From paul.hutchings at mira.co.uk Mon Sep 1 08:37:42 2008
From: paul.hutchings at mira.co.uk (Paul Hutchings)
Date: Mon Sep 1 08:37:58 2008
Subject: virus detection reporting wrong scanner
References: <48BA9848.3030402@ecs.soton.ac.uk>
Message-ID:

Still appears to be happening.

All I did was download the beta and run the usual ./install.sh -
presumably that would overwrite the manual change I made a week or so
back to handle the changed vba32 output?

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field
Sent: 31 August 2008 14:11
To: MailScanner discussion
Subject: Re: virus detection reporting wrong scanner

Please try this with the latest beta (4.71.9) and let me know if it
still recurs.

Paul Hutchings wrote:
> I'm using clamd, avg and vba32.
>
> In maillog, I see the following:
>
> Aug 31 02:11:56 relay MailScanner[22637]: Virus Scanning: vba32 found 1
> infections
> Aug 31 02:11:56 relay MailScanner[22637]: Infected message
> C5B321FC55.019F5 came from 217.76.130.123
> Aug 31 02:11:56 relay MailScanner[22637]: Virus Scanning: Found 1
> viruses
> Aug 31 02:11:56 relay MailScanner[22637]: Virus Scanning completed at
> 1731 bytes per second
>
> In the report I see this:
>
> The following e-mails were found to have: Virus Detected
>
> Sender: skatemurcia.com@llgc793.servidoresdns.net
> IP Address: 217.76.130.123
> Recipient: someone@ourdomain.com
> Subject: Security Message - Important System Notification.
> MessageID: C5B321FC55.019F5
> Quarantine:
> Report: Clamd: msg-22637-48.html was infected:
> HTML.Phishing.Bank-1248
>
> Any suggestions? I know last week I had to modify one of the
> MailScanner files to deal with the way that vba32 output changed since
> the last MailScanner release.
>
> Lint output:
>
> Trying to setlogsock(unix)
> Read 850 hostnames from the phishing whitelist
> Read 5262 hostnames from the phishing blacklist
> Checking version numbers...
> Version number in MailScanner.conf (4.70.7) is correct.
>
> Your envelope_sender_header in spam.assassin.prefs.conf is correct.
> MailScanner setting GID to (89)
> MailScanner setting UID to (89)
>
> Checking for SpamAssassin errors (if you use it)...
> SpamAssassin temporary working directory is
> /var/spool/MailScanner/incoming/SpamAssassin-Temp
> SpamAssassin temp dir =
> /var/spool/MailScanner/incoming/SpamAssassin-Temp
> Using SpamAssassin results cache
> Connected to SpamAssassin cache database
> SpamAssassin reported no errors.
> I have found clamd avg vba32 scanners installed, and will use them all
> by default.
> Using locktype = posix
> MailScanner.conf says "Virus Scanners = auto"
> Found these virus scanners installed: clamd, vba32, avg
> ========================================================================
> ===
> Virus and Content Scanning: Starting
> ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
> Virus Scanning: Clamd found 1 infections
> Avg: Virus identified EICAR_Test in eicar.com
> Virus Scanning: Avg found 1 infections
> /var/spool/MailScanner/incoming/23308/1/eicar.com : infected
> EICAR-Test-File
> Virus Scanning: vba32 found 1 infections
> Infected message 1 came from 10.1.1.1
> Virus Scanning: Found 1 viruses
> ========================================================================
> ===
> Virus Scanner test reports:
> Clamd said "eicar.com was infected: Eicar-Test-Signature"
> Avg said "Found virus EICAR_Test in file eicar.com"
> vba32 said "Found virus EICAR-Test-File in eicar.com"
>
> If any of your virus scanners (clamd,vba32,avg)
> are not listed there, you should check that they are installed correctly
> and that MailScanner is finding them correctly via its
> virus.scanners.conf.
>
> Cheers,
> Paul
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

--
MIRA Ltd

Watling Street, Nuneaton, Warwickshire, CV10 0TU, England.

Registered in England and Wales No. 402570
VAT Registration GB 114 5409 96

The contents of this e-mail are confidential and are solely for the use
of the intended recipient. If you receive this e-mail in error, please
delete it and notify us either by e-mail, telephone or fax. You should
not copy, forward or otherwise disclose the content of the e-mail as
this is prohibited.

From cazahenha at hotmail.com Mon Sep 1 10:09:10 2008
From: cazahenha at hotmail.com (Caza Henha)
Date: Mon Sep 1 10:09:21 2008
Subject: Rules with IP addresses
Message-ID:

Hi,

I have recently installed Mailscanner with Postfix and MailWatch and it
seems over the last week the system is running great, however I am now
getting requests to tweak the default rules that I have from various
users in different departments. I have been trying to delve into the
nitty-gritty of the rules and understand the principles and they do not
seem very complicated and when looking at some examples on the Wiki
things shouldn't be too difficult.

Consequently I have noticed a number of examples have IP addresses in
the From section of the rules and I was just wondering where this IP
address was coming from and what it can actually be as I cannot seem to
find any documentation on it. For example is this IP address (or the
RegEx of one) the connecting smtp server (or any smtp server that the
mail has passed through), client address, MX address of the sending
domain etc or any combination of all the previous?

Also can this be used in a "To" configuration, the reason I ask is that
essentially we have four internal smtp servers which does sound like we
process a lot of mail but they are basically queues for our application
servers. Due to the current "trial" policy all spam is being marked and
delivered and sorted at the client software, however we have a trouble
ticket application that is currently getting lots of spam and because it
sends out confirmation receipts etc we are getting bounces that are
filling the queues.

Although easy, I don't necessarily wish to have loads of "To" rules with
the individual addresses of the trouble ticket system so I was wondering
whether I could have the IP address (or even better the FQDN) of the
forwarding SMTP server in the To rule, something like the following:

spam.rules
To: ticketing.example.com delete // Ticketing SMTP server
To: exchange.example.com store // Exchange server
FromOrTo: default deliver

Is the above possible? If not is the following,

To: 192.168.15.1 delete // Ticketing SMTP server
To: 192.168.15.2 store // Exchange server
FromOrTo: default deliver

Kind Regards,

Caza

From MailScanner at ecs.soton.ac.uk Mon Sep 1 12:20:19 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Sep 1 12:20:42 2008
Subject: virus detection reporting wrong scanner
In-Reply-To:
References: <48BA9848.3030402@ecs.soton.ac.uk>
Message-ID: <48BBCFF3.2000003@ecs.soton.ac.uk>

The report is definitely coming from ClamAV (clamav, clamavmodule or
clamd) as the HTML.Phishing.Bank-.... is in their style.
Are you sure you're not looking at a different report from the message?
What does "MailScanner --lint" say about this?

Paul Hutchings wrote:
> Still appears to be happening.
>
> All I did was download the beta and run the usual ./install.sh -
> presumably that would overwrite the manual change I made a week or so
> back to handle the changed vba32 output?
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian
> Field
> Sent: 31 August 2008 14:11
> To: MailScanner discussion
> Subject: Re: virus detection reporting wrong scanner
>
> Please try this with the latest beta (4.71.9) and let me know if it
> still recurs.
>
> Jules
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From MailScanner at ecs.soton.ac.uk Mon Sep 1 12:22:45 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Sep 1 12:23:06 2008
Subject: Rules with IP addresses
In-Reply-To:
References:
Message-ID: <48BBD085.4060603@ecs.soton.ac.uk>

Caza Henha wrote:
>
> Hi,
>
> I have recently installed Mailscanner with Postfix and MailWatch and
> it seems over the last week the system is running great, however I am
> now getting requests to tweak the default rules that I have from
> various users in different departments. I have been trying to delve
> into the nitty-gritty of the rules and understand the principles and
> they do not seem very complicated and when looking at some examples on
> the Wiki things shouldn't be too difficult.
>
> Consequently I have noticed a number of examples have IP addresses in
> the From section of the rules and I was just wondering where this IP
> address was coming from and what it can actually be as I cannot seem
> to find any documentation on it. For example is this IP address (or
> the RegEx of one) the connecting smtp server (or any smtp server that
> the mail has passed through), client address, MX address of the
> sending domain etc or any combination of all the previous?

It is the IP address of the machine that was the client end of the SMTP
connection to the server. So in the case of a customer-facing SMTP
server, it will be the customer's client IP address. In the case of an
MX it would be the IP address of the SMTP server talking to you.

>
> Also can this be used in a "To" configuration,

No. Due to the way mail delivery works, you don't know the IP address of
the destination until you have already started sending the message.
Can't be done.

Jules

From support-lists at petdoctors.co.uk Mon Sep 1 12:57:55 2008
From: support-lists at petdoctors.co.uk (Nigel Kendrick)
Date: Mon Sep 1 12:58:18 2008
Subject: ClamAV error: Invalid function CL_SCAN_PHISHING_DOMAINLIST
In-Reply-To: <48A58280.4030001@ecs.soton.ac.uk>
References: <48A58280.4030001@ecs.soton.ac.uk>
Message-ID:

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field
Sent: Friday, August 15, 2008 2:20 PM
To: MailScanner discussion
Subject: Re: ClamAV error: Invalid function CL_SCAN_PHISHING_DOMAINLIST

Nigel Kendrick wrote:
> Just noticed ClamAV throwing the following error into Maillog:
>
> Aug 15 13:17:39 woking MailScanner[6082]: Commercial virus checker failed
> with real error: Invalid function CL_SCAN_PHISHING_DOMAINLIST at
> /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/Mail/ClamAV.pm line
> 120.
>
> I have re-installed using Jules' ClamAV/SpamAssassin bundle, done a
> freshclam and restarted MailScanner and still getting the same. Can't find
> much in the way of notes about this...!?
>
Did the "make test" phase of building the Mail::ClamAV module succeed?

Jules

Hi Jules,

Just back from holiday and picking this one up. Yes, the "make test" runs
fine.

I have come across this comment but not sure what to make of it (or what to
do)...

http://kobesearch.cpan.org/htdocs/Mail-ClamAV/Mail/ClamAV.pm.html#CL_SCAN_PHISHING_DOMAINLIST

"CL_SCAN_PHISHING_DOMAINLIST

With a minor version bump clamav development team removed this and broke
backwards compatibility, so it is no longer supported in this module as of
0.22."

That's the version (0.22) of Mail::ClamAV I am running on the affected
server - but it's also that version on servers working OK?

Confused!?

From paul.hutchings at mira.co.uk Mon Sep 1 14:02:41 2008
From: paul.hutchings at mira.co.uk (Paul Hutchings)
Date: Mon Sep 1 14:02:59 2008
Subject: virus detection reporting wrong scanner
References: <48BA9848.3030402@ecs.soton.ac.uk> <48BBCFF3.2000003@ecs.soton.ac.uk>
Message-ID:

The lint seems to check out just fine.

Maybe my understanding is wrong, but I thought that if multiple engines
caught a virus in a message it listed that multiple engines had detected
something in the report that's sent to postmaster (or wherever) - all I
know is I have an entry in maillog by vba32 saying it detected a virus,
at the same time an email was deleted and a report sent to postmaster
saying it was because clam32 had detected a virus - yet there's no
report in the postmaster mailbox that mentions vba32.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field
Sent: 01 September 2008 12:20
To: MailScanner discussion
Subject: Re: virus detection reporting wrong scanner

The report is definitely coming from ClamAV (clamav, clamavmodule or
clamd) as the HTML.Phishing.Bank-.... is in their style.
Are you sure you're not looking at a different report from the message?
What does "MailScanner --lint" say about this?

Paul Hutchings wrote:
> Still appears to be happening.
>
> All I did was download the beta and run the usual ./install.sh -
> presumably that would overwrite the manual change I made a week or so
> back to handle the changed vba32 output?
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian
> Field
> Sent: 31 August 2008 14:11
> To: MailScanner discussion
> Subject: Re: virus detection reporting wrong scanner
>
> Please try this with the latest beta (4.71.9) and let me know if it
> still recurs.
>
> Jules
>

Jules

From MailScanner at ecs.soton.ac.uk Mon Sep 1 14:07:44 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Sep 1 14:08:06 2008
Subject: ClamAV error: Invalid function CL_SCAN_PHISHING_DOMAINLIST
In-Reply-To:
References: <48A58280.4030001@ecs.soton.ac.uk>
Message-ID: <48BBE920.1010605@ecs.soton.ac.uk>

Nigel Kendrick wrote:
>
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian
> Field
> Sent: Friday, August 15, 2008 2:20 PM
> To: MailScanner discussion
> Subject: Re: ClamAV error: Invalid function CL_SCAN_PHISHING_DOMAINLIST
>
> Nigel Kendrick wrote:
>> Just noticed ClamAV throwing the following error into Maillog:
>>
>> Aug 15 13:17:39 woking MailScanner[6082]: Commercial virus checker failed
>> with real error: Invalid function CL_SCAN_PHISHING_DOMAINLIST at
>> /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/Mail/ClamAV.pm line
>> 120.
>>
>> I have re-installed using Jules' ClamAV/SpamAssassin bundle, done a
>> freshclam and restarted MailScanner and still getting the same. Can't find
>> much in the way of notes about this...!?
>>
> Did the "make test" phase of building the Mail::ClamAV module succeed?
>
> Jules
>
> Hi Jules,
>
> Just back from holiday and picking this one up. Yes, the "make test" runs
> fine.
>
> I have come across this comment but not sure what to make of it (or what to
> do)...
>
> http://kobesearch.cpan.org/htdocs/Mail-ClamAV/Mail/ClamAV.pm.html#CL_SCAN_PHISHING_DOMAINLIST
>
> "CL_SCAN_PHISHING_DOMAINLIST
>
> With a minor version bump clamav development team removed this and broke
> backwards compatibility, so it is no longer supported in this module as of
> 0.22."
>
> That's the version (0.22) of Mail::ClamAV I am running on the affected
> server - but it's also that version on servers working OK?
>
> Confused!?
>
I removed the mention of CL_SCAN_PHISHING_DOMAINLIST some time ago, it's
certainly not in the latest version.

Jules

From MailScanner at ecs.soton.ac.uk Mon Sep 1 14:36:08 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Sep 1 14:36:30 2008
Subject: MailScanner ANNOUNCE: 4.71 stable released
Message-ID: <48BBEFC8.2060500@ecs.soton.ac.uk>

Hi folks!

I have just released a new stable version of MailScanner, version 4.71.

The main changes this month are:

- If a message contains a *.doc document, a new attachment can be added
  containing the text of the document. This will save your users from
  having to save the attachment, potentially switch operating systems,
  and open up Microsoft Word or OpenOffice just to read the words in the
  document. My users absolutely *love* this feature, it saves them a
  huge amount of time and hassle when memos are circulated by the
  management. See the "Add Text Of Doc" setting in MailScanner.conf for
  more details of how to configure this.
- Updated support for Esets and F-Secure virus scanners.
- Thanks to F-Secure for donating me a set of server licences so I can
  always be sure that I am supporting the latest versions of their
  products. Much appreciated!
- One for Fetchmail users: used together with the "--invisible" option
  to fetchmail, MailScanner will correctly use the IP address of the
  connecting SMTP client, and not "localhost" or "127.0.0.1" for the IP
  address in rulesets.
- Added protection against denial-of-service attacks on the HTML text
  parser Perl module. There is a message involving thousands of tags in
  circulation which breaks previous versions of MailScanner when they
  try to analyse the HTML of the email message. This is in no way an
  attack on MailScanner, but on the underlying HTML::Parser Perl module.
- Improved support of DSN messages from bigfoot.com which incorrectly
  use the "message/partial" MIME identifier.

Download it all as usual from www.mailscanner.info.

The full Change Log is here:

* New Features and Improvements *
1 Upgraded from File::Temp 0.19 to File::Temp 0.20 to resolve
  installation problem reported with Fedora Core 8 systems.
2 New Feature: We can now extract the plain text of Microsoft Word (up
  to 2004) documents in the *.doc format, and add it as new attachments
  to a message. This is done using the "antiword" program available from
  http://www.winfield.demon.nl/. There are 3 new configuration settings
  for this feature:
  "Add Text Of Doc" - This switches the feature on and off. Off by
  default.
  "Antiword" - Full command to run the antiword binary. Adding "-f" to
  it makes it highlight emphasized text in the output, which I find
  helps.
  "Antiword Timeout" - The greatest length of time antiword is allowed
  to run.
3 Improvement to phishing net, now correctly ignores ':80' in http URLs.
3 Implemented support for Esets version 3.
4 Implemented support for F-Secure 7.01.
5 Added protection against attacks on the HTML text parser (Perl module
  HTML::Parser) which is used to analyse HTML messages for dangerous
  tags. There is a message in circulation that breaks this, causing Perl
  to trigger a "Segmentation Fault". This protection is necessary, but
  may have an impact on the performance of MailScanner. Until the Perl
  module is fixed, however, this is very necessary protection for your
  email systems.
7 Added new option "Read IP Address From Received Header" which you can
  set to yes if you are running fetchmail and injecting mail from
  fetchmail into your MTA using SMTP. You need to set the "--invisible"
  option to fetchmail as well to stop it adding its own "Received:"
  header. See the "Advanced" section of MailScanner.conf for more info
  on this.
8 Added new rules to filename.rules.conf to allow for days of the week
  and months in filenames like my_document.july.doc so they aren't
  caught by the double filename extension trap.
8 Improved error notification if your permissions on /tmp are all wrong.
  It now tells you exactly what to type to fix them.
8 Improved VBA32 output parser to handle slightly different new output
  format.
8 Improved 'partial message' handling to only remove the partial-message
  section of the message, and not the whole thing. This is particularly
  relevant to DSNs from bigfoot.com
10 Improved F-Secure scanning within executables.

* Fixes *
3 Improvement to "Sign Clean Messages" so the signature now appears
  where it should, above any tag as well as above any tag.
6 Fix to Exim support to allow for arbitrarily-named Exim ACLs. Fix
  kindly provided by dominik.schramm@businessmart.de.
6 Fix for missing watermarks, courtesy of Lasantha Marian.
7 Fix for case when Rebuild Bayes Every = 0 and Bayes is still rebuilt.
7 TNEF attachments will be added with correct filenames when TNEF
  Expander = internal. It was erroneously adding them with their "safe"
  filenames.
9 Removed a load of extra debug output code.
9 "Partial messages" are now quarantined correctly.
10 Removed duplicate warning output when "Virus Scanners = none".

Jules

From support-lists at petdoctors.co.uk Mon Sep 1 15:53:07 2008
From: support-lists at petdoctors.co.uk (Nigel Kendrick)
Date: Mon Sep 1 15:53:32 2008
Subject: ClamAV error: Invalid function CL_SCAN_PHISHING_DOMAINLIST
In-Reply-To: <48BBE920.1010605@ecs.soton.ac.uk>
References: <48A58280.4030001@ecs.soton.ac.uk> <48BBE920.1010605@ecs.soton.ac.uk>
Message-ID:

> Confused!?
>
I removed the mention of CL_SCAN_PHISHING_DOMAINLIST some time ago, it's
certainly not in the latest version.

Jules

Hi Jules,

I've just installed 4.71.10 and that's fixed it.

Thanks

Nigel

From rwahyudi at gmail.com Mon Sep 1 17:22:29 2008
From: rwahyudi at gmail.com (R Wahyudi) Date: Mon Sep 1 17:22:53 2008 Subject: mailscanner in ISP In-Reply-To: References: <200808071101.m77B0QSC001902@safir.blacknight.ie> <1218189154.1886.79.camel@darkstar.netcore.co.in> Message-ID: <48BC16C5.90809@gmail.com> Scott Silva wrote: > on 8-8-2008 2:52 AM ram spake the following: >> On Thu, 2008-08-07 at 15:06 +0100, Paulo Roncon wrote: >>> Hello all, >>> >>> I work in a ISP and we want to install mailscanner to stop OUTBOUND >>> spam as its becoming a bottleneck... >>> I dont have any network metrics, as the guy in charge in out. I'm >>> thinking 1000000 plus messages/day. >>> >>> Questions: >>> -Anyone has ideias of the kind of HW solution nedeed? Use dedicated outgoing mail servers that handle just outgoing mail - dont mix outgoing with incomming mail server. I would go with clusters of less powerfull hardware and do load balancing instead of having just one or two powerfull hardware. This will provide high availability and allows you to stop server that saturated with spam without affecting your service. >>> -OUTBOUND filtering: Its gonna be *->*. Do you see any problems block all outgoing port 25 except to your mail server and ask user to use SMTP auth if they want to connect to external mail. This will reduce A LOT of spam coming out of your user. Most worms send email directly to the internet from the infected host. I've written auto-blacklist that will block IP address that send more than 4 spam/virus within 5 minutes, ban the IP for 30 minutes, and automatically remove it after 30 minutes. If users get blocked they will get SMTP error message which redirect them to a website where they can see the reason they get blocked and also display offending email header as evidence.. and at the same time allows you to upsell your security product. 
You can view the rough example here:
http://mailwatch.sourceforge.net/doku.php?id=mailwatch:tipandtricks:postfix_auto_blacklist

Tips configuring lightweight SA for outgoing mail:
- Remove most of the body checking & reverse IP checking .. most of the time they give false positives and this will speed up SA
- Skip bayes
- Use Surbl and increase its scoring highly ..
- Do not use dynamic IP blacklists - most of your users will be on dynamic IPs
- Use razor/pyzor and dcc & increase their score

MTA tips:
- Rate limit is a must - try policyd if you use postfix
- Monitor your deferred queue, set up nagios to beep if you see a spike

Regards,
Rianto Wahyudi

From cazahenha at hotmail.com Mon Sep 1 18:26:43 2008
From: cazahenha at hotmail.com (Caza Henha)
Date: Mon Sep 1 18:26:54 2008
Subject: Rules with IP addresses
In-Reply-To: <48BBD085.4060603@ecs.soton.ac.uk>
References: <48BBD085.4060603@ecs.soton.ac.uk>
Message-ID:

Hi Jules,

Thanks for the answer, I presumed that would be the case, but I was thinking that as our postfix configuration has transport maps it does actually know before sending the mail to our application server what the destination IP address is.

Does this mean then that something like the following would be necessary:

To: support@example.com store //Ticketing server
To: issues@example.com store //Ticketing server
....
To: application1@example.com delete //App Server 1
To: application2@example.com store //App Server 2
...
To: user@example.com delete //Exchange server
To: user@example.com delete //Exchange server
.....
FromOrTo: default deliver //Public Mail server

Bearing in mind that there are 1000s of different email address permutations going to the app servers (writing a script to create the rules is easy) would there be any performance problems with Mailscanner reading these files?

Also when using an IP address in the "From" could you direct me to information from the question below:

> > Consequently I have noticed a number of examples have IP addresses in
> > the From section of the rules and I was just wondering where this IP
> > address was coming from and what it can actually be as I cannot seem
> > to find any documentation on it. For example is this IP address (or
> > the RegEx of one) the connecting smtp server (or any smtp server that
> > the mail has passed through), client address, MX address of the
> > sending domain etc or any combination of all the previous?

Regards,

Caza

> Date: Mon, 1 Sep 2008 12:22:45 +0100
> From: MailScanner@ecs.soton.ac.uk
> To: mailscanner@lists.mailscanner.info
> Subject: Re: Rules with IP addresses
>
> Caza Henha wrote:
> > Hi,
> >
> > I have recently installed Mailscanner with Postfix and MailWatch and it seems over the last week the system is running great, however I am now getting requests to tweak the default rules that I have from various users in different departments. I have been trying to delve into the nitty-gritty of the rules and understand the principles and they do not seem very complicated and when looking at some examples on the Wiki things shouldn't be too difficult.
> >
> > Consequently I have noticed a number of examples have IP addresses in the From section of the rules and I was just wondering where this IP address was coming from and what it can actually be as I cannot seem to find any documentation on it. For example is this IP address (or the RegEx of one) the connecting smtp server (or any smtp server that the mail has passed through), client address, MX address of the sending domain etc or any combination of all the previous?
>
> It is the IP address of the machine that was the client end of the SMTP connection to the server. So in the case of a customer-facing SMTP server, it will be the customer's client IP address. In the case of an MX it would be the IP address of the SMTP server talking to you.
>
> > Also can this be used in a "To" configuration,
>
> No. Due to the way mail delivery works, you don't know the IP address of the destination until you have already started sending the message.
> Can't be done.
>
> Jules
>
> --
> Julian Field MEng CITP CEng
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> Need help customising MailScanner?
> Contact me!
> Need help fixing or optimising your systems?
> Contact me!
> Need help getting you started solving new requirements from your boss?
> Contact me!
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From hvdkooij at vanderkooij.org Mon Sep 1 22:02:57 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Mon Sep 1 22:03:09 2008
Subject: MailScanner ANNOUNCE: 4.71 stable released
In-Reply-To: <48BBEFC8.2060500@ecs.soton.ac.uk>
References: <48BBEFC8.2060500@ecs.soton.ac.uk>
Message-ID: <48BC5881.8010604@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Julian Field wrote:
> Hi folks!
>
> I have just released a new stable version of MailScanner, version 4.71.

I managed to update the yum repository. Things did not break down for me so I hope they will not do so for you either.

I have not yet added anything to help you update the configuration. I think I will need to sleep on that a bit more before I give it a shot.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFIvFh/BvzDRVjxmYERAhcnAJ9Frg/gZwkjlCm8pLUyAu2vVzpWmACgoIks
f3uWGmpkpGRcZ+/DwwmSx8I=
=1PP5
-----END PGP SIGNATURE-----

From Jeff.Mills at versacold.com.au Mon Sep 1 23:32:39 2008
From: Jeff.Mills at versacold.com.au (Jeff Mills)
Date: Mon Sep 1 23:32:51 2008
Subject: virus detection reporting wrong scanner
In-Reply-To:
References: <48BA9848.3030402@ecs.soton.ac.uk> <48BBCFF3.2000003@ecs.soton.ac.uk>
Message-ID:

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Paul Hutchings
> Sent: Monday, 1 September 2008 11:03 PM
> To: MailScanner discussion
> Subject: RE: virus detection reporting wrong scanner
>
> The lint seems to check out just fine. Maybe my understanding is wrong, but I thought that if multiple engines caught a virus in a message it listed that multiple engines had detected something in the report that's sent to postmaster (or wherever) - all I know is I have an entry in maillog by vba32 saying it detected a virus, at the same time an email was deleted and a report sent to postmaster saying it was because clam32 had detected a virus - yet there's no report in the postmaster mailbox that mentions vba32.
>

I have a similar issue, but have never bothered with it.
Clamav finds a virus, and MailScanner reports that F-Prot and Bitdefender find it too.

Sep 2 03:16:53 sam MailScanner[8070]: Clamd::INFECTED:: Email.Spam.Gen3737.Sanesecurity.08072802.StormSpam FOUND :: ./8C34AD3E132.E90B8/
Sep 2 03:16:53 sam MailScanner[8070]: Virus Scanning: Clamd found 1 infections
Sep 2 03:16:53 sam MailScanner[8070]: Virus Scanning: F-Prot found 1 infections
Sep 2 03:16:53 sam MailScanner[8070]: Virus Scanning: Bitdefender found 1 infections
Sep 2 03:16:53 sam MailScanner[8070]: Infected message 8C34AD3E132.E90B8 came from 88.243.8.69
Sep 2 03:16:53 sam MailScanner[8070]: Virus Scanning: Found 1 viruses
Sep 2 03:16:53 sam MailScanner[8070]: Virus Scanning completed at 3371 bytes per second
Sep 2 03:16:53 sam MailScanner[8070]: Viruses marked as silent: Clamd: message was infected:

From ismail at ismailozatay.net Tue Sep 2 06:16:48 2008
From: ismail at ismailozatay.net (I.smail ÖZATAY)
Date: Tue Sep 2 06:17:12 2008
Subject: MailScanner ANNOUNCE: 4.71 stable released
In-Reply-To: <48BBEFD0.7080507@ecs.soton.ac.uk>
References: <48BBEFD0.7080507@ecs.soton.ac.uk>
Message-ID: <48BCCC40.4030700@ismailozatay.net>

Julian Field wrote:
> Hi folks!
>
> I have just released a new stable version of MailScanner, version 4.71.
>
> The main changes this month are:
>
> - If a message contains a *.doc document, a new attachment can be added containing the text of the document. This will save your users from having to save the attachment, potentially switch operating systems, and open up Microsoft Word or OpenOffice just to read the words in the document. My users absolutely *love* this feature, it saves them a huge amount of time and hassle when memos are circulated by the management. See the "Add Text Of Doc" setting in MailScanner.conf for more details of how to configure this.
> - Updated support for Esets and F-Secure virus scanners.
> - Thanks to F-Secure for donating me a set of server licences so I can always be sure that I am supporting the latest versions of their products. Much appreciated!
> - One for Fetchmail users: used together with the "--invisible" option to fetchmail, MailScanner will correctly use the IP address of the connecting SMTP client, and not "localhost" or "127.0.0.1" for the IP address in rulesets.
> - Added protection against denial-of-service attacks on the HTML text parser Perl module. There is a message involving thousands of  tags in circulation which breaks previous versions of MailScanner when they try to analyse the HTML of the email message. This is in no way an attack on MailScanner, but on the underlying HTML::Parser Perl module.
> - Improved support of DSN messages from bigfoot.com which incorrectly use the "message/partial" MIME identifier.
>
> Download it all as usual from www.mailscanner.info.
>
> The full Change Log is here:
>
> * New Features and Improvements *
> 1 Upgraded from File::Temp 0.19 to File::Temp 0.20 to resolve installation problem reported with Fedora Core 8 systems.
> 2 New Feature: We can now extract the plain text of Microsoft Word (up to 2004) documents in the *.doc format, and add it as new attachments to a message. This is done using the "antiword" program available from http://www.winfield.demon.nl/. There are 3 new configuration settings for this feature:
>   "Add Text Of Doc" - This switches the feature on and off. Off by default.
>   "Antiword" - Full command to run the antiword binary. Adding "-f" to it makes it highlight emphasized text in the output, which I find helps.
>   "Antiword Timeout" - The greatest length of time antiword is allowed to run.
> 3 Improvement to phishing net, now correctly ignores ':80' in http URLs.
> 3 Implemented support for Esets version 3.
> 4 Implemented support for F-Secure 7.01.
> 5 Added protection against attacks on the HTML text parser (Perl module HTML::Parser) which is used to analyse HTML messages for dangerous tags. There is a message in circulation that breaks this, causing Perl to trigger a "Segmentation Fault". This protection is necessary, but may have an impact on the performance of MailScanner. Until the Perl module is fixed, however, this is very necessary protection for your email systems.
> 7 Added new option "Read IP Address From Received Header" which you can set to yes if you are running fetchmail and injecting mail from fetchmail into your MTA using SMTP. You need to set the "--invisible" option to fetchmail as well to stop it adding its own "Received:" header. See the "Advanced" section of MailScanner.conf for more info on this.
> 8 Added new rules to filename.rules.conf to allow for days of the week and months in filenames like my_document.july.doc so they aren't caught by the double filename extension trap.
> 8 Improved error notification if your permissions on /tmp are all wrong. It now tells you exactly what to type to fix them.
> 8 Improved VBA32 output parser to handle slightly different new output format.
> 8 Improved 'partial message' handling to only remove the partial-message section of the message, and not the whole thing. This is particularly relevant to DSNs from bigfoot.com
> 10 Improved F-Secure scanning within executables.
>
> * Fixes *
> 3 Improvement to "Sign Clean Messages" so the signature now appears where it should, above any  tag as well as above any  tag.
> 6 Fix to Exim support to allow for arbitrarily-named Exim ACLs. Fix kindly provided by dominik.schramm@businessmart.de.
> 6 Fix for missing watermarks, courtesy of Lasantha Marian.
> 7 Fix for case when Rebuild Bayes Every = 0 and Bayes is still rebuilt.
> 7 TNEF attachments will be added with correct filenames when TNEF Expander = internal. It was erroneously adding them with their "safe" filenames.
> 9 Removed a load of extra debug output code.
> 9 "Partial messages" are now quarantined correctly.
> 10 Removed duplicate warning output when "Virus Scanners = none".
>
> Jules
>

Yuppieee ..! I will support you forever Julian...!

Thanks

ismail

From MailScanner at ecs.soton.ac.uk Tue Sep 2 09:00:33 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Sep 2 09:00:58 2008
Subject: Rules with IP addresses
In-Reply-To:
References: <48BBD085.4060603@ecs.soton.ac.uk>
Message-ID: <48BCF2A1.1030001@ecs.soton.ac.uk>

Caza Henha wrote:
> Hi Jules,
>
> Thanks for the answer, I presumed that would be the case, but I was thinking that as our postfix configuration has transport maps it does actually know before sending the mail to our application server what the destination IP address is.

But that is not the general case, and I'm certainly not going to start processing entire Postfix configurations in an attempt to work it out. Sorry :(

> Does this mean then that something like the following would be necessary:
>
> To: support@example.com store //Ticketing server
> To: issues@example.com store //Ticketing server
> ....
> To: application1@example.com delete //App Server 1
> To: application2@example.com store //App Server 2
> ...
> To: user@example.com delete //Exchange server
> To: user@example.com delete //Exchange server
> .....
> FromOrTo: default deliver //Public Mail server
>
> Bearing in mind that there are 1000s of different email address permutations going to the app servers (writing a script to create the rules is easy) would there be any performance problems with Mailscanner reading these files?

I wouldn't advise more than 1000 or so rules in a ruleset file. For anything bigger than that use a Custom Function. I suspect yours could be written as a Custom Function quite easily. Take a look in /usr/lib/MailScanner/MailScanner/CustomFunctions/*.pm and you'll see how to do it. Not hard if you know a bit of Perl.

> Also when using an IP address in the "From" could you direct me to information from the question below:
>
> > > Consequently I have noticed a number of examples have IP addresses in
> > > the From section of the rules and I was just wondering where this IP
> > > address was coming from and what it can actually be as I cannot seem
> > > to find any documentation on it. For example is this IP address (or
> > > the RegEx of one) the connecting smtp server (or any smtp server that
> > > the mail has passed through), client address, MX address of the
> > > sending domain etc or any combination of all the previous?

I answered that in my previous mail, I believe. Here it is again copy-and-pasted from the quote below:

> It is the IP address of the machine that was the client end of the SMTP
> connection to the server. So in the case of a customer-facing SMTP
> server, it will be the customer's client IP address. In the case of an
> MX it would be the IP address of the SMTP server talking to you.

> > > Date: Mon, 1 Sep 2008 12:22:45 +0100

Jules

From MailScanner at ecs.soton.ac.uk Tue Sep 2 09:01:41 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Sep 2 09:02:01 2008
Subject: virus detection reporting wrong scanner
In-Reply-To:
References: <48BA9848.3030402@ecs.soton.ac.uk> <48BBCFF3.2000003@ecs.soton.ac.uk>
Message-ID: <48BCF2E5.3000001@ecs.soton.ac.uk>

Jeff Mills wrote:
>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Paul Hutchings
>> Sent: Monday, 1 September 2008 11:03 PM
>> To: MailScanner discussion
>> Subject: RE: virus detection reporting wrong scanner
>>
>> The lint seems to check out just fine. Maybe my understanding is wrong, but I thought that if multiple engines caught a virus in a message it listed that multiple engines had detected something in the report that's sent to postmaster (or wherever) - all I know is I have an entry in maillog by vba32 saying it detected a virus, at the same time an email was deleted and a report sent to postmaster saying it was because clam32 had detected a virus - yet there's no report in the postmaster mailbox that mentions vba32.
>>
>
> I have a similar issue, but have never bothered with it.
> Clamav finds a virus, and MailScanner reports that F-Prot and Bitdefender find it too.
>

What does your "Virus Scanners =" line say in MailScanner.conf?

> Sep 2 03:16:53 sam MailScanner[8070]: Clamd::INFECTED:: Email.Spam.Gen3737.Sanesecurity.08072802.StormSpam FOUND :: ./8C34AD3E132.E90B8/
> Sep 2 03:16:53 sam MailScanner[8070]: Virus Scanning: Clamd found 1 infections
> Sep 2 03:16:53 sam MailScanner[8070]: Virus Scanning: F-Prot found 1 infections
> Sep 2 03:16:53 sam MailScanner[8070]: Virus Scanning: Bitdefender found 1 infections
> Sep 2 03:16:53 sam MailScanner[8070]: Infected message 8C34AD3E132.E90B8 came from 88.243.8.69
> Sep 2 03:16:53 sam MailScanner[8070]: Virus Scanning: Found 1 viruses
> Sep 2 03:16:53 sam MailScanner[8070]: Virus Scanning completed at 3371 bytes per second
> Sep 2 03:16:53 sam MailScanner[8070]: Viruses marked as silent: Clamd: message was infected:
>

Jules

From gmatt at nerc.ac.uk Tue Sep 2 09:29:30 2008
From: gmatt at nerc.ac.uk (Greg Matthews)
Date: Tue Sep 2 09:30:05 2008
Subject: mailscanner in ISP
In-Reply-To: <48BC16C5.90809@gmail.com>
References: <200808071101.m77B0QSC001902@safir.blacknight.ie> <1218189154.1886.79.camel@darkstar.netcore.co.in> <48BC16C5.90809@gmail.com>
Message-ID: <48BCF96A.2090707@nerc.ac.uk>

R Wahyudi wrote:
> your security product. You can view the rough example here :
> http://mailwatch.sourceforge.net/doku.php?id=mailwatch:tipandtricks:postfix_auto_blacklist

hey that's a pretty good example of making good use of the mailwatch database. That script could quite easily be adapted to sendmail too. Just print the correct foo to /etc/mail/access and a call to makemap. eg

print FILE "connect:$ip ERROR:$reject_message"

where $reject_message is the optional text which could also include your preferred DSN code.

nice

G

--
Greg Matthews 01491 692445
Head of UNIX/Linux, iTSS Wallingford

--
This message (and any attachments) is for the recipient only. NERC is subject to the Freedom of Information Act 2000 and the contents of this email and any reply you make may be disclosed by NERC unless it is exempt from release under the Act. Any material supplied to NERC may be stored in an electronic records management system.

From cazahenha at hotmail.com Tue Sep 2 12:46:55 2008
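The ban rule R Wahyudi describes (more than 4 spam/virus detections within 5 minutes, a 30-minute ban, automatic removal) together with the sendmail access line Greg Matthews suggests, as an added Python sketch that is neither poster's code nor the MailWatch script linked above. The event list, IP addresses, URL and reject text are constructed, and the feed of (client IP, time) detections is assumed to come from wherever MailScanner results are stored.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta


class AutoBlacklist:
    """Ban a client IP that produces MORE than `threshold` spam/virus
    detections inside `window`; the ban lapses by itself after `ban_time`."""

    def __init__(self, threshold=4, window=timedelta(minutes=5),
                 ban_time=timedelta(minutes=30)):
        self.threshold = threshold
        self.window = window
        self.ban_time = ban_time
        self.recent = defaultdict(deque)   # ip -> detection times still in window
        self.banned_until = {}             # ip -> moment the ban lapses

    def expire(self, now):
        """Drop every ban whose lifetime is over."""
        for ip in [i for i, until in self.banned_until.items() if until <= now]:
            del self.banned_until[ip]

    def record(self, ip, when):
        """Feed one detection (in time order). True when it starts a new ban."""
        # The value ends up in an MTA access table, so accept nothing but a
        # plain IPv4 address (raises ValueError otherwise).
        ip = str(ipaddress.IPv4Address(ip))
        self.expire(when)
        if ip in self.banned_until:
            return False                   # already blocked at SMTP time
        hits = self.recent[ip]
        hits.append(when)
        while when - hits[0] > self.window:
            hits.popleft()                 # forget detections older than window
        if len(hits) > self.threshold:
            self.banned_until[ip] = when + self.ban_time
            del self.recent[ip]            # start counting afresh after the ban
            return True
        return False

    def active(self, now):
        self.expire(now)
        return sorted(self.banned_until)


def postfix_access(bl, now, info_url):
    """Postfix access(5) table lines: '<address> REJECT <text>'."""
    return [f"{ip}\tREJECT Blocked for sending spam/virus, see {info_url}?ip={ip}"
            for ip in bl.active(now)]


def sendmail_access(bl, now, reject_message):
    """Lines in the form Greg Matthews gives for /etc/mail/access."""
    return [f"connect:{ip}\tERROR:{reject_message}" for ip in bl.active(now)]


# --- constructed sample data (documentation address ranges) ---
BASE = datetime(2008, 9, 1, 12, 0)


def minutes(n):
    return BASE + timedelta(minutes=n)


SAMPLE_EVENTS = (
    [("192.0.2.10", minutes(m)) for m in (0, 1, 2, 3, 4)]      # 5 in 4 min: banned
    + [("198.51.100.7", minutes(m)) for m in (0, 1, 2, 3)]     # exactly 4: not banned
    + [("203.0.113.5", minutes(m)) for m in (0, 3, 6, 9, 12)]  # 5, but spread out
)


def replay(events):
    """Run detections through a fresh blacklist in chronological order."""
    bl = AutoBlacklist()
    for ip, when in sorted(events, key=lambda e: e[1]):
        bl.record(ip, when)
    return bl


if __name__ == "__main__":
    bl = replay(SAMPLE_EVENTS)
    for line in postfix_access(bl, minutes(10), "http://blocked.example/why"):
        print(line)
    for line in sendmail_access(bl, minutes(10), "5.7.1:550 Blocked, spam/virus"):
        print(line)
    print("bans left at 12:34:", bl.active(minutes(34)))
```

After writing either table the map still has to be rebuilt (postmap for Postfix, makemap for sendmail, as the messages above note), and regenerating it from `active()` on each run is what removes lapsed bans.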
From: cazahenha at hotmail.com (Caza Henha)
Date: Tue Sep 2 12:47:05 2008
Subject: Rules with IP addresses
In-Reply-To: <48BCF2A1.1030001@ecs.soton.ac.uk>
References: <48BBD085.4060603@ecs.soton.ac.uk> <48BCF2A1.1030001@ecs.soton.ac.uk>
Message-ID:

Hi Jules,

I considered that transport maps in postfix was not the general case and was not suggesting that it is something that should be worked into the product, not unless it was specifically warranted. I will look into the CustomFunctions as I do know a bit of Perl and sorry you did answer the question initially, just my eyes not working so good sitting at a screen all day...

Just as a quick question though, does an amendment to a ruleset require a restart of MailScanner?

Regards

Caza

> Date: Tue, 2 Sep 2008 09:00:33 +0100

From alex at rtpty.com Tue Sep 2 12:56:59 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Tue Sep 2 12:57:16 2008
Subject: Rules with IP addresses
In-Reply-To:
References: <48BBD085.4060603@ecs.soton.ac.uk> <48BCF2A1.1030001@ecs.soton.ac.uk>
Message-ID: <4F3F694B-4E3D-4221-9BE2-822D264A0896@rtpty.com>

Reload, I believe, would be sufficient.

Sent from my iPhone

On Sep 2, 2008, at 6:46 AM, Caza Henha wrote:
> Hi Jules,
>
> I considered that transport maps in postfix was not the general case and was not suggesting that it is something that should be worked into the product, not unless it was specifically warranted. I will look into the CustomFunctions as I do know a bit of Perl and sorry you did answer the question initially, just my eyes not working so good sitting at a screen all day...Just as a quick question though, does an amendment to a ruleset require a restart of MailScanner?
>
> Regards
>
> Caza
>
> > Date: Tue, 2 Sep 2008 09:00:33 +0100
From MailScanner at ecs.soton.ac.uk Tue Sep 2 13:47:35 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Sep 2 13:47:58 2008
Subject: Rules with IP addresses
In-Reply-To:
References: <48BBD085.4060603@ecs.soton.ac.uk> <48BCF2A1.1030001@ecs.soton.ac.uk>
Message-ID: <48BD35E7.1010601@ecs.soton.ac.uk>

Caza Henha wrote:
> Hi Jules,
>
> I considered that transport maps in postfix was not the general case
> and was not suggesting that it is something that should be worked into
> the product, not unless it was specifically warranted. I will look
> into the CustomFunctions as I do know a bit of Perl and sorry you did
> answer the question initially, just my eyes not working so good
> sitting at a screen all day... Just as a quick question though, does
> an amendment to a ruleset require a restart of MailScanner?

No, just a "service MailScanner reload" or send a HUP to the master MailScanner process, at which point all the children will commit suicide and be re-spawned by the master.

> Regards
>
> Caza
>
> > Date: Tue, 2 Sep 2008 09:00:33 +0100
> > From: MailScanner@ecs.soton.ac.uk
> > To: mailscanner@lists.mailscanner.info
> > Subject: Re: Rules with IP addresses
> >
> > Caza Henha wrote:
> > > Hi Jules,
> > >
> > > Thanks for the answer, I presumed that would be the case, but I was
> > > thinking that as our postfix configuration has transport maps it does
> > > actually know before sending the mail to our application server what
> > > the destination IP address is.
> > But that is not the general case, and I'm certainly not going to start
> > processing entire Postfix configurations in an attempt to work it out.
> > Sorry :(
> > > Does this mean then that something like the following would be necessary:
> > >
> > > To: support@example.com store //Ticketing server
> > > To: issues@example.com store //Ticketing server
> > > ....
> > > To: application1@example.com delete //App Server 1
> > > To: application2@example.com store //App Server 2
> > > ...
> > > To: user@example.com delete //Exchange server
> > > To: user@example.com delete //Exchange server
> > > .....
> > > FromOrTo: default deliver //Public Mail server
> > >
> > > Bearing in mind that there are 1000s of different email address
> > > permutations going to the app servers (writing a script to create the
> > > rules is easy) would there be any performance problems with
> > > Mailscanner reading these files?
> > I wouldn't advise more than 1000 or so rules in a ruleset file. For
> > anything bigger than that use a Custom Function. I suspect yours could
> > be written as a Custom Function quite easily. Take a look in
> > /usr/lib/MailScanner/MailScanner/CustomFunctions/*.pm and you'll see how
> > to do it. Not hard if you know a bit of Perl.
> > > Also when using an IP address in the "From" could you direct me to
> > > information from the question below:
> > >
> > > > > Consequently I have noticed a number of examples have IP addresses in
> > > > > the From section of the rules and I was just wondering where this IP
> > > > > address was coming from and what it can actually be as I cannot seem
> > > > > to find any documentation on it. For example is this IP address (or
> > > > > the RegEx of one) the connecting smtp server (or any smtp server that
> > > > > the mail has passed through), client address, MX address of the
> > > > > sending domain etc or any combination of all the previous?
> > I answered that in my previous mail, I believe. Here it is again
> > copy-and-pasted from the quote below:
> >
> > > It is the IP address of the machine that was the client end of the SMTP
> > > connection to the server. So in the case of a customer-facing SMTP
> > > server, it will be the customer's client IP address. In the case of an
> > > MX it would be the IP address of the SMTP server talking to you.
> > >
> > > > Date: Mon, 1 Sep 2008 12:22:45 +0100
> > > > From: MailScanner@ecs.soton.ac.uk
> > > > To: mailscanner@lists.mailscanner.info
> > > > Subject: Re: Rules with IP addresses
> > > >
> > > > Caza Henha wrote:
> > > > >
> > > > > Hi,
> > > > >
> > > > > I have recently installed Mailscanner with Postfix and MailWatch and
> > > > > it seems over the last week the system is running great, however I am
> > > > > now getting requests to tweak the default rules that I have from
> > > > > various users in different departments. I have been trying to delve
> > > > > into the nitty-gritty of the rules and understand the principles and
> > > > > they do not seem very complicated and when looking at some examples on
> > > > > the Wiki things shouldn't be too difficult.
> > > > >
> > > > > Consequently I have noticed a number of examples have IP addresses in
> > > > > the From section of the rules and I was just wondering where this IP
> > > > > address was coming from and what it can actually be as I cannot seem
> > > > > to find any documentation on it. For example is this IP address (or
> > > > > the RegEx of one) the connecting smtp server (or any smtp server that
> > > > > the mail has passed through), client address, MX address of the
> > > > > sending domain etc or any combination of all the previous?
> > > > It is the IP address of the machine that was the client end of the SMTP
> > > > connection to the server. So in the case of a customer-facing SMTP
> > > > server, it will be the customer's client IP address. In the case of an
> > > > MX it would be the IP address of the SMTP server talking to you.
> > > > >
> > > > > Also can this be used in a "To" configuration,
> > > > No. Due to the way mail delivery works, you don't know the IP address of
> > > > the destination until you have already started sending the message.
> > > > Can't be done.
Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From campbell at cnpapers.com Tue Sep 2 15:11:48 2008
From: campbell at cnpapers.com (Steve Campbell)
Date: Tue Sep 2 15:16:44 2008
Subject: CVD extraction failure
In-Reply-To: <223f97700808300110v4fe2b32fodecf06607fb01ec2@mail.gmail.com>
References: <48B81488.6030807@cnpapers.com> <223f97700808300110v4fe2b32fodecf06607fb01ec2@mail.gmail.com>
Message-ID: <48BD49A4.3070607@cnpapers.com>

Glenn Steen wrote:
> 2008/8/29 Steve Campbell
>
>     I hate to ask a question about old version stuff, but we're in the
>     middle of some changes here that just do not let me get around to
>     updating MS. I'm running 4.58.9.
>
>     I started updating the world of Clam/SA and got stopped before I
>     could get to MS. I now see "ERROR: CVD extraction failure"
>     messages in my log file. I'm assuming this has to do with new
>     ClamAV/ old MS and did my best to try and find where the message
>     is coming from. Couldn't find a clue in any of the update scripts,
>     etc.
>
>     Any help would be appreciated, and any explanation as to the
>     severity of the message would be gratefully appreciated also.
>
>     Thanks
>
>     Steve Campbell
>
> Do you get the same from freshclam? The clamav-autoupdate basically
> just runs freshclam...
> Perhaps you have multiple clamav installed (or "leftovers" from more
> than one)? Check your virus.scanners.conf for the relevant one you are
> using :). As always, one install of the latest stable is best.
> The error itself is ... pretty severe, I'd think, since you will lack
> proper updates until fixed.
>
> Cheers
> --

Thanks Glenn,

I checked freshclam, ran it manually, and found that the log file wasn't created. I touched the file, re-modded it to 777, and ran freshclam, and all was well. But I am still getting the CVD errors. I had checked the update-wrapper and autoupdate scripts before inquiring and saw nothing that looked wrong. For all I know, this may not even be Clam, now that I think about it, as the error log entry just says MailScanner, so it could be Bitdefender instead. I removed bitdefender and reloaded MS, but still am seeing the error, so I believe it is Clam related.

Thanks.

Steve

From ssilva at sgvwater.com Tue Sep 2 16:20:07 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Sep 2 16:20:08 2008
Subject: MailScanner Watermark Plugin For Microsoft Exchange 2007
In-Reply-To:
References: <48B7C397.5010508@ecs.soton.ac.uk><004401c909bd$ce4b2570$6ae17050$@dk>
Message-ID:

on 8-29-2008 11:02 AM Kevin Miller spake the following:
> Scott Silva wrote:
>> I am surprised at how much mail I still see sent from Exchange 6.5!
>>
>> Isn't that from back in the NT 4.0 days?
>
> That would be 5.5 I think. But there's still some of those around. 6.5
> is Exchange 2003. Between them was Exchange 2000, presumably 6.0. I
> wonder why Microsoft counts in fives?
>
> ...Kevin

Maybe they have got their fingers caught in the cookie jar so many times that they can only use their thumbs to count! ;-P

But thanks for the info.

-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From craigwhite at azapple.com Tue Sep 2 16:37:03 2008
From: craigwhite at azapple.com (Craig White)
Date: Tue Sep 2 16:44:57 2008
Subject: MailScanner Watermark Plugin For Microsoft Exchange 2007
In-Reply-To:
References: <48B7C397.5010508@ecs.soton.ac.uk><004401c909bd$ce4b2570$6ae17050$@dk>
Message-ID: <1220369823.16070.29.camel@lin-workstation.azapple.com>

On Tue, 2008-09-02 at 08:20 -0700, Scott Silva wrote:
> on 8-29-2008 11:02 AM Kevin Miller spake the following:
> > Scott Silva wrote:
> >> I am surprised at how much mail I still see sent from Exchange 6.5!
> >>
> >> Isn't that from back in the NT 4.0 days?
> >
> > That would be 5.5 I think. But there's still some of those around. 6.5
> > is Exchange 2003. Between them was Exchange 2000, presumably 6.0. I
> > wonder why Microsoft counts in fives?
> >
> > ...Kevin
> Maybe they have got their fingers caught in the cookie jar so many times that
> they can only use their thumbs to count! ;-P
----
because experienced admins know to skip the .0 release

Craig

From glenn.steen at gmail.com Tue Sep 2 16:56:43 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Sep 2 16:56:53 2008
Subject: CVD extraction failure
In-Reply-To: <48BD49A4.3070607@cnpapers.com>
References: <48B81488.6030807@cnpapers.com> <223f97700808300110v4fe2b32fodecf06607fb01ec2@mail.gmail.com> <48BD49A4.3070607@cnpapers.com>
Message-ID: <223f97700809020856x72dbe9eao757a2d09b985788e@mail.gmail.com>

2008/9/2 Steve Campbell

> Glenn Steen wrote:
>
>> 2008/8/29 Steve Campbell
>>
>>     I hate to ask a question about old version stuff, but we're in the
>>     middle of some changes here that just do not let me get around to
>>     updating MS. I'm running 4.58.9.
>>
>>     I started updating the world of Clam/SA and got stopped before I
>>     could get to MS. I now see "ERROR: CVD extraction failure"
>>     messages in my log file. I'm assuming this has to do with new
>>     ClamAV/ old MS and did my best to try and find where the message
>>     is coming from. Couldn't find a clue in any of the update scripts,
>>     etc.
>>
>>     Any help would be appreciated, and any explanation as to the
>>     severity of the message would be gratefully appreciated also.
>>
>>     Thanks
>>
>>     Steve Campbell
>>
>> Do you get the same from freshclam? The clamav-autoupdate basically just
>> runs freshclam...
>> Perhaps you have multiple clamav installed (or "leftovers" from more than
>> one)? Check your virus.scanners.conf for the relevant one you are using :).
>> As always, one install of the latest stable is best.
>> The error itself is ... pretty severe, I'd think, since you will lack
>> proper updates until fixed.
>>
>> Cheers
>> --
>
> Thanks Glenn,
>
> I checked freshclam, ran it manually, and found that the log file wasn't
> created. I touched the file, re-modded it to 777, and ran freshclam, and all
> was well. But I am still getting the CVD errors. I had checked the
> update-wrapper and autoupdate scripts before inquiring and saw nothing that
> looked wrong. For all I know, this may not even be Clam, now that I think
> about it, as the error log entry just says MailScanner, so it could be
> Bitdefender instead. I removed bitdefender and reloaded MS, but still am
> seeing the error, so I believe it is Clam related.
>
> Thanks.
>
> Steve

Do you run clamavmodule? Then I'd guess at a Mail::Clamav/libclamav mismatch... What version of clamav did you move to?

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From rjette at mestek.com Tue Sep 2 17:32:15 2008
From: rjette at mestek.com (Raymond Jette)
Date: Tue Sep 2 17:32:26 2008
Subject: sa-learn with an Exchange server
In-Reply-To:
References: <6341E9EE11D6AC4B84D3225C0E8C6BAB8E1D1C@mtsrv-ex004.mestekcorp.com><6341E9EE11D6AC4B84D3225C0E8C6BAB8E1D27@mtsrv-ex004.mestekcorp.com><6341E9EE11D6AC4B84D3225C0E8C6BAB8E1D3C@mtsrv-ex004.mestekcorp.com>
Message-ID: <6341E9EE11D6AC4B84D3225C0E8C6BAB8E1F24@mtsrv-ex004.mestekcorp.com>

Thanks. Will the /etc/mail/spamassassin directory be replaced during an upgrade?

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ehle, Roland
Sent: Friday, August 29, 2008 1:34 PM
To: MailScanner discussion
Subject: AW: sa-learn with an Exchange server

Raymond,

all files ending in .cf located in /etc/mail/spamassassin are used by SpamAssassin. Of course you could put custom rules into /etc/MailScanner/spam.assassin.prefs.conf too, but I would not recommend doing so. Please keep in mind to do a test after implementing new rules.

Regards, Roland

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Raymond Jette
Sent: Friday, 29 August 2008 16:12
To: MailScanner discussion
Subject: RE: sa-learn with an Exchange server

Thanks for the link. I'll take a look at this. I am in the process of fighting spam in only one place. I just implemented Postfix, MS, SpamAssassin a few months ago. I'm still in the process of removing IMF. You're right about all of the false positives. I host mail for 37 domains. I receive a lot of spam still (not as much as before) and I'm always looking for more ways to improve the system.

Where is the correct location to put custom SA rules? I have read /etc/mail/SpamAssassin. Is this correct even when running MS? Does anyone have any good links on creating custom rules?

Thanks, Ray

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ehle, Roland
Sent: Friday, August 29, 2008 9:53 AM
To: MailScanner discussion
Subject: AW: sa-learn with an Exchange server

You should fight spam at one place only. The spam detection included in Exchange 2003/2007 is not very reliable, as it produces many false positives. See my last mail, this should give you a hint.

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Raymond Jette
Sent: Friday, 29 August 2008 15:40
To: MailScanner discussion
Subject: RE: sa-learn with an Exchange server

I also have thousands of spam messages that IMF is removing on my Exchange server. Is there a way to have SpamAssassin learn these messages?

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Raymond Jette
Sent: Friday, August 29, 2008 9:29 AM
To: mailscanner@lists.mailscanner.info
Subject: sa-learn with an Exchange server

Good morning,

What is the best way to do an sa-learn with an Exchange server? I have a spam mailbox where users have been forwarding spam. The problem is that they forwarded the mail so the message headers have changed. Is there a way to remove local headers from my mail systems or will I have to do this by hand?

Thanks for the help, Ray

From paul.hutchings at mira.co.uk Tue Sep 2 17:39:42 2008
From: paul.hutchings at mira.co.uk (Paul Hutchings)
Date: Tue Sep 2 17:40:00 2008
Subject: virus detection reporting wrong scanner
References: <48BA9848.3030402@ecs.soton.ac.uk> <48BBCFF3.2000003@ecs.soton.ac.uk>
Message-ID:

Interestingly (or not) it seems that reports are saying when infections are detected by avg, but still nothing on vba32 despite maillog saying that clamd, vba32 and avg detected infections.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jeff Mills
Sent: 01 September 2008 23:33
To: MailScanner discussion
Subject: RE: virus detection reporting wrong scanner

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Paul Hutchings
> Sent: Monday, 1 September 2008 11:03 PM
> To: MailScanner discussion
> Subject: RE: virus detection reporting wrong scanner
>
> The lint seems to check out just fine. Maybe my
> understanding is wrong, but I thought that if multiple
> engines caught a virus in a message it listed that multiple
> engines had detected something in the report that's sent to
> postmaster (or wherever) - all I know is I have an entry in
> maillog by vba32 saying it detected a virus, at the same time
> an email was deleted and a report sent to postmaster saying
> it was because clam32 had detected a virus - yet there's no
> report in the postmaster mailbox that mentions vba32.
>

I have a similar issue, but have never bothered with it.
Clamav finds a virus, and MailScanner reports that F-Prot and Bitdefender find it too.

Sep 2 03:16:53 sam MailScanner[8070]: Clamd::INFECTED:: Email.Spam.Gen3737.Sanesecurity.08072802.StormSpam FOUND :: ./8C34AD3E132.E90B8/
Sep 2 03:16:53 sam MailScanner[8070]: Virus Scanning: Clamd found 1 infections
Sep 2 03:16:53 sam MailScanner[8070]: Virus Scanning: F-Prot found 1 infections
Sep 2 03:16:53 sam MailScanner[8070]: Virus Scanning: Bitdefender found 1 infections
Sep 2 03:16:53 sam MailScanner[8070]: Infected message 8C34AD3E132.E90B8 came from 88.243.8.69
Sep 2 03:16:53 sam MailScanner[8070]: Virus Scanning: Found 1 viruses
Sep 2 03:16:53 sam MailScanner[8070]: Virus Scanning completed at 3371 bytes per second
Sep 2 03:16:53 sam MailScanner[8070]: Viruses marked as silent: Clamd: message was infected:

From dnsadmin at 1bigthink.com Tue Sep 2 18:01:36 2008
From: dnsadmin at 1bigthink.com (dnsadmin 1bigthink.com)
Date: Tue Sep 2 18:01:57 2008
Subject: FYI ALL: Fwd: [Clamav-announce] announcing ClamAV 0.94
Message-ID: <200809021701.m82H1hBZ014534@mxt.1bigthink.com>

>Dear ClamAV users,
>
>Sourcefire and the ClamAV team are pleased to announce the release of
>ClamAV 0.94. The following are the key features and improvements of this
>version:
>
> - Logical Signatures: The logical signature technology uses operators
>   such as AND, OR and NOT to allow the combination of more than one
>   signature into one entry in the signature database resulting in
>   more detailed and flexible pattern matching.
>
> - Anti-phishing Technology: Users can now change the priority and reporting
>   of ClamAV's heuristic anti-phishing scanner within the detection engine
>   process. They can choose whether, when scanning a suspicious file, ClamAV
>   should stop scanning and report the phish, or continue to scan in case the
>   file contains other malware (clamd: HeuristicScanPrecedence,
>   clamscan: --heuristic-scan-precedence)
>
> - Disassembly Engine: The initial version of the disassembly engine improves
>   ClamAV's detection abilities.
>
> - PUA Detection: Users can now decide which PUA signatures should be loaded
>   (clamd: ExcludePUA, IncludePUA; clamscan: --exclude-pua, --include-pua)
>
> - Data Loss Prevention (DLP): This version includes a new module that, when
>   enabled, scans data for the inclusion of US formatted Social Security
>   Numbers and credit card numbers (clamd: StructuredDataDetection,
>   clamscan: --detect-structured; additional fine-tuning options
>   are available)
>
> - IPv6 Support: Freshclam now supports IPv6
>
> - Improved Scanning of Scripts: The normalization of scripts now covers
>   JavaScript
>
> - Improved QA and Unit Testing: The improved QA process now includes
>   API testing and new library of test files in various formats that are
>   tested on a wide variety of systems (try running 'make check' in the source
>   directory)
>
>For more details, please refer to
>http://www.clamav.net/press/0.94-WhatsNew.pdf
>and to the ChangeLog.
>
>You may need to run 'ldconfig' after installing this version.
>
>** This version drops the special support for Cygwin. Our QA process showed
>** serious problems with ClamAV builds under Cygwin due to some low-level
>** incompatibilities in the POSIX compatibility layer, resulting in unreliable
>** ClamAV behaviour.
>
>--
>The ClamAV team (http://www.clamav.net/team)
>
>--
>Luca Gibelli (luca _at_ clamav.net) ClamAV, a GPL anti-virus toolkit
>[Tel] +39 0187 1851862 [Fax] +39 0187 1852252 [IM] nervous/jabber.linux.it
>PGP key id 5EFC5582 @ any key-server || http://www.clamav.net/gpg/luca.gpg
>_______________________________________________
>http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-announce

From rcooper at dwford.com Tue Sep 2 18:11:17 2008
From: rcooper at dwford.com (Rick Cooper) Date: Tue Sep 2 18:11:47 2008 Subject: FYI ALL: Fwd: [Clamav-announce] announcing ClamAV 0.94 In-Reply-To: <200809021701.m82H1hBZ014534@mxt.1bigthink.com> References: <200809021701.m82H1hBZ014534@mxt.1bigthink.com> Message-ID: <341937BC5CED4B13BB5C15FEEFDA14BF@SAHOMELT> Note: If you happened to forget to remove PhishingRestrictedScan from your clamd.conf when the option was removed in 0.93.1(?), as I did, clamd will not start and it will emit no error (unless you run in foreground manually) or reason. Remove the PhishingRestrictedScan line from clamd.conf and everything will be fine. Rick From lists at openenterprise.ca Tue Sep 2 18:44:50 2008 
From: lists at openenterprise.ca (Johnny Stork) Date: Tue Sep 2 18:45:05 2008 Subject: MS YUM repository? In-Reply-To: <48BC5881.8010604@vanderkooij.org> References: <48BBEFC8.2060500@ecs.soton.ac.uk> <48BC5881.8010604@vanderkooij.org> Message-ID: <48BD7B92.9090101@openenterprise.ca> I am running MS on CentOS 5x and I seem to recall that someone set up a repo to simplify MS updates with YUM. Sorry if I missed where the details/repo is but could someone please let me know the location of this repo and any additional info that might be needed to use it? Thanks Hugo van der Kooij wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Julian Field wrote: > >> Hi folks! >> >> I have just released a new stable version of MailScanner, version 4.71. >> > > I managed to update the yum repository. Things did not break down for me > so I hope they will not do so for you either. > > I have not yet added anything to help you update the configuration. I > think I will need to sleep on that a bit more before I give it a shot. > > Hugo. > > > - -- > hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ > PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc > > A: Yes. > >Q: Are you sure? > >>A: Because it reverses the logical flow of conversation. > >>>Q: Why is top posting frowned upon? > > Bored? Click on http://spamornot.org/ and rate those images. > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.7 (GNU/Linux) > > iD8DBQFIvFh/BvzDRVjxmYERAhcnAJ9Frg/gZwkjlCm8pLUyAu2vVzpWmACgoIks > f3uWGmpkpGRcZ+/DwwmSx8I= > =1PP5 > -----END PGP SIGNATURE----- > From campbell at cnpapers.com Tue Sep 2 21:02:20 2008 
From: campbell at cnpapers.com (Steve Campbell) Date: Tue Sep 2 21:02:43 2008 Subject: CVD extraction failure In-Reply-To: <223f97700809020856x72dbe9eao757a2d09b985788e@mail.gmail.com> References: <48B81488.6030807@cnpapers.com> <223f97700808300110v4fe2b32fodecf06607fb01ec2@mail.gmail.com> <48BD49A4.3070607@cnpapers.com> <223f97700809020856x72dbe9eao757a2d09b985788e@mail.gmail.com> Message-ID: <48BD9BCC.8050900@cnpapers.com> Glenn Steen wrote: > > > 2008/9/2 Steve Campbell > > > > > Glenn Steen wrote: > > > > 2008/8/29 Steve Campbell >> > > > I hate to ask a question about old version stuff, but we're > in the > middle of some changes here that just do not let me get > around to > updating MS. I'm running 4.58.9. > > > I started updating the world of Clam/SA and got stopped > before I > could get to MS. I now see "ERROR: CVD extraction failure" > messages in my log file. I'm assuming this has to do with new > ClamAV/ old MS and did my best to try and find where the > message > is coming from. Couldn't find a clue in any of the update > scripts, > etc. > > Any help would be appreciated, and any explanation as to the > severity of the message would be gratefully appreciated also. > > Thanks > > Steve Campbell > > Do you get the same from freshclam? The clamav-autoupdate > basically just runs freshclam... > Perhaps you have multiple clamav installed (or "leftovers" > from more than one)? Check your virus.scanners.conf for the > relevant one you are using:). As always, one install of the > latest stable is best. > The error itself is ... pretty severe, I'd think, since you > will lack proper updates until fixed. 
> > Cheers > -- > > > Thanks Glenn, > > I checked freshclam, ran it manually, and found that the log file > wasn't created. I touched the file, re-modded it to 777, and ran > freshclam, and all was well. But I am still getting the CVD > errors. I had checked the update-wrapper and autoupdate scripts > before inquiring and saw nothing that looked wrong. For all I > know, this may not even be Clam, now that I think about it, as the > error log entry just says MailScanner, so it could be Bitdefender > instead. I removed bitdefender and reloaded MS, but still am > seeing the error, so I believe it is Clam related. > > Thanks. > > Steve > > Do you run clamavmodule? Then I'd guess at a Mail::Clamav/libclamav > mismatch... What version of clamav did you move to? > > Cheers > -- > -- Glenn > Nope, I run ClamAV. I upgraded to the last 0.93 before they announced the 0.94 version. I used Julian's install.sh. When I run freshclam -v it indicates I have the latest main.cvd and daily.cld according to the ClamAV website. I'll look around their website (don't know why I didn't do that first) and see if they have a FAQ or something. Thanks again. steve Steve From allan at zandahar.net Wed Sep 3 03:32:39 2008 
From: allan at zandahar.net (Allan Spencer) Date: Wed Sep 3 03:33:14 2008 Subject: MSRBL-Spam issues Message-ID: <48BDF747.10802@zandahar.net> This morning around 7am I was met with a looping MS Server so after doing a --debug --lint found the following LibClamAV Error: cli_hex2str(): Malformed hexstring: 687474703A2F2F7777772E77656262616E6E6572736F6E6C696E652E636F6 (length: 61) LibClamAV Error: Problem parsing database at line 2746 LibClamAV Error: Can't load /usr/local/share/clamav/MSRBL-SPAM.ndb: Malformed database ClamAV Module ERROR:: Could not load databases from /usr/local/share/clamav at /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 548 Delete the file and tried a manual reupdate but still does the same thing so deleted it for now and disable cronjob. Just wondering if anyone else has seen this ? 2 days ago upgraded to 4.71.10 but other than that nothing changed, Centos 4.6 SA & Clam package off the MS site and no yum updates Any suggestions or assistance Thanks Allan From allan at zandahar.net Wed Sep 3 03:47:16 2008 
From: allan at zandahar.net (Allan Spencer) Date: Wed Sep 3 03:47:38 2008 Subject: MSRBL-Spam issues In-Reply-To: <48BDF747.10802@zandahar.net> References: <48BDF747.10802@zandahar.net> Message-ID: <48BDFAB4.1040300@zandahar.net> Not a biggie but realised I had an older version of the script which now checks if the db's are corrupt or not so that should help it from happening again. But still the same issue and also tested on a client's server, they're seeing a corrupt db as well Allan Allan Spencer wrote: > This morning around 7am I was met with a looping MS Server so after > doing a --debug --lint found the following > > LibClamAV Error: cli_hex2str(): Malformed hexstring: > 687474703A2F2F7777772E77656262616E6E6572736F6E6C696E652E636F6 (length: > 61) > LibClamAV Error: Problem parsing database at line 2746 > LibClamAV Error: Can't load /usr/local/share/clamav/MSRBL-SPAM.ndb: > Malformed database > ClamAV Module ERROR:: Could not load databases from > /usr/local/share/clamav at > /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 548 > > Delete the file and tried a manual reupdate but still does the same > thing so deleted it for now and disable cronjob. Just wondering if > anyone else has seen this ? > > 2 days ago upgraded to 4.71.10 but other than that nothing changed, > Centos 4.6 SA & Clam package off the MS site and no yum updates > > Any suggestions or assistance > > Thanks > Allan > From email at ace.net.au Wed Sep 3 06:20:58 2008 From: email at ace.net.au (Peter Nitschke) Date: Wed Sep 3 06:21:56 2008 Subject: Registry Files Message-ID: <200809031450580881.20997929@web.ace.net.au> Hi, Running MS 4.7.1 I just had a text file get blocked. "No Windows Registry files allowed (msg-1839-199.txt)" I checked, and it is just a text file. Any reason it got picked as a registry file? Cheers, Peter From email at ace.net.au Wed Sep 3 06:23:32 2008 
From: email at ace.net.au (Peter Nitschke) Date: Wed Sep 3 06:24:05 2008 Subject: Blackberry Message-ID: <200809031453320272.209BD058@web.ace.net.au> Hi, Running MS 4.7.1 Just started getting Blackberry dat files getting blocked. "No programs allowed (ETP.DAT)" I have a few users with Blackberry's and it hasn't been a problem before that I know of. Could it be related to the upgrade? Cheers, Peter From hvdkooij at vanderkooij.org Wed Sep 3 06:28:45 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Wed Sep 3 06:28:53 2008 Subject: Registry Files In-Reply-To: <200809031450580881.20997929@web.ace.net.au> References: <200809031450580881.20997929@web.ace.net.au> Message-ID: <48BE208D.5080401@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Peter Nitschke wrote: > Running MS 4.7.1 > > I just had a text file get blocked. > > "No Windows Registry files allowed (msg-1839-199.txt)" > > I checked, and it is just a text file. > > Any reason it got picked as a registry file? What does the file utility tell you if you check things manually? Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFIviCLBvzDRVjxmYERAjGPAJ9YURJKqG2QnQMQYaroYvOATz3WfQCeOxD/ P9FrK61CiQoQ/zQqdOPw5tY= =CosV -----END PGP SIGNATURE----- From hvdkooij at vanderkooij.org Wed Sep 3 06:46:29 2008 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Wed Sep 3 06:46:38 2008 Subject: Blackberry In-Reply-To: <200809031453320272.209BD058@web.ace.net.au> References: <200809031453320272.209BD058@web.ace.net.au> Message-ID: <48BE24B5.1090203@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Peter Nitschke wrote: > Hi, > > Running MS 4.7.1 > > Just started getting Blackberry dat files getting blocked. > > "No programs allowed (ETP.DAT)" > > I have a few users with Blackberry's and it hasn't been a problem before > that I know of. > > Could it be related to the upgrade? Again: What does the file utility tell you? Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFIviS0BvzDRVjxmYERAk8nAKCtA2d+JBm7+olJEgY2EsCcbGvH8QCgtFlR VMCREQjdidLGosCYMdSIvhc= =2c60 -----END PGP SIGNATURE----- From email at ace.net.au Wed Sep 3 08:12:07 2008 
From: email at ace.net.au (Peter Nitschke) Date: Wed Sep 3 08:12:47 2008 Subject: Registry Files In-Reply-To: <48BE208D.5080401@vanderkooij.org> References: <200809031450580881.20997929@web.ace.net.au> <48BE208D.5080401@vanderkooij.org> Message-ID: <200809031642070928.20FF3C20@web.ace.net.au> File utility? I tried searching, but got nothing :-( *********** REPLY SEPARATOR *********** On 3/09/2008 at 7:28 AM Hugo van der Kooij wrote: >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > >Peter Nitschke wrote: > >> Running MS 4.7.1 >> >> I just had a text file get blocked. >> >> "No Windows Registry files allowed (msg-1839-199.txt)" >> >> I checked, and it is just a text file. >> >> Any reason it got picked as a registry file? > >What does the file utility tell you if you check things manually? > >Hugo. > >- -- >hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ >PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc > > A: Yes. > >Q: Are you sure? > >>A: Because it reverses the logical flow of conversation. > >>>Q: Why is top posting frowned upon? > >Bored? Click on http://spamornot.org/ and rate those images. > >-----BEGIN PGP SIGNATURE----- >Version: GnuPG v1.4.7 (GNU/Linux) > >iD8DBQFIviCLBvzDRVjxmYERAjGPAJ9YURJKqG2QnQMQYaroYvOATz3WfQCeOxD/ >P9FrK61CiQoQ/zQqdOPw5tY= >=CosV >-----END PGP SIGNATURE----- >-- >MailScanner mailing list >mailscanner@lists.mailscanner.info >http://lists.mailscanner.info/mailman/listinfo/mailscanner > >Before posting, read http://wiki.mailscanner.info/posting > >Support MailScanner development - buy the book off the website! From glenn.steen at gmail.com Wed Sep 3 08:18:13 2008 
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Sep 3 08:18:22 2008 Subject: Blackberry In-Reply-To: <200809031453320272.209BD058@web.ace.net.au> References: <200809031453320272.209BD058@web.ace.net.au> Message-ID: <223f97700809030018r255150b5hd3e691b18797a124@mail.gmail.com> 2008/9/3 Peter Nitschke > > Hi, > > Running MS 4.7.1 > > Just started getting Blackberry dat files getting blocked. > > "No programs allowed (ETP.DAT)" > > I have a few users with Blackberry's and it hasn't been a problem before > that I know of. > > Could it be related to the upgrade? No. The ETP.DAT file is an "abomination of sorts", containing the encrypted user activation data (for your BES server to pick up "automagically" from the user's mailbox). In the message you also have the ascii armoured binary snippet, so why they insist on doing it this way is beyond me... Anyway... It can randomly hit any filetype rule. That you haven't seen any such before just means you've been lucky. Make an exception rule for *.blackberry.net, or live with it;-). If you decide to use the former strategy, look at the "overloading" example in the wiki ... http://wiki.mailscanner.info/doku.php?id=documentation:configuration:rulesets:overloading > Cheers, > > Peter > -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Wed Sep 3 08:25:41 2008 
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Sep 3 08:25:50 2008 Subject: Registry Files In-Reply-To: <200809031642070928.20FF3C20@web.ace.net.au> References: <200809031450580881.20997929@web.ace.net.au> <48BE208D.5080401@vanderkooij.org> <200809031642070928.20FF3C20@web.ace.net.au> Message-ID: <223f97700809030025y65946af3u27bd0d3cce677e53@mail.gmail.com> 2008/9/3 Peter Nitschke : > File utility? I tried searching, but got nothing :-( > The message got quarantined, right? Then you can run file /path/to/quarantine/on/to/the/attachment/that/bothered/file ... That way you'll see what exactly it is on about. BTW... "Registry files" are one of two things... The data files consisting the registry or ... plain text files with the normal windowsy look... My guess would be that the file command's magic for a windoze reg-text-file is pretty opportunistic... and triggers on something simple. How to amend that? Either munge your magics or pester the file command maintainer:-):-). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ajcartmell at fonant.com Wed Sep 3 09:51:38 2008 
From: ajcartmell at fonant.com (Anthony Cartmell) Date: Wed Sep 3 09:51:32 2008 Subject: MSRBL-Spam issues In-Reply-To: <48BDFAB4.1040300@zandahar.net> References: <48BDF747.10802@zandahar.net> <48BDFAB4.1040300@zandahar.net> Message-ID: > Not a biggie but realised I had an older version of the script which now > checks if the db's are corrupt or not so that should help it from > happening again I had this in the logs last night too. The error comes when the newly downloaded database file is checked in the /tmp tree. Looks like my actual MSRBL-SPAM.ndb was last successfully updated on 14 Jul 2008, according to the file date. Anyway, I've just run /etc/cron.daily/update_sanesecurity_sigs manually and it has successfully updated MSRBL-SPAM.ndb. Anthony -- www.fonant.com - Quality web sites From ajcartmell at fonant.com Wed Sep 3 10:54:35 2008 From: ajcartmell at fonant.com (Anthony Cartmell) Date: Wed Sep 3 10:54:22 2008 Subject: Fwd: MSRBL-Spam issues In-Reply-To: <15503.88.97.0.153.1220433701.squirrel@saturn.dataflame.net> References: <15503.88.97.0.153.1220433701.squirrel@saturn.dataflame.net> Message-ID: Steve of Sanesecurity has asked me to post this: ------- Forwarded message ------- This was posted on the MSRBL mailing list: > This should be resolved now (please fetch the latest signature files). > We put in place checks to prevent this from happening previously but it > seems someone bypassed those checks by running an old script to publish > the > changes, this has now been removed and extra warnings will be put in > place. The Sanesecurity download scripts use MSRBL and other Third-Party sigs, more information here: http://www.sanesecurity.co.uk/clamav/feedback.htm Cheers, Steve Sanesecurity ------ So it was a temporary problem at MSRBL which has been fixed (nothing to do with Sanesecurity). Cheers! Anthony -- www.fonant.com - Quality web sites From mailadmin at midland-ics.ie Wed Sep 3 11:02:29 2008 
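The MSRBL-SPAM.ndb failure in the thread above comes down to one odd-length hex string stopping the whole database directory from loading. As an added example (not the Sanesecurity or MSRBL script, and not code posted by anyone on the list), the following checks a staged download and only then swaps it over the live file. It assumes the `Name:TargetType:Offset:HexSignature` layout of .ndb entries and a subset of the hex wildcards; the function names, file names and sample signatures are constructed, and a test load with ClamAV itself remains the authoritative check.

```python
import os
import re
import tempfile

# Tokens accepted inside the HexSignature field (assumed subset, not libclamav's parser):
# hex runs with '?' nibble wildcards, '*', '{n}'-style jumps, '(aa|bb)' alternatives.
_TOKEN = re.compile(
    r"(?P<hex>[0-9A-Fa-f?]+)"
    r"|(?P<star>\*)"
    r"|(?P<jump>\{(?:\d+|\d+-\d*|-\d+)\})"
    r"|(?P<alt>\([0-9A-Fa-f?]+(?:\|[0-9A-Fa-f?]+)*\))"
)

# Constructed sample entry; the hex string below is the one quoted in the thread's error.
GOOD = "Constructed.Spam.Good-1:4:*:687474703a2f2f{4-8}2e636f6d\n"
BAD_HEX = "687474703A2F2F7777772E77656262616E6E6572736F6E6C696E652E636F6"


def check_hexsig(sig):
    """Return None when sig is well formed, otherwise a short reason string."""
    if not sig:
        return "empty hex signature"
    pos = 0
    while pos < len(sig):
        m = _TOKEN.match(sig, pos)
        if m is None:
            return "unexpected character %r at offset %d" % (sig[pos], pos)
        if m.lastgroup == "hex":
            runs = [m.group()]
        elif m.lastgroup == "alt":
            runs = m.group()[1:-1].split("|")
        else:
            runs = []
        for run in runs:
            # Each byte needs two nibbles; an odd run matches the "(length: 61)" error.
            if len(run) % 2:
                return "odd-length hex run (length: %d)" % len(run)
        pos = m.end()
    return None


def check_ndb_line(line):
    """Validate one entry; TargetType and Offset are counted but not interpreted."""
    fields = line.split(":")
    if not 4 <= len(fields) <= 6:
        return "expected 4 to 6 ':'-separated fields, got %d" % len(fields)
    if not fields[0]:
        return "empty signature name"
    return check_hexsig(fields[3])


def validate_ndb(path):
    """Return [(line_number, reason), ...] for every malformed entry in path."""
    problems = []
    with open(path, encoding="latin-1") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            reason = check_ndb_line(line)
            if reason:
                problems.append((lineno, reason))
    return problems


def install_if_valid(staged, live):
    """Replace live with staged only if staged validates; keep the old database otherwise."""
    problems = validate_ndb(staged)
    if not problems:
        os.replace(staged, live)  # atomic when both paths are on the same filesystem
    return problems


def demo():
    """Stage a download whose third line carries the thread's hex string."""
    with tempfile.TemporaryDirectory() as d:
        live = os.path.join(d, "MSRBL-SPAM.ndb")
        staged = live + ".new"
        with open(live, "w") as fh:
            fh.write(GOOD)
        with open(staged, "w") as fh:
            fh.write(GOOD + "# constructed comment line\n")
            fh.write("Constructed.Spam.Bad-1:4:*:" + BAD_HEX + "\n")
        problems = install_if_valid(staged, live)
        with open(live) as fh:
            return problems, fh.read() == GOOD


if __name__ == "__main__":
    print(demo())
```

Keeping the last known-good file in place on a failed check means the scanner keeps running on slightly older signatures instead of failing to load its databases at all.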
From: mailadmin at midland-ics.ie (Mail Admin) Date: Wed Sep 3 11:02:53 2008 Subject: MailScanner: Found dangerous Object Codebase/Data tag in HTML message Message-ID: <006401c90dac$2d650160$882f0420$@ie> Dear All One of my clients based in HongKong is getting valid email blocked with the Report = MailScanner: Found dangerous Object Codebase/Data tag in HTML message I have tried to release it but still gets blocked. On the Mailwatch view of the html I see How can I allow this message through? I tried whitelisting email address but still no joy. Thanks From asakawa at quickd.net Wed Sep 3 11:52:31 2008 
From: asakawa at quickd.net (asakawa@quickd.net) Date: Wed Sep 3 11:53:14 2008 Subject: clamav-0.94-1.el4 Error Message-ID: Hi all clamav-0.94-1.el4 Error clamav have no test reports Virus and Content Scanning: Starting /1/eicar.com Found: EICAR test file NOT a virus. Virus Scanning: McAfee found 1 infections ALERT: [Eicar-Test-Signature] ./1/eicar.com <<< Contains code of the Eicar-Test-Signature virus Virus Scanning: AntiVir found 1 infections /usr/bin/clamscan: unrecognized option `--unzip' ERROR: Unknown option passed. ERROR: Can't parse the command line /usr/bin/clamscan: unrecognized option `--unrar=/usr/bin/unrar' ERROR: Unknown option passed. ERROR: Can't parse the command line Virus Scanning: ClamAV found 1 infections 1.message=>[Subject: Virus Scanner Test Message]=>eicar.com:infected: EICAR-Test-File (not a virus) 1/eicar.com:infected: EICAR-Test-File (not a virus) Virus Scanning: Bitdefender found 2 infections Virus Scanner test reports: McAfee said "/1/eicar.com Found: EICAR test file NOT a virus." AntiVir said "ALERT: [Eicar-Test-Signature] ./1/eicar.com <<< Contains code of the Eicar-Test-Signature virus" Bitdefender said "Found virus EICAR-Test-File (not a virus) in file eicar.com" Best regards, Takashi Asakawa From ard at pergamentum.com Wed Sep 3 11:54:00 2008 
From: ard at pergamentum.com (Alisdair Davey) Date: Wed Sep 3 11:54:51 2008 Subject: Registry Files In-Reply-To: <223f97700809030025y65946af3u27bd0d3cce677e53@mail.gmail.com> References: <200809031450580881.20997929@web.ace.net.au> <48BE208D.5080401@vanderkooij.org> <200809031642070928.20FF3C20@web.ace.net.au> <223f97700809030025y65946af3u27bd0d3cce677e53@mail.gmail.com> Message-ID: <1220439240.20413.5.camel@localhost> On Wed, 2008-09-03 at 09:25 +0200, Glenn Steen wrote: > 2008/9/3 Peter Nitschke : > > File utility? I tried searching, but got nothing :-( > > > The message got quarantined, right? Then you can run > file /path/to/quarantine/on/to/the/attachment/that/bothered/file > ... That way you'll see what exactly it is on about. > > BTW... "Registry files" are one of two things... The data files > consisting the registry or ... plain text files with the normal > windowsy look... My guess would be that the file command's magic for a > windoze reg-text-file is pretty opportunistic... and triggers on > something simple. > How to amend that? Either munge your magics or pester the file command > maintainer:-):-). In a similar vein I quite often see ordinary text files being detected as quicktime movies because they match the file command magic for a quicktime file exactly as Glenn suggests. It is however infrequent enough that I just use one of the fine programs out there to release the message when it does occur... Cheers Alisdair -- Alisdair Davey Pergamentum Solutions ard@pergamentum.com 4 Fellswood Circle www.pergamentum.com Medford, MA 02155 From alex at rtpty.com Wed Sep 3 12:04:01 2008 
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Wed Sep 3 12:04:14 2008 Subject: MailScanner: Found dangerous Object Codebase/Data tag in HTML message In-Reply-To: <006401c90dac$2d650160$882f0420$@ie> References: <006401c90dac$2d650160$882f0420$@ie> Message-ID: <9E0DD65A-EFA0-4BA9-994E-670D2AE595C7@rtpty.com> Whitelisting doesn't stop MailScanner from scanning for dangerous content. "Object Codebase" stuff is, arguably, dangerous stuff. Use a ruleset to avoid scanning that particular address for "object codebase" stuff. On Sep 3, 2008, at 5:02 AM, Mail Admin wrote: > I tried whitelisting email address but still no joy. > From agross at gcpsite.com Wed Sep 3 13:30:09 2008 From: agross at gcpsite.com (Adam Gross) Date: Wed Sep 3 13:30:37 2008 Subject: Strangest Thing... In-Reply-To: <200809031642070928.20FF3C20@web.ace.net.au> References: <200809031450580881.20997929@web.ace.net.au><48BE208D.5080401@vanderkooij.org> <200809031642070928.20FF3C20@web.ace.net.au> Message-ID: <826D5FDFCF76F6499D59755D401D6A86D891@gcpads01.gcpsite.local> Today I come in to find my MailScanner boxes sitting at a steady 85% CPU but doing nothing. After taking a peek in syslog I quickly discovered that for some reason MailScanner couldn't write to my quarantine directory! With a quick chown (chown postfix:www-data /var/spool/MailScanner/quarantine on Ubuntu/Debian) I was instantly back in business and my queues flushed dry within a few minutes. I haven't logged into my MailScanner boxes in weeks and came in to find this today which I thought to be quite strange. I wanted to pass this along to the list just in case I'm not the only one coming in to this strangeness this morning. -Adam -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. Processed by MS01. From MailScanner at ecs.soton.ac.uk Wed Sep 3 14:14:51 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Sep 3 14:15:11 2008 Subject: FYI ALL: Fwd: [Clamav-announce] announcing ClamAV 0.94 In-Reply-To: References: <200809021701.m82H1hBZ014534@mxt.1bigthink.com> Message-ID: <48BE8DCB.1070603@ecs.soton.ac.uk> My newly updated ClamAV+SpamAssassin package should do this for you. Rick Cooper wrote: > Note: > > If you happened to forget to remove PhishingRestrictedScan from your > clamd.conf when the option was removed in 0.93.1(?), as I did, clamd will > not start and it will emit no error (unless you run in foreground manually) > or reason. Remove the PhishingRestrictedScan line from clamd.conf and > everything will be fine. > > Rick > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc From glenn.steen at gmail.com Wed Sep 3 14:29:43 2008 
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Sep 3 14:29:54 2008
Subject: Strangest Thing...
In-Reply-To: <826D5FDFCF76F6499D59755D401D6A86D891@gcpads01.gcpsite.local>
References: <200809031450580881.20997929@web.ace.net.au> <48BE208D.5080401@vanderkooij.org> <200809031642070928.20FF3C20@web.ace.net.au> <826D5FDFCF76F6499D59755D401D6A86D891@gcpads01.gcpsite.local>
Message-ID: <223f97700809030629q549651fend859f8f224425ac4@mail.gmail.com>

2008/9/3 Adam Gross :
> Today I come in to find my MailScanner boxes sitting at a steady 85% CPU
> but doing nothing. After taking a peek in syslog I quickly discovered
> that for some reason MailScanner couldn't write to my quarantine
> directory! With a quick chown (chown postfix:www-data
> /var/spool/MailScanner/quarantine on Ubuntu/Debian) I was instantly back
> in business and my queues flushed dry within a few minutes. I haven't
> logged into my MailScanner boxes in weeks and came in to find this today
> which I thought to be quite strange. I wanted to pass this along to the
> list just in case I'm not the only one coming in to this strangeness
> this morning.
>
> -Adam
>

Sounds a bit like the "fun" one can get with a Mandriva system with a high security setting... The msec scripts will then once/day/week/month do some tests and ... revert your painstakingly set permissions. Sigh. The trick is to either lower security settings or go into the msec setup files and amend things... Could perhaps be something similar, in your case?

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From m.anderlini at database.it Wed Sep 3 15:03:34 2008
From: m.anderlini at database.it (Marcello Anderlini)
Date: Wed Sep 3 15:03:51 2008
Subject: Italian spam
Message-ID: <2FA349F95CF3644FAFC92070E642EB6AD15339@beta.dbdomain.database.it>

Hello, we are now getting a lot of spam in Italian language. SpamAssassin seems not able to detect it, I try to create some custom rules without success.
I get email with subject like this "Nel mondo c'e troppo male bugia" or "Tra gli esami bisogna non solo studiare pero`".

Someone could help me to suggest something to block this kind of spam?

Thanks a lot.

Dr. Marcello Anderlini
m.anderlini@database.it
---------------------------------------------
Database Informatica S.r.l.
Microsoft Certified Partner
Tel. +39059775070 Fax. +39059779545
http://www.database.it
---------------------------------------------

--
Message checked by the Database Informatica antivirus service

From submit at zuka.net Wed Sep 3 15:44:10 2008
From: submit at zuka.net (Dave Filchak)
Date: Wed Sep 3 15:44:35 2008
Subject: Whitelisting
Message-ID: <48BEA2BA.7010609@zuka.net>

Folks ...

I have been trying to whitelist a particular newsletter that we send out on behalf of a client of ours and have had no luck. It always comes back with the following subject: [Lifeskills_News] {Spam?} September 2008 Update. Mailman is hosted on my secondary mail server so the original post is sent to my main mail server and then is aliased over to my secondary mail server and on to Mailman. My client, understandably, is getting upset with seeing the {Spam} in the subject. The message is HTML but is not getting tagged as spam by my main mail server, but rather, by my secondary. I have the following rules in my rules file on the secondary:

# This is where you can build a Spam WhiteList
# Addresses matching in here, with the value
# "yes" will never be marked as spam.
#From: 152.78. yes
#From: 130.246. yes
From: 127.0.0.1 yes
From: 204.15.37.138 yes
From: 199.243.151.38 yes
From: 199.243.151.21 yes
From: gateway.zuka.net yes
From: ywca_lifeskills@zuka.net yes
From: dave.filchak@zuka.net yes
From: ywca_lifeskills@ebony.zuka.net yes
From: ywca_lifeskills-bounces@ebony.zuka.net yes
From: ywca_lifeskills-bounces@zuka.net yes
From: zuka-test-list-bounces@ebony.zuka.net yes
From: zuka-test-list-bounces@zuka.net yes
From: zuka-test-list@zuka.net yes
From: adcam-announce-bounces@canadacannes.com yes
From: adcam-announce-bounces*@canadacannes.com yes
From: screenings@canadacannes.com yes
To: adcam-announce@ebony.zuka.net yes
To: adcam-announce@canadacannes.com yes
From: cassies-bounces@ebony.zuka.net yes
From: cassies@ebony.zuka.net yes
From: ywca_lifeskills-announce@ebony.zuka.net yes
FromOrTo: default no

and, here are the headers from the post marked as spam:

Return-Path:
X-Original-To: submit@zuka.net
Delivered-To: submit@zuka.net
Received: from ebony.zuka.net (ebony.zuka.net [206.223.180.162]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by rosewood.zuka.net (Postfix) with ESMTP id 01384470A94; Wed, 3 Sep 2008 09:45:18 -0400 (EDT)
X-Zuka-EB-MailScanner-Watermark: 1221051769.71856@Ued5x65pwLRORwVpfRoacw
Received: from ebony.zuka.net (localhost [127.0.0.1]) by ebony.zuka.net (8.13.1/8.13.1) with ESMTP id m83CrpcE005374; Wed, 3 Sep 2008 09:01:47 -0400
X-Zuka-EB-MailScanner-Watermark: 1221051168.75288@3Ig5iVRkJ+lVuC0yg587qA
Received: from rosewood.zuka.net (ns2.zuka.net [66.207.212.58]) by ebony.zuka.net (8.13.1/8.13.1) with ESMTP id m83CqiT1005355 for ; Wed, 3 Sep 2008 08:52:46 -0400
Received: from Magnolia.local (lan.zuka.net [204.15.37.138]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: dave.filchak@zuka.net) by rosewood.zuka.net (Postfix) with ESMTP id DE679470A4B for ; Wed, 3 Sep 2008 08:51:28 -0400 (EDT)
Message-ID: <48BE8889.3070809@zuka.net>
Date: Wed, 03 Sep 2008 08:52:25 -0400
Organization: Zuka Inc.
User-Agent: Thunderbird 2.0.0.16 (Macintosh/20080707)
MIME-Version: 1.0
To: ywca_lifeskills@zuka.net
Content-Type: multipart/alternative; boundary="------------000101010301050402010204"
X-zuka.net-rw-MailScanner: Not scanned: please contact your Internet E-Mail Service Provider for details, Not scanned: please contact your Internet E-Mail Service Provider for details
X-zuka.net-rw-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (not cached, score=3.581, required 5, ALL_TRUSTED -1.44, HEADER_SPAM 3.40, HTML_MESSAGE 0.00, HTML_TAG_BALANCE_BODY 0.81, SARE_HEAD_HDR_APPROV 0.82), not spam, SpamAssassin (not cached, score=0.808, required 5, HTML_MESSAGE 0.00, HTML_TAG_BALANCE_BODY 0.81)
X-Zuka-EB-MailScanner-Information: Please contact the ISP for more information
X-Zuka-MailScanner-ID: m83CqiT1005355
X-Zuka-EB-MailScanner: Found to be clean
X-Zuka-EB-MailScanner-SpamCheck: spam, SpamAssassin (not cached, score=7.575, required 5, BAYES_50 0.00, HEADER_SPAM 3.40, HTML_MESSAGE 0.00, INLINE_IMAGE 2.00, SARE_GIF_ATTACH 1.42, SARE_HEAD_HDR_APPROV 0.17, SARE_UNI 0.59)
X-Zuka-EB-MailScanner-SpamScore: sssssss
X-Zuka-EB-MailScanner-From: dave.filchak@zuka.net
From: "YWCA Lifeskills: Training, Coaching, Publications"
Subject: [Lifeskills_News] {Spam?} September 2008 Update
X-BeenThere: ywca_lifeskills@zuka.net
X-Mailman-Version: 2.1.6
Precedence: list
Reply-To: lifeskills@ywcatoronto.org
List-Id: "YWCA Lifeskills: Training, Coaching, Publications"
List-Unsubscribe: ,
List-Archive:
List-Help:
List-Subscribe: ,
Sender: ywca_lifeskills-bounces@zuka.net
Errors-To: ywca_lifeskills-bounces@zuka.net
X-zuka.net-rw-MailScanner-Information: Please contact the ISP for more information
X-RWMailScanner-From: ywca_lifeskills-bounces@zuka.net

The domain in question is ywcatoronto.org. It should be noted that I have set up the mail server zuka-test-list and send the same post to that and it does not get tagged as spam ... yet, when sending the post to the actual list, it does. I have the same rules for this test mail list as I do for the real list. Also note, that when I send this same email post to the test list, not only do the headers show the poster as being whitelisted on the main mail server, but also on the secondary. Not so when I send the post to the real list.

I am sure I am missing something obvious. Any help will be much appreciated.

Regards,

Dave

From hvdkooij at vanderkooij.org Wed Sep 3 18:46:32 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Wed Sep 3 18:46:49 2008
Subject: Italian spam
In-Reply-To: <2FA349F95CF3644FAFC92070E642EB6AD15339@beta.dbdomain.database.it>
References: <2FA349F95CF3644FAFC92070E642EB6AD15339@beta.dbdomain.database.it>
Message-ID: <48BECD78.9030606@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Marcello Anderlini wrote:
> Hello, we are now getting a lot of spam in Italian language.
> SpamAssassin seems not able to detect it, I try to create some custom
> rules without success.
> I get email with subject like this "Nel mondo c'e troppo male bugia" or
> "Tra gli esami bisogna non solo studiare pero`".
>
> Someone could help me to suggest something to block this kind of spam?

Well, if you start feeding them to your Bayesian database it should learn quickly.

I noticed more Dutch spam over a week ago with some customers. Well not actually Dutch. It was just English spam fed through some lame translator program.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFIvs10BvzDRVjxmYERAihlAJ4nqJA8EjwOJY7S/fXguxRFSjLibwCdGSQj
3Eg9l/Gmor4zGp1e2f2q2lw=
=XDvn
-----END PGP SIGNATURE-----

From yashodhan.barve at gmail.com Thu Sep 4 00:34:27 2008
From: yashodhan.barve at gmail.com (Yashodhan Barve)
Date: Thu Sep 4 00:34:42 2008
Subject: need help..ClamAV 0.94 and MailScanner 4.69.9
In-Reply-To: <489AF542.3090608@ecs.soton.ac.uk>
References: <4899AC93.10501@trayerproducts.com> <4899B259.9010204@gmail.com> <4899C0F7.6070603@ecs.soton.ac.uk> <489AF542.3090608@ecs.soton.ac.uk>
Message-ID: <48BF1F03.9040501@gmail.com>

Hi All,

I am facing an issue with MailScanner 4.69.9 and ClamAV 0.94.

I am using ClamAV rpm's and when I update to 0.94, MailScanner --lint gives the following errors

Virus and Content Scanning: Starting
/usr/bin/clamscan: unrecognized option `--unrar=/usr/bin/unrar'
ERROR: Unknown option passed.
ERROR: Can't parse the command line

I tried to comment out all the ExtraOptions from /usr/lib/MailScanner/clamav-wrapper but the error still persists and clamav won't scan any messages.

Is there a way to fix this without upgrading the MailScanner version?

regards,
yashodhan

From Kevin_Miller at ci.juneau.ak.us Thu Sep 4 01:14:01 2008
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Thu Sep 4 01:14:16 2008
Subject: MailScanner ANNOUNCE: 4.71 stable released
In-Reply-To: <48BBEFC8.2060500@ecs.soton.ac.uk>
References: <48BBEFC8.2060500@ecs.soton.ac.uk>
Message-ID:

Julian Field wrote:
> - Updated support for Esets and F-Secure virus scanners.
> - Thanks to F-Secure for donating me a set of server licences so I can
> always be sure that I am supporting the latest versions of their
> products. Much appreciated!

Like several others, my F-Secure 4.65 has gone to the great bit-bucket in the sky. Time to upgrade. Did you install the F-Secure Linux Security 7.01? Is that the package that the latest version of MailScanner has support for? I've downloaded it but not yet installed it.

Thanks...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From holger-lists at noefer.org Thu Sep 4 07:26:23 2008
From: holger-lists at noefer.org (Hoger Nöfer)
Date: Thu Sep 4 07:26:35 2008
Subject: need help..ClamAV 0.94 and MailScanner 4.69.9
In-Reply-To: <48BF1F03.9040501@gmail.com>
References: <4899AC93.10501@trayerproducts.com> <4899B259.9010204@gmail.com> <4899C0F7.6070603@ecs.soton.ac.uk> <489AF542.3090608@ecs.soton.ac.uk> <48BF1F03.9040501@gmail.com>
Message-ID: <48BF7F8F.6000606@noefer.org>

Yashodhan Barve wrote:
> Hi All,
>
> I am facing an issue with MailScanner 4.69.9 and ClamAV 0.94.
>
> I am using ClamAV rpm's and when I update to 0.94,
> MailScanner --lint gives the following errors
>
> Virus and Content Scanning: Starting
> /usr/bin/clamscan: unrecognized option `--unrar=/usr/bin/unrar'
> ERROR: Unknown option passed.
> ERROR: Can't parse the command line
>
> I tried to comment out all the ExtraOptions from
> /usr/lib/MailScanner/clamav-wrapper
>
> but the error still persists and clamav won't scan any messages.
>
> Is there a way to fix this without upgrading the MailScanner version?
>
>
> regards,
> yashodhan

Hi,

have a look at /opt/MailScanner/lib/MailScanner/SweepViruses.pm, I comment out the following lines:

    if ($rarcmd && -x $rarcmd) {
      $Scanners{clamav}->{CommonOptions} .= " --unrar=$rarcmd";
      MailScanner::Log::InfoLog("ClamAV scanner using unrar command %s", $rarcmd);
    }

Best regards,
Holger

From ms-list at alexb.ch Thu Sep 4 07:51:29 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Thu Sep 4 07:51:51 2008
Subject: Mailscanner Version 4.71.10-1 / ClamAV 0.94 infection reporting.
Message-ID: <48BF8571.60000@alexb.ch>

Good day All,

Mailscanner Version 4.71.10-1 / ClamAV 0.94 using ClamD

MailScanner --lint:

Virus and Content Scanning: Starting
ClamAVModule::INFECTED:: Eicar-Test-Signature FOUND :: ./1/
ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Virus Scanning: Clamd found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
Filename Checks: (1 eicar.com)

Doesn't seem right/elegant to me.

It causes Mailwatch 1.x to report:

Clamd: message was infected: Trojan.Fakealert-532 FOUND
Clamd: Late.Night.rar was infected: Trojan.Fakealert-532

Can anybody reproduce running "MailScanner --lint"

Jules?

thanks

Alex

From martinh at solidstatelogic.com Thu Sep 4 08:43:34 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Thu Sep 4 08:43:46 2008
Subject: need help..ClamAV 0.94 and MailScanner 4.69.9
In-Reply-To: <48BF7F8F.6000606@noefer.org>
Message-ID: <5d4fa1c4f4f6fa4b93c243d604939843@solidstatelogic.com>

Or use clamd which is way faster..

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Hoger Nöfer
> Sent: 04 September 2008 07:26
> To: MailScanner discussion
> Subject: Re: need help..ClamAV 0.94 and MailScanner 4.69.9
>
> Yashodhan Barve wrote:
> > Hi All,
> >
> > I am facing an issue with MailScanner 4.69.9 and ClamAV 0.94.
> >
> > I am using ClamAV rpm's and when I update to 0.94, MailScanner --lint
> > gives the following errors
> >
> > Virus and Content Scanning: Starting
> > /usr/bin/clamscan: unrecognized option `--unrar=/usr/bin/unrar'
> > ERROR: Unknown option passed.
> > ERROR: Can't parse the command line
> >
> > I tried to comment out all the ExtraOptions from
> > /usr/lib/MailScanner/clamav-wrapper
> >
> > but the error still persists and clamav won't scan any messages.
> >
> > Is there a way to fix this without upgrading the MailScanner version?
> >
> >
> > regards,
> > yashodhan
>
> Hi,
>
> have a look at /opt/MailScanner/lib/MailScanner/SweepViruses.pm, I comment
> out the following lines:
>     if ($rarcmd && -x $rarcmd) {
>       $Scanners{clamav}->{CommonOptions} .= " --unrar=$rarcmd";
>       MailScanner::Log::InfoLog("ClamAV scanner using unrar command %s", $rarcmd);
>     }
>
>
> Best regards,
> Holger

From MailScanner at ecs.soton.ac.uk Thu Sep 4 10:11:46 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Sep 4 10:12:10 2008
Subject: MailScanner ANNOUNCE: 4.71 stable released
In-Reply-To:
References: <48BBEFC8.2060500@ecs.soton.ac.uk>
Message-ID: <48BFA652.5020508@ecs.soton.ac.uk>

Kevin Miller wrote:
> Julian Field wrote:
>
>> - Updated support for Esets and F-Secure virus scanners.
>> - Thanks to F-Secure for donating me a set of server licences so I can
>> always be sure that I am supporting the latest versions of their
>> products. Much appreciated!
>>
>
> Like several others, my F-Secure 4.65 has gone to the great bit-bucket
> in the sky. Time to upgrade. Did you install the F-Secure Linux
> Security 7.01? Is that the package that the latest version of
> MailScanner has support for? I've downloaded it but not yet installed
> it.
>
I have provided support for 7.01. Install it with the "--command-line-only" switch on the installer command-line in order to get just the bits you want and not any of the whole irrelevant management environment.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From MailScanner at ecs.soton.ac.uk Thu Sep 4 10:33:35 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Sep 4 10:34:04 2008
Subject: Mailscanner Version 4.71.10-1 / ClamAV 0.94 infection reporting.
In-Reply-To:
References:
Message-ID: <48BFAB6F.5090902@ecs.soton.ac.uk>

Alex Broens wrote:
> Good day All,
>
> Mailscanner Version 4.71.10-1 / ClamAV 0.94 using ClamD
>
>
> MailScanner --lint:
>
> Virus and Content Scanning: Starting
> ClamAVModule::INFECTED:: Eicar-Test-Signature FOUND :: ./1/
> ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
> Virus Scanning: Clamd found 2 infections
> Infected message 1 came from 10.1.1.1
> Virus Scanning: Found 2 viruses
> Filename Checks: (1 eicar.com)
>
> Doesn't seem right/elegant to me.
>
> It causes Mailwatch 1.x to report:
>
> Clamd: message was infected: Trojan.Fakealert-532 FOUND
> Clamd: Late.Night.rar was infected: Trojan.Fakealert-532
>
>
> Can anybody reproduce running "MailScanner --lint"
>
> Jules?
The "./1/" line is caused by "ClamAV Full Message Scan = yes".
I believe it is the correct output.
Can anyone contradict me?

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From ms-list at alexb.ch Thu Sep 4 11:26:56 2008
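Added example (not part of any list message, and not MailScanner or MailWatch code): the two INFECTED lines in the lint output above report one signature twice, once for the whole message (`./1/`) and once for the attachment (`./1/eicar.com`). The Python below parses that line shape and folds both lines into one finding per message and signature; the regular expression, the function and field names, and the second sample message are assumptions made for illustration.

```python
import re
from collections import OrderedDict, namedtuple

Hit = namedtuple("Hit", "scanner signature message_id filename")
Finding = namedtuple("Finding", "message_id signature files whole_message")

# Line shape as quoted in the thread:
#   <scanner>::INFECTED:: <signature>[ FOUND] :: ./<message id>/<file, may be empty>
# The pattern itself is an assumption derived from those two sample lines.
LINE_RE = re.compile(
    r"^(?P<scanner>\w+)::INFECTED::\s*(?P<sig>.+?)\s*::\s*"
    r"\./(?P<msg>[^/\s]+)/(?P<file>.*)$"
)


def parse_hit(line):
    """Return a Hit for an INFECTED line, or None for any other log line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    sig = m.group("sig")
    # The whole-message line carries a trailing " FOUND" after the signature.
    if sig.endswith(" FOUND"):
        sig = sig[: -len(" FOUND")].rstrip()
    return Hit(m.group("scanner"), sig, m.group("msg"), m.group("file").strip())


def collapse(hits):
    """Fold whole-message and per-file hits into one Finding per
    (message, signature). The whole-message hit is kept as a flag so a
    signature that only fires on the raw message is not lost."""
    grouped = OrderedDict()
    for hit in hits:
        entry = grouped.setdefault(
            (hit.message_id, hit.signature), {"files": [], "whole": False}
        )
        if hit.filename:
            if hit.filename not in entry["files"]:
                entry["files"].append(hit.filename)
        else:
            entry["whole"] = True
    return [
        Finding(msg, sig, tuple(e["files"]), e["whole"])
        for (msg, sig), e in grouped.items()
    ]


def infections_per_message(findings):
    """Count distinct signatures per message after collapsing."""
    counts = {}
    for f in findings:
        counts[f.message_id] = counts.get(f.message_id, 0) + 1
    return counts


# First four lines are copied from the lint output in the thread; the last
# line is constructed to show a hit that exists only at whole-message level.
SAMPLE_LINES = [
    "Virus and Content Scanning: Starting",
    "ClamAVModule::INFECTED:: Eicar-Test-Signature FOUND :: ./1/",
    "ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com",
    "Virus Scanning: Clamd found 2 infections",
    "ClamAVModule::INFECTED:: Constructed.Sample-Signature FOUND :: ./2/",
]

if __name__ == "__main__":
    parsed = [h for h in map(parse_hit, SAMPLE_LINES) if h is not None]
    for finding in collapse(parsed):
        where = ", ".join(finding.files) or "raw message only"
        print("message %s: %s (%s)" % (finding.message_id, finding.signature, where))
```
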
From: ms-list at alexb.ch (Alex Broens)
Date: Thu Sep 4 11:27:07 2008
Subject: Mailscanner Version 4.71.10-1 / ClamAV 0.94 infection reporting.
In-Reply-To: <48BFAB6F.5090902@ecs.soton.ac.uk>
References: <48BFAB6F.5090902@ecs.soton.ac.uk>
Message-ID: <48BFB7F0.401@alexb.ch>

On 9/4/2008 11:33 AM, Julian Field wrote:
>
>
> Alex Broens wrote:
>> Good day All,
>>
>> Mailscanner Version 4.71.10-1 / ClamAV 0.94 using ClamD
>>
>>
>> MailScanner --lint:
>>
>> Virus and Content Scanning: Starting
>> ClamAVModule::INFECTED:: Eicar-Test-Signature FOUND :: ./1/
>> ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
>> Virus Scanning: Clamd found 2 infections
>> Infected message 1 came from 10.1.1.1
>> Virus Scanning: Found 2 viruses
>> Filename Checks: (1 eicar.com)
>>
>> Doesn't seem right/elegant to me.
>>
>> It causes Mailwatch 1.x to report:
>>
>> Clamd: message was infected: Trojan.Fakealert-532 FOUND
>> Clamd: Late.Night.rar was infected: Trojan.Fakealert-532
>>
>>
>> Can anybody reproduce running "MailScanner --lint"
>>
>> Jules?
> The "./1/" line is caused by "ClamAV Full Message Scan = yes".
> I believe it is the correct output.
> Can anyone contradict me?

If that would be the case, is the logging is slightly borked?
imo, only the infected file is relevant.

Alex

From yashodhan.barve at gmail.com Thu Sep 4 13:28:35 2008
From: yashodhan.barve at gmail.com (Yashodhan Barve)
Date: Thu Sep 4 13:28:49 2008
Subject: need help..ClamAV 0.94 and MailScanner 4.69.9
In-Reply-To: <48BF7F8F.6000606@noefer.org>
References: <4899AC93.10501@trayerproducts.com> <4899B259.9010204@gmail.com> <4899C0F7.6070603@ecs.soton.ac.uk> <489AF542.3090608@ecs.soton.ac.uk> <48BF1F03.9040501@gmail.com> <48BF7F8F.6000606@noefer.org>
Message-ID: <48BFD473.6030001@gmail.com>

Hoger Nöfer wrote:
> Yashodhan Barve wrote:
>
> Hi,
>
> have a look at /opt/MailScanner/lib/MailScanner/SweepViruses.pm, I
> comment out the following lines:
>     if ($rarcmd && -x $rarcmd) {
>       $Scanners{clamav}->{CommonOptions} .= " --unrar=$rarcmd";
>       MailScanner::Log::InfoLog("ClamAV scanner using unrar command %s", $rarcmd);
>     }
>
>
> Best regards,
> Holger

Thanks Holger. That worked.

Martin, I had tried to use clamd in 0.92 days but the daemon kept dying and even monit could not restart it. So switched to clamscan, slower but always works.

regards
yashodhan.

From MailScanner at ecs.soton.ac.uk Thu Sep 4 14:04:16 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Sep 4 14:04:36 2008
Subject: Mailscanner Version 4.71.10-1 / ClamAV 0.94 infection reporting.
In-Reply-To:
References: <48BFAB6F.5090902@ecs.soton.ac.uk>
Message-ID: <48BFDCD0.3070801@ecs.soton.ac.uk>

Alex Broens wrote:
> On 9/4/2008 11:33 AM, Julian Field wrote:
>>
>>
>> Alex Broens wrote:
>>> Good day All,
>>>
>>> Mailscanner Version 4.71.10-1 / ClamAV 0.94 using ClamD
>>>
>>>
>>> MailScanner --lint:
>>>
>>> Virus and Content Scanning: Starting
>>> ClamAVModule::INFECTED:: Eicar-Test-Signature FOUND :: ./1/
>>> ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
>>> Virus Scanning: Clamd found 2 infections
>>> Infected message 1 came from 10.1.1.1
>>> Virus Scanning: Found 2 viruses
>>> Filename Checks: (1 eicar.com)
>>>
>>> Doesn't seem right/elegant to me.
>>>
>>> It causes Mailwatch 1.x to report:
>>>
>>> Clamd: message was infected: Trojan.Fakealert-532 FOUND
>>> Clamd: Late.Night.rar was infected: Trojan.Fakealert-532
>>>
>>>
>>> Can anybody reproduce running "MailScanner --lint"
>>>
>>> Jules?
>> The "./1/" line is caused by "ClamAV Full Message Scan = yes".
>> I believe it is the correct output.
>> Can anyone contradict me?
>
> If that would be the case, is the logging is slightly borked?
> imo, only the infected file is relevant.
But everything that Mailwatch has reported is correct.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From ms-list at alexb.ch Thu Sep 4 14:24:03 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Thu Sep 4 14:24:17 2008
Subject: Mailscanner Version 4.71.10-1 / ClamAV 0.94 infection reporting.
In-Reply-To: <48BFDCD0.3070801@ecs.soton.ac.uk>
References: <48BFAB6F.5090902@ecs.soton.ac.uk> <48BFDCD0.3070801@ecs.soton.ac.uk>
Message-ID: <48BFE173.9030807@alexb.ch>

On 9/4/2008 3:04 PM, Julian Field wrote:
>
>
> Alex Broens wrote:
>> On 9/4/2008 11:33 AM, Julian Field wrote:
>>>
>>>
>>> Alex Broens wrote:
>>>> Good day All,
>>>>
>>>> Mailscanner Version 4.71.10-1 / ClamAV 0.94 using ClamD
>>>>
>>>>
>>>> MailScanner --lint:
>>>>
>>>> Virus and Content Scanning: Starting
>>>> ClamAVModule::INFECTED:: Eicar-Test-Signature FOUND :: ./1/
>>>> ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
>>>> Virus Scanning: Clamd found 2 infections
>>>> Infected message 1 came from 10.1.1.1
>>>> Virus Scanning: Found 2 viruses
>>>> Filename Checks: (1 eicar.com)
>>>>
>>>> Doesn't seem right/elegant to me.
>>>>
>>>> It causes Mailwatch 1.x to report:
>>>>
>>>> Clamd: message was infected: Trojan.Fakealert-532 FOUND
>>>> Clamd: Late.Night.rar was infected: Trojan.Fakealert-532
>>>>
>>>>
>>>> Can anybody reproduce running "MailScanner --lint"
>>>>
>>>> Jules?
>>> The "./1/" line is caused by "ClamAV Full Message Scan = yes".
>>> I believe it is the correct output.
>>> Can anyone contradict me?
>>
>> If that would be the case, is the logging is slightly borked?
>> imo, only the infected file is relevant.
> But everything that Mailwatch has reported is correct.

Mailwatch is not the problem... it reports what MS spits at it.

"ClamAV Full Message Scan = yes" shouldn't affect it as it's still one virus.

imo, MS is doing something unusual:

MS using clamd, NOT clamavmodule

1: logging as ClamAVModule
2: Reporting 2 lines when it would be expected to report 1

Virus and Content Scanning: Starting
ClamAVModule::INFECTED:: Eicar-Test-Signature FOUND :: ./1/
ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Virus Scanning: Clamd found 2 infections

the report above is pretty confusing, isn't it?

Alex

From jplorier at montecarlotv.com.uy Thu Sep 4 14:29:55 2008
From: jplorier at montecarlotv.com.uy (Juan Pablo Lorier)
Date: Thu Sep 4 14:32:16 2008
Subject: Mail passing through pretending to be whilisted
In-Reply-To: <200809041101.m84B0X5i008258@safir.blacknight.ie>
Message-ID:

Hi,

I've been seeing in the logs spam passing through MailScanner because it "thinks" they are whitelisted.

Message m83LrUAs017322 from 78.111.64.126 (kavalchuk@mail.com) ignored whitelist, had 29 recipients (>20) : 1 Time(s)

I've checked the whitelist to see if anything can match to that domain but I only have 3 entries and they differ a lot from that.
I've an outdated mailscanner server (4.65), maybe there's something already detected and corrected about this, does it?
Thanks in advance

Ing. Juan Pablo Lorier
Monte Carlo TV SA
Montevideo, Uruguay
+(598)2 9244444

-- All information contained in this email is confidential and must be used only by its recipient.

From Denis.Beauchemin at USherbrooke.ca Thu Sep 4 14:36:43 2008
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Thu Sep 4 14:37:21 2008
Subject: Mail passing through pretending to be whilisted
In-Reply-To:
References:
Message-ID: <48BFE46B.8000404@USherbrooke.ca>

Juan Pablo Lorier wrote:
> Hi,
>
> I've been seeing in the logs spam passing through MailScanner because it
> "thinks" they are whitelisted.
>
> Message m83LrUAs017322 from 78.111.64.126 (kavalchuk@mail.com) ignored
> whitelist, had 29 recipients (>20) : 1 Time(s)
>

Juan Pablo,

That's not what it says! It says it IGNORED the white list because there were too many recipients.

Denis

--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x62252 F: 819.821.8045

From alex at rtpty.com Thu Sep 4 14:59:57 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Thu Sep 4 15:00:16 2008
Subject: Mail passing through pretending to be whilisted
In-Reply-To:
References:
Message-ID: <6FC3F89B-9D3D-4260-96CD-687B85D3FADE@rtpty.com>

You're probably not splitting recipients and whitelisting by domain. If only one of the recipients is whitelisted it'll go through unless you split them at the MTA.

Sent from my iPhone

On Sep 4, 2008, at 8:29 AM, "Juan Pablo Lorier" wrote:
> Hi,
>
> I've been seeing in the logs spam passing through MailScanner because it
> "thinks" they are whitelisted.
>
> Message m83LrUAs017322 from 78.111.64.126 (kavalchuk@mail.com) ignored
> whitelist, had 29 recipients (>20) : 1 Time(s)
>
> I've checked the whitelist to see if anything can match to that domain
> but I only have 3 entries and they differ a lot from that.
> I've an outdated mailscanner server (4.65), maybe there's something
> already detected and corrected about this, does it?
> Thanks in advance
>
>
> Ing. Juan Pablo Lorier
> Monte Carlo TV SA
> Montevideo, Uruguay
> +(598)2 9244444
>
> -- All information contained in this email is confidential and
> must be used only by its recipient.

From alex at rtpty.com Thu Sep 4 15:00:40 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Thu Sep 4 15:00:58 2008
Subject: Mail passing through pretending to be whilisted
In-Reply-To: <48BFE46B.8000404@USherbrooke.ca>
References: <48BFE46B.8000404@USherbrooke.ca>
Message-ID:

Didn't see that part. In any case splitting would help.

Sent from my iPhone

On Sep 4, 2008, at 8:36 AM, Denis Beauchemin wrote:
> Juan Pablo Lorier wrote:
>> Hi,
>>
>> I've been seeing in the logs spam passing through MailScanner because
>> it "thinks" they are whitelisted.
>> Message m83LrUAs017322 from 78.111.64.126 (kavalchuk@mail.com)
>> ignored whitelist, had 29 recipients (>20) : 1 Time(s)
>>
>
> Juan Pablo,
>
> That's not what it says! It says it IGNORED the white list because
> there were too many recipients.
>
> Denis
>
> --
> Denis Beauchemin, analyst
> Université de Sherbrooke, S.T.I.
> T: 819.821.8000x62252 F: 819.821.8045

From mmcintosh at infowall.com Thu Sep 4 16:18:16 2008
From: mmcintosh at infowall.com (mark mcintosh)
Date: Thu Sep 4 16:19:07 2008
Subject: MailScanner Tweaking/Issues
In-Reply-To:
References: <48BFE46B.8000404@USherbrooke.ca>
Message-ID: <48BFFC38.80706@infowall.com>

Hello,

I have a fairly new install of MailScanner on a CentOS 5.2 x64 VPS with (mailwatch, postfixadmin, mailscanner-mrtg, postfix, maildrop, dcc, razor, pyzor).

The system is working and is blocking most of my spam, but I would like to tweak it and I have a few concerns listed below.

Why does the --lint test show that Pyzor is disabled ?? (Pyzor also shows not working in the MailScanner lint test -->> pyzor: check failed: internal error (listed below))
Why does it skip the Razor ??
Same for SpamCop ??
The Net::Ident module, is it critical ????? ----- Will forcing installation cause me to break anything else ??

The last line in the MailScanner --lint, related to my MailWatch installation, only appears at times and I am still looking into it. Any ideas ??

For clarity I have included the MailScanner -lint as well as the SpamAssassin --lint.

Any help on these questions would be appreciated.

Mark McIntosh

dbg: pyzor: local tests only, disabling Pyzor
dbg: razor2: local tests only, skipping Razor
dbg: reporter: local tests only, disabling SpamCop
dbg: diag: module not installed: Net::Ident ('require' failed) ..............>> How important is this ??? As you can see I am going to have to force it if I want it to install.

/Ident.....Net::Ident::_export_hooks() called too early to check prototype at /root/.cpan/build/Net-Ident-1.20/blib/lib/Net/Ident.pm line 29.
t/Ident.....FAILED tests 1-3
        Failed 3/7 tests, 57.14% okay
Failed Test  Stat Wstat Total Fail  Failed  List of Failed
-------------------------------------------------------------------------------
t/Ident.t                   7    3  42.86%  1-3
2 tests skipped.
Failed 1/4 test scripts, 75.00% okay. 3/8 subtests failed, 62.50% okay.
make: *** [test_dynamic] Error 255
  /usr/bin/make test -- NOT OK
Running make install
  make test had returned bad status, won't install without force

*MailScanner --lint*

Trying to setlogsock(unix)
Read 821 hostnames from the phishing whitelist
Read 2848 hostnames from the phishing blacklist
Config: calling custom init function SQLBlacklist
Starting up SQL Blacklist
Read 6 blacklist entries
Config: calling custom init function MailWatchLogging
Started SQL Logging child
Config: calling custom init function SQLWhitelist
Starting up SQL Whitelist
Read 1 whitelist entries
Checking version numbers...
Version number in MailScanner.conf (4.70.7) is correct.

Your envelope_sender_header in spam.assassin.prefs.conf is correct.
MailScanner setting GID to (89)
MailScanner setting UID to (89)

Checking for SpamAssassin errors (if you use it)...
SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp
SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
Using SpamAssassin results cache
Connected to SpamAssassin cache database
pyzor: check failed: internal error --------------------------->>>>>>>>>>>>>>>> how can I test this
SpamAssassin reported no errors.
Using locktype = posix
MailScanner.conf says "Virus Scanners = clamd"
Found these virus scanners installed: clamd
===========================================================================
Virus and Content Scanning: Starting
ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
ClamAVModule::INFECTED:: Eicar-Test-Signature FOUND :: ./1/
Virus Scanning: Clamd found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
Filename Checks: (1 eicar.com)
Other Checks: Found 1 problems
===========================================================================
Virus Scanner test reports:
Clamd said "eicar.com was infected: Eicar-Test-Signature"

If any of your virus scanners (clamd) are not listed there, you should check that they are installed correctly and that MailScanner is finding them correctly via its virus.scanners.conf.
Config: calling custom end function SQLBlacklist
Closing down by-domain spam blacklist
Config: calling custom end function MailWatchLogging
Config: calling custom end function SQLWhitelist
Closing down by-domain spam whitelist
[root@demo tmp]# commit ineffective with AutoCommit enabled at /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93, line 887.
Commmit ineffective while AutoCommit is on at /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93, line 887.

*SpamAssassin --lint*

ng facilities: all
0 [4482] dbg: logger: logging level is DBG
0.01582 [4482] dbg: generic: SpamAssassin version 3.2.5
0.00354 [4482] dbg: config: score set 0 chosen.
4E-05 [4482] dbg: util: running in taint mode?
merged duplicates: __XM_OL_4BF4C __XM_OL_4EEDB __XM_OL_5B79A __XM_OL_9B90B __XM_OL_ADFF7 __XM_OL_B30D1 __XM_OL_B4B40 __XM_OL_BC7E6 __XM_OL_F3B05 __XM_OL_FF5C8 0.00011 [4482] dbg: rules: __MO_OL_015D5 merged duplicates: __MO_OL_6554A 0.0001 [4482] dbg: rules: __MO_OL_25340 merged duplicates: __MO_OL_4EEDB __MO_OL_7533E 7E-05 [4482] dbg: rules: __MO_OL_58CB5 merged duplicates: __MO_OL_B4B40 5E-05 [4482] dbg: rules: __DOS_HAS_ANY_URI merged duplicates: __HAS_ANY_URI __SARE_URI_ANY 6E-05 [4482] dbg: rules: SARE_HTML_ALT_WAIT1 merged duplicates: SARE_HTML_ALT_WAIT2 SARE_HTML_A_NULL SARE_HTML_BADOPEN SARE_HTML_BAD_FG_CLR SARE_HTML_COLOR_NWHT3 SARE_HTML_FONT_INVIS2 SARE_HTML_FSIZE_1ALL SARE_HTML_GIF_DIM SARE_HTML_H2_CLK SARE_HTML_HTML_AFTER SARE_HTML_INV_TAGA SARE_HTML_JSCRIPT_ENC SARE_HTML_JVS_HREF SARE_HTML_MANY_BR10 SARE_HTML_NO_BODY SARE_HTML_NO_HTML1 SARE_HTML_P_JUSTIFY SARE_HTML_URI_2SLASH SARE_HTML_URI_AXEL SARE_HTML_URI_BADQRY SARE_HTML_URI_BUG SARE_HTML_URI_FORMPHP SARE_HTML_URI_HREF SARE_HTML_URI_MANYP2 SARE_HTML_URI_MANYP3 SARE_HTML_URI_NUMPHP3 SARE_HTML_URI_OBFU4 SARE_HTML_URI_OBFU4a SARE_HTML_URI_OPTPHP SARE_HTML_URI_REFID SARE_HTML_URI_RID SARE_HTML_URI_RM SARE_HTML_USL_MULT 0.00032 [4482] dbg: rules: VIRUS_WARNING107 merged duplicates: __VBOUNCE_AV_RESULTS 3E-05 [4482] dbg: rules: AXB_RCVD_ZOOBSEND merged duplicates: BROKEN_RATWARE_BOM CTYPE_001C_A DEAR_HOMEOWNER DIV_CENTER_A_HREF DRUG_RA_PRICE FM_DDDD_TIMES_2 FM_SEX_HOSTDDDD HG_HORMONE HS_PHARMA_1 HS_UPLOADED_SOFTWARE OEBOUND STOX_RCVD_N_NN_N URIBL_RHS_ABUSE URIBL_RHS_BOGUSMX URIBL_RHS_DSN URIBL_RHS_POST URIBL_RHS_TLD_WHOIS URIBL_RHS_WHOIS URIBL_XS_SURBL URI_L_PHP XMAILER_MIMEOLE_OL_5E7ED XMAILER_MIMEOLE_OL_C7C33 XMAILER_MIMEOLE_OL_D03AB X_LIBRARY YOUR_CRD_RATING 0.0002 [4482] dbg: rules: __MO_OL_F475E merged duplicates: __MO_OL_FF5C8 3E-05 [4482] dbg: conf: finish parsing 0.00272 [4482] dbg: plugin: Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0x2856330) implements 'finish_parsing_end', priority 0 0.03577 
[4482] dbg: replacetags: replacing tags 0.00019 [4482] dbg: replacetags: done replacing tags 0.02281 [4482] dbg: bayes: tie-ing to DB file R/O /var/spool/MailScanner/spamassassin/bayes_toks 0.10894 [4482] dbg: bayes: tie-ing to DB file R/O /var/spool/MailScanner/spamassassin/bayes_seen 0.00087 [4482] dbg: bayes: found bayes db version 3 0.00085 [4482] dbg: bayes: DB journal sync: last sync: 1220536512 0.00041 [4482] dbg: config: score set 2 chosen. 0.00039 [4482] dbg: message: main message type: text/plain 0.00045 [4482] dbg: message: ---- MIME PARSER START ---- 3E-05 [4482] dbg: message: parsing normal part 3E-05 [4482] dbg: message: ---- MIME PARSER END ---- 9E-05 [4482] dbg: plugin: Mail::SpamAssassin::Plugin::DNSEval=HASH(0x279f300) implements 'check_start', priority 0 0.00055 [4482] dbg: plugin: Mail::SpamAssassin::Plugin::Check=HASH(0x2798460) implements 'check_main', priority 0 0.00113 [4482] dbg: conf: trusted_networks are not configured; it is recommended that you configure trusted_networks manually 0.00013 [4482] dbg: metadata: X-Spam-Relays-Trusted: 0.00023 [4482] dbg: metadata: X-Spam-Relays-Untrusted: 3E-05 [4482] dbg: metadata: X-Spam-Relays-Internal: 3E-05 [4482] dbg: metadata: X-Spam-Relays-External: 3E-05 [4482] dbg: plugin: Mail::SpamAssassin::Plugin::RelayCountry=HASH(0x2767220) implements 'extract_metadata', priority 0 9E-05 [4482] dbg: metadata: X-Relay-Countries: 0.00022 [4482] dbg: message: no encoding detected 0.00023 [4482] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x25cd100) implements 'parsed_metadata', priority 0 0.0002 [4482] dbg: plugin: Mail::SpamAssassin::Plugin::RelayCountry=HASH(0x2767220) implements 'parsed_metadata', priority 0 6E-05 [4482] dbg: dns: is DNS available? 
0 0.00018 [4482] dbg: rules: local tests only, ignoring RBL eval 7E-05 [4482] dbg: check: running tests for priority: -1000 0.00107 [4482] dbg: rules: running head tests; score so far=0 0.00033 [4482] dbg: rules: compiled head tests 0.00049 [4482] dbg: eval: all '*From' addrs: ignore@compiling.spamassassin.taint.org 0.00139 [4482] dbg: eval: all '*To' addrs: 0.00055 [4482] dbg: rules: running body tests; score so far=0 0.0004 [4482] dbg: rules: compiled body tests 0.00026 [4482] dbg: rules: running uri tests; score so far=0 0.00011 [4482] dbg: rules: compiled uri tests 7E-05 [4482] dbg: rules: running rawbody tests; score so far=0 0.00013 [4482] dbg: rules: compiled rawbody tests 0.00014 [4482] dbg: rules: running full tests; score so far=0 0.00012 [4482] dbg: rules: compiled full tests 0.00016 [4482] dbg: rules: running meta tests; score so far=0 0.00015 [4482] dbg: rules: compiled meta tests 0.0002 [4482] dbg: check: running tests for priority: -950 0.00031 [4482] dbg: rules: running head tests; score so far=0 0.00011 [4482] dbg: rules: compiled head tests 0.00019 [4482] dbg: rules: running body tests; score so far=0 0.00054 [4482] dbg: rules: compiled body tests 0.00016 [4482] dbg: rules: running uri tests; score so far=0 0.00013 [4482] dbg: rules: compiled uri tests 0.00032 [4482] dbg: rules: running rawbody tests; score so far=0 4E-05 [4482] dbg: rules: compiled rawbody tests 6E-05 [4482] dbg: rules: running full tests; score so far=0 9E-05 [4482] dbg: rules: compiled full tests 0.00015 [4482] dbg: rules: running meta tests; score so far=0 0.00014 [4482] dbg: rules: compiled meta tests 0.00018 [4482] dbg: check: running tests for priority: -900 0.00012 [4482] dbg: rules: running head tests; score so far=0 0.0001 [4482] dbg: rules: compiled head tests 0.00016 [4482] dbg: rules: running body tests; score so far=0 0.0011 [4482] dbg: rules: compiled body tests 0.00016 [4482] dbg: rules: running uri tests; score so far=0 0.00011 [4482] dbg: rules: compiled uri 
tests 0.00013 [4482] dbg: rules: running rawbody tests; score so far=0 0.00013 [4482] dbg: rules: compiled rawbody tests 0.00014 [4482] dbg: rules: running full tests; score so far=0 0.00011 [4482] dbg: rules: compiled full tests 0.00017 [4482] dbg: rules: running meta tests; score so far=0 0.00015 [4482] dbg: rules: compiled meta tests 0.00019 [4482] dbg: check: running tests for priority: -400 0.00012 [4482] dbg: rules: running head tests; score so far=0 0.0001 [4482] dbg: rules: compiled head tests 0.00016 [4482] dbg: rules: running body tests; score so far=0 0.00013 [4482] dbg: rules: compiled body tests 0.00014 [4482] dbg: rules: running uri tests; score so far=0 0.00011 [4482] dbg: rules: compiled uri tests 0.00013 [4482] dbg: plugin: Mail::SpamAssassin::Plugin::WLBLEval=HASH(0x2a0cd20) implements 'check_wb_list', priority 0 0.00078 [4482] dbg: bayes: DB journal sync: last sync: 1220536512 0.00056 [4482] dbg: bayes: corpus size: nspam = 2289, nham = 444 0.00053 [4482] dbg: bayes: score = 0.000899556217436037 0.08655 [4482] dbg: bayes: DB expiry: tokens in DB: 117990, Expiry max size: 150000, Oldest atime: 1215437323, Newest atime: 1220538182, Last expire: 0, Current time: 1220538579 0.0007 [4482] dbg: bayes: DB journal sync: last sync: 1220536512 0.00027 [4482] dbg: bayes: untie-ing 0.00313 [4482] dbg: rules: running rawbody tests; score so far=0 0.00052 [4482] dbg: rules: compiled rawbody tests 0.00025 [4482] dbg: rules: running full tests; score so far=0 0.00013 [4482] dbg: rules: compiled full tests 0.00016 [4482] dbg: rules: running meta tests; score so far=0 0.00015 [4482] dbg: rules: compiled meta tests 0.00018 [4482] dbg: check: running tests for priority: 0 0.00012 [4482] dbg: rules: running head tests; score so far=0 0.00012 [4482] dbg: rules: compiled head tests 0.24221 [4482] dbg: rules: ran header rule __MISSING_REF ======> got hit: "UNSET" 0.0013 [4482] dbg: rules: ran header rule __MSOE_MID_WRONG_CASE ======> got hit: " 0.00318 [4482] dbg: 
rules: Message-Id: " 8E-05 [4482] dbg: rules: ran header rule MISSING_DATE ======> got hit: "UNSET" 0.00065 [4482] dbg: rules: ran header rule __SARE_WHITELIST_FLAG ======> got hit: "i" 0.00042 [4482] dbg: rules: ran header rule __MSGID_OK_HOST ======> got hit: "@lint_rules>" 0.00172 [4482] dbg: rules: ran header rule __MSGID_OK_DIGITS ======> got hit: "1220538576" 0.00019 [4482] dbg: rules: ran header rule __HAS_MSGID ======> got hit: "<" 0.00032 [4482] dbg: rules: ran header rule __SANE_MSGID ======> got hit: "<1220538576@lint_rules> 0.00016 [4482] dbg: rules: " 3E-05 [4482] dbg: spf: checking to see if the message has a Received-SPF header that we can use 0.01413 [4482] dbg: spf: already checked for Received-SPF headers, proceeding with DNS based checks 0.00064 [4482] dbg: spf: already checked for Received-SPF headers, proceeding with DNS based checks 0.00015 [4482] dbg: rules: ran eval rule NO_RELAYS ======> got hit (1) 0.00105 [4482] dbg: spf: already checked for Received-SPF headers, proceeding with DNS based checks 0.00031 [4482] dbg: spf: already checked for Received-SPF headers, proceeding with DNS based checks 0.00084 [4482] dbg: spf: cannot get Envelope-From, cannot use SPF 0.00147 [4482] dbg: spf: def_spf_whitelist_from: could not find useable envelope sender 4E-05 [4482] dbg: spf: already checked for Received-SPF headers, proceeding with DNS based checks 0.00012 [4482] dbg: spf: already checked for Received-SPF headers, proceeding with DNS based checks 0.00014 [4482] dbg: spf: already checked for Received-SPF headers, proceeding with DNS based checks 0.00042 [4482] dbg: rules: ran eval rule __UNUSABLE_MSGID ======> got hit (1) 0.00061 [4482] dbg: spf: spf_whitelist_from: could not find useable envelope sender 0.00032 [4482] dbg: rules: ran eval rule MISSING_HEADERS ======> got hit (1) 0.00049 [4482] dbg: rules: running body tests; score so far=1.5 0.00033 [4482] dbg: rules: compiled body tests 0.44736 [4482] dbg: rules: ran body rule __NONEMPTY_BODY 
======> got hit: "I" 0.04167 [4482] dbg: rules: running uri tests; score so far=1.5 0.04615 [4482] dbg: rules: compiled uri tests 0.02043 [4482] dbg: eval: stock info total: 0 0.02142 [4482] dbg: rules: ran eval rule BAYES_00 ======> got hit (1) 0.00317 [4482] dbg: rules: running rawbody tests; score so far=-0.812 0.00409 [4482] dbg: rules: compiled rawbody tests 0.36254 [4482] dbg: rules: ran rawbody rule __TVD_BODY ======> got hit: "need" 0.00454 [4482] dbg: rules: running full tests; score so far=-0.812 0.00431 [4482] dbg: rules: compiled full tests 0.0029 [4482] dbg: rules: running meta tests; score so far=-0.812 0.00058 [4482] dbg: rules: compiled meta tests 0.00068 [4482] dbg: check: running tests for priority: 500 0.00049 [4482] dbg: dns: harvest_dnsbl_queries 0.00012 [4482] dbg: rules: running head tests; score so far=-0.812 0.00036 [4482] dbg: rules: compiled head tests 0.00841 [4482] dbg: rules: running body tests; score so far=-0.812 0.00048 [4482] dbg: rules: compiled body tests 0.00179 [4482] dbg: rules: running uri tests; score so far=-0.812 0.00154 [4482] dbg: rules: compiled uri tests 0.00128 [4482] dbg: rules: running rawbody tests; score so far=-0.812 0.00016 [4482] dbg: rules: compiled rawbody tests 0.00225 [4482] dbg: rules: running full tests; score so far=-0.812 0.00061 [4482] dbg: rules: compiled full tests 0.00053 [4482] dbg: rules: running meta tests; score so far=-0.812 0.00017 [4482] dbg: rules: meta test DIGEST_MULTIPLE has undefined dependency 'DCC_CHECK' 0.00019 [4482] dbg: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_MKSHRT' 0.02107 [4482] dbg: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_GT' 9E-05 [4482] dbg: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_TINY' 3E-05 [4482] dbg: rules: meta test VIRUS_WARNING_DOOM_BNC has undefined dependency 'VIRUS_WARNING_MYDOOM4' 0.00701 [4482] dbg: rules: compiled meta tests 0.43007 [4482] dbg: check: running tests for 
priority: 1000 0.00375 [4482] dbg: rules: running head tests; score so far=1.663 0.00011 [4482] dbg: rules: compiled head tests 0.00031 [4482] dbg: rules: running body tests; score so far=1.663 0.00059 [4482] dbg: rules: compiled body tests 0.00022 [4482] dbg: rules: running uri tests; score so far=1.663 0.00013 [4482] dbg: rules: compiled uri tests 3E-05 [4482] dbg: rules: running rawbody tests; score so far=1.663 0.00011 [4482] dbg: rules: compiled rawbody tests 0.00013 [4482] dbg: rules: running full tests; score so far=1.663 0.00012 [4482] dbg: rules: compiled full tests 0.00014 [4482] dbg: rules: running meta tests; score so far=1.663 0.00014 [4482] dbg: rules: compiled meta tests 0.00017 [4482] dbg: check: is spam? score=1.663 required=5 0.00048 [4482] dbg: check: tests=BAYES_00,MISSING_DATE,MISSING_HEADERS,MISSING_SUBJECT,NO_RECEIVED,NO_RELAYS 4E-05 [4482] dbg: check: subtests=__HAS_MSGID,__MISSING_REF,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__MSOE_MID_WRONG_CASE,__NONEMPTY_BODY,__SANE_MSGID,__SARE_WHITELIST_FLAG,__TVD_BODY,__UNUSABLE_MSGID 6E-05 *Finish - Total Time* *8.29346* -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From vincent at zijnemail.nl Thu Sep 4 16:35:34 2008 
From: vincent at zijnemail.nl (Vincent Verhagen)
Date: Thu Sep 4 16:35:49 2008
Subject: MailScanner delivering mail with virus?
Message-ID: <48C00046.7090002@zijnemail.nl>

Using:
MailScanner 4.71.10
F-Prot-6 (not the daemon)

For some reason, MailScanner has passed some emails that were virus-infected according to F-Prot.
See this excerpt from the log:

Sep 4 14:51:29 mail2 MailScanner[21344]: New Batch: Scanning 1 messages, 31790 bytes
Sep 4 14:51:29 mail2 MailScanner[21344]: Spam Checks completed at 90432 bytes per second
Sep 4 14:51:29 mail2 MailScanner[21344]: Virus and Content Scanning: Starting
Sep 4 14:51:33 mail2 MailScanner[21344]: [Found possible security risk] ./43E59D98828.C43D0.message->Fees_2007-2008.zip->Fees_2007-2008.doc.exe
Sep 4 14:51:33 mail2 MailScanner[21344]: Virus Scanning: F-Prot6 found 1 infections
Sep 4 14:51:33 mail2 MailScanner[21344]: Infected message 43E59D98828.C43D0.message->Fees_2007-2008.zip->Fees_2007-2008.doc.exe came from
Sep 4 14:51:33 mail2 MailScanner[21344]: Virus Scanning: Found 1 viruses
Sep 4 14:51:33 mail2 MailScanner[21344]: Virus Scanning completed at 9003 bytes per second
Sep 4 14:51:33 mail2 MailScanner[21344]: Requeue: 43E59D98828.C43D0 to 5ADD8D98829
Sep 4 14:51:33 mail2 MailScanner[21344]: Uninfected: Delivered 1 messages
Sep 4 14:51:33 mail2 MailScanner[21344]: Batch completed at 8160 bytes per second (31790 / 3)
Sep 4 14:51:33 mail2 MailScanner[21344]: Batch (1 message) processed in 3.90 seconds
Sep 4 14:51:33 mail2 MailScanner[21344]: Logging message 43E59D98828.C43D0 to SQL
Sep 4 14:51:33 mail2 MailScanner[21344]: "Always Looked Up Last" took 0.00 seconds

A few minutes later, it does so again:

Sep 4 14:53:31 mail2 MailScanner[21344]: New Batch: Scanning 1 messages, 32024 bytes
Sep 4 14:53:31 mail2 MailScanner[21344]: Spam Checks: Found 1 spam messages
Sep 4 14:53:31 mail2 MailScanner[21344]: Spam Checks completed at 87136 bytes per second
Sep 4 14:53:31 mail2 MailScanner[21344]: Virus and Content Scanning: Starting
Sep 4 14:53:35 mail2 MailScanner[21344]: [Found possible security risk] ./9D0DFD98829.A3D54.message->Fees_2007-2008.zip->Fees_2007-2008.doc.exe
Sep 4 14:53:35 mail2 MailScanner[21344]: Virus Scanning: F-Prot6 found 1 infections
Sep 4 14:53:35 mail2 MailScanner[21344]: Infected message 9D0DFD98829.A3D54.message->Fees_2007-2008.zip->Fees_2007-2008.doc.exe came from
Sep 4 14:53:35 mail2 MailScanner[21344]: Virus Scanning: Found 1 viruses
Sep 4 14:53:35 mail2 MailScanner[21344]: Virus Scanning completed at 8846 bytes per second
Sep 4 14:53:35 mail2 MailScanner[21344]: Requeue: 9D0DFD98829.A3D54 to DE875D98828
Sep 4 14:53:35 mail2 MailScanner[21344]: Uninfected: Delivered 1 messages
Sep 4 14:53:35 mail2 MailScanner[21344]: Batch completed at 8002 bytes per second (32024 / 4)
Sep 4 14:53:35 mail2 MailScanner[21344]: Batch (1 message) processed in 4.00 seconds
Sep 4 14:53:35 mail2 MailScanner[21344]: Logging message 9D0DFD98829.A3D54 to SQL
Sep 4 14:53:35 mail2 MailScanner[21344]: "Always Looked Up Last" took 0.00 seconds

MailScanner is not configured to deliver viruses in any way and has never done so before.
Anyone have an idea what causes this?

Regards,
Vincent

From vincent at zijnemail.nl Thu Sep 4 16:45:04 2008
From: vincent at zijnemail.nl (Vincent Verhagen)
Date: Thu Sep 4 16:45:18 2008
Subject: MailScanner delivering mail with virus? - Addition
Message-ID: <48C00280.2030900@zijnemail.nl>

It seems that there is more wrong here.
When Clamd detects an infection, MailScanner reports that both ClamAVModule and F-Prot have found it... See below:

Sep 4 17:39:20 mail2 MailScanner[26594]: New Batch: Scanning 1 messages, 3526 bytes
Sep 4 17:39:20 mail2 MailScanner[26594]: Expired 1 records from the SpamAssassin cache
Sep 4 17:39:20 mail2 MailScanner[26594]: Spam Checks: Found 1 spam messages
Sep 4 17:39:20 mail2 MailScanner[26594]: Spam Checks completed at 5695 bytes per second
Sep 4 17:39:20 mail2 MailScanner[26594]: Virus and Content Scanning: Starting
Sep 4 17:39:22 mail2 MailScanner[26594]: ClamAVModule::INFECTED:: Email.Spam.Gen1986.Sanesecurity.07113001 FOUND :: ./2B620D98826.EF262/
Sep 4 17:39:22 mail2 MailScanner[26594]: Virus Scanning: Clamd found 1 infections
Sep 4 17:39:24 mail2 MailScanner[26594]: Virus Scanning: F-Prot6 found 1 infections
Sep 4 17:39:24 mail2 MailScanner[26594]: Infected message 2B620D98826.EF262 came from 117.64.193.63
Sep 4 17:39:24 mail2 MailScanner[26594]: Virus Scanning: Found 1 viruses
Sep 4 17:39:24 mail2 MailScanner[26594]: Virus Scanning completed at 1029 bytes per second
Sep 4 17:39:24 mail2 MailScanner[26594]: Saved entire message to /var/spool/MailScanner/quarantine/20080904/2B620D98826.EF262
Sep 4 17:39:24 mail2 MailScanner[26594]: Batch completed at 870 bytes per second (3526 / 4)
Sep 4 17:39:24 mail2 MailScanner[26594]: Batch (1 message) processed in 4.05 seconds
Sep 4 17:39:24 mail2 MailScanner[26594]: Logging message 2B620D98826.EF262 to SQL
Sep 4 17:39:24 mail2 MailScanner[26594]: "Always Looked Up Last" took 0.00 seconds
Sep 4 17:39:24 mail2 MailScanner[26728]: 2B620D98826.EF262: Logged to MailWatch SQL

More info will follow as needed.

From MailScanner at ecs.soton.ac.uk Thu Sep 4 16:55:12 2008
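The two log excerpts posted above can be told apart mechanically. As an added example (not part of the original posts and not MailScanner code), this Python audit groups MailScanner syslog lines by child PID and flags a batch in which viruses were found yet every message was delivered as uninfected, or in which the "Infected message" entry carries a scanner file path or no source address. The path heuristic and the finding names are assumptions; the sample lines are copied from the posts.

```python
import re
from dataclasses import dataclass, field

# Sample input: lines copied from the two log excerpts in the posts above.
SAMPLE_LOG = """\
Sep 4 14:51:29 mail2 MailScanner[21344]: New Batch: Scanning 1 messages, 31790 bytes
Sep 4 14:51:33 mail2 MailScanner[21344]: Virus Scanning: F-Prot6 found 1 infections
Sep 4 14:51:33 mail2 MailScanner[21344]: Infected message 43E59D98828.C43D0.message->Fees_2007-2008.zip->Fees_2007-2008.doc.exe came from
Sep 4 14:51:33 mail2 MailScanner[21344]: Virus Scanning: Found 1 viruses
Sep 4 14:51:33 mail2 MailScanner[21344]: Requeue: 43E59D98828.C43D0 to 5ADD8D98829
Sep 4 14:51:33 mail2 MailScanner[21344]: Uninfected: Delivered 1 messages
Sep 4 14:51:33 mail2 MailScanner[21344]: Batch (1 message) processed in 3.90 seconds
Sep 4 17:39:20 mail2 MailScanner[26594]: New Batch: Scanning 1 messages, 3526 bytes
Sep 4 17:39:22 mail2 MailScanner[26594]: Virus Scanning: Clamd found 1 infections
Sep 4 17:39:24 mail2 MailScanner[26594]: Virus Scanning: F-Prot6 found 1 infections
Sep 4 17:39:24 mail2 MailScanner[26594]: Infected message 2B620D98826.EF262 came from 117.64.193.63
Sep 4 17:39:24 mail2 MailScanner[26594]: Virus Scanning: Found 1 viruses
Sep 4 17:39:24 mail2 MailScanner[26594]: Saved entire message to /var/spool/MailScanner/quarantine/20080904/2B620D98826.EF262
Sep 4 17:39:24 mail2 MailScanner[26594]: Batch (1 message) processed in 4.05 seconds
"""

LINE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]+)\s+\S+\s+MailScanner\[(\d+)\]:\s+(.*)$")
NEW_BATCH = re.compile(r"New Batch: Scanning (\d+) messages")
FOUND = re.compile(r"Virus Scanning: Found (\d+) viruses")
INFECTED = re.compile(r"Infected message (\S+) came from\s*(\S*)")
DELIVERED = re.compile(r"Uninfected: Delivered (\d+) messages")
BATCH_END = re.compile(r"Batch \(\d+ messages?\) processed")
# Assumption: a real queue ID never contains archive-path markers like these.
PATHLIKE = re.compile(r"->|/|\.message\b")


@dataclass
class Batch:
    pid: str
    started: str
    size: int
    viruses: int = 0
    delivered_clean: int = 0
    infected: list = field(default_factory=list)  # (message id, source address)


def check(batch):
    """Return (pid, start time, finding, detail) tuples for one finished batch."""
    findings = []
    for msg_id, source in batch.infected:
        # The infection was logged against something that is not a plain queue ID,
        # or without the sending address, so it may not be tied to a message.
        if PATHLIKE.search(msg_id) or not source:
            findings.append((batch.pid, batch.started, "unattributed-infection", msg_id))
    # Viruses were counted, yet no message in the batch was held back.
    if batch.viruses > 0 and batch.delivered_clean >= batch.size:
        detail = (f"{batch.viruses} found, "
                  f"{batch.delivered_clean}/{batch.size} delivered as uninfected")
        findings.append((batch.pid, batch.started, "infected-batch-delivered", detail))
    return findings


def audit(log_text):
    """Group MailScanner log lines into per-PID batches and check each one."""
    open_batches, findings = {}, []
    for raw in log_text.splitlines():
        parsed = LINE.match(raw.strip())
        if not parsed:
            continue
        stamp, pid, text = parsed.groups()
        if (m := NEW_BATCH.search(text)):
            if pid in open_batches:  # previous batch never logged its end
                findings += check(open_batches.pop(pid))
            open_batches[pid] = Batch(pid, stamp, int(m.group(1)))
            continue
        batch = open_batches.get(pid)
        if batch is None:
            continue
        if (m := FOUND.search(text)):
            batch.viruses = int(m.group(1))
        elif (m := INFECTED.search(text)):
            batch.infected.append((m.group(1), m.group(2)))
        elif (m := DELIVERED.search(text)):
            batch.delivered_clean += int(m.group(1))
        elif BATCH_END.search(text):
            findings += check(open_batches.pop(pid))
    for batch in open_batches.values():  # log ended mid-batch
        findings += check(batch)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Only the 14:51 batch from PID 21344 is reported; the 17:39 batch, where the ID is a bare queue ID with a source address and nothing is delivered as uninfected, passes.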
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Sep 4 16:55:33 2008
Subject: MailScanner delivering mail with virus?
In-Reply-To:
References:
Message-ID: <48C004E0.8030302@ecs.soton.ac.uk>

Can you try setting
ClamAV Full Message Scan = no
and giving it another go?

I don't like the look of 43E59D98828.C43D0.message as a filename, that looks definitely wrong to me. It is not managing to extract the attachment filename from the virus scanner report.

Can you send me a copy of the mail queue file please? (off-list, to mailscanner@ecs.soton.ac.uk).

Thanks,
Jules.

Vincent Verhagen wrote:
> Using:
> MailScanner 4.71.10
> F-Prot-6 (not the daemon)
>
> For some reason, MailScanner has passed some emails that were
> virus-infected according to F-Prot.
> See this excerpt from the log:
>
> Sep 4 14:51:29 mail2 MailScanner[21344]: New Batch: Scanning 1
> messages, 31790 bytes
> Sep 4 14:51:29 mail2 MailScanner[21344]: Spam Checks completed at
> 90432 bytes per second
> Sep 4 14:51:29 mail2 MailScanner[21344]: Virus and Content Scanning:
> Starting
> Sep 4 14:51:33 mail2 MailScanner[21344]: [Found possible security
> risk]
> ./43E59D98828.C43D0.message->Fees_2007-2008.zip->Fees_2007-2008.doc.exe
> Sep 4 14:51:33 mail2 MailScanner[21344]: Virus Scanning: F-Prot6
> found 1 infections
> Sep 4 14:51:33 mail2 MailScanner[21344]: Infected message
> 43E59D98828.C43D0.message->Fees_2007-2008.zip->Fees_2007-2008.doc.exe
> came from
> Sep 4 14:51:33 mail2 MailScanner[21344]: Virus Scanning: Found 1 viruses
> Sep 4 14:51:33 mail2 MailScanner[21344]: Virus Scanning completed at
> 9003 bytes per second
> Sep 4 14:51:33 mail2 MailScanner[21344]: Requeue: 43E59D98828.C43D0
> to 5ADD8D98829
> Sep 4 14:51:33 mail2 MailScanner[21344]: Uninfected: Delivered 1
> messages
> Sep 4 14:51:33 mail2 MailScanner[21344]: Batch completed at 8160
> bytes per second (31790 / 3)
> Sep 4 14:51:33 mail2 MailScanner[21344]: Batch (1 message) processed
> in 3.90 seconds
> Sep 4 14:51:33 mail2 MailScanner[21344]: Logging message
> 43E59D98828.C43D0 to SQL
> Sep 4 14:51:33 mail2 MailScanner[21344]: "Always Looked Up Last" took
> 0.00 seconds
>
> A few minutes later, it does so again:
>
> Sep 4 14:53:31 mail2 MailScanner[21344]: New Batch: Scanning 1
> messages, 32024 bytes
> Sep 4 14:53:31 mail2 MailScanner[21344]: Spam Checks: Found 1 spam
> messages
> Sep 4 14:53:31 mail2 MailScanner[21344]: Spam Checks completed at
> 87136 bytes per second
> Sep 4 14:53:31 mail2 MailScanner[21344]: Virus and Content Scanning:
> Starting
> Sep 4 14:53:35 mail2 MailScanner[21344]: [Found possible security
> risk]
> ./9D0DFD98829.A3D54.message->Fees_2007-2008.zip->Fees_2007-2008.doc.exe
> Sep 4 14:53:35 mail2 MailScanner[21344]: Virus Scanning: F-Prot6
> found 1 infections
> Sep 4 14:53:35 mail2 MailScanner[21344]: Infected message
> 9D0DFD98829.A3D54.message->Fees_2007-2008.zip->Fees_2007-2008.doc.exe
> came from
> Sep 4 14:53:35 mail2 MailScanner[21344]: Virus Scanning: Found 1 viruses
> Sep 4 14:53:35 mail2 MailScanner[21344]: Virus Scanning completed at
> 8846 bytes per second
> Sep 4 14:53:35 mail2 MailScanner[21344]: Requeue: 9D0DFD98829.A3D54
> to DE875D98828
> Sep 4 14:53:35 mail2 MailScanner[21344]: Uninfected: Delivered 1
> messages
> Sep 4 14:53:35 mail2 MailScanner[21344]: Batch completed at 8002
> bytes per second (32024 / 4)
> Sep 4 14:53:35 mail2 MailScanner[21344]: Batch (1 message) processed
> in 4.00 seconds
> Sep 4 14:53:35 mail2 MailScanner[21344]: Logging message
> 9D0DFD98829.A3D54 to SQL
> Sep 4 14:53:35 mail2 MailScanner[21344]: "Always Looked Up Last" took
> 0.00 seconds
>
> MailScanner is not configured to deliver viruses in any way and has
> never done so before.
> Anyone have an idea what causes this?
>
> Regards,
> Vincent
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Thu Sep 4 17:05:07 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Sep 4 17:05:26 2008 Subject: MailScanner delivering mail with virus? - Addition In-Reply-To: References: Message-ID: <48C00733.4050004@ecs.soton.ac.uk> Please try this patch for SweepViruses.pm (in /usr/lib/MailScanner/MailScanner) --- SweepViruses.pm.old 2008-09-04 10:10:36.000000000 +0100 +++ SweepViruses.pm 2008-09-04 17:03:03.000000000 +0100 
@@ -1506,7 +1506,7 @@ return 0; } else { # Must be an infection reports - MailScanner::Log::InfoLog("%s::%s", 'ClamAVModule', $logout); + MailScanner::Log::InfoLog("%s::%s", $Name, $logout); ($dot, $id, $part, @rest) = split(/\//, $filename); $report = $Name . ': ' if $Name; Vincent Verhagen wrote: > It seems that there is more wrong here. > When Clamd detects an infection, MailScanner reports that both > ClamAVModule and F-Prot have found it... See below: > > Sep 4 17:39:20 mail2 MailScanner[26594]: New Batch: Scanning 1 > messages, 3526 bytes > Sep 4 17:39:20 mail2 MailScanner[26594]: Expired 1 records from the > SpamAssassin cache > Sep 4 17:39:20 mail2 MailScanner[26594]: Spam Checks: Found 1 spam > messages > Sep 4 17:39:20 mail2 MailScanner[26594]: Spam Checks completed at > 5695 bytes per second > Sep 4 17:39:20 mail2 MailScanner[26594]: Virus and Content Scanning: > Starting > Sep 4 17:39:22 mail2 MailScanner[26594]: ClamAVModule::INFECTED:: > Email.Spam.Gen1986.Sanesecurity.07113001 FOUND :: ./2B620D98826.EF262/ > Sep 4 17:39:22 mail2 MailScanner[26594]: Virus Scanning: Clamd found > 1 infections > Sep 4 17:39:24 mail2 MailScanner[26594]: Virus Scanning: F-Prot6 > found 1 infections > Sep 4 17:39:24 mail2 MailScanner[26594]: Infected message > 2B620D98826.EF262 came from 117.64.193.63 > Sep 4 17:39:24 mail2 MailScanner[26594]: Virus Scanning: Found 1 viruses > Sep 4 17:39:24 mail2 MailScanner[26594]: Virus Scanning completed at > 1029 bytes per second > Sep 4 17:39:24 mail2 MailScanner[26594]: Saved entire message to > /var/spool/MailScanner/quarantine/20080904/2B620D98826.EF262 > Sep 4 17:39:24 mail2 MailScanner[26594]: Batch completed at 870 bytes > per second (3526 / 4) > Sep 4 17:39:24 mail2 MailScanner[26594]: Batch (1 message) processed > in 4.05 seconds > Sep 4 17:39:24 mail2 MailScanner[26594]: Logging message > 2B620D98826.EF262 to SQL > Sep 4 17:39:24 mail2 MailScanner[26594]: "Always Looked Up Last" took > 0.00 seconds > Sep 4 17:39:24 mail2 
MailScanner[26728]: 2B620D98826.EF262: Logged to
> MailWatch SQL
>
> More info will follow as needed.
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From Kevin_Miller at ci.juneau.ak.us Thu Sep 4 17:40:59 2008
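Review bot: the changed InfoLog call in the SweepViruses.pm hunk passes $Name without a guard, while the context line two below it, `$report = $Name . ': ' if $Name;`, treats $Name as possibly empty; when it is empty the log entry would begin with a bare "::" and name no scanner at all. A fallback label for that case would keep the entry attributable. The change also renames the "ClamAVModule::INFECTED::" prefix seen in the log excerpt quoted in this thread, so anything that matches on that string in the logs needs updating. While the hunk is open, the comment "Must be an infection reports" could be corrected to "report".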
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Thu Sep 4 17:41:12 2008
Subject: MailScanner ANNOUNCE: 4.71 stable released
In-Reply-To: <48BFA652.5020508@ecs.soton.ac.uk>
References: <48BBEFC8.2060500@ecs.soton.ac.uk> <48BFA652.5020508@ecs.soton.ac.uk>
Message-ID:

Julian Field wrote:
> Kevin Miller wrote:
>> Julian Field wrote:
>>
>>> - Updated support for Esets and F-Secure virus scanners.
>>> - Thanks to F-Secure for donating me a set of server licences so I
>>> can always be sure that I am supporting the latest versions of
>>> their products. Much appreciated!
>>>
>>
>> Like several others, my F-Secure 4.65 has gone to the great
>> bit-bucket in the sky. Time to upgrade. Did you install the
>> F-Secure Linux Security 7.01? Is that the package that the latest
>> version of MailScanner has support for? I've downloaded it but not
>> yet installed it.
>>
> I have provided support for 7.01. Install it with the
> "--command-line-only" switch on the installer command-line in order to
> just get the bits you want and not any of the whole irrelevant
> management environment.

Great, thanks much Jules. As soon as they send me my new keys I'll kick that into gear. Appreciate it...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907) 586-4500

From Kevin_Miller at ci.juneau.ak.us Thu Sep 4 17:50:28 2008
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Thu Sep 4 17:50:38 2008
Subject: Spamassassin mostly stoped working after clamav/spamassasin update installation
Message-ID:

Yesterday I updated MailScanner, clamAV & spamassassin via the packages on the mailscanner site.

I'd previously set up spamassassin to use the SARE & KAM rulesets. Both the spamassassin rules & the SARE rules were in /var/lib/spamassassin/3.002004.

Last night the update_spamassassin script in cron.daily ran, and this morning in /var/lib/spamassassin there's a new directory, 3.002005, as expected. Only thing is, only the SARE rules are in it. Naturally, filtering isn't quite as robust as it was yesterday!

Did I miss a step somewhere along the way? After upgrading using the clam/sp package was there something else I needed to do? My sare-sa-updates-channel.txt contains updates.spamassassin.org as the first line, so I'm not sure why the latest/greatest rules didn't come down.

TIA..

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907) 586-4500

From agross at gcpsite.com Thu Sep 4 19:39:01 2008
From: agross at gcpsite.com (Adam Gross)
Date: Thu Sep 4 19:39:18 2008
Subject: need help..ClamAV 0.94 and MailScanner 4.69.9
In-Reply-To: <48BFD473.6030001@gmail.com>
References: <4899AC93.10501@trayerproducts.com> <4899B259.9010204@gmail.com> <4899C0F7.6070603@ecs.soton.ac.uk> <489AF542.3090608@ecs.soton.ac.uk> <48BF1F03.9040501@gmail.com><48BF7F8F.6000606@noefer.org> <48BFD473.6030001@gmail.com>
Message-ID: <826D5FDFCF76F6499D59755D401D6A86012880@gcpads01.gcpsite.local>

I'm having the same problem as this one, and the fix here works... However, I'm also seeing:

<-----
Virus and Content Scanning: Starting
/usr/local/bin/clamscan: unrecognized option `--unzip'
ERROR: Unknown option passed.
ERROR: Can't parse the command line
----->

I didn't see a similar "unzipcmd" or "zipcmd" section so I was wary to make any changes.

Adam Gross | agross@gcpsite.com | 859-630-8722

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Yashodhan Barve
Sent: Thursday, September 04, 2008 8:29 AM
To: MailScanner discussion
Subject: Re: need help..ClamAV 0.94 and MailScanner 4.69.9

Hoger Nöfer wrote:
> Yashodhan Barve wrote:
>
> Hi,
>
> have a look at /opt/MailScanner/lib/MailScanner/SweepViruses.pm, I
> comment out the
> following lines:
> if ($rarcmd && -x $rarcmd) {
> $Scanners{clamav}->{CommonOptions} .= " --unrar=$rarcmd";
> MailScanner::Log::InfoLog("ClamAV scanner using unrar command %s",
> $rarcmd);
> }
>
>
> Best regards,
> Holger

Thanks Holger. That worked.

Martin, I had tried to use clamd in 0.92 days but the daemon kept dying and even monit could not restart it. So switched to clamscan, slower but always works.

regards
yashodhan.

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. Processed by MS01.

From holger-lists at noefer.org Thu Sep 4 19:52:13 2008
From: holger-lists at noefer.org (Hoger Nöfer)
Date: Thu Sep 4 19:52:24 2008
Subject: need help..ClamAV 0.94 and MailScanner 4.69.9
In-Reply-To: <826D5FDFCF76F6499D59755D401D6A86012880@gcpads01.gcpsite.local>
References: <4899AC93.10501@trayerproducts.com> <4899B259.9010204@gmail.com> <4899C0F7.6070603@ecs.soton.ac.uk> <489AF542.3090608@ecs.soton.ac.uk> <48BF1F03.9040501@gmail.com><48BF7F8F.6000606@noefer.org> <48BFD473.6030001@gmail.com> <826D5FDFCF76F6499D59755D401D6A86012880@gcpads01.gcpsite.local>
Message-ID: <48C02E5D.8040609@noefer.org>

Adam Gross wrote:
> I'm having the same problem as this one, and the fix here works... However, I'm also seeing:
>
> <-----
> Virus and Content Scanning: Starting
> /usr/local/bin/clamscan: unrecognized option `--unzip'
> ERROR: Unknown option passed.
> ERROR: Can't parse the command line
> ----->
>
> I didn't see a similar "unzipcmd" or "zipcmd" section so I was wary to make any changes.
>
> Adam Gross | agross@gcpsite.com | 859-630-8722
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Yashodhan Barve
> Sent: Thursday, September 04, 2008 8:29 AM
> To: MailScanner discussion
> Subject: Re: need help..ClamAV 0.94 and MailScanner 4.69.9
>
> Hoger Nöfer wrote:
>
>> Yashodhan Barve wrote:
>>
>> Hi,
>>
>> have a look at /opt/MailScanner/lib/MailScanner/SweepViruses.pm, I
>> comment out the
>> following lines:
>> if ($rarcmd && -x $rarcmd) {
>> $Scanners{clamav}->{CommonOptions} .= " --unrar=$rarcmd";
>> MailScanner::Log::InfoLog("ClamAV scanner using unrar command %s",
>> $rarcmd);
>> }
>>
>>
>> Best regards,
>> Holger
>>
>
> Thanks Holger. That worked.
>
> Martin, I had tried to use clamd in 0.92 days but the daemon kept dying
> and even monit could not restart it. So switched to clamscan, slower but
> always works.
>
> regards
> yashodhan.
>

Hi,

have a look at /opt/MailScanner/lib/clamav-wrapper, too. There are many ExtraScanOptions which are unknown in the latest clamav version.

regards,
Holger

From jplorier at montecarlotv.com.uy Thu Sep 4 19:58:33 2008
From: jplorier at montecarlotv.com.uy (Juan Pablo Lorier)
Date: Thu Sep 4 20:03:10 2008
Subject: Mail passing through pretending to be whilisted
In-Reply-To: <200809041610.m84G9YjD018548@safir.blacknight.ie>
Message-ID:

Hi Denis,

So you're saying that it's not letting the mail through, just not checking the whitelist because it's been sent to too many recipients?

Thanks,

Ing. Juan Pablo Lorier
Monte Carlo TV SA
Montevideo, Uruguay
+(598)2 9244444

--
All the information contained in this email is confidential and must be used only by its recipient.

From alex at rtpty.com Thu Sep 4 20:11:19 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Thu Sep 4 20:11:36 2008
Subject: Mail passing through pretending to be whilisted
In-Reply-To:
References:
Message-ID: <0D9DF9A4-7671-4F09-AF13-D9ADFF8C6181@rtpty.com>

Exactly. That's why I mentioned splitting recipients at the mta level.

Sent from my iPhone

On Sep 4, 2008, at 1:58 PM, "Juan Pablo Lorier" wrote:

> Hi Denis,
>
> So you're saying that it's not letting the mail through, just not
> checking the whitelist because it's been sent to too many recipients?
> Thanks,
>
> Ing. Juan Pablo Lorier
> Monte Carlo TV SA
> Montevideo, Uruguay
> +(598)2 9244444
>
> -- All the information contained in this email is confidential and
> must be used only by its recipient.

From yashodhan.barve at gmail.com Thu Sep 4 20:31:00 2008
From: yashodhan.barve at gmail.com (Yashodhan Barve)
Date: Thu Sep 4 20:31:17 2008
Subject: need help..ClamAV 0.94 and MailScanner 4.69.9
In-Reply-To: <48C02E5D.8040609@noefer.org>
References: <4899AC93.10501@trayerproducts.com> <4899B259.9010204@gmail.com> <4899C0F7.6070603@ecs.soton.ac.uk> <489AF542.3090608@ecs.soton.ac.uk> <48BF1F03.9040501@gmail.com><48BF7F8F.6000606@noefer.org> <48BFD473.6030001@gmail.com> <826D5FDFCF76F6499D59755D401D6A86012880@gcpads01.gcpsite.local> <48C02E5D.8040609@noefer.org>
Message-ID: <48C03774.7090106@gmail.com>

Hoger Nöfer wrote:
> Adam Gross wrote:
>> I'm having the same problem as this one, and the fix here works... However, I'm also seeing:
>>
>> <-----
>> Virus and Content Scanning: Starting
>> /usr/local/bin/clamscan: unrecognized option `--unzip'
>> ERROR: Unknown option passed.
>> ERROR: Can't parse the command line
>> ----->
>>
>> I didn't see a similar "unzipcmd" or "zipcmd" section so I was wary to make any changes.
>>
>> Adam Gross | agross@gcpsite.com | 859-630-8722
>>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Yashodhan Barve
>> Sent: Thursday, September 04, 2008 8:29 AM
>> To: MailScanner discussion
>> Subject: Re: need help..ClamAV 0.94 and MailScanner 4.69.9
>>
>> Hoger Nöfer wrote:
>>
>>> Yashodhan Barve wrote:
>>>
>>> Hi,
>>>
>>> have a look at /opt/MailScanner/lib/MailScanner/SweepViruses.pm, I
>>> comment out the
>>> following lines:
>>> if ($rarcmd && -x $rarcmd) {
>>> $Scanners{clamav}->{CommonOptions} .= " --unrar=$rarcmd";
>>> MailScanner::Log::InfoLog("ClamAV scanner using unrar command %s",
>>> $rarcmd);
>>> }
>>>
>>>
>>> Best regards,
>>> Holger
>>>
>> Thanks Holger. That worked.
>>
>> Martin, I had tried to use clamd in 0.92 days but the daemon kept dying
>> and even monit could not restart it. So switched to clamscan, slower but
>> always works.
>>
>> regards
>> yashodhan.
>>
>
> Hi,
>
> have a look at /opt/MailScanner/lib/clamav-wrapper, too.
> There are many ExtraScanOptions which are unknown in
> the latest clamav version.
>
> regards,
> Holger

You have to comment out all the ExtraOptions in clamav-wrapper, then it should all work.

regards
yashodhan

From AHKAPLAN at PARTNERS.ORG Thu Sep 4 21:03:49 2008
From: AHKAPLAN at PARTNERS.ORG (Kaplan, Andrew H.)
Date: Thu Sep 4 21:04:00 2008
Subject: Running MailScanner 4.64.3 and SpamAssassin 3.2.5 with ClamAV 0.94
Message-ID:

Hi there -

The new release of ClamAV, version 0.94, is available for download. I was planning on installing it on our system running MailScanner and SpamAssassin. The current version of ClamAV that is in use is the 0.93.3 release.

Is there any danger to my upgrading ClamAV to the latest version, or will the latest version work with the two aforementioned programs? Thanks.

The information transmitted in this electronic communication is intended only for the person or entity to whom it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you received this information in error, please contact the Compliance HelpLine at 800-856-1983 and properly dispose of this information.

From Kevin_Miller at ci.juneau.ak.us Thu Sep 4 22:50:57 2008
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Thu Sep 4 22:51:11 2008
Subject: MailScanner ANNOUNCE: 4.71 stable released
In-Reply-To: <48BFA652.5020508@ecs.soton.ac.uk>
References: <48BBEFC8.2060500@ecs.soton.ac.uk> <48BFA652.5020508@ecs.soton.ac.uk>
Message-ID:

Julian Field wrote:
>> Julian Field wrote:
> I have provided support for 7.01. Install it with the
> "--command-line-only" switch on the installer command-line in order to
> just get the bits you want and not any of the whole irrelevant
> management environment.

I just installed f-secure 7.01 in command line mode (upgrade from 4.65) and checked my crontab. The previous installs would ask whether or not to modify crontab - this one doesn't. It just inserts the following in root's crontab:

# Start of FSSP automatically added scheduled tasks. Do not edit.
*/1 * * * * /opt/f-secure/fssp/bin/dbupdate --auto >/dev/null 2>&1
# End of FSSP automatically added scheduled tasks. Do not edit.

I presume that MailScanner has an f-secure update wrapper so I'm remming it out. Please correct me if I'm wrong on that Julian.

It struck me as really odd though - unless I'm reading it wrong, f-secure wants to check for updates every minute? Seems a bit paranoid to me.

Anyway, just wanted to give others a heads up on that...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907) 586-4500

From m.anderlini at database.it Fri Sep 5 08:17:25 2008
From: m.anderlini at database.it (Marcello Anderlini)
Date: Fri Sep 5 08:17:45 2008
Subject: R: Italian spam
In-Reply-To: <48BECD78.9030606@vanderkooij.org>
References: <2FA349F95CF3644FAFC92070E642EB6AD15339@beta.dbdomain.database.it> <48BECD78.9030606@vanderkooij.org>
Message-ID: <015e01c90f27$72acd3c0$2501a8c0@dbdomain.database.it>

I suspect then that my bayes filter is not working correctly. I daily try to instruct spamassassin using

===========================================
sa-learn --spam --mbox /var/mail/spam
and
sa-learn --ham --mbox /var/mail/notspam
===========================================

But it still scores that kind of spam as non spam.

For ex. this was a spam message:

==============================
Sep 4 20:56:33 netra MailScanner[24463]: Message m84IuSPZ011375 from 77.182.10.184 (36salamancak13@viajesecuador.net) to database.it is non spam, SpamAssassin (not cached, punteggio=-1.209, necessario 5, BAYES_00 -2.60, PLING_QUERY 1.39)
==============================

How can I be sure the bayes filter is working correctly, or reset that filter?

Thanks a lot.

Dr. Marcello Anderlini
m.anderlini@database.it
---------------------------------------------
Database Informatica S.r.l.
Microsoft Certified Partner
Tel. +39059775070
Fax. +39059779545
http://www.database.it
---------------------------------------------

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On behalf of Hugo van der Kooij
Sent: Wednesday 3 September 2008 19.47
To: MailScanner discussion
Subject: Re: Italian spam

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Marcello Anderlini wrote:
> Hello, we are now getting a lot of spam in italian language.
> Spamassassing seems not able to detect it, I try to create some custom
> rules without success.
> I get email with subject like this "Nel mondo c'e troppo male bugia"
> or "Tra gli esami bisogna non solo studiare pero`".
>
> Someone could help me to suggest something to block this kind of spam ?

Well, If you start feeding them to your Bayesian database it should learn quickly.

I noticed more dutch spam over a week ago with some customers. Well not actually dutch. It was just english spam fed through some lame translator program.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFIvs10BvzDRVjxmYERAihlAJ4nqJA8EjwOJY7S/fXguxRFSjLibwCdGSQj
3Eg9l/Gmor4zGp1e2f2q2lw=
=XDvn
-----END PGP SIGNATURE-----

--
Message checked by the Database Informatica antivirus service

From joost at waversveld.nl Fri Sep 5 08:33:54 2008
From: joost at waversveld.nl (Joost Waversveld)
Date: Fri Sep 5 08:34:18 2008
Subject: MS YUM repository?
In-Reply-To: <48BD7B92.9090101@openenterprise.ca>
References: <48BBEFC8.2060500@ecs.soton.ac.uk> <48BC5881.8010604@vanderkooij.org> <48BD7B92.9090101@openenterprise.ca>
Message-ID: <48C0E0E2.90504@waversveld.nl>

Johnny Stork wrote:
> I am running MS on CentOS 5x and I seem to recall that someone setup a
> repo to simplify MS updates with YUM. Sorry if I missed where the
> details/repo is but could someone please let me know the location of
> this repo and any additional info that might be needed to use it?
>
> Thanks
>

Hey

Just found a message about this:

[quote hugo van der kooij]
Hi,

I have updated a yum repository that will function as an add-on to the Centos 5 and rpmforge repositories. I plan to keep it up-to-date within 24 to 48 hours after Jules releases a new release. (Unless Jules will go to warp 10.)

One can find it via http://yum.vanderkooij.org/

I am also thinking of building a Mailwatch 1.04 package. But that might take quite a while.

Hugo.
[/quote]

success!

Joost waversveld

From jjlopez at at4wireless.com Fri Sep 5 09:37:41 2008
From: jjlopez at at4wireless.com (Juan Jose Lopez Gonzalez)
Date: Fri Sep 5 09:29:18 2008
Subject: Archive too deep
Message-ID:

Hi all:

We are experiencing some problems with attachments; sometimes MailScanner replaces the e-mail with a {Dangerous Content}

The content filters said:
MailScanner: archivetoodeep

Note to Help Desk: Look on IT MailScanner in /var/spool/MailScanner/quarantine/ (message ).

How can we change the depth level??

Thanks in advance.

From martinh at solidstatelogic.com Fri Sep 5 09:38:32 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Fri Sep 5 09:38:44 2008
Subject: Archive too deep
In-Reply-To:
Message-ID:

Juan

http://www.mailscanner.info/MailScanner.conf.index.html#Maximum%20Archive%20Depth

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Juan Jose Lopez Gonzalez
> Sent: 05 September 2008 09:38
> To: mailscanner@lists.mailscanner.info
> Subject: Archive too deep
>
> Hi all:
>
> We are experiencing some problems with attachments; sometimes
> MailScanner replaces the e-mail with a {Dangerous Content}
>
> The content filters said:
> MailScanner: archivetoodeep
>
> Note to Help Desk: Look on IT MailScanner in
> /var/spool/MailScanner/quarantine/ (message ).
>
>
> How can we change the depth level??
>
> Thanks in advance.
>

**********************************************************************

Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer.

Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer.

Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us.

Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free.

Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales (Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom

**********************************************************************

From MailScanner at ecs.soton.ac.uk Fri Sep 5 09:41:18 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Sep 5 09:41:35 2008
Subject: Spamassassin mostly stoped working after clamav/spamassasin update installation
In-Reply-To:
References:
Message-ID: <48C0F0AE.2050609@ecs.soton.ac.uk>

The KAM ruleset, how do you fetch it? If you do it without using sa-update, and just wget it or similar, then you want to put it into /etc/mail/spamassassin.

Kevin Miller wrote:
> Yesterday I updated MailScanner, clamAV & spamassassin via the packages
> on the mailscanner site. I'd previously set up spamassassin to use the
> SARE & KAM rulesets. Both the spamassassin rules & the SARE rules were
> in /var/lib/spamassassin/3.002004. Last night the update_spamassassin
> script in cron.daily ran, and this morning in /var/lib/spamassassin
> there's a new directory, 3.002005, as expected. Only thing is, only the
> SARE rules are in it. Naturally, filtering isn't quite as robust as it
> was yesterday!
>
> Did I miss a step somewhere along the way? After upgrading using the
> clam/sp package was there something else I needed to do? My
> sare-sa-updates-channel.txt contains updates.spamassassin.org as the
> first line, so I'm not sure why the latest/greatest rules didn't come
> down.
>
> TIA..
>
> ...Kevin
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From MailScanner at ecs.soton.ac.uk Fri Sep 5 09:48:36 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Sep 5 09:48:55 2008
Subject: need help..ClamAV 0.94 and MailScanner 4.69.9
In-Reply-To:
References: <4899AC93.10501@trayerproducts.com> <4899B259.9010204@gmail.com> <4899C0F7.6070603@ecs.soton.ac.uk> <489AF542.3090608@ecs.soton.ac.uk> <48BF1F03.9040501@gmail.com><48BF7F8F.6000606@noefer.org> <48BFD473.6030001@gmail.com> <826D5FDFCF76F6499D59755D401D6A86012880@gcpads01.gcpsite.local>
Message-ID: <48C0F264.4040407@ecs.soton.ac.uk>

Hoger Nöfer wrote:
> Adam Gross wrote:
>
>> I'm having the same problem as this one, and the fix here works... However, I'm also seeing:
>>
>> <-----
>> Virus and Content Scanning: Starting
>> /usr/local/bin/clamscan: unrecognized option `--unzip'
>> ERROR: Unknown option passed.
>> ERROR: Can't parse the command line
>> ----->
>>
>> I didn't see a similar "unzipcmd" or "zipcmd" section so I was wary to make any changes.
>>
>> Adam Gross | agross@gcpsite.com | 859-630-8722
>>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Yashodhan Barve
>> Sent: Thursday, September 04, 2008 8:29 AM
>> To: MailScanner discussion
>> Subject: Re: need help..ClamAV 0.94 and MailScanner 4.69.9
>>
>> Hoger Nöfer wrote:
>>
>>> Yashodhan Barve wrote:
>>>
>>> Hi,
>>>
>>> have a look at /opt/MailScanner/lib/MailScanner/SweepViruses.pm, I
>>> comment out the
>>> following lines:
>>> if ($rarcmd && -x $rarcmd) {
>>> $Scanners{clamav}->{CommonOptions} .= " --unrar=$rarcmd";
>>> MailScanner::Log::InfoLog("ClamAV scanner using unrar command %s",
>>> $rarcmd);
>>> }
>>>
>>>
>>> Best regards,
>>> Holger
>>>
>> Thanks Holger. That worked.
>>
>> Martin, I had tried to use clamd in 0.92 days but the daemon kept dying
>> and even monit could not restart it. So switched to clamscan, slower but
>> always works.
>>
>> regards
>> yashodhan.
>>
>
> Hi,
>
> have a look at /opt/MailScanner/lib/clamav-wrapper, too.
> There are many ExtraScanOptions which are unknown in
> the latest clamav version.
>

Attached is a new clamav-wrapper, to go inside /opt/MailScanner/lib or /usr/lib/MailScanner, depending on your setup. It's in the same directory as all the other *wrapper and *autoupdate scripts.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info

-------------- next part --------------
A non-text attachment was scrubbed...
Name: clamav-wrapper.zip
Type: application/x-zip-compressed
Size: 2510 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080905/2656f6ac/clamav-wrapper.bin

From MailScanner at ecs.soton.ac.uk Fri Sep 5 09:49:42 2008
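The failure in this thread, clamscan 0.94 refusing to start on options such as `--unzip` that older configurations still pass, can be caught before MailScanner is restarted. As an added example (not part of the thread and not MailScanner's own code), this Python script compares an option string against the long options listed in `clamscan --help` output; the help excerpt and the option string are constructed, and the function names are hypothetical.

```python
import re
import shlex

# Constructed, abbreviated excerpt in the style of `clamscan --help` output.
# On a real host, capture it with:
#   subprocess.run(["clamscan", "--help"], capture_output=True, text=True).stdout
SAMPLE_HELP = """\
    --help                -h             Print this help screen
    --version             -V             Print version number
    --verbose             -v             Be verbose
    --stdout                             Write to stdout instead of stderr
    --no-summary                         Disable summary at end of scanning
    --infected            -i             Only print infected files
    --tempdir=DIRECTORY                  Create temporary files in DIRECTORY
    --recursive[=yes/no(*)]  -r          Scan subdirectories recursively
"""

# Constructed option string of the kind a wrapper script or SweepViruses.pm
# might assemble; --unzip and --unrar are the two options named in the thread.
SAMPLE_OPTIONS = (
    "--recursive --infected --unzip --unrar=/usr/bin/unrar "
    "--stdout --no-summary --tempdir=/tmp"
)


def supported_long_options(help_text):
    """Return the set of --long-option names advertised in the help text."""
    return set(re.findall(r"^\s*(--[a-z0-9][a-z0-9-]*)", help_text, re.M))


def audit_options(option_string, help_text):
    """Split an option string into (kept, rejected) lists.

    A long option is kept only if its name, with any =value removed, appears
    in the help text. Tokens that are not long options (short flags, paths)
    are passed through unchanged because the help text cannot vouch for them.
    """
    known = supported_long_options(help_text)
    kept, rejected = [], []
    for token in shlex.split(option_string):
        if not token.startswith("--"):
            kept.append(token)
            continue
        name = token.split("=", 1)[0]
        (kept if name in known else rejected).append(token)
    return kept, rejected


if __name__ == "__main__":
    kept, rejected = audit_options(SAMPLE_OPTIONS, SAMPLE_HELP)
    print("safe to pass :", " ".join(kept))
    print("would abort  :", " ".join(rejected))
```

Any entry in the rejected list is an option that would stop the scanner from parsing its command line, so it should be removed from the wrapper before mail is scanned with the new ClamAV version.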
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Sep 5 09:50:01 2008
Subject: MailScanner ANNOUNCE: 4.71 stable released
In-Reply-To:
References: <48BBEFC8.2060500@ecs.soton.ac.uk> <48BFA652.5020508@ecs.soton.ac.uk>
Message-ID: <48C0F2A6.8060401@ecs.soton.ac.uk>

Kevin Miller wrote:
> Julian Field wrote:
>
>>> Julian Field wrote:
>>>
>> I have provided support for 7.01. Install it with the
>> "--command-line-only" switch on the installer command-line in order to
>> just get the bits you want and not any of the whole irrelevant
>> management environment.
>>
>
> I just installed f-secure 7.01 in command line mode (upgrade from 4.65)
> and checked my crontab. The previous installs would ask whether or not
> to modify crontab - this one doesn't. It just inserts the following in
> root's crontab:
>
> # Start of FSSP automatically added scheduled tasks. Do not edit.
> */1 * * * * /opt/f-secure/fssp/bin/dbupdate --auto >/dev/null 2>&1
> # End of FSSP automatically added scheduled tasks. Do not edit.
>
> I presume that MailScanner has an f-secure update wrapper so I'm remming
> it out. Please correct me if I'm wrong on that Julian.
>

You are quite correct. You don't want to do a dbupdate every minute!

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info

From MailScanner at ecs.soton.ac.uk Fri Sep 5 09:50:41 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Sep 5 09:51:01 2008
Subject: Archive too deep
In-Reply-To:
References:
Message-ID: <48C0F2E1.9060108@ecs.soton.ac.uk>

Juan Jose Lopez Gonzalez wrote:
> Hi all:
>
> We are experiencing some problems with attachments; sometimes
> MailScanner replaces the e-mail with a {Dangerous Content}
>
> The content filters said:
> MailScanner: archivetoodeep
>

You need to run upgrade_languages_conf as well, to replace that "archivetoodeep" tag with the correct text for the user to read.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info

From topper at libero.it Fri Sep 5 11:33:59 2008
From: topper at libero.it (topper@libero.it)
Date: Fri Sep 5 11:34:08 2008
Subject: MailScanner delivering mail with virus?
Message-ID:

---------- Initial Header -----------

>From : mailscanner-bounces@lists.mailscanner.info
To : "MailScanner discussion" mailscanner@lists.mailscanner.info
Cc :
Date : Thu, 04 Sep 2008 17:35:34 +0200
Subject : MailScanner delivering mail with virus?

Hello, same trouble here:

Sep 5 12:31:36 dns1 MailScanner[13266]: /var/spool/MailScanner/incoming/13266/./065764C1E2.556EC.message: Email.Phishing.Cur.Gen799.Sanesecurity.08021403 FOUND
Sep 5 12:31:36 dns1 MailScanner[13266]: Virus Scanning: ClamAV found 1 infections
Sep 5 12:31:36 dns1 MailScanner[13266]: Infected message 065764C1E2.556EC.message came from
Sep 5 12:31:36 dns1 MailScanner[13266]: Virus Scanning: Found 1 viruses
Sep 5 12:31:37 dns1 MailScanner[13266]: Requeue: 3C3A7B68002.E41D3 to A9A6C4C010
Sep 5 12:31:37 dns1 MailScanner[13266]: Requeue: B4982B68004.80A12 to 1B48B4C193
Sep 5 12:31:37 dns1 MailScanner[13266]: Requeue: 065764C1E2.556EC to 259CB4C1B1
Sep 5 12:31:37 dns1 MailScanner[13266]: Requeue: C6D414C111.21050 to CB5A94C1E2
Sep 5 12:31:37 dns1 MailScanner[13266]: Uninfected: Delivered 4 messages

MailScanner 4.70.7 on Debian Etch.

> Using:
> MailScanner 4.71.10
> F-Prot-6 (not the daemon)
>
> For some reason, MailScanner has passed some emails that were
> virusinfected according to F-Prot.
> See this excerpt from the log:

From MailScanner at ecs.soton.ac.uk Fri Sep 5 11:54:53 2008
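The log excerpt in the post above shows message 065764C1E2.556EC reported as infected and then requeued for delivery by the same MailScanner process. As an added example (not part of the original posts and not MailScanner code), this Python script correlates those two event types in a maillog to flag that condition; the function names are hypothetical, the control log is constructed, and the `.message` suffix is stripped only because the excerpt logs the same ID with and without it.

```python
import re
from collections import defaultdict

# Log lines copied from the post above (process 13266 on host dns1).
SAMPLE_LOG = """\
Sep 5 12:31:36 dns1 MailScanner[13266]: /var/spool/MailScanner/incoming/13266/./065764C1E2.556EC.message: Email.Phishing.Cur.Gen799.Sanesecurity.08021403 FOUND
Sep 5 12:31:36 dns1 MailScanner[13266]: Virus Scanning: ClamAV found 1 infections
Sep 5 12:31:36 dns1 MailScanner[13266]: Infected message 065764C1E2.556EC.message came from
Sep 5 12:31:36 dns1 MailScanner[13266]: Virus Scanning: Found 1 viruses
Sep 5 12:31:37 dns1 MailScanner[13266]: Requeue: 3C3A7B68002.E41D3 to A9A6C4C010
Sep 5 12:31:37 dns1 MailScanner[13266]: Requeue: B4982B68004.80A12 to 1B48B4C193
Sep 5 12:31:37 dns1 MailScanner[13266]: Requeue: 065764C1E2.556EC to 259CB4C1B1
Sep 5 12:31:37 dns1 MailScanner[13266]: Requeue: C6D414C111.21050 to CB5A94C1E2
Sep 5 12:31:37 dns1 MailScanner[13266]: Uninfected: Delivered 4 messages
"""

# Constructed control: the infected message is never requeued; only an
# unrelated (made-up) queue ID is delivered.
CONTROL_LOG = """\
Aug 31 02:11:56 relay MailScanner[22637]: Infected message C5B321FC55.019F5 came from 217.76.130.123
Aug 31 02:11:56 relay MailScanner[22637]: Virus Scanning: Found 1 viruses
Aug 31 02:11:57 relay MailScanner[22637]: Requeue: 0A1B2C3D4E.00001 to 5F6A7B8C9D
Aug 31 02:11:57 relay MailScanner[22637]: Uninfected: Delivered 1 messages
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"MailScanner\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
INFECTED_RE = re.compile(r"^Infected message (?P<id>\S+) came from\s*(?P<ip>\S*)")
REQUEUE_RE = re.compile(r"^Requeue: (?P<id>\S+) to (?P<new>\S+)")
BATCH_END_RE = re.compile(r"^Uninfected: Delivered \d+ messages")


def normalise_id(raw_id):
    """Drop a trailing '.message' so both spellings of an ID compare equal."""
    suffix = ".message"
    return raw_id[: -len(suffix)] if raw_id.endswith(suffix) else raw_id


def find_delivered_infections(log_text):
    """Return one finding per message logged as infected and later requeued
    by the same MailScanner process within the same batch."""
    infected = defaultdict(dict)  # pid -> {message id: (timestamp, source ip)}
    findings = []
    for line in log_text.splitlines():
        entry = SYSLOG_RE.match(line)
        if not entry:
            continue
        pid, msg = entry["pid"], entry["msg"]
        hit = INFECTED_RE.match(msg)
        if hit:
            infected[pid][normalise_id(hit["id"])] = (entry["ts"], hit["ip"])
            continue
        hit = REQUEUE_RE.match(msg)
        if hit:
            msg_id = normalise_id(hit["id"])
            if msg_id in infected[pid]:
                seen_at, source_ip = infected[pid][msg_id]
                findings.append({
                    "host": entry["host"], "pid": pid, "message_id": msg_id,
                    "infected_at": seen_at, "source_ip": source_ip,
                    "requeued_at": entry["ts"], "requeued_as": hit["new"],
                })
            continue
        if BATCH_END_RE.match(msg):
            # Batch finished: forget its IDs so a reused queue ID in a later
            # batch of the same process is not flagged by mistake.
            infected[pid].clear()
    return findings


if __name__ == "__main__":
    for f in find_delivered_infections(SAMPLE_LOG):
        print("ALERT {host} pid {pid}: {message_id} flagged infected at "
              "{infected_at}, requeued as {requeued_as} at {requeued_at}".format(**f))
```

Run against a full maillog, each finding identifies a message to pull from the outbound queue and an incident worth attaching to a bug report.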
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Sep 5 11:55:13 2008
Subject: MailScanner delivering mail with virus?
In-Reply-To:
References:
Message-ID: <48C10FFD.8030407@ecs.soton.ac.uk>

Please can you send me an example file out of your queue or quarantine (as a raw queue file please, if possible).

topper@libero.it wrote:
> ---------- Initial Header -----------
>
> >From : mailscanner-bounces@lists.mailscanner.info
> To : "MailScanner discussion" mailscanner@lists.mailscanner.info
> Cc :
> Date : Thu, 04 Sep 2008 17:35:34 +0200
> Subject : MailScanner delivering mail with virus?
>
> Hello, same trouble here:
>
> Sep 5 12:31:36 dns1 MailScanner[13266]: /var/spool/MailScanner/incoming/13266/./065764C1E2.556EC.message: Email.Phishing.Cur.Gen799.Sanesecurity.08021403 FOUND
> Sep 5 12:31:36 dns1 MailScanner[13266]: Virus Scanning: ClamAV found 1 infections
> Sep 5 12:31:36 dns1 MailScanner[13266]: Infected message 065764C1E2.556EC.message came from
> Sep 5 12:31:36 dns1 MailScanner[13266]: Virus Scanning: Found 1 viruses
> Sep 5 12:31:37 dns1 MailScanner[13266]: Requeue: 3C3A7B68002.E41D3 to A9A6C4C010
> Sep 5 12:31:37 dns1 MailScanner[13266]: Requeue: B4982B68004.80A12 to 1B48B4C193
> Sep 5 12:31:37 dns1 MailScanner[13266]: Requeue: 065764C1E2.556EC to 259CB4C1B1
> Sep 5 12:31:37 dns1 MailScanner[13266]: Requeue: C6D414C111.21050 to CB5A94C1E2
> Sep 5 12:31:37 dns1 MailScanner[13266]: Uninfected: Delivered 4 messages
>
> MailScanner 4.70.7 on Debian Etch.
>
>> Using:
>> MailScanner 4.71.10
>> F-Prot-6 (not the daemon)
>>
>> For some reason, MailScanner has passed some emails that were
>> virusinfected according to F-Prot.
>> See this excerpt from the log:
>>
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info

From amoore at dekalbmemorial.com Fri Sep 5 16:19:00 2008
From: amoore at dekalbmemorial.com (Aaron K. Moore)
Date: Fri Sep 5 16:19:13 2008
Subject: Spamassassin mostly stoped working after clamav/spamassasin update installation
In-Reply-To:
References:
Message-ID: <60D398EB2DB948409CA1F50D8AF1225704130721@exch1.dekalbmemorial.local>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Julian Field
> Sent: Friday, September 05, 2008 4:41 AM
> To: MailScanner discussion
> Subject: Re: Spamassassin mostly stoped working after
> clamav/spamassasin update installation
>
> The KAM ruleset, how do you fetch it? If you do it without
> using sa-update, and just wget it or similar, then you want
> to put it into /etc/mail/spamassassin.

As far as I know it does not have an sa-update channel. I wrote a script to download it.

http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf

--
Aaron Kent Moore
Information Technology Services
DeKalb Memorial Hospital, Inc.
Auburn, Indiana
Phone: 260.920.2808
E-Mail: amoore@dekalbmemorial.com

From yashodhan.barve at gmail.com Fri Sep 5 16:27:53 2008
From: yashodhan.barve at gmail.com (Yashodhan Barve)
Date: Fri Sep 5 16:28:05 2008
Subject: need help..ClamAV 0.94 and MailScanner 4.69.9
In-Reply-To: <48C0F264.4040407@ecs.soton.ac.uk>
References: <4899AC93.10501@trayerproducts.com> <4899B259.9010204@gmail.com> <4899C0F7.6070603@ecs.soton.ac.uk> <489AF542.3090608@ecs.soton.ac.uk> <48BF1F03.9040501@gmail.com><48BF7F8F.6000606@noefer.org> <48BFD473.6030001@gmail.com> <826D5FDFCF76F6499D59755D401D6A86012880@gcpads01.gcpsite.local> <48C0F264.4040407@ecs.soton.ac.uk>
Message-ID: <48C14FF9.4080408@gmail.com>

Julian Field wrote:
>
>
> snipped..
>>
> Attached is a new clamav-wrapper, to go inside /opt/MailScanner/lib or
> /usr/lib/MailScanner, depending on your setup. It's in the same
> directory as all the other *wrapper and *autoupdate scripts.
>
>
> Jules
>

Thanks.

yashodhan..

From AHKAPLAN at PARTNERS.ORG Fri Sep 5 16:48:47 2008
From: AHKAPLAN at PARTNERS.ORG (Kaplan, Andrew H.) Date: Fri Sep 5 16:49:00 2008 Subject: Updating MailScanner to Latest Version Along with SA and ClamAV Easy Install Package Message-ID: Hi there - I am ready to update MailScanner to the latest version along with that of the SA and ClamAV Easy Install package. My question is the following: Should I do the Easy Installation Package first, and then do MailScanner or vice versa? Thanks. From alex at rtpty.com Fri Sep 5 16:59:33 2008 
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Fri Sep 5 16:59:50 2008 Subject: Updating MailScanner to Latest Version Along with SA and ClamAV Easy Install Package In-Reply-To: References: Message-ID: <15677694-83E3-44BF-B7F3-5255C953D23B@rtpty.com> I believe this has been asked before, but it would be good for everyone who's new here (and those of us who forget!) which one's first both when upgrading and when installing for the first time - although I suspect/believe/seem to remember that Julian's written it so well that it makes little or no difference. And it should be (if it isn't already) on the wiki! :D On Sep 5, 2008, at 10:48 AM, Kaplan, Andrew H. wrote: > My question is the following: Should I do the Easy Installation > Package first, and then do MailScanner or vice versa? > From richard.siddall at elirion.net Fri Sep 5 17:06:21 2008 
From: richard.siddall at elirion.net (Richard Siddall) Date: Fri Sep 5 17:06:45 2008 Subject: Whitelisting In-Reply-To: <48BEA2BA.7010609@zuka.net> References: <48BEA2BA.7010609@zuka.net> Message-ID: <48C158FD.1030604@elirion.net> Dave Filchak wrote: > Folks ... I have been trying to whitelist a particular newsletter that > we send out on behalf of a client of ours and have had no luck. It > always comes back with the following subject: [Lifeskills_News] {Spam?} > September 2008 Update. Mailman is hosted on my secondary mail server so > the original post is sent to my main mail server and then is aliased > over to my secondary mail server and on to Mailman. My client, > understandably, is getting upset with seeing the {Spam} in the subject. > The message is HTML but is not getting tagged as spam by my main mail > server, but rather, by my secondary. I have the following rules in my > rules file on the secondary: [snip] > Subject: [Lifeskills_News] {Spam?} September 2008 Update [snip] > > An help will be much appreciated. Dave, I didn't see a reply to your e-mail yet. I was going to point out that it looks from the subject line like the e-mail is being marked as spam before it gets to Mailman, but you seem to have already concluded that. My second guess was that the from is: > From: "YWCA Lifeskills: Training, Coaching, > Publications" and you don't have that in your whitelist, but that's not true either. Is your whitelist file referenced in MailScanner.conf? Regards, Richard Siddall From alex at rtpty.com Fri Sep 5 17:16:16 2008 
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Fri Sep 5 17:17:02 2008 Subject: Post on Slashdot Message-ID: I saw this post on Slashdot and wanted to share - see if you have any insights, suggestions, etc. ---- Use the information against the spammers? (Score:4, Interesting) by Seriph (466197) on Friday September 05, @08:49AM (#24886827) I've been doing some digging into this over the last few months and noticed an awful lot of spamvertized sites seem to have their domains registered with such privacy protecting registrars. I've been thinking about how to use the fact that a domain is registered with such a registrar as part of a spam scoring metric and whether anyone else has already done work on this? Just on the mail passing through my systems, I'm seeing a very strong correlation between a mail being spam and it referring to a domain registered with such a registrar, with the domain nameservers being on dynamic IP space, and with the DNS for the spam domain having a very low TTL value set. It's also interesting to track back the nameservers for any domains referred to in the NS records of the spam domain. By doing so I can find fairly large networks of interrelated spam domains and spam websites, the addresses of many of which already appear on the likes of the Spamcop and Spamhaus SBL/XBL lists or appear there shortly afterwards. The point is, is it practical to use this sort of information against spammers and is anyone already doing it? ----- From ms-list at alexb.ch Fri Sep 5 17:20:49 2008 
From: ms-list at alexb.ch (Alex Broens) Date: Fri Sep 5 17:21:08 2008 Subject: Mailscanner Version 4.71.10-1 / ClamAV 0.94 infection reporting. In-Reply-To: <48BFAB6F.5090902@ecs.soton.ac.uk> References: <48BFAB6F.5090902@ecs.soton.ac.uk> Message-ID: <48C15C61.2010600@alexb.ch> On 9/4/2008 11:33 AM, Julian Field wrote: > > > Alex Broens wrote: >> Good day All, >> >> Mailscanner Version 4.71.10-1 / ClamAV 0.94 using ClamD >> >> >> MailScanner --lint: >> >> Virus and Content Scanning: Starting >> ClamAVModule::INFECTED:: Eicar-Test-Signature FOUND :: ./1/ >> ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com >> Virus Scanning: Clamd found 2 infections >> Infected message 1 came from 10.1.1.1 >> Virus Scanning: Found 2 viruses >> Filename Checks: (1 eicar.com) >> >> Doesn't seem right/elegant to me. >> >> It causes Mailwatch 1.x to report: >> >> Clamd: message was infected: Trojan.Fakealert-532 FOUND >> Clamd: Late.Night.rar was infected: Trojan.Fakealert-532 >> >> >> Can anybody reproduce running "MailScanner --lint" >> >> Jules? > The "./1/" line is caused by "ClamAV Full Message Scan = yes". > I believe it is the correct output. > Can anyone contradict me? Jules Did a fresh test setup on fresh Centos 5.2 ClamAV Full Message Scan = no only writes 1 "line". - confirmed. Sep 5 18:12:52 ms1 MailScanner[8640]: ClamAVModule::INFECTED:: Trojan.Fakealert-532 :: ./00AD510082F2.3A2DC/Late.Night.rar ____ ClamAV Full Message Scan = yes writes 2 "lines" Sep 5 17:53:09 ms1 MailScanner[2747]: ClamAVModule::INFECTED:: HTML.Phishing.Bank-1272 :: ./815BD10082B5.02C82/msg-2747-17.html Sep 5 17:53:09 ms1 MailScanner[2747]: ClamAVModule::INFECTED:: HTML.Phishing.Bank-1272 FOUND :: ./815BD10082B5.02C82/ ___ I don't understand why this is necessary and would like to request consistency so that "ClamAV Full Message Scan = yes" logs like "ClamAV Full Message Scan = no" thanks Alex From dominian at slackadelic.com Fri Sep 5 17:21:55 2008 
From: dominian at slackadelic.com (Matt Hayes) Date: Fri Sep 5 17:22:11 2008 Subject: Post on Slashdot In-Reply-To: References: Message-ID: <48C15CA3.7070103@slackadelic.com> Alex Neuman van der Hans wrote: > I saw this post on Slashdot and wanted to share - see if you have any > insights, suggestions, etc. > > ---- > Use the information against the spammers? (Score:4, Interesting) > by Seriph (466197) on Friday September 05, @08:49AM (#24886827) > > I've been doing some digging into this over the last few months and > noticed an awful lot of spamvertized sites seem to have their domains > registered with such privacy protecting registrars. > > I've been thinking about how to use the fact that a domain is registered > with such a registrar as part of a spam scoring metric and whether > anyone else has already done work on this? Just on the mail passing > through my systems, I'm seeing a very strong correlation between a mail > being spam and it referring to a domain registered with such a > registrar, with the domain nameservers being on dynamic IP space, and > with the DNS for the spam domain having a very low TTL value set. > > It's also interesting to track back the nameservers for any domains > referred to in the NS records of the spam domain. By doing so I can find > fairly large networks of interrelated spam domains and spam websites, > the addresses of many of which already appear on the likes of the > Spamcop and Spamhaus SBL/XBL lists or appear there shortly afterwards. > > The point is, is it practical to use this sort of information against > spammers and is anyone already doing it? > ----- > > To me, private registration is a fine thing. I do it with my domains. If people start scoring spam because of a private registration, I would say a lot of false positives are going to happen. The private registration just means that the contact info posted is a "proxy" to the real person. 
All in all, you can still get a hold of the right people, just takes a little bit longer.

-Matt

From martinh at solidstatelogic.com Fri Sep 5 17:30:50 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Fri Sep 5 17:31:03 2008
Subject: Post on Slashdot
In-Reply-To: <48C15CA3.7070103@slackadelic.com>
Message-ID:

Second what Matt says. We've had info from my wife's domain info used in two fraudulent attempts to get loans. The information was very specific to a couple of unusual things that were in the domain registration.

Given the low use of the domain and the amount of hassle these two attempts gave us we've dropped the domain completely.

(oh yeah and complete disinterest from the Police as well didn't help).

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Matt Hayes > Sent: 05 September 2008 17:22 > To: MailScanner discussion > Subject: Re: Post on Slashdot > > Alex Neuman van der Hans wrote: > > I saw this post on Slashdot and wanted to share - see if > you have any > > insights, suggestions, etc. > > > > ---- > > Use the information against the spammers? (Score:4, Interesting) by > > Seriph (466197) on Friday September 05, @08:49AM (#24886827) > > > > I've been doing some digging into this over the last few months and > > noticed an awful lot of spamvertized sites seem to have > their domains > > registered with such privacy protecting registrars. > > > > I've been thinking about how to use the fact that a domain is > > registered with such a registrar as part of a spam scoring > metric and > > whether anyone else has already done work on this? Just on the mail > > passing through my systems, I'm seeing a very strong correlation > > between a mail being spam and it referring to a domain > registered with > > such a registrar, with the domain nameservers being on dynamic IP > > space, and with the DNS for the spam domain having a very > low TTL value set. > > > > It's also interesting to track back the nameservers for any domains > > referred to in the NS records of the spam domain. By doing so I can > > find fairly large networks of interrelated spam domains and spam > > websites, the addresses of many of which already appear on > the likes > > of the Spamcop and Spamhaus SBL/XBL lists or appear there > shortly afterwards. > > > > The point is, is it practical to use this sort of > information against > > spammers and is anyone already doing it? > > ----- > > > > > > > To me, private registration is a fine thing. I do it with my domains. > If people start scoring spam because of a private > registration, I would say a lot of false positives are going > to happen. 
The private registration just means that the > contact info posted is a "proxy" to the real person. All in > all, you can still get a hold of the right people, just takes > a little bit longer. > > -Matt From alex at rtpty.com Fri Sep 5 18:12:42 2008 
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Fri Sep 5 18:13:00 2008 Subject: Post on Slashdot In-Reply-To: <48C15CA3.7070103@slackadelic.com> References: <48C15CA3.7070103@slackadelic.com> Message-ID: <8ADE7744-27F9-47F1-8D48-2610384CD805@rtpty.com> Point taken. But what about scoring on a combination of these factors? Sent from my iPhone On Sep 5, 2008, at 11:21 AM, Matt Hayes wrote: > Alex Neuman van der Hans wrote: >> I saw this post on Slashdot and wanted to share - see if you have any >> insights, suggestions, etc. >> >> ---- >> Use the information against the spammers? (Score:4, Interesting) >> by Seriph (466197) on Friday September 05, @08:49AM (#24886827) >> >> I've been doing some digging into this over the last few months and >> noticed an awful lot of spamvertized sites seem to have their domains >> registered with such privacy protecting registrars. >> >> I've been thinking about how to use the fact that a domain is >> registered >> with such a registrar as part of a spam scoring metric and whether >> anyone else has already done work on this? Just on the mail passing >> through my systems, I'm seeing a very strong correlation between a >> mail >> being spam and it referring to a domain registered with such a >> registrar, with the domain nameservers being on dynamic IP space, and >> with the DNS for the spam domain having a very low TTL value set. >> >> It's also interesting to track back the nameservers for any domains >> referred to in the NS records of the spam domain. By doing so I can >> find >> fairly large networks of interrelated spam domains and spam websites, >> the addresses of many of which already appear on the likes of the >> Spamcop and Spamhaus SBL/XBL lists or appear there shortly >> afterwards. >> >> The point is, is it practical to use this sort of information against >> spammers and is anyone already doing it? >> ----- >> >> > > > To me, private registration is a fine thing. I do it with my domains. 
> If people start scoring spam because of a private registration, I > would > say a lot of false positives are going to happen. The private > registration just means that the contact info posted is a "proxy" to > the > real person. All in all, you can still get a hold of the right > people, > just takes a little bit longer. > > -Matt From mkettler at evi-inc.com Fri Sep 5 18:12:11 2008 
From: mkettler at evi-inc.com (Matt Kettler) Date: Fri Sep 5 18:15:21 2008 Subject: Post on Slashdot In-Reply-To: <48C15CA3.7070103@slackadelic.com> References: <48C15CA3.7070103@slackadelic.com> Message-ID: <48C1686B.7080208@evi-inc.com> Matt Hayes wrote: > Alex Neuman van der Hans wrote: >> I saw this post on Slashdot and wanted to share - see if you have any >> insights, suggestions, etc. >> >> ---- >> Use the information against the spammers? (Score:4, Interesting) >> by Seriph (466197) on Friday September 05, @08:49AM (#24886827) >> >> I've been doing some digging into this over the last few months and >> noticed an awful lot of spamvertized sites seem to have their domains >> registered with such privacy protecting registrars. >> >> I've been thinking about how to use the fact that a domain is registered >> with such a registrar as part of a spam scoring metric and whether >> anyone else has already done work on this? Just on the mail passing >> through my systems, I'm seeing a very strong correlation between a mail >> being spam and it referring to a domain registered with such a >> registrar, with the domain nameservers being on dynamic IP space, and >> with the DNS for the spam domain having a very low TTL value set. >> >> It's also interesting to track back the nameservers for any domains >> referred to in the NS records of the spam domain. By doing so I can find >> fairly large networks of interrelated spam domains and spam websites, >> the addresses of many of which already appear on the likes of the >> Spamcop and Spamhaus SBL/XBL lists or appear there shortly afterwards. >> >> The point is, is it practical to use this sort of information against >> spammers and is anyone already doing it? >> ----- >> >> > > > To me, private registration is a fine thing. I do it with my domains. > If people start scoring spam because of a private registration, I would > say a lot of false positives are going to happen. 
The private > registration just means that the contact info posted is a "proxy" to the > real person. All in all, you can still get a hold of the right people, > just takes a little bit longer. > True, but as I read it that's not the point here. The point is not that "private registration = spam". It's "private registration + dynamic IP + low DNS TTLS = spam", and they're also talking about URI's in the message, not the sending domain. Quite frankly, you can probably just drop the private registration part. An email with a URI pointing to a domain with low DNS TTLs is very likely to be spam, no matter how the domain is registered. Quite frankly, I suspect uribl.com already uses the described metric for preemptively blacklisting domains (yes, they *do* have automated systems that troll around for candidate domains that have not yet spammed, although they are reluctant to describe what metrics they use.), so if you've got URIBL_BLACK (a default rule) you're probably already using this technique without realizing it. From alex at rtpty.com Fri Sep 5 18:27:08 2008 From: alex at rtpty.com (Alex Neuman van der Hans) Date: Fri Sep 5 18:27:24 2008 Subject: Post on Slashdot In-Reply-To: <48C1686B.7080208@evi-inc.com> References: <48C15CA3.7070103@slackadelic.com> <48C1686B.7080208@evi-inc.com> Message-ID: <0D2A6003-4062-4BB7-A4AC-10575C6D2009@rtpty.com> But is there a way to implement this beyond URI_BLACK? On Sep 5, 2008, at 12:12 PM, Matt Kettler wrote: > Quite frankly, you can probably just drop the private registration > part. An email with a URI pointing to a domain with low DNS TTLs is > very likely to be spam, no matter how the domain is registered. From Kevin_Miller at ci.juneau.ak.us Fri Sep 5 18:38:11 2008 
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Fri Sep 5 18:38:23 2008
Subject: Spamassassin mostly stoped working after clamav/spamassasin update installation
In-Reply-To: <48C0F0AE.2050609@ecs.soton.ac.uk>
References: <48C0F0AE.2050609@ecs.soton.ac.uk>
Message-ID:

Julian Field wrote:
> The KAM ruleset, how do you fetch it? If you do it without using
> sa-update, and just wget it or similar, then you want to put it into
> /etc/mail/spamassassin.

The KAM ruleset does live in /etc/mail/spamassassin. It's updated by /etc/cron.daily/KAM.cf.sh per your post from a year or so ago and is working fine. Sorry if that was confusing. It was the spamassassin rules that were missing.

I poked and prodded around quite a bit, and finally just ran sa-update on its own. That complained about an invalid or missing gpg key, but had a couple lines on how to import the key for spamassassin. Don't know how it got borked. I imported the keys and then reran sa-update. After I did that, the latest spamassassin files came over OK. I suspect that may have been the problem all along, but since I was initially running /etc/cron.daily/update_spamassassin I never saw the output (even w/the -D option in /etc/sysconfig/MailScanner).

I noticed in my poking & prodding that update_spamassassin was enabled in /etc/cron.daily and I also was running sa-update in root's crontab. It's been so long I can't recall why that was, but in looking through the archive I noted in the release notes of a 4.6X release of MailScanner that it fixed the call to sa-update. So I guess I can remove the sa-update crontab entry, and update_spamassassin will take care of both the SARE rules as well as the spamassassin rules, yes? (SARE rules channel is defined in /etc/sysconfig/MailScanner, btw.)

Thanks...

...Kevin
--
Kevin Miller Registered Linux User No: 307357
CBJ MIS Dept. Network Systems Admin., Mail Admin.
155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From mkettler at evi-inc.com Fri Sep 5 19:17:18 2008 From: mkettler at evi-inc.com (Matt Kettler) Date: Fri Sep 5 19:19:01 2008 Subject: Post on Slashdot In-Reply-To: <0D2A6003-4062-4BB7-A4AC-10575C6D2009@rtpty.com> References: <48C15CA3.7070103@slackadelic.com> <48C1686B.7080208@evi-inc.com> <0D2A6003-4062-4BB7-A4AC-10575C6D2009@rtpty.com> Message-ID: <48C177AE.6040804@evi-inc.com> Alex Neuman van der Hans wrote: > But is there a way to implement this beyond URI_BLACK? > > On Sep 5, 2008, at 12:12 PM, Matt Kettler wrote: > >> Quite frankly, you can probably just drop the private registration >> part. An email with a URI pointing to a domain with low DNS TTLs is >> very likely to be spam, no matter how the domain is registered. > Not practically. Doing high-volume realtime whois queries is a good way to get your server blacklisted by the registrars who operate the whois servers. From alex at rtpty.com Fri Sep 5 19:38:37 2008 
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Fri Sep 5 19:38:57 2008 Subject: Post on Slashdot In-Reply-To: <48C177AE.6040804@evi-inc.com> References: <48C15CA3.7070103@slackadelic.com> <48C1686B.7080208@evi-inc.com> <0D2A6003-4062-4BB7-A4AC-10575C6D2009@rtpty.com> <48C177AE.6040804@evi-inc.com> Message-ID: Good point. Sent from my iPhone On Sep 5, 2008, at 1:17 PM, Matt Kettler wrote: > Alex Neuman van der Hans wrote: >> But is there a way to implement this beyond URI_BLACK? >> On Sep 5, 2008, at 12:12 PM, Matt Kettler wrote: >>> Quite frankly, you can probably just drop the private registration >>> part. An email with a URI pointing to a domain with low DNS TTLs >>> is very likely to be spam, no matter how the domain is registered. > > Not practically. Doing high-volume realtime whois queries is a good > way to get your server blacklisted by the registrars who operate the > whois servers. From MailScanner at ecs.soton.ac.uk Fri Sep 5 20:48:44 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Sep 5 20:49:06 2008
Subject: Updating MailScanner to Latest Version Along with SA and ClamAV Easy Install Package
In-Reply-To:
References:
Message-ID: <48C18D1C.3030709@ecs.soton.ac.uk>

I would update MailScanner first, then the SA+ClamAV package. I would also personally install in that order too.

Kaplan, Andrew H. wrote:
>
> Hi there -
>
> I am ready to update MailScanner to the latest version along with that
> of the SA and ClamAV Easy Install package.
>
> My question is the following: Should I do the Easy Installation
> Package first, and then do MailScanner or vice versa?
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From MailScanner at ecs.soton.ac.uk Fri Sep 5 20:51:40 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Sep 5 20:51:58 2008 Subject: Mailscanner Version 4.71.10-1 / ClamAV 0.94 infection reporting. In-Reply-To: References: <48BFAB6F.5090902@ecs.soton.ac.uk> Message-ID: <48C18DCC.5020806@ecs.soton.ac.uk> Alex Broens wrote: > On 9/4/2008 11:33 AM, Julian Field wrote: >> >> >> Alex Broens wrote: >>> Good day All, >>> >>> Mailscanner Version 4.71.10-1 / ClamAV 0.94 using ClamD >>> >>> >>> MailScanner --lint: >>> >>> Virus and Content Scanning: Starting >>> ClamAVModule::INFECTED:: Eicar-Test-Signature FOUND :: ./1/ >>> ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com >>> Virus Scanning: Clamd found 2 infections >>> Infected message 1 came from 10.1.1.1 >>> Virus Scanning: Found 2 viruses >>> Filename Checks: (1 eicar.com) >>> >>> Doesn't seem right/elegant to me. >>> >>> It causes Mailwatch 1.x to report: >>> >>> Clamd: message was infected: Trojan.Fakealert-532 FOUND >>> Clamd: Late.Night.rar was infected: Trojan.Fakealert-532 >>> >>> >>> Can anybody reproduce running "MailScanner --lint" >>> >>> Jules? >> The "./1/" line is caused by "ClamAV Full Message Scan = yes". >> I believe it is the correct output. >> Can anyone contradict me? > > Jules > > Did a fresh test setup on fresh Centos 5.2 > > ClamAV Full Message Scan = no > > only writes 1 "line". - confirmed. 
> > Sep 5 18:12:52 ms1 MailScanner[8640]: ClamAVModule::INFECTED:: > Trojan.Fakealert-532 :: ./00AD510082F2.3A2DC/Late.Night.rar > > > ____ > ClamAV Full Message Scan = yes > > writes 2 "lines" > > Sep 5 17:53:09 ms1 MailScanner[2747]: ClamAVModule::INFECTED:: > HTML.Phishing.Bank-1272 :: ./815BD10082B5.02C82/msg-2747-17.html > Sep 5 17:53:09 ms1 MailScanner[2747]: ClamAVModule::INFECTED:: > HTML.Phishing.Bank-1272 FOUND :: ./815BD10082B5.02C82/ > ___ > > I don't understand why this is necessary and would like to request > consistency so that "ClamAV Full Message Scan = yes" logs like > "ClamAV Full Message Scan = no" So you want me to *not* log the fact that the Full Message Scan found a virus? Seems a bit strange to me... Do other people agree with me or Alex? Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From Kevin_Miller at ci.juneau.ak.us Fri Sep 5 21:06:03 2008 
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Fri Sep 5 21:06:16 2008 Subject: Mailscanner Version 4.71.10-1 / ClamAV 0.94 infection reporting. In-Reply-To: <48C18DCC.5020806@ecs.soton.ac.uk> References: <48BFAB6F.5090902@ecs.soton.ac.uk> <48C18DCC.5020806@ecs.soton.ac.uk> Message-ID: Julian Field wrote: > Alex Broens wrote: >> ClamAV Full Message Scan = yes >> >> writes 2 "lines" >> >> Sep 5 17:53:09 ms1 MailScanner[2747]: ClamAVModule::INFECTED:: >> HTML.Phishing.Bank-1272 :: ./815BD10082B5.02C82/msg-2747-17.html >> Sep 5 17:53:09 ms1 MailScanner[2747]: ClamAVModule::INFECTED:: >> HTML.Phishing.Bank-1272 FOUND :: ./815BD10082B5.02C82/ ___ >> >> I don't understand why this is necessary and would like to request >> consistency so that "ClamAV Full Message Scan = yes" logs like >> "ClamAV Full Message Scan = no" > So you want me to *not* log the fact that the Full Message Scan found > a virus? Seems a bit strange to me... > Do other people agree with me or Alex? I think what he wants is that "... = yes" output a single line, not a duplicate. It should be logged, but not twice, one right after the other... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From spamlists at coders.co.uk Fri Sep 5 21:18:39 2008 
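The duplicate `ClamAVModule::INFECTED` entries discussed in this thread can be collapsed when reading the logs. The following is an added example, not MailScanner code and not from any poster; the function names and the last sample line are constructed. It handles both entry orders quoted in the thread and shows why a line-at-a-time filter depends on that order.

```python
import re
from collections import namedtuple

# Log lines quoted in the thread, in both orders seen there (syslog: attachment
# entry first; --lint: whole-message entry first). The last line is constructed:
# a hit reported only by the full message scan.
SAMPLE_LOG = """\
Sep 5 17:53:09 ms1 MailScanner[2747]: ClamAVModule::INFECTED:: HTML.Phishing.Bank-1272 :: ./815BD10082B5.02C82/msg-2747-17.html
Sep 5 17:53:09 ms1 MailScanner[2747]: ClamAVModule::INFECTED:: HTML.Phishing.Bank-1272 FOUND :: ./815BD10082B5.02C82/
ClamAVModule::INFECTED:: Eicar-Test-Signature FOUND :: ./1/
ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Sep 5 18:20:00 ms1 MailScanner[2747]: ClamAVModule::INFECTED:: Example.Signature-1 FOUND :: ./EXAMPLEID0001.00000/
""".splitlines()

# part == "" means the entry refers to the whole message directory.
Finding = namedtuple("Finding", "msgid signature part")

LINE_RE = re.compile(
    r"ClamAVModule::INFECTED::\s+(?P<sig>\S+)(?:\s+FOUND)?\s+::\s+"
    r"\./(?P<msgid>[^/\s]+)/(?P<part>.*?)\s*$"
)


def parse_line(line):
    """Return a Finding for a ClamAVModule::INFECTED entry, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return Finding(m.group("msgid"), m.group("sig"), m.group("part"))


def collapse_batch(lines):
    """Order-independent: read everything first, then drop a whole-message
    entry only when an attachment entry reports the same signature for the
    same message. A whole-message entry with no such partner is kept."""
    findings = [f for f in map(parse_line, lines) if f]
    has_part = {(f.msgid, f.signature) for f in findings if f.part}
    out, seen = [], set()
    for f in findings:
        if not f.part and (f.msgid, f.signature) in has_part:
            continue  # echo of an attachment hit
        if f not in seen:
            seen.add(f)
            out.append(f)
    return out


def collapse_streaming(lines):
    """Line-at-a-time: each decision uses only entries already seen, so a
    whole-message entry that arrives first cannot be suppressed."""
    out, seen_parts = [], set()
    for f in filter(None, map(parse_line, lines)):
        key = (f.msgid, f.signature)
        if f.part:
            seen_parts.add(key)
            out.append(f)
        elif key not in seen_parts:
            out.append(f)  # no way to know whether an attachment entry follows
    return out


if __name__ == "__main__":
    for name, fn in (("batch", collapse_batch), ("streaming", collapse_streaming)):
        print(name)
        for f in fn(SAMPLE_LOG):
            print("  %s  %s  %s" % (f.msgid, f.signature, f.part or "(whole message)"))
```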
From: spamlists at coders.co.uk (Matt Hampton)
Date: Fri Sep 5 21:19:45 2008
Subject: Using Spamd rather than the SpamAssassin Library
Message-ID: <48C1941F.40703@coders.co.uk>

All

Don't know if anyone is interested but I have a (heavily) modified SA.pm which allows MailScanner to use spamd rather than the Mail::SpamAssassin library (similar to how Rick(?) implemented the clamd vs ClamAVModule).

I have checked with Jules and he is happy with me sharing it.

$Id: SA.pm 4522 2008-08-20 15:19:23Z sysjkf $

Instructions:

THINK CAREFULLY! Once this patch is in place MailScanner relies solely on spamd - you cannot choose between the two. This is beta code and it uses a file from the SVN repository of SpamAssassin which hasn't been published yet!

Download http://www.coders.co.uk/SA.pm

take a backup of the files
SA.pm
ConfigDefs.pl
in the MailScanner installation (on mine /usr/lib/MailScanner/MailScanner)

copy the downloaded file over the top of the existing file

add the following three lines to the bottom of ConfigDefs.pl: spamdserv spamdport spamduser (where is the default user for spamd)

The defaults for spamdserv/spamdport are "localhost" and port 783

YOU MUST REPLACE with a valid user!

Locate your Mail::SpamAssassin::Client.pm

Overwrite this with http://svn.apache.org/viewvc/spamassassin/trunk/lib/Mail/SpamAssassin/Client.pm?revision=597826

This is a drop in replacement and does not change the functionality - it exposes some extra bits and pieces.

Why would you want to do this?

Memory - Small overhead as the SpamAssassin rules are loaded into shared memory

Faster - in theory it should be faster - haven't noticed a difference

The biggy.....:

If you were to put in your MailScanner.conf file

Spamd User = &SomeFunction

You can now control the user that talks to the spamd. This gives you:

Individual bayes
Individual awl
Individual scores

Need I say more..... enjoy and feed back please.
If enough people like it (especially Jules!), I believe that retaining the ability to choose between the two is possible.

matt

From ms-list at alexb.ch Fri Sep 5 21:37:15 2008
From: ms-list at alexb.ch (Alex Broens) Date: Fri Sep 5 21:37:38 2008 Subject: Mailscanner Version 4.71.10-1 / ClamAV 0.94 infection reporting. In-Reply-To: <48C18DCC.5020806@ecs.soton.ac.uk> References: <48BFAB6F.5090902@ecs.soton.ac.uk> <48C18DCC.5020806@ecs.soton.ac.uk> Message-ID: <48C1987B.40609@alexb.ch> On 9/5/2008 9:51 PM, Julian Field wrote: > > > Alex Broens wrote: >> On 9/4/2008 11:33 AM, Julian Field wrote: >>> >>> >>> Alex Broens wrote: >>>> Good day All, >>>> >>>> Mailscanner Version 4.71.10-1 / ClamAV 0.94 using ClamD >>>> >>>> >>>> MailScanner --lint: >>>> >>>> Virus and Content Scanning: Starting >>>> ClamAVModule::INFECTED:: Eicar-Test-Signature FOUND :: ./1/ >>>> ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com >>>> Virus Scanning: Clamd found 2 infections >>>> Infected message 1 came from 10.1.1.1 >>>> Virus Scanning: Found 2 viruses >>>> Filename Checks: (1 eicar.com) >>>> >>>> Doesn't seem right/elegant to me. >>>> >>>> It causes Mailwatch 1.x to report: >>>> >>>> Clamd: message was infected: Trojan.Fakealert-532 FOUND >>>> Clamd: Late.Night.rar was infected: Trojan.Fakealert-532 >>>> >>>> >>>> Can anybody reproduce running "MailScanner --lint" >>>> >>>> Jules? >>> The "./1/" line is caused by "ClamAV Full Message Scan = yes". >>> I believe it is the correct output. >>> Can anyone contradict me? >> >> Jules >> >> Did a fresh test setup on fresh Centos 5.2 >> >> ClamAV Full Message Scan = no >> >> only writes 1 "line". - confirmed. 
>> >> Sep 5 18:12:52 ms1 MailScanner[8640]: ClamAVModule::INFECTED:: >> Trojan.Fakealert-532 :: ./00AD510082F2.3A2DC/Late.Night.rar >> >> >> ____ >> ClamAV Full Message Scan = yes >> >> writes 2 "lines" >> >> Sep 5 17:53:09 ms1 MailScanner[2747]: ClamAVModule::INFECTED:: >> HTML.Phishing.Bank-1272 :: ./815BD10082B5.02C82/msg-2747-17.html >> Sep 5 17:53:09 ms1 MailScanner[2747]: ClamAVModule::INFECTED:: >> HTML.Phishing.Bank-1272 FOUND :: ./815BD10082B5.02C82/ >> ___ >> >> I don't understand why this is necessary and would like to request >> consistency so that "ClamAV Full Message Scan = yes" logs like >> "ClamAV Full Message Scan = no" > So you want me to *not* log the fact that the Full Message Scan found a > virus? Seems a bit strange to me... nope.. I only want to see what virus it caught, once see above; you're redundant, reporting the same guy twice although its one file, and in this case, not even, it was a phishing msg with no attachment. > Do other people agree with me or Alex? am I the only one looking at logs? :-) Alex From ms-list at alexb.ch Fri Sep 5 21:40:21 2008 From: ms-list at alexb.ch (Alex Broens) Date: Fri Sep 5 21:40:35 2008 Subject: Mailscanner Version 4.71.10-1 / ESETS 3.0.9 Message-ID: <48C19935.10701@alexb.ch> Julian Good news: Esets 3.0.9 has an x64 version available which works the bad news is that its sets the binaries permissions in /usr/sbin in such a way that MS can't run it :-) (chmod does wonders) also, the .cfg file is only readable by root so once you have this figured out, it works, and even logs in Mailwatch. There's still something weird in the log output but I hope to have that figured out and send you a fix or cry for help thx Alex From MailScanner at ecs.soton.ac.uk Fri Sep 5 21:55:14 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Sep 5 21:55:38 2008 Subject: Mailscanner Version 4.71.10-1 / ClamAV 0.94 infection reporting. In-Reply-To: References: <48BFAB6F.5090902@ecs.soton.ac.uk> <48C18DCC.5020806@ecs.soton.ac.uk> Message-ID: <48C19CB2.3080402@ecs.soton.ac.uk>

Try the attached SweepViruses.pm.
It will only help if the log output contains the attachment log entry first, followed by the message log entry. If it's the other way around, I can't suppress the message log entry on the basis that an attachment log entry may appear afterwards.
If you have any better ideas on how to predict what may be logged in the future, I'm all ears :-)

Cheers,
Jules.

Kevin Miller wrote:
> Julian Field wrote:
>
>> Alex Broens wrote:
>>
>>> ClamAV Full Message Scan = yes
>>>
>>> writes 2 "lines"
>>>
>>> Sep 5 17:53:09 ms1 MailScanner[2747]: ClamAVModule::INFECTED::
>>> HTML.Phishing.Bank-1272 :: ./815BD10082B5.02C82/msg-2747-17.html
>>> Sep 5 17:53:09 ms1 MailScanner[2747]: ClamAVModule::INFECTED::
>>> HTML.Phishing.Bank-1272 FOUND :: ./815BD10082B5.02C82/ ___
>>>
>>> I don't understand why this is necessary and would like to request
>>> consistency so that "ClamAV Full Message Scan = yes" logs like
>>> "ClamAV Full Message Scan = no"
>>>
>> So you want me to *not* log the fact that the Full Message Scan found
>> a virus? Seems a bit strange to me...
>> Do other people agree with me or Alex?
>>
>
> I think what he wants is that "... = yes" output a single line, not a
> duplicate. It should be logged, but not twice, one right after the
> other...
>
> ...Kevin
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: SweepViruses.pm.zip
Type: application/zip
Size: 33927 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080905/e8e6f75d/SweepViruses.pm-0001.zip

From ms-list at alexb.ch Fri Sep 5 22:10:11 2008
From: ms-list at alexb.ch (Alex Broens) Date: Fri Sep 5 22:10:27 2008 Subject: Mailscanner Version 4.71.10-1 / ClamAV 0.94 infection reporting. In-Reply-To: <48C19CB2.3080402@ecs.soton.ac.uk> References: <48BFAB6F.5090902@ecs.soton.ac.uk> <48C18DCC.5020806@ecs.soton.ac.uk> <48C19CB2.3080402@ecs.soton.ac.uk> Message-ID: <48C1A033.8000803@alexb.ch>

On 9/5/2008 10:55 PM, Julian Field wrote:
> Try the attached SweepViruses.pm.
> It will only help if the log output contains the attachment log entry
> first, followed by the message log entry. If it's the other way around,
> I can't suppress the message log entry on the basis that an attachment
> log entry may appear afterwards.
> If you have any better ideas on how to predict what may be logged in the
> future, I'm all ears :-)

__
Sep 5 23:04:16 ms1 MailScanner[25357]: Clamd::INFECTED:: Eicar-Test-Signature :: ./411661008C85.5B8DE/eicar_com.zip
__

maillog / clamd look GOOD
Mailwatch agrees with one line /entry

Now, can you do the magic on esets? :-)

here's what it's doing.
I tried fiddling with the log formatting in esets.cfg but have the feeling it's being ignored.

__
Sep 5 23:04:17 ms1 MailScanner[25357]: name="./411661008C85.5B8DE/eicar_com.zip", threat="Eicar test file", action="", info=""
Sep 5 23:04:17 ms1 MailScanner[25357]: name="./411661008C85.5B8DE/eicar_com.zip ?? ZIP ?? eicar.com", threat="Eicar test file", action="", info=""
__

thanks

Alex

From drew.marshall at technologytiger.net Fri Sep 5 22:10:13 2008
From: drew.marshall at technologytiger.net (Drew Marshall) Date: Fri Sep 5 22:13:03 2008 Subject: Using Spamd rather than the SpamAssassin Library In-Reply-To: <48C1941F.40703@coders.co.uk> References: <48C1941F.40703@coders.co.uk> Message-ID: <5851C691-2A38-40CC-9134-73427193F4D7@technologytiger.net>

On 5 Sep 2008, at 21:18, Matt Hampton wrote:

> All
>
> Don't know if anyone is interested but I have a (heavily) modified
> SA.pm which allows MailScanner to use spamd rather than the
> Mail::SpamAssassin library (similar to how Rick(?) implemented the
> clamd vs ClamAVModule). I have checked with Jules and he is happy
> with me sharing it.

Well I for one thought I would give it a go but I have bumped into this error:

Can't call method "execute" on an undefined value at /usr/local/lib/MailScanner/MailScanner/SA.pm line 615.

On a FreeBSD 7 system running Postfix (In case permissions need to be considered!)

I don't do perl so I'm not sure where to go with this.

Drew

--
In line with our policy, this message has been scanned for viruses and dangerous content by Technology Tiger's Mail Launder system
Our email policy can be found at www.technologytiger.net/policy

Technology Tiger Limited is registered in Scotland with registration number: 310997
Registered Office 55-57 West High Street Inverurie AB51 3QQ

From MailScanner at ecs.soton.ac.uk Fri Sep 5 22:17:33 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Sep 5 22:17:54 2008 Subject: Mailscanner Version 4.71.10-1 / ClamAV 0.94 infection reporting. In-Reply-To: References: <48BFAB6F.5090902@ecs.soton.ac.uk> <48C18DCC.5020806@ecs.soton.ac.uk> <48C19CB2.3080402@ecs.soton.ac.uk> Message-ID: <48C1A1ED.3010509@ecs.soton.ac.uk> Alex Broens wrote: > On 9/5/2008 10:55 PM, Julian Field wrote: >> Try the attached SweepViruses.pm. >> It will only help if the log output contains the attachment log entry >> first, followed by the message log entry. If it's the other way >> around, I can't suppress the message log entry on the basis that an >> attachment log entry may appear afterwards. >> If you have any better ideas on how to predict what may be logged in >> the future, I'm all ears :-) > > __ > Sep 5 23:04:16 ms1 MailScanner[25357]: Clamd::INFECTED:: > Eicar-Test-Signature :: ./411661008C85.5B8DE/eicar_com.zip > __ > > maillog / clamd look GOOD > Mailwatch agrees with one line /entry > > > Now, can you do the magic on esets? :-) > > here's what its doing. > I tried fiddling with the log formating in esets.cfg but have the > feeling its being ignored. > > __ > Sep 5 23:04:17 ms1 MailScanner[25357]: > name="./411661008C85.5B8DE/eicar_com.zip", threat="Eicar test file", > action="", info="" > Sep 5 23:04:17 ms1 MailScanner[25357]: > name="./411661008C85.5B8DE/eicar_com.zip ?? ZIP ?? eicar.com", > threat="Eicar test file", action="", info="" > __ > Not if it's logging in that order, as I need to log the eicar.com entry, but I can't predict it's going to be there from the eicar_com.zip log entry. That requires crystal balls :-) > thanks > > Alex > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ms-list at alexb.ch Fri Sep 5 22:24:25 2008 From: ms-list at alexb.ch (Alex Broens) Date: Fri Sep 5 22:24:39 2008 Subject: Using Spamd rather than the SpamAssassin Library In-Reply-To: <5851C691-2A38-40CC-9134-73427193F4D7@technologytiger.net> References: <48C1941F.40703@coders.co.uk> <5851C691-2A38-40CC-9134-73427193F4D7@technologytiger.net> Message-ID: <48C1A389.8080604@alexb.ch> On 9/5/2008 11:10 PM, Drew Marshall wrote: > On 5 Sep 2008, at 21:18, Matt Hampton wrote: > >> All >> >> Don't know if anyone is interested but I have a (heavily) modified >> SA.pm which allows MailScanner to use spamd rather than the >> Mail::SpamAssassin library (similiar to how Rick(?) implemented the >> calmd vs ClamAVModule). I have checked with Jules and he is happy >> with me sharing it. > > Well I for one thought I would give it a go but I have bumped into this > error: > > Can't call method "execute" on an undefined value at > /usr/local/lib/MailScanner/MailScanner/SA.pm line 615. > > On a FreeBSD 7 system running Postfix (In case permissions need to be > considered!) > > I don't do perl so I'm not sure where to go with this. > > Drew dunno if you want to give it a try: Steve Freegard's hack ran smoothly Alex From ms-list at alexb.ch Fri Sep 5 22:35:24 2008 
From: ms-list at alexb.ch (Alex Broens) Date: Fri Sep 5 22:35:37 2008 Subject: Mailscanner Version 4.71.10-1 / ClamAV 0.94 infection reporting. In-Reply-To: <48C1A1ED.3010509@ecs.soton.ac.uk> References: <48BFAB6F.5090902@ecs.soton.ac.uk> <48C18DCC.5020806@ecs.soton.ac.uk> <48C19CB2.3080402@ecs.soton.ac.uk> <48C1A1ED.3010509@ecs.soton.ac.uk> Message-ID: <48C1A61C.9060102@alexb.ch> On 9/5/2008 11:17 PM, Julian Field wrote: > > > Alex Broens wrote: >> On 9/5/2008 10:55 PM, Julian Field wrote: >>> Try the attached SweepViruses.pm. >>> It will only help if the log output contains the attachment log entry >>> first, followed by the message log entry. If it's the other way >>> around, I can't suppress the message log entry on the basis that an >>> attachment log entry may appear afterwards. >>> If you have any better ideas on how to predict what may be logged in >>> the future, I'm all ears :-) >> >> __ >> Sep 5 23:04:16 ms1 MailScanner[25357]: Clamd::INFECTED:: >> Eicar-Test-Signature :: ./411661008C85.5B8DE/eicar_com.zip >> __ >> >> maillog / clamd look GOOD >> Mailwatch agrees with one line /entry >> >> >> Now, can you do the magic on esets? :-) >> >> here's what its doing. >> I tried fiddling with the log formating in esets.cfg but have the >> feeling its being ignored. >> >> __ >> Sep 5 23:04:17 ms1 MailScanner[25357]: >> name="./411661008C85.5B8DE/eicar_com.zip", threat="Eicar test file", >> action="", info="" >> Sep 5 23:04:17 ms1 MailScanner[25357]: >> name="./411661008C85.5B8DE/eicar_com.zip ?? ZIP ?? eicar.com", >> threat="Eicar test file", action="", info="" >> __ >> > Not if it's logging in that order, as I need to log the eicar.com entry, > but I can't predict it's going to be there from the eicar_com.zip log > entry. That requires crystal balls :-) lemme see if I get this right Eset logging has log_format_summ = "format" log_format_part = "format" What happens if you only log the "summ" ? would that break anything? 
the chances of having two different infections in one archive are VERY small, or am I still missing something real important? Alex From MailScanner at ecs.soton.ac.uk Fri Sep 5 22:54:26 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Sep 5 22:54:45 2008 Subject: Mailscanner Version 4.71.10-1 / ClamAV 0.94 infection reporting. In-Reply-To: References: <48BFAB6F.5090902@ecs.soton.ac.uk> <48C18DCC.5020806@ecs.soton.ac.uk> <48C19CB2.3080402@ecs.soton.ac.uk> <48C1A1ED.3010509@ecs.soton.ac.uk> Message-ID: <48C1AA92.7090802@ecs.soton.ac.uk> Alex Broens wrote: > On 9/5/2008 11:17 PM, Julian Field wrote: >> >> >> Alex Broens wrote: >>> On 9/5/2008 10:55 PM, Julian Field wrote: >>>> Try the attached SweepViruses.pm. >>>> It will only help if the log output contains the attachment log >>>> entry first, followed by the message log entry. If it's the other >>>> way around, I can't suppress the message log entry on the basis >>>> that an attachment log entry may appear afterwards. >>>> If you have any better ideas on how to predict what may be logged >>>> in the future, I'm all ears :-) >>> >>> __ >>> Sep 5 23:04:16 ms1 MailScanner[25357]: Clamd::INFECTED:: >>> Eicar-Test-Signature :: ./411661008C85.5B8DE/eicar_com.zip >>> __ >>> >>> maillog / clamd look GOOD >>> Mailwatch agrees with one line /entry >>> >>> >>> Now, can you do the magic on esets? :-) >>> >>> here's what its doing. >>> I tried fiddling with the log formating in esets.cfg but have the >>> feeling its being ignored. >>> >>> __ >>> Sep 5 23:04:17 ms1 MailScanner[25357]: >>> name="./411661008C85.5B8DE/eicar_com.zip", threat="Eicar test file", >>> action="", info="" >>> Sep 5 23:04:17 ms1 MailScanner[25357]: >>> name="./411661008C85.5B8DE/eicar_com.zip ?? ZIP ?? eicar.com", >>> threat="Eicar test file", action="", info="" >>> __ >>> >> Not if it's logging in that order, as I need to log the eicar.com >> entry, but I can't predict it's going to be there from the >> eicar_com.zip log entry. That requires crystal balls :-) > > lemme see if I get this right > > Eset logging has > > log_format_summ = "format" > log_format_part = "format" > > What happens if you only log the "summ" ? 
> > would that break anything? Surely it's better to always log the more detailed one, ie log_format_part ? Personally I would much rather log both of them. Who cares about one extra log line? No-one ever reads them anyway, do they? > > the chances of having two different infections in one archive are VERY > small, or am I still missing something real important? > > Alex > > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From Kevin_Miller at ci.juneau.ak.us Fri Sep 5 23:04:11 2008 From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Fri Sep 5 23:04:22 2008 Subject: Mailscanner Version 4.71.10-1 / ClamAV 0.94 infection reporting. In-Reply-To: <48C1AA92.7090802@ecs.soton.ac.uk> References: <48BFAB6F.5090902@ecs.soton.ac.uk> <48C18DCC.5020806@ecs.soton.ac.uk> <48C19CB2.3080402@ecs.soton.ac.uk> <48C1A1ED.3010509@ecs.soton.ac.uk> <48C1AA92.7090802@ecs.soton.ac.uk> Message-ID: Julian Field wrote: > Who cares about one > extra log line? No-one ever reads them anyway, do they? What's a log? ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From spamlists at coders.co.uk Fri Sep 5 23:04:16 2008 
From: spamlists at coders.co.uk (Matt Hampton) Date: Fri Sep 5 23:06:35 2008 Subject: Using Spamd rather than the SpamAssassin Library In-Reply-To: <5851C691-2A38-40CC-9134-73427193F4D7@technologytiger.net> References: <48C1941F.40703@coders.co.uk> <5851C691-2A38-40CC-9134-73427193F4D7@technologytiger.net> Message-ID: <48C1ACE0.5020708@coders.co.uk>

Drew Marshall wrote:
>
> Well I for one thought I would give it a go but I have bumped into
> this error:
>
> Can't call method "execute" on an undefined value at
> /usr/local/lib/MailScanner/MailScanner/SA.pm line 615.
>

Thanks for trying!

I should have said in my previous email that you need to delete your SpamAssassin cache

From MailScanner.conf

  SpamAssassin Cache Database File = /var/spool/MailScanner/incoming/SpamAssassin.cache.db

Stop MailScanner
RM the file
Restart MailScanner

Of course you also need a working Spamd installation ;-)

I start mine with

  /usr/bin/spamd -d -l -m10 -r /var/run/spamd.pid -q -x -u nobody

And I have use SQL for my AWL and Bayes.

matt

From ms-list at alexb.ch Fri Sep 5 23:11:09 2008
From: ms-list at alexb.ch (Alex Broens) Date: Fri Sep 5 23:11:24 2008 Subject: Mailscanner Version 4.71.10-1 / ClamAV 0.94 infection reporting. In-Reply-To: <48C1AA92.7090802@ecs.soton.ac.uk> References: <48BFAB6F.5090902@ecs.soton.ac.uk> <48C18DCC.5020806@ecs.soton.ac.uk> <48C19CB2.3080402@ecs.soton.ac.uk> <48C1A1ED.3010509@ecs.soton.ac.uk> <48C1AA92.7090802@ecs.soton.ac.uk> Message-ID: <48C1AE7D.3030101@alexb.ch> On 9/5/2008 11:54 PM, Julian Field wrote: > > > Alex Broens wrote: >> On 9/5/2008 11:17 PM, Julian Field wrote: >>> >>> >>> Alex Broens wrote: >>>> On 9/5/2008 10:55 PM, Julian Field wrote: >>>>> Try the attached SweepViruses.pm. >>>>> It will only help if the log output contains the attachment log >>>>> entry first, followed by the message log entry. If it's the other >>>>> way around, I can't suppress the message log entry on the basis >>>>> that an attachment log entry may appear afterwards. >>>>> If you have any better ideas on how to predict what may be logged >>>>> in the future, I'm all ears :-) >>>> >>>> __ >>>> Sep 5 23:04:16 ms1 MailScanner[25357]: Clamd::INFECTED:: >>>> Eicar-Test-Signature :: ./411661008C85.5B8DE/eicar_com.zip >>>> __ >>>> >>>> maillog / clamd look GOOD >>>> Mailwatch agrees with one line /entry >>>> >>>> >>>> Now, can you do the magic on esets? :-) >>>> >>>> here's what its doing. >>>> I tried fiddling with the log formating in esets.cfg but have the >>>> feeling its being ignored. >>>> >>>> __ >>>> Sep 5 23:04:17 ms1 MailScanner[25357]: >>>> name="./411661008C85.5B8DE/eicar_com.zip", threat="Eicar test file", >>>> action="", info="" >>>> Sep 5 23:04:17 ms1 MailScanner[25357]: >>>> name="./411661008C85.5B8DE/eicar_com.zip ?? ZIP ?? eicar.com", >>>> threat="Eicar test file", action="", info="" >>>> __ >>>> >>> Not if it's logging in that order, as I need to log the eicar.com >>> entry, but I can't predict it's going to be there from the >>> eicar_com.zip log entry. 
That requires crystal balls :-) >> >> lemme see if I get this right >> >> Eset logging has >> >> log_format_summ = "format" >> log_format_part = "format" >> >> What happens if you only log the "summ" ? >> >> would that break anything? > Surely it's better to always log the more detailed one, ie > log_format_part ? > Personally I would much rather log both of them. Who cares about one > extra log line? No-one ever reads them anyway, do they? doesn't that go both ways :-) if nobody reads them, then verbosity is usually bloat & useless. the way it is now it dupes all Mailwatch entries and borks stats, etc and in the end both entries are pretty much saying the same. this is what MAilwatch spits out to the DB esets: Found virus Win32/TrojanDownloader.FakeAlert.HK trojan in Late.Night.rar ?? RAR ?? Late.Night.CamRip.Sexual.Blondy.Fuck.And.Suck.avi.exe Clamd: Late.Night.rar was infected: Trojan.Fakealert-532 esets: Found virus Win32/TrojanDownloader.FakeAlert.HK trojan in Late.Night.rar if we had this it would be enough: esets: Found virus Win32/TrojanDownloader.FakeAlert.HK trojan in Late.Night.rar ?? RAR ?? Clamd: Late.Night.rar was infected: Trojan.Fakealert-532 Night.rar at the end of the day the infected file is the RAR file, what's inside it becomes irrelevant so there's no real need to report it separately Alex From ssilva at sgvwater.com Fri Sep 5 23:41:00 2008 
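The duplicate-entry problem discussed in this thread (the ClamAV "Full Message Scan" pair and the esets archive/member pair), as an added example that is not part of any poster's message and is not MailScanner or MailWatch code. It buffers a batch of log lines and reports one finding per scanner, message, signature and top-level file, so the result does not depend on which of the two entries is logged first. Assumptions: the line formats are exactly those quoted in the thread, esets lines are recognised by their name=/threat= fields, and " ?? TYPE ?? " is treated literally as the archive-member separator.

```python
import re

# Clamd / ClamAVModule entries as quoted in the thread.
CLAM = re.compile(
    r"(?P<scanner>ClamAVModule|Clamd)::INFECTED::\s*(?P<threat>\S+?)"
    r"(?:\s+FOUND)?\s*::\s*\./(?P<msgid>[^/\s]+)/(?P<path>.*)$")
# esets entries carry no scanner name; the name=/threat= shape identifies
# them (assumption based on the two esets lines quoted in the thread).
ESETS = re.compile(
    r'name="\./(?P<msgid>[^/"]+)/(?P<path>[^"]*)",\s*threat="(?P<threat>[^"]*)"')
# Archive-member separator exactly as it appears in the quoted esets lines.
MEMBER_SEP = re.compile(r"\s+\?\?\s+[A-Za-z0-9]+\s+\?\?\s*")

# Log lines copied from the messages in this thread.
SAMPLE = [
    "Sep 5 17:53:09 ms1 MailScanner[2747]: ClamAVModule::INFECTED:: "
    "HTML.Phishing.Bank-1272 :: ./815BD10082B5.02C82/msg-2747-17.html",
    "Sep 5 17:53:09 ms1 MailScanner[2747]: ClamAVModule::INFECTED:: "
    "HTML.Phishing.Bank-1272 FOUND :: ./815BD10082B5.02C82/",
    'Sep 5 23:04:17 ms1 MailScanner[25357]: '
    'name="./411661008C85.5B8DE/eicar_com.zip", threat="Eicar test file", '
    'action="", info=""',
    'Sep 5 23:04:17 ms1 MailScanner[25357]: '
    'name="./411661008C85.5B8DE/eicar_com.zip ?? ZIP ?? eicar.com", '
    'threat="Eicar test file", action="", info=""',
]


def parse(line):
    """Return (scanner, msgid, threat, container, member) or None.

    container is None for a whole-message hit (path ends at the message
    directory); member is the file inside an archive, when one is named.
    """
    line = line.rstrip()
    m = CLAM.search(line)
    if m:
        scanner = m.group("scanner")
    else:
        m = ESETS.search(line)
        if not m:
            return None
        scanner = "esets"
    parts = MEMBER_SEP.split(m.group("path").strip(), maxsplit=1)
    container = parts[0] or None
    member = parts[1] if len(parts) > 1 and parts[1] else None
    return scanner, m.group("msgid"), m.group("threat"), container, member


def dedupe(lines):
    """Collapse redundant entries; order of the input lines does not matter."""
    findings = {}  # (scanner, msgid, threat) -> {container: [members]}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        scanner, msgid, threat, container, member = rec
        files = findings.setdefault((scanner, msgid, threat), {})
        members = files.setdefault(container, [])
        if member and member not in members:
            members.append(member)

    report = []
    for (scanner, msgid, threat), files in findings.items():
        named = [c for c in files if c is not None]
        # A whole-message hit is dropped only when a file in the same message
        # already carries the same signature; on its own it is kept.
        for container in (named or [None]):
            report.append(
                (scanner, msgid, threat, container, tuple(files[container])))
    return report


if __name__ == "__main__":
    for finding in dedupe(SAMPLE):
        print(finding)
```

Different signatures in the same message or archive stay separate findings, because the signature is part of the grouping key.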
From: ssilva at sgvwater.com (Scott Silva) Date: Fri Sep 5 23:41:20 2008 Subject: clamav-0.94-1.el4 Error In-Reply-To: References: Message-ID:

on 9-3-2008 3:52 AM asakawa@quickd.net spake the following:
> Hi all
>
> clamav-0.94-1.el4 Error
>
> clamav have no test reports
>
> Virus and Content Scanning: Starting
> /1/eicar.com Found: EICAR test file NOT a virus.
> Virus Scanning: McAfee found 1 infections
> ALERT: [Eicar-Test-Signature] ./1/eicar.com <<< Contains code of the Eicar-Test-Signature virus
> Virus Scanning: AntiVir found 1 infections
> /usr/bin/clamscan: unrecognized option `--unzip'
> ERROR: Unknown option passed.
> ERROR: Can't parse the command line
> /usr/bin/clamscan: unrecognized option `--unrar=/usr/bin/unrar'
> ERROR: Unknown option passed.
> ERROR: Can't parse the command line
> Virus Scanning: ClamAV found 1 infections
> 1.message=>[Subject: Virus Scanner Test Message]=>eicar.com:infected: EICAR-Test-File (not a virus)
> 1/eicar.com:infected: EICAR-Test-File (not a virus)
> Virus Scanning: Bitdefender found 2 infections
>
> Virus Scanner test reports:
> McAfee said "/1/eicar.com Found: EICAR test file NOT a virus."
> AntiVir said "ALERT: [Eicar-Test-Signature] ./1/eicar.com <<< Contains code of the Eicar-Test-Signature virus"
> Bitdefender said "Found virus EICAR-Test-File (not a virus) in file eicar.com"
>
>
> Best regards,
> Takashi Asakawa
>
>
>

Scan the list. Julian posted a fixed clamav wrapper for those who have the spare CPU cycles to run clamscan. Or convert your system to clamd.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From ssilva at sgvwater.com Fri Sep 5 23:50:35 2008
From: ssilva at sgvwater.com (Scott Silva) Date: Fri Sep 5 23:50:55 2008 Subject: Mailscanner Version 4.71.10-1 / ClamAV 0.94 infection reporting. In-Reply-To: References: <48BFAB6F.5090902@ecs.soton.ac.uk> <48C18DCC.5020806@ecs.soton.ac.uk> <48C19CB2.3080402@ecs.soton.ac.uk> <48C1A1ED.3010509@ecs.soton.ac.uk> <48C1AA92.7090802@ecs.soton.ac.uk> Message-ID:

on 9-5-2008 3:04 PM Kevin Miller spake the following:
> Julian Field wrote:
>
>> Who cares about one
>> extra log line? No-one ever reads them anyway, do they?
>
> What's a log?
>
>
> ...Kevin

That is those short round things they make from trees! You throw one on the fire when it is cold. ;-P

From ssilva at sgvwater.com Fri Sep 5 23:58:20 2008
From: ssilva at sgvwater.com (Scott Silva) Date: Fri Sep 5 23:58:44 2008 Subject: Running MailScanner 4.64.3 and SpamAssassin 3.2.5 with ClamAV 0.94 In-Reply-To: References: Message-ID:

on 9-4-2008 1:03 PM Kaplan, Andrew H. spake the following:
> Hi there -
>
> The new release of ClamAV, version 0.94, is available for download. I
> was planning on installing it
> on our system running MailScanner and SpamAssassin. The current version
> of ClamAV that is in
> use is the 0.93.3 release.
>
> Is there any danger to my upgrading ClamAV to the latest version, or
> will the latest version work
> with the two aforementioned programs?
>
>

Some patching needs to be done if you run clamscan instead of clamd. And I don't know if the perl module supports 0.94 yet. It usually gets a week or more behind. But if you are using clamd, you should be OK.

From mark at msapiro.net Sat Sep 6 01:54:01 2008
From: mark at msapiro.net (Mark Sapiro) Date: Sat Sep 6 01:54:25 2008 Subject: Italian spam In-Reply-To: <015e01c90f27$72acd3c0$2501a8c0@dbdomain.database.it> Message-ID:

Marcello Anderlini wrote:

>I suspect then that my bayes filter is not working correctly.
>I daily try to instruct spamassassin using
>===========================================
>sa-learn --spam --mbox /var/mail/spam and
>sa-learn --ham --mbox /var/mail/notspam
>===========================================
>
>But it still scores that kind of spam as non spam, ...

Where are the files

  bayes.mutex
  bayes_journal
  bayes_toks
  bayes_seen

In my case, the files that spamassassin uses when invoked by MailScanner are

  /var/spool/MailScanner/spamassassin/bayes.mutex
  /var/spool/MailScanner/spamassassin/bayes_journal
  /var/spool/MailScanner/spamassassin/bayes_toks
  /var/spool/MailScanner/spamassassin/bayes_seen

However if I were to run sa-learn as userx, the files that would be updated are in /home/userx/.spamassassin.

In my case also, I use spamd so I use for example

  /usr/bin/spamc -u postfix -L spam < message

to learn a message as spam.

You may have to experiment with the -u option on sa-learn to get it to update the right bayes database.

--
Mark Sapiro                            The highway is for gamblers,
San Francisco Bay Area, California     better use your sense - B. Dylan

From drew.marshall at technologytiger.net Sat Sep 6 13:19:12 2008
From: drew.marshall at technologytiger.net (Drew Marshall) Date: Sat Sep 6 13:19:28 2008 Subject: Using Spamd rather than the SpamAssassin Library In-Reply-To: <48C1ACE0.5020708@coders.co.uk> References: <48C1941F.40703@coders.co.uk> <5851C691-2A38-40CC-9134-73427193F4D7@technologytiger.net> <48C1ACE0.5020708@coders.co.uk> Message-ID: <322845F4-533F-49CC-A001-17C8D60619C6@technologytiger.net>

On 5 Sep 2008, at 23:04, Matt Hampton wrote:

> Drew Marshall wrote:
>>
>> Well I for one thought I would give it a go but I have bumped into
>> this error:
>>
>> Can't call method "execute" on an undefined value at /usr/local/lib/
>> MailScanner/MailScanner/SA.pm line 615.
>>
> Thanks for trying!

No problem!

>
>
> I should have said in my previous email that you need to delete your
> spamassassin cache

That fixed it! Thanks

> Of course you also need a working Spamd installation ;-)

LOL naturally

> I start mine with
>
> /usr/bin/spamd -d -l -m10 -r /var/run/spamd.pid -q -x -u nobody
>
>
> And I have use SQL for my AWL and Bayes.

I have not really played with AWL as it used to not tidy itself up like bayes does. Perhaps I'll give it another look...

Thanks, nice bit of code. Seems to be working well. I'll see what Monday brings when things load up a bit more.

Drew

From zepplin at exemail.com.au Sat Sep 6 15:25:17 2008
From: zepplin at exemail.com.au (George C) Date: Sat Sep 6 15:25:29 2008 Subject: MailScanner refuses to shutdown - Possible broken pidof Message-ID: <48C292CD.1070901@exemail.com.au>

Hi,

I have MailScanner - v4.71.10 installed
Exim 4.69
Installation was done by configserver (Way to the Web Limited) approximately 8 months or so ago.

WHM 11.23.2 cPanel 11.23.6-R27164
CENTOS Enterprise 4.6 i686 on standard - WHM X v3.1.0

Up until recently MailScanner has performed flawlessly. Over the last week or so I've been getting daily mail showing MailScanner fails to shutdown.

Aug 27 10:33:21 JS-GC-S1 MailScanner: MailScanner shutdown failed
Aug 27 10:33:22 JS-GC-S1 runuser: Starting MailScanner...
Aug 27 10:33:23 JS-GC-S1 MailScanner: MailScanner setting GID to mail (12)
Aug 27 10:33:23 JS-GC-S1 MailScanner: MailScanner setting UID to mailnull (47)

Also tried to manually shutdown with same result.

[root@JS-GC-S1 ~]# /etc/rc.d/init.d/MailScanner restart
Shutting down MailScanner daemons:
 MailScanner: [FAILED]
 Waiting for MailScanner to stop...
Starting MailScanner daemons:
 MailScanner: [ OK ]

I have contacted configserver and they say pidof is more than likely broken but can't offer any further assistance.

I would appreciate any help/advice or suggestions as to how I may fix this recent issue.

**********************************************
copy of /etc/rc.d/init.d/MailScanner

. /etc/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0

TMPDIR=/var/spool/MailScanner
export TMPDIR

wait_for_pid () {
    i=0
    echo -n "."
    while test $i -lt 35 ; do
        echo -n "."
        if [ -z "`/usr/bin/pgrep -u mailnull -f MailScanner`" ]; then
            break
        fi
        kill -9 `/usr/bin/pgrep -u mailnull -f MailScanner` >/dev/null 2>&1
        sleep 1
        i=`expr $i + 1`
    done
}

# See how we were called.
case "$1" in
  start)
    # Start daemons.
    echo 'Starting MailScanner daemons:'
    echo -n ' MailScanner: '
    daemon --user=root /usr/mailscanner/bin/check_mailscanner >/dev/null
    success
    echo
    ;;
  stop)
    # Stop daemons.
    echo 'Shutting down MailScanner daemons:'
    echo -n ' MailScanner:'
    killproc MailScanner
    echo
    echo -n ' Waiting for MailScanner to stop'
    wait_for_pid
    echo
    ;;
  status)
    # Work out if all of MailScanner is running
    echo 'Checking MailScanner daemons:'
    status MailScanner
    echo
    ;;
  reload)
    echo 'Reloading MailScanner workers:'
    killproc MailScanner -HUP
    if [ -z "`/usr/bin/pgrep -u mailnull -f MailScanner`" ]; then
      $0 start
    fi
    echo
    ;;
  restart)
    $0 stop
    $0 start
    ;;
  *)
    echo "Usage: service MailScanner {start|stop|status|restart|reload}"
    exit 1
esac

exit

**********************************************
copy of /etc/init.d/functions

# -*-Shell-script-*-
#
# functions This file contains functions to be used by most or all
# shell scripts in the /etc/init.d directory.
#

TEXTDOMAIN=initscripts

# Make sure umask is sane
umask 022

# Set up a default search path.
PATH="/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin"
export PATH

# Get a sane screen width
[ -z "${COLUMNS:-}" ] && COLUMNS=80

[ -z "${CONSOLETYPE:-}" ] && CONSOLETYPE="`/sbin/consoletype`"

if [ -f /etc/sysconfig/i18n -a -z "${NOLOCALE:-}" ] ; then
  . /etc/sysconfig/i18n
  if [ "$CONSOLETYPE" != "pty" ]; then
    case "${LANG:-}" in
      ja_JP*|ko_KR*|zh_CN*|zh_TW*|bn_*|bd_*|pa_*|hi_*|ta_*|gu_*)
        export LC_MESSAGES=en_US
        export LANG
        ;;
      *)
        export LANG
        ;;
    esac
  else
    [ -n "$LC_MESSAGES" ] && export LC_MESSAGES
    export LANG
  fi
fi

# Read in our configuration
if [ -z "${BOOTUP:-}" ]; then
  if [ -f /etc/sysconfig/init ]; then
    . /etc/sysconfig/init
  else
    # This all seem confusing? Look in /etc/sysconfig/init,
    # or in /usr/doc/initscripts-*/sysconfig.txt
    BOOTUP=color
    RES_COL=60
    MOVE_TO_COL="echo -en \\033[${RES_COL}G"
    SETCOLOR_SUCCESS="echo -en \\033[1;32m"
    SETCOLOR_FAILURE="echo -en \\033[1;31m"
    SETCOLOR_WARNING="echo -en \\033[1;33m"
    SETCOLOR_NORMAL="echo -en \\033[0;39m"
    LOGLEVEL=1
  fi
  if [ "$CONSOLETYPE" = "serial" ]; then
    BOOTUP=serial
    MOVE_TO_COL=
    SETCOLOR_SUCCESS=
    SETCOLOR_FAILURE=
    SETCOLOR_WARNING=
    SETCOLOR_NORMAL=
  fi
fi

if [ "${BOOTUP:-}" != "verbose" ]; then
  INITLOG_ARGS="-q"
else
  INITLOG_ARGS=
fi

# Check if $pid (could be plural) are running
checkpid() {
  local i

  for i in $* ; do
    [ -d "/proc/$i" ] && return 0
  done
  return 1
}

# A function to start a program.
daemon() {
  # Test syntax.
  local gotbase= force=
  local base= user= nice= bg= pid=
  nicelevel=0
  while [ "$1" != "${1##[-+]}" ]; do
    case $1 in
      '')
        echo $"$0: Usage: daemon [+/-nicelevel] {program}"
        return 1;;
      --check)
        base=$2
        gotbase="yes"
        shift 2
        ;;
      --check=?*)
        base=${1#--check=}
        gotbase="yes"
        shift
        ;;
      --user)
        user=$2
        shift 2
        ;;
      --user=?*)
        user=${1#--user=}
        shift
        ;;
      --force)
        force="force"
        shift
        ;;
      [-+][0-9]*)
        nice="nice -n $1"
        shift
        ;;
      *)
        echo $"$0: Usage: daemon [+/-nicelevel] {program}"
        return 1;;
    esac
  done

  # Save basename.
  [ -z "$gotbase" ] && base=${1##*/}

  # See if it's already running. Look *only* at the pid file.
  if [ -f /var/run/${base}.pid ]; then
    local line p
    read line < /var/run/${base}.pid
    for p in $line ; do
      [ -z "${p//[0-9]/}" -a -d "/proc/$p" ] && pid="$pid $p"
    done
  fi

  [ -n "${pid:-}" -a -z "${force:-}" ] && return

  # make sure it doesn't core dump anywhere unless requested
  ulimit -S -c ${DAEMON_COREFILE_LIMIT:-0} >/dev/null 2>&1

  # if they set NICELEVEL in /etc/sysconfig/foo, honor it
  [ -n "$NICELEVEL" ] && nice="nice -n $NICELEVEL"

  # Echo daemon
  [ "${BOOTUP:-}" = "verbose" -a -z "$LSB" ] && echo -n " $base"

  # And start it up.
  if [ -z "$user" ]; then
    $nice initlog $INITLOG_ARGS -c "$*"
  else
    $nice initlog $INITLOG_ARGS -c "runuser -s /bin/bash - $user -c \"$*\""
  fi
  [ "$?" -eq 0 ] && success $"$base startup" || failure $"$base startup"
}

# A function to stop a program.
killproc() {
  RC=0; delay=3
  # Test syntax.
  if [ "$#" -eq 0 ]; then
    echo $"Usage: killproc [ -d delay] {program} [signal]"
    return 1
  fi
  if [ "$1" = "-d" ]; then
    delay=$2
    shift 2
  fi

  notset=0
  notset=0
  # check for second arg to be kill level
  if [ -n "$2" ]; then
    killlevel=$2
  else
    notset=1
    killlevel="-9"
  fi

  # Save basename.
  base=${1##*/}

  # Find pid.
  pid=
  if [ -f /var/run/${base}.pid ]; then
    local line p
    read line < /var/run/${base}.pid
    for p in $line ; do
      [ -z "${p//[0-9]/}" -a -d "/proc/$p" ] && pid="$pid $p"
    done
  fi
  if [ -z "$pid" ]; then
    pid=`pidof -o $$ -o $PPID -o %PPID -x $1 || \
         pidof -o $$ -o $PPID -o %PPID -x $base`
  fi

  # Kill it.
  if [ -n "${pid:-}" ] ; then
    [ "$BOOTUP" = "verbose" -a -z "$LSB" ] && echo -n "$base "
    if [ "$notset" -eq "1" ] ; then
      if checkpid $pid 2>&1; then
        # TERM first, then KILL if not dead
        kill -TERM $pid >/dev/null 2>&1
        usleep 100000
        if checkpid $pid && sleep 1 &&
           checkpid $pid && sleep $delay &&
           checkpid $pid ; then
          kill -KILL $pid >/dev/null 2>&1
          usleep 100000
        fi
      fi
      checkpid $pid
      RC=$?
      [ "$RC" -eq 0 ] && failure $"$base shutdown" || success $"$base shutdown"
      RC=$((! $RC))
    # use specified level only
    else
      if checkpid $pid; then
        kill $killlevel $pid >/dev/null 2>&1
        RC=$?
        [ "$RC" -eq 0 ] && success $"$base $killlevel" || failure $"$base $killlevel"
      fi
    fi
  else
    failure $"$base shutdown"
    RC=1
  fi

  # Remove pid file if any.
  if [ "$notset" = "1" ]; then
    rm -f /var/run/$base.pid
  fi
  return $RC
}

# A function to find the pid of a program. Looks *only* at the pidfile
pidfileofproc() {
  local base=${1##*/}

  # Test syntax.
  if [ "$#" = 0 ] ; then
    echo $"Usage: pidfileofproc {program}"
    return 1
  fi

  # First try "/var/run/*.pid" files
  if [ -f /var/run/$base.pid ] ; then
    local line p pid=
    read line < /var/run/$base.pid
    for p in $line ; do
      [ -z "${p//[0-9]/}" -a -d /proc/$p ] && pid="$pid $p"
    done
    if [ -n "$pid" ]; then
      echo $pid
      return 0
    fi
  fi
}

# A function to find the pid of a program.
pidofproc() {
  base=${1##*/}

  # Test syntax.
  if [ "$#" = 0 ]; then
    echo $"Usage: pidofproc {program}"
    return 1
  fi

  # First try "/var/run/*.pid" files
  if [ -f /var/run/$base.pid ]; then
    local line p pid=
    read line < /var/run/$base.pid
    for p in $line ; do
      [ -z "${p//[0-9]/}" -a -d /proc/$p ] && pid="$pid $p"
    done
    if [ -n "$pid" ]; then
      echo $pid
      return 0
    fi
  fi
  pidof -o $$ -o $PPID -o %PPID -x $1 || \
    pidof -o $$ -o $PPID -o %PPID -x $base
}

status() {
  local base=${1##*/}
  local pid

  # Test syntax.
  if [ "$#" = 0 ] ; then
    echo $"Usage: status {program}"
    return 1
  fi

  # First try "pidof"
  pid=`pidof -o $$ -o $PPID -o %PPID -x $1 || \
       pidof -o $$ -o $PPID -o %PPID -x ${base}`
  if [ -n "$pid" ]; then
    echo $"${base} (pid $pid) is running..."
return 0 fi # Next try "/var/run/*.pid" files if [ -f /var/run/${base}.pid ] ; then read pid < /var/run/${base}.pid if [ -n "$pid" ]; then echo $"${base} dead but pid file exists" return 1 fi fi # See if /var/lock/subsys/${base} exists if [ -f /var/lock/subsys/${base} ]; then echo $"${base} dead but subsys locked" return 2 fi echo $"${base} is stopped" return 3 } echo_success() { [ "$BOOTUP" = "color" ] && $MOVE_TO_COL echo -n "[ " [ "$BOOTUP" = "color" ] && $SETCOLOR_SUCCESS echo -n $"OK" [ "$BOOTUP" = "color" ] && $SETCOLOR_NORMAL echo -n " ]" echo -ne "\r" return 0 } echo_failure() { [ "$BOOTUP" = "color" ] && $MOVE_TO_COL echo -n "[" [ "$BOOTUP" = "color" ] && $SETCOLOR_FAILURE echo -n $"FAILED" [ "$BOOTUP" = "color" ] && $SETCOLOR_NORMAL echo -n "]" echo -ne "\r" return 1 } echo_passed() { [ "$BOOTUP" = "color" ] && $MOVE_TO_COL echo -n "[" [ "$BOOTUP" = "color" ] && $SETCOLOR_WARNING echo -n $"PASSED" [ "$BOOTUP" = "color" ] && $SETCOLOR_NORMAL echo -n "]" echo -ne "\r" return 1 } echo_warning() { [ "$BOOTUP" = "color" ] && $MOVE_TO_COL echo -n "[" [ "$BOOTUP" = "color" ] && $SETCOLOR_WARNING echo -n $"WARNING" [ "$BOOTUP" = "color" ] && $SETCOLOR_NORMAL echo -n "]" echo -ne "\r" return 1 } # Inform the graphical boot of our current state update_boot_stage() { if [ "$GRAPHICAL" = "yes" -a -x /usr/bin/rhgb-client ]; then /usr/bin/rhgb-client --update="$1" fi return 0 } # Log that something succeeded success() { if [ -z "${IN_INITLOG:-}" ]; then initlog $INITLOG_ARGS -n $0 -s "$1" -e 1 else # silly hack to avoid EPIPE killing rc.sysinit trap "" SIGPIPE echo "$INITLOG_ARGS -n $0 -s \"$1\" -e 1" >&21 trap - SIGPIPE fi [ "$BOOTUP" != "verbose" -a -z "$LSB" ] && echo_success return 0 } # Log that something failed failure() { rc=$? 
if [ -z "${IN_INITLOG:-}" ]; then initlog $INITLOG_ARGS -n $0 -s "$1" -e 2 else trap "" SIGPIPE echo "$INITLOG_ARGS -n $0 -s \"$1\" -e 2" >&21 trap - SIGPIPE fi [ "$BOOTUP" != "verbose" -a -z "$LSB" ] && echo_failure [ -x /usr/bin/rhgb-client ] && /usr/bin/rhgb-client --details=yes return $rc } # Log that something passed, but may have had errors. Useful for fsck passed() { rc=$? if [ -z "${IN_INITLOG:-}" ]; then initlog $INITLOG_ARGS -n $0 -s "$1" -e 1 else trap "" SIGPIPE echo "$INITLOG_ARGS -n $0 -s \"$1\" -e 1" >&21 trap - SIGPIPE fi [ "$BOOTUP" != "verbose" -a -z "$LSB" ] && echo_passed return $rc } # Log a warning warning() { rc=$? if [ -z "${IN_INITLOG:-}" ]; then initlog $INITLOG_ARGS -n $0 -s "$1" -e 1 else trap "" SIGPIPE echo "$INITLOG_ARGS -n $0 -s \"$1\" -e 1" >&21 trap - SIGPIPE fi [ "$BOOTUP" != "verbose" -a -z "$LSB" ] && echo_warning return $rc } # Run some action. Log its output. action() { STRING=$1 echo -n "$STRING " if [ "${RHGB_STARTED}" != "" -a -w /etc/rhgb/temp/rhgb-console ]; then echo -n "$STRING " > /etc/rhgb/temp/rhgb-console fi shift initlog $INITLOG_ARGS -c "$*" && success $"$STRING" || failure $"$STRING" rc=$? echo if [ "${RHGB_STARTED}" != "" -a -w /etc/rhgb/temp/rhgb-console ]; then if [ "$rc" = "0" ]; then echo_success > /etc/rhgb/temp/rhgb-console else echo_failure > /etc/rhgb/temp/rhgb-console [ -x /usr/bin/rhgb-client ] && /usr/bin/rhgb-client --details=yes fi echo fi return $rc } # returns OK if $1 contains $2 strstr() { [ "${1#*$2*}" = "$1" ] && return 1 return 0 } # Confirm whether we really want to run this service confirm() { [ -x /usr/bin/rhgb-client ] && /usr/bin/rhgb-client --details=yes while : ; do echo -n $"Start service $1 (Y)es/(N)o/(C)ontinue? 
[Y] " read answer if strstr $"yY" "$answer" || [ "$answer" = "" ] ; then return 0 elif strstr $"cC" "$answer" ; then rm -f /var/run/confirm [ -x /usr/bin/rhgb-client ] && /usr/bin/rhgb-client --details=no return 2 elif strstr $"nN" "$answer" ; then return 1 fi done } Regards, - George Chown -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080907/3c249486/attachment.html From ram at netcore.co.in Sat Sep 6 16:12:36 2008 From: ram at netcore.co.in (ram) Date: Sat Sep 6 16:12:59 2008 Subject: MailScanner takes too long extracting attachments due to "sleep 10" Message-ID: <1220713956.12800.47.camel@darkstar.netcore.co.in> I have my MailScanner server taking too long. Eventually looking at the source I found that the mails go into the UnpackOle() function in Message.pm (/usr/lib/MailScanner/MailScanner/Message.pm) This function has a "sleep 10;" What is this for ?? I realized when my client receives a mail with more than 10 attachments all processes take HUGE time to scan every message and mails get delayed For now I have just put a "return 0" beginning of the function and now it is working fine Thanks Ram From roland at inbox4u.de Sat Sep 6 20:11:41 2008 
From: roland at inbox4u.de (Ehle, Roland)
Date: Sat Sep 6 20:13:22 2008
Subject: AW: Using Spamd rather than the SpamAssassin Library
In-Reply-To: <48C1ACE0.5020708@coders.co.uk>
References: <48C1941F.40703@coders.co.uk> <5851C691-2A38-40CC-9134-73427193F4D7@technologytiger.net> <48C1ACE0.5020708@coders.co.uk>
Message-ID:

Matt,

just to make sure, I did not misunderstand:

is it necessary to remove the configuration line

SpamAssassin Cache Database File =

from /etc/MailScanner/MailScanner.conf?

Regards,
Roland

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Matt Hampton
> Sent: Saturday, 6 September 2008 00:04
> To: MailScanner discussion
> Subject: Re: Using Spamd rather than the SpamAssassin Library
>
> Drew Marshall wrote:
> >
> > Well I for one thought I would give it a go but I have bumped into
> > this error:
> >
> > Can't call method "execute" on an undefined value at
> > /usr/local/lib/MailScanner/MailScanner/SA.pm line 615.
> >
> Thanks for trying!
>
> I should have said in my previous email that you need to delete your
> spamassassin cache
>
> From MailScanner.conf
>
> SpamAssassin Cache Database File =
> /var/spool/MailScanner/incoming/SpamAssassin.cache.db
>
> Stop MailScanner
> RM the file
> Restart MailScanner
>
> Of course you also need a working Spamd installation ;-)
>
> I start mine with
>
> /usr/bin/spamd -d -l -m10 -r /var/run/spamd.pid -q -x -u nobody
>
>
> And I have use SQL for my AWL and Bayes.
>
> matt
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From drew.marshall at technologytiger.net Sat Sep 6 20:19:59 2008
From: drew.marshall at technologytiger.net (Drew Marshall)
Date: Sat Sep 6 20:20:17 2008
Subject: AW: Using Spamd rather than the SpamAssassin Library
In-Reply-To:
References: <48C1941F.40703@coders.co.uk> <5851C691-2A38-40CC-9134-73427193F4D7@technologytiger.net> <48C1ACE0.5020708@coders.co.uk>
Message-ID:

On 6 Sep 2008, at 20:11, Ehle, Roland wrote:

> Matt,
>
> just to make sure, I did not misunderstand:
>
> is it necessary to remove the configuration line
>
> SpamAssassin Cache Database File =
>
> from /etc/MailScanner/MailScanner.conf?

No, just delete the actual file that line relates to so when MS restarts it builds a new one.

This is (IMHO) the greatest advantage to Matt's solution over the custom function that Steve posted, the cache is retained and you can have the memory advantages of using spamd and per user configs etc.

Works great here!

Drew

--
In line with our policy, this message has been scanned for viruses and dangerous content by Technology Tiger's Mail Launder system
Our email policy can be found at www.technologytiger.net/policy

Technology Tiger Limited is registered in Scotland with registration number: 310997
Registered Office 55-57 West High Street Inverurie AB51 3QQ

From spamlists at coders.co.uk Sat Sep 6 21:36:08 2008
From: spamlists at coders.co.uk (Matt Hampton)
Date: Sat Sep 6 21:36:50 2008
Subject: AW: Using Spamd rather than the SpamAssassin Library
In-Reply-To:
References: <48C1941F.40703@coders.co.uk> <5851C691-2A38-40CC-9134-73427193F4D7@technologytiger.net> <48C1ACE0.5020708@coders.co.uk>
Message-ID: <48C2E9B8.9090801@coders.co.uk>

Drew Marshall wrote:
>
> No, just delete the actual file that line relates to so when MS
> restarts it builds a new one.

The reason for this is that an extra field is added to the cache for the username - this means that if you choose to use different usernames then result for one doesn't influence the results of another one.

> This is (IMHO) the greatest advantage to Matt's solution over the
> custom function that Steve posted, the cache is retained and you can
> have the memory advantages of using spamd and per user configs etc.
>

To be fair I hadn't seen Steve's post.

I wrote the code in July and left it running (brave/stupid) when I went on holiday at the beginning of August. Didn't get home when planned (over running building works at home) and was limited to my work's 3G card - didn't fancy downloading the 12,000 messages over that :-)

> Works great here!

Cool.

Has anyone else braved it yet?

matt

From hvdkooij at vanderkooij.org Sat Sep 6 23:01:39 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sat Sep 6 23:01:52 2008
Subject: Yum repository
Message-ID: <48C2FDC3.4080802@vanderkooij.org>

The YUM repository is open and updates seem to work as well as one might expect. There is a small exercise left for the admin at the moment.

You can find the repository information on http://yum.vanderkooij.org/

However as this is just about all there is to the repository it makes no sense at all to scan it every hour. Anyone scanning the repository too much may get expelled.

Doing a check every 30 minutes like the client on 208.65.91.93 is not something I consider normal for a repository that is updated about once a month. So I suggest you trim it down if you like to keep using it.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

From roland at inbox4u.de Sun Sep 7 04:00:20 2008
From: roland at inbox4u.de (Ehle, Roland)
Date: Sun Sep 7 04:01:17 2008
Subject: AW: AW: Using Spamd rather than the SpamAssassin Library
In-Reply-To: <48C2E9B8.9090801@coders.co.uk>
References: <48C1941F.40703@coders.co.uk> <5851C691-2A38-40CC-9134-73427193F4D7@technologytiger.net> <48C1ACE0.5020708@coders.co.uk> <48C2E9B8.9090801@coders.co.uk>
Message-ID:

I gave it a try, but found MailScanner process dying immediately after starting and messages were not processed at all. Probably a speciality of my system, that likes making me angry :-)

Regards,
Roland

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Matt Hampton
> Sent: Saturday, 6 September 2008 22:36
> To: MailScanner discussion
> Subject: Re: AW: Using Spamd rather than the SpamAssassin Library
>
> Drew Marshall wrote:
> >
> > No, just delete the actual file that line relates to so when MS
> > restarts it builds a new one.
> The reason for this is that an extra field is added to the cache for the
> username - this means that if you choose to use different usernames then
> result for one doesn't influence the results of another one.
>
> > This is (IMHO) the greatest advantage to Matt's solution over the
> > custom function that Steve posted, the cache is retained and you can
> > have the memory advantages of using spamd and per user configs etc.
> >
> To be fair I hadn't seen Steve's post.
>
> I wrote the code in July and left it running (brave/stupid) when I went
> on holiday at the beginning of August. Didn't get home when
> planned (over running building works at home) and was limited to my
> work's 3G card - didn't fancy downloading the 12,000 messages over that
> :-)
>
> > Works great here!
> Cool.
>
> Has anyone else braved it yet?
>
>
> matt

From roland at inbox4u.de Sun Sep 7 07:40:04 2008
From: roland at inbox4u.de (Ehle, Roland)
Date: Sun Sep 7 07:41:17 2008
Subject: AW: AW: Using Spamd rather than the SpamAssassin Library
In-Reply-To:
References: <48C1941F.40703@coders.co.uk> <5851C691-2A38-40CC-9134-73427193F4D7@technologytiger.net> <48C1ACE0.5020708@coders.co.uk> <48C2E9B8.9090801@coders.co.uk>
Message-ID:

After all: It is running, and it is fine! It was my own blindness, which caused the trouble :-) Thanks Matt for your contribution

Hint for all others:

If you are going to give this one a try, you should do the following, to prevent running into trouble with pyzor:

Add

pyzor_options --homedir /etc/mail/spamassassin

to your /etc/MailScanner/spam.assassin.prefs.conf and execute

pyzor --homedir /etc/mail/spamassassin discover

Regards,
Roland

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ehle, Roland
> Sent: Sunday, 7 September 2008 05:00
> To: MailScanner discussion
> Subject: AW: AW: Using Spamd rather than the SpamAssassin Library
>
> I gave it a try, but found MailScanner process dying immediately after
> starting and messages were not processed at all. Probably a speciality
> of my system, that likes making me angry :-)
>
> Regards,
> Roland
>
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Matt Hampton
> > Sent: Saturday, 6 September 2008 22:36
> > To: MailScanner discussion
> > Subject: Re: AW: Using Spamd rather than the SpamAssassin Library
> >
> > Drew Marshall wrote:
> > >
> > > No, just delete the actual file that line relates to so when MS
> > > restarts it builds a new one.
> > The reason for this is that an extra field is added to the cache for the
> > username - this means that if you choose to use different usernames then
> > result for one doesn't influence the results of another one.
> >
> > > This is (IMHO) the greatest advantage to Matt's solution over the
> > > custom function that Steve posted, the cache is retained and you can
> > > have the memory advantages of using spamd and per user configs etc.
> > >
> > To be fair I hadn't seen Steve's post.
> >
> > I wrote the code in July and left it running (brave/stupid) when I went
> > on holiday at the beginning of August. Didn't get home when
> > planned (over running building works at home) and was limited to my
> > work's 3G card - didn't fancy downloading the 12,000 messages over that
> > :-)
> >
> > > Works great here!
> > Cool.
> >
> > Has anyone else braved it yet?
> >
> >
> > matt

From paul.hutchings at mira.co.uk Sun Sep 7 10:08:05 2008
From: paul.hutchings at mira.co.uk (Paul Hutchings)
Date: Sun Sep 7 10:08:19 2008
Subject: Yum repository
References: <48C2FDC3.4080802@vanderkooij.org>
Message-ID:

Thanks Hugh - looks very useful!

Presumably the intention is to have the stable version and not the latest beta/rc?

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Hugo van der Kooij
Sent: 06 September 2008 23:02
To: MailScanner Mailinglist
Subject: Yum repository

The YUM repository is open and updates seem to work as well as one might expect. There is a small exercise left for the admin at the moment.

You can find the repository information on http://yum.vanderkooij.org/

However as this is just about all there is to the repository it makes no sense at all to scan it every hour. Anyone scanning the repository too much may get expelled.

Doing a check every 30 minutes like the client on 208.65.91.93 is not something I consider normal for a repository that is updated about once a month. So I suggest you trim it down if you like to keep using it.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

--
MIRA Ltd
Watling Street, Nuneaton, Warwickshire, CV10 0TU, England.
Registered in England and Wales No. 402570
VAT Registration GB 114 5409 96

The contents of this e-mail are confidential and are solely for the use of the intended recipient. If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax. You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited.

From glenn.steen at gmail.com Sun Sep 7 15:58:57 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sun Sep 7 15:59:07 2008
Subject: MailScanner Tweaking/Issues
In-Reply-To: <48BFFC38.80706@infowall.com>
References: <48BFE46B.8000404@USherbrooke.ca> <48BFFC38.80706@infowall.com>
Message-ID: <223f97700809070758q495e55fes1929d78a02fd3130@mail.gmail.com>

2008/9/4 mark mcintosh :
> Hello,
>
> I have a fairly new install of Mailscanner on a Centos 5.2 x64 VPS with
> (mailwatch, postfixadmin, mailscanner-mrtg, postfix, maildrop, dcc,
> razor, pyzor)
>
> The system is working and is blocking most of my spam but I would like
> to tweak it and I have a few concerns listed below.
>
> Why does the --lint test show that Pyzor is disabled ?? (Pyzor also
> shows not working in mailscanner lint test -->>pyzor: check failed:
> internal error (listed below)
> Why does it skip the Razor ?? Same for SpamCop ??
> The Net::Ident module is it critical ????? ----- Will forcing
> installation cause me to break anything else ??

SpamAssassin, that is responsible for all this, only does syntax checking with the --lint test. Hence all network tests are disabled when doing a --lint run. To actually include the tests, you need to run something like:

spamassassin -t -D < /path/to/an/actual/message/file

... You should have several likely candidates for that type of testing in your quarantine;-).

Now, the Pyzor internal error might be because of anything ... well, almost. What happens if you do a "pyzor ping"? And if you do it as your postfix user? (you might need to do "su - postfix -s /bin/bash" to be able to do the latter:)

> The last line in the MailScanner --lint related to my mailwatch
> installation only appears at times and I am still looking into it any
> ideas ??

The Autocommit "warning" is normal. Just ignore it (it is purely informational, has no ill effects... Means that you have autocommit on in your DB, while MailWatch applies commits at appropriate places... The "error" reports that these are NOOPs... Which is fine;).

> For clarity I have included the MailScanner -lint as well as the
> Spamassassin --lint

For brevity... I've removed them:-).

> Any help on these questions would be appreciated
>
> Mark McIntosh
>
(snip)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From martinh at solidstatelogic.com Mon Sep 8 10:19:04 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Mon Sep 8 10:19:20 2008
Subject: AW: Using Spamd rather than the SpamAssassin Library
In-Reply-To:
Message-ID:

Roland

pyzor --homedir /etc/mail/spamassassin discover

Will give problems in that it will give you a server that isn't updating. Pyzor support seemed to have disappeared, but if you alter the ~/.pyzor/servers to..

82.94.255.100:24441

It will work a lot better

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Ehle, Roland
> Sent: 07 September 2008 07:40
> To: MailScanner discussion
> Subject: AW: AW: Using Spamd rather than the SpamAssassin Library
>
> After all: It is running, and it is fine! It was my own
> blindness, which caused the trouble :-) Thanks Matt for your
> contribution
>
> Hint for all others:
>
> If you are going to give this one a try, you should do the
> following, to prevent running into trouble with pyzor:
>
> Add
>
> pyzor_options --homedir /etc/mail/spamassassin
>
> to your /etc/MailScanner/spam.assassin.prefs.conf and execute
> pyzor --homedir /etc/mail/spamassassin discover
>
> Regards,
> Roland
>
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ehle, Roland
> > Sent: Sunday, 7 September 2008 05:00
> > To: MailScanner discussion
> > Subject: AW: AW: Using Spamd rather than the SpamAssassin Library
> >
> > I gave it a try, but found MailScanner process dying immediately after
> > starting and messages were not processed at all. Probably a speciality
> > of my system, that likes making me angry :-)
> >
> > Regards,
> > Roland
> >
> > > -----Original Message-----
> > > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Matt Hampton
> > > Sent: Saturday, 6 September 2008 22:36
> > > To: MailScanner discussion
> > > Subject: Re: AW: Using Spamd rather than the SpamAssassin Library
> > >
> > > Drew Marshall wrote:
> > > >
> > > > No, just delete the actual file that line relates to so when MS
> > > > restarts it builds a new one.
> > > The reason for this is that an extra field is added to the cache for
> > > the username - this means that if you choose to use different
> > > usernames then result for one doesn't influence the results of
> > > another one.
> > >
> > > > This is (IMHO) the greatest advantage to Matt's solution over the
> > > > custom function that Steve posted, the cache is retained and you can
> > > > have the memory advantages of using spamd and per user configs etc.
> > > >
> > > To be fair I hadn't seen Steve's post.
> > >
> > > I wrote the code in July and left it running (brave/stupid) when I went
> > > on holiday at the beginning of August. Didn't get home when
> > > planned (over running building works at home) and was limited to my
> > > work's 3G card - didn't fancy downloading the 12,000 messages over that
> > > :-)
> > >
> > > > Works great here!
> > > Cool.
> > >
> > > Has anyone else braved it yet?
> > >
> > >
> > > matt

**********************************************************************
Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer.
Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer.
Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us.
Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free.

Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales (Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom
**********************************************************************

From glenn.steen at gmail.com Mon Sep 8 11:24:33 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Sep 8 11:24:42 2008
Subject: AW: Using Spamd rather than the SpamAssassin Library
In-Reply-To:
References:
Message-ID: <223f97700809080324i2959f140y57775989d76b1e95@mail.gmail.com>

2008/9/8 Martin.Hepworth :
> Roland
>
> pyzor --homedir /etc/mail/spamassassin discover
>
>
> Will give problems in that it will give you a server that isn't updating. Pyzor support seemed to have disappeared, but if you alter the ~/.pyzor/servers to..
>
> 82.94.255.100:24441
>
> It will work a lot better
>

Slight update.... seems that this is the server you get now, when doing a discover. So no need to avoid doing a discover any more:-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From MailScanner at ecs.soton.ac.uk Mon Sep 8 11:34:20 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Sep 8 11:34:42 2008
Subject: MailScanner takes too long extracting attachments due to "sleep 10"
In-Reply-To:
References:
Message-ID: <48C4FFAC.2060407@ecs.soton.ac.uk>

ram wrote:
> I have my MailScanner server taking too long. Eventually looking at the
> source I found that the mails go into the
> UnpackOle() function in Message.pm
> (/usr/lib/MailScanner/MailScanner/Message.pm)
>
>
> This function has a "sleep 10;"
> What is this for ??
>

Oops! Sorry about that. I left in some old debug code. Many thanks for spotting that! It will be fixed in the next release. You can just delete that line.

>
> I realized when my client receives a mail with more than 10 attachments
> all processes take HUGE time to scan every message and mails get delayed
>
> For now I have just
> put a "return 0" at the beginning of the function and now it is working fine
>
> Thanks
> Ram
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From martinh at solidstatelogic.com Mon Sep 8 11:50:49 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Mon Sep 8 11:51:04 2008
Subject: AW: Using Spamd rather than the SpamAssassin Library
In-Reply-To: <223f97700809080324i2959f140y57775989d76b1e95@mail.gmail.com>
Message-ID:

Hurray

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Glenn Steen
> Sent: 08 September 2008 11:25
> To: MailScanner discussion
> Subject: Re: AW: Using Spamd rather than the SpamAssassin Library
>
> 2008/9/8 Martin.Hepworth :
> > Roland
> >
> > pyzor --homedir /etc/mail/spamassassin discover
> >
> >
> > Will give problems in that it will give you a server that
> > isn't updating. Pyzor support seemed to have disappeared, but
> > if you alter the ~/.pyzor/servers to..
> >
> > 82.94.255.100:24441
> >
> > It will work a lot better
> >
> Slight update.... seems that this is the server you get now,
> when doing a discover. So no need to avoid doing a discover
> any more:-).
>
> Cheers
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se

From drew.marshall at technologytiger.net Mon Sep 8 12:06:54 2008
From: drew.marshall at technologytiger.net (Drew Marshall)
Date: Mon Sep 8 12:18:24 2008
Subject: AW: Using Spamd rather than the SpamAssassin Library
In-Reply-To: <48C2E9B8.9090801@coders.co.uk>
References: <48C1941F.40703@coders.co.uk> <5851C691-2A38-40CC-9134-73427193F4D7@technologytiger.net> <48C1ACE0.5020708@coders.co.uk> <48C2E9B8.9090801@coders.co.uk>
Message-ID: <520F0D8E-EA1E-499C-B899-FB0342DA061A@technologytiger.net>

On 6 Sep 2008, at 21:36, Matt Hampton wrote:

>> Works great here!
> Cool.
>
> Has anyone else braved it yet?

Matt

It's still working fine on a box that looks like it's going to chomp ~16k messages today :-)

One small question, so I can try to tune things a little more. How does MS hand the batch over to spamd? Is this one batch per spamd child? I have started spamd with an optimistic -m 30 and my MS 10 children are romping 20+ SA children, which seems a bit high.

Drew

From m.anderlini at database.it Mon Sep 8 13:57:35 2008
From: m.anderlini at database.it (Marcello Anderlini) Date: Mon Sep 8 13:57:55 2008 Subject: R: Italian spam In-Reply-To: References: <015e01c90f27$72acd3c0$2501a8c0@dbdomain.database.it> Message-ID: <00cb01c911b2$77512fb0$2501a8c0@dbdomain.database.it> I have these files in /root/.spamassassin. In /var/spool/MailScanner/ I have nothing except a SpamAssassin.cache.db in /var/spool/MailScanner/incoming. I do not use spamd, but spamassassin is called from Mailscanner. Is that correct? Dr. Marcello Anderlini m.anderlini@database.it --------------------------------------------- Database Informatica S.r.l. Microsoft Certified Partner Tel. +39059775070 Fax. +39059779545 http://www.database.it --------------------------------------------- -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Mark Sapiro Sent: Saturday 6 September 2008 2.54 To: MailScanner List Subject: Re: Italian spam Marcello Anderlini wrote: >I suspect then that my bayes filter is not working correctly. >I daily try to instruct spamassassin using >=========================================== >sa-learn --spam --mbox /var/mail/spam and sa-learn --ham --mbox >/var/mail/notspam =========================================== > >But it still scores that kind of spam as non spam, ... Where are the files bayes.mutex bayes_journal bayes_toks bayes_seen In my case, the files that spamassassin uses when invoked by MailScanner are /var/spool/MailScanner/spamassassin/bayes.mutex /var/spool/MailScanner/spamassassin/bayes_journal /var/spool/MailScanner/spamassassin/bayes_toks /var/spool/MailScanner/spamassassin/bayes_seen However if I were to run sa-learn as userx, the files that would be updated are in /home/userx/.spamassassin. In my case also, I use spamd so I use for example /usr/bin/spamc -u postfix -L spam < message to learn a message as spam.
You may have to experiment with the -u option on sa-learn to get it to update the right bayes database. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From spamlists at coders.co.uk Mon Sep 8 14:13:45 2008 From: spamlists at coders.co.uk (Matt Hampton) Date: Mon Sep 8 14:14:55 2008 Subject: AW: Using Spamd rather than the SpamAssassin Library In-Reply-To: <520F0D8E-EA1E-499C-B899-FB0342DA061A@technologytiger.net> References: <48C1941F.40703@coders.co.uk> <5851C691-2A38-40CC-9134-73427193F4D7@technologytiger.net> <48C1ACE0.5020708@coders.co.uk> <48C2E9B8.9090801@coders.co.uk> <520F0D8E-EA1E-499C-B899-FB0342DA061A@technologytiger.net> Message-ID: <48C52509.3080405@coders.co.uk> Drew Marshall wrote: > It's still working fine on a box that looks like it's going to chomp > ~16k messages today :-) > Excellent > One small question, so I can try to tune things a little more. How > does MS hand the batch over to spamd? Is this one batch per spamd > child? I have started spamd with an optimistic -m 30 and my MS 10 > children are romping 20+ SA children, which seems a bit high. It does one per message - as there is the possibility that you are using a different user for each message. I haven't seen this cause a slowdown and even with 20 children, it will still be using less than 10 copies of the rules in MailScanner. Can you see what status they are in (it will be in the maillog) regards Matt From jbuda at noticiasargentinas.com Mon Sep 8 15:42:03 2008
From: jbuda at noticiasargentinas.com (Jose Julian Buda) Date: Mon Sep 8 15:42:03 2008 Subject: ClamAV 0.94 References: Message-ID: <05b401c911c1$0ee8fc00$6000a8c0@tecnica> Hi, I have a mail server with: Debian etch Postfix Mailscanner Clamav Yesterday it worked fine catching viruses, but today I've made an upgrade from clamav 0.93 to 0.94 and then the process stopped catching mail with viruses, I mean, the mails are stopped anyway by "No programs allowed" with mailscanner because of the extensions file, but there is not any message or report from "ClamAv". I have a txt file with eicar string, if I run on server: cat filewitheicar.txt | mail jbuda@noticiasargentinas.com the mail passes through the mailscanner and the workstation's antivirus alerts me about the eicar strings. Why did the mailscanner stop using clamav? Thank you for any help about this. Sorry about my English Jose Julian Buda From dominian at slackadelic.com Mon Sep 8 15:48:00 2008
From: dominian at slackadelic.com (Matt Hayes) Date: Mon Sep 8 15:48:15 2008 Subject: ClamAV 0.94 In-Reply-To: <05b401c911c1$0ee8fc00$6000a8c0@tecnica> References: <05b401c911c1$0ee8fc00$6000a8c0@tecnica> Message-ID: <48C53B20.4090304@slackadelic.com> Jose Julian Buda wrote: > Hi, I have a mail server with: > Debian etch > Postfix > Mailscanner > Clamav > > Yesterday it worked fine catching viruses, but today I've made an upgrade > from clamav 0.93 to 0.94 and then > the process stopped catching mail with viruses, I mean, the mails are stopped > anyway by "No programs allowed" with mailscanner because of the > extensions file, but there is not any message or report from "ClamAv". > > I have a txt file with eicar string, if I run on server: > > cat filewitheicar.txt | mail jbuda@noticiasargentinas.com > > the mail passes through the mailscanner and the workstation's antivirus > alerts me about the eicar strings. > > Why did the mailscanner stop using clamav? > > Thank you for any help about this. > > Sorry about my English > > Jose Julian Buda Did you restart MailScanner after upgrading clamav? -Matt From list-mailscanner at linguaphone.com Mon Sep 8 15:53:33 2008
From: list-mailscanner at linguaphone.com (Gareth) Date: Mon Sep 8 15:58:22 2008 Subject: ClamAV 0.94 In-Reply-To: <05b401c911c1$0ee8fc00$6000a8c0@tecnica> References: <05b401c911c1$0ee8fc00$6000a8c0@tecnica> Message-ID: <1220885612.32360.7.camel@gblades-suse.linguaphone-intranet.co.uk> Did you run ldconfig after the upgrade? On Mon, 2008-09-08 at 15:42, Jose Julian Buda wrote: > Hi, I have a mail server with: > Debian etch > Postfix > Mailscanner > Clamav > > Yesterday it worked fine catching viruses, but today I've made an upgrade from > clamav 0.93 to 0.94 and then > the process stopped catching mail with viruses, I mean, the mails are stopped > anyway by "No programs allowed" with mailscanner because of the extensions > file, but there is not any message or report from "ClamAv". > > I have a txt file with eicar string, if I run on server: > > cat filewitheicar.txt | mail jbuda@noticiasargentinas.com > > the mail passes through the mailscanner and the workstation's antivirus alerts > me about the eicar strings. > > Why did the mailscanner stop using clamav? > > Thank you for any help about this. > > Sorry about my English > > Jose Julian Buda From jbuda at noticiasargentinas.com Mon Sep 8 16:03:27 2008 From: jbuda at noticiasargentinas.com (Jose Julian Buda) Date: Mon Sep 8 16:03:26 2008 Subject: ClamAV 0.94 References: <05b401c911c1$0ee8fc00$6000a8c0@tecnica> <48C53B20.4090304@slackadelic.com> Message-ID: <002301c911c4$0c5acfb0$6000a8c0@tecnica> ----- Original Message -----
From: "Matt Hayes" To: "MailScanner discussion" Sent: Monday, September 08, 2008 11:48 AM Subject: Re: ClamAV 0.94 > Jose Julian Buda wrote: >> Hi, I have a mail server with: >> Debian etch >> Postfix >> Mailscanner >> Clamav >> >> Yesterday it worked fine catching viruses, but today I've made an upgrade >> from clamav 0.93 to 0.94 and then >> the process stopped catching mail with viruses, I mean, the mails are stopped >> anyway by "No programs allowed" with mailscanner because of the >> extensions file, but there is not any message or report from "ClamAv". >> >> I have a txt file with eicar string, if I run on server: >> >> cat filewitheicar.txt | mail jbuda@noticiasargentinas.com >> >> the mail passes through the mailscanner and the workstation's antivirus >> alerts me about the eicar strings. >> >> Why did the mailscanner stop using clamav? >> >> Thank you for any help about this. >> >> Sorry about my English >> >> Jose Julian Buda > > Did you restart MailScanner after upgrading clamav? > > -Matt Yes, I did. How can I see if the mailscanner calls the clamscan program? Thank you Jose Julian Buda From Denis.Beauchemin at USherbrooke.ca Mon Sep 8 16:10:30 2008 From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Mon Sep 8 16:10:45 2008 Subject: ClamAV 0.94 In-Reply-To: <002301c911c4$0c5acfb0$6000a8c0@tecnica> References: <05b401c911c1$0ee8fc00$6000a8c0@tecnica> <48C53B20.4090304@slackadelic.com> <002301c911c4$0c5acfb0$6000a8c0@tecnica> Message-ID: <48C54066.10701@USherbrooke.ca> Jose Julian Buda wrote: > > ----- Original Message -----
From: "Matt Hayes" > > To: "MailScanner discussion" > Sent: Monday, September 08, 2008 11:48 AM > Subject: Re: ClamAV 0.94 > > >> Jose Julian Buda wrote: >>> Hi, I have a mail server with: >>> Debian etch >>> Postfix >>> Mailscanner >>> Clamav >>> >>> Yesterday it worked fine catching viruses, but today I've made an upgrade >>> from clamav 0.93 to 0.94 and then >>> the process stopped catching mail with viruses, I mean, the mails are >>> stopped >>> anyway by "No programs allowed" with mailscanner because of the >>> extensions file, but there is not any message or report from "ClamAv". >>> >>> I have a txt file with eicar string, if I run on server: >>> >>> cat filewitheicar.txt | mail jbuda@noticiasargentinas.com >>> >>> the mail passes through the mailscanner and the workstation's antivirus >>> alerts me about the eicar strings. >>> >>> Why did the mailscanner stop using clamav? >>> >>> Thank you for any help about this. >>> >>> Sorry about my English >>> >>> Jose Julian Buda >> >> Did you restart MailScanner after upgrading clamav? >> >> -Matt > > > Yes, I did. > How can I see if the mailscanner calls the clamscan program? > > > Thank you > Jose Julian Buda Jose Julian, How about "MailScanner --lint" ? See the output it gives on my system: MailScanner --lint Checking version numbers... Version number in MailScanner.conf (4.63.2) is correct. Checking for SpamAssassin errors (if you use it)... SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp SpamAssassin reported no errors.
MailScanner.conf says "Virus Scanners = auto" Found these virus scanners installed: bitdefender, clamd, mcafee =========================================================================== Ignore errors about failing to find EOCD signature =========================================================================== Virus Scanner test reports: Clamd said "eicar.com was infected: Eicar-Test-Signature FOUND" Bitdefender said "Found virus EICAR-Test-File (not a virus) in file eicar.com" McAfee said "/1/eicar.com Found: EICAR test file NOT a virus." If any of your virus scanners (bitdefender,clamd,mcafee) are not listed there, you should check that they are installed correctly and that MailScanner is finding them correctly via its virus.scanners.conf. Denis -- Denis Beauchemin, analyst, Université de Sherbrooke, S.T.I. T: 819.821.8000x62252 F: 819.821.8045 From dominian at slackadelic.com Mon Sep 8 16:11:02 2008 From: dominian at slackadelic.com (Matt Hayes) Date: Mon Sep 8 16:11:14 2008 Subject: ClamAV 0.94 In-Reply-To: <002301c911c4$0c5acfb0$6000a8c0@tecnica> References: <05b401c911c1$0ee8fc00$6000a8c0@tecnica> <48C53B20.4090304@slackadelic.com> <002301c911c4$0c5acfb0$6000a8c0@tecnica> Message-ID: <48C54086.4080708@slackadelic.com> Jose Julian Buda wrote: > > ----- Original Message -----
From: "Matt Hayes" > To: "MailScanner discussion" > Sent: Monday, September 08, 2008 11:48 AM > Subject: Re: ClamAV 0.94 > > >> Jose Julian Buda wrote: >>> Hi, I have a mail server with: >>> Debian etch >>> Postfix >>> Mailscanner >>> Clamav >>> >>> Yesterday it worked fine catching viruses, but today I've made an upgrade >>> from clamav 0.93 to 0.94 and then >>> the process stopped catching mail with viruses, I mean, the mails are stopped >>> anyway by "No programs allowed" with mailscanner because of the >>> extensions file, but there is not any message or report from "ClamAv". >>> >>> I have a txt file with eicar string, if I run on server: >>> >>> cat filewitheicar.txt | mail jbuda@noticiasargentinas.com >>> >>> the mail passes through the mailscanner and the workstation's antivirus >>> alerts me about the eicar strings. >>> >>> Why did the mailscanner stop using clamav? >>> >>> Thank you for any help about this. >>> >>> Sorry about my English >>> >>> Jose Julian Buda >> >> Did you restart MailScanner after upgrading clamav? >> >> -Matt > > > Yes, I did. > How can I see if the mailscanner calls the clamscan program? > > > Thank you > Jose Julian Buda Try enabling debug mode in MailScanner.conf -Matt From jbuda at noticiasargentinas.com Mon Sep 8 16:11:18 2008 From: jbuda at noticiasargentinas.com (Jose Julian Buda) Date: Mon Sep 8 16:11:17 2008 Subject: ClamAV 0.94 References: <05b401c911c1$0ee8fc00$6000a8c0@tecnica> <1220885612.32360.7.camel@gblades-suse.linguaphone-intranet.co.uk> Message-ID: <002e01c911c5$25581990$6000a8c0@tecnica> ----- Original Message -----
From: "Gareth" To: "MailScanner discussion" Sent: Monday, September 08, 2008 11:53 AM Subject: Re: ClamAV 0.94 > Did you run ldconfig after the upgrade? > > On Mon, 2008-09-08 at 15:42, Jose Julian Buda wrote: >> Hi, I have a mail server with: >> Debian etch >> Postfix >> Mailscanner >> Clamav >> >> Yesterday it worked fine catching viruses, but today I've made an upgrade >> from >> clamav 0.93 to 0.94 and then >> the process stopped catching mail with viruses, I mean, the mails are stopped >> anyway by "No programs allowed" with mailscanner because of the >> extensions >> file, but there is not any message or report from "ClamAv". >> >> I have a txt file with eicar string, if I run on server: >> >> cat filewitheicar.txt | mail jbuda@noticiasargentinas.com >> >> the mail passes through the mailscanner and the workstation's antivirus >> alerts >> me about the eicar strings. >> >> Why did the mailscanner stop using clamav? >> >> Thank you for any help about this. >> >> Sorry about my English >> >> Jose Julian Buda No, I didn't, but I never needed that command in the last upgrade before this. Anyway I have run it later and the problem persists. Is there a way to test if mailscanner is working properly? If the mailscanner takes the "Virus Scanners = clamav " setting? Thank you Jose Julian Buda From jbuda at noticiasargentinas.com Mon Sep 8 16:28:11 2008
From: jbuda at noticiasargentinas.com (Jose Julian Buda) Date: Mon Sep 8 16:28:10 2008 Subject: ClamAV 0.94 References: <05b401c911c1$0ee8fc00$6000a8c0@tecnica> <48C53B20.4090304@slackadelic.com><002301c911c4$0c5acfb0$6000a8c0@tecnica> <48C54066.10701@USherbrooke.ca> Message-ID: <005901c911c7$81108f40$6000a8c0@tecnica> ----- Original Message ----- From: "Denis Beauchemin" To: "MailScanner discussion" Sent: Monday, September 08, 2008 12:10 PM Subject: Re: ClamAV 0.94 Jose Julian Buda wrote: > > ----- Original Message -----
From: "Matt Hayes" > To: "MailScanner discussion" > Sent: Monday, September 08, 2008 11:48 AM > Subject: Re: ClamAV 0.94 > > >> Jose Julian Buda wrote: >>> Hi, I have a mail server with: >>> Debian etch >>> Postfix >>> Mailscanner >>> Clamav >>> >>> Yesterday it worked fine catching viruses, but today I've made an upgrade >>> from clamav 0.93 to 0.94 and then >>> the process stopped catching mail with viruses, I mean, the mails are stopped >>> anyway by "No programs allowed" with mailscanner because of the >>> extensions file, but there is not any message or report from "ClamAv". >>> >>> I have a txt file with eicar string, if I run on server: >>> >>> cat filewitheicar.txt | mail jbuda@noticiasargentinas.com >>> >>> the mail passes through the mailscanner and the workstation's antivirus >>> alerts me about the eicar strings. >>> >>> Why did the mailscanner stop using clamav? >>> >>> Thank you for any help about this. >>> >>> Sorry about my English >>> >>> Jose Julian Buda >> >> Did you restart MailScanner after upgrading clamav? >> >> -Matt > > > Yes, I did. > How can I see if the mailscanner calls the clamscan program? > > > Thank you > Jose Julian Buda Jose Julian, How about "MailScanner --lint" ? See the output it gives on my system: MailScanner --lint Checking version numbers... Version number in MailScanner.conf (4.63.2) is correct. Checking for SpamAssassin errors (if you use it)... SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp SpamAssassin reported no errors.
MailScanner.conf says "Virus Scanners = auto" Found these virus scanners installed: bitdefender, clamd, mcafee =========================================================================== Ignore errors about failing to find EOCD signature =========================================================================== Virus Scanner test reports: Clamd said "eicar.com was infected: Eicar-Test-Signature FOUND" Bitdefender said "Found virus EICAR-Test-File (not a virus) in file eicar.com" McAfee said "/1/eicar.com Found: EICAR test file NOT a virus." If any of your virus scanners (bitdefender,clamd,mcafee) are not listed there, you should check that they are installed correctly and that MailScanner is finding them correctly via its virus.scanners.conf. Denis -- Denis Beauchemin, analyst, Université de Sherbrooke, S.T.I. T: 819.821.8000x62252 F: 819.821.8045 This is what I get: proxymails:~# MailScanner --lint Read 748 hostnames from the phishing whitelist MailScanner setting GID to (104) MailScanner setting UID to (100) Checking for SpamAssassin errors (if you use it)... Using SpamAssassin results cache Connected to SpamAssassin cache database SpamAssassin reported no errors. Using locktype = flock MailScanner.conf says "Virus Scanners = clamav" Found these virus scanners installed: clamav proxymails:~# But the clamav is not triggered anyway. I have changed to "Virus Scanners = auto", it detects clamav, but the problem persists. Thank you Jose Julian Buda From jra at baylink.com Mon Sep 8 16:38:17 2008
From: jra at baylink.com (Jay R. Ashworth) Date: Mon Sep 8 16:38:29 2008 Subject: Looking for a test mail generator In-Reply-To: <002301c911c4$0c5acfb0$6000a8c0@tecnica> References: <48C53B20.4090304@slackadelic.com> <002301c911c4$0c5acfb0$6000a8c0@tecnica> Message-ID: <20080908153817.GK17489@cgi.jachomes.com> To test a new installation before a cutover, I'm trying to find (out whether anyone has written) a program that can send a bunch of email to a SMTP server, logging what it does (both logical and session level), so that I can check that the results are what they should be. Optimally, I'd like something that worked like this: Provide it with 4 or 5 pieces of random spam, and 4 or 5 pieces of ham, and have it try to -- in random order -- send each of the message bodies to a) one or more provided valid addresses and b) one or more random non-valid addresses on the provisioned domain, and c) one or more completely random addresses. The goal, of course, is to make sure that what should pass through passes through, what should bounce bounces, what shouldn't backscatter doesn't, and what should deliver does. Has anyone already written this? I'm sure perl or python provides the modules, but I'm not good enough at either to do it myself. I could probably hack around something that does 60-70% of it into what I wanted, though. Cheers, -- jra -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com '87 e24 St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274 Those who cast the vote decide nothing. Those who count the vote decide everything. -- (Josef Stalin) From Denis.Beauchemin at USherbrooke.ca Mon Sep 8 16:42:35 2008 
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Mon Sep 8 16:42:49 2008 Subject: ClamAV 0.94 In-Reply-To: <005901c911c7$81108f40$6000a8c0@tecnica> References: <05b401c911c1$0ee8fc00$6000a8c0@tecnica> <48C53B20.4090304@slackadelic.com><002301c911c4$0c5acfb0$6000a8c0@tecnica> <48C54066.10701@USherbrooke.ca> <005901c911c7$81108f40$6000a8c0@tecnica> Message-ID: <48C547EB.1090203@USherbrooke.ca> > This is what I get: > > proxymails:~# MailScanner --lint > Read 748 hostnames from the phishing whitelist > MailScanner setting GID to (104) > MailScanner setting UID to (100) > > Checking for SpamAssassin errors (if you use it)... > Using SpamAssassin results cache > Connected to SpamAssassin cache database > SpamAssassin reported no errors. > Using locktype = flock > MailScanner.conf says "Virus Scanners = clamav" > Found these virus scanners installed: clamav > proxymails:~# Jose Julian, I don't see a version number in the output. I think your version of MS is probably quite old. You should upgrade to the latest stable version because you cannot run Clam 0.94 with an old version of MS. Clam changed too many things lately. Denis -- Denis Beauchemin, analyst, Université de Sherbrooke, S.T.I. T: 819.821.8000x62252 F: 819.821.8045 From Carl.Andrews at crackerbarrel.com Mon Sep 8 16:45:49 2008 From: Carl.Andrews at crackerbarrel.com (Andrews Carl 448) Date: Mon Sep 8 16:46:01 2008 Subject: Officecat (Sourcefire) Message-ID: Link: http://www.snort.org/vrt/tools/officecat.html I just read about this, it might be something useful to add to an email gateway. There are windows and linux (compiled against ubuntu) executables. Thanks, Carl From drew.marshall at technologytiger.net Mon Sep 8 16:27:41 2008
From: drew.marshall at technologytiger.net (Drew Marshall) Date: Mon Sep 8 16:55:25 2008 Subject: AW: Using Spamd rather than the SpamAssassin Library In-Reply-To: <48C52509.3080405@coders.co.uk> References: <48C1941F.40703@coders.co.uk> <5851C691-2A38-40CC-9134-73427193F4D7@technologytiger.net> <48C1ACE0.5020708@coders.co.uk> <48C2E9B8.9090801@coders.co.uk> <520F0D8E-EA1E-499C-B899-FB0342DA061A@technologytiger.net> <48C52509.3080405@coders.co.uk> Message-ID: <7A9C1520-4D96-4DDE-B04C-1C690069A2BE@technologytiger.net> On 8 Sep 2008, at 14:13, Matt Hampton wrote: > Drew Marshall wrote: >> >> One small question, so I can try to tune things a little more. How >> does MS hand the batch over to spamd? Is this one batch per spamd >> child? I have started spamd with an optimistic -m 30 and my MS 10 >> children are romping 20+ SA children, which seems a bit high. > It does one per message - as there is the possibility that you are > using a different user for each message. I haven't seen this cause > a slowdown and even with 20 children, it will still be using less > than 10 copies of the rules in MailScanner. > Can you see what status they are in (it will be in the maillog) Interesting... So there is the potential that with say 10 children, each with 20 messages that I am going to need 200 SA children? I fear I will have run out of memory by then! Hmm... Drew From jbuda at noticiasargentinas.com Mon Sep 8 16:55:58 2008
From: jbuda at noticiasargentinas.com (Jose Julian Buda) Date: Mon Sep 8 16:55:57 2008 Subject: ClamAV 0.94 References: <05b401c911c1$0ee8fc00$6000a8c0@tecnica> <48C53B20.4090304@slackadelic.com><002301c911c4$0c5acfb0$6000a8c0@tecnica> <48C54066.10701@USherbrooke.ca><005901c911c7$81108f40$6000a8c0@tecnica> <48C547EB.1090203@USherbrooke.ca> Message-ID: <00b601c911cb$625b6580$6000a8c0@tecnica> ----- Original Message ----- 
From: "Denis Beauchemin" To: "MailScanner discussion" Sent: Monday, September 08, 2008 12:42 PM Subject: Re: ClamAV 0.94 > This is what I get: > > proxymails:~# MailScanner --lint > Read 748 hostnames from the phishing whitelist > MailScanner setting GID to (104) > MailScanner setting UID to (100) > > Checking for SpamAssassin errors (if you use it)... > Using SpamAssassin results cache > Connected to SpamAssassin cache database > SpamAssassin reported no errors. > Using locktype = flock > MailScanner.conf says "Virus Scanners = clamav" > Found these virus scanners installed: clamav > proxymails:~# Jose Julian, I don't see a version number in the output. I think your version of MS is probably quite old. You should upgrade to the latest stable version because you cannot run Clam 0.94 with an old version of MS. Clam changed too many things lately. Denis -- Denis Beauchemin, analyst, Université de Sherbrooke, S.T.I. T: 819.821.8000x62252 F: 819.821.8045 I have this installed: proxymails:~# apt-cache show mailscanner Package: mailscanner Priority: optional Section: mail Installed-Size: 3836 Maintainer: Debian QA Group Architecture: all Version: 4.55.10-3 How can I get a newer one? Is that the problem? Thank you Jose Julian Buda From alex at rtpty.com Mon Sep 8 16:57:14 2008
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Mon Sep 8 16:57:28 2008 Subject: Looking for a test mail generator In-Reply-To: <20080908153817.GK17489@cgi.jachomes.com> References: <48C53B20.4090304@slackadelic.com> <002301c911c4$0c5acfb0$6000a8c0@tecnica> <20080908153817.GK17489@cgi.jachomes.com> Message-ID: <55CCA7C0-9F7F-4F72-A335-28D5DF34F2C5@rtpty.com> You could probably do this with netcat and bash... Sent from my iPhone On Sep 8, 2008, at 10:38 AM, "Jay R. Ashworth" wrote: > To test a new installation before a cutover, I'm trying to find (out > whether anyone has written) a program that can send a bunch of email > to a > SMTP server, logging what it does (both logical and session level), so > that I can check that the results are what they should be. > > Optimally, I'd like something that worked like this: > > Provide it with 4 or 5 pieces of random spam, and 4 or 5 pieces of > ham, > and have it try to -- in random order -- send each of the message > bodies > to a) one or more provided valid addresses and b) one or more random > non-valid addresses on the provisioned domain, and c) one or more > completely random addresses. > > The goal, of course, is to make sure that what should pass through > passes > through, what should bounce bounces, what shouldn't backscatter > doesn't, > and what should deliver does. > > Has anyone already written this? I'm sure perl or python provides the > modules, but I'm not good enough at either to do it myself. I could > probably hack around something that does 60-70% of it into what I > wanted, > though. > > Cheers, > -- jra > -- > Jay R. Ashworth Baylink jra@baylink.com > Designer The Things I Think RFC 2100 > Ashworth & Associates http://baylink.pitas.com '87 e24 > St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274 > > Those who cast the vote decide nothing. > Those who count the vote decide everything.
> -- (Josef Stalin) From jra at baylink.com Mon Sep 8 16:59:06 2008 From: jra at baylink.com (Jay R. Ashworth) Date: Mon Sep 8 16:59:17 2008 Subject: Looking for a test mail generator (unthreaded) Message-ID: <20080908155906.GA17894@cgi.jachomes.com> I am not having a good day today. Twice. In 5 minutes... Unthreadjacked: To test a new installation before a cutover, I'm trying to find (out whether anyone has written) a program that can send a bunch of email to a SMTP server, logging what it does (both logical and session level), so that I can check that the results are what they should be. Optimally, I'd like something that worked like this: Provide it with 4 or 5 pieces of random spam, and 4 or 5 pieces of ham, and have it try to -- in random order -- send each of the message bodies to a) one or more provided valid addresses and b) one or more random non-valid addresses on the provisioned domain, and c) one or more completely random addresses. The goal, of course, is to make sure that what should pass through passes through, what should bounce bounces, what shouldn't backscatter doesn't, and what should deliver does. Has anyone already written this? I'm sure perl or python provides the modules, but I'm not good enough at either to do it myself. I could probably hack around something that does 60-70% of it into what I wanted, though. Cheers, -- jra -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com '87 e24 St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274 Those who cast the vote decide nothing. Those who count the vote decide everything. -- (Josef Stalin) From spamlists at coders.co.uk Mon Sep 8 17:27:51 2008
From: spamlists at coders.co.uk (Matt Hampton)
Date: Mon Sep 8 17:28:26 2008
Subject: AW: Using Spamd rather than the SpamAssassin Library
In-Reply-To: <7A9C1520-4D96-4DDE-B04C-1C690069A2BE@technologytiger.net>
References: <48C1941F.40703@coders.co.uk> <5851C691-2A38-40CC-9134-73427193F4D7@technologytiger.net> <48C1ACE0.5020708@coders.co.uk> <48C2E9B8.9090801@coders.co.uk> <520F0D8E-EA1E-499C-B899-FB0342DA061A@technologytiger.net> <48C52509.3080405@coders.co.uk> <7A9C1520-4D96-4DDE-B04C-1C690069A2BE@technologytiger.net>
Message-ID: <48C55287.8050608@coders.co.uk>

Drew Marshall wrote:
>
> Interesting... So there is the potential that with say 10 children,
> each with 20 messages that I am going to need 200 SA children? I fear
> I will have run out of memory by then! Hmm...

Nope - they are processed sequentially - each batch will open a connection for the first message, wait for the response, close the connection, open the connection for the second message etc.

Once each message is finished there is a short delay whilst the server thread shuts down (updating bayes etc) before it can be used again. So it is possible for more than one child to be open per MS Child.

matt

From steve at fsl.com Mon Sep 8 17:34:58 2008
From: steve at fsl.com (Stephen Swaney) Date: Mon Sep 8 17:35:11 2008 Subject: Looking for a test mail generator (unthreaded) In-Reply-To: <20080908155906.GA17894@cgi.jachomes.com> References: <20080908155906.GA17894@cgi.jachomes.com> Message-ID: <48C55432.5020505@fsl.com> Jay R. Ashworth wrote: > I am not having a good day today. Twice. In 5 minutes... > > Unthreadjacked: > > > To test a new installation before a cutover, I'm trying to find (out > whether anyone has written) a program that can send a bunch of email to a > SMTP server, logging what it does (both logical and session level), so > that I can check that the results are what they should be. > > Optimally, I'd like something that worked like this: > > Provide it with 4 or 5 pieces of random spam, and 4 or 5 pieces of ham, > and have it try to -- in random order -- send each of the message bodies > to a) one or more provided valid addresses and b) one or more random > non-valid addresses on the provisioned domain, and c) one or more > completely random addresses. > > The goal, of course, is to make sure that what should pass through passes > through, what should bounce bounces, what shouldn't backscatter doesn't, > and what should deliver does. > > Has anyone already written this? I'm sure perl or python provides the > modules, but I'm not good enough at either to do it myself. I could > probably hack around something that does 60-70% of it into what I wanted, > though. > > Cheers, > -- jra > Jay, Look at http://www.snertsoft.com/sendmail/roundhouse/ I quote from Anthony Howe's site: "This is an SMTP multiplexer, which takes the input from an SMTP client connection and copies it to one or more SMTP servers. Intended as means to debug and test different mail server configurations using a production mail server's live data stream." 
You can test with your real mail stream:) Steve Steve Swaney steve@fsl.com Cell: 202 352.3262 Office: 202 595.7760, ext 601 www.fsl.com From aflynn at thornlawrence.com Mon Sep 8 17:38:30 2008 
From: aflynn at thornlawrence.com (Alanna Flynn) Date: Mon Sep 8 17:38:41 2008 Subject: Changing Host Companies Message-ID: Dear Mr. Fitzpatrick, I was given you're website by Earl Bryan. I work for the law firm of Thorn | Lawrence, P.L. Mr. Thorn is one of the senior partners I work for. We would like to discuss the cost and what type of information you would need in order to change host companies for one of our clients. Please contact me at the number below at your earliest convenience. Sincerely, Alanna M. Flynn Paralegal to Eric Thorn & Marcus Lawrence Thorn | Lawrence, P.L. 402 East Oak Avenue, Suite 101 Tampa, Florida 33602 Telephone No.: (813) 514-8355 Facsimile No.: (813) 223-1867 URL: http://www.thornlawrence.com Email: aflynn@thornlawrence.com The information transmitted is intended only for the person or entity to which it is addressed and may contain -confidential and/or privileged material. Any review, retransmission, dissemination or other use of this information by persons or entities other than the intended recipient(s) is unauthorized and prohibited. Any transmission of confidential and/or privileged material to persons or entities other than the intended recipient(s) shall not be construed as a waiver of any privilege or confidence. If you receive this transmission in error, please contact the sender and delete the material. This e-mail message and any attachment to this e-mail message contains confidential information that may be legally privileged. If you are not the intended recipient, you must not review, retransmit, convert to hard copy, copy, use, or disseminate this e-mail or any attachments to it. If you have received this e-mail in error, please notify us immediately by return e-mail or by telephone at 813.514.8355 and delete this message. 
Please note that if this e-mail message contains a forwarded message or is a reply to a prior message, some or all of the contents of this message or any attachments may not have been produced by the sender. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080908/1771368f/attachment.html From dominian at slackadelic.com Mon Sep 8 17:41:16 2008 From: dominian at slackadelic.com (Matt Hayes) Date: Mon Sep 8 17:41:31 2008 Subject: Changing Host Companies In-Reply-To: References: Message-ID: <48C555AC.7010500@slackadelic.com> Alanna Flynn wrote: > Dear Mr. Fitzpatrick, > > > > I was given you?re website by Earl Bryan. I work for the law firm of > Thorn | Lawrence, P.L. Mr. Thorn is one of the senior partners I work > for. We would like to discuss the cost and what type of information you > would need in order to change host companies for one of our clients. > Please contact me at the number below at your earliest convenience. > > > > Sincerely, > > > > Alanna M. Flynn > > Paralegal to Eric Thorn & Marcus Lawrence > > Thorn | Lawrence, P.L. > > 402 East Oak Avenue, Suite 101 > > Tampa, Florida 33602 > > Telephone No.: (813) 514-8355 > > Facsimile No.: (813) 223-1867 > > URL: http://www.thornlawrence.com > > Email: aflynn@thornlawrence.com > > > er.. what? Whom are you speaking to? -Matt From gary at sgluk.com Mon Sep 8 17:41:15 2008 
From: gary at sgluk.com (Gary Pentland)
Date: Mon Sep 8 17:41:33 2008
Subject: Looking for a test mail generator (unthreaded)
In-Reply-To:
References:
Message-ID:

This doesn't cover what you need but it is a very basic bulk mail sender... I posted it in case the bit that sends the mail (at the bottom) may be of use to you.

Hope that is of some help, when I get some time I'll have a go at writing a tool for this purpose as I'm guessing a few people will find it useful.

Gary

#!/usr/bin/perl -w
use Time::HiRes qw(usleep);

my $fromaddr        = "name\@domain.com";
my $pathtorecipfile = "./recipientfile";   # one recipient address per line
my $pathtomsgfile   = "./messagefile";     # any further headers, a blank line, then the body

my $messg = read_message_file($pathtomsgfile);

open_recipient_file($pathtorecipfile);
while (<RECIPS>) {
    chomp;
    my $emailaddy;
    # Take the first token made only of address-safe characters.
    if (/([-_A-Za-z0-9@.]+)/) {
        $emailaddy = $1;
    } else {
        print ("Parse error for $_\n");
        next;
    }
    send_email($emailaddy,$fromaddr,$messg);
    usleep 10;
    #DEBUG
    print ("$fromaddr\t$emailaddy\n");
    #DEBUG
}
close_recipient_file();

#####################################################
sub open_recipient_file {
    my ($path) = @_;
    open (RECIPS, '<', $path) or die "Can't Open Recipient File $path: $!\n";
}
#####################################################
sub close_recipient_file {
    close(RECIPS);
}
#####################################################
sub read_message_file {
    my ($path) = @_;
    open (MESGFILE, '<', $path) or die "Can't Open Message File $path: $!\n";
    my @msg = <MESGFILE>;
    close(MESGFILE);    # close before returning; after the return it was never reached
    return join "", @msg;
}
#####################################################
sub send_email {
    my ($toaddr,$fromaddr,$messg) = @_;
    # DEBUG
    # print "DEBUG\n";
    # print "From Address: $fromaddr\n";
    # print "To Address: $toaddr\n";
    # print "Message Body $messg\n";
    # print "END DEBUG\n\n\n";
    # DEBUG
    # List-form pipe open: sendmail is started without a shell, so $fromaddr
    # is passed as one argument and never parsed as shell syntax.
    open (SENDMAIL, '|-', '/usr/lib/sendmail', '-oi', '-t', '-odq', '-f', $fromaddr)
        or die "Can't fork Sendmail: $!\n";
    print SENDMAIL "From: $fromaddr\nTo: $toaddr\nReply-To: $fromaddr\n$messg\n";
    close (SENDMAIL) or warn "Sendmail didn't close nicely";
}
##################################################### From csweeney at osubucks.org Mon Sep 8 17:45:05 2008 From: csweeney at osubucks.org (Chris Sweeney) Date: Mon Sep 8 17:45:45 2008 Subject: Changing Host Companies In-Reply-To: References: Message-ID: <945799266-1220892308-cardhu_decombobulator_blackberry.rim.net-1958471061-@bxe207.bisx.prod.on.blackberry> Interesting spam. --- Home Phone $10 per month, only from T-Mobile ask me for more information! -----Original Message----- From: "Alanna Flynn" Date: Mon, 8 Sep 2008 12:38:30 To: Cc: Eric Thorn Subject: Changing Host Companies -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From jra at baylink.com Mon Sep 8 17:59:20 2008 
From: jra at baylink.com (Jay R. Ashworth) Date: Mon Sep 8 17:59:30 2008 Subject: Looking for a test mail generator (unthreaded) In-Reply-To: <48C55432.5020505@fsl.com> References: <20080908155906.GA17894@cgi.jachomes.com> <48C55432.5020505@fsl.com> Message-ID: <20080908165920.GA17955@cgi.jachomes.com> On Mon, Sep 08, 2008 at 12:34:58PM -0400, Stephen Swaney wrote: > Look at http://www.snertsoft.com/sendmail/roundhouse/ > > I quote from Anthony Howe's site: > > "This is an SMTP multiplexer, which takes the input from an SMTP client > connection and copies it to one or more SMTP servers. Intended as means > to debug and test different mail server configurations using a > production mail server's live data stream." > > You can test with your real mail stream:) I think someone else suggested that, in a query that I posted somewhere else last week. The problem is that part of what I need to test is the new server's ability to both terminate some mailboxes in the domain, and pass others through to my Exchange server that I can't kill yet. And that approach would cause me to end up with dupes on every message. Cheers, -- jra -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com '87 e24 St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274 Those who cast the vote decide nothing. Those who count the vote decide everything. -- (Josef Stalin) From Denis.Beauchemin at USherbrooke.ca Mon Sep 8 18:34:32 2008 
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Mon Sep 8 18:34:46 2008
Subject: ClamAV 0.94
In-Reply-To: <00b601c911cb$625b6580$6000a8c0@tecnica>
References: <05b401c911c1$0ee8fc00$6000a8c0@tecnica> <48C53B20.4090304@slackadelic.com><002301c911c4$0c5acfb0$6000a8c0@tecnica> <48C54066.10701@USherbrooke.ca><005901c911c7$81108f40$6000a8c0@tecnica> <48C547EB.1090203@USherbrooke.ca> <00b601c911cb$625b6580$6000a8c0@tecnica>
Message-ID: <48C56228.4070307@USherbrooke.ca>

Jose Julian Buda wrote:
>
> ----- Original Message -----
> From: "Denis Beauchemin"
> To: "MailScanner discussion"
> Sent: Monday, September 08, 2008 12:42 PM
> Subject: Re: ClamAV 0.94
>
>
>> This is what i get :
>>
>> proxymails:~# MailScanner --lint
>> Read 748 hostnames from the phishing whitelist
>> MailScanner setting GID to (104)
>> MailScanner setting UID to (100)
>>
>> Checking for SpamAssassin errors (if you use it)...
>> Using SpamAssassin results cache
>> Connected to SpamAssassin cache database
>> SpamAssassin reported no errors.
>> Using locktype = flock
>> MailScanner.conf says "Virus Scanners = clamav"
>> Found these virus scanners installed: clamav
>> proxymails:~#
> Jose Julian,
>
> I don't see a version number in the output. I think your version of MS
> is probably quite old. You should upgrade to the latest stable version
> because you cannot run Clam 0.94 with an old version of MS. Clam changed
> too many things lately.
>
> Denis
>
> i have this installed :
>
> proxymails:~# apt-cache show mailscanner
> Package: mailscanner
> Priority: optional
> Section: mail
> Installed-Size: 3836
> Maintainer: Debian QA Group
> Architecture: all
> Version: 4.55.10-3
>
>
> How can i get a newer?
> Is that the problem?

Jose Julian,

Your version is *really* old! You really should upgrade!!

I don't run MS on a Debian-based Linux... but I found this in the wiki:
http://wiki.mailscanner.info/doku.php?id=how_to_setup_mailscanner_on_ubuntu_8.04

It should point you in the right direction.

Denis

--
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From ssilva at sgvwater.com Mon Sep 8 19:09:36 2008
From: ssilva at sgvwater.com (Scott Silva) Date: Mon Sep 8 19:10:45 2008 Subject: ClamAV 0.94 In-Reply-To: <05b401c911c1$0ee8fc00$6000a8c0@tecnica> References: <05b401c911c1$0ee8fc00$6000a8c0@tecnica> Message-ID: on 9-8-2008 7:42 AM Jose Julian Buda spake the following: > Hi , I have a mail server with : > Debian etch > Postfix > Mailscanner > Clamav > > Yesterday it work fine catching virus, but todat i've made an upgrade > from clamav 0.93 to 0.94 and then > the process stop catching mail with virus, i mean , the mails are stoped > anyway by "No programs allowed" with mailscanner because of the > extensions file, but there is not any message or report from "ClamAv". > > I have a txt file with eicar string , if i run on server: > > cat filewitheicar.txt | mail jbuda@noticiasargentinas.com > > the mail pass through the mailscanner and the workstation's antivirus > alert me abourt the eicar strings. > > Why the mailscanner stop using clamav? > > Thank you any help about this. > > Sorry about my english > > Jose Julian Buda There is a problem with mailscanner and the 0.94 clamscan. There is a patch floating on the mailing list, or you can load the next beta, which might have the patch in it. Or better yet, run clamd and use it. It is much faster, and has a lower system load. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080908/35e27873/signature.bin From jbuda at noticiasargentinas.com Mon Sep 8 19:29:54 2008 From: jbuda at noticiasargentinas.com (Jose Julian Buda) Date: Mon Sep 8 19:29:53 2008 Subject: ClamAV 0.94 References: <05b401c911c1$0ee8fc00$6000a8c0@tecnica> Message-ID: <023401c911e0$e3b8b7d0$6000a8c0@tecnica> ----- Original Message ----- 
From: "Scott Silva" To: Sent: Monday, September 08, 2008 3:09 PM Subject: Re: ClamAV 0.94 > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > __________ Informacisn de NOD32, revisisn 3424 (20080907) __________ > > Este mensaje ha sido analizado con NOD32 antivirus system > http://www.nod32.com > > Thank you . Now, the clamd daemon is running, how do i tell the mailscanner to use it? Thank you again Jose Julian Buda From Denis.Beauchemin at USherbrooke.ca Mon Sep 8 19:38:04 2008 From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Mon Sep 8 19:38:22 2008 Subject: ClamAV 0.94 In-Reply-To: <023401c911e0$e3b8b7d0$6000a8c0@tecnica> References: <05b401c911c1$0ee8fc00$6000a8c0@tecnica> <023401c911e0$e3b8b7d0$6000a8c0@tecnica> Message-ID: <48C5710C.6010009@USherbrooke.ca> Jose Julian Buda a ?crit : > > ----- Original Message ----- 
From: "Scott Silva" > To: > Sent: Monday, September 08, 2008 3:09 PM > Subject: Re: ClamAV 0.94 > > >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> >> __________ Informacisn de NOD32, revisisn 3424 (20080907) __________ >> >> Este mensaje ha sido analizado con NOD32 antivirus system >> http://www.nod32.com >> >> > > Thank you . > > Now, the clamd daemon is running, how do i tell the mailscanner to use > it? > > Thank you again > Jose Julian Buda > > Jose Julian, I believe your MS version is too old to know about clamd... You really need to upgrade! Denis -- _ ?v? Denis Beauchemin, analyste /(_)\ Universit? de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045 From ssilva at sgvwater.com Mon Sep 8 20:00:11 2008 
From: ssilva at sgvwater.com (Scott Silva) Date: Mon Sep 8 20:01:17 2008 Subject: AW: Using Spamd rather than the SpamAssassin Library In-Reply-To: <7A9C1520-4D96-4DDE-B04C-1C690069A2BE@technologytiger.net> References: <48C1941F.40703@coders.co.uk> <5851C691-2A38-40CC-9134-73427193F4D7@technologytiger.net> <48C1ACE0.5020708@coders.co.uk> <48C2E9B8.9090801@coders.co.uk> <520F0D8E-EA1E-499C-B899-FB0342DA061A@technologytiger.net> <48C52509.3080405@coders.co.uk> <7A9C1520-4D96-4DDE-B04C-1C690069A2BE@technologytiger.net> Message-ID: on 9-8-2008 8:27 AM Drew Marshall spake the following: > On 8 Sep 2008, at 14:13, Matt Hampton wrote: > >> Drew Marshall wrote: >>> >>> One small question, so I can try to tune things a little more. How >>> does MS hand the batch over to spamd? Is this one batch per spamd >>> child? I have started spamd with an optimistic -m 30 and my MS 10 >>> children are romping 20+ SA children, which seems a bit high. >> It does one per message - as there is the possibility that you are >> using a different user for each message. I haven't seen this cause a >> slowdown and even with 20 children, it will still be using less than >> 10 copies of the rules in MailScanner. >> Can you see what status they are in (it will be in the maillog) > > Interesting... So there is the potential that with say 10 children, each > with 20 messages that I am going to need 200 SA children? I fear I will > have run out of memory by then! Hmm... > I think the spamd children use much less memory then the children started by MailScanner. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080908/0ddc13da/signature.bin From ssilva at sgvwater.com Mon Sep 8 20:06:56 2008 
From: ssilva at sgvwater.com (Scott Silva) Date: Mon Sep 8 20:08:05 2008 Subject: Changing Host Companies In-Reply-To: <945799266-1220892308-cardhu_decombobulator_blackberry.rim.net-1958471061-@bxe207.bisx.prod.on.blackberry> References: <945799266-1220892308-cardhu_decombobulator_blackberry.rim.net-1958471061-@bxe207.bisx.prod.on.blackberry> Message-ID: on 9-8-2008 9:45 AM Chris Sweeney spake the following: > Interesting spam. > --- > Home Phone $10 per month, only from T-Mobile ask me for more information! > Isn't the T-Mobile ad also spam? Although I'm sure that T-Mobile is adding that for you without your knowledge. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080908/4d139021/signature.bin From hvdkooij at vanderkooij.org Mon Sep 8 20:08:17 2008 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Mon Sep 8 20:08:27 2008 Subject: Officecat (Sourcefire) In-Reply-To: References: Message-ID: <48C57821.1060306@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Andrews Carl 448 wrote: > Link: http://www.snort.org/vrt/tools/officecat.html > > I just read about this, it might be something useful to add to an email > gateway. There are windows and linux (compiled against ubuntu) executables. > Where I read: OfficeCat is a command line utility that can be used to process Microsoft Office Documents for the presence of potential exploit conditions in the file. The tool is used on Windows systems and is provided as a binary executable. That unbuntu stuff is just some wine wrapper. So why not use the original windows stuff and setup wine yourself. Why they have choosen to do a windows only version is something SourceFire might never answer. But I find it rather disturbing. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFIxXggBvzDRVjxmYERAghiAJ9T3F4gJHmvdQMk3+zwcnZjJlcduACdE1iq Ou9cdc+ZIPxwnUW2F/fzvtg= =N8q0 -----END PGP SIGNATURE----- From jra at baylink.com Mon Sep 8 20:19:40 2008 
From: jra at baylink.com (Jay R. Ashworth) Date: Mon Sep 8 20:19:50 2008 Subject: Changing Host Companies In-Reply-To: References: <945799266-1220892308-cardhu_decombobulator_blackberry.rim.net-1958471061-@bxe207.bisx.prod.on.blackberry> Message-ID: <20080908191940.GO17955@cgi.jachomes.com> On Mon, Sep 08, 2008 at 12:06:56PM -0700, Scott Silva wrote: > on 9-8-2008 9:45 AM Chris Sweeney spake the following: > >Interesting spam. > >--- > >Home Phone $10 per month, only from T-Mobile ask me for more information! > > > Isn't the T-Mobile ad also spam? > Although I'm sure that T-Mobile is adding that for you without your > knowledge. IME, no, it's not, even if he had put it there himself. Spam, to me, is a) unsolicited mail whose b) sole purpose is to solicit a sale. If he had that in his sig on a message he posted to a conversation which contained otherwise useful information (however slight), then I don't call it spam, myself. If it was someone *else's* thread, and he just perked in to say "meetoo!", then you have to look further, to things like "is the person a regular contributor", etc... If Spam were black and white, SA wouldn't have so many lines of code. :-) Cheers, -- jra -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com '87 e24 St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274 Those who cast the vote decide nothing. Those who count the vote decide everything. -- (Josef Stalin) From ssilva at sgvwater.com Mon Sep 8 20:14:46 2008 
From: ssilva at sgvwater.com (Scott Silva) Date: Mon Sep 8 20:20:15 2008 Subject: ClamAV 0.94 In-Reply-To: <023401c911e0$e3b8b7d0$6000a8c0@tecnica> References: <05b401c911c1$0ee8fc00$6000a8c0@tecnica> <023401c911e0$e3b8b7d0$6000a8c0@tecnica> Message-ID: >> > > Thank you . > > Now, the clamd daemon is running, how do i tell the mailscanner to use it? > > Thank you again You will need to upgrade your mailscanner version. Debian uses a version that is probably 3 years old by now. In MailScanner time that is like 30 generations. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080908/86fc1ea7/signature.bin From jra at baylink.com Mon Sep 8 20:22:08 2008 From: jra at baylink.com (Jay R. Ashworth) Date: Mon Sep 8 20:22:17 2008 Subject: Officecat (Sourcefire) In-Reply-To: <48C57821.1060306@vanderkooij.org> References: <48C57821.1060306@vanderkooij.org> Message-ID: <20080908192208.GP17955@cgi.jachomes.com> On Mon, Sep 08, 2008 at 09:08:17PM +0200, Hugo van der Kooij wrote: > Why they have choosen to do a windows only version is something > SourceFire might never answer. But I find it rather disturbing. Bet cash it's because they decided to leverage some .NET module or something... Cheers, -- jra -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com '87 e24 St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274 Those who cast the vote decide nothing. Those who count the vote decide everything. -- (Josef Stalin) From hvdkooij at vanderkooij.org Mon Sep 8 20:27:55 2008 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Mon Sep 8 20:28:08 2008
Subject: Looking for a test mail generator (unthreaded)
In-Reply-To: <20080908155906.GA17894@cgi.jachomes.com>
References: <20080908155906.GA17894@cgi.jachomes.com>
Message-ID: <48C57CBB.3000508@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jay R. Ashworth wrote:
> I am not having a good day today. Twice. In 5 minutes...
>
> Unthreadjacked:
>
>
> To test a new installation before a cutover, I'm trying to find (out
> whether anyone has written) a program that can send a bunch of email to a
> SMTP server, logging what it does (both logical and session level), so
> that I can check that the results are what they should be.

A sender only has the view of what it communicates with the receiver. Whatever happens after the receiver takes over is anyone's guess. But it is not of any concern to the sender anymore.

So I fail to see how you could do this on a session level from the sender.

I would say that just doing a darn good job of configuring things right and bringing it live is the best test.

I have written some code to do a keepalive check to see if the whole spam and AV chain works. The sending part is peanuts in perl. The verification part was the tough part.

The chain goes like:

    TEST server ==> Spam box ==> AV box ==> TEST server

So I end up by getting what I did send out if nothing breaks down. But it is a twist in that I need to configure an extra domain into my customer configuration to do this.

Hugo.

- --
hvdkooij@vanderkooij.org	http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

	A: Yes.
	>Q: Are you sure?
	>>A: Because it reverses the logical flow of conversation.
	>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFIxXy4BvzDRVjxmYERAsDvAJ9McGXLV/21HQiaCPdklCaovyLENwCeK08l HY/Ivij0U2WUkUv6/1IrzIU= =RXH6 -----END PGP SIGNATURE----- From hvdkooij at vanderkooij.org Mon Sep 8 20:41:06 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Mon Sep 8 20:41:16 2008 Subject: ClamAV 0.94 In-Reply-To: References: <05b401c911c1$0ee8fc00$6000a8c0@tecnica> <023401c911e0$e3b8b7d0$6000a8c0@tecnica> Message-ID: <48C57FD2.1050807@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Scott Silva wrote: >> Now, the clamd daemon is running, how do i tell the mailscanner to use >> it? > You will need to upgrade your mailscanner version. Debian uses a version > that is probably 3 years old by now. In MailScanner time that is like 30 > generations. In spam terms that is about 15 generations ago. I would recommend that Jules defines a version policy about how many versions back something is considered too old to be even bothered with and notification is send to the Debian team that their prehistoric version is too old to keep in there system. Keeping up was my greatest concern in regard to building a repository for MailScanner. Hugo. PS: Did anyone bother to check the awstats statistics? - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFIxX/QBvzDRVjxmYERAt2sAKCR7jMDpQbK5fJpbbNc2P1TUJ2KzACaA0cx 6sYd4wVHEwQAFrc6UNH7Jpk= =MyeK -----END PGP SIGNATURE----- From mark at msapiro.net Mon Sep 8 22:09:56 2008 
From: mark at msapiro.net (Mark Sapiro)
Date: Mon Sep 8 22:10:07 2008
Subject: Italian spam
In-Reply-To: <00cb01c911b2$77512fb0$2501a8c0@dbdomain.database.it>
References: <015e01c90f27$72acd3c0$2501a8c0@dbdomain.database.it> <00cb01c911b2$77512fb0$2501a8c0@dbdomain.database.it>
Message-ID: <20080908210956.GA2516@msapiro>

On Mon, Sep 08, 2008 at 02:57:35PM +0200, Marcello Anderlini wrote:
> I have these file in /root/.spamassassin. In /var/spool/MailScanner/ I have
> not nothing except a SpamAssassin.cache.db in
> /var/spool/MailScanner/incoming
>
> I do not use spamd but spamassassin it's called from Mailscanner.
>
> It's correct ?

So if you run sa-learn as root, it updates the bayes files in /root/.spamassassin/

If MailScanner is also running as root, it is probably also using the same bayes files and should be learning from your sa-learn, but if it is running as some other user it may be using a different set.

Try

    find / -name bayes.mutex

and see if you find any other sets of spamassassin bayes files.

> bayes.mutex
> bayes_journal
> bayes_toks
> bayes_seen

--
Mark Sapiro mark at msapiro net         The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From edward at tdcs.com.au Tue Sep 9 00:37:51 2008
From: edward at tdcs.com.au (Edward Dekkers) Date: Tue Sep 9 00:38:46 2008 Subject: Looking for a test mail generator (unthreaded) In-Reply-To: <20080908155906.GA17894@cgi.jachomes.com> References: <20080908155906.GA17894@cgi.jachomes.com> Message-ID: > I am not having a good day today. Twice. In 5 minutes... > > Unthreadjacked: > > > To test a new installation before a cutover, I'm trying to find (out > whether anyone has written) a program that can send a bunch of email to > a > SMTP server, logging what it does (both logical and session level), so > that I can check that the results are what they should be. > > Optimally, I'd like something that worked like this: > > Provide it with 4 or 5 pieces of random spam, and 4 or 5 pieces of ham, > and have it try to -- in random order -- send each of the message > bodies > to a) one or more provided valid addresses and b) one or more random > non-valid addresses on the provisioned domain, and c) one or more > completely random addresses. > > The goal, of course, is to make sure that what should pass through > passes > through, what should bounce bounces, what shouldn't backscatter > doesn't, > and what should deliver does. > > Has anyone already written this? I'm sure perl or python provides the > modules, but I'm not good enough at either to do it myself. I could > probably hack around something that does 60-70% of it into what I > wanted, > though. > > Cheers, > -- jra Could you use this as a base? http://tools.declude.com/ Regards, Ed. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From jim.barber at ddihealth.com Tue Sep 9 02:38:41 2008 
From: jim.barber at ddihealth.com (Jim Barber)
Date: Tue Sep 9 02:39:06 2008
Subject: ClamAV 0.94
In-Reply-To: <48C57FD2.1050807@vanderkooij.org>
References: <05b401c911c1$0ee8fc00$6000a8c0@tecnica> <023401c911e0$e3b8b7d0$6000a8c0@tecnica> <48C57FD2.1050807@vanderkooij.org>
Message-ID: <48C5D3A1.9010201@ddihealth.com>

Hugo van der Kooij wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Scott Silva wrote:
>
>>> Now, the clamd daemon is running, how do i tell the mailscanner to use
>>> it?
>
>> You will need to upgrade your mailscanner version. Debian uses a version
>> that is probably 3 years old by now. In MailScanner time that is like 30
>> generations.
>
> In spam terms that is about 15 generations ago.
>
> I would recommend that Jules defines a version policy about how many
> versions back something is considered too old to be even bothered with
> and notification is send to the Debian team that their prehistoric
> version is too old to keep in there system.
>
> Keeping up was my greatest concern in regard to building a repository
> for MailScanner.
>
> Hugo.
>
> PS: Did anyone bother to check the awstats statistics?

The version of MailScanner in Debian's testing / lenny distribution is 4.68.8. That's also really old, but it does have the ability to use clamd (I'm using it successfully).

To use it I needed to add the Debian-exim user to the clamav group. I also added the clamav user to the Debian-exim group, but you may be able to avoid that by setting "Incoming Work Group = clamav" in the config below.

Then you need to set a few values in your /etc/MailScanner/MailScanner.conf file:

    Incoming Work Permissions = 0660
    Virus Scanners = clamd
    Monitors for ClamAV Updates = /var/lib/clamav/*.inc/* /var/lib/clamav/*.cvd

Regards,

----------
Jim Barber
DDI Health

From m.anderlini at database.it Tue Sep 9 09:49:57 2008
From: m.anderlini at database.it (Marcello Anderlini)
Date: Tue Sep 9 09:50:27 2008
Subject: R: Italian spam
In-Reply-To: <20080908210956.GA2516@msapiro>
References: <015e01c90f27$72acd3c0$2501a8c0@dbdomain.database.it> <00cb01c911b2$77512fb0$2501a8c0@dbdomain.database.it> <20080908210956.GA2516@msapiro>
Message-ID: <01b801c91259$09578610$2501a8c0@dbdomain.database.it>

I have not found any bayes.mutex. So could I be sure that spamassassin is
using the bayes database stored in /root/.spamassassin ?


Dr. Marcello Anderlini
m.anderlini@database.it
---------------------------------------------
Database Informatica S.r.l.
Microsoft Certified Partner
Tel. +39059775070
Fax. +39059779545
http://www.database.it
---------------------------------------------

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On behalf of Mark Sapiro
Sent: Monday 8 September 2008 23.10
To: MailScanner discussion
Subject: Re: Italian spam

On Mon, Sep 08, 2008 at 02:57:35PM +0200, Marcello Anderlini wrote:
> I have these files in /root/.spamassassin. In /var/spool/MailScanner/ I
> have nothing except a SpamAssassin.cache.db in
> /var/spool/MailScanner/incoming
>
> I do not use spamd but spamassassin is called from Mailscanner.
>
> Is it correct ?


So if you run sa-learn as root, it updates the bayes files in
/root/.spamassassin/

If MailScanner is also running as root, it is probably also using the same
bayes files and should be learning from your sa-learn, but if it is running
as some other user it may be using a different set.

Try

find / -name bayes.mutex

and see if you find any other sets of spamassassin bayes files.


> bayes.mutex
> bayes_journal
> bayes_toks
> bayes_seen

--
Mark Sapiro mark at msapiro net       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

--
Message checked by the antivirus service of Database Informatica

--
Message checked by the antivirus service of Database Informatica

From glenn.steen at gmail.com Tue Sep 9 10:14:07 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Sep 9 10:14:17 2008
Subject: Looking for a test mail generator
In-Reply-To: <20080908153817.GK17489@cgi.jachomes.com>
References: <48C53B20.4090304@slackadelic.com> <002301c911c4$0c5acfb0$6000a8c0@tecnica> <20080908153817.GK17489@cgi.jachomes.com>
Message-ID: <223f97700809090214v215d35b8m8f2f97363d3a15c2@mail.gmail.com>

2008/9/8 Jay R. Ashworth :
> To test a new installation before a cutover, I'm trying to find (out
> whether anyone has written) a program that can send a bunch of email to a
> SMTP server, logging what it does (both logical and session level), so
> that I can check that the results are what they should be.
>
> Optimally, I'd like something that worked like this:
>
> Provide it with 4 or 5 pieces of random spam, and 4 or 5 pieces of ham,
> and have it try to -- in random order -- send each of the message bodies
> to a) one or more provided valid addresses and b) one or more random
> non-valid addresses on the provisioned domain, and c) one or more
> completely random addresses.
>
> The goal, of course, is to make sure that what should pass through passes
> through, what should bounce bounces, what shouldn't backscatter doesn't,
> and what should deliver does.
>
> Has anyone already written this? I'm sure perl or python provides the
> modules, but I'm not good enough at either to do it myself. I could
> probably hack around something that does 60-70% of it into what I wanted,
> though.
>
> Cheers,
> -- jra

This is not the first time this has cropped up... Generally the
consensus has so far been that nothing beats the real thing... namely
your current incoming mailflow.
One would base the approach to do something like this (stress
test/validation) on an appropriate tool for your MTA to split off the
incoming mailflow ("copy" it) to the new machine... Something like
roundhouse for sendmail, or always_bcc for Postfix. Care has to be
taken that you don't actually deliver anything from the new box
though:-).
If you trawl the list archives (via gmane, perhaps) you should be able
to find Jules' excellent summary of "what's involved and how to do it".
Generally speaking... a lot of work;).

If all you need is a few (10 was it) "synthetic" messages... Why then
some handcrafting and telnet is all you really need;-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From rabellino at di.unito.it Tue Sep 9 11:33:52 2008
From: rabellino at di.unito.it (Sergio Rabellino)
Date: Tue Sep 9 11:34:29 2008
Subject: R: Italian spam
In-Reply-To: <01b801c91259$09578610$2501a8c0@dbdomain.database.it>
References: <015e01c90f27$72acd3c0$2501a8c0@dbdomain.database.it> <00cb01c911b2$77512fb0$2501a8c0@dbdomain.database.it> <20080908210956.GA2516@msapiro> <01b801c91259$09578610$2501a8c0@dbdomain.database.it>
Message-ID: <48C65110.1070908@di.unito.it>

The following is my configuration:

check the spam.assassin.prefs.conf in the etc directory of
MailScanner for a line like

bayes_path /opt/MailScanner/etc/bayes/bayes

The last bayes is the filename prefix for the bayes database, and in
the directory
/opt/MailScanner/etc/bayes you will find something like these

-rw-r--r-- 1 root root 36 Sep 9 12:30 bayes.mutex
-rw-rw-rw- 1 root other 77736 Sep 9 12:30 bayes_journal
-rw-r--r-- 1 root root 41967616 Sep 9 12:30 bayes_seen
-rw-r--r-- 1 root root 167772160 Sep 9 12:30 bayes_toks

Now using the -C /opt/MailScanner/etc/spam.assassin.prefs.conf
parameter for sa-learn, you'll point your learner to the same database
used by mailscanner.
I'm using this config and the italian spam was detected after 3 users
submitted their messages as spam.

Bye.

Marcello Anderlini wrote:
> I have not found any bayes.mutex. So could I be sure that spamassassin is
> using the bayes database stored in /root/.spamassassin ?
>
>
> Dr. Marcello Anderlini
> m.anderlini@database.it
> ---------------------------------------------
> Database Informatica S.r.l.
> Microsoft Certified Partner
> Tel. +39059775070
> Fax. +39059779545
> http://www.database.it
> ---------------------------------------------
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On behalf of Mark Sapiro
> Sent: Monday 8 September 2008 23.10
> To: MailScanner discussion
> Subject: Re: Italian spam
>
> On Mon, Sep 08, 2008 at 02:57:35PM +0200, Marcello Anderlini wrote:
>
>> I have these files in /root/.spamassassin. In /var/spool/MailScanner/ I
>> have nothing except a SpamAssassin.cache.db in
>> /var/spool/MailScanner/incoming
>>
>> I do not use spamd but spamassassin is called from Mailscanner.
>>
>> Is it correct ?
>>
>
>
> So if you run sa-learn as root, it updates the bayes files in
> /root/.spamassassin/
>
> If MailScanner is also running as root, it is probably also using the same
> bayes files and should be learning from your sa-learn, but if it is running
> as some other user it may be using a different set.
>
> Try
>
> find / -name bayes.mutex
>
> and see if you find any other sets of spamassassin bayes files.
>
>
>
>> bayes.mutex
>> bayes_journal
>> bayes_toks
>> bayes_seen
>>
>
>

--
Ing. Sergio Rabellino

Università degli Studi di Torino
Dipartimento di Informatica
ICT Services Director
Tel +39-0116706701 Fax +39-011751603
C.so Svizzera , 185 - 10149 - Torino

-------------- next part --------------
Skipped content of type multipart/related

From ram at netcore.co.in Tue Sep 9 11:40:41 2008
From: ram at netcore.co.in (ram)
Date: Tue Sep 9 11:41:06 2008
Subject: Is MailScanner affected by the Redhat bug
Message-ID: <1220956841.6938.23.camel@darkstar.netcore.co.in>

Redhat & Centos distros seem to have a performance issue with perl
http://blog.vipul.net/2008/08/24/redhat-perl-what-a-tragedy/


I have all my servers running MailScanner on Centos. Is MailScanner
greatly affected by the Bug ?
Should I upgrade perl on my machines ?



Thanks
Ram

From J.Ede at birchenallhowden.co.uk Tue Sep 9 11:49:37 2008
From: J.Ede at birchenallhowden.co.uk (Jason Ede)
Date: Tue Sep 9 11:51:05 2008
Subject: Is MailScanner affected by the Redhat bug
In-Reply-To: <1220956841.6938.23.camel@darkstar.netcore.co.in>
References: <1220956841.6938.23.camel@darkstar.netcore.co.in>
Message-ID: <4CAB0118AEC63A4FAAE77E6BCBDF760C792A26CDD7@server02.bhl.local>

There isn't currently a patch out on CentOS yet for this issue or if there is it hasn't been slip-streamed into the main yum repository...

Currently it's either wait or download and compile your own version of perl.

Jason
________________________________________
From: mailscanner-bounces@lists.mailscanner.info [mailscanner-bounces@lists.mailscanner.info] On Behalf Of ram [ram@netcore.co.in]
Sent: 09 September 2008 11:40
To: MailScanner discussion
Subject: Is MailScanner affected by the Redhat bug

Redhat & Centos distros seem to have a performance issue with perl
http://blog.vipul.net/2008/08/24/redhat-perl-what-a-tragedy/


I have all my servers running MailScanner on Centos. Is MailScanner
greatly affected by the Bug ?
Should I upgrade perl on my machines ?



Thanks
Ram

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From dean.plant at roke.co.uk Tue Sep 9 12:13:36 2008
From: dean.plant at roke.co.uk (Plant, Dean)
Date: Tue Sep 9 12:13:49 2008
Subject: Is MailScanner affected by the Redhat bug
In-Reply-To: <4CAB0118AEC63A4FAAE77E6BCBDF760C792A26CDD7@server02.bhl.local>
Message-ID: <2181C5F19DD0254692452BFF3EAF1D68039412B4@rsys005a.comm.ad.roke.co.uk>

Jason Ede wrote:
> There isn't currently a patch out on CentOS yet for this issue or if
> there is it hasn't been slip-streamed into the main yum repository...
>
> Currently its either wait or download and compile own version of perl.
>

http://www.karan.org/blog/index.php/2008/09/08/slow-perl-on-centos-5-potential-fix

From gmatt at nerc.ac.uk Tue Sep 9 13:01:07 2008
From: gmatt at nerc.ac.uk (Greg Matthews)
Date: Tue Sep 9 13:01:52 2008
Subject: Is MailScanner affected by the Redhat bug
In-Reply-To: <1220956841.6938.23.camel@darkstar.netcore.co.in>
References: <1220956841.6938.23.camel@darkstar.netcore.co.in>
Message-ID: <48C66583.70800@nerc.ac.uk>

ram wrote:
> I have all my servers running MailScanner on Centos. Is MailScanner
> greatly affected by the Bug ?
> Should I upgrade perl on my machines ?

I ran tests last week on CentOS 4 and CentOS 5. CentOS 4.6 is
unaffected but CentOS 5.2 does contain the bug. However, it is not clear
that this performance issue unduly affects MailScanner as other
latencies are likely to dominate.

G

>
>
>
> Thanks
> Ram
>
>
>
>

--
Greg Matthews 01491 692445
Head of UNIX/Linux, iTSS Wallingford

--
This message (and any attachments) is for the recipient only. NERC
is subject to the Freedom of Information Act 2000 and the contents
of this email and any reply you make may be disclosed by NERC unless
it is exempt from release under the Act. Any material supplied to
NERC may be stored in an electronic records management system.

From csweeney at osubucks.org Tue Sep 9 14:07:18 2008
From: csweeney at osubucks.org (Chris Sweeney)
Date: Tue Sep 9 14:07:41 2008
Subject: Is MailScanner affected by the Redhat bug
In-Reply-To: <1220956841.6938.23.camel@darkstar.netcore.co.in>
References: <1220956841.6938.23.camel@darkstar.netcore.co.in>
Message-ID: <30334.65.161.188.11.1220965638.squirrel@webmail.osubucks.org>

> Redhat & Centos distros seem to have a performance issue with perl
> http://blog.vipul.net/2008/08/24/redhat-perl-what-a-tragedy/
>
>
> I have all my servers running MailScanner on Centos. Is MailScanner
> greatly affected by the Bug ?
> Should I upgrade perl on my machines ?
>

From: http://people.centos.org/z00dax/bz379791/

#
# This small repo contains a patched version of perl to fix
# the issues raised on : https://bugzilla.redhat.com/show_bug.cgi?id=379791
# for CentOS-5. Only i386 and x86_64 packages are provided.
#
# There has been some testing done on the centos-devel list, however you should
# still test it yourself before deploying into production
#
# to install these packages :
# cd /etc/yum.repos.d/; wget http://people.centos.org/z00dax/bz379791/bz379791.repo
# yum --enablerepo=c5-bz379791 update perl
#
#

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From martinh at solidstatelogic.com Tue Sep 9 14:15:22 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Tue Sep 9 14:15:36 2008
Subject: Is MailScanner affected by the Redhat bug
In-Reply-To: <30334.65.161.188.11.1220965638.squirrel@webmail.osubucks.org>
Message-ID: <4841c96f9899f946a9ea3f1a3d0b7d20@solidstatelogic.com>

Chris

Just doing some checking of our mailscanner system that I won't bore you with but I notice you've got an issue with your setup.

In Mailscanner.conf your %org-name% has a '.' in it that can upset some MTA's.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Chris Sweeney
> Sent: 09 September 2008 14:07
> To: MailScanner discussion
> Subject: Re: Is MailScanner affected by the Redhat bug
>
> > Redhat & Centos distros seem to have a performance issue with perl
> > http://blog.vipul.net/2008/08/24/redhat-perl-what-a-tragedy/
> >
> >
> > I have all my servers running MailScanner on Centos. Is MailScanner
> > greatly affected by the Bug ?
> > Should I upgrade perl on my machines ?
> >
> From:
> http://people.centos.org/z00dax/bz379791/
>
> #
> # This small repo contains a patched version of perl to fix #
> the issues raised on :
> https://bugzilla.redhat.com/show_bug.cgi?id=379791
> # for CentOS-5. Only i386 and x86_64 packages are provided.
> #
> # There has been some testing done on the centos-devel list,
> however you should # still test it yourself before deploying
> into production # # to install these packages :
> # cd /etc/yum.repos.d/; wget
> http://people.centos.org/z00dax/bz379791/bz379791.repo
> # yum --enablerepo=c5-bz379791 update perl # #
>
>
>
> --
> This message has been scanned for viruses and dangerous
> content by MailScanner, and is believed to be clean.
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

**********************************************************************
Confidentiality : This e-mail and any attachments are intended for the
addressee only and may be confidential. If they come to you in error
you must take no action based on them, nor must you copy or show them
to anyone. Please advise the sender by replying to this e-mail
immediately and then delete the original from your computer.
Opinion : Any opinions expressed in this e-mail are entirely those of
the author and unless specifically stated to the contrary, are not
necessarily those of the author's employer.
Security Warning : Internet e-mail is not necessarily a secure
communications medium and can be subject to data corruption. We advise
that you consider this fact when e-mailing us.
Viruses : We have taken steps to ensure that this e-mail and any
attachments are free from known viruses but in keeping with good
computing practice, you should ensure that they are virus free.

Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales
(Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU,
United Kingdom
**********************************************************************

From m.anderlini at database.it Tue Sep 9 14:26:06 2008
From: m.anderlini at database.it (Marcello Anderlini)
Date: Tue Sep 9 14:26:27 2008
Subject: R: R: Italian spam
In-Reply-To: <48C65110.1070908@di.unito.it>
References: <015e01c90f27$72acd3c0$2501a8c0@dbdomain.database.it> <00cb01c911b2$77512fb0$2501a8c0@dbdomain.database.it> <20080908210956.GA2516@msapiro> <01b801c91259$09578610$2501a8c0@dbdomain.database.it> <48C65110.1070908@di.unito.it>
Message-ID: <021b01c9127f$9d6ea330$2501a8c0@dbdomain.database.it>

Skipped content of type multipart/alternative
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 4570 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080909/826c40e5/attachment.jpe

From csweeney at osubucks.org Tue Sep 9 14:42:47 2008
From: csweeney at osubucks.org (Chris Sweeney)
Date: Tue Sep 9 14:43:07 2008
Subject: Is MailScanner affected by the Redhat bug
In-Reply-To: <4841c96f9899f946a9ea3f1a3d0b7d20@solidstatelogic.com>
References: <30334.65.161.188.11.1220965638.squirrel@webmail.osubucks.org> <4841c96f9899f946a9ea3f1a3d0b7d20@solidstatelogic.com>
Message-ID: <51607.65.161.188.11.1220967767.squirrel@webmail.osubucks.org>

Hey thanks I'll check it out when I get back in tonight.

> Chris
>
> Just doing some checking of out mailscanner system that I won't bore you
> with but I notice you've got an issue with your setup.
>
> In Mailscanner.conf your %org-name% has a '.' in it that can upset some
> MTA's.
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
>> Of Chris Sweeney
>> Sent: 09 September 2008 14:07
>> To: MailScanner discussion
>> Subject: Re: Is MailScanner affected by the Redhat bug
>>
>> > Redhat & Centos distros seem to have a performance issue with perl
>> > http://blog.vipul.net/2008/08/24/redhat-perl-what-a-tragedy/
>> >
>> >
>> > I have all my servers running MailScanner on Centos. Is MailScanner
>> > greatly affected by the Bug ?
>> > Should I upgrade perl on my machines ?
>> >
>> From:
>> http://people.centos.org/z00dax/bz379791/
>>
>> #
>> # This small repo contains a patched version of perl to fix #
>> the issues raised on :
>> https://bugzilla.redhat.com/show_bug.cgi?id=379791
>> # for CentOS-5. Only i386 and x86_64 packages are provided.
>> #
>> # There has been some testing done on the centos-devel list,
>> however you should # still test it yourself before deploying
>> into production # # to install these packages :
>> # cd /etc/yum.repos.d/; wget
>> http://people.centos.org/z00dax/bz379791/bz379791.repo
>> # yum --enablerepo=c5-bz379791 update perl # #
>>
>>
>>
>> --
>> This message has been scanned for viruses and dangerous
>> content by MailScanner, and is believed to be clean.
>>
>> --
>> MailScanner mailing list
>> mailscanner@lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>
>
>
>
>
> **********************************************************************
> Confidentiality : This e-mail and any attachments are intended for the
> addressee only and may be confidential. If they come to you in error
> you must take no action based on them, nor must you copy or show them
> to anyone. Please advise the sender by replying to this e-mail
> immediately and then delete the original from your computer.
> Opinion : Any opinions expressed in this e-mail are entirely those of
> the author and unless specifically stated to the contrary, are not
> necessarily those of the author's employer.
> Security Warning : Internet e-mail is not necessarily a secure
> communications medium and can be subject to data corruption. We advise
> that you consider this fact when e-mailing us.
> Viruses : We have taken steps to ensure that this e-mail and any
> attachments are free from known viruses but in keeping with good
> computing practice, you should ensure that they are virus free.
>
> Red Lion 49 Ltd T/A Solid State Logic
> Registered as a limited company in England and Wales
> (Company No:5362730)
> Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU,
> United Kingdom
> **********************************************************************
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>

--
Chris Sweeney
Home Phone for $10 a month call 937-415-0943

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From richard.frovarp at sendit.nodak.edu Tue Sep 9 14:43:44 2008
From: richard.frovarp at sendit.nodak.edu (Richard Frovarp)
Date: Tue Sep 9 14:43:58 2008
Subject: Is MailScanner affected by the Redhat bug
In-Reply-To: <1220956841.6938.23.camel@darkstar.netcore.co.in>
References: <1220956841.6938.23.camel@darkstar.netcore.co.in>
Message-ID: <48C67D90.9020200@sendit.nodak.edu>

ram wrote:
> Redhat & Centos distros seem to have a performance issue with perl
> http://blog.vipul.net/2008/08/24/redhat-perl-what-a-tragedy/
>
>
> I have all my servers running MailScanner on Centos. Is MailScanner
> greatly affected by the Bug ?
> Should I upgrade perl on my machines ?
>
>
>
> Thanks
> Ram
>
>
>
>
>

It would appear that as far as anyone can tell, the systems aren't
affected by the bug in a significant manner. Someone on the SA list did
say he applied the fix to his CentOS box, and didn't notice any SA
improvement. If you test that bug, it gets really nasty after 50,000
iterations. As others have said, if it is affecting MS/SA, other
latencies are probably covering it up at this moment.

From ram at netcore.co.in Tue Sep 9 14:59:34 2008
From: ram at netcore.co.in (ram)
Date: Tue Sep 9 14:59:51 2008
Subject: Is MailScanner affected by the Redhat bug
In-Reply-To: <48C66583.70800@nerc.ac.uk>
References: <1220956841.6938.23.camel@darkstar.netcore.co.in> <48C66583.70800@nerc.ac.uk>
Message-ID: <1220968774.6938.45.camel@darkstar.netcore.co.in>

On Tue, 2008-09-09 at 13:01 +0100, Greg Matthews wrote:
> ram wrote:
> > I have all my servers running MailScanner on Centos. Is MailScanner
> > greatly affected by the Bug ?
> > Should I upgrade perl on my machines ?
>
> I've ran tests last week on CentOS 4 and CentOS 5. CentOS 4.6 is
> unaffected but CentOS 5.2 does contain the bug. However, it is not clear
> that this performance issue unduly affects MailScanner as other
> latencies are likely to dominate.
>

I did some testing myself ..
There is apparently absolutely no effect on MailScanner

Took ~1000 mails to a test machine, Centos 5, 4GB Ram, with the
perl bug and ran them under MailScanner ( MailScanner + SA + customscanner +
f-prot6 + clamavmodule )

It takes 18 minutes with the perl bug and the same time (in fact took 15s
more) after I upgraded perl with the patch on http://people.centos.org

So that is not any major effect after all :-)


Thanks
Ram

From rabellino at di.unito.it Tue Sep 9 15:06:14 2008
From: rabellino at di.unito.it (Sergio Rabellino)
Date: Tue Sep 9 15:07:09 2008
Subject: R: R: Italian spam
In-Reply-To: <021b01c9127f$9d6ea330$2501a8c0@dbdomain.database.it>
References: <015e01c90f27$72acd3c0$2501a8c0@dbdomain.database.it> <00cb01c911b2$77512fb0$2501a8c0@dbdomain.database.it> <20080908210956.GA2516@msapiro> <01b801c91259$09578610$2501a8c0@dbdomain.database.it> <48C65110.1070908@di.unito.it> <021b01c9127f$9d6ea330$2501a8c0@dbdomain.database.it>
Message-ID: <48C682D6.5010704@di.unito.it>

I think you must set the directory once in
/etc/Mailscanner/spam.assassin.prefs.conf, so you definitely choose a
directory where bayes will store the database. I do not suggest a
hidden directory, or the risk is that you will forget everything in a
week.... or less.

Then launch (as a user that can write into that dir)

sa-learn --no-sync -C /etc/Mailscanner/spam.assassin.prefs.conf < spam.eml

... once for every message...

sa-learn --sync

and your Mailscanner will see the modified bayes db.

I ask the experts on this list if the procedure is formally correct.

Bye.

Marcello Anderlini wrote:
> Hello, in my /etc/Mailscanner/spam.assassin.prefs.conf
>
> I have just this commented line:
> #bayes_path /var/spool/spamassassin/bayes
>
> I have look all around and I don't found any bayes.mutex file.
> I have found only these files in /root/.spamassassin
> ==============
> -rw------- 1 root root 168 Sep 9 15:23 bayes_journal
> -rw------- 1 root root 172904448 Sep 9 15:23 bayes_seen
> -rw------- 1 root root 9105408 Sep 9 11:07 bayes_toks
> ==============
>
> I can set sa-learn to use this directory ?
>
> thanks a lot
>
> Dr. Marcello Anderlini
> m.anderlini@database.it
> ---------------------------------------------
> Database Informatica S.r.l.
> Microsoft Certified Partner
> Tel. +39059775070
> Fax. +39059779545
> http://www.database.it
> ---------------------------------------------
>
>
> ------------------------------------------------------------------------
> *From:* mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] *On behalf of
> *Sergio Rabellino
> *Sent:* Tuesday 9 September 2008 12.34
> *To:* MailScanner discussion
> *Subject:* Re: R: Italian spam
>
> Following it's my configuration:
>
> check into the spam.assassin.prefs.conf into the etc directory of
> MailScanner for a line like
>
> bayes_path /opt/MailScanner/etc/bayes/bayes
>
> The last bayes is the filename prefix for the bayes database, and into
> the directory
> /opt/MailScanner/etc/bayes you will find something like these
>
> -rw-r--r-- 1 root root 36 Sep 9 12:30 bayes.mutex
> -rw-rw-rw- 1 root other 77736 Sep 9 12:30
> -rw-r--r-- 1 root root 41967616 Sep 9 12:30 bayes_seen
> -rw-r--r-- 1 root root 167772160 Sep 9 12:30 bayes_toks
>
> Now using the -C /opt/MailScanner/etc/spam.assassin.prefs.conf
> parameter for sa-learn, you'll point your learner to the same database
> used by mailscanner.
> I'm using this config and the italian spam was detected after 3 users
> submit their messages as spam.
>
> Bye.
>
> Marcello Anderlini wrote:
>> I have not fount any bayes.mutex. So could I be sure that spamassassin is
>> using the bayes database store in /root/.spamassassin ?
>>
>>
>> Dr. Marcello Anderlini
>> m.anderlini@database.it
>> ---------------------------------------------
>> Database Informatica S.r.l.
>> Microsoft Certified Partner
>> Tel. +39059775070
>> Fax. +39059779545
>> http://www.database.it
>> ---------------------------------------------
>>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On behalf of Mark Sapiro
>> Sent: Monday 8 September 2008 23.10
>> To: MailScanner discussion
>> Subject: Re: Italian spam
>>
>> On Mon, Sep 08, 2008 at 02:57:35PM +0200, Marcello Anderlini wrote:
>>
>>> I have these file in /root/.spamassassin. In /var/spool/MailScanner/ I
>>> have not nothing except a SpamAssassin.cache.db in
>>> /var/spool/MailScanner/incoming
>>>
>>> I do not use spamd but spamassassin it's called from Mailscanner.
>>>
>>> It's correct ?
>>>
>>
>>
>> So if you run sa-learn as root, it updates the bayes files in
>> /root/.spamassassin/
>>
>> If MailScanner is also running as root, it is probably also using the same
>> bayes files and should be learning from your sa-learn, but if it is running
>> as some other user it may be using a different set.
>>
>> Try
>>
>> find / -name bayes.mutex
>>
>> and see if you find any other sets of spamassassin bayes files.
>>
>>
>>
>>> bayes.mutex
>>> bayes_journal
>>> bayes_toks
>>> bayes_seen
>>>
>>
>>
>
> --
> Ing. Sergio Rabellino
>
> Università degli Studi di Torino
> Dipartimento di Informatica
> ICT Services Director
> Tel +39-0116706701 Fax +39-011751603
> C.so Svizzera , 185 - 10149 - Torino
>
>
>
>
> --
> Message checked by the antivirus service of *Database Informatica*
> .
> --
> Message checked by the antivirus service of *Database Informatica*
> .

--
Ing. Sergio Rabellino

Università degli Studi di Torino
Dipartimento di Informatica
ICT Services Director
Tel +39-0116706701 Fax +39-011751603
C.so Svizzera , 185 - 10149 - Torino

-------------- next part --------------
Skipped content of type multipart/related

From jra at baylink.com Tue Sep 9 15:11:10 2008
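The "Italian spam" sub-thread above turns on one question: do the user that runs sa-learn and the user that runs MailScanner resolve to the same Bayes files? The following is an added example, not code from any poster or from MailScanner or SpamAssassin. It assumes the per-user fallback is `~/.spamassassin/bayes` when no `bayes_path` line is active and that both programs read the same prefs file, as Sergio's post describes; the function names and the scanner home directory are hypothetical. It also flags world-writable database files, such as the `-rw-rw-rw-` bayes_journal in the listing quoted above.

```python
import os
import re
import stat
import tempfile

SUFFIXES = ("_toks", "_seen", "_journal", ".mutex")


def active_bayes_path(prefs_text):
    """Return the last uncommented bayes_path value, or None if there is none."""
    value = None
    for raw in prefs_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#bayes_path ...' is inactive
        match = re.fullmatch(r"bayes_path\s+(\S+)", line)
        if match:
            value = match.group(1)
    return value


def bayes_prefix(prefs_text, home):
    """bayes_path is a directory plus a filename prefix; the fallback is per-user."""
    return active_bayes_path(prefs_text) or os.path.join(home, ".spamassassin", "bayes")


def inspect(prefix):
    """Describe each file the prefix should expand to (None means not present)."""
    report = {}
    for suffix in SUFFIXES:
        path = prefix + suffix
        try:
            st = os.stat(path)
        except FileNotFoundError:
            report[path] = None
            continue
        report[path] = {
            "uid": st.st_uid,
            "mode": stat.filemode(st.st_mode),
            # Anyone who can write the database can poison the classifier.
            "world_writable": bool(st.st_mode & stat.S_IWOTH),
        }
    return report


def compare(prefs_text, scanner_home, learner_home):
    """Do the scanner's user and the sa-learn user resolve to one database?"""
    scanner = bayes_prefix(prefs_text, scanner_home)
    learner = bayes_prefix(prefs_text, learner_home)
    return {"scanner": scanner, "learner": learner, "shared": scanner == learner}


def demo():
    """Constructed reproduction of the two setups described in the thread."""
    with tempfile.TemporaryDirectory() as root:
        shared_dir = os.path.join(root, "etc", "bayes")
        os.makedirs(shared_dir)
        prefix = os.path.join(shared_dir, "bayes")
        # No bayes.mutex is created, to show how a missing file is reported.
        for suffix, mode in (("_toks", 0o644), ("_seen", 0o644), ("_journal", 0o666)):
            with open(prefix + suffix, "w"):
                pass
            os.chmod(prefix + suffix, mode)      # chmod is not subject to the umask

        commented = "#bayes_path /var/spool/spamassassin/bayes\n"   # Marcello's prefs
        explicit = "bayes_path %s\n" % prefix                        # Sergio's style
        scanner_home = "/var/lib/scanner-user"   # hypothetical non-root scanner user
        return {
            "commented": compare(commented, scanner_home, "/root"),
            "explicit": compare(explicit, scanner_home, "/root"),
            "files": inspect(prefix),
        }


if __name__ == "__main__":
    result = demo()
    for name in ("commented", "explicit"):
        print(name, result[name])
    for path, facts in result["files"].items():
        print(os.path.basename(path), facts)
```
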
From: jra at baylink.com (Jay R. Ashworth)
Date: Tue Sep 9 15:11:20 2008
Subject: Looking for a test mail generator (unthreaded)
In-Reply-To: <48C57CBB.3000508@vanderkooij.org>
References: <20080908155906.GA17894@cgi.jachomes.com> <48C57CBB.3000508@vanderkooij.org>
Message-ID: <20080909141110.GB23322@cgi.jachomes.com>

On Mon, Sep 08, 2008 at 09:27:55PM +0200, Hugo van der Kooij wrote:
> Jay R. Ashworth wrote:
> > I am not having a good day today. Twice. In 5 minutes...
> >
> > Unthreadjacked:
> >
> >
> > To test a new installation before a cutover, I'm trying to find (out
> > whether anyone has written) a program that can send a bunch of email to a
> > SMTP server, logging what it does (both logical and session level), so
> > that I can check that the results are what they should be.
>
> A sender only has the view of what it communicates with the receiver.
> Whatever happens after the receiver takes over is anyone's guess. But it
> is not of any concern to the sender anymore.
>
> So I fail to see how you could do this on a session level from the sender.

Would you be happier if I said "conversation level"?

> I would say that just doing a darn good job of configuring things right
> and bring it to live is the best test.

It's not *your* email. Executives are *insecure*.

> I have written some code to do a keepalive check to see if the whole
> spam and AV chain works. The sending part is peanuts in perl. The
> verification part was the tough part.
>
> The chain goes like:
>
> TEST server ==> Spam box ==> AV box ==> TEST server
>
> So I end up by getting what I did send out if nothing breaks down. But
> it is a twist in that I need to configure an extra domain into my
> customer configuration to do this.

Sure. But that's exactly the reason I want to do it the way I want to do
it: I don't want to have to do *two* analyses: what should have happened
to each incoming mail and what *did* -- I want to *know* what should have
happened, because I have a list with message IDs that tells me, so all
I have to do is check the expected targets and look to see if the
messages are there.

Cheers,
-- jra
--
Jay R. Ashworth                   Baylink                      jra@baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com                     '87 e24
St Petersburg FL USA    http://photo.imageinc.us             +1 727 647 1274

Those who cast the vote decide nothing.
Those who count the vote decide everything.
-- (Josef Stalin)

From jra at baylink.com Tue Sep 9 15:13:10 2008
From: jra at baylink.com (Jay R. Ashworth)
Date: Tue Sep 9 15:13:19 2008
Subject: Looking for a test mail generator (unthreaded)
In-Reply-To:
References: <20080908155906.GA17894@cgi.jachomes.com>
Message-ID: <20080909141310.GC23322@cgi.jachomes.com>

On Tue, Sep 09, 2008 at 07:37:51AM +0800, Edward Dekkers wrote:
> Could you use this as a base?
>
> http://tools.declude.com/

It's on the right general lines. I wonder if it has a scriptable API...

I'd love to get their sample spam.

Does anyone have a good categorized spam corpus for this sort of testing?
The SA guys? Anyone? Bueller?

Cheers,
-- jra
--
Jay R. Ashworth                   Baylink                      jra@baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com                     '87 e24
St Petersburg FL USA    http://photo.imageinc.us             +1 727 647 1274

Those who cast the vote decide nothing.
Those who count the vote decide everything.
-- (Josef Stalin)

From jbuda at noticiasargentinas.com Tue Sep 9 15:22:00 2008
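An added example (not code from the thread or from MailScanner) of the sender side of what Jay describes above: a shuffled plan of spam and ham bodies against valid, unknown-local and foreign recipients, each with its own Message-ID and an expected verdict, plus a per-case log of the SMTP conversation. As Hugo notes, the sender only sees that conversation, so what happens after acceptance is checked at the target mailboxes by Message-ID. The expected verdicts (unknown users and foreign domains refused at RCPT time, which is what avoids backscatter) are an assumption about the desired policy; `FakeSMTP`, all addresses and the message bodies are constructed so the block runs offline.

```python
import random
import smtplib
from email.message import EmailMessage

# Assumed policy: only known local recipients are accepted at RCPT time.
EXPECT = {"valid": "accept", "unknown_local": "reject", "foreign": "reject"}


def build_plan(spam, ham, valid_rcpts, domain, seed=0):
    """Every body goes to one recipient of each kind; order is shuffled."""
    rng = random.Random(seed)                    # seeded, so a run can be repeated
    cases = []
    for content, bodies in (("spam", spam), ("ham", ham)):
        for body in bodies:
            targets = (
                ("valid", rng.choice(valid_rcpts)),
                ("unknown_local", "nouser-%06x@%s" % (rng.getrandbits(24), domain)),
                ("foreign", "x%06x@h%06x.invalid" % (rng.getrandbits(24), rng.getrandbits(24))),
            )
            for kind, rcpt in targets:
                cases.append({"content": content, "body": body, "rcpt_kind": kind,
                              "rcpt": rcpt, "expect": EXPECT[kind]})
    rng.shuffle(cases)
    for n, case in enumerate(cases, 1):
        case["msgid"] = "<case-%04d@testgen.invalid>" % n   # key for later lookup
    return cases


def run_case(smtp, case, sender):
    """Send one case and record each SMTP reply alongside the expected verdict."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, case["rcpt"]
    msg["Subject"] = "cutover test %s" % case["content"]
    msg["Message-ID"] = case["msgid"]
    msg.set_content(case["body"])

    session = []
    smtp.ehlo_or_helo_if_needed()
    session.append(("MAIL",) + tuple(smtp.mail(sender)))
    code, text = smtp.rcpt(case["rcpt"])
    session.append(("RCPT", code, text))
    accepted = False
    if 200 <= code < 300:
        code, text = smtp.data(msg.as_bytes())
        session.append(("DATA", code, text))
        accepted = 200 <= code < 300
    else:
        smtp.rset()                              # abandon the refused transaction
    got = "accept" if accepted else "reject"
    return {"msgid": case["msgid"], "content": case["content"],
            "rcpt_kind": case["rcpt_kind"], "rcpt": case["rcpt"],
            "expect": case["expect"], "got": got, "ok": got == case["expect"],
            "session": session}


def real_session(host, port=25):
    """Connection to the server under test; replaces FakeSMTP in real use."""
    return smtplib.SMTP(host, port, timeout=30)


class FakeSMTP:
    """Constructed stand-in exposing the smtplib.SMTP methods run_case uses."""

    def __init__(self, mailboxes, domain):
        self.mailboxes, self.domain = set(mailboxes), domain

    def ehlo_or_helo_if_needed(self):
        pass

    def mail(self, sender):
        return (250, b"2.1.0 Ok")

    def rcpt(self, rcpt):
        if rcpt in self.mailboxes:
            return (250, b"2.1.5 Ok")
        if rcpt.endswith("@" + self.domain):
            return (550, b"5.1.1 User unknown")
        return (554, b"5.7.1 Relay access denied")

    def data(self, msg):
        return (250, b"2.0.0 Ok: queued")

    def rset(self):
        return (250, b"2.0.0 Ok")


def demo():
    spam = ["Constructed spam body: cheap pills, click now"]
    ham = ["Constructed ham body: minutes of the Tuesday meeting"]
    plan = build_plan(spam, ham, ["alice@example.test"], "example.test", seed=1)
    smtp = FakeSMTP({"alice@example.test"}, "example.test")
    return [run_case(smtp, case, "tester@sender.test") for case in plan]


if __name__ == "__main__":
    for result in demo():
        print(result["msgid"], result["content"], result["rcpt_kind"],
              result["expect"], result["got"], "OK" if result["ok"] else "MISMATCH")
```
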
From: jbuda at noticiasargentinas.com (Jose Julian Buda)
Date: Tue Sep 9 15:21:56 2008
Subject: ClamAV 0.94
References: <05b401c911c1$0ee8fc00$6000a8c0@tecnica> <023401c911e0$e3b8b7d0$6000a8c0@tecnica> <48C57FD2.1050807@vanderkooij.org> <48C5D3A1.9010201@ddihealth.com>
Message-ID: <00de01c91287$6c726110$6000a8c0@tecnica>

----- Original Message -----
From: "Jim Barber"
To: "MailScanner discussion"
Sent: Monday, September 08, 2008 10:38 PM
Subject: Re: ClamAV 0.94

> Hugo van der Kooij wrote:
>> Scott Silva wrote:
>>
>>>> Now, the clamd daemon is running, how do i tell the mailscanner to use
>>>> it?
>>
>>> You will need to upgrade your mailscanner version. Debian uses a version
>>> that is probably 3 years old by now. In MailScanner time that is like 30
>>> generations.
>>
>> In spam terms that is about 15 generations ago.
>>
>> I would recommend that Jules defines a version policy about how many
>> versions back something is considered too old to be even bothered with
>> and notification is sent to the Debian team that their prehistoric
>> version is too old to keep in their system.
>>
>> Keeping up was my greatest concern in regard to building a repository
>> for MailScanner.
>>
>> Hugo.
>>
>> PS: Did anyone bother to check the awstats statistics?
>
> The version of MailScanner in Debian's testing / lenny distribution is
> 4.68.8.
> That's also really old, but it does have the ability to use clamd (I'm
> using it successfully).
>
> To use it I needed to add the Debian-exim user to the clamav group.
> I also added the clamav user to the Debian-exim group, but you may be able
> to avoid that by setting "Incoming Work Group = clamav" in the config
> below.
>
> Then you need set a few values in your /etc/MailScanner/MailScanner.conf
> file:
>
> Incoming Work Permissions = 0660
>
> Virus Scanners = clamd
>
> Monitors for ClamAV Updates = /var/lib/clamav/*.inc/* /var/lib/clamav/*.cvd
>
> Regards,
>
> ----------
> Jim Barber
> DDI Health
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> __________ NOD32 information, revision 3428 (20080909) __________
>
> This message has been checked by NOD32 antivirus system
> http://www.nod32.com

Can I use a lenny version on a production server?
If I shouldn't, how can I make this version work?
I did not see this problem yesterday with clamav 0.93.3.
Is it really a MS problem?
However, I see that clamav 0.94 is ok if I try the wrapper script directly:

proxymails:~# /etc/MailScanner/wrapper/clamav-wrapper /usr
/root/.rnd: OK
/root/.bashrc: OK
/root/papa.txt: Eicar-Test-Signature FOUND
/root/.viminfo: OK
/root/.bash_history: OK
/root/.profile: OK
/root/balanceo: OK
/root/pepe.zip: Eicar-Test-Signature FOUND
/root/ipt.txt: OK

----------- SCAN SUMMARY -----------
Known viruses: 416286
Engine version: 0.94
Scanned directories: 1
Scanned files: 16
Infected files: 2
Data scanned: 0.61 MB
Time: 3.919 sec (0 m 3 s)
proxymails:~#

I don't want to install a testing version on a production server if it is
not necessary. Has somebody tested this lenny version on etch?

Thank you.
Jose Julian Buda

From steve.swaney at fsl.com Tue Sep 9 15:39:56 2008
From: steve.swaney at fsl.com (Stephen Swaney)
Date: Tue Sep 9 15:40:59 2008
Subject: Looking for a test mail generator (unthreaded)
In-Reply-To: <20080909141110.GB23322@cgi.jachomes.com>
References: <20080908155906.GA17894@cgi.jachomes.com> <48C57CBB.3000508@vanderkooij.org> <20080909141110.GB23322@cgi.jachomes.com>
Message-ID: <00c501c91289$ee101260$ca303720$@swaney@fsl.com>

Jay,

Simply set up another mail hub with test accounts. A simple sendmail server
delivering to local users would work just fine.

Then use Roundhouse to duplicate the feed. The feed goes first to your real
mail hub for delivery as normal.

Send the duplicate feed to the test server which should be configured to 1)
send test messages to the test mail hub and 2) dev-null the rest.

Seems this would be simple to set up and meet your requirements.

Best regards,

Steve

Steve Swaney
steve@fsl.com
Office Phone: 202 595-7760 ext. 601

From jra at baylink.com Tue Sep 9 15:56:32 2008
From: jra at baylink.com (Jay R. Ashworth)
Date: Tue Sep 9 15:56:43 2008
Subject: Looking for a test mail generator (unthreaded)
In-Reply-To: <00c501c91289$ee101260$ca303720$@swaney@fsl.com>
References: <20080908155906.GA17894@cgi.jachomes.com> <48C57CBB.3000508@vanderkooij.org> <20080909141110.GB23322@cgi.jachomes.com> <00c501c91289$ee101260$ca303720$@swaney@fsl.com>
Message-ID: <20080909145632.GE23322@cgi.jachomes.com>

On Tue, Sep 09, 2008 at 10:39:56AM -0400, Stephen Swaney wrote:
> Simply set up another mail hub with test accounts. A simple sendmail server
> delivering to local users would work just fine.
>
> Then use Roundhouse to duplicate the feed. The feed goes first to your real
> mail hub for delivery as normal.
>
> Send the duplicate feed to the test server which should be configured to 1)
> send test messages to the test mail hub and 2) dev-null the rest.
>
> Seems this would be simple to set up and meet your requirements.

But it doesn't, and please allow me to recap why, Juan Moore-Thyme :-)

My problem is that I want a repeatable, predictable test, where *I do not
have to spend hours figuring out what the EXPECTED results are*.

If I use the real mail feed, that's what I'll have to do -- or at least,
I'll have to analyse whether the two mail servers are reacting the same
*way* to that mail feed, and if not, whether the new reaction is better
or worse.

If I can generate 50 messages that are, roughly, all the same every time
(modulo a "batch number" in the message-ID maybe) *and that I know what
the expected results are*, then all I have to do is look in the expected
target places, and check messages off a check list.

"All the messages from 00-09 should be in my mailbox. All the messages
from 10-19 should be in the postmaster mailbox. All the messages from
20-29 should be in the spam logs. All the messages from 30-39 should be
in the AV logs. All the messages from 40-49 should be in the mailer logs
as having tried to generate *valid* no-backscatter bounces."

And that way I don't have to analyse because I did that before I generated
the 50 message bodies.

IMO, this approach is critical to finding out what you actually need to
know, without tearing your hair out.

I'm just not a good enough coder to do it from scratch.

I see I may have to add "yet" to that. :-)

How are the python email libraries these days?

Cheers,
-- jra

From ssilva at sgvwater.com Tue Sep 9 16:35:51 2008
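[Added example, not part of the thread and not MailScanner code: the 50-message checklist described in the message above, sketched with Python's standard email and smtplib modules. The Message-ID layout, the mailtest.example domain, the target labels and all function names are assumptions, and it assumes each target (mailbox or log) can be read as lines of text that contain the Message-ID.]

```python
import re
import smtplib
from email.message import EmailMessage

ID_DOMAIN = "mailtest.example"  # assumption: a domain reserved for test IDs

# Sequence ranges and where each group should end up, following the
# checklist in the post. Target names are labels chosen for this example.
EXPECTED = [
    (range(0, 10), "user-mailbox"),
    (range(10, 20), "postmaster-mailbox"),
    (range(20, 30), "spam-log"),
    (range(30, 40), "av-log"),
    (range(40, 50), "bounce-log"),
]
ID_RE = re.compile(r"<batch\d+\.seq\d{2}@" + re.escape(ID_DOMAIN) + r">")


def expected_target(seq):
    """Return the target label for a sequence number 0..49."""
    for seqs, target in EXPECTED:
        if seq in seqs:
            return target
    raise ValueError(f"sequence {seq} has no expected target")


def build_batch(batch, sender, recipients, bodies=None):
    """Build the 50 messages of one batch.

    recipients maps a target label to the address that group is sent to;
    bodies optionally maps a target label to body text (the operator's own
    spam or AV test content). Returns (messages, manifest), where manifest
    maps each Message-ID to its expected target.
    """
    bodies = bodies or {}
    messages, manifest = [], {}
    for seq in range(50):
        target = expected_target(seq)
        msg_id = f"<batch{batch}.seq{seq:02d}@{ID_DOMAIN}>"
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = recipients[target]
        msg["Subject"] = f"cutover test batch {batch} seq {seq:02d} ({target})"
        msg["Message-ID"] = msg_id
        msg.set_content(bodies.get(
            target, f"Test message {seq:02d}, expected in {target}.\n"))
        messages.append(msg)
        manifest[msg_id] = target
    return messages, manifest


def send_batch(messages, host, port=25):
    """Send the batch over one connection, echoing the SMTP dialogue to
    stderr, and return {Message-ID: error} for anything refused."""
    refused = {}
    with smtplib.SMTP(host, port) as smtp:
        smtp.set_debuglevel(1)
        for msg in messages:
            try:
                smtp.send_message(msg)
            except smtplib.SMTPException as exc:
                refused[msg["Message-ID"]] = str(exc)
    return refused


def check(manifest, observed):
    """Tick the manifest off against what was actually found.

    observed maps a target label to lines of text collected there (mailbox
    Message-ID headers or log lines). Returns (ok, missing, misrouted):
    IDs seen only where expected, IDs seen nowhere, and a dict of IDs seen
    somewhere else with the places they turned up.
    """
    seen = {}
    for target, lines in observed.items():
        for line in lines:
            for msg_id in ID_RE.findall(line):
                seen.setdefault(msg_id, set()).add(target)
    ok, missing, misrouted = [], [], {}
    for msg_id, target in manifest.items():
        places = seen.get(msg_id, set())
        if not places:
            missing.append(msg_id)
        elif places == {target}:
            ok.append(msg_id)
        else:
            misrouted[msg_id] = sorted(places)
    return ok, missing, misrouted
```

Keep the manifest from build_batch with the batch number; after the run, feed check() the lines gathered from each mailbox and log and read off the missing and misrouted lists.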
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Sep 9 16:36:15 2008
Subject: ClamAV 0.94
In-Reply-To: <00de01c91287$6c726110$6000a8c0@tecnica>
References: <05b401c911c1$0ee8fc00$6000a8c0@tecnica> <023401c911e0$e3b8b7d0$6000a8c0@tecnica> <48C57FD2.1050807@vanderkooij.org> <48C5D3A1.9010201@ddihealth.com> <00de01c91287$6c726110$6000a8c0@tecnica>
Message-ID:

> > I don't want to install a testing version on a production server, if it
> is not necessary
> somebody does have tested this lenny version on etch?
>
> Thank you .

Mailscanner is very stable, and many of us running production servers upgrade
it regularly.
You will either need to upgrade mailscanner or downgrade clamav.
You can read this post and try the attached clam wrapper, but make sure you
back up anything you replace so you can go back if it breaks worse.

http://permalink.gmane.org/gmane.mail.virus.mailscanner/65912

-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From octaviomaiden at yahoo.com Tue Sep 9 16:52:30 2008
From: octaviomaiden at yahoo.com (Octavio)
Date: Tue Sep 9 16:52:42 2008
Subject: check PTR with MS
In-Reply-To: <20080909145632.GE23322@cgi.jachomes.com>
Message-ID: <779829.58049.qm@web38904.mail.mud.yahoo.com>

Hi

I would like to know if it is possible to check:

if the IP has a name
if the name exists

similar to reject_unknown_client_hostname in postfix, but using a score.

The problem is that if I use it in postfix, there are some domains that I
want to receive emails from but they are being rejected.

Thanks

From jbuda at noticiasargentinas.com Tue Sep 9 16:58:16 2008
From: jbuda at noticiasargentinas.com (Jose Julian Buda)
Date: Tue Sep 9 16:58:11 2008
Subject: ClamAV 0.94 on etch - SOLVED
References: <05b401c911c1$0ee8fc00$6000a8c0@tecnica> <023401c911e0$e3b8b7d0$6000a8c0@tecnica> <48C57FD2.1050807@vanderkooij.org><48C5D3A1.9010201@ddihealth.com> <00de01c91287$6c726110$6000a8c0@tecnica>
Message-ID: <019601c91294$df4dd6d0$6000a8c0@tecnica>

Well, I did the test. I was receiving complaints from users about messages
from the antivirus on the workstations' mail client...

wget http://debian.intergenia.de/debian/pool/main/m/mailscanner/mailscanner_4.68.8-1_all.deb
dpkg -i mailscanner_4.68.8-1_all.deb
..
mailscanner depends on libmailtools-perl (>= 2.02); however:
Version of libmailtools-perl on system is 1.74-1.
.....

That's it, no problem with that, I think...

Then, as I saw on a forum
(http://www.bluequartz.us/phpBB2/viewtopic.php?p=232823&sid=3b26f0c29a1e0629cb27b3c5ba475852),

"have a look at /opt/MailScanner/lib/MailScanner/SweepViruses.pm, I comment
out the following lines:

if ($rarcmd && -x $rarcmd) {
  $Scanners{clamav}->{CommonOptions} .= " --unrar=$rarcmd";
  MailScanner::Log::InfoLog("ClamAV scanner using unrar command %s", $rarcmd);
}
"

so I did it.. Now, in the maillog I saw that clamav 0.94 is triggered ok...
and

proxymails:~# MailScanner --lint
Trying to setlogsock(unix)
Read 748 hostnames from the phishing whitelist
Could not read phishing blacklist file at /usr/share/MailScanner//MailScanner/Config.pm line 919
Checking version numbers...
Version number in MailScanner.conf (4.68.8) is correct.

ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf
ERROR: is not correct, it should match X-MailScanner-Envelope-From

MailScanner setting GID to (104)
MailScanner setting UID to (100)

Checking for SpamAssassin errors (if you use it)...
SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp
SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
Using SpamAssassin results cache
Connected to SpamAssassin cache database
config: SpamAssassin failed to parse line, "/usr/bin/pyzor" is not valid for "pyzor_path", skipping: pyzor_path /usr/bin/pyzor
config: failed to parse line, skipping, in "/etc/MailScanner/spam.assassin.prefs.conf": dcc_path /usr/bin/dccproc
SpamAssassin reported an error.
Using locktype = posix
MailScanner.conf says "Virus Scanners = clamav"
Found these virus scanners installed: clamav
===========================================================================
Virus and Content Scanning: Starting
./1/eicar.com: Eicar-Test-Signature FOUND
Virus Scanning: ClamAV found 1 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 1 viruses
Filename Checks: (1 eicar.com)
Other Checks: Found 1 problems
===========================================================================
Virus Scanner test reports:
ClamAV said "eicar.com contains Eicar-Test-Signature"

If any of your virus scanners (clamav)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its virus.scanners.conf.
.......

There are some problems, as I see in the report, but I think it is no big
deal, am I right?

Thank you all.
Jose Julian Buda

From prandal at herefordshire.gov.uk Tue Sep 9 17:21:48 2008
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Tue Sep 9 17:22:06 2008
Subject: ClamAV 0.94 on etch - SOLVED
In-Reply-To: <019601c91294$df4dd6d0$6000a8c0@tecnica>
References: <05b401c911c1$0ee8fc00$6000a8c0@tecnica> <023401c911e0$e3b8b7d0$6000a8c0@tecnica> <48C57FD2.1050807@vanderkooij.org><48C5D3A1.9010201@ddihealth.com><00de01c91287$6c726110$6000a8c0@tecnica> <019601c91294$df4dd6d0$6000a8c0@tecnica>
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA04A671C1@HC-MBX02.herefordshire.gov.uk>

A few changes:

Monitors for ClamAV Updates = /var/lib/clamav/*.cld /var/lib/clamav/*.cvd

Or whatever path is appropriate.

That shouldn't matter unless you're using ClamAVModule, but I'm
pedantic.

"ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf
ERROR: is not correct, it should match X-MailScanner-Envelope-From"

Check what they both are (the latter is in MailScanner.conf) and fix it
to be consistent - this affects SPF handling, if I recall correctly.

Cheers,

Phil

--
Phil Randal
Networks Engineer
Herefordshire Council
Hereford, UK

From mark at msapiro.net Tue Sep 9 17:26:31 2008
From: mark at msapiro.net (Mark Sapiro)
Date: Tue Sep 9 17:26:42 2008
Subject: Italian spam
In-Reply-To: <021b01c9127f$9d6ea330$2501a8c0@dbdomain.database.it>
References: <48C65110.1070908@di.unito.it> <021b01c9127f$9d6ea330$2501a8c0@dbdomain.database.it>
Message-ID: <20080909162631.GA3016@msapiro>

On Tue, Sep 09, 2008 at 03:26:06PM +0200, Marcello Anderlini wrote:
> Hello, in my /etc/Mailscanner/spam.assassin.prefs.conf
>
> I have just this commented line:
> #bayes_path /var/spool/spamassassin/bayes

Do you have any uncommented bayes settings in spam.assassin.prefs.conf?
In particular, 'use_bayes'. What does

grep bayes /etc/MailScanner/spam.assassin.prefs.conf |grep -v ^#

show?

>
> I have look all around and I don't found any bayes.mutex file.
> I have found only these files in /root/.spamassassin
> ==============
> -rw------- 1 root root 168 Sep 9 15:23 bayes_journal
> -rw------- 1 root root 172904448 Sep 9 15:23 bayes_seen
> -rw------- 1 root root 9105408 Sep 9 11:07 bayes_toks
> ==============
>
> I can set sa-learn to use this directory ?

if sa-learn is run by root without specifying a configuration file,
it will use this directory by default.

You can verify by noting if the timestamps are updated when you run
sa-learn.

-- 
Mark Sapiro  mark at msapiro net       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From ssilva at sgvwater.com Tue Sep 9 17:42:26 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Sep 9 17:42:43 2008
Subject: Italian spam
In-Reply-To: <20080909162631.GA3016@msapiro>
References: <48C65110.1070908@di.unito.it> <021b01c9127f$9d6ea330$2501a8c0@dbdomain.database.it> <20080909162631.GA3016@msapiro>
Message-ID:

>> I can set sa-learn to use this directory ?
>
> if sa-learn is run by root without specifying a configuration file,
> it will use this directory by default.
>

More recent versions of MailScanner have fixed this by adding a symlink from
the spamassassin.prefs.conf file to the spamassassin home directory (usually
/etc/mail/spamassassin) named mailscanner.cf. This makes spamassassin run from
the command line use the same settings as when mailscanner runs it. You will
also need to uncomment that bayes path, and if you want to keep your existing
bayes data you will want to dump/restore it or otherwise move it to the new path.

This is especially important if you run a MTA other than sendmail, as most
other MTA's don't run as root, and will not have access to /root/.spamassassin

From drew.marshall at technologytiger.net Tue Sep 9 22:03:44 2008
From: drew.marshall at technologytiger.net (Drew Marshall)
Date: Tue Sep 9 22:03:59 2008
Subject: AW: Using Spamd rather than the SpamAssassin Library
In-Reply-To: <48C55287.8050608@coders.co.uk>
References: <48C1941F.40703@coders.co.uk> <5851C691-2A38-40CC-9134-73427193F4D7@technologytiger.net> <48C1ACE0.5020708@coders.co.uk> <48C2E9B8.9090801@coders.co.uk> <520F0D8E-EA1E-499C-B899-FB0342DA061A@technologytiger.net> <48C52509.3080405@coders.co.uk> <7A9C1520-4D96-4DDE-B04C-1C690069A2BE@technologytiger.net> <48C55287.8050608@coders.co.uk>
Message-ID: <74138C8F-AFE6-4D22-A5ED-546B6B049795@technologytiger.net>

On 8 Sep 2008, at 17:27, Matt Hampton wrote:

> Drew Marshall wrote:
>>
>> Interesting... So there is the potential that with say 10 children,
>> each with 20 messages that I am going to need 200 SA children? I
>> fear I will have run out of memory by then! Hmm...
> Nope - they are processed sequentially - each batch will open a
> connection for the first message, wait for the response, close the
> connection, open the connection for the second message etc
>
> Once each message is finished there is a short delay whilst the
> server thread shuts down (updating bayes etc) before it can be used
> again. So it is possible for more than one child to be open per MS
> Child.

I had to resort to the non spamd config today. I just plain ran out of
server before I had run out of messages :-(

I hit my max SA children and with the box starting to swap and the
load average at 18+ decided I ought to do something about it. In order
to look at the load issue, can your changes allow SA to be fed via
socket as that would save some overhead?

I have also amended the time out per child as I am sure there is
something fishy going on with SA scanning some types of mail. I see
the spamd route as giving me a good chance to catch the culprits as I
should be able to time out one child and therefore one message.

Drew

-- 
In line with our policy, this message has been scanned for viruses and
dangerous content by Technology Tiger's Mail Launder system
Our email policy can be found at www.technologytiger.net/policy

Technology Tiger Limited is registered in Scotland with registration
number: 310997
Registered Office 55-57 West High Street Inverurie AB51 3QQ

From spamlists at coders.co.uk Tue Sep 9 22:21:58 2008
From: spamlists at coders.co.uk (Matt Hampton)
Date: Tue Sep 9 22:22:37 2008
Subject: AW: Using Spamd rather than the SpamAssassin Library
In-Reply-To: <74138C8F-AFE6-4D22-A5ED-546B6B049795@technologytiger.net>
References: <48C1941F.40703@coders.co.uk> <5851C691-2A38-40CC-9134-73427193F4D7@technologytiger.net> <48C1ACE0.5020708@coders.co.uk> <48C2E9B8.9090801@coders.co.uk> <520F0D8E-EA1E-499C-B899-FB0342DA061A@technologytiger.net> <48C52509.3080405@coders.co.uk> <7A9C1520-4D96-4DDE-B04C-1C690069A2BE@technologytiger.net> <48C55287.8050608@coders.co.uk> <74138C8F-AFE6-4D22-A5ED-546B6B049795@technologytiger.net>
Message-ID: <48C6E8F6.2000105@coders.co.uk>

Drew Marshall wrote:
>
> I had to resort to the non spamd config today. I just plain ran out of
> server before I had run out of messages :-(
>

Grrr!

> I hit my max SA children and with the box starting to swap and the
> load average at 18+ decided I ought to do something about it. In order
> to look at the load issue, can your changes allow SA to be fed via
> socket as that would save some overhead?

I take it you mean unix socket - if so yes - minor tweak required -
I'll send a diff when is finished

> I have also amended the time out per child as I am sure there is
> something fishy going on with SA scanning some types of mail. I see
> the spamd route as giving me a good chance to catch the culprits as I
> should be able to time out one child and therefore one message.

Some benefit then!

matt

From hvdkooij at vanderkooij.org Tue Sep 9 22:23:09 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Tue Sep 9 22:23:26 2008
Subject: OT: awstats on yum repository
Message-ID: <48C6E93D.6030906@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I added some statistics specifically to track MailScanner downloads. For
that I added the following lines to my awstats config:

ExtraSectionName1="MailScanner downloads by architecture"
ExtraSectionCodeFilter1="200 304"
ExtraSectionCondition1="URL,^\/el[45]\/.*"
ExtraSectionFirstColumnTitle1="Architecture"
ExtraSectionFirstColumnValues1="URL,^\/el[45]\/([A-Za-z0-9_]+)\/mailscanner-[0-9].*"
ExtraSectionFirstColumnFormat1="%s"
ExtraSectionStatTypes1=PBL
ExtraSectionAddAverageRow1=0
ExtraSectionAddSumRow1=1
MaxNbOfExtra1=20
MinHitExtra1=1

ExtraSectionName2="MailScanner wrapper downloads by architecture"
ExtraSectionCodeFilter2="200 304"
ExtraSectionCondition2="URL,^\/el[45]\/.*"
ExtraSectionFirstColumnTitle2="Architecture"
ExtraSectionFirstColumnValues2="URL,^\/el[45]\/([A-Za-z0-9_]+)\/mailscanner-wrapper-[0-9].*"
ExtraSectionFirstColumnFormat2="%s"
ExtraSectionStatTypes2=PBL
ExtraSectionAddAverageRow2=0
ExtraSectionAddSumRow2=1
MaxNbOfExtra2=20
MinHitExtra2=1

ExtraSectionName3="MailScanner downloads by version"
ExtraSectionCodeFilter3="200 304"
ExtraSectionCondition3="URL,^\/el[45]\/.*"
ExtraSectionFirstColumnTitle3="Version"
ExtraSectionFirstColumnValues3="URL,^\/el[45]\/[A-Za-z0-9_]+\/mailscanner-([0-9.]+).*"
ExtraSectionFirstColumnFormat3="%s"
ExtraSectionStatTypes3=PBL
ExtraSectionAddAverageRow3=0
ExtraSectionAddSumRow3=1
MaxNbOfExtra3=20
MinHitExtra3=1

Over time it will show how popular the repository is and Jules can use
them to add to the general statistics.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored?
Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFIxuk8BvzDRVjxmYERAuTGAKCOo14MPaCF2+mZvv6JWQqsL5hTvgCeJI6C T0QAv1E1dtftgtz8+EuhA5Q= =7xHh -----END PGP SIGNATURE----- From spamlists at coders.co.uk Tue Sep 9 23:00:34 2008 From: spamlists at coders.co.uk (Matt Hampton) Date: Tue Sep 9 23:02:03 2008 Subject: AW: Using Spamd rather than the SpamAssassin Library In-Reply-To: <48C6E8F6.2000105@coders.co.uk> References: <48C1941F.40703@coders.co.uk> <5851C691-2A38-40CC-9134-73427193F4D7@technologytiger.net> <48C1ACE0.5020708@coders.co.uk> <48C2E9B8.9090801@coders.co.uk> <520F0D8E-EA1E-499C-B899-FB0342DA061A@technologytiger.net> <48C52509.3080405@coders.co.uk> <7A9C1520-4D96-4DDE-B04C-1C690069A2BE@technologytiger.net> <48C55287.8050608@coders.co.uk> <74138C8F-AFE6-4D22-A5ED-546B6B049795@technologytiger.net> <48C6E8F6.2000105@coders.co.uk> Message-ID: <48C6F202.8080206@coders.co.uk> Matt Hampton wrote: > I take it you mean unix socket - if so yes - minor tweak required - > I'll send a diff when is finished OK - have updated the file on the webserver http://www.coders.co.uk/SA.pm if you specify a path with at least one "/" in it spamd serv = /some/path it will ignore the port and call the client with socketpath matt From ssilva at sgvwater.com Tue Sep 9 23:24:11 2008 
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Sep 9 23:24:34 2008 Subject: OT: awstats on yum repository In-Reply-To: <48C6E93D.6030906@vanderkooij.org> References: <48C6E93D.6030906@vanderkooij.org> Message-ID: on 9-9-2008 2:23 PM Hugo van der Kooij spake the following: > Hi, > > I added some statistics specifically to track MailScanner downloads. For > that I added the following lines to my awstats config: > Just for fun I took a look and I get a 403 error. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080909/2038398b/signature.bin From allan at zandahar.net Wed Sep 10 05:11:03 2008 From: allan at zandahar.net (Allan Spencer) Date: Wed Sep 10 05:11:27 2008 Subject: Training MS/SA & Mailwatch Message-ID: <48C748D7.9060908@zandahar.net> Firstly please forgive me for being a bit of a newb but am looking at trying to train our MS/SA system to catch some of the spam thats getting through hopefully through the Mailwatch UI .Our MS doesn't accept any local mail and relays off to various Lotus Domino servers so not sure if this has an impact on the training capabilities Running Centos 4.x MS 4.71, SA 3.2.5, & ClamAV 0.94 The only other SA rules I've added are the KAM ones and I *THINK* I've got fuzzyocr working (which I will probably ditch shortly) In MW messages that have already been caught as a virus show me the option to learn as spam/ham (even though this is obvious) but no other messages give me this option. At the moment just need some starting points and directions towards a newb guide and maybe someone to have a glance over config file and --lint outputs to verify Cheers Allan From hvdkooij at vanderkooij.org Wed Sep 10 06:39:47 2008 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Wed Sep 10 06:39:59 2008 Subject: OT: awstats on yum repository In-Reply-To: References: <48C6E93D.6030906@vanderkooij.org> Message-ID: <48C75DA3.4060608@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Scott Silva wrote: > on 9-9-2008 2:23 PM Hugo van der Kooij spake the following: >> Hi, >> >> I added some statistics specifically to track MailScanner downloads. For >> that I added the following lines to my awstats config: >> > Just for fun I took a look and I get a 403 error. That is the referer spam protection. I need to whitelist people explicitly to see the awstats pages. Otherwise I get loads of dummy requests just so that spammers can get their website listed in the referer section of the report. I have not yet found a way to limit this to only the referer section. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFIx12hBvzDRVjxmYERAsC4AJ4452nVftMPRRXfJqcIW5jQs8Ih/wCgkzn4 lc0HTG62sSh+EVPuKVBieXo= =H9B5 -----END PGP SIGNATURE----- From martinh at solidstatelogic.com Wed Sep 10 07:23:18 2008 
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Wed Sep 10 07:19:16 2008
Subject: Training MS/SA & Mailwatch
Message-ID:

Allan

This is more of a MW question, so best to ask on that list.

But a pointer is that you need 'store' all messages as an action for spam and non spam, so MW can have access to the message in order to learn them.

As for off-host learning, best option is an IMAP folder for spam and ham, then use one of many perl scripts floating about the SA site to pull them into your local bayes db.

Have a look in the MS wiki also for a section on getting the most out of spamassassin.

--
martin

-----Original Message-----
From: Allan Spencer Sent: Wednesday, September 10, 2008 5:18 AM To: MailScanner discussion Subject: Training MS/SA & Mailwatch Firstly please forgive me for being a bit of a newb but am looking at trying to train our MS/SA system to catch some of the spam thats getting through hopefully through the Mailwatch UI .Our MS doesn't accept any local mail and relays off to various Lotus Domino servers so not sure if this has an impact on the training capabilities Running Centos 4.x MS 4.71, SA 3.2.5, & ClamAV 0.94 The only other SA rules I've added are the KAM ones and I *THINK* I've got fuzzyocr working (which I will probably ditch shortly) In MW messages that have already been caught as a virus show me the option to learn as spam/ham (even though this is obvious) but no other messages give me this option. At the moment just need some starting points and directions towards a newb guide and maybe someone to have a glance over config file and --lint outputs to verify Cheers Allan -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. 
Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From drew.marshall at technologytiger.net Wed Sep 10 08:48:38 2008 
From: drew.marshall at technologytiger.net (Drew Marshall) Date: Wed Sep 10 08:48:59 2008 Subject: AW: Using Spamd rather than the SpamAssassin Library In-Reply-To: <48C6F202.8080206@coders.co.uk> References: <48C1941F.40703@coders.co.uk> <5851C691-2A38-40CC-9134-73427193F4D7@technologytiger.net> <48C1ACE0.5020708@coders.co.uk> <48C2E9B8.9090801@coders.co.uk> <520F0D8E-EA1E-499C-B899-FB0342DA061A@technologytiger.net> <48C52509.3080405@coders.co.uk> <7A9C1520-4D96-4DDE-B04C-1C690069A2BE@technologytiger.net> <48C55287.8050608@coders.co.uk> <74138C8F-AFE6-4D22-A5ED-546B6B049795@technologytiger.net> <48C6E8F6.2000105@coders.co.uk> <48C6F202.8080206@coders.co.uk> Message-ID: On 9 Sep 2008, at 23:00, Matt Hampton wrote: > Matt Hampton wrote: >> I take it you mean unix socket - if so yes - minor tweak required - >> I'll send a diff when is finished > OK - have updated the file on the webserver > > http://www.coders.co.uk/SA.pm > > if you specify a path with at least one "/" in it > > spamd serv = /some/path > > it will ignore the port and call the client with socketpath Ok done this and it's now reporting 'Failed to create connection to spamd daemon: Connection refused' in debug (Mind you the mail doesn't half go though quick like that, although spam do increase a fair bit!). As far as I can see the socket is correct with correct permissions and I have even moved it to /tmp to make sure it's not a permissions error in the directories above. Any ideas? Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by Technology Tiger's Mail Launder system Our email policy can be found at www.technologytiger.net/policy Technology Tiger Limited is registered in Scotland with registration number: 310997 Registered Office 55-57 West High Street Inverurie AB51 3QQ From swati.meghanand at gmail.com Wed Sep 10 09:54:43 2008 
From: swati.meghanand at gmail.com (Swati Meghanand)
Date: Wed Sep 10 09:54:53 2008
Subject: Spamassassin Timeout issue.
Message-ID: <424c10260809100154v4d47738bg16e47138cde6b049@mail.gmail.com>

Hi,

I'm using mailscanner on a busy mail gateways from several months, which was working fine so far. From last few days I noticed increased no of spam mails as well log Filtering queues (of course slow processing of mailscanner). In log file of mailscanner I found following lines,

Sep 10 04:47:29 localhost MailScanner[11027]: Virus and Content Scanning: Starting
Sep 10 04:47:37 localhost MailScanner[8400]: SpamAssassin timed out and was killed, failure 8 of 20
Sep 10 04:47:37 localhost MailScanner[8680]: SpamAssassin timed out and was killed, failure 14 of 20
Sep 10 04:47:38 localhost MailScanner[8680]: Message 1KdL6x-0005q5-L3 from xx.xx.xx.xx (xxx@xxx.x) to xxx.xx is not spam, SpamAssassin (not cached, timed out)
Sep 10 04:47:38 localhost MailScanner[8400]: Message 1KdLDG-0006se-Ox from xx.xx.xx.xx (xxx@xx.xxx) to xxx.xx is not spam, SpamAssassin (not cached, timed out)

it clearly indicates mailscanner is not (able to) scanning messages.

Any idea about this issue.

Thanks in advance :-)

Regards

Swati Meghanand
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080910/989db4f4/attachment.html

From martinh at solidstatelogic.com Wed Sep 10 10:10:31 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Wed Sep 10 10:10:42 2008
Subject: Spamassassin Timeout issue.
In-Reply-To: <424c10260809100154v4d47738bg16e47138cde6b049@mail.gmail.com>
Message-ID:

Hi

Have a look in the wiki about getting the most out of spamassassin.

http://wiki.mailscanner.info/doku.php?id=maq:index&s=spamassassin#getting_the_best_out_of_spamassassin

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Swati Meghanand > Sent: 10 September 2008 09:55 > To: mailscanner@lists.mailscanner.info > Subject: Spamassassin Timeout issue. > > Hi, > > > I'm using mailscanner on a busy mail gateways from serveral > months, which was working fine so far.From last few days I > noticed incresed no of spam mails as well log Filtering > queues (ofcourse slow processing of mailscanner).In log file > of mailscanner I found following lines, > > Sep 10 04:47:29 localhost MailScanner[11027]: Virus and > Content Scanning: Starting Sep 10 04:47:37 localhost > MailScanner[8400]: SpamAssassin timed out and was killed, > failure 8 of 20 Sep 10 04:47:37 localhost MailScanner[8680]: > SpamAssassin timed out and was killed, failure 14 of 20 Sep > 10 04:47:38 localhost MailScanner[8680]: Message > 1KdL6x-0005q5-L3 from xx.xx.xx.xx (xxx@xxx.x) to xxx.xx is > not spam, SpamAssassin (not cached, timed out) Sep 10 > 04:47:38 localhost MailScanner[8400]: Message > 1KdLDG-0006se-Ox from xx.xx.xx.xx (xxx@xx.xxx) to xxx.xx is > not spam, SpamAssassin (not cached, timed out) > > it clealy indicates mailscanner is not (able to) scanning messages. > > Any idea about this issue. > > Thanks in advance :-) > > Regards > > Swati Meghanand > > > > >
From m.anderlini at database.it Wed Sep 10 11:11:15 2008
From: m.anderlini at database.it (Marcello Anderlini)
Date: Wed Sep 10 11:11:40 2008
Subject: R: Italian spam
In-Reply-To: <20080909162631.GA3016@msapiro>
References: <48C65110.1070908@di.unito.it><021b01c9127f$9d6ea330$2501a8c0@dbdomain.database.it> <20080909162631.GA3016@msapiro>
Message-ID: <004901c9132d$8f3103e0$2501a8c0@dbdomain.database.it>

This is the result of your suggested command:

=================
bayes_auto_expire 0
bayes_ignore_header X-MailScanner
bayes_ignore_header X-MailScanner-SpamCheck
bayes_ignore_header X-MailScanner-SpamScore
bayes_ignore_header X-MailScanner-Information
=================

I have also noticed that if I run these commands from crontab I find two files (bayes_seen and bayes_took) in /.spamassassin directory. Instead if I run these commands directly from "prompt" no new files are written in /.spamassassin directory !?

============
sa-learn --spam --no-sync --mbox /var/mail/spam
sa-learn --ham --mbox --no-sync /var/mail/notspam
sa-learn --sync

I have also checked (as suggested in one other email) and I have a link between

/etc/mail/spamassassin/mailscanner.cf -> /etc/MailScanner/spam.assassin.prefs.conf

Dr. Marcello Anderlini
m.anderlini@database.it
---------------------------------------------
Database Informatica S.r.l.
Microsoft Certified Partner
Tel. +39059775070
Fax. +39059779545
http://www.database.it
---------------------------------------------

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Mark Sapiro
Sent: Tuesday 9 September 2008 18.27
To: MailScanner discussion
Subject: Re: Italian spam

On Tue, Sep 09, 2008 at 03:26:06PM +0200, Marcello Anderlini wrote:
> Hello, in my /etc/Mailscanner/spam.assassin.prefs.conf
>
> I have just this commented line:
> #bayes_path /var/spool/spamassassin/bayes

Do you have any uncommented bayes settings in spam.assassin.prefs.conf? In particular, 'use_bayes'. What does

grep bayes /etc/MailScanner/spam.assassin.prefs.conf |grep -v ^#

show?

>
> I have look all around and I don't found any bayes.mutex file.
> I have found only these files in /root/.spamassassin ==============
> -rw------- 1 root root 168 Sep 9 15:23 bayes_journal
> -rw------- 1 root root 172904448 Sep 9 15:23 bayes_seen
> -rw------- 1 root root 9105408 Sep 9 11:07 bayes_toks
> ==============
>
> I can set sa-learn to use this directory ?

If sa-learn is run by root without specifying a configuration file, it will use this directory by default. You can verify by noting if the timestamps are updated when you run sa-learn.

--
Mark Sapiro mark at msapiro net       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

--
Message checked by the Database Informatica antivirus service

From alex at rtpty.com Wed Sep 10 14:51:35 2008
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Wed Sep 10 14:51:51 2008 Subject: Spamassassin Timeout issue. In-Reply-To: <424c10260809100154v4d47738bg16e47138cde6b049@mail.gmail.com> References: <424c10260809100154v4d47738bg16e47138cde6b049@mail.gmail.com> Message-ID: <8558A6EA-BFAA-4418-9C22-6A840146B7E1@rtpty.com> It's actually quite clearly indicating the opposite. You are not reading the logs right. If spamassassin is timing out, you need to take care of that. What caching nameserver are you running on that box? Sent from my iPhone On Sep 10, 2008, at 3:54 AM, "Swati Meghanand" wrote: > Hi, > > I'm using mailscanner on a busy mail gateways from serveral months, > which was working fine so far.From last few days I noticed incresed > no of spam mails as well log Filtering queues (ofcourse slow > processing of mailscanner).In log file of mailscanner I found > following lines, > > Sep 10 04:47:29 localhost MailScanner[11027]: Virus and Content > Scanning: Starting > Sep 10 04:47:37 localhost MailScanner[8400]: SpamAssassin timed out > and was killed, failure 8 of 20 > Sep 10 04:47:37 localhost MailScanner[8680]: SpamAssassin timed out > and was killed, failure 14 of 20 > Sep 10 04:47:38 localhost MailScanner[8680]: Message 1KdL6x-0005q5- > L3 from xx.xx.xx.xx (xxx@xxx.x) to xxx.xx is not spam, SpamAssassin > (not cached, timed out) > Sep 10 04:47:38 localhost MailScanner[8400]: Message 1KdLDG-0006se- > Ox from xx.xx.xx.xx (xxx@xx.xxx) to xxx.xx is not spam, SpamAssassin > (not cached, timed out) > > it clealy indicates mailscanner is not (able to) scanning messages. > > Any idea about this issue. > > Thanks in advance :-) > > Regards > > Swati Meghanand > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
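An added example, not part of the thread or of MailScanner itself, for the point made in the reply above: a message whose SpamAssassin check timed out is still logged as "is not spam" without a score having been computed, so the filter is failing open rather than not scanning. The script below tallies both log patterns; the first five sample lines are the ones quoted in the thread, while the last sample line, the function names and the 0.5 threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# First five lines: as quoted in the thread (already redacted by the poster).
# Last line: constructed here to show a normally scored message for contrast.
SAMPLE_LOG = """\
Sep 10 04:47:29 localhost MailScanner[11027]: Virus and Content Scanning: Starting
Sep 10 04:47:37 localhost MailScanner[8400]: SpamAssassin timed out and was killed, failure 8 of 20
Sep 10 04:47:37 localhost MailScanner[8680]: SpamAssassin timed out and was killed, failure 14 of 20
Sep 10 04:47:38 localhost MailScanner[8680]: Message 1KdL6x-0005q5-L3 from xx.xx.xx.xx (xxx@xxx.x) to xxx.xx is not spam, SpamAssassin (not cached, timed out)
Sep 10 04:47:38 localhost MailScanner[8400]: Message 1KdLDG-0006se-Ox from xx.xx.xx.xx (xxx@xx.xxx) to xxx.xx is not spam, SpamAssassin (not cached, timed out)
Sep 10 04:47:41 localhost MailScanner[11027]: Message 1KdLEE-0006tq-Ab from xx.xx.xx.xx (xxx@xx.xxx) to xxx.xx is not spam, SpamAssassin (not cached, score=0.4, required 6)
"""

TIMEOUT_RE = re.compile(
    r"MailScanner\[(?P<pid>\d+)\]: SpamAssassin timed out and was killed, "
    r"failure (?P<n>\d+) of (?P<limit>\d+)"
)
VERDICT_RE = re.compile(
    r"MailScanner\[(?P<pid>\d+)\]: Message (?P<msgid>\S+) from (?P<ip>\S+) "
    r"\((?P<sender>[^)]*)\) to (?P<rcpt>\S+) is (?P<verdict>not spam|spam), "
    r"SpamAssassin \((?P<detail>.*)\)\s*$"
)


def analyse(log_text):
    """Summarise SpamAssassin timeouts and the messages that passed unscored."""
    children = defaultdict(lambda: {"timeouts": 0, "worst": 0, "limit": 0})
    unscored, scored = [], 0
    for line in log_text.splitlines():
        m = TIMEOUT_RE.search(line)
        if m:
            child = children[m["pid"]]
            child["timeouts"] += 1
            # "failure N of M" is the per-child counter printed in the log.
            child["worst"] = max(child["worst"], int(m["n"]))
            child["limit"] = int(m["limit"])
            continue
        m = VERDICT_RE.search(line)
        if not m:
            continue  # unrelated line, e.g. "Virus and Content Scanning"
        if "timed out" in m["detail"]:
            # Logged as "not spam" although the spam check never finished.
            unscored.append({"msgid": m["msgid"], "pid": m["pid"], "ip": m["ip"]})
        else:
            scored += 1
    total = len(unscored) + scored
    return {
        "children": dict(children),
        "unscored": unscored,
        "scored": scored,
        "fail_open_ratio": len(unscored) / total if total else 0.0,
    }


def children_near_limit(report, threshold=0.5):
    """PIDs whose failure counter has reached `threshold` of the logged limit."""
    return sorted(
        pid for pid, c in report["children"].items()
        if c["limit"] and c["worst"] / c["limit"] >= threshold
    )


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    print("messages passed without a score:",
          [u["msgid"] for u in report["unscored"]])
    print("fail-open ratio: %.2f" % report["fail_open_ratio"])
    print("children at or above half the limit:", children_near_limit(report))
```

Run against a real maillog, a rising fail-open ratio is the figure to alert on, since every message in that list reached users without a spam check.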
From swati.meghanand at gmail.com Wed Sep 10 15:05:34 2008 
From: swati.meghanand at gmail.com (Swati Meghanand) Date: Wed Sep 10 15:05:46 2008 Subject: Spamassassin Timeout issue. In-Reply-To: <8558A6EA-BFAA-4418-9C22-6A840146B7E1@rtpty.com> References: <424c10260809100154v4d47738bg16e47138cde6b049@mail.gmail.com> <8558A6EA-BFAA-4418-9C22-6A840146B7E1@rtpty.com> Message-ID: <424c10260809100705k5b2714c4y4a286c9bc59f4383@mail.gmail.com> hi, I am not running any name server on the same machine, actually I am having a fail-over cluster of 3 machine having same configuration/setting I facing this prob in 2 machines the another thts 3rd is running smoothly... When I restart machine it works well for atleast 12-15 Hrs.(But restarting Mailscanner didn't helped me) Did u mean this could be a DNS related issue.... Regards, Swati Meghanand 2008/9/10 Alex Neuman van der Hans > It's actually quite clearly indicating the opposite. You are not reading > the logs right. If spamassassin is timing out, you need to take care of > that. What caching nameserver are you running on that box? 
> > Sent from my iPhone > > On Sep 10, 2008, at 3:54 AM, "Swati Meghanand" > wrote: > > Hi, >> >> I'm using mailscanner on a busy mail gateways from serveral months, which >> was working fine so far.From last few days I noticed incresed no of spam >> mails as well log Filtering queues (ofcourse slow processing of >> mailscanner).In log file of mailscanner I found following lines, >> >> Sep 10 04:47:29 localhost MailScanner[11027]: Virus and Content Scanning: >> Starting >> Sep 10 04:47:37 localhost MailScanner[8400]: SpamAssassin timed out and >> was killed, failure 8 of 20 >> Sep 10 04:47:37 localhost MailScanner[8680]: SpamAssassin timed out and >> was killed, failure 14 of 20 >> Sep 10 04:47:38 localhost MailScanner[8680]: Message 1KdL6x-0005q5-L3 from >> xx.xx.xx.xx (xxx@xxx.x) to xxx.xx is not spam, SpamAssassin (not cached, >> timed out) >> Sep 10 04:47:38 localhost MailScanner[8400]: Message 1KdLDG-0006se-Ox from >> xx.xx.xx.xx (xxx@xx.xxx) to xxx.xx is not spam, SpamAssassin (not cached, >> timed out) >> >> it clealy indicates mailscanner is not (able to) scanning messages. >> >> Any idea about this issue. >> >> Thanks in advance :-) >> >> Regards >> >> Swati Meghanand >> >> >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080910/05a8c9f9/attachment.html From alex at rtpty.com Wed Sep 10 15:22:03 2008 
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Wed Sep 10 15:22:21 2008 Subject: Spamassassin Timeout issue. In-Reply-To: <424c10260809100705k5b2714c4y4a286c9bc59f4383@mail.gmail.com> References: <424c10260809100154v4d47738bg16e47138cde6b049@mail.gmail.com> <8558A6EA-BFAA-4418-9C22-6A840146B7E1@rtpty.com> <424c10260809100705k5b2714c4y4a286c9bc59f4383@mail.gmail.com> Message-ID: When spamassassin times out, it usually is because of a DNS issue. Restarting works in your case probably because people trying to connect to your server "back off" when you restart it because to them it looks like your server died. They take pity and don't bother it for a while. When they see it back online, the load and backlog rises. Sent from my iPhone On Sep 10, 2008, at 9:05 AM, "Swati Meghanand" wrote: > hi, > > I am not running any name server on the same machine, actually I am > having a fail-over cluster of 3 machine having same configuration/ > setting I facing this prob in 2 machines the another thts 3rd is > running smoothly... > When I restart machine it works well for atleast 12-15 Hrs.(But > restarting Mailscanner didn't helped me) > > Did u mean this could be a DNS related issue.... > > Regards, > > Swati Meghanand > > > 2008/9/10 Alex Neuman van der Hans > It's actually quite clearly indicating the opposite. You are not > reading the logs right. If spamassassin is timing out, you need to > take care of that. What caching nameserver are you running on that > box? 
> > Sent from my iPhone > > > On Sep 10, 2008, at 3:54 AM, "Swati Meghanand" > wrote: > > Hi, > > I'm using mailscanner on a busy mail gateways from serveral months, > which was working fine so far.From last few days I noticed incresed > no of spam mails as well log Filtering queues (ofcourse slow > processing of mailscanner).In log file of mailscanner I found > following lines, > > Sep 10 04:47:29 localhost MailScanner[11027]: Virus and Content > Scanning: Starting > Sep 10 04:47:37 localhost MailScanner[8400]: SpamAssassin timed out > and was killed, failure 8 of 20 > Sep 10 04:47:37 localhost MailScanner[8680]: SpamAssassin timed out > and was killed, failure 14 of 20 > Sep 10 04:47:38 localhost MailScanner[8680]: Message 1KdL6x-0005q5- > L3 from xx.xx.xx.xx (xxx@xxx.x) to xxx.xx is not spam, SpamAssassin > (not cached, timed out) > Sep 10 04:47:38 localhost MailScanner[8400]: Message 1KdLDG-0006se- > Ox from xx.xx.xx.xx (xxx@xx.xxx) to xxx.xx is not spam, SpamAssassin > (not cached, timed out) > > it clealy indicates mailscanner is not (able to) scanning messages. > > Any idea about this issue. > > Thanks in advance :-) > > Regards > > Swati Meghanand > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
-------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080910/939794c7/attachment.html From m.anderlini at database.it Wed Sep 10 15:59:25 2008 
From: m.anderlini at database.it (Marcello Anderlini)
Date: Wed Sep 10 15:59:48 2008
Subject: R: Spamassassin Timeout issue.
In-Reply-To:
References: <424c10260809100154v4d47738bg16e47138cde6b049@mail.gmail.com><8558A6EA-BFAA-4418-9C22-6A840146B7E1@rtpty.com><424c10260809100705k5b2714c4y4a286c9bc59f4383@mail.gmail.com>
Message-ID: <000301c91355$d0d6dd60$2501a8c0@dbdomain.database.it>

I beg your pardon but I have the same problem and I looking for a solution since many month.

On my system is installed a dns server resolving also our domain.

Very often during the day, unexpectedly without change nothing spamassassin starts to run very slowly.
I have followed all the tips founded but without success. Could be a dns problem ?
This is my extract from my dns configuration. Is it enough to set it also as a cache dns ?

Thanks and sorry for my worst english.

======================
options {
        # boot file for named
        directory "/var/named";
        forwarders { 83.216.172.1;83.216.172.2;213.234.128.211; };
        query-source address * port 53;
};

logging {
        channel local_log {
                /*
                 * Use a file channel. The file is
                 * /var/log/named.log. [Why the ".log"
                 * suffix?] Keep 2 versions of the file
                 * and don't let it get bigger than 1 Mb.
                 */
                # file "/var/log/named.log"
                file "/var/log/named/named.log"
                        versions 2 size 1M;
                print-time yes;
        };
        category default {
                /*
                 * Send every log category to the
                 * local_log channel defined above.
                 */
                local_log;
        };
};
======================

Dr. Marcello Anderlini
m.anderlini@database.it
---------------------------------------------
Database Informatica S.r.l.
Microsoft Certified Partner
Tel. +39059775070
Fax. +39059779545
http://www.database.it
---------------------------------------------

________________________________

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Neuman van der Hans
Sent: Wednesday 10 September 2008 16.22
To: MailScanner discussion
Cc: MailScanner discussion
Subject: Re: Spamassassin Timeout issue.

When spamassassin times out, it usually is because of a DNS issue. Restarting works in your case probably because people trying to connect to your server "back off" when you restart it because to them it looks like your server died. They take pity and don't bother it for a while. When they see it back online, the load and backlog rises.

Sent from my iPhone

On Sep 10, 2008, at 9:05 AM, "Swati Meghanand" wrote:

hi,

I am not running any name server on the same machine, actually I am having a fail-over cluster of 3 machine having same configuration/setting I facing this prob in 2 machines the another thts 3rd is running smoothly...

When I restart machine it works well for atleast 12-15 Hrs.(But restarting Mailscanner didn't helped me)

Did u mean this could be a DNS related issue....

Regards,

Swati Meghanand

2008/9/10 Alex Neuman van der Hans < alex@rtpty.com>

It's actually quite clearly indicating the opposite. You are not reading the logs right. If spamassassin is timing out, you need to take care of that. What caching nameserver are you running on that box?
Sent from my iPhone On Sep 10, 2008, at 3:54 AM, "Swati Meghanand" < swati.meghanand@gmail.com> wrote: Hi, I'm using mailscanner on a busy mail gateways from serveral months, which was working fine so far.From last few days I noticed incresed no of spam mails as well log Filtering queues (ofcourse slow processing of mailscanner).In log file of mailscanner I found following lines, Sep 10 04:47:29 localhost MailScanner[11027]: Virus and Content Scanning: Starting Sep 10 04:47:37 localhost MailScanner[8400]: SpamAssassin timed out and was killed, failure 8 of 20 Sep 10 04:47:37 localhost MailScanner[8680]: SpamAssassin timed out and was killed, failure 14 of 20 Sep 10 04:47:38 localhost MailScanner[8680]: Message 1KdL6x-0005q5-L3 from xx.xx.xx.xx (xxx@xxx.x) to xxx.xx is not spam, SpamAssassin (not cached, timed out) Sep 10 04:47:38 localhost MailScanner[8400]: Message 1KdLDG-0006se-Ox from xx.xx.xx.xx (xxx@xx.xxx) to xxx.xx is not spam, SpamAssassin (not cached, timed out) it clealy indicates mailscanner is not (able to) scanning messages. Any idea about this issue. Thanks in advance :-) Regards Swati Meghanand -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- Messaggio verificato dal servizio antivirus di Database Informatica . 

From alex at rtpty.com Wed Sep 10 16:18:06 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Wed Sep 10 16:18:20 2008
Subject: R: Spamassassin Timeout issue.
In-Reply-To: <000301c91355$d0d6dd60$2501a8c0@dbdomain.database.it>
References: <424c10260809100154v4d47738bg16e47138cde6b049@mail.gmail.com><8558A6EA-BFAA-4418-9C22-6A840146B7E1@rtpty.com><424c10260809100705k5b2714c4y4a286c9bc59f4383@mail.gmail.com> <000301c91355$d0d6dd60$2501a8c0@dbdomain.database.it>
Message-ID:

Install a caching nameserver on your box and make sure it has access to the outside world. You may also want to use opendns as your forwarders since they can be faster than some ISP DNS servers.

Your internal DNS - I'm guessing here... - is probably windows based. In my experience this is usually not good.

Sent from my iPhone

On Sep 10, 2008, at 9:59 AM, "Marcello Anderlini" wrote:

> I beg your pardon but I have the same problem and I looking for a solution
> since many month.
>
> On my system is installed a dns server resolving also our domain.
>
> Very often during the day, unexpectedly without change nothing spamassassin
> starts to run very slowly.
> I have followed all the tips founded but without success. Could be a dns
> problem ?
> This is my extract from my dns configuration. Is it enough to set it also as
> a cache dns ?
>
> Thanks and sorry for my worst english.
>
> ======================
> options {
>     # boot file for named
>     directory "/var/named";
>     forwarders { 83.216.172.1;83.216.172.2;213.234.128.211; };
>     query-source address * port 53;
> };
>
> logging {
>     channel local_log {
>         /*
>          * Use a file channel. The file is
>          * /var/log/named.log. [Why the ".log"
>          * suffix?] Keep 2 versions of the file
>          * and don't let it get bigger than 1 Mb.
>          */
>         # file "/var/log/named.log"
>         file "/var/log/named/named.log"
>             versions 2 size 1M;
>         print-time yes;
>     };
>     category default {
>         /*
>          * Send every log category to the
>          * local_log channel defined above.
>          */
>         local_log;
>     };
> };
> ======================
>
> Dr. Marcello Anderlini
> m.anderlini@database.it
> ---------------------------------------------
> Database Informatica S.r.l.
> Microsoft Certified Partner
> Tel. +39059775070
> Fax. +39059779545
> http://www.database.it
> ---------------------------------------------
>
> ________________________________
>
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Neuman
> van der Hans
> Sent: Wednesday 10 September 2008 16.22
> To: MailScanner discussion
> Cc: MailScanner discussion
> Subject: Re: Spamassassin Timeout issue.
>
> When spamassassin times out, it usually is because of a DNS issue.
> Restarting works in your case probably because people trying to connect to
> your server "back off" when you restart it because to them it looks like
> your server died. They take pity and don't bother it for a while. When they
> see it back online, the load and backlog rises.
>
> Sent from my iPhone
>
> On Sep 10, 2008, at 9:05 AM, "Swati Meghanand" wrote:
>
> hi,
>
> I am not running any name server on the same machine, actually I am
> having a fail-over cluster of 3 machine having same configuration/setting I
> facing this prob in 2 machines the another that's 3rd is running smoothly...
>
> When I restart machine it works well for at least 12-15 Hrs. (But
> restarting Mailscanner didn't helped me)
>
> Did u mean this could be a DNS related issue....
>
> Regards,
>
> Swati Meghanand
>
> 2008/9/10 Alex Neuman van der Hans <alex@rtpty.com>
>
> It's actually quite clearly indicating the opposite. You are
> not reading the logs right.

From prandal at herefordshire.gov.uk Wed Sep 10 16:29:24 2008
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Wed Sep 10 16:29:39 2008
Subject: Spamassassin Timeout issue.
In-Reply-To: <000301c91355$d0d6dd60$2501a8c0@dbdomain.database.it>
References: <424c10260809100154v4d47738bg16e47138cde6b049@mail.gmail.com><8558A6EA-BFAA-4418-9C22-6A840146B7E1@rtpty.com><424c10260809100705k5b2714c4y4a286c9bc59f4383@mail.gmail.com> <000301c91355$d0d6dd60$2501a8c0@dbdomain.database.it>
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA04A6739F@HC-MBX02.herefordshire.gov.uk>

"query-source address * port 53;"

Eek! Repeat after me 10 times: "Dan Kaminsky".

Time to do a sanity check on all your DNS setups to ensure you have current BINDs with randomised source ports for queries.

Cheers,

Phil

--
Phil Randal
Networks Engineer
Herefordshire Council
Hereford, UK

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Marcello Anderlini
Sent: 10 September 2008 15:59
To: 'MailScanner discussion'
Subject: R: Spamassassin Timeout issue.

I beg your pardon but I have the same problem and I looking for a solution since many month.

On my system is installed a dns server resolving also our domain.

Very often during the day, unexpectedly without change nothing spamassassin starts to run very slowly.
I have followed all the tips founded but without success. Could be a dns problem ?
This is my extract from my dns configuration. Is it enough to set it also as a cache dns ?

Thanks and sorry for my worst english.

======================
options {
    # boot file for named
    directory "/var/named";
    forwarders { 83.216.172.1;83.216.172.2;213.234.128.211; };
    query-source address * port 53;
};

logging {
    channel local_log {
        /*
         * Use a file channel. The file is
         * /var/log/named.log. [Why the ".log"
         * suffix?] Keep 2 versions of the file
         * and don't let it get bigger than 1 Mb.
         */
        # file "/var/log/named.log"
        file "/var/log/named/named.log"
            versions 2 size 1M;
        print-time yes;
    };
    category default {
        /*
         * Send every log category to the
         * local_log channel defined above.
         */
        local_log;
    };
};
======================

Dr. Marcello Anderlini
m.anderlini@database.it
---------------------------------------------
Database Informatica S.r.l.
Microsoft Certified Partner
Tel. +39059775070
Fax. +39059779545
http://www.database.it
---------------------------------------------

________________________________

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Neuman van der Hans
Sent: Wednesday 10 September 2008 16.22
To: MailScanner discussion
Cc: MailScanner discussion
Subject: Re: Spamassassin Timeout issue.

When spamassassin times out, it usually is because of a DNS issue.

From m.anderlini at database.it Wed Sep 10 16:39:51 2008
From: m.anderlini at database.it (Marcello Anderlini)
Date: Wed Sep 10 16:40:21 2008
Subject: R: Spamassassin Timeout issue.
In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA04A6739F@HC-MBX02.herefordshire.gov.uk>
References: <424c10260809100154v4d47738bg16e47138cde6b049@mail.gmail.com><8558A6EA-BFAA-4418-9C22-6A840146B7E1@rtpty.com><424c10260809100705k5b2714c4y4a286c9bc59f4383@mail.gmail.com><000301c91355$d0d6dd60$2501a8c0@dbdomain.database.it> <7EF0EE5CB3B263488C8C18823239BEBA04A6739F@HC-MBX02.herefordshire.gov.uk>
Message-ID: <000001c9135b$76c0ac60$2501a8c0@dbdomain.database.it>

I beg your pardon but I do not understand your email.
Could you please be more clear and "easy step" :-)

Why "query-source address * port 53;" should be wrong ???

Thanks again.

Dr. Marcello Anderlini
m.anderlini@database.it
---------------------------------------------
Database Informatica S.r.l.
Microsoft Certified Partner
Tel. +39059775070
Fax. +39059779545
http://www.database.it
---------------------------------------------

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Randal, Phil
Sent: Wednesday 10 September 2008 17.29
To: MailScanner discussion
Subject: RE: Spamassassin Timeout issue.

"query-source address * port 53;"

Eek! Repeat after me 10 times: "Dan Kaminsky".

Time to do a sanity check on all your DNS setups to ensure you have current BINDs with randomised source ports for queries.

Cheers,

Phil

--
Phil Randal
Networks Engineer
Herefordshire Council
Hereford, UK

From m.anderlini at database.it Wed Sep 10 16:40:17 2008
From: m.anderlini at database.it (Marcello Anderlini)
Date: Wed Sep 10 16:41:06 2008
Subject: R:Re: R: Spamassassin Timeout issue.
In-Reply-To:
References: <424c10260809100154v4d47738bg16e47138cde6b049@mail.gmail.com><8558A6EA-BFAA-4418-9C22-6A840146B7E1@rtpty.com><424c10260809100705k5b2714c4y4a286c9bc59f4383@mail.gmail.com><000301c91355$d0d6dd60$2501a8c0@dbdomain.database.it>
Message-ID: <000101c9135b$868080d0$2501a8c0@dbdomain.database.it>

No it's non windows based, It's bind running on centos 4.x.

I would like to know if someone could explain me if my dns configuration it's correct.

Thanks again

Dr. Marcello Anderlini
m.anderlini@database.it
---------------------------------------------
Database Informatica S.r.l.
Microsoft Certified Partner
Tel. +39059775070
Fax. +39059779545
http://www.database.it
---------------------------------------------

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Neuman van der Hans
Sent: Wednesday 10 September 2008 17.18
To: MailScanner discussion
Subject: [spam] Re: R: Spamassassin Timeout issue.

Install a caching nameserver on your box and make sure it has access to the outside world. You may also want to use opendns as your forwarders since they can be faster than some ISP DNS servers.

Your internal DNS - I'm guessing here... - is probably windows based. In my experience this is usually not good.

Sent from my iPhone

On Sep 10, 2008, at 9:59 AM, "Marcello Anderlini" wrote:

> I beg your pardon but I have the same problem and I looking for a
> solution since many month.
>
> On my system is installed a dns server resolving also our domain.
>
> Very often during the day, unexpectedly without change nothing
> spamassassin starts to run very slowly.
> I have followed all the tips founded but without success. Could be a
> dns problem ?
> This is my extract from my dns configuration. Is it enough to set it
> also as a cache dns ?
>
> Thanks and sorry for my worst english.
>
> ======================
> options {
>     # boot file for named
>     directory "/var/named";
>     forwarders { 83.216.172.1;83.216.172.2;213.234.128.211; };
>     query-source address * port 53;
> };
>
> logging {
>     channel local_log {
>         /*
>          * Use a file channel. The file is
>          * /var/log/named.log. [Why the ".log"
>          * suffix?] Keep 2 versions of the file
>          * and don't let it get bigger than 1 Mb.
>          */
>         # file "/var/log/named.log"
>         file "/var/log/named/named.log"
>             versions 2 size 1M;
>         print-time yes;
>     };
>     category default {
>         /*
>          * Send every log category to the
>          * local_log channel defined above.
>          */
>         local_log;
>     };
> };
> ======================
>
> Dr. Marcello Anderlini
> m.anderlini@database.it
> ---------------------------------------------
> Database Informatica S.r.l.
> Microsoft Certified Partner
> Tel. +39059775070
> Fax. +39059779545
> http://www.database.it
> ---------------------------------------------
>
> ________________________________
>
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex
> Neuman van der Hans
> Sent: Wednesday 10 September 2008 16.22
> To: MailScanner discussion
> Cc: MailScanner discussion
> Subject: Re: Spamassassin Timeout issue.
>
> When spamassassin times out, it usually is because of a DNS issue.
> Restarting works in your case probably because people trying to
> connect to your server "back off" when you restart it because to them
> it looks like your server died. They take pity and don't bother it for
> a while. When they see it back online, the load and backlog rises.
>
> Sent from my iPhone
>
> On Sep 10, 2008, at 9:05 AM, "Swati Meghanand" wrote:
>
> hi,
>
> I am not running any name server on the same machine, actually I am
> having a fail-over cluster of 3 machine having same configuration/
> setting I facing this prob in 2 machines the another that's 3rd is
> running smoothly...

From mkercher at nfsmith.com Wed Sep 10 16:54:30 2008
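
As an added example (not written by anyone in the thread, and not MailScanner or BIND code), this Python script audits named.conf text for the setting Phil Randal flags above: a `query-source` statement that pins the source port, using the options block quoted in the thread as input. The function names, the second config and the observed-port samples are constructed for illustration; the port classifier goes a little beyond the thread, as one way to run the "sanity check" against what a resolver actually sends.

```python
import re

# options block from the named.conf extract quoted in the thread
# (logging block left out, Italian comment translated).
THREAD_CONF = '''
options {
    # boot file for named
    directory "/var/named";
    forwarders { 83.216.172.1;83.216.172.2;213.234.128.211; };
    query-source address * port 53;
};
'''

# Constructed comparison: the port clause is removed, leaving named free to
# choose the source port of its outgoing queries.
RELAXED_CONF = '''
options {
    directory "/var/named";
    forwarders { 83.216.172.1;83.216.172.2;213.234.128.211; };
    // query-source address * port 53;
    query-source address *;
};
'''

STATEMENT = re.compile(r"\b(query-source(?:-v6)?)\b([^;{}]*);")
PORT = re.compile(r"\bport\s+(\*|\d+)")


def strip_comments(text):
    """Drop /* */, // and # comments; keep quoted strings and line breaks."""
    out, i, n = [], 0, len(text)
    while i < n:
        if text[i] == '"':                        # copy a quoted string as-is
            j = text.find('"', i + 1)
            end = n if j == -1 else j + 1
            out.append(text[i:end])
            i = end
        elif text.startswith("/*", i):            # block comment
            j = text.find("*/", i + 2)
            end = n if j == -1 else j + 2
            out.append("\n" * text.count("\n", i, end))   # keep line numbers
            i = end
        elif text.startswith("//", i) or text[i] == "#":  # to end of line
            j = text.find("\n", i)
            i = n if j == -1 else j
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def fixed_query_source_ports(conf_text):
    """Return (line, statement, port) for every query-source that pins a port."""
    clean = strip_comments(conf_text)
    findings = []
    for m in STATEMENT.finditer(clean):
        port = PORT.search(m.group(2))
        if port and port.group(1) != "*":
            line = clean.count("\n", 0, m.start()) + 1
            findings.append((line, " ".join(m.group(0).split()), int(port.group(1))))
    return findings


def classify_observed_ports(ports):
    """Label the source ports seen on consecutive outgoing queries.

    'varied' only means no obvious pattern; it is not proof of good randomness.
    """
    if len(ports) < 2:
        raise ValueError("need at least two observed queries")
    if len(set(ports)) == 1:
        return "fixed"
    if all(b - a == 1 for a, b in zip(ports, ports[1:])):
        return "sequential"
    return "varied"


if __name__ == "__main__":
    for name, conf in (("thread", THREAD_CONF), ("relaxed", RELAXED_CONF)):
        print(name, fixed_query_source_ports(conf) or "no pinned query-source port")
    # Constructed samples of ports as they might be read off a packet capture.
    for sample in ([53, 53, 53, 53], [1024, 1025, 1026], [40211, 1893, 60122, 23007]):
        print(sample, classify_observed_ports(sample))
```

A config with no pinned port says nothing about the BIND version in use, which is the other half of the check asked for in the thread; the observed-port labels are there for that.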
From: mkercher at nfsmith.com (Mike Kercher)
Date: Wed Sep 10 16:55:11 2008
Subject: WMV's Getting Through
Message-ID: <224FA7E11EA39E45843E11CEBBD3A36FEBFE7C@HOUPEX01.nfsmith.info>

Recently, .WMV files have started being delivered through my MS boxes. I ran file against one of the attachments:

file JobMarket-2010.wmv
JobMarket-2010.wmv: Microsoft ASF

In my filetype.rules.conf, I have:

deny ASF No Windows media No Windows media files allowed

This hasn't been changed in a LONG time

I even tried adding \.wmv$ to filename.rules.conf, but they are still coming through. The only thing I see in the logs is that the email is too big for spam checks (is too big for spam checks (6657685 > 150000 bytes))

Any idea what I'm missing here?

TIA

Mike

From prandal at herefordshire.gov.uk Wed Sep 10 16:58:54 2008
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Wed Sep 10 16:59:13 2008
Subject: Spamassassin Timeout issue.
In-Reply-To: <000001c9135b$76c0ac60$2501a8c0@dbdomain.database.it>
References: <424c10260809100154v4d47738bg16e47138cde6b049@mail.gmail.com><8558A6EA-BFAA-4418-9C22-6A840146B7E1@rtpty.com><424c10260809100705k5b2714c4y4a286c9bc59f4383@mail.gmail.com><000301c91355$d0d6dd60$2501a8c0@dbdomain.database.it><7EF0EE5CB3B263488C8C18823239BEBA04A6739F@HC-MBX02.herefordshire.gov.uk> <000001c9135b$76c0ac60$2501a8c0@dbdomain.database.it>
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA04A673B5@HC-MBX02.herefordshire.gov.uk>

You should not use a fixed SOURCE port for DNS queries. The destination port is, of course, 53.

A non-"random" source port for DNS queries makes the Dan Kaminsky exploit trivial.

http://www.unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html

Cheers,

Phil

--
Phil Randal
Networks Engineer
Herefordshire Council
Hereford, UK

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Marcello Anderlini
Sent: 10 September 2008 16:40
To: 'MailScanner discussion'
Subject: R: Spamassassin Timeout issue.

I beg your pardon but I do not understand your email.
Could you please be more clear and "easy step" :-)

Why "query-source address * port 53;" should be wrong ???

Thanks again.

Dr. Marcello Anderlini
m.anderlini@database.it
---------------------------------------------
Database Informatica S.r.l.
Microsoft Certified Partner
Tel. +39059775070
Fax. +39059779545
http://www.database.it
---------------------------------------------

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Randal, Phil
Sent: Wednesday 10 September 2008 17.29
To: MailScanner discussion
Subject: RE: Spamassassin Timeout issue.

"query-source address * port 53;"

Eek! Repeat after me 10 times: "Dan Kaminsky".

Time to do a sanity check on all your DNS setups to ensure you have current BINDs with randomised source ports for queries.

Cheers,

Phil

--
Phil Randal
Networks Engineer
Herefordshire Council
Hereford, UK
From alex at rtpty.com Wed Sep 10 16:59:06 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Wed Sep 10 16:59:56 2008
Subject: Spamassassin Timeout issue.
In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA04A6739F@HC-MBX02.herefordshire.gov.uk>
References: <424c10260809100154v4d47738bg16e47138cde6b049@mail.gmail.com><8558A6EA-BFAA-4418-9C22-6A840146B7E1@rtpty.com><424c10260809100705k5b2714c4y4a286c9bc59f4383@mail.gmail.com> <000301c91355$d0d6dd60$2501a8c0@dbdomain.database.it> <7EF0EE5CB3B263488C8C18823239BEBA04A6739F@HC-MBX02.herefordshire.gov.uk>
Message-ID: <0C446201-FEE4-4C73-A15F-275B5FE1C4EC@rtpty.com>

In less technical terms, upgrade bind asap.

Sent from my iPhone

On Sep 10, 2008, at 10:29 AM, "Randal, Phil" wrote:

> "query-source address * port 53;"
>
> Eek! Repeat after me 10 times: "Dan Kaminsky".
>
> Time to do a sanity check on all your DNS setups to ensure you have
> current BINDs with randomised source ports for queries.
>
> Cheers,
>
> Phil
>
> --
> Phil Randal
> Networks Engineer
> Herefordshire Council
> Hereford, UK

From csweeney at osubucks.org Wed Sep 10 17:02:12 2008
From: csweeney at osubucks.org (Chris Sweeney)
Date: Wed Sep 10 17:02:35 2008
Subject: R: Spamassassin Timeout issue.
In-Reply-To: <000001c9135b$76c0ac60$2501a8c0@dbdomain.database.it>
References: <424c10260809100154v4d47738bg16e47138cde6b049@mail.gmail.com><8558A6EA-BFAA-4418-9C22-6A840146B7E1@rtpty.com><424c10260809100705k5b2714c4y4a286c9bc59f4383@mail.gmail.com><000301c91355$d0d6dd60$2501a8c0@dbdomain.database.it> <7EF0EE5CB3B263488C8C18823239BEBA04A6739F@HC-MBX02.herefordshire.gov.uk> <000001c9135b$76c0ac60$2501a8c0@dbdomain.database.it>
Message-ID: <47539.65.161.188.11.1221062532.squirrel@webmail.osubucks.org>

Why use forwarders at all? It just adds delay; use your DNS to resolve direct. Remove the source port:

options {
        # boot file for named
        directory "/var/named";
};

logging {
        channel local_log {
                /*
                 * Use a file channel. The file is
                 * /var/log/named.log. [Why the ".log"
                 * suffix?] Keep 2 versions of the file
                 * and don't let it get bigger than 1 Mb.
                 */
#               file "/var/log/named.log"
                file "/var/log/named/named.log"
                        versions 2 size 1M;
                print-time yes;
        };
        category default {
                /*
                 * Send every log category to the
                 * local_log channel defined above.
                 */
                local_log;
        };
};
======================

> I beg your pardon but I do not understand your email.
>
> Could you please be more clear and "easy step" :-)
>
> Why "query-source address * port 53;" should be wrong ???
>
> Thanks again.
>
> Dr. Marcello Anderlini
> m.anderlini@database.it
> ---------------------------------------------
> Database Informatica S.r.l.
> Microsoft Certified Partner
> Tel. +39059775070
> Fax. +39059779545
> http://www.database.it
> ---------------------------------------------
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On behalf of Randal, Phil
> Sent: Wednesday 10 September 2008 17.29
> To: MailScanner discussion
> Subject: RE: Spamassassin Timeout issue.
>
> "query-source address * port 53;"
>
> Eek! Repeat after me 10 times: "Dan Kaminsky".
>
> Time to do a sanity check on all your DNS setups to ensure you have
> current BINDs with randomised source ports for queries.
>
> Cheers,
>
> Phil
>
> --
> Phil Randal
> Networks Engineer
> Herefordshire Council
> Hereford, UK

--
Chris Sweeney

Home Phone for $10 a month call 937-415-0943

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From alex at rtpty.com Wed Sep 10 17:18:06 2008
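The sanity check Phil Randal asks for, as an added example that is not code from any poster, from BIND or from MailScanner: it scans named.conf text for a `query-source` statement pinned to one port and compares the guessing space with and without randomised source ports. The sample configs are constructed from the blocks quoted in the thread, and the 64512-port pool is an assumed figure for illustration.

```python
import math
import re

# Constructed samples. THREAD_CONF is the options block posted in the thread,
# FIXED_CONF the trimmed block from the reply, EDGE_CONF exercises the parser.
THREAD_CONF = """\
options {
    # boot file for named
    directory "/var/named";
    forwarders { 83.216.172.1;83.216.172.2;213.234.128.211; };
    query-source address * port 53;
};
"""

FIXED_CONF = """\
options {
    directory "/var/named";
};
"""

EDGE_CONF = """\
options {
    /* query-source address * port 53;
       left over from an old firewall rule */
    query-source address 192.0.2.10 port *;   // wildcard port: not flagged
    query-source-v6 port 5353;                # fixed port: flagged
    directory "/var/named#1";
};
"""

# A quoted string, or one of the three comment styles named.conf accepts.
_STRING_OR_COMMENT = re.compile(
    r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
# A query-source / query-source-v6 statement up to its terminating semicolon.
_QUERY_SOURCE = re.compile(r'\b(query-source(?:-v6)?)\b([^;{}]*);')


def strip_comments(text):
    """Drop comments but keep strings and newlines, so line numbers stay valid."""
    def keep_or_blank(match):
        token = match.group(0)
        return token if token.startswith('"') else "\n" * token.count("\n")
    return _STRING_OR_COMMENT.sub(keep_or_blank, text)


def find_fixed_ports(conf_text):
    """Return (line, statement, port) for every query-source pinned to one port."""
    clean = strip_comments(conf_text)
    findings = []
    for match in _QUERY_SOURCE.finditer(clean):
        tokens = match.group(2).split()
        if "port" not in tokens:
            continue                      # no port clause: named picks the port
        idx = tokens.index("port")
        value = tokens[idx + 1] if idx + 1 < len(tokens) else "*"
        if value.isdigit():               # "*" means "let named choose"
            line = clean.count("\n", 0, match.start()) + 1
            findings.append((line, match.group(1), int(value)))
    return findings


def guess_space_bits(port_pool_size):
    """Bits a forged reply must match: the 16-bit DNS query ID plus the port choice."""
    return 16 + math.log2(port_pool_size)


def audit(conf_text, assumed_pool=64512):
    """Report lines; assumed_pool (ports 1024-65535) is an illustrative assumption."""
    report = []
    for line, stmt, port in find_fixed_ports(conf_text):
        report.append(
            f"line {line}: {stmt} pinned to port {port}: "
            f"{guess_space_bits(1):.0f} bits to guess instead of about "
            f"{guess_space_bits(assumed_pool):.0f} with randomised ports")
    return report or ["no fixed query-source port found"]


if __name__ == "__main__":
    for name, conf in (("thread", THREAD_CONF), ("reply", FIXED_CONF), ("edge", EDGE_CONF)):
        print(name, *audit(conf), sep="\n  ")
```

Pass the text of your own named.conf to `audit()`; `include` files are not followed, so check each one separately.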
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Wed Sep 10 17:18:23 2008
Subject: R: Spamassassin Timeout issue.
In-Reply-To: <47539.65.161.188.11.1221062532.squirrel@webmail.osubucks.org>
References: <424c10260809100154v4d47738bg16e47138cde6b049@mail.gmail.com><8558A6EA-BFAA-4418-9C22-6A840146B7E1@rtpty.com><424c10260809100705k5b2714c4y4a286c9bc59f4383@mail.gmail.com><000301c91355$d0d6dd60$2501a8c0@dbdomain.database.it> <7EF0EE5CB3B263488C8C18823239BEBA04A6739F@HC-MBX02.herefordshire.gov.uk> <000001c9135b$76c0ac60$2501a8c0@dbdomain.database.it> <47539.65.161.188.11.1221062532.squirrel@webmail.osubucks.org>
Message-ID: <97ABA591-579D-4F8F-A749-287C4499EE9A@rtpty.com>

Would resolving direct be faster than resolving through opendns?

Sent from my iPhone

On Sep 10, 2008, at 11:02 AM, "Chris Sweeney" wrote:

> Why use forwarders at all? It just adds delay; use your DNS to resolve
> direct. Remove the source port:
>
> options {
>         # boot file for named
>         directory "/var/named";
> };
>
> logging {
>         channel local_log {
>                 /*
>                  * Use a file channel. The file is
>                  * /var/log/named.log. [Why the ".log"
>                  * suffix?] Keep 2 versions of the file
>                  * and don't let it get bigger than 1 Mb.
>                  */
> #               file "/var/log/named.log"
>                 file "/var/log/named/named.log"
>                         versions 2 size 1M;
>                 print-time yes;
>         };
>         category default {
>                 /*
>                  * Send every log category to the
>                  * local_log channel defined above.
>                  */
>                 local_log;
>         };
> };
> ======================

From Kevin_Miller at ci.juneau.ak.us Wed Sep 10 18:28:09 2008
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Wed Sep 10 18:28:31 2008
Subject: R: Spamassassin Timeout issue.
In-Reply-To: <97ABA591-579D-4F8F-A749-287C4499EE9A@rtpty.com>
References: <424c10260809100154v4d47738bg16e47138cde6b049@mail.gmail.com><8558A6EA-BFAA-4418-9C22-6A840146B7E1@rtpty.com><424c10260809100705k5b2714c4y4a286c9bc59f4383@mail.gmail.com><000301c91355$d0d6dd60$2501a8c0@dbdomain.database.it><7EF0EE5CB3B263488C8C18823239BEBA04A6739F@HC-MBX02.herefordshire.gov.uk><000001c9135b$76c0ac60$2501a8c0@dbdomain.database.it><47539.65.161.188.11.1221062532.squirrel@webmail.osubucks.org> <97ABA591-579D-4F8F-A749-287C4499EE9A@rtpty.com>
Message-ID:

Alex Neuman van der Hans wrote:
> Would resolving direct be faster than resolving through opendns?

Depends. If opendns already has that entry cached, then it's one stop shopping. If it's a new query, then it would be marginally faster for you to hit the root servers yourself and recurse through the DNS tree. Remember too, that once your server gets a reply for somedomain.com, that it will be cached locally so there won't be any further remote lookups for it. At least until it expires.

Personally, I don't think it is a significant difference either way. If, however, you're running an older version of bind or other DNS server that doesn't do random ports, and you don't have the luxury of upgrading in the immediate future, using opendns as a forwarder will add a layer of protection...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907) 586-4500

From csweeney at osubucks.org Wed Sep 10 18:41:39 2008
From: csweeney at osubucks.org (Chris Sweeney)
Date: Wed Sep 10 18:41:58 2008
Subject: R: Spamassassin Timeout issue.
In-Reply-To:
References: <424c10260809100154v4d47738bg16e47138cde6b049@mail.gmail.com><8558A6EA-BFAA-4418-9C22-6A840146B7E1@rtpty.com><424c10260809100705k5b2714c4y4a286c9bc59f4383@mail.gmail.com><000301c91355$d0d6dd60$2501a8c0@dbdomain.database.it><7EF0EE5CB3B263488C8C18823239BEBA04A6739F@HC-MBX02.herefordshire.gov.uk><000001c9135b$76c0ac60$2501a8c0@dbdomain.database.it><47539.65.161.188.11.1221062532.squirrel@webmail.osubucks.org> <97ABA591-579D-4F8F-A749-287C4499EE9A@rtpty.com>
Message-ID: <13425.65.161.188.11.1221068499.squirrel@webmail.osubucks.org>

> Personally, I don't think it is a significant difference either way.
> If, however, you're running an older version of bind or other DNS server
> that doesn't do random ports, and you don't have the luxury of upgrading
> in the immediate future, using opendns as a forwarder will add a layer
> of protection...
>

It's going to depend on your network path to OpenDNS also. I personally have never found it faster to go off network (OpenDNS) than do lookups myself. Especially on a mail server, since a lot of your SPAM comes in batches, the lookups to the same domain are going to be much significantly faster in that respect. I've tried OpenDNS quite a few times and although it's good and it is fast it has never beat going local in my test enough to increase my traffic going out/in from the internet.

From alex at rtpty.com Wed Sep 10 18:51:08 2008
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Wed Sep 10 18:51:37 2008 Subject: R: Spamassassin Timeout issue. In-Reply-To: References: <424c10260809100154v4d47738bg16e47138cde6b049@mail.gmail.com><8558A6EA-BFAA-4418-9C22-6A840146B7E1@rtpty.com><424c10260809100705k5b2714c4y4a286c9bc59f4383@mail.gmail.com><000301c91355$d0d6dd60$2501a8c0@dbdomain.database.it><7EF0EE5CB3B263488C8C18823239BEBA04A6739F@HC-MBX02.herefordshire.gov.uk><000001c9135b$76c0ac60$2501a8c0@dbdomain.database.it><47539.65.161.188.11.1221062532.squirrel@webmail.osubucks.org> <97ABA591-579D-4F8F-A749-287C4499EE9A@rtpty.com> Message-ID: <3A286146-D0C7-41C4-9DC9-333064DF6473@rtpty.com> Sent from my iPhone On Sep 10, 2008, at 12:28 PM, "Kevin Miller" wrote: > Alex Neuman van der Hans wrote: >> Would resolving direct be faster than resolving through opendns? > > Depends. If opendns already has that entry cached, then it's one stop > shopping. If it's a new query, the it would be marginally faster for > you to hit the root servers yourself and recurse through the DNS tree. > Remember too, that once your server gets a reply for somedomain.com, > that it will be cached locally so there won't be any further remote > lookups for it. At least until it expires. > > Personally, I don't think it is a significant difference either way. > If, however, you're running an older version of bind or other DNS > server > that doesn't do random ports, and you don't have the luxury of > upgrading > in the immediate future, using opendns as a forwarder will add a layer > of protection... Hadn't thought of that one. Excellent point. > > > ...Kevin > -- > Kevin Miller Registered Linux User No: 307357 > CBJ MIS Dept. Network Systems Admin., Mail Admin. 
> 155 South Seward Street ph: (907) 586-0242 > Juneau, Alaska 99801 fax: (907 586-4500 > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From martinh at solidstatelogic.com Wed Sep 10 18:56:34 2008 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Wed Sep 10 18:52:29 2008 Subject: R: Spamassassin Timeout issue. Message-ID: A quick look at the underlying dns protocol will show u why a local caching dns server will speed up queries over even a server <1ms away, and in practice the results can be dramatic for a system like SA/MS that is quite dns hungry. -- martin -----Original Message----- 
From: Chris Sweeney Sent: Wednesday, September 10, 2008 6:45 PM To: MailScanner discussion Subject: RE: R: Spamassassin Timeout issue. > Personally, I don't think it is a significant difference either way. > If, however, you're running an older version of bind or other DNS server > that doesn't do random ports, and you don't have the luxury of upgrading > in the immediate future, using opendns as a forwarder will add a layer > of protection... > It's going to depend on your network path to OpenDNS also. I personally have never found it faster to go off network (OpenDNS) then do lookups myself. Especially on a mail server since alot of your SPAM comes in batches the lookups to the same domain are going to much significanly faster in that respect. I've tried OpenDNS quite a few times and although its good and it is fast it has never beat going local in my test enough to increase my traffic going out/in from the internet. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. 
We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From alex at rtpty.com Wed Sep 10 19:08:20 2008 From: alex at rtpty.com (Alex Neuman van der Hans) Date: Wed Sep 10 19:09:32 2008 Subject: R: Spamassassin Timeout issue. In-Reply-To: References: Message-ID: Specially since spam *usually* comes in batches from a few discrete sources at a time. Splitting recipients at the mta level helps even further through SA caching. Sent from my iPhone On Sep 10, 2008, at 12:56 PM, "Martin.Hepworth" wrote: > A quick look at the underlying dns protocol will show u why a local > caching dns server will speed up queries over even a server <1ms > away, and in practice the results can be dramatic for a system like > SA/MS that is quite dns hungry. > > -- > martin > > -----Original Message----- 
> From: Chris Sweeney > Sent: Wednesday, September 10, 2008 6:45 PM > To: MailScanner discussion > Subject: RE: R: Spamassassin Timeout issue. > >> Personally, I don't think it is a significant difference either way. >> If, however, you're running an older version of bind or other DNS >> server >> that doesn't do random ports, and you don't have the luxury of >> upgrading >> in the immediate future, using opendns as a forwarder will add a >> layer >> of protection... >> > It's going to depend on your network path to OpenDNS also. I > personally > have never found it faster to go off network (OpenDNS) then do lookups > myself. Especially on a mail server since alot of your SPAM comes in > batches the lookups to the same domain are going to much significanly > faster in that respect. > > I've tried OpenDNS quite a few times and although its good and it is > fast > it has never beat going local in my test enough to increase my traffic > going out/in from the internet. > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > ********************************************************************** > Confidentiality : This e-mail and any attachments are intended for the > addressee only and may be confidential. If they come to you in error > you must take no action based on them, nor must you copy or show them > to anyone. Please advise the sender by replying to this e-mail > immediately and then delete the original from your computer. > Opinion : Any opinions expressed in this e-mail are entirely those of > the author and unless specifically stated to the contrary, are not > necessarily those of the author's employer. 
From Kevin_Miller at ci.juneau.ak.us Wed Sep 10 19:35:10 2008
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Wed Sep 10 19:35:23 2008 Subject: R: Spamassassin Timeout issue. In-Reply-To: <13425.65.161.188.11.1221068499.squirrel@webmail.osubucks.org> References: <424c10260809100154v4d47738bg16e47138cde6b049@mail.gmail.com><8558A6EA-BFAA-4418-9C22-6A840146B7E1@rtpty.com><424c10260809100705k5b2714c4y4a286c9bc59f4383@mail.gmail.com><000301c91355$d0d6dd60$2501a8c0@dbdomain.database.it><7EF0EE5CB3B263488C8C18823239BEBA04A6739F@HC-MBX02.herefordshire.gov.uk><000001c9135b$76c0ac60$2501a8c0@dbdomain.database.it><47539.65.161.188.11.1221062532.squirrel@webmail.osubucks.org><97ABA591-579D-4F8F-A749-287C4499EE9A@rtpty.com> <13425.65.161.188.11.1221068499.squirrel@webmail.osubucks.org> Message-ID: Chris Sweeney wrote: > I've tried OpenDNS quite a few times and although its good and it is > fast it has never beat going local in my test enough to increase my > traffic going out/in from the internet. Absolutely - whether one resolves via the root servers, or opendns, a local caching server is a must. The question is just to what does it point. A caching server still has to get its data from somewhere. I can't think of any good reason not to be running a caching server though*, since named is included on pretty much any distro and djb may be as well... ...Kevin *well, unless you're using a PII w/64 mb of ram :-) -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From clacroix at cegep-ste-foy.qc.ca Wed Sep 10 19:39:55 2008
From: clacroix at cegep-ste-foy.qc.ca (Charles Lacroix) Date: Wed Sep 10 19:40:19 2008 Subject: R: Spamassassin Timeout issue. In-Reply-To: References: Message-ID: <48C8147B.1050007@cegep-ste-foy.qc.ca> I'm about to add this rule into my custom rules set :)

body IPHONE_BRAGGER /Sent from my iPhone/i
score IPHONE_BRAGGER 150.0

Alex Neuman van der Hans wrote: > Specially since spam *usually* comes in batches from a few discrete > sources at a time. Splitting recipients at the mta level helps even > further through SA caching. > > Sent from my iPhone > > On Sep 10, 2008, at 12:56 PM, "Martin.Hepworth" > wrote: > >> A quick look at the underlying dns protocol will show u why a local >> caching dns server will speed up queries over even a server <1ms >> away, and in practice the results can be dramatic for a system like >> SA/MS that is quite dns hungry. >> >> -- >> martin >> >> -----Original Message----- 
>> From: Chris Sweeney >> Sent: Wednesday, September 10, 2008 6:45 PM >> To: MailScanner discussion >> Subject: RE: R: Spamassassin Timeout issue. >> >>> Personally, I don't think it is a significant difference either way. >>> If, however, you're running an older version of bind or other DNS >>> server >>> that doesn't do random ports, and you don't have the luxury of >>> upgrading >>> in the immediate future, using opendns as a forwarder will add a layer >>> of protection... >>> >> It's going to depend on your network path to OpenDNS also. I personally >> have never found it faster to go off network (OpenDNS) then do lookups >> myself. Especially on a mail server since alot of your SPAM comes in >> batches the lookups to the same domain are going to much significanly >> faster in that respect. >> >> I've tried OpenDNS quite a few times and although its good and it is >> fast >> it has never beat going local in my test enough to increase my traffic >> going out/in from the internet. >> >> >> -- >> This message has been scanned for viruses and >> dangerous content by MailScanner, and is >> believed to be clean. >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> >> ********************************************************************** >> Confidentiality : This e-mail and any attachments are intended for the >> addressee only and may be confidential. If they come to you in error >> you must take no action based on them, nor must you copy or show them >> to anyone. Please advise the sender by replying to this e-mail >> immediately and then delete the original from your computer. 
>> Opinion : Any opinions expressed in this e-mail are entirely those of >> the author and unless specifically stated to the contrary, are not >> necessarily those of the author's employer. >> Security Warning : Internet e-mail is not necessarily a secure >> communications medium and can be subject to data corruption. We advise >> that you consider this fact when e-mailing us. >> Viruses : We have taken steps to ensure that this e-mail and any >> attachments are free from known viruses but in keeping with good >> computing practice, you should ensure that they are virus free. >> >> Red Lion 49 Ltd T/A Solid State Logic >> Registered as a limited company in England and Wales >> (Company No:5362730) >> Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, >> United Kingdom >> ********************************************************************** >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! From alex at rtpty.com Wed Sep 10 20:10:09 2008 
From: alex at rtpty.com (Alex Neuman) Date: Wed Sep 10 20:10:20 2008 Subject: R: Spamassassin Timeout issue. In-Reply-To: <48C8147B.1050007@cegep-ste-foy.qc.ca> References: <48C8147B.1050007@cegep-ste-foy.qc.ca> Message-ID: <24e3d2e40809101210y196c4280m3870133b4383df43@mail.gmail.com> :-) On Wed, Sep 10, 2008 at 1:39 PM, Charles Lacroix < clacroix@cegep-ste-foy.qc.ca> wrote: > > I'm about to add this rule into my custome rules set :) > > > body IPHONE_BRAGGER /Sent from my iPhone/i > score IPHONE_BRAGGER 150.0 > > > > > > > Alex Neuman van der Hans a ?crit : > > Specially since spam *usually* comes in batches from a few discrete >> sources at a time. Splitting recipients at the mta level helps even further >> through SA caching. >> >> Sent from my iPhone >> >> On Sep 10, 2008, at 12:56 PM, "Martin.Hepworth" < >> martinh@solidstatelogic.com> wrote: >> >> A quick look at the underlying dns protocol will show u why a local >>> caching dns server will speed up queries over even a server <1ms away, and >>> in practice the results can be dramatic for a system like SA/MS that is >>> quite dns hungry. >>> >>> -- >>> martin >>> >>> -----Original Message----- 
>>> From: Chris Sweeney >>> Sent: Wednesday, September 10, 2008 6:45 PM >>> To: MailScanner discussion >>> Subject: RE: R: Spamassassin Timeout issue. >>> >>> Personally, I don't think it is a significant difference either way. >>>> If, however, you're running an older version of bind or other DNS server >>>> that doesn't do random ports, and you don't have the luxury of upgrading >>>> in the immediate future, using opendns as a forwarder will add a layer >>>> of protection... >>>> >>>> It's going to depend on your network path to OpenDNS also. I >>> personally >>> have never found it faster to go off network (OpenDNS) then do lookups >>> myself. Especially on a mail server since alot of your SPAM comes in >>> batches the lookups to the same domain are going to much significanly >>> faster in that respect. >>> >>> I've tried OpenDNS quite a few times and although its good and it is fast >>> it has never beat going local in my test enough to increase my traffic >>> going out/in from the internet. >>> >>> >>> -- >>> This message has been scanned for viruses and >>> dangerous content by MailScanner, and is >>> believed to be clean. >>> >>> -- >>> MailScanner mailing list >>> mailscanner@lists.mailscanner.info >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>> >>> Before posting, read http://wiki.mailscanner.info/posting >>> >>> Support MailScanner development - buy the book off the website! >>> >>> ********************************************************************** >>> Confidentiality : This e-mail and any attachments are intended for the >>> addressee only and may be confidential. If they come to you in error >>> you must take no action based on them, nor must you copy or show them >>> to anyone. Please advise the sender by replying to this e-mail >>> immediately and then delete the original from your computer. 
From hvdkooij at vanderkooij.org Wed Sep 10 21:15:27 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Wed Sep 10 21:15:39 2008 Subject: R: Spamassassin Timeout issue. In-Reply-To: <48C8147B.1050007@cegep-ste-foy.qc.ca> References: <48C8147B.1050007@cegep-ste-foy.qc.ca> Message-ID: <48C82ADF.80207@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Charles Lacroix wrote: > > I'm about to add this rule into my custome rules set :) > > > body IPHONE_BRAGGER /Sent from my iPhone/i > score IPHONE_BRAGGER 150.0 You wouldn't happen to have some rules to add bad karma points to long disclaimers? (Like the one you just forwarded in full. ;-) The best disclaimers are the oneliners pointing to a webpage. If you care you can read it and if you don't care you can't be annoyed by 20 lines of pointless disclaimer. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFIyCreBvzDRVjxmYERAtD8AJ0adK6JmshlfzafYwWvTsrVGcsFFACfYdJE Y7UPZ5vTLAL+3ZpG66bgYds= =spiw -----END PGP SIGNATURE----- From hvdkooij at vanderkooij.org Wed Sep 10 21:29:06 2008 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Wed Sep 10 21:29:14 2008
Subject: OT: awstats on yum repository
In-Reply-To:
References: <48C6E93D.6030906@vanderkooij.org>
Message-ID: <48C82E12.7070806@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Scott Silva wrote:
> on 9-9-2008 2:23 PM Hugo van der Kooij spake the following:
>> Hi,
>>
>> I added some statistics specifically to track MailScanner downloads. For
>> that I added the following lines to my awstats config:
>>
> Just for fun I took a look and I get a 403 error.

Well the score so far:

MailScanner downloads by architecture
Architecture  Pages  Bandwidth  Last visit
i386          14     10.60 MB   10 Sep 2008 - 14:48
x86_64        6      4.54 MB    10 Sep 2008 - 00:45
Total         20     15.14 MB

MailScanner wrapper downloads by architecture
Architecture  Pages  Bandwidth  Last visit
i386          13     41.46 KB   10 Sep 2008 - 19:11
x86_64        2      6.31 KB    04 Sep 2008 - 02:13
spec          1      1.70 KB    10 Sep 2008 - 11:51
srpms         1      3.04 KB    07 Sep 2008 - 08:49
Total         17     52.51 KB

MailScanner downloads by version
Version  Pages  Bandwidth  Last visit
4.71.10  17     12.94 MB   10 Sep 2008 - 14:48
4.70.7   3      2.19 MB    01 Sep 2008 - 20:36
Total    20     15.14 MB

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFIyC4PBvzDRVjxmYERAs3hAJ9rdsSxW8aPGyviZOFE0BMNHeLbswCfU1r/
VPo52GG3ovFBpFyAeq9xzNg=
=LxWp
-----END PGP SIGNATURE-----

From alex at rtpty.com Wed Sep 10 21:34:31 2008
From: alex at rtpty.com (Alex Neuman) Date: Wed Sep 10 21:34:41 2008 Subject: R: Spamassassin Timeout issue. In-Reply-To: <48C82ADF.80207@vanderkooij.org> References: <48C8147B.1050007@cegep-ste-foy.qc.ca> <48C82ADF.80207@vanderkooij.org> Message-ID: <24e3d2e40809101334r37ad33f4vde30087eea59cfb7@mail.gmail.com> For me the best disclaimers are none at all ... :D On Wed, Sep 10, 2008 at 3:15 PM, Hugo van der Kooij < hvdkooij@vanderkooij.org> wrote: > > The best disclaimers are the oneliners pointing to a webpage. If you > care you can read it and if you don't care you can't be annoyed by 20 > lines of pointless disclaimer. > > From glenn.steen at gmail.com Wed Sep 10 22:16:19 2008
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Sep 10 22:16:28 2008 Subject: Looking for a test mail generator (unthreaded) In-Reply-To: <20080909145632.GE23322@cgi.jachomes.com> References: <20080908155906.GA17894@cgi.jachomes.com> <48C57CBB.3000508@vanderkooij.org> <20080909141110.GB23322@cgi.jachomes.com> <20080909145632.GE23322@cgi.jachomes.com> Message-ID: <223f97700809101416v3fab61a8oe656627acd841bfe@mail.gmail.com> 2008/9/9 Jay R. Ashworth : > On Tue, Sep 09, 2008 at 10:39:56AM -0400, Stephen Swaney wrote: >> Simply setup another mail hub with test accounts. A simple sendmail server >> delivering to local users would work just fine. >> >> The use Roundhouse to duplicate the feed. The feed goes first to your real >> mail hub for delivery as normal. >> >> Send the duplicate feed to the test server which should be configured to 1) >> send test messages to the test mail hub and 2) dev-null the rest. >> >> Seems this would be simple to set up and meet your requirements. > > But it doesn't, and please allow me to recap why, Juan Moore-Thyme :-) > > My problem is that I want a repeatable, predictable test, where *I do not > have to spend hours figuring out what the EXPECTED results are*. If I > use the real mail feed, that's what I'll have to do -- or at least, I'll > have to analyse whether the two mail servers are reacting the same *way* > to that mail feed, and if not, whether the new reaction is better or > worse. > > If I can generate 50 messages that are, roughly, all the same every time > (modulo a "batch number" in the message-ID maybe) *and that I know what > the expected results are*, then all I have to do is look in the expected > target places, and check messages off a check list. > > "All the messages from 00-09 should be in my mailbox. > All the message from 10-19 should be in the postmaster mailbox. > All the messages from 20-29 should be in the spam logs. > All the messages from 30-39 should be in the AV logs. 
> All the message from 40-49 should be in the mailer logs as having tried > to generate *valid* no-backscatter bounces." > > And that way I don't have to analyse because I did that before I > generated the 50 message bodies. > > IMO, this approach is critical to finding out what you actually need to > know, without tearing your hair out. I'm just not a good enough coder to > do it from scratch. > > I see I may have to add "yet" to that. :-) > > How are the python email libraries these days? > > Cheers, > -- jra Handcraft the messages (or some simple scripting) and use a very basic shell-script around telnet.... Should be simple enough, and save you time, in the end. You will need to handcraft them to be able to have the "finetuned" control you like anyway....;-) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From alex at rtpty.com Wed Sep 10 22:24:23 2008
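[Added example, not part of any message in this thread.] The repeatable batch Jay describes above (50 messages in five classes of ten, a batch number in the Message-ID, the expected destination known before anything is sent) can be generated with Python's standard email library along these lines. The domain mailtest.example, the addresses, the subject tag and the attachment name are assumptions; the AV-class payload is a placeholder for whatever test file your scanner vendor documents.

```python
"""Repeatable 50-message test batch with a known expected outcome per message.

Added example. The domain, addresses, subject tag and attachment name are
assumptions made for illustration; adjust them to the system under test.
"""
import smtplib
from email.message import EmailMessage
from email.utils import formatdate

DOMAIN = "mailtest.example"      # assumed test domain (reserved TLD)
SENDER = f"generator@{DOMAIN}"   # assumed sender; must be real if bounces are tested
BASE_EPOCH = 1221004800          # constructed fixed Date base so reruns are identical
# GTUBE, the standard SpamAssassin test string.
GTUBE = "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X"

# One entry per block of ten message numbers: (class, where it must show up).
PLAN = [
    ("clean", "user mailbox"),
    ("postmaster", "postmaster mailbox"),
    ("spam", "spam logs"),
    ("virus", "AV logs"),
    ("bounce", "mailer logs, valid no-backscatter bounce"),
]


def classify(n):
    """Return (class, expected destination) for message number 0..49."""
    if not 0 <= n < 10 * len(PLAN):
        raise ValueError(f"message number out of range: {n}")
    return PLAN[n // 10]


def build_message(batch, n, av_payload):
    """Build message n of the given batch; same inputs give identical bytes."""
    kind, _ = classify(n)
    rcpt = {
        "postmaster": f"postmaster@{DOMAIN}",
        "bounce": f"no-such-user-{n:02d}@{DOMAIN}",  # must not exist on the server
    }.get(kind, f"tester@{DOMAIN}")
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = rcpt
    msg["Subject"] = f"[mstest b{batch:04d} m{n:02d}] {kind}"
    msg["Date"] = formatdate(BASE_EPOCH + n, usegmt=True)
    msg["Message-ID"] = f"<b{batch:04d}.m{n:02d}@{DOMAIN}>"
    body = f"Test message {n:02d} of batch {batch:04d}, class {kind}.\n"
    if kind == "spam":
        body += GTUBE + "\n"
    msg.set_content(body)
    if kind == "virus":
        msg.add_attachment(av_payload, maintype="application",
                           subtype="octet-stream", filename="avtest.bin")
        # Pin the MIME boundary; otherwise it is random on every run.
        msg.set_boundary(f"mstest-b{batch:04d}-m{n:02d}")
    return msg


def build_batch(batch, av_payload):
    """All 50 messages of one batch, in message-number order."""
    return [build_message(batch, n, av_payload) for n in range(10 * len(PLAN))]


def checklist(batch):
    """The check-off list: one line per block of ten messages."""
    return [f"b{batch:04d} m{i * 10:02d}-m{i * 10 + 9:02d} {kind} -> {where}"
            for i, (kind, where) in enumerate(PLAN)]


def send_batch(msgs, host, port=25):
    """Submit the batch over SMTP and record the outcome per Message-ID.

    A rejection at RCPT time for the "bounce" class surfaces here as an
    SMTPRecipientsRefused exception, which is recorded, not fatal.
    """
    results = {}
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        for m in msgs:
            try:
                results[m["Message-ID"]] = smtp.send_message(m)
            except smtplib.SMTPException as exc:
                results[m["Message-ID"]] = repr(exc)
    return results


if __name__ == "__main__":
    # Placeholder payload: substitute your AV vendor's documented test file.
    batch = build_batch(1, b"REPLACE-WITH-AV-TEST-FILE")
    print("\n".join(checklist(1)))
    print(len(batch), "messages built; call send_batch(batch, host) to deliver")
```

After a run, grep the mailboxes and logs for the batch tag (b0001 here) and tick each block of ten off against the printed checklist.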
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Wed Sep 10 22:24:39 2008 Subject: Looking for a test mail generator (unthreaded) In-Reply-To: <223f97700809101416v3fab61a8oe656627acd841bfe@mail.gmail.com> References: <20080908155906.GA17894@cgi.jachomes.com> <48C57CBB.3000508@vanderkooij.org> <20080909141110.GB23322@cgi.jachomes.com> <20080909145632.GE23322@cgi.jachomes.com> <223f97700809101416v3fab61a8oe656627acd841bfe@mail.gmail.com> Message-ID: Telnet and/or netcat.. Sent from my (somewhat chastised) iPhone On Sep 10, 2008, at 4:16 PM, "Glenn Steen" wrote: > 2008/9/9 Jay R. Ashworth : >> On Tue, Sep 09, 2008 at 10:39:56AM -0400, Stephen Swaney wrote: >>> Simply setup another mail hub with test accounts. A simple >>> sendmail server >>> delivering to local users would work just fine. >>> >>> The use Roundhouse to duplicate the feed. The feed goes first to >>> your real >>> mail hub for delivery as normal. >>> >>> Send the duplicate feed to the test server which should be >>> configured to 1) >>> send test messages to the test mail hub and 2) dev-null the rest. >>> >>> Seems this would be simple to set up and meet your requirements. >> >> But it doesn't, and please allow me to recap why, Juan Moore- >> Thyme :-) >> >> My problem is that I want a repeatable, predictable test, where *I >> do not >> have to spend hours figuring out what the EXPECTED results are*. >> If I >> use the real mail feed, that's what I'll have to do -- or at least, >> I'll >> have to analyse whether the two mail servers are reacting the same >> *way* >> to that mail feed, and if not, whether the new reaction is better or >> worse. >> >> If I can generate 50 messages that are, roughly, all the same every >> time >> (modulo a "batch number" in the message-ID maybe) *and that I know >> what >> the expected results are*, then all I have to do is look in the >> expected >> target places, and check messages off a check list. >> >> "All the messages from 00-09 should be in my mailbox. 
>> All the message from 10-19 should be in the postmaster mailbox. >> All the messages from 20-29 should be in the spam logs. >> All the messages from 30-39 should be in the AV logs. >> All the message from 40-49 should be in the mailer logs as having >> tried >> to generate *valid* no-backscatter bounces." >> >> And that way I don't have to analyse because I did that before I >> generated the 50 message bodies. >> >> IMO, this approach is critical to finding out what you actually >> need to >> know, without tearing your hair out. I'm just not a good enough >> coder to >> do it from scratch. >> >> I see I may have to add "yet" to that. :-) >> >> How are the python email libraries these days? >> >> Cheers, >> -- jra > Handcraft the messags (or some simple scripting) and use a very basic > shell-script around telnet.... Should be simple enough, and save you > time, in the end. You will need handcraft them to be able to have the > "finetuned" control you like anyway....;-) > > Cheers > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From ssilva at sgvwater.com Wed Sep 10 22:33:41 2008 
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Sep 10 22:34:07 2008
Subject: OT: awstats on yum repository
In-Reply-To: <48C82E12.7070806@vanderkooij.org>
References: <48C6E93D.6030906@vanderkooij.org> <48C82E12.7070806@vanderkooij.org>
Message-ID:

on 9-10-2008 1:29 PM Hugo van der Kooij spake the following:
> Scott Silva wrote:
>> on 9-9-2008 2:23 PM Hugo van der Kooij spake the following:
>>> Hi,
>>>
>>> I added some statistics specifically to track MailScanner downloads. For
>>> that I added the following lines to my awstats config:
>>>
>> Just for fun I took a look and I get a 403 error.
>
> Well the score so far:
>
> MailScanner downloads by architecture
> Architecture  Pages  Bandwidth  Last visit
> i386          14     10.60 MB   10 Sep 2008 - 14:48
> x86_64        6      4.54 MB    10 Sep 2008 - 00:45
2 of these are me! ;-P
> Total         20     15.14 MB
>
>
> MailScanner wrapper downloads by architecture
> Architecture  Pages  Bandwidth  Last visit
> i386          13     41.46 KB   10 Sep 2008 - 19:11
> x86_64        2      6.31 KB    04 Sep 2008 - 02:13
> spec          1      1.70 KB    10 Sep 2008 - 11:51
> srpms         1      3.04 KB    07 Sep 2008 - 08:49
> Total         17     52.51 KB
I don't have the mailscanner-wrapper on my system, but it still updated the old rpm. Everything works so I don't see any problem
>
>
> MailScanner downloads by version
> Version  Pages  Bandwidth  Last visit
> 4.71.10  17     12.94 MB   10 Sep 2008 - 14:48
> 4.70.7   3      2.19 MB    01 Sep 2008 - 20:36
> Total    20     15.14 MB
>
>
>
>

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From andrew at gdcon.net Wed Sep 10 22:48:44 2008
From: andrew at gdcon.net (Andrew MacLachlan) Date: Wed Sep 10 22:48:56 2008 Subject: R: Spamassassin Timeout issue. In-Reply-To: <24e3d2e40809101334r37ad33f4vde30087eea59cfb7@mail.gmail.com> References: <48C8147B.1050007@cegep-ste-foy.qc.ca> <48C82ADF.80207@vanderkooij.org> <24e3d2e40809101334r37ad33f4vde30087eea59cfb7@mail.gmail.com> Message-ID: <48C840BC.5070105@gdcon.net> Alex Neuman wrote: > For me the best disclaimers are none at all ... :D > Unfortunately not all legal bods agree... (Thanks for getting rid of the fanboy tagline) -- This message was scanned by ESVA and is believed to be clean. From ssilva at sgvwater.com Wed Sep 10 22:52:42 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Wed Sep 10 22:53:08 2008 Subject: R: Spamassassin Timeout issue. In-Reply-To: <48C8147B.1050007@cegep-ste-foy.qc.ca> References: <48C8147B.1050007@cegep-ste-foy.qc.ca> Message-ID: on 9-10-2008 11:39 AM Charles Lacroix spake the following: > > I'm about to add this rule into my custome rules set :) > > > body IPHONE_BRAGGER /Sent from my iPhone/i > score IPHONE_BRAGGER 150.0 > If it is like my blackberry, it might be hard to turn off. I haven't found where to turn off the Blackberry brag, although everyone and their brother has one I guess it isn't really a brag. Mine is more like a leash and a choke chain! ;-P -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From drew.marshall at technologytiger.net Wed Sep 10 23:04:42 2008
From: drew.marshall at technologytiger.net (Drew Marshall)
Date: Wed Sep 10 23:04:59 2008
Subject: R: Spamassassin Timeout issue.
In-Reply-To: <48C840BC.5070105@gdcon.net>
References: <48C8147B.1050007@cegep-ste-foy.qc.ca> <48C82ADF.80207@vanderkooij.org> <24e3d2e40809101334r37ad33f4vde30087eea59cfb7@mail.gmail.com> <48C840BC.5070105@gdcon.net>
Message-ID: <91594189-3C35-45F1-89D6-131094427BA6@technologytiger.net>

>> For me the best disclaimers are none at all ... :D
>>
> Unfortunately not all legal bods agree...

Quite. It's a legal requirement in the UK (Not 20 lines admittedly but I
think it's fair to say that most companies take the view that in for a
penny in for the whole pound (GBP!)).

Any way back to the subject in question, that iphone.... no sorry, the
time outs :-)

The other thing to do is to grab a sample of messages and run them
through SpamAssassin manually and see which part of the scan is slow and
look at improving that area. So if it goes slowly through the DNS tests
make improvements to your DNS, if it's rules look at sa-compile, if it's
Pyzor make sure you are querying the right server, is your bayes
database corrupt etc etc. The biggest problem (And also the largest
advantage) of SA is that it uses so many different tests in so many
different ways so no one solution fits all. Sure the answers given so
far are not wrong and are the usual suspects but it may not be the case
for every problem.

Drew

--
In line with our policy, this message has been scanned for viruses and
dangerous content by Technology Tiger's Mail Launder system
Our email policy can be found at www.technologytiger.net/policy

Technology Tiger Limited is registered in Scotland with registration number: 310997
Registered Office 55-57 West High Street Inverurie AB51 3QQ

From ssilva at sgvwater.com Wed Sep 10 23:10:05 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Sep 10 23:10:22 2008
Subject: R: Spamassassin Timeout issue.
In-Reply-To: <91594189-3C35-45F1-89D6-131094427BA6@technologytiger.net>
References: <48C8147B.1050007@cegep-ste-foy.qc.ca> <48C82ADF.80207@vanderkooij.org> <24e3d2e40809101334r37ad33f4vde30087eea59cfb7@mail.gmail.com> <48C840BC.5070105@gdcon.net> <91594189-3C35-45F1-89D6-131094427BA6@technologytiger.net>
Message-ID:

on 9-10-2008 3:04 PM Drew Marshall spake the following:
>>> For me the best disclaimers are none at all ... :D
>>>
>> Unfortunately not all legal bods agree...
>
> Quite. It's a legal requirement in the UK (Not 20 lines admittedly but I
> think it's fair to say that most companies take the view that in for a
> penny in for the whole pound (GBP!)).
>
> Any way back to the subject in question, that iphone.... no sorry, the
> time outs :-)
>
> The other thing to do is to grab a sample of messages and run them
> through SpamAssassin manually and see which part of the scan is slow and
> look at improving that area. So if it goes slowly through the DNS tests
> make improvements to your DNS, if it's rules look at sa-compile, if it's
> Pyzor make sure you are querying the right server, is your bayes
> database corrupt etc etc. The biggest problem (And also the largest
> advantage) of SA is that it uses so many different tests in so many
> different ways so no one solution fits all. Sure the answers given so
> far are not wrong and are the usual suspects but it may not be the case
> for every problem.
>
I think you can also get some timeouts if you are hitting the spamhaus
blacklisting for too many queries. I do believe they are on by default in
spamassassin. I know you can get hit if spamhaus is in your MTA, but I assume
the same could happen to spamassassin.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From andrew at gdcon.net Wed Sep 10 23:12:13 2008
From: andrew at gdcon.net (Andrew MacLachlan)
Date: Wed Sep 10 23:12:23 2008
Subject: OT: (was Re: R: Spamassassin Timeout issue.)
In-Reply-To:
References: <48C8147B.1050007@cegep-ste-foy.qc.ca>
Message-ID: <48C8463D.3040807@gdcon.net>

Scott Silva wrote:
> If it is like my blackberry, it might be hard to turn off.
> I haven't found where to turn off the Blackberry brag, although
> everyone and their brother has one I guess it isn't really a brag.
> Mine is more like a leash and a choke chain! ;-P
>
AKA nagging second wife.

Either way it's pretty annoying whatever device does it - I really
couldn't care less what device people use to send their message from as
long as it doesn't tell me its pedigree every time I get a message from
it. Having said that, I'd be pretty interested if someone sent a message
to the list from a Difference Engine...

-Andy

--
This message was scanned by ESVA and is believed to be clean.

From alex at rtpty.com Wed Sep 10 23:17:38 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Wed Sep 10 23:17:53 2008
Subject: R: Spamassassin Timeout issue.
In-Reply-To:
References: <48C8147B.1050007@cegep-ste-foy.qc.ca>
Message-ID:

You can turn it off in your crackberry in the configuration webpage. On
the JesusPhone it's under settings, mail, signature.

---

Alex Neuman
Reliant Technologies
+507 6781-9505
Skype: alexneuman

On Sep 10, 2008, at 4:52 PM, Scott Silva wrote:

> on 9-10-2008 11:39 AM Charles Lacroix spake the following:
>> I'm about to add this rule into my custom rules set :)
>> body IPHONE_BRAGGER /Sent from my iPhone/i
>> score IPHONE_BRAGGER 150.0
> If it is like my blackberry, it might be hard to turn off.
> I haven't found where to turn off the Blackberry brag, although
> everyone and their brother has one I guess it isn't really a brag.
> Mine is more like a leash and a choke chain! ;-P
>
> --
> MailScanner is like deodorant...
> You hope everybody uses it, and
> you notice quickly if they don't!!!!
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From andrew at gdcon.net Wed Sep 10 23:26:10 2008
From: andrew at gdcon.net (Andrew MacLachlan)
Date: Wed Sep 10 23:26:29 2008
Subject: R: Spamassassin Timeout issue.
In-Reply-To:
References: <48C8147B.1050007@cegep-ste-foy.qc.ca> <48C82ADF.80207@vanderkooij.org> <24e3d2e40809101334r37ad33f4vde30087eea59cfb7@mail.gmail.com> <48C840BC.5070105@gdcon.net> <91594189-3C35-45F1-89D6-131094427BA6@technologytiger.net>
Message-ID: <48C84982.20507@gdcon.net>

Scott Silva wrote:
> I think you can also get some timeouts if you are hitting the spamhaus
> blacklisting for too many queries. I do believe they are on by default
> in spamassassin. I know you can get hit if spamhaus is in your MTA,
> but I assume the same could happen to spamassassin.
>
There's the thing - having read the Spamhaus Usage page
(http://www.spamhaus.org/organization/dnsblusage.html) it's immediately
obvious that it's not a good idea to enable it by default in SA (even
though I like the service):

"Use of the Spamhaus DNSBLs via DNS queries to our public DNSBL servers
is free of charge if you meet /all three/ of the following criteria:

   1. Your use of the Spamhaus DNSBLs is non-commercial*, /and/
   2. Your email traffic is less than 100,000 SMTP connections per day, /and/
   3. Your DNSBL query volume is less than 300,000 queries per day.

If you do not fit /all three/ of these criteria then please do not use
our public DNSBL servers"

*Definition: "non-commercial use" is use for any purpose other than as
part or all of a product or service that is resold, or for use of which
a fee is charged. For example, using our DNSBLs in a commercial spam
filtering appliance that is then sold to others requires a data feed,
regardless of use volume. The same is true of commercial spam filtering
software and commercial spam filtering services. A company that uses our
DNSBLs solely to filter their own email qualifies as a non-commercial
user and may use our free public DNSBLs if that company's email volume
and DNSBL query volume is below the free use limits. The same is true
for any non-profit organization, school, religious organization, or
private individual who operates their own mail server."

-Andy

--
This message was scanned by ESVA and is believed to be clean.

From allan at zandahar.net Wed Sep 10 23:59:30 2008
From: allan at zandahar.net (Allan Spencer)
Date: Wed Sep 10 23:59:59 2008
Subject: Training MS/SA & Mailwatch
In-Reply-To:
References:
Message-ID: <48C85152.5060401@zandahar.net>

Well I figured I'd have to get MS doing what it needed to first before I
could start with MW but I would hazard a guess and say you've pointed me
in exactly the direction I needed and need to store messages.

Off host learning is not a major issue we don't have enough mail volume
and users to be concerned with it but even so the more load I can take
off myself processing messages the better I guess

Cheers
Allan

Martin.Hepworth wrote:
> Allan
>
> This more of a MW question, so best to ask on that list.
>
> But a pointer is that you need 'store' all messages as an action for
> spam and non spam, so MW can have access to the message in order to
> learn them.
>
> As for off-host learning, best option is an Imap folder for spam and
> ham, then use one of many perl scripts floating about the SA site to
> pull them into your local bayes db.
>
> Have a look in the MS wiki also for a section on getting the most out
> of spamassassin.
>

From ssilva at sgvwater.com Thu Sep 11 00:03:10 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Sep 11 00:03:37 2008
Subject: R: Spamassassin Timeout issue.
In-Reply-To: <48C84982.20507@gdcon.net>
References: <48C8147B.1050007@cegep-ste-foy.qc.ca> <48C82ADF.80207@vanderkooij.org> <24e3d2e40809101334r37ad33f4vde30087eea59cfb7@mail.gmail.com> <48C840BC.5070105@gdcon.net> <91594189-3C35-45F1-89D6-131094427BA6@technologytiger.net> <48C84982.20507@gdcon.net>
Message-ID:

on 9-10-2008 3:26 PM Andrew MacLachlan spake the following:
> Scott Silva wrote:
>> I think you can also get some timeouts if you are hitting the spamhaus
>> blacklisting for too many queries. I do believe they are on by default
>> in spamassassin. I know you can get hit if spamhaus is in your MTA,
>> but I assume the same could happen to spamassassin.
>>
> There's the thing - having read the Spamhaus Usage page
> (http://www.spamhaus.org/organization/dnsblusage.html) it's immediately
> obvious that it's not a good idea to enable it by default in SA (even
> though I like the service):
>
Don't completely trust their docs. I have been blacklisted, and couldn't have
hit that criteria on my system. But it is their service, and they can regulate
it how they see fit. I can't justify paying for it to stop what messages are
left after the other blacklists I use are done.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com Thu Sep 11 00:05:32 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Sep 11 00:10:15 2008
Subject: OT: (was Re: R: Spamassassin Timeout issue.)
In-Reply-To: <48C8463D.3040807@gdcon.net>
References: <48C8147B.1050007@cegep-ste-foy.qc.ca> <48C8463D.3040807@gdcon.net>
Message-ID:

on 9-10-2008 3:12 PM Andrew MacLachlan spake the following:
> Scott Silva wrote:
>> If it is like my blackberry, it might be hard to turn off.
>> I haven't found where to turn off the Blackberry brag, although
>> everyone and their brother has one I guess it isn't really a brag.
>> Mine is more like a leash and a choke chain! ;-P
>>
> AKA nagging second wife.
>
> Either way it's pretty annoying whatever device does it - I really
> couldn't care less what device people use to send their message from as
> long as it doesn't tell me its pedigree every time I get a message from
> it. Having said that, I'd be pretty interested if someone sent a message
> to the list from a Difference Engine...
>
> -Andy
>
> --
> This message was scanned by ESVA and is believed to be clean.
>
Usually most of us also use a ruleset to not sign clean messages that go to
the list. ;-D

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From andrew at gdcon.net Thu Sep 11 00:24:41 2008
From: andrew at gdcon.net (Andrew MacLachlan)
Date: Thu Sep 11 00:24:57 2008
Subject: OT: (was Re: R: Spamassassin Timeout issue.)
In-Reply-To:
References: <48C8147B.1050007@cegep-ste-foy.qc.ca> <48C8463D.3040807@gdcon.net>
Message-ID: <48C85739.3080808@gdcon.net>

Scott Silva wrote:
> Usually most of us also use a ruleset to not sign clean messages that
> go to the list. ;-D
>

Touche. I'll review my dishonorable conduct and immediately amend my
rules...

-Andy

--
This message was scanned by ESVA and is believed to be clean.

From ssilva at sgvwater.com Thu Sep 11 00:30:09 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Sep 11 00:30:27 2008
Subject: OT: (was Re: R: Spamassassin Timeout issue.)
In-Reply-To: <48C85739.3080808@gdcon.net>
References: <48C8147B.1050007@cegep-ste-foy.qc.ca> <48C8463D.3040807@gdcon.net> <48C85739.3080808@gdcon.net>
Message-ID:

on 9-10-2008 4:24 PM Andrew MacLachlan spake the following:
> Scott Silva wrote:
>> Usually most of us also use a ruleset to not sign clean messages that
>> go to the list. ;-D
>>
>
> Touche. I'll review my dishonorable conduct and immediately amend my
> rules...
>
> -Andy
>
Said with love and a smile! ;-)

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From andrew at gdcon.net Thu Sep 11 00:36:39 2008
From: andrew at gdcon.net (Andrew MacLachlan)
Date: Thu Sep 11 00:36:52 2008
Subject: OT: (was Re: R: Spamassassin Timeout issue.)
In-Reply-To:
References: <48C8147B.1050007@cegep-ste-foy.qc.ca> <48C8463D.3040807@gdcon.net> <48C85739.3080808@gdcon.net>
Message-ID: <48C85A07.20209@gdcon.net>

Scott Silva wrote:
> on 9-10-2008 4:24 PM Andrew MacLachlan spake the following:
>> Scott Silva wrote:
>>> Usually most of us also use a ruleset to not sign clean messages
>>> that go to the list. ;-D
>>>
>>
>> Touche. I'll review my dishonorable conduct and immediately amend my
>> rules...
>>
>> -Andy
>>
> Said with love and a smile! ;-)
>
Just be careful how you smile... I'm not easy you know :-)

From chris at cjbuckley.net Thu Sep 11 01:49:05 2008
From: chris at cjbuckley.net (Christopher J. Buckley)
Date: Thu Sep 11 01:49:28 2008
Subject: R: Spamassassin Timeout issue.
In-Reply-To: <48C8147B.1050007@cegep-ste-foy.qc.ca>
References: <48C8147B.1050007@cegep-ste-foy.qc.ca>
Message-ID: <48C86B01.9040404@cjbuckley.net>

Charles Lacroix wrote:
> I'm about to add this rule into my custom rules set :)

Indeed - it's nearly as bad as:

i. top posting.
ii. Not having the decency to SNIP appropriately in your reply.

--
Kind Regards,  ::  http://www.cjbuckley.net/
Chris Buckley  ::  http://photos.cjbuckley.net/

From ram at netcore.co.in Thu Sep 11 07:00:50 2008
From: ram at netcore.co.in (ram)
Date: Thu Sep 11 07:01:14 2008
Subject: Spamassassin Timeout issue.
In-Reply-To: <424c10260809100154v4d47738bg16e47138cde6b049@mail.gmail.com>
References: <424c10260809100154v4d47738bg16e47138cde6b049@mail.gmail.com>
Message-ID: <1221112850.21720.41.camel@darkstar.netcore.co.in>

On Wed, 2008-09-10 at 14:24 +0530, Swati Meghanand wrote:
> Hi,
>
> I'm using mailscanner on a busy mail gateways from several months,
> which was working fine so far. From last few days I noticed increased no
> of spam mails as well log Filtering queues (of course slow processing
> of mailscanner). In log file of mailscanner I found following lines,
>
> Sep 10 04:47:29 localhost MailScanner[11027]: Virus and Content Scanning: Starting
> Sep 10 04:47:37 localhost MailScanner[8400]: SpamAssassin timed out and was killed, failure 8 of 20
> Sep 10 04:47:37 localhost MailScanner[8680]: SpamAssassin timed out and was killed, failure 14 of 20
> Sep 10 04:47:38 localhost MailScanner[8680]: Message 1KdL6x-0005q5-L3 from xx.xx.xx.xx (xxx@xxx.x) to xxx.xx is not spam, SpamAssassin (not cached, timed out)
> Sep 10 04:47:38 localhost MailScanner[8400]: Message 1KdLDG-0006se-Ox from xx.xx.xx.xx (xxx@xx.xxx) to xxx.xx is not spam, SpamAssassin (not cached, timed out)
>
> it clearly indicates mailscanner is not (able to) scanning messages.

Hi Swati,

MailScanner Spamassassin timing out can be due to multiple reasons;
most likely this is a DNS issue like others have said.
It could also be a huge BAYES file or a blocked RAZOR port etc.

Just check if your SA is still querying all the dead DNS lists
(securitysage, ORDB, OPM BLITZED, DOB etc.)

I would suggest take any mail and run

    spamassassin -D -t < /path/mail

(test with a mail with multiple urls and one that has passed through
different mail hops)

That test would most probably give you enough results to find what is
taking time.

From hvdkooij at vanderkooij.org Thu Sep 11 07:01:37 2008
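Added example (not part of ram's message or of MailScanner): a Python script for the log side of the triage discussed above, which reads maillog lines in the format Swati quoted, tracks the "failure N of M" counter per MailScanner child, and lists the messages that were passed as "not spam" only because SpamAssassin timed out. The function name `triage`, the `warn_ratio` threshold and the sample lines (documentation IP addresses, made-up message IDs) are assumptions constructed for the example.

```python
import re

# Constructed sample in the format of the maillog excerpt quoted in the thread.
# Addresses, PIDs and message IDs are made up for the example.
SAMPLE_LOG = """\
Sep 10 04:47:29 localhost MailScanner[11027]: Virus and Content Scanning: Starting
Sep 10 04:47:37 localhost MailScanner[8400]: SpamAssassin timed out and was killed, failure 8 of 20
Sep 10 04:47:37 localhost MailScanner[8680]: SpamAssassin timed out and was killed, failure 14 of 20
Sep 10 04:47:38 localhost MailScanner[8680]: Message 1KdL6x-0005q5-L3 from 192.0.2.10 (a@example.org) to example.com is not spam, SpamAssassin (not cached, timed out)
Sep 10 04:47:38 localhost MailScanner[8400]: Message 1KdLDG-0006se-Ox from 192.0.2.11 (b@example.org) to example.com is not spam, SpamAssassin (not cached, timed out)
Sep 10 04:47:52 localhost MailScanner[8680]: SpamAssassin timed out and was killed, failure 15 of 20
Sep 10 04:47:53 localhost MailScanner[8680]: Message 1KdLEa-0006tB-2q from 192.0.2.12 (c@example.org) to example.com is not spam, SpamAssassin (not cached, timed out)
Sep 10 04:48:01 localhost MailScanner[9120]: Message 1KdLFz-0006uK-9d from 192.0.2.13 (d@example.org) to example.com is spam, SpamAssassin (not cached, score=7.3, required 5)
"""

# Syslog prefix: timestamp, host, "MailScanner[pid]:", then the message text.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\sMailScanner\[(?P<pid>\d+)\]:\s(?P<msg>.*)$"
)
TIMEOUT = re.compile(r"SpamAssassin timed out and was killed, failure (\d+) of (\d+)")
# A "not spam" verdict; the parenthesised part tells us whether it was a timeout.
VERDICT = re.compile(r"Message (\S+) from (\S+) .*is not spam, SpamAssassin \(([^)]*)\)")


def triage(lines, warn_ratio=0.5):
    """Summarise SpamAssassin timeouts found in MailScanner syslog lines.

    Returns a dict with:
      children - per PID: highest "failure N of M" counter seen and when
      unscored - (timestamp, message id, client IP) for every message that
                 was passed as not spam with a timed-out SpamAssassin
      at_risk  - PIDs whose counter reached warn_ratio of the logged limit
    """
    children = {}
    unscored = []
    for raw in lines:
        m = LINE.match(raw.rstrip("\n"))
        if not m:
            continue  # not a MailScanner line
        ts, pid, msg = m.group("ts", "pid", "msg")

        t = TIMEOUT.search(msg)
        if t:
            n, limit = int(t.group(1)), int(t.group(2))
            entry = children.setdefault(pid, {"failures": 0, "limit": limit, "last": ts})
            if n >= entry["failures"]:  # keep the highest counter seen
                entry.update(failures=n, limit=limit, last=ts)
            continue

        v = VERDICT.search(msg)
        if v and "timed out" in v.group(3):
            unscored.append((ts, v.group(1), v.group(2)))

    at_risk = sorted(
        pid for pid, e in children.items()
        if e["limit"] and e["failures"] / e["limit"] >= warn_ratio
    )
    return {"children": children, "unscored": unscored, "at_risk": at_risk}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG.splitlines())
    for pid, e in sorted(report["children"].items()):
        flag = "  <-- check" if pid in report["at_risk"] else ""
        print(f"child {pid}: failure {e['failures']} of {e['limit']} (last {e['last']}){flag}")
    print(f"{len(report['unscored'])} message(s) delivered without a SpamAssassin score:")
    for ts, msgid, ip in report["unscored"]:
        print(f"  {ts}  {msgid}  from {ip}")
```

The message IDs it lists are good candidates to feed to `spamassassin -D -t`, since they are the ones that actually hit the slow path.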
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Thu Sep 11 07:01:47 2008
Subject: OT: awstats on yum repository
In-Reply-To:
References: <48C6E93D.6030906@vanderkooij.org> <48C82E12.7070806@vanderkooij.org>
Message-ID: <48C8B441.3040202@vanderkooij.org>

Scott Silva wrote:

> I don't have the mailscanner-wrapper on my system, but it still updated
> the old rpm. Everything works so I don't see any problem

The wrapper is there as a convenience. Not all dependencies of the
MailScanner packages are done automatically. So every dependency I noted
that was not taken care of in the MailScanner package has been added to
the wrapper.

If you have no need for the wrapper, that's fine by me.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

From glenn.steen at gmail.com Thu Sep 11 11:17:50 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Sep 11 11:18:00 2008
Subject: check PTR with MS
In-Reply-To: <779829.58049.qm@web38904.mail.mud.yahoo.com>
References: <20080909145632.GE23322@cgi.jachomes.com> <779829.58049.qm@web38904.mail.mud.yahoo.com>
Message-ID: <223f97700809110317n23839f42pb6a2ba9267057f25@mail.gmail.com>

2008/9/9 Octavio :
> Hi
> I wonder to know if is possible check:
>
> if the IP has a name
> if the name exist
>
> similar like reject_unknown_client_hostname in postfix but using score
>
> the problem is that if I use it in postfix there are some domains that I
> want to receive emails but they are being rejected
>
> Thanks
>
You already have SA scoring on RDNS_NONE ... Isn't that enough?

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From J.Ede at birchenallhowden.co.uk Thu Sep 11 12:44:55 2008
From: J.Ede at birchenallhowden.co.uk (Jason Ede)
Date: Thu Sep 11 12:45:18 2008
Subject: Odd clam error in postfix logs
Message-ID: <4CAB0118AEC63A4FAAE77E6BCBDF760C792A20ECAE@server02.bhl.local>

I've just noticed we get this logged every time an email passed through our system...

Sep 11 12:41:01 gateway2 clamd[13691]: /tmp/clamdwatch-DPB5RGeGkNR5sav3: Eicar-Test-Signature FOUND

In /tmp that file doesn't exist, so it must be something about how the file is linked/extracted. I'm guessing this is not expected behaviour.

Am on clam 0.93.3 and clamd is running

Jason

From list-mailscanner at linguaphone.com Thu Sep 11 12:53:18 2008
From: list-mailscanner at linguaphone.com (Gareth)
Date: Thu Sep 11 12:53:54 2008
Subject: Odd clam error in postfix logs
In-Reply-To: <4CAB0118AEC63A4FAAE77E6BCBDF760C792A20ECAE@server02.bhl.local>
References: <4CAB0118AEC63A4FAAE77E6BCBDF760C792A20ECAE@server02.bhl.local>
Message-ID: <1221133998.8647.8.camel@gblades-suse.linguaphone-intranet.co.uk>

Isn't clamdwatch a script to monitor clamd and restart it if it fails?

My guess is that it is being run for every mailscanner queue run and is
scanning the eicar test file to make sure it is working and reading
its virus database correctly.

On Thu, 2008-09-11 at 12:44, Jason Ede wrote:
> I've just noticed we get this logged every time an email passed
> through our system...
>
> Sep 11 12:41:01 gateway2 clamd[13691]:
> /tmp/clamdwatch-DPB5RGeGkNR5sav3: Eicar-Test-Signature FOUND
>
> In /tmp that file doesn't exist, so it must be something about how the
> file is linked/extracted. I'm guessing this is not expected behaviour.
>
> Am on clam 0.93.3 and clamd is running
>
> Jason

From J.Ede at birchenallhowden.co.uk Thu Sep 11 13:02:19 2008
From: J.Ede at birchenallhowden.co.uk (Jason Ede)
Date: Thu Sep 11 13:02:42 2008
Subject: Odd clam error in postfix logs
In-Reply-To: <1221133998.8647.8.camel@gblades-suse.linguaphone-intranet.co.uk>
References: <4CAB0118AEC63A4FAAE77E6BCBDF760C792A20ECAE@server02.bhl.local> <1221133998.8647.8.camel@gblades-suse.linguaphone-intranet.co.uk>
Message-ID: <4CAB0118AEC63A4FAAE77E6BCBDF760C792A20ECB3@server02.bhl.local>

Yes you're right. I didn't realise it did that, but just examined the script more closely and it does use EICAR test file.

Jason

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Gareth
> Sent: 11 September 2008 12:53
> To: MailScanner discussion
> Subject: Re: Odd clam error in postfix logs
>
> Isn't clamdwatch a script to monitor clamd and restart it if it fails?
>
> My guess is that it is being run for every mailscanner queue run and is
> scanning the eicar test file to make sure it is working and reading
> its virus database correctly.

From danilo at amti.com.br Thu Sep 11 18:24:06 2008
From: danilo at amti.com.br (Danilo Egea)
Date: Thu Sep 11 18:24:19 2008
Subject: Help with rule
Message-ID: <48C95436.1040208@amti.com.br>

(Sorry my English) :P

Is possible create a rule to block an email with a specific origin and
destination?

thanks !

--
This message has been checked by the AMTI antivirus systems and
is believed to be free of danger.

From alex at rtpty.com Thu Sep 11 18:56:51 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Thu Sep 11 18:57:14 2008
Subject: Help with rule
In-Reply-To: <48C95436.1040208@amti.com.br>
References: <48C95436.1040208@amti.com.br>
Message-ID: <90605A69-28B4-4911-9758-7DFD510CF04B@rtpty.com>

Yes, it is!

---

Alex Neuman
Reliant Technologies
+507 6781-9505
Skype: alexneuman

On Sep 11, 2008, at 12:24 PM, Danilo Egea wrote:

> (Sorry my English) :P
>
> Is possible create a rule to block an email with a specific origin
> and destination?
>
> thanks !

From danilo at amti.com.br Thu Sep 11 19:07:44 2008
From: danilo at amti.com.br (Danilo Egea)
Date: Thu Sep 11 19:07:57 2008
Subject: Help with rule
In-Reply-To: <90605A69-28B4-4911-9758-7DFD510CF04B@rtpty.com>
References: <48C95436.1040208@amti.com.br> <90605A69-28B4-4911-9758-7DFD510CF04B@rtpty.com>
Message-ID: <48C95E70.1020400@amti.com.br>

humm, :| how ?

Alex Neuman van der Hans wrote:
> Yes, it is!
>
> ---
>
> Alex Neuman
> Reliant Technologies
> +507 6781-9505
> Skype: alexneuman

--
This message has been checked by the AMTI antivirus systems and
is believed to be free of danger.

From kc5goi at gmail.com Thu Sep 11 19:28:18 2008
From: kc5goi at gmail.com (Guy Story KC5GOI)
Date: Thu Sep 11 19:28:31 2008
Subject: Help with rule
In-Reply-To: <48C95E70.1020400@amti.com.br>
Message-ID: <22705875.581221157694921.JavaMail.SYSTEM@kc5goi-1>

Use the blacklisting rule.

    FromTo: block@address.whatever Yes

----- "Danilo Egea" wrote:
> From: "Danilo Egea"
> To: "MailScanner discussion"
> Sent: Thursday, September 11, 2008 1:07:44 PM GMT -06:00 US/Canada Central
> Subject: Re: Help with rule
>
> humm, :| how ?

From alex at rtpty.com Thu Sep 11 19:40:15 2008
From: alex at rtpty.com (Alex Neuman)
Date: Thu Sep 11 19:40:24 2008
Subject: Help with rule
In-Reply-To: <22705875.581221157694921.JavaMail.SYSTEM@kc5goi-1>
References: <48C95E70.1020400@amti.com.br> <22705875.581221157694921.JavaMail.SYSTEM@kc5goi-1>
Message-ID: <24e3d2e40809111140m4b6d8f2dr1a9763fb0db62657@mail.gmail.com>

Actually what he means is from a specific address to a specific address.

So if he means "block e-mails from Alicia to Roberto, but not necessarily
from Roberto to Alicia or to Carlos", for example, he would do the
following:

under "Is Definitely Spam = no" change to:

    Is Definitely Spam = %rules-dir%/a-quem-eu-bloco.rules

(note the ".rules" at the end that indicates this is a ruleset)

Then at /etc/MailScanner/rules, create a file called
a-quem-eu-bloco.rules that says:

    FromOrTo: default no
    From: alicia@dominio.com.br and To: roberto@dominio.com.br yes

Save it and restart MailScanner.

And Danilo - try to read the configuration file itself and the
documentation on the website - I'm sure with a few more minutes of looking
at either of them you could have figured it out, too. We here on the list
are glad to help, but it's easier if you help yourself first.

On Thu, Sep 11, 2008 at 1:28 PM, Guy Story KC5GOI wrote:

> Use the blacklisting rule.
>
> FromTo: block@address.whatever Yes
>
> -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080911/bb5f4a34/attachment.html From danilo at amti.com.br Thu Sep 11 19:45:36 2008 From: danilo at amti.com.br (Danilo Egea) Date: Thu Sep 11 19:45:49 2008 Subject: Help with rule In-Reply-To: <22705875.581221157694921.JavaMail.SYSTEM@kc5goi-1> References: <22705875.581221157694921.JavaMail.SYSTEM@kc5goi-1> Message-ID: <48C96750.8010508@amti.com.br> I need something like this: From: ze@gmail To: bob@hotmail yes Guy Story KC5GOI wrote: > Use the blacklisting rule. > > FromTo: block@address.whatever Yes > > > ----- "Danilo Egea" wrote: 
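The from/to ruleset discussed in this thread can be checked offline with a small model of the matching logic before MailScanner is restarted. This is an added example, not MailScanner's own code and not written by any poster; it assumes first-match-wins evaluation, a "default" pattern acting as the fallback wherever it appears, and one recipient per message, and BROAD_RULES is a constructed contrast case.

```python
"""Simplified model of MailScanner ruleset matching (added example, not MailScanner code)."""
import fnmatch
import re

# One condition is "<Direction>: <pattern>"; two conditions may be joined with "and".
COND = r"(FromOrTo|FromAndTo|From|To):\s*(\S+)"
RULE_RE = re.compile(rf"^{COND}(?:\s+and\s+{COND})?\s+(\S.*)$", re.IGNORECASE)

# The ruleset from the thread (the addresses are the thread's own examples).
ALEX_RULES = """\
FromOrTo: default no
From: alicia@dominio.com.br and To: roberto@dominio.com.br yes
"""

# Constructed contrast: a single-condition rule that ignores direction.
BROAD_RULES = """\
FromOrTo: alicia@dominio.com.br yes
FromOrTo: default no
"""


def parse_ruleset(text):
    """Return (rules, default); each rule is ([(direction, pattern), ...], value)."""
    rules, default = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {raw!r}")
        d1, p1, d2, p2, value = m.groups()
        conds = [(d1.lower(), p1)]
        if d2:
            conds.append((d2.lower(), p2))
        if len(conds) == 1 and p1.lower() == "default":
            default = value.strip()  # assumption: fallback value, position-independent
        else:
            rules.append((conds, value.strip()))
    return rules, default


def addr_matches(pattern, address):
    """Case-insensitive match; '*' is a wildcard, a bare domain means any user there."""
    pattern, address = pattern.lower(), address.lower()
    if "@" not in pattern:
        pattern = "*@" + pattern
    return fnmatch.fnmatchcase(address, pattern)


def cond_matches(direction, pattern, sender, recipient):
    """Evaluate one condition against the sender and recipient addresses."""
    hit_from = addr_matches(pattern, sender)
    hit_to = addr_matches(pattern, recipient)
    return {
        "from": hit_from,
        "to": hit_to,
        "fromorto": hit_from or hit_to,
        "fromandto": hit_from and hit_to,
    }[direction]


def decide(ruleset_text, sender, recipient):
    """First rule whose conditions all match wins; otherwise the default applies."""
    rules, default = parse_ruleset(ruleset_text)
    for conds, value in rules:
        if all(cond_matches(d, p, sender, recipient) for d, p in conds):
            return value
    return default


def demo():
    """Compare the paired From/To rule with the broader FromOrTo rule."""
    pairs = [
        ("alicia@dominio.com.br", "roberto@dominio.com.br"),
        ("roberto@dominio.com.br", "alicia@dominio.com.br"),
        ("alicia@dominio.com.br", "carlos@dominio.com.br"),
    ]
    return [(s, r, decide(ALEX_RULES, s, r), decide(BROAD_RULES, s, r)) for s, r in pairs]


if __name__ == "__main__":
    for sender, rcpt, paired, broad in demo():
        print(f"{sender} -> {rcpt}: paired rule={paired}, FromOrTo rule={broad}")
```

Only the Alicia-to-Roberto direction evaluates to "yes" (definitely spam) under the paired rule, while the FromOrTo contrast rule flags every message that involves Alicia in either role.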
From bpirie at rma.edu Thu Sep 11 19:56:15 2008 From: bpirie at rma.edu (Brendan Pirie) Date: Thu Sep 11 19:56:30 2008 Subject: Help with rule In-Reply-To: <48C96750.8010508@amti.com.br> References: <22705875.581221157694921.JavaMail.SYSTEM@kc5goi-1> <48C96750.8010508@amti.com.br> Message-ID: <48C969CF.7010105@rma.edu> If you're using mailwatch's blacklist feature, it supports this form of blacklist in the web interface. Danilo Egea wrote: > I need something like this: From: ze@gmail To: bob@hotmail yes > > > Guy Story KC5GOI wrote: >> Use the blacklisting rule. >> >> FromTo: block@address.whatever Yes >> >> >> ----- "Danilo Egea" wrote: 
>> >> > > From danilo at amti.com.br Thu Sep 11 20:03:20 2008 From: danilo at amti.com.br (Danilo Egea) Date: Thu Sep 11 20:03:34 2008 Subject: Help with rule In-Reply-To: <24e3d2e40809111140m4b6d8f2dr1a9763fb0db62657@mail.gmail.com> References: <48C95E70.1020400@amti.com.br> <22705875.581221157694921.JavaMail.SYSTEM@kc5goi-1> <24e3d2e40809111140m4b6d8f2dr1a9763fb0db62657@mail.gmail.com> Message-ID: <48C96B78.2080103@amti.com.br> Thanks Alex ! Alex Neuman wrote: > Actually what he means is from a specific address to a specific address. > > So if he means "block e-mails from Alicia to Roberto, but not > necessarily from Roberto to Alicia or to Carlos", for example, he > would do the following: > > under "Is Definitely Spam = no" change to: > "Is Definitely Spam = %rules-dir%/a-quem-eu-bloco.rules > (note the ".rules" at the end that indicates this is a ruleset) > > Then at /etc/MailScanner/rules, create a file called > a-quem-eu-bloco.rules that says: > > FromOrTo: default no > From:alicia@dominio.com.br and > To: roberto@dominio.com.br yes > > Save it and restart MailScanner. > > And Danilo - try to read the configuration file itself and the > documentation on the website - I'm sure with a few more minutes of > looking at either of them you could have figured it out, too. We here > on the list are glad to help, but it's easier if you help yourself first. > > On Thu, Sep 11, 2008 at 1:28 PM, Guy Story KC5GOI > wrote: > > Use the blacklisting rule. > > FromTo: block@address.whatever Yes > > > ----- "Danilo Egea" > wrote: 
>
>
>
> --
> This message has been checked by the AMTI antivirus systems and
> is believed to be free of danger.

--
This message has been checked by the AMTI antivirus systems and is believed to be free of danger.

From marcel-ml at irc-addicts.de Fri Sep 12 09:41:57 2008
From: marcel-ml at irc-addicts.de (Marcel Blenkers)
Date: Fri Sep 12 09:43:50 2008
Subject: Update bad phishing sites fails
Message-ID:

Hi there,

I am running the script "update_bad_phishing_sites" once every hour.
But suddenly the script returns an error, and that's why I receive the mail concerning "cron.hourly failed"..

Could anyone check if I am the only one with this problem?

Thanks in advance..

Greetings

Marcel

From martinh at solidstatelogic.com Fri Sep 12 09:46:13 2008
From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Fri Sep 12 09:46:28 2008 Subject: update_bad_phishing_sites erroring Message-ID: Jules Heads up - seems to have gone offline??? ##Unable to retrieve http://www.mailscanner.tv/.2008-09-12 :404 Not Found Unable to open base file -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 From telecaadmin at gmail.com Fri Sep 12 09:58:03 2008
From: telecaadmin at gmail.com (Ronny T. Lampert) Date: Fri Sep 12 10:00:35 2008 Subject: update_bad_phishing_sites erroring In-Reply-To: References: Message-ID: <48CA2F1B.9020201@gmail.com> > Heads up - seems to have gone offline??? > > ##Unable to retrieve http://www.mailscanner.tv/.2008-09-12 :404 Not Found Unable to open base file > My older MailScanner with http://www.mailscanner.eu/phishing.bad.sites.conf.master is still working. Cheers, Ronny From swati.meghanand at gmail.com Fri Sep 12 10:03:48 2008 
From: swati.meghanand at gmail.com (Swati Meghanand)
Date: Fri Sep 12 10:03:58 2008
Subject: Spamassassin Timeout issue.
In-Reply-To: <1221112850.21720.41.camel@darkstar.netcore.co.in>
References: <424c10260809100154v4d47738bg16e47138cde6b049@mail.gmail.com>
    <1221112850.21720.41.camel@darkstar.netcore.co.in>
Message-ID: <424c10260809120203o65366711oef62dfc6c6897065@mail.gmail.com>

Hi ram,

Thanks for your help, running spamassassin in debugging mode helped me a lot.

I figured out that it's not a DNS related issue, as spamassassin -D -t /path/to/mail gave me:

[2646] dbg: dns: name server: xxx.xxx.xxx.xxx, family: 2, ipv6: 0
[2646] dbg: dns: testing resolver nameservers: xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx
[2646] dbg: dns: trying (3) xxx.xxx...
[2646] dbg: dns: looking up NS for 'xxx.xxx'
[2646] dbg: dns: NS lookup of xxx.xxx using xxx.xxx.xxx.xxx succeeded => DNS available (set dns_available to override)
[2646] dbg: dns: is DNS available? 1

Possibly not even a RAZOR issue:

[2646] dbg: razor2: part=0 engine=4 contested=0 confidence=0
[2646] dbg: razor2: results: spam? 0
[2646] dbg: razor2: results: engine 8, highest cf score: 0
[2646] dbg: razor2: results: engine 4, highest cf score: 0

Yes, I got some trouble with Pyzor, but not always.

Sometimes I get the following errors:

[17573] dbg: util: executable for pyzor was found at /usr/bin/pyzor
[17573] dbg: pyzor: pyzor is available: /usr/bin/pyzor
[17573] dbg: info: entering helper-app run mode
[17573] dbg: pyzor: opening pipe: /usr/bin/pyzor check < /tmp/.spamassassin17573LkAPartmp
[17778] dbg: util: setuid: ruid=0 euid=0
[17573] dbg: pyzor: [17778] finished: exit=0x0100
[17573] dbg: pyzor: got response: Traceback (most recent call last):\n File "/usr/bin/pyzor", line 4, in ?\n pyzor.client.run()\n File "/usr/lib/python2.3/site-packages/pyzor/client.py", line 934, in run\n ExecCall().run()\n File "/usr/lib/python2.3/site-packages/pyzor/client.py", line 188, in run\n if not apply(dispatch, (self, args)):\n File "/usr/lib/python2.3/site-packages/pyzor/client.py", line 264, in check\n response = runner.run(server, (digest, server))\n File "/usr/lib/python2.3/site-packages/pyzor/client.py", line 725, in run\n response = apply(self.routine, varargs, kwargs)\n File "/usr/lib/python2.3/site-packages/pyzor/client.py", line 57, in check\n msg = CheckRequest(digest)\n File "/usr/lib/python2.3/site-packages/pyzor/__init__.py", line 381, in __init__\n typecheck(digest, str)\n File "/usr/lib/python2.3/site-packages/pyzor/__init__.py", line 494, in typecheck\n raise TypeError\nTypeError
[17573] dbg: info: leaving helper-app run mode
[17573] warn: pyzor: check failed: internal error

Still not able to figure out the exact reason since this error is not coming always...

Regards,
Swati Meghanand

2008/9/11 ram

>
> On Wed, 2008-09-10 at 14:24 +0530, Swati Meghanand wrote:
> > Hi,
> >
> >
> > I'm using mailscanner on a busy mail gateways from several months,
> > which was working fine so far. From last few days I noticed increased no
> > of spam mails as well log Filtering queues (of course slow processing
> > of mailscanner). In log file of mailscanner I found following lines,
> >
> > Sep 10 04:47:29 localhost MailScanner[11027]: Virus and Content Scanning: Starting
> > Sep 10 04:47:37 localhost MailScanner[8400]: SpamAssassin timed out and was killed, failure 8 of 20
> > Sep 10 04:47:37 localhost MailScanner[8680]: SpamAssassin timed out and was killed, failure 14 of 20
> > Sep 10 04:47:38 localhost MailScanner[8680]: Message 1KdL6x-0005q5-L3 from xx.xx.xx.xx (xxx@xxx.x) to xxx.xx is not spam, SpamAssassin (not cached, timed out)
> > Sep 10 04:47:38 localhost MailScanner[8400]: Message 1KdLDG-0006se-Ox from xx.xx.xx.xx (xxx@xx.xxx) to xxx.xx is not spam, SpamAssassin (not cached, timed out)
> >
> > it clearly indicates mailscanner is not (able to) scanning messages.
>
> Hi Swati,
> MailScanner Spamassassin timing out can be due to multiple reasons most
> likely this is a DNS issue like others have said. It could also be a
> huge BAYES file or a blocked RAZOR port etc
>
> Just check if your SA is still querying all the Dead DNS lists
> ( securitysage , ORDB , OPM BLITZED , DOB etc )
>
> I would suggest take any mail and run
> spamassassin -D -t < /path/mail
> (test with a mail with multiple urls and one that has passed thru
> different mail hops )
>
> That test would most probably give you enough results to find what is
> taking time.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080912/6acd8672/attachment.html

From jcputter at centreweb.co.za Fri Sep 12 10:03:34 2008
From: jcputter at centreweb.co.za (JC) Date: Fri Sep 12 10:04:48 2008 Subject: FW: PTR Record Mailscanner Message-ID: <001001c914b6$6fc8e510$4f5aaf30$@co.za> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: image/jpeg Size: 2218 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080912/45e0eddd/attachment.jpe From andrew at gdcon.net Fri Sep 12 10:21:34 2008 From: andrew at gdcon.net (Andrew MacLachlan) Date: Fri Sep 12 10:21:39 2008 Subject: FW: PTR Record Mailscanner In-Reply-To: <001001c914b6$6fc8e510$4f5aaf30$@co.za> References: <001001c914b6$6fc8e510$4f5aaf30$@co.za> Message-ID: <48CA349E.6000206@gdcon.net> JC wrote: > > > > How can i change the score for the rule RDNS_NONE 0.2 is not working > for me > add a score of your liking to /etc/MailScanner/spam.assassin.prefs.conf then reload MailScanner -Andy From uxbod at splatnix.net Fri Sep 12 10:21:51 2008 
From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Fri Sep 12 10:22:10 2008 Subject: Update bad phishing sites fails In-Reply-To: Message-ID: <6405047.1911221211310959.JavaMail.root@office.splatnix.net> Unable to retrieve http://www.mailscanner.tv/.2008-09-12 :404 Not Found Update required So I manually created /var/spool/MailScanner/quarantine/phishingupdate/cache/2008-09-12 and ran again which then updated the file okay. Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- "Marcel Blenkers" wrote: > Hi there, > > > > i am running the script "update_bad_phishing_sites" once every hour. > > But suddenly the Script returns an error, and thats why i receive the > mail > > concerning "cron.hourly failed".. > > > > Could anyone check if i am the only one with this problem? > > > > Thanks in advance.. > > > > Greetings > > > > Marcel -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ram at netcore.co.in Fri Sep 12 10:24:21 2008 
From: ram at netcore.co.in (ram)
Date: Fri Sep 12 10:24:45 2008
Subject: Spamassassin Timeout issue.
In-Reply-To: <424c10260809120203o65366711oef62dfc6c6897065@mail.gmail.com>
References: <424c10260809100154v4d47738bg16e47138cde6b049@mail.gmail.com>
    <1221112850.21720.41.camel@darkstar.netcore.co.in>
    <424c10260809120203o65366711oef62dfc6c6897065@mail.gmail.com>
Message-ID: <1221211461.634.73.camel@darkstar.netcore.co.in>

On Fri, 2008-09-12 at 14:33 +0530, Swati Meghanand wrote:
> Hi ram,
>
> Thanks for your help, running spamassassin in debugging mode helped me a
> lot.
>
> I figured out that it's not a DNS related issue, as spamassassin -D
> -t /path/to/mail gave me.
>

You can never be sure. By experience I can say 9/10 times it is a DNS issue.
Take more mails and test again, and at the same times when your MailScanner server has issues of clearing off

spamassassin -D -t /path/to/mail 2>&1 | tee -a /path/logfile
grep -i time /path/logfile

> [2646] dbg: dns: name server: xxx.xxx.xxx.xxx, family: 2, ipv6: 0
> [2646] dbg: dns: testing resolver nameservers: xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx
> [2646] dbg: dns: trying (3) xxx.xxx...
> [2646] dbg: dns: looking up NS for 'xxx.xxx'
> [2646] dbg: dns: NS lookup of xxx.xxx using xxx.xxx.xxx.xxx succeeded => DNS available (set dns_available to override)
> [2646] dbg: dns: is DNS available? 1
>
> Possibly not even a RAZOR issue:
>
> [2646] dbg: razor2: part=0 engine=4 contested=0 confidence=0
> [2646] dbg: razor2: results: spam? 0
> [2646] dbg: razor2: results: engine 8, highest cf score: 0
> [2646] dbg: razor2: results: engine 4, highest cf score: 0
>
> Yes, I got some trouble with Pyzor, but not always.
>

Disable pyzor for testing. It doesn't make any diff in the results anyway ... of course YMMV :-)

> .....(snipped) ....
> Still not able to figure out the exact reason since this error is not
> coming always...
>

Keep trying. Sometimes it is just that the errors are not continuous; you can set aggressive timeouts to narrow down the issues.
Have you monitored your b/w usage for any choke over there? (In India b/w is *still* an issue unfortunately)

Thanks
Ram

From jcputter at centreweb.co.za Fri Sep 12 10:30:34 2008
From: jcputter at centreweb.co.za (JC)
Date: Fri Sep 12 10:31:43 2008
Subject: FW: PTR Record Mailscanner
In-Reply-To: <48CA349E.6000206@gdcon.net>
References: <001001c914b6$6fc8e510$4f5aaf30$@co.za>
    <48CA349E.6000206@gdcon.net>
Message-ID: <002801c914ba$352e5030$9f8af090$@co.za>

I am using Rules Du Jour, can't find RDNS_NONE in spam.assassin.prefs.conf

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Andrew MacLachlan
Sent: 12 September 2008 11:22 AM
To: MailScanner discussion
Subject: Re: FW: PTR Record Mailscanner

JC wrote:
>
>
>
> How can i change the score for the rule RDNS_NONE 0.2 is not working
> for me
>
add a score of your liking to /etc/MailScanner/spam.assassin.prefs.conf
then reload MailScanner

-Andy
--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

This message has been scanned for viruses and dangerous content by Centerweb, and is believed to be clean.

This message has been scanned for viruses and dangerous content by Centerweb, and is believed to be clean.

From sandip.sinha at in.dclgroup.com Fri Sep 12 11:12:37 2008
From: sandip.sinha at in.dclgroup.com (sandip.sinha@in.dclgroup.com)
Date: Fri Sep 12 11:12:57 2008
Subject: Message contained archive nested too deeply
Message-ID:

I have installed MailScanner in FC7 into our sendmail server. This works fine. However I am facing one problem which I couldn't figure out.
For some attachments it gives the following error. The attachment does not have any virus, does not have zip with zip. Still it gives the following error.

I want to know how to disable "Other Bad Content" scanning.

----------------------------------------------------------------------
The following e-mails were found to have: Other Bad Content Detected

Sender: ss1@xxx.com
IP Address: 10.20.10.1
Recipient: ss2@xxx.com
Subject:
MessageID: m8CA6SYX000360
Quarantine: /var/spool/MailScanner/quarantine/20080912/m8CA6SYX000360
Report: MailScanner: Message contained archive nested too deeply
----------------------------------------------------------------------

Sandip
Calcutta, India.

From prandal at herefordshire.gov.uk Fri Sep 12 11:50:27 2008
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Fri Sep 12 11:53:09 2008
Subject: Update bad phishing sites fails
In-Reply-To: <6405047.1911221211310959.JavaMail.root@office.splatnix.net>
References: <6405047.1911221211310959.JavaMail.root@office.splatnix.net>
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA04A67669@HC-MBX02.herefordshire.gov.uk>

That workaround fixed it for me too.

Phil

--
Phil Randal
Networks Engineer
Herefordshire Council
Hereford, UK

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of --[ UxBoD ]-- Sent: 12 September 2008 10:22 To: MailScanner discussion Subject: Re: Update bad phishing sites fails Unable to retrieve http://www.mailscanner.tv/.2008-09-12 :404 Not Found Update required So I manually created /var/spool/MailScanner/quarantine/phishingupdate/cache/2008-09-12 and ran again which then updated the file okay. Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- "Marcel Blenkers" wrote: > Hi there, > > > > i am running the script "update_bad_phishing_sites" once every hour. > > But suddenly the Script returns an error, and thats why i receive the > mail > > concerning "cron.hourly failed".. > > > > Could anyone check if i am the only one with this problem? > > > > Thanks in advance.. > > > > Greetings > > > > Marcel -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From ram at netcore.co.in Fri Sep 12 12:11:51 2008 
From: ram at netcore.co.in (ram) Date: Fri Sep 12 12:12:15 2008 Subject: FW: PTR Record Mailscanner In-Reply-To: <002801c914ba$352e5030$9f8af090$@co.za> References: <001001c914b6$6fc8e510$4f5aaf30$@co.za> <48CA349E.6000206@gdcon.net> <002801c914ba$352e5030$9f8af090$@co.za> Message-ID: <1221217911.634.130.camel@darkstar.netcore.co.in> On Fri, 2008-09-12 at 11:30 +0200, JC wrote: > I am using Rules Du Jour , cant find RDNS_NONE in spam.assassin.prefs.conf > http://wiki.mailscanner.info/doku.php?id=maq:index look for How to customize SpamAssassin? Thanks Ram From support-lists at petdoctors.co.uk Fri Sep 12 12:33:27 2008 From: support-lists at petdoctors.co.uk (Nigel Kendrick) Date: Fri Sep 12 12:34:19 2008 Subject: Whitelist our mobile phone users Message-ID: <3E606460613F4C3C82955AD8D0214CC6@SUPPORT01V> We have a recurring problem (2-3 times a year) where UK Vodaphone domains get added to various RBLs and so our mobile users suddenly get their mail rejected as outbound spam by our mail server (MailScanner, Spamassassin and Postfix). Considering these users have to do an SMTP login to send mail, is it possible to whitelist them based on this fact? If not, what's the best way to cope with this without letting too much spam through - or do I just not scan outbound mail!? Thanks, Nigel Kendrick From jaearick at colby.edu Fri Sep 12 12:39:45 2008 From: jaearick at colby.edu (Jeff A. Earickson) Date: Fri Sep 12 12:40:02 2008 Subject: Update bad phishing sites fails In-Reply-To: <6405047.1911221211310959.JavaMail.root@office.splatnix.net> References: <6405047.1911221211310959.JavaMail.root@office.splatnix.net> Message-ID: I too had this problem and your suggestion fixed it. Many thanks. Jeff Earickson Colby College On Fri, 12 Sep 2008, --[ UxBoD ]-- wrote: > Date: Fri, 12 Sep 2008 10:21:51 +0100 (BST) 
> From: "--[ UxBoD ]--" > Reply-To: MailScanner discussion > To: MailScanner discussion > Subject: Re: Update bad phishing sites fails > > Unable to retrieve http://www.mailscanner.tv/.2008-09-12 :404 Not Found > Update required > > So I manually created /var/spool/MailScanner/quarantine/phishingupdate/cache/2008-09-12 and ran again which then updated the file okay. > > Regards, > > -- > --[ UxBoD ]-- > // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" > // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 > // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 > // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net > > ----- "Marcel Blenkers" wrote: > >> Hi there, >> >> >> >> i am running the script "update_bad_phishing_sites" once every hour. >> >> But suddenly the Script returns an error, and thats why i receive the >> mail >> >> concerning "cron.hourly failed".. >> >> >> >> Could anyone check if i am the only one with this problem? >> >> >> >> Thanks in advance.. >> >> >> >> Greetings >> >> >> >> Marcel > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From drew.marshall at technologytiger.net Fri Sep 12 12:46:42 2008 
From: drew.marshall at technologytiger.net (Drew Marshall) Date: Fri Sep 12 12:56:14 2008 Subject: Whitelist our mobile phone users In-Reply-To: <3E606460613F4C3C82955AD8D0214CC6@SUPPORT01V> References: <3E606460613F4C3C82955AD8D0214CC6@SUPPORT01V> Message-ID: <8FEA8034-2F37-477F-994A-5AB80C11B774@technologytiger.net> On 12 Sep 2008, at 12:33, Nigel Kendrick wrote: > We have a recurring problem (2-3 times a year) where UK Vodaphone > domains > get added to various RBLs and so our mobile users suddenly get their > mail > rejected as outbound spam by our mail server (MailScanner, > Spamassassin and > Postfix). Considering these users have to do an SMTP login to send > mail, is > it possible to whitelist them based on this fact? If not, what's the > best > way to cope with this without letting too much spam through - or do > I just > not scan outbound mail!? What rejects the mail, Postfix or MailScanner? Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by Technology Tiger's Mail Launder system Our email policy can be found at www.technologytiger.net/policy Technology Tiger Limited is registered in Scotland with registration number: 310997 Registered Office 55-57 West High Street Inverurie AB51 3QQ From alex at rtpty.com Fri Sep 12 13:11:21 2008 
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Fri Sep 12 13:11:35 2008 Subject: Update bad phishing sites fails In-Reply-To: References: Message-ID: <630139E8-ABD6-4428-B2B9-210053D6A646@rtpty.com> Anything else that could help, like a description of the error message, or a snippet from your log, would help a lot. --- Alex Neuman Reliant Technologies +507 6781-9505 Skype: alexneuman On Sep 12, 2008, at 3:41 AM, Marcel Blenkers wrote: > Hi there, > > i am running the script "update_bad_phishing_sites" once every hour. > But suddenly the Script returns an error, and thats why i receive > the mail > concerning "cron.hourly failed".. > > Could anyone check if i am the only one with this problem? > > Thanks in advance.. > > Greetings > > Marcel > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From alex at rtpty.com Fri Sep 12 13:14:54 2008 
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Fri Sep 12 13:15:10 2008 Subject: Message contained archive nested too deeply In-Reply-To: References: Message-ID: <6832C96C-54D7-40F1-80D4-9C11E7BC09AC@rtpty.com> Is it an office 2007 file? --- Alex Neuman Reliant Technologies +507 6781-9505 Skype: alexneuman On Sep 12, 2008, at 5:12 AM, sandip.sinha@in.dclgroup.com wrote: > I have installed MailScanner in FC7 into our sendmail server. This > works > fine. However I am facing one problem which I couldn't able to > figure out. > For some attachments it gives the following error. The attachment > does not > have any virus, does not have zip with zip. Still it gives the > folowing > error. > > I want to know how to disable "Other Bad Content " scanning . > > ---------------------------------------------------------------------- > The following e-mails were found to have: Other Bad Content Detected > > Sender: ss1@xxx.com > IP Address: 10.20.10.1 > Recipient: ss2@xxx.com > Subject: > MessageID: m8CA6SYX000360 > Quarantine: /var/spool/MailScanner/quarantine/20080912/m8CA6SYX000360 > Report: MailScanner: Message contained archive nested too deeply > ---------------------------------------------------------------------- > > Sandip > Calcutta, India. > > > > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From alex at rtpty.com Fri Sep 12 13:13:14 2008 
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Fri Sep 12 13:15:41 2008
Subject: Spamassassin Timeout issue.
In-Reply-To: <424c10260809120203o65366711oef62dfc6c6897065@mail.gmail.com>
References: <424c10260809100154v4d47738bg16e47138cde6b049@mail.gmail.com> <1221112850.21720.41.camel@darkstar.netcore.co.in> <424c10260809120203o65366711oef62dfc6c6897065@mail.gmail.com>
Message-ID:

Problems with pyzor?

---

Alex Neuman
Reliant Technologies
+507 6781-9505
Skype: alexneuman

On Sep 12, 2008, at 4:03 AM, "Swati Meghanand" wrote:

> hi ram,
>
> Thanks for your help, running spamassassin in debugging mode helped me
> a lot.
>
> I figured out that it's not a DNS related issue, as spamassassin -D -t /path/to/mail gave me.
>
> [2646] dbg: dns: name server: xxx.xxx.xxx.xxx, family: 2, ipv6: 0
> [2646] dbg: dns: testing resolver nameservers: xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx
> [2646] dbg: dns: trying (3) xxx.xxx...
> [2646] dbg: dns: looking up NS for 'xxx.xxx'
> [2646] dbg: dns: NS lookup of xxx.xxx using xxx.xxx.xxx.xxx succeeded => DNS available (set dns_available to override)
> [2646] dbg: dns: is DNS available? 1
>
> possibly not even RAZOR issue
>
> [2646] dbg: razor2: part=0 engine=4 contested=0 confidence=0
> [2646] dbg: razor2: results: spam?
0
> [2646] dbg: razor2: results: engine 8, highest cf score: 0
> [2646] dbg: razor2: results: engine 4, highest cf score: 0
>
> yes I got some trouble with Pyzor, but not always
>
> sometimes I get following errors
>
> [17573] dbg: util: executable for pyzor was found at /usr/bin/pyzor
> [17573] dbg: pyzor: pyzor is available: /usr/bin/pyzor
> [17573] dbg: info: entering helper-app run mode
> [17573] dbg: pyzor: opening pipe: /usr/bin/pyzor check < /tmp/.spamassassin17573LkAPartmp
> [17778] dbg: util: setuid: ruid=0 euid=0
> [17573] dbg: pyzor: [17778] finished: exit=0x0100
> [17573] dbg: pyzor: got response: Traceback (most recent call last):\n File "/usr/bin/pyzor", line 4, in ?\n pyzor.client.run()\n File "/usr/lib/python2.3/site-packages/pyzor/client.py", line 934, in run\n ExecCall().run()\n File "/usr/lib/python2.3/site-packages/pyzor/client.py", line 188, in run\n if not apply(dispatch, (self, args)):\n File "/usr/lib/python2.3/site-packages/pyzor/client.py", line 264, in check\n response = runner.run(server, (digest, server))\n File "/usr/lib/python2.3/site-packages/pyzor/client.py", line 725, in run\n response = apply(self.routine, varargs, kwargs)\n File "/usr/lib/python2.3/site-packages/pyzor/client.py", line 57, in check\n msg = CheckRequest(digest)\n File "/usr/lib/python2.3/site-packages/pyzor/__init__.py", line 381, in __init__\n typecheck(digest, str)\n File "/usr/lib/python2.3/site-packages/pyzor/__init__.py", line 494, in typecheck\n raise TypeError\nTypeError
> [17573] dbg: info: leaving helper-app run mode
> [17573] warn: pyzor: check failed: internal error
>
> still not able to figure out the exact reason since this error is
> not coming always...
>
> Regards,
>
> Swati Meghanand
>
> 2008/9/11 ram
>
> On Wed, 2008-09-10 at 14:24 +0530, Swati Meghanand wrote:
> > Hi,
> >
> > I'm using mailscanner on a busy mail gateways from several months,
> > which was working fine so far. From last few days I noticed increased no
> > of spam mails as well log Filtering queues (of course slow processing
> > of mailscanner). In log file of mailscanner I found following lines,
> >
> > Sep 10 04:47:29 localhost MailScanner[11027]: Virus and Content Scanning: Starting
> > Sep 10 04:47:37 localhost MailScanner[8400]: SpamAssassin timed out and was killed, failure 8 of 20
> > Sep 10 04:47:37 localhost MailScanner[8680]: SpamAssassin timed out and was killed, failure 14 of 20
> > Sep 10 04:47:38 localhost MailScanner[8680]: Message 1KdL6x-0005q5-L3 from xx.xx.xx.xx (xxx@xxx.x) to xxx.xx is not spam, SpamAssassin (not cached, timed out)
> > Sep 10 04:47:38 localhost MailScanner[8400]: Message 1KdLDG-0006se-Ox from xx.xx.xx.xx (xxx@xx.xxx) to xxx.xx is not spam, SpamAssassin (not cached, timed out)
> >
> > it clearly indicates mailscanner is not (able to) scanning messages.
>
> Hi Swati,
> MailScanner Spamassassin timing out can be due to multiple reasons most
> likely this is a DNS issue like others have said. It could also be a
> huge BAYES file or a blocked RAZOR port etc
>
> Just check if your SA is still querying all the Dead DNS lists
> ( securitysage , ORDB , OPM BLITZED , DOB etc )
>
> I would suggest take any mail and run
> spamassassin -D -t < /path/mail
> (test with a mail with multiple urls and one that has passed thru
> different mail hops )
>
> That test would most probably give you enough results to find what is
> taking time.
From support-lists at petdoctors.co.uk Fri Sep 12 13:25:23 2008
From: support-lists at petdoctors.co.uk (Nigel Kendrick)
Date: Fri Sep 12 13:26:04 2008
Subject: Whitelist our mobile phone users
In-Reply-To: <8FEA8034-2F37-477F-994A-5AB80C11B774@technologytiger.net>
References: <3E606460613F4C3C82955AD8D0214CC6@SUPPORT01V> <8FEA8034-2F37-477F-994A-5AB80C11B774@technologytiger.net>
Message-ID: <573E790B644640178D281A2D0BE84301@SUPPORT01V>

> We have a recurring problem (2-3 times a year) where UK Vodafone domains
> get added to various RBLs and so our mobile users suddenly get their mail
>
>What rejects the mail, Postfix or MailScanner?
>
>Drew

It's MailScanner as the domain is found in 3+ RBLs

From martinh at solidstatelogic.com Fri Sep 12 13:27:06 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Fri Sep 12 13:27:18 2008
Subject: Update bad phishing sites fails
In-Reply-To:
Message-ID:

I wonder why it's putting it in the quarantine area and will we have to do this over the weekend..

/me prods Jules

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jeff A. Earickson
> Sent: 12 September 2008 12:40
> To: MailScanner discussion
> Subject: Re: Update bad phishing sites fails
>
> I too had this problem and your suggestion fixed it. Many thanks.
>
> Jeff Earickson
> Colby College
>
> On Fri, 12 Sep 2008, --[ UxBoD ]-- wrote:
>
> > Date: Fri, 12 Sep 2008 10:21:51 +0100 (BST)
> > From: "--[ UxBoD ]--"
> > Reply-To: MailScanner discussion
> > To: MailScanner discussion
> > Subject: Re: Update bad phishing sites fails
> >
> > Unable to retrieve http://www.mailscanner.tv/.2008-09-12 :404 Not Found Update required
> >
> > So I manually created /var/spool/MailScanner/quarantine/phishingupdate/cache/2008-09-12 and ran again which then updated the file okay.
> >
> > Regards,
> >
> > --
> > --[ UxBoD ]--
> > // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
> > // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 //
> > Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749
> > SIP Phone: uxbod@sip.splatnix.net
> >
> > ----- "Marcel Blenkers" wrote:
> >
> >> Hi there,
> >>
> >> I am running the script "update_bad_phishing_sites" once every hour.
> >> But suddenly the Script returns an error, and that's why I receive the mail
> >> concerning "cron.hourly failed"..
> >>
> >> Could anyone check if I am the only one with this problem?
> >>
> >> Thanks in advance..
> >>
> >> Greetings
> >>
> >> Marcel
From alex at rtpty.com Fri Sep 12 13:49:44 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Fri Sep 12 13:49:59 2008
Subject: Whitelist our mobile phone users
In-Reply-To: <573E790B644640178D281A2D0BE84301@SUPPORT01V>
References: <3E606460613F4C3C82955AD8D0214CC6@SUPPORT01V> <8FEA8034-2F37-477F-994A-5AB80C11B774@technologytiger.net> <573E790B644640178D281A2D0BE84301@SUPPORT01V>
Message-ID: <961588DE-8692-4428-993D-EC1FC5167D4F@rtpty.com>

At what level? SA scoring? Can you use a ruleset to exclude them from said rbls? Could you set up a different instance of your mta on a different port, like 587, so they could skip scanning?

---

Alex Neuman
Reliant Technologies
+507 6781-9505
Skype: alexneuman

On Sep 12, 2008, at 7:25 AM, "Nigel Kendrick" wrote:

>> We have a recurring problem (2-3 times a year) where UK Vodafone domains
>> get added to various RBLs and so our mobile users suddenly get their mail
>>
>> What rejects the mail, Postfix or MailScanner?
>>
>> Drew
>
> It's MailScanner as the domain is found in 3+ RBLs

From steve.freegard at fsl.com Fri Sep 12 14:05:10 2008
From: steve.freegard at fsl.com (Steve Freegard)
Date: Fri Sep 12 14:05:22 2008
Subject: Whitelist our mobile phone users
In-Reply-To: <573E790B644640178D281A2D0BE84301@SUPPORT01V>
References: <3E606460613F4C3C82955AD8D0214CC6@SUPPORT01V> <8FEA8034-2F37-477F-994A-5AB80C11B774@technologytiger.net> <573E790B644640178D281A2D0BE84301@SUPPORT01V>
Message-ID: <48CA6906.8020402@fsl.com>

Nigel Kendrick wrote:
>> We have a recurring problem (2-3 times a year) where UK Vodafone domains
>> get added to various RBLs and so our mobile users suddenly get their mail
>>
>> What rejects the mail, Postfix or MailScanner?
>>
>> Drew
>
> It's MailScanner as the domain is found in 3+ RBLs
>

IMO - I would disable both 'Spam Domain Lists' and 'Spam Lists' in MailScanner.conf completely and let SpamAssassin score on these lists instead and move the 'trusted' RBLs into your MTA (e.g. zen.spamhaus.org) instead as this will significantly reduce the load on your MailScanner box.

The 'Spam List' lookups are serialised in MailScanner whereas they are done in parallel and asynchronously in SpamAssassin and are therefore way faster.

Cheers,
Steve.

From Denis.Beauchemin at USherbrooke.ca Fri Sep 12 14:26:57 2008
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Fri Sep 12 14:27:20 2008
Subject: FW: PTR Record Mailscanner
In-Reply-To: <002801c914ba$352e5030$9f8af090$@co.za>
References: <001001c914b6$6fc8e510$4f5aaf30$@co.za> <48CA349E.6000206@gdcon.net> <002801c914ba$352e5030$9f8af090$@co.za>
Message-ID: <48CA6E21.7040703@USherbrooke.ca>

JC wrote:
> I am using Rules Du Jour, can't find RDNS_NONE in spam.assassin.prefs.conf
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Andrew MacLachlan
> Sent: 12 September 2008 11:22 AM
> To: MailScanner discussion
> Subject: Re: FW: PTR Record Mailscanner
>
> JC wrote:
>
>> How can I change the score for the rule RDNS_NONE 0.2 is not working
>> for me
>>
> add a score of your liking to /etc/MailScanner/spam.assassin.prefs.conf
> then reload MailScanner
>
> -Andy

JC,

Add the following to spam.assassin.prefs.conf (use the score you want):

score RDNS_NONE 123.45

Then reload MS.

Denis

--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x62252 F: 819.821.8045

From andrew at gdcon.net Fri Sep 12 14:35:20 2008
From: andrew at gdcon.net (Andrew MacLachlan)
Date: Fri Sep 12 14:35:21 2008
Subject: FW: PTR Record Mailscanner
In-Reply-To: <002801c914ba$352e5030$9f8af090$@co.za>
References: <001001c914b6$6fc8e510$4f5aaf30$@co.za> <48CA349E.6000206@gdcon.net> <002801c914ba$352e5030$9f8af090$@co.za>
Message-ID: <48CA7018.5000202@gdcon.net>

JC wrote:
> I am using Rules Du Jour, can't find RDNS_NONE in spam.assassin.prefs.conf
>

Makes no difference - just create the over-ride following the examples in there.

-Andy

From spamlists at coders.co.uk Fri Sep 12 14:38:21 2008
From: spamlists at coders.co.uk (Matt)
Date: Fri Sep 12 14:39:18 2008
Subject: Update bad phishing sites fails
In-Reply-To:
References:
Message-ID: <48CA70CD.6070602@coders.co.uk>

Martin.Hepworth wrote:
> I wonder why it's putting it in the quarantine area and will we have to do this over the weekend..
>

It always puts it in the quarantine area - that is a guaranteed writeable area for MailScanner.

The update fails safe - only if it successfully updates will it overwrite the file. Creating the blank file makes the updates work but you will no longer have the basefile for the day. The updates during the day are diffs against the basefile. You will currently have a very small file if you have created the base file manually.

I believe it was caused by a network issue - the base file has been pushed out so this should restore the file for those of you who manually created the file and stop the errors for those of you who haven't.

More error checking is needed which is being looked at as we speak.

matt

From andrew at gdcon.net Fri Sep 12 14:45:48 2008
From: andrew at gdcon.net (Andrew MacLachlan)
Date: Fri Sep 12 14:45:51 2008
Subject: Update bad phishing sites fails
In-Reply-To: <48CA70CD.6070602@coders.co.uk>
References: <48CA70CD.6070602@coders.co.uk>
Message-ID: <48CA728C.9010202@gdcon.net>

Matt wrote:
>
> I believe it was caused by a network issue

It's _always_ the network if you are a software engineer. Vice-versa for network / hardware engineers.

:-)

From uxbod at splatnix.net Fri Sep 12 15:22:59 2008
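Added example (not part of any message in this archive, and not code from update_bad_phishing_sites): Matt's message above says the update only overwrites the list after a successful run, and that an update built on a manually created blank base file leaves a very small list. The sketch below installs a rebuilt list atomically and refuses one that is empty or has collapsed in size; the function names, the file name, the 50% threshold and the one-hostname-per-line format are assumptions.

```python
import os
import tempfile


def count_entries(data: bytes) -> int:
    """Count non-blank, non-comment lines (assumed format: one hostname per line)."""
    return sum(
        1
        for line in data.splitlines()
        if line.strip() and not line.lstrip().startswith(b"#")
    )


def install_if_sane(candidate: bytes, live_path: str, min_ratio: float = 0.5) -> str:
    """Atomically replace live_path with candidate, or leave the old file alone.

    Returns "installed", "rejected-empty" or "rejected-shrunk".
    """
    new_count = count_entries(candidate)
    if new_count == 0:
        return "rejected-empty"

    exists = os.path.exists(live_path)
    if exists:
        with open(live_path, "rb") as fh:
            old_count = count_entries(fh.read())
        # A list rebuilt from an empty base file plus the day's diffs is far
        # smaller than yesterday's list: keep the old one and report it.
        if new_count < old_count * min_ratio:
            return "rejected-shrunk"

    # Write beside the live file so os.replace() is a same-filesystem rename:
    # a reader sees either the old list or the new one, never a partial file.
    directory = os.path.dirname(os.path.abspath(live_path))
    mode = os.stat(live_path).st_mode & 0o777 if exists else 0o644
    fd, tmp_path = tempfile.mkstemp(dir=directory, prefix=".list-")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(candidate)
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp_path, mode)  # mkstemp creates 0600; keep the list readable
        os.replace(tmp_path, live_path)
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise
    return "installed"


def demo() -> list:
    """Exercise the three outcomes on constructed data in a scratch directory."""
    full = b"".join(b"host%d.example\n" % i for i in range(100))  # constructed list
    tiny = b"new1.example\nnew2.example\nnew3.example\n"  # diffs applied to an empty base
    with tempfile.TemporaryDirectory() as scratch:
        live = os.path.join(scratch, "phishing-blacklist.conf")  # hypothetical name
        results = [
            install_if_sane(full, live),         # first install
            install_if_sane(tiny, live),         # collapsed list is refused
            install_if_sane(b"", live),          # failed download is refused
            install_if_sane(full + tiny, live),  # normal daily growth is accepted
        ]
        with open(live, "rb") as fh:
            results.append(count_entries(fh.read()))
    return results


if __name__ == "__main__":
    print(demo())
```

A rejected update should be logged or mailed by the cron job, so that a stale list is noticed rather than silently kept.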
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Fri Sep 12 15:23:21 2008
Subject: Update bad phishing sites fails
In-Reply-To: <48CA728C.9010202@gdcon.net>
Message-ID: <3347952.1971221229379101.JavaMail.root@office.splatnix.net>

lol :D

Regards,

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- "Andrew MacLachlan" wrote:

> It's _always_ the network if you are a software engineer. Vice-versa for
> network / hardware engineers.
>
> :-)

From jcputter at centreweb.co.za Fri Sep 12 15:35:45 2008
From: jcputter at centreweb.co.za (JC)
Date: Fri Sep 12 15:36:59 2008
Subject: FW: PTR Record Mailscanner
In-Reply-To: <48CA7018.5000202@gdcon.net>
References: <001001c914b6$6fc8e510$4f5aaf30$@co.za> <48CA349E.6000206@gdcon.net> <002801c914ba$352e5030$9f8af090$@co.za> <48CA7018.5000202@gdcon.net>
Message-ID: <000001c914e4$d76d3fd0$8647bf70$@co.za>

Andy

If I view spam.assassin.prefs.conf

Must I add the entry or add it some how?

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Andrew MacLachlan
Sent: 12 September 2008 03:35 PM
To: MailScanner discussion
Subject: Re: FW: PTR Record Mailscanner

JC wrote:
> I am using Rules Du Jour, can't find RDNS_NONE in spam.assassin.prefs.conf
>

Makes no difference - just create the over-ride following the examples in there.

-Andy

From Denis.Beauchemin at USherbrooke.ca Fri Sep 12 16:05:00 2008
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Fri Sep 12 16:05:15 2008
Subject: FW: PTR Record Mailscanner
In-Reply-To: <000001c914e4$d76d3fd0$8647bf70$@co.za>
References: <001001c914b6$6fc8e510$4f5aaf30$@co.za> <48CA349E.6000206@gdcon.net> <002801c914ba$352e5030$9f8af090$@co.za> <48CA7018.5000202@gdcon.net> <000001c914e4$d76d3fd0$8647bf70$@co.za>
Message-ID: <48CA851C.1060406@USherbrooke.ca>

JC wrote:
> Andy
>
> If I view spam.assassin.prefs.conf
>
> Must I add the entry or add it some how?
>

JC,

view is vi in read only. Use "vi spam.assassin.prefs.conf" (or any other text editor) to add the "score" line anywhere you want (bottom is good place).

Denis

--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x62252 F: 819.821.8045

From ben.tisdall at photobox.com Fri Sep 12 17:52:49 2008
From: ben.tisdall at photobox.com (Ben Tisdall)
Date: Fri Sep 12 17:53:27 2008
Subject: Desperately trying to debug poor spam scanning performance
Message-ID: <48CA9E61.7080506@photobox.com>

Hello all.

I am edging slowly towards the tearing my hair out phase...

I cannot seem to diagnose why an MS box due for installation soon is
performing much more poorly than its soon to be predecessor & indeed my
personal MS box running on desktop hardware.

I'll use my personal box (let's call it desky) for comparison purposes here:

BigOne
======

2 x Xeon dual core 3GHz
2G RAM
2 x 15K SCSI
Hardware RAID 1 (Smart Array 5i)
Exim
Caching dns

Linux newacorn 2.6.18-92.1.10.el5 #1 SMP Tue Aug 5 07:41:53 EDT 2008 i686 i686 i386 GNU/Linux
This is CentOS release 5.2 (Final)
This is Perl version 5.008008 (5.8.8)
This is MailScanner version 4.71.10

Desky
=====

Athlon 64 3200
500MB RAM
7.2K SATA HD
Software RAID 1
Exim
Caching dns

Linux jitter 2.6.18-92.1.6.el5 #1 SMP Wed Jun 25 13:49:24 EDT 2008 i686 athlon i386 GNU/Linux
This is CentOS release 5.2 (Final)
This is Perl version 5.008008 (5.8.8)
This is MailScanner version 4.67.6

AND just to add insult to injury for my capabilities as sysadmin, BigOne
is sitting in a dc with good connectivity & Desky is sitting on the end
of an adsl line!

For testing purposes I have BigOne acting as the primary MX for my
personal mail domain & forwarding on to Desky. I can mail myself & tail
the various logs (speed logging enabled of course) to get a feel for how
quickly individual messages are processed.

Both boxes are running dcc, pyzor & razor2, the fw allows established
connections back in, no timeouts. But in any case even with these
disabled the difference remains.

These are some fairly typical (processed) lines of output from the two
boxes (message sent from gmail).

BigOne:

17:42:09 Spam Checks completed at 2523 bytes per second

Desky:

17:42:17 Spam Checks completed at 5672 bytes per second

Often the difference is much greater in Desky's favour.
BigOne is supposed to go into production next week processing 20k per
day, as things stand I'm not sure it'll hold up.

Any pointers very gratefully received!

Best regards,

Ben.

--
Ben Tisdall
Linux Systems Administrator | www.photobox.com

From alex at rtpty.com Fri Sep 12 18:02:58 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Fri Sep 12 18:03:23 2008
Subject: Desperately trying to debug poor spam scanning performance
In-Reply-To: <48CA9E61.7080506@photobox.com>
References: <48CA9E61.7080506@photobox.com>
Message-ID: <5A881BE9-B6B4-463D-BFE0-0D7FFF8C80F3@rtpty.com>

Have you tried disabling the various bits and pieces that make up spamassassin?

---

Alex Neuman
Reliant Technologies
+507 6781-9505
Skype: alexneuman

On Sep 12, 2008, at 11:52 AM, Ben Tisdall wrote:

> Hello all.
>
> I am edging slowly towards the tearing my hair out phase...
>
> I cannot seem to diagnose why an MS box due for installation soon is
> performing much more poorly than its soon to be predecessor & indeed my
> personal MS box running on desktop hardware.
>
> I'll use my personal box (let's call it desky) for comparison purposes here:
>
> BigOne
> ======
>
> 2 x Xeon dual core 3GHz
> 2G RAM
> 2 x 15K SCSI
> Hardware RAID 1 (Smart Array 5i)
> Exim
> Caching dns
>
> Linux newacorn 2.6.18-92.1.10.el5 #1 SMP Tue Aug 5 07:41:53 EDT 2008 i686 i686 i386 GNU/Linux
> This is CentOS release 5.2 (Final)
> This is Perl version 5.008008 (5.8.8)
> This is MailScanner version 4.71.10
>
> Desky
> =====
>
> Athlon 64 3200
> 500MB RAM
> 7.2K SATA HD
> Software RAID 1
> Exim
> Caching dns
>
> Linux jitter 2.6.18-92.1.6.el5 #1 SMP Wed Jun 25 13:49:24 EDT 2008 i686 athlon i386 GNU/Linux
> This is CentOS release 5.2 (Final)
> This is Perl version 5.008008 (5.8.8)
> This is MailScanner version 4.67.6
>
> AND just to add insult to injury for my capabilities as sysadmin, BigOne
> is sitting in a dc with good connectivity & Desky is sitting on the end
> of an adsl line!
>
> For testing purposes I have BigOne acting as the primary MX for my
> personal mail domain & forwarding on to Desky. I can mail myself & tail
> the various logs (speed logging enabled of course) to get a feel for how
> quickly individual messages are processed.
>
> Both boxes are running dcc, pyzor & razor2, the fw allows established
> connections back in, no timeouts. But in any case even with these
> disabled the difference remains.
>
> These are some fairly typical (processed) lines of output from the two
> boxes (message sent from gmail).
>
> BigOne:
>
> 17:42:09 Spam Checks completed at 2523 bytes per second
>
> Desky:
>
> 17:42:17 Spam Checks completed at 5672 bytes per second
>
> Often the difference is much greater in Desky's favour.
>
> BigOne is supposed to go into production next week processing 20k per
> day, as things stand I'm not sure it'll hold up.
>
> Any pointers very gratefully received!
>
> Best regards,
>
> Ben.
>
> --
> Ben Tisdall
> Linux Systems Administrator | www.photobox.com

From dnsadmin at 1bigthink.com Fri Sep 12 18:34:38 2008
From: dnsadmin at 1bigthink.com (dnsadmin 1bigthink.com)
Date: Fri Sep 12 18:34:55 2008
Subject: Desperately trying to debug poor spam scanning performance
In-Reply-To: <48CA9E61.7080506@photobox.com>
References: <48CA9E61.7080506@photobox.com>
Message-ID: <200809121734.m8CHYl15006344@mxt.1bigthink.com>

At 12:52 PM 9/12/2008, you wrote:
>Hello all.
>
>I am edging slowly towards the tearing my hair out phase...
>
>I cannot seem to diagnose why an MS box due for installation soon is
>performing much more poorly than its soon to be predecessor & indeed my
>personal MS box running on desktop hardware.
>
>I'll use my personal box (let's call it desky) for comparison purposes here:
>
>BigOne
>======
>
>2 x Xeon dual core 3GHz
>2G RAM
>2 x 15K SCSI
>Hardware RAID 1 (Smart Array 5i)
>Exim
>Caching dns
>
>Linux newacorn 2.6.18-92.1.10.el5 #1 SMP Tue Aug 5 07:41:53 EDT 2008 i686 i686 i386 GNU/Linux
>This is CentOS release 5.2 (Final)
>This is Perl version 5.008008 (5.8.8)
>This is MailScanner version 4.71.10
>
>Desky
>=====
>
>Athlon 64 3200
>500MB RAM
>7.2K SATA HD
>Software RAID 1
>Exim
>Caching dns
>
>Linux jitter 2.6.18-92.1.6.el5 #1 SMP Wed Jun 25 13:49:24 EDT 2008 i686 athlon i386 GNU/Linux
>This is CentOS release 5.2 (Final)
>This is Perl version 5.008008 (5.8.8)
>This is MailScanner version 4.67.6
>
>AND just to add insult to injury for my capabilities as sysadmin, BigOne
>is sitting in a dc with good connectivity & Desky is sitting on the end
>of an adsl line!
>
>For testing purposes I have BigOne acting as the primary MX for my
>personal mail domain & forwarding on to Desky. I can mail myself & tail
>the various logs (speed logging enabled of course) to get a feel for how
>quickly individual messages are processed.
>
>Both boxes are running dcc, pyzor & razor2, the fw allows established
>connections back in, no timeouts. But in any case even with these
>disabled the difference remains.
>
>These are some fairly typical (processed) lines of output from the two
>boxes (message sent from gmail).
>
>BigOne:
>
>17:42:09 Spam Checks completed at 2523 bytes per second
>
>Desky:
>
>17:42:17 Spam Checks completed at 5672 bytes per second
>
>Often the difference is much greater in Desky's favour.
>
>BigOne is supposed to go into production next week processing 20k per
>day, as things stand I'm not sure it'll hold up.
>
>Any pointers very gratefully received!
>
>Best regards,
>
>Ben.

Hello Ben,

You didn't mention any particulars about OS or virus scanner engines..

We could probably help steer you just with that info.

From ben.tisdall at photobox.com Fri Sep 12 19:57:14 2008
From: ben.tisdall at photobox.com (Ben Tisdall)
Date: Fri Sep 12 19:57:36 2008
Subject: Desperately trying to debug poor spam scanning performance
In-Reply-To: <200809121734.m8CHYl15006344@mxt.1bigthink.com>
References: <48CA9E61.7080506@photobox.com> <200809121734.m8CHYl15006344@mxt.1bigthink.com>
Message-ID: <48CABB8A.8040405@photobox.com>

>
> Hello Ben,
>
> You didn't mention any particulars about OS or virus scanner engines..
>
> We could probably help steer you just with that info.
>

What kind of OS particulars did you have in mind beyond CentOS 5.2 i386?

It's running clamd 0.94 (installed from source), virus scanning performance is fine.

Best regards,

Ben.

--
Ben Tisdall
Linux Systems Administrator | www.photobox.com

From ben.tisdall at photobox.com Fri Sep 12 20:00:43 2008
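Added example (not part of any message in this archive, and not MailScanner code): the "Spam Checks completed at N bytes per second" lines in this thread and the "SpamAssassin timed out and was killed, failure N of M" lines quoted in the SpamAssassin timeout thread can both be pulled out of maillog mechanically, and the timeout case matters because those messages are logged as "not spam ... timed out" and pass unscored. The sample log is constructed on the pattern of the quoted lines; the syslog prefix on the speed lines and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the maillog lines quoted in these threads.
SAMPLE_LOG = """\
Sep 10 04:47:29 localhost MailScanner[11027]: Virus and Content Scanning: Starting
Sep 10 04:47:37 localhost MailScanner[8400]: SpamAssassin timed out and was killed, failure 8 of 20
Sep 10 04:47:37 localhost MailScanner[8680]: SpamAssassin timed out and was killed, failure 14 of 20
Sep 10 04:47:38 localhost MailScanner[8680]: Message 1KdAAA-000001-AA from 192.0.2.10 (a@example.org) to example.com is not spam, SpamAssassin (not cached, timed out)
Sep 10 04:47:38 localhost MailScanner[8400]: Message 1KdAAA-000002-BB from 192.0.2.11 (b@example.org) to example.com is not spam, SpamAssassin (not cached, timed out)
Sep 10 04:47:39 localhost MailScanner[8400]: Spam Checks completed at 2523 bytes per second
Sep 10 04:47:52 localhost MailScanner[8680]: SpamAssassin timed out and was killed, failure 15 of 20
Sep 10 04:47:53 localhost MailScanner[11027]: Message 1KdAAA-000003-CC from 192.0.2.12 (c@example.org) to example.com is not spam, SpamAssassin (not cached, score=1.2, required 5)
Sep 10 04:47:53 localhost MailScanner[11027]: Spam Checks completed at 5672 bytes per second
"""

_PREFIX = r"MailScanner\[(?P<pid>\d+)\]: "
TIMEOUT_RE = re.compile(
    _PREFIX + r"SpamAssassin timed out and was killed, failure (?P<n>\d+) of (?P<limit>\d+)"
)
UNSCORED_RE = re.compile(
    _PREFIX + r"Message (?P<msgid>\S+) from \S+ .*is not spam, SpamAssassin \([^)]*timed out\)"
)
SPEED_RE = re.compile(_PREFIX + r"Spam Checks completed at (?P<bps>\d+) bytes per second")


def summarise(log_text):
    """Collect timeout counters, unscored message IDs and spam-check speeds."""
    timeouts = {}               # pid -> (highest failure count seen, limit)
    unscored = []               # message IDs passed as "not spam" after a timeout
    speeds = defaultdict(list)  # pid -> [bytes per second, ...]
    for line in log_text.splitlines():
        m = TIMEOUT_RE.search(line)
        if m:
            pid, n, limit = int(m["pid"]), int(m["n"]), int(m["limit"])
            highest = max(n, timeouts.get(pid, (0, limit))[0])
            timeouts[pid] = (highest, limit)
            continue
        m = UNSCORED_RE.search(line)
        if m:
            unscored.append(m["msgid"])
            continue
        m = SPEED_RE.search(line)
        if m:
            speeds[int(m["pid"])].append(int(m["bps"]))
    return {"timeouts": timeouts, "unscored": unscored, "speed": dict(speeds)}


def near_limit(summary, fraction=0.5):
    """PIDs whose failure counter has reached the given fraction of its limit."""
    return sorted(
        pid
        for pid, (n, limit) in summary["timeouts"].items()
        if n >= fraction * limit
    )


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    print("unscored messages:", report["unscored"])
    print("children near the timeout limit:", near_limit(report))
    print("spam check speeds:", report["speed"])
```

The unscored message IDs are the ones worth re-checking by hand with `spamassassin -D -t`, as suggested in the timeout thread.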
From: ben.tisdall at photobox.com (Ben Tisdall)
Date: Fri Sep 12 20:00:52 2008
Subject: Desperately trying to debug poor spam scanning performance
In-Reply-To: <5A881BE9-B6B4-463D-BFE0-0D7FFF8C80F3@rtpty.com>
References: <48CA9E61.7080506@photobox.com> <5A881BE9-B6B4-463D-BFE0-0D7FFF8C80F3@rtpty.com>
Message-ID: <48CABC5B.2010603@photobox.com>

Alex Neuman van der Hans wrote:
> Have you tried disabling the various bits and pieces that make up
> spamassassin?
>

Thanks, I'll do that. In fact before I left the office I realised that the home box was missing:

Mail::SPF
Mail::SPF::Query

So presumably SA is skipping SPF checks there.

I'll diff out the output from MailScanner -V on the two boxes as soon as I can.

Best regards,

Ben.

--
Ben Tisdall
Linux Systems Administrator | www.photobox.com
Google Talk: ben.tisdall@gmail.com | skype: btisdall
+44 (0)20 8453 6161

From mark at msapiro.net Sat Sep 13 01:30:56 2008
From: mark at msapiro.net (Mark Sapiro)
Date: Sat Sep 13 01:31:07 2008
Subject: Help with rule
In-Reply-To: <24e3d2e40809111140m4b6d8f2dr1a9763fb0db62657@mail.gmail.com>
References: <48C95E70.1020400@amti.com.br> <22705875.581221157694921.JavaMail.SYSTEM@kc5goi-1> <24e3d2e40809111140m4b6d8f2dr1a9763fb0db62657@mail.gmail.com>
Message-ID: <20080913003056.GA2200@msapiro>

On Thu, Sep 11, 2008 at 01:40:15PM -0500, Alex Neuman wrote:
>
> Then at /etc/MailScanner/rules, create a file called a-quem-eu-bloco.rules
> that says:
>
> FromOrTo: default no
> From:alicia@dominio.com.br and To: roberto@dominio.com.br yes

Shouldn't those two lines be in the other order - i.e. the 'default' last?

--
Mark Sapiro mark at msapiro net       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From alex at rtpty.com Sat Sep 13 01:44:06 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Sat Sep 13 01:44:19 2008
Subject: Help with rule
In-Reply-To: <20080913003056.GA2200@msapiro>
References: <48C95E70.1020400@amti.com.br> <22705875.581221157694921.JavaMail.SYSTEM@kc5goi-1> <24e3d2e40809111140m4b6d8f2dr1a9763fb0db62657@mail.gmail.com> <20080913003056.GA2200@msapiro>
Message-ID: <140835AC-C50A-4939-8185-D5E5F4907C81@rtpty.com>

I believe Jules has already mentioned that the default line can be anywhere, but the point you make is valid from a logical point of view.

---

Alex Neuman
Reliant Technologies
+507 6781-9505
Skype: alexneuman

On Sep 12, 2008, at 7:30 PM, Mark Sapiro wrote:

> On Thu, Sep 11, 2008 at 01:40:15PM -0500, Alex Neuman wrote:
>>
>> Then at /etc/MailScanner/rules, create a file called a-quem-eu-bloco.rules
>> that says:
>>
>> FromOrTo: default no
>> From:alicia@dominio.com.br and To: roberto@dominio.com.br yes
>
> Shouldn't those two lines be in the other order - i.e. the 'default'
> last?
>
> --
> Mark Sapiro mark at msapiro net       The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan

From sandip.sinha at in.dclgroup.com Sat Sep 13 07:59:21 2008
From: sandip.sinha at in.dclgroup.com (sandip.sinha@in.dclgroup.com)
Date: Sat Sep 13 07:59:35 2008
Subject: Message contained archive nested too deeply
In-Reply-To: <6832C96C-54D7-40F1-80D4-9C11E7BC09AC@rtpty.com>
References: <6832C96C-54D7-40F1-80D4-9C11E7BC09AC@rtpty.com>
Message-ID: <44edf69fea4900789adfec373bae178b.squirrel@10.20.1.5>

It is with Office 2003 or Office 2007 files.

Thanks,
Sandip
Calcutta, India.

> Is it an office 2007 file?
>
> ---
>
> Alex Neuman
> Reliant Technologies
> +507 6781-9505
> Skype: alexneuman
>
> On Sep 12, 2008, at 5:12 AM, sandip.sinha@in.dclgroup.com wrote:
>
>> I have installed MailScanner in FC7 into our sendmail server. This works
>> fine. However I am facing one problem which I couldn't figure out.
>> For some attachments it gives the following error. The attachment does not
>> have any virus, does not have zip with zip. Still it gives the following
>> error.
>>
>> I want to know how to disable "Other Bad Content" scanning.
>>
>> ----------------------------------------------------------------------
>> The following e-mails were found to have: Other Bad Content Detected
>>
>> Sender: ss1@xxx.com
>> IP Address: 10.20.10.1
>> Recipient: ss2@xxx.com
>> Subject:
>> MessageID: m8CA6SYX000360
>> Quarantine: /var/spool/MailScanner/quarantine/20080912/m8CA6SYX000360
>> Report: MailScanner: Message contained archive nested too deeply
>> ----------------------------------------------------------------------
>>
>> Sandip
>> Calcutta, India.
From hvdkooij at vanderkooij.org Sat Sep 13 08:12:29 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Sat Sep 13 08:12:43 2008 Subject: Message contained archive nested too deeply In-Reply-To: References: Message-ID: <48CB67DD.8090404@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 sandip.sinha@in.dclgroup.com wrote: > I have installed MailScanner in FC7 into our sendmail server. This works > fine. However I am facing one problem which I couldn't able to figure out. > For some attachments it gives the following error. The attachment does not > have any virus, does not have zip with zip. Still it gives the folowing > error. > > I want to know how to disable "Other Bad Content " scanning . > > ---------------------------------------------------------------------- > The following e-mails were found to have: Other Bad Content Detected > > Sender: ss1@xxx.com > IP Address: 10.20.10.1 > Recipient: ss2@xxx.com > Subject: > MessageID: m8CA6SYX000360 > Quarantine: /var/spool/MailScanner/quarantine/20080912/m8CA6SYX000360 > Report: MailScanner: Message contained archive nested too deeply > ---------------------------------------------------------------------- The obvious thing to do now is to investigate WHY it is nested too deeply. What is your MailScanner setting? And what structure can you derive from the message? With that information you should also have knowledge about how to make changes in a sane way. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFIy2fcBvzDRVjxmYERAsrTAKCwZa957sDfpyZ6BWjRZQme+Y1WJwCgq7bm ZP5Ifwpn9uDdKvNsVynqmgw= =Q/l4 -----END PGP SIGNATURE----- From hvdkooij at vanderkooij.org Sat Sep 13 09:04:56 2008 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Sat Sep 13 09:05:04 2008 Subject: Error with EMTPY_MESSAGE Message-ID: <48CB7428.1030501@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, It seems to me that SA is flagging just about any message as EMPTY_MESSAGE. Is anyone else seeing this too? Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFIy3QmBvzDRVjxmYERAomuAKCLGijrO9DKZF74aYbVkJofD/WE0gCgiG1s 8Wuc4sVVtIJZV1OmdC5HBiA= =MG0w -----END PGP SIGNATURE----- From hvdkooij at vanderkooij.org Sat Sep 13 09:22:25 2008 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sat Sep 13 09:22:35 2008
Subject: Error with EMTPY_MESSAGE
In-Reply-To: <48CB7428.1030501@vanderkooij.org>
References: <48CB7428.1030501@vanderkooij.org>
Message-ID: <48CB7841.1070905@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hugo van der Kooij wrote:
> Hi,
>
> It seems to me that SA is flagging just about any message as EMPTY_MESSAGE.

Let's look at the lines:

# __MIME_ATTACHMENT also used in 20_meta_tests.cf
body __MIME_ATTACHMENT eval:check_for_mime('mime_attachment')
# __MIME_ATTACHMENT defined in 20_html_tests.cf
body __NONEMPTY_BODY /\S/
meta EMPTY_MESSAGE !__MIME_ATTACHMENT && !__NONEMPTY_BODY
describe EMPTY_MESSAGE Message appears to have no textual parts and no Subject: text

The description is incorrect in my view. The subject is not even tested.

I can not see that much else wrong. But it seems SA is still raising the flag.

A sample message taken from quarantine that is marked as EMPTY_MESSAGE:

Received: from linuxbox.org (linuxbox.org [24.155.83.21])
        by balin.waakhond.net (Postfix) with ESMTP id B5FE217E9086
        for ; Sat, 13 Sep 2008 09:34:45 +0200 (CEST)
Received: from linuxbox.org (ge@localhost.localdomain [127.0.0.1])
        by linuxbox.org (8.13.8/8.13.8/Debian-3) with ESMTP id m8D7Ye6a020101
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)
        for ; Sat, 13 Sep 2008 02:34:41 -0500
Received: from localhost (ge@localhost)
        by linuxbox.org (8.13.8/8.13.8/Submit) with ESMTP id m8D7YeFc020098
        for ; Sat, 13 Sep 2008 02:34:40 -0500
Date: Sat, 13 Sep 2008 02:34:40 -0500 (CDT)
From: Gadi Evron
To: Hugo van der Kooij
Subject: Re: community real-time BGP hijack notification service
In-Reply-To: <48CB64A5.3030109@vanderkooij.org>
Message-ID:
References: <48CB64A5.3030109@vanderkooij.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-1.7.5
        (linuxbox.org [127.0.0.1]); Sat, 13 Sep 2008 02:34:41 -0500 (CDT)

Thanks for the note! Will be fixed shortly.

On Sat, 13 Sep 2008, Hugo van der Kooij wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
....

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFIy3g/BvzDRVjxmYERAjV6AJ9RMkLrv7MK9BJIT6MshMhDpsTwUwCeKQHj
NUpXrtzTUEe/XPx7m8jtT30=
=IA1Q
-----END PGP SIGNATURE-----

From hvdkooij at vanderkooij.org Sat Sep 13 14:56:35 2008
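The EMPTY_MESSAGE meta rule quoted in the message above, emulated over constructed messages as an added example (not code from this thread, from MailScanner or from SpamAssassin). It follows the Mail::SpamAssassin::Conf description of `body` rules, which see the Subject as the first paragraph followed by the decoded text parts; treating `Content-Disposition: attachment` as the `mime_attachment` test is a simplifying assumption, and the addresses and messages are placeholders.

```python
import re
from email import message_from_bytes
from email.message import Message

NONEMPTY_BODY = re.compile(r"\S")  # same pattern as __NONEMPTY_BODY in the rule


def has_mime_attachment(msg: Message) -> bool:
    """Assumed stand-in for eval:check_for_mime('mime_attachment')."""
    return any(p.get_content_disposition() == "attachment" for p in msg.walk())


def rendered_body(msg: Message) -> str:
    """Approximate the text a `body` rule is matched against:
    the Subject first, then every decoded text part that is not an attachment."""
    chunks = [str(msg.get("Subject", ""))]
    for part in msg.walk():
        if part.is_multipart() or part.get_content_maintype() != "text":
            continue
        if part.get_content_disposition() == "attachment":
            continue
        raw = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "latin-1"
        try:
            chunks.append(raw.decode(charset, errors="replace"))
        except LookupError:  # unknown charset label
            chunks.append(raw.decode("latin-1"))
    return "\n".join(chunks)


def evaluate(raw_message: bytes) -> dict:
    """Return both sub-rules and the meta rule for one raw message."""
    msg = message_from_bytes(raw_message)
    attachment = has_mime_attachment(msg)
    nonempty = bool(NONEMPTY_BODY.search(rendered_body(msg)))
    return {
        "__MIME_ATTACHMENT": attachment,
        "__NONEMPTY_BODY": nonempty,
        # meta EMPTY_MESSAGE !__MIME_ATTACHMENT && !__NONEMPTY_BODY
        "EMPTY_MESSAGE": (not attachment) and (not nonempty),
    }


# Constructed samples. The first mirrors the shape of the quarantined message
# quoted above (plain text reply with a Subject); the last is what the rule
# would see if the decoding step in front of it produced no data at all.
SAMPLES = {
    "plain_text_reply": (
        b"From: sender@example.org\n"
        b"To: rcpt@example.org\n"
        b"Subject: Re: community real-time BGP hijack notification service\n"
        b"MIME-Version: 1.0\n"
        b"Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed\n"
        b"\n"
        b"Thanks for the note! Will be fixed shortly.\n"
    ),
    "no_subject_no_body": b"From: sender@example.org\nTo: rcpt@example.org\n\n",
    "subject_only": b"From: sender@example.org\nSubject: ping\n\n",
    "attachment_only": (
        b"From: sender@example.org\n"
        b"MIME-Version: 1.0\n"
        b'Content-Type: multipart/mixed; boundary="b1"\n'
        b"\n"
        b"--b1\n"
        b"Content-Type: application/octet-stream\n"
        b'Content-Disposition: attachment; filename="sample.bin"\n'
        b"Content-Transfer-Encoding: base64\n"
        b"\n"
        b"AAAA\n"
        b"--b1--\n"
    ),
    "zero_bytes_from_decoder": b"",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:26s} {evaluate(raw)}")
```

In this model a message shaped like the quarantined sample cannot satisfy the rule, so a hit on such a message suggests the rule was evaluated against an empty rendering, which is a reason to inspect the decoding step in front of SpamAssassin before the rule text.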
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Sat Sep 13 14:56:44 2008 Subject: Error with EMTPY_MESSAGE In-Reply-To: <48CB7428.1030501@vanderkooij.org> References: <48CB7428.1030501@vanderkooij.org> Message-ID: <48CBC693.6060806@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hugo van der Kooij wrote: > Hi, > > It seems to me that SA is flagging just about any message as EMPTY_MESSAGE. > > Is anyone else seeing this too? I just had quite a bit of a discussion about malware that just walks past MailScanner with multiple AV scanners active. It seems that it might be related to postfix. Where MailScanner is trying to decode postfix queue files but not doing the right thing. My result on 3 sample queue files was 0% through MailScanner. But decoding them with postcat allowed me to hit 100% of the files. So the issue may require all postfix users to look very carefully into their messages and the ability to scan them properly. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFIy8aRBvzDRVjxmYERAvCkAJsGvPm73uvJVXwQ1FNxFVhfeR18sgCgjkXZ B3hDRnyFl/314lU3TX+o6z4= =B8Is -----END PGP SIGNATURE----- From glenn.steen at gmail.com Sat Sep 13 15:42:23 2008 
From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Sep 13 15:42:33 2008 Subject: Error with EMTPY_MESSAGE In-Reply-To: <48CBC693.6060806@vanderkooij.org> References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> Message-ID: <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> 2008/9/13 Hugo van der Kooij : > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hugo van der Kooij wrote: >> Hi, >> >> It seems to me that SA is flagging just about any message as EMPTY_MESSAGE. >> >> Is anyone else seeing this too? > > I just had quite a bit of a discussion about malware that just walks > past MailScanner with multiple AV scanners active. > > It seems that it might be related to postfix. Where MailScanner is > trying to decode postfix queue files but not doing the right thing. > > My result on 3 sample queue files was 0% through MailScanner. But > decoding them with postcat allowed me to hit 100% of the files. > > So the issue may require all postfix users to look very carefully into > their messages and the ability to scan them properly. > > Hugo. > Can I get a sample, please? Send it off-list. Do you do milters? Which milters? Version of postfix? Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ms-list at alexb.ch Sat Sep 13 15:52:16 2008 
From: ms-list at alexb.ch (Alex Broens) Date: Sat Sep 13 15:52:32 2008 Subject: Error with EMTPY_MESSAGE In-Reply-To: <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> Message-ID: <48CBD3A0.1060908@alexb.ch> On 9/13/2008 4:42 PM, Glenn Steen wrote: > 2008/9/13 Hugo van der Kooij : >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Hugo van der Kooij wrote: >>> Hi, >>> >>> It seems to me that SA is flagging just about any message as EMPTY_MESSAGE. >>> >>> Is anyone else seeing this too? >> I just had quite a bit of a discussion about malware that just walks >> past MailScanner with multiple AV scanners active. >> >> It seems that it might be related to postfix. Where MailScanner is >> trying to decode postfix queue files but not doing the right thing. >> >> My result on 3 sample queue files was 0% through MailScanner. But >> decoding them with postcat allowed me to hit 100% of the files. >> >> So the issue may require all postfix users to look very carefully into >> their messages and the ability to scan them properly. >> >> Hugo. >> > Can I get a sample, please? Send it off-list. > Do you do milters? Which milters? Version of postfix? Glenn, I see this on Postfix 2.5.2 Snertsoft milter-link rejecting, no tagging, etc, so no modifying of the msg. If Hugo hasn't sent the samples, let me know. Alex From glenn.steen at gmail.com Sat Sep 13 16:47:20 2008 
From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Sep 13 16:47:30 2008 Subject: Error with EMTPY_MESSAGE In-Reply-To: <48CBD3A0.1060908@alexb.ch> References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBD3A0.1060908@alexb.ch> Message-ID: <223f97700809130847p9f2dc2em9a65b6a6490f186f@mail.gmail.com> 2008/9/13 Alex Broens : > On 9/13/2008 4:42 PM, Glenn Steen wrote: >> >> 2008/9/13 Hugo van der Kooij : >>> >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> Hugo van der Kooij wrote: >>>> >>>> Hi, >>>> >>>> It seems to me that SA is flagging just about any message as >>>> EMPTY_MESSAGE. >>>> >>>> Is anyone else seeing this too? >>> >>> I just had quite a bit of a discussion about malware that just walks >>> past MailScanner with multiple AV scanners active. >>> >>> It seems that it might be related to postfix. Where MailScanner is >>> trying to decode postfix queue files but not doing the right thing. >>> >>> My result on 3 sample queue files was 0% through MailScanner. But >>> decoding them with postcat allowed me to hit 100% of the files. >>> >>> So the issue may require all postfix users to look very carefully into >>> their messages and the ability to scan them properly. >>> >>> Hugo. >>> >> Can I get a sample, please? Send it off-list. >> Do you do milters? Which milters? Version of postfix? > > Glenn, I see this on Postfix 2.5.2 > Snertsoft milter-link rejecting, no tagging, etc, so no modifying of the > msg. > > If Hugo hasn't sent the samples, let me know. > > Alex > Thanks Alex (and Jules), I'll have a look ASAP! Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From Stefan.Fournier at gmx.de Sat Sep 13 16:56:14 2008 
From: Stefan.Fournier at gmx.de (Stefan Fournier) Date: Sat Sep 13 16:56:28 2008 Subject: New McAfee engine available In-Reply-To: <223f97700808270747x737d1e4fs3447df176d54fe7b@mail.gmail.com> References: <48B3182A.9080007@USherbrooke.ca> <223f97700808270747x737d1e4fs3447df176d54fe7b@mail.gmail.com> Message-ID: <48CBE29E.4090800@gmx.de> >> Denis >> > Since we're coming up to the "official release" now, this is timely:-). > Changes... "Leaner, faster, better ..." .... Normal seel-speak:-):-). > Seems to have a smaller memory footprint though. And is supposed to > handle docx and more archive formats (or was that selfextracting > formats...?). All in all a real easy upgrade. It's an easy upgrade and it's worth doing. We see a significantly lower load on our systems (decreased from around 6 to below 5). Cheers, Stefan -- Stefan.Fournier@gmx.de From hvdkooij at vanderkooij.org Sat Sep 13 18:46:18 2008 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Sat Sep 13 18:46:28 2008 Subject: Error with EMTPY_MESSAGE In-Reply-To: <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> Message-ID: <48CBFC6A.6050300@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Glenn Steen wrote: > 2008/9/13 Hugo van der Kooij : >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Hugo van der Kooij wrote: >>> Hi, >>> >>> It seems to me that SA is flagging just about any message as EMPTY_MESSAGE. >>> >>> Is anyone else seeing this too? >> I just had quite a bit of a discussion about malware that just walks >> past MailScanner with multiple AV scanners active. >> >> It seems that it might be related to postfix. Where MailScanner is >> trying to decode postfix queue files but not doing the right thing. >> >> My result on 3 sample queue files was 0% through MailScanner. But >> decoding them with postcat allowed me to hit 100% of the files. >> >> So the issue may require all postfix users to look very carefully into >> their messages and the ability to scan them properly. >> >> Hugo. >> > Can I get a sample, please? Send it off-list. > Do you do milters? Which milters? Version of postfix? I use postfix 2.3.2 as it is the normal shipped package for Centos 5. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFIy/w4BvzDRVjxmYERAn5YAJ9AdNuMzmtRng6ApE7jQ8gIrVd35QCgueXG vG5NfmOYhiRdb4QCgAGswBQ= =2b04 -----END PGP SIGNATURE----- From glenn.steen at gmail.com Sat Sep 13 19:12:10 2008 
From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Sep 13 19:12:21 2008 Subject: Error with EMTPY_MESSAGE In-Reply-To: <48CBFC6A.6050300@vanderkooij.org> References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> Message-ID: <223f97700809131112sc6d34basd6ba785f42114dcd@mail.gmail.com> 2008/9/13 Hugo van der Kooij : > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Glenn Steen wrote: >> 2008/9/13 Hugo van der Kooij : >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> Hugo van der Kooij wrote: >>>> Hi, >>>> >>>> It seems to me that SA is flagging just about any message as EMPTY_MESSAGE. >>>> >>>> Is anyone else seeing this too? >>> I just had quite a bit of a discussion about malware that just walks >>> past MailScanner with multiple AV scanners active. >>> >>> It seems that it might be related to postfix. Where MailScanner is >>> trying to decode postfix queue files but not doing the right thing. >>> >>> My result on 3 sample queue files was 0% through MailScanner. But >>> decoding them with postcat allowed me to hit 100% of the files. >>> >>> So the issue may require all postfix users to look very carefully into >>> their messages and the ability to scan them properly. >>> >>> Hugo. >>> >> Can I get a sample, please? Send it off-list. >> Do you do milters? Which milters? Version of postfix? > > I use postfix 2.3.2 as it is the normal shipped package for Centos 5. > > Hugo. > Just to give a little update: I've received queue files from Jules and Alex B. I've fed these through both a testbed and our current production .... And they simply worked as expected(!)... The zip-file they included got unpacked nicely, the filename _and_ filetype got it into the quarantine, as well as all my AVs firing like mad:-). This was on a Mandriva 2008.1 running perl 5.10.0 with MailScanner 4.71.10 ... 
latest stable and beta are essentially the same, so ... I'm leaning toward this being related to CentOS 5.2, possibly the relevant perl modules. Further than that is pretty hard for me to check, since I cannot reproduce the problem. I might get onto Alex's testbed, to do some further debugging... But I do suggest that you who have a CentOS 5.2 box and are affected by the "non-unpacking" (should be easily determined... look for "Your internet access is going to get suspended" subjects that are either improperly unpacked (in the quarantine) or that slip by entirely... grab one and start feeding it through your system, varying your perl modules (mainly MIME-Tools related stuff, I'd guess). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Sat Sep 13 19:16:38 2008 
From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Sep 13 19:16:48 2008 Subject: Error with EMTPY_MESSAGE In-Reply-To: <223f97700809131112sc6d34basd6ba785f42114dcd@mail.gmail.com> References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <223f97700809131112sc6d34basd6ba785f42114dcd@mail.gmail.com> Message-ID: <223f97700809131116v56a9946dkaa3d569a827ca2ec@mail.gmail.com> 2008/9/13 Glenn Steen : > 2008/9/13 Hugo van der Kooij : >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Glenn Steen wrote: >>> 2008/9/13 Hugo van der Kooij : >>>> -----BEGIN PGP SIGNED MESSAGE----- >>>> Hash: SHA1 >>>> >>>> Hugo van der Kooij wrote: >>>>> Hi, >>>>> >>>>> It seems to me that SA is flagging just about any message as EMPTY_MESSAGE. >>>>> >>>>> Is anyone else seeing this too? >>>> I just had quite a bit of a discussion about malware that just walks >>>> past MailScanner with multiple AV scanners active. >>>> >>>> It seems that it might be related to postfix. Where MailScanner is >>>> trying to decode postfix queue files but not doing the right thing. >>>> >>>> My result on 3 sample queue files was 0% through MailScanner. But >>>> decoding them with postcat allowed me to hit 100% of the files. >>>> >>>> So the issue may require all postfix users to look very carefully into >>>> their messages and the ability to scan them properly. >>>> >>>> Hugo. >>>> >>> Can I get a sample, please? Send it off-list. >>> Do you do milters? Which milters? Version of postfix? >> >> I use postfix 2.3.2 as it is the normal shipped package for Centos 5. >> >> Hugo. >> > Just to give a little update: > > I've received queue files from Jules and Alex B. I've fed these > through both a testbed and our current production .... And they simply > worked as expected(!)... 
The zip-file they included got unpacked > nicely, the filename _and_ filetype got it into the quarantine, as > well as all my AVs firing like mad:-). > This was on a Mandriva 2008.1 running perl 5.10.0 with MailScanner > 4.71.10 ... latest stable and beta are essentially the same, so ... > > I'm leaning toward this being related to CentOS 5.2, possibly the > relevant perl modules. > Further than that is pretty hard for me to check, since I cannot > reproduce the problem. > I might get onto Alexs' testbed, to do some further debuging... But I > do suggest that you who have a CentOS 5.2 box and are affected by the > "non-unpacking" (should be easily determined... look for "Your > internet access is going to get suspended" subjects that are either > improperly unpacked (in the quarantine) or that slip by entirely... > grab one and start feeding it through your system, varying your perl > modules (mainly MIME-Tools related stuff, I'd guess). > BTW... I've not seen the EMPTY_MESSAGE rule firing at all... Other than a few truly empty messages... Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Sat Sep 13 19:56:37 2008 
From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Sep 13 19:56:48 2008 Subject: Error with EMTPY_MESSAGE In-Reply-To: <223f97700809131116v56a9946dkaa3d569a827ca2ec@mail.gmail.com> References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <223f97700809131112sc6d34basd6ba785f42114dcd@mail.gmail.com> <223f97700809131116v56a9946dkaa3d569a827ca2ec@mail.gmail.com> Message-ID: <223f97700809131156s3f7abd4cq9366ec7365fb0506@mail.gmail.com> 2008/9/13 Glenn Steen : (snip) In case you who are affected need something to compare to that works, this is my MailScanner -V .... # MailScanner -V Running on Linux apmx07.ap1.se 2.6.24.5-server-1mnb #1 SMP Tue May 27 13:02:55 EDT 2008 i686 Intel(R) Xeon(R) CPU 5110 @ 1.60GHz GNU/Linux This is Mandriva Linux release 2008.1 (Official) for i586 This is Perl version 5.010000 (5.10.0) This is MailScanner version 4.71.10 Module versions are: 1.00 AnyDBM_File 1.23 Archive::Zip 0.22 bignum 1.08 Carp 2.008 Compress::Zlib 1.119 Convert::BinHex 0.17 Convert::TNEF 2.121_14 Data::Dumper 2.27 Date::Parse 1.01 DirHandle 1.06 Fcntl 2.76 File::Basename 2.11 File::Copy 2.01 FileHandle 2.04 File::Path 0.18 File::Temp 0.90 Filesys::Df 1.35 HTML::Entities 3.56 HTML::Parser 2.37 HTML::TokeParser 1.23_01 IO 1.14 IO::File 1.13 IO::Pipe 2.02 Mail::Header 1.88 Math::BigInt 0.21 Math::BigRat 3.07_01 MIME::Base64 5.425 MIME::Decoder 5.425 MIME::Decoder::UU 5.425 MIME::Head 5.425 MIME::Parser 3.07 MIME::QuotedPrint 5.425 MIME::Tools 0.11 Net::CIDR 1.25 Net::IP 0.16 OLE::Storage_Lite 1.04 Pod::Escapes 3.05 Pod::Simple 1.13 POSIX 1.19 Scalar::Util 1.80 Socket 2.18 Storable 1.4 Sys::Hostname::Long 0.22 Sys::Syslog 1.26 Test::Pod 0.72 Test::Simple 1.9711 Time::HiRes 1.02 Time::localtime Optional module versions are: 1.38 Archive::Tar 0.22 bignum 1.82 Business::ISBN 1.10 Business::ISBN::Data 1.08 Data::Dump 1.816 DB_File 1.14 DBD::SQLite 1.602 
DBI 1.15 Digest 1.01 Digest::HMAC 2.36_01 Digest::MD5 2.11 Digest::SHA1 1.00 Encode::Detect 0.17012 Error 0.22 ExtUtils::CBuilder 2.19 ExtUtils::ParseXS 2.37 Getopt::Long 0.44 Inline 1.08 IO::String 1.07 IO::Zlib 2.23 IP::Country 0.22 Mail::ClamAV 3.002005 Mail::SpamAssassin v2.005 Mail::SPF 1.999001 Mail::SPF::Query 0.2808 Module::Build 0.20 Net::CIDR::Lite 0.63 Net::DNS 0.002.2 Net::DNS::Resolver::Programmable 0.37 Net::LDAP 4.007 NetAddr::IP 1.94 Parse::RecDescent missing SAVI 2.64 Test::Harness 0.95 Test::Manifest 2.0.0 Text::Balanced 1.35 URI 0.74 version 0.62 YAML Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From hvdkooij at vanderkooij.org Sat Sep 13 21:48:26 2008 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Sat Sep 13 21:48:38 2008 Subject: Error with EMTPY_MESSAGE In-Reply-To: <223f97700809131156s3f7abd4cq9366ec7365fb0506@mail.gmail.com> References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <223f97700809131112sc6d34basd6ba785f42114dcd@mail.gmail.com> <223f97700809131116v56a9946dkaa3d569a827ca2ec@mail.gmail.com> <223f97700809131156s3f7abd4cq9366ec7365fb0506@mail.gmail.com> Message-ID: <48CC271A.7060402@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Running on Linux balin.waakhond.net 2.6.18-92.1.10.el5PAE #1 SMP Tue Aug 5 08:14:05 EDT 2008 i686 i686 i386 GNU/Linux This is CentOS release 5.2 (Final) This is Perl version 5.008008 (5.8.8) This is MailScanner version 4.71.10 Module versions are: 1.00 AnyDBM_File 1.23 Archive::Zip 0.17 bignum 1.04 Carp 2.011 Compress::Zlib 1.119 Convert::BinHex 0.17 Convert::TNEF 2.121_08 Data::Dumper 2.27 Date::Parse 1.00 DirHandle 1.05 Fcntl 2.74 File::Basename 2.09 File::Copy 2.01 FileHandle 1.08 File::Path 0.16 File::Temp 0.92 Filesys::Df 1.35 HTML::Entities 3.56 HTML::Parser 2.37 HTML::TokeParser 1.23 IO 1.14 IO::File 1.13 IO::Pipe 2.03 Mail::Header 1.77 Math::BigInt 0.15 Math::BigRat 3.07 MIME::Base64 5.424 MIME::Decoder 5.424 MIME::Decoder::UU 5.424 MIME::Head 5.424 MIME::Parser 3.07 MIME::QuotedPrint 5.424 MIME::Tools 0.11 Net::CIDR 1.25 Net::IP 0.16 OLE::Storage_Lite missing Pod::Escapes missing Pod::Simple 1.09 POSIX 1.18 Scalar::Util 1.78 Socket 2.15 Storable 1.4 Sys::Hostname::Long 0.13 Sys::Syslog missing Test::Pod 0.62 Test::Simple 1.86 Time::HiRes 1.02 Time::localtime Optional module versions are: 1.38 Archive::Tar 0.17 bignum missing Business::ISBN missing Business::ISBN::Data missing Data::Dump 1.814 DB_File 1.14 DBD::SQLite 1.605 DBI 1.14 Digest 1.01 Digest::HMAC 2.36 Digest::MD5 2.11 Digest::SHA1 1.01 Encode::Detect 
0.17014 Error missing ExtUtils::CBuilder missing ExtUtils::ParseXS 2.35 Getopt::Long 0.44 Inline missing IO::String 1.09 IO::Zlib 2.24 IP::Country missing Mail::ClamAV 3.002005 Mail::SpamAssassin v2.005 Mail::SPF missing Mail::SPF::Query missing Module::Build 0.20 Net::CIDR::Lite 0.63 Net::DNS missing Net::DNS::Resolver::Programmable missing Net::LDAP 4.007 NetAddr::IP missing Parse::RecDescent missing SAVI 2.56 Test::Harness missing Test::Manifest 1.95 Text::Balanced 1.35 URI 0.74 version missing YAML - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFIzCcYBvzDRVjxmYERAuUbAJkB4X1GjAschWIBjTVQ4LqvNHlZ2QCeIYEB M/3ZJKhMVEmT5Bh4l10DA3k= =aAxU -----END PGP SIGNATURE----- From hvdkooij at vanderkooij.org Sat Sep 13 22:06:02 2008 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Sat Sep 13 22:06:14 2008 Subject: Error with EMTPY_MESSAGE In-Reply-To: <223f97700809131112sc6d34basd6ba785f42114dcd@mail.gmail.com> References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <223f97700809131112sc6d34basd6ba785f42114dcd@mail.gmail.com> Message-ID: <48CC2B3A.5010904@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Glenn Steen wrote: > 2008/9/13 Hugo van der Kooij : >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Glenn Steen wrote: >>> 2008/9/13 Hugo van der Kooij : >>>> -----BEGIN PGP SIGNED MESSAGE----- >>>> Hash: SHA1 >>>> >>>> Hugo van der Kooij wrote: >>>>> Hi, >>>>> >>>>> It seems to me that SA is flagging just about any message as EMPTY_MESSAGE. >>>>> >>>>> Is anyone else seeing this too? >>>> I just had quite a bit of a discussion about malware that just walks >>>> past MailScanner with multiple AV scanners active. >>>> >>>> It seems that it might be related to postfix. Where MailScanner is >>>> trying to decode postfix queue files but not doing the right thing. >>>> >>>> My result on 3 sample queue files was 0% through MailScanner. But >>>> decoding them with postcat allowed me to hit 100% of the files. >>>> >>>> So the issue may require all postfix users to look very carefully into >>>> their messages and the ability to scan them properly. >>>> >>>> Hugo. >>>> >>> Can I get a sample, please? Send it off-list. >>> Do you do milters? Which milters? Version of postfix? >> I use postfix 2.3.2 as it is the normal shipped package for Centos 5. >> >> Hugo. >> > Just to give a little update: > > I've received queue files from Jules and Alex B. I've fed these > through both a testbed and our current production .... And they simply > worked as expected(!)... 
The zip-file they included got unpacked > nicely, the filename _and_ filetype got it into the quarantine, as > well as all my AVs firing like mad:-). > This was on a Mandriva 2008.1 running perl 5.10.0 with MailScanner > 4.71.10 ... latest stable and beta are essentially the same, so ... > > I'm leaning toward this being related to CentOS 5.2, possibly the > relevant perl modules. It seems you are using the perl interface to ClamAV and not clamd or anything else. That would at least have an impact on how things are called and how they are parsed in part. > Further than that is pretty hard for me to check, since I cannot > reproduce the problem. If you can setup a Centos 5 virtual machine you could give it a spin. See if it is something obvious we are all overlooking. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFIzCs4BvzDRVjxmYERAqsDAJwME5hS5CgGDL/oLfpfFs3sRLDtbACgknw0 H6MML15R0o3K+w8U4Nde0II= =w3EG -----END PGP SIGNATURE----- From ms-list at alexb.ch Sat Sep 13 22:06:50 2008 
From: ms-list at alexb.ch (Alex Broens) Date: Sat Sep 13 22:07:09 2008 Subject: Postfix support failing In-Reply-To: <223f97700809131343q13469d6cq392904d19d0879d3@mail.gmail.com> References: <48CBD694.9020401@ecs.soton.ac.uk> <48CC22A5.8010604@ecs.soton.ac.uk> <223f97700809131343q13469d6cq392904d19d0879d3@mail.gmail.com> Message-ID: <48CC2B6A.8040102@alexb.ch> On 9/13/2008 10:43 PM, Glenn Steen wrote: > 2008/9/13 Julian Field : >> Got something for you both to try out: >> >> Edit /usr/lib/MailScanner/MailScanner/Message.pm. >> In there, around line 2134, you will find a mention of "ReadMessageHandle". > Mine is on line 2126... lines leading up to it is: > $handle = IO::File->new_tmpfile or die "Your /tmp needs to be set > to \"chmod 1755 /tmp\""; > binmode($handle); > $this->{store}->ReadMessageHandle($this, $handle) or return; > + $handle->seek(0,0); # Rewind the file > > Correct place? >> On the next line, add this: >> $handle->seek(0,0); # Rewind the file >> >> Then restart MailScanner and see if it behaves any better. >> >> Please let me know how you get on. > We'll see in a moment.... Working with normal messages... stopping... > inserting your "affected" queue file... Still Just Works(tm). So the > rewind seems to break nothing:-). > Good News. Now all needed is that Alex and Hugo get their systems > cured by the same means:-):-). # # This is for sendmail and Exim systems # $handle = IO::File->new_tmpfile or die "Your /tmp needs to be set to \"chmod 1755 /tmp\""; binmode($handle); $this->{store}->ReadMessageHandle($this, $handle) or return; ## ADDED HACK BY JULES 9/13/2008 $handle->seek(0,0); # Rewind the file no change.. my 5 sample msgs weren't detected - hmpf (yes I did restart MS) Hugo? - want these 5 samples? you have the web uri to pick them up. ball over Alex From glenn.steen at gmail.com Sat Sep 13 22:26:10 2008 
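Review bot: the added `$handle->seek(0,0);` is the only call in this sequence whose result is ignored, and in the copy pasted at the end of this message it sits under the comment "This is for sendmail and Exim systems", while the thread it is meant to fix concerns Postfix queue files. The preceding ReadMessageHandle call already bails out with `or return`, so the rewind could do the same (`$handle->seek(0,0) or return;`) instead of letting a failed seek pass silently into parsing. It is also worth confirming whether the Postfix read path goes through this block at all, or whether it needs the same rewind where its own handle is produced. The comment "Rewind the file" would be more useful if it said why the handle is not already at offset 0 at this point.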
From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Sep 13 22:26:19 2008 Subject: Error with EMTPY_MESSAGE In-Reply-To: <48CC2B3A.5010904@vanderkooij.org> References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <223f97700809131112sc6d34basd6ba785f42114dcd@mail.gmail.com> <48CC2B3A.5010904@vanderkooij.org> Message-ID: <223f97700809131426o8d87d72g531559682193b670@mail.gmail.com> 2008/9/13 Hugo van der Kooij : > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Glenn Steen wrote: >> 2008/9/13 Hugo van der Kooij : >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> Glenn Steen wrote: >>>> 2008/9/13 Hugo van der Kooij : >>>>> -----BEGIN PGP SIGNED MESSAGE----- >>>>> Hash: SHA1 >>>>> >>>>> Hugo van der Kooij wrote: >>>>>> Hi, >>>>>> >>>>>> It seems to me that SA is flagging just about any message as EMPTY_MESSAGE. >>>>>> >>>>>> Is anyone else seeing this too? >>>>> I just had quite a bit of a discussion about malware that just walks >>>>> past MailScanner with multiple AV scanners active. >>>>> >>>>> It seems that it might be related to postfix. Where MailScanner is >>>>> trying to decode postfix queue files but not doing the right thing. >>>>> >>>>> My result on 3 sample queue files was 0% through MailScanner. But >>>>> decoding them with postcat allowed me to hit 100% of the files. >>>>> >>>>> So the issue may require all postfix users to look very carefully into >>>>> their messages and the ability to scan them properly. >>>>> >>>>> Hugo. >>>>> >>>> Can I get a sample, please? Send it off-list. >>>> Do you do milters? Which milters? Version of postfix? >>> I use postfix 2.3.2 as it is the normal shipped package for Centos 5. >>> >>> Hugo. >>> >> Just to give a little update: >> >> I've received queue files from Jules and Alex B. I've fed these >> through both a testbed and our current production .... 
And they simply >> worked as expected(!)... The zip-file they included got unpacked >> nicely, the filename _and_ filetype got it into the quarantine, as >> well as all my AVs firing like mad:-). >> This was on a Mandriva 2008.1 running perl 5.10.0 with MailScanner >> 4.71.10 ... latest stable and beta are essentially the same, so ... >> >> I'm leaning toward this being related to CentOS 5.2, possibly the >> relevant perl modules. > > It seems you are using the perl interface to ClamAV and not clamd or > anything else. That would at least have an impact on how things are > called and how they are parsed in part. Nope. I've just got the Mail::ClamAV module installed;-)... I'm using clamd, and am very happy about it too;). Actually, I tend to install _all_ the optional modules, regardless if I use them or not. Sure, a maintenance overhead, but then ... they're there when/if I decide to use a function that actually need 'em. >> Further than that is pretty hard for me to check, since I cannot >> reproduce the problem. > > If you can setup a Centos 5 virtual machine you could give it a spin. > See if it is something obvious we are all overlooking. I've been in shortly on Alex testbed... Nothing exactly stood out... Apart from not working, it looked fine:-). Did you get the "fixlet" Jules gave me and Alex? Seems to be ineffectual for Alex. then again... Jules removed the mailscanner rpm, reinstalled it (via rpm -Uvh) and copied in his MailScanner.conf ... and that seemed to "cure" it for him. Which seems like a very very odd thing indeed. What happens if you do similarly? (remember to save a copy of /etc/MailScanner first;-). > Hugo. > Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From hvdkooij at vanderkooij.org Sun Sep 14 10:52:51 2008 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Sun Sep 14 10:53:01 2008 Subject: Error with EMTPY_MESSAGE In-Reply-To: <223f97700809131112sc6d34basd6ba785f42114dcd@mail.gmail.com> References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <223f97700809131112sc6d34basd6ba785f42114dcd@mail.gmail.com> Message-ID: <48CCDEF3.9060903@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Glenn Steen wrote: > 2008/9/13 Hugo van der Kooij : >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Glenn Steen wrote: >>> 2008/9/13 Hugo van der Kooij : >>>> -----BEGIN PGP SIGNED MESSAGE----- >>>> Hash: SHA1 >>>> >>>> Hugo van der Kooij wrote: >>>>> Hi, >>>>> >>>>> It seems to me that SA is flagging just about any message as EMPTY_MESSAGE. >>>>> >>>>> Is anyone else seeing this too? >>>> I just had quite a bit of a discussion about malware that just walks >>>> past MailScanner with multiple AV scanners active. >>>> >>>> It seems that it might be related to postfix. Where MailScanner is >>>> trying to decode postfix queue files but not doing the right thing. >>>> >>>> My result on 3 sample queue files was 0% through MailScanner. But >>>> decoding them with postcat allowed me to hit 100% of the files. >>>> >>>> So the issue may require all postfix users to look very carefully into >>>> their messages and the ability to scan them properly. >>>> >>>> Hugo. >>>> >>> Can I get a sample, please? Send it off-list. >>> Do you do milters? Which milters? Version of postfix? >> I use postfix 2.3.2 as it is the normal shipped package for Centos 5. >> >> Hugo. >> > Just to give a little update: > > I've received queue files from Jules and Alex B. I've fed these > through both a testbed and our current production .... And they simply > worked as expected(!)... 
The zip-file they included got unpacked > nicely, the filename _and_ filetype got it into the quarantine, as > well as all my AVs firing like mad:-). > This was on a Mandriva 2008.1 running perl 5.10.0 with MailScanner > 4.71.10 ... latest stable and beta are essentially the same, so ... > > I'm leaning toward this being related to CentOS 5.2, possibly the > relevant perl modules. > Further than that is pretty hard for me to check, since I cannot > reproduce the problem. > I might get onto Alexs' testbed, to do some further debuging... But I > do suggest that you who have a CentOS 5.2 box and are affected by the > "non-unpacking" (should be easily determined... look for "Your > internet access is going to get suspended" subjects that are either > improperly unpacked (in the quarantine) or that slip by entirely... > grab one and start feeding it through your system, varying your perl > modules (mainly MIME-Tools related stuff, I'd guess). I have only seen the issue with queue files from Alex. And the odd EMPTY_MESSAGE report I found myself. I shoot down almost all other stuff on non FQDN issues and blacklisting dialup networks based on keywords in their hostname in postfix itself. So I can not recall to have seen messages sneak past with attachments in them. The attachment thing might be a combined thing of a new postfix building queue files slightly differently. But beyond the test messages I have never seen that issue arise. But if a beta version can be created that allows one to use postcat instead of a native MailScanner parser of the raw queue file just to see if it is a factor then I can test that as my MailScanner server is pretty low in traffic. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFIzN7xBvzDRVjxmYERAlOdAKCgYBH+AJv2Q1AwNuaSAzD+ECHUNQCePPbG 09dq9O9VarfSUJryJ6l1Wcs= =Mz1W -----END PGP SIGNATURE----- From ms-list at alexb.ch Sun Sep 14 11:33:20 2008 
From: ms-list at alexb.ch (Alex Broens) Date: Sun Sep 14 11:33:33 2008 Subject: Error with EMTPY_MESSAGE In-Reply-To: <48CCDEF3.9060903@vanderkooij.org> References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <223f97700809131112sc6d34basd6ba785f42114dcd@mail.gmail.com> <48CCDEF3.9060903@vanderkooij.org> Message-ID: <48CCE870.2030605@alexb.ch> On 9/14/2008 11:52 AM, Hugo van der Kooij wrote: > I have only seen the issue with queue files from Alex. And the odd > EMPTY_MESSAGE report I found myself. > > I shoot down almost all other stuff on non FQDN issues and blacklisting > dialup networks based on keywords in their hostname in postfix itself. > So I can not recall to have seen messages sneak past with attachments in > them. all the samples I have are coming into this trap box from this kind of hosts I'd normally reject as well. After the last "setup.exe" type of fix Jules suggested, there are less messages being skipped. The "infected.zip" samples still aren't detected. Have little hope we'll ever find the reason for this. > The attachment thing might be a combined thing of a new postfix building > queue files slightly differently. But beyond the test messages I have > never seen that issue arise. > > But if a beta version can be created that allows one to use postcat > instead of a native MailScanner parser of the raw queue file just to see > if it is a factor then I can test that as my MailScanner server is > pretty low in traffic. I'm for this as well. My test box has enough crappy traffic to put it thru its paces, and I can get more if required. Who knows, it could also turn out to be an alternative for low traffic setups as I don't imagine postcat would scale too well. Alex From glenn.steen at gmail.com Sun Sep 14 12:04:48 2008 
From: glenn.steen at gmail.com (Glenn Steen) Date: Sun Sep 14 12:04:58 2008 Subject: Error with EMTPY_MESSAGE In-Reply-To: <48CCDEF3.9060903@vanderkooij.org> References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <223f97700809131112sc6d34basd6ba785f42114dcd@mail.gmail.com> <48CCDEF3.9060903@vanderkooij.org> Message-ID: <223f97700809140404v7caa0216q1ab03d4472222924@mail.gmail.com> 2008/9/14 Hugo van der Kooij : > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Glenn Steen wrote: >> 2008/9/13 Hugo van der Kooij : >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> Glenn Steen wrote: >>>> 2008/9/13 Hugo van der Kooij : >>>>> -----BEGIN PGP SIGNED MESSAGE----- >>>>> Hash: SHA1 >>>>> >>>>> Hugo van der Kooij wrote: >>>>>> Hi, >>>>>> >>>>>> It seems to me that SA is flagging just about any message as EMPTY_MESSAGE. >>>>>> >>>>>> Is anyone else seeing this too? >>>>> I just had quite a bit of a discussion about malware that just walks >>>>> past MailScanner with multiple AV scanners active. >>>>> >>>>> It seems that it might be related to postfix. Where MailScanner is >>>>> trying to decode postfix queue files but not doing the right thing. >>>>> >>>>> My result on 3 sample queue files was 0% through MailScanner. But >>>>> decoding them with postcat allowed me to hit 100% of the files. >>>>> >>>>> So the issue may require all postfix users to look very carefully into >>>>> their messages and the ability to scan them properly. >>>>> >>>>> Hugo. >>>>> >>>> Can I get a sample, please? Send it off-list. >>>> Do you do milters? Which milters? Version of postfix? >>> I use postfix 2.3.2 as it is the normal shipped package for Centos 5. >>> >>> Hugo. >>> >> Just to give a little update: >> >> I've received queue files from Jules and Alex B. I've fed these >> through both a testbed and our current production .... 
And they simply >> worked as expected(!)... The zip-file they included got unpacked >> nicely, the filename _and_ filetype got it into the quarantine, as >> well as all my AVs firing like mad:-). >> This was on a Mandriva 2008.1 running perl 5.10.0 with MailScanner >> 4.71.10 ... latest stable and beta are essentially the same, so ... >> >> I'm leaning toward this being related to CentOS 5.2, possibly the >> relevant perl modules. >> Further than that is pretty hard for me to check, since I cannot >> reproduce the problem. >> I might get onto Alexs' testbed, to do some further debugging... But I >> do suggest that you who have a CentOS 5.2 box and are affected by the >> "non-unpacking" (should be easily determined... look for "Your >> internet access is going to get suspended" subjects that are either >> improperly unpacked (in the quarantine) or that slip by entirely... >> grab one and start feeding it through your system, varying your perl >> modules (mainly MIME-Tools related stuff, I'd guess). > > I have only seen the issue with queue files from Alex. And the odd > EMPTY_MESSAGE report I found myself. Yes, well... they seem to be indications of the same thing. So far only observed on CentOS 5.2 boxes (I've had reports that it's working OK on Slackware as well as Mandriva). The problem is that the "exploding" of the message as read from the queue file fails. It simply returns nothing. Not that the message is malformed in any special way. Since I don't have this problem (with Alex files), I can't go much further there. > I shoot down almost all other stuff on non FQDN issues and blacklisting > dialup networks based on keywords in their hostname in postfix itself. > So I can not recall to have seen messages sneak past with attachments in > them. As do we all, so it is a very marginal thing, if a problem at all. I think:-). > The attachment thing might be a combined thing of a new postfix building > queue files slightly differently. 
But beyond the test messages I have > never seen that issue arise. There is no difference that the queue file decoding code would fall afoul of. The same code Just Work(tm) for me on my testbeds (and on my production, used for reference during my testing:-). > But if a beta version can be created that allows one to use postcat > instead of a native MailScanner parser of the raw queue file just to see > if it is a factor then I can test that as my MailScanner server is > pretty low in traffic. Not really doable, not really where the problem is at, unfortunately. It's more insidious than that:-). > Hugo. > Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ms-list at alexb.ch Sun Sep 14 12:37:01 2008 
From: ms-list at alexb.ch (Alex Broens) Date: Sun Sep 14 12:37:13 2008 Subject: Error with EMTPY_MESSAGE In-Reply-To: <223f97700809140404v7caa0216q1ab03d4472222924@mail.gmail.com> References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <223f97700809131112sc6d34basd6ba785f42114dcd@mail.gmail.com> <48CCDEF3.9060903@vanderkooij.org> <223f97700809140404v7caa0216q1ab03d4472222924@mail.gmail.com> Message-ID: <48CCF75D.3060302@alexb.ch> On 9/14/2008 1:04 PM, Glenn Steen wrote: > Yes, well... they seem to be indications of the same thing. So far > only observed on CentOS 5.2 boxes (I've had reports that it's working > OK on Slackware as well as Mandriva). Centos 4.x and older MS release as well (most of my production boxes) > The problem is that the "exploding" of the message as read from the > queue file fails. It simply returns nothing. so that's the bug... > Not that the message is malformed in any special way. > Since I don't have this problem (with Alex files), I can't go much > further there. I'm still seeing it, on latest and not so new MS releases to its there - I can't hide it. atm, I don't poker for backward compatibility, but for the latest OS/MS releases I won't loose hope. >> I shoot down almost all other stuff on non FQDN issues and blacklisting >> dialup networks based on keywords in their hostname in postfix itself. >> So I can not recall to have seen messages sneak past with attachments in >> them. > As do we all, so it is a very marginal thing, if a problem at all. I think:-). not everybody does massive rejects. One missed virus due to this exploding bug could cause havoc. >> The attachment thing might be a combined thing of a new postfix building >> queue files slightly differently. But beyond the test messages I have >> never seen that issue arise. > There is no difference that the queue file decoding code would fall > afoul of. 
The same code Just Work(tm) for me on my testbeds (and on my > production, used for reference during my testing:-). obviously, testing with another OS triggers a bunch of "works for me". I dare say Mandriva is pretty much one of the exotics in the global MS user base :-) for what we know, the issue, which is reproducible may be affecting thousands of Centos 5.x installs. That it has gone by unnoticed hardly justifies ignoring it, does it? I truly hope Jules comes up with *THE* great idea coz this is becoming a serious showstopper. Alex From hvdkooij at vanderkooij.org Sun Sep 14 12:48:20 2008 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Sun Sep 14 12:48:29 2008 Subject: Error with EMTPY_MESSAGE In-Reply-To: <48CCF75D.3060302@alexb.ch> References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <223f97700809131112sc6d34basd6ba785f42114dcd@mail.gmail.com> <48CCDEF3.9060903@vanderkooij.org> <223f97700809140404v7caa0216q1ab03d4472222924@mail.gmail.com> <48CCF75D.3060302@alexb.ch> Message-ID: <48CCFA04.7020907@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Alex Broens wrote: > On 9/14/2008 1:04 PM, Glenn Steen wrote: >> The problem is that the "exploding" of the message as read from the >> queue file fails. It simply returns nothing. > > so that's the bug... So what code is involved here? Which perl modules are used to help here. That is where we should focus our attention ATM. The point is that I can not accept Jules way of using package manager only in part by forcing package installations and getting into conflicts again with later updates. If I know which packages are involved I can see if there is a nice way around the use of the --force command which Jules seems to find perfectly acceptable but to which I must object as it breaks normal upgrade procedures. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFIzPoCBvzDRVjxmYERAlYiAJsEcM7IVsSWYdieIeKTaVheNsrgQACgjdxa nSTqKSzA9gwf7mqLKykoHxc= =84DN -----END PGP SIGNATURE----- From hvdkooij at vanderkooij.org Sun Sep 14 13:12:35 2008 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Sun Sep 14 13:12:44 2008 Subject: Error with EMTPY_MESSAGE In-Reply-To: <48CCF75D.3060302@alexb.ch> References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <223f97700809131112sc6d34basd6ba785f42114dcd@mail.gmail.com> <48CCDEF3.9060903@vanderkooij.org> <223f97700809140404v7caa0216q1ab03d4472222924@mail.gmail.com> <48CCF75D.3060302@alexb.ch> Message-ID: <48CCFFB3.5080904@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Alex Broens wrote: > On 9/14/2008 1:04 PM, Glenn Steen wrote: >> Yes, well... they seem to be indications of the same thing. So far >> only observed on CentOS 5.2 boxes (I've had reports that it's working >> OK on Slackware as well as Mandriva). > > Centos 4.x and older MS release as well (most of my production boxes) Alex can you compare the list of packages on Centos 4 and Centos 5? Could this be a revival of past issues with the perl-IO module? >> The problem is that the "exploding" of the message as read from the >> queue file fails. It simply returns nothing. > > so that's the bug... What would it take to write a separate program that calls upon the MailScanner code and compare the MailScanner results against postcat? That way we can find a set of sample queue files to work on and the difference might tell us why it does not work all the time. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFIzP+xBvzDRVjxmYERAnGPAJ4mUxDSeVRHZw9HvK1a5JJB0vwQIACfYycZ Q+8yTBZH85MpTa25Zcy0cqs= =CNrx -----END PGP SIGNATURE----- From gesbbb at yahoo.com Sun Sep 14 13:27:22 2008 From: gesbbb at yahoo.com (Jerry) Date: Sun Sep 14 13:27:35 2008 Subject: Error with EMTPY_MESSAGE In-Reply-To: <48CBFC6A.6050300@vanderkooij.org> References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> Message-ID: <20080914082722.08dad927@scorpio> On Sat, 13 Sep 2008 19:46:18 +0200 Hugo van der Kooij wrote: > I use postfix 2.3.2 as it is the normal shipped package for Centos 5. Obviously you are aware that, that is a very old and depreciated version of Postfix. I am not familiar with Centos 5; however, is there any way that you could update to Postfix 5.x, I forget what the last stable release number was, as opposed to using your older version? As a plus, there have been a few security features incorporated into the newer version. -- Jerry gesbbb@yahoo.com Fortune's current rates: Answers .10 Long answers .25 Answers requiring thought .50 Correct answers $1.00 Dumb looks are still free. From hvdkooij at vanderkooij.org Sun Sep 14 14:38:13 2008 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Sun Sep 14 14:38:22 2008 Subject: Error with EMTPY_MESSAGE In-Reply-To: <20080914082722.08dad927@scorpio> References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <20080914082722.08dad927@scorpio> Message-ID: <48CD13C5.2080806@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Jerry wrote: > On Sat, 13 Sep 2008 19:46:18 +0200 > Hugo van der Kooij wrote: > >> I use postfix 2.3.2 as it is the normal shipped package for Centos 5. > > Obviously you are aware that, that is a very old and depreciated > version of Postfix. I am not familiar with Centos 5; however, is there > any way that you could update to Postfix 5.x, I forget what the last > stable release number was, as opposed to using your older version? As a > plus, there have been a few security features incorporated into the > newer version. There is no 5.x release of postfix. Jules tested with postfix 2.2 and did not see any issue. So I see no justification to break away from upstream updates. Hugo. PS: Your public key is not very public. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFIzRPDBvzDRVjxmYERAss+AJkBny+rVBrCRLapax9lAFCYclUBoQCdGjEr MC30GZ4gp73NbHnmOfQM1xM= =wDym -----END PGP SIGNATURE----- From glenn.steen at gmail.com Sun Sep 14 14:40:44 2008 
From: glenn.steen at gmail.com (Glenn Steen) Date: Sun Sep 14 14:40:55 2008 Subject: Error with EMTPY_MESSAGE In-Reply-To: <48CCFFB3.5080904@vanderkooij.org> References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <223f97700809131112sc6d34basd6ba785f42114dcd@mail.gmail.com> <48CCDEF3.9060903@vanderkooij.org> <223f97700809140404v7caa0216q1ab03d4472222924@mail.gmail.com> <48CCF75D.3060302@alexb.ch> <48CCFFB3.5080904@vanderkooij.org> Message-ID: <223f97700809140640r2f178689wc5273333c6e07354@mail.gmail.com> 2008/9/14 Hugo van der Kooij : > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Alex Broens wrote: >> On 9/14/2008 1:04 PM, Glenn Steen wrote: >>> Yes, well... they seem to be indications of the same thing. So far >>> only observed on CentOS 5.2 boxes (I've had reports that it's working >>> OK on Slackware as well as Mandriva). >> >> Centos 4.x and older MS release as well (most of my production boxes) > > Alex can you compare the list of packages on Centos 4 and Centos 5? > Could this be a revival of past issues with the perl-IO module? Yes, it very much could. Then again, I'm not sure exactly what is happening... I suspect even Jules is a tad baffled here:-). >>> The problem is that the "exploding" of the message as read from the >>> queue file fails. It simply returns nothing. >> >> so that's the bug... > > What would it take to write a separate program that calls upon the > MailScanner code and compare the MailScanner results against postcat? Pretty much writing MailScanner for a single thread....;-). IMO it's not that easily separable. Much easier to just ... put some serious debug "breakpoints" and printouts at various stages, then running a single batch with a single queue file. Which is pretty much what I did on my systems. 
> That way we can find a set of sample queue files to work on and the > difference might tell us why it does not work all the time. On my systems it did just work, with or without debug code. With Alex "bad" files. One thing I noted about the quarantined messages on Alex box was that they all lacked the message file... Similar infections on my box all have trhe expected message, zip-file and executable in the quarantine dir. So this is an easy thing to look for, for all youfollowing this thread. If you have virus quarantine directories lacking the message file (provided you do as Alex and I, and don't quarantine the complete queue file!), then you probably suffer from the attachment exploding problem. If you do, it would be interresting to see if it is, as I suspect, solely a CentOS 5.2 (or RHEL) problem. > Hugo. > Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Sun Sep 14 14:42:13 2008 
From: glenn.steen at gmail.com (Glenn Steen) Date: Sun Sep 14 14:42:23 2008 Subject: Error with EMTPY_MESSAGE In-Reply-To: <20080914082722.08dad927@scorpio> References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <20080914082722.08dad927@scorpio> Message-ID: <223f97700809140642o4ac788ep4682cbc18037745a@mail.gmail.com> 2008/9/14 Jerry : > On Sat, 13 Sep 2008 19:46:18 +0200 > Hugo van der Kooij wrote: > >> I use postfix 2.3.2 as it is the normal shipped package for Centos 5. > > Obviously you are aware that, that is a very old and depreciated > version of Postfix. I am not familiar with Centos 5; however, is there > any way that you could update to Postfix 5.x, I forget what the last > stable release number was, as opposed to using your older version? As a > plus, there have been a few security features incorporated into the > newer version. > Probably not the issue here, Jerry, although it is good advice:-). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ms-list at alexb.ch Sun Sep 14 15:11:04 2008 
From: ms-list at alexb.ch (Alex Broens) Date: Sun Sep 14 15:11:16 2008 Subject: Error with EMTPY_MESSAGE In-Reply-To: <20080914082722.08dad927@scorpio> References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <20080914082722.08dad927@scorpio> Message-ID: <48CD1B78.2020908@alexb.ch> On 9/14/2008 2:27 PM, Jerry wrote: > On Sat, 13 Sep 2008 19:46:18 +0200 > Hugo van der Kooij wrote: > >> I use postfix 2.3.2 as it is the normal shipped package for Centos 5. > > Obviously you are aware that, that is a very old and depreciated > version of Postfix. I am not familiar with Centos 5; however, is there > any way that you could update to Postfix 5.x, I forget what the last > stable release number was, as opposed to using your older version? As a > plus, there have been a few security features incorporated into the > newer version. I'm using 2.5.2 Still looking for the time tunnel...If I'm lucky I'll be retired before Postfix 5.x is out :-) From hvdkooij at vanderkooij.org Sun Sep 14 15:11:10 2008 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Sun Sep 14 15:11:18 2008 Subject: Error with EMTPY_MESSAGE In-Reply-To: <223f97700809140640r2f178689wc5273333c6e07354@mail.gmail.com> References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <223f97700809131112sc6d34basd6ba785f42114dcd@mail.gmail.com> <48CCDEF3.9060903@vanderkooij.org> <223f97700809140404v7caa0216q1ab03d4472222924@mail.gmail.com> <48CCF75D.3060302@alexb.ch> <48CCFFB3.5080904@vanderkooij.org> <223f97700809140640r2f178689wc5273333c6e07354@mail.gmail.com> Message-ID: <48CD1B7E.3060004@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Glenn Steen wrote: > > On my systems it did just work, with or without debug code. With Alex > "bad" files. > One thing I noted about the quarantined messages on Alex box was that > they all lacked the message file... Similar infections on my box all > have trhe expected message, zip-file and executable in the quarantine > dir. So this is an easy thing to look for, for all youfollowing this > thread. If you have virus quarantine directories lacking the message > file (provided you do as Alex and I, and don't quarantine the complete > queue file!), then you probably suffer from the attachment exploding > problem. > If you do, it would be interresting to see if it is, as I suspect, > solely a CentOS 5.2 (or RHEL) problem. It would also be noteworthy to see how you installed everything. I started to take notes on the versions of rpmforge and what Jules included as source RPM. A lot of packages now seem to conflict with perl itself. If the statement is valid that sitelib goes for archlib I can rewrite all spec files to split properly but I can only rebuild them on Centos 5 for the i386 architecture at the moment. 
It will not work on Centos 4. It will basically mean I will rebuild everything one needs for Centos 5 that is not part of Centos 5 and put it in the repository. There is a load of perl packages part of the MailScanner rpm.tgz file. But are they all required? Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFIzRt7BvzDRVjxmYERAhMYAKCcbrnj0a3lb5VzdjEYHdGxh5GNEQCfXnJ/ jLglW1v1tyRrTmKV2F4nv1g= =Akyd -----END PGP SIGNATURE----- From ms-list at alexb.ch Sun Sep 14 15:13:23 2008 
From: ms-list at alexb.ch (Alex Broens) Date: Sun Sep 14 15:13:39 2008 Subject: Error with EMTPY_MESSAGE In-Reply-To: <223f97700809140640r2f178689wc5273333c6e07354@mail.gmail.com> References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <223f97700809131112sc6d34basd6ba785f42114dcd@mail.gmail.com> <48CCDEF3.9060903@vanderkooij.org> <223f97700809140404v7caa0216q1ab03d4472222924@mail.gmail.com> <48CCF75D.3060302@alexb.ch> <48CCFFB3.5080904@vanderkooij.org> <223f97700809140640r2f178689wc5273333c6e07354@mail.gmail.com> Message-ID: <48CD1C03.4050904@alexb.ch> On 9/14/2008 3:40 PM, Glenn Steen wrote: > 2008/9/14 Hugo van der Kooij : >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Alex Broens wrote: >>> On 9/14/2008 1:04 PM, Glenn Steen wrote: >>>> Yes, well... they seem to be indications of the same thing. So far >>>> only observed on CentOS 5.2 boxes (I've had reports that it's working >>>> OK on Slackware as well as Mandriva). >>> Centos 4.x and older MS release as well (most of my production boxes) >> Alex can you compare the list of packages on Centos 4 and Centos 5? >> Could this be a revival of past issues with the perl-IO module? > > Yes, it very much could. > Then again, I'm not sure exactly what is happening... I suspect even > Jules is a tad baffled here:-). > >>>> The problem is that the "exploding" of the message as read from the >>>> queue file fails. It simply returns nothing. >>> so that's the bug... >> What would it take to write a separate program that calls upon the >> MailScanner code and compare the MailScanner results against postcat? > > Pretty much writing MailScanner for a single thread....;-). IMO it's > not that easily separable. Much easier to just ... put some serious > debug "breakpoints" and printouts at various stages, then running a > single batch with a single queue file. 
> Which is pretty much what I did on my systems. > >> That way we can find a set of sample queue files to work on and the >> difference might tell us why it does not work all the time. > > On my systems it did just work, with or without debug code. With Alex > "bad" files. > One thing I noted about the quarantined messages on Alex box was that > they all lacked the message file... Similar infections on my box all > have trhe expected message, zip-file and executable in the quarantine > dir. So this is an easy thing to look for, for all youfollowing this > thread. If you have virus quarantine directories lacking the message > file (provided you do as Alex and I, and don't quarantine the complete > queue file!), then you probably suffer from the attachment exploding > problem. > If you do, it would be interresting to see if it is, as I suspect, > solely a CentOS 5.2 (or RHEL) problem. I can quarantine the whole file.. I thought I was.... what have I done wrong? Alex From gesbbb at yahoo.com Sun Sep 14 15:14:49 2008 
From: gesbbb at yahoo.com (Jerry)
Date: Sun Sep 14 15:15:02 2008
Subject: Error with EMTPY_MESSAGE
In-Reply-To: <48CD13C5.2080806@vanderkooij.org>
References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <20080914082722.08dad927@scorpio> <48CD13C5.2080806@vanderkooij.org>
Message-ID: <20080914101449.229e7f12@scorpio>

On Sun, 14 Sep 2008 15:38:13 +0200
Hugo van der Kooij wrote:

> There is no 5.x release of postfix.

Oops, meant 2.5.x version. My chubby fingers did me in again. In any
case, my suggestion would still be that the OP upgrade his version of
Postfix if that is reasonably possible. There have been several
improvements. Even if it did not correct his immediate problem, it
might very well forestall a future one.

Just my 2¢.

--
Jerry
gesbbb@yahoo.com

SAN DIEGO: Four million people, where you can't get a good
cheeseburger, no matter how hard you try.

From alex at rtpty.com Sun Sep 14 15:23:22 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Sun Sep 14 15:23:36 2008
Subject: Error with EMTPY_MESSAGE
In-Reply-To: <48CD1B78.2020908@alexb.ch>
References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <20080914082722.08dad927@scorpio> <48CD1B78.2020908@alexb.ch>
Message-ID: <08015894-8544-45CA-B6F4-EDDC28A821A3@rtpty.com>

On Sep 14, 2008, at 9:11 AM, Alex Broens wrote:

> Still looking for the time tunnel...If I'm lucky I'll be retired
> before Postfix 5.x is out :-)

I wonder if MailScanner version 23.19 (in beta at that time) will still
cause swapping, specially in machines with under 1TB RAM... I hear
there's an attachment exploding issue as well - vintage ISOs of old
Blu-Ray disc movies have problems with the Perl-IO package... they fill
the queue directory with a bunch of small 50GB files which are a
nuisance...

From hvdkooij at vanderkooij.org Sun Sep 14 15:32:31 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Sep 14 15:32:42 2008
Subject: Error with EMTPY_MESSAGE
In-Reply-To: <223f97700809140640r2f178689wc5273333c6e07354@mail.gmail.com>
References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <223f97700809131112sc6d34basd6ba785f42114dcd@mail.gmail.com> <48CCDEF3.9060903@vanderkooij.org> <223f97700809140404v7caa0216q1ab03d4472222924@mail.gmail.com> <48CCF75D.3060302@alexb.ch> <48CCFFB3.5080904@vanderkooij.org> <223f97700809140640r2f178689wc5273333c6e07354@mail.gmail.com>
Message-ID: <48CD207F.3020300@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Glenn Steen wrote:
> 2008/9/14 Hugo van der Kooij :

>> That way we can find a set of sample queue files to work on and the
>> difference might tell us why it does not work all the time.
>
> On my systems it did just work, with or without debug code. With Alex
> "bad" files.

There is an odd thing. I got no AV warning on the sample. Neither in
MailWatch nor in /var/log/maillog. But if I go to the quarantine
directory and scan the spam message file there I get a hit from ClamAV.

The message in the quarantine looks like the genuine article. Malware
and all. Just like I would see from the postcat output.

So at that point does the handling of the file differ between the
interception and the storage of the file in the quarantine directory.

The log for that batch (1 message):

ep 14 10:11:58 balin MailScanner[21808]: New Batch: Scanning 1 messages, 48313 bytes
Sep 14 10:11:58 balin MailScanner[21808]: Spam Checks: Starting
Sep 14 10:12:00 balin MailScanner[21808]: RBL checks: 52D0E1008122.AE735 found in spamhaus-ZEN
Sep 14 10:12:00 balin dovecot: pop3-login: Aborted login: rip=::ffff:84.244.132.155, lip=::ffff:84.244.132.155, TLS
Sep 14 10:12:01 balin postfix/smtpd[21795]: connect from arwen.waakhond.net[80.69.95.182]
Sep 14 10:12:01 balin postfix/smtpd[21795]: disconnect from arwen.waakhond.net[80.69.95.182]
Sep 14 10:12:04 balin postfix/smtpd[21795]: connect from unknown[194.151.25.153]
Sep 14 10:12:04 balin MailScanner[21808]: Message 52D0E1008122.AE735 from 213.211.146.118 (yes1@erac.com) to sambar.ch is spam, spamhaus-ZEN, SpamAssassin (not cached, score=13.837, required 3, BAYES_99 3.50, FH_HELO_EQ_D_D_D_D 0.00, HELO_DYNAMIC_IPADDR2 4.39, RCVD_IN_SORBS_DUL 0.88, RCVD_IN_XBL 3.03, RDNS_NONE 0.10, TVD_RCVD_IP 1.93)
Sep 14 10:12:04 balin MailScanner[21808]: Spam Checks: Found 1 spam messages
Sep 14 10:12:04 balin MailScanner[21808]: Spam Actions: message 52D0E1008122.AE735 actions are spam@barracuda.com,store,forward
Sep 14 10:12:05 balin MailScanner[21808]: Virus and Content Scanning: Starting
Sep 14 10:12:05 balin postfix/cleanup[21802]: 22A0417E9219: message-id=<20080914081205.22A0417E9219@balin.waakhond.net>
Sep 14 10:12:05 balin postfix/qmgr[21777]: 22A0417E9219: from=, size=273, nrcpt=1 (queue active)
Sep 14 10:12:05 balin postfix/local[21803]: 22A0417E9219: to=, relay=local, delay=0.34, delays=0.24/0/0/0.1, dsn=2.0.0, status=deliverable (delivers to command: /usr/bin/procmail -Y)
Sep 14 10:12:05 balin postfix/qmgr[21777]: 22A0417E9219: removed
Sep 14 10:12:06 balin postfix/smtpd[22123]: connect from imss.berk.nl[194.122.140.1]
Sep 14 10:12:07 balin postfix/smtpd[22123]: C25A617E9219: client=imss.berk.nl[194.122.140.1]
Sep 14 10:12:07 balin postfix/cleanup[21802]: C25A617E9219: message-id=<194.122.140.4.1221379925@balin.waakhond.net>
Sep 14 10:12:08 balin postfix/qmgr[21777]: C25A617E9219: from=, size=2049, nrcpt=1 (queue active)
Sep 14 10:12:08 balin postfix/smtpd[22123]: disconnect from imss.berk.nl[194.122.140.1]
Sep 14 10:12:09 balin postfix/local[21803]: C25A617E9219: to=, relay=local, delay=2.6, delays=1.3/0/0/1.3, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail -Y)
Sep 14 10:12:09 balin postfix/qmgr[21777]: C25A617E9219: removed
Sep 14 10:12:12 balin postfix/smtpd[21795]: BD0F817E9219: client=unknown[194.151.25.153]
Sep 14 10:12:12 balin postfix/cleanup[21802]: BD0F817E9219: message-id=<194.151.25.153.1221379924@balin.waakhond.net>
Sep 14 10:12:12 balin postfix/qmgr[21777]: BD0F817E9219: from=, size=1266, nrcpt=1 (queue active)
Sep 14 10:12:12 balin postfix/smtpd[21795]: disconnect from unknown[194.151.25.153]
Sep 14 10:12:12 balin postfix/local[21803]: BD0F817E9219: to=, relay=local, delay=7.7, delays=7.7/0/0/0.01, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail -Y)
Sep 14 10:12:12 balin postfix/qmgr[21777]: BD0F817E9219: removed
Sep 14 10:12:13 balin MailScanner[21808]: Requeue: 52D0E1008122.AE735 to DC1CC17E9219
Sep 14 10:12:13 balin postfix/qmgr[21777]: DC1CC17E9219: from=, size=48252, nrcpt=1 (queue active)
Sep 14 10:12:13 balin MailScanner[21808]: Uninfected: Delivered 1 messages
Sep 14 10:12:13 balin MailScanner[21808]: Logging message 52D0E1008122.AE735 to SQL
Sep 14 10:12:15 balin postfix/smtp[22176]: DC1CC17E9219: to=, relay=barracuda2.barracuda.com[216.129.105.115]:25, delay=154983, delays=154980/0.01/0.99/1.7, dsn=2.0.0, status=sent (250 Ok: queued as C6B224ACCE6)
Sep 14 10:12:15 balin postfix/qmgr[21777]: DC1CC17E9219: removed

There are 2 messages logged which did not go through MailScanner during
the handling of this message. But that is how I designed this server and
should not worry anyone.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFIzSB8BvzDRVjxmYERAp3NAJ4zLFDgAzjnS9ci5Z9G/kIXXiyYKACeKCyB
zJ6zFCo9sTuX+AcLy8jTaec=
=XAri
-----END PGP SIGNATURE-----

From hvdkooij at vanderkooij.org Sun Sep 14 16:04:22 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Sep 14 16:04:31 2008
Subject: Error with EMTPY_MESSAGE
In-Reply-To: <48CD1C03.4050904@alexb.ch>
References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <223f97700809131112sc6d34basd6ba785f42114dcd@mail.gmail.com> <48CCDEF3.9060903@vanderkooij.org> <223f97700809140404v7caa0216q1ab03d4472222924@mail.gmail.com> <48CCF75D.3060302@alexb.ch> <48CCFFB3.5080904@vanderkooij.org> <223f97700809140640r2f178689wc5273333c6e07354@mail.gmail.com> <48CD1C03.4050904@alexb.ch>
Message-ID: <48CD27F6.6060900@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Alex Broens wrote:
> On 9/14/2008 3:40 PM, Glenn Steen wrote:
>> 2008/9/14 Hugo van der Kooij :
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Alex Broens wrote:
>>>> On 9/14/2008 1:04 PM, Glenn Steen wrote:
>>>>> Yes, well... they seem to be indications of the same thing. So far
>>>>> only observed on CentOS 5.2 boxes (I've had reports that it's working
>>>>> OK on Slackware as well as Mandriva).
>>>> Centos 4.x and older MS release as well (most of my production boxes)
>>> Alex can you compare the list of packages on Centos 4 and Centos 5?
>>> Could this be a revival of past issues with the perl-IO module?
>>
>> Yes, it very much could.
>> Then again, I'm not sure exactly what is happening... I suspect even
>> Jules is a tad baffled here:-).
>>
>>>>> The problem is that the "exploding" of the message as read from the
>>>>> queue file fails. It simply returns nothing.
>>>> so that's the bug...
>>> What would it take to write a separate program that calls upon the
>>> MailScanner code and compare the MailScanner results against postcat?
>>
>> Pretty much writing MailScanner for a single thread....;-). IMO it's
>> not that easily separable. Much easier to just ... put some serious
>> debug "breakpoints" and printouts at various stages, then running a
>> single batch with a single queue file.
>> Which is pretty much what I did on my systems.
>>
>>> That way we can find a set of sample queue files to work on and the
>>> difference might tell us why it does not work all the time.
>>
>> On my systems it did just work, with or without debug code. With Alex
>> "bad" files.
>> One thing I noted about the quarantined messages on Alex box was that
>> they all lacked the message file... Similar infections on my box all
>> have the expected message, zip-file and executable in the quarantine
>> dir. So this is an easy thing to look for, for all you following this
>> thread. If you have virus quarantine directories lacking the message
>> file (provided you do as Alex and I, and don't quarantine the complete
>> queue file!), then you probably suffer from the attachment exploding
>> problem.
>> If you do, it would be interesting to see if it is, as I suspect,
>> solely a CentOS 5.2 (or RHEL) problem.
>
> I can quarantine the whole file.. I thought I was....
> what have I done wrong?

Just to compare note from the MailScanner -c output. I noticed these lines:

Option Name                Default                        Current Value
===============================================================================
clamavfullmessagescan      no                             yes
logsilentviruses           no                             yes
monitorsforclamavupdates   /usr/local/share/clamav/*.cvd  /var/clamav/*.cld /var/clamav/*.cvd
mta                        sendmail                       postfix
quarantinesilentviruses    no                             yes
virusscanners              auto                           clamav mcafee avastd
virusscanning              yes                            RULESET:Default=yes

I also happen to notice there are no ClamAV warnings. I would have
expected them on at least some of them that were detected by both Avast
and McAfee.

So I think I happen to have an issue with ClamAV I need to sort out. Not
sure what as all the usual suspects turn out to be clean.

Hugo

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFIzSfzBvzDRVjxmYERAj/rAKChTQ/aQ4gktjO073Xd8Cv8m/Bg0ACgneQM
nn5ueTO6X2a1ezrc1oytd0o=
=ucXt
-----END PGP SIGNATURE-----

From glenn.steen at gmail.com Sun Sep 14 16:29:11 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sun Sep 14 16:29:21 2008
Subject: Error with EMTPY_MESSAGE
In-Reply-To: <48CD1C03.4050904@alexb.ch>
References: <48CB7428.1030501@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <223f97700809131112sc6d34basd6ba785f42114dcd@mail.gmail.com> <48CCDEF3.9060903@vanderkooij.org> <223f97700809140404v7caa0216q1ab03d4472222924@mail.gmail.com> <48CCF75D.3060302@alexb.ch> <48CCFFB3.5080904@vanderkooij.org> <223f97700809140640r2f178689wc5273333c6e07354@mail.gmail.com> <48CD1C03.4050904@alexb.ch>
Message-ID: <223f97700809140829v7b8de750o4cce2892da286a28@mail.gmail.com>

2008/9/14 Alex Broens :
> On 9/14/2008 3:40 PM, Glenn Steen wrote:
>>
>> 2008/9/14 Hugo van der Kooij :
>>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Alex Broens wrote:
>>>>
>>>> On 9/14/2008 1:04 PM, Glenn Steen wrote:
>>>>>
>>>>> Yes, well... they seem to be indications of the same thing. So far
>>>>> only observed on CentOS 5.2 boxes (I've had reports that it's working
>>>>> OK on Slackware as well as Mandriva).
>>>>
>>>> Centos 4.x and older MS release as well (most of my production boxes)
>>>
>>> Alex can you compare the list of packages on Centos 4 and Centos 5?
>>> Could this be a revival of past issues with the perl-IO module?
>>
>> Yes, it very much could.
>> Then again, I'm not sure exactly what is happening... I suspect even
>> Jules is a tad baffled here:-).
>>
>>>>> The problem is that the "exploding" of the message as read from the
>>>>> queue file fails. It simply returns nothing.
>>>>
>>>> so that's the bug...
>>>
>>> What would it take to write a separate program that calls upon the
>>> MailScanner code and compare the MailScanner results against postcat?
>>
>> Pretty much writing MailScanner for a single thread....;-). IMO it's
>> not that easily separable. Much easier to just ... put some serious
>> debug "breakpoints" and printouts at various stages, then running a
>> single batch with a single queue file.
>> Which is pretty much what I did on my systems.
>>
>>> That way we can find a set of sample queue files to work on and the
>>> difference might tell us why it does not work all the time.
>>
>> On my systems it did just work, with or without debug code. With Alex
>> "bad" files.
>> One thing I noted about the quarantined messages on Alex box was that
>> they all lacked the message file... Similar infections on my box all
>> have the expected message, zip-file and executable in the quarantine
>> dir. So this is an easy thing to look for, for all you following this
>> thread. If you have virus quarantine directories lacking the message
>> file (provided you do as Alex and I, and don't quarantine the complete
>> queue file!), then you probably suffer from the attachment exploding
>> problem.
>> If you do, it would be interesting to see if it is, as I suspect,
>> solely a CentOS 5.2 (or RHEL) problem.
>
> I can quarantine the whole file.. I thought I was....
> what have I done wrong?
>
> Alex
>
MailWatch demands that it gets quarantined as the RFC822-decoded file,
not the queue file. Since your spam quarantine contained that, I drew
that conclusion... is all;)

Nothing wrong, so to speak, apart from the message exploding thing.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From ms-list at alexb.ch Sun Sep 14 18:00:32 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Sun Sep 14 18:00:51 2008
Subject: Error with EMTPY_MESSAGE
In-Reply-To: <223f97700809140829v7b8de750o4cce2892da286a28@mail.gmail.com>
References: <48CB7428.1030501@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <223f97700809131112sc6d34basd6ba785f42114dcd@mail.gmail.com> <48CCDEF3.9060903@vanderkooij.org> <223f97700809140404v7caa0216q1ab03d4472222924@mail.gmail.com> <48CCF75D.3060302@alexb.ch> <48CCFFB3.5080904@vanderkooij.org> <223f97700809140640r2f178689wc5273333c6e07354@mail.gmail.com> <48CD1C03.4050904@alexb.ch> <223f97700809140829v7b8de750o4cce2892da286a28@mail.gmail.com>
Message-ID: <48CD4330.1020905@alexb.ch>

On 9/14/2008 5:29 PM, Glenn Steen wrote:
> 2008/9/14 Alex Broens :
>> On 9/14/2008 3:40 PM, Glenn Steen wrote:
>>> 2008/9/14 Hugo van der Kooij :
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> Alex Broens wrote:
>>>>> On 9/14/2008 1:04 PM, Glenn Steen wrote:
>>>>>> Yes, well... they seem to be indications of the same thing. So far
>>>>>> only observed on CentOS 5.2 boxes (I've had reports that it's working
>>>>>> OK on Slackware as well as Mandriva).
>>>>> Centos 4.x and older MS release as well (most of my production boxes)
>>>> Alex can you compare the list of packages on Centos 4 and Centos 5?
>>>> Could this be a revival of past issues with the perl-IO module?
>>> Yes, it very much could.
>>> Then again, I'm not sure exactly what is happening... I suspect even
>>> Jules is a tad baffled here:-).
>>>
>>>>>> The problem is that the "exploding" of the message as read from the
>>>>>> queue file fails. It simply returns nothing.
>>>>> so that's the bug...
>>>> What would it take to write a separate program that calls upon the
>>>> MailScanner code and compare the MailScanner results against postcat?
>>> Pretty much writing MailScanner for a single thread....;-). IMO it's
>>> not that easily separable. Much easier to just ... put some serious
>>> debug "breakpoints" and printouts at various stages, then running a
>>> single batch with a single queue file.
>>> Which is pretty much what I did on my systems.
>>>
>>>> That way we can find a set of sample queue files to work on and the
>>>> difference might tell us why it does not work all the time.
>>> On my systems it did just work, with or without debug code. With Alex
>>> "bad" files.
>>> One thing I noted about the quarantined messages on Alex box was that
>>> they all lacked the message file... Similar infections on my box all
>>> have the expected message, zip-file and executable in the quarantine
>>> dir. So this is an easy thing to look for, for all you following this
>>> thread. If you have virus quarantine directories lacking the message
>>> file (provided you do as Alex and I, and don't quarantine the complete
>>> queue file!), then you probably suffer from the attachment exploding
>>> problem.
>>> If you do, it would be interesting to see if it is, as I suspect,
>>> solely a CentOS 5.2 (or RHEL) problem.
>> I can quarantine the whole file.. I thought I was....
>> what have I done wrong?
>>
>> Alex
>>
> MailWatch demands that it gets quarantined as the RFC822-decoded file,
> not the queue file. Since your spam quarantine contained that, I drew
> that conclusion... is all;)

ya jumped to conclusions a bit too fast? :-)

I was storing in Q file format to do the debugging - test box - no real
users behind it - just a trap feed for a little BL I contribute to .-)

> Nothing wrong, so to speak, apart from the message exploding thing.

I didn't make them explode right.. yes... aaaaaaaaaaaall my fault.

more beeeeeeeeeeeeeeeeeeeeeer, less bugs!

Alex

From drew.marshall at technologytiger.net Sun Sep 14 18:55:12 2008
From: drew.marshall at technologytiger.net (Drew Marshall)
Date: Sun Sep 14 18:55:32 2008
Subject: Error with EMTPY_MESSAGE
In-Reply-To: <48CCF75D.3060302@alexb.ch>
References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <223f97700809131112sc6d34basd6ba785f42114dcd@mail.gmail.com> <48CCDEF3.9060903@vanderkooij.org> <223f97700809140404v7caa0216q1ab03d4472222924@mail.gmail.com> <48CCF75D.3060302@alexb.ch>
Message-ID: <7F74F1D4-2758-4D0B-B272-9BBF78F41D25@technologytiger.net>

On 14 Sep 2008, at 12:37, Alex Broens wrote:

> On 9/14/2008 1:04 PM, Glenn Steen wrote:
>> Yes, well... they seem to be indications of the same thing. So far
>> only observed on CentOS 5.2 boxes (I've had reports that it's working
>> OK on Slackware as well as Mandriva).
>
> Centos 4.x and older MS release as well (most of my production boxes)

I have not noticed any difference on my PF boxes. However, I am running
FreeBSD.

>>> I shoot down almost all other stuff on non FQDN issues and
>>> blacklisting
>>> dialup networks based on keywords in their hostname in postfix
>>> itself.
>>> So I can not recall to have seen messages sneak past with
>>> attachments in
>>> them.
>> As do we all, so it is a very marginal thing,if a problem at all. I
>> think:-).
>
> not everybody does massive rejects. One missed virus due to this
> exploding bug could cause havoc.

Agreed

>
>
>>> The attachment thing might be a combined thing of a new postfix
>>> building
>>> queue files slightly differently. But beyond the test messages I
>>> have
>>> never seen that issue arise.
>> There is no difference that the queue file decoding code would fall
>> afoul of. The same code Just Work(tm) for me on my testbeds (and on
>> my
>> production, used for reference during my testing:-).
>
> obviously, testing with another OS triggers a bunch of "works for me".
> I dare say Mandriva is pretty much one of the exotics in the global
> MS user base :-)

I suspect it probably is!

>
>
> for what we know, the issue, which is reproducible may be affecting
> thousands of Centos 5.x installs. That it has gone by unnoticed
> hardly justifies ignoring it, does it?

That one I have to agree with. It made me crawl over my mail logs to
make sure.

Drew

--
In line with our policy, this message has been scanned for viruses and
dangerous content by Technology Tiger's Mail Launder system
Our email policy can be found at www.technologytiger.net/policy

Technology Tiger Limited is registered in Scotland with registration
number: 310997
Registered Office 55-57 West High Street Inverurie AB51 3QQ

From glenn.steen at gmail.com Sun Sep 14 19:58:12 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sun Sep 14 19:58:21 2008
Subject: Error with EMTPY_MESSAGE
In-Reply-To: <7F74F1D4-2758-4D0B-B272-9BBF78F41D25@technologytiger.net>
References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <223f97700809131112sc6d34basd6ba785f42114dcd@mail.gmail.com> <48CCDEF3.9060903@vanderkooij.org> <223f97700809140404v7caa0216q1ab03d4472222924@mail.gmail.com> <48CCF75D.3060302@alexb.ch> <7F74F1D4-2758-4D0B-B272-9BBF78F41D25@technologytiger.net>
Message-ID: <223f97700809141158k4ce1ea63v35cb3c9c3f747f3@mail.gmail.com>

2008/9/14 Drew Marshall :
> On 14 Sep 2008, at 12:37, Alex Broens wrote:
>
>> On 9/14/2008 1:04 PM, Glenn Steen wrote:
>>>
>>> Yes, well... they seem to be indications of the same thing. So far
>>> only observed on CentOS 5.2 boxes (I've had reports that it's working
>>> OK on Slackware as well as Mandriva).
>>
>> Centos 4.x and older MS release as well (most of my production boxes)
>
> I have not noticed any difference on my PF boxes. However, I am running
> FreeBSD.
>
>>>> I shoot down almost all other stuff on non FQDN issues and blacklisting
>>>> dialup networks based on keywords in their hostname in postfix itself.
>>>> So I can not recall to have seen messages sneak past with attachments in
>>>> them.
>>>
>>> As do we all, so it is a very marginal thing,if a problem at all. I
>>> think:-).
>>
>> not everybody does massive rejects. One missed virus due to this exploding
>> bug could cause havoc.
>
> Agreed

True enough. One just has to .... have a realistic view on the dangers here.

>>
>>
>>>> The attachment thing might be a combined thing of a new postfix building
>>>> queue files slightly differently. But beyond the test messages I have
>>>> never seen that issue arise.
>>>
>>> There is no difference that the queue file decoding code would fall
>>> afoul of. The same code Just Work(tm) for me on my testbeds (and on my
>>> production, used for reference during my testing:-).
>>
>> obviously, testing with another OS triggers a bunch of "works for me".
>> I dare say Mandriva is pretty much one of the exotics in the global MS
>> user base :-)
>
> I suspect it probably is!

Hmpf!:-)

>>
>>
>> for what we know, the issue, which is reproducible may be affecting
>> thousands of Centos 5.x installs. That it has gone by unnoticed hardly
>> justifies ignoring it, does it?
>
> That one I have to agree with. It made me crawl over my mail logs to make
> sure.

Which is very good indeed. Thanks for the info!

> Drew
>

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From hvdkooij at vanderkooij.org Sun Sep 14 20:19:16 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Sep 14 20:19:28 2008
Subject: Error with EMTPY_MESSAGE
In-Reply-To: <48CB7428.1030501@vanderkooij.org>
References: <48CB7428.1030501@vanderkooij.org>
Message-ID: <48CD63B4.7080106@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hugo van der Kooij wrote:
> Hi,
>
> It seems to me that SA is flagging just about any message as EMPTY_MESSAGE.
>
> Is anyone else seeing this too?

Right. During compilation I noticed a warning about my language
settings. My default is set to LANG=en_US.UTF-8

Could this be relevant?

Hugo

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFIzWOzBvzDRVjxmYERAk2TAJwMj7Bza5LoA7GFw3575poM2rekNACeJBBg
A0f5yxMOIJDrm+3uh/QAkfM=
=S/pC
-----END PGP SIGNATURE-----

From ms-list at alexb.ch Sun Sep 14 20:41:53 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Sun Sep 14 20:42:08 2008
Subject: Error with EMTPY_MESSAGE
In-Reply-To: <48CD63B4.7080106@vanderkooij.org>
References: <48CB7428.1030501@vanderkooij.org> <48CD63B4.7080106@vanderkooij.org>
Message-ID: <48CD6901.5060802@alexb.ch>

On 9/14/2008 9:19 PM, Hugo van der Kooij wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hugo van der Kooij wrote:
>> Hi,
>>
>> It seems to me that SA is flagging just about any message as EMPTY_MESSAGE.
>>
>> Is anyone else seeing this too?
>
> Right. During compilation I noticed a warning about my language
> settings. My default is set to LANG=en_US.UTF-8
>
> Could this be relevant?

Mine is also: LANG=en_US.UTF-8

I'm now collecting infected msgs BEFORE MailScanner touches/sees them.
Hope to find some which don't get detected and give you guys 100%
pristine Q files.

Alex

From J.Ede at birchenallhowden.co.uk Mon Sep 15 08:26:53 2008
From: J.Ede at birchenallhowden.co.uk (Jason Ede)
Date: Mon Sep 15 08:30:22 2008
Subject: Error with EMTPY_MESSAGE
In-Reply-To: <48CD6901.5060802@alexb.ch>
References: <48CB7428.1030501@vanderkooij.org> <48CD63B4.7080106@vanderkooij.org>,<48CD6901.5060802@alexb.ch>
Message-ID: <4CAB0118AEC63A4FAAE77E6BCBDF760C792A26CDE2@server02.bhl.local>

________________________________________
From: mailscanner-bounces@lists.mailscanner.info [mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Broens [ms-list@alexb.ch]
Sent: 14 September 2008 20:41
To: MailScanner discussion
Subject: Re: Error with EMTPY_MESSAGE

On 9/14/2008 9:19 PM, Hugo van der Kooij wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hugo van der Kooij wrote:
>> Hi,
>>
>> It seems to me that SA is flagging just about any message as EMPTY_MESSAGE.
>>
>> Is anyone else seeing this too?
>
> Right. During compilation I noticed a warning about my language
> settings. My default is set to LANG=en_US.UTF-8
>
> Could this be relevant?

Mine is also: LANG=en_US.UTF-8

I'm now collecting infected msgs BEFORE MailScanner touches/sees them.
Hope to find some which don't get detected and give you guys 100%
pristine Q files.

Alex

I've noticed a CentOS 5.2 box seems to catch less spam than an existing
FC7 box but so far I've failed to find anything obviously wrong or that
is obviously being missed. Its language setting is LANG=en_US

Has anyone tried removing and recompiling perl and then doing a
comparison to see if it solves the issue?

Jason

From MailScanner at ecs.soton.ac.uk Mon Sep 15 08:48:28 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Sep 15 08:48:47 2008
Subject: Potential Postfix CentOS message unpacking bug
Message-ID: <48CE134C.7080307@ecs.soton.ac.uk>

As some of you may have already realised, a few people are having a
problem on particular OS's when using Postfix, where messages generated
by a particular Trojan are not being unpacked properly.

So Postfix users on CentOS, please can you check your logs for any
16-17Kb spams which could possibly contain an attachment called
"start.zip" (grep should find it in raw queue files, if you're wondering
how to do that for raw queue files), which have not always been detected
as infected.

You might want to use the "Archive Mail" feature of MailScanner.conf for
a while to see if you're getting anything like that, in case you are
suffering the problem.

We would very much like to know how widespread this problem is, so
please report back with your findings and we'll take a straw poll of the
respondents.

Thanks folks!

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From Andreas.Kasenides at cs.ucy.ac.cy Mon Sep 15 09:06:56 2008
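[Added example, not part of any message in this thread and not MailScanner code.] The two checks suggested above, quarantine directories that lack the "message" file and 16-17Kb raw queue files that mention "start.zip" but have no "Infected message" log entry, can be scripted as follows. The quarantine layout ROOT/<date>/<id>/, the directory paths in the usage comment and the use of the file name as the queue ID are assumptions.

```shell
#!/bin/sh
# Added example: triage helpers for the "attachment exploding" problem.
# Assumptions (not confirmed by the thread):
#   - the virus quarantine is laid out as ROOT/<date>/<message-id>/
#   - archived or held queue files are named after the Postfix queue ID

# Print every quarantine directory that holds files but no "message" file.
quarantine_missing_message() {
    root=$1
    for dir in "$root"/*/*/; do
        [ -d "$dir" ] || continue              # glob matched nothing
        dir=${dir%/}
        [ -n "$(ls -A "$dir")" ] || continue   # ignore empty directories
        [ -f "$dir/message" ] || printf '%s\n' "$dir"
    done
}

# Print raw queue files in QDIR, between MIN and MAX bytes inclusive,
# that contain the attachment NAME as a plain string (MIME header text).
queue_files_with_attachment() {
    qdir=$1; name=$2; min=$3; max=$4
    find "$qdir" -type f -size +"$((min - 1))"c -size -"$((max + 1))"c |
    while IFS= read -r f; do
        if grep -q -F -- "$name" "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Print the queue IDs of such files for which MAILLOG has no
# "Infected message <id>." line, i.e. candidates that were never flagged.
undetected_candidates() {
    maillog=$5
    queue_files_with_attachment "$1" "$2" "$3" "$4" |
    while IFS= read -r f; do
        base=$(basename "$f")
        id=${base%%.*}                         # drop any ".XXXXX" suffix
        if ! grep -q -F -- "Infected message $id." "$maillog"; then
            printf '%s\n' "$id"
        fi
    done
}

# Optional dispatcher, e.g. (paths are assumed, adjust to your install):
#   sh triage.sh quarantine_missing_message /var/spool/MailScanner/quarantine
#   sh triage.sh undetected_candidates /var/spool/MailScanner/archive \
#       start.zip 16384 17408 /var/log/maillog
case "${1:-}" in
    quarantine_missing_message|queue_files_with_attachment|undetected_candidates)
        "$@" ;;
esac
```

Any ID printed by undetected_candidates is a lead to compare against postcat output, not proof of a missed infection.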
From: Andreas.Kasenides at cs.ucy.ac.cy (Andreas Kasenides)
Date: Mon Sep 15 09:07:15 2008
Subject: Watermarking marking good mail as SPAM?
Message-ID: <48CE17A0.1090805@cs.ucy.ac.cy>

Hi everybody. MailScanner is a great community.

I am suspecting that the watermarking feature is making some messages
as spam when it should not.
Here is part of a header from a message that was marked as spam.

Subject: Re: [Spam] TACAS09
............
Message-ID:<4ABB3634864C@mac.com>
In-reply-to:<1020801@cs.ucy.ac.cy>
References:<3D1A89EADBC@mac.com> <48CC0FDE.1020801@cs.ucy.ac.cy>
X-Mailer:Apple Mail (2.928.1)
X-CSatUCY-Information:Please contact xxxx@cs.ucy.ac.cy for help.
X-CSatUCY-MailScanner-ID:E7309
X-CSatUCY-VirusCheck:Found to be clean
X-CSatUCY-SpamCheck:not spam, SpamAssassin (score=-2.599, required 5, autolearn=not spam, BAYES_00 -2.60)
X-CSatUCY-From:yyyyy@mac.com
X-CSatUCY-Watermark:1221964537.75397@fPhgdJd/cnrjJXq+MyJL2w
X-Spam-Status:No

If I read it correctly SA has not marked this as spam. But yet the
Subject was appended with [SPAM] (our spam signature).
Our watermarking options are:

Use Watermarking = yes
Add Watermark = yes
Check Watermarks With No Sender = yes
Treat Invalid Watermarks With No Sender as Spam = spam
Check Watermarks To Skip Spam Checks = yes
Watermark Secret = zzzzzzz
Watermark Lifetime = 604800
Watermark Header = X-%org-name%-Watermark:

I have not been able to figure out when exactly this happens but it
seems to me that messages are marked as SPAM when they are replies or
forwards. (Re: or Fwd in the header).

Is there any way to know when the watermarking fires marking a message
as spam and why?

Any ideas are appreciated.

Thank you.
Andreas Kasenides

From Paul.Bijnens at xplanation.com Mon Sep 15 09:48:58 2008
From: Paul.Bijnens at xplanation.com (Paul Bijnens) Date: Mon Sep 15 09:49:10 2008 Subject: Potential Postfix CentOS message unpacking bug In-Reply-To: <48CE134C.7080307@ecs.soton.ac.uk> References: <48CE134C.7080307@ecs.soton.ac.uk> Message-ID: <48CE217A.6050208@xplanation.com> On 2008-09-15 09:48, Julian Field wrote: > As some of you may have already realised, a few people are having a > problem on particular OS's when using Postfix, where a message generated > by a particular Trojan are not being unpacked properly. > > So Postfix users on CentOS, please can you check your logs for any > 16-17Kb spams which could possibly containing an attachment called > "start.zip" (grep should find it in raw queue files, if you're wondering > how to do that for raw queue files), which have not always been detected > as infected. > > You might want to use the "Archive Mail" feature of MailScanner.conf for > a while to see if you're getting anything like that, in case you are > suffering the problem. > > We would very much like to know how widespread this problem is, so > please report back with your findings and we'll take a straw poll of the > respondents. Running MailScanner on CentOS here, with archiving enabled as well. I did not find any message containing an attachment "start.zip" in my archived mails (between sep 11 and now sep 15 10:41 MET, for a total of 10928 mails). I'll still keep an eye on it for some days. 
-- Paul Bijnens, xplanation Technology Services Tel +32 16 397.511 Technologielaan 21 bus 2, B-3001 Leuven, BELGIUM Fax +32 16 397.512 http://www.xplanation.com/ email: Paul.Bijnens@xplanation.com *********************************************************************** * I think I've got the hang of it now: exit, ^D, ^C, ^\, ^Z, ^Q, ^^, * * F6, quit, ZZ, :q, :q!, M-Z, ^X^C, logoff, logout, close, bye, /bye, * * stop, end, F3, ~., ^]c, +++ ATH, disconnect, halt, abort, hangup, * * PF4, F20, ^X^X, :D::D, KJOB, F14-f-e, F8-e, kill -1 $$, shutdown, * * init 0, kill -9 1, Alt-F4, Ctrl-Alt-Del, AltGr-NumLock, Stop-A, ... * * ... "Are you sure?" ... YES ... Phew ... I'm out * *********************************************************************** From Andreas.Kasenides at cs.ucy.ac.cy Mon Sep 15 10:00:24 2008 
From: Andreas.Kasenides at cs.ucy.ac.cy (Andreas Kasenides) Date: Mon Sep 15 10:00:38 2008 Subject: Watermarking marking good mail as SPAM? In-Reply-To: <48CE17A0.1090805@cs.ucy.ac.cy> References: <48CE17A0.1090805@cs.ucy.ac.cy> Message-ID: <48CE2428.9060000@cs.ucy.ac.cy> I should have said that I am running MS: Linux xxxx.cs.ucy.ac.cy 2.6.18-53.1.21.el5 #1 SMP Tue May 20 09:35:07 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux This is CentOS release 5 (Final) This is Perl version 5.008008 (5.8.8) This is MailScanner version 4.71.10 Andreas Kasenides wrote: > Hi everybody. MailScanner is a great community. > > I am suspecting that the watermarking feature is making some messages > as spam when it should not. Here is part of a header from a message > that was > marked as spam. > > Subject: > Re: [Spam] TACAS09 > ............ > Message-ID:<4ABB3634864C@mac.com> > In-reply-to:<1020801@cs.ucy.ac.cy> > References:<3D1A89EADBC@mac.com> <48CC0FDE.1020801@cs.ucy.ac.cy> > X-Mailer:Apple Mail (2.928.1) > X-CSatUCY-Information:Please contact xxxx@cs.ucy.ac.cy for help. > X-CSatUCY-MailScanner-ID:E7309 > X-CSatUCY-VirusCheck:Found to be clean > X-CSatUCY-SpamCheck:not spam, SpamAssassin (score=-2.599, required 5, > autolearn=not spam, BAYES_00 -2.60) > X-CSatUCY-From:yyyyy@mac.com > X-CSatUCY-Watermark:1221964537.75397@fPhgdJd/cnrjJXq+MyJL2w > X-Spam-Status:No > > If I read it correctly SA has not marked this as spam. > But yet the Subject was appended with [SPAM] (our spam signature). > Our watermaking options are: > > Use Watermarking = yes > Add Watermark = yes > Check Watermarks With No Sender = yes > Treat Invalid Watermarks With No Sender as Spam = spam > Check Watermarks To Skip Spam Checks = yes > Watermark Secret = zzzzzzz > Watermark Lifetime = 604800 > Watermark Header = X-%org-name%-Watermark: > > I have not been able to figure out when exactly this happens but it > seems to me that messages > are marked as SPAM when they are replies or forwards. 
(Re: or Fwd in > the header). > Is there any way to know when the watermarking fires marking a message > as spam and why? > Any ideas are appreciated. > Thank you. > Andreas Kasenides > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080915/97e8ff4d/attachment.html From gmatt at nerc.ac.uk Mon Sep 15 11:24:45 2008 From: gmatt at nerc.ac.uk (Greg Matthews) Date: Mon Sep 15 11:25:18 2008 Subject: clamd DoS? Message-ID: <48CE37ED.6040200@nerc.ac.uk> anyone else getting hammered by Trojan.Autorun-285 making clamd suck up CPU cycles? Given enough of these trojans (~10) I'm seeing timeouts from clamd. The tell tale sign is huge increase in cpu usage as clamd hogs the processors. I'm using 0.93.3 and MS 4.68.8 (both to be upgraded in a couple of weeks). GREG -- Greg Matthews 01491 692445 Head of UNIX/Linux, iTSS Wallingford -- This message (and any attachments) is for the recipient only. NERC is subject to the Freedom of Information Act 2000 and the contents of this email and any reply you make may be disclosed by NERC unless it is exempt from release under the Act. Any material supplied to NERC may be stored in an electronic records management system. From ben.tisdall at photobox.com Mon Sep 15 11:28:25 2008 
From: ben.tisdall at photobox.com (Ben Tisdall) Date: Mon Sep 15 11:28:40 2008 Subject: Desperately trying to debug poor spam scanning performance In-Reply-To: <48CABC5B.2010603@photobox.com> References: <48CA9E61.7080506@photobox.com> <5A881BE9-B6B4-463D-BFE0-0D7FFF8C80F3@rtpty.com> <48CABC5B.2010603@photobox.com> Message-ID: <48CE38C9.2020308@photobox.com> Hi all, I've tried over the weekend to optimise spam processing speed on this box but with no major gains. Here's some data that might be useful (jitter is my home box & newacorn the not-yet-deployed production box). Speed Logging ============= gmail => test => home Spam Checks = no newacorn: 11:12:31 Spam Checks completed at 43536 bytes per second jitter: 11:12:37 Spam Checks completed at 60548 bytes per second Spam Checks = yes newacorn: 11:15:17 Spam Checks completed at 491 bytes per second jitter: 11:15:26 Spam Checks completed at 1778 bytes per second bonnie++ results: ================= https://jitter.tisdall.org.uk/pub/mstest/ms_disk.html Perl modules diff: ================== https://jitter.tisdall.org.uk/pub/mstest/ms_modules_diff.txt Let me know if any further info would be helpful. Thanks! Best regards, Ben. -- Ben Tisdall Linux Systems Administrator | www.photobox.com From raymond at prolocation.net Mon Sep 15 11:30:17 2008 
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Mon Sep 15 11:30:26 2008
Subject: clamd DoS?
In-Reply-To: <48CE37ED.6040200@nerc.ac.uk>
References: <48CE37ED.6040200@nerc.ac.uk>
Message-ID:

Hi!

> anyone else getting hammered by Trojan.Autorun-285 making clamd suck up CPU
> cycles? Given enough of these trojans (~10) I'm seeing timeouts from clamd.
>
> The tell tale sign is huge increase in cpu usage as clamd hogs the
> processors.
>
> I'm using 0.93.3 and MS 4.68.8 (both to be upgraded in a couple of weeks).

Yes, and there are also messages breaking MS currently. We are looking to get some files over to Julian.

[root@mx100 1KfAVc-0005nv-3m]# unzip contract_I1.zip
Archive: contract_I1.zip
inflating: contract_I1.doc.exe

Stuff like that is keeping the CPU busy and after a while we see:

Sep 15 11:49:59 mx100 MailScanner[19081]: Commercial scanner clamd timed out!
Sep 15 11:49:59 mx100 MailScanner[19081]: clamd: Failed to complete, timed out
Sep 15 11:49:59 mx100 MailScanner[19081]: Virus Scanning: Denial Of Service attack detected!

So no, you are not the only one. We see this on multiple clusters running MS.

Bye,
Raymond.

From raymond at prolocation.net Mon Sep 15 11:31:50 2008
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Mon Sep 15 11:31:58 2008
Subject: clamd DoS?
In-Reply-To: <48CE37ED.6040200@nerc.ac.uk>
References: <48CE37ED.6040200@nerc.ac.uk>
Message-ID:

Hi!

> The tell tale sign is huge increase in cpu usage as clamd hogs the
> processors.
>
> I'm using 0.93.3 and MS 4.68.8 (both to be upgraded in a couple of weeks).

Also with ClamAV 0.94 and latest MS beta it breaks. We just upgraded.

Bye,
Raymond.

From prandal at herefordshire.gov.uk Mon Sep 15 11:51:09 2008
From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Mon Sep 15 11:51:41 2008 Subject: clamd DoS? In-Reply-To: <48CE37ED.6040200@nerc.ac.uk> References: <48CE37ED.6040200@nerc.ac.uk> Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA04A6787D@HC-MBX02.herefordshire.gov.uk> I saw something similar with ClamAVModule on Friday - I increased the virus scan timeout in MailScanner.conf and the affected box has been happier since. Cheers, Phil -- Phil Randal Networks Engineer Herefordshire Council Hereford, UK -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Greg Matthews Sent: 15 September 2008 11:25 To: MailScanner discussion Subject: clamd DoS? anyone else getting hammered by Trojan.Autorun-285 making clamd suck up CPU cycles? Given enough of these trojans (~10) I'm seeing timeouts from clamd. The tell tale sign is huge increase in cpu usage as clamd hogs the processors. I'm using 0.93.3 and MS 4.68.8 (both to be upgraded in a couple of weeks). GREG -- Greg Matthews 01491 692445 Head of UNIX/Linux, iTSS Wallingford -- This message (and any attachments) is for the recipient only. NERC is subject to the Freedom of Information Act 2000 and the contents of this email and any reply you make may be disclosed by NERC unless it is exempt from release under the Act. Any material supplied to NERC may be stored in an electronic records management system. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From MailScanner at ecs.soton.ac.uk Mon Sep 15 12:19:50 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Sep 15 12:20:17 2008 Subject: Desperately trying to debug poor spam scanning performance In-Reply-To: References: <48CA9E61.7080506@photobox.com> <5A881BE9-B6B4-463D-BFE0-0D7FFF8C80F3@rtpty.com> <48CABC5B.2010603@photobox.com> Message-ID: <48CE44D6.9090907@ecs.soton.ac.uk> Ben Tisdall wrote: > Hi all, > > I've tried over the weekend to optimise spam processing speed on this > box but with no major gains. > > Here's some data that might be useful (jitter is my home box & newacorn > the not-yet-deployed production box). > > Speed Logging > ============= > > gmail => test => home > > Spam Checks = no > > newacorn: > > 11:12:31 Spam Checks completed at 43536 bytes per second > > jitter: > > 11:12:37 Spam Checks completed at 60548 bytes per second > > Spam Checks = yes > > newacorn: > > 11:15:17 Spam Checks completed at 491 bytes per second > > jitter: > > 11:15:26 Spam Checks completed at 1778 bytes per second > > > bonnie++ results: > ================= > > https://jitter.tisdall.org.uk/pub/mstest/ms_disk.html > > > Perl modules diff: > ================== > > https://jitter.tisdall.org.uk/pub/mstest/ms_modules_diff.txt > > Have you done a "MailScanner --debug --debug-sa" with a couple of messages in the queue, so you can see exactly where the slow bits are? It prints out a timestamp at the start of every line of output as the spam checks are done by SpamAssassin, so you can see which bits take a long time. Do you run a "default deny" on your outbound traffic through your firewall, so some tool like Razor (for example) is waiting for a timeout? Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! 
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From campbell at cnpapers.com Mon Sep 15 12:26:12 2008
From: campbell at cnpapers.com (Steve Campbell)
Date: Mon Sep 15 12:26:29 2008
Subject: Happy birthday , dude
Message-ID: <48CE4654.9020403@cnpapers.com>

Happy birthday.

Hear you been out west again. Have any luck?

See you when I can. In case you hadn't seen it, the Beatles tribute band "1964" is coming to town this month. (I think it's this month).

steve

From kevin.howard at jobmedia.com.au Mon Sep 15 12:28:12 2008
From: kevin.howard at jobmedia.com.au (Kevin Howard)
Date: Mon Sep 15 12:28:34 2008
Subject: how to detect koi8-r characters
Message-ID: <1A6F40B4130E4C23BDBBE9B37DC6D8BD@KHFUJITSU>

Hi,

We're receiving a lot of spam comprising Cyrillic characters in the subject line, example

Subject: =?koi8-r?B?8sXLzGHNwSDXIOnObcXSzsVtxSA=?=

and a message body which is 100% Cyrillic, some messages are plain text and some HTML. The plain messages are using:

MIME-Version: 1.0
Content-Type: text/plain; charset="koi8-r"
Content-Transfer-Encoding: 8bit

Spamassassin doesn't seem to be able to detect these reliably despite us training bayes on these messages and utilising language filters.

So we're trying to use MCP to detect them but have had no success whatsoever to date. I have tried making a rule to detect " ?koi8 " in the subject line but Mailscanner only seems to look at visible characters.

Any ideas? My preference is to stop them with MCP if possible.

Thanks,
Kevin

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080915/f3d685d0/attachment.html

From hafiz at variegate.biz Mon Sep 15 12:44:40 2008
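Added example (not part of any list message, and not MailScanner or SpamAssassin code): a Python sketch of where the charset in Kevin Howard's message is declared, namely in the raw RFC 2047 encoded-word of the Subject and in the Content-Type of the body, and why a match against the decoded, visible subject never sees the string "koi8". The function names, the SUSPECT set, the sender address and the sample body bytes are assumptions made for the illustration; the Subject and MIME headers are the ones quoted in the message.

```python
import email
from email.header import decode_header

# Charsets this (hypothetical) site never expects in legitimate mail.
SUSPECT = {"koi8-r"}

# Constructed sample: headers as quoted in the thread, body bytes invented.
SAMPLE = (
    b"From: sender@example.com\n"
    b"Subject: =?koi8-r?B?8sXLzGHNwSDXIOnObcXSzsVtxSA=?=\n"
    b"MIME-Version: 1.0\n"
    b'Content-Type: text/plain; charset="koi8-r"\n'
    b"Content-Transfer-Encoding: 8bit\n"
    b"\n"
    b"\xf0\xd2\xc9\xd7\xc5\xd4\n"
)


def raw_subject(raw):
    """Subject exactly as transmitted, encoded-words left undecoded."""
    # message_from_bytes uses the compat32 policy, which keeps headers raw.
    return str(email.message_from_bytes(raw).get("Subject", ""))


def visible_subject(raw):
    """Subject as a mail client shows it, after RFC 2047 decoding."""
    out = []
    for text, charset in decode_header(raw_subject(raw)):
        if isinstance(text, bytes):
            text = text.decode(charset or "ascii", "replace")
        out.append(text)
    return "".join(out)


def declared_charsets(raw):
    """Every charset named in encoded-word headers or MIME part headers."""
    msg = email.message_from_bytes(raw)
    found = set()
    for name in ("Subject", "From", "To"):
        for value in msg.get_all(name, []):
            for _text, charset in decode_header(str(value)):
                if charset:
                    found.add(charset.lower())
    for part in msg.walk():
        charset = part.get_content_charset()
        if charset:
            found.add(charset.lower())
    return found


def is_suspect(raw):
    """True when the message declares any charset from SUSPECT."""
    return bool(declared_charsets(raw) & SUSPECT)


if __name__ == "__main__":
    print("raw:    ", raw_subject(SAMPLE))
    print("visible:", visible_subject(SAMPLE))
    print("suspect:", is_suspect(SAMPLE))
```

A rule that is meant to key on the charset therefore has to be evaluated against the raw header or the Content-Type header, not against the decoded subject text.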
From: hafiz at variegate.biz (Mohd Hafiz Ramly) Date: Mon Sep 15 12:44:58 2008 Subject: Potential Postfix CentOS message unpacking bug In-Reply-To: <48CE134C.7080307@ecs.soton.ac.uk> References: <48CE134C.7080307@ecs.soton.ac.uk> Message-ID: <48CE4AA8.3050707@variegate.biz> An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080915/dc6964ff/attachment.html -------------- next part -------------- A non-text attachment was scrubbed... Name: bronze-SHADOW.png Type: image/png Size: 2874 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080915/dc6964ff/bronze-SHADOW.png From alex at rtpty.com Mon Sep 15 12:59:05 2008 From: alex at rtpty.com (Alex Neuman van der Hans) Date: Mon Sep 15 12:59:20 2008 Subject: Watermarking marking good mail as SPAM? In-Reply-To: <48CE17A0.1090805@cs.ucy.ac.cy> References: <48CE17A0.1090805@cs.ucy.ac.cy> Message-ID: <7697A9EB-71A0-4FC6-B7D0-3103FE9661F7@rtpty.com> Are you sure you did it? Change it to "[.SPAM.]" and see if it still happens. [SPAM] is fairly generic. On Sep 15, 2008, at 3:06 AM, Andreas Kasenides wrote: > But yet the Subject was appended with [SPAM] (our spam signature). From ms-list at alexb.ch Mon Sep 15 13:07:24 2008 
From: ms-list at alexb.ch (Alex Broens) Date: Mon Sep 15 13:07:34 2008 Subject: Potential Postfix CentOS message unpacking bug In-Reply-To: <48CE4AA8.3050707@variegate.biz> References: <48CE134C.7080307@ecs.soton.ac.uk> <48CE4AA8.3050707@variegate.biz> Message-ID: <48CE4FFC.4040509@alexb.ch> On 9/15/2008 1:44 PM, Mohd Hafiz Ramly wrote: > Hi, > > My logs shows the message was blocked all right. > > [root@mail2 ~]# cat /var/log/maillog | grep start.zip > Sep 15 17:06:50 mail2 MailScanner[2130]: ClamAVModule::INFECTED:: > Trojan.Fakealert-532 :: ./E46EC418932.42ACF/start.zip > [root@mail2 ~]# cat /var/log/maillog | grep E46EC418932.42ACF > Sep 15 17:06:50 mail2 MailScanner[2130]: ClamAVModule::INFECTED:: > Trojan.Fakealert-532 FOUND :: ./E46EC418932.42ACF/ > Sep 15 17:06:50 mail2 MailScanner[2130]: ClamAVModule::INFECTED:: > Trojan.Fakealert-532 :: ./E46EC418932.42ACF/Start.exe > Sep 15 17:06:50 mail2 MailScanner[2130]: ClamAVModule::INFECTED:: > Trojan.Fakealert-532 :: ./E46EC418932.42ACF/start.zip > Sep 15 17:06:50 mail2 MailScanner[2130]: ClamAVModule::INFECTED:: > Email.Hdr.Sanesecurity.08071800 FOUND :: ./E46EC418932.42ACF/ > Sep 15 17:06:50 mail2 MailScanner[2130]: Infected message E46EC418932.42ACF came > from 89.136.55.85 > Sep 15 17:06:50 mail2 MailScanner[2130]: Filename Checks: (E46EC418932.42ACF > Start.exe) > Sep 15 17:06:50 mail2 MailScanner[2130]: Filetype Checks: No executables > (E46EC418932.42ACF Start.exe) > Sep 15 17:06:50 mail2 MailScanner[2130]: Logging message E46EC418932.42ACF to SQL > Sep 15 17:06:50 mail2 MailScanner[4701]: E46EC418932.42ACF: Logged to MailWatch SQL > [root@mail2 ~]# > > Let me know if you anything else from the logs. on the affected systems some are detected, sadly *not* all they'd be tagged as spam Alex From Andreas.Kasenides at cs.ucy.ac.cy Mon Sep 15 13:15:59 2008 
From: Andreas.Kasenides at cs.ucy.ac.cy (Andreas Kasenides) Date: Mon Sep 15 13:16:14 2008 Subject: Watermarking marking good mail as SPAM? In-Reply-To: <7697A9EB-71A0-4FC6-B7D0-3103FE9661F7@rtpty.com> References: <48CE17A0.1090805@cs.ucy.ac.cy> <7697A9EB-71A0-4FC6-B7D0-3103FE9661F7@rtpty.com> Message-ID: <48CE51FF.1050301@cs.ucy.ac.cy> Alex Neuman van der Hans wrote: > Are you sure you did it? Change it to "[.SPAM.]" and see if it still > happens. [SPAM] is fairly generic. > > On Sep 15, 2008, at 3:06 AM, Andreas Kasenides wrote: > >> But yet the Subject was appended with [SPAM] (our spam signature). > I am certain it is not some other server that is marking the messages since messages originating from our servers have the same fate. Thanks Andreas -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080915/c45915e4/attachment.html From ben.tisdall at photobox.com Mon Sep 15 13:18:10 2008 
From: ben.tisdall at photobox.com (Ben Tisdall) Date: Mon Sep 15 13:18:20 2008 Subject: Desperately trying to debug poor spam scanning performance In-Reply-To: <48CE44D6.9090907@ecs.soton.ac.uk> References: <48CA9E61.7080506@photobox.com> <5A881BE9-B6B4-463D-BFE0-0D7FFF8C80F3@rtpty.com> <48CABC5B.2010603@photobox.com> <48CE44D6.9090907@ecs.soton.ac.uk> Message-ID: <48CE5282.4020306@photobox.com> Julian Field wrote: > >> > Have you done a "MailScanner --debug --debug-sa" with a couple of > messages in the queue, so you can see exactly where the slow bits are? > It prints out a timestamp at the start of every line of output as the > spam checks are done by SpamAssassin, so you can see which bits take a > long time. > > Do you run a "default deny" on your outbound traffic through your > firewall, so some tool like Razor (for example) is waiting for a timeout? > Thanks Jules, I *can* see a razor timeout in the debug output. The fw should allow it and indeed if I razor-check a message I can see the packet exchange happening in both directions. I'll make more tests. Best regards, Ben. -- Ben Tisdall Linux Systems Administrator | www.photobox.com From Andreas.Kasenides at cs.ucy.ac.cy Mon Sep 15 13:26:30 2008 
From: Andreas.Kasenides at cs.ucy.ac.cy (Andreas Kasenides) Date: Mon Sep 15 13:26:43 2008 Subject: Potential Postfix CentOS message unpacking bug In-Reply-To: <48CE134C.7080307@ecs.soton.ac.uk> References: <48CE134C.7080307@ecs.soton.ac.uk> Message-ID: <48CE5476.6020701@cs.ucy.ac.cy> Julian Field wrote: > As some of you may have already realised, a few people are having a > problem on particular OS's when using Postfix, where a message > generated by a particular Trojan are not being unpacked properly. > > So Postfix users on CentOS, please can you check your logs for any > 16-17Kb spams which could possibly containing an attachment called > "start.zip" (grep should find it in raw queue files, if you're > wondering how to do that for raw queue files), which have not always > been detected as infected. > > You might want to use the "Archive Mail" feature of MailScanner.conf > for a while to see if you're getting anything like that, in case you > are suffering the problem. > > We would very much like to know how widespread this problem is, so > please report back with your findings and we'll take a straw poll of > the respondents. > > Thanks folks! > > Jules > Running MS 4.71.10 with Postfix 2.3.3 and CentOS 5.2. Many of these, actually 79 in the last 36 hours or so have been caught successfully. Sep 14 07:25:25 iolaos-new MailScanner[16162]: /var/spool/MailScanner/incoming/16162/./DC59F8C275.169EC/start.zip: Trojan.Fakealert-532 FOUND Sep 14 07:25:29 iolaos-new MailScanner[15957]: /var/spool/MailScanner/incoming/15957/./C8E378C2A5.BBD68/start.zip: Trojan.Fakealert-532 FOUND Sep 14 07:26:05 iolaos-new MailScanner[15906]: /var/spool/MailScanner/incoming/15906/./6C6408C2A7.5DEC0/start.zip: Trojan.Fakealert-532 FOUND Sep 14 07:30:16 iolaos-new MailScanner[16162]: /var/spool/MailScanner/incoming/16162/./C5C768C2AA.09A93/start.zip: Trojan.Fakealert-532 FOUND ....... 
cat maillog|grep DC59F8C275.169EC Sep 14 07:25:25 iolaos-new MailScanner[16162]: /var/spool/MailScanner/incoming/16162/./DC59F8C275.169EC/start.zip: Trojan.Fakealert-532 FOUND Sep 14 07:25:25 iolaos-new MailScanner[16162]: /var/spool/MailScanner/incoming/16162/./DC59F8C275.169EC/Start.exe: Trojan.Fakealert-532 FOUND Sep 14 07:25:25 iolaos-new MailScanner[16162]: Infected message DC59F8C275.169EC came from 83.206.158.181 Sep 14 07:25:25 iolaos-new MailScanner[16162]: Filename Checks: (DC59F8C275.169EC Start.exe) Andreas -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080915/1544cb4e/attachment.html From alex at rtpty.com Mon Sep 15 13:40:57 2008 
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Mon Sep 15 13:41:16 2008 Subject: Watermarking marking good mail as SPAM? In-Reply-To: <48CE51FF.1050301@cs.ucy.ac.cy> References: <48CE17A0.1090805@cs.ucy.ac.cy> <7697A9EB-71A0-4FC6-B7D0-3103FE9661F7@rtpty.com> <48CE51FF.1050301@cs.ucy.ac.cy> Message-ID: <7384D2F2-DDF1-47F0-A642-5826B8B8563A@rtpty.com> There are milters that do the same. Humor me. I'm not saying your server's aren't doing the tagging, I'm suggesting you eliminate the possibility that something other than MailScanner is doing it. --- Alex Neuman Reliant Technologies +507 6781-9505 Skype: alexneuman On Sep 15, 2008, at 7:15 AM, Andreas Kasenides wrote: > Alex Neuman van der Hans wrote: >> >> Are you sure you did it? Change it to "[.SPAM.]" and see if it >> still happens. [SPAM] is fairly generic. >> >> On Sep 15, 2008, at 3:06 AM, Andreas Kasenides wrote: >> >>> But yet the Subject was appended with [SPAM] (our spam signature). >> > I am certain it is not some other server that is marking the messages > since messages originating from our servers have the same fate. > Thanks > Andreas > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080915/55f31a67/attachment.html From gmatt at nerc.ac.uk Mon Sep 15 13:43:20 2008 
From: gmatt at nerc.ac.uk (Greg Matthews) Date: Mon Sep 15 13:43:43 2008 Subject: clamd DoS? In-Reply-To: References: <48CE37ED.6040200@nerc.ac.uk> Message-ID: <48CE5868.10509@nerc.ac.uk> Raymond Dijkxhoorn wrote: > Also with ClamAV 0.94 and latest MS beta it breaks. We just upgraded. thanks guys, good to know. Will keep a weather eye on the list. G > > Bye, > Raymond. -- Greg Matthews 01491 692445 Head of UNIX/Linux, iTSS Wallingford -- This message (and any attachments) is for the recipient only. NERC is subject to the Freedom of Information Act 2000 and the contents of this email and any reply you make may be disclosed by NERC unless it is exempt from release under the Act. Any material supplied to NERC may be stored in an electronic records management system. From Denis.Beauchemin at USherbrooke.ca Mon Sep 15 13:49:35 2008 
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Mon Sep 15 13:49:52 2008
Subject: Desperately trying to debug poor spam scanning performance
In-Reply-To: <48CE38C9.2020308@photobox.com>
References: <48CA9E61.7080506@photobox.com> <5A881BE9-B6B4-463D-BFE0-0D7FFF8C80F3@rtpty.com> <48CABC5B.2010603@photobox.com> <48CE38C9.2020308@photobox.com>
Message-ID: <48CE59DF.8000705@USherbrooke.ca>

Ben Tisdall wrote:
> Hi all,
>
> I've tried over the weekend to optimise spam processing speed on this
> box but with no major gains.
>
> Here's some data that might be useful (jitter is my home box & newacorn
> the not-yet-deployed production box).
>
> Speed Logging
> =============
>
> gmail => test => home
>
> Spam Checks = no
>
> newacorn:
>
> 11:12:31 Spam Checks completed at 43536 bytes per second
>
> jitter:
>
> 11:12:37 Spam Checks completed at 60548 bytes per second
>
> Spam Checks = yes
>
> newacorn:
>
> 11:15:17 Spam Checks completed at 491 bytes per second
>
> jitter:
>
> 11:15:26 Spam Checks completed at 1778 bytes per second
>
>
> bonnie++ results:
> =================
>
> https://jitter.tisdall.org.uk/pub/mstest/ms_disk.html
>
>
> Perl modules diff:
> ==================
>
> https://jitter.tisdall.org.uk/pub/mstest/ms_modules_diff.txt
>
> Let me know if any further info would be helpful.
>
> Thanks!
>
> Best regards,
>
> Ben.
>
>

Ben,

Is newacorn your new machine? If so, it has really bad I/O figures compared to jitter. Maybe you should look into this.

Denis

--
   _
  °v°   Denis Beauchemin, analyst
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3306 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080915/661552e9/smime.bin

From ms-list at alexb.ch Mon Sep 15 14:12:36 2008
From: ms-list at alexb.ch (Alex Broens) Date: Mon Sep 15 14:12:58 2008 Subject: Potential Postfix CentOS message unpacking bug In-Reply-To: <48CE5476.6020701@cs.ucy.ac.cy> References: <48CE134C.7080307@ecs.soton.ac.uk> <48CE5476.6020701@cs.ucy.ac.cy> Message-ID: <48CE5F44.4020901@alexb.ch> On 9/15/2008 2:26 PM, Andreas Kasenides wrote: > Julian Field wrote: >> As some of you may have already realised, a few people are having a >> problem on particular OS's when using Postfix, where a message >> generated by a particular Trojan are not being unpacked properly. >> >> So Postfix users on CentOS, please can you check your logs for any >> 16-17Kb spams which could possibly containing an attachment called >> "start.zip" (grep should find it in raw queue files, if you're >> wondering how to do that for raw queue files), which have not always >> been detected as infected. >> >> You might want to use the "Archive Mail" feature of MailScanner.conf >> for a while to see if you're getting anything like that, in case you >> are suffering the problem. >> >> We would very much like to know how widespread this problem is, so >> please report back with your findings and we'll take a straw poll of >> the respondents. >> >> Thanks folks! >> >> Jules >> > Running MS 4.71.10 with Postfix 2.3.3 and CentOS 5.2. > Many of these, actually 79 in the last 36 hours or so have been caught > successfully. many... cool how many were tagged as spam and not detected? Subjects can be: So cute! How Sun loves... Dare to see! Can't miss this. Tears from the Moon. Just watch this! all between 16.4kb and 16.8kb for those using Mailwatch they should be easy to find thanks all for your help Alex From ben.tisdall at photobox.com Mon Sep 15 14:24:30 2008 
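Added example (not part of any list message, and not MailScanner code): a Python sketch of the check requested in this thread, which cross-references archived messages that look like the "start.zip" mail (16-17 KB, attachment name present in the raw text) against maillog and lists the ones never reported as infected. It understands the two scanner line formats quoted by the respondents (clamd and ClamAVModule) plus the "Infected message" verdict line. The message IDs, hosts, addresses and archive contents below are constructed, and the idea that the archive can be read as a mapping of message ID to raw bytes is an assumption.

```python
import re

# Message IDs as they appear in the thread's logs, e.g. DC59F8C275.169EC
# (hex queue ID, a dot, five hex digits).
QID = r"[0-9A-F]+\.[0-9A-F]{5}"

# Scanner output names a file under the per-message work directory:
#   .../incoming/16162/./<id>/start.zip: Trojan.Fakealert-532 FOUND    (clamd)
#   ClamAVModule::INFECTED:: Trojan.Fakealert-532 :: ./<id>/start.zip
SCANNER_HIT = re.compile(r"\./(" + QID + r")/")
# MailScanner's verdict line for the message as a whole.
VERDICT = re.compile(r"MailScanner\[\d+\]: Infected message (" + QID + r") came from")

SIZE_MIN, SIZE_MAX = 16 * 1024, 17 * 1024  # the "16-17Kb" asked for in the thread


def flagged_ids(log_lines):
    """Map message ID -> kinds of evidence ('scanner', 'verdict') seen in maillog."""
    evidence = {}
    for line in log_lines:
        m = VERDICT.search(line)
        if m:
            evidence.setdefault(m.group(1), set()).add("verdict")
            continue
        if "FOUND" in line or "INFECTED" in line:
            m = SCANNER_HIT.search(line)
            if m:
                evidence.setdefault(m.group(1), set()).add("scanner")
    return evidence


def is_candidate(raw):
    """Same test as grepping a raw file: size in range and the attachment name.

    Deliberately a byte search, not a MIME parse, because the problem being
    hunted is a message that does not unpack properly.
    """
    return SIZE_MIN <= len(raw) <= SIZE_MAX and b"start.zip" in raw.lower()


def find_missed(archive, log_lines):
    """IDs of archived candidates that maillog never reported as infected."""
    flagged = flagged_ids(log_lines)
    return sorted(
        mid for mid, raw in archive.items()
        if is_candidate(raw) and "verdict" not in flagged.get(mid, ())
    )


def _sample(padding):
    # Constructed stand-in for a raw message carrying the attachment name.
    head = b'Content-Disposition: attachment; filename="start.zip"\n\n'
    return head + b"A" * padding


# Constructed archive: message ID -> raw bytes (assumed layout).
ARCHIVE = {
    "1A2B3C4D5E.00001": _sample(16500),
    "1A2B3C4D5F.00002": _sample(16600),
    "1A2B3C4D60.00003": _sample(16700),  # never mentioned in the log below
    "1A2B3C4D61.00004": b"Subject: hello\n\nshort, unrelated message\n",
}

# Constructed maillog lines modelled on the formats quoted in the thread.
MAILLOG = [
    "Sep 15 10:00:01 mx MailScanner[100]: /var/spool/MailScanner/incoming/100/"
    "./1A2B3C4D5E.00001/start.zip: Trojan.Fakealert-532 FOUND",
    "Sep 15 10:00:01 mx MailScanner[100]: Infected message 1A2B3C4D5E.00001 "
    "came from 192.0.2.10",
    "Sep 15 10:00:05 mx MailScanner[101]: ClamAVModule::INFECTED:: "
    "Trojan.Fakealert-532 :: ./1A2B3C4D5F.00002/start.zip",
    "Sep 15 10:00:05 mx MailScanner[101]: Infected message 1A2B3C4D5F.00002 "
    "came from 192.0.2.11",
    "Sep 15 10:00:09 mx MailScanner[102]: Filename Checks: "
    "(1A2B3C4D5F.00002 Start.exe)",
]

if __name__ == "__main__":
    for mid in find_missed(ARCHIVE, MAILLOG):
        print("archived start.zip candidate with no infection verdict:", mid)
```

The number worth reporting back to the list is the size of the `find_missed` result compared with the number of candidates in the archive.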
From: ben.tisdall at photobox.com (Ben Tisdall) Date: Mon Sep 15 14:24:40 2008 Subject: Desperately trying to debug poor spam scanning performance In-Reply-To: <48CE44D6.9090907@ecs.soton.ac.uk> References: <48CA9E61.7080506@photobox.com> <5A881BE9-B6B4-463D-BFE0-0D7FFF8C80F3@rtpty.com> <48CABC5B.2010603@photobox.com> <48CE44D6.9090907@ecs.soton.ac.uk> Message-ID: <48CE620E.9060909@photobox.com> The razor timeout seemed to have been a one-off. Here's a debug output (clearly Pyzor's unhappy, but it's the same on the comparison machine too, turning off doesn't help) https://jitter.tisdall.org.uk/pub/mstest/ms_debug.txt Best regards, Ben. -- Ben Tisdall Linux Systems Administrator | www.photobox.com Google Talk: ben.tisdall@gmail.com | skype: btisdall +44 (0)20 8453 6161 From alex at rtpty.com Mon Sep 15 14:40:28 2008 
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Mon Sep 15 14:40:52 2008 Subject: Potential Postfix CentOS message unpacking bug In-Reply-To: <48CE5476.6020701@cs.ucy.ac.cy> References: <48CE134C.7080307@ecs.soton.ac.uk> <48CE5476.6020701@cs.ucy.ac.cy> Message-ID: I'm not affected since I use sendmail, but if you guys post a brief howto regarding submitting samples I'll be glad to help. --- Alex Neuman Reliant Technologies +507 6781-9505 Skype: alexneuman On Sep 15, 2008, at 7:26 AM, Andreas Kasenides wrote: > Julian Field wrote: >> >> As some of you may have already realised, a few people are having a >> problem on particular OS's when using Postfix, where a message >> generated by a particular Trojan are not being unpacked properly. >> >> So Postfix users on CentOS, please can you check your logs for any >> 16-17Kb spams which could possibly containing an attachment called >> "start.zip" (grep should find it in raw queue files, if you're >> wondering how to do that for raw queue files), which have not >> always been detected as infected. >> >> You might want to use the "Archive Mail" feature of >> MailScanner.conf for a while to see if you're getting anything like >> that, in case you are suffering the problem. >> >> We would very much like to know how widespread this problem is, so >> please report back with your findings and we'll take a straw poll >> of the respondents. >> >> Thanks folks! >> >> Jules >> > Running MS 4.71.10 with Postfix 2.3.3 and CentOS 5.2. > Many of these, actually 79 in the last 36 hours or so have been > caught successfully. 
> > Sep 14 07:25:25 iolaos-new MailScanner[16162]: /var/spool/ > MailScanner/incoming/16162/./DC59F8C275.169EC/start.zip: > Trojan.Fakealert-532 FOUND > Sep 14 07:25:29 iolaos-new MailScanner[15957]: /var/spool/ > MailScanner/incoming/15957/./C8E378C2A5.BBD68/start.zip: > Trojan.Fakealert-532 FOUND > Sep 14 07:26:05 iolaos-new MailScanner[15906]: /var/spool/ > MailScanner/incoming/15906/./6C6408C2A7.5DEC0/start.zip: > Trojan.Fakealert-532 FOUND > Sep 14 07:30:16 iolaos-new MailScanner[16162]: /var/spool/ > MailScanner/incoming/16162/./C5C768C2AA.09A93/start.zip: > Trojan.Fakealert-532 FOUND > ....... > cat maillog|grep DC59F8C275.169EC > Sep 14 07:25:25 iolaos-new MailScanner[16162]: /var/spool/ > MailScanner/incoming/16162/./DC59F8C275.169EC/start.zip: > Trojan.Fakealert-532 FOUND > Sep 14 07:25:25 iolaos-new MailScanner[16162]: /var/spool/ > MailScanner/incoming/16162/./DC59F8C275.169EC/Start.exe: > Trojan.Fakealert-532 FOUND > Sep 14 07:25:25 iolaos-new MailScanner[16162]: Infected message > DC59F8C275.169EC came from 83.206.158.181 > Sep 14 07:25:25 iolaos-new MailScanner[16162]: Filename Checks: > (DC59F8C275.169EC Start.exe) > > > Andreas > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080915/1a67173d/attachment.html From campbell at cnpapers.com Mon Sep 15 15:34:39 2008 
From: campbell at cnpapers.com (Steve Campbell) Date: Mon Sep 15 15:35:02 2008 Subject: Happy birthday , dude In-Reply-To: <48CE4654.9020403@cnpapers.com> References: <48CE4654.9020403@cnpapers.com> Message-ID: <48CE727F.6040701@cnpapers.com> Talk about spam . Sorry for the errant "To:". Should have went to someone else, obviously. Steve Campbell wrote: > Happy birthday. > > Hear you been out west again. Have any luck? > > See you when I can. In case you hadn't seen it, the Beatles tribute > band "1964" is coming to town this month. (I think it's this month). > > steve > From dstraka at caspercollege.edu Mon Sep 15 15:52:52 2008 From: dstraka at caspercollege.edu (Daniel Straka) Date: Mon Sep 15 15:53:25 2008 Subject: A lot of spam getting through this weekend Message-ID: <48CE2264.61A4.0000.0@caspercollege.edu> Over the past 4 day sooo much spam is getting through my MailScanner installation that I'm beginning to wonder if the spammers have figured out a way to get around it. A lot of *exually related messages, bank phishing attempts and more. MailScanner / SpamAssassin appear to be working ok yet everyone is getting about 10x the usual amount of spam making it into their mailboxes. Is anyone else seeing an issue like this? Thanks, -- Dan Straka Systems Coordinator Casper College 307.268.2399 www.caspercollege.edu ( http://www.caspercollege.edu/ ) From uxbod at splatnix.net Mon Sep 15 16:06:36 2008 
From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Mon Sep 15 16:07:07 2008 Subject: A lot of spam getting through this weekend In-Reply-To: <48CE2264.61A4.0000.0@caspercollege.edu> Message-ID: <15680497.2911221491195965.JavaMail.root@office.splatnix.net> Nope, as I use the SaneSecurity clam sigs which appear to be blocking ~98% of them. Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- "Daniel Straka" wrote: > Over the past 4 day sooo much spam is getting through my MailScanner > installation that I'm beginning to wonder if the spammers have figured > out a way to get around it. A lot of *exually related messages, bank > phishing attempts and more. > > MailScanner / SpamAssassin appear to be working ok yet everyone is > getting about 10x the usual amount of spam making it into their > mailboxes. > > Is anyone else seeing an issue like this? > > > > Thanks, -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From martinh at solidstatelogic.com Mon Sep 15 16:27:33 2008 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Mon Sep 15 16:27:46 2008 Subject: A lot of spam getting through this weekend In-Reply-To: <48CE2264.61A4.0000.0@caspercollege.edu> Message-ID: Dan Same here - looking at the scores my Bayes is low/negative scoring so I'm thinking about resetting with the starter one from www.fsl.com/support Saying that I had three under my spam threshold (5) and 23 in the spam (5-10) which were subject tagged and delivered and goodness knows how many blocked so... -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Daniel Straka > Sent: 15 September 2008 15:53 > To: mailscanner@lists.mailscanner.info > Subject: A lot of spam getting through this weekend > > Over the past 4 day sooo much spam is getting through my > MailScanner installation that I'm beginning to wonder if the > spammers have figured out a way to get around it. A lot of > *exually related messages, bank phishing attempts and more. > MailScanner / SpamAssassin appear to be working ok yet > everyone is getting about 10x the usual amount of spam making > it into their mailboxes. > Is anyone else seeing an issue like this? > > Thanks, > -- > > Dan Straka > Systems Coordinator > Casper College > 307.268.2399 > www.caspercollege.edu ( http://www.caspercollege.edu/ ) > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. 
Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From MailScanner at ecs.soton.ac.uk Mon Sep 15 16:31:28 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Sep 15 16:31:51 2008 Subject: clamd DoS? In-Reply-To: References: <48CE37ED.6040200@nerc.ac.uk> Message-ID: <48CE7FD0.3070909@ecs.soton.ac.uk> Raymond Dijkxhoorn wrote: > Hi! > >> The tell tale sign is huge increase in cpu usage as clamd hogs the >> processors. >> >> I'm using 0.93.3 and MS 4.68.8 (both to be upgraded in a couple of >> weeks). > > Also with ClamAV 0.94 and latest MS beta it breaks. We just upgraded. I just ran the message with clamd and had no problems at all. At Mon Sep 15 16:29:30 2008 the virus scanner said: Clamd: contract_I1.zip was infected: Trojan.Agent-49425 # clamscan --version ClamAV 0.94/8247/Mon Sep 15 13:04:53 2008 Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From raymond at prolocation.net Mon Sep 15 16:46:19 2008
From: raymond at prolocation.net (Raymond Dijkxhoorn) Date: Mon Sep 15 16:46:30 2008 Subject: clamd DoS? In-Reply-To: <48CE7FD0.3070909@ecs.soton.ac.uk> References: <48CE37ED.6040200@nerc.ac.uk> <48CE7FD0.3070909@ecs.soton.ac.uk> Message-ID: Hi! > Also with ClamAV 0.94 and latest MS beta it breaks. We just upgraded. > I just ran the message with clamd and had no problems at all. > > At Mon Sep 15 16:29:30 2008 the virus scanner said: > Clamd: contract_I1.zip was infected: Trojan.Agent-49425 > > # clamscan --version > ClamAV 0.94/8247/Mon Sep 15 13:04:53 2008 We have 4 different sites that are having all the same issue, with various versions of MailScanner. I don't know if we can test feeding it Clam directly. But inside MailScanner with ClamD running it really breaks. So strange. If needed we can give you access to a couple of the machines. Bye, Raymond. From MailScanner at ecs.soton.ac.uk Mon Sep 15 17:07:48 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Sep 15 17:08:17 2008 Subject: clamd DoS? In-Reply-To: References: <48CE37ED.6040200@nerc.ac.uk> <48CE7FD0.3070909@ecs.soton.ac.uk> Message-ID: <48CE8854.8000508@ecs.soton.ac.uk> Raymond Dijkxhoorn wrote: > Hi! > >> Also with ClamAV 0.94 and latest MS beta it breaks. We just upgraded. >> I just ran the message with clamd and had no problems at all. >> >> At Mon Sep 15 16:29:30 2008 the virus scanner said: >> Clamd: contract_I1.zip was infected: Trojan.Agent-49425 >> >> # clamscan --version >> ClamAV 0.94/8247/Mon Sep 15 13:04:53 2008 > > We have 4 different sites that are having all the same issue, with > various versions of MailScanner. I don't know if we can test feeding it > Clam directly. But inside MailScanner with ClamD running it really > breaks. So strange. In /usr/sbin/MailScanner there are a couple of calls to "Explode". Immediately after them, add a line saying exit; and it will stop straight after the attachment unpacking. Then you can go into /var/spool/MailScanner/incoming, find the relevant directory and see what attachments it pulled out. Then try clamscan-ing them by hand. If the attachments look okay in that directory, then it's a clamd issue I think. I would be interested to see what clamscan makes of them when run by hand. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From Paul.Bijnens at xplanation.com Mon Sep 15 17:18:10 2008
From: Paul.Bijnens at xplanation.com (Paul Bijnens) Date: Mon Sep 15 17:18:19 2008 Subject: Potential Postfix CentOS message unpacking bug In-Reply-To: <48CE217A.6050208@xplanation.com> References: <48CE134C.7080307@ecs.soton.ac.uk> <48CE217A.6050208@xplanation.com> Message-ID: <48CE8AC2.8040600@xplanation.com> On 2008-09-15 10:48, Paul Bijnens wrote: > On 2008-09-15 09:48, Julian Field wrote: >> As some of you may have already realised, a few people are having a >> problem on particular OS's when using Postfix, where a message >> generated by a particular Trojan are not being unpacked properly. >> >> So Postfix users on CentOS, please can you check your logs for any >> 16-17Kb spams which could possibly containing an attachment called >> "start.zip" (grep should find it in raw queue files, if you're >> wondering how to do that for raw queue files), which have not always >> been detected as infected. >> >> You might want to use the "Archive Mail" feature of MailScanner.conf >> for a while to see if you're getting anything like that, in case you >> are suffering the problem. >> >> We would very much like to know how widespread this problem is, so >> please report back with your findings and we'll take a straw poll of >> the respondents. > > > Running MailScanner on CentOS here, with archiving enabled as well. > > I did not find any message containing an attachment "start.zip" in > my archived mails (between sep 11 and now sep 15 10:41 MET, for a total of > 10928 mails). > > I'll still keep an eye on it for some days. If the threat is indeed about the Trojan.Fakealert-532, then we had some in, and successfully blocked as well. Just a few minutes ago: ClamAV: tube.zip contains Trojan.Fakealert-532 and some more last weekend, but all with different attachment names. But none got through.
-- Paul Bijnens, xplanation Technology Services Tel +32 16 397.511 Technologielaan 21 bus 2, B-3001 Leuven, BELGIUM Fax +32 16 397.512 http://www.xplanation.com/ email: Paul.Bijnens@xplanation.com *********************************************************************** * I think I've got the hang of it now: exit, ^D, ^C, ^\, ^Z, ^Q, ^^, * * F6, quit, ZZ, :q, :q!, M-Z, ^X^C, logoff, logout, close, bye, /bye, * * stop, end, F3, ~., ^]c, +++ ATH, disconnect, halt, abort, hangup, * * PF4, F20, ^X^X, :D::D, KJOB, F14-f-e, F8-e, kill -1 $$, shutdown, * * init 0, kill -9 1, Alt-F4, Ctrl-Alt-Del, AltGr-NumLock, Stop-A, ... * * ... "Are you sure?" ... YES ... Phew ... I'm out * *********************************************************************** From ssilva at sgvwater.com Mon Sep 15 17:42:34 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Mon Sep 15 17:42:57 2008 Subject: Error with EMTPY_MESSAGE In-Reply-To: <48CB7428.1030501@vanderkooij.org> References: <48CB7428.1030501@vanderkooij.org> Message-ID: on 9-13-2008 1:04 AM Hugo van der Kooij spake the following: > Hi, > > It seems to me that SA is flagging just about any message as EMPTY_MESSAGE. > > Is anyone else seeing this too? > > Hugo. > I only have 40 in over 93,000 messages. And all of those are fairly randomly spread out by date. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Mon Sep 15 17:51:59 2008
From: ssilva at sgvwater.com (Scott Silva) Date: Mon Sep 15 17:52:16 2008 Subject: Error with EMTPY_MESSAGE In-Reply-To: <223f97700809140404v7caa0216q1ab03d4472222924@mail.gmail.com> References: <48CB7428.1030501@vanderkooij.org> <48CBC693.6060806@vanderkooij.org> <223f97700809130742q7029ec3bo2d3f06088f013ccd@mail.gmail.com> <48CBFC6A.6050300@vanderkooij.org> <223f97700809131112sc6d34basd6ba785f42114dcd@mail.gmail.com> <48CCDEF3.9060903@vanderkooij.org> <223f97700809140404v7caa0216q1ab03d4472222924@mail.gmail.com> Message-ID: >> But if a beta version can be created that allows one to use postcat >> instead of a native MailScanner parser of the raw queue file just to see >> if it is a factor then I can test that as my MailScanner server is >> pretty low in traffic. > Not really doable, not really where the problem is at, unfortunately. > It's more insidious than that:-). > >> Hugo. >> > > Cheers And you guys were making fun of my sendmail install last year! Now who's laughing! ;-P -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From Kevin_Miller at ci.juneau.ak.us Mon Sep 15 18:58:51 2008
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Mon Sep 15 18:59:09 2008 Subject: Happy birthday , dude In-Reply-To: <48CE727F.6040701@cnpapers.com> References: <48CE4654.9020403@cnpapers.com> <48CE727F.6040701@cnpapers.com> Message-ID: Steve Campbell wrote: > Talk about spam . Sorry for the errant "To:". Should have went to > someone else, obviously. > > > Steve Campbell wrote: >> Happy birthday. >> >> Hear you been out west again. Have any luck? >> >> See you when I can. In case you hadn't seen it, the Beatles tribute >> band "1964" is coming to town this month. (I think it's this month). >> >> steve Does that mean I'm not gonna get a present? ;-) ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From submit at zuka.net Mon Sep 15 19:00:34 2008 From: submit at zuka.net (Dave Filchak) Date: Mon Sep 15 19:01:00 2008 Subject: Potential Postfix CentOS message unpacking bug In-Reply-To: <48CE134C.7080307@ecs.soton.ac.uk> References: <48CE134C.7080307@ecs.soton.ac.uk> Message-ID: <48CEA2C2.2050104@zuka.net> Julian Field wrote: >
As some > of you may have already realised, a few people are having a problem on > particular OS's when using Postfix, where a message generated by a > particular Trojan are not being unpacked properly. > > So Postfix users on CentOS, please can you check your logs for any > 16-17Kb spams which could possibly containing an attachment called > "start.zip" (grep should find it in raw queue files, if you're > wondering how to do that for raw queue files), which have not always > been detected as infected. > > You might want to use the "Archive Mail" feature of MailScanner.conf > for a while to see if you're getting anything like that, in case you > are suffering the problem. > > We would very much like to know how widespread this problem is, so > please report back with your findings and we'll take a straw poll of > the respondents. > > Thanks folks! > > Jules > Nothing here that I can see at this point Jules. Dave From campbell at cnpapers.com Mon Sep 15 19:15:28 2008 From: campbell at cnpapers.com (Steve Campbell) Date: Mon Sep 15 19:15:45 2008 Subject: Happy birthday , dude In-Reply-To: References: <48CE4654.9020403@cnpapers.com> <48CE727F.6040701@cnpapers.com> Message-ID: <48CEA640.1060709@cnpapers.com> What makes you think somebody who can't hit the right line in a drop-down is gonna be able to get a present to anyone, anyhow? I'll do my best. steve Kevin Miller wrote: > Steve Campbell wrote: > >> Talk about spam . Sorry for the errant "To:". Should have went to >> someone else, obviously. >> >> >> Steve Campbell wrote: >> >>> Happy birthday. >>> >>> Hear you been out west again. Have any luck? >>> >>> See you when I can. In case you hadn't seen it, the Beatles tribute >>> band "1964" is coming to town this month. (I think it's this month). >>> >>> steve >>> > > Does that mean I'm not gonna get a present? ;-) > > ...Kevin > From alex at rtpty.com Mon Sep 15 19:51:51 2008 
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Mon Sep 15 19:52:04 2008 Subject: Way OT: Petition Message-ID: <37E268F2-CA94-40E4-AA5B-2845F5ED3DFC@rtpty.com> Guys, Since some of you blokes actually watch BBC from time to time between disasters, I'd like to let you know there's a petition circulating regarding David Tennant being allowed to light/carry the torch at the 2012 Olympics, per the "Fear Her" episode. Would be fun, right? http://www.petitiononline.com/Drwh2012/petition.html Regards, Alex From uxbod at splatnix.net Mon Sep 15 20:35:46 2008 From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Mon Sep 15 20:36:05 2008 Subject: Way OT: Petition In-Reply-To: <19374072.3121221507257971.JavaMail.root@office.splatnix.net> Message-ID: <11813714.3141221507346509.JavaMail.root@office.splatnix.net> So what is David's sporting background? How has he elevated the British level of achievement? Hey we could not even consider Richard Fox (World Canoe Slalom Champion x 10) who now coaches Australia! (and yes when I was younger I trained with him in the UK!). Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- "Alex Neuman van der Hans" wrote: > Guys, > > > > Since some of you blokes actually watch BBC from time to time between > > disasters, I'd like to let you know there's a petition circulating > > regarding David Tennant being allowed to light/carry the torch at the > > 2012 Olympics, per the "Fear Her" episode. Would be fun, right? > > > > http://www.petitiononline.com/Drwh2012/petition.html > > > > Regards, > > > > Alex -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From uxbod at splatnix.net Mon Sep 15 20:39:42 2008
From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Mon Sep 15 20:39:59 2008 Subject: Way OT: Petition In-Reply-To: <37E268F2-CA94-40E4-AA5B-2845F5ED3DFC@rtpty.com> Message-ID: <2381076.3171221507582920.JavaMail.root@office.splatnix.net> Sorry RF 5x! Though hey how many people have done that! 5 x World Champion 1 x World Bronze medallist 5 x World team Champion Olympian 8 x National Champion Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- "Alex Neuman van der Hans" wrote: > Guys, > > > > Since some of you blokes actually watch BBC from time to time between > > disasters, I'd like to let you know there's a petition circulating > > regarding David Tennant being allowed to light/carry the torch at the > > 2012 Olympics, per the "Fear Her" episode. Would be fun, right? > > > > http://www.petitiononline.com/Drwh2012/petition.html > > > > Regards, > > > > Alex -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mark at msapiro.net Mon Sep 15 21:16:22 2008 
From: mark at msapiro.net (Mark Sapiro) Date: Mon Sep 15 21:16:36 2008 Subject: Potential Postfix CentOS message unpacking bug In-Reply-To: <48CE134C.7080307@ecs.soton.ac.uk> References: <48CE134C.7080307@ecs.soton.ac.uk> Message-ID: <20080915201622.GA4068@msapiro> On Mon, Sep 15, 2008 at 08:48:28AM +0100, Julian Field wrote: > > So Postfix users on CentOS, please can you check your logs for any > 16-17Kb spams which could possibly containing an attachment called > "start.zip" (grep should find it in raw queue files, if you're wondering > how to do that for raw queue files), which have not always been detected > as infected. I have seen exactly one of these /var/log/maillog:Sep 15 00:25:16 sbh16 MailScanner[783]: ClamAVModule::INFECTED:: Trojan.Fakealert-532 :: ./4C266690092.86EA5/start.zip in the last 30 days and no spam quarantined with start.zip attachments. > You might want to use the "Archive Mail" feature of MailScanner.conf for > a while to see if you're getting anything like that, in case you are > suffering the problem. I have just enabled Archive Mail and will look for start.zip in the archive. It would help if someone could post one of the infected messages that isn't properly scanned on the web somewhere and post a link here so we could test with that. -- Mark Sapiro mark at msapiro net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From Kevin_Miller at ci.juneau.ak.us Mon Sep 15 21:22:17 2008 
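Julian Field's request above (find start.zip messages that were not always flagged) comes down to comparing what sits in the mail archive with the detection lines that Andreas Kasenides and Mark Sapiro quoted from their maillogs. The Python below is an added example, not code from MailScanner or from any poster; it assumes the Archive Mail directory holds one raw file per message named by its queue ID, and the queue IDs 0A1B2C3D4E.F0F0F and 1F2E3D4C5B.00A1B and the archive contents are constructed.

```python
import os
import re
import tempfile

# Queue IDs in this thread look like DC59F8C275.169EC or 4C266690092.86EA5.
QID = r"(?P<qid>[0-9A-F]{6,}\.[0-9A-F]{5})"

# The three detection line formats quoted in the thread.
DETECTIONS = [
    # .../incoming/<pid>/./<qid>/<file>: <signature> FOUND
    re.compile(r"/\./" + QID + r"/(?P<file>[^:]+): (?P<sig>\S+) FOUND$"),
    # ClamAVModule::INFECTED:: <signature> :: ./<qid>/<file>
    re.compile(r"ClamAVModule::INFECTED:: (?P<sig>\S+) :: \./" + QID
               + r"/(?P<file>.+)$"),
    # Infected message <qid> came from <ip>
    re.compile(r"Infected message " + QID + r" came from "),
]

# Log lines as quoted in the thread, with the reply line-wrapping undone.
SAMPLE_LOG = """\
Sep 14 07:25:25 iolaos-new MailScanner[16162]: /var/spool/MailScanner/incoming/16162/./DC59F8C275.169EC/start.zip: Trojan.Fakealert-532 FOUND
Sep 14 07:25:25 iolaos-new MailScanner[16162]: /var/spool/MailScanner/incoming/16162/./DC59F8C275.169EC/Start.exe: Trojan.Fakealert-532 FOUND
Sep 14 07:25:25 iolaos-new MailScanner[16162]: Infected message DC59F8C275.169EC came from 83.206.158.181
Sep 15 00:25:16 sbh16 MailScanner[783]: ClamAVModule::INFECTED:: Trojan.Fakealert-532 :: ./4C266690092.86EA5/start.zip
""".splitlines()


def detected(lines):
    """Map queue ID -> set of (file, signature) pairs logged as infected."""
    hits = {}
    for line in lines:
        for rx in DETECTIONS:
            m = rx.search(line.rstrip())
            if not m:
                continue
            found = m.groupdict()
            per_msg = hits.setdefault(found["qid"], set())
            if found.get("sig"):
                per_msg.add((found["file"], found["sig"]))
            break
    return hits


def archived_with(directory, needle=b"start.zip"):
    """Queue IDs of archived raw messages that mention the attachment name."""
    ids = set()
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if not re.fullmatch(QID, name):
                continue  # assumption: archive files are named by queue ID
            with open(os.path.join(root, name), "rb") as fh:
                if needle.lower() in fh.read().lower():
                    ids.add(name)
    return ids


def undetected(directory, log_lines, needle=b"start.zip"):
    """Archived messages carrying the attachment with no detection logged."""
    return sorted(archived_with(directory, needle) - set(detected(log_lines)))


def demo():
    """Build a constructed archive and compare it with SAMPLE_LOG."""
    attachment = b'Content-Disposition: attachment; filename="start.zip"\n'
    archive = {
        "DC59F8C275.169EC": attachment,       # flagged (Andreas's log)
        "4C266690092.86EA5": attachment,      # flagged (Mark's log)
        "0A1B2C3D4E.F0F0F": attachment,       # constructed: never flagged
        "1F2E3D4C5B.00A1B": b"Subject: hello\n",  # constructed: no attachment
    }
    with tempfile.TemporaryDirectory() as tmp:
        for qid, body in archive.items():
            with open(os.path.join(tmp, qid), "wb") as fh:
                fh.write(body)
        return undetected(tmp, SAMPLE_LOG)


if __name__ == "__main__":
    print("archived with start.zip but never flagged:", demo())
```

Any queue ID this reports is a candidate for the by-hand unpack and clamscan check described later in the thread.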
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Mon Sep 15 21:22:30 2008 Subject: clamd DoS? In-Reply-To: <48CE8854.8000508@ecs.soton.ac.uk> References: <48CE37ED.6040200@nerc.ac.uk> <48CE7FD0.3070909@ecs.soton.ac.uk> <48CE8854.8000508@ecs.soton.ac.uk> Message-ID: Julian Field wrote: > In /usr/sbin/MailScanner there are a couple of calls to "Explode". > Immediately after them, add a line saying > exit; > and it will stop straight after the attachment unpacking. > Then you can go into /var/spool/MailScanner/incoming, find the > relevant directory and see what attachments it pulled out. > Then try clamscan-ing them by hand. If the attachments look okay in > that directory, then it's a clamd issue I think. I would be > interested to see what clamscan makes of them when run by hand. I was seeing a number of spam messages coming in w/the subject "Credit card transaction report". Every now and then one would get tagged as a virus, but most weren't. However, I went into MailWatch, selected one that wasn't marked as viral and saved the attached Report.zip to my linux workstation. Ark extracted the file report.doc.exe. I kicked off top in a term window, opened another terminal and ran 'clamscan report.doc.exe'. W/in a couple seconds CPU utilization was pegged. I'm running plain old clamav, not clamscan or clamd. Not much to go on, but maybe this will help a bit... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From hvdkooij at vanderkooij.org Mon Sep 15 21:41:59 2008 
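Julian Field's by-hand check (clamscan each attachment that MailScanner unpacked) and Kevin Miller's report of clamscan pegging the CPU on report.doc.exe suggest running the scanner under a CPU and wall-clock limit, so that one file cannot stall the triage and the stalling file is identified. This Python is an added example, not code from the thread, MailScanner or ClamAV; the function names and verdict labels are assumptions, and it relies only on clamscan's --no-summary option and its exit codes 0 (clean) and 1 (infected). Unix only.

```python
import os
import resource
import signal
import subprocess
import sys


def _cpu_limit(seconds):
    """Return a hook that caps the child's CPU time before exec."""
    def apply():
        _soft, hard = resource.getrlimit(resource.RLIMIT_CPU)
        # Never try to raise an existing hard limit; that needs privileges.
        if hard == resource.RLIM_INFINITY:
            new_hard = seconds + 1
        else:
            new_hard = min(hard, seconds + 1)
        resource.setrlimit(resource.RLIMIT_CPU,
                           (min(seconds, new_hard), new_hard))
    return apply


def scan_with_limits(path, scanner=("clamscan", "--no-summary"),
                     cpu_seconds=30, wall_seconds=120):
    """Scan one file and return (verdict, scanner output)."""
    try:
        proc = subprocess.run(
            [*scanner, path],
            stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
            text=True, errors="replace",
            timeout=wall_seconds,
            preexec_fn=_cpu_limit(cpu_seconds),
        )
    except subprocess.TimeoutExpired:
        return "wall-timeout", ""
    # SIGXCPU arrives at the soft limit, SIGKILL at the hard limit.
    if proc.returncode in (-signal.SIGXCPU, -signal.SIGKILL):
        return "cpu-limit", proc.stdout.strip()
    verdict = {0: "clean", 1: "infected"}.get(proc.returncode, "error")
    return verdict, proc.stdout.strip()


def triage(directory, **limits):
    """Scan every file under directory; map relative path -> (verdict, output)."""
    results = {}
    for root, _dirs, files in os.walk(directory):
        for name in sorted(files):
            full = os.path.join(root, name)
            rel = os.path.relpath(full, directory)
            results[rel] = scan_with_limits(full, **limits)
    return results


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: triage.py /var/spool/MailScanner/incoming/<pid>/<queue-id>")
    for rel, (verdict, output) in sorted(triage(sys.argv[1]).items()):
        print(f"{verdict:12} {rel}  {output}")
```

A file that comes back as cpu-limit or wall-timeout is the one to attach to a ClamAV bug report, as Hugo van der Kooij suggests in the next message.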
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Mon Sep 15 21:42:15 2008 Subject: clamd DoS? In-Reply-To: References: <48CE37ED.6040200@nerc.ac.uk> <48CE7FD0.3070909@ecs.soton.ac.uk> <48CE8854.8000508@ecs.soton.ac.uk> Message-ID: <48CEC897.7090703@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Kevin Miller wrote: > Julian Field wrote: > >> In /usr/sbin/MailScanner there are a couple of calls to "Explode". >> Immediately after them, add a line saying >> exit; >> and it will stop straight after the attachment unpacking. >> Then you can go into /var/spool/MailScanner/incoming, find the >> relevant directory and see what attachments it pulled out. >> Then try clamscan-ing them by hand. If the attachments look okay in >> that directory, then it's a clamd issue I think. I would be >> interested to see what clamscan makes of them when run by hand. > > I was seeing a number of spam messages coming in w/the subject "Credit > card transaction report". Every now and then one would get tagged as a > virus, but most weren't. However, I went into MailWatch, selected one > that wasn't marked as viral and saved the attached Report.zip to my > linux workstation. Ark extracted the file report.doc.exe. I kicked off > top in a term window, opened another terminal and ran 'clamscan > report.doc.exe'. W/in a couple seconds CPU utilization was pegged. So if you can do this on a plain file with just ClamAV as a factor I would think you have all the stuff that is needed to report a bug with the ClamAV team. If that is the case would you be kind enough to report the bug to the ClamAV team? Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFIzsiUBvzDRVjxmYERAqpmAJ0boKU5chAkI7TDONQ57+zwweQmSACfWwK7 VU+DFDsCiGs0AvFEpfCYiJw= =Iutn -----END PGP SIGNATURE----- From MailScanner at ecs.soton.ac.uk Mon Sep 15 21:47:00 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Sep 15 21:47:18 2008 Subject: clamd DoS? In-Reply-To: References: <48CE37ED.6040200@nerc.ac.uk> <48CE7FD0.3070909@ecs.soton.ac.uk> <48CE8854.8000508@ecs.soton.ac.uk> Message-ID: <48CEC9C4.9010507@ecs.soton.ac.uk> Kevin Miller wrote: > Julian Field wrote: > > >> In /usr/sbin/MailScanner there are a couple of calls to "Explode". >> Immediately after them, add a line saying >> exit; >> and it will stop straight after the attachment unpacking. >> Then you can go into /var/spool/MailScanner/incoming, find the >> relevant directory and see what attachments it pulled out. >> Then try clamscan-ing them by hand. If the attachments look okay in >> that directory, then it's a clamd issue I think. I would be >> interested to see what clamscan makes of them when run by hand. >> > > I was seeing a number of spam messages coming in w/the subject "Credit > card transaction report". Every now and then one would get tagged as a > virus, but most weren't. However, I went into MailWatch, selected one > that wasn't marked as viral and saved the attached Report.zip to my > linux workstation. Ark extracted the file report.doc.exe. I kicked off > top in a term window, opened another terminal and ran 'clamscan > report.doc.exe'. W/in a couple seconds CPU utilization was pegged. > > I'm running plain old clamav, not clamscan or clamd. > > Not much to go on, but maybe this will help a bit... > Ooh, can you post this on the web somewhere and tell me the URL so I can fetch this file and construct a message round it for testing? Thanks. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From hvdkooij at vanderkooij.org Mon Sep 15 21:48:31 2008 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Mon Sep 15 21:48:41 2008 Subject: how to detect koi8-r characters In-Reply-To: <1A6F40B4130E4C23BDBBE9B37DC6D8BD@KHFUJITSU> References: <1A6F40B4130E4C23BDBBE9B37DC6D8BD@KHFUJITSU> Message-ID: <48CECA1F.2040702@vanderkooij.org>
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Kevin Howard wrote:
> Hi,
>
> We're receiving a lot of spam comprising Cyrillic characters in the
> subject line, example Subject: =?koi8-r?B?8sXLzGHNwSDXIOnObcXSzsVtxSA=?=

Here are some lines I put into the headercheck of postfix:

/^Subject: =\?koi8-r\?/ REJECT No one here reads this language!
/^From: =\?koi8-r\?/ REJECT No one here reads this language!
/^Content-Type: .+; charset=koi8-r/ REJECT No one here reads this language!
/^Subject:.+=\?windows-1251\?/ REJECT No one here reads this language!
/^From: =\?windows-1251\?/ REJECT No one here reads this language!
/^.*charset="windows-1251"$/ REJECT No one here reads this language!
/^Content-Type: .+; charset=windows-1251/ REJECT No one here reads this language!
/^Subject:.+=\?windows-1255\?/ REJECT No one here reads this language!
/^From: =\?windows-1255\?/ REJECT No one here reads this language!
/^Content-Type: .+; charset=windows-1255/ REJECT No one here reads this language!
/^Subject:.+=\?ISO-2022-JP\?/ REJECT No one here reads this language!
/^From: =\?ISO-2022-JP\?/ REJECT No one here reads this language!
/^Content-Type: .+; charset=ISO-2022-JP/ REJECT No one here reads this language!
/^Content-Type: .*GB2312/ REJECT No one here reads this language!

It cuts down a lot on the unreadable spam. At present I am trying to convince XS4ALL to put a similar check into their spam checks. I understand they can not put it in the MTA. But if I can not read Russian there is no point in sending me email with a Russian character set.

Hugo.
- -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc
A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFIzsodBvzDRVjxmYERAkgfAJ0WvKZuJGlEuTBGrZeXcESBBtxS4wCdGulS ruta2KWoJF7zqLK8+FCk9Rk= =VJia -----END PGP SIGNATURE----- From MailScanner at ecs.soton.ac.uk Mon Sep 15 21:49:09 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Sep 15 21:49:29 2008 Subject: A lot of spam getting through this weekend In-Reply-To: References: Message-ID: <48CECA45.4010501@ecs.soton.ac.uk> Daniel Straka wrote: > Over the past 4 day sooo much spam is getting through my MailScanner installation that I'm beginning to wonder if the spammers have figured out a way to get around it. A lot of *exually related messages, bank phishing attempts and more. > MailScanner / SpamAssassin appear to be working ok yet everyone is getting about 10x the usual amount of spam making it into their mailboxes. > Is anyone else seeing an issue like this? > I'm seeing a huge amount of phishing spam, but I'm catching all of it okay. My setup is basically still the one I posted in my HOWTO I posted last July 2007, but with the addition of BarricadeMX to take most of the load. But MailScanner is catching this lot okay. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From hvdkooij at vanderkooij.org Mon Sep 15 21:53:27 2008 
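The header_checks rules in Hugo van der Kooij's "how to detect koi8-r characters" post above can be exercised offline before they go into Postfix. This Python is an added example, not part of the post or of Postfix: it applies a verbatim subset of the rules the way a Postfix regexp table does (case-insensitive by default, first matching rule wins per logical header) and compares the result with the charsets the message actually declares. All messages are constructed except the Subject taken from the post; the function names are assumptions.

```python
import re
from email import message_from_string
from email.header import decode_header

# Subset of the rules from the post, copied verbatim.
HEADER_CHECKS = r'''
/^Subject: =\?koi8-r\?/ REJECT No one here reads this language!
/^Content-Type: .+; charset=koi8-r/ REJECT No one here reads this language!
/^Subject:.+=\?windows-1251\?/ REJECT No one here reads this language!
/^.*charset="windows-1251"$/ REJECT No one here reads this language!
'''

RULE = re.compile(r"^/(?P<pat>.+)/\s+(?P<action>\S+)\s*(?P<text>.*)$")

KOI8_SUBJECT = "=?koi8-r?B?8sXLzGHNwSDXIOnObcXSzsVtxSA=?="   # from the post


def make_msg(subject, content_type):
    """Build a constructed test message with the given two headers."""
    return ("From: sender@example.com\n"
            f"Subject: {subject}\n"
            f"Content-Type: {content_type}\n\nbody\n")


MSG_A = make_msg(KOI8_SUBJECT, "text/plain; charset=us-ascii")
# Reply prefix before the encoded word, and a quoted charset parameter:
# forms the windows-1251 rules allow for but the koi8-r rules do not.
MSG_B = make_msg("Re: " + KOI8_SUBJECT, 'text/plain; charset="koi8-r"')
MSG_C = make_msg("Fwd: =?windows-1251?B?0uXx8g==?=",
                 'text/plain; charset="windows-1251"')


def load_rules(table):
    """Parse '/regex/ ACTION text' lines into (pattern, compiled, action)."""
    rules = []
    for line in table.splitlines():
        m = RULE.match(line.strip())
        if m:
            rules.append((m["pat"], re.compile(m["pat"], re.IGNORECASE),
                          m["action"]))
    return rules


def check(raw, rules):
    """Return (header name, action, pattern) for each header a rule hits."""
    hits = []
    for name, value in message_from_string(raw).items():
        # Join folded continuation lines into one logical header.
        header = name + ": " + re.sub(r"\r?\n[ \t]+", " ", value)
        for pat, rx, action in rules:
            if rx.search(header):
                hits.append((name, action, pat))
                break   # first matching rule wins
    return hits


def declared_charsets(raw):
    """Charsets named in Subject/From encoded words and in Content-Type."""
    msg = message_from_string(raw)
    found = set()
    for field in ("Subject", "From"):
        for _chunk, charset in decode_header(msg.get(field, "")):
            if charset:
                found.add(charset.lower())
    found.update(c.lower() for c in msg.get_charsets() if c)
    return found


if __name__ == "__main__":
    rules = load_rules(HEADER_CHECKS)
    for label, raw in (("A", MSG_A), ("B", MSG_B), ("C", MSG_C)):
        print(label, sorted(declared_charsets(raw)), check(raw, rules))
```

Message B declares koi8-r in both places yet matches no rule, so the koi8-r lines need the same `.+` and quoted-charset variants the post already uses for windows-1251 if that mail is meant to be rejected as well.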
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Mon Sep 15 21:53:36 2008
Subject: A lot of spam getting through this weekend
In-Reply-To:
References:
Message-ID: <48CECB47.3000705@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Martin.Hepworth wrote:
> Dan
>
> Same here - looking at the scores my Bayes is low/negative scoring so I'm thinking about resetting with the starter one from www.fsl.com/support

I strongly urge people NEVER to use another person's bayesian database.
Only you can decide what is SPAM and what is HAM in your messages.

I am allowed to borrow a golf club from our CEO anytime a colleague dares
to break this rule.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFIzstFBvzDRVjxmYERAn/BAJ97uDNKW+0LcQVtk60PSDSNpYJAdgCffjDe
ILmDSS+lE7sBZeiiGjgwwgY=
=D3z8
-----END PGP SIGNATURE-----

From jan-peter at koopmann.eu Mon Sep 15 22:05:36 2008
From: jan-peter at koopmann.eu (Koopmann, Jan-Peter)
Date: Mon Sep 15 22:05:58 2008
Subject: Spamassassin Timeout issue.
In-Reply-To:
References:
Message-ID:

> Sep 10 04:47:37 localhost MailScanner[8400]: SpamAssassin timed out and was killed, failure 8 of 20

Are you running BotNet.pm with SpamAssassin? I had a very similar issue
and it was caused by a known bug in BotNet. Try to upgrade if you use it.

From kate at rheel.co.nz Mon Sep 15 22:22:37 2008
From: kate at rheel.co.nz (Kate Kleinschafer) Date: Mon Sep 15 22:21:35 2008 Subject: Error on start cannot open config file Message-ID: <48CED21D.2020804@rheel.co.nz> Hi all, I have just done a fresh install of CentOS 5.2 and installed postfix (then done rpm -e sendmail) clamav and MailScanner. When I try and start MailScanner (after stopping the postfix service) I get the following error: MailScanner: Cannot open config file /etc/MailScanner/MailScanner.conf, Permission denied at /usr/lib/MailScanner/MailScanner/Config.pm line 657. If I change in MailScanner.conf Run as user = postfix to Run as user = then it works. I would really appreciate any advice on how to get this operational. Thanks Kate Apologies if this comes through twice - I thought I had changed my list email but it doesn't seem to be working. From Kevin_Miller at ci.juneau.ak.us Mon Sep 15 22:40:56 2008 
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Mon Sep 15 22:41:07 2008 Subject: clamd DoS? In-Reply-To: <48CEC9C4.9010507@ecs.soton.ac.uk> References: <48CE37ED.6040200@nerc.ac.uk> <48CE7FD0.3070909@ecs.soton.ac.uk> <48CE8854.8000508@ecs.soton.ac.uk> <48CEC9C4.9010507@ecs.soton.ac.uk> Message-ID: Julian Field wrote: > Ooh, can you post this on the web somewhere and tell me the URL so I > can fetch this file and construct a message round it for testing? > > Thanks. > > Jules Will the mail file from the /var/spool/MailScanner/quarantine/spam/... tree work? I can shlep that up to an ftp server if that's OK. I didn't remember where exactly I got the original zip file so I grabbed another today and saved it to my workstation then extracted. Seems to be a lot of spaces in the filename: ======================================================================== mkm@mis-mkm-lnx:~/ziptest/test2$ clamscan report.doc\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ .exe ======================================================================== ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From glenn.steen at gmail.com Mon Sep 15 22:45:18 2008 
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Sep 15 22:45:29 2008
Subject: Error on start cannot open config file
In-Reply-To: <48CED21D.2020804@rheel.co.nz>
References: <48CED21D.2020804@rheel.co.nz>
Message-ID: <223f97700809151445t4f3a2ff9j3921d88a3d75b5eb@mail.gmail.com>

2008/9/15 Kate Kleinschafer :
> Hi all,
>
> I have just done a fresh install of CentOS 5.2 and installed postfix (then
> done rpm -e sendmail) clamav and MailScanner.
> When I try and start MailScanner (after stopping the postfix service) I get
> the following error:
> MailScanner: Cannot open config file /etc/MailScanner/MailScanner.conf,
> Permission denied at /usr/lib/MailScanner/MailScanner/Config.pm line 657.
>
> If I change in MailScanner.conf Run as user = postfix to Run as user =
> then it works.
>
> I would really appreciate any advice on how to get this operational.
>
> Thanks
> Kate
>
> Apologies if this comes through twice - I thought I had changed my list
> email but it doesn't seem to be working.
>
Your postfix user cannot read your config file/directory, likely. Test with
su - postfix -s /bin/bash
and then use cd and "ls -d" to try access /etc/MailScanner ... and
ultimately reading MailScanner.conf with "less" or something.
When using an MTA that runs as an unprivileged user, permissions is everything.
Also check that you've either turned off SELinux or amended it so that
it doesn't get in the way:).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From kate at rheel.co.nz Mon Sep 15 22:52:29 2008
From: kate at rheel.co.nz (Kate Kleinschafer) Date: Mon Sep 15 22:51:45 2008 Subject: Error on start cannot open config file In-Reply-To: <20080915214414.GA18544@lava-net.com> References: <48CED21D.2020804@rheel.co.nz> <20080915214414.GA18544@lava-net.com> Message-ID: <48CED91D.7080907@rheel.co.nz> Hi Igor, I have just tried 644 permissions and chowning to postfix:root. Both gave the same permission denied error. Thanks Kate Igor Gueths wrote: > Hi. What are the permissions on your MailSCanner.conf? In order for the postfix > user to be able to read the file, the file either needs to be owned by the > postfix user, or chmodded with permissions 644. Thanks. > On Tue, Sep 16, 2008 at 09:22:37AM +1200, Kate Kleinschafer wrote: > >> Hi all, >> >> I have just done a fresh install of CentOS 5.2 and installed postfix (then >> done rpm -e sendmail) clamav and MailScanner. >> When I try and start MailScanner (after stopping the postfix service) I get >> the following error: >> MailScanner: Cannot open config file /etc/MailScanner/MailScanner.conf, >> Permission denied at /usr/lib/MailScanner/MailScanner/Config.pm line 657. >> >> If I change in MailScanner.conf Run as user = postfix to Run as user = >> then it works. >> >> I would really appreciate any advice on how to get this operational. >> >> Thanks >> Kate >> >> Apologies if this comes through twice - I thought I had changed my list email but it doesn't seem to be working. >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> -- >> This message has been scanned for viruses and >> dangerous content by MailScanner, and is >> believed to be clean. >> >> > > From Kevin_Miller at ci.juneau.ak.us Mon Sep 15 22:54:24 2008 
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Mon Sep 15 22:54:34 2008 Subject: clamd DoS? In-Reply-To: <48CEC9C4.9010507@ecs.soton.ac.uk> References: <48CE37ED.6040200@nerc.ac.uk> <48CE7FD0.3070909@ecs.soton.ac.uk> <48CE8854.8000508@ecs.soton.ac.uk> <48CEC9C4.9010507@ecs.soton.ac.uk> Message-ID: Julian Field wrote: > Ooh, can you post this on the web somewhere and tell me the URL so I > can fetch this file and construct a message round it for testing? > > Thanks. > > Jules I sent a note w/the location to your jules@jules.fm address mentioned in the sig. Holler if you have any trouble accessing it... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From lists at tippingmar.com Mon Sep 15 22:55:01 2008 
From: lists at tippingmar.com (Mark Nienberg)
Date: Mon Sep 15 22:55:18 2008
Subject: how to detect koi8-r characters
In-Reply-To: <1A6F40B4130E4C23BDBBE9B37DC6D8BD@KHFUJITSU>
References: <1A6F40B4130E4C23BDBBE9B37DC6D8BD@KHFUJITSU>
Message-ID: <48CED9B5.4020001@tippingmar.com>

Kevin Howard wrote:
> We're receiving a lot of spam comprising Cyrillic characters in the
> subject line, example Subject: =?koi8-r?B?8sXLzGHNwSDXIOnObcXSzsVtxSA=?=
>
> and a message body which is 100% Cyrillic, some messages are plain
> text and some HTML.
>
> The plains messages are using;
>
> MIME-Version: 1.0
> Content-Type: text/plain;
> charset="koi8-r"
> Content-Transfer-Encoding: 8bit
>
>
> Spamassassin doesn't seem to be able to detect these reliably despite
> us training bayes on these messages and utilising language filters. So
> we're trying to use MCP to detect them but have had no success
> whatsoever to date.
>
> I have tried making a rule to detect " ?koi8 " in the subject line but
> Mailscanner only seems to look at visible characters.
>
> Any ideas? my preference is to stop them with MCP if possible.
>

I use a spamassassin rule like this:

header LOCAL_CYRILLIC Subject:raw =~ /windows\-1251/i
describe LOCAL_CYRILLIC Cyrillic fonts
score LOCAL_CYRILLIC 3

in your case, maybe you need to replace windows-1251 with koi8-r.
The "raw" part is important.

Mark Nienberg

From Kevin_Miller at ci.juneau.ak.us Mon Sep 15 23:35:45 2008
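Added example (not code from any poster in this thread): the charset check that the header_checks lines and the Subject:raw rule above perform, written in Python so it can be run over saved messages. It finds the RFC 2047 charset label anywhere in the raw Subject and From values and reads each MIME part's declared charset; the addresses, the HAM and MIXED messages and the function names are constructed for illustration.

```python
"""Flag mail whose raw headers or MIME parts declare an unwanted charset."""
import re
from email import message_from_string
from email.header import decode_header, make_header

# Charset labels taken from the header_checks lines quoted in the thread.
BLOCKED = {"koi8-r", "windows-1251", "windows-1255", "iso-2022-jp", "gb2312"}

# RFC 2047 encoded-word: =?charset?B|Q?text?=  (RFC 2231 allows charset*lang).
ENCODED_WORD = re.compile(r"=\?([^?*\s]+)(?:\*[^?\s]*)?\?[bq]\?[^?\s]*\?=", re.I)

# Constructed samples. The Subject and MIME headers of SPAM are the ones quoted
# in the thread; every address and the other two messages are made up.
SPAM = (
    "From: sender@example.invalid\n"
    "Subject: =?koi8-r?B?8sXLzGHNwSDXIOnObcXSzsVtxSA=?=\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/plain;\n"
    "\tcharset=\"koi8-r\"\n"
    "Content-Transfer-Encoding: 8bit\n"
    "\n"
    "(body omitted)\n"
)
HAM = (
    "From: Alice <alice@example.invalid>\n"
    "Subject: Minutes from Monday\n"
    "Content-Type: text/plain; charset=us-ascii\n"
    "\n"
    "See attached.\n"
)
MIXED = (
    "From: =?KOI8-R?Q?=F2=C5=CB?= <sender@example.invalid>\n"
    "Subject: Re: invoice =?windows-1251?B?8uXx8g==?=\n"
    "MIME-Version: 1.0\n"
    "Content-Type: multipart/alternative; boundary=\"b1\"\n"
    "\n"
    "--b1\n"
    "Content-Type: text/plain; charset=us-ascii\n"
    "\n"
    "hello\n"
    "--b1\n"
    "Content-Type: text/html; charset=\"windows-1251\"\n"
    "\n"
    "<p>hello</p>\n"
    "--b1--\n"
)


def encoded_word_charsets(raw_value):
    """Charset labels named by encoded-words anywhere in a raw header value."""
    return {m.group(1).lower() for m in ENCODED_WORD.finditer(raw_value or "")}


def decoded(raw_value):
    """The header as a reader sees it; the charset label is gone by this point."""
    return str(make_header(decode_header(raw_value)))


def blocked_charsets(raw_message, headers=("Subject", "From")):
    """Return {location: charsets} for every blocked charset a message declares."""
    msg = message_from_string(raw_message)
    hits = {}
    for name in headers:
        for value in msg.get_all(name, []):
            found = encoded_word_charsets(str(value)) & BLOCKED
            if found:
                hits.setdefault(name, set()).update(found)
    for part in msg.walk():  # the message itself plus every MIME sub-part
        charset = part.get_content_charset()  # lower-cased, or None
        if charset in BLOCKED:
            hits.setdefault("Content-Type", set()).add(charset)
    return hits


if __name__ == "__main__":
    subject = message_from_string(SPAM)["Subject"]
    print("raw subject    :", subject)
    print("decoded subject:", ascii(decoded(subject)))
    for label, raw in (("SPAM", SPAM), ("HAM", HAM), ("MIXED", MIXED)):
        print(label, blocked_charsets(raw) or "clean")
```

The decoded Subject contains only the Cyrillic text, which is why a rule written against the visible subject never sees "koi8-r" and the match has to run on the raw header.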
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Mon Sep 15 23:36:02 2008 Subject: clamd DoS? In-Reply-To: <48CEC897.7090703@vanderkooij.org> References: <48CE37ED.6040200@nerc.ac.uk> <48CE7FD0.3070909@ecs.soton.ac.uk> <48CE8854.8000508@ecs.soton.ac.uk> <48CEC897.7090703@vanderkooij.org> Message-ID: Hugo van der Kooij wrote: > So if you can do this on a plain file with just ClamAV as a factor I > would think you have all the stuff that is needed to report a bug with > the ClamAV team. > > If that is the case would you be kind enough to report the bug to the > ClamAV team? I started doing that, then did some more testing. On my Debian box, with clamav 0.90.1/8228 it spins. On my SUSE boxes, it comes back reporting Trojan.Agent-49371 with no CPU delay. Perhaps it's only a problem w/clamav 90.1? My main mail server (SUSE) is running .94/8251 The other SUSE box I tested is running 88.4/8251 (I know, badly out of date but there's a bug w/the compiler and a newer clamav won't compile. The box is slated for a rebuild RSN.) Given that it's an older version of clamav, a bug report would probably be rather untimely. It may however, be useful for others here to know so they can upgrade if the version of clamav they're running is affected... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From hvdkooij at vanderkooij.org Mon Sep 15 23:41:24 2008 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Mon Sep 15 23:41:32 2008 Subject: Error on start cannot open config file In-Reply-To: <48CED91D.7080907@rheel.co.nz> References: <48CED21D.2020804@rheel.co.nz> <20080915214414.GA18544@lava-net.com> <48CED91D.7080907@rheel.co.nz> Message-ID: <48CEE494.2080307@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Kate Kleinschafer wrote: > Hi Igor, > > I have just tried 644 permissions and chowning to postfix:root. > Both gave the same permission denied error. And just what did you change? directory? file? both? something else? Start from the root and work your way to the file. See if you have read rights as postfix user all the way. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFIzuSSBvzDRVjxmYERAmOwAJkBC1K667G6wyu5RBO63f9sIUH5uwCeP2t2 pl9N1sC9SmGsBPcMK09oRtU= =wmn+ -----END PGP SIGNATURE----- From kate at rheel.co.nz Mon Sep 15 23:50:17 2008 
From: kate at rheel.co.nz (Kate Kleinschafer) Date: Mon Sep 15 23:49:36 2008 Subject: Error on start cannot open config file In-Reply-To: <223f97700809151445t4f3a2ff9j3921d88a3d75b5eb@mail.gmail.com> References: <48CED21D.2020804@rheel.co.nz> <223f97700809151445t4f3a2ff9j3921d88a3d75b5eb@mail.gmail.com> Message-ID: <48CEE6A9.5070508@rheel.co.nz> Thanks - that helped me find the problem. It was the permissions on the MailScanner folder itself. Again many thanks Kate Glenn Steen wrote: > 2008/9/15 Kate Kleinschafer : > >> Hi all, >> >> I have just done a fresh install of CentOS 5.2 and installed postfix (then >> done rpm -e sendmail) clamav and MailScanner. >> When I try and start MailScanner (after stopping the postfix service) I get >> the following error: >> MailScanner: Cannot open config file /etc/MailScanner/MailScanner.conf, >> Permission denied at /usr/lib/MailScanner/MailScanner/Config.pm line 657. >> >> If I change in MailScanner.conf Run as user = postfix to Run as user = >> then it works. >> >> I would really appreciate any advice on how to get this operational. >> >> Thanks >> Kate >> >> Apologies if this comes through twice - I thought I had changed my list >> email but it doesn't seem to be working. >> >> > Your postfix user cannot read your config file/directory, likely. Test with > su - postfix -s /bin/bash > and then use cd and "ls -d" to try access /etc/MailScanner ... and > ultimately reading MailScanner.conf with "less" or something. > When using an MTA that runs as an unprivileged user, permissions is everything. > Also check that you've either turned off SELinux or amended it so that > it doesn't get in the way:). > > Cheers > From swati.meghanand at gmail.com Tue Sep 16 11:06:36 2008 
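Added example (not part of any post in this thread): the root-to-file walk suggested above, computed from classic mode bits for a given uid and group set, so it shows which component refuses the account. The temp tree, the numeric ids and the function names are constructed; POSIX ACLs and SELinux, which the thread also mentions, are not modelled.

```python
"""Find the first path component that refuses a given account (mode bits only)."""
import os
import pwd
import stat
import tempfile


def ids_for(username):
    """uid and full group set of a local account, e.g. ids_for("postfix")."""
    entry = pwd.getpwnam(username)
    return entry.pw_uid, set(os.getgrouplist(username, entry.pw_gid))


def granted(st, uid, gids):
    """rwx triplet (0-7) that the owner/group/other mode bits give this uid."""
    if uid == 0:
        return 7                       # root bypasses read/search checks
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def first_denied(path, uid, gids, start="/"):
    """Walk from start down to path; return (component, reason) or None."""
    start = os.path.abspath(start)
    rel = os.path.relpath(os.path.abspath(path), start)
    if rel.split(os.sep)[0] == os.pardir:
        raise ValueError("path is not below start")
    chain = [start]
    for part in ([] if rel == os.curdir else rel.split(os.sep)):
        chain.append(os.path.join(chain[-1], part))
    for index, component in enumerate(chain):
        st = os.stat(component)        # run as root so stat itself succeeds
        bits = granted(st, uid, gids)
        if stat.S_ISDIR(st.st_mode) and not bits & 1:
            return component, "directory lacks search (x) permission"
        if index == len(chain) - 1 and not bits & 4:
            return component, "target lacks read (r) permission"
    return None


def demo():
    """Reproduce the thread's symptom in a temp tree (constructed, not /etc)."""
    # Assumption: a uid/gid that owns nothing in the tree stands in for postfix.
    other_uid, other_gids = os.getuid() + 1000, {os.getgid() + 1000}
    with tempfile.TemporaryDirectory() as root:
        confdir = os.path.join(root, "MailScanner")
        conf = os.path.join(confdir, "MailScanner.conf")
        os.mkdir(confdir)
        with open(conf, "w") as handle:
            handle.write("Run as user = postfix\n")
        os.chmod(root, 0o755)
        os.chmod(conf, 0o644)          # file made world-readable, as tried
        os.chmod(confdir, 0o700)       # the directory still shuts others out
        before = first_denied(conf, other_uid, other_gids, start=root)
        os.chmod(confdir, 0o755)       # fix the directory, not the file
        after = first_denied(conf, other_uid, other_gids, start=root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("directory 0700:", before)
    print("directory 0755:", after or "readable")
    # On a real host, as root:
    # first_denied("/etc/MailScanner/MailScanner.conf", *ids_for("postfix"))
```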
From: swati.meghanand at gmail.com (Swati Meghanand) Date: Tue Sep 16 11:06:45 2008 Subject: Spamassassin Timeout issue. In-Reply-To: References: Message-ID: <424c10260809160306q736b1c47jd41c0781e2a83904@mail.gmail.com> hi, No not running BotNet.pm with SpamAssassin? There was some issue with 'Pyzor'.. need to work on it, currently I stopped pyzor now it is working fine.. I found out the prob by running spamassassin in debugging mode 2008/9/16 Koopmann, Jan-Peter > > Sep 10 04:47:37 localhost MailScanner[8400]: SpamAssassin timed out and > was killed, failure 8 of 20 > > Are you running BotNet.pm with SpamAssassin? I had a very similar issue and > it was caused by a known bug in BotNet. Try to upgrade if you use it. > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080916/ba146b19/attachment.html From steve.freegard at fsl.com Tue Sep 16 11:58:00 2008 
From: steve.freegard at fsl.com (Steve Freegard)
Date: Tue Sep 16 11:58:20 2008
Subject: Desperately trying to debug poor spam scanning performance
In-Reply-To: <48CE620E.9060909@photobox.com>
References: <48CA9E61.7080506@photobox.com> <5A881BE9-B6B4-463D-BFE0-0D7FFF8C80F3@rtpty.com> <48CABC5B.2010603@photobox.com> <48CE44D6.9090907@ecs.soton.ac.uk> <48CE620E.9060909@photobox.com>
Message-ID: <48CF9138.4020601@fsl.com>

Hi Ben,

Ben Tisdall wrote:
> The razor timeout seemed to have been a one-off.
>
> Here's a debug output (clearly Pyzor's unhappy, but it's the same on the
> comparison machine too, turning off doesn't help)
>

1) Switch-off Pyzor by commenting the loadplugin lines in v3*.pre and
init.pre in /etc/mail/spamassassin.

IMHO - Pyzor isn't usable anymore unless you are low-volume and can put
up with the timeouts decreasing your scanner throughput, so I always
either don't install it or disable it.

Even though it appears to be unwell on your machines anyway - disabling
it will prevent the need for the code to get loaded anyway.

2) Compare like-for-like.

Currently - each machine has different version of Perl modules (some
newer some older). Check for updates to each of them on the new machine
and get the latest versions.

Also - you're looking at the 'Log Speed' output on both machines and
because they are showing different lower numbers you're jumping to the
conclusion that something is wrong.... it could be - but the only way to
be certain is to process the *same* batch of messages on both machines
(without any other traffic running at the same time) and then comparing
the results.

I'd expect the bytes throughput shown in the logs to vary greatly for
each batch due to the fact that some messages are larger and more
complex than others, so unless you are running the same batches through
- then you can't really know for sure that one is slower than the other.

3) Do you have anything configured in 'Spam Lists' or 'Spam Domain
List' on either machine in MailScanner.conf??

4) Have you mounted /var/spool/MailScanner/incoming on tmpfs?

Kind regards,
Steve.

From raymond at prolocation.net Tue Sep 16 11:59:04 2008
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Tue Sep 16 11:59:13 2008
Subject: clamd DoS?
In-Reply-To: <48CEC9C4.9010507@ecs.soton.ac.uk>
References: <48CE37ED.6040200@nerc.ac.uk> <48CE7FD0.3070909@ecs.soton.ac.uk> <48CE8854.8000508@ecs.soton.ac.uk> <48CEC9C4.9010507@ecs.soton.ac.uk>
Message-ID:

Hi!

>> I was seeing a number of spam messages coming in w/the subject "Credit
>> card transaction report". Every now and then one would get tagged as a
>> virus, but most weren't. However, I went into MailWatch, selected one
>> that wasn't marked as viral and saved the attached Report.zip to my
>> linux workstation. Ark extracted the file report.doc.exe. I kicked off
>> top in a term window, opened another terminal and ran 'clamscan
>> report.doc.exe'. W/in a couple seconds CPU utilization was pegged.
>>
>> I'm running plain old clamav, not clamscan or clamd.
>>
>> Not much to go on, but maybe this will help a bit...

> Ooh, can you post this on the web somewhere and tell me the URL so I can
> fetch this file and construct a message round it for testing?

The guys @ ClamAV are also looking into this (Thanks Luca!)

Bye,
Raymond.

From ben.tisdall at photobox.com Tue Sep 16 12:12:25 2008
From: ben.tisdall at photobox.com (Ben Tisdall)
Date: Tue Sep 16 12:12:39 2008
Subject: Desperately trying to debug poor spam scanning performance
In-Reply-To: <48CF9138.4020601@fsl.com>
References: <48CA9E61.7080506@photobox.com> <5A881BE9-B6B4-463D-BFE0-0D7FFF8C80F3@rtpty.com> <48CABC5B.2010603@photobox.com> <48CE44D6.9090907@ecs.soton.ac.uk> <48CE620E.9060909@photobox.com> <48CF9138.4020601@fsl.com>
Message-ID: <48CF9499.4020707@photobox.com>

Steve Freegard wrote:
>
> IMHO - Pyzor isn't usable anymore unless you are low-volume and can put
> up with the timeouts decreasing your scanner throughput, so I always
> either don't install it or disable it.
>
> Even though it appears to be unwell on your machines anyway - disabling
> it will prevent the need for the code to get loaded anyway.

Interesting to hear your take on this, anyone else share this view?

>
> 2) Compare like-for-like.
>
> Currently - each machine has different version of Perl modules (some
> newer some older). Check for updates to each of them on the new machine
> and get the latest versions.

Sure, but I don't think the numbers I'm seeing can be explained away by
module version differences.

> Also - you're looking at the 'Log Speed' output on both machines and
> because they are showing different lower numbers you're jumping to the
> conclusion that something is wrong.... it could be - but the only way to
> be certain is to process the *same* batch of messages on both machines
> (without any other traffic running at the same time) and then comparing
> the results.
>
> I'd expect the bytes throughput shown in the logs to vary greatly for
> each batch due to the fact that some messages are larger and more
> complex than others, so unless you are running the same batches through
> - then you can't really know for sure that one is slower than the other.

That's exactly what I'm doing - relaying a message through the test box
to my home box & comparing the figures. I correlate the ms logs with the
exim logs to make sure I'm comparing correctly.

>
> 3) Do you have anything configured in 'Spam Lists' or 'Spam Domain
> List' on either machine in MailScanner.conf??

Tried turning off, still sucky.

>
> 4) Have you mounted /var/spool/MailScanner/incoming on tmpfs?

On this box not really an option, can't upgrade the RAM beyond 2G & it
has to perform duties other than MS :(

I'm strongly tending towards the theory that I/O is crappy on this box.
I read something not very complimentary about the smart array 5/i on
Linux & certainly the bonnie++ results are worse than those for my home
box (2 x 15K SCSI on the test box, 2 x 7.2K SATA at home).

In all likelihood I'll now be given a new box for MS with enough RAM to
do incoming on tmpfs :)

Thanks for your suggestions Steve.

Best regards,

Ben.

--
Ben Tisdall
Linux Systems Administrator | www.photobox.com

From MailScanner at ecs.soton.ac.uk Tue Sep 16 12:33:02 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Sep 16 12:33:22 2008 Subject: New beta released -- avoids Clamd DoS attack Message-ID: <48CF996E.7010308@ecs.soton.ac.uk> I have just released beta version 4.72.2. The important change is this (from the Change Log): Filename and filetype checks are now done before virus scanning. This means that you can use the "deny+delete" type of filename or filetype rule to selectively delete files that will choke your buggy virus scanner. I hope this helps you out there! Remember to use "deny+delete" instead of "deny" in filename.rules.conf where you want to stop your virus scanner being attacked. Please let me know how you get on. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ms-list at alexb.ch Tue Sep 16 12:41:33 2008 
From: ms-list at alexb.ch (Alex Broens) Date: Tue Sep 16 12:41:50 2008 Subject: clamd DoS? In-Reply-To: References: <48CE37ED.6040200@nerc.ac.uk> <48CE7FD0.3070909@ecs.soton.ac.uk> <48CE8854.8000508@ecs.soton.ac.uk> <48CEC9C4.9010507@ecs.soton.ac.uk> Message-ID: <48CF9B6D.5030105@alexb.ch> On 9/16/2008 12:59 PM, Raymond Dijkxhoorn wrote: > Hi! > >>> I was seeing a number of spam messages coming in w/the subject "Credit >>> card transaction report". Every now and then one would get tagged as a >>> virus, but most weren't. However, I went into MailWatch, selected one >>> that wasn't marked as viral and saved the attached Report.zip to my >>> linux workstation. Ark extracted the file report.doc.exe. I kicked off >>> top in a term window, opened another terminal and ran 'clamscan >>> report.doc.exe'. W/in a couple seconds CPU utilization was pegged. >>> >>> I'm running plain old clamav, not clamscan or clamd. >>> >>> Not much to go on, but maybe this will help a bit... > >> Ooh, can you post this on the web somewhere and tell me the URL so I >> can fetch this file and construct a message round it for testing? > > The guys @ ClamAV are also looking into this (Thanks Luca!) Luca rocks! (tell him this :-) Today I saw more floods of randomly detected/bypassed MS and AV scanners cases. good thing there are other ways to catch & block or kill them :-) Alex From martinh at solidstatelogic.com Tue Sep 16 13:22:41 2008 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Tue Sep 16 13:23:08 2008 Subject: clamd DoS? In-Reply-To: <48CF9B6D.5030105@alexb.ch> Message-ID: <45e25328f7808c4eb7892dfa0cf3653a@solidstatelogic.com> Yeah - another virus scanner in the list - Sophos is blocking these nicely in concert with MS. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Alex Broens > Sent: 16 September 2008 12:42 > To: MailScanner discussion > Subject: Re: clamd DoS? > > On 9/16/2008 12:59 PM, Raymond Dijkxhoorn wrote: > > Hi! > > > >>> I was seeing a number of spam messages coming in w/the subject > >>> "Credit card transaction report". Every now and then one > would get > >>> tagged as a virus, but most weren't. However, I went into > >>> MailWatch, selected one that wasn't marked as viral and saved the > >>> attached Report.zip to my linux workstation. Ark > extracted the file > >>> report.doc.exe. I kicked off top in a term window, > opened another > >>> terminal and ran 'clamscan report.doc.exe'. W/in a > couple seconds CPU utilization was pegged. > >>> > >>> I'm running plain old clamav, not clamscan or clamd. > >>> > >>> Not much to go on, but maybe this will help a bit... > > > >> Ooh, can you post this on the web somewhere and tell me > the URL so I > >> can fetch this file and construct a message round it for testing? > > > > The guys @ ClamAV are also looking into this (Thanks Luca!) > > Luca rocks! (tell him this :-) > > Today I saw more floods of randomly detected/bypassed MS and > AV scanners > cases. > > good thing there are other ways to catch & block or kill them :-) > > Alex > From glenn.steen at gmail.com Tue Sep 16 13:49:18 2008
From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Sep 16 13:49:28 2008 Subject: Desperately trying to debug poor spam scanning performance In-Reply-To: <48CF9499.4020707@photobox.com> References: <48CA9E61.7080506@photobox.com> <5A881BE9-B6B4-463D-BFE0-0D7FFF8C80F3@rtpty.com> <48CABC5B.2010603@photobox.com> <48CE44D6.9090907@ecs.soton.ac.uk> <48CE620E.9060909@photobox.com> <48CF9138.4020601@fsl.com> <48CF9499.4020707@photobox.com> Message-ID: <223f97700809160549i3ebcc672k669be5ab87deb0cf@mail.gmail.com> 2008/9/16 Ben Tisdall : > Steve Freegard wrote: > (snip) >> >> 4) Have you mounted /var/spool/MailScanner/incoming on tmpfs? > > On this box not really an option, can't upgrade the RAM beyond 2G & it > has to perform duties other than MS :( > > I'm strongly tending towards the theory that I/O is crappy on this box. > I read something not very complimentary about the smart array 5/i on > Linux & certainly the bonnie++ results are worse than those for my home > box (2 x 15K SCSI on the test box, 2 x 7.2K SATA at home). Sorry for not noticing this earlier:/. Smart 5i with write memory cache "addon" is "somewhat OK", the default el cheapo 5i you find onboard is usually not worth using. They will suck eggs through straws, when it comes to write performance. Get a real RAID card, not the memory thing... better value for money. Smarts are generally OK, so long as you stay away from the really _too_ cheap thingies:-). > In all likelihood I'll now be given a new box for MS with enough RAM to > do incoming on tmpfs :) New box == better RAID controller;-). My latest is a HP DL360G5 ... Actually with a very basic setup (==low price). Good value for money AFAICS. The E200i seems to perform OK:-). > Thanks for your suggestions Steve. > > Best regards, > > Ben. > Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From J.Ede at birchenallhowden.co.uk Tue Sep 16 14:02:34 2008 
From: J.Ede at birchenallhowden.co.uk (Jason Ede)
Date: Tue Sep 16 14:05:32 2008
Subject: Desperately trying to debug poor spam scanning performance
In-Reply-To: <223f97700809160549i3ebcc672k669be5ab87deb0cf@mail.gmail.com>
References: <48CA9E61.7080506@photobox.com> <5A881BE9-B6B4-463D-BFE0-0D7FFF8C80F3@rtpty.com> <48CABC5B.2010603@photobox.com> <48CE44D6.9090907@ecs.soton.ac.uk> <48CE620E.9060909@photobox.com> <48CF9138.4020601@fsl.com> <48CF9499.4020707@photobox.com>, <223f97700809160549i3ebcc672k669be5ab87deb0cf@mail.gmail.com>
Message-ID: <4CAB0118AEC63A4FAAE77E6BCBDF760C792A26CDF4@server02.bhl.local>

You could try looking at the RAID performance... first with just

hdparm -t /dev/sda

Then try changing blocksize by using

blockdev --setra 0 /dev/sda

and trying values of say 0,1,2,4,16,32,64,128,256 (default CentOS one I believe), 512, 1024,2048

Should be able to produce a table of read/write performance on each system...

Be interesting to compare the values of the 2 servers.

Jason
________________________________________
From: mailscanner-bounces@lists.mailscanner.info [mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen [glenn.steen@gmail.com] Sent: 16 September 2008 13:49 To: MailScanner discussion Subject: Re: Desperately trying to debug poor spam scanning performance 2008/9/16 Ben Tisdall : > Steve Freegard wrote: > (snip) >> >> 4) Have you mounted /var/spool/MailScanner/incoming on tmpfs? > > On this box not really an option, can't upgrade the RAM beyond 2G & it > has to perform duties other than MS :( > > I'm strongly tending towards the theory that I/O is crappy on this box. > I read something not very complimentary about the smart array 5/i on > Linux & certainly the bonnie++ results are worse than those for my home > box (2 x 15K SCSI on the test box, 2 x 7.2K SATA at home). Sorry for not noticing this earlier:/. Smart 5i with write memory cache "addon" is "somewhat OK", the default el cheapo 5i you find onboard is usually not worth using. They will suck eggs through straws, when it comes to write performance. Get a real RAID card, not the memory thing... better value for money. Smarts are generally OK, so long as you stay away from the really _too_ cheap thingies:-). > In all likelihood I'll now be given a new box for MS with enough RAM to > do incoming on tmpfs :) New box == better RAID controller;-). My latest is a HP DL360G5 ... Actually with a very basic setup (==low price). Good value for money AFAICS. The E200i seems to perform OK:-). > Thanks for your suggestions Steve. > > Best regards, > > Ben. > Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From richard.frovarp at sendit.nodak.edu Tue Sep 16 15:27:57 2008 
From: richard.frovarp at sendit.nodak.edu (Richard Frovarp)
Date: Tue Sep 16 15:28:10 2008
Subject: Desperately trying to debug poor spam scanning performance
In-Reply-To: <48CF9499.4020707@photobox.com>
References: <48CA9E61.7080506@photobox.com> <5A881BE9-B6B4-463D-BFE0-0D7FFF8C80F3@rtpty.com> <48CABC5B.2010603@photobox.com> <48CE44D6.9090907@ecs.soton.ac.uk> <48CE620E.9060909@photobox.com> <48CF9138.4020601@fsl.com> <48CF9499.4020707@photobox.com>
Message-ID: <48CFC26D.1060509@sendit.nodak.edu>

Ben Tisdall wrote:
> Steve Freegard wrote:
>
>> IMHO - Pyzor isn't usable anymore unless you are low-volume and can put
>> up with the timeouts decreasing your scanner throughput, so I always
>> either don't install it or disable it.
>>
>> Even though it appears to be unwell on your machines anyway - disabling
>> it will prevent the need for the code to get loaded anyway.
>>
>
> Interesting to hear your take on this, anyone else share this view?
>

I dumped Pyzor long ago. The timeouts were killing performance. Razor seems to work well enough.

From jonas at vrt.dk Tue Sep 16 15:31:22 2008
From: jonas at vrt.dk ('Jonas Akrouh Larsen')
Date: Tue Sep 16 15:31:32 2008
Subject: Free virusscanner
Message-ID: <004b01c91808$e47752c0$ad65f840$@dk>

Hi List

As some of you may know Bitdefender used to have a 100% free edition of their product for linux.

Sometime in 2006 they changed their policy though.

You can get a license here: http://www.bitdefender.com/site/Products/ScannerLicense/

And the actual download can be found here: http://download.bitdefender.com/SMB/Workstation_Security_and_Management/BitDefender_Antivirus_Scanner_for_Unices/Unix/Current/EN/Version_7.x/Linux/

I looked into getting bitdefender working about a year ago but could not find the right URLs. So I thought I would send a quick post if others had been wondering too.

The license is valid for home/private use, so it's a no go for businesses if they want to stay legit.

Maybe somebody could update the wiki with this info.

From alex at rtpty.com Tue Sep 16 15:57:58 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Tue Sep 16 15:58:11 2008
Subject: Free virusscanner
In-Reply-To: <004b01c91808$e47752c0$ad65f840$@dk>
References: <004b01c91808$e47752c0$ad65f840$@dk>
Message-ID: <599626BE-365C-4B20-B35A-8AE16DCAA306@rtpty.com>

Thanks for the info. Those of us with boxes running our own mail at home can use it alongside clamav*.

On Sep 16, 2008, at 9:31 AM, Jonas Akrouh Larsen wrote:
> You can get a license here: http://www.bitdefender.com/site/Products/ScannerLicense/
>
> And the actual download can be found here:http://download.bitdefender.com/SMB/Workstation_Security_and_Management/BitDefender_Antivirus_Scanner_for_Unices/Unix/Current/EN/Version_7.x/Linux/
>

From ssilva at sgvwater.com Tue Sep 16 16:40:01 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Sep 16 16:40:19 2008
Subject: Free virusscanner
In-Reply-To: <599626BE-365C-4B20-B35A-8AE16DCAA306@rtpty.com>
References: <004b01c91808$e47752c0$ad65f840$@dk> <599626BE-365C-4B20-B35A-8AE16DCAA306@rtpty.com>
Message-ID:

on 9-16-2008 7:57 AM Alex Neuman van der Hans spake the following:
> Thanks for the info. Those of us with boxes running our own mail at home
> can use it alongside clamav*.
>
> On Sep 16, 2008, at 9:31 AM, Jonas Akrouh Larsen wrote:
>
>> You can get a license here:
>> http://www.bitdefender.com/site/Products/ScannerLicense/
>>
>> And the actual download can be found
>> here:http://download.bitdefender.com/SMB/Workstation_Security_and_Management/BitDefender_Antivirus_Scanner_for_Unices/Unix/Current/EN/Version_7.x/Linux/
>>
>
F-prot also has a "free for home use" scanner, as does AVG I believe. You can still find the old free bitdefender scanner in a google search, but I don't know how well it works anymore.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From lists at tippingmar.com Tue Sep 16 17:44:13 2008
From: lists at tippingmar.com (Mark Nienberg)
Date: Tue Sep 16 17:44:44 2008
Subject: Desperately trying to debug poor spam scanning performance
In-Reply-To: <48CF9499.4020707@photobox.com>
References: <48CA9E61.7080506@photobox.com> <5A881BE9-B6B4-463D-BFE0-0D7FFF8C80F3@rtpty.com> <48CABC5B.2010603@photobox.com> <48CE44D6.9090907@ecs.soton.ac.uk> <48CE620E.9060909@photobox.com> <48CF9138.4020601@fsl.com> <48CF9499.4020707@photobox.com>
Message-ID: <48CFE25D.3010902@tippingmar.com>

Ben Tisdall wrote:
> Steve Freegard wrote:
>
>> IMHO - Pyzor isn't usable anymore unless you are low-volume and can put
>> up with the timeouts decreasing your scanner throughput, so I always
>> either don't install it or disable it.
>>
>
> Interesting to hear your take on this, anyone else share this view?
>

Pyzor works well for me with the alternative pyzor server. In your .pyzor/servers file you should have

82.94.255.100:24441

Mark Nienberg

From steve.freegard at fsl.com Tue Sep 16 17:55:08 2008
From: steve.freegard at fsl.com (Steve Freegard)
Date: Tue Sep 16 17:55:20 2008
Subject: Desperately trying to debug poor spam scanning performance
In-Reply-To: <48CFE25D.3010902@tippingmar.com>
References: <48CA9E61.7080506@photobox.com> <5A881BE9-B6B4-463D-BFE0-0D7FFF8C80F3@rtpty.com> <48CABC5B.2010603@photobox.com> <48CE44D6.9090907@ecs.soton.ac.uk> <48CE620E.9060909@photobox.com> <48CF9138.4020601@fsl.com> <48CF9499.4020707@photobox.com> <48CFE25D.3010902@tippingmar.com>
Message-ID: <48CFE4EC.6080907@fsl.com>

Mark Nienberg wrote:
> Ben Tisdall wrote:
>> Steve Freegard wrote:
>>
>>> IMHO - Pyzor isn't usable anymore unless you are low-volume and can put
>>> up with the timeouts decreasing your scanner throughput, so I always
>>> either don't install it or disable it.
>>>
>>
>> Interesting to hear your take on this, anyone else share this view?
>>
> Pyzor works well for me with the alternative pyzor server. In your
> .pyzor/servers file you should have
>
> 82.94.255.100:24441
>

I knew about this server - but I'd still rather not trust my mail throughput to a single point of failure that everyone is querying.

That's the biggest problem with Pyzor - the back-end has no easy way to replicate to slaves.

Cheers,
Steve.

From lists at tippingmar.com Tue Sep 16 18:12:02 2008
From: lists at tippingmar.com (Mark Nienberg)
Date: Tue Sep 16 18:12:19 2008
Subject: Desperately trying to debug poor spam scanning performance
In-Reply-To: <48CFE4EC.6080907@fsl.com>
References: <48CA9E61.7080506@photobox.com> <5A881BE9-B6B4-463D-BFE0-0D7FFF8C80F3@rtpty.com> <48CABC5B.2010603@photobox.com> <48CE44D6.9090907@ecs.soton.ac.uk> <48CE620E.9060909@photobox.com> <48CF9138.4020601@fsl.com> <48CF9499.4020707@photobox.com> <48CFE25D.3010902@tippingmar.com> <48CFE4EC.6080907@fsl.com>
Message-ID: <48CFE8E2.2020806@tippingmar.com>

Steve Freegard wrote:
> Mark Nienberg wrote:
>> Pyzor works well for me with the alternative pyzor server. In your
>> .pyzor/servers file you should have
>>
>> 82.94.255.100:24441
>>
>
> I knew about this server - but I'd still rather not trust my mail
> throughput to a single point of failure that everyone is querying.
>
> That's the biggest problem with Pyzor - the back-end has no easy way
> to replicate to slaves.
>

Maybe it is because of my low volume (3000 msgs per day) but I haven't seen a spamassassin timeout of any kind in about a year. But I see what you mean about the pyzor server. I'm prepared to disable pyzor if it ever starts timing out for me.

Mark Nienberg

From campbell at cnpapers.com Tue Sep 16 20:22:03 2008
From: campbell at cnpapers.com (Steve Campbell)
Date: Tue Sep 16 20:22:20 2008
Subject: Autocommit errors are back?
Message-ID: <48D0075B.80402@cnpapers.com>

I just installed the new 4.71.10-1 and am seeing the following lines in my maillog.

commit ineffective with AutoCommit enabled at /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93, line 639.
Commmit ineffective while AutoCommit is on at /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93, line 639.

I found in my older list mailings from 8/29/2008 that this was just debugging code, and would be removed after 4.71.7. Do I have other problems or should I remove lines somewhere?

Thanks

Steve Campbell

From campbell at cnpapers.com Tue Sep 16 20:24:41 2008
From: campbell at cnpapers.com (Steve Campbell)
Date: Tue Sep 16 20:26:36 2008
Subject: sa-update question also
Message-ID: <48D007F9.8090205@cnpapers.com>

Sorry, should have all been in one mail.

I see where I have sa-update saved as sa-update.rpmsave, but I don't see a new one. Can someone explain the procedures now in place, please?

Again Thanks.

Steve Campbell

From MailScanner at ecs.soton.ac.uk Tue Sep 16 20:35:10 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Sep 16 20:35:29 2008
Subject: Autocommit errors are back?
In-Reply-To:
References:
Message-ID: <48D00A6E.6090405@ecs.soton.ac.uk>

Steve Campbell wrote:
> I just installed the new 4.71.10-1 and am seeing the following lines
> in my maillog.
>
> commit ineffective with AutoCommit enabled at
> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93,
> line 639.
> Commmit ineffective while AutoCommit is on at
> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93,
> line 639.
>
> I found in my older list mailings from 8/29/2008 that this was just
> debugging code, and would be removed after 4.71.7. Do I have other
> problems or should I remove lines somewhere?

This is caused by MailWatch, nothing to do with me or MailScanner at all.
It won't be removed by MailScanner, ain't my problem :-)

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From ssilva at sgvwater.com Tue Sep 16 20:37:31 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Sep 16 20:37:49 2008
Subject: Autocommit errors are back?
In-Reply-To: <48D0075B.80402@cnpapers.com>
References: <48D0075B.80402@cnpapers.com>
Message-ID:

on 9-16-2008 12:22 PM Steve Campbell spake the following:
> I just installed the new 4.71.10-1 and am seeing the following lines in
> my maillog.
>
> commit ineffective with AutoCommit enabled at
> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93,
> line 639.
> Commmit ineffective while AutoCommit is on at
> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93,
> line 639.
>
> I found in my older list mailings from 8/29/2008 that this was just
> debugging code, and would be removed after 4.71.7. Do I have other
> problems or should I remove lines somewhere?
>
> Thanks
>
> Steve Campbell
>
AFAIR it is from having autocommit on in the mysql database (I do believe it is the default) and the various commits in the database code for mailwatch. It is noisy but harmless, and not part of the mailscanner code.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From campbell at cnpapers.com Tue Sep 16 20:55:11 2008
From: campbell at cnpapers.com (Steve Campbell)
Date: Tue Sep 16 20:55:26 2008
Subject: Autocommit errors are back?
In-Reply-To: <48D00A6E.6090405@ecs.soton.ac.uk>
References: <48D00A6E.6090405@ecs.soton.ac.uk>
Message-ID: <48D00F1F.1050601@cnpapers.com>

Julian Field wrote:
>
> Steve Campbell wrote:
>> I just installed the new 4.71.10-1 and am seeing the following lines
>> in my maillog.
>>
>> commit ineffective with AutoCommit enabled at
>> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line
>> 93, line 639.
>> Commmit ineffective while AutoCommit is on at
>> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line
>> 93, line 639.
>>
>> I found in my older list mailings from 8/29/2008 that this was just
>> debugging code, and would be removed after 4.71.7. Do I have other
>> problems or should I remove lines somewhere?
> This is caused by MailWatch, nothing to do with me or MailScanner at all.
> It won't be removed by MailScanner, ain't my problem :-)
>
> Jules

Gotcha,

Just misled by the previous postings. It only happens upon startup anyway (I think)

Sorry to point a finger the wrong way.

Steve

From ssilva at sgvwater.com Tue Sep 16 21:02:44 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Sep 16 21:03:07 2008
Subject: sa-update question also
In-Reply-To: <48D007F9.8090205@cnpapers.com>
References: <48D007F9.8090205@cnpapers.com>
Message-ID:

on 9-16-2008 12:24 PM Steve Campbell spake the following:
> Sorry, should have all been in one mail.
>
> I see where I have sa-update saved as sa-update.rpmsave, but I don't see
> a new one. Can someone explain the procedures now in place, please?
>
> Again Thanks.
>
> Steve Campbell
>
I don't see this on any of my machines. Maybe a postinstall script misfired on you if your sa-update was changed from the original.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ljosnet at gmail.com Tue Sep 16 21:39:01 2008
From: ljosnet at gmail.com (Ljósnet)
Date: Tue Sep 16 21:39:11 2008
Subject: Syntax error(s) in configuration file
In-Reply-To: <4857E802.5060907@ecs.soton.ac.uk>
References: <4857E802.5060907@ecs.soton.ac.uk>
Message-ID: <910ee2ac0809161339ke617917oa377ed4f1b52b272@mail.gmail.com>

I just did a clean install from the latest stable version of MailScanner and this was in my MailScanner.conf.

On Tue, Jun 17, 2008 at 4:36 PM, Julian Field wrote:
> Run "upgrade_MailScanner_conf" and it will tell you how to use this command,
> which will fix this problem for you. Whenever you change your MailScanner
> version (upgrade or downgrade, it handles both) you should re-run
> upgrade_MailScanner_conf to fix up your MailScanner.conf file.
>
> Martin.Hepworth wrote:
>>
>> David
>>
>> Kinda what it says really....you no longer need a spamassassisinprefs
>> setting in MailScanner.conf.
>>
>> --
>> Martin Hepworth
>> Snr Systems Administrator
>> Solid State Logic
>> Tel: +44 (0)1865 842300
>>
>>>
>>> -----Original Message-----
>>> From: mailscanner-bounces@lists.mailscanner.info >>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf >>> Of David Guillermo >>> Sent: 17 June 2008 11:35 >>> To: MailScanner discussion >>> Subject: Syntax error(s) in configuration file >>> >>> Hi. >>> >>> my problem is: >>> >>> Jun 17 12:20:16 servidor1 MailScanner[26675]: MailScanner >>> E-Mail Virus Scanner version 4.69.9 starting... >>> Jun 17 12:20:17 servidor1 MailScanner[26675]: Syntax error(s) >>> in configuration file: >>> Jun 17 12:20:17 servidor1 MailScanner[26675]: Unrecognised >>> keyword "spamassassinprefsfile" at line 1412 Jun 17 12:20:17 >>> servidor1 MailScanner[26675]: Warning: syntax errors in >>> /etc/MailScanner/MailScanner.conf. >>> >>> in my /etc/MailScanner/MailScanner.conf. >>> is >>> SpamAssassin Prefs File = %etc-dir%/spam.assassin.prefs.conf >>> >>> my version... MailScanner -V >>> >>> This is Fedora Core release 6 (Zod) >>> This is Perl version 5.008008 (5.8.8) >>> >>> This is MailScanner version 4.69.9 >>> Module versions are: >>> 1.00 AnyDBM_File >>> 1.16 Archive::Zip >>> 0.21 bignum >>> 1.04 Carp >>> 1.42 Compress::Zlib >>> 1.119 Convert::BinHex >>> 0.17 Convert::TNEF >>> 2.121_08 Data::Dumper >>> 2.27 Date::Parse >>> 1.00 DirHandle >>> 1.05 Fcntl >>> 2.74 File::Basename >>> 2.09 File::Copy >>> 2.01 FileHandle >>> 1.08 File::Path >>> 0.19 File::Temp >>> 0.90 Filesys::Df >>> 1.35 HTML::Entities >>> 3.56 HTML::Parser >>> 2.37 HTML::TokeParser >>> 1.23 IO >>> 1.14 IO::File >>> 1.13 IO::Pipe >>> 2.02 Mail::Header >>> 1.86 Math::BigInt >>> 0.19 Math::BigRat >>> 3.07 MIME::Base64 >>> 5.425 MIME::Decoder >>> 5.425 MIME::Decoder::UU >>> 5.425 MIME::Head >>> 5.425 MIME::Parser >>> 3.07 MIME::QuotedPrint >>> 5.425 MIME::Tools >>> 0.11 Net::CIDR >>> 1.25 Net::IP >>> 0.16 OLE::Storage_Lite >>> 1.04 Pod::Escapes >>> 3.05 Pod::Simple >>> 1.09 POSIX >>> 1.18 Scalar::Util >>> 1.78 Socket >>> 2.15 Storable >>> 1.4 Sys::Hostname::Long >>> 0.18 Sys::Syslog >>> 1.26 Test::Pod >>> 0.7 
Test::Simple >>> 1.86 Time::HiRes >>> 1.02 Time::localtime >>> >>> Optional module versions are: >>> 1.30 Archive::Tar >>> 0.21 bignum >>> missing Business::ISBN >>> missing Business::ISBN::Data >>> missing Data::Dump >>> 1.814 DB_File >>> 1.13 DBD::SQLite >>> 1.56 DBI >>> 1.14 Digest >>> 1.01 Digest::HMAC >>> 2.36 Digest::MD5 >>> 2.11 Digest::SHA1 >>> missing Encode::Detect >>> missing Error >>> missing ExtUtils::CBuilder >>> missing ExtUtils::ParseXS >>> 2.36 Getopt::Long >>> missing Inline >>> missing IO::String >>> 1.04 IO::Zlib >>> missing IP::Country >>> missing Mail::ClamAV >>> 3.001009 Mail::SpamAssassin >>> missing Mail::SPF >>> missing Mail::SPF::Query >>> missing Module::Build >>> missing Net::CIDR::Lite >>> 0.63 Net::DNS >>> missing Net::DNS::Resolver::Programmable >>> 0.34 Net::LDAP >>> missing NetAddr::IP >>> missing Parse::RecDescent >>> missing SAVI >>> 2.56 Test::Harness >>> missing Test::Manifest >>> 1.95 Text::Balanced >>> 1.35 URI >>> missing version >>> missing YAML >>> >>> -- >>> -:- j0d3 >>> David Guillermo Rodriguez >>> Debian Unstable/Sid GNU/Linux >>> e-mail: davocasc98@gmail.com >>> http://j0d3.blogspot.com >>> Modelo de CPU: AMD Athlon(tm) 64 X2 Dual Core Processor 4600+ >>> Kernel: 2.6.24.2 >>> Linux user #408522 >>> -:- >>> -- >>> MailScanner mailing list >>> mailscanner@lists.mailscanner.info >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>> >>> Before posting, read http://wiki.mailscanner.info/posting >>> >>> Support MailScanner development - buy the book off the website! >>> >>> >> >> >> >> >> ********************************************************************** >> Confidentiality : This e-mail and any attachments are intended for the >> addressee only and may be confidential. If they come to you in error you >> must take no action based on them, nor must you copy or show them to anyone. >> Please advise the sender by replying to this e-mail immediately and then >> delete the original from your computer. 
>> Opinion : Any opinions expressed in this e-mail are entirely those of the >> author and unless specifically stated to the contrary, are not necessarily >> those of the author's employer. >> Security Warning : Internet e-mail is not necessarily a secure >> communications medium and can be subject to data corruption. We advise that >> you consider this fact when e-mailing us. Viruses : We have taken steps to >> ensure that this e-mail and any attachments are free from known viruses but >> in keeping with good computing practice, you should ensure that they are >> virus free. >> >> Red Lion 49 Ltd T/A Solid State Logic >> Registered as a limited company in England and Wales (Company No:5362730) >> Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United >> Kingdom >> ********************************************************************** >> >> > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > PGP public key: http://www.jules.fm/julesfm.asc > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From jasonkdick at yahoo.com Tue Sep 16 21:53:35 2008 
From: jasonkdick at yahoo.com (Jason Dick)
Date: Tue Sep 16 21:53:45 2008
Subject: SpamAssassin not being Called
Message-ID: <277347.45036.qm@web36606.mail.mud.yahoo.com>

I have installed MailScanner 4.72.2 and SpamAssassin 3.2.5 on a Fedora Core 2 box and I am having problems with SpamAssassin. MailScanner seems to work just fine but it never seems to call SpamAssassin.

I have the following set in MailScanner.conf:
Spam Checks = yes
Spam List =
Spam Domain List =
Use SpamAssassin = yes
Log Spam = yes
Debug SpamAssassin = yes

Here's what maillog shows:
Sep 16 16:30:40 icegate2 MailScanner[4229]: New Batch: Scanning 1 messages, 177272 bytes
Sep 16 16:30:40 icegate2 MailScanner[4229]: Saved archive copies of m8GKUd1S004232
Sep 16 16:30:40 icegate2 MailScanner[4229]: Spam Checks: Starting
Sep 16 16:30:41 icegate2 MailScanner[4229]: Filename Checks: Blocked Filename Detected (m8GKUd1S004232 msg-4229-2.gif)
Sep 16 16:30:41 icegate2 MailScanner[4229]: Other Checks: Found 1 problems
Sep 16 16:30:41 icegate2 MailScanner[4229]: Virus and Content Scanning: Starting
Sep 16 16:30:41 icegate2 MailScanner[4229]: Saved infected "msg-4229-2.gif" to /var/spool/MailScanner/quarantine/20080916/m8GKUd1S004232
Sep 16 16:30:41 icegate2 MailScanner[4229]: Cleaned: Delivered 1 cleaned messages

I get no errors on lint either.
spamassassin -C spam.assassin.prefs.conf --lint

It's been a few years since I've used MailScanner but I don't remember having to do anything special to get it to work. Anyone have any ideas why SpamAssassin is not being called or how I can debug it?

Jason

From MailScanner at ecs.soton.ac.uk Tue Sep 16 21:53:59 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Sep 16 21:54:21 2008
Subject: Syntax error(s) in configuration file
In-Reply-To:
References: <4857E802.5060907@ecs.soton.ac.uk>
Message-ID: <48D01CE7.80705@ecs.soton.ac.uk>

Well I just checked the MailScanner.conf file I distribute and it isn't in there. So I am not quite sure how you got it, but the most likely route is that your system already had a /etc/MailScanner/MailScanner.conf file from a previous version in it.

Ljósnet wrote:
> I just did a clean install from the latest stable version of
> MailScanner and this was in my MailScanner.conf.
>
> On Tue, Jun 17, 2008 at 4:36 PM, Julian Field
> wrote:
>
>> Run "upgrade_MailScanner_conf" and it will tell you how to use this command,
>> which will fix this problem for you. Whenever you change your MailScanner
>> version (upgrade or downgrade, it handles both) you should re-run
>> upgrade_MailScanner_conf to fix up your MailScanner.conf file.
>>
>> Martin.Hepworth wrote:
>>
>>> David
>>>
>>> Kinda what it says really....you no longer need a spamassassisinprefs
>>> setting in MailScanner.conf.
>>>
>>> --
>>> Martin Hepworth
>>> Snr Systems Administrator
>>> Solid State Logic
>>> Tel: +44 (0)1865 842300
>>>
>>>
>>>> -----Original Message-----
>>
>>
Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From ssilva at sgvwater.com Tue Sep 16 22:21:08 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Sep 16 22:21:28 2008
Subject: Syntax error(s) in configuration file
In-Reply-To: <910ee2ac0809161339ke617917oa377ed4f1b52b272@mail.gmail.com>
References: <4857E802.5060907@ecs.soton.ac.uk> <910ee2ac0809161339ke617917oa377ed4f1b52b272@mail.gmail.com>
Message-ID:

on 9-16-2008 1:39 PM ? spake the following:
> I just did a clean install from the latest stable version of
> MailScanner and this was in my MailScanner.conf.
>
The latest stable from www.mailscanner.info, or the latest stable from some packagers site like Debian?

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From MailScanner at ecs.soton.ac.uk Tue Sep 16 22:21:47 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Sep 16 22:22:07 2008
Subject: SpamAssassin not being Called
In-Reply-To:
References:
Message-ID: <48D0236B.4030200@ecs.soton.ac.uk>

Jason Dick wrote:
> I have installed
> MailScanner 4.72.2 and SpamAssassin 3.2.5 on a Fedora Core 2 box and I am having problems
> with SpamAssassin. MailScanner seems to work just fine but it never seems to
> call SpamAssassin.
>
> I have the following
> set in MailScanner.conf:
> Spam Checks =
> yes
> Spam List =
> Spam
> Domain List =
> Use SpamAssassin = yes
> Log Spam =
> yes
> Debug SpamAssassin = yes
>
Switch this off. You only want to turn this on from the command-line.
>
> Here's what maillog
> shows:
> Sep 16 16:30:40
> icegate2 MailScanner[4229]: New Batch: Scanning 1 messages, 177272 bytes
> Sep
> 16 16:30:40 icegate2 MailScanner[4229]: Saved archive copies of
> m8GKUd1S004232
> Sep 16 16:30:40 icegate2 MailScanner[4229]: Spam Checks:
> Starting
> Sep 16 16:30:41 icegate2 MailScanner[4229]: Filename Checks: Blocked
> Filename Detected (m8GKUd1S004232 msg-4229-2.gif)
> Sep 16 16:30:41 icegate2
> MailScanner[4229]: Other Checks: Found 1 problems
> Sep 16 16:30:41 icegate2
> MailScanner[4229]: Virus and Content Scanning: Starting
> Sep 16 16:30:41
> icegate2 MailScanner[4229]: Saved infected "msg-4229-2.gif" to
> /var/spool/MailScanner/quarantine/20080916/m8GKUd1S004232
> Sep 16 16:30:41
> icegate2 MailScanner[4229]: Cleaned: Delivered 1 cleaned
> messages
>
> I get no errors on lint either.
> spamassassin -C spam.assassin.prefs.conf --lint
>
>
> It's been a few years since I've used MailScanner but I don't remember
> having to do anything special to get it work. Anyone have any ideas why SpamAssassin is not being called or how i can debug it?
>
>
> Jason
>
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From campbell at cnpapers.com Wed Sep 17 00:01:18 2008
From: campbell at cnpapers.com (Steve Campbell)
Date: Wed Sep 17 00:03:16 2008
Subject: sa-update question also
In-Reply-To:
References: <48D007F9.8090205@cnpapers.com>
Message-ID: <1221606078.48d03abe2facf@perdition.cnpapers.net>

Quoting Scott Silva :

> on 9-16-2008 12:24 PM Steve Campbell spake the following:
> > Sorry, should have all been in one mail.
> >
> > I see where I have sa-update saved as sa-update.rpmsave, but I don't see
> > a new one. Can someone explain the procedures now in place, please?
> >
> > Again Thanks.
> >
> > Steve Campbell
> >
> I don't see this on any of my machines. Maybe a postinstall script misfired
> on
> you if your sa-update was changed from the original.
>
> --

I did find a update-spamassassin script (or was it spamassassin-update?) in /etc/cron.daily. Maybe I jumped the gun again. I'll check tomorrow as I had to get home to push my mower around a little more. It's tough getting old.

Thanks

Steve

-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/

From prandal at herefordshire.gov.uk Wed Sep 17 09:57:38 2008
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Wed Sep 17 09:58:01 2008
Subject: clamd DoS?
In-Reply-To:
References: <48CE37ED.6040200@nerc.ac.uk><48CE7FD0.3070909@ecs.soton.ac.uk><48CE8854.8000508@ecs.soton.ac.uk><48CEC9C4.9010507@ecs.soton.ac.uk>
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA04BFAE62@HC-MBX02.herefordshire.gov.uk>

From the ClamAV-users mailing list:

"Hi all,
This has been worked around with a signature update (daily 8262).
A definitive (in-the-code) solution will be included in 0.94.1

Thanks everyone,
-aCaB"

Cheers,

Phil

--
Phil Randal
Networks Engineer
Herefordshire Council
Hereford, UK

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Raymond Dijkxhoorn Sent: 16 September 2008 11:59 To: MailScanner discussion Subject: Re: clamd DoS? Hi! >> I was seeing a number of spam messages coming in w/the subject >> "Credit card transaction report". Every now and then one would get >> tagged as a virus, but most weren't. However, I went into MailWatch, >> selected one that wasn't marked as viral and saved the attached >> Report.zip to my linux workstation. Ark extracted the file >> report.doc.exe. I kicked off top in a term window, opened another >> terminal and ran 'clamscan report.doc.exe'. W/in a couple seconds CPU utilization was pegged. >> >> I'm running plain old clamav, not clamscan or clamd. >> >> Not much to go on, but maybe this will help a bit... > Ooh, can you post this on the web somewhere and tell me the URL so I > can fetch this file and construct a message round it for testing? The guys @ ClamAV are also looking into this (Thanks Luca!) Bye, Raymond. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From tony.johansson at svenskakyrkan.se Wed Sep 17 12:59:13 2008 
From: tony.johansson at svenskakyrkan.se (Tony Johansson)
Date: Wed Sep 17 12:59:32 2008
Subject: SpamAssassin cache hit inherits original spam score?
Message-ID:

We scan a number of different domains. Some have a required spam score of 7 while most use 5.

The individual spam scores for the domains work as desired but seem to fail at times if a spam is cached.

We've had examples where a domain that has set 5 as the required score gets spam delivered with a header as this:
X-Svenskakyrkan-SpamCheck: not spam, SpamAssassin (cached, score=6.81, required 7, BAYES_50 0.00, DCC_CHECK 2.17, URIBL_BLACK 3.00, URIBL_SBL 1.64)

Shouldn't the saved spam score be evaluated again when there is a cache hit?

Regards, Tony

From glenn.steen at gmail.com Wed Sep 17 13:07:34 2008
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Sep 17 13:07:44 2008 Subject: Free virusscanner In-Reply-To: References: <004b01c91808$e47752c0$ad65f840$@dk> <599626BE-365C-4B20-B35A-8AE16DCAA306@rtpty.com> Message-ID: <223f97700809170507n1001e05bq71989d7045dbee9@mail.gmail.com> 2008/9/16 Scott Silva : > on 9-16-2008 7:57 AM Alex Neuman van der Hans spake the following: >> >> Thanks for the info. Those of us with boxes running our own mail at home >> can use it alongside clamav*. >> >> On Sep 16, 2008, at 9:31 AM, Jonas Akrouh Larsen wrote: >> >>> You can get a license here: >>> http://www.bitdefender.com/site/Products/ScannerLicense/ >>> >>> And the actual download can be found >>> here:http://download.bitdefender.com/SMB/Workstation_Security_and_Management/BitDefender_Antivirus_Scanner_for_Unices/Unix/Current/EN/Version_7.x/Linux/ >>> >> > F-prot also has a "free for home use" scanner, as does AVG I believe. You > can still find the old free bitdefender scanner in a google search, but I > don't know how well it works anymore. > As does a few others....:-) The "old" release just works... It still updates OK, is still a performance pig, and still find enough viruses (and is sometimes fastest of my clamd, mcafee, bdc "triplet":-)... So I'll keep using that one for a bit;). About the wiki... You can do that easily enough Jonas. The page is a bit in shambles, but ... I'm a bit stumped for time ATM. Could possibly post up the info in a day or two. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Wed Sep 17 13:12:09 2008 
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Sep 17 13:12:19 2008 Subject: Autocommit errors are back? In-Reply-To: <48D00F1F.1050601@cnpapers.com> References: <48D00A6E.6090405@ecs.soton.ac.uk> <48D00F1F.1050601@cnpapers.com> Message-ID: <223f97700809170512w398778adv2191728055717316@mail.gmail.com> 2008/9/16 Steve Campbell : > > > Julian Field wrote: >> >> >> Steve Campbell wrote: >>> >>> I just installed the new 4.71.10-1 and am seeing the following lines in >>> my maillog. >>> >>> commit ineffective with AutoCommit enabled at >>> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93, >>> line 639. >>> Commmit ineffective while AutoCommit is on at >>> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93, >>> line 639. >>> >>> I found in my older list mailings from 8/29/2008 that this was just >>> debugging code, and would be removed after 4.71.7. Do I have other problems >>> or should I remove lines somewhere? >> >> This is caused by MailWatch, nothing to do with me or MailScanner at all. >> It won't be removed by MailScanner, ain't my problem :-) >> >> Jules > > Gotcha, > > Just misled by the previous postings. It only happens upon startup anyway (I > think) > > Sorry to point a finger the wrong way. > > Steve > No fingerpointing needed;-). It is exactly as Scott says ... noisy and harmless...:) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From MailScanner at ecs.soton.ac.uk Wed Sep 17 16:26:19 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Sep 17 16:26:37 2008
Subject: SpamAssassin cache hit inherits original spam score?
In-Reply-To:
References:
Message-ID: <48D1219B.4030306@ecs.soton.ac.uk>

The cache does not store whether it was spam or not, it just caches the score points. So I'm not at all convinced you are seeing the behaviour you think you are, this may be the result of something else happening.

Tony Johansson wrote:
> We scan a number of different domains. Some have a required spam score of 7 while most use 5.
>
> The individual spam scores for the domains work as desired but seem to fail at times if a spam is cached.
>
> We've had examples where a domain that has set 5 as the required score gets spam delivered with a header as this:
> X-Svenskakyrkan-SpamCheck: not spam, SpamAssassin (cached, score=6.81, required 7, BAYES_50 0.00, DCC_CHECK 2.17, URIBL_BLACK 3.00, URIBL_SBL 1.64)
>
> Shouldn't the saved spam score be evaluated again when there is a cache hit?
>
> Regards, Tony

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From roland at inbox4u.de Wed Sep 17 20:13:09 2008
From: roland at inbox4u.de (Ehle, Roland)
Date: Wed Sep 17 20:14:20 2008
Subject: AW: SpamAssassin cache hit inherits original spam score?
In-Reply-To:
References:
Message-ID:

Tony,

do you split messages to multiple recipients into one message per recipient? Maybe this is the point.

If you use different Spam Scores per Domain, you probably use a rules file. Are you sure the rules file is set up correctly? The default rule should be at the end of the file.

By the way: MailScanner works perfectly for me with different Spam Scores for the different domains. So there is probably a little dot missing in your configuration.

Regards,
Roland

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Tony Johansson
> Sent: Wednesday, 17 September 2008 13:59
> To: mailscanner@lists.mailscanner.info
> Subject: SpamAssassin cache hit inherits original spam score?
>
> We scan a number of different domains. Some have a required spam score of 7 while most use 5.
>
> The individual spam scores for the domains work as desired but seem to fail at times if a spam is cached.
>
> We've had examples where a domain that has set 5 as the required score gets spam delivered with a header as this:
> X-Svenskakyrkan-SpamCheck: not spam, SpamAssassin (cached, score=6.81, required 7, BAYES_50 0.00, DCC_CHECK 2.17, URIBL_BLACK 3.00, URIBL_SBL 1.64)
>
> Shouldn't the saved spam score be evaluated again when there is a cache hit?
>
> Regards, Tony
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From paul at welshfamily.com Wed Sep 17 21:53:03 2008
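Added example, not part of any list post and not MailScanner's own code: an auditor for the SpamCheck header format quoted in this thread. It parses the header and compares the threshold the header records with the one expected for the recipient's domain, which separates "wrong threshold selected" from "cached score not re-evaluated". The domain table, the `>=` comparison and the `spam` verdict spelling are assumptions.

```python
import re

# Assumed per-domain thresholds (domain names are constructed); the thread
# only says some domains require 7 while most use 5.
REQUIRED_BY_DOMAIN = {"seven.example": 7.0}
DEFAULT_REQUIRED = 5.0

# Header value quoted in the thread, folded as a mail header would be.
THREAD_HEADER = (
    "not spam, SpamAssassin (cached, score=6.81, required 7, BAYES_50 0.00,\n"
    " DCC_CHECK 2.17, URIBL_BLACK 3.00, URIBL_SBL 1.64)"
)

# "spam" as the positive verdict is an assumption; the page shows "not spam".
_OUTER = re.compile(r"^(not spam|spam), SpamAssassin \((.*)\)$")
_RULE = re.compile(r"^([A-Z][A-Z0-9_]*) (-?\d+(?:\.\d+)?)$")


def parse_spamcheck(value):
    """Parse a SpamCheck header value into verdict, cache flag, score, rules."""
    flat = " ".join(value.split())  # undo header folding
    m = _OUTER.match(flat)
    if not m:
        raise ValueError("unrecognised SpamCheck header: %r" % flat)
    out = {"verdict": m.group(1), "cached": None, "score": None,
           "required": None, "rules": {}}
    for item in m.group(2).split(", "):
        if item in ("cached", "not cached"):
            out["cached"] = item == "cached"
        elif item.startswith("score="):
            out["score"] = float(item[len("score="):])
        elif item.startswith("required "):
            out["required"] = float(item[len("required "):])
        else:
            rule = _RULE.match(item)
            if rule:  # items such as autolearn=disabled are ignored
                out["rules"][rule.group(1)] = float(rule.group(2))
    if out["score"] is None or out["required"] is None:
        raise ValueError("score or required missing: %r" % flat)
    return out


def expected_required(recipient):
    """Threshold the recipient's domain should get (assumed lookup table)."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    return REQUIRED_BY_DOMAIN.get(domain, DEFAULT_REQUIRED)


def audit(header_value, recipient):
    """Compare what the header records with what the recipient should get."""
    h = parse_spamcheck(header_value)
    want = expected_required(recipient)
    return {
        "cached": h["cached"],
        "score": h["score"],
        "header_required": h["required"],
        "expected_required": want,
        # True: the wrong threshold was looked up for this delivery.
        "threshold_mismatch": h["required"] != want,
        # Assumes a message is spam when score >= required.
        "spam_at_expected": h["score"] >= want,
        # Sanity check that the listed rule points add up to the score.
        "rules_sum_matches": abs(sum(h["rules"].values()) - h["score"]) < 0.005,
    }


if __name__ == "__main__":
    for rcpt in ("user@five.example", "user@seven.example"):
        print(rcpt, audit(THREAD_HEADER, rcpt))
```

For a recipient whose domain should use 5, the audit reports a threshold mismatch: the header records `required 7`, so the cached 6.81 points were compared against a threshold of 7.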
From: paul at welshfamily.com (Paul Welsh)
Date: Wed Sep 17 21:53:31 2008
Subject: Viruses getting through
In-Reply-To: <200805311100.m4VB0MpV017805@safir.blacknight.ie>
Message-ID: <200809172053.m8HKrMFo000866@safir.blacknight.ie>

For the past few weeks I've had viruses getting through - the pesky ones that claim to be flight confirmations, bank statements or some such with small .zip files attached. I'm sure you know about them. Some are tagged as spam but not all.

The headers of a recent one show that the message is classed as clean:

Received: from [217.45.162.11] by etrn.borusantelekom.com; Wed, 17 Sep 2008 09:17:36 +0000
Message-ID: <01c918a6$39323800$0ba22dd9@ghw>
From: "Lindsey Avila"
Subject: Statement of fees 2008/09
Date: Wed, 17 Sep 2008 09:17:36 +0000
MIME-Version: 1.0
X-welshfamily-MailScanner: Found to be clean
X-welshfamily-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=0.407, required 6, autolearn=disabled, XMAILER_MIMEOLE_OL_4B815 0.41)
X-welshfamily-MailScanner-From: ghw@borashipping.com
X-Spam-Status: No

I'm using clamav and bitdefender but although updated with the latest definitions, it's probably ineffective because it's the free version v7.1. Running freshclam yields this:

# freshclam
ClamAV update process started at Wed Sep 17 21:41:04 2008
main.cld is up to date (version: 48, sigs: 399264, f-level: 35, builder: sven)
daily.cld is up to date (version: 8272, sigs: 28579, f-level: 35, builder: ccordes)

Here's the version of clam:
# clamscan -V
ClamAV 0.94/8272/Wed Sep 17 21:16:02 2008

I'm running MailScanner version 4.71.10.

I did browse the archive of this list but couldn't find the answer. Any help appreciated.

From martinh at solidstatelogic.com Wed Sep 17 22:22:00 2008
From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Wed Sep 17 22:17:15 2008 Subject: Viruses getting through Message-ID: Paul Was fixed last night in clamav, sophos has been detecting these fine for what its worth. Can't say i've any in last 18 hours or so though. -- martin -----Original Message----- From: Paul Welsh Sent: 17 September 2008 22:01 To: mailscanner@lists.mailscanner.info Subject: Viruses getting through For the past few weeks I've had viruses getting through - the pesky ones that claim to be flight confirmations, bank statements or some such with small .zip files attached. I'm sure you know about them. Some are tagged as spam but not all. The headers of a recent one show that the message is classed as clean: Received: from [217.45.162.11] by etrn.borusantelekom.com; Wed, 17 Sep 2008 09:17:36 +0000 Message-ID: <01c918a6$39323800$0ba22dd9@ghw> 
From: "Lindsey Avila" Subject: Statement of fees 2008/09 Date: Wed, 17 Sep 2008 09:17:36 +0000 MIME-Version: 1.0 X-welshfamily-MailScanner: Found to be clean X-welshfamily-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=0.407, required 6, autolearn=disabled, XMAILER_MIMEOLE_OL_4B815 0.41) X-welshfamily-MailScanner-From: ghw@borashipping.com X-Spam-Status: No I'm using clamav and bitdefender but although updated with the latest definitions, it's probably ineffective because it's the free version v7.1. Running freshclam yields this: # freshclam ClamAV update process started at Wed Sep 17 21:41:04 2008 main.cld is up to date (version: 48, sigs: 399264, f-level: 35, builder: sven) daily.cld is up to date (version: 8272, sigs: 28579, f-level: 35, builder: ccordes) Here's the version of clam: # clamscan -V ClamAV 0.94/8272/Wed Sep 17 21:16:02 2008 I'm running MailScanner version 4.71.10. I did browse the archive of this list but couldn't find the answer. Any help appreciated. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. 
We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From ms-list at alexb.ch Wed Sep 17 22:18:48 2008 From: ms-list at alexb.ch (Alex Broens) Date: Wed Sep 17 22:19:00 2008 Subject: Viruses getting through In-Reply-To: <200809172053.m8HKrMFo000866@safir.blacknight.ie> References: <200809172053.m8HKrMFo000866@safir.blacknight.ie> Message-ID: <48D17438.60106@alexb.ch> On 9/17/2008 10:53 PM, Paul Welsh wrote: > For the past few weeks I've had viruses getting through - the pesky ones > that claim to be flight confirmations, bank statements or some such with > small .zip files attached. I'm sure you know about them. Some are tagged > as spam but not all. What Linux/Unix and MTA flavours are you using on that box? Thanks Alex > The headers of a recent one show that the message is classed as clean: > > Received: from [217.45.162.11] by etrn.borusantelekom.com; Wed, 17 Sep 2008 > 09:17:36 +0000 > Message-ID: <01c918a6$39323800$0ba22dd9@ghw> 
> From: "Lindsey Avila" > Subject: Statement of fees 2008/09 > Date: Wed, 17 Sep 2008 09:17:36 +0000 > MIME-Version: 1.0 > X-welshfamily-MailScanner: Found to be clean > X-welshfamily-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, > score=0.407, required 6, autolearn=disabled, > XMAILER_MIMEOLE_OL_4B815 0.41) > X-welshfamily-MailScanner-From: ghw@borashipping.com > X-Spam-Status: No > > I'm using clamav and bitdefender but although updated with the latest > definitions, it's probably ineffective because it's the free version v7.1. > Running freshclam yields this: > > # freshclam > ClamAV update process started at Wed Sep 17 21:41:04 2008 > main.cld is up to date (version: 48, sigs: 399264, f-level: 35, builder: > sven) > daily.cld is up to date (version: 8272, sigs: 28579, f-level: 35, builder: > ccordes) > > Here's the version of clam: > # clamscan -V > ClamAV 0.94/8272/Wed Sep 17 21:16:02 2008 > > I'm running MailScanner version 4.71.10. > > I did browse the archive of this list but couldn't find the answer. Any > help appreciated. > From paul at welshfamily.com Wed Sep 17 22:54:20 2008 From: paul at welshfamily.com (Paul Welsh) Date: Wed Sep 17 22:54:43 2008 Subject: Viruses getting through In-Reply-To: <200805311100.m4VB0MpV017805@safir.blacknight.ie> Message-ID: <200809172154.m8HLsZbb003542@safir.blacknight.ie> > -----Original Message----- > From: Alex Broens alexb.ch> > Subject: Re: Viruses getting through > What Linux/Unix and MTA flavours are you using on that box? Hi Alex I'm running CentOS release 4.7 and Exim 4.60. From ms-list at alexb.ch Wed Sep 17 23:11:02 2008 From: ms-list at alexb.ch (Alex Broens) Date: Wed Sep 17 23:11:13 2008 Subject: Viruses getting through In-Reply-To: <200809172154.m8HLsZbb003542@safir.blacknight.ie> References: <200809172154.m8HLsZbb003542@safir.blacknight.ie> Message-ID: <48D18076.5050703@alexb.ch> On 9/17/2008 11:54 PM, Paul Welsh wrote: >> -----Original Message----- 
>> From: Alex Broens alexb.ch> >> Subject: Re: Viruses getting through > >> What Linux/Unix and MTA flavours are you using on that box? > > Hi Alex > > I'm running CentOS release 4.7 and Exim 4.60. Hi Paul Thanks for the info. Pls watch it after the next ClamAV version upgrade.... If its still happening, Jules may be interested... Alex From hvdkooij at vanderkooij.org Thu Sep 18 00:04:10 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Thu Sep 18 00:04:20 2008 Subject: OT: awstats on yum repository In-Reply-To: References: <48C6E93D.6030906@vanderkooij.org> Message-ID: <48D18CEA.9070801@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Scott Silva wrote: > on 9-9-2008 2:23 PM Hugo van der Kooij spake the following: >> Hi, >> >> I added some statistics specifically to track MailScanner downloads. For >> that I added the following lines to my awstats config: >> > Just for fun I took a look and I get a 403 error. I published some stats to public static pages. They should get updated each hour. http://yum.vanderkooij.org/stats-1.html MailScanner downloads by architecture http://yum.vanderkooij.org/stats-2.html MailScanner wrapper downloads by architecture http://yum.vanderkooij.org/stats-3.html MailScanner downloads by version Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFI0YzoBvzDRVjxmYERAhVxAJ0eS0v+3UvlVT7qSBp5rwFdEL6OlwCfUyC9 KD9mpvUlZawNTia+g4mjY6M= =0VRh -----END PGP SIGNATURE----- From ssilva at sgvwater.com Thu Sep 18 00:21:06 2008 
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Sep 18 00:21:42 2008 Subject: OT: awstats on yum repository In-Reply-To: <48C8B441.3040202@vanderkooij.org> References: <48C6E93D.6030906@vanderkooij.org> <48C82E12.7070806@vanderkooij.org> <48C8B441.3040202@vanderkooij.org> Message-ID: on 9-10-2008 11:01 PM Hugo van der Kooij spake the following: > Scott Silva wrote: > >> I don't have the mailscanner-wrapper on my system, but it still updated >> the old rpm. Everything works so I don't see any problem > > The wrapper is there as a convenience. Not all dependencies of the > MailScanner packages are done automatically. So every dependency I noted > that was not taken care of in the MailScanner package has been added to > the wrapper. > > If you have no need for the wrapper, that's fine by me. > > Hugo. I probably didn't need the wrapper since this machine had mailscanner installed already. Definitely would be needed on a fresh install from the wrapper. I think this is great if you have time to keep it up. Once you get it automated, it probably doesn't take too long to keep it going. Too bad Julian doesn't map his easy install rpm tarball to a fixed symlink. Then it could probably run on autopilot for months at a time. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From hvdkooij at vanderkooij.org Thu Sep 18 00:44:53 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Thu Sep 18 00:45:05 2008 Subject: OT: awstats on yum repository In-Reply-To: References: <48C6E93D.6030906@vanderkooij.org> <48C82E12.7070806@vanderkooij.org> <48C8B441.3040202@vanderkooij.org> Message-ID: <48D19675.2020607@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Scott Silva wrote: > on 9-10-2008 11:01 PM Hugo van der Kooij spake the following: >> Scott Silva wrote: >> >>> I don't have the mailscanner-wrapper on my system, but it still updated >>> the old rpm. Everything works so I don't see any problem >> >> The wrapper is there as a convenience. Not all dependencies of the >> MailScanner packages are done automatically. So every dependency I noted >> that was not taken care of in the MailScanner package has been added to >> the wrapper. >> >> If you have no need for the wrapper, that's fine by me. >> >> Hugo. > I probably didn't need the wrapper since this machine had mailscanner > installed already. Definitely would be needed on a fresh install from > the wrapper. > I think this is great if you have time to keep it up. Once you get it > automated, it probably doesn't take too long to keep it going. > > Too bad Julian doesn't map his easy install rpm tarball to a fixed > symlink. Then it could probably run on autopilot for months at a time. If the source RPM is updated each time the "compiled" version is done it could be done almost automagic. Almost but for the fact that it needs a passphrase to sign the packages. And the fact I prefer to test it before I update the repository. Hugo - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFI0ZZzBvzDRVjxmYERArn4AKCJrM4Shu/PDjyJZ0dfyLT0EWLRQQCggFJ0 HoEX1ABo44gncS/KV4d6sF0= =DQLT -----END PGP SIGNATURE----- From dean.plant at roke.co.uk Thu Sep 18 09:12:54 2008 From: dean.plant at roke.co.uk (Plant, Dean) Date: Thu Sep 18 09:13:09 2008 Subject: Viruses getting through In-Reply-To: <200809172053.m8HKrMFo000866@safir.blacknight.ie> Message-ID: <2181C5F19DD0254692452BFF3EAF1D68039412F7@rsys005a.comm.ad.roke.co.uk> Paul Welsh wrote: > For the past few weeks I've had viruses getting through - the pesky > ones that claim to be flight confirmations, bank statements or some > such with small .zip files attached. I'm sure you know about them. > Some are tagged as spam but not all. > Are you running the Sanesecurity sigs? Although they don't catch all of the variants, they do help. Also are you doing filename/filetype checking in zip files? This will also help. Dean From J.Ede at birchenallhowden.co.uk Thu Sep 18 09:25:47 2008 From: J.Ede at birchenallhowden.co.uk (Jason Ede) Date: Thu Sep 18 09:26:06 2008 Subject: Is MailScanner affected by the Redhat bug In-Reply-To: <1220968774.6938.45.camel@darkstar.netcore.co.in> References: <1220956841.6938.23.camel@darkstar.netcore.co.in> <48C66583.70800@nerc.ac.uk> <1220968774.6938.45.camel@darkstar.netcore.co.in> Message-ID: <4CAB0118AEC63A4FAAE77E6BCBDF760C792A20EECB@server02.bhl.local> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of ram > Sent: 09 September 2008 15:00 > To: MailScanner discussion > Subject: Re: Is MailScanner affected by the Redhat bug > > > On Tue, 2008-09-09 at 13:01 +0100, Greg Matthews wrote: > > ram wrote: > > > I have all my servers running MailScanner on Centos. Is MailScanner > > > greatly affected by the Bug ? > > > Should I upgrade perl on my machines ? > > > > I've ran tests last week on CentOS 4 and CentOS 5. CentOS 4.6 is > > unaffected but CentOS 5.2 does contain the bug. However, it is not > clear > > that this performance issue unduly affects MailScanner as other > > latencies are likely to dominate. > > > > > I did some testing myself .. There is apparently absolutely no affect > on > MailScanner > > took ~1000 mails to a test machine , Centos 5 , 4GB Ram , > with the perlbug and run it under MailScanner ( MailScanner + SA + > customscanner + f-prot6 + clamavmodule ) > > It takes 18 minutes with the perl bug and it same time (infact took 15s > more) after I upgraded perl with the patch on http://people.centos.org > > > So That is not any major affect after all :-) > > > > > Thanks > Ram CentOS have released the patch for this. Installed this morning and confirmed it fixes the bless issue. Jason From MailScanner at ecs.soton.ac.uk Thu Sep 18 09:44:29 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Sep 18 09:44:49 2008 Subject: OT: awstats on yum repository In-Reply-To: References: <48C6E93D.6030906@vanderkooij.org> <48C82E12.7070806@vanderkooij.org> <48C8B441.3040202@vanderkooij.org> Message-ID: <48D214ED.1050107@ecs.soton.ac.uk> Scott Silva wrote: > on 9-10-2008 11:01 PM Hugo van der Kooij spake the following: >> Scott Silva wrote: >> >>> I don't have the mailscanner-wrapper on my system, but it still updated >>> the old rpm. Everything works so I don't see any problem >> >> The wrapper is there as a convenience. Not all dependencies of the >> MailScanner packages are done automatically. So every dependency I noted >> that was not taken care of in the MailScanner package has been added to >> the wrapper. >> >> If you have no need for the wrapper, that's fine by me. >> >> Hugo. > I probably didn't need the wrapper since this machine had mailscanner > installed already. Definitely would be needed on a fresh install from > the wrapper. > I think this is great if you have time to keep it up. Once you get it > automated, it probably doesn't take too long to keep it going. > > Too bad Julian doesn't map his easy install rpm tarball to a fixed > symlink. Then it could probably run on autopilot for months at a time. I could do that easily enough for you. How about install-Clam-SA-latest.tar.gz? Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ms-list at alexb.ch Thu Sep 18 09:49:39 2008 
From: ms-list at alexb.ch (Alex Broens) Date: Thu Sep 18 09:49:56 2008 Subject: Is MailScanner affected by the Redhat bug In-Reply-To: <4CAB0118AEC63A4FAAE77E6BCBDF760C792A20EECB@server02.bhl.local> References: <1220956841.6938.23.camel@darkstar.netcore.co.in> <48C66583.70800@nerc.ac.uk> <1220968774.6938.45.camel@darkstar.netcore.co.in> <4CAB0118AEC63A4FAAE77E6BCBDF760C792A20EECB@server02.bhl.local> Message-ID: <48D21623.3050501@alexb.ch> On 9/18/2008 10:25 AM, Jason Ede wrote: >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of ram >> Sent: 09 September 2008 15:00 >> To: MailScanner discussion >> Subject: Re: Is MailScanner affected by the Redhat bug >> >> >> On Tue, 2008-09-09 at 13:01 +0100, Greg Matthews wrote: >>> ram wrote: >>>> I have all my servers running MailScanner on Centos. Is MailScanner >>>> greatly affected by the Bug ? >>>> Should I upgrade perl on my machines ? >>> I've ran tests last week on CentOS 4 and CentOS 5. CentOS 4.6 is >>> unaffected but CentOS 5.2 does contain the bug. However, it is not >> clear >>> that this performance issue unduly affects MailScanner as other >>> latencies are likely to dominate. >>> >> >> I did some testing myself .. There is apparently absolutely no affect >> on >> MailScanner >> >> took ~1000 mails to a test machine , Centos 5 , 4GB Ram , >> with the perlbug and run it under MailScanner ( MailScanner + SA + >> customscanner + f-prot6 + clamavmodule ) >> >> It takes 18 minutes with the perl bug and it same time (infact took 15s >> more) after I upgraded perl with the patch on http://people.centos.org >> >> >> So That is not any major affect after all :-) >> >> >> >> >> Thanks >> Ram > > CentOS have released the patch for this. Installed this morning and confirmed it fixes the bless issue. could become a dependency party... my Centos 5 testbox complained about version conflicts concerning perl-Math-BigInt perl-IO perl-bignum From raymond at prolocation.net Thu Sep 18 09:52:17 2008 
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Thu Sep 18 09:52:28 2008
Subject: clamd DoS?
In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA04BFAE62@HC-MBX02.herefordshire.gov.uk>
References: <48CE37ED.6040200@nerc.ac.uk><48CE7FD0.3070909@ecs.soton.ac.uk><48CE8854.8000508@ecs.soton.ac.uk><48CEC9C4.9010507@ecs.soton.ac.uk> <7EF0EE5CB3B263488C8C18823239BEBA04BFAE62@HC-MBX02.herefordshire.gov.uk>
Message-ID:

Hi!

> "Hi all,
> This has been worked around with a signature update (daily 8262).
> A definitive (in-the-code) solution will be included in 0.94.1
>
> Thanks everyone,
> -aCaB"

Yups!

> Dear ClamAV user,
>
> The following submissions have been processed and published:
> - 4531939 Worm.Autorun-1722

:-)

Bye,
Raymond.

From prandal at herefordshire.gov.uk Thu Sep 18 10:17:50 2008
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Thu Sep 18 10:32:34 2008
Subject: Viruses getting through
In-Reply-To: <200809172053.m8HKrMFo000866@safir.blacknight.ie>
References: <200805311100.m4VB0MpV017805@safir.blacknight.ie> <200809172053.m8HKrMFo000866@safir.blacknight.ie>
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA04BFB0CD@HC-MBX02.herefordshire.gov.uk>

Even the ClamAV team have been "slow" in getting out patterns for these.

There's about three or four mass-mailed trojans doing the rounds, and the dropped trojans get changed daily or more regularly.

I'm dealing with them by rigorously training Bayes, writing custom SA rules based on the email content, and attachment-blocking.

Every little bit helps.

Cheers,

Phil

--
Phil Randal
Networks Engineer
Herefordshire Council
Hereford, UK

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Paul Welsh Sent: 17 September 2008 21:53 To: mailscanner@lists.mailscanner.info Subject: Viruses getting through For the past few weeks I've had viruses getting through - the pesky ones that claim to be flight confirmations, bank statements or some such with small .zip files attached. I'm sure you know about them. Some are tagged as spam but not all. The headers of a recent one show that the message is classed as clean: Received: from [217.45.162.11] by etrn.borusantelekom.com; Wed, 17 Sep 2008 09:17:36 +0000 Message-ID: <01c918a6$39323800$0ba22dd9@ghw> From: "Lindsey Avila" Subject: Statement of fees 2008/09 Date: Wed, 17 Sep 2008 09:17:36 +0000 MIME-Version: 1.0 X-welshfamily-MailScanner: Found to be clean X-welshfamily-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=0.407, required 6, autolearn=disabled, XMAILER_MIMEOLE_OL_4B815 0.41) X-welshfamily-MailScanner-From: ghw@borashipping.com X-Spam-Status: No I'm using clamav and bitdefender but although updated with the latest definitions, it's probably ineffective because it's the free version v7.1. Running freshclam yields this: # freshclam ClamAV update process started at Wed Sep 17 21:41:04 2008 main.cld is up to date (version: 48, sigs: 399264, f-level: 35, builder: sven) daily.cld is up to date (version: 8272, sigs: 28579, f-level: 35, builder: ccordes) Here's the version of clam: # clamscan -V ClamAV 0.94/8272/Wed Sep 17 21:16:02 2008 I'm running MailScanner version 4.71.10. I did browse the archive of this list but couldn't find the answer. Any help appreciated. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From MailScanner at ecs.soton.ac.uk Thu Sep 18 10:41:56 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Sep 18 10:42:18 2008 Subject: Is MailScanner affected by the Redhat bug In-Reply-To: References: <1220956841.6938.23.camel@darkstar.netcore.co.in> <48C66583.70800@nerc.ac.uk> <1220968774.6938.45.camel@darkstar.netcore.co.in> <4CAB0118AEC63A4FAAE77E6BCBDF760C792A20EECB@server02.bhl.local> Message-ID: <48D22264.7040403@ecs.soton.ac.uk> Alex Broens wrote: > On 9/18/2008 10:25 AM, Jason Ede wrote: >>> -----Original Message----- 
>>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >>> bounces@lists.mailscanner.info] On Behalf Of ram >>> Sent: 09 September 2008 15:00 >>> To: MailScanner discussion >>> Subject: Re: Is MailScanner affected by the Redhat bug >>> >>> >>> On Tue, 2008-09-09 at 13:01 +0100, Greg Matthews wrote: >>>> ram wrote: >>>>> I have all my servers running MailScanner on Centos. Is MailScanner >>>>> greatly affected by the Bug ? >>>>> Should I upgrade perl on my machines ? >>>> I've ran tests last week on CentOS 4 and CentOS 5. CentOS 4.6 is >>>> unaffected but CentOS 5.2 does contain the bug. However, it is not >>> clear >>>> that this performance issue unduly affects MailScanner as other >>>> latencies are likely to dominate. >>>> >>> >>> I did some testing myself .. There is apparently absolutely no affect >>> on >>> MailScanner >>> >>> took ~1000 mails to a test machine , Centos 5 , 4GB Ram , >>> with the perlbug and run it under MailScanner ( MailScanner + SA + >>> customscanner + f-prot6 + clamavmodule ) >>> >>> It takes 18 minutes with the perl bug and it same time (infact took 15s >>> more) after I upgraded perl with the patch on http://people.centos.org >>> >>> >>> So That is not any major affect after all :-) >>> >>> >>> >>> >>> Thanks >>> Ram >> >> CentOS have released the patch for this. Installed this morning and >> confirmed it fixes the bless issue. > > could become a dependency party... > my Centos 5 testbox complained about version conflicts concerning > > perl-Math-BigInt > perl-IO > perl-bignum Delete these RPMs, upgrade Perl, then just re-run the MailScanner installer and it will put back the bits it needs. This is pretty quick and harmless. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? 
Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From J.Ede at birchenallhowden.co.uk Thu Sep 18 10:14:24 2008 From: J.Ede at birchenallhowden.co.uk (Jason Ede) Date: Thu Sep 18 10:44:50 2008 Subject: Is MailScanner affected by the Redhat bug In-Reply-To: <48D21623.3050501@alexb.ch> References: <1220956841.6938.23.camel@darkstar.netcore.co.in> <48C66583.70800@nerc.ac.uk> <1220968774.6938.45.camel@darkstar.netcore.co.in> <4CAB0118AEC63A4FAAE77E6BCBDF760C792A20EECB@server02.bhl.local> <48D21623.3050501@alexb.ch> Message-ID: <4CAB0118AEC63A4FAAE77E6BCBDF760C792A20EED8@server02.bhl.local> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Alex Broens > Sent: 18 September 2008 09:50 > To: MailScanner discussion > Subject: Re: Is MailScanner affected by the Redhat bug > > On 9/18/2008 10:25 AM, Jason Ede wrote: > >> -----Original Message----- 
> >> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner- > >> bounces@lists.mailscanner.info] On Behalf Of ram > >> Sent: 09 September 2008 15:00 > >> To: MailScanner discussion > >> Subject: Re: Is MailScanner affected by the Redhat bug > >> > >> > >> On Tue, 2008-09-09 at 13:01 +0100, Greg Matthews wrote: > >>> ram wrote: > >>>> I have all my servers running MailScanner on Centos. Is > MailScanner > >>>> greatly affected by the Bug ? > >>>> Should I upgrade perl on my machines ? > >>> I've ran tests last week on CentOS 4 and CentOS 5. CentOS 4.6 is > >>> unaffected but CentOS 5.2 does contain the bug. However, it is not > >> clear > >>> that this performance issue unduly affects MailScanner as other > >>> latencies are likely to dominate. > >>> > >> > >> I did some testing myself .. There is apparently absolutely no > affect > >> on > >> MailScanner > >> > >> took ~1000 mails to a test machine , Centos 5 , 4GB Ram , > >> with the perlbug and run it under MailScanner ( MailScanner + SA + > >> customscanner + f-prot6 + clamavmodule ) > >> > >> It takes 18 minutes with the perl bug and it same time (infact took > 15s > >> more) after I upgraded perl with the patch on > http://people.centos.org > >> > >> > >> So That is not any major affect after all :-) > >> > >> > >> > >> > >> Thanks > >> Ram > > > > CentOS have released the patch for this. Installed this morning and > confirmed it fixes the bless issue. > > could become a dependency party... > my Centos 5 testbox complained about version conflicts concerning > > perl-Math-BigInt > perl-IO > perl-bignum > Mine also complained about perl-Math-BigRat and perl-File-Temp... I normally stop MS, remove the conflicting modules, run the update and then reinstall MailScanner. It seems that the system is processing mails a touch faster since the fix, but I've not had enough mail through to confirm it yet. Jason From ms-list at alexb.ch Thu Sep 18 10:53:22 2008 
From: ms-list at alexb.ch (Alex Broens) Date: Thu Sep 18 10:53:35 2008 Subject: Is MailScanner affected by the Redhat bug In-Reply-To: <48D22264.7040403@ecs.soton.ac.uk> References: <1220956841.6938.23.camel@darkstar.netcore.co.in> <48C66583.70800@nerc.ac.uk> <1220968774.6938.45.camel@darkstar.netcore.co.in> <4CAB0118AEC63A4FAAE77E6BCBDF760C792A20EECB@server02.bhl.local> <48D22264.7040403@ecs.soton.ac.uk> Message-ID: <48D22512.1030504@alexb.ch> On 9/18/2008 11:41 AM, Julian Field wrote: > > > Alex Broens wrote: >> On 9/18/2008 10:25 AM, Jason Ede wrote: >>>> -----Original Message----- 
>>>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >>>> bounces@lists.mailscanner.info] On Behalf Of ram >>>> Sent: 09 September 2008 15:00 >>>> To: MailScanner discussion >>>> Subject: Re: Is MailScanner affected by the Redhat bug >>>> >>>> >>>> On Tue, 2008-09-09 at 13:01 +0100, Greg Matthews wrote: >>>>> ram wrote: >>>>>> I have all my servers running MailScanner on Centos. Is MailScanner >>>>>> greatly affected by the Bug ? >>>>>> Should I upgrade perl on my machines ? >>>>> I've ran tests last week on CentOS 4 and CentOS 5. CentOS 4.6 is >>>>> unaffected but CentOS 5.2 does contain the bug. However, it is not >>>> clear >>>>> that this performance issue unduly affects MailScanner as other >>>>> latencies are likely to dominate. >>>>> >>>> >>>> I did some testing myself .. There is apparently absolutely no affect >>>> on >>>> MailScanner >>>> >>>> took ~1000 mails to a test machine , Centos 5 , 4GB Ram , >>>> with the perlbug and run it under MailScanner ( MailScanner + SA + >>>> customscanner + f-prot6 + clamavmodule ) >>>> >>>> It takes 18 minutes with the perl bug and it same time (infact took 15s >>>> more) after I upgraded perl with the patch on http://people.centos.org >>>> >>>> >>>> So That is not any major affect after all :-) >>>> >>>> >>>> >>>> >>>> Thanks >>>> Ram >>> >>> CentOS have released the patch for this. Installed this morning and >>> confirmed it fixes the bless issue. >> >> could become a dependency party... >> my Centos 5 testbox complained about version conflicts concerning >> >> perl-Math-BigInt >> perl-IO >> perl-bignum > Delete these RPMs, upgrade Perl, then just re-run the MailScanner > installer and it will put back the bits it needs. This is pretty quick > and harmless. re-installing the 3 modules was safer and faster... btw: I have the feeling your Clam-SA installer has a bit of a historical mess of SA .pre files and overwrites existing files/settings seems plugins loads are redundant. 
IMO, if the .pre files already exist, they shouldn't be overwritten as they contain admin defined settings. I haven't written down the whole follow up of what is redundant and what not, but I know I've disabled/removed some loadplugin lines which were redundant. Alex From prandal at herefordshire.gov.uk Thu Sep 18 10:56:26 2008 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Thu Sep 18 10:57:38 2008 Subject: Is MailScanner affected by the Redhat bug In-Reply-To: <48D22264.7040403@ecs.soton.ac.uk> References: <1220956841.6938.23.camel@darkstar.netcore.co.in> <48C66583.70800@nerc.ac.uk> <1220968774.6938.45.camel@darkstar.netcore.co.in> <4CAB0118AEC63A4FAAE77E6BCBDF760C792A20EECB@server02.bhl.local> <48D22264.7040403@ecs.soton.ac.uk> Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA04BFB0EE@HC-MBX02.herefordshire.gov.uk> Julian Field wrote: >> my Centos 5 testbox complained about version conflicts concerning >> >> perl-Math-BigInt >> perl-IO >> perl-bignum > Delete these RPMs, upgrade Perl, then just re-run the MailScanner > installer and it will put back the bits it needs. This is pretty > quick and harmless. > > Jules On my CentOS 5.2 boxes, I had to rpm -e perl-Math-BigRat perl-Math-BigInt perl-bignum perl-File-Temp perl-IO yum update and then re-run MailScanner's installer. And all's well. Cheers, Phil -- Phil Randal Networks Engineer Herefordshire Council Hereford, UK From jonas at vrt.dk Thu Sep 18 12:39:16 2008 
From: jonas at vrt.dk (Jonas Akrouh Larsen) Date: Thu Sep 18 12:39:29 2008 Subject: SpamAssassin cache hit inherits original spam score? In-Reply-To: <48D1219B.4030306@ecs.soton.ac.uk> References: <48D1219B.4030306@ecs.soton.ac.uk> Message-ID: <001001c91983$2e5e1e20$8b1a5a60$@dk> Hmmm so does that mean that if a mail was not marked as spam at 10:00 and cached, then gets delivered again at 11:00 (now hitting more rbl's and other network related test) it still won't be marked as spam because the score was cached from the first occurrence? If that's true then using the cache has a negative aspect I hadn't thought of before. Med venlig hilsen / Best regards Jonas Akrouh Larsen TechBiz ApS Laplandsgade 4, 2. sal 2300 København S Office: 7020 0979 Direct: 3336 9974 Mobile: 5120 1096 Fax: 7020 0978 Web: www.techbiz.dk -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: 17. september 2008 17:26 To: MailScanner discussion Subject: Re: SpamAssassin cache hit inherits original spam score? The cache does not store whether it was spam or not, it just caches the score points. So I'm not at all convinced you are seeing the behaviour you think you are, this may be the result of something else happening. Tony Johansson wrote: > We scan a number of different domains. Some have a required spam score > of 7 while most use 5. > > The individual spam scores for the domains work as desired but seems to > fail at times if a spam is cached. > > We've had examples where a domain that has set 5 as the required score > gets spam delivered with a header as this: > X-Svenskakyrkan-SpamCheck: not spam, SpamAssassin (cached, score=6.81, > required 7, BAYES_50 0.00, DCC_CHECK 2.17, URIBL_BLACK 3.00, URIBL_SBL 1.64) > > Shouldnt the saved spam score be evaluated again when there is a cache hit? > > Regards, Tony > > > > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From martinh at solidstatelogic.com Thu Sep 18 12:52:12 2008 
From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Thu Sep 18 12:52:24 2008 Subject: SpamAssassin cache hit inherits original spam score? In-Reply-To: <001001c91983$2e5e1e20$8b1a5a60$@dk> Message-ID: <52ade232afd79d40a5b8cf48c965077b@solidstatelogic.com>

Correct, it's a cache of recently seen email and its spamassassin score..

See "SpamAssassin Cache Timings" for the actual timings used for ham, spam and high scoring spam....here's mine, which are the default.

# Do not change this unless you absolutely have to, these numbers have
# been carefully calculated.
# They affect the length of time that different types of message are
# stored in the SpamAssassin cache which can be configured earlier in
# this file (look for "Cache").
# The numbers are all set in seconds. They are:
# 1. Non-Spam cache lifetime = 30 minutes
# 2. Spam (low scoring) cache lifetime = 5 minutes
# 3. High-Scoring spam cache lifetime = 3 hours
# 4. Viruses cache lifetime = 2 days
# 5. How often to check the cache for expired messages = 10 minutes
SpamAssassin Cache Timings = 1800,300,10800,172800,600

--
Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300

> -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Jonas Akrouh Larsen > Sent: 18 September 2008 12:39 > To: MailScanner discussion > Subject: RE: SpamAssassin cache hit inherits original spam score? > > Hmmm so does that mean that if a mail was not marked as spam > at 10:00 and cached, then gets delivered again at 11:00 (now > hitting more rbl's and other network related test) it still > wont be marked as spam because the score was cached from the > first occurrence? > > If that's true then using the cache have a negative aspect I > hadn't thought of before. > > > Med venlig hilsen / Best regards > > Jonas Akrouh Larsen > > TechBiz ApS > Laplandsgade 4, 2. sal > 2300 K?benhavn S > > Office: 7020 0979 > Direct: 3336 9974 > Mobile: 5120 1096 > Fax: 7020 0978 > Web: www.techbiz.dk > > > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Julian Field > Sent: 17. september 2008 17:26 > To: MailScanner discussion > Subject: Re: SpamAssassin cache hit inherits original spam score? > > The cache does not store whether it was spam or not, it just > caches the score points. > So I'm not at all convinced you are seeing the behaviour you > think you are, this may be the result of something else happening. > > Tony Johansson wrote: > > We scan a number of different domains. Some have a required > spam score > > of 7 while most use 5. > > > > The individual spam scores for the domains work as desired > but seems > > to fail at times if a spam is cached. > > > > We've had examples where a domain that has set 5 as the > required score > > gets spam delivered with a header as this: > > X-Svenskakyrkan-SpamCheck: not spam, SpamAssassin (cached, > score=6.81, > > required 7, BAYES_50 0.00, DCC_CHECK 2.17, URIBL_BLACK > 3.00, URIBL_SBL > 1.64) > > > > Shouldnt the saved spam score be evaluated again when there > is a cache > hit? > > > > Regards, Tony > > > > > > > > > > > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 > B654 PGP public key: http://www.jules.fm/julesfm.asc > > > -- > This message has been scanned for viruses and dangerous > content by MailScanner, and is believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From davejenx at googlemail.com Thu Sep 18 14:46:25 2008 
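A check for the symptom Tony Johansson reports in the thread above (a cached result printed with `required 7` for a domain configured for 5), as an added example that is not part of any post and is not MailScanner code: it parses the two SpamCheck headers quoted in this archive and compares them with the threshold the administrator expects. The function names, the finding labels and the thresholds passed to `audit` are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed input: the two SpamCheck headers quoted in this thread.
SAMPLE_HEADERS = [
    "X-Svenskakyrkan-SpamCheck: not spam, SpamAssassin (cached, score=6.81, "
    "required 7, BAYES_50 0.00, DCC_CHECK 2.17, URIBL_BLACK 3.00, URIBL_SBL 1.64)",
    "X-welshfamily-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, "
    "score=0.407, required 6, autolearn=disabled, XMAILER_MIMEOLE_OL_4B815 0.41)",
]

HEADER_RE = re.compile(
    r"^(?P<name>X-[\w-]*SpamCheck):\s*(?P<verdict>[^,]+),\s*"
    r"SpamAssassin\s*\((?P<body>.*)\)\s*$"
)
NUMBER_RE = re.compile(r"^-?\d+(?:\.\d+)?$")


@dataclass
class SpamCheck:
    header: str      # header field name, e.g. X-Svenskakyrkan-SpamCheck
    verdict: str     # text before ", SpamAssassin", e.g. "not spam"
    cached: bool     # True when the header says the result was cached
    score: float     # total SpamAssassin score printed in the header
    required: float  # threshold printed in the header for this message
    rules: dict      # rule name -> points
    extras: dict     # other key=value tokens, e.g. autolearn


def parse_spamcheck(raw: str) -> SpamCheck:
    """Parse one (possibly folded) SpamCheck header line."""
    text = " ".join(raw.split())          # unfold continuation lines
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a SpamCheck header: %r" % raw[:60])
    cached, score, required = False, None, None
    rules, extras = {}, {}
    for token in (t.strip() for t in m.group("body").split(",")):
        if token in ("cached", "not cached"):
            cached = token == "cached"
        elif "=" in token:
            key, value = token.split("=", 1)
            if key.strip() == "score":
                score = float(value)
            else:
                extras[key.strip()] = value.strip()
        else:
            name, _, value = token.rpartition(" ")
            if not name or not NUMBER_RE.match(value):
                continue                  # unknown token: skip, do not guess
            if name == "required":
                required = float(value)
            else:
                rules[name] = float(value)
    if score is None or required is None:
        raise ValueError("score or required missing from header")
    return SpamCheck(m.group("name"), m.group("verdict").strip(), cached,
                     score, required, rules, extras)


def audit(check: SpamCheck, configured_required: float) -> list:
    """Compare a parsed header with the threshold the admin configured.

    configured_required comes from the caller (an assumption of this
    example); the header alone cannot say what the domain should use.
    """
    findings = []
    if check.required != configured_required:
        findings.append("threshold-mismatch")
    # SpamAssassin treats score >= required as spam.
    if check.verdict.lower() == "not spam" and check.score >= configured_required:
        findings.append("passed-above-configured-threshold")
    if findings and check.cached:
        findings.append("result-was-cached")
    return findings


if __name__ == "__main__":
    # 5.0 is the threshold Tony states for his domain; 6.0 is assumed.
    for raw, expected in zip(SAMPLE_HEADERS, (5.0, 6.0)):
        parsed = parse_spamcheck(raw)
        print(parsed.header, parsed.score, parsed.required,
              audit(parsed, expected) or "ok")
```

Run over delivered mail, a non-empty result on a cached hit points at the threshold applied to the message rather than at the cached score itself.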
From: davejenx at googlemail.com (Dave Jenkins) Date: Thu Sep 18 14:46:35 2008 Subject: Is MailScanner affected by the Redhat bug In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA04BFB0EE@HC-MBX02.herefordshire.gov.uk> References: <1220956841.6938.23.camel@darkstar.netcore.co.in> <48C66583.70800@nerc.ac.uk> <1220968774.6938.45.camel@darkstar.netcore.co.in> <4CAB0118AEC63A4FAAE77E6BCBDF760C792A20EECB@server02.bhl.local> <48D22264.7040403@ecs.soton.ac.uk> <7EF0EE5CB3B263488C8C18823239BEBA04BFB0EE@HC-MBX02.herefordshire.gov.uk> Message-ID: 2008/9/18 Randal, Phil : > Julian Field wrote: >>> my Centos 5 testbox complained about version conflicts concerning >>> >>> perl-Math-BigInt >>> perl-IO >>> perl-bignum >> Delete these RPMs, upgrade Perl, then just re-run the MailScanner >> installer and it will put back the bits it needs. This is pretty >> quick and harmless. >> >> Jules > > On my CentOS 5.2 boxes, I had to > > rpm -e perl-Math-BigRat perl-Math-BigInt perl-bignum perl-File-Temp > perl-IO > > yum update > > and then re-run MailScanner's installer. The conflicts that I saw on CentOS 5.2 all related to man files, e.g. ---- file /usr/share/man/man3/Math::BigFloat.3pm.gz from install of perl-5.8.8-15.el5_2.1 conflicts with file from package perl-Math-BigInt-1.89-1.el5.rf file /usr/share/man/man3/Math::BigInt.3pm.gz from install of perl-5.8.8-15.el5_2.1 conflicts with file from package perl-Math-BigInt-1.89-1.el5.rf ---- I've been getting similar errors, but the other way around, from yum on CentOS 5.2 and RH5 servers when trying to install updated perl-Math-BigInt etc packages from rpmforge. Because the conflicts only involved man files, contrary to my usual caution I used rpm -Uhv --replacefiles to install the new perl rpm. All seems to be well and I'm assuming there's no need in this case to re-run the MS installer. Wouldn't it be nice though if the conflicts could be avoided? E.g. 
if, in the same way that perl-Math-BigInt's /usr/lib/perl5/vendor_perl/5.8.8/Math/BigFloat.pm can coexist with perl's /usr/lib/perl5/5.8.8/Math/BigFloat.pm and be chosen ahead of it thanks to @INC, the man files could coexist in different locations instead of conflicting. Dave From MailScanner at ecs.soton.ac.uk Thu Sep 18 15:02:18 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Sep 18 15:02:40 2008
Subject: Announcing the new FSL MailScanner Beta yum repository
Message-ID: <48D25F6A.4090906@ecs.soton.ac.uk>

* What is it?

This is a new Yum repository for CentOS 5 i386 and x86_64 only. It will always contain the latest MailScanner beta (4.72.2 at the time of writing) along with SpamAssassin (plus DCC, Razor, DKIM, SPF, IP-Country and Rule2XS plug-ins), ClamAV and all Perl module dependencies. It should be used for beta testing new releases only and should not be used in production.

* Why is it different from other repositories?

Because it aims to completely eliminate the problem of package conflicts and to make installations and upgrades as simple as possible.

These rpms provide an automatic configuration that contains the regular tuning tips that would be unfamiliar to those who do not have in-depth knowledge of MailScanner and its configuration. This significantly reduces the amount of time it takes to do an installation. From start to finish, the installation and configuration of all packages takes less than five minutes on a reasonably fast network.

Package conflicts are avoided by creating a new RPM namespace for all the Perl modules required by MailScanner and SpamAssassin and by installing all Perl modules (except SpamAssassin) in /opt/fsl/lib/perl5. This allows the Perl system libraries to be totally independent so they can be updated by the operating system vendor without the possibility of breaking MailScanner or SpamAssassin.

Automatic configuration is achieved by using RPM 'triggers' which allow the installation, upgrade or un-installation of one package trigger to access an action specified by another package.
For example - when 're2c' is installed, the fsl-spamassassin package runs a trigger that automatically runs 'sa-update' and 'sa-compile' to get the latest rules and compile them and then automatically enables the 'Rule2XSBody' plug-in in v320.pre, subsequently if 're2c' is uninstalled, then the plug-in is automatically disabled.

* Installation procedure

Ideally it should be installed onto a server with a fresh minimal installation of CentOS/RHEL 5. This will allow the operating system and all MailScanner related applications to be safely updated by simply running `yum -y update`.

If you want the MailScanner package to automatically mount the MailScanner incoming directory on tmpfs then run the following command before starting the installation:

    export MAILSCANNER_CREATE_TMPFS=1

Then simply run:

    wget http://yum.fslupdate.com/fsl-beta/fsl-beta.repo -O /etc/yum.repos.d/fsl-beta.repo
    yum -y groupinstall MailScannerGold
    export PERL5LIB=/opt/fsl/lib/perl5

Once all the packages are installed, the only configuration required is to MailScanner.conf, Sendmail (/etc/mail/access, /etc/mail/mailertable) and then enable and start them both by running:

    chkconfig MailScanner on
    service MailScanner start

* Installing over an existing RPM based installation

This is no different to the procedure above - except you should back-up your MailScanner and SpamAssassin configuration first as a precaution. The 'stock' MailScanner package has no automatic upgrade procedure; you will need to manually run upgrade_MailScanner_conf and/or upgrade_languages_conf if any rpmnew files are created by the new package.

* Support

Sign-up for the fsl-beta support list at http://listserv.fsl.com/mailman/listinfo/fsl-mailscanner-beta. The use of the repository is entirely unsupported by FSL, so use is at your own risk - however we will be happy to answer any questions about the repository or packages on the fsl-beta list.
* MailScannerGold PRODUCTION

The MailScannerGold Production yum repository will be available in a few days. We'll post another announcement when it's available for subscription and downloading.

Initial pricing for the production version subscription is a monthly fee of $30 / month for the first gateway and $20 / per month for each additional gateway. This should help us to recover our costs for development and maintenance while at the same time costing sites less than the salaries required for administrators to fully maintain and update the MailScanner systems.

Support for MailScannerGold PRODUCTION will be provided by a subscriber-supported and FSL-moderated email list. Subscribers to the service will also be able to obtain FSL support services at our standard hourly rates less a 25% discount.

These repositories should make installing, running and updating MailScanner a lot easier for both newbies and experienced mail administrators.

Jules

--
Julian Field MEng CITP CEng
Chief Technical Officer
Fort Systems Ltd.

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From jan-peter at koopmann.eu Thu Sep 18 15:51:14 2008
From: jan-peter at koopmann.eu (Koopmann, Jan-Peter)
Date: Thu Sep 18 15:51:39 2008
Subject: Announcing the new FSL MailScanner Beta yum repository
In-Reply-To:
References:
Message-ID:

Would love to join the list but upon hitting "confirm" I get

---
We're sorry, we hit a bug!

Please inform the webmaster for this site of this problem. Printing of traceback and other system information has been explicitly inhibited, but the webmaster can find this information in the Mailman error logs.
---

:-)

From ssilva at sgvwater.com Thu Sep 18 16:22:45 2008 
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Sep 18 16:23:06 2008 Subject: OT: awstats on yum repository In-Reply-To: <48D214ED.1050107@ecs.soton.ac.uk> References: <48C6E93D.6030906@vanderkooij.org> <48C82E12.7070806@vanderkooij.org> <48C8B441.3040202@vanderkooij.org> <48D214ED.1050107@ecs.soton.ac.uk> Message-ID: on 9-18-2008 1:44 AM Julian Field spake the following: > > > Scott Silva wrote: >> on 9-10-2008 11:01 PM Hugo van der Kooij spake the following: >>> Scott Silva wrote: >>> >>>> I don't have the mailscanner-wrapper on my system, but it still updated >>>> the old rpm. Everything works so I don't see any problem >>> >>> The wrapper is there as a convenience. Not all dependencies of the >>> MailScanner packages are done automatically. So every dependency I noted >>> that was not taken care of in the MailScanner package has been added to >>> the wrapper. >>> >>> If you have no need for the wrapper, that's fine by me. >>> >>> Hugo. >> I probably didn't need the wrapper since this machine had mailscanner >> installed already. Definitely would be needed on a fresh install from >> the wrapper. >> I think this is great if you have time to keep it up. Once you get it >> automated, it probably doesn't take too long to keep it going. >> >> Too bad Julian doesn't map his easy install rpm tarball to a fixed >> symlink. Then it could probably run on autopilot for months at a time. > I could do that easily enough for you. How about > install-Clam-SA-latest.tar.gz? > > Jules > Since Hugo wants to keep a "hands on" approach, I guess it isn't necessary. But maybe others would like it. I'm moving my servers exclusively to CentOS 5 by the end of the year, so I will probably use Hugo's repo for now. It may only save me 10 minutes or so, but 10 more minutes free is a good thing IMHO. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!!
From steve.swaney at fsl.com Thu Sep 18 16:28:12 2008 From: steve.swaney at fsl.com (Stephen Swaney) Date: Thu Sep 18 16:28:21 2008 Subject: Announcing the new FSL MailScanner Beta yum repository In-Reply-To: References: Message-ID: <160a01c919a3$29ef1db0$7dcd5910$@swaney@fsl.com> Strange it worked for me yesterday and again today: http://listserv.fsl.com/mailman/listinfo/fsl-mailscanner-beta DefenderMX 2.0 with MailWatch 2.0 should start testing late next week. Best regards, Steve Steve Swaney steve@fsl.com Office Phone: 202 595-7760 ext. 601 > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Koopmann, Jan-Peter > Sent: Thursday, September 18, 2008 10:51 AM > To: mailscanner@lists.mailscanner.info > Subject: RE: Announcing the new FSL MailScanner Beta yum repository > > Would love to join the list but upon hitting "confirm" I get > > --- > We're sorry, we hit a bug! > > Please inform the webmaster for this site of this problem. Printing of > traceback and other system information has been explicitly inhibited, > but the webmaster can find this information in the Mailman error logs. > --- > > :-) > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From steve.swaney at fsl.com Thu Sep 18 16:46:49 2008 
From: steve.swaney at fsl.com (Stephen Swaney) Date: Thu Sep 18 16:46:59 2008 Subject: Announcing the new FSL MailScanner Beta yum repository In-Reply-To: <160a01c919a3$29ef1db0$7dcd5910$@swaney@fsl.com> References: <160a01c919a3$29ef1db0$7dcd5910$@swaney@fsl.com> Message-ID: <161c01c919a5$c34c8540$49e58fc0$@swaney@fsl.com> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Stephen Swaney > Sent: Thursday, September 18, 2008 11:28 AM > To: 'MailScanner discussion' > Subject: RE: Announcing the new FSL MailScanner Beta yum repository > > Strange it worked for me yesterday and again today: > > http://listserv.fsl.com/mailman/listinfo/fsl-mailscanner-beta > > DefenderMX 2.0 with MailWatch 2.0 should start testing late next week. > > Best regards, > > Steve > Sorry I thought I was replying only to Jan Peter. Please ignore the plug for DefenderMX and contact me off list if you have any trouble subscribing to the list. Thanks, Steve Swaney steve@fsl.com Office Phone: 202 595-7760 ext. 601 From martinh at solidstatelogic.com Thu Sep 18 16:47:56 2008 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Thu Sep 18 16:48:09 2008 Subject: Announcing the new FSL MailScanner Beta yum repository In-Reply-To: <160a01c919a3$29ef1db0$7dcd5910$@swaney@fsl.com> Message-ID: And me just now.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Stephen Swaney > Sent: 18 September 2008 16:28 > To: MailScanner discussion > Subject: RE: Announcing the new FSL MailScanner Beta yum repository > > Strange it worked for me yesterday and again today: > > http://listserv.fsl.com/mailman/listinfo/fsl-mailscanner-beta > > DefenderMX 2.0 with MailWatch 2.0 should start testing late next week. > > Best regards, > > Steve > > Steve Swaney > steve@fsl.com > Office Phone: 202 595-7760 ext. 601 > > > > -----Original Message----- 
> > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner- > > bounces@lists.mailscanner.info] On Behalf Of Koopmann, Jan-Peter > > Sent: Thursday, September 18, 2008 10:51 AM > > To: mailscanner@lists.mailscanner.info > > Subject: RE: Announcing the new FSL MailScanner Beta yum repository > > > > Would love to join the list but upon hitting "confirm" I get > > > > --- > > We're sorry, we hit a bug! > > > > Please inform the webmaster for this site of this problem. > Printing of > > traceback and other system information has been explicitly > inhibited, > > but the webmaster can find this information in the Mailman > error logs. > > --- > > > > :-) > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. 
Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From hvdkooij at vanderkooij.org Thu Sep 18 22:23:24 2008 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Thu Sep 18 22:23:34 2008 Subject: Is MailScanner affected by the Redhat bug In-Reply-To: References: <1220956841.6938.23.camel@darkstar.netcore.co.in> <48C66583.70800@nerc.ac.uk> <1220968774.6938.45.camel@darkstar.netcore.co.in> <4CAB0118AEC63A4FAAE77E6BCBDF760C792A20EECB@server02.bhl.local> <48D22264.7040403@ecs.soton.ac.uk> <7EF0EE5CB3B263488C8C18823239BEBA04BFB0EE@HC-MBX02.herefordshire.gov.uk> Message-ID: <48D2C6CC.4000904@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dave Jenkins wrote: > 2008/9/18 Randal, Phil : >> Julian Field wrote: >>>> my Centos 5 testbox complained about version conflicts concerning >>>> >>>> perl-Math-BigInt >>>> perl-IO >>>> perl-bignum >>> Delete these RPMs, upgrade Perl, then just re-run the MailScanner >>> installer and it will put back the bits it needs. This is pretty >>> quick and harmless. >>> >>> Jules >> On my CentOS 5.2 boxes, I had to >> >> rpm -e perl-Math-BigRat perl-Math-BigInt perl-bignum perl-File-Temp >> perl-IO >> >> yum update >> >> and then re-run MailScanner's installer. > > The conflicts that I saw on CentOS 5.2 all related to man files, e.g. > ---- > file /usr/share/man/man3/Math::BigFloat.3pm.gz from install of > perl-5.8.8-15.el5_2.1 conflicts with file from package > perl-Math-BigInt-1.89-1.el5.rf > file /usr/share/man/man3/Math::BigInt.3pm.gz from install of > perl-5.8.8-15.el5_2.1 conflicts with file from package > perl-Math-BigInt-1.89-1.el5.rf > ---- > > I've been getting similar errors, but the other way around, from yum > on CentOS 5.2 and RH5 servers when trying to install updated > perl-Math-BigInt etc packages from rpmforge. > > Because the conflicts only involved man files, contrary to my usual > caution I used > rpm -Uhv --replacefiles > to install the new perl rpm. All seems to be well and I'm assuming > there's no need in this case to re-run the MS installer. 
> > Wouldn't it be nice though if the conflicts could be avoided? E.g. if, > in the same way that perl-Math-BigInt's > /usr/lib/perl5/vendor_perl/5.8.8/Math/BigFloat.pm can coexist with > perl's /usr/lib/perl5/5.8.8/Math/BigFloat.pm and be chosen ahead of it > thanks to @INC, the man files could coexist in different locations > instead of conflicting. FSL worked on one solution. I handled it differently by splitting the packages and using the sitelib way for the binaries. It seems however there are rather different views on the whole matter. rpmforge will just drop the conflicting packages claiming they are now part of perl and you should leave it at that. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFI0sbKBvzDRVjxmYERAkwIAJwLEKJZ1Dxjfux6hzGFQ+BZbosCNACeOtu4 nVUQNGkWtl1kbQNxsLmr65w= =eFLM -----END PGP SIGNATURE----- From agross at gcpsite.com Thu Sep 18 23:36:27 2008 From: agross at gcpsite.com (Adam Gross) Date: Thu Sep 18 23:36:43 2008 Subject: Announcing the new FSL MailScanner Beta yum repository In-Reply-To: References: <160a01c919a3$29ef1db0$7dcd5910$@swaney@fsl.com> Message-ID: <826D5FDFCF76F6499D59755D401D6A86D89C@gcpads01.gcpsite.local> Does this method remove the need for the "crontab -e" entries I've previously used? Adam Gross | agross@gcpsite.com | 859-630-8722 -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Martin.Hepworth Sent: Thursday, September 18, 2008 11:48 AM To: MailScanner discussion Subject: RE: Announcing the new FSL MailScanner Beta yum repository And me just now.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Stephen Swaney > Sent: 18 September 2008 16:28 > To: MailScanner discussion > Subject: RE: Announcing the new FSL MailScanner Beta yum repository > > Strange it worked for me yesterday and again today: > > http://listserv.fsl.com/mailman/listinfo/fsl-mailscanner-beta > > DefenderMX 2.0 with MailWatch 2.0 should start testing late next week. > > Best regards, > > Steve > > Steve Swaney > steve@fsl.com > Office Phone: 202 595-7760 ext. 601 > > > > -----Original Message----- 
> > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner- > > bounces@lists.mailscanner.info] On Behalf Of Koopmann, Jan-Peter > > Sent: Thursday, September 18, 2008 10:51 AM > > To: mailscanner@lists.mailscanner.info > > Subject: RE: Announcing the new FSL MailScanner Beta yum repository > > > > Would love to join the list but upon hitting "confirm" I get > > > > --- > > We're sorry, we hit a bug! > > > > Please inform the webmaster for this site of this problem. > Printing of > > traceback and other system information has been explicitly > inhibited, > > but the webmaster can find this information in the Mailman > error logs. > > --- > > > > :-) > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. 
Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. Processed by GCPMS01.
From kate at rheel.co.nz Fri Sep 19 02:14:26 2008
From: kate at rheel.co.nz (Kate Kleinschafer)
Date: Fri Sep 19 02:14:18 2008
Subject: Mailscanner mrtg mountpoint
Message-ID: <48D2FCF2.2040108@rheel.co.nz>

Hi all,
I am getting the following in my maillog:
Unable to find a mountpoint for /var/spool/MailScanner/incoming. Please set MailScanner Work Directory in mailscanner-mrtg.conf to a valid mountpoint

I did some searching and tried changing the mailscanner-mrtg.conf to / but this didn't help

Currently my config file says:
MailScanner Work Directory = /var/spool/MailScanner/incoming
and
Spool Directory = /var/spool

my df shows mounts as
/
/boot
/dev/shm

Any ideas what I need to change?

Thanks
Kate
From alex at rtpty.com Fri Sep 19 02:21:44 2008
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Fri Sep 19 02:22:01 2008 Subject: Mailscanner mrtg mountpoint In-Reply-To: <48D2FCF2.2040108@rheel.co.nz> References: <48D2FCF2.2040108@rheel.co.nz> Message-ID: <19E87A1F-BD2C-4871-9D87-82BF0A9261FE@rtpty.com> It sounds like a problem with mailscanner-mrtg, not MailScanner. On Sep 18, 2008, at 8:14 PM, Kate Kleinschafer wrote: > Hi all, > I am getting the following in my maillog: > Unable to find a mountpoint for /var/spool/MailScanner/incoming. > Please set MailScanner Work Directory in mailscanner-mrtg.conf to a > valid mountpoint > > I did some searching and tried changing the mailscanner-mrtg.conf > to / but this didn't help > > Currently my config file says: > MailScanner Work Directory = /var/spool/MailScanner/incoming > and > Spool Directory = /var/spool > > my df shows mounts as > / > /boot > /dev/shm > > Any ideas what i need to change? > > Thanks > Kate > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From alex at rtpty.com Fri Sep 19 02:23:21 2008 From: alex at rtpty.com (Alex Neuman van der Hans) Date: Fri Sep 19 02:23:34 2008 Subject: Mailscanner mrtg mountpoint In-Reply-To: <48D2FCF2.2040108@rheel.co.nz> References: <48D2FCF2.2040108@rheel.co.nz> Message-ID: Where's /var/spool/MailScanner/incoming? Physically? What partition? Where's that partition mounted? On Sep 18, 2008, at 8:14 PM, Kate Kleinschafer wrote: > Please set MailScanner Work Directory From kate at rheel.co.nz Fri Sep 19 02:40:25 2008 
From: kate at rheel.co.nz (Kate Kleinschafer) Date: Fri Sep 19 02:39:25 2008 Subject: Mailscanner mrtg mountpoint In-Reply-To: References: <48D2FCF2.2040108@rheel.co.nz> Message-ID: <48D30309.4030200@rheel.co.nz> it's on / (I think - I'm not awesome with linux-- yet : ) ) Alex Neuman van der Hans wrote: > Where's /var/spool/MailScanner/incoming? Physically? What partition? > Where's that partition mounted? > > On Sep 18, 2008, at 8:14 PM, Kate Kleinschafer wrote: > >> Please set MailScanner Work Directory > From kate at rheel.co.nz Fri Sep 19 02:42:06 2008 From: kate at rheel.co.nz (Kate Kleinschafer) Date: Fri Sep 19 02:41:20 2008 Subject: Mailscanner mrtg mountpoint In-Reply-To: References: <48D2FCF2.2040108@rheel.co.nz> Message-ID: <48D3036E.6070604@rheel.co.nz> or maybe you mean the physical partition? Which is /dev/mapper/VolGroup00-LogVol00 Alex Neuman van der Hans wrote: > Where's /var/spool/MailScanner/incoming? Physically? What partition? > Where's that partition mounted? > > On Sep 18, 2008, at 8:14 PM, Kate Kleinschafer wrote: > >> Please set MailScanner Work Directory > From alex at rtpty.com Fri Sep 19 02:42:21 2008 
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Fri Sep 19 02:42:36 2008 Subject: Mailscanner mrtg mountpoint In-Reply-To: <48D30309.4030200@rheel.co.nz> References: <48D2FCF2.2040108@rheel.co.nz> <48D30309.4030200@rheel.co.nz> Message-ID: <8335E524-F858-4C36-94B4-3956554323D5@rtpty.com> No problem. Can you paste the output of the following commands: df -h mount Thanks! On Sep 18, 2008, at 8:40 PM, Kate Kleinschafer wrote: > its on / > (I think - I'm not awesome with linux-- yet : ) ) > > > > Alex Neuman van der Hans wrote: >> Where's /var/spool/MailScanner/incoming? Physically? What >> partition? Where's that partition mounted? >> >> On Sep 18, 2008, at 8:14 PM, Kate Kleinschafer wrote: >> >>> Please set MailScanner Work Directory >> > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From alex at rtpty.com Fri Sep 19 02:51:35 2008 
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Fri Sep 19 02:51:56 2008 Subject: Mailscanner mrtg mountpoint In-Reply-To: <48D3036E.6070604@rheel.co.nz> References: <48D2FCF2.2040108@rheel.co.nz> <48D3036E.6070604@rheel.co.nz> Message-ID: <45E7319A-F13C-4E67-9424-76AF3F6C8D20@rtpty.com> So /var/spool/MailScanner/incoming would be mounted on / then... The thing is... If it's still not working after making those changes, you probably need to restart something. On Sep 18, 2008, at 8:42 PM, Kate Kleinschafer wrote: > or maybe you mean the physical partition? > Which is > /dev/mapper/VolGroup00-LogVol00 > > > > Alex Neuman van der Hans wrote: >> Where's /var/spool/MailScanner/incoming? Physically? What >> partition? Where's that partition mounted? >> >> On Sep 18, 2008, at 8:14 PM, Kate Kleinschafer wrote: >> >>> Please set MailScanner Work Directory >> > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From kate at rheel.co.nz Fri Sep 19 03:01:30 2008 
From: kate at rheel.co.nz (Kate Kleinschafer)
Date: Fri Sep 19 03:01:33 2008
Subject: Mailscanner mrtg mountpoint
In-Reply-To: <8335E524-F858-4C36-94B4-3956554323D5@rtpty.com>
References: <48D2FCF2.2040108@rheel.co.nz> <48D30309.4030200@rheel.co.nz> <8335E524-F858-4C36-94B4-3956554323D5@rtpty.com>
Message-ID: <48D307FA.3090506@rheel.co.nz>

df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
                       31G  1.9G   28G   7% /
/dev/sda1              99M   18M   77M  19% /boot
tmpfs                1014M     0 1014M   0% /dev/shm
//192.168.1.100/e      34G   31G  3.3G  91% /mnt/mail

mount
/dev/mapper/VolGroup00-LogVol00 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/sda1 on /boot type ext3 (rw)
tmpfs on /dev/shm type tmpfs (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
//192.168.1.100/e on /mnt/mail type cifs (rw,mand)

Alex Neuman van der Hans wrote:
> No problem.
>
> Can you paste the output of the following commands:
>
> df -h
> mount
>
> Thanks!
>
> On Sep 18, 2008, at 8:40 PM, Kate Kleinschafer wrote:
>
>> it's on /
>> (I think - I'm not awesome with linux-- yet : ) )
>>
>>
>>
>> Alex Neuman van der Hans wrote:
>>> Where's /var/spool/MailScanner/incoming? Physically? What partition?
>>> Where's that partition mounted?
>>>
>>> On Sep 18, 2008, at 8:14 PM, Kate Kleinschafer wrote:
>>>
>>>> Please set MailScanner Work Directory
>>>
>> --
>> MailScanner mailing list
>> mailscanner@lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>
From kate at rheel.co.nz Fri Sep 19 03:03:49 2008
From: kate at rheel.co.nz (Kate Kleinschafer) Date: Fri Sep 19 03:02:53 2008 Subject: Mailscanner mrtg mountpoint In-Reply-To: <45E7319A-F13C-4E67-9424-76AF3F6C8D20@rtpty.com> References: <48D2FCF2.2040108@rheel.co.nz> <48D3036E.6070604@rheel.co.nz> <45E7319A-F13C-4E67-9424-76AF3F6C8D20@rtpty.com> Message-ID: <48D30885.1090502@rheel.co.nz> So would I change: MailScanner Work Directory = /var/spool/MailScanner/incoming and Spool Directory = /var/spool To MailScanner Work Directory = / Spool Directory = / Also to reload would I just do a MailScanner restart? ?? Alex Neuman van der Hans wrote: > So /var/spool/MailScanner/incoming would be mounted on / then... > > The thing is... If it's still not working after making those changes, > you probably need to restart something. > > On Sep 18, 2008, at 8:42 PM, Kate Kleinschafer wrote: > >> or maybe you mean the physical partition? >> Which is >> /dev/mapper/VolGroup00-LogVol00 >> >> >> >> Alex Neuman van der Hans wrote: >>> Where's /var/spool/MailScanner/incoming? Physically? What partition? >>> Where's that partition mounted? >>> >>> On Sep 18, 2008, at 8:14 PM, Kate Kleinschafer wrote: >>> >>>> Please set MailScanner Work Directory >>> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! > From alex at rtpty.com Fri Sep 19 03:22:02 2008 
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Fri Sep 19 03:22:21 2008 Subject: Mailscanner mrtg mountpoint In-Reply-To: <48D30885.1090502@rheel.co.nz> References: <48D2FCF2.2040108@rheel.co.nz> <48D3036E.6070604@rheel.co.nz> <45E7319A-F13C-4E67-9424-76AF3F6C8D20@rtpty.com> <48D30885.1090502@rheel.co.nz> Message-ID: <516529A9-6B1E-4D12-AA0B-81A0324C2F76@rtpty.com> No idea, but I think you should change the work directory thing but not the spool directory thing. What about restarting mailscanner-mrtg? Does it run a process somewhere that needs to restart as well? On Sep 18, 2008, at 9:03 PM, Kate Kleinschafer wrote: > So would I change: > MailScanner Work Directory = /var/spool/MailScanner/incoming > and > Spool Directory = /var/spool > > To > MailScanner Work Directory = / > > Spool Directory = / > > Also to reload would I just do a MailScanner restart? > ?? > From kate at rheel.co.nz Fri Sep 19 05:14:58 2008 
From: kate at rheel.co.nz (Kate Kleinschafer) Date: Fri Sep 19 05:14:00 2008 Subject: Mailscanner mrtg mountpoint In-Reply-To: <516529A9-6B1E-4D12-AA0B-81A0324C2F76@rtpty.com> References: <48D2FCF2.2040108@rheel.co.nz> <48D3036E.6070604@rheel.co.nz> <45E7319A-F13C-4E67-9424-76AF3F6C8D20@rtpty.com> <48D30885.1090502@rheel.co.nz> <516529A9-6B1E-4D12-AA0B-81A0324C2F76@rtpty.com> Message-ID: <48D32742.4020507@rheel.co.nz> Hmm, I tried changing the work directory again to / and restarted the whole machine but am still getting unable to find a mountpoint for /var/spool not really sure what else to try. Any suggestions? Kate Alex Neuman van der Hans wrote: > No idea, but I think you should change the work directory thing but > not the spool directory thing. > > What about restarting mailscanner-mrtg? Does it run a process > somewhere that needs to restart as well? > > On Sep 18, 2008, at 9:03 PM, Kate Kleinschafer wrote: > >> So would I change: >> MailScanner Work Directory = /var/spool/MailScanner/incoming >> and >> Spool Directory = /var/spool >> >> To >> MailScanner Work Directory = / >> >> Spool Directory = / >> >> Also to reload would I just do a MailScanner restart? >> ?? >> > From hvdkooij at vanderkooij.org Fri Sep 19 05:23:55 2008 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Fri Sep 19 05:24:05 2008 Subject: Announcing the new FSL MailScanner Beta yum repository In-Reply-To: <826D5FDFCF76F6499D59755D401D6A86D89C@gcpads01.gcpsite.local> References: <160a01c919a3$29ef1db0$7dcd5910$@swaney@fsl.com> <826D5FDFCF76F6499D59755D401D6A86D89C@gcpads01.gcpsite.local> Message-ID: <48D3295B.8050403@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Adam Gross wrote: > Does this method remove the need for the "crontab -e" entries I've > previously used? What are you referring to? What sort of crontab entries are you talking about? Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFI0ylZBvzDRVjxmYERAl4WAJ96DRtHay2Uhjv1+97lrkp9iG+8WQCdG1ej 5tKvo6FaZpG3+jvpUH3z+EY= =+qVn -----END PGP SIGNATURE----- From alex at rtpty.com Fri Sep 19 05:28:24 2008 
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Fri Sep 19 05:28:40 2008 Subject: Mailscanner mrtg mountpoint In-Reply-To: <48D32742.4020507@rheel.co.nz> References: <48D2FCF2.2040108@rheel.co.nz> <48D3036E.6070604@rheel.co.nz> <45E7319A-F13C-4E67-9424-76AF3F6C8D20@rtpty.com> <48D30885.1090502@rheel.co.nz> <516529A9-6B1E-4D12-AA0B-81A0324C2F76@rtpty.com> <48D32742.4020507@rheel.co.nz> Message-ID: <707BBEC7-9A63-4FD0-BA43-C422919DBBA6@rtpty.com> Where does mailscanner-mrtg direct you for support? On Sep 18, 2008, at 11:14 PM, Kate Kleinschafer wrote: > Hmm, > > I tried changing the work directory again to / and restarted the > whole machine but am still getting > unable to find a mountpoint for /var/spool > > not really sure what else to try. > > Any suggestions? > > Kate > > Alex Neuman van der Hans wrote: >> No idea, but I think you should change the work directory thing but >> not the spool directory thing. >> >> What about restarting mailscanner-mrtg? Does it run a process >> somewhere that needs to restart as well? >> >> On Sep 18, 2008, at 9:03 PM, Kate Kleinschafer wrote: >> >>> So would I change: >>> MailScanner Work Directory = /var/spool/MailScanner/incoming >>> and >>> Spool Directory = /var/spool >>> >>> To >>> MailScanner Work Directory = / >>> >>> Spool Directory = / >>> >>> Also to reload would I just do a MailScanner restart? >>> ?? >>> >> > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From hvdkooij at vanderkooij.org Fri Sep 19 05:28:58 2008 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Fri Sep 19 05:29:08 2008 Subject: Mailscanner mrtg mountpoint In-Reply-To: <48D2FCF2.2040108@rheel.co.nz> References: <48D2FCF2.2040108@rheel.co.nz> Message-ID: <48D32A8A.6080808@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Kate Kleinschafer wrote: > I am getting the following in my maillog: > Unable to find a mountpoint for /var/spool/MailScanner/incoming. Please > set MailScanner Work Directory in mailscanner-mrtg.conf to a valid > mountpoint > > I did some searching and tried changing the mailscanner-mrtg.conf to / > but this didn't help Let's get back to basics. Does MailScanner in itself actually work? Can you process email messages? Does that work without MRTG stuff added? Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFI0yqIBvzDRVjxmYERAkLYAKC3lKTa1gc99fEqTV5wa/gKvY6ekwCeJapc 7ZuEZ3Ky9f6/4cL4kmPg9UY= =CCEk -----END PGP SIGNATURE----- From alex at rtpty.com Fri Sep 19 05:30:17 2008 
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Fri Sep 19 05:30:37 2008 Subject: Mailscanner mrtg mountpoint In-Reply-To: <48D32742.4020507@rheel.co.nz> References: <48D2FCF2.2040108@rheel.co.nz> <48D3036E.6070604@rheel.co.nz> <45E7319A-F13C-4E67-9424-76AF3F6C8D20@rtpty.com> <48D30885.1090502@rheel.co.nz> <516529A9-6B1E-4D12-AA0B-81A0324C2F76@rtpty.com> <48D32742.4020507@rheel.co.nz> Message-ID: <97EE203F-977E-4735-A25A-76B6C938F6EE@rtpty.com> Besides, this was last updated in 2005. Things have changed a bit. Anybody here running this that could give Kate a hand? On Sep 18, 2008, at 11:14 PM, Kate Kleinschafer wrote: > Hmm, > > I tried changing the work directory again to / and restarted the > whole machine but am still getting > unable to find a mountpoint for /var/spool > > not really sure what else to try. > > Any suggestions? > > Kate > > Alex Neuman van der Hans wrote: >> No idea, but I think you should change the work directory thing but >> not the spool directory thing. >> >> What about restarting mailscanner-mrtg? Does it run a process >> somewhere that needs to restart as well? >> >> On Sep 18, 2008, at 9:03 PM, Kate Kleinschafer wrote: >> >>> So would I change: >>> MailScanner Work Directory = /var/spool/MailScanner/incoming >>> and >>> Spool Directory = /var/spool >>> >>> To >>> MailScanner Work Directory = / >>> >>> Spool Directory = / >>> >>> Also to reload would I just do a MailScanner restart? >>> ?? >>> >> > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From kate at rheel.co.nz Fri Sep 19 06:00:26 2008 
From: kate at rheel.co.nz (Kate Kleinschafer) Date: Fri Sep 19 05:59:30 2008 Subject: Mailscanner mrtg mountpoint In-Reply-To: <48D32A8A.6080808@vanderkooij.org> References: <48D2FCF2.2040108@rheel.co.nz> <48D32A8A.6080808@vanderkooij.org> Message-ID: <48D331EA.1060303@rheel.co.nz> When I telnet in from another machine I get the error (after the rcpt to: command) 451 4.3.5 server configuration problem This is my first ever mailscanner postfix spamassassin install Thanks Kate Hugo van der Kooij wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Kate Kleinschafer wrote: > > >> I am getting the following in my maillog: >> Unable to find a mountpoint for /var/spool/MailScanner/incoming. Please >> set MailScanner Work Directory in mailscanner-mrtg.conf to a valid >> mountpoint >> >> I did some searching and tried changing the mailscanner-mrtg.conf to / >> but this didn't help >> > > Let's get back to basics. Does MailScanner in itself actually work? Can > you process email messages? Does that work without MRTG stuff added? > > Hugo. > > - -- > hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ > PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc > > A: Yes. > >Q: Are you sure? > >>A: Because it reverses the logical flow of conversation. > >>>Q: Why is top posting frowned upon? > > Bored? Click on http://spamornot.org/ and rate those images. > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.7 (GNU/Linux) > Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org > > iD8DBQFI0yqIBvzDRVjxmYERAkLYAKC3lKTa1gc99fEqTV5wa/gKvY6ekwCeJapc > 7ZuEZ3Ky9f6/4cL4kmPg9UY= > =CCEk > -----END PGP SIGNATURE----- > From alex at rtpty.com Fri Sep 19 06:15:46 2008 
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Fri Sep 19 06:16:42 2008 Subject: Mailscanner mrtg mountpoint In-Reply-To: <48D331EA.1060303@rheel.co.nz> References: <48D2FCF2.2040108@rheel.co.nz> <48D32A8A.6080808@vanderkooij.org> <48D331EA.1060303@rheel.co.nz> Message-ID: <5356F1DF-27AF-4F6E-8B4B-81D902E08AF6@rtpty.com> You should really consider installing things one at a time and making sure everything else works before moving on to the next piece. --- Alex Neuman Reliant Technologies +507 6781-9505 Skype: alexneuman On Sep 19, 2008, at 12:00 AM, Kate Kleinschafer wrote: > When I telnet in from another machine I get the error (after the > rcpt to: command) > 451 4.3.5 server configuration problem > > This is my first ever mailscanner postfix spamassassin install > > Thanks > Kate > > Hugo van der Kooij wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Kate Kleinschafer wrote: >> >> >>> I am getting the following in my maillog: >>> Unable to find a mountpoint for /var/spool/MailScanner/incoming. >>> Please >>> set MailScanner Work Directory in mailscanner-mrtg.conf to a valid >>> mountpoint >>> >>> I did some searching and tried changing the mailscanner-mrtg.conf >>> to / >>> but this didn't help >>> >> >> Let's get back to basics. Does MailScanner in itself actually work? >> Can >> you process email messages? Does that work without MRTG stuff added? >> >> Hugo. >> >> - -- >> hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ >> PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc >> >> A: Yes. >> >Q: Are you sure? >> >>A: Because it reverses the logical flow of conversation. >> >>>Q: Why is top posting frowned upon? >> >> Bored? Click on http://spamornot.org/ and rate those images. 
>> >> -----BEGIN PGP SIGNATURE----- >> Version: GnuPG v1.4.7 (GNU/Linux) >> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org >> >> iD8DBQFI0yqIBvzDRVjxmYERAkLYAKC3lKTa1gc99fEqTV5wa/gKvY6ekwCeJapc >> 7ZuEZ3Ky9f6/4cL4kmPg9UY= >> =CCEk >> -----END PGP SIGNATURE----- >> > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From ugob at lubik.ca Fri Sep 19 13:14:32 2008 From: ugob at lubik.ca (Ugo Bellavance) Date: Fri Sep 19 13:14:51 2008 Subject: Red hat perl performance fix Message-ID: https://rhn.redhat.com/rhn/errata/details/Details.do?eid=7619 From pmcewan at energywebnetwork.com Fri Sep 19 13:25:54 2008 From: pmcewan at energywebnetwork.com (Paul McEwan) Date: Fri Sep 19 13:26:08 2008 Subject: Russian Spam Message-ID: <003201c91a52$dcf7fd50$96e7f7f0$@com> Is there a way to filter out emails using the Russian character set, koi8-r, with Mailscanner/Spamassassin? A lot of spam has been slipping through using that charset, and it's obviously spam Thanks -- Paul -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ms-list at alexb.ch Fri Sep 19 13:33:24 2008 
From: ms-list at alexb.ch (Alex Broens)
Date: Fri Sep 19 13:33:39 2008
Subject: Russian Spam
In-Reply-To: <003201c91a52$dcf7fd50$96e7f7f0$@com>
References: <003201c91a52$dcf7fd50$96e7f7f0$@com>
Message-ID: <48D39C14.2050506@alexb.ch>

On 9/19/2008 2:25 PM, Paul McEwan wrote:
> Is there a way to filter out emails using the Russian character set, koi8-r,
> with Mailscanner/Spamassassin?
>
> A lot of spam has been slipping through using that charset, and it's
> obviously spam
>

SA settings:

ok_locales all         (allow all locales)
ok_locales en          (only allow English)
ok_locales en ja zh    (allow English, Japanese, and Chinese)

etc, etc

"LANGUAGE OPTIONS"
http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.txt

h2h

Alex

From Denis.Beauchemin at USherbrooke.ca Fri Sep 19 13:38:57 2008
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Fri Sep 19 13:39:15 2008
Subject: Mailscanner mrtg mountpoint
In-Reply-To: <48D2FCF2.2040108@rheel.co.nz>
References: <48D2FCF2.2040108@rheel.co.nz>
Message-ID: <48D39D61.3060403@USherbrooke.ca>

Kate Kleinschafer wrote:
> Hi all,
> I am getting the following in my maillog:
> Unable to find a mountpoint for /var/spool/MailScanner/incoming.
> Please set MailScanner Work Directory in mailscanner-mrtg.conf to a
> valid mountpoint
>
> I did some searching and tried changing the mailscanner-mrtg.conf to /
> but this didn't help
>
> Currently my config file says:
> MailScanner Work Directory = /var/spool/MailScanner/incoming
> and
> Spool Directory = /var/spool
>
> my df shows mounts as
> /
> /boot
> /dev/shm
>
> Any ideas what I need to change?
>
> Thanks
> Kate
>

Kate,

You should put "Spool Directory = /" and "MailScanner Work Directory = /var/spool/MailScanner/incoming" but you also need to modify /etc/fstab to add:

none /var/spool/MailScanner/incoming tmpfs defaults,noatime 0 0

Once this is done, stop MailScanner, "mount /var/spool/MailScanner/incoming" and start MailScanner.

You really need to specify mount points for these graphs. And since mailscanner-mrtg runs from /etc/cron.d/mailscanner-mrtg.crond you don't have to restart anything for it to react to your changes.

Denis

--
 _
 °v°   Denis Beauchemin, analyst
/(_)\  Université de Sherbrooke, S.T.I.
 ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From alex at rtpty.com Fri Sep 19 13:38:55 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Fri Sep 19 13:39:18 2008
Subject: Russian Spam
In-Reply-To: <003201c91a52$dcf7fd50$96e7f7f0$@com>
References: <003201c91a52$dcf7fd50$96e7f7f0$@com>
Message-ID: <792D1CDC-91D6-4DE9-8AAD-C81FDAB67178@rtpty.com>

Which one of the rules discussed a few days ago on the list have you tried? Also if you're running postfix someone kindly contributed some header checks as well.

---
Alex Neuman
Reliant Technologies
+507 6781-9505
Skype: alexneuman

On Sep 19, 2008, at 7:25 AM, "Paul McEwan" wrote:

> Is there a way to filter out emails using the Russian character set,
> koi8-r, with Mailscanner/Spamassassin?
>
> A lot of spam has been slipping through using that charset, and it's
> obviously spam
>
> Thanks
>
> -- Paul

From alex at rtpty.com Fri Sep 19 13:49:21 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Fri Sep 19 13:49:37 2008
Subject: Mailscanner mrtg mountpoint
In-Reply-To: <48D39D61.3060403@USherbrooke.ca>
References: <48D2FCF2.2040108@rheel.co.nz> <48D39D61.3060403@USherbrooke.ca>
Message-ID: <824B45E0-9104-485B-A7E9-A4461D3DA7D9@rtpty.com>

This would put the incoming folder on a ramdisk, which could be detrimental to servers with little RAM or big batches. Does it *have* to be like this for mailscanner-mrtg to work? Not that I don't agree with doing it (most of my servers have it that way when possible), just thought that everybody should know what this entails.

On Sep 19, 2008, at 7:38 AM, Denis Beauchemin wrote:

> none /var/spool/MailScanner/incoming tmpfs defaults,noatime 0 0

From pmcewan at energywebnetwork.com Fri Sep 19 13:57:14 2008
From: pmcewan at energywebnetwork.com (Paul McEwan)
Date: Fri Sep 19 13:57:27 2008
Subject: Russian Spam
In-Reply-To: <792D1CDC-91D6-4DE9-8AAD-C81FDAB67178@rtpty.com>
References: <003201c91a52$dcf7fd50$96e7f7f0$@com> <792D1CDC-91D6-4DE9-8AAD-C81FDAB67178@rtpty.com>
Message-ID: <003c01c91a57$3ddc8970$b9959c50$@com>

I just started having a real problem, and I haven't read all the past emails

I'll go back and find the ones you're talking about

Thanks

-- Paul

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Neuman van der Hans
Sent: Friday, September 19, 2008 8:39 AM
To: MailScanner discussion
Subject: Re: Russian Spam

Which one of the rules discussed a few days ago on the list have you tried? Also if you're running postfix someone kindly contributed some header checks as well.

---
Alex Neuman
Reliant Technologies
+507 6781-9505
Skype: alexneuman

On Sep 19, 2008, at 7:25 AM, "Paul McEwan" wrote:

> Is there a way to filter out emails using the Russian character set,
> koi8-r, with Mailscanner/Spamassassin?
>
> A lot of spam has been slipping through using that charset, and it's
> obviously spam
>
> Thanks
>
> -- Paul

From ugob at lubik.ca Fri Sep 19 14:44:09 2008
From: ugob at lubik.ca (Ugo Bellavance)
Date: Fri Sep 19 14:44:30 2008
Subject: Mailscanner mrtg mountpoint
In-Reply-To: <824B45E0-9104-485B-A7E9-A4461D3DA7D9@rtpty.com>
References: <48D2FCF2.2040108@rheel.co.nz> <48D39D61.3060403@USherbrooke.ca> <824B45E0-9104-485B-A7E9-A4461D3DA7D9@rtpty.com>
Message-ID:

Alex Neuman van der Hans wrote:
> This would put the incoming folder on a ramdisk, which could be
> detrimental to servers with little RAM or big batches. Does it *have* to
> be like this for mailscanner-mrtg to work? Not that I don't agree with
> doing it (most of my servers have it that way when possible), just
> thought that everybody should know what this entails.
>
> On Sep 19, 2008, at 7:38 AM, Denis Beauchemin wrote:
>
>> none /var/spool/MailScanner/incoming tmpfs defaults,noatime 0 0
>

No, it doesn't have to be. If it is not, use / as mount point in mailscanner-mrtg.

Ugo

From campbell at cnpapers.com Fri Sep 19 15:13:59 2008
From: campbell at cnpapers.com (Steve Campbell)
Date: Fri Sep 19 15:14:21 2008
Subject: SpamAssassin timeouts - 0 of 20
Message-ID: <48D3B3A7.1090102@cnpapers.com>

I upgraded everything yesterday on one of my servers and am now seeing a ton of the following messages in my logs.

Sep 19 10:09:57 mailserver1 MailScanner[14529]: SpamAssassin timed out and was killed, failure 0 of 20

Should I be worried since it's saying "0" of 20? Is this a real failure?

Thanks

Steve Campbell

From martinh at solidstatelogic.com Fri Sep 19 15:27:53 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Fri Sep 19 15:28:03 2008
Subject: SpamAssassin timeouts - 0 of 20
In-Reply-To: <48D3B3A7.1090102@cnpapers.com>
Message-ID: <1df4ffecd250b941a1a99e84b3a081b5@solidstatelogic.com>

Steve

Yeah, it's real.

Normally this is DNS/RBL related. Check you've got a local caching nameserver on the MailScanner host and also what RBLs you are calling. Most people find it works best with only 2 or 3 defined to be used by SA.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Steve Campbell
> Sent: 19 September 2008 15:14
> To: mailscanner@lists.mailscanner.info
> Subject: SpamAssassin timeouts - 0 of 20
>
> I upgraded everything yesterday on one of my servers and am
> now seeing a ton of the following messages in my logs.
>
> Sep 19 10:09:57 mailserver1 MailScanner[14529]: SpamAssassin timed out and was killed, failure 0 of 20
>
> Should I be worried since it's saying "0" of 20? Is this a
> real failure?
>
> Thanks
>
> Steve Campbell

**********************************************************************
Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer.
Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer.
Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us.
Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free.
Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales (Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom
**********************************************************************

From m.anderlini at database.it Fri Sep 19 15:58:39 2008
From: m.anderlini at database.it (Marcello Anderlini)
Date: Fri Sep 19 15:59:01 2008
Subject: R: SpamAssassin timeouts - 0 of 20
In-Reply-To: <1df4ffecd250b941a1a99e84b3a081b5@solidstatelogic.com>
References: <48D3B3A7.1090102@cnpapers.com> <1df4ffecd250b941a1a99e84b3a081b5@solidstatelogic.com>
Message-ID: <002401c91a68$334439c0$2501a8c0@dbdomain.database.it>

Where can I set these RBLs in SA and how can I understand which are the "best"?

Best regards

Dr. Marcello Anderlini
m.anderlini@database.it
---------------------------------------------
Database Informatica S.r.l.
Microsoft Certified Partner
Tel. +39059775070
Fax. +39059779545
http://www.database.it
---------------------------------------------

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Martin.Hepworth
Sent: Friday 19 September 2008 16:28
To: MailScanner discussion
Subject: RE: SpamAssassin timeouts - 0 of 20

Steve

Yeah, it's real.

Normally this is DNS/RBL related. Check you've got a local caching nameserver on the MailScanner host and also what RBLs you are calling. Most people find it works best with only 2 or 3 defined to be used by SA.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steve
> Campbell
> Sent: 19 September 2008 15:14
> To: mailscanner@lists.mailscanner.info
> Subject: SpamAssassin timeouts - 0 of 20
>
> I upgraded everything yesterday on one of my servers and am now seeing
> a ton of the following messages in my logs.
>
> Sep 19 10:09:57 mailserver1 MailScanner[14529]: SpamAssassin timed out and was killed, failure 0 of 20
>
> Should I be worried since it's saying "0" of 20? Is this a real
> failure?
>
> Thanks
>
> Steve Campbell
--
Message checked by the Database Informatica antivirus service

From swati.meghanand at gmail.com Fri Sep 19 16:10:07 2008
From: swati.meghanand at gmail.com (Swati Meghanand)
Date: Fri Sep 19 16:10:16 2008
Subject: SpamAssassin timeouts - 0 of 20
In-Reply-To: <1df4ffecd250b941a1a99e84b3a081b5@solidstatelogic.com>
References: <48D3B3A7.1090102@cnpapers.com> <1df4ffecd250b941a1a99e84b3a081b5@solidstatelogic.com>
Message-ID: <424c10260809190810g6dc98ff1mf922cceb3678801a@mail.gmail.com>

Hi

The best way to find out the prob is running spamassassin in debugging mode

# spamassassin -D -t /path/to/msg

I was facing the same prob a week ago got soln from this mailing list :-)

2008/9/19 Martin.Hepworth

> Steve
>
> Yeah, it's real.
>
> Normally this is DNS/RBL related. Check you've got a local caching
> nameserver on the MailScanner host and also what RBLs you are calling. Most
> people find it works best with only 2 or 3 defined to be used by SA.
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info
> > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> > Of Steve Campbell
> > Sent: 19 September 2008 15:14
> > To: mailscanner@lists.mailscanner.info
> > Subject: SpamAssassin timeouts - 0 of 20
> >
> > I upgraded everything yesterday on one of my servers and am
> > now seeing a ton of the following messages in my logs.
> >
> > Sep 19 10:09:57 mailserver1 MailScanner[14529]: SpamAssassin timed out and was killed, failure 0 of 20
> >
> > Should I be worried since it's saying "0" of 20? Is this a
> > real failure?
> >
> > Thanks
> >
> > Steve Campbell
From ram at netcore.co.in Fri Sep 19 16:14:01 2008
From: ram at netcore.co.in (ram)
Date: Fri Sep 19 16:14:21 2008
Subject: Disable clamav phising signatures for some ids
Message-ID: <1221837241.5275.4.camel@darkstar.netcore.co.in>

We have some ids which gets user complaints of spam

We use MailScanner with clamavmodule on our own server, but clamav module keeps detecting mail as phishing and the mail never reaches the mailbox

Can I configure MS to make an exception for some ids

Thanks
Ram

From martinh at solidstatelogic.com Fri Sep 19 16:19:48 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Fri Sep 19 16:19:59 2008
Subject: SpamAssassin timeouts - 0 of 20
In-Reply-To: <002401c91a68$334439c0$2501a8c0@dbdomain.database.it>
Message-ID:

Marcello

By default it'll use them all. (/var/lib/spamassassin//updates_spamassassin_org/20_dnsbl_tests.cf)

To stop each one change its score to zero in /etc/mail/spamassassin/mailscanner.cf eg..

score __RCVD_IN_NJABL 0.0

I only use the Spamhaus Zen list (I'm low traffic so get away with the free service), and SpamCop.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Marcello Anderlini
> Sent: 19 September 2008 15:59
> To: MailScanner discussion
> Subject: R: SpamAssassin timeouts - 0 of 20
>
> Where can I set these RBLs in SA and how can I understand which
> are the "best"?
>
> Best regards
>
> Dr. Marcello Anderlini
> m.anderlini@database.it
> ---------------------------------------------
> Database Informatica S.r.l.
> Microsoft Certified Partner
> Tel. +39059775070
> Fax. +39059779545
> http://www.database.it
> ---------------------------------------------
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of
> Martin.Hepworth
> Sent: Friday 19 September 2008 16:28
> To: MailScanner discussion
> Subject: RE: SpamAssassin timeouts - 0 of 20
>
> Steve
>
> Yeah, it's real.
>
> Normally this is DNS/RBL related. Check you've got a local
> caching nameserver on the MailScanner host and also what RBLs
> you are calling. Most people find it works best with only 2
> or 3 defined to be used by SA.
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info
> > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steve
> > Campbell
> > Sent: 19 September 2008 15:14
> > To: mailscanner@lists.mailscanner.info
> > Subject: SpamAssassin timeouts - 0 of 20
> >
> > I upgraded everything yesterday on one of my servers and am now seeing
> > a ton of the following messages in my logs.
> >
> > Sep 19 10:09:57 mailserver1 MailScanner[14529]: SpamAssassin timed out and was killed, failure 0 of 20
> >
> > Should I be worried since it's saying "0" of 20? Is this a real
> > failure?
> >
> > Thanks
> >
> > Steve Campbell
From prandal at herefordshire.gov.uk Fri Sep 19 16:38:27 2008
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Fri Sep 19 16:38:44 2008
Subject: Disable clamav phising signatures for some ids
In-Reply-To: <1221837241.5275.4.camel@darkstar.netcore.co.in>
References: <1221837241.5275.4.camel@darkstar.netcore.co.in>
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA04BFB3BB@HC-MBX02.herefordshire.gov.uk>

Whose phishing sigs are you using? ClamAV's default signatures are very reliable.

Can you try and clarify what you're telling us, too?

You say "We have some ids which gets user complaints of spam" and then ask about disabling ClamAV signatures.

I'm confused.

Phil

--
Phil Randal
Networks Engineer
Herefordshire Council
Hereford, UK

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of ram
Sent: 19 September 2008 16:14
To: MailScanner discussion
Subject: Disable clamav phising signatures for some ids

We have some ids which gets user complaints of spam

We use MailScanner with clamavmodule on our own server, but clamav module keeps detecting mail as phishing and the mail never reaches the mailbox

Can I configure MS to make an exception for some ids

Thanks
Ram

From campbell at cnpapers.com Fri Sep 19 18:48:18 2008
From: campbell at cnpapers.com (Steve Campbell)
Date: Fri Sep 19 18:48:39 2008
Subject: SpamAssassin timeouts - 0 of 20
In-Reply-To:
References:
Message-ID: <48D3E5E2.6050008@cnpapers.com>

Martin.Hepworth wrote:
> Marcello
>
> By default it'll use them all. (/var/lib/spamassassin//updates_spamassassin_org/20_dnsbl_tests.cf)
>
> To stop each one change its score to zero in /etc/mail/spamassassin/mailscanner.cf eg..
>
> score __RCVD_IN_NJABL 0.0
>
> I only use the Spamhaus Zen list (I'm low traffic so get away with the free service), and SpamCop.
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
>> Of Marcello Anderlini
>> Sent: 19 September 2008 15:59
>> To: MailScanner discussion
>> Subject: R: SpamAssassin timeouts - 0 of 20
>>
>> Where can I set these RBLs in SA and how can I understand which
>> are the "best"?
>>
>> Best regards
>>
>> Dr. Marcello Anderlini
>> m.anderlini@database.it
>> ---------------------------------------------
>> Database Informatica S.r.l.
>> Microsoft Certified Partner
>> Tel. +39059775070
>> Fax. +39059779545
>> http://www.database.it
>> ---------------------------------------------
>>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of
>> Martin.Hepworth
>> Sent: Friday 19 September 2008 16:28
>> To: MailScanner discussion
>> Subject: RE: SpamAssassin timeouts - 0 of 20
>>
>> Steve
>>
>> Yeah, it's real.
>>
>> Normally this is DNS/RBL related. Check you've got a local
>> caching nameserver on the MailScanner host and also what RBLs
>> you are calling. Most people find it works best with only 2
>> or 3 defined to be used by SA.
>>
>> --
>> Martin Hepworth
>> Snr Systems Administrator
>> Solid State Logic
>> Tel: +44 (0)1865 842300
>>
>>> -----Original Message-----
>>> From: mailscanner-bounces@lists.mailscanner.info
>>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steve
>>> Campbell
>>> Sent: 19 September 2008 15:14
>>> To: mailscanner@lists.mailscanner.info
>>> Subject: SpamAssassin timeouts - 0 of 20
>>>
>>> I upgraded everything yesterday on one of my servers and am now seeing
>>> a ton of the following messages in my logs.
>>>
>>> Sep 19 10:09:57 mailserver1 MailScanner[14529]: SpamAssassin timed out and was killed, failure 0 of 20
>>>
>>> Should I be worried since it's saying "0" of 20? Is this a real
>>> failure?
>>>
>>> Thanks
>>>
>>> Steve Campbell

Thanks for all the help. I'm pretty sure it's DNS type stuff as we just moved to a new provider recently.

But - what's up with the ZERO of 20 part? That's the reason I asked about problems. Sort of like saying no timeouts, which isn't a problem. :-\

Thanks all for the really great list and software.

steve

From ssilva at sgvwater.com Fri Sep 19 19:31:23 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Sep 19 19:31:42 2008
Subject: SpamAssassin timeouts - 0 of 20
In-Reply-To: <48D3E5E2.6050008@cnpapers.com>
References: <48D3E5E2.6050008@cnpapers.com>
Message-ID:

> Thanks for all the help. I'm pretty sure it's DNS type stuff as we just
> moved to a new provider recently.
>
> But - what's up with the ZERO of 20 part? That's the reason I asked
> about problems. Sort of like saying no timeouts, which isn't a problem. :-\
>
> Thanks all for the really great list and software.
>
> steve

On computers, a zero is a valid starting point. But the fact that it says timeout is a problem. Every message that it times out on will go through your system to a (future) angry user.

The local caching nameserver should help a lot.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From campbell at cnpapers.com Fri Sep 19 20:20:16 2008
From: campbell at cnpapers.com (Steve Campbell)
Date: Fri Sep 19 20:20:28 2008
Subject: SpamAssassin timeouts - 0 of 20
In-Reply-To:
References: <48D3E5E2.6050008@cnpapers.com>
Message-ID: <48D3FB70.8050200@cnpapers.com>

Scott Silva wrote:
>> Thanks for all the help. I'm pretty sure it's DNS type stuff as we
>> just moved to a new provider recently.
>>
>> But - what's up with the ZERO of 20 part? That's the reason I asked
>> about problems. Sort of like saying no timeouts, which isn't a
>> problem. :-\
>>
>> Thanks all for the really great list and software.
>>
>> steve
>
> On computers, a zero is a valid starting point. But the fact that it
> says timeout is a problem. Every message that it times out on will go
> through your system to a (future) angry user.
> The local caching nameserver should help a lot.

Got that going again. Had to stop it for a while due to the IP changes we just made. Time will tell if that gets it back to the very-few-a-day we used to see.

steve

From mark at msapiro.net Sat Sep 20 02:28:23 2008
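
Added example, not part of any message in this thread and not MailScanner code: a Python script that counts the "SpamAssassin timed out and was killed" maillog lines Steve quotes, per day and per MailScanner child process, so the effect of restoring the local caching nameserver can be compared with "very-few-a-day". Only the first sample line comes from the thread; the other log lines, the function names and the threshold are constructed for illustration.

```python
"""Count 'SpamAssassin timed out' events in a MailScanner maillog."""
import re
from collections import Counter

# Syslog line format as quoted in the thread:
# "Sep 19 10:09:57 mailserver1 MailScanner[14529]: SpamAssassin timed out
#  and was killed, failure 0 of 20" (one line in the real log).
TIMEOUT_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+MailScanner\[(?P<pid>\d+)\]:\s+"
    r"SpamAssassin timed out and was killed, failure (?P<n>\d+) of (?P<limit>\d+)"
)

# Constructed sample input; only the first line is taken from the thread.
SAMPLE_LOG = """\
Sep 19 10:09:57 mailserver1 MailScanner[14529]: SpamAssassin timed out and was killed, failure 0 of 20
Sep 19 10:10:31 mailserver1 MailScanner[14529]: SpamAssassin timed out and was killed, failure 1 of 20
Sep 19 10:10:40 mailserver1 MailScanner[14533]: SpamAssassin timed out and was killed, failure 0 of 20
Sep 19 10:11:02 mailserver1 MailScanner[14529]: Virus Scanning: Found 1 viruses
Sep 19 10:12:15 mailserver1 MailScanner[14529]: SpamAssassin timed out and was killed, failure 2 of 20
Sep 20 03:41:09 mailserver1 MailScanner[15102]: SpamAssassin timed out and was killed, failure 0 of 20
""".splitlines()


def parse_timeouts(lines):
    """Return one dict per timeout line; every other log line is skipped."""
    events = []
    for line in lines:
        m = TIMEOUT_RE.match(line)
        if m is None:
            continue
        events.append({
            # Syslog omits the year, so days are keyed as "Mon DD".
            "day": "%s %02d" % (m.group("month"), int(m.group("day"))),
            "time": m.group("time"),
            "host": m.group("host"),
            "pid": int(m.group("pid")),
            "failure": int(m.group("n")),   # counter as logged (starts at 0)
            "limit": int(m.group("limit")),
        })
    return events


def summarize(events):
    """Return (timeouts per day, highest logged counter per host/pid)."""
    per_day = Counter(e["day"] for e in events)
    worst = {}
    for e in events:
        key = (e["host"], e["pid"])
        if key not in worst or e["failure"] > worst[key][0]:
            worst[key] = (e["failure"], e["limit"])
    return per_day, worst


def noisy_days(per_day, few_per_day):
    """Days, in log order, with more timeouts than the accepted baseline."""
    return [day for day, count in per_day.items() if count > few_per_day]


if __name__ == "__main__":
    per_day, worst = summarize(parse_timeouts(SAMPLE_LOG))
    for day, count in per_day.items():
        print("%s: %d timeouts" % (day, count))
    for (host, pid), (failure, limit) in sorted(worst.items()):
        print("%s pid %d: highest counter %d of %d" % (host, pid, failure, limit))
    print("days above baseline:", noisy_days(per_day, few_per_day=3))
```

Run it against the real log by replacing SAMPLE_LOG with the lines of /var/log/maillog.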
From: mark at msapiro.net (Mark Sapiro)
Date: Sat Sep 20 02:28:40 2008
Subject: Potential Postfix CentOS message unpacking bug
In-Reply-To: <20080915201622.GA4068@msapiro>
Message-ID:

Mark Sapiro wrote:

>On Mon, Sep 15, 2008 at 08:48:28AM +0100, Julian Field wrote:
>>
>> So Postfix users on CentOS, please can you check your logs for any
>> 16-17Kb spams which could possibly containing an attachment called
>> "start.zip" (grep should find it in raw queue files, if you're wondering
>> how to do that for raw queue files), which have not always been detected
>> as infected.
>
>
>I have seen exactly one of these
>
>/var/log/maillog:Sep 15 00:25:16 sbh16 MailScanner[783]: ClamAVModule::INFECTED:: Trojan.Fakealert-532 :: ./4C266690092.86EA5/start.zip
>
>in the last 30 days and no spam quarantined with start.zip attachments.
>
>
>> You might want to use the "Archive Mail" feature of MailScanner.conf for
>> a while to see if you're getting anything like that, in case you are
>> suffering the problem.
>
>
>I have just enabled Archive Mail and will look for start.zip in the archive.

Here's an update. This is very strange.

I set Archive Mail = /var/spool/MailScanner/archive in MailScanner.conf, and I started looking for archived messages containing start.zip. I also noticed that the actual trojan when identified was identified as Trojan.Fakealert-532, so I looked for that in clamd reports as well and found several detections in messages with a "tube.zip" attachment.

Two days ago, I found two archived messages with tube.zip attachments that had been quarantined as high-spam and not detected by clamd as infected with Trojan.Fakealert-532.

I wanted to see the spam detections for these messages so I added a rule to my high spam rules that would forward the message to me and reloaded MailScanner.

I then copied one of the archived queue files to /var/spool/postfix/hold/ and was shocked to find that this time it was flagged by clamd as infected with Trojan.Fakealert-532.
This requeued message was archived too and I did a cmp of the two archived queue files and they were identical, yet the first message was not flagged by clamd and was quarantined as high spam and the second message was flagged by clamd. So the bottom line is I've seen the problem, but it appears to be intermittent, even with an identical message. # MailScanner -v Running on Linux sbh16.songbird.com 2.6.18-8.1.14.el5 #1 SMP Thu Sep 27 18:58:54 EDT 2007 i 686 i686 i386 GNU/Linux This is CentOS release 5 (Final) This is Perl version 5.008008 (5.8.8) This is MailScanner version 4.71.10 Module versions are: 1.00 AnyDBM_File 1.16 Archive::Zip 0.21 bignum 1.04 Carp 1.42 Compress::Zlib 1.119 Convert::BinHex 0.17 Convert::TNEF 2.121_08 Data::Dumper 2.27 Date::Parse 1.00 DirHandle 1.05 Fcntl 2.74 File::Basename 2.09 File::Copy 2.01 FileHandle 1.08 File::Path 0.20 File::Temp 0.90 Filesys::Df 1.35 HTML::Entities 3.56 HTML::Parser 2.37 HTML::TokeParser 1.23 IO 1.14 IO::File 1.13 IO::Pipe 2.02 Mail::Header 1.86 Math::BigInt 0.19 Math::BigRat 3.05 MIME::Base64 5.425 MIME::Decoder 5.425 MIME::Decoder::UU 5.425 MIME::Head 5.425 MIME::Parser 3.03 MIME::QuotedPrint 5.425 MIME::Tools 0.11 Net::CIDR 1.25 Net::IP 0.16 OLE::Storage_Lite 1.04 Pod::Escapes 3.05 Pod::Simple 1.09 POSIX 1.18 Scalar::Util 1.78 Socket 2.15 Storable 1.4 Sys::Hostname::Long 0.13 Sys::Syslog 1.26 Test::Pod 0.6 Test::Simple 1.68 Time::HiRes 1.02 Time::localtime Optional module versions are: 1.30 Archive::Tar 0.21 bignum 1.82 Business::ISBN 1.10 Business::ISBN::Data 1.08 Data::Dump 1.814 DB_File 1.13 DBD::SQLite 1.56 DBI 1.10 Digest 1.01 Digest::HMAC 2.36 Digest::MD5 2.10 Digest::SHA1 1.00 Encode::Detect 0.17008 Error 0.18 ExtUtils::CBuilder 2.18 ExtUtils::ParseXS 2.35 Getopt::Long 0.44 Inline 1.08 IO::String 1.04 IO::Zlib 2.21 IP::Country missing Mail::ClamAV 3.002005 Mail::SpamAssassin v2.004 Mail::SPF 1.999001 Mail::SPF::Query 0.2808 Module::Build 0.20 Net::CIDR::Lite 0.63 Net::DNS 0.002.2 
Net::DNS::Resolver::Programmable missing Net::LDAP 4.004 NetAddr::IP 1.94 Parse::RecDescent missing SAVI 2.52 Test::Harness 0.95 Test::Manifest 1.98 Text::Balanced 1.35 URI 0.7203 version 0.62 YAML # MailScanner --lint Trying to setlogsock(unix) Read 851 hostnames from the phishing whitelist Read 4648 hostnames from the phishing blacklist Checking version numbers... Version number in MailScanner.conf (4.71.10) is correct. Your envelope_sender_header in spam.assassin.prefs.conf is correct. MailScanner setting GID to (89) MailScanner setting UID to (89) Checking for SpamAssassin errors (if you use it)... SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp Using SpamAssassin results cache Connected to SpamAssassin cache database SpamAssassin reported no errors. Using locktype = posix MailScanner.conf says "Virus Scanners = clamd" Found these virus scanners installed: clamd =========================================================================== Virus and Content Scanning: Starting ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com ClamAVModule::INFECTED:: Eicar-Test-Signature FOUND :: ./1/ Virus Scanning: Clamd found 2 infections Infected message 1 came from 10.1.1.1 Virus Scanning: Found 2 viruses Filename Checks: (1 eicar.com) Other Checks: Found 1 problems =========================================================================== Virus Scanner test reports: Clamd said "eicar.com was infected: Eicar-Test-Signature" If any of your virus scanners (clamd) are not listed there, you should check that they are installed correctly and that MailScanner is finding them correctly via its virus.scanners.conf. # -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From MailScanner at ecs.soton.ac.uk Sat Sep 20 13:48:09 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sat Sep 20 13:48:29 2008 Subject: SpamAssassin timeouts - 0 of 20 In-Reply-To: References: <48D3E5E2.6050008@cnpapers.com> Message-ID: <48D4F109.20002@ecs.soton.ac.uk> Steve Campbell wrote: > > > Scott Silva wrote: >> >>>> >>> Thanks for all the help. I'm pretty sure it's DNS type stuff as we >>> just moved to a new provider recently. >>> >>> But - what's up with the ZERO of 20 part? That's the reason I asked >>> about problems. Sort of like saying no timeouts, which isn't a >>> problem. :-\ >>> >>> Thanks all for the really great list and software. >>> >>> steve >>> >>> >>> >> On computers, a zero is a valid starting point. But the fact that it >> says timeout is a problem. Every message that it times out on will go >> through your system to a (future) angry user. >> The local caching nameserver should help a lot. >> >> > Got that going again. Had to stop it for a while due to the IP changes > we just made. > > Time will tell if that gets it back to the very-few-a-day we used to see. If you call SpamAssassin directly with the "spamassassin" command, it can be very difficult to see which bits took all the time. If you run MailScanner --debug --debug-sa then it will run SpamAssassin but will print the time at the start of every line of SpamAssassin output, which makes it *much* easier to see where the hold-ups were. Don't worry about the 0 in 0 of 20, just something I never bothered fixing :-) Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From kevin.howard at jobmedia.com.au Sat Sep 20 14:01:36 2008 
From: kevin.howard at jobmedia.com.au (Kevin Howard) Date: Sat Sep 20 14:01:53 2008 Subject: Russian spam - header checks In-Reply-To: <200809201101.m8KB0Q7h028651@safir.blacknight.ie> References: <200809201101.m8KB0Q7h028651@safir.blacknight.ie> Message-ID: <47167FA1F8B14BA88386617599CFCB98@KHFUJITSU> We found the locales rules didn't help stop the Russian spam. We're doing it successfully using MCP; header RULE7 Subject:raw =~ /koi8/i describe RULE7 Banned Subject score RULE7 6.7 the ":raw" part is the key. Or it can be done in the SA rules using this: header LOCAL_CYRILLIC Subject:raw =~ /koi8/i describe LOCAL_CYRILLIC Cyrillic fonts score LOCAL_CYRILLIC 3 Someone else on here gave me this tip a week or so ago, I can't find the original message, but thanks whoever it was :) Kevin From MailScanner at ecs.soton.ac.uk Sat Sep 20 14:32:29 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sat Sep 20 14:32:52 2008 Subject: Russian spam - header checks In-Reply-To: References: <200809201101.m8KB0Q7h028651@safir.blacknight.ie> Message-ID: <48D4FB6D.9040905@ecs.soton.ac.uk> You can do it without all the overhead of MCP, read about "SpamAssassin Rule Actions" in MailScanner.conf. This will be a **LOT** faster. Kevin Howard wrote: > We found the locales rules didn't help stop the Russian spam. > > We're doing it successfully using MCP; > > header RULE7 Subject:raw =~ /koi8/i > describe RULE7 Banned Subject > score RULE7 6.7 > > the ":raw" part is the key. > > Or it can be done in the SA rules using this: > > header LOCAL_CYRILLIC Subject:raw =~ /koi8/i > describe LOCAL_CYRILLIC Cyrillic fonts > score LOCAL_CYRILLIC 3 > > Someone else on here gave me this tip a week or so ago, I can't find the > original message, but thanks whoever it was :) > > Kevin > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From simon at kmun.gov.kw Sat Sep 20 19:27:27 2008 
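On the ":raw" point in the rule quoted above: SpamAssassin normally matches a header after decoding its MIME encoded-words, and the charset label (=?koi8-r?...?=) only exists in the undecoded header, which is what Subject:raw exposes. The following is an added example, not code from the thread or from SpamAssassin; it applies the same test to the raw, unfolded Subject of constructed sample messages, and the function names and sample files are hypothetical.

```shell
#!/bin/sh
# Added example: emulate  header X Subject:raw =~ /koi8/i  on message files.

# Print the Subject header as transmitted: unfolded, but not MIME-decoded.
raw_subject() {
    awk '
        /^$/ { exit }                        # blank line: end of the header block
        insubj && /^[ \t]/ {                 # folded continuation of the Subject
            sub(/^[ \t]+/, " "); line = line $0; next
        }
        insubj { insubj = 0 }                # any other header ends the Subject
        tolower($0) ~ /^subject:/ {
            line = $0; sub(/^[^:]*:[ \t]*/, "", line); insubj = 1
        }
        END { if (line != "") print line }
    ' "$1"
}

# True when the raw Subject carries a koi8 charset label (case-insensitive).
subject_raw_has_koi8() {
    raw_subject "$1" | grep -qi 'koi8'
}

# Constructed sample messages (not real mail) for offline use.
make_samples() {
    d=$(mktemp -d) || return 1
    # Encoded-word Subject folded over two lines, mixed-case charset labels.
    printf '%s\n' 'From: a@example.invalid' \
        'Subject: =?koi8-r?B?8NLJ18XU?=' \
        ' =?KOI8-R?B?8NLJ18XU?=' \
        'To: b@example.invalid' '' 'body text' > "$d/folded.eml"
    # Upper-case label only: the /i flag in the rule is what catches this.
    printf '%s\n' 'Subject: =?KOI8-R?B?8NLJ18XU?=' '' 'body text' > "$d/upper.eml"
    # koi8 in another header and in the body, but a plain Subject: no hit.
    printf '%s\n' 'From: a@example.invalid' \
        'Content-Type: text/plain; charset=koi8-r' \
        'Subject: Meeting notes' '' 'koi8 appears only in the body' > "$d/plain.eml"
    printf '%s\n' "$d"
}
```
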
From: simon at kmun.gov.kw (Benedict simon) Date: Sat Sep 20 18:58:22 2008 Subject: question abt quarantine release Message-ID: <1533.91.198.134.226.1221935247.squirrel@webmail.baladia.gov.kw> Dear AlL, I am using the following n been workin succesfully Centos 5.1 smtp server running sendmail mailscanner spamassassin+clamav mailwatch now i wd like to know the following any quarantined mail by mailscanner i am using mailwatch to succesfully release it and it works grt i would like to know how could i realese mail quarantined by mailscanner without mailwatch i have root privileges to the system apprecite your help regards simon -- Network ADMIN ------------- KUWAIT MUNICIPALITY: -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From alex at rtpty.com Sat Sep 20 19:13:33 2008 
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Sat Sep 20 19:13:52 2008 Subject: question abt quarantine release In-Reply-To: <1533.91.198.134.226.1221935247.squirrel@webmail.baladia.gov.kw> References: <1533.91.198.134.226.1221935247.squirrel@webmail.baladia.gov.kw> Message-ID: U wd cp r mv q fl frm quarantine fld 2 reg q fld so sm cn pckup n dlvr --- Alex Neuman Reliant Technologies +507 6781-9505 Skype: alexneuman On Sep 20, 2008, at 1:27 PM, "Benedict simon" wrote: > > Dear AlL, > > I am using the following n been workin succesfully > > Centos 5.1 > smtp server running sendmail > mailscanner > spamassassin+clamav > mailwatch > > now i wd like to know the following > any quarantined mail by mailscanner i am using mailwatch to > succesfully > release it and it works grt > > i would like to know how could i realese mail quarantined by > mailscanner > without mailwatch > > i have root privileges to the system > > apprecite your help > > regards > > simon > > -- > Network ADMIN > ------------- > KUWAIT MUNICIPALITY: > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From alex at rtpty.com Sat Sep 20 19:17:42 2008 
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Sat Sep 20 19:18:02 2008 Subject: question abt quarantine release In-Reply-To: <1533.91.198.134.226.1221935247.squirrel@webmail.baladia.gov.kw> References: <1533.91.198.134.226.1221935247.squirrel@webmail.baladia.gov.kw> Message-ID: Sorry, had problems with my keyboard and hit sen too early ;-) What I meant to say is you need to do the same thing mailwatch does: move or copy the queue file from the quarantine into the regular queue folder so sendmail can pick it up, or if it's an mbox style rfc822 (iirc) file you can do: formail -s sendmail name@address.co m < message --- Alex Neuman Reliant Technologies +507 6781-9505 Skype: alexneuman On Sep 20, 2008, at 1:27 PM, "Benedict simon" wrote: > > Dear AlL, > > I am using the following n been workin succesfully > > Centos 5.1 > smtp server running sendmail > mailscanner > spamassassin+clamav > mailwatch > > now i wd like to know the following > any quarantined mail by mailscanner i am using mailwatch to > succesfully > release it and it works grt > > i would like to know how could i realese mail quarantined by > mailscanner > without mailwatch > > i have root privileges to the system > > apprecite your help > > regards > > simon > > -- > Network ADMIN > ------------- > KUWAIT MUNICIPALITY: > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From simon at kmun.gov.kw Sat Sep 20 21:26:34 2008 
From: simon at kmun.gov.kw (Benedict simon) Date: Sat Sep 20 20:57:44 2008 Subject: thnks Message-ID: <1607.91.198.134.226.1221942394.squirrel@webmail.baladia.gov.kw> Thnks for ur real quick reply i try it out n let u know really apprecite regards simon -- Network ADMIN ------------- KUWAIT MUNICIPALITY: -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From alex at rtpty.com Sat Sep 20 21:15:37 2008 From: alex at rtpty.com (Alex Neuman van der Hans) Date: Sat Sep 20 21:15:59 2008 Subject: thnks In-Reply-To: <1607.91.198.134.226.1221942394.squirrel@webmail.baladia.gov.kw> References: <1607.91.198.134.226.1221942394.squirrel@webmail.baladia.gov.kw> Message-ID: <29902B76-6953-41AD-A88D-5CD7C77299DF@rtpty.com> Please fix your keyboard while you're at it... ;-) --- Alex Neuman Reliant Technologies +507 6781-9505 Skype: alexneuman On Sep 20, 2008, at 3:26 PM, "Benedict simon" wrote: > Thnks for ur real quick reply > > i try it out n let u know > > really apprecite > > > regards > > > simon > > > -- > Network ADMIN > ------------- > KUWAIT MUNICIPALITY: > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From glenn.steen at gmail.com Sun Sep 21 00:51:08 2008 
From: glenn.steen at gmail.com (Glenn Steen) Date: Sun Sep 21 00:51:18 2008 Subject: question abt quarantine release In-Reply-To: References: <1533.91.198.134.226.1221935247.squirrel@webmail.baladia.gov.kw> Message-ID: <223f97700809201651k48d2baaap4984ac0f5ee9c9cc@mail.gmail.com> 2008/9/20 Alex Neuman van der Hans : > Sorry, had problems with my keyboard and hit sen too early ;-) > > What I meant to say is you need to do the same thing mailwatch does: move or > copy the queue file from the quarantine into the regular queue folder so > sendmail can pick it up, or if it's an mbox style rfc822 (iirc) file you can > do: > > formail -s sendmail name@address.co m < message > Hilarious Alex! LOL One could just pnt 'm 2 t wiki! ...;) ... Use the sendmail force ... > --- > > Alex Neuman > Reliant Technologies > +507 6781-9505 > Skype: alexneuman > > On Sep 20, 2008, at 1:27 PM, "Benedict simon" wrote: > >> >> Dear AlL, >> >> I am using the following n been workin succesfully >> >> Centos 5.1 >> smtp server running sendmail >> mailscanner >> spamassassin+clamav >> mailwatch >> >> now i wd like to know the following >> any quarantined mail by mailscanner i am using mailwatch to succesfully >> release it and it works grt >> >> i would like to know how could i realese mail quarantined by mailscanner >> without mailwatch >> >> i have root privileges to the system >> >> apprecite your help >> >> regards >> >> simon >> >> -- >> Network ADMIN >> ------------- >> KUWAIT MUNICIPALITY: >> >> >> -- >> This message has been scanned for viruses and >> dangerous content by MailScanner, and is >> believed to be clean. >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! 
> > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From nik_muhyyiddin at hotmail.com Sun Sep 21 05:39:06 2008 From: nik_muhyyiddin at hotmail.com (Nik Muhammed Muhyyiddin) Date: Sun Sep 21 05:39:21 2008 Subject: PHP Script for Mailwatch Message-ID: Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: release.JPG Type: image/jpeg Size: 28813 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080921/4fedeffd/release.jpe From nik_muhyyiddin at hotmail.com Sun Sep 21 05:59:37 2008 From: nik_muhyyiddin at hotmail.com (Nik Muhammed Muhyyiddin) Date: Sun Sep 21 05:59:49 2008 Subject: question abt quarantine release In-Reply-To: <1533.91.198.134.226.1221935247.squirrel@webmail.baladia.gov.kw> References: <1533.91.198.134.226.1221935247.squirrel@webmail.baladia.gov.kw> Message-ID:

I used this script

#!/bin/sh
# this is the final destination for the mail to be released:
# postfix's incoming queue
POSTFIX_DEST=/var/spool/postfix/incoming

# check for valid parameters
if [ -z "$1" ]; then
    echo "Syntax: release.sh "
    echo "Example: release.sh 678362AC.9CFE7"
    exit 1
fi

# find the specific mail in the quarantine folders
folder=$(find /var/spool/MailScanner/quarantine/ -name "$1")
mailname=$(echo "$1" | cut -d . -f1)

# stop if the message is not in the quarantine
if [ -z "$folder" ]; then
    echo "ERROR: $1 not found in quarantine"
    exit 1
fi

# copy the mail
if [ -e "$POSTFIX_DEST/$mailname" ]; then
    echo "ERROR: $mailname already in $POSTFIX_DEST! EXITING"
    echo "This should not happen"
    exit 255
fi
cp -avi "$folder/$mailname" "$POSTFIX_DEST/$mailname"

# make it 0700 so that the mail is deemed ready
chmod 0700 "$POSTFIX_DEST/$mailname"

- nik -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Benedict simon Sent: Sunday, September 21, 2008 2:27 AM To: mailscanner@lists.mailscanner.info Subject: question abt quarantine release Dear AlL, I am using the following n been workin succesfully Centos 5.1 smtp server running sendmail mailscanner spamassassin+clamav mailwatch now i wd like to know the following any quarantined mail by mailscanner i am using mailwatch to succesfully release it and it works grt i would like to know how could i realese mail quarantined by mailscanner without mailwatch i have root privileges to the system apprecite your help regards simon -- Network ADMIN ------------- KUWAIT MUNICIPALITY: -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From agross at gcpsite.com Sun Sep 21 07:10:20 2008 From: agross at gcpsite.com (Adam Gross) Date: Sun Sep 21 07:10:43 2008 Subject: PHP Script for Mailwatch In-Reply-To: References: Message-ID: <826D5FDFCF76F6499D59755D401D6A86D89D@gcpads01.gcpsite.local> I suggest you take a look at MailWatch -- http://mailwatch.sourceforge.net/doku.php. As I'm writing this message it appears the site is down (maintenance?). MailWatch simplifies EVERYTHING including releasing items from quarantine. You can release numerous items all at once in a single click using an easy to use kickass web interface, among many other things, such as providing each of your end users with the ability to do the same for themselves, including managing their own white/blacklists. It's pretty killer, check it out. -Adam 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Nik Muhammed Muhyyiddin Sent: Sunday, September 21, 2008 12:39 AM To: mailscanner@lists.mailscanner.info Subject: PHP Script for Mailwatch Hi all, Somebody please help..i would like to have a php script for releasing the quarantine mail.. Sometime I have to ssh to the server and executed the "release.sh " to released the message. It's much better if I can copy & paste the Message-ID to a simple form and it's then run the "/sbin/release.sh" when I click at the Release Button. Thanks, Nik -- This message has been scanned for viruses and dangerous content by MailScanner , and is believed to be clean. Processed by GCPMS01. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. Processed by GCPMS01. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080921/2dd0e6f9/attachment.html From hvdkooij at vanderkooij.org Sun Sep 21 12:29:21 2008 
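The release.sh approach posted in this thread, and the request to drive it from a web form with a pasted message ID, both pass that ID straight to find and cp. The following is an added example, not code from the thread, MailScanner or MailWatch; it validates the ID and requires exactly one quarantine match before copying. The ID pattern is an assumption drawn from the IDs quoted in the thread (such as 678362AC.9CFE7), the quarantine layout follows the posted script, and the function names and sample tree are hypothetical.

```shell
#!/bin/sh
# Added example: validate a quarantine ID before it reaches find/cp.
LC_ALL=C; export LC_ALL

# Assumed ID shape: hex queue ID, one dot, five hex characters.
valid_queue_id() {
    case "$1" in
        ''|*[!0-9A-Fa-f.]*) return 1 ;;  # empty, or any byte outside hex and '.'
    esac                                 # (this also rejects embedded newlines)
    printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f]{6,16}\.[0-9A-Fa-f]{5}$'
}

# Print the one quarantine directory named exactly $2 under root $1.
# Returns 2 for a malformed ID, 1 for no match, 3 for an ambiguous match.
find_quarantined() {
    root=$1 id=$2
    valid_queue_id "$id" || return 2
    matches=$(find "$root" -type d -name "$id" -print)
    [ -n "$matches" ] || return 1
    count=$(printf '%s\n' "$matches" | wc -l)
    [ "$count" -eq 1 ] || return 3
    printf '%s\n' "$matches"
}

# Copy the queue file to the MTA incoming directory $2 without overwriting,
# then set mode 0700 as the posted script does.
# Returns 4 if the queue file is missing or a symlink, 5 if already queued.
release_message() {
    root=$1 dest=$2 id=$3
    dir=$(find_quarantined "$root" "$id") || return $?
    qfile=${id%%.*}                      # queue file name: part before the dot
    [ -f "$dir/$qfile" ] && [ ! -L "$dir/$qfile" ] || return 4
    [ ! -e "$dest/$qfile" ] || return 5  # never clobber a queued message
    cp -p "$dir/$qfile" "$dest/$qfile" && chmod 0700 "$dest/$qfile"
}

# Constructed sample tree (not a real quarantine) for offline use.
make_sample_tree() {
    base=$(mktemp -d) || return 1
    mkdir -p "$base/quarantine/20080921/678362AC.9CFE7" "$base/incoming"
    printf 'constructed queue file\n' \
        > "$base/quarantine/20080921/678362AC.9CFE7/678362AC"
    printf '%s\n' "$base"
}
```

A web front end would call release_message with the form value as a single argument and act only on a zero exit status.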
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Sun Sep 21 12:29:31 2008 Subject: Announcing the new FSL MailScanner Beta yum repository In-Reply-To: <48D25F6A.4090906@ecs.soton.ac.uk> References: <48D25F6A.4090906@ecs.soton.ac.uk> Message-ID: <48D63011.6010008@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Julian Field wrote: > This is a new Yum repository for CentOS 5 i386 and x86_64 only. It will > always contain the latest MailScanner beta (4.72.2 at the time of > writing) along with SpamAssassin (plus DCC, Razor, DKIM, SPF, IP-Country > and Rule2XS plug-ins), ClamAV and all Perl module dependencies. Much as I appreciate the work you put in to this there is a thing I find less apealing. If this is "your" repository and you start to charge money then it should not depend on free repositories like the way you do now with certain packages. ClamAV was the first one I noticed as it is a straight copy of rpmforge. Or part of the payment should end up with the rpmforge team for service rendered. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFI1jAPBvzDRVjxmYERAtmvAJ9CDVPTSKOiv5D+gDTLHieP6WccoQCgqbjv pSW0fqy8lCbstgxWKgQ5hTQ= =1Qca -----END PGP SIGNATURE----- From jtwatson at linux-consulting.us Sun Sep 21 13:35:14 2008 
From: jtwatson at linux-consulting.us (Joseph Watson) Date: Sun Sep 21 13:36:06 2008 Subject: Problem with ClamAV Message-ID: <200809210835.14706.jtwatson@linux-consulting.us> Hello, I am trying to upgrade to the latest version of MailScanner and am having a problem using ClamAV. [root@MailServ f-prot]# clamscan -V ClamAV 0.94/8296/Sat Sep 20 23:04:54 2008 In Debugging mode, not forking... Trying to setlogsock(unix) SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp Building a message batch to scan... Have a batch of 1 message. max message size is '200k' /usr/bin/clamscan: unrecognized option `--unzip' ERROR: Unknown option passed. ERROR: Can't parse the command line /usr/bin/clamscan: unrecognized option `--unrar=/usr/bin/unrar' ERROR: Unknown option passed. ERROR: Can't parse the command line Stopping now as you are debugging me. I cant seem to find any info on this... Maybe someone has seen this? Thanks much [root@MailServ f-prot]# MailScanner -V Running on Linux MyDomain 2.6.24.7-desktop-1mnb #1 SMP Mon Jul 28 15:12:10 EDT 2008 i686 AMD Athlon(tm) XP 2100+ GNU/Linux This is Mandriva Linux release 2008.1 (Official) for i586 This is Perl version 5.010000 (5.10.0) This is MailScanner version 4.71.10 Module versions are: 1.00 AnyDBM_File 1.23 Archive::Zip 0.22 bignum 1.08 Carp 2.008 Compress::Zlib 1.119 Convert::BinHex 0.17 Convert::TNEF 2.121_14 Data::Dumper 2.27 Date::Parse 1.01 DirHandle 1.06 Fcntl 2.76 File::Basename 2.11 File::Copy 2.01 FileHandle 2.04 File::Path 0.18 File::Temp 0.79 Filesys::Df 1.35 HTML::Entities 3.56 HTML::Parser 2.37 HTML::TokeParser 1.23_01 IO 1.14 IO::File 1.13 IO::Pipe 2.02 Mail::Header 1.88 Math::BigInt 0.21 Math::BigRat 3.07_01 MIME::Base64 5.425 MIME::Decoder 5.425 MIME::Decoder::UU 5.425 MIME::Head 5.425 MIME::Parser 3.07 MIME::QuotedPrint 5.425 MIME::Tools 0.11 Net::CIDR 1.25 Net::IP 0.16 OLE::Storage_Lite 1.04 Pod::Escapes 3.05 Pod::Simple 1.13 POSIX 1.19 Scalar::Util 1.80 Socket 2.18 Storable 1.4 
Sys::Hostname::Long 0.22 Sys::Syslog 1.26 Test::Pod 0.78 Test::Simple 1.9711 Time::HiRes 1.02 Time::localtime Optional module versions are: 1.38 Archive::Tar 0.22 bignum missing Business::ISBN missing Business::ISBN::Data missing Data::Dump 1.816 DB_File 1.14 DBD::SQLite 1.602 DBI 1.15 Digest 1.01 Digest::HMAC 2.36_01 Digest::MD5 2.11 Digest::SHA1 1.00 Encode::Detect 0.17012 Error 0.22 ExtUtils::CBuilder 2.18_02 ExtUtils::ParseXS 2.37 Getopt::Long missing Inline missing IO::String 1.07 IO::Zlib 2.23 IP::Country missing Mail::ClamAV 3.002004 Mail::SpamAssassin v2.005 Mail::SPF 1.999001 Mail::SPF::Query 0.2808 Module::Build 0.20 Net::CIDR::Lite 0.63 Net::DNS missing Net::DNS::Resolver::Programmable missing Net::LDAP 4.007 NetAddr::IP missing Parse::RecDescent missing SAVI 2.64 Test::Harness missing Test::Manifest 2.0.0 Text::Balanced 1.35 URI 0.74 version missing YAML -- Regards Joseph Watson From r.berber at computer.org Sun Sep 21 16:30:28 2008 
From: r.berber at computer.org (René Berber) Date: Sun Sep 21 16:30:45 2008 Subject: Problem with ClamAV In-Reply-To: <200809210835.14706.jtwatson@linux-consulting.us> References: <200809210835.14706.jtwatson@linux-consulting.us> Message-ID: Joseph Watson wrote: [snip] > [root@MailServ f-prot]# clamscan -V > ClamAV 0.94/8296/Sat Sep 20 23:04:54 2008 > > > In Debugging mode, not forking... > Trying to setlogsock(unix) > SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp > Building a message batch to scan... > Have a batch of 1 message. > max message size is '200k' > /usr/bin/clamscan: unrecognized option `--unzip' > ERROR: Unknown option passed. > ERROR: Can't parse the command line > /usr/bin/clamscan: unrecognized option `--unrar=/usr/bin/unrar' [snip] > This is MailScanner version 4.71.10 [snip] You seem to have a modified MailScanner/lib/clamav-wrapper, the lines with the above options (--unzip and --unrar) should be commented out as they are no longer recognized by clamav 0.94. -- René Berber From email at ace.net.au Sun Sep 21 16:36:50 2008 
From: email at ace.net.au (Peter Nitschke) Date: Sun Sep 21 16:35:38 2008 Subject: Problem with ClamAV In-Reply-To: <200809210835.14706.jtwatson@linux-consulting.us> References: <200809210835.14706.jtwatson@linux-consulting.us> Message-ID: <200809220106500892.063323DC@web.ace.net.au> Any chance you don't have unzip and unrar installed? Posted from my PC. *********** REPLY SEPARATOR *********** On 21/09/2008 at 8:35 AM Joseph Watson wrote: >Hello, > >I am trying to upgrade to the latest version of MailScanner and am having >a >problem using ClamAV. > >[root@MailServ f-prot]# clamscan -V >ClamAV 0.94/8296/Sat Sep 20 23:04:54 2008 > > >In Debugging mode, not forking... >Trying to setlogsock(unix) >SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp >Building a message batch to scan... >Have a batch of 1 message. >max message size is '200k' >/usr/bin/clamscan: unrecognized option `--unzip' >ERROR: Unknown option passed. >ERROR: Can't parse the command line >/usr/bin/clamscan: unrecognized option `--unrar=/usr/bin/unrar' >ERROR: Unknown option passed. >ERROR: Can't parse the command line >Stopping now as you are debugging me. > >I cant seem to find any info on this... Maybe someone has seen this? > >Thanks much > From MailScanner at ecs.soton.ac.uk Sun Sep 21 17:57:17 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Sep 21 17:57:36 2008 Subject: Announcing the new FSL MailScanner Beta yum repository In-Reply-To: References: <48D25F6A.4090906@ecs.soton.ac.uk> Message-ID: <48D67CED.8060802@ecs.soton.ac.uk> Hugo van der Kooij wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Julian Field wrote: > > >> This is a new Yum repository for CentOS 5 i386 and x86_64 only. It will >> always contain the latest MailScanner beta (4.72.2 at the time of >> writing) along with SpamAssassin (plus DCC, Razor, DKIM, SPF, IP-Country >> and Rule2XS plug-ins), ClamAV and all Perl module dependencies. >> > > Much as I appreciate the work you put in to this there is a thing I find > less apealing. > > If this is "your" repository and you start to charge money then it > should not depend on free repositories like the way you do now with > certain packages. ClamAV was the first one I noticed as it is a straight > copy of rpmforge. Or part of the payment should end up with the rpmforge > team for service rendered. > I don't want to start any form of argument here, but isn't this like all those companies out there who sell MailScanner as a chargeable service to all their customers, and then never even consider giving me any form of compensation for all the profit they are making out of my work? Yes, there are a few very notable exceptions to this (thankyou, you know who you are), but there aren't very many who give me anything. Most of them take the profit and run, without ever even thinking of giving me anything in return. Also, the beta repository is free. And any services like this that we may choose to make a charge for, I don't directly get any of that money anyway. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Sun Sep 21 17:57:55 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Sep 21 17:58:14 2008 Subject: Problem with ClamAV In-Reply-To: References: Message-ID: <48D67D13.8030900@ecs.soton.ac.uk> Upgrade to the latest beta of MailScanner. Joseph Watson wrote: > Hello, > > I am trying to upgrade to the latest version of MailScanner and am having a > problem using ClamAV. > > [root@MailServ f-prot]# clamscan -V > ClamAV 0.94/8296/Sat Sep 20 23:04:54 2008 > > > In Debugging mode, not forking... > Trying to setlogsock(unix) > SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp > Building a message batch to scan... > Have a batch of 1 message. > max message size is '200k' > /usr/bin/clamscan: unrecognized option `--unzip' > ERROR: Unknown option passed. > ERROR: Can't parse the command line > /usr/bin/clamscan: unrecognized option `--unrar=/usr/bin/unrar' > ERROR: Unknown option passed. > ERROR: Can't parse the command line > Stopping now as you are debugging me. > > I cant seem to find any info on this... Maybe someone has seen this? 
> > Thanks much > > [root@MailServ f-prot]# MailScanner -V > Running on > Linux MyDomain 2.6.24.7-desktop-1mnb #1 SMP Mon Jul 28 15:12:10 EDT 2008 i686 > AMD Athlon(tm) XP 2100+ GNU/Linux > This is Mandriva Linux release 2008.1 (Official) for i586 > This is Perl version 5.010000 (5.10.0) > > This is MailScanner version 4.71.10 > Module versions are: > 1.00 AnyDBM_File > 1.23 Archive::Zip > 0.22 bignum > 1.08 Carp > 2.008 Compress::Zlib > 1.119 Convert::BinHex > 0.17 Convert::TNEF > 2.121_14 Data::Dumper > 2.27 Date::Parse > 1.01 DirHandle > 1.06 Fcntl > 2.76 File::Basename > 2.11 File::Copy > 2.01 FileHandle > 2.04 File::Path > 0.18 File::Temp > 0.79 Filesys::Df > 1.35 HTML::Entities > 3.56 HTML::Parser > 2.37 HTML::TokeParser > 1.23_01 IO > 1.14 IO::File > 1.13 IO::Pipe > 2.02 Mail::Header > 1.88 Math::BigInt > 0.21 Math::BigRat > 3.07_01 MIME::Base64 > 5.425 MIME::Decoder > 5.425 MIME::Decoder::UU > 5.425 MIME::Head > 5.425 MIME::Parser > 3.07 MIME::QuotedPrint > 5.425 MIME::Tools > 0.11 Net::CIDR > 1.25 Net::IP > 0.16 OLE::Storage_Lite > 1.04 Pod::Escapes > 3.05 Pod::Simple > 1.13 POSIX > 1.19 Scalar::Util > 1.80 Socket > 2.18 Storable > 1.4 Sys::Hostname::Long > 0.22 Sys::Syslog > 1.26 Test::Pod > 0.78 Test::Simple > 1.9711 Time::HiRes > 1.02 Time::localtime > > Optional module versions are: > 1.38 Archive::Tar > 0.22 bignum > missing Business::ISBN > missing Business::ISBN::Data > missing Data::Dump > 1.816 DB_File > 1.14 DBD::SQLite > 1.602 DBI > 1.15 Digest > 1.01 Digest::HMAC > 2.36_01 Digest::MD5 > 2.11 Digest::SHA1 > 1.00 Encode::Detect > 0.17012 Error > 0.22 ExtUtils::CBuilder > 2.18_02 ExtUtils::ParseXS > 2.37 Getopt::Long > missing Inline > missing IO::String > 1.07 IO::Zlib > 2.23 IP::Country > missing Mail::ClamAV > 3.002004 Mail::SpamAssassin > v2.005 Mail::SPF > 1.999001 Mail::SPF::Query > 0.2808 Module::Build > 0.20 Net::CIDR::Lite > 0.63 Net::DNS > missing Net::DNS::Resolver::Programmable > missing Net::LDAP > 4.007 NetAddr::IP > missing 
Parse::RecDescent > missing SAVI > 2.64 Test::Harness > missing Test::Manifest > 2.0.0 Text::Balanced > 1.35 URI > 0.74 version > missing YAML > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From jtwatson at linux-consulting.us Sun Sep 21 20:16:03 2008 
From: jtwatson at linux-consulting.us (Joseph Watson) Date: Sun Sep 21 20:17:16 2008 Subject: Problem with ClamAV In-Reply-To: <48D67D13.8030900@ecs.soton.ac.uk> References: <48D67D13.8030900@ecs.soton.ac.uk> Message-ID: <200809211516.03930.jtwatson@linux-consulting.us> Thanks much. I will try that. -- Regards Joseph Watson On Sunday September 21 2008 12:57:55 pm Julian Field wrote: > Upgrade to the latest beta of MailScanner. > > Joseph Watson wrote: > > Hello, > > > > I am trying to upgrade to the latest version of MailScanner and am having > > a problem using ClamAV. > > > > [root@MailServ f-prot]# clamscan -V > > ClamAV 0.94/8296/Sat Sep 20 23:04:54 2008 > > > > > > In Debugging mode, not forking... > > Trying to setlogsock(unix) > > SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp > > Building a message batch to scan... > > Have a batch of 1 message. > > max message size is '200k' > > /usr/bin/clamscan: unrecognized option `--unzip' > > ERROR: Unknown option passed. > > ERROR: Can't parse the command line > > /usr/bin/clamscan: unrecognized option `--unrar=/usr/bin/unrar' > > ERROR: Unknown option passed. > > ERROR: Can't parse the command line > > Stopping now as you are debugging me. > > > > I can't seem to find any info on this... Maybe someone has seen this? 
> > > > Thanks much > > > > [root@MailServ f-prot]# MailScanner -V > > Running on > > Linux MyDomain 2.6.24.7-desktop-1mnb #1 SMP Mon Jul 28 15:12:10 EDT 2008 > > i686 AMD Athlon(tm) XP 2100+ GNU/Linux > > This is Mandriva Linux release 2008.1 (Official) for i586 > > This is Perl version 5.010000 (5.10.0) > > > > This is MailScanner version 4.71.10 > > Module versions are: > > 1.00 AnyDBM_File > > 1.23 Archive::Zip > > 0.22 bignum > > 1.08 Carp > > 2.008 Compress::Zlib > > 1.119 Convert::BinHex > > 0.17 Convert::TNEF > > 2.121_14 Data::Dumper > > 2.27 Date::Parse > > 1.01 DirHandle > > 1.06 Fcntl > > 2.76 File::Basename > > 2.11 File::Copy > > 2.01 FileHandle > > 2.04 File::Path > > 0.18 File::Temp > > 0.79 Filesys::Df > > 1.35 HTML::Entities > > 3.56 HTML::Parser > > 2.37 HTML::TokeParser > > 1.23_01 IO > > 1.14 IO::File > > 1.13 IO::Pipe > > 2.02 Mail::Header > > 1.88 Math::BigInt > > 0.21 Math::BigRat > > 3.07_01 MIME::Base64 > > 5.425 MIME::Decoder > > 5.425 MIME::Decoder::UU > > 5.425 MIME::Head > > 5.425 MIME::Parser > > 3.07 MIME::QuotedPrint > > 5.425 MIME::Tools > > 0.11 Net::CIDR > > 1.25 Net::IP > > 0.16 OLE::Storage_Lite > > 1.04 Pod::Escapes > > 3.05 Pod::Simple > > 1.13 POSIX > > 1.19 Scalar::Util > > 1.80 Socket > > 2.18 Storable > > 1.4 Sys::Hostname::Long > > 0.22 Sys::Syslog > > 1.26 Test::Pod > > 0.78 Test::Simple > > 1.9711 Time::HiRes > > 1.02 Time::localtime > > > > Optional module versions are: > > 1.38 Archive::Tar > > 0.22 bignum > > missing Business::ISBN > > missing Business::ISBN::Data > > missing Data::Dump > > 1.816 DB_File > > 1.14 DBD::SQLite > > 1.602 DBI > > 1.15 Digest > > 1.01 Digest::HMAC > > 2.36_01 Digest::MD5 > > 2.11 Digest::SHA1 > > 1.00 Encode::Detect > > 0.17012 Error > > 0.22 ExtUtils::CBuilder > > 2.18_02 ExtUtils::ParseXS > > 2.37 Getopt::Long > > missing Inline > > missing IO::String > > 1.07 IO::Zlib > > 2.23 IP::Country > > missing Mail::ClamAV > > 3.002004 Mail::SpamAssassin > > v2.005 Mail::SPF > > 1.999001 
Mail::SPF::Query > > 0.2808 Module::Build > > 0.20 Net::CIDR::Lite > > 0.63 Net::DNS > > missing Net::DNS::Resolver::Programmable > > missing Net::LDAP > > 4.007 NetAddr::IP > > missing Parse::RecDescent > > missing SAVI > > 2.64 Test::Harness > > missing Test::Manifest > > 2.0.0 Text::Balanced > > 1.35 URI > > 0.74 version > > missing YAML > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > PGP public key: http://www.jules.fm/julesfm.asc > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. From jtwatson at linux-consulting.us Sun Sep 21 21:34:09 2008 
From: jtwatson at linux-consulting.us (Joseph Watson) Date: Sun Sep 21 21:35:02 2008 Subject: Minor bug in init script Message-ID: <200809211634.09124.jtwatson@linux-consulting.us> Hello, There has been a minor bug in the init script for a while now. This does not cause any problems, it is just a reporting issue. I use Postfix configured as a single instance (hold queue method), and when I start MailScanner I get the following output. [root@MailServ MailScanner]# /etc/init.d/MailScanner start Starting MailScanner daemons: incoming postfix: [ OK ] outgoing postfix: [ OK ] MailScanner: [ OK ] If I make the following change to the init script diff -w /etc/init.d/MailScanner /etc/init.d/MailScanner.mod 103c103 < if test -x $POSTFIX ; then --- > if test -x $POSTFIXINCF ; then when I start MailScanner: [root@MailServ MailScanner]# /etc/init.d/MailScanner start Starting MailScanner daemons: incoming postfix: [ OK ] Assuming you are using a single Postfix instance (hold queue method) outgoing postfix: [ OK ] MailScanner: [ OK ] Again this is quite a minor issue, but it is nice to see this reminder. -- Regards Joseph Watson From ssilva at sgvwater.com Mon Sep 22 02:03:27 2008 
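Review bot: on line 103 the replacement test `if test -x $POSTFIXINCF ; then` expands the variable unquoted, so if POSTFIXINCF is empty or unset the command collapses to `test -x`, a one-argument test that succeeds, and the branch is taken whether or not the file exists. Quote the expansion, `if test -x "$POSTFIXINCF" ; then`. The message does not show where POSTFIXINCF is assigned in the init script, so it is also worth confirming that it is set before line 103 and that it names the executable this single-instance check is meant to find; the start-up output shown only demonstrates the reminder appearing on this one configuration.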
From: ssilva at sgvwater.com (Scott Silva) Date: Mon Sep 22 02:03:46 2008 Subject: SpamAssassin timeouts - 0 of 20 In-Reply-To: <48D4F109.20002@ecs.soton.ac.uk> References: <48D3E5E2.6050008@cnpapers.com> <48D4F109.20002@ecs.soton.ac.uk> Message-ID: > > Don't worry about the 0 in 0 of 20, just something I never bothered > fixing :-) > > Jules So is the zero not actually a timeout? I always thought it was just a counter that for some reason started counting at zero instead of one. I rarely see them anymore. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Mon Sep 22 02:07:38 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Mon Sep 22 02:10:11 2008 Subject: question abt quarantine release In-Reply-To: References: <1533.91.198.134.226.1221935247.squirrel@webmail.baladia.gov.kw> Message-ID: on 9-20-2008 11:17 AM Alex Neuman van der Hans spake the following: > Sorry, had problems with my keyboard and hit sen too early ;-) > I thought some teenager had hacked your e-mail and was responding to your mails! ;-P -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From kate at rheel.co.nz Mon Sep 22 05:13:22 2008 
From: kate at rheel.co.nz (Kate Kleinschafer) Date: Mon Sep 22 05:38:45 2008 Subject: Mailscanner mrtg mountpoint In-Reply-To: References: <48D2FCF2.2040108@rheel.co.nz> <48D39D61.3060403@USherbrooke.ca> <824B45E0-9104-485B-A7E9-A4461D3DA7D9@rtpty.com> Message-ID: <48D71B62.2090509@rheel.co.nz> Thanks everyone for your help. I ended up changing it to / as I don't want to risk reducing performance mounting it at this stage. Thanks again Kate Ugo Bellavance wrote: > Alex Neuman van der Hans wrote: >> This would put the incoming folder on a ramdisk, which could be >> detrimental to servers with little RAM or big batches. Does it *have* >> to be like this for mailscanner-mrtg to work? Not that I don't agree >> with doing it (most of my servers have it that way when possible), >> just thought that everybody should know what this entails. >> >> On Sep 19, 2008, at 7:38 AM, Denis Beauchemin wrote: >> >>> none /var/spool/MailScanner/incoming tmpfs >>> defaults,noatime 0 0 >> > > No, it doesn't have to be. If it is not, use / as mount point in > mailscanner-mrtg. > > Ugo > From J.Ede at birchenallhowden.co.uk Mon Sep 22 11:01:55 2008 From: J.Ede at birchenallhowden.co.uk (Jason Ede) Date: Mon Sep 22 11:03:32 2008 Subject: Announcing the new FSL MailScanner Beta yum repository In-Reply-To: <48D67CED.8060802@ecs.soton.ac.uk> References: <48D25F6A.4090906@ecs.soton.ac.uk> , <48D67CED.8060802@ecs.soton.ac.uk> Message-ID: <4CAB0118AEC63A4FAAE77E6BCBDF760C792A26CDF8@server02.bhl.local> ________________________________________ 
From: mailscanner-bounces@lists.mailscanner.info [mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field [MailScanner@ecs.soton.ac.uk] Sent: 21 September 2008 17:57 To: MailScanner discussion Subject: Re: Announcing the new FSL MailScanner Beta yum repository Hugo van der Kooij wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Julian Field wrote: > > >> This is a new Yum repository for CentOS 5 i386 and x86_64 only. It will >> always contain the latest MailScanner beta (4.72.2 at the time of >> writing) along with SpamAssassin (plus DCC, Razor, DKIM, SPF, IP-Country >> and Rule2XS plug-ins), ClamAV and all Perl module dependencies. >> > > Much as I appreciate the work you put in to this there is a thing I find > less appealing. > > If this is "your" repository and you start to charge money then it > should not depend on free repositories like the way you do now with > certain packages. ClamAV was the first one I noticed as it is a straight > copy of rpmforge. Or part of the payment should end up with the rpmforge > team for service rendered. > I don't want to start any form of argument here, but isn't this like all those companies out there who sell MailScanner as a chargeable service to all their customers, and then never even consider giving me any form of compensation for all the profit they are making out of my work? Yes, there are a few very notable exceptions to this (thank you, you know who you are), but there aren't very many who give me anything. Most of them take the profit and run, without ever even thinking of giving me anything in return. Also, the beta repository is free. And any services like this that we may choose to make a charge for, I don't directly get any of that money anyway. Jules I'm taking it you get some of the money when we buy the MS book or is wish list preferred? Jason From MailScanner at ecs.soton.ac.uk Mon Sep 22 11:26:32 2008 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Sep 22 11:26:52 2008 Subject: Announcing the new FSL MailScanner Beta yum repository In-Reply-To: References: <48D25F6A.4090906@ecs.soton.ac.uk> , <48D67CED.8060802@ecs.soton.ac.uk> Message-ID: <48D772D8.30901@ecs.soton.ac.uk> Jason Ede wrote: > ________________________________________ 
> From: mailscanner-bounces@lists.mailscanner.info [mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field [MailScanner@ecs.soton.ac.uk] > Sent: 21 September 2008 17:57 > To: MailScanner discussion > Subject: Re: Announcing the new FSL MailScanner Beta yum repository > > Hugo van der Kooij wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Julian Field wrote: >> >> >> >>> This is a new Yum repository for CentOS 5 i386 and x86_64 only. It will >>> always contain the latest MailScanner beta (4.72.2 at the time of >>> writing) along with SpamAssassin (plus DCC, Razor, DKIM, SPF, IP-Country >>> and Rule2XS plug-ins), ClamAV and all Perl module dependencies. >>> >>> >> Much as I appreciate the work you put in to this there is a thing I find >> less appealing. >> >> If this is "your" repository and you start to charge money then it >> should not depend on free repositories like the way you do now with >> certain packages. ClamAV was the first one I noticed as it is a straight >> copy of rpmforge. Or part of the payment should end up with the rpmforge >> team for service rendered. >> >> > I don't want to start any form of argument here, but isn't this like all > those companies out there who sell MailScanner as a chargeable service > to all their customers, and then never even consider giving me any form > of compensation for all the profit they are making out of my work? > > Yes, there are a few very notable exceptions to this (thank you, you know > who you are), but there aren't very many who give me anything. Most of > them take the profit and run, without ever even thinking of giving me > anything in return. > > Also, the beta repository is free. > > And any services like this that we may choose to make a charge for, I > don't directly get any of that money anyway. > > Jules > > I'm taking it you get some of the money when we buy the MS book or is wish list preferred? > I do make a small amount of money from the book sales. 
However, I get all the benefit of wish-list purchases :-) Thanks! Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From Denis.Beauchemin at USherbrooke.ca Mon Sep 22 13:34:56 2008 
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Mon Sep 22 13:35:13 2008 Subject: Potential Postfix CentOS message unpacking bug In-Reply-To: References: Message-ID: <48D790F0.1080000@USherbrooke.ca> Mark Sapiro wrote: > Mark Sapiro wrote: > > >> On Mon, Sep 15, 2008 at 08:48:28AM +0100, Julian Field wrote: >> >>> So Postfix users on CentOS, please can you check your logs for any >>> 16-17Kb spams which could possibly contain an attachment called >>> "start.zip" (grep should find it in raw queue files, if you're wondering >>> how to do that for raw queue files), which have not always been detected >>> as infected. >>> >> I have seen exactly one of these >> >> /var/log/maillog:Sep 15 00:25:16 sbh16 MailScanner[783]: ClamAVModule::INFECTED:: Trojan.Fakealert-532 :: ./4C266690092.86EA5/start.zip >> >> in the last 30 days and no spam quarantined with start.zip attachments. >> >> >> >>> You might want to use the "Archive Mail" feature of MailScanner.conf for >>> a while to see if you're getting anything like that, in case you are >>> suffering the problem. >>> >> I have just enabled Archive Mail and will look for start.zip in the archive. >> > > > Here's an update. This is very strange. I set > > Archive Mail = /var/spool/MailScanner/archive > > in MailScanner.conf, and I started looking for archived messages > containing start.zip. I also noticed that the actual trojan when > identified was identified as Trojan.Fakealert-532, so I looked for > that in clamd reports as well and found several detections in messages > with a "tube.zip" attachment. Two days ago, I found two archived > messages with tube.zip attachments that had been quarantined as > high-spam and not detected by clamd as infected with > Trojan.Fakealert-532. > > I wanted to see the spam detections for these messages so I added a > rule to my high spam rules that would forward the message to me and > reloaded MailScanner. 
I then copied one of the archived queue files to > /var/spool/postfix/hold/ and was shocked to find that this time it was > flagged by clamd as infected with Trojan.Fakealert-532. This requeued > message was archived too and I did a cmp of the two archived queue > files and they were identical, yet the first message was not flagged > by clamd and was quarantined as high spam and the second message was > flagged by clamd. > > So the bottom line is I've seen the problem, but it appears to be > intermittent, even with an identical message. > Mark, ClamAV gets updated quite often. Maybe it didn't know about Trojan.Fakealert-532 the first time the email got through but it knew better some time later. Denis -- _ °v° Denis Beauchemin, analyste /(_)\ Université de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045 From campbell at cnpapers.com Mon Sep 22 14:15:38 2008 
From: campbell at cnpapers.com (Steve Campbell) Date: Mon Sep 22 14:15:56 2008 Subject: SpamAssassin timeouts - 0 of 20 In-Reply-To: <48D4F109.20002@ecs.soton.ac.uk> References: <48D3E5E2.6050008@cnpapers.com> <48D4F109.20002@ecs.soton.ac.uk> Message-ID: <48D79A7A.5080800@cnpapers.com> Julian Field wrote: > > > Steve Campbell wrote: >> >> >> Scott Silva wrote: >>> >>>>> >>>> Thanks for all the help. I'm pretty sure it's DNS type stuff as we >>>> just moved to a new provider recently. >>>> >>>> But - what's up with the ZERO of 20 part? That's the reason I asked >>>> about problems. Sort of like saying no timeouts, which isn't a >>>> problem. :-\ >>>> >>>> Thanks all for the really great list and software. >>>> >>>> steve >>>> >>>> >>>> >>> On computers, a zero is a valid starting point. But the fact that it >>> says timeout is a problem. Every message that it times out on will >>> go through your system to a (future) angry user. >>> The local caching nameserver should help a lot. >>> >>> >> Got that going again. Had to stop it for a while due to the IP >> changes we just made. >> >> Time will tell if that gets it back to the very-few-a-day we used to >> see. > If you call SpamAssassin directly with the "spamassassin" command, it > can be very difficult to see which bits took all the time. If you run > MailScanner --debug --debug-sa > then it will run SpamAssassin but will print the time at the start of > every line of SpamAssassin output, which makes it *much* easier to see > where the hold-ups were. > > Don't worry about the 0 in 0 of 20, just something I never bothered > fixing :-) > > Jules > Thanks Julian, Steve From jan-peter at koopmann.eu Mon Sep 22 15:37:34 2008 
From: jan-peter at koopmann.eu (Koopmann, Jan-Peter) Date: Mon Sep 22 15:37:57 2008 Subject: Announcing the new FSL MailScanner Beta yum repository In-Reply-To: References: Message-ID: > Strange it worked for me yesterday and again today: Now it worked... Strange. From steve.swaney at fsl.com Mon Sep 22 15:48:14 2008 From: steve.swaney at fsl.com (Stephen Swaney) Date: Mon Sep 22 15:50:21 2008 Subject: Announcing the new FSL MailScanner Beta yum repository In-Reply-To: References: Message-ID: <48D7B02E.9060002@fsl.com> Jan-Peter, I saw that you were added to the list. Let us know how you like the new repository. The production repository is ready to go and will be announced soon. Also, all of our software will soon use this model for installation :) Best regards, Steve Koopmann, Jan-Peter wrote: >> Strange it worked for me yesterday and again today: >> > > Now it worked... Strange. From roland at inbox4u.de Mon Sep 22 21:22:59 2008 
From: roland at inbox4u.de (Ehle, Roland) Date: Mon Sep 22 21:24:21 2008 Subject: spamd - errors in maillog Message-ID: Hi all, just checked the maillog on a server, on which I started using spamd a couple of days ago, and found many errors: Sep 22 20:58:52 serv6 spamd[21343]: Use of uninitialized value in concatenation (.) or string at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/Check.pm line 1028, line 911. Sep 22 20:58:53 serv6 last message repeated 3124 times Sep 22 20:58:53 serv6 spamd[21343]: Use of uninitialized value in concatenation (.) or string at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/Check.pm line 1028, <$tmpfile> line 704. Sep 22 20:58:53 serv6 last message repeated 450 times If I switch off spamd and run MailScanner with SpamAssassin everything is fine. So far, I could not find the reason for the problem. As I was using spamd a couple of days without errors, and used sa-compile today due to new rules, it might be a problem with compiled rules. Sa-compile had no errors. Regards, Roland From jkidd at afflink.com Mon Sep 22 22:32:40 2008 
From: jkidd at afflink.com (Josh Kidd) Date: Mon Sep 22 22:33:31 2008 Subject: Notify Admin of User Sending High Volume of Mail Message-ID: <44478D9B01E40143A91E1192B0222F5B1C942D@WCMAIL2.performance.pfgc.com> Don't know if anyone else has attempted to do something like this before or not, I gave a scan to Google and the lists and didn't see anything. I have MailScanner setup on a FreeBSD7 machine running Postfix+MailScanner(SA,ClamAV)+Mailwatch. We are wanting to find a way that if a user's computer is infected and starts sending out a large number of emails in a short time frame (ie: 20,30,50 messages in 2-5 minutes). I assume this would have to be a custom ruleset but being new to MailScanner I don't know exactly how I would go about creating this rule. Has anyone done something like this or knows how to? I want MailScanner or Mailwatch to email me if a user's outbound mail volume exceeds our pre-defined limits so I can shut down whatever is sending out the large volume of mail to prevent our domain from being blacklisted. Thanks in Advance, JK From ssilva at sgvwater.com Mon Sep 22 22:50:23 2008 
From: ssilva at sgvwater.com (Scott Silva) Date: Mon Sep 22 22:50:51 2008 Subject: Notify Admin of User Sending High Volume of Mail In-Reply-To: <44478D9B01E40143A91E1192B0222F5B1C942D@WCMAIL2.performance.pfgc.com> References: <44478D9B01E40143A91E1192B0222F5B1C942D@WCMAIL2.performance.pfgc.com> Message-ID: on 9-22-2008 2:32 PM Josh Kidd spake the following: > Don't know if anyone else has attempted to do something like this before > or not, I gave a scan to Google and the lists and didn't see anything. I > have MailScanner setup on a FreeBSD7 machine running > Postfix+MailScanner(SA,ClamAV)+Mailwatch. We are wanting to find a way > that if a user's computer is infected and starts sending out a large > number of emails in a short time frame (ie: 20,30,50 messages in 2-5 > minutes). > > > > I assume this would have to be a custom ruleset but being new to > MailScanner I don't know exactly how I would go about creating this > rule. Has anyone done something like this or knows how to? I want > MailScanner or Mailwatch to email me if a user's outbound mail volume > exceeds our pre-defined limits so I can shutdown whatever is sending out > the large volume of mail to prevent our domain from being blacklisted. > > > > Thanks in Advance, > > JK > > > 1: Block all users from being able to send smtp directly to the outside world. All mail must go through servers under your control. Scan this outgoing mail. Never completely trust your users because machines get owned every day. 2: Set sending limits in postfix. I can't help you here other than knowing that it can be done. 3: You need a log runner or other script to look for the entries for too many attempts in the logs and mail a warning. Maybe even add an iptables rule for a quick stop while you investigate. That way it gets stopped when no one is available for intervention. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! 
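The log runner from point 3 of the reply above, as an added example that is not part of the thread and not MailScanner or MailWatch code: it counts the `QUEUEID: client=host[ip]` lines that Postfix smtpd logs for each accepted message, per internal client, in a sliding window. The 192.168.1.0/24 network, the 20-in-5-minutes limit (picked from the range in the question), the host names and the addresses are assumptions, and the log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from email.message import EmailMessage

# Postfix smtpd writes one "QUEUEID: client=host[ip]" line per accepted message.
# "connect from" and "NOQUEUE: reject" lines do not match and are skipped.
CLIENT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s\S+\s"
    r"postfix/smtpd\[\d+\]:\s(?P<qid>[0-9A-F]+):\s"
    r"client=(?P<host>[^\[\s]+)\[(?P<ip>[0-9A-Fa-f:.]+)\]"
)


def find_bursts(lines, networks, limit=20, window=timedelta(minutes=5), year=2008):
    """Return one alert per burst: an internal client that submits `limit`
    or more messages within `window`. Syslog timestamps carry no year, so
    the caller supplies it. Lines must be in chronological order."""
    nets = [ipaddress.ip_network(n) for n in networks]
    recent = defaultdict(deque)  # client IP -> timestamps still inside the window
    over = set()                 # clients already reported for the current burst
    alerts = []
    for line in lines:
        m = CLIENT_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # malformed address in the log line
        if not any(ip in net for net in nets):
            continue  # only our own machines are of interest here
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        seen = recent[ip]
        seen.append(ts)
        while ts - seen[0] > window:
            seen.popleft()
        if len(seen) < limit:
            over.discard(ip)  # burst ended, re-arm the alert for this client
        elif ip not in over:
            over.add(ip)
            alerts.append({"ip": ip, "host": m["host"], "count": len(seen),
                           "first": seen[0], "at": ts})
    return alerts


def build_warning(alert, admin, sender="mailscanner@localhost"):
    """Build the warning mail; addresses are hypothetical placeholders."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = admin
    msg["Subject"] = f"Outbound mail burst from {alert['ip']}"
    msg.set_content(
        f"{alert['host']} [{alert['ip']}] submitted {alert['count']} messages "
        f"between {alert['first']:%H:%M:%S} and {alert['at']:%H:%M:%S}.\n"
    )
    return msg  # deliver with smtplib.SMTP("localhost").send_message(msg)


def constructed_sample():
    """Constructed maillog lines for the demonstration (not from the thread)."""
    start = datetime(2008, 9, 22, 22, 30, 0)
    lines = [
        "Sep 22 22:29:58 relay postfix/smtpd[4101]: connect from pc50.example.lan[192.168.1.50]",
        "Sep 22 22:29:59 relay postfix/smtpd[4102]: NOQUEUE: reject: RCPT from "
        "unknown[203.0.113.9]: 554 5.7.1 Relay access denied",
    ]

    def accepted(offset, qid, host, ip):
        ts = (start + timedelta(seconds=offset)).strftime("%b %d %H:%M:%S")
        return f"{ts} relay postfix/smtpd[4101]: {qid:X}: client={host}[{ip}]"

    for i in range(25):   # infected desktop: one message every 5 seconds
        lines.append(accepted(5 * i, 0xA1B2C000 + i, "pc50.example.lan", "192.168.1.50"))
    for i in range(3):    # normal user: one message every 10 minutes
        lines.append(accepted(600 * i, 0xB2C3D000 + i, "pc20.example.lan", "192.168.1.20"))
    for i in range(30):   # busy external peer: outside the monitored network
        lines.append(accepted(2 * i, 0xC3D4E000 + i, "mx.example.net", "203.0.113.9"))
    return sorted(lines)  # all on one day, so text order is time order


if __name__ == "__main__":
    for a in find_bursts(constructed_sample(), ["192.168.1.0/24"]):
        print(build_warning(a, "postmaster@example.com"))
```

Counting by client IP rather than by envelope sender keeps the check useful when the sending machine forges its From address.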
From ecasarero at gmail.com Tue Sep 23 01:19:45 2008 
From: ecasarero at gmail.com (Eduardo Casarero) Date: Tue Sep 23 01:19:56 2008 Subject: Notify Admin of User Sending High Volume of Mail In-Reply-To: <44478D9B01E40143A91E1192B0222F5B1C942D@WCMAIL2.performance.pfgc.com> References: <44478D9B01E40143A91E1192B0222F5B1C942D@WCMAIL2.performance.pfgc.com> Message-ID: <7d9b3cf20809221719te56f24bi58f97dd3df65ba49@mail.gmail.com> Check this: http://www.milter.info/sendmail/milter-limit/ It's for sendmail but I think you could use it in postfix. 2008/9/22 Josh Kidd > Don't know if anyone else has attempted to do something like this before > or not, I gave a scan to Google and the lists and didn't see anything. I > have MailScanner setup on a FreeBSD7 machine running > Postfix+MailScanner(SA,ClamAV)+Mailwatch. We are wanting to find a way that > if a user's computer is infected and starts sending out a large number of > emails in a short time frame (ie: 20,30,50 messages in 2-5 minutes). > > > > I assume this would have to be a custom ruleset but being new to > MailScanner I don't know exactly how I would go about creating this rule. > Has anyone done something like this or knows how to? I want MailScanner or > Mailwatch to email me if a user's outbound mail volume exceeds our > pre-defined limits so I can shutdown whatever is sending out the large > volume of mail to prevent our domain from being blacklisted. > > > > Thanks in Advance, > > JK > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From hvdkooij at vanderkooij.org Tue Sep 23 06:39:34 2008 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Tue Sep 23 06:39:43 2008 Subject: Notify Admin of User Sending High Volume of Mail In-Reply-To: <44478D9B01E40143A91E1192B0222F5B1C942D@WCMAIL2.performance.pfgc.com> References: <44478D9B01E40143A91E1192B0222F5B1C942D@WCMAIL2.performance.pfgc.com> Message-ID: <48D88116.3030906@vanderkooij.org> Josh Kidd wrote: > Don't know if anyone else has attempted to do something like this before > or not, I gave a scan to Google and the lists and didn't see anything. I > have MailScanner setup on a FreeBSD7 machine running > Postfix+MailScanner(SA,ClamAV)+Mailwatch. We are wanting to find a way > that if a user's computer is infected and starts sending out a large > number of emails in a short time frame (ie: 20,30,50 messages in 2-5 > minutes). Well if you scan the messages and flag them as spam you might be able to use a tool like sec to parse log files and raise a flag on the proper conditions. I must admit I would have to think a bit before I could write the actual sec rule(s). Hugo. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. From list-mailscanner at linguaphone.com Tue Sep 23 12:10:11 2008 
From: list-mailscanner at linguaphone.com (Gareth) Date: Tue Sep 23 12:27:48 2008 Subject: Notify Admin of User Sending High Volume of Mail In-Reply-To: <44478D9B01E40143A91E1192B0222F5B1C942D@WCMAIL2.performance.pfgc.com> References: <44478D9B01E40143A91E1192B0222F5B1C942D@WCMAIL2.performance.pfgc.com> Message-ID: <1222168210.7678.4.camel@gblades-suse.linguaphone-intranet.co.uk> Have a look at the tool I wrote to block persistent spammers automatically :- http://www.gbnetwork.co.uk/mailscanner/mailwatch2rbl/index.html You don't have to use it to actually block senders but it will create a database of the senders of messages for the last 23 hours which you can use as a starting point. You could also use the mw2rbltool program and get it to show you the top 25 spammers and run it through grep against your internal IP address range and get the output mailed to you if there are any entries. Example output of the top25 spammers is :- [root@mailscanner ~]# mw2rbltool show top spam On Mon, 2008-09-22 at 22:32, Josh Kidd wrote: > Don't know if anyone else has attempted to do something like this > before or not, I gave a scan to Google and the lists and didn't see > anything. I have MailScanner setup on a FreeBSD7 machine running > Postfix+MailScanner(SA,ClamAV)+Mailwatch. We are wanting to find a way > that if a user's computer is infected and starts sending out a large > number of emails in a short time frame (ie: 20,30,50 messages in 2-5 > minutes). > > > > I assume this would have to be a custom ruleset but being new to > MailScanner I don't know exactly how I would go about creating this > rule. Has anyone done something like this or knows how to? I want > MailScanner or Mailwatch to email me if a user's outbound mail volume > exceeds our pre-defined limits so I can shutdown whatever is sending > out the large volume of mail to prevent our domain from being > blacklisted. > > > > Thanks in Advance, > > JK From mark at msapiro.net Tue Sep 23 17:33:59 2008 
From: mark at msapiro.net (Mark Sapiro)
Date: Tue Sep 23 17:34:13 2008
Subject: Potential Postfix CentOS message unpacking bug
In-Reply-To: <48D790F0.1080000@USherbrooke.ca>
References: <48D790F0.1080000@USherbrooke.ca>
Message-ID: <20080923163359.GA2596@msapiro>

On Mon, Sep 22, 2008 at 08:34:56AM -0400, Denis Beauchemin wrote:
> Mark Sapiro wrote:
> >Mark Sapiro wrote:
> >
> >>On Mon, Sep 15, 2008 at 08:48:28AM +0100, Julian Field wrote:
> >>
> >>>So Postfix users on CentOS, please can you check your logs for any
> >>>16-17Kb spams which could possibly containing an attachment called
> >>>"start.zip" (grep should find it in raw queue files, if you're wondering
> >>>how to do that for raw queue files), which have not always been detected
> >>>as infected.
> >>>
> >>I have seen exactly one of these
> >>
> >>/var/log/maillog:Sep 15 00:25:16 sbh16 MailScanner[783]:
> >>ClamAVModule::INFECTED:: Trojan.Fakealert-532 ::
> >>./4C266690092.86EA5/start.zip
> >>
> >>in the last 30 days and no spam quarantined with start.zip attachments.
> >>
> >>>You might want to use the "Archive Mail" feature of MailScanner.conf for
> >>>a while to see if you're getting anything like that, in case you are
> >>>suffering the problem.
> >>>
> >>I have just enabled Archive Mail and will look for start.zip in the
> >>archive.
> >>
> >
> >Here's an update. This is very strange. I set
> >
> >Archive Mail = /var/spool/MailScanner/archive
> >
> >in MailScanner.conf, and I started looking for archived messages
> >containing start.zip. I also noticed that the actual trojan when
> >identified was identified as Trojan.Fakealert-532, so I looked for
> >that in clamd reports as well and found several detections in messages
> >with a "tube.zip" attachment. Two days ago, I found two archived
> >messages with tube.zip attachments that had been quarantined as
> >high-spam and not detected by clamd as infected with
> >Trojan.Fakealert-532.
> >
> >I wanted to see the spam detections for these messages so I added a
> >rule to my high spam rules that would forward the message to me and
> >reloaded Mailscanner. I then copied one of the archived queue file to
> >/var/spool/postfix/hold/ and was shocked to find that this time it was
> >flagged by clamd as infected with Trojan.Fakealert-532. This requeued
> >message was archived too and I did a cmp of the two archived queue
> >files and they were identical, yet the first message was not flagged
> >by clamd and was quarantined as high spam and the second message was
> >flagged by clamd.
> >
> >So the bottom line is I've seen the problem, but it appears to be
> >intermittent, even with an identical message.
> >
>
> Mark,
>
> ClamAV gets updated quite often. Maybe it didn't know about
> Trojan.Fakealert-532 the first time the email got through but it knew
> better some time later.
>

Denis,

While that is possible in general it is not the case here for two reasons.

1. ClamAV had been detecting Trojan.Fakealert-532 on my system for at least two days prior to the two missed detections.

2. Even if ClamAV didn't have a signature, the tube.zip file contains a file named VideoTube.com.avi.exe which should have been flagged for bad filename even if the trojan wasn't detected by ClamAV.

--
Mark Sapiro mark at msapiro net       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From jkidd at afflink.com Tue Sep 23 20:50:11 2008
From: jkidd at afflink.com (Josh Kidd)
Date: Tue Sep 23 20:51:05 2008
Subject: Notify Admin of User Sending High Volume of Mail
In-Reply-To: 
References: <44478D9B01E40143A91E1192B0222F5B1C942D@WCMAIL2.performance.pfgc.com>
Message-ID: <44478D9B01E40143A91E1192B0222F5B1C9436@WCMAIL2.performance.pfgc.com>

I have the 1st one done, all of my mail is going through this Postfix gateway and being scanned by MailScanner. What I have to have is something that will fit into the process to stop a user's computer from sending out spam if it's infected.

Would the Postfix anvil(8) daemon work here with the smtpd_client_message_rate_limit setting to control how many message delivery requests are allowed within the anvil_rate_time_unit? I've been playing around with this but don't know how to implement it correctly, I think, since it doesn't seem to be working. I've added these lines to my Postfix main.cf. The numbers are low just as a test to get some results without having to spam my test relay. Any idea on how to implement the Anvil and Smtpd rate limits?

anvil_rate_time_unit = 60s
anvil_status_update_time = 30s
smtpd_client_message_rate_limit = 10

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott Silva
Sent: Monday, September 22, 2008 4:50 PM
To: mailscanner@lists.mailscanner.info
Subject: Re: Notify Admin of User Sending High Volume of Mail

on 9-22-2008 2:32 PM Josh Kidd spake the following:
> Don't know if anyone else has attempted to do something like this
> before or not, I gave a scan to Google and the lists and didn't see
> anything. I have MailScanner setup on a FreeBSD7 machine running
> Postfix+MailScanner(SA,ClamAV)+Mailwatch. We are wanting to find a way
> that if a user's computer is infected and starts sending out a large
> number of emails in a short time frame (ie: 20,30,50 messages in 2-5
> minutes).
>
> I assume this would have to be a custom ruleset but being new to
> MailScanner I don't know exactly how I would go about creating this
> rule. Has anyone done something like this or know's how to? I want
> MailScanner or Mailwatch to email me if a user's outbound mail volume
> exceeds our pre-defined limits so I can shutdown whatever is sending
> out the large volume of mail to prevent our domain from being blacklisted.
>
> Thanks in Advance,
>
> JK
>

1: Block all users from being able to send smtp directly to the outside world. All mail must go through servers under your control. Scan this outgoing mail. Never completely trust your users because machines get owned every day.

2: Set sending limits in postfix. I can't help you here other than knowing that it can be done.

3: You need a log runner or other script to look for the entries for too many attempts in the logs and mail a warning. Maybe even add an iptables rule for a quick stop while you investigate. That way it gets stopped when no one is available for intervention.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From gmatt at nerc.ac.uk Wed Sep 24 10:30:49 2008
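The log-watching step suggested in this thread (item 3 of the reply above), as an added example that is not code from any poster, from MailScanner or from Postfix: a sliding-window count of messages accepted per internal client, read from Postfix smtpd "client=" log lines. The log lines are constructed, and the 10.0.0.0/8 internal range, the host names and the thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Postfix smtpd writes one "<queue-id>: client=host[ip]" line per accepted
# message (standard syslog layout assumed; the timestamp carries no year).
CLIENT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"[0-9A-Za-z]+: client=\S*\[(?P<ip>[0-9A-Fa-f.:]+)\]"
)


def find_bursts(lines, internal_net, limit, window_seconds, year):
    """Report internal clients that sent more than `limit` messages in the window.

    Returns a list of dicts (ip, first_exceeded, peak), busiest client first.
    """
    net = ip_network(internal_net)
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    alerts = {}
    for line in lines:
        match = CLIENT_RE.match(line)
        if not match:
            continue              # not a message-accepted line
        ip = ip_address(match.group("ip"))
        if ip.version != net.version or ip not in net:
            continue              # inbound mail from outside, not our users
        # The caller supplies the year because syslog omits it.
        ts = datetime.strptime(f"{year} {match.group('ts')}", "%Y %b %d %H:%M:%S")
        seen = recent[ip]
        seen.append(ts)
        while ts - seen[0] > window:
            seen.popleft()        # drop messages older than the window
        if len(seen) > limit:
            alert = alerts.setdefault(
                str(ip), {"ip": str(ip), "first_exceeded": ts, "peak": 0})
            alert["peak"] = max(alert["peak"], len(seen))
    return sorted(alerts.values(), key=lambda a: a["peak"], reverse=True)


def constructed_log():
    """Constructed sample log: one bursting PC, one normal PC, one outside MTA."""
    start = datetime(2008, 9, 23, 20, 40, 0)
    events = [(start + timedelta(seconds=6 * i), "pc17.example.lan", "10.1.2.17")
              for i in range(25)]
    events += [(start + timedelta(minutes=m), "pc30.example.lan", "10.1.2.30")
               for m in (1, 10, 30)]
    events += [(start + timedelta(seconds=i), "mx.example.net", "203.0.113.9")
               for i in range(30)]
    events.sort()
    return [
        f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S} relay postfix/smtpd[4101]: "
        f"{n:010X}: client={host}[{ip}]"
        for n, (ts, host, ip) in enumerate(events, start=1)
    ]


if __name__ == "__main__":
    # Thresholds taken from the question: about 20 messages within 5 minutes.
    for alert in find_bursts(constructed_log(), "10.0.0.0/8", limit=20,
                             window_seconds=300, year=2008):
        print(f"{alert['ip']} exceeded the limit at {alert['first_exceeded']}, "
              f"peak {alert['peak']} messages in the window")
```

Postfix's own smtpd_client_message_rate_limit is not applied to clients matched by smtpd_client_event_limit_exceptions, which defaults to $mynetworks, so internal hosts are exempt from the anvil limits unless that setting is changed.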
From: gmatt at nerc.ac.uk (Greg Matthews) Date: Wed Sep 24 10:31:03 2008 Subject: MailScanner delivering mail with virus? - Addition In-Reply-To: <48C00733.4050004@ecs.soton.ac.uk> References: <48C00733.4050004@ecs.soton.ac.uk> Message-ID: <48DA08C9.6010204@nerc.ac.uk> Julian, the patch below does not work on my 32bit platforms. On my 64bit test platform it works fine but on the production relays $Name does not seem to be populated. Any explanation for this? Anyone else seeing it? GREG Julian Field wrote: > Please try this patch for SweepViruses.pm (in > /usr/lib/MailScanner/MailScanner) > > --- SweepViruses.pm.old 2008-09-04 10:10:36.000000000 +0100 > +++ SweepViruses.pm 2008-09-04 17:03:03.000000000 +0100 > @@ -1506,7 +1506,7 @@ > return 0; > } else { > # Must be an infection reports > - MailScanner::Log::InfoLog("%s::%s", 'ClamAVModule', $logout); > + MailScanner::Log::InfoLog("%s::%s", $Name, $logout); > > ($dot, $id, $part, @rest) = split(/\//, $filename); > $report = $Name . ': ' if $Name; > -- Greg Matthews 01491 692445 Head of UNIX/Linux, iTSS Wallingford -- This message (and any attachments) is for the recipient only. NERC is subject to the Freedom of Information Act 2000 and the contents of this email and any reply you make may be disclosed by NERC unless it is exempt from release under the Act. Any material supplied to NERC may be stored in an electronic records management system. From simonmjones at gmail.com Wed Sep 24 11:21:32 2008 
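Review bot: the changed InfoLog call passes $Name with no fallback, while the context line just below it, `$report = $Name . ': ' if $Name;`, already treats $Name as possibly empty. When $Name is unset, as reported above for the 32-bit relays, the log entry is written with an empty scanner prefix, so keep the old literal as a default, for example `$Name || 'ClamAVModule'`, or make sure $Name is assigned before this branch is reached.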
From: simonmjones at gmail.com (Simon Jones)
Date: Wed Sep 24 11:21:40 2008
Subject: .docx MS Office 2007 files
Message-ID: <70572c510809240321p550aed9cob44a1bd20e8f33f7@mail.gmail.com>

Hello,

I'm having the same trouble as http://lists.mailscanner.info/pipermail/mailscanner/2007-May/073418.html but struggling with the ruleset format. I have filename.rules and filename.rules.conf in my /etc/MailScanner dir - the filename.rules.conf file has loads of stuff in it but I'm not getting the formatting of the syntax and my mailscanner book doesn't make too much sense to me either... can any of you kind chaps explain how it works so I can get my head around it?

thanks!

Simon

From Kit at simplysites.co.uk Wed Sep 24 17:02:53 2008
From: Kit at simplysites.co.uk (Kit Wong)
Date: Wed Sep 24 17:03:11 2008
Subject: noreply@ junk coming through
Message-ID: 

I have latest mailscanner + spamassassin + sare rules etc
I am wondering if anyone else is getting a lot of noreply@ junk coming through.
Bayesian is 0 to 1%
Here is one example.

Return-Path:
Received: from OTBPDESIGN.COM (USD16.SELIAINC.com [174.133.114.16])
 by ns.simply-sites.co.uk (8.13.1/8.13.1) with SMTP id m8OFjE5S028718
 for ; Wed, 24 Sep 2008 16:45:19 +0100
Date: Wed, 24 Sep 2008 10:45:19 -0500 (CDT)
From: Google Profit Team
To: kit@simplysites.net
Subject: Quit your boring job and be a google millionaire
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="ISO-8859-1"
Message-Id: <1390005101@OTBPDESIGN.COM>

Kind Regards

Kit Wong

From alex at rtpty.com Wed Sep 24 17:18:49 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Wed Sep 24 17:19:13 2008
Subject: noreply@ junk coming through
In-Reply-To: 
References: 
Message-ID: <084DFB93-C2E8-4498-848B-114234E1C486@rtpty.com>

No, but this does the trick for me in sendmail's /etc/mail/access:

noreply@ 551 Noreply@? Noreceive!

;-)

---

Alex Neuman
Reliant Technologies
+507 6781-9505
Skype: alexneuman

On Sep 24, 2008, at 11:02 AM, "Kit Wong" wrote:

> I have latest mailscanner + spamassassin + sare rules etc
> I am wondering if anyone else is getting a lot of noreply@ junk
> coming through.
> Bayesian is 0 to 1%
> Here is one example.
>
> Return-Path:
> Received: from OTBPDESIGN.COM (USD16.SELIAINC.com [174.133.114.16])
> by ns.simply-sites.co.uk (8.13.1/8.13.1) with SMTP id
> m8OFjE5S028718
> for ; Wed, 24 Sep 2008 16:45:19 +0100
> Date: Wed, 24 Sep 2008 10:45:19 -0500 (CDT)
> From: Google Profit Team
> To: kit@simplysites.net
> Subject: Quit your boring job and be a google millionaire
> Mime-Version: 1.0
> Content-Transfer-Encoding: 7bit
> Content-Type: text/plain; charset="ISO-8859-1"
> Message-Id: <1390005101@OTBPDESIGN.COM>
>
> Kind Regards
>
> Kit Wong

From rjette at mestek.com Wed Sep 24 17:52:23 2008
From: rjette at mestek.com (Ray Jette)
Date: Wed Sep 24 17:56:40 2008
Subject: MS won't sto
Message-ID: <1222275143.20664.3.camel@mtws-rjette>

This morning I tried to restart mailscanner and now it won't come up:
sudo /etc/init.d/mailscanner start

I receive the following message:

Can't locate MailScanner/Message.pm in @INC (@INC contains: /usr/share/MailScanner/ /etc/perl /usr/local/lib/perl/5.8.8 /usr/local/share/perl/5.8.8 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.8 /usr/share/perl/5.8 /usr/local/site_perl . /usr/share/MailScanner/) at /usr/sbin/MailScanner line 80.

BEGAIN failed--compilation abourted at /usr/sbin/MailScanner line 80.

Thanks in advance for any help you may provide

Ray

From ugob at lubik.ca Wed Sep 24 18:02:32 2008
From: ugob at lubik.ca (Ugo Bellavance)
Date: Wed Sep 24 18:02:51 2008
Subject: MS won't sto
In-Reply-To: <1222275143.20664.3.camel@mtws-rjette>
References: <1222275143.20664.3.camel@mtws-rjette>
Message-ID: 

Ray Jette wrote:
> This morning I tried to restart mailscanner and now it won't come up:
> sudo /etc/init.d/mailscanner start
>
> I receive the following message:
>
> Can't locate MailScanner/Message.pm in @INC (@INC
> contains: /usr/share/MailScanner/ /etc/perl /usr/local/lib/perl/5.8.8 /usr/local/share/perl/5.8.8 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.8 /usr/share/perl/5.8 /usr/local/site_perl . /usr/share/MailScanner/) at /usr/sbin/MailScanner line 80.
>
> BEGAIN failed--compilation abourted at /usr/sbin/MailScanner line 80.
>
> Thanks in advance for any help you may provide

How did you install it, what OS/distro, what install package?

From alex at rtpty.com Wed Sep 24 18:07:28 2008
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Wed Sep 24 18:07:53 2008 Subject: MS won't sto In-Reply-To: <1222275143.20664.3.camel@mtws-rjette> References: <1222275143.20664.3.camel@mtws-rjette> Message-ID: <7BDF0414-C397-4032-A3BC-6DB2F0671D35@rtpty.com> You ran an update which broke the relationship between perl's modules and MailScanner. You need to roll it back or update MailScanner. --- Alex Neuman Reliant Technologies +507 6781-9505 Skype: alexneuman On Sep 24, 2008, at 11:52 AM, Ray Jette wrote: > This morning I tryed to restart mailscanner and now it won't come up: > sudo /etc/init.d/mailscanner start > > I receive the following message: > > Can't locate MailScanner/Message.pm in @INC (@INC > contains: /usr/share/MailScanner/ /etc/perl /usr/local/lib/perl/ > 5.8.8 /usr/local/share/perl/5.8.8 /usr/lib/perl5 /usr/share/perl5 / > usr/lib/perl/5.8 /usr/share/perl/5.8 /usr/local/site_perl . /usr/ > share/MailScanner/) at /usr/sbin/MailScanner line 80. > > BEGAIN failed--compilation abourted at /usr/sbin/MailScanner line 80. > > Thanks in advance for any help you may provide > > Ray > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From martelm at quark.vsc.edu Wed Sep 24 18:23:04 2008 
From: martelm at quark.vsc.edu (Michael H. Martel)
Date: Wed Sep 24 18:23:25 2008
Subject: MailScanner and Microsoft Office 2007 Documents
Message-ID: <5DEE921D5DDAFB53FBC02109@sherlockholmes.vsc.edu>

Greetings!

I think I know the answer to this, but I figure I'll ask anyway.

We're running MailScanner 4.71.10-1 on CentOS 4.7. Been working great for quite a while. Today, one of the auditors (dang auditors, they cause all the problems) sent a MS Word 2007 document to my CFO. MailScanner looked at it and saw an embedded .emf file. So MailScanner said, nope and stripped the docx file out. Which is what it's supposed to do!!

So, short of allowing emf files, which I could do, is there a way to tell MailScanner not to treat docx files as archives ? I'm not even sure that I want that, but ....

Thanks!

Michael

--
--------------------------------o---------------------------------
 Michael H. Martel              | Systems Administrator
 michael.martel@vsc.edu         | Vermont State Colleges
 http://www.vsc.edu/~michael    | PH:802-241-2544 FX:802-241-3363

From Kit at simplysites.co.uk Wed Sep 24 19:02:41 2008
From: Kit at simplysites.co.uk (Kit Wong)
Date: Wed Sep 24 19:02:57 2008
Subject: noreply@ junk coming through
In-Reply-To: <084DFB93-C2E8-4498-848B-114234E1C486@rtpty.com>
References: <084DFB93-C2E8-4498-848B-114234E1C486@rtpty.com>
Message-ID: 

Aren't there some newsletters, order confirmations, ebay etc that are legitimate that usually use the noreply@?

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Neuman van der Hans Sent: 24 September 2008 17:19 To: MailScanner discussion Subject: Re: noreply@ junk coming through No, but this does the trick for me in sendmail's /etc/mail/access: noreply@ 551 Noreply@? Noreceive! ;-) --- Alex Neuman Reliant Technologies +507 6781-9505 Skype: alexneuman On Sep 24, 2008, at 11:02 AM, "Kit Wong" wrote: > I have latest mailscanner + spamassassin + sare rules etc > I am wondering if anyone else is getting a lot of noreply@ junk > coming through. > Bayesian is 0 to 1% > Here is one example. > > Return-Path: > Received: from OTBPDESIGN.COM (USD16.SELIAINC.com [174.133.114.16]) > by ns.simply-sites.co.uk (8.13.1/8.13.1) with SMTP id > m8OFjE5S028718 > for ; Wed, 24 Sep 2008 16:45:19 +0100 > Date: Wed, 24 Sep 2008 10:45:19 -0500 (CDT) > From: Google Profit Team > To: kit@simplysites.net > Subject: Quit your boring job and be a google millionaire > Mime-Version: 1.0 > Content-Transfer-Encoding: 7bit > Content-Type: text/plain; charset="ISO-8859-1" > Message-Id: <1390005101@OTBPDESIGN.COM> > > Kind Regards > > Kit Wong > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- Scanned by MailScanner. From alex at rtpty.com Wed Sep 24 19:17:36 2008 
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Wed Sep 24 19:18:57 2008 Subject: noreply@ junk coming through In-Reply-To: References: <084DFB93-C2E8-4498-848B-114234E1C486@rtpty.com> Message-ID: <6AEBDAB7-212D-46E8-A2AE-3D2F6039C807@rtpty.com> Short answer: yes. Long answer: no. Well configured lists have real addresses. Well configured autoresponders and such are always properly configured. --- Alex Neuman Reliant Technologies +507 6781-9505 Skype: alexneuman On Sep 24, 2008, at 1:02 PM, "Kit Wong" wrote: > Aren't there some newsletters, order confirmations, ebay etc that > are legitimate that usually use the noreply@? > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info > ] On Behalf Of Alex Neuman van der Hans > Sent: 24 September 2008 17:19 > To: MailScanner discussion > Subject: Re: noreply@ junk coming through > > No, but this does the trick for me in sendmail's /etc/mail/access: > > noreply@ 551 Noreply@? Noreceive! > > ;-) > > --- > > Alex Neuman > Reliant Technologies > +507 6781-9505 > Skype: alexneuman > > On Sep 24, 2008, at 11:02 AM, "Kit Wong" > wrote: > >> I have latest mailscanner + spamassassin + sare rules etc >> I am wondering if anyone else is getting a lot of noreply@ junk >> coming through. >> Bayesian is 0 to 1% >> Here is one example. >> >> Return-Path: >> Received: from OTBPDESIGN.COM (USD16.SELIAINC.com [174.133.114.16]) >> by ns.simply-sites.co.uk (8.13.1/8.13.1) with SMTP id >> m8OFjE5S028718 >> for ; Wed, 24 Sep 2008 16:45:19 +0100 >> Date: Wed, 24 Sep 2008 10:45:19 -0500 (CDT) 
>> From: Google Profit Team >> To: kit@simplysites.net >> Subject: Quit your boring job and be a google millionaire >> Mime-Version: 1.0 >> Content-Transfer-Encoding: 7bit >> Content-Type: text/plain; charset="ISO-8859-1" >> Message-Id: <1390005101@OTBPDESIGN.COM> >> >> Kind Regards >> >> Kit Wong >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > Scanned by MailScanner. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From ssilva at sgvwater.com Wed Sep 24 19:23:56 2008 
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Sep 24 19:24:17 2008 Subject: noreply@ junk coming through In-Reply-To: <6AEBDAB7-212D-46E8-A2AE-3D2F6039C807@rtpty.com> References: <084DFB93-C2E8-4498-848B-114234E1C486@rtpty.com> <6AEBDAB7-212D-46E8-A2AE-3D2F6039C807@rtpty.com> Message-ID: on 9-24-2008 11:17 AM Alex Neuman van der Hans spake the following: > Short answer: yes. > > Long answer: no. Well configured lists have real addresses. Well > configured autoresponders and such are always properly configured. > I get system outage alerts about my Verizon T-1's with a noreply address. But it is different enough that the sendmail snip in the original reply wouldn't fire So I guess legitimacy is in the inbox of the receiver! Just take a little time to see if you do have any legit mail using noreply@ address. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080924/65263342/signature.bin From mkercher at nfsmith.com Wed Sep 24 19:24:08 2008 From: mkercher at nfsmith.com (Mike Kercher) Date: Wed Sep 24 19:25:03 2008 Subject: WMV's Getting Through In-Reply-To: <224FA7E11EA39E45843E11CEBBD3A36FEBFE7C@HOUPEX01.nfsmith.info> References: <224FA7E11EA39E45843E11CEBBD3A36FEBFE7C@HOUPEX01.nfsmith.info> Message-ID: <224FA7E11EA39E45843E11CEBBD3A36FEC04B6@HOUPEX01.nfsmith.info> -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Mike Kercher Sent: Wednesday, September 10, 2008 10:55 To: MailScanner discussion Subject: WMV's Getting Through Recently, .WMV files have started being delivered through my MS boxes. I ran file against one of the attachments: file JobMarket-2010.wmv JobMarket-2010.wmv: Microsoft ASF In my filetype.rules.conf, I have: deny ASF No Windows media No Windows media files allowed This hasn't been changed in a LONG time I even tried adding \.wmv$ to filename.rules.conf, but they are still coming through. The only thing I see in the logs is that the email is too big for spam checks (is too big for spam checks (6657685 > 150000 bytes)) Any idea what I'm missing here? TIA Mike -- Bumping to see if anyone has any suggestions. Mike From dave.list at pixelhammer.com Wed Sep 24 19:33:30 2008 From: dave.list at pixelhammer.com (DAve) Date: Wed Sep 24 19:33:47 2008 Subject: noreply@ junk coming through In-Reply-To: References: <084DFB93-C2E8-4498-848B-114234E1C486@rtpty.com> Message-ID: <48DA87FA.6050702@pixelhammer.com> Kit Wong wrote: > Aren't there some newsletters, order confirmations, ebay etc that are legitimate that usually use the noreply@? > We have started blocking noreply very recently. Looking back through the last 30 days not a single message we have received from noreply@* was ham. All told we have 120k to 250k connections in total a day (traffic has been very erratic lately with the zombies). Of those connections, 10k to 12k are from local part addresses we have been blocking outright for several months now. DAve > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Neuman van der Hans > Sent: 24 September 2008 17:19 > To: MailScanner discussion > Subject: Re: noreply@ junk coming through > > No, but this does the trick for me in sendmail's /etc/mail/access: > > noreply@ 551 Noreply@? Noreceive! > > ;-) > > --- > > Alex Neuman > Reliant Technologies > +507 6781-9505 > Skype: alexneuman > > On Sep 24, 2008, at 11:02 AM, "Kit Wong" wrote: > >> I have latest mailscanner + spamassassin + sare rules etc >> I am wondering if anyone else is getting a lot of noreply@ junk >> coming through. >> Bayesian is 0 to 1% >> Here is one example. >> >> Return-Path: >> Received: from OTBPDESIGN.COM (USD16.SELIAINC.com [174.133.114.16]) >> by ns.simply-sites.co.uk (8.13.1/8.13.1) with SMTP id >> m8OFjE5S028718 >> for ; Wed, 24 Sep 2008 16:45:19 +0100 >> Date: Wed, 24 Sep 2008 10:45:19 -0500 (CDT) >> From: Google Profit Team >> To: kit@simplysites.net >> Subject: Quit your boring job and be a google millionaire >> Mime-Version: 1.0 >> Content-Transfer-Encoding: 7bit >> Content-Type: text/plain; charset="ISO-8859-1" >> Message-Id: <1390005101@OTBPDESIGN.COM> >> >> Kind Regards >> >> Kit Wong >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- Don't tell me I'm driving the cart! From alex at rtpty.com Wed Sep 24 19:38:29 2008 
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Wed Sep 24 19:38:51 2008 Subject: noreply@ junk coming through In-Reply-To: References: <084DFB93-C2E8-4498-848B-114234E1C486@rtpty.com> <6AEBDAB7-212D-46E8-A2AE-3D2F6039C807@rtpty.com> Message-ID: <0A855ACC-9566-491E-9880-50D8F66CF527@rtpty.com> Very true. Those system messages usually come from noblahblahreply- somethingorother@ so they rarely hit the rule. --- Alex Neuman Reliant Technologies +507 6781-9505 Skype: alexneuman On Sep 24, 2008, at 1:23 PM, Scott Silva wrote: > on 9-24-2008 11:17 AM Alex Neuman van der Hans spake the following: >> Short answer: yes. >> Long answer: no. Well configured lists have real addresses. Well >> configured autoresponders and such are always properly configured. > I get system outage alerts about my Verizon T-1's with a noreply > address. But it is different enough that the sendmail snip in the > original reply wouldn't fire > > So I guess legitimacy is in the inbox of the receiver! > Just take a little time to see if you do have any legit mail using > noreply@ address. > > > > -- > MailScanner is like deodorant... > You hope everybody uses it, and > you notice quickly if they don't!!!! > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From alex at rtpty.com Wed Sep 24 19:41:29 2008 
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Wed Sep 24 19:41:53 2008 Subject: WMV's Getting Through In-Reply-To: <224FA7E11EA39E45843E11CEBBD3A36FEC04B6@HOUPEX01.nfsmith.info> References: <224FA7E11EA39E45843E11CEBBD3A36FEBFE7C@HOUPEX01.nfsmith.info> <224FA7E11EA39E45843E11CEBBD3A36FEC04B6@HOUPEX01.nfsmith.info> Message-ID: <3CF0F6D8-3576-468D-A412-274B33FD186D@rtpty.com> You probably have multiple recipients and one has the right to receive them. --- Alex Neuman Reliant Technologies +507 6781-9505 Skype: alexneuman On Sep 24, 2008, at 1:24 PM, "Mike Kercher" wrote: > > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Mike > Kercher > Sent: Wednesday, September 10, 2008 10:55 > To: MailScanner discussion > Subject: WMV's Getting Through > > Recently, .WMV files have started being delivered through my MS boxes. > > I ran file against one of the attachments: > > file JobMarket-2010.wmv > JobMarket-2010.wmv: Microsoft ASF > > In my filetype.rules.conf, I have: > > deny ASF No Windows media No Windows media files > allowed > > This hasn't been changed in a LONG time > > I even tried adding \.wmv$ to filename.rules.conf, but they are still > coming through. > > The only thing I see in the logs is that the email is too big for spam > checks (is too big for spam checks (6657685 > 150000 bytes)) > > Any idea what I'm missing here? > > TIA > > Mike > -- > > Bumping to see if anyone has any suggestions. > > Mike > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From Kit at simplysites.co.uk Wed Sep 24 19:58:01 2008 
From: Kit at simplysites.co.uk (Kit Wong)
Date: Wed Sep 24 19:58:20 2008
Subject: noreply@ junk coming through
In-Reply-To: 
References: <084DFB93-C2E8-4498-848B-114234E1C486@rtpty.com> <6AEBDAB7-212D-46E8-A2AE-3D2F6039C807@rtpty.com>
Message-ID: 

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott Silva
Sent: 24 September 2008 19:24
To: mailscanner@lists.mailscanner.info
Subject: Re: noreply@ junk coming through

on 9-24-2008 11:17 AM Alex Neuman van der Hans spake the following:
>> Short answer: yes.
>>
>> Long answer: no. Well configured lists have real addresses. Well
>> configured autoresponders and such are always properly configured.
>
>I get system outage alerts about my Verizon T-1's with a noreply address. But it is different enough that the sendmail snip in the original reply wouldn't fire

>So I guess legitimacy is in the inbox of the receiver!
>Just take a little time to see if you do have any legit mail using noreply@ address.

Just noticed a majority of these noreply@ junk mails are listed in URI_BLACK.
I just need to pump the scores up on this.
Stupid question....where do I go to change the score?
I have 4 50_scores.cf

/etc/mail/spamassassin/updates_spamassassin_org/50_scores.cf
/usr/share/spamassassin/50_scores.cf
/var/lib/spamassassin/3.001009/updates_spamassassin_org/50_scores.cf
/var/lib/spamassassin/3.002004/updates_spamassassin_org/50_scores.cf

I read somewhere that changing 50_scores.cf is not recommended as it will be overwritten when it updates.
Do I stick it in /etc/mail/spamassassin/local.cf?

From ssilva at sgvwater.com Wed Sep 24 20:06:08 2008
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Sep 24 20:10:11 2008 Subject: noreply@ junk coming through In-Reply-To: References: <084DFB93-C2E8-4498-848B-114234E1C486@rtpty.com> <6AEBDAB7-212D-46E8-A2AE-3D2F6039C807@rtpty.com> Message-ID: on 9-24-2008 11:58 AM Kit Wong spake the following: > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott Silva > Sent: 24 September 2008 19:24 > To: mailscanner@lists.mailscanner.info > Subject: Re: noreply@ junk coming through > > on 9-24-2008 11:17 AM Alex Neuman van der Hans spake the following: >>> Short answer: yes. >>> >>> Long answer: no. Well configured lists have real addresses. Well >>> configured autoresponders and such are always properly configured. >> I get system outage alerts about my Verizon T-1's with a noreply address. But it is different enough that the sendmail snip in the original reply wouldn't fire > >> So I guess legitimacy is in the inbox of the receiver! >> Just take a little time to see if you do have any legit mail using noreply@ address. > > Just notice a majority of these noreply@ junk mail are listed in URI_BLACK. > I just need to pump the scores up on this. > Stupid question....where do I go to change the score? > I have 4 50_scores.cf > > /etc/mail/spamassassin/updates_spamassassin_org/50_scores.cf > /usr/share/spamassassin/50_scores.cf > /var/lib/spamassassin/3.001009/updates_spamassassin_org/50_scores.cf > /var/lib/spamassassin/3.002004/updates_spamassassin_org/50_scores.cf > > I read somewhere that changing 50_scores.cf is not recommended as it will be over written when it updates. > Do I stick it in /etc/mail/spamassassin/local.cf? > > Add it in spamassassin.prefs.conf "score rule_name 5.0" (or suitable number for you) -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080924/a086f807/signature.bin From alex at rtpty.com Wed Sep 24 20:15:14 2008 
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Wed Sep 24 20:15:38 2008
Subject: noreply@ junk coming through
In-Reply-To:
References: <084DFB93-C2E8-4498-848B-114234E1C486@rtpty.com> <6AEBDAB7-212D-46E8-A2AE-3D2F6039C807@rtpty.com>
Message-ID:

Or in whatever.cf as long as it's on /etc/mail/spamassassin

---
Alex Neuman
Reliant Technologies
+507 6781-9505
Skype: alexneuman

From Kit at simplysites.co.uk Wed Sep 24 20:18:41 2008
From: Kit at simplysites.co.uk (Kit Wong)
Date: Wed Sep 24 20:18:59 2008
Subject: Autolearn whitelisted emails
Message-ID:

Hi All

Not sure if this is a feature that I need to switch on or something else.

Is it possible to autolearn whitelisted emails as ham?
This would ultimately help the accuracy of Bayes.

Regards

Kit

From mkercher at nfsmith.com Wed Sep 24 20:23:31 2008
From: mkercher at nfsmith.com (Mike Kercher)
Date: Wed Sep 24 20:24:28 2008
Subject: WMV's Getting Through
In-Reply-To: <3CF0F6D8-3576-468D-A412-274B33FD186D@rtpty.com>
References: <224FA7E11EA39E45843E11CEBBD3A36FEBFE7C@HOUPEX01.nfsmith.info><224FA7E11EA39E45843E11CEBBD3A36FEC04B6@HOUPEX01.nfsmith.info> <3CF0F6D8-3576-468D-A412-274B33FD186D@rtpty.com>
Message-ID: <224FA7E11EA39E45843E11CEBBD3A36FEC04D1@HOUPEX01.nfsmith.info>

I don't have any rulesets that allow WMV's for anyone. I want to block them all. WMV seems to be the only extension getting through...mp3, mpg and avi are still being blocked.

Mike

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Neuman van der Hans
Sent: Wednesday, September 24, 2008 13:41
To: MailScanner discussion
Subject: Re: WMV's Getting Through

You probably have multiple recipients and one has the right to receive them.

---
Alex Neuman
Reliant Technologies
+507 6781-9505
Skype: alexneuman

On Sep 24, 2008, at 1:24 PM, "Mike Kercher" wrote:

>
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Mike Kercher
> Sent: Wednesday, September 10, 2008 10:55
> To: MailScanner discussion
> Subject: WMV's Getting Through
>
> Recently, .WMV files have started being delivered through my MS boxes.
>
> I ran file against one of the attachments:
>
> file JobMarket-2010.wmv
> JobMarket-2010.wmv: Microsoft ASF
>
> In my filetype.rules.conf, I have:
>
> deny ASF No Windows media No Windows media files allowed
>
> This hasn't been changed in a LONG time
>
> I even tried adding \.wmv$ to filename.rules.conf, but they are still
> coming through.
>
> The only thing I see in the logs is that the email is too big for spam
> checks (is too big for spam checks (6657685 > 150000 bytes))
>
> Any idea what I'm missing here?
>
> TIA
>
> Mike
> --
>
> Bumping to see if anyone has any suggestions.
>
> Mike

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From alex at rtpty.com Wed Sep 24 20:34:22 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Wed Sep 24 20:34:52 2008
Subject: Autolearn whitelisted emails
In-Reply-To:
References:
Message-ID: <0B22312C-CE1D-4FBC-9A6A-70AE6242D6B3@rtpty.com>

Unless someone spoofs said addresses.

---
Alex Neuman
Reliant Technologies
+507 6781-9505
Skype: alexneuman

From Kit at simplysites.co.uk Wed Sep 24 20:41:58 2008
From: Kit at simplysites.co.uk (Kit Wong)
Date: Wed Sep 24 20:44:24 2008
Subject: Autolearn whitelisted emails
In-Reply-To: <0B22312C-CE1D-4FBC-9A6A-70AE6242D6B3@rtpty.com>
References: <0B22312C-CE1D-4FBC-9A6A-70AE6242D6B3@rtpty.com>
Message-ID:

Sorry, whitelisted IP addresses manually added to spam.whitelist.rules file

From Kit at simplysites.co.uk Wed Sep 24 20:53:19 2008
From: Kit at simplysites.co.uk (Kit Wong)
Date: Wed Sep 24 20:54:07 2008
Subject: Autolearn whitelisted emails
References: <0B22312C-CE1D-4FBC-9A6A-70AE6242D6B3@rtpty.com>
Message-ID:

I think I have found it, it does do it just as long as you give Whitelisted ip's a high negative score!!

thanks

From Kit at simplysites.co.uk Wed Sep 24 22:53:56 2008
From: Kit at simplysites.co.uk (Kit Wong)
Date: Wed Sep 24 22:54:24 2008
Subject: Autolearn whitelisted emails
In-Reply-To:
References: <0B22312C-CE1D-4FBC-9A6A-70AE6242D6B3@rtpty.com>
Message-ID:

Now that's the theory but when I put the ip in spam.whitelist.rules all I get is SpamAssassin Score: 0.00 in message details of Mailwatch.
Can I give it a negative score of say -100 instead? Am I missing a setting somewhere?

From annett.david at gmail.com Wed Sep 24 22:59:10 2008
From: annett.david at gmail.com (David Annett)
Date: Wed Sep 24 22:59:19 2008
Subject: Start failure due to Compress/Zlib.pm line 9
Message-ID:

Hi guys,
MailScanner is failing to start on my CentOS 5 server due to what appears to be an issue with perl-Archive-Zip. When I issue a "service MailScanner start" I get the following error:

Starting MailScanner daemons:
incoming sendmail: [ OK ]
outgoing sendmail: [ OK ]
MailScanner: is only avaliable with the XS version at /usr/lib/perl5/vendor_perl/5.8.8/Compress/Zlib.pm line 9
BEGIN failed--compilation aborted at /usr/lib/perl5/vendor_perl/5.8.8/Compress/Zlib.pm line 9.
Compilation failed in require at /usr/lib/perl5/vendor_perl/5.8.8/Archive/Zip.pm line 11.
BEGIN failed--compilation aborted at /usr/lib/perl5/vendor_perl/5.8.8/Archive/Zip.pm line 11.
Compilation failed in require at /usr/lib/MailScanner/MailScanner/Message.pm line 48.
BEGIN failed--compilation aborted at /usr/lib/MailScanner/MailScanner/Message.pm line 48.
Compilation failed in require at /usr/sbin/MailScanner line 79.
BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 79.
[ OK ]

From what I can gather the issue could be with perl-Archive-Zip and according to yum is "perl-Archive-Zip.noarch 1.23-1.el5.rf installed". The latest version I can find is 1.24 but not packaged for CentOS.

I welcome any suggestions as the email for my whole domain has now been down for several hours and I'm running out of ideas of how to fix this!

Thanks in advance
David

From mkettler at evi-inc.com Wed Sep 24 23:01:57 2008
From: mkettler at evi-inc.com (Matt Kettler)
Date: Wed Sep 24 23:02:49 2008
Subject: Autolearn whitelisted emails
In-Reply-To:
References:
Message-ID: <48DAB8D5.1060003@evi-inc.com>

Kit Wong wrote:
> Hi All
>
> Not sure if this is a feature that I need to switch on or something else.
>
> Is it possible to autolearn whitelisted emails as ham?
>
> This would ultimately help the accuracy of Bayes.
>

This is in general not a good idea. SpamAssassin intentionally doesn't consider its own whitelisting scores when doing autolearning.

Why? Because it's *very* common to make a small mistake in your whitelisting config, and if that gets abused and spammed, your whole bayes DB is now polluted with garbage learning. If you can't recover all the mis-learned messages and retrain them, you pretty much have to wipe out your bayes DB and start from scratch.

From andrew at gdcon.net Thu Sep 25 00:14:37 2008
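[Added example, not part of any list message: a simplified Python model of the autolearn decision Matt Kettler describes above, showing why counting a whitelist score would let spoofed mail be learned as ham. The two thresholds follow SpamAssassin's documented defaults; the tflags on the whitelist hit, the other rule names and every score are constructed assumptions.]

```python
"""Simplified model of SpamAssassin's Bayes autolearn decision (illustrative only)."""
from dataclasses import dataclass

# Documented defaults of bayes_auto_learn_threshold_nonspam / _spam.
HAM_THRESHOLD = 0.1
SPAM_THRESHOLD = 12.0
# Rules carrying any of these tflags are left out of the autolearn score.
EXCLUDED_TFLAGS = frozenset({"learn", "userconf", "noautolearn"})


@dataclass(frozen=True)
class Hit:
    name: str                       # rule name
    score: float                    # score contributed by the rule
    area: str                       # "header" or "body"
    tflags: frozenset = frozenset()


def counted_hits(hits, honour_exclusions=True):
    """Return the hits that contribute to the autolearn score."""
    if not honour_exclusions:
        return list(hits)
    return [h for h in hits if not (h.tflags & EXCLUDED_TFLAGS)]


def autolearn_decision(hits, honour_exclusions=True):
    """Return 'ham', 'spam' or 'no' for one scanned message."""
    counted = counted_hits(hits, honour_exclusions)
    total = sum(h.score for h in counted)
    if total < HAM_THRESHOLD:
        return "ham"
    if total >= SPAM_THRESHOLD:
        header = sum(h.score for h in counted if h.area == "header")
        body = sum(h.score for h in counted if h.area == "body")
        # Spam is only learned with at least 3 points from each area.
        if header >= 3.0 and body >= 3.0:
            return "spam"
    return "no"


# Whitelist hit; the tflags assignment is an assumption of this model.
WHITELIST = Hit("USER_IN_WHITELIST", -100.0, "header",
                frozenset({"userconf", "nice", "noautolearn"}))

# Constructed sample messages (SAMPLE_* rule names and scores are made up).
SPOOFED_SPAM = [WHITELIST,
                Hit("SAMPLE_URI_LISTED", 4.0, "body"),
                Hit("SAMPLE_FORGED_RCVD", 3.5, "header"),
                Hit("SAMPLE_HTML_ONLY", 1.0, "body")]
BLATANT_SPAM = SPOOFED_SPAM + [Hit("SAMPLE_BULK_HDR", 2.5, "header"),
                               Hit("SAMPLE_PILLS_BODY", 3.0, "body")]
CLEAN_MAIL = [WHITELIST]


def compare(hits):
    """Decision with the whitelist hit excluded vs. naively counted."""
    return autolearn_decision(hits, True), autolearn_decision(hits, False)


if __name__ == "__main__":
    for label, msg in (("spoofed spam", SPOOFED_SPAM),
                       ("blatant spam", BLATANT_SPAM),
                       ("clean mail", CLEAN_MAIL)):
        excluded, naive = compare(msg)
        print(f"{label:13s} whitelist excluded: {excluded:4s}  whitelist counted: {naive}")
```

With the whitelist hit counted, both spam samples from a spoofed whitelisted sender would be learned as ham, which is the Bayes pollution described in the reply; with it excluded, clean whitelisted mail is still learned as ham on its own merits.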
From: andrew at gdcon.net (Andrew MacLachlan)
Date: Thu Sep 25 00:14:59 2008
Subject: Announcing the new FSL MailScanner Beta yum repository
In-Reply-To: <48D67CED.8060802@ecs.soton.ac.uk>
References: <48D25F6A.4090906@ecs.soton.ac.uk> <48D67CED.8060802@ecs.soton.ac.uk>
Message-ID: <48DAC9DD.5000505@gdcon.net>

Julian Field wrote:
> I don't want to start any form of argument here, but isn't this like
> all those companies out there who sell MailScanner as a chargeable
> service to all their customers, and then never even consider giving me
> any form of compensation for all the profit they are making out of my
> work?

No argument from me - I've had sooo many people wanting to sell ESVA (which is MS based) that I've lost count - Biggest problem with that approach is that it's morally bankrupt - I couldn't reasonably charge for something that isn't mine to sell. OK - I've invested a lot of time and effort (as well as some money) on building the thing and making it easy to use, but I've also had a lot of help from others as well. The only way that I could justify making money out of something like ESVA is to redistribute some of the profits back to those who provide the software that makes it work (i.e. Jules ) - and not by selling the software - you can only sell your time (i.e. support, managed/professional services, value-add etc.) - which is exactly how I see the repository: Value add for the MS portions. The rest of the packages (i.e. ClamAV, SA etc. are free but included in the repository for convenience and stability. If you don't want to hand-crank everything there are other (free) options.

>
> Yes, there are a few very notable exceptions to this (thankyou, you
> know who you are), but there aren't very many who give me anything.
> Most of them take the profit and run, without ever even thinking of
> giving me anything in return.

I've not donated anything but can you make an exception as I don't make any money either?

>
> Also, the beta repository is free.
>
> And any services like this that we may choose to make a charge for, I
> don't directly get any of that money anyway. :-(
>
> Jules
>

-Andy

From alex at rtpty.com Thu Sep 25 00:14:38 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Thu Sep 25 00:15:00 2008
Subject: Start failure due to Compress/Zlib.pm line 9
In-Reply-To:
References:
Message-ID:

Down because you don't want to run your mta by itself. Down because you ran a perl update that broke several things.

Update MailScanner, along with other relevant perl modules such as scalar::util, and do a --lint. Run your mta by itself in the meantime. Disable yum updates.

---
Alex Neuman
Reliant Technologies
+507 6781-9505
Skype: alexneuman

From annett.david at gmail.com Thu Sep 25 02:28:30 2008
From: annett.david at gmail.com (David Annett)
Date: Thu Sep 25 02:28:42 2008
Subject: Start failure due to Compress/Zlib.pm line 9
In-Reply-To:
References:
Message-ID:

I hope you don't find my attitude lazy since I feel the server should serve me and not the other way round, so I try to keep things as simple as possible while providing the features I want. For this reason I have never looked at running the mta by itself. I have tried downloading the latest version of MailScanner from www.mailscanner.org and installed it. I have also tried using cpan to update Archive::Zip and, as suggested, Scalar::Init. Neither help as even running "/usr/sbin/MailScanner -v" returns an error. I will disable yum if that is what it takes to make the system work properly. I suspect it is also the cause of dhcpd.conf file periodically having its DNS info overwritten. I have relied on yum to keep me patched so as to reduce hacking risks.

The bottom line is I'm still stuffed. I read through 2 months of mailing list listings before placing my message but guess I should return and read more.

Thanks for your advice.

From indunil75 at gmail.com Thu Sep 25 05:20:28 2008
From: indunil75 at gmail.com (Indunil Jayasooriya)
Date: Thu Sep 25 05:20:37 2008
Subject: Archive Mail
Message-ID: <7ed6b0aa0809242120rf74084ai38141f18242c6b1b@mail.gmail.com>

Hi,

I want to archive both outgoing mail incoming mails to 2 different email addresses. I think I will have to write a rule set for that.

I have set Archive Mail as follows in MailScanner.conf file.

#Archive Mail = /var/spool/MailScanner/archive
Archive Mail = %rules-dir%/archive.rules

Pls assume my domain is example.com. Then, How can I write a rule to for incoming mails and outgoing mails

I have written a simple rule as follows

my archive.rules as follows

To:@example.com incomingarchive@example.com
From:@example.com outgoingarchive@example.com

then, I created a 2 usernames such as incomingarchive and outgoingarchive by using useradd command.

Am I right?

Any Advice?

--
Thank you
Indunil Jayasooriya

From alex at rtpty.com Thu Sep 25 05:39:49 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Thu Sep 25 05:40:04 2008
Subject: Start failure due to Compress/Zlib.pm line 9
In-Reply-To:
References:
Message-ID:

Try this:

killall -9 MailScanner
killall -9 sendmail
sendmail -bd -q5m
sendmail -O QueueDirectory=/var/spool/mqueue.in (this should take a long long time)

(this assumes you're running sendmail)

That should take care of mail for now - if your sendmail's properly configured you're still blocking a lot of spam at the MTA level.

Then go back and run:

MailScanner --lint

Take note of where it chokes. That's your starting point. Paste it here, you'll probably get some help. You should also include things like OS, architecture, type of install, etc.

From paul.hutchings at mira.co.uk Thu Sep 25 09:31:53 2008
From: paul.hutchings at mira.co.uk (Paul Hutchings)
Date: Thu Sep 25 09:32:08 2008
Subject: Selective Signatures?
Message-ID:

If I have a box that relays through my MailScanner box (running Postfix), how can I configure signature rules such that only mail from that IP address *and* with a "from" domain of ourdomain.com receives a signature please?

I can see how to do either/or but not how to make a rule so that both conditions must be true.

Essentially I don't want mail sent from that IP but with a "from" domain of "otherdomain.com" to have a signature added.

Cheers,
Paul

--
MIRA Ltd
Watling Street, Nuneaton, Warwickshire, CV10 0TU, England.
Registered in England and Wales No. 402570
VAT Registration GB 114 5409 96

The contents of this e-mail are confidential and are solely for the use of the intended recipient. If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax. You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited.

From lists at sequestered.net Thu Sep 25 09:56:02 2008
From: lists at sequestered.net (Jay Chandler)
Date: Thu Sep 25 09:56:42 2008
Subject: MailScanner on a Postfix Mailgate
Message-ID: <48DB5222.6030000@sequestered.net>

Howdy, folks; been a while since I've posted here.

For those who may or may not recall, I used to administer MailScanner (among other things) for $WeTeachYuppies. I moved on to corporate life about a year ago, and have been doing all right with mail filtering via DNS up until now.

My issue is that MailScanner at the old job (as well as MailScanner at home) run on FreeBSD, which is relatively straightforward. Running it on CentOS 5.2 (our platform of choice at work) seems to be a dependency nightmare, with it being incredibly easy to stomp the MailScanner installation into oblivion.

Short of putting a gun to someone's head and demanding FreeBSD mailgates, is there a good solution to this problem? I can't be the first person to say "Wait a second, this is nightmarish" about the upkeep of MS under Linux; I've been running my home install with minimal maintenance under FreeBSD for two years, yet I can't seem to keep a system together under Linux for more than one patch cycle without something important dying...

--
Jay Chandler / KB1JWQ
Living Legend / Systems Exorcist
Today's Excuse: All of the packets are empty

From lists at sequestered.net Thu Sep 25 10:43:49 2008
From: lists at sequestered.net (Jay Chandler)
Date: Thu Sep 25 10:44:29 2008
Subject: SuSE and MailScanner
Message-ID: <48DB5D55.3080808@sequestered.net>

Gah, I'm prolific tonight; the travails of an unfamiliar system.

A client is having me set up MailScanner with Postfix.

/etc/MailScanner/MailScanner.conf:
Run As User = postfix
Run As Group = postfix
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
MTA = postfix

Messages are being sent to the hold queue by Postfix, but MailScanner
never picks them up. I see the MailScanner process waiting for messages
(as it states in ps aux), but it never actually sees the messages
sitting there. The directories in question are owned by
postfix:postfix; what else should I check?

--
Jay Chandler / KB1JWQ
Living Legend / Systems Exorcist
Today's Excuse: All of the packets are empty

From martinh at solidstatelogic.com Thu Sep 25 10:55:48 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Thu Sep 25 10:56:07 2008
Subject: SuSE and MailScanner
In-Reply-To: <48DB5D55.3080808@sequestered.net>
Message-ID: <5385471e102f7b40ab91646a13551cb6@solidstatelogic.com>

Jay

Run in debug mode.....logged in as postfix user of course.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
Confidentiality : This e-mail and any attachments are intended for the
addressee only and may be confidential. If they come to you in error
you must take no action based on them, nor must you copy or show them
to anyone. Please advise the sender by replying to this e-mail
immediately and then delete the original from your computer.
Opinion : Any opinions expressed in this e-mail are entirely those of
the author and unless specifically stated to the contrary, are not
necessarily those of the author's employer.
Security Warning : Internet e-mail is not necessarily a secure
communications medium and can be subject to data corruption. We advise
that you consider this fact when e-mailing us.
Viruses : We have taken steps to ensure that this e-mail and any
attachments are free from known viruses but in keeping with good
computing practice, you should ensure that they are virus free.

Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales
(Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU,
United Kingdom
**********************************************************************

From lists at sequestered.net Thu Sep 25 11:46:32 2008
From: lists at sequestered.net (Jay Chandler)
Date: Thu Sep 25 11:47:04 2008
Subject: SuSE and MailScanner
In-Reply-To: <5385471e102f7b40ab91646a13551cb6@solidstatelogic.com>
References: <5385471e102f7b40ab91646a13551cb6@solidstatelogic.com>
Message-ID: <48DB6C08.5040309@sequestered.net>

Martin.Hepworth wrote:
> Jay
>
> Run in debug mode.....logged in as postfix user of course.
>
> --
>

Done.

Hangs at:
postfix@linux-p7d8:~> /usr/sbin/MailScanner -debug
In Debugging mode, not forking...
Trying to setlogsock(unix)
SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
Building a message batch to scan...

I'm open to suggestions. :-)

--
Jay Chandler / KB1JWQ
Living Legend / Systems Exorcist
Today's Excuse: All of the packets are empty

From andrew at gdcon.net Thu Sep 25 11:55:18 2008
From: andrew at gdcon.net (Andrew MacLachlan)
Date: Thu Sep 25 11:55:32 2008
Subject: MailScanner on a Postfix Mailgate
In-Reply-To: <48DB5222.6030000@sequestered.net>
References: <48DB5222.6030000@sequestered.net>
Message-ID: <48DB6E16.3060602@gdcon.net>

Jay Chandler wrote:
> Howdy, folks; been a while since I've posted here.
>
> For those who may or may not recall, I used to administer MailScanner
> (among other things) for $WeTeachYuppies. I moved on to corporate
> life about a year ago, and have been doing all right with mail
> filtering via DNS up until now.
>
> My issue is that MailScanner at the old job (as well as MailScanner at
> home) run on FreeBSD, which is relatively straightforward. Running it
> on CentOS 5.2 (our platform of choice at work) seems to be a
> dependency nightmare, with it being incredibly easy to stomp the
> MailScanner installation into oblivion.
> Short of putting a gun to someone's head and demanding FreeBSD
> mailgates, is there a good solution to this problem? I can't be the
> first person to say "Wait a second, this is nightmarish" about the
> upkeep of MS under Linux; I've been running my home install with
> minimal maintenance under FreeBSD for two years, yet I can't seem to
> keep a system together under Linux for more than one patch cycle
> without something important dying...
>

And there I was thinking that MS on CentOS was pretty straight forward...
The only thing I've done is block yum from attempting to update perl.
Everything else is pretty stock-standard.
What are the specifics of the systems you are having issues with?

-Andy

From martinh at solidstatelogic.com Thu Sep 25 11:55:22 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Thu Sep 25 11:55:43 2008
Subject: SuSE and MailScanner
In-Reply-To: <48DB6C08.5040309@sequestered.net>
Message-ID: <00ac753be329a54f932b779a4c292b5d@solidstatelogic.com>

Hmm

Does that exist and can the postfix user access it?

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From roland at inbox4u.de Thu Sep 25 11:55:05 2008
From: roland at inbox4u.de (Ehle, Roland)
Date: Thu Sep 25 11:55:53 2008
Subject: AW: Selective Signatures?
In-Reply-To:
References:
Message-ID:

Hi Paul,

this is easy to do. You must:

1. Set "Sign Clean Messages=" to a ruleset
2. Put into the ruleset the following lines

From: *@domain.com and From: IP yes
From: *@ourdomain.com and From: IP yes

Remember to have a Tab behind the first From: and behind IP

That's it

Regards,
Roland

From martinh at solidstatelogic.com Thu Sep 25 12:09:53 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Thu Sep 25 12:10:05 2008
Subject: SuSE and MailScanner
In-Reply-To: <00ac753be329a54f932b779a4c292b5d@solidstatelogic.com>
Message-ID: <504945306091dc44aa12c52a64c5fd62@solidstatelogic.com>

Jay

Also try

MailScanner --debug --debug-sa

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From lists at sequestered.net Thu Sep 25 12:34:13 2008
From: lists at sequestered.net (Jay Chandler)
Date: Thu Sep 25 12:34:33 2008
Subject: SuSE and MailScanner
In-Reply-To: <00ac753be329a54f932b779a4c292b5d@solidstatelogic.com>
References: <00ac753be329a54f932b779a4c292b5d@solidstatelogic.com>
Message-ID: <48DB7735.2050209@sequestered.net>

Martin.Hepworth wrote:
> Hmm
>
> Does that exist and can the postfix user access it?
>
>

Yes. The delay issue seems to have solved itself-- odd. Now:

postfix@linux-p7d8:~> /usr/sbin/MailScanner -debug
In Debugging mode, not forking...
Trying to setlogsock(unix)
SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
Building a message batch to scan...
Have a batch of 1 message.
max message size is '200k'
/usr/local/bin/clamscan: unrecognized option '--unzip'
ERROR: Unknown option passed.
ERROR: Can't parse the command line
Stopping now as you are debugging me.
postfix@linux-p7d8:~>

Any idea what would cause this? I built the clamav from the tarball
provided at mailscanner.info.

--
Jay Chandler / KB1JWQ
Living Legend / Systems Exorcist
Today's Excuse: All of the packets are empty

From lhaig at haigmail.com Thu Sep 25 12:45:00 2008
From: lhaig at haigmail.com (Lance Haig)
Date: Thu Sep 25 12:45:10 2008
Subject: SuSE and MailScanner
In-Reply-To: <48DB7735.2050209@sequestered.net>
References: <00ac753be329a54f932b779a4c292b5d@solidstatelogic.com> <48DB7735.2050209@sequestered.net>
Message-ID: <132eedb8553e96188fda700b65ab556e@redrail.co.uk>

Hi Jay,

I wrote this some time ago and it could help

http://wiki.mailscanner.info/doku.php?id=documentation:install_upgrade:install:rpm-suse

Does it help?

Lance

From chris at clh.org.uk Thu Sep 25 12:49:26 2008
From: chris at clh.org.uk (Chris Hardy)
Date: Thu Sep 25 12:49:46 2008
Subject: MailScanner on a Postfix Mailgate
In-Reply-To: <48DB6E16.3060602@gdcon.net>
References: <48DB5222.6030000@sequestered.net> <48DB6E16.3060602@gdcon.net>
Message-ID: <48DB7AC6.2020803@clh.org.uk>

I've been using MS on CentOS successfully for ages with no problems
apart from the perl issue that's well known about.

New version of MS come, run package, run the upgrader, restart MS - hey
presto!

Do you use anything specific that causes problems?

c

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From martinh at solidstatelogic.com Thu Sep 25 13:12:35 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Thu Sep 25 13:12:50 2008
Subject: MailScanner on a Postfix Mailgate
In-Reply-To: <48DB7AC6.2020803@clh.org.uk>
Message-ID:

It's the centos updates the blat over the MS perl libs etc that cause
the issue.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From Denis.Beauchemin at USherbrooke.ca Thu Sep 25 13:22:40 2008
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Thu Sep 25 13:22:55 2008
Subject: AW: Selective Signatures?
In-Reply-To:
References:
Message-ID: <48DB8290.9040802@USherbrooke.ca>

Ehle, Roland wrote:
> Hi Paul,
>
> this is easy to do. You must:
>
> 1. Set "Sign Clean Messages=" to a ruleset
> 2. Put into the ruleset the following lines
>
> From: *@domain.com and From: IP yes
> From: *@ourdomain.com and From: IP yes
>
> Remember to have a Tab behind the first From: and behind IP
> That's it
>

Paul and Roland,

I'm pretty sure there is no need to use TABs in rules files, except for
those 2: filename.rules.conf and filetype.rules.conf

Denis

--
   _
  °v°   Denis Beauchemin, analyst
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From paul.hutchings at mira.co.uk Thu Sep 25 14:15:26 2008
From: paul.hutchings at mira.co.uk (Paul Hutchings)
Date: Thu Sep 25 14:15:40 2008
Subject: Selective Signatures?
In-Reply-To:
References:
Message-ID:

Crikey now I do feel dumb - I didn't know you could do selective
rulesets and of course the syntax makes perfect sense.

Thanks very much indeed!

From velda.midanovic at trezor.sr.gov.yu Thu Sep 25 14:23:19 2008
From: velda.midanovic at trezor.sr.gov.yu (Velda Midanovic)
Date: Thu Sep 25 14:30:53 2008
Subject: Moving to a new server
Message-ID: <004101c91f11$e6562480$b3026d80$@midanovic@trezor.sr.gov.yu>

Dear All,

I have a running combination of RH4U5+sendmail+MailScanner+MailWatch+MySQL
and it is working OK. Only in a short time I will have to move server to a
bigger machine.

I will set up software, no problem, BUT how to move the data in MySQL
database??? I have no experience with something like this!!

Some URLs would be wonderful, and some helpful advice.

------

Also another problem. One server (with the above mentioned combination) has
been running for more than a year, and now, when I want from the MailWatch a
"Total Messages by Date" I get the report only till May of this year, and no
more???

Best from,

Velda

From ecasarero at gmail.com Thu Sep 25 14:44:05 2008
From: ecasarero at gmail.com (Eduardo Casarero)
Date: Thu Sep 25 14:44:15 2008
Subject: Moving to a new server
In-Reply-To: <70672101405464557@unknownmsgid>
References: <70672101405464557@unknownmsgid>
Message-ID: <7d9b3cf20809250644t6b1c02abo290ccfea421c7add@mail.gmail.com>

2008/9/25 Velda Midanovic

> Dear All,
>
> I have a running combination of RH4U5+sendmail+MailScanner+MailWatch+MySQL
> and it is working OK. Only in a short time I will have to move server to a
> bigger machine.
>
> I will set up software, no problem, BUT how to move the data in MySQL
> database??? I have no experience with something like this!!
>

#man mysqldump

> Some URLs would be wonderful, and some helpful advice.
>
> ------
>
> Also another problem. One server (with the above mentioned combination) has
> been running for more than a year, and now, when I want from the MailWatch a
> "Total Messages by Date" I get the report only till May of this year, and no
> more???
>

I think you should ask this in the mailwatch list, IMO.

> Best from,
>
> Velda
>

From prandal at herefordshire.gov.uk Thu Sep 25 14:58:35 2008
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Thu Sep 25 14:59:18 2008
Subject: Mail::ClamAV patch for ClamAV 0.94
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA04BFBADE@HC-MBX02.herefordshire.gov.uk>

Hi folks,

I've noticed that there's a patch for Mail::ClamAV to build against
ClamAV 0.94 here:

http://rt.cpan.org/Public/Bug/Display.html?id=39301

Jules, is this included in your convenient ClamAV/Spamassassin
installer?

Cheers,

Phil
--
Phil Randal
Networks Engineer
Herefordshire Council
Hereford, UK

From gregg at mochabomb.com Thu Sep 25 15:07:28 2008
From: gregg at mochabomb.com (Gregg LainJr.)
Date: Thu Sep 25 15:07:41 2008
Subject: Moving to a new server
Message-ID: <200809251407.m8PE7Wie018306@safir.blacknight.ie>

I do this a lot - might as well script it also..

To backup:
mysqldump -h hostname.tld -u user -pPassword database-name > database-date.sql

to restore on same or another machine::
mysql -h hostname.tld -u user -pPassword database-name < databasefile.sql

Yes there is no space after the -p.... hostname is most likely localhost...

Gregg

From malli at mcrirents.com Thu Sep 25 16:44:05 2008
From: malli at mcrirents.com (Mohammed Alli)
Date: Thu Sep 25 15:46:39 2008
Subject: Dspam and MailScanner
Message-ID: <3B1A431BDA34C54581BE43253BC1BD9328C864@exchange.computerrents.com>

Guys,

I've gotten Dspam working with my MailScanner setup on Ubuntu. I can see
both MailScanner and Dspam headers added to my messages. Dspam is
tagging missed messages as **SPAM**, per my setup. I just don't know how
to combine the 2 scores. I tried the Spamassassin perl module for Dspam,
but it doesn't work either and requires Amavisd-new to combine the
scores.

I tried Dspam as a GenericSpamScanner, but I couldn't tell if it was
working as I didn't see anything in the mail.log.

Any suggestions?

From raubvogel at gmail.com Thu Sep 25 15:51:53 2008
From: raubvogel at gmail.com (Mauricio Tavares)
Date: Thu Sep 25 15:52:06 2008
Subject: Allowing xls files
Message-ID: <48DBA589.1050007@gmail.com>

I would like to configure my mailscanner install such that it allows
(unfortunately it has to until I am able to teach people to just zip the
file) .xls files, which it seems not to right now. I checked in
/etc/MailScanner/filename.rules.conf and could not find the entry
responsible for that. Could anyone point me out to what I am not seeing?

Thanks!

From alex at rtpty.com Thu Sep 25 15:59:53 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Thu Sep 25 16:00:52 2008
Subject: Dspam and MailScanner
In-Reply-To: <3B1A431BDA34C54581BE43253BC1BD9328C864@exchange.computerrents.com>
References: <3B1A431BDA34C54581BE43253BC1BD9328C864@exchange.computerrents.com>
Message-ID: <10CCE591-3F46-4211-8C31-22EA1201E6A9@rtpty.com>

How about giving a step by step of what you did? That way those of us who haven't tried it can, and those who have might make suggestions...

Remember to include things like os, mta, etc. - if it's too long you can use the wiki or pastebin.

---

Alex Neuman
Reliant Technologies
+507 6781-9505
Skype: alexneuman

On Sep 25, 2008, at 10:44 AM, "Mohammed Alli" wrote:

> Guys,
>
> I've gotten Dspam working with my MailScanner setup on Ubuntu. I can see both MailScanner and Dspam headers added to my messages. Dspam is tagging missed messages as **SPAM**, per my setup. I just don't know how to combine the 2 scores. I tried the Spamassassin perl module for Dspam, but it doesn't work either and requires Amavisd-new to combine the scores.
>
> I tried Dspam as a GenericSpamScanner, but I couldn't tell if it was working as I didn't see anything in the mail.log.
>
> Any suggestions?

From ssilva at sgvwater.com Thu Sep 25 16:12:11 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Sep 25 16:12:34 2008
Subject: MailScanner on a Postfix Mailgate
In-Reply-To: <48DB5222.6030000@sequestered.net>
References: <48DB5222.6030000@sequestered.net>
Message-ID:

on 9-25-2008 1:56 AM Jay Chandler spake the following:
> Howdy, folks; been a while since I've posted here.
>
> For those who may or may not recall, I used to administer MailScanner
> (among other things) for $WeTeachYuppies. I moved on to corporate life
> about a year ago, and have been doing all right with mail filtering via
> DNS up until now.
>
> My issue is that MailScanner at the old job (as well as MailScanner at
> home) run on FreeBSD, which is relatively straightforward. Running it
> on CentOS 5.2 (our platform of choice at work) seems to be a dependency
> nightmare, with it being incredibly easy to stomp the MailScanner
> installation into oblivion.
> Short of putting a gun to someone's head and demanding FreeBSD
> mailgates, is there a good solution to this problem? I can't be the
> first person to say "Wait a second, this is nightmarish" about the
> upkeep of MS under Linux; I've been running my home install with minimal
> maintenance under FreeBSD for two years, yet I can't seem to keep a
> system together under Linux for more than one patch cycle without
> something important dying...
>

It can be as easy as this; http://yum.vanderkooij.org/

Just don't run the yum updates automatically. Subscribe to the announce list and run updates at quiet times.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From email at ace.net.au Thu Sep 25 16:32:28 2008
From: email at ace.net.au (Peter Nitschke)
Date: Thu Sep 25 16:32:42 2008
Subject: Log problem?
Message-ID: <200809260102280332.14086FC2@web.ace.net.au>

MS 4.71.10-1

Does the 3rd line look incomplete?

Sep 25 20:37:32 nx22 MailScanner[15691]: Virus Scanning: F-Prot found 1 infections
Sep 25 20:37:32 nx22 MailScanner[15691]: Infected message m8PB7NYZ019577 came from 61.9.189.143
Sep 25 20:37:32 nx22 MailScanner[15691]: Infected message 15691 came from
Sep 25 20:37:32 nx22 MailScanner[15691]: Virus Scanning: Found 1 viruses

Regards,
Peter

From alex at rtpty.com Thu Sep 25 16:55:50 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Thu Sep 25 16:56:05 2008
Subject: Allowing xls files
In-Reply-To: <48DBA589.1050007@gmail.com>
References: <48DBA589.1050007@gmail.com>
Message-ID:

"Seems not to" isn't too helpful. Can you describe exactly what happens?

On Sep 25, 2008, at 9:51 AM, Mauricio Tavares wrote:

> I would like to configure my mailscanner install such that it
> allows (unfortunately it has to until I am able to teach people to
> just zip the file) .xls files, which it seems not to right now. I
> checked in /etc/MailScanner/filename.rules.conf and could not find
> the entry responsible for that. Could anyone point me out to what I
> am not seeing? Thanks!

From roland at inbox4u.de Thu Sep 25 17:01:55 2008
From: roland at inbox4u.de (Ehle, Roland)
Date: Thu Sep 25 17:02:44 2008
Subject: AW: Allowing xls files
In-Reply-To: <48DBA589.1050007@gmail.com>
References: <48DBA589.1050007@gmail.com>
Message-ID:

Hi Mauricio,

Excel files are allowed by default. The only reason I can imagine, why an excel file could be blocked by MailScanner is the filename. Users tend to name their files in strange ways like invoice.2008.08.23.xls which will be blocked by MailScanner due to the rule, which blocks filenames with double file extensions (Hint: look for Deny all other double file extensions in your filename.rules.conf).

Files might be blocked too, if you have spaces in the filename.

Regards,
Roland

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Mauricio Tavares
> Sent: Thursday, 25 September 2008 16:52
> To: MailScanner discussion
> Subject: Allowing xls files
>
> I would like to configure my mailscanner install such that it
> allows
> (unfortunately it has to until I am able to teach people to just zip
> the
> file) .xls files, which it seems not to right now. I checked in
> /etc/MailScanner/filename.rules.conf and could not find the entry
> responsible for that. Could anyone point me out to what I am not
> seeing?
> Thanks!

From alex at rtpty.com Thu Sep 25 17:05:59 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Thu Sep 25 17:06:14 2008
Subject: AW: Allowing xls files
In-Reply-To:
References: <48DBA589.1050007@gmail.com>
Message-ID: <2D6F1BA3-35CF-4EE6-B5AC-F9B259136D0D@rtpty.com>

Or if they are deeply nested xlsx files.

On Sep 25, 2008, at 11:01 AM, Ehle, Roland wrote:

> Files might be blocked too, if you have spaces in the filename.

From mkercher at nfsmith.com Thu Sep 25 17:11:35 2008
From: mkercher at nfsmith.com (Mike Kercher)
Date: Thu Sep 25 17:12:09 2008
Subject: WMV's Getting Through
In-Reply-To: <3CF0F6D8-3576-468D-A412-274B33FD186D@rtpty.com>
References: <224FA7E11EA39E45843E11CEBBD3A36FEBFE7C@HOUPEX01.nfsmith.info><224FA7E11EA39E45843E11CEBBD3A36FEC04B6@HOUPEX01.nfsmith.info> <3CF0F6D8-3576-468D-A412-274B33FD186D@rtpty.com>
Message-ID: <224FA7E11EA39E45843E11CEBBD3A36FEC0606@HOUPEX01.nfsmith.info>

I just sent this attachment to myself only. The headers show:

------=_Part_22984_29391453.1222357509928
Content-Type: video/x-ms-wmv; name=JobMarket-2010.wmv
Content-Transfer-Encoding: base64
X-Attachment-Id: f_fljk36e00
Content-Disposition: attachment; filename=JobMarket-2010.wmv

In filename.rules.conf I have:

deny \.wmv$ No Windows Media files No Windows Media files

In filetype.rules.conf I have:

deny ASF No Windows media No Windows media files allowed

I ran file against the attachment and get:

[root@HOUPMS01 ~]# file JobMarket-2010.wmv
JobMarket-2010.wmv: Microsoft ASF

[root@HOUPMS01 ~]# file -i JobMarket-2010.wmv
JobMarket-2010.wmv: application/octet-stream

I'm not sure what else to look at.

Mike

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Neuman van der Hans
Sent: Wednesday, September 24, 2008 13:41
To: MailScanner discussion
Subject: Re: WMV's Getting Through

You probably have multiple recipients and one has the right to receive them.

---

Alex Neuman
Reliant Technologies
+507 6781-9505
Skype: alexneuman

On Sep 24, 2008, at 1:24 PM, "Mike Kercher" wrote:

From alex at rtpty.com Thu Sep 25 17:18:45 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Thu Sep 25 17:18:59 2008
Subject: WMV's Getting Through
In-Reply-To: <224FA7E11EA39E45843E11CEBBD3A36FEC0606@HOUPEX01.nfsmith.info>
References: <224FA7E11EA39E45843E11CEBBD3A36FEBFE7C@HOUPEX01.nfsmith.info><224FA7E11EA39E45843E11CEBBD3A36FEC04B6@HOUPEX01.nfsmith.info> <3CF0F6D8-3576-468D-A412-274B33FD186D@rtpty.com> <224FA7E11EA39E45843E11CEBBD3A36FEC0606@HOUPEX01.nfsmith.info>
Message-ID:

Are you sure it's deny(tab)\.wmv$(tab) and so on? and not spaces? dunno if it's still required though

On Sep 25, 2008, at 11:11 AM, Mike Kercher wrote:

> I just sent this attachment to myself only. The headers show:
>
> ------=_Part_22984_29391453.1222357509928
> Content-Type: video/x-ms-wmv; name=JobMarket-2010.wmv
> Content-Transfer-Encoding: base64
> X-Attachment-Id: f_fljk36e00
> Content-Disposition: attachment; filename=JobMarket-2010.wmv
>
> In filename.rules.conf I have:
>
> deny \.wmv$ No Windows Media files No
> Windows Media files
>
> In filetype.rules.conf I have:
>
> deny ASF No Windows media No Windows media files
> allowed
>
> I ran file against the attachment and get:
>
> [root@HOUPMS01 ~]# file JobMarket-2010.wmv
> JobMarket-2010.wmv: Microsoft ASF
>
> [root@HOUPMS01 ~]# file -i JobMarket-2010.wmv
> JobMarket-2010.wmv: application/octet-stream
>
> I'm not sure what else to look at.
>
> Mike
>
>
>
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex
> Neuman van der Hans
> Sent: Wednesday, September 24, 2008 13:41
> To: MailScanner discussion
> Subject: Re: WMV's Getting Through
>
> You probably have multiple recipients and one has the right to receive
> them.
>
> ---
>
> Alex Neuman
> Reliant Technologies
> +507 6781-9505
> Skype: alexneuman
>
> On Sep 24, 2008, at 1:24 PM, "Mike Kercher"
> wrote:

From mkercher at nfsmith.com Thu Sep 25 17:50:35 2008
From: mkercher at nfsmith.com (Mike Kercher)
Date: Thu Sep 25 17:51:06 2008
Subject: WMV's Getting Through
In-Reply-To:
References: <224FA7E11EA39E45843E11CEBBD3A36FEBFE7C@HOUPEX01.nfsmith.info><224FA7E11EA39E45843E11CEBBD3A36FEC04B6@HOUPEX01.nfsmith.info><3CF0F6D8-3576-468D-A412-274B33FD186D@rtpty.com><224FA7E11EA39E45843E11CEBBD3A36FEC0606@HOUPEX01.nfsmith.info>
Message-ID: <224FA7E11EA39E45843E11CEBBD3A36FEC0624@HOUPEX01.nfsmith.info>

Yeah...I verified they are all tabbed :)

Mike

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Neuman van der Hans
Sent: Thursday, September 25, 2008 11:19
To: MailScanner discussion
Subject: Re: WMV's Getting Through

Are you sure it's deny(tab)\.wmv$(tab) and so on? and not spaces? dunno if it's still required though

On Sep 25, 2008, at 11:11 AM, Mike Kercher wrote:

> I just sent this attachment to myself only. The headers show:
>
> ------=_Part_22984_29391453.1222357509928
> Content-Type: video/x-ms-wmv; name=JobMarket-2010.wmv
> Content-Transfer-Encoding: base64
> X-Attachment-Id: f_fljk36e00
> Content-Disposition: attachment; filename=JobMarket-2010.wmv
>
> In filename.rules.conf I have:
>
> deny \.wmv$ No Windows Media files No
> Windows Media files
>
> In filetype.rules.conf I have:
>
> deny ASF No Windows media No Windows media files
> allowed
>
> I ran file against the attachment and get:
>
> [root@HOUPMS01 ~]# file JobMarket-2010.wmv
> JobMarket-2010.wmv: Microsoft ASF
>
> [root@HOUPMS01 ~]# file -i JobMarket-2010.wmv
> JobMarket-2010.wmv: application/octet-stream
>
> I'm not sure what else to look at.
>
> Mike
>
>
>
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex
> Neuman van der Hans
> Sent: Wednesday, September 24, 2008 13:41
> To: MailScanner discussion
> Subject: Re: WMV's Getting Through
>
> You probably have multiple recipients and one has the right to receive
> them.
>
> ---
>
> Alex Neuman
> Reliant Technologies
> +507 6781-9505
> Skype: alexneuman
>
> On Sep 24, 2008, at 1:24 PM, "Mike Kercher"
> wrote:

From dstraka at caspercollege.edu Thu Sep 25 18:00:52 2008
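The tab-versus-space question and the double-extension hint raised in the messages above can be checked mechanically. This is an added example, not code from MailScanner or from any poster: it assumes four TAB-separated fields per rule (as in the rule quoted in the thread), first-match-wins evaluation, case-insensitive matching and allow-by-default when nothing matches; the sample rules, including the stand-in double-extension pattern, are constructed.

```python
import re

# Actions accepted by this sketch.
ACTIONS = {"allow", "deny", "deny+delete"}

# Constructed sample rules, not taken from any real server. "\t" is a real TAB.
# Line 3 separates its fields with spaces, the mistake asked about in the thread.
# Line 4 is a stand-in double-extension rule written for this example; it is
# not the rule shipped in filename.rules.conf.
SAMPLE_RULES = (
    "# action<TAB>pattern<TAB>log text<TAB>user report text\n"
    "deny\t\\.wmv$\tNo Windows Media files\tNo Windows Media files\n"
    "deny    \\.avi$    No AVI files    No AVI files\n"
    "deny\t\\.[a-z0-9]{2,4}\\.[a-z0-9]{3}$\tDouble extension\tDouble extension\n"
    "allow\t.*\t-\t-\n"
)


def parse_rules(text):
    """Return (rules, problems).

    rules    -- list of (line number, action, compiled pattern, log text)
    problems -- list of (line number, description) for lines that cannot be used
    """
    rules, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip("\r\n")
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        if "\t" not in line:
            problems.append((lineno, "no TAB characters, fields look space-separated"))
            continue
        # Runs of TABs are often used for alignment, so treat them as one separator.
        fields = re.split(r"\t+", line.strip())
        if len(fields) != 4:
            problems.append((lineno, "expected 4 TAB-separated fields, got %d" % len(fields)))
            continue
        action, pattern, log_text, _report_text = fields
        if action.lower() not in ACTIONS:
            problems.append((lineno, "unknown action %r" % action))
            continue
        try:
            compiled = re.compile(pattern, re.IGNORECASE)  # assumption: case-insensitive
        except re.error as exc:
            problems.append((lineno, "bad regular expression: %s" % exc))
            continue
        rules.append((lineno, action.lower(), compiled, log_text))
    return rules, problems


def decide(filename, rules):
    """Return (action, line number) of the first rule whose pattern matches."""
    for lineno, action, compiled, _log_text in rules:
        if compiled.search(filename):
            return action, lineno
    return "allow", None  # assumption: nothing matched means the file passes


if __name__ == "__main__":
    rules, problems = parse_rules(SAMPLE_RULES)
    for lineno, why in problems:
        print("line %d unusable: %s" % (lineno, why))
    # The first two names come from the thread; the last two are constructed.
    for name in ("JobMarket-2010.wmv", "invoice.2008.08.23.xls", "clip.avi", "report.xls"):
        action, lineno = decide(name, rules)
        print("%-26s -> %s (rule on line %s)" % (name, action, lineno))
```

In this sketch the space-separated `.avi` rule is reported as unusable and `clip.avi` falls through to the final allow rule, which is the kind of silent miss the tab question is probing for.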
From: dstraka at caspercollege.edu (Daniel Straka)
Date: Thu Sep 25 18:01:25 2008
Subject: MailScanner Losing it's Efficiency
Message-ID: <48DB6F63.61A4.0000.0@caspercollege.edu>

I'm running MailScanner v4.54.6 with SpamAssassin v3.1.3 and over the last couple of weeks a lot of spam is coming through that is quite spammy in nature. So it seems that MailScanner is no longer very effective at spam detection. The number of messages that make it into user mailboxes has gone from ~4000 to ~6000 per day without an overall increase in mail received at the mx servers. What could cause a decrease in the effectiveness of spam detection? Any tips (details please) on keeping MS and SA optimized at spam detection?

Is it possible the spammers have a bunch of new relays that aren't in the RBL's yet? Or are the spamcop or spamhaus RBL's having issues?

Thanks,

--
Dan Straka
Systems Coordinator
Casper College
307.268.2399
www.caspercollege.edu ( http://www.caspercollege.edu/ )

From ssilva at sgvwater.com Thu Sep 25 18:03:14 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Sep 25 18:03:31 2008
Subject: WMV's Getting Through
In-Reply-To: <224FA7E11EA39E45843E11CEBBD3A36FEC0624@HOUPEX01.nfsmith.info>
References: <224FA7E11EA39E45843E11CEBBD3A36FEBFE7C@HOUPEX01.nfsmith.info><224FA7E11EA39E45843E11CEBBD3A36FEC04B6@HOUPEX01.nfsmith.info><3CF0F6D8-3576-468D-A412-274B33FD186D@rtpty.com><224FA7E11EA39E45843E11CEBBD3A36FEC0606@HOUPEX01.nfsmith.info> <224FA7E11EA39E45843E11CEBBD3A36FEC0624@HOUPEX01.nfsmith.info>
Message-ID:

on 9-25-2008 9:50 AM Mike Kercher spake the following:
> Yeah...I verified they are all tabbed :)
>
> Mike
>

Are you running on CentOS 5 with postfix MTA? There is a bug currently under scrutiny about some attachments not getting unpacked/decoded properly.

http://permalink.gmane.org/gmane.mail.virus.mailscanner/66176

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com Thu Sep 25 18:07:42 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Sep 25 18:10:13 2008
Subject: MailScanner Losing it's Efficiency
In-Reply-To: <48DB6F63.61A4.0000.0@caspercollege.edu>
References: <48DB6F63.61A4.0000.0@caspercollege.edu>
Message-ID:

on 9-25-2008 10:00 AM Daniel Straka spake the following:
> I'm running MailScanner v4.54.6 with SpamAssassin v3.1.3 and over the last couple of weeks a lot of spam is coming through that is quite spammy in nature. So it seems that MailScanner is no longer very effective at spam detection. The number of messages that make it into user mailboxes has gone from ~4000 to ~6000 per day without an overall increase in mail received at the mx servers. What could cause a decrease in the effectiveness of spam detection? Any tips (details please) on keeping MS and SA optimized at spam detection?
>
> Is it possible the spammers have a bunch of new relays that aren't in the RBL's yet? Or are the spamcop or spamhaus RBL's having issues?
>
> Thanks,

Or maybe you are using a 3 year old version of MailScanner and a 2 year old version of spamassassin? You must be on Debian. MailScanner has a very active development cycle and so does spamassassin. You should try current versions of the software before you complain about how it works.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From mkercher at nfsmith.com Thu Sep 25 18:13:28 2008
From: mkercher at nfsmith.com (Mike Kercher)
Date: Thu Sep 25 18:13:58 2008
Subject: WMV's Getting Through
In-Reply-To:
References: <224FA7E11EA39E45843E11CEBBD3A36FEBFE7C@HOUPEX01.nfsmith.info><224FA7E11EA39E45843E11CEBBD3A36FEC04B6@HOUPEX01.nfsmith.info><3CF0F6D8-3576-468D-A412-274B33FD186D@rtpty.com><224FA7E11EA39E45843E11CEBBD3A36FEC0606@HOUPEX01.nfsmith.info> <224FA7E11EA39E45843E11CEBBD3A36FEC0624@HOUPEX01.nfsmith.info>
Message-ID: <224FA7E11EA39E45843E11CEBBD3A36FEC0630@HOUPEX01.nfsmith.info>

No...this is Centos 4.7 and sendmail.

Mike

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott Silva
Sent: Thursday, September 25, 2008 12:03
To: mailscanner@lists.mailscanner.info
Subject: Re: WMV's Getting Through

on 9-25-2008 9:50 AM Mike Kercher spake the following:
> Yeah...I verified they are all tabbed :)
>
> Mike
>

Are you running on CentOS 5 with postfix MTA? There is a bug currently under scrutiny about some attachments not getting unpacked/decoded properly.

http://permalink.gmane.org/gmane.mail.virus.mailscanner/66176

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From mkercher at nfsmith.com Thu Sep 25 18:16:30 2008
From: mkercher at nfsmith.com (Mike Kercher)
Date: Thu Sep 25 18:16:54 2008
Subject: WMV's Getting Through
In-Reply-To:
References: <224FA7E11EA39E45843E11CEBBD3A36FEBFE7C@HOUPEX01.nfsmith.info><224FA7E11EA39E45843E11CEBBD3A36FEC04B6@HOUPEX01.nfsmith.info><3CF0F6D8-3576-468D-A412-274B33FD186D@rtpty.com><224FA7E11EA39E45843E11CEBBD3A36FEC0606@HOUPEX01.nfsmith.info> <224FA7E11EA39E45843E11CEBBD3A36FEC0624@HOUPEX01.nfsmith.info>
Message-ID: <224FA7E11EA39E45843E11CEBBD3A36FEC0632@HOUPEX01.nfsmith.info>

I've got 2 MailScanners. On the primary MX, it seems that filename checks are not being performed. On the secondary MX, Filename Checks are being logged.

Mike

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott Silva
Sent: Thursday, September 25, 2008 12:03
To: mailscanner@lists.mailscanner.info
Subject: Re: WMV's Getting Through

on 9-25-2008 9:50 AM Mike Kercher spake the following:
> Yeah...I verified they are all tabbed :)
>
> Mike
>

Are you running on CentOS 5 with postfix MTA? There is a bug currently under scrutiny about some attachments not getting unpacked/decoded properly.

http://permalink.gmane.org/gmane.mail.virus.mailscanner/66176

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com Thu Sep 25 18:16:33 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Sep 25 18:20:12 2008
Subject: WMV's Getting Through
In-Reply-To:
References: <224FA7E11EA39E45843E11CEBBD3A36FEBFE7C@HOUPEX01.nfsmith.info><224FA7E11EA39E45843E11CEBBD3A36FEC04B6@HOUPEX01.nfsmith.info><3CF0F6D8-3576-468D-A412-274B33FD186D@rtpty.com><224FA7E11EA39E45843E11CEBBD3A36FEC0606@HOUPEX01.nfsmith.info> <224FA7E11EA39E45843E11CEBBD3A36FEC0624@HOUPEX01.nfsmith.info>
Message-ID:

on 9-25-2008 10:03 AM Scott Silva spake the following:
> on 9-25-2008 9:50 AM Mike Kercher spake the following:
>> Yeah...I verified they are all tabbed :)
>>
>> Mike
>>
> Are you running on CentOS 5 with postfix MTA?
> There is a bug currently under scrutiny about some attachments not
> getting unpacked/decoded properly.
>
> http://permalink.gmane.org/gmane.mail.virus.mailscanner/66176
>
>

Hit send too early... Maybe this is affecting you, maybe not. Do you have a queue file or RFC822 copy of this message to put up for testing?

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From mkercher at nfsmith.com Thu Sep 25 18:37:41 2008
From: mkercher at nfsmith.com (Mike Kercher)
Date: Thu Sep 25 18:38:13 2008
Subject: WMV's Getting Through
In-Reply-To:
References: <224FA7E11EA39E45843E11CEBBD3A36FEBFE7C@HOUPEX01.nfsmith.info><224FA7E11EA39E45843E11CEBBD3A36FEC04B6@HOUPEX01.nfsmith.info><3CF0F6D8-3576-468D-A412-274B33FD186D@rtpty.com><224FA7E11EA39E45843E11CEBBD3A36FEC0606@HOUPEX01.nfsmith.info> <224FA7E11EA39E45843E11CEBBD3A36FEC0624@HOUPEX01.nfsmith.info>
Message-ID: <224FA7E11EA39E45843E11CEBBD3A36FEC0642@HOUPEX01.nfsmith.info>

Here is the message which was stored as a non-spam action:

http://www.vesol.com/m8PHY2hm026958

Mike

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott Silva
Sent: Thursday, September 25, 2008 12:17
To: mailscanner@lists.mailscanner.info
Subject: Re: WMV's Getting Through

on 9-25-2008 10:03 AM Scott Silva spake the following:
> on 9-25-2008 9:50 AM Mike Kercher spake the following:
>> Yeah...I verified they are all tabbed :)
>>
>> Mike
>>
> Are you running on CentOS 5 with postfix MTA?
> There is a bug currently under scrutiny about some attachments not
> getting unpacked/decoded properly.
>
> http://permalink.gmane.org/gmane.mail.virus.mailscanner/66176
>
>

Hit send too early... Maybe this is affecting you, maybe not. Do you have a queue file or RFC822 copy of this message to put up for testing.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com Thu Sep 25 18:45:50 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Sep 25 18:46:07 2008
Subject: WMV's Getting Through
In-Reply-To: <224FA7E11EA39E45843E11CEBBD3A36FEC0632@HOUPEX01.nfsmith.info>
References: <224FA7E11EA39E45843E11CEBBD3A36FEBFE7C@HOUPEX01.nfsmith.info><224FA7E11EA39E45843E11CEBBD3A36FEC04B6@HOUPEX01.nfsmith.info><3CF0F6D8-3576-468D-A412-274B33FD186D@rtpty.com><224FA7E11EA39E45843E11CEBBD3A36FEC0606@HOUPEX01.nfsmith.info> <224FA7E11EA39E45843E11CEBBD3A36FEC0624@HOUPEX01.nfsmith.info> <224FA7E11EA39E45843E11CEBBD3A36FEC0632@HOUPEX01.nfsmith.info>
Message-ID:

on 9-25-2008 10:16 AM Mike Kercher spake the following:
> I've got 2 MailScanners. On the primary MX, it seems that filename
> checks are not being performed. On the secondary MX, Filename Checks
> are being logged.
>

Compare a MailScanner -v on both systems and look for diffs in perl modules.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From mkercher at nfsmith.com Thu Sep 25 18:55:29 2008
From: mkercher at nfsmith.com (Mike Kercher)
Date: Thu Sep 25 18:56:02 2008
Subject: WMV's Getting Through
In-Reply-To:
References: <224FA7E11EA39E45843E11CEBBD3A36FEBFE7C@HOUPEX01.nfsmith.info><224FA7E11EA39E45843E11CEBBD3A36FEC04B6@HOUPEX01.nfsmith.info><3CF0F6D8-3576-468D-A412-274B33FD186D@rtpty.com><224FA7E11EA39E45843E11CEBBD3A36FEC0606@HOUPEX01.nfsmith.info> <224FA7E11EA39E45843E11CEBBD3A36FEC0624@HOUPEX01.nfsmith.info> <224FA7E11EA39E45843E11CEBBD3A36FEC0632@HOUPEX01.nfsmith.info>
Message-ID: <224FA7E11EA39E45843E11CEBBD3A36FEC064D@HOUPEX01.nfsmith.info>

Good call. There are some differences in module versions. Problem box is Centos 4.7, other box is RHEL4.7. Should I reinstall MailScanner with the --force option to fix perl-modules?

Thanks!

Mike

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott Silva
Sent: Thursday, September 25, 2008 12:46
To: mailscanner@lists.mailscanner.info
Subject: Re: WMV's Getting Through

on 9-25-2008 10:16 AM Mike Kercher spake the following:
> I've got 2 MailScanners. On the primary MX, it seems that filename
> checks are not being performed. On the secondary MX, Filename Checks
> are being logged.
>

Compare a MailScanner -v on both systems and look for diffs in perl modules.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From malli at mcrirents.com Thu Sep 25 19:53:31 2008
From: malli at mcrirents.com (Mohammed Alli)
Date: Thu Sep 25 18:56:06 2008
Subject: Dspam and MailScanner
In-Reply-To: <10CCE591-3F46-4211-8C31-22EA1201E6A9@rtpty.com>
References: <3B1A431BDA34C54581BE43253BC1BD9328C864@exchange.computerrents.com> <10CCE591-3F46-4211-8C31-22EA1201E6A9@rtpty.com>
Message-ID: <3B1A431BDA34C54581BE43253BC1BD9328C866@exchange.computerrents.com>

I'm currently running Ubuntu Hardy with MailScanner 4.68/Postfix 2.5.1 via SpamSnake. I don't have a complete guide for the Dspam inclusion as yet but here's a summary.

I installed Dspam 3.68 using apt, but it's not the current version. I'm using it as a content filter for postfix. So the mails come in and get sent to Dspam and are reinjected back into postfix on port 10026. MailScanner then picks it up from the queue.

I can see from mail.log that the mails are triggering Dspam correctly and that the headers are added to each mail. What I don't know is how to get MailScanner to use the results. Below is a sample of what it looks like:

X-MailScanner-ID: 3E313B8327.019A5
X-MCRI-MailScanner: Found to be clean
X-MCRI-MailScanner-From: mailscanner-bounces@lists.mailscanner.info
X-DSPAM-Result: Innocent
X-DSPAM-Processed: Thu Sep 25 13:43:28 2008
X-DSPAM-Confidence: 0.9967
X-DSPAM-Probability: 0.0000
X-DSPAM-Signature: 48dbcdc0181456572320380

________________________________
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Neuman van der Hans
Sent: Thursday, September 25, 2008 10:00 AM
To: MailScanner discussion
Subject: Re: Dspam and MailScanner

How about giving a step by step of what you did? That way those of us who haven't tried it can, and those who have might make suggestions...

Remember to include things like os, mta, etc. - if it's too long you can use the wiki or pastebin.

---

Alex Neuman
Reliant Technologies
+507 6781-9505
Skype: alexneuman

On Sep 25, 2008, at 10:44 AM, "Mohammed Alli" wrote:

Guys,

I've gotten Dspam working with my MailScanner setup on Ubuntu. I can see both MailScanner and Dspam headers added to my messages. Dspam is tagging missed messages as **SPAM**, per my setup. I just don't know how to combine the 2 scores. I tried the Spamassassin perl module for Dspam, but it doesn't work either and requires Amavisd-new to combine the scores.

I tried Dspam as a GenericSpamScanner, but I couldn't tell if it was working as I didn't see anything in the mail.log.

Any suggestions?

From ssilva at sgvwater.com Thu Sep 25 18:58:05 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Sep 25 18:58:58 2008
Subject: MailScanner Losing it's Efficiency {Scanned}
In-Reply-To: <48DB76EF.61A4.0000.0@caspercollege.edu>
References: <48DB6F63.61A4.0000.0@caspercollege.edu> <48DB76EF.61A4.0000.0@caspercollege.edu>
Message-ID: <48DBD12D.9040401@sgvwater.com>

on 9-25-2008 10:33 AM Daniel Straka spake the following:
> Thanks Scott, that message to the list was really helpful. I made a mistake on my MS version it's 4.69.9 and I installed it and SA at the same time in May so I'm pretty sure they're not too far out of rev.
>
> So, do you have anything positive to say regarding my issue?
>

Sorry if it was short, but there are a lot of people with Debian servers that get old versions of software and can't figure out why it doesn't work.

What blacklists are you using? Could you have been locked out of spamhaus for your usage? Try host 2.0.0.127.zen.spamhaus.org on the mail server and see if you get a response.

Do your bayes hits look consistent, or could you have a poisoned database?

Do you have any extra rules? Rules emporium rules are still fairly valid even though they aren't getting updated anymore.

Back on the list since there are valid points to look at.

--
Scott Silva
Network Administrator
San Gabriel Valley Water Company
11142 Garvey Ave.
El Monte CA 91733
626.448.6183 x.296
ssilva@sgvwater.com

--
This message has been scanned for viruses and dangerous content by the San Gabriel Valley Water Co. MailScanner, and is believed to be clean.

From dstraka at caspercollege.edu Thu Sep 25 18:58:39 2008
From: dstraka at caspercollege.edu (Daniel Straka)
Date: Thu Sep 25 18:59:05 2008
Subject: MailScanner Losing it's Efficiency
Message-ID: <48DB7CEE.61A4.0000.0@caspercollege.edu>

As Scott was so kind to point out, I made a mistake on my MS version, it's 4.69.9, installed in May. Sorry about that.

I'm running MailScanner v4.54.6 with SpamAssassin v3.1.3 and over the last couple of weeks a lot of spam is coming through that is quite spammy in nature. So it seems that MailScanner is no longer very effective at spam detection. The number of messages that make it into user mailboxes has gone from ~4000 to ~6000 per day without an overall increase in mail received at the mx servers. What could cause a decrease in the effectiveness of spam detection? Any tips (details please) on keeping MS and SA optimized at spam detection?

Is it possible the spammers have a bunch of new relays that aren't in the RBL's yet? Or are the spamcop or spamhaus RBL's having issues?

Thanks,

--
Dan Straka
Systems Coordinator
Casper College
307.268.2399
www.caspercollege.edu ( http://www.caspercollege.edu/ )

From ssilva at sgvwater.com Thu Sep 25 19:16:07 2008
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Sep 25 19:16:29 2008 Subject: WMV's Getting Through In-Reply-To: <224FA7E11EA39E45843E11CEBBD3A36FEC064D@HOUPEX01.nfsmith.info> References: <224FA7E11EA39E45843E11CEBBD3A36FEBFE7C@HOUPEX01.nfsmith.info><224FA7E11EA39E45843E11CEBBD3A36FEC04B6@HOUPEX01.nfsmith.info><3CF0F6D8-3576-468D-A412-274B33FD186D@rtpty.com><224FA7E11EA39E45843E11CEBBD3A36FEC0606@HOUPEX01.nfsmith.info> <224FA7E11EA39E45843E11CEBBD3A36FEC0624@HOUPEX01.nfsmith.info> <224FA7E11EA39E45843E11CEBBD3A36FEC0632@HOUPEX01.nfsmith.info> <224FA7E11EA39E45843E11CEBBD3A36FEC064D@HOUPEX01.nfsmith.info> Message-ID: on 9-25-2008 10:55 AM Mike Kercher spake the following: > Good call. There are some differences in module versions. Problem box > is Centos 4.7, other box is RHEL4.7 Should I reinstall MailScanner with > the --force option to fix perl-modules? > Shouldn't break it any worse. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From richard.frovarp at sendit.nodak.edu Thu Sep 25 19:17:08 2008 
From: richard.frovarp at sendit.nodak.edu (Richard Frovarp) Date: Thu Sep 25 19:17:19 2008 Subject: MailScanner Losing it's Efficiency In-Reply-To: <48DB7CEE.61A4.0000.0@caspercollege.edu> References: <48DB7CEE.61A4.0000.0@caspercollege.edu> Message-ID: <48DBD5A4.6030703@sendit.nodak.edu> Daniel Straka wrote: > As Scott was so kind to point out, I made a mistake on my MS version , it's 4.69.9, installed in May. Sorry about that. > > I'm running MailScanner v4.54.6 with SpamAssassin v3.1.3 and over the last couple of weeks a lot of spam is coming through that is quite spammy in nature. So it seems that MailScanner is no longer very effective at spam detection. The number of messages that make it into user mailboxes has gone from ~4000 to ~6000 per day without an overall increase in mail received at the mx servers. What could cause a decrease in the effectiveness of spam detection? Any tips (details please) on keeping MS and SA optimized at spam detection? > > Is it possible the spammers have a bunch of new relays that aren't in the RBL's yet? Or are the spamcop or spamhaus RBL's having issues? > > Thanks, > As Scott said, upgrade SA. At 3.1.3 you won't have access to the latest rule definitions. Razor helps quite a bit as well. From alex at rtpty.com Thu Sep 25 19:25:00 2008 
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Thu Sep 25 19:25:27 2008 Subject: MailScanner Losing it's Efficiency {Scanned} In-Reply-To: <48DBD12D.9040401@sgvwater.com> References: <48DB6F63.61A4.0000.0@caspercollege.edu> <48DB76EF.61A4.0000.0@caspercollege.edu> <48DBD12D.9040401@sgvwater.com> Message-ID: Which rulesemporium rules do you recommend? --- Alex Neuman Reliant Technologies +507 6781-9505 Skype: alexneuman On Sep 25, 2008, at 12:58 PM, Scott Silva wrote: > on 9-25-2008 10:33 AM Daniel Straka spake the following: >> Thanks Scott, that message to the list was really helpful. I made a >> mistake on my MS version it's 4.69.9 and I installed it and SA at >> the same time in May so I'm pretty sure they're not too far out of >> rev. >> So, do you have anything positive to say regarding my issue? >> > Sorry if it was short, but there are a lot of people with Debian > servers that get old versions of software and can't figure out why > it doesn't work. > > What blacklists are you using? > Could you have been locked out of spamhaus for your usage? > Try host 2.0.0.127.zen.spamhaus.org on the mail server and see if > you get a response. > > Does your bayes hits look consistent, or could you have a poisoned > database? > > Do you have any extra rules? Rules emporium rules are still fairly > valid even though they aren't getting updated anymore. > > Back on the list since there are valid points to look at. > > > > -- > > Scott Silva > Network Administrator > San Gabriel Valley Water Company > 11142 Garvey Ave. El Monte CA 91733 > 626.448.6183 x.296 > ssilva@sgvwater.com > > > -- > This message has been scanned for viruses and > dangerous content by the San Gabriel Valley Water Co. > MailScanner, and is believed to be clean. 
> > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From mkercher at nfsmith.com Thu Sep 25 19:27:31 2008 From: mkercher at nfsmith.com (Mike Kercher) Date: Thu Sep 25 19:27:57 2008 Subject: WMV's Getting Through In-Reply-To: References: <224FA7E11EA39E45843E11CEBBD3A36FEBFE7C@HOUPEX01.nfsmith.info><224FA7E11EA39E45843E11CEBBD3A36FEC04B6@HOUPEX01.nfsmith.info><3CF0F6D8-3576-468D-A412-274B33FD186D@rtpty.com><224FA7E11EA39E45843E11CEBBD3A36FEC0606@HOUPEX01.nfsmith.info> <224FA7E11EA39E45843E11CEBBD3A36FEC0624@HOUPEX01.nfsmith.info> <224FA7E11EA39E45843E11CEBBD3A36FEC0632@HOUPEX01.nfsmith.info> <224FA7E11EA39E45843E11CEBBD3A36FEC064D@HOUPEX01.nfsmith.info> Message-ID: <224FA7E11EA39E45843E11CEBBD3A36FEC065D@HOUPEX01.nfsmith.info> I reinstalled without the --force option first and that has fixed the problem. I sure appreciate your input and direction! Mike -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott Silva Sent: Thursday, September 25, 2008 13:16 To: mailscanner@lists.mailscanner.info Subject: Re: WMV's Getting Through on 9-25-2008 10:55 AM Mike Kercher spake the following: > Good call. There are some differences in module versions. Problem > box is Centos 4.7, other box is RHEL4.7 Should I reinstall > MailScanner with the --force option to fix perl-modules? > Shouldn't break it any worse. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From mmcintosh at infowall.com Thu Sep 25 19:34:07 2008 
From: mmcintosh at infowall.com (mmcintosh Infowall) Date: Thu Sep 25 19:34:48 2008 Subject: CentOs YUM Update? In-Reply-To: <3B1A431BDA34C54581BE43253BC1BD9328C866@exchange.computerrents.com> References: <3B1A431BDA34C54581BE43253BC1BD9328C864@exchange.computerrents.com> <10CCE591-3F46-4211-8C31-22EA1201E6A9@rtpty.com> <3B1A431BDA34C54581BE43253BC1BD9328C866@exchange.computerrents.com> Message-ID: <48DBD99F.2000404@infowall.com> Hello All, I am planning on running a YUM Update on my Centos 5.2 system I have read on this list that there can be problems with perl modules that are incompatible with MailScanner so was wondering if anyone had a list of what I should not update or what versions I should be running. Below is my MailScanner -v. Mark McIntosh This is CentOS release 5.2 (Final) This is Perl version 5.008008 (5.8.8) This is MailScanner version 4.71.10 Module versions are: 1.00 AnyDBM_File 1.16 Archive::Zip 0.21 bignum 1.04 Carp 1.42 Compress::Zlib 1.119 Convert::BinHex 0.17 Convert::TNEF 2.121_08 Data::Dumper 2.27 Date::Parse 1.00 DirHandle 1.05 Fcntl 2.74 File::Basename 2.09 File::Copy 2.01 FileHandle 1.08 File::Path 0.20 File::Temp 0.92 Filesys::Df 1.35 HTML::Entities 3.56 HTML::Parser 2.37 HTML::TokeParser 1.23 IO 1.14 IO::File 1.13 IO::Pipe 2.02 Mail::Header 1.86 Math::BigInt 0.19 Math::BigRat 3.05 MIME::Base64 5.425 MIME::Decoder 5.425 MIME::Decoder::UU 5.425 MIME::Head 5.425 MIME::Parser 3.03 MIME::QuotedPrint 5.425 MIME::Tools 0.11 Net::CIDR 1.25 Net::IP 0.16 OLE::Storage_Lite 1.04 Pod::Escapes 3.05 Pod::Simple 1.09 POSIX 1.18 Scalar::Util 1.78 Socket 2.15 Storable 1.4 Sys::Hostname::Long 0.13 Sys::Syslog 1.26 Test::Pod 0.6 Test::Simple 1.68 Time::HiRes 1.02 Time::localtime Optional module versions are: 1.30 Archive::Tar 0.21 bignum 1.82 Business::ISBN 1.10 Business::ISBN::Data 1.08 Data::Dump 1.814 DB_File 1.13 DBD::SQLite 1.56 DBI 1.10 Digest 1.01 Digest::HMAC 2.36 Digest::MD5 2.10 Digest::SHA1 1.00 Encode::Detect 0.17008 Error 0.18 
ExtUtils::CBuilder 2.18 ExtUtils::ParseXS 2.35 Getopt::Long 0.44 Inline 1.08 IO::String 1.04 IO::Zlib 2.21 IP::Country missing Mail::ClamAV 3.002005 Mail::SpamAssassin v2.004 Mail::SPF 1.999001 Mail::SPF::Query 0.2808 Module::Build 0.20 Net::CIDR::Lite 0.63 Net::DNS 0.002.2 Net::DNS::Resolver::Programmable 0.37 Net::LDAP 4.004 NetAddr::IP 1.94 Parse::RecDescent missing SAVI 2.52 Test::Harness 0.95 Test::Manifest 1.98 Text::Balanced 1.35 URI 0.7203 version 0.62 YAML -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ssilva at sgvwater.com Thu Sep 25 19:52:12 2008 
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Sep 25 19:52:40 2008 Subject: CentOs YUM Update? In-Reply-To: <48DBD99F.2000404@infowall.com> References: <3B1A431BDA34C54581BE43253BC1BD9328C864@exchange.computerrents.com> <10CCE591-3F46-4211-8C31-22EA1201E6A9@rtpty.com> <3B1A431BDA34C54581BE43253BC1BD9328C866@exchange.computerrents.com> <48DBD99F.2000404@infowall.com> Message-ID: on 9-25-2008 11:34 AM mmcintosh Infowall spake the following: > Hello All, > > I am planning on running a YUM Update on my Centos 5.2 system I have > read on this list that there can be problems with perl modules that are > incompatible with MailScanner so was wondering if anyone had a list of > what I should not update or what versions I should be running. Below is > my MailScanner -v. > The problem is the new perl update overwrites or chokes on the newer modules installed by mailscanner. When you try the update, the new perl update will fail and list the modules it conflicts with. Rpm -e those, update, and re-install MailScanner to re-install those modules and you should be all set. I am planning to upgrade mine this weekend when the mail won't be missed for a few hours during the upgrade and cleanup. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Thu Sep 25 20:06:39 2008 
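A before/after check for the update procedure described above (remove the conflicting RPMs, update, re-install MailScanner), added here and not taken from the thread or from MailScanner itself: it parses two saved `MailScanner -v` listings and reports modules that went missing or changed version. The function names are hypothetical, the "after" listing is constructed, and versions are ordered by Perl's decimal and dotted-decimal rules.

```python
import re

MODULE_RE = re.compile(r"^[A-Za-z_]\w*(?:::\w+)*$")
VERSION_RE = re.compile(r"^(?:missing|v?\d+(?:[._]\d+)*)$")


def parse_module_versions(text):
    """Return {module: version} from `MailScanner -v` output.

    Works on the normal one-pair-per-line output and on a listing that has
    been flattened onto a single line, as in the archived post.
    """
    _, marker, listing = text.partition("Module versions are:")
    if not marker:
        raise ValueError("no 'Module versions are:' section found")
    tokens = listing.split()
    modules = {}
    i = 0
    while i + 1 < len(tokens):
        if VERSION_RE.match(tokens[i]) and MODULE_RE.match(tokens[i + 1]):
            modules[tokens[i + 1]] = tokens[i]
            i += 2
        else:
            i += 1  # section headings and trailing footer text are skipped
    return modules


def version_key(version):
    """Order Perl versions: 3.002005 is v3.2.5, and 1.4 (v1.400) > 1.04 (v1.40)."""
    v = version.replace("_", "")
    if v.startswith("v") or v.count(".") >= 2:
        parts = [int(p) for p in v.lstrip("v").split(".")]
    else:
        whole, _, frac = v.partition(".")
        frac += "0" * (-len(frac) % 3)  # decimal part is read in groups of 3 digits
        parts = [int(whole)] + [int(frac[i:i + 3]) for i in range(0, len(frac), 3)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def drift(before, after):
    """Classify every module whose state differs between two listings."""
    report = {"removed": [], "downgraded": [], "upgraded": [], "added": []}
    for module in sorted(set(before) | set(after)):
        old = before.get(module, "missing")
        new = after.get(module, "missing")
        if old == new:
            continue
        if new == "missing":
            report["removed"].append(module)
        elif old == "missing":
            report["added"].append(module)
        elif version_key(new) < version_key(old):
            report["downgraded"].append(module)
        elif version_key(new) > version_key(old):
            report["upgraded"].append(module)
    return report


# Excerpt of the listing posted in the thread, flattened as archived.
BEFORE_UPDATE = (
    "This is CentOS release 5.2 (Final) This is Perl version 5.008008 (5.8.8) "
    "This is MailScanner version 4.71.10 Module versions are: "
    "1.16 Archive::Zip 3.56 HTML::Parser 5.425 MIME::Tools "
    "Optional module versions are: missing Mail::ClamAV "
    "3.002005 Mail::SpamAssassin 0.63 Net::DNS"
)

# Constructed "after" listing (not from the thread) in the normal line layout.
AFTER_UPDATE = """Module versions are:
1.16     Archive::Zip
missing  HTML::Parser
5.420    MIME::Tools
Optional module versions are:
missing  Mail::ClamAV
3.002005 Mail::SpamAssassin
0.65     Net::DNS
"""

if __name__ == "__main__":
    result = drift(parse_module_versions(BEFORE_UPDATE),
                   parse_module_versions(AFTER_UPDATE))
    for kind, modules in result.items():
        print(f"{kind:11s} {', '.join(modules) or '-'}")
```

Anything reported as removed or downgraded after the update is a module MailScanner still expects, so re-run the MailScanner installer before putting the host back in the mail path.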
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Sep 25 20:07:07 2008 Subject: MailScanner Losing it's Efficiency {Scanned} In-Reply-To: References: <48DB6F63.61A4.0000.0@caspercollege.edu> <48DB76EF.61A4.0000.0@caspercollege.edu> <48DBD12D.9040401@sgvwater.com> Message-ID: on 9-25-2008 11:25 AM Alex Neuman van der Hans spake the following:
> Which rulesemporium rules do you recommend?
>
Looking at 100,000 messages in the database I get good hits on sare_unsub and the various sare_html. I also get good hits on the kam list (http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf) and razor.

I added the following for some blacklists that I didn't see included with spamassassin. Play with the scores if you need to;
-----------------------------------------------------------------------------------

header RCVD_IN_PSBL eval:check_rbl('psbl', 'psbl.surriel.com.')
describe RCVD_IN_PSBL Received via a relay in PSBL
tflags RCVD_IN_PSBL net
score RCVD_IN_PSBL 0 1.50 0 1.50

header RCVD_IN_UCE_PFSM_1 eval:check_rbl('UCE_PFSM_1', 'dnsbl-1.uceprotect.net')
describe RCVD_IN_UCE_PFSM_1 Received via a relay in UCE_PFSM_1
tflags RCVD_IN_UCE_PFSM_1 net
score RCVD_IN_UCE_PFSM_1 0 1.50 0 1.50

header RCVD_IN_UCE_PFSM_2 eval:check_rbl('UCE_PFSM_2', 'dnsbl-2.uceprotect.net')
describe RCVD_IN_UCE_PFSM_2 Received via a relay in UCE_PFSM_2
tflags RCVD_IN_UCE_PFSM_2 net
score RCVD_IN_UCE_PFSM_2 0 1.50 0 1.50

header RCVD_IN_UCE_PFSM_3 eval:check_rbl('UCE_PFSM_3', 'dnsbl-3.uceprotect.net')
describe RCVD_IN_UCE_PFSM_3 Received via a relay in UCE_PFSM_3
tflags RCVD_IN_UCE_PFSM_3 net
score RCVD_IN_UCE_PFSM_3 0 2.50 0 2.50

header MONSTER_JOBS Subject =~ /Monster Job \#/i
describe MONSTER_JOBS Monster Job Resume replies
score MONSTER_JOBS -3.00

body L_DRUGS11 /([CVAXP] ){5}/
header L_DRUGS12 MESSAGEID =~/^<[a-f0-9]{12}\$[a-f0-9]{8}\$[a-f0-9]{8}\@[a-zA-Z]+>/
meta L_DRUGS1 L_DRUGS11 && L_DRUGS12
score L_DRUGS1 5
describe L_DRUGS1 Strange Message-ID and Spam signature in body.

header DNS_FROM_MPBULK_RHSBL eval:check_rbl_from_host('mprhs', 'bulk.rhs.mailpolice.com.')
describe DNS_FROM_MPBULK_RHSBL From: sender listed in bulk.rhs.mailpolice.com
tflags DNS_FROM_MPBULK_RHSBL net
score DNS_FROM_MPBULK_RHSBL 2.0

urirhsbl URIBL_BULK_MPRHS bulk.rhs.mailpolice.com. A
body URIBL_BULK_MPRHS eval:check_uridnsbl('URIBL_BULK_MPRHS')
describe URIBL_BULK_MPRHS Contains a URL listed in the MailPolice bulk senders list
tflags URIBL_BULK_MPRHS net
score URIBL_BULK_MPRHS 2.0

urirhsbl URIBL_PORN_MPRHS porn.rhs.mailpolice.com. A
body URIBL_PORN_MPRHS eval:check_uridnsbl('URIBL_PORN_MPRHS')
describe URIBL_PORN_MPRHS Contains a URL listed in the MailPolice porn domains list
tflags URIBL_PORN_MPRHS net
score URIBL_PORN_MPRHS 2.0

urirhsbl URIBL_FRAUD_MPRHS fraud.rhs.mailpolice.com. A
body URIBL_FRAUD_MPRHS eval:check_uridnsbl('URIBL_FRAUD_MPRHS')
describe URIBL_FRAUD_MPRHS Contains a URL listed in the MailPolice fraud domains list
tflags URIBL_FRAUD_MPRHS net
score URIBL_FRAUD_MPRHS 2.0

header RCVD_IN_SPAMCANNIBAL eval:check_rbl('spamcannibal', 'bl.spamcannibal.org.')
describe RCVD_IN_SPAMCANNIBAL Received via a relay in SpamCannibal
tflags RCVD_IN_SPAMCANNIBAL net
score RCVD_IN_SPAMCANNIBAL 0 1.50 0 1.50

header RCVD_IN_MSRBL eval:check_rbl('msrbl', 'combined.rbl.msrbl.net.')
describe RCVD_IN_MSRBL Received via a relay in MSRBL
tflags RCVD_IN_MSRBL net
score RCVD_IN_MSRBL 0 1.50 0 1.50

header RCVD_IN_BACKSCATTER eval:check_rbl('msrbl', 'ips.backscatterer.org.')
describe RCVD_IN_BACKSCATTER Received via a relay in Backscatter.org
tflags RCVD_IN_BACKSCATTER net
score RCVD_IN_BACKSCATTER 0 1.50 0 1.50

#---added 8/1/2006 to combat image spam
rawbody INLINE_IMAGE /src\s*=\s*["']cid:/i
describe INLINE_IMAGE Inline Images
score INLINE_IMAGE 2.0

#added 11/27/2007 as a spam test
#Many of the spams originating from hotmail addresses here have a
#Reply-To: address in a yahoo domain.

header __HC_FROM_HOTMAIL From =~ /\@hotmail\./
describe __HC_FROM_HOTMAIL email From hotmail user

header __HC_REPLY_YAHOO Reply-To =~ /\@yahoo\./
describe __HC_REPLY_YAHOO Reply-To yahoo user

meta HC_HOTMAIL_YAHOO ( __HC_FROM_HOTMAIL && __HC_REPLY_YAHOO)
describe HC_HOTMAIL_YAHOO From hotmail, reply to Yahoo
score HC_HOTMAIL_YAHOO 20

-----------------------------------------------------------------------------------

--
MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!!
From mmcintosh at infowall.com Thu Sep 25 20:32:41 2008 
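The lookup behind `host 2.0.0.127.zen.spamhaus.org` and behind the `check_rbl` rules in Scott Silva's posts, as an added example that is not part of the original messages: it builds the DNSBL query name and tells a healthy zone apart from one that refuses you, gives no answer, or lists everything. The function names and `dead.dnsbl.example` are hypothetical, the resolver answers are constructed, the 127.0.0.2 / 127.0.0.1 test points come from RFC 5782, and treating 127.255.255.0/24 answers as errors follows Spamhaus's documented return codes.

```python
import ipaddress
import socket

TEST_LISTED = "127.0.0.2"      # RFC 5782: every IPv4 DNSBL must list this address
TEST_NOT_LISTED = "127.0.0.1"  # RFC 5782: and must never list this one
LISTING_NET = ipaddress.ip_network("127.0.0.0/8")
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")  # error codes, not listings


def dnsbl_query_name(ip, zone):
    """Reverse the address and append the zone: 127.0.0.2 -> 2.0.0.127.<zone>."""
    rev = ipaddress.ip_address(ip).reverse_pointer
    for suffix in (".in-addr.arpa", ".ip6.arpa"):
        if rev.endswith(suffix):
            rev = rev[: -len(suffix)]
    return f"{rev}.{zone.rstrip('.')}"


def system_resolver(name):
    """A-record lookup through the host's resolver; [] for NXDOMAIN or failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def classify(answers):
    """Interpret the A records returned for one DNSBL query."""
    if not answers:
        return "not-listed"
    addrs = [ipaddress.ip_address(a) for a in answers]
    if any(a in ERROR_NET for a in addrs):
        return "error"
    if all(a in LISTING_NET for a in addrs):
        return "listed"
    return "unexpected"  # a real-world address: wildcard or rewritten DNS


def zone_health(zone, resolver=system_resolver):
    """Check a zone with its two test points before trusting its verdicts."""
    positive = classify(resolver(dnsbl_query_name(TEST_LISTED, zone)))
    negative = classify(resolver(dnsbl_query_name(TEST_NOT_LISTED, zone)))
    if "error" in (positive, negative):
        return "refused"           # the list answered, but with an error code
    if "unexpected" in (positive, negative):
        return "hijacked"          # answer is outside 127.0.0.0/8
    if positive == "not-listed":
        return "no-answer"         # locked out, zone gone, or resolver failing
    if negative == "listed":
        return "lists-everything"  # every score from this zone is a false hit
    return "ok"


def fake_resolver(table):
    """Build an offline resolver from a {query name: [answers]} table."""
    return lambda name: table.get(name, [])


# Constructed answers, so the demonstration runs without network access.
SCENARIOS = {
    "healthy": ("zen.spamhaus.org", {
        "2.0.0.127.zen.spamhaus.org": ["127.0.0.2", "127.0.0.4", "127.0.0.10"]}),
    "locked out": ("zen.spamhaus.org", {}),
    "error code": ("zen.spamhaus.org", {
        "2.0.0.127.zen.spamhaus.org": ["127.255.255.254"]}),
    "dead list": ("dead.dnsbl.example", {
        "2.0.0.127.dead.dnsbl.example": ["127.0.0.2"],
        "1.0.0.127.dead.dnsbl.example": ["127.0.0.2"]}),
}

if __name__ == "__main__":
    for label, (zone, table) in SCENARIOS.items():
        print(f"{label:11s} {zone:20s} {zone_health(zone, fake_resolver(table))}")
```

Calling `zone_health(zone)` with no resolver argument performs the live lookups from the mail server itself, which is where the check has to run because DNSBL operators rate-limit per querying resolver.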
From: mmcintosh at infowall.com (mmcintosh Infowall) Date: Thu Sep 25 20:33:28 2008 Subject: CentOs YUM Update? In-Reply-To: References: <3B1A431BDA34C54581BE43253BC1BD9328C864@exchange.computerrents.com> <10CCE591-3F46-4211-8C31-22EA1201E6A9@rtpty.com> <3B1A431BDA34C54581BE43253BC1BD9328C866@exchange.computerrents.com> <48DBD99F.2000404@infowall.com> Message-ID: <48DBE759.2090200@infowall.com> Scott Silva wrote: > on 9-25-2008 11:34 AM mmcintosh Infowall spake the following: >> Hello All, >> >> I am planning on running a YUM Update on my Centos 5.2 system I have >> read on this list that there can be problems with perl modules that >> are incompatible with MailScanner so was wondering if anyone had a >> list of what I should not update or what versions I should be >> running. Below is my MailScanner -v. >> > The problem is the new perl update overwrites or chokes on the newer > modules installed by mailscanner. When you try the update, the new > perl update will fail and list the modules it conflicts with. > Rpm -e those, update, and re-install MailScanner to re-install those > modules and you should be all set. > > I am planning to upgrade mine this weekend when the mail won't be > missed for a few hours during the upgrade and cleanup. > Scott, Thanks I will try it this weekend and see how it goes. Mark -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From alex at rtpty.com Thu Sep 25 20:37:26 2008 
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Thu Sep 25 20:37:58 2008 Subject: MailScanner Losing it's Efficiency {Scanned} In-Reply-To: References: <48DB6F63.61A4.0000.0@caspercollege.edu> <48DB76EF.61A4.0000.0@caspercollege.edu> <48DBD12D.9040401@sgvwater.com> Message-ID: <6A3B0506-E544-4FBA-A4B6-92B391793D00@rtpty.com> Excellent! Sounds like a good article for the wiki... --- Alex Neuman Reliant Technologies +507 6781-9505 Skype: alexneuman On Sep 25, 2008, at 2:06 PM, Scott Silva wrote: > on 9-25-2008 11:25 AM Alex Neuman van der Hans spake the following: >> Which rulesemporium rules do you recommend? > Looking at 100,000 messages in the database I get good hits on > sare_unsub and the various sare_html. I also get good hits on the > kam list (http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf > ) > and razor. > > I added the following for some blacklists that I didn't see included > with spamassassin. Play with the scores if you need to; > --- > --- > --- > --- > --- > -------------------------------------------------------------------- > > header RCVD_IN_PSBL eval:check_rbl('psbl', > 'psbl.surriel.com.') > describe RCVD_IN_PSBL Received via a relay in PSBL > tflags RCVD_IN_PSBL net > score RCVD_IN_PSBL 0 1.50 0 1.50 > > header RCVD_IN_UCE_PFSM_1 eval:check_rbl('UCE_PFSM_1', > 'dnsbl-1.uceprotect.net') > describe RCVD_IN_UCE_PFSM_1 Received via a relay in > UCE_PFSM_1 > tflags RCVD_IN_UCE_PFSM_1 net > score RCVD_IN_UCE_PFSM_1 0 1.50 0 1.50 > > header RCVD_IN_UCE_PFSM_2 eval:check_rbl('UCE_PFSM_2', > 'dnsbl-2.uceprotect.net') > describe RCVD_IN_UCE_PFSM_2 Received via a relay in > UCE_PFSM_2 > tflags RCVD_IN_UCE_PFSM_2 net > score RCVD_IN_UCE_PFSM_2 0 1.50 0 1.50 > > header RCVD_IN_UCE_PFSM_3 eval:check_rbl('UCE_PFSM_3', > 'dnsbl-3.uceprotect.net') > describe RCVD_IN_UCE_PFSM_3 Received via a relay in > UCE_PFSM_3 > tflags RCVD_IN_UCE_PFSM_3 net > score RCVD_IN_UCE_PFSM_3 0 2.50 0 2.50 > > header MONSTER_JOBS Subject =~ /Monster Job 
\#/i > describe MONSTER_JOBS Monster Job Resume replies > score MONSTER_JOBS -3.00 > > body L_DRUGS11 /([CVAXP] ){5}/ > header L_DRUGS12 MESSAGEID =~/^<[a-f0-9]{12}\$[a-f0-9]{8}\$[a-f0-9] > {8}\@[a-zA-Z]+>/ > meta L_DRUGS1 L_DRUGS11 && L_DRUGS12 > score L_DRUGS1 5 > describe L_DRUGS1 Strange Message-ID and Spam signature in body. > > header DNS_FROM_MPBULK_RHSBL eval:check_rbl_from_host('mprhs', > 'bulk.rhs.mailpolice.com.') > describe DNS_FROM_MPBULK_RHSBL 
From: sender listed in > bulk.rhs.mailpolice.com > tflags DNS_FROM_MPBULK_RHSBL net > score DNS_FROM_MPBULK_RHSBL 2.0 > > > urirhsbl URIBL_BULK_MPRHS bulk.rhs.mailpolice.com. A > body URIBL_BULK_MPRHS eval:check_uridnsbl('URIBL_BULK_MPRHS') > describe URIBL_BULK_MPRHS Contains a URL listed in the MailPolice > bulk senders list > tflags URIBL_BULK_MPRHS net > score URIBL_BULK_MPRHS 2.0 > > > urirhsbl URIBL_PORN_MPRHS porn.rhs.mailpolice.com. A > body URIBL_PORN_MPRHS eval:check_uridnsbl('URIBL_PORN_MPRHS') > describe URIBL_PORN_MPRHS Contains a URL listed in the MailPolice > porn domains list > tflags URIBL_PORN_MPRHS net > score URIBL_PORN_MPRHS 2.0 > > > urirhsbl URIBL_FRAUD_MPRHS fraud.rhs.mailpolice.com. A > body URIBL_FRAUD_MPRHS eval:check_uridnsbl('URIBL_FRAUD_MPRHS') > describe URIBL_FRAUD_MPRHS Contains a URL listed in the MailPolice > fraud domains list > tflags URIBL_FRAUD_MPRHS net > score URIBL_FRAUD_MPRHS 2.0 > > header RCVD_IN_SPAMCANNIBAL > eval:check_rbl('spamcannibal', 'bl.spamcannibal.org.') > describe RCVD_IN_SPAMCANNIBAL Received via a relay in > SpamCannibal > tflags RCVD_IN_SPAMCANNIBAL net > score RCVD_IN_SPAMCANNIBAL 0 1.50 0 1.50 > > header RCVD_IN_MSRBL eval:check_rbl('msrbl', > 'combined.rbl.msrbl.net.') > describe RCVD_IN_MSRBL Received via a relay in MSRBL > tflags RCVD_IN_MSRBL net > score RCVD_IN_MSRBL 0 1.50 0 1.50 > > header RCVD_IN_BACKSCATTER eval:check_rbl('msrbl', > 'ips.backscatterer.org.') > describe RCVD_IN_BACKSCATTER Received via a relay in > Backscatter.org > tflags RCVD_IN_BACKSCATTER net > score RCVD_IN_BACKSCATTER 0 1.50 0 1.50 > > #---added 8/1/2006 to combat image spam > rawbody INLINE_IMAGE /src\s*=\s*["']cid:/i > describe INLINE_IMAGE Inline Images > score INLINE_IMAGE 2.0 > > > > #added 11/27/2007 as a spam test > #Many of the spams originating from hotmail addresses here have a > #Reply-To: address in a yahoo domain. 
> > header __HC_FROM_HOTMAIL From =~ /\@hotmail\./ > describe __HC_FROM_HOTMAIL email From hotmail user > > header __HC_REPLY_YAHOO Reply-To =~ /\@yahoo\./ > describe __HC_REPLY_YAHOO Reply-To yahoo user > > meta HC_HOTMAIL_YAHOO ( __HC_FROM_HOTMAIL && > __HC_REPLY_YAHOO) > describe HC_HOTMAIL_YAHOO From hotmail, reply to Yahoo > score HC_HOTMAIL_YAHOO 20 > > --- > --- > --- > --- > --- > -------------------------------------------------------------------- > > > -- > MailScanner is like deodorant... > You hope everybody uses it, and > you notice quickly if they don't!!!! > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From ssilva at sgvwater.com Thu Sep 25 20:46:30 2008 
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Sep 25 20:50:11 2008 Subject: MailScanner Losing it's Efficiency {Scanned} In-Reply-To: <6A3B0506-E544-4FBA-A4B6-92B391793D00@rtpty.com> References: <48DB6F63.61A4.0000.0@caspercollege.edu> <48DB76EF.61A4.0000.0@caspercollege.edu> <48DBD12D.9040401@sgvwater.com> <6A3B0506-E544-4FBA-A4B6-92B391793D00@rtpty.com> Message-ID: on 9-25-2008 12:37 PM Alex Neuman van der Hans spake the following: > Excellent! Sounds like a good article for the wiki... > I don't think I would add all that to a wiki, because blacklists are so regional. What works well for me might clobber legit mail for you. But it is a good look at what can be done over time. You can see comments in there from 2006, so it is always a work in progress. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From dstraka at caspercollege.edu Thu Sep 25 21:15:42 2008 
From: dstraka at caspercollege.edu (Daniel Straka) Date: Thu Sep 25 21:16:12 2008 Subject: MailScanner Losing it's Efficiency {Scanned} In-Reply-To: References: <48DB6F63.61A4.0000.0@caspercollege.edu> <48DB76EF.61A4.0000.0@caspercollege.edu> <48DBD12D.9040401@sgvwater.com> Message-ID: <48DB9D0E.61A4.0000.0@caspercollege.edu> >>> Scott Silva 9/25/2008 1:06 PM >>> > on 9-25-2008 11:25 AM Alex Neuman van der Hans spake the following: > Which rulesemporium rules do you recommend? > > Looking at 100,000 messages in the database I get good hits on sare_unsub and > the various sare_html. I also get good hits on the kam list > (http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf) > and razor. I'd like to try the KAM.cf for spamassassin. There's no KAM.pm, how does one install (if you will) the KAM.cf rules? I can't find any instructions for using a .cf file without a corresponding .pm file. From gesbbb at yahoo.com Thu Sep 25 21:26:23 2008 
From: gesbbb at yahoo.com (Jerry) Date: Thu Sep 25 21:26:35 2008 Subject: Allowing xls files In-Reply-To: References: <48DBA589.1050007@gmail.com> Message-ID: <20080925162623.6f0f8979@scorpio> On Thu, 25 Sep 2008 18:01:55 +0200 "Ehle, Roland" wrote: > Excel files are allowed by default. The only reason I can imagine, > why an excel file could be blocked by MailScanner is the filename. > Users tend to name their files in strange ways like > invoice.2008.08.23.xls which will be blocked by MailScanner due the > rule, which blocks filenames with double file extensions (Hint: look > for Deny all other double file extensions in your filename.rules.conf) I don't think that naming convention is so strange. The only thing different is that I would have named the file: invoice-2008.08.23.xls instead. Unfortunately, a colon ':' is not an acceptable character for a file name under Windows. -- Jerry gesbbb@yahoo.com America is a melting pot. You know, where those on the bottom get burned, and the scum rises to the top. Utah Phillips From alex at rtpty.com Thu Sep 25 21:28:57 2008 
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Thu Sep 25 21:29:11 2008 Subject: MailScanner Losing it's Efficiency {Scanned} In-Reply-To: <48DB9D0E.61A4.0000.0@caspercollege.edu> References: <48DB6F63.61A4.0000.0@caspercollege.edu> <48DB76EF.61A4.0000.0@caspercollege.edu> <48DBD12D.9040401@sgvwater.com> <48DB9D0E.61A4.0000.0@caspercollege.edu> Message-ID: <8C597485-2AF2-41C5-8C9B-FCC7E943727C@rtpty.com> It's the other way around. CF files don't usually need PM files, PM files do. Just copy that CF file on /etc/mail/spamassassin (I guess symlinks are also ok). Usually this'll do:
cd /etc/mail/spamassassin
wget http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf
service MailScanner restart
On Sep 25, 2008, at 3:15 PM, Daniel Straka wrote: >>>> Scott Silva 9/25/2008 1:06 PM >>> >> on 9-25-2008 11:25 AM Alex Neuman van der Hans spake the following: >> Which rulesemporium rules do you recommend? >> >> Looking at 100,000 messages in the database I get good hits on >> sare_unsub and >> the various sare_html. I also get good hits on the kam list >> (http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf) >> and razor. > > > I'd like to try the KAM.cf for spamassassin. There's no KAM.pm, how > does one install (if you will) the KAM.cf rules? I can't find any > instructions for using a .cf file without a corresponding .pm file. > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From roland at inbox4u.de Thu Sep 25 21:33:45 2008 
From: roland at inbox4u.de (Ehle, Roland) Date: Thu Sep 25 21:34:33 2008 Subject: AW: Allowing xls files In-Reply-To: <20080925162623.6f0f8979@scorpio> References: <48DBA589.1050007@gmail.com> <20080925162623.6f0f8979@scorpio> Message-ID: Slightly OT, but you are right. It depends on the person. For some people this naming convention is not strange, but normal :-) > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jerry > Sent: Thursday, 25 September 2008 22:26 > To: mailscanner@lists.mailscanner.info > Subject: Re: Allowing xls files > > On Thu, 25 Sep 2008 18:01:55 +0200 > "Ehle, Roland" wrote: > > > Excel files are allowed by default. The only reason I can imagine, > why > > an excel file could be blocked by MailScanner is the filename. > > Users tend to name their files in strange ways like > > invoice.2008.08.23.xls which will be blocked by MailScanner due the > > rule, which blocks filenames with double file extensions (Hint: look > > for Deny all other double file extensions in your > filename.rules.conf) > > I don't think that naming convention is so strange. The only thing > different is that I would have named the file: invoice-2008.08.23.xls > instead. Unfortunately, a colon ':' is not an acceptable character for > a file name under Windows. > > -- > Jerry > gesbbb@yahoo.com > > America is a melting pot. You know, where those on the bottom get > burned, and the scum rises to the top. > > Utah Phillips From martinh at solidstatelogic.com Thu Sep 25 21:45:10 2008 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Thu Sep 25 21:39:40 2008 Subject: MailScanner Losing it's Efficiency Message-ID: Daniel 1st off upgrade sa and look at what's scoring these emails low. I've had quite a few emails scored low with bayes being part of the issue. There's some info on the wiki about getting the most out of SA. -- martin -----Original Message----- 
From: Daniel Straka Sent: 25 September 2008 19:16 To: mailscanner@lists.mailscanner.info Subject: MailScanner Losing it's Efficiency As Scott was so kind to point out, I made a mistake on my MS version , it's 4.69.9, installed in May. Sorry about that. I'm running MailScanner v4.54.6 with SpamAssassin v3.1.3 and over the last couple of weeks a lot of spam is coming through that is quite spammy in nature. So it seems that MailScanner is no longer very effective at spam detection. The number of messages that make it into user mailboxes has gone from ~4000 to ~6000 per day without an overall increase in mail received at the mx servers. What could cause a decrease in the effectiveness of spam detection? Any tips (details please) on keeping MS and SA optimized at spam detection? Is it possible the spammers have a bunch of new relays that aren't in the RBL's yet? Or are the spamcop or spamhaus RBL's having issues? Thanks, -- Dan Straka Systems Coordinator Casper College 307.268.2399 www.caspercollege.edu ( http://www.caspercollege.edu/ ) From Kevin_Miller at ci.juneau.ak.us Thu Sep 25 21:41:03 2008 
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Thu Sep 25 21:41:15 2008 Subject: MailScanner Losing it's Efficiency {Scanned} In-Reply-To: <48DB9D0E.61A4.0000.0@caspercollege.edu> References: <48DB6F63.61A4.0000.0@caspercollege.edu> <48DB76EF.61A4.0000.0@caspercollege.edu> <48DBD12D.9040401@sgvwater.com> <48DB9D0E.61A4.0000.0@caspercollege.edu> Message-ID: Daniel Straka wrote: > I'd like to try the KAM.cf for spamassassin. There's no KAM.pm, how > does one install (if you will) the KAM.cf rules? I can't find any > instructions for using a .cf file without a corresponding .pm file. Download it from: http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf To download the latest version automatically every night, fetch http://www.mailscanner.info/files/4/KAM.cf.sh and put it in /etc/cron.daily Be sure to make it executable: chmod +x /etc/cron.daily/KAM.cf.sh Run it once to get the initial copy of the ruleset file. It will keep a backup copy of the KAM.cf ruleset in KAM.cf.backup, which it will use if it can't download KAM.cf correctly later. ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From dstraka at caspercollege.edu Thu Sep 25 21:42:01 2008 
From: dstraka at caspercollege.edu (Daniel Straka)
Date: Thu Sep 25 21:42:34 2008
Subject: MailScanner Losing it's Efficiency {Scanned}
In-Reply-To: <8C597485-2AF2-41C5-8C9B-FCC7E943727C@rtpty.com>
References: <48DB6F63.61A4.0000.0@caspercollege.edu> <48DB76EF.61A4.0000.0@caspercollege.edu> <48DBD12D.9040401@sgvwater.com> <48DB9D0E.61A4.0000.0@caspercollege.edu><48DB9D0E.61A4.0000.0@caspercollege.edu> <8C597485-2AF2-41C5-8C9B-FCC7E943727C@rtpty.com>
Message-ID: <48DBA338.61A4.0000.0@caspercollege.edu>

I dropped KAM.cf into /etc/mail/spamassassin and ran "spamassassin --lint" and here's the output:

[12246] warn: plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/KAM.pm in @INC (@INC contains: /usr/lib/perl5/vendor_perl/5.8.8/i586-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/5.8.8/i586-linux-thread-multi /usr/lib/perl5/5.8.8 /usr/lib/perl5/site_perl/5.8.8/i586-linux-thread-multi /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl) at (eval 68) line 1.
[12246] warn: plugin: failed to create instance of plugin Mail::SpamAssassin::Plugin::KAM: Can't locate object method "new" via package "Mail::SpamAssassin::Plugin::KAM" at (eval 69) line 1.

It appears to be looking for a corresponding .pm file. Anyone have this issue?

>>> On 9/25/2008 at 2:28 PM, in message <8C597485-2AF2-41C5-8C9B-FCC7E943727C@rtpty.com>, Alex Neuman van der Hans wrote:
> It's the other way around. CF files don't usually need PM files, PM
> files do. Just copy that CF file on /etc/mail/spamassassin (I guess
> symlinks are also ok).
> Usually this'll do:
> cd /etc/mail/spamassassin
> wget http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf
> service MailScanner restart
>
> On Sep 25, 2008, at 3:15 PM, Daniel Straka wrote:
>
>>>>> Scott Silva 9/25/2008 1:06 PM >>>
>>> on 9-25-2008 11:25 AM Alex Neuman van der Hans spake the following:
>>> Which rulesemporium rules do you recommend?
>>>
>>> Looking at 100,000 messages in the database I get good hits on
>>> sare_unsub and
>>> the various sare_html. I also get good hits on the kam list
>>> (http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf)
>>> and razor.
>>
>>
>> I'd like to try the KAM.cf for spamassassin. There's no KAM.pm, how
>> does one install (if you will) the KAM.cf rules? I can't find any
>> instructions for using a .cf file without a corresponding .pm file.

From alex at rtpty.com Thu Sep 25 21:53:20 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Thu Sep 25 21:53:35 2008
Subject: MailScanner Losing it's Efficiency
In-Reply-To:
References:
Message-ID: <4E3F50DE-8731-4B11-860C-EE6628142FD0@rtpty.com>

Oh, and it's efficacy - not efficiency! hahahaha ... the composition nazi strikes again! MWAHAHAHAHA... Seek help!

From alex at rtpty.com Thu Sep 25 21:59:46 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Thu Sep 25 21:59:58 2008
Subject: MailScanner Losing it's Efficiency {Scanned}
In-Reply-To: <48DBA338.61A4.0000.0@caspercollege.edu>
References: <48DB6F63.61A4.0000.0@caspercollege.edu> <48DB76EF.61A4.0000.0@caspercollege.edu> <48DBD12D.9040401@sgvwater.com> <48DB9D0E.61A4.0000.0@caspercollege.edu><48DB9D0E.61A4.0000.0@caspercollege.edu> <8C597485-2AF2-41C5-8C9B-FCC7E943727C@rtpty.com> <48DBA338.61A4.0000.0@caspercollege.edu>
Message-ID: <0F18B4AB-755A-4653-ADD0-B09FA58E25D5@rtpty.com>

Not here. This looks like a perl problem.

And spamassassin --lint doesn't show much info on my setup; I usually use spamassassin -D --lint

On Sep 25, 2008, at 3:42 PM, Daniel Straka wrote:

> It appears to be looking for a corresponding .pm file. Anyone have
> this issue?

From ssilva at sgvwater.com Thu Sep 25 22:13:16 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Sep 25 22:13:34 2008
Subject: MailScanner Losing it's Efficiency {Scanned}
In-Reply-To: <0F18B4AB-755A-4653-ADD0-B09FA58E25D5@rtpty.com>
References: <48DB6F63.61A4.0000.0@caspercollege.edu> <48DB76EF.61A4.0000.0@caspercollege.edu> <48DBD12D.9040401@sgvwater.com> <48DB9D0E.61A4.0000.0@caspercollege.edu><48DB9D0E.61A4.0000.0@caspercollege.edu> <8C597485-2AF2-41C5-8C9B-FCC7E943727C@rtpty.com> <48DBA338.61A4.0000.0@caspercollege.edu> <0F18B4AB-755A-4653-ADD0-B09FA58E25D5@rtpty.com>
Message-ID:

on 9-25-2008 1:59 PM Alex Neuman van der Hans spake the following:
> Not here. This looks like a perl problem.
>
> And spamassassin --lint doesn't show much info on my setup; I usually
> use spamassassin -D --lint
>
> On Sep 25, 2008, at 3:42 PM, Daniel Straka wrote:
>
>> It appears to be looking for a corresponding .pm file. Anyone have
>> this issue?
>
I don't see any call for a pm file in the cf.

How did you download it?

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From dstraka at caspercollege.edu Thu Sep 25 22:41:32 2008
From: dstraka at caspercollege.edu (Daniel Straka)
Date: Thu Sep 25 22:42:10 2008
Subject: MailScanner Losing it's Efficiency {Scanned}
In-Reply-To:
References: <48DB6F63.61A4.0000.0@caspercollege.edu> <48DB76EF.61A4.0000.0@caspercollege.edu> <48DBD12D.9040401@sgvwater.com> <48DB9D0E.61A4.0000.0@caspercollege.edu><48DB9D0E.61A4.0000.0@caspercollege.edu> <8C597485-2AF2-41C5-8C9B-FCC7E943727C@rtpty.com> <48DBA338.61A4.0000.0@caspercollege.edu> <0F18B4AB-755A-4653-ADD0-B09FA58E25D5@rtpty.com><0F18B4AB-755A-4653-ADD0-B09FA58E25D5@rtpty.com>
Message-ID: <48DBB12B.61A4.0000.0@caspercollege.edu>

>>> Scott Silva 9/25/2008 3:13 PM >>>
on 9-25-2008 1:59 PM Alex Neuman van der Hans spake the following:
>> Not here. This looks like a perl problem.
>>
>> And spamassassin --lint doesn't show much info on my setup; I usually
>> use spamassassin -D --lint
>>
>>> On Sep 25, 2008, at 3:42 PM, Daniel Straka wrote:
>>>
>>> It appears to be looking for a corresponding .pm file. Anyone have
>>> this issue?
>>
>I don't see any call for a pm file in the cf.
>
>How did you download it?

I overdid it and put an entry in the v310.PRE file and that was causing the lint errors. I've done this in the past when I've had .pm and .cf pairs to work with. KAM.cf appears to be working as I'm seeing many SA KAM hits in the mail log. I'll let it run a while and leave the list alone. Thanks to everyone who has helped me with these matters.

--
Dan Straka
Systems Coordinator
Casper College
307.268.2399
www.caspercollege.edu ( http://www.caspercollege.edu/ )

From martinh at solidstatelogic.com Fri Sep 26 08:53:38 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Fri Sep 26 08:53:50 2008
Subject: MailScanner Losing it's Efficiency {Scanned}
In-Reply-To:
Message-ID: <0444f1395c35b44ab87c872948f05223@solidstatelogic.com>

Or create a custom ruleset for rulesdujour ;-)

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Kevin Miller
> Sent: 25 September 2008 21:41
> To: MailScanner discussion
> Subject: RE: MailScanner Losing it's Efficiency {Scanned}
>
> Daniel Straka wrote:
>
> > I'd like to try the KAM.cf for spamassassin. There's no KAM.pm, how
> > does one install (if you will) the KAM.cf rules? I can't find any
> > instructions for using a .cf file without a corresponding .pm file.
>
>
> Download it from:
> http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf
>
> To download the latest version automatically every night, fetch
> http://www.mailscanner.info/files/4/KAM.cf.sh and put it in
> /etc/cron.daily
>
> Be sure to make it executable:
> chmod +x /etc/cron.daily/KAM.cf.sh
>
> Run it once to get the initial copy of the ruleset file. It
> will keep a backup copy of the KAM.cf ruleset in
> KAM.cf.backup, which it will use if it can't download KAM.cf
> correctly later.
>
>
> ...Kevin
> --
> Kevin Miller Registered Linux User No: 307357
> CBJ MIS Dept. Network Systems Admin., Mail Admin.
> 155 South Seward Street ph: (907) 586-0242
> Juneau, Alaska 99801 fax: (907 586-4500

From prandal at herefordshire.gov.uk Fri Sep 26 12:04:27 2008
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Fri Sep 26 12:05:07 2008
Subject: Attention all iXhash users
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA04BFBBF6@HC-MBX02.herefordshire.gov.uk>

From a post by Dirk Bonengel on the spamassassin-users mailing list (and on the iXhash website):

Important news

iXhash.net is now using its own domain to serve iXhash data. If you use the iXhash plugin, make sure to rework your configuration:

* Dump any test using 'nospam.login-solutions.de' as domain
* Likewise, dump any test using 'nospam.login-solutions.ag'
* Create a new test querying the domain 'generic.ixhash.net'

More details on what zones are available are available at http://ixhash.sourceforge.net/listinfo.html

There's an example config at http://ixhash.sourceforge.net/example.html but it has a typo in it (CYTME should be CTYME)

Cheers,

Phil
--
Phil Randal
Networks Engineer
Herefordshire Council
Hereford, UK

From prandal at herefordshire.gov.uk Fri Sep 26 12:18:22 2008
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Fri Sep 26 12:19:08 2008
Subject: MailScanner Losing it's Efficiency {Scanned}
In-Reply-To:
References:
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA04BFBBFD@HC-MBX02.herefordshire.gov.uk>

header __HC_FROM_HOTMAIL From =~ /\@(?:live|hotmail)\./
describe __HC_FROM_HOTMAIL email From hotmail or live user

is a better rule than my original

header __HC_FROM_HOTMAIL From =~ /\@hotmail\./
describe __HC_FROM_HOTMAIL email From hotmail user

FreeMail.pm from http://sa.hege.li/FreeMail.pm is also useful.

Cheers,

Phil
--
Phil Randal
Networks Engineer
Herefordshire Council
Hereford, UK

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott Silva
Sent: 25 September 2008 20:07
To: mailscanner@lists.mailscanner.info
Subject: Re: MailScanner Losing it's Efficiency {Scanned}

on 9-25-2008 11:25 AM Alex Neuman van der Hans spake the following:
> Which rulesemporium rules do you recommend?
>
Looking at 100,000 messages in the database I get good hits on sare_unsub and the various sare_html. I also get good hits on the kam list (http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf) and razor.

I added the following for some blacklists that I didn't see included with spamassassin. Play with the scores if you need to;

-----------------------------------------------------------------------------------
header RCVD_IN_PSBL eval:check_rbl('psbl', 'psbl.surriel.com.')
describe RCVD_IN_PSBL Received via a relay in PSBL
tflags RCVD_IN_PSBL net
score RCVD_IN_PSBL 0 1.50 0 1.50

header RCVD_IN_UCE_PFSM_1 eval:check_rbl('UCE_PFSM_1', 'dnsbl-1.uceprotect.net')
describe RCVD_IN_UCE_PFSM_1 Received via a relay in UCE_PFSM_1
tflags RCVD_IN_UCE_PFSM_1 net
score RCVD_IN_UCE_PFSM_1 0 1.50 0 1.50

header RCVD_IN_UCE_PFSM_2 eval:check_rbl('UCE_PFSM_2', 'dnsbl-2.uceprotect.net')
describe RCVD_IN_UCE_PFSM_2 Received via a relay in UCE_PFSM_2
tflags RCVD_IN_UCE_PFSM_2 net
score RCVD_IN_UCE_PFSM_2 0 1.50 0 1.50

header RCVD_IN_UCE_PFSM_3 eval:check_rbl('UCE_PFSM_3', 'dnsbl-3.uceprotect.net')
describe RCVD_IN_UCE_PFSM_3 Received via a relay in UCE_PFSM_3
tflags RCVD_IN_UCE_PFSM_3 net
score RCVD_IN_UCE_PFSM_3 0 2.50 0 2.50

header MONSTER_JOBS Subject =~ /Monster Job \#/i
describe MONSTER_JOBS Monster Job Resume replies
score MONSTER_JOBS -3.00

body L_DRUGS11 /([CVAXP] ){5}/
header L_DRUGS12 MESSAGEID =~/^<[a-f0-9]{12}\$[a-f0-9]{8}\$[a-f0-9]{8}\@[a-zA-Z]+>/
meta L_DRUGS1 L_DRUGS11 && L_DRUGS12
score L_DRUGS1 5
describe L_DRUGS1 Strange Message-ID and Spam signature in body.

header DNS_FROM_MPBULK_RHSBL eval:check_rbl_from_host('mprhs', 'bulk.rhs.mailpolice.com.')
describe DNS_FROM_MPBULK_RHSBL From: sender listed in bulk.rhs.mailpolice.com
tflags DNS_FROM_MPBULK_RHSBL net
score DNS_FROM_MPBULK_RHSBL 2.0

urirhsbl URIBL_BULK_MPRHS bulk.rhs.mailpolice.com. A
body URIBL_BULK_MPRHS eval:check_uridnsbl('URIBL_BULK_MPRHS')
describe URIBL_BULK_MPRHS Contains a URL listed in the MailPolice bulk senders list
tflags URIBL_BULK_MPRHS net
score URIBL_BULK_MPRHS 2.0

urirhsbl URIBL_PORN_MPRHS porn.rhs.mailpolice.com. A
body URIBL_PORN_MPRHS eval:check_uridnsbl('URIBL_PORN_MPRHS')
describe URIBL_PORN_MPRHS Contains a URL listed in the MailPolice porn domains list
tflags URIBL_PORN_MPRHS net
score URIBL_PORN_MPRHS 2.0

urirhsbl URIBL_FRAUD_MPRHS fraud.rhs.mailpolice.com. A
body URIBL_FRAUD_MPRHS eval:check_uridnsbl('URIBL_FRAUD_MPRHS')
describe URIBL_FRAUD_MPRHS Contains a URL listed in the MailPolice fraud domains list
tflags URIBL_FRAUD_MPRHS net
score URIBL_FRAUD_MPRHS 2.0

header RCVD_IN_SPAMCANNIBAL eval:check_rbl('spamcannibal', 'bl.spamcannibal.org.')
describe RCVD_IN_SPAMCANNIBAL Received via a relay in SpamCannibal
tflags RCVD_IN_SPAMCANNIBAL net
score RCVD_IN_SPAMCANNIBAL 0 1.50 0 1.50

header RCVD_IN_MSRBL eval:check_rbl('msrbl', 'combined.rbl.msrbl.net.')
describe RCVD_IN_MSRBL Received via a relay in MSRBL
tflags RCVD_IN_MSRBL net
score RCVD_IN_MSRBL 0 1.50 0 1.50

header RCVD_IN_BACKSCATTER eval:check_rbl('msrbl', 'ips.backscatterer.org.')
describe RCVD_IN_BACKSCATTER Received via a relay in Backscatter.org
tflags RCVD_IN_BACKSCATTER net
score RCVD_IN_BACKSCATTER 0 1.50 0 1.50

#---added 8/1/2006 to combat image spam
rawbody INLINE_IMAGE /src\s*=\s*["']cid:/i
describe INLINE_IMAGE Inline Images
score INLINE_IMAGE 2.0

#added 11/27/2007 as a spam test
#Many of the spams originating from hotmail addresses here have a
#Reply-To: address in a yahoo domain.
header __HC_FROM_HOTMAIL From =~ /\@hotmail\./
describe __HC_FROM_HOTMAIL email From hotmail user
header __HC_REPLY_YAHOO Reply-To =~ /\@yahoo\./
describe __HC_REPLY_YAHOO Reply-To yahoo user
meta HC_HOTMAIL_YAHOO ( __HC_FROM_HOTMAIL && __HC_REPLY_YAHOO)
describe HC_HOTMAIL_YAHOO From hotmail, reply to Yahoo
score HC_HOTMAIL_YAHOO 20
-----------------------------------------------------------------------------------

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From campbell at cnpapers.com Fri Sep 26 14:31:53 2008
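An added example (not code from the thread or from SpamAssassin): a small Python evaluator for the `header`, `meta` and `score` lines of the hotmail/yahoo rule quoted above, run over constructed messages to show when the meta rule fires and how the original and revised From patterns differ. The evaluator, its function names and the sample messages are assumptions made for illustration; it supports only regex header tests, boolean metas and single-value scores.

```python
import re
from email import message_from_string

# Rule lines as posted in the thread (original From test).
ORIGINAL_RULES = r"""
header __HC_FROM_HOTMAIL From =~ /\@hotmail\./
header __HC_REPLY_YAHOO Reply-To =~ /\@yahoo\./
meta HC_HOTMAIL_YAHOO ( __HC_FROM_HOTMAIL && __HC_REPLY_YAHOO)
describe HC_HOTMAIL_YAHOO From hotmail, reply to Yahoo
score HC_HOTMAIL_YAHOO 20
"""
# The revised From test from the thread, which also covers live.* senders.
REVISED_RULES = ORIGINAL_RULES.replace(r"/\@hotmail\./", r"/\@(?:live|hotmail)\./")

HEADER_RE = re.compile(r"^header\s+(\S+)\s+(\S+)\s*=~\s*/(.+)/([a-z]*)$")
TOKEN_RE = re.compile(r"&&|\|\||!|\(|\)|\w+")


def parse_rules(text):
    """Collect regex header tests, meta expressions and single-value scores."""
    headers, metas, scores = {}, {}, {}
    for line in text.splitlines():
        line = line.strip()
        kind, _, rest = line.partition(" ")
        if kind == "header":
            m = HEADER_RE.match(line)
            if m is None:
                raise ValueError(f"unsupported header rule: {line!r}")
            name, hdr, pattern, flags = m.groups()
            headers[name] = (hdr, re.compile(pattern, re.I if "i" in flags else 0))
        elif kind == "meta":
            name, expr = rest.split(None, 1)
            metas[name] = expr
        elif kind == "score":
            name, value = rest.split()[:2]
            scores[name] = float(value)
    return headers, metas, scores


def eval_meta(expr, hits):
    """Evaluate a boolean meta expression (&&, ||, !, parentheses) against hits."""
    tokens = TOKEN_RE.findall(expr)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def parse_or():
        value = parse_and()
        while peek() == "||":
            take()
            rhs = parse_and()          # always consume the right-hand side
            value = value or rhs
        return value

    def parse_and():
        value = parse_not()
        while peek() == "&&":
            take()
            rhs = parse_not()
            value = value and rhs
        return value

    def parse_not():
        if peek() == "!":
            take()
            return not parse_not()
        if peek() == "(":
            take()
            value = parse_or()
            take()                     # closing ")"
            return value
        return take() in hits          # a rule name is true if that rule hit

    return parse_or()


def evaluate(rules_text, raw_message):
    """Return (set of rule names that hit, total score) for one message."""
    headers, metas, scores = parse_rules(rules_text)
    msg = message_from_string(raw_message)
    hits = {name for name, (hdr, rx) in headers.items()
            if any(rx.search(value) for value in msg.get_all(hdr, []))}
    # Single pass: these metas refer only to header tests, not to other metas.
    hits |= {name for name, expr in metas.items() if eval_meta(expr, hits)}
    # Names starting with "__" are sub-rules and never score on their own;
    # a rule with no score line gets SpamAssassin's default of 1.0.
    total = sum(scores.get(n, 1.0) for n in hits if not n.startswith("__"))
    return hits, total


def sample(from_value, reply_to=None):
    """Build a constructed message with the given From and Reply-To headers."""
    lines = ["From: " + from_value]
    if reply_to:
        lines.append("Reply-To: " + reply_to)
    return "\n".join(lines + ["Subject: constructed sample", "", "body text"])


SAMPLES = {  # constructed test messages, not taken from the thread
    "hotmail + yahoo reply": sample("alice@hotmail.com", "bob@yahoo.com"),
    "live + yahoo reply": sample("carol@live.com", "dave@yahoo.co.uk"),
    "hotmail, no reply-to": sample("erin@hotmail.com"),
    # The pattern is unanchored, so text in the display name matches as well.
    "display-name match": sample('"info@hotmail.com" <frank@example.org>', "frank@yahoo.com"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        for ruleset, text in (("original", ORIGINAL_RULES), ("revised", REVISED_RULES)):
            hits, total = evaluate(text, raw)
            print(f"{label:22} {ruleset:9} score={total:5.1f} hits={sorted(hits)}")
```

The last sample is a false-positive check: with a score of 20 on the meta rule, any message whose From header text contains "@hotmail." anywhere is treated the same as one sent from that domain.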
From: campbell at cnpapers.com (Steve Campbell)
Date: Fri Sep 26 14:49:39 2008
Subject: Multiple confusions on my part.
Message-ID: <48DCE449.2040203@cnpapers.com>

I've started seeing multiple timeouts with Spamassassin, and posted earlier about this. I got some good advice, and tried running some of the recommendations.

Some of the problems I'm seeing :

When I run MailScanner --debug --debug-sa

I get some of the following errors that I can't figure out

08:59:37 [31687] dbg: async: starting: DNSBL-TXT, dns:TXT:241.235.4.69.bl.spamco
p.net. (timeout 15.0s, min 3.0s)
08:59:37 [31687] dbg: async: starting: DNSBL-A, dns:A:embarrassedrabbit.com.rhsb
l.ahbl.org. (timeout 15.0s, min 3.0s)

I can't seem to find where to turn these off or zero the score.

I also see in the output the following:

08:59:39 /usr/local/bin/clamscan: unrecognized option `--unrar=/usr/bin/unrar'
08:59:39 ERROR: Unknown option passed.
08:59:39 ERROR: Can't parse the command line

I have commented out the relevant lines in /usr/lib/MailScanner/clamav-wrapper but still get the errors as though they are still there.

Also, when I run "/etc/rc.d/init.d/MailScanner reload", I get the following warning/error

Reloading MailScanner workers:
MailScanner: kill -2544: No such process
[ OK ]

When I run "/etc/rc.d/init.d/MailScanner status", I get the following warning/error

Checking MailScanner daemons:
MailScanner: [ OK ]
incoming sendmail: head: /var/run/sendmail.in.pid: No such file or directory
[FAILED]
outgoing sendmail: [ OK ]

There is indeed no such file, but there is a sm-client.pid.

Plenty of problems, and I'm sure these old eyes just aren't seeing the fix.

Any help would be gratefully appreciated.

Steve Campbell

From campbell at cnpapers.com Fri Sep 26 14:34:15 2008
From: campbell at cnpapers.com (Steve Campbell)
Date: Fri Sep 26 14:49:58 2008
Subject: Multiple confusions on my part. - addendum
Message-ID: <48DCE4D7.6060100@cnpapers.com>

Forgot to mention CentOS 3, sendmail, latest stable MS/SA/ClamAV.

Hope I didn't forget anything else.

Steve

From malli at mcrirents.com Fri Sep 26 16:22:41 2008
From: malli at mcrirents.com (Mohammed Alli)
Date: Fri Sep 26 15:25:17 2008
Subject: Dspam and MailScanner
In-Reply-To: <10CCE591-3F46-4211-8C31-22EA1201E6A9@rtpty.com>
References: <3B1A431BDA34C54581BE43253BC1BD9328C864@exchange.computerrents.com> <10CCE591-3F46-4211-8C31-22EA1201E6A9@rtpty.com>
Message-ID: <3B1A431BDA34C54581BE43253BC1BD9328C867@exchange.computerrents.com>

Ok guys,

I'm at a point now where Mailscanner is logging Dspam headers. Take a look at the following:

Received: from DSPAM-Daemon (localhost [127.0.0.1])
    by xxx.org (Postfix) with SMTP id A7259B83BA
    for ; Fri, 26 Sep 2008 10:07:43 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1])
    by xxx.org (Postfix) with ESMTP id 8AC9DB83B8
    for < xxx@xxx.com>; Fri, 26 Sep 2008 10:07:43 -0400 (EDT)
Received: from xxx.org ([127.0.0.1])
    by localhost (xxx.org [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id oF2FtsAbUmen for < xxx@xxx.com>;
    Fri, 26 Sep 2008 10:07:42 -0400 (EDT)
Received: from 121.189.88.200.d.dyn.codetel.net.do (unknown [200.88.189.121])
    by xxx.org (Postfix) with ESMTP
    for < xxx@xxx.com>; Fri, 26 Sep 2008 10:07:42 -0400 (EDT)
Message-ID: <000a01c91fe2$067c51fd$1a8a0592@ddlaqctm>
From: "Normal Sexual" < xxx@xxx.com>
To: "Treat erectile dysfunction online now" < xxx@xxx.com>
Subject: Drug Erectile
Date: Fri, 26 Sep 2008 12:27:26 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0007_01C91FE2.06791D0F"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2720.3000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2727.1300
X-DSPAM-Result: Innocent
X-DSPAM-Processed: Fri Sep 26 10:07:43 2008
X-DSPAM-Confidence: 0.9990
X-DSPAM-Probability: 0.0000
X-DSPAM-Signature: 48dcecaf205628863029213

[ ] 09/26/08 10:07:52  xxx@xxx.com  Drug Erectile  3.4Kb  35.72  Spam

Spam Report:
Score   Matching Rule          Description
        cached not
        score=35.718
        4.5 required
        autolearn=spam
3.50    BAYES_99               Bayesian spam probability is 99 to 100%
2.17    DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
0.00    DIGEST_MULTIPLE        Message hits more than one network digest check
0.28    DRUGS_ERECTILE         Refers to an erectile drug
-0.25   DSPAM_HAM
4.39    HELO_DYNAMIC_IPADDR2   Relay HELO'd using suspicious hostname (IP addr 2)

I had to implement Amavisd-new and Dspam as a pre-queue scanner. The mail is then reinjected back into the queue, where MailScanner picks it up. I can see it logging using Mailwatch, but the From To line is blank, although if I go into details I can see it. MailScanner is even using a rule I have setup in my local.cf for Dspam results. If the mail is spam, it assigns a score and if it's ham, it gives it a negative score.

I do have a problem with Dspam being inaccurate, as you can see from the example above. Guess I'll have to retrain it or dump the db and start over.

________________________________
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Neuman van der Hans
Sent: Thursday, September 25, 2008 10:00 AM
To: MailScanner discussion
Subject: Re: Dspam and MailScanner

How about giving a step by step of what you did? That way those of us who haven't tried it can, and those who have might make suggestions... Remember to include things like os, mta, etc. - if it's too long you can use the wiki or pastebin.

---
Alex Neuman
Reliant Technologies
+507 6781-9505
Skype: alexneuman

On Sep 25, 2008, at 10:44 AM, "Mohammed Alli" wrote:

Guys,

I've gotten Dspam working with my MailScanner setup on Ubuntu. I can see both MailScanner and Dspam headers added to my messages. Dspam is tagging missed messages as **SPAM**, per my setup. I just don't know how to combine the 2 scores. I tried the Spamassassin perl module for Dspam, but it doesn't work either and requires Amavisd-new to combine the scores. I tried Dspam as a GenericSpamScanner, but I couldn't tell if it was working as I didn't see anything in the mail.log.

Any suggestions?

From martinh at solidstatelogic.com Fri Sep 26 15:28:09 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Fri Sep 26 15:28:23 2008
Subject: Multiple confusions on my part.
In-Reply-To: <48DCE449.2040203@cnpapers.com>
Message-ID: <9952486b2f9fe04fa0619422954a92a1@solidstatelogic.com>

Steve

See below

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Steve Campbell
> Sent: 26 September 2008 14:32
> To: mailscanner@lists.mailscanner.info
> Subject: Multiple confusions on my part.
>
> I've started seeing multiple timeouts with Spamassassin, and
> posted earlier about this. I got some good advice, and tried
> running some of the recommendations.
>
> Some of the problems I'm seeing :
>
> When I run MailScanner --debug --debug-sa
>
> I get some of the following errors that I can't figure out
>
> 08:59:37 [31687] dbg: async: starting: DNSBL-TXT,
> dns:TXT:241.235.4.69.bl.spamco p.net. (timeout 15.0s, min 3.0s)
> 08:59:37 [31687] dbg: async: starting: DNSBL-A,
> dns:A:embarrassedrabbit.com.rhsb l.ahbl.org. (timeout 15.0s, min 3.0s)
>
> I can't seem to find where to turn these off or zero the score.
>

Give them a zero score in /etc/mail/spamassassin/mailscanner.conf. See /var/lib/spamassassin//updates_spamassassin_org/20_dnsbl_tests.cf for what RBL's it uses by default. I only run a couple here.

Also usual advice of make sure the mailscanner host is running a local caching nameserver!

> I also see in the output the following:
>
>
> 08:59:39 /usr/local/bin/clamscan: unrecognized option
> `--unrar=/usr/bin/unrar'
> 08:59:39 ERROR: Unknown option passed.
> 08:59:39 ERROR: Can't parse the command line
>
> I have commented out the relevant lines in
> /usr/lib/MailScanner/clamav-wrapper but still get the errors
> as though they are still there.
>
>
>
> Also, when I run "/etc/rc.d/init.d/MailScanner reload", I get
> the following warning/error
>
> Reloading MailScanner workers:
> MailScanner: kill -2544: No such process

You got a bad process-id in there, manually kill the MS processes I'd suggest.

> [
> OK ] When I run "/etc/rc.d/init.d/MailScanner status", I get
> the following warning/error
>
> Checking MailScanner daemons:
> MailScanner: [ OK ]
> incoming sendmail: head: /var/run/sendmail.in.pid:
> No such file or directory
> [FAILED]
> outgoing sendmail: [ OK ]
>
> There is indeed no such file, but there is a sm-client.pid.
>

Check the setup of sendmail - two sendmails, writing pids to correct files etc

> Plenty of problems, and I'm sure these old eyes just aren't
> seeing the fix.
>
> Any help would be gratefully appreciated.
>
> Steve Campbell

From MailScanner at ecs.soton.ac.uk Fri Sep 26 15:37:06 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Sep 26 15:37:28 2008
Subject: Multiple confusions on my part.
In-Reply-To:
References:
Message-ID: <48DCF392.4090008@ecs.soton.ac.uk>

Steve Campbell wrote:
> I've started seeing multiple timeouts with Spamassassin, and posted
> earlier about this. I got some good advice, and tried running some of
> the recommendations.
>
> Some of the problems I'm seeing :
>
> When I run MailScanner --debug --debug-sa
>
> I get some of the following errors that I can't figure out
>
> 08:59:37 [31687] dbg: async: starting: DNSBL-TXT,
> dns:TXT:241.235.4.69.bl.spamco
> p.net. (timeout 15.0s, min 3.0s)
> 08:59:37 [31687] dbg: async: starting: DNSBL-A,
> dns:A:embarrassedrabbit.com.rhsb
> l.ahbl.org. (timeout 15.0s, min 3.0s)
>
> I can't seem to find where to turn these off or zero the score.
>
In /etc/MailScanner/spamassassin.prefs.conf, add these lines

score RCVD_IN_BL_SPAMCOP_NET 0.0
score DNS_FROM_AHBL_RHSBL 0.0

> I also see in the output the following:
>
>
> 08:59:39 /usr/local/bin/clamscan: unrecognized option
> `--unrar=/usr/bin/unrar'
> 08:59:39 ERROR: Unknown option passed.
> 08:59:39 ERROR: Can't parse the command line
>
> I have commented out the relevant lines in
> /usr/lib/MailScanner/clamav-wrapper but still get the errors as though
> they are still there.
You need the latest beta to work with ClamAV 0.94. You would be far better off upgrading to using clamd instead, it is a *whole* lot faster. But be sure to configure clamd to talk to freshclam properly, or else clamd will never know it needs to re-read its virus signatures. That's all in clamd.conf.

>
>
>
> Also, when I run "/etc/rc.d/init.d/MailScanner reload", I get the
> following warning/error
>
> Reloading MailScanner workers:
> MailScanner: kill -2544: No such process
> [ OK ]
> When I run "/etc/rc.d/init.d/MailScanner status", I get the following
> warning/error
>
> Checking MailScanner daemons:
> MailScanner: [ OK ]
> incoming sendmail: head: /var/run/sendmail.in.pid: No such
> file or directory
That should have been created by "service MailScanner start" (or "/etc/rc.d/init.d/MailScanner start"). You're quite right, it isn't. sendmail should have created it. I'll tweak the init.d script so that it doesn't care. This is a pretty harmless error, even so. Just ignore it for now.

> [FAILED]
> outgoing sendmail: [ OK ]
>
> There is indeed no such file, but there is a sm-client.pid.
>
> Plenty of problems, and I'm sure these old eyes just aren't seeing the
> fix.
>
> Any help would be gratefully appreciated.
>
> Steve Campbell
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From MailScanner at ecs.soton.ac.uk Fri Sep 26 15:52:27 2008
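An added example (not part of the thread and not MailScanner or SpamAssassin code): a Python script that reads `--debug-sa` output like the lines quoted in this exchange, rejoins records that a terminal wrapped mid-hostname, maps each DNSBL query name to the rule that owns its zone, and prints the `score RULE 0.0` lines to add. The rule-file excerpt is constructed in the syntax of 20_dnsbl_tests.cf (the rule names come from the reply, the eval arguments are assumptions), the third debug record is constructed, and all function names are hypothetical.

```python
import re

# Constructed excerpt in the syntax of 20_dnsbl_tests.cf; rule names are the
# ones given in the reply, eval arguments are assumptions for illustration.
DNSBL_CF = """
header RCVD_IN_BL_SPAMCOP_NET eval:check_rbl_txt('spamcop', 'bl.spamcop.net.', '(?i:spamcop)')
header DNS_FROM_AHBL_RHSBL eval:check_rbl_from_host('ahbl', 'rhsbl.ahbl.org.')
"""

# First two records as posted (including the 80-column wrap); third is constructed.
DEBUG_OUTPUT = """\
08:59:37 [31687] dbg: async: starting: DNSBL-TXT, dns:TXT:241.235.4.69.bl.spamco
p.net. (timeout 15.0s, min 3.0s)
08:59:37 [31687] dbg: async: starting: DNSBL-A, dns:A:embarrassedrabbit.com.rhsb
l.ahbl.org. (timeout 15.0s, min 3.0s)
08:59:38 [31687] dbg: async: starting: DNSBL-A, dns:A:241.235.4.69.dnsbl.example.invalid. (timeout 15.0s, min 3.0s)
"""

RECORD_START = re.compile(r"\d\d:\d\d:\d\d ")
QUERY_RE = re.compile(r"async: starting: DNSBL-\w+, dns:\w+:([A-Za-z0-9._-]+)")
ZONE_RE = re.compile(
    r"^header\s+(\S+)\s+eval:check_rbl(?:_txt|_from_host)?\('[^']*',\s*'([^']+)'")


def unwrap(lines):
    """Rejoin wrapped output: a new record always starts with HH:MM:SS."""
    records = []
    for line in lines:
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += line        # continuation of a split hostname
    return records


def zones_from_cf(cf_text):
    """Map DNSBL zone -> rule name from check_rbl-style header lines."""
    zones = {}
    for line in cf_text.splitlines():
        m = ZONE_RE.match(line.strip())
        if m:
            zones[m.group(2).rstrip(".").lower()] = m.group(1)
    return zones


def match_zone(qname, zones):
    """Return (zone, rule) for the longest configured zone that qname is under."""
    qname = qname.rstrip(".").lower()
    best = None
    for zone, rule in zones.items():
        if qname.endswith("." + zone) and (best is None or len(zone) > len(best[0])):
            best = (zone, rule)
    return best


def subject_of(qname, zone):
    """What was looked up: a relay IP (octets un-reversed) or a sender domain."""
    prefix = qname.rstrip(".").lower()[: -len(zone) - 1]
    labels = prefix.split(".")
    if len(labels) == 4 and all(l.isdigit() and int(l) < 256 for l in labels):
        return ".".join(reversed(labels))
    return prefix


def find_lookups(debug_text, cf_text):
    """Return ([(rule, subject), ...], [query names with no known rule])."""
    zones = zones_from_cf(cf_text)
    lookups, unmapped = [], []
    for record in unwrap(debug_text.splitlines()):
        m = QUERY_RE.search(record)
        if m is None:
            continue
        qname = m.group(1)
        hit = match_zone(qname, zones)
        if hit is None:
            unmapped.append(qname)
            continue
        zone, rule = hit
        entry = (rule, subject_of(qname, zone))
        if entry not in lookups:
            lookups.append(entry)
    return lookups, unmapped


def score_lines(lookups):
    """One 'score RULE 0.0' line per rule, in first-seen order."""
    rules = []
    for rule, _ in lookups:
        if rule not in rules:
            rules.append(rule)
    return [f"score {rule} 0.0" for rule in rules]


if __name__ == "__main__":
    found, unknown = find_lookups(DEBUG_OUTPUT, DNSBL_CF)
    for rule, subject in found:
        print(f"# {rule} queried for {subject}")
    print("\n".join(score_lines(found)))
    for qname in unknown:
        print(f"# no rule found for {qname}")
```

A query name reported as unmapped belongs to a zone defined in a rule file the excerpt does not cover, so the other .cf files need to be searched for it before a score line can be written.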
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Sep 26 15:52:46 2008 Subject: Multiple confusions on my part. In-Reply-To: References: Message-ID: <48DCF72B.90903@ecs.soton.ac.uk> Try the attached replacement for /etc/rc.d/init.d/MailScanner. You will obviously need to unzip it first! :-) Jules. Julian Field wrote: > > > Steve Campbell wrote: >> I've started seeing multiple timeouts with Spamassassin, and posted >> earlier about this. I got some good advice, and tried running some of >> the recommendations. >> >> Some of the problems I'm seeing : >> >> When I run MailScanner --debug --debug-sa >> >> I get some of the following errors that I can't figure out >> >> 08:59:37 [31687] dbg: async: starting: DNSBL-TXT, >> dns:TXT:241.235.4.69.bl.spamco >> p.net. (timeout 15.0s, min 3.0s) >> 08:59:37 [31687] dbg: async: starting: DNSBL-A, >> dns:A:embarrassedrabbit.com.rhsb >> l.ahbl.org. (timeout 15.0s, min 3.0s) >> >> I can't seem to find where to turn these off or zero the score. >> > In /etc/MailScanner/spamassassin.prefs.conf, add these lines > score RCVD_IN_BL_SPAMCOP_NET 0.0 > score DNS_FROM_AHBL_RHSBL 0.0 >> I also see in the output the following: >> >> >> 08:59:39 /usr/local/bin/clamscan: unrecognized option >> `--unrar=/usr/bin/unrar' >> 08:59:39 ERROR: Unknown option passed. >> 08:59:39 ERROR: Can't parse the command line >> >> I have commented out the relevant lines in >> /usr/lib/MailScanner/clamav-wrapper but still get the errors as >> though they are still there. > You need the latest beta to work with ClamAV 0.94. You would be far > better off upgrading to using clamd instead, it is a *whole* lot > faster. But be sure to configure clamd to talk to freshclam properly, > or else clamd will never know it needs to re-read its virus > signatures. That's all in clamd.conf. 
>>
>>
>>
>> Also, when I run "/etc/rc.d/init.d/MailScanner reload", I get the
>> following warning/error
>>
>> Reloading MailScanner workers:
>> MailScanner: kill -2544: No such process
>> [ OK ]
>> When I run "/etc/rc.d/init.d/MailScanner status", I get the following
>> warning/error
>>
>> Checking MailScanner daemons:
>> MailScanner: [ OK ]
>> incoming sendmail: head: /var/run/sendmail.in.pid: No such
>> file or directory
> That should have been created by "service MailScanner start" (or
> "/etc/rc.d/init.d/MailScanner start"). You're quite right, it isn't.
> sendmail should have created it. I'll tweak the init.d script so that
> it doesn't care. This is a pretty harmless error, even so. Just ignore
> it for now.
>
>> [FAILED]
>> outgoing sendmail: [ OK ]
>>
>> There is indeed no such file, but there is a sm-client.pid.
>>
>> Plenty of problems, and I'm sure these old eyes just aren't seeing
>> the fix.
>>
>> Any help would be gratefully appreciated.
>>
>> Steve Campbell
>>
>
> Jules
>

Jules

-------------- next part --------------
A non-text attachment was scrubbed...
Name: etc.rc.d.init.d.MailScanner.zip
Type: application/x-zip-compressed
Size: 3000 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080926/418bf7d3/etc.rc.d.init.d.MailScanner.bin

From raymond at prolocation.net Fri Sep 26 16:26:17 2008
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Fri Sep 26 16:26:25 2008
Subject: Log problem?
In-Reply-To: <200809260102280332.14086FC2@web.ace.net.au>
References: <200809260102280332.14086FC2@web.ace.net.au>
Message-ID:

Hi!

> Does the 3rd line look incomplete?
>
> Sep 25 20:37:32 nx22 MailScanner[15691]: Virus Scanning: F-Prot found 1 infections
> Sep 25 20:37:32 nx22 MailScanner[15691]: Infected message m8PB7NYZ019577 came from 61.9.189.143
> Sep 25 20:37:32 nx22 MailScanner[15691]: Infected message 15691 came from
> Sep 25 20:37:32 nx22 MailScanner[15691]: Virus Scanning: Found 1 viruses

Nice backlog also, almost 16.000 messages in queue ;)

Bye,
Raymond.

From malli at mcrirents.com Fri Sep 26 18:06:13 2008
From: malli at mcrirents.com (Mohammed Alli)
Date: Fri Sep 26 17:08:49 2008
Subject: Dspam and MailScanner
In-Reply-To: <3B1A431BDA34C54581BE43253BC1BD9328C867@exchange.computerrents.com>
References: <3B1A431BDA34C54581BE43253BC1BD9328C864@exchange.computerrents.com><10CCE591-3F46-4211-8C31-22EA1201E6A9@rtpty.com> <3B1A431BDA34C54581BE43253BC1BD9328C867@exchange.computerrents.com>
Message-ID: <3B1A431BDA34C54581BE43253BC1BD9328C868@exchange.computerrents.com>

Ok guys,

I've redone the Dspam db and retrained it with the spamassassin corpus. Now everything seems to be working fine. However, since MailWatch\MailScanner doesn't know who the email is coming from, it can't distinguish between whitelist or blacklist entries. I can see the address in the mail.log or if I go into the message detail using MailWatch. The message still gets delivered the same, with the only difference being the headers that are added. Does anyone know of any Postfix setting that will hide the sender email address?

Thanks,

________________________________
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Mohammed Alli
Sent: Friday, September 26, 2008 10:23 AM
To: MailScanner discussion
Subject: RE: Dspam and MailScanner

Ok guys,

I'm at a point now where Mailscanner is logging Dspam headers. Take a look at the following:

Received: from DSPAM-Daemon (localhost [127.0.0.1])
    by xxx.org (Postfix) with SMTP id A7259B83BA
    for ; Fri, 26 Sep 2008 10:07:43 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1])
    by xxx.org (Postfix) with ESMTP id 8AC9DB83B8
    for < xxx@xxx.com>; Fri, 26 Sep 2008 10:07:43 -0400 (EDT)
Received: from xxx.org ([127.0.0.1])
    by localhost (xxx.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oF2FtsAbUmen
    for < xxx@xxx.com>; Fri, 26 Sep 2008 10:07:42 -0400 (EDT)
Received: from 121.189.88.200.d.dyn.codetel.net.do (unknown [200.88.189.121])
    by xxx.org (Postfix) with ESMTP
    for < xxx@xxx.com>; Fri, 26 Sep 2008 10:07:42 -0400 (EDT)
Message-ID: <000a01c91fe2$067c51fd$1a8a0592@ddlaqctm>
From: "Normal Sexual" < xxx@xxx.com>
To: "Treat erectile dysfunction online now" < xxx@xxx.com>
Subject: Drug Erectile
Date: Fri, 26 Sep 2008 12:27:26 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0007_01C91FE2.06791D0F"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2720.3000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2727.1300
X-DSPAM-Result: Innocent
X-DSPAM-Processed: Fri Sep 26 10:07:43 2008
X-DSPAM-Confidence: 0.9990
X-DSPAM-Probability: 0.0000
X-DSPAM-Signature: 48dcecaf205628863029213

[ ] 09/26/08 10:07:52 xxx@xxx.com Drug Erectile 3.4Kb 35.72 Spam

Spam Report:

Score   Matching Rule          Description
        cached                 not
        score=35.718
4.5     required
        autolearn=spam
3.50    BAYES_99               Bayesian spam probability is 99 to 100%
2.17    DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
0.00    DIGEST_MULTIPLE        Message hits more than one network digest check
0.28    DRUGS_ERECTILE         Refers to an erectile drug
-0.25   DSPAM_HAM
4.39    HELO_DYNAMIC_IPADDR2   Relay HELO'd using suspicious hostname (IP addr 2)

I had to implement Amavisd-new and Dspam as a pre-queue scanner. The mail is then reinjected back into the queue, where MailScanner picks it up. I can see it logging using Mailwatch, but the From To line is blank, although if I go into details I can see it. MailScanner is even using a rule I have setup in my local.cf for Dspam results. If the mail is spam, it assigns a score and if it's ham, it gives it a negative score.

I do have a problem with Dspam being inaccurate, as you can see from the example above. Guess I'll have to retrain it or dump the db and start over.

________________________________
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Neuman van der Hans
Sent: Thursday, September 25, 2008 10:00 AM
To: MailScanner discussion
Subject: Re: Dspam and MailScanner

How about giving a step by step of what you did? That way those of us who haven't tried it can, and those who have might make suggestions... Remember to include things like os, mta, etc. - if it's too long you can use the wiki or pastebin.

---
Alex Neuman
Reliant Technologies
+507 6781-9505
Skype: alexneuman

On Sep 25, 2008, at 10:44 AM, "Mohammed Alli" wrote:

Guys,

I've gotten Dspam working with my MailScanner setup on Ubuntu. I can see both MailScanner and Dspam headers added to my messages. Dspam is tagging missed messages as **SPAM**, per my setup. I just don't know how to combine the 2 scores. I tried the Spamassassin perl module for Dspam, but it doesn't work either and requires Amavisd-new to combine the scores. I tried Dspam as a GenericSpamScanner, but I couldn't tell if it was working as I didn't see anything in the mail.log.

Any suggestions?

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From campbell at cnpapers.com Fri Sep 26 17:21:59 2008
From: campbell at cnpapers.com (Steve Campbell)
Date: Fri Sep 26 17:22:13 2008
Subject: Multiple confusions on my part.
In-Reply-To: <48DCF72B.90903@ecs.soton.ac.uk>
References: <48DCF72B.90903@ecs.soton.ac.uk>
Message-ID: <48DD0C27.9070301@cnpapers.com>

Thanks Martin and Julian;

I'm still seeing the DNSBL-A, junk in the debug output, but I can keep digging for that.

I never knew where all those DNSBL checks came from, so that was a big help Martin.

The new init script seems to work. I tried stopping, starting, reloading and anything else I could think of and the only problem I found was that when I did a stop, my phone rang! :-)

So thanks everyone for the help.

Steve

Julian Field wrote:
> Try the attached replacement for
> /etc/rc.d/init.d/MailScanner.
> You will obviously need to unzip it first! :-)
>
> Jules.
>
> Julian Field wrote:
>>
>>
>> Steve Campbell wrote:
>>> I've started seeing multiple timeouts with Spamassassin, and posted
>>> earlier about this. I got some good advice, and tried running some
>>> of the recommendations.
>>>
>>> Some of the problems I'm seeing :
>>>
>>> When I run MailScanner --debug --debug-sa
>>>
>>> I get some of the following errors that I can't figure out
>>>
>>> 08:59:37 [31687] dbg: async: starting: DNSBL-TXT, dns:TXT:241.235.4.69.bl.spamcop.net. (timeout 15.0s, min 3.0s)
>>> 08:59:37 [31687] dbg: async: starting: DNSBL-A, dns:A:embarrassedrabbit.com.rhsbl.ahbl.org. (timeout 15.0s, min 3.0s)
>>>
>>> I can't seem to find where to turn these off or zero the score.
>>>
>> In /etc/MailScanner/spamassassin.prefs.conf, add these lines
>> score RCVD_IN_BL_SPAMCOP_NET 0.0
>> score DNS_FROM_AHBL_RHSBL 0.0
>>> I also see in the output the following:
>>>
>>>
>>> 08:59:39 /usr/local/bin/clamscan: unrecognized option `--unrar=/usr/bin/unrar'
>>> 08:59:39 ERROR: Unknown option passed.
>>> 08:59:39 ERROR: Can't parse the command line
>>>
>>> I have commented out the relevant lines in
>>> /usr/lib/MailScanner/clamav-wrapper but still get the errors as
>>> though they are still there.
>> You need the latest beta to work with ClamAV 0.94. You would be far
>> better off upgrading to using clamd instead, it is a *whole* lot
>> faster. But be sure to configure clamd to talk to freshclam properly,
>> or else clamd will never know it needs to re-read its virus
>> signatures. That's all in clamd.conf.
>>>
>>>
>>>
>>> Also, when I run "/etc/rc.d/init.d/MailScanner reload", I get the
>>> following warning/error
>>>
>>> Reloading MailScanner workers:
>>> MailScanner: kill -2544: No such process
>>> [ OK ]
>>> When I run "/etc/rc.d/init.d/MailScanner status", I get the
>>> following warning/error
>>>
>>> Checking MailScanner daemons:
>>> MailScanner: [ OK ]
>>> incoming sendmail: head: /var/run/sendmail.in.pid: No such
>>> file or directory
>> That should have been created by "service MailScanner start" (or
>> "/etc/rc.d/init.d/MailScanner start"). You're quite right, it isn't.
>> sendmail should have created it. I'll tweak the init.d script so that
>> it doesn't care. This is a pretty harmless error, even so. Just
>> ignore it for now.
>>
>>> [FAILED]
>>> outgoing sendmail: [ OK ]
>>>
>>> There is indeed no such file, but there is a sm-client.pid.
>>>
>>> Plenty of problems, and I'm sure these old eyes just aren't seeing
>>> the fix.
>>>
>>> Any help would be gratefully appreciated.
>>>
>>> Steve Campbell
>>>
>>
>> Jules
>>
>
> Jules
>

From ssilva at sgvwater.com Fri Sep 26 18:06:48 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Sep 26 18:10:11 2008
Subject: MailScanner Losing it's Efficiency {Scanned}
In-Reply-To: <0444f1395c35b44ab87c872948f05223@solidstatelogic.com>
References: <0444f1395c35b44ab87c872948f05223@solidstatelogic.com>
Message-ID:

on 9-26-2008 12:53 AM Martin.Hepworth spake the following:
> Or create a custom ruleset for rulesdujour ;-)
>

I just ran julesdujour after having it turned off for over 6 months and there were no updates. The sare ninjas were not kidding when they said they weren't updating anymore.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From ssilva at sgvwater.com Fri Sep 26 18:14:10 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Sep 26 18:15:14 2008
Subject: Multiple confusions on my part.
In-Reply-To: <48DD0C27.9070301@cnpapers.com>
References: <48DCF72B.90903@ecs.soton.ac.uk> <48DD0C27.9070301@cnpapers.com>
Message-ID:

on 9-26-2008 9:21 AM Steve Campbell spake the following:
> Thanks Martin and Julian;
>
> I'm still seeing the DNSBL-A, junk in the debug output, but I can keep
> digging for that.
>
> I never knew where all those DNSBL checks came from, so that was a big
> help Martin.
>
> The new init script seems to work. I tried stopping, starting, reloading
> and anything else I could think of and the only problem I found was that
> when I did a stop, my phone rang! :-)
>

We all get that darn telephone ringing bug (feature?). I also get it when I *don't* run MailScanner stop.

From martinh at solidstatelogic.com Fri Sep 26 19:09:05 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Fri Sep 26 19:03:33 2008
Subject: MailScanner Losing it's Efficiency {Scanned}
Message-ID:

Well yeah, but it's so easy to in rules to rdj..

--
martin

-----Original Message-----
From: Scott Silva
Sent: 26 September 2008 18:14
To: mailscanner@lists.mailscanner.info
Subject: Re: MailScanner Losing it's Efficiency {Scanned}

on 9-26-2008 12:53 AM Martin.Hepworth spake the following:
> Or create a custom ruleset for rulesdujour ;-)
>

I just ran julesdujour after having it turned off for over 6 months and there were no updates. The sare ninjas were not kidding when they said they weren't updating anymore.

From campbell at cnpapers.com Fri Sep 26 21:35:14 2008
From: campbell at cnpapers.com (Steve Campbell)
Date: Fri Sep 26 21:35:28 2008
Subject: Multiple confusions on my part.
In-Reply-To:
References: <48DCF72B.90903@ecs.soton.ac.uk> <48DD0C27.9070301@cnpapers.com>
Message-ID: <48DD4782.8030002@cnpapers.com>

Scott Silva wrote:
> on 9-26-2008 9:21 AM Steve Campbell spake the following:
>> Thanks Martin and Julian;
>>
>> I'm still seeing the DNSBL-A, junk in the debug output, but I can
>> keep digging for that.
>>
>> I never knew where all those DNSBL checks came from, so that was a
>> big help Martin.
>>
>> The new init script seems to work. I tried stopping, starting,
>> reloading and anything else I could think of and the only problem I
>> found was that when I did a stop, my phone rang! :-)
>>
> We all get that darn telephone ringing bug (feature?). I also get it
> when I *don't* run MailScanner stop.

I have a problem going on where one person is getting too much spam, and the person sitting beside them argues for more. An easy fix, though. But then the next week, the same two argue for the exact opposite.

From dyioulos at firstbhph.com Fri Sep 26 21:48:51 2008
From: dyioulos at firstbhph.com (Dimitri Yioulos)
Date: Fri Sep 26 21:49:22 2008
Subject: Multiple confusions on my part.
In-Reply-To: <48DD4782.8030002@cnpapers.com>
References: <48DD4782.8030002@cnpapers.com>
Message-ID: <200809261648.52398.dyioulos@firstbhph.com>

On Friday 26 September 2008 4:35 pm, Steve Campbell wrote:
> Scott Silva wrote:
> > on 9-26-2008 9:21 AM Steve Campbell spake the following:
> >> Thanks Martin and Julian;
> >>
> >> I'm still seeing the DNSBL-A, junk in the debug output, but I can
> >> keep digging for that.
> >>
> >> I never knew where all those DNSBL checks came from, so that was a
> >> big help Martin.
> >>
> >> The new init script seems to work. I tried stopping, starting,
> >> reloading and anything else I could think of and the only problem I
> >> found was that when I did a stop, my phone rang! :-)
> >
> > We all get that darn telephone ringing bug (feature?). I also get it
> > when I *don't* run MailScanner stop.
>
> I have a problem going on where one person is getting too much spam, and
> the person sitting beside them argues for more. An easy fix, though. But
> then the next week, the same two argue for the exact opposite.
>

So shoot 'em both.

From ssilva at sgvwater.com Fri Sep 26 23:43:10 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Sep 26 23:43:29 2008
Subject: Multiple confusions on my part.
In-Reply-To: <48DD4782.8030002@cnpapers.com>
References: <48DCF72B.90903@ecs.soton.ac.uk> <48DD0C27.9070301@cnpapers.com> <48DD4782.8030002@cnpapers.com>
Message-ID:

on 9-26-2008 1:35 PM Steve Campbell spake the following:
>
>
> Scott Silva wrote:
>> on 9-26-2008 9:21 AM Steve Campbell spake the following:
>>> Thanks Martin and Julian;
>>>
>>> I'm still seeing the DNSBL-A, junk in the debug output, but I can
>>> keep digging for that.
>>>
>>> I never knew where all those DNSBL checks came from, so that was a
>>> big help Martin.
>>>
>>> The new init script seems to work. I tried stopping, starting,
>>> reloading and anything else I could think of and the only problem I
>>> found was that when I did a stop, my phone rang! :-)
>>>
>> We all get that darn telephone ringing bug (feature?). I also get it
>> when I *don't* run MailScanner stop.
> I have a problem going on where one person is getting too much spam, and
> the person sitting beside them argues for more. An easy fix, though. But
> then the next week, the same two argue for the exact opposite.
>

I had a user complain that I didn't do anything and they got too much spam... So I gave them *ALL* of it. For the whole company. Even high scoring stuff. They never complained again! ;-P

Member in good standing of the BOFH West Coast chapter, US division

From Kevin_Miller at ci.juneau.ak.us Fri Sep 26 23:59:35 2008
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Fri Sep 26 23:59:45 2008
Subject: Multiple confusions on my part.
In-Reply-To:
References: <48DCF72B.90903@ecs.soton.ac.uk> <48DD0C27.9070301@cnpapers.com> <48DD4782.8030002@cnpapers.com>
Message-ID:

Scott Silva wrote:
> I had a user complain that I didn't do anything and they got too much
> spam... So I gave them *ALL* of it. For the whole company. Even high
> scoring stuff. They never complained again! ;-P
>
> Member in good standing of the BOFH West Coast chapter, US division

My hero! I usually content myself w/sending them a .png of the stats in the upper right of the MailWatch screen. When they see the 75% spam and the numbers they stop whining about the three they got that week.

Maybe I'll turn the filters off for 10 minutes on the day I retire. That outta earn me a gold watch. Or a first class lynching...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From annett.david at gmail.com Sat Sep 27 03:18:54 2008
From: annett.david at gmail.com (David Annett)
Date: Sat Sep 27 03:19:05 2008
Subject: MailScanner on a Postfix Mailgate
In-Reply-To: <48DB7AC6.2020803@clh.org.uk>
References: <48DB5222.6030000@sequestered.net> <48DB6E16.3060602@gdcon.net> <48DB7AC6.2020803@clh.org.uk>
Message-ID:

If the perl issue is well known the fix is well known too? With a system that is still broken I would love to know that!

Can't MS be fixed to work with more than one version of perl?

On Thu, Sep 25, 2008 at 11:49 PM, Chris Hardy wrote:
> I've been using MS on CentOS successfully for ages with no problems apart
> from the perl issue that's well known about.
>
> New version of MS come, run package, run the upgrader, restart MS - hey
> presto!
>
> Do you use anything specific that causes problems?
>
> c
>

From MailScanner at ecs.soton.ac.uk Sat Sep 27 10:19:04 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Sep 27 10:19:39 2008
Subject: Multiple confusions on my part.
In-Reply-To:
References: <48DCF72B.90903@ecs.soton.ac.uk> <48DD0C27.9070301@cnpapers.com> <48DD4782.8030002@cnpapers.com>
Message-ID: <48DDFA88.1050806@ecs.soton.ac.uk>

Kevin Miller wrote:
> Scott Silva wrote:
>
>> I had a user complain that I didn't do anything and they got too much
>> spam... So I gave them *ALL* of it. For the whole company. Even high
>> scoring stuff. They never complained again! ;-P
>>
>> Member in good standing of the BOFH West Coast chapter, US division
>>
>
> My hero! I usually content myself w/sending them a .png of the stats in
> the upper right of the MailWatch screen. When they see the 75% spam and
> the numbers they stop whining about the three they got that week.
>
> Maybe I'll turn the filters off for 10 minutes on the day I retire.
> That outta earn me a gold watch. Or a first class lynching...
>

I long to be able to do that. Our head of department did appreciate it a bit more when I told him he would get 26 times more mail if I switched off the spam killers! That shut him up a bit :-)

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

From MailScanner at ecs.soton.ac.uk Sat Sep 27 19:52:39 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Sep 27 19:53:03 2008
Subject: Improvements to install.sh ?
Message-ID: <48DE80F7.9020400@ecs.soton.ac.uk>

Hi folks!

I haven't done anything to the installer in quite a long time.
Are there any improvements people would like to see, particularly in the RPM installer as that's by far the most common distribution, and is used by the least tech-savvy people who need the most guidance.

Today I have done some work on both the README and the QuickInstall.txt files, to bring them up to date and to simplify them.

Also I have documented the "./install.sh fast" option, so people who read the docs know it exists, as it greatly speeds things up if you know what you're doing and don't need to read all the output.

But what would people like to see improved in the actual installation script, install.sh?

Jules

From ms-list at alexb.ch Sat Sep 27 20:19:49 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Sat Sep 27 20:20:02 2008
Subject: Improvements to install.sh ?
In-Reply-To: <48DE80F7.9020400@ecs.soton.ac.uk>
References: <48DE80F7.9020400@ecs.soton.ac.uk>
Message-ID: <48DE8755.5080603@alexb.ch>

On 9/27/2008 8:52 PM, Julian Field wrote:
> Hi folks!
>
> I haven't done anything to the installer in quite a long time.
> Are there any improvements people would like to see, particularly in the
> RPM installer as that's by far the most common distribution, and is used
> by the least tech-savvy people who need the most guidance.
>
> Today I have done some work on both the README and the QuickInstall.txt
> files, to bring them up to date and to simplify them.
>
> Also I have documented the "./install.sh fast" option, so people who
> read the docs know it exists, as it greatly speeds things up if you know
> what you're doing and don't need to read all the output.
>
> But what would people like to see improved in the actual installation
> script, install.sh?

Hi Jules,

1.- Before you start doing the setup, check which Perl modules you'll be updating/overwriting, show a list and REQUIRE a "Press enter" key to accept these changes

2.- Write an install.log in system's root folder. Write the results of [1.] at the top. If admin chooses to use the "fast" method, only write the log.

I think this would help avoid surprises

The "only worry about xyz" gives a possible sense of safety, not sure at this point if anything else is so trivial as lately there have been growing dependency issues.

Ideally, if you need to use a higher module version for MS than what you find installed, add to /path/to/MailScanner/perl but I assume that would require a massive lot of work.

my 2 cents

Alex

From alex at rtpty.com Sat Sep 27 20:54:33 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Sat Sep 27 20:54:58 2008
Subject: Improvements to install.sh ?
In-Reply-To: <48DE80F7.9020400@ecs.soton.ac.uk>
References: <48DE80F7.9020400@ecs.soton.ac.uk>
Message-ID: <4D0A5E36-6CD5-4CFD-892A-93C8C13087C4@rtpty.com>

I *am* tech savvy enough to recognize how *brilliant* your installer is, you insensitive clod! ;-)

---
Alex Neuman
Reliant Technologies
+507 6781-9505
Skype: alexneuman

On Sep 27, 2008, at 1:52 PM, Julian Field wrote:

> Hi folks!
>
> I haven't done anything to the installer in quite a long time.
> Are there any improvements people would like to see, particularly in
> the RPM installer as that's by far the most common distribution, and
> is used by the least tech-savvy people who need the most guidance.
>
> Today I have done some work on both the README and the
> QuickInstall.txt files, to bring them up to date and to simplify them.
>
> Also I have documented the "./install.sh fast" option, so people who
> read the docs know it exists, as it greatly speeds things up if you
> know what you're doing and don't need to read all the output.
>
> But what would people like to see improved in the actual
> installation script, install.sh?
>
> Jules
>
From campbell at cnpapers.com Sun Sep 28 00:45:22 2008
From: campbell at cnpapers.com (Steve Campbell)
Date: Sun Sep 28 00:45:47 2008
Subject: Multiple confusions on my part.
In-Reply-To:
References: <48DCF72B.90903@ecs.soton.ac.uk> <48DD0C27.9070301@cnpapers.com> <48DD4782.8030002@cnpapers.com>
Message-ID: <1222559122.48dec592b7178@perdition.cnpapers.net>

Quoting Kevin Miller :

> Scott Silva wrote:
> > I had a user complain that I didn't do anything and they got too much
> > spam... So I gave them *ALL* of it. For the whole company. Even high
> > scoring stuff. They never complained again! ;-P
> >
> > Member in good standing of the BOFH West Coast chapter, US division
>
> My hero! I usually content myself w/sending them a .png of the stats in
> the upper right of the MailWatch screen. When they see the 75% spam and
> the numbers they stop whining about the three they got that week.
>
> Maybe I'll turn the filters off for 10 minutes on the day I retire.
> That outta earn me a gold watch. Or a first class lynching...
>
> ...Kevin
> --

The worst, I think, are the people who complain about the Daily Quarantine Report I send them from Mailwatch that is too big for them to review everyday. And my sendmail access file with all those REJECTs is huge.

So there really is no winning for the poor email admin.

Steve

From annett.david at gmail.com Sun Sep 28 00:45:48 2008
From: annett.david at gmail.com (David Annett)
Date: Sun Sep 28 00:45:59 2008
Subject: Improvements to install.sh ?
In-Reply-To: <48DE8755.5080603@alexb.ch>
References: <48DE80F7.9020400@ecs.soton.ac.uk> <48DE8755.5080603@alexb.ch>
Message-ID:

I think Alex's suggestions are good. I have a MS install that has been broken for a while. From what I can tell Yum broke things and now I think the key to getting it to work is the MS installer and seeing what issues it is finding. The problem is a lot of stuff flashes by really quickly so it's hard to tell what issues it is finding. I was looking for an install log to find out why I still have problems.

My suggestions would be:

1. Write an install log somewhere and at the end of the install tell the user where to find the log.
2. Where possible to identify, and supported by the console, highlight errors that may be an issue in another colour so as they flash by you know there is something to follow up on.

Thanks
David

On Sun, Sep 28, 2008 at 7:19 AM, Alex Broens wrote:
> On 9/27/2008 8:52 PM, Julian Field wrote:
>
>> Hi folks!
>>
>> I haven't done anything to the installer in quite a long time.
>> Are there any improvements people would like to see, particularly in the
>> RPM installer as that's by far the most common distribution, and,,,
>
>
> Hi Jules,
> ...
> 2.- Write an install.log in system's root folder. Write the results of [1.]
> at the top.
> ...
> my 2 cents
>
> Alex

From email at ace.net.au Sun Sep 28 05:03:09 2008
From: email at ace.net.au (Peter Nitschke)
Date: Sun Sep 28 05:03:30 2008
Subject: Log problem?
In-Reply-To:
References: <200809260102280332.14086FC2@web.ace.net.au>
Message-ID: <200809281333090203.21045A7D@web.ace.net.au>

No backlog, just the incrementing mail process number from what I can see.

I have more info though. It relates to F-prot finding something that Clam-D doesn't. The Fprot reports are read/written incorrectly, so the infected mail slips through the crack. :(

I read about another user having the same problem a while back, but he didn't know what fixed it eventually.

Looks like I might need to build a server with older versions and see at what point in updating it breaks.

Peter

*********** REPLY SEPARATOR ***********

On 26/09/2008 at 5:26 PM Raymond Dijkxhoorn wrote:

>Hi!
>
>> Does the 3rd line look incomplete?
>>
>> Sep 25 20:37:32 nx22 MailScanner[15691]: Virus Scanning: F-Prot found 1
>> infections
>> Sep 25 20:37:32 nx22 MailScanner[15691]: Infected message m8PB7NYZ019577
>> came from 61.9.189.143
>> Sep 25 20:37:32 nx22 MailScanner[15691]: Infected message 15691 came from
>> Sep 25 20:37:32 nx22 MailScanner[15691]: Virus Scanning: Found 1 viruses
>
>Nice backlog also, almost 16.000 messages in queue ;)
>
>Bye,
>Raymond.

From email at ace.net.au Sun Sep 28 07:01:22 2008
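Added example, not part of the thread and not MailScanner code: a maillog check for the symptom quoted above, an "Infected message" line whose ID is only the MailScanner process number or whose source address is missing. The function names and the assumed syslog field layout are this example's own; the sample lines are the four quoted in the message, unwrapped onto single lines.

```shell
#!/bin/sh
# Added example: flag MailScanner "Infected message" log lines that look
# truncated or mis-parsed. Assumes the usual syslog layout:
#   Mon DD HH:MM:SS host MailScanner[PID]: Infected message ID came from ADDR

# find_suspect_infected_lines FILE
# Prints one line per suspect entry: "<line number> <reasons> <message id>"
# Reasons (comma separated when both apply):
#   id-is-pid   the "message ID" equals the PID of the MailScanner child
#   no-source   nothing follows "came from"
find_suspect_infected_lines() {
    awk '
    $5 ~ /^MailScanner\[[0-9]+\]:$/ && $6 == "Infected" && $7 == "message" {
        # Extract the PID from "MailScanner[PID]:"
        pid = $5
        sub(/^MailScanner\[/, "", pid)
        sub(/\]:$/, "", pid)

        id  = $8     # token after "Infected message"
        src = $11    # token after "came from" (empty when missing)

        reason = ""
        if (id == pid) reason = "id-is-pid"
        if (src == "") reason = (reason == "" ? "no-source" : reason ",no-source")
        if (reason != "") print NR, reason, id
    }' "$1"
}

# The log lines quoted in the thread, each on one line.
sample_maillog() {
    cat <<'EOF'
Sep 25 20:37:32 nx22 MailScanner[15691]: Virus Scanning: F-Prot found 1 infections
Sep 25 20:37:32 nx22 MailScanner[15691]: Infected message m8PB7NYZ019577 came from 61.9.189.143
Sep 25 20:37:32 nx22 MailScanner[15691]: Infected message 15691 came from
Sep 25 20:37:32 nx22 MailScanner[15691]: Virus Scanning: Found 1 viruses
EOF
}

# Demo: write the sample to a temporary file and report suspect lines.
demo_file=$(mktemp)
sample_maillog >"$demo_file"
find_suspect_infected_lines "$demo_file"
rm -f "$demo_file"
```

Run against a real maillog, any output is a cue to compare the scanner's own report for that batch with what MailScanner logged.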
From: email at ace.net.au (Peter Nitschke)
Date: Sun Sep 28 07:01:40 2008
Subject: Improvements to install.sh ?
In-Reply-To: <48DE80F7.9020400@ecs.soton.ac.uk>
References: <48DE80F7.9020400@ecs.soton.ac.uk>
Message-ID: <200809281531220386.217095B4@web.ace.net.au>

Slightly related.

The RPM has no space after empty config lines in MailScanner.conf eg "Run As User ="
However upgrade_MailScanner_conf adds a space eg "Run As User = " which means you get a lot of extra lines cluttering up a diff of the old and new .conf files.

Peter

*********** REPLY SEPARATOR ***********

On 27/09/2008 at 7:52 PM Julian Field wrote:

>Hi folks!
>
>I haven't done anything to the installer in quite a long time.
>Are there any improvements people would like to see, particularly in the
>RPM installer as that's by far the most common distribution, and is used
>by the least tech-savvy people who need the most guidance.
>
>Today I have done some work on both the README and the QuickInstall.txt
>files, to bring them up to date and to simplify them.
>
>Also I have documented the "./install.sh fast" option, so people who
>read the docs know it exists, as it greatly speeds things up if you know
>what you're doing and don't need to read all the output.
>
>But what would people like to see improved in the actual installation
>script, install.sh?
>
>Jules
>
>--

From erwin.lomibao at gmail.com Sun Sep 28 10:28:56 2008
From: erwin.lomibao at gmail.com (erwin lomibao)
Date: Sun Sep 28 10:29:04 2008
Subject: Improvements to install.sh ?
In-Reply-To: <200809281531220386.217095B4@web.ace.net.au>
References: <48DE80F7.9020400@ecs.soton.ac.uk> <200809281531220386.217095B4@web.ace.net.au>
Message-ID:

Hello I'm a newbie in the list.

Net install (!!), just download one file (install.sh) which:
- determines what unix it is running on
- install (or upgrade) any missing modules and download them via apt, yum, port, emerge, pkg_add or whatever
- ask to install (or upgrade) optional modules and download them
- install (or upgrade to) the latest stable MailScanner
- install the correct startup script for each distribution
- setup a working MailScanner.conf by asking the basics (mail server, hostname, organization, enable av, spam checks, etc)
- ??

I know it would take a complete re-write of the install.sh but it's something I would wish to see.

Thanks

--
erwin lomibao
senior systems admin
inquirer interactive
erwin.lomibao@{inquirer.net}
9f rufino plaza
makati 1200 philippines

From hvdkooij at vanderkooij.org Sun Sep 28 11:13:59 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Sep 28 11:14:09 2008
Subject: Improvements to install.sh ?
In-Reply-To:
References: <48DE80F7.9020400@ecs.soton.ac.uk> <200809281531220386.217095B4@web.ace.net.au>
Message-ID: <48DF58E7.4010005@vanderkooij.org>

erwin lomibao wrote:
> Hello I'm a newbie in the list.
> Net install (!!), just download one file (install.sh) which:
> - determines what unix it is running on
> - install (or upgrade) any missing modules and download them via apt,
> yum, port, emerge, pkg_add or whatever
> - ask to install (or upgrade) optional modules and download them
> - install (or upgrade to) the latest stable MailScanner
> - install the correct startup script for each distribution
> - setup a working MailScanner.conf by asking the basics (mail server,
> hostname, organization, enable av, spam checks, etc)
> - ??
> I know it would take a complete re-write of the install.sh but it's
> something I would wish to see.

Some of these things should not be in an install script. The configuration part in particular should not be part of it.

Just doing the dependency stuff for all distributions would be a big PITA and require a team of Julians.

There is however documentation intended for software package makers. It is the main purpose of the whole LSB project. If Jules could make an LSB compliant installation then some of the problems might go away. But it will require a lot of rainy afternoons to get there.

But come to think of it it would be nice if the script would warn that it will cause update conflicts because it will force some packages. Preferably it should never use the force option or at least ask for explicit permission to do so.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

From andrew at gdcon.net Sun Sep 28 12:45:52 2008
From: andrew at gdcon.net (Andrew MacLachlan)
Date: Sun Sep 28 12:46:11 2008
Subject: Improvements to install.sh ?
In-Reply-To: <48DF58E7.4010005@vanderkooij.org>
References: <48DE80F7.9020400@ecs.soton.ac.uk> <200809281531220386.217095B4@web.ace.net.au> <48DF58E7.4010005@vanderkooij.org>
Message-ID: <48DF6E70.5050304@gdcon.net>

Hugo van der Kooij wrote:
> erwin lomibao wrote:
>
>> Hello I'm a newbie in the list.
>> Net install (!!), just download one file (install.sh) which:
>> - determines what unix it is running on
>> - install (or upgrade) any missing modules and download them via apt,
>> yum, port, emerge, pkg_add or whatever
>> - ask to install (or upgrade) optional modules and download them
>> - install (or upgrade to) the latest stable MailScanner
>> - install the correct startup script for each distribution
>> - setup a working MailScanner.conf by asking the basics (mail server,
>> hostname, organization, enable av, spam checks, etc)
>> - ??
>> I know it would take a complete re-write of the install.sh but it's
>> something I would wish to see.
>>

Apart from the determine which OS it is and configure bit, doesn't the new repository do just that?

>
> But come to think of it it would be nice if the script would warn that
> it will cause update conflicts because it will force some packages.
> Preferably it should never use the force option or at least ask for
> explicit permission to do so.
>

THAT would be a nice touch...
Maybe only display errors during the install but log everything?

-Andy

From martinh at solidstatelogic.com Sun Sep 28 13:32:27 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Sun Sep 28 13:26:45 2008
Subject: Improvements to install.sh ?
Message-ID:

Log would indeed be handy, sometimes my scroll-back isn't big enough to spot any issues.

Helping out with beta testing I find the current way of upgrading (the generic installer) brilliant. A 12 line script to front end all my rules/customisations etc and I'm done

-----Original Message-----
From: Alex Broens
Sent: 27 September 2008 20:22
To: MailScanner discussion
Subject: Re: Improvements to install.sh ?

On 9/27/2008 8:52 PM, Julian Field wrote:
> Hi folks!
>
> I haven't done anything to the installer in quite a long time.
> Are there any improvements people would like to see, particularly in the
> RPM installer as that's by far the most common distribution, and is used
> by the least tech-savvy people who need the most guidance.
>
> Today I have done some work on both the README and the QuickInstall.txt
> files, to bring them up to date and to simplify them.
>
> Also I have documented the "./install.sh fast" option, so people who
> read the docs know it exists, as it greatly speeds things up if you know
> what you're doing and don't need to read all the output.
>
> But what would people like to see improved in the actual installation
> script, install.sh?

Hi Jules,

1.- Before you start doing the setup, check which Perl modules you'll be updating/overwriting, show a list and REQUIRE an "Press enter" key to accept these changes

2.- Write a install.log in system's root folder. Write the results of [1.] at the top.

if admin chooses to use the "fast" method, only write the log.

I think this would help avoid surprises

The "only worry about xyz" gives a possible sense of safety, not sure at this point if anything else is so trivial as lately there have been growing dependency issues.

Ideally, if you need to use a higher module version for MS than what you find installed, add to /path/to/MailScanner/perl but I assume that would require a massive lot of work.

my 2 cents

Alex

**********************************************************************
Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer.
Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer.
Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us.
Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free.

Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales (Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom
**********************************************************************

From andrew at gdcon.net Sun Sep 28 16:21:32 2008
From: andrew at gdcon.net (Andrew MacLachlan)
Date: Sun Sep 28 16:21:49 2008
Subject: Improvements to install.sh ?
In-Reply-To:
References:
Message-ID: <48DFA0FC.2050400@gdcon.net>

Martin.Hepworth wrote:
> Log would indeed be handy, sometimes my scroll-back isn't big enough to spot any issues.
>
>

Try logsave - It's a great utility for capturing output.
http://linux.die.net/man/8/logsave

-Andy

From mhw at WittsEnd.com Sun Sep 28 16:47:03 2008
From: mhw at WittsEnd.com (Michael H. Warfield)
Date: Sun Sep 28 16:47:20 2008
Subject: Improvements to install.sh ?
In-Reply-To: <48DE80F7.9020400@ecs.soton.ac.uk>
References: <48DE80F7.9020400@ecs.soton.ac.uk>
Message-ID: <1222616823.12861.11.camel@canyon.wittsend.com>

Hey Julian!

Wow... Serendipity or what. I was just in the middle of a yum upgrade of some Fedora 8 systems to Fedora 9 and ran smack into a bloody nightmare with MailScanner. The problem here is that Fedora 8 had perl 5.8 and had all the modules installed for that. Fedora 9 has perl 5.10. The yum upgrade (which was also nightmarish due to the signing key rollover and a dependency hell on openssl and openldap) upgraded all the base perl stuff but not the MailScanner stuff. Trying to reinstall MailScanner seems to work but then it doesn't run, complaining about Hostname/Long.pm not existing amongst others (fix one and there's more). The problem is, the rpm is installed but for the wrong version of perl and wasn't upgraded and the install doesn't install it because it thinks it's already there, even though the .pm module is in the wrong version directory. I had to manually build and install the bad modules until MailScanner would restart.

I strongly suspect that this would be the case even if I did not use a live yum upgrade but used an anaconda install (CD or preupgrade) as well.

My suggestion for install.sh would be a sanity check to insure the correct rpm's are there for that distribution or a "reinstall" option that will reinstall the rpm's even if the exact same rpm is already present. Yeah, this is a corner case that rarely comes up but it's an UGLY corner case, in this case.

Mike

--
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw@WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!

From MailScanner at ecs.soton.ac.uk Sun Sep 28 17:15:57 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Sep 28 17:16:16 2008
Subject: Improvements to install.sh ?
In-Reply-To:
References:
Message-ID: <48DFADBD.1080200@ecs.soton.ac.uk>

Andrew MacLachlan wrote:
> Martin.Hepworth wrote:
>> Log would indeed be handy, sometimes my scroll-back isn't big enough
>> to spot any issues.
>>
>>
> Try logsave - It's a great utility for capturing output.
> http://linux.die.net/man/8/logsave

I'll just use "tee", thanks, it's always there and quite sufficient for the job.
Cheers anyway.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From martinh at solidstatelogic.com Sun Sep 28 17:37:01 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Sun Sep 28 17:31:18 2008
Subject: Improvements to install.sh ?
Message-ID:

Ok I'll be first to bite:-)

Running servers on fedora is considered "a bad idea" (tm), your problem below being one of the reasons.

--
martin

From MailScanner at ecs.soton.ac.uk Sun Sep 28 17:44:42 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Sep 28 17:45:06 2008
Subject: Improvements to install.sh ?
In-Reply-To:
References: <48DE80F7.9020400@ecs.soton.ac.uk>
Message-ID: <48DFB47A.8090803@ecs.soton.ac.uk>

Good idea, I like that one.

There is now a "reinstall" or "--reinstall" command-line option which will attempt to remove the perl- rpm if it is installed, just before it attempts to install the new one. Should solve your problem nicely.

I have also added a logfile called "install.log" in the current directory, in which all output will be copied.

Jules.

From MailScanner at ecs.soton.ac.uk Sun Sep 28 17:49:57 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Sep 28 17:50:18 2008
Subject: Improvements to install.sh ?
In-Reply-To:
References: <48DE80F7.9020400@ecs.soton.ac.uk> <200809281531220386.217095B4@web.ace.net.au> <48DF58E7.4010005@vanderkooij.org>
Message-ID: <48DFB5B5.8010507@ecs.soton.ac.uk>

Andrew MacLachlan wrote:
> Maybe only display errors during the install but log everything?

The only snag is that the "make test" phase of installing a Perl module can take quite a while, and there's no other way to get any feedback at all that it is actually still working and hasn't hung or anything.

It also makes it very difficult to get errors into the log but not onto the console while the script is running, as currently I can do it with a single "tee" that wraps up the entire install.sh script contents, saving making hundreds of modifications and duplications within the script. At the moment it is a very simple change, which is tidy and simple and easy to maintain.

I can easily remove the output of the "make test" phase altogether.

Unfortunately there is no control within "rpmbuild" of what output it generates and what it doesn't. It has virtually no configuration at all.

Jules

From mhw at WittsEnd.com Sun Sep 28 18:07:27 2008
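Added example, not code from install.sh or from anyone in this thread: the single-"tee" logging discussed above, extended so the installer body's exit status survives the pipe and the lines worth following up can be listed after the output has scrolled by. The names run_logged and flagged_lines, the match pattern and the constructed installer body are assumptions of the example.

```shell
#!/bin/sh
# Added example, not taken from MailScanner's install.sh.

# run_logged LOGFILE COMMAND [ARGS...]
# Runs COMMAND with stdout and stderr combined, copies every line to the
# console and to LOGFILE through a single tee, and returns COMMAND's own
# exit status (a plain "cmd | tee" would return tee's status instead).
run_logged() {
    rl_log=$1
    shift
    rl_status=$(mktemp) || return 1
    {
        rl_rc=0
        "$@" 2>&1 || rl_rc=$?
        # The left side of a pipe runs in a subshell, so pass the status
        # back to the caller through a file.
        echo "$rl_rc" >"$rl_status"
    } | tee "$rl_log"
    rl_rc=$(cat "$rl_status")
    rm -f "$rl_status"
    return "$rl_rc"
}

# flagged_lines LOGFILE
# Prints "lineno:text" for log lines that deserve a second look, so they can
# be reviewed once the install has finished. The pattern is an assumption.
flagged_lines() {
    grep -n -i -E 'error|fail|conflict' "$1" || true
}

# Constructed stand-in for an installer body: progress on stdout, a problem
# on stderr, and a non-zero exit status.
sample_install_body() {
    echo "Building perl-Example-Module"
    echo "make test: ok"
    echo "error: Failed dependencies: perl(Example) is needed" >&2
    echo "Installing MailScanner"
    return 3
}

# Demo: full output still reaches the console (so long-running steps show
# progress), the log keeps everything, and the summary points at the log.
demo() {
    demo_dir=$(mktemp -d) || return 1
    demo_rc=0
    run_logged "$demo_dir/install.log" sample_install_body || demo_rc=$?
    echo "installer exit status: $demo_rc"
    echo "Lines to follow up (full log in $demo_dir/install.log):"
    flagged_lines "$demo_dir/install.log"
}

demo
```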
From: mhw at WittsEnd.com (Michael H. Warfield)
Date: Sun Sep 28 18:07:42 2008
Subject: Improvements to install.sh ?
In-Reply-To:
References:
Message-ID: <1222621647.12861.15.camel@canyon.wittsend.com>

On Sun, 2008-09-28 at 17:37 +0100, Martin.Hepworth wrote:
> Ok I'll be first to bite:-)

> Running servers on fedora is considered "a bad idea" (tm), your problem below being one of the reasons.

You don't have much choice if you want advanced features like md5sums on BGP peering and the like (I peer both IPv4 and IPv6 on BGP and have contributed patches to the quagga project). Ever try a live upgrade of a CentOS system or RHEL from 4.x to 5.x? I wouldn't consider them in this environment simply because they are that much worse.

> --
> martin

Mike

From ms-list at alexb.ch Sun Sep 28 18:28:43 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Sun Sep 28 18:29:41 2008
Subject: Improvements to install.sh ?
In-Reply-To: <1222621647.12861.15.camel@canyon.wittsend.com>
References: <1222621647.12861.15.camel@canyon.wittsend.com>
Message-ID: <48DFBECB.8020006@alexb.ch>

On 9/28/2008 7:07 PM, Michael H. Warfield wrote:
> On Sun, 2008-09-28 at 17:37 +0100, Martin.Hepworth wrote:
>> Ok i'll be first to bite:-)
>
>> Running servers on fedora is considered "a bad idea" (tm), your problem below being one of the reasons.
>
> You don't have much choice if you want advanced features like md5sums
> on BGP peering and the like (I peer both IPv4 and IPv6 on BGP and have
> contributed patches to the quagga project).

You do all this stuff on your MailScanner boxes?

> Ever try a live upgrade of
> a CentOS system or RHEL from 4.x to 5.x? I wouldn't consider them in
> this environment simply because they are that much worse.

Never heard of anybody sane and/or sober who does this unless the person is
prepared to lose hair, brain cells and possibly a job.

Alex

From email at ace.net.au Sun Sep 28 18:40:12 2008
From: email at ace.net.au (Peter Nitschke)
Date: Sun Sep 28 18:40:30 2008
Subject: Improvements to install.sh ?
In-Reply-To: <1222621647.12861.15.camel@canyon.wittsend.com>
References: <1222621647.12861.15.camel@canyon.wittsend.com>
Message-ID: <200809290310120511.23F06005@web.ace.net.au>

*********** REPLY SEPARATOR ***********

On 28/09/2008 at 1:07 PM Michael H. Warfield wrote:

>On Sun, 2008-09-28 at 17:37 +0100, Martin.Hepworth wrote:
>> Ok i'll be first to bite:-)
>
>> Running servers on fedora is considered "a bad idea" (tm), your problem
>below being one of the reasons.
>
> You don't have much choice if you want advanced features like md5sums
>on BGP peering and the like (I peer both IPv4 and IPv6 on BGP and have
>contributed patches to the quagga project). Ever try a live upgrade of
>a CentOS system or RHEL from 4.x to 5.x? I wouldn't consider them in
>this environment simply because they are that much worse.

But you don't _have_ to upgrade Rhel/Centos 4 to 5 for it to stay
functional.

As I use MS just for scanning then passing to a pop server, it's my
preference to just build a new box (or VM) with major OS version changes.

From shuttlebox at gmail.com Sun Sep 28 19:31:35 2008
From: shuttlebox at gmail.com (shuttlebox)
Date: Sun Sep 28 19:31:44 2008
Subject: Improvements to install.sh ?
In-Reply-To: <48DFBECB.8020006@alexb.ch>
References: <1222621647.12861.15.camel@canyon.wittsend.com> <48DFBECB.8020006@alexb.ch>
Message-ID: <625385e30809281131p3312d841yd0cf1ec41abf5124@mail.gmail.com>

On Sun, Sep 28, 2008 at 7:28 PM, Alex Broens wrote:
>> Ever try a live upgrade of
>> a CentOS system or RHEL from 4.x to 5.x? I wouldn't consider them in
>> this environment simply because they are that much worse.
>
> Never heard of anybody sane and/or sober who does this unless the person is
> prepared to lose hair, brain cells and possibly a job.

Funny, in Solaris we do live upgrades all the time so as not to risk what
you just mentioned. ;-)

--
/peter

From hvdkooij at vanderkooij.org Sun Sep 28 19:42:01 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Sep 28 19:42:12 2008
Subject: Improvements to install.sh ?
In-Reply-To: <625385e30809281131p3312d841yd0cf1ec41abf5124@mail.gmail.com>
References: <1222621647.12861.15.camel@canyon.wittsend.com> <48DFBECB.8020006@alexb.ch> <625385e30809281131p3312d841yd0cf1ec41abf5124@mail.gmail.com>
Message-ID: <48DFCFF9.6050105@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

shuttlebox wrote:
> On Sun, Sep 28, 2008 at 7:28 PM, Alex Broens wrote:
>>> Ever try a live upgrade of
>>> a CentOS system or RHEL from 4.x to 5.x? I wouldn't consider them in
>>> this environment simply because they are that much worse.
>> Never heard of anybody sane and/or sober who does this unless the person is
>> prepared to lose hair, brain cells and possibly a job.
>
> Funny, in Solaris we do live upgrades all the time so not to risk what
> you just mentioned. ;-)

I recall that I have once done a Centos 4 to Centos 5 upgrade by just
picking up the version package and let yum take care of the rest. But that
was just a proof of concept.

Centos 4 will be receiving updates for quite a while. Unlike the unworkable
schedule you are forced to with Fedora.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFI38/4BvzDRVjxmYERAo4IAKCqxYnR7EKTPfcGZYmSXgiHpkeuAACfQXqh
nTvunF6YBou3jzvhe+lNA/g=
=ksUG
-----END PGP SIGNATURE-----

From mhw at WittsEnd.com Sun Sep 28 19:59:57 2008
From: mhw at WittsEnd.com (Michael H. Warfield)
Date: Sun Sep 28 20:00:17 2008
Subject: Improvements to install.sh ?
In-Reply-To: <1222616823.12861.11.camel@canyon.wittsend.com>
References: <48DE80F7.9020400@ecs.soton.ac.uk> <1222616823.12861.11.camel@canyon.wittsend.com>
Message-ID: <1222628397.12861.19.camel@canyon.wittsend.com>

On Sun, 2008-09-28 at 11:47 -0400, Michael H. Warfield wrote:
> Hey Julian!
> Wow... Serendipity or what. I was just in the middle of a yum upgrade
> of some Fedora 8 systems to Fedora 9 and ran smack into a bloody
> nightmare with MailScanner. The problem here is that Fedora 8 had perl
> 5.8 and had all the modules installed for that. Fedora 9 has perl 5.10.
> The yum upgrade (which was also nightmarish due to the signing key
> rollover and a dependency hell on openssl and openldap) upgraded all the
> base perl stuff but not the MailScanner stuff. Trying to reinstall
> MailScanner seems to work but then it doesn't run, complaining about
> Hostname/Long.pm not existing amongst others (fix one and there's more).
> The problem is, the rpm is installed but for the wrong version of perl
> and wasn't upgraded and the install doesn't install it because it thinks
> it's already there, even though the .pm module is in the wrong version
> directory. I had to manually build and install the bad modules until
> MailScanner would restart.

Managed to narrow it down to three critical perl modules that had to be
manually removed via rpm -e and then rebuilt and reinstalled manually.

    perl-Sys-Hostname-Long
    perl-Net-CIDR
    perl-OLE-Storage_Lite

Reinstalling MailScanner then reinstalling those three did the trick.
Maybe just something peculiar to them. Everything else upgraded smoothly.

> I strongly suspect that this would be the case even if I did not use a
> live yum upgrade but used an anaconda install (CD or preupgrade) as
> well.
> > My suggestion for install.sh would be a sanity check to insure the > correct rpm's are there for that distribution or a "reinstall" option > that will reinstall the rpm's even if the exact same rpm is already > present. Yeah, this is a corner case that rarely comes up but it's an > UGLY corner case, in this case. > > Mike > > On Sat, 2008-09-27 at 19:52 +0100, Julian Field wrote: > > Hi folks! > > > > I haven't done anything to the installer in quite a long time. > > Are there any improvements people would like to see, particularly in the > > RPM installer as that's by far the most common distribution, and is used > > by the least tech-savvy people who need the most guidance. > > > > Today I have done some work on both the README and the QuickInstall.txt > > files, to bring the up to date and to simplify them. > > > > Also I have documented the "./install.sh fast" option, so people who > > read the docs know it exists, as it greatly speeds things up if you know > > what you're doing and don't need to read all the output. > > > > But what would people like to see improved in the actual installation > > script, install.sh? > > > > Jules > > > > -- > > Julian Field MEng CITP CEng > > www.MailScanner.info > > Buy the MailScanner book at www.MailScanner.info/store > > > > MailScanner customisation, or any advanced system administration help? > > Contact me at Jules@Jules.FM > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > PGP public key: http://www.jules.fm/julesfm.asc > > > > > > -- > > This message has been scanned for viruses and > > dangerous content by MailScanner, and is > > believed to be clean. -- Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw@WittsEnd.com /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it! -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available
Type: application/pgp-signature
Size: 307 bytes
Desc: This is a digitally signed message part
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080928/f4ac4adb/attachment.bin
From jonas at vrt.dk Sun Sep 28 20:08:22 2008
From: jonas at vrt.dk (Jonas Akrouh Larsen)
Date: Sun Sep 28 20:08:46 2008
Subject: Problem with mailscanner form out of nowhere
Message-ID: <000001c9219d$93687b90$ba3972b0$@dk>

Hi List

1 of my scanners started having issues over the weekend.

After having stopped it and run a -debug on it it reports the following:

scanner0:/etc/init.d# /opt/MailScanner/bin/MailScanner --debug
In Debugging mode, not forking...
Trying to setlogsock(unix)
SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
Building a message batch to scan...
Have a batch of 15 messages.
Modification of a read-only value attempted at /opt/MailScanner/lib/MailScanner/Log.pm line 117, line 110.

And then it just quits.

I have not upgraded anything on the system recently and haven't had any
problems.

The only thing I could find was an old mention of a similar perl error on
the list which seemed to suggest it had something to do with "bad" mails in
the queue.

Does anybody have any idea what might be going on?

Desperately seeking advice

Jonas A. Larsen

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080928/076ff6e5/attachment.html
From martinh at solidstatelogic.com Sun Sep 28 21:01:33 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Sun Sep 28 20:55:53 2008
Subject: Problem with mailscanner form out of nowhere
Message-ID:

What does..

Mailscanner --debug --debug-sa

And

Mailscanner -v

And

Mailscanner -lint

Show?

Anything in message log?

--
martin

-----Original Message-----
From: Jonas Akrouh Larsen Sent: 28 September 2008 20:13 To: mailscanner@lists.mailscanner.info Subject: Problem with mailscanner form out of nowhere Hi List 1 of my scanners starting having issues over the weekend. After having stopped it and run a -debug on it it reports the following: scanner0:/etc/init.d# /opt/MailScanner/bin/MailScanner --debug In Debugging mode, not forking... Trying to setlogsock(unix) SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp Building a message batch to scan... Have a batch of 15 messages. Modification of a read-only value attempted at /opt/MailScanner/lib/MailScanner/Log.pm line 117, line 110. And then it just quits. I have not upgraded anything on the system recently and haven't had any problems. The only thing I could find was an old mention of a similar perl error on the list which seemed to sugest it had something to do with "bad" mails in the queue. Do anybody have any idea what might be going on? Desperately seeking advice Jonas A. Larsen ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. 
Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales
(Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU,
United Kingdom
**********************************************************************
From jonas at vrt.dk Sun Sep 28 21:23:39 2008
From: jonas at vrt.dk (Jonas Akrouh Larsen)
Date: Sun Sep 28 21:24:03 2008
Subject: Problem with mailscanner form out of nowhere
In-Reply-To:
References:
Message-ID: <002301c921a8$17e3fed0$47abfc70$@dk>

--debug --debug-sa is the same except more output.

MailScanner -V didn't report any missing modules or any errors.

I went ahead and upgraded mailscanner to the newest stable (4.71.10) which
didn't help anything. I was on 4.71.7 before that.

MailScanner --lint didn't cause any problems.

The solution though was as I suspected to remove 3 mails from the queue.
Now it appears to run ok.

Although it's a bit troublesome that MailScanner wasn't able to report any
meaningful error.

I have saved the 3 trouble mails and if I get time I'm gonna look and test
them tomorrow on my other scanners.

They are all spam mails so no worries about them not being delivered. But
it's gonna be interesting to see if they can crash my other 2 scanners as
well.

I will try and report back my findings.

Have a nice Sunday y'all.

Jonas A. Larsen

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Martin.Hepworth
Sent: 28. september 2008 22:02
To: MailScanner discussion
Subject: RE: Problem with mailscanner form out of nowhere

What does..

Mailscanner --debug --debug-sa

And

Mailscanner -v

And

Mailscanner -lint

Show?

Anything in message log?

--
martin

-----Original Message-----
From: Jonas Akrouh Larsen Sent: 28 September 2008 20:13 To: mailscanner@lists.mailscanner.info Subject: Problem with mailscanner form out of nowhere Hi List 1 of my scanners starting having issues over the weekend. After having stopped it and run a -debug on it it reports the following: scanner0:/etc/init.d# /opt/MailScanner/bin/MailScanner --debug In Debugging mode, not forking... Trying to setlogsock(unix) SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp Building a message batch to scan... Have a batch of 15 messages. Modification of a read-only value attempted at /opt/MailScanner/lib/MailScanner/Log.pm line 117, line 110. And then it just quits. I have not upgraded anything on the system recently and haven't had any problems. The only thing I could find was an old mention of a similar perl error on the list which seemed to sugest it had something to do with "bad" mails in the queue. Do anybody have any idea what might be going on? Desperately seeking advice Jonas A. Larsen ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. 
Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From ssilva at sgvwater.com Mon Sep 29 01:23:00 2008 
From: ssilva at sgvwater.com (Scott Silva) Date: Mon Sep 29 01:23:22 2008 Subject: Improvements to install.sh ? In-Reply-To: <1222616823.12861.11.camel@canyon.wittsend.com> References: <48DE80F7.9020400@ecs.soton.ac.uk> <1222616823.12861.11.camel@canyon.wittsend.com> Message-ID: on 9-28-2008 8:47 AM Michael H. Warfield spake the following: > Hey Juian! > > Wow... Serendipity or what. I was just in the middle of a yum upgrade > of some Fedora 8 systems to Fedora 9 and ran smack into a bloody > nightmare with MailScanner. The problem here is that Fedora 8 had perl > 5.8 and had all the modules installed for that. Fedora 9 has perl 5.10. > The yum upgrade (which was also nightmarish due to the signing key > rollover and a dependency hell on openssl and openldap) upgraded all the > base perl stuff but not the MailScanner stuff. Trying to reinstall > MailScanner seems to work but then it doesn't run, complaining about > Hostname/Long.pm not existing amongst others (fix one and there's more). > The problem is, the rpm is installed but for the wrong version of perl > and wasn't upgraded and the install doesn't install it because it thinks > it's already there, even though the .pm module is in the wrong version > directory. I had to manually build and install the bad modules until > MailScanner would restart. > > I strongly suspect that this would be the case even if I did not use a > live yum upgrade but used an anaconda install (CD or preupgrade) as > well. > > My suggestion for install.sh would be a sanity check to insure the > correct rpm's are there for that distribution or a "reinstall" option > that will reinstall the rpm's even if the exact same rpm is already > present. Yeah, this is a corner case that rarely comes up but it's an > UGLY corner case, in this case. > That is probably why most of the Enterprise distributions usually discourage upgrades between major versions. I won't start the enterprise VS hobbyist distro war again. 
--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 250 bytes
Desc: OpenPGP digital signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080928/23e5451a/signature.bin
From ssilva at sgvwater.com Mon Sep 29 01:27:11 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Sep 29 01:30:17 2008
Subject: Improvements to install.sh ?
In-Reply-To: <48DFB47A.8090803@ecs.soton.ac.uk>
References: <48DE80F7.9020400@ecs.soton.ac.uk> <48DFB47A.8090803@ecs.soton.ac.uk>
Message-ID:

on 9-28-2008 9:44 AM Julian Field spake the following:
> Good idea, I like that one. There is now a "reinstall" or "--reinstall"
> command-line option which will attempt to remove the perl-
> rpm if it is installed, just before it attempts to install the new one.
> Should solve your problem nicely.
>
> I have also added a logfile called "install.log" in the current
> directory, in which all output will be copied.
>
Is there any possibility of adding a pause after the removal phase but before
the re-install phase?
That way people with perl rpm upgrades from RedHat can update and get the new
perl installed in another shell and then resume the first.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 250 bytes
Desc: OpenPGP digital signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080928/222b10fe/signature.bin
From MailScanner at ecs.soton.ac.uk Mon Sep 29 08:28:06 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Sep 29 08:28:28 2008
Subject: Improvements to install.sh ?
In-Reply-To:
References: <48DE80F7.9020400@ecs.soton.ac.uk> <48DFB47A.8090803@ecs.soton.ac.uk>
Message-ID: <48E08386.40702@ecs.soton.ac.uk>

Scott Silva wrote:
> on 9-28-2008 9:44 AM Julian Field spake the following:
>> Good idea, I like that one. There is now a "reinstall" or
>> "--reinstall" command-line option which will attempt to remove the
>> perl- rpm if it is installed, just before it attempts to
>> install the new one.
>> Should solve your problem nicely.
>>
>> I have also added a logfile called "install.log" in the current
>> directory, in which all output will be copied.
>>
> Is there any possibility of adding a pause after the removal phase but
> before the re-install phase?
It's done per-module. I'm not sure I can rewind a <
> That way people with perl rpm upgrades from RedHat can update and get
> the new perl installed in another shell and then resume the first.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From ajcartmell at fonant.com Mon Sep 29 12:25:05 2008
From: ajcartmell at fonant.com (Anthony Cartmell)
Date: Mon Sep 29 12:25:12 2008
Subject: Multiple confusions on my part.
In-Reply-To: <1222559122.48dec592b7178@perdition.cnpapers.net>
References: <48DCF72B.90903@ecs.soton.ac.uk> <48DD0C27.9070301@cnpapers.com> <48DD4782.8030002@cnpapers.com> <1222559122.48dec592b7178@perdition.cnpapers.net>
Message-ID:

> The worst, I think, are the people who complain about the Daily
> Quarantine
> Report I send them from Mailwatch that is too big for them to review
> everyday.

I modified my daily MailWatch report to have two features:

1) Messages sorted by spam score first, then date and time.
2) Rows have coloured background set by spam score. White for low scores,
   up to dark red for high ones.

Means it's easy to scan to see how many might be false positives (the white
background rows, if any), and you only need to check the top of the table.
It's very clear that all the messages at the bottom are definite spam!

A daily MailWatch report in this format gives two benefits:

1) Easy to spot any false positives, so users feel comfortable that nothing
   can get lost in the filter.
2) A graphic demonstration of the work that MailScanner is doing.

Cheers!

Anthony
--
www.fonant.com - Quality web sites

From ajcartmell at fonant.com Mon Sep 29 12:35:21 2008
From: ajcartmell at fonant.com (Anthony Cartmell)
Date: Mon Sep 29 12:35:27 2008
Subject: Improvements to install.sh ?
In-Reply-To:
References:
Message-ID:

> Running servers on fedora is considered "a bad idea" (tm), your problem
> below being one of the reasons.

We've been here before. Fedora is better in some circumstances, CentOS is
better in others. Fedora will require more frequent updates, but that can
be a Good Thing: look at the update frequency of MailScanner :)

Please remember that we don't all run MailScanner on dedicated-to-mail
servers. In fact the beauty of MailScanner is that it doesn't need a server
to itself, even with quite high mail volumes.

I've looked into the whole Fedora/CentOS issue regularly. For my use (web
hosting mostly, requiring up-to-date packages, some e-mail) Fedora is much
better suited to the job than CentOS. I can see that for others CentOS is
the way to go, and Fedora would be silly. But we're not all doing the same
things!

In any case, perl package update problems are much more to do with how perl
is installed than the particular OS you're using. Yum and CPAN can break
MailScanner on CentOS too.

Cheers!

Anthony
--
www.fonant.com - Quality web sites

From Denis.Beauchemin at USherbrooke.ca Mon Sep 29 13:49:33 2008
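[Added example, not part of any list message and not code from MailScanner's install.sh: one way to do the sanity check suggested earlier in this thread, flagging a Perl module whose RPM is installed but whose .pm files sit outside the running perl's @INC. The function names and the sample paths are assumptions made for illustration; the three package names are the ones reported in the thread.]

```shell
#!/bin/sh
# Added example, not MailScanner's install.sh. Flags Perl modules whose RPM
# is installed but whose .pm files are outside the running perl's @INC,
# the state a perl 5.8 -> 5.10 distribution upgrade can leave behind.

# pm_outside_inc INC_DIRS FILE_LIST
# Both arguments are newline-separated: INC_DIRS as perl prints @INC,
# FILE_LIST in the format of `rpm -ql PACKAGE`. Prints every .pm path in
# FILE_LIST that is not below one of the INC_DIRS.
pm_outside_inc() {
    inc_dirs=$1
    printf '%s\n' "$2" | while IFS= read -r path; do
        case $path in
            *.pm) ;;            # only module files matter, not man pages
            *) continue ;;
        esac
        found=no
        # The directory list is re-read for every path from a here-document
        while IFS= read -r dir; do
            [ -n "$dir" ] || continue
            case $path in
                "${dir%/}"/*) found=yes; break ;;
            esac
        done <<EOF
$inc_dirs
EOF
        [ "$found" = yes ] || printf '%s\n' "$path"
    done
}

# module_loads MODULE: true if the perl on PATH can load MODULE.
module_loads() {
    perl -M"$1" -e 1 >/dev/null 2>&1
}

# check_package PACKAGE MODULE
# Returns 0 if MODULE loads, 1 if PACKAGE is not installed, 2 if PACKAGE is
# installed but perl cannot load MODULE (the case a reinstall has to fix).
check_package() {
    if module_loads "$2"; then
        echo "ok       $2"
        return 0
    fi
    if ! rpm -q "$1" >/dev/null 2>&1; then
        echo "missing  $1"
        return 1
    fi
    echo "stale    $1 is installed but perl cannot load $2"
    pm_outside_inc "$(perl -e 'print join("\n", @INC)')" "$(rpm -ql "$1")" |
        sed 's/^/         not in @INC: /'
    return 2
}

# sample_stale_paths: constructed input (not real rpm output) for a module
# built for perl 5.8.8 on a host whose perl is 5.10.0.
sample_stale_paths() {
    pm_outside_inc '/usr/lib/perl5/5.10.0
/usr/lib/perl5/vendor_perl/5.10.0' '/usr/lib/perl5/vendor_perl/5.8.8/Sys/Hostname/Long.pm
/usr/share/man/man3/Sys::Hostname::Long.3pm.gz
/usr/lib/perl5/vendor_perl/5.10.0/Net/CIDR.pm'
}

# Run the real check only when asked to: sh check_perl_rpms.sh check
if [ "${1:-}" = check ]; then
    rc=0
    while read -r pkg mod; do
        check_package "$pkg" "$mod" || rc=1
    done <<EOF
perl-Sys-Hostname-Long Sys::Hostname::Long
perl-Net-CIDR Net::CIDR
perl-OLE-Storage_Lite OLE::Storage_Lite
EOF
    exit "$rc"
fi
```

[A "stale" result marks a package that rpm reports as installed while perl cannot load the module, which is the case where an installer that only asks rpm whether the package exists will skip it.]
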
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Mon Sep 29 13:49:54 2008
Subject: Improvements to install.sh ?
In-Reply-To: <48E08386.40702@ecs.soton.ac.uk>
References: <48DE80F7.9020400@ecs.soton.ac.uk> <48DFB47A.8090803@ecs.soton.ac.uk> <48E08386.40702@ecs.soton.ac.uk>
Message-ID: <48E0CEDD.2040100@USherbrooke.ca>

Julian Field wrote:
>
>
> Scott Silva wrote:
>> on 9-28-2008 9:44 AM Julian Field spake the following:
>>> Good idea, I like that one. There is now a "reinstall" or
>>> "--reinstall" command-line option which will attempt to remove the
>>> perl- rpm if it is installed, just before it attempts
>>> to install the new one.
>>> Should solve your problem nicely.
>>>
>>> I have also added a logfile called "install.log" in the current
>>> directory, in which all output will be copied.
>>>
>> Is there any possibility of adding a pause after the removal phase
>> but before the re-install phase?
> It's done per-module. I'm not sure I can rewind a < can't read the table twice. I'm trying to avoid duplicating stuff in
> the file if I can.
>
> Jules
>

Julian,

I just tried the following and it seems to work fine:

#!/bin/bash

# One entry per line, so that "read" picks up one file at a time
LIST="/etc/motd
/etc/sysconfig/network
/etc/hosts
/etc/group"

# First pass over the list
while read FILE
do
    echo "Working on $FILE"
done << EOF
$LIST
EOF

# Second pass: the same variable feeds a second here-document
while read FILE
do
    ls -l "$FILE"
done << EOF
$LIST
EOF

Denis

--
  _
 °v°    Denis Beauchemin, analyste
/(_)\   Université de Sherbrooke, S.T.I.
 ^ ^    T: 819.821.8000x62252 F: 819.821.8045

From campbell at cnpapers.com Mon Sep 29 14:05:24 2008
From: campbell at cnpapers.com (Steve Campbell)
Date: Mon Sep 29 14:06:54 2008
Subject: Improvements to install.sh ?
In-Reply-To: <48DFA0FC.2050400@gdcon.net>
References: <48DFA0FC.2050400@gdcon.net>
Message-ID: <48E0D294.2050305@cnpapers.com>

Andrew MacLachlan wrote:
> Martin.Hepworth wrote:
>> Log would indeed be handy, sometimes my scroll-back isn't big enough
>> to spot any issues.
>>
>>
> Try logsave - It's a great utility for capturing output.
> http://linux.die.net/man/8/logsave
>
>
> -Andy
>
>

Martin,

I found the man page easily enough, but saw no place to get whatever I
needed to install/load/copy logsave from.

Any help?

Steve Campbell

From Denis.Beauchemin at USherbrooke.ca Mon Sep 29 14:41:35 2008
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Mon Sep 29 14:41:54 2008
Subject: Improvements to install.sh ?
In-Reply-To: <48E0D294.2050305@cnpapers.com>
References: <48DFA0FC.2050400@gdcon.net> <48E0D294.2050305@cnpapers.com>
Message-ID: <48E0DB0F.90200@USherbrooke.ca>

Steve Campbell wrote:
>
>
> Andrew MacLachlan wrote:
>> Martin.Hepworth wrote:
>>> Log would indeed be handy, sometimes my scroll-back isn't big enough
>>> to spot any issues.
>>>
>>>
>> Try logsave - It's a great utility for capturing output.
>> http://linux.die.net/man/8/logsave
>>
>>
>> -Andy
>>
>>
>
> Martin,
>
> I found the man page easily enough, but saw no place to get whatever I
> needed to install/load/copy logsave from.
>
> Any help?
>
> Steve Campbell
>

Steve,

I don't know logsave, but all Linux distros I know come with "script".
Before installing anything I do "script install.$(date +%Y%m%d)" to start a
log file with the current date, then I run the install script and then I
hit Ctrl-D (or type exit) to stop logging. I then peruse the output to make
sure I didn't miss any error.

Denis

--
  _
 °v°    Denis Beauchemin, analyste
/(_)\   Université de Sherbrooke, S.T.I.
 ^ ^    T: 819.821.8000x62252 F: 819.821.8045

From campbell at cnpapers.com Mon Sep 29 15:09:08 2008
From: campbell at cnpapers.com (Steve Campbell)
Date: Mon Sep 29 15:09:21 2008
Subject: Improvements to install.sh ?
In-Reply-To: <48E0DB0F.90200@USherbrooke.ca>
References: <48DFA0FC.2050400@gdcon.net> <48E0D294.2050305@cnpapers.com> <48E0DB0F.90200@USherbrooke.ca>
Message-ID: <48E0E184.6020606@cnpapers.com>

Thanks Denis,

That linux stuff is great. Sad to say, there's so much to learn I don't
think I'd ever be able to say I was proficient in it. I just keep learning
more and more and .....

Steve

Denis Beauchemin wrote:
> Steve Campbell wrote:
>>
>>
>> Andrew MacLachlan wrote:
>>> Martin.Hepworth wrote:
>>>> Log would indeed be handy, sometimes my scroll-back isn't big
>>>> enough to spot any issues.
>>>>
>>>>
>>> Try logsave - It's a great utility for capturing output.
>>> http://linux.die.net/man/8/logsave
>>>
>>>
>>> -Andy
>>>
>>>
>>
>> Martin,
>>
>> I found the man page easily enough, but saw no place to get whatever
>> I needed to install/load/copy logsave from.
>>
>> Any help?
>>
>> Steve Campbell
>>
> Steve,
>
> I don't know logsave, but all Linux distros I know come with
> "script". Before installing anything I do "script install.$(date
> +%Y%m%d)" to start a log file with the current date, then I run the
> install script and then I hit Ctrl-D (or type exit) to stop logging.
> I then peruse the output to make sure I didn't miss any error.
>
> Denis
>

From Kevin_Miller at ci.juneau.ak.us Mon Sep 29 17:17:34 2008
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Mon Sep 29 17:17:47 2008 Subject: Improvements to install.sh ? In-Reply-To: <48DE80F7.9020400@ecs.soton.ac.uk> References: <48DE80F7.9020400@ecs.soton.ac.uk> Message-ID: Julian Field wrote: > Hi folks! > > I haven't done anything to the installer in quite a long time. > Are there any improvements people would like to see, particularly in > the RPM installer as that's by far the most common distribution, and > is used by the least tech-savvy people who need the most guidance. > > Today I have done some work on both the README and the > QuickInstall.txt files, to bring the up to date and to simplify them. > > Also I have documented the "./install.sh fast" option, so people who > read the docs know it exists, as it greatly speeds things up if you > know what you're doing and don't need to read all the output. > > But what would people like to see improved in the actual installation > script, install.sh? Nothing overwhelming on my end but there are a couple of minor things that would be nice, as long as you're inspired. At at the tail end of the installation script, it mentions running update_MailScanner & update_languages. I always forget the exact syntax so run them w/o any args which then displays three lines showing exactly what to run. It would be great if that was shown instead of just the simple reminder. When the combined spam/av script runs it adds the same three or four lines to each .pre file. As you've noted in the past, it's harmless to add them in multiple times. But it would be cleaner if they were just added to the latest. Nothing to lose sleep over, just a little extra cruft to wade through when/if debugging. Many of us use MailWatch of course. It might be nice if it asked if MailWatch was going to be used, and if so, set the appropriate variables in MailScanner.conf at install time. 
On the other hand, since MailWatch 2 is on the horizon, it may have a completely different set of variables so this might not be worthwhile at this point.

That's all that comes to mind off hand...

...Kevin
--
Kevin Miller               Registered Linux User No: 307357
CBJ MIS Dept.              Network Systems Admin., Mail Admin.
155 South Seward Street    ph: (907) 586-0242
Juneau, Alaska 99801       fax: (907 586-4500

From gesbbb at yahoo.com Mon Sep 29 17:36:10 2008
From: gesbbb at yahoo.com (Jerry)
Date: Mon Sep 29 17:36:30 2008
Subject: Improvements to install.sh ?
In-Reply-To: <48E0DB0F.90200@USherbrooke.ca>
References: <48DFA0FC.2050400@gdcon.net> <48E0D294.2050305@cnpapers.com> <48E0DB0F.90200@USherbrooke.ca>
Message-ID: <20080929123610.26ecf63b@scorpio>

On Mon, 29 Sep 2008 09:41:35 -0400 Denis Beauchemin wrote:

> I don't know logsave, but all Linux distros I know come with "script".
> Before installing anything I do "script install.$(date +%Y%m%d)" to
> start a log file with the current date, then I run the install script
> and then I hit Ctrl-D (or type exit) to stop logging.
> I then peruse the output to make sure I didn't miss any error.

Why not just run it the way the 'man' page suggests. At least on FreeBSD this is how I use it.

SYNOPSIS:
script [-akq] [-t time] [file [command ...]]

It will terminate when the script ends and will record the start and stop time as well.

Just my 2¢.

--
Jerry
gesbbb@yahoo.com

QOTD: "I used to go to UCLA, but then my Dad got a job."

From ms-list at alexb.ch Mon Sep 29 17:38:31 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Mon Sep 29 17:38:46 2008
Subject: Improvements to install.sh ?
In-Reply-To:
References: <48DE80F7.9020400@ecs.soton.ac.uk>
Message-ID: <48E10487.8080506@alexb.ch>

On 9/29/2008 6:17 PM, Kevin Miller wrote:
> When the combined spam/av script runs it adds the same three or four
> lines to each .pre file. As you've noted in the past, it's harmless to
> add them in multiple times. But it would be cleaner if they were just
> added to the latest. Nothing to lose sleep over, just a little extra
> cruft to wade through when/if debugging.

the .pre files belong to SpamAssassin and shouldn't ever be touched/modified by MailScanner.

If the files are missing, it would be acceptable to have MailScanner add them, but to overwrite existing files should be avoided by all means.

Alex

From Kevin_Miller at ci.juneau.ak.us Mon Sep 29 17:56:43 2008
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Mon Sep 29 17:56:55 2008
Subject: Improvements to install.sh ?
In-Reply-To: <48E10487.8080506@alexb.ch>
References: <48DE80F7.9020400@ecs.soton.ac.uk> <48E10487.8080506@alexb.ch>
Message-ID:

Alex Broens wrote:
> On 9/29/2008 6:17 PM, Kevin Miller wrote:
>> When the combined spam/av script runs it adds the same three or four
>> lines to each .pre file. As you've noted in the past, it's harmless
>> to add them in multiple times. But it would be cleaner if they were
>> just added to the latest. Nothing to lose sleep over, just a little
>> extra cruft to wade through when/if debugging.
>
> the .pre files belong to SpamAssassin and shouldn't ever be
> touched/modified by MailScanner.
>
> If the files are missing, it would be acceptable to have MailScanner
> add them, but to overwrite existing files should be avoided by all
> means.

It's during the clamAV/spamassassin install, not the MailScanner install (which I mentioned above). I know the discussion is the MailScanner install, but knowing that Julian is usually pretty thorough I figured I'd add that in on the off chance he'll be looking to improve both scripts.

Obviously when installing spamassassin it's acceptable that one would touch its related config files...

...Kevin
--
Kevin Miller               Registered Linux User No: 307357
CBJ MIS Dept.              Network Systems Admin., Mail Admin.
155 South Seward Street    ph: (907) 586-0242
Juneau, Alaska 99801       fax: (907 586-4500

From annett.david at gmail.com Mon Sep 29 20:34:52 2008
From: annett.david at gmail.com (David Annett)
Date: Mon Sep 29 20:35:02 2008
Subject: Start failure due to Compress/Zlib.pm line 9
In-Reply-To:
References:
Message-ID:

Thanks for the advice Alex, it didn't all work for me but it did keep the mail running until I could find the fix. To help others in future I can say the fix was in the archives about a year back and was:

------
The perl Scalar-Util module in Fedora install is broken. You need to download the latest version from the website... I get the error occasionally after perl updates itself.

wget http://search.cpan.org/CPAN/authors/id/G/GB/GBARR/Scalar-List-Utils-1.19.tar.gz
tar xzvf Scalar-List-Utils-1.19.tar.gz
cd Scalar-List-Utils-1.19
perl Makefile.PL
make test
make install
--------

I also disabled perl updates in yum in the hope that it won't break again by adding to /etc/yum.conf the line:

exclude=perl-*

Of course I now have to hope there is not an important perl security update in future that I don't hear about.

On Thu, Sep 25, 2008 at 4:39 PM, Alex Neuman van der Hans wrote:
>
> Try this:
>
> killall -9 MailScanner
> killall -9 sendmail
> sendmail -bd -q5m
> sendmail -O QueueDirectory=/var/spool/mqueue.in (this should take a long long time)
> (this assumes you're running sendmail)
>
> That should take care of mail for now - if your sendmail's properly configured you're still blocking a lot of spam at the MTA level.
> ...

From ms-list at alexb.ch Mon Sep 29 21:59:29 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Mon Sep 29 21:59:45 2008
Subject: Improvements to install.sh ?
In-Reply-To:
References: <48DE80F7.9020400@ecs.soton.ac.uk> <48E10487.8080506@alexb.ch>
Message-ID: <48E141B1.5050802@alexb.ch>

On 9/29/2008 6:56 PM, Kevin Miller wrote:
> Alex Broens wrote:
>> On 9/29/2008 6:17 PM, Kevin Miller wrote:
>>> When the combined spam/av script runs it adds the same three or four
>>> lines to each .pre file. As you've noted in the past, it's harmless
>>> to add them in multiple times. But it would be cleaner if they were
>>> just added to the latest. Nothing to lose sleep over, just a little
>>> extra cruft to wade through when/if debugging.
>> the .pre files belong to SpamAssassin and shouldn't ever be
>> touched/modified by MailScanner.
>>
>> If the files are missing, it would be acceptable to have MailScanner
>> add them, but to overwrite existing files should be avoided by all
>> means.
>
> It's during the clamAV/spamassassin install, not the MailScanner install
> (which I mentioned above). I know the discussion is the MailScanner
> install, but knowing that Julian is usually pretty thorough I figured
> I'd add that in on the off chance he'll be looking to improve both
> scripts.

Sorry mixed them up...

> Obviously when installing spamassassin it's acceptable that one would
> touch its related config files...

by SA's make process yes, and that will never overwrite user conf = *.pre files

Alex

From MailScanner at ecs.soton.ac.uk Mon Sep 29 22:27:22 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Sep 29 22:27:42 2008
Subject: MIME-tools 5.427
Message-ID: <48E1483A.2050509@ecs.soton.ac.uk>

Please can a few people upgrade their MIME-tools Perl module to the latest 5.427 as provided here:
http://search.cpan.org/CPAN/authors/id/D/DO/DONEILL/MIME-tools-5.427.tar.gz
and just check for me that everything still works okay.

If it does, I'm going to upgrade to it in the main distribution.

Thanks folks!

P.S. Trying to choose cat names at the moment -- need two. Current favourites are Cisco, Root, Tarball. They are both boys. Any preferences or other suggestions are most welcome. You've got till the end of Wednesday to come up with ideas and votes. Get your thinking hats on! :-)

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From Kevin_Miller at ci.juneau.ak.us Mon Sep 29 22:31:50 2008
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Mon Sep 29 22:32:00 2008
Subject: MIME-tools 5.427
In-Reply-To: <48E1483A.2050509@ecs.soton.ac.uk>
References: <48E1483A.2050509@ecs.soton.ac.uk>
Message-ID:

Julian Field wrote:
> Please can a few people upgrade their MIME-tools Perl module to the
> latest 5.427 as provided here:
> http://search.cpan.org/CPAN/authors/id/D/DO/DONEILL/MIME-tools-5.427.tar.gz
> and just check for me that everything still works okay.
>
> If it does, I'm going to upgrade to it in the main distribution.
>
> Thanks folks!
>
> P.S. Trying to choose cat names at the moment -- need two. Current
> favourites are Cisco, Root, Tarball. They are both boys. Any
> preferences or other suggestions are most welcome. You've got till
> the end of Wednesday to come up with ideas and votes. Get your
> thinking hats on! :-)

Personally, I've always liked "Dawg" and "Guess".

Friend: What's your cat's name?
You: Guess
Friend: Um, Cisco? Root? Tarball?
You: Guess.
etc..

...Kevin
--
Kevin Miller               Registered Linux User No: 307357
CBJ MIS Dept.              Network Systems Admin., Mail Admin.
155 South Seward Street    ph: (907) 586-0242
Juneau, Alaska 99801       fax: (907 586-4500

From ms-list at alexb.ch Mon Sep 29 22:49:42 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Mon Sep 29 22:49:58 2008
Subject: MIME-tools 5.427
In-Reply-To: <48E1483A.2050509@ecs.soton.ac.uk>
References: <48E1483A.2050509@ecs.soton.ac.uk>
Message-ID: <48E14D76.9030308@alexb.ch>

On 9/29/2008 11:27 PM, Julian Field wrote:
> Please can a few people upgrade their MIME-tools Perl module to the
> latest 5.427 as provided here:
> http://search.cpan.org/CPAN/authors/id/D/DO/DONEILL/MIME-tools-5.427.tar.gz
> and just check for me that everything still works okay.
>
> If it does, I'm going to upgrade to it in the main distribution.
>
> Thanks folks!
>
> P.S. Trying to choose cat names at the moment -- need two. Current
> favourites are Cisco, Root, Tarball. They are both boys. Any preferences
> or other suggestions are most welcome. You've got till the end of
> Wednesday to come up with ideas and votes. Get your thinking hats on! :-)

Cisco is my black cat SCSI (skahzee) the grey one, a she.

names I've considered:
Flex Floppy Bzip Switch Cert

:-)

Alex

From mikes at hartwellcorp.com Mon Sep 29 22:39:32 2008
From: mikes at hartwellcorp.com (Michael St. Laurent)
Date: Mon Sep 29 22:50:00 2008
Subject: MIME-tools 5.427
References: <48E1483A.2050509@ecs.soton.ac.uk>
Message-ID: <3BF93070B3D1B047BA7ABF612958950D02CF67F4@hcex.hartwellcorp.com>

If you're going for unix command names how about cat? ;)

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field
> Sent: Monday, September 29, 2008 2:27 PM
> To: MailScanner discussion
> Subject: MIME-tools 5.427
>
> Please can a few people upgrade their MIME-tools Perl module to the
> latest 5.427 as provided here:
> http://search.cpan.org/CPAN/authors/id/D/DO/DONEILL/MIME-tools-5.427.tar.gz
> and just check for me that everything still works okay.
>
> If it does, I'm going to upgrade to it in the main distribution.
>
> Thanks folks!
>
> P.S. Trying to choose cat names at the moment -- need two. Current
> favourites are Cisco, Root, Tarball. They are both boys. Any preferences
> or other suggestions are most welcome. You've got till the end of
> Wednesday to come up with ideas and votes. Get your thinking hats on! :-)
>
> Jules
>
> --
> Julian Field MEng CITP CEng
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> MailScanner customisation, or any advanced system administration help?
> Contact me at Jules@Jules.FM
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> PGP public key: http://www.jules.fm/julesfm.asc
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From alex at rtpty.com Mon Sep 29 22:52:54 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Mon Sep 29 22:53:19 2008
Subject: MIME-tools 5.427
In-Reply-To: <48E1483A.2050509@ecs.soton.ac.uk>
References: <48E1483A.2050509@ecs.soton.ac.uk>
Message-ID: <43131596-9F09-4B8A-BBD7-361F870B8B37@rtpty.com>

In keeping with the cat theme, how about more & less, pipe and Yee, pico and nano, pine and elm, or (gasp!) vi and emacs?

For more inspiration just press tab twice and hit yes at your bash prompt!

---
Alex Neuman
Reliant Technologies
+507 6781-9505
Skype: alexneuman

On Sep 29, 2008, at 4:27 PM, Julian Field wrote:

> Please can a few people upgrade their MIME-tools Perl module to the
> latest 5.427 as provided here:
> http://search.cpan.org/CPAN/authors/id/D/DO/DONEILL/MIME-tools-5.427.tar.gz
> and just check for me that everything still works okay.
>
> If it does, I'm going to upgrade to it in the main distribution.
>
> Thanks folks!
>
> P.S. Trying to choose cat names at the moment -- need two. Current
> favourites are Cisco, Root, Tarball. They are both boys. Any
> preferences or other suggestions are most welcome. You've got till
> the end of Wednesday to come up with ideas and votes. Get your
> thinking hats on! :-)
>
> Jules
>
> --
> Julian Field MEng CITP CEng
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> MailScanner customisation, or any advanced system administration help?
> Contact me at Jules@Jules.FM
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> PGP public key: http://www.jules.fm/julesfm.asc
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.

From steve.freegard at fsl.com Tue Sep 30 00:00:38 2008
From: steve.freegard at fsl.com (Steve Freegard)
Date: Tue Sep 30 00:00:49 2008
Subject: MIME-tools 5.427
In-Reply-To: <48E1483A.2050509@ecs.soton.ac.uk>
References: <48E1483A.2050509@ecs.soton.ac.uk>
Message-ID: <48E15E16.3060001@fsl.com>

Julian Field wrote:
>
> P.S. Trying to choose cat names at the moment -- need two. Current
> favourites are Cisco, Root, Tarball. They are both boys. Any preferences
> or other suggestions are most welcome. You've got till the end of
> Wednesday to come up with ideas and votes. Get your thinking hats on! :-)
>

Sed and Awk? ;-)

From rjette at mestek.com Tue Sep 30 01:23:47 2008
From: rjette at mestek.com (Ray Jette)
Date: Tue Sep 30 01:23:57 2008
Subject: MailScanner --lint
Message-ID: <1222734227.27091.2.camel@laptop>

I am running MailScanner --lint to look for problems. The output of this command does not fit on the screen. I am trying to save this to a text file for review. The command sudo MailScanner --lint > log.txt did not work.

I believe this did not work because I need to redirect stderr. Is this correct? I have been doing some research and have tried to redirect this a few different ways but have not been able to get it working.

Does anyone have any ideas on how to do this?

Thanks in advance,
Ray Jette

From rjette at mestek.com Tue Sep 30 01:41:57 2008
From: rjette at mestek.com (Ray Jette)
Date: Tue Sep 30 01:42:08 2008
Subject: MailScanner --lint
In-Reply-To: <1222734227.27091.2.camel@laptop>
References: <1222734227.27091.2.camel@laptop>
Message-ID: <1222735317.27091.4.camel@laptop>

I tried to run "sudo MailScanner --lint --debug --debug-sa 2> log.txt". This did save some information to the log file but not all of it. I must be missing something.

On Mon, 2008-09-29 at 20:23 -0400, Ray Jette wrote:
> I am running MailScanner --lint to look for problems. The output of this
> command does not fit on the screen. I am trying to save this to a text
> file for review. The command sudo MailScanner --lint > log.txt did not
> work.
>
> I believe this did not work because I need to redirect stderr. Is this
> correct? I have been doing some research and have tried to redirect this
> a few different ways but have not been able to get it working.
>
> Does anyone have any ideas on how to do this?
>
> Thanks in advance,
> Ray Jette

From gcle at smcaus.com.au Tue Sep 30 02:02:23 2008
From: gcle at smcaus.com.au (Gerard Cleary)
Date: Tue Sep 30 02:03:18 2008
Subject: MailScanner --lint
In-Reply-To: <1222734227.27091.2.camel@laptop>
References: <1222734227.27091.2.camel@laptop>
Message-ID: <200809301102.24094.gcle@smcaus.com.au>

On Tue, 30 Sep 2008 10:23:47 Ray Jette wrote:
> I am running MailScanner --lint to look for problems. The output of this
> command does not fit on the screen. I am trying to save this to a text
> file for review. The command sudo MailScanner --lint > log.txt did not
> work.
>
> I believe this did not work because I need to redirect stderr. Is this
> correct? I have been doing some research and have tried to redirect this
> a few different ways but have not been able to get it working.
>
> Does anyone have any ideas on how to do this?
>
> Thanks in advance,
> Ray Jette

The output is going to "stderr" so use

MailScanner --lint 2>log.txt

I found the page useful

All the best,
Gerard.

--
Gerard Cleary
SMC Systems Administration
Ph: +61 2 9354 8222

From rjette at mestek.com Tue Sep 30 02:18:21 2008
From: rjette at mestek.com (Ray Jette)
Date: Tue Sep 30 02:18:30 2008
Subject: MailScanner --lint
In-Reply-To: <200809301102.24094.gcle@smcaus.com.au>
References: <1222734227.27091.2.camel@laptop> <200809301102.24094.gcle@smcaus.com.au>
Message-ID: <1222737501.27091.6.camel@laptop>

Thanks for the quick reply. I found that this does log some information to the log file but it does not seem to log it all. If I compare what's on the screen to what is in the log file some information is missing.

On Tue, 2008-09-30 at 11:02 +1000, Gerard Cleary wrote:
> tldp.org/LDP/abs/html/io-redirection.html

From alex at rtpty.com Tue Sep 30 03:03:04 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Tue Sep 30 03:03:18 2008
Subject: MIME-tools 5.427
In-Reply-To: <48E15E16.3060001@fsl.com>
References: <48E1483A.2050509@ecs.soton.ac.uk> <48E15E16.3060001@fsl.com>
Message-ID: <9DADB92A-6DB9-4DD3-9F0A-A1B9D1433A3C@rtpty.com>

bash and k(ah)sh?

On Sep 29, 2008, at 7:00 PM, Steve Freegard wrote:

> Julian Field wrote:
>> P.S. Trying to choose cat names at the moment -- need two. Current
>> favourites are Cisco, Root, Tarball. They are both boys. Any
>> preferences or other suggestions are most welcome. You've got till
>> the end of Wednesday to come up with ideas and votes. Get your
>> thinking hats on! :-)
>
> Sed and Awk? ;-)

From roland at inbox4u.de Tue Sep 30 04:55:02 2008
From: roland at inbox4u.de (Ehle, Roland)
Date: Tue Sep 30 04:55:54 2008
Subject: AW: MIME-tools 5.427
In-Reply-To: <48E1483A.2050509@ecs.soton.ac.uk>
References: <48E1483A.2050509@ecs.soton.ac.uk>
Message-ID:

Hi,

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field
> Sent: Monday, 29 September 2008 23:27
> Subject: MIME-tools 5.427
>
> Please can a few people upgrade their MIME-tools Perl module to the
> latest 5.427 as provided here:
> http://search.cpan.org/CPAN/authors/id/D/DO/DONEILL/MIME-tools-5.427.tar.gz
> and just check for me that everything still works okay.

Just installed on a Centos5 box. Installation worked without problems. I will be watching and reporting.

Regards,
Roland

From alex at rtpty.com Tue Sep 30 05:58:54 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Tue Sep 30 05:59:08 2008
Subject: Way OT: Cat Names
Message-ID:

* File & Print
* TRON & CLU
* while and for
* gid & uid
* slash and dot
* patches and updates
* picard & riker
* (if both females) rose & martha
* doctor & master
* head & tail
* man & info

Just off the top of my head...

From michael at huntley.net Tue Sep 30 06:55:58 2008
From: michael at huntley.net (Michael Huntley)
Date: Tue Sep 30 06:56:18 2008
Subject: MIME-tools 5.427
In-Reply-To: <48E1483A.2050509@ecs.soton.ac.uk>
References: <48E1483A.2050509@ecs.soton.ac.uk>
Message-ID: <48E1BF6E.5090808@huntley.net>

Julian Field wrote:
> Please can a few people upgrade their MIME-tools Perl module to the
> latest 5.427 as provided here:
> http://search.cpan.org/CPAN/authors/id/D/DO/DONEILL/MIME-tools-5.427.tar.gz
>
> and just check for me that everything still works okay.
>
> If it does, I'm going to upgrade to it in the main distribution.
>
> Thanks folks!
>
> P.S. Trying to choose cat names at the moment -- need two. Current
> favourites are Cisco, Root, Tarball. They are both boys. Any
> preferences or other suggestions are most welcome. You've got till the
> end of Wednesday to come up with ideas and votes. Get your thinking
> hats on! :-)
>
> Jules
>

Interesting. Everyone is selecting a name focused on technology.

So here's one for ya:

Nuke

It has several meanings. I had a Sphynx named Nuke and he was awesome. He was named after Newcastle Brown Ale, but since he was a naked cat Nuke fit too.

And of course, you can slur it to be "New-key" as it fits in with RedHat's bumbling (D'oh!) of their rpm repository.

Cheers!

m

vinum vesco valens viscus

From martinh at solidstatelogic.com Tue Sep 30 07:04:37 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Tue Sep 30 06:58:43 2008
Subject: Way OT: Cat Names
Message-ID:

Gizmo k9 Watt (as in electrical...volt, amp, watt)

We got server called watt, hours of fun ala "who's on first"...you think i should get out more :-)

--
martin

-----Original Message-----
From: Alex Neuman van der Hans
Sent: 30 September 2008 06:03
To: MailScanner discussion
Subject: Way OT: Cat Names

* File & Print
* TRON & CLU
* while and for
* gid & uid
* slash and dot
* patches and updates
* picard & riker
* (if both females) rose & martha
* doctor & master
* head & tail
* man & info

Just off the top of my head...

From hvdkooij at vanderkooij.org Tue Sep 30 07:01:10 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Tue Sep 30 07:01:21 2008
Subject: MIME-tools 5.427
In-Reply-To: <48E1483A.2050509@ecs.soton.ac.uk>
References: <48E1483A.2050509@ecs.soton.ac.uk>
Message-ID: <48E1C0A6.2050209@vanderkooij.org>

Julian Field wrote:
> Please can a few people upgrade their MIME-tools Perl module to the
> latest 5.427 as provided here:
> http://search.cpan.org/CPAN/authors/id/D/DO/DONEILL/MIME-tools-5.427.tar.gz
> and just check for me that everything still works okay.

Last weekend Peter, Julian and I had been looking into an issue with the perl MIME tools.

I have adjusted the wrapper accordingly to install perl-MIME-Tools 5.425 and perl-File-Temp 0.20

The point is that it seems that version of perl-MIME-Tools seems to need it to function properly yet the dependency is not automagically detected.

Hugo.

PS: Cats usually do not listen to names. But are MS people in general cat people? If so, it might explain some reaction in the past on this mailinglist. They were more the dog type of people ;-)

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

From hvdkooij at vanderkooij.org Tue Sep 30 07:08:56 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Tue Sep 30 07:09:04 2008
Subject: Way OT: Cat Names
In-Reply-To:
References:
Message-ID: <48E1C278.2020109@vanderkooij.org>

Alex Neuman van der Hans wrote:
> * File & Print
> * TRON & CLU
> * while and for
> * gid & uid
> * slash and dot
> * patches and updates
> * picard & riker
> * (if both females) rose & martha
> * doctor & master
> * head & tail
> * man & info
>
> Just off the top of my head...

Well. There is one problem. These names imply that the wearer of the name behaves in a predictable way just like any unix command.

But I think we all (should) know that if anything cat manual pages do not exist. I think the world would not be big enough to hold a manual page for just one cat.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

From ms-list at alexb.ch Tue Sep 30 07:43:36 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Tue Sep 30 07:43:48 2008
Subject: MIME-tools 5.427
In-Reply-To: <48E1C0A6.2050209@vanderkooij.org>
References: <48E1483A.2050509@ecs.soton.ac.uk> <48E1C0A6.2050209@vanderkooij.org>
Message-ID: <48E1CA98.5050305@alexb.ch>

On 9/30/2008 8:01 AM, Hugo van der Kooij wrote:
>
> PS: Cats usually do not listen to names. But are MS people in general
> cat people? If so, it might explain some reaction in the past on this
> mailinglist. They were more the dog type of people ;-)

you bet cats listen to names... easily reproducible on production cats :-)

From spamlists at coders.co.uk Tue Sep 30 07:49:40 2008
From: spamlists at coders.co.uk (Matt)
Date: Tue Sep 30 07:51:32 2008
Subject: MailScanner --lint
In-Reply-To: <1222734227.27091.2.camel@laptop>
References: <1222734227.27091.2.camel@laptop>
Message-ID: <48E1CC04.20500@coders.co.uk>

Ray Jette wrote:
> I am running MailScanner --lint to look for problems. The output of this
> command does not fit on the screen. I am trying to save this to a text
> file for review. The command sudo MailScanner --lint > log.txt did not
> work.
>

Take a look at http://tldp.org/HOWTO/Bash-Prog-Intro-HOWTO-3.html

Specifically example 3.4

sudo MailScanner --lint &> log.txt

matt

From erwin.lomibao at inquirer.net Tue Sep 30 08:15:13 2008
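Added example, not part of any message in this thread: a runnable sketch of the redirections discussed for `MailScanner --lint`, showing how much of the output each form saves when a program writes to both stdout and stderr. `emit_mixed` is a constructed stand-in, not MailScanner, and the portable `> file 2>&1` form is used because `&>` is a bash extension that a plain POSIX `sh` parses as a background job followed by a separate redirection.

```shell
#!/bin/sh
# Constructed stand-in (not MailScanner): a tool that writes two lines
# to stdout and two lines to stderr, interleaved.
emit_mixed() {
    echo "stdout: report line 1"
    echo "stderr: diagnostic line 1" >&2
    echo "stdout: report line 2"
    echo "stderr: diagnostic line 2" >&2
}

# Print the number of lines in file $1.
count_lines() {
    wc -l < "$1" | tr -d ' '
}

# cmd > file : only stdout is saved; stderr still goes to the terminal
# (discarded here by the outer 2>/dev/null so the demo stays quiet).
capture_stdout_only() {
    { emit_mixed > "$1"; } 2>/dev/null
    count_lines "$1"
}

# cmd 2> file : only stderr is saved; stdout still goes to the terminal.
capture_stderr_only() {
    { emit_mixed 2> "$1"; } >/dev/null
    count_lines "$1"
}

# cmd > file 2>&1 : stdout is sent to the file, then stderr is pointed
# at the same place. Portable equivalent of bash's "cmd &> file".
capture_both() {
    emit_mixed > "$1" 2>&1
    count_lines "$1"
}

# cmd 2>&1 > file : order matters. stderr is duplicated onto the OLD
# stdout first, so the file receives stdout only.
capture_wrong_order() {
    { emit_mixed 2>&1 > "$1"; } >/dev/null
    count_lines "$1"
}

# cmd 2>&1 | tee file : save everything and still watch it on screen.
# tee's screen copy is dropped here only so the function prints just
# the line count.
capture_with_tee() {
    emit_mixed 2>&1 | tee "$1" >/dev/null
    count_lines "$1"
}

# Demo: each form against the same four-line output.
demo_dir=$(mktemp -d)
echo "cmd > file           saved $(capture_stdout_only "$demo_dir/a.log") of 4 lines"
echo "cmd 2> file          saved $(capture_stderr_only "$demo_dir/b.log") of 4 lines"
echo "cmd > file 2>&1      saved $(capture_both "$demo_dir/c.log") of 4 lines"
echo "cmd 2>&1 > file      saved $(capture_wrong_order "$demo_dir/d.log") of 4 lines"
echo "cmd 2>&1 | tee file  saved $(capture_with_tee "$demo_dir/e.log") of 4 lines"
rm -rf "$demo_dir"
```

When the command is run through `sudo`, the redirection is still performed by the calling shell, so the log file is created with the invoking user's permissions rather than root's.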
From: erwin.lomibao at inquirer.net (erwin lomibao)
Date: Tue Sep 30 08:15:22 2008
Subject: Improvements to install.sh ?
In-Reply-To: <48E0DB0F.90200@USherbrooke.ca>
References: <48DFA0FC.2050400@gdcon.net> <48E0D294.2050305@cnpapers.com> <48E0DB0F.90200@USherbrooke.ca>
Message-ID:

I use ttyrec. It records everything that's typed and displayed which you can review using ttyplay later on.

On Mon, Sep 29, 2008 at 9:41 PM, Denis Beauchemin <Denis.Beauchemin@usherbrooke.ca> wrote:

>
> Steve,
>
> I don't know logsave, but all Linux distros I know come with "script".
> Before installing anything I do "script install.$(date +%Y%m%d)" to start a
> log file with the current date, then I run the install script and then I hit
> Ctrl-D (or type exit) to stop logging. I then peruse the output to make
> sure I didn't miss any error.
>
> Denis
>
> --
>   _
>  °v°   Denis Beauchemin, analyste
> /(_)\  Université de Sherbrooke, S.T.I.
>  ^ ^   T: 819.821.8000x62252 F: 819.821.8045
>

--
erwin lomibao
senior systems admin
inquirer interactive
erwin.lomibao@{inquirer.net}
9f rufino plaza
makati 1200
philippines

From MailScanner at ecs.soton.ac.uk Tue Sep 30 09:40:54 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Sep 30 09:41:17 2008
Subject: MailScanner --lint
In-Reply-To:
References:
Message-ID: <48E1E616.8080805@ecs.soton.ac.uk>

MailScanner --lint &> /tmp/logoutput.txt

Ray Jette wrote:
> I am running MailScanner --lint to look for problems. The output of this
> command does not fit on the screen. I am trying to save this to a text
> file for review. The command sudo MailScanner --lint > log.txt did not
> work.
>
> I believe this did not work because I need to redirect stderr. Is this
> correct? I have been doing some research and have tried to redirect this
> a few different ways but have not been able to get it working.
>
> Does anyone have any ideas on how to do this?
>
> Thanks in advance,
> Ray Jette
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From martyn at invictawiz.com Tue Sep 30 10:08:15 2008
From: martyn at invictawiz.com (Martyn Routley)
Date: Tue Sep 30 10:08:24 2008
Subject: Way OT: Cat Names
In-Reply-To:
References:
Message-ID: <48E1EC7F.8080707@invictawiz.com>

Alex Neuman van der Hans wrote:
> * File & Print
> * TRON & CLU
> * while and for
> * gid & uid
> * slash and dot
> * patches and updates
> * picard & riker
> * (if both females) rose & martha
> * doctor & master
> * head & tail
> * man & info
>
> Just off the top of my head...
>

Cat5 & Cat6?

--
Martyn Routley

From andrew at gdcon.net Tue Sep 30 10:47:45 2008
From: andrew at gdcon.net (Andrew MacLachlan) Date: Tue Sep 30 10:48:08 2008 Subject: Improvements to install.sh ? In-Reply-To: <48E0D294.2050305@cnpapers.com> References: <48DFA0FC.2050400@gdcon.net> <48E0D294.2050305@cnpapers.com> Message-ID: <48E1F5C1.8030505@gdcon.net> Steve Campbell wrote: > I found the man page easily enough, but saw no place to get whatever I > needed to install/load/copy logsave from. > > Any help? > > Steve Campbell If you are using CentOS/RHEL: yum install logsave -Andy From andrew at gdcon.net Tue Sep 30 10:54:11 2008 From: andrew at gdcon.net (Andrew MacLachlan) Date: Tue Sep 30 10:54:27 2008 Subject: Way OT: Cat Names In-Reply-To: <48E1EC7F.8080707@invictawiz.com> References: <48E1EC7F.8080707@invictawiz.com> Message-ID: <48E1F743.20804@gdcon.net> Martyn Routley wrote: > Alex Neuman van der Hans wrote: > >> * File & Print >> * TRON & CLU >> * while and for >> * gid & uid >> * slash and dot >> * patches and updates >> * picard & riker >> * (if both females) rose & martha >> * doctor & master >> * head & tail >> * man & info >> >> Just off the top of my head... >> >> > Cat5 & Cat6? > > Bill & Linus? -Andy From chris at clh.org.uk Tue Sep 30 12:00:39 2008 From: chris at clh.org.uk (Chris Hardy) Date: Tue Sep 30 12:00:54 2008 Subject: Way OT: Cat Names In-Reply-To: <48E1F743.20804@gdcon.net> References: <48E1EC7F.8080707@invictawiz.com> <48E1F743.20804@gdcon.net> Message-ID: <48E206D7.7000508@clh.org.uk> Andrew MacLachlan wrote: > Bill & Linus? > > -Andy > I like that, but would he end up showing favouritism to Linus? :) My choice has gotta be Slack and Ware :) C -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From martinh at solidstatelogic.com Tue Sep 30 12:09:56 2008 
From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Tue Sep 30 12:10:08 2008 Subject: MIME-tools 5.427 In-Reply-To: <48E1483A.2050509@ecs.soton.ac.uk> Message-ID: Jules Been running for last couple of hours no obvious issues so far. FreeBSD 4.11 Perl v5.8.5 MS 4.72.1-1 -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Julian Field > Sent: 29 September 2008 22:27 > To: MailScanner discussion > Subject: MIME-tools 5.427 > > Please can a few people upgrade their MIME-tools Perl module > to the latest 5.427 as provided here: > http://search.cpan.org/CPAN/authors/id/D/DO/DONEILL/MIME-tools > -5.427.tar.gz > and just check for me that everything still works okay. > > If it does, I'm going to upgrade to it in the main distribution. > > Thanks folks! > > P.S. Trying to choose cat names at the moment -- need two. > Current favourites are Cisco, Root, Tarball. They are both > boys. Any preferences or other suggestions are most welcome. > You've got till the end of Wednesday to come up with ideas > and votes. Get your thinking hats on! :-) > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 > B654 PGP public key: http://www.jules.fm/julesfm.asc > > > -- > This message has been scanned for viruses and dangerous > content by MailScanner, and is believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. 
Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From jen at ah.dk Tue Sep 30 12:22:40 2008 
From: jen at ah.dk (Jan Elmqvist Nielsen) Date: Tue Sep 30 12:23:01 2008 Subject: MailScanner 4.72.2-1 and clamavmodule In-Reply-To: <1222737501.27091.6.camel@laptop> References: <1222734227.27091.2.camel@laptop> <200809301102.24094.gcle@smcaus.com.au> <1222737501.27091.6.camel@laptop> Message-ID: <6FEBCA03F26F344484341AC71B6669D1649B536F99@nhsmail01.nhs.local>

I have used install-Clam-0.94-SA-3.2.5

Clamavmodule doesn't report

ClamAVModule::INFECTED:: Trojan.Agent-52097:: ./m8UAsTP2019721/

in maillog

Only

Virus Scanning: ClamAVModule found 1 infections

MailScanner --lint shows

Trying to setlogsock(unix)
Read 850 hostnames from the phishing whitelist
Read 5268 hostnames from the phishing blacklist
Config: calling custom init function MailWatchLogging
Started SQL Logging child
Checking version numbers...
Version number in MailScanner.conf (4.72.2) is correct.
Checking for SpamAssassin errors (if you use it)...
SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp
SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
Using locktype = posix
MailScanner.conf says "Virus Scanners = kaspersky-4.5 avg clamavmodule"
Found these virus scanners installed: clamavmodule, kaspersky-4.5, f-protd-6, f-secure, avg
===========================================================================
Filename Checks: (1 eicar.com)
Filetype Checks: Allowing 1 eicar.com
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
/var/spool/MailScanner/incoming/23006/1/eicar.com INFECTED EICAR-Test-File
Virus Scanning: Kaspersky found 1 infections
Avg: Virus identified EICAR_Test in eicar.com
Virus Scanning: Avg found 1 infections
ClamAVModule::INFECTED:: Eicar-Test-Signature:: ./1/
ClamAVModule::INFECTED:: Eicar-Test-Signature:: ./1/eicar.com
Virus Scanning: ClamAVModule found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
===========================================================================
Virus Scanner test reports:
Kaspersky said "/var/spool/MailScanner/incoming/23006/1/eicar.com INFECTED EICAR-Test-File"
Avg said "Found virus EICAR_Test in file eicar.com"
ClamAVModule said "eicar.com was infected: Eicar-Test-Signature"

If any of your virus scanners (clamavmodule,kaspersky-4.5,f-protd-6,f-secure,avg) are not listed there, you should check that they are installed correctly and that MailScanner is finding them correctly via its virus.scanners.conf.
Config: calling custom end function MailWatchLogging

Am I missing something in clamd.conf or freshclam.conf?

/Jan Elmqvist Nielsen From andrew at gdcon.net Tue Sep 30 12:48:11 2008
From: andrew at gdcon.net (Andrew MacLachlan) Date: Tue Sep 30 12:48:29 2008 Subject: Way OT: Cat Names In-Reply-To: <48E206D7.7000508@clh.org.uk> References: <48E1EC7F.8080707@invictawiz.com> <48E1F743.20804@gdcon.net> <48E206D7.7000508@clh.org.uk> Message-ID: <48E211FB.5070302@gdcon.net> Chris Hardy wrote: > Andrew MacLachlan wrote: >> Bill & Linus? >> >> -Andy >> > I like that, but would he end up showing favouritism to Linus? :) > > My choice has gotta be Slack and Ware :) > > C > Maybe Alan (Turing) and Charles (Babbage) then? -Andy From raubvogel at gmail.com Tue Sep 30 13:50:34 2008 From: raubvogel at gmail.com (Mauricio Tavares) Date: Tue Sep 30 13:50:47 2008 Subject: Way OT: Cat Names In-Reply-To: <48E206D7.7000508@clh.org.uk> References: <48E1EC7F.8080707@invictawiz.com> <48E1F743.20804@gdcon.net> <48E206D7.7000508@clh.org.uk> Message-ID: <48E2209A.9000700@gmail.com> Chris Hardy wrote: > Andrew MacLachlan wrote: >> Bill & Linus? >> >> -Andy >> > I like that, but would he end up showing favouritism to Linus? :) > > My choice has gotta be Slack and Ware :) > ubuntu and gentoo and maybe freebsd because each camp can be rather rabid From dstraka at caspercollege.edu Tue Sep 30 15:14:45 2008 From: dstraka at caspercollege.edu (Daniel Straka) Date: Tue Sep 30 15:15:39 2008 Subject: Users sending password protected attachments aren't notified Message-ID: <48E1DFF5.61A4.0000.0@caspercollege.edu> Is there a way to configure MailScanner to notify the sender of a password protected attachment that it was not accepted and the recipient never received it? MailScanner v4.69.9, Sophos AV -- Dan Straka Systems Coordinator Casper College 307.268.2399 www.caspercollege.edu ( http://www.caspercollege.edu/ ) From MailScanner at ecs.soton.ac.uk Tue Sep 30 15:35:37 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Sep 30 15:35:58 2008 Subject: Users sending password protected attachments aren't notified In-Reply-To: References: Message-ID: <48E23939.7080600@ecs.soton.ac.uk> The setting Notify Senders Of Other Blocked Content = yes should do the trick. Daniel Straka wrote: > Is there a way to configure MailScanner to notify the sender of a password protected attachment that it was not accepted and the recipient never received it? MailScanner v4.69.9, Sophos AV > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ram at netcore.co.in Tue Sep 30 16:01:03 2008 From: ram at netcore.co.in (ram) Date: Tue Sep 30 16:01:25 2008 Subject: Customizing Spamassin use according to recipients Message-ID: <1222786863.18634.99.camel@darkstar.netcore.co.in> I want to evaluate some spamassassin rules only when the mail is marked for some recipients Can I do this ? I don't mind changing a little bit of the src if that is required Thanks Ram From alex at rtpty.com Tue Sep 30 16:14:09 2008
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Tue Sep 30 16:14:23 2008 Subject: Customizing Spamassin use according to recipients In-Reply-To: <1222786863.18634.99.camel@darkstar.netcore.co.in> References: <1222786863.18634.99.camel@darkstar.netcore.co.in> Message-ID: <220E4A4F-4BB6-4EFC-96D1-4715D5A644D4@rtpty.com> If you don't separate the recipients at the MTA you might run into situations where two users (one with the special rules, one without) receive an e-mail. On Sep 30, 2008, at 10:01 AM, ram wrote: > only when the mail is marked > for some recipients From jvoorhees1 at gmail.com Tue Sep 30 16:12:09 2008 From: jvoorhees1 at gmail.com (Jason Voorhees) Date: Tue Sep 30 16:15:17 2008 Subject: MCP doesn't work anymore Message-ID: <48E241C9.9060401@gmail.com> Hi all: I'm running MailScanner 4.71.10 and I have a custom MCP rule in /etc/MailScanner/mcp/20_publicidad.cf to block emails containing "publicidad" in the Subject. That MCP rule was working without problems but today it suddenly stopped working. I can see too many emails containing "publicidad" that are not being matched by the MCP rule. I had similar problems with MailScanner package provided by Debian Etch 4.0r3. Is there a way to know why MCP isn't working? Can I do some manual test to check if my MailScanner configuration is fine? MailScanner --lint doesn't show any errors related to MCP nor SpamAssassin :( Thanks, bytes :) From support-lists at petdoctors.co.uk Tue Sep 30 16:27:08 2008 From: support-lists at petdoctors.co.uk (Nigel Kendrick) Date: Tue Sep 30 16:27:28 2008 Subject: Way OT: Cat Names In-Reply-To: <48E2209A.9000700@gmail.com> References: <48E1EC7F.8080707@invictawiz.com> <48E1F743.20804@gdcon.net><48E206D7.7000508@clh.org.uk> <48E2209A.9000700@gmail.com> Message-ID: vi and emacs yowl..spit spit spit.. From dstraka at caspercollege.edu Tue Sep 30 16:36:18 2008 
From: dstraka at caspercollege.edu (Daniel Straka) Date: Tue Sep 30 16:37:04 2008 Subject: Users sending password protected attachments aren't notified In-Reply-To: <48E23939.7080600@ecs.soton.ac.uk> References: <48E23939.7080600@ecs.soton.ac.uk> Message-ID: <48E1F311.61A4.0000.0@caspercollege.edu> Thanks for the suggestion Jules but that is my current setting already and "Notify Senders = yes" also. Senders are notified a message is too big. There must be another tweak to do but I'm not finding it. >>> On 9/30/2008 at 8:35 AM, in message <48E23939.7080600@ecs.soton.ac.uk>, Julian Field wrote: > The setting > Notify Senders Of Other Blocked Content = yes > should do the trick. > > Daniel Straka wrote: >> Is there a way to configure MailScanner to notify the sender of a password > protected attachment that it was not accepted and the recipient never > received it? MailScanner v4.69.9, Sophos AV >> >> > > Jules From rgreen at trayerproducts.com Tue Sep 30 16:40:21 2008 From: rgreen at trayerproducts.com (Rodney Green) Date: Tue Sep 30 16:40:43 2008 Subject: Way OT: Cat Names In-Reply-To: References: Message-ID: <48E24865.8040702@trayerproducts.com> On 9/30/2008 12:58 AM, Alex Neuman van der Hans wrote: > * File & Print > * TRON & CLU > * while and for > * gid & uid > * slash and dot > * patches and updates > * picard & riker > * (if both females) rose & martha > * doctor & master > * head & tail > * man & info > > Just off the top of my head... > Kernel & Patch From alex at rtpty.com Tue Sep 30 16:52:01 2008
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Tue Sep 30 16:52:13 2008 Subject: Users sending password protected attachments aren't notified In-Reply-To: <48E1F311.61A4.0000.0@caspercollege.edu> References: <48E23939.7080600@ecs.soton.ac.uk> <48E1F311.61A4.0000.0@caspercollege.edu> Message-ID: <442BC63E-1A52-470F-BEF1-71887402412B@rtpty.com> Perhaps the message is too big *as well as* encrypted. On Sep 30, 2008, at 10:36 AM, Daniel Straka wrote: > Senders are notified a message is too big From alex at rtpty.com Tue Sep 30 16:53:36 2008 From: alex at rtpty.com (Alex Neuman van der Hans) Date: Tue Sep 30 16:53:50 2008 Subject: Way OT: Cat Names In-Reply-To: <48E24865.8040702@trayerproducts.com> References: <48E24865.8040702@trayerproducts.com> Message-ID: Plug & Pray? Fire & Forget? Bangers & Mash? By and Large? Pump & Dump? Rockem & Sockem? Ball & Chain? Speak & Spell? On Sep 30, 2008, at 10:40 AM, Rodney Green wrote: > Kernel & Patch From MailScanner at ecs.soton.ac.uk Tue Sep 30 16:55:23 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Sep 30 16:56:30 2008 Subject: Customizing Spamassin use according to recipients In-Reply-To: References: Message-ID: <48E24BEB.30209@ecs.soton.ac.uk> Read up on the "SpamAssassin Rule Actions" setting in MailScanner.conf. You can use a ruleset with that, and it will make specific SpamAssassin rules cause specific actions, only when particular people or groups of people get the message. You can make the SpamAssassin rules in there be meta-rules, which are expressions combining other SpamAssassin rules. So you can say things like "if the message is for this user, and this rule and that rule both fire, then do this action" and complex setups like that. ram wrote: > I want to evaluate some spamassassin rules only when the mail is marked > for some recipients > > Can I do this ? I don't mind changing a little bit of the src if that is > required > > > Thanks > Ram > > > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Tue Sep 30 16:55:54 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Sep 30 16:56:38 2008 Subject: MCP doesn't work anymore In-Reply-To: References: Message-ID: <48E24C0A.5080803@ecs.soton.ac.uk> So what did you change that broke it? Jason Voorhees wrote: > Hi all: > > I'm running MailScanner 4.71.10 and I have a custom MCP rule in > /etc/MailScanner/mcp/20_publicidad.cf to block emails containing > "publicidad" in the Subject. > That MCP rule was working without problems but today it suddenly > stopped working. I can see too many emails containing "publicidad" > that are not being matched by the MCP rule. > > I had similar problems with MailScanner package provided by Debian > Etch 4.0r3. > > Is there a way to know why MCP isn't working? Can I do some manual > test to check if my MailScanner configuration is fine? > > MailScanner --lint doesn't show any errors related to MCP nor > SpamAssassin :( > > Thanks, bytes :) Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From dstraka at caspercollege.edu Tue Sep 30 17:15:37 2008 
From: dstraka at caspercollege.edu (Daniel Straka) Date: Tue Sep 30 17:16:07 2008 Subject: Users sending password protected attachments aren't notified In-Reply-To: <442BC63E-1A52-470F-BEF1-71887402412B@rtpty.com> References: <48E23939.7080600@ecs.soton.ac.uk> <48E1F311.61A4.0000.0@caspercollege.edu> <442BC63E-1A52-470F-BEF1-71887402412B@rtpty.com> Message-ID: <48E1FC48.61A4.0000.0@caspercollege.edu> Sorry if I was misleading Alex, but that's not the case. >>> On 9/30/2008 at 9:52 AM, in message <442BC63E-1A52-470F-BEF1-71887402412B@rtpty.com>, Alex Neuman van der Hans wrote: > Perhaps the message is too big *as well as* encrypted. > On Sep 30, 2008, at 10:36 AM, Daniel Straka wrote: > >> Senders are notified a message is too big From alex at rtpty.com Tue Sep 30 17:17:38 2008 From: alex at rtpty.com (Alex Neuman van der Hans) Date: Tue Sep 30 17:17:53 2008 Subject: MCP doesn't work anymore In-Reply-To: <48E24C0A.5080803@ecs.soton.ac.uk> References: <48E24C0A.5080803@ecs.soton.ac.uk> Message-ID: <94C55C00-50D8-4F02-BD44-FCB1B62CA430@rtpty.com> What does that rule say? Do the e-mails with "publicidad" come to an address that's explicitly denied from being scanned by MCP? A compromised form on a webserver + a 'don't use MCP' that includes the webserver's IP address could do this. A "From:" that uses an easily-spoofable domain could do this as well. On Sep 30, 2008, at 10:55 AM, Julian Field wrote: >> I'm running MailScanner 4.71.10 and I have a custom MCP rule in / >> etc/MailScanner/mcp/20_publicidad.cf to block emails containing >> "publicidad" in the Subject. > From ms-list at alexb.ch Tue Sep 30 17:18:18 2008
From: ms-list at alexb.ch (Alex Broens) Date: Tue Sep 30 17:18:30 2008 Subject: mcr - In-Reply-To: <1222786863.18634.99.camel@darkstar.netcore.co.in> References: <1222786863.18634.99.camel@darkstar.netcore.co.in> Message-ID: <48E2514A.2060705@alexb.ch> On 9/30/2008 5:01 PM, ram wrote: > I want to evaluate some spamassassin rules only when the mail is marked > for some recipients > > Can I do this ? I don't mind changing a little bit of the src if that is > required if "marked" means sent To some recipients: With SA:

# sub-rule: message is addressed (To/Cc) to one of the chosen recipients
header __TO_TESTUSER ToCC: =~ /(?:testuser1|testuser2)\@example\.com/
# sub-rule: body contains the string to test for
body __STRING_TO_TEST /catch me/
# scored rule: fires only when both sub-rules match
meta TEST_RULE_TO_USERS12 (__TO_TESTUSER && __STRING_TO_TEST)
score TEST_RULE_TO_USERS12 1.0

is this what you are looking for? Alex From ms-list at alexb.ch Tue Sep 30 17:34:37 2008 From: ms-list at alexb.ch (Alex Broens) Date: Tue Sep 30 17:34:53 2008 Subject: Customizing Spamassin use according to recipients In-Reply-To: <1222786863.18634.99.camel@darkstar.netcore.co.in> References: <1222786863.18634.99.camel@darkstar.netcore.co.in> Message-ID: <48E2551D.4070901@alexb.ch> Apologize for the Subject faux pas Had a dumb key cut on TB's Quicktext On 9/30/2008 5:01 PM, ram wrote: > I want to evaluate some spamassassin rules only when the mail is marked > for some recipients > > Can I do this ? I don't mind changing a little bit of the src if that is > required > if "marked" means sent To some recipients: With SA:

# sub-rule: message is addressed (To/Cc) to one of the chosen recipients
header __TO_TESTUSER ToCC: =~ /(?:testuser1|testuser2)\@example\.com/
# sub-rule: body contains the string to test for
body __STRING_TO_TEST /catch me/
# scored rule: fires only when both sub-rules match
meta TEST_RULE_TO_USERS12 (__TO_TESTUSER && __STRING_TO_TEST)
score TEST_RULE_TO_USERS12 1.0

is this what you are looking for? Alex From jvoorhees1 at gmail.com Tue Sep 30 17:42:46 2008
From: jvoorhees1 at gmail.com (Jason Voorhees) Date: Tue Sep 30 17:45:57 2008 Subject: MCP doesn't work anymore In-Reply-To: <48E24C0A.5080803@ecs.soton.ac.uk> References: <48E24C0A.5080803@ecs.soton.ac.uk> Message-ID: <48E25706.8060600@gmail.com> I changed a rule in 20_publicidad.cf that was different from the "publicidad" one. I deleted the last modification and MCP worked again. I'll check my rules again, but I still would like to know if MCP is failing because of bad rule syntax. Must I enable debug mode or something similar in MailScanner to find this kind of error? Julian Field wrote: > So what did you change that broke it? > > Jason Voorhees wrote: >> Hi all: >> >> I'm running MailScanner 4.71.10 and I have a custom MCP rule in >> /etc/MailScanner/mcp/20_publicidad.cf to block emails containing >> "publicidad" in the Subject. >> That MCP rule was working without problems but today it suddenly >> stopped working. I can see too many emails containing "publicidad" >> that are not being matched by the MCP rule. >> >> I had similar problems with MailScanner package provided by Debian >> Etch 4.0r3. >> >> Is there a way to know why MCP isn't working? Can I do some manual >> test to check if my MailScanner configuration is fine? >> >> MailScanner --lint doesn't show any errors related to MCP nor >> SpamAssassin :( >> >> Thanks, bytes :) > > Jules > From dstraka at caspercollege.edu Tue Sep 30 18:36:39 2008
From: dstraka at caspercollege.edu (Daniel Straka) Date: Tue Sep 30 18:39:10 2008 Subject: How Do You Use Spam from GroupWise for sa-learn Message-ID: <48E20F46.61A4.0000.0@caspercollege.edu> My email system is GroupWise 7. I'd like to use sa-learn and feed it spam from a GroupWise folder. Can anyone tell me how they're getting the spam from GW into a folder on the MS/SA linux box for the sa-learn process? Thanks, -- Dan Straka Systems Coordinator Casper College 307.268.2399 www.caspercollege.edu ( http://www.caspercollege.edu/ ) From martinh at solidstatelogic.com Tue Sep 30 18:53:15 2008 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Tue Sep 30 18:47:18 2008 Subject: How Do You Use Spam from GroupWise for sa-learn Message-ID: You need an imap folder that a perl script on the ms box can connect to. Can groupwise provide such folders? -- martin -----Original Message----- 
From: Daniel Straka Sent: 30 September 2008 18:44 To: mailscanner@lists.mailscanner.info Subject: How Do You Use Spam from GroupWise for sa-learn My email system is GroupWise 7. I'd like to use sa-learn and feed it spam from a GroupWise folder. Can anyone tell me how they're getting the spam from GW into a folder on the MS/SA linux box for the sa-learn process? Thanks, -- Dan Straka Systems Coordinator Casper College 307.268.2399 www.caspercollege.edu ( http://www.caspercollege.edu/ )
From alex at rtpty.com Tue Sep 30 18:48:48 2008 From: alex at rtpty.com (Alex Neuman van der Hans) Date: Tue Sep 30 18:49:04 2008 Subject: How Do You Use Spam from GroupWise for sa-learn In-Reply-To: <48E20F46.61A4.0000.0@caspercollege.edu> References: <48E20F46.61A4.0000.0@caspercollege.edu> Message-ID: <773390AF-39F0-4CF9-A5F1-2805ACB419E2@rtpty.com> Does GroupWise support IMAP access? On Sep 30, 2008, at 12:36 PM, Daniel Straka wrote: > My email system is GroupWise 7. I'd like to use sa-learn and feed it > spam from a GroupWise folder. Can anyone tell me how they're getting > the spam from GW into a folder on the MS/SA linux box for the sa- > learn process? > > Thanks, > -- > > Dan Straka > Systems Coordinator > Casper College > 307.268.2399 > www.caspercollege.edu ( http://www.caspercollege.edu/ ) From dstraka at caspercollege.edu Tue Sep 30 18:53:32 2008 From: dstraka at caspercollege.edu (Daniel Straka) Date: Tue Sep 30 18:54:09 2008 Subject: How Do You Use Spam from GroupWise for sa-learn In-Reply-To: <773390AF-39F0-4CF9-A5F1-2805ACB419E2@rtpty.com> References: <48E20F46.61A4.0000.0@caspercollege.edu> <773390AF-39F0-4CF9-A5F1-2805ACB419E2@rtpty.com> Message-ID: <48E2133B.61A4.0000.0@caspercollege.edu> >>> On 9/30/2008 at 11:48 AM, in message <773390AF-39F0-4CF9-A5F1-2805ACB419E2@rtpty.com>, Alex Neuman van der Hans wrote: > Does GroupWise support IMAP access? Yep From alex at rtpty.com Tue Sep 30 19:01:08 2008
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Tue Sep 30 19:01:23 2008 Subject: How Do You Use Spam from GroupWise for sa-learn In-Reply-To: <48E2133B.61A4.0000.0@caspercollege.edu> References: <48E20F46.61A4.0000.0@caspercollege.edu> <773390AF-39F0-4CF9-A5F1-2805ACB419E2@rtpty.com> <48E2133B.61A4.0000.0@caspercollege.edu> Message-ID: Well there you go then! ;-) On Sep 30, 2008, at 12:53 PM, Daniel Straka wrote: >>>> On 9/30/2008 at 11:48 AM, in message > <773390AF-39F0-4CF9-A5F1-2805ACB419E2@rtpty.com>, Alex Neuman van > der Hans > wrote: >> Does GroupWise support IMAP access? > > Yep > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From glenn.steen at gmail.com Tue Sep 30 19:10:52 2008 
From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Sep 30 19:11:03 2008 Subject: MailScanner --lint In-Reply-To: <48E1E616.8080805@ecs.soton.ac.uk> References: <48E1E616.8080805@ecs.soton.ac.uk> Message-ID: <223f97700809301110y43ece6cagc508cb2775ec43d@mail.gmail.com> 2008/9/30 Julian Field : > MailScanner --lint &> /tmp/logoutput.txt > Assuming bash, yes. Try that on ksh or similar... The perhaps more portable way would be "MailScanner --lint > /tmp/logoutput.txt 2>&1" ... :-). > Ray Jette wrote: >> >> I am running MailScanner --lint to look for problems. The output of this >> command does not fit on the screen. I am trying to save this to a text >> file for review. The command sudo MailScanner --lint > log.txt did not >> work. >> I believe this did not work because I need to redirect stderr. Is this >> correct? I have been doing some research and have tried to redirect this >> a few different ways but have not been able to get it working. >> >> Does anyone have any ideas on how to do this? >> Thanks in advance, >> Ray Jette >> > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Tue Sep 30 19:14:36 2008
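Added example, not part of the original posts: the MailScanner --lint thread above is about getting both stdout and stderr into one log file, and with POSIX redirections the order in which they are written decides what lands in the file. The sketch uses a hypothetical stand-in function, fake_lint, with constructed output lines in place of the real command, and a scratch file in place of the terminal.

```shell
#!/bin/sh
# Stand-in for "MailScanner --lint" (hypothetical; constructed sample lines):
# two lines go to stdout, two to stderr.
fake_lint() {
    echo "Checking version numbers..."
    echo "constructed warning line" >&2
    echo "SpamAssassin reported no errors."
    echo "constructed error line" >&2
}

# Print the number of lines in a file, without wc's padding.
count_lines() {
    wc -l < "$1" | tr -d ' '
}

# run_case MODE: run fake_lint with one redirection style and report how many
# lines reached the log file and how many escaped it (i.e. would have gone to
# the terminal). The outer braces play the terminal: whatever the inner
# redirection does not send to $file ends up in $escaped.
run_case() {
    mode=$1
    file=$(mktemp) || return 1
    escaped=$(mktemp) || return 1
    {
        case $mode in
            # stdout only: stderr is untouched and still goes to the terminal.
            stdout_only) fake_lint > "$file" ;;
            # 2>&1 first: stderr is pointed at the *current* stdout (the
            # terminal); only afterwards is stdout moved to the file.
            reversed)    fake_lint 2>&1 > "$file" ;;
            # Portable form: move stdout to the file, then make stderr a copy
            # of it. bash's "&> file" is shorthand for this; a shell without
            # that extension (dash, for example) reads "cmd &> file" as
            # "run cmd in the background, then truncate file".
            portable)    fake_lint > "$file" 2>&1 ;;
            # Pipe form: both streams go down the pipe and tee writes the file.
            tee)         fake_lint 2>&1 | tee "$file" > /dev/null ;;
            *)           echo "unknown mode: $mode" >&2 ;;
        esac
    } > "$escaped" 2>&1
    echo "file=$(count_lines "$file") escaped=$(count_lines "$escaped")"
    rm -f "$file" "$escaped"
}

# Show all four styles side by side.
for m in stdout_only reversed portable tee; do
    printf '%-12s %s\n' "$m" "$(run_case "$m")"
done
```

Only the portable and tee forms put all four lines in the file; the other two leave the stderr lines on the terminal.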
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Sep 30 19:14:46 2008
Subject: MIME-tools 5.427
In-Reply-To: <3BF93070B3D1B047BA7ABF612958950D02CF67F4@hcex.hartwellcorp.com>
References: <48E1483A.2050509@ecs.soton.ac.uk> <3BF93070B3D1B047BA7ABF612958950D02CF67F4@hcex.hartwellcorp.com>
Message-ID: <223f97700809301114p48f127d2lf58dee56317f78da@mail.gmail.com>

2008/9/29 Michael St. Laurent :
> If you're going for unix command names how about cat? ;)
>
Since cat likely is the C/A/T, they should be troff and nroff, of
course...:-)

>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field
>> Sent: Monday, September 29, 2008 2:27 PM
>> To: MailScanner discussion
>> Subject: MIME-tools 5.427
>>
>> Please can a few people upgrade their MIME-tools Perl module to the
>> latest 5.427 as provided here:
>> http://search.cpan.org/CPAN/authors/id/D/DO/DONEILL/MIME-tools-5.427.tar.gz
>> and just check for me that everything still works okay.
>>
>> If it does, I'm going to upgrade to it in the main distribution.
>>
>> Thanks folks!
>>
>> P.S. Trying to choose cat names at the moment -- need two. Current
>> favourites are Cisco, Root, Tarball. They are both boys. Any preferences
>> or other suggestions are most welcome. You've got till the end of
>> Wednesday to come up with ideas and votes. Get your thinking hats on! :-)
>>
>> Jules
>>
>> --
>> Julian Field MEng CITP CEng
>> www.MailScanner.info
>> Buy the MailScanner book at www.MailScanner.info/store
>>
>> MailScanner customisation, or any advanced system administration help?
>> Contact me at Jules@Jules.FM
>>
>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>> PGP public key: http://www.jules.fm/julesfm.asc

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Tue Sep 30 19:19:13 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Sep 30 19:19:22 2008
Subject: MIME-tools 5.427
In-Reply-To: <48E1C0A6.2050209@vanderkooij.org>
References: <48E1483A.2050509@ecs.soton.ac.uk> <48E1C0A6.2050209@vanderkooij.org>
Message-ID: <223f97700809301119j1ff04993n7605793acd7e99a8@mail.gmail.com>

2008/9/30 Hugo van der Kooij :
> -----BEGIN PGP SIGNED MESSAGE-----
(snip)
> Hugo.
>
> PS: Cats usually do not listen to names. But are MS people in general
> cat people? If so, it might explain some reaction in the past on this
> mailinglist. They were more the dog type of people ;-)
>
Being called names and listening to them (or even reacting) isn't
exactly the same thing, now is it?:-)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From alex at rtpty.com Tue Sep 30 19:24:06 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Tue Sep 30 19:24:21 2008
Subject: MIME-tools 5.427
In-Reply-To: <223f97700809301114p48f127d2lf58dee56317f78da@mail.gmail.com>
References: <48E1483A.2050509@ecs.soton.ac.uk> <3BF93070B3D1B047BA7ABF612958950D02CF67F4@hcex.hartwellcorp.com> <223f97700809301114p48f127d2lf58dee56317f78da@mail.gmail.com>
Message-ID: <0A98AB33-DEE4-4AAF-9A62-97CA1F11944E@rtpty.com>

Funny, they both sound like a cat passing a hairball! :D

On Sep 30, 2008, at 1:14 PM, Glenn Steen wrote:

> Since cat likely is the C/A/T, they should be troff and nroff, of
> course...:-)

From martinh at solidstatelogic.com Tue Sep 30 19:45:04 2008
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Tue Sep 30 19:39:28 2008
Subject: How Do You Use Spam from GroupWise for sa-learn
Message-ID:

Daniel

A search for "sa-learn imap perl script" should get you started then, if
not I'll pop something onto the wiki tomorrow.

--
martin

-----Original Message-----
From: Daniel Straka
Sent: 30 September 2008 19:00
To: MailScanner discussion
Subject: Re: How Do You Use Spam from GroupWise for sa-learn

>>> On 9/30/2008 at 11:48 AM, in message
<773390AF-39F0-4CF9-A5F1-2805ACB419E2@rtpty.com>, Alex Neuman van der Hans wrote:
> Does GroupWise support IMAP access?

Yep

From alex at rtpty.com Tue Sep 30 19:46:14 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Tue Sep 30 19:46:30 2008
Subject: Weird Brazilian E-mail
Message-ID: <7192457D-D9FF-45CF-A77D-2F8C7B80518A@rtpty.com>

Did everyone just get a message from a certain "william" from Brazil
saying "I'm not here", in reply to a list message about MIME-tools?

From axisml at gmail.com Tue Sep 30 19:50:39 2008
From: axisml at gmail.com (Chris Stone)
Date: Tue Sep 30 19:50:47 2008
Subject: MailScanner 4.72.2-1 and clamavmodule
In-Reply-To: <6FEBCA03F26F344484341AC71B6669D1649B536F99@nhsmail01.nhs.local>
References: <1222734227.27091.2.camel@laptop> <200809301102.24094.gcle@smcaus.com.au> <1222737501.27091.6.camel@laptop> <6FEBCA03F26F344484341AC71B6669D1649B536F99@nhsmail01.nhs.local>
Message-ID: <3047fef10809301150t7925d695j836872629b01cf2a@mail.gmail.com>

On Tue, Sep 30, 2008 at 5:22 AM, Jan Elmqvist Nielsen wrote:
> I have used install-Clam-0.94-SA-3.2.5
>
> Clamavmodule doesn't report
> ClamAVModule::INFECTED:: Trojan.Agent-52097:: ./m8UAsTP2019721/
> in maillog
>
> Only
> Virus Scanning: ClamAVModule found 1 infections

I've seen, for a couple of versions now, where even without
ClamAVModule installed and everything configured to use clamd, in my
maillog, I get some:

Sep 30 11:47:47 smtp1 MailScanner[23822]: ClamAVModule::INFECTED:: MSRBL-Images.0-0-wxYz.UNOFFICIAL :: ./m8UHfhwq002699/49266_44444.jpg
Sep 30 11:49:49 smtp1 MailScanner[22866]: ClamAVModule::INFECTED:: Email.Malware.Sanesecurity.08022212.UNOFFICIAL FOUND :: ./m8UHhpO7003361/
Sep 30 11:50:22 smtp1 MailScanner[25396]: ClamAVModule::INFECTED:: Html.Phishing.Bank.SenetAxis.20080924002.UNOFFICIAL FOUND :: ./m8UHciOX001987/
Sep 30 11:50:22 smtp1 MailScanner[25396]: ClamAVModule::INFECTED:: Html.Phishing.Bank.SenetAxis.20080924002.UNOFFICIAL :: ./m8UHciOX001987/msg-25396-274.html

Most of the viruses found reference Clamd. Don't know if this might be
related to your problem. Your --lint does show you have ClamAVModule
installed, so if you want to use just clamd, then try removing
ClamAVModule and setting MailScanner.conf to use clamd.

My --lint:

[root@smtp1 root]# MailScanner --lint
Trying to setlogsock(unix)
Config: calling custom init function SQLSpamScores
Read 5 Spam entries
Config: calling custom init function SQLBlacklist
Starting up SQL Blacklist
Read 321 blacklist entries
Config: calling custom init function MailWatchLogging
Started SQL Logging child
Config: calling custom init function SQLNoScan
Read 3 No Spam Scan entries
Config: calling custom init function SQLHighSpamScores
Read 7 high Spam entries
Config: calling custom init function SQLWhitelist
Starting up SQL Whitelist
Read 880 whitelist entries
Checking version numbers...
Version number in MailScanner.conf (4.70.6) is correct.

Your envelope_sender_header in spam.assassin.prefs.conf is correct.

Checking for SpamAssassin errors (if you use it)...
SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp
SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
Using locktype = posix
MailScanner.conf says "Virus Scanners = clamd"
Found these virus scanners installed: clamd
===========================================================================
Virus and Content Scanning: Starting
ClamAVModule::INFECTED:: Eicar-Test-Signature FOUND :: ./1/
ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Virus Scanning: Clamd found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
Filename Checks: (1 eicar.com)
Other Checks: Found 1 problems
===========================================================================
Virus Scanner test reports:
Clamd said "eicar.com was infected: Eicar-Test-Signature"

If any of your virus scanners (clamd)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its virus.scanners.conf.
Config: calling custom end function SQLSpamScores
Closing down SQL Spam Scores
Config: calling custom end function SQLBlacklist
Closing down by-domain spam blacklist
Config: calling custom end function MailWatchLogging
Config: calling custom end function SQLNoScan
Closing down SQL No Scan
Config: calling custom end function SQLHighSpamScores
Closing down SQL High Spam Scores
Config: calling custom end function SQLWhitelist
Closing down by-domain spam whitelist

From glenn.steen at gmail.com Tue Sep 30 19:56:03 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Sep 30 19:56:12 2008
Subject: MIME-tools 5.427
In-Reply-To: <0A98AB33-DEE4-4AAF-9A62-97CA1F11944E@rtpty.com>
References: <48E1483A.2050509@ecs.soton.ac.uk> <3BF93070B3D1B047BA7ABF612958950D02CF67F4@hcex.hartwellcorp.com> <223f97700809301114p48f127d2lf58dee56317f78da@mail.gmail.com> <0A98AB33-DEE4-4AAF-9A62-97CA1F11944E@rtpty.com>
Message-ID: <223f97700809301156k324515b2r527c5325a75abe1@mail.gmail.com>

2008/9/30 Alex Neuman van der Hans :
> Funny, they both sound like a cat passing a hairball! :D

Look a bit like it too ... Abominations, both... Not that a typesetter
usually passes hairballs, more likely the one using them will eventually
have kittens... (Hm, I'm breaking a rule here, trying to be pun-ish in a
(to me:) foreign language...).

> On Sep 30, 2008, at 1:14 PM, Glenn Steen wrote:
>
>> Since cat likely is the C/A/T, they should be troff and nroff, of
>> course...:-)
>

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From campbell at cnpapers.com Tue Sep 30 19:56:22 2008
From: campbell at cnpapers.com (Steve Campbell)
Date: Tue Sep 30 19:56:37 2008
Subject: Weird Brazilian E-mail
In-Reply-To: <7192457D-D9FF-45CF-A77D-2F8C7B80518A@rtpty.com>
References: <7192457D-D9FF-45CF-A77D-2F8C7B80518A@rtpty.com>
Message-ID: <48E27656.4060101@cnpapers.com>

I've received four of them already. Hope you don't feel slighted if you
only got one :-)

Thanks for the translation, though. I couldn't find it anywhere.

Steve Campbell

Alex Neuman van der Hans wrote:
> Did everyone just get a message from a certain "william" from Brazil
> saying "I'm not here", in reply to a list message about MIME-tools?

From alex at rtpty.com Tue Sep 30 20:04:00 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Tue Sep 30 20:04:15 2008
Subject: Weird Brazilian E-mail
In-Reply-To: <48E27656.4060101@cnpapers.com>
References: <7192457D-D9FF-45CF-A77D-2F8C7B80518A@rtpty.com> <48E27656.4060101@cnpapers.com>
Message-ID: <8928A664-DF86-4ADD-B3E4-51CD0E3E9883@rtpty.com>

That's probably because you post more than I do! ;-)

It's probably a misfiring vacation message.

On Sep 30, 2008, at 1:56 PM, Steve Campbell wrote:

> I've received four of them already. Hope you don't feel slighted if
> you only got one :-)
>
> Thanks for the translation, though. I couldn't find it anywhere.
>
>
> Steve Campbell
>
> Alex Neuman van der Hans wrote:
>> Did everyone just get a message from a certain "william" from
>> Brazil saying "I'm not here", in reply to a list message about
>> MIME-tools?

From mkercher at nfsmith.com Tue Sep 30 20:08:03 2008
From: mkercher at nfsmith.com (Mike Kercher)
Date: Tue Sep 30 20:08:42 2008
Subject: Weird Brazilian E-mail
In-Reply-To: <7192457D-D9FF-45CF-A77D-2F8C7B80518A@rtpty.com>
References: <7192457D-D9FF-45CF-A77D-2F8C7B80518A@rtpty.com>
Message-ID: <224FA7E11EA39E45843E11CEBBD3A36FFADEBF@HOUPEX01.nfsmith.info>

I got one in reply to a different topic

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Neuman van der Hans
Sent: Tuesday, September 30, 2008 13:46
To: MailScanner discussion
Subject: Weird Brazilian E-mail

Did everyone just get a message from a certain "william" from Brazil
saying "I'm not here", in reply to a list message about MIME-tools?

From jvoorhees1 at gmail.com Tue Sep 30 21:00:58 2008
From: jvoorhees1 at gmail.com (Jason Voorhees)
Date: Tue Sep 30 21:04:09 2008
Subject: How Do You Use Spam from GroupWise for sa-learn
In-Reply-To: <48E20F46.61A4.0000.0@caspercollege.edu>
References: <48E20F46.61A4.0000.0@caspercollege.edu>
Message-ID: <48E2857A.5020309@gmail.com>

Hi:

You can run something like this:

$ fetchmail --all --keep --proto IMAP -u IMAP-USER -n -m 'sa-learn --spam' MAILSERVER-IP-ADDRESS

Don't forget the --keep option if you don't want to delete all the
contents of the IMAP folder containing spam.

Bytes!

Daniel Straka wrote:
> My email system is GroupWise 7. I'd like to use sa-learn and feed it
> spam from a GroupWise folder. Can anyone tell me how they're getting
> the spam from GW into a folder on the MS/SA linux box for the sa-learn
> process?
>
> Thanks,

From alex at rtpty.com Tue Sep 30 21:32:45 2008
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Tue Sep 30 21:32:59 2008
Subject: How Do You Use Spam from GroupWise for sa-learn
In-Reply-To: <48E2857A.5020309@gmail.com>
References: <48E20F46.61A4.0000.0@caspercollege.edu> <48E2857A.5020309@gmail.com>
Message-ID: <98250F24-8FE1-406C-8312-9D3EB711CCA8@rtpty.com>

This sounds like something that should be on the WIKI. Have you tried
this on Exchange as well?

On Sep 30, 2008, at 3:00 PM, Jason Voorhees wrote:

> $ fetchmail --all --keep --proto IMAP -u IMAP-USER -n -m 'sa-learn
> --spam' MAILSERVER-IP-ADDRESS

From Kevin_Miller at ci.juneau.ak.us Tue Sep 30 21:40:38 2008
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Tue Sep 30 21:40:49 2008
Subject: Weird Brazilian E-mail
In-Reply-To: <7192457D-D9FF-45CF-A77D-2F8C7B80518A@rtpty.com>
References: <7192457D-D9FF-45CF-A77D-2F8C7B80518A@rtpty.com>
Message-ID:

Alex Neuman van der Hans wrote:
> Did everyone just get a message from a certain "william" from Brazil
> saying "I'm not here", in reply to a list message about MIME-tools?

Oh, is that what it is. I got four also. He was about a half inch away
from being added to my etc/mail/access file. Bad enough when the out of
office does a reply, but when it replies-all, man, that's pathetic...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From dstraka at caspercollege.edu Tue Sep 30 22:22:24 2008
From: dstraka at caspercollege.edu (Daniel Straka)
Date: Tue Sep 30 22:22:57 2008
Subject: Barracuda Reputation Block List (BRBL)
Message-ID: <48E2442F.61A4.0000.0@caspercollege.edu>

Does anyone know if this new BL service can be used with MailScanner?
http://www.barracudacentral.org/rbl

--
Dan Straka
Systems Coordinator
Casper College
307.268.2399
www.caspercollege.edu ( http://www.caspercollege.edu/ )

From axisml at gmail.com Tue Sep 30 23:49:38 2008
From: axisml at gmail.com (Chris)
Date: Tue Sep 30 23:49:51 2008
Subject: Barracuda Reputation Block List (BRBL)
In-Reply-To: <48E2442F.61A4.0000.0@caspercollege.edu>
References: <48E2442F.61A4.0000.0@caspercollege.edu>
Message-ID: <200809301649.38096.axisml@gmail.com>

On Tuesday 30 September 2008 3:22:24 pm Daniel Straka wrote:
> Does anyone know if this new BL service can be used with MailScanner?
> http://www.barracudacentral.org/rbl

# BarracudaCentral.org RBL
header BARRACUDA_BRBL rbleval:check_rbl('b-rbl','b.barracudacentral.org.')
describe BARRACUDA_BRBL Listed: Barracuda Reputation Block List (BRBL)
score BARRACUDA_BRBL 2.45

Chris
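
The rule in the message above scores a message 2.45 when a DNSBL lookup against b.barracudacentral.org reports a listing. The sketch below is an added example, not part of the original post and not SpamAssassin's own code; it shows how such a lookup name is built and how the answer is read. The function names, the resolver table and the sample addresses are constructed for illustration, and counting only answers inside 127.0.0.0/8 as a listing is this example's own choice.

```python
import ipaddress
import socket

BRBL_ZONE = "b.barracudacentral.org."   # zone named in the rule above
RULE_SCORE = 2.45                       # score assigned in the rule above
DNSBL_ANSWER_NET = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone=BRBL_ZONE):
    """Build the lookup name: IPv4 octets reversed, then the list's zone."""
    addr = ipaddress.ip_address(ip)          # raises ValueError on bad input
    if addr.version != 4:
        raise ValueError("this sketch handles IPv4 only")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return reversed_octets + "." + zone.rstrip(".") + "."


def system_resolver(name):
    """A records for name via the host's resolver; [] if it does not resolve.

    Lookup failures are treated as "not listed", so a DNS outage lets mail
    through unscored instead of penalising it.
    """
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def check_dnsbl(ip, zone=BRBL_ZONE, resolver=system_resolver):
    """Return (listed, answers) for ip in zone.

    A resolver that rewrites "no such name" into some web server's address
    would otherwise make every IP look listed, so answers outside
    127.0.0.0/8 are ignored.
    """
    answers = resolver(dnsbl_query_name(ip, zone))
    listed = any(ipaddress.ip_address(a) in DNSBL_ANSWER_NET for a in answers)
    return listed, answers


def score_for(ip, zone=BRBL_ZONE, resolver=system_resolver):
    """Score contribution of the rule for one relay IP."""
    listed, _answers = check_dnsbl(ip, zone, resolver)
    return RULE_SCORE if listed else 0.0


# Constructed answers so the example runs offline. 127.0.0.2 is the
# conventional DNSBL test entry; the second row imitates a resolver that
# rewrites a "no such name" reply.
FAKE_ANSWERS = {
    "2.0.0.127.b.barracudacentral.org.": ["127.0.0.2"],
    "25.100.51.198.b.barracudacentral.org.": ["203.0.113.80"],
}


def fake_resolver(name):
    return FAKE_ANSWERS.get(name, [])
```

Calling check_dnsbl() without the resolver argument sends a real DNS query through the host's configured resolver.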