008
Subject: Recent trend junkmails
Message-ID:

Recent tendency

The junk e-mail uses PHPMailer+phplist for the sending origin.

------------------------------Header--------------------------
X-Spam-ASN:
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on MY-HOSTNAME
X-Spam-Level: **************
X-Spam-Status: Yes, score=14.7 required=10.0 tests=ARIN,CONTENT_TYPE_PRESENT,
    HTML_IMAGE_ONLY_16,HTML_IMAGE_RATIO_02,HTML_MESSAGE,HTML_SHORT_LINK_IMG_2,
    MIME_HTML_ONLY,QENCPTR1,RCVD_NUMERIC_HELO2,RDNS_NONE,REVDNSUNKNOWN,
    X_MAILER_PRESENT autolearn=disabled version=3.2.5
X-Spam-Report:
    * 0.1 ARIN Mail from ARIN area (USA)
    * 1.5 RCVD_NUMERIC_HELO2 Received: contains bracketted IP address string
    * used for HELO
    * -0.1 CONTENT_TYPE_PRESENT exists:Content-Type
    * 0.1 X_MAILER_PRESENT exists:X-Mailer
    * 0.2 REVDNSUNKNOWN some MTA doesn't tell result of reverse dns lookup
    * failure.
    * 0.6 HTML_IMAGE_RATIO_02 BODY: HTML has a low ratio of text to image area
    * 1.0 HTML_MESSAGE BODY: HTML included in message
    * 0.4 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
    * 2.5 HTML_IMAGE_ONLY_16 BODY: HTML: images with 1200-1600 bytes of words
    * 0.2 QENCPTR1 FULL: Quoted-Printable mime pattern
    * 0.2 HTML_SHORT_LINK_IMG_2 HTML is very short with a linked image
    * 8.0 RDNS_NONE Delivered to trusted network by a host with no rDNS
Received: from [207.145.249.242] ([207.145.249.242])
    by MY-HOSTNAME (8.13.1/8.13.1) with ESMTP id m9FElnE0012007
    for ; Wed, 15 Oct 2008 23:47:50 +0900
Date: Wed, 15 Oct 2008 10:45:05 -0400
To: support@MY-MAIL-HOSTNAME
From: Best Home Pharmacy
Subject: [JUNK] [SUPER-SPAM] Get everything or nothing
Message-ID: <96d4c43ea6e45bc2eb7cc20c1ebb46be@newsletter.Lgcare.co.kr>
X-Priority: 3
X-Mailer: PHPMailer [version 1.73]
X-Mailer: phplist v2.10.4
X-MessageID: 6291
X-ListMember: support@MY-MAIL-HOSTNAME
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/html; charset="iso-8859-1"
X--MailScanner-Information: Please contact the ISP for more information
X--MailScanner-ID: m9FElnE0012007
X--MailScanner: Found to be clean
X--MailScanner-SpamCheck: spam, SpamAssassin (not cached, score=21.187,
    required 6, autolearn=disabled, ARIN 0.10, CONTENT_TYPE_PRESENT -0.10,
    DK_POLICY_SIGNSOME 0.00, HTML_IMAGE_ONLY_16 2.50,
    HTML_IMAGE_RATIO_02 0.55, HTML_MESSAGE 1.00,
    HTML_SHORT_LINK_IMG_2 0.24, MIME_HTML_ONLY 0.40, QENCPTR1 0.20,
    RAZOR2_CF_RANGE_51_100 2.50, RAZOR2_CF_RANGE_E4_51_100 1.50,
    RAZOR2_CF_RANGE_E8_51_100 1.50, RAZOR2_CHECK 1.00,
    RCVD_NUMERIC_HELO2 1.50, RDNS_NONE 8.00, REVDNSUNKNOWN 0.20,
    X_MAILER_PRESENT 0.10)
X--MailScanner-SpamScore: sssssssssssssssssssss
MailScanner-From: oettepeg1985@lgcare.co.kr
X-Spam-Prev-Subject: [SUPER-SPAM] Get everything or nothing
------------------------------Header--------------------------

Takashi Asakawa

From martinh at solidstatelogic.com Thu Oct 16 07:12:26 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Thu Oct 16 07:12:30 2008
Subject: Recent trend junkmails
Message-ID:

Hi

If you post the full email (with these nice headers on a pastebin or web
page) I can run it over my system which has lots of extra rules and see
what hits for me.

--
martin

-----Original Message-----
From:
Sent: 16 October 2008 02:12
To: MailScanner discussion
Subject: Recent trend junkmails

Recent tendency

The junk e-mail uses PHPMailer+phplist for the sending origin.

Takashi Asakawa

From erwan.loaec at cgin.fr Thu Oct 16 08:45:51 2008
From: erwan.loaec at cgin.fr (Erwan LOAEC)
Date: Thu Oct 16 08:46:22 2008
Subject: Virus and Content Scanning doesn't work
In-Reply-To: <48F6028A.4040901@cgin.fr>
References: <48F6028A.4040901@cgin.fr>
Message-ID: <48F6F12F.5030806@cgin.fr>

I answer to myself.
I've just reinstalled MIME::Parser lib and now it works. (I noticed that
mails were not exploded...)

--
Erwan Loaec

Erwan LOAEC wrote:
> Hello everyone.
>
> I've a problem with my MailScanner config.
> This morning I've noticed that MailScanner doesn't filter virus, and
> other content. Only the SpamAssassin step is fully working.
>
> For example, here is a log of a batch where 1 mail is containing an
> attachment with virus content.
> The mail is delivered to recipient...
>
> Same behaviour, there is no content checking at all. I've an other
> configuration which is working well, I cannot find the difference
> between both configurations.
>
> Oct 15 16:39:26 bart MailScanner[16588]: New Batch: Scanning 4 messages,
> 8076 bytes
> Oct 15 16:39:26 bart MailScanner[16588]: Spam Checks: Starting
> Oct 15 16:39:26 bart MailScanner[16588]: Message 984A21AB8C3.5B1C1 from
> 80.118.190.1 (workflow_error@xxxxx) is whitelisted
> Oct 15 16:39:26 bart MailScanner[16588]: Message 00C7B1AB8E4.5EDE5 from
> 80.118.190.1 (workflow_error@xxxxx) is whitelisted
> Oct 15 16:39:26 bart MailScanner[16588]: Message 4ED041AB804.069AA from
> 80.118.190.1 (workflow_error@xxxxx) is whitelisted
> Oct 15 16:39:26 bart MailScanner[16588]: Virus and Content Scanning:
> Starting
> Oct 15 16:39:29 bart MailScanner[16588]:
> /var/spool/MailScanner/incoming/16588/./99C0A1AB8EA.14730.message:
> ClamAV-Test-File FOUND
> Oct 15 16:39:29 bart MailScanner[16588]: Virus Scanning: ClamAV found 1
> infections
> Oct 15 16:39:29 bart MailScanner[16588]: Infected message
> 99C0A1AB8EA.14730.message came from
> Oct 15 16:39:29 bart MailScanner[16588]: Virus Scanning: Found 1 viruses
> Oct 15 16:39:29 bart MailScanner[16588]: Requeue: 984A21AB8C3.5B1C1 to
> A6EB71AB900
> Oct 15 16:39:29 bart MailScanner[16588]: Requeue: 99C0A1AB8EA.14730 to
> D66FC1AB8C3
> Oct 15 16:39:29 bart MailScanner[16588]: Requeue: 00C7B1AB8E4.5EDE5 to
> 82FDC1AB8EA
> Oct 15 16:39:29 bart MailScanner[16588]: Requeue: 4ED041AB804.069AA to
> 18EAB1AB8E4
> Oct 15 16:39:29 bart MailScanner[16588]: Uninfected: Delivered 4 messages
>
> Can anyone tell me which parameter I should have a look at?
>
> Thanks for advice...
>

From glenn.steen at gmail.com Thu Oct 16 09:30:28 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Oct 16 09:30:37 2008
Subject: Virus and Content Scanning doesn't work
In-Reply-To: <48F6F12F.5030806@cgin.fr>
References: <48F6028A.4040901@cgin.fr> <48F6F12F.5030806@cgin.fr>
Message-ID: <223f97700810160130h25ded7a3hf39caf6d25ea78fc@mail.gmail.com>

2008/10/16 Erwan LOAEC :
> I answer to myself.
> I've just reinstalled MIME::Parser lib and now it works. (I noticed that
> mails were not exploded...)
>
Thanks for the info Erwan... Could you tell us a bit more about your
setup, versions&distro&stuff like that, so we can put this info into
perspective?

Cheers
-- Glenn

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From erwan.loaec at cgin.fr Thu Oct 16 10:23:10 2008
From: erwan.loaec at cgin.fr (Erwan LOAEC)
Date: Thu Oct 16 10:23:40 2008
Subject: Virus and Content Scanning doesn't work
In-Reply-To: <48F6028A.4040901@cgin.fr>
References: <48F6028A.4040901@cgin.fr>
Message-ID: <48F707FE.5090806@cgin.fr>

I'm using
- MailScanner 4.70.7 (installed by myself)
- with clamav 0.93.3 (compiled by myself)
- postfix 2.5.2 (compiled by myself)

The OS is:
xxx:~/# cat /proc/version
Linux version 2.6.18-6-686 (Debian 2.6.18.dfsg.1-22etch2) (dannf@debian.org)
(gcc version 4.1.2 20061115 (prerelease) (Debian 4.1.1-21)) #1 SMP Mon Aug
18 08:42:39 UTC 2008

I debugged the perl code myself, and I've noticed after the line

"$entity = eval { $parser->parse($handle) };"
in MailScanner/Message.pm

The mail content should be exploded into the
/var/spool/MailScanner/PID/MESSAGE.ID, and the loop only found . and ..
directory.

That's why I've tested a cpan command:
cpan> test MIME::Parser

And I've noticed some strange things, I've just closed the terminal, I
cannot give out the exact output. I've just pressed "y" to the answer, and
then everything was good... I don't know what happened, MailScanner was
working fine 1 month ago...

This could help some guys in the same situation...

Best regards,
Erwan Loaec

From glenn.steen at gmail.com Thu Oct 16 11:20:51 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Oct 16 11:21:01 2008
Subject: Virus and Content Scanning doesn't work
In-Reply-To: <48F707FE.5090806@cgin.fr>
References: <48F6028A.4040901@cgin.fr> <48F707FE.5090806@cgin.fr>
Message-ID: <223f97700810160320k1302e3cfm867b1df00a404bc8@mail.gmail.com>

2008/10/16 Erwan LOAEC :
> I'm using
> - MailScanner 4.70.7 (installed by myself)
> - with clamav 0.93.3 (compiled by myself)
> - postfix 2.5.2 (compiled by myself)
>
> The OS is:
> xxx:~/# cat /proc/version
> Linux version 2.6.18-6-686 (Debian 2.6.18.dfsg.1-22etch2) (dannf@debian.org)
> (gcc version 4.1.2 20061115 (prerelease) (Debian 4.1.1-21)) #1 SMP Mon Aug
> 18 08:42:39 UTC 2008
>
>
> I debugged the perl code myself, and I've noticed after the line
>
> "$entity = eval { $parser->parse($handle) };"
> in MailScanner/Message.pm
>
> The mail content should be exploded into the
> /var/spool/MailScanner/PID/MESSAGE.ID, and the loop only found . and ..
> directory.
>
> That's why I've tested a cpan command:
> cpan> test MIME::Parser
>
> And I've noticed some strange things, I've just closed the terminal, I
> cannot give out the exact output. I've just pressed "y" to the answer, and
> then everything was good... I don't know what happened, MailScanner was
> working fine 1 month ago...
>
> This could help some guys in the same situation...
>
Exactly!:-)
Thanks for the elaboration.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From mark at msapiro.net Thu Oct 16 19:29:36 2008
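[Added example, not part of any list message and not MailScanner's own code.] The log quoted in the "Virus and Content Scanning doesn't work" thread shows the symptom worth alerting on: a batch of 4 messages, 1 virus found, and still "Uninfected: Delivered 4 messages". The sketch below groups MailScanner syslog lines by child PID and flags such batches; the `leaked` heuristic and the second (PID 16601) batch are assumptions added here.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the PID 16588 lines are a re-joined subset of the log
# quoted in the thread; the PID 16601 batch is invented as a healthy comparison.
SAMPLE_LOG = """\
Oct 15 16:39:26 bart MailScanner[16588]: New Batch: Scanning 4 messages, 8076 bytes
Oct 15 16:39:26 bart MailScanner[16588]: Spam Checks: Starting
Oct 15 16:39:26 bart MailScanner[16588]: Virus and Content Scanning: Starting
Oct 15 16:39:29 bart MailScanner[16588]: /var/spool/MailScanner/incoming/16588/./99C0A1AB8EA.14730.message: ClamAV-Test-File FOUND
Oct 15 16:39:29 bart MailScanner[16588]: Virus Scanning: ClamAV found 1 infections
Oct 15 16:39:29 bart MailScanner[16588]: Virus Scanning: Found 1 viruses
Oct 15 16:39:29 bart MailScanner[16588]: Requeue: 99C0A1AB8EA.14730 to D66FC1AB8C3
Oct 15 16:39:29 bart MailScanner[16588]: Uninfected: Delivered 4 messages
Oct 15 16:40:02 bart MailScanner[16601]: New Batch: Scanning 3 messages, 5120 bytes
Oct 15 16:40:05 bart MailScanner[16601]: Virus Scanning: Found 1 viruses
Oct 15 16:40:05 bart MailScanner[16601]: Uninfected: Delivered 2 messages
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\sMailScanner\[(?P<pid>\d+)\]:\s(?P<msg>.*)$"
)
NEW_BATCH = re.compile(r"^New Batch: Scanning (\d+) messages")
FOUND = re.compile(r"^(\S+): (.+) FOUND$")
VIRUSES = re.compile(r"^Virus Scanning: Found (\d+) viruses")
DELIVERED = re.compile(r"^Uninfected: Delivered (\d+) messages")


@dataclass
class Batch:
    pid: str
    started: str
    scanned: int
    viruses: int = 0
    delivered: int = 0
    hits: list = field(default_factory=list)  # (file name, signature) pairs

    @property
    def leaked(self):
        # Assumption: a healthy batch holds infected mail back, so the
        # "Uninfected: Delivered" count stays below the batch size.
        return self.viruses > 0 and self.delivered >= self.scanned


def audit(log_text):
    """Group MailScanner log lines into batches, keyed by child PID."""
    open_batches, finished = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        started = NEW_BATCH.match(msg)
        if started:
            if pid in open_batches:  # the same child starts its next batch
                finished.append(open_batches.pop(pid))
            open_batches[pid] = Batch(pid, m["ts"], int(started[1]))
            continue
        batch = open_batches.get(pid)
        if batch is None:
            continue  # line seen before any "New Batch" for this child
        hit = FOUND.match(msg)
        found = VIRUSES.match(msg)
        done = DELIVERED.match(msg)
        if hit:
            batch.hits.append((hit[1].rsplit("/", 1)[-1], hit[2]))
        elif found:
            batch.viruses = int(found[1])
        elif done:
            batch.delivered = int(done[1])
    finished.extend(open_batches.values())
    return finished


if __name__ == "__main__":
    for b in audit(SAMPLE_LOG):
        state = "LEAK" if b.leaked else "ok"
        print(f"{state:4} pid={b.pid} start={b.started} scanned={b.scanned} "
              f"viruses={b.viruses} delivered={b.delivered} hits={b.hits}")
```

A batch can shrink for other reasons (for example spam actions), so a clean result here does not prove that content scanning is working; a flagged batch is the signal to investigate.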
From: mark at msapiro.net (Mark Sapiro)
Date: Thu Oct 16 19:30:08 2008
Subject: Spurious {Disarmed} link.
Message-ID:

I received a message with the following (after MailScanner):

MailScanner has detected a possible fraud attempt from "www.bawt.org"
claiming to be www.bawt.org&nbsp;

It appears the original text was www.bawt.org&nbsp; and MailScanner sees
www.bawt.org&nbsp; as being different from www.bawt.org.

Since this can be confusing to recipients, perhaps Mailscanner could
treat &nbsp; as whitespace.

The original message was composed by
User-Agent: Outspring Mail 1.0.7 (81003.15.56) Mac OS X Version 10.4.11 (Build 8S2167) i486

--
Mark Sapiro                            The highway is for gamblers,
San Francisco Bay Area, California     better use your sense - B. Dylan

From alex at rtpty.com Thu Oct 16 19:44:27 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Thu Oct 16 19:44:40 2008
Subject: Spurious {Disarmed} link.
In-Reply-To:
References:
Message-ID: <21778ED0-FBAF-41C4-8B06-EB2A7CAC1206@rtpty.com>

Or maybe they should write "proper" html! ;-P

On Oct 16, 2008, at 1:29 PM, Mark Sapiro wrote:

> Since this can be confusing to recipients, perhaps Mailscanner could
> treat &nbsp; as whitespace.

From kate at rheel.co.nz Thu Oct 16 21:29:16 2008
From: kate at rheel.co.nz (Kate Kleinschafer)
Date: Thu Oct 16 21:28:00 2008
Subject: no such file or directory errors in logwatch
Message-ID: <48F7A41C.4020708@rheel.co.nz>

Hi,

I am getting lots of these in my logwatch email

writing to
/var/spool/MailScanner/quarantine/20081016/spam/CFB2162E753.73A42: No such
file or directory : 1 Time(s)

I think it may be related to the fact that MailScanner hasn't been creating
the quarantine/2008101. folders for the last couple of days
(I've had to manually create them)
Originally I thought it was permissions but I have made them postfix:apache
(which is correct against the mailscanner.conf file).

Could someone give me some things to check as I don't yet know enough about
how / when these folders are created to troubleshoot much further.
Also there don't seem to be any errors relating to this in the maillog.

Thanks
Kate

From mark at msapiro.net Fri Oct 17 00:17:11 2008
From: mark at msapiro.net (Mark Sapiro)
Date: Fri Oct 17 00:17:23 2008
Subject: Spurious {Disarmed} link.
In-Reply-To: <21778ED0-FBAF-41C4-8B06-EB2A7CAC1206@rtpty.com>
Message-ID:

Alex Neuman van der Hans wrote:

>Or maybe they should write "proper" html! ;-P
>
>On Oct 16, 2008, at 1:29 PM, Mark Sapiro wrote:
>
>> Since this can be confusing to recipients, perhaps Mailscanner could
>> treat &nbsp; as whitespace.
>

And just exactly what is not "proper" about

www.bawt.org&nbsp;

However, that's really beside the point. As I noted in the OP, that
HTML was generated by "Outspring Mail" which is a commercial 3rd party
Mac OS X MUA. I doubt the sender had much to do with the exact
generated HTML, and certainly the recipient had nothing to do with it,
but it's the recipient that sees

MailScanner has detected a possible fraud attempt from
"www.bawt.org" claiming to be www.bawt.org

in the received message.

--
Mark Sapiro                            The highway is for gamblers,
San Francisco Bay Area, California     better use your sense - B. Dylan

From MailScanner at ecs.soton.ac.uk Fri Oct 17 10:29:51 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Oct 17 10:30:16 2008
Subject: Spurious {Disarmed} link.
In-Reply-To:
References:
Message-ID: <48F85B0F.9080600@ecs.soton.ac.uk>

Fixed for the next release.

Mark Sapiro wrote:
> Alex Neuman van der Hans wrote:
>
>> Or maybe they should write "proper" html! ;-P
>>
>> On Oct 16, 2008, at 1:29 PM, Mark Sapiro wrote:
>>
>>> Since this can be confusing to recipients, perhaps Mailscanner could
>>> treat &nbsp; as whitespace.
>
> And just exactly what is not "proper" about
>
> www.bawt.org&nbsp;
>
> However, that's really beside the point. As I noted in the OP, that
> HTML was generated by "Outspring Mail" which is a commercial 3rd party
> Mac OS X MUA. I doubt the sender had much to do with the exact
> generated HTML, and certainly the recipient had nothing to do with it,
> but it's the recipient that sees
>
> MailScanner has detected a possible fraud attempt from
> "www.bawt.org" claiming to be www.bawt.org
>
> in the received message.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From glenn.steen at gmail.com Fri Oct 17 11:00:11 2008
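[Added example, not part of any list message and not MailScanner's own code.] The "Spurious {Disarmed} link" thread turns on one detail: a link-text versus link-target comparison that does not treat `&nbsp;` (U+00A0) as whitespace reports a mismatch for a harmless link. This simplified model of such a check shows the false positive, and that normalising the non-breaking space removes it while a link whose text names a different host is still flagged; the sample HTML, host names and function names are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the first link mirrors the case reported in the thread
# (link text followed by &nbsp;), the second is a real text/target mismatch.
SAMPLE_HTML = (
    '<p><a href="http://www.bawt.org/">www.bawt.org&nbsp;</a></p>'
    '<p><a href="http://login.unrelated.example/">www.bank.example&nbsp;</a></p>'
)

HOSTLIKE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # &nbsp; arrives as U+00A0
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def claimed_host(link_text, nbsp_is_space=True):
    """Host name the visible text appears to promise, or None."""
    if nbsp_is_space:
        link_text = link_text.replace("\u00a0", " ")
    # Split on ASCII whitespace only: str.split() with no argument would also
    # split on U+00A0 and hide the behaviour being modelled.
    tokens = [t for t in re.split(r"[ \t\r\n]+", link_text) if t]
    if not tokens:
        return None
    token = re.sub(r"^[a-z][a-z0-9+.-]*://", "", tokens[0].lower())
    host = token.split("/", 1)[0]
    # Only text that starts like a host name makes a claim worth comparing.
    return host if HOSTLIKE.match(host) else None


def check_links(html, nbsp_is_space=True):
    """Return (claimed, real) pairs where the text names another host."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        real = (urlsplit(href).hostname or "").lower()
        claimed = claimed_host(text, nbsp_is_space)
        if claimed and real and claimed != real:
            findings.append((claimed, real))
    return findings


if __name__ == "__main__":
    print("nbsp kept as text :", check_links(SAMPLE_HTML, nbsp_is_space=False))
    print("nbsp as whitespace:", check_links(SAMPLE_HTML, nbsp_is_space=True))
```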
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Oct 17 11:00:20 2008
Subject: no such file or directory errors in logwatch
In-Reply-To: <48F7A41C.4020708@rheel.co.nz>
References: <48F7A41C.4020708@rheel.co.nz>
Message-ID: <223f97700810170300i5a9d7ccdle46948b8e94d287e@mail.gmail.com>

2008/10/16 Kate Kleinschafer :
> Hi,
>
> I am getting lots of these in my logwatch email
>
> writing to
> /var/spool/MailScanner/quarantine/20081016/spam/CFB2162E753.73A42: No such
> file or directory : 1 Time(s)
>
> I think it may be related to the fact that MailScanner hasn't been creating
> the quarantine/2008101. folders for the last couple of days
> (I've had to manually create them)
> Originally I thought it was permissions but I have made them postfix:apache
> (which is correct against the mailscanner.conf file).
>
> Could someone give me some things to check as I don't yet know enough about
> how / when these folders are created to troubleshoot much further.
> Also there don't seem to be any errors relating to this in the maillog.
>
> Thanks
> Kate

What do you have for Run As and the diverse permissions in
MailScanner.conf?
Can your postfix user actually create the needed quarantine directories?
You check this with:
su - postfix -s /bin/bash
... and then use normal commands like cd, mkdir (and ls) to check that
it can do what is needed.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From test at remedial-teacher.nl Sun Oct 19 15:25:33 2008
From: test at remedial-teacher.nl (Test)
Date: Sun Oct 19 15:27:44 2008
Subject: Skipping checks on a whole domain
Message-ID: <20081019162317.C8A5.EE63E960@remedial-teacher.nl>

Hi list,

I am currently in the process of getting a relay domain setup for a
friend of mine. (because his provider blocks port 25) and i relay to a
different port at his side...

The relaying is setup ok but i want to disable mailscanner completely
for this domain (so just relay, no scanning of spam/virus)..

How can i get this to work ?

--
Test

From test at remedial-teacher.nl Sun Oct 19 15:53:19 2008
From: test at remedial-teacher.nl (Test)
Date: Sun Oct 19 15:56:45 2008
Subject: Skipping checks on a whole domain
In-Reply-To: <20081019162317.C8A5.EE63E960@remedial-teacher.nl>
References: <20081019162317.C8A5.EE63E960@remedial-teacher.nl>
Message-ID: <20081019165150.C8AC.EE63E960@remedial-teacher.nl>

Hmm, i seemed to have missed this part in the MailScanner.conf.

But what i would actually like to have is that the relayed mail goes
completely around mailscanner (so no logging, mailwatch etc.)

Must be some option in postfix to get this to work ?

# The purpose of this option is to set it to be a ruleset, so that you
# can skip all scanning of mail destined for some of your users/customers
# and still scan all the rest.
# A sample ruleset would look like this:
#   To:       bad.customer.com   no
#   From:     ignore.domain.com  no
#   FromOrTo: default            yes
# That will scan all mail except mail to bad.customer.com and mail from
# ignore.domain.com. To set this up, put the 3 lines above into a file
# called /etc/MailScanner/rules/scan.messages.rules and set the next line to
# Scan Messages = %rules-dir%/scan.messages.rules
# This can also be the filename of a ruleset (as illustrated above).
#Scan Messages = yes
Scan Messages = %rules-dir%/scan.messages.rules

--
Test

From gesbbb at yahoo.com Sun Oct 19 17:29:27 2008
From: gesbbb at yahoo.com (Jerry)
Date: Sun Oct 19 17:29:50 2008
Subject: Skipping checks on a whole domain
In-Reply-To: <20081019162317.C8A5.EE63E960@remedial-teacher.nl>
References: <20081019162317.C8A5.EE63E960@remedial-teacher.nl>
Message-ID: <20081019122927.0b690094@scorpio>

On Sun, 19 Oct 2008 16:25:33 +0200 Test wrote:

>I am currently in the process of getting a relay domain setup for a
>friend of mine. (because his provider blocks port 25) and i relay to a
>different port at his side...
>
>The relaying is setup ok but i want to disable mailscanner completely
>for this domain (so just relay, no scanning of spam/virus)..
>
>How can i get this to work ?

What MTA are you using? If Postfix, then it is quite possible. You
could post on their forum for further information.

http://www.postfix.com/lists.html

--
Jerry
gesbbb@yahoo.com

HEAD CRASH!! FILES LOST!! Details at 11.

From ram at netcore.co.in Mon Oct 20 07:33:47 2008
From: ram at netcore.co.in (ram)
Date: Mon Oct 20 07:34:03 2008
Subject: Skipping checks on a whole domain
In-Reply-To: <20081019165150.C8AC.EE63E960@remedial-teacher.nl>
References: <20081019162317.C8A5.EE63E960@remedial-teacher.nl> <20081019165150.C8AC.EE63E960@remedial-teacher.nl>
Message-ID: <1224484427.1275.77.camel@darkstar.netcore.co.in>

On Sun, 2008-10-19 at 16:53 +0200, Test wrote:
> Hmm, i seemed to have missed this part in the MailScanner.conf.
>
> But what i would actually like to have is that the relayed mail goes
> completely around mailscanner (so no logging, mailwatch etc.)
>
> Must be some option in postfix to get this to work ?

You must be using header_checks in postfix to put mails on hold.
Ask your friend to relay on the submission port (587) and disable
header_checks on the submission port. That is just a single line change
in master.cf

From chris at clh.org.uk Mon Oct 20 10:08:32 2008
From: chris at clh.org.uk (Chris Hardy)
Date: Mon Oct 20 10:08:51 2008
Subject: Spamhaus RBLs
In-Reply-To: <1224484427.1275.77.camel@darkstar.netcore.co.in>
References: <20081019162317.C8A5.EE63E960@remedial-teacher.nl> <20081019165150.C8AC.EE63E960@remedial-teacher.nl> <1224484427.1275.77.camel@darkstar.netcore.co.in>
Message-ID: <48FC4A90.4090509@clh.org.uk>

Hi All

Is it me, or are the spamhaus RBL lists not responding today?
I cannot ping zen.spamhaus.org or xbl.spamhaus.org - DNS says unknown host

I've tried this from multiple ISP connections.

This has resulted in a much larger increase in spam getting through to
my systems.

Thanks
Chris

From ms-list at alexb.ch Mon Oct 20 10:19:28 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Mon Oct 20 10:19:39 2008
Subject: Spamhaus RBLs
In-Reply-To: <48FC4A90.4090509@clh.org.uk>
References: <20081019162317.C8A5.EE63E960@remedial-teacher.nl> <20081019165150.C8AC.EE63E960@remedial-teacher.nl> <1224484427.1275.77.camel@darkstar.netcore.co.in> <48FC4A90.4090509@clh.org.uk>
Message-ID: <48FC4D20.6060906@alexb.ch>

On 10/20/2008 11:08 AM, Chris Hardy wrote:
> Hi All
>
> Is it me, or are the spamhaus RBL lists not responding today?
> I cannot ping zen.spamhaus.org or xbl.spamhaus.org - DNS says unknown host
>
> I've tried this from multiple ISP connections.
>
> This has resulted in a much larger increase in spam getting through to
> my systems.

Seems you've been tarpitted/blocked for being a heavy hitter.

http://www.spamhaus.org/faq/answers.lasso?section=DNSBL%20Usage#220

Free Use vs Commercial Use

Use of the Spamhaus DNSBLs via DNS queries to our public DNSBL mirrors
is free of charge for low-volume non-commercial use. To check if you
qualify for free use, please see Spamhaus DNSBL Usage Criteria.

Use of the Spamhaus DNSBLs by ISPs, corporations and networks with high
email traffic, or commercial spam filter companies requires a
subscription to the Spamhaus dedicated Data Feed Service.
__

Frequently Asked Questions (FAQ) Data Feed
http://www.spamhaus.org/faq/answers.lasso?section=Data%20Fee

From ram at netcore.co.in Mon Oct 20 12:17:05 2008
From: ram at netcore.co.in (ram)
Date: Mon Oct 20 12:17:19 2008
Subject: Spamhaus RBLs
In-Reply-To: <48FC4A90.4090509@clh.org.uk>
References: <20081019162317.C8A5.EE63E960@remedial-teacher.nl> <20081019165150.C8AC.EE63E960@remedial-teacher.nl> <1224484427.1275.77.camel@darkstar.netcore.co.in> <48FC4A90.4090509@clh.org.uk>
Message-ID: <1224501425.1275.142.camel@darkstar.netcore.co.in>

On Mon, 2008-10-20 at 10:08 +0100, Chris Hardy wrote:
> Hi All
>
> Is it me, or are the spamhaus RBL lists not responding today?
> I cannot ping zen.spamhaus.org or xbl.spamhaus.org - DNS says unknown host
>
> I've tried this from multiple ISP connections.
>
> This has resulted in a much larger increase in spam getting through to
> my systems.

AFAIK Spamhaus offers its datafeed by rsync for free , for non
commercial use for a small number of users

Just set up a local rbldnsd and get the feeds. And the performance will
be much better

From dominian at slackadelic.com Mon Oct 20 14:05:22 2008
From: dominian at slackadelic.com (Matt Hayes)
Date: Mon Oct 20 14:05:38 2008
Subject: Spamhaus RBLs
In-Reply-To: <1224501425.1275.142.camel@darkstar.netcore.co.in>
References: <20081019162317.C8A5.EE63E960@remedial-teacher.nl> <20081019165150.C8AC.EE63E960@remedial-teacher.nl> <1224484427.1275.77.camel@darkstar.netcore.co.in> <48FC4A90.4090509@clh.org.uk> <1224501425.1275.142.camel@darkstar.netcore.co.in>
Message-ID: <48FC8212.20508@slackadelic.com>

ram wrote:
> On Mon, 2008-10-20 at 10:08 +0100, Chris Hardy wrote:
>> Hi All
>>
>> Is it me, or are the spamhaus RBL lists not responding today?
>> I cannot ping zen.spamhaus.org or xbl.spamhaus.org - DNS says unknown host
>>
>> I've tried this from multiple ISP connections.
>>
>> This has resulted in a much larger increase in spam getting through to
>> my systems.
>
>
> AFAIK Spamhaus offers its datafeed by rsync for free , for non
> commercial use for a small number of users
>
> Just set up a local rbldnsd and get the feeds. And the performance will
> be much better
>

I thought the feed was pay to use no matter what? if it isn't, I'd like
information on that.

-matt

From ms-list at alexb.ch Mon Oct 20 14:17:03 2008
From: ms-list at alexb.ch (Alex Broens) Date: Mon Oct 20 14:17:17 2008 Subject: Spamhaus RBLs In-Reply-To: <48FC8212.20508@slackadelic.com> References: <20081019162317.C8A5.EE63E960@remedial-teacher.nl> <20081019165150.C8AC.EE63E960@remedial-teacher.nl> <1224484427.1275.77.camel@darkstar.netcore.co.in> <48FC4A90.4090509@clh.org.uk> <1224501425.1275.142.camel@darkstar.netcore.co.in> <48FC8212.20508@slackadelic.com> Message-ID: <48FC84CF.5040604@alexb.ch> On 10/20/2008 3:05 PM, Matt Hayes wrote: > ram wrote: >> On Mon, 2008-10-20 at 10:08 +0100, Chris Hardy wrote: >>> Hi All >>> >>> Is it me, or are the spamhaus RBL lists not responding today? >>> I cannot ping zen.spamhaus.org or xbl.spamhaus.org - DNS says unknown host >>> >>> I've tried this from multiple ISP connections. >>> >>> This has resulted in a much larger increase in spam getting through to >>> my systems. >> >> AFAIK Spamhaus offers its datafeed by rsync for free , for non >> commercial use for a small number of users >> >> Just set up a local rbldnsd and get the feeds. And the performance will >> be much better >> >> >> > > I thought the feed was pay to use no matter what? if it isn't, I'd like > information on that. I honestly doubt you'd get a free rsync (PBL+PB+XBL= +80MB) and if you're off their radar, why even worry with rsync lag and extra stuff to deploy & manage? ....but Spamhaus.org's FAQ is probably the better place to find out. From dave.list at pixelhammer.com Mon Oct 20 14:22:31 2008 
From: dave.list at pixelhammer.com (DAve) Date: Mon Oct 20 14:22:53 2008 Subject: Spamhaus RBLs In-Reply-To: <48FC8212.20508@slackadelic.com> References: <20081019162317.C8A5.EE63E960@remedial-teacher.nl> <20081019165150.C8AC.EE63E960@remedial-teacher.nl> <1224484427.1275.77.camel@darkstar.netcore.co.in> <48FC4A90.4090509@clh.org.uk> <1224501425.1275.142.camel@darkstar.netcore.co.in> <48FC8212.20508@slackadelic.com> Message-ID: <48FC8617.2070808@pixelhammer.com> Matt Hayes wrote: > ram wrote: >> On Mon, 2008-10-20 at 10:08 +0100, Chris Hardy wrote: >>> Hi All >>> >>> Is it me, or are the spamhaus RBL lists not responding today? >>> I cannot ping zen.spamhaus.org or xbl.spamhaus.org - DNS says unknown host >>> >>> I've tried this from multiple ISP connections. >>> >>> This has resulted in a much larger increase in spam getting through to >>> my systems. >> >> AFAIK Spamhaus offers its datafeed by rsync for free , for non >> commercial use for a small number of users >> >> Just set up a local rbldnsd and get the feeds. And the performance will >> be much better >> >> >> > > I thought the feed was pay to use no matter what? if it isn't, I'd like > information on that. > > -matt Even a non-profit with less than 100 users needs to pay $250 for datafeed (according to the website form). DAve -- I am watching the debate and I am very disappointed. The rules are simple, "answer the question". I would vote right now, and I can in Indiana, for the man who answered the question directly, in less than a minute, and then sat down before the green light was out. From dominian at slackadelic.com Mon Oct 20 14:41:21 2008 
From: dominian at slackadelic.com (Matt Hayes) Date: Mon Oct 20 14:41:33 2008 Subject: Spamhaus RBLs In-Reply-To: <48FC8617.2070808@pixelhammer.com> References: <20081019162317.C8A5.EE63E960@remedial-teacher.nl> <20081019165150.C8AC.EE63E960@remedial-teacher.nl> <1224484427.1275.77.camel@darkstar.netcore.co.in> <48FC4A90.4090509@clh.org.uk> <1224501425.1275.142.camel@darkstar.netcore.co.in> <48FC8212.20508@slackadelic.com> <48FC8617.2070808@pixelhammer.com> Message-ID: <48FC8A81.20607@slackadelic.com> DAve wrote: > Matt Hayes wrote: >> ram wrote: >>> On Mon, 2008-10-20 at 10:08 +0100, Chris Hardy wrote: >>>> Hi All >>>> >>>> Is it me, or are the spamhaus RBL lists not responding today? >>>> I cannot ping zen.spamhaus.org or xbl.spamhaus.org - DNS says >>>> unknown host >>>> >>>> I've tried this from multiple ISP connections. >>>> >>>> This has resulted in a much larger increase in spam getting through >>>> to my systems. >>> >>> AFAIK Spamhaus offers its datafeed by rsync for free , for non >>> commercial use for a small number of users >>> Just set up a local rbldnsd and get the feeds. And the performance will >>> be much better >>> >>> >>> >> >> I thought the feed was pay to use no matter what? if it isn't, I'd like >> information on that. >> >> -matt > > Even a non-profit with less than 100 users needs to pay $250 for > datafeed (according to the website form). > > DAve > Yep, that's what I thought. -Matt From martinh at solidstatelogic.com Mon Oct 20 14:43:45 2008 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Mon Oct 20 14:44:05 2008 Subject: Spamhaus RBLs In-Reply-To: <48FC8212.20508@slackadelic.com> Message-ID: <1a624d544ad0d2468a92e3c1f4d2e463@solidstatelogic.com> Hi You can get free direct DNS lookups for low usage... http://www.spamhaus.org/organization/dnsblusage.html Not to be confused with free rsync.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Matt Hayes > Sent: 20 October 2008 14:05 > To: MailScanner discussion > Subject: Re: Spamhaus RBLs > > ram wrote: > > On Mon, 2008-10-20 at 10:08 +0100, Chris Hardy wrote: > >> Hi All > >> > >> Is it me, or are the spamhaus RBL lists not responding today? > >> I cannot ping zen.spamhaus.org or xbl.spamhaus.org - DNS > says unknown > >> host > >> > >> I've tried this from multiple ISP connections. > >> > >> This has resulted in a much larger increase in spam > getting through > >> to my systems. > > > > > > AFAIK Spamhaus offers its datafeed by rsync for free , for non > > commercial use for a small number of users > > > > Just set up a local rbldnsd and get the feeds. And the performance > > will be much better > > > > > > > > I thought the feed was pay to use no matter what? if it > isn't, I'd like information on that. > > -matt
From simon at kmun.gov.kw Mon Oct 20 17:00:30 2008 From: simon at kmun.gov.kw (Benedict simon) Date: Mon Oct 20 16:29:02 2008 Subject: query on upgrade my clamav Message-ID: <1696.91.198.134.226.1224518430.squirrel@webmail.baladia.gov.kw> Dear All, I have the following setup running perfectly fine on my live server centos 5 sendmail 8.13.8-2.el5 MailScanner 4.66.5 clamav ver .093+ spam assassin installed from jules package i would like to upgrade my clamav n spammassasin could i jus download and install the new JUles clamav ver 0.94 + spam assassin package over my existing setup apprecite your help regards simon -- Network ADMIN ------------- KUWAIT MUNICIPALITY: -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From chris at clh.org.uk Mon Oct 20 16:46:48 2008
From: chris at clh.org.uk (Chris Hardy) Date: Mon Oct 20 16:47:10 2008 Subject: query on upgrade my clamav In-Reply-To: <1696.91.198.134.226.1224518430.squirrel@webmail.baladia.gov.kw> References: <1696.91.198.134.226.1224518430.squirrel@webmail.baladia.gov.kw> Message-ID: <48FCA7E8.90509@clh.org.uk> Benedict simon wrote: > Dear All, > > I have the following setup running perfectly fine on my live server > > centos 5 > sendmail 8.13.8-2.el5 > MailScanner 4.66.5 > clamav ver .093+ spam assassin installed from jules package > > i would like to upgrade my clamav n spammassasin > > could i jus download and install the new JUles clamav ver 0.94 + spam > assassin package over my existing setup > > apprecite your help > > regards > > simon > > Hi Simon, That's how i usually update my server - download the newest version from www.mailscanner.info, and install. I would recommend you update your version of MailScanner too - 4.66 is quite old now Chris -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mark at msapiro.net Mon Oct 20 17:05:07 2008 
From: mark at msapiro.net (Mark Sapiro) Date: Mon Oct 20 17:05:16 2008 Subject: Skipping checks on a whole domain In-Reply-To: <1224484427.1275.77.camel@darkstar.netcore.co.in> References: <20081019162317.C8A5.EE63E960@remedial-teacher.nl> <20081019165150.C8AC.EE63E960@remedial-teacher.nl> <1224484427.1275.77.camel@darkstar.netcore.co.in> Message-ID: <20081020160507.GA3564@msapiro> On Mon, Oct 20, 2008 at 12:03:47PM +0530, ram wrote: > On Sun, 2008-10-19 at 16:53 +0200, Test wrote: > > Hmm, i seemed to have missed this part in the MailScanner.conf. > > > > But what i would actually like to have is that the relayed mail goes > > completely around mailscanner (so no logging, mailwatch etc.) > > > > Must be some option in postfix to get this to work ? > > > You must be using header_checks in postfix to put mails in hold > > Ask you friend to relay on the submission port(587) and disable > header_checks on the submission port. That is just a single line change > in master.cf As I understand the OP's situation, this won't work. I think he is acting as the incoming MX for his friend's domain because the friend's provider blocks incoming port 25. There probably is a way to do this in postfix, but it isn't by changing the port the mail arrives at. -- Mark Sapiro mark at msapiro net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From sandrews at andrewscompanies.com Mon Oct 20 17:07:45 2008 
From: sandrews at andrewscompanies.com (Steven Andrews) Date: Mon Oct 20 17:07:55 2008 Subject: Spamhaus RBLs In-Reply-To: <48FC4A90.4090509@clh.org.uk> References: <20081019162317.C8A5.EE63E960@remedial-teacher.nl> <20081019165150.C8AC.EE63E960@remedial-teacher.nl><1224484427.1275.77.camel@darkstar.netcore.co.in> <48FC4A90.4090509@clh.org.uk> Message-ID: <1964AAFBC212F742958F9275BF63DBB0907552@winchester.andrewscompanies.com> DNS is giving me the same here. Although, I can ping it from my comcrap machine. Xbl should be 208.69.32.132 and when I am back on the connection that says unknown host I CAN ping that IP directly. -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Chris Hardy Sent: Monday, October 20, 2008 5:09 AM To: MailScanner discussion Subject: Spamhaus RBLs Hi All Is it me, or are the spamhaus RBL lists not responding today? I cannot ping zen.spamhaus.org or xbl.spamhaus.org - DNS says unknown host I've tried this from multiple ISP connections. This has resulted in a much larger increase in spam getting through to my systems. Thanks Chris -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From stef at aoc-uk.com Mon Oct 20 17:46:27 2008 From: stef at aoc-uk.com (Stef Morrell) Date: Mon Oct 20 17:46:44 2008 Subject: Skipping checks on a whole domain In-Reply-To: References: <20081019162317.C8A5.EE63E960@remedial-teacher.nl><20081019165150.C8AC.EE63E960@remedial-teacher.nl><1224484427.1275.77.camel@darkstar.netcore.co.in> Message-ID: <200810201646.m9KGkaQ3008633@safir.blacknight.ie> > -----Original Message----- 
> From: Mark Sapiro
> Sent: 20 October 2008 17:05
> To: MailScanner discussion
> Subject: Re: Skipping checks on a whole domain
>
> On Mon, Oct 20, 2008 at 12:03:47PM +0530, ram wrote:
> > On Sun, 2008-10-19 at 16:53 +0200, Test wrote:
> > > Hmm, i seemed to have missed this part in the MailScanner.conf.
> > >
> > > But what i would actually like to have is that the relayed mail goes
> > > completely around mailscanner (so no logging, mailwatch etc.)
> > >
> > > Must be some option in postfix to get this to work ?
> >
>
> As I understand the OP's situation, this won't work. I think
> he is acting as the incoming MX for his friend's domain
> because the friend's provider blocks incoming port 25. There
> probably is a way to do this in postfix, but it isn't by
> changing the port the mail arrives at.

I've tried this at some length and header_checks are a doozy in postfix
as every header line is checked, so it's going to match /^Received/ at
some stage and be put into HOLD for MailScanner to process.

You might be able to achieve something useful in header_checks with

if !/^Received: /
/^Received:/ HOLD
endif

But only if you can guarantee only one Received header will appear,
otherwise any other Received headers will end up sending the email to
the HOLD queue.

Alternatively, you might be able to do something with the FILTER action
in header_checks, putting your filtering rule before the general HOLDing
rule. I'm unsure quite how that will work though, RTM I guess.

Stef

Stefan Morrell | Operations Director
Tel: 0845 3452820 | Alpha Omega Computers Ltd
Fax: 0845 3452830 | Incorporating Level 5 Internet
stef@aoc-uk.com | stef@l5net.net

Alpha Omega Computers Ltd, Unit 57, BBTC, Grange Road, Batley, WF17 6ER.
Registered in England No. 3867142. VAT No. GB734421454

From glenn.steen at gmail.com Mon Oct 20 18:11:05 2008
From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Oct 20 18:11:15 2008 Subject: Skipping checks on a whole domain In-Reply-To: <200810201646.m9KGkaQ3008633@safir.blacknight.ie> References: <20081019162317.C8A5.EE63E960@remedial-teacher.nl> <20081019165150.C8AC.EE63E960@remedial-teacher.nl> <1224484427.1275.77.camel@darkstar.netcore.co.in> <200810201646.m9KGkaQ3008633@safir.blacknight.ie> Message-ID: <223f97700810201011s7cc06791x504ab6cce751a8d2@mail.gmail.com> 2008/10/20 Stef Morrell : >> -----Original Message----- 
>> From: Mark Sapiro >> Sent: 20 October 2008 17:05 >> To: MailScanner discussion >> Subject: Re: Skipping checks on a whole domain >> >> On Mon, Oct 20, 2008 at 12:03:47PM +0530, ram wrote: >> > On Sun, 2008-10-19 at 16:53 +0200, Test wrote: >> > > Hmm, i seemed to have missed this part in the MailScanner.conf. >> > > >> > > But what i would actually like to have is that the >> relayed mail goes >> > > completely around mailscanner (so no logging, mailwatch etc.) >> > > >> > > Must be some option in postfix to get this to work ? >> > >> > >> As I understand the OP's situation, this won't work. I think >> he is acting as the incoming MX for his friend's domain >> because the friend's provider blocks incoming port 25. There >> probably is a way to do this in postfix, but it isn't by >> changing the port the mail arrives at. > > I've tried this at some length and header_checks are a doozy in postfix > as every header line is checked, so it's going to match /^Received/ at > some stage and be put into HOLD for MailScanner to process. > > You might be able to achieve something useful in header_checks with > > if !/^Received: / > /^Received:/ HOLD > endif > > But only if you can guarantee only one Received header will appear, > otherwise any other Received headers will end up sending the email to > the HOLD queue. > Um, didn't you participate in the thread Hugo had on selective hold (through access...)? IIUC, that should be able to do what is needed. Anyone interested should look up "Selective HOLD" in the ml archives:-). > Alternatively, you might be able to do something with the FILTER action > in header_checks, putting your filtering rule before the general HOLDing > rule. I'm unsure quite how that will work though, RTM I guess. ... too tired to think this through properly, but ... I'm not sure it'd work. 
> Stef Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From lists at tippingmar.com Mon Oct 20 18:23:20 2008 From: lists at tippingmar.com (Mark Nienberg) Date: Mon Oct 20 18:23:37 2008 Subject: query on upgrade my clamav In-Reply-To: <1696.91.198.134.226.1224518430.squirrel@webmail.baladia.gov.kw> References: <1696.91.198.134.226.1224518430.squirrel@webmail.baladia.gov.kw> Message-ID: <48FCBE88.6080208@tippingmar.com> Benedict simon wrote: > I have the following setup running perfectly fine on my live server > > centos 5 > sendmail 8.13.8-2.el5 > MailScanner 4.66.5 > clamav ver .093+ spam assassin installed from jules package > > i would like to upgrade my clamav n spammassasin > > could i jus download and install the new JUles clamav ver 0.94 + spam > assassin package over my existing setup > No, you need to upgrade MailScanner also in order to get support for the 0.94 version of clamav. See the changelog http://www.mailscanner.info/ChangeLog Current thinking seems to be in favor of using clamd installed from rpmforge packages instead of clamavmodule. So: Install latest beta of MailScanner. yum install clamd from rpmforge repo (search the wiki for "clamd" for complete instructions). If your spamassassin is out of date, install it from Jules's easy install package, but tell it not to install clamav. Mark Nienberg From lists at tippingmar.com Mon Oct 20 19:32:32 2008 
From: lists at tippingmar.com (Mark Nienberg)
Date: Mon Oct 20 19:32:50 2008
Subject: more install.sh
Message-ID: <48FCCEC0.1080702@tippingmar.com>

I think on a centOS system the installer.sh is doing this for the perl
modules that conflict with the base perl:

check to see if the perl module is installed,
see that it isn't,
build an rpm for the module from the downloaded src,
attempt to install the rpm, but the install fails due to conflict with installed perl,
force install only for those that absolutely need it.

I'm wondering if the process could be shortened to eliminate building the
rpm for the module if the rpm already exists in /usr/src/redhat/RPMS
(probably from a previous MailScanner install).

Alternatively, could the initial check for the module be improved
somehow to detect that the module is already installed as part of the
core perl installation? I suspect that must not be possible or Jules
would have done it already.

Also, the installer builds rpms for packages that will not install due
to already installed rpms. For example, on my system it builds
perl-IO-stringy-2.110-1 and tries to install it, but discovers that
perl-IO-stringy-2.110-1.2.el5.rf is already installed. Could the
installer test for already installed rpms before building and attempting
installation of the new one? In the above example it would run
"rpm -q perl-IO-stringy" and then do some sort of version checking.

Mark Nienberg

From simon at kmun.gov.kw Mon Oct 20 20:05:54 2008
From: simon at kmun.gov.kw (Benedict simon) Date: Mon Oct 20 19:34:26 2008 Subject: query on upgrade my clamav In-Reply-To: <48FCBE88.6080208@tippingmar.com> References: <1696.91.198.134.226.1224518430.squirrel@webmail.baladia.gov.kw> <48FCBE88.6080208@tippingmar.com> Message-ID: <2066.91.198.134.226.1224529554.squirrel@webmail.baladia.gov.kw> Thanks Mark, Really apprecite ur quick reply regards simon > Benedict simon wrote: >> I have the following setup running perfectly fine on my live server >> >> centos 5 >> sendmail 8.13.8-2.el5 >> MailScanner 4.66.5 >> clamav ver .093+ spam assassin installed from jules package >> >> i would like to upgrade my clamav n spammassasin >> >> could i jus download and install the new JUles clamav ver 0.94 + spam >> assassin package over my existing setup >> > No, you need to upgrade MailScanner also in order to get support for the > 0.94 version of clamav. > > See the changelog http://www.mailscanner.info/ChangeLog > > Current thinking seems to be in favor of using clamd installed from > rpmforge packages instead of clamavmodule. > > So: > > Install latest beta of MailScanner. > yum install clamd from rpmforge repo (search the wiki for "clamd" for > complete instructions). > If your spamassassin is out of date, install it from Jules's easy > install package, but tell it not to install clamav. > > Mark Nienberg > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > -- Network ADMIN ------------- KUWAIT MUNICIPALITY: -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ssilva at sgvwater.com Mon Oct 20 19:52:31 2008 
From: ssilva at sgvwater.com (Scott Silva) Date: Mon Oct 20 19:52:55 2008 Subject: Spamhaus RBLs In-Reply-To: <48FC4A90.4090509@clh.org.uk> References: <20081019162317.C8A5.EE63E960@remedial-teacher.nl> <20081019165150.C8AC.EE63E960@remedial-teacher.nl> <1224484427.1275.77.camel@darkstar.netcore.co.in> <48FC4A90.4090509@clh.org.uk> Message-ID: on 10-20-2008 2:08 AM Chris Hardy spake the following: > Hi All > > Is it me, or are the spamhaus RBL lists not responding today? > I cannot ping zen.spamhaus.org or xbl.spamhaus.org - DNS says unknown host > > I've tried this from multiple ISP connections. > > This has resulted in a much larger increase in spam getting through to > my systems. > > Thanks > > Chris > It sounds like they firewalled you for "going over their limit". -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Mon Oct 20 19:53:43 2008
From: ssilva at sgvwater.com (Scott Silva) Date: Mon Oct 20 19:55:11 2008 Subject: Spamhaus RBLs In-Reply-To: <48FC4D20.6060906@alexb.ch> References: <20081019162317.C8A5.EE63E960@remedial-teacher.nl> <20081019165150.C8AC.EE63E960@remedial-teacher.nl> <1224484427.1275.77.camel@darkstar.netcore.co.in> <48FC4A90.4090509@clh.org.uk> <48FC4D20.6060906@alexb.ch> Message-ID: on 10-20-2008 2:19 AM Alex Broens spake the following: > On 10/20/2008 11:08 AM, Chris Hardy wrote: >> Hi All >> >> Is it me, or are the spamhaus RBL lists not responding today? >> I cannot ping zen.spamhaus.org or xbl.spamhaus.org - DNS says unknown >> host >> >> I've tried this from multiple ISP connections. >> >> This has resulted in a much larger increase in spam getting through to >> my systems. > > Seems you've been tarpitted/blocked for being a heavy hitter. > > http://www.spamhaus.org/faq/answers.lasso?section=DNSBL%20Usage#220 > > Free Use vs Commercial Use > Use of the Spamhaus DNSBLs via DNS queries to our public DNSBL > mirrors is free of charge for low-volume non-commercial use. To check if > you qualify for free use, please see Spamhaus DNSBL Usage Criteria. > > Use of the Spamhaus DNSBLs by ISPs, corporations and networks with high > email traffic, or commercial spam filter companies requires a > subscription to the Spamhaus dedicated Data Feed Service. > > __ > > Frequently Asked Questions (FAQ) > Data Feed > > http://www.spamhaus.org/faq/answers.lasso?section=Data%20Fee And don't bother trying to contact them to contest that you have gone over. My inquiries have fallen on deaf ears. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!!
From hvdkooij at vanderkooij.org Mon Oct 20 20:51:15 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Mon Oct 20 20:51:25 2008 Subject: Skipping checks on a whole domain In-Reply-To: <20081019165150.C8AC.EE63E960@remedial-teacher.nl> References: <20081019162317.C8A5.EE63E960@remedial-teacher.nl> <20081019165150.C8AC.EE63E960@remedial-teacher.nl> Message-ID: <48FCE133.4000904@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Test wrote: > Hmm, i seemed to have missed this part in the MailScanner.conf. > > But what i would actually like to have is that the relayed mail goes > completely around mailscanner (so no logging, mailwatch etc.) > > Must be some option in postfix to get this to work ? I guess you did not check out: http://hugo.vanderkooij.org/email/mailscanner.htm#HOLD See if you can think of a variation that matches your wishes. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFI/OEvBvzDRVjxmYERAjK/AJ9GSql78dxpVkZpdioRqwQ0kqzncACfSdLi WbDXbJ4YfkNP4DpAmW5lpOY= =p11j -----END PGP SIGNATURE----- From sandrews at andrewscompanies.com Mon Oct 20 20:52:24 2008
From: sandrews at andrewscompanies.com (Steven Andrews) Date: Mon Oct 20 20:52:35 2008 Subject: Spamhaus RBLs In-Reply-To: References: <20081019162317.C8A5.EE63E960@remedial-teacher.nl> <20081019165150.C8AC.EE63E960@remedial-teacher.nl> <1224484427.1275.77.camel@darkstar.netcore.co.in><48FC4A90.4090509@clh.org.uk> Message-ID: <1964AAFBC212F742958F9275BF63DBB090755D@winchester.andrewscompanies.com> When they "firewall" you, I'd assume they block your address entirely and that you couldn't even ping their IP. It appears he's trying to ping by the host name and is not getting an address at all; not that the ping is failing. To me, this smells like a DNS lookup issue, not that they've blocked you. I've tried it from a couple different networks, some it doesn't lookup, some it does. I tested a control network that doesn't have any reason to be looking up anything at spamhaus and it fails; my Comcast using opendns resolves those hosts fine. Pings to the IP address the host should go through fine. Checking dnsstuff.com A record lookup, zen.spamhaus.org has NO A or CNAME records at this time, even according to their parent servers. Please correct me if I'm interpreting this incorrectly. -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott Silva Sent: Monday, October 20, 2008 2:53 PM To: mailscanner@lists.mailscanner.info Subject: Re: Spamhaus RBLs on 10-20-2008 2:08 AM Chris Hardy spake the following: > Hi All > > Is it me, or are the spamhaus RBL lists not responding today? > I cannot ping zen.spamhaus.org or xbl.spamhaus.org - DNS says unknown > host > > I've tried this from multiple ISP connections. > > This has resulted in a much larger increase in spam getting through to > my systems. > > Thanks > > Chris > It sounds like they firewalled you for "going over their limit". -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ms-list at alexb.ch Mon Oct 20 21:46:23 2008 
From: ms-list at alexb.ch (Alex Broens)
Date: Mon Oct 20 21:46:39 2008
Subject: Spamhaus RBLs
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB090755D@winchester.andrewscompanies.com>
References: <20081019162317.C8A5.EE63E960@remedial-teacher.nl>
 <20081019165150.C8AC.EE63E960@remedial-teacher.nl>
 <1224484427.1275.77.camel@darkstar.netcore.co.in><48FC4A90.4090509@clh.org.uk>
 <1964AAFBC212F742958F9275BF63DBB090755D@winchester.andrewscompanies.com>
Message-ID: <48FCEE1F.1030309@alexb.ch>

On 10/20/2008 9:52 PM, Steven Andrews wrote:
> When they "firewall" you, I'd assume they block your address entirely
> and that you couldn't even ping their IP. It appears he's trying to
> ping by the host name and is not getting an address at all; not that
> the ping is failing.

ping is an unreliable/irrelevant test.
they block the hard hitter's NS from resolving spamhaus.org.

> To me, this smells like a DNS lookup issue, not that they've blocked
> you. I've tried it from a couple different networks, some it doesn't
> lookup, some it does. I tested a control network that doesn't have
> any reason to be looking up anything at spamhaus and it fails; my
> Comcast using opendns resolves those hosts fine. Pings to the IP
> address the host should go through fine.
> Checking dnsstuff.com A record lookup, zen.spamhaus.org has NO A or
> CNAME records at this time, even according to their parent servers.
>
> Please correct me if I'm interpreting this incorrectly.

dig 2.0.0.127.zen.spamhaus.org

if you get a reply, you're good
if no reply, your NS is ACLd for doing more queries than welcome.

> -----Original Message-----
From: > mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of > Scott Silva Sent: Monday, October 20, 2008 2:53 PM To: > mailscanner@lists.mailscanner.info Subject: Re: Spamhaus RBLs > > on 10-20-2008 2:08 AM Chris Hardy spake the following: >> Hi All >> >> Is it me, or are the spamhaus RBL lists not responding today? I >> cannot ping zen.spamhaus.org or xbl.spamhaus.org - DNS says unknown >> host >> >> I've tried this from multiple ISP connections. >> >> This has resulted in a much larger increase in spam getting through >> to my systems. >> >> Thanks >> >> Chris >> > It sounds like they firewalled you for "going over their limit". > > > -- MailScanner is like deodorant... You hope everybody uses it, and > you notice quickly if they don't!!!! > > From steve.freegard at fsl.com Mon Oct 20 22:23:43 2008 
From: steve.freegard at fsl.com (Steve Freegard)
Date: Mon Oct 20 22:23:54 2008
Subject: Spamhaus RBLs
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB0907552@winchester.andrewscompanies.com>
References: <20081019162317.C8A5.EE63E960@remedial-teacher.nl>
 <20081019165150.C8AC.EE63E960@remedial-teacher.nl><1224484427.1275.77.camel@darkstar.netcore.co.in>
 <48FC4A90.4090509@clh.org.uk>
 <1964AAFBC212F742958F9275BF63DBB0907552@winchester.andrewscompanies.com>
Message-ID: <48FCF6DF.4070800@fsl.com>

Steven Andrews wrote:
> DNS is giving me the same here. Although, I can ping it from my comcrap
> machine. Xbl should be 208.69.32.132 and when I am back on the
> connection that says unknown host I CAN ping that IP directly.

You don't 'ping' an RBL - they have to have an A record for the zone
name at all (and most don't). The only requirement is NS records:

[root@mail ~]# host -t NS zen.spamhaus.org
zen.spamhaus.org name server l.ns.spamhaus.org.
zen.spamhaus.org name server c.ns.spamhaus.org.
... snip ...

The standard way to test an RBL is via a test point, which is usually
127.0.0.2:

[root@mail ~]# host 2.0.0.127.zen.spamhaus.org
2.0.0.127.zen.spamhaus.org has address 127.0.0.2
2.0.0.127.zen.spamhaus.org has address 127.0.0.10
2.0.0.127.zen.spamhaus.org has address 127.0.0.4

Spamhaus will return a DNS status of REFUSED if you are blocked by them
and you will not get any test points returned.

Hope this helps.

Kind regards,
Steve.

From kate at rheel.co.nz Mon Oct 20 22:43:28 2008
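Added example, not part of Steve Freegard's message or of MailScanner: the test-point check he describes, written in Python so that the DNS response code is read directly and REFUSED is told apart from a missing record or a resolver failure. The function names, result labels and the constructed replies are assumptions of this example; only the 127.0.0.2 test point and the REFUSED behaviour come from the message above.

```python
"""DNSBL test-point check that reads the DNS rcode (added example, constructed data)."""
import ipaddress
import socket
import struct

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")  # DNSBL return codes are 127.x.x.x


def dnsbl_name(ip, zone):
    """127.0.0.2 + zen.spamhaus.org -> 2.0.0.127.zen.spamhaus.org"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".")


def build_query(name, txid=0x1234):
    """Wire-format A/IN query with the recursion-desired flag set."""
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(msg, off):
    """Return the offset just past a name, following the compression-pointer rule."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Return (rcode, [IPv4 strings from A records in the answer section])."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return flags & 0x000F, addrs


def classify_test_point(rcode, addrs):
    """Labels are this example's own; REFUSED is the 'blocked' signal from the thread."""
    if rcode == 5:
        return "REFUSED"          # resolver is being refused by the list operator
    if rcode not in (0, 3):
        return "RESOLVER_ERROR"   # e.g. SERVFAIL: problem between you and the zone
    if not addrs:
        return "NO_TESTPOINT"     # NXDOMAIN/NODATA: a working list always lists 127.0.0.2
    if all(ipaddress.ip_address(a) in LOOPBACK for a in addrs):
        return "OK"
    return "BOGUS_ANSWER"         # non-127/8 answer, e.g. a resolver rewriting misses


def make_response(query, rcode, addrs=()):
    """Constructed reply for offline use: echoes the question, adds A records."""
    flags = 0x8180 | rcode  # QR + RD + RA
    header = query[:2] + struct.pack("!HHHHH", flags, 1, len(addrs), 0, 0)
    body = query[12:]
    for a in addrs:
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
        body += ipaddress.IPv4Address(a).packed
    return header + body


def query_resolver(name, resolver_ip, timeout=3.0):
    """Live lookup over UDP (needs network; not used by the offline demo below)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver_ip, 53))
        return parse_response(s.recvfrom(4096)[0])


if __name__ == "__main__":
    q = build_query(dnsbl_name("127.0.0.2", "zen.spamhaus.org"))
    constructed = {
        "healthy": make_response(q, 0, ["127.0.0.2", "127.0.0.10", "127.0.0.4"]),
        "blocked": make_response(q, 5),
        "rewritten": make_response(q, 0, ["203.0.113.7"]),
    }
    for label, reply in constructed.items():
        print(label, classify_test_point(*parse_response(reply)))
```

To check a real resolver, pass its address to `query_resolver()` together with the test-point name and feed the result to `classify_test_point()`.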
From: kate at rheel.co.nz (Kate Kleinschafer)
Date: Mon Oct 20 22:42:17 2008
Subject: no such file or directory errors in logwatch
In-Reply-To: <223f97700810170300i5a9d7ccdle46948b8e94d287e@mail.gmail.com>
References: <48F7A41C.4020708@rheel.co.nz> <223f97700810170300i5a9d7ccdle46948b8e94d287e@mail.gmail.com>
Message-ID: <48FCFB80.5080105@rheel.co.nz>

Glenn Steen wrote:
> 2008/10/16 Kate Kleinschafer :
>
>> Hi,
>>
>> I am getting lots of these in my logwatch email
>>
>> writing to
>> /var/spool/MailScanner/quarantine/20081016/spam/CFB2162E753.73A42: No such
>> file or directory : 1 Time(s)
>>
>> I think it may be related to the fact that MailScanner hasn't been creating
>> the quarantine/2008101. folders for the last couple of days
>> (I've had to manually create them)
>> Originally I thought it was permissions but I have made them postfix:apache
>> (which is correct against the mailscanner.conf file.
>>
>> Could someone give me some things to check as I don't yet know enough about
>> how / when these folders are created to trouble shoot much further.
>> Also there doesn't seem to be any errors relating to this in the maillog.
>>
>> Thanks
>> Kate
>>
> What do you have for Run As and the diverse permissions in MailScanner.conf?
> Can your postfix user actually create the needed quarantine
> directories? You check this with:
> su - postfix -s /bin/bash
> ... and then use normal commands like cd, mkdir (and ls) to check that
> it can do what is needed.
>
> Cheers
>
Thanks for that info - Permissions was the problem.

From sandrews at andrewscompanies.com Mon Oct 20 22:46:38 2008
From: sandrews at andrewscompanies.com (Steven Andrews)
Date: Mon Oct 20 22:46:49 2008
Subject: Spamhaus RBLs
In-Reply-To: <48FCEE1F.1030309@alexb.ch>
References: <20081019162317.C8A5.EE63E960@remedial-teacher.nl> <20081019165150.C8AC.EE63E960@remedial-teacher.nl> <1224484427.1275.77.camel@darkstar.netcore.co.in><48FC4A90.4090509@clh.org.uk> <1964AAFBC212F742958F9275BF63DBB090755D@winchester.andrewscompanies.com> <48FCEE1F.1030309@alexb.ch>
Message-ID: <1964AAFBC212F742958F9275BF63DBB0907562@winchester.andrewscompanies.com>

Interesting. So, if my ISP's nameservers, which I've set as forwarders of my own, get acl'd, then mine will go down with it?

Ok, I dig'd it and got back a lot of stuff...i'm assuming that if I got anything back at all, I'm good?

Thanks all for the education.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Broens
Sent: Monday, October 20, 2008 4:46 PM
To: MailScanner discussion
Subject: Re: Spamhaus RBLs

On 10/20/2008 9:52 PM, Steven Andrews wrote:
> When they "firewall" you, I'd assume they block your address entirely
> and that you couldn't even ping their IP. It appears he's trying to
> ping by the host name and is not getting an address at all; not that
> the ping is failing.

ping is an unreliable/irrelevant test.
they block the hard hitter's NS from resolving spamhaus.org.

> To me, this smells like a DNS lookup issue, not that they've blocked
> you. I've tried it from a couple different networks, some it doesn't
> lookup, some it does. I tested a control network that doesn't have
> any reason to be looking up anything at spamhaus and it fails; my
> Comcast using opendns resolves those hosts fine. Pings to the IP
> address the host should go through fine.
> Checking dnsstuff.com A record lookup, zen.spamhaus.org has NO A or
> CNAME records at this time, even according to their parent servers.
>
> Please correct me if I'm interpreting this incorrectly.

dig 2.0.0.127.zen.spamhaus.org

if you get a reply, you're good
if no reply, your NS is ACLd for doing more queries than welcome.

> -----Original Message-----
From:
> mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of
> Scott Silva Sent: Monday, October 20, 2008 2:53 PM To:
> mailscanner@lists.mailscanner.info Subject: Re: Spamhaus RBLs
>
> on 10-20-2008 2:08 AM Chris Hardy spake the following:
>> Hi All
>>
>> Is it me, or are the spamhaus RBL lists not responding today? I
>> cannot ping zen.spamhaus.org or xbl.spamhaus.org - DNS says unknown
>> host
>>
>> I've tried this from multiple ISP connections.
>>
>> This has resulted in a much larger increase in spam getting through
>> to my systems.
>>
>> Thanks
>>
>> Chris
>>
> It sounds like they firewalled you for "going over their limit".
>
>
> -- MailScanner is like deodorant... You hope everybody uses it, and
> you notice quickly if they don't!!!!
>
>
--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From test at remedial-teacher.nl Mon Oct 20 22:55:49 2008
From: test at remedial-teacher.nl (Test)
Date: Mon Oct 20 22:57:43 2008
Subject: Skipping checks on a whole domain
In-Reply-To: <48FCE133.4000904@vanderkooij.org>
References: <20081019165150.C8AC.EE63E960@remedial-teacher.nl> <48FCE133.4000904@vanderkooij.org>
Message-ID: <20081020235045.89C6.EE63E960@remedial-teacher.nl>

Hugo,

I came across this page before but i probably didn't read it that well..(doh)

I now have configured the following:


/^@relay-domain\.nl$/ OK

# Everyone else will go through MailScanner!
/.*/ HOLD
/^$/ HOLD


In relay_domains:
/^@relay-domain\.nl$/ OK

But postfix gives me the 550 recipient address rejected: user unknown in local recipient table when sending mail to an address in the relayed domain.. relay-domain.nl

Mind you, for other addresses it works fine.

gr. Erwin

--
Test

From test at remedial-teacher.nl Mon Oct 20 23:04:36 2008
From: test at remedial-teacher.nl (Test)
Date: Mon Oct 20 23:05:36 2008
Subject: Re2: Skipping checks on a whole domain
Message-ID: <20081021000336.89D6.EE63E960@remedial-teacher.nl>

Extra:
If i send mail from the server it works, from a client it gives the 550 message... hmm, must be missing something again...

Forwarded by Test
----------------------- Original Message -----------------------
From: Test
To: MailScanner discussion
Date: Mon, 20 Oct 2008 23:55:49 +0200
Subject: Re: Skipping checks on a whole domain
----

Hugo,

I came across this page before but i probably didn't read it that well..(doh)

I now have configured the following:


/^@relay-domain\.nl$/ OK

# Everyone else will go through MailScanner!
/.*/ HOLD
/^$/ HOLD


In relay_domains:
/^@relay-domain\.nl$/ OK

But postfix gives me the 550 recipient address rejected: user unknown in local recipient table when sending mail to an address in the relayed domain.. relay-domain.nl

Mind you, for other addresses it works fine.

gr. Erwin

--
Test

--------------------- Original Message Ends --------------------

--
Test

From andrew at gdcon.net Mon Oct 20 23:36:59 2008
From: andrew at gdcon.net (Andrew MacLachlan)
Date: Mon Oct 20 23:37:16 2008
Subject: Xen Performance
Message-ID: <48FD080B.7080101@gdcon.net>

Has anyone got any idea of how well MailScanner performs under Xen compared to ESX?
I'm interested in anyone's opinion who has tried both platforms - also any wisdom regarding messages/hour on either platform...

-Andy

From test at remedial-teacher.nl Mon Oct 20 23:40:24 2008
From: test at remedial-teacher.nl (Test)
Date: Mon Oct 20 23:42:27 2008
Subject: Re3: Skipping checks on a whole domain
Message-ID: <20081021003911.8A09.EE63E960@remedial-teacher.nl>

Hmm, if one does some rtmf things work out better ;-))

The regexp was wrong:

It should be:
/@relay-domain\.nl$/ OK

Forwarded by Test
----------------------- Original Message -----------------------
From: Test
To: mailscanner@lists.mailscanner.info
Date: Tue, 21 Oct 2008 00:04:36 +0200
Subject: Re2: Skipping checks on a whole domain
----

Extra:
If i send mail from the server it works, from a client it gives the 550 message... hmm, must be missing something again...

Forwarded by Test
----------------------- Original Message -----------------------
From: Test
To: MailScanner discussion
Date: Mon, 20 Oct 2008 23:55:49 +0200
Subject: Re: Skipping checks on a whole domain
----

Hugo,

I came across this page before but i probably didn't read it that well..(doh)

I now have configured the following:


/^@relay-domain\.nl$/ OK

# Everyone else will go through MailScanner!
/.*/ HOLD
/^$/ HOLD


In relay_domains:
/^@relay-domain\.nl$/ OK

But postfix gives me the 550 recipient address rejected: user unknown in local recipient table when sending mail to an address in the relayed domain.. relay-domain.nl

Mind you, for other addresses it works fine.

gr. Erwin

--
Test

--------------------- Original Message Ends --------------------

--
Test

--------------------- Original Message Ends --------------------

--
Test

From andrew at gdcon.net Mon Oct 20 23:47:41 2008
From: andrew at gdcon.net (Andrew MacLachlan)
Date: Mon Oct 20 23:47:58 2008
Subject: Spamhaus RBLs
In-Reply-To:
References: <20081019162317.C8A5.EE63E960@remedial-teacher.nl> <20081019165150.C8AC.EE63E960@remedial-teacher.nl> <1224484427.1275.77.camel@darkstar.netcore.co.in> <48FC4A90.4090509@clh.org.uk> <48FC4D20.6060906@alexb.ch>
Message-ID: <48FD0A8D.3060203@gdcon.net>

Scott Silva wrote:
>
> And don't bother trying to contact them to contest that you have gone over. My
> inquiries have fallen on deaf ears.
>
>
I've asked them repeatedly for prices for commercial service (i.e. feed subscription) and they've not responded to those either... Maybe their idea of a good spam defense is to either not read or discard all mail before reading - either way it's not good business sense.

-Andy

From kate at rheel.co.nz Tue Oct 21 02:43:00 2008
From: kate at rheel.co.nz (Kate Kleinschafer)
Date: Tue Oct 21 02:41:55 2008
Subject: Trouble with bayes sql
Message-ID: <48FD33A4.2020200@rheel.co.nz>

Hi all,

With the latest MailScanner and spamassassin do you have to set up a symlink in /etc/mail/spamassassin to mailscanner.cf in order for the bayes to be used?
Also do I need to make root the bayes_sql_override_username or should it be postfix?

I have bayes setup as a mysql database - settings are in spamassassin.prefs.conf (as per the wiki instructions for MailScanner)

The reason I ask is because none of the bayes rules are being hit at all.
This is the settings in spamassassin.prefs.conf
bayes_store_module Mail::SpamAssassin::BayesStore::SQL
bayes_sql_dsn DBI:mysql:sa_bayes:box.forspam.co.nz
bayes_sql_username username (not used anywhere else)
bayes_sql_password thepassword
bayes_sql_override_username root

I run spamassassin as user postfix

Thanks
Kate

From hvdkooij at vanderkooij.org Tue Oct 21 06:35:09 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Tue Oct 21 06:35:21 2008
Subject: Skipping checks on a whole domain
In-Reply-To: <20081020235045.89C6.EE63E960@remedial-teacher.nl>
References: <20081019165150.C8AC.EE63E960@remedial-teacher.nl> <48FCE133.4000904@vanderkooij.org> <20081020235045.89C6.EE63E960@remedial-teacher.nl>
Message-ID: <48FD6A0D.4040102@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Test wrote:
> Hugo,
>
> I came across this page before but i probably didn't read it that well..(doh)
>
> I now have configured the following:
>
>
> /^@relay-domain\.nl$/ OK
>
> # Everyone else will go through MailScanner!
> /.*/ HOLD
> /^$/ HOLD
>
>
> In relay_domains:
> /^@relay-domain\.nl$/ OK
>
> But postfix gives me the 550 recipient address rejected: user unknown in
> local recipient table when sending mail to an address in the relayed
> domain.. relay-domain.nl
>
> Mind you, for other addresses it works fine.

OK might not be the right response for relay domains. I have not tested with relaying at all.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFI/WoLBvzDRVjxmYERAjbEAKCJ2bMMaSdUhSaYihuOd2UBS1eFKACfaHiN
zersocGz2UjdtWRql/XIH04=
=rGf9
-----END PGP SIGNATURE-----

From ms-list at alexb.ch Tue Oct 21 08:33:35 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Tue Oct 21 08:33:45 2008
Subject: Spamhaus RBLs
In-Reply-To: <48FD0A8D.3060203@gdcon.net>
References: <20081019162317.C8A5.EE63E960@remedial-teacher.nl> <20081019165150.C8AC.EE63E960@remedial-teacher.nl> <1224484427.1275.77.camel@darkstar.netcore.co.in> <48FC4A90.4090509@clh.org.uk> <48FC4D20.6060906@alexb.ch> <48FD0A8D.3060203@gdcon.net>
Message-ID: <48FD85CF.4020606@alexb.ch>

On 10/21/2008 12:47 AM, Andrew MacLachlan wrote:
> Scott Silva wrote:
>>
>> And don't bother trying to contact them to contest that you have gone
>> over. My
>> inquiries have fallen on deaf ears.
>>
>>
> I've asked them repeatedly for prices for commercial service (i.e. feed
> subscription) and they've not responded to those either... Maybe their
> idea of a good spam defense is to either not read or discard all mail
> before reading - either way it's not good business sense.

have you been on their site?
(rants instead of research at the right places.. hmmmm)

http://www.spamhaus.org/faq/answers.lasso?section=Data%20Feed#84

What is the application process?
The application process is designed to allow organizations to initiate an application without committing to taking the service or making a payment until they are first satisfied with the service and have agreed to the contract terms. The process is:

1) Use the Price Calculator to find the correct price for your organization, based on the total number of Email Users you provide service for.
http://www.spamhaus.org/datafeed/pricecalculator.lasso

From telecaadmin at gmail.com Tue Oct 21 10:35:34 2008
From: telecaadmin at gmail.com (Ronny T. Lampert)
Date: Tue Oct 21 10:36:15 2008
Subject: A bit OT: strange spikes in RBL-blocked connections
Message-ID: <48FDA266.2030402@gmail.com>

Hi all,

best list to ask: for quite a while now I see strange spikes in RBL-blocked connections:

Everything is fine with around 10-30 blocks/minute.
Then suddenly at 10AM (GMT+1) they shoot up to 80-100/minute.
They fall back a bit until 2PM.
Around 2PM when they shoot up again to even higher levels and gently fall down until 4-5PM to their levels before 10AM.

Anybody else noticed that?

Cheers,
Ronny

From uxbod at splatnix.net Tue Oct 21 10:52:01 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Tue Oct 21 10:52:23 2008
Subject: A bit OT: strange spikes in RBL-blocked connections
In-Reply-To: <48FDA266.2030402@gmail.com>
Message-ID: <25994447.5381224582721942.JavaMail.root@office.splatnix.net>

Probably when people are switching on their PCs in the different timezones (damn those bots!).

Regards,

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From stef at aoc-uk.com Tue Oct 21 10:58:24 2008
From: stef at aoc-uk.com (Stef Morrell)
Date: Tue Oct 21 10:58:38 2008
Subject: Skipping checks on a whole domain
In-Reply-To:
References: <20081019162317.C8A5.EE63E960@remedial-teacher.nl><20081019165150.C8AC.EE63E960@remedial-teacher.nl><1224484427.1275.77.camel@darkstar.netcore.co.in><200810201646.m9KGkaQ3008633@safir.blacknight.ie>
Message-ID: <200810210958.m9L9wTEL005575@safir.blacknight.ie>

Glenn Steen wrote:
> 2008/10/20 Stef Morrell :
> Um, didn't you participate in the thread Hugo had on
> selective hold (through access...)? IIUC, that should be able to do
> what is needed. Anyone interested should look up "Selective HOLD" in
> the ml archives:-).

This does ring a bell now. My memory has become of late much like the swallowtail butterfly. It is bright, flits prettily hither and thither, but is alas, almost completely extinct.

I'm fairly sure however that Hugo's method doesn't work for me as I'm also rejecting third party DSN in header checks... or something. It's not a file which is conducive to lots of rules.

Stef

Stefan Morrell | Operations Director
Tel: 0845 3452820 | Alpha Omega Computers Ltd
Fax: 0845 3452830 | Incorporating Level 5 Internet
stef@aoc-uk.com | stef@l5net.net

Standard Disclaimer: http://www.aoc-uk.com/16.asp
Alpha Omega Computers Ltd, Unit 57, BBTC, Grange Road, Batley, WF17 6ER.
Registered in England No. 3867142. VAT No. GB734421454

From telecaadmin at gmail.com Tue Oct 21 11:01:43 2008
From: telecaadmin at gmail.com (Ronny T. Lampert)
Date: Tue Oct 21 11:02:24 2008
Subject: A bit OT: strange spikes in RBL-blocked connections
In-Reply-To: <25994447.5381224582721942.JavaMail.root@office.splatnix.net>
References: <25994447.5381224582721942.JavaMail.root@office.splatnix.net>
Message-ID: <48FDA887.4010004@gmail.com>

> Probably when people are switching on their PCs in the different timezones (damn those bots!).

Yes but even only 2-3 months ago it would be very even - I would see occasional spikes, once in a while, but the rest was more "standard background noise".

It seems bot allocation has changed to a more local attack pattern or even they don't care to be rather sneaky...

From J.Ede at birchenallhowden.co.uk Tue Oct 21 11:50:10 2008
From: J.Ede at birchenallhowden.co.uk (Jason Ede)
Date: Tue Oct 21 11:50:32 2008
Subject: Spamhaus RBLs
In-Reply-To: <48FD0A8D.3060203@gdcon.net>
References: <20081019162317.C8A5.EE63E960@remedial-teacher.nl> <20081019165150.C8AC.EE63E960@remedial-teacher.nl> <1224484427.1275.77.camel@darkstar.netcore.co.in> <48FC4A90.4090509@clh.org.uk> <48FC4D20.6060906@alexb.ch> <48FD0A8D.3060203@gdcon.net>
Message-ID: <4CAB0118AEC63A4FAAE77E6BCBDF760C792A302444@server02.bhl.local>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Andrew MacLachlan
> Sent: 20 October 2008 23:48
> To: MailScanner discussion
> Subject: Re: Spamhaus RBLs
>
> Scott Silva wrote:
> >
> > And don't bother trying to contact them to contest that you have gone
> over. My
> > inquiries have fallen on deaf ears.
> >
> >
> I've asked them repeatedly for prices for commercial service (i.e. feed
> subscription) and they've not responded to those either... Maybe their
> idea of a good spam defense is to either not read or discard all mail
> before reading - either way it's not good business sense.
>
> -Andy

They have a calculator for working out how much a feed costs.
http://www.spamhaus.org/datafeed/pricecalculator.lasso

Might be worth trying their 30 day free trial first.

Jason

From J.Ede at birchenallhowden.co.uk Tue Oct 21 11:55:09 2008
From: J.Ede at birchenallhowden.co.uk (Jason Ede)
Date: Tue Oct 21 11:55:33 2008
Subject: Trouble with bayes sql
In-Reply-To: <48FD33A4.2020200@rheel.co.nz>
References: <48FD33A4.2020200@rheel.co.nz>
Message-ID: <4CAB0118AEC63A4FAAE77E6BCBDF760C792A302446@server02.bhl.local>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Kate Kleinschafer
> Sent: 21 October 2008 02:43
> To: MailScanner discussion
> Subject: Trouble with bayes sql
>
> Hi all,
>
> With the latest MailScanner and spamassassin do you have to set up a
> symlink in /etc/mail/spamassassin to mailscanner.cf in order for the
> bayes to be used?
> Also do I need to make root the bayes_sql_override_username or should
> it
> be postfix?
>
> I have bayes setup as a mysql database - settings are in
> spamassassin.prefs.conf (as per the wiki instructions for MailScanner)
>
> The reason I ask is because none of the bayes rules are being hit at
> all.
> This is the settings in spamassassin.prefs.conf
> bayes_store_module Mail::SpamAssassin::BayesStore::SQL
> bayes_sql_dsn DBI:mysql:sa_bayes:box.forspam.co.nz
> bayes_sql_username username (not used anywhere else)
> bayes_sql_password thepassword
> bayes_sql_override_username root
>
> I run spamassassin as user postfix
>
> Thanks
> Kate

What does the end of the output (all the lines mentioning bayes) of

sa-learn --rebuild -D -p /etc/MailScanner/spam.assassin.prefs.conf

show?

From jan-peter at koopmann.eu Tue Oct 21 11:56:36 2008
From: jan-peter at koopmann.eu (Koopmann, Jan-Peter)
Date: Tue Oct 21 11:57:18 2008
Subject: Xen Performance
In-Reply-To: <48FD080B.7080101@gdcon.net>
References: <48FD080B.7080101@gdcon.net>
Message-ID:

Hi,

> Has anyone got any idea of how well MailScanner performs under Xen
> compared to ESX?
> I'm interested in anyone's opinion who has tried both platforms - also
> any wisdom regarding messages/hour on either platform...

That is hard if not impossible to answer I am afraid. We are using MailScanner and BarricadeMX on Virtual Iron (Xen based) on several sites with great success. However none of them is high volume (ISP style). All performance comparison I have seen and the few I have done myself suggest (!) that a proper Xen implementation can (!) outperform ESX in nearly all ways but certainly not to a big extent.

The problem is that to my knowledge VMWare simply does not allow proper comparison of their platform to others and will smash down all reports on it in public. I might be wrong though.

I think performance in your case will not be so much depending on using ESX vs. a good Xen installation (with suitable drivers etc.). It is more a question of "can/should I virtualize this" in the first place. This again depends on your I/O requirements, what SAN/NAS you have available etc., how much RAM, what CPUs etc. If you can virtualize it with ESX I do not see why you would have a performance problem with Xen.

Regards,
JP

From uxbod at splatnix.net Tue Oct 21 12:20:07 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Tue Oct 21 12:20:31 2008
Subject: Xen Performance
In-Reply-To:
Message-ID: <6981129.5621224588007690.JavaMail.root@office.splatnix.net>

Also depends on what processors you are using and whether the DomU's are para-virtualised or not.

Regards,

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- "Jan-Peter Koopmann" wrote:

> Hi,
> That is hard if not impossible to answer I am afraid. We are using
>
> MailScanner and BarricadeMX on Virtual Iron (Xen based) on several
> sites
>
> with great success. However none of them is high volume (ISP style).
> All
>
> performance comparison I have seen and the few I have done myself
>
> suggest (!) that a proper Xen implementation can (!) outperform ESX in
>
> nearly all ways but certainly not to a big extent.
>
>
>
> The problem is that to my knowledge VMWare simply does not allow
> proper
>
> comparison of their platform to others and will smash down all reports
>
> on it in public. I might be wrong though.
>
>
>
> I think performance in your case will not be so much depending on
> using
>
> ESX vs. a good Xen installation (with suitable drivers etc.). It is
> more
>
> a question of "can/should I virtualize this" in the first place. This
>
> again depends on your I/O requirements, what SAN/NAS you have
> available
>
> etc., how much RAM, what CPUs etc. If you can virtualize it with ESX I
>
> do not see why you would have a performance problem with Xen.
>
>
>
> Regards,
>
> JP

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From andrew at gdcon.net Tue Oct 21 12:37:11 2008
From: andrew at gdcon.net (Andrew MacLachlan)
Date: Tue Oct 21 12:20:39 2008
Subject: Xen Performance
In-Reply-To:
References: <48FD080B.7080101@gdcon.net>
Message-ID: <681685311b722c1d421f588dc7d6e30b.squirrel@wm.gdcon.net>

On Tue, October 21, 2008 11:56 am, Koopmann, Jan-Peter wrote:
> That is hard if not impossible to answer I am afraid. We are using
> MailScanner and BarricadeMX on Virtual Iron (Xen based) on several sites
> with great success. However none of them is high volume (ISP style). All
> performance comparison I have seen and the few I have done myself
> suggest (!) that a proper Xen implementation can (!) outperform ESX in
> nearly all ways but certainly not to a big extent.
>
> The problem is that to my knowledge VMWare simply does not allow proper
> comparison of their platform to others and will smash down all reports
> on it in public. I might be wrong though.
>
> I think performance in your case will not be so much depending on using
> ESX vs. a good Xen installation (with suitable drivers etc.). It is more
> a question of "can/should I virtualize this" in the first place. This
> again depends on your I/O requirements, what SAN/NAS you have available
> etc., how much RAM, what CPUs etc. If you can virtualize it with ESX I
> do not see why you would have a performance problem with Xen.
>

Thanks JP - I agree with your comments regarding "Should I virtualize" - I've been working with x86 virtualization since last century (that always sounds impressive) when the first versions of VMware Workstation were released, and I have to keep telling people that virtualization is a great technology, it doesn't suit every workload (put another way: Just because you CAN doesn't mean you SHOULD).

My request was more around comparing ESX v Xen performance. I am aware of VMware viciously slapping down any comparisons (A clause in their EULA states that you can't benchmark or compare).
The reason I'm asking all this is because I've just released a test version of ESVA (which was never intended to be carrier-grade) for Xen (previously ESVA was only available for VMware platforms) so I was interested in other peoples' experiences where they had tried MailScanner on both platforms.

-Andy

From andrew at gdcon.net Tue Oct 21 12:48:17 2008
From: andrew at gdcon.net (Andrew MacLachlan)
Date: Tue Oct 21 12:31:44 2008
Subject: Xen Performance
In-Reply-To: <6981129.5621224588007690.JavaMail.root@office.splatnix.net>
References: <6981129.5621224588007690.JavaMail.root@office.splatnix.net>
Message-ID: <7ee7632756c2e186959ba068b7ce6d12.squirrel@wm.gdcon.net>

On Tue, October 21, 2008 12:20 pm, --[ UxBoD ]-- wrote:
> Also depends on what processors you are using and whether the DomU's are
> para-virtualised or not.
>

Citrix XenServer5 and yes - the DomUs are paravirtualized.

Does anyone have any rough throughput figures for either hypervisor that they could send off list to avoid the wrath of VMware? These won't be published, it's more for my own information WRT MailScanner.

-Andy

From andrew at gdcon.net Tue Oct 21 12:52:32 2008
From: andrew at gdcon.net (Andrew MacLachlan)
Date: Tue Oct 21 12:36:01 2008
Subject: Spamhaus RBLs
In-Reply-To: <48FD85CF.4020606@alexb.ch>
References: <20081019162317.C8A5.EE63E960@remedial-teacher.nl> <20081019165150.C8AC.EE63E960@remedial-teacher.nl> <1224484427.1275.77.camel@darkstar.netcore.co.in> <48FC4A90.4090509@clh.org.uk> <48FC4D20.6060906@alexb.ch> <48FD0A8D.3060203@gdcon.net> <48FD85CF.4020606@alexb.ch>
Message-ID: <554b9006f85751889a5d02f4ed151c9a.squirrel@wm.gdcon.net>

On Tue, October 21, 2008 8:33 am, Alex Broens wrote:
>
> have you been on their site?
> (rants instead of research at the right places.. hmmmm)

Of course.

>
>
> http://www.spamhaus.org/faq/answers.lasso?section=Data%20Feed#84
>
> What is the application process?
> The application process is designed to allow organizations to initiate
> an application without committing to taking the service or making a
> payment until they are first satisfied with the service and have agreed
> to the contract terms. The process is:
>
> 1) Use the Price Calculator to find the correct price for your
> organization, based on the total number of Email Users you provide
> service for.
> http://www.spamhaus.org/datafeed/pricecalculator.lasso

Yep - then when you put service provider in the calculator it asks that you send an email to them with details so they can provide a price - Try it yourself if you don't believe me.

From ms-list at alexb.ch Tue Oct 21 13:07:07 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Tue Oct 21 13:07:22 2008
Subject: Spamhaus RBLs
In-Reply-To: <554b9006f85751889a5d02f4ed151c9a.squirrel@wm.gdcon.net>
References: <20081019162317.C8A5.EE63E960@remedial-teacher.nl> <20081019165150.C8AC.EE63E960@remedial-teacher.nl> <1224484427.1275.77.camel@darkstar.netcore.co.in> <48FC4A90.4090509@clh.org.uk> <48FC4D20.6060906@alexb.ch> <48FD0A8D.3060203@gdcon.net> <48FD85CF.4020606@alexb.ch> <554b9006f85751889a5d02f4ed151c9a.squirrel@wm.gdcon.net>
Message-ID: <48FDC5EB.7070807@alexb.ch>

On 10/21/2008 1:52 PM, Andrew MacLachlan wrote:
> On Tue, October 21, 2008 8:33 am, Alex Broens wrote:
>> have you been on their site?
>> (rants instead of research at the right places.. hmmmm)
>
> Of course.
>
>>
>> http://www.spamhaus.org/faq/answers.lasso?section=Data%20Feed#84
>>
>> What is the application process?
>> The application process is designed to allow organizations to initiate
>> an application without committing to taking the service or making a
>> payment until they are first satisfied with the service and have agreed
>> to the contract terms. The process is:
>>
>> 1) Use the Price Calculator to find the correct price for your
>> organization, based on the total number of Email Users you provide
>> service for.
>> http://www.spamhaus.org/datafeed/pricecalculator.lasso
>
> Yep - then when you put service provider in the calculator it asks that
> you send an email to them with details so they can provide a price - Try
> it yourself if you don't believe me.

Org Type: Chose Internet Service Provider
Users: 20.000 - 50.000

Internet Service Provider price for 20,000 - 50,000 users
Per Year: US$ 5700.00

have my price..

From andrew at gdcon.net Tue Oct 21 13:35:00 2008
From: andrew at gdcon.net (Andrew MacLachlan)
Date: Tue Oct 21 13:18:34 2008
Subject: OT: Re: Spamhaus RBLs
In-Reply-To: <48FDC5EB.7070807@alexb.ch>
References: <20081019162317.C8A5.EE63E960@remedial-teacher.nl> <20081019165150.C8AC.EE63E960@remedial-teacher.nl> <1224484427.1275.77.camel@darkstar.netcore.co.in> <48FC4A90.4090509@clh.org.uk> <48FC4D20.6060906@alexb.ch> <48FD0A8D.3060203@gdcon.net> <48FD85CF.4020606@alexb.ch> <554b9006f85751889a5d02f4ed151c9a.squirrel@wm.gdcon.net> <48FDC5EB.7070807@alexb.ch>
Message-ID: <5900692e919afdc57cd6ea19abc098b9.squirrel@wm.gdcon.net>

On Tue, October 21, 2008 1:07 pm, Alex Broens wrote:
> Internet Service Provider price for 20,000 - 50,000 users
> Per Year: US$ 5700.00
>
> have my price..

OK - When I checked a few months back my experience was different. Obviously my earlier comments aren't valid (now).

-Andy

From ajcartmell at fonant.com Tue Oct 21 13:35:20 2008
From: ajcartmell at fonant.com (Anthony Cartmell)
Date: Tue Oct 21 13:35:22 2008
Subject: OT Spamhaus tactics (was Spamhaus RBLs)
In-Reply-To: <48FD0A8D.3060203@gdcon.net>
References: <20081019162317.C8A5.EE63E960@remedial-teacher.nl> <20081019165150.C8AC.EE63E960@remedial-teacher.nl> <1224484427.1275.77.camel@darkstar.netcore.co.in> <48FC4A90.4090509@clh.org.uk> <48FC4D20.6060906@alexb.ch> <48FD0A8D.3060203@gdcon.net>
Message-ID:

>> And don't bother trying to contact them to contest that you have gone
>> over. My
>> inquiries have fallen on deaf ears.
>>
>>
> I've asked them repeatedly for prices for commercial service (i.e. feed
> subscription) and they've not responded to those either... Maybe their
> idea of a good spam defense is to either not read or discard all mail
> before reading - either way it's not good business sense.

That made me grin. A couple of days ago Spamhaus increased an SBL listing from a single IP address to an entire /24 block of 255 addresses. Thus many innocent servers, my own included, became blacklisted without warning.

Their advice was that we should be checking that our network host was reading their abuse@ e-mail, and that if they weren't then we should get our servers hosted somewhere else.

Their response to my complaint of being blocked incorrectly was:

~~~~~~
This is, unfortunately, what happens when Netrino's response to an SBL listing of a spammer on their network, is to move the spammer to a new IP address in the same block, and then allow him to continue spamming.

If good mail deliverability is important to you, you may wish to review whether a provider with such policies is most appropriate to your needs?
~~~~~

Of course the spammer in question had more than one IP address allocated to his server, so I'm sure they didn't move him and allow him to continue on purpose. Netrino may well have been able to block him more effectively, but using hundreds of innocent servers as a lever to put pressure on seems unfair to me.
A more generous approach might have been to contact the innocent server owners and warn us of the problem, rather than let our e-mail get blocked. And perhaps even have a mechanism to allow incorrectly-listed servers to be de-listed without needing to involve the block owner? The range of IP addresses listed in the SBL was reduced to just eight addresses a day or two later, and then finally removed altogether. The upside was that I learnt how to relay mail via my other server, hosted elsewhere, to avoid the blacklisted IP range. Spamhaus seemed such a good idea, but my opinion of its accuracy and policies is somewhat tainted now... Cheers! Anthony -- www.fonant.com - Quality web sites From MailScanner at ecs.soton.ac.uk Tue Oct 21 14:31:20 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Oct 21 14:31:39 2008 Subject: more install.sh In-Reply-To: <48FCCEC0.1080702@tippingmar.com> References: <48FCCEC0.1080702@tippingmar.com> Message-ID: <48FDD9A8.7070403@ecs.soton.ac.uk> Mark Nienberg wrote: > I think on a centOS system the installer.sh is doing this for the perl > modules that conflict with the base perl: > > check to see if the perl module is installed, > see that it isn't, > build an rpm for the module from the downloaded src, > attempt to install the rpm, but the install fails due to conflict with > installed perl, > force install only for those that absolutely need it. > > I'm wondering if the process could be shorted to eliminate building > the rpm for the module if the rpm already exists in > /usr/src/redhat/RPMS (probably from a previous MailScanner install). No, because then if something went wrong with the install (in that a corrupt RPM got built somehow), then re-installing wouldn't help the situation, and you would have to get into all sorts of messing around deleting files to get yourself out of the hole. > Alternatively, could the initial check for the module be improved > somehow to detect that the module is already installed as part of the > the core perl installation? I suspect that must not be possible or > Jules would have done it already. Not easy. You can't find where a Perl module is installed, just that it *is* installed. > > Also, the installer builds rpms for packages that will not install due > to already installed rpms. For example, on my system it builds > perl-IO-stringy-2.110-1 > and tries to install it, but discovers that > perl-IO-stringy-2.110-1.2.el5.rf > is already installed. > > Could the installer test for already installed rpms before building > and attempting installation of the new one? > In the above example it would run "rpm -q perl-IO-stringy" and then do > some sort of version checking. The version checking you need to do is far from trivial. 
2.10 is greater than 2.9, but not in numerical or alphabetical terms. It's quite a tricky problem. I really don't want to open that Pandora's box! :-) Nice ideas though... P.S. Sorry I haven't been around here much recently. I'm a bit run down, and I have the impending prospect of major surgery (liver transplant for those of you who don't already know) and all the pain that goes with that. Plus I've got my kittens to look after, which consume quite a lot of my available energy. If there's anything serious, you can always mail me directly, and I do always read all of that, even if I don't keep up with the list every day at the moment. P.P.S. Thank you to all of you who answer everyone's queries and problems on my behalf, it is greatly appreciated! Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From maillists at conactive.com Tue Oct 21 14:31:35 2008 From: maillists at conactive.com (Kai Schaetzl) Date: Tue Oct 21 14:31:49 2008 Subject: Xen Performance In-Reply-To: <48FD080B.7080101@gdcon.net> References: <48FD080B.7080101@gdcon.net> Message-ID: Just some comments: - use paravirtualization - don't use file-based fs - don't use xvda-based fs - give it enough RAM Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From maillists at conactive.com Tue Oct 21 14:31:35 2008
From: maillists at conactive.com (Kai Schaetzl) Date: Tue Oct 21 14:31:49 2008 Subject: more install.sh In-Reply-To: <48FCCEC0.1080702@tippingmar.com> References: <48FCCEC0.1080702@tippingmar.com> Message-ID: Mark Nienberg wrote on Mon, 20 Oct 2008 11:32:32 -0700: > Alternatively, could the initial check for the module be improved > somehow to detect that the module is already installed as part of the > core perl installation? I suspect that must not be possible or Jules > would have done it already. I've already pointed several times in that direction. At least there should be an installer option to skip all the perl modules altogether. Or, maybe it's there now, I didn't check. What I do when installing a new MS is to install *only* the mailscanner*.rpm and the tnef and some other rpm from inside the tarball. *Not* all the perl*src.rpms. They are simply not needed on Red Hat platforms. All are either part of the distribution or even part of the distributed Perl or can be obtained from rpmforge. That makes the installation also *much* faster :-) AFAIK, Jules tries to make the installation "fool-proof", so you do not need to think about any requirements before installing MS. That obviously conflicts with an already well-equipped OS. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From maillists at conactive.com Tue Oct 21 14:31:35 2008
From: maillists at conactive.com (Kai Schaetzl) Date: Tue Oct 21 14:31:50 2008 Subject: Trouble with bayes sql In-Reply-To: <48FD33A4.2020200@rheel.co.nz> References: <48FD33A4.2020200@rheel.co.nz> Message-ID: Kate Kleinschafer wrote on Tue, 21 Oct 2008 14:43:00 +1300: > With the latest MailScanner and spamassassin do you have to set up a > symlink in /etc/mail/spamassassin to mailscanner.cf in order for the > bayes to be used? Depends where you have your rules. If you have all of them in /etc/mail/spamassassin then you don't need that symlink. (Actually, I have to always *remove* it as I carry my own config.) > Also do I need to make root the bayes_sql_override_username or should it > be postfix? It depends on what you used before or if you converted from dbm to SQL which username you used there. Have a look at the table bayes_vars. It should contain only one record and this will hold the username. If there's more than one record, then you trained with different usernames. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From maillists at conactive.com Tue Oct 21 14:31:35 2008
From: maillists at conactive.com (Kai Schaetzl) Date: Tue Oct 21 14:31:50 2008 Subject: Spamhaus RBLs In-Reply-To: <1964AAFBC212F742958F9275BF63DBB0907562@winchester.andrewscompanies.com> References: <20081019162317.C8A5.EE63E960@remedial-teacher.nl> <20081019165150.C8AC.EE63E960@remedial-teacher.nl> <1224484427.1275.77.camel@darkstar.netcore.co.in> <48FC4A90.4090509@clh.org.uk> <1964AAFBC212F742958F9275BF63DBB090755D@winchester.andrewscompanies.com> <48FCEE1F.1030309@alexb.ch> <1964AAFBC212F742958F9275BF63DBB0907562@winchester.andrewscompanies.com> Message-ID: Steven Andrews wrote on Mon, 20 Oct 2008 17:46:38 -0400: > Interesting. So, if my ISP's nameservers, which I've set as forwarders > of my own, get acl'd, then mine will go down with it? yes. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From MailScanner at ecs.soton.ac.uk Tue Oct 21 14:50:28 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Oct 21 14:50:48 2008 Subject: more install.sh In-Reply-To: References: <48FCCEC0.1080702@tippingmar.com> Message-ID: <48FDDE24.5040601@ecs.soton.ac.uk> Kai Schaetzl wrote: > Mark Nienberg wrote on Mon, 20 Oct 2008 11:32:32 -0700: > > >> Alternatively, could the initial check for the module be improved >> somehow to detect that the module is already installed as part of the >> core perl installation? I suspect that must not be possible or Jules >> would have done it already. >> > > I've already pointed several times in that direction. At least there should > be an installer option to skip all the perl modules altogether. Or, maybe > it's there now, I didn't check. What I do when installing a new MS is to > install *only* the mailscanner*.rpm and the tnef and some other rpm from > inside the tarball. *Not* all the perl*src.rpms. They are simply not needed > on Red Hat platforms. All are either part of the distribution or even part > of the distributed Perl or can be obtained from rpmforge. > That makes the installation also *much* faster :-) > > AFAIK, Jules tries to make the installation "fool-proof", so you do not > need to think about any requirements before installing MS. That obviously > conflicts with an already well-equipped OS. > Absolutely right. I try to keep it fool-proof, so that people who don't know all the details can install and use it sensibly. If you know you don't need to run the install.sh then by all means feel free to not run it. That's your choice. But running it won't do any harm. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me!
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From t.d.lee at durham.ac.uk Tue Oct 21 15:09:31 2008 
From: t.d.lee at durham.ac.uk (David Lee) Date: Tue Oct 21 15:10:20 2008 Subject: more install.sh In-Reply-To: <48FDD9A8.7070403@ecs.soton.ac.uk> References: <48FCCEC0.1080702@tippingmar.com> <48FDD9A8.7070403@ecs.soton.ac.uk> Message-ID: On Tue, 21 Oct 2008, Julian Field wrote: > Mark Nienberg wrote: >> I think on a centOS system the installer.sh is doing this for the perl >> modules that conflict with the base perl: >> >> check to see if the perl module is installed, >> see that it isn't, >> build an rpm for the module from the downloaded src, >> attempt to install the rpm, but the install fails due to conflict with >> installed perl, >> force install only for those that absolutely need it. >> >> I'm wondering if the process could be shorted to eliminate building the rpm >> for the module if the rpm already exists in /usr/src/redhat/RPMS (probably >> from a previous MailScanner install). > No, because then if something went wrong with the install (in that a corrupt > RPM got built somehow), then re-installing wouldn't help the situation, and > you would have to get into all sorts of messing around deleting files to get > yourself out of the hole. Is part (even all?) of the problem that some modules don't offer "VERSION" information? My skim-reading of "install.sh" and "CheckModuleVersion" suggests that MS only installs any given module either if its "VERSION" is too old, or if it doesn't support "VERSION" at all. (If a module both has "VERSION" and if that version is good enough, then the MS can safely skip its installation altogether.) Is that correct? If so, might it help if some of us here (not necessarily Julian) tried to persuade authors of VERSION-lacking modules to add "VERSION" support? >> Alternatively, could the initial check for the module be improved somehow >> to detect that the module is already installed as part of the the core perl >> installation? I suspect that must not be possible or Jules would have done >> it already. > Not easy. 
You can't find where a Perl module is installed, just that it *is* > installed. ... and (if the installed module supports it) its VERSION. >> Could the installer test for already installed rpms before building and >> attempting installation of the new one? >> In the above example it would run "rpm -q perl-IO-stringy" and then do some >> sort of version checking. > The version checking you need to do is far from trivial. 2.10 is greater than > 2.9, but not in numerical or alphabetical terms. It's quite a tricky problem. > I really don't want to open that Pandora's box! :-) But presumably the checking code in "CheckModuleVersion" is OK? So if a currently VERSION-lacking module could be persuaded to support VERSION, then things should be improved for that module, shouldn't they? There will, of course, be time delay for this to become effective until such support has trickled into future distributions. Might such a strategy (admittedly longer-term rather than quick-fix) help? -- : David Lee I.T. Service : : Senior Systems Programmer Computer Centre : : UNIX Team Leader Durham University : : South Road : : http://www.dur.ac.uk/t.d.lee/ Durham DH1 3LE : : Phone: +44 191 334 2752 U.K. : From maillists at conactive.com Tue Oct 21 15:23:48 2008 
From: maillists at conactive.com (Kai Schaetzl) Date: Tue Oct 21 15:23:57 2008 Subject: OT Spamhaus tactics (was Spamhaus RBLs) In-Reply-To: References: <20081019162317.C8A5.EE63E960@remedial-teacher.nl> <20081019165150.C8AC.EE63E960@remedial-teacher.nl> <1224484427.1275.77.camel@darkstar.netcore.co.in> <48FC4A90.4090509@clh.org.uk> <48FC4D20.6060906@alexb.ch> <48FD0A8D.3060203@gdcon.net> Message-ID: Anthony Cartmell wrote on Tue, 21 Oct 2008 13:35:20 +0100: > Spamhaus seemed such a good idea, but my opinion of its accuracy and > policies is somewhat tainted now... It's still one with quite "friendly" policies (ever dealt with spews/apews?). The point of doing what they did is that you catch the attention of the upstream provider much quicker than by listing only a few single IPs while the offending spammer is jumping from IP to IP. If the provider gets complaints from a lot of customers they may act quicker on getting rid of the spammer or they may prove that they *are* a spam hosting provider. So, it's effective either way. And there's also the occasional case where you accidentally attribute a subnet to a spammer because many IP addresses in that space already belong (or belonged) to them and it looks like they can use the whole range. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From ms-list at alexb.ch Tue Oct 21 15:51:23 2008
From: ms-list at alexb.ch (Alex Broens) Date: Tue Oct 21 15:51:34 2008 Subject: Beta Version 4.72.2-1 BUG - SweepVirus.pm nod32-1.99 Message-ID: <48FDEC6B.1060000@alexb.ch>

Jules

Version 4.72.2-1 SweepVirus.pm

"nod32-1.99" => {
    Name => 'Nod32',
    Lock => 'Nod32Busy.lock',
    CommonOptions => '--arch --all -b',

Does NOT log Viruses
____
older MS versions

"nod32-1.99" => {
    Name => 'Nod32',
    Lock => 'Nod32Busy.lock',
    CommonOptions => '--arch --all',

Removing -b from CommonOption restores logging the virus name as it always has. Dunno when & why that was changed but it definitely doesn't work with -b

Thx
Alex
From ssilva at sgvwater.com Tue Oct 21 16:18:35 2008
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Oct 21 16:18:58 2008 Subject: OT Spamhaus tactics (was Spamhaus RBLs) In-Reply-To: References: <20081019162317.C8A5.EE63E960@remedial-teacher.nl> <20081019165150.C8AC.EE63E960@remedial-teacher.nl> <1224484427.1275.77.camel@darkstar.netcore.co.in> <48FC4A90.4090509@clh.org.uk> <48FC4D20.6060906@alexb.ch> <48FD0A8D.3060203@gdcon.net> Message-ID: > Of course the spammer in question had more than one IP address allocated > to his server, so I'm sure they didn't move him and allow him to > continue on purpose. Netrino may well have been able to block him more > effectively, but using hundreds of innocent servers as a lever to put > pressure on seems unfair to me. A more generous approach might have been > to contact the innocent server owners and warn us of the problem, rather > than let our e-mail get blocked. And perhaps even have a mechanism to > allow incorrectly-listed servers to be de-listed without needing to > involve the block owner? > > The range of IP addresses listed in the SBL was reduced to just eight > addresses a day or two later, and then finally removed altogether. The > upside was that I learnt how to relay mail via my other server, hosted > elsewhere, to avoid the blacklisted IP range. > > Spamhaus seemed such a good idea, but my opinion of its accuracy and > policies is somewhat tainted now... > > Cheers! > > Anthony Blacklists do seem less attractive when you get on the other side of the fence. Spamhaus can get heavy handed sometimes, but usually in response to threats by the ISP. With the law in England giving them some protection from many international lawsuits, they don't have to be as "careful". -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ms-list at alexb.ch Tue Oct 21 16:25:14 2008
From: ms-list at alexb.ch (Alex Broens) Date: Tue Oct 21 16:25:24 2008 Subject: MailScanner - Monitors for ClamAV Updates Message-ID: <48FDF45A.2080003@alexb.ch> Default MailScanner.conf contains Monitors for ClamAV Updates = /usr/local/share/clamav/*.cld /usr/local/share/clamav/*.cvd For support of some 3rd party signatures it would be very appreciated if would include: /usr/local/share/clamav/*.hdb thx Alex From ssilva at sgvwater.com Tue Oct 21 16:34:55 2008
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Oct 21 16:35:19 2008 Subject: more install.sh In-Reply-To: References: <48FCCEC0.1080702@tippingmar.com> Message-ID: on 10-21-2008 6:31 AM Kai Schaetzl spake the following: > Mark Nienberg wrote on Mon, 20 Oct 2008 11:32:32 -0700: > >> Alternatively, could the initial check for the module be improved >> somehow to detect that the module is already installed as part of the >> core perl installation? I suspect that must not be possible or Jules >> would have done it already. > > I've already pointed several times in that direction. At least there should > be an installer option to skip all the perl modules altogether. Or, maybe > it's there now, I didn't check. What I do when installing a new MS is to > install *only* the mailscanner*.rpm and the tnef and some other rpm from > inside the tarball. *Not* all the perl*src.rpms. They are simply not needed > on Red Hat platforms. All are either part of the distribution or even part > of the distributed Perl or can be obtained from rpmforge. > That makes the installation also *much* faster :-) > > AFAIK, Jules tries to make the installation "fool-proof", so you do not > need to think about any requirements before installing MS. That obviously > conflicts with an already well-equipped OS. > > Kai > Not only fool proof, but he probably doesn't want to have case statements for dozens of mainline distros and their versions. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From lists at tippingmar.com Tue Oct 21 16:46:03 2008
From: lists at tippingmar.com (Mark Nienberg) Date: Tue Oct 21 16:46:20 2008 Subject: more install.sh In-Reply-To: <48FDD9A8.7070403@ecs.soton.ac.uk> References: <48FCCEC0.1080702@tippingmar.com> <48FDD9A8.7070403@ecs.soton.ac.uk> Message-ID: <48FDF93B.8020707@tippingmar.com> Julian Field wrote: > > Mark Nienberg wrote: >> >> Could the installer test for already installed rpms before building >> and attempting installation of the new one? >> In the above example it would run "rpm -q perl-IO-stringy" and then >> do some sort of version checking. > The version checking you need to do is far from trivial. 2.10 is > greater than 2.9, but not in numerical or alphabetical terms. It's > quite a tricky problem. I really don't want to open that Pandora's > box! :-) > I'll bet there is a perl module that does version comparison. But that means yet another perl module dependency. Maybe best not to go there. Mark From merkel at metalink.net Tue Oct 21 17:01:34 2008 From: merkel at metalink.net (Eric Merkel) Date: Tue Oct 21 17:01:49 2008 Subject: Xen Performance References: <48FD080B.7080101@gdcon.net> Message-ID: <423E2801274048CC9B1745E8DE3E2A80@staff.metalink.net> I cannot comment on VMware and MailScanner, but we are running several XEN MailScanner VMs in an ISP environment (load balanced) and they are almost indistinguishable from a regular machine. All I can say is give the VM plenty of RAM since MailScanner needs it to run efficiently. -Eric ----- Original Message -----
From: "Andrew MacLachlan" To: "MailScanner discussion" Sent: 2008-10-20 18:36 Subject: Xen Performance > Has anyone got any idea of how well MailScanner performs under Xen > compared to ESX? > I'm interested in anyone's opinion who has tried both platforms - also any > wisdom regarding messages/hour on either platform... > > -Andy > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From ajcartmell at fonant.com Tue Oct 21 17:12:48 2008 
From: ajcartmell at fonant.com (Anthony Cartmell) Date: Tue Oct 21 17:12:50 2008 Subject: OT Spamhaus tactics (was Spamhaus RBLs) In-Reply-To: References: <20081019162317.C8A5.EE63E960@remedial-teacher.nl> <20081019165150.C8AC.EE63E960@remedial-teacher.nl> <1224484427.1275.77.camel@darkstar.netcore.co.in> <48FC4A90.4090509@clh.org.uk> <48FC4D20.6060906@alexb.ch> <48FD0A8D.3060203@gdcon.net> Message-ID: >> Spamhaus seemed such a good idea, but my opinion of its accuracy and >> policies is somewhat tainted now... > > It's still one with quite "friendly" policies (ever dealt with > spews/apews?). No, not yet :) > The point of doing what they did is that you catch the > attention of the upstream provider much quicker than by listing only a > few single IPs while the offending spammer is jumping from IP to IP. Yes, it certainly was effective using hundreds of innocent servers as a lever to get one spammer stopped. Just not very nice being caught in the cross-fire with very little that we could do. > If the > provider gets complaints from a lot of customers they may act quicker on > getting rid of the spammer or they may prove that they *are* a spam > hosting provider. So, it's effective either way. True. Would have been nice to think that Spamhaus might have done just a little bit of homework to inspect the machines in the netblock to see who was using them, but I suppose they don't really care too much if innocent people's e-mail is getting blocked, so long as it doesn't happen often enough for people to question their lists and then stop paying for feeds. > And there's also the occasional case where you accidentally attribute a > subnet to a spammer because many IP addresses in that space already > belong (or belonged) to them and it looks like they can use the whole > range. This was deliberate escalation by Spamhaus, not accidental, they said as much in the comments. Cheers! 
Anthony -- www.fonant.com - Quality web sites From ajcartmell at fonant.com Tue Oct 21 17:15:14 2008 From: ajcartmell at fonant.com (Anthony Cartmell) Date: Tue Oct 21 17:15:24 2008 Subject: OT Spamhaus tactics (was Spamhaus RBLs) In-Reply-To: References: <20081019162317.C8A5.EE63E960@remedial-teacher.nl> <20081019165150.C8AC.EE63E960@remedial-teacher.nl> <1224484427.1275.77.camel@darkstar.netcore.co.in> <48FC4A90.4090509@clh.org.uk> <48FC4D20.6060906@alexb.ch> <48FD0A8D.3060203@gdcon.net> Message-ID: > With the law in England giving them some protection from > many international lawsuits, they don't have to be as "careful". Interestingly they blocked UK-based and UK-owned servers, and legal action against Spamhaus for disrupting their business was mentioned by one server owner... Hopefully a one-off learning experience for all concerned. Anthony -- www.fonant.com - Quality web sites From email at ace.net.au Tue Oct 21 17:16:13 2008 From: email at ace.net.au (Peter Nitschke) Date: Tue Oct 21 17:16:32 2008 Subject: A bit OT: strange spikes in RBL-blocked connections In-Reply-To: <48FDA266.2030402@gmail.com> References: <48FDA266.2030402@gmail.com> Message-ID: <200810220246130936.1F0FA95D@web.ace.net.au> I get typically 1-300 per 10 minutes. Then it will suddenly go to 15,000 per 10 minutes. I love RBL's! Peter *********** REPLY SEPARATOR *********** On 21/10/2008 at 11:35 AM Ronny T. Lampert wrote: >Hi all, > >best list to ask: for quite a while now I see strange spikes in >RBL-blocked connections: > >Everything is fine with around 10-30 blocks/minute. >Then suddenly at 10AM (GMT+1) they shoot up to 80-100/minute. They fall >back a bit until 2PM. >Around 2PM when they shoot up again to even higher levels and gently >fall down until 4-5PM to their levels before 10AM. > >Anybody else noticed that? > >Cheers, >Ronny From rcooper at dwford.com Tue Oct 21 20:46:12 2008 
From: rcooper at dwford.com (Rick Cooper) Date: Tue Oct 21 20:46:28 2008 Subject: more install.sh In-Reply-To: <48FDD9A8.7070403@ecs.soton.ac.uk> References: <48FCCEC0.1080702@tippingmar.com> <48FDD9A8.7070403@ecs.soton.ac.uk> Message-ID: <55618674323542459DAF13523F39F1E9@SAHOMELT> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On > Behalf Of Julian Field > Sent: Tuesday, October 21, 2008 9:31 AM > To: MailScanner discussion > Subject: Re: more install.sh > > > > Mark Nienberg wrote: > > I think on a centOS system the installer.sh is doing this > for the perl > > modules that conflict with the base perl: > > > > check to see if the perl module is installed, > > see that it isn't, > > build an rpm for the module from the downloaded src, > > attempt to install the rpm, but the install fails due to > conflict with > > installed perl, > > force install only for those that absolutely need it. > > [...] > part of the > > the core perl installation? I suspect that must not be possible or > > Jules would have done it already. > Not easy. You can't find where a Perl module is installed, > just that it > *is* installed.

Try perldoc -T perllocal. Outputs all modules that are installed in the following format:

Mon Sep 8 12:53:02 2008: "Module" DBI::Shell
* "installed into: /usr/lib/perl5/site_perl/5.8.8"
* "LINKTYPE: dynamic"
* "VERSION: 11.95"
* "EXE_FILES: dbish"

Not hard to parse, gives location (if that is really important) and version (where available). If you didn't want to return all modules and parse for the ones you want then

cls;perldoc -t perllocal |grep -A 7 DBI::Shell

Would return the above but only the one module DBI::Shell. Since you are using a shell script I suppose you would have to do a loop and something like

MODULE=`perldoc -t perllocal |grep -A 7 DBI::Shell|grep '"Module"'|sed 's/.*Module" //'`
VERSION=`perldoc -t perllocal |grep -A 7 DBI::Shell|grep 'VERSION'|sed 's/.*VERSION: //'|sed 's/"//g'`
LOCATION=`perldoc -t perllocal |grep -A 7 DBI::Shell|grep 'installed into'|sed 's/.*into: //'|sed 's/"//g'`

Or better yet run the

perldoc -t perllocal > tempfile.name

And grep tempfile.name for the information so the call to perldoc would only be used once for speed.
> > > > Also, the installer builds rpms for packages that will not > install due > > to already installed rpms. For example, on my system it builds > > perl-IO-stringy-2.110-1 > > and tries to install it, but discovers that > > perl-IO-stringy-2.110-1.2.el5.rf > > is already installed. > > > > Could the installer test for already installed rpms before > building > > and attempting installation of the new one? > > In the above example it would run "rpm -q perl-IO-stringy" > and then do > > some sort of version checking. > The version checking you need to do is far from trivial. > 2.10 is greater > than 2.9, but not in numerical or alphabetical terms. It's quite a > tricky problem. I really don't want to open that Pandora's box! :-) > > Nice ideas though... [...] If you are just comparing parsed version numbers why not do the following with the above example (scale 7 should cover the weird 0.10789 versions) echo "scale=7;2.10 >= 2.9"|bc Which would output 0 but echo 'scale=7;2.10 <= 2.9' |bc Would output 1 Of course you would have to make sure that MODULE|VERSION != '' and install as required but that is trivial Rick -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From kate at rheel.co.nz Tue Oct 21 20:57:07 2008 
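The check discussed in the "more install.sh" messages above, as an added example that is not part of install.sh or of any poster's message: it reads one saved `perldoc -t perllocal` dump and compares dotted versions field by field, so 2.10 ranks above 2.9. The function names and the sample records are constructed for illustration, and versions are assumed to be dotted integers (modules that number releases as decimal fractions need a different rule).

```shell
#!/bin/sh
# Added example; not code from install.sh or from the thread.

# ver_cmp A B -> prints -1, 0 or 1 (A older than, equal to, newer than B).
# Fields are split on "." and compared as decimal integers; a missing field
# counts as 0, so 2.9 equals 2.9.0. Assumption: dotted integers only.
# Anything else (empty, "1.2rc1", "2..1") prints nothing and returns 2.
ver_cmp() {
    _va=$1 _vb=$2
    for _v in "$_va" "$_vb"; do
        case $_v in
            ''|*[!0-9.]*|.*|*.|*..*) return 2 ;;
        esac
    done
    while [ -n "$_va" ] || [ -n "$_vb" ]; do
        _fa=${_va%%.*} _fb=${_vb%%.*}
        # Drop the field just read from each string.
        case $_va in *.*) _va=${_va#*.} ;; *) _va= ;; esac
        case $_vb in *.*) _vb=${_vb#*.} ;; *) _vb= ;; esac
        # test(1) reads its operands as decimal, so "08" means 8.
        if [ "${_fa:-0}" -gt "${_fb:-0}" ]; then printf '%s\n' 1; return 0; fi
        if [ "${_fa:-0}" -lt "${_fb:-0}" ]; then printf '%s\n' -1; return 0; fi
    done
    printf '%s\n' 0
}

# perllocal_version MODULE < dump
# Reads saved `perldoc -t perllocal` text on stdin and prints the VERSION of
# the last record whose module name is exactly MODULE (a plain grep for
# DBI::Shell would also match a longer name that contains it).
# Returns 1 if the module is absent or its record has no VERSION line.
perllocal_version() {
    awk -v mod="$1" '
        /"Module"/ { cur = $NF; if (cur == mod) ver = ""; next }
        cur == mod && /VERSION:/ {
            ver = $0
            sub(/.*VERSION: */, "", ver)
            gsub(/"/, "", ver)
        }
        END { if (ver == "") exit 1; print ver }
    '
}

# needs_install MODULE MINIMUM < dump
# Returns 0 when MODULE should be built: not listed, no VERSION recorded,
# version not parseable, or older than MINIMUM. Unknown counts as "install".
needs_install() {
    _have=$(perllocal_version "$1") || return 0
    _cmp=$(ver_cmp "$_have" "$2") || return 0
    [ "$_cmp" = "-1" ]
}

# Constructed sample in the record layout quoted in the thread.
sample_perllocal() {
    cat <<'EOF'
Mon Sep  8 12:53:02 2008: "Module" DBI::Shell
* "installed into: /usr/lib/perl5/site_perl/5.8.8"
* "LINKTYPE: dynamic"
* "VERSION: 11.95"
* "EXE_FILES: dbish"
Mon Sep  8 12:55:10 2008: "Module" IO::Stringy
* "installed into: /usr/lib/perl5/site_perl/5.8.8"
* "LINKTYPE: dynamic"
* "VERSION: 2.110"
* "EXE_FILES: "
Mon Sep  8 12:57:41 2008: "Module" Example::NoVersion
* "installed into: /usr/lib/perl5/site_perl/5.8.8"
* "LINKTYPE: dynamic"
EOF
}

printf '2.10 vs 2.9 -> %s\n' "$(ver_cmp 2.10 2.9)"
if sample_perllocal | needs_install IO::Stringy 2.9; then
    echo "IO::Stringy: build and install"
else
    echo "IO::Stringy: installed copy is new enough"
fi
```

On a real host the dump would come from a single `perldoc -t perllocal > tempfile.name` call, as suggested in the message above, and be fed to the functions on stdin.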
From: kate at rheel.co.nz (Kate Kleinschafer) Date: Tue Oct 21 20:55:53 2008 Subject: txt file getting blocked as Quick Time file Message-ID: <48FE3413.4070407@rheel.co.nz> Hi all, I am getting a few messages blocked saying they have a Quick Time file attached (which shows as msg-18161-4.txt) I know the message is ham. After doing some searching on the internet I came across a thread that said the following about the problem:
> This bug is not so much a problem with filenames. I'm just pointing out
> that the filenames.conf entries don't override filetype.conf So the
> tnef created "msg*.txt" files that can be misinterpreted by filetype as
> Quicktime files can't be overridden. The only options are to allow
> quicktime filetypes or disable the "Use TNEF Contents" option.
Is the best option to allow QuickTime in filetype.rules.conf or is there another more suitable option. Thanks Kate From lklokner at gmail.com Tue Oct 21 22:03:46 2008
From: lklokner at gmail.com (Luboš Klokner) Date: Tue Oct 21 22:03:56 2008 Subject: MS support for esets_cli Message-ID:

Hi, I'm using esets with MS, but MS is using esets_scan which is much slower than esets_cli. esets_cli is using client-server esets architecture.

[root@geck]-[~]# time esets_cli eicar_com.zip
/root/eicar_com.zip: action="rejected"
/root/eicar_com.zip: virus="Eicar test file"
/root/eicar_com.zip ?? ZIP ?? eicar.com: virus="Eicar test file"
real 0m0.010s
user 0m0.001s
sys 0m0.002s
[root@geck]-[~]# time esets_scan eicar_com.zip
ESET Command-line scanner, version 3.0.10, (C) 1992-2008 ESET, spol. s r.o.
Using license: Fachhochschule Ansbach (/etc/esets/license/esets_db469e.lic)
Module loader, version 1024 (20080514), build 1025
Module perseus, version 1155 (20081016), build 1189
Module scanner, version 3543 (20081021), build 3770
Module archiver, version 1083 (20081016), build 1038
Module advheur, version 1078 (20081016), build 1032
Command line: eicar_com.zip
Scan started at: Tue 21 Oct 2008 10:37:54 PM CEST
name="eicar_com.zip", threat="Eicar test file", action="", info=""
name="eicar_com.zip ?? ZIP ?? eicar.com", threat="Eicar test file", action="", info=""
Scan completed at: Tue 21 Oct 2008 10:37:54 PM CEST
Scan time: 0 sec (0:00:00)
Total: files - 1, objects 1
Infected: files - 1, objects 1
Cleaned: files - 0, objects 0
real 0m1.259s
user 0m1.174s
sys 0m0.065s
[root@geck]-[~]#

Is there any reason for using esets_scan instead of esets_cli ? Thank you. -- lubos klokner
From gesbbb at yahoo.com Tue Oct 21 22:09:57 2008
From: gesbbb at yahoo.com (Jerry) Date: Tue Oct 21 22:10:29 2008 Subject: OT Spamhaus tactics (was Spamhaus RBLs) In-Reply-To: References: <20081019162317.C8A5.EE63E960@remedial-teacher.nl> <20081019165150.C8AC.EE63E960@remedial-teacher.nl> <1224484427.1275.77.camel@darkstar.netcore.co.in> <48FC4A90.4090509@clh.org.uk> <48FC4D20.6060906@alexb.ch> <48FD0A8D.3060203@gdcon.net> Message-ID: <20081021170957.6d79764a@scorpio> On Tue, 21 Oct 2008 17:15:14 +0100 "Anthony Cartmell" wrote: >Interestingly they blocked UK-based and UK-owned servers, and legal >action against Spamhaus for disrupting their business was mentioned by >one server owner... They have been threatened with legal action so many times now that I seriously doubt that they even pay any attention to it. They are not doing the actual blocking; but rather supplying a list of known IP ranges from which SPAM originates. Personally, I think getting on your ISP's case and getting them to monitor SPAM on their network and deal with it quickly and decisively would be more appropriate. Yes, collateral damage does occur occasionally; however that is just a fact of life. -- Jerry gesbbb@yahoo.com There are only two kinds of tequila. Good and better. From ms-list at alexb.ch Tue Oct 21 22:17:41 2008 From: ms-list at alexb.ch (Alex Broens) Date: Tue Oct 21 22:17:51 2008 Subject: MS support for esets_cli In-Reply-To: References: Message-ID: <48FE46F5.2080509@alexb.ch> On 10/21/2008 11:03 PM, Luboš Klokner wrote: > Hi, > > I'm using esets with MS, but MS is using esets_scan, which is much slower > than esets_cli. esets_cli is using client-server esets architecture. what license type do you have? Alex From lklokner at gmail.com Tue Oct 21 22:30:49 2008 
From: lklokner at gmail.com (Luboš Klokner) Date: Tue Oct 21 22:30:58 2008 Subject: MS support for esets_cli In-Reply-To: <48FE46F5.2080509@alexb.ch> References: <48FE46F5.2080509@alexb.ch> Message-ID: On Tue, Oct 21, 2008 at 11:17 PM, Alex Broens wrote: > On 10/21/2008 11:03 PM, Luboš Klokner wrote: > >> Hi, >> >> I'm using esets with MS, but MS is using esets_scan, which is much slower >> than esets_cli. esets_cli is using client-server esets architecture. >> > > what license type do you have? > > I have Eset Mail Security. -- lubos klokner From ms-list at alexb.ch Tue Oct 21 22:59:27 2008 From: ms-list at alexb.ch (Alex Broens) Date: Tue Oct 21 22:59:38 2008 Subject: MS support for esets_cli In-Reply-To: References: <48FE46F5.2080509@alexb.ch> Message-ID: <48FE50BF.5080206@alexb.ch> On 10/21/2008 11:30 PM, Luboš Klokner wrote: > On Tue, Oct 21, 2008 at 11:17 PM, Alex Broens wrote: > >> On 10/21/2008 11:03 PM, Luboš Klokner wrote: >> >>> Hi, >>> >>> I'm using esets with MS, but MS is using esets_scan, which is much slower >>> than esets_cli. esets_cli is using client-server esets architecture. >>> >> what license type do you have? >> >> > I have Eset Mail Security. afaik, most MS users deploy Esets/Nod32 File Server version which does not support esets_cli which is why esets_scan was chosen. Having the mail server version, I'd personally opt for running as a milter (esets_smfi) or even esets_smtp and reject at smtp level instead of parsing thru the slower MailScanner process. Alex From kate at rheel.co.nz Wed Oct 22 04:54:22 2008 
From: kate at rheel.co.nz (Kate Kleinschafer) Date: Wed Oct 22 04:53:09 2008 Subject: MCP stopped not showing Message-ID: <48FEA3EE.90608@rheel.co.nz> Hi, In MailWatch the Spam and High Spam scores are showing but I have 0 scores for Viruses MCP and High Scoring MCP. I know I have definitely had hits on MCP and High Scoring MCP. Whereabouts in the configuration for MailWatch would I go to begin troubleshooting why the results are not showing? Does anyone have any hints as to what might be wrong? Thanks Kate From alvaro at hostalia.com Wed Oct 22 11:32:05 2008 From: alvaro at hostalia.com (Alvaro Marín) Date: Wed Oct 22 11:32:36 2008 Subject: A bit OT: strange spikes in RBL-blocked connections In-Reply-To: <200810220246130936.1F0FA95D@web.ace.net.au> References: <48FDA266.2030402@gmail.com> <200810220246130936.1F0FA95D@web.ace.net.au> Message-ID: <48FF0125.7050704@hostalia.com> Hi, the same here, from 3 months to now. Some days ago, I made some graphs following the behavior of some IPs (ones that send us more spam) and the result is curious (see images attached, the X axis is the hour). I see now that I'm not the only one :-) Regards, -- Alvaro Marín Illera Hostalia Internet www.hostalia.com -------------- next part -------------- A non-text attachment was scrubbed... Name: ip1.jpg Type: image/jpeg Size: 17098 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081022/b6c3157c/ip1.jpg -------------- next part -------------- A non-text attachment was scrubbed... Name: ip2.jpg Type: image/jpeg Size: 16471 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081022/b6c3157c/ip2.jpg From glenn.steen at gmail.com Wed Oct 22 12:05:18 2008 
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Oct 22 12:05:27 2008 Subject: Skipping checks on a whole domain In-Reply-To: <200810210958.m9L9wTEL005575@safir.blacknight.ie> References: <20081019162317.C8A5.EE63E960@remedial-teacher.nl> <20081019165150.C8AC.EE63E960@remedial-teacher.nl> <1224484427.1275.77.camel@darkstar.netcore.co.in> <200810201646.m9KGkaQ3008633@safir.blacknight.ie> <200810210958.m9L9wTEL005575@safir.blacknight.ie> Message-ID: <223f97700810220405o3a8b6098s26e34aa50750b6cd@mail.gmail.com> 2008/10/21 Stef Morrell : > Glenn Steen wrote: >> 2008/10/20 Stef Morrell : >> Um, didn't you participate in the thread Hugo had on >> selective hold (through access...)? IIUC, that should be able to do >> what is needed. Anyone interested should look up "Selective HOLD" in >> the ml archives:-). > > This does ring a bell now. My memory has become of late much like the > swallowtail butterfly. It is bright, flits prettily hither and thither, > but is alas, almost completely extinct. > :-) ... Must be contagious...:-) > I'm fairly sure however that Hugo's method doesn't work for me as I'm > also rejecting third party DSN in header checks... or something. It's > not a file which is conducive to lots of rules. > Quite true. That's why his method doesn't use it:-). > Stef Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From srhitch at mecheng1.uwaterloo.ca Wed Oct 22 18:13:38 2008 
From: srhitch at mecheng1.uwaterloo.ca (Steve Hitchman) Date: Wed Oct 22 18:13:59 2008 Subject: Spam Action Rules In-Reply-To: <223f97700810220405o3a8b6098s26e34aa50750b6cd@mail.gmail.com> References: <20081019162317.C8A5.EE63E960@remedial-teacher.nl> <20081019165150.C8AC.EE63E960@remedial-teacher.nl> <1224484427.1275.77.camel@darkstar.netcore.co.in> <200810201646.m9KGkaQ3008633@safir.blacknight.ie> <200810210958.m9L9wTEL005575@safir.blacknight.ie> <223f97700810220405o3a8b6098s26e34aa50750b6cd@mail.gmail.com> Message-ID: <001e01c93469$869657a0$93c306e0$@uwaterloo.ca> Gentlemen, I am having trouble with my upgrade from 4.56.8 to 4.67.6 on FreeBSD. I was using a ruleset for Spam Actions and High Scoring Spam Actions. In version 4.56.8 the way to mark the header as spam was to use the: Spam Header = X-Spam-Status: Yes-%org-name%-MailScanner-SpamCheck: In 4.67.6 the "X-Spam-Status: Yes" is inserted via the Action Rules such as: Spam Actions = deliver header "X-Spam-Status: Yes" For some reason when I leave it in the original form I get an extra "-" added to the header such as this: X-Spam-Status: -Yes-xxxxxxx... This is bad as it prevents such things as .procmailrc scripts from identifying marked spam. Bottom line is how do I make the "X-Spam-Status: Yes" show up in the header as well as use a filename rule for Spam Actions? Is this acceptable? Spam Actions = %rules.dir%/spamactions.rules header "X-Spam-Status: Yes" Thanks, Steve From kate at rheel.co.nz Wed Oct 22 20:45:19 2008 
From: kate at rheel.co.nz (Kate Kleinschafer) Date: Wed Oct 22 20:44:01 2008 Subject: MCP stopped not showing - Sorry wrong list - Ignore In-Reply-To: <48FEA3EE.90608@rheel.co.nz> References: <48FEA3EE.90608@rheel.co.nz> Message-ID: <48FF82CF.8040503@rheel.co.nz> Kate Kleinschafer wrote: > Hi, > > In MailWatch the Spam and High Spam scores are showing but I have 0 > scores for Viruses MCP and High Scoring MCP. > > I know I have definitely had hits on MCP and High Scoring MCP. > > Whereabouts in the configuration for MailWatch would I go to begin > troubleshooting why the results are not showing? > > Does anyone have any hints as to what might be wrong? > > Thanks > Kate From ssilva at sgvwater.com Wed Oct 22 20:46:28 2008 
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Oct 22 20:46:56 2008 Subject: Spam Action Rules In-Reply-To: <001e01c93469$869657a0$93c306e0$@uwaterloo.ca> References: <20081019162317.C8A5.EE63E960@remedial-teacher.nl> <20081019165150.C8AC.EE63E960@remedial-teacher.nl> <1224484427.1275.77.camel@darkstar.netcore.co.in> <200810201646.m9KGkaQ3008633@safir.blacknight.ie> <200810210958.m9L9wTEL005575@safir.blacknight.ie> <223f97700810220405o3a8b6098s26e34aa50750b6cd@mail.gmail.com> <001e01c93469$869657a0$93c306e0$@uwaterloo.ca> Message-ID: on 10-22-2008 10:13 AM Steve Hitchman spake the following: > Gentlemen, > > I am having trouble with my upgrade from 4.56.8 to 4.67.6 on FreeBSD. I was > using a ruleset for Spam Actions and High Scoring Spam Actions. In version > 4.56.8 the way to mark the header as spam was to use the: > > Spam Header = X-Spam-Status: Yes-%org-name%-MailScanner-SpamCheck: This looks very wrong! It looks like you have 2 header lines munged together. AFAIR a header can have only one colon, followed by a whitespace and a status. Maybe you want something like; Spam Header = X-%org-name%-Spam-Status: Yes or # Add this extra header to all messages found to be spam. # This can also be the filename of a ruleset. Spam Header = X-%org-name%-MailScanner-SpamCheck: -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Wed Oct 22 21:16:43 2008 
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Oct 22 21:17:05 2008 Subject: MCP stopped not showing In-Reply-To: <48FEA3EE.90608@rheel.co.nz> References: <48FEA3EE.90608@rheel.co.nz> Message-ID: on 10-21-2008 8:54 PM Kate Kleinschafer spake the following: > Hi, > > In MailWatch the Spam and High Spam scores are showing but I have 0 > scores for Viruses MCP and High Scoring MCP. > > I know I have definitely had hits on MCP and High Scoring MCP. > > Whereabouts in the configuration for MailWatch would I go to begin > troubleshooting why the results are not showing? > > Does anyone have any hints as to what might be wrong? > > Thanks > Kate MCP rules have somewhat fallen out of favor because of the extra overhead of running 2 spamassassin instances. The spamassassin rule actions will do the same thing with half the overhead. http://www.mailscanner.info/MailScanner.conf.index.html#SpamAssassin%20Rule%20Actions -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From maillists at conactive.com Wed Oct 22 21:31:14 2008 
From: maillists at conactive.com (Kai Schaetzl) Date: Wed Oct 22 21:31:26 2008 Subject: Spam Action Rules In-Reply-To: <001e01c93469$869657a0$93c306e0$@uwaterloo.ca> References: <20081019162317.C8A5.EE63E960@remedial-teacher.nl> <20081019165150.C8AC.EE63E960@remedial-teacher.nl> <1224484427.1275.77.camel@darkstar.netcore.co.in> <200810201646.m9KGkaQ3008633@safir.blacknight.ie> <200810210958.m9L9wTEL005575@safir.blacknight.ie> <223f97700810220405o3a8b6098s26e34aa50750b6cd@mail.gmail.com> <001e01c93469$869657a0$93c306e0$@uwaterloo.ca> Message-ID: Steve Hitchman wrote on Wed, 22 Oct 2008 13:13:38 -0400: > Spam Header = X-Spam-Status: Yes-%org-name%-MailScanner-SpamCheck: Surely not. This is a mixup of two headers. Correct is: Spam Header = X-%org-name%-MailScanner-SpamCheck: Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From kate at rheel.co.nz Wed Oct 22 21:36:31 2008 
From: kate at rheel.co.nz (Kate Kleinschafer) Date: Wed Oct 22 21:35:11 2008 Subject: MCP stopped not showing In-Reply-To: References: <48FEA3EE.90608@rheel.co.nz> Message-ID: <48FF8ECF.6050605@rheel.co.nz> Scott Silva wrote: > on 10-21-2008 8:54 PM Kate Kleinschafer spake the following: > >> Hi, >> >> In MailWatch the Spam and High Spam scores are showing but I have 0 >> scores for Viruses MCP and High Scoring MCP. >> >> I know I have definitely had hits on MCP and High Scoring MCP. >> >> Whereabouts in the configuration for MailWatch would I go to begin >> troubleshooting why the results are not showing? >> >> Does anyone have any hints as to what might be wrong? >> >> Thanks >> Kate >> > MCP rules have somewhat fallen out of favor because of the extra overhead of > running 2 spamassassin instances. The spamassassin rule actions will do the > same thing with half the overhead. > > http://www.mailscanner.info/MailScanner.conf.index.html#SpamAssassin%20Rule%20Actions > > > Will have to read up a bit more on this. Thanks. Kate From bfebrian.mailscanner at gedubrak.com Thu Oct 23 05:13:47 2008 
From: bfebrian.mailscanner at gedubrak.com (Budi Febrianto) Date: Thu Oct 23 05:13:57 2008 Subject: OT Spamhaus tactics (was Spamhaus RBLs) In-Reply-To: References: <20081019162317.C8A5.EE63E960@remedial-teacher.nl> <20081019165150.C8AC.EE63E960@remedial-teacher.nl> <1224484427.1275.77.camel@darkstar.netcore.co.in> <48FC4A90.4090509@clh.org.uk> <48FC4D20.6060906@alexb.ch> <48FD0A8D.3060203@gdcon.net> Message-ID: <48FFF9FB.80104@gedubrak.com> Ever dealt with uceprotect? Even now, my servers are listed in their block list even though they know that I did not send spam. I have manually sent emails to my customers that use uceprotect, so they can put me in their whitelist. Spamhaus, still one of the good guys. Kai Schaetzl wrote: > Anthony Cartmell wrote on Tue, 21 Oct 2008 13:35:20 +0100: > > >> Spamhaus seemed such a good idea, but my opinion of its accuracy and >> policies is somewhat tainted now... >> > > It's still one with quite "friendly" policies (ever dealt with > spews/apews?). The point of doing what they did is that you catch the > attention of the upstream provider much quicker than by listing only a few > single IPs while the offending spammer is jumping from IP to IP. If the > provider gets complaints from a lot of customers they may act quicker on > getting rid of the spammer or they may prove that they *are* a spam > hosting provider. So, it's effective either way. > And there's also the occasional case where you accidentally attribute a > subnet to a spammer because many IP addresses in that space already belong > (or belonged) to them and it looks like they can use the whole range. > > Kai > > From glenn.steen at gmail.com Thu Oct 23 10:05:50 2008 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Oct 23 10:06:00 2008 Subject: Spam Action Rules In-Reply-To: <001e01c93469$869657a0$93c306e0$@uwaterloo.ca> References: <20081019162317.C8A5.EE63E960@remedial-teacher.nl> <20081019165150.C8AC.EE63E960@remedial-teacher.nl> <1224484427.1275.77.camel@darkstar.netcore.co.in> <200810201646.m9KGkaQ3008633@safir.blacknight.ie> <200810210958.m9L9wTEL005575@safir.blacknight.ie> <223f97700810220405o3a8b6098s26e34aa50750b6cd@mail.gmail.com> <001e01c93469$869657a0$93c306e0$@uwaterloo.ca> Message-ID: <223f97700810230205s4e5de228o903f7fd00dcbfcde@mail.gmail.com> 2008/10/22 Steve Hitchman : > Gentlemen, > > I am having trouble with my upgrade from 4.56.8 to 4.67.6 on FreeBSD. I was > using a ruleset for Spam Actions and High Scoring Spam Actions. In version > 4.56.8 the way to mark the header as spam was to use the: > > Spam Header = X-Spam-Status: Yes-%org-name%-MailScanner-SpamCheck: > > In 4.67.6 the "X-Spam-Status: Yes" is inserted via the Action Rules such as: > > Spam Actions = deliver header "X-Spam-Status: Yes" > > For some reason when I leave it in the original form I get an extra "-" > added to the header such as this: > > X-Spam-Status: -Yes-xxxxxxx... > > This is bad as it prevents such things as .procmailrc scripts from > identifying marked spam. Both Steve and Kai have commented on the broken state of your previous config, so I'll let that rest:-). > Bottom line is how do I make the "X-Spam-Status: Yes" show up in the header > as well as use a filename rule for Spam Actions? > > Is this acceptable? > > Spam Actions = %rules.dir%/spamactions.rules header "X-Spam-Status: Yes" Nope. Your spam action rules file needs to contain all the actions, not a mix like this. So if you have some "FromOrTo: ", the need be all the actions (for example: deliver store header "X-Spam-Status: Yes"). 
Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ugob at lubik.ca Thu Oct 23 10:56:41 2008 From: ugob at lubik.ca (Ugo Bellavance) Date: Thu Oct 23 11:00:43 2008 Subject: Feature request:Batch ID Message-ID: Hi, Would it be possible to add a batch ID in a future version, to ease debugging? I just worked on a delay problem and it would be great to simply grep to find all log entries related to this batch, that took a lot of time to process. Thanks, From ugob at lubik.ca Thu Oct 23 11:04:38 2008 
From: ugob at lubik.ca (Ugo Bellavance) Date: Thu Oct 23 11:08:31 2008 Subject: Long delay and no "Spam Checks completed in xxx seconds" Message-ID: Hi, Symptom: Batch took 612s to process (30 messages). This system usually processes that in around 200s. This batch should have been processed in less than 20s because all of the messages hit the SA cache. Virus scanning took about 7 secs. Observation: There is a 10-minute gap between the log of the last log entry of spam checks and the start of virus checks. Also, there is no log entry saying "Spam Checks completed in xxx seconds". Other relevant log entries:

Oct 22 17:23:37 server MailScanner[9558]: Virus and Content Scanning: Starting
Oct 22 17:23:45 server MailScanner[9558]: Virus Scanning completed at 2945 bytes per second
Oct 22 17:23:46 server MailScanner[9558]: Uninfected: Delivered 30 messages
Oct 22 17:23:46 server MailScanner[9558]: Batch completed at 2943 bytes per second (1803120 / 612)
Oct 22 17:23:46 server MailScanner[9558]: Batch (30 messages) processed in 612.64 seconds

Have a look at the speed of virus scanning. It took 8 seconds to be done, but if you compute 2945 1803120 / 2945, you also get 612s. 
This is CentOS release 4.7 (Final) This is Perl version 5.008005 (5.8.5) This is MailScanner version 4.71.10 Module versions are: 1.00 AnyDBM_File 1.26 Archive::Zip 0.21 bignum 1.03 Carp 2.008 Compress::Zlib 1.119 Convert::BinHex 0.17 Convert::TNEF 2.121 Data::Dumper 2.27 Date::Parse 1.00 DirHandle 1.05 Fcntl 2.73 File::Basename 2.08 File::Copy 2.01 FileHandle 1.06 File::Path 0.20 File::Temp 0.92 Filesys::Df 1.35 HTML::Entities 3.56 HTML::Parser 2.37 HTML::TokeParser 1.23 IO 1.14 IO::File 1.13 IO::Pipe 2.02 Mail::Header 1.86 Math::BigInt 0.19 Math::BigRat 3.05 MIME::Base64 5.425 MIME::Decoder 5.425 MIME::Decoder::UU 5.425 MIME::Head 5.425 MIME::Parser 3.03 MIME::QuotedPrint 5.425 MIME::Tools 0.11 Net::CIDR 1.25 Net::IP 0.16 OLE::Storage_Lite 1.04 Pod::Escapes 3.05 Pod::Simple 1.08 POSIX 1.14 Scalar::Util 1.77 Socket 2.13 Storable 1.4 Sys::Hostname::Long 0.18 Sys::Syslog missing Test::Pod 0.7 Test::Simple 1.9711 Time::HiRes 1.02 Time::localtime Optional module versions are: 1.36 Archive::Tar 0.21 bignum missing Business::ISBN missing Business::ISBN::Data missing Data::Dump 1.809 DB_File 1.14 DBD::SQLite 1.601 DBI 1.08 Digest 1.01 Digest::HMAC 2.33 Digest::MD5 2.11 Digest::SHA1 1.01 Encode::Detect 0.17015 Error 0.24 ExtUtils::CBuilder 2.19 ExtUtils::ParseXS 2.36 Getopt::Long 0.44 Inline 1.08 IO::String 1.09 IO::Zlib 2.25 IP::Country missing Mail::ClamAV 3.002005 Mail::SpamAssassin v2.006 Mail::SPF 1.999001 Mail::SPF::Query 0.2808 Module::Build 0.20 Net::CIDR::Lite 0.63 Net::DNS missing Net::DNS::Resolver::Programmable 0.34 Net::LDAP 4.007 NetAddr::IP 1.94 Parse::RecDescent missing SAVI 2.42 Test::Harness 1.22 Test::Manifest 1.95 Text::Balanced 1.30 URI 0.74 version missing YAML Thanks, Ugo From martinh at solidstatelogic.com Thu Oct 23 11:15:45 2008 
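Added example, not part of the original thread and not MailScanner code: a Python script that splits MailScanner syslog lines into batches per child PID, closing each batch at its "Batch (N messages) processed in ..." line, and reports the largest silent gap inside each batch, which is the symptom described in the message above. The sample log is constructed around the entries quoted there; the "New Batch" and "Spam Checks: Starting" lines, the second PID and the year 2008 (syslog stamps carry none) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Syslog prefix as quoted in the thread: "Oct 22 17:23:37 server MailScanner[9558]: ..."
LINE_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ MailScanner\[(\d+)\]: (.*)$")
# The entry that ends a batch, wording taken from the quoted log.
END_RE = re.compile(r"^Batch \((\d+) messages?\) processed in ([\d.]+) seconds")

# Constructed sample. Only the last five entries of PID 9558 come from the
# thread; the other lines are made up so that one child handles two batches.
SAMPLE_LOG = """\
Oct 22 17:12:50 server MailScanner[9558]: New Batch: Scanning 12 messages, 40211 bytes
Oct 22 17:12:52 server MailScanner[9560]: New Batch: Scanning 5 messages, 20100 bytes
Oct 22 17:13:01 server MailScanner[9558]: Virus and Content Scanning: Starting
Oct 22 17:13:09 server MailScanner[9560]: Batch (5 messages) processed in 17.20 seconds
Oct 22 17:13:12 server MailScanner[9558]: Batch (12 messages) processed in 22.10 seconds
Oct 22 17:13:34 server MailScanner[9558]: New Batch: Scanning 30 messages, 1803120 bytes
Oct 22 17:13:35 server MailScanner[9558]: Spam Checks: Starting
Oct 22 17:23:37 server MailScanner[9558]: Virus and Content Scanning: Starting
Oct 22 17:23:45 server MailScanner[9558]: Virus Scanning completed at 2945 bytes per second
Oct 22 17:23:46 server MailScanner[9558]: Uninfected: Delivered 30 messages
Oct 22 17:23:46 server MailScanner[9558]: Batch completed at 2943 bytes per second (1803120 / 612)
Oct 22 17:23:46 server MailScanner[9558]: Batch (30 messages) processed in 612.64 seconds
"""


def parse_line(line, year):
    """Return (timestamp, pid, message) for a MailScanner line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    stamp = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return stamp, int(m.group(2)), m.group(3)


def split_batches(text, year=2008):
    """Group entries per PID and cut a new batch at every 'processed in' line.

    A child process handles many batches, so the PID alone is not a batch
    identifier; the synthetic id is "<pid>-<n>" for the n-th batch of that PID.
    """
    open_entries = defaultdict(list)   # pid -> entries of the batch in progress
    seq = defaultdict(int)             # pid -> number of batches closed so far
    batches = []
    for line in text.splitlines():
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        stamp, pid, msg = parsed
        open_entries[pid].append((stamp, msg))
        end = END_RE.match(msg)
        if end:
            seq[pid] += 1
            batches.append({
                "id": f"{pid}-{seq[pid]}",
                "messages": int(end.group(1)),
                "reported_seconds": float(end.group(2)),
                "entries": open_entries.pop(pid),
            })
    return batches


def largest_gap(batch):
    """Return (seconds, entry_before, entry_after) for the longest silence."""
    entries = batch["entries"]
    best = (0.0, None, None)
    for (t0, m0), (t1, m1) in zip(entries, entries[1:]):
        gap = (t1 - t0).total_seconds()
        if gap > best[0]:
            best = (gap, m0, m1)
    return best


def slow_batches(text, gap_threshold=60, year=2008):
    """List batches whose longest silent gap is at least gap_threshold seconds."""
    report = []
    for batch in split_batches(text, year):
        gap, before, after = largest_gap(batch)
        if gap >= gap_threshold:
            report.append((batch["id"], gap, before, after))
    return report


if __name__ == "__main__":
    for batch_id, gap, before, after in slow_batches(SAMPLE_LOG):
        print(f"batch {batch_id}: {gap:.0f}s of silence between "
              f"'{before}' and '{after}'")
```

Entries logged by a child before its first visible batch-end line are attributed to that first batch, so start the input at a point where the log is known to be between batches.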
From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Thu Oct 23 11:16:00 2008 Subject: Long delay and no "Spam Checks completed in xxx seconds" In-Reply-To: Message-ID: Ugo Nuke the sa-cache?? Has been known to get itself knotted up.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Ugo Bellavance > Sent: 23 October 2008 11:05 > To: mailscanner@lists.mailscanner.info > Subject: Long delay and no "Spam Checks completed in xxx seconds" > > Hi, > > Symptom: Batch took 612s to process (30 messages). > This system usually processes that in around 200s. This > batch should have been processed in less than 20s because all > of the messages hit the SA cache. Virus scanning took about 7 secs. > > Observation: There is a 10-minute gap between the log > of the last log entry of spam checks and the start of virus > checks. Also, there is no log entry saying "Spam Checks > completed in xxx seconds". > > Other relevant log entries: > > Oct 22 17:23:37 server MailScanner[9558]: Virus and Content Scanning: > Starting > Oct 22 17:23:45 server MailScanner[9558]: Virus Scanning completed at > 2945 bytes per second > Oct 22 17:23:46 server MailScanner[9558]: Uninfected: > Delivered 30 messages Oct 22 17:23:46 server > MailScanner[9558]: Batch completed at 2943 bytes per second > (1803120 / 612) Oct 22 17:23:46 server MailScanner[9558]: > Batch (30 messages) processed in 612.64 seconds > > Have a look at the speed of virus scanning. It took 8 > seconds to be done, but if you compute 2945 1803120 / 2945, > you also get 612s. 
From glenn.steen at gmail.com Thu Oct 23 11:39:30 2008 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Oct 23 11:39:40 2008 Subject: Feature request:Batch ID In-Reply-To: References: Message-ID: <223f97700810230339y203c90f9r16485337c63efe90@mail.gmail.com> 2008/10/23 Ugo Bellavance : > Hi, > > Would it be possible to add a batch ID in a future version, to ease > debugging? I just worked on a delay problem and it would be great to simply > grep to find all log entries related to this batch, that took a lot of time > to process. > > Thanks, > Don't you have the MailScanner child PID handling the batch in the log? You could try grepping on that, perhaps...? Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ugob at lubik.ca Thu Oct 23 12:18:19 2008 From: ugob at lubik.ca (Ugo Bellavance) Date: Thu Oct 23 12:18:42 2008 Subject: Long delay and no "Spam Checks completed in xxx seconds" In-Reply-To: References: Message-ID: Martin.Hepworth wrote: > Ugo > > Nuke the sa-cache?? Has been known to get itself knotted up.. Hmmm, if it was knotted up, don't you think that all batches ever since would have been affected? I'll try that anyway. Thanks. Ugo From ugob at lubik.ca Thu Oct 23 12:31:39 2008 
From: ugob at lubik.ca (Ugo Bellavance) Date: Thu Oct 23 12:31:58 2008 Subject: Feature request:Batch ID In-Reply-To: <223f97700810230339y203c90f9r16485337c63efe90@mail.gmail.com> References: <223f97700810230339y203c90f9r16485337c63efe90@mail.gmail.com> Message-ID: Glenn Steen wrote: > 2008/10/23 Ugo Bellavance : >> Hi, >> >> Would it be possible to add a batch ID in a future version, to ease >> debugging? I just worked on a delay problem and it would be great to simply >> grep to find all log entries related to this batch, that took a lot of time >> to process. >> >> Thanks, >> > Don't you have the MailScanner child PID handling the batch in the > log? You could try grepping on that, perhaps...? > That is what I did, but it would have been easier with a Batch ID. A process doesn't handle only one batch... Regards, Ugo From jonas at vrt.dk Thu Oct 23 13:50:58 2008 From: jonas at vrt.dk (Jonas Akrouh Larsen) Date: Thu Oct 23 13:51:22 2008 Subject: Feature request:Batch ID In-Reply-To: References: Message-ID: <001801c9350d$fec57450$fc505cf0$@dk> For what it's worth I think this would be a nice addition too, since I often find it difficult to parse the logs on the process id alone. -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ugo Bellavance Sent: 23. oktober 2008 11:57 To: mailscanner@lists.mailscanner.info Subject: Feature request:Batch ID Hi, Would it be possible to add a batch ID in a future version, to ease debugging? I just worked on a delay problem and it would be great to simply grep to find all log entries related to this batch, that took a lot of time to process. Thanks, From srhitch at mecheng1.uwaterloo.ca Thu Oct 23 13:50:33 2008 From: srhitch at mecheng1.uwaterloo.ca (Steve Hitchman) Date: Thu Oct 23 13:52:10 2008 Subject: Spam Action Rules In-Reply-To: <223f97700810230205s4e5de228o903f7fd00dcbfcde@mail.gmail.com> References: <20081019162317.C8A5.EE63E960@remedial-teacher.nl> <20081019165150.C8AC.EE63E960@remedial-teacher.nl> <1224484427.1275.77.camel@darkstar.netcore.co.in> <200810201646.m9KGkaQ3008633@safir.blacknight.ie> <200810210958.m9L9wTEL005575@safir.blacknight.ie> <223f97700810220405o3a8b6098s26e34aa50750b6cd@mail.gmail.com> <001e01c93469$869657a0$93c306e0$@uwaterloo.ca> <223f97700810230205s4e5de228o903f7fd00dcbfcde@mail.gmail.com> Message-ID: <005001c9350d$f07a8ca0$d16fa5e0$@uwaterloo.ca> Thanks for the help guys. I have gotten the MailScanner.conf sorted out in terms of the "X-Spam-Status: Yes". With Glenn's insights I now know how to properly construct the Spam Actions rules file and I will implement that. Cheers, Steve > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Glenn Steen > Sent: October 23, 2008 5:06 AM > To: MailScanner discussion > Subject: Re: Spam Action Rules > > 2008/10/22 Steve Hitchman : > > Gentlemen, > > > > I am having trouble with my upgrade from 4.56.8 to 4.67.6 on FreeBSD. > I was > > using a ruleset for Spam Actions and High Scoring Spam Actions. In > version > > 4.56.8 the way to mark the header as spam was to use the: > > > > Spam Header = X-Spam-Status: Yes-%org-name%-MailScanner-SpamCheck: > > > > In 4.67.6 the "X-Spam-Status: Yes" is inserted via the Action Rules > such as: > > > > Spam Actions = deliver header "X-Spam-Status: Yes" > > > > For some reason when I leave it in the original form I get an extra > "-" > > added to the header such as this: > > > > X-Spam-Status: -Yes-xxxxxxx... > > > > This is bad as it prevents such things as .procmailrc scripts from > > identifying marked spam. > > Both Steve and Kai has commented on the broken state of your previous > config, so I'll let that rest:-). > > > Bottom line is how do I make the "X-Spam-Status: Yes" show up in the > header > > as well as use a filename rule for Spam Actions? > > > > Is this acceptable? > > > > Spam Actions = %rules.dir%/spamactions.rules header "X-Spam-Status: > Yes" > Nope. Your spam action rules file need contain all the actions, not a > mix like this. So if you have some "FromOrTo: ", the > need be all the actions (for example: deliver store header > "X-Spam-Status: Yes"). > > Cheers > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se From gmatt at nerc.ac.uk Thu Oct 23 14:21:11 2008 
From: gmatt at nerc.ac.uk (Greg Matthews) Date: Thu Oct 23 14:21:25 2008 Subject: Xen Performance In-Reply-To: References: <48FD080B.7080101@gdcon.net> Message-ID: <49007A47.3060800@nerc.ac.uk> Kai Schaetzl wrote: > Just some comments: > > - use paravirtualization > - don't use file-based fs > - don't use xvda-based fs dont use xvd block devices? why not? what is the alternative? or have I misunderstood? I use Xen for build, test and package environments and use xvd block devices on top of Logical Volumes exported from Dom0. Seems to give pretty good performance (but no figures to back that up). Can you elaborate? GREG > - give it enough RAM > > > Kai > -- Greg Matthews 01491 692445 Head of UNIX/Linux, iTSS Wallingford -- This message (and any attachments) is for the recipient only. NERC is subject to the Freedom of Information Act 2000 and the contents of this email and any reply you make may be disclosed by NERC unless it is exempt from release under the Act. Any material supplied to NERC may be stored in an electronic records management system. From gmatt at nerc.ac.uk Thu Oct 23 14:34:23 2008 
From: gmatt at nerc.ac.uk (Greg Matthews)
Date: Thu Oct 23 14:34:37 2008
Subject: txt file getting blocked as Quick Time file
In-Reply-To: <48FE3413.4070407@rheel.co.nz>
References: <48FE3413.4070407@rheel.co.nz>
Message-ID: <49007D5F.2030004@nerc.ac.uk>

Kate Kleinschafer wrote:
> I am getting a few messages blocked saying they have a Quick Time file
> attached (which shows as msg-18161-4.txt)

the quicktime signatures are extremely broad. I get around this by commenting out the overly generous signatures and re-compiling the magic data. See the man page for "file(1)" in particular the "-C" option. See also the man page for magic(5) although this is not necessary it will give you a better idea of how file works.

copy aside the original magic file (on redhat/centos this is /usr/share/file/magic) and edit it. Personally, I comment out the following lines:

#4 string free Apple QuickTime movie file (free)
#4 string junk Apple QuickTime movie file (junk)
#4 string skip Apple QuickTime movie file (skip)
#4 string wide Apple QuickTime movie file (wide)
#4 string pict Apple QuickTime movie file (pict)

which hit any message body beginning with those letters. If you examine the bodies of the messages that are getting blocked, I expect you'll find that they begin with one of those 4-letter combinations.

Now recompile the .mgc file using file -C. Finally exclude "file" from software updates (edit /etc/yum.conf or tweak your up2date config).

Also consider using the mime filetype checking - not sure where this is documented off-hand but it was discussed at length on this list.

GREG

> I know the message is ham.
> After doing some searching on the internet I came across a thread that
> said the following about the problem:
>
> /This bug is not so much a problem with filenames.
I'm just pointing out > />/ that the filenames.conf entries don't override filetype.conf So the > />/ tnef created "msg*.txt" files that can be misinterpretted by > filetype as > />/ Quicktime files can't be overridden. The only options are to allow > />/ quicktime filetypes or disable the "Use TNEF Contents" option. > > /Is the best option to allow QuickTime in filetype.rules.conf or is > there another more suitable option. > > Thanks > Kate -- Greg Matthews 01491 692445 Head of UNIX/Linux, iTSS Wallingford -- This message (and any attachments) is for the recipient only. NERC is subject to the Freedom of Information Act 2000 and the contents of this email and any reply you make may be disclosed by NERC unless it is exempt from release under the Act. Any material supplied to NERC may be stored in an electronic records management system. From alvaro at hostalia.com Thu Oct 23 15:04:55 2008 
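The false positive described in Greg Matthews' message above can be reproduced without touching the system magic file. This is an added example, not part of the thread and not how file(1) is implemented: a small Python evaluator for the one rule shape quoted in his message, `<offset> string <value> <message>`, where in magic(5) syntax the leading 4 is the byte offset at which the string is compared. The sample file names and message bodies are constructed.

```python
"""Subset of magic(5) matching: top-level `<offset> string <value> <message>` rules."""

# The five rules quoted in the message above, as they read before being commented out.
ORIGINAL_RULES = """\
4 string free Apple QuickTime movie file (free)
4 string junk Apple QuickTime movie file (junk)
4 string skip Apple QuickTime movie file (skip)
4 string wide Apple QuickTime movie file (wide)
4 string pict Apple QuickTime movie file (pict)
"""

# The same fragment after the edit described in the message (each line commented out).
EDITED_RULES = "".join("#" + line for line in ORIGINAL_RULES.splitlines(keepends=True))

# Constructed bodies: ordinary text parts of the kind written out as msg-*.txt.
SAMPLES = {
    "offer.txt": b"Get free delivery on all orders this week.\n",
    "screen.txt": b"The wide-screen model ships on Monday.\n",
    "hello.txt": b"Hello Kate, the report is attached.\n",
}


def parse_rules(text):
    """Return [(offset, value_bytes, message)] for the supported rule shape."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out rule
        fields = line.split(None, 3)
        if len(fields) < 3 or fields[1] != "string" or not fields[0].isdigit():
            continue  # outside the subset handled here
        message = fields[3] if len(fields) == 4 else ""
        rules.append((int(fields[0]), fields[2].encode("ascii"), message))
    return rules


def identify(data, rules):
    """Return the message of the first rule whose bytes match at its offset."""
    for offset, value, message in rules:
        if data[offset:offset + len(value)] == value:
            return message
    return None


def audit(rule_text, samples):
    """Map each sample name to the rule message it triggers, or None."""
    rules = parse_rules(rule_text)
    return {name: identify(body, rules) for name, body in samples.items()}


if __name__ == "__main__":
    for label, text in (("original rules", ORIGINAL_RULES), ("edited rules", EDITED_RULES)):
        print(label)
        for name, verdict in audit(text, SAMPLES).items():
            print(f"  {name}: {verdict or 'no match'}")
```

Running the same audit over a few known-good bodies from quarantine, before recompiling with file -C, shows which of the five rules is responsible.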
From: alvaro at hostalia.com (=?ISO-8859-15?Q?Alvaro_Mar=EDn?=)
Date: Thu Oct 23 15:05:29 2008
Subject: database is locked(5) at dbdimp.c line 402
Message-ID: <49008487.9090702@hostalia.com>

Hello,

I'm getting this error continuously when the server's load is high:

MailScanner[29045]: database is locked(5) at dbdimp.c line 402

and the message scanning slows a lot.

I see that:

# grep timeout .cpan/build/DBD-SQLite-1.14-hR9dHa/dbdimp.h -i
/* 30 second timeout by default */
#define SQL_TIMEOUT 30000

the timeout is 30secs by default in SQLite, perhaps too high (I prefer scan the message again instead of wait 30secs).

So I've modified MailScanner's SA.pm and added:

$MailScanner::SA::cachedbh->func( "2000", 'busy_timeout');

to set it to 2 seconds, after the connection to the cache db:

$MailScanner::SA::cachedbh = DBI->connect(
    "dbi:SQLite:$MailScanner::SA::cachefilename",
    "","",{PrintError=>0,InactiveDestroy=>1});

I've tested it and it seems that works fine; is this a safe way to do this? Perhaps recompile SQLite changing that value is better?

Regards,
--
Alvaro Marín Illera
Hostalia Internet
www.hostalia.com

From uxbod at splatnix.net Thu Oct 23 15:59:10 2008
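Added example, not MailScanner code and not part of the thread: the trade-off in Alvaro's message above (give up on a locked cache quickly and scan again, rather than wait out a long busy timeout) shown with Python's sqlite3 module, whose `timeout` argument, in seconds, sets SQLite's busy timeout. The table layout, the key and the function names are constructed for the illustration.

```python
import os
import sqlite3
import tempfile
import time

KEY = "constructed-message-digest"  # constructed sample key


def make_cache(path):
    """Create a one-row stand-in for a result cache (constructed schema)."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE cache (digest TEXT PRIMARY KEY, score REAL)")
    db.execute("INSERT INTO cache VALUES (?, ?)", (KEY, 6.6))
    db.commit()
    db.close()


def cached_score(path, digest, busy_timeout_s):
    """Look up a cached score.

    Returns (score, seconds_spent). score is None when the row is absent or
    the database stayed locked for the whole busy timeout; the caller then
    scans the message again instead of blocking on the cache.
    """
    start = time.monotonic()
    db = sqlite3.connect(path, timeout=busy_timeout_s)
    try:
        row = db.execute(
            "SELECT score FROM cache WHERE digest = ?", (digest,)
        ).fetchone()
        score = row[0] if row else None
    except sqlite3.OperationalError as exc:
        if "locked" not in str(exc):
            raise  # a real fault, not lock contention
        score = None
    finally:
        db.close()
    return score, time.monotonic() - start


def demo(busy_timeout_s=0.3):
    """Query once while another connection holds the lock, once after release."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "cache.db")
        make_cache(path)
        # Stand-in for another scanner child in the middle of a cache update.
        holder = sqlite3.connect(path, isolation_level=None)
        holder.execute("BEGIN EXCLUSIVE")
        try:
            contended = cached_score(path, KEY, busy_timeout_s)
        finally:
            holder.execute("ROLLBACK")
            holder.close()
        released = cached_score(path, KEY, busy_timeout_s)
    return contended, released


if __name__ == "__main__":
    contended, released = demo()
    print("while locked: score=%r after %.2fs" % contended)
    print("after release: score=%r after %.2fs" % released)
```

The busy timeout bounds how long each scanner child can stall on the cache under load; a miss caused by contention costs one extra scan, not a wrong result.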
From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Thu Oct 23 15:59:30 2008 Subject: database is locked(5) at dbdimp.c line 402 In-Reply-To: <49008487.9090702@hostalia.com> Message-ID: <21603016.31224773950410.JavaMail.root@office.splatnix.net> Perhaps make it a configuration option ? Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 ----- "Alvaro Marín" wrote: > Hello, > > > > I'm getting this error continuously when the server's load is high: > > > > MailScanner[29045]: database is locked(5) at dbdimp.c line 402 > > > > and the message scanning slows a lot. > > > > I see that: > > > > # grep timeout .cpan/build/DBD-SQLite-1.14-hR9dHa/dbdimp.h -i > > /* 30 second timeout by default */ > > #define SQL_TIMEOUT 30000 > > > > the timeout is 30secs by default in SQLite, perhaps too high (I prefer > > scan the message again instead of wait 30secs). > > > > So I've modified MailScanner's SA.pm and added: > > > > $MailScanner::SA::cachedbh->func( "2000", 'busy_timeout'); > > > > to set it to 2 seconds, after the connection to the cache db: > > > > $MailScanner::SA::cachedbh = DBI->connect( > > > > "dbi:SQLite:$MailScanner::SA::cachefilename", > > > "","",{PrintError=>0,InactiveDestroy=>1}); > > > > > > I've tested it and it seems that works fine; is this a safe way to do > > this? Perhaps recompile SQLite changing that value is better? > > > > Regards, -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From maillists at conactive.com Thu Oct 23 18:31:21 2008 
From: maillists at conactive.com (Kai Schaetzl) Date: Thu Oct 23 18:31:32 2008 Subject: Xen Performance In-Reply-To: <49007A47.3060800@nerc.ac.uk> References: <48FD080B.7080101@gdcon.net> <49007A47.3060800@nerc.ac.uk> Message-ID: Greg Matthews wrote on Thu, 23 Oct 2008 14:21:11 +0100: > dont use xvd block devices? why not? what is the alternative? You can use ext3 on LVs directly. Advantage is that you have all the repair tools at hand and that you can access the filesystem from dom0 by simply mounting it. You can do that even at runtime (I have to admit I did this only once or twice accidentally and wouldn't recommend making it a habit). Also makes backups easier in my eyes, I find it extremely handy this way. Some installers (like RHEL/CentOS 5) will not allow installation directly on such an LV and force the use of xvd, anyway. So, if you want to convert to such a setup you have to move the content of the xvda disk first to a new formatted LV. That is surely not worth it for short-lived VMs, but if you have VMs that are bound to run for years and get some good load I think it's worth it. I've got template disks for this case which I just duplicate and then start with a new config file. There might also be performance advantages in some situations, I don't know. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From kate at rheel.co.nz Fri Oct 24 04:05:00 2008 
From: kate at rheel.co.nz (Kate Kleinschafer) Date: Fri Oct 24 04:03:44 2008 Subject: trouble getting SA Rule Action working Message-ID: <49013B5C.1040604@rheel.co.nz> Hi all, I am trying to get the system to delete mail with a SA score of greater than 12 Relevant settings in MailScanner.conf High SpamAssassin Score = 10 Spam Actions = %rules-dir%/spam.actions.rules High Scoring Spam Actions = store-spam SpamAssassin Rule Actions = SpamScore>12=>delete These settings are marking anything with a score greater than 10 as high spam but it is not deleting the messages with a spamscore greater than 12. I am checking the success via MailWatch. I am reloading the MailScanner config after changes. Thanks Kate From glenn.steen at gmail.com Fri Oct 24 09:39:05 2008 
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Oct 24 09:39:14 2008 Subject: trouble getting SA Rule Action working In-Reply-To: <49013B5C.1040604@rheel.co.nz> References: <49013B5C.1040604@rheel.co.nz> Message-ID: <223f97700810240139r556800a7k93aa0baa4d663f1b@mail.gmail.com> 2008/10/24 Kate Kleinschafer : > Hi all, > > I am trying to get the system to delete mail with a SA score of greater than > 12 > Relevant settings in MailScanner.conf > > High SpamAssassin Score = 10 > Spam Actions = %rules-dir%/spam.actions.rules > High Scoring Spam Actions = store-spam > SpamAssassin Rule Actions = SpamScore>12=>delete > > These settings are marking anything with a score greater than 10 as high > spam but it is not deleting the messages with a spamscore greater than 12. > > I am checking the success via MailWatch. > > I am reloading the MailScanner config after changes. > > Thanks > Kate Test with a GTUBE... Are the relevant mails really getting quarantined? If so, did you reload/restart MailScanner after changeing MailScanner.conf? Else it'll only take effect after the normal restart (every 4:th hour by default, IIRC). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From Denis.Beauchemin at USherbrooke.ca Fri Oct 24 13:44:04 2008 
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Fri Oct 24 13:44:22 2008 Subject: trouble getting SA Rule Action working In-Reply-To: <49013B5C.1040604@rheel.co.nz> References: <49013B5C.1040604@rheel.co.nz> Message-ID: <4901C314.9070804@USherbrooke.ca> Kate Kleinschafer wrote: > Hi all, > > I am trying to get the system to delete mail with a SA score of > greater than 12 > Relevant settings in MailScanner.conf > > High SpamAssassin Score = 10 > Spam Actions = %rules-dir%/spam.actions.rules > High Scoring Spam Actions = store-spam > SpamAssassin Rule Actions = SpamScore>12=>delete > > These settings are marking anything with a score greater than 10 as > high spam but it is not deleting the messages with a spamscore greater > than 12. > > I am checking the success via MailWatch. > > I am reloading the MailScanner config after changes. > > Thanks > Kate Kate, How about trying this: High SpamAssassin Score = 12 High Scoring Spam Actions = store-spam,delete It will not keep spam with scores 10-12 but it will store and delete spam with scores >=12. Denis -- _ °v° Denis Beauchemin, analyste /(_)\ Université de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045 From housey at sme-ecom.co.uk Fri Oct 24 16:14:59 2008 
From: housey at sme-ecom.co.uk (Paul Houselander (SME)) Date: Fri Oct 24 16:15:14 2008 Subject: messages being reprocessed Message-ID: <022c01c935eb$4ae02500$e0a06f00$@co.uk> Hi Started noticing today my mqueue.in was growing and my "Found xxx messages waiting" is growing and growing. I look in mqueue.in and the message it says it just processed is still in there and gets picked up again. It's not all messages as plenty are being delivered but I can't seem to determine any pattern? I'm using MailScanner Version 4.70.7, SA 3.2.5 with clamav, kaspersky and f-prot I'm still investigating but just wondered if anyone was seeing the same? Cheers Paul -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081024/a5c8f4c9/attachment.html From miguelanxo at telefonica.net Fri Oct 24 16:22:54 2008 From: miguelanxo at telefonica.net (Miguelanxo Otero Salgueiro) Date: Fri Oct 24 16:23:09 2008 Subject: messages being reprocessed In-Reply-To: <022c01c935eb$4ae02500$e0a06f00$@co.uk> References: <022c01c935eb$4ae02500$e0a06f00$@co.uk> Message-ID: <4901E84E.5060701@telefonica.net> Hi. I've found the same problem. Updating to the then current stable release 4.71.10-1 solved the problem. Regards, Miguelanxo. > > Hi > > Started noticing today my mqueue.in was growing and my "Found xxx > messages waiting" is growing and growing. > > I look in mqueue.in and the message it says it just processed is still > in there and gets picked up again. > > It's not all messages as plenty are being delivered but I can't seem > to determine any pattern? > > I'm using MailScanner Version 4.70.7, SA 3.2.5 with clamav, kaspersky > and f-prot > > I'm still investigating but just wondered if anyone was seeing the same? > > Cheers > > Paul > From jethro.binks at strath.ac.uk Fri Oct 24 16:34:35 2008 
From: jethro.binks at strath.ac.uk (Jethro R Binks) Date: Fri Oct 24 16:34:46 2008 Subject: messages being reprocessed In-Reply-To: <022c01c935eb$4ae02500$e0a06f00$@co.uk> References: <022c01c935eb$4ae02500$e0a06f00$@co.uk> Message-ID: On Fri, 24 Oct 2008, Paul Houselander \(SME\) wrote: > Started noticing today my mqueue.in was growing and my "Found xxx > messages waiting" is growing and growing. > > I look in mqueue.in and the message it says it just processed is still > in there and gets picked up again. > > It's not all messages as plenty are being delivered but I can't seem to > determine any pattern? I have seen this from time to time over the years, not for while, but as it happens I have been dealing with it over the last day or so. There are a few circumstances that can cause it to happen, but it is often some "bad message" that either MS or SA or your AV solution doesn't like causing timeouts or crashes or whatever ... anyway batch processing never completes, and MS goes over it again and again ... Anyway, in my case it was messages from "deverecollection@c-f-1.com" over the last couple of days, so as a quick check see if you have any of those in your mail queue, and if you do, remove them. If it's not that specific one, then take a look at the batch of messages that keeps getting checked by MS, you'll probably find one or more of them are wacko in some sense. The deverecollection has some bonkers HTML stuff in it, for example (I haven't done an exhaustive test to find out why MS/whatever doesn't like it). Jethro. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jethro R Binks Computing Officer, IT Services University Of Strathclyde, Glasgow, UK From steve.freegard at fsl.com Fri Oct 24 17:16:30 2008 
From: steve.freegard at fsl.com (Steve Freegard) Date: Fri Oct 24 17:16:41 2008 Subject: messages being reprocessed In-Reply-To: <022c01c935eb$4ae02500$e0a06f00$@co.uk> References: <022c01c935eb$4ae02500$e0a06f00$@co.uk> Message-ID: <4901F4DE.8090802@fsl.com> Paul Houselander (SME) wrote: > Hi > > Started noticing today my mqueue.in was growing and my "Found xxx > messages waiting" is growing and growing. > > I look in mqueue.in and the message it says it just processed is still > in there and gets picked up again. > Whenever you see this behaviour you should run the offending message through MailScanner in debug mode and see what happens. Most likely - you'll see a Perl error or a segfault which causes the child to crash and the batch to be reprocessed. A recent version of MailScanner addressed an issue in HTML::Parser which was causing a Perl segfault on certain messages which contain excessive nesting. Regards, Steve. From housey at sme-ecom.co.uk Fri Oct 24 17:38:56 2008 From: housey at sme-ecom.co.uk (Paul Houselander (SME)) Date: Fri Oct 24 17:46:22 2008 Subject: messages being reprocessed In-Reply-To: <4901F4DE.8090802@fsl.com> References: <022c01c935eb$4ae02500$e0a06f00$@co.uk> <4901F4DE.8090802@fsl.com> Message-ID: <028601c935f7$02973cf0$07c5b6d0$@co.uk> Hi Thanks for all the advice, I've upgraded and it processed the queue normally! Excellent support thanks! Paul > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Steve Freegard > Sent: 24 October 2008 17:17 > To: MailScanner discussion > Subject: Re: messages being reprocessed > > Paul Houselander (SME) wrote: > > Hi > > > > Started noticing today my mqueue.in was growing and my "Found xxx > > messages waiting" is growing and growing. > > > > I look in mqueue.in and the message it says it just processed is > still > > in there and gets picked up again. > > > > Whenever you see this behaviour you should run the offending message > through MailScanner in debug mode and see what happens. > > Most likely - you'll see a Perl error or a segfault which causes the > child to crash and the batch to be reprocessed. > > A recent version of MailScanner addressed an issue in HTML::Parser > which > was causing a Perl segfault on certain messages which contain excessive > nesting. > > Regards, > Steve. > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From mailbag at partnersolutions.ca Fri Oct 24 20:16:05 2008 
From: mailbag at partnersolutions.ca (PSI Mailbag) Date: Fri Oct 24 20:16:20 2008 Subject: A bit OT: strange spikes in RBL-blocked connections In-Reply-To: <48FDA266.2030402@gmail.com> References: <48FDA266.2030402@gmail.com> Message-ID: <120EBC42C8319846842A4A49B3D5566BBDD38B@psims003.pshosting.intranet> > Anybody else noticed that? I do see occasional spikes on my RBL hits, which is normal, but in the past 24 hours I've seen a very large increase in RBL hits (ZEN) on my side. Yesterday I had a total of 360k RBL rejections. Today I'm already up to 700k, and the day isn't event finished yet. These rejections are indeed all valid, as I've matched the majority of the IP's from previous rejections to make sure that it wasn't a rogue RBL knocking everything out. -Joshua -------------- next part -------------- A non-text attachment was scrubbed... Name: RejectedMessages.png Type: image/png Size: 20932 bytes Desc: RejectedMessages.png Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081024/61fb2d89/RejectedMessages.png From ecasarero at gmail.com Sat Oct 25 00:11:44 2008 
From: ecasarero at gmail.com (Eduardo Casarero) Date: Sat Oct 25 00:11:55 2008 Subject: database is locked(5) at dbdimp.c line 402 In-Reply-To: <49008487.9090702@hostalia.com> References: <49008487.9090702@hostalia.com> Message-ID: <7d9b3cf20810241611q6b8f553bqdd2f8254e6a249a@mail.gmail.com> 2008/10/23 Alvaro Marín > Hello, > > I'm getting this error continuously when the server's load is high: > > MailScanner[29045]: database is locked(5) at dbdimp.c line 402 > > and the message scanning slows a lot. > > I see that: > > # grep timeout .cpan/build/DBD-SQLite-1.14-hR9dHa/dbdimp.h -i > /* 30 second timeout by default */ > #define SQL_TIMEOUT 30000 > > the timeout is 30secs by default in SQLite, perhaps too high (I prefer > scan the message again instead of wait 30secs). > > So I've modified MailScanner's SA.pm and added: > > $MailScanner::SA::cachedbh->func( "2000", 'busy_timeout'); > > to set it to 2 seconds, after the connection to the cache db: > > $MailScanner::SA::cachedbh = DBI->connect( > > "dbi:SQLite:$MailScanner::SA::cachefilename", > "","",{PrintError=>0,InactiveDestroy=>1}); > > > I've tested it and it seems that works fine; is this a safe way to do > this? Perhaps recompile SQLite changing that value is better? > > Regards, Do you have the SA-cache on tmpfs? mounting in tmpfs should be fast enough to keep happy MS. Regards, Eduardo. > > > -- > Alvaro Marín Illera > Hostalia Internet > www.hostalia.com > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081024/3b854c13/attachment.html From lists at gmnet.net Sat Oct 25 02:13:21 2008 
From: lists at gmnet.net (Rick Bragg) Date: Sat Oct 25 02:13:49 2008 Subject: Spam with Russian text getting through Message-ID: <1224897201.2508.210.camel@thor> Hi, Lately, I have been getting allot of spam making it's way through with Russian text. Has anyone else been hit with these? Any advice? Here is an example: MailScanner-NULL-Check: 1225500867.95916@KNp7sA5JRorsNWi6+MJnTw Return-Path: Received: from [220.89.224.184] ([220.89.224.184]) by host212.mounthunger.com (8.14.2/8.14.2/Debian-2build1) with ESMTP id m9P0sPSS008933 for ; Fri, 24 Oct 2008 20:54:27 -0400 Message-ID: <000601c9363c$0785163d$eeb63e96@kkrcad> 
From: "leicester quintin" To: Subject: {Spam?} =?koi8-r?B?9M/My88gzsHbySDUxczP3svJINTByyDTwcTLzyDT1M/O1dQgz9Qgzw==?= =?koi8-r?B?0sfB2s3BISDuxdQg18XNxc7JIM7BINLB2sTVzdjRLCDPzskg08zJ2w==?= =?koi8-r?B?y8/NyCDP1NHUINPFy9M=?= Date: Fri, 24 Oct 2008 23:07:12 +0000 MIME-Version: 1.0 Content-Type: text/plain; charset="koi8-r" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2720.3000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2727.1300 X-MailScanner-ID: m9P0sPSS008933 X-GreenMountainNetwork-MailScanner: Found to be clean X-GreenMountainNetwork-MailScanner-SpamCheck: spam, CBL, spamhaus-XBL, SpamAssassin (not cached, score=6.633, required 6, BAYES_99 3.50, RCVD_IN_XBL 3.03, RDNS_NONE 0.10) X-GreenMountainNetwork-MailScanner-SpamScore: ssssss X-GreenMountainNetwork-MailScanner-From: ldalessandro@publichealthgreybruce.on.ca X-Spam-Status: Yes X-Evolution-Source: pop://rbragg@mail.gmnet.net/ ??????? ?? ??????? ??? ?????? ?????? ?? ???????! ??? ??????? ?? ????????, ??? ?????? ????? ???? http://pirelvyhgjascxn.chat.ru/?XB=gmnet.net&jeAI=gdvH ?????? ???? ???????? ????? ?????? ????? ?????. ??????? ????? ???? ?????? ??????? ?????????? ?????. Thanks Rick -- This message has been scanned for viruses and dangerous content by Green Mountain Network, and is believed to be clean. From james at gray.net.au Sat Oct 25 03:10:47 2008 
From: james at gray.net.au (James Gray) Date: Sat Oct 25 03:11:07 2008 Subject: Spam with Russian text getting through In-Reply-To: <1224897201.2508.210.camel@thor> References: <1224897201.2508.210.camel@thor> Message-ID: <773F9445-7084-414C-9041-3783B2B5A8A8@gray.net.au> On 25/10/2008, at 12:13 PM, Rick Bragg wrote: > Lately, I have been getting allot of spam making it's way through with > Russian text. Has anyone else been hit with these? Any advice? > > Here is an example: -->8-- snipped > X-GreenMountainNetwork-MailScanner-SpamCheck: spam, CBL, spamhaus-XBL, > SpamAssassin (not cached, score=6.633, required 6, BAYES_99 > 3.50, > RCVD_IN_XBL 3.03, RDNS_NONE 0.10) > X-GreenMountainNetwork-MailScanner-SpamScore: ssssss > X-GreenMountainNetwork-MailScanner-From: > ldalessandro@publichealthgreybruce.on.ca > X-Spam-Status: Yes Looks like it *WAS* flagged as spam to me. Check your spam actions setup - are you simply applying headers and delivering?? -- James -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 2417 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081025/f65b22a9/smime.bin From hvdkooij at vanderkooij.org Sat Oct 25 09:37:02 2008 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Sat Oct 25 09:37:15 2008 Subject: Spam with Russian text getting through In-Reply-To: <1224897201.2508.210.camel@thor> References: <1224897201.2508.210.camel@thor> Message-ID: <4902DAAE.4070406@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Rick Bragg wrote: > Lately, I have been getting allot of spam making it's way through with > Russian text. Has anyone else been hit with these? Any advice? Do not forget to check the archives of this mailinglist. Samples have been provided in the past to stop unwanted languages at the MTA level if you happen to run postfix. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFJAtqrBvzDRVjxmYERAjjVAJ90tGnI6EWYph5SMlp2PP0S6kobOgCgrjXp R6OqxUsSnYtOLrnOVBcPMNM= =TNV5 -----END PGP SIGNATURE----- From ja at conviator.com Sat Oct 25 14:13:08 2008 
From: ja at conviator.com (Jan Agermose) Date: Sat Oct 25 14:14:07 2008 Subject: attachment => spam Message-ID: hi we get a lot of spam/virus with attachments like "regning.exe" or "rechnung.csr" and so on. I was wondering if attachments are checked before or after spam in mailscanner flow? And if spam is checked first, can I write a spam rule that will mark a mail as spam before it's checked for attachments? this is because my settings right now sends a notice to the sender and forwards the mail (without attachments) to the TO person. The last I would like to stop for the mails where I know the mail is spam based on the attachment. regards Jan -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081025/c1956e83/attachment.html From hvdkooij at vanderkooij.org Sat Oct 25 23:40:44 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Sat Oct 25 23:40:55 2008 Subject: Verify fake header Message-ID: <4903A06C.4090203@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, To the best of my knowledge this header should never occur on any valid message: X-AntiAbuse: Sender Address Domain - VANDERKOOIJ.ORG The whole header set is: Received: from host01.nabdhserv.net (nabdhserv.net [75.126.218.58]) by balin.waakhond.net (Postfix) with ESMTP id 5DEF617E8050 for ; Sat, 25 Oct 2008 10:41:59 +0200 (CEST) Received: from [82.178.213.148] (helo=gmail.com) by host01.nabdhserv.net with esmtpa (Exim 4.69) (envelope-from ) id 1KteiY-0006T2-K4 for hvdkooij@VANDERKOOIJ.ORG; Sat, 25 Oct 2008 12:41:57 +0400 To: hvdkooij@VANDERKOOIJ.ORG 
From: hvdkooij@VANDERKOOIJ.ORG Subject: ????? ????? ?? ???? - Come and See Content-Type: text/html; charset=windows-1256" X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - host01.nabdhserv.net X-AntiAbuse: Original Domain - vanderkooij.org X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - VANDERKOOIJ.ORG Message-Id: <20081025084203.5DEF617E8050@balin.waakhond.net> Date: Sat, 25 Oct 2008 10:41:59 +0200 (CEST) Does anyone know a check to tackle these fakes in a more generic way? That host is not listed in my SPF information so given that knowlegde it should be clear that host01.nabdhserv.net is not allowed to do this for my domain vanderkooij.org Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFJA6BrBvzDRVjxmYERAt9LAKCbTA87o+Dm/dZCiBKZBzN4C9Iz1QCfek99 AeCqssQo+QYpCuUmR7Rl2iI= =kRbW -----END PGP SIGNATURE----- From steve.freegard at fsl.com Sun Oct 26 14:54:52 2008 
From: steve.freegard at fsl.com (Steve Freegard) Date: Sun Oct 26 14:55:03 2008 Subject: Verify fake header In-Reply-To: <4903A06C.4090203@vanderkooij.org> References: <4903A06C.4090203@vanderkooij.org> Message-ID: <490484BC.7020004@fsl.com> Hugo van der Kooij wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi, > > To the best of my knowledge this header should never occur on any valid > message: > X-AntiAbuse: Sender Address Domain - VANDERKOOIJ.ORG > > The whole header set is: > > Received: from host01.nabdhserv.net (nabdhserv.net [75.126.218.58]) > by balin.waakhond.net (Postfix) with ESMTP id 5DEF617E8050 > for ; Sat, 25 Oct 2008 10:41:59 +0200 (CEST) > Received: from [82.178.213.148] (helo=gmail.com) > by host01.nabdhserv.net with esmtpa (Exim 4.69) > (envelope-from ) > id 1KteiY-0006T2-K4 > for hvdkooij@VANDERKOOIJ.ORG; Sat, 25 Oct 2008 12:41:57 +0400 > To: hvdkooij@VANDERKOOIJ.ORG 
> From: hvdkooij@VANDERKOOIJ.ORG > Subject: ????? ????? ?? ???? - Come and See > Content-Type: text/html; charset=windows-1256" > X-AntiAbuse: This header was added to track abuse, please include it > with any abuse report > X-AntiAbuse: Primary Hostname - host01.nabdhserv.net > X-AntiAbuse: Original Domain - vanderkooij.org > X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] > X-AntiAbuse: Sender Address Domain - VANDERKOOIJ.ORG > Message-Id: <20081025084203.5DEF617E8050@balin.waakhond.net> > Date: Sat, 25 Oct 2008 10:41:59 +0200 (CEST) > > > Does anyone know a check to tackle these fakes in a more generic way? > > That host is not listed in my SPF information so given that knowlegde it > should be clear that host01.nabdhserv.net is not allowed to do this for > my domain vanderkooij.org You've configured SPF srictly using -all, but you're aren't enforcing this in your inbound MTAs for your domain. If you had done so, then you wouldn't have even seen this message, so it would have been a moot point and we wouldn't be having this conversation. Isn't that one of the main points of SPF? I guess your argument is that the sender should have done more to prevent the emission of the message in the first place. I agree - but that's the whole problem with spam; it's all because people aren't careful enough. MTAs are way to generous currently - if you allow a client RELAY permissions, then it allow clients to do pretty much anything. You want to send a mail with an envelope from 'billg@microsoft.com'; no problemo - the assumption by MTAs is that RELAY permissions imply that they are being used as a smart host. SMTP AUTH can help, but there are plenty of bots that can capture AUTH credentials and use them - but the problem persists for AUTH hosts too; they are allowed the same wide-ranging RELAY permissions and can send as anyone to anywhere. 
MTAs should evolve with new access controls that limit RELAY permissions to only allow envelope-sender domains to a limited list of domains controlled by the administrator. At FSL we did this by only allowing domains outbound that we accepted inbound - anything else would get a 'relay denied' rejection. This isn't 100% optimal especially on a large site but it's an easy way to get this up and running quickly. This is a great way to be able to identify and reject outbound junk quickly and at low cost before applying other filtering. That's my opinion anyway. Cheers, Steve. From gdm at linuxpro.co.za Mon Oct 27 08:34:51 2008 From: gdm at linuxpro.co.za (Gregory Machin) Date: Mon Oct 27 08:35:03 2008 Subject: MailScanner quarantined file loosing their identity Message-ID: <30200a940810270134i6bbb754fxac49aaa95895098@mail.gmail.com> Hi I'm a MailScanner newbe . Please could someone assist me with the problem I'm having. I'v taken over an existing server which saves quarantined files for users to download "at thier own risk" . What is happening is that the attachments are being saved without their extension, and the file type in some cases in unidentifiable. What should I do to resolve this .. Many Thanks From MailScanner at ecs.soton.ac.uk Mon Oct 27 11:36:48 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Oct 27 11:37:18 2008 Subject: more install.sh In-Reply-To: <55618674323542459DAF13523F39F1E9@SAHOMELT> References: <48FCCEC0.1080702@tippingmar.com> <48FDD9A8.7070403@ecs.soton.ac.uk> <55618674323542459DAF13523F39F1E9@SAHOMELT> Message-ID: <4905A7D0.6010204@ecs.soton.ac.uk> Rick Cooper wrote: > > > > -----Original Message----- 
> > From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner-bounces@lists.mailscanner.info] On > > Behalf Of Julian Field > > Sent: Tuesday, October 21, 2008 9:31 AM > > To: MailScanner discussion > > Subject: Re: more install.sh > > > > > > > > Mark Nienberg wrote: > > > I think on a centOS system the installer.sh is doing this > > for the perl > > > modules that conflict with the base perl: > > > > > > check to see if the perl module is installed, > > > see that it isn't, > > > build an rpm for the module from the downloaded src, > > > attempt to install the rpm, but the install fails due to > > conflict with > > > installed perl, > > > force install only for those that absolutely need it. > > > > [...] > > part of the > > > the core perl installation? I suspect that must not be possible or > > > Jules would have done it already. > > Not easy. You can't find where a Perl module is installed, > > just that it > > *is* installed. > > Try perldoc -T perllocal. Outputs all modules that are installed in the > following format: > > > Mon Sep 8 12:53:02 2008: "Module" DBI::Shell > * "installed into: /usr/lib/perl5/site_perl/5.8.8" > > * "LINKTYPE: dynamic" > > * "VERSION: 11.95" > > * "EXE_FILES: dbish" > > Not hard to parse, gives location (if that is really important) and version > (where available). If you didn't want to return all modules and parse for > the ones you want then > > cls;perldoc -t perllocal |grep -A 7 DBI::Shell > > Would return the above but only the one module DBI::Shell. 
Since you are > using a shell script I suppose you would have to do a loop and something > like > > MODULE=`perldoc -t perllocal |grep -A 7 DBI::Shell|grep '"Module"'|sed > 's/.*Module" //'` > VERSION=`perldoc -t perllocal |grep -A 7 DBI::Shell|grep 'VERSION'|sed > 's/.*VERSION: //'|sed 's/"//g'` > LOCATION=`perldoc -t perllocal |grep -A 7 DBI::Shell|grep 'installed > into'|sed 's/.*into: //'|sed 's/"//g'` > > Or better yet run the perldoc -t perllocal > tempfile.name > > And grep tempfile.name for the information so the call to perldoc would only > be used once for speed. > > > > > > > Also, the installer builds rpms for packages that will not > > install due > > > to already installed rpms. For example, on my system it builds > > > perl-IO-stringy-2.110-1 > > > and tries to install it, but discovers that > > > perl-IO-stringy-2.110-1.2.el5.rf > > > is already installed. > > > > > > Could the installer test for already installed rpms before > > building > > > and attempting installation of the new one? > > > In the above example it would run "rpm -q perl-IO-stringy" > > and then do > > > some sort of version checking. > > The version checking you need to do is far from trivial. > > 2.10 is greater > > than 2.9, but not in numerical or alphabetical terms. It's quite a > > tricky problem. I really don't want to open that Pandora's box! :-) > > > > Nice ideas though... > [...] > > If you are just comparing parsed version numbers why not do the following > with the above example (scale 7 should cover the weird 0.10789 versions) > > echo "scale=7;2.10 >= 2.9"|bc > > Which would output 0 but > echo 'scale=7;2.10 <= 2.9' |bc > > Would output 1 > Well, yes, but that's not so much use when: scale=7 2.10 <= 2.9 1 2.8 <= 2.9 1 Obviously 2.1 (as a number) is less than 2.9, I need it to be able to tell that 2.10 (as a version number two point ten) > two point nine. 
> Of course you would have to make sure that MODULE|VERSION != '' and install > as required but that is trivial > > Rick > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Mon Oct 27 11:51:04 2008 
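The comparison asked for in the install.sh message above (2.10 read as "two point ten" being newer than 2.9, and an installed 2.110-1.2.el5.rf against a freshly built 2.110-1), as an added example that is not part of install.sh or of any post in this thread. It assumes dotted or dashed RPM-style version strings and uses a simplified segment-by-segment scheme, not rpm's own comparison algorithm; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from install.sh): compare versions segment by segment.
# Simplified scheme, not rpm's own comparison algorithm.

# is_num STR: true when STR is a non-empty run of digits.
is_num() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# strip_zeros STR: drop leading zeros so "08" is compared as 8.
strip_zeros() {
    sz=$1
    while [ "${sz#0}" != "$sz" ] && [ "${#sz}" -gt 1 ]; do
        sz=${sz#0}
    done
    printf '%s' "$sz"
}

# ver_cmp A B: print -1, 0 or 1 when A is older than, equal to or newer than B.
ver_cmp() {
    vc_a=$1
    vc_b=$2
    while [ -n "$vc_a" ] || [ -n "$vc_b" ]; do
        # The next segment is everything before the first '.' or '-'.
        vc_sa=${vc_a%%[.-]*}
        vc_sb=${vc_b%%[.-]*}
        # Drop that segment and one separator from each remainder.
        case "$vc_a" in *[.-]*) vc_a=${vc_a#*[.-]} ;; *) vc_a= ;; esac
        case "$vc_b" in *[.-]*) vc_b=${vc_b#*[.-]} ;; *) vc_b= ;; esac

        if [ "$vc_sa" = "$vc_sb" ]; then
            continue
        fi
        # A version that runs out of segments first is the older one.
        if [ -z "$vc_sa" ]; then echo -1; return 0; fi
        if [ -z "$vc_sb" ]; then echo 1; return 0; fi

        if is_num "$vc_sa" && is_num "$vc_sb"; then
            vc_na=$(strip_zeros "$vc_sa")
            vc_nb=$(strip_zeros "$vc_sb")
            if [ "$vc_na" -lt "$vc_nb" ]; then echo -1; return 0; fi
            if [ "$vc_na" -gt "$vc_nb" ]; then echo 1; return 0; fi
            continue    # same number written differently, e.g. "01" and "1"
        fi
        # Mixed kinds: a numeric segment counts as newer than a text one.
        if is_num "$vc_sa"; then echo 1; return 0; fi
        if is_num "$vc_sb"; then echo -1; return 0; fi
        # Two text segments: plain byte-order comparison.
        if LC_ALL=C expr "x$vc_sa" \< "x$vc_sb" >/dev/null; then
            echo -1
        else
            echo 1
        fi
        return 0
    done
    echo 0
}

# needs_install WANTED INSTALLED: succeed when INSTALLED is empty (module or
# package not found) or older than WANTED, i.e. when a build is worth doing.
needs_install() {
    if [ -z "$2" ]; then
        return 0
    fi
    [ "$(ver_cmp "$1" "$2")" = 1 ]
}

# Constructed sample pairs: the two cases discussed in the thread.
for pair in "2.10 2.9" "2.110-1 2.110-1.2.el5.rf"; do
    set -- $pair
    printf '%s vs %s -> %s\n' "$1" "$2" "$(ver_cmp "$1" "$2")"
done
```

Perl module versions written as plain decimals (the 0.10789 style mentioned in the thread) follow a different convention and would need their own handling.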
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Oct 27 11:51:29 2008 Subject: New beta release 4.72.4-1 Message-ID: <4905AB28.7010404@ecs.soton.ac.uk> Hi Folks! Firstly, a big apology for not being around the place much recently. Several reasons. Number one, I now have two incredibly cute kittens to look after: http://www.jules.fm/gallery/v/CatsDay1/ http://www.jules.fm/gallery/v/RootAndCisco/ Number two, I seem to have had quite a lot on at work (my day-job). Number three, between numbers one and two, I just haven't had any energy left. I'm struggling quite hard to keep my weight up (currently only weigh 8 stone 1, 113 pounds, 51 kg) and just don't have much energy at the moment. There have been a load of colds going round, and while I don't really get colds (certainly never get blocked nose, stuffy head, anything like that) they still hit me a bit. As for the new liver, well they want to redo all the MRI scans, so I've got a few hours in an MRI scanner to look forward to. A rather critical new vein has opened up, which totally changed their surgical plan, and they need to be very sure it isn't going to close again or anything daft like that. And no, the phone hasn't rung yet, I'm still waiting for the liver transplant call. :-) So MailScanner has had to go on a bit of a back burner for a while. I'm sure you understand :-) Mean time, I have just put out a new beta release, which will go stable in a few days if no-one finds anything horribly wrong with it. So please do test it for me! Here is the Change Log: * New Features and Improvements * 1 Added support for ClamAV 0.94. Note that this has necessitated removal of complete support for earlier versions of ClamAV as the command-line settings are incompatible. So only use this version if you have upgraded to the latest ClamAV 0.94. 2 The "Found to be clean" header will not be added to the message at all if the relevant configuration setting is blank in MailScanner.conf. 
2 Filename and filetype checks are now done before virus scanning. This means that you can use the "deny+delete" type of filename or filetype rule to selectively delete files that will choke your buggy virus scanner. 4 "install.sh" now logs all output to "install.log". 4 The RPM and SuSE versions of "install.sh" now have a "reinstall" command-line option which will make it attempt to remove the Perl RPMs before it installs them, in case you have changed your Perl version enough that the previous Perl modules were not being found by your new setup. Very handy for Fedora upgraders, among others. 4 Improvements to the "reinstall" command-line switch so it removes all the old versions first, before it starts installing anything new. 4 Updated MIME-tools to version 5.427. 4 Minor improvement to phishing net. 4 Added check to --lint for sufficiently correct /tmp permissions. * Fixes * 1 Changed logging of clamd so that it reports the virus scanner name correctly. 2 Removed debug code from OLE unpacking code. 3 Fixed log handling bug in filename rules matching code, thanks to Derek Chee. 4 Fixed bug where whole message body was deleted if a file nested within 2 zip files failed filename tests. 4 Fixed reporting bug in 'service MailScanner status' where it would produce an error instead of saying the incoming sendmail process was working fine. 4 Fixed a parsing bug in the "Avast" scanner support. 4 Minor change to error message when /tmp has wrong permissions. Jules
From J.Ede at birchenallhowden.co.uk Mon Oct 27 12:06:29 2008 From: J.Ede at birchenallhowden.co.uk (Jason Ede) Date: Mon Oct 27 12:06:54 2008 Subject: New beta release 4.72.4-1 In-Reply-To: <4905AB28.7010404@ecs.soton.ac.uk> References: <4905AB28.7010404@ecs.soton.ac.uk> Message-ID: <4CAB0118AEC63A4FAAE77E6BCBDF760C792BDD008F@server02.bhl.local> > Number three, between numbers one and two, I just haven't had any > energy > left. I'm struggling quite hard to keep my weight up (currently only > weigh 8 stone 1, 113 pounds, 51 kg) and just don't have much energy at > the moment. There have been a load of colds going round, and while I > don't really get colds (certainly never get blocked nose, stuffy head, > anything like that) they still hit me a bit. As for the new liver, well > they want to redo all the MRI scans, so I've got a few hours in an MRI > scanner to look forward to. A rather critical new vein has opened up, > which totally changed their surgical plan, and they need to be very > sure > it isn't going to close again or anything daft like that. And no, the > phone hasn't rung yet, I'm still waiting for the liver transplant call. > :-) Hope the call comes soon! > > So MailScanner has had to go on a bit of a back burner for a while. I'm > sure you understand :-) Of course we understand :-) From martinh at solidstatelogic.com Mon Oct 27 12:33:24 2008 
From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Mon Oct 27 12:33:35 2008 Subject: New beta release 4.72.4-1 In-Reply-To: <4905AB28.7010404@ecs.soton.ac.uk> Message-ID: <2d9ac0d513b1b14aa85a99b78cfc9025@solidstatelogic.com> Jules Running it now.. Number 1: I take your kittens and trump them with a puppy http://picasaweb.google.co.uk/maxsec/TimmyDay1# http://picasaweb.google.co.uk/maxsec/TimmyDay2# (must get some new pictures up there) Number 2: yup know that feeling Number 3: we're all praying/hoping/best wishes etc for ya dude. Ya do an excellent job. Many many thanks. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From chris at bluecobras.com Wed Oct 22 18:57:44 2008 
From: chris at bluecobras.com (chris@bluecobras.com) Date: Mon Oct 27 12:34:53 2008 Subject: New beta release 4.72.4-1 In-Reply-To: <4905AB28.7010404@ecs.soton.ac.uk> References: <4905AB28.7010404@ecs.soton.ac.uk> Message-ID: <9bcea88afbf8f74e95d30b45110fc612@127.0.0.1> On Mon, 27 Oct 2008 11:51:04 +0000, Julian Field wrote: > Hi Folks! > > Firstly, a big apology for not being around the place much recently. > Several reasons. > > Number one, I now have two incredibly cute kittens to look after: > http://www.jules.fm/gallery/v/CatsDay1/ > http://www.jules.fm/gallery/v/RootAndCisco/ Yes, very cute. Brings back memories of a cat I had when I was younger. Beautiful all grey with a diamond shaped white mark on her neck. I have always liked cats. > Number two, I seem to have had quite a lot on at work (my day-job). I know that feeling. :( > Number three, between numbers one and two, I just haven't had any energy > left. I'm struggling quite hard to keep my weight up (currently only > weigh 8 stone 1, 113 pounds, 51 kg) and just don't have much energy at > the moment. There have been a load of colds going round, and while I > don't really get colds (certainly never get blocked nose, stuffy head, > anything like that) they still hit me a bit. As for the new liver, well > they want to redo all the MRI scans, so I've got a few hours in an MRI > scanner to look forward to. A rather critical new vein has opened up, > which totally changed their surgical plan, and they need to be very sure > it isn't going to close again or anything daft like that. And no, the > phone hasn't rung yet, I'm still waiting for the liver transplant call. > :-) Wow, 113 lbs. I imagine you are limited in what you can eat to keep it on with your liver not quite up to snuff. Most things that put weight on are not exactly good for you. But it's good to hear the new vein has opened up. The last couple reports I remember reading you have mentioned new veins. Sounds like your body is fighting back. 
> So MailScanner has had to go on a bit of a back burner for a while. I'm > sure you understand :-) As it should be. Take care of yourself first. Take Care Julian Chris From MailScanner at ecs.soton.ac.uk Mon Oct 27 13:37:25 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Oct 27 13:37:47 2008 Subject: database is locked(5) at dbdimp.c line 402 In-Reply-To: <7d9b3cf20810241611q6b8f553bqdd2f8254e6a249a@mail.gmail.com> References: <49008487.9090702@hostalia.com> <7d9b3cf20810241611q6b8f553bqdd2f8254e6a249a@mail.gmail.com> Message-ID: <4905C415.9070902@ecs.soton.ac.uk> I find I only get that error when the database file is corrupt. Deleting the SpamAssassin cache file in /var/spool/MailScanner/incoming always fixed it for me. Jules. Eduardo Casarero wrote: > > > 2008/10/23 Alvaro Marín > > > Hello, > > I'm getting this error continuously when the server's load is high: > > MailScanner[29045]: database is locked(5) at dbdimp.c line 402 > > and the message scanning slows a lot. > > I see that: > > # grep timeout .cpan/build/DBD-SQLite-1.14-hR9dHa/dbdimp.h -i > /* 30 second timeout by default */ > #define SQL_TIMEOUT 30000 > > the timeout is 30secs by default in SQLite, perhaps too high (I prefer > scan the message again instead of wait 30secs). > > So I've modified MailScanner's SA.pm and added: > > $MailScanner::SA::cachedbh->func( "2000", 'busy_timeout'); > > to set it to 2 seconds, after the connection to the cache db: > > $MailScanner::SA::cachedbh = DBI->connect( > > "dbi:SQLite:$MailScanner::SA::cachefilename", > > "","",{PrintError=>0,InactiveDestroy=>1}); > > > I've tested it and it seems that works fine; is this a safe way to do > this? Perhaps recompile SQLite changing that value is better? > > Regards, > > > Do you have the SA-cache on tmpfs? mounting in tmpfs should be fast > enough to keep happy MS. > > Regards, > > Eduardo. > > > > -- > Alvaro Marín Illera > Hostalia Internet > www.hostalia.com > > Jules From uxbod at splatnix.net Mon Oct 27 14:14:55 2008 
From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Mon Oct 27 14:15:16 2008 Subject: New beta release 4.72.4-1 In-Reply-To: <4905AB28.7010404@ecs.soton.ac.uk> Message-ID: <3730261.1161225116895364.JavaMail.root@office.splatnix.net> Should they not be called RootKit ;) Fingers crossed that call comes in soon Jules and not another tele-marketing one instead! Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 From maillists at conactive.com Mon Oct 27 16:31:17 2008 From: maillists at conactive.com (Kai Schaetzl) Date: Mon Oct 27 16:31:27 2008 Subject: MailScanner quarantined file loosing their identity In-Reply-To: <30200a940810270134i6bbb754fxac49aaa95895098@mail.gmail.com> References: <30200a940810270134i6bbb754fxac49aaa95895098@mail.gmail.com> Message-ID: Gregory Machin wrote on Mon, 27 Oct 2008 10:34:51 +0200: > What is happening is that the > attachments are being saved without their extension, and the file type > in some cases is unidentifiable. What should I do to resolve this .. Well, do you *know* that these files were sent with an extension? Not all operating systems enforce usage of extensions. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From nwp at nz.lemon-computing.com Mon Oct 27 19:02:15 2008 
From: nwp at nz.lemon-computing.com (Nick Phillips) Date: Mon Oct 27 19:02:30 2008 Subject: New beta release 4.72.4-1 In-Reply-To: <4905AB28.7010404@ecs.soton.ac.uk> References: <4905AB28.7010404@ecs.soton.ac.uk> Message-ID: <3ABF8226-981A-494D-B514-CC87A4F43F79@nz.lemon-computing.com> On 28/10/2008, at 12:51 AM, Julian Field wrote: > Hi Folks! > > Firstly, a big apology for not being around the place much recently. > Several reasons. > > Number one, I now have two incredibly cute kittens to look after: > http://www.jules.fm/gallery/v/CatsDay1/ > http://www.jules.fm/gallery/v/RootAndCisco/ Are you sure they're not really just an excuse to show off the MacBook Air? >;-) Hope the next round of hospitals goes well. Cheers, Nick From martinh at solidstatelogic.com Mon Oct 27 21:06:32 2008 
From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Mon Oct 27 21:05:26 2008 Subject: FW: New service - the Team Cymru Malware Hash Registry! Message-ID: -------------- next part -------------- An embedded message was scrubbed... From: Ian Cook Subject: New service - the Team Cymru Malware Hash Registry! Date: Mon, 27 Oct 2008 18:12:00 +0000 Size: 4381 Url: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081027/72998435/attachment.mht From martinh at solidstatelogic.com Mon Oct 27 21:11:53 2008 
From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Mon Oct 27 21:10:52 2008 Subject: New service - the Team Cymru Malware Hash Registry! Message-ID: Oops hit 'send' too quick.. Jules if ya get bored with the kitties, i think this could be a useful addition to MS. -- martin From achim+mailscanner at qustodium.net Mon Oct 27 22:15:56 2008 
From: achim+mailscanner at qustodium.net (Achim J. Latz) Date: Mon Oct 27 22:16:54 2008 Subject: bitdefender-autoupdate improvements Message-ID: <49063D9C.3050907@qustodium.net> Good evening: The bitdefender-autoupdate script seems to cause quite a bit of load when run in its current version. I checked the code, and it appears that the signature updates are downloaded, compared with the current signatures, and then some statistics are printed out. HOWEVER, the comparison seems rather inefficient as it requires a lot of CPU and I/O capacity, probably because the signature files have grown rapidly since this script was last updated on 21/10/2003 [1]. While running the original version, I saw the machine load spike to 4 or 5 for a couple of minutes (AMD64, 1GB RAM) every time bitdefender-autoupdate was active (basically once every hour). The (ugly, hacked) updated version is not even noticeable on the load -- the resulting unified diff is attached. Perhaps my ugly hack could serve as a starting point for somebody better versed in Perl to review the script completely? As Julian already states in his comments for that particular file: # Note from Jules: This looks awfully complicated, but it is because the # old version of the --update flag didn't work in bdc. # This code detects what version of bdc you are running # and uses the appropriate code for each version. # # YOU DON'T HAVE TO TWEAK IT!!! Please don't modify this file. Naturally, I do not agree with the last line (-: Best regards, Achim [1] "At the start of 2007, computer security firm F-Secure had about 250,000 malware signatures in its database, the result of almost 20 years of antivirus research. Now, near the end of 2007, the company has about 500,000 malware signatures." Source: -------------- next part -------------- --- bitdefender-autoupdate.orig 2008-08-14 14:03:30.000000000 +0200 +++ bitdefender-autoupdate 2008-10-04 10:03:10.000000000 +0200 
@@ -144,7 +144,8 @@ $sendmailPath = "/usr/sbin/sendmail"; # full sendmail path ######## LOGFILE SIZE LIMIT ############## $logFileLimit = 5120; # logfile limit size in bytes - 0 = no limit - 5120 = 5 kb -#JKF This is now calculated $useBDCUpdate = 0; # select the method to use for updating +#JKF This is now calculated +#$useBDCUpdate = 1; # select the method to use for updating # 1 = user bdc --update method, # 0 = download file, unzip and test it ####################################################################### @@ -182,21 +183,23 @@ # JKF Set $useBDCUpdate according to which version is installed if (-e $bitDefenderPath . "shared/$bitDefBinary") { # JKF Old version. --update is broken and bdc is in "shared" directory + &updateLog("Old version. --update is broken and bdc is in shared directory"); $useBDCUpdate = 0; $bdcBinary = $bitDefenderPath . "shared/$bitDefBinary"; } if (-e "$bitDefenderPath$bitDefBinary") { # JKF New version. --update works and bdc is in main package directory + &updateLog("New version. --update works and bdc is in main package directory"); $useBDCUpdate = 1; $bdcBinary = $bitDefenderPath . $bitDefBinary; } # calcolo il numero di virus su cui siamo inizialmente protetti e restituisco il numero direttamente nel log -my $bitDCmd = $bdcBinary . " --vlist"; -my $origFile = $bitDefenderPath . $beforeFile; -system "$bitDCmd > $origFile "; +#my $bitDCmd = $bdcBinary . " --vlist"; +#my $origFile = $bitDefenderPath . $beforeFile; +#system "$bitDCmd > $origFile "; -&countViruses($origFile); +#&countViruses($origFile); if ( $useBDCUpdate == 1) { 
@@ -280,26 +283,26 @@ my $destFile = $bitDefenderPath . $afterFile; # calcolo il numero di virus su cui siamo protetti e restituisco il numero direttamente nel log -system "$bitDCmd > $destFile "; +# system "$bitDCmd > $destFile "; -&updateLog ("Following the changes:"); +# &updateLog ("Following the changes:"); -COMPARE: -my $newsFile = $bitDefenderPath . "news.txt"; +#COMPARE: +#my $newsFile = $bitDefenderPath . "news.txt"; -$afterFile = $bitDefenderPath . $afterFile; -$beforeFile = $bitDefenderPath . $beforeFile; +#$afterFile = $bitDefenderPath . $afterFile; +#$beforeFile = $bitDefenderPath . $beforeFile; -system "diff $beforeFile $afterFile > $newsFile"; +#system "diff $beforeFile $afterFile > $newsFile"; # include bdc report fr reporting families -my $bitDCmd = $bdcBinary . " --info"; -system "$bitDCmd >> $newsFile "; +#my $bitDCmd = $bdcBinary . " --info"; +#system "$bitDCmd >> $newsFile "; # get the file and print it in the log... -my $fh = new IO::File "< $newsFile" || &updateLog( "no news file found!"); -my @lines = $fh->getlines; -$fh->close; +#my $fh = new IO::File "< $newsFile" || &updateLog( "no news file found!"); +#my @lines = $fh->getlines; +#$fh->close; my $lines = @lines; @@ -323,7 +326,7 @@ $useSMTP = 0; # avoid mail } -&countViruses($destFile); +#&countViruses($destFile); if ( $useBDCUpdate == 0 ) { &determineRotation (1); # update rotation status From gdm at linuxpro.co.za Tue Oct 28 05:26:31 2008 
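Review bot: In the @@ -144,7 +144,8 @@ hunk the commented-out assignment silently changes from `$useBDCUpdate = 0` to `#$useBDCUpdate = 1`, and the two legend lines under it ("1 = user bdc --update method", "0 = download file, unzip and test it") still read as documentation for a setting that can no longer be set at this point. Since the value is calculated in the version check further down, delete the dead assignment instead of editing it, and move the 1/0 legend next to that check.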
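Review bot: In the @@ -182,21 +183,23 @@ hunk the two added `&updateLog(...)` calls only cover the cases where a bdc binary is found; when neither `shared/$bitDefBinary` nor `$bitDefenderPath$bitDefBinary` exists nothing is logged, and `$useBDCUpdate` and `$bdcBinary` are still unset when `if ( $useBDCUpdate == 1)` is reached. Add a final branch that logs the missing binary and stops. The four lines disabled at the bottom of the hunk (`--vlist` dump and `countViruses($origFile)`) should be deleted rather than commented out, with the reason given in the change description.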
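Review bot: In the @@ -280,26 +283,26 @@ hunk the unchanged line `my $lines = @lines;` still reads `@lines`, but its declaration (`my @lines = $fh->getlines;`) is now commented out, so the count is 0 at best and the script fails to compile if it runs under `use strict`. Remove or guard that line and whatever consumes `$lines` after it in the same change. Two smaller points in the same hunk: `#COMPARE:` removes a label, so any jump to COMPARE elsewhere in the file needs checking, and `my $destFile` is still assigned although nothing visible uses it any more.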
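Review bot: In the @@ -323,7 +326,7 @@ hunk, disabling `&countViruses($destFile)` on top of the `countViruses($origFile)` removal earlier means the log no longer carries any before/after signature count, which is the only figure in the visible code that tells an operator whether an update changed anything. If the count is to go, say so in the change description and drop the now-unused `$beforeFile`/`$afterFile` handling; otherwise keep a single post-update figure behind an option so the expensive `--vlist` comparison stays off by default.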
From: gdm at linuxpro.co.za (Gregory Machin)
Date: Tue Oct 28 05:26:41 2008
Subject: MailScanner quarantined file loosing their identity
In-Reply-To:
References: <30200a940810270134i6bbb754fxac49aaa95895098@mail.gmail.com>
Message-ID: <30200a940810272226i2579f3c1m8be955612d738773@mail.gmail.com>

Yes they do, as the client is aware of the extension type in most cases or at least the general mime type it should belong to ... these clients are using Windows.

On Mon, Oct 27, 2008 at 6:31 PM, Kai Schaetzl wrote:
> Gregory Machin wrote on Mon, 27 Oct 2008 10:34:51 +0200:
>
>> What is happening is that the
>> attachments are being saved without their extension, and the file type
>> in some cases is unidentifiable. What should I do to resolve this ..
>
> Well, do you *know* that these files were sent with an extension? Not all
> operating systems enforce usage of extensions.
>
> Kai
>
> --
> Kai Schätzl, Berlin, Germany
> Get your web at Conactive Internet Services: http://www.conactive.com

From neilw at dcdata.co.za Tue Oct 28 07:01:01 2008
From: neilw at dcdata.co.za (Neil Wilson)
Date: Tue Oct 28 07:04:56 2008
Subject: SpamAssassin Autolearn Y (not spam)
Message-ID: <4906B8AD.4030606@dcdata.co.za>

Hi guys,

I've got a whole bunch of emails that are getting through as non Spam (looking through MailWatch) when they are definitely Spam.

Any ideas why these are being auto learnt as non spam, and how can I "learn" them as Spam?

Thanks.
Neil

From alvaro at hostalia.com Tue Oct 28 08:46:12 2008 
From: alvaro at hostalia.com (Alvaro Marín)
Date: Tue Oct 28 08:46:57 2008
Subject: database is locked(5) at dbdimp.c line 402
In-Reply-To: <4905C415.9070902@ecs.soton.ac.uk>
References: <49008487.9090702@hostalia.com> <7d9b3cf20810241611q6b8f553bqdd2f8254e6a249a@mail.gmail.com> <4905C415.9070902@ecs.soton.ac.uk>
Message-ID: <4906D154.305@hostalia.com>

Julian Field wrote:
> I find I only get that error when the database file is corrupt. Deleting
> the SpamAssassin cache file in /var/spool/MailScanner/incoming always
> fixed it for me.

But when this error appears, there are cache hits too (by other MS processes), and when the server's load goes down, the error disappears and all runs fine. It seems that some MailScanner processes want to write to the database and it's locked by another, so by decreasing the timeout it won't write the hash to the db, but it won't wait for 30 secs.

Regards,
--
Alvaro Marín Illera
Hostalia Internet
www.hostalia.com

From gmatt at nerc.ac.uk Tue Oct 28 08:49:15 2008
From: gmatt at nerc.ac.uk (Greg Matthews)
Date: Tue Oct 28 08:49:37 2008
Subject: New service - the Team Cymru Malware Hash Registry!
In-Reply-To:
References:
Message-ID: <4906D20B.90507@nerc.ac.uk>

Martin.Hepworth wrote:
> Oops hit 'send' too quick..
>
> Jules if ya get bored with the kitties, i think this could be a useful addition to MS.

who'd have thought "team-cymru" would be based in Illinois...

GREG
--
Greg Matthews 01491 692445
Head of UNIX/Linux, iTSS Wallingford

From uxbod at splatnix.net Tue Oct 28 09:20:01 2008 
From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Tue Oct 28 09:20:18 2008 Subject: New service - the Team Cymru Malware Hash Registry! In-Reply-To: <17079775.1711225185562113.JavaMail.root@office.splatnix.net> Message-ID: <3125154.1731225185601952.JavaMail.root@office.splatnix.net> Just had a read and it looks really good. I presume the best bet would be to use the DNS lookup method as most firewalls will have DNS open ? Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 ----- "Martin.Hepworth" wrote: > Oops hit 'send' too quick.. > > > > Jules if ya get bored with the kitties, i think this could be a useful > addition to MS. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ms-list at alexb.ch Tue Oct 28 09:58:34 2008 
From: ms-list at alexb.ch (Alex Broens)
Date: Tue Oct 28 09:58:35 2008
Subject: New service - the Team Cymru Malware Hash Registry!
In-Reply-To: <3125154.1731225185601952.JavaMail.root@office.splatnix.net>
References: <3125154.1731225185601952.JavaMail.root@office.splatnix.net>
Message-ID: <4906E24A.6060902@alexb.ch>

On 10/28/2008 10:20 AM, --[ UxBoD ]-- wrote:
> Just had a read and it looks really good. I presume the best bet
> would be to use the DNS lookup method as most firewalls will have DNS
> open ?

It has a couple of disadvantages compared to the malware.com.br ClamAV signatures:

- The ClamAV signatures include a size field to avoid possible MD5 collisions.

- The ClamAV sigs don't delay processing and have a small memory fingerprint.

- The lookups to the Cymru site will slow down processing. (do they have enough iron to hold up to global traffic?)

- "The Malware Hash Registry (MHR) is free for non-commercial use ONLY" so it should hardly become part of default MS.

The one big plus is the close to real time detection, though it's hard to imagine that the stuff it detects doesn't get marked as spam by already existing methods.

If Jules decides to add this to MailScanner I hope he does it as a custom function plugin. imo, this doesn't belong in the main "glue" aka MailScanner.

I see lots more potential for a SA plugin.

Alex

From maillists at conactive.com Tue Oct 28 10:31:17 2008 
From: maillists at conactive.com (Kai Schaetzl)
Date: Tue Oct 28 10:31:27 2008
Subject: SpamAssassin Autolearn Y (not spam)
In-Reply-To: <4906B8AD.4030606@dcdata.co.za>
References: <4906B8AD.4030606@dcdata.co.za>
Message-ID:

Neil Wilson wrote on Tue, 28 Oct 2008 09:01:01 +0200:

> I've got a whole bunch of emails that are getting through as non
> Spam(looking through MailWatch) when they are definitely Spam.
>
> Any ideas why these are being auto learnt as non spam. and how can I
> "learn" them as Spam?

It looks like you are mixing two things: Are they detected as ham or are they detected as spam and not auto-learned?

Resources that might be useful to you:
http://wiki.apache.org/spamassassin/FrequentlyAskedQuestions
http://wiki.apache.org/spamassassin/
http://wiki.apache.org/spamassassin/MailingLists
http://spamassassin.apache.org/doc.html

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From uxbod at splatnix.net Tue Oct 28 10:53:19 2008 
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Tue Oct 28 10:53:44 2008
Subject: New service - the Team Cymru Malware Hash Registry!
In-Reply-To: <4906E24A.6060902@alexb.ch>
Message-ID: <31149285.1811225191199895.JavaMail.root@office.splatnix.net>

Yep kinda agree Alex after reading some more. I think a SA rule would be well suited, and have mentioned such elsewhere.

Regards,
--
--[ UxBoD ]--

----- "Alex Broens" wrote:
> It has a couple of disadvantages compared to the malware.com.br ClamAV
> signatures:
>
> - The ClamAV signatures include a size field to avoid possible MD5
> collisions.
>
> - The ClamAV sigs don't delay processing and have a small memory
> fingerprint.
>
> - The lookups to the Cymru site will slow down processing.
> (do they have enough iron to hold up to global traffic?)
>
> - "The Malware Hash Registry (MHR) is free for non-commercial use ONLY"
> so it should hardly become part of default MS.
>
> The one big plus is the close to real time detection though it's hard to
> imagine that the stuff it detects doesn't get marked as spam by already
> existing methods.
>
> If Jules decides to add this to MailScanner I hope he does it as a
> custom function plugin
> imo, this doesn't belong in the main "glue" aka MailScanner.
>
> I see lots more potential for a SA plugin.
>
> Alex

From steveb_clamav at sanesecurity.com Tue Oct 28 12:45:51 2008 
From: steveb_clamav at sanesecurity.com (Steve Basford)
Date: Tue Oct 28 11:46:49 2008
Subject: New service - the Team Cymru Malware Hash Registry!
Message-ID: <21902.88.97.0.153.1225197951.squirrel@saturn.dataflame.net>

> - The ClamAV signatures include a size field to avoid possible MD5
> collisions.

That's true... I've got a small rogue.hdb database which I'm filling with rogue anti-virus software hashes and current high-hitting rogues (it's downloaded with the new downloads scripts here: http://www.sanesecurity.co.uk/clamav/usage.htm )

You can, of course, create your own database:

Run ClamAV's sigtool in a directory of bad exe's or zips etc:

sigtool --md5 * > bad.hdb

Pop the bad.hdb into the ClamAV database directory, restart clamd and away you go.

md5's will change... but may help with short term fixes ;)

Cheers and sorry for hijacking the list :)

Steve
Sanesecurity

From steve.freegard at fsl.com Tue Oct 28 12:16:08 2008 
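The size field discussed in this sub-thread, as an added Python example (not code from the list or from ClamAV): it writes `md5:size:name` entries in the layout `sigtool --md5` prints and reports a match only when both the size and the digest agree. The function names and the sample bytes used in testing are constructed for illustration.

```python
"""Hash-plus-size matching in the style of ClamAV .hdb entries (added example)."""
import hashlib
import os
import re

# One entry per line: 32 hex digits of MD5, file size in bytes, signature name.
HDB_LINE = re.compile(r"^([0-9a-fA-F]{32}):(\d+):(.+)$")


def _md5_and_size(path):
    """Hash a file in chunks and count its bytes in the same pass."""
    digest, size = hashlib.md5(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
            size += len(chunk)
    return digest.hexdigest(), size


def hdb_entry(path, name=None):
    """Return one 'md5:size:name' line for a file; name defaults to the file name."""
    digest, size = _md5_and_size(path)
    return f"{digest}:{size}:{name or os.path.basename(path)}"


def load_hdb(lines):
    """Parse entries into {size: {md5: name}}; return (index, rejected).

    rejected lists (line_number, text) for lines that are not valid entries,
    so a damaged database is noticed instead of silently matching nothing.
    """
    index, rejected = {}, []
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line:
            continue
        parsed = HDB_LINE.match(line)
        if not parsed:
            rejected.append((lineno, line))
            continue
        digest, size, name = parsed.group(1).lower(), int(parsed.group(2)), parsed.group(3)
        index.setdefault(size, {})[digest] = name
    return index, rejected


def match(path, index):
    """Return the signature name for path, or None.

    The size is compared first: a file whose size is not in the database is
    never hashed, and a digest that is listed under a different size does
    not count as a hit.
    """
    candidates = index.get(os.path.getsize(path))
    if not candidates:
        return None
    digest, _ = _md5_and_size(path)
    return candidates.get(digest)


if __name__ == "__main__":
    import sys
    # Usage: script.py bad.hdb file [file ...]
    with open(sys.argv[1]) as db:
        idx, bad_lines = load_hdb(db)
    for lineno, text in bad_lines:
        print(f"skipped line {lineno}: {text}")
    for target in sys.argv[2:]:
        print(f"{target}: {match(target, idx) or 'no match'}")
```

As the post says, an exact hash only catches byte-identical copies, so a database like this is a short-term measure.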
From: steve.freegard at fsl.com (Steve Freegard)
Date: Tue Oct 28 12:16:18 2008
Subject: New service - the Team Cymru Malware Hash Registry!
In-Reply-To:
References:
Message-ID: <49070288.9040406@fsl.com>

Martin.Hepworth wrote:
> Oops hit 'send' too quick..
>
> Jules if ya get bored with the kitties, i think this could be a useful addition to MS.
>

Anyone fancy trying the attached? - I've tested it here and it appears to work fine.

It's a plug-in to lookup the hashes in the Malware Registry implemented using MailScanner's generic virus scanner interface.

It uses the SHA1 algorithm instead of MD5 and uses background sockets to increase scanning speed with a maximum timeout of 30 seconds waiting for DNS results.

To install it - copy the attached to /usr/local/bin, then edit virus.scanners.conf and change:

generic /usr/lib/MailScanner/generic-wrapper /
to
generic /usr/lib/MailScanner/generic-wrapper /usr/local/bin

Then edit generic-wrapper and change

MyScanner=/bin/false
to
MyScanner=generic_hash_scanner.pl

And then test it by running the following (you must be in the same directory as the generic-wrapper script):

./generic-wrapper /usr/local/bin .

You should get output similar to the following:

[root@mail MailScanner]# ./generic-wrapper /usr/local/bin .
CLEAN::File::./f-secure-wrapper
CLEAN::File::./generic-wrapper
CLEAN::File::./MailScanner/CustomFunctions/SignCleanMessages.pm
CLEAN::File::./MailScanner/CustomFunctions/SignCleanMessagesFunction.tar.gz
CLEAN::File::./sophos-wrapper
CLEAN::File::./utils/bin/encode-base64

Here's an example with eicar:

[root@mail MailScanner]# ./generic-wrapper /usr/local/bin eicar.com
ERROR::Cymru_Malware_Hash::./eicar.com

Any errors are reported as:

INFO::ERROR::

And any output from the wrapper will be automatically displayed in the log by MailScanner:

Oct 28 08:05:09 mail MailScanner[6065]: Virus and Content Scanning: Starting
Oct 28 08:05:11 mail MailScanner[6065]: GenericScanner::CLEAN::File::./m9SC5507007840.header
Oct 28 08:05:11 mail MailScanner[6065]: GenericScanner::CLEAN::File::./m9SC5507007840/msg-6065-48.html
Oct 28 08:05:11 mail MailScanner[6065]: GenericScanner::CLEAN::File::./m9SC5507007840/msg-6065-47.txt
Oct 28 08:05:11 mail MailScanner[6065]: Virus Scanning completed at 2420 bytes per second

In my testing it's actually *faster* than a command-line virus scanner by a considerable margin:

[root@mail ~]# time clamscan eicar.com

real 0m11.910s
user 0m11.447s
sys 0m0.253s

[root@mail ~]# time /usr/local/bin/generic_hash_scanner.pl eicar.com
ERROR::Cymru_Malware_Hash::./eicar.com

real 0m0.320s
user 0m0.284s
sys 0m0.036s

How long it will stay this fast as people start using it remains to be seen.

Kind regards,
Steve.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: generic_hash_scanner.pl
Type: application/x-perl
Size: 2648 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081028/cd851ada/generic_hash_scanner.bin

From E.Bloodaxe at gold.ac.uk Tue Oct 28 12:26:26 2008 
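An added Python example of the lookup pattern this post describes (SHA-1 each file, query a DNS zone for all of them concurrently, stop after one overall deadline), reporting in the `CLEAN::` / `ERROR::Cymru_Malware_Hash::` / `INFO::ERROR::` layout shown in the output above. It is not the attached generic_hash_scanner.pl; the zone name, the rule that any 127.x answer means "listed", and the resolver interface are assumptions.

```python
"""Hash-registry lookups over DNS with one overall deadline (added example)."""
import concurrent.futures as cf
import hashlib
import socket

# Assumption: zone name as published in Team Cymru's MHR documentation, not in this thread.
ZONE = "malware.hash.cymru.com"
# getaddrinfo codes that mean "no such name"; anything else is a lookup failure.
_NOT_FOUND = {c for c in (socket.EAI_NONAME, getattr(socket, "EAI_NODATA", None))
              if c is not None}


def sha1_of(path):
    """SHA-1 of a file, read in chunks so large attachments are not loaded whole."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def system_resolver(qname):
    """Return the A record for qname, or None when the name does not exist."""
    try:
        return socket.gethostbyname(qname)
    except socket.gaierror as exc:
        if exc.errno in _NOT_FOUND:
            return None
        raise  # resolver trouble must not be read as "not listed"


def scan(paths, resolver=system_resolver, zone=ZONE, deadline=30.0, workers=16):
    """Look up every file's hash and return the report lines.

    A file gets CLEAN only on a definite "no such name" answer and ERROR only
    on a 127.x answer. Failed or unanswered lookups produce INFO::ERROR lines,
    so the caller can see that those files were not actually checked.
    """
    pool = cf.ThreadPoolExecutor(max_workers=workers)
    pending, lines = {}, []
    for path in paths:
        try:
            qname = f"{sha1_of(path)}.{zone}"
        except OSError as exc:
            lines.append(f"INFO::ERROR::{path}: cannot read ({exc.strerror})")
            continue
        pending[pool.submit(resolver, qname)] = path

    # One deadline for the whole batch, not one per file.
    done, not_done = cf.wait(list(pending), timeout=deadline)
    for future, path in pending.items():  # keep submission order in the report
        if future not in done:
            continue
        try:
            answer = future.result()
        except OSError as exc:
            lines.append(f"INFO::ERROR::{path}: lookup failed ({exc})")
            continue
        if answer is None:
            lines.append(f"CLEAN::File::{path}")
        elif answer.startswith("127."):
            lines.append(f"ERROR::Cymru_Malware_Hash::{path}")
        else:
            lines.append(f"INFO::ERROR::{path}: unexpected answer {answer}")
    if not_done:
        lines.append(f"INFO::ERROR::Timed out after {deadline:g} seconds "
                     f"({len(not_done)} lookups unanswered)")
    pool.shutdown(wait=False, cancel_futures=True)
    return lines


if __name__ == "__main__":
    import sys
    print("\n".join(scan(sys.argv[1:])))
```

Whether a timed-out batch is delivered or held is a policy decision for the caller; the report deliberately gives such files neither a CLEAN nor an ERROR line.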
From: E.Bloodaxe at gold.ac.uk (Erik Bloodaxe)
Date: Tue Oct 28 12:26:43 2008
Subject: MailScanner not detecting Trog/Agent-IBF - assistance needed.
Message-ID: <490704F2.6030207@gold.ac.uk>

Can anyone assist with a problem with my MailScanner/Sophos set up:

E-mails with a zip file are getting through mail scanner with zip files containing Trog-Agent-IBF. The Sophos on the mail system will detect that a zip file is infected with Trog/Agent-IBF. Other viruses are being detected and removed by MailScanner and sophos.

Debugging only says that

In Debugging mode, not forking...
Queues are "/home/exim/spool/port.26/input"
Ignore errors about failing to find EOCD signature
format error: can't find EOCD signature
 at /opt/MailScanner/bin/MailScanner line 820
format error: can't find EOCD signature
 at /opt/MailScanner/bin/MailScanner line 820
Stopping now as you are debugging me.

The messages are moved from the incoming queue to the outgoing one, but, the virus infected zip file is still there and there are no mailscanner headers added.

Can anyone assist?

Erik

From uxbod at splatnix.net Tue Oct 28 12:35:52 2008 
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Tue Oct 28 12:36:18 2008
Subject: New service - the Team Cymru Malware Hash Registry!
In-Reply-To: <49070288.9040406@fsl.com>
Message-ID: <25279336.1921225197352545.JavaMail.root@office.splatnix.net>

Superb Steve! Looks like it's being heavily used already ;)

# ./generic-wrapper /usr/local/bin .
CLEAN::File::./f-prot-6-wrapper
CLEAN::File::./kaspersky.prf
CLEAN::File::./vexira-wrapper
CLEAN::File::./MailScanner.pm
CLEAN::File::./bitdefender-autoupdate
CLEAN::File::./f-secure-wrapper
CLEAN::File::./vba32-wrapper
CLEAN::File::./symscanengine-wrapper
CLEAN::File::./MailScanner/CustomFunctions/SQLBlackWhiteList.pm
CLEAN::File::./vba32-autoupdate
CLEAN::File::./kaspersky-autoupdate
CLEAN::File::./MailScanner/Log.pm
CLEAN::File::./clamav-autoupdate
INFO::ERROR::Timed out after 30 seconds

Regards,
--
--[ UxBoD ]--

----- "Steve Freegard" wrote:
> Anyone fancy trying the attached? - I've tested it here and it appears
> to work fine.
>
> It's a plug-in to lookup the hashes in the Malware Registry implemented
> using MailScanner's generic virus scanner interface.
>
> It uses the SHA1 algorithm instead of MD5 and uses background sockets to
> increase scanning speed with a maximum timeout of 30 seconds waiting for
> DNS results.
>
> To install it - copy the attached to /usr/local/bin, then edit
> virus.scanners.conf and change:
>
> generic /usr/lib/MailScanner/generic-wrapper /
> to
> generic /usr/lib/MailScanner/generic-wrapper /usr/local/bin
>
> Then edit generic-wrapper and change
>
> MyScanner=/bin/false
> to
> MyScanner=generic_hash_scanner.pl
>
> And then test it by running the following (you must be in the same
> directory as the generic-wrapper script):
>
> ./generic-wrapper /usr/local/bin .
>
> You should get output similar to the following:
>
> [root@mail MailScanner]# ./generic-wrapper /usr/local/bin .
> CLEAN::File::./f-secure-wrapper
> CLEAN::File::./generic-wrapper
> CLEAN::File::./MailScanner/CustomFunctions/SignCleanMessages.pm
> CLEAN::File::./MailScanner/CustomFunctions/SignCleanMessagesFunction.tar.gz
> CLEAN::File::./sophos-wrapper
> CLEAN::File::./utils/bin/encode-base64
>
> Here's an example with eicar:
>
> [root@mail MailScanner]# ./generic-wrapper /usr/local/bin eicar.com
> ERROR::Cymru_Malware_Hash::./eicar.com
>
> Any errors are reported as:
>
> INFO::ERROR::
>
> And any output from the wrapper will be automatically displayed in the
> log by MailScanner:
>
> Oct 28 08:05:09 mail MailScanner[6065]: Virus and Content Scanning: Starting
> Oct 28 08:05:11 mail MailScanner[6065]: GenericScanner::CLEAN::File::./m9SC5507007840.header
> Oct 28 08:05:11 mail MailScanner[6065]: GenericScanner::CLEAN::File::./m9SC5507007840/msg-6065-48.html
> Oct 28 08:05:11 mail MailScanner[6065]: GenericScanner::CLEAN::File::./m9SC5507007840/msg-6065-47.txt
> Oct 28 08:05:11 mail MailScanner[6065]: Virus Scanning completed at 2420 bytes per second
>
> In my testing it's actually *faster* than a command-line virus scanner
> by a considerable margin:
>
> [root@mail ~]# time clamscan eicar.com
>
> real 0m11.910s
> user 0m11.447s
> sys 0m0.253s
>
> [root@mail ~]# time /usr/local/bin/generic_hash_scanner.pl eicar.com
> ERROR::Cymru_Malware_Hash::./eicar.com
>
> real 0m0.320s
> user 0m0.284s
> sys 0m0.036s
>
> How long it will stay this fast as people start using it remains to be seen.
>
> Kind regards,
> Steve.

From steve.freegard at fsl.com Tue Oct 28 12:57:21 2008
From: steve.freegard at fsl.com (Steve Freegard)
Date: Tue Oct 28 12:57:34 2008
Subject: New service - the Team Cymru Malware Hash Registry!
In-Reply-To: <25279336.1921225197352545.JavaMail.root@office.splatnix.net>
References: <49070288.9040406@fsl.com> <25279336.1921225197352545.JavaMail.root@office.splatnix.net>
Message-ID: <49070C31.9040905@fsl.com>

--[ UxBoD ]-- wrote:
> Superb Steve! Looks like it's being heavily used already ;)
>
> # ./generic-wrapper /usr/local/bin .
> INFO::ERROR::Timed out after 30 seconds
>

Try the attached - I've changed the timeout information:

INFO::ERROR::Timed out after 30 seconds (113 remaining sockets waiting after 1 checks)

I've not had it time out on me at all - to get the above output I had to add a sleep(10) after each result.

Make sure you have a newish version of Net::DNS - I'm also running a local caching-nameserver.

Regards,
Steve.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: generic_hash_scanner.pl
Type: application/x-perl
Size: 2810 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081028/ba3aca94/generic_hash_scanner.bin

From E.Bloodaxe at gold.ac.uk Tue Oct 28 13:06:45 2008 
From: E.Bloodaxe at gold.ac.uk (Erik Bloodaxe)
Date: Tue Oct 28 13:07:16 2008
Subject: MailScanner not detecting Trog/Agent-IBF - assistance needed.
In-Reply-To: <490704F2.6030207@gold.ac.uk>
References: <490704F2.6030207@gold.ac.uk>
Message-ID: <49070E65.7060007@gold.ac.uk>

Erik Bloodaxe wrote:
> Can anyone assist with a problem with my MailScanner/Sophos set up:
>
> E-mails with a zip file are getting through mail scanner with zip files
> containing Trog-Agent-IBF. The Sophos on the mail system will detect
> that a zip file is infected with Trog/Agent-IBF. Other viruses are being
> detected and removed by MailScanner and sophos.
>
> Debugging only says that
>
> In Debugging mode, not forking...
> Queues are "/home/exim/spool/port.26/input"
> Ignore errors about failing to find EOCD signature
> format error: can't find EOCD signature
> at /opt/MailScanner/bin/MailScanner line 820
> format error: can't find EOCD signature
> at /opt/MailScanner/bin/MailScanner line 820
> Stopping now as you are debugging me.
>
> The messages are moved from the incoming queue to the outgoing one,
> but, the virus infected zip file is still there and there are no
> mailscanner headers added.
>
> Can anyone assist?
>
> Erik
>

To correct myself: Mail Scanner headers are being added, but these are showing the infected message to be clean.

The syslog output is as follows:

Oct 28 12:58:02 Scanner-host1 MailScanner[18068]: MailScanner E-Mail Virus Scanner version 4.57.6 starting...
Oct 28 12:58:02 Scanner-host1 MailScanner[18068]: Read 853 hostnames from the phishing whitelist
Oct 28 12:58:02 Scanner-host1 MailScanner[18068]: WARNING: You are trying to use the SpamAssassin cache but your DBI and/or DBD::SQLite Perl modules are not properly installed!
Oct 28 12:58:02 Scanner-host1 MailScanner[18068]: lock.pl sees Config LockType = posix
Oct 28 12:58:02 Scanner-host1 MailScanner[18068]: lock.pl sees have_module = 0
Oct 28 12:58:02 Scanner-host1 MailScanner[18068]: Using locktype = posix
Oct 28 12:58:02 Scanner-host1 MailScanner[18068]: Creating hardcoded struct_flock subroutine for linux (Linux-type)
Oct 28 12:58:02 Scanner-host1 MailScanner[18068]: New Batch: Scanning 1 messages, 93315 bytes
Oct 28 12:58:02 Scanner-host1 MailScanner[18068]: Created attachment dirs for 1 messages
Oct 28 12:58:02 Scanner-host1 MailScanner[18068]: RBL Checks: returned 256
Oct 28 12:58:03 Scanner-host1 MailScanner[18068]: SpamAssassin returned 0
Oct 28 12:58:03 Scanner-host1 MailScanner[18068]: Spam Checks: Found 1 spam messages
Oct 28 12:58:03 Scanner-host1 MailScanner[18068]: Spam Checks completed at 269166 bytes per second
Oct 28 12:58:03 Scanner-host1 MailScanner[18068]: Virus and Content Scanning: Starting
Oct 28 12:58:03 Scanner-host1 MailScanner[18068]: Commencing scanning by sophos...
Oct 28 12:58:06 Scanner-host1 MailScanner[18068]: Completed scanning by sophos
Oct 28 12:58:06 Scanner-host1 MailScanner[18068]: Virus Scanning completed at 31236 bytes per second
Oct 28 12:58:06 Scanner-host1 MailScanner[18068]: About to deliver 1 messages
Oct 28 12:58:06 Scanner-host1 MailScanner[18068]: Uninfected: Delivered 1 messages
Oct 28 12:58:06 Scanner-host1 MailScanner[18068]: Batch completed at 27899 bytes per second (93315 / 3)
Oct 28 12:58:06 Scanner-host1 MailScanner[18068]: Batch (1 message) processed in 3.34 seconds
Oct 28 12:58:06 Scanner-host1 MailScanner[18068]: MailScanner child dying of old age

and the versions are:

Running on
Linux neptune.gold.ac.uk 2.6.18-8.1.10.el5 #1 SMP Thu Aug 30 20:43:28 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux
This is Red Hat Enterprise Linux Server release 5 (Tikanga)
This is Perl version 5.008008 (5.8.8)

This is MailScanner version 4.57.6
Module versions are:
1.00 AnyDBM_File
1.23 Archive::Zip
1.04 Carp
1.119 Convert::BinHex
1.00 DirHandle
1.05 Fcntl
2.74 File::Basename
2.09 File::Copy
2.01 FileHandle
1.08 File::Path
0.19 File::Temp
0.92 Filesys::Df
1.35 HTML::Entities
3.55 HTML::Parser
2.37 HTML::TokeParser
1.22 IO
1.13 IO::File
1.13 IO::Pipe
1.77 Mail::Header
3.07 MIME::Base64
5.425 MIME::Decoder
5.425 MIME::Decoder::UU
5.425 MIME::Head
5.425 MIME::Parser
3.07 MIME::QuotedPrint
5.425 MIME::Tools
0.11 Net::CIDR
1.09 POSIX
1.78 Socket
1.4 Sys::Hostname::Long
0.13 Sys::Syslog
1.86 Time::HiRes
1.02 Time::localtime

Optional module versions are:
0.17 Convert::TNEF
1.814 DB_File
missing DBD::SQLite
1.52 DBI
1.14 Digest
1.01 Digest::HMAC
2.36 Digest::MD5
2.11 Digest::SHA1
missing Inline
missing Mail::ClamAV
3.001009 Mail::SpamAssassin
missing Mail::SPF::Query
missing Net::CIDR::Lite
1.25 Net::IP
0.59 Net::DNS
missing Net::LDAP
missing Parse::RecDescent
missing SAVI
2.56 Test::Harness
0.62 Test::Simple
1.95 Text::Balanced
1.35 URI

Any help appreciated.

Erik

From campbell at cnpapers.com Tue Oct 28 13:29:20 2008 
From: campbell at cnpapers.com (Steve Campbell) Date: Tue Oct 28 13:29:50 2008 Subject: OT - GreetPause question Message-ID: <490713B0.5090102@cnpapers.com> Done a little googling, but didn't see a specific answer. Don't belong to the sendmail mail list, but probably should join - I belong to too many already. It's OT so I'll listen to whatever comes my way. I use GreetPause. I have a default time set at 5000 in my sendmail.mc(cf) for 5 seconds. I have my own servers set at 0 so that there is no delay invoked. I have found where I can put different delays other than zero for certain IPs to override the default in the sendmail.cf, but I don't see it working (or maybe the spammers are really following the rules and wait). The override feature of GreetPause may only be valid in 8.14 sendmail for values other than 0. So that is my question - is it valid to put something like "GreetPause:xx.yy.zz 20000" in my access file, remake the access.db in sendmail 8.13? It doesn't give a warning when I remake it, but I see no pre-greeting messages for the inserted values in my logs. Thanks for any help. I'll continue looking elsewhere as I'm sure I've just overlooked it. Steve Campbell From jaearick at colby.edu Tue Oct 28 13:37:08 2008 From: jaearick at colby.edu (Jeff A. Earickson) Date: Tue Oct 28 13:37:25 2008 Subject: OT - GreetPause question In-Reply-To: <490713B0.5090102@cnpapers.com> References: <490713B0.5090102@cnpapers.com> Message-ID: On Tue, 28 Oct 2008, Steve Campbell wrote: > Date: Tue, 28 Oct 2008 09:29:20 -0400 
> From: Steve Campbell
> Reply-To: MailScanner discussion
> To: mailscanner@lists.mailscanner.info
> Subject: OT - GreetPause question
>
> Done a little googling, but didn't see a specific answer. Don't belong to the
> sendmail mail list, but probably should join - I belong to too many already.
>
> It's OT so I'll listen to whatever comes my way.
>
> I use GreetPause. I have a default time set at 5000 in my sendmail.mc(cf) for
> 5 seconds. I have my own servers set at 0 so that there is no delay invoked.
> I have found where I can put different delays other than zero for certain IPs
> to override the default in the sendmail.cf, but I don't see it working (or
> maybe the spammers are really following the rules and wait). The override
> feature of GreetPause may only be valid in 8.14 sendmail for values other
> than 0.
>
> So that is my question - is it valid to put something like
> "GreetPause:xx.yy.zz 20000" in my access file, remake the access.db in
> sendmail 8.13? It doesn't give a warning when I remake it, but I see no
> pre-greeting messages for the inserted values in my logs.
>

Steve,

Yes, you can do something like:

GreetPause:206.46.170    5000

in your access file, remake access.db, and have it work. In the example above, this is Verizon. They won't tolerate delays beyond 5 seconds, which is shorter than my 7 or 8 sec delay, so I had to make adjustments for them. FWIW, greetpause doesn't do much anymore. Spammers with spambots will just wait you out.

Jeff Earickson
Colby College

From bpirie at rma.edu Tue Oct 28 13:41:07 2008 
From: bpirie at rma.edu (Brendan Pirie)
Date: Tue Oct 28 13:40:02 2008
Subject: OT - GreetPause question
In-Reply-To: <490713B0.5090102@cnpapers.com>
References: <490713B0.5090102@cnpapers.com>
Message-ID: <49071673.6030801@rma.edu>

Steve,

I haven't used this feature in the access.db myself, but the sendmail documentation for 8.13.8 includes examples of this:

If FEATURE(`access_db') is enabled, an access database lookup with the GreetPause tag is done using client hostname, domain, IP address, or subnet to determine the pause time:

GreetPause:my.domain 0
GreetPause:example.com 5000
GreetPause:10.1.2 2000
GreetPause:127.0.0.1 0

which strongly suggest what you're doing "should" work.

HTH,
Brendan

Steve Campbell wrote:
> Done a little googling, but didn't see a specific answer. Don't belong
> to the sendmail mail list, but probably should join - I belong to too
> many already.
>
> It's OT so I'll listen to whatever comes my way.
>
> I use GreetPause. I have a default time set at 5000 in my
> sendmail.mc(cf) for 5 seconds. I have my own servers set at 0 so that
> there is no delay invoked. I have found where I can put different
> delays other than zero for certain IPs to override the default in the
> sendmail.cf, but I don't see it working (or maybe the spammers are
> really following the rules and wait). The override feature of
> GreetPause may only be valid in 8.14 sendmail for values other than 0.
>
> So that is my question - is it valid to put something like
> "GreetPause:xx.yy.zz 20000" in my access file, remake the access.db
> in sendmail 8.13? It doesn't give a warning when I remake it, but I
> see no pre-greeting messages for the inserted values in my logs.
>
> Thanks for any help. I'll continue looking elsewhere as I'm sure I've
> just overlooked it.
>
> Steve Campbell
>

From uxbod at splatnix.net Tue Oct 28 13:40:33 2008 
From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Tue Oct 28 13:40:50 2008 Subject: New service - the Team Cymru Malware Hash Registry! In-Reply-To: <49070C31.9040905@fsl.com> Message-ID: <4390784.2071225201233443.JavaMail.root@office.splatnix.net> Very cool :D Will roll it into my home server later to give it a try. Regards, -- --[ UxBoD ]-- ----- "Steve Freegard" wrote: > Try the attached - I've changed the timeout information: > > > > INFO::ERROR::Timed out after 30 seconds (113 remaining sockets waiting > > after 1 checks) > > > > I've not had it time out on me at all - to get the above output I had > to > > add a sleep(10) after each result. > > > > Make sure you have a newish version of Net::DNS - I'm also running a > > local caching-nameserver. > > > > Regards, > > Steve. From campbell at cnpapers.com Tue Oct 28 13:46:27 2008 From: campbell at cnpapers.com (Steve Campbell) Date: Tue Oct 28 13:46:39 2008 Subject: OT - GreetPause question In-Reply-To: References: <490713B0.5090102@cnpapers.com> Message-ID: <490717B3.6000004@cnpapers.com> Jeff A. Earickson wrote: > On Tue, 28 Oct 2008, Steve Campbell wrote: > >> Date: Tue, 28 Oct 2008 09:29:20 -0400 
>> From: Steve Campbell
>> Reply-To: MailScanner discussion
>> To: mailscanner@lists.mailscanner.info
>> Subject: OT - GreetPause question
>>
>> Done a little googling, but didn't see a specific answer. Don't
>> belong to the sendmail mail list, but probably should join - I belong
>> to too many already.
>>
>> It's OT so I'll listen to whatever comes my way.
>>
>> I use GreetPause. I have a default time set at 5000 in my
>> sendmail.mc(cf) for 5 seconds. I have my own servers set at 0 so that
>> there is no delay invoked. I have found where I can put different
>> delays other than zero for certain IPs to override the default in the
>> sendmail.cf, but I don't see it working (or maybe the spammers are
>> really following the rules and wait). The override feature of
>> GreetPause may only be valid in 8.14 sendmail for values other than 0.
>>
>> So that is my question - is it valid to put something like
>> "GreetPause:xx.yy.zz 20000" in my access file, remake the
>> access.db in sendmail 8.13? It doesn't give a warning when I remake
>> it, but I see no pre-greeting messages for the inserted values in my
>> logs.
>>
>
> Steve,
>
> Yes, you can do something like:
>
> GreetPause:206.46.170    5000
>
> in your access file, remake access.db, and have it work. In the example
> above, this is Verizon. They won't tolerate delays beyond 5 seconds,
> which is shorter than my 7 or 8 sec delay, so I had to make adjustments
> for them. FWIW, greetpause doesn't do much anymore. Spammers with
> spambots will just wait you out.
>
> Jeff Earickson
> Colby College

Jeff,

Thanks very much. I typically REJECT a spammer, but when a block of IPs
start showing up, I GreetPause them with a higher number. Once I know
the entire Class C is bad, I REJECT that and remove the GreetPause along
with the individual IP REJECTions. I'm not sure I was doing any good
with the GreetPauses, but you seem to be correct when you say they wait
me out, which would explain it.

Steve

From martinh at solidstatelogic.com Tue Oct 28 15:01:37 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Tue Oct 28 15:01:52 2008
Subject: New service - the Team Cymru Malware Hash Registry!
In-Reply-To: <49070C31.9040905@fsl.com>
Message-ID: <26288e05e1124c419352758edc9b9cf3@solidstatelogic.com>

Steve

Running here against latest beta (with freeBSD v.old and exim).

So far so good - no hits yet so hard to say, but performance could be an
issue for people, I've noticed a marked slow down in overall scanning
times even with the caching DNS etc

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Steve Freegard
> Sent: 28 October 2008 12:57
> To: MailScanner discussion
> Subject: Re: New service - the Team Cymru Malware Hash Registry!
>
> --[ UxBoD ]-- wrote:
> > Superb Steve! Looks like its being heavily used already ;)
> >
> > # ./generic-wrapper /usr/local/bin .
> > INFO::ERROR::Timed out after 30 seconds
> >
>
> Try the attached - I've changed the timeout information:
>
> INFO::ERROR::Timed out after 30 seconds (113 remaining
> sockets waiting after 1 checks)
>
> I've not had it time out on me at all - to get the above
> output I had to add a sleep(10) after each result.
>
> Make sure you have a newish version of Net::DNS - I'm also
> running a local caching-nameserver.
>
> Regards,
> Steve.
>

**********************************************************************
Confidentiality : This e-mail and any attachments are intended for the
addressee only and may be confidential. If they come to you in error you
must take no action based on them, nor must you copy or show them to
anyone. Please advise the sender by replying to this e-mail immediately
and then delete the original from your computer.
Opinion : Any opinions expressed in this e-mail are entirely those of
the author and unless specifically stated to the contrary, are not
necessarily those of the author's employer.
Security Warning : Internet e-mail is not necessarily a secure
communications medium and can be subject to data corruption. We advise
that you consider this fact when e-mailing us.
Viruses : We have taken steps to ensure that this e-mail and any
attachments are free from known viruses but in keeping with good
computing practice, you should ensure that they are virus free.
Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales
(Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU,
United Kingdom
**********************************************************************

From uxbod at splatnix.net Tue Oct 28 15:11:33 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Tue Oct 28 15:11:52 2008
Subject: New service - the Team Cymru Malware Hash Registry!
In-Reply-To: <26288e05e1124c419352758edc9b9cf3@solidstatelogic.com>
Message-ID: <23552790.2271225206693016.JavaMail.root@office.splatnix.net>

Hmmm ... Does it scan the entire message or just if it has an attachment ?

Regards,

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749

----- "Martin.Hepworth" wrote:
> Steve
>
> Running here against latest beta (with freeBSD v.old and exim).
>
> So far so good - no hits yet so hard to say, but performance could be
> an issue for people, I've noticed a marked slow down in overall
> scanning times even with the caching DNS etc

From ms-list at alexb.ch Tue Oct 28 15:13:29 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Tue Oct 28 15:13:33 2008
Subject: New service - the Team Cymru Malware Hash Registry!
In-Reply-To: <26288e05e1124c419352758edc9b9cf3@solidstatelogic.com>
References: <26288e05e1124c419352758edc9b9cf3@solidstatelogic.com>
Message-ID: <49072C19.8030708@alexb.ch>

On 10/28/2008 4:01 PM, Martin.Hepworth wrote:
> Steve
>
> Running here against latest beta (with freeBSD v.old and exim).
>
> So far so good - no hits yet so hard to say, but performance could be an issue for people, I've noticed a marked slow down in overall scanning times even with the caching DNS etc
>

note for those more than X queries/sec:

"If a given hash does not exist in our registry, the daemon will return
a standard NXDOMAIN response (domain does not exist). If you have been
rate limited, you will not receive any response and your packet will be
dropped.

From campbell at cnpapers.com Tue Oct 28 15:54:48 2008
From: campbell at cnpapers.com (Steve Campbell)
Date: Tue Oct 28 15:55:04 2008
Subject: OT - GreetPause question
In-Reply-To: <49071673.6030801@rma.edu>
References: <490713B0.5090102@cnpapers.com> <49071673.6030801@rma.edu>
Message-ID: <490735C8.5040408@cnpapers.com>

Thanks Brendan,

I didn't think to look at the on-server docs.

Steve

Brendan Pirie wrote:
> Steve,
>
> I haven't used this feature in the access.db myself, but the sendmail
> documentation for 8.13.8 includes examples of this:
>
>     If FEATURE(`access_db') is enabled, an access database
>     lookup with the GreetPause tag is done using client
>     hostname, domain, IP address, or subnet to determine the
>     pause time:
>
>     GreetPause:my.domain    0
>     GreetPause:example.com  5000
>     GreetPause:10.1.2       2000
>     GreetPause:127.0.0.1    0
>
> which strongly suggest what you're doing "should" work.
>
> HTH,
>
> Brendan
>
>
> Steve Campbell wrote:
>> Done a little googling, but didn't see a specific answer. Don't
>> belong to the sendmail mail list, but probably should join - I belong
>> to too many already.
>>
>> It's OT so I'll listen to whatever comes my way.
>>
>> I use GreetPause. I have a default time set at 5000 in my
>> sendmail.mc(cf) for 5 seconds. I have my own servers set at 0 so that
>> there is no delay invoked. I have found where I can put different
>> delays other than zero for certain IPs to override the default in the
>> sendmail.cf, but I don't see it working (or maybe the spammers are
>> really following the rules and wait). The override feature of
>> GreetPause may only be valid in 8.14 sendmail for values other than 0.
>>
>> So that is my question - is it valid to put something like
>> "GreetPause:xx.yy.zz 20000" in my access file, remake the
>> access.db in sendmail 8.13? It doesn't give a warning when I remake
>> it, but I see no pre-greeting messages for the inserted values in my
>> logs.
>>
>> Thanks for any help. I'll continue looking elsewhere as I'm sure I've
>> just overlooked it.
>>
>> Steve Campbell
>>

From steve.freegard at fsl.com Tue Oct 28 16:10:52 2008
From: steve.freegard at fsl.com (Steve Freegard)
Date: Tue Oct 28 16:11:02 2008
Subject: New service - the Team Cymru Malware Hash Registry!
In-Reply-To: <23552790.2271225206693016.JavaMail.root@office.splatnix.net>
References: <26288e05e1124c419352758edc9b9cf3@solidstatelogic.com> <23552790.2271225206693016.JavaMail.root@office.splatnix.net>
Message-ID: <4907398C.80600@fsl.com>

--[ UxBoD ]-- wrote:
> Hmmm ... Does it scan the entire message or just if it has an attachment ?

It's using the generic virus scanner interface - so it will see the
msg-nnnnn-n.txt and msg-nnnnnn-n.html files which relate to the
text/plain and text/html parts of the message as exploded by the MIME
parser which is the same as all the other virus scanners, so it will
hash these and do a look-up for these as well.

I've just added a new attachments_only variable that is default on along
with a bit more logging. It's attached ;-)

Cheers,
Steve.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: generic_hash_scanner.pl
Type: application/x-perl
Size: 3138 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081028/5962b8a3/generic_hash_scanner.bin

From uxbod at splatnix.net Tue Oct 28 16:18:29 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Tue Oct 28 16:18:49 2008
Subject: New service - the Team Cymru Malware Hash Registry!
In-Reply-To: <4907398C.80600@fsl.com>
Message-ID: <28606454.2461225210709735.JavaMail.root@office.splatnix.net>

Just too good Steve ;)

Regards,

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749

----- "Steve Freegard" wrote:
> It's using the generic virus scanner interface - so it will see the
> msg-nnnnn-n.txt and msg-nnnnnn-n.html files which relate to the
> text/plain and text/html parts of the message as exploded by the MIME
> parser which is the same as all the other virus scanners, so it will
> hash these and do a look-up for these as well.
>
> I've just added a new attachments_only variable that is default on along
> with a bit more logging. It's attached ;-)
>
> Cheers,
> Steve.

From steve.freegard at fsl.com Tue Oct 28 16:22:35 2008
From: steve.freegard at fsl.com (Steve Freegard)
Date: Tue Oct 28 16:22:47 2008
Subject: New service - the Team Cymru Malware Hash Registry!
In-Reply-To: <26288e05e1124c419352758edc9b9cf3@solidstatelogic.com>
References: <49070C31.9040905@fsl.com> <26288e05e1124c419352758edc9b9cf3@solidstatelogic.com>
Message-ID: <49073C4B.5080206@fsl.com>

Hi Martin,

Martin.Hepworth wrote:
> Running here against latest beta (with freeBSD v.old and exim).
>
> So far so good - no hits yet so hard to say, but performance could be an issue for people, I've noticed a marked slow down in overall scanning times even with the caching DNS etc
>

It would seem that it's international bandwidth that is the issue.

I wrote and tested the scanner this morning on one of the FSL test boxes
which is in Washington DC on a 10Mb Comcast cable line and have yet to
see a timeout.

However - just tried this on my laptop:

smf@laptop-smf:~$ ./generic_hash_scanner.pl *.pl
CLEAN::File::./clear_queue_orphans.pl
INFO::ERROR::Timed out after 30 seconds (4 remaining sockets waiting after 29 checks)

smf@laptop-smf:~$ host -t NS hash.cymru.com
hash.cymru.com name server ns1.hash.cymru.com.
hash.cymru.com name server ns2.hash.cymru.com.

smf@laptop-smf:~$ host ns1.hash.cymru.com
ns1.hash.cymru.com has address 216.90.108.33

smf@laptop-smf:~$ host ns2.hash.cymru.com
ns2.hash.cymru.com has address 216.90.108.34

smf@laptop-smf:~$ host -t TXT 34.108.90.216.asn.routeviews.org
34.108.90.216.asn.routeviews.org descriptive text "23028" "216.90.108.0" "24"

smf@laptop-smf:~$ host -t TXT 34.108.90.216.countries.blackholes.us
34.108.90.216.countries.blackholes.us descriptive text "us"

Looks to me like they could do with some extra mirrors particularly in
Europe as my RTT from Zen Internet in the UK is > 150ms

Cheers,
Steve

From ms-list at alexb.ch Tue Oct 28 16:30:24 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Tue Oct 28 16:30:22 2008
Subject: New service - the Team Cymru Malware Hash Registry!
In-Reply-To: <28606454.2461225210709735.JavaMail.root@office.splatnix.net>
References: <28606454.2461225210709735.JavaMail.root@office.splatnix.net>
Message-ID: <49073E20.9070905@alexb.ch>

On 10/28/2008 5:18 PM, --[ UxBoD ]-- wrote:
> Just too good Steve ;)

latest trojan downloader detected via homebrew sigs is in "Instruction.zip"

is cymru seeing it already

From martinh at solidstatelogic.com Tue Oct 28 16:32:57 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Tue Oct 28 16:33:11 2008
Subject: New service - the Team Cymru Malware Hash Registry!
In-Reply-To: <49073C4B.5080206@fsl.com>
Message-ID:

Could well be...my DNS forwarder is a well known company in Carlow, as
my normal ISP (based in Texas) DNS server can be poor as the latency
hits us bad (Oxford,UK to Dallas). Not seen any timeouts myself, just
seems noticeably (but only just) slower than before. I'll keep my eye on
this.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Steve Freegard
> Sent: 28 October 2008 16:23
> To: MailScanner discussion
> Subject: Re: New service - the Team Cymru Malware Hash Registry!
>
> Hi Martin,
>
> Martin.Hepworth wrote:
> > Running here against latest beta (with freeBSD v.old and exim).
> >
> > So far so good - no hits yet so hard to say, but performance could be
> > an issue for people, I've noticed a marked slow down in overall
> > scanning times even with the caching DNS etc
> >
>
> It would seem that it's international bandwidth that is the issue.
>
> I wrote and tested the scanner this morning on one of the FSL
> test boxes which is in Washington DC on a 10Mb Comcast cable
> line and have yet to see a timeout.
>
> However - just tried this on my laptop:
>
> smf@laptop-smf:~$ ./generic_hash_scanner.pl *.pl
> CLEAN::File::./clear_queue_orphans.pl
> INFO::ERROR::Timed out after 30 seconds (4 remaining sockets
> waiting after 29 checks)
>
> smf@laptop-smf:~$ host -t NS hash.cymru.com
> hash.cymru.com name server ns1.hash.cymru.com.
> hash.cymru.com name server ns2.hash.cymru.com.
>
> smf@laptop-smf:~$ host ns1.hash.cymru.com
> ns1.hash.cymru.com has address 216.90.108.33
>
> smf@laptop-smf:~$ host ns2.hash.cymru.com
> ns2.hash.cymru.com has address 216.90.108.34
>
> smf@laptop-smf:~$ host -t TXT 34.108.90.216.asn.routeviews.org
> 34.108.90.216.asn.routeviews.org descriptive text "23028" "216.90.108.0" "24"
>
> smf@laptop-smf:~$ host -t TXT 34.108.90.216.countries.blackholes.us
> 34.108.90.216.countries.blackholes.us descriptive text "us"
>
> Looks to me like they could do with some extra mirrors
> particularly in Europe as my RTT from Zen Internet in the UK
> is > 150ms
>
> Cheers,
> Steve

From uxbod at splatnix.net Tue Oct 28 16:48:28 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Tue Oct 28 16:48:45 2008
Subject: New service - the Team Cymru Malware Hash Registry!
In-Reply-To:
Message-ID: <18421505.2491225212508198.JavaMail.root@office.splatnix.net>

If the result comes back positive to Malware could it be written to a
local hash table ? Then when the scanner queries it looks at that first.
I would imagine that most of the time it is going to be the usual
culprits so why keep querying upstream ?

Regards,

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749

----- "Martin.Hepworth" wrote:
> Could well be...my DNS forwarder is a well known company in Carlow, as
> my normal ISP (based in Texas) DNS server can be poor as the latency
> hits us bad (Oxford,UK to Dallas). Not seen any timeouts myself, just
> seems noticeably (but only just) slower than before. I'll keep my eye
> on this.

From ms-list at alexb.ch Tue Oct 28 16:55:44 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Tue Oct 28 16:55:43 2008
Subject: New service - the Team Cymru Malware Hash Registry!
In-Reply-To: <18421505.2491225212508198.JavaMail.root@office.splatnix.net>
References: <18421505.2491225212508198.JavaMail.root@office.splatnix.net>
Message-ID: <49074410.1020504@alexb.ch>

On 10/28/2008 5:48 PM, --[ UxBoD ]-- wrote:
> If the result comes back positive to Malware could it be written to a
> local hash table ? Then when the scanner queries it looks at that
> first. I would imagine that most of the time it is going to be the
> usual culprits so why keep querying upstream ?

Doesn't local DNS cache work for you?
seems cheaper to read DNS cache (in memory) than to write/read from
local file/DB , or am I missing something?

From steve.freegard at fsl.com Tue Oct 28 17:08:50 2008
From: steve.freegard at fsl.com (Steve Freegard)
Date: Tue Oct 28 17:08:59 2008
Subject: New service - the Team Cymru Malware Hash Registry!
In-Reply-To: <49073E20.9070905@alexb.ch>
References: <28606454.2461225210709735.JavaMail.root@office.splatnix.net> <49073E20.9070905@alexb.ch>
Message-ID: <49074722.2010905@fsl.com>

Alex Broens wrote:
> On 10/28/2008 5:18 PM, --[ UxBoD ]-- wrote:
>> Just too good Steve ;)
>
> latest trojan downloader detected via homebrew sigs is in "Instruction.zip"
>
> is cymru seeing it already

Dunno - why don't you test it for yourself:

smf@laptop-smf:~$ host 69630e4574ec6798239b091cda43dca0.malware.hash.cymru.com
69630e4574ec6798239b091cda43dca0.malware.hash.cymru.com has address 127.0.0.2

Regards,
Steve.

From ms-list at alexb.ch Tue Oct 28 17:16:03 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Tue Oct 28 17:16:01 2008
Subject: New service - the Team Cymru Malware Hash Registry!
In-Reply-To: <49074722.2010905@fsl.com>
References: <28606454.2461225210709735.JavaMail.root@office.splatnix.net> <49073E20.9070905@alexb.ch> <49074722.2010905@fsl.com>
Message-ID: <490748D3.5050408@alexb.ch>

On 10/28/2008 6:08 PM, Steve Freegard wrote:
> Alex Broens wrote:
>> On 10/28/2008 5:18 PM, --[ UxBoD ]-- wrote:
>>> Just too good Steve ;)
>>
>> latest trojan downloader detected via homebrew sigs is in
>> "Instruction.zip"
>>
>> is cymru seeing it already
>
> Dunno - why don't you test it for yourself:
>
> smf@laptop-smf:~$ host
> 69630e4574ec6798239b091cda43dca0.malware.hash.cymru.com
> 69630e4574ec6798239b091cda43dca0.malware.hash.cymru.com has address
> 127.0.0.2

I don't have the sample file anymore.. :-)
(was too fast doing cleanup)

the hashes differ..

From steve.freegard at fsl.com Tue Oct 28 17:19:48 2008
From: steve.freegard at fsl.com (Steve Freegard)
Date: Tue Oct 28 17:20:14 2008
Subject: New service - the Team Cymru Malware Hash Registry!
In-Reply-To: <490748D3.5050408@alexb.ch>
References: <28606454.2461225210709735.JavaMail.root@office.splatnix.net> <49073E20.9070905@alexb.ch> <49074722.2010905@fsl.com> <490748D3.5050408@alexb.ch>
Message-ID: <490749B4.3030807@fsl.com>

Alex Broens wrote:
> On 10/28/2008 6:08 PM, Steve Freegard wrote:
>> Alex Broens wrote:
>>> On 10/28/2008 5:18 PM, --[ UxBoD ]-- wrote:
>>>> Just too good Steve ;)
>>>
>>> latest trojan downloader detected via homebrew sigs is in
>>> "Instruction.zip"
>>>
>>> is cymru seeing it already
>>
>> Dunno - why don't you test it for yourself:
>>
>> smf@laptop-smf:~$ host
>> 69630e4574ec6798239b091cda43dca0.malware.hash.cymru.com
>> 69630e4574ec6798239b091cda43dca0.malware.hash.cymru.com has address
>> 127.0.0.2
>
> I don't have the sample file anymore.. :-)
> (was too fast doing cleanup)
>
> the hashes differ..

That's the hash of Eicar - that's why...

From ms-list at alexb.ch Tue Oct 28 17:20:32 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Tue Oct 28 17:20:31 2008
Subject: New service - the Team Cymru Malware Hash Registry!
In-Reply-To: <49074722.2010905@fsl.com>
References: <28606454.2461225210709735.JavaMail.root@office.splatnix.net> <49073E20.9070905@alexb.ch> <49074722.2010905@fsl.com>
Message-ID: <490749E0.2000100@alexb.ch>

On 10/28/2008 6:08 PM, Steve Freegard wrote:
> Alex Broens wrote:
>> On 10/28/2008 5:18 PM, --[ UxBoD ]-- wrote:
>>> Just too good Steve ;)
>>
>> latest trojan downloader detected via homebrew sigs is in
>> "Instruction.zip"
>>
>> is cymru seeing it already
>
> Dunno - why don't you test it for yourself:
>
> smf@laptop-smf:~$ host
> 69630e4574ec6798239b091cda43dca0.malware.hash.cymru.com
> 69630e4574ec6798239b091cda43dca0.malware.hash.cymru.com has address
> 127.0.0.2

just added:

[axb@inet4 virus]# md5sum Instruction.zip
e4f2502c0b75ba64cd5559a6033c2f88 Instruction.zip

[axb@inet4 virus]# host e4f2502c0b75ba64cd5559a6033c2f88.malware.hash.cymru.com
Host e4f2502c0b75ba64cd5559a6033c2f88.malware.hash.cymru.com not found: 3(NXDOMAIN)

From martinh at solidstatelogic.com Tue Oct 28 17:31:25 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Tue Oct 28 17:31:37 2008
Subject: New service - the Team Cymru Malware Hash Registry!
In-Reply-To: <490749E0.2000100@alexb.ch>
Message-ID: <19fc595338e7654b9e9c4b3552f52edc@solidstatelogic.com>

Alex

In the FAQ at https://www.team-cymru.org/Services/MHR/ number 8 says..

How up-to-date is your registry?

The malware hash registry is reloaded once per day. Please note that we
try to avoid including too much polymorphic malware when possible.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Alex Broens
> Sent: 28 October 2008 17:21
> To: MailScanner discussion
> Subject: Re: New service - the Team Cymru Malware Hash Registry!
>
> On 10/28/2008 6:08 PM, Steve Freegard wrote:
> > Alex Broens wrote:
> >> On 10/28/2008 5:18 PM, --[ UxBoD ]-- wrote:
> >>> Just too good Steve ;)
> >>
> >> latest trojan downloader detected via homebrew sigs is in
> >> "Instruction.zip"
> >>
> >> is cymru seeing it already
> >
> > Dunno - why don't you test it for yourself:
> >
> > smf@laptop-smf:~$ host
> > 69630e4574ec6798239b091cda43dca0.malware.hash.cymru.com
> > 69630e4574ec6798239b091cda43dca0.malware.hash.cymru.com has address
> > 127.0.0.2
>
> just added:
>
> [axb@inet4 virus]# md5sum Instruction.zip
> e4f2502c0b75ba64cd5559a6033c2f88 Instruction.zip
>
> [axb@inet4 virus]# host
> e4f2502c0b75ba64cd5559a6033c2f88.malware.hash.cymru.com
> Host e4f2502c0b75ba64cd5559a6033c2f88.malware.hash.cymru.com
> not found:
> 3(NXDOMAIN)

From ms-list at alexb.ch Tue Oct 28 17:46:32 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Tue Oct 28 17:46:31 2008
Subject: New service - the Team Cymru Malware Hash Registry!
In-Reply-To: <19fc595338e7654b9e9c4b3552f52edc@solidstatelogic.com>
References: <19fc595338e7654b9e9c4b3552f52edc@solidstatelogic.com>
Message-ID: <49074FF8.1010707@alexb.ch>

On 10/28/2008 6:31 PM, Martin.Hepworth wrote:
> Alex
>
> In the FAQ at https://www.team-cymru.org/Services/MHR/ number 8
> says..
>
> How up-to-date is your registry?
>
> The malware hash registry is reloaded once per day. Please note that
> we try to avoid including too much polymorphic malware when possible.
>

Doh...

so what is left against new outbreaks?

good old commercial AV with more or less fast reaction and generic sigs?
homebrew sigtool --md5?

any other ideas?

From uxbod at splatnix.net Tue Oct 28 20:21:15 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Tue Oct 28 20:21:31 2008
Subject: New service - the Team Cymru Malware Hash Registry!
In-Reply-To: <49074FF8.1010707@alexb.ch>
Message-ID: <21726638.2711225225275345.JavaMail.root@office.splatnix.net>

don't they all add to a decent defense ? end of day how many AV scanners
do people run and how quick can people adapt with home rolled sigs ?

Regards,

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749

----- "Alex Broens" wrote:
> Doh...
>
> so what is left against new outbreaks?
>
> good old commercial AV with more or less fast reaction and generic sigs?
> homebrew sigtool --md5?
>
> any other ideas?

From uxbod at splatnix.net Tue Oct 28 20:22:21 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Tue Oct 28 20:22:37 2008
Subject: New service - the Team Cymru Malware Hash Registry!
In-Reply-To: <49074410.1020504@alexb.ch>
Message-ID: <16055869.2741225225341985.JavaMail.root@office.splatnix.net>

Hmmmm ... won't things get expired though Alex if they have not been
looked up in a while ? surely hashes will remain the same dependent on
the construct of the file ?

Regards,

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749

----- "Alex Broens" wrote:
> Doesn't local DNS cache work for you?
> seems cheaper to read DNS cache (in memory) than to write/read from
> local file/DB , or am I missing something?

From steve.freegard at fsl.com Tue Oct 28 21:37:40 2008
From: steve.freegard at fsl.com (Steve Freegard)
Date: Tue Oct 28 21:37:51 2008
Subject: New service - the Team Cymru Malware Hash Registry!
In-Reply-To: <16055869.2741225225341985.JavaMail.root@office.splatnix.net>
References: <49074410.1020504@alexb.ch> <16055869.2741225225341985.JavaMail.root@office.splatnix.net>
Message-ID: <49078624.4000209@fsl.com>

--[ UxBoD ]-- wrote:
> Hmmmm ... won't things get expired though Alex if they have not been looked up in a while ? surely hashes will remain the same dependent on the construct of the file ?

;; ANSWER SECTION:
69630e4574ec6798239b091cda43dca0.malware.hash.cymru.com. 86400 IN TXT "1207251065 89"
69630e4574ec6798239b091cda43dca0.malware.hash.cymru.com. 86400 IN A 127.0.0.2

Cached for 24 hours unless your nameserver cache needs the slots for
something else. Should be ample for most people.

Cheers,
Steve.

From uxbod at splatnix.net Tue Oct 28 21:53:50 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Tue Oct 28 21:54:06 2008
Subject: New service - the Team Cymru Malware Hash Registry!
In-Reply-To: <49078624.4000209@fsl.com>
Message-ID: <27598027.2811225230830622.JavaMail.root@office.splatnix.net>

Steve, understood, but if a local persistent cache was generated then
the number of upstream look ups for the same hash would reduce ? would
this not also reduce the load on the upstream servers ? sorry if I am
being stupid but it kinda makes sense to me :( isn't that what AV sigs
are for ?

Regards,

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749

----- "Steve Freegard" wrote:
> ;; ANSWER SECTION:
> 69630e4574ec6798239b091cda43dca0.malware.hash.cymru.com. 86400 IN TXT
> "1207251065 89"
> 69630e4574ec6798239b091cda43dca0.malware.hash.cymru.com. 86400 IN A
> 127.0.0.2
>
> Cached for 24 hours unless your nameserver cache needs the slots for
> something else. Should be ample for most people.
>
> Cheers,
> Steve.

From steve.freegard at fsl.com Tue Oct 28 22:35:16 2008
From: steve.freegard at fsl.com (Steve Freegard)
Date: Tue Oct 28 22:35:26 2008
Subject: New service - the Team Cymru Malware Hash Registry!
In-Reply-To: <27598027.2811225230830622.JavaMail.root@office.splatnix.net>
References: <49078624.4000209@fsl.com> <27598027.2811225230830622.JavaMail.root@office.splatnix.net>
Message-ID: <490793A4.5000705@fsl.com>

--[ UxBoD ]-- wrote:
> Steve, understood, but if a local persistent cache was generated then the number of upstream look ups for the same hash would reduce ? would this not also reduce the load on the upstream servers ? sorry if I am being stupid but it kinda makes sense to me :( isn't that what AV sigs are for ?

All the records from the Malware Hash Registry have a TTL of 86400
seconds (24 hours), so that means that if you're looking up the same
hash within 24 hours - it will come from your local cache provided it
hasn't been purged to reclaim space.

If you maintain a local cache - you really don't save a lot of lookups
to the upstream since the vast majority of lookups are going to be
negative lookups (e.g. NXDOMAIN).

DNS was designed with caching in mind; and it works just fine for the
purposes it was designed for - adding a second cache is almost always a
bad idea and will introduce lag and incorrect results along with space
bloat.

If you're going to argue a local cache for these hashes - why not argue
for local caching for DNS BL or URI BL lookups as well? The reason we
don't do local caching for these is exactly the same as why we shouldn't
do it here - the data is fluid - there's no guarantee that a positive or
negative lookup now yield the same result the next time you look at the
data.

Regards,
Steve.

From hvdkooij at vanderkooij.org Tue Oct 28 23:04:45 2008
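
The lookup convention used in this thread (MD5 of the file as a label under malware.hash.cymru.com, A 127.0.0.2 for a listed hash, NXDOMAIN for an unlisted one, no reply at all when rate limited) and the TTL-bounded caching described in the message above, as an added Python example that is not part of any message here or of generic_hash_scanner.pl. The function names, the Answer tuple, the stub resolver and the negative TTL are constructed for illustration; reading the two TXT fields as a last-seen Unix time and a detection percentage is an assumption.

```python
import hashlib
from collections import namedtuple
from datetime import datetime, timezone

ZONE = "malware.hash.cymru.com"  # zone queried in the thread
LISTED_A = "127.0.0.2"           # A record the thread shows for a listed hash

# rcode is "NOERROR", "NXDOMAIN", or None when no reply arrived before the
# timeout (the registry drops rate-limited queries instead of answering).
Answer = namedtuple("Answer", "rcode a txt ttl")


def query_name(data: bytes) -> str:
    """DNS name for a file's content: <md5 hex digest>.<zone>."""
    return hashlib.md5(data).hexdigest() + "." + ZONE


def classify(ans: Answer) -> str:
    """Turn one DNS answer into a verdict.

    A missing reply is reported as "no-answer", never as "not-listed":
    a dropped packet says nothing about the file.
    """
    if ans.rcode is None:
        return "no-answer"
    if ans.rcode == "NXDOMAIN":
        return "not-listed"
    if ans.rcode == "NOERROR" and LISTED_A in ans.a:
        return "listed"
    return "unexpected"


def parse_txt(txt: str):
    """Split a TXT value such as "1207251065 89".

    Assumption: field 1 is a last-seen Unix time, field 2 a detection
    percentage. Returns (datetime in UTC, int).
    """
    epoch, pct = txt.split()
    return datetime.fromtimestamp(int(epoch), tz=timezone.utc), int(pct)


class TTLCache:
    """Keeps an answer only for the TTL that came with it."""

    def __init__(self):
        self._store = {}  # name -> (expiry time, Answer)

    def get(self, name, now):
        entry = self._store.get(name)
        if entry and now < entry[0]:
            return entry[1]
        self._store.pop(name, None)  # expired or never stored
        return None

    def put(self, name, ans, now):
        # A missing reply carries no TTL and must be retried, so skip it.
        if ans.rcode is not None and ans.ttl > 0:
            self._store[name] = (now + ans.ttl, ans)


def lookup(name, resolve, cache, now):
    """Return (verdict, served_from_cache) for one query name."""
    cached = cache.get(name, now)
    if cached is not None:
        return classify(cached), True
    ans = resolve(name)
    cache.put(name, ans, now)
    return classify(ans), False


# Constructed stand-in for the network; a real scanner would send DNS queries.
LISTED_NAME = "69630e4574ec6798239b091cda43dca0." + ZONE    # listed in the thread
UNLISTED_NAME = "e4f2502c0b75ba64cd5559a6033c2f88." + ZONE  # NXDOMAIN in the thread


def fake_resolve(name):
    if name == LISTED_NAME:
        return Answer("NOERROR", [LISTED_A], ["1207251065 89"], 86400)
    if name == UNLISTED_NAME:
        return Answer("NXDOMAIN", [], [], 3600)  # negative TTL is constructed
    return Answer(None, [], [], 0)               # query dropped, no reply


def demo():
    cache = TTLCache()
    dropped = query_name(b"constructed sample attachment")
    steps = [(LISTED_NAME, 0), (LISTED_NAME, 86399), (LISTED_NAME, 86400),
             (UNLISTED_NAME, 0), (UNLISTED_NAME, 10), (dropped, 0), (dropped, 1)]
    return [lookup(name, fake_resolve, cache, now) for name, now in steps]


if __name__ == "__main__":
    for verdict, cached in demo():
        print(verdict, "(cache)" if cached else "(queried)")
```
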
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Tue Oct 28 23:04:59 2008 Subject: Increase in malware? Message-ID: <49079A8D.7080901@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, Is it just me or has the amount of malware sent around by email increased significantly the last days? Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFJB5qLBvzDRVjxmYERAjyVAJwKVSr2YUQZr/vGUB0KoDLqSsVYJwCfQ9+8 2cYWb4JhZuNarCD2vYE0D0I= =lq2U -----END PGP SIGNATURE----- From ricky.boone at gmail.com Tue Oct 28 23:40:29 2008 From: ricky.boone at gmail.com (Ricky Boone) Date: Tue Oct 28 23:40:43 2008 Subject: Increase in malware? In-Reply-To: <49079A8D.7080901@vanderkooij.org> References: <49079A8D.7080901@vanderkooij.org> Message-ID: <4907A2ED.9090900@gmail.com> Hugo van der Kooij wrote: > Is it just me or has the amount of malware sent around by email > increased significantly the last days? Over the past week or so, I've also seen a marked increase in malware on my MailScanner systems. From markee at bandwidthco.com Wed Oct 29 02:49:04 2008 From: markee at bandwidthco.com (markee) Date: Wed Oct 29 01:48:36 2008 Subject: New beta release 4.72.4-1 In-Reply-To: <4905AB28.7010404@ecs.soton.ac.uk> References: <4905AB28.7010404@ecs.soton.ac.uk> Message-ID: <002a01c93970$e7d42450$0300a8c0@bandwidthco.com> Julian - Bless you and those two beautiful precious little kittens. They are so fortunate to have you. This is coming from both a cat lover and a MailScanner lover. MailScanner: the best, the most functional, and the most useful software ever created. -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: Monday, October 27, 2008 3:51 AM To: MailScanner discussion; MailScanner-Beta mailing list Subject: New beta release 4.72.4-1 Hi Folks! Firstly, a big apology for not being around the place much recently. Several reasons. Number one, I now have two incredibly cute kittens to look after: http://www.jules.fm/gallery/v/CatsDay1/ http://www.jules.fm/gallery/v/RootAndCisco/ Number two, I seem to have had quite a lot on at work (my day-job). Number three, between numbers one and two, I just haven't had any energy left. I'm struggling quite hard to keep my weight up (currently only weigh 8 stone 1, 113 pounds, 51 kg) and just don't have much energy at the moment. There have been a load of colds going round, and while I don't really get colds (certainly never get blocked nose, stuffy head, anything like that) they still hit me a bit. As for the new liver, well they want to redo all the MRI scans, so I've got a few hours in an MRI scanner to look forward to. A rather critical new vein has opened up, which totally changed their surgical plan, and they need to be very sure it isn't going to close again or anything daft like that. And no, the phone hasn't rung yet, I'm still waiting for the liver transplant call. :-) So MailScanner has had to go on a bit of a back burner for a while. I'm sure you understand :-) Meantime, I have just put out a new beta release, which will go stable in a few days if no-one finds anything horribly wrong with it. So please do test it for me! Here is the Change Log:
* New Features and Improvements *
1 Added support for ClamAV 0.94. Note that this has necessitated removal of complete support for earlier versions of ClamAV as the command-line settings are incompatible. So only use this version if you have upgraded to the latest ClamAV 0.94.
2 The "Found to be clean" header will not be added to the message at all if the relevant configuration setting is blank in MailScanner.conf.
2 Filename and filetype checks are now done before virus scanning. This means that you can use the "deny+delete" type of filename or filetype rule to selectively delete files that will choke your buggy virus scanner.
4 "install.sh" now logs all output to "install.log".
4 The RPM and SuSE versions of "install.sh" now have a "reinstall" command-line option which will make it attempt to remove the Perl RPMs before it installs them, in case you have changed your Perl version enough that the previous Perl modules were not being found by your new setup. Very handy for Fedora upgraders, among others.
4 Improvements to the "reinstall" command-line switch so it removes all the old versions first, before it starts installing anything new.
4 Updated MIME-tools to version 5.427.
4 Minor improvement to phishing net.
4 Added check to --lint for sufficiently correct /tmp permissions.
* Fixes *
1 Changed logging of clamd so that it reports the virus scanner name correctly.
2 Removed debug code from OLE unpacking code.
3 Fixed log handling bug in filename rules matching code, thanks to Derek Chee.
4 Fixed bug where whole message body was deleted if a file nested within 2 zip files failed filename tests.
4 Fixed reporting bug in 'service MailScanner status' where it would produce an error instead of saying the incoming sendmail process was working fine.
4 Fixed a parsing bug in the "Avast" scanner support.
4 Minor change to error message when /tmp has wrong permissions.
Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! 
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. ######################################################## This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. postmaster@bandwidthco.com MailScanner at Bandwidthco Computer Security is for your absolute protection. ######################################################## From drew.marshall at technologytiger.net Wed Oct 29 05:08:37 2008 
From: drew.marshall at technologytiger.net (Drew Marshall) Date: Wed Oct 29 05:08:53 2008 Subject: Increase in malware? In-Reply-To: <4907A2ED.9090900@gmail.com> References: <49079A8D.7080901@vanderkooij.org> <4907A2ED.9090900@gmail.com> Message-ID: On 28 Oct 2008, at 23:40, Ricky Boone wrote: > Hugo van der Kooij wrote: >> Is it just me or has the amount of malware sent around by email >> increased significantly the last days? > > Over the past week or so, I've also seen a marked increase in > malware on my MailScanner systems. Agreed, although this is more a return to where we have been about 4 weeks previously. Perhaps fairer to say had any one noticed the decrease in malware over the last couple of weeks ;-) Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by Technology Tiger's Mail Launder system Our email policy can be found at www.technologytiger.net/policy Technology Tiger Limited is registered in Scotland with registration number: 310997 Registered Office 55-57 West High Street Inverurie AB51 3QQ From gdm at linuxpro.co.za Wed Oct 29 07:16:29 2008 From: gdm at linuxpro.co.za (Gregory Machin) Date: Wed Oct 29 07:16:38 2008 Subject: MailScanner quarantined file truncating attachments Message-ID: <30200a940810290016k119761f3ia3135c03b1a6996a@mail.gmail.com> Hi I have noticed that the attachments are being truncated into one file with no extension. What would cause this? From martinh at solidstatelogic.com Wed Oct 29 07:30:32 2008 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Wed Oct 29 07:29:20 2008 Subject: Increase in malware? Message-ID: I'd say a drop myself..very little compared to a few weeks ago when the invoice malware was about. -- Martin -----Original Message----- 
From: Hugo van der Kooij Sent: 28 October 2008 23:09 To: mailscanner@lists.mailscanner.info Subject: Increase in malware? Hi, Is it just me or has the amount of malware sent around by email increased significantly the last days? Hugo. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. From uxbod at splatnix.net Wed Oct 29 08:17:14 2008 
From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Wed Oct 29 08:17:36 2008 Subject: New service - the Team Cymru Malware Hash Registry! In-Reply-To: <490793A4.5000705@fsl.com> Message-ID: <8222797.2921225268234840.JavaMail.root@office.splatnix.net> Cheers for putting me straight Steve ;) Nice explanation as well :) Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 ----- "Steve Freegard" wrote:
> All the records from the Malware Hash Registry have a TTL of 86400 seconds (24 hours), so that means that if you're looking up the same hash within 24 hours - it will come from your local cache provided it hasn't been purged to reclaim space.
>
> If you maintain a local cache - you really don't save a lot of lookups to the upstream since the vast majority of lookups are going to be negative lookups (e.g. NXDOMAIN).
>
> DNS was designed with caching in mind; and it works just fine for the purposes it was designed for - adding a second cache is almost always a bad idea and will introduce lag and incorrect results along with space bloat.
>
> If you're going to argue a local cache for these hashes - why not argue for local caching for DNS BL or URI BL lookups as well? The reason we don't do local caching for these is exactly the same as why we shouldn't do it here - the data is fluid - there's no guarantee that a positive or negative lookup now will yield the same result the next time you look at the data.
>
> Regards,
> Steve.
From ms-list at alexb.ch Wed Oct 29 08:27:20 2008 
From: ms-list at alexb.ch (Alex Broens) Date: Wed Oct 29 08:27:15 2008 Subject: New service - the Team Cymru Malware Hash Registry! In-Reply-To: <16055869.2741225225341985.JavaMail.root@office.splatnix.net> References: <16055869.2741225225341985.JavaMail.root@office.splatnix.net> Message-ID: <49081E68.6030100@alexb.ch> On 10/28/2008 9:22 PM, --[ UxBoD ]-- wrote: > Hmmmm ... won't things get expired though Alex if they have not been > looked up in a while ? surely hashes will remain the same dependent > on the construct of the file ? IMO: The floods last a few hours. cymru's rbldnsd entries have a TTL of 1800s a few extra queries are still cheaper than I/O and maintaining expiration on the local hash file, iow: you have nothing to do and watch locally. There is a reason why some of the big AV guys are taking this path (McAfee Artemis) Ale From ms-list at alexb.ch Wed Oct 29 08:29:28 2008 From: ms-list at alexb.ch (Alex Broens) Date: Wed Oct 29 08:29:23 2008 Subject: Increase in malware? In-Reply-To: <49079A8D.7080901@vanderkooij.org> References: <49079A8D.7080901@vanderkooij.org> Message-ID: <49081EE8.5000505@alexb.ch> On 10/29/2008 12:04 AM, Hugo van der Kooij wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi, > > Is it just me or has the amount of malware sent around by email > increased significantly the last days? yep.. 11 new homebrew sigs since midnight CET till 7 am CET. Ale From steve.freegard at fsl.com Wed Oct 29 11:07:34 2008 
From: steve.freegard at fsl.com (Steve Freegard) Date: Wed Oct 29 11:07:53 2008 Subject: New service - the Team Cymru Malware Hash Registry! In-Reply-To: <49081E68.6030100@alexb.ch> References: <16055869.2741225225341985.JavaMail.root@office.splatnix.net> <49081E68.6030100@alexb.ch> Message-ID: <490843F6.1010606@fsl.com> Alex Broens wrote: > On 10/28/2008 9:22 PM, --[ UxBoD ]-- wrote: >> Hmmmm ... won't things get expired though Alex if they have not been >> looked up in a while ? surely hashes will remain the same dependent >> on the construct of the file ? > > IMO: > > The floods last a few hours. > cymru's rbldnsd entries have a TTL of 1800s > a few extra queries are still cheaper than I/O and maintaining expiration > on the local hash file, iow: you have nothing to do and watch locally. > > There is a reason why some of the big AV guys are taking this path > (McAfee Artemis) > > Alex If enough people were interested in participating by donating spam/virus trap feeds, then it would be relatively straightforward to provide fresh hashes of both malware and spam via two separate DNS based lists. Regards, Steve. From uxbod at splatnix.net Wed Oct 29 11:45:34 2008 
From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Wed Oct 29 11:45:52 2008 Subject: New service - the Team Cymru Malware Hash Registry! In-Reply-To: <490843F6.1010606@fsl.com> Message-ID: <7852086.3241225280734669.JavaMail.root@office.splatnix.net> Count me in - just tell me what I would need to do ;) Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 ----- "Steve Freegard" wrote:
> If enough people were interested in participating by donating spam/virus trap feeds, then it would be relatively straightforward to provide fresh hashes of both malware and spam via two separate DNS based lists.
>
> Regards,
> Steve.
From ms-list at alexb.ch Wed Oct 29 11:49:06 2008 
From: ms-list at alexb.ch (Alex Broens) Date: Wed Oct 29 11:49:01 2008 Subject: New service - the Team Cymru Malware Hash Registry! In-Reply-To: <490843F6.1010606@fsl.com> References: <16055869.2741225225341985.JavaMail.root@office.splatnix.net> <49081E68.6030100@alexb.ch> <490843F6.1010606@fsl.com> Message-ID: <49084DB2.70907@alexb.ch> On 10/29/2008 12:07 PM, Steve Freegard wrote: > Alex Broens wrote: >> On 10/28/2008 9:22 PM, --[ UxBoD ]-- wrote: >>> Hmmmm ... won't things get expired though Alex if they have not been >>> looked up in a while ? surely hashes will remain the same dependent >>> on the construct of the file ? >> >> IMO: >> >> The floods last a few hours. >> cymru's rbldnsd entries have a TTL of 1800s >> a few extra queries are still cheaper than I/O and maintaining >> expiration on the local hash file, iow: you have nothing to do and >> watch locally. >> >> There is a reason why some of the big AV guys are taking this path >> (McAfee Artemis) >> >> Alex > > If enough people were interested in participating by donating spam/virus > trap feeds, then it would be relatively straightforward to provide fresh > hashes of both malware and spam via two separate DNS based lists. May I pass on this? I already have a similar hobby .-) Alex From m.anderlini at database.it Wed Oct 29 12:15:22 2008 
From: m.anderlini at database.it (Marcello Anderlini) Date: Wed Oct 29 12:15:46 2008 Subject: /var/spool/mqueue growing Message-ID: <2FA349F95CF3644FAFC92070E642EB6ADCCED6@beta.dbdomain.database.it> Hello everybody, today my /var/spool/mqueue is becoming very large and I do not understand why. I'm using mailscanner-4.58.9-1, spamassassin-3.2.5-1.el4 on a CentOS 4.7. It seems to me that some messages stay here and are not delivered to the recipient, even if they are on the same machine. Looking at the maillog I've noticed one of these: =============== Oct 29 10:46:58 netra MailScanner[6449]: Message m9T9klhf010817 from 84.253.164.189 (amministrazione@toppy.it) to toppy.it is too big for spam checks (173900 > 150000 bytes) =============== And nothing else. I've also tried to send a sendmail -q -v but nothing seems to happen. Could it be that the problem is that if the msg is too big to be spam-checked it remains in /var/spool/mqueue without being processed? Thanks a lot for any kind of help Dr. Marcello Anderlini m.anderlini@database.it --------------------------------------------- Database Informatica S.r.l. Microsoft Certified Partner Tel. +39059775070 Fax. +39059779545 http://www.database.it --------------------------------------------- -- Message checked by the Database Informatica antivirus service From stef at aoc-uk.com Wed Oct 29 13:38:59 2008 
From: stef at aoc-uk.com (Stef Morrell) Date: Wed Oct 29 13:39:12 2008 Subject: New service - the Team Cymru Malware Hash Registry! In-Reply-To: References: <16055869.2741225225341985.JavaMail.root@office.splatnix.net><49081E68.6030100@alexb.ch> Message-ID: <200810291339.m9TDd4dE026908@safir.blacknight.ie> Steve Freegard wrote: > If enough people were interested in participating by donating > spam/virus trap feeds, then it would be relatively > straightforward to provide fresh hashes of both malware and > spam via two separate DNS based lists. At the risk of being like AOL and shouting 'me too', you could count me in. Stef Stefan Morrell | Operations Director Tel: 0845 3452820 | Alpha Omega Computers Ltd Fax: 0845 3452830 | Incorporating Level 5 Internet stef@aoc-uk.com | stef@l5net.net Standard Disclaimer: http://www.aoc-uk.com/16.asp Alpha Omega Computers Ltd, Unit 57, BBTC, Grange Road, Batley, WF17 6ER. Registered in England No. 3867142. VAT No. GB734421454 From Denis.Beauchemin at USherbrooke.ca Wed Oct 29 14:20:18 2008 From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Wed Oct 29 14:20:32 2008 Subject: dsbl.org gone for good Message-ID: <49087122.6020208@USherbrooke.ca> Hello all, According to their web site: DSBL is GONE and highly unlikely to return. Please remove it from your mail server configuration. DSBL was a blocklist specialized in listing open relays and open proxies. To put it simply, DSBL listed IP addresses of computers that could be tricked into sending spam by anybody. This was a very successful strategy. Nowadays open relays and open proxies are rare, spammers hardly ever use them any more and no software seems to come with an open-by-default policy any more. Denis -- _ °v° Denis Beauchemin, analyste /(_)\ Université de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045 From gesbbb at yahoo.com Wed Oct 29 14:47:19 2008 
From: gesbbb at yahoo.com (Jerry) Date: Wed Oct 29 14:47:40 2008 Subject: OT: New service - the Team Cymru Malware Hash Registry! In-Reply-To: <200810291339.m9TDd4dE026908@safir.blacknight.ie> References: <16055869.2741225225341985.JavaMail.root@office.splatnix.net> <49081E68.6030100@alexb.ch> <200810291339.m9TDd4dE026908@safir.blacknight.ie> Message-ID: <20081029104719.68e7f9f6@scorpio> On Wed, 29 Oct 2008 13:38:59 -0000 "Stef Morrell" wrote: >Steve Freegard wrote: >> If enough people were interested in participating by donating >> spam/virus trap feeds, then it would be relatively >> straightforward to provide fresh hashes of both malware and >> spam via two separate DNS based lists. > >At the risk of being like AOL and shouting 'me too', you could count me >in. > >Stef >Stefan Morrell | Operations Director >Tel: 0845 3452820 | Alpha Omega Computers Ltd >Fax: 0845 3452830 | Incorporating Level 5 Internet >stef@aoc-uk.com | stef@l5net.net > >Standard Disclaimer: http://www.aoc-uk.com/16.asp > >Alpha Omega Computers Ltd, Unit 57, BBTC, Grange Road, Batley, WF17 >6ER. Registered in England No. 3867142. VAT No. GB734421454 Stef, would you mind terribly prefixing your signature/disclaimer/etc. with a standard 'signature delimiter' so that my MUA can delete it automatically prior to replying to one of your posts? Thanks! -- Jerry gesbbb@yahoo.com If you think education is expensive, try ignorance. Derek Bok, president of Harvard From stef at aoc-uk.com Wed Oct 29 15:06:05 2008 
From: stef at aoc-uk.com (Stef Morrell) Date: Wed Oct 29 15:06:15 2008 Subject: OT: New service - the Team Cymru Malware Hash Registry! In-Reply-To: References: <16055869.2741225225341985.JavaMail.root@office.splatnix.net><49081E68.6030100@alexb.ch><200810291339.m9TDd4dE026908@safir.blacknight.ie> Message-ID: <200810291506.m9TF66fl030498@safir.blacknight.ie> "Jerry" wrote: > Stef, would you mind terribly prefixing your signature/disclaimer/etc. > with a standard 'signature delimiter' so that my MUA can > delete it automatically prior to replying to one of your posts? I can try... Personally, I'm all for the 'let's keep sigs down to 4 lines mmkay'... and then the corporate lawyers jump in (disclaimer, at least I managed to persuade the boss that putting it on a website was ok, and yes, between us, I know what they are worth, but anyway) and now of course it's a legal requirement (here in the UK at least) to include address information - email is now a 'business communication' same as a paper and ink letter! Anyway... sig duly adjusted. Stef -- Stefan Morrell | Operations Director Tel: 0845 3452820 | Alpha Omega Computers Ltd Fax: 0845 3452830 | Incorporating Level 5 Internet stef@aoc-uk.com | stef@l5net.net Standard Disclaimer: http://www.aoc-uk.com/16.asp Alpha Omega Computers Ltd, Unit 57, BBTC, Grange Road, Batley, WF17 6ER. Registered in England No. 3867142. VAT No. GB734421454 From ka at pacific.net Wed Oct 29 15:35:10 2008 
From: ka at pacific.net (Ken A) Date: Wed Oct 29 15:35:10 2008 Subject: New service - the Team Cymru Malware Hash Registry! In-Reply-To: <490793A4.5000705@fsl.com> References: <49078624.4000209@fsl.com> <27598027.2811225230830622.JavaMail.root@office.splatnix.net> <490793A4.5000705@fsl.com> Message-ID: <490882AE.6000008@pacific.net> Steve Freegard wrote: > --[ UxBoD ]-- wrote: >> Steve, understood, but if a local persistent cache was generated then >> the number of upstream look ups for the same hash would reduce ? would >> this not also reduce the load on the upstream servers ? sorry if I am >> being stupid but it kinda makes sense to me :( isn't that what AV sigs >> are for ? > > All the records from the Malware Hash Registry have a TTL of 86400 > seconds (24 hours), so that means that if you're looking up the same > hash within 24 hours - it will come from your local cache provided it > hasn't been purged to reclaim space. > > If you maintain a local cache - you really don't save a lot of lookups > to the upstream since the vast majority of lookups are going to be > negative lookups (e.g. NXDOMAIN). > > DNS was designed with caching in mind; and it works just fine for the > purposes it was designed for - adding a second cache is almost always a > bad idea and will introduce lag and incorrect results along with space > bloat. > > If you're going to argue a local cache for these hashes - why not argue > for local caching for DNS BL or URI BL lookups as well? The reason we > don't do local caching for these is exactly the same as why we shouldn't > do it here - the data is fluid - there's no guarantee that a positive or > negative lookup now will yield the same result the next time you look at the > data. Also consider DNS caching of NXDOMAIN responses. These are for much less time, but a local cache does significantly decrease DNS traffic upstream, but this depends a lot on your spam. Not only BL data is fluid, so are spam patterns. 
One approach may work better on most days than the other. I've not done that research. Just my two cents. :-) Ken > > Regards, > Steve. -- Ken Anderson Pacific.Net From gesbbb at yahoo.com Wed Oct 29 15:49:00 2008 
From: gesbbb at yahoo.com (Jerry) Date: Wed Oct 29 15:49:14 2008 Subject: OT: New service - the Team Cymru Malware Hash Registry! In-Reply-To: <200810291506.m9TF66fl030498@safir.blacknight.ie> References: <16055869.2741225225341985.JavaMail.root@office.splatnix.net> <49081E68.6030100@alexb.ch> <200810291339.m9TDd4dE026908@safir.blacknight.ie> <200810291506.m9TF66fl030498@safir.blacknight.ie> Message-ID: <20081029114900.06933fe3@scorpio> On Wed, 29 Oct 2008 15:06:05 -0000 "Stef Morrell" wrote: >"Jerry" wrote: >> Stef, would you mind terribly prefixing your >> signature/disclaimer/etc. with a standard 'signature delimiter' so >> that my MUA can delete it automatically prior to replying to one of >> your posts? > >I can try... > >Personally, I'm all for the 'let's keep sigs down to 4 lines mmkay'... >and then the corporate lawyers jump in (disclaimer, at least I managed >to persuade the boss that putting it on a website was ok, and yes, >between us, I know what they are worth, but anyway) and now of course >it's a legal requirement (here in the UK at least) to include address >information - email is now a 'business communication' same as a paper >and ink letter! > >Anyway... sig duly adjusted. > >Stef >-- >Stefan Morrell | Operations Director >Tel: 0845 3452820 | Alpha Omega Computers Ltd >Fax: 0845 3452830 | Incorporating Level 5 Internet >stef@aoc-uk.com | stef@l5net.net > >Standard Disclaimer: http://www.aoc-uk.com/16.asp > >Alpha Omega Computers Ltd, Unit 57, BBTC, Grange Road, Batley, WF17 >6ER. Registered in England No. 3867142. VAT No. GB734421454 First, thank you for your quick response. However, it appears that your 'sig delimiter' is limited to two dashes rather than 'dash dash space'. Unfortunately, sans the the 'sig delimiter' will not work as intended. Maybe your MUA is stripping the 'space' at the end out. I have no idea. I do agree that massive signatures/disclaimers are a pure waste of time and bandwidth as well as being legally unenforceable. 
I believe in Germany, that they are not required on publicly accessible forums, such as this one. Is that different in the UK? The web accessible 'disclaimer' is a nice touch though. Unfortunately, some politician will undoubtedly eventually nullify that also. -- Jerry gesbbb@yahoo.com Paranoia is heightened awareness. From stef at aoc-uk.com Wed Oct 29 16:00:02 2008 From: stef at aoc-uk.com (Stef Morrell) Date: Wed Oct 29 16:00:13 2008 Subject: OT: New service - the Team Cymru Malware Hash Registry! In-Reply-To: References: <16055869.2741225225341985.JavaMail.root@office.splatnix.net><49081E68.6030100@alexb.ch><200810291339.m9TDd4dE026908@safir.blacknight.ie><200810291506.m9TF66fl030498@safir.blacknight.ie> Message-ID: <200810291600.m9TG04ks001676@safir.blacknight.ie> "Jerry" wrote: > > Maybe your MUA is stripping the 'space' at the end out. I have no > idea. Better? (there is definitely a space in there as I edit this!). -- Stefan Morrell | Operations Director Tel: 0845 3452820 | Alpha Omega Computers Ltd Fax: 0845 3452830 | Incorporating Level 5 Internet stef@aoc-uk.com | stef@l5net.net Standard Disclaimer: http://www.aoc-uk.com/16.asp Alpha Omega Computers Ltd, Unit 57, BBTC, Grange Road, Batley, WF17 6ER. Registered in England No. 3867142. VAT No. GB734421454 From Kevin_Miller at ci.juneau.ak.us Wed Oct 29 17:41:20 2008 
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Wed Oct 29 17:41:32 2008 Subject: Increase in malware? In-Reply-To: References: Message-ID: Martin.Hepworth wrote: > I'd say a drop myself..very little compared to a few weeks ago when > the invoice malware was about. Curious. Over the last year I've seen very little in the way of malware/viruses. Just get one or two a day maybe. The past few weeks it's been way up. On my main inbound mx host I see 72 for today so far. Interestingly, I see 9 on my secondary and none on my tertiary. The third gets about 99% spam, the second is running around 96%. Seems that the spammers and virus writers are using somewhat different tactics... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From Kevin_Miller at ci.juneau.ak.us Wed Oct 29 17:57:32 2008 
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Wed Oct 29 17:57:42 2008 Subject: OT: New service - the Team Cymru Malware Hash Registry! In-Reply-To: <200810291600.m9TG04ks001676@safir.blacknight.ie> References: <16055869.2741225225341985.JavaMail.root@office.splatnix.net><49081E68.6030100@alexb.ch><200810291339.m9TDd4dE026908@safir.blacknight.ie><200810291506.m9TF66fl030498@safir.blacknight.ie> <200810291600.m9TG04ks001676@safir.blacknight.ie> Message-ID: Stef Morrell wrote: > "Jerry" wrote: > >> >> Maybe your MUA is stripping the 'space' at the end out. I have no >> idea. > > Better? (there is definitely a space in there as I edit this!). > > -- > Stefan Morrell | Operations Director > Tel: 0845 3452820 | Alpha Omega Computers Ltd > Fax: 0845 3452830 | Incorporating Level 5 Internet > stef@aoc-uk.com | stef@l5net.net > > Standard Disclaimer: http://www.aoc-uk.com/16.asp > > Alpha Omega Computers Ltd, Unit 57, BBTC, Grange Road, Batley, WF17 > 6ER. Registered in England No. 3867142. VAT No. GB734421454 Ha - you're using Exchange aren't you. My sig is correct too, when it leaves my desk, but it fails a reply as well. I'm betting Microsoft is doing us the 'favor' of stripping it out. Sigh. ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From hvdkooij at vanderkooij.org Wed Oct 29 18:20:47 2008 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Wed Oct 29 18:21:01 2008
Subject: MailScanner quarantined file truncating attachments
In-Reply-To: <30200a940810290016k119761f3ia3135c03b1a6996a@mail.gmail.com>
References: <30200a940810290016k119761f3ia3135c03b1a6996a@mail.gmail.com>
Message-ID: <4908A97F.20303@vanderkooij.org>

Gregory Machin wrote:
> Hi
> I have noticed that the attachments are being truncated into one file
> with no extension ..
> What would cause this .

And how did you configure the relevant settings in MailScanner?

And did you check if the file just isn't the original message in full?

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

From dominian at slackadelic.com Wed Oct 29 19:06:04 2008
From: dominian at slackadelic.com (Matt Hayes)
Date: Wed Oct 29 19:06:17 2008
Subject: dsbl.org gone for good
In-Reply-To: <49087122.6020208@USherbrooke.ca>
References: <49087122.6020208@USherbrooke.ca>
Message-ID: <4908B41C.1050406@slackadelic.com>

Denis Beauchemin wrote:
> Hello all,
>
> According to their web site:
> DSBL is GONE and highly unlikely to return. Please remove it from your
> mail server configuration.
>
> DSBL was a blocklist specialized in listing open relays and open
> proxies. To put it simply, DSBL listed IP addresses of computers that
> could be tricked into sending spam by anybody. This was a very
> successful strategy. Nowadays open relays and open proxies are rare,
> spammers hardly ever use them any more and no software seems to come
> with an open-by-default policy any more.
>
> Denis
>

This is news that is 3 to 4 years old...

-Matt

From Denis.Beauchemin at USherbrooke.ca Wed Oct 29 19:25:30 2008
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Wed Oct 29 19:25:53 2008
Subject: dsbl.org gone for good
In-Reply-To: <4908B41C.1050406@slackadelic.com>
References: <49087122.6020208@USherbrooke.ca> <4908B41C.1050406@slackadelic.com>
Message-ID: <4908B8AA.5010802@USherbrooke.ca>

Matt Hayes wrote:
> Denis Beauchemin wrote:
>
>> Hello all,
>>
>> According to their web site:
>> DSBL is GONE and highly unlikely to return. Please remove it from your
>> mail server configuration.
>>
>> DSBL was a blocklist specialized in listing open relays and open
>> proxies. To put it simply, DSBL listed IP addresses of computers that
>> could be tricked into sending spam by anybody. This was a very
>> successful strategy. Nowadays open relays and open proxies are rare,
>> spammers hardly ever use them any more and no software seems to come
>> with an open-by-default policy any more.
>>
>> Denis
>>
>>
>
>
> This is news that is 3 to 4 years old...
>
> -Matt
>

According to their website, it happened sometime after 06/05/2008.
Anyhow, I still had sendmail check it so I removed the test.

Denis

--
 _
 ?v?   Denis Beauchemin, analyste
/(_)\  Université de Sherbrooke, S.T.I.
 ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From gesbbb at yahoo.com Wed Oct 29 20:22:47 2008
From: gesbbb at yahoo.com (Jerry)
Date: Wed Oct 29 20:23:08 2008
Subject: OT: New service - the Team Cymru Malware Hash Registry!
In-Reply-To:
References: <16055869.2741225225341985.JavaMail.root@office.splatnix.net> <49081E68.6030100@alexb.ch> <200810291339.m9TDd4dE026908@safir.blacknight.ie> <200810291506.m9TF66fl030498@safir.blacknight.ie> <200810291600.m9TG04ks001676@safir.blacknight.ie>
Message-ID: <20081029162247.0c0aad68@scorpio>

On Wed, 29 Oct 2008 09:57:32 -0800
"Kevin Miller" wrote:

>Stef Morrell wrote:
>> "Jerry" wrote:
>>
>>>
>>> Maybe your MUA is stripping the 'space' at the end out. I have no
>>> idea.
>>
>> Better? (there is definitely a space in there as I edit this!).
>>
>> --
>> Stefan Morrell | Operations Director
>> Tel: 0845 3452820 | Alpha Omega Computers Ltd
>> Fax: 0845 3452830 | Incorporating Level 5 Internet
>> stef@aoc-uk.com | stef@l5net.net
>>
>> Standard Disclaimer: http://www.aoc-uk.com/16.asp
>>
>> Alpha Omega Computers Ltd, Unit 57, BBTC, Grange Road, Batley, WF17
>> 6ER. Registered in England No. 3867142. VAT No. GB734421454
>
>Ha - you're using Exchange aren't you. My sig is correct too, when it
>leaves my desk, but it fails a reply as well. I'm betting Microsoft is
>doing us the 'favor' of stripping it out. Sigh.
>
>...Kevin

I have never heard of Exchange stripping out a 'space' character from
email text.

In any case, both signatures are now working correctly. I rechecked
the first message with the non functioning signature, and it still
does not contain a 'space' character after the double dash. Perhaps,
it got lost in the transmission. In any case, all is well now.

Thanks!

--
Jerry
gesbbb@yahoo.com

Ain't nothin' an old man can do for me but bring me a message from a
young man.

Moms Mabley

From Kevin_Miller at ci.juneau.ak.us Wed Oct 29 20:36:15 2008
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Wed Oct 29 20:36:37 2008
Subject: OT: New service - the Team Cymru Malware Hash Registry!
In-Reply-To: <20081029162247.0c0aad68@scorpio>
References: <16055869.2741225225341985.JavaMail.root@office.splatnix.net><49081E68.6030100@alexb.ch><200810291339.m9TDd4dE026908@safir.blacknight.ie><200810291506.m9TF66fl030498@safir.blacknight.ie><200810291600.m9TG04ks001676@safir.blacknight.ie> <20081029162247.0c0aad68@scorpio>
Message-ID:

Jerry wrote:
>> Ha - you're using Exchange aren't you. My sig is correct too, when
>> it leaves my desk, but it fails a reply as well. I'm betting
>> Microsoft is doing us the 'favor' of stripping it out. Sigh.
>>
>> ...Kevin
>
> I have never heard of Exchange stripping out a 'space' character from
> email text.
>
> In any case, both signatures are now working correctly. I rechecked
> the first message with the non functioning signature, and it still
> does not contain a 'space' character after the double dash. Perhaps,
> it got lost in the transmission. In any case, all is well now.
>
> Thanks!

Hmmm. Looking at your post, I don't see a MailScanner sig appended
underneath your signature. I do on mine. So now your signature is
stripped out, but replying to my post strips out the MailScanner
signature, but not my signature. It must parse from the bottom up.

I think you're right about Exchange not stripping it out. I 'see' the
space in my signature before I reply, but not in the reply itself, so
maybe it's Outlook 2003 that's doing the cleanup.

I dunno. Glad you got yours sorted...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From uxbod at splatnix.net Wed Oct 29 20:38:51 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Wed Oct 29 20:39:20 2008
Subject: Wrong Count
In-Reply-To: <20081029162247.0c0aad68@scorpio>
Message-ID: <26183669.3831225312731674.JavaMail.root@office.splatnix.net>

Does everybody else see that when CLAMD finds a virri it reports double ? Surely below it should be 4 ?

Oct 29 20:37:13 mailhub MailScanner[27632]: Clamd::INFECTED:: Email.Hdr.Sanesecurity.08022900 :: ./06BF247BFB.A68E5/
Oct 29 20:37:13 mailhub MailScanner[27632]: Clamd::INFECTED:: Email.Hdr.Sanesecurity.08022900 :: ./C836D47C0D.C47E1/
Oct 29 20:37:13 mailhub MailScanner[27632]: Clamd::INFECTED:: Email.Hdr.Sanesecurity.08022900 :: ./E142047C53.DBE44/
Oct 29 20:37:13 mailhub MailScanner[27632]: Clamd::INFECTED:: Email.Hdr.Sanesecurity.08022900 :: ./4CCD747C04.233FF/
Oct 29 20:37:13 mailhub MailScanner[27632]: Virus Scanning: Clamd found 8 infections
Oct 29 20:37:13 mailhub MailScanner[27632]: Infected message E142047C53.DBE44 came from 204.13.249.74
Oct 29 20:37:13 mailhub MailScanner[27632]: Infected message C836D47C0D.C47E1 came from 204.13.249.74
Oct 29 20:37:13 mailhub MailScanner[27632]: Infected message 4CCD747C04.233FF came from 204.13.249.74
Oct 29 20:37:13 mailhub MailScanner[27632]: Infected message 06BF247BFB.A68E5 came from 204.13.249.74
Oct 29 20:37:13 mailhub MailScanner[27632]: Virus Scanning: Found 8 viruses
Oct 29 20:37:13 mailhub MailScanner[27632]: Logging message E142047C53.DBE44 to SQL
Oct 29 20:37:13 mailhub MailScanner[27632]: Logging message C836D47C0D.C47E1 to SQL
Oct 29 20:37:13 mailhub MailScanner[27632]: Logging message 4CCD747C04.233FF to SQL
Oct 29 20:37:13 mailhub MailScanner[27632]: Logging message 06BF247BFB.A68E5 to SQL

Regards,

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749

--
This message has been scanned for viruses and dangerous
content by MailScanner, and is believed to be clean.

From uxbod at splatnix.net Wed Oct 29 20:43:05 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Wed Oct 29 20:43:24 2008
Subject: OT: New service - the Team Cymru Malware Hash Registry!
In-Reply-To:
Message-ID: <33148880.3861225312985155.JavaMail.root@office.splatnix.net>

Switch to Zimbra ;)

Regards,

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749

----- "Kevin Miller" wrote:
> Hmmm. Looking at your post, I don't see a MailScanner sig appended
>
> underneath your signature. I do on mine. So now your signature is
>
> stripped out, but replying to my post strips out the MailScanner
>
> signature, but not my signature. It must parse from the bottom up.
>
>
>
> I think you're right about Exchange not stripping it out. I 'see' the
>
> space in my signature before I reply, but not in the reply itself, so
>
> maybe it's Outlook 2003 that's doing the cleanup.
>
>
>
> I dunno. Glad you got yours sorted...
>
>
>
> ...Kevin

--
This message has been scanned for viruses and dangerous content by
MailScanner, and is believed to be clean.

From gesbbb at yahoo.com Wed Oct 29 21:30:43 2008
From: gesbbb at yahoo.com (Jerry)
Date: Wed Oct 29 21:30:56 2008
Subject: OT: New service - the Team Cymru Malware Hash Registry!
In-Reply-To: <33148880.3861225312985155.JavaMail.root@office.splatnix.net>
References: <33148880.3861225312985155.JavaMail.root@office.splatnix.net>
Message-ID: <20081029173043.6cafe42b@scorpio>

On Wed, 29 Oct 2008 20:43:05 +0000 (GMT)
"--[ UxBoD ]--" wrote:

>Switch to Zimbra ;)

1) Why are you 'top posting'?

2) Why switch? Your MUA or whatever, failed to properly handle the 'sig
delimiter'.

--
Jerry
gesbbb@yahoo.com

What is a magician but a practicing theorist?

Obi-Wan Kenobi

From rwahyudi at gmail.com Wed Oct 29 21:49:25 2008
From: rwahyudi at gmail.com (R Wahyudi)
Date: Wed Oct 29 21:49:56 2008
Subject: Long delay and no "Spam Checks completed in xxx seconds"
In-Reply-To:
References:
Message-ID: <4908DA65.8050305@gmail.com>

Ugo Bellavance wrote:
> Hi,
>
>
>
> Observation: There is a 10-minute gap between the log of the last
> log entry of spam checks and the start of virus checks. Also, there
> is no log entry saying "Spam Checks completed in xxx seconds".
>
> Other relevant log entries:
>
> Oct 22 17:23:37 server MailScanner[9558]: Virus and Content Scanning:
> Starting
> Oct 22 17:23:45 server MailScanner[9558]: Virus Scanning completed at
> 2945 bytes per second
> Oct 22 17:23:46 server MailScanner[9558]: Uninfected: Delivered 30
> messages
> Oct 22 17:23:46 server MailScanner[9558]: Batch completed at 2943
> bytes per second (1803120 / 612)
> Oct 22 17:23:46 server MailScanner[9558]: Batch (30 messages)
> processed in 612.64 seconds
>
> Have a look at the speed of virus scanning. It took 8 seconds to be
> done, but if you compute 2945 1803120 / 2945, you also get 612s.
>
>

Ugo,

I found that the most common cause of 'slowness' is network bound &
disk bound. So try turning off all DNS/razor/pyzor/surbl checks and see
if it makes any difference. Also, you might try to disable the bayes
and see if it improves the performance.

Regards,
Rianto Wahyudi

From uxbod at splatnix.net Wed Oct 29 22:17:55 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Wed Oct 29 22:18:11 2008
Subject: OT: New service - the Team Cymru Malware Hash Registry!
In-Reply-To: <20081029173043.6cafe42b@scorpio>
Message-ID: <24636229.3921225318675261.JavaMail.root@office.splatnix.net>

Sorry!...Better ?

1) Why are you 'top posting'?

Have removed the additional CRs so hope this reads okay ?

2) Why switch? Your MUA or whatever, failed to properly handle the 'sig delimiter'

--
This message has been scanned for viruses and dangerous content by
MailScanner, and is believed to be clean.

From ricky.boone at gmail.com Wed Oct 29 22:22:33 2008
From: ricky.boone at gmail.com (Ricky Boone)
Date: Wed Oct 29 22:22:46 2008
Subject: Wrong Count
In-Reply-To: <26183669.3831225312731674.JavaMail.root@office.splatnix.net>
References: <26183669.3831225312731674.JavaMail.root@office.splatnix.net>
Message-ID: <4908E229.7060602@gmail.com>

--[ UxBoD ]-- wrote:
> Does everybody else see that when CLAMD finds a virri it reports
> double ? Surely below it should be 4 ?

Doesn't the clamd scan report both the message and the attachment?
That's what I've normally seen. What does the report show?

From axisml at gmail.com Wed Oct 29 22:25:49 2008
From: axisml at gmail.com (Chris)
Date: Wed Oct 29 22:26:04 2008
Subject: Wrong Count
In-Reply-To: <26183669.3831225312731674.JavaMail.root@office.splatnix.net>
References: <26183669.3831225312731674.JavaMail.root@office.splatnix.net>
Message-ID: <200810291625.49275.axisml@gmail.com>

On Wednesday 29 October 2008 2:38:51 pm --[ UxBoD ]-- wrote:
> Does everybody else see that when CLAMD finds a virri it reports double ?
> Surely below it should be 4 ?

Yes - I do as well - usually twice what's really found - it's counting
something wrong....

Chris

From ssilva at sgvwater.com Wed Oct 29 22:37:16 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Oct 29 22:40:16 2008
Subject: Wrong Count
In-Reply-To: <200810291625.49275.axisml@gmail.com>
References: <26183669.3831225312731674.JavaMail.root@office.splatnix.net> <200810291625.49275.axisml@gmail.com>
Message-ID:

on 10-29-2008 3:25 PM Chris spake the following:
> On Wednesday 29 October 2008 2:38:51 pm --[ UxBoD ]-- wrote:
>> Does everybody else see that when CLAMD finds a virri it reports double ?
>> Surely below it should be 4 ?
>
> Yes - I do as well - usually twice what's really found - it's counting
> something wrong....
>
>
>
> Chris

If you have the setting "ClamAV Full Message Scan = yes" it can do that
because the complete message is submitted along with its unpacked
contents. So the message hits once, and the attachment will also hit.
One virus, two reports.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From stef at aoc-uk.com Thu Oct 30 10:37:48 2008
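The mismatch discussed in the "Wrong Count" thread can be measured directly from the log. The following is an added example, not part of any post and not MailScanner code: it groups the scanner lines of each batch by child PID and compares the Clamd::INFECTED lines actually logged with the totals MailScanner reports. The sample lines are copied from the first post of the thread; the regular expressions assume exactly that syslog layout, and the function and field names are hypothetical.

```python
import re

# Log lines copied from the first post in this thread (one batch, PID 27632).
SAMPLE_LOG = """\
Oct 29 20:37:13 mailhub MailScanner[27632]: Clamd::INFECTED:: Email.Hdr.Sanesecurity.08022900 :: ./06BF247BFB.A68E5/
Oct 29 20:37:13 mailhub MailScanner[27632]: Clamd::INFECTED:: Email.Hdr.Sanesecurity.08022900 :: ./C836D47C0D.C47E1/
Oct 29 20:37:13 mailhub MailScanner[27632]: Clamd::INFECTED:: Email.Hdr.Sanesecurity.08022900 :: ./E142047C53.DBE44/
Oct 29 20:37:13 mailhub MailScanner[27632]: Clamd::INFECTED:: Email.Hdr.Sanesecurity.08022900 :: ./4CCD747C04.233FF/
Oct 29 20:37:13 mailhub MailScanner[27632]: Virus Scanning: Clamd found 8 infections
Oct 29 20:37:13 mailhub MailScanner[27632]: Infected message E142047C53.DBE44 came from 204.13.249.74
Oct 29 20:37:13 mailhub MailScanner[27632]: Infected message C836D47C0D.C47E1 came from 204.13.249.74
Oct 29 20:37:13 mailhub MailScanner[27632]: Infected message 4CCD747C04.233FF came from 204.13.249.74
Oct 29 20:37:13 mailhub MailScanner[27632]: Infected message 06BF247BFB.A68E5 came from 204.13.249.74
Oct 29 20:37:13 mailhub MailScanner[27632]: Virus Scanning: Found 8 viruses
"""

PREFIX = r"MailScanner\[(?P<pid>\d+)\]: "
INFECTED_RE = re.compile(
    PREFIX + r"Clamd::INFECTED::\s*(?P<sig>\S+)\s*::\s*\./(?P<msgid>[^/\s]+)/(?P<part>\S*)")
CLAMD_TOTAL_RE = re.compile(PREFIX + r"Virus Scanning: Clamd found (?P<n>\d+) infections")
SOURCE_RE = re.compile(PREFIX + r"Infected message (?P<msgid>\S+) came from (?P<ip>\S+)")
BATCH_TOTAL_RE = re.compile(PREFIX + r"Virus Scanning: Found (?P<n>\d+) viruses")


def _new_batch(pid):
    return {"pid": pid, "detections": [], "sources": {},
            "clamd_total": None, "batch_total": None}


def _summarise(batch):
    infected = {msgid for msgid, _sig, _part in batch["detections"]}
    reported_from = {m for ids in batch["sources"].values() for m in ids}
    logged = len(batch["detections"])
    reported = batch["clamd_total"]
    return {
        "pid": batch["pid"],
        "logged_detections": logged,
        "infected_messages": sorted(infected),
        "clamd_total": reported,
        "batch_total": batch["batch_total"],
        # Reported total divided by detections actually logged; 1.0 means they agree.
        "inflation": reported / logged if reported is not None and logged else None,
        # Messages blamed on a source IP that have no INFECTED line of their own.
        "without_detection_line": sorted(reported_from - infected),
        "sources": {ip: sorted(ids) for ip, ids in batch["sources"].items()},
    }


def reconcile(log_text):
    """Return one summary per batch. A batch belongs to one child PID and is
    closed by that child's 'Found N viruses' line."""
    open_batches, finished = {}, []
    for line in log_text.splitlines():
        m = INFECTED_RE.search(line)
        if m:
            batch = open_batches.setdefault(m["pid"], _new_batch(m["pid"]))
            batch["detections"].append((m["msgid"], m["sig"], m["part"]))
            continue
        m = CLAMD_TOTAL_RE.search(line)
        if m:
            batch = open_batches.setdefault(m["pid"], _new_batch(m["pid"]))
            batch["clamd_total"] = int(m["n"])
            continue
        m = SOURCE_RE.search(line)
        if m:
            batch = open_batches.setdefault(m["pid"], _new_batch(m["pid"]))
            batch["sources"].setdefault(m["ip"], set()).add(m["msgid"])
            continue
        m = BATCH_TOTAL_RE.search(line)
        if m:
            batch = open_batches.pop(m["pid"], None) or _new_batch(m["pid"])
            batch["batch_total"] = int(m["n"])
            finished.append(_summarise(batch))
    # Batches whose closing line is missing from the excerpt are still reported.
    finished.extend(_summarise(b) for b in open_batches.values())
    return finished


if __name__ == "__main__":
    for summary in reconcile(SAMPLE_LOG):
        print(summary)
```

An inflation of 2.0 on every batch is consistent with the "ClamAV Full Message Scan = yes" explanation given in the reply above; the script only measures the discrepancy and does not establish its cause.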
From: stef at aoc-uk.com (Stef Morrell)
Date: Thu Oct 30 10:37:59 2008
Subject: OT: New service - the Team Cymru Malware Hash Registry!
In-Reply-To:
References:
Message-ID: <200810301037.m9UAbovf029310@safir.blacknight.ie>

"--[ UxBoD ]--" wrote:
> Switch to Zimbra ;)
>

Real world commercial realities lean heavily in the M$ software
direction. It's what the users know and what the bosses want.

Stef
--
Stefan Morrell | Operations Director
Tel: 0845 3452820 | Alpha Omega Computers Ltd
Fax: 0845 3452830 | Incorporating Level 5 Internet
stef@aoc-uk.com | stef@l5net.net

Standard Disclaimer: http://www.aoc-uk.com/16.asp

Alpha Omega Computers Ltd, Unit 57, BBTC, Grange Road, Batley, WF17 6ER.
Registered in England No. 3867142. VAT No. GB734421454

From martinh at solidstatelogic.com Thu Oct 30 11:10:17 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Thu Oct 30 11:10:31 2008
Subject: OT: New service - the Team Cymru Malware Hash Registry!
In-Reply-To: <200810301037.m9UAbovf029310@safir.blacknight.ie>
Message-ID: <4b0ecd9a8145354381883ed5d80e5c13@solidstatelogic.com>

All about education then ain't it.

If they want to spend £££££/$$$$$ to uncle Bill/Steve then fair enough,
I'll go replace my MS setup with an IronPort or Barracuda then!

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Stef Morrell
> Sent: 30 October 2008 10:38
> To: MailScanner discussion
> Subject: RE: OT: New service - the Team Cymru Malware Hash Registry!
>
> "--[ UxBoD ]--" wrote:
> > Switch to Zimbra ;)
> >
>
> Real world commercial realities lean heavily in the M$
> software direction. It's what the users know and what the bosses want.
>
> Stef
> --
> Stefan Morrell | Operations Director
> Tel: 0845 3452820 | Alpha Omega Computers Ltd
> Fax: 0845 3452830 | Incorporating Level 5 Internet
> stef@aoc-uk.com | stef@l5net.net
>
> Standard Disclaimer: http://www.aoc-uk.com/16.asp
>
> Alpha Omega Computers Ltd, Unit 57, BBTC, Grange Road,
> Batley, WF17 6ER.
> Registered in England No. 3867142. VAT No. GB734421454
>

**********************************************************************
Confidentiality : This e-mail and any attachments are intended for the
addressee only and may be confidential. If they come to you in error
you must take no action based on them, nor must you copy or show them
to anyone. Please advise the sender by replying to this e-mail
immediately and then delete the original from your computer.

Opinion : Any opinions expressed in this e-mail are entirely those of
the author and unless specifically stated to the contrary, are not
necessarily those of the author's employer.

Security Warning : Internet e-mail is not necessarily a secure
communications medium and can be subject to data corruption. We advise
that you consider this fact when e-mailing us.

Viruses : We have taken steps to ensure that this e-mail and any
attachments are free from known viruses but in keeping with good
computing practice, you should ensure that they are virus free.

Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales (Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom
**********************************************************************

From stef at aoc-uk.com Thu Oct 30 11:41:30 2008
From: stef at aoc-uk.com (Stef Morrell)
Date: Thu Oct 30 11:41:40 2008
Subject: OT: New service - the Team Cymru Malware Hash Registry!
In-Reply-To:
References: <200810301037.m9UAbovf029310@safir.blacknight.ie>
Message-ID: <200810301141.m9UBfVqr032055@safir.blacknight.ie>

Martin.Hepworth wrote:
> All about education then ain't it.

Yes and in particular, the cost of retraining all the staff to use a
new MUA.

> If they want to spend £££££/$$$$$ to uncle Bill/Steve then
> fair enough,

On the other hand, once you've set an SME up with a server running SBS,
the average end user at least understands it enough to somewhat get by.
It's easy for us as 'experts' to sit in Ivory Towers saying how *nix &
sendmail/postfix is so much better but the average business doesn't
want the hassle of learning how, as that takes time away from whatever
their core business is.

Stef
--
Stefan Morrell | Operations Director
Tel: 0845 3452820 | Alpha Omega Computers Ltd
Fax: 0845 3452830 | Incorporating Level 5 Internet
stef@aoc-uk.com | stef@l5net.net

Standard Disclaimer: http://www.aoc-uk.com/16.asp

Alpha Omega Computers Ltd, Unit 57, BBTC, Grange Road, Batley, WF17 6ER.
Registered in England No. 3867142. VAT No. GB734421454

From martinh at solidstatelogic.com Thu Oct 30 11:53:09 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Thu Oct 30 11:53:26 2008
Subject: OT: New service - the Team Cymru Malware Hash Registry!
In-Reply-To: <200810301141.m9UBfVqr032055@safir.blacknight.ie>
Message-ID:

Average business will get a support contract with $consultant who will
do everything anyway.

Make no difference what the back-end is as long as they can use Outleek
etc as you say. A lot of people make a nice living out of selling
open-source alternatives to SBS as they come in at under 1/2 the M$
price, esp at this time.

But we digress..:-)

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Stef Morrell
> Sent: 30 October 2008 11:42
> To: MailScanner discussion
> Subject: RE: OT: New service - the Team Cymru Malware Hash Registry!
>
> Martin.Hepworth wrote:
> > All about education then ain't it.
>
> Yes and in particular, the cost of retraining all the staff
> to use a new MUA.
>
> > If they want to spend £££££/$$$$$ to uncle Bill/Steve then fair
> > enough,
>
> On the other hand, once you've set an SME up with a server
> running SBS, the average end user at least understands it
> enough to somewhat get by. It's easy for us as 'experts' to sit
> in Ivory Towers saying how *nix & sendmail/postfix is so much
> better but the average business doesn't want the hassle of
> learning how, as that takes time away from whatever their
> core business is.
>
> Stef
> --
> Stefan Morrell | Operations Director
> Tel: 0845 3452820 | Alpha Omega Computers Ltd
> Fax: 0845 3452830 | Incorporating Level 5 Internet
> stef@aoc-uk.com | stef@l5net.net
>
> Standard Disclaimer: http://www.aoc-uk.com/16.asp
>
> Alpha Omega Computers Ltd, Unit 57, BBTC, Grange Road,
> Batley, WF17 6ER.
> Registered in England No. 3867142. VAT No. GB734421454
>

From achim+mailscanner at qustodium.net Thu Oct 30 12:04:24 2008
From: achim+mailscanner at qustodium.net (Achim J. Latz)
Date: Thu Oct 30 12:04:50 2008
Subject: New service - the Team Cymru Malware Hash Registry!
In-Reply-To: <490843F6.1010606@fsl.com>
References: <16055869.2741225225341985.JavaMail.root@office.splatnix.net> <49081E68.6030100@alexb.ch> <490843F6.1010606@fsl.com>
Message-ID: <4909A2C8.9040204@qustodium.net>

Hello all:

On 29/10/08 12:07, Steve Freegard wrote:
> If enough people were interested in participating by donating spam/virus
> trap feeds, then it would be relatively straightforward to provide fresh
> hashes of both malware and spam via two separate DNS based lists.

We (Qustodium Internet Security [1]) would be willing to provide
bandwidth, storage space and signatures for such a concerted community
effort. Just let me know what we have to do!

Best regards, Achim

[1] http://www.qustodium.net

From stef at aoc-uk.com Thu Oct 30 12:11:51 2008
From: stef at aoc-uk.com (Stef Morrell)
Date: Thu Oct 30 12:12:01 2008
Subject: OT: New service - the Team Cymru Malware Hash Registry!
In-Reply-To:
References: <200810301141.m9UBfVqr032055@safir.blacknight.ie>
Message-ID: <200810301211.m9UCBqgE000865@safir.blacknight.ie>

Martin.Hepworth wrote:
> Average business will get a support contract with $consultant
> who will do everything anyway.

Like me.. Yay!

> Make no difference what the back-end is as long as they can
> use Outleek etc as you say. A lot of people make a nice
> living out of selling open-source alternatives to SBS as they
> come in at under 1/2 the M$ price, esp at this time.

They've inevitably bought into some third party software for some
business critical process, which requires doze server in some way,
MS-SQL perhaps. So, we're tied into at least one doze server. At that
point, we can use SBS and it's all done, or we have to buy more iron
for an open source solution for 'other services', which by the time
you've bought the tin, the warranties and my time, is getting expensive
and I'm not delivering best value to client.

At least I've got them putting IPCOP as their firewall solutions, so
it's not all a complete loss.

> But we digress..:-)

Aye.. aye...

Stef

>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of
>> Stef Morrell Sent: 30 October 2008 11:42
>> To: MailScanner discussion
>> Subject: RE: OT: New service - the Team Cymru Malware Hash Registry!
>>
>> Martin.Hepworth wrote:
>>> All about education then ain't it.
>>
>> Yes and in particular, the cost of retraining all the staff to use a
>> new MUA.
>>
>>> If they want to spend £££££/$$$$$ to uncle Bill/Steve then fair
>>> enough,
>>
>> On the other hand, once you've set an SME up with a server running
>> SBS, the average end user at least understands it enough to somewhat get
>> by. It's easy for us as 'experts' to sit in Ivory Towers saying how
>> *nix & sendmail/postfix is so much better but the average business
>> doesn't want the hassle of learning how, as that takes time away from
>> whatever their core business is.
>>
>> Stef

--
Stefan Morrell | Operations Director
Tel: 0845 3452820 | Alpha Omega Computers Ltd
Fax: 0845 3452830 | Incorporating Level 5 Internet
stef@aoc-uk.com | stef@l5net.net

Standard Disclaimer: http://www.aoc-uk.com/16.asp

Alpha Omega Computers Ltd, Unit 57, BBTC, Grange Road, Batley, WF17 6ER.
Registered in England No. 3867142. VAT No. GB734421454

From sandrews at andrewscompanies.com Thu Oct 30 12:42:35 2008
From: sandrews at andrewscompanies.com (Steven Andrews)
Date: Thu Oct 30 12:42:45 2008
Subject: OT: New service - the Team Cymru Malware Hash Registry!
In-Reply-To: <200810301141.m9UBfVqr032055@safir.blacknight.ie>
References: <200810301037.m9UAbovf029310@safir.blacknight.ie> <200810301141.m9UBfVqr032055@safir.blacknight.ie>
Message-ID: <1964AAFBC212F742958F9275BF63DBB0907690@winchester.andrewscompanies.com>

Businesses are in business to make money at whatever product/service
they're selling. All technology is in support of that; IT needs to
understand that overriding concept. 2 rungs up from them, they could
care less if it's *nix or windows or a rat running on a wheel so all of
our preferences for one thing over another are a complete waste.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Stef Morrell
Sent: Thursday, October 30, 2008 7:42 AM
To: MailScanner discussion
Subject: RE: OT: New service - the Team Cymru Malware Hash Registry!

Martin.Hepworth wrote:
> All about education then ain't it.

Yes and in particular, the cost of retraining all the staff to use a
new MUA.

> If they want to spend £££££/$$$$$ to uncle Bill/Steve then
> fair enough,

On the other hand, once you've set an SME up with a server running SBS,
the average end user at least understands it enough to somewhat get by.
It's easy for us as 'experts' to sit in Ivory Towers saying how *nix &
sendmail/postfix is so much better but the average business doesn't
want the hassle of learning how, as that takes time away from whatever
their core business is.

Stef
--
Stefan Morrell | Operations Director
Tel: 0845 3452820 | Alpha Omega Computers Ltd
Fax: 0845 3452830 | Incorporating Level 5 Internet
stef@aoc-uk.com | stef@l5net.net

Standard Disclaimer: http://www.aoc-uk.com/16.asp

Alpha Omega Computers Ltd, Unit 57, BBTC, Grange Road, Batley, WF17 6ER.
Registered in England No. 3867142. VAT No. GB734421454

From ka at pacific.net Thu Oct 30 13:59:07 2008
From: ka at pacific.net (Ken A)
Date: Thu Oct 30 13:59:10 2008
Subject: OT: New service - the Team Cymru Malware Hash Registry!
In-Reply-To: <200810301037.m9UAbovf029310@safir.blacknight.ie>
References: <200810301037.m9UAbovf029310@safir.blacknight.ie>
Message-ID: <4909BDAB.9070600@pacific.net>

Stef Morrell wrote:
> "--[ UxBoD ]--" wrote:
>> Switch to Zimbra ;)
>>
>
> Real world commercial realities lean heavily in the M$ software
> direction. It's what the users know and what the bosses want.
>
> Stef

But what we really want to know is..
What would Cisco and Root do?
Ken

--
Ken Anderson
Pacific.Net

From drew.marshall at technologytiger.net Thu Oct 30 14:07:19 2008
From: drew.marshall at technologytiger.net (Drew Marshall)
Date: Thu Oct 30 14:07:33 2008
Subject: OT: New service - the Team Cymru Malware Hash Registry!
In-Reply-To: <4909BDAB.9070600@pacific.net>
References: <200810301037.m9UAbovf029310@safir.blacknight.ie> <4909BDAB.9070600@pacific.net>
Message-ID: <5BA713EE-C355-4AF1-B7F7-84A104876DF0@technologytiger.net>

On 30 Oct 2008, at 13:59, Ken A wrote:

> Stef Morrell wrote:
>> "--[ UxBoD ]--" wrote:
>>> Switch to Zimbra ;)
>>>
>> Real world commercial realities lean heavily in the M$ software
>> direction. It's what the users know and what the bosses want.
>> Stef
>
> But what we really want to know is..
> What would Cisco and Root do?
> Ken

Sleep on it :-)

Drew

--
In line with our policy, this message has been scanned for viruses and
dangerous content by Technology Tiger's Mail Launder system
Our email policy can be found at www.technologytiger.net/policy

Technology Tiger Limited is registered in Scotland with registration
number: 310997
Registered Office 55-57 West High Street Inverurie AB51 3QQ

From paul at welshfamily.com Thu Oct 30 14:17:55 2008
From: paul at welshfamily.com (Paul Welsh)
Date: Thu Oct 30 14:18:26 2008
Subject: Scanning inside zip files
In-Reply-To: <200809261100.m8QB0NCE010340@safir.blacknight.ie>
Message-ID: <200810301418.m9UEII39005495@safir.blacknight.ie>

Apologies if this has been covered many times previously but I used to set the maximum depth for zip file scanning to 0, ie, disable it. This allowed files that would otherwise be blocked to be zipped and sent.

Then recently came the malware in zip files that changed so frequently that Clam and others couldn't keep up so I changed my zip scanning setting to block these viruses.

Now I'm getting problems from customers who want to send programs in zip files so I've had to reset the maximum depth to 0 again.

Off the top of my head I can only think that I should turn on the quarantine (it's off at present) and go back to blocking programs in zip files, then dig out files that get blocked in error from the quarantine as requested.

Anyone else doing something more clever?

From MailScanner at ecs.soton.ac.uk Thu Oct 30 15:32:10 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Oct 30 15:32:30 2008
Subject: "Remove These Headers" in MailScanner.conf
Message-ID: <4909D37A.90805@ecs.soton.ac.uk>

I have just come across a pretty good looking list of headers that you probably don't want in your incoming mail. These include headers that trigger "read receipts", as well as headers whose presence might break either your mailbox store or your users' email applications.

Remove These Headers = Disposition-Notification-To: Return-Receipt-To: X-Confirm-Reading-To: Disposition-Notification-To: Receipt-Requested-To: Confirm-Reading-To: MDRcpt-To: MDSend-Notifications-To: Smtp-Rcpt-To: Return-Receipt-To: Read-Receipt-To: X-Confirm-Reading-To: X-Acknowledge-To: Delivery-Receipt-To: X-PMrqc: Errors-To: X-IMAPBase: X-IMAP: X-UID: Status: X-Status: X-UIDL: X-Keywords: X-Mozilla-Status: X-Mozilla-Status2:

Use this, or any subset of it, if you want to. I have added it to the documentation in the MailScanner.conf file for the next release (which will be tomorrow or Saturday probably).

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From bpirie at rma.edu Thu Oct 30 15:44:26 2008
From: bpirie at rma.edu (Brendan Pirie)
Date: Thu Oct 30 15:43:16 2008
Subject: "Remove These Headers" in MailScanner.conf
In-Reply-To: <4909D37A.90805@ecs.soton.ac.uk>
References: <4909D37A.90805@ecs.soton.ac.uk>
Message-ID: <4909D65A.3050006@rma.edu>

Julian Field wrote:
> I have just come across a pretty good looking list of headers that you
> probably don't want in your incoming mail. These include headers that
> trigger "read receipts", as well as headers whose presence might break
> either your mailbox store or your users' email applications.
>
> Remove These Headers = Disposition-Notification-To: Return-Receipt-To:
> X-Confirm-Reading-To: Disposition-Notification-To:
> Receipt-Requested-To: Confirm-Reading-To: MDRcpt-To:
> MDSend-Notifications-To: Smtp-Rcpt-To: Return-Receipt-To:
> Read-Receipt-To: X-Confirm-Reading-To: X-Acknowledge-To:
> Delivery-Receipt-To: X-PMrqc: Errors-To: X-IMAPBase: X-IMAP: X-UID:
> Status: X-Status: X-UIDL: X-Keywords: X-Mozilla-Status:
> X-Mozilla-Status2:
>
> Use this, or any subset of it, if you want to. I have added it to the
> documentation in the MailScanner.conf file for the next release (which
> will be tomorrow or Saturday probably).
>
> Jules
>

Jules,

There appear to be duplicates of the following entries in the list:

Disposition-Notification-To:
Return-Receipt-To:
X-Confirm-Reading-To:

Brendan

From martinh at solidstatelogic.com Thu Oct 30 15:46:11 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Thu Oct 30 15:46:25 2008
Subject: "Remove These Headers" in MailScanner.conf
In-Reply-To: <4909D37A.90805@ecs.soton.ac.uk>
Message-ID: <46b33847a059c8459b0995558d04db10@solidstatelogic.com>

Hmm

Not sure about the read/delivery receipt stuff in there. A lot of people like to spam themselves with this stuff....I know it's a bad idea along with OoO replies but 'user's who need educating may take a dim view.

What do other folk think?

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer.
Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer.
Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us.
Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free.

Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales (Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom
**********************************************************************

From ggroot at ateneo.unile.it Thu Oct 30 16:05:25 2008
From: ggroot at ateneo.unile.it (Gigio)
Date: Thu Oct 30 16:05:44 2008
Subject: bypass spam and MCP check
In-Reply-To: <30200a940810270134i6bbb754fxac49aaa95895098@mail.gmail.com>
References: <30200a940810270134i6bbb754fxac49aaa95895098@mail.gmail.com>
Message-ID: <4909DB45.8010604@ateneo.unile.it>

Hello all,

I've mail server #1 (postfix+SA) and server #2 (postfix+MS+SA). Some accounts on #1 forward emails to account on #2. Can I bypass spam and mcp check for these emails on #2?

Many Thanks

Sorry for my bad English

From jethro.binks at strath.ac.uk Thu Oct 30 16:16:27 2008
From: jethro.binks at strath.ac.uk (Jethro R Binks)
Date: Thu Oct 30 16:16:36 2008
Subject: "Remove These Headers" in MailScanner.conf
In-Reply-To: <46b33847a059c8459b0995558d04db10@solidstatelogic.com>
References: <46b33847a059c8459b0995558d04db10@solidstatelogic.com>
Message-ID:

On Thu, 30 Oct 2008, Julian Field wrote:

> I have just come across a pretty good looking list of headers that you
> probably don't want in your incoming mail.

You're welcome Julian.

On Thu, 30 Oct 2008, Martin.Hepworth wrote:

> Not sure about the read/delivery receipt stuff in there. A lot of people
> like to spam themselves with this stuff....I know it's a bad idea along
> with OoO replies but 'user's who need educating may take a dim view.
>
> What do other folk think?

There is no guarantee that any of those headers have any operational meaning outside one's own administrative zone for email, and maybe not across different systems within it. Either the remote system may not support responding to them, or the end user may choose not to allow the acknowledgement. Absence of an auto-ack does not mean the message was not read, and end users should be trained accordingly.

I personally consider it none of the sender's business when I happened to read one or other email. If I make a reply, then they'll know I read it then. That's all they need to know.

In terms of MailScanner, then, I would probably suggest leaving the mail box status messages (X-IMAPBase:, Status:, etc) in the default list (a security decision), and then just listing the others as possible additional inclusions for those sites which want to additionally block the requests for disposition notifications/read receipts/etc (a policy/privacy decision).

On a similar note, I am always much amused when "XYZ has recalled the message 'Blah blah blah'" messages go to mailing lists. Such features are even more useless, generally only working for internal email only: once the email has escaped to the Internet, it is too late. Drawing attention to the message ("Hmm, why did they want to recall it, what juicy gossip did they mis-send?") only serves to compound the error.

Jethro.

-- 
. . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK

From ms-list at alexb.ch Thu Oct 30 16:31:51 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Thu Oct 30 16:31:43 2008
Subject: "Remove These Headers" in MailScanner.conf
In-Reply-To: <46b33847a059c8459b0995558d04db10@solidstatelogic.com>
References: <46b33847a059c8459b0995558d04db10@solidstatelogic.com>
Message-ID: <4909E177.706@alexb.ch>

On 10/30/2008 4:46 PM, Martin.Hepworth wrote:
> Hmm
>
> Not sure about the read/delivery receipt stuff in there. A lot of
> people like to spam themselves with this stuff....I know it's a bad
> idea along with OoO replies but 'user's who need educating may take a
> dim view.
>
> What do other folk think?

Those who don't want them have already blocked them otherwise.
Those who don't know what they mean/do should keep their fingers off.

I wouldn't add them to any conf file, in any way, maybe a link to a Wiki article, not more.

Alex

From Kevin_Miller at ci.juneau.ak.us Thu Oct 30 17:32:31 2008
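The split Jethro Binks proposes (mailbox-status headers as a security default, receipt-request headers as an optional policy) and the duplicates Brendan Pirie spotted can be checked mechanically. The sketch below is an added example, not MailScanner code: it parses the posted value, reports duplicates, splits the names, and strips them from a constructed sample message. Which names count as "mailbox status" is an assumption extrapolated from Jethro's "X-IMAPBase:, Status:, etc".

```python
from email import message_from_bytes
from email.policy import compat32

# The setting value exactly as posted in the thread (duplicates included).
POSTED_LIST = (
    "Disposition-Notification-To: Return-Receipt-To: X-Confirm-Reading-To: "
    "Disposition-Notification-To: Receipt-Requested-To: Confirm-Reading-To: "
    "MDRcpt-To: MDSend-Notifications-To: Smtp-Rcpt-To: Return-Receipt-To: "
    "Read-Receipt-To: X-Confirm-Reading-To: X-Acknowledge-To: "
    "Delivery-Receipt-To: X-PMrqc: Errors-To: X-IMAPBase: X-IMAP: X-UID: "
    "Status: X-Status: X-UIDL: X-Keywords: X-Mozilla-Status: X-Mozilla-Status2:"
)

# Assumption for this example: headers that a mail store or client writes
# into stored mail itself, so an inbound copy should never be trusted.
MAILBOX_STATE = frozenset(
    name.lower() for name in (
        "X-IMAPBase", "X-IMAP", "X-UID", "Status", "X-Status", "X-UIDL",
        "X-Keywords", "X-Mozilla-Status", "X-Mozilla-Status2",
    )
)


def parse_header_list(value):
    """Return (unique names in first-seen order, names that were repeated)."""
    names, duplicates, seen = [], [], set()
    for token in value.split():
        name = token.rstrip(":")
        if not name:
            continue
        key = name.lower()          # header names are case-insensitive
        if key in seen:
            duplicates.append(name)
        else:
            seen.add(key)
            names.append(name)
    return names, duplicates


def split_by_reason(names):
    """Split into (security: mailbox state, policy: receipt requests etc.)."""
    security = [n for n in names if n.lower() in MAILBOX_STATE]
    policy = [n for n in names if n.lower() not in MAILBOX_STATE]
    return security, policy


def strip_headers(raw, names):
    """Remove every occurrence of each named header; return (bytes, removed)."""
    msg = message_from_bytes(raw, policy=compat32)
    removed = []
    for name in names:
        hits = msg.get_all(name, [])
        if hits:
            removed.append((name, len(hits)))
            del msg[name]           # deletes all occurrences, any case
    return msg.as_bytes(), removed


# Constructed sample message (not taken from the thread).
SAMPLE = (
    b"From: sender@example.org\n"
    b"To: user@example.com\n"
    b"Subject: quarterly figures\n"
    b"Disposition-Notification-To: sender@example.org\n"
    b"status: RO\n"
    b"X-UID: 4242\n"
    b"X-Status: A\n"
    b"Return-Receipt-To: sender@example.org\n"
    b"return-receipt-to: other@example.org\n"
    b"\n"
    b"Body text that mentions Status: RO is not a header and stays.\n"
)

if __name__ == "__main__":
    names, dups = parse_header_list(POSTED_LIST)
    security, policy = split_by_reason(names)
    print("duplicates:", dups)
    print("security default:", " ".join(n + ":" for n in security))
    print("optional policy :", " ".join(n + ":" for n in policy))
    cleaned, removed = strip_headers(SAMPLE, security)
    print("removed:", removed)
    print(cleaned.decode("ascii"))
```
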
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Thu Oct 30 17:32:44 2008
Subject: Scanning inside zip files
In-Reply-To: <200810301418.m9UEII39005495@safir.blacknight.ie>
References: <200809261100.m8QB0NCE010340@safir.blacknight.ie> <200810301418.m9UEII39005495@safir.blacknight.ie>
Message-ID:

Paul Welsh wrote:
> Apologies if this has been covered many times previously but I used
> to set the maximum depth for zip file scanning to 0, ie, disable it.
> This allowed files that would otherwise be blocked to be zipped and
> sent.
>
> Then recently came the malware in zip files that changed so
> frequently that Clam and others couldn't keep up so I changed my zip
> scanning setting to block these viruses.
>
> Now I'm getting problems from customers who want to send programs in
> zip files so I've had to reset the maximum depth to 0 again.
>
> Off the top of my head I can only think that I should turn on the
> quarantine (it's off at present) and go back to blocking programs in
> zip files, then dig out files that get blocked in error from the
> quarantine as requested.
>
> Anyone else doing something more clever?

Can't say that it's particularly clever on my part, but our clever leader Julian made it pretty easy to set up a whitelist of domains allowed to send restricted content. Default behavior is to block, exceptions allowed to pass. This is simple if you only have a couple of exceptions. If you're talking dozens on a random basis it isn't quite so handy...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From martinh at solidstatelogic.com Thu Oct 30 17:49:04 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Thu Oct 30 17:49:21 2008
Subject: Scanning inside zip files
In-Reply-To:
Message-ID:

Yeah there's this page about overloading that I put on the wiki..

http://wiki.mailscanner.info/doku.php?id=documentation:configuration:rulesets:overloading

(spot you used to be a programmer)

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From rcooper at dwford.com Thu Oct 30 18:26:05 2008
From: rcooper at dwford.com (Rick Cooper)
Date: Thu Oct 30 18:26:20 2008
Subject: Scanning inside zip files
In-Reply-To: <200810301418.m9UEII39005495@safir.blacknight.ie>
References: <200809261100.m8QB0NCE010340@safir.blacknight.ie> <200810301418.m9UEII39005495@safir.blacknight.ie>
Message-ID: <0715ADCAA7C84802BB830BEAB465D801@SAHOMELT>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On
> Behalf Of Paul Welsh
> Sent: Thursday, October 30, 2008 10:18 AM
> To: mailscanner@lists.mailscanner.info
> Subject: Scanning inside zip files
>
> Apologies if this has been covered many times previously but
> I used to set the maximum depth for zip file scanning to 0, ie, disable
> it. This allowed files that would otherwise be blocked to be zipped and sent.
>
> Then recently came the malware in zip files that changed so
> frequently that Clam and others couldn't keep up so I changed my zip
> scanning setting to block these viruses.
>
> Now I'm getting problems from customers who want to send
> programs in zip files so I've had to reset the maximum depth to 0 again.
>
> Off the top of my head I can only think that I should turn
> on the quarantine (it's off at present) and go back to blocking programs in
> zip files, then dig out files that get blocked in error from the quarantine
> as requested.
>
> Anyone else doing something more clever?
>

I have patches that cause MailScanner to use a different set of rule files (type and name) for files inside an archive. So I can allow .exe files in a zip file while disallowing them raw and they will still be virus scanned because the archive is opened by MailScanner.

Of course I have to patch each new version that comes out and rebuild the patches when something changes within that module.

Rick

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From ccampbell at brueggers.com Thu Oct 30 18:31:22 2008
From: ccampbell at brueggers.com (Christian Campbell)
Date: Thu Oct 30 18:31:54 2008
Subject: QFM/DFM buildup
Message-ID:

Skipped content of type multipart/alternative

From ssilva at sgvwater.com Thu Oct 30 18:52:17 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Oct 30 18:52:44 2008
Subject: QFM/DFM buildup
In-Reply-To:
References:
Message-ID:

on 10-30-2008 11:31 AM Christian Campbell spake the following:
> I am running MailScanner 4.67.6 with Sendmail. My /var/spool/mqueue.in
> has a significant number of qfm files with no corresponding dfm files.
> Can I safely delete those? Also, why do those qfm files stick around?
> Is there a solution to keeping this from happening?
>
>
>

I usually have the opposite. DFM files without matching QFM.

Something like this in cron;

------------------------cut---------------------------
#!/bin/bash
# clean up orphaned df* files in mqueue.in older than 1 day
# no known cause for these files yet.
/etc/init.d/MailScanner stop
sleep 5
dir="/var/spool/mqueue.in"
# Only consider regular df* files directly in the queue directory; an
# unrestricted find also returns the directory itself and the qf* files.
find "$dir" -maxdepth 1 -type f -name 'df*' -mtime +1 -print |
while IFS= read -r i
do
    m=$(basename "$i")
    j=${m:2}    # queue id: the file name without its "df" prefix
    # no matching qf (control) file means the df (data) file is orphaned
    if [ ! -e "${dir}/qf${j}" ]; then
        mv -- "$i" /var/tmp/
    fi
done
#echo
#df -hl
/etc/init.d/MailScanner start
exit 0
------------------------cut---------------------------

--
MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!!

From ssilva at sgvwater.com Thu Oct 30 19:20:59 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Oct 30 19:21:25 2008
Subject: McAfee announcement about updates
Message-ID:

This should be of interest to anybody running McAfee virus scanners...

-------------------------------------------------------------
Beginning November 1, 2008, McAfee will be releasing DAT files on Saturday and Sunday in addition to the existing Monday - Friday schedule. The process for updating to these DAT files will be the same as updating DAT files on Monday - Friday.
-------------------------------------------------------------

I have been almost burned on 0day's that came out on Friday before. Luckily, it isn't my only scanner.

--
MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!!

From gesbbb at yahoo.com Thu Oct 30 21:12:36 2008
From: gesbbb at yahoo.com (Jerry)
Date: Thu Oct 30 21:12:56 2008
Subject: "Remove These Headers" in MailScanner.conf
In-Reply-To: <46b33847a059c8459b0995558d04db10@solidstatelogic.com>
References: <4909D37A.90805@ecs.soton.ac.uk> <46b33847a059c8459b0995558d04db10@solidstatelogic.com>
Message-ID: <20081030171236.341a94db@scorpio>

On Thu, 30 Oct 2008 15:46:11 +0000 "Martin.Hepworth" wrote:

>Not sure about the read/delivery receipt stuff in there. A lot of
>people like to spam themselves with this stuff....I know it's a bad
>idea along with OoO replies but 'user's who need educating may take a
>dim view.
>
>What do other folk think?

Personally, unless I was setting the server up for my exclusive use, I would not want to block any of those headers by default. I am sick of software making arbitrary decisions on what I should or should not view or do. Unless it is a security problem, the sanitizing of email headers, content, etc should be left up to the end user. Offering the user the tools to do so is fine as long as they are not turned on by default.

Case in point, at one time, perhaps even now, Google was blocking ZIP files that contained 'exe' files. They were also blocking encrypted files too. It did not take me long before I realized that I did not need a Nazi censoring my mail.

Just my 2¢.

--
Jerry
gesbbb@yahoo.com

It's possible that the whole purpose of your life is to serve as a warning to others.

From kate at rheel.co.nz Thu Oct 30 22:30:41 2008
From: kate at rheel.co.nz (Kate Kleinschafer)
Date: Thu Oct 30 22:29:24 2008
Subject: txt file getting blocked as Quick Time file
In-Reply-To: <49007D5F.2030004@nerc.ac.uk>
References: <48FE3413.4070407@rheel.co.nz> <49007D5F.2030004@nerc.ac.uk>
Message-ID: <490A3591.10702@rheel.co.nz>

Greg Matthews wrote:
> Kate Kleinschafer wrote:
>> I am getting a few messages blocked saying they have a Quick Time
>> file attached (which shows as msg-18161-4.txt)
>
> the quicktime signatures are extremely broad. I get around this by
> commenting out the overly generous signatures and re-compiling the
> magic data. See the man page for "file(1)" in particular the "-C"
> option. See also the man page for magic(5) although this is not
> necessary it will give you a better idea of how file works.
>
> copy aside the original magic file (on redhat/centos this is
> /usr/share/file/magic) and edit it. Personally, I comment out the
> following lines:
>
> #4 string free Apple QuickTime movie file (free)
> #4 string junk Apple QuickTime movie file (junk)
> #4 string skip Apple QuickTime movie file (skip)
> #4 string wide Apple QuickTime movie file (wide)
> #4 string pict Apple QuickTime movie file (pict)
>
> which hit any message body beginning with those letters. If you
> examine the bodies of the messages that are getting blocked, I expect
> you'll find that they begin with one of those 4-letter combinations.
> Now recompile the .mgc file using file -C.
>
> Finally exclude "file" from software updates (edit /etc/yum.conf or
> tweak your up2date config).
>
> Also consider using the mime filetype checking - not sure where this
> is documented off-hand but it was discussed at length on this list.
>
> GREG
>
>> I know the message is ham.
>> After doing some searching on the internet I came across a thread
>> that said the following about the problem:
>>
>> This bug is not so much a problem with filenames. I'm just pointing out
>> > that the filenames.conf entries don't override filetype.conf So the
>> > tnef created "msg*.txt" files that can be misinterpreted by filetype as
>> > Quicktime files can't be overridden. The only options are to allow
>> > quicktime filetypes or disable the "Use TNEF Contents" option.
>>
>> Is the best option to allow QuickTime in filetype.rules.conf or is
>> there another more suitable option.
>>
>> Thanks
>> Kate
>

Thank you for the very helpful information Greg - I had no idea that was how it checked and blocked the files. I will look into implementing this shortly.

Thanks again.

Kate

From Jeff.Mills at versacold.com.au Fri Oct 31 00:28:04 2008
From: Jeff.Mills at versacold.com.au (Jeff Mills)
Date: Fri Oct 31 00:28:17 2008
Subject: Docs.google.com spam
Message-ID:

I've noticed a lot of spam getting through at the moment with links to docs.google.com

These emails are all random text based, which makes it very hard for bayes to do anything with it.

Is anybody effectively detecting these as spam? If so, which rules are generally picking them up?

From gmatt at nerc.ac.uk Fri Oct 31 08:41:30 2008
From: gmatt at nerc.ac.uk (Greg Matthews)
Date: Fri Oct 31 08:41:47 2008
Subject: "Remove These Headers" in MailScanner.conf
In-Reply-To: <20081030171236.341a94db@scorpio>
References: <4909D37A.90805@ecs.soton.ac.uk> <46b33847a059c8459b0995558d04db10@solidstatelogic.com> <20081030171236.341a94db@scorpio>
Message-ID: <490AC4BA.4080905@nerc.ac.uk>

Jerry wrote:
> On Thu, 30 Oct 2008 15:46:11 +0000
> "Martin.Hepworth" wrote:
>> What do other folk think?
>
> Personally, unless I was setting the server up for my exclusive use, I
> would not want to block any of those headers by default. I am sick of
> software making arbitrary decisions on what I should or should not view
> or do. Unless it is a security problem, the sanitizing of email
> headers, content, etc should be left up to the end user. Offering the
> user the tools to do so is fine as long as they are not turned on by
> default.

except there is a security problem. The point is that spammers are using delivery/read receipts to verify their address lists. Verified lists then become much more valuable.

Also, there appears to be a bug in Outlook that will send receipts in certain circumstances even when configured not to. This was recently discussed on uk-mail-managers:

"We're currently migrating to Exchange 2007 and came across this a couple of days ago. There seems to be a bug in Outlook whereby if you access your email account using IMAP and delete a message that requests a read receipt, when Outlook next notices the message has vanished it generates the "Not Read" response back to the sender. This is irrespective of whether the user has chosen to respond to delivery receipts or not. We've also noticed the behaviour when Messaging Records Management deletes emails on the server. .... We've logged a support case with MS, we'll see if we get a sensible response..."

> Case in point, at one time, perhaps even now, Google was blocking ZIP
> files that contained 'exe' files. They were also blocking encrypted
> files too. It did not take me long before I realized that I did not
> need a Nazi censoring my mail.

you lose. See Godwin's Law.

GREG

>
> Just my 2¢.
>
> --
Greg Matthews 01491 692445
Head of UNIX/Linux, iTSS Wallingford

--
This message (and any attachments) is for the recipient only. NERC is subject to the Freedom of Information Act 2000 and the contents of this email and any reply you make may be disclosed by NERC unless it is exempt from release under the Act. Any material supplied to NERC may be stored in an electronic records management system.

From MailScanner at ecs.soton.ac.uk Fri Oct 31 09:06:52 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Oct 31 09:07:16 2008
Subject: "Remove These Headers" in MailScanner.conf
In-Reply-To: <20081030171236.341a94db@scorpio>
References: <4909D37A.90805@ecs.soton.ac.uk> <46b33847a059c8459b0995558d04db10@solidstatelogic.com> <20081030171236.341a94db@scorpio>
Message-ID: <490ACAAC.2070505@ecs.soton.ac.uk>

Jerry wrote:
> On Thu, 30 Oct 2008 15:46:11 +0000
> "Martin.Hepworth" wrote:
>
>
>> Not sure about the read/delivery receipt stuff in there. A lot of
>> people like to spam themselves with this stuff....I know it's a bad
>> idea along with OoO replies but 'user's who need educating may take a
>> dim view.
>>
>> What do other folk think?
>>
>
> Personally, unless I was setting the server up for my exclusive use, I
> would not want to block any of those headers by default. I am sick of
> software making arbitrary decisions on what I should or should not view
> or do.

Precisely. Which is why I added the list to the *documentation* in MailScanner.conf, not the default setting.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From martinh at solidstatelogic.com Fri Oct 31 09:13:17 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Fri Oct 31 09:13:31 2008
Subject: "Remove These Headers" in MailScanner.conf
In-Reply-To: <490ACAAC.2070505@ecs.soton.ac.uk>
Message-ID:

Jules

Now you see there I go again. Thinking Jules had made a mistake and actually he hasn't ;-) Just describing what it could do...

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Julian Field
> Sent: 31 October 2008 09:07
> To: mailscanner@lists.mailscanner.info
> Subject: Re: "Remove These Headers" in MailScanner.conf
>
> Jerry wrote:
> > On Thu, 30 Oct 2008 15:46:11 +0000
> > "Martin.Hepworth" wrote:
> >
> >> Not sure about the read/delivery receipt stuff in there. A lot of
> >> people like to spam themselves with this stuff....I know it's a bad
> >> idea along with OoO replies but 'user's who need educating may take a
> >> dim view.
> >>
> >> What do other folk think?
> >
> > Personally, unless I was setting the server up for my exclusive use, I
> > would not want to block any of those headers by default. I am sick of
> > software making arbitrary decisions on what I should or should not
> > view or do.
> Precisely. Which is why I added the list to the
> *documentation* in MailScanner.conf, not the default setting.
>
> Jules

**********************************************************************
Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer.
Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer.
Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us.
Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free.

Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales (Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom
**********************************************************************

From ms-list at alexb.ch Fri Oct 31 09:29:00 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Fri Oct 31 09:28:48 2008
Subject: "Remove These Headers" in MailScanner.conf
In-Reply-To:
References:
Message-ID: <490ACFDC.2010502@alexb.ch>

Sorry - me too.

Tho I still think a link to the wiki is more adequate for stuff like this. That way users can add any possible suggestions/concerns/etc.

Alex

On 10/31/2008 10:13 AM, Martin.Hepworth wrote:
> Jules
>
> Now you see there I go again. Thinking Jules had made a mistake and actually he hasn't ;-) Just describing what it could do...
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300

From blaat0001 at gmail.com Fri Oct 31 09:39:22 2008
From: blaat0001 at gmail.com (BlaaT 0001)
Date: Fri Oct 31 09:39:30 2008
Subject: Watermarking not working
Message-ID: <254612fc0810310239q599fdcf1n1d9610ed3d1e7775@mail.gmail.com>

Hello all,

I'm still having problems using watermarking. My MailScanner settings related to watermarking are:

Use Watermarking = yes
Add Watermark = %rules-dir%/add.watermark.rules
Check Watermarks With No Sender = %rules-dir%/check.watermarks.with.no.sender.rules
Treat Invalid Watermarks With No Sender as Spam = 20
Check Watermarks To Skip Spam Checks = no
Watermark Secret = ***************
Watermark Lifetime = 604800
Watermark Header = X-%org-name%-WM:

We add a watermark on outgoing mail, and we check incoming mail on watermarks (using the rulesets).

Every "no sender" mail gets marked by the watermarking feature, from the logfile:

Oct 31 08:39:31 mailscan02 MailScanner[26686]: Message 720DF48F44B.05390 had bad watermark, added 20 to spam score
Oct 31 08:39:31 mailscan02 MailScanner[26686]: Message 720DF48F44B.05390 from 194.106.220.35 () to ourdomain.tld is spam (no watermark or sender address), SpamAssassin (score=0, vereist 20, autolearn=disabled)

This was a legit bounce mail, a response to a mail sent from our MailScanner machine with a watermark attached.

This is the full message:

----------------------------------------------------------------

Received: from mail91.messagelabs.com (mail91.messagelabs.com [ 194.106.220.35])
    by mailscan02.ourdomain.tld (Postfix) with ESMTP id 720DF48F44B
    for ; Fri, 31 Oct 2008 08:39:26 +0100 (CET)
X-VirusChecked: Checked
X-Msg-Ref: server-7.tower-91.messagelabs.com!1225438765!40564331!1
X-StarScan-Version: 5.5.12.14.2; banners=-,-,-
X-Originating-IP: [77.94.249.25]
X-SpamReason: No, hits=0.0 required=7.0 tests=
Received: (qmail 30403 invoked from network); 31 Oct 2008 07:39:25 -0000
Received: from net3-nl-smtp-01.vevida.net (HELO net3-nl-smtp-01.vevida.net) (77.94.249.25)
    by server-7.tower-91.messagelabs.com with AES256-SHA encrypted SMTP; 31 Oct 2008 07:39:25 -0000
Received: from net3-nl-mail-02.vevida.net (net3-nl-mail-02.vevida.net [ 77.94.249.24])
    by net3-nl-smtp-01.vevida.net (Postfix) with ESMTP id 3976B2EC542
    for ; Fri, 31 Oct 2008 08:39:25 +0100 (CET)
Received: by net3-nl-mail-02.vevida.net (Postfix, from userid 8)
    id 3793E35002B; Fri, 31 Oct 2008 08:39:25 +0100 (CET)
Message-ID:
Date: Fri, 31 Oct 2008 08:39:25 +0100
From: Mail Delivery Subsystem
To:
MIME-Version: 1.0
Content-Type: multipart/report; report-type=disposition-notification;
    boundary="21397/net3-nl-mail-02.vevida.net"
Subject: Automatically rejected mail
Auto-Submitted: auto-replied (rejected)
Precedence: bulk

This is a MIME-encapsulated message

--21397/net3-nl-mail-02.vevida.net
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Your message to was automatically rejected:
Quota exceeded
--21397/net3-nl-mail-02.vevida.net
Content-Type: message/disposition-notification

Reporting-UA: net3-nl-mail-02.vevida.net; Dovecot Mail Delivery Agent
Final-Recipient: rfc822; newz@raar-nieuws.nl
Original-Message-ID:
Disposition: automatic-action/MDN-sent-automatically; deleted

--21397/net3-nl-mail-02.vevida.net
Content-Type: message/rfc822

Return-Path:
Delivered-To: newz@raar-nieuws.nl
Received: from net3-nl-mx-03.vevida.net (net3-nl-mx-03.vevida.net [ 77.94.249.31])
    by net3-nl-mail-02.vevida.net (Postfix) with ESMTP id 332F8350029
    for ; Fri, 31 Oct 2008 08:39:25 +0100 (CET)
X-Virus-Scanned: amavisd-new at vevida.net
X-Spam-Status: No, score=0.202 required=5 tests=[ANY_BOUNCE_MESSAGE=0.1,
    HTML_MESSAGE=0.001, UNPARSEABLE_RELAY=0.001, VBOUNCE_MESSAGE=0.1]
Received: from mail.ourdomain.tld (mail.ourdomain.tld [our.ip.add.ress])
    by net3-nl-mx-03.vevida.net (Postfix) with ESMTP id 38DB8976BC
    for ; Fri, 31 Oct 2008 08:39:24 +0100 (CET)
Received: from sgmg.ourdomain.tld (sgmg.ourdomain.tld [10.2.10.109])
    by mailscan02.ourdomain.tld (Postfix) with ESMTP id B76B148F448
Received: (from smtpd@127.0.0.1) by sgmg.prdf.nl (8.13.8/8.13.8)
    id m9V7dJj1022834 for ; Fri, 31 Oct 2008 08:39:19 +0100
Received: from unknown [10.2.10.114] by gateway id /processing/kwlCeRw3; Fri Oct 31 08:39:19 2008
MIME-Version: 1.0
X-MimeOLE: Produced By Microsoft Exchange V6.5
Subject: Out of Office AutoReply: RaaR - muziek op zondag - Jazz au Foyer
Date: Fri, 31 Oct 2008 08:39:18 +0100
Message-ID:
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: RaaR - muziek op zondag - Jazz au Foyer
Thread-Index: Ack7K8SpBsNSNiAkRmq5jBTFlWpQiwAAAOPO
From: "User, R"
To: "RaaR eten & drinken"
Content-class: urn:content-classes:message
X-ORG-WM: 1226043563.0392@OUzi9liSBFaJtjtI7nMePQ
X-ORG: Clean

----------------------------------------------------------------

We're using a third party to scan our email and forward it to us. We use MailScanner to filter out marked messages (spam header), we don't do much spam-scanning ourselves, just the default SpamAssassin ruleset without any dns checks.

All our outgoing mail is relayed through the MailScanner machine and then delivered directly to the receiver's mailserver.

We're using Postfix 2.5.1 as a MTA on an OpenBSD 4.3 machine.

-bash-3.2# /opt/MailScanner/bin/MailScanner -v
Running on OpenBSD mailscan02.ourdomain.tld 4.3 GENERIC#698 i386
This is Perl version 5.008008 (5.8.8)

This is MailScanner version 4.70.7
Module versions are:
1.00 AnyDBM_File
1.23 Archive::Zip
0.21 bignum
1.04 Carp
2.008 Compress::Zlib
1.119 Convert::BinHex
0.17 Convert::TNEF
2.121_08 Data::Dumper
2.27 Date::Parse
1.00 DirHandle
1.05 Fcntl
2.74 File::Basename
2.09 File::Copy
2.01 FileHandle
1.08 File::Path
0.19 File::Temp
0.90 Filesys::Df
1.35 HTML::Entities
3.56 HTML::Parser
2.37 HTML::TokeParser
1.23 IO
1.14 IO::File
1.13 IO::Pipe
2.02 Mail::Header
1.86 Math::BigInt
0.19 Math::BigRat
3.07 MIME::Base64
5.425 MIME::Decoder
5.425 MIME::Decoder::UU
5.425 MIME::Head
5.425 MIME::Parser
3.07 MIME::QuotedPrint
5.425 MIME::Tools
0.11 Net::CIDR
1.25 Net::IP
0.16 OLE::Storage_Lite
1.04 Pod::Escapes
3.05 Pod::Simple
1.09 POSIX
1.19 Scalar::Util
1.78 Socket
2.16 Storable
1.4 Sys::Hostname::Long
0.18 Sys::Syslog
1.26 Test::Pod
0.7 Test::Simple
1.9707 Time::HiRes
1.02 Time::localtime

Optional module versions are:
1.36 Archive::Tar
0.21 bignum
missing Business::ISBN
missing Business::ISBN::Data
missing Data::Dump
1.814 DB_File
1.14 DBD::SQLite
1.59 DBI
1.14 Digest
1.01 Digest::HMAC
2.36 Digest::MD5
2.11 Digest::SHA1
missing Encode::Detect
missing Error
missing ExtUtils::CBuilder
missing ExtUtils::ParseXS
2.36 Getopt::Long
missing Inline
1.08 IO::String
1.08 IO::Zlib
missing IP::Country
missing Mail::ClamAV
3.002004 Mail::SpamAssassin
missing Mail::SPF
1.999001 Mail::SPF::Query
missing Module::Build
0.20 Net::CIDR::Lite
0.63 Net::DNS
missing Net::DNS::Resolver::Programmable
missing Net::LDAP
missing NetAddr::IP
missing Parse::RecDescent
missing SAVI
2.64 Test::Harness
missing Test::Manifest
1.95 Text::Balanced
1.35 URI
missing version
missing YAML

What could be causing this? Why isn't watermarking working properly?

Any help is much appreciated!

Cheers.

From martinh at solidstatelogic.com Fri Oct 31 09:48:13 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Fri Oct 31 09:48:28 2008
Subject: {Disarmed} Watermarking not working
In-Reply-To: <254612fc0810310239q599fdcf1n1d9610ed3d1e7775@mail.gmail.com>
Message-ID: <6ef01d84df28364093aa1cce79ce696a@solidstatelogic.com>

Hi

there was a fix for watermarking in 4.71.6, but as Julian's about to pop out a new stable in the 48 hours might be worth hanging on for that.

also I don't see the watermark in the header that messagelabs rejected. looks like they are bouncing not rejecting..

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

_____
From blaat0001 at gmail.com Fri Oct 31 10:28:56 2008
From: blaat0001 at gmail.com (BlaaT 0001)
Date: Fri Oct 31 10:29:05 2008
Subject: {Disarmed} Watermarking not working
In-Reply-To: <6ef01d84df28364093aa1cce79ce696a@solidstatelogic.com>
References: <254612fc0810310239q599fdcf1n1d9610ed3d1e7775@mail.gmail.com> <6ef01d84df28364093aa1cce79ce696a@solidstatelogic.com>
Message-ID: <254612fc0810310328q2e4b2313k4ac445727451e51b@mail.gmail.com>

Our failover host is running on MailScanner-4.71.10-1 and is showing the exact same behaviour. The only difference between our primary node and failover node is the MailScanner version. The fix for watermarking has not made a difference on our machines unfortunately.

Thanks for the reply.

On Fri, Oct 31, 2008 at 10:48 AM, Martin.Hepworth <martinh@solidstatelogic.com> wrote:

> Hi
>
> there was a fix for watermarking in 4.71.6, but as Julian's about to pop
> out a new stable in the 48 hours might be worth hanging on for that.
>
> also I don't see the watermark in the header that messagelabs rejected.
> looks like they are bouncing not rejecting..
>
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
>
> ------------------------------
> *From:* mailscanner-bounces@lists.mailscanner.info [mailto:
> mailscanner-bounces@lists.mailscanner.info] *On Behalf Of *BlaaT 0001
> *Sent:* 31 October 2008 09:39
> *To:* MailScanner discussion
> *Subject:* {Disarmed} Watermarking not working
>
> Hello all,
>
> I'm still having problems using watermarking.
My MailScanner settings > related to watermarking are: > > Use Watermarking = yes > Add Watermark = %rules-dir%/add.watermark.rules > Check Watermarks With No Sender = > %rules-dir%/check.watermarks.with.no.sender.rules > Treat Invalid Watermarks With No Sender as Spam = 20 > Check Watermarks To Skip Spam Checks = no > Watermark Secret = *************** > Watermark Lifetime = 604800 > Watermark Header = X-%org-name%-WM: > > We add a watermark on outgoing mail, and we check incoming mail on > watermarks (using the rulesets). > > Every "no sender" mail gets marked by the watermarking feature, from the > logfile: > > Oct 31 08:39:31 mailscan02 MailScanner[26686]: Message 720DF48F44B.05390 > had bad watermark, added 20 to spam score > Oct 31 08:39:31 mailscan02 MailScanner[26686]: Message 720DF48F44B.05390 > from *MailScanner warning: numerical links are often malicious:*194.106.220.35() to ourdomain.tld is spam (no watermark or sender address), SpamAssassin > (score=0, vereist 20, autolearn=disabled) > > This was a legit bounce mail, a response to a mail send from our > MailScanner machine with a watermark attached. 
>
> This is the full message:
>
> ----------------------------------------------------------------
>
> Received: from mail91.messagelabs.com (mail91.messagelabs.com [*MailScanner
> warning: numerical links are often malicious:* 194.106.220.35
> ])
> by mailscan02.ourdomain.tld (Postfix) with ESMTP id 720DF48F44B
> for ; Fri, 31 Oct 2008 08:39:26 +0100 (CET)
> X-VirusChecked: Checked
> X-Msg-Ref: server-7.tower-91.messagelabs.com!1225438765!40564331!1
> X-StarScan-Version: 5.5.12.14.2; banners=-,-,-
> X-Originating-IP: [*MailScanner warning: numerical links are often
> malicious:* 77.94.249.25 ]
> X-SpamReason: No, hits=0.0 required=7.0 tests=
> Received: (qmail 30403 invoked from network); 31 Oct 2008 07:39:25 -0000
> Received: from net3-nl-smtp-01.vevida.net (HELO net3-nl-smtp-01.vevida.net)
> (*MailScanner warning: numerical links are often malicious:* 77.94.249.25
> )
> by server-7.tower-91.messagelabs.com with AES256-SHA encrypted SMTP; 31
> Oct 2008 07:39:25 -0000
> Received: from net3-nl-mail-02.vevida.net (net3-nl-mail-02.vevida.net [*MailScanner
> warning: numerical links are often malicious:* 77.94.249.24
> ])
> by net3-nl-smtp-01.vevida.net (Postfix) with ESMTP id 3976B2EC542
> for ; Fri, 31 Oct 2008 08:39:25 +0100 (CET)
> Received: by net3-nl-mail-02.vevida.net (Postfix, from userid 8)
> id 3793E35002B; Fri, 31 Oct 2008 08:39:25 +0100 (CET)
> Message-ID:
> Date: Fri, 31 Oct 2008 08:39:25 +0100
> From: Mail Delivery Subsystem
> To:
> MIME-Version: 1.0
> Content-Type: multipart/report; report-type=disposition-notification;
> boundary="21397/net3-nl-mail-02.vevida.net"
> Subject: Automatically rejected mail
> Auto-Submitted: auto-replied (rejected)
> Precedence: bulk
>
> This is a MIME-encapsulated message
>
> --21397/net3-nl-mail-02.vevida.net
> Content-Type: text/plain; charset=utf-8
> Content-Disposition: inline
> Content-Transfer-Encoding: 8bit
>
> Your message to was automatically rejected:
> Quota exceeded
> --21397/net3-nl-mail-02.vevida.net
> Content-Type: message/disposition-notification
>
> Reporting-UA: net3-nl-mail-02.vevida.net; Dovecot Mail Delivery Agent
> Final-Recipient: rfc822; newz@raar-nieuws.nl
> Original-Message-ID:
>
> Disposition: automatic-action/MDN-sent-automatically; deleted
>
> --21397/net3-nl-mail-02.vevida.net
> Content-Type: message/rfc822
>
> Return-Path:
> Delivered-To: newz@raar-nieuws.nl
> Received: from net3-nl-mx-03.vevida.net (net3-nl-mx-03.vevida.net [*MailScanner
> warning: numerical links are often malicious:* 77.94.249.31
> ])
> by net3-nl-mail-02.vevida.net (Postfix) with ESMTP id 332F8350029
> for ; Fri, 31 Oct 2008 08:39:25 +0100 (CET)
> X-Virus-Scanned: amavisd-new at vevida.net
> X-Spam-Status: No, score=0.202 required=5 tests=[ANY_BOUNCE_MESSAGE=0.1,
> HTML_MESSAGE=0.001, UNPARSEABLE_RELAY=0.001, VBOUNCE_MESSAGE=0.1]
> Received: from mail.ourdomain.tld (mail.ourdomain.tld [our.ip.add.ress])
> by net3-nl-mx-03.vevida.net (Postfix) with ESMTP id 38DB8976BC
> for ; Fri, 31 Oct 2008 08:39:24 +0100 (CET)
> Received: from sgmg.ourdomain.tld (sgmg.ourdomain.tld [*MailScanner
> warning: numerical links are often malicious:* 10.2.10.109
> ])
> by mailscan02.ourdomain.tld (Postfix) with ESMTP id B76B148F448
> Received: (from smtpd@127.0.0.1) by sgmg.prdf.nl (8.13.8/8.13.8)
> id m9V7dJj1022834 for ; Fri, 31 Oct 2008
> 08:39:19 +0100
> Received: from unknown [*MailScanner warning: numerical links are often
> malicious:* 10.2.10.114 ] by gateway id
> /processing/kwlCeRw3; Fri Oct 31 08:39:19 2008
> MIME-Version: 1.0
> X-MimeOLE: Produced By Microsoft Exchange V6.5
> Subject: Out of Office AutoReply: RaaR - muziek op zondag - Jazz au Foyer
> Date: Fri, 31 Oct 2008 08:39:18 +0100
> Message-ID:
>
> X-MS-Has-Attach:
> X-MS-TNEF-Correlator:
> Thread-Topic: RaaR - muziek op zondag - Jazz au Foyer
> Thread-Index: Ack7K8SpBsNSNiAkRmq5jBTFlWpQiwAAAOPO
> From: "User, R"
> To: "RaaR eten & drinken"
> Content-class: urn:content-classes:message
> X-ORG-WM: 1226043563.0392@OUzi9liSBFaJtjtI7nMePQ
> X-ORG: Clean
> ----------------------------------------------------------------
>
> We're using a third party to scan our email and forward it to us. We use
> MailScanner to filter out marked messages (spam header), we don't do much
> spam-scanning ourselves, just the default SpamAssassin ruleset without any
> dns checks. All our outgoing mail is relayed through the MailScanner machine
> and then delivered directly to the receiver's mailserver.
>
> We're using Postfix 2.5.1 as a MTA on an OpenBSD 4.3 machine.
>
> -bash-3.2# /opt/MailScanner/bin/MailScanner -v
> Running on
> OpenBSD mailscan02.ourdomain.tld 4.3 GENERIC#698 i386
> This is Perl version 5.008008 (5.8.8)
>
> This is MailScanner version 4.70.7
> Module versions are:
> 1.00 AnyDBM_File
> 1.23 Archive::Zip
> 0.21 bignum
> 1.04 Carp
> 2.008 Compress::Zlib
> 1.119 Convert::BinHex
> 0.17 Convert::TNEF
> 2.121_08 Data::Dumper
> 2.27 Date::Parse
> 1.00 DirHandle
> 1.05 Fcntl
> 2.74 File::Basename
> 2.09 File::Copy
> 2.01 FileHandle
> 1.08 File::Path
> 0.19 File::Temp
> 0.90 Filesys::Df
> 1.35 HTML::Entities
> 3.56 HTML::Parser
> 2.37 HTML::TokeParser
> 1.23 IO
> 1.14 IO::File
> 1.13 IO::Pipe
> 2.02 Mail::Header
> 1.86 Math::BigInt
> 0.19 Math::BigRat
> 3.07 MIME::Base64
> 5.425 MIME::Decoder
> 5.425 MIME::Decoder::UU
> 5.425 MIME::Head
> 5.425 MIME::Parser
> 3.07 MIME::QuotedPrint
> 5.425 MIME::Tools
> 0.11 Net::CIDR
> 1.25 Net::IP
> 0.16 OLE::Storage_Lite
> 1.04 Pod::Escapes
> 3.05 Pod::Simple
> 1.09 POSIX
> 1.19 Scalar::Util
> 1.78 Socket
> 2.16 Storable
> 1.4 Sys::Hostname::Long
> 0.18 Sys::Syslog
> 1.26 Test::Pod
> 0.7 Test::Simple
> 1.9707 Time::HiRes
> 1.02 Time::localtime
>
> Optional module versions are:
> 1.36 Archive::Tar
> 0.21 bignum
> missing Business::ISBN
> missing Business::ISBN::Data
> missing Data::Dump
> 1.814 DB_File
> 1.14 DBD::SQLite
> 1.59 DBI
> 1.14 Digest
> 1.01 Digest::HMAC
> 2.36 Digest::MD5
> 2.11 Digest::SHA1
> missing Encode::Detect
> missing Error
> missing ExtUtils::CBuilder
> missing ExtUtils::ParseXS
> 2.36 Getopt::Long
> missing Inline
> 1.08 IO::String
> 1.08 IO::Zlib
> missing IP::Country
> missing Mail::ClamAV
> 3.002004 Mail::SpamAssassin
> missing Mail::SPF
> 1.999001 Mail::SPF::Query
> missing Module::Build
> 0.20 Net::CIDR::Lite
> 0.63 Net::DNS
> missing Net::DNS::Resolver::Programmable
> missing Net::LDAP
> missing NetAddr::IP
> missing Parse::RecDescent
> missing SAVI
> 2.64 Test::Harness
> missing Test::Manifest
> 1.95 Text::Balanced
> 1.35 URI
> missing version
> missing YAML
>
> What could be causing this? Why isn't watermarking working properly?
> Any help is much appreciated!
>
> Cheers.

From ssilva at sgvwater.com Fri Oct 31 16:58:14 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Oct 31 16:58:32 2008
Subject: "Remove These Headers" in MailScanner.conf
In-Reply-To: <490AC4BA.4080905@nerc.ac.uk>
References: <4909D37A.90805@ecs.soton.ac.uk>
 <46b33847a059c8459b0995558d04db10@solidstatelogic.com>
 <20081030171236.341a94db@scorpio> <490AC4BA.4080905@nerc.ac.uk>
Message-ID:

on 10-31-2008 1:41 AM Greg Matthews spake the following:
> Jerry wrote:
>> On Thu, 30 Oct 2008 15:46:11 +0000
>> "Martin.Hepworth" wrote:
>>> What do other folk think?
>>
>> Personally, unless I was setting the server up for my exclusive use, I
>> would not want to block any of those headers by default. I am sick of
>> software making arbitrary decisions on what I should or should not view
>> or do. Unless it is a security problem, the sanitizing of email
>> headers, content, etc should be left up to the end user. Offering the
>> user the tools to do so is fine as long as they are not turned on by
>> default.
>
> except there is a security problem. The point is that spammers are using
> delivery/read receipts to verify their address lists. Verified lists
> then become much more valuable.
>
> Also, there appears to be a bug in Outlook that will send receipts in
> certain circumstances even when configured not to. This was recently
> discussed on uk-mail-managers:
>
> "We're currently migrating to Exchange 2007 and came across this a
> couple of days ago. There seems to be a bug in Outlook whereby if you
> access your email account using IMAP and delete a message that requests
> a read receipt, when Outlook next notices the message has vanished it
> generates the "Not Read" response back to the sender. This is
> irrespective of whether the user has chosen to respond to delivery
> receipts or not. We've also noticed the behaviour when Messaging Records
> Management deletes emails on the server.
> ....
> We've logged a support case with MS, we'll see if we get a sensible
> response..."
>
That is a new Microsoft "feature". They assume you are doing it wrong, and they are going to save you from your erroneous ways! ;-P

(Gets on flame-proof suit)

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com Fri Oct 31 17:49:13 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Oct 31 17:49:31 2008
Subject: Watermarking not working
In-Reply-To: <254612fc0810310239q599fdcf1n1d9610ed3d1e7775@mail.gmail.com>
References: <254612fc0810310239q599fdcf1n1d9610ed3d1e7775@mail.gmail.com>
Message-ID:

on 10-31-2008 2:39 AM BlaaT 0001 spake the following:
> Hello all,
>
> I'm still having problems using watermarking. My MailScanner settings
> related to watermarking are:
>
> Use Watermarking = yes
> Add Watermark = %rules-dir%/add.watermark.rules
> Check Watermarks With No Sender = %rules-dir%/check.watermarks.with.no.sender.rules
> Treat Invalid Watermarks With No Sender as Spam = 20
> Check Watermarks To Skip Spam Checks = no
> Watermark Secret = ***************
> Watermark Lifetime = 604800
> Watermark Header = X-%org-name%-WM:
>
Why don't you try on ALL of your machines;

Watermark Header = X-Your-org-name-WM:
                     ^^^^^^
hard coded orgname instead of letting it expand from %org-name%

Maybe a slight difference in systems encoding is munging the orgname part of the watermark.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From simon at kmun.gov.kw Fri Oct 31 18:12:49 2008
From: simon at kmun.gov.kw (Benedict simon)
Date: Fri Oct 31 18:07:40 2008
Subject: help required in upgrading MS
Message-ID: <1388.91.198.134.226.1225476769.squirrel@webmail.baladia.gov.kw>

Dear All,

I have the following setup running fine for about a year or so on a single server.

CentOS 5 (final)
DNS bind-9.3.4-6.0.2.P1.el5_2 as my DNS server
sendmail-8.13.8-2.el5 as my mail server
MailScanner ver 4.66.5
jules easy package Clam-0.92-SA-3.2.4
pyzor-0.4.0
razor-agents-2.84
mailwatch-1.0.4
httpd-2.2.3-11.el5_1

all the above is working fine.

now I would like to upgrade to the latest MS stable version and also the stable clamav 0.94 and SA 3.2.5 package

since this is a live server I would highly appreciate it if I could get some advice and steps about upgrading the MS version to the latest stable version and also the other required packages

I have gone through the wiki and upgrade instructions but was still a little confused

would really appreciate your help

MS was installed from tar.gz package

regards

simon

--
Network ADMIN
-------------
KUWAIT MUNICIPALITY:

From ssilva at sgvwater.com Fri Oct 31 18:23:04 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Oct 31 18:23:26 2008
Subject: help required in upgrading MS
In-Reply-To: <1388.91.198.134.226.1225476769.squirrel@webmail.baladia.gov.kw>
References: <1388.91.198.134.226.1225476769.squirrel@webmail.baladia.gov.kw>
Message-ID:

on 10-31-2008 11:12 AM Benedict simon spake the following:
> Dear All,
>
> I have the following setup running fine for about a year or so on a single
> server.
>
> CentOS 5 (final)
> DNS bind-9.3.4-6.0.2.P1.el5_2 as my DNS server
> sendmail-8.13.8-2.el5 as my mail server
> MailScanner ver 4.66.5
> jules easy package Clam-0.92-SA-3.2.4
> pyzor-0.4.0
> razor-agents-2.84
> mailwatch-1.0.4
> httpd-2.2.3-11.el5_1
>
> all the above is working fine.
>
> now I would like to upgrade to the latest MS stable version and also the
> stable clamav 0.94 and SA 3.2.5 package
>
> since this is a live server I would highly appreciate it if I could get some
> advice and steps about upgrading the MS version to the latest stable version
> and also the other required packages
>
> I have gone through the wiki and upgrade instructions but was still a little
> confused
>
> would really appreciate your help
>
> MS was installed from tar.gz package
>
>
> regards
>
> simon
>
If the machine can be offline for about 10 minutes it is easy.

stop mailscanner. If you don't have a backup MX you can start incoming
(service MailScanner startin)

Back up current if you want (there is a script available on the wiki
http://wiki.mailscanner.info/doku.php?id=maq:index#upgrade_rpm )

Unpack and install clam-sa package
unpack and install MailScanner package

service MailScanner restart

tail maillog to see if everything is working

Pat self on back and get cup of coffee.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From gesbbb at yahoo.com Fri Oct 31 18:36:15 2008
From: gesbbb at yahoo.com (Jerry)
Date: Fri Oct 31 18:36:36 2008
Subject: "Remove These Headers" in MailScanner.conf
In-Reply-To: <490AC4BA.4080905@nerc.ac.uk>
References: <4909D37A.90805@ecs.soton.ac.uk>
 <46b33847a059c8459b0995558d04db10@solidstatelogic.com>
 <20081030171236.341a94db@scorpio> <490AC4BA.4080905@nerc.ac.uk>
Message-ID: <20081031143615.045b0e33@scorpio>

On Fri, 31 Oct 2008 08:41:30 +0000
Greg Matthews wrote:

[snip]

>> Case in point, at one time, perhaps even now, Google was blocking ZIP
>> files that contained 'exe' files. They were also blocking encrypted
>> files too. It did not take me long before I realized that I did not
>> need a Nazi censoring my mail.
>
>you lose. See Godwin's Law.

I am fully aware of Godwin's law. Personally, I have always felt it was directed at two or more posters confronting each other rather than describing a situation or condition. In any case, as you might agree, "It is not paranoia if it is true."

--
Jerry
gesbbb@yahoo.com

The quality of a pun is in the "Oy!" of the beholder.

From simon at kmun.gov.kw Fri Oct 31 19:03:10 2008
From: simon at kmun.gov.kw (Benedict simon)
Date: Fri Oct 31 18:58:30 2008
Subject: help required in upgrading MS
In-Reply-To:
References: <1388.91.198.134.226.1225476769.squirrel@webmail.baladia.gov.kw>
Message-ID: <1553.91.198.134.226.1225479790.squirrel@webmail.baladia.gov.kw>

> on 10-31-2008 11:12 AM Benedict simon spake the following:
>> Dear All,
>>
>> I have the following setup running fine for about a year or so on a single
>> server.
>>
>> CentOS 5 (final)
>> DNS bind-9.3.4-6.0.2.P1.el5_2 as my DNS server
>> sendmail-8.13.8-2.el5 as my mail server
>> MailScanner ver 4.66.5
>> jules easy package Clam-0.92-SA-3.2.4
>> pyzor-0.4.0
>> razor-agents-2.84
>> mailwatch-1.0.4
>> httpd-2.2.3-11.el5_1
>>
>> all the above is working fine.
>>
>> now I would like to upgrade to the latest MS stable version and also the
>> stable clamav 0.94 and SA 3.2.5 package
>>
>> since this is a live server I would highly appreciate it if I could get some
>> advice and steps about upgrading the MS version to the latest stable version
>> and also the other required packages
>>
>> I have gone through the wiki and upgrade instructions but was still a little
>> confused
>>
>> would really appreciate your help
>>
>> MS was installed from tar.gz package
>>
>>
>> regards
>>
>> simon
>>
> If the machine can be offline for about 10 minutes it is easy.
>
> stop mailscanner. If you don't have a backup MX you can start incoming
> (service MailScanner startin)
>
> Back up current if you want (there is a script available on the wiki
> http://wiki.mailscanner.info/doku.php?id=maq:index#upgrade_rpm )
>
> Unpack and install clam-sa package
> unpack and install MailScanner package
>
> service MailScanner restart
>
> tail maillog to see if everything is working
>
> Pat self on back and get cup of coffee.
>
Thanks Scott,

really appreciate your immediate quick reply
by the way I can get the Mail Server down even for 30 min or so .... simon smiles

also I do have a secondary mail server

just wanna know about the pyzor and razor utilities .. can I just upgrade them as per install docs??
any changes need to be done in mailwatch

thanks once again

regards

simon

> --
> MailScanner is like deodorant...
> You hope everybody uses it, and
> you notice quickly if they don't!!!!

--
Network ADMIN
-------------
KUWAIT MUNICIPALITY:

From ssilva at sgvwater.com Fri Oct 31 21:45:52 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Oct 31 21:46:13 2008
Subject: help required in upgrading MS
In-Reply-To: <1553.91.198.134.226.1225479790.squirrel@webmail.baladia.gov.kw>
References: <1388.91.198.134.226.1225476769.squirrel@webmail.baladia.gov.kw>
 <1553.91.198.134.226.1225479790.squirrel@webmail.baladia.gov.kw>
Message-ID:

on 10-31-2008 12:03 PM Benedict simon spake the following:
>> on 10-31-2008 11:12 AM Benedict simon spake the following:
>>> Dear All,
>>>
>>> I have the following setup running fine for about a year or so on a single
>>> server.
>>>
>>> CentOS 5 (final)
>>> DNS bind-9.3.4-6.0.2.P1.el5_2 as my DNS server
>>> sendmail-8.13.8-2.el5 as my mail server
>>> MailScanner ver 4.66.5
>>> jules easy package Clam-0.92-SA-3.2.4
>>> pyzor-0.4.0
>>> razor-agents-2.84
>>> mailwatch-1.0.4
>>> httpd-2.2.3-11.el5_1
>>>
>>> all the above is working fine.
>>>
>>> now I would like to upgrade to the latest MS stable version and also the
>>> stable clamav 0.94 and SA 3.2.5 package
>>>
>>> since this is a live server I would highly appreciate it if I could get some
>>> advice and steps about upgrading the MS version to the latest stable version
>>> and also the other required packages
>>>
>>> I have gone through the wiki and upgrade instructions but was still a little
>>> confused
>>>
>>> would really appreciate your help
>>>
>>> MS was installed from tar.gz package
>>>
>>>
>>> regards
>>>
>>> simon
>>>
>> If the machine can be offline for about 10 minutes it is easy.
>>
>> stop mailscanner. If you don't have a backup MX you can start incoming
>> (service MailScanner startin)
>>
>> Back up current if you want (there is a script available on the wiki
>> http://wiki.mailscanner.info/doku.php?id=maq:index#upgrade_rpm )
>>
>> Unpack and install clam-sa package
>> unpack and install MailScanner package
>>
>> service MailScanner restart
>>
>> tail maillog to see if everything is working
>>
>> Pat self on back and get cup of coffee.
>>
> Thanks Scott,
>
> really appreciate your immediate quick reply
> by the way I can get the Mail Server down even for 30 min or so .... simon
> smiles
>
> also I do have a secondary mail server
>
> just wanna know about the pyzor and razor utilities .. can I just upgrade them
> as per install docs??
> any changes need to be done in mailwatch
>
> thanks once again
>
> regards
>
> simon

I hadn't noticed that pyzor or Razor had an update. But you should be able to upgrade them at the same time. If you are installing them where they haven't been before, then you do have to enable them in spamassassin. When you install Julian's clam-sa package, I do believe it tells you what you have to do at the end of the install script.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
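For the "Watermarking not working" thread above: before suspecting the secret or the header name, it helps to confirm that a saved bounce still carries the watermark header and that it is in date. The following is an added example, not MailScanner code and not from any poster. It assumes the number before the `@` is a Unix expiry time (the posted header, message date and lifetime are consistent with that), the status names are made up for the example, and the sample bounce is constructed.

```python
import email

WATERMARK_HEADER = "X-ORG-WM"  # header name as it appears in the posted bounce
LIFETIME = 604800              # "Watermark Lifetime" from the posted config

# Constructed sample: a cut-down multipart/report bounce shaped like the one
# in the thread (addresses are placeholders, watermark value is the posted one).
SAMPLE_BOUNCE = """\
From: Mail Delivery Subsystem <postmaster@recipient.example>
To: <user@ourdomain.example>
MIME-Version: 1.0
Content-Type: multipart/report; report-type=disposition-notification;
 boundary="b1"
Subject: Automatically rejected mail

--b1
Content-Type: text/plain; charset=utf-8

Your message was automatically rejected: Quota exceeded
--b1
Content-Type: message/rfc822

From: "User, R" <user@ourdomain.example>
To: <someone@recipient.example>
Subject: Out of Office AutoReply
X-ORG-WM: 1226043563.0392@OUzi9liSBFaJtjtI7nMePQ
X-ORG: Clean

(original body)
--b1--
"""


def returned_originals(bounce):
    """Yield every original message (or bare header block) a bounce carries back."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        payload = part.get_payload()
        if ctype == "message/rfc822" and isinstance(payload, list) and payload:
            yield payload[0]
        elif ctype == "text/rfc822-headers" and isinstance(payload, str):
            yield email.message_from_string(payload)


def parse_watermark(value):
    """Split 'number@digest'. Assumption: the integer part is a Unix expiry time."""
    stamp, sep, digest = value.strip().partition("@")
    if not sep or not digest:
        return None
    try:
        return int(float(stamp)), digest
    except (ValueError, OverflowError):
        return None


def check_bounce(raw, now, header=WATERMARK_HEADER, lifetime=LIFETIME):
    """Report whether a bounce still carries a watermark and whether it has aged out.

    The keyed digest is NOT recomputed here; that needs the Watermark Secret and
    MailScanner's own code. This only answers "is it there, and is it in date?".
    """
    originals = list(returned_originals(email.message_from_string(raw)))
    if not originals:
        return {"status": "no-original"}   # remote side returned no original
    for original in originals:
        value = original.get(header)
        if value is None:
            continue
        parsed = parse_watermark(value)
        if parsed is None:
            return {"status": "malformed", "value": value}
        expiry, digest = parsed
        return {"status": "expired" if now > expiry else "present",
                "expiry": expiry, "stamped_at": expiry - lifetime,
                "digest": digest}
    return {"status": "no-watermark"}      # header stripped or renamed in transit


if __name__ == "__main__":
    # 1225438771 is 08:39:31 +0100 on 31 Oct 2008, the time of the posted log line.
    print(check_bounce(SAMPLE_BOUNCE, now=1225438771))
```

A result of "no-original" or "no-watermark" points at the remote system or at the header name in use; "present" means the remaining suspect is the digest check itself.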