From paul.hutchings at mira.co.uk Mon Sep 1 08:37:42 2008
From: paul.hutchings at mira.co.uk (Paul Hutchings)
Date: Mon Sep 1 08:37:58 2008
Subject: virus detection reporting wrong scanner
References: <48BA9848.3030402@ecs.soton.ac.uk>
Message-ID:

Still appears to be happening.

All I did was download the beta and run the usual ./install.sh - presumably that would overwrite the manual change I made a week or so back to handle the changed vba32 output?

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field
Sent: 31 August 2008 14:11
To: MailScanner discussion
Subject: Re: virus detection reporting wrong scanner

Please try this with the latest beta (4.71.9) and let me know if it still recurs.

Paul Hutchings wrote:
> I'm using clamd, avg and vba32.
>
> In maillog, I see the following:
>
> Aug 31 02:11:56 relay MailScanner[22637]: Virus Scanning: vba32 found 1 infections
> Aug 31 02:11:56 relay MailScanner[22637]: Infected message C5B321FC55.019F5 came from 217.76.130.123
> Aug 31 02:11:56 relay MailScanner[22637]: Virus Scanning: Found 1 viruses
> Aug 31 02:11:56 relay MailScanner[22637]: Virus Scanning completed at 1731 bytes per second
>
> In the report I see this:
>
> The following e-mails were found to have: Virus Detected
>
> Sender: skatemurcia.com@llgc793.servidoresdns.net
> IP Address: 217.76.130.123
> Recipient: someone@ourdomain.com
> Subject: Security Message - Important System Notification.
> MessageID: C5B321FC55.019F5
> Quarantine:
> Report: Clamd: msg-22637-48.html was infected: HTML.Phishing.Bank-1248
>
> Any suggestions? I know last week I had to modify one of the MailScanner files to deal with the way that vba32 output changed since the last MailScanner release.
>
> Lint output:
>
> Trying to setlogsock(unix)
> Read 850 hostnames from the phishing whitelist
> Read 5262 hostnames from the phishing blacklist
> Checking version numbers...
> Version number in MailScanner.conf (4.70.7) is correct.
>
> Your envelope_sender_header in spam.assassin.prefs.conf is correct.
> MailScanner setting GID to (89)
> MailScanner setting UID to (89)
>
> Checking for SpamAssassin errors (if you use it)...
> SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp
> SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
> Using SpamAssassin results cache
> Connected to SpamAssassin cache database
> SpamAssassin reported no errors.
> I have found clamd avg vba32 scanners installed, and will use them all by default.
> Using locktype = posix
> MailScanner.conf says "Virus Scanners = auto"
> Found these virus scanners installed: clamd, vba32, avg
> ========================================================================
> ===
> Virus and Content Scanning: Starting
> ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
> Virus Scanning: Clamd found 1 infections
> Avg: Virus identified EICAR_Test in eicar.com
> Virus Scanning: Avg found 1 infections
> /var/spool/MailScanner/incoming/23308/1/eicar.com : infected EICAR-Test-File
> Virus Scanning: vba32 found 1 infections
> Infected message 1 came from 10.1.1.1
> Virus Scanning: Found 1 viruses
> ========================================================================
> ===
> Virus Scanner test reports:
> Clamd said "eicar.com was infected: Eicar-Test-Signature"
> Avg said "Found virus EICAR_Test in file eicar.com"
> vba32 said "Found virus EICAR-Test-File in eicar.com"
>
> If any of your virus scanners (clamd,vba32,avg)
> are not listed there, you should check that they are installed correctly
> and that MailScanner is finding them correctly via its virus.scanners.conf.
>
> Cheers,
> Paul
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

--
MIRA Ltd

Watling Street, Nuneaton, Warwickshire, CV10 0TU, England.
Registered in England and Wales No. 402570
VAT Registration GB 114 5409 96

The contents of this e-mail are confidential and are solely for the use of the intended recipient. If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax. You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited.

From cazahenha at hotmail.com Mon Sep 1 10:09:10 2008
From: cazahenha at hotmail.com (Caza Henha)
Date: Mon Sep 1 10:09:21 2008
Subject: Rules with IP addresses
Message-ID:

Hi,

I have recently installed Mailscanner with Postfix and MailWatch and it seems over the last week the system is running great, however I am now getting requests to tweak the default rules that I have from various users in different departments. I have been trying to delve into the nitty-gritty of the rules and understand the principles and they do not seem very complicated and when looking at some examples on the Wiki things shouldn't be too difficult.

Consequently I have noticed a number of examples have IP addresses in the From section of the rules and I was just wondering where this IP address was coming from and what it can actually be as I cannot seem to find any documentation on it. For example is this IP address (or the RegEx of one) the connecting smtp server (or any smtp server that the mail has passed through), client address, MX address of the sending domain etc or any combination of all the previous?

Also can this be used in a "To" configuration, the reason I ask is that essentially we have four internal smtp servers which does sound like we process a lot of mail but they are basically queues for our application servers. Due to the current "trial" policy all spam is being marked and delivered and sorted at the client software, however we have a trouble ticket application that is currently getting lots of spam and because it sends out confirmation receipts etc we are getting bounces that are filling the queues.
Although easy, I don't necessarily wish to have loads of "To" rules with the individual addresses of the trouble ticket system so I was wondering whether I could have the IP address (or even better the FQDN) of the forwarding SMTP server in the To rule, something like the following:

spam.rules

To: ticketing.example.com delete // Ticketing SMTP server
To: exchange.example.com store // Exchange server
FromOrTo: default deliver

Is the above possible? If not is the following,

To: 192.168.15.1 delete // Ticketing SMTP server
To: 192.168.15.2 store // Exchange server
FromOrTo: default deliver

Kind Regards,

Caza

From MailScanner at ecs.soton.ac.uk Mon Sep 1 12:20:19 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Sep 1 12:20:42 2008
Subject: virus detection reporting wrong scanner
In-Reply-To:
References: <48BA9848.3030402@ecs.soton.ac.uk>
Message-ID: <48BBCFF3.2000003@ecs.soton.ac.uk>

The report is definitely coming from ClamAV (clamav, clamavmodule or clamd) as the HTML.Phishing.Bank-.... is in their style.

Are you sure you're not looking at a different report from the message?

What does "MailScanner --lint" say about this?

Paul Hutchings wrote:
> Still appears to be happening.
>
> All I did was download the beta and run the usual ./install.sh - presumably that would overwrite the manual change I made a week or so back to handle the changed vba32 output?
>
> -----Original Message-----

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From MailScanner at ecs.soton.ac.uk Mon Sep 1 12:22:45 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Sep 1 12:23:06 2008
Subject: Rules with IP addresses
In-Reply-To:
References:
Message-ID: <48BBD085.4060603@ecs.soton.ac.uk>

Caza Henha wrote:
>
> Hi,
>
> I have recently installed Mailscanner with Postfix and MailWatch and it seems over the last week the system is running great, however I am now getting requests to tweak the default rules that I have from various users in different departments. I have been trying to delve into the nitty-gritty of the rules and understand the principles and they do not seem very complicated and when looking at some examples on the Wiki things shouldn't be too difficult.
>
> Consequently I have noticed a number of examples have IP addresses in the From section of the rules and I was just wondering where this IP address was coming from and what it can actually be as I cannot seem to find any documentation on it. For example is this IP address (or the RegEx of one) the connecting smtp server (or any smtp server that the mail has passed through), client address, MX address of the sending domain etc or any combination of all the previous?

It is the IP address of the machine that was the client end of the SMTP connection to the server. So in the case of a customer-facing SMTP server, it will be the customer's client IP address. In the case of an MX it would be the IP address of the SMTP server talking to you.

>
> Also can this be used in a "To" configuration,

No. Due to the way mail delivery works, you don't know the IP address of the destination until you have already started sending the message. Can't be done.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From support-lists at petdoctors.co.uk Mon Sep 1 12:57:55 2008
From: support-lists at petdoctors.co.uk (Nigel Kendrick)
Date: Mon Sep 1 12:58:18 2008
Subject: ClamAV error: Invalid function CL_SCAN_PHISHING_DOMAINLIST
In-Reply-To: <48A58280.4030001@ecs.soton.ac.uk>
References: <48A58280.4030001@ecs.soton.ac.uk>
Message-ID:

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field
Sent: Friday, August 15, 2008 2:20 PM
To: MailScanner discussion
Subject: Re: ClamAV error: Invalid function CL_SCAN_PHISHING_DOMAINLIST

Nigel Kendrick wrote:
> Just noticed ClamAV throwing the following error into Maillog:
>
> Aug 15 13:17:39 woking MailScanner[6082]: Commercial virus checker failed with real error: Invalid function CL_SCAN_PHISHING_DOMAINLIST at /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/Mail/ClamAV.pm line 120.
>
> I have re-installed using Jules' ClamAV/SpamAssassin bundle, done a freshclam and restarted MailScanner and still getting the same. Can't find much in the way of notes about this...!?
>
Did the "make test" phase of building the Mail::ClamAV module succeed?

Jules

Hi Jules,

Just back from holiday and picking this one up. Yes, the "make test" runs fine.

I have come across this comment but not sure what to make of it (or what to do)...

http://kobesearch.cpan.org/htdocs/Mail-ClamAV/Mail/ClamAV.pm.html#CL_SCAN_PHISHING_DOMAINLIST

"CL_SCAN_PHISHING_DOMAINLIST

With a minor version bump clamav development team removed this and broke backwards compatibility, so it is no longer supported in this module as of 0.22."

That's the version (0.22) of Mail::ClamAV I am running on the affected server - but it's also that version on servers working OK?

Confused!?

From paul.hutchings at mira.co.uk Mon Sep 1 14:02:41 2008
From: paul.hutchings at mira.co.uk (Paul Hutchings)
Date: Mon Sep 1 14:02:59 2008
Subject: virus detection reporting wrong scanner
References: <48BA9848.3030402@ecs.soton.ac.uk> <48BBCFF3.2000003@ecs.soton.ac.uk>
Message-ID:

The lint seems to check out just fine.

Maybe my understanding is wrong, but I thought that if multiple engines caught a virus in a message it listed that multiple engines had detected something in the report that's sent to postmaster (or wherever) - all I know is I have an entry in maillog by vba32 saying it detected a virus, at the same time an email was deleted and a report sent to postmaster saying it was because clam32 had detected a virus - yet there's no report in the postmaster mailbox that mentions vba32.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field
Sent: 01 September 2008 12:20
To: MailScanner discussion
Subject: Re: virus detection reporting wrong scanner

The report is definitely coming from ClamAV (clamav, clamavmodule or clamd) as the HTML.Phishing.Bank-.... is in their style.

Are you sure you're not looking at a different report from the message?

What does "MailScanner --lint" say about this?

Paul Hutchings wrote:
> Still appears to be happening.
>
> All I did was download the beta and run the usual ./install.sh - presumably that would overwrite the manual change I made a week or so back to handle the changed vba32 output?
>
> -----Original Message-----

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From MailScanner at ecs.soton.ac.uk Mon Sep 1 14:07:44 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Sep 1 14:08:06 2008
Subject: ClamAV error: Invalid function CL_SCAN_PHISHING_DOMAINLIST
In-Reply-To:
References: <48A58280.4030001@ecs.soton.ac.uk>
Message-ID: <48BBE920.1010605@ecs.soton.ac.uk>

Nigel Kendrick wrote:
>
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field
> Sent: Friday, August 15, 2008 2:20 PM
> To: MailScanner discussion
> Subject: Re: ClamAV error: Invalid function CL_SCAN_PHISHING_DOMAINLIST
>
> Nigel Kendrick wrote:
>
>> Just noticed ClamAV throwing the following error into Maillog:
>>
>> Aug 15 13:17:39 woking MailScanner[6082]: Commercial virus checker failed with real error: Invalid function CL_SCAN_PHISHING_DOMAINLIST at /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/Mail/ClamAV.pm line 120.
>>
>> I have re-installed using Jules' ClamAV/SpamAssassin bundle, done a freshclam and restarted MailScanner and still getting the same. Can't find much in the way of notes about this...!?
>>
> Did the "make test" phase of building the Mail::ClamAV module succeed?
>
> Jules
>
> Hi Jules,
>
> Just back from holiday and picking this one up. Yes, the "make test" runs fine.
>
> I have come across this comment but not sure what to make of it (or what to do)...
>
> http://kobesearch.cpan.org/htdocs/Mail-ClamAV/Mail/ClamAV.pm.html#CL_SCAN_PHISHING_DOMAINLIST
>
> "CL_SCAN_PHISHING_DOMAINLIST
>
> With a minor version bump clamav development team removed this and broke backwards compatibility, so it is no longer supported in this module as of 0.22."
>
> That's the version (0.22) of Mail::ClamAV I am running on the affected server - but it's also that version on servers working OK?
>
> Confused!?
>
I removed the mention of CL_SCAN_PHISHING_DOMAINLIST some time ago, it's certainly not in the latest version.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From MailScanner at ecs.soton.ac.uk Mon Sep 1 14:36:08 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Sep 1 14:36:30 2008
Subject: MailScanner ANNOUNCE: 4.71 stable released
Message-ID: <48BBEFC8.2060500@ecs.soton.ac.uk>

Hi folks!

I have just released a new stable version of MailScanner, version 4.71.

The main changes this month are:

- If a message contains a *.doc document, a new attachment can be added containing the text of the document. This will save your users from having to save the attachment, potentially switch operating systems, and open up Microsoft Word or OpenOffice just to read the words in the document. My users absolutely *love* this feature, it saves them a huge amount of time and hassle when memos are circulated by the management. See the "Add Text Of Doc" setting in MailScanner.conf for more details of how to configure this.
- Updated support for Esets and F-Secure virus scanners.
- Thanks to F-Secure for donating me a set of server licences so I can always be sure that I am supporting the latest versions of their products. Much appreciated!
- One for Fetchmail users: used together with the "--invisible" option to fetchmail, MailScanner will correctly use the IP address of the connecting SMTP client, and not "localhost" or "127.0.0.1" for the IP address in rulesets.
- Added protection against denial-of-service attacks on the HTML text parser Perl module. There is a message involving thousands of tags in circulation which breaks previous versions of MailScanner when they try to analyse the HTML of the email message. This is in no way an attack on MailScanner, but on the underlying HTML::Parser Perl module.
- Improved support of DSN messages from bigfoot.com which incorrectly use the "message/partial" MIME identifier.

Download it all as usual from www.mailscanner.info.

The full Change Log is here:

* New Features and Improvements *
1 Upgraded from File::Temp 0.19 to File::Temp 0.20 to resolve installation problem reported with Fedora Core 8 systems.
2 New Feature: We can now extract the plain text of Microsoft Word (up to 2004) documents in the *.doc format, and add it as new attachments to a message. This is done using the "antiword" program available from http://www.winfield.demon.nl/. There are 3 new configuration settings for this feature:
  "Add Text Of Doc" - This switches the feature on and off. Off by default.
  "Antiword" - Full command to run the antiword binary. Adding "-f" to it makes it highlight emphasized text in the output, which I find helps.
  "Antiword Timeout" - The greatest length of time antiword is allowed to run.
3 Improvement to phishing net, now correctly ignores ':80' in http URLs.
3 Implemented support for Esets version 3.
4 Implemented support for F-Secure 7.01.
5 Added protection against attacks on the HTML text parser (Perl module HTML::Parser) which is used to analyse HTML messages for dangerous tags. There is a message in circulation that breaks this, causing Perl to trigger a "Segmentation Fault". This protection is necessary, but may have an impact on the performance of MailScanner. Until the Perl module is fixed, however, this is very necessary protection for your email systems.
7 Added new option "Read IP Address From Received Header" which you can set to yes if you are running fetchmail and injecting mail from fetchmail into your MTA using SMTP. You need to set the "--invisible" option to fetchmail as well to stop it adding its own "Received:" header. See the "Advanced" section of MailScanner.conf for more info on this.
8 Added new rules to filename.rules.conf to allow for days of the week and months in filenames like my_document.july.doc so they aren't caught by the double filename extension trap.
8 Improved error notification if your permissions on /tmp are all wrong. It now tells you exactly what to type to fix them.
8 Improved VBA32 output parser to handle slightly different new output format.
8 Improved 'partial message' handling to only remove the partial-message section of the message, and not the whole thing. This is particularly relevant to DSNs from bigfoot.com
10 Improved F-Secure scanning within executables.

* Fixes *
3 Improvement to "Sign Clean Messages" so the signature now appears where it should, above any tag as well as above any tag.
6 Fix to Exim support to allow for arbitrarily-named Exim ACLs. Fix kindly provided by dominik.schramm@businessmart.de.
6 Fix for missing watermarks, courtesy of Lasantha Marian.
7 Fix for case when Rebuild Bayes Every = 0 and Bayes is still rebuilt.
7 TNEF attachments will be added with correct filenames when TNEF Expander = internal. It was erroneously adding them with their "safe" filenames.
9 Removed a load of extra debug output code.
9 "Partial messages" are now quarantined correctly.
10 Removed duplicate warning output when "Virus Scanners = none".

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From support-lists at petdoctors.co.uk Mon Sep 1 15:53:07 2008
From: support-lists at petdoctors.co.uk (Nigel Kendrick)
Date: Mon Sep 1 15:53:32 2008
Subject: ClamAV error: Invalid function CL_SCAN_PHISHING_DOMAINLIST
In-Reply-To: <48BBE920.1010605@ecs.soton.ac.uk>
References: <48A58280.4030001@ecs.soton.ac.uk> <48BBE920.1010605@ecs.soton.ac.uk>
Message-ID:

> Confused!?
>
I removed the mention of CL_SCAN_PHISHING_DOMAINLIST some time ago, it's certainly not in the latest version.

Jules

Hi Jules,

I've just installed 4.71.10 and that's fixed it.

Thanks

Nigel

From rwahyudi at gmail.com Mon Sep 1 17:22:29 2008
From: rwahyudi at gmail.com (R Wahyudi)
Date: Mon Sep 1 17:22:53 2008
Subject: mailscanner in ISP
In-Reply-To:
References: <200808071101.m77B0QSC001902@safir.blacknight.ie> <1218189154.1886.79.camel@darkstar.netcore.co.in>
Message-ID: <48BC16C5.90809@gmail.com>

Scott Silva wrote:
> on 8-8-2008 2:52 AM ram spake the following:
>> On Thu, 2008-08-07 at 15:06 +0100, Paulo Roncon wrote:
>>> Hello all,
>>>
>>> I work in a ISP and we want to install mailscanner to stop OUTBOUND spam as its becoming a bottleneck...
>>> I don't have any network metrics, as the guy in charge is out. I'm thinking 1000000 plus messages/day.
>>>
>>> Questions:
>>> -Anyone has ideas of the kind of HW solution needed?

Use dedicated outgoing mail servers that handle just outgoing mail - don't mix outgoing with incoming mail server.
I would go with clusters of less powerful hardware and do load balancing instead of having just one or two powerful hardware. This will provide high availability and allows you to stop a server that is saturated with spam without affecting your service.

>>> -OUTBOUND filtering: It's gonna be *->*. Do you see any problems

Block all outgoing port 25 except to your mail server and ask users to use SMTP auth if they want to connect to external mail. This will reduce A LOT of spam coming out of your users. Most worms send email directly to the internet from the infected host.

I've written an auto-blacklist that will block IP addresses that send more than 4 spam/virus within 5 minutes, ban the IP for 30 minutes, and automatically remove it after 30 minutes. If users get blocked they will get an SMTP error message which redirects them to a website where they can see the reason they got blocked and also display the offending email header as evidence.. and at the same time allows you to upsell your security product.
You can view the rough example here : http://mailwatch.sourceforge.net/doku.php?id=mailwatch:tipandtricks:postfix_auto_blacklist Tips configuring lightweight SA for outgoing mail : - Remove most of the body checking & reverse IP checking .. most of the time they give false positive and this will speed up SA - Skip bayes - use Surbl and increase its scoring highly .. - Do not use dynamic ip blacklist - most of your user will be on dynamic IP - use razor/pyzor and dcc & increase their score MTA tips: - Rate limit is a must - try policyd if you use postfix - Monitor your deferred queue, setup nagios to beep if you see a spike Regards, Rianto Wahyudi From cazahenha at hotmail.com Mon Sep 1 18:26:43 2008 
From: cazahenha at hotmail.com (Caza Henha)
Date: Mon Sep 1 18:26:54 2008
Subject: Rules with IP addresses
In-Reply-To: <48BBD085.4060603@ecs.soton.ac.uk>
References: <48BBD085.4060603@ecs.soton.ac.uk>
Message-ID:

Hi Jules,

Thanks for the answer, I presumed that would be the case, but I was thinking that as our postfix configuration has transport maps it does actually know before sending the mail to our application server what the destination IP address is.

Does this mean then that something like the following would be necessary:

    To: support@example.com store //Ticketing server
    To: issues@example.com store //Ticketing server
    ....
    To: application1@example.com delete //App Server 1
    To: application2@example.com store //App Server 2
    ...
    To: user@example.com delete //Exchange server
    To: user@example.com delete //Exchange server
    .....
    FromOrTo: default deliver //Public Mail server

Bearing in mind that there are 1000s of different email address permutations going to the app servers (writing a script to create the rules is easy) would there be any performance problems with MailScanner reading these files?

Also when using an IP address in the "From" could you direct me to information from the question below:

> > Consequently I have noticed a number of examples have IP addresses in
> > the From section of the rules and I was just wondering where this IP
> > address was coming from and what it can actually be as I cannot seem
> > to find any documentation on it. For example is this IP address (or
> > the RegEx of one) the connecting smtp server (or any smtp server that
> > the mail has passed through), client address, MX address of the
> > sending domain etc or any combination of all the previous?

Regards,

Caza

> Date: Mon, 1 Sep 2008 12:22:45 +0100
> From: MailScanner@ecs.soton.ac.uk
> To: mailscanner@lists.mailscanner.info
> Subject: Re: Rules with IP addresses
>
> Caza Henha wrote:
> > Hi,
> >
> > I have recently installed MailScanner with Postfix and MailWatch and
> > it seems over the last week the system is running great, however I am
> > now getting requests to tweak the default rules that I have from
> > various users in different departments. I have been trying to delve
> > into the nitty-gritty of the rules and understand the principles and
> > they do not seem very complicated and when looking at some examples on
> > the Wiki things shouldn't be too difficult.
> >
> > Consequently I have noticed a number of examples have IP addresses in
> > the From section of the rules and I was just wondering where this IP
> > address was coming from and what it can actually be as I cannot seem
> > to find any documentation on it. For example is this IP address (or
> > the RegEx of one) the connecting smtp server (or any smtp server that
> > the mail has passed through), client address, MX address of the
> > sending domain etc or any combination of all the previous?
> It is the IP address of the machine that was the client end of the SMTP
> connection to the server. So in the case of a customer-facing SMTP
> server, it will be the customer's client IP address. In the case of an
> MX it would be the IP address of the SMTP server talking to you.
> >
> > Also can this be used in a "To" configuration,
> No. Due to the way mail delivery works, you don't know the IP address of
> the destination until you have already started sending the message.
> Can't be done.
>
> Jules
From hvdkooij at vanderkooij.org Mon Sep 1 22:02:57 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Mon Sep 1 22:03:09 2008
Subject: MailScanner ANNOUNCE: 4.71 stable released
In-Reply-To: <48BBEFC8.2060500@ecs.soton.ac.uk>
References: <48BBEFC8.2060500@ecs.soton.ac.uk>
Message-ID: <48BC5881.8010604@vanderkooij.org>

Julian Field wrote:
> Hi folks!
>
> I have just released a new stable version of MailScanner, version 4.71.

I managed to update the yum repository. Things did not break down for me so I hope they will not do so for you either.

I have not yet added anything to help you update the configuration. I think I will need to sleep on that a bit more before I give it a shot.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
From Jeff.Mills at versacold.com.au Mon Sep 1 23:32:39 2008
From: Jeff.Mills at versacold.com.au (Jeff Mills)
Date: Mon Sep 1 23:32:51 2008
Subject: virus detection reporting wrong scanner
In-Reply-To:
References: <48BA9848.3030402@ecs.soton.ac.uk> <48BBCFF3.2000003@ecs.soton.ac.uk>
Message-ID:

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Paul Hutchings
> Sent: Monday, 1 September 2008 11:03 PM
> To: MailScanner discussion
> Subject: RE: virus detection reporting wrong scanner
>
> The lint seems to check out just fine. Maybe my
> understanding is wrong, but I thought that if multiple
> engines caught a virus in a message it listed that multiple
> engines had detected something in the report that's sent to
> postmaster (or wherever) - all I know is I have an entry in
> maillog by vba32 saying it detected a virus, at the same time
> an email was deleted and a report sent to postmaster saying
> it was because clam32 had detected a virus - yet there's no
> report in the postmaster mailbox that mentions vba32.
>

I have a similar issue, but have never bothered with it.
Clamav finds a virus, and MailScanner reports that F-Prot and Bitdefender find it too.

Sep 2 03:16:53 sam MailScanner[8070]: Clamd::INFECTED:: Email.Spam.Gen3737.Sanesecurity.08072802.StormSpam FOUND :: ./8C34AD3E132.E90B8/
Sep 2 03:16:53 sam MailScanner[8070]: Virus Scanning: Clamd found 1 infections
Sep 2 03:16:53 sam MailScanner[8070]: Virus Scanning: F-Prot found 1 infections
Sep 2 03:16:53 sam MailScanner[8070]: Virus Scanning: Bitdefender found 1 infections
Sep 2 03:16:53 sam MailScanner[8070]: Infected message 8C34AD3E132.E90B8 came from 88.243.8.69
Sep 2 03:16:53 sam MailScanner[8070]: Virus Scanning: Found 1 viruses
Sep 2 03:16:53 sam MailScanner[8070]: Virus Scanning completed at 3371 bytes per second
Sep 2 03:16:53 sam MailScanner[8070]: Viruses marked as silent: Clamd: message was infected:
From ismail at ismailozatay.net Tue Sep 2 06:16:48 2008
From: ismail at ismailozatay.net (=?windows-1252?Q?I=2Esmail_=D6ZATAY?=)
Date: Tue Sep 2 06:17:12 2008
Subject: MailScanner ANNOUNCE: 4.71 stable released
In-Reply-To: <48BBEFD0.7080507@ecs.soton.ac.uk>
References: <48BBEFD0.7080507@ecs.soton.ac.uk>
Message-ID: <48BCCC40.4030700@ismailozatay.net>

Julian Field wrote:
> Hi folks!
>
> I have just released a new stable version of MailScanner, version 4.71.
>
> The main changes this month are:
>
> - If a message contains a *.doc document, a new attachment can be added containing the text of the document. This will save your users from having to save the attachment, potentially switch operating systems, and open up Microsoft Word or OpenOffice just to read the words in the document. My users absolutely *love* this feature, it saves them a huge amount of time and hassle when memos are circulated by the management. See the "Add Text Of Doc" setting in MailScanner.conf for more details of how to configure this.
> - Updated support for Esets and F-Secure virus scanners.
> - Thanks to F-Secure for donating me a set of server licences so I can always be sure that I am supporting the latest versions of their products. Much appreciated!
> - One for Fetchmail users: used together with the "--invisible" option to fetchmail, MailScanner will correctly use the IP address of the connecting SMTP client, and not "localhost" or "127.0.0.1" for the IP address in rulesets.
> - Added protection against denial-of-service attacks on the HTML text parser Perl module. There is a message involving thousands of tags in circulation which breaks previous versions of MailScanner when they try to analyse the HTML of the email message. This is in no way an attack on MailScanner, but on the underlying HTML::Parser Perl module.
> - Improved support of DSN messages from bigfoot.com which incorrectly use the "message/partial" MIME identifier.
>
> Download it all as usual from www.mailscanner.info.
>
> The full Change Log is here:
>
> * New Features and Improvements *
> 1 Upgraded from File::Temp 0.19 to File::Temp 0.20 to resolve installation problem reported with Fedora Core 8 systems.
> 2 New Feature: We can now extract the plain text of Microsoft Word (up to 2004) documents in the *.doc format, and add it as new attachments to a message. This is done using the "antiword" program available from http://www.winfield.demon.nl/. There are 3 new configuration settings for this feature:
>   "Add Text Of Doc" - This switches the feature on and off. Off by default.
>   "Antiword" - Full command to run the antiword binary. Adding "-f" to it makes it highlight emphasized text in the output, which I find helps.
>   "Antiword Timeout" - The greatest length of time antiword is allowed to run.
> 3 Improvement to phishing net, now correctly ignores ':80' in http URLs.
> 3 Implemented support for Esets version 3.
> 4 Implemented support for F-Secure 7.01.
> 5 Added protection against attacks on the HTML text parser (Perl module HTML::Parser) which is used to analyse HTML messages for dangerous tags. There is a message in circulation that breaks this, causing Perl to trigger a "Segmentation Fault". This protection is necessary, but may have an impact on the performance of MailScanner. Until the Perl module is fixed, however, this is very necessary protection for your email systems.
> 7 Added new option "Read IP Address From Received Header" which you can set to yes if you are running fetchmail and injecting mail from fetchmail into your MTA using SMTP. You need to set the "--invisible" option to fetchmail as well to stop it adding its own "Received:" header. See the "Advanced" section of MailScanner.conf for more info on this.
> 8 Added new rules to filename.rules.conf to allow for days of the week and months in filenames like my_document.july.doc so they aren't caught by the double filename extension trap.
> 8 Improved error notification if your permissions on /tmp are all wrong. It now tells you exactly what to type to fix them.
> 8 Improved VBA32 output parser to handle slightly different new output format.
> 8 Improved 'partial message' handling to only remove the partial-message section of the message, and not the whole thing. This is particularly relevant to DSNs from bigfoot.com
> 10 Improved F-Secure scanning within executables.
>
> * Fixes *
> 3 Improvement to "Sign Clean Messages" so the signature now appears where it should, above any tag as well as above any tag.
> 6 Fix to Exim support to allow for arbitrarily-named Exim ACLs. Fix kindly provided by dominik.schramm@businessmart.de.
> 6 Fix for missing watermarks, courtesy of Lasantha Marian.
> 7 Fix for case when Rebuild Bayes Every = 0 and Bayes is still rebuilt.
> 7 TNEF attachments will be added with correct filenames when TNEF Expander = internal. It was erroneously adding them with their "safe" filenames.
> 9 Removed a load of extra debug output code.
> 9 "Partial messages" are now quarantined correctly.
> 10 Removed duplicate warning output when "Virus Scanners = none".
>
> Jules
>

Yuppieee ..! I will support you forever Julian...!

Thanks
ismail
From MailScanner at ecs.soton.ac.uk Tue Sep 2 09:00:33 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Sep 2 09:00:58 2008 Subject: Rules with IP addresses In-Reply-To: References: <48BBD085.4060603@ecs.soton.ac.uk> Message-ID: <48BCF2A1.1030001@ecs.soton.ac.uk> Caza Henha wrote: > Hi Jules, > > Thanks for the answer, I presumed that would be the case, but I was > thinking that as our postfix configuration has transport maps it does > actually know before sending the mail to our application server what > the destination IP address is. But that is not the general case, and I'm certainly not going to start processing entire Postfix configurations in an attempt to work it out. Sorry :( > Does this mean then that something like the following would be necessary: > > To: support@example.com store > //Ticketing server > To: issues@example.com store > //Ticketing server > .... > To: application1@example.com > delete //App Server 1 > To: application2@example.com > store //App Server 2 > ... > To: user@example.com delete > //Exchange server > To: user@example.com delete > //Exchange server > ..... > FromOrTo: default deliver //Public Mail server > > Bearing in mind that there are 1000s of different email address > permutations going to the app servers (writing a script to create the > rules is easy) would there be any performance problems with > Mailscanner reading these files? I wouldn't advise more than 1000 or so rules in a ruleset file. For anything bigger than that use a Custom Function. I suspect yours could be written as a Custom Function quite easily. Take a look in /usr/lib/MailScanner/MailScanner/CustomFunctions/*.pm and you'll see how to do it. Not hard if you know a bit of Perl. 
> Also when using an IP address in the "From" could you direct me to > information from the question below: > > > > Consequently I have noticed a number of examples have IP addresses in > > > the From section of the rules and I was just wondering where this IP > > > address was coming from and what it can actually be as I cannot seem > > > to find any documentation on it. For example is this IP address (or > > > the RegEx of one) the connecting smtp server (or any smtp server that > > > the mail has passed through), client address, MX address of the > > > sending domain etc or any combination of all the previous? I answered that in my previous mail, I believe. Here it is again copy-and-pasted from the quote below: > It is the IP address of the machine that was the client end of the SMTP > connection to the server. So in the case of a customer-facing SMTP > server, it will be the customer's client IP address. In the case of an > MX it would be the IP address of the SMTP server talking to you. > > > Date: Mon, 1 Sep 2008 12:22:45 +0100 
> > From: MailScanner@ecs.soton.ac.uk > > To: mailscanner@lists.mailscanner.info > > Subject: Re: Rules with IP addresses > > > > > > > > Caza Henha wrote: > > > > > > Hi, > > > > > > I have recently installed Mailscanner with Postfix and MailWatch and > > > it seems over the last week the system is running great, however I am > > > now getting requests to tweak the default rules that I have from > > > various users in different departments. I have been trying to delve > > > into the knitty gritty of the rules and understand the principles and > > > they do not seem very complicated and when looking at some > examples on > > > the Wiki things shouldn't be to difficult. > > > > > > Consequently I have noticed a number of examples have IP addresses in > > > the From section of the rules and I was just wondering where this IP > > > address was coming from and what it can actually be as I cannot seem > > > to find any documentation on it. For example is this IP address (or > > > the RegEx of one) the connecting smtp server (or any smtp server that > > > the mail has passed through), client address, MX address of the > > > sending domain etc or any combination of all the previous? > > It is the IP address of the machine that was the client end of the SMTP > > connection to the server. So in the case of a customer-facing SMTP > > server, it will be the customer's client IP address. In the case of an > > MX it would be the IP address of the SMTP server talking to you. > > > > > > Also can this be used in a "To" configuration, > > No. Due to the way mail delivery works, you don't know the IP > address of > > the destination until you have already started sending the message. > > Can't be done. > > > > Jules > > > > -- > > Julian Field MEng CITP CEng > > www.MailScanner.info > > Buy the MailScanner book at www.MailScanner.info/store > > > > Need help customising MailScanner? > > Contact me! > > Need help fixing or optimising your systems? > > Contact me! 
> > Need help getting you started solving new requirements from your boss? > > Contact me! > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > > > -- > > This message has been scanned for viruses and > > dangerous content by MailScanner, and is > > believed to be clean. > > > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > > ------------------------------------------------------------------------ > Try Facebook in Windows Live Messenger! Try it Now! > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Tue Sep 2 09:01:41 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Sep 2 09:02:01 2008 Subject: virus detection reporting wrong scanner In-Reply-To: References: <48BA9848.3030402@ecs.soton.ac.uk> <48BBCFF3.2000003@ecs.soton.ac.uk> Message-ID: <48BCF2E5.3000001@ecs.soton.ac.uk> Jeff Mills wrote: > > > >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf >> Of Paul Hutchings >> Sent: Monday, 1 September 2008 11:03 PM >> To: MailScanner discussion >> Subject: RE: virus detection reporting wrong scanner >> >> The lint seems to check out just fine. Maybe my >> understanding is wrong, but I thought that if multiple >> engines caught a virus in a message it listed that multiple >> engines had detected something in the report that's sent to >> postmaster (or wherever) - all I know is I have an entry in >> maillog by vba32 saying it detected a virus, at the same time >> an email was deleted and a report sent to postmaster saying >> it was because clam32 had detected a virus - yet there's no >> report in the postmaster mailbox that mentions vba32. >> >> > > I have a similar issue, but have never bothered with it. > Clamav finds a virus, and MailScanner reports that F-Prot and > Bitdefender find it too. > What does your "Virus Scanners =" line say in MailScanner.conf? > > Sep 2 03:16:53 sam MailScanner[8070]: Clamd::INFECTED:: > Email.Spam.Gen3737.Sanesecurity.08072802.StormSpam FOUND :: > ./8C34AD3E132.E90B8/ > Sep 2 03:16:53 sam MailScanner[8070]: Virus Scanning: Clamd found 1 > infections > Sep 2 03:16:53 sam MailScanner[8070]: Virus Scanning: F-Prot found 1 > infections > Sep 2 03:16:53 sam MailScanner[8070]: Virus Scanning: Bitdefender found > 1 infections > Sep 2 03:16:53 sam MailScanner[8070]: Infected message > 8C34AD3E132.E90B8 came from 88.243.8.69 > Sep 2 03:16:53 sam MailScanner[8070]: Virus Scanning: Found 1 viruses > Sep 2 03:16:53 sam MailScanner[8070]: Virus Scanning completed at 3371 > bytes per second > Sep 2 03:16:53 sam MailScanner[8070]: Viruses marked as silent: Clamd: > message was infected: > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! 
Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
From gmatt at nerc.ac.uk Tue Sep 2 09:29:30 2008
From: gmatt at nerc.ac.uk (Greg Matthews)
Date: Tue Sep 2 09:30:05 2008
Subject: mailscanner in ISP
In-Reply-To: <48BC16C5.90809@gmail.com>
References: <200808071101.m77B0QSC001902@safir.blacknight.ie> <1218189154.1886.79.camel@darkstar.netcore.co.in> <48BC16C5.90809@gmail.com>
Message-ID: <48BCF96A.2090707@nerc.ac.uk>

R Wahyudi wrote:
> your security product. You can view the rough example here :
> http://mailwatch.sourceforge.net/doku.php?id=mailwatch:tipandtricks:postfix_auto_blacklist

Hey, that's a pretty good example of making good use of the mailwatch database. That script could quite easily be adapted to sendmail too. Just print the correct foo to /etc/mail/access and a call to makemap, e.g.

    print FILE "connect:$ip ERROR:$reject_message"

where $reject_message is the optional text which could also include your preferred DSN code.

Nice.

G

--
Greg Matthews 01491 692445
Head of UNIX/Linux, iTSS Wallingford
From cazahenha at hotmail.com Tue Sep 2 12:46:55 2008
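As an added example (not the linked MailWatch script and not code from either poster), here is the policy R Wahyudi describes, more than 4 spam/virus messages from one client IP within 5 minutes leading to a 30-minute ban that then lapses, written in Python with output in both the Postfix access(5) form and the sendmail form from Greg Matthews's reply. It assumes detections have already been pulled out as (time, client IP) pairs; the class and function names, the sample addresses and the info URL are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)     # look-back window from the post
THRESHOLD = 4                     # ban on MORE than 4 hits inside the window
BAN_TIME = timedelta(minutes=30)  # ban length; the entry is dropped afterwards


class AutoBlacklist:
    """Per-client-IP counter of spam/virus hits with timed bans."""

    def __init__(self):
        self.hits = defaultdict(deque)  # client IP -> times of recent hits
        self.banned = {}                # client IP -> time the ban ends

    def expire(self, now):
        """Drop every ban whose 30 minutes are over."""
        for ip in [ip for ip, until in self.banned.items() if until <= now]:
            del self.banned[ip]

    def record(self, when, ip):
        """Count one spam/virus hit for ip; True if this hit starts a ban."""
        self.expire(when)
        if ip in self.banned:
            return False               # already blocked, nothing to add
        recent = self.hits[ip]
        recent.append(when)
        while when - recent[0] > WINDOW:
            recent.popleft()           # forget hits older than the window
        if len(recent) > THRESHOLD:
            self.banned[ip] = when + BAN_TIME
            del self.hits[ip]          # count from zero again after the ban
            return True
        return False

    def postfix_access(self, now, info_url):
        """Entries for a Postfix check_client_access table (access(5))."""
        self.expire(now)
        return [f"{ip}\tREJECT Blocked for sending spam/virus mail, see {info_url}"
                for ip in sorted(self.banned)]

    def sendmail_access(self, now, reject_message):
        """Entries in the /etc/mail/access form given in the reply above."""
        self.expire(now)
        return [f"connect:{ip}\tERROR:{reject_message}"
                for ip in sorted(self.banned)]


def ts(hhmmss):
    """Timestamp on the (constructed) sample day."""
    return datetime.strptime("2008-09-01 " + hhmmss, "%Y-%m-%d %H:%M:%S")


# Constructed sample: one (time, SMTP client IP) pair per message that the
# scanner flagged as spam or virus. Addresses are documentation ranges.
SAMPLE_EVENTS = (
    [(ts(f"10:0{m}:00"), "192.0.2.10") for m in range(5)]      # 5 hits in 4 minutes
    + [(ts(f"10:0{m}:30"), "192.0.2.20") for m in range(4)]    # 4 hits: at the limit
    + [(ts(f"10:{m:02d}:00"), "198.51.100.7") for m in (0, 6, 12, 18, 24)]  # slow
)


def replay(events):
    """Feed events in time order; return the blacklist and the bans it started."""
    blacklist = AutoBlacklist()
    started = []
    for when, ip in sorted(events):
        if blacklist.record(when, ip):
            started.append((ip, when))
    return blacklist, started


if __name__ == "__main__":
    url = "http://mail.example.net/blocked"  # hypothetical info page
    blacklist, started = replay(SAMPLE_EVENTS)
    for ip, when in started:
        print(f"{when:%H:%M:%S} ban {ip} until {blacklist.banned[ip]:%H:%M:%S}")
    print("\n".join(blacklist.postfix_access(ts("10:20:00"), url)))
    print("\n".join(blacklist.sendmail_access(ts("10:20:00"), "550 Blocked, see " + url)))
    print("still listed at 10:34:", blacklist.postfix_access(ts("10:34:00"), url))
```

The generated file still has to be compiled into a lookup table (postmap for Postfix, makemap for sendmail, as the reply above notes) each time the list changes.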
From: cazahenha at hotmail.com (Caza Henha)
Date: Tue Sep 2 12:47:05 2008
Subject: Rules with IP addresses
In-Reply-To: <48BCF2A1.1030001@ecs.soton.ac.uk>
References: <48BBD085.4060603@ecs.soton.ac.uk> <48BCF2A1.1030001@ecs.soton.ac.uk>
Message-ID:

Hi Jules,

I considered that transport maps in postfix was not the general case and was not suggesting that it is something that should be worked into the product, not unless it was specifically warranted. I will look into the CustomFunctions as I do know a bit of Perl and sorry you did answer the question initially, just my eyes not working so good sitting at a screen all day... Just as a quick question though, does an amendment to a ruleset require a restart of MailScanner?

Regards

Caza

> Date: Tue, 2 Sep 2008 09:00:33 +0100
From: MailScanner@ecs.soton.ac.uk> To: mailscanner@lists.mailscanner.info> Subject: Re: Rules with IP addresses> > > > Caza Henha wrote:> > Hi Jules,> > > > Thanks for the answer, I presumed that would be the case, but I was > > thinking that as our postfix configuration has transport maps it does > > actually know before sending the mail to our application server what > > the destination IP address is.> But that is not the general case, and I'm certainly not going to start > processing entire Postfix configurations in an attempt to work it out. > Sorry :(> > Does this mean then that something like the following would be necessary:> > > > To: support@example.com store > > //Ticketing server> > To: issues@example.com store > > //Ticketing server> > ....> > To: application1@example.com > > delete //App Server 1> > To: application2@example.com > > store //App Server 2> > ...> > To: user@example.com delete > > //Exchange server> > To: user@example.com delete > > //Exchange server> > .....> > FromOrTo: default deliver //Public Mail server> > > > Bearing in mind that there are 1000s of different email address > > permutations going to the app servers (writing a script to create the > > rules is easy) would there be any performance problems with > > Mailscanner reading these files?> I wouldn't advise more than 1000 or so rules in a ruleset file. For > anything bigger than that use a Custom Function. I suspect yours could > be written as a Custom Function quite easily. Take a look in > /usr/lib/MailScanner/MailScanner/CustomFunctions/*.pm and you'll see how > to do it. 
Not hard if you know a bit of Perl.> > Also when using an IP address in the "From" could you direct me to > > information from the question below:> > > > > > Consequently I have noticed a number of examples have IP addresses in> > > > the From section of the rules and I was just wondering where this IP> > > > address was coming from and what it can actually be as I cannot seem> > > > to find any documentation on it. For example is this IP address (or> > > > the RegEx of one) the connecting smtp server (or any smtp server that> > > > the mail has passed through), client address, MX address of the> > > > sending domain etc or any combination of all the previous?> I answered that in my previous mail, I believe. Here it is again > copy-and-pasted from the quote below:> > > It is the IP address of the machine that was the client end of the SMTP> > connection to the server. So in the case of a customer-facing SMTP> > server, it will be the customer's client IP address. In the case of an> > MX it would be the IP address of the SMTP server talking to you.> > > > > Date: Mon, 1 Sep 2008 12:22:45 +0100> 
> > From: MailScanner@ecs.soton.ac.uk> > > To: mailscanner@lists.mailscanner.info> > > Subject: Re: Rules with IP addresses> > >> > >> > >> > > Caza Henha wrote:> > > >> > > > Hi,> > > >> > > > I have recently installed Mailscanner with Postfix and MailWatch and> > > > it seems over the last week the system is running great, however I am> > > > now getting requests to tweak the default rules that I have from> > > > various users in different departments. I have been trying to delve> > > > into the knitty gritty of the rules and understand the principles and> > > > they do not seem very complicated and when looking at some > > examples on> > > > the Wiki things shouldn't be to difficult.> > > >> > > > Consequently I have noticed a number of examples have IP addresses in> > > > the From section of the rules and I was just wondering where this IP> > > > address was coming from and what it can actually be as I cannot seem> > > > to find any documentation on it. For example is this IP address (or> > > > the RegEx of one) the connecting smtp server (or any smtp server that> > > > the mail has passed through), client address, MX address of the> > > > sending domain etc or any combination of all the previous?> > > It is the IP address of the machine that was the client end of the SMTP> > > connection to the server. So in the case of a customer-facing SMTP> > > server, it will be the customer's client IP address. In the case of an> > > MX it would be the IP address of the SMTP server talking to you.> > > >> > > > Also can this be used in a "To" configuration,> > > No. 
Due to the way mail delivery works, you don't know the IP > > address of> > > the destination until you have already started sending the message.> > > Can't be done.> > >> > > Jules> > >> > > --> > > Julian Field MEng CITP CEng> > > www.MailScanner.info> > > Buy the MailScanner book at www.MailScanner.info/store> > >> > > Need help customising MailScanner?> > > Contact me!> > > Need help fixing or optimising your systems?> > > Contact me!> > > Need help getting you started solving new requirements from your boss?> > > Contact me!> > >> > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654> > >> > >> > > --> > > This message has been scanned for viruses and> > > dangerous content by MailScanner, and is> > > believed to be clean.> > >> > > --> > > MailScanner mailing list> > > mailscanner@lists.mailscanner.info> > > http://lists.mailscanner.info/mailman/listinfo/mailscanner> > >> > > Before posting, read http://wiki.mailscanner.info/posting> > >> > > Support MailScanner development - buy the book off the website!> >> >> > ------------------------------------------------------------------------> > Try Facebook in Windows Live Messenger! Try it Now! > > > > Jules> > -- > Julian Field MEng CITP CEng> www.MailScanner.info> Buy the MailScanner book at www.MailScanner.info/store> > Need help customising MailScanner?> Contact me!> Need help fixing or optimising your systems?> Contact me!> Need help getting you started solving new requirements from your boss?> Contact me!> > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654> > > -- > This message has been scanned for viruses and> dangerous content by MailScanner, and is> believed to be clean.> > -- > MailScanner mailing list> mailscanner@lists.mailscanner.info> http://lists.mailscanner.info/mailman/listinfo/mailscanner> > Before posting, read http://wiki.mailscanner.info/posting> > Support MailScanner development - buy the book off the website! 
From alex at rtpty.com Tue Sep 2 12:56:59 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Tue Sep 2 12:57:16 2008
Subject: Rules with IP addresses
In-Reply-To:
References: <48BBD085.4060603@ecs.soton.ac.uk> <48BCF2A1.1030001@ecs.soton.ac.uk>
Message-ID: <4F3F694B-4E3D-4221-9BE2-822D264A0896@rtpty.com>

Reload, I believe, would be sufficient.

Sent from my iPhone

On Sep 2, 2008, at 6:46 AM, Caza Henha wrote:
> Hi Jules,
>
> I considered that transport maps in postfix was not the general case
> and was not suggesting that it is something that should be worked
> into the product, not unless it was specifically warranted. I will
> look into the CustomFunctions as I do know a bit of Perl and sorry
> you did answer the question initially, just my eyes not working so
> good sitting at a screen all day... Just as a quick question though,
> does an amendment to a ruleset require a restart of MailScanner?
>
> Regards
>
> Caza
>
> > Date: Tue, 2 Sep 2008 09:00:33 +0100
> > From: MailScanner@ecs.soton.ac.uk > > To: mailscanner@lists.mailscanner.info > > Subject: Re: Rules with IP addresses > > > > > > > > Caza Henha wrote: > > > Hi Jules, > > > > > > Thanks for the answer, I presumed that would be the case, but I > was > > > thinking that as our postfix configuration has transport maps it > does > > > actually know before sending the mail to our application server > what > > > the destination IP address is. > > But that is not the general case, and I'm certainly not going to > start > > processing entire Postfix configurations in an attempt to work it > out. > > Sorry :( > > > Does this mean then that something like the following would be > necessary: > > > > > > To: support@example.com store > > > //Ticketing server > > > To: issues@example.com store > > > //Ticketing server > > > .... > > > To: application1@example.com > > > delete //App Server 1 > > > To: application2@example.com > > > store //App Server 2 > > > ... > > > To: user@example.com delete > > > //Exchange server > > > To: user@example.com delete > > > //Exchange server > > > ..... > > > FromOrTo: default deliver //Public Mail server > > > > > > Bearing in mind that there are 1000s of different email address > > > permutations going to the app servers (writing a script to > create the > > > rules is easy) would there be any performance problems with > > > Mailscanner reading these files? > > I wouldn't advise more than 1000 or so rules in a ruleset file. For > > anything bigger than that use a Custom Function. I suspect yours > could > > be written as a Custom Function quite easily. Take a look in > > /usr/lib/MailScanner/MailScanner/CustomFunctions/*.pm and you'll > see how > > to do it. Not hard if you know a bit of Perl. 
> > > Also when using an IP address in the "From" could you direct me to > > > information from the question below: > > > > > > > > Consequently I have noticed a number of examples have IP > addresses in > > > > > the From section of the rules and I was just wondering where > this IP > > > > > address was coming from and what it can actually be as I > cannot seem > > > > > to find any documentation on it. For example is this IP > address (or > > > > > the RegEx of one) the connecting smtp server (or any smtp > server that > > > > > the mail has passed through), client address, MX address of > the > > > > > sending domain etc or any combination of all the previous? > > I answered that in my previous mail, I believe. Here it is again > > copy-and-pasted from the quote below: > > > > > It is the IP address of the machine that was the client end of > the SMTP > > > connection to the server. So in the case of a customer-facing SMTP > > > server, it will be the customer's client IP address. In the case > of an > > > MX it would be the IP address of the SMTP server talking to you. > > > > > > > Date: Mon, 1 Sep 2008 12:22:45 +0100 
> > > > From: MailScanner@ecs.soton.ac.uk > > > > To: mailscanner@lists.mailscanner.info > > > > Subject: Re: Rules with IP addresses > > > > > > > > > > > > > > > > Caza Henha wrote: > > > > > > > > > > Hi, > > > > > > > > > > I have recently installed Mailscanner with Postfix and > MailWatch and > > > > > it seems over the last week the system is running great, > however I am > > > > > now getting requests to tweak the default rules that I have > from > > > > > various users in different departments. I have been trying > to delve > > > > > into the knitty gritty of the rules and understand the > principles and > > > > > they do not seem very complicated and when looking at some > > > examples on > > > > > the Wiki things shouldn't be to difficult. > > > > > > > > > > Consequently I have noticed a number of examples have IP > addresses in > > > > > the From section of the rules and I was just wondering where > this IP > > > > > address was coming from and what it can actually be as I > cannot seem > > > > > to find any documentation on it. For example is this IP > address (or > > > > > the RegEx of one) the connecting smtp server (or any smtp > server that > > > > > the mail has passed through), client address, MX address of > the > > > > > sending domain etc or any combination of all the previous? > > > > It is the IP address of the machine that was the client end of > the SMTP > > > > connection to the server. So in the case of a customer-facing > SMTP > > > > server, it will be the customer's client IP address. In the > case of an > > > > MX it would be the IP address of the SMTP server talking to you. > > > > > > > > > > Also can this be used in a "To" configuration, > > > > No. Due to the way mail delivery works, you don't know the IP > > > address of > > > > the destination until you have already started sending the > message. > > > > Can't be done. 
> > > > > > > > Jules > > > > > > > > -- > > > > Julian Field MEng CITP CEng > > > > www.MailScanner.info > > > > Buy the MailScanner book at www.MailScanner.info/store > > > > > > > > Need help customising MailScanner? > > > > Contact me! > > > > Need help fixing or optimising your systems? > > > > Contact me! > > > > Need help getting you started solving new requirements from > your boss? > > > > Contact me! > > > > > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > > > > > > > > > -- > > > > This message has been scanned for viruses and > > > > dangerous content by MailScanner, and is > > > > believed to be clean. > > > > > > > > -- > > > > MailScanner mailing list > > > > mailscanner@lists.mailscanner.info > > > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > > > > > Support MailScanner development - buy the book off the website! > > > > > > > > > > --- > --------------------------------------------------------------------- > > > Try Facebook in Windows Live Messenger! Try it Now! > > > > > > > Jules > > > > -- > > Julian Field MEng CITP CEng > > www.MailScanner.info > > Buy the MailScanner book at www.MailScanner.info/store > > > > Need help customising MailScanner? > > Contact me! > > Need help fixing or optimising your systems? > > Contact me! > > Need help getting you started solving new requirements from your > boss? > > Contact me! > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > > > -- > > This message has been scanned for viruses and > > dangerous content by MailScanner, and is > > believed to be clean. > > > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! 
From MailScanner at ecs.soton.ac.uk Tue Sep 2 13:47:35 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Sep 2 13:47:58 2008
Subject: Rules with IP addresses
In-Reply-To:
References: <48BBD085.4060603@ecs.soton.ac.uk> <48BCF2A1.1030001@ecs.soton.ac.uk>
Message-ID: <48BD35E7.1010601@ecs.soton.ac.uk>

Caza Henha wrote:
> Hi Jules,
>
> I considered that transport maps in postfix was not the general case and was not suggesting that it is something that should be worked into the product, not unless it was specifically warranted. I will look into the CustomFunctions as I do know a bit of Perl and sorry you did answer the question initially, just my eyes not working so good sitting at a screen all day... Just as a quick question though, does an amendment to a ruleset require a restart of MailScanner?
No, just a "service MailScanner reload" or send a HUP to the master MailScanner process, at which point all the children will commit suicide and be re-spawned by the master.
>
> Regards
>
> Caza

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From campbell at cnpapers.com Tue Sep 2 15:11:48 2008
From: campbell at cnpapers.com (Steve Campbell)
Date: Tue Sep 2 15:16:44 2008
Subject: CVD extraction failure
In-Reply-To: <223f97700808300110v4fe2b32fodecf06607fb01ec2@mail.gmail.com>
References: <48B81488.6030807@cnpapers.com> <223f97700808300110v4fe2b32fodecf06607fb01ec2@mail.gmail.com>
Message-ID: <48BD49A4.3070607@cnpapers.com>

Glenn Steen wrote:
>
> 2008/8/29 Steve Campbell
>
> I hate to ask a question about old version stuff, but we're in the middle of some changes here that just do not let me get around to updating MS. I'm running 4.58.9.
>
> I started updating the world of Clam/SA and got stopped before I could get to MS. I now see "ERROR: CVD extraction failure" messages in my log file. I'm assuming this has to do with new ClamAV/ old MS and did my best to try and find where the message is coming from. Couldn't find a clue in any of the update scripts, etc.
>
> Any help would be appreciated, and any explanation as to the severity of the message would be gratefully appreciated also.
>
> Thanks
>
> Steve Campbell
>
> Do you get the same from freshclam? The clamav-autoupdate basically just run freshclam...
> Perhaps you have multiple clamav installed (or "leftovers" from more than one)? Check your virus.scanners.conf for the relevant one you are using:). As always, one install of the latest stable is best.
> The error itself is ... pretty severe, I'd think, since you will lack proper updates until fixed.
>
> Cheers
> --
>
Thanks Glenn,

I checked freshclam, ran it manually, and found that the log file wasn't created. I touched the file, re-modded it to 777, and ran freshclam, and all was well. But I am still getting the CVD errors. I had checked the update-wrapper and autoupdate scripts before inquiring and saw nothing that looked wrong. For all I know, this may not even be Clam, now that I think about it, as the error log entry just says MailScanner, so it could be Bitdefender instead. I removed bitdefender and reloaded MS, but still am seeing the error, so I believe it is Clam related.

Thanks.

Steve

From ssilva at sgvwater.com Tue Sep 2 16:20:07 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Sep 2 16:20:08 2008
Subject: MailScanner Watermark Plugin For Microsoft Exchange 2007
In-Reply-To:
References: <48B7C397.5010508@ecs.soton.ac.uk><004401c909bd$ce4b2570$6ae17050$@dk>
Message-ID:

on 8-29-2008 11:02 AM Kevin Miller spake the following:
> Scott Silva wrote:
>> I am surprised at how much mail I still see sent from Exchange 6.5!
>>
>> Isn't that from back in the NT 4.0 days?
>
> That would be 5.5 I think. But there's still some of those around. 6.5 is Exchange 2003. Between them was Exchange 2000, presumably 6.0. I wonder why Microsoft counts in fives?
>
> ...Kevin
Maybe they have got their fingers caught in the cookie jar so many times that they can only use their thumbs to count! ;-P

But thanks for the info.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From craigwhite at azapple.com Tue Sep 2 16:37:03 2008
From: craigwhite at azapple.com (Craig White)
Date: Tue Sep 2 16:44:57 2008
Subject: MailScanner Watermark Plugin For Microsoft Exchange 2007
In-Reply-To:
References: <48B7C397.5010508@ecs.soton.ac.uk><004401c909bd$ce4b2570$6ae17050$@dk>
Message-ID: <1220369823.16070.29.camel@lin-workstation.azapple.com>

On Tue, 2008-09-02 at 08:20 -0700, Scott Silva wrote:
> on 8-29-2008 11:02 AM Kevin Miller spake the following:
> > Scott Silva wrote:
> >> I am surprised at how much mail I still see sent from Exchange 6.5!
> >>
> >> Isn't that from back in the NT 4.0 days?
> >
> > That would be 5.5 I think. But there's still some of those around. 6.5 is Exchange 2003. Between them was Exchange 2000, presumably 6.0. I wonder why Microsoft counts in fives?
> >
> > ...Kevin
> Maybe they have got their fingers caught in the cookie jar so many times that they can only use their thumbs to count! ;-P
----
because experienced admins know to skip the .0 release

Craig

From glenn.steen at gmail.com Tue Sep 2 16:56:43 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Sep 2 16:56:53 2008
Subject: CVD extraction failure
In-Reply-To: <48BD49A4.3070607@cnpapers.com>
References: <48B81488.6030807@cnpapers.com> <223f97700808300110v4fe2b32fodecf06607fb01ec2@mail.gmail.com> <48BD49A4.3070607@cnpapers.com>
Message-ID: <223f97700809020856x72dbe9eao757a2d09b985788e@mail.gmail.com>

2008/9/2 Steve Campbell

> Thanks Glenn,
>
> I checked freshclam, ran it manually, and found that the log file wasn't created. I touched the file, re-modded it to 777, and ran freshclam, and all was well. But I am still getting the CVD errors. I had checked the update-wrapper and autoupdate scripts before inquiring and saw nothing that looked wrong. For all I know, this may not even be Clam, now that I think about it, as the error log entry just says MailScanner, so it could be Bitdefender instead. I removed bitdefender and reloaded MS, but still am seeing the error, so I believe it is Clam related.
>
> Thanks.
>
> Steve

Do you run clamavmodule? Then I'd guess at a Mail::Clamav/libclamav mismatch... What version of clamav did you move to?

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From rjette at mestek.com Tue Sep 2 17:32:15 2008
From: rjette at mestek.com (Raymond Jette)
Date: Tue Sep 2 17:32:26 2008
Subject: sa-learn with an Exchange server
In-Reply-To:
References: <6341E9EE11D6AC4B84D3225C0E8C6BAB8E1D1C@mtsrv-ex004.mestekcorp.com><6341E9EE11D6AC4B84D3225C0E8C6BAB8E1D27@mtsrv-ex004.mestekcorp.com><6341E9EE11D6AC4B84D3225C0E8C6BAB8E1D3C@mtsrv-ex004.mestekcorp.com>
Message-ID: <6341E9EE11D6AC4B84D3225C0E8C6BAB8E1F24@mtsrv-ex004.mestekcorp.com>

Thanks. Will the /etc/mail/spamassassin directory be replaced during an upgrade?

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ehle, Roland
Sent: Friday, August 29, 2008 1:34 PM
To: MailScanner discussion
Subject: AW: sa-learn with an Exchange server

Raymond,

all files ending in .cf located in /etc/mail/spamassassin are used by SpamAssassin. Of course you could put custom rules into /etc/MailScanner/spam.assassin.prefs.conf too, but I would not recommend to do so. Please keep in mind to do a test after implementing new rules.

Regards,
Roland

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Raymond Jette
Sent: Friday, 29 August 2008 16:12
To: MailScanner discussion
Subject: RE: sa-learn with an Exchange server

Thanks for the link. I'll take a look at this. I am in the process of fighting spam in only one place. I just implemented Postfix, MS, SpamAssassin a few months ago. I'm still in the process of removing IMF. You're right about all of the false positives. I host mail for 37 domains. I receive a lot of spam still (not as much as before) and I'm always looking for more ways to improve the system. Where is the correct location to put custom SA rules? I have read /etc/mail/SpamAssassin. Is this correct even when running MS? Does anyone have any good links on creating custom rules?

Thanks,
Ray

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ehle, Roland
Sent: Friday, August 29, 2008 9:53 AM
To: MailScanner discussion
Subject: AW: sa-learn with an Exchange server

You should fight spam at one place only. The spam detection included in Exchange 2003/2007 is not very reliable, as it produces many false positives. See my last mail, this should give you a hint.

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Raymond Jette
Sent: Friday, 29 August 2008 15:40
To: MailScanner discussion
Subject: RE: sa-learn with an Exchange server

I also have thousands of spam messages that IMF is removing on my Exchange server. Is there a way to have SpamAssassin learn these messages?

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Raymond Jette
Sent: Friday, August 29, 2008 9:29 AM
To: mailscanner@lists.mailscanner.info
Subject: sa-learn with an Exchange server

Good morning,

What is the best way to do an sa-learn with an Exchange server? I have a spam mailbox where users have been forwarding spam. The problem is that they forwarded the mail so the message headers have changed. Is there a way to remove local headers from my mail systems or will I have to do this by hand?

Thanks for the help,
Ray

From paul.hutchings at mira.co.uk Tue Sep 2 17:39:42 2008
From: paul.hutchings at mira.co.uk (Paul Hutchings)
Date: Tue Sep 2 17:40:00 2008
Subject: virus detection reporting wrong scanner
References: <48BA9848.3030402@ecs.soton.ac.uk> <48BBCFF3.2000003@ecs.soton.ac.uk>
Message-ID:

Interestingly (or not) it seems that reports are saying when infections are detected by avg, but still nothing on vba32 despite maillog saying that clamd, vba32 and avg detected infections.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jeff Mills
Sent: 01 September 2008 23:33
To: MailScanner discussion
Subject: RE: virus detection reporting wrong scanner

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Paul Hutchings
> Sent: Monday, 1 September 2008 11:03 PM
> To: MailScanner discussion
> Subject: RE: virus detection reporting wrong scanner
>
> The lint seems to check out just fine. Maybe my understanding is wrong, but I thought that if multiple engines caught a virus in a message it listed that multiple engines had detected something in the report that's sent to postmaster (or wherever) - all I know is I have an entry in maillog by vba32 saying it detected a virus, at the same time an email was deleted and a report sent to postmaster saying it was because clam32 had detected a virus - yet there's no report in the postmaster mailbox that mentions vba32.
>

I have a similar issue, but have never bothered with it. Clamav finds a virus, and MailScanner reports that F-Prot and Bitdefender find it too.

Sep 2 03:16:53 sam MailScanner[8070]: Clamd::INFECTED:: Email.Spam.Gen3737.Sanesecurity.08072802.StormSpam FOUND :: ./8C34AD3E132.E90B8/
Sep 2 03:16:53 sam MailScanner[8070]: Virus Scanning: Clamd found 1 infections
Sep 2 03:16:53 sam MailScanner[8070]: Virus Scanning: F-Prot found 1 infections
Sep 2 03:16:53 sam MailScanner[8070]: Virus Scanning: Bitdefender found 1 infections
Sep 2 03:16:53 sam MailScanner[8070]: Infected message 8C34AD3E132.E90B8 came from 88.243.8.69
Sep 2 03:16:53 sam MailScanner[8070]: Virus Scanning: Found 1 viruses
Sep 2 03:16:53 sam MailScanner[8070]: Virus Scanning completed at 3371 bytes per second
Sep 2 03:16:53 sam MailScanner[8070]: Viruses marked as silent: Clamd: message was infected:

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

--
MIRA Ltd

Watling Street, Nuneaton, Warwickshire, CV10 0TU, England.

Registered in England and Wales No. 402570
VAT Registration GB 114 5409 96

The contents of this e-mail are confidential and are solely for the use of the intended recipient. If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax. You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited.

From dnsadmin at 1bigthink.com Tue Sep 2 18:01:36 2008
From: dnsadmin at 1bigthink.com (dnsadmin 1bigthink.com)
Date: Tue Sep 2 18:01:57 2008
Subject: FYI ALL: Fwd: [Clamav-announce] announcing ClamAV 0.94
Message-ID: <200809021701.m82H1hBZ014534@mxt.1bigthink.com>

>Dear ClamAV users,
>
>Sourcefire and the ClamAV team are pleased to announce the release of ClamAV 0.94. The following are the key features and improvements of this version:
>
> - Logical Signatures: The logical signature technology uses operators such as AND, OR and NOT to allow the combination of more than one signature into one entry in the signature database resulting in more detailed and flexible pattern matching.
>
> - Anti-phishing Technology: Users can now change the priority and reporting of ClamAV's heuristic anti-phishing scanner within the detection engine process. They can choose whether, when scanning a suspicious file, ClamAV should stop scanning and report the phish, or continue to scan in case the file contains other malware (clamd: HeuristicScanPrecedence, clamscan: --heuristic-scan-precedence)
>
> - Disassembly Engine: The initial version of the disassembly engine improves ClamAV's detection abilities.
>
> - PUA Detection: Users can now decide which PUA signatures should be loaded (clamd: ExcludePUA, IncludePUA; clamscan: --exclude-pua, --include-pua)
>
> - Data Loss Prevention (DLP): This version includes a new module that, when enabled, scans data for the inclusion of US formatted Social Security Numbers and credit card numbers (clamd: StructuredDataDetection, clamscan: --detect-structured; additional fine-tuning options are available)
>
> - IPv6 Support: Freshclam now supports IPv6
>
> - Improved Scanning of Scripts: The normalization of scripts now covers JavaScript
>
> - Improved QA and Unit Testing: The improved QA process now includes API testing and new library of test files in various formats that are tested on a wide variety of systems (try running 'make check' in the source directory)
>
>For more details, please refer to
>http://www.clamav.net/press/0.94-WhatsNew.pdf
>and to the ChangeLog.
>
>You may need to run 'ldconfig' after installing this version.
>
>** This version drops the special support for Cygwin. Our QA process showed
>** serious problems with ClamAV builds under Cygwin due to some low-level
>** incompatibilities in the POSIX compatibility layer, resulting in unreliable
>** ClamAV behaviour.
>
>--
>The ClamAV team (http://www.clamav.net/team)
>
>--
>Luca Gibelli (luca _at_ clamav.net) ClamAV, a GPL anti-virus toolkit
>[Tel] +39 0187 1851862 [Fax] +39 0187 1852252 [IM] nervous/jabber.linux.it
>PGP key id 5EFC5582 @ any key-server || http://www.clamav.net/gpg/luca.gpg
>_______________________________________________
>http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-announce

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From rcooper at dwford.com Tue Sep 2 18:11:17 2008
From: rcooper at dwford.com (Rick Cooper)
Date: Tue Sep 2 18:11:47 2008
Subject: FYI ALL: Fwd: [Clamav-announce] announcing ClamAV 0.94
In-Reply-To: <200809021701.m82H1hBZ014534@mxt.1bigthink.com>
References: <200809021701.m82H1hBZ014534@mxt.1bigthink.com>
Message-ID: <341937BC5CED4B13BB5C15FEEFDA14BF@SAHOMELT>

Note:

If you happened to forget to remove PhishingRestrictedScan from your clamd.conf when the option was removed in 0.93.1(?), as I did, clamd will not start and it will emit no error (unless you run in foreground manually) or reason. Remove the PhishingRestrictedScan line from clamd.conf and everything will be fine.

Rick

From lists at openenterprise.ca Tue Sep 2 18:44:50 2008
From: lists at openenterprise.ca (Johnny Stork)
Date: Tue Sep 2 18:45:05 2008
Subject: MS YUM repository?
In-Reply-To: <48BC5881.8010604@vanderkooij.org>
References: <48BBEFC8.2060500@ecs.soton.ac.uk> <48BC5881.8010604@vanderkooij.org>
Message-ID: <48BD7B92.9090101@openenterprise.ca>

I am running MS on CentOS 5x and I seem to recall that someone set up a repo to simplify MS updates with YUM. Sorry if I missed where the details/repo is, but could someone please let me know the location of this repo and any additional info that might be needed to use it?

Thanks

Hugo van der Kooij wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Julian Field wrote:
>
>> Hi folks!
>>
>> I have just released a new stable version of MailScanner, version 4.71.
>>
>
> I managed to update the yum repository. Things did not break down for me
> so I hope they will not do so for you either.
>
> I have not yet added anything to help you update the configuration. I
> think I will need to sleep on that a bit more before I give it a shot.
>
> Hugo.
>
>
> - --
> hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
> PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc
>
> A: Yes.
> >Q: Are you sure?
> >>A: Because it reverses the logical flow of conversation.
> >>>Q: Why is top posting frowned upon?
>
> Bored? Click on http://spamornot.org/ and rate those images.
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (GNU/Linux)
>
> iD8DBQFIvFh/BvzDRVjxmYERAhcnAJ9Frg/gZwkjlCm8pLUyAu2vVzpWmACgoIks
> f3uWGmpkpGRcZ+/DwwmSx8I=
> =1PP5
> -----END PGP SIGNATURE-----
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080902/8fcd2913/attachment.html

From campbell at cnpapers.com Tue Sep 2 21:02:20 2008
From: campbell at cnpapers.com (Steve Campbell)
Date: Tue Sep 2 21:02:43 2008
Subject: CVD extraction failure
In-Reply-To: <223f97700809020856x72dbe9eao757a2d09b985788e@mail.gmail.com>
References: <48B81488.6030807@cnpapers.com> <223f97700808300110v4fe2b32fodecf06607fb01ec2@mail.gmail.com> <48BD49A4.3070607@cnpapers.com> <223f97700809020856x72dbe9eao757a2d09b985788e@mail.gmail.com>
Message-ID: <48BD9BCC.8050900@cnpapers.com>

Glenn Steen wrote:
>
> 2008/9/2 Steve Campbell
>
>     Glenn Steen wrote:
>
>         2008/8/29 Steve Campbell
>
>             I hate to ask a question about old version stuff, but we're in the
>             middle of some changes here that just do not let me get around to
>             updating MS. I'm running 4.58.9.
>
>             I started updating the world of Clam/SA and got stopped before I
>             could get to MS. I now see "ERROR: CVD extraction failure"
>             messages in my log file. I'm assuming this has to do with new
>             ClamAV/ old MS and did my best to try and find where the message
>             is coming from. Couldn't find a clue in any of the update scripts,
>             etc.
>
>             Any help would be appreciated, and any explanation as to the
>             severity of the message would be gratefully appreciated also.
>
>             Thanks
>
>             Steve Campbell
>
>         Do you get the same from freshclam? The clamav-autoupdate
>         basically just run freshclam...
>         Perhaps you have multiple clamav installed (or "leftovers"
>         from more than one)? Check your virus.scanners.conf for the
>         relevant one you are using:). As always, one install of the
>         latest stable is best.
>         The error itself is ... pretty severe, I'd think, since you
>         will lack proper updates until fixed.
>
>         Cheers
>         --
>
>     Thanks Glenn,
>
>     I checked freshclam, ran it manually, and found that the log file
>     wasn't created. I touched the file, re-modded it to 777, and ran
>     freshclam, and all was well. But I am still getting the CVD
>     errors. I had checked the update-wrapper and autoupdate scripts
>     before inquiring and saw nothing that looked wrong. For all I
>     know, this may not even be Clam, now that I think about it, as the
>     error log entry just says MailScanner, so it could be Bitdefender
>     instead. I removed bitdefender and reloaded MS, but still am
>     seeing the error, so I believe it is Clam related.
>
>     Thanks.
>
>     Steve
>
> Do you run clamavmodule? Then I'd guess at a Mail::Clamav/libclamav
> mismatch... What version of clamav did you move to?
>
> Cheers
> --
> -- Glenn
>
Nope, I run ClamAV. I upgraded to the last 0.93 before they announced the 0.94 version. I used Julian's install.sh. When I run freshclam -v it indicates I have the latest main.cvd and daily.cld according to the ClamAV website. I'll look around their website (don't know why I didn't do that first) and see if they have a FAQ or something.

Thanks again.

steve

Steve

From allan at zandahar.net Wed Sep 3 03:32:39 2008
From: allan at zandahar.net (Allan Spencer)
Date: Wed Sep 3 03:33:14 2008
Subject: MSRBL-Spam issues
Message-ID: <48BDF747.10802@zandahar.net>

This morning around 7am I was met with a looping MS Server so after doing a --debug --lint found the following

LibClamAV Error: cli_hex2str(): Malformed hexstring: 687474703A2F2F7777772E77656262616E6E6572736F6E6C696E652E636F6 (length: 61)
LibClamAV Error: Problem parsing database at line 2746
LibClamAV Error: Can't load /usr/local/share/clamav/MSRBL-SPAM.ndb: Malformed database
ClamAV Module ERROR:: Could not load databases from /usr/local/share/clamav at /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 548

Deleted the file and tried a manual reupdate but still does the same thing so deleted it for now and disabled cronjob. Just wondering if anyone else has seen this?

2 days ago upgraded to 4.71.10 but other than that nothing changed, Centos 4.6 SA & Clam package off the MS site and no yum updates

Any suggestions or assistance

Thanks
Allan

From allan at zandahar.net Wed Sep 3 03:47:16 2008
From: allan at zandahar.net (Allan Spencer)
Date: Wed Sep 3 03:47:38 2008
Subject: MSRBL-Spam issues
In-Reply-To: <48BDF747.10802@zandahar.net>
References: <48BDF747.10802@zandahar.net>
Message-ID: <48BDFAB4.1040300@zandahar.net>

Not a biggie but realised I had an older version of the script which now checks if the db's are corrupt or not so that should help it from happening again

But still the same issue and also tested on a client's server, they're seeing a corrupt db as well

Allan

Allan Spencer wrote:
> This morning around 7am I was met with a looping MS Server so after
> doing a --debug --lint found the following
>
> LibClamAV Error: cli_hex2str(): Malformed hexstring:
> 687474703A2F2F7777772E77656262616E6E6572736F6E6C696E652E636F6 (length:
> 61)
> LibClamAV Error: Problem parsing database at line 2746
> LibClamAV Error: Can't load /usr/local/share/clamav/MSRBL-SPAM.ndb:
> Malformed database
> ClamAV Module ERROR:: Could not load databases from
> /usr/local/share/clamav at
> /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 548
>
> Deleted the file and tried a manual reupdate but still does the same
> thing so deleted it for now and disabled cronjob. Just wondering if
> anyone else has seen this?
>
> 2 days ago upgraded to 4.71.10 but other than that nothing changed,
> Centos 4.6 SA & Clam package off the MS site and no yum updates
>
> Any suggestions or assistance
>
> Thanks
> Allan
>

From email at ace.net.au Wed Sep 3 06:20:58 2008
From: email at ace.net.au (Peter Nitschke)
Date: Wed Sep 3 06:21:56 2008
Subject: Registry Files
Message-ID: <200809031450580881.20997929@web.ace.net.au>

Hi,

Running MS 4.7.1

I just had a text file get blocked.

"No Windows Registry files allowed (msg-1839-199.txt)"

I checked, and it is just a text file.

Any reason it got picked as a registry file?

Cheers,

Peter

From email at ace.net.au Wed Sep 3 06:23:32 2008
From: email at ace.net.au (Peter Nitschke)
Date: Wed Sep 3 06:24:05 2008
Subject: Blackberry
Message-ID: <200809031453320272.209BD058@web.ace.net.au>

Hi,

Running MS 4.7.1

Just started getting Blackberry dat files getting blocked.

"No programs allowed (ETP.DAT)"

I have a few users with Blackberry's and it hasn't been a problem before that I know of.

Could it be related to the upgrade?

Cheers,

Peter

From hvdkooij at vanderkooij.org Wed Sep 3 06:28:45 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Wed Sep 3 06:28:53 2008
Subject: Registry Files
In-Reply-To: <200809031450580881.20997929@web.ace.net.au>
References: <200809031450580881.20997929@web.ace.net.au>
Message-ID: <48BE208D.5080401@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Peter Nitschke wrote:

> Running MS 4.7.1
>
> I just had a text file get blocked.
>
> "No Windows Registry files allowed (msg-1839-199.txt)"
>
> I checked, and it is just a text file.
>
> Any reason it got picked as a registry file?

What does the file utility tell you if you check things manually?

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

 A: Yes.
 >Q: Are you sure?
 >>A: Because it reverses the logical flow of conversation.
 >>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFIviCLBvzDRVjxmYERAjGPAJ9YURJKqG2QnQMQYaroYvOATz3WfQCeOxD/
P9FrK61CiQoQ/zQqdOPw5tY=
=CosV
-----END PGP SIGNATURE-----

From hvdkooij at vanderkooij.org Wed Sep 3 06:46:29 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Wed Sep 3 06:46:38 2008
Subject: Blackberry
In-Reply-To: <200809031453320272.209BD058@web.ace.net.au>
References: <200809031453320272.209BD058@web.ace.net.au>
Message-ID: <48BE24B5.1090203@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Peter Nitschke wrote:
> Hi,
>
> Running MS 4.7.1
>
> Just started getting Blackberry dat files getting blocked.
>
> "No programs allowed (ETP.DAT)"
>
> I have a few users with Blackberry's and it hasn't been a problem before
> that I know of.
>
> Could it be related to the upgrade?

Again: What does the file utility tell you?

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

 A: Yes.
 >Q: Are you sure?
 >>A: Because it reverses the logical flow of conversation.
 >>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFIviS0BvzDRVjxmYERAk8nAKCtA2d+JBm7+olJEgY2EsCcbGvH8QCgtFlR
VMCREQjdidLGosCYMdSIvhc=
=2c60
-----END PGP SIGNATURE-----

From email at ace.net.au Wed Sep 3 08:12:07 2008
From: email at ace.net.au (Peter Nitschke)
Date: Wed Sep 3 08:12:47 2008
Subject: Registry Files
In-Reply-To: <48BE208D.5080401@vanderkooij.org>
References: <200809031450580881.20997929@web.ace.net.au> <48BE208D.5080401@vanderkooij.org>
Message-ID: <200809031642070928.20FF3C20@web.ace.net.au>

File utility? I tried searching, but got nothing :-(

*********** REPLY SEPARATOR ***********

On 3/09/2008 at 7:28 AM Hugo van der Kooij wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Peter Nitschke wrote:
>
>> Running MS 4.7.1
>>
>> I just had a text file get blocked.
>>
>> "No Windows Registry files allowed (msg-1839-199.txt)"
>>
>> I checked, and it is just a text file.
>>
>> Any reason it got picked as a registry file?
>
>What does the file utility tell you if you check things manually?
>
>Hugo.
>
>- --
>hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
>PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc
>
> A: Yes.
> >Q: Are you sure?
> >>A: Because it reverses the logical flow of conversation.
> >>>Q: Why is top posting frowned upon?
>
>Bored? Click on http://spamornot.org/ and rate those images.
>
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.4.7 (GNU/Linux)
>
>iD8DBQFIviCLBvzDRVjxmYERAjGPAJ9YURJKqG2QnQMQYaroYvOATz3WfQCeOxD/
>P9FrK61CiQoQ/zQqdOPw5tY=
>=CosV
>-----END PGP SIGNATURE-----
>--
>MailScanner mailing list
>mailscanner@lists.mailscanner.info
>http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>Before posting, read http://wiki.mailscanner.info/posting
>
>Support MailScanner development - buy the book off the website!

From glenn.steen at gmail.com Wed Sep 3 08:18:13 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Sep 3 08:18:22 2008
Subject: Blackberry
In-Reply-To: <200809031453320272.209BD058@web.ace.net.au>
References: <200809031453320272.209BD058@web.ace.net.au>
Message-ID: <223f97700809030018r255150b5hd3e691b18797a124@mail.gmail.com>

2008/9/3 Peter Nitschke
>
> Hi,
>
> Running MS 4.7.1
>
> Just started getting Blackberry dat files getting blocked.
>
> "No programs allowed (ETP.DAT)"
>
> I have a few users with Blackberry's and it hasn't been a problem before
> that I know of.
>
> Could it be related to the upgrade?

No. The ETP.DAT file is an "abomination of sorts", containing the encrypted user activation data (for your BES server to pick up "automagically" from the user's mailbox). In the message you also have the ascii armoured binary snippet, so why they insist on doing it this way is beyond me... Anyway... It can randomly hit any filetype rule. That you haven't seen any such before just means you've been lucky.

Make an exception rule for *.blackberry.net, or live with it;-). If you decide to use the former strategy, look at the "overloading" example in the wiki ...
http://wiki.mailscanner.info/doku.php?id=documentation:configuration:rulesets:overloading

> Cheers,
>
> Peter
>

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Wed Sep 3 08:25:41 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Sep 3 08:25:50 2008
Subject: Registry Files
In-Reply-To: <200809031642070928.20FF3C20@web.ace.net.au>
References: <200809031450580881.20997929@web.ace.net.au> <48BE208D.5080401@vanderkooij.org> <200809031642070928.20FF3C20@web.ace.net.au>
Message-ID: <223f97700809030025y65946af3u27bd0d3cce677e53@mail.gmail.com>

2008/9/3 Peter Nitschke:
> File utility? I tried searching, but got nothing :-(
>
The message got quarantined, right? Then you can run
file /path/to/quarantine/on/to/the/attachment/that/bothered/file
... That way you'll see what exactly it is on about.

BTW... "Registry files" are one of two things... The data files consisting the registry or ... plain text files with the normal windowsy look... My guess would be that the file command's magic for a windoze reg-text-file is pretty opportunistic... and triggers on something simple.
How to amend that? Either munge your magics or pester the file command maintainer:-):-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From ajcartmell at fonant.com Wed Sep 3 09:51:38 2008
From: ajcartmell at fonant.com (Anthony Cartmell)
Date: Wed Sep 3 09:51:32 2008
Subject: MSRBL-Spam issues
In-Reply-To: <48BDFAB4.1040300@zandahar.net>
References: <48BDF747.10802@zandahar.net> <48BDFAB4.1040300@zandahar.net>
Message-ID:

> Not a biggie but realised I had an older version of the script which now
> checks if the db's are corrupt or not so that should help it from
> happening again

I had this in the logs last night too. The error comes when the newly downloaded database file is checked in the /tmp tree. Looks like my actual MSRBL-SPAM.ndb was last successfully updated on 14 Jul 2008, according to the file date.

Anyway, I've just run /etc/cron.daily/update_sanesecurity_sigs manually and it has successfully updated MSRBL-SPAM.ndb.

Anthony
--
www.fonant.com - Quality web sites

From ajcartmell at fonant.com Wed Sep 3 10:54:35 2008
From: ajcartmell at fonant.com (Anthony Cartmell)
Date: Wed Sep 3 10:54:22 2008
Subject: Fwd: MSRBL-Spam issues
In-Reply-To: <15503.88.97.0.153.1220433701.squirrel@saturn.dataflame.net>
References: <15503.88.97.0.153.1220433701.squirrel@saturn.dataflame.net>
Message-ID:

Steve of Sanesecurity has asked me to post this:

------- Forwarded message -------
This was posted on the MSRBL mailing list:

> This should be resolved now (please fetch the latest signature files).
> We put in place checks to prevent this from happening previously but it
> seems someone bypassed those checks by running an old script to publish
> the
> changes, this has now been removed and extra warnings will be put in
> place.

The Sanesecurity download scripts use MSRBL and other Third-Party sigs, more information here:
http://www.sanesecurity.co.uk/clamav/feedback.htm

Cheers,
Steve
Sanesecurity
------

So it was a temporary problem at MSRBL which has been fixed (nothing to do with Sanesecurity).

Cheers!

Anthony
--
www.fonant.com - Quality web sites

From mailadmin at midland-ics.ie Wed Sep 3 11:02:29 2008
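The failure in this thread was a hex signature truncated to an odd 61 characters, which made libclamav reject the whole database directory. The following Python check is an added example, not the MSRBL or Sanesecurity update script and not MailScanner code: it validates every line of a downloaded .ndb file and replaces the live copy only when all lines parse. The function names and sample lines are constructed, and the grammar is an assumption that covers only literal bytes, `?` nibble wildcards, `*`, `{n}`-style jumps and `(aa|bb)` alternatives.

```python
import os
import re

# Assumed subset of the .ndb body-signature grammar; anything else is rejected.
_BYTE = r"[0-9A-Fa-f?]{2}"                  # one byte; '?' wildcards a nibble
_TOKEN = re.compile("|".join([
    _BYTE,
    r"\*",                                  # any number of bytes
    r"\{(?:\d+-\d+|\d+-|-\d+|\d+)\}",       # jump: {n} {n-} {-n} {n-m}
    r"!?\((?:%s)+(?:\|(?:%s)+)*\)" % (_BYTE, _BYTE),   # (aa|bb) alternatives
]))


def check_hexsig(sig):
    """Return None when sig tokenizes cleanly, else describe the first fault."""
    if not sig:
        return "empty signature"
    pos = 0
    while pos < len(sig):
        match = _TOKEN.match(sig, pos)
        if match is None:
            if re.match(r"[0-9A-Fa-f?]", sig[pos]):
                return ("dangling half-byte at offset %d "
                        "(odd number of hex digits)" % pos)
            return "unexpected %r at offset %d" % (sig[pos], pos)
        pos = match.end()
    return None


def check_ndb_line(line):
    """Validate Name:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]."""
    fields = line.split(":")
    if not 4 <= len(fields) <= 6:
        return "expected 4 to 6 colon-separated fields, got %d" % len(fields)
    name, target, offset, sig = fields[:4]
    if not name:
        return "empty signature name"
    if not target.isdigit():
        return "target type %r is not a number" % target
    if not offset:
        return "empty offset"
    for level in fields[4:]:
        if level and not level.isdigit():
            return "functionality level %r is not a number" % level
    return check_hexsig(sig)


def validate_ndb(text):
    """Return a list of (line number, problem) for every bad line in text."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line:
            continue
        error = check_ndb_line(line)
        if error:
            problems.append((lineno, error))
    return problems


def install_if_valid(candidate_path, live_path):
    """Swap the candidate into place only if it validates.

    On failure the live database is left untouched, so the scanner keeps
    running on the last good copy. os.replace is atomic when both paths
    are on the same filesystem.
    """
    with open(candidate_path, encoding="latin-1") as handle:
        problems = validate_ndb(handle.read())
    if problems:
        return problems
    os.replace(candidate_path, live_path)
    return []


# Constructed sample database. Line 1 is well formed; line 2 carries the
# truncated hex string quoted in the thread's libclamav error.
TRUNCATED_FROM_THREAD = (
    "687474703A2F2F7777772E77656262616E6E6572736F6E6C696E652E636F6")
GOOD_SIG = (b"http://".hex() + "{1-32}" + b".invalid".hex()
            + "(2f|3f)" + b"id=".hex())
SAMPLE_NDB = "\n".join([
    "Constructed.Spam.Good-1:4:*:" + GOOD_SIG,
    "Constructed.Spam.Truncated-2:4:*:" + TRUNCATED_FROM_THREAD,
]) + "\n"

if __name__ == "__main__":
    for lineno, error in validate_ndb(SAMPLE_NDB):
        print("line %d: %s" % (lineno, error))
```

A pass here only means the syntax is plausible; loading the candidate file with clamscan -d against a known test file remains the authoritative check.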
From: mailadmin at midland-ics.ie (Mail Admin)
Date: Wed Sep 3 11:02:53 2008
Subject: MailScanner: Found dangerous Object Codebase/Data tag in HTML message
Message-ID: <006401c90dac$2d650160$882f0420$@ie>

Dear All

One of my clients based in HongKong is getting valid email blocked with the

Report = MailScanner: Found dangerous Object Codebase/Data tag in HTML message

I have tried to release it but it still gets blocked.

On the Mailwatch view of the html I see

< HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
@font-face { font-family: Calibri; }
@font-face { font-family: Tahoma; }
@font-face { font-family: ????; }
@page Section1 {size: 612.0pt 792.0pt; margin: 72.0pt 72.0pt 72.0pt 72.0pt; }
P.MsoNormal { FONT-SIZE: 11pt; MARGIN: 0cm 0cm 0pt; FONT-FAMILY: "Calibri","sans-serif" }
LI.MsoNormal { FONT-SIZE: 11pt; MARGIN: 0cm 0cm 0pt; FONT-FAMILY: "Calibri","sans-serif" }
DIV.MsoNormal { FONT-SIZE: 11pt; MARGIN: 0cm 0cm 0pt; FONT-FAMILY: "Calibri","sans-serif" }
A:link { COLOR: blue; TEXT-DECORATION: underline; mso-style-priority: 99 }
SPAN.MsoHyperlink { COLOR: blue; TEXT-DECORATION: underline; mso-style-priority: 99 }
A:visited { COLOR: purple; TEXT-DECORATION: underline; mso-style-priority: 99 }
SPAN.MsoHyperlinkFollowed { COLOR: purple; TEXT-DECORATION: underline; mso-style-priority: 99 }
P { FONT-SIZE: 12pt; MARGIN-LEFT: 0cm; MARGIN-RIGHT: 0cm; FONT-FAMILY: "Times New Roman","serif"; mso-style-priority: 99; mso-margin-top-alt: auto; mso-margin-bottom-alt: auto }
P.MsoListParagraph { FONT-SIZE: 11pt; MARGIN: 0cm 0cm 0pt 36pt; FONT-FAMILY: "Calibri","sans-serif"; mso-style-priority: 34 }
LI.MsoListParagraph { FONT-SIZE: 11pt; MARGIN: 0cm 0cm 0pt 36pt; FONT-FAMILY: "Calibri","sans-serif"; mso-style-priority: 34 }
DIV.MsoListParagraph { FONT-SIZE: 11pt; MARGIN: 0cm 0cm 0pt 36pt; FONT-FAMILY: "Calibri","sans-serif"; mso-style-priority: 34 }
SPAN.EmailStyle18 { COLOR: windowtext; FONT-FAMILY: "Calibri","sans-serif"; mso-style-type: personal }
SPAN.EmailStyle20 { COLOR: #1f497d; FONT-FAMILY: "Calibri","sans-serif"; mso-style-type: personal-reply }
.MsoChpDefault { FONT-SIZE: 10pt; mso-style-type: export-only }
DIV.Section1 { page: Section1 }

How can I allow this message through?

I tried whitelisting email address but still no joy.

Thanks

This e-mail is intended solely for the addressee(s) and is strictly confidential. The unauthorised use, disclosure or copying of this e-mail, or any information it contains is prohibited. If you have received this e-mail in error, please notify us immediately and then permanently delete it. Although Midland Internet & Computer Solutions make every effort to keep our systems free from viruses you should check this e-mail and any attachments to it for viruses as we cannot accept any liability for viruses inadvertently transmitted by use.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080903/b97099ec/attachment.html

From asakawa at quickd.net Wed Sep 3 11:52:31 2008
From: asakawa at quickd.net (asakawa@quickd.net)
Date: Wed Sep 3 11:53:14 2008
Subject: clamav-0.94-1.el4 Error
Message-ID:

Hi all

clamav-0.94-1.el4 Error

clamav have no test reports

Virus and Content Scanning: Starting
/1/eicar.com Found: EICAR test file NOT a virus.
Virus Scanning: McAfee found 1 infections
ALERT: [Eicar-Test-Signature] ./1/eicar.com <<< Contains code of the Eicar-Test-Signature virus
Virus Scanning: AntiVir found 1 infections
/usr/bin/clamscan: unrecognized option `--unzip'
ERROR: Unknown option passed.
ERROR: Can't parse the command line
/usr/bin/clamscan: unrecognized option `--unrar=/usr/bin/unrar'
ERROR: Unknown option passed.
ERROR: Can't parse the command line
Virus Scanning: ClamAV found 1 infections
1.message=>[Subject: Virus Scanner Test Message]=>eicar.com:infected: EICAR-Test-File (not a virus)
1/eicar.com:infected: EICAR-Test-File (not a virus)
Virus Scanning: Bitdefender found 2 infections
Virus Scanner test reports:
McAfee said "/1/eicar.com Found: EICAR test file NOT a virus."
AntiVir said "ALERT: [Eicar-Test-Signature] ./1/eicar.com <<< Contains code of the Eicar-Test-Signature virus"
Bitdefender said "Found virus EICAR-Test-File (not a virus) in file eicar.com"

Best regards,
Takashi Asakawa

From ard at pergamentum.com Wed Sep 3 11:54:00 2008
From: ard at pergamentum.com (Alisdair Davey)
Date: Wed Sep 3 11:54:51 2008
Subject: Registry Files
In-Reply-To: <223f97700809030025y65946af3u27bd0d3cce677e53@mail.gmail.com>
References: <200809031450580881.20997929@web.ace.net.au> <48BE208D.5080401@vanderkooij.org> <200809031642070928.20FF3C20@web.ace.net.au> <223f97700809030025y65946af3u27bd0d3cce677e53@mail.gmail.com>
Message-ID: <1220439240.20413.5.camel@localhost>

On Wed, 2008-09-03 at 09:25 +0200, Glenn Steen wrote:
> 2008/9/3 Peter Nitschke:
> > File utility? I tried searching, but got nothing :-(
> >
> The message got quarantined, right? Then you can run
> file /path/to/quarantine/on/to/the/attachment/that/bothered/file
> ... That way you'll see what exactly it is on about.
>
> BTW... "Registry files" are one of two things... The data files
> consisting the registry or ... plain text files with the normal
> windowsy look... My guess would be that the file command's magic for a
> windoze reg-text-file is pretty opportunistic... and triggers on
> something simple.
> How to amend that? Either munge your magics or pester the file command
> maintainer:-):-).

In a similar vein I quite often see ordinary text files being detected as quicktime movies because they match the file command magic for a quicktime file exactly as Glenn suggests. It is however infrequent enough that I just use one of the fine programs out there to release the message when it does occur...

Cheers

Alisdair

--
Alisdair Davey          Pergamentum Solutions
ard@pergamentum.com     4 Fellswood Circle
www.pergamentum.com     Medford, MA 02155

From alex at rtpty.com Wed Sep 3 12:04:01 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Wed Sep 3 12:04:14 2008
Subject: MailScanner: Found dangerous Object Codebase/Data tag in HTML message
In-Reply-To: <006401c90dac$2d650160$882f0420$@ie>
References: <006401c90dac$2d650160$882f0420$@ie>
Message-ID: <9E0DD65A-EFA0-4BA9-994E-670D2AE595C7@rtpty.com>

Whitelisting doesn't stop MailScanner from scanning for dangerous content. "Object Codebase" stuff is, arguably, dangerous stuff. Use a ruleset to avoid scanning that particular address for "object codebase" stuff.

On Sep 3, 2008, at 5:02 AM, Mail Admin wrote:
> I tried whitelisting email address but still no joy.
>

From agross at gcpsite.com Wed Sep 3 13:30:09 2008
From: agross at gcpsite.com (Adam Gross)
Date: Wed Sep 3 13:30:37 2008
Subject: Strangest Thing...
In-Reply-To: <200809031642070928.20FF3C20@web.ace.net.au>
References: <200809031450580881.20997929@web.ace.net.au><48BE208D.5080401@vanderkooij.org> <200809031642070928.20FF3C20@web.ace.net.au>
Message-ID: <826D5FDFCF76F6499D59755D401D6A86D891@gcpads01.gcpsite.local>

Today I come in to find my MailScanner boxes sitting at a steady 85% CPU but doing nothing. After taking a peek in syslog I quickly discovered that for some reason MailScanner couldn't write to my quarantine directory! With a quick chown (chown postfix:www-data /var/spool/MailScanner/quarantine on Ubuntu/Debian) I was instantly back in business and my queues flushed dry within a few minutes. I haven't logged into my MailScanner boxes in weeks and came in to find this today which I thought to be quite strange. I wanted to pass this along to the list just in case I'm not the only one coming in to this strangeness this morning.

-Adam

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
Processed by MS01.

From MailScanner at ecs.soton.ac.uk Wed Sep 3 14:14:51 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Sep 3 14:15:11 2008
Subject: FYI ALL: Fwd: [Clamav-announce] announcing ClamAV 0.94
In-Reply-To:
References: <200809021701.m82H1hBZ014534@mxt.1bigthink.com>
Message-ID: <48BE8DCB.1070603@ecs.soton.ac.uk>

My newly updated ClamAV+SpamAssassin package should do this for you.

Rick Cooper wrote:
> Note:
>
> If you happened to forget to remove PhishingRestrictedScan from your
> clamd.conf when the option was removed in 0.93.1(?), as I did, clamd will
> not start and it will emit no error (unless you run in foreground manually)
> or reason. Remove the PhishingRestrictedScan line from clamd.conf and
> everything will be fine.
>
> Rick
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

From glenn.steen at gmail.com Wed Sep 3 14:29:43 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Sep 3 14:29:54 2008
Subject: Strangest Thing...
In-Reply-To: <826D5FDFCF76F6499D59755D401D6A86D891@gcpads01.gcpsite.local>
References: <200809031450580881.20997929@web.ace.net.au>
 <48BE208D.5080401@vanderkooij.org>
 <200809031642070928.20FF3C20@web.ace.net.au>
 <826D5FDFCF76F6499D59755D401D6A86D891@gcpads01.gcpsite.local>
Message-ID: <223f97700809030629q549651fend859f8f224425ac4@mail.gmail.com>

2008/9/3 Adam Gross :
> Today I come in to find my MailScanner boxes sitting at a steady 85% CPU
> but doing nothing. After taking a peek in syslog I quickly discovered
> that for some reason MailScanner couldn't write to my quarantine
> directory! With a quick chown (chown postfix:www-data
> /var/spool/MailScanner/quarantine on Ubuntu/Debian) I was instantly back
> in business and my queues flushed dry within a few minutes. I haven't
> logged into my MailScanner boxes in weeks and came in to find this today
> which I thought to be quite strange. I wanted to pass this along to the
> list just in case I'm not the only one coming in to this strangeness
> this morning.
>
> -Adam
>
Sounds a bit like the "fun" one can get with a Mandriva system with a
high security setting... The msec scripts will then once/day/week/month
do some tests and ... revert your painstakingly set permissions. Sigh.
The trick is to either lower security settings or go into the msec setup
files and amend things... Could perhaps be something similar, in your
case?

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From m.anderlini at database.it Wed Sep 3 15:03:34 2008
From: m.anderlini at database.it (Marcello Anderlini)
Date: Wed Sep 3 15:03:51 2008
Subject: Italian spam
Message-ID: <2FA349F95CF3644FAFC92070E642EB6AD15339@beta.dbdomain.database.it>

Hello, we are now getting a lot of spam in the Italian language.
SpamAssassin seems not able to detect it; I tried to create some custom
rules without success.
I get email with subjects like this: "Nel mondo c'e troppo male bugia" or
"Tra gli esami bisogna non solo studiare pero`".

Could someone help me by suggesting something to block this kind of spam?

Thanks a lot.

Dr. Marcello Anderlini
m.anderlini@database.it
---------------------------------------------
Database Informatica S.r.l.
Microsoft Certified Partner
Tel. +39059775070
Fax. +39059779545
http://www.database.it
---------------------------------------------

--
Message checked by the Database Informatica antivirus service

From submit at zuka.net Wed Sep 3 15:44:10 2008
From: submit at zuka.net (Dave Filchak)
Date: Wed Sep 3 15:44:35 2008
Subject: Whitelisting
Message-ID: <48BEA2BA.7010609@zuka.net>

Folks ...

I have been trying to whitelist a particular newsletter that we send out
on behalf of a client of ours and have had no luck. It always comes back
with the following subject: [Lifeskills_News] {Spam?} September 2008
Update. Mailman is hosted on my secondary mail server so the original
post is sent to my main mail server and then is aliased over to my
secondary mail server and on to Mailman. My client, understandably, is
getting upset with seeing the {Spam} in the subject. The message is HTML
but is not getting tagged as spam by my main mail server, but rather, by
my secondary. I have the following rules in my rules file on the
secondary:

# This is where you can build a Spam WhiteList
# Addresses matching in here, with the value
# "yes" will never be marked as spam.
#From:      152.78.                                  yes
#From:      130.246.                                 yes
From:       127.0.0.1                                yes
From:       204.15.37.138                            yes
From:       199.243.151.38                           yes
From:       199.243.151.21                           yes
From:       gateway.zuka.net                         yes
From:       ywca_lifeskills@zuka.net                 yes
From:       dave.filchak@zuka.net                    yes
From:       ywca_lifeskills@ebony.zuka.net           yes
From:       ywca_lifeskills-bounces@ebony.zuka.net   yes
From:       ywca_lifeskills-bounces@zuka.net         yes
From:       zuka-test-list-bounces@ebony.zuka.net    yes
From:       zuka-test-list-bounces@zuka.net          yes
From:       zuka-test-list@zuka.net                  yes
From:       adcam-announce-bounces@canadacannes.com  yes
From:       adcam-announce-bounces*@canadacannes.com yes
From:       screenings@canadacannes.com              yes
To:         adcam-announce@ebony.zuka.net            yes
To:         adcam-announce@canadacannes.com          yes
From:       cassies-bounces@ebony.zuka.net           yes
From:       cassies@ebony.zuka.net                   yes
From:       ywca_lifeskills-announce@ebony.zuka.net  yes
FromOrTo:   default                                  no

and, here are the headers from the post marked as spam:

Return-Path:
X-Original-To: submit@zuka.net
Delivered-To: submit@zuka.net
Received: from ebony.zuka.net (ebony.zuka.net [206.223.180.162])
    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by rosewood.zuka.net (Postfix) with ESMTP id 01384470A94;
    Wed, 3 Sep 2008 09:45:18 -0400 (EDT)
X-Zuka-EB-MailScanner-Watermark: 1221051769.71856@Ued5x65pwLRORwVpfRoacw
Received: from ebony.zuka.net (localhost [127.0.0.1])
    by ebony.zuka.net (8.13.1/8.13.1) with ESMTP id m83CrpcE005374;
    Wed, 3 Sep 2008 09:01:47 -0400
X-Zuka-EB-MailScanner-Watermark: 1221051168.75288@3Ig5iVRkJ+lVuC0yg587qA
Received: from rosewood.zuka.net (ns2.zuka.net [66.207.212.58])
    by ebony.zuka.net (8.13.1/8.13.1) with ESMTP id m83CqiT1005355
    for ; Wed, 3 Sep 2008 08:52:46 -0400
Received: from Magnolia.local (lan.zuka.net [204.15.37.138])
    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    (No client certificate requested)
    (Authenticated sender: dave.filchak@zuka.net)
    by rosewood.zuka.net (Postfix) with ESMTP id DE679470A4B
    for ; Wed, 3 Sep 2008 08:51:28 -0400 (EDT)
Message-ID: <48BE8889.3070809@zuka.net>
Date: Wed, 03 Sep 2008 08:52:25 -0400
Organization: Zuka Inc.
User-Agent: Thunderbird 2.0.0.16 (Macintosh/20080707)
MIME-Version: 1.0
To: ywca_lifeskills@zuka.net
Content-Type: multipart/alternative;
    boundary="------------000101010301050402010204"
X-zuka.net-rw-MailScanner: Not scanned: please contact your Internet E-Mail
    Service Provider for details, Not scanned: please contact your Internet
    E-Mail Service Provider for details
X-zuka.net-rw-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin
    (not cached, score=3.581, required 5, ALL_TRUSTED -1.44,
    HEADER_SPAM 3.40, HTML_MESSAGE 0.00, HTML_TAG_BALANCE_BODY 0.81,
    SARE_HEAD_HDR_APPROV 0.82), not spam, SpamAssassin (not cached,
    score=0.808, required 5, HTML_MESSAGE 0.00, HTML_TAG_BALANCE_BODY 0.81)
X-Zuka-EB-MailScanner-Information: Please contact the ISP for more information
X-Zuka-MailScanner-ID: m83CqiT1005355
X-Zuka-EB-MailScanner: Found to be clean
X-Zuka-EB-MailScanner-SpamCheck: spam, SpamAssassin (not cached,
    score=7.575, required 5, BAYES_50 0.00, HEADER_SPAM 3.40,
    HTML_MESSAGE 0.00, INLINE_IMAGE 2.00, SARE_GIF_ATTACH 1.42,
    SARE_HEAD_HDR_APPROV 0.17, SARE_UNI 0.59)
X-Zuka-EB-MailScanner-SpamScore: sssssss
X-Zuka-EB-MailScanner-From: dave.filchak@zuka.net
From: "YWCA Lifeskills: Training, Coaching, Publications"
Subject: [Lifeskills_News] {Spam?} September 2008 Update
X-BeenThere: ywca_lifeskills@zuka.net
X-Mailman-Version: 2.1.6
Precedence: list
Reply-To: lifeskills@ywcatoronto.org
List-Id: "YWCA Lifeskills: Training, Coaching, Publications"
List-Unsubscribe: ,
List-Archive:
List-Help:
List-Subscribe: ,
Sender: ywca_lifeskills-bounces@zuka.net
Errors-To: ywca_lifeskills-bounces@zuka.net
X-zuka.net-rw-MailScanner-Information: Please contact the ISP for more information
X-RWMailScanner-From: ywca_lifeskills-bounces@zuka.net

The domain in question is ywcatoronto.org. It should be noted that I
have set up the mail server zuka-test-list and send the same post to
that and it does not get tagged as spam ... yet, when sending the post
to the actual list, it does. I have the same rules for this test mail
list as I do for the real list. Also note, that when I send this same
email post to the test list, not only do the headers show the poster as
being whitelisted on the main mail server, but also on the secondary.
Not so when I send the post to the real list.

I am sure I am missing something obvious. Any help will be much
appreciated.

Regards,

Dave

From hvdkooij at vanderkooij.org Wed Sep 3 18:46:32 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Wed Sep 3 18:46:49 2008
Subject: Italian spam
In-Reply-To: <2FA349F95CF3644FAFC92070E642EB6AD15339@beta.dbdomain.database.it>
References: <2FA349F95CF3644FAFC92070E642EB6AD15339@beta.dbdomain.database.it>
Message-ID: <48BECD78.9030606@vanderkooij.org>

Marcello Anderlini wrote:
> Hello, we are now getting a lot of spam in the Italian language.
> SpamAssassin seems not able to detect it; I tried to create some custom
> rules without success.
> I get email with subjects like this: "Nel mondo c'e troppo male bugia" or
> "Tra gli esami bisogna non solo studiare pero`".
>
> Could someone help me by suggesting something to block this kind of spam?

Well, if you start feeding them to your Bayesian database it should learn
quickly.

I noticed more Dutch spam over a week ago with some customers. Well, not
actually Dutch. It was just English spam fed through some lame
translator program.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

From yashodhan.barve at gmail.com Thu Sep 4 00:34:27 2008
From: yashodhan.barve at gmail.com (Yashodhan Barve)
Date: Thu Sep 4 00:34:42 2008
Subject: need help..ClamAV 0.94 and MailScanner 4.69.9
In-Reply-To: <489AF542.3090608@ecs.soton.ac.uk>
References: <4899AC93.10501@trayerproducts.com>
 <4899B259.9010204@gmail.com>
 <4899C0F7.6070603@ecs.soton.ac.uk>
 <489AF542.3090608@ecs.soton.ac.uk>
Message-ID: <48BF1F03.9040501@gmail.com>

Hi All,

I am facing an issue with MailScanner 4.69.9 and ClamAV 0.94.

I am using ClamAV rpm's and when I update to 0.94,
MailScanner --lint gives the following errors

Virus and Content Scanning: Starting
/usr/bin/clamscan: unrecognized option `--unrar=/usr/bin/unrar'
ERROR: Unknown option passed.
ERROR: Can't parse the command line

I tried to comment out all the ExtraOptions from
/usr/lib/MailScanner/clamav-wrapper

but the error still persists and clamav won't scan any messages.

Is there a way to fix this without upgrading the MailScanner version?


regards,
yashodhan

From Kevin_Miller at ci.juneau.ak.us Thu Sep 4 01:14:01 2008
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Thu Sep 4 01:14:16 2008
Subject: MailScanner ANNOUNCE: 4.71 stable released
In-Reply-To: <48BBEFC8.2060500@ecs.soton.ac.uk>
References: <48BBEFC8.2060500@ecs.soton.ac.uk>
Message-ID:

Julian Field wrote:
> - Updated support for Esets and F-Secure virus scanners.
> - Thanks to F-Secure for donating me a set of server licences so I can
>   always be sure that I am supporting the latest versions of their
>   products. Much appreciated!

Like several others, my F-Secure 4.65 has gone to the great bit-bucket
in the sky. Time to upgrade. Did you install the F-Secure Linux
Security 7.01? Is that the package that the latest version of
MailScanner has support for? I've downloaded it but not yet installed
it.

Thanks...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907) 586-4500

From holger-lists at noefer.org Thu Sep 4 07:26:23 2008
From: holger-lists at noefer.org (Hoger Nöfer)
Date: Thu Sep 4 07:26:35 2008
Subject: need help..ClamAV 0.94 and MailScanner 4.69.9
In-Reply-To: <48BF1F03.9040501@gmail.com>
References: <4899AC93.10501@trayerproducts.com>
 <4899B259.9010204@gmail.com>
 <4899C0F7.6070603@ecs.soton.ac.uk>
 <489AF542.3090608@ecs.soton.ac.uk>
 <48BF1F03.9040501@gmail.com>
Message-ID: <48BF7F8F.6000606@noefer.org>

Yashodhan Barve wrote:
> Hi All,
>
> I am facing an issue with MailScanner 4.69.9 and ClamAV 0.94.
>
> I am using ClamAV rpm's and when I update to 0.94,
> MailScanner --lint gives the following errors
>
> Virus and Content Scanning: Starting
> /usr/bin/clamscan: unrecognized option `--unrar=/usr/bin/unrar'
> ERROR: Unknown option passed.
> ERROR: Can't parse the command line
>
> I tried to comment out all the ExtraOptions from
> /usr/lib/MailScanner/clamav-wrapper
>
> but the error still persists and clamav won't scan any messages.
>
> Is there a way to fix this without upgrading the MailScanner version?
>
>
> regards,
> yashodhan

Hi,

have a look at /opt/MailScanner/lib/MailScanner/SweepViruses.pm, I
comment out the following lines:

    if ($rarcmd && -x $rarcmd) {
        $Scanners{clamav}->{CommonOptions} .= " --unrar=$rarcmd";
        MailScanner::Log::InfoLog("ClamAV scanner using unrar command %s",
                                  $rarcmd);
    }


Best regards,
Holger

From ms-list at alexb.ch Thu Sep 4 07:51:29 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Thu Sep 4 07:51:51 2008
Subject: Mailscanner Version 4.71.10-1 / ClamAV 0.94 infection reporting.
Message-ID: <48BF8571.60000@alexb.ch>

Good day All,

Mailscanner Version 4.71.10-1 / ClamAV 0.94 using ClamD


MailScanner --lint:

Virus and Content Scanning: Starting
ClamAVModule::INFECTED:: Eicar-Test-Signature FOUND :: ./1/
ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Virus Scanning: Clamd found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
Filename Checks: (1 eicar.com)

Doesn't seem right/elegant to me.

It causes Mailwatch 1.x to report:

Clamd: message was infected: Trojan.Fakealert-532 FOUND
Clamd: Late.Night.rar was infected: Trojan.Fakealert-532


Can anybody reproduce running "MailScanner --lint"

Jules?

thanks

Alex

From martinh at solidstatelogic.com Thu Sep 4 08:43:34 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Thu Sep 4 08:43:46 2008
Subject: need help..ClamAV 0.94 and MailScanner 4.69.9
In-Reply-To: <48BF7F8F.6000606@noefer.org>
Message-ID: <5d4fa1c4f4f6fa4b93c243d604939843@solidstatelogic.com>

Or use clamd which is way faster..

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Hoger Nöfer
> Sent: 04 September 2008 07:26
> To: MailScanner discussion
> Subject: Re: need help..ClamAV 0.94 and MailScanner 4.69.9
>
> Yashodhan Barve wrote:
> > Hi All,
> >
> > I am facing an issue with MailScanner 4.69.9 and ClamAV 0.94.
> >
> > I am using ClamAV rpm's and when I update to 0.94, MailScanner --lint
> > gives the following errors
> >
> > Virus and Content Scanning: Starting
> > /usr/bin/clamscan: unrecognized option `--unrar=/usr/bin/unrar'
> > ERROR: Unknown option passed.
> > ERROR: Can't parse the command line
> >
> > I tried to comment out all the ExtraOptions from
> > /usr/lib/MailScanner/clamav-wrapper
> >
> > but the error still persists and clamav won't scan any messages.
> >
> > Is there a way to fix this without upgrading the MailScanner version?
> >
> >
> > regards,
> > yashodhan
>
> Hi,
>
> have a look at /opt/MailScanner/lib/MailScanner/SweepViruses.pm, I
> comment out the following lines:
>
>     if ($rarcmd && -x $rarcmd) {
>         $Scanners{clamav}->{CommonOptions} .= " --unrar=$rarcmd";
>         MailScanner::Log::InfoLog("ClamAV scanner using unrar command %s",
>                                   $rarcmd);
>     }
>
>
> Best regards,
> Holger

From MailScanner at ecs.soton.ac.uk Thu Sep 4 10:11:46 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Sep 4 10:12:10 2008
Subject: MailScanner ANNOUNCE: 4.71 stable released
In-Reply-To:
References: <48BBEFC8.2060500@ecs.soton.ac.uk>
Message-ID: <48BFA652.5020508@ecs.soton.ac.uk>

Kevin Miller wrote:
> Julian Field wrote:
>
>> - Updated support for Esets and F-Secure virus scanners.
>> - Thanks to F-Secure for donating me a set of server licences so I can
>>   always be sure that I am supporting the latest versions of their
>>   products. Much appreciated!
>>
>
> Like several others, my F-Secure 4.65 has gone to the great bit-bucket
> in the sky. Time to upgrade. Did you install the F-Secure Linux
> Security 7.01? Is that the package that the latest version of
> MailScanner has support for? I've downloaded it but not yet installed
> it.
>
I have provided support for 7.01. Install it with the
"--command-line-only" switch on the installer command-line in order to
get just the bits you want and not any of the whole irrelevant
management environment.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From MailScanner at ecs.soton.ac.uk Thu Sep 4 10:33:35 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Sep 4 10:34:04 2008
Subject: Mailscanner Version 4.71.10-1 / ClamAV 0.94 infection reporting.
In-Reply-To:
References:
Message-ID: <48BFAB6F.5090902@ecs.soton.ac.uk>

Alex Broens wrote:
> Good day All,
>
> Mailscanner Version 4.71.10-1 / ClamAV 0.94 using ClamD
>
>
> MailScanner --lint:
>
> Virus and Content Scanning: Starting
> ClamAVModule::INFECTED:: Eicar-Test-Signature FOUND :: ./1/
> ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
> Virus Scanning: Clamd found 2 infections
> Infected message 1 came from 10.1.1.1
> Virus Scanning: Found 2 viruses
> Filename Checks: (1 eicar.com)
>
> Doesn't seem right/elegant to me.
>
> It causes Mailwatch 1.x to report:
>
> Clamd: message was infected: Trojan.Fakealert-532 FOUND
> Clamd: Late.Night.rar was infected: Trojan.Fakealert-532
>
>
> Can anybody reproduce running "MailScanner --lint"
>
> Jules?
The "./1/" line is caused by "ClamAV Full Message Scan = yes".
I believe it is the correct output.
Can anyone contradict me?

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From ms-list at alexb.ch Thu Sep 4 11:26:56 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Thu Sep 4 11:27:07 2008
Subject: Mailscanner Version 4.71.10-1 / ClamAV 0.94 infection reporting.
In-Reply-To: <48BFAB6F.5090902@ecs.soton.ac.uk>
References: <48BFAB6F.5090902@ecs.soton.ac.uk>
Message-ID: <48BFB7F0.401@alexb.ch>

On 9/4/2008 11:33 AM, Julian Field wrote:
>
>
> Alex Broens wrote:
>> Good day All,
>>
>> Mailscanner Version 4.71.10-1 / ClamAV 0.94 using ClamD
>>
>>
>> MailScanner --lint:
>>
>> Virus and Content Scanning: Starting
>> ClamAVModule::INFECTED:: Eicar-Test-Signature FOUND :: ./1/
>> ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
>> Virus Scanning: Clamd found 2 infections
>> Infected message 1 came from 10.1.1.1
>> Virus Scanning: Found 2 viruses
>> Filename Checks: (1 eicar.com)
>>
>> Doesn't seem right/elegant to me.
>>
>> It causes Mailwatch 1.x to report:
>>
>> Clamd: message was infected: Trojan.Fakealert-532 FOUND
>> Clamd: Late.Night.rar was infected: Trojan.Fakealert-532
>>
>>
>> Can anybody reproduce running "MailScanner --lint"
>>
>> Jules?
> The "./1/" line is caused by "ClamAV Full Message Scan = yes".
> I believe it is the correct output.
> Can anyone contradict me?

If that would be the case, is the logging slightly borked?
imo, only the infected file is relevant.

Alex

From yashodhan.barve at gmail.com Thu Sep 4 13:28:35 2008
From: yashodhan.barve at gmail.com (Yashodhan Barve)
Date: Thu Sep 4 13:28:49 2008
Subject: need help..ClamAV 0.94 and MailScanner 4.69.9
In-Reply-To: <48BF7F8F.6000606@noefer.org>
References: <4899AC93.10501@trayerproducts.com>
 <4899B259.9010204@gmail.com>
 <4899C0F7.6070603@ecs.soton.ac.uk>
 <489AF542.3090608@ecs.soton.ac.uk>
 <48BF1F03.9040501@gmail.com>
 <48BF7F8F.6000606@noefer.org>
Message-ID: <48BFD473.6030001@gmail.com>

Hoger Nöfer wrote:
> Yashodhan Barve wrote:
>
> Hi,
>
> have a look at /opt/MailScanner/lib/MailScanner/SweepViruses.pm, I
> comment out the following lines:
>
>     if ($rarcmd && -x $rarcmd) {
>         $Scanners{clamav}->{CommonOptions} .= " --unrar=$rarcmd";
>         MailScanner::Log::InfoLog("ClamAV scanner using unrar command %s",
>                                   $rarcmd);
>     }
>
>
> Best regards,
> Holger

Thanks Holger. That worked.

Martin, I had tried to use clamd in 0.92 days but the daemon kept dying
and even monit could not restart it. So switched to clamscan, slower but
always works.

regards
yashodhan.

From MailScanner at ecs.soton.ac.uk Thu Sep 4 14:04:16 2008
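A pre-flight check for the failure in the "need help..ClamAV 0.94 and MailScanner 4.69.9" thread above, where one option the scanner no longer accepts (--unrar) stopped all scanning. This is an added example, not code from MailScanner or ClamAV; it assumes that `clamscan --help` lists every long option the binary accepts, and the help excerpts and function names are constructed for illustration.

```python
import re
import shutil
import subprocess

# Long options as they appear in help text, e.g. "--unrar[=FULLPATH]" -> "--unrar".
OPT_RE = re.compile(r"(?<![\w-])(--[a-z0-9][a-z0-9-]*)")

# Constructed help excerpts (not real clamscan output): an older build that
# still lists --unrar, and a 0.94-style build that no longer does. The option
# names come from the thread and the 0.94 announcement; descriptions are made up.
OLD_HELP = """\
    --help                -h     Print this help screen
    --unrar[=FULLPATH]           Enable support for .rar files
"""
NEW_HELP = """\
    --help                -h     Print this help screen
    --detect-structured          Detect structured data
    --heuristic-scan-precedence  Report heuristic matches first
    --exclude-pua=CAT            Skip PUA signatures of category CAT
    --include-pua=CAT            Load PUA signatures of category CAT
"""


def advertised_options(help_text):
    """Set of long option names that appear in the scanner's help output."""
    return set(OPT_RE.findall(help_text))


def split_options(wanted, help_text):
    """Split wanted options into (accepted, rejected), comparing by option name."""
    known = advertised_options(help_text)
    accepted, rejected = [], []
    for opt in wanted:
        name = opt.split("=", 1)[0]  # "--unrar=/usr/bin/unrar" -> "--unrar"
        (accepted if name in known else rejected).append(opt)
    return accepted, rejected


def preflight(wanted, help_text):
    """Decide which options to pass. Refuse to guess if the help text is unusable,
    so an unreadable help output is reported instead of silently dropping options."""
    if not help_text or "--help" not in advertised_options(help_text):
        raise ValueError("could not read an option list from the scanner help output")
    accepted, rejected = split_options(wanted, help_text)
    return {"pass": accepted, "drop": rejected}


def clamscan_help(binary="clamscan"):
    """Help text of the installed scanner, or None if it is not on PATH."""
    path = shutil.which(binary)
    if path is None:
        return None
    proc = subprocess.run([path, "--help"], capture_output=True,
                          text=True, timeout=30)
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    wanted = ["--unrar=/usr/bin/unrar"]
    # Fall back to the constructed 0.94-style excerpt when clamscan is absent.
    text = clamscan_help() or NEW_HELP
    result = preflight(wanted, text)
    for opt in result["drop"]:
        print("not accepted by this clamscan, leave it out:", opt)
    print("options to pass:", result["pass"])
```

Run against a real installation, the "drop" list names the options that would produce the "unrecognized option" error before MailScanner is restarted.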
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Sep 4 14:04:36 2008
Subject: Mailscanner Version 4.71.10-1 / ClamAV 0.94 infection reporting.
In-Reply-To:
References: <48BFAB6F.5090902@ecs.soton.ac.uk>
Message-ID: <48BFDCD0.3070801@ecs.soton.ac.uk>

Alex Broens wrote:
> On 9/4/2008 11:33 AM, Julian Field wrote:
>>
>>
>> Alex Broens wrote:
>>> Good day All,
>>>
>>> Mailscanner Version 4.71.10-1 / ClamAV 0.94 using ClamD
>>>
>>>
>>> MailScanner --lint:
>>>
>>> Virus and Content Scanning: Starting
>>> ClamAVModule::INFECTED:: Eicar-Test-Signature FOUND :: ./1/
>>> ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
>>> Virus Scanning: Clamd found 2 infections
>>> Infected message 1 came from 10.1.1.1
>>> Virus Scanning: Found 2 viruses
>>> Filename Checks: (1 eicar.com)
>>>
>>> Doesn't seem right/elegant to me.
>>>
>>> It causes Mailwatch 1.x to report:
>>>
>>> Clamd: message was infected: Trojan.Fakealert-532 FOUND
>>> Clamd: Late.Night.rar was infected: Trojan.Fakealert-532
>>>
>>>
>>> Can anybody reproduce running "MailScanner --lint"
>>>
>>> Jules?
>> The "./1/" line is caused by "ClamAV Full Message Scan = yes".
>> I believe it is the correct output.
>> Can anyone contradict me?
>
> If that would be the case, is the logging slightly borked?
> imo, only the infected file is relevant.
But everything that Mailwatch has reported is correct.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From ms-list at alexb.ch Thu Sep 4 14:24:03 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Thu Sep 4 14:24:17 2008
Subject: Mailscanner Version 4.71.10-1 / ClamAV 0.94 infection reporting.
In-Reply-To: <48BFDCD0.3070801@ecs.soton.ac.uk>
References: <48BFAB6F.5090902@ecs.soton.ac.uk>
 <48BFDCD0.3070801@ecs.soton.ac.uk>
Message-ID: <48BFE173.9030807@alexb.ch>

On 9/4/2008 3:04 PM, Julian Field wrote:
>
>
> Alex Broens wrote:
>> On 9/4/2008 11:33 AM, Julian Field wrote:
>>>
>>>
>>> Alex Broens wrote:
>>>> Good day All,
>>>>
>>>> Mailscanner Version 4.71.10-1 / ClamAV 0.94 using ClamD
>>>>
>>>>
>>>> MailScanner --lint:
>>>>
>>>> Virus and Content Scanning: Starting
>>>> ClamAVModule::INFECTED:: Eicar-Test-Signature FOUND :: ./1/
>>>> ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
>>>> Virus Scanning: Clamd found 2 infections
>>>> Infected message 1 came from 10.1.1.1
>>>> Virus Scanning: Found 2 viruses
>>>> Filename Checks: (1 eicar.com)
>>>>
>>>> Doesn't seem right/elegant to me.
>>>>
>>>> It causes Mailwatch 1.x to report:
>>>>
>>>> Clamd: message was infected: Trojan.Fakealert-532 FOUND
>>>> Clamd: Late.Night.rar was infected: Trojan.Fakealert-532
>>>>
>>>>
>>>> Can anybody reproduce running "MailScanner --lint"
>>>>
>>>> Jules?
>>> The "./1/" line is caused by "ClamAV Full Message Scan = yes".
>>> I believe it is the correct output.
>>> Can anyone contradict me?
>>
>> If that would be the case, is the logging slightly borked?
>> imo, only the infected file is relevant.
> But everything that Mailwatch has reported is correct.

Mailwatch is not the problem... it reports what MS spits at it.

"ClamAV Full Message Scan = yes" shouldn't affect it as it's still one
virus.

imo, MS is doing something unusual:

MS using clamd, NOT clamavmodule

1: logging as ClamAVModule
2: Reporting 2 lines when it would be expected to report 1

Virus and Content Scanning: Starting
ClamAVModule::INFECTED:: Eicar-Test-Signature FOUND :: ./1/
ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Virus Scanning: Clamd found 2 infections

the report above is pretty confusing, isn't it?

Alex

From jplorier at montecarlotv.com.uy Thu Sep 4 14:29:55 2008
From: jplorier at montecarlotv.com.uy (Juan Pablo Lorier)
Date: Thu Sep 4 14:32:16 2008
Subject: Mail passing through pretending to be whilisted
In-Reply-To: <200809041101.m84B0X5i008258@safir.blacknight.ie>
Message-ID:

Hi,

I've been seeing in the logs spam passing through MailScanner because it
"thinks" they are whitelisted.

Message m83LrUAs017322 from 78.111.64.126 (kavalchuk@mail.com) ignored
whitelist, had 29 recipients (>20) : 1 Time(s)

I've checked the whitelist to see if anything can match that domain
but I only have 3 entries and they differ a lot from that.
I have an outdated MailScanner server (4.65); maybe there's something
already detected and corrected about this, is there?
Thanks in advance


Ing. Juan Pablo Lorier
Monte Carlo TV SA
Montevideo, Uruguay
+(598)2 9244444

--
All the information contained in this email is confidential and must be
used only by its recipient.

From Denis.Beauchemin at USherbrooke.ca Thu Sep 4 14:36:43 2008
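For the two-line Clamd report discussed in the "Mailscanner Version 4.71.10-1 / ClamAV 0.94 infection reporting" thread above (one hit for the whole message at ./1/ and one for ./1/eicar.com), the following added example groups report lines per message and signature so both views can be read side by side. It is not MailScanner or MailWatch code; the two line formats are copied from the thread, while the function names and the `default_msg` parameter are made up for illustration.

```python
import re

# "ClamAVModule::INFECTED:: <signature>[ FOUND] :: ./<message>/[<file>]"
LINT_RE = re.compile(
    r"^ClamAVModule::INFECTED::\s*(?P<sig>.+?)(?:\s+FOUND)?\s*::\s*"
    r"\./(?P<msg>[^/]+)/(?P<part>.*)$"
)
# "Clamd: <file|message> was infected: <signature>[ FOUND]"
MAILWATCH_RE = re.compile(
    r"^Clamd:\s+(?P<part>.+?)\s+was infected:\s+(?P<sig>.+?)(?:\s+FOUND)?\s*$"
)

# Lines as quoted in the thread.
LINT_SAMPLE = [
    "Virus and Content Scanning: Starting",
    "ClamAVModule::INFECTED:: Eicar-Test-Signature FOUND :: ./1/",
    "ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com",
    "Virus Scanning: Clamd found 2 infections",
]
MAILWATCH_SAMPLE = [
    "Clamd: message was infected: Trojan.Fakealert-532 FOUND",
    "Clamd: Late.Night.rar was infected: Trojan.Fakealert-532",
]


def parse_hit(line, default_msg="-"):
    """Return (message_id, signature, part) or None for non-report lines.
    part is '' for a whole-message hit (ClamAV Full Message Scan = yes)."""
    line = line.strip()
    m = LINT_RE.match(line)
    if m:
        return m["msg"], m["sig"], m["part"]
    m = MAILWATCH_RE.match(line)
    if m:
        # The MailWatch form carries no message id; the caller supplies one.
        # An attachment literally named "message" would be misread here.
        part = "" if m["part"] == "message" else m["part"]
        return default_msg, m["sig"], part
    return None


def summarize(lines, default_msg="-"):
    """{message_id: {signature: {"parts": [...], "whole_message": bool}}}"""
    summary = {}
    for line in lines:
        hit = parse_hit(line, default_msg)
        if hit is None:
            continue
        msg, sig, part = hit
        entry = summary.setdefault(msg, {}).setdefault(
            sig, {"parts": [], "whole_message": False})
        if part == "":
            entry["whole_message"] = True
        elif part not in entry["parts"]:
            entry["parts"].append(part)
    return summary


def raw_count(lines):
    """Number of report lines, i.e. what 'Clamd found 2 infections' counts."""
    return sum(1 for line in lines if parse_hit(line) is not None)


def distinct_count(summary):
    """Number of distinct (message, signature) pairs."""
    return sum(len(sigs) for sigs in summary.values())


def report(summary):
    """One human-readable row per message and signature."""
    rows = []
    for msg, sigs in sorted(summary.items()):
        for sig, entry in sorted(sigs.items()):
            where = ", ".join(entry["parts"]) or "whole message only"
            rows.append(f"message {msg}: {sig} in {where}")
    return rows


if __name__ == "__main__":
    s = summarize(LINT_SAMPLE)
    print(raw_count(LINT_SAMPLE), "report lines,", distinct_count(s), "distinct")
    print("\n".join(report(s)))
```

A signature seen only on the whole-message pass, with no attachment hit, is kept and labelled "whole message only" rather than discarded.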
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Thu Sep 4 14:37:21 2008
Subject: Mail passing through pretending to be whilisted
In-Reply-To:
References:
Message-ID: <48BFE46B.8000404@USherbrooke.ca>

Juan Pablo Lorier wrote:
> Hi,
>
> I've been seeing in the logs spam passing through MailScanner because it
> "thinks" they are whitelisted.
>
> Message m83LrUAs017322 from 78.111.64.126 (kavalchuk@mail.com) ignored
> whitelist, had 29 recipients (>20) : 1 Time(s)
>

Juan Pablo,

That's not what it says! It says it IGNORED the white list because
there were too many recipients.

Denis

--
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From alex at rtpty.com Thu Sep 4 14:59:57 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Thu Sep 4 15:00:16 2008
Subject: Mail passing through pretending to be whilisted
In-Reply-To:
References:
Message-ID: <6FC3F89B-9D3D-4260-96CD-687B85D3FADE@rtpty.com>

You're probably not splitting recipients and whitelisting by domain. If
only one of the recipients is whitelisted it'll go through unless you
split them at the MTA.

Sent from my iPhone

On Sep 4, 2008, at 8:29 AM, "Juan Pablo Lorier" wrote:

> Hi,
>
> I've been seeing in the logs spam passing through MailScanner because it
> "thinks" they are whitelisted.
>
> Message m83LrUAs017322 from 78.111.64.126 (kavalchuk@mail.com) ignored
> whitelist, had 29 recipients (>20) : 1 Time(s)
>
> I've checked the whitelist to see if anything can match that domain
> but I only have 3 entries and they differ a lot from that.
> I have an outdated MailScanner server (4.65); maybe there's something
> already detected and corrected about this, is there?
> Thanks in advance
>
>
> Ing. Juan Pablo Lorier
> Monte Carlo TV SA
> Montevideo, Uruguay
> +(598)2 9244444
>
> --
> All the information contained in this email is confidential and must be
> used only by its recipient.

From alex at rtpty.com Thu Sep 4 15:00:40 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Thu Sep 4 15:00:58 2008
Subject: Mail passing through pretending to be whilisted
In-Reply-To: <48BFE46B.8000404@USherbrooke.ca>
References: <48BFE46B.8000404@USherbrooke.ca>
Message-ID:

Didn't see that part. In any case splitting would help.

Sent from my iPhone

On Sep 4, 2008, at 8:36 AM, Denis Beauchemin wrote:

> Juan Pablo Lorier wrote:
>> Hi,
>>
>> I've been seeing in the logs spam passing through MailScanner because
>> it "thinks" they are whitelisted.
>> Message m83LrUAs017322 from 78.111.64.126 (kavalchuk@mail.com)
>> ignored whitelist, had 29 recipients (>20) : 1 Time(s)
>>
>
> Juan Pablo,
>
> That's not what it says! It says it IGNORED the white list because
> there were too many recipients.
>
> Denis
>
> --
>    _
>   °v°   Denis Beauchemin, analyste
>  /(_)\  Université de Sherbrooke, S.T.I.
>   ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From mmcintosh at infowall.com Thu Sep 4 16:18:16 2008
From: mmcintosh at infowall.com (mark mcintosh)
Date: Thu Sep 4 16:19:07 2008
Subject: MailScanner Tweaking/Issues
In-Reply-To:
References: <48BFE46B.8000404@USherbrooke.ca>
Message-ID: <48BFFC38.80706@infowall.com>

Hello,

I have a fairly new install of MailScanner on a CentOS 5.2 x64 VPS with (mailwatch, postfixadmin, mailscanner-mrtg, postfix, maildrop, dcc, razor, pyzor).

The system is working and is blocking most of my spam, but I would like to tweak it and I have a few concerns listed below.

Why does the --lint test show that Pyzor is disabled?
(Pyzor also shows as not working in the MailScanner lint test -->> pyzor: check failed: internal error (listed below))
Why does it skip Razor?
Same for SpamCop?
The Net::Ident module, is it critical? Will forcing installation cause me to break anything else?
The last line in the MailScanner --lint, related to my mailwatch installation, only appears at times and I am still looking into it. Any ideas?

For clarity I have included the MailScanner -lint as well as the Spamassassin --lint.

Any help on these questions would be appreciated.

Mark McIntosh

dbg: pyzor: local tests only, disabling Pyzor
dbg: razor2: local tests only, skipping Razor
dbg: reporter: local tests only, disabling SpamCop
dbg: diag: module not installed: Net::Ident ('require' failed) ..............>> How important is this? As you can see, I am going to have to force it if I want it to install.

/Ident.....Net::Ident::_export_hooks() called too early to check prototype at /root/.cpan/build/Net-Ident-1.20/blib/lib/Net/Ident.pm line 29.
t/Ident.....FAILED tests 1-3
Failed 3/7 tests, 57.14% okay
Failed Test Stat Wstat Total Fail  Failed  List of Failed
-------------------------------------------------------------------------------
t/Ident.t                  7    3  42.86%  1-3
2 tests skipped.
Failed 1/4 test scripts, 75.00% okay. 3/8 subtests failed, 62.50% okay.
make: *** [test_dynamic] Error 255
/usr/bin/make test -- NOT OK
Running make install
make test had returned bad status, won't install without force

*MailScanner --lint*

Trying to setlogsock(unix)
Read 821 hostnames from the phishing whitelist
Read 2848 hostnames from the phishing blacklist
Config: calling custom init function SQLBlacklist
Starting up SQL Blacklist
Read 6 blacklist entries
Config: calling custom init function MailWatchLogging
Started SQL Logging child
Config: calling custom init function SQLWhitelist
Starting up SQL Whitelist
Read 1 whitelist entries
Checking version numbers...
Version number in MailScanner.conf (4.70.7) is correct.

Your envelope_sender_header in spam.assassin.prefs.conf is correct.
MailScanner setting GID to (89)
MailScanner setting UID to (89)

Checking for SpamAssassin errors (if you use it)...
SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp
SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
Using SpamAssassin results cache
Connected to SpamAssassin cache database
pyzor: check failed: internal error   -->> how can I test this
SpamAssassin reported no errors.
Using locktype = posix
MailScanner.conf says "Virus Scanners = clamd"
Found these virus scanners installed: clamd
===========================================================================
Virus and Content Scanning: Starting
ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
ClamAVModule::INFECTED:: Eicar-Test-Signature FOUND :: ./1/
Virus Scanning: Clamd found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
Filename Checks: (1 eicar.com)
Other Checks: Found 1 problems
===========================================================================
Virus Scanner test reports:
Clamd said "eicar.com was infected: Eicar-Test-Signature"

If any of your virus scanners (clamd) are not listed there, you should check that they are installed correctly and that MailScanner is finding them correctly via its virus.scanners.conf.
Config: calling custom end function SQLBlacklist
Closing down by-domain spam blacklist
Config: calling custom end function MailWatchLogging
Config: calling custom end function SQLWhitelist
Closing down by-domain spam whitelist
[root@demo tmp]# commit ineffective with AutoCommit enabled at /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93, line 887.
Commmit ineffective while AutoCommit is on at /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93, line 887.

*Spamassassin --lint*

ng facilities: all
0 [4482] dbg: logger: logging level is DBG
0.01582 [4482] dbg: generic: SpamAssassin version 3.2.5
0.00354 [4482] dbg: config: score set 0 chosen.
4E-05 [4482] dbg: util: running in taint mode?
merged duplicates: __XM_OL_4BF4C __XM_OL_4EEDB __XM_OL_5B79A __XM_OL_9B90B __XM_OL_ADFF7 __XM_OL_B30D1 __XM_OL_B4B40 __XM_OL_BC7E6 __XM_OL_F3B05 __XM_OL_FF5C8 0.00011 [4482] dbg: rules: __MO_OL_015D5 merged duplicates: __MO_OL_6554A 0.0001 [4482] dbg: rules: __MO_OL_25340 merged duplicates: __MO_OL_4EEDB __MO_OL_7533E 7E-05 [4482] dbg: rules: __MO_OL_58CB5 merged duplicates: __MO_OL_B4B40 5E-05 [4482] dbg: rules: __DOS_HAS_ANY_URI merged duplicates: __HAS_ANY_URI __SARE_URI_ANY 6E-05 [4482] dbg: rules: SARE_HTML_ALT_WAIT1 merged duplicates: SARE_HTML_ALT_WAIT2 SARE_HTML_A_NULL SARE_HTML_BADOPEN SARE_HTML_BAD_FG_CLR SARE_HTML_COLOR_NWHT3 SARE_HTML_FONT_INVIS2 SARE_HTML_FSIZE_1ALL SARE_HTML_GIF_DIM SARE_HTML_H2_CLK SARE_HTML_HTML_AFTER SARE_HTML_INV_TAGA SARE_HTML_JSCRIPT_ENC SARE_HTML_JVS_HREF SARE_HTML_MANY_BR10 SARE_HTML_NO_BODY SARE_HTML_NO_HTML1 SARE_HTML_P_JUSTIFY SARE_HTML_URI_2SLASH SARE_HTML_URI_AXEL SARE_HTML_URI_BADQRY SARE_HTML_URI_BUG SARE_HTML_URI_FORMPHP SARE_HTML_URI_HREF SARE_HTML_URI_MANYP2 SARE_HTML_URI_MANYP3 SARE_HTML_URI_NUMPHP3 SARE_HTML_URI_OBFU4 SARE_HTML_URI_OBFU4a SARE_HTML_URI_OPTPHP SARE_HTML_URI_REFID SARE_HTML_URI_RID SARE_HTML_URI_RM SARE_HTML_USL_MULT 0.00032 [4482] dbg: rules: VIRUS_WARNING107 merged duplicates: __VBOUNCE_AV_RESULTS 3E-05 [4482] dbg: rules: AXB_RCVD_ZOOBSEND merged duplicates: BROKEN_RATWARE_BOM CTYPE_001C_A DEAR_HOMEOWNER DIV_CENTER_A_HREF DRUG_RA_PRICE FM_DDDD_TIMES_2 FM_SEX_HOSTDDDD HG_HORMONE HS_PHARMA_1 HS_UPLOADED_SOFTWARE OEBOUND STOX_RCVD_N_NN_N URIBL_RHS_ABUSE URIBL_RHS_BOGUSMX URIBL_RHS_DSN URIBL_RHS_POST URIBL_RHS_TLD_WHOIS URIBL_RHS_WHOIS URIBL_XS_SURBL URI_L_PHP XMAILER_MIMEOLE_OL_5E7ED XMAILER_MIMEOLE_OL_C7C33 XMAILER_MIMEOLE_OL_D03AB X_LIBRARY YOUR_CRD_RATING 0.0002 [4482] dbg: rules: __MO_OL_F475E merged duplicates: __MO_OL_FF5C8 3E-05 [4482] dbg: conf: finish parsing 0.00272 [4482] dbg: plugin: Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0x2856330) implements 'finish_parsing_end', priority 0 0.03577 
[4482] dbg: replacetags: replacing tags 0.00019 [4482] dbg: replacetags: done replacing tags 0.02281 [4482] dbg: bayes: tie-ing to DB file R/O /var/spool/MailScanner/spamassassin/bayes_toks 0.10894 [4482] dbg: bayes: tie-ing to DB file R/O /var/spool/MailScanner/spamassassin/bayes_seen 0.00087 [4482] dbg: bayes: found bayes db version 3 0.00085 [4482] dbg: bayes: DB journal sync: last sync: 1220536512 0.00041 [4482] dbg: config: score set 2 chosen. 0.00039 [4482] dbg: message: main message type: text/plain 0.00045 [4482] dbg: message: ---- MIME PARSER START ---- 3E-05 [4482] dbg: message: parsing normal part 3E-05 [4482] dbg: message: ---- MIME PARSER END ---- 9E-05 [4482] dbg: plugin: Mail::SpamAssassin::Plugin::DNSEval=HASH(0x279f300) implements 'check_start', priority 0 0.00055 [4482] dbg: plugin: Mail::SpamAssassin::Plugin::Check=HASH(0x2798460) implements 'check_main', priority 0 0.00113 [4482] dbg: conf: trusted_networks are not configured; it is recommended that you configure trusted_networks manually 0.00013 [4482] dbg: metadata: X-Spam-Relays-Trusted: 0.00023 [4482] dbg: metadata: X-Spam-Relays-Untrusted: 3E-05 [4482] dbg: metadata: X-Spam-Relays-Internal: 3E-05 [4482] dbg: metadata: X-Spam-Relays-External: 3E-05 [4482] dbg: plugin: Mail::SpamAssassin::Plugin::RelayCountry=HASH(0x2767220) implements 'extract_metadata', priority 0 9E-05 [4482] dbg: metadata: X-Relay-Countries: 0.00022 [4482] dbg: message: no encoding detected 0.00023 [4482] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x25cd100) implements 'parsed_metadata', priority 0 0.0002 [4482] dbg: plugin: Mail::SpamAssassin::Plugin::RelayCountry=HASH(0x2767220) implements 'parsed_metadata', priority 0 6E-05 [4482] dbg: dns: is DNS available? 
0 0.00018 [4482] dbg: rules: local tests only, ignoring RBL eval 7E-05 [4482] dbg: check: running tests for priority: -1000 0.00107 [4482] dbg: rules: running head tests; score so far=0 0.00033 [4482] dbg: rules: compiled head tests 0.00049 [4482] dbg: eval: all '*From' addrs: ignore@compiling.spamassassin.taint.org 0.00139 [4482] dbg: eval: all '*To' addrs: 0.00055 [4482] dbg: rules: running body tests; score so far=0 0.0004 [4482] dbg: rules: compiled body tests 0.00026 [4482] dbg: rules: running uri tests; score so far=0 0.00011 [4482] dbg: rules: compiled uri tests 7E-05 [4482] dbg: rules: running rawbody tests; score so far=0 0.00013 [4482] dbg: rules: compiled rawbody tests 0.00014 [4482] dbg: rules: running full tests; score so far=0 0.00012 [4482] dbg: rules: compiled full tests 0.00016 [4482] dbg: rules: running meta tests; score so far=0 0.00015 [4482] dbg: rules: compiled meta tests 0.0002 [4482] dbg: check: running tests for priority: -950 0.00031 [4482] dbg: rules: running head tests; score so far=0 0.00011 [4482] dbg: rules: compiled head tests 0.00019 [4482] dbg: rules: running body tests; score so far=0 0.00054 [4482] dbg: rules: compiled body tests 0.00016 [4482] dbg: rules: running uri tests; score so far=0 0.00013 [4482] dbg: rules: compiled uri tests 0.00032 [4482] dbg: rules: running rawbody tests; score so far=0 4E-05 [4482] dbg: rules: compiled rawbody tests 6E-05 [4482] dbg: rules: running full tests; score so far=0 9E-05 [4482] dbg: rules: compiled full tests 0.00015 [4482] dbg: rules: running meta tests; score so far=0 0.00014 [4482] dbg: rules: compiled meta tests 0.00018 [4482] dbg: check: running tests for priority: -900 0.00012 [4482] dbg: rules: running head tests; score so far=0 0.0001 [4482] dbg: rules: compiled head tests 0.00016 [4482] dbg: rules: running body tests; score so far=0 0.0011 [4482] dbg: rules: compiled body tests 0.00016 [4482] dbg: rules: running uri tests; score so far=0 0.00011 [4482] dbg: rules: compiled uri 
tests 0.00013 [4482] dbg: rules: running rawbody tests; score so far=0 0.00013 [4482] dbg: rules: compiled rawbody tests 0.00014 [4482] dbg: rules: running full tests; score so far=0 0.00011 [4482] dbg: rules: compiled full tests 0.00017 [4482] dbg: rules: running meta tests; score so far=0 0.00015 [4482] dbg: rules: compiled meta tests 0.00019 [4482] dbg: check: running tests for priority: -400 0.00012 [4482] dbg: rules: running head tests; score so far=0 0.0001 [4482] dbg: rules: compiled head tests 0.00016 [4482] dbg: rules: running body tests; score so far=0 0.00013 [4482] dbg: rules: compiled body tests 0.00014 [4482] dbg: rules: running uri tests; score so far=0 0.00011 [4482] dbg: rules: compiled uri tests 0.00013 [4482] dbg: plugin: Mail::SpamAssassin::Plugin::WLBLEval=HASH(0x2a0cd20) implements 'check_wb_list', priority 0 0.00078 [4482] dbg: bayes: DB journal sync: last sync: 1220536512 0.00056 [4482] dbg: bayes: corpus size: nspam = 2289, nham = 444 0.00053 [4482] dbg: bayes: score = 0.000899556217436037 0.08655 [4482] dbg: bayes: DB expiry: tokens in DB: 117990, Expiry max size: 150000, Oldest atime: 1215437323, Newest atime: 1220538182, Last expire: 0, Current time: 1220538579 0.0007 [4482] dbg: bayes: DB journal sync: last sync: 1220536512 0.00027 [4482] dbg: bayes: untie-ing 0.00313 [4482] dbg: rules: running rawbody tests; score so far=0 0.00052 [4482] dbg: rules: compiled rawbody tests 0.00025 [4482] dbg: rules: running full tests; score so far=0 0.00013 [4482] dbg: rules: compiled full tests 0.00016 [4482] dbg: rules: running meta tests; score so far=0 0.00015 [4482] dbg: rules: compiled meta tests 0.00018 [4482] dbg: check: running tests for priority: 0 0.00012 [4482] dbg: rules: running head tests; score so far=0 0.00012 [4482] dbg: rules: compiled head tests 0.24221 [4482] dbg: rules: ran header rule __MISSING_REF ======> got hit: "UNSET" 0.0013 [4482] dbg: rules: ran header rule __MSOE_MID_WRONG_CASE ======> got hit: " 0.00318 [4482] dbg: 
rules: Message-Id: " 8E-05 [4482] dbg: rules: ran header rule MISSING_DATE ======> got hit: "UNSET" 0.00065 [4482] dbg: rules: ran header rule __SARE_WHITELIST_FLAG ======> got hit: "i" 0.00042 [4482] dbg: rules: ran header rule __MSGID_OK_HOST ======> got hit: "@lint_rules>" 0.00172 [4482] dbg: rules: ran header rule __MSGID_OK_DIGITS ======> got hit: "1220538576" 0.00019 [4482] dbg: rules: ran header rule __HAS_MSGID ======> got hit: "<" 0.00032 [4482] dbg: rules: ran header rule __SANE_MSGID ======> got hit: "<1220538576@lint_rules> 0.00016 [4482] dbg: rules: " 3E-05 [4482] dbg: spf: checking to see if the message has a Received-SPF header that we can use 0.01413 [4482] dbg: spf: already checked for Received-SPF headers, proceeding with DNS based checks 0.00064 [4482] dbg: spf: already checked for Received-SPF headers, proceeding with DNS based checks 0.00015 [4482] dbg: rules: ran eval rule NO_RELAYS ======> got hit (1) 0.00105 [4482] dbg: spf: already checked for Received-SPF headers, proceeding with DNS based checks 0.00031 [4482] dbg: spf: already checked for Received-SPF headers, proceeding with DNS based checks 0.00084 [4482] dbg: spf: cannot get Envelope-From, cannot use SPF 0.00147 [4482] dbg: spf: def_spf_whitelist_from: could not find useable envelope sender 4E-05 [4482] dbg: spf: already checked for Received-SPF headers, proceeding with DNS based checks 0.00012 [4482] dbg: spf: already checked for Received-SPF headers, proceeding with DNS based checks 0.00014 [4482] dbg: spf: already checked for Received-SPF headers, proceeding with DNS based checks 0.00042 [4482] dbg: rules: ran eval rule __UNUSABLE_MSGID ======> got hit (1) 0.00061 [4482] dbg: spf: spf_whitelist_from: could not find useable envelope sender 0.00032 [4482] dbg: rules: ran eval rule MISSING_HEADERS ======> got hit (1) 0.00049 [4482] dbg: rules: running body tests; score so far=1.5 0.00033 [4482] dbg: rules: compiled body tests 0.44736 [4482] dbg: rules: ran body rule __NONEMPTY_BODY 
======> got hit: "I" 0.04167 [4482] dbg: rules: running uri tests; score so far=1.5 0.04615 [4482] dbg: rules: compiled uri tests 0.02043 [4482] dbg: eval: stock info total: 0 0.02142 [4482] dbg: rules: ran eval rule BAYES_00 ======> got hit (1) 0.00317 [4482] dbg: rules: running rawbody tests; score so far=-0.812 0.00409 [4482] dbg: rules: compiled rawbody tests 0.36254 [4482] dbg: rules: ran rawbody rule __TVD_BODY ======> got hit: "need" 0.00454 [4482] dbg: rules: running full tests; score so far=-0.812 0.00431 [4482] dbg: rules: compiled full tests 0.0029 [4482] dbg: rules: running meta tests; score so far=-0.812 0.00058 [4482] dbg: rules: compiled meta tests 0.00068 [4482] dbg: check: running tests for priority: 500 0.00049 [4482] dbg: dns: harvest_dnsbl_queries 0.00012 [4482] dbg: rules: running head tests; score so far=-0.812 0.00036 [4482] dbg: rules: compiled head tests 0.00841 [4482] dbg: rules: running body tests; score so far=-0.812 0.00048 [4482] dbg: rules: compiled body tests 0.00179 [4482] dbg: rules: running uri tests; score so far=-0.812 0.00154 [4482] dbg: rules: compiled uri tests 0.00128 [4482] dbg: rules: running rawbody tests; score so far=-0.812 0.00016 [4482] dbg: rules: compiled rawbody tests 0.00225 [4482] dbg: rules: running full tests; score so far=-0.812 0.00061 [4482] dbg: rules: compiled full tests 0.00053 [4482] dbg: rules: running meta tests; score so far=-0.812 0.00017 [4482] dbg: rules: meta test DIGEST_MULTIPLE has undefined dependency 'DCC_CHECK' 0.00019 [4482] dbg: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_MKSHRT' 0.02107 [4482] dbg: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_GT' 9E-05 [4482] dbg: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_TINY' 3E-05 [4482] dbg: rules: meta test VIRUS_WARNING_DOOM_BNC has undefined dependency 'VIRUS_WARNING_MYDOOM4' 0.00701 [4482] dbg: rules: compiled meta tests 0.43007 [4482] dbg: check: running tests for 
priority: 1000 0.00375 [4482] dbg: rules: running head tests; score so far=1.663 0.00011 [4482] dbg: rules: compiled head tests 0.00031 [4482] dbg: rules: running body tests; score so far=1.663 0.00059 [4482] dbg: rules: compiled body tests 0.00022 [4482] dbg: rules: running uri tests; score so far=1.663 0.00013 [4482] dbg: rules: compiled uri tests 3E-05 [4482] dbg: rules: running rawbody tests; score so far=1.663 0.00011 [4482] dbg: rules: compiled rawbody tests 0.00013 [4482] dbg: rules: running full tests; score so far=1.663 0.00012 [4482] dbg: rules: compiled full tests 0.00014 [4482] dbg: rules: running meta tests; score so far=1.663 0.00014 [4482] dbg: rules: compiled meta tests 0.00017 [4482] dbg: check: is spam? score=1.663 required=5 0.00048 [4482] dbg: check: tests=BAYES_00,MISSING_DATE,MISSING_HEADERS,MISSING_SUBJECT,NO_RECEIVED,NO_RELAYS 4E-05 [4482] dbg: check: subtests=__HAS_MSGID,__MISSING_REF,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__MSOE_MID_WRONG_CASE,__NONEMPTY_BODY,__SANE_MSGID,__SARE_WHITELIST_FLAG,__TVD_BODY,__UNUSABLE_MSGID 6E-05 *Finish - Total Time* *8.29346* -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From vincent at zijnemail.nl Thu Sep 4 16:35:34 2008 
From: vincent at zijnemail.nl (Vincent Verhagen)
Date: Thu Sep 4 16:35:49 2008
Subject: MailScanner delivering mail with virus?
Message-ID: <48C00046.7090002@zijnemail.nl>

Using:
MailScanner 4.71.10
F-Prot-6 (not the daemon)

For some reason, MailScanner has passed some emails that were
virus-infected according to F-Prot.
See this excerpt from the log:

Sep 4 14:51:29 mail2 MailScanner[21344]: New Batch: Scanning 1 messages, 31790 bytes
Sep 4 14:51:29 mail2 MailScanner[21344]: Spam Checks completed at 90432 bytes per second
Sep 4 14:51:29 mail2 MailScanner[21344]: Virus and Content Scanning: Starting
Sep 4 14:51:33 mail2 MailScanner[21344]: [Found possible security risk] ./43E59D98828.C43D0.message->Fees_2007-2008.zip->Fees_2007-2008.doc.exe
Sep 4 14:51:33 mail2 MailScanner[21344]: Virus Scanning: F-Prot6 found 1 infections
Sep 4 14:51:33 mail2 MailScanner[21344]: Infected message 43E59D98828.C43D0.message->Fees_2007-2008.zip->Fees_2007-2008.doc.exe came from
Sep 4 14:51:33 mail2 MailScanner[21344]: Virus Scanning: Found 1 viruses
Sep 4 14:51:33 mail2 MailScanner[21344]: Virus Scanning completed at 9003 bytes per second
Sep 4 14:51:33 mail2 MailScanner[21344]: Requeue: 43E59D98828.C43D0 to 5ADD8D98829
Sep 4 14:51:33 mail2 MailScanner[21344]: Uninfected: Delivered 1 messages
Sep 4 14:51:33 mail2 MailScanner[21344]: Batch completed at 8160 bytes per second (31790 / 3)
Sep 4 14:51:33 mail2 MailScanner[21344]: Batch (1 message) processed in 3.90 seconds
Sep 4 14:51:33 mail2 MailScanner[21344]: Logging message 43E59D98828.C43D0 to SQL
Sep 4 14:51:33 mail2 MailScanner[21344]: "Always Looked Up Last" took 0.00 seconds

A few minutes later, it does so again:

Sep 4 14:53:31 mail2 MailScanner[21344]: New Batch: Scanning 1 messages, 32024 bytes
Sep 4 14:53:31 mail2 MailScanner[21344]: Spam Checks: Found 1 spam messages
Sep 4 14:53:31 mail2 MailScanner[21344]: Spam Checks completed at 87136 bytes per second
Sep 4 14:53:31 mail2 MailScanner[21344]: Virus and Content Scanning: Starting
Sep 4 14:53:35 mail2 MailScanner[21344]: [Found possible security risk] ./9D0DFD98829.A3D54.message->Fees_2007-2008.zip->Fees_2007-2008.doc.exe
Sep 4 14:53:35 mail2 MailScanner[21344]: Virus Scanning: F-Prot6 found 1 infections
Sep 4 14:53:35 mail2 MailScanner[21344]: Infected message 9D0DFD98829.A3D54.message->Fees_2007-2008.zip->Fees_2007-2008.doc.exe came from
Sep 4 14:53:35 mail2 MailScanner[21344]: Virus Scanning: Found 1 viruses
Sep 4 14:53:35 mail2 MailScanner[21344]: Virus Scanning completed at 8846 bytes per second
Sep 4 14:53:35 mail2 MailScanner[21344]: Requeue: 9D0DFD98829.A3D54 to DE875D98828
Sep 4 14:53:35 mail2 MailScanner[21344]: Uninfected: Delivered 1 messages
Sep 4 14:53:35 mail2 MailScanner[21344]: Batch completed at 8002 bytes per second (32024 / 4)
Sep 4 14:53:35 mail2 MailScanner[21344]: Batch (1 message) processed in 4.00 seconds
Sep 4 14:53:35 mail2 MailScanner[21344]: Logging message 9D0DFD98829.A3D54 to SQL
Sep 4 14:53:35 mail2 MailScanner[21344]: "Always Looked Up Last" took 0.00 seconds

MailScanner is not configured to deliver viruses in any way and has
never done so before.
Anyone have an idea what causes this?

Regards,
Vincent

From vincent at zijnemail.nl Thu Sep 4 16:45:04 2008
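The inconsistency in the two log excerpts of Vincent Verhagen's post above (F-Prot6 counts an infection, the "Infected message" entry carries an archive member path instead of a queue ID, and the batch still ends with "Uninfected: Delivered 1 messages") can be checked for mechanically. The Python check below is an added example, not part of the original post or of MailScanner; the function names, finding labels and queue-ID pattern (modelled on the IDs shown in this thread) are assumptions, and the second sample batch is constructed.

```python
import re

# Sample input for offline use: batch 21344 follows the failing excerpt in the
# post; batch 30001 is a constructed, correctly quarantined detection.
SAMPLE_LOG = """\
Sep 4 14:51:29 mail2 MailScanner[21344]: New Batch: Scanning 1 messages, 31790 bytes
Sep 4 14:51:33 mail2 MailScanner[21344]: Virus Scanning: F-Prot6 found 1 infections
Sep 4 14:51:33 mail2 MailScanner[21344]: Infected message 43E59D98828.C43D0.message->Fees_2007-2008.zip->Fees_2007-2008.doc.exe came from
Sep 4 14:51:33 mail2 MailScanner[21344]: Virus Scanning: Found 1 viruses
Sep 4 14:51:33 mail2 MailScanner[21344]: Requeue: 43E59D98828.C43D0 to 5ADD8D98829
Sep 4 14:51:33 mail2 MailScanner[21344]: Uninfected: Delivered 1 messages
Sep 4 14:51:33 mail2 MailScanner[21344]: Batch (1 message) processed in 3.90 seconds
Sep 4 15:02:10 mail2 MailScanner[30001]: New Batch: Scanning 1 messages, 3526 bytes
Sep 4 15:02:12 mail2 MailScanner[30001]: Virus Scanning: Clamd found 1 infections
Sep 4 15:02:12 mail2 MailScanner[30001]: Infected message 1A2B3C4D5E6.0F1A2 came from 192.0.2.10
Sep 4 15:02:12 mail2 MailScanner[30001]: Virus Scanning: Found 1 viruses
Sep 4 15:02:12 mail2 MailScanner[30001]: Saved entire message to /var/spool/MailScanner/quarantine/20080904/1A2B3C4D5E6.0F1A2
Sep 4 15:02:12 mail2 MailScanner[30001]: Batch (1 message) processed in 2.10 seconds
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+MailScanner\[(\d+)\]:\s+(.*)$")
# Assumption: Postfix-style IDs as logged in this thread, e.g. 43E59D98828.C43D0
QUEUE_ID_RE = re.compile(r"^[0-9A-F]{6,}\.[0-9A-F]{5}$")

EVENTS = {
    "size": re.compile(r"New Batch: Scanning (\d+) messages"),
    "viruses": re.compile(r"Virus Scanning: Found (\d+) viruses"),
    "infected": re.compile(r"Infected message (\S+) came from"),
    "clean": re.compile(r"Uninfected: Delivered (\d+) messages"),
}


def check_batch(batch):
    """Return the findings for one finished batch."""
    findings = []
    for ident in batch["infected"]:
        # The value logged as the infected message is not a queue ID, so the
        # detection was not tied back to a message in the batch.
        if not QUEUE_ID_RE.match(ident):
            findings.append((batch["start"], batch["pid"],
                             "UNATTRIBUTED_INFECTION", ident))
    # Every message of the batch went out as clean although a virus was counted.
    if batch["viruses"] > 0 and batch["clean"] >= batch["size"]:
        findings.append((batch["start"], batch["pid"],
                         "INFECTED_BATCH_FULLY_DELIVERED",
                         "%d of %d delivered as uninfected"
                         % (batch["clean"], batch["size"])))
    return findings


def audit(lines):
    """Group MailScanner syslog lines into batches per child PID and audit each."""
    open_batches, findings = {}, []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, pid, msg = m.groups()
        size = EVENTS["size"].match(msg)
        if size:
            # A new batch for this PID closes one left open by a truncated log.
            if pid in open_batches:
                findings += check_batch(open_batches.pop(pid))
            open_batches[pid] = {"pid": pid, "start": ts,
                                 "size": int(size.group(1)),
                                 "viruses": 0, "clean": 0, "infected": []}
            continue
        batch = open_batches.get(pid)
        if batch is None:
            continue  # batch started before the log window
        hit = EVENTS["infected"].match(msg)
        if hit:
            batch["infected"].append(hit.group(1))
        for key in ("viruses", "clean"):
            found = EVENTS[key].match(msg)
            if found:
                batch[key] = int(found.group(1))
        if msg.startswith("Batch (") and " processed in " in msg:
            findings += check_batch(open_batches.pop(pid))
    for batch in open_batches.values():  # batches still open at end of input
        findings += check_batch(batch)
    return findings


if __name__ == "__main__":
    for start, pid, kind, detail in audit(SAMPLE_LOG.splitlines()):
        print(f"{start} pid={pid} {kind}: {detail}")
```

Both findings are heuristics over the log text alone; a site that deliberately delivers infected mail after cleaning would need the second rule adjusted to its own delivery log lines.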
From: vincent at zijnemail.nl (Vincent Verhagen)
Date: Thu Sep 4 16:45:18 2008
Subject: MailScanner delivering mail with virus? - Addition
Message-ID: <48C00280.2030900@zijnemail.nl>

It seems that there is more wrong here.
When Clamd detects an infection, MailScanner reports that both
ClamAVModule and F-Prot have found it... See below:

Sep 4 17:39:20 mail2 MailScanner[26594]: New Batch: Scanning 1 messages, 3526 bytes
Sep 4 17:39:20 mail2 MailScanner[26594]: Expired 1 records from the SpamAssassin cache
Sep 4 17:39:20 mail2 MailScanner[26594]: Spam Checks: Found 1 spam messages
Sep 4 17:39:20 mail2 MailScanner[26594]: Spam Checks completed at 5695 bytes per second
Sep 4 17:39:20 mail2 MailScanner[26594]: Virus and Content Scanning: Starting
Sep 4 17:39:22 mail2 MailScanner[26594]: ClamAVModule::INFECTED:: Email.Spam.Gen1986.Sanesecurity.07113001 FOUND :: ./2B620D98826.EF262/
Sep 4 17:39:22 mail2 MailScanner[26594]: Virus Scanning: Clamd found 1 infections
Sep 4 17:39:24 mail2 MailScanner[26594]: Virus Scanning: F-Prot6 found 1 infections
Sep 4 17:39:24 mail2 MailScanner[26594]: Infected message 2B620D98826.EF262 came from 117.64.193.63
Sep 4 17:39:24 mail2 MailScanner[26594]: Virus Scanning: Found 1 viruses
Sep 4 17:39:24 mail2 MailScanner[26594]: Virus Scanning completed at 1029 bytes per second
Sep 4 17:39:24 mail2 MailScanner[26594]: Saved entire message to /var/spool/MailScanner/quarantine/20080904/2B620D98826.EF262
Sep 4 17:39:24 mail2 MailScanner[26594]: Batch completed at 870 bytes per second (3526 / 4)
Sep 4 17:39:24 mail2 MailScanner[26594]: Batch (1 message) processed in 4.05 seconds
Sep 4 17:39:24 mail2 MailScanner[26594]: Logging message 2B620D98826.EF262 to SQL
Sep 4 17:39:24 mail2 MailScanner[26594]: "Always Looked Up Last" took 0.00 seconds
Sep 4 17:39:24 mail2 MailScanner[26728]: 2B620D98826.EF262: Logged to MailWatch SQL

More info will follow as needed.

From MailScanner at ecs.soton.ac.uk Thu Sep 4 16:55:12 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Sep 4 16:55:33 2008
Subject: MailScanner delivering mail with virus?
In-Reply-To:
References:
Message-ID: <48C004E0.8030302@ecs.soton.ac.uk>

Can you try setting
    ClamAV Full Message Scan = no
and giving it another go?

I don't like the look of 43E59D98828.C43D0.message as a filename, that
looks definitely wrong to me. It is not managing to extract the
attachment filename from the virus scanner report.

Can you send me a copy of the mail queue file please? (off-list, to
mailscanner@ecs.soton.ac.uk).

Thanks,
Jules.

Vincent Verhagen wrote:
> Using:
> MailScanner 4.71.10
> F-Prot-6 (not the daemon)
>
> For some reason, MailScanner has passed some emails that were
> virus-infected according to F-Prot.
> See this excerpt from the log:
>
> Sep 4 14:51:29 mail2 MailScanner[21344]: New Batch: Scanning 1
> messages, 31790 bytes
> Sep 4 14:51:29 mail2 MailScanner[21344]: Spam Checks completed at
> 90432 bytes per second
> Sep 4 14:51:29 mail2 MailScanner[21344]: Virus and Content Scanning:
> Starting
> Sep 4 14:51:33 mail2 MailScanner[21344]: [Found possible security
> risk]
> ./43E59D98828.C43D0.message->Fees_2007-2008.zip->Fees_2007-2008.doc.exe
> Sep 4 14:51:33 mail2 MailScanner[21344]: Virus Scanning: F-Prot6
> found 1 infections
> Sep 4 14:51:33 mail2 MailScanner[21344]: Infected message
> 43E59D98828.C43D0.message->Fees_2007-2008.zip->Fees_2007-2008.doc.exe
> came from
> Sep 4 14:51:33 mail2 MailScanner[21344]: Virus Scanning: Found 1 viruses
> Sep 4 14:51:33 mail2 MailScanner[21344]: Virus Scanning completed at
> 9003 bytes per second
> Sep 4 14:51:33 mail2 MailScanner[21344]: Requeue: 43E59D98828.C43D0
> to 5ADD8D98829
> Sep 4 14:51:33 mail2 MailScanner[21344]: Uninfected: Delivered 1
> messages
> Sep 4 14:51:33 mail2 MailScanner[21344]: Batch completed at 8160
> bytes per second (31790 / 3)
> Sep 4 14:51:33 mail2 MailScanner[21344]: Batch (1 message) processed
> in 3.90 seconds
> Sep 4 14:51:33 mail2 MailScanner[21344]: Logging message
> 43E59D98828.C43D0 to SQL
> Sep 4 14:51:33 mail2 MailScanner[21344]: "Always Looked Up Last" took
> 0.00 seconds
>
> A few minutes later, it does so again:
>
> Sep 4 14:53:31 mail2 MailScanner[21344]: New Batch: Scanning 1
> messages, 32024 bytes
> Sep 4 14:53:31 mail2 MailScanner[21344]: Spam Checks: Found 1 spam
> messages
> Sep 4 14:53:31 mail2 MailScanner[21344]: Spam Checks completed at
> 87136 bytes per second
> Sep 4 14:53:31 mail2 MailScanner[21344]: Virus and Content Scanning:
> Starting
> Sep 4 14:53:35 mail2 MailScanner[21344]: [Found possible security
> risk]
> ./9D0DFD98829.A3D54.message->Fees_2007-2008.zip->Fees_2007-2008.doc.exe
> Sep 4 14:53:35 mail2 MailScanner[21344]: Virus Scanning: F-Prot6
> found 1 infections
> Sep 4 14:53:35 mail2 MailScanner[21344]: Infected message
> 9D0DFD98829.A3D54.message->Fees_2007-2008.zip->Fees_2007-2008.doc.exe
> came from
> Sep 4 14:53:35 mail2 MailScanner[21344]: Virus Scanning: Found 1 viruses
> Sep 4 14:53:35 mail2 MailScanner[21344]: Virus Scanning completed at
> 8846 bytes per second
> Sep 4 14:53:35 mail2 MailScanner[21344]: Requeue: 9D0DFD98829.A3D54
> to DE875D98828
> Sep 4 14:53:35 mail2 MailScanner[21344]: Uninfected: Delivered 1
> messages
> Sep 4 14:53:35 mail2 MailScanner[21344]: Batch completed at 8002
> bytes per second (32024 / 4)
> Sep 4 14:53:35 mail2 MailScanner[21344]: Batch (1 message) processed
> in 4.00 seconds
> Sep 4 14:53:35 mail2 MailScanner[21344]: Logging message
> 9D0DFD98829.A3D54 to SQL
> Sep 4 14:53:35 mail2 MailScanner[21344]: "Always Looked Up Last" took
> 0.00 seconds
>
> MailScanner is not configured to deliver viruses in any way and has
> never done so before.
> Anyone have an idea what causes this?
>
> Regards,
> Vincent
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and dangerous content by
MailScanner, and is believed to be clean.

From MailScanner at ecs.soton.ac.uk Thu Sep 4 17:05:07 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Sep 4 17:05:26 2008
Subject: MailScanner delivering mail with virus? - Addition
In-Reply-To:
References:
Message-ID: <48C00733.4050004@ecs.soton.ac.uk>

Please try this patch for SweepViruses.pm (in /usr/lib/MailScanner/MailScanner)

--- SweepViruses.pm.old 2008-09-04 10:10:36.000000000 +0100 +++ SweepViruses.pm 2008-09-04 17:03:03.000000000 +0100 
@@ -1506,7 +1506,7 @@ return 0; } else { # Must be an infection reports - MailScanner::Log::InfoLog("%s::%s", 'ClamAVModule', $logout); + MailScanner::Log::InfoLog("%s::%s", $Name, $logout); ($dot, $id, $part, @rest) = split(/\//, $filename); $report = $Name . ': ' if $Name; 

Vincent Verhagen wrote:
> It seems that there is more wrong here.
> When Clamd detects an infection, MailScanner reports that both
> ClamAVModule and F-Prot have found it... See below:
>
> Sep 4 17:39:20 mail2 MailScanner[26594]: New Batch: Scanning 1
> messages, 3526 bytes
> Sep 4 17:39:20 mail2 MailScanner[26594]: Expired 1 records from the
> SpamAssassin cache
> Sep 4 17:39:20 mail2 MailScanner[26594]: Spam Checks: Found 1 spam
> messages
> Sep 4 17:39:20 mail2 MailScanner[26594]: Spam Checks completed at
> 5695 bytes per second
> Sep 4 17:39:20 mail2 MailScanner[26594]: Virus and Content Scanning:
> Starting
> Sep 4 17:39:22 mail2 MailScanner[26594]: ClamAVModule::INFECTED::
> Email.Spam.Gen1986.Sanesecurity.07113001 FOUND :: ./2B620D98826.EF262/
> Sep 4 17:39:22 mail2 MailScanner[26594]: Virus Scanning: Clamd found
> 1 infections
> Sep 4 17:39:24 mail2 MailScanner[26594]: Virus Scanning: F-Prot6
> found 1 infections
> Sep 4 17:39:24 mail2 MailScanner[26594]: Infected message
> 2B620D98826.EF262 came from 117.64.193.63
> Sep 4 17:39:24 mail2 MailScanner[26594]: Virus Scanning: Found 1 viruses
> Sep 4 17:39:24 mail2 MailScanner[26594]: Virus Scanning completed at
> 1029 bytes per second
> Sep 4 17:39:24 mail2 MailScanner[26594]: Saved entire message to
> /var/spool/MailScanner/quarantine/20080904/2B620D98826.EF262
> Sep 4 17:39:24 mail2 MailScanner[26594]: Batch completed at 870 bytes
> per second (3526 / 4)
> Sep 4 17:39:24 mail2 MailScanner[26594]: Batch (1 message) processed
> in 4.05 seconds
> Sep 4 17:39:24 mail2 MailScanner[26594]: Logging message
> 2B620D98826.EF262 to SQL
> Sep 4 17:39:24 mail2 MailScanner[26594]: "Always Looked Up Last" took
> 0.00 seconds
> Sep 4 17:39:24 mail2 MailScanner[26728]: 2B620D98826.EF262: Logged to
> MailWatch SQL
>
> More info will follow as needed.
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and dangerous content by
MailScanner, and is believed to be clean.

From Kevin_Miller at ci.juneau.ak.us Thu Sep 4 17:40:59 2008
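Review bot: in the @@ -1506,7 +1506,7 @@ hunk of Julian Field's SweepViruses.pm patch above, the replacement InfoLog("%s::%s", $Name, $logout) call uses $Name unconditionally, although the context line that follows, $report = $Name . ': ' if $Name;, allows for $Name being empty. In that case the log entry would start with a bare "::" and name no scanner at all, so guard the log call the same way or substitute a fallback label when $Name is not set. The context comment "# Must be an infection reports" could be corrected to "report" in the same change.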
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Thu Sep 4 17:41:12 2008
Subject: MailScanner ANNOUNCE: 4.71 stable released
In-Reply-To: <48BFA652.5020508@ecs.soton.ac.uk>
References: <48BBEFC8.2060500@ecs.soton.ac.uk> <48BFA652.5020508@ecs.soton.ac.uk>
Message-ID:

Julian Field wrote:
> Kevin Miller wrote:
>> Julian Field wrote:
>>
>>> - Updated support for Esets and F-Secure virus scanners.
>>> - Thanks to F-Secure for donating me a set of server licences so I
>>> can always be sure that I am supporting the latest versions of
>>> their products. Much appreciated!
>>>
>>
>> Like several others, my F-Secure 4.65 has gone to the great
>> bit-bucket in the sky. Time to upgrade. Did you install the
>> F-Secure Linux Security 7.01? Is that the package that the latest
>> version of MailScanner has support for? I've downloaded it but not
>> yet installed it.
>>
> I have provided support for 7.01. Install it with the
> "--command-line-only" switch on the installer command-line in order to
> just the get bits you want and not any of the whole irrelevant
> management environment.

Great, thanks much Jules. As soon as they send me my new keys I'll kick
that into gear. Appreciate it...

...Kevin
--
Kevin Miller Registered Linux User No: 307357
CBJ MIS Dept. Network Systems Admin., Mail Admin.
155 South Seward Street ph: (907) 586-0242
Juneau, Alaska 99801 fax: (907 586-4500

From Kevin_Miller at ci.juneau.ak.us Thu Sep 4 17:50:28 2008
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Thu Sep 4 17:50:38 2008
Subject: Spamassassin mostly stoped working after clamav/spamassasin update installation
Message-ID:

Yesterday I updated MailScanner, clamAV & spamassassin via the packages
on the mailscanner site. I'd previously set up spamassassin to use the
SARE & KAM rulesets. Both the spamassassin rules & the SARE rules were
in /var/lib/spamassassin/3.002004.

Last night the update_spamassassin script in cron.daily ran, and this
morning in /var/lib/spamassassin there's a new directory, 3.002005, as
expected. Only thing is, only the SARE rules are in it. Naturally,
filtering isn't quite as robust as it was yesterday!

Did I miss a step somewhere along the way? After upgrading using the
clam/sp package was there something else I needed to do?

My sare-sa-updates-channel.txt contains updates.spamassassin.org as the
first line, so I'm not sure why the latest/greatest rules didn't come
down.

TIA..

...Kevin
--
Kevin Miller Registered Linux User No: 307357
CBJ MIS Dept. Network Systems Admin., Mail Admin.
155 South Seward Street ph: (907) 586-0242
Juneau, Alaska 99801 fax: (907 586-4500

From agross at gcpsite.com Thu Sep 4 19:39:01 2008
From: agross at gcpsite.com (Adam Gross)
Date: Thu Sep 4 19:39:18 2008
Subject: need help..ClamAV 0.94 and MailScanner 4.69.9
In-Reply-To: <48BFD473.6030001@gmail.com>
References: <4899AC93.10501@trayerproducts.com> <4899B259.9010204@gmail.com> <4899C0F7.6070603@ecs.soton.ac.uk> <489AF542.3090608@ecs.soton.ac.uk> <48BF1F03.9040501@gmail.com><48BF7F8F.6000606@noefer.org> <48BFD473.6030001@gmail.com>
Message-ID: <826D5FDFCF76F6499D59755D401D6A86012880@gcpads01.gcpsite.local>

I'm having the same problem as this one, and the fix here works... However, I'm also seeing:

<-----
Virus and Content Scanning: Starting
/usr/local/bin/clamscan: unrecognized option `--unzip'
ERROR: Unknown option passed.
ERROR: Can't parse the command line
----->

I didn't see a similar "unzipcmd" or "zipcmd" section so I was wary to make any changes.

Adam Gross | agross@gcpsite.com | 859-630-8722

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Yashodhan Barve
Sent: Thursday, September 04, 2008 8:29 AM
To: MailScanner discussion
Subject: Re: need help..ClamAV 0.94 and MailScanner 4.69.9

Hoger Nöfer wrote:
> Yashodhan Barve wrote:
>
> Hi,
>
> have a look at /opt/MailScanner/lib/MailScanner/SweepViruses.pm, I
> comment out the
> following lines:
> if ($rarcmd && -x $rarcmd) {
> $Scanners{clamav}->{CommonOptions} .= " --unrar=$rarcmd";
> MailScanner::Log::InfoLog("ClamAV scanner using unrar command %s",
> $rarcmd);
> }
>
>
> Best regards,
> Holger

Thanks Holger. That worked.

Martin, I had tried to use clamd in 0.92 days but the daemon kept dying
and even monit could not restart it. So switched to clamscan, slower but
always works.

regards
yashodhan.

From holger-lists at noefer.org Thu Sep 4 19:52:13 2008
From: holger-lists at noefer.org (Hoger Nöfer)
Date: Thu Sep 4 19:52:24 2008
Subject: need help..ClamAV 0.94 and MailScanner 4.69.9
In-Reply-To: <826D5FDFCF76F6499D59755D401D6A86012880@gcpads01.gcpsite.local>
References: <4899AC93.10501@trayerproducts.com> <4899B259.9010204@gmail.com> <4899C0F7.6070603@ecs.soton.ac.uk> <489AF542.3090608@ecs.soton.ac.uk> <48BF1F03.9040501@gmail.com><48BF7F8F.6000606@noefer.org> <48BFD473.6030001@gmail.com> <826D5FDFCF76F6499D59755D401D6A86012880@gcpads01.gcpsite.local>
Message-ID: <48C02E5D.8040609@noefer.org>

Adam Gross wrote:
> I'm having the same problem as this one, and the fix here works... However, I'm also seeing:
>
> <-----
> Virus and Content Scanning: Starting
> /usr/local/bin/clamscan: unrecognized option `--unzip'
> ERROR: Unknown option passed.
> ERROR: Can't parse the command line
> ----->
>
> I didn't see a similar "unzipcmd" or "zipcmd" section so I was wary to make any changes.
>
> Adam Gross | agross@gcpsite.com | 859-630-8722
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Yashodhan Barve
> Sent: Thursday, September 04, 2008 8:29 AM
> To: MailScanner discussion
> Subject: Re: need help..ClamAV 0.94 and MailScanner 4.69.9
>
> Hoger Nöfer wrote:
>
>> Yashodhan Barve wrote:
>>
>> Hi,
>>
>> have a look at /opt/MailScanner/lib/MailScanner/SweepViruses.pm, I
>> comment out the
>> following lines:
>> if ($rarcmd && -x $rarcmd) {
>> $Scanners{clamav}->{CommonOptions} .= " --unrar=$rarcmd";
>> MailScanner::Log::InfoLog("ClamAV scanner using unrar command %s",
>> $rarcmd);
>> }
>>
>>
>> Best regards,
>> Holger
>>
>
> Thanks Holger. That worked.
>
> Martin, I had tried to use clamd in 0.92 days but the daemon kept dying
> and even monit could not restart it. So switched to clamscan, slower but
> always works.
>
> regards
> yashodhan.
>

Hi,

have a look at /opt/MailScanner/lib/clamav-wrapper, too.
There are many ExtraScanOptions which are unknown in
the latest clamav version.

regards,
Holger

From jplorier at montecarlotv.com.uy Thu Sep 4 19:58:33 2008
From: jplorier at montecarlotv.com.uy (Juan Pablo Lorier)
Date: Thu Sep 4 20:03:10 2008
Subject: Mail passing through pretending to be whilisted
In-Reply-To: <200809041610.m84G9YjD018548@safir.blacknight.ie>
Message-ID:

Hi Denis,

So you're saying that it's not letting the mail through, just not
checking the whitelist because it's been sent to too many recipients?
Thanks,

Ing. Juan Pablo Lorier
Monte Carlo TV SA
Montevideo, Uruguay
+(598)2 9244444

From alex at rtpty.com Thu Sep 4 20:11:19 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Thu Sep 4 20:11:36 2008
Subject: Mail passing through pretending to be whilisted
In-Reply-To:
References:
Message-ID: <0D9DF9A4-7671-4F09-AF13-D9ADFF8C6181@rtpty.com>

Exactly. That's why I mentioned splitting recipients at the mta level.

Sent from my iPhone

On Sep 4, 2008, at 1:58 PM, "Juan Pablo Lorier" wrote:

> Hi Denis,
>
> So you're saying that it's not letting the mail through, just not
> checking the whitelist because it's been sent to too many recipients?
> Thanks,
>
> Ing. Juan Pablo Lorier
> Monte Carlo TV SA
> Montevideo, Uruguay
> +(598)2 9244444

From yashodhan.barve at gmail.com Thu Sep 4 20:31:00 2008
From: yashodhan.barve at gmail.com (Yashodhan Barve)
Date: Thu Sep 4 20:31:17 2008
Subject: need help..ClamAV 0.94 and MailScanner 4.69.9
In-Reply-To: <48C02E5D.8040609@noefer.org>
References: <4899AC93.10501@trayerproducts.com> <4899B259.9010204@gmail.com> <4899C0F7.6070603@ecs.soton.ac.uk> <489AF542.3090608@ecs.soton.ac.uk> <48BF1F03.9040501@gmail.com><48BF7F8F.6000606@noefer.org> <48BFD473.6030001@gmail.com> <826D5FDFCF76F6499D59755D401D6A86012880@gcpads01.gcpsite.local> <48C02E5D.8040609@noefer.org>
Message-ID: <48C03774.7090106@gmail.com>

Hoger Nöfer wrote:
> Adam Gross wrote:
>> I'm having the same problem as this one, and the fix here works... However, I'm also seeing:
>>
>> <-----
>> Virus and Content Scanning: Starting
>> /usr/local/bin/clamscan: unrecognized option `--unzip'
>> ERROR: Unknown option passed.
>> ERROR: Can't parse the command line
>> ----->
>>
>> I didn't see a similar "unzipcmd" or "zipcmd" section so I was wary to make any changes.
>>
>> Adam Gross | agross@gcpsite.com | 859-630-8722
>>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Yashodhan Barve
>> Sent: Thursday, September 04, 2008 8:29 AM
>> To: MailScanner discussion
>> Subject: Re: need help..ClamAV 0.94 and MailScanner 4.69.9
>>
>> Hoger Nöfer wrote:
>>
>>> Yashodhan Barve wrote:
>>>
>>> Hi,
>>>
>>> have a look at /opt/MailScanner/lib/MailScanner/SweepViruses.pm, I
>>> comment out the
>>> following lines:
>>> if ($rarcmd && -x $rarcmd) {
>>> $Scanners{clamav}->{CommonOptions} .= " --unrar=$rarcmd";
>>> MailScanner::Log::InfoLog("ClamAV scanner using unrar command %s",
>>> $rarcmd);
>>> }
>>>
>>>
>>> Best regards,
>>> Holger
>>>
>> Thanks Holger. That worked.
>>
>> Martin, I had tried to use clamd in 0.92 days but the daemon kept dying
>> and even monit could not restart it. So switched to clamscan, slower but
>> always works.
>>
>> regards
>> yashodhan.
>>
>
> Hi,
>
> have a look at /opt/MailScanner/lib/clamav-wrapper, too.
> There are many ExtraScanOptions which are unknown in
> the latest clamav version.
>
> regards,
> Holger

You have to comment out all the ExtraOptions in clamav-wrapper, then it
should all work.

regards
yashodhan

From AHKAPLAN at PARTNERS.ORG Thu Sep 4 21:03:49 2008
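One way to check a scanner option list against what the installed clamscan accepts before restarting MailScanner, given that an unknown option stops clamscan with "Can't parse the command line". This is an added example, not MailScanner's or ClamAV's own code; the help text and option string are constructed samples, and only --unrar and --unzip are taken from the thread.

```python
import re
import shlex
import subprocess

# Constructed, abbreviated sample shaped like `clamscan --help` output.
# It is not a verbatim copy of the help text of any ClamAV release.
SAMPLE_HELP = """\
    --help                -h             Print this help screen
    --version             -V             Print version number
    --verbose             -v             Be verbose
    --stdout                             Write to stdout instead of stderr
    --no-summary                         Disable summary at end of scanning
    --infected            -i             Only print infected files
    --tempdir=DIRECTORY                  Create temporary files in DIRECTORY
    --database=FILE/DIR   -d FILE/DIR    Load virus database from FILE or DIR
    --recursive           -r             Scan subdirectories recursively
    --max-recursion=#n                   Maximum archive recursion level
"""

# Constructed option string of the kind a wrapper script hands to clamscan.
# --unrar and --unzip are the two options the thread reports as rejected;
# the unrar path is a placeholder.
SAMPLE_OPTIONS = "--no-summary --stdout --unrar=/usr/bin/unrar --unzip --tempdir=/tmp -r"


def help_text_from(binary="clamscan"):
    """Return the help text of the installed scanner (not used by the sample run)."""
    result = subprocess.run([binary, "--help"], capture_output=True, text=True)
    return result.stdout + result.stderr


def supported_options(help_text):
    """Collect every long and short flag listed in the option columns."""
    known = set()
    for line in help_text.splitlines():
        # Columns are separated by runs of two or more spaces; the
        # description column does not start with a dash and is skipped.
        for column in re.split(r"\s{2,}", line.strip()):
            if not column.startswith("-"):
                continue
            flag = column.split()[0]
            # Drop "=VALUE" and "[=yes/no]" style suffixes.
            known.add(re.split(r"[=\[]", flag)[0])
    return known


def rejected_options(option_string, help_text):
    """Return the flags in option_string that the help text does not list."""
    known = supported_options(help_text)
    rejected = []
    for token in shlex.split(option_string):
        if not token.startswith("-"):
            continue  # value belonging to the previous flag, e.g. "-d /path"
        name = token.split("=", 1)[0]
        if name not in known:
            rejected.append(name)
    return rejected


if __name__ == "__main__":
    for name in rejected_options(SAMPLE_OPTIONS, SAMPLE_HELP):
        print("not accepted by this scanner:", name)
```

On a live system, pass help_text_from() instead of SAMPLE_HELP and the option string taken from the wrapper script. Combined short flags such as "-ri" are not split by this check.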
From: AHKAPLAN at PARTNERS.ORG (Kaplan, Andrew H.)
Date: Thu Sep 4 21:04:00 2008
Subject: Running MailScanner 4.64.3 and SpamAssassin 3.2.5 with ClamAV 0.94
Message-ID:

Hi there -

The new release of ClamAV, version 0.94, is available for download. I was
planning on installing it on our system running MailScanner and SpamAssassin.
The current version of ClamAV that is in use is the 0.93.3 release.

Is there any danger to my upgrading ClamAV to the latest version, or will the
latest version work with the two aforementioned programs? Thanks.

From Kevin_Miller at ci.juneau.ak.us Thu Sep 4 22:50:57 2008
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Thu Sep 4 22:51:11 2008
Subject: MailScanner ANNOUNCE: 4.71 stable released
In-Reply-To: <48BFA652.5020508@ecs.soton.ac.uk>
References: <48BBEFC8.2060500@ecs.soton.ac.uk> <48BFA652.5020508@ecs.soton.ac.uk>
Message-ID:

Julian Field wrote:
>> Julian Field wrote:
> I have provided support for 7.01. Install it with the
> "--command-line-only" switch on the installer command-line in order to
> just get the bits you want and not any of the whole irrelevant
> management environment.

I just installed f-secure 7.01 in command line mode (upgrade from 4.65)
and checked my crontab. The previous installs would ask whether or not
to modify crontab - this one doesn't. It just inserts the following in
root's crontab:

# Start of FSSP automatically added scheduled tasks. Do not edit.
*/1 * * * * /opt/f-secure/fssp/bin/dbupdate --auto >/dev/null 2>&1
# End of FSSP automatically added scheduled tasks. Do not edit.

I presume that MailScanner has an f-secure update wrapper so I'm remming
it out. Please correct me if I'm wrong on that Julian.

It struck me as really odd though - unless I'm reading it wrong,
f-secure wants to check for updates every minute? Seems a bit paranoid
to me.

Anyway, just wanted to give others a heads up on that...

...Kevin
--
Kevin Miller Registered Linux User No: 307357
CBJ MIS Dept. Network Systems Admin., Mail Admin.
155 South Seward Street ph: (907) 586-0242
Juneau, Alaska 99801 fax: (907 586-4500

From m.anderlini at database.it Fri Sep 5 08:17:25 2008
From: m.anderlini at database.it (Marcello Anderlini)
Date: Fri Sep 5 08:17:45 2008
Subject: R: Italian spam
In-Reply-To: <48BECD78.9030606@vanderkooij.org>
References: <2FA349F95CF3644FAFC92070E642EB6AD15339@beta.dbdomain.database.it> <48BECD78.9030606@vanderkooij.org>
Message-ID: <015e01c90f27$72acd3c0$2501a8c0@dbdomain.database.it>

I suspect then that my bayes filter is not working correctly.
I daily try to instruct spamassassin using

===========================================
sa-learn --spam --mbox /var/mail/spam
and
sa-learn --ham --mbox /var/mail/notspam
===========================================

But it still scores that kind of spam as non spam. For example, this was a spam message:

==============================
Sep 4 20:56:33 netra MailScanner[24463]: Message m84IuSPZ011375 from 77.182.10.184 (36salamancak13@viajesecuador.net) to database.it is non spam, SpamAssassin (not cached, punteggio=-1.209, necessario 5, BAYES_00 -2.60, PLING_QUERY 1.39)
==============================

How can I be sure the bayes filter is working correctly, or reset that filter?

Thanks a lot.

Dr. Marcello Anderlini
m.anderlini@database.it
---------------------------------------------
Database Informatica S.r.l.
Microsoft Certified Partner
Tel. +39059775070
Fax. +39059779545
http://www.database.it
---------------------------------------------

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Hugo van der Kooij
Sent: Wednesday 3 September 2008 19.47
To: MailScanner discussion
Subject: Re: Italian spam

Marcello Anderlini wrote:
> Hello, we are now getting a lot of spam in italian language.
> SpamAssassin seems not able to detect it, I try to create some custom
> rules without success.
> I get email with subject like this "Nel mondo c'e troppo male bugia"
> or "Tra gli esami bisogna non solo studiare pero`".
>
> Someone could help me to suggest something to block this kind of spam ?

Well, if you start feeding them to your Bayesian database it should learn
quickly.

I noticed more Dutch spam over a week ago with some customers. Well not
actually Dutch. It was just English spam fed through some lame translator
program.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

From joost at waversveld.nl Fri Sep 5 08:33:54 2008
From: joost at waversveld.nl (Joost Waversveld)
Date: Fri Sep 5 08:34:18 2008
Subject: MS YUM repository?
In-Reply-To: <48BD7B92.9090101@openenterprise.ca>
References: <48BBEFC8.2060500@ecs.soton.ac.uk> <48BC5881.8010604@vanderkooij.org> <48BD7B92.9090101@openenterprise.ca>
Message-ID: <48C0E0E2.90504@waversveld.nl>

Johnny Stork wrote:
> I am running MS on CentOS 5x and I seem to recall that someone setup a
> repo to simplify MS updates with YUM. Sorry if I missed where the
> details/repo is but could someone please let me know the location of
> this repo and any additional info that might be needed to us it?
>
> Thanks
>

Hey

Just found a message over this:

[quote hugo van der kooij]
Hi,

I have updated a yum repository that will function as an add-on to the
Centos 5 and rpmforge repositories. I plan to keep it up-to-date within
24 to 48 hours after Jules releases a new release. (Unless Jules will
go to warp 10.)

One can find it via http://yum.vanderkooij.org/

I am also thinking of building a Mailwatch 1.04 package. But that might
take quite a while.

Hugo.
[/quote]

success!

Joost waversveld

From jjlopez at at4wireless.com Fri Sep 5 09:37:41 2008
From: jjlopez at at4wireless.com (Juan Jose Lopez Gonzalez)
Date: Fri Sep 5 09:29:18 2008
Subject: Archive too deep
Message-ID:

Hi all:

We are experiencing some problems with attachment, some
times MailScanner replace the e-mail with a {Dangerous Content}

At the content filters said:
MailScanner: archivetoodeep

Note to Help Desk: Look on IT MailScanner in
/var/spool/MailScanner/quarantine/ (message ).

How we can change the deep level??

Thanks in advance.

From martinh at solidstatelogic.com Fri Sep 5 09:38:32 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Fri Sep 5 09:38:44 2008
Subject: Archive too deep
In-Reply-To:
Message-ID:

Juan

http://www.mailscanner.info/MailScanner.conf.index.html#Maximum%20Archive%20Depth

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Juan Jose Lopez Gonzalez
> Sent: 05 September 2008 09:38
> To: mailscanner@lists.mailscanner.info
> Subject: Archive too deep
>
> Hi all:
>
> We are experiencing some problems with attachment, some
> times MailScanner replace the e-mail with a {Dangerous Content}
>
> At the content filters said:
> MailScanner: archivetoodeep
>
> Note to Help Desk: Look on IT MailScanner in
> /var/spool/MailScanner/quarantine/ (message ).
>
>
> How we can change the deep level??
>
> Thanks in advance.

From MailScanner at ecs.soton.ac.uk Fri Sep 5 09:41:18 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Sep 5 09:41:35 2008
Subject: Spamassassin mostly stoped working after clamav/spamassasin update installation
In-Reply-To:
References:
Message-ID: <48C0F0AE.2050609@ecs.soton.ac.uk>

The KAM ruleset, how do you fetch it?
If you do it without using sa-update, and just wget it or similar, then
you want to put it into /etc/mail/spamassassin.

Kevin Miller wrote:
> Yesterday I updated MailScanner, clamAV & spamassassin via the packages
> on the mailscanner site. I'd previously set up spamassassin to use the
> SARE & KAM rulesets. Both the spamassassin rules & the SARE rules were
> in /var/lib/spamassassin/3.002004. Last night the update_spamassassin
> script in cron.daily ran, and this morning in /var/lib/spamassassin
> there's a new directory, 3.002005, as expected. Only thing is, only the
> SARE rules are in it. Naturally, filtering isn't quite as robust as it
> was yesterday!
>
> Did I miss a step somewhere along the way? After upgrading using the
> clam/sp package was there something else I needed to do? My
> sare-sa-updates-channel.txt contains updates.spamassassin.org as the
> first line, so I'm not sure why the latest/greatest rules didn't come
> down.
>
> TIA..
>
> ...Kevin
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From MailScanner at ecs.soton.ac.uk Fri Sep 5 09:48:36 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Sep 5 09:48:55 2008
Subject: need help..ClamAV 0.94 and MailScanner 4.69.9
In-Reply-To:
References: <4899AC93.10501@trayerproducts.com> <4899B259.9010204@gmail.com> <4899C0F7.6070603@ecs.soton.ac.uk> <489AF542.3090608@ecs.soton.ac.uk> <48BF1F03.9040501@gmail.com><48BF7F8F.6000606@noefer.org> <48BFD473.6030001@gmail.com> <826D5FDFCF76F6499D59755D401D6A86012880@gcpads01.gcpsite.local>
Message-ID: <48C0F264.4040407@ecs.soton.ac.uk>

Hoger Nöfer wrote:
> Adam Gross wrote:
>
>> I'm having the same problem as this one, and the fix here works... However, I'm also seeing:
>>
>> <-----
>> Virus and Content Scanning: Starting
>> /usr/local/bin/clamscan: unrecognized option `--unzip'
>> ERROR: Unknown option passed.
>> ERROR: Can't parse the command line
>> ----->
>>
>> I didn't see a similar "unzipcmd" or "zipcmd" section so I was wary to make any changes.
>>
>> Adam Gross | agross@gcpsite.com | 859-630-8722
>>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Yashodhan Barve
>> Sent: Thursday, September 04, 2008 8:29 AM
>> To: MailScanner discussion
>> Subject: Re: need help..ClamAV 0.94 and MailScanner 4.69.9
>>
>> Hoger Nöfer wrote:
>>
>>> Yashodhan Barve wrote:
>>>
>>> Hi,
>>>
>>> have a look at /opt/MailScanner/lib/MailScanner/SweepViruses.pm, I
>>> comment out the
>>> following lines:
>>> if ($rarcmd && -x $rarcmd) {
>>> $Scanners{clamav}->{CommonOptions} .= " --unrar=$rarcmd";
>>> MailScanner::Log::InfoLog("ClamAV scanner using unrar command %s",
>>> $rarcmd);
>>> }
>>>
>>>
>>> Best regards,
>>> Holger
>>>
>> Thanks Holger. That worked.
>>
>> Martin, I had tried to use clamd in 0.92 days but the daemon kept dying
>> and even monit could not restart it. So switched to clamscan, slower but
>> always works.
>>
>> regards
>> yashodhan.
>>
>
> Hi,
>
> have a look at /opt/MailScanner/lib/clamav-wrapper, too.
> There are many ExtraScanOptions which are unknown in
> the latest clamav version.
>

Attached is a new clamav-wrapper, to go inside /opt/MailScanner/lib or
/usr/lib/MailScanner, depending on your setup. It's in the same
directory as all the other *wrapper and *autoupdate scripts.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info

-------------- next part --------------
A non-text attachment was scrubbed...
Name: clamav-wrapper.zip
Type: application/x-zip-compressed
Size: 2510 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080905/2656f6ac/clamav-wrapper.bin

From MailScanner at ecs.soton.ac.uk Fri Sep 5 09:49:42 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Sep 5 09:50:01 2008
Subject: MailScanner ANNOUNCE: 4.71 stable released
In-Reply-To:
References: <48BBEFC8.2060500@ecs.soton.ac.uk> <48BFA652.5020508@ecs.soton.ac.uk>
Message-ID: <48C0F2A6.8060401@ecs.soton.ac.uk>

Kevin Miller wrote:
> Julian Field wrote:
>
>>> Julian Field wrote:
>>>
>> I have provided support for 7.01. Install it with the
>> "--command-line-only" switch on the installer command-line in order to
>> just get the bits you want and not any of the whole irrelevant
>> management environment.
>>
>
> I just installed f-secure 7.01 in command line mode (upgrade from 4.65)
> and checked my crontab. The previous installs would ask whether or not
> to modify crontab - this one doesn't. It just inserts the following in
> root's crontab:
>
> # Start of FSSP automatically added scheduled tasks. Do not edit.
> */1 * * * * /opt/f-secure/fssp/bin/dbupdate --auto >/dev/null 2>&1
> # End of FSSP automatically added scheduled tasks. Do not edit.
>
> I presume that MailScanner has an f-secure update wrapper so I'm remming
> it out. Please correct me if I'm wrong on that Julian.
>

You are quite correct. You don't want to do a dbupdate every minute!

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info

From MailScanner at ecs.soton.ac.uk Fri Sep 5 09:50:41 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Sep 5 09:51:01 2008
Subject: Archive too deep
In-Reply-To:
References:
Message-ID: <48C0F2E1.9060108@ecs.soton.ac.uk>

Juan Jose Lopez Gonzalez wrote:
> Hi all:
>
> We are experiencing some problems with attachment, some times
> MailScanner replace the e-mail with a {Dangerous Content}
>
> At the content filters said:
> MailScanner: archivetoodeep
>

You need to run upgrade_languages_conf as well, to replace that
"archivetoodeep" tag with the correct text for the user to read.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info

From topper at libero.it Fri Sep 5 11:33:59 2008
From: topper at libero.it (topper@libero.it)
Date: Fri Sep 5 11:34:08 2008
Subject: MailScanner delivering mail with virus?
Message-ID:

---------- Initial Header -----------

>From : mailscanner-bounces@lists.mailscanner.info
To : "MailScanner discussion" mailscanner@lists.mailscanner.info
Cc :
Date : Thu, 04 Sep 2008 17:35:34 +0200
Subject : MailScanner delivering mail with virus?

Hello, same trouble here:

Sep 5 12:31:36 dns1 MailScanner[13266]: /var/spool/MailScanner/incoming/13266/./065764C1E2.556EC.message: Email.Phishing.Cur.Gen799.Sanesecurity.08021403 FOUND
Sep 5 12:31:36 dns1 MailScanner[13266]: Virus Scanning: ClamAV found 1 infections
Sep 5 12:31:36 dns1 MailScanner[13266]: Infected message 065764C1E2.556EC.message came from
Sep 5 12:31:36 dns1 MailScanner[13266]: Virus Scanning: Found 1 viruses
Sep 5 12:31:37 dns1 MailScanner[13266]: Requeue: 3C3A7B68002.E41D3 to A9A6C4C010
Sep 5 12:31:37 dns1 MailScanner[13266]: Requeue: B4982B68004.80A12 to 1B48B4C193
Sep 5 12:31:37 dns1 MailScanner[13266]: Requeue: 065764C1E2.556EC to 259CB4C1B1
Sep 5 12:31:37 dns1 MailScanner[13266]: Requeue: C6D414C111.21050 to CB5A94C1E2
Sep 5 12:31:37 dns1 MailScanner[13266]: Uninfected: Delivered 4 messages

MailScanner 4.70.7 on Debian Etch.

> Using:
> MailScanner 4.71.10
> F-Prot-6 (not the daemon)
>
> For some reason, MailScanner has passed some emails that were
> virusinfected according to F-Prot.
> See this excerpt from the log:

From MailScanner at ecs.soton.ac.uk Fri Sep 5 11:54:53 2008
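A log check for the pattern in the excerpt above, as an added example that is not part of the original post or of MailScanner: it flags any message ID that a MailScanner child reports as infected and then requeues in the same batch before logging "Uninfected: Delivered". Reading that sequence as delivery of an infected message is an assumption drawn from this excerpt; the second batch is constructed as a control.

```python
import re
from collections import defaultdict

# Log lines copied from the post above (MailScanner 4.70.7 with ClamAV).
PAGE_LOG = """\
Sep 5 12:31:36 dns1 MailScanner[13266]: /var/spool/MailScanner/incoming/13266/./065764C1E2.556EC.message: Email.Phishing.Cur.Gen799.Sanesecurity.08021403 FOUND
Sep 5 12:31:36 dns1 MailScanner[13266]: Virus Scanning: ClamAV found 1 infections
Sep 5 12:31:36 dns1 MailScanner[13266]: Infected message 065764C1E2.556EC.message came from
Sep 5 12:31:36 dns1 MailScanner[13266]: Virus Scanning: Found 1 viruses
Sep 5 12:31:37 dns1 MailScanner[13266]: Requeue: 3C3A7B68002.E41D3 to A9A6C4C010
Sep 5 12:31:37 dns1 MailScanner[13266]: Requeue: B4982B68004.80A12 to 1B48B4C193
Sep 5 12:31:37 dns1 MailScanner[13266]: Requeue: 065764C1E2.556EC to 259CB4C1B1
Sep 5 12:31:37 dns1 MailScanner[13266]: Requeue: C6D414C111.21050 to CB5A94C1E2
Sep 5 12:31:37 dns1 MailScanner[13266]: Uninfected: Delivered 4 messages
"""

# Constructed control batch (not from the page): the infected message is
# not requeued, so nothing should be reported for it.
CONTROL_LOG = """\
Sep 5 12:40:01 dns1 MailScanner[13270]: Infected message AAAA000001.00001 came from 192.0.2.10
Sep 5 12:40:02 dns1 MailScanner[13270]: Requeue: BBBB000002.00002 to CCCC000003
Sep 5 12:40:02 dns1 MailScanner[13270]: Uninfected: Delivered 1 messages
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]+)\s+(\S+)\s+MailScanner\[(\d+)\]:\s+(.*)$")
FOUND_RE = re.compile(r"/([^/\s]+?)(?:\.message)?: (\S+) FOUND$")
INFECTED_RE = re.compile(r"^Infected message (\S+) came from")
REQUEUE_RE = re.compile(r"^Requeue: (\S+) to (\S+)$")
DELIVERED_RE = re.compile(r"^Uninfected: Delivered \d+ messages")


def _message_id(token):
    """Scanner output names the file '<id>.message'; Requeue lines use '<id>'."""
    suffix = ".message"
    return token[:-len(suffix)] if token.endswith(suffix) else token


def find_delivered_infected(log_text):
    """Return one record per infected message requeued as part of a clean delivery."""
    infected = defaultdict(dict)  # pid -> {message id: signature or None}
    pending = defaultdict(list)   # pid -> [(message id, new queue id)]
    findings = []
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue
        stamp, host, pid, msg = line.groups()
        found = FOUND_RE.search(msg)
        if found:
            infected[pid][found.group(1)] = found.group(2)
            continue
        flagged = INFECTED_RE.match(msg)
        if flagged:
            infected[pid].setdefault(_message_id(flagged.group(1)), None)
            continue
        requeue = REQUEUE_RE.match(msg)
        if requeue:
            pending[pid].append((requeue.group(1), requeue.group(2)))
            continue
        if DELIVERED_RE.match(msg):
            for msg_id, new_id in pending[pid]:
                if msg_id in infected[pid]:
                    findings.append({
                        "time": stamp, "host": host, "pid": pid,
                        "message_id": msg_id, "requeued_as": new_id,
                        "signature": infected[pid][msg_id],
                    })
            # The batch is finished; do not carry state into the next one.
            pending[pid].clear()
            infected[pid].clear()
    return findings


if __name__ == "__main__":
    for hit in find_delivered_infected(PAGE_LOG + CONTROL_LOG):
        print("{time} {host}[{pid}]: {message_id} ({signature}) requeued as {requeued_as}".format(**hit))
```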
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Sep 5 11:55:13 2008
Subject: MailScanner delivering mail with virus?
In-Reply-To:
References:
Message-ID: <48C10FFD.8030407@ecs.soton.ac.uk>

Please can you send me an example file out of your queue or quarantine
(as a raw queue file please, if possible).

topper@libero.it wrote:
> ---------- Initial Header -----------
>
> >From : mailscanner-bounces@lists.mailscanner.info
> To : "MailScanner discussion" mailscanner@lists.mailscanner.info
> Cc :
> Date : Thu, 04 Sep 2008 17:35:34 +0200
> Subject : MailScanner delivering mail with virus?
>
> Hello, same trouble here:
>
> Sep 5 12:31:36 dns1 MailScanner[13266]: /var/spool/MailScanner/incoming/13266/./065764C1E2.556EC.message: Email.Phishing.Cur.Gen799.Sanesecurity.08021403 FOUND
> Sep 5 12:31:36 dns1 MailScanner[13266]: Virus Scanning: ClamAV found 1 infections
> Sep 5 12:31:36 dns1 MailScanner[13266]: Infected message 065764C1E2.556EC.message came from
> Sep 5 12:31:36 dns1 MailScanner[13266]: Virus Scanning: Found 1 viruses
> Sep 5 12:31:37 dns1 MailScanner[13266]: Requeue: 3C3A7B68002.E41D3 to A9A6C4C010
> Sep 5 12:31:37 dns1 MailScanner[13266]: Requeue: B4982B68004.80A12 to 1B48B4C193
> Sep 5 12:31:37 dns1 MailScanner[13266]: Requeue: 065764C1E2.556EC to 259CB4C1B1
> Sep 5 12:31:37 dns1 MailScanner[13266]: Requeue: C6D414C111.21050 to CB5A94C1E2
> Sep 5 12:31:37 dns1 MailScanner[13266]: Uninfected: Delivered 4 messages
>
> MailScanner 4.70.7 on Debian Etch.
>
>> Using:
>> MailScanner 4.71.10
>> F-Prot-6 (not the daemon)
>>
>> For some reason, MailScanner has passed some emails that were
>> virusinfected according to F-Prot.
>> See this excerpt from the log:
>>
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info

From amoore at dekalbmemorial.com Fri Sep 5 16:19:00 2008
From: amoore at dekalbmemorial.com (Aaron K. Moore)
Date: Fri Sep 5 16:19:13 2008
Subject: Spamassassin mostly stoped working after clamav/spamassasin update installation
In-Reply-To:
References:
Message-ID: <60D398EB2DB948409CA1F50D8AF1225704130721@exch1.dekalbmemorial.local>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Julian Field
> Sent: Friday, September 05, 2008 4:41 AM
> To: MailScanner discussion
> Subject: Re: Spamassassin mostly stoped working after
> clamav/spamassasin update installation
>
> The KAM ruleset, how do you fetch it? If you do it without
> using sa-update, and just wget it or similar, then you want
> to put it into /etc/mail/spamassassin.

As far as I know it does not have an sa-update channel. I wrote a
script to download it.

http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf

--
Aaron Kent Moore
Information Technology Services
DeKalb Memorial Hospital, Inc.
Auburn, Indiana
Phone: 260.920.2808
E-Mail: amoore@dekalbmemorial.com

From yashodhan.barve at gmail.com Fri Sep 5 16:27:53 2008
From: yashodhan.barve at gmail.com (Yashodhan Barve)
Date: Fri Sep 5 16:28:05 2008
Subject: need help..ClamAV 0.94 and MailScanner 4.69.9
In-Reply-To: <48C0F264.4040407@ecs.soton.ac.uk>
References: <4899AC93.10501@trayerproducts.com> <4899B259.9010204@gmail.com> <4899C0F7.6070603@ecs.soton.ac.uk> <489AF542.3090608@ecs.soton.ac.uk> <48BF1F03.9040501@gmail.com><48BF7F8F.6000606@noefer.org> <48BFD473.6030001@gmail.com> <826D5FDFCF76F6499D59755D401D6A86012880@gcpads01.gcpsite.local> <48C0F264.4040407@ecs.soton.ac.uk>
Message-ID: <48C14FF9.4080408@gmail.com>

Julian Field wrote:
>
> snipped..
>
> Attached is a new clamav-wrapper, to go inside /opt/MailScanner/lib or
> /usr/lib/MailScanner, depending on your setup. It's in the same
> directory as all the other *wrapper and *autoupdate scripts.
>
>
> Jules
>

Thanks.

yashodhan..

From AHKAPLAN at PARTNERS.ORG Fri Sep 5 16:48:47 2008
From: AHKAPLAN at PARTNERS.ORG (Kaplan, Andrew H.) Date: Fri Sep 5 16:49:00 2008 Subject: Updating MailScanner to Latest Version Along with SA and ClamAV Easy Install Package Message-ID: Hi there - I am ready to update MailScanner to the latest version along with that of the SA and ClamAV Easy Install package. My question is the following: Should I do the Easy Installation Package first, and then do MailScanner or vice versa? Thanks. From alex at rtpty.com Fri Sep 5 16:59:33 2008 
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Fri Sep 5 16:59:50 2008 Subject: Updating MailScanner to Latest Version Along with SA and ClamAV Easy Install Package In-Reply-To: References: Message-ID: <15677694-83E3-44BF-B7F3-5255C953D23B@rtpty.com> I believe this has been asked before, but it would be good for everyone who's new here (and those of us who forget!) which one's first both when upgrading and when installing for the first time - although I suspect/believe/seem to remember that Julian's written it so well that it makes little or no difference. And it should be (if it isn't already) on the wiki! :D On Sep 5, 2008, at 10:48 AM, Kaplan, Andrew H. wrote: > My question is the following: Should I do the Easy Installation > Package first, and then do MailScanner or vice versa? > From richard.siddall at elirion.net Fri Sep 5 17:06:21 2008 
From: richard.siddall at elirion.net (Richard Siddall) Date: Fri Sep 5 17:06:45 2008 Subject: Whitelisting In-Reply-To: <48BEA2BA.7010609@zuka.net> References: <48BEA2BA.7010609@zuka.net> Message-ID: <48C158FD.1030604@elirion.net> Dave Filchak wrote: > Folks ... I have been trying to whitelist a particular newsletter that > we send out on behalf of a client of ours and have had no luck. It > always comes back with the following subject: [Lifeskills_News] {Spam?} > September 2008 Update. Mailman is hosted on my secondary mail server so > the original post is sent to my main mail server and then is aliased > over to my secondary mail server and on to Mailman. My client, > understandably, is getting upset with seeing the {Spam} in the subject. > The message is HTML but is not getting tagged as spam by my main mail > server, but rather, by my secondary. I have the following rules in my > rules file on the secondary: [snip] > Subject: [Lifeskills_News] {Spam?} September 2008 Update [snip] > > An help will be much appreciated. Dave, I didn't see a reply to your e-mail yet. I was going to point out that it looks from the subject line like the e-mail is being marked as spam before it gets to Mailman, but you seem to have already concluded that. My second guess was that the from is: > From: "YWCA Lifeskills: Training, Coaching, > Publications" and you don't have that in your whitelist, but that's not true either. Is your whitelist file referenced in MailScanner.conf? Regards, Richard Siddall From alex at rtpty.com Fri Sep 5 17:16:16 2008 
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Fri Sep 5 17:17:02 2008 Subject: Post on Slashdot Message-ID: I saw this post on Slashdot and wanted to share - see if you have any insights, suggestions, etc. ---- Use the information against the spammers? (Score:4, Interesting) by Seriph (466197) on Friday September 05, @08:49AM (#24886827) I've been doing some digging into this over the last few months and noticed an awful lot of spamvertized sites seem to have their domains registered with such privacy protecting registrars. I've been thinking about how to use the fact that a domain is registered with such a registrar as part of a spam scoring metric and whether anyone else has already done work on this? Just on the mail passing through my systems, I'm seeing a very strong correlation between a mail being spam and it referring to a domain registered with such a registrar, with the domain nameservers being on dynamic IP space, and with the DNS for the spam domain having a very low TTL value set. It's also interesting to track back the nameservers for any domains referred to in the NS records of the spam domain. By doing so I can find fairly large networks of interrelated spam domains and spam websites, the addresses of many of which already appear on the likes of the Spamcop and Spamhaus SBL/XBL lists or appear there shortly afterwards. The point is, is it practical to use this sort of information against spammers and is anyone already doing it? ----- From ms-list at alexb.ch Fri Sep 5 17:20:49 2008 
From: ms-list at alexb.ch (Alex Broens) Date: Fri Sep 5 17:21:08 2008 Subject: Mailscanner Version 4.71.10-1 / ClamAV 0.94 infection reporting. In-Reply-To: <48BFAB6F.5090902@ecs.soton.ac.uk> References: <48BFAB6F.5090902@ecs.soton.ac.uk> Message-ID: <48C15C61.2010600@alexb.ch> On 9/4/2008 11:33 AM, Julian Field wrote: > > > Alex Broens wrote: >> Good day All, >> >> Mailscanner Version 4.71.10-1 / ClamAV 0.94 using ClamD >> >> >> MailScanner --lint: >> >> Virus and Content Scanning: Starting >> ClamAVModule::INFECTED:: Eicar-Test-Signature FOUND :: ./1/ >> ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com >> Virus Scanning: Clamd found 2 infections >> Infected message 1 came from 10.1.1.1 >> Virus Scanning: Found 2 viruses >> Filename Checks: (1 eicar.com) >> >> Doesn't seem right/elegant to me. >> >> It causes Mailwatch 1.x to report: >> >> Clamd: message was infected: Trojan.Fakealert-532 FOUND >> Clamd: Late.Night.rar was infected: Trojan.Fakealert-532 >> >> >> Can anybody reproduce running "MailScanner --lint" >> >> Jules? > The "./1/" line is caused by "ClamAV Full Message Scan = yes". > I believe it is the correct output. > Can anyone contradict me? Jules Did a fresh test setup on fresh Centos 5.2 ClamAV Full Message Scan = no only writes 1 "line". - confirmed. Sep 5 18:12:52 ms1 MailScanner[8640]: ClamAVModule::INFECTED:: Trojan.Fakealert-532 :: ./00AD510082F2.3A2DC/Late.Night.rar ____ ClamAV Full Message Scan = yes writes 2 "lines" Sep 5 17:53:09 ms1 MailScanner[2747]: ClamAVModule::INFECTED:: HTML.Phishing.Bank-1272 :: ./815BD10082B5.02C82/msg-2747-17.html Sep 5 17:53:09 ms1 MailScanner[2747]: ClamAVModule::INFECTED:: HTML.Phishing.Bank-1272 FOUND :: ./815BD10082B5.02C82/ ___ I don't understand why this is necessary and would like to request consistency so that "ClamAV Full Message Scan = yes" logs like "ClamAV Full Message Scan = no" thanks Alex From dominian at slackadelic.com Fri Sep 5 17:21:55 2008 
From: dominian at slackadelic.com (Matt Hayes) Date: Fri Sep 5 17:22:11 2008 Subject: Post on Slashdot In-Reply-To: References: Message-ID: <48C15CA3.7070103@slackadelic.com> Alex Neuman van der Hans wrote: > I saw this post on Slashdot and wanted to share - see if you have any > insights, suggestions, etc. > > ---- > Use the information against the spammers? (Score:4, Interesting) > by Seriph (466197) on Friday September 05, @08:49AM (#24886827) > > I've been doing some digging into this over the last few months and > noticed an awful lot of spamvertized sites seem to have their domains > registered with such privacy protecting registrars. > > I've been thinking about how to use the fact that a domain is registered > with such a registrar as part of a spam scoring metric and whether > anyone else has already done work on this? Just on the mail passing > through my systems, I'm seeing a very strong correlation between a mail > being spam and it referring to a domain registered with such a > registrar, with the domain nameservers being on dynamic IP space, and > with the DNS for the spam domain having a very low TTL value set. > > It's also interesting to track back the nameservers for any domains > referred to in the NS records of the spam domain. By doing so I can find > fairly large networks of interrelated spam domains and spam websites, > the addresses of many of which already appear on the likes of the > Spamcop and Spamhaus SBL/XBL lists or appear there shortly afterwards. > > The point is, is it practical to use this sort of information against > spammers and is anyone already doing it? > ----- > > To me, private registration is a fine thing. I do it with my domains. If people start scoring spam because of a private registration, I would say a lot of false positives are going to happen. The private registration just means that the contact info posted is a "proxy" to the real person. 
All in all, you can still get a hold of the right people, just takes a little bit longer. -Matt From martinh at solidstatelogic.com Fri Sep 5 17:30:50 2008 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Fri Sep 5 17:31:03 2008 Subject: Post on Slashdot In-Reply-To: <48C15CA3.7070103@slackadelic.com> Message-ID: Second what Matt says. We've had info from my wife's domain info used in two fraudulent attempts to get loans. The information was very specific to a couple of unusual things that were in the domain registration. Given the low use of the domain and the amount of hassle these two attempts gave us we've dropped the domain completely. (oh yeah and complete disinterest from the Police as well didn't help). -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Matt Hayes > Sent: 05 September 2008 17:22 > To: MailScanner discussion > Subject: Re: Post on Slashdot > > Alex Neuman van der Hans wrote: > > I saw this post on Slashdot and wanted to share - see if > you have any > > insights, suggestions, etc. > > > > ---- > > Use the information against the spammers? (Score:4, Interesting) by > > Seriph (466197) on Friday September 05, @08:49AM (#24886827) > > > > I've been doing some digging into this over the last few months and > > noticed an awful lot of spamvertized sites seem to have > their domains > > registered with such privacy protecting registrars. > > > > I've been thinking about how to use the fact that a domain is > > registered with such a registrar as part of a spam scoring > metric and > > whether anyone else has already done work on this? Just on the mail > > passing through my systems, I'm seeing a very strong correlation > > between a mail being spam and it referring to a domain > registered with > > such a registrar, with the domain nameservers being on dynamic IP > > space, and with the DNS for the spam domain having a very > low TTL value set. > > > > It's also interesting to track back the nameservers for any domains > > referred to in the NS records of the spam domain. By doing so I can > > find fairly large networks of interrelated spam domains and spam > > websites, the addresses of many of which already appear on > the likes > > of the Spamcop and Spamhaus SBL/XBL lists or appear there > shortly afterwards. > > > > The point is, is it practical to use this sort of > information against > > spammers and is anyone already doing it? > > ----- > > > > > > > To me, private registration is a fine thing. I do it with my domains. > If people start scoring spam because of a private > registration, I would say a lot of false positives are going > to happen. 
The private registration just means that the > contact info posted is a "proxy" to the real person. All in > all, you can still get a hold of the right people, just takes > a little bit longer. > > -Matt From alex at rtpty.com Fri Sep 5 18:12:42 2008 
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Fri Sep 5 18:13:00 2008 Subject: Post on Slashdot In-Reply-To: <48C15CA3.7070103@slackadelic.com> References: <48C15CA3.7070103@slackadelic.com> Message-ID: <8ADE7744-27F9-47F1-8D48-2610384CD805@rtpty.com> Point taken. But what about scoring on a combination of these factors? Sent from my iPhone On Sep 5, 2008, at 11:21 AM, Matt Hayes wrote: > Alex Neuman van der Hans wrote: >> I saw this post on Slashdot and wanted to share - see if you have any >> insights, suggestions, etc. >> >> ---- >> Use the information against the spammers? (Score:4, Interesting) >> by Seriph (466197) on Friday September 05, @08:49AM (#24886827) >> >> I've been doing some digging into this over the last few months and >> noticed an awful lot of spamvertized sites seem to have their domains >> registered with such privacy protecting registrars. >> >> I've been thinking about how to use the fact that a domain is >> registered >> with such a registrar as part of a spam scoring metric and whether >> anyone else has already done work on this? Just on the mail passing >> through my systems, I'm seeing a very strong correlation between a >> mail >> being spam and it referring to a domain registered with such a >> registrar, with the domain nameservers being on dynamic IP space, and >> with the DNS for the spam domain having a very low TTL value set. >> >> It's also interesting to track back the nameservers for any domains >> referred to in the NS records of the spam domain. By doing so I can >> find >> fairly large networks of interrelated spam domains and spam websites, >> the addresses of many of which already appear on the likes of the >> Spamcop and Spamhaus SBL/XBL lists or appear there shortly >> afterwards. >> >> The point is, is it practical to use this sort of information against >> spammers and is anyone already doing it? >> ----- >> >> > > > To me, private registration is a fine thing. I do it with my domains. 
> If people start scoring spam because of a private registration, I > would > say a lot of false positives are going to happen. The private > registration just means that the contact info posted is a "proxy" to > the > real person. All in all, you can still get a hold of the right > people, > just takes a little bit longer. > > -Matt From mkettler at evi-inc.com Fri Sep 5 18:12:11 2008 
From: mkettler at evi-inc.com (Matt Kettler) Date: Fri Sep 5 18:15:21 2008 Subject: Post on Slashdot In-Reply-To: <48C15CA3.7070103@slackadelic.com> References: <48C15CA3.7070103@slackadelic.com> Message-ID: <48C1686B.7080208@evi-inc.com> Matt Hayes wrote: > Alex Neuman van der Hans wrote: >> I saw this post on Slashdot and wanted to share - see if you have any >> insights, suggestions, etc. >> >> ---- >> Use the information against the spammers? (Score:4, Interesting) >> by Seriph (466197) on Friday September 05, @08:49AM (#24886827) >> >> I've been doing some digging into this over the last few months and >> noticed an awful lot of spamvertized sites seem to have their domains >> registered with such privacy protecting registrars. >> >> I've been thinking about how to use the fact that a domain is registered >> with such a registrar as part of a spam scoring metric and whether >> anyone else has already done work on this? Just on the mail passing >> through my systems, I'm seeing a very strong correlation between a mail >> being spam and it referring to a domain registered with such a >> registrar, with the domain nameservers being on dynamic IP space, and >> with the DNS for the spam domain having a very low TTL value set. >> >> It's also interesting to track back the nameservers for any domains >> referred to in the NS records of the spam domain. By doing so I can find >> fairly large networks of interrelated spam domains and spam websites, >> the addresses of many of which already appear on the likes of the >> Spamcop and Spamhaus SBL/XBL lists or appear there shortly afterwards. >> >> The point is, is it practical to use this sort of information against >> spammers and is anyone already doing it? >> ----- >> >> > > > To me, private registration is a fine thing. I do it with my domains. > If people start scoring spam because of a private registration, I would > say a lot of false positives are going to happen. 
The private > registration just means that the contact info posted is a "proxy" to the > real person. All in all, you can still get a hold of the right people, > just takes a little bit longer. > True, but as I read it that's not the point here. The point is not that "private registration = spam". It's "private registration + dynamic IP + low DNS TTLs = spam", and they're also talking about URIs in the message, not the sending domain. Quite frankly, you can probably just drop the private registration part. An email with a URI pointing to a domain with low DNS TTLs is very likely to be spam, no matter how the domain is registered. Quite frankly, I suspect uribl.com already uses the described metric for preemptively blacklisting domains (yes, they *do* have automated systems that troll around for candidate domains that have not yet spammed, although they are reluctant to describe what metrics they use.), so if you've got URIBL_BLACK (a default rule) you're probably already using this technique without realizing it. From alex at rtpty.com Fri Sep 5 18:27:08 2008 From: alex at rtpty.com (Alex Neuman van der Hans) Date: Fri Sep 5 18:27:24 2008 Subject: Post on Slashdot In-Reply-To: <48C1686B.7080208@evi-inc.com> References: <48C15CA3.7070103@slackadelic.com> <48C1686B.7080208@evi-inc.com> Message-ID: <0D2A6003-4062-4BB7-A4AC-10575C6D2009@rtpty.com> But is there a way to implement this beyond URI_BLACK? On Sep 5, 2008, at 12:12 PM, Matt Kettler wrote: > Quite frankly, you can probably just drop the private registration > part. An email with a URI pointing to a domain with low DNS TTLs is > very likely to be spam, no matter how the domain is registered. From Kevin_Miller at ci.juneau.ak.us Fri Sep 5 18:38:11 2008 
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Fri Sep 5 18:38:23 2008 Subject: Spamassassin mostly stoped working after clamav/spamassasin update installation In-Reply-To: <48C0F0AE.2050609@ecs.soton.ac.uk> References: <48C0F0AE.2050609@ecs.soton.ac.uk> Message-ID: Julian Field wrote: > The KAM ruleset, how do you fetch it? If you do it without using > sa-update, and just wget it or similar, then you want to put it into > /etc/mail/spamassassin. The KAM ruleset does live in /etc/mail/spamassassin. It's updated by /etc/cron.daily/KAM.cf.sh per your post from a year or so ago and is working fine. Sorry if that was confusing. It was the spamassassin rules that were missing. I poked and prodded around quite a bit, and finally just ran sa-update on its own. That complained about an invalid or missing gpg key, but had a couple lines on how to import the key for spamassassin. Don't know how it got borked. I imported the keys and then reran sa-update. After I did that, the latest spamassassin files came over OK. I suspect that may have been the problem all along, but since I was initially running /etc/cron.daily/update_spamassassin I never saw the output (even w/the -D option in /etc/sysconfig/MailScanner). I noticed in my poking & prodding that update_spamassassin was enabled in /etc/cron.daily and I also was running sa-update in root's crontab. It's been so long I can't recall why that was, but in looking through the archive I noted in the release notes of a 4.6X release of MailScanner that it fixed the call to sa-update. So I guess I can remove the sa-update crontab entry, and update_spamassassin will take care of both the SARE rules as well as the spamassassin rules, yes? (SARE rules channel is defined in /etc/sysconfig/MailScanner, btw.) Thanks... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 
155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907) 586-4500 From mkettler at evi-inc.com Fri Sep 5 19:17:18 2008 From: mkettler at evi-inc.com (Matt Kettler) Date: Fri Sep 5 19:19:01 2008 Subject: Post on Slashdot In-Reply-To: <0D2A6003-4062-4BB7-A4AC-10575C6D2009@rtpty.com> References: <48C15CA3.7070103@slackadelic.com> <48C1686B.7080208@evi-inc.com> <0D2A6003-4062-4BB7-A4AC-10575C6D2009@rtpty.com> Message-ID: <48C177AE.6040804@evi-inc.com> Alex Neuman van der Hans wrote: > But is there a way to implement this beyond URI_BLACK? > > On Sep 5, 2008, at 12:12 PM, Matt Kettler wrote: > >> Quite frankly, you can probably just drop the private registration >> part. An email with a URI pointing to a domain with low DNS TTLs is >> very likely to be spam, no matter how the domain is registered. > Not practically. Doing high-volume realtime whois queries is a good way to get your server blacklisted by the registrars who operate the whois servers. From alex at rtpty.com Fri Sep 5 19:38:37 2008 
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Fri Sep 5 19:38:57 2008 Subject: Post on Slashdot In-Reply-To: <48C177AE.6040804@evi-inc.com> References: <48C15CA3.7070103@slackadelic.com> <48C1686B.7080208@evi-inc.com> <0D2A6003-4062-4BB7-A4AC-10575C6D2009@rtpty.com> <48C177AE.6040804@evi-inc.com> Message-ID: Good point. Sent from my iPhone On Sep 5, 2008, at 1:17 PM, Matt Kettler wrote: > Alex Neuman van der Hans wrote: >> But is there a way to implement this beyond URI_BLACK? >> On Sep 5, 2008, at 12:12 PM, Matt Kettler wrote: >>> Quite frankly, you can probably just drop the private registration >>> part. An email with a URI pointing to a domain with low DNS TTLs >>> is very likely to be spam, no matter how the domain is registered. > > Not practically. Doing high-volume realtime whois queries is a good > way to get your server blacklisted by the registrars who operate the > whois servers. From MailScanner at ecs.soton.ac.uk Fri Sep 5 20:48:44 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Sep 5 20:49:06 2008 Subject: Updating MailScanner to Latest Version Along with SA and ClamAV Easy Install Package In-Reply-To: References: Message-ID: <48C18D1C.3030709@ecs.soton.ac.uk> I would update MailScanner first, then the SA+ClamAV package. I would also personally install in that order too. Kaplan, Andrew H. wrote: > > Hi there - > > I am ready to update MailScanner to the latest version along with that > of the SA and ClamAV Easy Install package. > > My question is the following: Should I do the Easy Installation > Package first, and then do MailScanner or vice versa? > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc From MailScanner at ecs.soton.ac.uk Fri Sep 5 20:51:40 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Sep 5 20:51:58 2008 Subject: Mailscanner Version 4.71.10-1 / ClamAV 0.94 infection reporting. In-Reply-To: References: <48BFAB6F.5090902@ecs.soton.ac.uk> Message-ID: <48C18DCC.5020806@ecs.soton.ac.uk> Alex Broens wrote: > On 9/4/2008 11:33 AM, Julian Field wrote: >> >> >> Alex Broens wrote: >>> Good day All, >>> >>> Mailscanner Version 4.71.10-1 / ClamAV 0.94 using ClamD >>> >>> >>> MailScanner --lint: >>> >>> Virus and Content Scanning: Starting >>> ClamAVModule::INFECTED:: Eicar-Test-Signature FOUND :: ./1/ >>> ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com >>> Virus Scanning: Clamd found 2 infections >>> Infected message 1 came from 10.1.1.1 >>> Virus Scanning: Found 2 viruses >>> Filename Checks: (1 eicar.com) >>> >>> Doesn't seem right/elegant to me. >>> >>> It causes Mailwatch 1.x to report: >>> >>> Clamd: message was infected: Trojan.Fakealert-532 FOUND >>> Clamd: Late.Night.rar was infected: Trojan.Fakealert-532 >>> >>> >>> Can anybody reproduce running "MailScanner --lint" >>> >>> Jules? >> The "./1/" line is caused by "ClamAV Full Message Scan = yes". >> I believe it is the correct output. >> Can anyone contradict me? > > Jules > > Did a fresh test setup on fresh Centos 5.2 > > ClamAV Full Message Scan = no > > only writes 1 "line". - confirmed. 
> > Sep 5 18:12:52 ms1 MailScanner[8640]: ClamAVModule::INFECTED:: > Trojan.Fakealert-532 :: ./00AD510082F2.3A2DC/Late.Night.rar > > > ____ > ClamAV Full Message Scan = yes > > writes 2 "lines" > > Sep 5 17:53:09 ms1 MailScanner[2747]: ClamAVModule::INFECTED:: > HTML.Phishing.Bank-1272 :: ./815BD10082B5.02C82/msg-2747-17.html > Sep 5 17:53:09 ms1 MailScanner[2747]: ClamAVModule::INFECTED:: > HTML.Phishing.Bank-1272 FOUND :: ./815BD10082B5.02C82/ > ___ > > I don't understand why this is necessary and would like to request > consistency so that "ClamAV Full Message Scan = yes" logs like > "ClamAV Full Message Scan = no" So you want me to *not* log the fact that the Full Message Scan found a virus? Seems a bit strange to me... Do other people agree with me or Alex? Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From Kevin_Miller at ci.juneau.ak.us Fri Sep 5 21:06:03 2008 
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Fri Sep 5 21:06:16 2008 Subject: Mailscanner Version 4.71.10-1 / ClamAV 0.94 infection reporting. In-Reply-To: <48C18DCC.5020806@ecs.soton.ac.uk> References: <48BFAB6F.5090902@ecs.soton.ac.uk> <48C18DCC.5020806@ecs.soton.ac.uk> Message-ID: Julian Field wrote: > Alex Broens wrote: >> ClamAV Full Message Scan = yes >> >> writes 2 "lines" >> >> Sep 5 17:53:09 ms1 MailScanner[2747]: ClamAVModule::INFECTED:: >> HTML.Phishing.Bank-1272 :: ./815BD10082B5.02C82/msg-2747-17.html >> Sep 5 17:53:09 ms1 MailScanner[2747]: ClamAVModule::INFECTED:: >> HTML.Phishing.Bank-1272 FOUND :: ./815BD10082B5.02C82/ ___ >> >> I don't understand why this is necessary and would like to request >> consistency so that "ClamAV Full Message Scan = yes" logs like >> "ClamAV Full Message Scan = no" > So you want me to *not* log the fact that the Full Message Scan found > a virus? Seems a bit strange to me... > Do other people agree with me or Alex? I think what he wants is that "... = yes" output a single line, not a duplicate. It should be logged, but not twice, one right after the other... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907) 586-4500 From spamlists at coders.co.uk Fri Sep 5 21:18:39 2008 
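As an added example (not part of any message in this thread and not MailScanner code), a log consumer can collapse the paired entries that "ClamAV Full Message Scan = yes" produces. It batches the lines per message, so it works whichever of the two entries is logged first; the function names and the last sample entry are constructed here.

```python
import re

# Matches the ClamAVModule::INFECTED entries quoted in this thread.
# A whole-message hit carries " FOUND" and a path that ends at the
# message directory ("./<id>/"); an attachment hit names a file in it.
ENTRY_RE = re.compile(
    r"ClamAVModule::INFECTED::\s+(?P<sig>\S+)(?:\s+FOUND)?\s+::\s+"
    r"\./(?P<msgid>[^/\s]+)/(?P<file>.*)$"
)

# Entries copied from the thread, except the last one, which is
# constructed to show a whole-message hit with no attachment hit.
SAMPLE_LOG = """\
Sep 5 18:12:52 ms1 MailScanner[8640]: ClamAVModule::INFECTED:: Trojan.Fakealert-532 :: ./00AD510082F2.3A2DC/Late.Night.rar
Sep 5 17:53:09 ms1 MailScanner[2747]: ClamAVModule::INFECTED:: HTML.Phishing.Bank-1272 :: ./815BD10082B5.02C82/msg-2747-17.html
Sep 5 17:53:09 ms1 MailScanner[2747]: ClamAVModule::INFECTED:: HTML.Phishing.Bank-1272 FOUND :: ./815BD10082B5.02C82/
Virus Scanning: Clamd found 2 infections
ClamAVModule::INFECTED:: Eicar-Test-Signature FOUND :: ./1/
ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Sep 5 19:00:00 ms1 MailScanner[9999]: ClamAVModule::INFECTED:: Constructed.Sample-1 FOUND :: ./CONSTRUCTED0001.00000/
"""


def parse_line(line):
    """Return (msgid, signature, filename-or-None), or None for other lines."""
    m = ENTRY_RE.search(line.rstrip())
    if m is None:
        return None
    fname = m.group("file").strip() or None  # None means whole-message hit
    return m.group("msgid"), m.group("sig"), fname


def collapse(lines):
    """One finding per (message, signature, file).

    A whole-message hit is dropped only when an attachment hit with the
    same signature exists for the same message, so a detection that was
    made solely by the full message scan is never lost.
    """
    groups = {}  # (msgid, sig) -> {"files": [...], "whole": bool}
    for line in lines:
        hit = parse_line(line)
        if hit is None:
            continue
        msgid, sig, fname = hit
        group = groups.setdefault((msgid, sig), {"files": [], "whole": False})
        if fname is None:
            group["whole"] = True
        elif fname not in group["files"]:
            group["files"].append(fname)

    findings = []
    for (msgid, sig), group in groups.items():
        if group["files"]:
            findings.extend((msgid, sig, f) for f in group["files"])
        else:
            findings.append((msgid, sig, None))
    return findings


if __name__ == "__main__":
    for msgid, sig, fname in collapse(SAMPLE_LOG.splitlines()):
        print(f"{msgid}: {sig} in {fname or '(whole message)'}")
```

Because the key includes the signature, a full-message hit that names a different signature from the attachment hit is kept as its own finding.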
From: spamlists at coders.co.uk (Matt Hampton) Date: Fri Sep 5 21:19:45 2008 Subject: Using Spamd rather than the SpamAssassin Library Message-ID: <48C1941F.40703@coders.co.uk>

All

Don't know if anyone is interested but I have a (heavily) modified SA.pm which allows MailScanner to use spamd rather than the Mail::SpamAssassin library (similar to how Rick(?) implemented the clamd vs ClamAVModule). I have checked with Jules and he is happy with me sharing it.

$Id: SA.pm 4522 2008-08-20 15:19:23Z sysjkf $

Instructions:

THINK CAREFULLY! Once this patch is in place MailScanner relies solely on spamd - you cannot choose between the two. This is beta code and it uses a file from the SVN repository of SpamAssassin which hasn't been published yet!

Download http://www.coders.co.uk/SA.pm

Take a backup of the files
  SA.pm
  ConfigDefs.pl
in the MailScanner installation (on mine /usr/lib/MailScanner/MailScanner)

Copy the downloaded file over the top of the existing file

Add the following three lines to the bottom of ConfigDefs.pl
  spamdserv
  spamdport
  spamduser
(where is the default user for spamd)

The defaults for spamdserv/spamdport are "localhost" and port 783

YOU MUST REPLACE with a valid user!

Locate your Mail::SpamAssassin::Client.pm

Overwrite this with http://svn.apache.org/viewvc/spamassassin/trunk/lib/Mail/SpamAssassin/Client.pm?revision=597826

This is a drop in replacement and does not change the functionality - it exposes some extra bits and pieces.

Why would you want to do this?

  Memory - Small overhead as the SpamAssassin rules are loaded into shared memory
  Faster - in theory it should be faster - haven't noticed a difference

The biggy.....: If you were to put in your MailScanner.conf file

  Spamd User = &SomeFunction

You can now control the user that talks to the spamd. This gives you:

  Individual bayes
  Individual awl
  Individual scores

Need I say more..... enjoy and feed back please.
If enough people like it (especially Jules!), I believe that retaining the ability to choose between the two is possible. matt From ms-list at alexb.ch Fri Sep 5 21:37:15 2008 
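To show what a per-user spamd call like the one described above looks like on the wire, here is an added example (not the SA.pm from the post and not SpamAssassin's Client.pm) that builds a spamd CHECK request with a User header and parses the reply. The function names and the sample reply are constructed; the user-name check is an assumption added because a value derived per message must not be able to inject extra protocol headers.

```python
import re
import socket

# Conservative allow-list for the spamd "User:" header value (an assumption
# of this example, not a rule taken from spamd itself).
USER_RE = re.compile(r"[A-Za-z0-9._@+-]{1,64}")

# Constructed sample of a spamd reply to CHECK.
SAMPLE_RESPONSE = b"SPAMD/1.1 0 EX_OK\r\nSpam: True ; 15.3 / 5.0\r\n\r\n"


def build_check_request(message: bytes, user: str) -> bytes:
    """Build a CHECK request that asks spamd to scan as `user`."""
    # fullmatch, not match: "$" would accept a trailing newline, and a
    # CR/LF in the name would let the caller smuggle in another header.
    if not USER_RE.fullmatch(user):
        raise ValueError(f"unsafe spamd user name: {user!r}")
    head = (
        "CHECK SPAMC/1.2\r\n"
        f"User: {user}\r\n"
        f"Content-length: {len(message)}\r\n"
        "\r\n"
    )
    return head.encode("ascii") + message


def parse_response(raw: bytes) -> dict:
    """Parse the status line and the Spam: header of a spamd reply."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    status = re.fullmatch(r"SPAMD/\d+\.\d+ (\d+) (.*)", lines[0])
    if status is None:
        raise ValueError(f"not a spamd response: {lines[0]!r}")
    result = {
        "code": int(status.group(1)),
        "status": status.group(2),
        "is_spam": None,
        "score": None,
        "threshold": None,
    }
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() != "spam":
            continue
        m = re.fullmatch(
            r"\s*(true|false)\s*;\s*(-?\d+(?:\.\d+)?)\s*/\s*(-?\d+(?:\.\d+)?)\s*",
            value,
            re.IGNORECASE,
        )
        if m is None:
            raise ValueError(f"malformed Spam header: {line!r}")
        result["is_spam"] = m.group(1).lower() == "true"
        result["score"] = float(m.group(2))
        result["threshold"] = float(m.group(3))
    return result


def check(message: bytes, user: str, host: str = "localhost", port: int = 783) -> dict:
    """Send one CHECK to a running spamd (defaults as given in the post)."""
    with socket.create_connection((host, port), timeout=30) as sock:
        sock.sendall(build_check_request(message, user))
        sock.shutdown(socket.SHUT_WR)  # tell spamd the request is complete
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_response(b"".join(chunks))


if __name__ == "__main__":
    msg = b"Subject: test\r\n\r\nhello\r\n"
    print(build_check_request(msg, "alice").decode("ascii"))
    print(parse_response(SAMPLE_RESPONSE))
```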
From: ms-list at alexb.ch (Alex Broens) Date: Fri Sep 5 21:37:38 2008 Subject: Mailscanner Version 4.71.10-1 / ClamAV 0.94 infection reporting. In-Reply-To: <48C18DCC.5020806@ecs.soton.ac.uk> References: <48BFAB6F.5090902@ecs.soton.ac.uk> <48C18DCC.5020806@ecs.soton.ac.uk> Message-ID: <48C1987B.40609@alexb.ch> On 9/5/2008 9:51 PM, Julian Field wrote: > > > Alex Broens wrote: >> On 9/4/2008 11:33 AM, Julian Field wrote: >>> >>> >>> Alex Broens wrote: >>>> Good day All, >>>> >>>> Mailscanner Version 4.71.10-1 / ClamAV 0.94 using ClamD >>>> >>>> >>>> MailScanner --lint: >>>> >>>> Virus and Content Scanning: Starting >>>> ClamAVModule::INFECTED:: Eicar-Test-Signature FOUND :: ./1/ >>>> ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com >>>> Virus Scanning: Clamd found 2 infections >>>> Infected message 1 came from 10.1.1.1 >>>> Virus Scanning: Found 2 viruses >>>> Filename Checks: (1 eicar.com) >>>> >>>> Doesn't seem right/elegant to me. >>>> >>>> It causes Mailwatch 1.x to report: >>>> >>>> Clamd: message was infected: Trojan.Fakealert-532 FOUND >>>> Clamd: Late.Night.rar was infected: Trojan.Fakealert-532 >>>> >>>> >>>> Can anybody reproduce running "MailScanner --lint" >>>> >>>> Jules? >>> The "./1/" line is caused by "ClamAV Full Message Scan = yes". >>> I believe it is the correct output. >>> Can anyone contradict me? >> >> Jules >> >> Did a fresh test setup on fresh Centos 5.2 >> >> ClamAV Full Message Scan = no >> >> only writes 1 "line". - confirmed. 
>> >> Sep 5 18:12:52 ms1 MailScanner[8640]: ClamAVModule::INFECTED:: >> Trojan.Fakealert-532 :: ./00AD510082F2.3A2DC/Late.Night.rar >> >> >> ____ >> ClamAV Full Message Scan = yes >> >> writes 2 "lines" >> >> Sep 5 17:53:09 ms1 MailScanner[2747]: ClamAVModule::INFECTED:: >> HTML.Phishing.Bank-1272 :: ./815BD10082B5.02C82/msg-2747-17.html >> Sep 5 17:53:09 ms1 MailScanner[2747]: ClamAVModule::INFECTED:: >> HTML.Phishing.Bank-1272 FOUND :: ./815BD10082B5.02C82/ >> ___ >> >> I don't understand why this is necessary and would like to request >> consistency so that "ClamAV Full Message Scan = yes" logs like >> "ClamAV Full Message Scan = no" > So you want me to *not* log the fact that the Full Message Scan found a > virus? Seems a bit strange to me... nope.. I only want to see what virus it caught, once see above; you're redundant, reporting the same guy twice although its one file, and in this case, not even, it was a phishing msg with no attachment. > Do other people agree with me or Alex? am I the only one looking at logs? :-) Alex From ms-list at alexb.ch Fri Sep 5 21:40:21 2008 From: ms-list at alexb.ch (Alex Broens) Date: Fri Sep 5 21:40:35 2008 Subject: Mailscanner Version 4.71.10-1 / ESETS 3.0.9 Message-ID: <48C19935.10701@alexb.ch> Julian Good news: Esets 3.0.9 has an x64 version available which works the bad news is that its sets the binaries permissions in /usr/sbin in such a way that MS can't run it :-) (chmod does wonders) also, the .cfg file is only readable by root so once you have this figured out, it works, and even logs in Mailwatch. There's still something weird in the log output but I hope to have that figured out and send you a fix or cry for help thx Alex From MailScanner at ecs.soton.ac.uk Fri Sep 5 21:55:14 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Sep 5 21:55:38 2008 Subject: Mailscanner Version 4.71.10-1 / ClamAV 0.94 infection reporting. In-Reply-To: References: <48BFAB6F.5090902@ecs.soton.ac.uk> <48C18DCC.5020806@ecs.soton.ac.uk> Message-ID: <48C19CB2.3080402@ecs.soton.ac.uk> Try the attached SweepViruses.pm. It will only help if the log output contains the attachment log entry first, followed by the message log entry. If it's the other way around, I can't suppress the message log entry on the basis that an attachment log entry may appear afterwards. If you have any better ideas on how to predict what may be logged in the future, I'm all ears :-) Cheers, Jules. Kevin Miller wrote: > Julian Field wrote: > >> Alex Broens wrote: >> >>> ClamAV Full Message Scan = yes >>> >>> writes 2 "lines" >>> >>> Sep 5 17:53:09 ms1 MailScanner[2747]: ClamAVModule::INFECTED:: >>> HTML.Phishing.Bank-1272 :: ./815BD10082B5.02C82/msg-2747-17.html >>> Sep 5 17:53:09 ms1 MailScanner[2747]: ClamAVModule::INFECTED:: >>> HTML.Phishing.Bank-1272 FOUND :: ./815BD10082B5.02C82/ ___ >>> >>> I don't understand why this is necessary and would like to request >>> consistency so that "ClamAV Full Message Scan = yes" logs like >>> "ClamAV Full Message Scan = no" >>> >> So you want me to *not* log the fact that the Full Message Scan found >> a virus? Seems a bit strange to me... >> Do other people agree with me or Alex? >> > > I think what he wants is that "... = yes" output a single line, not a > duplicate. It should be logged, but not twice, one right after the > other... > > ...Kevin > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- A non-text attachment was scrubbed... Name: SweepViruses.pm.zip Type: application/zip Size: 33927 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080905/e8e6f75d/SweepViruses.pm-0001.zip From ms-list at alexb.ch Fri Sep 5 22:10:11 2008 
From: ms-list at alexb.ch (Alex Broens)
Date: Fri Sep 5 22:10:27 2008
Subject: Mailscanner Version 4.71.10-1 / ClamAV 0.94 infection reporting.
In-Reply-To: <48C19CB2.3080402@ecs.soton.ac.uk>
References: <48BFAB6F.5090902@ecs.soton.ac.uk> <48C18DCC.5020806@ecs.soton.ac.uk> <48C19CB2.3080402@ecs.soton.ac.uk>
Message-ID: <48C1A033.8000803@alexb.ch>

On 9/5/2008 10:55 PM, Julian Field wrote:
> Try the attached SweepViruses.pm.
> It will only help if the log output contains the attachment log entry
> first, followed by the message log entry. If it's the other way around,
> I can't suppress the message log entry on the basis that an attachment
> log entry may appear afterwards.
> If you have any better ideas on how to predict what may be logged in the
> future, I'm all ears :-)

__
Sep 5 23:04:16 ms1 MailScanner[25357]: Clamd::INFECTED:: Eicar-Test-Signature :: ./411661008C85.5B8DE/eicar_com.zip
__

maillog / clamd look GOOD
Mailwatch agrees with one line /entry

Now, can you do the magic on esets? :-)

here's what it's doing.
I tried fiddling with the log formatting in esets.cfg but have the feeling it's being ignored.

__
Sep 5 23:04:17 ms1 MailScanner[25357]: name="./411661008C85.5B8DE/eicar_com.zip", threat="Eicar test file", action="", info=""
Sep 5 23:04:17 ms1 MailScanner[25357]: name="./411661008C85.5B8DE/eicar_com.zip ?? ZIP ?? eicar.com", threat="Eicar test file", action="", info=""
__

thanks

Alex

From drew.marshall at technologytiger.net Fri Sep 5 22:10:13 2008
From: drew.marshall at technologytiger.net (Drew Marshall)
Date: Fri Sep 5 22:13:03 2008
Subject: Using Spamd rather than the SpamAssassin Library
In-Reply-To: <48C1941F.40703@coders.co.uk>
References: <48C1941F.40703@coders.co.uk>
Message-ID: <5851C691-2A38-40CC-9134-73427193F4D7@technologytiger.net>

On 5 Sep 2008, at 21:18, Matt Hampton wrote:

> All
>
> Don't know if anyone is interested but I have a (heavily) modified
> SA.pm which allows MailScanner to use spamd rather than the
> Mail::SpamAssassin library (similar to how Rick(?) implemented the
> clamd vs ClamAVModule). I have checked with Jules and he is happy
> with me sharing it.

Well I for one thought I would give it a go but I have bumped into this error:

Can't call method "execute" on an undefined value at /usr/local/lib/MailScanner/MailScanner/SA.pm line 615.

On a FreeBSD 7 system running Postfix (In case permissions need to be considered!)

I don't do perl so I'm not sure where to go with this.

Drew

--
In line with our policy, this message has been scanned for viruses and dangerous content by Technology Tiger's Mail Launder system
Our email policy can be found at www.technologytiger.net/policy

Technology Tiger Limited is registered in Scotland with registration number: 310997
Registered Office 55-57 West High Street Inverurie AB51 3QQ

From MailScanner at ecs.soton.ac.uk Fri Sep 5 22:17:33 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Sep 5 22:17:54 2008 Subject: Mailscanner Version 4.71.10-1 / ClamAV 0.94 infection reporting. In-Reply-To: References: <48BFAB6F.5090902@ecs.soton.ac.uk> <48C18DCC.5020806@ecs.soton.ac.uk> <48C19CB2.3080402@ecs.soton.ac.uk> Message-ID: <48C1A1ED.3010509@ecs.soton.ac.uk> Alex Broens wrote: > On 9/5/2008 10:55 PM, Julian Field wrote: >> Try the attached SweepViruses.pm. >> It will only help if the log output contains the attachment log entry >> first, followed by the message log entry. If it's the other way >> around, I can't suppress the message log entry on the basis that an >> attachment log entry may appear afterwards. >> If you have any better ideas on how to predict what may be logged in >> the future, I'm all ears :-) > > __ > Sep 5 23:04:16 ms1 MailScanner[25357]: Clamd::INFECTED:: > Eicar-Test-Signature :: ./411661008C85.5B8DE/eicar_com.zip > __ > > maillog / clamd look GOOD > Mailwatch agrees with one line /entry > > > Now, can you do the magic on esets? :-) > > here's what its doing. > I tried fiddling with the log formating in esets.cfg but have the > feeling its being ignored. > > __ > Sep 5 23:04:17 ms1 MailScanner[25357]: > name="./411661008C85.5B8DE/eicar_com.zip", threat="Eicar test file", > action="", info="" > Sep 5 23:04:17 ms1 MailScanner[25357]: > name="./411661008C85.5B8DE/eicar_com.zip ?? ZIP ?? eicar.com", > threat="Eicar test file", action="", info="" > __ > Not if it's logging in that order, as I need to log the eicar.com entry, but I can't predict it's going to be there from the eicar_com.zip log entry. That requires crystal balls :-) > thanks > > Alex > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ms-list at alexb.ch Fri Sep 5 22:24:25 2008 From: ms-list at alexb.ch (Alex Broens) Date: Fri Sep 5 22:24:39 2008 Subject: Using Spamd rather than the SpamAssassin Library In-Reply-To: <5851C691-2A38-40CC-9134-73427193F4D7@technologytiger.net> References: <48C1941F.40703@coders.co.uk> <5851C691-2A38-40CC-9134-73427193F4D7@technologytiger.net> Message-ID: <48C1A389.8080604@alexb.ch> On 9/5/2008 11:10 PM, Drew Marshall wrote: > On 5 Sep 2008, at 21:18, Matt Hampton wrote: > >> All >> >> Don't know if anyone is interested but I have a (heavily) modified >> SA.pm which allows MailScanner to use spamd rather than the >> Mail::SpamAssassin library (similiar to how Rick(?) implemented the >> calmd vs ClamAVModule). I have checked with Jules and he is happy >> with me sharing it. > > Well I for one thought I would give it a go but I have bumped into this > error: > > Can't call method "execute" on an undefined value at > /usr/local/lib/MailScanner/MailScanner/SA.pm line 615. > > On a FreeBSD 7 system running Postfix (In case permissions need to be > considered!) > > I don't do perl so I'm not sure where to go with this. > > Drew dunno if you want to give it a try: Steve Freegard's hack ran smoothly Alex From ms-list at alexb.ch Fri Sep 5 22:35:24 2008 
From: ms-list at alexb.ch (Alex Broens) Date: Fri Sep 5 22:35:37 2008 Subject: Mailscanner Version 4.71.10-1 / ClamAV 0.94 infection reporting. In-Reply-To: <48C1A1ED.3010509@ecs.soton.ac.uk> References: <48BFAB6F.5090902@ecs.soton.ac.uk> <48C18DCC.5020806@ecs.soton.ac.uk> <48C19CB2.3080402@ecs.soton.ac.uk> <48C1A1ED.3010509@ecs.soton.ac.uk> Message-ID: <48C1A61C.9060102@alexb.ch> On 9/5/2008 11:17 PM, Julian Field wrote: > > > Alex Broens wrote: >> On 9/5/2008 10:55 PM, Julian Field wrote: >>> Try the attached SweepViruses.pm. >>> It will only help if the log output contains the attachment log entry >>> first, followed by the message log entry. If it's the other way >>> around, I can't suppress the message log entry on the basis that an >>> attachment log entry may appear afterwards. >>> If you have any better ideas on how to predict what may be logged in >>> the future, I'm all ears :-) >> >> __ >> Sep 5 23:04:16 ms1 MailScanner[25357]: Clamd::INFECTED:: >> Eicar-Test-Signature :: ./411661008C85.5B8DE/eicar_com.zip >> __ >> >> maillog / clamd look GOOD >> Mailwatch agrees with one line /entry >> >> >> Now, can you do the magic on esets? :-) >> >> here's what its doing. >> I tried fiddling with the log formating in esets.cfg but have the >> feeling its being ignored. >> >> __ >> Sep 5 23:04:17 ms1 MailScanner[25357]: >> name="./411661008C85.5B8DE/eicar_com.zip", threat="Eicar test file", >> action="", info="" >> Sep 5 23:04:17 ms1 MailScanner[25357]: >> name="./411661008C85.5B8DE/eicar_com.zip ?? ZIP ?? eicar.com", >> threat="Eicar test file", action="", info="" >> __ >> > Not if it's logging in that order, as I need to log the eicar.com entry, > but I can't predict it's going to be there from the eicar_com.zip log > entry. That requires crystal balls :-) lemme see if I get this right Eset logging has log_format_summ = "format" log_format_part = "format" What happens if you only log the "summ" ? would that break anything? 
the chances of having two different infections in one archive are VERY small, or am I still missing something real important? Alex From MailScanner at ecs.soton.ac.uk Fri Sep 5 22:54:26 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Sep 5 22:54:45 2008 Subject: Mailscanner Version 4.71.10-1 / ClamAV 0.94 infection reporting. In-Reply-To: References: <48BFAB6F.5090902@ecs.soton.ac.uk> <48C18DCC.5020806@ecs.soton.ac.uk> <48C19CB2.3080402@ecs.soton.ac.uk> <48C1A1ED.3010509@ecs.soton.ac.uk> Message-ID: <48C1AA92.7090802@ecs.soton.ac.uk> Alex Broens wrote: > On 9/5/2008 11:17 PM, Julian Field wrote: >> >> >> Alex Broens wrote: >>> On 9/5/2008 10:55 PM, Julian Field wrote: >>>> Try the attached SweepViruses.pm. >>>> It will only help if the log output contains the attachment log >>>> entry first, followed by the message log entry. If it's the other >>>> way around, I can't suppress the message log entry on the basis >>>> that an attachment log entry may appear afterwards. >>>> If you have any better ideas on how to predict what may be logged >>>> in the future, I'm all ears :-) >>> >>> __ >>> Sep 5 23:04:16 ms1 MailScanner[25357]: Clamd::INFECTED:: >>> Eicar-Test-Signature :: ./411661008C85.5B8DE/eicar_com.zip >>> __ >>> >>> maillog / clamd look GOOD >>> Mailwatch agrees with one line /entry >>> >>> >>> Now, can you do the magic on esets? :-) >>> >>> here's what its doing. >>> I tried fiddling with the log formating in esets.cfg but have the >>> feeling its being ignored. >>> >>> __ >>> Sep 5 23:04:17 ms1 MailScanner[25357]: >>> name="./411661008C85.5B8DE/eicar_com.zip", threat="Eicar test file", >>> action="", info="" >>> Sep 5 23:04:17 ms1 MailScanner[25357]: >>> name="./411661008C85.5B8DE/eicar_com.zip ?? ZIP ?? eicar.com", >>> threat="Eicar test file", action="", info="" >>> __ >>> >> Not if it's logging in that order, as I need to log the eicar.com >> entry, but I can't predict it's going to be there from the >> eicar_com.zip log entry. That requires crystal balls :-) > > lemme see if I get this right > > Eset logging has > > log_format_summ = "format" > log_format_part = "format" > > What happens if you only log the "summ" ? 
> > would that break anything? Surely it's better to always log the more detailed one, ie log_format_part ? Personally I would much rather log both of them. Who cares about one extra log line? No-one ever reads them anyway, do they? > > the chances of having two different infections in one archive are VERY > small, or am I still missing something real important? > > Alex > > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From Kevin_Miller at ci.juneau.ak.us Fri Sep 5 23:04:11 2008 From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Fri Sep 5 23:04:22 2008 Subject: Mailscanner Version 4.71.10-1 / ClamAV 0.94 infection reporting. In-Reply-To: <48C1AA92.7090802@ecs.soton.ac.uk> References: <48BFAB6F.5090902@ecs.soton.ac.uk> <48C18DCC.5020806@ecs.soton.ac.uk> <48C19CB2.3080402@ecs.soton.ac.uk> <48C1A1ED.3010509@ecs.soton.ac.uk> <48C1AA92.7090802@ecs.soton.ac.uk> Message-ID: Julian Field wrote: > Who cares about one > extra log line? No-one ever reads them anyway, do they? What's a log? ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From spamlists at coders.co.uk Fri Sep 5 23:04:16 2008 
From: spamlists at coders.co.uk (Matt Hampton)
Date: Fri Sep 5 23:06:35 2008
Subject: Using Spamd rather than the SpamAssassin Library
In-Reply-To: <5851C691-2A38-40CC-9134-73427193F4D7@technologytiger.net>
References: <48C1941F.40703@coders.co.uk> <5851C691-2A38-40CC-9134-73427193F4D7@technologytiger.net>
Message-ID: <48C1ACE0.5020708@coders.co.uk>

Drew Marshall wrote:
>
> Well I for one thought I would give it a go but I have bumped into
> this error:
>
> Can't call method "execute" on an undefined value at
> /usr/local/lib/MailScanner/MailScanner/SA.pm line 615.
>

Thanks for trying!

I should have said in my previous email that you need to delete your SpamAssassin cache

From MailScanner.conf

SpamAssassin Cache Database File = /var/spool/MailScanner/incoming/SpamAssassin.cache.db

Stop MailScanner
RM the file
Restart MailScanner

Of course you also need a working Spamd installation ;-)

I start mine with

/usr/bin/spamd -d -l -m10 -r /var/run/spamd.pid -q -x -u nobody

And I use SQL for my AWL and Bayes.

matt

From ms-list at alexb.ch Fri Sep 5 23:11:09 2008
From: ms-list at alexb.ch (Alex Broens) Date: Fri Sep 5 23:11:24 2008 Subject: Mailscanner Version 4.71.10-1 / ClamAV 0.94 infection reporting. In-Reply-To: <48C1AA92.7090802@ecs.soton.ac.uk> References: <48BFAB6F.5090902@ecs.soton.ac.uk> <48C18DCC.5020806@ecs.soton.ac.uk> <48C19CB2.3080402@ecs.soton.ac.uk> <48C1A1ED.3010509@ecs.soton.ac.uk> <48C1AA92.7090802@ecs.soton.ac.uk> Message-ID: <48C1AE7D.3030101@alexb.ch> On 9/5/2008 11:54 PM, Julian Field wrote: > > > Alex Broens wrote: >> On 9/5/2008 11:17 PM, Julian Field wrote: >>> >>> >>> Alex Broens wrote: >>>> On 9/5/2008 10:55 PM, Julian Field wrote: >>>>> Try the attached SweepViruses.pm. >>>>> It will only help if the log output contains the attachment log >>>>> entry first, followed by the message log entry. If it's the other >>>>> way around, I can't suppress the message log entry on the basis >>>>> that an attachment log entry may appear afterwards. >>>>> If you have any better ideas on how to predict what may be logged >>>>> in the future, I'm all ears :-) >>>> >>>> __ >>>> Sep 5 23:04:16 ms1 MailScanner[25357]: Clamd::INFECTED:: >>>> Eicar-Test-Signature :: ./411661008C85.5B8DE/eicar_com.zip >>>> __ >>>> >>>> maillog / clamd look GOOD >>>> Mailwatch agrees with one line /entry >>>> >>>> >>>> Now, can you do the magic on esets? :-) >>>> >>>> here's what its doing. >>>> I tried fiddling with the log formating in esets.cfg but have the >>>> feeling its being ignored. >>>> >>>> __ >>>> Sep 5 23:04:17 ms1 MailScanner[25357]: >>>> name="./411661008C85.5B8DE/eicar_com.zip", threat="Eicar test file", >>>> action="", info="" >>>> Sep 5 23:04:17 ms1 MailScanner[25357]: >>>> name="./411661008C85.5B8DE/eicar_com.zip ?? ZIP ?? eicar.com", >>>> threat="Eicar test file", action="", info="" >>>> __ >>>> >>> Not if it's logging in that order, as I need to log the eicar.com >>> entry, but I can't predict it's going to be there from the >>> eicar_com.zip log entry. 
That requires crystal balls :-) >> >> lemme see if I get this right >> >> Eset logging has >> >> log_format_summ = "format" >> log_format_part = "format" >> >> What happens if you only log the "summ" ? >> >> would that break anything? > Surely it's better to always log the more detailed one, ie > log_format_part ? > Personally I would much rather log both of them. Who cares about one > extra log line? No-one ever reads them anyway, do they? doesn't that go both ways :-) if nobody reads them, then verbosity is usually bloat & useless. the way it is now it dupes all Mailwatch entries and borks stats, etc and in the end both entries are pretty much saying the same. this is what MAilwatch spits out to the DB esets: Found virus Win32/TrojanDownloader.FakeAlert.HK trojan in Late.Night.rar ?? RAR ?? Late.Night.CamRip.Sexual.Blondy.Fuck.And.Suck.avi.exe Clamd: Late.Night.rar was infected: Trojan.Fakealert-532 esets: Found virus Win32/TrojanDownloader.FakeAlert.HK trojan in Late.Night.rar if we had this it would be enough: esets: Found virus Win32/TrojanDownloader.FakeAlert.HK trojan in Late.Night.rar ?? RAR ?? Clamd: Late.Night.rar was infected: Trojan.Fakealert-532 Night.rar at the end of the day the infected file is the RAR file, what's inside it becomes irrelevant so there's no real need to report it separately Alex From ssilva at sgvwater.com Fri Sep 5 23:41:00 2008 
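Added example (not MailScanner's SweepViruses.pm and not code from this thread): the ordering problem discussed above, run over ClamAV log lines copied from the messages in this thread. A line-at-a-time filter can drop the whole-message entry only when the matching attachment entry has already been seen; buffering the findings of a batch and collapsing them afterwards works in either order and still keeps a whole-message hit that has no file-level counterpart. The function names and the final lone whole-message line are constructed for illustration.

```python
import re
from typing import Iterable, Iterator, List, NamedTuple, Optional

# <Scanner>::INFECTED:: <signature>[ FOUND] :: ./<message-id>/<part or empty>
_INFECTED = re.compile(
    r"(?P<scanner>\w+)::INFECTED::\s+(?P<sig>\S+)(?:\s+FOUND)?\s+::\s+"
    r"\./(?P<msg>[^/\s]+)/(?P<part>\S*)"
)


class Finding(NamedTuple):
    scanner: str
    sig: str
    msg: str
    part: str  # "" means the hit came from the whole-message scan


def parse(line: str) -> Optional[Finding]:
    """Return the finding in a log line, or None for any other line."""
    m = _INFECTED.search(line)
    return Finding(**m.groupdict()) if m else None


def stream_filter(lines: Iterable[str]) -> Iterator[str]:
    """Line-at-a-time suppression: only works if the attachment comes first."""
    seen_file_hits = set()
    for line in lines:
        f = parse(line)
        if f is None:
            yield line
            continue
        if f.part:
            seen_file_hits.add((f.msg, f.sig))
        elif (f.msg, f.sig) in seen_file_hits:
            continue  # whole-message duplicate of an entry already logged
        yield line


def collapse(lines: Iterable[str]) -> List[Finding]:
    """Buffer a batch, then report each infection once, in either order."""
    by_msg = {}
    for f in filter(None, map(parse, lines)):
        by_msg.setdefault(f.msg, []).append(f)
    out = []
    for findings in by_msg.values():
        file_sigs = {f.sig for f in findings if f.part}
        seen = set()
        for f in findings:
            if not f.part and f.sig in file_sigs:
                continue  # same signature already reported against a file
            if (f.sig, f.part) not in seen:
                seen.add((f.sig, f.part))
                out.append(f)
    return out


# Attachment entry first (syslog lines quoted in the thread).
ATTACHMENT_FIRST = [
    "Sep 5 17:53:09 ms1 MailScanner[2747]: ClamAVModule::INFECTED:: "
    "HTML.Phishing.Bank-1272 :: ./815BD10082B5.02C82/msg-2747-17.html",
    "Sep 5 17:53:09 ms1 MailScanner[2747]: ClamAVModule::INFECTED:: "
    "HTML.Phishing.Bank-1272 FOUND :: ./815BD10082B5.02C82/",
]
# Whole-message entry first (the --lint output quoted in the thread).
MESSAGE_FIRST = [
    "ClamAVModule::INFECTED:: Eicar-Test-Signature FOUND :: ./1/",
    "ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com",
]
# Constructed: a full-message hit with no file-level entry at all.
MESSAGE_ONLY = [
    "ClamAVModule::INFECTED:: HTML.Phishing.Bank-1272 FOUND :: ./AAAA000000AA.00000/",
]

if __name__ == "__main__":
    for name, batch in (("attachment first", ATTACHMENT_FIRST),
                        ("message first", MESSAGE_FIRST),
                        ("message only", MESSAGE_ONLY)):
        print(name, "| streamed:", len(list(stream_filter(batch))),
              "| collapsed:", [(f.sig, f.part) for f in collapse(batch)])
```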
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Sep 5 23:41:20 2008
Subject: clamav-0.94-1.el4 Error
In-Reply-To:
References:
Message-ID:

on 9-3-2008 3:52 AM asakawa@quickd.net spake the following:
> Hi all
>
> clamav-0.94-1.el4 Error
>
> clamav have no test reports
>
> Virus and Content Scanning: Starting
> /1/eicar.com Found: EICAR test file NOT a virus.
> Virus Scanning: McAfee found 1 infections
> ALERT: [Eicar-Test-Signature] ./1/eicar.com <<< Contains code of the Eicar-Test-Signature virus
> Virus Scanning: AntiVir found 1 infections
> /usr/bin/clamscan: unrecognized option `--unzip'
> ERROR: Unknown option passed.
> ERROR: Can't parse the command line
> /usr/bin/clamscan: unrecognized option `--unrar=/usr/bin/unrar'
> ERROR: Unknown option passed.
> ERROR: Can't parse the command line
> Virus Scanning: ClamAV found 1 infections
> 1.message=>[Subject: Virus Scanner Test Message]=>eicar.com:infected: EICAR-Test-File (not a virus)
> 1/eicar.com:infected: EICAR-Test-File (not a virus)
> Virus Scanning: Bitdefender found 2 infections
>
> Virus Scanner test reports:
> McAfee said "/1/eicar.com Found: EICAR test file NOT a virus."
> AntiVir said "ALERT: [Eicar-Test-Signature] ./1/eicar.com <<< Contains code of the Eicar-Test-Signature virus"
> Bitdefender said "Found virus EICAR-Test-File (not a virus) in file eicar.com"
>
>
> Best regards,
> Takashi Asakawa
>
>
>

Scan the list. Julian posted a fixed clamav wrapper for those who have the spare CPU cycles to run clamscan. Or convert your system to clamd.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 250 bytes
Desc: OpenPGP digital signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080905/74a764e1/signature.bin

From ssilva at sgvwater.com Fri Sep 5 23:50:35 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Sep 5 23:50:55 2008
Subject: Mailscanner Version 4.71.10-1 / ClamAV 0.94 infection reporting.
In-Reply-To:
References: <48BFAB6F.5090902@ecs.soton.ac.uk> <48C18DCC.5020806@ecs.soton.ac.uk> <48C19CB2.3080402@ecs.soton.ac.uk> <48C1A1ED.3010509@ecs.soton.ac.uk> <48C1AA92.7090802@ecs.soton.ac.uk>
Message-ID:

on 9-5-2008 3:04 PM Kevin Miller spake the following:
> Julian Field wrote:
>
>> Who cares about one
>> extra log line? No-one ever reads them anyway, do they?
>
> What's a log?
>
>
> ...Kevin

That is those short round things they make from trees! You throw one on the fire when it is cold. ;-P

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 250 bytes
Desc: OpenPGP digital signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080905/9d3baf94/signature.bin

From ssilva at sgvwater.com Fri Sep 5 23:58:20 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Sep 5 23:58:44 2008
Subject: Running MailScanner 4.64.3 and SpamAssassin 3.2.5 with ClamAV 0.94
In-Reply-To:
References:
Message-ID:

on 9-4-2008 1:03 PM Kaplan, Andrew H. spake the following:
> Hi there -
>
> The new release of ClamAV, version 0.94, is available for download. I
> was planning on installing it on our system running MailScanner and
> SpamAssassin. The current version of ClamAV that is in use is the
> 0.93.3 release.
>
> Is there any danger to my upgrading ClamAV to the latest version, or
> will the latest version work with the two aforementioned programs?
>
>

Some patching needs to be done if you run clamscan instead of clamd. And I don't know if the perl module supports 0.94 yet. It usually gets a week or more behind. But if you are using clamd, you should be OK.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 250 bytes
Desc: OpenPGP digital signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080905/50987af9/signature.bin

From mark at msapiro.net Sat Sep 6 01:54:01 2008
From: mark at msapiro.net (Mark Sapiro)
Date: Sat Sep 6 01:54:25 2008
Subject: Italian spam
In-Reply-To: <015e01c90f27$72acd3c0$2501a8c0@dbdomain.database.it>
Message-ID:

Marcello Anderlini wrote:

>I suspect then that my bayes filter is not working correctly.
>I daily try to instruct spamassassin using
>===========================================
>sa-learn --spam --mbox /var/mail/spam and
>sa-learn --ham --mbox /var/mail/notspam
>===========================================
>
>But it still scores that kind of spam as non spam, ...

Where are the files

bayes.mutex
bayes_journal
bayes_toks
bayes_seen

In my case, the files that spamassassin uses when invoked by MailScanner are

/var/spool/MailScanner/spamassassin/bayes.mutex
/var/spool/MailScanner/spamassassin/bayes_journal
/var/spool/MailScanner/spamassassin/bayes_toks
/var/spool/MailScanner/spamassassin/bayes_seen

However if I were to run sa-learn as userx, the files that would be updated are in /home/userx/.spamassassin.

In my case also, I use spamd so I use for example

/usr/bin/spamc -u postfix -L spam < message

to learn a message as spam.

You may have to experiment with the -u option on sa-learn to get it to update the right bayes database.

--
Mark Sapiro                             The highway is for gamblers,
San Francisco Bay Area, California      better use your sense - B. Dylan

From drew.marshall at technologytiger.net Sat Sep 6 13:19:12 2008
From: drew.marshall at technologytiger.net (Drew Marshall)
Date: Sat Sep 6 13:19:28 2008
Subject: Using Spamd rather than the SpamAssassin Library
In-Reply-To: <48C1ACE0.5020708@coders.co.uk>
References: <48C1941F.40703@coders.co.uk> <5851C691-2A38-40CC-9134-73427193F4D7@technologytiger.net> <48C1ACE0.5020708@coders.co.uk>
Message-ID: <322845F4-533F-49CC-A001-17C8D60619C6@technologytiger.net>

On 5 Sep 2008, at 23:04, Matt Hampton wrote:

> Drew Marshall wrote:
>>
>> Well I for one thought I would give it a go but I have bumped into
>> this error:
>>
>> Can't call method "execute" on an undefined value at
>> /usr/local/lib/MailScanner/MailScanner/SA.pm line 615.
>>
> Thanks for trying!

No problem!

>
>
> I should have said in my previous email that you need to delete your
> SpamAssassin cache

That fixed it! Thanks

> Of course you also need a working Spamd installation ;-)

LOL naturally

> I start mine with
>
> /usr/bin/spamd -d -l -m10 -r /var/run/spamd.pid -q -x -u nobody
>
>
> And I have use SQL for my AWL and Bayes.

I have not really played with AWL as it used to not tidy itself up like bayes does. Perhaps I'll give it another look...

Thanks, nice bit of code. Seems to be working well. I'll see what Monday brings when things load up a bit more.

Drew

--
In line with our policy, this message has been scanned for viruses and dangerous content by Technology Tiger's Mail Launder system
Our email policy can be found at www.technologytiger.net/policy

Technology Tiger Limited is registered in Scotland with registration number: 310997
Registered Office 55-57 West High Street Inverurie AB51 3QQ

From zepplin at exemail.com.au Sat Sep 6 15:25:17 2008
From: zepplin at exemail.com.au (George C)
Date: Sat Sep 6 15:25:29 2008
Subject: MailScanner refuses to shutdown - Possible broken pidof
Message-ID: <48C292CD.1070901@exemail.com.au>

Hi,

I have MailScanner - v4.71.10 installed
Exim 4.69
Installation was done by configserver (Way to the Web Limited) approximately 8 months or so ago.

WHM 11.23.2 cPanel 11.23.6-R27164
CENTOS Enterprise 4.6 i686 on standard - WHM X v3.1.0

Up until recently MailScanner has performed flawlessly.
Over the last week or so I've been getting daily mail showing MailScanner fails to shutdown.

Aug 27 10:33:21 JS-GC-S1 MailScanner: MailScanner shutdown failed
Aug 27 10:33:22 JS-GC-S1 runuser: Starting MailScanner...
Aug 27 10:33:23 JS-GC-S1 MailScanner: MailScanner setting GID to mail (12)
Aug 27 10:33:23 JS-GC-S1 MailScanner: MailScanner setting UID to mailnull (47)

Also tried to manually shutdown with same result.

[root@JS-GC-S1 ~]# /etc/rc.d/init.d/MailScanner restart
Shutting down MailScanner daemons:
 MailScanner: [FAILED]
 Waiting for MailScanner to stop...
Starting MailScanner daemons:
 MailScanner: [ OK ]

I have contacted configserver and they say pidof is more than likely broken but can't offer any further assistance.

I would appreciate any help/advice or suggestions as to how I may fix this recent issue.

**********************************************
copy of /etc/rc.d/init.d/MailScanner

. /etc/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0

TMPDIR=/var/spool/MailScanner
export TMPDIR

wait_for_pid () {
    i=0
    echo -n "."
    while test $i -lt 35 ; do
        echo -n "."
        if [ -z "`/usr/bin/pgrep -u mailnull -f MailScanner`" ]; then
            break
        fi
        kill -9 `/usr/bin/pgrep -u mailnull -f MailScanner` >/dev/null 2>&1
        sleep 1
        i=`expr $i + 1`
    done
}

# See how we were called.
case "$1" in
  start)
    # Start daemons.
    echo 'Starting MailScanner daemons:'
    echo -n ' MailScanner: '
    daemon --user=root /usr/mailscanner/bin/check_mailscanner >/dev/null
    success
    echo
    ;;
  stop)
    # Stop daemons.
    echo 'Shutting down MailScanner daemons:'
    echo -n ' MailScanner:'
    killproc MailScanner
    echo
    echo -n ' Waiting for MailScanner to stop'
    wait_for_pid
    echo
    ;;
  status)
    # Work out if all of MailScanner is running
    echo 'Checking MailScanner daemons:'
    status MailScanner
    echo
    ;;
  reload)
    echo 'Reloading MailScanner workers:'
    killproc MailScanner -HUP
    if [ -z "`/usr/bin/pgrep -u mailnull -f MailScanner`" ]; then
        $0 start
    fi
    echo
    ;;
  restart)
    $0 stop
    $0 start
    ;;
  *)
    echo "Usage: service MailScanner {start|stop|status|restart|reload}"
    exit 1
esac

exit

**********************************************
copy of /etc/init.d/functions

# -*-Shell-script-*-
#
# functions     This file contains functions to be used by most or all
#               shell scripts in the /etc/init.d directory.
#

TEXTDOMAIN=initscripts

# Make sure umask is sane
umask 022

# Set up a default search path.
PATH="/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin"
export PATH

# Get a sane screen width
[ -z "${COLUMNS:-}" ] && COLUMNS=80

[ -z "${CONSOLETYPE:-}" ] && CONSOLETYPE="`/sbin/consoletype`"

if [ -f /etc/sysconfig/i18n -a -z "${NOLOCALE:-}" ] ; then
    . /etc/sysconfig/i18n
    if [ "$CONSOLETYPE" != "pty" ]; then
        case "${LANG:-}" in
            ja_JP*|ko_KR*|zh_CN*|zh_TW*|bn_*|bd_*|pa_*|hi_*|ta_*|gu_*)
                export LC_MESSAGES=en_US
                export LANG
                ;;
            *)
                export LANG
                ;;
        esac
    else
        [ -n "$LC_MESSAGES" ] && export LC_MESSAGES
        export LANG
    fi
fi

# Read in our configuration
if [ -z "${BOOTUP:-}" ]; then
    if [ -f /etc/sysconfig/init ]; then
        . /etc/sysconfig/init
    else
        # This all seem confusing? Look in /etc/sysconfig/init,
        # or in /usr/doc/initscripts-*/sysconfig.txt
        BOOTUP=color
        RES_COL=60
        MOVE_TO_COL="echo -en \\033[${RES_COL}G"
        SETCOLOR_SUCCESS="echo -en \\033[1;32m"
        SETCOLOR_FAILURE="echo -en \\033[1;31m"
        SETCOLOR_WARNING="echo -en \\033[1;33m"
        SETCOLOR_NORMAL="echo -en \\033[0;39m"
        LOGLEVEL=1
    fi
    if [ "$CONSOLETYPE" = "serial" ]; then
        BOOTUP=serial
        MOVE_TO_COL=
        SETCOLOR_SUCCESS=
        SETCOLOR_FAILURE=
        SETCOLOR_WARNING=
        SETCOLOR_NORMAL=
    fi
fi

if [ "${BOOTUP:-}" != "verbose" ]; then
    INITLOG_ARGS="-q"
else
    INITLOG_ARGS=
fi

# Check if $pid (could be plural) are running
checkpid() {
    local i

    for i in $* ; do
        [ -d "/proc/$i" ] && return 0
    done
    return 1
}

# A function to start a program.
daemon() {
    # Test syntax.
    local gotbase= force=
    local base= user= nice= bg= pid=
    nicelevel=0
    while [ "$1" != "${1##[-+]}" ]; do
        case $1 in
            '')
                echo $"$0: Usage: daemon [+/-nicelevel] {program}"
                return 1;;
            --check)
                base=$2
                gotbase="yes"
                shift 2
                ;;
            --check=?*)
                base=${1#--check=}
                gotbase="yes"
                shift
                ;;
            --user)
                user=$2
                shift 2
                ;;
            --user=?*)
                user=${1#--user=}
                shift
                ;;
            --force)
                force="force"
                shift
                ;;
            [-+][0-9]*)
                nice="nice -n $1"
                shift
                ;;
            *)
                echo $"$0: Usage: daemon [+/-nicelevel] {program}"
                return 1;;
        esac
    done

    # Save basename.
    [ -z "$gotbase" ] && base=${1##*/}

    # See if it's already running. Look *only* at the pid file.
    if [ -f /var/run/${base}.pid ]; then
        local line p
        read line < /var/run/${base}.pid
        for p in $line ; do
            [ -z "${p//[0-9]/}" -a -d "/proc/$p" ] && pid="$pid $p"
        done
    fi

    [ -n "${pid:-}" -a -z "${force:-}" ] && return

    # make sure it doesn't core dump anywhere unless requested
    ulimit -S -c ${DAEMON_COREFILE_LIMIT:-0} >/dev/null 2>&1

    # if they set NICELEVEL in /etc/sysconfig/foo, honor it
    [ -n "$NICELEVEL" ] && nice="nice -n $NICELEVEL"

    # Echo daemon
    [ "${BOOTUP:-}" = "verbose" -a -z "$LSB" ] && echo -n " $base"

    # And start it up.
    if [ -z "$user" ]; then
        $nice initlog $INITLOG_ARGS -c "$*"
    else
        $nice initlog $INITLOG_ARGS -c "runuser -s /bin/bash - $user -c \"$*\""
    fi
    [ "$?" -eq 0 ] && success $"$base startup" || failure $"$base startup"
}

# A function to stop a program.
killproc() {
    RC=0; delay=3
    # Test syntax.
    if [ "$#" -eq 0 ]; then
        echo $"Usage: killproc [ -d delay] {program} [signal]"
        return 1
    fi
    if [ "$1" = "-d" ]; then
        delay=$2
        shift 2
    fi

    notset=0
    notset=0
    # check for second arg to be kill level
    if [ -n "$2" ]; then
        killlevel=$2
    else
        notset=1
        killlevel="-9"
    fi

    # Save basename.
    base=${1##*/}

    # Find pid.
    pid=
    if [ -f /var/run/${base}.pid ]; then
        local line p
        read line < /var/run/${base}.pid
        for p in $line ; do
            [ -z "${p//[0-9]/}" -a -d "/proc/$p" ] && pid="$pid $p"
        done
    fi
    if [ -z "$pid" ]; then
        pid=`pidof -o $$ -o $PPID -o %PPID -x $1 || \
            pidof -o $$ -o $PPID -o %PPID -x $base`
    fi

    # Kill it.
    if [ -n "${pid:-}" ] ; then
        [ "$BOOTUP" = "verbose" -a -z "$LSB" ] && echo -n "$base "
        if [ "$notset" -eq "1" ] ; then
            if checkpid $pid 2>&1; then
                # TERM first, then KILL if not dead
                kill -TERM $pid >/dev/null 2>&1
                usleep 100000
                if checkpid $pid && sleep 1 &&
                   checkpid $pid && sleep $delay &&
                   checkpid $pid ; then
                    kill -KILL $pid >/dev/null 2>&1
                    usleep 100000
                fi
            fi
            checkpid $pid
            RC=$?
            [ "$RC" -eq 0 ] && failure $"$base shutdown" || success $"$base shutdown"
            RC=$((! $RC))
        # use specified level only
        else
            if checkpid $pid; then
                kill $killlevel $pid >/dev/null 2>&1
                RC=$?
                [ "$RC" -eq 0 ] && success $"$base $killlevel" || failure $"$base $killlevel"
            fi
        fi
    else
        failure $"$base shutdown"
        RC=1
    fi

    # Remove pid file if any.
    if [ "$notset" = "1" ]; then
        rm -f /var/run/$base.pid
    fi
    return $RC
}

# A function to find the pid of a program. Looks *only* at the pidfile
pidfileofproc() {
    local base=${1##*/}

    # Test syntax.
    if [ "$#" = 0 ] ; then
        echo $"Usage: pidfileofproc {program}"
        return 1
    fi

    # First try "/var/run/*.pid" files
    if [ -f /var/run/$base.pid ] ; then
        local line p pid=
        read line < /var/run/$base.pid
        for p in $line ; do
            [ -z "${p//[0-9]/}" -a -d /proc/$p ] && pid="$pid $p"
        done
        if [ -n "$pid" ]; then
            echo $pid
            return 0
        fi
    fi
}

# A function to find the pid of a program.
pidofproc() {
    base=${1##*/}

    # Test syntax.
    if [ "$#" = 0 ]; then
        echo $"Usage: pidofproc {program}"
        return 1
    fi

    # First try "/var/run/*.pid" files
    if [ -f /var/run/$base.pid ]; then
        local line p pid=
        read line < /var/run/$base.pid
        for p in $line ; do
            [ -z "${p//[0-9]/}" -a -d /proc/$p ] && pid="$pid $p"
        done
        if [ -n "$pid" ]; then
            echo $pid
            return 0
        fi
    fi
    pidof -o $$ -o $PPID -o %PPID -x $1 || \
        pidof -o $$ -o $PPID -o %PPID -x $base
}

status() {
    local base=${1##*/}
    local pid

    # Test syntax.
    if [ "$#" = 0 ] ; then
        echo $"Usage: status {program}"
        return 1
    fi

    # First try "pidof"
    pid=`pidof -o $$ -o $PPID -o %PPID -x $1 || \
         pidof -o $$ -o $PPID -o %PPID -x ${base}`
    if [ -n "$pid" ]; then
        echo $"${base} (pid $pid) is running..."
return 0 fi # Next try "/var/run/*.pid" files if [ -f /var/run/${base}.pid ] ; then read pid < /var/run/${base}.pid if [ -n "$pid" ]; then echo $"${base} dead but pid file exists" return 1 fi fi # See if /var/lock/subsys/${base} exists if [ -f /var/lock/subsys/${base} ]; then echo $"${base} dead but subsys locked" return 2 fi echo $"${base} is stopped" return 3 } echo_success() { [ "$BOOTUP" = "color" ] && $MOVE_TO_COL echo -n "[ " [ "$BOOTUP" = "color" ] && $SETCOLOR_SUCCESS echo -n $"OK" [ "$BOOTUP" = "color" ] && $SETCOLOR_NORMAL echo -n " ]" echo -ne "\r" return 0 } echo_failure() { [ "$BOOTUP" = "color" ] && $MOVE_TO_COL echo -n "[" [ "$BOOTUP" = "color" ] && $SETCOLOR_FAILURE echo -n $"FAILED" [ "$BOOTUP" = "color" ] && $SETCOLOR_NORMAL echo -n "]" echo -ne "\r" return 1 } echo_passed() { [ "$BOOTUP" = "color" ] && $MOVE_TO_COL echo -n "[" [ "$BOOTUP" = "color" ] && $SETCOLOR_WARNING echo -n $"PASSED" [ "$BOOTUP" = "color" ] && $SETCOLOR_NORMAL echo -n "]" echo -ne "\r" return 1 } echo_warning() { [ "$BOOTUP" = "color" ] && $MOVE_TO_COL echo -n "[" [ "$BOOTUP" = "color" ] && $SETCOLOR_WARNING echo -n $"WARNING" [ "$BOOTUP" = "color" ] && $SETCOLOR_NORMAL echo -n "]" echo -ne "\r" return 1 } # Inform the graphical boot of our current state update_boot_stage() { if [ "$GRAPHICAL" = "yes" -a -x /usr/bin/rhgb-client ]; then /usr/bin/rhgb-client --update="$1" fi return 0 } # Log that something succeeded success() { if [ -z "${IN_INITLOG:-}" ]; then initlog $INITLOG_ARGS -n $0 -s "$1" -e 1 else # silly hack to avoid EPIPE killing rc.sysinit trap "" SIGPIPE echo "$INITLOG_ARGS -n $0 -s \"$1\" -e 1" >&21 trap - SIGPIPE fi [ "$BOOTUP" != "verbose" -a -z "$LSB" ] && echo_success return 0 } # Log that something failed failure() { rc=$? 
if [ -z "${IN_INITLOG:-}" ]; then initlog $INITLOG_ARGS -n $0 -s "$1" -e 2 else trap "" SIGPIPE echo "$INITLOG_ARGS -n $0 -s \"$1\" -e 2" >&21 trap - SIGPIPE fi [ "$BOOTUP" != "verbose" -a -z "$LSB" ] && echo_failure [ -x /usr/bin/rhgb-client ] && /usr/bin/rhgb-client --details=yes return $rc } # Log that something passed, but may have had errors. Useful for fsck passed() { rc=$? if [ -z "${IN_INITLOG:-}" ]; then initlog $INITLOG_ARGS -n $0 -s "$1" -e 1 else trap "" SIGPIPE echo "$INITLOG_ARGS -n $0 -s \"$1\" -e 1" >&21 trap - SIGPIPE fi [ "$BOOTUP" != "verbose" -a -z "$LSB" ] && echo_passed return $rc } # Log a warning warning() { rc=$? if [ -z "${IN_INITLOG:-}" ]; then initlog $INITLOG_ARGS -n $0 -s "$1" -e 1 else trap "" SIGPIPE echo "$INITLOG_ARGS -n $0 -s \"$1\" -e 1" >&21 trap - SIGPIPE fi [ "$BOOTUP" != "verbose" -a -z "$LSB" ] && echo_warning return $rc } # Run some action. Log its output. action() { STRING=$1 echo -n "$STRING " if [ "${RHGB_STARTED}" != "" -a -w /etc/rhgb/temp/rhgb-console ]; then echo -n "$STRING " > /etc/rhgb/temp/rhgb-console fi shift initlog $INITLOG_ARGS -c "$*" && success $"$STRING" || failure $"$STRING" rc=$? echo if [ "${RHGB_STARTED}" != "" -a -w /etc/rhgb/temp/rhgb-console ]; then if [ "$rc" = "0" ]; then echo_success > /etc/rhgb/temp/rhgb-console else echo_failure > /etc/rhgb/temp/rhgb-console [ -x /usr/bin/rhgb-client ] && /usr/bin/rhgb-client --details=yes fi echo fi return $rc } # returns OK if $1 contains $2 strstr() { [ "${1#*$2*}" = "$1" ] && return 1 return 0 } # Confirm whether we really want to run this service confirm() { [ -x /usr/bin/rhgb-client ] && /usr/bin/rhgb-client --details=yes while : ; do echo -n $"Start service $1 (Y)es/(N)o/(C)ontinue? 
[Y] "
        read answer
        if strstr $"yY" "$answer" || [ "$answer" = "" ] ; then
            return 0
        elif strstr $"cC" "$answer" ; then
            rm -f /var/run/confirm
            [ -x /usr/bin/rhgb-client ] && /usr/bin/rhgb-client --details=no
            return 2
        elif strstr $"nN" "$answer" ; then
            return 1
        fi
    done
}

Regards,
- George Chown
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080907/3c249486/attachment.html

From ram at netcore.co.in Sat Sep 6 16:12:36 2008
From: ram at netcore.co.in (ram)
Date: Sat Sep 6 16:12:59 2008
Subject: MailScanner takes too long extracting attachments due to "sleep 10"
Message-ID: <1220713956.12800.47.camel@darkstar.netcore.co.in>

I have my MailScanner server taking too long. Eventually looking at the
source I found that the mails go into the
UnpackOle() function in Message.pm
(/usr/lib/MailScanner/MailScanner/Message.pm)

This function has a "sleep 10;"
What is this for ??

I realized when my client receives a mail with more than 10 attachments
all processes take HUGE time to scan every message and mails get delayed

For now I have just
put a "return 0" beginning of the function and now it is working fine

Thanks
Ram

From roland at inbox4u.de Sat Sep 6 20:11:41 2008
From: roland at inbox4u.de (Ehle, Roland)
Date: Sat Sep 6 20:13:22 2008
Subject: AW: Using Spamd rather than the SpamAssassin Library
In-Reply-To: <48C1ACE0.5020708@coders.co.uk>
References: <48C1941F.40703@coders.co.uk> <5851C691-2A38-40CC-9134-73427193F4D7@technologytiger.net> <48C1ACE0.5020708@coders.co.uk>
Message-ID:

Matt,

just to make sure, I did not misunderstand:

is it necessary to remove the configuration line

SpamAssassin Cache Database File =

from /etc/MailScanner/MailScanner.conf?

Regards,
Roland

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Matt Hampton
> Sent: Saturday, 6 September 2008 00:04
> To: MailScanner discussion
> Subject: Re: Using Spamd rather than the SpamAssassin Library
>
> Drew Marshall wrote:
> >
> > Well I for one thought I would give it a go but I have bumped into
> > this error:
> >
> > Can't call method "execute" on an undefined value at
> > /usr/local/lib/MailScanner/MailScanner/SA.pm line 615.
> >
> Thanks for trying!
>
> I should have said in my previous email that you need to delete your
> spamassassin cache
>
> From MailScanner.conf
>
> SpamAssassin Cache Database File =
> /var/spool/MailScanner/incoming/SpamAssassin.cache.db
>
> Stop MailScanner
> RM the file
> Restart MailScanner
>
> Of course you also need a working Spamd installation ;-)
>
> I start mine with
>
> /usr/bin/spamd -d -l -m10 -r /var/run/spamd.pid -q -x -u nobody
>
>
> And I have use SQL for my AWL and Bayes.
>
> matt
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From drew.marshall at technologytiger.net Sat Sep 6 20:19:59 2008
From: drew.marshall at technologytiger.net (Drew Marshall)
Date: Sat Sep 6 20:20:17 2008
Subject: AW: Using Spamd rather than the SpamAssassin Library
In-Reply-To:
References: <48C1941F.40703@coders.co.uk> <5851C691-2A38-40CC-9134-73427193F4D7@technologytiger.net> <48C1ACE0.5020708@coders.co.uk>
Message-ID:

On 6 Sep 2008, at 20:11, Ehle, Roland wrote:

> Matt,
>
> just to make sure, I did not misunderstand:
>
> is it necessary to remove the configuration line
>
> SpamAssassin Cache Database File =
>
> from /etc/MailScanner/MailScanner.conf?

No, just delete the actual file that line relates to so when MS restarts
it builds a new one.

This is (IMHO) the greatest advantage to Matt's solution over the custom
function that Steve posted, the cache is retained and you can have the
memory advantages of using spamd and per user configs etc.

Works great here!

Drew

--
In line with our policy, this message has been scanned for viruses and
dangerous content by Technology Tiger's Mail Launder system
Our email policy can be found at www.technologytiger.net/policy

Technology Tiger Limited is registered in Scotland with registration
number: 310997
Registered Office 55-57 West High Street Inverurie AB51 3QQ

From spamlists at coders.co.uk Sat Sep 6 21:36:08 2008
From: spamlists at coders.co.uk (Matt Hampton)
Date: Sat Sep 6 21:36:50 2008
Subject: AW: Using Spamd rather than the SpamAssassin Library
In-Reply-To:
References: <48C1941F.40703@coders.co.uk> <5851C691-2A38-40CC-9134-73427193F4D7@technologytiger.net> <48C1ACE0.5020708@coders.co.uk>
Message-ID: <48C2E9B8.9090801@coders.co.uk>

Drew Marshall wrote:
>
> No, just delete the actual file that line relates to so when MS
> restarts it builds a new one.
The reason for this is that an extra field is added to the cache for the
username - this means that if you choose to use different usernames then
result for one doesn't influence the results of another one.

> This is (IMHO) the greatest advantage to Matt's solution over the
> custom function that Steve posted, the cache is retained and you can
> have the memory advantages of using spamd and per user configs etc.
>
To be fair I hadn't seen Steve's post.

I wrote the code in July and left it running (brave/stupid) when I went
on holiday at the beginning of August. Didn't come get home when
planned (over running building works at home) and was limited to my
works 3G card - didn't fancy downloading the 12,000 messages over that
:-)

> Works great here!
Cool.

Has anyone else braved it yet?


matt

From hvdkooij at vanderkooij.org Sat Sep 6 23:01:39 2008
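[Added example, not part of any list message and not MailScanner's or Matt Hampton's code.] It illustrates the point in the message above: a spam-verdict cache keyed only on the message lets one user's result answer for another, and a cache file built with the old layout cannot serve code that expects the username field. The table layouts, column names, users, thresholds and sample message are all constructed assumptions.

```python
"""Why a spam-verdict cache must include the username in its key."""
import hashlib
import sqlite3

# Constructed, simplified layouts: assumptions for illustration only, not
# MailScanner's real cache table and not the layout used by Matt's code.
OLD_LAYOUT = """CREATE TABLE cache (
    msg_hash TEXT PRIMARY KEY, is_spam INTEGER, score REAL)"""
NEW_LAYOUT = """CREATE TABLE cache (
    msg_hash TEXT, username TEXT, is_spam INTEGER, score REAL,
    PRIMARY KEY (msg_hash, username))"""

# Constructed per-user thresholds standing in for per-user spamd configs.
REQUIRED_SCORE = {"alice": 3.0, "bob": 6.0}
SAMPLE_MESSAGE = b"Subject: constructed sample\r\n\r\nLimited offer\r\n"
SAMPLE_SCORE = 4.2  # constructed score for the sample message


def open_cache(layout):
    """Create an in-memory cache database with the given table layout."""
    conn = sqlite3.connect(":memory:")
    conn.execute(layout)
    return conn


def has_username_field(conn):
    """True if the cache table already carries the extra username field."""
    columns = [row[1] for row in conn.execute("PRAGMA table_info(cache)")]
    return "username" in columns


def scan(username):
    """Stand-in for a spamd call: the verdict depends on the user's config."""
    return SAMPLE_SCORE >= REQUIRED_SCORE[username], SAMPLE_SCORE


def check(conn, message, username):
    """Return (is_spam, source); source is 'cache' on a hit, 'scan' on a miss."""
    digest = hashlib.sha256(message).hexdigest()
    if has_username_field(conn):
        where, key = "msg_hash = ? AND username = ?", (digest, username)
        columns = "msg_hash, username"
    else:
        where, key = "msg_hash = ?", (digest,)
        columns = "msg_hash"
    row = conn.execute(f"SELECT is_spam FROM cache WHERE {where}", key).fetchone()
    if row is not None:
        return bool(row[0]), "cache"
    is_spam, score = scan(username)
    marks = ", ".join("?" * (len(key) + 2))
    conn.execute(
        f"INSERT INTO cache ({columns}, is_spam, score) VALUES ({marks})",
        key + (int(is_spam), score),
    )
    return is_spam, "scan"


def new_query_on_old_file():
    """Run a username-aware query against an old-layout cache; return the error."""
    conn = open_cache(OLD_LAYOUT)
    try:
        conn.execute(
            "SELECT is_spam FROM cache WHERE msg_hash = ? AND username = ?",
            ("0" * 64, "alice"),
        )
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for name, layout in (("old layout", OLD_LAYOUT), ("new layout", NEW_LAYOUT)):
        cache = open_cache(layout)
        for user in ("alice", "bob"):
            print(name, user, check(cache, SAMPLE_MESSAGE, user))
    print("new query on old file:", new_query_on_old_file())
```

With the old layout, bob receives alice's cached "spam" verdict although his own threshold would pass the message; with the username in the key each user is scanned once and then served from their own entry.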
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sat Sep 6 23:01:52 2008
Subject: Yum repository
Message-ID: <48C2FDC3.4080802@vanderkooij.org>

The YUM repository is open and updates seem to work as well as one might
expect. There is a small exercise left for the admin at the moment.

You can find the repository information on http://yum.vanderkooij.org/

However as this is just about all there is to the repository it makes no
sense at all to scan it every hour. Anyone scanning the repository too
much may get expelled.

Doing a check every 30 minutes like the client on 208.65.91.93 is not
something I consider normal for a repository that is updated about once
a month. So I suggest you trim it down if you like to keep using it.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

From roland at inbox4u.de Sun Sep 7 04:00:20 2008
From: roland at inbox4u.de (Ehle, Roland)
Date: Sun Sep 7 04:01:17 2008
Subject: AW: AW: Using Spamd rather than the SpamAssassin Library
In-Reply-To: <48C2E9B8.9090801@coders.co.uk>
References: <48C1941F.40703@coders.co.uk> <5851C691-2A38-40CC-9134-73427193F4D7@technologytiger.net> <48C1ACE0.5020708@coders.co.uk> <48C2E9B8.9090801@coders.co.uk>
Message-ID:

I gave it a try, but found MailScanner process dying immediately after
starting and messages were not processed at all. Probably a speciality
of my system, that likes making me angry :-)

Regards,
Roland

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Matt Hampton
> Sent: Saturday, 6 September 2008 22:36
> To: MailScanner discussion
> Subject: Re: AW: Using Spamd rather than the SpamAssassin Library
>
> Drew Marshall wrote:
> >
> > No, just delete the actual file that line relates to so when MS
> > restarts it builds a new one.
> The reason for this is that an extra field is added to the cache for
> the username - this means that if you choose to use different usernames
> then result for one doesn't influence the results of another one.
>
> > This is (IMHO) the greatest advantage to Matt's solution over the
> > custom function that Steve posted, the cache is retained and you can
> > have the memory advantages of using spamd and per user configs etc.
> >
> To be fair I hadn't seen Steve's post.
>
> I wrote the code in July and left it running (brave/stupid) when I went
> on holiday at the beginning of August. Didn't come get home when
> planned (over running building works at home) and was limited to my
> works 3G card - didn't fancy downloading the 12,000 messages over that
> :-)
>
> > Works great here!
> Cool.
>
> Has anyone else braved it yet?
>
>
> matt

From roland at inbox4u.de Sun Sep 7 07:40:04 2008
From: roland at inbox4u.de (Ehle, Roland)
Date: Sun Sep 7 07:41:17 2008
Subject: AW: AW: Using Spamd rather than the SpamAssassin Library
In-Reply-To:
References: <48C1941F.40703@coders.co.uk> <5851C691-2A38-40CC-9134-73427193F4D7@technologytiger.net> <48C1ACE0.5020708@coders.co.uk> <48C2E9B8.9090801@coders.co.uk>
Message-ID:

After all: It is running, and it is fine! It was my own blindness, which
causes the trouble :-) Thanks Matt for your contribution

Hint for all others:

If you are going to give this one a try, you should do the following, to
prevent running into trouble with pyzor:

Add

pyzor_options --homedir /etc/mail/spamassassin

to your /etc/MailScanner/spam.assassin.prefs.conf and execute

pyzor --homedir /etc/mail/spamassassin discover

Regards,
Roland

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ehle, Roland
> Sent: Sunday, 7 September 2008 05:00
> To: MailScanner discussion
> Subject: AW: AW: Using Spamd rather than the SpamAssassin Library
>
> I gave it a try, but found MailScanner process dying immediately after
> starting and messages were not processed at all. Probably a speciality
> of my system, that likes making me angry :-)
>
> Regards,
> Roland
>
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Matt Hampton
> > Sent: Saturday, 6 September 2008 22:36
> > To: MailScanner discussion
> > Subject: Re: AW: Using Spamd rather than the SpamAssassin Library
> >
> > Drew Marshall wrote:
> > >
> > > No, just delete the actual file that line relates to so when MS
> > > restarts it builds a new one.
> > The reason for this is that an extra field is added to the cache for
> > the username - this means that if you choose to use different
> > usernames then result for one doesn't influence the results of
> > another one.
> >
> > > This is (IMHO) the greatest advantage to Matt's solution over the
> > > custom function that Steve posted, the cache is retained and you can
> > > have the memory advantages of using spamd and per user configs etc.
> > >
> > To be fair I hadn't seen Steve's post.
> >
> > I wrote the code in July and left it running (brave/stupid) when I went
> > on holiday at the beginning of August. Didn't come get home when
> > planned (over running building works at home) and was limited to my
> > works 3G card - didn't fancy downloading the 12,000 messages over that
> > :-)
> >
> > > Works great here!
> > Cool.
> >
> > Has anyone else braved it yet?
> >
> >
> > matt

From paul.hutchings at mira.co.uk Sun Sep 7 10:08:05 2008
From: paul.hutchings at mira.co.uk (Paul Hutchings)
Date: Sun Sep 7 10:08:19 2008
Subject: Yum repository
References: <48C2FDC3.4080802@vanderkooij.org>
Message-ID:

Thanks Hugh - looks very useful!

Presumably the intention is to have the stable version and not the
latest beta/rc?

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Hugo van der Kooij
Sent: 06 September 2008 23:02
To: MailScanner Mailinglist
Subject: Yum repository

The YUM repository is open and updates seem to work as well as one might
expect. There is a small exercise left for the admin at the moment.

You can find the repository information on http://yum.vanderkooij.org/

However as this is just about all there is to the repository it makes no
sense at all to scan it every hour. Anyone scanning the repository too
much may get expelled.

Doing a check every 30 minutes like the client on 208.65.91.93 is not
something I consider normal for a repository that is updated about once
a month. So I suggest you trim it down if you like to keep using it.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

--
MIRA Ltd

Watling Street, Nuneaton, Warwickshire, CV10 0TU, England.

Registered in England and Wales No. 402570
VAT Registration GB 114 5409 96

The contents of this e-mail are confidential and are solely for the use
of the intended recipient. If you receive this e-mail in error, please
delete it and notify us either by e-mail, telephone or fax. You should
not copy, forward or otherwise disclose the content of the e-mail as
this is prohibited.

From glenn.steen at gmail.com Sun Sep 7 15:58:57 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sun Sep 7 15:59:07 2008
Subject: MailScanner Tweaking/Issues
In-Reply-To: <48BFFC38.80706@infowall.com>
References: <48BFE46B.8000404@USherbrooke.ca> <48BFFC38.80706@infowall.com>
Message-ID: <223f97700809070758q495e55fes1929d78a02fd3130@mail.gmail.com>

2008/9/4 mark mcintosh :
> Hello,
>
> I have a fairly new install of Mailscanner on a Centos 5.2 x64 VPS with
> (mailwatch, postfixadmin, mailscanner-mrtg, postfix, maildrop, dcc,
> razor, pyzor)
>
> The system is working and is blocking most of my spam but I would like
> to tweak it and I have a few concerns listed below.
>
> Why does the --lint test show that Pyzor is disabled ?? (Pyzor also
> shows not working in mailscanner lint test -->>pyzor: check failed:
> internal error (listed below)
> Why does it skip the Razor ?? Same for SpamCop ??
> The Net::Ident module is it critical ????? ----- Will forcing
> installation cause me to break anything else ??

SpamAssassin, that is responsible for all this, only does syntax checking
with the --lint test. Hence all network tests are disabled when doing a
--lint run.
To actually include the tests, you need to run something like:

spamassassin -t -D < /path/to/an/actual/message/file

... You should have several likely candidates for that type of testing
in your quarantine;-).

Now, the Pyzor internal error might be because of anything ... well,
almost. What happens if you do a "pyzor ping"? And if you do it as your
postfix user? (you might need to do "su - postfix -s /bin/bash" to be
able to do the latter:)

> The last line in the MailScanner --lint related to my mailwatch
> installation only appears at times and I am still looking into it any
> ideas ??

The Autocommit "warning" is normal. Just ignore it (it is purely
informational, has no ill effects... Means that you have autocommit on
in your DB, while MailWatch applies commits at appropriate places... The
"error" reports that these are NOOPs... Which is fine;).

> For clarity I have included the MailScanner -lint as well as the
> Spamassassin --lint

For brevity... I've removed them:-).

> Any help on these questions would be appreciated
>
> Mark McIntosh
>
(snip)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From martinh at solidstatelogic.com Mon Sep 8 10:19:04 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Mon Sep 8 10:19:20 2008
Subject: AW: Using Spamd rather than the SpamAssassin Library
In-Reply-To:
Message-ID:

Roland

pyzor --homedir /etc/mail/spamassassin discover

Will give problems in that it will give you a server that isn't
updating. Pyzor support seems to have disappeared, but if you alter the
~/.pyzor/servers to..

82.94.255.100:24441

It will work a lot better

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ehle, Roland
> Sent: 07 September 2008 07:40
> To: MailScanner discussion
> Subject: AW: AW: Using Spamd rather than the SpamAssassin Library
>
> After all: It is running, and it is fine! It was my own
> blindness, which causes the trouble :-) Thanks Matt for your
> contribution
>
> Hint for all others:
>
> If you are going to give this one a try, you should do the
> following, to prevent running into trouble with pyzor:
>
> Add
>
> pyzor_options --homedir /etc/mail/spamassassin
>
> to your /etc/MailScanner/spam.assassin.prefs.conf and execute
>
> pyzor --homedir /etc/mail/spamassassin discover
>
> Regards,
> Roland
>
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ehle, Roland
> > Sent: Sunday, 7 September 2008 05:00
> > To: MailScanner discussion
> > Subject: AW: AW: Using Spamd rather than the SpamAssassin Library
> >
> > I gave it a try, but found MailScanner process dying immediately after
> > starting and messages were not processed at all. Probably a speciality
> > of my system, that likes making me angry :-)
> >
> > Regards,
> > Roland
> >
> > > -----Original Message-----
> > > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Matt Hampton
> > > Sent: Saturday, 6 September 2008 22:36
> > > To: MailScanner discussion
> > > Subject: Re: AW: Using Spamd rather than the SpamAssassin Library
> > >
> > > Drew Marshall wrote:
> > > >
> > > > No, just delete the actual file that line relates to so when MS
> > > > restarts it builds a new one.
> > > The reason for this is that an extra field is added to the cache for
> > > the username - this means that if you choose to use different
> > > usernames then result for one doesn't influence the results of
> > > another one.
> > >
> > > > This is (IMHO) the greatest advantage to Matt's solution over the
> > > > custom function that Steve posted, the cache is retained and you can
> > > > have the memory advantages of using spamd and per user configs etc.
> > > >
> > > To be fair I hadn't seen Steve's post.
> > >
> > > I wrote the code in July and left it running (brave/stupid) when I went
> > > on holiday at the beginning of August. Didn't come get home when
> > > planned (over running building works at home) and was limited to my
> > > works 3G card - didn't fancy downloading the 12,000 messages over that
> > > :-)
> > >
> > > > Works great here!
> > > Cool.
> > >
> > > Has anyone else braved it yet?
> > >
> > >
> > > matt
>

**********************************************************************
Confidentiality : This e-mail and any attachments are intended for the
addressee only and may be confidential. If they come to you in error you
must take no action based on them, nor must you copy or show them to
anyone. Please advise the sender by replying to this e-mail immediately
and then delete the original from your computer.
Opinion : Any opinions expressed in this e-mail are entirely those of
the author and unless specifically stated to the contrary, are not
necessarily those of the author's employer.
Security Warning : Internet e-mail is not necessarily a secure
communications medium and can be subject to data corruption. We advise
that you consider this fact when e-mailing us.
Viruses : We have taken steps to ensure that this e-mail and any
attachments are free from known viruses but in keeping with good
computing practice, you should ensure that they are virus free.

Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales (Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom
**********************************************************************

From glenn.steen at gmail.com Mon Sep 8 11:24:33 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Sep 8 11:24:42 2008
Subject: AW: Using Spamd rather than the SpamAssassin Library
In-Reply-To:
References:
Message-ID: <223f97700809080324i2959f140y57775989d76b1e95@mail.gmail.com>

2008/9/8 Martin.Hepworth :
> Roland
>
> pyzor --homedir /etc/mail/spamassassin discover
>
>
> Will give problems in that it will give you a server that isn't updating. Pyzor support seems to have disappeared, but if you alter the ~/.pyzor/servers to..
>
> 82.94.255.100:24441
>
> It will work a lot better
>
Slight update.... seems that this is the server you get now, when doing
a discover. So no need to avoid doing a discover any more:-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From MailScanner at ecs.soton.ac.uk Mon Sep 8 11:34:20 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Sep 8 11:34:42 2008
Subject: MailScanner takes too long extracting attachments due to "sleep 10"
In-Reply-To:
References:
Message-ID: <48C4FFAC.2060407@ecs.soton.ac.uk>

ram wrote:
> I have my MailScanner server taking too long. Eventually looking at the
> source I found that the mails go into the
> UnpackOle() function in Message.pm
> (/usr/lib/MailScanner/MailScanner/Message.pm)
>
>
> This function has a "sleep 10;"
> What is this for ??
>
Oops! Sorry about that. I left in some old debug code.
Many thanks for spotting that! It will be fixed in the next release. You
can just delete that line.
>
> I realized when my client receives a mail with more than 10 attachments
> all processes take HUGE time to scan every message and mails get delayed
>
> For now I have just
> put a "return 0" beginning of the function and now it is working fine
>
> Thanks
> Ram
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From martinh at solidstatelogic.com Mon Sep 8 11:50:49 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Mon Sep 8 11:51:04 2008
Subject: AW: Using Spamd rather than the SpamAssassin Library
In-Reply-To: <223f97700809080324i2959f140y57775989d76b1e95@mail.gmail.com>
Message-ID:

Hurray

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen
> Sent: 08 September 2008 11:25
> To: MailScanner discussion
> Subject: Re: AW: Using Spamd rather than the SpamAssassin Library
>
> 2008/9/8 Martin.Hepworth :
> > Roland
> >
> > pyzor --homedir /etc/mail/spamassassin discover
> >
> >
> > Will give problems in that it will give you a server that
> > isn't updating. Pyzor support seems to have disappeared, but
> > if you alter the ~/.pyzor/servers to..
> >
> > 82.94.255.100:24441
> >
> > It will work a lot better
> >
> Slight update.... seems that this is the server you get now,
> when doing a discover. So no need to avoid doing a discover
> any more:-).
>
> Cheers
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se
>

From drew.marshall at technologytiger.net Mon Sep 8 12:06:54 2008
From: drew.marshall at technologytiger.net (Drew Marshall)
Date: Mon Sep 8 12:18:24 2008
Subject: AW: Using Spamd rather than the SpamAssassin Library
In-Reply-To: <48C2E9B8.9090801@coders.co.uk>
References: <48C1941F.40703@coders.co.uk> <5851C691-2A38-40CC-9134-73427193F4D7@technologytiger.net> <48C1ACE0.5020708@coders.co.uk> <48C2E9B8.9090801@coders.co.uk>
Message-ID: <520F0D8E-EA1E-499C-B899-FB0342DA061A@technologytiger.net>

On 6 Sep 2008, at 21:36, Matt Hampton wrote:

>> Works great here!
> Cool.
>
> Has anyone else braved it yet?

Matt

It's still working fine on a box that looks like it's going to chomp
~16k messages today :-)

One small question, so I can try to tune things a little more. How does
MS hand the batch over to spamd? Is this one batch per spamd child? I
have started spamd with an optimistic -m 30 and my MS 10 children are
romping 20+ SA children, which seems a bit high.

Drew

From m.anderlini at database.it Mon Sep 8 13:57:35 2008
From: m.anderlini at database.it (Marcello Anderlini)
Date: Mon Sep 8 13:57:55 2008
Subject: R: Italian spam
In-Reply-To:
References: <015e01c90f27$72acd3c0$2501a8c0@dbdomain.database.it>
Message-ID: <00cb01c911b2$77512fb0$2501a8c0@dbdomain.database.it>

I have these files in /root/.spamassassin.
In /var/spool/MailScanner/ I have nothing except a
SpamAssassin.cache.db in /var/spool/MailScanner/incoming.

I do not use spamd; spamassassin is called from MailScanner.
Is that correct?

Dr. Marcello Anderlini
m.anderlini@database.it
---------------------------------------------
Database Informatica S.r.l.
Microsoft Certified Partner
Tel. +39059775070
Fax. +39059779545
http://www.database.it
---------------------------------------------

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Mark Sapiro
Sent: Saturday 6 September 2008 2.54
To: MailScanner List
Subject: Re: Italian spam

Marcello Anderlini wrote:

>I suspect then that my bayes filter is not working correctly.
>I daily try to instruct spamassassin using
>===========================================
>sa-learn --spam --mbox /var/mail/spam and sa-learn --ham --mbox
>/var/mail/notspam
>===========================================
>
>But it still scores that kind of spam as non spam, ...

Where are the files

bayes.mutex
bayes_journal
bayes_toks
bayes_seen

In my case, the files that spamassassin uses when invoked by
MailScanner are

/var/spool/MailScanner/spamassassin/bayes.mutex
/var/spool/MailScanner/spamassassin/bayes_journal
/var/spool/MailScanner/spamassassin/bayes_toks
/var/spool/MailScanner/spamassassin/bayes_seen

However if I were to run sa-learn as userx, the files that would be
updated are in /home/userx/.spamassassin.

In my case also, I use spamd so I use for example

/usr/bin/spamc -u postfix -L spam < message

to learn a message as spam.
You may have to experiment with the -u option on sa-learn to get it to
update the right bayes database.

--
Mark Sapiro
The highway is for gamblers, San Francisco Bay Area, California
better use your sense - B. Dylan

--
Message checked by the antivirus service of Database Informatica

From spamlists at coders.co.uk Mon Sep 8 14:13:45 2008
From: spamlists at coders.co.uk (Matt Hampton)
Date: Mon Sep 8 14:14:55 2008
Subject: AW: Using Spamd rather than the SpamAssassin Library
In-Reply-To: <520F0D8E-EA1E-499C-B899-FB0342DA061A@technologytiger.net>
References: <48C1941F.40703@coders.co.uk> <5851C691-2A38-40CC-9134-73427193F4D7@technologytiger.net> <48C1ACE0.5020708@coders.co.uk> <48C2E9B8.9090801@coders.co.uk> <520F0D8E-EA1E-499C-B899-FB0342DA061A@technologytiger.net>
Message-ID: <48C52509.3080405@coders.co.uk>

Drew Marshall wrote:
> It's still working fine on a box that looks like it's going to chomp
> ~16k messages today :-)
>
Excellent
> One small question, so I can try to tune things a little more. How
> does MS hand the batch over to spamd? Is this one batch per spamd
> child? I have started spamd with an optimistic -m 30 and my MS 10
> children are romping 20+ SA children, which seems a bit high.
It does one per message - as there is the possibility that you are using
a different user for each message. I haven't seen this cause a slowdown
and even with 20 children, it will still be using less than 10 copies of
the rules in MailScanner.

Can you see what status they are in (it will be in the maillog)

regards

Matt

From jbuda at noticiasargentinas.com Mon Sep 8 15:42:03 2008
From: jbuda at noticiasargentinas.com (Jose Julian Buda)
Date: Mon Sep 8 15:42:03 2008
Subject: ClamAV 0.94
References:
Message-ID: <05b401c911c1$0ee8fc00$6000a8c0@tecnica>

Hi, I have a mail server with:
Debian etch
Postfix
Mailscanner
Clamav

Yesterday it work fine catching virus, but today i've made an upgrade
from clamav 0.93 to 0.94 and then the process stop catching mail with
virus, i mean, the mails are stopped anyway by "No programs allowed"
with mailscanner because of the extensions file, but there is not any
message or report from "ClamAv".

I have a txt file with eicar string, if i run on server:

cat filewitheicar.txt | mail jbuda@noticiasargentinas.com

the mail pass through the mailscanner and the workstation's antivirus
alert me about the eicar strings.

Why the mailscanner stop using clamav?

Thank you any help about this.

Sorry about my english

Jose Julian Buda

From dominian at slackadelic.com Mon Sep 8 15:48:00 2008
From: dominian at slackadelic.com (Matt Hayes)
Date: Mon Sep 8 15:48:15 2008
Subject: ClamAV 0.94
In-Reply-To: <05b401c911c1$0ee8fc00$6000a8c0@tecnica>
References: <05b401c911c1$0ee8fc00$6000a8c0@tecnica>
Message-ID: <48C53B20.4090304@slackadelic.com>

Jose Julian Buda wrote:
> Hi, I have a mail server with:
> Debian etch
> Postfix
> Mailscanner
> Clamav
>
> Yesterday it work fine catching virus, but today i've made an upgrade
> from clamav 0.93 to 0.94 and then
> the process stop catching mail with virus, i mean, the mails are stopped
> anyway by "No programs allowed" with mailscanner because of the
> extensions file, but there is not any message or report from "ClamAv".
>
> I have a txt file with eicar string, if i run on server:
>
> cat filewitheicar.txt | mail jbuda@noticiasargentinas.com
>
> the mail pass through the mailscanner and the workstation's antivirus
> alert me about the eicar strings.
>
> Why the mailscanner stop using clamav?
>
> Thank you any help about this.
>
> Sorry about my english
>
> Jose Julian Buda

Did you restart MailScanner after upgrading clamav?

-Matt

From list-mailscanner at linguaphone.com Mon Sep 8 15:53:33 2008
From: list-mailscanner at linguaphone.com (Gareth)
Date: Mon Sep 8 15:58:22 2008
Subject: ClamAV 0.94
In-Reply-To: <05b401c911c1$0ee8fc00$6000a8c0@tecnica>
References: <05b401c911c1$0ee8fc00$6000a8c0@tecnica>
Message-ID: <1220885612.32360.7.camel@gblades-suse.linguaphone-intranet.co.uk>

Did you run ldconfig after the upgrade?

On Mon, 2008-09-08 at 15:42, Jose Julian Buda wrote:
> Hi, I have a mail server with:
> Debian etch
> Postfix
> Mailscanner
> Clamav
>
> Yesterday it work fine catching virus, but today i've made an upgrade from
> clamav 0.93 to 0.94 and then
> the process stop catching mail with virus, i mean, the mails are stopped
> anyway by "No programs allowed" with mailscanner because of the extensions
> file, but there is not any message or report from "ClamAv".
>
> I have a txt file with eicar string, if i run on server:
>
> cat filewitheicar.txt | mail jbuda@noticiasargentinas.com
>
> the mail pass through the mailscanner and the workstation's antivirus alert
> me about the eicar strings.
>
> Why the mailscanner stop using clamav?
>
> Thank you any help about this.
>
> Sorry about my english
>
> Jose Julian Buda

From jbuda at noticiasargentinas.com Mon Sep 8 16:03:27 2008
From: jbuda at noticiasargentinas.com (Jose Julian Buda)
Date: Mon Sep 8 16:03:26 2008
Subject: ClamAV 0.94
References: <05b401c911c1$0ee8fc00$6000a8c0@tecnica> <48C53B20.4090304@slackadelic.com>
Message-ID: <002301c911c4$0c5acfb0$6000a8c0@tecnica>

----- Original Message -----
From: "Matt Hayes"
To: "MailScanner discussion"
Sent: Monday, September 08, 2008 11:48 AM
Subject: Re: ClamAV 0.94

> Jose Julian Buda wrote:
>> Hi, I have a mail server with:
>> Debian etch
>> Postfix
>> Mailscanner
>> Clamav
>>
>> Yesterday it work fine catching virus, but today i've made an upgrade
>> from clamav 0.93 to 0.94 and then
>> the process stop catching mail with virus, i mean, the mails are stopped
>> anyway by "No programs allowed" with mailscanner because of the
>> extensions file, but there is not any message or report from "ClamAv".
>>
>> I have a txt file with eicar string, if i run on server:
>>
>> cat filewitheicar.txt | mail jbuda@noticiasargentinas.com
>>
>> the mail pass through the mailscanner and the workstation's antivirus
>> alert me about the eicar strings.
>>
>> Why the mailscanner stop using clamav?
>>
>> Thank you any help about this.
>>
>> Sorry about my english
>>
>> Jose Julian Buda
>
> Did you restart MailScanner after upgrading clamav?
>
> -Matt

Yes, I did.
How can I see if the mailscanner call the clamscan program?

Thank you
Jose Julian Buda

From Denis.Beauchemin at USherbrooke.ca Mon Sep 8 16:10:30 2008
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Mon Sep 8 16:10:45 2008
Subject: ClamAV 0.94
In-Reply-To: <002301c911c4$0c5acfb0$6000a8c0@tecnica>
References: <05b401c911c1$0ee8fc00$6000a8c0@tecnica> <48C53B20.4090304@slackadelic.com> <002301c911c4$0c5acfb0$6000a8c0@tecnica>
Message-ID: <48C54066.10701@USherbrooke.ca>

Jose Julian Buda wrote:
>
> ----- Original Message -----
> From: "Matt Hayes"
> To: "MailScanner discussion"
> Sent: Monday, September 08, 2008 11:48 AM
> Subject: Re: ClamAV 0.94
>
>> Jose Julian Buda wrote:
>>> Hi, I have a mail server with:
>>> Debian etch
>>> Postfix
>>> Mailscanner
>>> Clamav
>>>
>>> Yesterday it work fine catching virus, but today i've made an upgrade
>>> from clamav 0.93 to 0.94 and then
>>> the process stop catching mail with virus, i mean, the mails are stopped
>>> anyway by "No programs allowed" with mailscanner because of the
>>> extensions file, but there is not any message or report from "ClamAv".
>>>
>>> I have a txt file with eicar string, if i run on server:
>>>
>>> cat filewitheicar.txt | mail jbuda@noticiasargentinas.com
>>>
>>> the mail pass through the mailscanner and the workstation's antivirus
>>> alert me about the eicar strings.
>>>
>>> Why the mailscanner stop using clamav?
>>>
>>> Thank you any help about this.
>>>
>>> Sorry about my english
>>>
>>> Jose Julian Buda
>>
>> Did you restart MailScanner after upgrading clamav?
>>
>> -Matt
>
> Yes, I did.
> How can I see if the mailscanner call the clamscan program?
>
> Thank you
> Jose Julian Buda

Jose Julian,

How about "MailScanner --lint" ?

See the output it gives on my system:

MailScanner --lint
Checking version numbers...
Version number in MailScanner.conf (4.63.2) is correct.

Checking for SpamAssassin errors (if you use it)...
SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
SpamAssassin reported no errors.
MailScanner.conf says "Virus Scanners = auto"
Found these virus scanners installed: bitdefender, clamd, mcafee
===========================================================================
Ignore errors about failing to find EOCD signature
===========================================================================
Virus Scanner test reports:
Clamd said "eicar.com was infected: Eicar-Test-Signature FOUND"
Bitdefender said "Found virus EICAR-Test-File (not a virus) in file eicar.com"
McAfee said "/1/eicar.com Found: EICAR test file NOT a virus."

If any of your virus scanners (bitdefender,clamd,mcafee)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its virus.scanners.conf.

Denis

--
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From dominian at slackadelic.com Mon Sep 8 16:11:02 2008
From: dominian at slackadelic.com (Matt Hayes)
Date: Mon Sep 8 16:11:14 2008
Subject: ClamAV 0.94
In-Reply-To: <002301c911c4$0c5acfb0$6000a8c0@tecnica>
References: <05b401c911c1$0ee8fc00$6000a8c0@tecnica> <48C53B20.4090304@slackadelic.com> <002301c911c4$0c5acfb0$6000a8c0@tecnica>
Message-ID: <48C54086.4080708@slackadelic.com>

Jose Julian Buda wrote:
>
> ----- Original Message -----
> From: "Matt Hayes"
> To: "MailScanner discussion"
> Sent: Monday, September 08, 2008 11:48 AM
> Subject: Re: ClamAV 0.94
>
>> Jose Julian Buda wrote:
>>> Hi, I have a mail server with:
>>> Debian etch
>>> Postfix
>>> Mailscanner
>>> Clamav
>>>
>>> Yesterday it work fine catching virus, but today i've made an upgrade
>>> from clamav 0.93 to 0.94 and then
>>> the process stop catching mail with virus, i mean, the mails are stopped
>>> anyway by "No programs allowed" with mailscanner because of the
>>> extensions file, but there is not any message or report from "ClamAv".
>>>
>>> I have a txt file with eicar string, if i run on server:
>>>
>>> cat filewitheicar.txt | mail jbuda@noticiasargentinas.com
>>>
>>> the mail pass through the mailscanner and the workstation's antivirus
>>> alert me about the eicar strings.
>>>
>>> Why the mailscanner stop using clamav?
>>>
>>> Thank you any help about this.
>>>
>>> Sorry about my english
>>>
>>> Jose Julian Buda
>>
>> Did you restart MailScanner after upgrading clamav?
>>
>> -Matt
>
> Yes, I did.
> How can I see if the mailscanner call the clamscan program?
>
> Thank you
> Jose Julian Buda

Try enabling debug mode in MailScanner.conf

-Matt

From jbuda at noticiasargentinas.com Mon Sep 8 16:11:18 2008
From: jbuda at noticiasargentinas.com (Jose Julian Buda)
Date: Mon Sep 8 16:11:17 2008
Subject: ClamAV 0.94
References: <05b401c911c1$0ee8fc00$6000a8c0@tecnica> <1220885612.32360.7.camel@gblades-suse.linguaphone-intranet.co.uk>
Message-ID: <002e01c911c5$25581990$6000a8c0@tecnica>

----- Original Message -----
From: "Gareth"
To: "MailScanner discussion"
Sent: Monday, September 08, 2008 11:53 AM
Subject: Re: ClamAV 0.94

> Did you run ldconfig after the upgrade?
>
> On Mon, 2008-09-08 at 15:42, Jose Julian Buda wrote:
>> Hi, I have a mail server with:
>> Debian etch
>> Postfix
>> Mailscanner
>> Clamav
>>
>> Yesterday it work fine catching virus, but today i've made an upgrade from
>> clamav 0.93 to 0.94 and then
>> the process stop catching mail with virus, i mean, the mails are stopped
>> anyway by "No programs allowed" with mailscanner because of the extensions
>> file, but there is not any message or report from "ClamAv".
>>
>> I have a txt file with eicar string, if i run on server:
>>
>> cat filewitheicar.txt | mail jbuda@noticiasargentinas.com
>>
>> the mail pass through the mailscanner and the workstation's antivirus alert
>> me about the eicar strings.
>>
>> Why the mailscanner stop using clamav?
>>
>> Thank you any help about this.
>>
>> Sorry about my english
>>
>> Jose Julian Buda
>
> __________ NOD32 information, revision 3424 (20080907) __________
>
> This message has been analyzed with NOD32 antivirus system
> http://www.nod32.com
>

No I didn't, but I never needed that command in the last upgrade before
this. Anyway I have run it later and the problem persists.

Is there a way to test if mailscanner is working properly? if the
mailscanner take the "Virus Scanners = clamav" setting?

Thank you
Jose Julian Buda

From jbuda at noticiasargentinas.com Mon Sep 8 16:28:11 2008
From: jbuda at noticiasargentinas.com (Jose Julian Buda)
Date: Mon Sep 8 16:28:10 2008
Subject: ClamAV 0.94
References: <05b401c911c1$0ee8fc00$6000a8c0@tecnica> <48C53B20.4090304@slackadelic.com><002301c911c4$0c5acfb0$6000a8c0@tecnica> <48C54066.10701@USherbrooke.ca>
Message-ID: <005901c911c7$81108f40$6000a8c0@tecnica>

----- Original Message -----
From: "Denis Beauchemin"
To: "MailScanner discussion"
Sent: Monday, September 08, 2008 12:10 PM
Subject: Re: ClamAV 0.94

Jose Julian Buda wrote:
>
> ----- Original Message -----
> From: "Matt Hayes"
> To: "MailScanner discussion"
> Sent: Monday, September 08, 2008 11:48 AM
> Subject: Re: ClamAV 0.94
>
>> Jose Julian Buda wrote:
>>> Hi, I have a mail server with:
>>> Debian etch
>>> Postfix
>>> Mailscanner
>>> Clamav
>>>
>>> Yesterday it work fine catching virus, but today i've made an upgrade
>>> from clamav 0.93 to 0.94 and then
>>> the process stop catching mail with virus, i mean, the mails are stopped
>>> anyway by "No programs allowed" with mailscanner because of the
>>> extensions file, but there is not any message or report from "ClamAv".
>>>
>>> I have a txt file with eicar string, if i run on server:
>>>
>>> cat filewitheicar.txt | mail jbuda@noticiasargentinas.com
>>>
>>> the mail pass through the mailscanner and the workstation's antivirus
>>> alert me about the eicar strings.
>>>
>>> Why the mailscanner stop using clamav?
>>>
>>> Thank you any help about this.
>>>
>>> Sorry about my english
>>>
>>> Jose Julian Buda
>>
>> Did you restart MailScanner after upgrading clamav?
>>
>> -Matt
>
> Yes, I did.
> How can I see if the mailscanner call the clamscan program?
>
> Thank you
> Jose Julian Buda

Jose Julian,

How about "MailScanner --lint" ?

See the output it gives on my system:

MailScanner --lint
Checking version numbers...
Version number in MailScanner.conf (4.63.2) is correct.

Checking for SpamAssassin errors (if you use it)...
SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
SpamAssassin reported no errors.
MailScanner.conf says "Virus Scanners = auto"
Found these virus scanners installed: bitdefender, clamd, mcafee
===========================================================================
Ignore errors about failing to find EOCD signature
===========================================================================
Virus Scanner test reports:
Clamd said "eicar.com was infected: Eicar-Test-Signature FOUND"
Bitdefender said "Found virus EICAR-Test-File (not a virus) in file eicar.com"
McAfee said "/1/eicar.com Found: EICAR test file NOT a virus."

If any of your virus scanners (bitdefender,clamd,mcafee)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its virus.scanners.conf.

Denis

--
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

This is what i get :

proxymails:~# MailScanner --lint
Read 748 hostnames from the phishing whitelist
MailScanner setting GID to (104)
MailScanner setting UID to (100)

Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
Using locktype = flock
MailScanner.conf says "Virus Scanners = clamav"
Found these virus scanners installed: clamav
proxymails:~#

But the clamav is not triggered anyway

I have changed to "Virus Scanners = auto" , it detect clamav , but the
problem persist

Thank you
Jose Julian Buda

From jra at baylink.com Mon Sep 8 16:38:17 2008
From: jra at baylink.com (Jay R. Ashworth)
Date: Mon Sep 8 16:38:29 2008
Subject: Looking for a test mail generator
In-Reply-To: <002301c911c4$0c5acfb0$6000a8c0@tecnica>
References: <48C53B20.4090304@slackadelic.com> <002301c911c4$0c5acfb0$6000a8c0@tecnica>
Message-ID: <20080908153817.GK17489@cgi.jachomes.com>

To test a new installation before a cutover, I'm trying to find (out
whether anyone has written) a program that can send a bunch of email to a
SMTP server, logging what it does (both logical and session level), so
that I can check that the results are what they should be.

Optimally, I'd like something that worked like this:

Provide it with 4 or 5 pieces of random spam, and 4 or 5 pieces of ham,
and have it try to -- in random order -- send each of the message bodies
to a) one or more provided valid addresses and b) one or more random
non-valid addresses on the provisioned domain, and c) one or more
completely random addresses.

The goal, of course, is to make sure that what should pass through passes
through, what should bounce bounces, what shouldn't backscatter doesn't,
and what should deliver does.

Has anyone already written this? I'm sure perl or python provides the
modules, but I'm not good enough at either to do it myself. I could
probably hack around something that does 60-70% of it into what I wanted,
though.

Cheers,
-- jra
--
Jay R. Ashworth Baylink jra@baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com '87 e24
St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274

Those who cast the vote decide nothing.
Those who count the vote decide everything.
-- (Josef Stalin)

From Denis.Beauchemin at USherbrooke.ca Mon Sep 8 16:42:35 2008
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Mon Sep 8 16:42:49 2008
Subject: ClamAV 0.94
In-Reply-To: <005901c911c7$81108f40$6000a8c0@tecnica>
References: <05b401c911c1$0ee8fc00$6000a8c0@tecnica> <48C53B20.4090304@slackadelic.com><002301c911c4$0c5acfb0$6000a8c0@tecnica> <48C54066.10701@USherbrooke.ca> <005901c911c7$81108f40$6000a8c0@tecnica>
Message-ID: <48C547EB.1090203@USherbrooke.ca>

> This is what i get :
>
> proxymails:~# MailScanner --lint
> Read 748 hostnames from the phishing whitelist
> MailScanner setting GID to (104)
> MailScanner setting UID to (100)
>
> Checking for SpamAssassin errors (if you use it)...
> Using SpamAssassin results cache
> Connected to SpamAssassin cache database
> SpamAssassin reported no errors.
> Using locktype = flock
> MailScanner.conf says "Virus Scanners = clamav"
> Found these virus scanners installed: clamav
> proxymails:~#

Jose Julian,

I don't see a version number in the output. I think your version of MS
is probably quite old. You should upgrade to the latest stable version
because you cannot run Clam 0.94 with an old version of MS. Clam changed
too many things lately.

Denis

--
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From Carl.Andrews at crackerbarrel.com Mon Sep 8 16:45:49 2008
From: Carl.Andrews at crackerbarrel.com (Andrews Carl 448)
Date: Mon Sep 8 16:46:01 2008
Subject: Officecat (Sourcefire)
Message-ID:

Link: http://www.snort.org/vrt/tools/officecat.html

I just read about this, it might be something useful to add to an email
gateway. There are windows and linux (compiled against ubuntu)
executables.

Thanks,
Carl

From drew.marshall at technologytiger.net Mon Sep 8 16:27:41 2008
From: drew.marshall at technologytiger.net (Drew Marshall)
Date: Mon Sep 8 16:55:25 2008
Subject: AW: Using Spamd rather than the SpamAssassin Library
In-Reply-To: <48C52509.3080405@coders.co.uk>
References: <48C1941F.40703@coders.co.uk> <5851C691-2A38-40CC-9134-73427193F4D7@technologytiger.net> <48C1ACE0.5020708@coders.co.uk> <48C2E9B8.9090801@coders.co.uk> <520F0D8E-EA1E-499C-B899-FB0342DA061A@technologytiger.net> <48C52509.3080405@coders.co.uk>
Message-ID: <7A9C1520-4D96-4DDE-B04C-1C690069A2BE@technologytiger.net>

On 8 Sep 2008, at 14:13, Matt Hampton wrote:

> Drew Marshall wrote:
>>
>> One small question, so I can try to tune things a little more. How
>> does MS hand the batch over to spamd? Is this one batch per spamd
>> child? I have started spamd with an optimistic -m 30 and my MS 10
>> children are romping 20+ SA children, which seems a bit high.
> It does one per message - as there is the possibility that you are
> using a different user for each message. I haven't seen this cause
> a slowdown and even with 20 children, it will still be using less
> than 10 copies of the rules in MailScanner.
> Can you see what status they are in (it will be in the maillog)

Interesting... So there is the potential that with say 10 children, each
with 20 messages that I am going to need 200 SA children? I fear I will
have run out of memory by then! Hmm...

Drew

From jbuda at noticiasargentinas.com Mon Sep 8 16:55:58 2008
From: jbuda at noticiasargentinas.com (Jose Julian Buda)
Date: Mon Sep 8 16:55:57 2008
Subject: ClamAV 0.94
References: <05b401c911c1$0ee8fc00$6000a8c0@tecnica> <48C53B20.4090304@slackadelic.com><002301c911c4$0c5acfb0$6000a8c0@tecnica> <48C54066.10701@USherbrooke.ca><005901c911c7$81108f40$6000a8c0@tecnica> <48C547EB.1090203@USherbrooke.ca>
Message-ID: <00b601c911cb$625b6580$6000a8c0@tecnica>

----- Original Message -----
From: "Denis Beauchemin"
To: "MailScanner discussion"
Sent: Monday, September 08, 2008 12:42 PM
Subject: Re: ClamAV 0.94

> This is what i get :
>
> proxymails:~# MailScanner --lint
> Read 748 hostnames from the phishing whitelist
> MailScanner setting GID to (104)
> MailScanner setting UID to (100)
>
> Checking for SpamAssassin errors (if you use it)...
> Using SpamAssassin results cache
> Connected to SpamAssassin cache database
> SpamAssassin reported no errors.
> Using locktype = flock
> MailScanner.conf says "Virus Scanners = clamav"
> Found these virus scanners installed: clamav
> proxymails:~#

Jose Julian,

I don't see a version number in the output. I think your version of MS
is probably quite old. You should upgrade to the latest stable version
because you cannot run Clam 0.94 with an old version of MS. Clam changed
too many things lately.

Denis

--
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

i have this installed :

proxymails:~# apt-cache show mailscanner
Package: mailscanner
Priority: optional
Section: mail
Installed-Size: 3836
Maintainer: Debian QA Group
Architecture: all
Version: 4.55.10-3

How can i get a newer?
Is that the problem?

Thank you
Jose Julian Buda

From alex at rtpty.com Mon Sep 8 16:57:14 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Mon Sep 8 16:57:28 2008
Subject: Looking for a test mail generator
In-Reply-To: <20080908153817.GK17489@cgi.jachomes.com>
References: <48C53B20.4090304@slackadelic.com> <002301c911c4$0c5acfb0$6000a8c0@tecnica> <20080908153817.GK17489@cgi.jachomes.com>
Message-ID: <55CCA7C0-9F7F-4F72-A335-28D5DF34F2C5@rtpty.com>

You could probably do this with netcat and bash...

Sent from my iPhone

On Sep 8, 2008, at 10:38 AM, "Jay R. Ashworth" wrote:

> To test a new installation before a cutover, I'm trying to find (out
> whether anyone has written) a program that can send a bunch of email
> to a SMTP server, logging what it does (both logical and session
> level), so that I can check that the results are what they should be.
>
> Optimally, I'd like something that worked like this:
>
> Provide it with 4 or 5 pieces of random spam, and 4 or 5 pieces of
> ham, and have it try to -- in random order -- send each of the message
> bodies to a) one or more provided valid addresses and b) one or more
> random non-valid addresses on the provisioned domain, and c) one or
> more completely random addresses.
>
> The goal, of course, is to make sure that what should pass through
> passes through, what should bounce bounces, what shouldn't backscatter
> doesn't, and what should deliver does.
>
> Has anyone already written this? I'm sure perl or python provides the
> modules, but I'm not good enough at either to do it myself. I could
> probably hack around something that does 60-70% of it into what I
> wanted, though.
>
> Cheers,
> -- jra
> --
> Jay R. Ashworth Baylink jra@baylink.com
> Designer The Things I Think RFC 2100
> Ashworth & Associates http://baylink.pitas.com '87 e24
> St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
>
> Those who cast the vote decide nothing.
> Those who count the vote decide everything.
> -- (Josef Stalin)

From jra at baylink.com Mon Sep 8 16:59:06 2008
From: jra at baylink.com (Jay R. Ashworth)
Date: Mon Sep 8 16:59:17 2008
Subject: Looking for a test mail generator (unthreaded)
Message-ID: <20080908155906.GA17894@cgi.jachomes.com>

I am not having a good day today. Twice. In 5 minutes...

Unthreadjacked:

To test a new installation before a cutover, I'm trying to find (out
whether anyone has written) a program that can send a bunch of email to a
SMTP server, logging what it does (both logical and session level), so
that I can check that the results are what they should be.

Optimally, I'd like something that worked like this:

Provide it with 4 or 5 pieces of random spam, and 4 or 5 pieces of ham,
and have it try to -- in random order -- send each of the message bodies
to a) one or more provided valid addresses and b) one or more random
non-valid addresses on the provisioned domain, and c) one or more
completely random addresses.

The goal, of course, is to make sure that what should pass through passes
through, what should bounce bounces, what shouldn't backscatter doesn't,
and what should deliver does.

Has anyone already written this? I'm sure perl or python provides the
modules, but I'm not good enough at either to do it myself. I could
probably hack around something that does 60-70% of it into what I wanted,
though.

Cheers,
-- jra
--
Jay R. Ashworth Baylink jra@baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com '87 e24
St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274

Those who cast the vote decide nothing.
Those who count the vote decide everything.
-- (Josef Stalin)

From spamlists at coders.co.uk Mon Sep 8 17:27:51 2008
From: spamlists at coders.co.uk (Matt Hampton)
Date: Mon Sep 8 17:28:26 2008
Subject: AW: Using Spamd rather than the SpamAssassin Library
In-Reply-To: <7A9C1520-4D96-4DDE-B04C-1C690069A2BE@technologytiger.net>
References: <48C1941F.40703@coders.co.uk> <5851C691-2A38-40CC-9134-73427193F4D7@technologytiger.net> <48C1ACE0.5020708@coders.co.uk> <48C2E9B8.9090801@coders.co.uk> <520F0D8E-EA1E-499C-B899-FB0342DA061A@technologytiger.net> <48C52509.3080405@coders.co.uk> <7A9C1520-4D96-4DDE-B04C-1C690069A2BE@technologytiger.net>
Message-ID: <48C55287.8050608@coders.co.uk>

Drew Marshall wrote:
>
> Interesting... So there is the potential that with say 10 children,
> each with 20 messages that I am going to need 200 SA children? I fear
> I will have run out of memory by then! Hmm...

Nope - they are processed sequentially - each batch will open a
connection for the first message, wait for the response, close the
connection, open the connection for the second message etc

Once each message is finished there is a short delay whilst the server
thread shuts down (updating bayes etc) before it can be used again. So
it is possible for more than one child to be open per MS Child.

matt

From steve at fsl.com Mon Sep 8 17:34:58 2008
From: steve at fsl.com (Stephen Swaney)
Date: Mon Sep 8 17:35:11 2008
Subject: Looking for a test mail generator (unthreaded)
In-Reply-To: <20080908155906.GA17894@cgi.jachomes.com>
References: <20080908155906.GA17894@cgi.jachomes.com>
Message-ID: <48C55432.5020505@fsl.com>

Jay R. Ashworth wrote:
> I am not having a good day today. Twice. In 5 minutes...
>
> Unthreadjacked:
>
>
> To test a new installation before a cutover, I'm trying to find (out
> whether anyone has written) a program that can send a bunch of email to a
> SMTP server, logging what it does (both logical and session level), so
> that I can check that the results are what they should be.
>
> Optimally, I'd like something that worked like this:
>
> Provide it with 4 or 5 pieces of random spam, and 4 or 5 pieces of ham,
> and have it try to -- in random order -- send each of the message bodies
> to a) one or more provided valid addresses and b) one or more random
> non-valid addresses on the provisioned domain, and c) one or more
> completely random addresses.
>
> The goal, of course, is to make sure that what should pass through passes
> through, what should bounce bounces, what shouldn't backscatter doesn't,
> and what should deliver does.
>
> Has anyone already written this? I'm sure perl or python provides the
> modules, but I'm not good enough at either to do it myself. I could
> probably hack around something that does 60-70% of it into what I wanted,
> though.
>
> Cheers,
> -- jra
>

Jay,

Look at http://www.snertsoft.com/sendmail/roundhouse/

I quote from Anthony Howe's site:

"This is an SMTP multiplexer, which takes the input from an SMTP client
connection and copies it to one or more SMTP servers. Intended as means
to debug and test different mail server configurations using a
production mail server's live data stream."

You can test with your real mail stream:)

Steve

Steve Swaney
steve@fsl.com
Cell: 202 352.3262
Office: 202 595.7760, ext 601
www.fsl.com

From aflynn at thornlawrence.com Mon Sep 8 17:38:30 2008
From: aflynn at thornlawrence.com (Alanna Flynn)
Date: Mon Sep 8 17:38:41 2008
Subject: Changing Host Companies
Message-ID:

Dear Mr. Fitzpatrick,

I was given your website by Earl Bryan. I work for the law firm of
Thorn | Lawrence, P.L. Mr. Thorn is one of the senior partners I work
for. We would like to discuss the cost and what type of information you
would need in order to change host companies for one of our clients.
Please contact me at the number below at your earliest convenience.

Sincerely,

Alanna M. Flynn
Paralegal to Eric Thorn & Marcus Lawrence
Thorn | Lawrence, P.L.
402 East Oak Avenue, Suite 101
Tampa, Florida 33602
Telephone No.: (813) 514-8355
Facsimile No.: (813) 223-1867
URL: http://www.thornlawrence.com
Email: aflynn@thornlawrence.com

From dominian at slackadelic.com Mon Sep 8 17:41:16 2008
From: dominian at slackadelic.com (Matt Hayes)
Date: Mon Sep 8 17:41:31 2008
Subject: Changing Host Companies
In-Reply-To:
References:
Message-ID: <48C555AC.7010500@slackadelic.com>

Alanna Flynn wrote:
> Dear Mr. Fitzpatrick,
>
> I was given your website by Earl Bryan. I work for the law firm of
> Thorn | Lawrence, P.L. Mr. Thorn is one of the senior partners I work
> for. We would like to discuss the cost and what type of information you
> would need in order to change host companies for one of our clients.
> Please contact me at the number below at your earliest convenience.
>
> Sincerely,
>
> Alanna M. Flynn
> Paralegal to Eric Thorn & Marcus Lawrence
> Thorn | Lawrence, P.L.
> 402 East Oak Avenue, Suite 101
> Tampa, Florida 33602
> Telephone No.: (813) 514-8355
> Facsimile No.: (813) 223-1867
> URL: http://www.thornlawrence.com
> Email: aflynn@thornlawrence.com
>

er.. what? Whom are you speaking to?

-Matt

From gary at sgluk.com Mon Sep 8 17:41:15 2008
From: gary at sgluk.com (Gary Pentland)
Date: Mon Sep 8 17:41:33 2008
Subject: Looking for a test mail generator (unthreaded)
In-Reply-To:
References:
Message-ID:

This doesn't cover what you need but it is a very basic bulk mail
sender... I posted it in case the bit that sends the mail (at the
bottom) may be of use to you.

Hope that is of some help, when I get some time I'll have a go at
writing a tool for this purpose as I'm guessing a few people will find
it useful.

Gary

#!/usr/bin/perl -w
use Time::HiRes qw(usleep);

my $fromaddr = "name\@domain.com";
my $pathtorecipfile = "./recipientfile";
my $pathtomsgfile = "./messagefile";

my $messg = read_message_file($pathtomsgfile);
open_recipient_file($pathtorecipfile);

# One recipient address per line of the recipient file
while ($_ = <RECIPS>) {
    chomp;
    if (/([-_A-Za-z0-9@.]+)/) {
        $emailaddy = $1;
    } else {
        print ("Parse error for $_\n");
        next;
    }
    send_email($emailaddy,$fromaddr,$messg);
    usleep 10; #DEBUG
    print ("$fromaddr\t$emailaddy\n"); #DEBUG
}
close_recipient_file();

#####################################################
sub open_recipient_file {
    # One-argument open: the file name is read from the package variable $RECIPS
    $RECIPS = $pathtorecipfile;
    open (RECIPS) or die "Can't Open Recipient File $RECIPS:\n";
}

#####################################################
sub close_recipient_file {
    close(RECIPS);
}

#####################################################
sub read_message_file {
    $MESGFILE = $pathtomsgfile;
    open (MESGFILE) or die "Can't Open Message File $MESGFILE:\n";
    my @msg = <MESGFILE>;
    close(MESGFILE);    # close before returning (it was unreachable after the return)
    $message = join "",@msg;
    return $message;
}

#####################################################
sub send_email {
    my ($toaddr,$fromaddr,$messg) = @_;
    # DEBUG
    # print "DEBUG\n";
    # print "From Address: $fromaddr\n";
    # print "To Address: $toaddr\n";
    # print "Message Body $messg\n";
    # print "END DEBUG\n\n\n";
    # DEBUG
    # List-form pipe open: no shell is involved, so the sender address
    # reaches sendmail as one argument whatever characters it contains
    open (SENDMAIL, "|-", "/usr/lib/sendmail", "-oi", "-t", "-odq", "-f", $fromaddr)
        or die "Can't fork Sendmail: $!\n";
    print SENDMAIL "From: $fromaddr\nTo: $toaddr\nReply-To: $fromaddr\n$messg\n";
    close (SENDMAIL) or warn "Sendmail didn't close nicely";
}
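
The test matrix asked for in this thread, as an added example in Python (not code posted by any list member): it crosses spam and ham bodies with valid, invalid-local and foreign recipients in random order, records every SMTP reply, and flags any recipient class whose reply differs from what a server that neither backscatters nor relays should give. The host name, addresses, sample bodies and the X-Test-ID header are assumptions; anything the server does after accepting a message is not visible to the sender, so the ID is there to be matched against the receiving side's logs.

```python
"""Pre-cutover SMTP test matrix (added example). Every host, domain and
address here is a placeholder or a constructed sample, not from the thread."""
import random
import smtplib
from dataclasses import dataclass, field
from email import policy
from email.message import EmailMessage

# Reply class the sender should see at RCPT TO for each kind of recipient.
EXPECT = {
    "valid": "accept",          # real mailbox, local or passed through
    "invalid-local": "reject",  # unknown user: refuse in-session, no later bounce
    "foreign": "reject",        # domain we do not host: relaying must be refused
}


@dataclass
class Case:
    test_id: str
    kind: str          # "spam" or "ham"
    rcpt_class: str    # key of EXPECT
    rcpt: str
    body: str
    transcript: list = field(default_factory=list)  # session-level log


def build_plan(bodies, valid, domain, seed=None, n_invalid=2, n_foreign=2):
    """Cross every (kind, text) body with every target, in random order."""
    rng = random.Random(seed)

    def token(n=10):
        return "".join(rng.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(n))

    targets = [("valid", addr) for addr in valid]
    targets += [("invalid-local", f"nouser-{token()}@{domain}") for _ in range(n_invalid)]
    # .invalid is a reserved TLD, so these never resolve to a real third party.
    targets += [("foreign", f"{token()}@{token()}.invalid") for _ in range(n_foreign)]
    plan = [Case(f"{rng.getrandbits(48):012x}", kind, cls, rcpt, text)
            for kind, text in bodies for cls, rcpt in targets]
    rng.shuffle(plan)
    return plan


def smtp_send(case, host, port=25, sender="postmaster@test.example"):
    """Send one case, logging each command's reply. Returns the final reply
    code (the refusing command's, else DATA's), or 0 on a transport error."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, case.rcpt
    msg["Subject"] = f"cutover test {case.test_id}"
    msg["X-Test-ID"] = case.test_id       # lets receiver-side logs be matched up
    msg.set_content(case.body)
    try:
        with smtplib.SMTP(host, port, timeout=30) as smtp:
            for verb, call in (("EHLO", smtp.ehlo),
                               ("MAIL", lambda: smtp.mail(sender)),
                               ("RCPT", lambda: smtp.rcpt(case.rcpt))):
                code, text = call()
                case.transcript.append((verb, code, text.decode(errors="replace")))
                if code >= 400:
                    return code
            code, text = smtp.data(msg.as_bytes(policy=policy.SMTP))
            case.transcript.append(("DATA", code, text.decode(errors="replace")))
            return code
    except smtplib.SMTPResponseException as exc:   # e.g. DATA itself refused
        case.transcript.append(("ERROR", exc.smtp_code, str(exc)))
        return exc.smtp_code
    except (smtplib.SMTPException, OSError) as exc:
        case.transcript.append(("ERROR", 0, str(exc)))
        return 0


def verdict(case, code):
    """Compare the reply class against EXPECT; 4xx and errors never pass."""
    got = "accept" if 200 <= code < 300 else "reject" if 500 <= code < 600 else "tempfail"
    return got == EXPECT[case.rcpt_class], got


def run_plan(plan, send):
    """send(case) -> final SMTP code. Returns one result dict per case."""
    results = []
    for case in plan:
        code = send(case)
        ok, got = verdict(case, code)
        results.append({"id": case.test_id, "kind": case.kind, "class": case.rcpt_class,
                        "rcpt": case.rcpt, "code": code, "got": got, "ok": ok})
    return results


def simulated_server(valid):
    """Stand-in for a correctly configured server, so the demo runs offline."""
    return lambda case: 250 if case.rcpt in valid else 550


if __name__ == "__main__":
    samples = [("ham", "Minutes of Tuesday's meeting attached."),   # constructed
               ("spam", "You have WON!!! Claim your prize today")]  # constructed
    mailboxes = ["alice@example.com"]
    plan = build_plan(samples, mailboxes, "example.com", seed=2008)
    # Against a real host: send = lambda c: smtp_send(c, "mx-new.example.net")
    for r in run_plan(plan, simulated_server(mailboxes)):
        print("PASS" if r["ok"] else "FAIL", r["id"], r["kind"], r["class"], r["rcpt"], r["code"])
```

A FAIL on an invalid-local case means the server accepted mail it will later have to bounce, and a FAIL on a foreign case means it agreed to relay.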
#####################################################

From csweeney at osubucks.org Mon Sep 8 17:45:05 2008
From: csweeney at osubucks.org (Chris Sweeney)
Date: Mon Sep 8 17:45:45 2008
Subject: Changing Host Companies
In-Reply-To:
References:
Message-ID: <945799266-1220892308-cardhu_decombobulator_blackberry.rim.net-1958471061-@bxe207.bisx.prod.on.blackberry>

Interesting spam.
---
Home Phone $10 per month, only from T-Mobile ask me for more information!

-----Original Message-----
From: "Alanna Flynn"
Date: Mon, 8 Sep 2008 12:38:30
To:
Cc: Eric Thorn
Subject: Changing Host Companies

From jra at baylink.com Mon Sep 8 17:59:20 2008
From: jra at baylink.com (Jay R. Ashworth)
Date: Mon Sep 8 17:59:30 2008
Subject: Looking for a test mail generator (unthreaded)
In-Reply-To: <48C55432.5020505@fsl.com>
References: <20080908155906.GA17894@cgi.jachomes.com> <48C55432.5020505@fsl.com>
Message-ID: <20080908165920.GA17955@cgi.jachomes.com>

On Mon, Sep 08, 2008 at 12:34:58PM -0400, Stephen Swaney wrote:
> Look at http://www.snertsoft.com/sendmail/roundhouse/
>
> I quote from Anthony Howe's site:
>
> "This is an SMTP multiplexer, which takes the input from an SMTP client
> connection and copies it to one or more SMTP servers. Intended as means
> to debug and test different mail server configurations using a
> production mail server's live data stream."
>
> You can test with your real mail stream:)

I think someone else suggested that, in a query that I posted somewhere
else last week.

The problem is that part of what I need to test is the new server's
ability to both terminate some mailboxes in the domain, and pass others
through to my Exchange server that I can't kill yet. And that approach
would cause me to end up with dupes on every message.

Cheers,
-- jra
--
Jay R. Ashworth Baylink jra@baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com '87 e24
St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274

Those who cast the vote decide nothing.
Those who count the vote decide everything.
-- (Josef Stalin)

From Denis.Beauchemin at USherbrooke.ca Mon Sep 8 18:34:32 2008
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Mon Sep 8 18:34:46 2008
Subject: ClamAV 0.94
In-Reply-To: <00b601c911cb$625b6580$6000a8c0@tecnica>
References: <05b401c911c1$0ee8fc00$6000a8c0@tecnica> <48C53B20.4090304@slackadelic.com><002301c911c4$0c5acfb0$6000a8c0@tecnica> <48C54066.10701@USherbrooke.ca><005901c911c7$81108f40$6000a8c0@tecnica> <48C547EB.1090203@USherbrooke.ca> <00b601c911cb$625b6580$6000a8c0@tecnica>
Message-ID: <48C56228.4070307@USherbrooke.ca>

Jose Julian Buda wrote:
>
> ----- Original Message ----- From: "Denis Beauchemin"
>
> To: "MailScanner discussion"
> Sent: Monday, September 08, 2008 12:42 PM
> Subject: Re: ClamAV 0.94
>
>
>> This is what i get :
>>
>> proxymails:~# MailScanner --lint
>> Read 748 hostnames from the phishing whitelist
>> MailScanner setting GID to (104)
>> MailScanner setting UID to (100)
>>
>> Checking for SpamAssassin errors (if you use it)...
>> Using SpamAssassin results cache
>> Connected to SpamAssassin cache database
>> SpamAssassin reported no errors.
>> Using locktype = flock
>> MailScanner.conf says "Virus Scanners = clamav"
>> Found these virus scanners installed: clamav
>> proxymails:~#
> Jose Julian,
>
> I don't see a version number in the output. I think your version of MS
> is probably quite old. You should upgrade to the latest stable version
> because you cannot run Clam 0.94 with an old version of MS. Clam changed
> too many things lately.
>
> Denis
>
> i have this installed :
>
> proxymails:~# apt-cache show mailscanner
> Package: mailscanner
> Priority: optional
> Section: mail
> Installed-Size: 3836
> Maintainer: Debian QA Group
> Architecture: all
> Version: 4.55.10-3
>
>
> How can i get a newer?
> Is that the problem?

Jose Julian,

Your version is *really* old! You really should upgrade!!

I don't run MS on a Debian-based Linux... but I found this in the wiki:
http://wiki.mailscanner.info/doku.php?id=how_to_setup_mailscanner_on_ubuntu_8.04

It should point you in the right direction.

Denis
--
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From ssilva at sgvwater.com Mon Sep 8 19:09:36 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Sep 8 19:10:45 2008
Subject: ClamAV 0.94
In-Reply-To: <05b401c911c1$0ee8fc00$6000a8c0@tecnica>
References: <05b401c911c1$0ee8fc00$6000a8c0@tecnica>
Message-ID:

on 9-8-2008 7:42 AM Jose Julian Buda spake the following:
> Hi , I have a mail server with :
> Debian etch
> Postfix
> Mailscanner
> Clamav
>
> Yesterday it work fine catching virus, but today i've made an upgrade
> from clamav 0.93 to 0.94 and then
> the process stop catching mail with virus, i mean , the mails are stopped
> anyway by "No programs allowed" with mailscanner because of the
> extensions file, but there is not any message or report from "ClamAv".
>
> I have a txt file with eicar string , if i run on server:
>
> cat filewitheicar.txt | mail jbuda@noticiasargentinas.com
>
> the mail pass through the mailscanner and the workstation's antivirus
> alert me about the eicar strings.
>
> Why the mailscanner stop using clamav?
>
> Thank you any help about this.
>
> Sorry about my english
>
> Jose Julian Buda

There is a problem with mailscanner and the 0.94 clamscan. There is a
patch floating on the mailing list, or you can load the next beta, which
might have the patch in it. Or better yet, run clamd and use it. It is
much faster, and has a lower system load.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From jbuda at noticiasargentinas.com Mon Sep 8 19:29:54 2008
From: jbuda at noticiasargentinas.com (Jose Julian Buda)
Date: Mon Sep 8 19:29:53 2008
Subject: ClamAV 0.94
References: <05b401c911c1$0ee8fc00$6000a8c0@tecnica>
Message-ID: <023401c911e0$e3b8b7d0$6000a8c0@tecnica>

----- Original Message -----
From: "Scott Silva"
To:
Sent: Monday, September 08, 2008 3:09 PM
Subject: Re: ClamAV 0.94

Thank you .

Now, the clamd daemon is running, how do i tell the mailscanner to use it?

Thank you again
Jose Julian Buda

From Denis.Beauchemin at USherbrooke.ca Mon Sep 8 19:38:04 2008
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Mon Sep 8 19:38:22 2008
Subject: ClamAV 0.94
In-Reply-To: <023401c911e0$e3b8b7d0$6000a8c0@tecnica>
References: <05b401c911c1$0ee8fc00$6000a8c0@tecnica> <023401c911e0$e3b8b7d0$6000a8c0@tecnica>
Message-ID: <48C5710C.6010009@USherbrooke.ca>

Jose Julian Buda wrote:
>
> ----- Original Message ----- From: "Scott Silva"
> To:
> Sent: Monday, September 08, 2008 3:09 PM
> Subject: Re: ClamAV 0.94
>
>
> Thank you .
>
> Now, the clamd daemon is running, how do i tell the mailscanner to use
> it?
>
> Thank you again
> Jose Julian Buda
>
>

Jose Julian,

I believe your MS version is too old to know about clamd... You really
need to upgrade!

Denis
--
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From ssilva at sgvwater.com Mon Sep 8 20:00:11 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Sep 8 20:01:17 2008
Subject: AW: Using Spamd rather than the SpamAssassin Library
In-Reply-To: <7A9C1520-4D96-4DDE-B04C-1C690069A2BE@technologytiger.net>
References: <48C1941F.40703@coders.co.uk> <5851C691-2A38-40CC-9134-73427193F4D7@technologytiger.net> <48C1ACE0.5020708@coders.co.uk> <48C2E9B8.9090801@coders.co.uk> <520F0D8E-EA1E-499C-B899-FB0342DA061A@technologytiger.net> <48C52509.3080405@coders.co.uk> <7A9C1520-4D96-4DDE-B04C-1C690069A2BE@technologytiger.net>
Message-ID:

on 9-8-2008 8:27 AM Drew Marshall spake the following:
> On 8 Sep 2008, at 14:13, Matt Hampton wrote:
>
>> Drew Marshall wrote:
>>>
>>> One small question, so I can try to tune things a little more. How
>>> does MS hand the batch over to spamd? Is this one batch per spamd
>>> child? I have started spamd with an optimistic -m 30 and my MS 10
>>> children are romping 20+ SA children, which seems a bit high.
>> It does one per message - as there is the possibility that you are
>> using a different user for each message. I haven't seen this cause a
>> slowdown and even with 20 children, it will still be using less than
>> 10 copies of the rules in MailScanner.
>> Can you see what status they are in (it will be in the maillog)
>
> Interesting... So there is the potential that with say 10 children, each
> with 20 messages that I am going to need 200 SA children? I fear I will
> have run out of memory by then! Hmm...
>

I think the spamd children use much less memory than the children
started by MailScanner.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com Mon Sep 8 20:06:56 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Sep 8 20:08:05 2008
Subject: Changing Host Companies
In-Reply-To: <945799266-1220892308-cardhu_decombobulator_blackberry.rim.net-1958471061-@bxe207.bisx.prod.on.blackberry>
References: <945799266-1220892308-cardhu_decombobulator_blackberry.rim.net-1958471061-@bxe207.bisx.prod.on.blackberry>
Message-ID:

on 9-8-2008 9:45 AM Chris Sweeney spake the following:
> Interesting spam.
> ---
> Home Phone $10 per month, only from T-Mobile ask me for more information!
>

Isn't the T-Mobile ad also spam?
Although I'm sure that T-Mobile is adding that for you without your
knowledge.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From hvdkooij at vanderkooij.org Mon Sep 8 20:08:17 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Mon Sep 8 20:08:27 2008
Subject: Officecat (Sourcefire)
In-Reply-To:
References:
Message-ID: <48C57821.1060306@vanderkooij.org>

Andrews Carl 448 wrote:
> Link: http://www.snort.org/vrt/tools/officecat.html
>
> I just read about this, it might be something useful to add to an email
> gateway. There are windows and linux (compiled against ubuntu) executables.
>

Where I read:

OfficeCat is a command line utility that can be used to process
Microsoft Office Documents for the presence of potential exploit
conditions in the file. The tool is used on Windows systems and is
provided as a binary executable.

That ubuntu stuff is just some wine wrapper. So why not use the original
windows stuff and setup wine yourself.

Why they have chosen to do a windows only version is something
SourceFire might never answer. But I find it rather disturbing.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

From jra at baylink.com Mon Sep 8 20:19:40 2008
From: jra at baylink.com (Jay R. Ashworth)
Date: Mon Sep 8 20:19:50 2008
Subject: Changing Host Companies
In-Reply-To:
References: <945799266-1220892308-cardhu_decombobulator_blackberry.rim.net-1958471061-@bxe207.bisx.prod.on.blackberry>
Message-ID: <20080908191940.GO17955@cgi.jachomes.com>

On Mon, Sep 08, 2008 at 12:06:56PM -0700, Scott Silva wrote:
> on 9-8-2008 9:45 AM Chris Sweeney spake the following:
> >Interesting spam.
> >---
> >Home Phone $10 per month, only from T-Mobile ask me for more information!
> >
> Isn't the T-Mobile ad also spam?
> Although I'm sure that T-Mobile is adding that for you without your
> knowledge.

IME, no, it's not, even if he had put it there himself.

Spam, to me, is a) unsolicited mail whose b) sole purpose is to solicit
a sale. If he had that in his sig on a message he posted to a
conversation which contained otherwise useful information (however
slight), then I don't call it spam, myself.

If it was someone *else's* thread, and he just perked in to say
"meetoo!", then you have to look further, to things like "is the person
a regular contributor", etc...

If Spam were black and white, SA wouldn't have so many lines of code. :-)

Cheers,
-- jra
--
Jay R. Ashworth Baylink jra@baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com '87 e24
St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274

Those who cast the vote decide nothing.
Those who count the vote decide everything.
-- (Josef Stalin)

From ssilva at sgvwater.com Mon Sep 8 20:14:46 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Sep 8 20:20:15 2008
Subject: ClamAV 0.94
In-Reply-To: <023401c911e0$e3b8b7d0$6000a8c0@tecnica>
References: <05b401c911c1$0ee8fc00$6000a8c0@tecnica> <023401c911e0$e3b8b7d0$6000a8c0@tecnica>
Message-ID:

>>
>
> Thank you .
>
> Now, the clamd daemon is running, how do i tell the mailscanner to use it?
>
> Thank you again

You will need to upgrade your mailscanner version. Debian uses a version
that is probably 3 years old by now. In MailScanner time that is like 30
generations.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From jra at baylink.com Mon Sep 8 20:22:08 2008
From: jra at baylink.com (Jay R. Ashworth)
Date: Mon Sep 8 20:22:17 2008
Subject: Officecat (Sourcefire)
In-Reply-To: <48C57821.1060306@vanderkooij.org>
References: <48C57821.1060306@vanderkooij.org>
Message-ID: <20080908192208.GP17955@cgi.jachomes.com>

On Mon, Sep 08, 2008 at 09:08:17PM +0200, Hugo van der Kooij wrote:
> Why they have choosen to do a windows only version is something
> SourceFire might never answer. But I find it rather disturbing.

Bet cash it's because they decided to leverage some .NET module or
something...

Cheers,
-- jra
--
Jay R. Ashworth Baylink jra@baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com '87 e24
St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274

Those who cast the vote decide nothing.
Those who count the vote decide everything.
-- (Josef Stalin)

From hvdkooij at vanderkooij.org Mon Sep 8 20:27:55 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Mon Sep 8 20:28:08 2008
Subject: Looking for a test mail generator (unthreaded)
In-Reply-To: <20080908155906.GA17894@cgi.jachomes.com>
References: <20080908155906.GA17894@cgi.jachomes.com>
Message-ID: <48C57CBB.3000508@vanderkooij.org>

Jay R. Ashworth wrote:
> I am not having a good day today. Twice. In 5 minutes...
>
> Unthreadjacked:
>
>
> To test a new installation before a cutover, I'm trying to find (out
> whether anyone has written) a program that can send a bunch of email to a
> SMTP server, logging what it does (both logical and session level), so
> that I can check that the results are what they should be.

A sender only has the view of what it communicates with the receiver.
Whatever happens after the receiver takes over is anyone's guess. But it
is not of any concern to the sender anymore.

So I fail to see how you could do this on a session level from the
sender.

I would say that just doing a darn good job of configuring things right
and bringing it live is the best test.

I have written some code to do a keepalive check to see if the whole
spam and AV chain works. The sending part is peanuts in perl. The
verification part was the tough part.

The chain goes like:

TEST server ==> Spam box ==> AV box ==> TEST server

So I end up by getting what I did send out if nothing breaks down. But
it is a twist in that I need to configure an extra domain into my
customer configuration to do this.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

From hvdkooij at vanderkooij.org Mon Sep 8 20:41:06 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Mon Sep 8 20:41:16 2008
Subject: ClamAV 0.94
In-Reply-To:
References: <05b401c911c1$0ee8fc00$6000a8c0@tecnica> <023401c911e0$e3b8b7d0$6000a8c0@tecnica>
Message-ID: <48C57FD2.1050807@vanderkooij.org>

Scott Silva wrote:
>> Now, the clamd daemon is running, how do i tell the mailscanner to use
>> it?
> You will need to upgrade your mailscanner version. Debian uses a version
> that is probably 3 years old by now. In MailScanner time that is like 30
> generations.

In spam terms that is about 15 generations ago.

I would recommend that Jules defines a version policy about how many
versions back something is considered too old to be even bothered with
and notification is sent to the Debian team that their prehistoric
version is too old to keep in their system.

Keeping up was my greatest concern in regard to building a repository
for MailScanner.

Hugo.

PS: Did anyone bother to check the awstats statistics?

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

From mark at msapiro.net Mon Sep 8 22:09:56 2008
From: mark at msapiro.net (Mark Sapiro)
Date: Mon Sep 8 22:10:07 2008
Subject: Italian spam
In-Reply-To: <00cb01c911b2$77512fb0$2501a8c0@dbdomain.database.it>
References: <015e01c90f27$72acd3c0$2501a8c0@dbdomain.database.it> <00cb01c911b2$77512fb0$2501a8c0@dbdomain.database.it>
Message-ID: <20080908210956.GA2516@msapiro>

On Mon, Sep 08, 2008 at 02:57:35PM +0200, Marcello Anderlini wrote:
> I have these file in /root/.spamassassin. In /var/spool/MailScanner/ I have
> not nothing except a SpamAssassin.cache.db in
> /var/spool/MailScanner/incoming
>
> I do not use spamd but spamassassin it's called from Mailscanner.
>
> It's correct ?

So if you run sa-learn as root, it updates the bayes files in
/root/.spamassassin/

If MailScanner is also running as root, it is probably also using the
same bayes files and should be learning from your sa-learn, but if it is
running as some other user it may be using a different set.

Try

  find / -name bayes.mutex

and see if you find any other sets of spamassassin bayes files.

> bayes.mutex
> bayes_journal
> bayes_toks
> bayes_seen

--
Mark Sapiro mark at msapiro net       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From edward at tdcs.com.au Tue Sep 9 00:37:51 2008
From: edward at tdcs.com.au (Edward Dekkers)
Date: Tue Sep 9 00:38:46 2008
Subject: Looking for a test mail generator (unthreaded)
In-Reply-To: <20080908155906.GA17894@cgi.jachomes.com>
References: <20080908155906.GA17894@cgi.jachomes.com>
Message-ID:

> I am not having a good day today. Twice. In 5 minutes...
>
> Unthreadjacked:
>
>
> To test a new installation before a cutover, I'm trying to find (out
> whether anyone has written) a program that can send a bunch of email to
> a SMTP server, logging what it does (both logical and session level), so
> that I can check that the results are what they should be.
>
> Optimally, I'd like something that worked like this:
>
> Provide it with 4 or 5 pieces of random spam, and 4 or 5 pieces of ham,
> and have it try to -- in random order -- send each of the message
> bodies to a) one or more provided valid addresses and b) one or more
> random non-valid addresses on the provisioned domain, and c) one or more
> completely random addresses.
>
> The goal, of course, is to make sure that what should pass through
> passes through, what should bounce bounces, what shouldn't backscatter
> doesn't, and what should deliver does.
>
> Has anyone already written this? I'm sure perl or python provides the
> modules, but I'm not good enough at either to do it myself. I could
> probably hack around something that does 60-70% of it into what I
> wanted, though.
>
> Cheers,
> -- jra

Could you use this as a base?

http://tools.declude.com/

Regards,
Ed.

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From jim.barber at ddihealth.com Tue Sep 9 02:38:41 2008
From: jim.barber at ddihealth.com (Jim Barber)
Date: Tue Sep 9 02:39:06 2008
Subject: ClamAV 0.94
In-Reply-To: <48C57FD2.1050807@vanderkooij.org>
References: <05b401c911c1$0ee8fc00$6000a8c0@tecnica> <023401c911e0$e3b8b7d0$6000a8c0@tecnica> <48C57FD2.1050807@vanderkooij.org>
Message-ID: <48C5D3A1.9010201@ddihealth.com>

Hugo van der Kooij wrote:
> Scott Silva wrote:
>
>>> Now, the clamd daemon is running, how do i tell the mailscanner to use
>>> it?
>
>> You will need to upgrade your mailscanner version. Debian uses a version
>> that is probably 3 years old by now. In MailScanner time that is like 30
>> generations.
>
> In spam terms that is about 15 generations ago.
>
> I would recommend that Jules defines a version policy about how many
> versions back something is considered too old to be even bothered with
> and notification is sent to the Debian team that their prehistoric
> version is too old to keep in their system.
>
> Keeping up was my greatest concern in regard to building a repository
> for MailScanner.
>
> Hugo.
>
> PS: Did anyone bother to check the awstats statistics?

The version of MailScanner in Debian's testing / lenny distribution is
4.68.8. That's also really old, but it does have the ability to use
clamd (I'm using it successfully).

To use it I needed to add the Debian-exim user to the clamav group.
I also added the clamav user to the Debian-exim group, but you may be
able to avoid that by setting "Incoming Work Group = clamav" in the
config below.

Then you need to set a few values in your /etc/MailScanner/MailScanner.conf
file:

  Incoming Work Permissions = 0660
  Virus Scanners = clamd
  Monitors for ClamAV Updates = /var/lib/clamav/*.inc/* /var/lib/clamav/*.cvd

Regards,

----------
Jim Barber
DDI Health

From m.anderlini at database.it Tue Sep 9 09:49:57 2008
From: m.anderlini at database.it (Marcello Anderlini)
Date: Tue Sep 9 09:50:27 2008
Subject: R: Italian spam
In-Reply-To: <20080908210956.GA2516@msapiro>
References: <015e01c90f27$72acd3c0$2501a8c0@dbdomain.database.it><00cb01c911b2$77512fb0$2501a8c0@dbdomain.database.it> <20080908210956.GA2516@msapiro>
Message-ID: <01b801c91259$09578610$2501a8c0@dbdomain.database.it>

I have not found any bayes.mutex. So could I be sure that spamassassin is
using the bayes database store in /root/.spamassassin ?

Dr. Marcello Anderlini
m.anderlini@database.it
---------------------------------------------
Database Informatica S.r.l.
Microsoft Certified Partner
Tel. +39059775070
Fax. +39059779545
http://www.database.it
---------------------------------------------

-----Original message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On behalf of Mark Sapiro
Sent: Monday 8 September 2008 23.10
To: MailScanner discussion
Subject: Re: Italian spam

On Mon, Sep 08, 2008 at 02:57:35PM +0200, Marcello Anderlini wrote:

> I have these file in /root/.spamassassin. In /var/spool/MailScanner/ I
> have not nothing except a SpamAssassin.cache.db in
> /var/spool/MailScanner/incoming
>
> I do not use spamd but spamassassin it's called from Mailscanner.
>
> It's correct ?

So if you run sa-learn as root, it updates the bayes files in
/root/.spamassassin/

If MailScanner is also running as root, it is probably also using the same
bayes files and should be learning from your sa-learn, but if it is running
as some other user it may be using a different set.

Try

find / -name bayes.mutex

and see if you find any other sets of spamassassin bayes files.

> bayes.mutex
> bayes_journal
> bayes_toks
> bayes_seen

--
Mark Sapiro mark at msapiro net       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

--
Message checked by the Database Informatica antivirus service

From glenn.steen at gmail.com Tue Sep 9 10:14:07 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Sep 9 10:14:17 2008
Subject: Looking for a test mail generator
In-Reply-To: <20080908153817.GK17489@cgi.jachomes.com>
References: <48C53B20.4090304@slackadelic.com> <002301c911c4$0c5acfb0$6000a8c0@tecnica> <20080908153817.GK17489@cgi.jachomes.com>
Message-ID: <223f97700809090214v215d35b8m8f2f97363d3a15c2@mail.gmail.com>

2008/9/8 Jay R. Ashworth :
> To test a new installation before a cutover, I'm trying to find (out
> whether anyone has written) a program that can send a bunch of email to a
> SMTP server, logging what it does (both logical and session level), so
> that I can check that the results are what they should be.
>
> Optimally, I'd like something that worked like this:
>
> Provide it with 4 or 5 pieces of random spam, and 4 or 5 pieces of ham,
> and have it try to -- in random order -- send each of the message bodies
> to a) one or more provided valid addresses and b) one or more random
> non-valid addresses on the provisioned domain, and c) one or more
> completely random addresses.
>
> The goal, of course, is to make sure that what should pass through passes
> through, what should bounce bounces, what shouldn't backscatter doesn't,
> and what should deliver does.
>
> Has anyone already written this? I'm sure perl or python provides the
> modules, but I'm not good enough at either to do it myself. I could
> probably hack around something that does 60-70% of it into what I wanted,
> though.
>
> Cheers,
> -- jra

This is not the first time this has cropped up... Generally the
consensus has so far been that nothing beats the real thing... namely
your current incoming mailflow.

One would base the approach to do something like this (stress
test/validation) on an appropriate tool for your MTA to split off the
incoming mailflow ("copy" it) to the new machine... Something like
roundhouse for sendmail, or always_bcc for Postfix. Care has to be
taken that you don't actually deliver anything from the new box
though:-).

If you trawl the list archives (via gmane, perhaps) you should be able
to find Jules' excellent summary of "what's involved and how to do
it". Generally speaking... a lot of work;).

If all you need is a few (10 was it) "synthetic" messages... Why then
some handcrafting and telnet is all you really need;-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From rabellino at di.unito.it Tue Sep 9 11:33:52 2008
From: rabellino at di.unito.it (Sergio Rabellino)
Date: Tue Sep 9 11:34:29 2008
Subject: R: Italian spam
In-Reply-To: <01b801c91259$09578610$2501a8c0@dbdomain.database.it>
References: <015e01c90f27$72acd3c0$2501a8c0@dbdomain.database.it><00cb01c911b2$77512fb0$2501a8c0@dbdomain.database.it> <20080908210956.GA2516@msapiro> <01b801c91259$09578610$2501a8c0@dbdomain.database.it>
Message-ID: <48C65110.1070908@di.unito.it>

Following it's my configuration:

check into the spam.assassin.prefs.conf into the etc directory of
MailScanner for a line like

bayes_path /opt/MailScanner/etc/bayes/bayes

The last bayes is the filename prefix for the bayes database, and into
the directory /opt/MailScanner/etc/bayes you will find something like these

-rw-r--r-- 1 root root 36 Sep 9 12:30 bayes.mutex
-rw-rw-rw- 1 root other 77736 Sep 9 12:30 bayes_journal
-rw-r--r-- 1 root root 41967616 Sep 9 12:30 bayes_seen
-rw-r--r-- 1 root root 167772160 Sep 9 12:30 bayes_toks

Now using the -C /opt/MailScanner/etc/spam.assassin.prefs.conf
parameter for sa-learn, you'll point your learner to the same database
used by mailscanner.
I'm using this config and the Italian spam was detected after 3 users
submit their messages as spam.

Bye.

Marcello Anderlini wrote:
> I have not found any bayes.mutex. So could I be sure that spamassassin is
> using the bayes database store in /root/.spamassassin ?
>
>
> Dr. Marcello Anderlini
> m.anderlini@database.it
> ---------------------------------------------
> Database Informatica S.r.l.
> Microsoft Certified Partner
> Tel. +39059775070
> Fax. +39059779545
> http://www.database.it
> ---------------------------------------------
>
> -----Original message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On behalf of Mark Sapiro
> Sent: Monday 8 September 2008 23.10
> To: MailScanner discussion
> Subject: Re: Italian spam
>
> On Mon, Sep 08, 2008 at 02:57:35PM +0200, Marcello Anderlini wrote:
>
>> I have these file in /root/.spamassassin. In /var/spool/MailScanner/ I
>> have not nothing except a SpamAssassin.cache.db in
>> /var/spool/MailScanner/incoming
>>
>> I do not use spamd but spamassassin it's called from Mailscanner.
>>
>> It's correct ?
>>
>
>
> So if you run sa-learn as root, it updates the bayes files in
> /root/.spamassassin/
>
> If MailScanner is also running as root, it is probably also using the same
> bayes files and should be learning from your sa-learn, but if it is running
> as some other user it may be using a different set.
>
> Try
>
> find / -name bayes.mutex
>
> and see if you find any other sets of spamassassin bayes files.
>
>
>
>> bayes.mutex
>> bayes_journal
>> bayes_toks
>> bayes_seen
>>
>
>

--
Ing. Sergio Rabellino

Università degli Studi di Torino
Dipartimento di Informatica
ICT Services Director
Tel +39-0116706701 Fax +39-011751603
C.so Svizzera , 185 - 10149 - Torino

From ram at netcore.co.in Tue Sep 9 11:40:41 2008
From: ram at netcore.co.in (ram)
Date: Tue Sep 9 11:41:06 2008
Subject: Is MailScanner affected by the Redhat bug
Message-ID: <1220956841.6938.23.camel@darkstar.netcore.co.in>

Redhat & Centos distros seem to have a performance issue with perl
http://blog.vipul.net/2008/08/24/redhat-perl-what-a-tragedy/

I have all my servers running MailScanner on Centos. Is MailScanner
greatly affected by the Bug ?
Should I upgrade perl on my machines ?

Thanks
Ram

From J.Ede at birchenallhowden.co.uk Tue Sep 9 11:49:37 2008
From: J.Ede at birchenallhowden.co.uk (Jason Ede)
Date: Tue Sep 9 11:51:05 2008
Subject: Is MailScanner affected by the Redhat bug
In-Reply-To: <1220956841.6938.23.camel@darkstar.netcore.co.in>
References: <1220956841.6938.23.camel@darkstar.netcore.co.in>
Message-ID: <4CAB0118AEC63A4FAAE77E6BCBDF760C792A26CDD7@server02.bhl.local>

There isn't currently a patch out on CentOS yet for this issue or if there is it hasn't been slip-streamed into the main yum repository...

Currently it's either wait or download and compile own version of perl.

Jason
________________________________________
From: mailscanner-bounces@lists.mailscanner.info [mailscanner-bounces@lists.mailscanner.info] On Behalf Of ram [ram@netcore.co.in]
Sent: 09 September 2008 11:40
To: MailScanner discussion
Subject: Is MailScanner affected by the Redhat bug

Redhat & Centos distros seem to have a performance issue with perl
http://blog.vipul.net/2008/08/24/redhat-perl-what-a-tragedy/

I have all my servers running MailScanner on Centos. Is MailScanner
greatly affected by the Bug ?
Should I upgrade perl on my machines ?

Thanks
Ram

From dean.plant at roke.co.uk Tue Sep 9 12:13:36 2008
From: dean.plant at roke.co.uk (Plant, Dean)
Date: Tue Sep 9 12:13:49 2008
Subject: Is MailScanner affected by the Redhat bug
In-Reply-To: <4CAB0118AEC63A4FAAE77E6BCBDF760C792A26CDD7@server02.bhl.local>
Message-ID: <2181C5F19DD0254692452BFF3EAF1D68039412B4@rsys005a.comm.ad.roke.co.uk>

Jason Ede wrote:
> There isn't currently a patch out on CentOS yet for this issue or if
> there is it hasn't been slip-streamed into the main yum repository...
>
> Currently it's either wait or download and compile own version of perl.
>

http://www.karan.org/blog/index.php/2008/09/08/slow-perl-on-centos-5-potential-fix

From gmatt at nerc.ac.uk Tue Sep 9 13:01:07 2008
From: gmatt at nerc.ac.uk (Greg Matthews)
Date: Tue Sep 9 13:01:52 2008
Subject: Is MailScanner affected by the Redhat bug
In-Reply-To: <1220956841.6938.23.camel@darkstar.netcore.co.in>
References: <1220956841.6938.23.camel@darkstar.netcore.co.in>
Message-ID: <48C66583.70800@nerc.ac.uk>

ram wrote:
> I have all my servers running MailScanner on Centos. Is MailScanner
> greatly affected by the Bug ?
> Should I upgrade perl on my machines ?

I've run tests last week on CentOS 4 and CentOS 5. CentOS 4.6 is
unaffected but CentOS 5.2 does contain the bug. However, it is not clear
that this performance issue unduly affects MailScanner as other
latencies are likely to dominate.

G

>
> Thanks
> Ram
>

--
Greg Matthews 01491 692445
Head of UNIX/Linux, iTSS Wallingford

--
This message (and any attachments) is for the recipient only. NERC is subject to the Freedom of Information Act 2000 and the contents of this email and any reply you make may be disclosed by NERC unless it is exempt from release under the Act. Any material supplied to NERC may be stored in an electronic records management system.

From csweeney at osubucks.org Tue Sep 9 14:07:18 2008
From: csweeney at osubucks.org (Chris Sweeney)
Date: Tue Sep 9 14:07:41 2008
Subject: Is MailScanner affected by the Redhat bug
In-Reply-To: <1220956841.6938.23.camel@darkstar.netcore.co.in>
References: <1220956841.6938.23.camel@darkstar.netcore.co.in>
Message-ID: <30334.65.161.188.11.1220965638.squirrel@webmail.osubucks.org>

> Redhat & Centos distros seem to have a performance issue with perl
> http://blog.vipul.net/2008/08/24/redhat-perl-what-a-tragedy/
>
>
> I have all my servers running MailScanner on Centos. Is MailScanner
> greatly affected by the Bug ?
> Should I upgrade perl on my machines ?
>

From:
http://people.centos.org/z00dax/bz379791/

#
# This small repo contains a patched version of perl to fix
# the issues raised on : https://bugzilla.redhat.com/show_bug.cgi?id=379791
# for CentOS-5. Only i386 and x86_64 packages are provided.
#
# There has been some testing done on the centos-devel list, however you should
# still test it yourself before deploying into production
#
# to install these packages :
# cd /etc/yum.repos.d/; wget http://people.centos.org/z00dax/bz379791/bz379791.repo
# yum --enablerepo=c5-bz379791 update perl
#
#

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From martinh at solidstatelogic.com Tue Sep 9 14:15:22 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Tue Sep 9 14:15:36 2008
Subject: Is MailScanner affected by the Redhat bug
In-Reply-To: <30334.65.161.188.11.1220965638.squirrel@webmail.osubucks.org>
Message-ID: <4841c96f9899f946a9ea3f1a3d0b7d20@solidstatelogic.com>

Chris

Just doing some checking of out mailscanner system that I won't bore you with but I notice you've got an issue with your setup.

In Mailscanner.conf your %org-name% has a '.' in it that can upset some MTA's.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Chris Sweeney > Sent: 09 September 2008 14:07 > To: MailScanner discussion > Subject: Re: Is MailScanner affected by the Redhat bug > > > Redhat & Centos distros seem to have a performance issue with perl > > http://blog.vipul.net/2008/08/24/redhat-perl-what-a-tragedy/ > > > > > > I have all my servers running MailScanner on Centos. Is MailScanner > > greatly affected by the Bug ? > > Should I upgrade perl on my machines ? 
> > > From: > http://people.centos.org/z00dax/bz379791/ > > # > # This small repo contains a patched version of perl to fix # > the issues raised on : > https://bugzilla.redhat.com/show_bug.cgi?id=379791 > # for CentOS-5. Only i386 and x86_64 packages are provided. > # > # There has been some testing done on the centos-devel list, > however you should # still test it yourself before deploying > into production # # to install these packages : > # cd /etc/yum.repos.d/; wget > http://people.centos.org/z00dax/bz379791/bz379791.repo > # yum --enablerepo=c5-bz379791 update perl # # > > > > -- > This message has been scanned for viruses and dangerous > content by MailScanner, and is believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. 
Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From m.anderlini at database.it Tue Sep 9 14:26:06 2008 From: m.anderlini at database.it (Marcello Anderlini) Date: Tue Sep 9 14:26:27 2008 Subject: R: R: Italian spam In-Reply-To: <48C65110.1070908@di.unito.it> References: <015e01c90f27$72acd3c0$2501a8c0@dbdomain.database.it><00cb01c911b2$77512fb0$2501a8c0@dbdomain.database.it> <20080908210956.GA2516@msapiro><01b801c91259$09578610$2501a8c0@dbdomain.database.it> <48C65110.1070908@di.unito.it> Message-ID: <021b01c9127f$9d6ea330$2501a8c0@dbdomain.database.it> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: image/jpeg Size: 4570 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080909/826c40e5/attachment.jpe From csweeney at osubucks.org Tue Sep 9 14:42:47 2008 From: csweeney at osubucks.org (Chris Sweeney) Date: Tue Sep 9 14:43:07 2008 Subject: Is MailScanner affected by the Redhat bug In-Reply-To: <4841c96f9899f946a9ea3f1a3d0b7d20@solidstatelogic.com> References: <30334.65.161.188.11.1220965638.squirrel@webmail.osubucks.org> <4841c96f9899f946a9ea3f1a3d0b7d20@solidstatelogic.com> Message-ID: <51607.65.161.188.11.1220967767.squirrel@webmail.osubucks.org> Hey thanks I'll check it out when I get back in tonight. > Chris > > Just doing some checking of out mailscanner system that I won't bore you > with but I notice you've got an issue with your setup. > > In Mailscanner.conf your %org-name% has a '.' in it that can upset some > MTA's. > > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf >> Of Chris Sweeney >> Sent: 09 September 2008 14:07 >> To: MailScanner discussion >> Subject: Re: Is MailScanner affected by the Redhat bug >> >> > Redhat & Centos distros seem to have a performance issue with perl >> > http://blog.vipul.net/2008/08/24/redhat-perl-what-a-tragedy/ >> > >> > >> > I have all my servers running MailScanner on Centos. Is MailScanner >> > greatly affected by the Bug ? >> > Should I upgrade perl on my machines ? 
>> > >> From: >> http://people.centos.org/z00dax/bz379791/ >> >> # >> # This small repo contains a patched version of perl to fix # >> the issues raised on : >> https://bugzilla.redhat.com/show_bug.cgi?id=379791 >> # for CentOS-5. Only i386 and x86_64 packages are provided. >> # >> # There has been some testing done on the centos-devel list, >> however you should # still test it yourself before deploying >> into production # # to install these packages : >> # cd /etc/yum.repos.d/; wget >> http://people.centos.org/z00dax/bz379791/bz379791.repo >> # yum --enablerepo=c5-bz379791 update perl # # >> >> >> >> -- >> This message has been scanned for viruses and dangerous >> content by MailScanner, and is believed to be clean. >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> > > > > > ********************************************************************** > Confidentiality : This e-mail and any attachments are intended for the > addressee only and may be confidential. If they come to you in error > you must take no action based on them, nor must you copy or show them > to anyone. Please advise the sender by replying to this e-mail > immediately and then delete the original from your computer. > Opinion : Any opinions expressed in this e-mail are entirely those of > the author and unless specifically stated to the contrary, are not > necessarily those of the author's employer. > Security Warning : Internet e-mail is not necessarily a secure > communications medium and can be subject to data corruption. We advise > that you consider this fact when e-mailing us. 
> Viruses : We have taken steps to ensure that this e-mail and any > attachments are free from known viruses but in keeping with good > computing practice, you should ensure that they are virus free. > > Red Lion 49 Ltd T/A Solid State Logic > Registered as a limited company in England and Wales > (Company No:5362730) > Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, > United Kingdom > ********************************************************************** > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- Chris Sweeney Home Phone for $10 a month call 937-415-0943 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From richard.frovarp at sendit.nodak.edu Tue Sep 9 14:43:44 2008 
From: richard.frovarp at sendit.nodak.edu (Richard Frovarp)
Date: Tue Sep 9 14:43:58 2008
Subject: Is MailScanner affected by the Redhat bug
In-Reply-To: <1220956841.6938.23.camel@darkstar.netcore.co.in>
References: <1220956841.6938.23.camel@darkstar.netcore.co.in>
Message-ID: <48C67D90.9020200@sendit.nodak.edu>

ram wrote:
> Redhat & Centos distros seem to have a performance issue with perl
> http://blog.vipul.net/2008/08/24/redhat-perl-what-a-tragedy/
>
>
> I have all my servers running MailScanner on Centos. Is MailScanner
> greatly affected by the Bug ?
> Should I upgrade perl on my machines ?
>
>
> Thanks
> Ram
>

It would appear that as far as anyone can tell, the systems aren't
affected by the bug in a significant manner. Someone on the SA list did
say he applied the fix to his CentOS box, and didn't notice any SA
improvement. If you test that bug, it gets really nasty after 50,000
iterations. As others have said, if it is affecting MS/SA, other
latencies are probably covering it up at this moment.

From ram at netcore.co.in Tue Sep 9 14:59:34 2008
From: ram at netcore.co.in (ram)
Date: Tue Sep 9 14:59:51 2008
Subject: Is MailScanner affected by the Redhat bug
In-Reply-To: <48C66583.70800@nerc.ac.uk>
References: <1220956841.6938.23.camel@darkstar.netcore.co.in> <48C66583.70800@nerc.ac.uk>
Message-ID: <1220968774.6938.45.camel@darkstar.netcore.co.in>

On Tue, 2008-09-09 at 13:01 +0100, Greg Matthews wrote:
> ram wrote:
> > I have all my servers running MailScanner on Centos. Is MailScanner
> > greatly affected by the Bug ?
> > Should I upgrade perl on my machines ?
>
> I've ran tests last week on CentOS 4 and CentOS 5. CentOS 4.6 is
> unaffected but CentOS 5.2 does contain the bug. However, it is not clear
> that this performance issue unduly affects MailScanner as other
> latencies are likely to dominate.
>

I did some testing myself .. There is apparently absolutely no effect on
MailScanner

Took ~1000 mails to a test machine , Centos 5 , 4GB Ram , with the
perlbug and run it under MailScanner
( MailScanner + SA + customscanner + f-prot6 + clamavmodule )

It takes 18 minutes with the perl bug and the same time (in fact took 15s
more) after I upgraded perl with the patch on http://people.centos.org

So that is not any major effect after all :-)

Thanks
Ram

From rabellino at di.unito.it Tue Sep 9 15:06:14 2008
From: rabellino at di.unito.it (Sergio Rabellino)
Date: Tue Sep 9 15:07:09 2008
Subject: R: R: Italian spam
In-Reply-To: <021b01c9127f$9d6ea330$2501a8c0@dbdomain.database.it>
References: <015e01c90f27$72acd3c0$2501a8c0@dbdomain.database.it><00cb01c911b2$77512fb0$2501a8c0@dbdomain.database.it> <20080908210956.GA2516@msapiro><01b801c91259$09578610$2501a8c0@dbdomain.database.it> <48C65110.1070908@di.unito.it> <021b01c9127f$9d6ea330$2501a8c0@dbdomain.database.it>
Message-ID: <48C682D6.5010704@di.unito.it>

I think you must set the directory once in
/etc/Mailscanner/spam.assassin.prefs.conf, so you definitely choose a
directory where bayes will store the database. I do not suggest a
hidden directory, or the risk is that you will forget everything in a
week.... or less.

then launch (as a user that can write into that dir )

sa-learn --no-sync -C /etc/Mailscanner/spam.assassin.prefs.conf < spam.eml
... once for every message...
sa-learn --sync

and your Mailscanner will see the modified bayes db.

I ask the experts on this list if the procedure is formally correct.

Bye.

Marcello Anderlini wrote:
> Hello, in my /etc/Mailscanner/spam.assassin.prefs.conf
>
> I have just this commented line:
> #bayes_path /var/spool/spamassassin/bayes
>
> I have look all around and I don't found any bayes.mutex file.
> I have found only these files in /root/.spamassassin
> ==============
> -rw------- 1 root root 168 Sep 9 15:23 bayes_journal
> -rw------- 1 root root 172904448 Sep 9 15:23 bayes_seen
> -rw------- 1 root root 9105408 Sep 9 11:07 bayes_toks
> ==============
>
> I can set sa-learn to use this directory ?
>
> thanks a lot
>
> Dr. Marcello Anderlini
> m.anderlini@database.it
> ---------------------------------------------
> Database Informatica S.r.l.
> Microsoft Certified Partner
> Tel. +39059775070
> Fax. +39059779545
> http://www.database.it
> ---------------------------------------------
>
>
> ------------------------------------------------------------------------
> *From:* mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] *On behalf of*
> Sergio Rabellino
> *Sent:* Tuesday 9 September 2008 12.34
> *To:* MailScanner discussion
> *Subject:* Re: R: Italian spam
>
> Following it's my configuration:
>
> check into the spam.assassin.prefs.conf into the etc directory of
> MailScanner for a line like
>
> bayes_path /opt/MailScanner/etc/bayes/bayes
>
> The last bayes is the filename prefix for the bayes database, and into
> the directory
> /opt/MailScanner/etc/bayes you will find something like these
>
> -rw-r--r-- 1 root root 36 Sep 9 12:30 bayes.mutex
> -rw-rw-rw- 1 root other 77736 Sep 9 12:30
> -rw-r--r-- 1 root root 41967616 Sep 9 12:30 bayes_seen
> -rw-r--r-- 1 root root 167772160 Sep 9 12:30 bayes_toks
>
> Now using the -C /opt/MailScanner/etc/spam.assassin.prefs.conf
> parameter for sa-learn, you'll point your learner to the same database
> used by mailscanner.
> I'm using this config and the italian spam was detected after 3 users
> submit their messages as spam.
>
> Bye.
>
> Marcello Anderlini wrote:
>> I have not found any bayes.mutex. So could I be sure that spamassassin is
>> using the bayes database store in /root/.spamassassin ?
>>
>>
>> Dr. Marcello Anderlini
>> m.anderlini@database.it
>> ---------------------------------------------
>> Database Informatica S.r.l.
>> Microsoft Certified Partner
>> Tel. +39059775070
>> Fax. +39059779545
>> http://www.database.it
>> ---------------------------------------------
>>
>> -----Original message-----
>> From: mailscanner-bounces@lists.mailscanner.info
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On behalf of Mark Sapiro
>> Sent: Monday 8 September 2008 23.10
>> To: MailScanner discussion
>> Subject: Re: Italian spam
>>
>> On Mon, Sep 08, 2008 at 02:57:35PM +0200, Marcello Anderlini wrote:
>>
>>> I have these file in /root/.spamassassin. In /var/spool/MailScanner/ I
>>> have not nothing except a SpamAssassin.cache.db in
>>> /var/spool/MailScanner/incoming
>>>
>>> I do not use spamd but spamassassin it's called from Mailscanner.
>>>
>>> It's correct ?
>>>
>>
>>
>> So if you run sa-learn as root, it updates the bayes files in
>> /root/.spamassassin/
>>
>> If MailScanner is also running as root, it is probably also using the same
>> bayes files and should be learning from your sa-learn, but if it is running
>> as some other user it may be using a different set.
>>
>> Try
>>
>> find / -name bayes.mutex
>>
>> and see if you find any other sets of spamassassin bayes files.
>>
>>
>>
>>> bayes.mutex
>>> bayes_journal
>>> bayes_toks
>>> bayes_seen
>>>
>>
>>
>
> --
> Ing. Sergio Rabellino
>
> Università degli Studi di Torino
> Dipartimento di Informatica
> ICT Services Director
> Tel +39-0116706701 Fax +39-011751603
> C.so Svizzera , 185 - 10149 - Torino
>
>
> --
> Message checked by the *Database Informatica* antivirus service
> .
> --
> Message checked by the *Database Informatica* antivirus service
> .

--
Ing. Sergio Rabellino

Università degli Studi di Torino
Dipartimento di Informatica
ICT Services Director
Tel +39-0116706701 Fax +39-011751603
C.so Svizzera , 185 - 10149 - Torino

From jra at baylink.com Tue Sep 9 15:11:10 2008
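An added example for the Bayes thread above (not code from any poster or from MailScanner): it reports which Bayes database a given prefs file selects and whether a given user can write it, covering the commented-out bayes_path case Marcello describes. It inspects only the one prefs file it is handed, and assumes SpamAssassin's documented default of ~/.spamassassin/bayes when no bayes_path is active; the function names are hypothetical.

```python
import os
import stat

# bayes_path is a filename prefix; these suffixes are the files seen in the thread.
SUFFIXES = ("_toks", "_seen", "_journal", ".mutex")


def active_bayes_path(prefs_text):
    """Return the last uncommented bayes_path value in the text, or None."""
    value = None
    for raw in prefs_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        fields = line.split(None, 1)
        if len(fields) == 2 and fields[0] == "bayes_path":
            value = fields[1].strip()            # later lines override earlier
    return value


def bayes_report(prefs_text, home):
    """Resolve the effective prefix for a user whose home is `home`."""
    configured = active_bayes_path(prefs_text)
    prefix = configured or os.path.join(home, ".spamassassin", "bayes")
    files = {}
    for suffix in SUFFIXES:
        path = prefix + suffix
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue
        files[path] = {"uid": st.st_uid, "gid": st.st_gid,
                       "bits": stat.S_IMODE(st.st_mode),
                       "mode": stat.filemode(st.st_mode)}
    source = "prefs file" if configured else "default (per-user home)"
    return {"prefix": prefix, "source": source, "files": files}


def writable_by(entry, uid, gids):
    """Classic owner/group/other write check for one file entry."""
    if uid == 0:
        return True
    if entry["uid"] == uid:
        return bool(entry["bits"] & stat.S_IWUSR)
    if entry["gid"] in gids:
        return bool(entry["bits"] & stat.S_IWGRP)
    return bool(entry["bits"] & stat.S_IWOTH)


if __name__ == "__main__":
    # Constructed input: the single commented line quoted in the thread.
    prefs = "#bayes_path /var/spool/spamassassin/bayes\n"
    report = bayes_report(prefs, os.path.expanduser("~"))
    print(report["source"], report["prefix"])
    for path, entry in report["files"].items():
        print(entry["mode"], entry["uid"], path)
```

Run it once with the home directory of the user that runs sa-learn and once with that of the user MailScanner runs as; differing prefixes mean the two are training and reading different databases.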
From: jra at baylink.com (Jay R. Ashworth)
Date: Tue Sep 9 15:11:20 2008
Subject: Looking for a test mail generator (unthreaded)
In-Reply-To: <48C57CBB.3000508@vanderkooij.org>
References: <20080908155906.GA17894@cgi.jachomes.com> <48C57CBB.3000508@vanderkooij.org>
Message-ID: <20080909141110.GB23322@cgi.jachomes.com>

On Mon, Sep 08, 2008 at 09:27:55PM +0200, Hugo van der Kooij wrote:
> Jay R. Ashworth wrote:
> > I am not having a good day today. Twice. In 5 minutes...
> >
> > Unthreadjacked:
> >
> > To test a new installation before a cutover, I'm trying to find (out
> > whether anyone has written) a program that can send a bunch of email to a
> > SMTP server, logging what it does (both logical and session level), so
> > that I can check that the results are what they should be.
>
> A sender only has the view of what it communicates with the receiver.
> Whatever happens after the receiver takes over is anyone's guess. But it
> not of any concern to the sender anymore.
>
> So I fail to see how you could do l this on a session level from the sender.

Would you be happier if I said "conversation level"?

> I would say that just doing a darn good job of configuring things right
> and bring it to live is the best test.

It's not *your* email. Executives are *insecure*.

> I have written some code to do a keepalive check to see if the whole
> spam and AV chain works. The sending part is peanuts in perl. The
> verification part was the tough part.
>
> The chain goes like:
>
> TEST server ==> Spam box ==> AV box ==> TEST server
>
> So I end up by getting what I did send out if nothing breaks down. But
> it is a twist in that I need to configure an extra domain into my
> customer configuration to do this.

Sure. But that's exactly the reason I want to do it the way I want to do
it: I don't want to have to do *two* analyses: what should have happened
to each incoming mail and what *did* -- I want to *know* what should have
happened, because I have a list with message IDs that tells me, so all I
have to do is check the expected targets and look to see if the messages
are there.

Cheers,
-- jra
--
Jay R. Ashworth                   Baylink                      jra@baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com                     '87 e24
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274

Those who cast the vote decide nothing.
Those who count the vote decide everything.
-- (Josef Stalin)

From jra at baylink.com Tue Sep 9 15:13:10 2008
From: jra at baylink.com (Jay R. Ashworth)
Date: Tue Sep 9 15:13:19 2008
Subject: Looking for a test mail generator (unthreaded)
In-Reply-To:
References: <20080908155906.GA17894@cgi.jachomes.com>
Message-ID: <20080909141310.GC23322@cgi.jachomes.com>

On Tue, Sep 09, 2008 at 07:37:51AM +0800, Edward Dekkers wrote:
> Could you use this as a base?
>
> http://tools.declude.com/

It's on the right general lines. I wonder if it has a scriptable API...

I'd love to get their sample spam.

Does anyone have a good categorized spam corpus for this sort of testing?

The SA guys? Anyone? Bueller?

Cheers,
-- jra
--
Jay R. Ashworth                   Baylink                      jra@baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com                     '87 e24
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274

Those who cast the vote decide nothing.
Those who count the vote decide everything.
-- (Josef Stalin)

From jbuda at noticiasargentinas.com Tue Sep 9 15:22:00 2008
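An added example of the test generator asked for in the thread above (not code from any poster or from MailScanner): it builds a reproducibly shuffled plan that pairs every spam and ham body with valid, invalid-local and foreign recipients, tags each message with its own Message-ID and expected result, and records the server's replies per session. The EXPECT table, all names and the cutover-test.invalid ID domain are assumptions; sample bodies are constructed.

```python
import random
import smtplib
from dataclasses import dataclass, field
from email.message import EmailMessage

# Assumed policy (edit to match the site): the result each combination of
# message kind and recipient class should produce.
EXPECT = {
    ("ham", "valid"): "deliver",          # arrives in the mailbox
    ("spam", "valid"): "filter",          # accepted, then tagged or quarantined
    ("ham", "invalid-local"): "reject",   # refused in-session, so no backscatter
    ("spam", "invalid-local"): "reject",
    ("ham", "foreign"): "reject",         # relaying refused
    ("spam", "foreign"): "reject",
}


@dataclass
class Case:
    msg_id: str
    kind: str
    rcpt: str
    rcpt_class: str
    expect: str
    body: str
    smtp_log: list = field(default_factory=list)


def build_plan(spam, ham, valid_rcpts, domain, seed, extra=1):
    """Return every body x recipient pairing, shuffled reproducibly by seed."""
    rng = random.Random(seed)

    def token():
        return f"{rng.getrandbits(48):012x}"

    plan = []
    for kind, bodies in (("spam", spam), ("ham", ham)):
        for body in bodies:
            rcpts = [(r, "valid") for r in valid_rcpts]
            rcpts += [(f"nouser-{token()}@{domain}", "invalid-local")
                      for _ in range(extra)]
            # .invalid is a reserved TLD, so these can never be real mailboxes.
            rcpts += [(f"{token()}@{token()}.invalid", "foreign")
                      for _ in range(extra)]
            for rcpt, cls in rcpts:
                msg_id = f"<{token()}@cutover-test.invalid>"
                plan.append(Case(msg_id, kind, rcpt, cls, EXPECT[kind, cls], body))
    rng.shuffle(plan)
    return plan


def send_case(case, host, sender, port=25):
    """Send one case to the server under test; log every reply on the case.

    `sender` should be a mailbox the tester controls, so that any bounce
    (backscatter) the new server generates is visible there.
    """
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, case.rcpt
    msg["Subject"] = f"cutover test ({case.kind})"
    msg["Message-ID"] = case.msg_id
    msg.set_content(case.body)
    log = case.smtp_log
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        log.append(("EHLO", *smtp.ehlo()))
        log.append(("MAIL", *smtp.mail(sender)))
        code, reply = smtp.rcpt(case.rcpt)
        log.append(("RCPT", code, reply))
        if code < 400:
            try:
                log.append(("DATA", *smtp.data(msg.as_bytes())))
            except smtplib.SMTPResponseException as exc:
                log.append(("DATA", exc.smtp_code, exc.smtp_error))
    return log


def smtp_outcome(log):
    """'accept' if RCPT and DATA both succeeded, else 'reject' (4xx or 5xx)."""
    codes = {step: code for step, code, _ in log}
    ok = codes.get("RCPT", 500) < 400 and codes.get("DATA", 500) < 400
    return "accept" if ok else "reject"


def mismatches(plan):
    """Cases whose in-session result contradicts the expectation.

    'deliver' and 'filter' both look like 'accept' to the sender; tell them
    apart afterwards by searching mailbox and quarantine for case.msg_id.
    """
    bad = []
    for case in plan:
        want = "reject" if case.expect == "reject" else "accept"
        if smtp_outcome(case.smtp_log) != want:
            bad.append(case)
    return bad


if __name__ == "__main__":
    # Constructed bodies and addresses; nothing is sent here.
    demo = build_plan(["constructed spam body"], ["constructed ham body"],
                      ["user@example.org"], "example.org", seed=1)
    for c in demo:
        print(c.msg_id, c.kind, c.rcpt_class, c.rcpt, "->", c.expect)
```

Call send_case only against the new server before cutover, then run mismatches over the plan and look up each Message-ID at its expected target.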
From: jbuda at noticiasargentinas.com (Jose Julian Buda) Date: Tue Sep 9 15:21:56 2008 Subject: ClamAV 0.94 References: <05b401c911c1$0ee8fc00$6000a8c0@tecnica> <023401c911e0$e3b8b7d0$6000a8c0@tecnica> <48C57FD2.1050807@vanderkooij.org> <48C5D3A1.9010201@ddihealth.com> Message-ID: <00de01c91287$6c726110$6000a8c0@tecnica> ----- Original Message ----- 
From: "Jim Barber" To: "MailScanner discussion" Sent: Monday, September 08, 2008 10:38 PM Subject: Re: ClamAV 0.94 > Hugo van der Kooij wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Scott Silva wrote: >> >>>> Now, the clamd daemon is running, how do i tell the mailscanner to use >>>> it? >> >>> You will need to upgrade your mailscanner version. Debian uses a version >>> that is probably 3 years old by now. In MailScanner time that is like 30 >>> generations. >> >> In spam terms that is about 15 generations ago. >> >> I would recommend that Jules defines a version policy about how many >> versions back something is considered too old to be even bothered with >> and notification is send to the Debian team that their prehistoric >> version is too old to keep in there system. >> >> Keeping up was my greatest concern in regard to building a repository >> for MailScanner. >> >> Hugo. >> >> PS: Did anyone bother to check the awstats statistics? > > The version of MailScanner in Debian's testing / lenny distribution is > 4.68.8. > That's also really old, but it does have the ability to use clamd (I'm > using it successfully). > > To use it I needed to add the Debian-exim user to the clamav group. > I also added the clamav user to the Debian-exim group, but you may be able > to avoid that by setting "Incoming Work Group = clamav" in the config > below. > > Then you need set a few values in your /etc/MailScanner/MailScanner.conf > file: > > Incoming Work Permissions = 0660 > > Virus Scanners = clamd > > Monitors for ClamAV Updates = /var/lib/clamav/*.inc/* > /var/lib/clamav/*.cvd > > Regards, > > ---------- > Jim Barber > DDI Health > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
Can I use a lenny version on a production server? If I shouldn't, how can I make this version work? I did not see this problem yesterday with clamav 0.93.3. Is it really a MS problem? However, I see that clamav 0.94 is OK if I try the wrapper script directly:

proxymails:~# /etc/MailScanner/wrapper/clamav-wrapper /usr
/root/.rnd: OK
/root/.bashrc: OK
/root/papa.txt: Eicar-Test-Signature FOUND
/root/.viminfo: OK
/root/.bash_history: OK
/root/.profile: OK
/root/balanceo: OK
/root/pepe.zip: Eicar-Test-Signature FOUND
/root/ipt.txt: OK

----------- SCAN SUMMARY -----------
Known viruses: 416286
Engine version: 0.94
Scanned directories: 1
Scanned files: 16
Infected files: 2
Data scanned: 0.61 MB
Time: 3.919 sec (0 m 3 s)
proxymails:~#

I don't want to install a testing version on a production server if it is not necessary. Has somebody tested this lenny version on etch?

Thank you.
Jose Julian Buda

From steve.swaney at fsl.com Tue Sep 9 15:39:56 2008
From: steve.swaney at fsl.com (Stephen Swaney) Date: Tue Sep 9 15:40:59 2008 Subject: Looking for a test mail generator (unthreaded) In-Reply-To: <20080909141110.GB23322@cgi.jachomes.com> References: <20080908155906.GA17894@cgi.jachomes.com> <48C57CBB.3000508@vanderkooij.org> <20080909141110.GB23322@cgi.jachomes.com> Message-ID: <00c501c91289$ee101260$ca303720$@swaney@fsl.com>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Jay R. Ashworth > Sent: Tuesday, September 09, 2008 10:11 AM > To: mailscanner@lists.mailscanner.info > Subject: Re: Looking for a test mail generator (unthreaded) > > On Mon, Sep 08, 2008 at 09:27:55PM +0200, Hugo van der Kooij wrote: > > Jay R. Ashworth wrote: > > > I am not having a good day today. Twice. In 5 minutes... > > > > > > Unthreadjacked: > > > > > > > > > To test a new installation before a cutover, I'm trying to find > (out > > > whether anyone has written) a program that can send a bunch of > email to a > > > SMTP server, logging what it does (both logical and session level), > so > > > that I can check that the results are what they should be. > > > > A sender only has the view of what it communicates with the receiver. > > Whatever happens after the receiver takes over is anyone's guess. But > it > > not of any concern to the sender anymore. > > > > So I fail to see how you could do l this on a session level from the > sender. > > Would you be happier if I said "conversation level"? > > > I would say that just doing a darn good job of configuring things > right > > and bring it to live is the best test. > > It's not *your* email. > > Executives are *insecure*. > > > I have written some code to do a keepalive check to see if the whole > > spam and AV chain works. The sending part is peanuts in perl. The > > verificaton part was the tough part. > > > > The chain goes like: > > > > TEST server ==> Spam box ==> AV box ==> TEST server > > > > So I end up by getting what I did send out if nothing breaks down. > But > > it is a twist in that I need to configure an extra domain into my > > customer configuration to do this. > > Sure. 
But that's exactly the reason I want to do it the way I want to do it: I don't want to have to do *two* analyses: what should have happened to each incoming mail and what *did* -- I want to *know* what should have happened, because I have a list with message IDs that tells me, so all I have to do is check the expected targets and look to see if the messages are there.
>
> Cheers,
> -- jra

Jay,

Simply set up another mail hub with test accounts. A simple sendmail server delivering to local users would work just fine.

Then use Roundhouse to duplicate the feed. The feed goes first to your real mail hub for delivery as normal.

Send the duplicate feed to the test server which should be configured to 1) send test messages to the test mail hub and 2) dev-null the rest.

Seems this would be simple to set up and meet your requirements.

Best regards,

Steve

Steve Swaney
steve@fsl.com
Office Phone: 202 595-7760 ext. 601

From jra at baylink.com Tue Sep 9 15:56:32 2008
From: jra at baylink.com (Jay R. Ashworth) Date: Tue Sep 9 15:56:43 2008 Subject: Looking for a test mail generator (unthreaded) In-Reply-To: <00c501c91289$ee101260$ca303720$@swaney@fsl.com> References: <20080908155906.GA17894@cgi.jachomes.com> <48C57CBB.3000508@vanderkooij.org> <20080909141110.GB23322@cgi.jachomes.com> <00c501c91289$ee101260$ca303720$@swaney@fsl.com> Message-ID: <20080909145632.GE23322@cgi.jachomes.com>

On Tue, Sep 09, 2008 at 10:39:56AM -0400, Stephen Swaney wrote:
> Simply set up another mail hub with test accounts. A simple sendmail server
> delivering to local users would work just fine.
>
> Then use Roundhouse to duplicate the feed. The feed goes first to your real
> mail hub for delivery as normal.
>
> Send the duplicate feed to the test server which should be configured to 1)
> send test messages to the test mail hub and 2) dev-null the rest.
>
> Seems this would be simple to set up and meet your requirements.

But it doesn't, and please allow me to recap why, Juan Moore-Thyme :-)

My problem is that I want a repeatable, predictable test, where *I do not have to spend hours figuring out what the EXPECTED results are*.

If I use the real mail feed, that's what I'll have to do -- or at least, I'll have to analyse whether the two mail servers are reacting the same *way* to that mail feed, and if not, whether the new reaction is better or worse.

If I can generate 50 messages that are, roughly, all the same every time (modulo a "batch number" in the message-ID maybe) *and that I know what the expected results are*, then all I have to do is look in the expected target places, and check messages off a check list.

"All the messages from 00-09 should be in my mailbox.
All the messages from 10-19 should be in the postmaster mailbox.
All the messages from 20-29 should be in the spam logs.
All the messages from 30-39 should be in the AV logs.
All the messages from 40-49 should be in the mailer logs as having tried to generate *valid* no-backscatter bounces."

And that way I don't have to analyse because I did that before I generated the 50 message bodies. IMO, this approach is critical to finding out what you actually need to know, without tearing your hair out. I'm just not a good enough coder to do it from scratch. I see I may have to add "yet" to that. :-) How are the python email libraries these days? Cheers, -- jra -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com '87 e24 St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274 Those who cast the vote decide nothing. Those who count the vote decide everything. -- (Josef Stalin) From ssilva at sgvwater.com Tue Sep 9 16:35:51 2008 
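The check-list approach Jay describes above (50 fixed messages, a batch number in the Message-ID, one expected destination per range of ten), written with Python's standard email and smtplib modules. This is an added example, not code from anyone in the thread; the domains, recipient names, target labels and the use of the GTUBE and EICAR test strings to exercise the spam and AV paths are assumptions, as is the premise that each target's mailbox or log text records the Message-ID.

```python
"""Deterministic SMTP test corpus plus a manifest of expected outcomes."""
import re
import smtplib
from email.message import EmailMessage

# Standard scanner test strings. EICAR is split so this source file is not flagged.
GTUBE = "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X"
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-" + "STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

DOMAIN = "newmx.example"          # assumption: domain served by the server under test
SENDER_DOMAIN = "sender.example"  # assumption: domain able to receive the bounces
SENDER = "testgen@" + SENDER_DOMAIN

# (first sequence number, recipient local part, expected target, body, attachment)
PLAN = [
    (0, "jra", "user_mailbox", "plain test message", None),
    (10, "postmaster", "postmaster_mailbox", "plain test message", None),
    (20, "jra", "spam_log", GTUBE, None),
    (30, "jra", "av_log", "see attachment", EICAR),
    (40, "no-such-user", "mailer_log_bounce", "plain test message", None),
]

ID_RE = re.compile(r"<b\d{4}\.m\d{2}@" + re.escape(SENDER_DOMAIN) + ">")


def build_corpus(batch):
    """Return (messages, manifest); manifest maps Message-ID -> expected target."""
    messages, manifest = [], {}
    for first, local, target, body, attachment in PLAN:
        for seq in range(first, first + 10):
            msg = EmailMessage()
            msg_id = f"<b{batch:04d}.m{seq:02d}@{SENDER_DOMAIN}>"
            msg["Message-ID"] = msg_id
            msg["From"] = SENDER
            msg["To"] = f"{local}@{DOMAIN}"
            msg["Subject"] = f"cutover test batch {batch} message {seq:02d}"
            msg.set_content(body)
            if attachment:
                msg.add_attachment(attachment.encode("ascii"), maintype="application",
                                   subtype="octet-stream", filename="eicar.com")
            messages.append(msg)
            manifest[msg_id] = target
    return messages, manifest


def send_corpus(messages, host, port=25, debug=True):
    """Send every message; return the logical outcome per Message-ID."""
    results = []
    with smtplib.SMTP(host, port) as smtp:
        smtp.set_debuglevel(1 if debug else 0)  # session-level trace on stderr
        for msg in messages:
            try:
                refused = smtp.send_message(msg)
                results.append((msg["Message-ID"], "accepted", refused))
            except smtplib.SMTPException as exc:
                results.append((msg["Message-ID"], "rejected", repr(exc)))
    return results


def check(manifest, observed):
    """Compare where each Message-ID was seen with where it should be.

    observed maps a target name to the text collected from it (mbox contents
    or log lines). Returns {message_id: "ok" | "missing" | "misrouted:<targets>"}.
    A message seen in its expected target AND elsewhere counts as misrouted,
    which catches spam that was logged but still delivered.
    """
    seen = {}
    for target, text in observed.items():
        for match in ID_RE.finditer(text):
            seen.setdefault(match.group(0), set()).add(target)
    report = {}
    for msg_id, expected in manifest.items():
        found = seen.get(msg_id, set())
        if found == {expected}:
            report[msg_id] = "ok"
        elif not found:
            report[msg_id] = "missing"
        else:
            report[msg_id] = "misrouted:" + ",".join(sorted(found))
    return report


if __name__ == "__main__":
    msgs, manifest = build_corpus(batch=1)
    # Constructed observation: nothing collected yet, so every message is missing.
    report = check(manifest, {"user_mailbox": "", "spam_log": ""})
    print(sum(v == "missing" for v in report.values()), "of", len(msgs), "missing")
```

Because only IDs listed in the manifest are reported, leftovers from an earlier batch in the same logs do not affect the result.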
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Sep 9 16:36:15 2008 Subject: ClamAV 0.94 In-Reply-To: <00de01c91287$6c726110$6000a8c0@tecnica> References: <05b401c911c1$0ee8fc00$6000a8c0@tecnica> <023401c911e0$e3b8b7d0$6000a8c0@tecnica> <48C57FD2.1050807@vanderkooij.org> <48C5D3A1.9010201@ddihealth.com> <00de01c91287$6c726110$6000a8c0@tecnica> Message-ID:

>
> I don't want to install a testing version on a production server, if it
> is not necessary
> somebody does have tested this lenny version on etch?
>
> Thank you .

Mailscanner is very stable, and many of us running production servers upgrade it regularly. You will either need to upgrade mailscanner or downgrade clamav.

You can read this post and try the attached clam wrapper, but make sure you back up anything you replace so you can go back if it breaks worse.

http://permalink.gmane.org/gmane.mail.virus.mailscanner/65912

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From octaviomaiden at yahoo.com Tue Sep 9 16:52:30 2008
From: octaviomaiden at yahoo.com (Octavio) Date: Tue Sep 9 16:52:42 2008 Subject: check PTR with MS In-Reply-To: <20080909145632.GE23322@cgi.jachomes.com> Message-ID: <779829.58049.qm@web38904.mail.mud.yahoo.com>

Hi,

I would like to know if it is possible to check:

  if the IP has a name
  if the name exists

similar to reject_unknown_client_hostname in postfix, but using a score.

The problem is that if I use it in postfix, there are some domains that I want to receive emails from, but they are being rejected.

Thanks

From jbuda at noticiasargentinas.com Tue Sep 9 16:58:16 2008
From: jbuda at noticiasargentinas.com (Jose Julian Buda) Date: Tue Sep 9 16:58:11 2008 Subject: ClamAV 0.94 on etch - SOLVED References: <05b401c911c1$0ee8fc00$6000a8c0@tecnica> <023401c911e0$e3b8b7d0$6000a8c0@tecnica> <48C57FD2.1050807@vanderkooij.org><48C5D3A1.9010201@ddihealth.com> <00de01c91287$6c726110$6000a8c0@tecnica> Message-ID: <019601c91294$df4dd6d0$6000a8c0@tecnica>

----- Original Message -----
From: "Jose Julian Buda" To: "MailScanner discussion" Sent: Tuesday, September 09, 2008 11:22 AM Subject: Re: ClamAV 0.94

>
> ----- Original Message -----
> From: "Jim Barber" > To: "MailScanner discussion" > Sent: Monday, September 08, 2008 10:38 PM > Subject: Re: ClamAV 0.94 > > >> Hugo van der Kooij wrote: >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> Scott Silva wrote: >>> >>>>> Now, the clamd daemon is running, how do i tell the mailscanner to use >>>>> it? >>> >>>> You will need to upgrade your mailscanner version. Debian uses a >>>> version >>>> that is probably 3 years old by now. In MailScanner time that is like >>>> 30 >>>> generations. >>> >>> In spam terms that is about 15 generations ago. >>> >>> I would recommend that Jules defines a version policy about how many >>> versions back something is considered too old to be even bothered with >>> and notification is send to the Debian team that their prehistoric >>> version is too old to keep in there system. >>> >>> Keeping up was my greatest concern in regard to building a repository >>> for MailScanner. >>> >>> Hugo. >>> >>> PS: Did anyone bother to check the awstats statistics? >> >> The version of MailScanner in Debian's testing / lenny distribution is >> 4.68.8. >> That's also really old, but it does have the ability to use clamd (I'm >> using it successfully). >> >> To use it I needed to add the Debian-exim user to the clamav group. >> I also added the clamav user to the Debian-exim group, but you may be >> able to avoid that by setting "Incoming Work Group = clamav" in the >> config below. 
>> >> Then you need set a few values in your /etc/MailScanner/MailScanner.conf >> file: >> >> Incoming Work Permissions = 0660 >> >> Virus Scanners = clamd >> >> Monitors for ClamAV Updates = /var/lib/clamav/*.inc/* >> /var/lib/clamav/*.cvd >> >> Regards, >> >> ---------- >> Jim Barber >> DDI Health >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> __________ Informacin de NOD32, revisin 3428 (20080909) __________ >> >> Este mensaje ha sido analizado con NOD32 antivirus system >> http://www.nod32.com >> >> > > > Can i use a lenny version on a production server ? > If i shouldn't, how can i make this version work? > This problem, i do not saw it yesterday with the clamav 0.93.3. > Is it really a MS problem? > However, i see that the clamav 0.94 is ok , if a try directly the wrapper > script: > > proxymails:~# /etc/MailScanner/wrapper/clamav-wrapper /usr > /root/.rnd: OK > /root/.bashrc: OK > /root/papa.txt: Eicar-Test-Signature FOUND > /root/.viminfo: OK > /root/.bash_history: OK > /root/.profile: OK > /root/balanceo: OK > /root/pepe.zip: Eicar-Test-Signature FOUND > /root/ipt.txt: OK > > ----------- SCAN SUMMARY ----------- > Known viruses: 416286 > Engine version: 0.94 > Scanned directories: 1 > Scanned files: 16 > Infected files: 2 > Data scanned: 0.61 MB > Time: 3.919 sec (0 m 3 s) > proxymails:~# > > > I dont want to install a testing version on a production server, if it is > not necesary > somebody does have tested this lenny version on etch? > > Thank you . > Jose Julian Buda > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 

Well, I did the test. I was receiving complaints from users about messages from the antivirus on the workstations' mail client...

wget http://debian.intergenia.de/debian/pool/main/m/mailscanner/mailscanner_4.68.8-1_all.deb
dpkg -i mailscanner_4.68.8-1_all.deb
..
mailscanner depends on libmailtools-perl (>= 2.02); however:
Version of libmailtools-perl on system is 1.74-1.
.....

That's it, no problem with that, I think...

Then, as I saw on a forum (http://www.bluequartz.us/phpBB2/viewtopic.php?p=232823&sid=3b26f0c29a1e0629cb27b3c5ba475852):

"have a look at /opt/MailScanner/lib/MailScanner/SweepViruses.pm, I comment out the following lines:

    if ($rarcmd && -x $rarcmd) {
        $Scanners{clamav}->{CommonOptions} .= " --unrar=$rarcmd";
        MailScanner::Log::InfoLog("ClamAV scanner using unrar command %s", $rarcmd);
    }
"

So I did it. Now, in the maillog I saw that clamav 0.94 is triggered OK, and:

proxymails:~# MailScanner --lint
Trying to setlogsock(unix)
Read 748 hostnames from the phishing whitelist
Could not read phishing blacklist file at /usr/share/MailScanner//MailScanner/Config.pm line 919
Checking version numbers...
Version number in MailScanner.conf (4.68.8) is correct.
ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf
ERROR: is not correct, it should match X-MailScanner-Envelope-From
MailScanner setting GID to (104)
MailScanner setting UID to (100)
Checking for SpamAssassin errors (if you use it)...
SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp
SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
Using SpamAssassin results cache
Connected to SpamAssassin cache database
config: SpamAssassin failed to parse line, "/usr/bin/pyzor" is not valid for "pyzor_path", skipping: pyzor_path /usr/bin/pyzor
config: failed to parse line, skipping, in "/etc/MailScanner/spam.assassin.prefs.conf": dcc_path /usr/bin/dccproc
SpamAssassin reported an error.
Using locktype = posix
MailScanner.conf says "Virus Scanners = clamav"
Found these virus scanners installed: clamav
===========================================================================
Virus and Content Scanning: Starting
./1/eicar.com: Eicar-Test-Signature FOUND
Virus Scanning: ClamAV found 1 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 1 viruses
Filename Checks: (1 eicar.com)
Other Checks: Found 1 problems
===========================================================================
Virus Scanner test reports:
ClamAV said "eicar.com contains Eicar-Test-Signature"
If any of your virus scanners (clamav) are not listed there, you should check that they are installed correctly and that MailScanner is finding them correctly via its virus.scanners.conf.
.......

There are some problems, as I see in the report, but I think it is not a big deal, am I right?

Thank you all.
Jose Julian Buda

From prandal at herefordshire.gov.uk Tue Sep 9 17:21:48 2008
From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Tue Sep 9 17:22:06 2008 Subject: ClamAV 0.94 on etch - SOLVED In-Reply-To: <019601c91294$df4dd6d0$6000a8c0@tecnica> References: <05b401c911c1$0ee8fc00$6000a8c0@tecnica> <023401c911e0$e3b8b7d0$6000a8c0@tecnica> <48C57FD2.1050807@vanderkooij.org><48C5D3A1.9010201@ddihealth.com><00de01c91287$6c726110$6000a8c0@tecnica> <019601c91294$df4dd6d0$6000a8c0@tecnica> Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA04A671C1@HC-MBX02.herefordshire.gov.uk>

A few changes:

Monitors for ClamAV Updates = /var/lib/clamav/*.cld /var/lib/clamav/*.cvd

Or whatever path is appropriate. That shouldn't matter unless you're using ClamAVModule, but I'm pedantic.

"ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf
ERROR: is not correct, it should match X-MailScanner-Envelope-From"

Check what they both are (the latter is in MailScanner.conf) and fix it to be consistent - this affects SPF handling, if I recall correctly.

Cheers,

Phil

--
Phil Randal
Networks Engineer
Herefordshire Council
Hereford, UK

From mark at msapiro.net Tue Sep 9 17:26:31 2008
From: mark at msapiro.net (Mark Sapiro) Date: Tue Sep 9 17:26:42 2008 Subject: Italian spam In-Reply-To: <021b01c9127f$9d6ea330$2501a8c0@dbdomain.database.it> References: <48C65110.1070908@di.unito.it> <021b01c9127f$9d6ea330$2501a8c0@dbdomain.database.it> Message-ID: <20080909162631.GA3016@msapiro>

On Tue, Sep 09, 2008 at 03:26:06PM +0200, Marcello Anderlini wrote:
> Hello, in my /etc/Mailscanner/spam.assassin.prefs.conf
>
> I have just this commented line:
> #bayes_path /var/spool/spamassassin/bayes

Do you have any uncommented bayes settings in spam.assassin.prefs.conf? In particular, 'use_bayes'. What does

grep bayes /etc/MailScanner/spam.assassin.prefs.conf |grep -v ^#

show?

>
> I have look all around and I don't found any bayes.mutex file.
> I have found only these files in /root/.spamassassin
> ==============
> -rw------- 1 root root 168 Sep 9 15:23 bayes_journal
> -rw------- 1 root root 172904448 Sep 9 15:23 bayes_seen
> -rw------- 1 root root 9105408 Sep 9 11:07 bayes_toks
> ==============
>
> I can set sa-learn to use this directory ?

If sa-learn is run by root without specifying a configuration file, it will use this directory by default. You can verify by noting if the timestamps are updated when you run sa-learn.

--
Mark Sapiro mark at msapiro net       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From ssilva at sgvwater.com Tue Sep 9 17:42:26 2008
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Sep 9 17:42:43 2008 Subject: Italian spam In-Reply-To: <20080909162631.GA3016@msapiro> References: <48C65110.1070908@di.unito.it> <021b01c9127f$9d6ea330$2501a8c0@dbdomain.database.it> <20080909162631.GA3016@msapiro> Message-ID:

>> I can set sa-learn to use this directory ?
>
>
> if sa-learn is run by root without specifying a configuration file,
> it will use this directory by default.
>

More recent versions of MailScanner have fixed this by adding a symlink from the spam.assassin.prefs.conf file to the spamassassin home directory (usually /etc/mail/spamassassin), named mailscanner.cf. This makes spamassassin run from the command line use the same settings as when mailscanner runs it. You will also need to uncomment that bayes path, and if you want to keep your existing bayes data you will want to dump/restore it or otherwise move it to the new path. This is especially important if you run an MTA other than sendmail, as most other MTAs don't run as root, and will not have access to /root/.spamassassin

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From drew.marshall at technologytiger.net Tue Sep 9 22:03:44 2008
From: drew.marshall at technologytiger.net (Drew Marshall) Date: Tue Sep 9 22:03:59 2008 Subject: AW: Using Spamd rather than the SpamAssassin Library In-Reply-To: <48C55287.8050608@coders.co.uk> References: <48C1941F.40703@coders.co.uk> <5851C691-2A38-40CC-9134-73427193F4D7@technologytiger.net> <48C1ACE0.5020708@coders.co.uk> <48C2E9B8.9090801@coders.co.uk> <520F0D8E-EA1E-499C-B899-FB0342DA061A@technologytiger.net> <48C52509.3080405@coders.co.uk> <7A9C1520-4D96-4DDE-B04C-1C690069A2BE@technologytiger.net> <48C55287.8050608@coders.co.uk> Message-ID: <74138C8F-AFE6-4D22-A5ED-546B6B049795@technologytiger.net> On 8 Sep 2008, at 17:27, Matt Hampton wrote: > Drew Marshall wrote: >> >> Interesting... So there is the potential that with say 10 children, >> each with 20 messages that I am going to need 200 SA children? I >> fear I will have run out of memory by then! Hmm... > Nope - they are processed sequentially - each batch will open a > connection for the first message, wait for the response, close the > connection, open the connection for the second message etc > > Once each message is finished there is a short delay whilst the > server thread shuts down (updating bayes etc) before it can be used > again. So it is possible for more than one child to be open per MS > Child. I had to resort to the non spamd config today. I just plain ran out of server before I had run out of messages :-( I hit my max SA children and with the box starting to swap and the load average at 18+ decided I ought to do something about it. In order to look at the load issue, can your changes allow SA to be fed via socket as that would save some overhead? I have also amended the time out per child as I am sure there is something fishy going on with SA scanning some types of mail. I see the spamd route as giving me a good chance to catch the culprits as I should be able to time out one child and therefore one message. 
Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by Technology Tiger's Mail Launder system Our email policy can be found at www.technologytiger.net/policy Technology Tiger Limited is registered in Scotland with registration number: 310997 Registered Office 55-57 West High Street Inverurie AB51 3QQ From spamlists at coders.co.uk Tue Sep 9 22:21:58 2008 From: spamlists at coders.co.uk (Matt Hampton) Date: Tue Sep 9 22:22:37 2008 Subject: AW: Using Spamd rather than the SpamAssassin Library In-Reply-To: <74138C8F-AFE6-4D22-A5ED-546B6B049795@technologytiger.net> References: <48C1941F.40703@coders.co.uk> <5851C691-2A38-40CC-9134-73427193F4D7@technologytiger.net> <48C1ACE0.5020708@coders.co.uk> <48C2E9B8.9090801@coders.co.uk> <520F0D8E-EA1E-499C-B899-FB0342DA061A@technologytiger.net> <48C52509.3080405@coders.co.uk> <7A9C1520-4D96-4DDE-B04C-1C690069A2BE@technologytiger.net> <48C55287.8050608@coders.co.uk> <74138C8F-AFE6-4D22-A5ED-546B6B049795@technologytiger.net> Message-ID: <48C6E8F6.2000105@coders.co.uk> Drew Marshall wrote: > > I had to resort to the non spamd config today. I just plain ran out of > server before I had run out of messages :-( > Grrr! > I hit my max SA children and with the box starting to swap and the > load average at 18+ decided I ought to do something about it. In order > to look at the load issue, can your changes allow SA to be fed via > socket as that would save some overhead? I take it you mean unix socket - if so yes - minor tweak required - I'll send a diff when is finished > I have also amended the time out per child as I am sure there is > something fishy going on with SA scanning some types of mail. I see > the spamd route as giving me a good chance to catch the culprits as I > should be able to time out one child and therefore one message. Some benefit then! matt From hvdkooij at vanderkooij.org Tue Sep 9 22:23:09 2008 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Tue Sep 9 22:23:26 2008
Subject: OT: awstats on yum repository
Message-ID: <48C6E93D.6030906@vanderkooij.org>

Hi,

I added some statistics specifically to track MailScanner downloads. For that I added the following lines to my awstats config:

ExtraSectionName1="MailScanner downloads by architecture"
ExtraSectionCodeFilter1="200 304"
ExtraSectionCondition1="URL,^\/el[45]\/.*"
ExtraSectionFirstColumnTitle1="Architecture"
ExtraSectionFirstColumnValues1="URL,^\/el[45]\/([A-Za-z0-9_]+)\/mailscanner-[0-9].*"
ExtraSectionFirstColumnFormat1="%s"
ExtraSectionStatTypes1=PBL
ExtraSectionAddAverageRow1=0
ExtraSectionAddSumRow1=1
MaxNbOfExtra1=20
MinHitExtra1=1

ExtraSectionName2="MailScanner wrapper downloads by architecture"
ExtraSectionCodeFilter2="200 304"
ExtraSectionCondition2="URL,^\/el[45]\/.*"
ExtraSectionFirstColumnTitle2="Architecture"
ExtraSectionFirstColumnValues2="URL,^\/el[45]\/([A-Za-z0-9_]+)\/mailscanner-wrapper-[0-9].*"
ExtraSectionFirstColumnFormat2="%s"
ExtraSectionStatTypes2=PBL
ExtraSectionAddAverageRow2=0
ExtraSectionAddSumRow2=1
MaxNbOfExtra2=20
MinHitExtra2=1

ExtraSectionName3="MailScanner downloads by version"
ExtraSectionCodeFilter3="200 304"
ExtraSectionCondition3="URL,^\/el[45]\/.*"
ExtraSectionFirstColumnTitle3="Version"
ExtraSectionFirstColumnValues3="URL,^\/el[45]\/[A-Za-z0-9_]+\/mailscanner-([0-9.]+).*"
ExtraSectionFirstColumnFormat3="%s"
ExtraSectionStatTypes3=PBL
ExtraSectionAddAverageRow3=0
ExtraSectionAddSumRow3=1
MaxNbOfExtra3=20
MinHitExtra3=1

Over time it will show how popular the repository is and Jules can use them to add to the general statistics.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

From spamlists at coders.co.uk Tue Sep 9 23:00:34 2008
From: spamlists at coders.co.uk (Matt Hampton)
Date: Tue Sep 9 23:02:03 2008
Subject: AW: Using Spamd rather than the SpamAssassin Library
In-Reply-To: <48C6E8F6.2000105@coders.co.uk>
References: <48C1941F.40703@coders.co.uk> <5851C691-2A38-40CC-9134-73427193F4D7@technologytiger.net> <48C1ACE0.5020708@coders.co.uk> <48C2E9B8.9090801@coders.co.uk> <520F0D8E-EA1E-499C-B899-FB0342DA061A@technologytiger.net> <48C52509.3080405@coders.co.uk> <7A9C1520-4D96-4DDE-B04C-1C690069A2BE@technologytiger.net> <48C55287.8050608@coders.co.uk> <74138C8F-AFE6-4D22-A5ED-546B6B049795@technologytiger.net> <48C6E8F6.2000105@coders.co.uk>
Message-ID: <48C6F202.8080206@coders.co.uk>

Matt Hampton wrote:
> I take it you mean unix socket - if so yes - minor tweak required -
> I'll send a diff when it is finished
OK - have updated the file on the webserver

http://www.coders.co.uk/SA.pm

if you specify a path with at least one "/" in it

spamd serv = /some/path

it will ignore the port and call the client with socketpath

matt

From ssilva at sgvwater.com Tue Sep 9 23:24:11 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Sep 9 23:24:34 2008
Subject: OT: awstats on yum repository
In-Reply-To: <48C6E93D.6030906@vanderkooij.org>
References: <48C6E93D.6030906@vanderkooij.org>
Message-ID:

on 9-9-2008 2:23 PM Hugo van der Kooij spake the following:
> Hi,
>
> I added some statistics specifically to track MailScanner downloads. For
> that I added the following lines to my awstats config:
>
Just for fun I took a look and I get a 403 error.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From allan at zandahar.net Wed Sep 10 05:11:03 2008
From: allan at zandahar.net (Allan Spencer)
Date: Wed Sep 10 05:11:27 2008
Subject: Training MS/SA & Mailwatch
Message-ID: <48C748D7.9060908@zandahar.net>

Firstly please forgive me for being a bit of a newb but am looking at trying to train our MS/SA system to catch some of the spam that's getting through hopefully through the Mailwatch UI. Our MS doesn't accept any local mail and relays off to various Lotus Domino servers so not sure if this has an impact on the training capabilities

Running Centos 4.x MS 4.71, SA 3.2.5, & ClamAV 0.94

The only other SA rules I've added are the KAM ones and I *THINK* I've got fuzzyocr working (which I will probably ditch shortly)

In MW messages that have already been caught as a virus show me the option to learn as spam/ham (even though this is obvious) but no other messages give me this option.

At the moment just need some starting points and directions towards a newb guide and maybe someone to have a glance over config file and --lint outputs to verify

Cheers
Allan

From hvdkooij at vanderkooij.org Wed Sep 10 06:39:47 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Wed Sep 10 06:39:59 2008
Subject: OT: awstats on yum repository
In-Reply-To:
References: <48C6E93D.6030906@vanderkooij.org>
Message-ID: <48C75DA3.4060608@vanderkooij.org>

Scott Silva wrote:
> on 9-9-2008 2:23 PM Hugo van der Kooij spake the following:
>> Hi,
>>
>> I added some statistics specifically to track MailScanner downloads. For
>> that I added the following lines to my awstats config:
>>
> Just for fun I took a look and I get a 403 error.

That is the referer spam protection. I need to whitelist people explicitly to see the awstats pages. Otherwise I get loads of dummy requests just so that spammers can get their website listed in the referer section of the report.

I have not yet found a way to limit this to only the referer section.

Hugo.

From martinh at solidstatelogic.com Wed Sep 10 07:23:18 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Wed Sep 10 07:19:16 2008
Subject: Training MS/SA & Mailwatch
Message-ID:

Allan

This is more of a MW question, so best to ask on that list. But a pointer is that you need to 'store' all messages as an action for spam and non spam, so MW can have access to the message in order to learn them.

As for off-host learning, best option is an Imap folder for spam and ham, then use one of many perl scripts floating about the SA site to pull them into your local bayes db.

Have a look in the MS wiki also for a section on getting the most out of spamassassin.

--
martin

**********************************************************************

Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer.
Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer.
Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us.
Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free.

Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales (Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom
**********************************************************************

From drew.marshall at technologytiger.net Wed Sep 10 08:48:38 2008
From: drew.marshall at technologytiger.net (Drew Marshall)
Date: Wed Sep 10 08:48:59 2008
Subject: AW: Using Spamd rather than the SpamAssassin Library
In-Reply-To: <48C6F202.8080206@coders.co.uk>
References: <48C1941F.40703@coders.co.uk> <5851C691-2A38-40CC-9134-73427193F4D7@technologytiger.net> <48C1ACE0.5020708@coders.co.uk> <48C2E9B8.9090801@coders.co.uk> <520F0D8E-EA1E-499C-B899-FB0342DA061A@technologytiger.net> <48C52509.3080405@coders.co.uk> <7A9C1520-4D96-4DDE-B04C-1C690069A2BE@technologytiger.net> <48C55287.8050608@coders.co.uk> <74138C8F-AFE6-4D22-A5ED-546B6B049795@technologytiger.net> <48C6E8F6.2000105@coders.co.uk> <48C6F202.8080206@coders.co.uk>
Message-ID:

On 9 Sep 2008, at 23:00, Matt Hampton wrote:

> Matt Hampton wrote:
>> I take it you mean unix socket - if so yes - minor tweak required -
>> I'll send a diff when it is finished
> OK - have updated the file on the webserver
>
> http://www.coders.co.uk/SA.pm
>
> if you specify a path with at least one "/" in it
>
> spamd serv = /some/path
>
> it will ignore the port and call the client with socketpath

Ok done this and it's now reporting 'Failed to create connection to spamd daemon: Connection refused' in debug (Mind you the mail doesn't half go through quick like that, although spam does increase a fair bit!). As far as I can see the socket is correct with correct permissions and I have even moved it to /tmp to make sure it's not a permissions error in the directories above.

Any ideas?

Drew

From swati.meghanand at gmail.com Wed Sep 10 09:54:43 2008
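Matt's rule for the `spamd serv` value (a "/" anywhere means Unix socket path, otherwise a host used with the port) and the "Connection refused" error reported above can be checked outside MailScanner. The Python probe below is an added example, not part of SA.pm or of any message in this thread: it applies that rule, sends a spamd PING and maps each connect failure to its cause. The function names, the default port 783 and the helper sockets are assumptions of the example.

```python
import errno
import os
import socket
import stat
import threading


def classify_target(value):
    """Rule from the thread: a value with at least one "/" is a Unix socket path."""
    return ("unix", value) if "/" in value else ("tcp", value)


def probe_spamd(value, port=783, timeout=5.0):
    """Connect the way the setting would be interpreted and send a PING.

    Returns (status, detail); status is one of
    ok, missing, not-a-socket, permission, refused, timeout, error.
    """
    kind, target = classify_target(value)
    if kind == "unix":
        try:
            mode = os.stat(target).st_mode
        except FileNotFoundError:
            return "missing", f"{target} does not exist"
        except PermissionError:
            return "permission", f"cannot search a directory above {target}"
        if not stat.S_ISSOCK(mode):
            return "not-a-socket", f"{target} exists but is not a socket"
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        address = target
    else:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        address = (target, port)
    sock.settimeout(timeout)
    try:
        sock.connect(address)
        sock.sendall(b"PING SPAMC/1.2\r\n\r\n")
        reply = sock.recv(256).decode("ascii", "replace").strip()
    except ConnectionRefusedError:
        # On a Unix socket: the file exists and is reachable, but no process
        # is listening on it. Permission problems raise EACCES instead.
        return "refused", f"nothing is accepting connections on {target}"
    except PermissionError:
        return "permission", f"no write permission on {target}"
    except socket.timeout:
        return "timeout", f"no answer from {target} within {timeout}s"
    except OSError as exc:
        return "error", f"{errno.errorcode.get(exc.errno, exc.errno)}: {exc.strerror}"
    finally:
        sock.close()
    if reply.startswith("SPAMD/") and "PONG" in reply:
        return "ok", reply
    return "error", f"unexpected reply: {reply!r}"


def fake_spamd(path):
    """Constructed stand-in for spamd: answers a single PING on a Unix socket."""
    server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    server.bind(path)
    server.listen(1)

    def serve():
        conn, _ = server.accept()
        with conn:
            conn.recv(256)
            conn.sendall(b"SPAMD/1.5 0 PONG\r\n")
        server.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return thread


def stale_socket(path):
    """Constructed failure case: a socket file that no process listens on."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(path)
    s.close()  # the file stays on disk after the socket is closed


if __name__ == "__main__":
    import sys
    for value in sys.argv[1:]:
        print(value, *probe_spamd(value))
```
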
From: swati.meghanand at gmail.com (Swati Meghanand)
Date: Wed Sep 10 09:54:53 2008
Subject: Spamassassin Timeout issue.
Message-ID: <424c10260809100154v4d47738bg16e47138cde6b049@mail.gmail.com>

Hi,

I'm using mailscanner on a busy mail gateways from several months, which was working fine so far. From last few days I noticed increased no of spam mails as well log Filtering queues (of course slow processing of mailscanner). In log file of mailscanner I found following lines,

Sep 10 04:47:29 localhost MailScanner[11027]: Virus and Content Scanning: Starting
Sep 10 04:47:37 localhost MailScanner[8400]: SpamAssassin timed out and was killed, failure 8 of 20
Sep 10 04:47:37 localhost MailScanner[8680]: SpamAssassin timed out and was killed, failure 14 of 20
Sep 10 04:47:38 localhost MailScanner[8680]: Message 1KdL6x-0005q5-L3 from xx.xx.xx.xx (xxx@xxx.x) to xxx.xx is not spam, SpamAssassin (not cached, timed out)
Sep 10 04:47:38 localhost MailScanner[8400]: Message 1KdLDG-0006se-Ox from xx.xx.xx.xx (xxx@xx.xxx) to xxx.xx is not spam, SpamAssassin (not cached, timed out)

it clearly indicates mailscanner is not (able to) scanning messages.

Any idea about this issue.

Thanks in advance :-)

Regards

Swati Meghanand

From martinh at solidstatelogic.com Wed Sep 10 10:10:31 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Wed Sep 10 10:10:42 2008
Subject: Spamassassin Timeout issue.
In-Reply-To: <424c10260809100154v4d47738bg16e47138cde6b049@mail.gmail.com>
Message-ID:

Hi

Have a look in the wiki about getting the most of spamassassin..

http://wiki.mailscanner.info/doku.php?id=maq:index&s=spamassassin#getting_the_best_out_of_spamassassin

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From m.anderlini at database.it Wed Sep 10 11:11:15 2008
From: m.anderlini at database.it (Marcello Anderlini)
Date: Wed Sep 10 11:11:40 2008
Subject: R: Italian spam
In-Reply-To: <20080909162631.GA3016@msapiro>
References: <48C65110.1070908@di.unito.it><021b01c9127f$9d6ea330$2501a8c0@dbdomain.database.it> <20080909162631.GA3016@msapiro>
Message-ID: <004901c9132d$8f3103e0$2501a8c0@dbdomain.database.it>

This is the result of your suggested command:

=================
bayes_auto_expire 0
bayes_ignore_header X-MailScanner
bayes_ignore_header X-MailScanner-SpamCheck
bayes_ignore_header X-MailScanner-SpamScore
bayes_ignore_header X-MailScanner-Information
=================

I have also noticed that if I run these commands from crontab I found two files (bayes_seen and bayes_toks) in /.spamassassin directory. Instead, if I run these commands directly from the "prompt", no new files are written in /.spamassassin directory !?

============
sa-learn --spam --no-sync --mbox /var/mail/spam
sa-learn --ham --mbox --no-sync /var/mail/notspam
sa-learn --sync

I have also checked (as suggested in one other email) and I have a link between
/etc/mail/spamassassin/mailscanner.cf -> /etc/MailScanner/spam.assassin.prefs.conf

Dr. Marcello Anderlini
m.anderlini@database.it
---------------------------------------------
Database Informatica S.r.l.
Microsoft Certified Partner
Tel. +39059775070
Fax. +39059779545
http://www.database.it
---------------------------------------------

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Mark Sapiro
Sent: Tuesday 9 September 2008 18:27
To: MailScanner discussion
Subject: Re: Italian spam

On Tue, Sep 09, 2008 at 03:26:06PM +0200, Marcello Anderlini wrote:
> Hello, in my /etc/Mailscanner/spam.assassin.prefs.conf
>
> I have just this commented line:
> #bayes_path /var/spool/spamassassin/bayes

Do you have any uncommented bayes settings in spam.assassin.prefs.conf? In particular, 'use_bayes'. What does

grep bayes /etc/MailScanner/spam.assassin.prefs.conf |grep -v ^#

show?

>
> I have look all around and I don't found any bayes.mutex file.
> I have found only these files in /root/.spamassassin
> ==============
> -rw------- 1 root root 168 Sep 9 15:23 bayes_journal
> -rw------- 1 root root 172904448 Sep 9 15:23 bayes_seen
> -rw------- 1 root root 9105408 Sep 9 11:07 bayes_toks
> ==============
>
> I can set sa-learn to use this directory ?

if sa-learn is run by root without specifying a configuration file, it will use this directory by default. You can verify by noting if the timestamps are updated when you run sa-learn.

--
Mark Sapiro mark at msapiro net       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

--
Message checked by the Database Informatica antivirus service

From alex at rtpty.com Wed Sep 10 14:51:35 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Wed Sep 10 14:51:51 2008
Subject: Spamassassin Timeout issue.
In-Reply-To: <424c10260809100154v4d47738bg16e47138cde6b049@mail.gmail.com>
References: <424c10260809100154v4d47738bg16e47138cde6b049@mail.gmail.com>
Message-ID: <8558A6EA-BFAA-4418-9C22-6A840146B7E1@rtpty.com>

It's actually quite clearly indicating the opposite. You are not reading the logs right. If spamassassin is timing out, you need to take care of that. What caching nameserver are you running on that box?

Sent from my iPhone
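The five log lines under discussion can be read mechanically. The Python script below is an added example, not MailScanner code and not written by anyone in this thread: it tallies the SpamAssassin timeout counter per MailScanner child and lists the messages whose "not spam" verdict was recorded with "timed out" in place of a score. The regular expressions and the 50% warning threshold are assumptions inferred from the quoted lines; what MailScanner does when the counter reaches its limit is not stated in the thread.

```python
import re
from collections import defaultdict

# The five syslog lines quoted in the thread (already redacted by the poster).
SAMPLE_LOG = """\
Sep 10 04:47:29 localhost MailScanner[11027]: Virus and Content Scanning: Starting
Sep 10 04:47:37 localhost MailScanner[8400]: SpamAssassin timed out and was killed, failure 8 of 20
Sep 10 04:47:37 localhost MailScanner[8680]: SpamAssassin timed out and was killed, failure 14 of 20
Sep 10 04:47:38 localhost MailScanner[8680]: Message 1KdL6x-0005q5-L3 from xx.xx.xx.xx (xxx@xxx.x) to xxx.xx is not spam, SpamAssassin (not cached, timed out)
Sep 10 04:47:38 localhost MailScanner[8400]: Message 1KdLDG-0006se-Ox from xx.xx.xx.xx (xxx@xx.xxx) to xxx.xx is not spam, SpamAssassin (not cached, timed out)
"""

# Patterns inferred from the lines above; assumptions, not a format spec.
PREFIX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ MailScanner\[(?P<pid>\d+)\]: (?P<msg>.*)$")
TIMEOUT = re.compile(
    r"SpamAssassin timed out and was killed, failure (\d+) of (\d+)")
VERDICT = re.compile(
    r"Message (?P<id>\S+) from \S+ \(\S*\) to \S+ is (?P<verdict>not spam|spam), "
    r"SpamAssassin \((?P<detail>.*)\)$")


def analyse(lines, warn_ratio=0.5):
    """Return (children, unscanned, at_risk).

    children  : {pid: {"failures": highest counter seen, "limit": N in "of N"}}
    unscanned : messages whose verdict detail says the spam check timed out
    at_risk   : pids that have used at least warn_ratio of their failure limit
    """
    children = defaultdict(lambda: {"failures": 0, "limit": 0})
    unscanned = []
    for line in lines:
        m = PREFIX.match(line.strip())
        if not m:
            continue
        pid, msg = int(m["pid"]), m["msg"]
        t = TIMEOUT.search(msg)
        if t:
            children[pid]["failures"] = max(children[pid]["failures"], int(t[1]))
            children[pid]["limit"] = int(t[2])
            continue
        v = VERDICT.search(msg)
        if v and "timed out" in v["detail"]:
            # The verdict exists, but no SpamAssassin score stands behind it.
            unscanned.append({"ts": m["ts"], "pid": pid,
                              "id": v["id"], "verdict": v["verdict"]})
    at_risk = sorted(pid for pid, c in children.items()
                     if c["limit"] and c["failures"] / c["limit"] >= warn_ratio)
    return dict(children), unscanned, at_risk


def report(lines):
    """Human-readable summary of analyse()."""
    children, unscanned, at_risk = analyse(lines)
    out = []
    for pid in sorted(children):
        c = children[pid]
        flag = "  <-- at least half of the allowed failures" if pid in at_risk else ""
        out.append(f"child {pid}: timeout failure {c['failures']} of {c['limit']}{flag}")
    for u in unscanned:
        out.append(f"{u['ts']} {u['id']}: recorded as '{u['verdict']}' "
                   f"without a SpamAssassin score (child {u['pid']})")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG.splitlines()))
```
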
From swati.meghanand at gmail.com Wed Sep 10 15:05:34 2008 
From: swati.meghanand at gmail.com (Swati Meghanand)
Date: Wed Sep 10 15:05:46 2008
Subject: Spamassassin Timeout issue.
In-Reply-To: <8558A6EA-BFAA-4418-9C22-6A840146B7E1@rtpty.com>
References: <424c10260809100154v4d47738bg16e47138cde6b049@mail.gmail.com> <8558A6EA-BFAA-4418-9C22-6A840146B7E1@rtpty.com>
Message-ID: <424c10260809100705k5b2714c4y4a286c9bc59f4383@mail.gmail.com>

hi,

I am not running any name server on the same machine, actually I am having a fail-over cluster of 3 machines having same configuration/setting. I am facing this prob in 2 machines, the other, that's the 3rd, is running smoothly...
When I restart machine it works well for at least 12-15 Hrs. (But restarting Mailscanner didn't help me)

Did u mean this could be a DNS related issue....

Regards,

Swati Meghanand

From alex at rtpty.com Wed Sep 10 15:22:03 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Wed Sep 10 15:22:21 2008
Subject: Spamassassin Timeout issue.
In-Reply-To: <424c10260809100705k5b2714c4y4a286c9bc59f4383@mail.gmail.com>
References: <424c10260809100154v4d47738bg16e47138cde6b049@mail.gmail.com> <8558A6EA-BFAA-4418-9C22-6A840146B7E1@rtpty.com> <424c10260809100705k5b2714c4y4a286c9bc59f4383@mail.gmail.com>
Message-ID:

When spamassassin times out, it usually is because of a DNS issue. Restarting works in your case probably because people trying to connect to your server "back off" when you restart it because to them it looks like your server died. They take pity and don't bother it for a while. When they see it back online, the load and backlog rises.

Sent from my iPhone

From m.anderlini at database.it Wed Sep 10 15:59:25 2008
From: m.anderlini at database.it (Marcello Anderlini) Date: Wed Sep 10 15:59:48 2008 Subject: R: Spamassassin Timeout issue. In-Reply-To: References: <424c10260809100154v4d47738bg16e47138cde6b049@mail.gmail.com><8558A6EA-BFAA-4418-9C22-6A840146B7E1@rtpty.com><424c10260809100705k5b2714c4y4a286c9bc59f4383@mail.gmail.com> Message-ID: <000301c91355$d0d6dd60$2501a8c0@dbdomain.database.it> I beg your pardon but I have the same problem and I looking for a solution since many month. On my system is installed a dns server resolving also our domain. Very often during the day, unexpectedly without change nothing spamassassin starts to run very slowly. I have followed all the tips founded but without success. Could be a dns problem ? This is my extract from my dns configuration. Is it enough to set it also as a cache dns ? Thanks and sorry for my worst english. ====================== options { # file di boot per named directory "/var/named"; forwarders { 83.216.172.1;83.216.172.2;213.234.128.211; }; query-source address * port 53; }; logging { channel local_log { /* * Use a file channnel. The file is * /var/log/named.log. [Why the ".log" * suffix?] Keep 2 versions of the file * and don't let it get bigger than 1 Mb. */ # file "/var/log/named.log" file "/var/log/named/named.log" versions 2 size 1M; print-time yes; }; category default { /* * Send every log category to the * local_log channel defined above. */ local_log; }; }; ====================== Dr. Marcello Anderlini m.anderlini@database.it --------------------------------------------- Database Informatica S.r.l. Microsoft Certified Partner Tel. +39059775070 Fax. +39059779545 http://www.database.it --------------------------------------------- ________________________________ Da: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] Per conto di Alex Neuman van der Hans Inviato: mercoled? 
10 settembre 2008 16.22 A: MailScanner discussion Cc: MailScanner discussion Oggetto: Re: Spamassassin Timeout issue. When spamassassin times out, it usually is because of a DNS issue. Restarting works in your case probably because people trying to connect to your server "back off" when you restart it because to them it looks like your server died. They take pity and don't bother it for a while. When they see it back online, the load and backlog rises. Sent from my iPhone On Sep 10, 2008, at 9:05 AM, "Swati Meghanand" wrote: hi, I am not running any name server on the same machine, actually I am having a fail-over cluster of 3 machine having same configuration/setting I facing this prob in 2 machines the another thts 3rd is running smoothly... When I restart machine it works well for atleast 12-15 Hrs.(But restarting Mailscanner didn't helped me) Did u mean this could be a DNS related issue.... Regards, Swati Meghanand 2008/9/10 Alex Neuman van der Hans < alex@rtpty.com> It's actually quite clearly indicating the opposite. You are not reading the logs right. If spamassassin is timing out, you need to take care of that. What caching nameserver are you running on that box? 
Sent from my iPhone On Sep 10, 2008, at 3:54 AM, "Swati Meghanand" < swati.meghanand@gmail.com> wrote: Hi, I'm using mailscanner on a busy mail gateways from serveral months, which was working fine so far.From last few days I noticed incresed no of spam mails as well log Filtering queues (ofcourse slow processing of mailscanner).In log file of mailscanner I found following lines, Sep 10 04:47:29 localhost MailScanner[11027]: Virus and Content Scanning: Starting Sep 10 04:47:37 localhost MailScanner[8400]: SpamAssassin timed out and was killed, failure 8 of 20 Sep 10 04:47:37 localhost MailScanner[8680]: SpamAssassin timed out and was killed, failure 14 of 20 Sep 10 04:47:38 localhost MailScanner[8680]: Message 1KdL6x-0005q5-L3 from xx.xx.xx.xx (xxx@xxx.x) to xxx.xx is not spam, SpamAssassin (not cached, timed out) Sep 10 04:47:38 localhost MailScanner[8400]: Message 1KdLDG-0006se-Ox from xx.xx.xx.xx (xxx@xx.xxx) to xxx.xx is not spam, SpamAssassin (not cached, timed out) it clealy indicates mailscanner is not (able to) scanning messages. Any idea about this issue. Thanks in advance :-) Regards Swati Meghanand -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- Messaggio verificato dal servizio antivirus di Database Informatica . 
From alex at rtpty.com Wed Sep 10 16:18:06 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Wed Sep 10 16:18:20 2008
Subject: R: Spamassassin Timeout issue.
In-Reply-To: <000301c91355$d0d6dd60$2501a8c0@dbdomain.database.it>
References: <424c10260809100154v4d47738bg16e47138cde6b049@mail.gmail.com><8558A6EA-BFAA-4418-9C22-6A840146B7E1@rtpty.com><424c10260809100705k5b2714c4y4a286c9bc59f4383@mail.gmail.com> <000301c91355$d0d6dd60$2501a8c0@dbdomain.database.it>
Message-ID:

Install a caching nameserver on your box and make sure it has access to the outside world. You may also want to use opendns as your forwarders since they can be faster than some ISP DNS servers.

Your internal DNS - I'm guessing here... - is probably windows based. In my experience this is usually not good.

Sent from my iPhone

On Sep 10, 2008, at 9:59 AM, "Marcello Anderlini" wrote:

> I beg your pardon but I have the same problem and I looking for a
> solution since many month.
>
> On my system is installed a dns server resolving also our domain.
>
> Very often during the day, unexpectedly without change nothing
> spamassassin starts to run very slowly.
> I have followed all the tips founded but without success. Could be a
> dns problem ?
> This is my extract from my dns configuration. Is it enough to set it
> also as a cache dns ?
>
> Thanks and sorry for my worst english.
>
> ======================
> options {
>         # boot file for named
>         directory "/var/named";
>         forwarders { 83.216.172.1;83.216.172.2;213.234.128.211; };
>         query-source address * port 53;
> };
>
> logging {
>         channel local_log {
>                 /*
>                  * Use a file channel. The file is
>                  * /var/log/named.log. [Why the ".log"
>                  * suffix?] Keep 2 versions of the file
>                  * and don't let it get bigger than 1 Mb.
>                  */
>                 # file "/var/log/named.log"
>                 file "/var/log/named/named.log"
>                         versions 2 size 1M;
>                 print-time yes;
>         };
>         category default {
>                 /*
>                  * Send every log category to the
>                  * local_log channel defined above.
>                  */
>                 local_log;
>         };
> };
> ======================
>
> Dr. Marcello Anderlini
> m.anderlini@database.it
> ---------------------------------------------
> Database Informatica S.r.l.
> Microsoft Certified Partner
> Tel. +39059775070
> Fax. +39059779545
> http://www.database.it
> ---------------------------------------------
>
> ________________________________
>
> Da: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] Per conto di
> Alex Neuman van der Hans
> Inviato: mercoledì 10 settembre 2008 16.22
> A: MailScanner discussion
> Cc: MailScanner discussion
> Oggetto: Re: Spamassassin Timeout issue.
>
> When spamassassin times out, it usually is because of a DNS issue.
> Restarting works in your case probably because people trying to
> connect to your server "back off" when you restart it because to them
> it looks like your server died. They take pity and don't bother it for
> a while. When they see it back online, the load and backlog rises.
>
> Sent from my iPhone
>
> On Sep 10, 2008, at 9:05 AM, "Swati Meghanand" wrote:
>
> hi,
>
> I am not running any name server on the same machine, actually I am
> having a fail-over cluster of 3 machine having same configuration/setting
> I am facing this prob in 2 machines the another that's 3rd is running
> smoothly...
>
> When I restart machine it works well for at least 12-15 Hrs. (But
> restarting Mailscanner didn't help me)
>
> Did you mean this could be a DNS related issue....
>
> Regards,
>
> Swati Meghanand
>
> 2008/9/10 Alex Neuman van der Hans <alex@rtpty.com>
>
> It's actually quite clearly indicating the opposite. You are
> not reading the logs right.
From prandal at herefordshire.gov.uk Wed Sep 10 16:29:24 2008
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Wed Sep 10 16:29:39 2008
Subject: Spamassassin Timeout issue.
In-Reply-To: <000301c91355$d0d6dd60$2501a8c0@dbdomain.database.it>
References: <424c10260809100154v4d47738bg16e47138cde6b049@mail.gmail.com><8558A6EA-BFAA-4418-9C22-6A840146B7E1@rtpty.com><424c10260809100705k5b2714c4y4a286c9bc59f4383@mail.gmail.com> <000301c91355$d0d6dd60$2501a8c0@dbdomain.database.it>
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA04A6739F@HC-MBX02.herefordshire.gov.uk>

"query-source address * port 53;"

Eek!

Repeat after me 10 times: "Dan Kaminsky".

Time to do a sanity check on all your DNS setups to ensure you have current BINDs with randomised source ports for queries.

Cheers,

Phil

--
Phil Randal
Networks Engineer
Herefordshire Council
Hereford, UK

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Marcello Anderlini
Sent: 10 September 2008 15:59
To: 'MailScanner discussion'
Subject: R: Spamassassin Timeout issue.

I beg your pardon but I have the same problem and I looking for a solution since many month.

On my system is installed a dns server resolving also our domain.

Very often during the day, unexpectedly without change nothing spamassassin starts to run very slowly.
I have followed all the tips founded but without success. Could be a dns problem ?
This is my extract from my dns configuration. Is it enough to set it also as a cache dns ?

Thanks and sorry for my worst english.

======================
options {
        # boot file for named
        directory "/var/named";
        forwarders { 83.216.172.1;83.216.172.2;213.234.128.211; };
        query-source address * port 53;
};

logging {
        channel local_log {
                /*
                 * Use a file channel. The file is
                 * /var/log/named.log. [Why the ".log"
                 * suffix?] Keep 2 versions of the file
                 * and don't let it get bigger than 1 Mb.
                 */
                # file "/var/log/named.log"
                file "/var/log/named/named.log"
                        versions 2 size 1M;
                print-time yes;
        };
        category default {
                /*
                 * Send every log category to the
                 * local_log channel defined above.
                 */
                local_log;
        };
};
======================

Dr. Marcello Anderlini
m.anderlini@database.it
---------------------------------------------
Database Informatica S.r.l.
Microsoft Certified Partner
Tel. +39059775070
Fax. +39059779545
http://www.database.it
---------------------------------------------

________________________________

Da: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] Per conto di Alex Neuman van der Hans
Inviato: mercoledì 10 settembre 2008 16.22
A: MailScanner discussion
Cc: MailScanner discussion
Oggetto: Re: Spamassassin Timeout issue.

When spamassassin times out, it usually is because of a DNS issue.
From m.anderlini at database.it Wed Sep 10 16:39:51 2008
From: m.anderlini at database.it (Marcello Anderlini)
Date: Wed Sep 10 16:40:21 2008
Subject: R: Spamassassin Timeout issue.
In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA04A6739F@HC-MBX02.herefordshire.gov.uk>
References: <424c10260809100154v4d47738bg16e47138cde6b049@mail.gmail.com><8558A6EA-BFAA-4418-9C22-6A840146B7E1@rtpty.com><424c10260809100705k5b2714c4y4a286c9bc59f4383@mail.gmail.com><000301c91355$d0d6dd60$2501a8c0@dbdomain.database.it> <7EF0EE5CB3B263488C8C18823239BEBA04A6739F@HC-MBX02.herefordshire.gov.uk>
Message-ID: <000001c9135b$76c0ac60$2501a8c0@dbdomain.database.it>

I beg your pardon but I do not understand your email. Could you please be more clear and "easy step" :-)

Why "query-source address * port 53;" should be wrong ???

Thanks again.

Dr. Marcello Anderlini
m.anderlini@database.it
---------------------------------------------
Database Informatica S.r.l.
Microsoft Certified Partner
Tel. +39059775070
Fax. +39059779545
http://www.database.it
---------------------------------------------

-----Messaggio originale-----
Da: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] Per conto di Randal, Phil
Inviato: mercoledì 10 settembre 2008 17.29
A: MailScanner discussion
Oggetto: RE: Spamassassin Timeout issue.

"query-source address * port 53;"

Eek!

Repeat after me 10 times: "Dan Kaminsky".

Time to do a sanity check on all your DNS setups to ensure you have current BINDs with randomised source ports for queries.

Cheers,

Phil

--
Phil Randal
Networks Engineer
Herefordshire Council
Hereford, UK
From m.anderlini at database.it Wed Sep 10 16:40:17 2008
From: m.anderlini at database.it (Marcello Anderlini)
Date: Wed Sep 10 16:41:06 2008
Subject: R:Re: R: Spamassassin Timeout issue.
In-Reply-To:
References: <424c10260809100154v4d47738bg16e47138cde6b049@mail.gmail.com><8558A6EA-BFAA-4418-9C22-6A840146B7E1@rtpty.com><424c10260809100705k5b2714c4y4a286c9bc59f4383@mail.gmail.com><000301c91355$d0d6dd60$2501a8c0@dbdomain.database.it>
Message-ID: <000101c9135b$868080d0$2501a8c0@dbdomain.database.it>

No it's non windows based, It's bind running on centos 4.x.

I would like to know if someone could explain me if my dns configuration it's correct.

Thanks again

Dr. Marcello Anderlini
m.anderlini@database.it
---------------------------------------------
Database Informatica S.r.l.
Microsoft Certified Partner
Tel. +39059775070
Fax. +39059779545
http://www.database.it
---------------------------------------------

-----Messaggio originale-----
Da: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] Per conto di Alex Neuman van der Hans
Inviato: mercoledì 10 settembre 2008 17.18
A: MailScanner discussion
Oggetto: [spam] Re: R: Spamassassin Timeout issue.

Install a caching nameserver on your box and make sure it has access to the outside world. You may also want to use opendns as your forwarders since they can be faster than some ISP DNS servers.

Your internal DNS - I'm guessing here... - is probably windows based. In my experience this is usually not good.

Sent from my iPhone

On Sep 10, 2008, at 9:59 AM, "Marcello Anderlini" wrote:

> I beg your pardon but I have the same problem and I looking for a
> solution since many month.
>
> On my system is installed a dns server resolving also our domain.
>
> Very often during the day, unexpectedly without change nothing
> spamassassin starts to run very slowly.
> I have followed all the tips founded but without success. Could be a
> dns problem ?
> This is my extract from my dns configuration. Is it enough to set it
> also as a cache dns ?
From mkercher at nfsmith.com Wed Sep 10 16:54:30 2008
From: mkercher at nfsmith.com (Mike Kercher)
Date: Wed Sep 10 16:55:11 2008
Subject: WMV's Getting Through
Message-ID: <224FA7E11EA39E45843E11CEBBD3A36FEBFE7C@HOUPEX01.nfsmith.info>

Recently, .WMV files have started being delivered through my MS boxes. I ran file against one of the attachments:

file JobMarket-2010.wmv
JobMarket-2010.wmv: Microsoft ASF

In my filetype.rules.conf, I have:

deny ASF No Windows media No Windows media files allowed

This hasn't been changed in a LONG time

I even tried adding \.wmv$ to filename.rules.conf, but they are still coming through. The only thing I see in the logs is that the email is too big for spam checks (is too big for spam checks (6657685 > 150000 bytes))

Any idea what I'm missing here?

TIA

Mike

From prandal at herefordshire.gov.uk Wed Sep 10 16:58:54 2008
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Wed Sep 10 16:59:13 2008
Subject: Spamassassin Timeout issue.
In-Reply-To: <000001c9135b$76c0ac60$2501a8c0@dbdomain.database.it>
References: <424c10260809100154v4d47738bg16e47138cde6b049@mail.gmail.com><8558A6EA-BFAA-4418-9C22-6A840146B7E1@rtpty.com><424c10260809100705k5b2714c4y4a286c9bc59f4383@mail.gmail.com><000301c91355$d0d6dd60$2501a8c0@dbdomain.database.it><7EF0EE5CB3B263488C8C18823239BEBA04A6739F@HC-MBX02.herefordshire.gov.uk> <000001c9135b$76c0ac60$2501a8c0@dbdomain.database.it>
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA04A673B5@HC-MBX02.herefordshire.gov.uk>

You should not use a fixed SOURCE port for DNS queries. The destination port is, of course, 53.

A non-"random" source port for DNS queries makes the Dan Kaminsky exploit trivial.

http://www.unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html

Cheers,

Phil

--
Phil Randal
Networks Engineer
Herefordshire Council
Hereford, UK

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Marcello Anderlini
Sent: 10 September 2008 16:40
To: 'MailScanner discussion'
Subject: R: Spamassassin Timeout issue.

I beg your pardon but I do not understand your email. Could you please be more clear and "easy step" :-)

Why "query-source address * port 53;" should be wrong ???

Thanks again.

Dr. Marcello Anderlini
m.anderlini@database.it
---------------------------------------------
Database Informatica S.r.l.
Microsoft Certified Partner
Tel. +39059775070
Fax. +39059779545
http://www.database.it
---------------------------------------------

-----Messaggio originale-----
Da: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] Per conto di Randal, Phil
Inviato: mercoledì 10 settembre 2008 17.29
A: MailScanner discussion
Oggetto: RE: Spamassassin Timeout issue.

"query-source address * port 53;"

Eek!

Repeat after me 10 times: "Dan Kaminsky".

Time to do a sanity check on all your DNS setups to ensure you have current BINDs with randomised source ports for queries.

Cheers,

Phil

--
Phil Randal
Networks Engineer
Herefordshire Council
Hereford, UK
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Marcello Anderlini Sent: 10 September 2008 15:59 To: 'MailScanner discussion' Subject: R: Spamassassin Timeout issue. I beg your pardon but I have the same problem and I looking for a solution since many month. On my system is installed a dns server resolving also our domain. Very often during the day, unexpectedly without change nothing spamassassin starts to run very slowly. I have followed all the tips founded but without success. Could be a dns problem ? This is my extract from my dns configuration. Is it enough to set it also as a cache dns ? Thanks and sorry for my worst english. ====================== options { # file di boot per named directory "/var/named"; forwarders { 83.216.172.1;83.216.172.2;213.234.128.211; }; query-source address * port 53; }; logging { channel local_log { /* * Use a file channnel. The file is * /var/log/named.log. [Why the ".log" * suffix?] Keep 2 versions of the file * and don't let it get bigger than 1 Mb. */ # file "/var/log/named.log" file "/var/log/named/named.log" versions 2 size 1M; print-time yes; }; category default { /* * Send every log category to the * local_log channel defined above. */ local_log; }; }; ====================== Dr. Marcello Anderlini m.anderlini@database.it --------------------------------------------- Database Informatica S.r.l. Microsoft Certified Partner Tel. +39059775070 Fax. +39059779545 http://www.database.it --------------------------------------------- ________________________________ Da: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] Per conto di Alex Neuman van der Hans Inviato: mercoled? 10 settembre 2008 16.22 A: MailScanner discussion Cc: MailScanner discussion Oggetto: Re: Spamassassin Timeout issue. When spamassassin times out, it usually is because of a DNS issue. 
Restarting works in your case probably because people trying to connect to your server "back off" when you restart it because to them it looks like your server died. They take pity and don't bother it for a while. When they see it back online, the load and backlog rises.

Sent from my iPhone

On Sep 10, 2008, at 9:05 AM, "Swati Meghanand" wrote:

hi,

I am not running any name server on the same machine, actually I am having a fail-over cluster of 3 machines having the same configuration/setting. I am facing this problem in 2 machines; the other, that's the 3rd, is running smoothly...

When I restart the machine it works well for at least 12-15 Hrs. (But restarting Mailscanner didn't help me)

Did you mean this could be a DNS related issue....

Regards,

Swati Meghanand

2008/9/10 Alex Neuman van der Hans <alex@rtpty.com>

It's actually quite clearly indicating the opposite. You are not reading the logs right. If spamassassin is timing out, you need to take care of that. What caching nameserver are you running on that box?
Sent from my iPhone

On Sep 10, 2008, at 3:54 AM, "Swati Meghanand" <swati.meghanand@gmail.com> wrote:

Hi,

I'm using mailscanner on a busy mail gateways from several months, which was working fine so far. From last few days I noticed increased no of spam mails as well log Filtering queues (of course slow processing of mailscanner). In log file of mailscanner I found following lines,

Sep 10 04:47:29 localhost MailScanner[11027]: Virus and Content Scanning: Starting
Sep 10 04:47:37 localhost MailScanner[8400]: SpamAssassin timed out and was killed, failure 8 of 20
Sep 10 04:47:37 localhost MailScanner[8680]: SpamAssassin timed out and was killed, failure 14 of 20
Sep 10 04:47:38 localhost MailScanner[8680]: Message 1KdL6x-0005q5-L3 from xx.xx.xx.xx (xxx@xxx.x) to xxx.xx is not spam, SpamAssassin (not cached, timed out)
Sep 10 04:47:38 localhost MailScanner[8400]: Message 1KdLDG-0006se-Ox from xx.xx.xx.xx (xxx@xx.xxx) to xxx.xx is not spam, SpamAssassin (not cached, timed out)

it clearly indicates mailscanner is not (able to) scanning messages.

Any idea about this issue.

Thanks in advance :-)

Regards

Swati Meghanand

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

--
Message checked by the antivirus service of Database Informatica.
From alex at rtpty.com Wed Sep 10 16:59:06 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Wed Sep 10 16:59:56 2008
Subject: Spamassassin Timeout issue.
In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA04A6739F@HC-MBX02.herefordshire.gov.uk>
References: <424c10260809100154v4d47738bg16e47138cde6b049@mail.gmail.com><8558A6EA-BFAA-4418-9C22-6A840146B7E1@rtpty.com><424c10260809100705k5b2714c4y4a286c9bc59f4383@mail.gmail.com> <000301c91355$d0d6dd60$2501a8c0@dbdomain.database.it> <7EF0EE5CB3B263488C8C18823239BEBA04A6739F@HC-MBX02.herefordshire.gov.uk>
Message-ID: <0C446201-FEE4-4C73-A15F-275B5FE1C4EC@rtpty.com>

In less technical terms, upgrade bind asap.

Sent from my iPhone

On Sep 10, 2008, at 10:29 AM, "Randal, Phil" wrote:

> "query-source address * port 53;"
>
> Eek! Repeat after me 10 times: "Dan Kaminsky".
>
> Time to do a sanity check on all your DNS setups to ensure you have
> current BINDs with randomised source ports for queries.
>
> Cheers,
>
> Phil
>
> --
> Phil Randal
> Networks Engineer
> Herefordshire Council
> Hereford, UK

From csweeney at osubucks.org Wed Sep 10 17:02:12 2008
From: csweeney at osubucks.org (Chris Sweeney)
Date: Wed Sep 10 17:02:35 2008
Subject: R: Spamassassin Timeout issue.
In-Reply-To: <000001c9135b$76c0ac60$2501a8c0@dbdomain.database.it>
References: <424c10260809100154v4d47738bg16e47138cde6b049@mail.gmail.com><8558A6EA-BFAA-4418-9C22-6A840146B7E1@rtpty.com><424c10260809100705k5b2714c4y4a286c9bc59f4383@mail.gmail.com><000301c91355$d0d6dd60$2501a8c0@dbdomain.database.it> <7EF0EE5CB3B263488C8C18823239BEBA04A6739F@HC-MBX02.herefordshire.gov.uk> <000001c9135b$76c0ac60$2501a8c0@dbdomain.database.it>
Message-ID: <47539.65.161.188.11.1221062532.squirrel@webmail.osubucks.org>

Why use forwarders at all? It just adds delay; use your DNS to resolve
direct. Remove the source port:

options {
        # boot file for named
        directory "/var/named";
};

logging {
        channel local_log {
                /*
                 * Use a file channel. The file is
                 * /var/log/named.log. [Why the ".log"
                 * suffix?] Keep 2 versions of the file
                 * and don't let it get bigger than 1 Mb.
                 */
                # file "/var/log/named.log"
                file "/var/log/named/named.log"
                        versions 2 size 1M;
                print-time yes;
        };
        category default {
                /*
                 * Send every log category to the
                 * local_log channel defined above.
                 */
                local_log;
        };
};
======================

> I beg your pardon but I do not understand your email.
>
> Could you please be more clear and "easy step" :-)
>
> Why "query-source address * port 53;" should be wrong ???
>
> Thanks again.
>
> Dr. Marcello Anderlini
> m.anderlini@database.it
> ---------------------------------------------
> Database Informatica S.r.l.
> Microsoft Certified Partner
> Tel. +39059775070
> Fax. +39059779545
> http://www.database.it
> ---------------------------------------------

--
Chris Sweeney

Home Phone for $10 a month call 937-415-0943

From alex at rtpty.com Wed Sep 10 17:18:06 2008
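The setting discussed in the messages above can be checked mechanically. The following Python sketch is an added example, not code posted by anyone on the list or shipped with BIND or MailScanner: it strips named.conf comments and reports any query-source or query-source-v6 statement that pins the outgoing query port, which leaves the 16-bit query ID as the only value a spoofed reply has to match. The function names and the HARDENED_CONF sample (with the documentation address 192.0.2.10) are assumptions; THREAD_CONF is the options block quoted in the thread.

```python
"""Audit a BIND named.conf for a pinned outgoing query port (added example)."""
import re
from typing import List, NamedTuple

# Options block as posted in the thread (logging block omitted, comment translated).
THREAD_CONF = """\
options {
        # boot file for named
        directory "/var/named";
        forwarders { 83.216.172.1;83.216.172.2;213.234.128.211; };
        query-source address * port 53;
};
"""

# Constructed sample: old line commented out, address pinned but port left alone.
HARDENED_CONF = """\
options {
        directory "/var/named";
        /* query-source address * port 53; */
        query-source address 192.0.2.10;   // no port clause
        query-source-v6 address * port *;
};
"""


class Finding(NamedTuple):
    line: int      # 1-based line number in the file
    option: str    # "query-source" or "query-source-v6"
    port: str      # the fixed port that was configured


def strip_comments(text: str) -> str:
    """Remove #, // and /* */ comments, keeping quoted strings and line count."""
    out, i, n = [], 0, len(text)
    while i < n:
        if text[i] == '"':                      # copy quoted strings untouched
            end = text.find('"', i + 1)
            end = n if end == -1 else end + 1
            out.append(text[i:end])
        elif text.startswith("/*", i):          # block comment: keep its newlines
            end = text.find("*/", i + 2)
            end = n if end == -1 else end + 2
            out.append("\n" * text.count("\n", i, end) or " ")
        elif text.startswith("//", i) or text[i] == "#":   # comment to end of line
            end = text.find("\n", i)
            end = n if end == -1 else end
        else:
            out.append(text[i])
            end = i + 1
        i = end
    return "".join(out)


STATEMENT = re.compile(r"(?<![\w-])(query-source(?:-v6)?)(?![\w-])([^;{}]*);")
PORT = re.compile(r"\bport\s+(\S+)")


def audit_query_source(conf_text: str) -> List[Finding]:
    """Return every query-source statement that names a fixed port.

    "port *" and a missing port clause are not reported: both leave the
    choice of source port to named.
    """
    clean = strip_comments(conf_text)
    findings = []
    for stmt in STATEMENT.finditer(clean):
        port = PORT.search(stmt.group(2))
        if port and port.group(1) != "*":
            line = clean.count("\n", 0, stmt.start()) + 1
            findings.append(Finding(line, stmt.group(1), port.group(1)))
    return findings


if __name__ == "__main__":
    for name, conf in (("thread", THREAD_CONF), ("hardened", HARDENED_CONF)):
        hits = audit_query_source(conf)
        for hit in hits:
            print(f"{name}: line {hit.line}: {hit.option} pins port {hit.port}")
        if not hits:
            print(f"{name}: no fixed query port configured")
```

The check covers configuration only: on a BIND release that does not randomise source ports, removing the port clause is not enough, and the advice in the thread to upgrade still applies.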
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Wed Sep 10 17:18:23 2008
Subject: R: Spamassassin Timeout issue.
In-Reply-To: <47539.65.161.188.11.1221062532.squirrel@webmail.osubucks.org>
References: <424c10260809100154v4d47738bg16e47138cde6b049@mail.gmail.com><8558A6EA-BFAA-4418-9C22-6A840146B7E1@rtpty.com><424c10260809100705k5b2714c4y4a286c9bc59f4383@mail.gmail.com><000301c91355$d0d6dd60$2501a8c0@dbdomain.database.it> <7EF0EE5CB3B263488C8C18823239BEBA04A6739F@HC-MBX02.herefordshire.gov.uk> <000001c9135b$76c0ac60$2501a8c0@dbdomain.database.it> <47539.65.161.188.11.1221062532.squirrel@webmail.osubucks.org>
Message-ID: <97ABA591-579D-4F8F-A749-287C4499EE9A@rtpty.com>

Would resolving direct be faster than resolving through opendns?

Sent from my iPhone

On Sep 10, 2008, at 11:02 AM, "Chris Sweeney" wrote:

> Why use forwarders at all? It just adds delay; use your DNS to resolve
> direct. Remove the source port:
>
> options {
>         # boot file for named
>         directory "/var/named";
> };
>
> logging {
>         channel local_log {
>                 /*
>                  * Use a file channel. The file is
>                  * /var/log/named.log. [Why the ".log"
>                  * suffix?] Keep 2 versions of the file
>                  * and don't let it get bigger than 1 Mb.
>                  */
>                 # file "/var/log/named.log"
>                 file "/var/log/named/named.log"
>                         versions 2 size 1M;
>                 print-time yes;
>         };
>         category default {
>                 /*
>                  * Send every log category to the
>                  * local_log channel defined above.
>                  */
>                 local_log;
>         };
> };
> ======================

From Kevin_Miller at ci.juneau.ak.us Wed Sep 10 18:28:09 2008
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Wed Sep 10 18:28:31 2008
Subject: R: Spamassassin Timeout issue.
In-Reply-To: <97ABA591-579D-4F8F-A749-287C4499EE9A@rtpty.com>
References: <424c10260809100154v4d47738bg16e47138cde6b049@mail.gmail.com><8558A6EA-BFAA-4418-9C22-6A840146B7E1@rtpty.com><424c10260809100705k5b2714c4y4a286c9bc59f4383@mail.gmail.com><000301c91355$d0d6dd60$2501a8c0@dbdomain.database.it><7EF0EE5CB3B263488C8C18823239BEBA04A6739F@HC-MBX02.herefordshire.gov.uk><000001c9135b$76c0ac60$2501a8c0@dbdomain.database.it><47539.65.161.188.11.1221062532.squirrel@webmail.osubucks.org> <97ABA591-579D-4F8F-A749-287C4499EE9A@rtpty.com>
Message-ID:

Alex Neuman van der Hans wrote:
> Would resolving direct be faster than resolving through opendns?

Depends. If opendns already has that entry cached, then it's one stop
shopping. If it's a new query, then it would be marginally faster for
you to hit the root servers yourself and recurse through the DNS tree.
Remember too, that once your server gets a reply for somedomain.com,
that it will be cached locally so there won't be any further remote
lookups for it. At least until it expires.

Personally, I don't think it is a significant difference either way.
If, however, you're running an older version of bind or other DNS server
that doesn't do random ports, and you don't have the luxury of upgrading
in the immediate future, using opendns as a forwarder will add a layer
of protection...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From csweeney at osubucks.org Wed Sep 10 18:41:39 2008
From: csweeney at osubucks.org (Chris Sweeney)
Date: Wed Sep 10 18:41:58 2008
Subject: R: Spamassassin Timeout issue.
In-Reply-To:
References: <424c10260809100154v4d47738bg16e47138cde6b049@mail.gmail.com><8558A6EA-BFAA-4418-9C22-6A840146B7E1@rtpty.com><424c10260809100705k5b2714c4y4a286c9bc59f4383@mail.gmail.com><000301c91355$d0d6dd60$2501a8c0@dbdomain.database.it><7EF0EE5CB3B263488C8C18823239BEBA04A6739F@HC-MBX02.herefordshire.gov.uk><000001c9135b$76c0ac60$2501a8c0@dbdomain.database.it><47539.65.161.188.11.1221062532.squirrel@webmail.osubucks.org> <97ABA591-579D-4F8F-A749-287C4499EE9A@rtpty.com>
Message-ID: <13425.65.161.188.11.1221068499.squirrel@webmail.osubucks.org>

> Personally, I don't think it is a significant difference either way.
> If, however, you're running an older version of bind or other DNS server
> that doesn't do random ports, and you don't have the luxury of upgrading
> in the immediate future, using opendns as a forwarder will add a layer
> of protection...
>

It's going to depend on your network path to OpenDNS also. I personally
have never found it faster to go off network (OpenDNS) than do lookups
myself. Especially on a mail server since a lot of your SPAM comes in
batches the lookups to the same domain are going to be much significantly
faster in that respect. I've tried OpenDNS quite a few times and although
it's good and it is fast it has never beat going local in my test enough to
increase my traffic going out/in from the internet.

From alex at rtpty.com Wed Sep 10 18:51:08 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Wed Sep 10 18:51:37 2008
Subject: R: Spamassassin Timeout issue.
In-Reply-To:
References: <424c10260809100154v4d47738bg16e47138cde6b049@mail.gmail.com><8558A6EA-BFAA-4418-9C22-6A840146B7E1@rtpty.com><424c10260809100705k5b2714c4y4a286c9bc59f4383@mail.gmail.com><000301c91355$d0d6dd60$2501a8c0@dbdomain.database.it><7EF0EE5CB3B263488C8C18823239BEBA04A6739F@HC-MBX02.herefordshire.gov.uk><000001c9135b$76c0ac60$2501a8c0@dbdomain.database.it><47539.65.161.188.11.1221062532.squirrel@webmail.osubucks.org> <97ABA591-579D-4F8F-A749-287C4499EE9A@rtpty.com>
Message-ID: <3A286146-D0C7-41C4-9DC9-333064DF6473@rtpty.com>

Sent from my iPhone

On Sep 10, 2008, at 12:28 PM, "Kevin Miller" wrote:

> Alex Neuman van der Hans wrote:
>> Would resolving direct be faster than resolving through opendns?
>
> Depends. If opendns already has that entry cached, then it's one stop shopping. If it's a new query, then it would be marginally faster for you to hit the root servers yourself and recurse through the DNS tree. Remember too, that once your server gets a reply for somedomain.com, that it will be cached locally so there won't be any further remote lookups for it. At least until it expires.
>
> Personally, I don't think it is a significant difference either way. If, however, you're running an older version of bind or other DNS server that doesn't do random ports, and you don't have the luxury of upgrading in the immediate future, using opendns as a forwarder will add a layer of protection...

Hadn't thought of that one. Excellent point.

> ...Kevin

From martinh at solidstatelogic.com Wed Sep 10 18:56:34 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Wed Sep 10 18:52:29 2008
Subject: R: Spamassassin Timeout issue.
Message-ID:

A quick look at the underlying dns protocol will show u why a local caching dns server will speed up queries over even a server <1ms away, and in practice the results can be dramatic for a system like SA/MS that is quite dns hungry.

--
martin

-----Original Message-----
From: Chris Sweeney
Sent: Wednesday, September 10, 2008 6:45 PM
To: MailScanner discussion
Subject: RE: R: Spamassassin Timeout issue.

> Personally, I don't think it is a significant difference either way.
> If, however, you're running an older version of bind or other DNS server
> that doesn't do random ports, and you don't have the luxury of upgrading
> in the immediate future, using opendns as a forwarder will add a layer
> of protection...
>

It's going to depend on your network path to OpenDNS also. I personally have never found it faster to go off network (OpenDNS) than do lookups myself. Especially on a mail server, since a lot of your SPAM comes in batches, the lookups to the same domain are going to be much significantly faster in that respect.

I've tried OpenDNS quite a few times and although it's good and it is fast it has never beat going local in my test enough to increase my traffic going out/in from the internet.

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

**********************************************************************
Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer.
Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer.
Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us.
Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free.

Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales (Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom
**********************************************************************

From alex at rtpty.com Wed Sep 10 19:08:20 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Wed Sep 10 19:09:32 2008
Subject: R: Spamassassin Timeout issue.
In-Reply-To:
References:
Message-ID:

Especially since spam *usually* comes in batches from a few discrete sources at a time. Splitting recipients at the mta level helps even further through SA caching.

Sent from my iPhone

On Sep 10, 2008, at 12:56 PM, "Martin.Hepworth" wrote:

> A quick look at the underlying dns protocol will show u why a local caching dns server will speed up queries over even a server <1ms away, and in practice the results can be dramatic for a system like SA/MS that is quite dns hungry.
>
> --
> martin

From Kevin_Miller at ci.juneau.ak.us Wed Sep 10 19:35:10 2008
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Wed Sep 10 19:35:23 2008
Subject: R: Spamassassin Timeout issue.
In-Reply-To: <13425.65.161.188.11.1221068499.squirrel@webmail.osubucks.org>
References: <424c10260809100154v4d47738bg16e47138cde6b049@mail.gmail.com><8558A6EA-BFAA-4418-9C22-6A840146B7E1@rtpty.com><424c10260809100705k5b2714c4y4a286c9bc59f4383@mail.gmail.com><000301c91355$d0d6dd60$2501a8c0@dbdomain.database.it><7EF0EE5CB3B263488C8C18823239BEBA04A6739F@HC-MBX02.herefordshire.gov.uk><000001c9135b$76c0ac60$2501a8c0@dbdomain.database.it><47539.65.161.188.11.1221062532.squirrel@webmail.osubucks.org><97ABA591-579D-4F8F-A749-287C4499EE9A@rtpty.com> <13425.65.161.188.11.1221068499.squirrel@webmail.osubucks.org>
Message-ID:

Chris Sweeney wrote:
> I've tried OpenDNS quite a few times and although its good and it is
> fast it has never beat going local in my test enough to increase my
> traffic going out/in from the internet.

Absolutely - whether one resolves via the root servers, or opendns, a local caching server is a must. The question is just to what does it point. A caching server still has to get its data from somewhere.

I can't think of any good reason not to be running a caching server though*, since named is included on pretty much any distro and djb may be as well...

...Kevin

*well, unless you're using a PII w/64 mb of ram :-)

From clacroix at cegep-ste-foy.qc.ca Wed Sep 10 19:39:55 2008
From: clacroix at cegep-ste-foy.qc.ca (Charles Lacroix)
Date: Wed Sep 10 19:40:19 2008
Subject: R: Spamassassin Timeout issue.
In-Reply-To:
References:
Message-ID: <48C8147B.1050007@cegep-ste-foy.qc.ca>

I'm about to add this rule into my custom rules set :)

body IPHONE_BRAGGER /Sent from my iPhone/i
score IPHONE_BRAGGER 150.0

Alex Neuman van der Hans wrote:
> Especially since spam *usually* comes in batches from a few discrete sources at a time. Splitting recipients at the mta level helps even further through SA caching.
>
> Sent from my iPhone
>
> On Sep 10, 2008, at 12:56 PM, "Martin.Hepworth" wrote:
>
>> A quick look at the underlying dns protocol will show u why a local caching dns server will speed up queries over even a server <1ms away, and in practice the results can be dramatic for a system like SA/MS that is quite dns hungry.
>>
>> --
>> martin

From alex at rtpty.com Wed Sep 10 20:10:09 2008
From: alex at rtpty.com (Alex Neuman)
Date: Wed Sep 10 20:10:20 2008
Subject: R: Spamassassin Timeout issue.
In-Reply-To: <48C8147B.1050007@cegep-ste-foy.qc.ca>
References: <48C8147B.1050007@cegep-ste-foy.qc.ca>
Message-ID: <24e3d2e40809101210y196c4280m3870133b4383df43@mail.gmail.com>

:-)

On Wed, Sep 10, 2008 at 1:39 PM, Charles Lacroix <clacroix@cegep-ste-foy.qc.ca> wrote:

> I'm about to add this rule into my custom rules set :)
>
> body IPHONE_BRAGGER /Sent from my iPhone/i
> score IPHONE_BRAGGER 150.0

From hvdkooij at vanderkooij.org Wed Sep 10 21:15:27 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Wed Sep 10 21:15:39 2008
Subject: R: Spamassassin Timeout issue.
In-Reply-To: <48C8147B.1050007@cegep-ste-foy.qc.ca>
References: <48C8147B.1050007@cegep-ste-foy.qc.ca>
Message-ID: <48C82ADF.80207@vanderkooij.org>

Charles Lacroix wrote:
>
> I'm about to add this rule into my custom rules set :)
>
> body IPHONE_BRAGGER /Sent from my iPhone/i
> score IPHONE_BRAGGER 150.0

You wouldn't happen to have some rules to add bad karma points to long disclaimers? (Like the one you just forwarded in full. ;-)

The best disclaimers are the oneliners pointing to a webpage. If you care you can read it and if you don't care you can't be annoyed by 20 lines of pointless disclaimer.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

From hvdkooij at vanderkooij.org Wed Sep 10 21:29:06 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Wed Sep 10 21:29:14 2008
Subject: OT: awstats on yum repository
In-Reply-To:
References: <48C6E93D.6030906@vanderkooij.org>
Message-ID: <48C82E12.7070806@vanderkooij.org>

Scott Silva wrote:
> on 9-9-2008 2:23 PM Hugo van der Kooij spake the following:
>> Hi,
>>
>> I added some statistics specifically to track MailScanner downloads. For
>> that I added the following lines to my awstats config:
>>
> Just for fun I took a look and I get a 403 error.

Well the score so far:

MailScanner downloads by architecture
Architecture  Pages  Bandwidth  Last visit
i386          14     10.60 MB   10 Sep 2008 - 14:48
x86_64        6      4.54 MB    10 Sep 2008 - 00:45
Total         20     15.14 MB

MailScanner wrapper downloads by architecture
Architecture  Pages  Bandwidth  Last visit
i386          13     41.46 KB   10 Sep 2008 - 19:11
x86_64        2      6.31 KB    04 Sep 2008 - 02:13
spec          1      1.70 KB    10 Sep 2008 - 11:51
srpms         1      3.04 KB    07 Sep 2008 - 08:49
Total         17     52.51 KB

MailScanner downloads by version
Version  Pages  Bandwidth  Last visit
4.71.10  17     12.94 MB   10 Sep 2008 - 14:48
4.70.7   3      2.19 MB    01 Sep 2008 - 20:36
Total    20     15.14 MB

From alex at rtpty.com Wed Sep 10 21:34:31 2008
From: alex at rtpty.com (Alex Neuman)
Date: Wed Sep 10 21:34:41 2008
Subject: R: Spamassassin Timeout issue.
In-Reply-To: <48C82ADF.80207@vanderkooij.org>
References: <48C8147B.1050007@cegep-ste-foy.qc.ca> <48C82ADF.80207@vanderkooij.org>
Message-ID: <24e3d2e40809101334r37ad33f4vde30087eea59cfb7@mail.gmail.com>

For me the best disclaimers are none at all ... :D

On Wed, Sep 10, 2008 at 3:15 PM, Hugo van der Kooij <hvdkooij@vanderkooij.org> wrote:

> The best disclaimers are the oneliners pointing to a webpage. If you
> care you can read it and if you don't care you can't be annoyed by 20
> lines of pointless disclaimer.

From glenn.steen at gmail.com Wed Sep 10 22:16:19 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Sep 10 22:16:28 2008
Subject: Looking for a test mail generator (unthreaded)
In-Reply-To: <20080909145632.GE23322@cgi.jachomes.com>
References: <20080908155906.GA17894@cgi.jachomes.com> <48C57CBB.3000508@vanderkooij.org> <20080909141110.GB23322@cgi.jachomes.com> <20080909145632.GE23322@cgi.jachomes.com>
Message-ID: <223f97700809101416v3fab61a8oe656627acd841bfe@mail.gmail.com>

2008/9/9 Jay R. Ashworth :
> On Tue, Sep 09, 2008 at 10:39:56AM -0400, Stephen Swaney wrote:
>> Simply set up another mail hub with test accounts. A simple sendmail server delivering to local users would work just fine.
>>
>> Then use Roundhouse to duplicate the feed. The feed goes first to your real mail hub for delivery as normal.
>>
>> Send the duplicate feed to the test server which should be configured to 1) send test messages to the test mail hub and 2) dev-null the rest.
>>
>> Seems this would be simple to set up and meet your requirements.
>
> But it doesn't, and please allow me to recap why, Juan Moore-Thyme :-)
>
> My problem is that I want a repeatable, predictable test, where *I do not have to spend hours figuring out what the EXPECTED results are*. If I use the real mail feed, that's what I'll have to do -- or at least, I'll have to analyse whether the two mail servers are reacting the same *way* to that mail feed, and if not, whether the new reaction is better or worse.
>
> If I can generate 50 messages that are, roughly, all the same every time (modulo a "batch number" in the message-ID maybe) *and that I know what the expected results are*, then all I have to do is look in the expected target places, and check messages off a check list.
>
> "All the messages from 00-09 should be in my mailbox.
> All the messages from 10-19 should be in the postmaster mailbox.
> All the messages from 20-29 should be in the spam logs.
> All the messages from 30-39 should be in the AV logs.
> All the messages from 40-49 should be in the mailer logs as having tried to generate *valid* no-backscatter bounces."
>
> And that way I don't have to analyse because I did that before I generated the 50 message bodies.
>
> IMO, this approach is critical to finding out what you actually need to know, without tearing your hair out. I'm just not a good enough coder to do it from scratch.
>
> I see I may have to add "yet" to that. :-)
>
> How are the python email libraries these days?
>
> Cheers,
> -- jra

Handcraft the messages (or some simple scripting) and use a very basic shell-script around telnet.... Should be simple enough, and save you time, in the end. You will need to handcraft them to be able to have the "finetuned" control you like anyway....;-)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From alex at rtpty.com Wed Sep 10 22:24:23 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Wed Sep 10 22:24:39 2008
Subject: Looking for a test mail generator (unthreaded)
In-Reply-To: <223f97700809101416v3fab61a8oe656627acd841bfe@mail.gmail.com>
References: <20080908155906.GA17894@cgi.jachomes.com> <48C57CBB.3000508@vanderkooij.org> <20080909141110.GB23322@cgi.jachomes.com> <20080909145632.GE23322@cgi.jachomes.com> <223f97700809101416v3fab61a8oe656627acd841bfe@mail.gmail.com>
Message-ID:

Telnet and/or netcat..

Sent from my (somewhat chastised) iPhone

On Sep 10, 2008, at 4:16 PM, "Glenn Steen" wrote:

> Handcraft the messages (or some simple scripting) and use a very basic shell-script around telnet.... Should be simple enough, and save you time, in the end. You will need to handcraft them to be able to have the "finetuned" control you like anyway....;-)
>
> Cheers
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se

From ssilva at sgvwater.com Wed Sep 10 22:33:41 2008
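The 50-message checklist quoted in the thread above (00-09 mailbox, 10-19 postmaster, 20-29 spam logs, 30-39 AV logs, 40-49 bounces), sketched with Python's standard `email` package as an added example; it is not code from any poster or from MailScanner. The `test.example` domain, the addresses, the `X-Test-Expect` header, and the choice of GTUBE, EICAR and recipient address to steer each range are assumptions.

```python
"""Deterministic 50-message corpus for checking a mail filter (added example)."""
from email import policy
from email.message import EmailMessage

# Assumed names: domain, addresses and the X-Test-Expect header are placeholders.
DOMAIN = "test.example"
SENDER = f"generator@{DOMAIN}"
FIXED_DATE = "Wed, 10 Sep 2008 12:00:00 +0000"  # constant, so reruns are byte-identical

# Standard harmless trigger strings: GTUBE for spam filters, EICAR for AV engines.
GTUBE = "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X"
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-" + "STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# (first, last, expected place, recipient, payload), following the quoted checklist.
PLAN = [
    (0, 9, "mailbox", f"tester@{DOMAIN}", "plain"),
    (10, 19, "postmaster", f"postmaster@{DOMAIN}", "plain"),
    (20, 29, "spam-log", f"tester@{DOMAIN}", "gtube"),
    (30, 39, "av-log", f"tester@{DOMAIN}", "eicar"),
    (40, 49, "bounce", f"no-such-user@{DOMAIN}", "plain"),
]


def expected_for(seq):
    """Return (place, recipient, payload) for a sequence number 0..49."""
    for first, last, place, rcpt, payload in PLAN:
        if first <= seq <= last:
            return place, rcpt, payload
    raise ValueError(f"sequence number {seq} is outside 00-49")


def message_id(batch, seq):
    """Message-ID carrying the batch number, so runs can be told apart in logs."""
    return f"<batch{batch}.msg{seq:02d}@generator.{DOMAIN}>"


def build_message(batch, seq):
    place, rcpt, payload = expected_for(seq)
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = rcpt
    msg["Date"] = FIXED_DATE
    msg["Subject"] = f"filter test batch {batch} message {seq:02d}"
    msg["Message-ID"] = message_id(batch, seq)
    msg["X-Test-Expect"] = place
    body = f"Test message {seq:02d} of batch {batch}; expected result: {place}.\n"
    if payload == "gtube":
        body += GTUBE + "\n"
    msg.set_content(body)
    if payload == "eicar":
        msg.add_attachment(EICAR.encode("ascii"), maintype="application",
                           subtype="octet-stream", filename="eicar.com")
        # A fixed MIME boundary keeps the multipart message reproducible.
        msg.set_boundary(f"corpus-{batch}-{seq:02d}")
    return msg


def build_batch(batch):
    return [build_message(batch, seq) for seq in range(50)]


def wire_bytes(msg):
    """Serialise with CRLF line endings, as needed for an SMTP DATA phase."""
    return msg.as_bytes(policy=policy.SMTP)


def check_results(batch, observed):
    """Compare where messages were found against the plan.

    observed maps a place name to the Message-IDs seen there (collected from
    mailboxes and logs by whatever means the site uses). Returns a list of
    (message_id, expected_place, found_place), one entry per mismatch.
    """
    found_at = {mid: place for place, ids in observed.items() for mid in ids}
    problems = []
    for seq in range(50):
        mid = message_id(batch, seq)
        expected = expected_for(seq)[0]
        found = found_at.get(mid, "missing")
        if found != expected:
            problems.append((mid, expected, found))
    return problems


if __name__ == "__main__":
    print(wire_bytes(build_batch(1)[20]).decode("ascii"))
```

The bytes from `wire_bytes` can be handed to `smtplib` or to the telnet/netcat wrapper suggested in the replies; `check_results` then turns the checklist into a list of mismatches.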
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Sep 10 22:34:07 2008
Subject: OT: awstats on yum repository
In-Reply-To: <48C82E12.7070806@vanderkooij.org>
References: <48C6E93D.6030906@vanderkooij.org> <48C82E12.7070806@vanderkooij.org>
Message-ID:

on 9-10-2008 1:29 PM Hugo van der Kooij spake the following:
> Scott Silva wrote:
>> on 9-9-2008 2:23 PM Hugo van der Kooij spake the following:
>>> Hi,
>>>
>>> I added some statistics specifically to track MailScanner downloads. For
>>> that I added the following lines to my awstats config:
>>>
>> Just for fun I took a look and I get a 403 error.
>
> Well the score so far:
>
> MailScanner downloads by architecture
> Architecture  Pages  Bandwidth  Last visit
> i386          14     10.60 MB   10 Sep 2008 - 14:48
> x86_64        6      4.54 MB    10 Sep 2008 - 00:45

2 of these are me! ;-P

> Total         20     15.14 MB
>
> MailScanner wrapper downloads by architecture
> Architecture  Pages  Bandwidth  Last visit
> i386          13     41.46 KB   10 Sep 2008 - 19:11
> x86_64        2      6.31 KB    04 Sep 2008 - 02:13
> spec          1      1.70 KB    10 Sep 2008 - 11:51
> srpms         1      3.04 KB    07 Sep 2008 - 08:49
> Total         17     52.51 KB

I don't have the mailscanner-wrapper on my system, but it still updated the old rpm. Everything works so I don't see any problem

> MailScanner downloads by version
> Version  Pages  Bandwidth  Last visit
> 4.71.10  17     12.94 MB   10 Sep 2008 - 14:48
> 4.70.7   3      2.19 MB    01 Sep 2008 - 20:36
> Total    20     15.14 MB

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From andrew at gdcon.net Wed Sep 10 22:48:44 2008
From: andrew at gdcon.net (Andrew MacLachlan)
Date: Wed Sep 10 22:48:56 2008
Subject: R: Spamassassin Timeout issue.
In-Reply-To: <24e3d2e40809101334r37ad33f4vde30087eea59cfb7@mail.gmail.com>
References: <48C8147B.1050007@cegep-ste-foy.qc.ca> <48C82ADF.80207@vanderkooij.org> <24e3d2e40809101334r37ad33f4vde30087eea59cfb7@mail.gmail.com>
Message-ID: <48C840BC.5070105@gdcon.net>

Alex Neuman wrote:
> For me the best disclaimers are none at all ... :D
>

Unfortunately not all legal bods agree...

(Thanks for getting rid of the fanboy tagline)

--
This message was scanned by ESVA and is believed to be clean.

From ssilva at sgvwater.com Wed Sep 10 22:52:42 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Sep 10 22:53:08 2008
Subject: R: Spamassassin Timeout issue.
In-Reply-To: <48C8147B.1050007@cegep-ste-foy.qc.ca>
References: <48C8147B.1050007@cegep-ste-foy.qc.ca>
Message-ID:

on 9-10-2008 11:39 AM Charles Lacroix spake the following:
>
> I'm about to add this rule into my custome rules set :)
>
> body IPHONE_BRAGGER /Sent from my iPhone/i
> score IPHONE_BRAGGER 150.0
>

If it is like my blackberry, it might be hard to turn off. I haven't found where to turn off the Blackberry brag, although everyone and their brother has one I guess it isn't really a brag. Mine is more like a leash and a choke chain! ;-P

From drew.marshall at technologytiger.net Wed Sep 10 23:04:42 2008
From: drew.marshall at technologytiger.net (Drew Marshall) Date: Wed Sep 10 23:04:59 2008 Subject: R: Spamassassin Timeout issue. In-Reply-To: <48C840BC.5070105@gdcon.net> References: <48C8147B.1050007@cegep-ste-foy.qc.ca> <48C82ADF.80207@vanderkooij.org> <24e3d2e40809101334r37ad33f4vde30087eea59cfb7@mail.gmail.com> <48C840BC.5070105@gdcon.net> Message-ID: <91594189-3C35-45F1-89D6-131094427BA6@technologytiger.net>

>> For me the best disclaimers are none at all ... :D
>>
> Unfortunately not all legal bods agree...

Quite. It's a legal requirement in the UK (Not 20 lines admittedly but I think it's fair to say that most companies take the view that in for a penny in for the whole pound (GBP!)).

Anyway back to the subject in question, that iphone.... no sorry, the time outs :-)

The other thing to do is to grab a sample of messages and run them through SpamAssassin manually and see which part of the scan is slow and look at improving that area. So if it goes slowly through the DNS tests make improvements to your DNS, if it's rules look at sa-compile, if it's Pyzor make sure you are querying the right server, is your bayes database corrupt etc etc. The biggest problem (And also the largest advantage) of SA is that it uses so many different tests in so many different ways so no one solution fits all. Sure the answers given so far are not wrong and are the usual suspects but it may not be the case for every problem.

Drew

--
In line with our policy, this message has been scanned for viruses and dangerous content by Technology Tiger's Mail Launder system
Our email policy can be found at www.technologytiger.net/policy

Technology Tiger Limited is registered in Scotland with registration number: 310997
Registered Office 55-57 West High Street Inverurie AB51 3QQ

From ssilva at sgvwater.com Wed Sep 10 23:10:05 2008
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Sep 10 23:10:22 2008 Subject: R: Spamassassin Timeout issue. In-Reply-To: <91594189-3C35-45F1-89D6-131094427BA6@technologytiger.net> References: <48C8147B.1050007@cegep-ste-foy.qc.ca> <48C82ADF.80207@vanderkooij.org> <24e3d2e40809101334r37ad33f4vde30087eea59cfb7@mail.gmail.com> <48C840BC.5070105@gdcon.net> <91594189-3C35-45F1-89D6-131094427BA6@technologytiger.net> Message-ID:

on 9-10-2008 3:04 PM Drew Marshall spake the following:
>>> For me the best disclaimers are none at all ... :D
>>>
>> Unfortunately not all legal bods agree...
>
> Quite. It's a legal requirement in the UK (Not 20 lines admittedly but I
> think it's fair to say that most companies take the view that in for a
> penny in for the whole pound (GBP!)).
>
> Anyway back to the subject in question, that iphone.... no sorry, the
> time outs :-)
>
> The other thing to do is to grab a sample of messages and run them
> through SpamAssassin manually and see which part of the scan is slow and
> look at improving that area. So if it goes slowly through the DNS tests
> make improvements to your DNS, if it's rules look at sa-compile, if it's
> Pyzor make sure you are querying the right server, is your bayes
> database corrupt etc etc. The biggest problem (And also the largest
> advantage) of SA is that it uses so many different tests in so many
> different ways so no one solution fits all. Sure the answers given so
> far are not wrong and are the usual suspects but it may not be the case
> for every problem.
>
I think you can also get some timeouts if you are hitting the spamhaus blacklisting for too many queries. I do believe they are on by default in spamassassin. I know you can get hit if spamhaus is in your MTA, but I assume the same could happen to spamassassin.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From andrew at gdcon.net Wed Sep 10 23:12:13 2008
From: andrew at gdcon.net (Andrew MacLachlan) Date: Wed Sep 10 23:12:23 2008 Subject: OT: (was Re: R: Spamassassin Timeout issue.) In-Reply-To: References: <48C8147B.1050007@cegep-ste-foy.qc.ca> Message-ID: <48C8463D.3040807@gdcon.net>

Scott Silva wrote:
> If it is like my blackberry, it might be hard to turn off.
> I haven't found where to turn off the Blackberry brag, although
> everyone and their brother has one I guess it isn't really a brag.
> Mine is more like a leash and a choke chain! ;-P
>
AKA nagging second wife.

Either way it's pretty annoying whatever device does it - I really couldn't care less what device people use to send their message from as long as it doesn't tell me its pedigree every time I get a message from it. Having said that, I'd be pretty interested if someone sent a message to the list from a Difference Engine...

-Andy

--
This message was scanned by ESVA and is believed to be clean.

From alex at rtpty.com Wed Sep 10 23:17:38 2008
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Wed Sep 10 23:17:53 2008 Subject: R: Spamassassin Timeout issue. In-Reply-To: References: <48C8147B.1050007@cegep-ste-foy.qc.ca> Message-ID:

You can turn it off in your crackberry in the configuration webpage. On the JesusPhone it's under settings, mail, signature.

---

Alex Neuman
Reliant Technologies
+507 6781-9505
Skype: alexneuman

On Sep 10, 2008, at 4:52 PM, Scott Silva wrote:

> on 9-10-2008 11:39 AM Charles Lacroix spake the following:
>> I'm about to add this rule into my custom rules set :)
>> body IPHONE_BRAGGER /Sent from my iPhone/i
>> score IPHONE_BRAGGER 150.0
> If it is like my blackberry, it might be hard to turn off.
> I haven't found where to turn off the Blackberry brag, although
> everyone and their brother has one I guess it isn't really a brag.
> Mine is more like a leash and a choke chain! ;-P
>
> --
> MailScanner is like deodorant...
> You hope everybody uses it, and
> you notice quickly if they don't!!!!
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From andrew at gdcon.net Wed Sep 10 23:26:10 2008
From: andrew at gdcon.net (Andrew MacLachlan) Date: Wed Sep 10 23:26:29 2008 Subject: R: Spamassassin Timeout issue. In-Reply-To: References: <48C8147B.1050007@cegep-ste-foy.qc.ca> <48C82ADF.80207@vanderkooij.org> <24e3d2e40809101334r37ad33f4vde30087eea59cfb7@mail.gmail.com> <48C840BC.5070105@gdcon.net> <91594189-3C35-45F1-89D6-131094427BA6@technologytiger.net> Message-ID: <48C84982.20507@gdcon.net>

Scott Silva wrote:
> I think you can also get some timeouts if you are hitting the spamhaus
> blacklisting for too many queries. I do believe they are on by default
> in spamassassin. I know you can get hit if spamhaus is in your MTA,
> but I assume the same could happen to spamassassin.
>
There's the thing - having read the Spamhaus Usage page (http://www.spamhaus.org/organization/dnsblusage.html) it's immediately obvious that it's not a good idea to enable it by default in SA (even though I like the service):

"Use of the Spamhaus DNSBLs via DNS queries to our public DNSBL servers is free of charge if you meet /all three/ of the following criteria:

1. Your use of the Spamhaus DNSBLs is non-commercial*, /and/
2. Your email traffic is less than 100,000 SMTP connections per day, /and/
3. Your DNSBL query volume is less than 300,000 queries per day.

If you do not fit /all three/ of these criteria then please do not use our public DNSBL servers"

*Definition: "non-commercial use" is use for any purpose other than as part or all of a product or service that is resold, or for use of which a fee is charged. For example, using our DNSBLs in a commercial spam filtering appliance that is then sold to others requires a data feed, regardless of use volume. The same is true of commercial spam filtering software and commercial spam filtering services. A company that uses our DNSBLs solely to filter their own email qualifies as a non-commercial user and may use our free public DNSBLs if that company's email volume and DNSBL query volume is below the free use limits. The same is true for any non-profit organization, school, religious organization, or private individual who operates their own mail server."

-Andy

--
This message was scanned by ESVA and is believed to be clean.

From allan at zandahar.net Wed Sep 10 23:59:30 2008
From: allan at zandahar.net (Allan Spencer) Date: Wed Sep 10 23:59:59 2008 Subject: Training MS/SA & Mailwatch In-Reply-To: References: Message-ID: <48C85152.5060401@zandahar.net>

Well I figured I'd have to get MS doing what it needed to first before I could start with MW but I would hazard a guess and say you've pointed me in exactly the direction I needed and need to store messages. Off host learning is not a major issue we don't have enough mail volume and users to be concerned with it but even so the more load I can take off myself processing messages the better I guess

Cheers
Allan

Martin.Hepworth wrote:
> Allan
>
> This is more of a MW question, so best to ask on that list.
>
> But a pointer is that you need 'store' all messages as an action for spam and non spam, so MW can have access to the message in order to learn them.
>
> As for off-host learning, best option is an Imap folder for spam and ham, then use one of many perl scripts floating about the SA site to pull them into your local bayes db.
>
> Have a look on the MS wiki also for a section on getting the most out of spamassassin.
>

From ssilva at sgvwater.com Thu Sep 11 00:03:10 2008
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Sep 11 00:03:37 2008 Subject: R: Spamassassin Timeout issue. In-Reply-To: <48C84982.20507@gdcon.net> References: <48C8147B.1050007@cegep-ste-foy.qc.ca> <48C82ADF.80207@vanderkooij.org> <24e3d2e40809101334r37ad33f4vde30087eea59cfb7@mail.gmail.com> <48C840BC.5070105@gdcon.net> <91594189-3C35-45F1-89D6-131094427BA6@technologytiger.net> <48C84982.20507@gdcon.net> Message-ID:

on 9-10-2008 3:26 PM Andrew MacLachlan spake the following:
> Scott Silva wrote:
>> I think you can also get some timeouts if you are hitting the spamhaus
>> blacklisting for too many queries. I do believe they are on by default
>> in spamassassin. I know you can get hit if spamhaus is in your MTA,
>> but I assume the same could happen to spamassassin.
>>
> There's the thing - having read the Spamhaus Usage page
> (http://www.spamhaus.org/organization/dnsblusage.html) it's immediately
> obvious that it's not a good idea to enable it by default in SA (even
> though I like the service):
>
Don't completely trust their docs. I have been blacklisted, and couldn't have hit that criteria on my system. But it is their service, and they can regulate it how they see fit. I can't justify paying for it to stop what messages are left after the other blacklists I use are done.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com Thu Sep 11 00:05:32 2008
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Sep 11 00:10:15 2008 Subject: OT: (was Re: R: Spamassassin Timeout issue.) In-Reply-To: <48C8463D.3040807@gdcon.net> References: <48C8147B.1050007@cegep-ste-foy.qc.ca> <48C8463D.3040807@gdcon.net> Message-ID:

on 9-10-2008 3:12 PM Andrew MacLachlan spake the following:
> Scott Silva wrote:
>> If it is like my blackberry, it might be hard to turn off.
>> I haven't found where to turn off the Blackberry brag, although
>> everyone and their brother has one I guess it isn't really a brag.
>> Mine is more like a leash and a choke chain! ;-P
>>
> AKA nagging second wife.
>
>
> Either way it's pretty annoying whatever device does it - I really
> couldn't care less what device people use to send their message from as
> long as it doesn't tell me its pedigree every time I get a message from
> it. Having said that, I'd be pretty interested if someone sent a message
> to the list from a Difference Engine...
>
>
> -Andy
>
>
> --
> This message was scanned by ESVA and is believed to be clean.
>
Usually most of us also use a ruleset to not sign clean messages that go to the list. ;-D

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From andrew at gdcon.net Thu Sep 11 00:24:41 2008
From: andrew at gdcon.net (Andrew MacLachlan) Date: Thu Sep 11 00:24:57 2008 Subject: OT: (was Re: R: Spamassassin Timeout issue.) In-Reply-To: References: <48C8147B.1050007@cegep-ste-foy.qc.ca> <48C8463D.3040807@gdcon.net> Message-ID: <48C85739.3080808@gdcon.net>

Scott Silva wrote:
> Usually most of us also use a ruleset to not sign clean messages that
> go to the list. ;-D
>
Touche. I'll review my dishonorable conduct and immediately amend my rules...

-Andy

--
This message was scanned by ESVA and is believed to be clean.

From ssilva at sgvwater.com Thu Sep 11 00:30:09 2008
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Sep 11 00:30:27 2008 Subject: OT: (was Re: R: Spamassassin Timeout issue.) In-Reply-To: <48C85739.3080808@gdcon.net> References: <48C8147B.1050007@cegep-ste-foy.qc.ca> <48C8463D.3040807@gdcon.net> <48C85739.3080808@gdcon.net> Message-ID:

on 9-10-2008 4:24 PM Andrew MacLachlan spake the following:
> Scott Silva wrote:
>> Usually most of us also use a ruleset to not sign clean messages that
>> go to the list. ;-D
>>
>
> Touche. I'll review my dishonorable conduct and immediately amend my
> rules...
>
> -Andy
>
Said with love and a smile! ;-)

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From andrew at gdcon.net Thu Sep 11 00:36:39 2008
From: andrew at gdcon.net (Andrew MacLachlan) Date: Thu Sep 11 00:36:52 2008 Subject: OT: (was Re: R: Spamassassin Timeout issue.) In-Reply-To: References: <48C8147B.1050007@cegep-ste-foy.qc.ca> <48C8463D.3040807@gdcon.net> <48C85739.3080808@gdcon.net> Message-ID: <48C85A07.20209@gdcon.net>

Scott Silva wrote:
> on 9-10-2008 4:24 PM Andrew MacLachlan spake the following:
>> Scott Silva wrote:
>>> Usually most of us also use a ruleset to not sign clean messages
>>> that go to the list. ;-D
>>>
>>
>> Touche. I'll review my dishonorable conduct and immediately amend my
>> rules...
>>
>> -Andy
>>
> Said with love and a smile! ;-)
>
Just be careful how you smile... I'm not easy you know :-)

From chris at cjbuckley.net Thu Sep 11 01:49:05 2008
From: chris at cjbuckley.net (Christopher J. Buckley) Date: Thu Sep 11 01:49:28 2008 Subject: R: Spamassassin Timeout issue. In-Reply-To: <48C8147B.1050007@cegep-ste-foy.qc.ca> References: <48C8147B.1050007@cegep-ste-foy.qc.ca> Message-ID: <48C86B01.9040404@cjbuckley.net>

Charles Lacroix wrote:
> I'm about to add this rule into my custom rules set :)

Indeed - it's nearly as bad as:

i. top posting.
ii. Not having the decency to SNIP appropriately in your reply.

--
Kind Regards,  :: http://www.cjbuckley.net/
Chris Buckley  :: http://photos.cjbuckley.net/

From ram at netcore.co.in Thu Sep 11 07:00:50 2008
From: ram at netcore.co.in (ram) Date: Thu Sep 11 07:01:14 2008 Subject: Spamassassin Timeout issue. In-Reply-To: <424c10260809100154v4d47738bg16e47138cde6b049@mail.gmail.com> References: <424c10260809100154v4d47738bg16e47138cde6b049@mail.gmail.com> Message-ID: <1221112850.21720.41.camel@darkstar.netcore.co.in>

On Wed, 2008-09-10 at 14:24 +0530, Swati Meghanand wrote:
> Hi,
>
>
> I'm using mailscanner on a busy mail gateways from several months,
> which was working fine so far. From last few days I noticed increased no
> of spam mails as well log Filtering queues (of course slow processing
> of mailscanner). In log file of mailscanner I found following lines,
>
> Sep 10 04:47:29 localhost MailScanner[11027]: Virus and Content Scanning: Starting
> Sep 10 04:47:37 localhost MailScanner[8400]: SpamAssassin timed out and was killed, failure 8 of 20
> Sep 10 04:47:37 localhost MailScanner[8680]: SpamAssassin timed out and was killed, failure 14 of 20
> Sep 10 04:47:38 localhost MailScanner[8680]: Message 1KdL6x-0005q5-L3 from xx.xx.xx.xx (xxx@xxx.x) to xxx.xx is not spam, SpamAssassin (not cached, timed out)
> Sep 10 04:47:38 localhost MailScanner[8400]: Message 1KdLDG-0006se-Ox from xx.xx.xx.xx (xxx@xx.xxx) to xxx.xx is not spam, SpamAssassin (not cached, timed out)
>
> it clearly indicates mailscanner is not (able to) scanning messages.

Hi Swati,

MailScanner Spamassassin timing out can be due to multiple reasons; most likely this is a DNS issue like others have said. It could also be a huge BAYES file or a blocked RAZOR port etc.

Just check if your SA is still querying all the Dead DNS lists (securitysage, ORDB, OPM BLITZED, DOB etc.)

I would suggest take any mail and run

spamassassin -D -t < /path/mail

(test with a mail with multiple urls and one that has passed thru different mail hops)

That test would most probably give you enough results to find what is taking time.

From hvdkooij at vanderkooij.org Thu Sep 11 07:01:37 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Thu Sep 11 07:01:47 2008 Subject: OT: awstats on yum repository In-Reply-To: References: <48C6E93D.6030906@vanderkooij.org> <48C82E12.7070806@vanderkooij.org> Message-ID: <48C8B441.3040202@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Scott Silva wrote:
> I don't have the mailscanner-wrapper on my system, but it still updated
> the old rpm. Everything works so I don't see any problem

The wrapper is there as a convenience. Not all dependencies of the MailScanner packages are done automatically. So every dependency I noted that was not taken care of in the MailScanner package has been added to the wrapper.

If you have no need for the wrapper, that's fine by me.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFIyLRABvzDRVjxmYERAjwgAKCDawm4hoT0TIafbpebAeQaqFNGygCcCdNz
87vGJJmMpmckg6tih98kPpU=
=6oTa
-----END PGP SIGNATURE-----

From glenn.steen at gmail.com Thu Sep 11 11:17:50 2008
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Sep 11 11:18:00 2008 Subject: check PTR with MS In-Reply-To: <779829.58049.qm@web38904.mail.mud.yahoo.com> References: <20080909145632.GE23322@cgi.jachomes.com> <779829.58049.qm@web38904.mail.mud.yahoo.com> Message-ID: <223f97700809110317n23839f42pb6a2ba9267057f25@mail.gmail.com>

2008/9/9 Octavio :
> Hi
> I wonder to know if is possible check:
>
> if the IP has a name
> if the name exist
>
> similar like reject_unknown_client_hostname in postfix but using score
>
> the problem is that if I use it in postfix there are some domains that I
> want to receive emails but they are being rejected
>
> Thanks
>
You already have SA scoring on RDNS_NONE ... Isn't that enough?

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From J.Ede at birchenallhowden.co.uk Thu Sep 11 12:44:55 2008
From: J.Ede at birchenallhowden.co.uk (Jason Ede) Date: Thu Sep 11 12:45:18 2008 Subject: Odd clam error in postfix logs Message-ID: <4CAB0118AEC63A4FAAE77E6BCBDF760C792A20ECAE@server02.bhl.local>

I've just noticed we get this logged every time an email passed through our system...

Sep 11 12:41:01 gateway2 clamd[13691]: /tmp/clamdwatch-DPB5RGeGkNR5sav3: Eicar-Test-Signature FOUND

In /tmp that file doesn't exist, so it must be something about how the file is linked/extracted. I'm guessing this is not expected behaviour.

Am on clam 0.93.3 and clamd is running

Jason

From list-mailscanner at linguaphone.com Thu Sep 11 12:53:18 2008
From: list-mailscanner at linguaphone.com (Gareth) Date: Thu Sep 11 12:53:54 2008 Subject: Odd clam error in postfix logs In-Reply-To: <4CAB0118AEC63A4FAAE77E6BCBDF760C792A20ECAE@server02.bhl.local> References: <4CAB0118AEC63A4FAAE77E6BCBDF760C792A20ECAE@server02.bhl.local> Message-ID: <1221133998.8647.8.camel@gblades-suse.linguaphone-intranet.co.uk>

Isn't clamdwatch a script to monitor clamd and restart it if it fails?

My guess is that it is being run for every mailscanner queue run and is scanning the eicar test file to make sure it is working and reading its virus database correctly.

On Thu, 2008-09-11 at 12:44, Jason Ede wrote:
> I've just noticed we get this logged every time an email passed
> through our system...
>
> Sep 11 12:41:01 gateway2 clamd[13691]: /tmp/clamdwatch-DPB5RGeGkNR5sav3: Eicar-Test-Signature FOUND
>
> In /tmp that file doesn't exist, so it must be something about how the
> file is linked/extracted. I'm guessing this is not expected behaviour.
>
> Am on clam 0.93.3 and clamd is running
>
> Jason

From J.Ede at birchenallhowden.co.uk Thu Sep 11 13:02:19 2008
From: J.Ede at birchenallhowden.co.uk (Jason Ede) Date: Thu Sep 11 13:02:42 2008 Subject: Odd clam error in postfix logs In-Reply-To: <1221133998.8647.8.camel@gblades-suse.linguaphone-intranet.co.uk> References: <4CAB0118AEC63A4FAAE77E6BCBDF760C792A20ECAE@server02.bhl.local> <1221133998.8647.8.camel@gblades-suse.linguaphone-intranet.co.uk> Message-ID: <4CAB0118AEC63A4FAAE77E6BCBDF760C792A20ECB3@server02.bhl.local>

Yes you're right. I didn't realise it did that, but just examined the script more closely and it does use EICAR test file.

Jason

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Gareth
> Sent: 11 September 2008 12:53
> To: MailScanner discussion
> Subject: Re: Odd clam error in postfix logs
>
> Isn't clamdwatch a script to monitor clamd and restart it if it fails?
>
> My guess is that it is being run for every mailscanner queue run and is
> scanning the eicar test file to make sure it is working and reading
> its virus database correctly.
>
>
> On Thu, 2008-09-11 at 12:44, Jason Ede wrote:
> > I've just noticed we get this logged every time an email passed
> > through our system...
> >
> > Sep 11 12:41:01 gateway2 clamd[13691]: /tmp/clamdwatch-DPB5RGeGkNR5sav3: Eicar-Test-Signature FOUND
> >
> > In /tmp that file doesn't exist, so it must be something about how the
> > file is linked/extracted. I'm guessing this is not expected behaviour.
> >
> > Am on clam 0.93.3 and clamd is running
> >
> > Jason

From danilo at amti.com.br Thu Sep 11 18:24:06 2008
From: danilo at amti.com.br (Danilo Egea) Date: Thu Sep 11 18:24:19 2008 Subject: Help with rule Message-ID: <48C95436.1040208@amti.com.br>

(Sorry my english) :P

Is it possible to create a rule to block an email with a specific origin and destination?

thanks !

--
This message was checked by the AMTI antivirus systems and is believed to be free of danger.

From alex at rtpty.com Thu Sep 11 18:56:51 2008
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Thu Sep 11 18:57:14 2008 Subject: Help with rule In-Reply-To: <48C95436.1040208@amti.com.br> References: <48C95436.1040208@amti.com.br> Message-ID: <90605A69-28B4-4911-9758-7DFD510CF04B@rtpty.com>

Yes, it is!

---

Alex Neuman
Reliant Technologies
+507 6781-9505
Skype: alexneuman

On Sep 11, 2008, at 12:24 PM, Danilo Egea wrote:

> (Sorry my english) :P
>
> Is it possible to create a rule to block an email with a specific origin
> and destination?
>
> thanks !
>
> --
> This message was checked by the AMTI antivirus systems and
> is believed to be free of danger.

From danilo at amti.com.br Thu Sep 11 19:07:44 2008
From: danilo at amti.com.br (Danilo Egea) Date: Thu Sep 11 19:07:57 2008 Subject: Help with rule In-Reply-To: <90605A69-28B4-4911-9758-7DFD510CF04B@rtpty.com> References: <48C95436.1040208@amti.com.br> <90605A69-28B4-4911-9758-7DFD510CF04B@rtpty.com> Message-ID: <48C95E70.1020400@amti.com.br>

humm, :| how ?

Alex Neuman van der Hans wrote:
> Yes, it is!
>
> ---
>
> Alex Neuman
> Reliant Technologies
> +507 6781-9505
> Skype: alexneuman
>
> On Sep 11, 2008, at 12:24 PM, Danilo Egea wrote:
>
>> (Sorry my english) :P
>>
>> Is it possible to create a rule to block an email with a specific origin
>> and destination?
>>
>> thanks !
>>
>> --
>> This message was checked by the AMTI antivirus systems and
>> is believed to be free of danger.
>

--
This message was checked by the AMTI antivirus systems and is believed to be free of danger.

From kc5goi at gmail.com Thu Sep 11 19:28:18 2008
From: kc5goi at gmail.com (Guy Story KC5GOI) Date: Thu Sep 11 19:28:31 2008 Subject: Help with rule In-Reply-To: <48C95E70.1020400@amti.com.br> Message-ID: <22705875.581221157694921.JavaMail.SYSTEM@kc5goi-1>

Use the blacklisting rule.

FromTo: block@address.whatever Yes

----- "Danilo Egea" wrote:
> From: "Danilo Egea"
> To: "MailScanner discussion"
> Sent: Thursday, September 11, 2008 1:07:44 PM GMT -06:00 US/Canada Central
> Subject: Re: Help with rule
>
> humm, :| how ?
>
> Alex Neuman van der Hans wrote:
> > Yes, it is!
> >
> > ---
> >
> > Alex Neuman
> > Reliant Technologies
> > +507 6781-9505
> > Skype: alexneuman
> >
> > On Sep 11, 2008, at 12:24 PM, Danilo Egea wrote:
> >
> >> (Sorry my english) :P
> >>
> >> Is it possible to create a rule to block an email with a specific origin
> >> and destination?
> >>
> >> thanks !
> >>
> >> --
> >> This message was checked by the AMTI antivirus systems and
> >> is believed to be free of danger.
> >
>
> --
> This message was checked by the AMTI antivirus systems and
> is believed to be free of danger.

From alex at rtpty.com Thu Sep 11 19:40:15 2008
From: alex at rtpty.com (Alex Neuman) Date: Thu Sep 11 19:40:24 2008 Subject: Help with rule In-Reply-To: <22705875.581221157694921.JavaMail.SYSTEM@kc5goi-1> References: <48C95E70.1020400@amti.com.br> <22705875.581221157694921.JavaMail.SYSTEM@kc5goi-1> Message-ID: <24e3d2e40809111140m4b6d8f2dr1a9763fb0db62657@mail.gmail.com>

Actually what he means is from a specific address to a specific address.

So if he means "block e-mails from Alicia to Roberto, but not necessarily from Roberto to Alicia or to Carlos", for example, he would do the following:

under "Is Definitely Spam = no" change to:

"Is Definitely Spam = %rules-dir%/a-quem-eu-bloco.rules"

(note the ".rules" at the end that indicates this is a ruleset)

Then at /etc/MailScanner/rules, create a file called a-quem-eu-bloco.rules that says:

FromOrTo: default no
From: alicia@dominio.com.br and To: roberto@dominio.com.br yes

Save it and restart MailScanner.

And Danilo - try to read the configuration file itself and the documentation on the website - I'm sure with a few more minutes of looking at either of them you could have figured it out, too. We here on the list are glad to help, but it's easier if you help yourself first.

On Thu, Sep 11, 2008 at 1:28 PM, Guy Story KC5GOI wrote:

> Use the blacklisting rule.
>
> FromTo: block@address.whatever Yes
>
>
> ----- "Danilo Egea" wrote:
>
> > From: "Danilo Egea"
> > To: "MailScanner discussion"
> > Sent: Thursday, September 11, 2008 1:07:44 PM GMT -06:00 US/Canada Central
> > Subject: Re: Help with rule
> >
> > humm, :| how ?
> >
> > Alex Neuman van der Hans wrote:
> > > Yes, it is!
> > >
> > > ---
> > >
> > > Alex Neuman
> > > Reliant Technologies
> > > +507 6781-9505
> > > Skype: alexneuman
> > >
> > > On Sep 11, 2008, at 12:24 PM, Danilo Egea wrote:
> > >
> > >> (Sorry my english) :P
> > >>
> > >> Is it possible to create a rule to block an email with a specific origin
> > >> and destination?
> > >>
> > >> thanks !
> > >>
> > >> --
> > >> This message was checked by the AMTI antivirus systems and
> > >> is believed to be free of danger.
> > >
> >
> > --
> > This message was checked by the AMTI antivirus systems and
> > is believed to be free of danger.

From danilo at amti.com.br Thu Sep 11 19:45:36 2008
From: danilo at amti.com.br (Danilo Egea)
Date: Thu Sep 11 19:45:49 2008
Subject: Help with rule
In-Reply-To: <22705875.581221157694921.JavaMail.SYSTEM@kc5goi-1>
References: <22705875.581221157694921.JavaMail.SYSTEM@kc5goi-1>
Message-ID: <48C96750.8010508@amti.com.br>

I need something like this:
From: ze@gmail To: bob@hotmail yes

Guy Story KC5GOI wrote:
> Use the blacklisting rule.
>
> FromTo: block@address.whatever Yes
>
>
> ----- "Danilo Egea" wrote:
>
>> From: "Danilo Egea"
>> To: "MailScanner discussion"
>> Sent: Thursday, September 11, 2008 1:07:44 PM GMT -06:00 US/Canada Central
>> Subject: Re: Help with rule
>>
>> humm, :| how ?
>>
>> Alex Neuman van der Hans wrote:
>>
>>> Yes, it is!
>>>
>>> ---
>>>
>>> Alex Neuman
>>> Reliant Technologies
>>> +507 6781-9505
>>> Skype: alexneuman
>>>
>>> On Sep 11, 2008, at 12:24 PM, Danilo Egea wrote:
>>>
>>>> (Sorry my english) :P
>>>>
>>>> Is possible create a rule to block an email with a specific origin
>>>> and destination?
>>>>
>>>> thanks !

--
This message has been checked by the AMTI antivirus systems and is believed to be free of danger.
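
Added example, not part of any post in this thread and not MailScanner's own code: a simplified Python model of first-match ruleset evaluation, used to check that the two-condition rule from Alex Neuman's reply flags only Alicia-to-Roberto mail, while a single-condition rule on the same address would also catch the other flows. It assumes the first matching rule wins with `default` as the fallback, one sender and one recipient per message, and only literal addresses or `*` wildcards; the names `parse_ruleset`, `evaluate`, `TARGETED` and `BROAD` are hypothetical.

```python
import fnmatch
import re

# One condition: a direction keyword, a colon, then an address pattern.
# Assumption of this model: the space after the colon is optional.
COND = re.compile(r"\s*(fromorto|fromandto|from|to):\s*(\S+)", re.I)
AND = re.compile(r"\s+and\s+", re.I)

# Constructed from the rules quoted in the thread, one rule per line.
TARGETED = """\
FromOrTo: default no
From: alicia@dominio.com.br and To: roberto@dominio.com.br yes
"""

# Constructed for contrast: a single-condition rule on the same address.
BROAD = """\
FromOrTo: default no
FromOrTo: alicia@dominio.com.br yes
"""


def parse_ruleset(text):
    """Return (rules, default); rules is a list of (conditions, value)."""
    rules, default = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        conds, pos = [], 0
        while True:
            m = COND.match(line, pos)
            if not m:
                raise ValueError(f"line {lineno}: expected 'Direction: pattern'")
            conds.append((m.group(1).lower(), m.group(2).lower()))
            pos = m.end()
            joiner = AND.match(line, pos)
            if not joiner:
                break
            pos = joiner.end()
        value = line[pos:].strip()
        if not value:
            raise ValueError(f"line {lineno}: rule has no value")
        if conds[0][1] == "default":
            default = value
        else:
            rules.append((conds, value))
    return rules, default


def _cond_matches(direction, pattern, sender, recipient):
    """Test one 'Direction: pattern' condition against a single message."""
    hit_from = fnmatch.fnmatchcase(sender.lower(), pattern)
    hit_to = fnmatch.fnmatchcase(recipient.lower(), pattern)
    return {
        "from": hit_from,
        "to": hit_to,
        "fromorto": hit_from or hit_to,
        "fromandto": hit_from and hit_to,
    }[direction]


def evaluate(ruleset_text, sender, recipient):
    """Value of the first rule whose conditions all match, else the default."""
    rules, default = parse_ruleset(ruleset_text)
    for conds, value in rules:
        if all(_cond_matches(d, p, sender, recipient) for d, p in conds):
            return value
    return default


if __name__ == "__main__":
    alicia = "alicia@dominio.com.br"
    roberto = "roberto@dominio.com.br"
    carlos = "carlos@dominio.com.br"
    for name, ruleset in (("targeted", TARGETED), ("broad", BROAD)):
        for sender, recipient in ((alicia, roberto), (roberto, alicia), (alicia, carlos)):
            verdict = evaluate(ruleset, sender, recipient)
            print(f"{name:8} {sender} -> {recipient}: {verdict}")
```
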
From bpirie at rma.edu Thu Sep 11 19:56:15 2008
From: bpirie at rma.edu (Brendan Pirie)
Date: Thu Sep 11 19:56:30 2008
Subject: Help with rule
In-Reply-To: <48C96750.8010508@amti.com.br>
References: <22705875.581221157694921.JavaMail.SYSTEM@kc5goi-1> <48C96750.8010508@amti.com.br>
Message-ID: <48C969CF.7010105@rma.edu>

If you're using mailwatch's blacklist feature, it supports this form of blacklist in the web interface.

Danilo Egea wrote:
> I need something like this: From: ze@gmail To: bob@hotmail yes
>
>
> Guy Story KC5GOI wrote:
>> Use the blacklisting rule.
>>
>> FromTo: block@address.whatever Yes
>>
>>
>> ----- "Danilo Egea" wrote:
>>
>>> From: "Danilo Egea"
>>> To: "MailScanner discussion"
>>> Sent: Thursday, September 11, 2008 1:07:44 PM GMT -06:00 US/Canada Central
>>> Subject: Re: Help with rule
>>>
>>> humm, :| how ?
>>>
>>> Alex Neuman van der Hans wrote:
>>>
>>>> Yes, it is!
>>>>
>>>> ---
>>>>
>>>> Alex Neuman
>>>> Reliant Technologies
>>>> +507 6781-9505
>>>> Skype: alexneuman
>>>>
>>>> On Sep 11, 2008, at 12:24 PM, Danilo Egea wrote:
>>>>
>>>>> (Sorry my english) :P
>>>>>
>>>>> Is possible create a rule to block an email with a specific origin
>>>>> and destination?
>>>>>
>>>>> thanks !

From danilo at amti.com.br Thu Sep 11 20:03:20 2008
From: danilo at amti.com.br (Danilo Egea)
Date: Thu Sep 11 20:03:34 2008
Subject: Help with rule
In-Reply-To: <24e3d2e40809111140m4b6d8f2dr1a9763fb0db62657@mail.gmail.com>
References: <48C95E70.1020400@amti.com.br> <22705875.581221157694921.JavaMail.SYSTEM@kc5goi-1> <24e3d2e40809111140m4b6d8f2dr1a9763fb0db62657@mail.gmail.com>
Message-ID: <48C96B78.2080103@amti.com.br>

Thanks Alex !

Alex Neuman wrote:
> Actually what he means is from a specific address to a specific address.
>
> So if he means "block e-mails from Alicia to Roberto, but not
> necessarily from Roberto to Alicia or to Carlos", for example, he
> would do the following:
>
> under "Is Definitely Spam = no" change to:
> "Is Definitely Spam = %rules-dir%/a-quem-eu-bloco.rules
> (note the ".rules" at the end that indicates this is a ruleset)
>
> Then at /etc/MailScanner/rules, create a file called
> a-quem-eu-bloco.rules that says:
>
> FromOrTo: default no
> From:alicia@dominio.com.br and
> To: roberto@dominio.com.br yes
>
> Save it and restart MailScanner.
>
> And Danilo - try to read the configuration file itself and the
> documentation on the website - I'm sure with a few more minutes of
> looking at either of them you could have figured it out, too. We here
> on the list are glad to help, but it's easier if you help yourself first.
>
> On Thu, Sep 11, 2008 at 1:28 PM, Guy Story KC5GOI wrote:
>
> > Use the blacklisting rule.
> >
> > FromTo: block@address.whatever Yes
> >
> >
> > ----- "Danilo Egea" wrote:
> >
> > > From: "Danilo Egea"
> > > To: "MailScanner discussion"
> > > Sent: Thursday, September 11, 2008 1:07:44 PM GMT -06:00 US/Canada Central
> > > Subject: Re: Help with rule
> > >
> > > humm, :| how ?
> > >
> > > Alex Neuman van der Hans wrote:
> > > > Yes, it is!
> > > >
> > > > ---
> > > >
> > > > Alex Neuman
> > > > Reliant Technologies
> > > > +507 6781-9505
> > > > Skype: alexneuman
> > > >
> > > > On Sep 11, 2008, at 12:24 PM, Danilo Egea wrote:
> > > >
> > > >> (Sorry my english) :P
> > > >>
> > > >> Is possible create a rule to block an email with a specific origin
> > > >> and destination?
> > > >>
> > > >> thanks !

--
This message has been checked by the AMTI antivirus systems and is believed to be free of danger.

From marcel-ml at irc-addicts.de Fri Sep 12 09:41:57 2008
From: marcel-ml at irc-addicts.de (Marcel Blenkers)
Date: Fri Sep 12 09:43:50 2008
Subject: Update bad phishing sites fails
Message-ID:

Hi there,

I am running the script "update_bad_phishing_sites" once every hour.
But suddenly the script returns an error, and that's why I receive the mail concerning "cron.hourly failed"..

Could anyone check if I am the only one with this problem?

Thanks in advance..

Greetings

Marcel

From martinh at solidstatelogic.com Fri Sep 12 09:46:13 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Fri Sep 12 09:46:28 2008
Subject: update_bad_phishing_sites erroring
Message-ID:

Jules

Heads up - seems to have gone offline???

##Unable to retrieve http://www.mailscanner.tv/.2008-09-12 :404 Not Found
Unable to open base file

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From telecaadmin at gmail.com Fri Sep 12 09:58:03 2008
From: telecaadmin at gmail.com (Ronny T. Lampert)
Date: Fri Sep 12 10:00:35 2008
Subject: update_bad_phishing_sites erroring
In-Reply-To:
References:
Message-ID: <48CA2F1B.9020201@gmail.com>

> Heads up - seems to have gone offline???
>
> ##Unable to retrieve http://www.mailscanner.tv/.2008-09-12 :404 Not Found
> Unable to open base file
>

My older MailScanner with http://www.mailscanner.eu/phishing.bad.sites.conf.master is still working.

Cheers,
Ronny

From swati.meghanand at gmail.com Fri Sep 12 10:03:48 2008
From: swati.meghanand at gmail.com (Swati Meghanand)
Date: Fri Sep 12 10:03:58 2008
Subject: Spamassassin Timeout issue.
In-Reply-To: <1221112850.21720.41.camel@darkstar.netcore.co.in>
References: <424c10260809100154v4d47738bg16e47138cde6b049@mail.gmail.com> <1221112850.21720.41.camel@darkstar.netcore.co.in>
Message-ID: <424c10260809120203o65366711oef62dfc6c6897065@mail.gmail.com>

hi ram,

Thanks for your help, running spamassassin in debugging mode helped me a lot.

I figured out that it's not DNS related issue as spamassassin -D -t /path/to/mail gave me.

[2646] dbg: dns: name server: xxx.xxx.xxx.xxx, family: 2, ipv6: 0
[2646] dbg: dns: testing resolver nameservers: xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx
[2646] dbg: dns: trying (3) xxx.xxx...
[2646] dbg: dns: looking up NS for 'xxx.xxx'
[2646] dbg: dns: NS lookup of xxx.xxx using xxx.xxx.xxx.xxx succeeded => DNS available (set dns_available to override)
[2646] dbg: dns: is DNS available? 1

possibly not even RAZOR issue

[2646] dbg: razor2: part=0 engine=4 contested=0 confidence=0
[2646] dbg: razor2: results: spam? 0
[2646] dbg: razor2: results: engine 8, highest cf score: 0
[2646] dbg: razor2: results: engine 4, highest cf score: 0

yes I got some trouble with Pyzor, but not always

sometimes I get following errors

[17573] dbg: util: executable for pyzor was found at /usr/bin/pyzor
[17573] dbg: pyzor: pyzor is available: /usr/bin/pyzor
[17573] dbg: info: entering helper-app run mode
[17573] dbg: pyzor: opening pipe: /usr/bin/pyzor check < /tmp/.spamassassin17573LkAPartmp
[17778] dbg: util: setuid: ruid=0 euid=0
[17573] dbg: pyzor: [17778] finished: exit=0x0100
[17573] dbg: pyzor: got response: Traceback (most recent call last):\n File "/usr/bin/pyzor", line 4, in ?\n pyzor.client.run()\n File "/usr/lib/python2.3/site-packages/pyzor/client.py", line 934, in run\n ExecCall().run()\n File "/usr/lib/python2.3/site-packages/pyzor/client.py", line 188, in run\n if not apply(dispatch, (self, args)):\n File "/usr/lib/python2.3/site-packages/pyzor/client.py", line 264, in check\n response = runner.run(server, (digest, server))\n File "/usr/lib/python2.3/site-packages/pyzor/client.py", line 725, in run\n response = apply(self.routine, varargs, kwargs)\n File "/usr/lib/python2.3/site-packages/pyzor/client.py", line 57, in check\n msg = CheckRequest(digest)\n File "/usr/lib/python2.3/site-packages/pyzor/__init__.py", line 381, in __init__\n typecheck(digest, str)\n File "/usr/lib/python2.3/site-packages/pyzor/__init__.py", line 494, in typecheck\n raise TypeError\nTypeError
[17573] dbg: info: leaving helper-app run mode
[17573] warn: pyzor: check failed: internal error

still not able to figure out the exact reason since this error is not coming always...

Regards,
Swati Meghanand

2008/9/11 ram
>
> On Wed, 2008-09-10 at 14:24 +0530, Swati Meghanand wrote:
> > Hi,
> >
> >
> > I'm using mailscanner on a busy mail gateways from several months,
> > which was working fine so far. From last few days I noticed increased no
> > of spam mails as well log Filtering queues (of course slow processing
> > of mailscanner). In log file of mailscanner I found following lines,
> >
> > Sep 10 04:47:29 localhost MailScanner[11027]: Virus and Content
> > Scanning: Starting
> > Sep 10 04:47:37 localhost MailScanner[8400]: SpamAssassin timed out
> > and was killed, failure 8 of 20
> > Sep 10 04:47:37 localhost MailScanner[8680]: SpamAssassin timed out
> > and was killed, failure 14 of 20
> > Sep 10 04:47:38 localhost MailScanner[8680]: Message 1KdL6x-0005q5-L3
> > from xx.xx.xx.xx (xxx@xxx.x) to xxx.xx is not spam, SpamAssassin (not
> > cached, timed out)
> > Sep 10 04:47:38 localhost MailScanner[8400]: Message 1KdLDG-0006se-Ox
> > from xx.xx.xx.xx (xxx@xx.xxx) to xxx.xx is not spam, SpamAssassin (not
> > cached, timed out)
> >
> > it clearly indicates mailscanner is not (able to) scanning messages.
>
> Hi Swati,
> MailScanner Spamassassin timing out can be due to multiple reasons most
> likely this is a DNS issue like others have said. It could also be a
> huge BAYES file or a blocked RAZOR port etc
>
> Just check if your SA is still querying all the Dead DNS lists
> ( securitysage , ORDB , OPM BLITZED , DOB etc )
>
> I would suggest take any mail and run
> spamassassin -D -t < /path/mail
> (test with a mail with multiple urls and one that has passed thru
> different mail hops )
>
> That test would most probably give you enough results to find what is
> taking time.
>

From jcputter at centreweb.co.za Fri Sep 12 10:03:34 2008
From: jcputter at centreweb.co.za (JC)
Date: Fri Sep 12 10:04:48 2008
Subject: FW: PTR Record Mailscanner
Message-ID: <001001c914b6$6fc8e510$4f5aaf30$@co.za>

From andrew at gdcon.net Fri Sep 12 10:21:34 2008
From: andrew at gdcon.net (Andrew MacLachlan)
Date: Fri Sep 12 10:21:39 2008
Subject: FW: PTR Record Mailscanner
In-Reply-To: <001001c914b6$6fc8e510$4f5aaf30$@co.za>
References: <001001c914b6$6fc8e510$4f5aaf30$@co.za>
Message-ID: <48CA349E.6000206@gdcon.net>

JC wrote:
>
> How can i change the score for the rule RDNS_NONE 0.2 is not working
> for me
>

add a score of your liking to /etc/MailScanner/spam.assassin.prefs.conf then reload MailScanner

-Andy

From uxbod at splatnix.net Fri Sep 12 10:21:51 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Fri Sep 12 10:22:10 2008
Subject: Update bad phishing sites fails
In-Reply-To:
Message-ID: <6405047.1911221211310959.JavaMail.root@office.splatnix.net>

Unable to retrieve http://www.mailscanner.tv/.2008-09-12 :404 Not Found
Update required

So I manually created /var/spool/MailScanner/quarantine/phishingupdate/cache/2008-09-12 and ran again which then updated the file okay.

Regards,

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- "Marcel Blenkers" wrote:
> Hi there,
>
> i am running the script "update_bad_phishing_sites" once every hour.
> But suddenly the Script returns an error, and thats why i receive the mail
> concerning "cron.hourly failed"..
>
> Could anyone check if i am the only one with this problem?
>
> Thanks in advance..
>
> Greetings
>
> Marcel

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From ram at netcore.co.in Fri Sep 12 10:24:21 2008
From: ram at netcore.co.in (ram)
Date: Fri Sep 12 10:24:45 2008
Subject: Spamassassin Timeout issue.
In-Reply-To: <424c10260809120203o65366711oef62dfc6c6897065@mail.gmail.com>
References: <424c10260809100154v4d47738bg16e47138cde6b049@mail.gmail.com> <1221112850.21720.41.camel@darkstar.netcore.co.in> <424c10260809120203o65366711oef62dfc6c6897065@mail.gmail.com>
Message-ID: <1221211461.634.73.camel@darkstar.netcore.co.in>

On Fri, 2008-09-12 at 14:33 +0530, Swati Meghanand wrote:
> hi ram,
>
> Thanks for ur help, running spamassassin in debugging mode helped me a
> lot.
>
> I figured out that its not DNS related issue as spamassassin -D
> -t /path/to/mail gave me.
>

You can never be sure. By experience I can say 9/10 times it is a DNS issue. Take more mails and test again, and at same times when your MailScanner server has issues of clearing off

spamassassin -D -t /path/to/mail 2>&1 | tee -a /path/logfile
grep -i time /path/logfile

> [2646] dbg: dns: name server: xxx.xxx.xxx.xxx, family: 2, ipv6: 0
> [2646] dbg: dns: testing resolver nameservers: xxx.xxx.xxx.xxx,
> xxx.xxx.xxx.xxx
> [2646] dbg: dns: trying (3) xxx.xxx...
> [2646] dbg: dns: looking up NS for 'xxx.xxx'
> [2646] dbg: dns: NS lookup of xxx.xxx using xxx.xxx.xxx.xxx succeeded
> => DNS available (set dns_available to override)
> [2646] dbg: dns: is DNS available? 1
>
> possibly not even RAZOR issue
>
> [2646] dbg: razor2: part=0 engine=4 contested=0 confidence=0
> [2646] dbg: razor2: results: spam? 0
> [2646] dbg: razor2: results: engine 8, highest cf score: 0
> [2646] dbg: razor2: results: engine 4, highest cf score: 0
>
> yes i got some trouble with Pyzor, but not always
>

Disable pyzor for testing. It doesn't make any diff in the results anyway ... of course YMMV :-)

> .....(snipped) ....
> still not able to finget out the exact reason since this error is not
> coming always...
>

Keep trying. Sometimes it is just the errors are not continuous, you can set aggressive timeouts to narrow down the issues.

Have you monitored your b/w usage for any choke over there. ( In India b/w is *still* an issue unfortunately)

Thanks
Ram

From jcputter at centreweb.co.za Fri Sep 12 10:30:34 2008
From: jcputter at centreweb.co.za (JC)
Date: Fri Sep 12 10:31:43 2008
Subject: FW: PTR Record Mailscanner
In-Reply-To: <48CA349E.6000206@gdcon.net>
References: <001001c914b6$6fc8e510$4f5aaf30$@co.za> <48CA349E.6000206@gdcon.net>
Message-ID: <002801c914ba$352e5030$9f8af090$@co.za>

I am using Rules Du Jour, can't find RDNS_NONE in spam.assassin.prefs.conf

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Andrew MacLachlan
Sent: 12 September 2008 11:22 AM
To: MailScanner discussion
Subject: Re: FW: PTR Record Mailscanner

JC wrote:
>
> How can i change the score for the rule RDNS_NONE 0.2 is not working
> for me
>

add a score of your liking to /etc/MailScanner/spam.assassin.prefs.conf then reload MailScanner

-Andy

This message has been scanned for viruses and dangerous content by Centerweb, and is believed to be clean.

From sandip.sinha at in.dclgroup.com Fri Sep 12 11:12:37 2008
From: sandip.sinha at in.dclgroup.com (sandip.sinha@in.dclgroup.com)
Date: Fri Sep 12 11:12:57 2008
Subject: Message contained archive nested too deeply
Message-ID:

I have installed MailScanner in FC7 into our sendmail server. This works fine. However I am facing one problem which I couldn't figure out. For some attachments it gives the following error. The attachment does not have any virus, does not have zip with zip. Still it gives the following error.

I want to know how to disable "Other Bad Content" scanning.

----------------------------------------------------------------------
The following e-mails were found to have: Other Bad Content Detected

Sender: ss1@xxx.com
IP Address: 10.20.10.1
Recipient: ss2@xxx.com
Subject:
MessageID: m8CA6SYX000360
Quarantine: /var/spool/MailScanner/quarantine/20080912/m8CA6SYX000360
Report: MailScanner: Message contained archive nested too deeply
----------------------------------------------------------------------

Sandip
Calcutta, India.

From prandal at herefordshire.gov.uk Fri Sep 12 11:50:27 2008
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Fri Sep 12 11:53:09 2008
Subject: Update bad phishing sites fails
In-Reply-To: <6405047.1911221211310959.JavaMail.root@office.splatnix.net>
References: <6405047.1911221211310959.JavaMail.root@office.splatnix.net>
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA04A67669@HC-MBX02.herefordshire.gov.uk>

That workaround fixed it for me too.

Phil

--
Phil Randal
Networks Engineer
Herefordshire Council
Hereford, UK

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of --[ UxBoD ]--
Sent: 12 September 2008 10:22
To: MailScanner discussion
Subject: Re: Update bad phishing sites fails

Unable to retrieve http://www.mailscanner.tv/.2008-09-12 :404 Not Found
Update required

So I manually created /var/spool/MailScanner/quarantine/phishingupdate/cache/2008-09-12 and ran again which then updated the file okay.

Regards,

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- "Marcel Blenkers" wrote:
> Hi there,
>
> i am running the script "update_bad_phishing_sites" once every hour.
> But suddenly the Script returns an error, and thats why i receive the mail
> concerning "cron.hourly failed"..
>
> Could anyone check if i am the only one with this problem?
>
> Thanks in advance..
>
> Greetings
>
> Marcel

From ram at netcore.co.in Fri Sep 12 12:11:51 2008
From: ram at netcore.co.in (ram)
Date: Fri Sep 12 12:12:15 2008
Subject: FW: PTR Record Mailscanner
In-Reply-To: <002801c914ba$352e5030$9f8af090$@co.za>
References: <001001c914b6$6fc8e510$4f5aaf30$@co.za> <48CA349E.6000206@gdcon.net> <002801c914ba$352e5030$9f8af090$@co.za>
Message-ID: <1221217911.634.130.camel@darkstar.netcore.co.in>

On Fri, 2008-09-12 at 11:30 +0200, JC wrote:
> I am using Rules Du Jour , cant find RDNS_NONE in spam.assassin.prefs.conf
>

http://wiki.mailscanner.info/doku.php?id=maq:index
look for How to customize SpamAssassin?

Thanks
Ram

From support-lists at petdoctors.co.uk Fri Sep 12 12:33:27 2008
From: support-lists at petdoctors.co.uk (Nigel Kendrick)
Date: Fri Sep 12 12:34:19 2008
Subject: Whitelist our mobile phone users
Message-ID: <3E606460613F4C3C82955AD8D0214CC6@SUPPORT01V>

We have a recurring problem (2-3 times a year) where UK Vodaphone domains get added to various RBLs and so our mobile users suddenly get their mail rejected as outbound spam by our mail server (MailScanner, Spamassassin and Postfix). Considering these users have to do an SMTP login to send mail, is it possible to whitelist them based on this fact? If not, what's the best way to cope with this without letting too much spam through - or do I just not scan outbound mail!?

Thanks,

Nigel Kendrick

From jaearick at colby.edu Fri Sep 12 12:39:45 2008
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Fri Sep 12 12:40:02 2008
Subject: Update bad phishing sites fails
In-Reply-To: <6405047.1911221211310959.JavaMail.root@office.splatnix.net>
References: <6405047.1911221211310959.JavaMail.root@office.splatnix.net>
Message-ID:

I too had this problem and your suggestion fixed it. Many thanks.

Jeff Earickson
Colby College

On Fri, 12 Sep 2008, --[ UxBoD ]-- wrote:

> Date: Fri, 12 Sep 2008 10:21:51 +0100 (BST)
> From: "--[ UxBoD ]--"
> Reply-To: MailScanner discussion
> To: MailScanner discussion
> Subject: Re: Update bad phishing sites fails
>
> Unable to retrieve http://www.mailscanner.tv/.2008-09-12 :404 Not Found
> Update required
>
> So I manually created /var/spool/MailScanner/quarantine/phishingupdate/cache/2008-09-12 and ran again which then updated the file okay.
>
> Regards,
>
> --
> --[ UxBoD ]--
> // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
> // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
> // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
> // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net
>
> ----- "Marcel Blenkers" wrote:
>
>> Hi there,
>>
>> i am running the script "update_bad_phishing_sites" once every hour.
>> But suddenly the Script returns an error, and thats why i receive the mail
>> concerning "cron.hourly failed"..
>>
>> Could anyone check if i am the only one with this problem?
>>
>> Thanks in advance..
>>
>> Greetings
>>
>> Marcel

From drew.marshall at technologytiger.net Fri Sep 12 12:46:42 2008
From: drew.marshall at technologytiger.net (Drew Marshall)
Date: Fri Sep 12 12:56:14 2008
Subject: Whitelist our mobile phone users
In-Reply-To: <3E606460613F4C3C82955AD8D0214CC6@SUPPORT01V>
References: <3E606460613F4C3C82955AD8D0214CC6@SUPPORT01V>
Message-ID: <8FEA8034-2F37-477F-994A-5AB80C11B774@technologytiger.net>

On 12 Sep 2008, at 12:33, Nigel Kendrick wrote:

> We have a recurring problem (2-3 times a year) where UK Vodaphone domains
> get added to various RBLs and so our mobile users suddenly get their mail
> rejected as outbound spam by our mail server (MailScanner, Spamassassin and
> Postfix). Considering these users have to do an SMTP login to send mail, is
> it possible to whitelist them based on this fact? If not, what's the best
> way to cope with this without letting too much spam through - or do I just
> not scan outbound mail!?

What rejects the mail, Postfix or MailScanner?

Drew

--
In line with our policy, this message has been scanned for viruses and dangerous content by Technology Tiger's Mail Launder system
Our email policy can be found at www.technologytiger.net/policy
Technology Tiger Limited is registered in Scotland with registration number: 310997
Registered Office 55-57 West High Street Inverurie AB51 3QQ

From alex at rtpty.com Fri Sep 12 13:11:21 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Fri Sep 12 13:11:35 2008
Subject: Update bad phishing sites fails
In-Reply-To:
References:
Message-ID: <630139E8-ABD6-4428-B2B9-210053D6A646@rtpty.com>

Anything else that could help, like a description of the error message, or a snippet from your log, would help a lot.

---

Alex Neuman
Reliant Technologies
+507 6781-9505
Skype: alexneuman

On Sep 12, 2008, at 3:41 AM, Marcel Blenkers wrote:

> Hi there,
>
> i am running the script "update_bad_phishing_sites" once every hour.
> But suddenly the Script returns an error, and thats why i receive the mail
> concerning "cron.hourly failed"..
>
> Could anyone check if i am the only one with this problem?
>
> Thanks in advance..
>
> Greetings
>
> Marcel

From alex at rtpty.com Fri Sep 12 13:14:54 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Fri Sep 12 13:15:10 2008
Subject: Message contained archive nested too deeply
In-Reply-To:
References:
Message-ID: <6832C96C-54D7-40F1-80D4-9C11E7BC09AC@rtpty.com>

Is it an office 2007 file?

---

Alex Neuman
Reliant Technologies
+507 6781-9505
Skype: alexneuman

On Sep 12, 2008, at 5:12 AM, sandip.sinha@in.dclgroup.com wrote:

> I have installed MailScanner in FC7 into our sendmail server. This works
> fine. However I am facing one problem which I couldn't able to figure out.
> For some attachments it gives the following error. The attachment does not
> have any virus, does not have zip with zip. Still it gives the folowing
> error.
>
> I want to know how to disable "Other Bad Content " scanning .
>
> ----------------------------------------------------------------------
> The following e-mails were found to have: Other Bad Content Detected
>
> Sender: ss1@xxx.com
> IP Address: 10.20.10.1
> Recipient: ss2@xxx.com
> Subject:
> MessageID: m8CA6SYX000360
> Quarantine: /var/spool/MailScanner/quarantine/20080912/m8CA6SYX000360
> Report: MailScanner: Message contained archive nested too deeply
> ----------------------------------------------------------------------
>
> Sandip
> Calcutta, India.

From alex at rtpty.com Fri Sep 12 13:13:14 2008
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Fri Sep 12 13:15:41 2008 Subject: Spamassassin Timeout issue. In-Reply-To: <424c10260809120203o65366711oef62dfc6c6897065@mail.gmail.com> References: <424c10260809100154v4d47738bg16e47138cde6b049@mail.gmail.com> <1221112850.21720.41.camel@darkstar.netcore.co.in> <424c10260809120203o65366711oef62dfc6c6897065@mail.gmail.com> Message-ID: Problems with pyzor? --- Alex Neuman Reliant Technologies +507 6781-9505 Skype: alexneuman On Sep 12, 2008, at 4:03 AM, "Swati Meghanand" wrote: > hi ram, > > Thanks for ur help, running spamassassin in debugging mode helped me > a lot. > > I figured out that its not DNS related issue as spamassassin -D -t / > path/to/mail gave me. > > [2646] dbg: dns: name server: xxx.xxx.xxx.xxx, family: 2, ipv6: 0 > [2646] dbg: dns: testing resolver nameservers: xxx.xxx.xxx.xxx, > xxx.xxx.xxx.xxx > [2646] dbg: dns: trying (3) xxx.xxx... > [2646] dbg: dns: looking up NS for 'xxx.xxx' > [2646] dbg: dns: NS lookup of xxx.xxx using xxx.xxx.xxx.xxx > succeeded => DNS available (set dns_available to override) > [2646] dbg: dns: is DNS available? 1 > > possibly not even RAZOR issue > > [2646] dbg: razor2: part=0 engine=4 contested=0 confidence=0 > [2646] dbg: razor2: results: spam? 
0 > [2646] dbg: razor2: results: engine 8, highest cf score: 0 > [2646] dbg: razor2: results: engine 4, highest cf score: 0 > > yes i got some trouble with Pyzor, but not always > > sometimes i get following errors > > [17573] dbg: util: executable for pyzor was found at /usr/bin/pyzor > [17573] dbg: pyzor: pyzor is available: /usr/bin/pyzor > [17573] dbg: info: entering helper-app run mode > [17573] dbg: pyzor: opening pipe: /usr/bin/pyzor check < / > tmp/.spamassassin17573LkAPartmp > [17778] dbg: util: setuid: ruid=0 euid=0 > [17573] dbg: pyzor: [17778] finished: exit=0x0100 > [17573] dbg: pyzor: got response: Traceback (most recent call last): > \n File "/usr/bin/pyzor", line 4, in ?\n pyzor.client.run()\n File "/ > usr/lib/python2.3/site-packages/pyzor/client.py", line 934, in run\n > ExecCall().run()\n File "/usr/lib/python2.3/site-packages/pyzor/ > client.py", line 188, in run\n if not apply(dispatch, (self, args)): > \n File "/usr/lib/python2.3/site-packages/pyzor/client.py", line > 264, in check\n response = runner.run(server, (digest, server))\n > File "/usr/lib/python2.3/site-packages/pyzor/client.py", line 725, > in run\n response = apply(self.routine, varargs, kwargs)\n File "/ > usr/lib/python2.3/site-packages/pyzor/client.py", line 57, in check > \n msg = CheckRequest(digest)\n File "/usr/lib/python2.3/site- > packages/pyzor/__init__.py", line 381, in __init__\n > typecheck(digest, str)\n File "/usr/lib/python2.3/site-packages/ > pyzor/__init__.py", line 494, in typecheck\n raise TypeError > \nTypeError > [17573] dbg: info: leaving helper-app run mode > [17573] warn: pyzor: check failed: internal error > > still not able to finget out the exact reason since this error is > not coming always... 
> > Regards, > > Swati Meghanand > > > > > 2008/9/11 ram > > On Wed, 2008-09-10 at 14:24 +0530, Swati Meghanand wrote: > > Hi, > > > > > > I'm using mailscanner on a busy mail gateways from serveral months, > > which was working fine so far.From last few days I noticed > incresed no > > of spam mails as well log Filtering queues (ofcourse slow processing > > of mailscanner).In log file of mailscanner I found following lines, > > > > Sep 10 04:47:29 localhost MailScanner[11027]: Virus and Content > > Scanning: Starting > > Sep 10 04:47:37 localhost MailScanner[8400]: SpamAssassin timed out > > and was killed, failure 8 of 20 > > Sep 10 04:47:37 localhost MailScanner[8680]: SpamAssassin timed out > > and was killed, failure 14 of 20 > > Sep 10 04:47:38 localhost MailScanner[8680]: Message 1KdL6x-0005q5- > L3 > > from xx.xx.xx.xx (xxx@xxx.x) to xxx.xx is not spam, SpamAssassin > (not > > cached, timed out) > > Sep 10 04:47:38 localhost MailScanner[8400]: Message 1KdLDG-0006se- > Ox > > from xx.xx.xx.xx (xxx@xx.xxx) to xxx.xx is not spam, SpamAssassin > (not > > cached, timed out) > > > > it clealy indicates mailscanner is not (able to) scanning messages. > > Hi Swati, > MailScanner Spamassassin timing out can be due to multiple reasons > most > likely this is a DNS issue like others have said. It could also be a > huge BAYES file or a blocked RAZOR port etc > > Just check if your SA is still quering all the Dead DNS lists > ( secuirtysage , ORDB , OPM BLITZED , DOB etc ) > > I would suggest take any mail and run > spamassassin -D -t < /path/mail > (test with a mail with multiple urls and one that has passed thru > different mail hops ) > > That test would most probably give you enough results to find what is > taking time. 
> > > > > > > > > > > > > > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080912/6dcfc484/attachment.html From support-lists at petdoctors.co.uk Fri Sep 12 13:25:23 2008 From: support-lists at petdoctors.co.uk (Nigel Kendrick) Date: Fri Sep 12 13:26:04 2008 Subject: Whitelist our mobile phone users In-Reply-To: <8FEA8034-2F37-477F-994A-5AB80C11B774@technologytiger.net> References: <3E606460613F4C3C82955AD8D0214CC6@SUPPORT01V> <8FEA8034-2F37-477F-994A-5AB80C11B774@technologytiger.net> Message-ID: <573E790B644640178D281A2D0BE84301@SUPPORT01V> > We have a recurring problem (2-3 times a year) where UK Vodaphone > domains > get added to various RBLs and so our mobile users suddenly get their > mail > >What rejects the mail, Postfix or MailScanner? > >Drew It's MailScanner as the domain is found in 3+ RBLs From martinh at solidstatelogic.com Fri Sep 12 13:27:06 2008 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Fri Sep 12 13:27:18 2008 Subject: Update bad phishing sites fails In-Reply-To: Message-ID: I wonder why it's putting it in the quarantine area and will we have to do this over the weekend.. /me prods Jules -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Jeff A. Earickson > Sent: 12 September 2008 12:40 > To: MailScanner discussion > Subject: Re: Update bad phishing sites fails > > I too had this problem and your suggestion fixed it. Many thanks. > > Jeff Earickson > Colby College > > On Fri, 12 Sep 2008, --[ UxBoD ]-- wrote: > > > Date: Fri, 12 Sep 2008 10:21:51 +0100 (BST) 
> > From: "--[ UxBoD ]--" > > Reply-To: MailScanner discussion > > > To: MailScanner discussion > > Subject: Re: Update bad phishing sites fails > > > > Unable to retrieve http://www.mailscanner.tv/.2008-09-12 :404 Not > > Found Update required > > > > So I manually created > /var/spool/MailScanner/quarantine/phishingupdate/cache/2008-09 > -12 and ran again which then updated the file okay. > > > > Regards, > > > > -- > > --[ UxBoD ]-- > > // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | > gpg --import" > > // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D > 2C5A 3A84 // > > Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: > +44 845 869 > > 2749 SIP Phone: uxbod@sip.splatnix.net > > > > ----- "Marcel Blenkers" wrote: > > > >> Hi there, > >> > >> > >> > >> i am running the script "update_bad_phishing_sites" once > every hour. > >> > >> But suddenly the Script returns an error, and thats why i > receive the > >> mail > >> > >> concerning "cron.hourly failed".. > >> > >> > >> > >> Could anyone check if i am the only one with this problem? > >> > >> > >> > >> Thanks in advance.. > >> > >> > >> > >> Greetings > >> > >> > >> > >> Marcel > > > > -- > > This message has been scanned for viruses and dangerous content by > > MailScanner, and is believed to be clean. > > > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
From alex at rtpty.com Fri Sep 12 13:49:44 2008 
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Fri Sep 12 13:49:59 2008 Subject: Whitelist our mobile phone users In-Reply-To: <573E790B644640178D281A2D0BE84301@SUPPORT01V> References: <3E606460613F4C3C82955AD8D0214CC6@SUPPORT01V> <8FEA8034-2F37-477F-994A-5AB80C11B774@technologytiger.net> <573E790B644640178D281A2D0BE84301@SUPPORT01V> Message-ID: <961588DE-8692-4428-993D-EC1FC5167D4F@rtpty.com> At what level? SA scoring? Can you use a ruleset to exclude them from said rbls? Could you set up a different instance of your mta on a different port, like 587, so they could skip scanning? --- Alex Neuman Reliant Technologies +507 6781-9505 Skype: alexneuman On Sep 12, 2008, at 7:25 AM, "Nigel Kendrick" wrote: > >> We have a recurring problem (2-3 times a year) where UK Vodaphone >> domains >> get added to various RBLs and so our mobile users suddenly get their >> mail >> >> What rejects the mail, Postfix or MailScanner? >> >> Drew > > > It's MailScanner as the domain is found in 3+ RBLs > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From steve.freegard at fsl.com Fri Sep 12 14:05:10 2008 
From: steve.freegard at fsl.com (Steve Freegard) Date: Fri Sep 12 14:05:22 2008 Subject: Whitelist our mobile phone users In-Reply-To: <573E790B644640178D281A2D0BE84301@SUPPORT01V> References: <3E606460613F4C3C82955AD8D0214CC6@SUPPORT01V> <8FEA8034-2F37-477F-994A-5AB80C11B774@technologytiger.net> <573E790B644640178D281A2D0BE84301@SUPPORT01V> Message-ID: <48CA6906.8020402@fsl.com> Nigel Kendrick wrote: >> We have a recurring problem (2-3 times a year) where UK Vodaphone >> domains >> get added to various RBLs and so our mobile users suddenly get their >> mail >> >> What rejects the mail, Postfix or MailScanner? >> >> Drew > > > It's MailScanner as the domain is found in 3+ RBLs > IMO - I would disable both 'Spam Domain Lists' and 'Spam Lists' in MailScanner.conf completely and let SpamAssassin score on these lists instead and move the 'trusted' RBLs into your MTA (e.g. zen.spamhaus.org) instead as this will significantly reduce the load on your MailScanner box. The 'Spam List' lookups are serialised in MailScanner whereas they are done in parallel and asynchronously in SpamAssassin and are therefore way faster. Cheers, Steve. From Denis.Beauchemin at USherbrooke.ca Fri Sep 12 14:26:57 2008 From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Fri Sep 12 14:27:20 2008 Subject: FW: PTR Record Mailscanner In-Reply-To: <002801c914ba$352e5030$9f8af090$@co.za> References: <001001c914b6$6fc8e510$4f5aaf30$@co.za> <48CA349E.6000206@gdcon.net> <002801c914ba$352e5030$9f8af090$@co.za> Message-ID: <48CA6E21.7040703@USherbrooke.ca> JC wrote: > I am using Rules Du Jour , cant find RDNS_NONE in spam.assassin.prefs.conf > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Andrew > MacLachlan > Sent: 12 September 2008 11:22 AM > To: MailScanner discussion > Subject: Re: FW: PTR Record Mailscanner > > JC wrote: > >> >> >> How can i change the score for the rule RDNS_NONE 0.2 is not working >> for me >> >> > add a score of your liking to /etc/MailScanner/spam.assassin.prefs.conf > then reload MailScanner > > -Andy > > > > > JC, Add the following to spam.assassin.prefs.conf (use the score you want): score RDNS_NONE 123.45 Then reload MS. Denis -- _ °v° Denis Beauchemin, analyste /(_)\ Université de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045 From andrew at gdcon.net Fri Sep 12 14:35:20 2008 From: andrew at gdcon.net (Andrew MacLachlan) Date: Fri Sep 12 14:35:21 2008 Subject: FW: PTR Record Mailscanner In-Reply-To: <002801c914ba$352e5030$9f8af090$@co.za> References: <001001c914b6$6fc8e510$4f5aaf30$@co.za> <48CA349E.6000206@gdcon.net> <002801c914ba$352e5030$9f8af090$@co.za> Message-ID: <48CA7018.5000202@gdcon.net> JC wrote: > I am using Rules Du Jour , cant find RDNS_NONE in spam.assassin.prefs.conf > > Makes no difference - just create the over-ride following the examples in there. -Andy From spamlists at coders.co.uk Fri Sep 12 14:38:21 2008 
From: spamlists at coders.co.uk (Matt) Date: Fri Sep 12 14:39:18 2008 Subject: Update bad phishing sites fails In-Reply-To: References: Message-ID: <48CA70CD.6070602@coders.co.uk> Martin.Hepworth wrote: > I wonder why it's putting it in the quarantine area and will we have to do this over the weekend.. > > It always puts it in the quarantine area - that is a guaranteed writeable area for MailScanner. The update fails safe - only if it successfully updates will it overwrite the file. Creating the blank file makes the updates work but you will no longer have the basefile for the day. The updates during the day are diffs against the basefile. You will currently have a very small file if you have created the base file manually. I believe it was caused by a network issue - the base file has been pushed out so this should restore the file for those of you who manually created the file and stop the errors for those of you who haven't. More error checking is needed which is being looked at as we speak. matt From andrew at gdcon.net Fri Sep 12 14:45:48 2008 From: andrew at gdcon.net (Andrew MacLachlan) Date: Fri Sep 12 14:45:51 2008 Subject: Update bad phishing sites fails In-Reply-To: <48CA70CD.6070602@coders.co.uk> References: <48CA70CD.6070602@coders.co.uk> Message-ID: <48CA728C.9010202@gdcon.net> Matt wrote: > > > > I believe it was caused by a network issue It's _always_ the network if you are a software engineer. Vice-versa for network / hardware engineers. :-) From uxbod at splatnix.net Fri Sep 12 15:22:59 2008 
From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Fri Sep 12 15:23:21 2008 Subject: Update bad phishing sites fails In-Reply-To: <48CA728C.9010202@gdcon.net> Message-ID: <3347952.1971221229379101.JavaMail.root@office.splatnix.net> lol :D Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- "Andrew MacLachlan" wrote: > It's _always_ the network if you are a software engineer. Vice-versa > for > > network / hardware engineers. > > > > :-) -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From jcputter at centreweb.co.za Fri Sep 12 15:35:45 2008 From: jcputter at centreweb.co.za (JC) Date: Fri Sep 12 15:36:59 2008 Subject: FW: PTR Record Mailscanner In-Reply-To: <48CA7018.5000202@gdcon.net> References: <001001c914b6$6fc8e510$4f5aaf30$@co.za> <48CA349E.6000206@gdcon.net> <002801c914ba$352e5030$9f8af090$@co.za> <48CA7018.5000202@gdcon.net> Message-ID: <000001c914e4$d76d3fd0$8647bf70$@co.za> Andy If i view spam.assassin.prefs.conf Must i add the entry or add it some how? -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Andrew MacLachlan Sent: 12 September 2008 03:35 PM To: MailScanner discussion Subject: Re: FW: PTR Record Mailscanner JC wrote: > I am using Rules Du Jour , cant find RDNS_NONE in spam.assassin.prefs.conf > > Makes no difference - just create the over-ride following the examples in there. -Andy This message has been scanned for viruses and dangerous content by Centerweb, and is believed to be clean. From Denis.Beauchemin at USherbrooke.ca Fri Sep 12 16:05:00 2008 
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Fri Sep 12 16:05:15 2008 Subject: FW: PTR Record Mailscanner In-Reply-To: <000001c914e4$d76d3fd0$8647bf70$@co.za> References: <001001c914b6$6fc8e510$4f5aaf30$@co.za> <48CA349E.6000206@gdcon.net> <002801c914ba$352e5030$9f8af090$@co.za> <48CA7018.5000202@gdcon.net> <000001c914e4$d76d3fd0$8647bf70$@co.za> Message-ID: <48CA851C.1060406@USherbrooke.ca> JC wrote: > Andy > > If i view spam.assassin.prefs.conf > > Must i add the entry or add it some how? > JC, view is vi in read only. Use "vi spam.assassin.prefs.conf" (or any other text editor) to add the "score" line anywhere you want (bottom is a good place). Denis -- _ °v° Denis Beauchemin, analyste /(_)\ Université de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045 -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3306 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080912/8f07b6f1/smime.bin From ben.tisdall at photobox.com Fri Sep 12 17:52:49 2008 
From: ben.tisdall at photobox.com (Ben Tisdall) Date: Fri Sep 12 17:53:27 2008 Subject: Desperately trying to debug poor spam scanning performance Message-ID: <48CA9E61.7080506@photobox.com> Hello all. I am edging slowly towards the tearing my hair out phase... I cannot seem to diagnose why an MS box due for installation soon is performing much more poorly than its soon to be predecessor & indeed my personal MS box running on desktop hardware. I'll use my personal box (let's call it desky) for comparison purposes here: BigOne ====== 2 x Xeon dual core 3GHz 2G RAM 2 x 15K SCSI Hardware RAID 1 (Smart Array 5i) Exim Caching dns Linux newacorn 2.6.18-92.1.10.el5 #1 SMP Tue Aug 5 07:41:53 EDT 2008 i686 i686 i386 GNU/Linux This is CentOS release 5.2 (Final) This is Perl version 5.008008 (5.8.8) This is MailScanner version 4.71.10 Desky ===== Athlon 64 3200 500MB RAM 7.2K SATA HD Software RAID 1 Exim Caching dns Linux jitter 2.6.18-92.1.6.el5 #1 SMP Wed Jun 25 13:49:24 EDT 2008 i686 athlon i386 GNU/Linux This is CentOS release 5.2 (Final) This is Perl version 5.008008 (5.8.8) This is MailScanner version 4.67.6 AND just to add insult to injury for my capabilities as sysadmin, BigOne is sitting in a dc with good connectivity & Desky is sitting on the end of an adsl line! For testing puposes I have BigOne acting as the primary MX for my personal mail domain & forwarding on to Desky. I can mail myself & tail the various logs (speed logging enabled of course) to get a feel for how quickly individual messages are processed. Both boxes are running dcc, pyzor & razor2, the fw allows established connections back in, no timeouts. But in any case even with these disabled the difference remains. These are some fairly typical (processed) lines of output from the two boxes (message sent from gmail). BigOne: 17:42:09 Spam Checks completed at 2523 bytes per second Desky: 17:42:17 Spam Checks completed at 5672 bytes per second Often the difference is much greater in Desky's favour. 
BigOne is supposed to go into production next week processing 20k per day, as things stand I'm not sure it'll hold up. Any pointers very gratefully received! Best regards, Ben. -- Ben Tisdall Linux Systems Administrator | www.photobox.com From alex at rtpty.com Fri Sep 12 18:02:58 2008 
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Fri Sep 12 18:03:23 2008 Subject: Desperately trying to debug poor spam scanning performance In-Reply-To: <48CA9E61.7080506@photobox.com> References: <48CA9E61.7080506@photobox.com> Message-ID: <5A881BE9-B6B4-463D-BFE0-0D7FFF8C80F3@rtpty.com> Have you tried disabling the various bits and pieces that make up spamassassin? --- Alex Neuman Reliant Technologies +507 6781-9505 Skype: alexneuman On Sep 12, 2008, at 11:52 AM, Ben Tisdall wrote: > Hello all. > > I am edging slowly towards the tearing my hair out phase... > > I cannot seem to diagnose why an MS box due for installation soon is > performing much more poorly than its soon to be predecessor & indeed > my > personal MS box running on desktop hardware. > > I'll use my personal box (let's call it desky) for comparison > purposes here: > > BigOne > ====== > > 2 x Xeon dual core 3GHz > 2G RAM > 2 x 15K SCSI > Hardware RAID 1 (Smart Array 5i) > Exim > Caching dns > > Linux newacorn 2.6.18-92.1.10.el5 #1 SMP Tue Aug 5 07:41:53 EDT 2008 > i686 i686 i386 GNU/Linux > This is CentOS release 5.2 (Final) > This is Perl version 5.008008 (5.8.8) > This is MailScanner version 4.71.10 > > Desky > ===== > > Athlon 64 3200 > 500MB RAM > 7.2K SATA HD > Software RAID 1 > Exim > Caching dns > > Linux jitter 2.6.18-92.1.6.el5 #1 SMP Wed Jun 25 13:49:24 EDT 2008 > i686 > athlon i386 GNU/Linux > This is CentOS release 5.2 (Final) > This is Perl version 5.008008 (5.8.8) > This is MailScanner version 4.67.6 > > AND just to add insult to injury for my capabilities as sysadmin, > BigOne > is sitting in a dc with good connectivity & Desky is sitting on the > end > of an adsl line! > > For testing puposes I have BigOne acting as the primary MX for my > personal mail domain & forwarding on to Desky. I can mail myself & > tail > the various logs (speed logging enabled of course) to get a feel for > how > quickly individual messages are processed. 
> > Both boxes are running dcc, pyzor & razor2, the fw allows established > connections back in, no timeouts. But in any case even with these > disabled the difference remains. > > These are some fairly typical (processed) lines of output from the two > boxes (message sent from gmail). > > BigOne: > > 17:42:09 Spam Checks completed at 2523 bytes per second > > Desky: > > 17:42:17 Spam Checks completed at 5672 bytes per second > > Often the difference is much greater in Desky's favour. > > BigOne is supposed to go into production next week processing 20k per > day, as things stand I'm not sure it'll hold up. > > Any pointers very gratefully received! > > Best regards, > > Ben. > > -- > Ben Tisdall > Linux Systems Administrator | www.photobox.com > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From dnsadmin at 1bigthink.com Fri Sep 12 18:34:38 2008 
From: dnsadmin at 1bigthink.com (dnsadmin 1bigthink.com) Date: Fri Sep 12 18:34:55 2008 Subject: Desperately trying to debug poor spam scanning performance In-Reply-To: <48CA9E61.7080506@photobox.com> References: <48CA9E61.7080506@photobox.com> Message-ID: <200809121734.m8CHYl15006344@mxt.1bigthink.com> At 12:52 PM 9/12/2008, you wrote: >Hello all. > >I am edging slowly towards the tearing my hair out phase... > >I cannot seem to diagnose why an MS box due for installation soon is >performing much more poorly than its soon to be predecessor & indeed my >personal MS box running on desktop hardware. > >I'll use my personal box (let's call it desky) for comparison purposes here: > >BigOne >====== > >2 x Xeon dual core 3GHz >2G RAM >2 x 15K SCSI >Hardware RAID 1 (Smart Array 5i) >Exim >Caching dns > >Linux newacorn 2.6.18-92.1.10.el5 #1 SMP Tue Aug 5 07:41:53 EDT 2008 >i686 i686 i386 GNU/Linux >This is CentOS release 5.2 (Final) >This is Perl version 5.008008 (5.8.8) >This is MailScanner version 4.71.10 > >Desky >===== > >Athlon 64 3200 >500MB RAM >7.2K SATA HD >Software RAID 1 >Exim >Caching dns > >Linux jitter 2.6.18-92.1.6.el5 #1 SMP Wed Jun 25 13:49:24 EDT 2008 i686 >athlon i386 GNU/Linux >This is CentOS release 5.2 (Final) >This is Perl version 5.008008 (5.8.8) >This is MailScanner version 4.67.6 > >AND just to add insult to injury for my capabilities as sysadmin, BigOne >is sitting in a dc with good connectivity & Desky is sitting on the end >of an adsl line! > >For testing puposes I have BigOne acting as the primary MX for my >personal mail domain & forwarding on to Desky. I can mail myself & tail >the various logs (speed logging enabled of course) to get a feel for how >quickly individual messages are processed. > >Both boxes are running dcc, pyzor & razor2, the fw allows established >connections back in, no timeouts. But in any case even with these >disabled the difference remains. 
> >These are some fairly typical (processed) lines of output from the two >boxes (message sent from gmail). > >BigOne: > >17:42:09 Spam Checks completed at 2523 bytes per second > >Desky: > >17:42:17 Spam Checks completed at 5672 bytes per second > >Often the difference is much greater in Desky's favour. > >BigOne is supposed to go into production next week processing 20k per >day, as things stand I'm not sure it'll hold up. > >Any pointers very gratefully received! > >Best regards, > >Ben. Hello Ben, You didn't mention any particulars about OS or virus scanner engines.. We could probably help steer you just with that info. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ben.tisdall at photobox.com Fri Sep 12 19:57:14 2008 From: ben.tisdall at photobox.com (Ben Tisdall) Date: Fri Sep 12 19:57:36 2008 Subject: Desperately trying to debug poor spam scanning performance In-Reply-To: <200809121734.m8CHYl15006344@mxt.1bigthink.com> References: <48CA9E61.7080506@photobox.com> <200809121734.m8CHYl15006344@mxt.1bigthink.com> Message-ID: <48CABB8A.8040405@photobox.com> > > Hello Ben, > > You didn't mention any particulars about OS or virus scanner engines.. > > We could probably help steer you just with that info. > > What kind of OS particulars did you have in mind beyond CentOS 5.2 i386? It's running clamd 0.94 (installed from source), virus scanning performance is fine. Best regards, Ben. -- Ben Tisdall Linux Systems Administrator | www.photobox.com From ben.tisdall at photobox.com Fri Sep 12 20:00:43 2008 
From: ben.tisdall at photobox.com (Ben Tisdall) Date: Fri Sep 12 20:00:52 2008 Subject: Desperately trying to debug poor spam scanning performance In-Reply-To: <5A881BE9-B6B4-463D-BFE0-0D7FFF8C80F3@rtpty.com> References: <48CA9E61.7080506@photobox.com> <5A881BE9-B6B4-463D-BFE0-0D7FFF8C80F3@rtpty.com> Message-ID: <48CABC5B.2010603@photobox.com> Alex Neuman van der Hans wrote: > Have you tried disabling the various bits and pieces that make up > spamassassin? > Thanks, I'll do that. In fact before I left the office I realised that the home box was missing: Mail::SPF Mail::SPF::Query So presumably SA is skipping SPF checks there. I'll diff out the output from MailScanner -V on the two boxes as soon as I can. Best regards, Ben. -- Ben Tisdall Linux Systems Administrator | www.photobox.com Google Talk: ben.tisdall@gmail.com | skype: btisdall +44 (0)20 8453 6161 From mark at msapiro.net Sat Sep 13 01:30:56 2008 From: mark at msapiro.net (Mark Sapiro) Date: Sat Sep 13 01:31:07 2008 Subject: Help with rule In-Reply-To: <24e3d2e40809111140m4b6d8f2dr1a9763fb0db62657@mail.gmail.com> References: <48C95E70.1020400@amti.com.br> <22705875.581221157694921.JavaMail.SYSTEM@kc5goi-1> <24e3d2e40809111140m4b6d8f2dr1a9763fb0db62657@mail.gmail.com> Message-ID: <20080913003056.GA2200@msapiro> On Thu, Sep 11, 2008 at 01:40:15PM -0500, Alex Neuman wrote: > > Then at /etc/MailScanner/rules, create a file called a-quem-eu-bloco.rules > that says: > > FromOrTo: default no > From:alicia@dominio.com.br and To: > roberto@dominio.com.br yes Shouldn't those two lines be in the other order - i.e. the 'default' last? -- Mark Sapiro mark at msapiro net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From alex at rtpty.com Sat Sep 13 01:44:06 2008 
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Sat Sep 13 01:44:19 2008 Subject: Help with rule In-Reply-To: <20080913003056.GA2200@msapiro> References: <48C95E70.1020400@amti.com.br> <22705875.581221157694921.JavaMail.SYSTEM@kc5goi-1> <24e3d2e40809111140m4b6d8f2dr1a9763fb0db62657@mail.gmail.com> <20080913003056.GA2200@msapiro> Message-ID: <140835AC-C50A-4939-8185-D5E5F4907C81@rtpty.com> I believe Jules has already mentioned that the default line can be anywhere, but the point you make is valid from a logical point of view. --- Alex Neuman Reliant Technologies +507 6781-9505 Skype: alexneuman On Sep 12, 2008, at 7:30 PM, Mark Sapiro wrote: > On Thu, Sep 11, 2008 at 01:40:15PM -0500, Alex Neuman wrote: >> >> Then at /etc/MailScanner/rules, create a file called a-quem-eu- >> bloco.rules >> that says: >> >> FromOrTo: default no >> From:alicia@dominio.com.br and To: >> roberto@dominio.com.br yes > > > Shouldn't those two lines be in the other order - i.e. the 'default' > last? > > -- > Mark Sapiro mark at msapiro net The highway is for gamblers, > San Francisco Bay Area, California better use your sense - B. Dylan > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From sandip.sinha at in.dclgroup.com Sat Sep 13 07:59:21 2008 
From: sandip.sinha at in.dclgroup.com (sandip.sinha@in.dclgroup.com) Date: Sat Sep 13 07:59:35 2008 Subject: Message contained archive nested too deeply In-Reply-To: <6832C96C-54D7-40F1-80D4-9C11E7BC09AC@rtpty.com> References: <6832C96C-54D7-40F1-80D4-9C11E7BC09AC@rtpty.com> Message-ID: <44edf69fea4900789adfec373bae178b.squirrel@10.20.1.5> It is with Office 2003 or Office 2007 files. Thanks, Sandip Calcutta, India. > Is it an office 2007 file? > > --- > > Alex Neuman > Reliant Technologies > +507 6781-9505 > Skype: alexneuman > > On Sep 12, 2008, at 5:12 AM, sandip.sinha@in.dclgroup.com wrote: > >> I have installed MailScanner in FC7 into our sendmail server. This >> works >> fine. However I am facing one problem which I couldn't able to >> figure out. >> For some attachments it gives the following error. The attachment >> does not >> have any virus, does not have zip with zip. Still it gives the >> folowing >> error. >> >> I want to know how to disable "Other Bad Content " scanning . >> >> ---------------------------------------------------------------------- >> The following e-mails were found to have: Other Bad Content Detected >> >> Sender: ss1@xxx.com >> IP Address: 10.20.10.1 >> Recipient: ss2@xxx.com >> Subject: >> MessageID: m8CA6SYX000360 >> Quarantine: /var/spool/MailScanner/quarantine/20080912/m8CA6SYX000360 >> Report: MailScanner: Message contained archive nested too deeply >> ---------------------------------------------------------------------- >> >> Sandip >> Calcutta, India. >> >> >> >> >> >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! 

From hvdkooij at vanderkooij.org Sat Sep 13 08:12:29 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sat Sep 13 08:12:43 2008
Subject: Message contained archive nested too deeply
In-Reply-To:
References:
Message-ID: <48CB67DD.8090404@vanderkooij.org>

sandip.sinha@in.dclgroup.com wrote:
> I have installed MailScanner in FC7 into our sendmail server. This works
> fine. However I am facing one problem which I wasn't able to figure out.
> For some attachments it gives the following error. The attachment does not
> have any virus, does not have zip with zip. Still it gives the following
> error.
>
> I want to know how to disable "Other Bad Content" scanning.
>
> ----------------------------------------------------------------------
> The following e-mails were found to have: Other Bad Content Detected
>
> Sender: ss1@xxx.com
> IP Address: 10.20.10.1
> Recipient: ss2@xxx.com
> Subject:
> MessageID: m8CA6SYX000360
> Quarantine: /var/spool/MailScanner/quarantine/20080912/m8CA6SYX000360
> Report: MailScanner: Message contained archive nested too deeply
> ----------------------------------------------------------------------

The obvious thing to do now is to investigate WHY it is nested too deeply.

What is your MailScanner setting? And what structure can you derive from
the message?

With that information you should also have knowledge about how to make
changes in a sane way.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

From hvdkooij at vanderkooij.org Sat Sep 13 09:04:56 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sat Sep 13 09:05:04 2008
Subject: Error with EMTPY_MESSAGE
Message-ID: <48CB7428.1030501@vanderkooij.org>

Hi,

It seems to me that SA is flagging just about any message as EMPTY_MESSAGE.

Is anyone else seeing this too?

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

From hvdkooij at vanderkooij.org Sat Sep 13 09:22:25 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sat Sep 13 09:22:35 2008
Subject: Error with EMTPY_MESSAGE
In-Reply-To: <48CB7428.1030501@vanderkooij.org>
References: <48CB7428.1030501@vanderkooij.org>
Message-ID: <48CB7841.1070905@vanderkooij.org>

Hugo van der Kooij wrote:
> Hi,
>
> It seems to me that SA is flagging just about any message as EMPTY_MESSAGE.

Let's look at the lines:

# __MIME_ATTACHMENT also used in 20_meta_tests.cf
body __MIME_ATTACHMENT eval:check_for_mime('mime_attachment')
# __MIME_ATTACHMENT defined in 20_html_tests.cf
body __NONEMPTY_BODY /\S/
meta EMPTY_MESSAGE !__MIME_ATTACHMENT && !__NONEMPTY_BODY
describe EMPTY_MESSAGE Message appears to have no textual parts and no Subject: text

The description is incorrect in my view. The subject is not even tested.
I can not see that much else wrong. But it seems SA is still raising the flag.

A sample message taken from quarantine that is marked as EMPTY_MESSAGE:

Received: from linuxbox.org (linuxbox.org [24.155.83.21])
 by balin.waakhond.net (Postfix) with ESMTP id B5FE217E9086
 for ; Sat, 13 Sep 2008 09:34:45 +0200 (CEST)
Received: from linuxbox.org (ge@localhost.localdomain [127.0.0.1])
 by linuxbox.org (8.13.8/8.13.8/Debian-3) with ESMTP id m8D7Ye6a020101
 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)
 for ; Sat, 13 Sep 2008 02:34:41 -0500
Received: from localhost (ge@localhost)
 by linuxbox.org (8.13.8/8.13.8/Submit) with ESMTP id m8D7YeFc020098
 for ; Sat, 13 Sep 2008 02:34:40 -0500
Date: Sat, 13 Sep 2008 02:34:40 -0500 (CDT)
From: Gadi Evron
To: Hugo van der Kooij
Subject: Re: community real-time BGP hijack notification service
In-Reply-To: <48CB64A5.3030109@vanderkooij.org>
Message-ID:
References: <48CB64A5.3030109@vanderkooij.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-1.7.5
 (linuxbox.org [127.0.0.1]); Sat, 13 Sep 2008 02:34:41 -0500 (CDT)

Thanks for the note! Will be fixed shortly.

On Sat, 13 Sep 2008, Hugo van der Kooij wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
....

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

From hvdkooij at vanderkooij.org Sat Sep 13 14:56:35 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sat Sep 13 14:56:44 2008
Subject: Error with EMTPY_MESSAGE
In-Reply-To: <48CB7428.1030501@vanderkooij.org>
References: <48CB7428.1030501@vanderkooij.org>
Message-ID: <48CBC693.6060806@vanderkooij.org>

Hugo van der Kooij wrote:
> Hi,
>
> It seems to me that SA is flagging just about any message as EMPTY_MESSAGE.
>
> Is anyone else seeing this too?

I just had quite a bit of a discussion about malware that just walks
past MailScanner with multiple AV scanners active.

It seems that it might be related to postfix. Where MailScanner is
trying to decode postfix queue files but not doing the right thing.

My result on 3 sample queue files was 0% through MailScanner. But
decoding them with postcat allowed me to hit 100% of the files.

So the issue may require all postfix users to look very carefully into
their messages and the ability to scan them properly.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

From glenn.steen at gmail.com Sat Sep 13 15:42:23 2008
From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Sep 13 15:42:33 2008 Subject: Error with EMTPY_MESSAGE In-Reply-To: <48CBC693.6060806@vanderkooij.org> References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> Message-ID: <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> 2008/9/13 Hugo van der Kooij : > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hugo van der Kooij wrote: >> Hi, >> >> It seems to me that SA is flagging just about any message as EMPTY_MESSAGE. >> >> Is anyone else seeing this too? > > I just had quite a bit of a discussion about malware that just walks > past MailScanner with multiple AV scanners active. > > It seems that it might be related to postfix. Where MailScanner is > trying to decode postfix queue files but not doing the right thing. > > My result on 3 sample queue files was 0% through MailScanner. But > decoding them with postcat allowed me to hit 100% of the files. > > So the issue may require all postfix users to look very carefully into > their messages and the ability to scan them properly. > > Hugo. > Can I get a sample, please? Send it off-list. Do you do milters? Which milters? Version of postfix? Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ms-list at alexb.ch Sat Sep 13 15:52:16 2008 
From: ms-list at alexb.ch (Alex Broens) Date: Sat Sep 13 15:52:32 2008 Subject: Error with EMTPY_MESSAGE In-Reply-To: <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> Message-ID: <48CBD3A0.1060908@alexb.ch> On 9/13/2008 4:42 PM, Glenn Steen wrote: > 2008/9/13 Hugo van der Kooij : >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Hugo van der Kooij wrote: >>> Hi, >>> >>> It seems to me that SA is flagging just about any message as EMPTY_MESSAGE. >>> >>> Is anyone else seeing this too? >> I just had quite a bit of a discussion about malware that just walks >> past MailScanner with multiple AV scanners active. >> >> It seems that it might be related to postfix. Where MailScanner is >> trying to decode postfix queue files but not doing the right thing. >> >> My result on 3 sample queue files was 0% through MailScanner. But >> decoding them with postcat allowed me to hit 100% of the files. >> >> So the issue may require all postfix users to look very carefully into >> their messages and the ability to scan them properly. >> >> Hugo. >> > Can I get a sample, please? Send it off-list. > Do you do milters? Which milters? Version of postfix? Glenn, I see this on Postfix 2.5.2 Snertsoft milter-link rejecting, no tagging, etc, so no modifying of the msg. If Hugo hasn't sent the samples, let me know. Alex From glenn.steen at gmail.com Sat Sep 13 16:47:20 2008 
From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Sep 13 16:47:30 2008 Subject: Error with EMTPY_MESSAGE In-Reply-To: <48CBD3A0.1060908@alexb.ch> References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBD3A0.1060908@alexb.ch> Message-ID: <223f97700809130847p9f2dc2em9a65b6a6490f186f@mail.gmail.com> 2008/9/13 Alex Broens : > On 9/13/2008 4:42 PM, Glenn Steen wrote: >> >> 2008/9/13 Hugo van der Kooij : >>> >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> Hugo van der Kooij wrote: >>>> >>>> Hi, >>>> >>>> It seems to me that SA is flagging just about any message as >>>> EMPTY_MESSAGE. >>>> >>>> Is anyone else seeing this too? >>> >>> I just had quite a bit of a discussion about malware that just walks >>> past MailScanner with multiple AV scanners active. >>> >>> It seems that it might be related to postfix. Where MailScanner is >>> trying to decode postfix queue files but not doing the right thing. >>> >>> My result on 3 sample queue files was 0% through MailScanner. But >>> decoding them with postcat allowed me to hit 100% of the files. >>> >>> So the issue may require all postfix users to look very carefully into >>> their messages and the ability to scan them properly. >>> >>> Hugo. >>> >> Can I get a sample, please? Send it off-list. >> Do you do milters? Which milters? Version of postfix? > > Glenn, I see this on Postfix 2.5.2 > Snertsoft milter-link rejecting, no tagging, etc, so no modifying of the > msg. > > If Hugo hasn't sent the samples, let me know. > > Alex > Thanks Alex (and Jules), I'll have a look ASAP! Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From Stefan.Fournier at gmx.de Sat Sep 13 16:56:14 2008 
From: Stefan.Fournier at gmx.de (Stefan Fournier) Date: Sat Sep 13 16:56:28 2008 Subject: New McAfee engine available In-Reply-To: <223f97700808270747x737d1e4fs3447df176d54fe7b@mail.gmail.com> References: <48B3182A.9080007@USherbrooke.ca> <223f97700808270747x737d1e4fs3447df176d54fe7b@mail.gmail.com> Message-ID: <48CBE29E.4090800@gmx.de> >> Denis >> > Since we're coming up to the "official release" now, this is timely:-). > Changes... "Leaner, faster, better ..." .... Normal seel-speak:-):-). > Seems to have a smaller memory footprint though. And is supposed to > handle docx and more archive formats (or was that selfextracting > formats...?). All in all a real easy upgrade. It's an easy upgrade and it's worth to do it. We see a significant lower load on our systems (decreased from around 6 to below 5). Cheers, Stefan -- Stefan.Fournier@gmx.de From hvdkooij at vanderkooij.org Sat Sep 13 18:46:18 2008 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Sat Sep 13 18:46:28 2008 Subject: Error with EMTPY_MESSAGE In-Reply-To: <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> Message-ID: <48CBFC6A.6050300@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Glenn Steen wrote: > 2008/9/13 Hugo van der Kooij : >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Hugo van der Kooij wrote: >>> Hi, >>> >>> It seems to me that SA is flagging just about any message as EMPTY_MESSAGE. >>> >>> Is anyone else seeing this too? >> I just had quite a bit of a discussion about malware that just walks >> past MailScanner with multiple AV scanners active. >> >> It seems that it might be related to postfix. Where MailScanner is >> trying to decode postfix queue files but not doing the right thing. >> >> My result on 3 sample queue files was 0% through MailScanner. But >> decoding them with postcat allowed me to hit 100% of the files. >> >> So the issue may require all postfix users to look very carefully into >> their messages and the ability to scan them properly. >> >> Hugo. >> > Can I get a sample, please? Send it off-list. > Do you do milters? Which milters? Version of postfix? I use postfix 2.3.2 as it is the normal shipped package for Centos 5. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFIy/w4BvzDRVjxmYERAn5YAJ9AdNuMzmtRng6ApE7jQ8gIrVd35QCgueXG vG5NfmOYhiRdb4QCgAGswBQ= =2b04 -----END PGP SIGNATURE----- From glenn.steen at gmail.com Sat Sep 13 19:12:10 2008 
From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Sep 13 19:12:21 2008 Subject: Error with EMTPY_MESSAGE In-Reply-To: <48CBFC6A.6050300@vanderkooij.org> References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> Message-ID: <223f97700809131112sc6d34basd6ba785f42114dcd@mail.gmail.com> 2008/9/13 Hugo van der Kooij : > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Glenn Steen wrote: >> 2008/9/13 Hugo van der Kooij : >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> Hugo van der Kooij wrote: >>>> Hi, >>>> >>>> It seems to me that SA is flagging just about any message as EMPTY_MESSAGE. >>>> >>>> Is anyone else seeing this too? >>> I just had quite a bit of a discussion about malware that just walks >>> past MailScanner with multiple AV scanners active. >>> >>> It seems that it might be related to postfix. Where MailScanner is >>> trying to decode postfix queue files but not doing the right thing. >>> >>> My result on 3 sample queue files was 0% through MailScanner. But >>> decoding them with postcat allowed me to hit 100% of the files. >>> >>> So the issue may require all postfix users to look very carefully into >>> their messages and the ability to scan them properly. >>> >>> Hugo. >>> >> Can I get a sample, please? Send it off-list. >> Do you do milters? Which milters? Version of postfix? > > I use postfix 2.3.2 as it is the normal shipped package for Centos 5. > > Hugo. > Just to give a little update: I've received queue files from Jules and Alex B. I've fed these through both a testbed and our current production .... And they simply worked as expected(!)... The zip-file they included got unpacked nicely, the filename _and_ filetype got it into the quarantine, as well as all my AVs firing like mad:-). This was on a Mandriva 2008.1 running perl 5.10.0 with MailScanner 4.71.10 ... 
latest stable and beta are essentially the same, so ... I'm leaning toward this being related to CentOS 5.2, possibly the relevant perl modules. Further than that is pretty hard for me to check, since I cannot reproduce the problem. I might get onto Alexs' testbed, to do some further debuging... But I do suggest that you who have a CentOS 5.2 box and are affected by the "non-unpacking" (should be easily determined... look for "Your internet access is going to get suspended" subjects that are either improperly unpacked (in the quarantine) or that slip by entirely... grab one and start feeding it through your system, varying your perl modules (mainly MIME-Tools related stuff, I'd guess). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Sat Sep 13 19:16:38 2008 
From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Sep 13 19:16:48 2008 Subject: Error with EMTPY_MESSAGE In-Reply-To: <223f97700809131112sc6d34basd6ba785f42114dcd@mail.gmail.com> References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <223f97700809131112sc6d34basd6ba785f42114dcd@mail.gmail.com> Message-ID: <223f97700809131116v56a9946dkaa3d569a827ca2ec@mail.gmail.com> 2008/9/13 Glenn Steen : > 2008/9/13 Hugo van der Kooij : >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Glenn Steen wrote: >>> 2008/9/13 Hugo van der Kooij : >>>> -----BEGIN PGP SIGNED MESSAGE----- >>>> Hash: SHA1 >>>> >>>> Hugo van der Kooij wrote: >>>>> Hi, >>>>> >>>>> It seems to me that SA is flagging just about any message as EMPTY_MESSAGE. >>>>> >>>>> Is anyone else seeing this too? >>>> I just had quite a bit of a discussion about malware that just walks >>>> past MailScanner with multiple AV scanners active. >>>> >>>> It seems that it might be related to postfix. Where MailScanner is >>>> trying to decode postfix queue files but not doing the right thing. >>>> >>>> My result on 3 sample queue files was 0% through MailScanner. But >>>> decoding them with postcat allowed me to hit 100% of the files. >>>> >>>> So the issue may require all postfix users to look very carefully into >>>> their messages and the ability to scan them properly. >>>> >>>> Hugo. >>>> >>> Can I get a sample, please? Send it off-list. >>> Do you do milters? Which milters? Version of postfix? >> >> I use postfix 2.3.2 as it is the normal shipped package for Centos 5. >> >> Hugo. >> > Just to give a little update: > > I've received queue files from Jules and Alex B. I've fed these > through both a testbed and our current production .... And they simply > worked as expected(!)... 
The zip-file they included got unpacked > nicely, the filename _and_ filetype got it into the quarantine, as > well as all my AVs firing like mad:-). > This was on a Mandriva 2008.1 running perl 5.10.0 with MailScanner > 4.71.10 ... latest stable and beta are essentially the same, so ... > > I'm leaning toward this being related to CentOS 5.2, possibly the > relevant perl modules. > Further than that is pretty hard for me to check, since I cannot > reproduce the problem. > I might get onto Alexs' testbed, to do some further debuging... But I > do suggest that you who have a CentOS 5.2 box and are affected by the > "non-unpacking" (should be easily determined... look for "Your > internet access is going to get suspended" subjects that are either > improperly unpacked (in the quarantine) or that slip by entirely... > grab one and start feeding it through your system, varying your perl > modules (mainly MIME-Tools related stuff, I'd guess). > BTW... I've not seen the EMPTY_MESSAGE rule firing at all... Other than a few truly empty messages... Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Sat Sep 13 19:56:37 2008 
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Sep 13 19:56:48 2008
Subject: Error with EMTPY_MESSAGE
In-Reply-To: <223f97700809131116v56a9946dkaa3d569a827ca2ec@mail.gmail.com>
References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <223f97700809131112sc6d34basd6ba785f42114dcd@mail.gmail.com> <223f97700809131116v56a9946dkaa3d569a827ca2ec@mail.gmail.com>
Message-ID: <223f97700809131156s3f7abd4cq9366ec7365fb0506@mail.gmail.com>

2008/9/13 Glenn Steen :
(snip)

In case you who are affected need something to compare to that works,
this is my MailScanner -V ....

# MailScanner -V
Running on Linux apmx07.ap1.se 2.6.24.5-server-1mnb #1 SMP Tue May 27 13:02:55 EDT 2008 i686 Intel(R) Xeon(R) CPU 5110 @ 1.60GHz GNU/Linux
This is Mandriva Linux release 2008.1 (Official) for i586
This is Perl version 5.010000 (5.10.0)

This is MailScanner version 4.71.10
Module versions are:
1.00      AnyDBM_File
1.23      Archive::Zip
0.22      bignum
1.08      Carp
2.008     Compress::Zlib
1.119     Convert::BinHex
0.17      Convert::TNEF
2.121_14  Data::Dumper
2.27      Date::Parse
1.01      DirHandle
1.06      Fcntl
2.76      File::Basename
2.11      File::Copy
2.01      FileHandle
2.04      File::Path
0.18      File::Temp
0.90      Filesys::Df
1.35      HTML::Entities
3.56      HTML::Parser
2.37      HTML::TokeParser
1.23_01   IO
1.14      IO::File
1.13      IO::Pipe
2.02      Mail::Header
1.88      Math::BigInt
0.21      Math::BigRat
3.07_01   MIME::Base64
5.425     MIME::Decoder
5.425     MIME::Decoder::UU
5.425     MIME::Head
5.425     MIME::Parser
3.07      MIME::QuotedPrint
5.425     MIME::Tools
0.11      Net::CIDR
1.25      Net::IP
0.16      OLE::Storage_Lite
1.04      Pod::Escapes
3.05      Pod::Simple
1.13      POSIX
1.19      Scalar::Util
1.80      Socket
2.18      Storable
1.4       Sys::Hostname::Long
0.22      Sys::Syslog
1.26      Test::Pod
0.72      Test::Simple
1.9711    Time::HiRes
1.02      Time::localtime

Optional module versions are:
1.38      Archive::Tar
0.22      bignum
1.82      Business::ISBN
1.10      Business::ISBN::Data
1.08      Data::Dump
1.816     DB_File
1.14      DBD::SQLite
1.602     DBI
1.15      Digest
1.01      Digest::HMAC
2.36_01   Digest::MD5
2.11      Digest::SHA1
1.00      Encode::Detect
0.17012   Error
0.22      ExtUtils::CBuilder
2.19      ExtUtils::ParseXS
2.37      Getopt::Long
0.44      Inline
1.08      IO::String
1.07      IO::Zlib
2.23      IP::Country
0.22      Mail::ClamAV
3.002005  Mail::SpamAssassin
v2.005    Mail::SPF
1.999001  Mail::SPF::Query
0.2808    Module::Build
0.20      Net::CIDR::Lite
0.63      Net::DNS
0.002.2   Net::DNS::Resolver::Programmable
0.37      Net::LDAP
4.007     NetAddr::IP
1.94      Parse::RecDescent
missing   SAVI
2.64      Test::Harness
0.95      Test::Manifest
2.0.0     Text::Balanced
1.35      URI
0.74      version
0.62      YAML

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From hvdkooij at vanderkooij.org Sat Sep 13 21:48:26 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sat Sep 13 21:48:38 2008
Subject: Error with EMTPY_MESSAGE
In-Reply-To: <223f97700809131156s3f7abd4cq9366ec7365fb0506@mail.gmail.com>
References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <223f97700809131112sc6d34basd6ba785f42114dcd@mail.gmail.com> <223f97700809131116v56a9946dkaa3d569a827ca2ec@mail.gmail.com> <223f97700809131156s3f7abd4cq9366ec7365fb0506@mail.gmail.com>
Message-ID: <48CC271A.7060402@vanderkooij.org>

Running on Linux balin.waakhond.net 2.6.18-92.1.10.el5PAE #1 SMP Tue Aug 5 08:14:05 EDT 2008 i686 i686 i386 GNU/Linux
This is CentOS release 5.2 (Final)
This is Perl version 5.008008 (5.8.8)

This is MailScanner version 4.71.10
Module versions are:
1.00      AnyDBM_File
1.23      Archive::Zip
0.17      bignum
1.04      Carp
2.011     Compress::Zlib
1.119     Convert::BinHex
0.17      Convert::TNEF
2.121_08  Data::Dumper
2.27      Date::Parse
1.00      DirHandle
1.05      Fcntl
2.74      File::Basename
2.09      File::Copy
2.01      FileHandle
1.08      File::Path
0.16      File::Temp
0.92      Filesys::Df
1.35      HTML::Entities
3.56      HTML::Parser
2.37      HTML::TokeParser
1.23      IO
1.14      IO::File
1.13      IO::Pipe
2.03      Mail::Header
1.77      Math::BigInt
0.15      Math::BigRat
3.07      MIME::Base64
5.424     MIME::Decoder
5.424     MIME::Decoder::UU
5.424     MIME::Head
5.424     MIME::Parser
3.07      MIME::QuotedPrint
5.424     MIME::Tools
0.11      Net::CIDR
1.25      Net::IP
0.16      OLE::Storage_Lite
missing   Pod::Escapes
missing   Pod::Simple
1.09      POSIX
1.18      Scalar::Util
1.78      Socket
2.15      Storable
1.4       Sys::Hostname::Long
0.13      Sys::Syslog
missing   Test::Pod
0.62      Test::Simple
1.86      Time::HiRes
1.02      Time::localtime

Optional module versions are:
1.38      Archive::Tar
0.17      bignum
missing   Business::ISBN
missing   Business::ISBN::Data
missing   Data::Dump
1.814     DB_File
1.14      DBD::SQLite
1.605     DBI
1.14      Digest
1.01      Digest::HMAC
2.36      Digest::MD5
2.11      Digest::SHA1
1.01      Encode::Detect
0.17014   Error
missing   ExtUtils::CBuilder
missing   ExtUtils::ParseXS
2.35      Getopt::Long
0.44      Inline
missing   IO::String
1.09      IO::Zlib
2.24      IP::Country
missing   Mail::ClamAV
3.002005  Mail::SpamAssassin
v2.005    Mail::SPF
missing   Mail::SPF::Query
missing   Module::Build
0.20      Net::CIDR::Lite
0.63      Net::DNS
missing   Net::DNS::Resolver::Programmable
missing   Net::LDAP
4.007     NetAddr::IP
missing   Parse::RecDescent
missing   SAVI
2.56      Test::Harness
missing   Test::Manifest
1.95      Text::Balanced
1.35      URI
0.74      version
missing   YAML

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

From hvdkooij at vanderkooij.org Sat Sep 13 22:06:02 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Sat Sep 13 22:06:14 2008 Subject: Error with EMTPY_MESSAGE In-Reply-To: <223f97700809131112sc6d34basd6ba785f42114dcd@mail.gmail.com> References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <223f97700809131112sc6d34basd6ba785f42114dcd@mail.gmail.com> Message-ID: <48CC2B3A.5010904@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Glenn Steen wrote: > 2008/9/13 Hugo van der Kooij : >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Glenn Steen wrote: >>> 2008/9/13 Hugo van der Kooij : >>>> -----BEGIN PGP SIGNED MESSAGE----- >>>> Hash: SHA1 >>>> >>>> Hugo van der Kooij wrote: >>>>> Hi, >>>>> >>>>> It seems to me that SA is flagging just about any message as EMPTY_MESSAGE. >>>>> >>>>> Is anyone else seeing this too? >>>> I just had quite a bit of a discussion about malware that just walks >>>> past MailScanner with multiple AV scanners active. >>>> >>>> It seems that it might be related to postfix. Where MailScanner is >>>> trying to decode postfix queue files but not doing the right thing. >>>> >>>> My result on 3 sample queue files was 0% through MailScanner. But >>>> decoding them with postcat allowed me to hit 100% of the files. >>>> >>>> So the issue may require all postfix users to look very carefully into >>>> their messages and the ability to scan them properly. >>>> >>>> Hugo. >>>> >>> Can I get a sample, please? Send it off-list. >>> Do you do milters? Which milters? Version of postfix? >> I use postfix 2.3.2 as it is the normal shipped package for Centos 5. >> >> Hugo. >> > Just to give a little update: > > I've received queue files from Jules and Alex B. I've fed these > through both a testbed and our current production .... And they simply > worked as expected(!)... 
The zip-file they included got unpacked > nicely, the filename _and_ filetype got it into the quarantine, as > well as all my AVs firing like mad:-). > This was on a Mandriva 2008.1 running perl 5.10.0 with MailScanner > 4.71.10 ... latest stable and beta are essentially the same, so ... > > I'm leaning toward this being related to CentOS 5.2, possibly the > relevant perl modules. It seems you are using the perl interface to ClamAV and not clamd or anything else. That would at least have an impact on how things are called and how they are parsed in part. > Further than that is pretty hard for me to check, since I cannot > reproduce the problem. If you can setup a Centos 5 virtual machine you could give it a spin. See if it is something obvious we are all overlooking. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFIzCs4BvzDRVjxmYERAqsDAJwME5hS5CgGDL/oLfpfFs3sRLDtbACgknw0 H6MML15R0o3K+w8U4Nde0II= =w3EG -----END PGP SIGNATURE----- From ms-list at alexb.ch Sat Sep 13 22:06:50 2008 
From: ms-list at alexb.ch (Alex Broens)
Date: Sat Sep 13 22:07:09 2008
Subject: Postfix support failing
In-Reply-To: <223f97700809131343q13469d6cq392904d19d0879d3@mail.gmail.com>
References: <48CBD694.9020401@ecs.soton.ac.uk> <48CC22A5.8010604@ecs.soton.ac.uk> <223f97700809131343q13469d6cq392904d19d0879d3@mail.gmail.com>
Message-ID: <48CC2B6A.8040102@alexb.ch>

On 9/13/2008 10:43 PM, Glenn Steen wrote:
> 2008/9/13 Julian Field :
>> Got something for you both to try out:
>>
>> Edit /usr/lib/MailScanner/MailScanner/Message.pm.
>> In there, around line 2134, you will find a mention of "ReadMessageHandle".
> Mine is on line 2126... lines leading up to it is:
> $handle = IO::File->new_tmpfile or die "Your /tmp needs to be set
> to \"chmod 1755 /tmp\"";
> binmode($handle);
> $this->{store}->ReadMessageHandle($this, $handle) or return;
> + $handle->seek(0,0); # Rewind the file
>
> Correct place?
>> On the next line, add this:
>> $handle->seek(0,0); # Rewind the file
>>
>> Then restart MailScanner and see if it behaves any better.
>>
>> Please let me know how you get on.
> We'll see in a moment.... Working with normal messages... stopping...
> inserting your "affected" queue file... Still Just Works(tm). So the
> rewind seems to break nothing:-).
> Good News. Now all needed is that Alex and Hugo get their systems
> cured by the same means:-):-).

#
# This is for sendmail and Exim systems
#
$handle = IO::File->new_tmpfile or die "Your /tmp needs to be set to \"chmod 1755 /tmp\"";
binmode($handle);
$this->{store}->ReadMessageHandle($this, $handle) or return;
## ADDED HACK BY JULES 9/13/2008
$handle->seek(0,0); # Rewind the file

no change.. my 5 sample msgs weren't detected - hmpf
(yes I did restart MS)

Hugo? - want these 5 samples? you have the web uri to pick them up.

ball over
Alex

From glenn.steen at gmail.com Sat Sep 13 22:26:10 2008
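[Added example, not part of the thread and not MailScanner's code.] What the seek(0,0) discussed in the message above changes: a message is spooled to a temp file as in the quoted snippet, read back with and without the rewind, and the two EMPTY_MESSAGE sub-rules quoted earlier in the thread are evaluated on whatever was read. The sample message is constructed, spool_message and empty_message_fires are hypothetical names, and the Content-Disposition test is a simplified stand-in for check_for_mime('mime_attachment'); the thread does not establish that this is what happened on the affected systems.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IO::File;

# Constructed sample: a small text message, not one of the samples from the thread.
my $raw = join("\n",
    'From: sender@example.com',
    'To: rcpt@example.com',
    'Subject: test',
    '',
    'Body text that any content scanner should get to see.',
    '');

# Copy a message into an anonymous temp file, the same way the quoted
# snippet prepares $handle. $rewind selects whether seek(0,0) is applied
# after the write.
sub spool_message {
    my ($data, $rewind) = @_;
    my $handle = IO::File->new_tmpfile
        or die "cannot create temp file: $!";
    binmode($handle);
    print {$handle} $data or die "write failed: $!";
    $handle->seek(0, 0) if $rewind;    # the line proposed in the thread
    return $handle;
}

# Hypothetical consumer of the handle: read from the current position and
# evaluate  meta EMPTY_MESSAGE !__MIME_ATTACHMENT && !__NONEMPTY_BODY.
# Assumption: __MIME_ATTACHMENT is reduced to a Content-Disposition check;
# SpamAssassin's check_for_mime() does more than this.
sub empty_message_fires {
    my ($handle) = @_;
    my $text = do { local $/; <$handle> };    # slurp what is left to read
    $text = '' unless defined $text;

    # Everything after the first blank line is the body.
    my (undef, $body) = split /\r?\n\r?\n/, $text, 2;
    $body = '' unless defined $body;

    my $mime_attachment = $text =~ /^Content-Disposition:\s*attachment/mi ? 1 : 0;
    my $nonempty_body   = $body =~ /\S/ ? 1 : 0;
    return (!$mime_attachment && !$nonempty_body) ? 1 : 0;
}

# Without the rewind the file position is still at end-of-file after the
# write, so the reader gets nothing and both sub-rules come out false.
for my $rewind (0, 1) {
    my $handle = spool_message($raw, $rewind);
    printf "rewind=%d  bytes on disk=%d  EMPTY_MESSAGE fires: %s\n",
        $rewind, -s $handle, empty_message_fires($handle) ? 'yes' : 'no';
}
```

The same bytes are on disk in both runs; only the read position differs, which is why a scanner fed an unrewound handle can report a clean, empty message.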
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Sep 13 22:26:19 2008
Subject: Error with EMTPY_MESSAGE
In-Reply-To: <48CC2B3A.5010904@vanderkooij.org>
References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <223f97700809131112sc6d34basd6ba785f42114dcd@mail.gmail.com> <48CC2B3A.5010904@vanderkooij.org>
Message-ID: <223f97700809131426o8d87d72g531559682193b670@mail.gmail.com>

2008/9/13 Hugo van der Kooij :
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Glenn Steen wrote:
>> 2008/9/13 Hugo van der Kooij :
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Glenn Steen wrote:
>>>> 2008/9/13 Hugo van der Kooij :
>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>> Hash: SHA1
>>>>>
>>>>> Hugo van der Kooij wrote:
>>>>>> Hi,
>>>>>>
>>>>>> It seems to me that SA is flagging just about any message as EMPTY_MESSAGE.
>>>>>>
>>>>>> Is anyone else seeing this too?
>>>>> I just had quite a bit of a discussion about malware that just walks
>>>>> past MailScanner with multiple AV scanners active.
>>>>>
>>>>> It seems that it might be related to postfix. Where MailScanner is
>>>>> trying to decode postfix queue files but not doing the right thing.
>>>>>
>>>>> My result on 3 sample queue files was 0% through MailScanner. But
>>>>> decoding them with postcat allowed me to hit 100% of the files.
>>>>>
>>>>> So the issue may require all postfix users to look very carefully into
>>>>> their messages and the ability to scan them properly.
>>>>>
>>>>> Hugo.
>>>>>
>>>> Can I get a sample, please? Send it off-list.
>>>> Do you do milters? Which milters? Version of postfix?
>>> I use postfix 2.3.2 as it is the normal shipped package for Centos 5.
>>>
>>> Hugo.
>>>
>> Just to give a little update:
>>
>> I've received queue files from Jules and Alex B. I've fed these
>> through both a testbed and our current production .... And they simply
>> worked as expected(!)... The zip-file they included got unpacked
>> nicely, the filename _and_ filetype got it into the quarantine, as
>> well as all my AVs firing like mad:-).
>> This was on a Mandriva 2008.1 running perl 5.10.0 with MailScanner
>> 4.71.10 ... latest stable and beta are essentially the same, so ...
>>
>> I'm leaning toward this being related to CentOS 5.2, possibly the
>> relevant perl modules.
>
> It seems you are using the perl interface to ClamAV and not clamd or
> anything else. That would at least have an impact on how things are
> called and how they are parsed in part.

Nope. I've just got the Mail::ClamAV module installed;-)... I'm using clamd, and am very happy about it too;).
Actually, I tend to install _all_ the optional modules, regardless if I use them or not. Sure, a maintenance overhead, but then ... they're there when/if I decide to use a function that actually needs 'em.

>> Further than that is pretty hard for me to check, since I cannot
>> reproduce the problem.
>
> If you can setup a Centos 5 virtual machine you could give it a spin.
> See if it is something obvious we are all overlooking.

I've been in shortly on Alex's testbed... Nothing exactly stood out... Apart from not working, it looked fine:-).

Did you get the "fixlet" Jules gave me and Alex? Seems to be ineffectual for Alex. Then again... Jules removed the mailscanner rpm, reinstalled it (via rpm -Uvh) and copied in his MailScanner.conf ... and that seemed to "cure" it for him. Which seems like a very very odd thing indeed.
What happens if you do similarly? (remember to save a copy of /etc/MailScanner first;-).

> Hugo.
>

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From hvdkooij at vanderkooij.org Sun Sep 14 10:52:51 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Sep 14 10:53:01 2008
Subject: Error with EMTPY_MESSAGE
In-Reply-To: <223f97700809131112sc6d34basd6ba785f42114dcd@mail.gmail.com>
References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <223f97700809131112sc6d34basd6ba785f42114dcd@mail.gmail.com>
Message-ID: <48CCDEF3.9060903@vanderkooij.org>

Glenn Steen wrote:
> 2008/9/13 Hugo van der Kooij :
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Glenn Steen wrote:
>>> 2008/9/13 Hugo van der Kooij :
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> Hugo van der Kooij wrote:
>>>>> Hi,
>>>>>
>>>>> It seems to me that SA is flagging just about any message as EMPTY_MESSAGE.
>>>>>
>>>>> Is anyone else seeing this too?
>>>> I just had quite a bit of a discussion about malware that just walks
>>>> past MailScanner with multiple AV scanners active.
>>>>
>>>> It seems that it might be related to postfix. Where MailScanner is
>>>> trying to decode postfix queue files but not doing the right thing.
>>>>
>>>> My result on 3 sample queue files was 0% through MailScanner. But
>>>> decoding them with postcat allowed me to hit 100% of the files.
>>>>
>>>> So the issue may require all postfix users to look very carefully into
>>>> their messages and the ability to scan them properly.
>>>>
>>>> Hugo.
>>>>
>>> Can I get a sample, please? Send it off-list.
>>> Do you do milters? Which milters? Version of postfix?
>> I use postfix 2.3.2 as it is the normal shipped package for Centos 5.
>>
>> Hugo.
>>
> Just to give a little update:
>
> I've received queue files from Jules and Alex B. I've fed these
> through both a testbed and our current production .... And they simply
> worked as expected(!)... The zip-file they included got unpacked
> nicely, the filename _and_ filetype got it into the quarantine, as
> well as all my AVs firing like mad:-).
> This was on a Mandriva 2008.1 running perl 5.10.0 with MailScanner
> 4.71.10 ... latest stable and beta are essentially the same, so ...
>
> I'm leaning toward this being related to CentOS 5.2, possibly the
> relevant perl modules.
> Further than that is pretty hard for me to check, since I cannot
> reproduce the problem.
> I might get onto Alex's testbed, to do some further debugging... But I
> do suggest that you who have a CentOS 5.2 box and are affected by the
> "non-unpacking" (should be easily determined... look for "Your
> internet access is going to get suspended" subjects that are either
> improperly unpacked (in the quarantine) or that slip by entirely...
> grab one and start feeding it through your system, varying your perl
> modules (mainly MIME-Tools related stuff, I'd guess).

I have only seen the issue with queue files from Alex. And the odd EMPTY_MESSAGE report I found myself.

I shoot down almost all other stuff on non FQDN issues and blacklisting dialup networks based on keywords in their hostname in postfix itself. So I can not recall to have seen messages sneak past with attachments in them.

The attachment thing might be a combined thing of a new postfix building queue files slightly differently. But beyond the test messages I have never seen that issue arise.

But if a beta version can be created that allows one to use postcat instead of a native MailScanner parser of the raw queue file just to see if it is a factor then I can test that as my MailScanner server is pretty low in traffic.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

From ms-list at alexb.ch Sun Sep 14 11:33:20 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Sun Sep 14 11:33:33 2008
Subject: Error with EMTPY_MESSAGE
In-Reply-To: <48CCDEF3.9060903@vanderkooij.org>
References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <223f97700809131112sc6d34basd6ba785f42114dcd@mail.gmail.com> <48CCDEF3.9060903@vanderkooij.org>
Message-ID: <48CCE870.2030605@alexb.ch>

On 9/14/2008 11:52 AM, Hugo van der Kooij wrote:
> I have only seen the issue with queue files from Alex. And the odd
> EMPTY_MESSAGE report I found myself.
>
> I shoot down almost all other stuff on non FQDN issues and blacklisting
> dialup networks based on keywords in their hostname in postfix itself.
> So I can not recall to have seen messages sneak past with attachments in
> them.

all the samples I have are coming into this trap box from this kind of hosts I'd normally reject as well.

After the last "setup.exe" type of fix Jules suggested, there are less messages being skipped.
The "infected.zip" samples still aren't detected.
Have little hope we'll ever find the reason for this.

> The attachment thing might be a combined thing of a new postfix building
> queue files slightly differently. But beyond the test messages I have
> never seen that issue arise.
>
> But if a beta version can be created that allows one to use postcat
> instead of a native MailScanner parser of the raw queue file just to see
> if it is a factor then I can test that as my MailScanner server is
> pretty low in traffic.

I'm for this as well. My test box has enough crappy traffic to put it thru its paces, and I can get more if required.

Who knows, it could also turn out to be an alternative for low traffic setups as I don't imagine postcat would scale too well.

Alex

From glenn.steen at gmail.com Sun Sep 14 12:04:48 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sun Sep 14 12:04:58 2008
Subject: Error with EMTPY_MESSAGE
In-Reply-To: <48CCDEF3.9060903@vanderkooij.org>
References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <223f97700809131112sc6d34basd6ba785f42114dcd@mail.gmail.com> <48CCDEF3.9060903@vanderkooij.org>
Message-ID: <223f97700809140404v7caa0216q1ab03d4472222924@mail.gmail.com>

2008/9/14 Hugo van der Kooij :
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Glenn Steen wrote:
>> 2008/9/13 Hugo van der Kooij :
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Glenn Steen wrote:
>>>> 2008/9/13 Hugo van der Kooij :
>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>> Hash: SHA1
>>>>>
>>>>> Hugo van der Kooij wrote:
>>>>>> Hi,
>>>>>>
>>>>>> It seems to me that SA is flagging just about any message as EMPTY_MESSAGE.
>>>>>>
>>>>>> Is anyone else seeing this too?
>>>>> I just had quite a bit of a discussion about malware that just walks
>>>>> past MailScanner with multiple AV scanners active.
>>>>>
>>>>> It seems that it might be related to postfix. Where MailScanner is
>>>>> trying to decode postfix queue files but not doing the right thing.
>>>>>
>>>>> My result on 3 sample queue files was 0% through MailScanner. But
>>>>> decoding them with postcat allowed me to hit 100% of the files.
>>>>>
>>>>> So the issue may require all postfix users to look very carefully into
>>>>> their messages and the ability to scan them properly.
>>>>>
>>>>> Hugo.
>>>>>
>>>> Can I get a sample, please? Send it off-list.
>>>> Do you do milters? Which milters? Version of postfix?
>>> I use postfix 2.3.2 as it is the normal shipped package for Centos 5.
>>>
>>> Hugo.
>>>
>> Just to give a little update:
>>
>> I've received queue files from Jules and Alex B. I've fed these
>> through both a testbed and our current production .... And they simply
>> worked as expected(!)... The zip-file they included got unpacked
>> nicely, the filename _and_ filetype got it into the quarantine, as
>> well as all my AVs firing like mad:-).
>> This was on a Mandriva 2008.1 running perl 5.10.0 with MailScanner
>> 4.71.10 ... latest stable and beta are essentially the same, so ...
>>
>> I'm leaning toward this being related to CentOS 5.2, possibly the
>> relevant perl modules.
>> Further than that is pretty hard for me to check, since I cannot
>> reproduce the problem.
>> I might get onto Alex's testbed, to do some further debugging... But I
>> do suggest that you who have a CentOS 5.2 box and are affected by the
>> "non-unpacking" (should be easily determined... look for "Your
>> internet access is going to get suspended" subjects that are either
>> improperly unpacked (in the quarantine) or that slip by entirely...
>> grab one and start feeding it through your system, varying your perl
>> modules (mainly MIME-Tools related stuff, I'd guess).
>
> I have only seen the issue with queue files from Alex. And the odd
> EMPTY_MESSAGE report I found myself.

Yes, well... they seem to be indications of the same thing. So far only observed on CentOS 5.2 boxes (I've had reports that it's working OK on Slackware as well as Mandriva).
The problem is that the "exploding" of the message as read from the queue file fails. It simply returns nothing.
Not that the message is malformed in any special way.
Since I don't have this problem (with Alex's files), I can't go much further there.

> I shoot down almost all other stuff on non FQDN issues and blacklisting
> dialup networks based on keywords in their hostname in postfix itself.
> So I can not recall to have seen messages sneak past with attachments in
> them.

As do we all, so it is a very marginal thing, if a problem at all. I think:-).

> The attachment thing might be a combined thing of a new postfix building
> queue files slightly differently. But beyond the test messages I have
> never seen that issue arise.

There is no difference that the queue file decoding code would fall afoul of. The same code Just Work(tm) for me on my testbeds (and on my production, used for reference during my testing:-).

> But if a beta version can be created that allows one to use postcat
> instead of a native MailScanner parser of the raw queue file just to see
> if it is a factor then I can test that as my MailScanner server is
> pretty low in traffic.

Not really doable, not really where the problem is at, unfortunately. It's more insidious than that:-).

> Hugo.
>

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From ms-list at alexb.ch Sun Sep 14 12:37:01 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Sun Sep 14 12:37:13 2008
Subject: Error with EMTPY_MESSAGE
In-Reply-To: <223f97700809140404v7caa0216q1ab03d4472222924@mail.gmail.com>
References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <223f97700809131112sc6d34basd6ba785f42114dcd@mail.gmail.com> <48CCDEF3.9060903@vanderkooij.org> <223f97700809140404v7caa0216q1ab03d4472222924@mail.gmail.com>
Message-ID: <48CCF75D.3060302@alexb.ch>

On 9/14/2008 1:04 PM, Glenn Steen wrote:
> Yes, well... they seem to be indications of the same thing. So far
> only observed on CentOS 5.2 boxes (I've had reports that it's working
> OK on Slackware as well as Mandriva).

Centos 4.x and older MS release as well (most of my production boxes)

> The problem is that the "exploding" of the message as read from the
> queue file fails. It simply returns nothing.

so that's the bug...

> Not that the message is malformed in any special way.
> Since I don't have this problem (with Alex files), I can't go much
> further there.

I'm still seeing it, on latest and not so new MS releases to it's there - I can't hide it.

atm, I don't poker for backward compatibility, but for the latest OS/MS releases I won't lose hope.

>> I shoot down almost all other stuff on non FQDN issues and blacklisting
>> dialup networks based on keywords in their hostname in postfix itself.
>> So I can not recall to have seen messages sneak past with attachments in
>> them.
> As do we all, so it is a very marginal thing, if a problem at all. I think:-).

not everybody does massive rejects. One missed virus due to this exploding bug could cause havoc.

>> The attachment thing might be a combined thing of a new postfix building
>> queue files slightly differently. But beyond the test messages I have
>> never seen that issue arise.
> There is no difference that the queue file decoding code would fall
> afoul of. The same code Just Work(tm) for me on my testbeds (and on my
> production, used for reference during my testing:-).

obviously, testing with another OS triggers a bunch of "works for me". I dare say Mandriva is pretty much one of the exotics in the global MS user base :-)

for what we know, the issue, which is reproducible may be affecting thousands of Centos 5.x installs. That it has gone by unnoticed hardly justifies ignoring it, does it?

I truly hope Jules comes up with *THE* great idea coz this is becoming a serious showstopper.

Alex

From hvdkooij at vanderkooij.org Sun Sep 14 12:48:20 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Sep 14 12:48:29 2008
Subject: Error with EMTPY_MESSAGE
In-Reply-To: <48CCF75D.3060302@alexb.ch>
References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <223f97700809131112sc6d34basd6ba785f42114dcd@mail.gmail.com> <48CCDEF3.9060903@vanderkooij.org> <223f97700809140404v7caa0216q1ab03d4472222924@mail.gmail.com> <48CCF75D.3060302@alexb.ch>
Message-ID: <48CCFA04.7020907@vanderkooij.org>

Alex Broens wrote:
> On 9/14/2008 1:04 PM, Glenn Steen wrote:
>> The problem is that the "exploding" of the message as read from the
>> queue file fails. It simply returns nothing.
>
> so that's the bug...

So what code is involved here? Which perl modules are used to help here. That is where we should focus our attention ATM.

The point is that I can not accept Jules' way of using package manager only in part by forcing package installations and getting into conflicts again with later updates.

If I know which packages are involved I can see if there is a nice way around the use of the --force command which Jules seems to find perfectly acceptable but to which I must object as it breaks normal upgrade procedures.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

From hvdkooij at vanderkooij.org Sun Sep 14 13:12:35 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Sep 14 13:12:44 2008
Subject: Error with EMTPY_MESSAGE
In-Reply-To: <48CCF75D.3060302@alexb.ch>
References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <223f97700809131112sc6d34basd6ba785f42114dcd@mail.gmail.com> <48CCDEF3.9060903@vanderkooij.org> <223f97700809140404v7caa0216q1ab03d4472222924@mail.gmail.com> <48CCF75D.3060302@alexb.ch>
Message-ID: <48CCFFB3.5080904@vanderkooij.org>

Alex Broens wrote:
> On 9/14/2008 1:04 PM, Glenn Steen wrote:
>> Yes, well... they seem to be indications of the same thing. So far
>> only observed on CentOS 5.2 boxes (I've had reports that it's working
>> OK on Slackware as well as Mandriva).
>
> Centos 4.x and older MS release as well (most of my production boxes)

Alex can you compare the list of packages on Centos 4 and Centos 5? Could this be a revival of past issues with the perl-IO module?

>> The problem is that the "exploding" of the message as read from the
>> queue file fails. It simply returns nothing.
>
> so that's the bug...

What would it take to write a separate program that calls upon the MailScanner code and compare the MailScanner results against postcat?

That way we can find a set of sample queue files to work on and the difference might tell us why it does not work all the time.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

From gesbbb at yahoo.com Sun Sep 14 13:27:22 2008
From: gesbbb at yahoo.com (Jerry)
Date: Sun Sep 14 13:27:35 2008
Subject: Error with EMTPY_MESSAGE
In-Reply-To: <48CBFC6A.6050300@vanderkooij.org>
References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org>
Message-ID: <20080914082722.08dad927@scorpio>

On Sat, 13 Sep 2008 19:46:18 +0200 Hugo van der Kooij wrote:
> I use postfix 2.3.2 as it is the normal shipped package for Centos 5.

Obviously you are aware that, that is a very old and depreciated version of Postfix. I am not familiar with Centos 5; however, is there any way that you could update to Postfix 5.x, I forget what the last stable release number was, as opposed to using your older version? As a plus, there have been a few security features incorporated into the newer version.

--
Jerry
gesbbb@yahoo.com

Fortune's current rates:
Answers .10
Long answers .25
Answers requiring thought .50
Correct answers $1.00
Dumb looks are still free.

From hvdkooij at vanderkooij.org Sun Sep 14 14:38:13 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Sep 14 14:38:22 2008
Subject: Error with EMTPY_MESSAGE
In-Reply-To: <20080914082722.08dad927@scorpio>
References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <20080914082722.08dad927@scorpio>
Message-ID: <48CD13C5.2080806@vanderkooij.org>

Jerry wrote:
> On Sat, 13 Sep 2008 19:46:18 +0200
> Hugo van der Kooij wrote:
>
>> I use postfix 2.3.2 as it is the normal shipped package for Centos 5.
>
> Obviously you are aware that, that is a very old and depreciated
> version of Postfix. I am not familiar with Centos 5; however, is there
> any way that you could update to Postfix 5.x, I forget what the last
> stable release number was, as opposed to using your older version? As a
> plus, there have been a few security features incorporated into the
> newer version.

There is no 5.x release of postfix.

Jules tested with postfix 2.2 and did not see any issue. So I see no justification to break away from upstream updates.

Hugo.

PS: Your public key is not very public.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

From glenn.steen at gmail.com Sun Sep 14 14:40:44 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sun Sep 14 14:40:55 2008
Subject: Error with EMTPY_MESSAGE
In-Reply-To: <48CCFFB3.5080904@vanderkooij.org>
References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <223f97700809131112sc6d34basd6ba785f42114dcd@mail.gmail.com> <48CCDEF3.9060903@vanderkooij.org> <223f97700809140404v7caa0216q1ab03d4472222924@mail.gmail.com> <48CCF75D.3060302@alexb.ch> <48CCFFB3.5080904@vanderkooij.org>
Message-ID: <223f97700809140640r2f178689wc5273333c6e07354@mail.gmail.com>

2008/9/14 Hugo van der Kooij :
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Alex Broens wrote:
>> On 9/14/2008 1:04 PM, Glenn Steen wrote:
>>> Yes, well... they seem to be indications of the same thing. So far
>>> only observed on CentOS 5.2 boxes (I've had reports that it's working
>>> OK on Slackware as well as Mandriva).
>>
>> Centos 4.x and older MS release as well (most of my production boxes)
>
> Alex can you compare the list of packages on Centos 4 and Centos 5?
> Could this be a revival of past issues with the perl-IO module?

Yes, it very much could.
Then again, I'm not sure exactly what is happening... I suspect even Jules is a tad baffled here:-).

>>> The problem is that the "exploding" of the message as read from the
>>> queue file fails. It simply returns nothing.
>>
>> so that's the bug...
>
> What would it take to write a separate program that calls upon the
> MailScanner code and compare the MailScanner results against postcat?

Pretty much writing MailScanner for a single thread....;-). IMO it's not that easily separable. Much easier to just ... put some serious debug "breakpoints" and printouts at various stages, then running a single batch with a single queue file.
Which is pretty much what I did on my systems.

> That way we can find a set of sample queue files to work on and the
> difference might tell us why it does not work all the time.

On my systems it did just work, with or without debug code. With Alex's "bad" files.
One thing I noted about the quarantined messages on Alex's box was that they all lacked the message file... Similar infections on my box all have the expected message, zip-file and executable in the quarantine dir. So this is an easy thing to look for, for all you following this thread. If you have virus quarantine directories lacking the message file (provided you do as Alex and I, and don't quarantine the complete queue file!), then you probably suffer from the attachment exploding problem.
If you do, it would be interesting to see if it is, as I suspect, solely a CentOS 5.2 (or RHEL) problem.

> Hugo.
>

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Sun Sep 14 14:42:13 2008
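Added example (not part of the thread, and not MailScanner code): a Python script for the quarantine check Glenn describes in the message above, listing per day the quarantine entries that hold attachments but no message file. The directory layout (quarantine root / YYYYMMDD / message id / files), the stored message being named `message`, the `spam`/`nonspam`/`mcp` subdirectory names and the sample tree are assumptions; as Glenn notes, the check only means something when complete queue files are not being quarantined.

```python
"""Audit a MailScanner-style quarantine tree for entries lacking the message file."""
import re
import tempfile
from pathlib import Path

# Assumptions (not stated in the thread): the stored message is a file called
# "message", day directories are named YYYYMMDD, and these subdirectories of a
# day directory hold non-virus quarantine items that should be skipped.
MESSAGE_FILE = "message"
DATE_DIR = re.compile(r"^\d{8}$")
NON_VIRUS_SUBDIRS = {"spam", "nonspam", "mcp"}


def audit_quarantine(root):
    """Return {day: {"total": n, "missing": [message ids]}}.

    "total" counts quarantine entries that contain at least one file.
    "missing" lists the entries that contain files (attachments) but no
    message file, i.e. the symptom described in the thread.
    """
    report = {}
    for day in sorted(Path(root).iterdir()):
        if not (day.is_dir() and DATE_DIR.match(day.name)):
            continue
        total, missing = 0, []
        for entry in sorted(day.iterdir()):
            if not entry.is_dir() or entry.name in NON_VIRUS_SUBDIRS:
                continue
            files = [f.name for f in entry.iterdir() if f.is_file()]
            if not files:
                continue  # nothing stored for this entry, nothing to judge
            total += 1
            if MESSAGE_FILE not in files:
                missing.append(entry.name)
        report[day.name] = {"total": total, "missing": missing}
    return report


def build_sample_tree(root):
    """Create a constructed sample quarantine tree (ids and contents are made up)."""
    layout = {
        "20080913/AAAAAAAAAA.00001": ["message", "infected.zip", "setup.exe"],
        "20080914/BBBBBBBBBB.00002": ["infected.zip", "setup.exe"],  # no message file
        "20080914/CCCCCCCCCC.00003": ["message", "infected.zip"],
        "20080914/spam/DDDDDDDDDD.00004": ["message"],  # skipped: not a virus entry
    }
    for rel, names in layout.items():
        entry = Path(root) / rel
        entry.mkdir(parents=True)
        for name in names:
            (entry / name).write_bytes(b"constructed sample\n")


def demo():
    """Run the audit over the constructed tree and return its report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit_quarantine(tmp)


if __name__ == "__main__":
    for day, result in demo().items():
        print(f"{day}: {len(result['missing'])} of {result['total']} entries "
              f"lack a message file {result['missing']}")
```

Run `audit_quarantine()` against your own quarantine directory; a day with a non-empty `missing` list is worth correlating with the distribution and perl module versions discussed in the thread.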
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sun Sep 14 14:42:23 2008
Subject: Error with EMTPY_MESSAGE
In-Reply-To: <20080914082722.08dad927@scorpio>
References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <20080914082722.08dad927@scorpio>
Message-ID: <223f97700809140642o4ac788ep4682cbc18037745a@mail.gmail.com>

2008/9/14 Jerry :
> On Sat, 13 Sep 2008 19:46:18 +0200
> Hugo van der Kooij wrote:
>
>> I use postfix 2.3.2 as it is the normal shipped package for Centos 5.
>
> Obviously you are aware that, that is a very old and depreciated
> version of Postfix. I am not familiar with Centos 5; however, is there
> any way that you could update to Postfix 5.x, I forget what the last
> stable release number was, as opposed to using your older version? As a
> plus, there have been a few security features incorporated into the
> newer version.
>

Probably not the issue here, Jerry, although it is good advice:-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From ms-list at alexb.ch Sun Sep 14 15:11:04 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Sun Sep 14 15:11:16 2008
Subject: Error with EMTPY_MESSAGE
In-Reply-To: <20080914082722.08dad927@scorpio>
References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <20080914082722.08dad927@scorpio>
Message-ID: <48CD1B78.2020908@alexb.ch>

On 9/14/2008 2:27 PM, Jerry wrote:
> On Sat, 13 Sep 2008 19:46:18 +0200
> Hugo van der Kooij wrote:
>
>> I use postfix 2.3.2 as it is the normal shipped package for Centos 5.
>
> Obviously you are aware that, that is a very old and depreciated
> version of Postfix. I am not familiar with Centos 5; however, is there
> any way that you could update to Postfix 5.x, I forget what the last
> stable release number was, as opposed to using your older version? As a
> plus, there have been a few security features incorporated into the
> newer version.

I'm using 2.5.2

Still looking for the time tunnel... If I'm lucky I'll be retired before Postfix 5.x is out :-)

From hvdkooij at vanderkooij.org Sun Sep 14 15:11:10 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Sep 14 15:11:18 2008
Subject: Error with EMTPY_MESSAGE
In-Reply-To: <223f97700809140640r2f178689wc5273333c6e07354@mail.gmail.com>
References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <223f97700809131112sc6d34basd6ba785f42114dcd@mail.gmail.com> <48CCDEF3.9060903@vanderkooij.org> <223f97700809140404v7caa0216q1ab03d4472222924@mail.gmail.com> <48CCF75D.3060302@alexb.ch> <48CCFFB3.5080904@vanderkooij.org> <223f97700809140640r2f178689wc5273333c6e07354@mail.gmail.com>
Message-ID: <48CD1B7E.3060004@vanderkooij.org>

Glenn Steen wrote:
>
> On my systems it did just work, with or without debug code. With Alex
> "bad" files.
> One thing I noted about the quarantined messages on Alex box was that
> they all lacked the message file... Similar infections on my box all
> have the expected message, zip-file and executable in the quarantine
> dir. So this is an easy thing to look for, for all you following this
> thread. If you have virus quarantine directories lacking the message
> file (provided you do as Alex and I, and don't quarantine the complete
> queue file!), then you probably suffer from the attachment exploding
> problem.
> If you do, it would be interesting to see if it is, as I suspect,
> solely a CentOS 5.2 (or RHEL) problem.

It would also be noteworthy to see how you installed everything.

I started to take notes on the versions of rpmforge and what Jules included as source RPM. A lot of packages now seem to conflict with perl itself.

If the statement is valid that sitelib goes for archlib I can rewrite all spec files to split properly but I can only rebuild them on Centos 5 for the i386 architecture at the moment. It will not work on Centos 4

It will basically mean I will rebuild everything one needs for Centos 5 that is not part of Centos 5 and put it in the repository.

There is a load of perl packages part of the MailScanner rpm.tgz file. But are they all required?

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

From ms-list at alexb.ch Sun Sep 14 15:13:23 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Sun Sep 14 15:13:39 2008
Subject: Error with EMTPY_MESSAGE
In-Reply-To: <223f97700809140640r2f178689wc5273333c6e07354@mail.gmail.com>
References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <223f97700809131112sc6d34basd6ba785f42114dcd@mail.gmail.com> <48CCDEF3.9060903@vanderkooij.org> <223f97700809140404v7caa0216q1ab03d4472222924@mail.gmail.com> <48CCF75D.3060302@alexb.ch> <48CCFFB3.5080904@vanderkooij.org> <223f97700809140640r2f178689wc5273333c6e07354@mail.gmail.com>
Message-ID: <48CD1C03.4050904@alexb.ch>

On 9/14/2008 3:40 PM, Glenn Steen wrote:
> 2008/9/14 Hugo van der Kooij :
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Alex Broens wrote:
>>> On 9/14/2008 1:04 PM, Glenn Steen wrote:
>>>> Yes, well... they seem to be indications of the same thing. So far
>>>> only observed on CentOS 5.2 boxes (I've had reports that it's working
>>>> OK on Slackware as well as Mandriva).
>>> Centos 4.x and older MS release as well (most of my production boxes)
>> Alex can you compare the list of packages on Centos 4 and Centos 5?
>> Could this be a revival of past issues with the perl-IO module?
>
> Yes, it very much could.
> Then again, I'm not sure exactly what is happening... I suspect even
> Jules is a tad baffled here:-).
>
>>>> The problem is that the "exploding" of the message as read from the
>>>> queue file fails. It simply returns nothing.
>>> so that's the bug...
>> What would it take to write a separate program that calls upon the
>> MailScanner code and compare the MailScanner results against postcat?
>
> Pretty much writing MailScanner for a single thread....;-). IMO it's
> not that easily separable. Much easier to just ... put some serious
> debug "breakpoints" and printouts at various stages, then running a
> single batch with a single queue file.
> Which is pretty much what I did on my systems.
>
>> That way we can find a set of sample queue files to work on and the
>> difference might tell us why it does not work all the time.
>
> On my systems it did just work, with or without debug code. With Alex
> "bad" files.
> One thing I noted about the quarantined messages on Alex box was that
> they all lacked the message file... Similar infections on my box all
> have the expected message, zip-file and executable in the quarantine
> dir. So this is an easy thing to look for, for all you following this
> thread. If you have virus quarantine directories lacking the message
> file (provided you do as Alex and I, and don't quarantine the complete
> queue file!), then you probably suffer from the attachment exploding
> problem.
> If you do, it would be interesting to see if it is, as I suspect,
> solely a CentOS 5.2 (or RHEL) problem.

I can quarantine the whole file.. I thought I was.... what have I done wrong?

Alex

From gesbbb at yahoo.com Sun Sep 14 15:14:49 2008
From: gesbbb at yahoo.com (Jerry)
Date: Sun Sep 14 15:15:02 2008
Subject: Error with EMTPY_MESSAGE
In-Reply-To: <48CD13C5.2080806@vanderkooij.org>
References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <20080914082722.08dad927@scorpio> <48CD13C5.2080806@vanderkooij.org>
Message-ID: <20080914101449.229e7f12@scorpio>

On Sun, 14 Sep 2008 15:38:13 +0200 Hugo van der Kooij wrote:

> There is no 5.x release of postfix.

Oops, meant 2.5.x version. My chubby fingers did me in again.

In any case, my suggestion would still be that the OP upgrade his version of Postfix if that is reasonably possible. There have been several improvements. Even if it did not correct his immediate problem, it might very well forestall a future one.

Just my 2¢.

--
Jerry
gesbbb@yahoo.com

SAN DIEGO: Four million people, where you can't get a good cheeseburger, no matter how hard you try.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080914/8f045801/signature.bin

From alex at rtpty.com Sun Sep 14 15:23:22 2008
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Sun Sep 14 15:23:36 2008 Subject: Error with EMTPY_MESSAGE In-Reply-To: <48CD1B78.2020908@alexb.ch> References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <20080914082722.08dad927@scorpio> <48CD1B78.2020908@alexb.ch> Message-ID: <08015894-8544-45CA-B6F4-EDDC28A821A3@rtpty.com> On Sep 14, 2008, at 9:11 AM, Alex Broens wrote: > Still looking for the time tunnel...If I'm lucky I'll be retired > before Postifx 5.x is out :-) I wonder if MailScanner version 23.19 (in beta at that time) will still cause swapping, specially in machines with under 1TB RAM... I hear there's an attachment exploding issue as well - vintage ISOs of old Blu-Ray disc movies have problems with the Perl-IO package... they fill the queue directory with a bunch of small 50GB files which are a nuisance... From hvdkooij at vanderkooij.org Sun Sep 14 15:32:31 2008 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Sep 14 15:32:42 2008
Subject: Error with EMTPY_MESSAGE
In-Reply-To: <223f97700809140640r2f178689wc5273333c6e07354@mail.gmail.com>
References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <223f97700809131112sc6d34basd6ba785f42114dcd@mail.gmail.com> <48CCDEF3.9060903@vanderkooij.org> <223f97700809140404v7caa0216q1ab03d4472222924@mail.gmail.com> <48CCF75D.3060302@alexb.ch> <48CCFFB3.5080904@vanderkooij.org> <223f97700809140640r2f178689wc5273333c6e07354@mail.gmail.com>
Message-ID: <48CD207F.3020300@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Glenn Steen wrote:
> 2008/9/14 Hugo van der Kooij :
>> That way we can find a set of sample queue files to work on and the
>> difference might tell us why it does not work all the time.
>
> On my systems it did just work, with or without debug code. With Alex
> "bad" files.

There is an odd thing. I got no AV warning on the sample. Neither in MailWatch nor in /var/log/maillog. But if I go to the quarantine directory and scan the spam message file there I get a hit from ClamAV.

The message in the quarantine looks like the genuine article. Malware and all. Just like I would see from the postcat output.

So at that point does the handling of the file differ between the interception and the storage of the file in the quarantine directory.

The log for that batch (1 message):

ep 14 10:11:58 balin MailScanner[21808]: New Batch: Scanning 1 messages, 48313 bytes
Sep 14 10:11:58 balin MailScanner[21808]: Spam Checks: Starting
Sep 14 10:12:00 balin MailScanner[21808]: RBL checks: 52D0E1008122.AE735 found in spamhaus-ZEN
Sep 14 10:12:00 balin dovecot: pop3-login: Aborted login: rip=::ffff:84.244.132.155, lip=::ffff:84.244.132.155, TLS
Sep 14 10:12:01 balin postfix/smtpd[21795]: connect from arwen.waakhond.net[80.69.95.182]
Sep 14 10:12:01 balin postfix/smtpd[21795]: disconnect from arwen.waakhond.net[80.69.95.182]
Sep 14 10:12:04 balin postfix/smtpd[21795]: connect from unknown[194.151.25.153]
Sep 14 10:12:04 balin MailScanner[21808]: Message 52D0E1008122.AE735 from 213.211.146.118 (yes1@erac.com) to sambar.ch is spam, spamhaus-ZEN, SpamAssassin (not cached, score=13.837, required 3, BAYES_99 3.50, FH_HELO_EQ_D_D_D_D 0.00, HELO_DYNAMIC_IPADDR2 4.39, RCVD_IN_SORBS_DUL 0.88, RCVD_IN_XBL 3.03, RDNS_NONE 0.10, TVD_RCVD_IP 1.93)
Sep 14 10:12:04 balin MailScanner[21808]: Spam Checks: Found 1 spam messages
Sep 14 10:12:04 balin MailScanner[21808]: Spam Actions: message 52D0E1008122.AE735 actions are spam@barracuda.com,store,forward
Sep 14 10:12:05 balin MailScanner[21808]: Virus and Content Scanning: Starting
Sep 14 10:12:05 balin postfix/cleanup[21802]: 22A0417E9219: message-id=<20080914081205.22A0417E9219@balin.waakhond.net>
Sep 14 10:12:05 balin postfix/qmgr[21777]: 22A0417E9219: from=, size=273, nrcpt=1 (queue active)
Sep 14 10:12:05 balin postfix/local[21803]: 22A0417E9219: to=, relay=local, delay=0.34, delays=0.24/0/0/0.1, dsn=2.0.0, status=deliverable (delivers to command: /usr/bin/procmail -Y)
Sep 14 10:12:05 balin postfix/qmgr[21777]: 22A0417E9219: removed
Sep 14 10:12:06 balin postfix/smtpd[22123]: connect from imss.berk.nl[194.122.140.1]
Sep 14 10:12:07 balin postfix/smtpd[22123]: C25A617E9219: client=imss.berk.nl[194.122.140.1]
Sep 14 10:12:07 balin postfix/cleanup[21802]: C25A617E9219: message-id=<194.122.140.4.1221379925@balin.waakhond.net>
Sep 14 10:12:08 balin postfix/qmgr[21777]: C25A617E9219: from=, size=2049, nrcpt=1 (queue active)
Sep 14 10:12:08 balin postfix/smtpd[22123]: disconnect from imss.berk.nl[194.122.140.1]
Sep 14 10:12:09 balin postfix/local[21803]: C25A617E9219: to=, relay=local, delay=2.6, delays=1.3/0/0/1.3, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail -Y)
Sep 14 10:12:09 balin postfix/qmgr[21777]: C25A617E9219: removed
Sep 14 10:12:12 balin postfix/smtpd[21795]: BD0F817E9219: client=unknown[194.151.25.153]
Sep 14 10:12:12 balin postfix/cleanup[21802]: BD0F817E9219: message-id=<194.151.25.153.1221379924@balin.waakhond.net>
Sep 14 10:12:12 balin postfix/qmgr[21777]: BD0F817E9219: from=, size=1266, nrcpt=1 (queue active)
Sep 14 10:12:12 balin postfix/smtpd[21795]: disconnect from unknown[194.151.25.153]
Sep 14 10:12:12 balin postfix/local[21803]: BD0F817E9219: to=, relay=local, delay=7.7, delays=7.7/0/0/0.01, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail -Y)
Sep 14 10:12:12 balin postfix/qmgr[21777]: BD0F817E9219: removed
Sep 14 10:12:13 balin MailScanner[21808]: Requeue: 52D0E1008122.AE735 to DC1CC17E9219
Sep 14 10:12:13 balin postfix/qmgr[21777]: DC1CC17E9219: from=, size=48252, nrcpt=1 (queue active)
Sep 14 10:12:13 balin MailScanner[21808]: Uninfected: Delivered 1 messages
Sep 14 10:12:13 balin MailScanner[21808]: Logging message 52D0E1008122.AE735 to SQL
Sep 14 10:12:15 balin postfix/smtp[22176]: DC1CC17E9219: to=, relay=barracuda2.barracuda.com[216.129.105.115]:25, delay=154983, delays=154980/0.01/0.99/1.7, dsn=2.0.0, status=sent (250 Ok: queued as C6B224ACCE6)
Sep 14 10:12:15 balin postfix/qmgr[21777]: DC1CC17E9219: removed

There are 2 messages logged which did not go through MailScanner during the handling of this message. But that is how I designed this server and should not worry anyone.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG?
Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFIzSB8BvzDRVjxmYERAp3NAJ4zLFDgAzjnS9ci5Z9G/kIXXiyYKACeKCyB zJ6zFCo9sTuX+AcLy8jTaec= =XAri -----END PGP SIGNATURE----- From hvdkooij at vanderkooij.org Sun Sep 14 16:04:22 2008 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Sun Sep 14 16:04:31 2008 Subject: Error with EMTPY_MESSAGE In-Reply-To: <48CD1C03.4050904@alexb.ch> References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <223f97700809131112sc6d34basd6ba785f42114dcd@mail.gmail.com> <48CCDEF3.9060903@vanderkooij.org> <223f97700809140404v7caa0216q1ab03d4472222924@mail.gmail.com> <48CCF75D.3060302@alexb.ch> <48CCFFB3.5080904@vanderkooij.org> <223f97700809140640r2f178689wc5273333c6e07354@mail.gmail.com> <48CD1C03.4050904@alexb.ch> Message-ID: <48CD27F6.6060900@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Alex Broens wrote: > On 9/14/2008 3:40 PM, Glenn Steen wrote: >> 2008/9/14 Hugo van der Kooij : >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> Alex Broens wrote: >>>> On 9/14/2008 1:04 PM, Glenn Steen wrote: >>>>> Yes, well... they seem to be indacations of the same thing. So far >>>>> only observed on CentOS 5.2 boxes (I've had reports that it's working >>>>> OK on Slackware as well as Mandriva). >>>> Centos 4.x and older MS release as well (most of my production boxes) >>> Alex can you compare the list of packages on Centos 4 and Centos 5? >>> Could this be a revival of past issues with the perl-IO module? >> >> Yes, it very much could. >> Then again, I'm not sure exactly what is happening... I suspect even >> Jules is a tad baffled here:-). >> >>>>> The problem is that the "exploding" of the message as read from the >>>>> queue file fails. It simply returns nothing. >>>> so that's the bug... >>> What would it take to write a seperate program that calls upon the >>> MailScanner code and compare the MailScanner results against postcat? >> >> Pretty much writing MailScanner for a singel thread....;-). IMO it's >> not that easily separable. Much easier to just ... 
put some serious
>> debug "breakpoints" and printouts at various stages, then running a
>> single batch with a single queue file.
>> Which is pretty much what I did on my systems.
>>
>>> That way we can find a set of sample queue files to work on and the
>>> difference might tell us why it does not work all the time.
>>
>> On my systems it did just work, with or without debug code. With Alex
>> "bad" files.
>> One thing I noted about the quarantined messages on Alex box was that
>> they all lacked the message file... Similar infections on my box all
>> have the expected message, zip-file and executable in the quarantine
>> dir. So this is an easy thing to look for, for all you following this
>> thread. If you have virus quarantine directories lacking the message
>> file (provided you do as Alex and I, and don't quarantine the complete
>> queue file!), then you probably suffer from the attachment exploding
>> problem.
>> If you do, it would be interesting to see if it is, as I suspect,
>> solely a CentOS 5.2 (or RHEL) problem.
>
> I can quarantine the whole file.. I thought I was....
> what have I done wrong?

Just to compare notes from the MailScanner -c output. I noticed these lines:

Option Name               Default                         Current Value
===============================================================================
clamavfullmessagescan     no                              yes
logsilentviruses          no                              yes
monitorsforclamavupdates  /usr/local/share/clamav/*.cvd   /var/clamav/*.cld /var/clamav/*.cvd
mta                       sendmail                        postfix
quarantinesilentviruses   no                              yes
virusscanners             auto                            clamav mcafee avastd
virusscanning             yes                             RULESET:Default=yes

I also happen to notice there are no ClamAV warnings. I would have expected them on at least some of them that were detected by both Avast and McAfee.

So I think I happen to have an issue with ClamAV I need to sort out. Not sure what as all the usual suspects turn out to be clean.

Hugo

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG?
Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFIzSfzBvzDRVjxmYERAj/rAKChTQ/aQ4gktjO073Xd8Cv8m/Bg0ACgneQM nn5ueTO6X2a1ezrc1oytd0o= =ucXt -----END PGP SIGNATURE----- From glenn.steen at gmail.com Sun Sep 14 16:29:11 2008 
From: glenn.steen at gmail.com (Glenn Steen) Date: Sun Sep 14 16:29:21 2008 Subject: Error with EMTPY_MESSAGE In-Reply-To: <48CD1C03.4050904@alexb.ch> References: <48CB7428.1030501@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <223f97700809131112sc6d34basd6ba785f42114dcd@mail.gmail.com> <48CCDEF3.9060903@vanderkooij.org> <223f97700809140404v7caa0216q1ab03d4472222924@mail.gmail.com> <48CCF75D.3060302@alexb.ch> <48CCFFB3.5080904@vanderkooij.org> <223f97700809140640r2f178689wc5273333c6e07354@mail.gmail.com> <48CD1C03.4050904@alexb.ch> Message-ID: <223f97700809140829v7b8de750o4cce2892da286a28@mail.gmail.com> 2008/9/14 Alex Broens : > On 9/14/2008 3:40 PM, Glenn Steen wrote: >> >> 2008/9/14 Hugo van der Kooij : >>> >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> Alex Broens wrote: >>>> >>>> On 9/14/2008 1:04 PM, Glenn Steen wrote: >>>>> >>>>> Yes, well... they seem to be indacations of the same thing. So far >>>>> only observed on CentOS 5.2 boxes (I've had reports that it's working >>>>> OK on Slackware as well as Mandriva). >>>> >>>> Centos 4.x and older MS release as well (most of my production boxes) >>> >>> Alex can you compare the list of packages on Centos 4 and Centos 5? >>> Could this be a revival of past issues with the perl-IO module? >> >> Yes, it very much could. >> Then again, I'm not sure exactly what is happening... I suspect even >> Jules is a tad baffled here:-). >> >>>>> The problem is that the "exploding" of the message as read from the >>>>> queue file fails. It simply returns nothing. >>>> >>>> so that's the bug... >>> >>> What would it take to write a seperate program that calls upon the >>> MailScanner code and compare the MailScanner results against postcat? >> >> Pretty much writing MailScanner for a singel thread....;-). IMO it's >> not that easily separable. Much easier to just ... 
put some serious >> debug "breakpoints" and printouts at various stages, then running a >> single batch with a singel queue file. >> Which is pretty much what I did on my systems. >> >>> That way we can find a set of sample queue files to work on and the >>> difference might tell us why it does not work all the time. >> >> On my systems it did just work, with or without debug code. With Alex >> "bad" files. >> One thing I noted about the quarantined messages on Alex box was that >> they all lacked the message file... Similar infections on my box all >> have trhe expected message, zip-file and executable in the quarantine >> dir. So this is an easy thing to look for, for all youfollowing this >> thread. If you have virus quarantine directories lacking the message >> file (provided you do as Alex and I, and don't quarantine the complete >> queue file!), then you probably suffer from the attachment exploding >> problem. >> If you do, it would be interresting to see if it is, as I suspect, >> solely a CentOS 5.2 (or RHEL) problem. > > I can quarantine the whole file.. I thought I was.... > what have I done wrong? > > Alex > MailWatch demands that it gets quarantined as the RFC822-decoded file, not the queue file. Since your spam quarantine contained that, I drew that conclusion... is all;) Nothing wrong, so to speak, apart from the message exploding thing. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ms-list at alexb.ch Sun Sep 14 18:00:32 2008 
From: ms-list at alexb.ch (Alex Broens) Date: Sun Sep 14 18:00:51 2008 Subject: Error with EMTPY_MESSAGE In-Reply-To: <223f97700809140829v7b8de750o4cce2892da286a28@mail.gmail.com> References: <48CB7428.1030501@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <223f97700809131112sc6d34basd6ba785f42114dcd@mail.gmail.com> <48CCDEF3.9060903@vanderkooij.org> <223f97700809140404v7caa0216q1ab03d4472222924@mail.gmail.com> <48CCF75D.3060302@alexb.ch> <48CCFFB3.5080904@vanderkooij.org> <223f97700809140640r2f178689wc5273333c6e07354@mail.gmail.com> <48CD1C03.4050904@alexb.ch> <223f97700809140829v7b8de750o4cce2892da286a28@mail.gmail.com> Message-ID: <48CD4330.1020905@alexb.ch> On 9/14/2008 5:29 PM, Glenn Steen wrote: > 2008/9/14 Alex Broens : >> On 9/14/2008 3:40 PM, Glenn Steen wrote: >>> 2008/9/14 Hugo van der Kooij : >>>> -----BEGIN PGP SIGNED MESSAGE----- >>>> Hash: SHA1 >>>> >>>> Alex Broens wrote: >>>>> On 9/14/2008 1:04 PM, Glenn Steen wrote: >>>>>> Yes, well... they seem to be indacations of the same thing. So far >>>>>> only observed on CentOS 5.2 boxes (I've had reports that it's working >>>>>> OK on Slackware as well as Mandriva). >>>>> Centos 4.x and older MS release as well (most of my production boxes) >>>> Alex can you compare the list of packages on Centos 4 and Centos 5? >>>> Could this be a revival of past issues with the perl-IO module? >>> Yes, it very much could. >>> Then again, I'm not sure exactly what is happening... I suspect even >>> Jules is a tad baffled here:-). >>> >>>>>> The problem is that the "exploding" of the message as read from the >>>>>> queue file fails. It simply returns nothing. >>>>> so that's the bug... >>>> What would it take to write a seperate program that calls upon the >>>> MailScanner code and compare the MailScanner results against postcat? >>> Pretty much writing MailScanner for a singel thread....;-). IMO it's >>> not that easily separable. Much easier to just ... 
put some serious >>> debug "breakpoints" and printouts at various stages, then running a >>> single batch with a singel queue file. >>> Which is pretty much what I did on my systems. >>> >>>> That way we can find a set of sample queue files to work on and the >>>> difference might tell us why it does not work all the time. >>> On my systems it did just work, with or without debug code. With Alex >>> "bad" files. >>> One thing I noted about the quarantined messages on Alex box was that >>> they all lacked the message file... Similar infections on my box all >>> have trhe expected message, zip-file and executable in the quarantine >>> dir. So this is an easy thing to look for, for all youfollowing this >>> thread. If you have virus quarantine directories lacking the message >>> file (provided you do as Alex and I, and don't quarantine the complete >>> queue file!), then you probably suffer from the attachment exploding >>> problem. >>> If you do, it would be interresting to see if it is, as I suspect, >>> solely a CentOS 5.2 (or RHEL) problem. >> I can quarantine the whole file.. I thought I was.... >> what have I done wrong? >> >> Alex >> > MailWatch demands that it gets quarantined as the RFC822-decoded file, > not the queue file. Since your spam quarantine contained that, I drew > that conclusion... is all;) ya jumped to conclusions a bit too fast? :-) I was storing in Q file format to do the debugging - test box - no real users behind it - just a trap feed for a little BL I contribute to .-) > Nothing wrong, so to speak, apart from the message exploding thing. I didn't make them explode right.. yes... aaaaaaaaaaaall my fault. more beeeeeeeeeeeeeeeeeeeeeer, less bugs! Alex From drew.marshall at technologytiger.net Sun Sep 14 18:55:12 2008 
From: drew.marshall at technologytiger.net (Drew Marshall) Date: Sun Sep 14 18:55:32 2008 Subject: Error with EMTPY_MESSAGE In-Reply-To: <48CCF75D.3060302@alexb.ch> References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <223f97700809131112sc6d34basd6ba785f42114dcd@mail.gmail.com> <48CCDEF3.9060903@vanderkooij.org> <223f97700809140404v7caa0216q1ab03d4472222924@mail.gmail.com> <48CCF75D.3060302@alexb.ch> Message-ID: <7F74F1D4-2758-4D0B-B272-9BBF78F41D25@technologytiger.net> On 14 Sep 2008, at 12:37, Alex Broens wrote: > On 9/14/2008 1:04 PM, Glenn Steen wrote: >> Yes, well... they seem to be indacations of the same thing. So far >> only observed on CentOS 5.2 boxes (I've had reports that it's working >> OK on Slackware as well as Mandriva). > > Centos 4.x and older MS release as well (most of my production boxes) I have not noticed any difference on my PF boxes. However, I am running FreeBSD. >>> I shoot down almost all other stuff on non FQDN issues and >>> blacklisting >>> dialup networks based on keywords in their hostname in postfix >>> itself. >>> So I can not recall to have seen messages sneak past with >>> attachments in >>> them. >> As do we all, so it is a very marginal thing,if a problem at all. I >> think:-). > > not everybody does massiv rejects. One missed virus due to this > exploding bug could cause havoc. Agreed > > >>> The attachment thing might be a combined thing of a new postfix >>> building >>> queue files slightly differently. But beyond the test messages I >>> have >>> never seen that issue arise. >> There is no difference that the queue file decoding code would fall >> afoul of. The same code Just Work(tm) for me on my testbeds (and on >> my >> production, used for reference during my testing:-). > > obviously, testing with another OS triggers a bunch of "works for me". 
> I dare say Mandriva is pretty much one of the exotics in the global > MS user base :-) I suspect it probably is! > > > for what we know, the issue, which is reproduceable may be affecting > thousands of Centos 5.x installs. That it has gone by unnoticed > hardly justifies ignoring it, does it? That one I have to agreed with. It made me crawl over my mail logs to make sure. Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by Technology Tiger's Mail Launder system Our email policy can be found at www.technologytiger.net/policy Technology Tiger Limited is registered in Scotland with registration number: 310997 Registered Office 55-57 West High Street Inverurie AB51 3QQ From glenn.steen at gmail.com Sun Sep 14 19:58:12 2008 
From: glenn.steen at gmail.com (Glenn Steen) Date: Sun Sep 14 19:58:21 2008 Subject: Error with EMTPY_MESSAGE In-Reply-To: <7F74F1D4-2758-4D0B-B272-9BBF78F41D25@technologytiger.net> References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <223f97700809131112sc6d34basd6ba785f42114dcd@mail.gmail.com> <48CCDEF3.9060903@vanderkooij.org> <223f97700809140404v7caa0216q1ab03d4472222924@mail.gmail.com> <48CCF75D.3060302@alexb.ch> <7F74F1D4-2758-4D0B-B272-9BBF78F41D25@technologytiger.net> Message-ID: <223f97700809141158k4ce1ea63v35cb3c9c3f747f3@mail.gmail.com> 2008/9/14 Drew Marshall : > On 14 Sep 2008, at 12:37, Alex Broens wrote: > >> On 9/14/2008 1:04 PM, Glenn Steen wrote: >>> >>> Yes, well... they seem to be indacations of the same thing. So far >>> only observed on CentOS 5.2 boxes (I've had reports that it's working >>> OK on Slackware as well as Mandriva). >> >> Centos 4.x and older MS release as well (most of my production boxes) > > I have not noticed any difference on my PF boxes. However, I am running > FreeBSD. > >>>> I shoot down almost all other stuff on non FQDN issues and blacklisting >>>> dialup networks based on keywords in their hostname in postfix itself. >>>> So I can not recall to have seen messages sneak past with attachments in >>>> them. >>> >>> As do we all, so it is a very marginal thing,if a problem at all. I >>> think:-). >> >> not everybody does massiv rejects. One missed virus due to this exploding >> bug could cause havoc. > > Agreed True enough. One just have to .... have a realistic view on the dangers here. >> >> >>>> The attachment thing might be a combined thing of a new postfix building >>>> queue files slightly differently. But beyond the test messages I have >>>> never seen that issue arise. >>> >>> There is no difference that the queue file decoding code would fall >>> afoul of. 
The same code Just Work(tm) for me on my testbeds (and on my >>> production, used for reference during my testing:-). >> >> obviously, testing with another OS triggers a bunch of "works for me". >> I dare say Mandriva is pretty much one of the exotics in the global MS >> user base :-) > > I suspect it probably is! Hmpf!:-) >> >> >> for what we know, the issue, which is reproduceable may be affecting >> thousands of Centos 5.x installs. That it has gone by unnoticed hardly >> justifies ignoring it, does it? > > That one I have to agreed with. It made me crawl over my mail logs to make > sure. Which is very good indeed. Thanks for the info! > Drew > Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From hvdkooij at vanderkooij.org Sun Sep 14 20:19:16 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Sun Sep 14 20:19:28 2008 Subject: Error with EMTPY_MESSAGE In-Reply-To: <48CB7428.1030501@vanderkooij.org> References: <48CB7428.1030501@vanderkooij.org> Message-ID: <48CD63B4.7080106@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hugo van der Kooij wrote: > Hi, > > It seems to me that SA is flagging just about any message as EMPTY_MESSAGE. > > Is anyone else seeing this too? Right. During compilation I noticed a warning about my language settings. My default is set to LANG=en_US.UTF-8 Could this be relevant? Hugo - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFIzWOzBvzDRVjxmYERAk2TAJwMj7Bza5LoA7GFw3575poM2rekNACeJBBg A0f5yxMOIJDrm+3uh/QAkfM= =S/pC -----END PGP SIGNATURE----- From ms-list at alexb.ch Sun Sep 14 20:41:53 2008 
From: ms-list at alexb.ch (Alex Broens) Date: Sun Sep 14 20:42:08 2008 Subject: Error with EMTPY_MESSAGE In-Reply-To: <48CD63B4.7080106@vanderkooij.org> References: <48CB7428.1030501@vanderkooij.org> <48CD63B4.7080106@vanderkooij.org> Message-ID: <48CD6901.5060802@alexb.ch> On 9/14/2008 9:19 PM, Hugo van der Kooij wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hugo van der Kooij wrote: >> Hi, >> >> It seems to me that SA is flagging just about any message as EMPTY_MESSAGE. >> >> Is anyone else seeing this too? > > Right. During compilation I noticed a warning about my language > settings. My default is set to LANG=en_US.UTF-8 > > Could this be relevant? Mine is also: LANG=en_US.UTF-8 I'm now collecting infected msgs BEFORE MailScanner touches/sees them. Hope to find some which don't get detected and give you guys 100% pristine Q files. Alex From J.Ede at birchenallhowden.co.uk Mon Sep 15 08:26:53 2008 From: J.Ede at birchenallhowden.co.uk (Jason Ede) Date: Mon Sep 15 08:30:22 2008 Subject: Error with EMTPY_MESSAGE In-Reply-To: <48CD6901.5060802@alexb.ch> References: <48CB7428.1030501@vanderkooij.org> <48CD63B4.7080106@vanderkooij.org>,<48CD6901.5060802@alexb.ch> Message-ID: <4CAB0118AEC63A4FAAE77E6BCBDF760C792A26CDE2@server02.bhl.local> ________________________________________ 
From: mailscanner-bounces@lists.mailscanner.info [mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Broens [ms-list@alexb.ch] Sent: 14 September 2008 20:41 To: MailScanner discussion Subject: Re: Error with EMTPY_MESSAGE On 9/14/2008 9:19 PM, Hugo van der Kooij wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hugo van der Kooij wrote: >> Hi, >> >> It seems to me that SA is flagging just about any message as EMPTY_MESSAGE. >> >> Is anyone else seeing this too? > > Right. During compilation I noticed a warning about my language > settings. My default is set to LANG=en_US.UTF-8 > > Could this be relevant? Mine is also: LANG=en_US.UTF-8 I'm now collecting infected msgs BEFORE MailScanner touches/sees them. Hope to find some which don't get detected and give you guys 100% pristine Q files. Alex I've noticed a CentOS 5.2 box seems to catch less spam than an existing FC7 box but so far I've failed to find anything obviously wrong or that is obviously being missed. Its langauge setting is LANG=en_US Has anyone tried removing and recompiling perl and then doing a comparison to see if it solves the issue? Jason From MailScanner at ecs.soton.ac.uk Mon Sep 15 08:48:28 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Sep 15 08:48:47 2008
Subject: Potential Postfix CentOS message unpacking bug
Message-ID: <48CE134C.7080307@ecs.soton.ac.uk>

As some of you may have already realised, a few people are having a problem on particular OS's when using Postfix, where a message generated by a particular Trojan is not being unpacked properly.

So Postfix users on CentOS, please can you check your logs for any 16-17Kb spams which could possibly contain an attachment called "start.zip" (grep should find it in raw queue files, if you're wondering how to do that for raw queue files), which have not always been detected as infected.

You might want to use the "Archive Mail" feature of MailScanner.conf for a while to see if you're getting anything like that, in case you are suffering the problem.

We would very much like to know how widespread this problem is, so please report back with your findings and we'll take a straw poll of the respondents.

Thanks folks!

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From Andreas.Kasenides at cs.ucy.ac.cy Mon Sep 15 09:06:56 2008
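The check Julian Field asks for above, sketched as an added example (not MailScanner code and not part of the original post): it finds archived raw queue files of 16-17 KB that contain the string "start.zip" and reports those whose ID never appears in a MailScanner "Infected message" log line. It assumes the archived files are named after the queue or MailScanner ID; the function names and all sample data are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Values taken from the request above: the attachment name and the 16-17 KB size.
ATTACHMENT_NAME = b"start.zip"
SIZE_MIN = 16 * 1024   # inclusive
SIZE_MAX = 18 * 1024   # exclusive, so sizes of 16.x and 17.x KB match

# Log wording as it appears in the maillog excerpts quoted in this thread.
INFECTED_RE = re.compile(
    r"MailScanner\[\d+\]: Infected message (\S+) came from \S+"
)


def queue_id(name):
    """Return the queue ID part of a MailScanner ID such as 52D0E1008122.AE735."""
    return name.split(".", 1)[0].upper()


def infected_ids(log_lines):
    """Queue IDs that MailScanner logged as infected."""
    ids = set()
    for line in log_lines:
        match = INFECTED_RE.search(line)
        if match:
            ids.add(queue_id(match.group(1)))
    return ids


def find_candidates(archive_dir, size_min=SIZE_MIN, size_max=SIZE_MAX):
    """Archived files in the size window whose raw bytes mention start.zip."""
    hits = []
    for path in sorted(Path(archive_dir).rglob("*")):
        if not path.is_file():
            continue
        if not size_min <= path.stat().st_size < size_max:
            continue
        # Same idea as grep on the raw queue file: a plain byte search.
        if ATTACHMENT_NAME in path.read_bytes().lower():
            hits.append(path)
    return hits


def missed_messages(archive_dir, log_lines):
    """Candidates that were never reported as infected in the log."""
    flagged = infected_ids(log_lines)
    # Assumption: the archived file name starts with the queue ID.
    return [p for p in find_candidates(archive_dir)
            if queue_id(p.name) not in flagged]


def _write_sample(directory, name, marker, size):
    """Write a constructed stand-in for a queue file of exactly `size` bytes."""
    body = marker + b"\n" + b"A" * (size - len(marker) - 1)
    (Path(directory) / name).write_bytes(body)


def demo():
    """Run the check on constructed files and constructed log lines."""
    log_lines = [
        "Sep 14 02:11:56 relay MailScanner[22637]: Infected message "
        "AAAA11112222.A1B2C came from 192.0.2.10",
        "Sep 14 02:12:13 relay MailScanner[22637]: Uninfected: "
        "Delivered 1 messages",
    ]
    zip_marker = b'Content-Disposition: attachment; filename="start.zip"'
    txt_marker = b'Content-Disposition: attachment; filename="notes.txt"'
    with tempfile.TemporaryDirectory() as archive:
        # Detected by MailScanner: in the log, so not reported.
        _write_sample(archive, "AAAA11112222.A1B2C", zip_marker, 16896)
        # Same pattern but never logged as infected: reported.
        _write_sample(archive, "BBBB33334444.C3D4E", zip_marker, 16896)
        # Right size, different attachment: ignored.
        _write_sample(archive, "CCCC55556666.E5F6A", txt_marker, 16896)
        # Right attachment name, wrong size: ignored.
        _write_sample(archive, "DDDD77778888.0A1B2", zip_marker, 40 * 1024)
        return [p.name for p in missed_messages(archive, log_lines)]


if __name__ == "__main__":
    for name in demo():
        print("start.zip present but not logged as infected:", name)
```

On a real system, pass the archive directory and the lines of the mail log to `missed_messages()`; any file it returns is worth rescanning by hand.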
From: Andreas.Kasenides at cs.ucy.ac.cy (Andreas Kasenides)
Date: Mon Sep 15 09:07:15 2008
Subject: Watermarking marking good mail as SPAM?
Message-ID: <48CE17A0.1090805@cs.ucy.ac.cy>

Hi everybody. MailScanner is a great community.

I am suspecting that the watermarking feature is marking some messages as spam when it should not. Here is part of a header from a message that was marked as spam.

Subject: Re: [Spam] TACAS09
............
Message-ID:<4ABB3634864C@mac.com>
In-reply-to:<1020801@cs.ucy.ac.cy>
References:<3D1A89EADBC@mac.com> <48CC0FDE.1020801@cs.ucy.ac.cy>
X-Mailer:Apple Mail (2.928.1)
X-CSatUCY-Information:Please contact xxxx@cs.ucy.ac.cy for help.
X-CSatUCY-MailScanner-ID:E7309
X-CSatUCY-VirusCheck:Found to be clean
X-CSatUCY-SpamCheck:not spam, SpamAssassin (score=-2.599, required 5, autolearn=not spam, BAYES_00 -2.60)
X-CSatUCY-From:yyyyy@mac.com
X-CSatUCY-Watermark:1221964537.75397@fPhgdJd/cnrjJXq+MyJL2w
X-Spam-Status:No

If I read it correctly SA has not marked this as spam. But yet the Subject was appended with [SPAM] (our spam signature).

Our watermarking options are:

Use Watermarking = yes
Add Watermark = yes
Check Watermarks With No Sender = yes
Treat Invalid Watermarks With No Sender as Spam = spam
Check Watermarks To Skip Spam Checks = yes
Watermark Secret = zzzzzzz
Watermark Lifetime = 604800
Watermark Header = X-%org-name%-Watermark:

I have not been able to figure out when exactly this happens but it seems to me that messages are marked as SPAM when they are replies or forwards. (Re: or Fwd in the header).

Is there any way to know when the watermarking fires marking a message as spam and why?

Any ideas are appreciated. Thank you.

Andreas Kasenides
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080915/711599e6/attachment.html

From Paul.Bijnens at xplanation.com Mon Sep 15 09:48:58 2008
From: Paul.Bijnens at xplanation.com (Paul Bijnens) Date: Mon Sep 15 09:49:10 2008 Subject: Potential Postfix CentOS message unpacking bug In-Reply-To: <48CE134C.7080307@ecs.soton.ac.uk> References: <48CE134C.7080307@ecs.soton.ac.uk> Message-ID: <48CE217A.6050208@xplanation.com> On 2008-09-15 09:48, Julian Field wrote: > As some of you may have already realised, a few people are having a > problem on particular OS's when using Postfix, where a message generated > by a particular Trojan are not being unpacked properly. > > So Postfix users on CentOS, please can you check your logs for any > 16-17Kb spams which could possibly containing an attachment called > "start.zip" (grep should find it in raw queue files, if you're wondering > how to do that for raw queue files), which have not always been detected > as infected. > > You might want to use the "Archive Mail" feature of MailScanner.conf for > a while to see if you're getting anything like that, in case you are > suffering the problem. > > We would very much like to know how widespread this problem is, so > please report back with your findings and we'll take a straw poll of the > respondents. Running MailScanner on CentOS here, with archiving enabled as well. I did not find any message containing an attachment "start.zip" in my archived mails (between sep 11 and now sep 15 10:41 MET, for a total of 10928 mails). I'll still keep an eye on it for some days. 
-- Paul Bijnens, xplanation Technology Services Tel +32 16 397.511 Technologielaan 21 bus 2, B-3001 Leuven, BELGIUM Fax +32 16 397.512 http://www.xplanation.com/ email: Paul.Bijnens@xplanation.com *********************************************************************** * I think I've got the hang of it now: exit, ^D, ^C, ^\, ^Z, ^Q, ^^, * * F6, quit, ZZ, :q, :q!, M-Z, ^X^C, logoff, logout, close, bye, /bye, * * stop, end, F3, ~., ^]c, +++ ATH, disconnect, halt, abort, hangup, * * PF4, F20, ^X^X, :D::D, KJOB, F14-f-e, F8-e, kill -1 $$, shutdown, * * init 0, kill -9 1, Alt-F4, Ctrl-Alt-Del, AltGr-NumLock, Stop-A, ... * * ... "Are you sure?" ... YES ... Phew ... I'm out * *********************************************************************** From Andreas.Kasenides at cs.ucy.ac.cy Mon Sep 15 10:00:24 2008 
From: Andreas.Kasenides at cs.ucy.ac.cy (Andreas Kasenides) Date: Mon Sep 15 10:00:38 2008 Subject: Watermarking marking good mail as SPAM? In-Reply-To: <48CE17A0.1090805@cs.ucy.ac.cy> References: <48CE17A0.1090805@cs.ucy.ac.cy> Message-ID: <48CE2428.9060000@cs.ucy.ac.cy> I should have said that I am running MS: Linux xxxx.cs.ucy.ac.cy 2.6.18-53.1.21.el5 #1 SMP Tue May 20 09:35:07 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux This is CentOS release 5 (Final) This is Perl version 5.008008 (5.8.8) This is MailScanner version 4.71.10 Andreas Kasenides wrote: > Hi everybody. MailScanner is a great community. > > I am suspecting that the watermarking feature is making some messages > as spam when it should not. Here is part of a header from a message > that was > marked as spam. > > Subject: > Re: [Spam] TACAS09 > ............ > Message-ID:<4ABB3634864C@mac.com> > In-reply-to:<1020801@cs.ucy.ac.cy> > References:<3D1A89EADBC@mac.com> <48CC0FDE.1020801@cs.ucy.ac.cy> > X-Mailer:Apple Mail (2.928.1) > X-CSatUCY-Information:Please contact xxxx@cs.ucy.ac.cy for help. > X-CSatUCY-MailScanner-ID:E7309 > X-CSatUCY-VirusCheck:Found to be clean > X-CSatUCY-SpamCheck:not spam, SpamAssassin (score=-2.599, required 5, > autolearn=not spam, BAYES_00 -2.60) > X-CSatUCY-From:yyyyy@mac.com > X-CSatUCY-Watermark:1221964537.75397@fPhgdJd/cnrjJXq+MyJL2w > X-Spam-Status:No > > If I read it correctly SA has not marked this as spam. > But yet the Subject was appended with [SPAM] (our spam signature). > Our watermaking options are: > > Use Watermarking = yes > Add Watermark = yes > Check Watermarks With No Sender = yes > Treat Invalid Watermarks With No Sender as Spam = spam > Check Watermarks To Skip Spam Checks = yes > Watermark Secret = zzzzzzz > Watermark Lifetime = 604800 > Watermark Header = X-%org-name%-Watermark: > > I have not been able to figure out when exactly this happens but it > seems to me that messages > are marked as SPAM when they are replies or forwards. 
(Re: or Fwd in > the header). > Is there any way to know when the watermarking fires marking a message > as spam and why? > Any ideas are appreciated. > Thank you. > Andreas Kasenides > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080915/97e8ff4d/attachment.html From gmatt at nerc.ac.uk Mon Sep 15 11:24:45 2008 From: gmatt at nerc.ac.uk (Greg Matthews) Date: Mon Sep 15 11:25:18 2008 Subject: clamd DoS? Message-ID: <48CE37ED.6040200@nerc.ac.uk> anyone else getting hammered by Trojan.Autorun-285 making clamd suck up CPU cycles? Given enough of these trojans (~10) I'm seeing timeouts from clamd. The tell tale sign is huge increase in cpu usage as clamd hogs the processors. I'm using 0.93.3 and MS 4.68.8 (both to be upgraded in a couple of weeks). GREG -- Greg Matthews 01491 692445 Head of UNIX/Linux, iTSS Wallingford -- This message (and any attachments) is for the recipient only. NERC is subject to the Freedom of Information Act 2000 and the contents of this email and any reply you make may be disclosed by NERC unless it is exempt from release under the Act. Any material supplied to NERC may be stored in an electronic records management system. From ben.tisdall at photobox.com Mon Sep 15 11:28:25 2008 
From: ben.tisdall at photobox.com (Ben Tisdall)
Date: Mon Sep 15 11:28:40 2008
Subject: Desperately trying to debug poor spam scanning performance
In-Reply-To: <48CABC5B.2010603@photobox.com>
References: <48CA9E61.7080506@photobox.com> <5A881BE9-B6B4-463D-BFE0-0D7FFF8C80F3@rtpty.com> <48CABC5B.2010603@photobox.com>
Message-ID: <48CE38C9.2020308@photobox.com>

Hi all,

I've tried over the weekend to optimise spam processing speed on this box but with no major gains.

Here's some data that might be useful (jitter is my home box & newacorn the not-yet-deployed production box).

Speed Logging
=============

gmail => test => home

Spam Checks = no

newacorn:

11:12:31 Spam Checks completed at 43536 bytes per second

jitter:

11:12:37 Spam Checks completed at 60548 bytes per second

Spam Checks = yes

newacorn:

11:15:17 Spam Checks completed at 491 bytes per second

jitter:

11:15:26 Spam Checks completed at 1778 bytes per second

bonnie++ results:
=================

https://jitter.tisdall.org.uk/pub/mstest/ms_disk.html

Perl modules diff:
==================

https://jitter.tisdall.org.uk/pub/mstest/ms_modules_diff.txt

Let me know if any further info would be helpful.

Thanks!

Best regards,

Ben.

--
Ben Tisdall
Linux Systems Administrator | www.photobox.com

From raymond at prolocation.net Mon Sep 15 11:30:17 2008
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Mon Sep 15 11:30:26 2008
Subject: clamd DoS?
In-Reply-To: <48CE37ED.6040200@nerc.ac.uk>
References: <48CE37ED.6040200@nerc.ac.uk>
Message-ID:

Hi!

> anyone else getting hammered by Trojan.Autorun-285 making clamd suck up CPU
> cycles? Given enough of these trojans (~10) I'm seeing timeouts from clamd.
>
> The tell tale sign is huge increase in cpu usage as clamd hogs the
> processors.
>
> I'm using 0.93.3 and MS 4.68.8 (both to be upgraded in a couple of weeks).

Yes, and there are also messages breaking MS currently. We are looking to get some files over to Julian.

[root@mx100 1KfAVc-0005nv-3m]# unzip contract_I1.zip
Archive: contract_I1.zip
inflating: contract_I1.doc.exe

Stuff like that is keeping the CPU busy and after a while we see:

Sep 15 11:49:59 mx100 MailScanner[19081]: Commercial scanner clamd timed out!
Sep 15 11:49:59 mx100 MailScanner[19081]: clamd: Failed to complete, timed out
Sep 15 11:49:59 mx100 MailScanner[19081]: Virus Scanning: Denial Of Service attack detected!

So no, you are not the only one. We see this on multiple clusters running MS.

Bye,
Raymond.

From raymond at prolocation.net Mon Sep 15 11:31:50 2008
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Mon Sep 15 11:31:58 2008
Subject: clamd DoS?
In-Reply-To: <48CE37ED.6040200@nerc.ac.uk>
References: <48CE37ED.6040200@nerc.ac.uk>
Message-ID:

Hi!

> The tell tale sign is huge increase in cpu usage as clamd hogs the
> processors.
>
> I'm using 0.93.3 and MS 4.68.8 (both to be upgraded in a couple of weeks).

Also with ClamAV 0.94 and latest MS beta it breaks. We just upgraded.

Bye,
Raymond.

From prandal at herefordshire.gov.uk Mon Sep 15 11:51:09 2008
From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Mon Sep 15 11:51:41 2008 Subject: clamd DoS? In-Reply-To: <48CE37ED.6040200@nerc.ac.uk> References: <48CE37ED.6040200@nerc.ac.uk> Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA04A6787D@HC-MBX02.herefordshire.gov.uk> I saw something similar with ClamAVModule on Friday - I increased the virus scan timeout in MailScanner.conf and the affected box has been happier since. Cheers, Phil -- Phil Randal Networks Engineer Herefordshire Council Hereford, UK -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Greg Matthews Sent: 15 September 2008 11:25 To: MailScanner discussion Subject: clamd DoS? anyone else getting hammered by Trojan.Autorun-285 making clamd suck up CPU cycles? Given enough of these trojans (~10) I'm seeing timeouts from clamd. The tell tale sign is huge increase in cpu usage as clamd hogs the processors. I'm using 0.93.3 and MS 4.68.8 (both to be upgraded in a couple of weeks). GREG -- Greg Matthews 01491 692445 Head of UNIX/Linux, iTSS Wallingford -- This message (and any attachments) is for the recipient only. NERC is subject to the Freedom of Information Act 2000 and the contents of this email and any reply you make may be disclosed by NERC unless it is exempt from release under the Act. Any material supplied to NERC may be stored in an electronic records management system. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From MailScanner at ecs.soton.ac.uk Mon Sep 15 12:19:50 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Sep 15 12:20:17 2008 Subject: Desperately trying to debug poor spam scanning performance In-Reply-To: References: <48CA9E61.7080506@photobox.com> <5A881BE9-B6B4-463D-BFE0-0D7FFF8C80F3@rtpty.com> <48CABC5B.2010603@photobox.com> Message-ID: <48CE44D6.9090907@ecs.soton.ac.uk> Ben Tisdall wrote: > Hi all, > > I've tried over the weekend to optimise spam processing speed on this > box but with no major gains. > > Here's some data that might be useful (jitter is my home box & newacorn > the not-yet-deployed production box). > > Speed Logging > ============= > > gmail => test => home > > Spam Checks = no > > newacorn: > > 11:12:31 Spam Checks completed at 43536 bytes per second > > jitter: > > 11:12:37 Spam Checks completed at 60548 bytes per second > > Spam Checks = yes > > newacorn: > > 11:15:17 Spam Checks completed at 491 bytes per second > > jitter: > > 11:15:26 Spam Checks completed at 1778 bytes per second > > > bonnie++ results: > ================= > > https://jitter.tisdall.org.uk/pub/mstest/ms_disk.html > > > Perl modules diff: > ================== > > https://jitter.tisdall.org.uk/pub/mstest/ms_modules_diff.txt > > Have you done a "MailScanner --debug --debug-sa" with a couple of messages in the queue, so you can see exactly where the slow bits are? It prints out a timestamp at the start of every line of output as the spam checks are done by SpamAssassin, so you can see which bits take a long time. Do you run a "default deny" on your outbound traffic through your firewall, so some tool like Razor (for example) is waiting for a timeout? Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! 
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From campbell at cnpapers.com Mon Sep 15 12:26:12 2008
From: campbell at cnpapers.com (Steve Campbell)
Date: Mon Sep 15 12:26:29 2008
Subject: Happy birthday , dude
Message-ID: <48CE4654.9020403@cnpapers.com>

Happy birthday.

Hear you been out west again. Have any luck?

See you when I can. In case you hadn't seen it, the Beatles tribute band "1964" is coming to town this month. (I think it's this month).

steve

From kevin.howard at jobmedia.com.au Mon Sep 15 12:28:12 2008
From: kevin.howard at jobmedia.com.au (Kevin Howard)
Date: Mon Sep 15 12:28:34 2008
Subject: how to detect koi8-r characters
Message-ID: <1A6F40B4130E4C23BDBBE9B37DC6D8BD@KHFUJITSU>

Hi,

We're receiving a lot of spam comprising Cyrillic characters in the subject line, example

Subject: =?koi8-r?B?8sXLzGHNwSDXIOnObcXSzsVtxSA=?=

and a message body which is 100% Cyrillic, some messages are plain text and some HTML. The plain messages are using:

MIME-Version: 1.0
Content-Type: text/plain; charset="koi8-r"
Content-Transfer-Encoding: 8bit

Spamassassin doesn't seem to be able to detect these reliably despite us training bayes on these messages and utilising language filters. So we're trying to use MCP to detect them but have had no success whatsoever to date. I have tried making a rule to detect " ?koi8 " in the subject line but Mailscanner only seems to look at visible characters.

Any ideas? My preference is to stop them with MCP if possible.

Thanks,
Kevin

From hafiz at variegate.biz Mon Sep 15 12:44:40 2008
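Added example, not part of Kevin Howard's post and not MailScanner or SpamAssassin code: a Python standard-library sketch run on the Subject value quoted in that post. It shows that the "koi8-r" label exists only in the raw header and is gone once the header is decoded, and that the decoded subject mixes Latin letters into Cyrillic words; the function names are this example's own.

```python
import re
import unicodedata
from email.header import decode_header

# RFC 2047 encoded-word: =?charset?encoding?encoded-text?=
ENCODED_WORD_RE = re.compile(r"=\?([^?\s]+)\?[bBqQ]\?[^?\s]*\?=")

# Subject value exactly as quoted in the post above.
SUBJECT = "=?koi8-r?B?8sXLzGHNwSDXIOnObcXSzsVtxSA=?="


def declared_charsets(raw_subject):
    """Charsets named in the raw (undecoded) header, lower-cased, in order."""
    return [m.group(1).lower() for m in ENCODED_WORD_RE.finditer(raw_subject)]


def decoded_subject(raw_subject):
    """The text a rule sees if it is applied after header decoding."""
    parts = []
    for text, charset in decode_header(raw_subject):
        if isinstance(text, bytes):
            try:
                text = text.decode(charset or "ascii", errors="replace")
            except LookupError:  # charset label unknown to Python
                text = text.decode("latin-1")
        parts.append(text)
    return "".join(parts)


def scripts(word):
    """Scripts ('CYRILLIC', 'LATIN', ...) used by the letters of one word."""
    return {unicodedata.name(ch).split()[0] for ch in word if ch.isalpha()}


def mixed_script_words(text):
    """Words that contain both Cyrillic and Latin letters."""
    return [w for w in text.split() if {"CYRILLIC", "LATIN"} <= scripts(w)]


def report(raw_subject):
    text = decoded_subject(raw_subject)
    return {
        "charsets": declared_charsets(raw_subject),
        "marker_survives_decoding": "koi8" in text.lower(),
        "mixed_script_words": mixed_script_words(text),
    }


if __name__ == "__main__":
    for key, value in report(SUBJECT).items():
        print(f"{key}: {value}")
```

A check on the charset label therefore has to run against the raw header text, while a check on the decoded text can look for mixed-script words instead.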
From: hafiz at variegate.biz (Mohd Hafiz Ramly) Date: Mon Sep 15 12:44:58 2008 Subject: Potential Postfix CentOS message unpacking bug In-Reply-To: <48CE134C.7080307@ecs.soton.ac.uk> References: <48CE134C.7080307@ecs.soton.ac.uk> Message-ID: <48CE4AA8.3050707@variegate.biz> An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080915/dc6964ff/attachment.html -------------- next part -------------- A non-text attachment was scrubbed... Name: bronze-SHADOW.png Type: image/png Size: 2874 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080915/dc6964ff/bronze-SHADOW.png From alex at rtpty.com Mon Sep 15 12:59:05 2008 From: alex at rtpty.com (Alex Neuman van der Hans) Date: Mon Sep 15 12:59:20 2008 Subject: Watermarking marking good mail as SPAM? In-Reply-To: <48CE17A0.1090805@cs.ucy.ac.cy> References: <48CE17A0.1090805@cs.ucy.ac.cy> Message-ID: <7697A9EB-71A0-4FC6-B7D0-3103FE9661F7@rtpty.com> Are you sure you did it? Change it to "[.SPAM.]" and see if it still happens. [SPAM] is fairly generic. On Sep 15, 2008, at 3:06 AM, Andreas Kasenides wrote: > But yet the Subject was appended with [SPAM] (our spam signature). From ms-list at alexb.ch Mon Sep 15 13:07:24 2008 
From: ms-list at alexb.ch (Alex Broens) Date: Mon Sep 15 13:07:34 2008 Subject: Potential Postfix CentOS message unpacking bug In-Reply-To: <48CE4AA8.3050707@variegate.biz> References: <48CE134C.7080307@ecs.soton.ac.uk> <48CE4AA8.3050707@variegate.biz> Message-ID: <48CE4FFC.4040509@alexb.ch> On 9/15/2008 1:44 PM, Mohd Hafiz Ramly wrote: > Hi, > > My logs shows the message was blocked all right. > > [root@mail2 ~]# cat /var/log/maillog | grep start.zip > Sep 15 17:06:50 mail2 MailScanner[2130]: ClamAVModule::INFECTED:: > Trojan.Fakealert-532 :: ./E46EC418932.42ACF/start.zip > [root@mail2 ~]# cat /var/log/maillog | grep E46EC418932.42ACF > Sep 15 17:06:50 mail2 MailScanner[2130]: ClamAVModule::INFECTED:: > Trojan.Fakealert-532 FOUND :: ./E46EC418932.42ACF/ > Sep 15 17:06:50 mail2 MailScanner[2130]: ClamAVModule::INFECTED:: > Trojan.Fakealert-532 :: ./E46EC418932.42ACF/Start.exe > Sep 15 17:06:50 mail2 MailScanner[2130]: ClamAVModule::INFECTED:: > Trojan.Fakealert-532 :: ./E46EC418932.42ACF/start.zip > Sep 15 17:06:50 mail2 MailScanner[2130]: ClamAVModule::INFECTED:: > Email.Hdr.Sanesecurity.08071800 FOUND :: ./E46EC418932.42ACF/ > Sep 15 17:06:50 mail2 MailScanner[2130]: Infected message E46EC418932.42ACF came > from 89.136.55.85 > Sep 15 17:06:50 mail2 MailScanner[2130]: Filename Checks: (E46EC418932.42ACF > Start.exe) > Sep 15 17:06:50 mail2 MailScanner[2130]: Filetype Checks: No executables > (E46EC418932.42ACF Start.exe) > Sep 15 17:06:50 mail2 MailScanner[2130]: Logging message E46EC418932.42ACF to SQL > Sep 15 17:06:50 mail2 MailScanner[4701]: E46EC418932.42ACF: Logged to MailWatch SQL > [root@mail2 ~]# > > Let me know if you anything else from the logs. on the affected systems some are detected, sadly *not* all they'd be tagged as spam Alex From Andreas.Kasenides at cs.ucy.ac.cy Mon Sep 15 13:15:59 2008 
From: Andreas.Kasenides at cs.ucy.ac.cy (Andreas Kasenides) Date: Mon Sep 15 13:16:14 2008 Subject: Watermarking marking good mail as SPAM? In-Reply-To: <7697A9EB-71A0-4FC6-B7D0-3103FE9661F7@rtpty.com> References: <48CE17A0.1090805@cs.ucy.ac.cy> <7697A9EB-71A0-4FC6-B7D0-3103FE9661F7@rtpty.com> Message-ID: <48CE51FF.1050301@cs.ucy.ac.cy> Alex Neuman van der Hans wrote: > Are you sure you did it? Change it to "[.SPAM.]" and see if it still > happens. [SPAM] is fairly generic. > > On Sep 15, 2008, at 3:06 AM, Andreas Kasenides wrote: > >> But yet the Subject was appended with [SPAM] (our spam signature). > I am certain it is not some other server that is marking the messages since messages originating from our servers have the same fate. Thanks Andreas -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080915/c45915e4/attachment.html From ben.tisdall at photobox.com Mon Sep 15 13:18:10 2008 
From: ben.tisdall at photobox.com (Ben Tisdall) Date: Mon Sep 15 13:18:20 2008 Subject: Desperately trying to debug poor spam scanning performance In-Reply-To: <48CE44D6.9090907@ecs.soton.ac.uk> References: <48CA9E61.7080506@photobox.com> <5A881BE9-B6B4-463D-BFE0-0D7FFF8C80F3@rtpty.com> <48CABC5B.2010603@photobox.com> <48CE44D6.9090907@ecs.soton.ac.uk> Message-ID: <48CE5282.4020306@photobox.com> Julian Field wrote: > >> > Have you done a "MailScanner --debug --debug-sa" with a couple of > messages in the queue, so you can see exactly where the slow bits are? > It prints out a timestamp at the start of every line of output as the > spam checks are done by SpamAssassin, so you can see which bits take a > long time. > > Do you run a "default deny" on your outbound traffic through your > firewall, so some tool like Razor (for example) is waiting for a timeout? > Thanks Jules, I *can* see a razor timeout in the debug output. The fw should allow it and indeed if I razor-check a message I can see the packet exchange happening in both directions. I'll make more tests. Best regards, Ben. -- Ben Tisdall Linux Systems Administrator | www.photobox.com From Andreas.Kasenides at cs.ucy.ac.cy Mon Sep 15 13:26:30 2008 
From: Andreas.Kasenides at cs.ucy.ac.cy (Andreas Kasenides)
Date: Mon Sep 15 13:26:43 2008
Subject: Potential Postfix CentOS message unpacking bug
In-Reply-To: <48CE134C.7080307@ecs.soton.ac.uk>
References: <48CE134C.7080307@ecs.soton.ac.uk>
Message-ID: <48CE5476.6020701@cs.ucy.ac.cy>

Julian Field wrote:
> As some of you may have already realised, a few people are having a
> problem on particular OS's when using Postfix, where a message
> generated by a particular Trojan is not being unpacked properly.
>
> So Postfix users on CentOS, please can you check your logs for any
> 16-17Kb spams which could possibly contain an attachment called
> "start.zip" (grep should find it in raw queue files, if you're
> wondering how to do that for raw queue files), which have not always
> been detected as infected.
>
> You might want to use the "Archive Mail" feature of MailScanner.conf
> for a while to see if you're getting anything like that, in case you
> are suffering the problem.
>
> We would very much like to know how widespread this problem is, so
> please report back with your findings and we'll take a straw poll of
> the respondents.
>
> Thanks folks!
>
> Jules
>

Running MS 4.71.10 with Postfix 2.3.3 and CentOS 5.2.
Many of these, actually 79 in the last 36 hours or so have been caught successfully.

Sep 14 07:25:25 iolaos-new MailScanner[16162]: /var/spool/MailScanner/incoming/16162/./DC59F8C275.169EC/start.zip: Trojan.Fakealert-532 FOUND
Sep 14 07:25:29 iolaos-new MailScanner[15957]: /var/spool/MailScanner/incoming/15957/./C8E378C2A5.BBD68/start.zip: Trojan.Fakealert-532 FOUND
Sep 14 07:26:05 iolaos-new MailScanner[15906]: /var/spool/MailScanner/incoming/15906/./6C6408C2A7.5DEC0/start.zip: Trojan.Fakealert-532 FOUND
Sep 14 07:30:16 iolaos-new MailScanner[16162]: /var/spool/MailScanner/incoming/16162/./C5C768C2AA.09A93/start.zip: Trojan.Fakealert-532 FOUND
.......

cat maillog|grep DC59F8C275.169EC
Sep 14 07:25:25 iolaos-new MailScanner[16162]: /var/spool/MailScanner/incoming/16162/./DC59F8C275.169EC/start.zip: Trojan.Fakealert-532 FOUND
Sep 14 07:25:25 iolaos-new MailScanner[16162]: /var/spool/MailScanner/incoming/16162/./DC59F8C275.169EC/Start.exe: Trojan.Fakealert-532 FOUND
Sep 14 07:25:25 iolaos-new MailScanner[16162]: Infected message DC59F8C275.169EC came from 83.206.158.181
Sep 14 07:25:25 iolaos-new MailScanner[16162]: Filename Checks: (DC59F8C275.169EC Start.exe)

Andreas

From alex at rtpty.com Mon Sep 15 13:40:57 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Mon Sep 15 13:41:16 2008
Subject: Watermarking marking good mail as SPAM?
In-Reply-To: <48CE51FF.1050301@cs.ucy.ac.cy>
References: <48CE17A0.1090805@cs.ucy.ac.cy> <7697A9EB-71A0-4FC6-B7D0-3103FE9661F7@rtpty.com> <48CE51FF.1050301@cs.ucy.ac.cy>
Message-ID: <7384D2F2-DDF1-47F0-A642-5826B8B8563A@rtpty.com>

There are milters that do the same. Humor me. I'm not saying your servers aren't doing the tagging, I'm suggesting you eliminate the possibility that something other than MailScanner is doing it.

---
Alex Neuman
Reliant Technologies
+507 6781-9505
Skype: alexneuman

On Sep 15, 2008, at 7:15 AM, Andreas Kasenides wrote:

> Alex Neuman van der Hans wrote:
>>
>> Are you sure you did it? Change it to "[.SPAM.]" and see if it
>> still happens. [SPAM] is fairly generic.
>>
>> On Sep 15, 2008, at 3:06 AM, Andreas Kasenides wrote:
>>
>>> But yet the Subject was appended with [SPAM] (our spam signature).
>>
> I am certain it is not some other server that is marking the messages
> since messages originating from our servers have the same fate.
> Thanks
> Andreas
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From gmatt at nerc.ac.uk Mon Sep 15 13:43:20 2008
From: gmatt at nerc.ac.uk (Greg Matthews) Date: Mon Sep 15 13:43:43 2008 Subject: clamd DoS? In-Reply-To: References: <48CE37ED.6040200@nerc.ac.uk> Message-ID: <48CE5868.10509@nerc.ac.uk> Raymond Dijkxhoorn wrote: > Also with ClamAV 0.94 and latest MS beta it breaks. We just upgraded. thanks guys, good to know. Will keep a weather eye on the list. G > > Bye, > Raymond. -- Greg Matthews 01491 692445 Head of UNIX/Linux, iTSS Wallingford -- This message (and any attachments) is for the recipient only. NERC is subject to the Freedom of Information Act 2000 and the contents of this email and any reply you make may be disclosed by NERC unless it is exempt from release under the Act. Any material supplied to NERC may be stored in an electronic records management system. From Denis.Beauchemin at USherbrooke.ca Mon Sep 15 13:49:35 2008 
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Mon Sep 15 13:49:52 2008
Subject: Desperately trying to debug poor spam scanning performance
In-Reply-To: <48CE38C9.2020308@photobox.com>
References: <48CA9E61.7080506@photobox.com> <5A881BE9-B6B4-463D-BFE0-0D7FFF8C80F3@rtpty.com> <48CABC5B.2010603@photobox.com> <48CE38C9.2020308@photobox.com>
Message-ID: <48CE59DF.8000705@USherbrooke.ca>

Ben Tisdall wrote:
> Hi all,
>
> I've tried over the weekend to optimise spam processing speed on this
> box but with no major gains.
>
> Here's some data that might be useful (jitter is my home box & newacorn
> the not-yet-deployed production box).
>
> Speed Logging
> =============
>
> gmail => test => home
>
> Spam Checks = no
>
> newacorn:
>
> 11:12:31 Spam Checks completed at 43536 bytes per second
>
> jitter:
>
> 11:12:37 Spam Checks completed at 60548 bytes per second
>
> Spam Checks = yes
>
> newacorn:
>
> 11:15:17 Spam Checks completed at 491 bytes per second
>
> jitter:
>
> 11:15:26 Spam Checks completed at 1778 bytes per second
>
>
> bonnie++ results:
> =================
>
> https://jitter.tisdall.org.uk/pub/mstest/ms_disk.html
>
>
> Perl modules diff:
> ==================
>
> https://jitter.tisdall.org.uk/pub/mstest/ms_modules_diff.txt
>
> Let me know if any further info would be helpful.
>
> Thanks!
>
> Best regards,
>
> Ben.
>
>

Ben,

Is newacorn your new machine? If so, it has really bad I/O figures compared to jitter. Maybe you should investigate into this.

Denis

--
   _
  °v°   Denis Beauchemin, analyst
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From ms-list at alexb.ch Mon Sep 15 14:12:36 2008
From: ms-list at alexb.ch (Alex Broens) Date: Mon Sep 15 14:12:58 2008 Subject: Potential Postfix CentOS message unpacking bug In-Reply-To: <48CE5476.6020701@cs.ucy.ac.cy> References: <48CE134C.7080307@ecs.soton.ac.uk> <48CE5476.6020701@cs.ucy.ac.cy> Message-ID: <48CE5F44.4020901@alexb.ch> On 9/15/2008 2:26 PM, Andreas Kasenides wrote: > Julian Field wrote: >> As some of you may have already realised, a few people are having a >> problem on particular OS's when using Postfix, where a message >> generated by a particular Trojan are not being unpacked properly. >> >> So Postfix users on CentOS, please can you check your logs for any >> 16-17Kb spams which could possibly containing an attachment called >> "start.zip" (grep should find it in raw queue files, if you're >> wondering how to do that for raw queue files), which have not always >> been detected as infected. >> >> You might want to use the "Archive Mail" feature of MailScanner.conf >> for a while to see if you're getting anything like that, in case you >> are suffering the problem. >> >> We would very much like to know how widespread this problem is, so >> please report back with your findings and we'll take a straw poll of >> the respondents. >> >> Thanks folks! >> >> Jules >> > Running MS 4.71.10 with Postfix 2.3.3 and CentOS 5.2. > Many of these, actually 79 in the last 36 hours or so have been caught > successfully. many... cool how many were tagged as spam and not detected? Subjects can be: So cute! How Sun loves... Dare to see! Can't miss this. Tears from the Moon. Just watch this! all between 16.4kb and 16.8kb for those using Mailwatch they should be easy to find thanks all for your help Alex From ben.tisdall at photobox.com Mon Sep 15 14:24:30 2008 
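Added example, not code from MailScanner or from anyone on the list: one way to run the check Julian Field asks for and Alex Broens narrows down above, by listing archived messages in the 16-17 KB window that contain "start.zip" but have no "Infected message" log entry. It assumes archived copies sit in one directory and are named by MailScanner message ID; the log lines, IDs and message bodies below are constructed.

```python
import re
import tempfile
from pathlib import Path

# Log line format quoted in the thread:
#   "... MailScanner[2130]: Infected message E46EC418932.42ACF came from 89.136.55.85"
INFECTED_RE = re.compile(r"MailScanner\[\d+\]: Infected message (\S+) came from \S+")
# Byte-level, case-insensitive match: what `grep -i start.zip` does on a raw
# queue file or an archived copy.
ATTACHMENT_RE = re.compile(rb"start\.zip", re.IGNORECASE)
MIN_SIZE, MAX_SIZE = 16 * 1024, 17 * 1024  # the "16-17Kb" window from the request


def infected_ids(log_lines):
    """Message IDs that MailScanner logged as infected."""
    return {m.group(1) for line in log_lines if (m := INFECTED_RE.search(line))}


def candidates(archive_dir):
    """Map message ID -> size for archived messages matching the described profile."""
    found = {}
    for path in sorted(Path(archive_dir).iterdir()):
        if not path.is_file():
            continue
        size = path.stat().st_size
        if MIN_SIZE <= size <= MAX_SIZE and ATTACHMENT_RE.search(path.read_bytes()):
            found[path.name] = size  # assumption: file name is the message ID
    return found


def missed_messages(archive_dir, log_lines):
    """IDs that fit the profile but have no 'Infected message' log entry."""
    flagged = infected_ids(log_lines)
    return sorted(i for i in candidates(archive_dir) if i not in flagged)


# --- constructed sample data, not taken from any real server ---
SAMPLE_LOG = """\
Sep 15 17:06:50 mx MailScanner[2130]: Infected message AAAA000001.A1111 came from 192.0.2.10
Sep 15 17:06:51 mx MailScanner[2130]: Virus Scanning: Found 1 viruses
"""


def _fake_message(attachment, size):
    """Build a dummy message of exactly `size` bytes naming one attachment."""
    head = b'Content-Disposition: attachment; filename="' + attachment + b'"\n\n'
    return head + b"A" * (size - len(head))


SAMPLE_ARCHIVE = {
    "AAAA000001.A1111": _fake_message(b"start.zip", 16700),   # detected and logged
    "AAAA000002.B2222": _fake_message(b"Start.ZIP", 16500),   # in window, never logged
    "AAAA000003.C3333": _fake_message(b"report.pdf", 16600),  # right size, other file
    "AAAA000004.D4444": _fake_message(b"start.zip", 40000),   # right name, wrong size
}


def demo():
    """Write the constructed archive to a temp directory and run the check."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in SAMPLE_ARCHIVE.items():
            (Path(tmp) / name).write_bytes(data)
        return missed_messages(tmp, SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for msg_id in demo():
        print("fits the profile, not flagged as infected:", msg_id)
```

On a real server, pass the archive directory for one day and the lines of the maillog covering the same period.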
From: ben.tisdall at photobox.com (Ben Tisdall) Date: Mon Sep 15 14:24:40 2008 Subject: Desperately trying to debug poor spam scanning performance In-Reply-To: <48CE44D6.9090907@ecs.soton.ac.uk> References: <48CA9E61.7080506@photobox.com> <5A881BE9-B6B4-463D-BFE0-0D7FFF8C80F3@rtpty.com> <48CABC5B.2010603@photobox.com> <48CE44D6.9090907@ecs.soton.ac.uk> Message-ID: <48CE620E.9060909@photobox.com> The razor timeout seemed to have been a one-off. Here's a debug output (clearly Pyzor's unhappy, but it's the same on the comparison machine too, turning off doesn't help) https://jitter.tisdall.org.uk/pub/mstest/ms_debug.txt Best regards, Ben. -- Ben Tisdall Linux Systems Administrator | www.photobox.com Google Talk: ben.tisdall@gmail.com | skype: btisdall +44 (0)20 8453 6161 From alex at rtpty.com Mon Sep 15 14:40:28 2008 
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Mon Sep 15 14:40:52 2008 Subject: Potential Postfix CentOS message unpacking bug In-Reply-To: <48CE5476.6020701@cs.ucy.ac.cy> References: <48CE134C.7080307@ecs.soton.ac.uk> <48CE5476.6020701@cs.ucy.ac.cy> Message-ID: I'm not affected since I use sendmail, but if you guys post a brief howto regarding submitting samples I'll be glad to help. --- Alex Neuman Reliant Technologies +507 6781-9505 Skype: alexneuman On Sep 15, 2008, at 7:26 AM, Andreas Kasenides wrote: > Julian Field wrote: >> >> As some of you may have already realised, a few people are having a >> problem on particular OS's when using Postfix, where a message >> generated by a particular Trojan are not being unpacked properly. >> >> So Postfix users on CentOS, please can you check your logs for any >> 16-17Kb spams which could possibly containing an attachment called >> "start.zip" (grep should find it in raw queue files, if you're >> wondering how to do that for raw queue files), which have not >> always been detected as infected. >> >> You might want to use the "Archive Mail" feature of >> MailScanner.conf for a while to see if you're getting anything like >> that, in case you are suffering the problem. >> >> We would very much like to know how widespread this problem is, so >> please report back with your findings and we'll take a straw poll >> of the respondents. >> >> Thanks folks! >> >> Jules >> > Running MS 4.71.10 with Postfix 2.3.3 and CentOS 5.2. > Many of these, actually 79 in the last 36 hours or so have been > caught successfully. 
> > Sep 14 07:25:25 iolaos-new MailScanner[16162]: /var/spool/ > MailScanner/incoming/16162/./DC59F8C275.169EC/start.zip: > Trojan.Fakealert-532 FOUND > Sep 14 07:25:29 iolaos-new MailScanner[15957]: /var/spool/ > MailScanner/incoming/15957/./C8E378C2A5.BBD68/start.zip: > Trojan.Fakealert-532 FOUND > Sep 14 07:26:05 iolaos-new MailScanner[15906]: /var/spool/ > MailScanner/incoming/15906/./6C6408C2A7.5DEC0/start.zip: > Trojan.Fakealert-532 FOUND > Sep 14 07:30:16 iolaos-new MailScanner[16162]: /var/spool/ > MailScanner/incoming/16162/./C5C768C2AA.09A93/start.zip: > Trojan.Fakealert-532 FOUND > ....... > cat maillog|grep DC59F8C275.169EC > Sep 14 07:25:25 iolaos-new MailScanner[16162]: /var/spool/ > MailScanner/incoming/16162/./DC59F8C275.169EC/start.zip: > Trojan.Fakealert-532 FOUND > Sep 14 07:25:25 iolaos-new MailScanner[16162]: /var/spool/ > MailScanner/incoming/16162/./DC59F8C275.169EC/Start.exe: > Trojan.Fakealert-532 FOUND > Sep 14 07:25:25 iolaos-new MailScanner[16162]: Infected message > DC59F8C275.169EC came from 83.206.158.181 > Sep 14 07:25:25 iolaos-new MailScanner[16162]: Filename Checks: > (DC59F8C275.169EC Start.exe) > > > Andreas > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080915/1a67173d/attachment.html From campbell at cnpapers.com Mon Sep 15 15:34:39 2008 
From: campbell at cnpapers.com (Steve Campbell) Date: Mon Sep 15 15:35:02 2008 Subject: Happy birthday , dude In-Reply-To: <48CE4654.9020403@cnpapers.com> References: <48CE4654.9020403@cnpapers.com> Message-ID: <48CE727F.6040701@cnpapers.com> Talk about spam . Sorry for the errant "To:". Should have went to someone else, obviously. Steve Campbell wrote: > Happy birthday. > > Hear you been out west again. Have any luck? > > See you when I can. In case you hadn't seen it, the Beatles tribute > band "1964" is coming to town this month. (I think it's this month). > > steve > From dstraka at caspercollege.edu Mon Sep 15 15:52:52 2008 From: dstraka at caspercollege.edu (Daniel Straka) Date: Mon Sep 15 15:53:25 2008 Subject: A lot of spam getting through this weekend Message-ID: <48CE2264.61A4.0000.0@caspercollege.edu> Over the past 4 day sooo much spam is getting through my MailScanner installation that I'm beginning to wonder if the spammers have figured out a way to get around it. A lot of *exually related messages, bank phishing attempts and more. MailScanner / SpamAssassin appear to be working ok yet everyone is getting about 10x the usual amount of spam making it into their mailboxes. Is anyone else seeing an issue like this? Thanks, -- Dan Straka Systems Coordinator Casper College 307.268.2399 www.caspercollege.edu ( http://www.caspercollege.edu/ ) From uxbod at splatnix.net Mon Sep 15 16:06:36 2008 
From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Mon Sep 15 16:07:07 2008 Subject: A lot of spam getting through this weekend In-Reply-To: <48CE2264.61A4.0000.0@caspercollege.edu> Message-ID: <15680497.2911221491195965.JavaMail.root@office.splatnix.net> Nope, as I use the SaneSecurity clam sigs which appear to be blocked ~98% of them. Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- "Daniel Straka" wrote: > Over the past 4 day sooo much spam is getting through my MailScanner > installation that I'm beginning to wonder if the spammers have figured > out a way to get around it. A lot of *exually related messages, bank > phishing attempts and more. > > MailScanner / SpamAssassin appear to be working ok yet everyone is > getting about 10x the usual amount of spam making it into their > mailboxes. > > Is anyone else seeing an issue like this? > > > > Thanks, -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From martinh at solidstatelogic.com Mon Sep 15 16:27:33 2008 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Mon Sep 15 16:27:46 2008 Subject: A lot of spam getting through this weekend In-Reply-To: <48CE2264.61A4.0000.0@caspercollege.edu> Message-ID: Dan Same here - looking at the scores my Bayes is low/negative scoring so I'm thinking about resetting with the starter one from www.fsl.com/support Saying that I had three under my spam threshold (5) and 23 in the spam (5-10) which were subject tagged and delivered and goodness knows how many blocked so... -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Daniel Straka > Sent: 15 September 2008 15:53 > To: mailscanner@lists.mailscanner.info > Subject: A lot of spam getting through this weekend > > Over the past 4 day sooo much spam is getting through my > MailScanner installation that I'm beginning to wonder if the > spammers have figured out a way to get around it. A lot of > *exually related messages, bank phishing attempts and more. > MailScanner / SpamAssassin appear to be working ok yet > everyone is getting about 10x the usual amount of spam making > it into their mailboxes. > Is anyone else seeing an issue like this? > > Thanks, > -- > > Dan Straka > Systems Coordinator > Casper College > 307.268.2399 > www.caspercollege.edu ( http://www.caspercollege.edu/ ) > From MailScanner at ecs.soton.ac.uk Mon Sep 15 16:31:28 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Sep 15 16:31:51 2008 Subject: clamd DoS? In-Reply-To: References: <48CE37ED.6040200@nerc.ac.uk> Message-ID: <48CE7FD0.3070909@ecs.soton.ac.uk> Raymond Dijkxhoorn wrote: > Hi! > >> The tell tale sign is huge increase in cpu usage as clamd hogs the >> processors. >> >> I'm using 0.93.3 and MS 4.68.8 (both to be upgraded in a couple of >> weeks). > > Also with ClamAV 0.94 and latest MS beta it breaks. We just upgraded. I just ran the message with clamd and had no problems at all. At Mon Sep 15 16:29:30 2008 the virus scanner said: Clamd: contract_I1.zip was infected: Trojan.Agent-49425 # clamscan --version ClamAV 0.94/8247/Mon Sep 15 13:04:53 2008 Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From raymond at prolocation.net Mon Sep 15 16:46:19 2008 
From: raymond at prolocation.net (Raymond Dijkxhoorn) Date: Mon Sep 15 16:46:30 2008 Subject: clamd DoS? In-Reply-To: <48CE7FD0.3070909@ecs.soton.ac.uk> References: <48CE37ED.6040200@nerc.ac.uk> <48CE7FD0.3070909@ecs.soton.ac.uk> Message-ID: Hi! > Also with ClamAV 0.94 and latest MS beta it breaks. We just upgraded. > I just ran the message with clamd and had no problems at all. > > At Mon Sep 15 16:29:30 2008 the virus scanner said: > Clamd: contract_I1.zip was infected: Trojan.Agent-49425 > > # clamscan --version > ClamAV 0.94/8247/Mon Sep 15 13:04:53 2008 We have 4 different sites that are all having the same issue, with various versions of MailScanner. I don't know if we can test feeding it Clam directly. But inside MailScanner with ClamD running it really breaks. So strange. If needed we can give you access to a couple of the machines. Bye, Raymond. From MailScanner at ecs.soton.ac.uk Mon Sep 15 17:07:48 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Sep 15 17:08:17 2008 Subject: clamd DoS? In-Reply-To: References: <48CE37ED.6040200@nerc.ac.uk> <48CE7FD0.3070909@ecs.soton.ac.uk> Message-ID: <48CE8854.8000508@ecs.soton.ac.uk> Raymond Dijkxhoorn wrote: > Hi! > >> Also with ClamAV 0.94 and latest MS beta it breaks. We just upgraded. >> I just ran the message with clamd and had no problems at all. >> >> At Mon Sep 15 16:29:30 2008 the virus scanner said: >> Clamd: contract_I1.zip was infected: Trojan.Agent-49425=20 >> >> # clamscan --version >> ClamAV 0.94/8247/Mon Sep 15 13:04:53 2008 > > We have 4 different site that are having all the same issue, with > various versions of MailScanner. I dont know if we can test feeding it > Clam directly. But inside MailScannner with ClamD running it really > breaks. So strange. In /usr/sbin/MailScanner there are a couple of calls to "Explode". Immediately after them, add a line saying exit; and it will stop straight after the attachment unpacking. Then you can go into /var/spool/MailScanner/incoming, find the relevant directory and see what attachments it pulled out. Then try clamscan-ing them by hand. If the attachments look okay in that directory, then it's a clamd issue I think. I would be interested to see what clamscan makes of them when run by hand. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From Paul.Bijnens at xplanation.com Mon Sep 15 17:18:10 2008 
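Julian Field's procedure above (stop after unpacking, then scan the extracted attachments by hand) can be scripted so that every file gets its own time limit, which matters when the reported symptom is the scanner hogging the CPU. This is an added example, not MailScanner or ClamAV code; `SCANNER`, `LIMIT`, `scan_one` and `scan_dir` are names invented here, and it assumes the coreutils `timeout` command is installed.

```shell
#!/bin/sh
# Added example, not part of MailScanner or ClamAV.
# Scans every file under a directory one at a time, each under a time limit,
# so a file that sends the scanner into a CPU loop is reported as HUNG
# instead of stalling the whole run.
#
# Assumptions: timeout(1) from coreutils is available. SCANNER and LIMIT are
# names made up for this sketch; SCANNER must accept "--no-summary FILE" and
# use clamscan's exit codes (0 = clean, 1 = virus found, other = error).
SCANNER=${SCANNER:-clamscan}
LIMIT=${LIMIT:-60}          # seconds allowed per file

# scan_one FILE: print "VERDICT<TAB>FILE" for a single file.
scan_one() {
    so_rc=0
    # stdin comes from /dev/null so the scanner cannot eat the file list
    # that scan_dir is reading from its pipe.
    timeout "$LIMIT" "$SCANNER" --no-summary "$1" \
        </dev/null >/dev/null 2>&1 || so_rc=$?
    case $so_rc in
        0)   so_verdict=CLEAN ;;
        1)   so_verdict=INFECTED ;;
        124) so_verdict=HUNG ;;            # timeout(1) stopped the scanner
        *)   so_verdict="ERROR($so_rc)" ;;
    esac
    printf '%s\t%s\n' "$so_verdict" "$1"
}

# scan_dir DIR: one verdict line per regular file below DIR.
# Names with spaces are preserved (IFS= read -r); names containing a
# newline are not supported.
scan_dir() {
    find "$1" -type f | while IFS= read -r sd_file; do
        scan_one "$sd_file"
    done
}

# Run as: sh scan-extracted.sh /var/spool/MailScanner/incoming/<directory>
if [ "$#" -gt 0 ]; then
    scan_dir "$1"
fi
```

A HUNG verdict from `clamscan` on a file taken straight from the incoming directory points at the scanner rather than at MailScanner's unpacking, which is the distinction the message above is trying to draw.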
From: Paul.Bijnens at xplanation.com (Paul Bijnens) Date: Mon Sep 15 17:18:19 2008 Subject: Potential Postfix CentOS message unpacking bug In-Reply-To: <48CE217A.6050208@xplanation.com> References: <48CE134C.7080307@ecs.soton.ac.uk> <48CE217A.6050208@xplanation.com> Message-ID: <48CE8AC2.8040600@xplanation.com> On 2008-09-15 10:48, Paul Bijnens wrote: > On 2008-09-15 09:48, Julian Field wrote: >> As some of you may have already realised, a few people are having a >> problem on particular OS's when using Postfix, where a message >> generated by a particular Trojan are not being unpacked properly. >> >> So Postfix users on CentOS, please can you check your logs for any >> 16-17Kb spams which could possibly containing an attachment called >> "start.zip" (grep should find it in raw queue files, if you're >> wondering how to do that for raw queue files), which have not always >> been detected as infected. >> >> You might want to use the "Archive Mail" feature of MailScanner.conf >> for a while to see if you're getting anything like that, in case you >> are suffering the problem. >> >> We would very much like to know how widespread this problem is, so >> please report back with your findings and we'll take a straw poll of >> the respondents. > > > Running MailScanner on CentOS here, with archiving enabled as well. > > I did not find any message containing an attachment "start.zip" in > my archived mails (between sep 11 and now sep 15 10:41 MET, for a total of > 10928 mails). > > I'll still keep an eye on it for some days. If the threat is indeed about the Trojan.Fakealert-532, then we had some in, and successfully blocked as well. Just a few minutes ago: ClamAV: tube.zip contains Trojan.Fakealert-532 and some more last weekend, but all with different attachment names. But none got through. 
-- Paul Bijnens, xplanation Technology Services Tel +32 16 397.511 Technologielaan 21 bus 2, B-3001 Leuven, BELGIUM Fax +32 16 397.512 http://www.xplanation.com/ email: Paul.Bijnens@xplanation.com *********************************************************************** * I think I've got the hang of it now: exit, ^D, ^C, ^\, ^Z, ^Q, ^^, * * F6, quit, ZZ, :q, :q!, M-Z, ^X^C, logoff, logout, close, bye, /bye, * * stop, end, F3, ~., ^]c, +++ ATH, disconnect, halt, abort, hangup, * * PF4, F20, ^X^X, :D::D, KJOB, F14-f-e, F8-e, kill -1 $$, shutdown, * * init 0, kill -9 1, Alt-F4, Ctrl-Alt-Del, AltGr-NumLock, Stop-A, ... * * ... "Are you sure?" ... YES ... Phew ... I'm out * *********************************************************************** From ssilva at sgvwater.com Mon Sep 15 17:42:34 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Mon Sep 15 17:42:57 2008 Subject: Error with EMTPY_MESSAGE In-Reply-To: <48CB7428.1030501@vanderkooij.org> References: <48CB7428.1030501@vanderkooij.org> Message-ID: on 9-13-2008 1:04 AM Hugo van der Kooij spake the following: > Hi, > > It seems to me that SA is flagging just about any message as EMPTY_MESSAGE. > > Is anyone else seeing this too? > > Hugo. > I only have 40 in over 93,000 messages. And all of those are fairly randomly spread out by date. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080915/1c45fc62/signature.bin From ssilva at sgvwater.com Mon Sep 15 17:51:59 2008 
From: ssilva at sgvwater.com (Scott Silva) Date: Mon Sep 15 17:52:16 2008 Subject: Error with EMTPY_MESSAGE In-Reply-To: <223f97700809140404v7caa0216q1ab03d4472222924@mail.gmail.com> References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <223f97700809131112sc6d34basd6ba785f42114dcd@mail.gmail.com> <48CCDEF3.9060903@vanderkooij.org> <223f97700809140404v7caa0216q1ab03d4472222924@mail.gmail.com> Message-ID: >> But if a beta version can be created that allows one to use postcat >> instead of a native MailScanner parser of the raw queue file just to see >> if it is a factor then I can test that as my MailScanner server is >> pretty low in traffic. > Not really doable, not really where the problem is at, unfortunately. > It's more insidouos than that:-). > >> Hugo. >> > > Cheers And you guys were making fun of my sendmail install last year! Now who's laughing! ;-P -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080915/4ae58bbd/signature.bin From Kevin_Miller at ci.juneau.ak.us Mon Sep 15 18:58:51 2008 
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Mon Sep 15 18:59:09 2008 Subject: Happy birthday , dude In-Reply-To: <48CE727F.6040701@cnpapers.com> References: <48CE4654.9020403@cnpapers.com> <48CE727F.6040701@cnpapers.com> Message-ID: Steve Campbell wrote: > Talk about spam . Sorry for the errant "To:". Should have went to > someone else, obviously. > > > Steve Campbell wrote: >> Happy birthday. >> >> Hear you been out west again. Have any luck? >> >> See you when I can. In case you hadn't seen it, the Beatles tribute >> band "1964" is coming to town this month. (I think it's this month). >> >> steve Does that mean I'm not gonna get a present? ;-) ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From submit at zuka.net Mon Sep 15 19:00:34 2008 From: submit at zuka.net (Dave Filchak) Date: Mon Sep 15 19:01:00 2008 Subject: Potential Postfix CentOS message unpacking bug In-Reply-To: <48CE134C.7080307@ecs.soton.ac.uk> References: <48CE134C.7080307@ecs.soton.ac.uk> Message-ID: <48CEA2C2.2050104@zuka.net> Julian Field wrote: >
As some > of you may have already realised, a few people are having a problem on > particular OS's when using Postfix, where a message generated by a > particular Trojan are not being unpacked properly. > > So Postfix users on CentOS, please can you check your logs for any > 16-17Kb spams which could possibly containing an attachment called > "start.zip" (grep should find it in raw queue files, if you're > wondering how to do that for raw queue files), which have not always > been detected as infected. > > You might want to use the "Archive Mail" feature of MailScanner.conf > for a while to see if you're getting anything like that, in case you > are suffering the problem. > > We would very much like to know how widespread this problem is, so > please report back with your findings and we'll take a straw poll of > the respondents. > > Thanks folks! > > Jules > Nothing here that I can see at this point Jules. Dave From campbell at cnpapers.com Mon Sep 15 19:15:28 2008 From: campbell at cnpapers.com (Steve Campbell) Date: Mon Sep 15 19:15:45 2008 Subject: Happy birthday , dude In-Reply-To: References: <48CE4654.9020403@cnpapers.com> <48CE727F.6040701@cnpapers.com> Message-ID: <48CEA640.1060709@cnpapers.com> What makes you think somebody who can't hit the right line in a drop-down is gonna be able to get a present to anyone, anyhow? I'll do my best. steve Kevin Miller wrote: > Steve Campbell wrote: > >> Talk about spam . Sorry for the errant "To:". Should have went to >> someone else, obviously. >> >> >> Steve Campbell wrote: >> >>> Happy birthday. >>> >>> Hear you been out west again. Have any luck? >>> >>> See you when I can. In case you hadn't seen it, the Beatles tribute >>> band "1964" is coming to town this month. (I think it's this month). >>> >>> steve >>> > > Does that mean I'm not gonna get a present? 
;-) > > ...Kevin > From alex at rtpty.com Mon Sep 15 19:51:51 2008 From: alex at rtpty.com (Alex Neuman van der Hans) Date: Mon Sep 15 19:52:04 2008 Subject: Way OT: Petition Message-ID: <37E268F2-CA94-40E4-AA5B-2845F5ED3DFC@rtpty.com> Guys, Since some of you blokes actually watch BBC from time to time between disasters, I'd like to let you know there's a petition circulating regarding David Tennant being allowed to light/carry the torch at the 2012 Olympics, per the "Fear Her" episode. Would be fun, right? http://www.petitiononline.com/Drwh2012/petition.html Regards, Alex From uxbod at splatnix.net Mon Sep 15 20:35:46 2008 From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Mon Sep 15 20:36:05 2008 Subject: Way OT: Petition In-Reply-To: <19374072.3121221507257971.JavaMail.root@office.splatnix.net> Message-ID: <11813714.3141221507346509.JavaMail.root@office.splatnix.net> So what is David's sporting background ? How has he elevated the British level of achievement ? Hey we could not even consider Richard Fox (World Canoe Slalom Champion x 10) who now coaches Australia! (and yes when I would younger I trained with him in the UK!). Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- "Alex Neuman van der Hans" wrote: > Guys, > > > > Since some of you blokes actually watch BBC from time to time between > > disasters, I'd like to let you know there's a petition circulating > > regarding David Tennant being allowed to light/carry the torch at the > > 2012 Olympics, per the "Fear Her" episode. Would be fun, right? > > > > http://www.petitiononline.com/Drwh2012/petition.html > > > > Regards, > > > > Alex -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From uxbod at splatnix.net Mon Sep 15 20:39:42 2008 From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Mon Sep 15 20:39:59 2008 Subject: Way OT: Petition In-Reply-To: <37E268F2-CA94-40E4-AA5B-2845F5ED3DFC@rtpty.com> Message-ID: <2381076.3171221507582920.JavaMail.root@office.splatnix.net> Sorry RF 5x! Though hey how many people have done that! 5 x World Champion 1 x World Bronze medallist 5 x World team Champion Olympian 8 x National Champion Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- "Alex Neuman van der Hans" wrote: > Guys, > > > > Since some of you blokes actually watch BBC from time to time between > > disasters, I'd like to let you know there's a petition circulating > > regarding David Tennant being allowed to light/carry the torch at the > > 2012 Olympics, per the "Fear Her" episode. Would be fun, right? > > > > http://www.petitiononline.com/Drwh2012/petition.html > > > > Regards, > > > > Alex -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mark at msapiro.net Mon Sep 15 21:16:22 2008 From: mark at msapiro.net (Mark Sapiro) Date: Mon Sep 15 21:16:36 2008 Subject: Potential Postfix CentOS message unpacking bug In-Reply-To: <48CE134C.7080307@ecs.soton.ac.uk> References: <48CE134C.7080307@ecs.soton.ac.uk> Message-ID: <20080915201622.GA4068@msapiro> On Mon, Sep 15, 2008 at 08:48:28AM +0100, Julian Field wrote: > > So Postfix users on CentOS, please can you check your logs for any > 16-17Kb spams which could possibly containing an attachment called > "start.zip" (grep should find it in raw queue files, if you're wondering > how to do that for raw queue files), which have not always been detected > as infected. 
I have seen exactly one of these /var/log/maillog:Sep 15 00:25:16 sbh16 MailScanner[783]: ClamAVModule::INFECTED:: Trojan.Fakealert-532 :: ./4C266690092.86EA5/start.zip in the last 30 days and no spam quarantined with start.zip attachments. > You might want to use the "Archive Mail" feature of MailScanner.conf for > a while to see if you're getting anything like that, in case you are > suffering the problem. I have just enabled Archive Mail and will look for start.zip in the archive. It would help if someone could post one of the infected messages that isn't properly scanned on the web somewhere and post a link here so we could test with that. -- Mark Sapiro mark at msapiro net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From Kevin_Miller at ci.juneau.ak.us Mon Sep 15 21:22:17 2008 From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Mon Sep 15 21:22:30 2008 Subject: clamd DoS? In-Reply-To: <48CE8854.8000508@ecs.soton.ac.uk> References: <48CE37ED.6040200@nerc.ac.uk> <48CE7FD0.3070909@ecs.soton.ac.uk> <48CE8854.8000508@ecs.soton.ac.uk> Message-ID: Julian Field wrote: > In /usr/sbin/MailScanner there are a couple of calls to "Explode". > Immediately after them, add a line saying > exit; > and it will stop straight after the attachment unpacking. > Then you can go into /var/spool/MailScanner/incoming, find the > relevant directory and see what attachments it pulled out. > Then try clamscan-ing them by hand. If the attachments look okay in > that directory, then it's a clamd issue I think. I would be > interested to see what clamscan makes of them when run by hand. I was seeing a number of spam messages coming in w/the subject "Credit card transaction report". Every now and then one would get tagged as a virus, but most weren't. However, I went into MailWatch, selected one that wasn't marked as viral and saved the attached Report.zip to my linux workstation. Ark extracted the file report.doc.exe. 
I kicked off top in a term window, opened another terminal and ran 'clamscan report.doc.exe'. W/in a couple seconds CPU utilization was pegged. I'm running plain old clamav, not clamscan or clamd. Not much to go on, but maybe this will help a bit... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From hvdkooij at vanderkooij.org Mon Sep 15 21:41:59 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Mon Sep 15 21:42:15 2008 Subject: clamd DoS? In-Reply-To: References: <48CE37ED.6040200@nerc.ac.uk> <48CE7FD0.3070909@ecs.soton.ac.uk> <48CE8854.8000508@ecs.soton.ac.uk> Message-ID: <48CEC897.7090703@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Kevin Miller wrote: > Julian Field wrote: > >> In /usr/sbin/MailScanner there are a couple of calls to "Explode". >> Immediately after them, add a line saying >> exit; >> and it will stop straight after the attachment unpacking. >> Then you can go into /var/spool/MailScanner/incoming, find the >> relevant directory and see what attachments it pulled out. >> Then try clamscan-ing them by hand. If the attachments look okay in >> that directory, then it's a clamd issue I think. I would be >> interested to see what clamscan makes of them when run by hand. > > I was seeing a number of spam messages coming in w/the subject "Credit > card transaction report". Every now and then one would get tagged as a > virus, but most weren't. However, I went into MailWatch, selected one > that wasn't marked as viral and saved the attached Report.zip to my > linux workstation. Ark extracted the file report.doc.exe. I kicked off > top in a term window, opened another terminal and ran 'clamscan > report.doc.exe'. W/in a couple seconds CPU utilization was pegged. 
So if you can do this on a plain file with just ClamAV as a factor I would think you have all the stuff that is needed to report a bug with the ClamAV team. If that is the case would you be kind enough to report the bug to the ClamAV team? Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFIzsiUBvzDRVjxmYERAqpmAJ0boKU5chAkI7TDONQ57+zwweQmSACfWwK7 VU+DFDsCiGs0AvFEpfCYiJw= =Iutn -----END PGP SIGNATURE----- From MailScanner at ecs.soton.ac.uk Mon Sep 15 21:47:00 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Sep 15 21:47:18 2008 Subject: clamd DoS? In-Reply-To: References: <48CE37ED.6040200@nerc.ac.uk> <48CE7FD0.3070909@ecs.soton.ac.uk> <48CE8854.8000508@ecs.soton.ac.uk> Message-ID: <48CEC9C4.9010507@ecs.soton.ac.uk> Kevin Miller wrote: > Julian Field wrote: > > >> In /usr/sbin/MailScanner there are a couple of calls to "Explode". >> Immediately after them, add a line saying >> exit; >> and it will stop straight after the attachment unpacking. >> Then you can go into /var/spool/MailScanner/incoming, find the >> relevant directory and see what attachments it pulled out. >> Then try clamscan-ing them by hand. If the attachments look okay in >> that directory, then it's a clamd issue I think. I would be >> interested to see what clamscan makes of them when run by hand. >> > > I was seeing a number of spam messages coming in w/the subject "Credit > card transaction report". Every now and then one would get tagged as a > virus, but most weren't. 
However, I went into MailWatch, selected one > that wasn't marked as viral and saved the attached Report.zip to my > linux workstation. Ark extracted the file report.doc.exe. I kicked off > top in a term window, opened another terminal and ran 'clamscan > report.doc.exe'. W/in a couple seconds CPU utilization was pegged. > > I'm running plain old clamav, not clamscan or clamd. > > Not much to go on, but maybe this will help a bit... > Ooh, can you post this on the web somewhere and tell me the URL so I can fetch this file and construct a message round it for testing? Thanks. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From hvdkooij at vanderkooij.org Mon Sep 15 21:48:31 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Mon Sep 15 21:48:41 2008 Subject: how to detect koi8-r characters In-Reply-To: <1A6F40B4130E4C23BDBBE9B37DC6D8BD@KHFUJITSU> References: <1A6F40B4130E4C23BDBBE9B37DC6D8BD@KHFUJITSU> Message-ID: <48CECA1F.2040702@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Kevin Howard wrote: > Hi, > > We're receiving a lot of spam comprising Cyrillic characters in the > subject line, example Subject: =?koi8-r?B?8sXLzGHNwSDXIOnObcXSzsVtxSA=?= Here are some lines I put into the headercheck of postfix:

/^Subject: =\?koi8-r\?/ REJECT No one here reads this language!
/^From: =\?koi8-r\?/ REJECT No one here reads this language!
/^Content-Type: .+; charset=koi8-r/ REJECT No one here reads this language!
/^Subject:.+=\?windows-1251\?/ REJECT No one here reads this language!
/^From: =\?windows-1251\?/ REJECT No one here reads this language!
/^.*charset="windows-1251"$/ REJECT No one here reads this language!
/^Content-Type: .+; charset=windows-1251/ REJECT No one here reads this language!
/^Subject:.+=\?windows-1255\?/ REJECT No one here reads this language!
/^From: =\?windows-1255\?/ REJECT No one here reads this language!
/^Content-Type: .+; charset=windows-1255/ REJECT No one here reads this language!
/^Subject:.+=\?ISO-2022-JP\?/ REJECT No one here reads this language!
/^From: =\?ISO-2022-JP\?/ REJECT No one here reads this language!
/^Content-Type: .+; charset=ISO-2022-JP/ REJECT No one here reads this language!
/^Content-Type: .*GB2312/ REJECT No one here reads this language!

It cuts down a lot on the unreadable spam. At present I am trying to convince XS4ALL to put a similar check into their spam checks. I understand they can not put it in the MTA. But if I can not read Russian there is no point in sending me email with a Russian character set. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFIzsodBvzDRVjxmYERAkgfAJ0WvKZuJGlEuTBGrZeXcESBBtxS4wCdGulS ruta2KWoJF7zqLK8+FCk9Rk= =VJia -----END PGP SIGNATURE----- From MailScanner at ecs.soton.ac.uk Mon Sep 15 21:49:09 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Sep 15 21:49:29 2008 Subject: A lot of spam getting through this weekend In-Reply-To: References: Message-ID: <48CECA45.4010501@ecs.soton.ac.uk> Daniel Straka wrote: > Over the past 4 day sooo much spam is getting through my MailScanner installation that I'm beginning to wonder if the spammers have figured out a way to get around it. 
A lot of *exually related messages, bank phishing attempts and more. > MailScanner / SpamAssassin appear to be working ok yet everyone is getting about 10x the usual amount of spam making it into their mailboxes. > Is anyone else seeing an issue like this? > I'm seeing a huge amount of phishing spam, but I'm catching all of it okay. My setup is basically still the one I posted in my HOWTO I posted last July 2007, but with the addition of BarricadeMX to take most of the load. But MailScanner is catching this lot okay. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From hvdkooij at vanderkooij.org Mon Sep 15 21:53:27 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Mon Sep 15 21:53:36 2008 Subject: A lot of spam getting through this weekend In-Reply-To: References: Message-ID: <48CECB47.3000705@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Martin.Hepworth wrote: > Dan > > Same here - looking at the scores my Bayes is low/negative scoring so I'm thinking about resetting with the starter one from www.fsl.com/support I strongly urge people NEVER to use another person's bayesian database. Only you can decide what is SPAM and what is HAM in your messages. I am allowed to borrow a golf club from our CEO anytime a colleague dares to break this rule. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. 
From jan-peter at koopmann.eu Mon Sep 15 22:05:36 2008
From: jan-peter at koopmann.eu (Koopmann, Jan-Peter)
Date: Mon Sep 15 22:05:58 2008
Subject: Spamassassin Timeout issue.
In-Reply-To:
References:
Message-ID:

> Sep 10 04:47:37 localhost MailScanner[8400]: SpamAssassin timed out and was killed, failure 8 of 20?

Are you running BotNet.pm with SpamAssassin? I had a very similar issue and it was caused by a known bug in BotNet. Try to upgrade if you use it.

From kate at rheel.co.nz Mon Sep 15 22:22:37 2008
From: kate at rheel.co.nz (Kate Kleinschafer)
Date: Mon Sep 15 22:21:35 2008
Subject: Error on start cannot open config file
Message-ID: <48CED21D.2020804@rheel.co.nz>

Hi all,

I have just done a fresh install of CentOS 5.2 and installed postfix (then done rpm -e sendmail) clamav and MailScanner.
When I try and start MailScanner (after stopping the postfix service) I get the following error:
MailScanner: Cannot open config file /etc/MailScanner/MailScanner.conf, Permission denied at /usr/lib/MailScanner/MailScanner/Config.pm line 657.

If I change in MailScanner.conf Run as user = postfix to Run as user = then it works.

I would really appreciate any advice on how to get this operational.

Thanks
Kate

Apologies if this comes through twice - I thought I had changed my list email but it doesn't seem to be working.

From Kevin_Miller at ci.juneau.ak.us Mon Sep 15 22:40:56 2008
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Mon Sep 15 22:41:07 2008
Subject: clamd DoS?
In-Reply-To: <48CEC9C4.9010507@ecs.soton.ac.uk> References: <48CE37ED.6040200@nerc.ac.uk> <48CE7FD0.3070909@ecs.soton.ac.uk> <48CE8854.8000508@ecs.soton.ac.uk> <48CEC9C4.9010507@ecs.soton.ac.uk> Message-ID: Julian Field wrote: > Ooh, can you post this on the web somewhere and tell me the URL so I > can fetch this file and construct a message round it for testing? > > Thanks. > > Jules Will the mail file from the /var/spool/MailScanner/quarantine/spam/... tree work? I can shlep that up to an ftp server if that's OK. I didn't remember where exactly I got the original zip file so I grabbed another today and saved it to my workstation then extracted. Seems to be a lot of spaces in the filename: ======================================================================== mkm@mis-mkm-lnx:~/ziptest/test2$ clamscan report.doc\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ .exe ======================================================================== ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From glenn.steen at gmail.com Mon Sep 15 22:45:18 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Sep 15 22:45:29 2008 Subject: Error on start cannot open config file In-Reply-To: <48CED21D.2020804@rheel.co.nz> References: <48CED21D.2020804@rheel.co.nz> Message-ID: <223f97700809151445t4f3a2ff9j3921d88a3d75b5eb@mail.gmail.com> 2008/9/15 Kate Kleinschafer : > Hi all, > > I have just done a fresh install of CentOS 5.2 and installed postfix (then > done rpm -e sendmail) clamav and MailScanner. > When I try and start MailScanner (after stopping the postfix service) I get > the following error: > MailScanner: Cannot open config file /etc/MailScanner/MailScanner.conf, > Permission denied at /usr/lib/MailScanner/MailScanner/Config.pm line 657. 
>
> If I change in MailScanner.conf Run as user = postfix to Run as user =
> then it works.
>
> I would really appreciate any advice on how to get this operational.
>
> Thanks
> Kate
>
> Apologies if this comes through twice - I thought I had changed my list
> email but it doesn't seem to be working.
>

Your postfix user cannot read your config file/directory, likely. Test with
su - postfix -s /bin/bash
and then use cd and "ls -d" to try access /etc/MailScanner ... and
ultimately reading MailScanner.conf with "less" or something.
When using an MTA that runs as an unprivileged user, permissions is everything.
Also check that you've either turned off SELinux or amended it so that
it doesn't get in the way:).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From kate at rheel.co.nz Mon Sep 15 22:52:29 2008
From: kate at rheel.co.nz (Kate Kleinschafer)
Date: Mon Sep 15 22:51:45 2008
Subject: Error on start cannot open config file
In-Reply-To: <20080915214414.GA18544@lava-net.com>
References: <48CED21D.2020804@rheel.co.nz> <20080915214414.GA18544@lava-net.com>
Message-ID: <48CED91D.7080907@rheel.co.nz>

Hi Igor,

I have just tried 644 permissions and chowning to postfix:root.
Both gave the same permission denied error.

Thanks
Kate

Igor Gueths wrote:
> Hi. What are the permissions on your MailSCanner.conf? In order for the postfix
> user to be able to read the file, the file either needs to be owned by the
> postfix user, or chmodded with permissions 644. Thanks.
> On Tue, Sep 16, 2008 at 09:22:37AM +1200, Kate Kleinschafer wrote:
>
>> Hi all,
>>
>> I have just done a fresh install of CentOS 5.2 and installed postfix (then
>> done rpm -e sendmail) clamav and MailScanner.
>> When I try and start MailScanner (after stopping the postfix service) I get
>> the following error:
>> MailScanner: Cannot open config file /etc/MailScanner/MailScanner.conf,
>> Permission denied at /usr/lib/MailScanner/MailScanner/Config.pm line 657.
>>
>> If I change in MailScanner.conf Run as user = postfix to Run as user =
>> then it works.
>>
>> I would really appreciate any advice on how to get this operational.
>>
>> Thanks
>> Kate
>>
>> Apologies if this comes through twice - I thought I had changed my list email but it doesn't seem to be working.
>>
>> --
>> MailScanner mailing list
>> mailscanner@lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>> --
>> This message has been scanned for viruses and
>> dangerous content by MailScanner, and is
>> believed to be clean.
>>
>>
>
>

From Kevin_Miller at ci.juneau.ak.us Mon Sep 15 22:54:24 2008
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Mon Sep 15 22:54:34 2008
Subject: clamd DoS?
In-Reply-To: <48CEC9C4.9010507@ecs.soton.ac.uk>
References: <48CE37ED.6040200@nerc.ac.uk> <48CE7FD0.3070909@ecs.soton.ac.uk> <48CE8854.8000508@ecs.soton.ac.uk> <48CEC9C4.9010507@ecs.soton.ac.uk>
Message-ID:

Julian Field wrote:
> Ooh, can you post this on the web somewhere and tell me the URL so I
> can fetch this file and construct a message round it for testing?
>
> Thanks.
>
> Jules

I sent a note w/the location to your jules@jules.fm address mentioned in the sig. Holler if you have any trouble accessing it...

...Kevin
--
Kevin Miller Registered Linux User No: 307357
CBJ MIS Dept. Network Systems Admin., Mail Admin.
155 South Seward Street ph: (907) 586-0242
Juneau, Alaska 99801 fax: (907 586-4500

From lists at tippingmar.com Mon Sep 15 22:55:01 2008
From: lists at tippingmar.com (Mark Nienberg)
Date: Mon Sep 15 22:55:18 2008
Subject: how to detect koi8-r characters
In-Reply-To: <1A6F40B4130E4C23BDBBE9B37DC6D8BD@KHFUJITSU>
References: <1A6F40B4130E4C23BDBBE9B37DC6D8BD@KHFUJITSU>
Message-ID: <48CED9B5.4020001@tippingmar.com>

Kevin Howard wrote:
> We're receiving a lot of spam comprising Cyrillic characters in the
> subject line, example Subject: =?koi8-r?B?8sXLzGHNwSDXIOnObcXSzsVtxSA=?=
>
> and a message body which is 100% Cyrillic, some messages are plain
> text and some HTML.
>
> The plains messages are using;
>
> MIME-Version: 1.0
> Content-Type: text/plain;
> charset="koi8-r"
> Content-Transfer-Encoding: 8bit
>
>
> Spamassassin doesn't seem to be able to detect these reliably despite
> us training bayes on these messages and utilising language filters. So
> we're trying to use MCP to detect them but have had no success
> whatsoever to date.
>
> I have tried making a rule to detect " ?koi8 " in the subject line but
> Mailscanner only seems to look at visible characters.
>
> Any ideas? my preference is to stop them with MCP if possible.
>

I use a spamassassin rule like this:

header LOCAL_CYRILLIC Subject:raw =~ /windows\-1251/i
describe LOCAL_CYRILLIC Cyrillic fonts
score LOCAL_CYRILLIC 3

in your case, maybe you need to replace windows-1251 with koi8-r. The "raw" part is important.

Mark Nienberg

From Kevin_Miller at ci.juneau.ak.us Mon Sep 15 23:35:45 2008
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Mon Sep 15 23:36:02 2008
Subject: clamd DoS?
In-Reply-To: <48CEC897.7090703@vanderkooij.org>
References: <48CE37ED.6040200@nerc.ac.uk> <48CE7FD0.3070909@ecs.soton.ac.uk> <48CE8854.8000508@ecs.soton.ac.uk> <48CEC897.7090703@vanderkooij.org>
Message-ID:

Hugo van der Kooij wrote:
> So if you can do this on a plain file with just ClamAV as a factor I
> would think you have all the stuff that is needed to report a bug with
> the ClamAV team.
>
> If that is the case would you be kind enough to report the bug to the
> ClamAV team?

I started doing that, then did some more testing. On my Debian box, with clamav 0.90.1/8228 it spins. On my SUSE boxes, it comes back reporting Trojan.Agent-49371 with no CPU delay. Perhaps it's only a problem w/clamav 90.1?

My main mail server (SUSE) is running .94/8251

The other SUSE box I tested is running 88.4/8251 (I know, badly out of date but there's a bug w/the compiler and a newer clamav won't compile. The box is slated for a rebuild RSN.)

Given that it's an older version of clamav, a bug report would probably be rather untimely. It may however, be useful for others here to know so they can upgrade if the version of clamav they're running is affected...

...Kevin
--
Kevin Miller Registered Linux User No: 307357
CBJ MIS Dept. Network Systems Admin., Mail Admin.
155 South Seward Street ph: (907) 586-0242
Juneau, Alaska 99801 fax: (907 586-4500

From hvdkooij at vanderkooij.org Mon Sep 15 23:41:24 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Mon Sep 15 23:41:32 2008
Subject: Error on start cannot open config file
In-Reply-To: <48CED91D.7080907@rheel.co.nz>
References: <48CED21D.2020804@rheel.co.nz> <20080915214414.GA18544@lava-net.com> <48CED91D.7080907@rheel.co.nz>
Message-ID: <48CEE494.2080307@vanderkooij.org>

Kate Kleinschafer wrote:
> Hi Igor,
>
> I have just tried 644 permissions and chowning to postfix:root.
> Both gave the same permission denied error.

And just what did you change? directory? file? both?
something else?

Start from the root and work your way to the file. See if you have read rights as postfix user all the way.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

From kate at rheel.co.nz Mon Sep 15 23:50:17 2008
From: kate at rheel.co.nz (Kate Kleinschafer)
Date: Mon Sep 15 23:49:36 2008
Subject: Error on start cannot open config file
In-Reply-To: <223f97700809151445t4f3a2ff9j3921d88a3d75b5eb@mail.gmail.com>
References: <48CED21D.2020804@rheel.co.nz> <223f97700809151445t4f3a2ff9j3921d88a3d75b5eb@mail.gmail.com>
Message-ID: <48CEE6A9.5070508@rheel.co.nz>

Thanks - that helped me find the problem.
It was the permissions on the MailScanner folder itself.

Again many thanks
Kate

Glenn Steen wrote:
> 2008/9/15 Kate Kleinschafer :
>
>> Hi all,
>>
>> I have just done a fresh install of CentOS 5.2 and installed postfix (then
>> done rpm -e sendmail) clamav and MailScanner.
>> When I try and start MailScanner (after stopping the postfix service) I get
>> the following error:
>> MailScanner: Cannot open config file /etc/MailScanner/MailScanner.conf,
>> Permission denied at /usr/lib/MailScanner/MailScanner/Config.pm line 657.
>>
>> If I change in MailScanner.conf Run as user = postfix to Run as user =
>> then it works.
>>
>> I would really appreciate any advice on how to get this operational.
>>
>> Thanks
>> Kate
>>
>> Apologies if this comes through twice - I thought I had changed my list
>> email but it doesn't seem to be working.
>>
>>
> Your postfix user cannot read your config file/directory, likely. Test with
> su - postfix -s /bin/bash
> and then use cd and "ls -d" to try access /etc/MailScanner ... and
> ultimately reading MailScanner.conf with "less" or something.
> When using an MTA that runs as an unprivileged user, permissions is everything.
> Also check that you've either turned off SELinux or amended it so that
> it doesn't get in the way:).
>
> Cheers
>

From swati.meghanand at gmail.com Tue Sep 16 11:06:36 2008
From: swati.meghanand at gmail.com (Swati Meghanand)
Date: Tue Sep 16 11:06:45 2008
Subject: Spamassassin Timeout issue.
In-Reply-To:
References:
Message-ID: <424c10260809160306q736b1c47jd41c0781e2a83904@mail.gmail.com>

hi,

No not running BotNet.pm with SpamAssassin?

There was some issue with 'Pyzor'.. need to work on it, currently I stopped pyzor now it is working fine..

I found out the prob by running spamassassin in debugging mode

2008/9/16 Koopmann, Jan-Peter

> > Sep 10 04:47:37 localhost MailScanner[8400]: SpamAssassin timed out and
> was killed, failure 8 of 20
>
> Are you running BotNet.pm with SpamAssassin? I had a very similar issue and
> it was caused by a known bug in BotNet. Try to upgrade if you use it.
>
>
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
From steve.freegard at fsl.com Tue Sep 16 11:58:00 2008
From: steve.freegard at fsl.com (Steve Freegard)
Date: Tue Sep 16 11:58:20 2008
Subject: Desperately trying to debug poor spam scanning performance
In-Reply-To: <48CE620E.9060909@photobox.com>
References: <48CA9E61.7080506@photobox.com> <5A881BE9-B6B4-463D-BFE0-0D7FFF8C80F3@rtpty.com> <48CABC5B.2010603@photobox.com> <48CE44D6.9090907@ecs.soton.ac.uk> <48CE620E.9060909@photobox.com>
Message-ID: <48CF9138.4020601@fsl.com>

Hi Ben,

Ben Tisdall wrote:
> The razor timeout seemed to have been a one-off.
>
> Here's a debug output (clearly Pyzor's unhappy, but it's the same on the
> comparison machine too, turning off doesn't help)
>

1) Switch-off Pyzor by commenting the loadplugin lines in v3*.pre and init.pre in /etc/mail/spamassassin.

IMHO - Pyzor isn't usable anymore unless you are low-volume and can put up with the timeouts decreasing your scanner throughput, so I always either don't install it or disable it.

Even though it appears to be unwell on your machines anyway - disabling it will prevent the need for the code to get loaded anyway.

2) Compare like-for-like.

Currently - each machine has different version of Perl modules (some newer some older). Check for updates to each of them on the new machine and get the latest versions.

Also - you're looking at the 'Log Speed' output on both machines and because they are showing different lower numbers you're jumping to the conclusion that something is wrong.... it could be - but the only way to be certain is to process the *same* batch of messages on both machines (without any other traffic running at the same time) and then comparing the results.
I'd expect the bytes throughput shown in the logs to vary greatly for each batch due to the fact that some messages are larger and more complex than others, so unless you are running the same batches through - then you can't really know for sure that one is slower than the other.

3) Do you have anything configured in 'Spam Lists' or 'Spam Domain List' on either machine in MailScanner.conf??

4) Have you mounted /var/spool/MailScanner/incoming on tmpfs?

Kind regards,
Steve.

From raymond at prolocation.net Tue Sep 16 11:59:04 2008
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Tue Sep 16 11:59:13 2008
Subject: clamd DoS?
In-Reply-To: <48CEC9C4.9010507@ecs.soton.ac.uk>
References: <48CE37ED.6040200@nerc.ac.uk> <48CE7FD0.3070909@ecs.soton.ac.uk> <48CE8854.8000508@ecs.soton.ac.uk> <48CEC9C4.9010507@ecs.soton.ac.uk>
Message-ID:

Hi!

>> I was seeing a number of spam messages coming in w/the subject "Credit
>> card transaction report". Every now and then one would get tagged as a
>> virus, but most weren't. However, I went into MailWatch, selected one
>> that wasn't marked as viral and saved the attached Report.zip to my
>> linux workstation. Ark extracted the file report.doc.exe. I kicked off
>> top in a term window, opened another terminal and ran 'clamscan
>> report.doc.exe'. W/in a couple seconds CPU utilization was pegged.
>>
>> I'm running plain old clamav, not clamscan or clamd.
>>
>> Not much to go on, but maybe this will help a bit...

> Ooh, can you post this on the web somewhere and tell me the URL so I can
> fetch this file and construct a message round it for testing?

The guys @ ClamAV are also looking into this (Thanks Luca!)

Bye,
Raymond.
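
The report quoted in the message above (clamscan pegging the CPU on one extracted attachment) is the case for putting a wall-clock limit around every command-line scanner run. The sketch below is an added example, not code from this thread or from MailScanner: it runs a scanner under coreutils `timeout`, maps clamscan's exit codes to a verdict, and treats a timeout as "no verdict" so the message is held rather than delivered. The function names, the 30-second default and the script name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): bound each scanner run with coreutils
# `timeout` so one pathological attachment cannot tie up the scanning host,
# and fail closed when the scanner produces no verdict.

# scan_with_limit SECONDS FILE [SCANNER ARGS...]
# Prints one of: clean | infected | timeout | error
# With no SCANNER given, clamscan is used. clamscan exits 0 when nothing is
# found, 1 when a virus is found and 2 when an error occurred.
scan_with_limit() {
    swl_limit=$1
    swl_file=$2
    shift 2
    if [ $# -eq 0 ]; then
        set -- clamscan --no-summary
    fi
    swl_rc=0
    # -k 2: if the scanner ignores SIGTERM at the deadline, SIGKILL it 2 s later.
    timeout -k 2 "$swl_limit" "$@" "$swl_file" >/dev/null 2>&1 || swl_rc=$?
    case $swl_rc in
        0)       echo clean ;;
        1)       echo infected ;;
        124|137) echo timeout ;;   # 124: deadline reached; 137: killed with SIGKILL
        *)       echo error ;;     # scanner error, crash, or scanner not installed
    esac
}

# scan_dir SECONDS DIR [SCANNER ARGS...]
# Scans every regular file in DIR (quoting keeps names with long runs of
# spaces intact) and prints the first verdict that is not "clean", or
# "clean" when every file passes.
scan_dir() {
    sd_limit=$1
    sd_dir=$2
    shift 2
    for sd_file in "$sd_dir"/*; do
        [ -f "$sd_file" ] || continue
        sd_verdict=$(scan_with_limit "$sd_limit" "$sd_file" "$@")
        if [ "$sd_verdict" != clean ]; then
            echo "$sd_verdict"
            return 0
        fi
    done
    echo clean
}

# disposition VERDICT: what to do with the message the files came from.
# Anything other than an explicit "clean" keeps the message out of mailboxes.
disposition() {
    case $1 in
        clean)    echo deliver ;;
        infected) echo quarantine ;;
        *)        echo hold ;;     # timeout or error: no verdict, fail closed
    esac
}

# Stand-alone use (script name is hypothetical): sh scanlimit.sh DIR [SECONDS]
if [ $# -ge 1 ]; then
    disposition "$(scan_dir "${2:-30}" "$1")"
fi
```

Counting how often the `timeout` verdict occurs per scanner version gives the same signal the thread arrives at by hand: which installed ClamAV builds spin on a given sample.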
From ben.tisdall at photobox.com Tue Sep 16 12:12:25 2008
From: ben.tisdall at photobox.com (Ben Tisdall)
Date: Tue Sep 16 12:12:39 2008
Subject: Desperately trying to debug poor spam scanning performance
In-Reply-To: <48CF9138.4020601@fsl.com>
References: <48CA9E61.7080506@photobox.com> <5A881BE9-B6B4-463D-BFE0-0D7FFF8C80F3@rtpty.com> <48CABC5B.2010603@photobox.com> <48CE44D6.9090907@ecs.soton.ac.uk> <48CE620E.9060909@photobox.com> <48CF9138.4020601@fsl.com>
Message-ID: <48CF9499.4020707@photobox.com>

Steve Freegard wrote:
>
> IMHO - Pyzor isn't usable anymore unless you are low-volume and can put
> up with the timeouts decreasing your scanner throughput, so I always
> either don't install it or disable it.
>
> Even though it appears to be unwell on your machines anyway - disabling
> it will prevent the need for the code to get loaded anyway.

Interesting to hear your take on this, anyone else share this view?

>
> 2) Compare like-for-like.
>
> Currently - each machine has different version of Perl modules (some
> newer some older). Check for updates to each of them on the new machine
> and get the latest versions.

Sure, but I don't think the numbers I'm seeing can be explained away by module version differences.

> Also - you're looking at the 'Log Speed' output on both machines and
> because they are showing different lower numbers you're jumping to the
> conclusion that something is wrong.... it could be - but the only way to
> be certain is to process the *same* batch of messages on both machines
> (without any other traffic running at the same time) and then comparing
> the results.
>
> I'd expect the bytes throughput shown in the logs to vary greatly for
> each batch due to the fact that some messages are larger and more
> complex than others, so unless you are running the same batches through
> - then you can't really know for sure that one is slower than the other.
That's exactly what I'm doing - relaying a message through the test box to my home box & comparing the figures. I correlate the ms logs with the exim logs to make sure I'm comparing correctly.

>
> 3) Do you have anything configured in 'Spam Lists' or 'Spam Domain
> List' on either machine in MailScanner.conf??

Tried turning off, still sucky.

>
> 4) Have you mounted /var/spool/MailScanner/incoming on tmpfs?

On this box not really an option, can't upgrade the RAM beyond 2G & it has to perform duties other than MS :(

I'm strongly tending towards the theory that I/O is crappy on this box. I read something not very complimentary about the smart array 5/i on Linux & certainly the bonnie++ results are worse than those for my home box (2 x 15K SCSI on the test box, 2 x 7.2K SATA at home).

In all likelihood I'll now be given a new box for MS with enough RAM to do incoming on tmpfs :)

Thanks for your suggestions Steve.

Best regards,

Ben.

--
Ben Tisdall
Linux Systems Administrator | www.photobox.com

From MailScanner at ecs.soton.ac.uk Tue Sep 16 12:33:02 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Sep 16 12:33:22 2008
Subject: New beta released -- avoids Clamd DoS attack
Message-ID: <48CF996E.7010308@ecs.soton.ac.uk>

I have just released beta version 4.72.2.

The important change is this (from the Change Log):

Filename and filetype checks are now done before virus scanning. This means that you can use the "deny+delete" type of filename or filetype rule to selectively delete files that will choke your buggy virus scanner.

I hope this helps you out there! Remember to use "deny+delete" instead of "deny" in filename.rules.conf where you want to stop your virus scanner being attacked.

Please let me know how you get on.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From ms-list at alexb.ch Tue Sep 16 12:41:33 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Tue Sep 16 12:41:50 2008
Subject: clamd DoS?
In-Reply-To:
References: <48CE37ED.6040200@nerc.ac.uk> <48CE7FD0.3070909@ecs.soton.ac.uk> <48CE8854.8000508@ecs.soton.ac.uk> <48CEC9C4.9010507@ecs.soton.ac.uk>
Message-ID: <48CF9B6D.5030105@alexb.ch>

On 9/16/2008 12:59 PM, Raymond Dijkxhoorn wrote:
> Hi!
>
>>> I was seeing a number of spam messages coming in w/the subject "Credit
>>> card transaction report". Every now and then one would get tagged as a
>>> virus, but most weren't. However, I went into MailWatch, selected one
>>> that wasn't marked as viral and saved the attached Report.zip to my
>>> linux workstation. Ark extracted the file report.doc.exe. I kicked off
>>> top in a term window, opened another terminal and ran 'clamscan
>>> report.doc.exe'. W/in a couple seconds CPU utilization was pegged.
>>>
>>> I'm running plain old clamav, not clamscan or clamd.
>>>
>>> Not much to go on, but maybe this will help a bit...
>
>> Ooh, can you post this on the web somewhere and tell me the URL so I
>> can fetch this file and construct a message round it for testing?
>
> The guys @ ClamAV are also looking into this (Thanks Luca!)

Luca rocks! (tell him this :-)

Today I saw more floods of randomly detected/bypassed MS and AV scanners cases.

good thing there are other ways to catch & block or kill them :-)

Alex

From martinh at solidstatelogic.com Tue Sep 16 13:22:41 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Tue Sep 16 13:23:08 2008
Subject: clamd DoS?
In-Reply-To: <48CF9B6D.5030105@alexb.ch>
Message-ID: <45e25328f7808c4eb7892dfa0cf3653a@solidstatelogic.com>

Yeah - another virus scanner in the list - Sophos is blocking these nicely in concert with MS.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Alex Broens
> Sent: 16 September 2008 12:42
> To: MailScanner discussion
> Subject: Re: clamd DoS?
>
> On 9/16/2008 12:59 PM, Raymond Dijkxhoorn wrote:
> > Hi!
> >
> >>> I was seeing a number of spam messages coming in w/the subject
> >>> "Credit card transaction report". Every now and then one
> would get
> >>> tagged as a virus, but most weren't. However, I went into
> >>> MailWatch, selected one that wasn't marked as viral and saved the
> >>> attached Report.zip to my linux workstation. Ark
> extracted the file
> >>> report.doc.exe. I kicked off top in a term window,
> opened another
> >>> terminal and ran 'clamscan report.doc.exe'. W/in a
> couple seconds CPU utilization was pegged.
> >>>
> >>> I'm running plain old clamav, not clamscan or clamd.
> >>>
> >>> Not much to go on, but maybe this will help a bit...
> >
> >> Ooh, can you post this on the web somewhere and tell me
> the URL so I
> >> can fetch this file and construct a message round it for testing?
> >
> > The guys @ ClamAV are also looking into this (Thanks Luca!)
>
> Luca rocks! (tell him this :-)
>
> Today I saw more floods of randomly detected/bypassed MS and
> AV scanners
> cases.
>
> good thing there are other ways to catch & block or kill them :-)
>
> Alex
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

From glenn.steen at gmail.com Tue Sep 16 13:49:18 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Sep 16 13:49:28 2008
Subject: Desperately trying to debug poor spam scanning performance
In-Reply-To: <48CF9499.4020707@photobox.com>
References: <48CA9E61.7080506@photobox.com> <5A881BE9-B6B4-463D-BFE0-0D7FFF8C80F3@rtpty.com> <48CABC5B.2010603@photobox.com> <48CE44D6.9090907@ecs.soton.ac.uk> <48CE620E.9060909@photobox.com> <48CF9138.4020601@fsl.com> <48CF9499.4020707@photobox.com>
Message-ID: <223f97700809160549i3ebcc672k669be5ab87deb0cf@mail.gmail.com>

2008/9/16 Ben Tisdall :
> Steve Freegard wrote:
> (snip)
>>
>> 4) Have you mounted /var/spool/MailScanner/incoming on tmpfs?
>
> On this box not really an option, can't upgrade the RAM beyond 2G & it
> has to perform duties other than MS :(
>
> I'm strongly tending towards the theory that I/O is crappy on this box.
> I read something not very complimentary about the smart array 5/i on
> Linux & certainly the bonnie++ results are worse than those for my home
> box (2 x 15K SCSI on the test box, 2 x 7.2K SATA at home).

Sorry for not noticing this earlier:/. Smart 5i with write memory cache "addon" is "somewhat OK", the default el cheapo 5i you find onboard is usually not worth using. They will suck eggs through straws, when it comes to write performance. Get a real RAID card, not the memory thing... better value for money. Smarts are generally OK, so long as you stay away from the really _too_ cheap thingies:-).

> In all likelihood I'll now be given a new box for MS with enough RAM to
> do incoming on tmpfs :)

New box == better RAID controller;-). My latest is a HP DL360G5 ... Actually with a very basic setup (==low price). Good value for money AFAICS. The E200i seems to perform OK:-).

> Thanks for your suggestions Steve.
>
> Best regards,
>
> Ben.
>

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From J.Ede at birchenallhowden.co.uk Tue Sep 16 14:02:34 2008
From: J.Ede at birchenallhowden.co.uk (Jason Ede)
Date: Tue Sep 16 14:05:32 2008
Subject: Desperately trying to debug poor spam scanning performance
In-Reply-To: <223f97700809160549i3ebcc672k669be5ab87deb0cf@mail.gmail.com>
References: <48CA9E61.7080506@photobox.com> <5A881BE9-B6B4-463D-BFE0-0D7FFF8C80F3@rtpty.com> <48CABC5B.2010603@photobox.com> <48CE44D6.9090907@ecs.soton.ac.uk> <48CE620E.9060909@photobox.com> <48CF9138.4020601@fsl.com> <48CF9499.4020707@photobox.com>, <223f97700809160549i3ebcc672k669be5ab87deb0cf@mail.gmail.com>
Message-ID: <4CAB0118AEC63A4FAAE77E6BCBDF760C792A26CDF4@server02.bhl.local>

You could try looking at the RAID performance...
first with just

hdparm -t /dev/sda

Then try changing blocksize by using

blockdev --setra 0 /dev/sda

and trying values of say 0,1,2,4,16,32,64,128,256 (default CentOS one I believe), 512, 1024,2048

Should be able to produce a table of read/write performance on each system... Be interesting to compare the values of the 2 servers.

Jason

________________________________________
From: mailscanner-bounces@lists.mailscanner.info [mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen [glenn.steen@gmail.com]
Sent: 16 September 2008 13:49
To: MailScanner discussion
Subject: Re: Desperately trying to debug poor spam scanning performance

2008/9/16 Ben Tisdall :
> Steve Freegard wrote:
> (snip)
>>
>> 4) Have you mounted /var/spool/MailScanner/incoming on tmpfs?
>
> On this box not really an option, can't upgrade the RAM beyond 2G & it
> has to perform duties other than MS :(
>
> I'm strongly tending towards the theory that I/O is crappy on this box.
> I read something not very complimentary about the smart array 5/i on
> Linux & certainly the bonnie++ results are worse than those for my home
> box (2 x 15K SCSI on the test box, 2 x 7.2K SATA at home).

Sorry for not noticing this earlier:/. Smart 5i with write memory cache "addon" is "somewhat OK", the default el cheapo 5i you find onboard is usually not worth using. They will suck eggs through straws, when it comes to write performance. Get a real RAID card, not the memory thing... better value for money. Smarts are generally OK, so long as you stay away from the really _too_ cheap thingies:-).

> In all likelihood I'll now be given a new box for MS with enough RAM to
> do incoming on tmpfs :)

New box == better RAID controller;-). My latest is a HP DL360G5 ... Actually with a very basic setup (==low price). Good value for money AFAICS. The E200i seems to perform OK:-).

> Thanks for your suggestions Steve.
>
> Best regards,
>
> Ben.
>

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From richard.frovarp at sendit.nodak.edu Tue Sep 16 15:27:57 2008
From: richard.frovarp at sendit.nodak.edu (Richard Frovarp)
Date: Tue Sep 16 15:28:10 2008
Subject: Desperately trying to debug poor spam scanning performance
In-Reply-To: <48CF9499.4020707@photobox.com>
References: <48CA9E61.7080506@photobox.com> <5A881BE9-B6B4-463D-BFE0-0D7FFF8C80F3@rtpty.com> <48CABC5B.2010603@photobox.com> <48CE44D6.9090907@ecs.soton.ac.uk> <48CE620E.9060909@photobox.com> <48CF9138.4020601@fsl.com> <48CF9499.4020707@photobox.com>
Message-ID: <48CFC26D.1060509@sendit.nodak.edu>

Ben Tisdall wrote:
> Steve Freegard wrote:
>
>
>> IMHO - Pyzor isn't usable anymore unless you are low-volume and can put
>> up with the timeouts decreasing your scanner throughput, so I always
>> either don't install it or disable it.
>>
>> Even though it appears to be unwell on your machines anyway - disabling
>> it will prevent the need for the code to get loaded anyway.
>>
>
>
> Interesting to hear your take on this, anyone else share this view?
>

I dumped Pyzor long ago. The timeouts were killing performance. Razor seems to work well enough.

From jonas at vrt.dk Tue Sep 16 15:31:22 2008
From: jonas at vrt.dk ('Jonas Akrouh Larsen)
Date: Tue Sep 16 15:31:32 2008
Subject: Free virusscanner
Message-ID: <004b01c91808$e47752c0$ad65f840$@dk>

Hi List

As some of you may know Bitdefender used to have a 100% free edition of their product for linux.

Sometime in 2006 they changed their policy though.
You can get a license here: http://www.bitdefender.com/site/Products/ScannerLicense/

And the actual download can be found here: http://download.bitdefender.com/SMB/Workstation_Security_and_Management/BitDefender_Antivirus_Scanner_for_Unices/Unix/Current/EN/Version_7.x/Linux/

I looked into getting bitdefender working about a year ago but could not find the right URLs. So I thought I would send a quick post if others had been wondering too.

The license is valid for home/private use, so it's a no go for businesses if they want to stay legit.

Maybe somebody could update the wiki with this info.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080916/77dd5e02/attachment.html

From alex at rtpty.com Tue Sep 16 15:57:58 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Tue Sep 16 15:58:11 2008
Subject: Free virusscanner
In-Reply-To: <004b01c91808$e47752c0$ad65f840$@dk>
References: <004b01c91808$e47752c0$ad65f840$@dk>
Message-ID: <599626BE-365C-4B20-B35A-8AE16DCAA306@rtpty.com>

Thanks for the info. Those of us with boxes running our own mail at home can use it alongside clamav*.

On Sep 16, 2008, at 9:31 AM, Jonas Akrouh Larsen wrote:
> You can get a license here: http://www.bitdefender.com/site/Products/ScannerLicense/
>
> And the actual download can be found here:http://download.bitdefender.com/SMB/Workstation_Security_and_Management/BitDefender_Antivirus_Scanner_for_Unices/Unix/Current/EN/Version_7.x/Linux/
>

From ssilva at sgvwater.com Tue Sep 16 16:40:01 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Sep 16 16:40:19 2008
Subject: Free virusscanner
In-Reply-To: <599626BE-365C-4B20-B35A-8AE16DCAA306@rtpty.com>
References: <004b01c91808$e47752c0$ad65f840$@dk> <599626BE-365C-4B20-B35A-8AE16DCAA306@rtpty.com>
Message-ID:

on 9-16-2008 7:57 AM Alex Neuman van der Hans spake the following:
> Thanks for the info.
Those of us with boxes running our own mail at home
> can use it alongside clamav*.
>
> On Sep 16, 2008, at 9:31 AM, Jonas Akrouh Larsen wrote:
>
>> You can get a license here:
>> http://www.bitdefender.com/site/Products/ScannerLicense/
>>
>> And the actual download can be found
>> here:http://download.bitdefender.com/SMB/Workstation_Security_and_Management/BitDefender_Antivirus_Scanner_for_Unices/Unix/Current/EN/Version_7.x/Linux/
>>
>>
>
F-prot also has a "free for home use" scanner, as does AVG I believe. You can still find the old free bitdefender scanner in a google search, but I don't know how well it works anymore.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 250 bytes
Desc: OpenPGP digital signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080916/6d20ba70/signature.bin

From lists at tippingmar.com Tue Sep 16 17:44:13 2008
From: lists at tippingmar.com (Mark Nienberg)
Date: Tue Sep 16 17:44:44 2008
Subject: Desperately trying to debug poor spam scanning performance
In-Reply-To: <48CF9499.4020707@photobox.com>
References: <48CA9E61.7080506@photobox.com> <5A881BE9-B6B4-463D-BFE0-0D7FFF8C80F3@rtpty.com> <48CABC5B.2010603@photobox.com> <48CE44D6.9090907@ecs.soton.ac.uk> <48CE620E.9060909@photobox.com> <48CF9138.4020601@fsl.com> <48CF9499.4020707@photobox.com>
Message-ID: <48CFE25D.3010902@tippingmar.com>

Ben Tisdall wrote:
> Steve Freegard wrote:
>
>
>> IMHO - Pyzor isn't usable anymore unless you are low-volume and can put
>> up with the timeouts decreasing your scanner throughput, so I always
>> either don't install it or disable it.
>>
>>
>
> Interesting to hear your take on this, anyone else share this view?
>
>
Pyzor works well for me with the alternative pyzor server.
In your .pyzor/servers file you should have

82.94.255.100:24441

Mark Nienberg

From steve.freegard at fsl.com Tue Sep 16 17:55:08 2008
From: steve.freegard at fsl.com (Steve Freegard)
Date: Tue Sep 16 17:55:20 2008
Subject: Desperately trying to debug poor spam scanning performance
In-Reply-To: <48CFE25D.3010902@tippingmar.com>
References: <48CA9E61.7080506@photobox.com> <5A881BE9-B6B4-463D-BFE0-0D7FFF8C80F3@rtpty.com> <48CABC5B.2010603@photobox.com> <48CE44D6.9090907@ecs.soton.ac.uk> <48CE620E.9060909@photobox.com> <48CF9138.4020601@fsl.com> <48CF9499.4020707@photobox.com> <48CFE25D.3010902@tippingmar.com>
Message-ID: <48CFE4EC.6080907@fsl.com>

Mark Nienberg wrote:
> Ben Tisdall wrote:
>> Steve Freegard wrote:
>>
>>
>>> IMHO - Pyzor isn't usable anymore unless you are low-volume and can put
>>> up with the timeouts decreasing your scanner throughput, so I always
>>> either don't install it or disable it.
>>>
>>>
>>
>> Interesting to hear your take on this, anyone else share this view?
>>
>>
> Pyzor works well for me with the alternative pyzor server. In your
> .pyzor/servers file you should have
>
> 82.94.255.100:24441
>

I knew about this server - but I'd still rather not trust my mail throughput to a single point of failure that everyone is querying.

That's the biggest problem with Pyzor - the back-end has no easy way to replicate to slaves.

Cheers,
Steve.

From lists at tippingmar.com Tue Sep 16 18:12:02 2008
From: lists at tippingmar.com (Mark Nienberg)
Date: Tue Sep 16 18:12:19 2008
Subject: Desperately trying to debug poor spam scanning performance
In-Reply-To: <48CFE4EC.6080907@fsl.com>
References: <48CA9E61.7080506@photobox.com> <5A881BE9-B6B4-463D-BFE0-0D7FFF8C80F3@rtpty.com> <48CABC5B.2010603@photobox.com> <48CE44D6.9090907@ecs.soton.ac.uk> <48CE620E.9060909@photobox.com> <48CF9138.4020601@fsl.com> <48CF9499.4020707@photobox.com> <48CFE25D.3010902@tippingmar.com> <48CFE4EC.6080907@fsl.com>
Message-ID: <48CFE8E2.2020806@tippingmar.com>

Steve Freegard wrote:
> Mark Nienberg wrote:
>> Pyzor works well for me with the alternative pyzor server. In your
>> .pyzor/servers file you should have
>>
>> 82.94.255.100:24441
>>
>
> I knew about this server - but I'd still rather not trust my mail
> throughput to a single point of failure that everyone is querying.
>
> That's the biggest problem with Pyzor - the back-end has no easy way
> to replicate to slaves.
>
Maybe it is because of my low volume (3000 msgs per day) but I haven't seen a spamassassin timeout of any kind in about a year. But I see what you mean about the pyzor server. I'm prepared to disable pyzor if it ever starts timing out for me.

Mark Nienberg

From campbell at cnpapers.com Tue Sep 16 20:22:03 2008
From: campbell at cnpapers.com (Steve Campbell)
Date: Tue Sep 16 20:22:20 2008
Subject: Autocommit errors are back?
Message-ID: <48D0075B.80402@cnpapers.com>

I just installed the new 4.71.10-1 and am seeing the following lines in my maillog.

commit ineffective with AutoCommit enabled at /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93, line 639.
Commmit ineffective while AutoCommit is on at /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93, line 639.

I found in my older list mailings from 8/29/2008 that this was just debugging code, and would be removed after 4.71.7.
Do I have other problems or should I remove lines somewhere?

Thanks

Steve Campbell

From campbell at cnpapers.com Tue Sep 16 20:24:41 2008
From: campbell at cnpapers.com (Steve Campbell)
Date: Tue Sep 16 20:26:36 2008
Subject: sa-update question also
Message-ID: <48D007F9.8090205@cnpapers.com>

Sorry, should have all been in one mail.

I see where I have sa-update saved as sa-update.rpmsave, but I don't see a new one. Can someone explain the procedures now in place, please?

Again Thanks.

Steve Campbell

From MailScanner at ecs.soton.ac.uk Tue Sep 16 20:35:10 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Sep 16 20:35:29 2008
Subject: Autocommit errors are back?
In-Reply-To:
References:
Message-ID: <48D00A6E.6090405@ecs.soton.ac.uk>

Steve Campbell wrote:
> I just installed the new 4.71.10-1 and am seeing the following lines
> in my maillog.
>
> commit ineffective with AutoCommit enabled at
> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93,
> line 639.
> Commmit ineffective while AutoCommit is on at
> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93,
> line 639.
>
> I found in my older list mailings from 8/29/2008 that this was just
> debugging code, and would be removed after 4.71.7. Do I have other
> problems or should I remove lines somewhere?
This is caused by MailWatch, nothing to do with me or MailScanner at all.
It won't be removed by MailScanner, ain't my problem :-)

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
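
Added example, not MailWatch or MailScanner code: "commit ineffective with AutoCommit enabled", the first warning quoted in the message above, is what Perl's DBI emits when commit() is called on a handle that has AutoCommit switched on. The sketch below assumes an in-memory DBD::SQLite database in place of MailWatch's MySQL backend and a hypothetical table name, and contrasts the call that triggers the warning with an explicit transaction.

```perl
#!/usr/bin/perl
# Added illustration: reproduces DBI's AutoCommit warning and shows a
# transaction that does not trigger it.
# Assumptions: DBD::SQLite (in-memory) stands in for MySQL; the table
# maillog_demo and the message ids are constructed for this example.
use strict;
use warnings;
use DBI;

# Run a block and collect the warnings it raises instead of letting them
# reach STDERR, which is the path by which they end up in the mail log.
sub warnings_from {
    my ($code) = @_;
    my @seen;
    local $SIG{__WARN__} = sub { push @seen, $_[0] };
    $code->();
    return @seen;
}

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { AutoCommit => 1, RaiseError => 1, PrintError => 0 });
$dbh->do('CREATE TABLE maillog_demo (id TEXT PRIMARY KEY, verdict TEXT)');

# Case 1: AutoCommit is on, so the INSERT is committed as soon as it
# returns. The explicit commit has nothing left to do and DBI warns.
my @autocommit_warnings = warnings_from(sub {
    $dbh->do(q{INSERT INTO maillog_demo VALUES ('constructed-id-1', 'clean')});
    $dbh->commit;
});

# Case 2: begin_work turns AutoCommit off until the next commit or
# rollback, so the commit closes a real transaction.
my @transaction_warnings = warnings_from(sub {
    $dbh->begin_work;
    $dbh->do(q{INSERT INTO maillog_demo VALUES ('constructed-id-2', 'spam')});
    $dbh->commit;
});

# Case 3: inside begin_work a rollback discards the row, which is the
# behaviour the caller loses when every statement auto-commits.
my @rollback_warnings = warnings_from(sub {
    $dbh->begin_work;
    $dbh->do(q{INSERT INTO maillog_demo VALUES ('constructed-id-3', 'spam')});
    $dbh->rollback;
});

my ($rows) = $dbh->selectrow_array('SELECT COUNT(*) FROM maillog_demo');

printf "AutoCommit on + commit : %d warning(s)\n", scalar @autocommit_warnings;
print  "  $_" for @autocommit_warnings;
printf "begin_work + commit    : %d warning(s)\n", scalar @transaction_warnings;
printf "begin_work + rollback  : %d warning(s)\n", scalar @rollback_warnings;
printf "rows stored            : %d\n", $rows;

$dbh->disconnect;
```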

From ssilva at sgvwater.com Tue Sep 16 20:37:31 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Sep 16 20:37:49 2008
Subject: Autocommit errors are back?
In-Reply-To: <48D0075B.80402@cnpapers.com>
References: <48D0075B.80402@cnpapers.com>
Message-ID:

on 9-16-2008 12:22 PM Steve Campbell spake the following:
> I just installed the new 4.71.10-1 and am seeing the following lines in
> my maillog.
>
> commit ineffective with AutoCommit enabled at
> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93,
> line 639.
> Commmit ineffective while AutoCommit is on at
> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93,
> line 639.
>
> I found in my older list mailings from 8/29/2008 that this was just
> debugging code, and would be removed after 4.71.7. Do I have other
> problems or should I remove lines somewhere?
>
> Thanks
>
> Steve Campbell
>
AFAIR it is from having autocommit on in the mysql database (I do believe it is the default) and the various commits in the database code for mailwatch. It is noisy but harmless, and not part of the mailscanner code.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 250 bytes
Desc: OpenPGP digital signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080916/626bd9a0/signature.bin

From campbell at cnpapers.com Tue Sep 16 20:55:11 2008
From: campbell at cnpapers.com (Steve Campbell)
Date: Tue Sep 16 20:55:26 2008
Subject: Autocommit errors are back?
In-Reply-To: <48D00A6E.6090405@ecs.soton.ac.uk>
References: <48D00A6E.6090405@ecs.soton.ac.uk>
Message-ID: <48D00F1F.1050601@cnpapers.com>

Julian Field wrote:
>
>
> Steve Campbell wrote:
>> I just installed the new 4.71.10-1 and am seeing the following lines
>> in my maillog.
>>
>> commit ineffective with AutoCommit enabled at
>> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line
>> 93, line 639.
>> Commmit ineffective while AutoCommit is on at
>> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line
>> 93, line 639.
>>
>> I found in my older list mailings from 8/29/2008 that this was just
>> debugging code, and would be removed after 4.71.7. Do I have other
>> problems or should I remove lines somewhere?
> This is caused by MailWatch, nothing to do with me or MailScanner at all.
> It won't be removed by MailScanner, ain't my problem :-)
>
> Jules

Gotcha,

Just misled by the previous postings. It only happens upon startup anyway (I think)

Sorry to point a finger the wrong way.

Steve

From ssilva at sgvwater.com Tue Sep 16 21:02:44 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Sep 16 21:03:07 2008
Subject: sa-update question also
In-Reply-To: <48D007F9.8090205@cnpapers.com>
References: <48D007F9.8090205@cnpapers.com>
Message-ID:

on 9-16-2008 12:24 PM Steve Campbell spake the following:
> Sorry, should have all been in one mail.
>
> I see where I have sa-update saved as sa-update.rpmsave, but I don't see
> a new one. Can someone explain the procedures now in place, please?
>
> Again Thanks.
>
> Steve Campbell
>
I don't see this on any of my machines. Maybe a postinstall script misfired on you if your sa-update was changed from the original.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 250 bytes
Desc: OpenPGP digital signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080916/58337ec3/signature.bin

From ljosnet at gmail.com Tue Sep 16 21:39:01 2008
From: ljosnet at gmail.com (Ljósnet)
Date: Tue Sep 16 21:39:11 2008
Subject: Syntax error(s) in configuration file
In-Reply-To: <4857E802.5060907@ecs.soton.ac.uk>
References: <4857E802.5060907@ecs.soton.ac.uk>
Message-ID: <910ee2ac0809161339ke617917oa377ed4f1b52b272@mail.gmail.com>

I just did a clean install from the latest stable version of MailScanner and this was in my MailScanner.conf.

On Tue, Jun 17, 2008 at 4:36 PM, Julian Field wrote:
> Run "upgrade_MailScanner_conf" and it will tell you how to use this command,
> which will fix this problem for you. Whenever you change your MailScanner
> version (upgrade or downgrade, it handles both) you should re-run
> upgrade_MailScanner_conf to fix up your MailScanner.conf file.
>
> Martin.Hepworth wrote:
>>
>> David
>>
>> Kinda what it says really....you no longer need a spamassassisinprefs
>> setting in MailScanner.conf.
>>
>> --
>> Martin Hepworth
>> Snr Systems Administrator
>> Solid State Logic
>> Tel: +44 (0)1865 842300
>>
>>
>>>
>>> -----Original Message-----
>>> From: mailscanner-bounces@lists.mailscanner.info
>>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
>>> Of David Guillermo
>>> Sent: 17 June 2008 11:35
>>> To: MailScanner discussion
>>> Subject: Syntax error(s) in configuration file
>>>
>>> Hi.
>>>
>>> my problem is:
>>>
>>> Jun 17 12:20:16 servidor1 MailScanner[26675]: MailScanner
>>> E-Mail Virus Scanner version 4.69.9 starting...
>>> Jun 17 12:20:17 servidor1 MailScanner[26675]: Syntax error(s)
>>> in configuration file:
>>> Jun 17 12:20:17 servidor1 MailScanner[26675]: Unrecognised
>>> keyword "spamassassinprefsfile" at line 1412 Jun 17 12:20:17
>>> servidor1 MailScanner[26675]: Warning: syntax errors in
>>> /etc/MailScanner/MailScanner.conf.
>>>
>>> in my /etc/MailScanner/MailScanner.conf.
>>> is
>>> SpamAssassin Prefs File = %etc-dir%/spam.assassin.prefs.conf
>>>
>>> my version... MailScanner -V
>>>
>>> This is Fedora Core release 6 (Zod)
>>> This is Perl version 5.008008 (5.8.8)
>>>
>>> This is MailScanner version 4.69.9
>>>
>>> --
>>> -:- j0d3
>>> David Guillermo Rodriguez
>>> Debian Unstable/Sid GNU/Linux
>>> e-mail: davocasc98@gmail.com
>>> http://j0d3.blogspot.com
>>> CPU model: AMD Athlon(tm) 64 X2 Dual Core Processor 4600+
>>> Kernel: 2.6.24.2
>>> Linux user #408522
>>> -:-
>>
>
> Jules
>
> --
> Julian Field MEng CITP CEng
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> MailScanner customisation, or any advanced system administration help?
> Contact me at Jules@Jules.FM
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> PGP public key: http://www.jules.fm/julesfm.asc
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>

From jasonkdick at yahoo.com Tue Sep 16 21:53:35 2008
From: jasonkdick at yahoo.com (Jason Dick)
Date: Tue Sep 16 21:53:45 2008
Subject: SpamAssassin not being Called
Message-ID: <277347.45036.qm@web36606.mail.mud.yahoo.com>

I have installed MailScanner 4.72.2 and SpamAssassin 3.2.5 on a Fedora Core 2 box and I am having problems with SpamAssassin. MailScanner seems to work just fine but it never seems to call SpamAssassin.

I have the following set in MailScanner.conf:
Spam Checks = yes
Spam List =
Spam Domain List =
Use SpamAssassin = yes
Log Spam = yes
Debug SpamAssassin = yes

Here's what maillog shows:
Sep 16 16:30:40 icegate2 MailScanner[4229]: New Batch: Scanning 1 messages, 177272 bytes
Sep 16 16:30:40 icegate2 MailScanner[4229]: Saved archive copies of m8GKUd1S004232
Sep 16 16:30:40 icegate2 MailScanner[4229]: Spam Checks: Starting
Sep 16 16:30:41 icegate2 MailScanner[4229]: Filename Checks: Blocked Filename Detected (m8GKUd1S004232 msg-4229-2.gif)
Sep 16 16:30:41 icegate2 MailScanner[4229]: Other Checks: Found 1 problems
Sep 16 16:30:41 icegate2 MailScanner[4229]: Virus and Content Scanning: Starting
Sep 16 16:30:41 icegate2 MailScanner[4229]: Saved infected "msg-4229-2.gif" to /var/spool/MailScanner/quarantine/20080916/m8GKUd1S004232
Sep 16 16:30:41 icegate2 MailScanner[4229]: Cleaned: Delivered 1 cleaned messages

I get no errors on lint either.
spamassassin -C spam.assassin.prefs.conf --lint

It's been a few years since I've used MailScanner but I don't remember having to do anything special to get it to work. Anyone have any ideas why SpamAssassin is not being called or how I can debug it?

Jason

From MailScanner at ecs.soton.ac.uk Tue Sep 16 21:53:59 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Sep 16 21:54:21 2008
Subject: Syntax error(s) in configuration file
In-Reply-To:
References: <4857E802.5060907@ecs.soton.ac.uk>
Message-ID: <48D01CE7.80705@ecs.soton.ac.uk>

Well I just checked the MailScanner.conf file I distribute and it isn't in there. So I am not quite sure how you got it, but the most likely route is that your system already had a /etc/MailScanner/MailScanner.conf file from a previous version in it.

Ljósnet wrote:
> I just did a clean install from the latest stable version of
> MailScanner and this was in my MailScanner.conf.
>
> On Tue, Jun 17, 2008 at 4:36 PM, Julian Field
> wrote:
>
>> Run "upgrade_MailScanner_conf" and it will tell you how to use this command,
>> which will fix this problem for you. Whenever you change your MailScanner
>> version (upgrade or downgrade, it handles both) you should re-run
>> upgrade_MailScanner_conf to fix up your MailScanner.conf file.
>>
>> Martin.Hepworth wrote:
>>
>>> David
>>>
>>> Kinda what it says really....you no longer need a spamassassisinprefs
>>> setting in MailScanner.conf.
>>>
>>> --
>>> Martin Hepworth
>>> Snr Systems Administrator
>>> Solid State Logic
>>> Tel: +44 (0)1865 842300
>>>
>>>
>>>
>>>> -----Original Message-----
>>>> From: mailscanner-bounces@lists.mailscanner.info
>>>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
>>>> Of David Guillermo
>>>> Sent: 17 June 2008 11:35
>>>> To: MailScanner discussion
>>>> Subject: Syntax error(s) in configuration file
>>>>
>>>> Hi.
>>>>
>>>> my problem is:
>>>>
>>>> Jun 17 12:20:16 servidor1 MailScanner[26675]: MailScanner
>>>> E-Mail Virus Scanner version 4.69.9 starting...
>>>> Jun 17 12:20:17 servidor1 MailScanner[26675]: Syntax error(s)
>>>> in configuration file:
>>>> Jun 17 12:20:17 servidor1 MailScanner[26675]: Unrecognised
>>>> keyword "spamassassinprefsfile" at line 1412 Jun 17 12:20:17
>>>> servidor1 MailScanner[26675]: Warning: syntax errors in
>>>> /etc/MailScanner/MailScanner.conf.
>>>>
>>>> in my /etc/MailScanner/MailScanner.conf.
>>>> is
>>>> SpamAssassin Prefs File = %etc-dir%/spam.assassin.prefs.conf
>>>>
>>>> my version...
MailScanner -V
>>>>
>>>> This is Fedora Core release 6 (Zod)
>>>> This is Perl version 5.008008 (5.8.8)
>>>>
>>>> This is MailScanner version 4.69.9
>>>>
>>>> --
>>>> -:- j0d3
>>>> David Guillermo Rodriguez
>>>> Debian Unstable/Sid GNU/Linux
>>>> e-mail: davocasc98@gmail.com
>>>> http://j0d3.blogspot.com
>>>> CPU model: AMD Athlon(tm) 64 X2 Dual Core Processor 4600+
>>>> Kernel: 2.6.24.2
>>>> Linux user #408522
>>>> -:-
>>>
>>
>> Jules
>>
>> --
>> Julian Field MEng CITP CEng
>> www.MailScanner.info
>> Buy the MailScanner book at www.MailScanner.info/store
>>
>> MailScanner customisation, or any advanced system administration help?
>> Contact me at Jules@Jules.FM
>>
>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>> PGP public key: http://www.jules.fm/julesfm.asc
>>
>>
>> --
>> This message has been scanned for viruses and
>> dangerous content by MailScanner, and is
>> believed to be clean.
>>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From ssilva at sgvwater.com Tue Sep 16 22:21:08 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Sep 16 22:21:28 2008
Subject: Syntax error(s) in configuration file
In-Reply-To: <910ee2ac0809161339ke617917oa377ed4f1b52b272@mail.gmail.com>
References: <4857E802.5060907@ecs.soton.ac.uk> <910ee2ac0809161339ke617917oa377ed4f1b52b272@mail.gmail.com>
Message-ID:

on 9-16-2008 1:39 PM Ljósnet
spake the following:
> I just did a clean install from the latest stable version of
> MailScanner and this was in my MailScanner.conf.
>
The latest stable from www.mailscanner.info, or the latest stable from some packager's site like Debian?

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 250 bytes
Desc: OpenPGP digital signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080916/4bba1d56/signature.bin

From MailScanner at ecs.soton.ac.uk Tue Sep 16 22:21:47 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Sep 16 22:22:07 2008
Subject: SpamAssassin not being Called
In-Reply-To:
References:
Message-ID: <48D0236B.4030200@ecs.soton.ac.uk>

Jason Dick wrote:
> I have installed
> MailScanner 4.72.2 and SpamAssassin 3.2.5 on a Fedora Core 2 box and I am having problems
> with SpamAssassin. MailScanner seems to work just fine but it never seems to
> call SpamAssassin.
>
> I have the following
> set in MailScanner.conf:
> Spam Checks =
> yes
> Spam List =
> Spam
> Domain List =
> Use SpamAssassin = yes
> Log Spam =
> yes
> Debug SpamAssassin = yes
>
Switch this off. You only want to turn this on from the command-line.
>
> Here's what maillog
> shows:
> Sep 16 16:30:40
> icegate2 MailScanner[4229]: New Batch: Scanning 1 messages, 177272 bytes
> Sep
> 16 16:30:40 icegate2 MailScanner[4229]: Saved archive copies of
> m8GKUd1S004232
> Sep 16 16:30:40 icegate2 MailScanner[4229]: Spam Checks:
> Starting
> Sep 16 16:30:41 icegate2 MailScanner[4229]: Filename Checks: Blocked
> Filename Detected (m8GKUd1S004232 msg-4229-2.gif)
> Sep 16 16:30:41 icegate2
> MailScanner[4229]: Other Checks: Found 1 problems
> Sep 16 16:30:41 icegate2
> MailScanner[4229]: Virus and Content Scanning: Starting
> Sep 16 16:30:41
> icegate2 MailScanner[4229]: Saved infected "msg-4229-2.gif" to
> /var/spool/MailScanner/quarantine/20080916/m8GKUd1S004232
> Sep 16 16:30:41
> icegate2 MailScanner[4229]: Cleaned: Delivered 1 cleaned
> messages
>
> I get no errors on lint either.
> spamassassin -C spam.assassin.prefs.conf --lint
>
>
> It's been a few years since I've used MailScanner but I don't remember
> having to do anything special to get it to work. Anyone have any ideas why SpamAssassin is not being called or how I can debug it?
>
>
>
> Jason
>
>
>
>
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From campbell at cnpapers.com Wed Sep 17 00:01:18 2008
From: campbell at cnpapers.com (Steve Campbell)
Date: Wed Sep 17 00:03:16 2008
Subject: sa-update question also
In-Reply-To:
References: <48D007F9.8090205@cnpapers.com>
Message-ID: <1221606078.48d03abe2facf@perdition.cnpapers.net>

Quoting Scott Silva :
> on 9-16-2008 12:24 PM Steve Campbell spake the following:
> > Sorry, should have all been in one mail.
> >
> > I see where I have sa-update saved as sa-update.rpmsave, but I don't see
> > a new one. Can someone explain the procedures now in place, please?
> >
> > Again Thanks.
> >
> > Steve Campbell
> >
> I don't see this on any of my machines. Maybe a postinstall script misfired on
> you if your sa-update was changed from the original.
>
> --

I did find an update-spamassassin script (or was it spamassassin-update?) in /etc/cron.daily. Maybe I jumped the gun again. I'll check tomorrow as I had to get home to push my mower around a little more. It's tough getting old.

Thanks

Steve

From prandal at herefordshire.gov.uk Wed Sep 17 09:57:38 2008
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Wed Sep 17 09:58:01 2008
Subject: clamd DoS?
In-Reply-To:
References: <48CE37ED.6040200@nerc.ac.uk><48CE7FD0.3070909@ecs.soton.ac.uk><48CE8854.8000508@ecs.soton.ac.uk><48CEC9C4.9010507@ecs.soton.ac.uk>
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA04BFAE62@HC-MBX02.herefordshire.gov.uk>

From the ClamAV-users mailing list:

"Hi all,
This has been worked around with a signature update (daily 8262).
A definitive (in-the-code) solution will be included in 0.94.1

Thanks everyone,
-aCaB"

Cheers,

Phil

--
Phil Randal
Networks Engineer
Herefordshire Council
Hereford, UK

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Raymond Dijkxhoorn
Sent: 16 September 2008 11:59
To: MailScanner discussion
Subject: Re: clamd DoS?

Hi!

>> I was seeing a number of spam messages coming in w/the subject
>> "Credit card transaction report". Every now and then one would get
>> tagged as a virus, but most weren't. However, I went into MailWatch,
>> selected one that wasn't marked as viral and saved the attached
>> Report.zip to my linux workstation. Ark extracted the file
>> report.doc.exe.
>> I kicked off top in a term window, opened another
>> terminal and ran 'clamscan report.doc.exe'. W/in a couple seconds CPU utilization was pegged.
>>
>> I'm running plain old clamav, not clamscan or clamd.
>>
>> Not much to go on, but maybe this will help a bit...

> Ooh, can you post this on the web somewhere and tell me the URL so I
> can fetch this file and construct a message round it for testing?

The guys @ ClamAV are also looking into this (Thanks Luca!)

Bye,
Raymond.

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From tony.johansson at svenskakyrkan.se Wed Sep 17 12:59:13 2008
From: tony.johansson at svenskakyrkan.se (Tony Johansson)
Date: Wed Sep 17 12:59:32 2008
Subject: SpamAssassin cache hit inherits original spam score?
Message-ID:

We scan a number of different domains. Some have a required spam score of 7 while most use 5.

The individual spam scores for the domains work as desired but seems to fail at times if a spam is cached.

We've had examples where a domain that has set 5 as the required score gets spam delivered with a header as this:

X-Svenskakyrkan-SpamCheck: not spam, SpamAssassin (cached, score=6.81, required 7, BAYES_50 0.00, DCC_CHECK 2.17, URIBL_BLACK 3.00, URIBL_SBL 1.64)

Shouldn't the saved spam score be evaluated again when there is a cache hit?

Regards, Tony

From glenn.steen at gmail.com Wed Sep 17 13:07:34 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Sep 17 13:07:44 2008
Subject: Free virusscanner
In-Reply-To:
References: <004b01c91808$e47752c0$ad65f840$@dk> <599626BE-365C-4B20-B35A-8AE16DCAA306@rtpty.com>
Message-ID: <223f97700809170507n1001e05bq71989d7045dbee9@mail.gmail.com>

2008/9/16 Scott Silva :
> on 9-16-2008 7:57 AM Alex Neuman van der Hans spake the following:
>>
>> Thanks for the info.
>> Those of us with boxes running our own mail at home
>> can use it alongside clamav*.
>>
>> On Sep 16, 2008, at 9:31 AM, Jonas Akrouh Larsen wrote:
>>
>>> You can get a license here:
>>> http://www.bitdefender.com/site/Products/ScannerLicense/
>>>
>>> And the actual download can be found
>>> here: http://download.bitdefender.com/SMB/Workstation_Security_and_Management/BitDefender_Antivirus_Scanner_for_Unices/Unix/Current/EN/Version_7.x/Linux/
>>>
>>
> F-prot also has a "free for home use" scanner, as does AVG I believe. You
> can still find the old free bitdefender scanner in a google search, but I
> don't know how well it works anymore.
>
As does a few others....:-)
The "old" release just works... It still updates OK, is still a performance pig, and still finds enough viruses (and is sometimes fastest of my clamd, mcafee, bdc "triplet":-)... So I'll keep using that one for a bit;).

About the wiki... You can do that easily enough Jonas. The page is a bit in shambles, but ... I'm a bit stumped for time ATM. Could possibly post up the info in a day or two.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Wed Sep 17 13:12:09 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Sep 17 13:12:19 2008
Subject: Autocommit errors are back?
In-Reply-To: <48D00F1F.1050601@cnpapers.com>
References: <48D00A6E.6090405@ecs.soton.ac.uk> <48D00F1F.1050601@cnpapers.com>
Message-ID: <223f97700809170512w398778adv2191728055717316@mail.gmail.com>

2008/9/16 Steve Campbell :
>
>
> Julian Field wrote:
>>
>>
>> Steve Campbell wrote:
>>>
>>> I just installed the new 4.71.10-1 and am seeing the following lines in
>>> my maillog.
>>>
>>> commit ineffective with AutoCommit enabled at
>>> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93,
>>> line 639.
>>> Commmit ineffective while AutoCommit is on at
>>> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93,
>>> line 639.
>>>
>>> I found in my older list mailings from 8/29/2008 that this was just
>>> debugging code, and would be removed after 4.71.7. Do I have other problems
>>> or should I remove lines somewhere?
>>
>> This is caused by MailWatch, nothing to do with me or MailScanner at all.
>> It won't be removed by MailScanner, ain't my problem :-)
>>
>> Jules
>
> Gotcha,
>
> Just misled by the previous postings. It only happens upon startup anyway (I
> think)
>
> Sorry to point a finger the wrong way.
>
> Steve
>
No fingerpointing needed;-).
It is exactly as Scott says ... noisy and harmless...:)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From MailScanner at ecs.soton.ac.uk Wed Sep 17 16:26:19 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Sep 17 16:26:37 2008
Subject: SpamAssassin cache hit inherits original spam score?
In-Reply-To:
References:
Message-ID: <48D1219B.4030306@ecs.soton.ac.uk>

The cache does not store whether it was spam or not, it just caches the score points. So I'm not at all convinced you are seeing the behaviour you think you are, this may be the result of something else happening.

Tony Johansson wrote:
> We scan a number of different domains. Some have a required spam score
> of 7 while most use 5.
>
> The individual spam scores for the domains work as desired but seems to
> fail at times if a spam is cached.
>
> We've had examples where a domain that has set 5 as the required score
> gets spam delivered with a header as this:
> X-Svenskakyrkan-SpamCheck: not spam, SpamAssassin (cached, score=6.81,
> required 7, BAYES_50 0.00, DCC_CHECK 2.17, URIBL_BLACK 3.00, URIBL_SBL 1.64)
>
> Shouldn't the saved spam score be evaluated again when there is a cache hit?
>
> Regards, Tony
>

Jules

From roland at inbox4u.de Wed Sep 17 20:13:09 2008
From: roland at inbox4u.de (Ehle, Roland)
Date: Wed Sep 17 20:14:20 2008
Subject: AW: SpamAssassin cache hit inherits original spam score?
In-Reply-To:
References:
Message-ID:

Tony,

do you split messages to multiple recipients into one message per recipient? Maybe this is the point.

If you use different Spam Scores per Domain, you probably use a rules file. Are you sure the rules file is set up correctly? The default rule should be at the end of the file.

By the way: MailScanner works perfectly for me with different Spam Scores for the different domains. So there is probably a little dot missing in your configuration.

Regards,
Roland

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Tony Johansson
> Sent: Wednesday, 17 September 2008 13:59
> To: mailscanner@lists.mailscanner.info
> Subject: SpamAssassin cache hit inherits original spam score?
>
> We scan a number of different domains. Some have a required spam score
> of 7 while most use 5.
>
> The individual spam scores for the domains work as desired but seems to
> fail at times if a spam is cached.
>
> We've had examples where a domain that has set 5 as the required score
> gets spam delivered with a header as this:
> X-Svenskakyrkan-SpamCheck: not spam, SpamAssassin (cached, score=6.81,
> required 7, BAYES_50 0.00, DCC_CHECK 2.17, URIBL_BLACK 3.00, URIBL_SBL
> 1.64)
>
> Shouldn't the saved spam score be evaluated again when there is a cache
> hit?
>
> Regards, Tony
>

From paul at welshfamily.com Wed Sep 17 21:53:03 2008
From: paul at welshfamily.com (Paul Welsh)
Date: Wed Sep 17 21:53:31 2008
Subject: Viruses getting through
In-Reply-To: <200805311100.m4VB0MpV017805@safir.blacknight.ie>
Message-ID: <200809172053.m8HKrMFo000866@safir.blacknight.ie>

For the past few weeks I've had viruses getting through - the pesky ones that claim to be flight confirmations, bank statements or some such with small .zip files attached. I'm sure you know about them. Some are tagged as spam but not all.

The headers of a recent one show that the message is classed as clean:

Received: from [217.45.162.11] by etrn.borusantelekom.com; Wed, 17 Sep 2008 09:17:36 +0000
Message-ID: <01c918a6$39323800$0ba22dd9@ghw>
From: "Lindsey Avila"
Subject: Statement of fees 2008/09
Date: Wed, 17 Sep 2008 09:17:36 +0000
MIME-Version: 1.0
X-welshfamily-MailScanner: Found to be clean
X-welshfamily-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=0.407, required 6, autolearn=disabled, XMAILER_MIMEOLE_OL_4B815 0.41)
X-welshfamily-MailScanner-From: ghw@borashipping.com
X-Spam-Status: No

I'm using clamav and bitdefender but although updated with the latest definitions, it's probably ineffective because it's the free version v7.1.
Running freshclam yields this:

# freshclam
ClamAV update process started at Wed Sep 17 21:41:04 2008
main.cld is up to date (version: 48, sigs: 399264, f-level: 35, builder: sven)
daily.cld is up to date (version: 8272, sigs: 28579, f-level: 35, builder: ccordes)

Here's the version of clam:

# clamscan -V
ClamAV 0.94/8272/Wed Sep 17 21:16:02 2008

I'm running MailScanner version 4.71.10.

I did browse the archive of this list but couldn't find the answer. Any help appreciated.

From martinh at solidstatelogic.com Wed Sep 17 22:22:00 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Wed Sep 17 22:17:15 2008
Subject: Viruses getting through
Message-ID:

Paul

Was fixed last night in clamav, sophos has been detecting these fine for what it's worth. Can't say I've any in last 18 hours or so though.

--
martin

-----Original Message-----
From: Paul Welsh
Sent: 17 September 2008 22:01
To: mailscanner@lists.mailscanner.info
Subject: Viruses getting through

For the past few weeks I've had viruses getting through - the pesky ones that claim to be flight confirmations, bank statements or some such with small .zip files attached. I'm sure you know about them. Some are tagged as spam but not all.

The headers of a recent one show that the message is classed as clean:

Received: from [217.45.162.11] by etrn.borusantelekom.com; Wed, 17 Sep 2008 09:17:36 +0000
Message-ID: <01c918a6$39323800$0ba22dd9@ghw>
From: "Lindsey Avila"
Subject: Statement of fees 2008/09
Date: Wed, 17 Sep 2008 09:17:36 +0000
MIME-Version: 1.0
X-welshfamily-MailScanner: Found to be clean
X-welshfamily-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=0.407, required 6, autolearn=disabled, XMAILER_MIMEOLE_OL_4B815 0.41)
X-welshfamily-MailScanner-From: ghw@borashipping.com
X-Spam-Status: No

I'm using clamav and bitdefender but although updated with the latest definitions, it's probably ineffective because it's the free version v7.1.
Running freshclam yields this:

# freshclam
ClamAV update process started at Wed Sep 17 21:41:04 2008
main.cld is up to date (version: 48, sigs: 399264, f-level: 35, builder: sven)
daily.cld is up to date (version: 8272, sigs: 28579, f-level: 35, builder: ccordes)

Here's the version of clam:

# clamscan -V
ClamAV 0.94/8272/Wed Sep 17 21:16:02 2008

I'm running MailScanner version 4.71.10.

I did browse the archive of this list but couldn't find the answer. Any help appreciated.

From ms-list at alexb.ch Wed Sep 17 22:18:48 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Wed Sep 17 22:19:00 2008
Subject: Viruses getting through
In-Reply-To: <200809172053.m8HKrMFo000866@safir.blacknight.ie>
References: <200809172053.m8HKrMFo000866@safir.blacknight.ie>
Message-ID: <48D17438.60106@alexb.ch>

On 9/17/2008 10:53 PM, Paul Welsh wrote:
> For the past few weeks I've had viruses getting through - the pesky ones
> that claim to be flight confirmations, bank statements or some such with
> small .zip files attached. I'm sure you know about them. Some are tagged
> as spam but not all.

What Linux/Unix and MTA flavours are you using on that box?

Thanks

Alex

> The headers of a recent one show that the message is classed as clean:
>
> Received: from [217.45.162.11] by etrn.borusantelekom.com; Wed, 17 Sep 2008
> 09:17:36 +0000
> Message-ID: <01c918a6$39323800$0ba22dd9@ghw>
> From: "Lindsey Avila"
> Subject: Statement of fees 2008/09
> Date: Wed, 17 Sep 2008 09:17:36 +0000
> MIME-Version: 1.0
> X-welshfamily-MailScanner: Found to be clean
> X-welshfamily-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
> score=0.407, required 6, autolearn=disabled,
> XMAILER_MIMEOLE_OL_4B815 0.41)
> X-welshfamily-MailScanner-From: ghw@borashipping.com
> X-Spam-Status: No
>
> I'm using clamav and bitdefender but although updated with the latest
> definitions, it's probably ineffective because it's the free version v7.1.
> Running freshclam yields this:
>
> # freshclam
> ClamAV update process started at Wed Sep 17 21:41:04 2008
> main.cld is up to date (version: 48, sigs: 399264, f-level: 35, builder:
> sven)
> daily.cld is up to date (version: 8272, sigs: 28579, f-level: 35, builder:
> ccordes)
>
> Here's the version of clam:
> # clamscan -V
> ClamAV 0.94/8272/Wed Sep 17 21:16:02 2008
>
> I'm running MailScanner version 4.71.10.
>
> I did browse the archive of this list but couldn't find the answer. Any
> help appreciated.
>

From paul at welshfamily.com Wed Sep 17 22:54:20 2008
From: paul at welshfamily.com (Paul Welsh)
Date: Wed Sep 17 22:54:43 2008
Subject: Viruses getting through
In-Reply-To: <200805311100.m4VB0MpV017805@safir.blacknight.ie>
Message-ID: <200809172154.m8HLsZbb003542@safir.blacknight.ie>

> -----Original Message-----
> From: Alex Broens alexb.ch>
> Subject: Re: Viruses getting through

> What Linux/Unix and MTA flavours are you using on that box?

Hi Alex

I'm running CentOS release 4.7 and Exim 4.60.

From ms-list at alexb.ch Wed Sep 17 23:11:02 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Wed Sep 17 23:11:13 2008
Subject: Viruses getting through
In-Reply-To: <200809172154.m8HLsZbb003542@safir.blacknight.ie>
References: <200809172154.m8HLsZbb003542@safir.blacknight.ie>
Message-ID: <48D18076.5050703@alexb.ch>

On 9/17/2008 11:54 PM, Paul Welsh wrote:
>> -----Original Message-----
>> From: Alex Broens alexb.ch>
>> Subject: Re: Viruses getting through
>
>> What Linux/Unix and MTA flavours are you using on that box?
>
> Hi Alex
>
> I'm running CentOS release 4.7 and Exim 4.60.

Hi Paul

Thanks for the info.

Pls watch it after the next ClamAV version upgrade.... If it's still happening, Jules may be interested...
Alex

From hvdkooij at vanderkooij.org Thu Sep 18 00:04:10 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Thu Sep 18 00:04:20 2008
Subject: OT: awstats on yum repository
In-Reply-To:
References: <48C6E93D.6030906@vanderkooij.org>
Message-ID: <48D18CEA.9070801@vanderkooij.org>

Scott Silva wrote:
> on 9-9-2008 2:23 PM Hugo van der Kooij spake the following:
>> Hi,
>>
>> I added some statistics specifically to track MailScanner downloads. For
>> that I added the following lines to my awstats config:
>>
> Just for fun I took a look and I get a 403 error.

I published some stats to public static pages. They should get updated each hour.

http://yum.vanderkooij.org/stats-1.html
MailScanner downloads by architecture

http://yum.vanderkooij.org/stats-2.html
MailScanner wrapper downloads by architecture

http://yum.vanderkooij.org/stats-3.html
MailScanner downloads by version

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

From ssilva at sgvwater.com Thu Sep 18 00:21:06 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Sep 18 00:21:42 2008
Subject: OT: awstats on yum repository
In-Reply-To: <48C8B441.3040202@vanderkooij.org>
References: <48C6E93D.6030906@vanderkooij.org> <48C82E12.7070806@vanderkooij.org> <48C8B441.3040202@vanderkooij.org>
Message-ID:

on 9-10-2008 11:01 PM Hugo van