From fcusack at fcusack.com Tue Dec 1 05:26:08 2009
From: fcusack at fcusack.com (Frank Cusack)
Date: Tue Dec 1 05:26:21 2009
Subject: Spam Actions store vs store-spam
Message-ID:

In "Spam Actions" what is the difference between "store" and
"store-spam"?

# store - store the message in the (spam) quarantine
# store-spam - store the message in the spam quarantine

Ordinary mail I would just put a header on but there is a special case
where I want to hold the mail in quarantine.

-frank

From fcusack at fcusack.com Tue Dec 1 05:56:37 2009
From: fcusack at fcusack.com (Frank Cusack)
Date: Tue Dec 1 05:56:51 2009
Subject: Spam Actions bounce
Message-ID: <70640AB4B0DAE2F88A4C21FB@rdf.local>

Why does "Spam Actions" have a bounce action available but "High Scoring
Spam Actions" does not? And what is the interaction with "Enable Spam
Bounce"? Does "Enable Spam Bounce" have to be yes and then also "Spam
Actions" has to be bounce to bounce a given mail? From the example
bounce.rules it doesn't seem so since there is a stern warning that the
default rule must not be yes. If both the "Enable Spam Bounce" and the
"Spam Actions" had to be on then said warning wouldn't be necessary
because merely enabling the bounce rule doesn't mean that a bounce
is sent, it just means that the Spam Actions bounce action can then take
effect. But perhaps that warning is just a scare tactic (make sure you
know what you're doing), because from the "Enable Spam Bounce" description
it does seem that both settings have to be on.

If in fact both settings have to be on in order to bounce a spam, what
happens if your only action in "Spam Actions" is bounce? Is there a
default action? What if you have bounce plus other actions? Is the
bounce action simply ignored?

I think I'd really like to have bounce capability for "High Scoring Spam
Actions" as well. I don't understand why you would limit the bounce
action to only low-scoring spam since the action itself doesn't make
sense for spam in general.

Sorry that I'm packing so many questions in here but I figure better
to get it all in one email than to do a long back and forth.

thanks
-frank

ps. the deeper i get into mailscanner the more i like it!

From fcusack at fcusack.com Tue Dec 1 06:17:32 2009
From: fcusack at fcusack.com (Frank Cusack)
Date: Tue Dec 1 06:17:43 2009
Subject: Read IP Address From Received Header
Message-ID:

Last question, I hope!

For "Read IP Address From Received Header":

# no or 0  ==> use the SMTP client address, ie. the address of the system
#              talking to the MailScanner server. This is the normal setting.
# yes or 1 ==> use the first IP address contained in the first "Received:"
#              header at the top of the email message's headers.

Since MailScanner is not itself an SMTP server, doesn't the SMTP server
on the host MailScanner is running on always add a Received: header before
MailScanner sees the mail? How would MailScanner ever see the address of
the SMTP client if it is always [at least] once-removed?

I'm using MailScanner with postfix, using the "hold" queue to pick up
new mails. Maybe there's another configuration (content_filter?) or
for other MTAs there is a way for MS to get the mail before any MTA
processing?

Since my configuration is

MX->MS->recipient

it seems like I should set this value to 2? The MX host and the MS host
both add a Received: header.

thanks again,
-frank

From fcusack at fcusack.com Tue Dec 1 06:41:40 2009
From: fcusack at fcusack.com (Frank Cusack)
Date: Tue Dec 1 06:41:52 2009
Subject: rule patterns
Message-ID: <4E0F0F45E36CE3804D45D23B@rdf.local>

OK this is definitely the last question! :)

rules/README example patterns:

      *@sub.domain.com        # Any user at 1 domain
      *@*.domain.com          # Any user at any sub-domain of "domain.com"

      host:mail.example.com   # Any hostname
      host:example.com        # Any domain name
      host:mail*.example.com  # Any hostname or domain name with wildcards

Shouldn't the first host: example say "a single hostname"? And the 2nd
say "a single domain name"? Likewise the 3rd example.

Is *@domain.com equivalent to host:domain.com? It would seem so although
since "host:" isn't really defined I'm not 100% sure it means the part
after the "@" in the email address being tested. (only 99.9% sure)

But really what I wanted to get to is that bounce.rules has:

#From:          yourcustomer.com        yes

which doesn't match any of the example patterns in README. Is bounce.rules
in error?

-frank

From ajcartmell at fonant.com Tue Dec 1 10:16:55 2009
From: ajcartmell at fonant.com (Anthony Cartmell)
Date: Tue Dec 1 10:17:07 2009
Subject: OT: PGP
In-Reply-To: <49df20710911301504m47d979abx85b00efa7d9383fd@mail.gmail.com>
References: <49df20710911301504m47d979abx85b00efa7d9383fd@mail.gmail.com>
Message-ID:

> The users are running Windows XP and Outlook 2003 connected to an
> Exchange server with MailScanner feeding it so a product with plugins
> for Outlook would be handy.

I've used GPG4Win with its Outlook plugin with a client successfully. A
little fiddly to set up (copying the keyring files between machines is
easier than trying to export/import via the UI) but the decrypt button
works nicely in Outlook (you have to open the message in its own window to
get the button, but otherwise it's easy).

HTH,

Anthony

--
www.fonant.com - Quality web sites
Fonant Ltd is registered in England and Wales, company No. 7006596
Registered office: Grafton Lodge, 15 Grafton Road, Worthing, West Sussex, BN11 1QR

From MailScanner at ecs.soton.ac.uk Tue Dec 1 12:00:24 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Dec 1 12:08:26 2009
Subject: Spam Actions store vs store-spam
In-Reply-To:
References: <4B150558.3070003@ecs.soton.ac.uk>
Message-ID:

In the "Spam Actions" I suspect the answer is no difference at all. It's
just that the list of actions is available to use in a few other places,
where there may be a difference in that stating store-spam explicitly puts
it in the spam archive and no other.

On 01/12/2009 05:26, Frank Cusack wrote:
> In "Spam Actions" what is the difference between "store" and
> "store-spam"?
>
> # store - store the message in the (spam) quarantine
> # store-spam - store the message in the spam quarantine
>
> Ordinary mail I would just put a header on but there is a special case
> where I want to hold the mail in quarantine.
>
> -frank

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From glenn.steen at gmail.com Tue Dec 1 12:39:53 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Dec 1 12:40:02 2009
Subject: MailScanner Looping? - REVISITED with more info
In-Reply-To:
References: <223f97700911120529g7dc2410blcd2b3bb0727519a6@mail.gmail.com> <223f97700911130045v716f0630w45a76061b70fc506@mail.gmail.com> <4B1274E4.70000@ecs.soton.ac.uk>
Message-ID: <223f97700912010439p29cb85e4gd61760ae4444ba7a@mail.gmail.com>

2009/11/30 Edward Dekkers :
>> Do this on the latest release. You may well find the behaviour has
>> changed.
>
> OK, happy to try this. Is there a nice dpkg way to do this for Ubuntu?
> (Can't seem to find it). Reason I ask is because all the MailScanner
> documentation seems to have its directories in different places than the
> Ubuntu dpkg install of MailScanner. It was always running so well and the
> only thing I'm a guru at is messing things up.
> :-).
Don't belittle yourself... with a little attention to details, I'm
sure you'll be fine;)

> Should I remove the dpkg version and start from scratch with the tarball?
It might be real hard finding the latest beta (or even the latest
stable) in dpkg format. So you'd need backup your configuration
changes (mainly MailScanner.conf and rules directories, I suppose),
then remove it. After that, you'd need install the tarball of the
latest and greatest... Since that will have all in one directory
hierarchy, you'd perhaps best "move" your changes to MailScanner.conf
etc over manually.

> How does this affect spamassassin/clamav?
Not at all? You'd need make sure any changes needed are done (Run As
User/Group and perms etc), but other than that, they shouldn't be
affected.

> Regards,
> Ed.
>
Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From ilikeuce at bornefeld-ettmann.de Tue Dec 1 12:45:38 2009
From: ilikeuce at bornefeld-ettmann.de (Ralph Bornefeld-Ettmann)
Date: Tue Dec 1 12:46:16 2009
Subject: rule patterns
In-Reply-To: <4E0F0F45E36CE3804D45D23B@rdf.local>
References: <4E0F0F45E36CE3804D45D23B@rdf.local>
Message-ID:

Frank Cusack wrote:
> OK this is definitely the last question! :)
>
> rules/README example patterns:
>
>       *@sub.domain.com        # Any user at 1 domain
>       *@*.domain.com          # Any user at any sub-domain of "domain.com"
>
>       host:mail.example.com   # Any hostname
>       host:example.com        # Any domain name
>       host:mail*.example.com  # Any hostname or domain name with wildcards
>
> Shouldn't the first host: example say "a single hostname"? And the 2nd
> say "a single domain name"? Likewise the 3rd example.
>
> Is *@domain.com equivalent to host:domain.com? It would seem so although
> since "host:" isn't really defined I'm not 100% sure it means the part
> after the "@" in the email address being tested. (only 99.9% sure)
>
> But really what I wanted to get to is that bounce.rules has:
>
> #From:          yourcustomer.com        yes
>
> which doesn't match any of the example patterns in README. Is bounce.rules
> in error?
>
> -frank

host means host - quite simple.

From:   host:mail.example.com   yes

reads like this :

If a mail comes from host mail.example.com (no matter what sender domain is
used) then hand over "yes" to the related variable.


From:   mail.example.com        yes
From:   *@mail.example.com      yes

read the same

If a mail comes from domain mail.example.com then hand over "yes"

From:   *@example.com   yes

this handles only mails from example.com, the mail.example.com domain has to
be handled separately

From:   *@*.example.com yes

and this handles mails from any subdomain of example.com but not directly
from example.com


From:   *@*example.com  yes

this handles mails from example.com and its subdomains but also from
anyexample.com, myexample.com, dumbexample.com ......


HTH

Ralph

From paul.welsh.3 at googlemail.com Tue Dec 1 12:57:20 2009
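
[Added example, not part of the original thread and not MailScanner's own code.] The sender-address patterns explained in Ralph Bornefeld-Ettmann's message above, as a small Python matcher that shows which senders each pattern accepts and flags the `*example.com` form that also accepts look-alike domains. It assumes `*` matches any run of characters and that a bare domain reads as `*@domain`, as that message states; the function names and sample addresses are made up for the illustration.

```python
import re


def pattern_to_regex(pattern):
    """Compile a sender-address pattern such as '*@*.example.com'.

    Assumptions of this example, taken from the explanation in the thread:
    '*' matches any run of characters, matching is case-insensitive, and a
    pattern without '@' is a bare domain that reads like '*@domain'.
    """
    if pattern.startswith("host:"):
        # host: patterns are about the sending host, not the sender address.
        raise ValueError("host: patterns are not address patterns")
    if "@" not in pattern:
        pattern = "*@" + pattern
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(literal_parts) + "$", re.IGNORECASE)


def matches(pattern, sender):
    """True if the envelope/header sender address is accepted by the pattern."""
    return pattern_to_regex(pattern).match(sender) is not None


def accepted(pattern, senders):
    """Return the senders from the list that the pattern accepts."""
    return [s for s in senders if matches(pattern, s)]


def wildcard_touches_label(pattern):
    """Lint check: a '*' glued directly onto a name (as in '*example.com')
    lets the wildcard complete a different domain, e.g. 'myexample.com'.
    A '*' followed by '.' or '@' stays on a label boundary."""
    return re.search(r"\*[A-Za-z0-9-]", pattern) is not None


# Constructed sender addresses for the demonstration.
SENDERS = [
    "alice@example.com",
    "bob@mail.example.com",
    "carol@myexample.com",
    "dave@example.com.invalid",
]

PATTERNS = [
    "*@example.com",
    "*@*.example.com",
    "*@*example.com",
    "mail.example.com",
]


def report():
    """Map each pattern to (accepted senders, lint flag)."""
    return {p: (accepted(p, SENDERS), wildcard_touches_label(p)) for p in PATTERNS}


if __name__ == "__main__":
    for pattern, (hits, risky) in report().items():
        flag = "  <-- wildcard glued to domain name" if risky else ""
        print(f"{pattern:18} accepts {hits}{flag}")
```

All of these patterns test a sender address supplied by the sending side, so the lint only narrows what a rule accepts; it does not make the address trustworthy.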
From: paul.welsh.3 at googlemail.com (Paul Welsh)
Date: Tue Dec 1 12:57:29 2009
Subject: OT: PGP
In-Reply-To:
References: <49df20710911301504m47d979abx85b00efa7d9383fd@mail.gmail.com>
Message-ID: <49df20710912010457i73e7af09m856ade85ffe513f@mail.gmail.com>

2009/12/1 Anthony Cartmell :
>> The users are running Windows XP and Outlook 2003 connected to an
>> Exchange server with MailScanner feeding it so a product with plugins
>> for Outlook would be handy.
>
> I've used GPG4Win with its Outlook plugin with a client successfully.

Hi Antony

Were they using Exchange? I found GPG4Win didn't inspire my confidence
(I got a message saying Outlook couldn't update my reminders at one
point) and it just felt a bit flakey. To be fair though I didn't have
time to do what you might call thorough testing.

From glenn.steen at gmail.com Tue Dec 1 13:05:18 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Dec 1 13:05:27 2009
Subject: Spam Actions bounce
In-Reply-To: <70640AB4B0DAE2F88A4C21FB@rdf.local>
References: <70640AB4B0DAE2F88A4C21FB@rdf.local>
Message-ID: <223f97700912010505i269acc90q8647a63da40af576@mail.gmail.com>

2009/12/1 Frank Cusack :
> Why does "Spam Actions" have a bounce action available but "High Scoring
> Spam Actions" does not? And what is the interaction with "Enable Spam
> Bounce"? Does "Enable Spam Bounce" have to be yes and then also "Spam
> Actions" has to be bounce to bounce a given mail? From the example
> bounce.rules it doesn't seem so since there is a stern warning that the
> default rule must not be yes. If both the "Enable Spam Bounce" and the
> "Spam Actions" had to be on then said warning wouldn't be necessary
> because merely enabling the bounce rule doesn't mean that a bounce
> is sent, it just means that the Spam Actions bounce action can then take
> effect. But perhaps that warning is just a scare tactic (make sure you
> know what you're doing), because from the "Enable Spam Bounce" description
> it does seem that both settings have to be on.
>
> If in fact both settings have to be on in order to bounce a spam, what
> happens if your only action in "Spam Actions" is bounce? Is there a
> default action? What if you have bounce plus other actions? Is the
> bounce action simply ignored?
>
> I think I'd really like to have bounce capability for "High Scoring Spam
> Actions" as well. I don't understand why you would limit the bounce
> action to only low-scoring spam since the action itself doesn't make
> sense for spam in general.
>
Because the "High Scoring Spam" is very very likely to be shite, it
would be idiotic to bounce it. If anything, shove it into the
quarantine.

> Sorry that I'm packing so many questions in here but I figure better
> to get it all in one email than to do a long back and forth.
Yet you lack one: Should you really use the bounce feature of
MailScanner at all? In almost all cases the answer is a resounding
"NO!"...;-)

> thanks
> -frank
> ps. the deeper i get into mailscanner the more i like it!
Yes, that is as expected;-). Remember that Jules (and a few others,
but mainly Jules) has been tinkering with it for very many years now,
constantly adding a feature here and a feature there... So that MS
caters to a lot of tastes and has the ability to fulfill even the most
moronic of policies ... That doesn't mean one has to actually USE all
features provided;-);-)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Tue Dec 1 13:29:07 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Dec 1 13:29:16 2009
Subject: Read IP Address From Received Header
In-Reply-To:
References:
Message-ID: <223f97700912010529o401ea919h967ab2aa3bccdb89@mail.gmail.com>

2009/12/1 Frank Cusack :
> Last question, I hope!
>
> For "Read IP Address From Received Header":
>
> # no or 0  ==> use the SMTP client address, ie. the address of the system
> #              talking to the MailScanner server. This is the normal
> setting.
> # yes or 1 ==> use the first IP address contained in the first "Received:"
> #              header at the top of the email message's headers.
>
> Since MailScanner is not itself an SMTP server, doesn't the SMTP server
> on the host MailScanner is running on always add a Received: header before
> MailScanner sees the mail? How would MailScanner ever see the address of
> the SMTP client if it is always [at least] once-removed?
>
IIRC (always dicey, that assumption:-), there are some situations
where what the MTA stores in its queue files aren't reliably the last
hop, and for those cases this setting will look at the last Received:
header to find that out. For example, it might look like:

Received: from bw3smtp78.bwz.se (bw3smtp78.bwz.se [213.80.124.78])
        by mail.ap1.se (Postfix) with ESMTP id 8D80432AF3A
        for ; Tue, 1 Dec 2009 14:11:55 +0100 (CET)
....

In which case the "last hop" before our server would be 213.80.124.78
... Which one can also see in the "non-message" parts of the queue
file, in my case... So I don't need this way of finding that out.
Hence I've got this set to the default.
So the assumption that it wouldn't be visible is false.

> I'm using MailScanner with postfix, using the "hold" queue to pick up
> new mails. Maybe there's another configuration (content_filter?) or
> for other MTAs there is a way for MS to get the mail before any MTA
> processing?
>
If you have a setup like Amavisd (or if you've followed my
instructions for how to split multi-recipient mails;-), MailScanner
will always see these as coming from localhost, regardless of method
used. In this case you'd need be able to specify how many Received:
lines to ignore, which (fortunately) is exactly what you can do by
setting a number higher than 1;-).
If you _don't_ have that setting... it indicates that your MailScanner
is rather old... In which case you should immediately move as close as
possible to the latest stable release.

> Since my configuration is
>
> MX->MS->recipient
>
So you're not running MS on your MXes? In my case I do, so the "order"
is -> Postfix-which-lands-in-hold -> MTA ->
Postfix-incoming -> ... mailstore ... So by this I can rely on it to
be right by default.
If you do have another MTA between "the net" and your MS box, then you
really do need set this to 2.

> it seems like I should set this value to 2? The MX host and the MS host
> both add a Received: header.
Why do you have it like that? BarricadeMX?

> thanks again,
> -frank
Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Tue Dec 1 13:32:06 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Dec 1 13:32:15 2009
Subject: Read IP Address From Received Header
In-Reply-To: <223f97700912010529o401ea919h967ab2aa3bccdb89@mail.gmail.com>
References: <223f97700912010529o401ea919h967ab2aa3bccdb89@mail.gmail.com>
Message-ID: <223f97700912010532t60f6fef0pd0a541743c92ae9f@mail.gmail.com>

2009/12/1 Glenn Steen :
(snip)
> So you're not running MS on your MXes? In my case I do, so the "order"
> is -> Postfix-which-lands-in-hold -> MTA ->
> Postfix-incoming -> ... mailstore ... So by this I can rely on it to
> be right by default.
Gah. Should've read
-> Postfix-which-lands-in-hold -> MS ->
> Postfix-incoming -> ... mailstore ...
(snip)
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From edward at tdcs.com.au Tue Dec 1 13:34:55 2009
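
[Added example, not part of the original thread and not MailScanner's own code.] How the value of "Read IP Address From Received Header" changes which address gets used in the MX -> MS -> recipient layout discussed above. It assumes a value N of 1 or more means "the first IP address in the N-th Received: header from the top"; the sample messages, hostnames, addresses and function names are constructed for the illustration.

```python
import ipaddress
import re
from email import message_from_string

# Dotted-quad candidates; each one is validated with ipaddress below.
IPV4_CANDIDATE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Constructed message as the MailScanner host sees it behind a separate MX.
# The top header was added by the MS host's MTA, the second by the MX.
VIA_MX = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby ms.example.net (Postfix) with ESMTP id 1A2B3C4D5E
\tfor <user@example.net>; Tue, 1 Dec 2009 14:11:56 +0100 (CET)
Received: from client.example.org (client.example.org [203.0.113.7])
\tby mx.example.net (Postfix) with ESMTP id 6F7A8B9C0D
\tfor <user@example.net>; Tue, 1 Dec 2009 14:11:55 +0100 (CET)
From: sender@example.org
To: user@example.net
Subject: constructed test message

body
"""

# Constructed locally generated message: only one Received: header exists.
LOCAL_ONLY = """\
Received: from localhost (localhost [127.0.0.1])
\tby ms.example.net (Postfix) with ESMTP id 0D1E2F3A4B
\tfor <user@example.net>; Tue, 1 Dec 2009 14:20:00 +0100 (CET)
From: postmaster@example.net
To: user@example.net
Subject: constructed local message

body
"""


def first_ip(header_value):
    """Return the first valid IPv4 address in one Received: header, or None."""
    for match in IPV4_CANDIDATE.finditer(header_value):
        try:
            return str(ipaddress.IPv4Address(match.group(0)))
        except ValueError:
            continue  # e.g. 999.1.1.1 looks like an address but is not one
    return None


def source_ip(raw_message, smtp_client_ip, setting):
    """Pick the address that policy checks would be applied to.

    setting 0  -> the SMTP client address recorded by the local MTA
    setting N  -> first IP in the N-th Received: header from the top
                  (assumption of this example, see the lead-in)
    Returns None when the message has fewer than N Received: headers; the
    thread does not say what MailScanner does then, so the caller decides.
    """
    if setting < 0:
        raise ValueError("setting must be 0 or a positive header index")
    if setting == 0:
        return smtp_client_ip
    received = message_from_string(raw_message).get_all("Received") or []
    if len(received) < setting:
        return None
    return first_ip(received[setting - 1])


if __name__ == "__main__":
    for n in (0, 1, 2, 3):
        print("via MX, setting", n, "->", source_ip(VIA_MX, "192.0.2.10", n))
    print("local, setting 2 ->", source_ip(LOCAL_ONLY, "127.0.0.1", 2))
```

Every Received: header below the ones added by your own hosts is written by the sending side, so the index should never point past the hops you operate.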
From: edward at tdcs.com.au (Edward Dekkers)
Date: Tue Dec 1 13:35:59 2009
Subject: MailScanner Looping? - REVISITED with more info
In-Reply-To:
References: <223f97700911120529g7dc2410blcd2b3bb0727519a6@mail.gmail.com> <223f97700911130045v716f0630w45a76061b70fc506@mail.gmail.com> <4B1274E4.70000@ecs.soton.ac.uk>
Message-ID:

> OK, happy to try this. Is there a nice dpkg way to do this for Ubuntu?
> (Can't seem to find it). Reason I ask is because all the MailScanner
> documentation seems to have its directories in different places than
> the
> Ubuntu dpkg install of MailScanner. It was always running so well and
> the
> only thing I'm a guru at is messing things up.
>
> Should I remove the dpkg version and start from scratch with the
> tarball?
>
> How does this affect spamassassin/clamav?
>
> Regards,
> Ed.

OK - just an update. I WILL upgrade mailscanner over the weekend when I
have some time, but for a quick fix for the Ubuntu users there's this I
found on a post:

Re: MailScanner not working after 9.10 upgrade

Success. The problem is with the init script. In
/etc/init.d/mailscanner, I had to add -c ${user} to the start-stop-daemon
line, since it had no idea what user to run as. It was strange that when
called from the command line as (for me) sudo -u Debian-exim MailScanner,
it would work. So, the modified line in the init script should look
something like:

start-stop-daemon --start --quiet --startas $STARTAS --name $NAME --test > /dev/null \
        || return 1
start-stop-daemon --start --quiet --nicelevel $run_nice -c ${user} --exec $DAEMON --name $NAME -- $DAEMON_ARGS \
        || return 2

Add the -c ${user}, restart mailscanner, and it'll be back working. At
least this is working for me.

Tim

It worked for me :)

Ed.

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From glenn.steen at gmail.com Tue Dec 1 13:35:53 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Dec 1 13:36:02 2009
Subject: rule patterns
In-Reply-To:
References: <4E0F0F45E36CE3804D45D23B@rdf.local>
Message-ID: <223f97700912010535j60c74f3fub74998c4a9fbad61@mail.gmail.com>

2009/12/1 Ralph Bornefeld-Ettmann :
> Frank Cusack wrote:
>>
>> OK this is definitely the last question! :)
>>
>> rules/README example patterns:
>>
>>       *@sub.domain.com        # Any user at 1 domain
>>       *@*.domain.com          # Any user at any sub-domain of "domain.com"
>>
>>       host:mail.example.com   # Any hostname
>>       host:example.com        # Any domain name
>>       host:mail*.example.com  # Any hostname or domain name with wildcards
>>
>> Shouldn't the first host: example say "a single hostname"? And the 2nd
>> say "a single domain name"? Likewise the 3rd example.
>>
>> Is *@domain.com equivalent to host:domain.com? It would seem so although
>> since "host:" isn't really defined I'm not 100% sure it means the part
>> after the "@" in the email address being tested. (only 99.9% sure)
>>
>> But really what I wanted to get to is that bounce.rules has:
>>
>> #From:          yourcustomer.com        yes
>>
>> which doesn't match any of the example patterns in README. Is
>> bounce.rules
>> in error?
>>
>> -frank
>
> host means host - quite simple.
>
> From:   host:mail.example.com   yes
>
> reads like this :
>
> If a mail comes from host mail.example.com (no matter what sender domain is
> used) then hand over "yes" to the related variable.
>
>
> From:   mail.example.com        yes
> From:   *@mail.example.com      yes
>
> read the same
>
> If a mail comes from domain mail.example.com then hand over "yes"
>
> From:   *@example.com   yes
>
> this handles only mails from example.com, the mail.example.com domain has to
> be handled separately
>
> From:   *@*.example.com yes
>
> and this handles mails from any subdomain of example.com but not directly
> from example.com
>
>
> From:   *@*example.com  yes
>
> this handles mails from example.com and its subdomains but also from
> anyexample.com, myexample.com, dumbexample.com ......
>
>
> HTH
>
> Ralph
>
... And you shouldn't be using the easily spoofable things above, but
rather use the IP address of your customer's sending MTA!
And really think hard and long if the bounce thing should be used at all;-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From rcooper at dwford.com Tue Dec 1 14:36:08 2009
From: rcooper at dwford.com (Rick Cooper)
Date: Tue Dec 1 14:36:22 2009
Subject: rule patterns
In-Reply-To: <223f97700912010535j60c74f3fub74998c4a9fbad61@mail.gmail.com>
References: <4E0F0F45E36CE3804D45D23B@rdf.local> <223f97700912010535j60c74f3fub74998c4a9fbad61@mail.gmail.com>
Message-ID: <1AFF310C90D2439BA09885C230EE119D@SAHOMELT>

----Original Message----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen
Sent: Tuesday, December 01, 2009 8:36 AM
To: MailScanner discussion
Subject: Re: rule patterns

> 2009/12/1 Ralph Bornefeld-Ettmann :
>> Frank Cusack wrote:
>>>
>>> OK this is definitely the last question! :)
>>>
>>> rules/README example patterns:
>>>
>>>       *@sub.domain.com        # Any user at 1 domain
>>>       *@*.domain.com          # Any user at any sub-domain of
>>> "domain.com"
>>>
>>>       host:mail.example.com   # Any hostname
>>>       host:example.com        # Any domain name
>>>       host:mail*.example.com  # Any hostname or domain name with
>>> wildcards
>>>
>>> Shouldn't the first host: example say "a single hostname"? And the 2nd
>>> say "a single domain name"? Likewise the 3rd example.
>>>
>>> Is *@domain.com equivalent to host:domain.com? It would seem so
>>> although since "host:" isn't really defined I'm not 100% sure it means
>>> the part after the "@" in the email address being tested. (only 99.9%
>>> sure)
>>>
>>> But really what I wanted to get to is that bounce.rules has:
>>>
>>> #From:          yourcustomer.com        yes
>>>
>>> which doesn't match any of the example patterns in README. Is
>>> bounce.rules in error?
>>>
>>> -frank
>>
>> host means host - quite simple.
>>
>> From:   host:mail.example.com   yes
>>
>> reads like this :
>>
>> If a mail comes from host mail.example.com (no matter what sender domain
>> is used) then hand over "yes" to the related variable.
>>
>>
>> From:   mail.example.com        yes
>> From:   *@mail.example.com      yes
>>
>> read the same
>>
>> If a mail comes from domain mail.example.com then hand over "yes"
>>
>> From:   *@example.com   yes
>>
>> this handles only mails from example.com, the mail.example.com domain
>> has to be handled separately
>>
>> From:   *@*.example.com yes
>>
>> and this handles mails from any subdomain of example.com but not
>> directly from example.com
>>
>>
>> From:   *@*example.com  yes
>>
>> this handles mails from example.com and its subdomains but also from
>> anyexample.com, myexample.com, dumbexample.com ......
>>
>>
>> HTH
>>
>> Ralph
>>
> ... And you shouldn't be using the easily spoofable things above, but
> rather use the IP address of your customer's sending MTA!
> And really think hard and long if the bounce thing should be used at
> all;-).
>
> Cheers
> --
> -- Glenn

Glenn, didn't you mean to say "Dear God in heaven never use a bounce
thing"?

Rick

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From lhaig at haigmail.com Tue Dec 1 15:54:14 2009
From: lhaig at haigmail.com (Lance Haig)
Date: Tue Dec 1 15:54:41 2009
Subject: Single Quarantine for more than one MS server
Message-ID: <1259682854.16497.2.camel@lancehaig>

Hi,

I want to create a single quarantine server for both my MS servers so
that users only have to login to one site to release their spam etc...

Has anyone done this and do you perhaps have any advice?

I also want to archive mail on a per domain basis does that just work
like the normal rules?

Thanks

Lance

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From fcusack at fcusack.com Tue Dec 1 17:18:31 2009
From: fcusack at fcusack.com (Frank Cusack)
Date: Tue Dec 1 17:18:44 2009
Subject: rule patterns
In-Reply-To:
References: <4E0F0F45E36CE3804D45D23B@rdf.local>
Message-ID: <17599C918FFAD089E0EC8D67@rdf.local>

On December 1, 2009 1:45:38 PM +0100 Ralph Bornefeld-Ettmann wrote:
>> But really what I wanted to get to is that bounce.rules has:
>>
>> #From:          yourcustomer.com        yes
>>
>> which doesn't match any of the example patterns in README. Is
>> bounce.rules in error?
>>
>> -frank

> host means host - quite simple.

ah, so *not* the RHS of the email address as I thought. I'm glad I asked.
So where does MS get the idea of the host from? Is it the same as
"Read IP Address From Received Header"?

so is the bounce.rules example file incorrect? What would the pattern
above actually match? Judging from the examples in README, I would guess
it will never match anything.

-frank

From fcusack at fcusack.com Tue Dec 1 17:20:57 2009
From: fcusack at fcusack.com (Frank Cusack)
Date: Tue Dec 1 17:21:09 2009
Subject: Spam Actions bounce
In-Reply-To: <223f97700912010505i269acc90q8647a63da40af576@mail.gmail.com>
References: <70640AB4B0DAE2F88A4C21FB@rdf.local> <223f97700912010505i269acc90q8647a63da40af576@mail.gmail.com>
Message-ID: <8E94C3F395298E21C1143701@rdf.local>

On December 1, 2009 2:05:18 PM +0100 Glenn Steen wrote:
> Because the "High Scoring Spam" is very very likely to be shite, it
> would be idiotic to bounce it. If anything, shove it into the
> quarantine.

Well IMHO it is idiotic to bounce low scoring spam as well. You would
only do this for very special cases (and I'm glad the option is there).
But since this only makes sense for those special cases, I can't see
why high scoring spam shouldn't be bounced.

-frank

From fcusack at fcusack.com Tue Dec 1 17:32:58 2009
From: fcusack at fcusack.com (Frank Cusack)
Date: Tue Dec 1 17:33:09 2009
Subject: Read IP Address From Received Header
In-Reply-To: <223f97700912010529o401ea919h967ab2aa3bccdb89@mail.gmail.com>
References: <223f97700912010529o401ea919h967ab2aa3bccdb89@mail.gmail.com>
Message-ID:

On December 1, 2009 2:29:07 PM +0100 Glenn Steen wrote:
> 2009/12/1 Frank Cusack :
>> Last question, I hope!
>>
>> For "Read IP Address From Received Header":
>>
>> # no or 0  ==> use the SMTP client address, ie. the address of the
>> # system              talking to the MailScanner server. This is
>> # the normal
>> setting.
>> # yes or 1 ==> use the first IP address contained in the first
>> # "Received:"              header at the top of the email
>> # message's headers.
>>
>> Since MailScanner is not itself an SMTP server, doesn't the SMTP server
>> on the host MailScanner is running on always add a Received: header
>> before MailScanner sees the mail? How would MailScanner ever see the
>> address of the SMTP client if it is always [at least] once-removed?
>>
> IIRC (always dicey, that assumption:-), there are some situations
> where what the MTA stores in its queue files aren't reliably the last

Oh, so the queue files contain the SMTP client IP? ok that makes sense
then.

> hop, and for those cases this setting will look at the last Received:
> header to find that out. For example, it might look like:

So it seems then that 0 and 1 are equivalent, it's just that for 0 MS
doesn't have to scan and parse the Received: header in the email. Is
that right?

> If you do have another MTA between "the net" and your MS box, then you
> really do need set this to 2.
>
>> it seems like I should set this value to 2? The MX host and the MS host
>> both add a Received: header.
> Why do you have it like that? BarricadeMX?

I do have another MTA in between, so thanks for the verification that I
should use "2". I only have it like that because it's difficult to
install the MS software on my MX host.
Also I will note that with this setting being fixed like that, it means
backup MX hosts have to send directly to MS and not use an intermediate
hop of the primary MX. Maybe that's remedial info for you though. :)

So now that I understand that bit, here's a problem combining that and
"bounce". The bounce action for spam says you need to whitelist
127.0.0.1 ... makes sense. But since I have "Read IP Address From Received
Header" set to 2, and for bounces there will not even be 2 received
headers, will that whitelist even work?

-frank

From rcooper at dwford.com Tue Dec 1 18:07:15 2009
From: rcooper at dwford.com (Rick Cooper)
Date: Tue Dec 1 18:07:32 2009
Subject: Spam Actions bounce
In-Reply-To: <8E94C3F395298E21C1143701@rdf.local>
References: <70640AB4B0DAE2F88A4C21FB@rdf.local><223f97700912010505i269acc90q8647a63da40af576@mail.gmail.com> <8E94C3F395298E21C1143701@rdf.local>
Message-ID: <589443C620BB494A9081E9AF24830AD5@SAHOMELT>

----Original Message----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Frank Cusack
Sent: Tuesday, December 01, 2009 12:21 PM
To: MailScanner discussion
Subject: Re: Spam Actions bounce

> On December 1, 2009 2:05:18 PM +0100 Glenn Steen
> wrote:
>> Because the "High Scoring Spam" is very very likely to be shite, it
>> would be idiotic to bounce it. If anything, shove it into the
>> quarantine.
>
> Well IMHO it is idiotic to bounce low scoring spam as well. You would
> only do this for very special cases (and I'm glad the option is there).
> But since this only makes sense for those special cases, I can't see
> why high scoring spam shouldn't be bounced.

Because high scoring spam is almost certainly (depending on what you have
set as high) not legit and therefore the address used is not the real
address of the sender. This is how a joe job works. Mr. Spammer culls
addresses from the internet (news lists, web sites, etc) and then uses them
as the sender address, you bounce the spam and it ends up heading back to
the sender address who now has the spam in his/her mailbox (unless that
system tags it as spam and refuses delivery).

My opinion is when I accept an email for delivery I either deliver it or
deal with it but I do not attempt to return it, ever. Our basic smtp rules
deny 95+% of the junk and MailScanner/MailWatch and I handle the rest. I
cannot remember the last time I allowed a mail system to bounce emails as it
is just irresponsible in today's climate. If an email hits 14+ at smtp time,
delivery is denied and I have only had one fp ever at that score.

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From funk.gabor at hunetkft.hu Tue Dec 1 18:23:54 2009
From: funk.gabor at hunetkft.hu (Gabor FUNK) Date: Tue Dec 1 18:24:07 2009 Subject: Spam Actions bounce References: <70640AB4B0DAE2F88A4C21FB@rdf.local><223f97700912010505i269acc90q8647a63da40af576@mail.gmail.com> <8E94C3F395298E21C1143701@rdf.local> Message-ID: <003b01ca72b3$7119a920$152ea8c0@hunetkft.local> > Well IMHO it is idiotic to bounce low scoring spam as well. You would > only do this for very special cases (and I'm glad the option is there). > But since this only makes sense for those special cases, I can't see > why high scoring spam shouldn't be bounced. Hmm, because you likely bounce to forged innocent addresses? (which likely get your server blacklisted, etc.) To start with, read: http://www.spamcop.net/fom-serve/cache/329.html#bounces G. From fcusack at fcusack.com Tue Dec 1 18:43:20 2009 From: fcusack at fcusack.com (Frank Cusack) Date: Tue Dec 1 18:43:35 2009 Subject: Spam Actions bounce In-Reply-To: <589443C620BB494A9081E9AF24830AD5@SAHOMELT> References: <70640AB4B0DAE2F88A4C21FB@rdf.local> <223f97700912010505i269acc90q8647a63da40af576@mail.gmail.com> <8E94C3F395298E21C1143701@rdf.local> <589443C620BB494A9081E9AF24830AD5@SAHOMELT> Message-ID: On December 1, 2009 1:07:15 PM -0500 Rick Cooper wrote: > ----Original Message---- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Frank > Cusack Sent: Tuesday, December 01, 2009 12:21 PM To: MailScanner > discussion Subject: Re: Spam Actions bounce > >> On December 1, 2009 2:05:18 PM +0100 Glenn Steen >> wrote: >>> Because the "High Scoring Spam" is very very likely to be shite, it >>> would be idiotic to bounce it. If anything, shove it into the >>> quarantine. >> >> Well IMHO it is idiotic to bounce low scoring spam as well. You would >> only do this for very special cases (and I'm glad the option is there). >> But since this only makes sense for those special cases, I can't see >> why high scoring spam shouldn't be bounced. > > Because high scoring spam is almost certainly (depending on what you have > set as high) not legit and therefore the address used is not the real > address of the sender. This is how a joe job works Yes I know how joe jobs work. :) I have known about joe jobs before they were called joe jobs. Even low scoring spam, if it is spam and not a FP, is going to have a forged sender address. low score vs high score isn't really a joe job indicator. Again, this is a special use case and why there would be a distinction to allow bounce for normal spam and not high scoring spam I can't understand yet. -frank From fcusack at fcusack.com Tue Dec 1 18:44:19 2009 
From: fcusack at fcusack.com (Frank Cusack) Date: Tue Dec 1 18:44:31 2009 Subject: Spam Actions bounce In-Reply-To: <003b01ca72b3$7119a920$152ea8c0@hunetkft.local> References: <70640AB4B0DAE2F88A4C21FB@rdf.local> <223f97700912010505i269acc90q8647a63da40af576@mail.gmail.com> <8E94C3F395298E21C1143701@rdf.local> <003b01ca72b3$7119a920$152ea8c0@hunetkft.local> Message-ID: On December 1, 2009 7:23:54 PM +0100 Gabor FUNK wrote: >> Well IMHO it is idiotic to bounce low scoring spam as well. You would >> only do this for very special cases (and I'm glad the option is there). >> But since this only makes sense for those special cases, I can't see >> why high scoring spam shouldn't be bounced. > > Hmm, because you likely bounce to forged innocent addresses? no difference for low scoring spam. From fcusack at fcusack.com Tue Dec 1 18:55:38 2009 From: fcusack at fcusack.com (Frank Cusack) Date: Tue Dec 1 18:55:49 2009 Subject: Spam Actions bounce In-Reply-To: References: <70640AB4B0DAE2F88A4C21FB@rdf.local> <223f97700912010505i269acc90q8647a63da40af576@mail.gmail.com> <8E94C3F395298E21C1143701@rdf.local> <589443C620BB494A9081E9AF24830AD5@SAHOMELT> Message-ID: <0720C03CCFAB190F4997642F@rdf.local> >> Because high scoring spam is almost certainly (depending on what you have >> set as high) huh ... i guess as a workaround i can set the high score VERY high so all spam gets classified as normal spam. Do you see why it doesn't make sense to not have bounce for high scoring spam? What is the difference between 9 and 10? So I can bounce 9's but not 10's? There's no reason for the distinction wrt bounce. -frank From rcooper at dwford.com Tue Dec 1 21:06:38 2009 
From: rcooper at dwford.com (Rick Cooper) Date: Tue Dec 1 21:06:55 2009 Subject: Spam Actions bounce In-Reply-To: References: <70640AB4B0DAE2F88A4C21FB@rdf.local><223f97700912010505i269acc90q8647a63da40af576@mail.gmail.com><8E94C3F395298E21C1143701@rdf.local><589443C620BB494A9081E9AF24830AD5@SAHOMELT> Message-ID: ----Original Message---- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Frank Cusack Sent: Tuesday, December 01, 2009 1:43 PM To: MailScanner discussion Subject: RE: Spam Actions bounce > On December 1, 2009 1:07:15 PM -0500 Rick Cooper > wrote: >> ----Original Message---- 
>> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Frank >> Cusack Sent: Tuesday, December 01, 2009 12:21 PM To: MailScanner >> discussion Subject: Re: Spam Actions bounce >> >>> On December 1, 2009 2:05:18 PM +0100 Glenn Steen >>> wrote: >>>> Because the "High Scoring Spam" is very very likely to be shite, it >>>> would be idiotic to bounce it. If anything, shove it into the >>>> quarantine. >>> >>> Well IMHO it is idiotic to bounce low scoring spam as well. You would >>> only do this for very special cases (and I'm glad the option is there). >>> But since this only makes sense for those special cases, I can't see >>> why high scoring spam shouldn't be bounced. >> >> Because high scoring spam is almost certainly (depending on what you have >> set as high) not legit and therefore the address used is not the real >> address of the sender. This is how a joe job works > > Yes I know how joe jobs work. :) I have known about joe jobs before > they were called joe jobs. > > Even low scoring spam, if it is spam and not a FP, is going to have a > forged sender address. low score vs high score isn't really a joe job > indicator. > > Again, this is a special use case and why there would be a distinction > to allow bounce for normal spam and not high scoring spam I can't > understand yet. > I agree, there should be no distinction, but there are those who feel if they tag at, say 6 and the spam hits 7 or 8 it might be a fp and bounce. I prefer quarantine and notify user if they feel like checking... Most can tell from sender and subject if it's something they want or not and don't even bother to pickup the message. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From rcooper at dwford.com Tue Dec 1 21:12:24 2009 
From: rcooper at dwford.com (Rick Cooper) Date: Tue Dec 1 21:12:39 2009 Subject: Spam Actions bounce In-Reply-To: <0720C03CCFAB190F4997642F@rdf.local> References: <70640AB4B0DAE2F88A4C21FB@rdf.local><223f97700912010505i269acc90q8647a63da40af576@mail.gmail.com><8E94C3F395298E21C1143701@rdf.local><589443C620BB494A9081E9AF24830AD5@SAHOMELT> <0720C03CCFAB190F4997642F@rdf.local> Message-ID: <130C3D3349684B6C9AE3A569CBF00806@SAHOMELT> ----Original Message---- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Frank Cusack Sent: Tuesday, December 01, 2009 1:56 PM To: MailScanner discussion Subject: RE: Spam Actions bounce >>> Because high scoring spam is almost certainly (depending on what you >>> have set as high) > > huh ... i guess as a workaround i can set the high score VERY high so > all spam gets classified as normal spam. > > Do you see why it doesn't make sense to not have bounce for high scoring > spam? What is the difference between 9 and 10? So I can bounce 9's > but not 10's? There's no reason for the distinction wrt bounce. > No one should ever have to put up with bounce spam ever. That is like saying I think this guy asking for me might be a murder so I will tell him that other guy over there is me, but if he looked like a child killer I would call the police. No right is right and if you accept a message you have accepted the responsibility for that message. You bounce spam and you are a spammer. That is as bad as sending someone a notice that they sent you a virus... If you find a virus you only know one thing about the sender, it's not from the address that supposedly sent it. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mrm at medicine.wisc.edu Tue Dec 1 21:31:50 2009 
From: mrm at medicine.wisc.edu (Michael Masse)
Date: Tue Dec 1 21:32:09 2009
Subject: Spam Actions bounce
In-Reply-To: <0720C03CCFAB190F4997642F@rdf.local>
References: <70640AB4B0DAE2F88A4C21FB@rdf.local> <223f97700912010505i269acc90q8647a63da40af576@mail.gmail.com> <8E94C3F395298E21C1143701@rdf.local> <589443C620BB494A9081E9AF24830AD5@SAHOMELT> <0720C03CCFAB190F4997642F@rdf.local>
Message-ID: <4B1536E6020000FC0000B19B@gwmail.medicine.wisc.edu>

>>> On 12/1/2009 at 12:55 PM, in message <0720C03CCFAB190F4997642F@rdf.local>, Frank Cusack wrote:
>> > Because high scoring spam is almost certainly (depending on what you have
>>> set as high)
>
> huh ... i guess as a workaround i can set the high score VERY high so
> all spam gets classified as normal spam.
>
> Do you see why it doesn't make sense to not have bounce for high scoring
> spam? What is the difference between 9 and 10? So I can bounce 9's
> but not 10's? There's no reason for the distinction wrt bounce.
>
> -frank

It makes all kinds of sense. You're not making the distinction between low scoring and high scoring spam. Whatever you set your threshold to between high and low is up to you, and although you may be able to concoct a reason to reply back to low scoring spam, high scoring spam means 100% sure it's spam, therefore there is never a need to reply to it. If you're getting FP's into the high scoring spam range then you have other problems that you need to address. You say you have a special case where you need to reply. Whatever that special case may be you can create a rule that takes whatever criteria you want for that specific case and reply back regardless of whether it's low or high so you can do whatever it is you want, so again, it makes perfect sense as to why you cannot reply back to high scoring spam. In other words, not having an explicit option to reply back to high scoring spam doesn't mean you can't do it.

-Mike

From fcusack at fcusack.com Tue Dec 1 21:56:47 2009
From: fcusack at fcusack.com (Frank Cusack) Date: Tue Dec 1 21:57:00 2009 Subject: Spam Actions bounce In-Reply-To: <4B1536E6020000FC0000B19B@gwmail.medicine.wisc.edu> References: <70640AB4B0DAE2F88A4C21FB@rdf.local> <223f97700912010505i269acc90q8647a63da40af576@mail.gmail.com> <8E94C3F395298E21C1143701@rdf.local> <589443C620BB494A9081E9AF24830AD5@SAHOMELT> <0720C03CCFAB190F4997642F@rdf.local> <4B1536E6020000FC0000B19B@gwmail.medicine.wisc.edu> Message-ID: <6381609E2B8719B8A3481C3D@rdf.local> On December 1, 2009 3:31:50 PM -0600 Michael Masse wrote: >>>> On 12/1/2009 at 12:55 PM, in message >>>> <0720C03CCFAB190F4997642F@rdf.local>, > Frank Cusack wrote: >>> > Because high scoring spam is almost certainly (depending on what you >>> > have set as high) >> >> huh ... i guess as a workaround i can set the high score VERY high so >> all spam gets classified as normal spam. >> >> Do you see why it doesn't make sense to not have bounce for high scoring >> spam? What is the difference between 9 and 10? So I can bounce 9's >> but not 10's? There's no reason for the distinction wrt bounce. >> >> -frank > > It makes all kinds of sense. Your not making the distinction between > low scoring and high scoring spam. Whatever you set your threshold to > between high and low is up to you, and although you may be able to > concoct a reason to reply back to low scoring spam, high scoring spam > means 100% sure it's spam, therefore there is never a need to reply to > it. OK first of all, as I have basically acknowledged, there is never a need to reply (bounce, DSN, whatever) to any spam, low or high scoring. The reason the bounce distinction doesn't make sense is because -- whatever the threshold -- the difference between low and high is just 1 point. Just as spam 29 is pretty much the same as spam 30, spam 9 is the same as 10 and spam 2 is about the same as 3. There's no reason to allow bounce to spam 9 but disallow bounce to spam 10. 
Even spam with score 1, if it is indeed spam, is still spam and is therefore almost certainly a joe job and you should not send a reply. (And if it's not spam it's even worse to send a reply.) I thought it would have been obvious, but I am not sending bounce messages to the Internet. Ever. That would be stupid. Even when virus filters (before spam filters even existed really) first came out and sent replies I thought that was stupid even though the "general public" obviously thought it was a good idea. My friends and I used to joe job each other in university days, before spam even existed (ahh a kinder gentler time) just as a prank. Of course the term joe job hadn't even been coined yet. Like I said, this is a special case. I agree with the sentiment that bounce is "dangerous" but I'm glad it's an option (for special use cases) and since it is there, there's just no reason to limit it to low scoring spam. It's just as bad to do it for low scoring spam as it is for high scoring spam. Regardless of your threshold for high. -frank From glenn.steen at gmail.com Tue Dec 1 22:30:03 2009 
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Dec 1 22:30:12 2009
Subject: Read IP Address From Received Header
In-Reply-To:
References: <223f97700912010529o401ea919h967ab2aa3bccdb89@mail.gmail.com>
Message-ID: <223f97700912011430u17c04c48rb117090f1130bc2a@mail.gmail.com>

Good question... I try to avoid bouncing at all costs, so... never had to find out;-)

2009/12/1, Frank Cusack :
> On December 1, 2009 2:29:07 PM +0100 Glenn Steen
> wrote:
>> 2009/12/1 Frank Cusack :
>>> Last question, I hope!
>>>
>>> For "Read IP Address From Received Header":
>>>
>>> # no or 0  ==> use the SMTP client address, ie. the address of the
>>> # system talking to the MailScanner server. This is
>>> # the normal
>>> setting.
>>> # yes or 1 ==> use the first IP address contained in the first
>>> # "Received:" header at the top of the email
>>> # message's headers.
>>>
>>> Since MailScanner is not itself an SMTP server, doesn't the SMTP server
>>> on the host MailScanner is running on always add a Received: header
>>> before MailScanner sees the mail?  How would MailScanner ever see the
>>> address of the SMTP client if it is always [at least] once-removed?
>>>
>> IIRC (always dicey, that assumption:-), there are some situations
>> where what the MTA stores in its queue files aren't reliably the last
>
> Oh, so the queue files contain the SMTP client IP? ok that makes
> sense then.
>
>> hop, and for those cases this setting will look at the last Received:
>> header to find that out. For example, it might look like:
>
> So it seems then that 0 and 1 are equivalent, it's just that for 0
> MS doesn't have to scan and parse the Received: header in the email.
> Is that right?
>
>> If you do have another MTA between "the net" and your MS box, then you
>> really do need to set this to 2.
>>
>>> it seems like I should set this value to 2?  The MX host and the MS host
>>> both add a Received: header.
>> Why do you have it like that? BarricadeMX?
>
> I do have another MTA in between, so thanks for the verification that
> I should use "2". I only have it like that because it's difficult to
> install the MS software on my MX host. Also I will note that with
> this setting being fixed like that, it means backup MX hosts have to
> send directly to MS and not use an intermediate hop of the primary MX.
> Maybe that's remedial info for you though. :)
>
> So now that I understand that bit, here's a problem combining that
> and "bounce". The bounce action for spam says you need to whitelist
> 127.0.0.1 ... makes sense. But since I have "Read IP Address From
> Received Header" set to 2, and for bounces there will not even be
> 2 received headers, will that whitelist even work?
>
> -frank
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

--
Sent from my mobile device

-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Tue Dec 1 22:43:01 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Dec 1 22:43:12 2009
Subject: rule patterns
In-Reply-To: <1AFF310C90D2439BA09885C230EE119D@SAHOMELT>
References: <4E0F0F45E36CE3804D45D23B@rdf.local> <223f97700912010535j60c74f3fub74998c4a9fbad61@mail.gmail.com> <1AFF310C90D2439BA09885C230EE119D@SAHOMELT>
Message-ID: <223f97700912011443l15ae807dwf1eea1a01cf033d9@mail.gmail.com>

But of course:-). Only time it might be of some use, that I can see,
would be in a closed environment of some type.
... Kind of think that's what Frank is on about.

2009/12/1, Rick Cooper :
> ----Original Message----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn
> Steen Sent: Tuesday, December 01, 2009 8:36 AM To: MailScanner discussion
> Subject: Re: rule patterns
>
>> 2009/12/1 Ralph Bornefeld-Ettmann :
>>> Frank Cusack wrote:
>>>>
>>>> OK this is definitely the last question! :)
>>>>
>>>> rules/README example patterns:
>>>>
>>>>       *@sub.domain.com        # Any user at 1 domain
>>>>       *@*.domain.com          # Any user at any sub-domain of
>>>> "domain.com"
>>>>
>>>>       host:mail.example.com   # Any hostname
>>>>       host:example.com        # Any domain name
>>>>       host:mail*.example.com  # Any hostname or domain name with
>>>> wildcards
>>>>
>>>> Shouldn't the first host: example say "a single hostname"?  And the 2nd
>>>> say "a single domain name"?  Likewise the 3rd example.
>>>>
>>>> Is *@domain.com equivalent to host:domain.com?  It would seem so
>>>> although since "host:" isn't really defined I'm not 100% sure it means
>>>> the part after the "@" in the email address being tested.  (only 99.9%
>>>> sure)
>>>>
>>>> But really what I wanted to get to is that bounce.rules has:
>>>>
>>>> #From:          yourcustomer.com        yes
>>>>
>>>> which doesn't match any of the example patterns in README.  Is
>>>> bounce.rules in error?
>>>>
>>>> -frank
>>>
>>> host means host - quite simple.
>>>
>>> From:   host:mail.example.com   yes
>>>
>>> reads like this :
>>>
>>> If a mail comes from host mail.example.com (no matter what sender domain
>>> is used) then hand over "yes" to the related variable.
>>>
>>>
>>> From:   mail.example.com        yes
>>> From:   *@mail.example.com      yes
>>>
>>> read the same
>>>
>>> If a mail comes from domain mail.example.com then hand over "yes"
>>>
>>> From:   *@example.com   yes
>>>
>>> this handles only mails from example.com, the mail.example.com domain
>>> has to be handled separately
>>>
>>> From:   *@*.example.com yes
>>>
>>> and this handles mails from any subdomain of example.com but not
>>> directly from example.com
>>>
>>>
>>> From:   *@*example.com  yes
>>>
>>> this handles mails from example.com and its subdomains but also from
>>> anyexample.com, myexample.com, dumbexample.com ......
>>>
>>>
>>> HTH
>>>
>>> Ralph
>>>
>> ... And you shouldn't be using the easily spoofable things above, but
>> rather use the IP address of your customers sending MTA!
>> And really think hard and long if the bounce thing should be used at
>> all;-).
>>
>> Cheers
>> --
>> -- Glenn
>
> Glenn, didn't you mean to say "Dear God in heaven never use a bounce thing"?
>
> Rick
>

--
Sent from my mobile device

-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From fcusack at fcusack.com Tue Dec 1 23:00:40 2009
From: fcusack at fcusack.com (Frank Cusack) Date: Tue Dec 1 23:00:55 2009 Subject: rule patterns In-Reply-To: <223f97700912011443l15ae807dwf1eea1a01cf033d9@mail.gmail.com> References: <4E0F0F45E36CE3804D45D23B@rdf.local> <223f97700912010535j60c74f3fub74998c4a9fbad61@mail.gmail.com> <1AFF310C90D2439BA09885C230EE119D@SAHOMELT> <223f97700912011443l15ae807dwf1eea1a01cf033d9@mail.gmail.com> Message-ID: On December 1, 2009 11:43:01 PM +0100 Glenn Steen wrote: > But of course:-). Only time it might be of some use, that I can see, > would be in a closed environment of some type. > ... Kind of think that's what Frank is on about. > yeah, i think i got off on the wrong foot by not being very clear about that. From glenn.steen at gmail.com Wed Dec 2 08:50:51 2009 From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Dec 2 08:51:00 2009 Subject: Single Quarantine for more than one MS server In-Reply-To: <1259682854.16497.2.camel@lancehaig> References: <1259682854.16497.2.camel@lancehaig> Message-ID: <223f97700912020050l35a61a1dt8f61c4c8ff7c1c7c@mail.gmail.com> 2009/12/1 Lance Haig : > Hi, > > I want to create a single quarantine server for both my MS servers so > that users only have to login to one site to release their spam etc... > > Has anyone done this and do you perhaps have any advice? > > I also want to archive mail on a per domain basis does that just work > like the normal rules? > > Thanks > > Lance > But if you use MailWatch, it'll present a "united front"... removing the need to "consolidate" the quarantine. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From alessandro.fachin at qnet.it Wed Dec 2 10:05:33 2009 
From: alessandro.fachin at qnet.it (Alessandro Fachin)
Date: Wed Dec 2 10:05:46 2009
Subject: Inspect tgz tar
Message-ID: <200912021105.33220.alessandro.fachin@qnet.it>

Hi, in the main Mailscanner.conf I found the options to inspect zip and rar archives:

# Where the "gunzip" command is installed.
# This is used for expanding .gz files.
# To disable gzipped file checking, set this value to blank
# and the timeout to 0.
Gunzip Command = /bin/gunzip

Is it possible to also inspect tgz tar archives?

Regards.

--
Alessandro Fachin
alessandro.fachin@qnet.it
Qnet s.r.l
Via Circonvallazione Sud 76
33033 Codroipo (UD) - Italy
http://www.qnet.it
http://www.qfarm.it
Tel. +39 0432 906062
Fax +39 0432 901514

From MailScanner at ecs.soton.ac.uk Wed Dec 2 12:30:57 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Dec 2 12:31:16 2009
Subject: rule patterns
In-Reply-To: <4E0F0F45E36CE3804D45D23B@rdf.local>
References: <4E0F0F45E36CE3804D45D23B@rdf.local> <4B165E01.4070400@ecs.soton.ac.uk>
Message-ID:

On 01/12/2009 06:41, Frank Cusack wrote:
> OK this is definitely the last question! :)
>
> rules/README example patterns:
>
> *@sub.domain.com # Any user at 1 domain
> *@*.domain.com # Any user at any sub-domain of
> "domain.com"

Those 2 examples look at the email sender address in the SMTP envelope.

>
> host:mail.example.com # Any hostname
> host:example.com # Any domain name
> host:mail*.example.com # Any hostname or domain name with
> wildcards

Those 3 examples look at the hostname of the system at the other end of the SMTP connection. Nothing to do with the email envelope sender address at all.

>
> Shouldn't the first host: example say "a single hostname"? And the 2nd
> say "a single domain name"? Likewise the 3rd example.
>
> Is *@domain.com equivalent to host:domain.com? It would seem so although
> since "host:" isn't really defined I'm not 100% sure it means the part
> after the "@" in the email address being tested. (only 99.9% sure)
>
> But really what I wanted to get to is that bounce.rules has:
>
> #From: yourcustomer.com yes
>
> which doesn't match any of the example patterns in README. Is
> bounce.rules
> in error?
>
> -frank

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner
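The pattern semantics described in this thread (sender-address patterns, host: patterns, and the advice to prefer the sending MTA's IP address), as an added example that is not part of any list message and is not MailScanner's own matching code. It models the patterns as plain globs, shows why `*@*example.com` also covers `anyexample.com`, and flags rules that are not pinned to a client IP; the sample ruleset, the helper names and the bare-IP pattern form are assumptions made for the illustration.

```python
import fnmatch
import ipaddress

# Constructed sample ruleset in the "From: <pattern> <value>" layout quoted in the thread.
# Assumption: a client IP is written as a bare address (192.0.2.25 is a documentation IP).
SAMPLE_RULES = """\
# constructed example, not a shipped bounce.rules
From:   *@example.com           yes
From:   *@*.example.com         yes
From:   *@*example.com          yes
From:   mail.example.com        yes
From:   host:mail*.example.com  yes
From:   192.0.2.25              yes
"""

SPOOFABLE_SENDER = "matches the envelope sender, which the sending side chooses"
HOSTNAME_BASED = "matches the client hostname rather than its IP address"
WILDCARD_ABUTS_LABEL = "'*' touches a domain label, so look-alike domains match too"


def classify(pattern):
    """Return 'host', 'ip' or 'address' for one rule pattern."""
    if pattern.lower().startswith("host:"):
        return "host"
    try:
        ipaddress.ip_address(pattern)
        return "ip"
    except ValueError:
        return "address"


def normalize(pattern):
    """Per the thread, a bare domain reads the same as *@domain."""
    if classify(pattern) == "address" and "@" not in pattern:
        return "*@" + pattern
    return pattern


def domain_glob(pattern):
    """The part of a pattern that is compared with a domain or hostname."""
    kind = classify(pattern)
    if kind == "host":
        return pattern[len("host:"):]
    if kind == "address":
        return normalize(pattern).rsplit("@", 1)[1]
    return ""


def wildcard_abuts_label(pattern):
    """True for globs such as *example.com, where '*' is followed by a
    letter or digit instead of a dot and therefore covers anyexample.com."""
    glob = domain_glob(pattern)
    return any(a == "*" and b.isalnum() for a, b in zip(glob, glob[1:]))


def matches(pattern, sender, client_host, client_ip):
    """Glob model of the semantics described in the thread (not MailScanner code)."""
    kind = classify(pattern)
    if kind == "ip":
        return ipaddress.ip_address(pattern) == ipaddress.ip_address(client_ip)
    if kind == "host":
        return fnmatch.fnmatchcase(client_host.lower(), domain_glob(pattern).lower())
    return fnmatch.fnmatchcase(sender.lower(), normalize(pattern).lower())


def audit(rules_text):
    """Return a list of (pattern, kind, warnings) for every rule line."""
    findings = []
    for raw in rules_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3:
            continue  # blank line, comment, or incomplete rule
        pattern = fields[1]
        kind = classify(pattern)
        warnings = []
        if kind == "address":
            warnings.append(SPOOFABLE_SENDER)
        elif kind == "host":
            warnings.append(HOSTNAME_BASED)
        if wildcard_abuts_label(pattern):
            warnings.append(WILDCARD_ABUTS_LABEL)
        findings.append((pattern, kind, warnings))
    return findings


if __name__ == "__main__":
    for pattern, kind, warnings in audit(SAMPLE_RULES):
        print(f"{pattern:24} {kind:8} {'; '.join(warnings) or 'ok'}")
```

Only the rule written as a client IP comes back without a warning, which is the point Glenn makes about spoofable patterns.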
From MailScanner at ecs.soton.ac.uk Wed Dec 2 12:34:01 2009 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Dec 2 12:34:33 2009 Subject: Single Quarantine for more than one MS server In-Reply-To: <1259682854.16497.2.camel@lancehaig> References: <1259682854.16497.2.camel@lancehaig> <4B165EB9.3020900@ecs.soton.ac.uk> Message-ID: On 01/12/2009 15:54, Lance Haig wrote: > Hi, > > I want to create a single quarantine server for both my MS servers so > that users only have to login to one site to release their spam etc... > > Has anyone done this and do you perhaps have any advice? > > I also want to archive mail on a per domain basis does that just work > like the normal rules? > Read the docs in MailScanner.conf just above the "Archive Mail" setting. It is all explained there. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From Garrod.Alwood at lorodoes.com Wed Dec 2 12:37:24 2009 
From: Garrod.Alwood at lorodoes.com (Garrod M. Alwood)
Date: Wed Dec 2 12:42:55 2009
Subject: Single Quarantine for more than one MS server
In-Reply-To: <223f97700912020050l35a61a1dt8f61c4c8ff7c1c7c@mail.gmail.com>
References: <1259682854.16497.2.camel@lancehaig> <223f97700912020050l35a61a1dt8f61c4c8ff7c1c7c@mail.gmail.com>
Message-ID:

A non-text attachment was scrubbed...
Name: smime.p7m
Type: application/x-pkcs7-mime
Size: 6461 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091202/b30c4eee/smime.bin

From FUNK.Gabor at hunetkft.hu Wed Dec 2 13:32:10 2009
From: FUNK.Gabor at hunetkft.hu (Gabor FUNK)
Date: Wed Dec 2 13:32:29 2009
Subject: OT: bl.csma.biz dead
Message-ID: <52CAEF0651FD47F79D7E6495665A31D3@M2007>

I hope it is just OT only a little bit.

It hadn't occurred to me that bl.csma.biz went or going to die, but as of 13:45 CET today it seemingly started returning positives to all queries, meanwhile their site worked till several minutes ago, now it also stopped working.

Whois says:

Domain Name: CSMA.BIZ
...
Registrant Name: Pending Renewal or Deletion
...
Name Server: NS1.PENDINGRENEWALDELETION.COM
Name Server: NS2.PENDINGRENEWALDELETION.COM
Created by Registrar: NETWORK SOLUTIONS INC.
Last Updated by Registrar: NETWORK SOLUTIONS INC.
Domain Registration Date: Sun Nov 25 23:07:23 GMT 2001
Domain Expiration Date: Tue Nov 24 23:59:59 GMT 2009
Domain Last Updated Date: Wed Dec 02 11:43:56 GMT 2009

so whoever uses it for any purposes, consider a remove or alike...

g.

From richard at fastnet.co.uk Wed Dec 2 14:47:55 2009
From: richard at fastnet.co.uk (Richard Mealing) Date: Wed Dec 2 14:47:01 2009 Subject: Whitelists. Message-ID: Hi everyone, I have a centralised mailwatch but currently I am using white/black list per domain ie, not sql. Does anyone have anything set-up currently that gives the user for their domain(s) the ability to configure their own white/black lists? I'm looking for some sort of customer portal that would let them log in and update their own white lists. I have been searching around but I just wanted to ask the question here, to see if anyone has ever done this. Many thanks, Rich -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091202/729a8504/attachment.html From lhaig at haigmail.com Wed Dec 2 14:54:08 2009 
From: lhaig at haigmail.com (Lance Haig) Date: Wed Dec 2 14:54:48 2009 Subject: Single Quarantine for more than one MS server In-Reply-To: <223f97700912020050l35a61a1dt8f61c4c8ff7c1c7c@mail.gmail.com> References: <1259682854.16497.2.camel@lancehaig> <223f97700912020050l35a61a1dt8f61c4c8ff7c1c7c@mail.gmail.com> Message-ID: <1259765648.5419.2.camel@lancehaig> I was not aware that you could release from multiple MS boxes from a single Mailwatch instance Lance On Wed, 2009-12-02 at 09:50 +0100, Glenn Steen wrote: > 2009/12/1 Lance Haig : > > Hi, > > > > I want to create a single quarantine server for both my MS servers so > > that users only have to login to one site to release their spam etc... > > > > Has anyone done this and do you perhaps have any advice? > > > > I also want to archive mail on a per domain basis does that just work > > like the normal rules? > > > > Thanks > > > > Lance > > > But if you use MailWatch, it'll present a "united front"... removing > the need to "consolidate" the quarantine. > > Cheers > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From lhaig at haigmail.com Wed Dec 2 14:54:32 2009 
From: lhaig at haigmail.com (Lance Haig) Date: Wed Dec 2 14:54:52 2009 Subject: Single Quarantine for more than one MS server In-Reply-To: References: <1259682854.16497.2.camel@lancehaig> <4B165EB9.3020900@ecs.soton.ac.uk> Message-ID: <1259765672.5419.3.camel@lancehaig> Thanks Jules, I will have a look at the notes :-) Lance On Wed, 2009-12-02 at 12:34 +0000, Julian Field wrote: > > On 01/12/2009 15:54, Lance Haig wrote: > > Hi, > > > > I want to create a single quarantine server for both my MS servers so > > that users only have to login to one site to release their spam etc... > > > > Has anyone done this and do you perhaps have any advice? > > > > I also want to archive mail on a per domain basis does that just work > > like the normal rules? > > > Read the docs in MailScanner.conf just above the "Archive Mail" setting. > It is all explained there. > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > Follow me at twitter.com/JulesFM and twitter.com/MailScanner > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From lhaig at haigmail.com Wed Dec 2 14:55:28 2009 
From: lhaig at haigmail.com (Lance Haig) Date: Wed Dec 2 14:55:50 2009 Subject: Single Quarantine for more than one MS server In-Reply-To: References: <1259682854.16497.2.camel@lancehaig> <223f97700912020050l35a61a1dt8f61c4c8ff7c1c7c@mail.gmail.com> Message-ID: <1259765728.5419.4.camel@lancehaig> On Wed, 2009-12-02 at 07:37 -0500, Garrod M. Alwood wrote: > I didn't think you could release on a multi-MS to one Mailwatch setup My thoughts are the same on this one I really hope you are wrong :-) Lance > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen > Sent: Wednesday, December 02, 2009 3:51 AM > To: MailScanner discussion > Subject: Re: Single Quarantine for more than one MS server > > 2009/12/1 Lance Haig : > > Hi, > > > > I want to create a single quarantine server for both my MS servers so > > that users only have to login to one site to release their spam etc... > > > > Has anyone done this and do you perhaps have any advice? > > > > I also want to archive mail on a per domain basis does that just work > > like the normal rules? > > > > Thanks > > > > Lance > > > But if you use MailWatch, it'll present a "united front"... removing > the need to "consolidate" the quarantine. > > Cheers > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From Antony.Stone at mailscanner.open.source.it Wed Dec 2 16:16:46 2009 
From: Antony.Stone at mailscanner.open.source.it (Antony Stone) Date: Wed Dec 2 16:16:51 2009 Subject: Quarantining password-protected ZIPs? Message-ID: <200912021716.46820.Antony.Stone@mailscanner.open.source.it> Hi. MailScanner has a nice feature to detect when an attachment contains a password-protected ZIP file, and you can specify whether such attachments are permitted or not. I would like to block such attachments by default, storing them in quarantine, and send a notification message to the recipient, or the postmaster, so that if the email is from a trusted source, it can be released and delivered. However, it appears that if a password-protected zip file is discovered, it is treated as though it's a virus, and therefore: a) the original email is thrown away and can't be delivered later b) no notification can be sent to the recipient or the postmaster unless they get these for real viruses too I hope I am missing something about the configuration options: - Is it possible to treat password-protected ZIPs like spam instead of like viruses? - Is it possible to quarantine such attachments, without quarantining all viruses (or archiving all email)? I hope someone can help, Thanks, -- In the Beginning there was nothing, which exploded. - Terry Pratchett Please reply to the list; please don't CC me. From glenn.steen at gmail.com Wed Dec 2 17:34:08 2009 
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Dec 2 17:34:17 2009 Subject: Single Quarantine for more than one MS server In-Reply-To: <1259765728.5419.4.camel@lancehaig> References: <1259682854.16497.2.camel@lancehaig> <223f97700912020050l35a61a1dt8f61c4c8ff7c1c7c@mail.gmail.com> <1259765728.5419.4.camel@lancehaig> Message-ID: <223f97700912020934i21f5b2fflbbe487a5a63b84a1@mail.gmail.com> 2009/12/2 Lance Haig : > On Wed, 2009-12-02 at 07:37 -0500, Garrod M. Alwood wrote: >> I didn't think you could release on a multi-MS to one Mailwatch setup > > > My thoughts are the same on this one > > I really hope you are wrong :-) > > Lance > You can have multiple MailScanner servers logging to one database... You'll still need MailWatch installed on the respective MX hosts, but... XML-RPC will take care of running the release on the correct server (where the quarantined item is actually stored). There are a few things to look at/tinker a bit with, but ... to all intents and purposes this will be all you need, once you get it going. Or did I misunderstand your intent? Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From jonas at vrt.dk Wed Dec 2 21:24:35 2009 
From: jonas at vrt.dk (Jonas A. Larsen) Date: Wed Dec 2 21:24:48 2009 Subject: Single Quarantine for more than one MS server In-Reply-To: <223f97700912020934i21f5b2fflbbe487a5a63b84a1@mail.gmail.com> References: <1259682854.16497.2.camel@lancehaig> <223f97700912020050l35a61a1dt8f61c4c8ff7c1c7c@mail.gmail.com> <1259765728.5419.4.camel@lancehaig> <223f97700912020934i21f5b2fflbbe487a5a63b84a1@mail.gmail.com> Message-ID: <003801ca7395$d95750e0$8c05f2a0$@dk> > 2009/12/2 Lance Haig : > > On Wed, 2009-12-02 at 07:37 -0500, Garrod M. Alwood wrote: > >> I didn't think you could release on a multi-MS to one Mailwatch > setup > > > > > > My thoughts are the same on this one > > > > I really hope you are wrong :-) > > > > Lance > > > You can have multiple MailScanner servers logging to one database... > You'll still need MailWatch installed on the respective MX hosts, > but... XML-RPC will take care of running the release on the correct > server (where the quarantined item is actually stored). There are a > few things to look at/tinker a bit with, but ... to all intents and > purposes this will be all you need, once you get it going. > Or did I misunderstand your intent? > > Cheers > -- Just so Glenn isn't all alone in claiming the above... We have run with a handful of mailscanner servers and 1 centralized mailwatch/DB for several years. It works great, no issues at all that I can think of. Except for mailwatch not scaling well, you shouldn't encounter any issues. Best regards and good luck Jonas Larsen From lhaig at haigmail.com Wed Dec 2 23:23:36 2009 
From: lhaig at haigmail.com (Lance Haig) Date: Wed Dec 2 23:23:59 2009 Subject: Single Quarantine for more than one MS server In-Reply-To: <223f97700912020934i21f5b2fflbbe487a5a63b84a1@mail.gmail.com> References: <1259682854.16497.2.camel@lancehaig> <223f97700912020050l35a61a1dt8f61c4c8ff7c1c7c@mail.gmail.com> <1259765728.5419.4.camel@lancehaig> <223f97700912020934i21f5b2fflbbe487a5a63b84a1@mail.gmail.com> Message-ID: <4B16F6F8.7030802@haigmail.com> On 12/02/2009 05:34 PM, Glenn Steen wrote: > 2009/12/2 Lance Haig: >> On Wed, 2009-12-02 at 07:37 -0500, Garrod M. Alwood wrote: >>> I didn't think you could release on a multi-MS to one Mailwatch setup >> >> >> My thoughts are the same on this one >> >> I really hope you are wrong :-) >> >> Lance >> > You can have multiple MailScanner servers logging to one database... > You'll still need MailWatch installed on the respective MX hosts, > but... XML-RPC will take care of running the release on the correct > server (where the quarantined item is actually stored). There are a > few things to look at/tinker a bit with, but ... to all intents and > purposes this will be all you need, once you get it going. > Or did I misunderstand your intent? > > Cheers You understood perfectly. so the idea is to create one db server. and have multiple ms servers with mailwatch. is there documentation for the xml-rpc setup? or will you be willing to help me out. Thanks Lance -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From goetz.reinicke at filmakademie.de Thu Dec 3 08:11:39 2009 
From: goetz.reinicke at filmakademie.de (=?ISO-8859-15?Q?G=F6tz_Reinicke_-_IT-Koordinator?=) Date: Thu Dec 3 08:11:56 2009 Subject: parsing/reading /etc/MailScanner/conf.d/README Message-ID: <4B1772BB.1000600@filmakademie.de> Hi, I noticed that I do have the /etc/MailScanner/conf.d/README File and Mailscanner tries to parse or read it ... From my maillog: Dec 3 09:08:53 mail MailScanner[32139]: Reading configuration file /etc/MailScanner/MailScanner.conf Dec 3 09:08:53 mail MailScanner[32139]: Reading configuration file /etc/MailScanner/conf.d/README MailScanner E-Mail Virus Scanner version 4.78.17 Regards, Götz -- Götz Reinicke IT Coordinator Tel. +49 7141 969 420 Fax +49 7141 969 55 420 E-Mail goetz.reinicke@filmakademie.de Filmakademie Baden-Württemberg GmbH Akademiehof 10 71638 Ludwigsburg www.filmakademie.de Registered at Amtsgericht Stuttgart, HRB 205016 Chair of the Supervisory Board: Prof. Dr. Claudia Hübner, State Councillor for Demographic Change and for Senior Citizens in the State Ministry Managing Director: Prof. Thomas Schadt From MailScanner at ecs.soton.ac.uk Thu Dec 3 09:08:00 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Dec 3 09:08:40 2009 Subject: Quarantining password-protected ZIPs? In-Reply-To: <200912021716.46820.Antony.Stone@mailscanner.open.source.it> References: <200912021716.46820.Antony.Stone@mailscanner.open.source.it> <4B177FF0.4050905@ecs.soton.ac.uk> Message-ID: Look in MailScanner.conf and search for "Zip-Password". That way you can stop them being treated as "Silent Viruses" and so they will be quarantined and so on for you. On 02/12/2009 16:16, Antony Stone wrote: > Hi. > > MailScanner has a nice feature to detect when an attachment contains a > password-protected ZIP file, and you can specify whether such attachments are > permitted or not. > > I would like to block such attachments by default, storing them in quarantine, > and send a notification message to the recipient, or the postmaster, so that > if the email is from a trusted source, it can be released and delivered. > > However, it appears that if a password-protected zip file is discovered, it is > treated as though it's a virus, and therefore: > > a) the original email is thrown away and can't be delivered later > > b) no notification can be sent to the recipient or the postmaster unless they > get these for real viruses too > > I hope I am I missing something about the configuration options: > > - Is it possible to treat password-protected ZIPs like spam instead of like > viruses? > > - Is it possible to quarantine such attachments, without quarantining all > viruses (or archiving all email)? > > I hope someone can help, > > > Thanks, > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! 
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Thu Dec 3 09:09:13 2009 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Dec 3 09:09:34 2009 Subject: parsing/reading /etc/MailScanner/conf.d/README In-Reply-To: <4B1772BB.1000600@filmakademie.de> References: <4B1772BB.1000600@filmakademie.de> <4B178039.1080907@ecs.soton.ac.uk> Message-ID: On 03/12/2009 08:11, Götz Reinicke - IT-Koordinator wrote: > Hi, > > I noticed that I do have the /etc/MailScanner/conf.d/README File and > Mailscanner tries to parse or read it ... > MailScanner processes all files in conf.d by mistake. That's why I carefully added comment characters at the start of each line in the README file, specifically so that it wouldn't cause any harm. > > From my maillog: > > Dec 3 09:08:53 mail MailScanner[32139]: Reading configuration file > /etc/MailScanner/MailScanner.conf > > Dec 3 09:08:53 mail MailScanner[32139]: Reading configuration file > /etc/MailScanner/conf.d/README > > MailScanner E-Mail Virus Scanner version 4.78.17 > > > Regards, > > Götz > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From goetz.reinicke at filmakademie.de Thu Dec 3 10:09:46 2009 
From: goetz.reinicke at filmakademie.de (=?ISO-8859-15?Q?G=F6tz_Reinicke_-_IT-Koordinator?=) Date: Thu Dec 3 10:10:08 2009 Subject: parsing/reading /etc/MailScanner/conf.d/README In-Reply-To: References: <4B1772BB.1000600@filmakademie.de> <4B178039.1080907@ecs.soton.ac.uk> Message-ID: <4B178E6A.1040808@filmakademie.de> Julian Field wrote: > > > On 03/12/2009 08:11, Götz Reinicke - IT-Koordinator wrote: >> Hi, >> >> I noticed that I do have the /etc/MailScanner/conf.d/README File and >> Mailscanner tries to parse or read it ... >> > MailScanner processes all files in conf.d by mistake. That's why I > carefully added comment characters at the start of each line in the > README file, specifically so that it wouldn't cause any harm. That's what I thought :-), but wouldn't it be "better" to parse only e.g. ".conf" Files? You say "by mistake" - are there any parsing-changes in the next MS? E.g. sometimes I do have a working config for a system and if I change multiple parameters for testing, I just copy the working config to another name (.conf.working), so I can switch back very fast to the working config... Cheers, Götz -- Götz Reinicke IT Coordinator Tel. +49 7141 969 420 Fax +49 7141 969 55 420 E-Mail goetz.reinicke@filmakademie.de Filmakademie Baden-Württemberg GmbH Akademiehof 10 71638 Ludwigsburg www.filmakademie.de Registered at Amtsgericht Stuttgart, HRB 205016 Chair of the Supervisory Board: Prof. Dr. Claudia Hübner, State Councillor for Demographic Change and for Senior Citizens in the State Ministry Managing Director: Prof. Thomas Schadt From ajcartmell at fonant.com Thu Dec 3 10:41:54 2009 
From: ajcartmell at fonant.com (Anthony Cartmell) Date: Thu Dec 3 10:41:57 2009 Subject: OT: PGP In-Reply-To: <49df20710912010457i73e7af09m856ade85ffe513f@mail.gmail.com> References: <49df20710911301504m47d979abx85b00efa7d9383fd@mail.gmail.com> <49df20710912010457i73e7af09m856ade85ffe513f@mail.gmail.com> Message-ID: > Were they using Exchange? I think so, but not certain. But the Outlook plugin should work irrespective of the MTA, I'd have thought? > I found GPG4Win didn't inspire my > confidence (I got a message saying Outlook couldn't update my > reminders at one point) and it just felt a bit flakey. To be fair > though I didn't have time to do what you might call thorough testing. It's not the most professional of products, I agree, but if you can get it to work the price is excellent :) Anthony -- www.fonant.com - Quality web sites Fonant Ltd is registered in England and Wales, company No. 7006596 Registered office: Grafton Lodge, 15 Grafton Road, Worthing, West Sussex, BN11 1QR From MailScanner at ecs.soton.ac.uk Thu Dec 3 10:46:40 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Dec 3 11:11:28 2009 Subject: parsing/reading /etc/MailScanner/conf.d/README In-Reply-To: <4B178E6A.1040808@filmakademie.de> References: <4B1772BB.1000600@filmakademie.de> <4B178039.1080907@ecs.soton.ac.uk> <4B178E6A.1040808@filmakademie.de> <4B179710.2000704@ecs.soton.ac.uk> Message-ID: On 03/12/2009 10:09, Götz Reinicke - IT-Koordinator wrote: > Julian Field wrote: > >> >> On 03/12/2009 08:11, Götz Reinicke - IT-Koordinator wrote: >> >>> Hi, >>> >>> I noticed that I do have the /etc/MailScanner/conf.d/README File and >>> Mailscanner tries to parse or read it ... >>> >>> >> MailScanner processes all files in conf.d by mistake. That's why I >> carefully added comment characters at the start of each line in the >> README file, specifically so that it wouldn't cause any harm. >> > > That's what I thought :-), but wouldn't it be "better" to parse only e.g. > ".conf" Files? > No, I wanted to parse them regardless of what you felt like naming them. > You say "by mistake" - are there any parsing-changes in the next MS? > Sorry, I meant "by design" and not "by mistake" ! :( Typing too fast too early in the morning... > E.g. sometimes I do have a working config for a system and if I change > multiple parameters for testing, I just copy the working config to > another name (.conf.working), so I can switch back very fast to the > working config... > cd /etc/MailScanner cp -r conf.d conf.d.working should do the job nicely for you. > Cheers, > > Götz > > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! 
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From waytotheweb at googlemail.com Thu Dec 3 11:45:14 2009 
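The conf.d thread above establishes that MailScanner reads every file in conf.d whatever it is called, so a backup copy left inside that directory stays live. The audit script below is an added example, not part of the list posts or of MailScanner; it assumes `#` starts a comment and that setting names compare case-insensitively with whitespace collapsed, and its sample files are constructed.

```shell
#!/bin/sh
# Audit a MailScanner conf.d directory: every regular file in it is read,
# whatever its name, so list the files that carry live settings and the
# settings that more than one file defines.
# Assumptions: '#' starts a comment; setting names are compared
# case-insensitively with runs of whitespace collapsed.

# active_settings FILE -> one normalised setting name per live "Name = value" line
active_settings() {
    sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d' "$1" |
    awk -F= 'NF >= 2 {
        k = tolower($1)
        gsub(/[[:space:]]+/, " ", k)
        sub(/ $/, "", k)
        if (k != "") print k
    }'
}

# audit_confd DIR -> "ACTIVE <file> <count>" and "DUPLICATE <setting>: <files>"
audit_confd() {
    dir=$1
    tmp=$(mktemp "${TMPDIR:-/tmp}/confd-audit.XXXXXX") || return 1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        n=$(active_settings "$f" | wc -l | tr -d ' ')
        if [ "$n" -gt 0 ]; then
            printf 'ACTIVE %s %s\n' "$name" "$n"
        fi
        # Record each setting once per file so only cross-file clashes count.
        active_settings "$f" | LC_ALL=C sort -u |
            awk -v file="$name" '{ printf "%s\t%s\n", $0, file }' >> "$tmp"
    done
    LC_ALL=C sort "$tmp" | awk -F'\t' '
        { files[$1] = files[$1] " " $2; seen[$1]++ }
        END { for (k in seen) if (seen[k] > 1) print "DUPLICATE " k ":" files[k] }
    ' | LC_ALL=C sort
    rm -f "$tmp"
}

# demo: build a constructed conf.d with a commented README, a live file and
# a ".working" backup of it, then audit it.
demo() {
    demo_dir=$(mktemp -d "${TMPDIR:-/tmp}/confd-demo.XXXXXX") || return 1
    printf '# Notes about this directory.\n# Silent Viruses = example only\n' \
        > "$demo_dir/README"
    printf 'Silent Viruses = HTML-IFrame All-Viruses\n' > "$demo_dir/site.conf"
    printf 'Silent Viruses = HTML-IFrame\n' > "$demo_dir/site.conf.working"
    audit_confd "$demo_dir"
    rm -rf "$demo_dir"
}

# Audit the directory given as the first argument, or run the demo.
if [ -n "${1:-}" ]; then audit_confd "$1"; else demo; fi
```

Copying the whole directory aside, as in the `cp -r conf.d conf.d.working` reply above, keeps the backup out of conf.d, so this audit reports nothing for it.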
From: waytotheweb at googlemail.com (Sarah Michaelson) Date: Thu Dec 3 11:45:23 2009 Subject: MailScanner Deleting incoming spool directories Message-ID: Hi all, We have a client who has mailscanner installed on a number of cPanel servers and it has been working great up until the last few weeks, when on about 10 of his servers he started getting these errors in the maillog: Nov 12 21:49:12 paris MailScanner[1313]: Cannot cd to dir /var/spool/exim_incoming/input/2 to read messages, No such file or directory Nov 12 21:49:12 paris MailScanner[1313]: Cannot cd to dir /var/spool/exim_incoming/input/2 to read messages, No such file or directory Nov 12 21:49:12 paris MailScanner[1313]: Cannot cd to dir /var/spool/exim_incoming/input/3 to read messages, No such file or directory Nov 12 21:49:12 paris MailScanner[1313]: Cannot cd to dir /var/spool/exim_incoming/input/3 to read messages, No such file or directory Nov 12 21:49:12 paris MailScanner[1313]: Cannot cd to dir /var/spool/exim_incoming/input/4 to read messages, No such file or directory Nov 12 21:49:12 paris MailScanner[1313]: Cannot cd to dir /var/spool/exim_incoming/input/4 to read messages, No such file or directory Nov 12 21:49:12 paris MailScanner[1313]: Cannot cd to dir /var/spool/exim_incoming/input/5 to read messages, No such file or directory Nov 12 21:49:12 paris MailScanner[1313]: Cannot cd to dir /var/spool/exim_incoming/input/5 to read messages, No such file or directory Nov 12 21:49:12 paris MailScanner[1313]: Cannot cd to dir /var/spool/exim_incoming/input/6 to read messages, No such file or directory What seems to be happening is that once MailScanner processes the mail in the incoming queue, it starts deleting the empty spool directories. I've tried uninstalling and reinstalling the latest stable version, uninstalling and reinstalling the previous stable version (because he said it seemed to start after an upgrade) and the problem still occurs. 
System information: MailScanner v4.78.17 (tried version v4.77.10 and still had problem) MTA is exim 4.69 CentOS 5.4 cPanel 11.25.0-C40255 8 GB RAM 8 CPUs I would be very grateful for any suggestions of where to look or what to try next to resolve this issue. -- Regards, Sarah Michaelson Way to the Web Ltd Server Management Services: http://www.configserver.com From MailScanner at ecs.soton.ac.uk Thu Dec 3 12:28:11 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Dec 3 12:28:34 2009 Subject: MailScanner Deleting incoming spool directories In-Reply-To: References: <4B17AEDB.3060108@ecs.soton.ac.uk> Message-ID: What did he change a "few weeks" ago? I might suspect his setting of Incoming Work Dir, which is not the same as Incoming Queue Dir ! Jules. On 03/12/2009 11:45, Sarah Michaelson wrote: > Hi all, > > We have a client who has mailscanner installed on a number of cPanel > servers and it has been working great up until the last few weeks, > when on about 10 of his servers he started getting these errors in the > maillog: > > Nov 12 21:49:12 paris MailScanner[1313]: Cannot cd to dir > /var/spool/exim_incoming/input/2 to read messages, No such file or > directory > Nov 12 21:49:12 paris MailScanner[1313]: Cannot cd to dir > /var/spool/exim_incoming/input/2 to read messages, No such file or > directory > Nov 12 21:49:12 paris MailScanner[1313]: Cannot cd to dir > /var/spool/exim_incoming/input/3 to read messages, No such file or > directory > Nov 12 21:49:12 paris MailScanner[1313]: Cannot cd to dir > /var/spool/exim_incoming/input/3 to read messages, No such file or > directory > Nov 12 21:49:12 paris MailScanner[1313]: Cannot cd to dir > /var/spool/exim_incoming/input/4 to read messages, No such file or > directory > Nov 12 21:49:12 paris MailScanner[1313]: Cannot cd to dir > /var/spool/exim_incoming/input/4 to read messages, No such file or > directory > Nov 12 21:49:12 paris MailScanner[1313]: Cannot cd to dir > /var/spool/exim_incoming/input/5 to read messages, No such file or > directory > Nov 12 21:49:12 paris MailScanner[1313]: Cannot cd to dir > /var/spool/exim_incoming/input/5 to read messages, No such file or > directory > Nov 12 21:49:12 paris MailScanner[1313]: Cannot cd to dir > /var/spool/exim_incoming/input/6 to read messages, No such file or > directory > > What seems to be happening is that once MailScanner processes the mail > in the incoming 
queue, it starts deleting the empty spool directories. > I've tried uninstalling and reinstalling the latest stable version, > uninstalling and reinstalling the previous stable version (because he > said it seemed to start after an upgrade) and the problem still > occurs. > > System information: > > MailScanner v4.78.17 (tried version v4.77.10 and still had problem) > MTA is exim 4.69 > CentOS 5.4 > cPanel 11.25.0-C40255 > 8 GB RAM > 8 CPUs > > I would be very grateful for any suggestions of where to look or what > to try next to resolve this issue. > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From pascal.maes at elec.ucl.ac.be Thu Dec 3 13:45:31 2009 From: pascal.maes at elec.ucl.ac.be (Pascal Maes) Date: Thu Dec 3 13:47:26 2009 Subject: Other Bad Content Detected Message-ID: Hello, Is it possible to have a white list for the "cantanalyze" situation ? I would like that if the From: and/or the To: match some values, the message will not be quarantined. Thanks -- Pascal From glenn.steen at gmail.com Thu Dec 3 14:56:30 2009 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Dec 3 14:56:42 2009 Subject: Single Quarantine for more than one MS server In-Reply-To: <4B16F6F8.7030802@haigmail.com> References: <1259682854.16497.2.camel@lancehaig> <223f97700912020050l35a61a1dt8f61c4c8ff7c1c7c@mail.gmail.com> <1259765728.5419.4.camel@lancehaig> <223f97700912020934i21f5b2fflbbe487a5a63b84a1@mail.gmail.com> <4B16F6F8.7030802@haigmail.com> Message-ID: <223f97700912030656p2b6918eu5de26fc7d3dc6feb@mail.gmail.com> 2009/12/3 Lance Haig : > On 12/02/2009 05:34 PM, Glenn Steen wrote: >> >> 2009/12/2 Lance Haig: >>> >>> On Wed, 2009-12-02 at 07:37 -0500, Garrod M. Alwood wrote: >>>> >>>> I didn't think you could release on a multi-MS to one Mailwatch setup >>> >>> >>> My thoughts are the same on this one >>> >>> I really hope you are wrong :-) >>> >>> Lance >>> >> You can have multiple MailScanner servers logging to one database... >> You'll still need MailWatch installed on the respective MX hosts, >> but... XML-RPC will take care of running the release on the correct >> server (where the quarantined item is actually stored). There are a >> few things to look at/tinker a bit with, but ... to all intents and >> purposes this will be all you need, once you get it going. >> Or did I misunderstand your intent? >> >> Cheers > > > You understood perfectly. > > so the idea is to create one db server. > > and have multiple ms servers with mailwatch. > > is there documentation for the xml-rpc setup? or will you be willing to help > me out. > > Thanks > Lance > The docs, RemoteDB.txt, is slightly wrong (enumeration of steps in the INSTALL file in the tarball... But if you read it with a critical eye, it shouldn't be that difficult:-). There have been a few threads, on the MailWatch list, lately on the xml-rpc problems some have had with newer versions of php, so ... take a look there;-). 
Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ricardo at wenn.com Thu Dec 3 15:00:22 2009 From: ricardo at wenn.com (Ricardo Branco) Date: Thu Dec 3 15:00:43 2009 Subject: Problem with Return-Path from certain ISPs Message-ID: <4B17D286.9020303@wenn.com> Centos+MailScanner+Sendmail+DovecotLDA We started noticing issues with return-path not being passed through to Sendmail/DovecotLDA. This causes a knock-on effect on Sieve filters in DovecotLDA which rely on Return-Path being passed through. If I take MailScanner out of the loop then all is well, Return-Path exists to my mailbox, but if MS is running then it does not come through. Any reason why this would be happening? From waytotheweb at googlemail.com Thu Dec 3 15:16:45 2009 
From: waytotheweb at googlemail.com (Sarah Michaelson) Date: Thu Dec 3 15:16:55 2009 Subject: MailScanner Deleting incoming spool directories In-Reply-To: References: <4B17AEDB.3060108@ecs.soton.ac.uk> Message-ID: 2009/12/3 Julian Field : > What did he change a "few weeks" ago? > I might suspect his setting of Incoming Work Dir, which is not the same as > Incoming Queue Dir ! He says he did not change anything. I wondered about a configuration change as well but since I uninstalled and reinstalled MailScanner twice with fresh, default settings I don't see how that could be the case. Sarah Michaelson > > Jules. > > On 03/12/2009 11:45, Sarah Michaelson wrote: >> >> Hi all, >> >> We have a client who has mailscanner installed on a number of cPanel >> servers and it has been working great up until the last few weeks, >> when on about 10 of his servers he started getting these errors in the >> maillog: >> >> Nov 12 21:49:12 paris MailScanner[1313]: Cannot cd to dir >> /var/spool/exim_incoming/input/2 to read messages, No such file or >> directory >> Nov 12 21:49:12 paris MailScanner[1313]: Cannot cd to dir >> /var/spool/exim_incoming/input/2 to read messages, No such file or >> directory >> Nov 12 21:49:12 paris MailScanner[1313]: Cannot cd to dir >> /var/spool/exim_incoming/input/3 to read messages, No such file or >> directory >> Nov 12 21:49:12 paris MailScanner[1313]: Cannot cd to dir >> /var/spool/exim_incoming/input/3 to read messages, No such file or >> directory >> Nov 12 21:49:12 paris MailScanner[1313]: Cannot cd to dir >> /var/spool/exim_incoming/input/4 to read messages, No such file or >> directory >> Nov 12 21:49:12 paris MailScanner[1313]: Cannot cd to dir >> /var/spool/exim_incoming/input/4 to read messages, No such file or >> directory >> Nov 12 21:49:12 paris MailScanner[1313]: Cannot cd to dir >> /var/spool/exim_incoming/input/5 to read messages, No such file or >> directory >> Nov 12 21:49:12 paris MailScanner[1313]: Cannot cd to dir >> 
/var/spool/exim_incoming/input/5 to read messages, No such file or >> directory >> Nov 12 21:49:12 paris MailScanner[1313]: Cannot cd to dir >> /var/spool/exim_incoming/input/6 to read messages, No such file or >> directory >> >> What seems to be happening is that once MailScanner processes the mail >> in the incoming queue, it starts deleting the empty spool directories. >> I've tried uninstalling and reinstalling the latest stable version, >> uninstalling and reinstalling the previous stable version (because he >> said it seemed to start after an upgrade) and the problem still >> occurs. >> >> System information: >> >> MailScanner v4.78.17 (tried version v4.77.10 and still had problem) >> MTA is exim 4.69 >> CentOS 5.4 >> cPanel 11.25.0-C40255 >> 8 GB RAM >> 8 CPUs >> >> I would be very grateful for any suggestions of where to look or what >> to try next to resolve this issue. >> >> > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > Follow me at twitter.com/JulesFM and twitter.com/MailScanner > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- Regards, Sarah Michaelson Way to the Web Ltd Server Management Services: http://www.configserver.com From Antony.Stone at mailscanner.open.source.it Thu Dec 3 15:46:07 2009 
From: Antony.Stone at mailscanner.open.source.it (Antony Stone) Date: Thu Dec 3 15:46:27 2009 Subject: Quarantining password-protected ZIPs? In-Reply-To: References: <200912021716.46820.Antony.Stone@mailscanner.open.source.it> <4B177FF0.4050905@ecs.soton.ac.uk> Message-ID: <200912031646.07717.Antony.Stone@mailscanner.open.source.it> On Thursday 03 December 2009, Julian Field wrote: > Look in MailScanner.conf and search for "Zip-Password". That way you can > stop them being treated as "Silent Viruses" and so they will be > quarantined and so on for you. Thanks for the suggestion. I currently have: Silent Viruses = HTML-IFrame All-Viruses The config file says "Zip-Password: This keyword is not needed if you include All-Viruses." "All-Viruses: .... this includes Zip-Password so you don't need to include both" So, what should I set Silent Viruses to if I want all real viruses to be treated silently, but I want Zips with Passwords to be treated non-silently? Basically, how do I say "All-Viruses except Zip-Password"? Thanks, Antony. > On 02/12/2009 16:16, Antony Stone wrote: > > Hi. > > > > MailScanner has a nice feature to detect when an attachment contains a > > password-protected ZIP file, and you can specify whether such attachments > > are permitted or not. > > > > I would like to block such attachments by default, storing them in > > quarantine, and send a notification message to the recipient, or the > > postmaster, so that if the email is from a trusted source, it can be > > released and delivered. 
> > > > However, it appears that if a password-protected zip file is discovered, > > it is treated as though it's a virus, and therefore: > > > > a) the original email is thrown away and can't be delivered later > > > > b) no notification can be sent to the recipient or the postmaster unless > > they get these for real viruses too > > > > I hope I am missing something about the configuration options: > > > > - Is it possible to treat password-protected ZIPs like spam instead of > > like viruses? > > > > - Is it possible to quarantine such attachments, without quarantining > > all viruses (or archiving all email)? > > > > I hope someone can help, > > > > > > Thanks, -- Tinned food was developed for the British Navy in 1813. The tin opener was not invented until 1858. Please reply to the list; please don't CC me. From ricardo at wenn.com Thu Dec 3 16:09:26 2009 From: ricardo at wenn.com (Ricardo Branco) Date: Thu Dec 3 16:09:38 2009 Subject: Signature causing blank emails Message-ID: <4B17E2B6.3060005@wenn.com> Centos+MailScanner+Sendmail+DovecotLDA Since upgrading to the latest MS version (4.78.17-4 from rpm.tar.gz) it seems that it now always tries to sign internal messages even though I have the same config as before. From: 10.0.0. yes FromOrTo: default no This is causing issues where it tries to sign a HTML message that already has a HTML signature, I then end up with a blank email with a few attachments. From ricardo at wenn.com Thu Dec 3 21:20:37 2009 From: ricardo at wenn.com (Ricardo Branco) Date: Thu Dec 3 21:21:07 2009 Subject: Signature causing blank emails Message-ID: <4B182BA5.3090601@wenn.com> Dont Sign HTML If Headers Exist = In-Reply-To: References: I think this setting is broken; if I try and use it as shown above I end up with broken emails. I can't understand what has happened. From logs at comp-wiz.com Fri Dec 4 01:04:27 2009 
From: logs at comp-wiz.com (Vernon) Date: Fri Dec 4 01:04:51 2009 Subject: {Spam?} Everything being labeled as SPAM Message-ID: <009501ca747d$bb3f43e0$31bdcba0$@com> Almost all emails being received at my server are being labeled as SPAM. I read through the config file and for the life of me I couldn't find where you turn it down some. I know that there is a score that tells it to label the email with that tag, can someone please refresh my memory. Thanks -- This message has been scanned for viruses and dangerous content by comp-wiz.com, and is believed to be clean. From hvdkooij at vanderkooij.org Fri Dec 4 06:34:41 2009
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Fri Dec 4 06:34:57 2009 Subject: Whitelists. In-Reply-To: References: Message-ID: <4B18AD81.7010007@vanderkooij.org> On 02/12/09 15:47, Richard Mealing wrote: > Hi everyone, > > I have a centralised mailwatch but currently I am using white/black list > per domain ie, not sql. > > Does anyone have anything set-up currently that gives the user for their > domain(s) the ability to configure their own white/black lists? > > I'm looking for some sort of customer portal that would let them log in > and update their own white lists. Well. I would be cautious with user whitelists. If anything it is the weak spot of the Barracuda solution. Because users don't understand email (most of the time). So they end up whitelisting all sorts of silly addresses and then complain about the amount of spam they get. Real life example: They whitelist all of hotmail but get dozens of fake messages each day from alleged hotmail accounts. They get one or two from a friend each week that are legit and would not be stopped anyway. (Even when those are totally not work related.) So I would be rather cautious and make this a process that you supervise and forget about automating it. From hvdkooij at vanderkooij.org Fri Dec 4 06:40:50 2009
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Fri Dec 4 06:40:59 2009 Subject: {Spam?} Everything being labeled as SPAM In-Reply-To: <009501ca747d$bb3f43e0$31bdcba0$@com> References: <009501ca747d$bb3f43e0$31bdcba0$@com> Message-ID: <4B18AEF2.6050907@vanderkooij.org> On 04/12/09 02:04, Vernon wrote: > Almost all emails being received at my server are being labeled as SPAM. > I read through the config file and for the life of me I couldn't find > where you turn it down some. I know that there is a score that tells it > to label the email with that tag, can someone please refresh my memory. Well. Check your own message: X-compWIZ-MailScanner-SpamCheck: spam, spamhaus-ZEN That wasn't so hard to find. Hugo. From logs at comp-wiz.com Fri Dec 4 15:39:12 2009 From: logs at comp-wiz.com (Vernon) Date: Fri Dec 4 15:39:34 2009 Subject: {Spam?} RE: {Spam?} Everything being labeled as SPAM In-Reply-To: <4B18AEF2.6050907@vanderkooij.org> References: <009501ca747d$bb3f43e0$31bdcba0$@com> <4B18AEF2.6050907@vanderkooij.org> Message-ID: <00d501ca74f7$ee83ce40$cb8b6ac0$@com> Not sure what you mean... -----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Hugo van der Kooij Sent: Friday, December 04, 2009 1:41 AM To: mailscanner@lists.mailscanner.info Subject: Re: {Spam?} Everything being labeled as SPAM On 04/12/09 02:04, Vernon wrote: > Almost all emails being received at my server are being labeled as SPAM. > I read through the config file and for the life of me I couldn't find > where you turn it down some. I know that there is a score that tells it > to label the email with that tag, can someone please refresh my memory. Well. Check your own message: X-compWIZ-MailScanner-SpamCheck: spam, spamhaus-ZEN That wasn't so hard to find. Hugo. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by comp-wiz.com, and is believed to be clean. From logs at comp-wiz.com Fri Dec 4 18:01:32 2009 From: logs at comp-wiz.com (Vernon) Date: Fri Dec 4 18:01:58 2009 Subject: {Spam?} RE: {Spam?} RE: {Spam?} Everything being labeled as SPAM In-Reply-To: <00d501ca74f7$ee83ce40$cb8b6ac0$@com> References: <009501ca747d$bb3f43e0$31bdcba0$@com> <4B18AEF2.6050907@vanderkooij.org> <00d501ca74f7$ee83ce40$cb8b6ac0$@com> Message-ID: <00d901ca750b$d09b9e30$71d2da90$@com> If you mean I should check the RBLs, I have and I am not listed. It appears that every message we send out is marked as SPAM, our own emails. How can I correct this? Thanks -----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Hugo van der Kooij Sent: Friday, December 04, 2009 1:41 AM To: mailscanner@lists.mailscanner.info Subject: Re: {Spam?} Everything being labeled as SPAM On 04/12/09 02:04, Vernon wrote: > Almost all emails being received at my server are being labeled as SPAM. > I read through the config file and for the life of me I couldn't find > where you turn it down some. I know that there is a score that tells it > to label the email with that tag, can someone please refresh my memory. Well. Check your own message: X-compWIZ-MailScanner-SpamCheck: spam, spamhaus-ZEN That wasn't so hard to find. Hugo. From logs at comp-wiz.com Fri Dec 4 18:46:02 2009
From: logs at comp-wiz.com (Vernon Webb) Date: Fri Dec 4 18:46:52 2009 Subject: {Spam?} RE: {Spam?} Everything being labeled as SPAM In-Reply-To: <00d501ca74f7$ee83ce40$cb8b6ac0$@com> References: <009501ca747d$bb3f43e0$31bdcba0$@com> <4B18AEF2.6050907@vanderkooij.org> <00d501ca74f7$ee83ce40$cb8b6ac0$@com> Message-ID: <002d01ca7512$07b90eb0$172b2c10$@com> Okay so I'm a little dense, I got it, you wanted me to check my RBL and I did, changed it from spamhaus-ZEN to SBL+XBL. Good idea? Is there a difference? Was spamhaus-ZEN a mistake? Thanks in advance, ~Vern From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Vernon Sent: Friday, December 04, 2009 10:39 AM To: MailScanner discussion Subject: {Spam?} RE: {Spam?} Everything being labeled as SPAM Not sure what you mean... -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Hugo van der Kooij Sent: Friday, December 04, 2009 1:41 AM To: mailscanner@lists.mailscanner.info Subject: Re: {Spam?} Everything being labeled as SPAM On 04/12/09 02:04, Vernon wrote: > Almost all emails being received at my server are being labeled as SPAM. > I read through the config file and for the life of me I couldn't find > where you turn it down some. I know that there is a score that tells it > to label the email with that tag, can someone please refresh my memory. Well. Check your own message: X-compWIZ-MailScanner-SpamCheck: spam, spamhaus-ZEN That wasn't so hard to find. Hugo. From hvdkooij at vanderkooij.org Sat Dec 5 10:40:03 2009
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Sat Dec 5 10:40:13 2009 Subject: {Spam?} RE: {Spam?} Everything being labeled as SPAM In-Reply-To: <002d01ca7512$07b90eb0$172b2c10$@com> References: <009501ca747d$bb3f43e0$31bdcba0$@com> <4B18AEF2.6050907@vanderkooij.org> <00d501ca74f7$ee83ce40$cb8b6ac0$@com> <002d01ca7512$07b90eb0$172b2c10$@com> Message-ID: <4B1A3883.9080606@vanderkooij.org> On 04/12/09 19:46, Vernon Webb wrote: > Okay so I'm a little dense, I got it, you wanted me to check my RBL and > I did, changed it from *spamhaus-ZEN* to *SBL+XBL*. Good idea? Is there > a difference? Was *spamhaus-ZEN* a mistake? Perhaps. Or you have exceeded the number of queries and you get everything blacklisted by them. I suggest you dig in the archives and their website in regard to your limitations in using spamhaus. Hugo. From ms-list at alexb.ch Sun Dec 6 11:11:11 2009 From: ms-list at alexb.ch (Alex Broens) Date: Sun Dec 6 11:11:20 2009 Subject: Headsup: possibly clamd crash Message-ID: <4B1B914F.7000300@alexb.ch> Last night, due to a corrupt clamav signature update, a number of my clamd instances crashed you may want to check if all is ok Alex From mark at msapiro.net Sun Dec 6 16:19:08 2009
From: mark at msapiro.net (Mark Sapiro) Date: Sun Dec 6 16:19:34 2009 Subject: Minor issue with ScamNailer updates. Message-ID: There seems to be an issue with updates to ScamNailer using the 2.07 script due to the numbering scheme. Files appear to be numbered wwd where ww is the week of the year and d is the day of the week, but the day follows the normal Sun - Sat, 0 - 6 numbering, but the week increments on Monday. This results, e.g., in files for Saturday named '486' and files for Sunday named '480'. I don't know if this is related to the following or not, but I get output from the update script at 05:16 UTC on Sunday like Reading status from /var/cache/ScamNailer/status Checking that /var/cache/ScamNailer/cache/2009-486 exists... ok Checking that /var/cache/ScamNailer/cache/2009-486.0 exists... ok I am working with: Current: 2009-480 - 1 and Status: 2009-486 - 0 This is base update Update required Retrieving http://www.mailscanner.tv/emails.2009-480.1 /var/cache/ScamNailer/cache/2009-480.1 Updating live file /var/cache/ScamNailer/phishing.emails.list Deleting cached file: 2009-486.... ok Reloading MailScanner workers: MailScanner: [ OK ] Outgoing postfix: [ OK ] which looks OK, but then on the next run at 11:16 UTC on Sunday Reading status from /var/cache/ScamNailer/status Checking that /var/cache/ScamNailer/cache/2009-480 exists... ok Checking that /var/cache/ScamNailer/cache/2009-480.1 exists... ok I am working with: Current: 2009-480 - 0 and Status: 2009-480 - 1 No base update required Update required Error!: 0<1 Updating live file /var/cache/ScamNailer/phishing.emails.list Deleting cached file: 2009-480.1.... ok Reloading MailScanner workers: MailScanner: [ OK ] Outgoing postfix: [ OK ] Somehow it appears that at 05:16 'current' is 2009-480.1, but at 11:16 'current' is 2009-480.0. What happened to 2009-480.1? -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B.
Dylan From MailScanner at ecs.soton.ac.uk Mon Dec 7 09:41:45 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Dec 7 09:42:06 2009 Subject: Minor issue with ScamNailer updates. In-Reply-To: References: <4B1CCDD9.2030504@ecs.soton.ac.uk> Message-ID: %W starts a week on Monday, but %w starts a week on Sunday. I have changed the %W to %U which also starts the week on Sunday. That should fix this. Well spotted! Jules. On 06/12/2009 16:19, Mark Sapiro wrote: > There seems to be an issue with updates to ScamNailer using the 2.07 > script due to the numbering scheme. Files appear to be numbered wwd > where ww is the week of the year and d is the day of the week, but the > day follows the normal Sun - Sat, 0 - 6 numbering, but the week > increments on Monday. > > This results, e.g., in files for Saturday named '486' and files for > Sunday named '480'. > > I don't know if this is related to the following or not, but I get > output from the update script at 05:16 UTC on Sunday like > > Reading status from /var/cache/ScamNailer/status > Checking that /var/cache/ScamNailer/cache/2009-486 exists... ok > Checking that /var/cache/ScamNailer/cache/2009-486.0 exists... ok > I am working with: Current: 2009-480 - 1 and Status: 2009-486 - 0 > This is base update > Update required > Retrieving http://www.mailscanner.tv/emails.2009-480.1 > /var/cache/ScamNailer/cache/2009-480.1 > Updating live file /var/cache/ScamNailer/phishing.emails.list > Deleting cached file: 2009-486.... ok > Reloading MailScanner workers: > MailScanner: [ OK ] > Outgoing postfix: [ OK ] > > which looks OK, but then on the next run at 11:16 UTC on Sunday > > Reading status from /var/cache/ScamNailer/status > Checking that /var/cache/ScamNailer/cache/2009-480 exists... ok > Checking that /var/cache/ScamNailer/cache/2009-480.1 exists... 
ok > I am working with: Current: 2009-480 - 0 and Status: 2009-480 - 1 > No base update required > Update required > Error!: 0<1 > Updating live file /var/cache/ScamNailer/phishing.emails.list > Deleting cached file: 2009-480.1.... ok > Reloading MailScanner workers: > MailScanner: [ OK ] > Outgoing postfix: [ OK ] > > Somehow it appears that at 05:16 'current' is 2009-480.1, but at 11:16 > 'current' is 2009-480.0. What happened to 2009-480.1? > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From edward.prendergast at netring.co.uk Mon Dec 7 11:53:57 2009
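
Added example, not part of the thread and not the ScamNailer script's own code: it reproduces the numbering Mark reports and shows the effect of Julian's change from %W to %U. The label layout `%Y-%W%w` (year, week of year, day of week) is an assumption inferred from the file names in the log, and the helper names are hypothetical.

```python
"""Week/day update labels in the style seen in the ScamNailer log (layout assumed)."""
from datetime import date, timedelta

# Assumed label layout "<year>-<week><weekday>", e.g. "2009-486".
OLD_FORMAT = "%Y-%W%w"  # %W counts weeks from Monday, %w counts days from Sunday (0)
NEW_FORMAT = "%Y-%U%w"  # %U counts weeks from Sunday, so it rolls over together with %w


def label(day, fmt):
    """Render the update label for a calendar day."""
    return day.strftime(fmt)


def label_key(text):
    """Split '2009-486' into (2009, 486) so labels compare numerically."""
    year, serial = text.split("-")
    return int(year), int(serial)


def find_regressions(start, days, fmt):
    """List (day, previous_label, label) where a day's label sorts before the day before."""
    regressions = []
    previous = label(start, fmt)
    for offset in range(1, days):
        day = start + timedelta(days=offset)
        current = label(day, fmt)
        if label_key(current) < label_key(previous):
            regressions.append((day, previous, current))
        previous = current
    return regressions


if __name__ == "__main__":
    # The weekend from the thread: Saturday 5 and Sunday 6 December 2009.
    start = date(2009, 12, 4)
    for offset in range(5):
        day = start + timedelta(days=offset)
        print(day.strftime("%a %d %b"), label(day, OLD_FORMAT), label(day, NEW_FORMAT))
    # Scan the whole year to show this is not specific to one weekend.
    for name, fmt in (("%W%w", OLD_FORMAT), ("%U%w", NEW_FORMAT)):
        found = find_regressions(date(2009, 1, 1), 365, fmt)
        print(name, "labels that go backwards in 2009:", len(found))
```

Every backwards step under %W%w falls on a Sunday, which is the 486 to 480 step reported above; under %U%w the labels only increase within a year.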
From: edward.prendergast at netring.co.uk (Edward Prendergast) Date: Mon Dec 7 11:54:19 2009 Subject: Taint error with Perl v5.10.1 Message-ID: <4B1CECD5.3040502@netring.co.uk> Hi, I'm trying to bypass the Perl of the system (Centos 5.4) so I can use CPAN for up to date modules. I've got a copy of Perl in /opt/perl5, and the new Perl is added to the beginning of $PATH. MailScanner itself starts fine but when it tries to pull in custom modules taint errors occur: Dec 7 11:40:24 server8 MailScanner[24803]: MailScanner E-Mail Virus Scanner version 4.78.17 starting... Dec 7 11:40:24 server8 MailScanner[24803]: Could not use Custom Function code /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm, it could not be "require"d. Make sure the last line is "1;" and t he module is correct with perl -wc (Error: Insecure dependency in require while running with -T switch at /usr/lib/MailScanner/MailScanner/Config.pm line 754. Dec 7 11:40:24 server8 MailScanner[24803]: ) Dec 7 11:40:24 server8 MailScanner[24803]: Could not use Custom Function code /usr/lib/MailScanner/MailScanner/CustomFunctions/CustomAction.pm, it could not be "require"d. Make sure the last line is "1;" an d the module is correct with perl -wc (Error: Insecure dependency in require while running with -T switch at /usr/lib/MailScanner/MailScanner/Config.pm line 754. Dec 7 11:40:24 server8 MailScanner[24803]: ) Dec 7 11:40:24 server8 MailScanner[24803]: Could not use Custom Function code /usr/lib/MailScanner/MailScanner/CustomFunctions/SQLBlackWhiteList.pm, it could not be "require"d. Make sure the last line is "1 ;" and the module is correct with perl -wc (Error: Insecure dependency in require while running with -T switch at /usr/lib/MailScanner/MailScanner/Config.pm line 754. Dec 7 11:40:24 server8 MailScanner[24803]: ) Dec 7 11:40:24 server8 MailScanner[24803]: Could not use Custom Function code /usr/lib/MailScanner/MailScanner/CustomFunctions/Ruleset-from-Function.pm, it could not be "require"d. 
Make sure the last line i s "1;" and the module is correct with perl -wc (Error: Insecure dependency in require while running with -T switch at /usr/lib/MailScanner/MailScanner/Config.pm line 754. Dec 7 11:40:24 server8 MailScanner[24803]: ) Dec 7 11:40:24 server8 MailScanner[24803]: Could not use Custom Function code /usr/lib/MailScanner/MailScanner/CustomFunctions/GenericSpamScanner.pm, it could not be "require"d. Make sure the last line is " 1;" and the module is correct with perl -wc (Error: Insecure dependency in require while running with -T switch at /usr/lib/MailScanner/MailScanner/Config.pm line 754. Dec 7 11:40:24 server8 MailScanner[24803]: ) Dec 7 11:40:24 server8 MailScanner[24803]: Could not use Custom Function code /usr/lib/MailScanner/MailScanner/CustomFunctions/ZMRouterDirHash.pm, it could not be "require"d. Make sure the last line is "1;" and the module is correct with perl -wc (Error: Insecure dependency in require while running with -T switch at /usr/lib/MailScanner/MailScanner/Config.pm line 754. Dec 7 11:40:24 server8 MailScanner[24803]: ) Dec 7 11:40:24 server8 MailScanner[24803]: Could not use Custom Function code /usr/lib/MailScanner/MailScanner/CustomFunctions/MyExample.pm, it could not be "require"d. Make sure the last line is "1;" and the module is correct with perl -wc (Error: Insecure dependency in require while running with -T switch at /usr/lib/MailScanner/MailScanner/Config.pm line 754. Dec 7 11:40:24 server8 MailScanner[24803]: ) When MailScanner drops privileges it goes down to the postfix user. In case this was related to file permissions I altered all the custom modules ownership to root:postfix but this made no difference. My best guess is a tainted @INC: http://search.cpan.org/~dapm/perl-5.10.1/pod/perlsec.pod#Taint_mode_and_@INC But I'm not sure if this is correct, and if it is, how to go about solving it? Thanks, Edward ************ The information in this email is confidential and may be legally privileged. 
It is intended solely for the addressee. Access to this email by anyone else is unauthorised. If you are not the intended recipient, any action taken or omitted to be taken in reliance on it, any form of reproduction, dissemination, copying, disclosure, modification, distribution and/or publication of this E-mail message is strictly prohibited and may be unlawful. If you have received this E-mail message in error, please notify us immediately. Please also destroy and delete the message from your computer. ************ From drew.marshall at trunknetworks.com Mon Dec 7 12:18:32 2009 From: drew.marshall at trunknetworks.com (Drew Marshall) Date: Mon Dec 7 12:18:53 2009 Subject: Taint error with Perl v5.10.1 In-Reply-To: <4B1CECD5.3040502@netring.co.uk> References: <4B1CECD5.3040502@netring.co.uk> Message-ID: <881E10D2-165D-40D0-890F-9BB4FA0CAE37@trunknetworks.com> On 7 Dec 2009, at 11:53, Edward Prendergast wrote: > When MailScanner drops privileges it goes down to the postfix user. > In case this was related to file permissions I altered all the > custom modules ownership to root:postfix but this made no > difference. My best guess is a tainted @INC: > > http://search.cpan.org/~dapm/perl-5.10.1/pod/perlsec.pod#Taint_mode_and_ > @INC > > But I'm not sure if this is correct, and if it is, how to go about > solving it? Try installing the latest beta. I believe Jules has fixed tainting issues in that version. Drew -- In line with our policy, this message has been scanned for viruses and dangerous content. Our email policy can be found at www.trunknetworks.com/policy Trunk Networks Limited is registered in Scotland with registration number: SC351063 Registered Office 55-57 West High Street Inverurie AB51 3QQ From edward.prendergast at netring.co.uk Mon Dec 7 12:33:41 2009 
From: edward.prendergast at netring.co.uk (Edward Prendergast) Date: Mon Dec 7 12:33:54 2009 Subject: Taint error with Perl v5.10.1 In-Reply-To: <881E10D2-165D-40D0-890F-9BB4FA0CAE37@trunknetworks.com> References: <4B1CECD5.3040502@netring.co.uk> <881E10D2-165D-40D0-890F-9BB4FA0CAE37@trunknetworks.com> Message-ID: <4B1CF625.5010208@netring.co.uk> Drew Marshall wrote: > On 7 Dec 2009, at 11:53, Edward Prendergast wrote: > >> When MailScanner drops privileges it goes down to the postfix user. >> In case this was related to file permissions I altered all the custom >> modules ownership to root:postfix but this made no difference. My >> best guess is a tainted @INC: >> >> http://search.cpan.org/~dapm/perl-5.10.1/pod/perlsec.pod#Taint_mode_and_@INC >> >> >> But I'm not sure if this is correct, and if it is, how to go about >> solving it? > > Try installing the latest beta. I believe Jules has fixed tainting > issues in that version. Thanks for your feedback. As I'm running in production I think I may downgrade to Perl 5.8.9 (I have the flexibility to do this now - this is one of the reasons why I'm looking to replace the RHEL-bundled Perl RPM-based install with a custom version) and wait for these changes to work their way through in a stable release. Thanks, Edward From Johan at double-l.nl Mon Dec 7 12:57:01 2009
From: Johan at double-l.nl (Johan Hendriks) Date: Mon Dec 7 12:57:11 2009 Subject: Taint error with Perl v5.10.1 References: <4B1CECD5.3040502@netring.co.uk><881E10D2-165D-40D0-890F-9BB4FA0CAE37@trunknetworks.com> <4B1CF625.5010208@netring.co.uk> Message-ID: <57200BF94E69E54880C9BB1AF714BBCBA572DE@w2003s01.double-l.local> >> On 7 Dec 2009, at 11:53, Edward Prendergast wrote: >> >>> When MailScanner drops privileges it goes down to the postfix user. >>> In case this was related to file permissions I altered all the custom >>> modules ownership to root:postfix but this made no difference. My >>> best guess is a tainted @INC: >>> >>> http://search.cpan.org/~dapm/perl-5.10.1/pod/perlsec.pod#Taint_mode_and_ @INC >>> >>> >>> But I'm not sure if this is correct, and if it is, how to go about >>> solving it? >> >> Try installing the latest beta. I believe Jules has fixed tainting >> issues in that version. >Thanks for your feedback. As I'm running in production I think I may >downgrade to Perl 5.8.9 (I have the flexibility to do this now - this is >one of the reasons why I'm looking to replace the RHEL-bundled Perl >RPM-based install with a custom version) and wait for these changes to >work their way through in a stable release. >Thanks, >Edward Perl-5.8.9 will give you the same problem. Use perl 5.8.8 or 5.10.0 this will work regards, Johan Hendriks From lists at buschor.ch Mon Dec 7 14:40:31 2009 
From: lists at buschor.ch (ThB) Date: Mon Dec 7 14:40:41 2009 Subject: MailScanner 4.79.3-1 taint problem in TNEF module Message-ID: <59491.130.59.6.127.1260196831.squirrel@webmail.buschor.ch> Hello, Just found another taint problem in MailScanner 4.79.3-1. The lib/MailScanner/TNEF.pm module throws a taint error if I'm using the external tnef expander. TNEF Expander = /usr/local/bin/tnef --maxsize=100000000 # /opt/MailScanner/bin/MailScanner --debug --id 1NHa3y-0003zs-3E In Debugging mode, not forking... Trying to setlogsock(native) INFO:: Meaningless output that goes nowhere, to keep SAVI happy Building a message batch to scan... Have a batch of 1 message. Insecure dependency in rename while running with -T switch at /opt/MailScanner/lib/MailScanner/TNEF.pm line 322. Using the internal TNEF expander (TNEF Expander = internal) works without problem. regards Thomas From jonas.lilja at sigma.se Mon Dec 7 14:52:41 2009 
From: jonas.lilja at sigma.se (Jonas Lilja) Date: Mon Dec 7 14:52:54 2009 Subject: Perl install problem Message-ID: <3A08229453BB5B4EA8629BE7CDA2E9620EAB17D27E@ss0010.sigma.local> Hi, I've big problems with MailScanner installation. I run install.sh on a Fedora 8 and MS 4.78 (latest). Before I started the install-script I ensured that Perl was completely removed from the machine (rpm -q perl says "package perl is not installed"). This is the output when the install-script tries to build Perl-modules: Please help Jonas Lilja, Sweden Setting Perl5 search path ./install.sh: ./getPERLLIB: /usr/bin/perl: bad interpreter: No such file or directory ./install.sh: line 412: [: too many arguments I think your system will build architecture-dependent modules for package perl is not installed Deleting all the old versions of the Perl modules I built, I will re-install them in a minute. Removing perl-TimeDate Removing perl-MailTools Perl modules I built have been removed... Rebuilding all the Perl RPMs for your version of Perl Attempting to build and install perl-File-Spec-0.82-3 --rebuild: unknown option Missing file /usr/src/redhat/RPMS/noarch/perl-File-Spec-0.82-3.noarch.rpm. Maybe it did not build correctly? Attempting to build and install perl-ExtUtils-MakeMaker-6.50-2 --rebuild: unknown option Missing file /usr/src/redhat/RPMS/noarch/perl-ExtUtils-MakeMaker-6.50-2.noarch.rpm. Maybe it did not build correctly? Attempting to build and install perl-Pod-Escapes-1.04-2 --rebuild: unknown option Etc. etc. etc. From edward.prendergast at netring.co.uk Mon Dec 7 16:07:23 2009
From: edward.prendergast at netring.co.uk (Edward Prendergast) Date: Mon Dec 7 16:07:32 2009 Subject: [SOLVED] Taint error with Perl v5.10.1 In-Reply-To: <57200BF94E69E54880C9BB1AF714BBCBA572DE@w2003s01.double-l.local> References: <4B1CECD5.3040502@netring.co.uk><881E10D2-165D-40D0-890F-9BB4FA0CAE37@trunknetworks.com> <4B1CF625.5010208@netring.co.uk> <57200BF94E69E54880C9BB1AF714BBCBA572DE@w2003s01.double-l.local> Message-ID: <4B1D283B.6040809@netring.co.uk> Johan Hendriks wrote: >>> On 7 Dec 2009, at 11:53, Edward Prendergast wrote: >>> >>> >>>> When MailScanner drops privileges it goes down to the postfix user. >>>> In case this was related to file permissions I altered all the >>>> > custom > >>>> modules ownership to root:postfix but this made no difference. My >>>> best guess is a tainted @INC: >>>> >>>> >>>> > http://search.cpan.org/~dapm/perl-5.10.1/pod/perlsec.pod#Taint_mode_and_ > @INC > >>>> But I'm not sure if this is correct, and if it is, how to go about >>>> solving it? >>>> >>> Try installing the latest beta. I believe Jules has fixed tainting >>> issues in that version. >>> > > >> Thanks for your feedback. As I'm running in production I think I may >> downgrade to Perl 5.8.9 (I have the flexibility to do this now - this >> > is > >> one of the reasons why I'm looking to replace the RHEL-bundled Perl >> RPM-based install with a custom version) and wait for these changes to >> work their way through in a stable release. >> > > >> Thanks, >> Edward >> > > Perl-5.8.9 will give you the same problem. > Use perl 5.8.8 or 5.10.0 > this will work > Thanks - I will do this until the taint fixes make it into the stable release. -Edward
From drolland at kdinet.com Mon Dec 7 17:36:25 2009 From: drolland at kdinet.com (Diane Rolland) Date: Mon Dec 7 17:38:12 2009 Subject: Problem with check_MailScanner hourly Cron In-Reply-To: <002d01ca6bcd$04ea4490$0ebecdb0$@com> References: <002d01ca6bcd$04ea4490$0ebecdb0$@com> Message-ID: <02ba01ca7763$ced31c90$6c7955b0$@com> I was hoping someone could shed some light on this one. has anybody seen this issue?
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Diane Rolland Sent: Sunday, November 22, 2009 5:39 PM To: mailscanner@lists.mailscanner.info Subject: Problem with check_MailScanner hourly Cron Hi all, I seem to have a problem on one of my servers with the check_MailScanner hourly job. If MailScanner is stopped it honors the lock MailScanner.off and the cron job says Not Restarting. However, if MailScanner is running I get Starting MailScanner. Done in the cron notice. Resultant problem is that I end up with hundreds of MailScanner processes (1 master waiting for children, and 5 waiting for messages - every hour). So, it appears it isn't seeing that MailScanner is already running and starts again. And MailScanner stop only stops the group associated with the .pid file, so I end up having to manually kill the orphaned processes. I am running: Linux Red Hat Enterprise AS release 4 (Nahant Update 8) MailScanner 4.78.17 What could be wrong and what can I check? I have had to take it out of the cron.hourly directory, but I can recreate the issue by running the check_MailScanner manually. Thanks in Advance! Diane From alex at rtpty.com Mon Dec 7 18:58:47 2009 From: alex at rtpty.com (Alex Neuman) Date: Mon Dec 7 18:59:03 2009 Subject: Problem with check_MailScanner hourly Cron In-Reply-To: <02ba01ca7763$ced31c90$6c7955b0$@com> References: <002d01ca6bcd$04ea4490$0ebecdb0$@com> <02ba01ca7763$ced31c90$6c7955b0$@com> Message-ID: Does this mean that after 5 hours you'll have 5 masters and 25 children? On Dec 7, 2009, at 12:36 PM, Diane Rolland wrote: > (1 master waiting for children, and 5 waiting for messages - every hour) From fcusack at fcusack.com Mon Dec 7 21:35:13 2009
From: fcusack at fcusack.com (Frank Cusack) Date: Mon Dec 7 21:35:29 2009 Subject: Headsup: possibly clamd crash In-Reply-To: <4B1B914F.7000300@alexb.ch> References: <4B1B914F.7000300@alexb.ch> Message-ID: <2BD28A4EB9853A6D13936DF1@rdf.local> On December 6, 2009 12:11:11 PM +0100 Alex Broens wrote: > Last night, due to a corrupt clamav signature update, a number of my > clamd instances crashed > you may want to check if all is ok corrupt because the signature file was corrupt or because somehow your download of it was corrupted? From ms-list at alexb.ch Mon Dec 7 21:56:58 2009 From: ms-list at alexb.ch (Alex Broens) Date: Mon Dec 7 21:57:07 2009 Subject: Headsup: possibly clamd crash In-Reply-To: <2BD28A4EB9853A6D13936DF1@rdf.local> References: <4B1B914F.7000300@alexb.ch> <2BD28A4EB9853A6D13936DF1@rdf.local> Message-ID: <4B1D7A2A.9020808@alexb.ch> On 12/7/2009 10:35 PM, Frank Cusack wrote: > On December 6, 2009 12:11:11 PM +0100 Alex Broens wrote: >> Last night, due to a corrupt clamav signature update, a number of my >> clamd instances crashed >> you may want to check if all is ok > > corrupt because the signature file was corrupt or because somehow your > download of it was corrupted? On a hangoverish Sunday, I was more into seeing that signatures were being replaced as fast as possible and monitoring future updates real close than doing scientific analysis :-) iow: I don't really know... From jeff.mills at sydneytech.com.au Mon Dec 7 23:56:30 2009 
From: jeff.mills at sydneytech.com.au (Jeff Mills)
Date: Mon Dec 7 23:56:43 2009
Subject: Kaspersky Daemon script
Message-ID: <556B68BE19272143ADE2500D9CC858BD3F6B57@stssvr01.Sts.local>

Is anyone using any of the current versions of Kaspersky as a daemon with MailScanner? We've recently started using Kaspersky on clients and I would like to use our license with MailScanner too.

I have downloaded the latest version and managed to get kavmd running on my machines, but I can't find a KavDaemonClient in the install. Obviously using the standard Kaspersky antivirus install was very slow scanning mail because it had to read the databases each time, so I would like to get a daemon going the way clamd works.

Is anyone using this with the newer versions of Kaspersky?

From damfam at gmail.com Tue Dec 8 17:50:53 2009
From: damfam at gmail.com (Edward Dam)
Date: Tue Dec 8 17:51:03 2009
Subject: Email Address allowed delivery from single domain
Message-ID: <65a7d0f30912080950q245725d4k9158df3fbd2cc585@mail.gmail.com>

Hi all,

I hope you can help. We're running Mailscanner and it's working great. What I need to do now is create a rule that allows a specific user delivery of email from a single domain only.

For example:

user1@example.com should only be allowed incoming email from *@foo.com

However all other users at example.com should receive all email as they normally would. Basically we need to restrict email for a specific user to a single incoming domain.

Based on the documentation I have read, I am pretty sure that this should be able to be done with a Custom Function and a perl script, but I am unsure as to how to call the perl script (and what roughly it would look like, as my perl scripting is less than stellar)

If anyone could point me in the right direction, it would be appreciated!

Thanks,
Ed

From rcooper at dwford.com Tue Dec 8 18:32:31 2009
From: rcooper at dwford.com (Rick Cooper)
Date: Tue Dec 8 18:32:50 2009
Subject: Email Address allowed delivery from single domain
In-Reply-To: <65a7d0f30912080950q245725d4k9158df3fbd2cc585@mail.gmail.com>
References: <65a7d0f30912080950q245725d4k9158df3fbd2cc585@mail.gmail.com>
Message-ID:

_____
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Edward Dam
Sent: Tuesday, December 08, 2009 12:51 PM
To: mailscanner@lists.mailscanner.info
Subject: Email Address allowed delivery from single domain

Hi all,

I hope you can help. We're running Mailscanner and it's working great. What I need to do now is create a rule that allows a specific user delivery of email from a single domain only.

For example:

user1@example.com should only be allowed incoming email from *@foo.com

However all other users at example.com should receive all email as they normally would. Basically we need to restrict email for a specific user to a single incoming domain.

Based on the documentation I have read, I am pretty sure that this should be able to be done with a Custom Function and a perl script, but I am unsure as to how to call the perl script (and what roughly it would look like, as my perl scripting is less than stellar)

If anyone could point me in the right direction, it would be appreciated!

Were I going to do this I would do it at smtp time during receipt to

Rick

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From damfam at gmail.com Tue Dec 8 20:11:37 2009
From: damfam at gmail.com (Edward Dam) Date: Tue Dec 8 20:11:47 2009 Subject: Email Address allowed delivery from single domain In-Reply-To: References: <65a7d0f30912080950q245725d4k9158df3fbd2cc585@mail.gmail.com> Message-ID: <65a7d0f30912081211g2f3b76f5k69218a980557db65@mail.gmail.com> Thanks for the suggestion. I had thought of that, but have not found a way to do so with Sendmail's config that can be as granular as affecting a specific user only (rather than system wide) - which is why I'm turning to MailScanner, as it is a lot more flexible. If anyone has any thought as to doing it at the MTA level, I'm all ears. On Tue, Dec 8, 2009 at 1:32 PM, Rick Cooper wrote: > > > ------------------------------ > *From:* mailscanner-bounces@lists.mailscanner.info [mailto: > mailscanner-bounces@lists.mailscanner.info] *On Behalf Of *Edward Dam > *Sent:* Tuesday, December 08, 2009 12:51 PM > *To:* mailscanner@lists.mailscanner.info > *Subject:* Email Address allowed delivery from single domain > > Hi all, > > I hope you can help. We're running Mailscanner and it's working great. What > I need to do now is create a rule that allows a specific user delivery of > email from a single domain only. > > For example: > > user1@example.com should only be allowed incoming email from *@foo.com > > However all other users at example.com should receive all email as they > normally would. Basically we need to restrict email for a specific user to a > single incoming domain. > > Based on the documentation I have read, I am pretty sure that this can > should be able to be done with a Custom Function and a perl script, but I am > unsure as to how to call the perl script (and what roughly it would look > like, as my perl scripting is less than stellar) > > If anyone could point me in the right direction, it would be appreciated! 
> > Were I going to do this I would do it at smtp time during reciept to > > > Rick > > -- > This message has been scanned for viruses and > dangerous content by *MailScanner* , and is > believed to be clean. > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091208/0bd31632/attachment.html From steve at fsl.com Tue Dec 8 20:35:35 2009 From: steve at fsl.com (Stephen Swaney) Date: Tue Dec 8 20:35:44 2009 Subject: Email Address allowed delivery from single domain In-Reply-To: <65a7d0f30912081211g2f3b76f5k69218a980557db65@mail.gmail.com> References: <65a7d0f30912080950q245725d4k9158df3fbd2cc585@mail.gmail.com> <65a7d0f30912081211g2f3b76f5k69218a980557db65@mail.gmail.com> Message-ID: <48CC082C-E681-46C9-A722-339350B44CC0@fsl.com> On Dec 8, 2009, at 3:11 PM, Edward Dam wrote: > Thanks for the suggestion. I had thought of that, but have not found a way to do so with Sendmail's config that can be as granular as affecting a specific user only (rather than system wide) - which is why I'm turning to MailScanner, as it is a lot more flexible. > If anyone has any thought as to doing it at the MTA level, I'm all ears. > > > On Tue, Dec 8, 2009 at 1:32 PM, Rick Cooper wrote: > > What's wrong with adding a line like: spammer@aol.com REJECT To the /etc/mail/acesss file and remaking the access.db? More details at: http://www.sendmail.org/m4/anti_spam.html Best regards, Steve -- Steve Swaney steve@fsl.com www.fsl.com The most accurate and cost effective anti-spam solutions available From gcle at smcaus.com.au Tue Dec 8 20:37:13 2009 
From: gcle at smcaus.com.au (Gerard Cleary)
Date: Tue Dec 8 20:37:38 2009
Subject: Email Address allowed delivery from single domain
In-Reply-To: <65a7d0f30912080950q245725d4k9158df3fbd2cc585@mail.gmail.com>
References: <65a7d0f30912080950q245725d4k9158df3fbd2cc585@mail.gmail.com>
Message-ID: <200912090737.13182.gcle@smcaus.com.au>

On Wed, 9 Dec 2009 04:50:53 Edward Dam wrote:
> For example:
>
> user1@example.com should only be allowed incoming email from *@foo.com
>
> However all other users at example.com should receive all email as they
> normally would. Basically we need to restrict email for a specific user to
> a single incoming domain.

I have probably missed something completely obvious that makes this problem much more difficult than I can see, but I use a ruleset based on the "Reject Message = no" entry in the MailScanner.conf file which works well.

I changed the MailScanner.conf file to say:

Reject Message = %rules-dir%/reject.rules

Then in the rules directory I have a file called reject.rules which contains entries like:

To: user1@example.com and From: *@foo.com no
To: user1@example.com yes
To: default no

The README file in the MailScanner/rules directory contains all the ruleset instructions and the EXAMPLES file is excellent for ideas on using rulesets.

All the best,
Gerard.

--

From damfam at gmail.com Tue Dec 8 20:48:25 2009
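The reject.rules above depends on rule order, which the following added Python model makes concrete (it is not part of Gerard's post and not MailScanner code). It assumes rules are tried top to bottom with the first match deciding and `*` acting as a wildcard, and it parses only the forms used in this thread (`To:`, `From:`, `and`, `default`); the sample addresses and function names are constructed for illustration.

```python
import fnmatch

# Gerard's reject.rules as posted in the thread ("yes" means: reject the message).
GERARD_RULES = """\
To: user1@example.com and From: *@foo.com   no
To: user1@example.com                       yes
To: default                                 no
"""


def parse_rules(text):
    """Turn 'Dir: pattern [and Dir: pattern] result' lines into (conditions, result)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        result = tokens.pop().lower()          # last field is the yes/no value
        conditions = []
        i = 0
        while i < len(tokens):
            if tokens[i].lower() == "and":
                i += 1
                continue
            direction = tokens[i].rstrip(":").lower()
            if direction not in ("to", "from") or i + 1 >= len(tokens):
                raise ValueError("unsupported rule in this model: " + line)
            conditions.append((direction, tokens[i + 1].lower()))
            i += 2
        if not conditions:
            raise ValueError("rule without a condition: " + line)
        rules.append((conditions, result))
    return rules


def matches(pattern, address):
    """'default' matches anything; otherwise a case-insensitive wildcard match."""
    if pattern == "default":
        return True
    return fnmatch.fnmatchcase(address.lower(), pattern)


def decide(rules, sender, recipient):
    """Return (result, index) of the first rule whose conditions all match."""
    address = {"from": sender, "to": recipient}
    for index, (conditions, result) in enumerate(rules):
        if all(matches(pattern, address[d]) for d, pattern in conditions):
            return result, index
    return None, None   # no default rule present


if __name__ == "__main__":
    rules = parse_rules(GERARD_RULES)
    # Same rules with the first two lines swapped: the broad rule now shadows
    # the exception, so even foo.com mail to user1 is rejected.
    swapped = [rules[1], rules[0], rules[2]]
    samples = [                                   # constructed test addresses
        ("alice@foo.com", "user1@example.com"),
        ("bob@bar.org", "user1@example.com"),
        ("bob@bar.org", "user2@example.com"),
    ]
    for sender, recipient in samples:
        print(sender, "->", recipient,
              "| as posted:", decide(rules, sender, recipient),
              "| swapped:", decide(swapped, sender, recipient))
```

The narrow "and" rule has to stay above the broad `To: user1@example.com` rule; with the two swapped, the exception for foo.com is never reached.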
From: damfam at gmail.com (Edward Dam) Date: Tue Dec 8 20:48:35 2009 Subject: Email Address allowed delivery from single domain In-Reply-To: <48CC082C-E681-46C9-A722-339350B44CC0@fsl.com> References: <65a7d0f30912080950q245725d4k9158df3fbd2cc585@mail.gmail.com> <65a7d0f30912081211g2f3b76f5k69218a980557db65@mail.gmail.com> <48CC082C-E681-46C9-A722-339350B44CC0@fsl.com> Message-ID: <65a7d0f30912081248j6a1722bi8694f22d14aad19c@mail.gmail.com> Thanks Steve, but that would reject all mail from aol.com What I want to do, is for a specific user on my domain (user1@example.com) allow said user to ONLY send/receive to a specific domain (foo.com) Every other user (user2, 3 ,5 @ example.com) should be able to send/receive mail to anywhere, INCLUDING foo.com On Tue, Dec 8, 2009 at 3:35 PM, Stephen Swaney wrote: > > On Dec 8, 2009, at 3:11 PM, Edward Dam wrote: > > > Thanks for the suggestion. I had thought of that, but have not found a > way to do so with Sendmail's config that can be as granular as affecting a > specific user only (rather than system wide) - which is why I'm turning to > MailScanner, as it is a lot more flexible. > > If anyone has any thought as to doing it at the MTA level, I'm all ears. > > > > > > On Tue, Dec 8, 2009 at 1:32 PM, Rick Cooper wrote: > > > > > > What's wrong with adding a line like: > > spammer@aol.com REJECT > > To the /etc/mail/acesss file and remaking the access.db? > > More details at: > > http://www.sendmail.org/m4/anti_spam.html > > > Best regards, > > Steve > > -- > Steve Swaney > steve@fsl.com > www.fsl.com > The most accurate and cost effective anti-spam solutions available > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091208/32eb7876/attachment.html From damfam at gmail.com Tue Dec 8 20:53:54 2009 From: damfam at gmail.com (Edward Dam) Date: Tue Dec 8 20:54:06 2009 Subject: Email Address allowed delivery from single domain In-Reply-To: <200912090737.13182.gcle@smcaus.com.au> References: <65a7d0f30912080950q245725d4k9158df3fbd2cc585@mail.gmail.com> <200912090737.13182.gcle@smcaus.com.au> Message-ID: <65a7d0f30912081253m29c6f6ads40e6bf61df69b4d2@mail.gmail.com> Hi Gerard, That... will likely work. I will test and thank you very much. I did read the README in the rules folder a while ago, but for some reason had it in my head that you couldn't declare 2 variables on one line ( to:user1@example.com and from:*@foo.com) which is why I was looking deeper. Thanks again, and I will report on my success (or lack thereof) On Tue, Dec 8, 2009 at 3:37 PM, Gerard Cleary wrote: > On Wed, 9 Dec 2009 04:50:53 Edward Dam wrote: > > For example: > > > > user1@example.com should only be allowed incoming email from *@foo.com > > > > However all other users at example.com should receive all email as they > > normally would. Basically we need to restrict email for a specific user > to > > a single incoming domain. > > I have probably missed something completely obvious that makes this problem > much more difficult than I can see, but I use a ruleset based on > the "Reject Message = no" entry in the MailScanner.conf file which works > well. > > I changed the MailScanner.conf file to say: Reject Message = > %rules-dir%/reject.rules. > > Then in the rules directory I have a file called reject.rules which > contains entries like: > > To: user1@example.com and 
From: *@foo.com no > To: user1@example.com yes > To: default no > > > The README file in the MailScanner/rules directory contains all the ruleset > instructions and the EXAMPLES file is excellent for ideas on using > rulesets. > > All the best, > Gerard. > > -- > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091208/0e51723a/attachment.html From rcooper at dwford.com Tue Dec 8 20:57:18 2009 From: rcooper at dwford.com (Rick Cooper) Date: Tue Dec 8 20:57:33 2009 Subject: Email Address allowed delivery from single domain In-Reply-To: <65a7d0f30912081211g2f3b76f5k69218a980557db65@mail.gmail.com> References: <65a7d0f30912080950q245725d4k9158df3fbd2cc585@mail.gmail.com> <65a7d0f30912081211g2f3b76f5k69218a980557db65@mail.gmail.com> Message-ID: _____ From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Edward Dam Sent: Tuesday, December 08, 2009 3:12 PM To: MailScanner discussion Subject: Re: Email Address allowed delivery from single domain Thanks for the suggestion. I had thought of that, but have not found a way to do so with Sendmail's config that can be as granular as affecting a specific user only (rather than system wide) - which is why I'm turning to MailScanner, as it is a lot more flexible. If anyone has any thought as to doing it at the MTA level, I'm all ears. [Rick Cooper] Sorry I am an exim man, but I have got to believe sendmail has a way to do such a simple thing Rick On Tue, Dec 8, 2009 at 1:32 PM, Rick Cooper wrote: _____ 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Edward Dam Sent: Tuesday, December 08, 2009 12:51 PM To: mailscanner@lists.mailscanner.info Subject: Email Address allowed delivery from single domain Hi all, I hope you can help. We're running Mailscanner and it's working great. What I need to do now is create a rule that allows a specific user delivery of email from a single domain only. For example: user1@example.com should only be allowed incoming email from *@foo.com However all other users at example.com should receive all email as they normally would. Basically we need to restrict email for a specific user to a single incoming domain. Based on the documentation I have read, I am pretty sure that this can should be able to be done with a Custom Function and a perl script, but I am unsure as to how to call the perl script (and what roughly it would look like, as my perl scripting is less than stellar) If anyone could point me in the right direction, it would be appreciated! Were I going to do this I would do it at smtp time during reciept to Rick -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091208/f9d40ccc/attachment.html From steve at fsl.com Tue Dec 8 21:13:39 2009 
From: steve at fsl.com (Stephen Swaney) Date: Tue Dec 8 21:13:51 2009 Subject: Email Address allowed delivery from single domain In-Reply-To: <65a7d0f30912081248j6a1722bi8694f22d14aad19c@mail.gmail.com> References: <65a7d0f30912080950q245725d4k9158df3fbd2cc585@mail.gmail.com> <65a7d0f30912081211g2f3b76f5k69218a980557db65@mail.gmail.com> <48CC082C-E681-46C9-A722-339350B44CC0@fsl.com> <65a7d0f30912081248j6a1722bi8694f22d14aad19c@mail.gmail.com> Message-ID: On Dec 8, 2009, at 3:48 PM, Edward Dam wrote: > Thanks Steve, but that would reject all mail from aol.com > > What I want to do, is for a specific user on my domain (user1@example.com) allow said user to ONLY send/receive to a specific domain (foo.com) > > Every other user (user2, 3 ,5 @ example.com) should be able to send/receive mail to anywhere, INCLUDING foo.com > > > > > On Tue, Dec 8, 2009 at 3:35 PM, Stephen Swaney wrote: > > On Dec 8, 2009, at 3:11 PM, Edward Dam wrote: > > > Thanks for the suggestion. I had thought of that, but have not found a way to do so with Sendmail's config that can be as granular as affecting a specific user only (rather than system wide) - which is why I'm turning to MailScanner, as it is a lot more flexible. > > If anyone has any thought as to doing it at the MTA level, I'm all ears. > > > > > > On Tue, Dec 8, 2009 at 1:32 PM, Rick Cooper wrote: > > > > > > What's wrong with adding a line like: > > spammer@aol.com REJECT > > To the /etc/mail/acesss file and remaking the access.db? 
>
> More details at:
>
> http://www.sendmail.org/m4/anti_spam.html
>
>
> Best regards,
>
> Steve
>

Not according to the documentation at the referenced URL:

spammer@aol.com              REJECT
cyberspammer.com             REJECT
TLD                          REJECT
192.168.212                  REJECT
IPv6:2002:c0a8:02c7          RELAY
IPv6:2002:c0a8:51d2::23f4    REJECT

would refuse mail from spammer@aol.com, any user from cyberspammer.com (or any host within the cyberspammer.com domain), any host in the entire top level domain TLD, 192.168.212.* network, and the IPv6 address 2002:c0a8:51d2::23f4. It would allow relay for the IPv6 network 2002:c0a8:02c7::/48.

Best regards,

Steve

--
Steve Swaney
steve@fsl.com
202 595-7760 ext: 601
www.fsl.com
The most accurate and cost effective anti-spam solutions available

From lstewart at superb.net Tue Dec 8 23:54:03 2009
From: lstewart at superb.net (Landon Stewart)
Date: Tue Dec 8 23:54:14 2009
Subject: Patch/hackery to store body of an email
Message-ID:

Is there a way via a patch or other hackery to store the body of an email. Even just the first 1K of an email so one can review the contents of it in MailWatch?

--
Landon Stewart
SuperbHosting.Net by Superb Internet Corp.
Toll Free: 888-354-6128 x 4199 (US/Canada)
Web hosting and more "Ahead of the Rest": http://www.superbhosting.net

From GSilver at rampuptech.com Wed Dec 9 03:34:02 2009
From: GSilver at rampuptech.com (Gavin Silver) Date: Wed Dec 9 03:36:51 2009 Subject: Patch/hackery to store body of an email In-Reply-To: References: Message-ID: If mailscanner is set to store all non-spam messages you should be able to view the entire message in mailwatch. Is this something you have attempted yet? ---------------------------------- Gavin Silver The information contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. ________________________________ From: mailscanner-bounces@lists.mailscanner.info [mailscanner-bounces@lists.mailscanner.info] On Behalf Of Landon Stewart [lstewart@superb.net] Sent: Tuesday, December 08, 2009 6:54 PM To: mailscanner@lists.mailscanner.info Subject: Patch/hackery to store body of an email Is there a way via a patch or other hackery to store the body of an email. Even just the first 1K of an email so one can review the contents of it in MailWatch? -- Landon Stewart > SuperbHosting.Net by Superb Internet Corp. Toll Free: 888-354-6128 x 4199 (US/Canada) Web hosting and more "Ahead of the Rest": http://www.superbhosting.net -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091208/474f9dad/attachment.html From lstewart at superb.net Wed Dec 9 04:20:21 2009 
From: lstewart at superb.net (Landon Stewart) Date: Wed Dec 9 04:20:34 2009 Subject: Patch/hackery to store body of an email In-Reply-To: References: Message-ID: On Tue, Dec 8, 2009 at 7:34 PM, Gavin Silver wrote: > If mailscanner is set to store all non-spam messages you should be able > to view the entire message in mailwatch. Is this something you > have attempted yet? > Thanks Gavin, I have not attempted this yet. It's not even storing spam messages... Perhaps that's an option too? I'll look more closely at the configuration directives available. Thanks again! -- Landon Stewart SuperbHosting.Net by Superb Internet Corp. Toll Free: 888-354-6128 x 4199 (US/Canada) Web hosting and more "Ahead of the Rest": http://www.superbhosting.net -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091208/06c07bdc/attachment.html From tenderby at mailwash.com.au Wed Dec 9 07:02:07 2009 
From: tenderby at mailwash.com.au (Tony Enderby)
Date: Wed Dec 9 07:02:31 2009
Subject: Mailscanner only being invoked with certain message sizes
Message-ID: <4B1F4B6F.7050205@mailwash.com.au>

Hi there,

I have a clean install of the latest MS from Julian's site and have it installed with default rules and scanning options. The only thing I have changed is the scanner entry in the .conf file from auto to clamav and added an entry for &MailWatchLogging to log to a MySQL database for MailWatch.

Machine is Fedora Core 9 with sendmail.

If I start MailScanner with service MailScanner start && tail -f /var/log/maillog I can see the children fork and the process start to run complete with SQL logging child started entries. Mail can be sent in and out without error but there are no MS style entries in the logs and no header info added UNTIL I send a message over 450K i.e a blank body email with a random image in it or a Word doc of equivalent or greater size. When I send a message at or over this size I see the MS process output in the logs (Starting Virus / Content scanning etc) as well as a write to the MailWatch database. Anything under this though sends and gets back ok but only with sendmail log entries and not MailScanner.

A MailScanner --lint returns a favourable reply with complaints only about rar not being found.

If anyone could shed some light in this it would be great,

Thanks in advance,

Tony.

From glenn.steen at gmail.com Wed Dec 9 10:55:32 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Dec 9 10:55:41 2009
Subject: Perl install problem
In-Reply-To: <3A08229453BB5B4EA8629BE7CDA2E9620EAB17D27E@ss0010.sigma.local>
References: <3A08229453BB5B4EA8629BE7CDA2E9620EAB17D27E@ss0010.sigma.local>
Message-ID: <223f97700912090255q32752d07y3b50c3b2ae46532@mail.gmail.com>

2009/12/7 Jonas Lilja :
> Hi, I've big problems with MailScanner installation. I run install.sh on a
> Fedora 8 and MS 4.78 (latest). Before I started the install-script I ensured
> that Perl was completely removed from the machine (rpm -q perl says "package
> perl is not installed"). This is the output when the install-script tries to
> build Perl-modules:
>
> Please help
>
> Jonas Lilja, Sweden
>

Hej Jonas,

Why do you think a perl program like MailScanner would work without perl installed? Install perl and you'll be fine! There *might* be some rpm/perl package/module issues, but ... if you don't have the basic prerequisites installed, the MailScanner installer will never work.

Ha det
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From alessandro.fachin at qnet.it Wed Dec 9 11:48:09 2009
From: alessandro.fachin at qnet.it (Alessandro Fachin)
Date: Wed Dec 9 11:48:22 2009
Subject: Mailscanner changes mail unique ID
Message-ID: <200912091248.10220.alessandro.fachin@qnet.it>

Hi,

I'm using mailscanner with postfix, is it possible to force mailscanner not to change the mail id while processing it ?

An example:
Dec 9 10:54:26 ocsam MailScanner[26207]: Requeue: 1053E38B5C.64F04 to ADDE338B64

If possible I want to have the same ID from the beginning until the end.

Regards.

--
Alessandro Fachin
alessandro.fachin@qnet.it
Qnet s.r.l
Via Circonvallazione Sud 76
33033 Codroipo (UD) - Italy
http://www.qnet.it
http://www.qfarm.it
Tel. +39 0432 906062
Fax +39 0432 901514

From stef at aoc-uk.com Wed Dec 9 12:02:44 2009
From: stef at aoc-uk.com (Stef Morrell)
Date: Wed Dec 9 12:03:10 2009
Subject: Mailscanner changes mail unique ID
In-Reply-To:
References:
Message-ID: <200912091203.nB9C31n8026876@safir.blacknight.ie>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Alessandro Fachin
>
> I'm using mailscanner with postfix, is it possible to force
> mailscanner not to change the mail id while processing it ?
>
> An example:
> Dec 9 10:54:26 ocsam MailScanner[26207]: Requeue: 1053E38B5C.64F04 to
> ADDE338B64
>
> If possible I want to have the same ID from the beginning until
> the end. Regards.

Postfix uses inode numbers for the queue ID. This means that when Mailscanner has processed the email and needs to copy it back into the queue for sending a new inode will be used and that will become the new queue ID.

So, regretfully, the short answer is no, it's not possible.

Stef

--
Stefan Morrell | Operations Director
Tel: 0845 3452820 | Alpha Omega Computers Ltd
Fax: 0845 3452830 | Incorporating Level 5 Internet
stef@aoc-uk.com | stef@l5net.net

Standard Disclaimer: http://www.aoc-uk.com/16.asp

Alpha Omega Computers Ltd, Batley Technology Centre, Grange Road, Batley, WF17 6ER. Registered in England No. 3867142. VAT No. GB734421454

From glenn.steen at gmail.com Wed Dec 9 14:40:04 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Dec 9 14:40:13 2009
Subject: Mailscanner only being invoked with certain message sizes
In-Reply-To: <4B1F4B6F.7050205@mailwash.com.au>
References: <4B1F4B6F.7050205@mailwash.com.au>
Message-ID: <223f97700912090640x229e5d37w6d9a43fd5e39e6b0@mail.gmail.com>

2009/12/9 Tony Enderby :
> Hi there,
>
> I have a clean install of the latest MS from Julian's site and have it
> installed with default rules
> and scanning options. The only thing I have changed is the scanner entry in
> the .conf file from
> auto to clamav and added an entry for &MailWatchLogging to log to a MySQL
> database for
> MailWatch.
>
> Machine is Fedora Core 9 with sendmail.
>
> If I start MailScanner with service MailScanner start && tail -f
> /var/log/maillog I can see the children fork
> and the process start to run complete with SQL logging child started
> entries. Mail can be sent in and out
> without error but there are no MS style entries in the logs and no header
> info added UNTIL I send a message
> over 450K i.e a blank body email with a random image in it or a Word doc of
> equivalent or greater size. When I send a message at or over this size I see
> the MS process output in the logs (Starting Virus / Content scanning etc)
> as well as a write to the MailWatch database. Anything under this though
> sends and gets back ok but only with sendmail
> log entries and not MailScanner.
>
> A MailScanner --lint returns a favourable reply with complaints only about
> rar not being found.
>
> If anyone could shed some light in this it would be great,
>
> Thanks in advance,
>
> Tony.
>

Check that you don't have your "plain" MTA still running (nor set to autostart.... ps is a good tool here:-). What I'm thinking is that smaller messages never stay in your incoming queue long enough for MailScanner to pick it up...

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From tenderby at mailwash.com.au Wed Dec 9 16:00:04 2009
From: tenderby at mailwash.com.au (Tony Enderby)
Date: Wed Dec 9 16:00:33 2009
Subject: Mailscanner only being invoked with certain message sizes
In-Reply-To: <223f97700912090640x229e5d37w6d9a43fd5e39e6b0@mail.gmail.com>
References: <4B1F4B6F.7050205@mailwash.com.au> <223f97700912090640x229e5d37w6d9a43fd5e39e6b0@mail.gmail.com>
Message-ID: <4B1FC984.9020606@mailwash.com.au>

Glenn Steen wrote:
> 2009/12/9 Tony Enderby :
>
>> Hi there,
>>
>> I have a clean install of the latest MS from Julian's site and have it
>> installed with default rules
>> and scanning options. The only thing I have changed is the scanner entry in
>> the .conf file from
>> auto to clamav and added an entry for &MailWatchLogging to log to a MySQL
>> database for
>> MailWatch.
>>
>> Machine is Fedora Core 9 with sendmail.
>>
>> If I start MailScanner with service MailScanner start && tail -f
>> /var/log/maillog I can see the children fork
>> and the process start to run complete with SQL logging child started
>> entries. Mail can be sent in and out
>> without error but there are no MS style entries in the logs and no header
>> info added UNTIL I send a message
>> over 450K i.e a blank body email with a random image in it or a Word doc of
>> equivalent or greater size. When I send a message at or over this size I see
>> the MS process output in the logs (Starting Virus / Content scanning etc)
>> as well as a write to the MailWatch database. Anything under this though
>> sends and gets back ok but only with sendmail
>> log entries and not MailScanner.
>>
>> A MailScanner --lint returns a favourable reply with complaints only about
>> rar not being found.
>>
>> If anyone could shed some light in this it would be great,
>>
>> Thanks in advance,
>>
>> Tony.
>>
>>
> Check that you don't have your "plain" MTA still running (nor set to
> autostart.... ps is a good tool here:-). What I'm thinking is that
> smaller messages never stay in your incoming queue long enough for
> MailScanner to pick it up...
>
> Cheers
>

Thanks Glenn, sendmail itself is not running as I performed a chkconfig sendmail off when I first setup MS on this box and quit the service. I noticed that sm-client is still running though on the problem machines, however this is also running on a later version of Fedora I am testing on and this machine does not suffer this problem so I'm not sure where to go from here.

Tony.

From ricardo at wenn.com Wed Dec 9 16:53:09 2009
From: ricardo at wenn.com (Ricardo Branco)
Date: Wed Dec 9 16:53:24 2009
Subject: Signature causing blank emails
In-Reply-To: <4B182BA5.3090601@wenn.com>
References: <4B182BA5.3090601@wenn.com>
Message-ID: <4B1FD5F5.1030705@wenn.com>

UPDATE

Order of events to cause the problem are.

1) Have both HTML/TXT signatures setup, in the HTML one have an image that is attached.

Attach Image To Signature = yes
Attach Image To HTML Message Only = yes
Allow Multiple HTML Signatures = no
Dont Sign HTML If Headers Exist = In-Reply-To: References:

2) send email with only HTML section, no plain text
3) reply to it and then it all goes wrong

The error is located in the following file

/usr/lib/MailScanner/MailScanner/Message.pm
# $Id: Message.pm 4924 2009-09-24 15:49:56Z sysjkf $
Version 4.78 RPM downloaded from website
Line 4717 >> 4732

I've had to comment out the lines to stop the error happening.

Can anyone confirm this issue?

Ricardo Branco wrote, On 03/12/2009 21:20:
> Dont Sign HTML If Headers Exist = In-Reply-To: References:
>
> I think this setting is broken, if i try and use it as shown above i
> end up with broken emails
>
> I can't understand what has happened.

From fcusack at fcusack.com Wed Dec 9 18:39:05 2009
From: fcusack at fcusack.com (Frank Cusack) Date: Wed Dec 9 18:39:20 2009 Subject: Mailscanner changes mail unique ID In-Reply-To: <200912091203.nB9C31n8026876@safir.blacknight.ie> References: <200912091203.nB9C31n8026876@safir.blacknight.ie> Message-ID: <44DFAF78889DBA82708BE058@rdf.local> On December 9, 2009 12:02:44 PM +0000 Stef Morrell wrote: > Postfix uses inode numbers for the queue ID. This means that when > Mailscanner has processed the email and needs to copy it back into the > queue for sending a new inode will be used and that will become the new > queue ID. > > So, regretfully, the short answer is no, it's not possible. Mailscanner could copy the file, edit the original in-place and then move the original to the incoming queue. It's possible, but MS doesn't work that way. -frank From msz at astrouw.edu.pl Thu Dec 10 10:22:09 2009 
From: msz at astrouw.edu.pl (Michal Szymanski)
Date: Thu Dec 10 10:22:18 2009
Subject: MS keeps sending "Problem Messages" email
Message-ID: <20091210102209.GA14987@astrouw.edu.pl>

Hello,

After upgrade of my system, MailScanner started to send, every hour or two, the following message to local "root":

Currently being processed:

Number of messages: 3
Tries   Message             Next Try At
=====   =======             ===========
2       679CF35238A.A4B92   Wed Dec 9 19:06:46 2009
2       2212E352375.A31EA   Wed Dec 9 19:04:47 2009
2       9985E35238D.A78A5   Wed Dec 9 19:04:13 2009

--
MailScanner

No trace of files named as above, anywhere in the system (like in quarantine, queues etc.)

I tried to trace the messages in the maillog and found following (example for the last message listed above):

Dec 9 18:21:28 sirius postfix/smtpd[1881]: 9985E35238D: client=p5B2531BA.dip0.t-ipconnect.de[91.37.49.186]
Dec 9 18:21:29 sirius postfix/cleanup[3256]: 9985E35238D: hold: header Received: from p5B2531BA.dip0.t-ipconnect.de (p5B2531BA.dip0.t-ipconnect.de [91.37.49.186])??by sirius.astrouw.edu.pl (Postfix) with ESMTP id 9985E35238D??for ; Wed, 9 Dec 20 from p5B2531BA.dip0.t-ipconnect.de[91.37.49.186]; from= to= proto=ESMTP helo=
Dec 9 18:21:29 sirius postfix/cleanup[3256]: 9985E35238D: message-id=<5034578476.9BS8LI00880302@eqzruroqbfptc.rtirnzudbtgvkgy.net>
Dec 9 19:01:06 sirius MailScanner[6927]: Making attempt 2 at processing message 9985E35238D.A78A5
Dec 9 19:02:03 sirius MailScanner[6927]: Requeue: 9985E35238D.A78A5 to 445AD352375

After the message was requeued, the traces of the new ID are as follows:

Dec 9 19:02:03 sirius MailScanner[6927]: Requeue: 9985E35238D.A78A5 to 445AD352375
Dec 9 22:46:52 sirius postfix/qmgr[19287]: 445AD352375: from=, size=5917, nrcpt=1 (queue active)
Dec 9 22:46:53 sirius postfix/local[19298]: 445AD352375: to=, relay=local, delay=15925, delays=15924/0.13/0/0.17, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail)
Dec 9 22:46:53 sirius postfix/qmgr[19287]: 445AD352375: removed

So it seems that it was finally delivered. Why does it appear in these "Problem messages" emails? How to get rid of them?

regards, Michal.

From glenn.steen at gmail.com Thu Dec 10 13:32:15 2009
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Dec 10 13:32:25 2009 Subject: Mailscanner changes mail unique ID In-Reply-To: <44DFAF78889DBA82708BE058@rdf.local> References: <200912091203.nB9C31n8026876@safir.blacknight.ie> <44DFAF78889DBA82708BE058@rdf.local> Message-ID: <223f97700912100532o7e023b4cg7f865ba6ed4e7775@mail.gmail.com> 2009/12/9 Frank Cusack : > On December 9, 2009 12:02:44 PM +0000 Stef Morrell wrote: >> >> Postfix uses inode numbers for the queue ID. This means that when >> Mailscanner has processed the email and needs to copy it back into the >> queue for sending a new inode will be used and that will become the new >> queue ID. >> >> So, regretfully, the short answer is no, it's not possible. > > Mailscanner could copy the file, edit the original in-place and then > move the original to the incoming queue. ?It's possible, but MS doesn't > work that way. > > -frank One might think that yes, but due to how Postfix works (and the "unstandard" practices of MailScanner:-), that isn't possible either. Apart from making "grep" more easy, there is really no real issue with the requeue -> new queue file -> new queue file ID... If you're handy with perl, making a "mailloggrep" program that correctly parses and "greps" all possible queue IDs for the message would be rather simple. What we ended up doing, which is to construct a completely new message queue file, is actually what Wietse (a rather long time ago, when he wanted to demonstrate the "folly" of working with batches of queue files instead of (like amavisd) through the limiting interfaces at hand (SMTP, mainly)) stipulated as the only sane way of doing this (along with some other "rules"...). Fun thing was that he was unaware of the fact that MS actually already did all that;-). If you like, and have the luxury to wait for me to have some spare time, could probably whip a little script up for you relatively easy, especially if you'd not mind it being ugly;-). 
Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Thu Dec 10 14:29:34 2009 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Dec 10 14:29:44 2009 Subject: Mailscanner changes mail unique ID In-Reply-To: <223f97700912100532o7e023b4cg7f865ba6ed4e7775@mail.gmail.com> References: <200912091203.nB9C31n8026876@safir.blacknight.ie> <44DFAF78889DBA82708BE058@rdf.local> <223f97700912100532o7e023b4cg7f865ba6ed4e7775@mail.gmail.com> Message-ID: <223f97700912100629t4bbec3bcy644938a2cd560d93@mail.gmail.com> 2009/12/10 Glenn Steen : > 2009/12/9 Frank Cusack : >> On December 9, 2009 12:02:44 PM +0000 Stef Morrell wrote: >>> >>> Postfix uses inode numbers for the queue ID. This means that when >>> Mailscanner has processed the email and needs to copy it back into the >>> queue for sending a new inode will be used and that will become the new >>> queue ID. >>> >>> So, regretfully, the short answer is no, it's not possible. >> >> Mailscanner could copy the file, edit the original in-place and then >> move the original to the incoming queue. ?It's possible, but MS doesn't >> work that way. >> >> -frank > One might think that yes, but due to how Postfix works (and the > "unstandard" practices of MailScanner:-), that isn't possible either. > Apart from making "grep" more easy, there is really no real issue with > the requeue -> new queue file -> new queue file ID... > If you're handy with perl, making a "mailloggrep" program that > correctly parses and "greps" all possible queue IDs for the message > would be rather simple. > > What we ended up doing, which is to construct a completely new message > queue file, is actually what Wietse (a rather long time ago, when he > wanted to demonstrate the "folly" of working with batches of queue > files instead of (like amavisd) through the limiting interfaces at > hand (SMTP, mainly)) stipulated as the only sane way of doing this > (along with some other "rules"...). Fun thing was that he was unaware > of the fact that MS actually already did all that;-). 
>
> If you like, and have the luxury to wait for me to have some spare
> time, could probably whip a little script up for you relatively easy,
> especially if you'd not mind it being ugly;-).
>
> Cheers

Here you go... put this in a file (make sure the perl path is OK, as well as the path to your mail log file), chmod +x said file, run as per the Usage... Ugly and perhaps not the most effective, but ... works;-).

-------------------------- cut here
#!/usr/bin/perl -w
# Print every mail log line for a message, following MailScanner requeues.
# The log path and the usage text are missing from the archived copy of
# this script; /var/log/maillog is assumed here, adjust it to your mail log.
open(R, "</var/log/maillog") or die "Cannot open mail log: $!\n";
die "Usage: $0 queue-id\n" if($#ARGV != 0);
$src = "$ARGV[0]";
while ($_=<R>) {
  print if(/$src/);
  # A requeue line names the new queue ID: add it to the search pattern.
  if(/Requeue: $ARGV[0]...... to (\w*)/) {
    $src .= "|$1";
  }
}
exit(0);
# End of Script
-------------------------- cut here

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From jonas.lilja at sigma.se Thu Dec 10 14:43:38 2009
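The queue-ID tracing discussed in this thread, as an added Python example (not the script posted above and not MailScanner code). It goes a little further than the posted script: IDs are matched as whole tokens instead of being interpolated into a regex, and an ID is dropped once its queue file is requeued or removed, because short Postfix queue IDs can be reused by later messages. The function name, the log patterns and the sample log are assumptions; the sample is constructed, modelled on the excerpt earlier in the archive.

```python
import re

# Classic short Postfix queue IDs (upper-case hex) are assumed throughout.
# Postfix log field such as "postfix/qmgr[19287]: 445AD352375: ..."
POSTFIX_ID = re.compile(r"\bpostfix/[\w-]+\[\d+\]: ([0-9A-F]{6,}):")
# MailScanner requeue line: "Requeue: <old id>.<suffix> to <new id>"
REQUEUE = re.compile(r"\bRequeue: ([0-9A-F]{6,})\.[0-9A-F]+ to ([0-9A-F]{6,})\b")
# Any MailScanner line naming a message as "<queue id>.<suffix>"
MS_MESSAGE = re.compile(r"\b([0-9A-F]{6,})\.[0-9A-F]{5}\b")

# Constructed sample log (hosts and addresses are placeholders).
SAMPLE_LOG = """\
Dec  9 18:21:28 mx postfix/smtpd[1881]: 9985E35238D: client=host.example[192.0.2.10]
Dec  9 18:21:29 mx postfix/cleanup[3256]: 9985E35238D: message-id=<constructed-1@example.net>
Dec  9 18:22:10 mx postfix/smtpd[1881]: 679CF35238A: client=other.example[192.0.2.20]
Dec  9 19:01:06 mx MailScanner[6927]: Making attempt 2 at processing message 9985E35238D.A78A5
Dec  9 19:02:03 mx MailScanner[6927]: Requeue: 9985E35238D.A78A5 to 445AD352375
Dec  9 19:30:00 mx postfix/smtpd[1890]: 9985E35238D: client=reuse.example[192.0.2.30]
Dec  9 22:46:52 mx postfix/qmgr[19287]: 445AD352375: from=<a@example.net>, size=5917, nrcpt=1 (queue active)
Dec  9 22:46:53 mx postfix/local[19298]: 445AD352375: to=<b@example.org>, relay=local, dsn=2.0.0, status=sent
Dec  9 22:46:53 mx postfix/qmgr[19287]: 445AD352375: removed
Dec  9 23:10:00 mx postfix/smtpd[1900]: 445AD352375: client=reuse2.example[192.0.2.40]
""".splitlines()


def trace_message(log_lines, start_id):
    """Follow one message through a chronological mail log.

    Returns (chain, hits): the queue IDs the message carried, in order,
    and the log lines that belong to it.
    """
    start = start_id.split(".")[0].upper()   # accept "ID" or "ID.SUFFIX"
    if not re.fullmatch(r"[0-9A-F]{6,}", start):
        raise ValueError("not a Postfix queue ID: %r" % start_id)

    active = {start}      # IDs that currently refer to this message
    chain = [start]
    hits = []
    for line in log_lines:
        ids = set(POSTFIX_ID.findall(line)) | set(MS_MESSAGE.findall(line))
        requeue = REQUEUE.search(line)
        if requeue:
            ids.update(requeue.groups())
        if not ids & active:
            continue
        hits.append(line)
        if requeue and requeue.group(1) in active:
            # The old queue file is gone: stop following the old ID so a
            # later message that reuses it is not pulled into the trace.
            active.discard(requeue.group(1))
            active.add(requeue.group(2))
            chain.append(requeue.group(2))
        elif line.rstrip().endswith(": removed"):
            active -= ids
    return chain, hits


if __name__ == "__main__":
    ids, lines = trace_message(SAMPLE_LOG, "9985E35238D.A78A5")
    print(" -> ".join(ids))
    print("\n".join(lines))
```
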
From: jonas.lilja at sigma.se (Jonas Lilja)
Date: Thu Dec 10 14:43:49 2009
Subject: SV: Perl install problem SOLVED
In-Reply-To: <223f97700912090255q32752d07y3b50c3b2ae46532@mail.gmail.com>
References: <3A08229453BB5B4EA8629BE7CDA2E9620EAB17D27E@ss0010.sigma.local> <223f97700912090255q32752d07y3b50c3b2ae46532@mail.gmail.com>
Message-ID: <3A08229453BB5B4EA8629BE7CDA2E9620EAB333EF3@ss0010.sigma.local>

It works fine now. I reinstalled the OS with RHEL5 and then ran the install-script (without problem).

Thanx /Jonas

PS - I had Perl installed (the script said "Good, you appear to only have 1 copy of Perl installed") so there must be something with Fedora (internal links). No matter - it works fine now.

-----Original message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On behalf of Glenn Steen
Sent: 9 December 2009 11:56
To: MailScanner discussion
Subject: Re: Perl install problem

2009/12/7 Jonas Lilja :
> Hi, I've big problems with MailScanner installation. I run install.sh on a
> Fedora 8 and MS 4.78 (latest). Before I started the install-script I ensured
> that Perl was completely removed from the machine (rpm -q perl says "package
> perl is not installed"). This is the output when the install-script tries to
> build Perl-modules:
>
>
>
> Please help
>
>
>
> Jonas Lilja, Sweden
>

Hi Jonas,

Why do you think a perl program like MailScanner would work without perl installed? Install perl and you'll be fine! There *might* be some rpm/perl package/module issues, but ... if you don't have the basic prerequisites installed, the MailScanner installer will never work.

Take care
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
-- 
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From glenn.steen at gmail.com Thu Dec 10 15:32:01 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Dec 10 15:32:10 2009
Subject: Perl install problem SOLVED
In-Reply-To: <3A08229453BB5B4EA8629BE7CDA2E9620EAB333EF3@ss0010.sigma.local>
References: <3A08229453BB5B4EA8629BE7CDA2E9620EAB17D27E@ss0010.sigma.local> <223f97700912090255q32752d07y3b50c3b2ae46532@mail.gmail.com> <3A08229453BB5B4EA8629BE7CDA2E9620EAB333EF3@ss0010.sigma.local>
Message-ID: <223f97700912100732v7ed75476tb91f451428f3e80e@mail.gmail.com>

2009/12/10 Jonas Lilja :
> It works fine now. I reinstalled the OS with RHEL5 and then ran the install-script (without problem).
>
> Thanx /Jonas

Good that you solved it.

> PS - I had Perl installed (the script said "Good, you appear to only have 1 copy of Perl installed") so there must be something with Fedora (internal links). No matter - it works fine now.
>

This is what you told us:
---------------------------------------
Setting Perl5 search path
./install.sh: ./getPERLLIB: /usr/bin/perl: bad interpreter: No such file or directory
./install.sh: line 412: [: too many arguments
I think your system will build architecture-dependent modules for package perl is not installed
---------------------------------------
... and that clearly indicates that your statement (that you had removed perl) was true! .... So no, you hadn't got it installed;-).

As you say... no matter, it works now...

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From hvdkooij at vanderkooij.org Thu Dec 10 21:11:30 2009
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Thu Dec 10 21:11:42 2009 Subject: MS keeps sending "Problem Messages" email In-Reply-To: <20091210102209.GA14987@astrouw.edu.pl> References: <20091210102209.GA14987@astrouw.edu.pl> Message-ID: <4B216402.3070805@vanderkooij.org> On 10/12/09 11:22, Michal Szymanski wrote: > After upgrade of my system, MailScanner started to send, every hour or > two, the following message to local "root": > > Currently being processed: > > Number of messages: 3 > Tries Message Next Try At > ===== ======= =========== > 2 679CF35238A.A4B92 Wed Dec 9 19:06:46 2009 > 2 2212E352375.A31EA Wed Dec 9 19:04:47 2009 > 2 9985E35238D.A78A5 Wed Dec 9 19:04:13 2009 > > -- > MailScanner > > No trace of files named as above, anywhere in the system (like in > quarantine, queues etc.) My guess is that you just happen to have too many messages in a batch. Then they can't all be handled in time so they stay in the queue untill the next attempt and then pass through. Perhaps you need to reduce the number of messages in 1 batch? Hugo. From fcusack at fcusack.com Fri Dec 11 05:20:47 2009 From: fcusack at fcusack.com (Frank Cusack) Date: Fri Dec 11 05:21:04 2009 Subject: rule patterns In-Reply-To: <4E0F0F45E36CE3804D45D23B@rdf.local> References: <4E0F0F45E36CE3804D45D23B@rdf.local> Message-ID: <02B6E3B4415AA3BC0F1351C6@rdf.local> On November 30, 2009 10:41:40 PM -0800 Frank Cusack wrote: > But really what I wanted to get to is that bounce.rules has: > ># From: yourcustomer.com yes > > which doesn't match any of the example patterns in README. Is > bounce.rules in error? I am still not clear on this. Is the example bounce.rules wrong? -frank From fcusack at fcusack.com Fri Dec 11 05:26:28 2009 
From: fcusack at fcusack.com (Frank Cusack) Date: Fri Dec 11 05:26:39 2009 Subject: Read IP Address From Received Header In-Reply-To: References: <223f97700912010529o401ea919h967ab2aa3bccdb89@mail.gmail.com> Message-ID: On December 1, 2009 9:32:58 AM -0800 Frank Cusack wrote: > So now that I understand that bit, here's a problem combining that > and "bounce". The bounce action for spam says you need to whitelist > 127.0.0.1 ... make sense. But since I have "Read IP Address From > Received Header" set to 2, and for bounces there will not even be > 2 received headers, will that whitelist even work? I'm still not satisfied with the answer on bouncing, but it seems that bounce is not a viable option anyway, if your mailscanner host is not the MX host, due to the impossibility of whitelisting yourself in that case. UNLESS ... unless I can set "Read IP Address From Received Header" to 0, disabling any host-specific whitelists other than localhost but at least allowing "bounce" to work. Yes? -frank From fcusack at fcusack.com Fri Dec 11 05:28:03 2009 From: fcusack at fcusack.com (Frank Cusack) Date: Fri Dec 11 05:28:14 2009 Subject: Spam Actions bounce In-Reply-To: <70640AB4B0DAE2F88A4C21FB@rdf.local> References: <70640AB4B0DAE2F88A4C21FB@rdf.local> Message-ID: Let's try this again. Does "Spam Actions" bounce even work at all? If so, what is the interaction between that and "Enable Spam Bounce"? -frank From fcusack at fcusack.com Fri Dec 11 05:47:44 2009 
From: fcusack at fcusack.com (Frank Cusack) Date: Fri Dec 11 05:47:55 2009 Subject: Spam Actions bounce In-Reply-To: References: <70640AB4B0DAE2F88A4C21FB@rdf.local> Message-ID: <467FBF8D4309495922E5294D@rdf.local> On December 11, 2009 12:28:03 AM -0500 Frank Cusack wrote: > Let's try this again. > > Does "Spam Actions" bounce even work at all? If so, what is the > interaction between that and "Enable Spam Bounce"? Nevermind, I read the code and figured it out. It works like I thought and it's just that the warning in bounce.rules is too strong (since setting bounce to "yes" there doesn't actually bounce a message). -frank From ricardo at wenn.com Fri Dec 11 10:46:33 2009 From: ricardo at wenn.com (Ricardo Branco) Date: Fri Dec 11 10:46:48 2009 Subject: Problem with Return-Path from certain ISPs In-Reply-To: <4B17D286.9020303@wenn.com> References: <4B17D286.9020303@wenn.com> Message-ID: <4B222309.90306@wenn.com> Ive been able to reproduce this again and again, not only with Hotmail. It seems that if the sending MTA (ie Hotmail) supplies a Return-Path then for some reason its taken out. I think there is a bug in MailScanner/Sendmail.pm arround line 352 I tested this by telnetting to my mail server and in the DATA section putting a returnpath and it then did not end up on the final headers, but if i dont put it then its there. Ricardo Branco wrote, On 03/12/2009 15:00: > Centos+MailScanner+Sendmail+DovecotLDA > > We started noticing issues with return-path not being passed though to > Sendmail/DovecotLDA. > This causes a knock on affect on Sieve filters in DovecotLDA which > rely on Return-Path being passed though. > > If I take MailScanner out the loop then all is well, Return-Path > exists to my mailbox, but if MS is running then it does not come through. > > Any reason why this would be happening? From jethro.binks at strath.ac.uk Fri Dec 11 11:31:40 2009 
From: jethro.binks at strath.ac.uk (Jethro R Binks) Date: Fri Dec 11 11:31:49 2009 Subject: Problem with Return-Path from certain ISPs In-Reply-To: <4B222309.90306@wenn.com> References: <4B17D286.9020303@wenn.com> <4B222309.90306@wenn.com> Message-ID: On Fri, 11 Dec 2009, Ricardo Branco wrote: > Ive been able to reproduce this again and again, not only with Hotmail. > > It seems that if the sending MTA (ie Hotmail) supplies a Return-Path > then for some reason its taken out. > > I think there is a bug in MailScanner/Sendmail.pm arround line 352 > > I tested this by telnetting to my mail server and in the DATA section > putting a returnpath and it then did not end up on the final headers, > but if i dont put it then its there. The Return-Path: header should ONLY be added by the final receiving server, at the point of delivery to the mailbox (in its role as MDA). Its value is copied from the envelope sender address as received by the delivering server. It should not be present on messages in-transit before that point, so it is not inappropriate for it to be removed as it is untrusted information -- if MailScanner is indeed doing so. Perhaps Sendmail, or Dovecot's LDA, are not adding the header when they should? Jethro. > > Ricardo Branco wrote, On 03/12/2009 15:00: > > Centos+MailScanner+Sendmail+DovecotLDA > > > > We started noticing issues with return-path not being passed though to > > Sendmail/DovecotLDA. This causes a knock on affect on Sieve filters in > > DovecotLDA which rely on Return-Path being passed though. > > > > If I take MailScanner out the loop then all is well, Return-Path > > exists to my mailbox, but if MS is running then it does not come > > through. > > > > Any reason why this would be happening? 
> -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! . . . . . . . . . . . . . . . . . . . . . . . . . Jethro R Binks Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK From ricardo at wenn.com Fri Dec 11 11:47:55 2009 
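The delivery-time handling of Return-Path described in the reply above, as an added Python example (not part of the original post and not Sendmail, Dovecot or MailScanner code). The function name and the sample message are assumptions; the sample is constructed and uses LF line endings.

```python
def deliver_with_return_path(raw_message, envelope_sender):
    """Return the message as a delivery agent would store it.

    Every Return-Path header that arrived with the message is untrusted
    and is dropped (folded continuation lines included); one Return-Path
    built from the SMTP envelope sender is prepended. An empty envelope
    sender yields the null path "<>", as used for bounces.
    """
    # The envelope sender ends up in a header: refuse characters that
    # would let it break out of that header line.
    if any(c in envelope_sender for c in "\r\n<>"):
        raise ValueError("invalid envelope sender")

    # Headers end at the first empty line; the body is never touched.
    head, sep, body = raw_message.partition("\n\n")

    kept = []
    dropping = False
    for line in head.split("\n"):
        if line[:1] in (" ", "\t"):
            # Continuation line: shares the fate of the field it belongs to.
            if not dropping:
                kept.append(line)
            continue
        name = line.split(":", 1)[0].strip().lower()
        dropping = (name == "return-path")
        if not dropping:
            kept.append(line)

    trusted = "Return-Path: <%s>" % envelope_sender
    return "\n".join([trusted] + kept) + sep + body


# Constructed sample: two Return-Path headers supplied by the sender
# (one folded, one in lower case) and a body line that merely looks
# like a header.
SAMPLE = (
    "Return-Path: <forged@untrusted.example>\n"
    "Received: from client.example (client.example [192.0.2.10])\n"
    "\tby mx.example.org with ESMTP id 0123456789A\n"
    "return-path:\n"
    " <second-forged@untrusted.example>\n"
    "From: someone@example.net\n"
    "Subject: constructed test\n"
    "\n"
    "Return-Path: this line is body text and must be kept.\n"
)

if __name__ == "__main__":
    print(deliver_with_return_path(SAMPLE, "real-sender@example.org"))
```
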
From: ricardo at wenn.com (Ricardo Branco) Date: Fri Dec 11 11:48:13 2009 Subject: Problem with Return-Path from certain ISPs In-Reply-To: References: <4B17D286.9020303@wenn.com> <4B222309.90306@wenn.com> Message-ID: <4B22316B.8040509@wenn.com> If I take MS out the loop then its all ok, this is the main turning point to indicate MS as being the culprit in this. I think that Hotmail is adding the Return-Path for some reason and then MS has code to detect it and reconstitute the header for when it needs to add extra headers etc.., its at this point that its going wrong and it fails to add a new one, clearly its MS and not sendmail in this particular case due to my prior remark. Jethro R Binks wrote, On 11/12/2009 11:31: > On Fri, 11 Dec 2009, Ricardo Branco wrote: > > >> Ive been able to reproduce this again and again, not only with Hotmail. >> >> It seems that if the sending MTA (ie Hotmail) supplies a Return-Path >> then for some reason its taken out. >> >> I think there is a bug in MailScanner/Sendmail.pm arround line 352 >> >> I tested this by telnetting to my mail server and in the DATA section >> putting a returnpath and it then did not end up on the final headers, >> but if i dont put it then its there. >> > The Return-Path: header should ONLY be added by the final receiving > server, at the point of delivery to the mailbox (in its role as MDA). > Its value is copied from the envelope sender address as received by the > delivering server. It should not be present on messages in-transit before > that point, so it is not inappropriate for it to be removed as it is > untrusted information -- if MailScanner is indeed doing so. > > Perhaps Sendmail, or Dovecot's LDA, are not adding the header when they > should? > > Jethro. > > > >> Ricardo Branco wrote, On 03/12/2009 15:00: >> >>> Centos+MailScanner+Sendmail+DovecotLDA >>> >>> We started noticing issues with return-path not being passed though to >>> Sendmail/DovecotLDA. 
This causes a knock on affect on Sieve filters in >>> DovecotLDA which rely on Return-Path being passed though. >>> >>> If I take MailScanner out the loop then all is well, Return-Path >>> exists to my mailbox, but if MS is running then it does not come >>> through. >>> >>> Any reason why this would be happening? >>> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> > . . . . . . . . . . . . . . . . . . . . . . . . . > Jethro R Binks > Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK > From msz at astrouw.edu.pl Fri Dec 11 12:21:19 2009 From: msz at astrouw.edu.pl (Michal Szymanski) Date: Fri Dec 11 12:21:28 2009 Subject: MS keeps sending "Problem Messages" email In-Reply-To: <200912111204.nBBC0qAw018669@safir.blacknight.ie> References: <200912111204.nBBC0qAw018669@safir.blacknight.ie> Message-ID: <20091211122119.GA24099@astrouw.edu.pl> > Date: Thu, 10 Dec 2009 22:11:30 +0100 
> From: Hugo van der Kooij > Subject: Re: MS keeps sending "Problem Messages" email > To: mailscanner@lists.mailscanner.info > Message-ID: <4B216402.3070805@vanderkooij.org> > Content-Type: text/plain; charset=ISO-8859-1; format=flowed > > On 10/12/09 11:22, Michal Szymanski wrote: > > > After upgrade of my system, MailScanner started to send, every hour or > > two, the following message to local "root": > > > > Currently being processed: > > > > Number of messages: 3 > > Tries Message Next Try At > > ===== ======= =========== > > 2 679CF35238A.A4B92 Wed Dec 9 19:06:46 2009 > > 2 2212E352375.A31EA Wed Dec 9 19:04:47 2009 > > 2 9985E35238D.A78A5 Wed Dec 9 19:04:13 2009 > > > > -- > > MailScanner > > > > No trace of files named as above, anywhere in the system (like in > > quarantine, queues etc.) > > My guess is that you just happen to have too many messages in a batch. > Then they can't all be handled in time so they stay in the queue untill > the next attempt and then pass through. > > Perhaps you need to reduce the number of messages in 1 batch? > > Hugo. I am not sure what you are suggesting. What do you mean by "batch". I do not see these messages in any of MailScanner/postfix spooling directories (or, at least, I cannot find them, either by 'find' or 'grep'). How can they reappear, then? regards, Michal. From msz at astrouw.edu.pl Fri Dec 11 15:19:05 2009 
From: msz at astrouw.edu.pl (Michal Szymanski)
Date: Fri Dec 11 15:19:14 2009
Subject: technical: replying to a digested message?
Message-ID: <20091211151905.GA4338@astrouw.edu.pl>

Sorry for OT question but is there an easy way to reply to a message got in a daily digest in such a way that it gets into the right thread? I chose the digest option to get less mail traffic but now I see that when I replied to a digested message, a new thread was opened.

I am using mainly 'mutt' as mailer and it mentions something about showing multipart/digest messages as separate mails but this apparently does now work with mailscanner digests.

regards, Michal.

-- 
Michal Szymanski (msz at astrouw dot edu dot pl)
Warsaw University Observatory, Warszawa, POLAND

From fcusack at fcusack.com Fri Dec 11 15:26:10 2009
From: fcusack at fcusack.com (Frank Cusack)
Date: Fri Dec 11 15:26:24 2009
Subject: mailscanner doesn't create work dirs per "Run As User"
Message-ID: <72FB0CE32BF69AF506062BE4@rdf.local>

If the "Incoming Work Dir" and "Quarantine Dir" do not exist when mailscanner starts up, it creates them but this apparently happens before changing uid, as evidenced on my system by them being created owned by root. Mailscanner is then unable to create the subdirs underneath as by the time it does THAT, it has changed to the Run As User.

Or am I doing something wrong?

4.78.17

-frank

From richard at fastnet.co.uk Fri Dec 11 16:04:02 2009
From: richard at fastnet.co.uk (Richard Mealing)
Date: Fri Dec 11 16:03:15 2009
Subject: Rulesets for SA
Message-ID:

Hi everyone,

I have been adding rulesets into SA with the following in the "Virus Names Which Are Spam" -

Sane*UNOFFICIAL HTML/* ScamNailer.Phish* winnow.malware* winnow.botnet.ff.trojans* winnow.botnets*

It's working great for me, so I thought I would share this with you all if you are interested - The scores have been changed a few times but as I say, this works great for me. All you should need to do is replace the ORGNAME. I've also added the ScamVirus at the bottom (and above) as I'm just downloading it periodically into the clam directory.

#Sanesecurity Signature (jurlbl.ndb)
header SPAMVIRUSJurlblAuto X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Jurlbl.Auto/i
score SPAMVIRUSJurlblAuto 3.0

#SaneSecurity Signature (phish.ndb)
header SPAMVIRUSDoc X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Doc/i
score SPAMVIRUSDoc 3.0
header SPAMVIRUSFake X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Fake/i
score SPAMVIRUSFake 3.0
header SPAMVIRUSPhishingAuction X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Phishing.Auction./i
score SPAMVIRUSPhishingAuction 3.0
header SPAMVIRUSPhishingAzon X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Phishing.Azon/i
score SPAMVIRUSPhishingAzon 3.0
header SPAMVIRUSPhishingBank X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Phishing.Bank/i
score SPAMVIRUSPhishingBank 3.0
header SPAMVIRUSPhishingCard X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Phishing.Card/i
score SPAMVIRUSPhishingCard 3.0
header SPAMVIRUSPhishingCur X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Phishing.Cur/i
score SPAMVIRUSPhishingCur 3.0
header SPAMVIRUSPhishingDca X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Phishing.Dca/i
score SPAMVIRUSPhishingDca 3.0
header SPAMVIRUSPhishingFake X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Phishing.Fake/i
score SPAMVIRUSPhishingFake 3.0
header SPAMVIRUSPhishingGiftCard X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Phishing.GiftCard/i
score SPAMVIRUSPhishingGiftCard 3.0
header SPAMVIRUSPhishingHex X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Phishing.Hex/i
score SPAMVIRUSPhishingHex 3.0
header SPAMVIRUSPhishingIvt X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Phishing.Ivt/i
score SPAMVIRUSPhishingIvt 3.0
header SPAMVIRUSPhishingJsc X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Phishing.Jsc/i
score SPAMVIRUSPhishingJsc 3.0
header SPAMVIRUSPhishingNam X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Phishing.Nam/i
score SPAMVIRUSPhishingNam 3.0
header SPAMVIRUSPhishingOnf X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Phishing.Onf/i
score SPAMVIRUSPhishingOnf 3.0
header SPAMVIRUSPhishingPay X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Phishing.Pay/i
score SPAMVIRUSPhishingPay 3.0
header SPAMVIRUSPhishingRdi X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Phishing.Rdi/i
score SPAMVIRUSPhishingRdi 3.0
header SPAMVIRUSPhishingRock X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Phishing.Rock/i
score SPAMVIRUSPhishingRock 3.0
header SPAMVIRUSPhishingRockGen X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Phishing.RockGen/i
score SPAMVIRUSPhishingRockGen 3.0
header SPAMVIRUSPhishingShop X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Phishing.Shop/i
score SPAMVIRUSPhishingShop 3.0
header SPAMVIRUSPhishingSlw X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Phishing.Slw/i
score SPAMVIRUSPhishingSlw 3.0
header SPAMVIRUSPhishingUrl X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Phishing.Url/i
score SPAMVIRUSPhishingUrl 3.0
header SPAMVIRUSPhishingWrd X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Phishing.Wrd/i
score SPAMVIRUSPhishingWrd 3.0
header SPAMVIRUSPhishingTestSig X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.PhishingTestSig/i
score SPAMVIRUSPhishingTestSig 3.0
header SPAMVIRUSTestSig_Type3_Bdy X-ORGNAME-MailScanner-SpamVirus-Report =~ /TestSig_Type3_Bdy/i
score SPAMVIRUSTestSig_Type3_Bdy 3.0
header SPAMVIRUSTestSig_Type4_Bdy X-ORGNAME-MailScanner-SpamVirus-Report =~ /TestSig_Type4_Bdy/i
score SPAMVIRUSTestSig_Type4_Bdy 3.0
header SPAMVIRUSTestSig_Type4_Hdr X-ORGNAME-MailScanner-SpamVirus-Report =~ /TestSig_Type4_Hdr/i
score SPAMVIRUSTestSig_Type4_Hdr 3.0

#SaneSecurity Signature (scam.ndb)
header SPAMVIRUSSpam X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Spam/i
score SPAMVIRUSSpam 3.0
header SPAMVIRUSCred X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Cred/i
score SPAMVIRUSCred 3.0
header SPAMVIRUSDipl X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Dipl/i
score SPAMVIRUSDipl 3.0
header SPAMVIRUSHdr X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Hdr/i
score SPAMVIRUSHdr 3.0
header SPAMVIRUSImg X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Img/i
score SPAMVIRUSImg 3.0
header SPAMVIRUSJob X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Job/i
score SPAMVIRUSJob 3.0
header SPAMVIRUSLoan X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Loan/i
score SPAMVIRUSLoan 3.0
header SPAMVIRUSPorn X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Porn/i
score SPAMVIRUSPorn 3.0
header SPAMVIRUSImgo X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Imgo/i
score SPAMVIRUSImgo 3.0
header SPAMVIRUSScam4 X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Scam4/i
score SPAMVIRUSScam4 3.0
header SPAMVIRUSScamL X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.ScamL/i
score SPAMVIRUSScamL 3.0
header SPAMVIRUSStk X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Stk/i
score SPAMVIRUSStk 3.0
header SPAMVIRUSTestSig X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.TestSig/i
score SPAMVIRUSTestSig 3.0

#SaneSecurity Signature (junk.ndb)
header SPAMVIRUSJunk X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Junk/i
score SPAMVIRUSJunk 3.0

#SaneSecurity Signature (rogue.hdb)
header SPAMVIRUSRogue X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Rogue/i
score SPAMVIRUSRogue 4.0
header SPAMVIRUSTrogan X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Trojan/i
score SPAMVIRUSTrogan 4.0

#SaneSecurity Signature (lott.ndb)
header SPAMVIRUSLott X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Lott/i
score SPAMVIRUSLott 3.0

#SaneSecurity Signature (spear.ndb)
header SPAMVIRUSSpear X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Spear/i
score SPAMVIRUSSpear 3.0

#SaneSecurity Signature (spamimg.hdb)
header SPAMVIRUSSpamImg X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.SpamImg/i
score SPAMVIRUSSpamImg 3.0

#SaneSecurity Signature (spam.ldb)
header SPAMVIRUSSpamldg X-ORGNAME-MailScanner-SpamVirus-Report =~ /Sanesecurity.Spam.ldb/i
score SPAMVIRUSSpamldg 3.0

#SaneSecurity Signature (winnow_malware.hdb)
header SPAMVIRUSwinmalware X-ORGNAME-MailScanner-SpamVirus-Report =~ /winnow.malware/i
score SPAMVIRUSwinmalware 2.0

#SaneSecurity Signature (winnow_malware_links.ndb)
header SPAMVIRUSwinmalwarelink X-ORGNAME-MailScanner-SpamVirus-Report =~ /winnow.botnet.ff.trojans/i
score SPAMVIRUSwinmalwarelink 3.0
header SPAMVIRUSwinmalwarelinkbot X-ORGNAME-MailScanner-SpamVirus-Report =~ /winnow.botnets/i
score SPAMVIRUSwinmalwarelinkbot 3.0

#ScamNailer Config! New...
header SCAMNAILER X-ORGNAME-MailScanner-SpamVirus-Report =~ /ScamNailer.Phish/i
score SCAMNAILER 2.0

Thanks,
Rich
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091211/1f7b478f/attachment.html

From GSilver at rampuptech.com Fri Dec 11 16:30:40 2009
From: GSilver at rampuptech.com (Gavin Silver)
Date: Fri Dec 11 16:30:57 2009
Subject: Mailscanner Upgrade (Ubuntu)
In-Reply-To:
References:
Message-ID: <98935592-BAEC-4CF8-98DE-1B12757031ED@rampuptech.com>

Is it as easy as downloading the latest release from http://debian.intergenia.de/debian/pool/main/m/mailscanner/ and just dpkg -i the deb?

Will it maintain all of my configurations?

I can't seem to find any documentation online relating to upgrading on debian based systems and the book only has information regarding the rpm version.

Thanks in advance.

----------------------------------
Gavin Silver

From bpirie at rma.edu Fri Dec 11 16:42:39 2009
From: bpirie at rma.edu (Brendan Pirie)
Date: Fri Dec 11 16:42:58 2009
Subject: Mailscanner Upgrade (Ubuntu)
In-Reply-To: <98935592-BAEC-4CF8-98DE-1B12757031ED@rampuptech.com>
References: <98935592-BAEC-4CF8-98DE-1B12757031ED@rampuptech.com>
Message-ID: <4B22767F.2020603@rma.edu>

The deb package you're referring to is not maintained by the MailScanner author, so any documentation specific to the deb should come from the deb maintainer.

Brendan

On 12/11/2009 11:30 AM, Gavin Silver wrote:
> Is it as easy as downloading the latest release from http://debian.intergenia.de/debian/pool/main/m/mailscanner/ and just dpkg -i the deb?
>
> Will it maintain all of my configurations?
>
> I can't seem to find any documentation online relating to upgrading on debian based systems and the book only has information regarding the rpm version.
>
> Thanks in advance.
>
> ----------------------------------
> Gavin Silver

From GSilver at rampuptech.com Fri Dec 11 17:33:32 2009
From: GSilver at rampuptech.com (Gavin Silver)
Date: Fri Dec 11 17:33:49 2009
Subject: Mailscanner Upgrade (Ubuntu)
In-Reply-To: <4B22767F.2020603@rma.edu>
References: <98935592-BAEC-4CF8-98DE-1B12757031ED@rampuptech.com> <4B22767F.2020603@rma.edu>
Message-ID:

It is not maintained but it is linked to directly from http://www.mailscanner.info/ubuntu.html

If anyone with personal experience upgrading mailscanner on a debian based system would please share any information they have with me it would be greatly appreciated.

On Dec 11, 2009, at 11:42 AM, Brendan Pirie wrote:

The deb package you're referring to is not maintained by the MailScanner author, so any documentation specific to the deb should come from the deb maintainer.

Brendan

On 12/11/2009 11:30 AM, Gavin Silver wrote:

Is it as easy as downloading the latest release from http://debian.intergenia.de/debian/pool/main/m/mailscanner/ and just dpkg -i the deb?

Will it maintain all of my configurations?

I can't seem to find any documentation online relating to upgrading on debian based systems and the book only has information regarding the rpm version.

Thanks in advance.

----------------------------------
Gavin Silver

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

----------------------------------
Gavin Silver
Ramp Up Technology
gsilver@rampuptech.com
----------------------------------

Please remember to send all issues to: support@rampuptech.com.

The information contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer.

From greg at blastzone.com Fri Dec 11 18:24:33 2009
From: greg at blastzone.com (greg@blastzone.com)
Date: Fri Dec 11 18:24:48 2009
Subject: Mailscanner Upgrade (Ubuntu)
In-Reply-To:
References: <98935592-BAEC-4CF8-98DE-1B12757031ED@rampuptech.com> <4B22767F.2020603@rma.edu>
Message-ID:

I've always installed from sources on my debian box, and the process documented there for upgrades works pretty well. And this is coming from a windows shop linux-noob...

On Fri, 11 Dec 2009 12:33:32 -0500, Gavin Silver wrote:
> It is not maintained but it is linked to directly from http://www.mailscanner.info/ubuntu.html
>
> If anyone with personal experience upgrading mailscanner on a debian based system would please share any information they have with me it would be greatly appreciated.
>
> On Dec 11, 2009, at 11:42 AM, Brendan Pirie wrote:
>
> The deb package you're referring to is not maintained by the MailScanner author, so any documentation specific to the deb should come from the deb maintainer.
>
> Brendan
>
> On 12/11/2009 11:30 AM, Gavin Silver wrote:
> Is it as easy as downloading the latest release from http://debian.intergenia.de/debian/pool/main/m/mailscanner/ and just dpkg -i the deb?
>
> Will it maintain all of my configurations?
>
> I can't seem to find any documentation online relating to upgrading on debian based systems and the book only has information regarding the rpm version.
>
> Thanks in advance.
>
> ----------------------------------
> Gavin Silver
>
> ----------------------------------
> Gavin Silver
> Ramp Up Technology
> gsilver@rampuptech.com
> ----------------------------------
>
> Please remember to send all issues to: support@rampuptech.com.

From dgottsc at emory.edu Fri Dec 11 18:35:42 2009
From: dgottsc at emory.edu (Gottschalk, David)
Date: Fri Dec 11 18:36:07 2009
Subject: University MailScanner Setup
Message-ID:

I'm posing a question to those of you who work for a University or College.

Here at Emory, we have a hosted email filtering called Postini (which is now owned by Google). Behind that, we have six MailScanner machines that relay mail to the appropriate internal mail system. After the economic turndown, we have been looking anywhere to save costs. I'm contemplating proposing that we dump our hosted filtering solution because it is quite expensive ($5+ per user per year), and rely on MailScanner instead entirely. Then we would just have a bunch of MailScanner machines fronted by a load balancer to handle all inbound email (I'd imagine we need more than six after doing so).

I'm wondering though how other colleges are handling their mail filtering using MailScanner. How many machines are being used, etc, etc?

We currently get about 30-40 million email messages per week, of which about 1.5 million are delivered to our relays. We have approximately 40,000 email accounts.

Thanks for any assistance, advice.

David Gottschalk
Emory University
UTS Messaging Team

This e-mail message (including any attachments) is for the sole use of the intended recipient(s) and may contain confidential and privileged information. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this message (including any attachments) is strictly prohibited.

If you have received this message in error, please contact the sender by reply e-mail message and destroy all copies of the original message (including attachments).

From shuttlebox at gmail.com Fri Dec 11 18:55:10 2009
From: shuttlebox at gmail.com (shuttlebox)
Date: Fri Dec 11 18:55:38 2009
Subject: University MailScanner Setup
In-Reply-To:
References:
Message-ID: <625385e30912111055r2a08bb70pe9a4a09c79b66af1@mail.gmail.com>

On Fri, Dec 11, 2009 at 7:35 PM, Gottschalk, David wrote:
> Then we would just have a bunch of MailScanner machines fronted by a load balancer to handle all inbound email (I'd imagine we need more than six after doing so)

I doubt you need to spend money/time on a dedicated load balancer. Just setting up all your MailScanner servers as MX hosts in your DNS should do the trick for free. Load balancing via round robin from DNS and failover from SMTP automatically picking the next MX if one is not available.

--
/peter

From steve.freegard at fsl.com Fri Dec 11 19:12:49 2009
From: steve.freegard at fsl.com (Steve Freegard)
Date: Fri Dec 11 19:13:03 2009
Subject: University MailScanner Setup
In-Reply-To: <625385e30912111055r2a08bb70pe9a4a09c79b66af1@mail.gmail.com>
References: <625385e30912111055r2a08bb70pe9a4a09c79b66af1@mail.gmail.com>
Message-ID: <4B2299B1.4000903@fsl.com>

On 11/12/09 18:55, shuttlebox wrote:
> On Fri, Dec 11, 2009 at 7:35 PM, Gottschalk, David wrote:
>> Then we would just have a bunch of MailScanner machines fronted by a load balancer to handle all inbound email (I'd imagine we need more than six after doing so)
>
> I doubt you need to spend money/time on a dedicated load balancer. Just setting up all your MailScanner servers as MX hosts in your DNS should do the trick for free. Load balancing via round robin from DNS and failover from SMTP automatically picking the next MX if one is not available.
>

If you can afford a proper load balancer with all the associated bells and whistles, then IMO you'll save yourself plenty of headaches in a MailScanner environment.

MX load balancing is fine for SMTP services; but MailScanner doesn't speak SMTP - it's both post-queue and batching, so if you can report your inbound queue sizes to the load balancer; then you can minimize your pre-delivery waiting times and ensure that load is evenly spread out - which can be a real problem if you have mismatched machines performance wise.

Kind regards,
Steve.

From lstewart at superb.net Fri Dec 11 19:32:43 2009
From: lstewart at superb.net (Landon Stewart)
Date: Fri Dec 11 19:32:54 2009
Subject: University MailScanner Setup
In-Reply-To:
References:
Message-ID:

On Fri, Dec 11, 2009 at 10:35 AM, Gottschalk, David wrote:
> I'm wondering though how other colleges are handling their mail filtering using MailScanner. How many machines are being used, etc, etc?
>

We use MailScanner to filter *outbound* mail from our web cluster (about 50 servers). Two high end machines with round robin DNS does the trick for us. It's not perfect but if all the machines have identical hardware the law of averages will be fine for round robin DNS. If you are mixing hardware I think that one or more of them will eventually get loaded down and cause issues unless you baby sit your mail servers regularly. Load balancing is good but not necessary in our setup. Handling your volume though it would help if it was actually balancing load instead of just distributing based on response time of the SMTP daemon or something equally useless.

>
> We currently get about 30-40 million email messages per week, of which about 1.5 million are delivered to our relays. We have approximately 40,000 email accounts.
>

We are only processing about 110,000 outbound email messages a week from these web servers across both MailScanner boxen.

--
Landon Stewart
SuperbHosting.Net by Superb Internet Corp.
Toll Free: 888-354-6128 x 4199 (US/Canada)
Web hosting and more "Ahead of the Rest": http://www.superbhosting.net

From rlopezcnm at gmail.com Fri Dec 11 20:43:26 2009
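The queue-aware balancing that Steve Freegard's and Landon Stewart's messages above call for, as an added example that is not from the thread or from MailScanner itself: it counts the messages waiting in a gateway's inbound queue and turns each host's remaining headroom into a load-balancer weight, then compares the result with an equal (round-robin) split. The one-file-per-message queue layout, the per-host scan rates, the 10-minute wait target and the 0-100 weight scale are assumptions.

```python
"""Queue-aware weights for a pool of MailScanner gateways (added example)."""
import os

# Constructed sample: host -> (messages waiting to be scanned, messages scanned per minute).
# mx3 stands in for an older, slower machine in a mismatched pool.
SAMPLE_HOSTS = {"mx1": (200, 100.0), "mx2": (200, 100.0), "mx3": (200, 25.0)}


def queue_depth(queue_dir, prefix=""):
    """Count messages waiting in an inbound queue directory.

    Assumes one file per message, possibly in hashed subdirectories. For a
    queue that keeps two files per message (sendmail-style qf*/df* pairs),
    pass prefix="qf" so that each message is counted once.
    """
    depth = 0
    for _root, _dirs, files in os.walk(queue_dir):
        depth += sum(1 for f in files
                     if f.startswith(prefix) and not f.startswith("."))
    return depth


def estimated_wait(depth, msgs_per_min):
    """Minutes a newly queued message waits before it is scanned."""
    if msgs_per_min <= 0:
        return float("inf")  # scanner stalled: the backlog never drains
    return depth / msgs_per_min


def weights(hosts, max_wait_min=10.0):
    """Map {host: (depth, rate)} to {host: weight 0..100}.

    Headroom is how many more messages a host can take while still scanning
    everything within max_wait_min. A host with no headroom gets weight 0,
    so the balancer stops sending it new connections until it catches up.
    """
    headroom = {name: max(0.0, rate * max_wait_min - depth)
                for name, (depth, rate) in hosts.items()}
    top = max(headroom.values(), default=0.0)
    if top == 0:
        return {name: 0 for name in hosts}
    return {name: round(100 * h / top) for name, h in headroom.items()}


def worst_wait_after(hosts, new_msgs, shares):
    """Longest per-host wait (minutes) after new_msgs are split by shares."""
    total = sum(shares.values())
    worst = 0.0
    for name, (depth, rate) in hosts.items():
        extra = new_msgs * shares[name] / total if total else 0
        worst = max(worst, estimated_wait(depth + extra, rate))
    return worst


if __name__ == "__main__":
    w = weights(SAMPLE_HOSTS)
    equal = {name: 1 for name in SAMPLE_HOSTS}  # what MX round robin gives
    print("weights:", w)
    print("worst wait, equal split:    %.1f min"
          % worst_wait_after(SAMPLE_HOSTS, 900, equal))
    print("worst wait, weighted split: %.1f min"
          % worst_wait_after(SAMPLE_HOSTS, 900, w))
```

With the constructed pool, an equal split of 900 new messages leaves the slow host with a 20-minute backlog, while the weighted split keeps every host under the 10-minute target.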
From: rlopezcnm at gmail.com (Robert Lopez)
Date: Fri Dec 11 20:43:36 2009
Subject: University MailScanner Setup
In-Reply-To:
References:
Message-ID:

On Fri, Dec 11, 2009 at 11:35 AM, Gottschalk, David wrote:
> I'm posing a question to those of you who work for a University or College.
>
> Here at Emory, we have a hosted email filtering called Postini (which is now owned by Google). Behind that, we have six MailScanner machines that relay mail to the appropriate internal mail system. After the economic turndown, we have been looking anywhere to save costs. I'm contemplating proposing that we dump our hosted filtering solution because it is quite expensive ($5+ per user per year), and rely on MailScanner instead entirely. Then we would just have a bunch of MailScanner machines fronted by a load balancer to handle all inbound email (I'd imagine we need more than six after doing so)
>
> I'm wondering though how other colleges are handling their mail filtering using MailScanner. How many machines are being used, etc, etc?
>
> We currently get about 30-40 million email messages per week, of which about 1.5 million are delivered to our relays. We have approximately 40,000 email accounts.
>
> Thanks for any assistance, advice.
>
> David Gottschalk
> Emory University
> UTS Messaging Team
>

David,

At Central New Mexico Community College, we run three load balanced Postfix+MailScanner gateways that pass email to either a student email system, a faculty/staff system, or to a mailman list server.

As of this week, we have 130,647 email accounts of which 54,405 are currently enrolled students+college staff.

Based on the last six weeks:
We accept and deliver about 0.5 million email per week.
The Postfix+RBL reject about 2.25 million email that were never queued to MailScanner.
MailScanner+Spamassassin identify 130k/week accepted email as spam.
MailScanner+ClamAV find over 300 virus/week.
MailScanner+ finds over 35,000 phishing email/week.

--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106

From dchee at uci.edu Fri Dec 11 21:19:36 2009
From: dchee at uci.edu (Derek Chee)
Date: Fri Dec 11 21:19:48 2009
Subject: University MailScanner Setup
In-Reply-To:
References:
Message-ID: <10955DE2-701D-4D9F-AF83-14366D546D97@uci.edu>

On Dec 11, 2009, at 10:35 AM, Gottschalk, David wrote:
> I'm wondering though how other colleges are handling their mail filtering using MailScanner. How many machines are being used, etc, etc?

At UC Irvine, we have four Sendmail+MailScanner external email gateways. We don't have a load balancer, just MX records. The four servers are not identical so we occasionally have unbalanced load issues, but nothing of major concern. We run ClamAV as a milter with most of the SaneSecurity signatures, Spamhaus ZEN RBL for blocking, internal block list, greylisting, connection throttling (too many, too soon, too many bad, etc.) and SpamAssassin (just tagging, no quarantine).

According to the latest stats, we blocked 6.7 million connections/messages last week through whatever means. Accepted 2.3 million messages and marked 136k of those as spam. These numbers are not peak numbers. We had a dramatic drop off in spam in September 2008. Before that time, we were rejecting around 4 million connections/messages per day with the same set of four servers, while the number of accepted messages stayed the same. I really couldn't tell you how many mailboxes we protect as the gateways protect multiple servers at UC Irvine and I've never counted all of the potential accounts.

-- Derek

Derek Chee
Network & Support Programming
Office of Information Technology
University of California, Irvine

From pascal.maes at elec.ucl.ac.be Sat Dec 12 06:12:28 2009
From: pascal.maes at elec.ucl.ac.be (Pascal Maes)
Date: Sat Dec 12 06:12:44 2009
Subject: Other bad content detected : Why ?
Message-ID: <5664624F-BBB7-4189-A988-F47CA9AEF04F@elec.ucl.ac.be>

Hello

Could you tell us why the following message has bad contents?

You will find the raw mail queue file stored on the postfix server (DE3D2EB99B) and the message that has been released (38629.msg) but some lines have perhaps been added by the other mta (between the postfix server and the mailbox)

Thanks

--
Pascal

-------------- next part --------------
A non-text attachment was scrubbed...
Name: DE3D2EB99B
Type: application/octet-stream
Size: 3395 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091212/6827d3fe/DE3D2EB99B.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 38629.msg
Type: application/octet-stream
Size: 2954 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091212/6827d3fe/38629.obj

From mmmm82 at gmail.com Sat Dec 12 12:51:10 2009
From: mmmm82 at gmail.com (Monis Monther)
Date: Sat Dec 12 12:51:19 2009
Subject: University MailScanner Setup
In-Reply-To: <10955DE2-701D-4D9F-AF83-14366D546D97@uci.edu>
References: <10955DE2-701D-4D9F-AF83-14366D546D97@uci.edu>
Message-ID: <837e17ab0912120451w60b6d8e6p36e979b533aec07a@mail.gmail.com>

What do you use to monitor all of this???

On Fri, Dec 11, 2009 at 11:19 PM, Derek Chee wrote:
> On Dec 11, 2009, at 10:35 AM, Gottschalk, David wrote:
> > I'm wondering though how other colleges are handling their mail filtering using MailScanner. How many machines are being used, etc, etc?
>
> At UC Irvine, we have four Sendmail+MailScanner external email gateways. We don't have a load balancer, just MX records. The four servers are not identical so we occasionally have unbalanced load issues, but nothing of major concern. We run ClamAV as a milter with most of the SaneSecurity signatures, Spamhaus ZEN RBL for blocking, internal block list, greylisting, connection throttling (too many, too soon, too many bad, etc.) and SpamAssassin (just tagging, no quarantine).
>
> According to the latest stats, we blocked 6.7 million connections/messages last week through whatever means. Accepted 2.3 million messages and marked 136k of those as spam. These numbers are not peak numbers. We had a dramatic drop off in spam in September 2008. Before that time, we were rejecting around 4 million connections/messages per day with the same set of four servers, while the number of accepted messages stayed the same. I really couldn't tell you how many mailboxes we protect as the gateways protect multiple servers at UC Irvine and I've never counted all of the potential accounts.
>
> -- Derek
>
> Derek Chee
> Network & Support Programming
> Office of Information Technology
> University of California, Irvine
>

From dchee at uci.edu Sat Dec 12 17:36:19 2009
From: dchee at uci.edu (Derek Chee)
Date: Sat Dec 12 17:36:31 2009
Subject: University MailScanner Setup
In-Reply-To: <837e17ab0912120451w60b6d8e6p36e979b533aec07a@mail.gmail.com>
References: <10955DE2-701D-4D9F-AF83-14366D546D97@uci.edu> <837e17ab0912120451w60b6d8e6p36e979b533aec07a@mail.gmail.com>
Message-ID:

Custom Perl script reading the sendmail logs and an Excel spreadsheet. Very old school.

-- Derek

On Dec 12, 2009, at 4:51 AM, Monis Monther wrote:
> What do you use to monitor all of this???
>
> On Fri, Dec 11, 2009 at 11:19 PM, Derek Chee wrote:
> On Dec 11, 2009, at 10:35 AM, Gottschalk, David wrote:
> > I'm wondering though how other colleges are handling their mail filtering using MailScanner. How many machines are being used, etc, etc?
>
> At UC Irvine, we have four Sendmail+MailScanner external email gateways. We don't have a load balancer, just MX records. The four servers are not identical so we occasionally have unbalanced load issues, but nothing of major concern. We run ClamAV as a milter with most of the SaneSecurity signatures, Spamhaus ZEN RBL for blocking, internal block list, greylisting, connection throttling (too many, too soon, too many bad, etc.) and SpamAssassin (just tagging, no quarantine).
>
> According to the latest stats, we blocked 6.7 million connections/messages last week through whatever means. Accepted 2.3 million messages and marked 136k of those as spam. These numbers are not peak numbers. We had a dramatic drop off in spam in September 2008. Before that time, we were rejecting around 4 million connections/messages per day with the same set of four servers, while the number of accepted messages stayed the same. I really couldn't tell you how many mailboxes we protect as the gateways protect multiple servers at UC Irvine and I've never counted all of the potential accounts.

From brose at med.wayne.edu Sat Dec 12 21:13:05 2009
From: brose at med.wayne.edu (Rose, Bobby)
Date: Sat Dec 12 21:13:37 2009
Subject: University MailScanner Setup
In-Reply-To: <625385e30912111055r2a08bb70pe9a4a09c79b66af1@mail.gmail.com>
References: <625385e30912111055r2a08bb70pe9a4a09c79b66af1@mail.gmail.com>
Message-ID:

We have two boxes (somewhat similar hardware) using LVS (with Piranha as GUI) for the load balancing of smtp. Our message counts are around 90-110 thousand.

Bobby Rose
Wayne State University School of Medicine

-=B

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of shuttlebox
Sent: Friday, December 11, 2009 1:55 PM
To: MailScanner discussion
Subject: Re: University MailScanner Setup

On Fri, Dec 11, 2009 at 7:35 PM, Gottschalk, David wrote:
> Then we would just have a bunch of MailScanner machines fronted by a load balancer to handle all inbound email (I'd imagine we need more than six after doing so)

I doubt you need to spend money/time on a dedicated load balancer. Just setting up all your MailScanner servers as MX hosts in your DNS should do the trick for free. Load balancing via round robin from DNS and failover from SMTP automatically picking the next MX if one is not available.

--
/peter

This document may include proprietary and confidential information of Wayne State University Physician Group and may only be read by those person(s) to whom it is addressed. If you have received this e-mail message in error, please notify us immediately. This document may not be reproduced, copied, distributed, published, modified or furnished to third parties, without prior written consent of Wayne State University Physician Group. Thank you.

From mmmm82 at gmail.com Sun Dec 13 21:16:45 2009
From: mmmm82 at gmail.com (Monis Monther)
Date: Sun Dec 13 21:16:53 2009
Subject: University MailScanner Setup
In-Reply-To:
References: <625385e30912111055r2a08bb70pe9a4a09c79b66af1@mail.gmail.com>
Message-ID: <837e17ab0912131316j4abd95b3u1c886582b2f9c571@mail.gmail.com>

Can you please also add how you monitor, and if anyone posts a solution please add the monitoring solution with it, Thanks

On Sat, Dec 12, 2009 at 11:13 PM, Rose, Bobby wrote:
> We have two boxes (somewhat similar hardware) using LVS (with Piranha as GUI) for the load balancing of smtp. Our message counts are around 90-110 thousand.
>
> Bobby Rose
> Wayne State University School of Medicine
>
> -=B
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of shuttlebox
> Sent: Friday, December 11, 2009 1:55 PM
> To: MailScanner discussion
> Subject: Re: University MailScanner Setup
>
> On Fri, Dec 11, 2009 at 7:35 PM, Gottschalk, David wrote:
> > Then we would just have a bunch of MailScanner machines fronted by a load balancer to handle all inbound email (I'd imagine we need more than six after doing so)
>
> I doubt you need to spend money/time on a dedicated load balancer. Just setting up all your MailScanner servers as MX hosts in your DNS should do the trick for free. Load balancing via round robin from DNS and failover from SMTP automatically picking the next MX if one is not available.
>
> --
> /peter

From brose at med.wayne.edu Sun Dec 13 22:04:15 2009
From: brose at med.wayne.edu (Rose, Bobby)
Date: Sun Dec 13 22:04:34 2009
Subject: University MailScanner Setup
In-Reply-To: <837e17ab0912131316j4abd95b3u1c886582b2f9c571@mail.gmail.com>
References: <625385e30912111055r2a08bb70pe9a4a09c79b66af1@mail.gmail.com> <837e17ab0912131316j4abd95b3u1c886582b2f9c571@mail.gmail.com>
Message-ID:

We use Sitescope to monitor all our boxes for such things as CPU, Mem, Disk and mailscanner/sendmail process count and port 25 connectivity (if load is high then sendmail doesn't accept connections thus alerting us to an issue). I also use a modified version of mailstats now called vispan which is based on perl and mrtg (http://www.while.org.uk/content/view/9/5/). We also do quarantining and per user whitelisting/blacklisting using MailWatch (http://mailwatch.sourceforge.net/).

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Monis Monther
Sent: Sunday, December 13, 2009 4:17 PM
To: MailScanner discussion
Subject: Re: University MailScanner Setup

Can you please also add how you monitor, and if anyone posts a solution please add the monitoring solution with it, Thanks

On Sat, Dec 12, 2009 at 11:13 PM, Rose, Bobby wrote:

We have two boxes (somewhat similar hardware) using LVS (with Piranha as GUI) for the load balancing of smtp. Our message counts are around 90-110 thousand.

Bobby Rose
Wayne State University School of Medicine

-=B

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of shuttlebox
Sent: Friday, December 11, 2009 1:55 PM
To: MailScanner discussion
Subject: Re: University MailScanner Setup

On Fri, Dec 11, 2009 at 7:35 PM, Gottschalk, David wrote:
> Then we would just have a bunch of MailScanner machines fronted by a load balancer to handle all inbound email (I'd imagine we need more than six after doing so)

I doubt you need to spend money/time on a dedicated load balancer. Just setting up all your MailScanner servers as MX hosts in your DNS should do the trick for free. Load balancing via round robin from DNS and failover from SMTP automatically picking the next MX if one is not available.

--
/peter

From J.Ede at birchenallhowden.co.uk Mon Dec 14 08:40:02 2009
From: J.Ede at birchenallhowden.co.uk (Jason Ede)
Date: Mon Dec 14 08:40:23 2009
Subject: University MailScanner Setup
In-Reply-To: <837e17ab0912131316j4abd95b3u1c886582b2f9c571@mail.gmail.com>
References: <625385e30912111055r2a08bb70pe9a4a09c79b66af1@mail.gmail.com> <837e17ab0912131316j4abd95b3u1c886582b2f9c571@mail.gmail.com>
Message-ID: <1213490F1F316842A544A850422BFA96128C18B520@BHLSBS.bhl.local>

We use zabbix, www.zabbix.com and this for monitoring postfix.. http://www.zabbix.com/wiki/howto/monitor/mail/postfix/monitoringpostfix

Along with a few items for monitoring state of postfix, MailScanner and clamd services it seems to work quite well...

Also, use vispan http://www.while.org.uk/content/view/9/5/ which has a nice gui and is easy to keep track of trends and such.

Jason

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Monis Monther
Sent: 13 December 2009 21:17
To: MailScanner discussion
Subject: Re: University MailScanner Setup

Can you please also add how you monitor, and if anyone posts a solution please add the monitoring solution with it, Thanks

On Sat, Dec 12, 2009 at 11:13 PM, Rose, Bobby wrote:

We have two boxes (somewhat similar hardware) using LVS (with Piranha as GUI) for the load balancing of smtp. Our message counts are around 90-110 thousand.

Bobby Rose
Wayne State University School of Medicine

-=B

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of shuttlebox
Sent: Friday, December 11, 2009 1:55 PM
To: MailScanner discussion
Subject: Re: University MailScanner Setup

On Fri, Dec 11, 2009 at 7:35 PM, Gottschalk, David wrote:
> Then we would just have a bunch of MailScanner machines fronted by a load balancer to handle all inbound email (I'd imagine we need more than six after doing so)

I doubt you need to spend money/time on a dedicated load balancer. Just setting up all your MailScanner servers as MX hosts in your DNS should do the trick for free. Load balancing via round robin from DNS and failover from SMTP automatically picking the next MX if one is not available.

--
/peter

From mmmm82 at gmail.com Mon Dec 14 08:56:14 2009
From: mmmm82 at gmail.com (Monis Monther)
Date: Mon Dec 14 08:56:24 2009
Subject: University MailScanner Setup
In-Reply-To:
References: <625385e30912111055r2a08bb70pe9a4a09c79b66af1@mail.gmail.com> <837e17ab0912131316j4abd95b3u1c886582b2f9c571@mail.gmail.com>
Message-ID: <837e17ab0912140056o3c493f42q6dc8b81dc2fa72b@mail.gmail.com>

Thanks for sharing this info

We also use MailWatch for monitoring, but one thing I can't find in it is when a mail is blocked due to bad file name or type it only says Bad content but no details stating what the reason was, so I have to go through the maillog and check what exactly it was, this process could be a little bit of a hurdle for HelpDesk team as they need a simple GUI tool and also they don't have shell access on the server.

We also use mailscanner-mrtg to keep graphs for statistical info.

On Mon, Dec 14, 2009 at 12:04 AM, Rose, Bobby wrote:

> We use Sitescope to monitor all our boxes for such things as CPU, Mem,
> Disk and mailscanner/sendmail process count and port 25 connectivity (if
> load is high then sendmail doesn't accept connections thus alerting us to an
> issue). I also use a modified version of mailstats now called vispan which
> is based on perl and mrtg (http://www.while.org.uk/content/view/9/5/). We
> also do quarantining and per user whitelisting/blacklisting using MailWatch
> (http://mailwatch.sourceforge.net/).
>
> *From:* mailscanner-bounces@lists.mailscanner.info [mailto:
> mailscanner-bounces@lists.mailscanner.info] *On Behalf Of *Monis Monther
> *Sent:* Sunday, December 13, 2009 4:17 PM
>
> *To:* MailScanner discussion
> *Subject:* Re: University MailScanner Setup
>
> Can you please also add how you monitor, and if anyone posts a solution
> please add the monitoring solution with it, Thanks
>
> On Sat, Dec 12, 2009 at 11:13 PM, Rose, Bobby wrote:
>
> We have two boxes (somewhat similar hardware) using LVS (with Piranha as
> GUI) for the load balancing of smtp. Our message counts are around 90-110
> thousand.
>
> Bobby Rose
> Wayne State University School of Medicine
>
> -=B
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:
> mailscanner-bounces@lists.mailscanner.info] On Behalf Of shuttlebox
> Sent: Friday, December 11, 2009 1:55 PM
> To: MailScanner discussion
> Subject: Re: University MailScanner Setup
>
> On Fri, Dec 11, 2009 at 7:35 PM, Gottschalk, David
> wrote:
> > Then we would just have a bunch of MailScanner machines fronted by a load
> balancer to handle all inbound email (I'd imagine we need more than six
> after doing so)
>
> I doubt you need to spend money/time on a dedicated load balancer.
> Just setting up all your MailScanner servers as MX hosts in your DNS
> should do the trick for free. Load balancing via round robin from DNS
> and failover from SMTP automatically picking the next MX if one is not
> available.
>
> --
> /peter

From glenn.steen at gmail.com Mon Dec 14 10:38:27 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Dec 14 10:38:35 2009
Subject: University MailScanner Setup
In-Reply-To: <837e17ab0912140056o3c493f42q6dc8b81dc2fa72b@mail.gmail.com>
References: <625385e30912111055r2a08bb70pe9a4a09c79b66af1@mail.gmail.com> <837e17ab0912131316j4abd95b3u1c886582b2f9c571@mail.gmail.com> <837e17ab0912140056o3c493f42q6dc8b81dc2fa72b@mail.gmail.com>
Message-ID: <223f97700912140238g3692f606nf00964b0fcd3a5e5@mail.gmail.com>

2009/12/14 Monis Monther :
> Thanks for sharing this info
>
> We also use MailWatch for monitoring, but one thing I can't find in it is
> when a mail is blocked due to bad file name or type it only says Bad content
> but no details stating what the reason was, so I have to go through the
> maillog and check what exactly it was, this process could be a little bit a
> hurdle for HelpDesk team as they need a simple GUI tool and also they don't
> have shell access on the server.

The Report: field contains what MailScanner thought of it... Like "No programs allowed", or "Attempt to hide real filename extension" ... Is this not enough for you? Sure, you need to look at the message detail (click in the empty box at the start of the line) ... but that should be it. No need to log on and trawl the maillog files...:)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From ssilva at sgvwater.com Mon Dec 14 16:59:58 2009
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Dec 14 17:00:35 2009
Subject: Read IP Address From Received Header
In-Reply-To:
References: <223f97700912010529o401ea919h967ab2aa3bccdb89@mail.gmail.com>
Message-ID:

on 12-10-2009 9:26 PM Frank Cusack spake the following:
> On December 1, 2009 9:32:58 AM -0800 Frank Cusack
> wrote:
>> So now that I understand that bit, here's a problem combining that
>> and "bounce". The bounce action for spam says you need to whitelist
>> 127.0.0.1 ... make sense. But since I have "Read IP Address From
>> Received Header" set to 2, and for bounces there will not even be
>> 2 received headers, will that whitelist even work?
>
> I'm still not satisfied with the answer on bouncing, but it seems
> that bounce is not a viable option anyway, if your mailscanner host
> is not the MX host, due to the impossibility of whitelisting yourself
> in that case. UNLESS ... unless I can set "Read IP Address From
> Received Header" to 0, disabling any host-specific whitelists other
> than localhost but at least allowing "bounce" to work. Yes?
>
> -frank

Bounce is NEVER a good idea... Almost all spam is forged in some way, and you will only cause yourself problems

From drolland at kdinet.com Mon Dec 14 18:53:50 2009
From: drolland at kdinet.com (Diane Rolland)
Date: Mon Dec 14 18:55:12 2009
Subject: Problem with check_MailScanner hourly Cron
In-Reply-To:
References: <002d01ca6bcd$04ea4490$0ebecdb0$@com> <02ba01ca7763$ced31c90$6c7955b0$@com>
Message-ID: <033a01ca7cee$c8647d50$592d77f0$@com>

Yes, that is what is happening. Discovered the multiples trying to troubleshoot why mail didn't always go out. When more than one instance, it seems to get unreliable in sending mail. Shut down the hourly cron, and now only one Master/Children, and mail always goes out.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Neuman
Sent: Monday, December 07, 2009 12:59 PM
To: MailScanner discussion
Subject: Re: Problem with check_MailScanner hourly Cron

Does this mean that after 5 hours you'll have 5 masters and 25 children?

On Dec 7, 2009, at 12:36 PM, Diane Rolland wrote:

> (1 master waiting for children, and 5 waiting for messages - every hour)

From fcusack at fcusack.com Mon Dec 14 23:46:31 2009
From: fcusack at fcusack.com (Frank Cusack)
Date: Mon Dec 14 23:46:44 2009
Subject: quarantine release might lose mail?
Message-ID:

Aren't queue files named after the inode?

If that's right, then the method in the above web page would seem to be wrong. First of all, the queue file in the quarantine is a copy of the original queue file, so the filename is "wrong". This doesn't matter and does not lead to a problem for mailscanner purposes though, AFAICT.

But the method of release involves copying the file to the incoming directory. This part is wrong, since the file is named incorrectly and postfix might reuse that filename. postfix won't itself put a file in the incoming queue dir (unless you can somehow bypass the header_check, not sure if that can happen for locally generated mail), but because the inode can be reused, 2+ queue files can be in the quarantine with the same name. You could release all of them together and lose mail.

I would think that you need to install the queue file using mktemp, then change the filename and lastly change the file mode.

-frank

From glenn.steen at gmail.com Tue Dec 15 10:01:07 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Dec 15 10:01:16 2009
Subject: Problem with check_MailScanner hourly Cron
In-Reply-To: <033a01ca7cee$c8647d50$592d77f0$@com>
References: <002d01ca6bcd$04ea4490$0ebecdb0$@com> <02ba01ca7763$ced31c90$6c7955b0$@com> <033a01ca7cee$c8647d50$592d77f0$@com>
Message-ID: <223f97700912150201q1e2cbf08rfcdd2a3f7bcc3a18@mail.gmail.com>

2009/12/14 Diane Rolland :
> Yes, that is what is happening. Discovered the multiples trying to
> troubleshoot why mail didn't always go out. When more than one instance,
> it seems to get unreliable in sending mail. Shut down the hourly cron, and
> now only one Master/Children, and mail always goes out.
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Neuman
> Sent: Monday, December 07, 2009 12:59 PM
> To: MailScanner discussion
> Subject: Re: Problem with check_MailScanner hourly Cron
>
> Does this mean that after 5 hours you'll have 5 masters and 25 children?
>
> On Dec 7, 2009, at 12:36 PM, Diane Rolland wrote:
>
>> (1 master waiting for children, and 5 waiting for messages - every hour)
>

Ok, so for some reason the check_MailScanner script logic fails. What do you get if you do

uname -a
ps axww | egrep MailScanner'[:]|\['MailScanner'\]|[ ]'/usr/sbin/MailScanner

The first should be a line containing the literal word "Linux", the second a (longish) list of MailScanner processes, with PID as first column... If the latter produces no output... then that would explain things;-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Tue Dec 15 10:08:50 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Dec 15 10:08:59 2009
Subject: quarantine release might lose mail?
In-Reply-To:
References:
Message-ID: <223f97700912150208m5e318004l56eff6ffed9ec904@mail.gmail.com>

2009/12/15 Frank Cusack :
>
>
> Aren't queue files named after the inode?
>
> If that's right, then the method in the above web page would seem to
> be wrong. First of all, the queue file in the quarantine is a copy of
> the original queue file, so the filename is "wrong". This doesn't matter
> and does not lead to a problem for mailscanner purposes though, AFAICT.
>
> But the method of release involves copying the file to the incoming
> directory. This part is wrong, since the file is named incorrectly and
> postfix might reuse that filename. postfix won't itself put a file in
> the incoming queue dir (unless you can somehow bypass the header_check,
> not sure if that can happen for locally generated mail), but because
> the inode can be reused, 2+ queue files can be in the quarantine with
> the same name. You could release all of them together and lose mail.

Highly theoretical risk, Highly unlikely to be a problem. What is your rate of release?;-)

> I would think that you need to install the queue file using mktemp,
> then change the filename and lastly change the file mode.

Perhaps, to be truly kosher, but in reality... this is not a big problem. And if you elect to use MailWatch, which demands that you quarantine the RFC822 encoded message file (iow not the queue file), the problem goes away entirely...

> -frank

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Tue Dec 15 10:33:36 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Dec 15 10:33:48 2009
Subject: Other bad content detected : Why ?
In-Reply-To: <5664624F-BBB7-4189-A988-F47CA9AEF04F@elec.ucl.ac.be>
References: <5664624F-BBB7-4189-A988-F47CA9AEF04F@elec.ucl.ac.be>
Message-ID: <223f97700912150233g1f4c3811u91b9bdeeea780210@mail.gmail.com>

2009/12/12 Pascal Maes :
> Hello
>
> Could you tell us why the following message has bad contents
>
> You will find the raw mail queue file stored on the postfix server (DE3D2EB99B) and the message that has been released (38629.msg) but some lines have perhaps been added by the other mta (between the postfix server and the mailbox)
>
> Thanks
> --
> Pascal
>

Might be that the eacute characters ... aggravate... your file command. Have you tried stripping it down to the "plain message body", as found in the queue file (using postcat or similar, to get at it), then running file on it to see what it says? Note that something seems to have ... munged ... some of those, so the message you show is slightly ... wrong, in that regard.

Also, I see that you use clamd-milter, which in turn means that you use the p-record rewriting.... Might not be the most efficient thing to do, since that will carry a "body spin-through" penalty. If that is your only milter, I'd think about using clamd in MailScanner instead.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From maillists at conactive.com Tue Dec 15 13:11:48 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Tue Dec 15 13:12:02 2009
Subject: Support for SA 3.3 ?
Message-ID:

A beta of SA 3.3 was released a few days ago. I just downloaded and built/tested it. Has anyone already tried if it works with MS? As it appears the API has just been expanded, so it should work fine, but I thought I'd ask around before jumping.

Info: http://people.apache.org/~wtogami/devel/

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From MailScanner at ecs.soton.ac.uk Tue Dec 15 13:58:19 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Dec 15 13:58:31 2009 Subject: MailScanner 4.79.3-1 taint problem in TNEF module In-Reply-To: <59491.130.59.6.127.1260196831.squirrel@webmail.buschor.ch> References: <59491.130.59.6.127.1260196831.squirrel@webmail.buschor.ch> <4B2795FB.2040604@ecs.soton.ac.uk> Message-ID: Fixed. Will be in the next release. Thanks for reporting it! Jules. On 07/12/2009 14:40, ThB wrote: > Hello, > > Just found another taint problem in MailScanner 4.79.3-1. > The lib/MailScanner/TNEF.pm module throws a taint error if I'm using the > external tnef expander. > TNEF Expander = /usr/local/bin/tnef --maxsize=100000000 > > > # /opt/MailScanner/bin/MailScanner --debug --id 1NHa3y-0003zs-3E > > In Debugging mode, not forking... > Trying to setlogsock(native) > INFO:: Meaningless output that goes nowhere, to keep SAVI happy > Building a message batch to scan... > Have a batch of 1 message. > Insecure dependency in rename while running with -T switch at > /opt/MailScanner/lib/MailScanner/TNEF.pm line 322. > > > Using the internal TNEF expander (TNEF Expander = internal) works without > problem. > > > regards > Thomas > > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From maillists at conactive.com Tue Dec 15 15:49:58 2009 
From: maillists at conactive.com (Kai Schaetzl)
Date: Tue Dec 15 15:50:12 2009
Subject: technical: replying to a digested message?
In-Reply-To: <20091211151905.GA4338@astrouw.edu.pl>
References: <20091211151905.GA4338@astrouw.edu.pl>
Message-ID:

Michal Szymanski wrote on Fri, 11 Dec 2009 16:19:05 +0100:

> Sorry for OT question but is there an easy way to reply to a message
> got in a daily digest in such a way that it gets into the right thread?

Does the digest contain the original message-id of the messages? If not, there is no way. And, if yes, I'm not sure if you could call it "easy" ;-)

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From fcusack at fcusack.com Tue Dec 15 15:52:46 2009
From: fcusack at fcusack.com (Frank Cusack) Date: Tue Dec 15 15:53:01 2009 Subject: quarantine release might lose mail? In-Reply-To: <223f97700912150208m5e318004l56eff6ffed9ec904@mail.gmail.com> References: <223f97700912150208m5e318004l56eff6ffed9ec904@mail.gmail.com> Message-ID: <5C94E2006E6A728CEEC47B23@rdf.local> On December 15, 2009 11:08:50 AM +0100 Glenn Steen wrote: > Highly theoretical risk, Highly unlikely to be a problem. What is your > rate of release?;-) I can see why the postfix guys aren't happy with mailscanner. It's not theoretical at all, the method documented to release from quarantine can absolutely corrupt or lose mail. (If, as you seem to agree, there can be a collision in queue file names.) Unlikely, for sure but most of the problems we face are edge conditions. I wouldn't know how to characterize the rate of inode reuse so I wouldn't be able to estimate how unlikely. >> I would think that you need to install the queue file using mktemp, >> then change the filename and lastly change the file mode. > Perhaps, to be truly kosher, but in reality... this is not a big problem. > And if you elect to use MailWatch, which demand that the you > quarantine the RFC822 encoded message file (iow not the queue file), > the problem goes away entirely... I don't use MW however thanks for the pointer. Like the problem where mailscanner would certify messages as clean if the virus scanner was not available, I cannot agree with the philosophy here. I don't like my infrastructure to work 99% of the time. Especially not, as in this case, where the fix is trivial and especially not when the problem and solution is known. I will post my qrelease program later today. -frank From rlopezcnm at gmail.com Tue Dec 15 17:32:36 2009 
From: rlopezcnm at gmail.com (Robert Lopez) Date: Tue Dec 15 17:33:30 2009 Subject: phishing.bad.sites.conf v ScamNailer Message-ID: When ScamNailer came out did MailScanner stop supporting the phishing.bad.sites.conf file or is it available for local use? -- Robert Lopez Unix Systems Administrator Central New Mexico Community College (CNM) 525 Buena Vista SE Albuquerque, New Mexico 87106 From fcusack at fcusack.com Tue Dec 15 23:00:01 2009 
From: fcusack at fcusack.com (Frank Cusack)
Date: Tue Dec 15 23:00:14 2009
Subject: quarantine release might lose mail?
In-Reply-To: <5C94E2006E6A728CEEC47B23@rdf.local>
References: <223f97700912150208m5e318004l56eff6ffed9ec904@mail.gmail.com> <5C94E2006E6A728CEEC47B23@rdf.local>
Message-ID:

On December 15, 2009 10:52:46 AM -0500 Frank Cusack wrote:
> Especially not, as in this case, where the fix is trivial and especially
> not when the problem and solution is known. I will post my qrelease
> program later today.

Here it is. One thing I learned is that the queue file name includes a timestamp, so the chance of a collision is much, much less than I'd originally guessed. Very very close to zero, I would expect. But the fix is trivial and guarantees correctness. Maybe this can make it onto the wiki page.

#!/bin/zsh
# qrelease - release a mail from the mailscanner quarantine for postfix
# The mailscanner quarantine directory and the postfix queue directory must
# be on the same filesystem.
# See also
# http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:how_to:release_quarantined_mail
#

# warn needs to prefix with progname, not function name
unsetopt FUNCTION_ARGZERO

warn() {
    echo $0: $* >&2
}

die() {
    warn $*
    exit 1
}

if [ $# -ne 1 ]
then
    echo "Usage: $0 QUARANTINE" >&2
    exit 1
fi

[ -d "$1" ] || die "Directory $1 does not exist"

qd=$1
pd=$(postconf -h queue_directory)/incoming
perl -e "exit 1 if (stat '$qd/.')[0] != (stat '$pd/.')[0]" ||
    die "$qd and $pd are not the same filesystem"

# die on any errors not explicitly caught
set -e

qf=${qd##*/}    # basename
qf=${qf%.*}     # prefix
[ -f $qd/$qf ] || die "Queue File $qd/$qf does not exist"

# The queue file name has a microseconds timestamp portion and an inum portion.
# The inum portion guarantees a unique name in the filesystem (required
# to prevent loss of data across the multiple queues).
# The time portion avoids recycling the queue id's quickly, so that an
# individual email can more easily be traced.
#
# Note that the queue filename in the quarantine is incorrect as it maintains
# the original queue filename, but is a COPY of the original queue file (ie,
# the inum portion is wrong). Because of the timestamp portion, it is highly
# unlikely to collide but it is possible. The chance of collision depends on
# the resolution of the system clock and the rate of inode reuse. We correct
# it because having an ABSOLUTE guarantee is nice and also it's trivial.

# We preserve the timestamp portion.
ts=$(printf %.5s $qf)

# make a copy first
cp $qd/$qf $qd/$ts.rename

# rename the queue file to match inum
pf=$ts$(printf %X $(ls -i $qd/$ts.rename | awk '{print $1}'))
mv $qd/$ts.rename $qd/$pf

# move to postfix queue dir
mv -i $qd/$pf $pd/$pf

References: <223f97700912150208m5e318004l56eff6ffed9ec904@mail.gmail.com> <5C94E2006E6A728CEEC47B23@rdf.local>
Message-ID: <223f97700912160149k2a98ecabmd5e147c16e49f13d@mail.gmail.com>

2009/12/16 Frank Cusack :
> On December 15, 2009 10:52:46 AM -0500 Frank Cusack
> wrote:
>>
>> Especially not, as in this case, where the fix is trivial and especially
>> not when the problem and solution is known. I will post my qrelease
>> program later today.
>
> Here it is. One thing I learned is that the queue file name includes
> a timestamp, so the chance of a collision is much, much less than I'd
> originally guessed. Very very close to zero, I would expect. But

So now you see why I mentioned things like "highly theoretical" etc:-). It's not really a timestamp, as such, being just the current millisecond... But I see you've got that:-). And the inode reuse is highly dependent on how you've partitioned your storage... If one has a ... "lazy"...
scheme (like only a big / and a very smallish /boot, which is what I'd recommend for most systems these days, due to modern HW and filesystem anatomy), the inode reuse problem is a non-issue. But it is nice that you took the time to type this up, for those who do quarantine as queue files, and who really perceive this as a problem.

> the fix is trivial and guarantees correctness. Maybe this can make
> it onto the wiki page.

Yes it can! And you're the chap to do it;-). Just register and edit away...:-). Personally, I find it less than nice when larger (more than a few lines) scripts are quoted in code segments, so you could as well upload a file and publish that... Perhaps one should ... tidy... some of the other stuff too. As is, I find the bias of "methods" and "tips" for queue file management a bit ... cluttery (if there is such a word:-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From patrick at vande-walle.eu Wed Dec 16 11:57:18 2009
From: patrick at vande-walle.eu (Patrick Vande Walle)
Date: Wed Dec 16 11:57:47 2009
Subject: Support for SA 3.3 ?
In-Reply-To:
References:
Message-ID: <418a3f7cf19d15e43fd156f0c1408000@localhost>

On Tue, 15 Dec 2009 14:11:48 +0100, Kai Schaetzl wrote:
> A beta of SA 3.3 has been released a few days ago. I just downloaded and
> built/tested it. Has anyone already tried if it works with MS? As it
> appears the API has just been expanded, so it should work fine, but I
> thought I'd ask around before jumping.
>
> Info: http://people.apache.org/~wtogami/devel/

I have been running SA 3.3 beta 1 with MS for a few days now, and did not encounter any issues. This is on a low volume mail server. Some SA rules seem to need some fine tuning, though.

Patrick Vande Walle

--
Blog: http://patrick.vande-walle.eu
Twitter: http://twitter.vande-walle.eu

From mark at msapiro.net Wed Dec 16 15:53:55 2009
From: mark at msapiro.net (Mark Sapiro)
Date: Wed Dec 16 15:54:41 2009
Subject: technical: replying to a digested message?
In-Reply-To:
References: <20091211151905.GA4338@astrouw.edu.pl>
Message-ID: <4B290293.5070602@msapiro.net>

Kai Schaetzl wrote:
> Michal Szymanski wrote on Fri, 11 Dec 2009 16:19:05 +0100:
>
>> Sorry for OT question but is there an easy way to reply to a message
>> got in a daily digest in such a way that it gets into the right thread?
>
> Does the digest contain the original message-id of the messages? If not,
> there is no way. And, if yes, I'm not sure if you could call it "easy" ;-)

If you're talking about digests from a Mailman list, if you select the MIME format digest rather than the plain format, and you use an MUA that can open the individual message/rfc822 parts as messages (I use mostly mutt and Thunderbird and they both can do this), just open the message you want and reply normally as I am doing here.

--
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From dgottsc at emory.edu Wed Dec 16 16:02:29 2009
From: dgottsc at emory.edu (Gottschalk, David)
Date: Wed Dec 16 16:04:18 2009
Subject: University MailScanner Setup
In-Reply-To: <10955DE2-701D-4D9F-AF83-14366D546D97@uci.edu>
References: <10955DE2-701D-4D9F-AF83-14366D546D97@uci.edu>
Message-ID:

Thanks to everyone for the tips/advice.

I think Derek has the most relevant case to our setup. I suspect that rejecting spam on the SMTP/MTA level will be the best approach to prevent us from having to use lots of gateway machines. Currently, we utilize six, but not as efficiently as I would like to.

If anyone else has any setups similar to ours that they would like to mention, I would appreciate it.

David Gottschalk
UTS Email team
david.gottschalk@emory.edu

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Derek Chee
Sent: Friday, December 11, 2009 4:20 PM
To: MailScanner discussion
Subject: Re: University MailScanner Setup

On Dec 11, 2009, at 10:35 AM, Gottschalk, David wrote:

> I'm wondering though how other colleges are handling their mail filtering using MailScanner. How many machines are being used, etc, etc?

At UC Irvine, we have four Sendmail+MailScanner external email gateways. We don't have a load balancer, just MX records. The four servers are not identical so we occasionally have unbalanced load issues, but nothing of major concern.

We run ClamAV as a milter with most of the SaneSecurity signatures, Spamhaus ZEN RBL for blocking, internal block list, greylisting, connection throttling (too many, too soon, too many bad, etc.) and SpamAssassin (just tagging, no quarantine).

According to the latest stats, we blocked 6.7 million connections/messages last week through whatever means. Accepted 2.3 million messages and marked 136k of those as spam. These numbers are not peak numbers. We had a dramatic drop off in spam in September 2008. Before that time, we were rejecting around 4 million connections/messages per day with the same set of four servers, while the number of accepted messages stayed the same.

I really couldn't tell you how many mailboxes we protect as the gateways protect multiple servers at UC Irvine and I've never counted all of the potential accounts.

-- Derek

Derek Chee
Network & Support Programming
Office of Information Technology
University of California, Irvine

This e-mail message (including any attachments) is for the sole use of the intended recipient(s) and may contain confidential and privileged information. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this message (including any attachments) is strictly prohibited. If you have received this message in error, please contact the sender by reply e-mail message and destroy all copies of the original message (including attachments). From mailscanner_list at phisch.ca Wed Dec 16 17:04:09 2009 
From: mailscanner_list at phisch.ca (Jared Bater)
Date: Wed Dec 16 17:04:18 2009
Subject: University MailScanner Setup
In-Reply-To:
References:
Message-ID:

We filter for a few smaller post-secondary's as well as a few dozen K-12 districts.

We have two gateway machines running MS/Postfix on Sun coolthreads hardware. Two separate DNS servers run RBLDNSd/Bind and serve a local mirror of the Spamhaus Zen feed (for which we have a subscription and rsync with them), the Barracuda RBL as well as a locally generated RBL. We also use SQLGrey, though I'm no longer convinced it adds terribly much value these days. Another machine does MySQL for Mailwatch logging and fancy reporting with pretty graphs.

We reject 85-95% of all incoming connections at the MTA level and pass the rest to MS. We use Clamd with the addition of Sanesecurity and ScamNailer sigs. We wrote in-house a parser for the MTA logs to have them inserted into the MailWatch DB in order to get daily message counts, which get munged into a daily summary table for all of our customer domains. We then purge the MTA junk out of the DB to save on space.

Load-balancing is done via DNS round-robin. A proper load balancer is on my list for Santa this year. I emailed it, so I hope it doesn't get caught in a quarantine or collide with some queue file of the same name somewhere along the way.

We see between 2 and 7 million connections hit our gateways per day, with 80,000 to 100,000 being delivered to user mailboxes or downstream customer servers as "clean" daily.

/jared

On Fri, Dec 11, 2009 at 12:35 PM, Gottschalk, David wrote:

> I'm posing a question to those of you who work for a University or College.
>
> Here at Emory, we have a hosted email filtering called Postini (which is
> now owned by Google). Behind that, we have six MailScanner machines that
> relay mail to the appropriate internal mail system. After the economic
> turndown, we have been looking anywhere to save costs. I'm contemplating
> proposing that we dump our hosted filtering solution because it is quite
> expensive ($5+ per user per year), and rely on MailScanner instead entirely.
> Then we would just have a bunch of MailScanner machines fronted by a load
> balancer to handle all inbound email (I'd imagine we need more than six
> after doing so)
>
> I'm wondering though how other colleges are handling their mail filtering
> using MailScanner. How many machines are being used, etc, etc?
>
> We currently get about 30-40 million email messages per week, of which
> about 1.5 million are delivered to our relays. We have approximately 40,000
> email accounts.
>
> Thanks for any assistance, advice.
>
> David Gottschalk
> Emory University
> UTS Messaging Team

From bbecken at aafp.org Wed Dec 16 17:33:32 2009
From: bbecken at aafp.org (Brad Beckenhauer)
Date: Wed Dec 16 17:33:55 2009
Subject: ClamAV 0.95.3
Message-ID: <4B28C58C020000680003168C@smtp.aafp.org>

I've not seen any mention of ClamAV 0.95.3 on the forum where normally a SpamAssassin-Clamav package is rolled fairly quickly... Probably not a big deal, but I figured I'd toss it out there as my systems are logging and current.

I also use the clamav-autoupdate script which logs output to /tmp/ClamAV.update.log. The Log file finally hit a size limit and stopped logging. I'm considering modifying the script to point to a common log file in /var/log and setting up logrotate to handle the file instead. Perhaps a setting in MailScanner.conf where all the MailScanner update scripts point to this common logfile when called?

--------------------------------------
ClamAV update process started at Wed Dec 16 11:10:08 2009
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.95.2 Recommended version: 0.95.3
DON'T PANIC! Read http://www.clamav.net/support/faq
main.cld is up to date (version: 51, sigs: 545035, f-level: 42, builder: sven)
daily.cld is up to date (version: 10187, sigs: 132586, f-level: 44, builder: arnaud)

http://lurker.clamav.net/message/20091028.165120.f237a88d.en.html#clamav-announce

announcing ClamAV 0.95.3
Author: Luca Gibelli ( mailto:noreply@clamav.net )
Date: 2009-10-28 11:512009-10-28 16:51 -500UTC
To: clamav-announce
Subject: [Clamav-announce] announcing ClamAV 0.95.3

Dear ClamAV users,

ClamAV 0.95.3 is a bugfix release recommended for all users. Please refer to the ChangeLog included in the source distribution for the list of changes.

From Kevin_Miller at ci.juneau.ak.us Wed Dec 16 18:12:40 2009
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Wed Dec 16 18:12:55 2009
Subject: quarantine release might lose mail?
In-Reply-To: <223f97700912160149k2a98ecabmd5e147c16e49f13d@mail.gmail.com>
References: <223f97700912150208m5e318004l56eff6ffed9ec904@mail.gmail.com> <5C94E2006E6A728CEEC47B23@rdf.local> <223f97700912160149k2a98ecabmd5e147c16e49f13d@mail.gmail.com>
Message-ID: <4A09477D575C2C4B86497161427DD94C136ABB1E11@city-exchange07>

Glenn Steen wrote:
> ... cluttery (if there is such a word:-).

There is now!
See, that's the beauty of English. We steal all our words from foreigners and/or make 'em up as we go.
;-)

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From maillists at conactive.com Wed Dec 16 19:31:30 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Wed Dec 16 19:31:40 2009
Subject: University MailScanner Setup
In-Reply-To:
References: <10955DE2-701D-4D9F-AF83-14366D546D97@uci.edu>
Message-ID:

David Gottschalk wrote on Wed, 16 Dec 2009 11:02:29 -0500:

> I suspect that rejecting spam on the SMTP/MTA level will be the best
> approach to prevent us from having to use lots of gateway machines.

Yes, you want to stop a good portion of the crap at MTA level. With greylisting and postfix restrictions.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Wed Dec 16 20:31:20 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Wed Dec 16 20:31:31 2009
Subject: Support for SA 3.3 ?
In-Reply-To: <418a3f7cf19d15e43fd156f0c1408000@localhost>
References: <418a3f7cf19d15e43fd156f0c1408000@localhost>
Message-ID:

Patrick Vande Walle wrote on Wed, 16 Dec 2009 12:57:18 +0100:

> I have been running SA 3.3 beta 1 with MS for a few days now, and did not
> encounter any issues.

Thanks for the update. I installed it now. I had to remove the Freemail plugin and found I can enable it in v330.pre now. So far, so good.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Wed Dec 16 20:31:20 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Wed Dec 16 20:31:35 2009
Subject: phishing.bad.sites.conf v ScamNailer
In-Reply-To:
References:
Message-ID:

Robert Lopez wrote on Tue, 15 Dec 2009 10:32:36 -0700:

> When ScamNailer came out did MailScanner stop supporting the
> phishing.bad.sites.conf file or is it available for local use?

Oh, well, I notice only now that the file has gone. But not the safe sites list.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From rlopezcnm at gmail.com Wed Dec 16 22:14:01 2009
From: rlopezcnm at gmail.com (Robert Lopez)
Date: Wed Dec 16 22:14:14 2009
Subject: phishing.bad.sites.conf v ScamNailer
In-Reply-To:
References:
Message-ID:

On Wed, Dec 16, 2009 at 1:31 PM, Kai Schaetzl wrote:
> Robert Lopez wrote on Tue, 15 Dec 2009 10:32:36 -0700:
>
>> When ScamNailer came out did MailScanner stop supporting the
>> phishing.bad.sites.conf file or is it available for local use?
>
> Oh, well, I notice only now that the file has gone. But not the safe sites
> list.
>
> Kai
>
> --
> Kai Schätzl, Berlin, Germany
> Get your web at Conactive Internet Services: http://www.conactive.com

I started putting the url from inside phishing email that are slipping in into the phishing.bad.sites.conf file in the hope it is still read. I obviously have not gone reading or tracing the code to verify this.

--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106

From glenn.steen at gmail.com Wed Dec 16 22:24:10 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Dec 16 22:24:25 2009
Subject: quarantine release might lose mail?
In-Reply-To: <4A09477D575C2C4B86497161427DD94C136ABB1E11@city-exchange07>
References: <223f97700912150208m5e318004l56eff6ffed9ec904@mail.gmail.com> <5C94E2006E6A728CEEC47B23@rdf.local> <223f97700912160149k2a98ecabmd5e147c16e49f13d@mail.gmail.com> <4A09477D575C2C4B86497161427DD94C136ABB1E11@city-exchange07>
Message-ID: <223f97700912161424q4d202517u6e7b1c5c167fe007@mail.gmail.com>

2009/12/16 Kevin Miller :
> Glenn Steen wrote:
>> ... cluttery (if there is such a word:-).
>
> There is now!
> See, that's the beauty of English. We steal all our words from foreigners and/or make 'em up as we go.
> ;-)
>
> ...Kevin

That's the normal modus operandi for the Swedish language too (most languages, I imagine, except perhaps some very protectionistic ones ... like ... Icelandic...:-). Swedish might seem like a much poorer language due to it not even containing half as many words as English.... But then we can make a verb of anything "on the fly" (no "make this" or "do that"... just "dish-a" and "bed-a", sort of... Among linguists the verb "Larsa" take the noun Lars (the name) and use it to describe the act of greeting someone by their first/given name), and we can happily combine any words to create new meaning ... thus lessening the need for a multitude of similes and synonyms... I do love English too, but (naturally) Swedish is my first love:-).

And also... Since English is my second language (we'll not mention my third.... "La belle langue" indeed...:), I think it only polite to ask before starting to change it.

Oh well, that was severely off topic... So I'll refrain from more philosophical ponderings about the nature of language, and the golden rule... "If you made yourself understood, rules/grammar be damned"...;-)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From seven at seven.dorksville.net Wed Dec 16 22:33:38 2009
From: seven at seven.dorksville.net (Anthony Giggins)
Date: Wed Dec 16 22:33:59 2009
Subject: {Disarmed} ClamAV 0.95.3
In-Reply-To: <4B28C58C020000680003168C@smtp.aafp.org>
References: <4B28C58C020000680003168C@smtp.aafp.org>
Message-ID: <58384.125.168.254.15.1261002818.squirrel@seven.dorksville.net>

This was announced back in October
http://lists.mailscanner.info/pipermail/mailscanner/2009-October/093709.html

Cheers,

Anthony

From fcusack at fcusack.com Thu Dec 17 04:00:21 2009
From: fcusack at fcusack.com (Frank Cusack)
Date: Thu Dec 17 04:00:39 2009
Subject: quarantine release might lose mail?
In-Reply-To: <223f97700912160149k2a98ecabmd5e147c16e49f13d@mail.gmail.com>
References: <223f97700912150208m5e318004l56eff6ffed9ec904@mail.gmail.com> <5C94E2006E6A728CEEC47B23@rdf.local> <223f97700912160149k2a98ecabmd5e147c16e49f13d@mail.gmail.com>
Message-ID: <01403FBE3FDD49726F5844DD@rdf.local>

On December 16, 2009 10:49:44 AM +0100 Glenn Steen wrote:
> If one has
> a ... "lazy"... scheme (like only a big / and a very smallish /boot,
> which is what I'd recommend for most systems these days, due to modern
> HW and filesystem anatomy), the inode reuse problem is a non-issue.

Do you say that because you expect that with lots of free inodes, that the "next" free one is always used (as opposed to, e.g., how open() works where the lowest fd is always assigned?)?

On zfs and HFS+ it does appear that a new file always gets the "next" inum. No idea if that's a guarantee.

On ext3, which I imagine is what "most" folks use, that's not the case:

[root@linux ~]# uname -a
Linux linux 2.6.18-128.el5 #1 SMP Wed Jan 21 10:44:23 EST 2009 i686 i686 i386 GNU/Linux
[root@linux ~]# for i in 1 2 3 4 5 6 7 8 9 0 ; do touch m; ls -i m; rm -f m; done
8184004 m
8184004 m
8184004 m
8184004 m
8184004 m
8184004 m
8184004 m
8184004 m
8184004 m
8184004 m
[root@linux ~]# df . | grep /dev
/dev/mapper/VolGroup00-LogVol00
[root@linux ~]# mount | grep `df . | grep /dev`
/dev/mapper/VolGroup00-LogVol00 on / type ext3 (rw)
[root@linux ~]#

So for ext3 I would expect that recycling an inode has a high likelihood.

-frank

From lev.fpt at gmail.com Thu Dec 17 09:53:14 2009
From: lev.fpt at gmail.com (Le Vu)
Date: Thu Dec 17 09:53:24 2009
Subject: F-prot-6 and W32/Netsky cause MailScanner to crash
Message-ID: <9df8044a0912170153j6624a78obd808cfa95f0bc97@mail.gmail.com>

Hi,

I have a MailScanner installation stable for months (without antivirus). Yesterday I installed and enabled f-prot-6 and MailScanner reported several crashes when it detected some W32/Netsky viruses.

Dec 17 14:25:31 ISP-MTA1 MailScanner[16347]: Making attempt 6 at processing message 1C6D718D000A.A7A10
Dec 17 14:25:31 ISP-MTA1 MailScanner[16347]: New Batch: Found 26 messages waiting
Dec 17 14:25:31 ISP-MTA1 MailScanner[16347]: New Batch: Forwarding 3 unscanned messages, 72121 bytes
Dec 17 14:25:31 ISP-MTA1 MailScanner[16347]: Virus and Content Scanning: Starting
Dec 17 14:25:33 ISP-MTA1 MailScanner[16347]: [Found virus] ./1C6D718D000A.A7A10/message.pif
Dec 17 14:25:33 ISP-MTA1 MailScanner[16347]: [Found exploit] ./1C6D718D000A.A7A10/msg-16347-96.html
Dec 17 14:25:33 ISP-MTA1 MailScanner[16347]: Found spam-virus in
Dec 17 14:25:33 ISP-MTA1 MailScanner[16347]: Virus Scanning: F-Prot6 found 1 infections
Dec 17 14:25:33 ISP-MTA1 MailScanner[16347]: Virus Scanning: Found 1 viruses
=> the MailScanner process crashes here

I have the virus scanning enabled only for two internal hosts, and the message that causes MailScanner to crash is from other hosts.

It would be appreciated if anyone could show me how to debug this with these messages.

Thanks,
Vu

----------------------------------------------------
MailScanner.conf
Virus Scanning = %rules-dir%/virus.scanning.rules

virus.scanning.rules:
From: xxx.245.0.150 yes
From: xxx.245.0.151 yes
FromOrTo: default no

Process MailScanner[16347] log http://pastebin.com/m246a3dc
Message attempted to kill MailScanner log: http://pastebin.com/m3c7131b7
/var/log/message http://pastebin.com/m10325826
Sample message http://pastebin.com/m18da87f3

From glenn.steen at gmail.com Thu Dec 17 12:05:42 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Dec 17 12:05:51 2009
Subject: quarantine release might lose mail?
In-Reply-To: <01403FBE3FDD49726F5844DD@rdf.local>
References: <223f97700912150208m5e318004l56eff6ffed9ec904@mail.gmail.com> <5C94E2006E6A728CEEC47B23@rdf.local> <223f97700912160149k2a98ecabmd5e147c16e49f13d@mail.gmail.com> <01403FBE3FDD49726F5844DD@rdf.local>
Message-ID: <223f97700912170405y46c09152vf1a30bd239a2683d@mail.gmail.com>

2009/12/17 Frank Cusack :
> On December 16, 2009 10:49:44 AM +0100 Glenn Steen
> wrote:
>>
>> If one has
>> a ... "lazy"... scheme (like only a big / and a very smallish /boot,
>> which is what I'd recommend for most systems these days, due to modern
>> HW and filesystem anatomy), the inode reuse problem is a non-issue.
>
> Do you say that because you expect that with lots of free inodes, that
> the "next" free one is always used (as opposed to, e.g., how open()
> works where the lowest fd is always assigned?)?

No, of course not. The amount of free inodes is irrelevant to this reasoning. One can probably assume that an inode number "returned" to the pool will be the next one used (as you show below). What it entails is the rate of inode use as such... If you have one big partition for all consumers (of inodes), the risk that a particular inode will be used as a postfix queue file lessens. Factor in time, and the risk of reuse resulting in the scenario your script tries to protect against... and the risk dwindles down even further. So even though it is not that easily quantifiable, one can be fairly certain that the released queue file (which is the one risking being overwritten) will pass through unscathed;-). Haven't checked the release code, but it just might have a safeguard that entirely deflates the discussion (I'm too busy to go look! This year-end is more "silly season" than ever!!!).

Notably, when I started using MailScanner/postfix/MailWatch, the inode/queue file ID reuse rate was very high on my systems, due to a "bad" partitioning scheme (basically, postfix had its own partition/filesystem), so ... I got a lot of duplicates in my maillog table ... since back then, the added "entropy" wasn't there. But even so, the rate of reuse was never such that it resulted in a problem *outside* of MailWatch. Jules fixed the logging issue with the entropy added to the queue ID (very clever solution, that:-), even though I seemed to be the only one seeing the problem. Well, once I shifted to a "better"/"lazier" partitioning scheme, I saw the rate drop rather dramatically. So ... empirical "proof" is on my side here;-);-)

> On zfs and HFS+ it does appear that a new file always gets the "next" inum.
> No idea if that's a guarantee.
>
It's probably not. It will always be a limited resource.

> On ext3, which I imagine is what "most" folks use, that's not the case:
>
> [root@linux ~]# uname -a
> Linux linux 2.6.18-128.el5 #1 SMP Wed Jan 21 10:44:23 EST 2009 i686 i686
> i386 GNU/Linux
> [root@linux ~]# for i in 1 2 3 4 5 6 7 8 9 0 ; do touch m; ls -i m; rm -f m;
> done
> 8184004 m
> 8184004 m
> 8184004 m
> 8184004 m
> 8184004 m
> 8184004 m
> 8184004 m
> 8184004 m
> 8184004 m
> 8184004 m
> [root@linux ~]# df . | grep /dev
> /dev/mapper/VolGroup00-LogVol00
> [root@linux ~]# mount | grep `df . | grep /dev`
> /dev/mapper/VolGroup00-LogVol00 on / type ext3 (rw)
> [root@linux ~]#
>
> So for ext3 I would expect that recycling an inode has a high likelihood.

True. So this is why you'd want there to be "other" consumers...

Look, all I'm saying is that the risk is limited, depends on a few factors like FS/partition-scheme, time ... and rate of messages received, of course... and ... well, look at it this way: No one has shown that this has ever happened, anywhere. Else someone would've complained about released messages not getting properly released etc ... and someone would've typed up something like your script to cure that. That it hasn't happened says something;-).

Don't get me wrong, anything that makes the MS/PF combo a better one is nice, and well received... It's brilliant that you took the time and elected to contribute!

> -frank

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Thu Dec 17 12:12:32 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Dec 17 12:12:41 2009
Subject: quarantine release might lose mail?
In-Reply-To: <223f97700912170405y46c09152vf1a30bd239a2683d@mail.gmail.com>
References: <223f97700912150208m5e318004l56eff6ffed9ec904@mail.gmail.com> <5C94E2006E6A728CEEC47B23@rdf.local> <223f97700912160149k2a98ecabmd5e147c16e49f13d@mail.gmail.com> <01403FBE3FDD49726F5844DD@rdf.local> <223f97700912170405y46c09152vf1a30bd239a2683d@mail.gmail.com>
Message-ID: <223f97700912170412k16048b78s962a3fd468087469@mail.gmail.com>

2009/12/17 Glenn Steen :
(snip)
> Haven't checked the
> release code, but it just might have a safeguard that entirely
> deflates the discussion

That should read "requeue", not "release"... obviously:-)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From steve.freegard at fsl.com Thu Dec 17 12:28:10 2009
From: steve.freegard at fsl.com (Steve Freegard)
Date: Thu Dec 17 12:28:21 2009
Subject: quarantine release might lose mail?
In-Reply-To: <223f97700912170405y46c09152vf1a30bd239a2683d@mail.gmail.com>
References: <223f97700912150208m5e318004l56eff6ffed9ec904@mail.gmail.com> <5C94E2006E6A728CEEC47B23@rdf.local> <223f97700912160149k2a98ecabmd5e147c16e49f13d@mail.gmail.com> <01403FBE3FDD49726F5844DD@rdf.local> <223f97700912170405y46c09152vf1a30bd239a2683d@mail.gmail.com>
Message-ID: <4B2A23DA.6060908@fsl.com>

On 17/12/09 12:05, Glenn Steen wrote:
> 2009/12/17 Frank Cusack:

<< snipped entire discussion >>

Why anyone still quarantines stuff using the queue file format is completely beyond me.

Every MTA supported by MailScanner implements sendmail binary argument compatibility so just store your quarantine files in rfc822 format and then release them like so:

sendmail user@domain.com -i < /path/to/quarantine/date/id/message

All that is needed for this to work is to exclude 127.0.0.1 from scanning via a rulesets on the relevant configuration items ('Scan Messages' being the easiest; but least safe).

This way you get a decent audit trail of released messages, it's safe, cross platform and still works if you migrate from one MTA to another and no kludgy scripts necessary.

This is precisely the reason I elected to only support this method in MailWatch.

Maybe the 'old' instructions on the Wiki should be marked as deprecated and replaced with this method being the recommended way to release stuff from a quarantine.

Regards,
Steve.

From glenn.steen at gmail.com Thu Dec 17 13:22:37 2009
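The release step described in Steve Freegard's message above, wrapped with the checks a release tool needs before it hands a file to the MTA. This is an added example, not code from the thread, MailScanner or MailWatch; the quarantine root and sendmail path are assumed defaults, and the function names are hypothetical.

```python
import logging
import re
import subprocess
from pathlib import Path

# Assumed defaults, not taken from the thread: adjust to the local installation.
QUARANTINE_ROOT = Path("/var/spool/MailScanner/quarantine")
SENDMAIL = "/usr/sbin/sendmail"

# Deliberately strict: the first character must be alphanumeric, so a value
# such as "-oQ/tmp" can never be parsed by the MTA as a command-line option.
ADDRESS = re.compile(
    r"[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?"
)

log = logging.getLogger("quarantine-release")


class ReleaseError(ValueError):
    """The request was refused before anything was handed to the MTA."""


def resolve_message(path, root=QUARANTINE_ROOT):
    """Return the real path of a quarantined message, or raise ReleaseError.

    Symlinks and ".." are resolved first, so a path that ends up outside the
    quarantine tree is rejected even if it textually starts inside it.
    """
    root = Path(root).resolve()
    candidate = (root / path).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise ReleaseError(f"{path!r} is outside the quarantine") from None
    if not candidate.is_file():
        raise ReleaseError(f"{path!r} is not a regular file")
    return candidate


def build_command(recipient, sendmail=SENDMAIL):
    """Return the argv for the release; argument order follows the thread."""
    if not ADDRESS.fullmatch(recipient):
        raise ReleaseError(f"refusing recipient {recipient!r}")
    # -i: a line holding only "." in the stored message does not end input.
    return [sendmail, recipient, "-i"]


def release(path, recipient, root=QUARANTINE_ROOT, sendmail=SENDMAIL):
    """Feed the stored message to the MTA on stdin and log the outcome."""
    message = resolve_message(path, root)
    argv = build_command(recipient, sendmail)
    with message.open("rb") as handle:
        # argv is a list and no shell is involved, so nothing is re-parsed.
        done = subprocess.run(argv, stdin=handle, capture_output=True, timeout=60)
    log.info("release %s -> %s rc=%d", message, recipient, done.returncode)
    if done.returncode != 0:
        raise RuntimeError(done.stderr.decode(errors="replace").strip())
    return done.returncode
```

The log line written by release() complements the MTA's own log entry for the resubmitted message, which is the audit trail the message refers to.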
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Dec 17 13:22:46 2009
Subject: quarantine release might lose mail?
In-Reply-To: <4B2A23DA.6060908@fsl.com>
References: <223f97700912150208m5e318004l56eff6ffed9ec904@mail.gmail.com> <5C94E2006E6A728CEEC47B23@rdf.local> <223f97700912160149k2a98ecabmd5e147c16e49f13d@mail.gmail.com> <01403FBE3FDD49726F5844DD@rdf.local> <223f97700912170405y46c09152vf1a30bd239a2683d@mail.gmail.com> <4B2A23DA.6060908@fsl.com>
Message-ID: <223f97700912170522g241e404bme005d8074862c154@mail.gmail.com>

2009/12/17 Steve Freegard :
> On 17/12/09 12:05, Glenn Steen wrote:
>>
>> 2009/12/17 Frank Cusack:
>
> << snipped entire discussion >>
>
> Why anyone still quarantines stuff using the queue file format is completely
> beyond me.

CC.

> Every MTA supported by MailScanner implements sendmail binary argument
> compatibility so just store your quarantine files in rfc822 format and then
> release them like so:
>
> sendmail user@domain.com -i < /path/to/quarantine/date/id/message
>
> All that is needed for this to work is to exclude 127.0.0.1 from scanning
> via a rulesets on the relevant configuration items ('Scan Messages' being
> the easiest; but least safe).
>
> This way you get a decent audit trail of released messages, it's safe, cross
> platform and still works if you migrate from one MTA to another and no
> kludgy scripts necessary.
>
> This is precisely the reason I elected to only support this method in
> MailWatch.

Not to mention ease of parsing... One format regardless of MTA;-);-)

> Maybe the 'old' instructions on the Wiki should be marked as deprecated and
> replaced with this method being the recommended way to release stuff from a
> quarantine.

I agree. In the postfix case this would be restructure and slightly rephrase things a bit... I might get some time this weekend to do even that small a thing.

If one wants to use queue files no matter what, one should use some script like Frank's (I just checked the code, no safeguards... So, to be purely kosher...:-), but perhaps based on some other shell ...... zsh isn't the most widely installed... Bash or even sh might be better. And making it obvious that it is a less than stellar decision to use the queue files at all;)

> Regards,
> Steve.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From maillists at conactive.com Thu Dec 17 13:46:33 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Thu Dec 17 13:46:44 2009
Subject: phishing.bad.sites.conf v ScamNailer
In-Reply-To:
References:
Message-ID:

Robert Lopez wrote on Wed, 16 Dec 2009 15:14:01 -0700:

> I started putting the url from inside phishing email that are slipping
> in into the phishing.bad.sites.conf file in the hope it is still read.
> I obviously have not gone reading or tracing the code to verify this.

We are rarely getting any phishing mails. I think they are all already rejected at MTA level. So, it doesn't matter too much for me. I was just surprised about this MS error message when restarting it. As I haven't upgraded MS for some months now I'm sure the file is still being read on my systems, just that the downloaded file is empty. I have now moved the file that came with the rpm in its place and stopped update_bad_phishing_sites.

I'm not seeing any mention of this change in http://mailscanner.info/ChangeLog

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From fcusack at fcusack.com Thu Dec 17 14:45:26 2009
From: fcusack at fcusack.com (Frank Cusack)
Date: Thu Dec 17 14:45:37 2009
Subject: quarantine release might lose mail?
In-Reply-To: <4B2A23DA.6060908@fsl.com>
References: <223f97700912150208m5e318004l56eff6ffed9ec904@mail.gmail.com> <5C94E2006E6A728CEEC47B23@rdf.local> <223f97700912160149k2a98ecabmd5e147c16e49f13d@mail.gmail.com> <01403FBE3FDD49726F5844DD@rdf.local> <223f97700912170405y46c09152vf1a30bd239a2683d@mail.gmail.com> <4B2A23DA.6060908@fsl.com>
Message-ID:

On December 17, 2009 12:28:10 PM +0000 Steve Freegard wrote:
> On 17/12/09 12:05, Glenn Steen wrote:
>> 2009/12/17 Frank Cusack:
> << snipped entire discussion >>
>
> Why anyone still quarantines stuff using the queue file format is
> completely beyond me.
>
> Every MTA supported by MailScanner implements sendmail binary argument
> compatibility so just store your quarantine files in rfc822 format and
> then release them like so:
>
> sendmail user@domain.com -i < /path/to/quarantine/date/id/message
>
> All that is needed for this to work is to exclude 127.0.0.1 from scanning
> via a rulesets on the relevant configuration items ('Scan Messages' being
> the easiest; but least safe).

See my earlier email about how "Read IP Address from Received Header" works. That was never really answered fully but my takeaway from it is that MS cannot determine where mail comes from if there are a variable number of hops from your mx gateway to the MS host. Meaning, if your MX host is a hop away, and therefore you need to set "Read IP Address from Received Header" to 2, then you can never whitelist 127.0.0.1 because that first Received header will not be parsed by MS.

Perhaps that's wrong but again that's just what I was able to piece together from what answers I did get to that thread.

-frank

From steve.freegard at fsl.com Thu Dec 17 15:04:59 2009
From: steve.freegard at fsl.com (Steve Freegard)
Date: Thu Dec 17 15:05:10 2009
Subject: quarantine release might lose mail?
In-Reply-To:
References: <223f97700912150208m5e318004l56eff6ffed9ec904@mail.gmail.com> <5C94E2006E6A728CEEC47B23@rdf.local> <223f97700912160149k2a98ecabmd5e147c16e49f13d@mail.gmail.com> <01403FBE3FDD49726F5844DD@rdf.local> <223f97700912170405y46c09152vf1a30bd239a2683d@mail.gmail.com> <4B2A23DA.6060908@fsl.com>
Message-ID: <4B2A489B.1060701@fsl.com>

On 17/12/09 14:45, Frank Cusack wrote:
> On December 17, 2009 12:28:10 PM +0000 Steve Freegard
> wrote:
>> On 17/12/09 12:05, Glenn Steen wrote:
>>> 2009/12/17 Frank Cusack:
>> << snipped entire discussion >>
>>
>> Why anyone still quarantines stuff using the queue file format is
>> completely beyond me.
>>
>> Every MTA supported by MailScanner implements sendmail binary argument
>> compatibility so just store your quarantine files in rfc822 format and
>> then release them like so:
>>
>> sendmail user@domain.com -i < /path/to/quarantine/date/id/message
>>
>> All that is needed for this to work is to exclude 127.0.0.1 from scanning
>> via a rulesets on the relevant configuration items ('Scan Messages' being
>> the easiest; but least safe).
>
> See my earlier email about how "Read IP Address from Received Header"
> works.
> That was never really answered fully but my takeaway from it is that MS
> cannot determine where mail comes from if there are a variable number of
> hops from your mx gateway to the MS host. Meaning, if your MX host is a
> hop away, and therefore you need to set "Read IP Address from Received
> Header" to 2, then you can never whitelist 127.0.0.1 because that first
> Received header will not be parsed by MS.
>
> Perhaps that's wrong but again that's just what I was able to piece together
> from what answers I did get to that thread.

Huh? Don't see what this has to do with anything if you use MailScanner properly.

It's a *gateway* and should be running as the inbound MX for your domain and 'Read IP Address from Received Header' should be left well alone. MailScanner will read the client IP address from the queue file.

That's how all of us use it....

I'm going to guess that you're trying to use a single MailScanner system for inbound and outbound scanning and that you want to apply rules to your MUA clients separately using the IP address supplied in the Received headers by your mail server which is using the MailScanner gateway as a smart host.... if so - run a separate outbound gateway and configure 'Read IP Address from Received Header' accordingly.

If you need anything more complex - then write a CustomFunction on 'Read IP Address from Received Header' and parse the received headers yourself and return the correct number back using that.

Using a custom function - you could achieve that on a single box; but mixing outbound and inbound on anything but a small system is asking for trouble. Outbound mail typically requires a totally different handling to inbound and you don't want either inbound or outbound mail to affect the service to each other.

Regards,
Steve.

From glenn.steen at gmail.com Thu Dec 17 15:16:06 2009
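The header-walking logic that the custom-function suggestion in Steve Freegard's message above calls for, for the variable-hop case Frank Cusack raised: find the topmost Received header whose client lies outside your own relays. This is an added example in Python to show the logic only (MailScanner custom functions are written in Perl, and this is not MailScanner code); the function names, networks and sample messages are constructed, and it assumes the setting's number counts Received headers from the top.

```python
import email
import ipaddress
import re

# "from <helo> (<rdns> [<ip>])" up to the "by" clause; a header that starts
# with "by" has no from-clause and records a local (sendmail binary) submission.
FROM_CLAUSE = re.compile(r"\s*from\s(.*?)(?:\sby\s|$)", re.S | re.I)
BRACKETED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]", re.I)


def hop_client(received_value):
    """Classify one Received header as ('local'|'ip'|'unknown', address)."""
    clause = FROM_CLAUSE.match(received_value)
    if clause is None:
        return "local", None
    found = BRACKETED_IP.search(clause.group(1))
    if found is None:
        return "unknown", None
    try:
        return "ip", ipaddress.ip_address(found.group(1))
    except ValueError:
        return "unknown", None


def first_untrusted_hop(raw_message, trusted_networks):
    """Return (n, ip) for the topmost Received header written about a client
    outside trusted_networks, or (0, None) when every hop is local/trusted.

    The walk stops at the first untrusted hop: everything below it was
    supplied by that client and can be forged, so it is never consulted.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    headers = email.message_from_string(raw_message).get_all("Received") or []
    for n, value in enumerate(headers, start=1):
        kind, addr = hop_client(value)
        if kind == "local":
            continue
        if kind == "ip" and any(addr in net for net in nets):
            continue
        return n, (str(addr) if addr is not None else None)
    return 0, None


# Constructed samples (documentation address ranges, made-up queue IDs).
TRUSTED = ["127.0.0.0/8", "10.0.0.0/24"]

VIA_MX = (
    "Received: from mx1.example.edu (mx1.example.edu [10.0.0.5])\n"
    "\tby ms1.example.edu (Postfix) with ESMTP id AAAA000001;\n"
    "\tThu, 17 Dec 2009 12:00:02 +0000 (GMT)\n"
    "Received: from mail.example.net (mail.example.net [203.0.113.7])\n"
    "\tby mx1.example.edu (Postfix) with ESMTP id AAAA000002;\n"
    "\tThu, 17 Dec 2009 12:00:01 +0000 (GMT)\n"
    "Subject: relayed through the MX\n\nbody\n"
)

DIRECT_WITH_FORGED_LOCALHOST = (
    "Received: from host.example.org (unknown [198.51.100.9])\n"
    "\tby ms1.example.edu (Postfix) with ESMTP id AAAA000003;\n"
    "\tThu, 17 Dec 2009 12:05:00 +0000 (GMT)\n"
    "Received: from localhost (localhost [127.0.0.1])\n"
    "\tby host.example.org (Postfix) with ESMTP id AAAA000004;\n"
    "\tThu, 17 Dec 2009 12:04:59 +0000 (GMT)\n"
    "Subject: sender-supplied localhost header\n\nbody\n"
)

RELEASED_LOCALLY = (
    "Received: by ms1.example.edu (Postfix, from userid 0)\n"
    "\tid AAAA000005; Thu, 17 Dec 2009 12:10:00 +0000 (GMT)\n"
    "Subject: resubmitted with the sendmail binary\n\nbody\n"
)

if __name__ == "__main__":
    for name in ("VIA_MX", "DIRECT_WITH_FORGED_LOCALHOST", "RELEASED_LOCALLY"):
        print(name, first_untrusted_hop(globals()[name], TRUSTED))
```

A message resubmitted on the gateway itself yields (0, None), which is the case a 127.0.0.1 exemption is meant to cover; a localhost header sitting below an external hop never earns that exemption.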
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Dec 17 15:16:17 2009
Subject: quarantine release might lose mail?
In-Reply-To:
References: <223f97700912150208m5e318004l56eff6ffed9ec904@mail.gmail.com> <5C94E2006E6A728CEEC47B23@rdf.local> <223f97700912160149k2a98ecabmd5e147c16e49f13d@mail.gmail.com> <01403FBE3FDD49726F5844DD@rdf.local> <223f97700912170405y46c09152vf1a30bd239a2683d@mail.gmail.com> <4B2A23DA.6060908@fsl.com>
Message-ID: <223f97700912170716l2b542c02r95fbd0fd80e9b7d6@mail.gmail.com>

2009/12/17 Frank Cusack :
> On December 17, 2009 12:28:10 PM +0000 Steve Freegard
> wrote:
>>
>> On 17/12/09 12:05, Glenn Steen wrote:
>>>
>>> 2009/12/17 Frank Cusack:
>>
>> << snipped entire discussion >>
>>
>> Why anyone still quarantines stuff using the queue file format is
>> completely beyond me.
>>
>> Every MTA supported by MailScanner implements sendmail binary argument
>> compatibility so just store your quarantine files in rfc822 format and
>> then release them like so:
>>
>> sendmail user@domain.com -i < /path/to/quarantine/date/id/message
>>
>> All that is needed for this to work is to exclude 127.0.0.1 from scanning
>> via a rulesets on the relevant configuration items ('Scan Messages' being
>> the easiest; but least safe).
>
> See my earlier email about how "Read IP Address from Received Header" works.
> That was never really answered fully but my takeaway from it is that MS
> cannot determine where mail comes from if there are a variable number of
> hops from your mx gateway to the MS host. Meaning, if your MX host is a
> hop away, and therefore you need to set "Read IP Address from Received
> Header" to 2, then you can never whitelist 127.0.0.1 because that first
> Received header will not be parsed by MS.
>
> Perhaps that's wrong but again that's just what I was able to piece together
> from what answers I did get to that thread.

Could you explain why it is like that? Your "mail bastions" should be your PF/MS-hosts, unless you have something very clever (like a BarricadeMX) in between... And why would you set your secondary path/fallback to have a different amount of hops? You might have mentioned why before, but if so... I've forgotten. Could you elaborate a bit? To my eyes, it seems you're doing something less than optimal... but I might be wrong:-)

> -frank

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From shuttlebox at gmail.com Thu Dec 17 15:32:22 2009
From: shuttlebox at gmail.com (shuttlebox)
Date: Thu Dec 17 15:32:51 2009
Subject: quarantine release might lose mail?
In-Reply-To: <4B2A489B.1060701@fsl.com>
References: <223f97700912150208m5e318004l56eff6ffed9ec904@mail.gmail.com> <5C94E2006E6A728CEEC47B23@rdf.local> <223f97700912160149k2a98ecabmd5e147c16e49f13d@mail.gmail.com> <01403FBE3FDD49726F5844DD@rdf.local> <223f97700912170405y46c09152vf1a30bd239a2683d@mail.gmail.com> <4B2A23DA.6060908@fsl.com> <4B2A489B.1060701@fsl.com>
Message-ID: <625385e30912170732i3e4d4c82x92a3d3e3c0fb262@mail.gmail.com>

On Thu, Dec 17, 2009 at 4:04 PM, Steve Freegard wrote:
> It's a *gateway* and should be running as the inbound MX for your domain and
> 'Read IP Address from Received Header' should be left well alone.
> MailScanner will read the client IP address from the queue file.
>
> That how all of us use it....

No, it's not...

--
/peter

From glenn.steen at gmail.com Thu Dec 17 15:59:47 2009
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Dec 17 15:59:55 2009 Subject: quarantine release might lose mail? In-Reply-To: <625385e30912170732i3e4d4c82x92a3d3e3c0fb262@mail.gmail.com> References: <5C94E2006E6A728CEEC47B23@rdf.local> <223f97700912160149k2a98ecabmd5e147c16e49f13d@mail.gmail.com> <01403FBE3FDD49726F5844DD@rdf.local> <223f97700912170405y46c09152vf1a30bd239a2683d@mail.gmail.com> <4B2A23DA.6060908@fsl.com> <4B2A489B.1060701@fsl.com> <625385e30912170732i3e4d4c82x92a3d3e3c0fb262@mail.gmail.com> Message-ID: <223f97700912170759o142f3966h74794e15ce3c872b@mail.gmail.com> 2009/12/17 shuttlebox : > On Thu, Dec 17, 2009 at 4:04 PM, Steve Freegard wrote: >> It's a *gateway* and should be running as the inbound MX for your domain and >> 'Read IP Address from Received Header' should be left well alone. >> MailScanner will read the client IP address from the queue file. >> >> That how all of us use it.... > > No, it's not... > Well, even if the GW is local to your mailstore...:-). Or did you have anything ... exotic... in mind? Please elaborate... -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From fcusack at fcusack.com Thu Dec 17 16:17:49 2009 
From: fcusack at fcusack.com (Frank Cusack) Date: Thu Dec 17 16:17:59 2009 Subject: quarantine release might lose mail? In-Reply-To: <4B2A489B.1060701@fsl.com> References: <223f97700912150208m5e318004l56eff6ffed9ec904@mail.gmail.com> <5C94E2006E6A728CEEC47B23@rdf.local> <223f97700912160149k2a98ecabmd5e147c16e49f13d@mail.gmail.com> <01403FBE3FDD49726F5844DD@rdf.local> <223f97700912170405y46c09152vf1a30bd239a2683d@mail.gmail.com> <4B2A23DA.6060908@fsl.com> <4B2A489B.1060701@fsl.com> Message-ID: <5327C5D8286CC412F17FCB4F@rdf.local> On December 17, 2009 3:04:59 PM +0000 Steve Freegard wrote: > Huh? Don't see what this has to do with anything if you use MailScanner > properly. > > It's a *gateway* and should be running as the inbound MX for your domain > and 'Read IP Address from Received Header' should be left well alone. > MailScanner will read the client IP address from the queue file. It is not a gateway. It does not even implement an SMTP client much less a server. It is a filter. > That how all of us use it.... Apparently not as some solutions using it as other than a gateway are documented. One may not have the network configuration to support using it as a gateway. Just for example, if you have a backup MX server, perhaps you cannot run MailScanner on that server. In which case you MUST have a hop before your MS server so that when mail is forwarded from the backup to the MS server, the source IP is properly interpreted. Or are you saying that everyone using MS "properly" must have enough resources to have a backup MX server on another network and under their direct control. > I'm going to guess that you're trying to use a single MailScanner systems > for inbound and outbound scanning and that you want to apply rules to > your MUA clients separately using the IP address supplied in the Received > headers by your mail server which is using the MailScanner gateway as a > smart host.... 
if so - run a separate outbound gateway and configure > 'Read IP Address from Received Header' accordingly. That is correct, however just as I am unable to run MS on my MX host I am unable to run MS on my SMTP host (the host which receives mail from users). > If you need anything more complex - then write a CustomFunction on 'Read > IP Address from Received Header' and parse the received headers yourself > and return the correct number back using that. It was much less complex (trivial as I noted) to properly release a queue file from the quarantine. -frank From fcusack at fcusack.com Thu Dec 17 16:52:17 2009 From: fcusack at fcusack.com (Frank Cusack) Date: Thu Dec 17 16:52:32 2009 Subject: quarantine release might lose mail? In-Reply-To: <223f97700912170405y46c09152vf1a30bd239a2683d@mail.gmail.com> References: <223f97700912150208m5e318004l56eff6ffed9ec904@mail.gmail.com> <5C94E2006E6A728CEEC47B23@rdf.local> <223f97700912160149k2a98ecabmd5e147c16e49f13d@mail.gmail.com> <01403FBE3FDD49726F5844DD@rdf.local> <223f97700912170405y46c09152vf1a30bd239a2683d@mail.gmail.com> Message-ID: <7BABF5C55B2054483DDDA2BF@rdf.local> On December 17, 2009 1:05:42 PM +0100 Glenn Steen wrote: > Notably, when I started using MailScanner/postfix/MailWatch, the > inode/queue file ID reuse rate was very high on my systems, due to a > "bad" partitioning scheme (basically, postfix had its own > partition/filesystem), so ... I got a lot of duplicates in my maillog > table ... since back then, the added "entropy" wasn't there. But even I see. Yes, a modern partitioning scheme helps. :) Still, it was fun to see how the different fs's allocate inums. > Look, all I'm saying is that the risk is limited, agreed. -frank From mark at msapiro.net Thu Dec 17 17:50:41 2009 
From: mark at msapiro.net (Mark Sapiro)
Date: Thu Dec 17 17:51:04 2009
Subject: phishing.bad.sites.conf v ScamNailer
In-Reply-To:
Message-ID:

Kai Schaetzl wrote:

>Robert Lopez wrote on Wed, 16 Dec 2009 15:14:01 -0700:
>
>> I started putting the url from inside phishing email that are slipping
>> in into the phishing.bad.sites.conf file in the hope it is still read.
>> I obviously have not gone reading or tracing the code to verify this.
>
>We are rarely getting any phishing mails. I think they are all already
>rejected at MTA level. So, it doesn't matter too much for me. I was just
>surprised about this MS error message when restarting it.
>As I haven't upgraded MS for some months now I'm sure the file is still
>being read on my systems, just that the downloaded file is empty. I have
>now moved the file that came with the rpm in its place and stopped
>update_bad_phishing_sites. I'm not seeing any mention of this change in
>http://mailscanner.info/ChangeLog

I don't get it. When I installed the 4.79.4 rpm, it installed a /etc/MailScanner/phishing.bad.sites.conf.rpmnew and update_phishing_sites runs regularly and gets an approximately 290K phishing.bad.sites.conf.

What's the problem?

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From steve.freegard at fsl.com Thu Dec 17 18:13:58 2009
From: steve.freegard at fsl.com (Steve Freegard) Date: Thu Dec 17 18:14:08 2009 Subject: quarantine release might lose mail? In-Reply-To: <5327C5D8286CC412F17FCB4F@rdf.local> References: <223f97700912150208m5e318004l56eff6ffed9ec904@mail.gmail.com> <5C94E2006E6A728CEEC47B23@rdf.local> <223f97700912160149k2a98ecabmd5e147c16e49f13d@mail.gmail.com> <01403FBE3FDD49726F5844DD@rdf.local> <223f97700912170405y46c09152vf1a30bd239a2683d@mail.gmail.com> <4B2A23DA.6060908@fsl.com> <4B2A489B.1060701@fsl.com> <5327C5D8286CC412F17FCB4F@rdf.local> Message-ID: <4B2A74E6.6010301@fsl.com> On 17/12/09 16:17, Frank Cusack wrote: > On December 17, 2009 3:04:59 PM +0000 Steve Freegard > wrote: >> Huh? Don't see what this has to do with anything if you use MailScanner >> properly. >> >> It's a *gateway* and should be running as the inbound MX for your domain >> and 'Read IP Address from Received Header' should be left well alone. >> MailScanner will read the client IP address from the queue file. > > It is not a gateway. It does not even implement an SMTP client much > less a server. It is a filter. > I disagree - if deployed as documented e.g. MTA in -> MailScanner -> MTA out - then the sum of the parts can be called a gateway. >> That how all of us use it.... > > Apparently not as some solutions using it as other than a gateway are > documented. One may not have the network configuration to support > using it as a gateway. Just for example, if you have a backup MX > server, perhaps you cannot run MailScanner on that server. In which > case you MUST have a hop before your MS server so that when mail is > forwarded from the backup to the MS server, the source IP is properly > interpreted. > > Or are you saying that everyone using MS "properly" must have enough > resources to have a backup MX server on another network and under > their direct control. > A very 1990s-style set-up. Backup MXes that are not within your control are spam magnets and should be avoided at all costs. 
They will cause backscatter unless a lot of care is taken in their configuration. They need to be configured with as strict rules as the primary systems and implement things like recipient verification. >> I'm going to guess that you're trying to use a single MailScanner systems >> for inbound and outbound scanning and that you want to apply rules to >> your MUA clients separately using the IP address supplied in the Received >> headers by your mail server which is using the MailScanner gateway as a >> smart host.... if so - run a separate outbound gateway and configure >> 'Read IP Address from Received Header' accordingly. > > That is correct, however just as I am unable to run MS on my MX host > I am unable to run MS on my SMTP host (the host which receives mail from > users). > Hmmm ... configuration like that leaves you with seriously limited options. No wonder you were asking about the 'bounce' action... >> If you need anything more complex - then write a CustomFunction on 'Read >> IP Address from Received Header' and parse the received headers yourself >> and return the correct number back using that. > > It was much less complex (trivial as I noted) to properly release a > queue file from the quarantine. > Ok. Regards, Steve. From maillists at conactive.com Thu Dec 17 19:46:51 2009 
From: maillists at conactive.com (Kai Schaetzl)
Date: Thu Dec 17 19:47:06 2009
Subject: phishing.bad.sites.conf v ScamNailer
In-Reply-To:
References:
Message-ID:

Mark Sapiro wrote on Thu, 17 Dec 2009 09:50:41 -0800:

> I don't get it. When I installed the 4.79.4 rpm, it installed a
> /etc/MailScanner/phishing.bad.sites.conf.rpmnew and
> update_phishing_sites runs regularly and gets an approximately 290K
> phishing.bad.sites.conf.
>
> What's the problem?

Hm, thanks for *this* info!

I have an older version (June) and Robert may have as well. I suppose something must have changed since then (e.g. retrieval of the hostnames like the scamnailer package does it?).

I get this output from running the script:

Reading status from /var/spool/MailScanner/quarantine/phishingupdate/status
Checking that /var/spool/MailScanner/quarantine/phishingupdate/cache/2009-503 exists... no - reseting..... ok
Checking that /var/spool/MailScanner/quarantine/phishingupdate/cache/-1.0 exists... ok
I am working with: Current: 2009-504 - 0 and Status: -1 - 0
This is base update
Unable to retrieve http://www.mailscanner.tv/.2009-504 :500 Can't connect to www.mailscanner.tv:80 (connect: timeout)
Update required
Updating live file /etc/MailScanner/phishing.bad.sites.conf
cp: cannot stat `/var/spool/MailScanner/quarantine/phishingupdate/cache//2009-504': No such file or directory

and this leaves one without a phishing.bad.sites.conf as this has been moved to phishing.bad.sites.conf.old which will get eventually overwritten with an empty file on the next run.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From mikej at rogers.com Thu Dec 17 22:27:56 2009
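The sequence in the output above (live file moved aside, download fails, nothing put back) is avoided by validating the download before the live file is touched. A sketch in Python, added here as an illustration; it is not the MailScanner update script, `install_update`, `fetch` and `min_entries` are hypothetical names, and the one-entry-per-line format with `#` comments is an assumption.

```python
import os
import shutil
import tempfile


def install_update(live_path, fetch, min_entries=1):
    """Replace live_path with the bytes fetch() returns, but only if they validate.

    Returns True when the live file was replaced. On any failure the live
    file and its .old backup are left exactly as they were.
    """
    try:
        data = fetch()
    except OSError:
        # Timeouts, refused connections and urllib's URLError are all OSError.
        return False
    entries = [line for line in data.splitlines()
               if line.strip() and not line.lstrip().startswith(b"#")]
    if len(entries) < min_entries:
        return False                       # empty or comment-only download

    # Write the new list next to the live file so the final rename stays on
    # one filesystem and is atomic.
    directory = os.path.dirname(os.path.abspath(live_path))
    fd, tmp_path = tempfile.mkstemp(dir=directory, prefix=".update.")
    try:
        with os.fdopen(fd, "wb") as handle:
            handle.write(data)
            handle.flush()
            os.fsync(handle.fileno())
        os.chmod(tmp_path, 0o644)
        # Only a validated download may overwrite the previous backup.
        if os.path.exists(live_path):
            shutil.copy2(live_path, live_path + ".old")
        os.replace(tmp_path, live_path)
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise
    return True


def timed_out():
    """Constructed stand-in for the download that fails with a timeout."""
    raise TimeoutError("connect: timeout")


def demo():
    """Two failed updates, then a good one; return the on-disk state after each."""
    with tempfile.TemporaryDirectory() as workdir:
        live = os.path.join(workdir, "phishing.bad.sites.conf")
        with open(live, "wb") as handle:
            handle.write(b"bad.example\n")          # constructed current list
        results = []
        fetchers = (timed_out,
                    lambda: b"",
                    lambda: b"bad.example\nworse.example\n")
        for fetch in fetchers:
            replaced = install_update(live, fetch)
            with open(live, "rb") as handle:
                results.append((replaced, handle.read(),
                                os.path.exists(live + ".old")))
        return results


if __name__ == "__main__":
    for state in demo():
        print(state)
```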
From: mikej at rogers.com (Mike Jakubik)
Date: Thu Dec 17 22:27:33 2009
Subject: taint mode perl problem under freebsd (fixed)
Message-ID:

FreeBSD admins rejoice, you can finally update perl without breaking MailScanner. I have tested the latest version and it works great. I've also submitted a pr to update the port so it will be available soon.

Thank you Julian for finally fixing this! This was driving a lot of the FreeBSD folks crazy as no one could figure out what the issue was.

From rlopezcnm at gmail.com Thu Dec 17 22:46:43 2009
From: rlopezcnm at gmail.com (Robert Lopez)
Date: Thu Dec 17 22:46:53 2009
Subject: phishing.bad.sites.conf v ScamNailer
In-Reply-To:
References:
Message-ID:

On Thu, Dec 17, 2009 at 12:46 PM, Kai Schaetzl wrote:
> Mark Sapiro wrote on Thu, 17 Dec 2009 09:50:41 -0800:
>
>> I don't get it. When I installed the 4.79.4 rpm, it installed a
>> /etc/MailScanner/phishing.bad.sites.conf.rpmnew and
>> update_phishing_sites runs regularly and gets an approximately 290K
>> phishing.bad.sites.conf.
>>
>> What's the problem?
>
> Hm, thanks for *this* info!
>
> I have an older version (June) and Robert may have as well.
> I suppose something must have changed since then (e.g. retrieval of the
> hostnames like the scamnailer package does it?).
>
> I get this output from running the script:
> Reading status from
> /var/spool/MailScanner/quarantine/phishingupdate/status
> Checking that /var/spool/MailScanner/quarantine/phishingupdate/cache/2009
> -503 exists... no - reseting..... ok
> Checking that /var/spool/MailScanner/quarantine/phishingupdate/cache/-1.0
> exists... ok
> I am working with: Current: 2009-504 - 0 and Status: -1 - 0
> This is base update
> Unable to retrieve http://www.mailscanner.tv/.2009-504 :500 Can't connect
> to www.mailscanner.tv:80 (connect: timeout)
> Update required
> Updating live file /etc/MailScanner/phishing.bad.sites.conf
> cp: cannot stat
> `/var/spool/MailScanner/quarantine/phishingupdate/cache//2009-504': No
> such file or directory
>
> and this leaves one without a phishing.bad.sites.conf as this has been
> moved to phishing.bad.sites.conf.old which will get eventually overwritten
> with an empty file on the next run.
>
>
> Kai
>
> --
> Kai Schätzl, Berlin, Germany
> Get your web at Conactive Internet Services: http://www.conactive.com
>

Yes. Old in MailScanner terms (still current in Ubuntu terms):

# MailScanner --version
Running on
Linux mg05 2.6.28-11-server #42-Ubuntu SMP Fri Apr 17 02:45:36 UTC 2009 x86_64 GNU/Linux
This is Perl version 5.010000 (5.10.0)

This is MailScanner version 4.74.16
<...>

Unless I am terribly confused, I think ScamNailer == jkf.phishing. I have that running and it is being updated:

# ls -l /var/cache/jkf.phishingupdate/*
-rw-r--r-- 1 root root 411561 2009-12-16 17:17 /var/cache/jkf.phishingupdate/phishing.emails.list
-rw-r--r-- 1 root root 410713 2009-12-15 17:17 /var/cache/jkf.phishingupdate/phishing.emails.list.old
-rw-r--r-- 1 root root 11 2009-12-16 17:17 /var/cache/jkf.phishingupdate/status

/var/cache/jkf.phishingupdate/cache:
total 404
-rw-r--r-- 1 root root 411561 2009-12-16 17:17 2009-504

I still have these files:

# ls -l /etc/MailScanner/phishing.*
-rw-r--r-- 1 root root 134840 2009-12-15 10:24 /etc/MailScanner/phishing.bad.sites.conf
-rw-r--r-- 1 root root 4779 2009-10-20 15:44 /etc/MailScanner/phishing.safe.sites.conf

and I am still editing them to insert files into both of them. Into the phishing.bad.sites.conf I am adding the url of college specific phishing sites that slip past all email defenses. I have yet to see proof the url I put there are functioning. Those seem to be short lived so maybe there is success but maybe the url just have not been reused.

Sorry for any confusion.

--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106

From glenn.steen at gmail.com Fri Dec 18 09:22:55 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Dec 18 09:23:04 2009
Subject: quarantine release might lose mail?
In-Reply-To: <4B2A74E6.6010301@fsl.com>
References: <223f97700912160149k2a98ecabmd5e147c16e49f13d@mail.gmail.com> <01403FBE3FDD49726F5844DD@rdf.local> <223f97700912170405y46c09152vf1a30bd239a2683d@mail.gmail.com> <4B2A23DA.6060908@fsl.com> <4B2A489B.1060701@fsl.com> <5327C5D8286CC412F17FCB4F@rdf.local> <4B2A74E6.6010301@fsl.com>
Message-ID: <223f97700912180122o1150205aie9801a05349c863b@mail.gmail.com>

2009/12/17 Steve Freegard :
> On 17/12/09 16:17, Frank Cusack wrote:
>>
>> On December 17, 2009 3:04:59 PM +0000 Steve Freegard
>> wrote:
>>>
>>> Huh? Don't see what this has to do with anything if you use MailScanner
>>> properly.
>>>
>>> It's a *gateway* and should be running as the inbound MX for your domain
>>> and 'Read IP Address from Received Header' should be left well alone.
>>> MailScanner will read the client IP address from the queue file.
>>
>> It is not a gateway. It does not even implement an SMTP client much
>> less a server. It is a filter.
>>
>
> I disagree - if deployed as documented e.g. MTA in -> MailScanner -> MTA out
> - then the sum of the parts can be called a gateway.
>
>>> That how all of us use it....
>>
>> Apparently not as some solutions using it as other than a gateway are
>> documented. One may not have the network configuration to support
>> using it as a gateway. Just for example, if you have a backup MX
>> server, perhaps you cannot run MailScanner on that server. In which
>> case you MUST have a hop before your MS server so that when mail is
>> forwarded from the backup to the MS server, the source IP is properly
>> interpreted.
>>
>> Or are you saying that everyone using MS "properly" must have enough
>> resources to have a backup MX server on another network and under
>> their direct control.
>>
>
> A very 1990s-style set-up. Backup MXes that are not within your control are
> spam magnets and should be avoided at all costs. They will cause
> backscatter unless a lot of care is taken in their configuration.
>
> They need to be configured with as strict rules as the primary systems and
> implement things like recipient verification.
>
>>> I'm going to guess that you're trying to use a single MailScanner systems
>>> for inbound and outbound scanning and that you want to apply rules to
>>> your MUA clients separately using the IP address supplied in the Received
>>> headers by your mail server which is using the MailScanner gateway as a
>>> smart host.... if so - run a separate outbound gateway and configure
>>> 'Read IP Address from Received Header' accordingly.
>>
>> That is correct, however just as I am unable to run MS on my MX host
>> I am unable to run MS on my SMTP host (the host which receives mail from
>> users).
>>
>
> Hmmm ... configuration like that leaves you with seriously limited options.
> No wonder you were asking about the 'bounce' action...
>
>>> If you need anything more complex - then write a CustomFunction on 'Read
>>> IP Address from Received Header' and parse the received headers yourself
>>> and return the correct number back using that.
>>
>> It was much less complex (trivial as I noted) to properly release a
>> queue file from the quarantine.
>>
>
> Ok.
>
> Regards,
> Steve.

Steve is the voice of reason here Frank, so listen well to his advice.
Given your current situation, I'd seriously think of ditching the
secondary entirely... As is, it doesn't add any security worth
mentioning, only trouble. For real mail sent through real MTAs, a
service outage will be handled (more or less well) via the RFCs
anyway, so ... the use of a secondary is only to try simulate
something that mail was never designed for, in your case at least, so
... not that great:/

I haven't looked at it lately, but there used to be a fairly
opinionated (but good) wiki page on best practices ... Have a quick
peek at http://wiki.mailscanner.info/doku.php?id=best_practices ...
it's actually worth the read;-)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From lists at elasticmind.net Fri Dec 18 10:33:39 2009
From: lists at elasticmind.net (mog)
Date: Fri Dec 18 10:34:11 2009
Subject: taint mode perl problem under freebsd (fixed)
In-Reply-To:
References:
Message-ID: <4B2B5A83.6000300@elasticmind.net>

Whoooo! Christmas has come early!

Hehe, you're absolutely right, it has definitely been driving me crazy so I think that makes me one of the folks you speak of :-\

A big thank you to Julian for fixing this for us and to Mike for updating the port!

Kind regards,
mog

Mike Jakubik wrote:
> FreeBSD admins rejoice, you can finally update perl without breaking
> MailScanner. I have tested the latest version and it works great. I've
> also submitted a pr to update the port so it will be available soon.
>
> Thank you Julian for finally fixing this! This was driving a lot of the
> FreeBSD folks crazy as no one could figure out what the issue was.
>
>
>

From lists at elasticmind.net Fri Dec 18 10:47:29 2009
From: lists at elasticmind.net (mog)
Date: Fri Dec 18 10:47:52 2009
Subject: taint mode perl problem under freebsd (fixed)
In-Reply-To: <4B2B5A83.6000300@elasticmind.net>
References: <4B2B5A83.6000300@elasticmind.net>
Message-ID: <4B2B5DC1.8060002@elasticmind.net>

Forgot to add this before sending...

Also want to say thanks to the people on the list who helped in testing and identifying the taint mode problem. It means MailScanner and Perl can finally work as they should on FreeBSD and I, for one, greatly appreciate it.

Might as well wish everyone a Merry Christmas (hell, it's snowing!) and a Happy New Year while I'm at it :-D

Kind regards,
mog

mog wrote:
> Whoooo! Christmas has come early!
>
> Hehe, you're absolutely right, it has definitely been driving me crazy
> so I think that makes me one of the folks you speak of :-\
>
> A big thank you to Julian for fixing this for us and to Mike for
> updating the port!
>
> Kind regards,
> mog
>
>
> Mike Jakubik wrote:
>> FreeBSD admins rejoice, you can finally update perl without breaking
>> MailScanner. I have tested the latest version and it works great. I've
>> also submitted a pr to update the port so it will be available soon.
>>
>> Thank you Julian for finally fixing this! This was driving a lot of the
>> FreeBSD folks crazy as no one could figure out what the issue was.
>>
>>

From alessandro.fachin at qnet.it Fri Dec 18 11:44:46 2009
From: alessandro.fachin at qnet.it (Alessandro Fachin)
Date: Fri Dec 18 11:44:57 2009
Subject: Mailscanner changes mail unique ID
Message-ID: <200912181244.46360.alessandro.fachin@qnet.it>

Thanks a lot Glenn... Your perl script is very useful! It will reduce the number of my grep to looking for ID on mail.log. Thanks!!!

Regards!

--
Alessandro Fachin
alessandro.fachin@qnet.it
Qnet s.r.l
Via Circonvallazione Sud 76
33033 Codroipo (UD) - Italy
http://www.qnet.it
http://www.qfarm.it
Tel. +39 0432 906062
Fax +39 0432 901514

From maillists at conactive.com Fri Dec 18 12:31:21 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri Dec 18 12:31:34 2009
Subject: phishing.bad.sites.conf v ScamNailer
In-Reply-To:
References:
Message-ID:

Robert Lopez wrote on Thu, 17 Dec 2009 15:46:43 -0700:

> Unless I am terribly confused, I think ScamNailer == jkf.phishing.

Might be so, I've never tried it.

> I still have these files:
> # ls -l /etc/MailScanner/phishing.*
> -rw-r--r-- 1 root root 134840 2009-12-15 10:24
> /etc/MailScanner/phishing.bad.sites.conf
> -rw-r--r-- 1 root root 4779 2009-10-20 15:44
> /etc/MailScanner/phishing.safe.sites.conf
>
> and I am still editing them to insert files into both of them.

So, you have disabled the update script then? (if not it overwrites your additions.)

What do you get as output when you run /usr/sbin/update_bad_phishing_sites manually? (You want to backup update_bad_phishing_sites before this.)

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From fcusack at fcusack.com Fri Dec 18 14:59:02 2009
From: fcusack at fcusack.com (Frank Cusack) Date: Fri Dec 18 14:59:18 2009 Subject: quarantine release might lose mail? In-Reply-To: <223f97700912180122o1150205aie9801a05349c863b@mail.gmail.com> References: <223f97700912160149k2a98ecabmd5e147c16e49f13d@mail.gmail.com> <01403FBE3FDD49726F5844DD@rdf.local> <223f97700912170405y46c09152vf1a30bd239a2683d@mail.gmail.com> <4B2A23DA.6060908@fsl.com> <4B2A489B.1060701@fsl.com> <5327C5D8286CC412F17FCB4F@rdf.local> <4B2A74E6.6010301@fsl.com> <223f97700912180122o1150205aie9801a05349c863b@mail.gmail.com> Message-ID: <5DC2F914FD036028469F3559@rdf.local> On December 18, 2009 10:22:55 AM +0100 Glenn Steen wrote: > Steve is the voice of reason here Frank, so listen well to his advice. > Given your current situation, I'd seriously think of ditching the > secondare entirely... As is, it doesn't add any security worth > mentioning, only trouble. For real mail sent through real MTAs, a > service outage will be handled (more or less well) via the RFCs > anyway, so ... the use of a secondary is only to try simulate > something that mail was never designed for, in your case at least, so > ... not that great:/ I am now tending to agree. In fact, I'm not sure why I have *ever* used a secondary MX. It's not like you can tolerate more than a day of downtime (even a day would be long) and even if so, not hard to put up a second box on the same IP. I guess it harkens back to the days of lots of little partitions on the hard drive. > I haven't looked at it lately, but there used to be a fairly > opinionated (but good) wiki page on best practices ... Have a quick > peek at http://wiki.mailscanner.info/doku.php?id=best_practices ... > it's actually worth the read;-) thanks, i hadn't seen that page. i'll check it out. -frank From glenn.steen at gmail.com Fri Dec 18 16:29:22 2009 
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Dec 18 16:29:31 2009
Subject: quarantine release might lose mail?
In-Reply-To: <5DC2F914FD036028469F3559@rdf.local>
References: <01403FBE3FDD49726F5844DD@rdf.local> <223f97700912170405y46c09152vf1a30bd239a2683d@mail.gmail.com> <4B2A23DA.6060908@fsl.com> <4B2A489B.1060701@fsl.com> <5327C5D8286CC412F17FCB4F@rdf.local> <4B2A74E6.6010301@fsl.com> <223f97700912180122o1150205aie9801a05349c863b@mail.gmail.com> <5DC2F914FD036028469F3559@rdf.local>
Message-ID: <223f97700912180829k4e9a0adv761aeb58bc19b359@mail.gmail.com>

2009/12/18 Frank Cusack :
> On December 18, 2009 10:22:55 AM +0100 Glenn Steen
> wrote:
>>
>> Steve is the voice of reason here Frank, so listen well to his advice.
>> Given your current situation, I'd seriously think of ditching the
>> secondare entirely... As is, it doesn't add any security worth
>> mentioning, only trouble. For real mail sent through real MTAs, a
>> service outage will be handled (more or less well) via the RFCs
>> anyway, so ... the use of a secondary is only to try simulate
>> something that mail was never designed for, in your case at least, so
>> ... not that great:/
>
> I am now tending to agree. In fact, I'm not sure why I have *ever*
> used a secondary MX. It's not like you can tolerate more than a day
> of downtime (even a day would be long) and even if so, not hard to
> put up a second box on the same IP.
>
> I guess it harkens back to the days of lots of little partitions
> on the hard drive.

:-)
One could of course have several equal weight MXes for performance/load balancing, but that's another issue:-).

>> I haven't looked at it lately, but there used to be a fairly
>> opinionated (but good) wiki page on best practices ... Have a quick
>> peek at http://wiki.mailscanner.info/doku.php?id=best_practices ...
>> it's actually worth the read;-)
>
> thanks, i hadn't seen that page. i'll check it out.
>

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From mark at msapiro.net Fri Dec 18 16:36:26 2009
From: mark at msapiro.net (Mark Sapiro)
Date: Fri Dec 18 16:36:53 2009
Subject: phishing.bad.sites.conf v ScamNailer
In-Reply-To:
References:
Message-ID: <4B2BAF8A.6030203@msapiro.net>

Kai Schaetzl wrote:
> Mark Sapiro wrote on Thu, 17 Dec 2009 09:50:41 -0800:
>
>> I don't get it. When I installed the 4.79.4 rpm, it installed a
>> /etc/MailScanner/phishing.bad.sites.conf.rpmnew and
>> update_phishing_sites runs regularly and gets an approximately 290K
>> phishing.bad.sites.conf.
>>
>> What's the problem?
>
> Hm, thanks for *this* info!
>
> I have an older version (June) and Robert may have as well.
> I suppose something must have changed since then (e.g. retrieval of the
> hostnames like the scamnailer package does it?).
>
> I get this output from running the script:
> Reading status from
> /var/spool/MailScanner/quarantine/phishingupdate/status
> Checking that /var/spool/MailScanner/quarantine/phishingupdate/cache/2009
> -503 exists... no - reseting..... ok
> Checking that /var/spool/MailScanner/quarantine/phishingupdate/cache/-1.0
> exists... ok
> I am working with: Current: 2009-504 - 0 and Status: -1 - 0
> This is base update
> Unable to retrieve http://www.mailscanner.tv/.2009-504 :500 Can't connect
> to www.mailscanner.tv:80 (connect: timeout)
> Update required
> Updating live file /etc/MailScanner/phishing.bad.sites.conf
> cp: cannot stat
> `/var/spool/MailScanner/quarantine/phishingupdate/cache//2009-504': No
> such file or directory
>
> and this leaves one without a phishing.bad.sites.conf as this has been
> moved to phishing.bad.sites.conf.old which will get eventually overwritten
> with an empty file on the next run.

Now I'm really confused. That looks like output from a ScamNailer type script, yet my, presumably current, /usr/sbin/update_phishing_sites script doesn't do anything like that (and its ID is $Id: update_phishing_sites 3982 2007-06-26 09:00:39Z sysjkf $ indicating it hasn't changed in years).
It is attached as update_phishing_sites.txt

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

-------------- next part --------------
#!/bin/sh
#
#   MailScanner - SMTP E-Mail Virus Scanner
#   Copyright (C) 2002 Julian Field
#
#   $Id: update_phishing_sites 3982 2007-06-26 09:00:39Z sysjkf $
#
#   This program is free software; you can redistribute it and/or modify
#   it under the terms of the GNU General Public License as published by
#   the Free Software Foundation; either version 2 of the License, or
#   (at your option) any later version.
#
#   This program is distributed in the hope that it will be useful,
#   but WITHOUT ANY WARRANTY; without even the implied warranty of
#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
#   GNU General Public License for more details.
#
#   You should have received a copy of the GNU General Public License
#   along with this program; if not, write to the Free Software
#   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
#   The author, Julian Field, can be contacted by email at
#      Jules@JulianField.net
#   or by paper mail at
#      Julian Field
#      Dept of Electronics & Computer Science
#      University of Southampton
#      Southampton
#      SO17 1BJ
#      United Kingdom
#

PATH=/bin:/usr/bin:/sbin:/usr/sbin:/usr/etc:/usr/local/bin:/usr/sfw/bin
export PATH

if [ -d /etc/MailScanner ]; then
  cd /etc/MailScanner
else
  logger -p mail.warn -t update.phishing.sites Cannot find MailScanner configuration directory, update failed.
  echo Cannot find MailScanner configuration directory.
  echo Auto-updates of phishing.safe.sites.conf will not happen.
  exit 1
fi

wget http://www.mailscanner.info/phishing.safe.sites.conf.master || \
curl -O http://www.mailscanner.info/phishing.safe.sites.conf.master || \
( logger -p mail.warn -t update.phishing.sites Cannot find wget or curl, update failed. ; echo Cannot find wget or curl to do phishing sites update. ; exit 1 )

if [ -s phishing.safe.sites.conf.master ]; then
  cat phishing.safe.sites.conf.master phishing.safe.sites.conf | \
  sort | uniq > phishing.safe.sites.conf.new
  cp -f phishing.safe.sites.conf phishing.safe.sites.conf.old
  mv -f phishing.safe.sites.conf.new phishing.safe.sites.conf
  chmod a+r phishing.safe.sites.conf
  logger -p mail.info -t update.phishing.sites Phishing safe sites list updated
else
  logger -p mail.info -t update.phishing.sites Phishing safe sites list update failed!
fi

rm -f phishing.safe.sites.conf.master

exit 0

From maillists at conactive.com Fri Dec 18 17:54:53 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri Dec 18 17:55:02 2009
Subject: phishing.bad.sites.conf v ScamNailer
In-Reply-To: <4B2BAF8A.6030203@msapiro.net>
References: <4B2BAF8A.6030203@msapiro.net>
Message-ID:

Mark Sapiro wrote on Fri, 18 Dec 2009 08:36:26 -0800:

> /usr/sbin/update_phishing_sites

we need /usr/sbin/update_bad_phishing_sites. Unfortunately,
it contains a bad CVS id (the same as the update_phishing_sites script).
What happens if you run it?

Today I get a slightly different output:
/usr/sbin/update_bad_phishing_sites
Reading status from
/var/spool/MailScanner/quarantine/phishingupdate/status
Checking that /var/spool/MailScanner/quarantine/phishingupdate/cache/2009
-504 exists... no - reseting..... ok
Checking that /var/spool/MailScanner/quarantine/phishingupdate/cache/-1.0
exists... ok
I am working with: Current: 2009-505 - 1 and Status: -1 - 0
This is base update
Unable to retrieve http://www.mailscanner.tv/.2009-505 :500 Can't connect
to www.mailscanner.tv:80 (connect: timeout)
Update required
Retrieving http://www.mailscanner.tv/2009-505.1
Failed to retrieve http://www.mailscanner.tv/2009-505.1 at
/usr/sbin/update_bad_phishing_sites line 198.
Unable to open base file
(/var/spool/MailScanner/quarantine/phishingupdate/cache//2009-505)

Looks like the update mechanism is still legit, but I'm getting blocked?
This script was running hourly as per MS default setup. Now it's not
running at all.
Jules, are you listening? Should this work or not?

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From mikej at rogers.com Fri Dec 18 18:42:35 2009
From: mikej at rogers.com (Mike Jakubik)
Date: Fri Dec 18 18:42:05 2009
Subject: MS unable to process xlsx file
Message-ID: <75658973142c15a9d694ad67abec8ae8.squirrel@wettoast.dyndns.org>

Hi,

I have an Excel file that is causing MS to timeout when scanning the
email. I'm not sure if it's a problem with MS or one of the Perl modules,
but it does not happen on one of my older mail servers. I am attaching the
spreadsheet that is causing the problem, perhaps someone else could try it?

Dec 18 13:34:46 illidan MailScanner[86530]: Warning: skipping message 61D6556492.A038A as it has been attempted too many times
Dec 18 13:34:46 illidan MailScanner[86530]: Quarantined message 61D6556492.A038A as it caused MailScanner to crash several times
Dec 18 13:34:46 illidan MailScanner[86530]: Saved entire message to /var/spool/MailScanner/quarantine/20091218/61D6556492.A038A

Here is my environment:

MailScanner 4.79.4
Perl, v5.8.9

p5-AppConfig-1.66   A Perl module for reading configuration files
p5-Archive-Tar-1.54 Perl module for creation and manipulation of tar files
p5-Archive-Zip-1.30 Perl module to create, manipulate, read, and write Zip arch
p5-Authen-SASL-2.13 Perl5 module for SASL authentication
p5-CGI.pm-3.48,1    Simple Common Gateway Interface Class for Perl
p5-Chart-2.4.1_2    A perl5 interface to build chart graphics
p5-Class-Accessor-0.34 Automated accessor generation
p5-Compress-Raw-Bzip2-2.023 Low-Level Interface to bzip2 compression library
p5-Compress-Raw-Zlib-2.023 Low-Level Interface to zlib compression library
p5-Compress-Zlib-2.015 Perl5 interface to zlib compression library
p5-Convert-BinHex-1.119 Perl module to extract data from Macintosh BinHex files
p5-Convert-TNEF-0.17 Perl module to read TNEF files
p5-Crypt-OpenSSL-Bignum-0.04 OpenSSL's multiprecision integer arithmetic
p5-Crypt-OpenSSL-RSA-0.26 Perl5 module to RSA encode and decode strings using OpenSSL
p5-Crypt-OpenSSL-Random-0.04 Perl5 interface to the OpenSSL pseudo-random number generat
p5-DBD-Pg-2.15.1    Provides access to PostgreSQL databases through the DBI
p5-DBD-SQLite-1.27  Provides access to SQLite3 databases through the DBI
p5-DBD-mysql51-4.012 MySQL 5.1 driver for the Perl5 Database Interface (DBI)
p5-DBI-1.60.9       The perl5 Database Interface.  Required for DBD::* modules
p5-Data-Dumper-2.125 Stringified perl data structures, suitable for both printin
p5-Digest-HMAC-1.01 Perl5 interface to HMAC Message-Digest Algorithms
p5-Digest-SHA-5.47  Perl extension for SHA-1/224/256/384/512
p5-Digest-SHA1-2.12 Perl interface to the SHA-1 Algorithm
p5-Email-Address-1.88.9 RFC 2822 Address Parsing and Creation
p5-Email-MIME-1.902_1 Easy MIME message parsing
p5-Email-MIME-ContentType-1.01.5 Parse a MIME Content-Type Header
p5-Email-MIME-Encodings-1.313 A unified interface to MIME encoding and decoding
p5-Email-MessageID-1.401 Generate world unique message-ids
p5-Email-Send-2.198 Email::Send - Simply Sending Email
p5-Email-Simple-2.100 Simple parsing of RFC2822 message format and headers
p5-Email-Valid-0.182 Check validity of Internet email addresses
p5-Encode-2.39      Provides interfaces between strings and the rest of the sys
p5-Encode-Detect-1.01 An Encode::Encoding subclass that detects the encoding of d
p5-Error-0.17015    Perl module to provide Error/exception support for perl: Er
p5-ExtUtils-CBuilder-0.27,1 Compile and link C code for Perl modules
p5-ExtUtils-ParseXS-2.21 Converts Perl XS code into C code
p5-File-Temp-0.22   Perl5 module to generate temporary files or directories saf
p5-File-Which-1.09  Portable implementation of `which' in Perl
p5-Filesys-Df-0.92  Perl extension for filesystem space
p5-GD-2.44          A perl5 interface to Gd Graphics Library version2
p5-GD-Graph-1.44.01_2 Graph plotting module for perl5
p5-GD-TextUtil-0.86_1 Text utilities for use with GD drawing package
p5-GSSAPI-0.26      Perl extension providing access to the GSSAPIv2 library
p5-Getopt-Long-2.38 Perl module for extended processing of command line options
p5-HTML-Parser-3.64 Perl5 module for parsing HTML documents
p5-HTML-Scrubber-0.08 Perl extension for scrubbing/sanitizing html
p5-HTML-Tagset-3.20 Some useful data table in parsing HTML
p5-IO-1.25,1        Various IO modules for Perl
p5-IO-Compress-Base-2.015 Base Class for IO::Uncompress modules
p5-IO-Compress-Bzip2-2.015 An interface to allow writing bzip2 compressed data to file
p5-IO-Compress-Zlib-2.015 Perl5 interface for reading and writing of (g)zip files
p5-IO-Socket-SSL-1.31 Perl5 interface to SSL sockets
p5-IO-String-1.08   Simplified Perl5 module to handle I/O on in-core strings
p5-IO-Zlib-1.10     IO:: style interface to Compress::Zlib
p5-IO-stringy-2.110 Perl5 module for using IO handles with non-file objects
p5-MIME-Base64-3.08 Perl5 module for Base64 and Quoted-Printable encodings
p5-MIME-Charset-1.008 Charset Informations for MIME
p5-MIME-EncWords-1.011.1 Deal with RFC 2047 encoded words (improved)
p5-MIME-Tools-5.427_1,2 A set of perl5 modules for MIME
p5-MIME-Types-1.28  Perl extension for determining MIME types
p5-Mail-DKIM-0.37   Perl5 module to process and/or create DKIM email
p5-Mail-SPF-2.007   Reference implementation of the RFC 4408 SPF protocol
p5-Mail-Sendmail-0.79 Perl module implementing a simple, platform-independent mai
p5-Mail-SpamAssassin-3.2.5_4 A highly efficient mail filter for identifying spam
p5-Mail-Tools-2.04  Perl5 modules for dealing with Internet e-mail messages
p5-Math-BigInt-1.89 Math::BigInt - Arbitrary size integer math package
p5-Module-Build-0.35 Build and install Perl modules
p5-Module-Pluggable-3.9 Automatically give your module the ability to have plugins
p5-Net-1.22_1,1     Perl5 modules to access and use network protocols
p5-Net-CIDR-0.13    Perl module to manipulate IPv4/IPv6 netblocks in CIDR notat
p5-Net-DNS-0.65     Perl5 interface to the DNS resolver, and dynamic updates
p5-Net-DNS-Resolver-Programmable-0.003 Programmable DNS resolver for off-line testing
p5-Net-Domain-TLD-1.68 Look up and validate TLDs
p5-Net-IP-1.25_1    Perl extension for manipulating IPv4/IPv6 addresses
p5-Net-Ident-1.20   Lookup the username on the remote end of a TCP/IP connectio
p5-Net-SSLeay-1.35_2 Perl5 interface to SSL
p5-NetAddr-IP-4.02.7 Perl module for working with IP addresses and blocks thereo
p5-OLE-Storage_Lite-0.19 Perl module for OLE document interface
p5-Package-Constants-0.02 List all constants declared in a package
p5-PatchReader-0.9.5 Perl module with utilities to read and manipulate patches a
p5-PathTools-3.3100 A Perl module for portably manipulating file specifications
p5-Return-Value-1.666001 Return::Value - Polymorphic Return Values
p5-Storable-2.21    Persistency for perl data structures
p5-Sys-Hostname-Long-1.4 Try every conceivable way to get full hostname
p5-Template-GD-2.66 Template Toolkit plugin to interface with GD modules
p5-Template-Toolkit-2.22_1 Extensive Toolkit for template processing
p5-Time-HiRes-1.9719,1 A perl5 module implementing High resolution time, sleep, an
p5-TimeDate-1.19,1  Perl5 module containing a better/faster date parser for abs
p5-UNIVERSAL-require-0.13 Perl module to require() from a variable
p5-URI-1.51         Perl5 interface to Uniform Resource Identifier (URI) refere
p5-XML-Parser-2.36_1 Perl extension interface to James Clark's XML parser, expat
p5-YAML-0.70        YAML implementation in Perl
p5-gettext-1.05_2   Message handling functions
p5-libwww-5.834     Perl5 library for WWW access
p5-version-0.78     Perl extension for Version Objects

Thanks.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: test.xlsx
Type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Size: 43942 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091218/be6d3acc/test.bin

From mikej at rogers.com Fri Dec 18 18:50:13 2009
From: mikej at rogers.com (Mike Jakubik)
Date: Fri Dec 18 18:49:40 2009
Subject: MS unable to process xlsx file (taint mode prob again?)
In-Reply-To: <75658973142c15a9d694ad67abec8ae8.squirrel@wettoast.dyndns.org>
References: <75658973142c15a9d694ad67abec8ae8.squirrel@wettoast.dyndns.org>
Message-ID: <5002fe2d3649296a67d126ee328ee264.squirrel@wettoast.dyndns.org>

On Fri, December 18, 2009 1:42 pm, Mike Jakubik wrote:
> Hi,
>
> I have an Excel file that is causing MS to timeout when scanning the
> email. I'm not sure if it's a problem with MS or one of the Perl modules,
> but it does not happen on one of my older mail servers. I am attaching the
> spreadsheet that is causing the problem, perhaps someone else could try it?

I just ran MS in debug mode and this is what I got:

Building a message batch to scan...
Have a batch of 1 message.
Insecure dependency in open while running with -T switch at /usr/local/lib/perl5/site_perl/5.8.9/mach/IO/File.pm line 185.
/usr/local/etc/rc.d/mailscanner: WARNING: failed to start mailscanner

Could this be the cause?

From rlopezcnm at gmail.com Fri Dec 18 23:57:20 2009
From: rlopezcnm at gmail.com (Robert Lopez)
Date: Fri Dec 18 23:57:30 2009
Subject: phishing.bad.sites.conf v ScamNailer
In-Reply-To:
References: <4B2BAF8A.6030203@msapiro.net>
Message-ID:

On Fri, Dec 18, 2009 at 10:54 AM, Kai Schaetzl wrote:
> Mark Sapiro wrote on Fri, 18 Dec 2009 08:36:26 -0800:
>
>> /usr/sbin/update_phishing_sites
>
> we need /usr/sbin/update_bad_phishing_sites. Unfortunately,
> it contains a bad CVS id (the same as the update_phishing_sites script).
> What happens if you run it?
>
> Today I get a slightly different output:
> /usr/sbin/update_bad_phishing_sites
> Reading status from
> /var/spool/MailScanner/quarantine/phishingupdate/status
> Checking that /var/spool/MailScanner/quarantine/phishingupdate/cache/2009
> -504 exists... no - reseting..... ok
> Checking that /var/spool/MailScanner/quarantine/phishingupdate/cache/-1.0
> exists... ok
> I am working with: Current: 2009-505 - 1 and Status: -1 - 0
> This is base update
> Unable to retrieve http://www.mailscanner.tv/.2009-505 :500 Can't connect
> to www.mailscanner.tv:80 (connect: timeout)
> Update required
> Retrieving http://www.mailscanner.tv/2009-505.1
> Failed to retrieve http://www.mailscanner.tv/2009-505.1 at
> /usr/sbin/update_bad_phishing_sites line 198.
> Unable to open base file
> (/var/spool/MailScanner/quarantine/phishingupdate/cache//2009-505)
>
> Looks like the update mechanism is still legit, but I'm getting blocked?
> This script was running hourly as per MS default setup. Now it's not
> running at all.
> Jules, are you listening? Should this work or not?
>
> Kai
>
> --
> Kai Schätzl, Berlin, Germany
> Get your web at Conactive Internet Services: http://www.conactive.com
>
>
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

I have /usr/sbin/update_phishing_sites which updates the safe sites only.
It is the exact same file posted by Mark Sapiro.
I did just run it and I did get a newer file than the one I had before.

I do not have /usr/sbin/update_bad_phishing_sites
Locate (updatedb) does not find update_bad_phishing_sites any place.

According to my notes, I took out the cron job to run
update_phishing_sites when I installed the jkf.anti-spear-phishing
stuff. That now appears to be a mistake. I have to now put that back
in.

--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106

From mark at msapiro.net Sat Dec 19 15:55:01 2009
From: mark at msapiro.net (Mark Sapiro)
Date: Sat Dec 19 15:55:23 2009
Subject: phishing.bad.sites.conf v ScamNailer
In-Reply-To:
References: <4B2BAF8A.6030203@msapiro.net>
Message-ID: <4B2CF755.8000707@msapiro.net>

Kai Schaetzl wrote:
> Mark Sapiro wrote on Fri, 18 Dec 2009 08:36:26 -0800:
>
>> /usr/sbin/update_phishing_sites
>
> we need /usr/sbin/update_bad_phishing_sites. Unfortunately,
> it contains a bad CVS id (the same as the update_phishing_sites script).
> What happens if you run it?

Sorry, I wasn't paying close enough attention. I have attached my
/usr/sbin/update_bad_phishing_sites as update_bad_phishing_sites.txt,
but I suspect it is the same as yours.

I just ran it by hand and I got

# update_bad_phishing_sites
Reading status from /var/spool/MailScanner/quarantine/phishingupdate/status
Checking that
/var/spool/MailScanner/quarantine/phishingupdate/cache/2009-506 exists... ok
Checking that
/var/spool/MailScanner/quarantine/phishingupdate/cache/2009-506.0
exists... ok
I am working with: Current: 2009-506 - 0 and Status: 2009-506 - 0
No base update required

which doesn't say much. I have temporarily removed the > /dev/null 2>&1
from the command in the cron and I'll post that output when it actually
updates.

--
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

-------------- next part --------------
#!/usr/bin/perl -w
#
#   MailScanner - SMTP E-Mail Virus Scanner
#   Copyright (C) 2008  Julian Field
#
#   $Id: update_phishing_sites 3982 2007-06-26 09:00:39Z sysjkf $
#
#   This program is free software; you can redistribute it and/or modify
#   it under the terms of the GNU General Public License as published by
#   the Free Software Foundation; either version 2 of the License, or
#   (at your option) any later version.
#
#   This program is distributed in the hope that it will be useful,
#   but WITHOUT ANY WARRANTY; without even the implied warranty of
#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#   GNU General Public License for more details.
#
#   You should have received a copy of the GNU General Public License
#   along with this program; if not, write to the Free Software
#   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
#
#   The author, Julian Field, can be contacted by email at
#      Jules@JulianField.net
#   or by paper mail at
#      Julian Field
#      Dept of Electronics & Computer Science
#      University of Southampton
#      Southampton
#      SO17 1BJ
#      United Kingdom
#

use strict;
use Net::DNS::Resolver;
use LWP::UserAgent;
use FileHandle;
use DirHandle;

# Work out Quarantine Directory from MailScanner.conf
my $base = '/var/spool/MailScanner/quarantine'; # Default value
my $msconf = new FileHandle("< /etc/MailScanner/MailScanner.conf") or
  warn "Cannot open main configuration file /opt/MailScanner/etc/MailScanner.conf";
while(<$msconf>) {
  $base = $1 if /^\s*Quarantine\s*Dir\s*=\s*(\S+)/;
}
close($msconf);

my $current = $base . '/phishingupdate/';
my $cache = $current . 'cache/';
my $status = $current . 'status';
my $urlbase = "http://www.mailscanner.tv/";
my $target= "/etc/MailScanner/phishing.bad.sites.conf";
my $query="msupdate.greylist.bastionmail.com";

my $baseupdated = 0;
if (! -s $target) {
  open (FILE,">$target") or die "Failed to open target file so creating a blank file";
  print FILE "# Wibble";
  close FILE;
} else {
  utime(time(), time(), $current); # So that clean quarantine doesn't delete it!
}

if (! -d $current) {
  print "Working directory is not present - making.....";
  mkdir ($current) or die "failed";
  print " ok!\n";
}

if (! -d $cache) {
  print "Cache directory is not present - making.....";
  mkdir ($cache) or die "failed";
  print " ok!\n";
}

my ($status_base, $status_update);

$status_base=-1;
$status_update=-1;

if (! -s $status) {
  print "This is the first run of this program.....\n";
} else {
  print "Reading status from $status\n";
  open(STATUS_FILE, $status) or die "Unable to open status file\n";
  my $line=<STATUS_FILE>;
  close (STATUS_FILE);

  # The status file is text.text
  if ($line =~ /^(.+)\.(.+)$/) {
    $status_base=$1;
    $status_update=$2;
  }
}

print "Checking that $cache$status_base exists...";
if ((! -s "$cache$status_base") && (!($status_base eq "-1"))) {
  print " no - resetting.....";
  $status_base=-1;
}
print " ok\n";

print "Checking that $cache$status_base.$status_update exists...";
if ((! -s "$cache$status_base.$status_update") && ($status_update>0)) {
  print " no - resetting.....";
  $status_update=-1;
}
print " ok\n";

my ($currentbase, $currentupdate);

$currentbase=-1;
$currentupdate=-1;

# Lets get the current version
my $res = Net::DNS::Resolver->new();
my $RR = $res->query($query, 'TXT');
my @result;
if ($RR) {
  foreach my $rr ($RR->answer) {
    my $text = $rr->rdatastr;
    if ($text =~ /^"(.+)\.(.+)"$/) {
      $currentbase=$1;
      $currentupdate=$2;
      last;
    }
  }
}

die "Failed to retrieve valid current details\n" unless (!($currentbase eq "-1"));

print "I am working with: Current: $currentbase - $currentupdate and Status: $status_base - $status_update\n";

my $generate=0;

# Create a user agent object
my $ua = LWP::UserAgent->new;
$ua->agent("UpdateBadPhishingSites/0.1 ");
# Patch from Heinz.Knutzen@dataport.de
$ua->env_proxy;

if (!($currentbase eq $status_base)) {
  print "This is base update\n";
  $status_update = -1;
  $baseupdated = 1;
  # Create a request
  my $req = HTTP::Request->new(GET => $urlbase.$currentbase);
  # Pass request to the user agent and get a response back
  my $res = $ua->request($req);
  # Check the outcome of the response
  if ($res->is_success) {
    open (FILE, ">$cache/$currentbase") or die "Unable to write base file ($cache/$currentbase)\n";
    print FILE $res->content;
    close (FILE);
  } else {
    warn "Unable to retrieve $urlbase.$currentbase :".$res->status_line, "\n";
  }
  $generate=1;
} else {
  print "No base update required\n";
}

# Now see if the sub version is different
if (!($status_update eq $currentupdate)) {
  my %updates=();
  print "Update required\n";
  if ($currentupdate<$status_update) {
    # In the unlikely event we roll back a patch - we have to go from the base
    print "Error!: $currentupdate<$status_update\n";
    $generate = 1;
    $status_update = 0;
  }
  # If there are updates available and we haven't downloaded them yet we need to reset the counter
  if ($currentupdate>0) {
    if ($status_update<1) {
      $status_update=0;
    }
    my $i;
    # Loop through each of the updates, retrieve it and then add the information into the update array
    for ($i=$status_update+1; $i<=$currentupdate; $i++) {
      print "Retrieving $urlbase$currentbase.$i\n";
      my $req = HTTP::Request->new(GET => $urlbase.$currentbase.".".$i);
      my $res = $ua->request($req);
      warn "Failed to retrieve $urlbase$currentbase.$i" unless ($res->is_success) ;
      my $line;
      foreach $line (split("\n", $res->content)) {
        # Is it an addition?
        if ($line =~ /^\> (.+)$/) {
          if (defined $updates{$1}) {
            if ($updates{$1} eq "<") {
              delete $updates{$1};
            }
          } else {
            $updates{$1}=">";
          }
        }
        # Is it an removal?
        if ($line =~ /^\< (.+)$/) {
          if (defined $updates{$1}) {
            if ($updates{$1} eq ">") {
              delete $updates{$1};
            }
          } else {
            $updates{$1}="<";
          }
        }
      }
    }
    # OK do we have a previous version to work from?
    if ($status_update>0) {
      # Yes - we open the most recent version
      open (FILE, "$cache$currentbase.$status_update") or die "Unable to open base file ($cache/$currentbase.$status_update)\n";
    } else {
      # No - we open the the base file
      open (FILE, "$cache$currentbase") or die "Unable to open base file ($cache/$currentbase)\n";
    }
    # Now open the new update file
    print "$cache$currentbase.$currentupdate\n";
    open (FILEOUT, ">$cache$currentbase.$currentupdate") or die "Unable to open new base file ($cache$currentbase.$currentupdate)\n";
    # Loop through the base file (or most recent update)
    while (<FILE>) {
      chop;
      my $line=$_;
      if (defined ($updates{$line})) {
        # Does the line need removing?
        if ($updates{$line} eq "<") {
          $generate=1;
          next;
        }
        # Is it marked as an addition but already present?
        elsif ($updates{$line} eq ">") {
          delete $updates{$line};
        }
      }
      print FILEOUT $line."\n";
    }
    close (FILE);
    my $line;
    # Are there any additions left
    foreach $line (keys %updates) {
      if ($updates{$line} eq ">") {
        print FILEOUT $line."\n" ;
        $generate=1;
      }
    }
    close (FILEOUT);
  }
}

# Changes have been made
if ($generate) {
  print "Updating live file $target\n";
  my $file="";
  if ($currentupdate>0) {
    $file="$cache/$currentbase.$currentupdate";
  } else {
    $file="$cache/$currentbase";
  }
  if ($file eq "") {
    die "Unable to work out file!\n";
  }
  system ("mv -f $target $target.old");
  system ("cp $file $target");

  open(STATUS_FILE, ">$status") or die "Unable to open status file\n";
  print STATUS_FILE "$currentbase.$currentupdate\n";
  close (STATUS_FILE);
}

my $queuedir = new DirHandle;
my $file;
my $match1 = "^" . $currentbase . "\$";
my $match2 = "^" . $currentbase . "." . $currentupdate . "\$";
$queuedir->open($cache) or die "Unable to do clean up\n";
while(defined($file = $queuedir->read())) {
  next if $file eq '.' || $file eq '..';
  next if $file =~ /$match1/;
  next if $file =~ /$match2/;
  print "Deleting cached file: $file.... ";
  unlink($cache.$file) or die "failed";
  print "ok\n";
}
$queuedir->close();

From submit at zuka.net Sat Dec 19 18:07:54 2009
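The failure Kai reports in this thread, where the live phishing.bad.sites.conf has already been moved to .old when the copy of the downloaded file fails, is avoided by validating the candidate first and swapping it in with a rename. The following is an added example, not part of the thread or of MailScanner; the function names, the minimum-entry threshold and the one-hostname-per-line format check are assumptions.

```shell
#!/bin/sh
# Added example: fail-safe replacement of a list file such as
# phishing.bad.sites.conf. Names, threshold and format check are assumptions.

# validate_list FILE MIN_ENTRIES
# Accept the candidate only if it is non-empty, has at least MIN_ENTRIES
# entries, and every non-comment, non-blank line looks like a hostname.
validate_list() {
    vl_file=$1
    vl_min=$2
    [ -s "$vl_file" ] || return 1
    vl_entries=$(grep -c -v -e '^#' -e '^[[:space:]]*$' "$vl_file") || return 1
    [ "$vl_entries" -ge "$vl_min" ] || return 1
    # A proxy error page or other HTML fails here instead of going live.
    if grep -v -e '^#' -e '^[[:space:]]*$' "$vl_file" |
        grep -q -v -E '^[A-Za-z0-9._-]+$'; then
        return 1
    fi
    return 0
}

# install_list CANDIDATE TARGET MIN_ENTRIES
# Returns 0 if TARGET was replaced; returns 1 and leaves TARGET untouched
# if the candidate is missing, truncated or malformed.
install_list() {
    il_cand=$1
    il_target=$2
    il_min=$3
    validate_list "$il_cand" "$il_min" || return 1
    il_dir=$(dirname "$il_target")
    # Stage on the same filesystem so the final mv is an atomic rename.
    il_tmp=$(mktemp "$il_dir/.list.XXXXXX") || return 1
    if ! cp "$il_cand" "$il_tmp"; then
        rm -f "$il_tmp"
        return 1
    fi
    chmod 644 "$il_tmp"
    # Back up by copying, so the live file never disappears.
    if [ -e "$il_target" ]; then
        cp -p "$il_target" "$il_target.old" || { rm -f "$il_tmp"; return 1; }
    fi
    mv -f "$il_tmp" "$il_target"
}

# Demonstration on constructed files in a scratch directory.
demo() {
    work=$(mktemp -d) || return 1
    printf 'bad.example\nphish.example\n' > "$work/live.conf"
    : > "$work/empty"                                    # failed fetch
    printf '<html><body>500 timeout</body></html>\n' > "$work/html"
    printf '# constructed sample\nbad.example\nphish.example\nnew.example\n' \
        > "$work/good"
    for c in empty html good; do
        if install_list "$work/$c" "$work/live.conf" 2; then
            echo "$c: installed"
        else
            echo "$c: rejected, live file kept"
        fi
    done
    rm -rf "$work"
}
demo
```
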
From: submit at zuka.net (Dave Filchak)
Date: Sat Dec 19 18:09:14 2009
Subject: Phantom clamav
Message-ID: <4B2D167A.8080203@zuka.net>

Hi,

I have just updated to the latest MailScanner and clamav/spamassassin.
At least I believe I have. I ran Julian's install-Clam-SA-latest script
and it complained that my version of clamav was too old. (95.1) (I am
using clamd).

/usr/bin/clamscan -V shows: ClamAV 0.95.3/10201/Sat Dec 19 08:57:03 2009
/usr/sbin/clamd -V shows: ClamAV 0.95.3/10201/Sat Dec 19 08:57:03 2009

whereis clamscan shows clamscan: /usr/bin/clamscan
/usr/share/man/man1/clamscan.1.gz
whereis freshclam shows: freshclam: /usr/bin/freshclam
/etc/freshclam.conf /usr/local/etc/freshclam.conf
/usr/share/man/man1/freshclam.1.gz

ldd /usr/bin/freshclam shows:
        libclamav.so.6 => /usr/lib/libclamav.so.6 (0x00111000)
        libz.so.1 => /usr/lib/libz.so.1 (0x00a74000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x00b03000)
        libpthread.so.0 => /lib/tls/libpthread.so.0 (0x00a3c000)
        libc.so.6 => /lib/tls/libc.so.6 (0x0080d000)
        libbz2.so.1 => /usr/lib/libbz2.so.1 (0x00bb3000)
        libdl.so.2 => /lib/libdl.so.2 (0x00938000)
        /lib/ld-linux.so.2 (0x007f4000)

ldd /usr/bin/clamscan shows:
        libclamav.so.6 => /usr/lib/libclamav.so.6 (0x00869000)
        libpthread.so.0 => /lib/tls/libpthread.so.0 (0x00a3c000)
        libc.so.6 => /lib/tls/libc.so.6 (0x00111000)
        libbz2.so.1 => /usr/lib/libbz2.so.1 (0x00bb3000)
        libz.so.1 => /usr/lib/libz.so.1 (0x00a74000)
        libdl.so.2 => /lib/libdl.so.2 (0x00938000)
        /lib/ld-linux.so.2 (0x007f4000)

I do not see anything wrong here ... does anyone else? I see that in
/usr/src/compile there are a number of compile directories for various
versions up to clamav-0but the error complains about version 95.1. Is
this just an anomaly of the install script for clamav/spamassassin?

Thanks

Dave

From mark at msapiro.net Sat Dec 19 20:38:16 2009
From: mark at msapiro.net (Mark Sapiro)
Date: Sat Dec 19 20:38:33 2009
Subject: phishing.bad.sites.conf v ScamNailer
In-Reply-To: <4B2CF755.8000707@msapiro.net>
Message-ID:

Mark Sapiro wrote:
>
>I just ran it by hand and I got
>
># update_bad_phishing_sites
>Reading status from /var/spool/MailScanner/quarantine/phishingupdate/status
>Checking that
>/var/spool/MailScanner/quarantine/phishingupdate/cache/2009-506 exists... ok
>Checking that
>/var/spool/MailScanner/quarantine/phishingupdate/cache/2009-506.0
>exists... ok
>I am working with: Current: 2009-506 - 0 and Status: 2009-506 - 0
>No base update required
>
>which doesn't say much. I have temporarily removed the > /dev/null 2>&1
>from the command in the cron and I'll post that output when it actually
>updates.

And here's what I get when there is actually an update:

Reading status from /var/spool/MailScanner/quarantine/phishingupdate/status
Checking that /var/spool/MailScanner/quarantine/phishingupdate/cache/2009-506 exists... ok
Checking that /var/spool/MailScanner/quarantine/phishingupdate/cache/2009-506.0 exists... ok
I am working with: Current: 2009-506 - 1 and Status: 2009-506 - 0
No base update required
Update required
Retrieving http://www.mailscanner.tv/2009-506.1
/var/spool/MailScanner/quarantine/phishingupdate/cache/2009-506.1
Updating live file /etc/MailScanner/phishing.bad.sites.conf

So I have no problem connecting to the update site.

--
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From mark at msapiro.net Sun Dec 20 14:31:34 2009
From: mark at msapiro.net (Mark Sapiro)
Date: Sun Dec 20 14:31:59 2009
Subject: Phantom clamav
In-Reply-To: <4B2D167A.8080203@zuka.net>
References: <4B2D167A.8080203@zuka.net>
Message-ID: <4B2E3546.3050802@msapiro.net>

Dave Filchak wrote:
>
> I have just updated to the latest MailScanner and clamav/spamassassin.
> At least I believe I have. I ran Julian's install-Clam-SA-latest script
> and it complained that my version of clamav was too old. (95.1) (I am
> using clamd).
>
> /usr/bin/clamscan -V shows: ClamAV 0.95.3/10201/Sat Dec 19 08:57:03 2009
> /usr/sbin/clamd -V shows: ClamAV 0.95.3/10201/Sat Dec 19 08:57:03 2009

Check your settings for Clamd Socket and Clamd Lock File.

In particular, the location of the clamd socket changed (I think between
0.95.1 and 0.95.2). Possibly you still have an 0.95.1 clamd running in
parallel and using a different socket.

--
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From maillists at conactive.com Sun Dec 20 16:30:29 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Sun Dec 20 16:30:44 2009
Subject: phishing.bad.sites.conf v ScamNailer
In-Reply-To:
References:
Message-ID:

Mark Sapiro wrote on Sat, 19 Dec 2009 12:38:16 -0800:

> Retrieving http://www.mailscanner.tv/2009-506.1

Ah, that's reason number one for the problem: mine wants to retrieve from
http://www.mailscanner.tv/.2009-510
Note the dot!

However, still with
wget http://www.mailscanner.tv/2009-510
I'm not getting the list. First attempt got me 2500 bytes of it, next one
timed out. No problem to get it from another VM that is configured exactly
the same.

Not a pressing problem. I guess I have to work this out with Jules after
the holidays.

Happy holidays!

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From ismail at ismailozatay.net Mon Dec 21 09:29:54 2009
From: ismail at ismailozatay.net (Ismail OZATAY)
Date: Mon Dec 21 09:30:11 2009
Subject: about phishing.bad.sites.conf file
Message-ID: <4B2F4012.205@ismailozatay.net>

Hi Julian,

Do you update the http://www.mailscanner.eu/phishing.bad.sites.conf.master
file regularly? I want to do a cron job to update my file.

Thanks.

ismail

From konve at logout.cz Mon Dec 21 13:35:38 2009
From: konve at logout.cz (Dalimil Gala)
Date: Mon Dec 21 13:35:58 2009
Subject: How to block addresses beginning with pipe
Message-ID: <4B2F79AA.8070600@logout.cz>

Hi,

any possibility to block messages coming from addresses beginning with
the pipe character?

I'm getting a lot of messages with spoofed addresses beginning with the
pipe character like:

Dec 21 14:23:41 smtp2 sendmail[4296]: nBLDNdn0004296: from=<|sheldonconciliate@royalcity.com>, size=1615, class=0, nrcpts=0, proto=ESMTP, daemon=MTA-v4, relay=[92.84.51.24]

I was trying simple rules and also regexps in my spam.blacklist.rules
like the one below but it filtered out either all addresses or nothing.

MailScanner.conf:
Is Definitely Spam = %rules-dir%/spam.blacklist.rules

spam.blacklist.rules:
From: /^\|.*@.*/ yes

My version of MailScanner is 4.63.1-2

Thank you

Dalimil Gala

From maillists at conactive.com Mon Dec 21 15:31:17 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Mon Dec 21 15:31:31 2009
Subject: How to block addresses beginning with pipe
In-Reply-To: <4B2F79AA.8070600@logout.cz>
References: <4B2F79AA.8070600@logout.cz>
Message-ID:

Dalimil Gala wrote on Mon, 21 Dec 2009 14:35:38 +0100:

> I'm getting a lot of messages with spoofed addresses beginning with the
> pipe character like:

If you are using postfix I would kill these with a header-check.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From logs at comp-wiz.com Tue Dec 22 01:24:52 2009
From: logs at comp-wiz.com (Vernon Webb)
Date: Tue Dec 22 01:25:52 2009
Subject: (no subject)
Message-ID: <000001ca82a5$902d40e0$b087c2a0$@com>

Lately I have been getting these messages from MailScanner. Can anyone tell
me what this means and how to stop it. I suppose I should mention that I
know these emails are legit.

MailScanner was attacked by a Denial Of Service attack, and has therefore
deleted this part of the message. Please contact your e-mail providers for
more information if you need it, giving them the whole of this report.
Attack in:
/var/spool/MailScanner/incoming/30160/nBM1BPFZ031124/nmsg-30160-10.html

Thanks

--
This message has been scanned for viruses and
dangerous content by comp-wiz.com, and is
believed to be clean.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091221/9f9e9793/attachment.html

From ilikeuce at bornefeld-ettmann.de Tue Dec 22 08:03:23 2009
From: ilikeuce at bornefeld-ettmann.de (Ralph Bornefeld-Ettmann)
Date: Tue Dec 22 08:03:58 2009
Subject: How to block addresses beginning with pipe
In-Reply-To:
References: <4B2F79AA.8070600@logout.cz>
Message-ID:

On 21.12.2009 16:31, Kai Schaetzl wrote:
> Dalimil Gala wrote on Mon, 21 Dec 2009 14:35:38 +0100:
>
>> I'm getting a lot of messages with spoofed addresses beginning with the
>> pipe character like:
>
> If you are using postfix I would kill these with a header-check.
>
> Kai
>

in case of postfix insert in /etc/postfix/header_checks :

/^To:.*\|/ REJECT

works as desired here.

Ralph

From ilikeuce at bornefeld-ettmann.de Tue Dec 22 08:10:08 2009
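Before choosing where to block, it helps to see which relays are sending the pipe-prefixed envelope senders that appear in the sendmail log line quoted in this thread. The following is an added example, not from the thread; the function names are hypothetical and the sample log lines are constructed, using documentation addresses.

```shell
#!/bin/sh
# Added example: tally relays that submit mail with an envelope sender
# starting with '|', from sendmail "from=" log lines.

# pipe_sender_relays: read sendmail log lines on stdin and print
# "<count> <relay>" for each relay, busiest first.
pipe_sender_relays() {
    awk '
        / from=<[|]/ {
            relay = "unknown"
            # In sendmail from= lines the relay field is the last one.
            if (match($0, /relay=[^,]*$/)) {
                relay = substr($0, RSTART + 6, RLENGTH - 6)
            }
            count[relay]++
        }
        END { for (r in count) print count[r], r }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample input in the format of the log line in the thread.
sample_log() {
    cat <<'EOF'
Dec 21 14:23:41 smtp2 sendmail[4296]: nBLDNdn0004296: from=<|a@example.com>, size=1615, class=0, nrcpts=0, proto=ESMTP, daemon=MTA-v4, relay=[192.0.2.24]
Dec 21 14:23:50 smtp2 sendmail[4297]: nBLDNdn0004297: from=<|b@example.com>, size=900, class=0, nrcpts=0, proto=ESMTP, daemon=MTA-v4, relay=[192.0.2.24]
Dec 21 14:24:02 smtp2 sendmail[4298]: nBLDNdn0004298: from=<user@example.org>, size=2000, class=0, nrcpts=1, msgid=<x@example.org>, proto=ESMTP, daemon=MTA-v4, relay=mail.example.org [198.51.100.7]
Dec 21 14:24:10 smtp2 sendmail[4299]: nBLDNdn0004299: from=<|c@example.net>, size=700, class=0, nrcpts=0, proto=ESMTP, daemon=MTA-v4, relay=[203.0.113.9]
EOF
}

sample_log | pipe_sender_relays
```

On a live system the function would read the mail log instead of the sample, for example `pipe_sender_relays < /var/log/maillog` (the log path is an assumption and varies by system).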
From: ilikeuce at bornefeld-ettmann.de (Ralph Bornefeld-Ettmann)
Date: Tue Dec 22 08:10:42 2009
Subject: (no subject)
In-Reply-To: <000001ca82a5$902d40e0$b087c2a0$@com>
References: <000001ca82a5$902d40e0$b087c2a0$@com>
Message-ID:

On 22.12.2009 02:24, Vernon Webb wrote:
> Lately I have been getting these messages from MailScanner. Can anyone tell
> me what this means and how to stop it. I suppose I should mention that I
> know these emails are legit.
>
>
>
> MailScanner was attacked by a Denial Of Service attack, and has therefore
> deleted this part of the message. Please contact your e-mail providers for
> more information if you need it, giving them the whole of this report.
> Attack in:
> /var/spool/MailScanner/incoming/30160/nBM1BPFZ031124/nmsg-30160-10.html
>
>
>
> Thanks
>
>
>

http://www.mailscanner.info/faq.html

22. Why doesn't MailScanner support virus scanning daemons?

4. What happens to these daemons when they are attacked with a Denial Of
Service attack such as the now notorious "Zip Of Death"? If you haven't
come across it, it is a 42kbytes zip file which expands to 1 million
files with a total of 49,000 Tbytes. Throw any normal virus scanner at
this and it will either crash or (more likely) just never return, as it
desperately tries to unpack the zip file. If the virus scanner is a
daemon over which MailScanner has no control, then all your incoming
mail will be blocked. This is what happens with virtually all email
virus scanners and daemonized file scanners. However, MailScanner
recognises denial of service attacks like this, handles them tidily and
quickly and disinfects the email message successfully. It can only do
this as it has complete control over the virus scanner process.

but can also be a resource issue :

http://lists.mailscanner.info/pipermail/mailscanner/2007-March/071518.html

A mail log snippet could be helpful.

Cheers

Ralph

From jeff.mills at sydneytech.com.au Tue Dec 22 10:13:23 2009
From: jeff.mills at sydneytech.com.au (Jeff Mills) Date: Tue Dec 22 10:13:36 2009 Subject: OT: extraordinary amount of spam to one domain Message-ID: <556B68BE19272143ADE2500D9CC858BD3F6D55@stssvr01.Sts.local> I have one domain that is consuming over 90% of the traffic to our servers. Yesterday we blocked 650,000 emails at the MTA and 600,000 of them were for a single domain (we host around 50). The ones that are getting through the MTA seem to be picked up by MailScanner - the vast majority with a subject such as "User <username> special 80% OFF" My mail logs are just a blur. If we had just one other domain doing the same thing, I'm sure we wouldn't handle the load. How can a single domain be such a target? Mind you, this is a domain with less than 10 users. Is it just unlucky? Is anyone else experiencing this? From steve.freegard at fsl.com Tue Dec 22 10:36:05 2009
From: steve.freegard at fsl.com (Steve Freegard) Date: Tue Dec 22 10:36:16 2009 Subject: OT: extraordinary amount of spam to one domain In-Reply-To: <556B68BE19272143ADE2500D9CC858BD3F6D55@stssvr01.Sts.local> References: <556B68BE19272143ADE2500D9CC858BD3F6D55@stssvr01.Sts.local> Message-ID: <4B30A115.2070908@fsl.com> On 22/12/09 10:13, Jeff Mills wrote: > I have one domain that is consuming over 90% of the traffic to our servers. > Yesterday we blocked 650,000 emails at the MTA and 600,000 of them were > for a single domain (we host around 50). This is pretty much the norm with most sites I look after. The number of messages rejected at the MTA usually far exceeds the number of messages accepted. > The ones that are getting through the MTA seem to be picked up by > MailScanner - the vast majority with a subject such as "User <username> > special 80% OFF" That's all botnet generated junk. > My mail logs are just a blur. If we had just one other domain doing the > same thing, I'm sure we wouldn't handle the load. > How can a single domain be such a target? Mind you, this is a domain > with less than 10 users. The number of users at the domain doesn't usually have any relevance to the amount of spam it receives. It's usually the domain age and how it has been used in the past. > Is it just unlucky? Is anyone else experiencing this? > Just unlucky I guess - but I'd say you're lucky that you don't see this on the other domains. As long as you're blocking it at the MTA; it really doesn't matter as MTA level stuff is cheap. Regards, Steve. From jeff.mills at sydneytech.com.au Tue Dec 22 11:02:36 2009
From: jeff.mills at sydneytech.com.au (Jeff Mills) Date: Tue Dec 22 11:02:49 2009 Subject: OT: extraordinary amount of spam to one domain In-Reply-To: <4B30A115.2070908@fsl.com> References: <556B68BE19272143ADE2500D9CC858BD3F6D55@stssvr01.Sts.local> <4B30A115.2070908@fsl.com> Message-ID: <556B68BE19272143ADE2500D9CC858BD3F6D57@stssvr01.Sts.local> >Just unlucky I guess - but I'd say you're lucky that you don't see this on the other domains. > >As long as you're blocking it at the MTA; it really doesn't matter as MTA level stuff is cheap. > >Regards, >Steve. Thanks Steve. See attached image... Quite easy to tell when we signed up this domain. That count is obviously only one server too. One of the employees may have loved the plethora of questionable material on the interweb at some stage. -------------- next part -------------- A non-text attachment was scrubbed... Name: spam-year.png Type: image/png Size: 2834 bytes Desc: spam-year.png Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091222/143801a7/spam-year.png From steve.freegard at fsl.com Tue Dec 22 11:26:28 2009
From: steve.freegard at fsl.com (Steve Freegard) Date: Tue Dec 22 11:26:37 2009 Subject: OT: extraordinary amount of spam to one domain In-Reply-To: <556B68BE19272143ADE2500D9CC858BD3F6D57@stssvr01.Sts.local> References: <556B68BE19272143ADE2500D9CC858BD3F6D55@stssvr01.Sts.local> <4B30A115.2070908@fsl.com> <556B68BE19272143ADE2500D9CC858BD3F6D57@stssvr01.Sts.local> Message-ID: <4B30ACE4.4080700@fsl.com> On 22/12/09 11:02, Jeff Mills wrote: > Thanks Steve. > See attached image... Quite easy to tell when we signed up this domain. > That count is obviously only one server too. > One of the employees may have loved the plethora of questionable > material on the interweb at some stage. > As you've found - it's difficult/impossible to predict traffic levels for a domain before the MX record is pointed at you. You could always use the high amount of junk directed at this domain to your advantage.... For some time now - I've put rules in place in my SMTP proxy to 'trap' messages meeting certain criteria (e.g. specific HELOs or rDNS patterns) by writing rfc822 message files into a directory prior to rejecting them at dot and ignoring any pre-DATA rejection conditions e.g. RBLs etc. Then - once every 5 minutes; I train bayes on all of these messages provided bayes has seen spam < ham (otherwise the messages are simply just deleted and not trained). I found that it's kept bayes far more accurate, better at handling new spam as it mutates and anything that might not be rejected at the MTA level due to RBL lag time and slip through etc. Regards, Steve. From maillists at conactive.com Tue Dec 22 11:31:19 2009 
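The training rule in the message above (train on trapped messages only while Bayes has seen fewer spam than ham, otherwise just delete them) can be sketched as a cron job. This is an added example, not Steve's script: `TRAP_DIR`, `SA_LEARN`, the default path and the function names are assumptions, and the sample counters are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): gate Bayes training of trapped spam on
# the balance of the Bayes database.
# Assumptions: TRAP_DIR, SA_LEARN, the default path and all function names
# are hypothetical.

# Constructed sample of `sa-learn --dump magic` output (counts are made up).
SAMPLE_MAGIC='0.000          0          3          0  non-token data: bayes db version
0.000          0      41873          0  non-token data: nspam
0.000          0      52210          0  non-token data: nham
0.000          0     163542          0  non-token data: ntokens'

# Print one counter (nspam or nham) from dump-magic text read on stdin.
# Exits non-zero when the counter is missing, so a broken dump never trains.
bayes_count() {
    awk -v key="$1" '
        $NF == key && $3 ~ /^[0-9]+$/ { print $3; found = 1; exit }
        END { if (!found) exit 1 }'
}

# Print "train" when the database has seen fewer spam than ham messages,
# otherwise "discard". $1 is the dump-magic text.
trap_decision() {
    td_spam=$(printf '%s\n' "$1" | bayes_count nspam) || return 2
    td_ham=$(printf '%s\n' "$1" | bayes_count nham) || return 2
    if [ "$td_spam" -lt "$td_ham" ]; then
        echo train
    else
        echo discard
    fi
}

# Handle one trap directory holding one rfc822 message per file.
# Trained messages are removed afterwards (an assumption; the thread only
# says that untrained ones are deleted).
process_trap() {
    pt_dir=$1
    [ -d "$pt_dir" ] || return 0
    set -- "$pt_dir"/*
    [ -e "$1" ] || return 0              # nothing trapped since the last run
    pt_magic=$("${SA_LEARN:-sa-learn}" --dump magic) || return 1
    pt_action=$(trap_decision "$pt_magic") || return 1
    if [ "$pt_action" = train ]; then
        "${SA_LEARN:-sa-learn}" --spam "$pt_dir" >/dev/null || return 1
    fi
    rm -f -- "$pt_dir"/*
}

# Cron entry point, e.g. every 5 minutes: sh bayes-trap.sh --run
if [ "${1:-}" = "--run" ]; then
    process_trap "${TRAP_DIR:-/var/spool/spamtrap}"
fi
```

The gate keeps a flood aimed at one domain from skewing the database towards spam: once nspam reaches nham, trapped mail is discarded until more ham has been learned.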
From: maillists at conactive.com (Kai Schaetzl) Date: Tue Dec 22 11:31:33 2009 Subject: OT: extraordinary amount of spam to one domain In-Reply-To: <556B68BE19272143ADE2500D9CC858BD3F6D55@stssvr01.Sts.local> References: <556B68BE19272143ADE2500D9CC858BD3F6D55@stssvr01.Sts.local> Message-ID: and the recipient addresses all exist? Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From rcooper at dwford.com Tue Dec 22 14:56:08 2009 From: rcooper at dwford.com (Rick Cooper) Date: Tue Dec 22 14:56:25 2009 Subject: (no subject) In-Reply-To: <000001ca82a5$902d40e0$b087c2a0$@com> References: <000001ca82a5$902d40e0$b087c2a0$@com> Message-ID: I have found that anything that causes the scanner to hang for a while results in this message. It's unlikely there was an actual dos attack, rather something caused the virus scanner to run too long and mailscanner timed it out and this is the result Rick _____ 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Vernon Webb Sent: Monday, December 21, 2009 8:25 PM To: 'MailScanner discussion' Subject: (no subject) Lately I have been getting these messages from MailScanner. Can anyone tell me what this means and how to stop it. I suppose I should mention that I know these emails are legit. MailScanner was attacked by a Denial Of Service attack, and has therefore deleted this part of the message. Please contact your e-mail providers for more information if you need it, giving them the whole of this report. Attack in: /var/spool/MailScanner/incoming/30160/nBM1BPFZ031124/nmsg-30160-10.html Thanks -- This message has been scanned for viruses and dangerous content by comp-wiz.com, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ilikeuce at bornefeld-ettmann.de Tue Dec 22 16:01:01 2009
From: ilikeuce at bornefeld-ettmann.de (Ralph Bornefeld-Ettmann) Date: Tue Dec 22 16:01:46 2009 Subject: OT: extraordinary amount of spam to one domain In-Reply-To: <556B68BE19272143ADE2500D9CC858BD3F6D55@stssvr01.Sts.local> References: <556B68BE19272143ADE2500D9CC858BD3F6D55@stssvr01.Sts.local> Message-ID: On 22.12.2009 11:13, Jeff Mills wrote: > I have one domain that is consuming over 90% of the traffic to our > servers. > Yesterday we blocked 650,000 emails at the MTA and 600,000 of them were > for a single domain (we host around 50). > The ones that are getting through the MTA seem to be picked up by > MailScanner - the vast majority with a subject such as "User <username> > special 80% OFF" > My mail logs are just a blur. If we had just one other domain doing the > same thing, I'm sure we wouldn't handle the load. > > How can a single domain be such a target? Mind you, this is a domain > with less than 10 users. > Is it just unlucky? Is anyone else experiencing this? > > > > me too From danielbrunos at gmail.com Tue Dec 22 19:31:39 2009 From: danielbrunos at gmail.com (Daniel Bruno) Date: Tue Dec 22 19:31:53 2009 Subject: how to limit recipients Message-ID: Hello Folks, Is it possible to create groups with a recipient limit? Example: user1 and user2 can send to 5 recipients in the same message user3 and user4 can send to 10 recipients. Thanks -- Daniel Bruno http://danielbruno.eti.br danielbruno@projetofedora.org From raymond at prolocation.net Tue Dec 22 19:37:12 2009 From: raymond at prolocation.net (Raymond Dijkxhoorn) Date: Tue Dec 22 19:37:21 2009 Subject: how to limit recipients In-Reply-To: References: Message-ID: Hi! > Example: > > user1 and user2 can send to 5 recipients in the same message > user3 and user4 can send to 10 recipients. Isn't that a better task of your MTA? Bye, Raymond. From cfisk at qwicnet.com Tue Dec 22 19:43:57 2009
From: cfisk at qwicnet.com (Christopher Fisk) Date: Tue Dec 22 19:44:19 2009 Subject: how to limit recipients In-Reply-To: Message-ID: > Hello Folks, > Is it possible to create groups with a recipient limit? > Example: > user1 and user2 can send to 5 recipients in the same > message > user3 and user4 can send to 10 recipients. Interesting request, but seems like this would be done best in postfix. Not sure if you can do it per user there. Most likely you'll have to write a milter. I'll let others answer based on the abilities of MailScanner. Christopher Fisk -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From jeff.mills at sydneytech.com.au Tue Dec 22 20:40:36 2009 From: jeff.mills at sydneytech.com.au (Jeff Mills) Date: Tue Dec 22 20:40:51 2009 Subject: OT: extraordinary amount of spam to one domain In-Reply-To: References: <556B68BE19272143ADE2500D9CC858BD3F6D55@stssvr01.Sts.local> Message-ID: <556B68BE19272143ADE2500D9CC858BD3F6D5D@stssvr01.Sts.local> -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Kai Schaetzl Sent: Tuesday, 22 December 2009 10:31 PM To: mailscanner@lists.mailscanner.info Subject: Re: OT: extraordinary amount of spam to one domain and the recipient addresses all exist? Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com No they don't exist, but I'm not doing recipient checking because the server is not on the same site as exchange and don't want to increase traffic by recipient checking 50 odd domains. At my old job, I used to pull the addresses from active directory into a recipient file for postfix. That worked very well, but that was on the same site. From steve.freegard at fsl.com Wed Dec 23 00:40:11 2009
From: steve.freegard at fsl.com (Steve Freegard) Date: Wed Dec 23 00:40:22 2009 Subject: OT: extraordinary amount of spam to one domain In-Reply-To: <556B68BE19272143ADE2500D9CC858BD3F6D5D@stssvr01.Sts.local> References: <556B68BE19272143ADE2500D9CC858BD3F6D55@stssvr01.Sts.local> <556B68BE19272143ADE2500D9CC858BD3F6D5D@stssvr01.Sts.local> Message-ID: <4B3166EB.8050908@fsl.com> On 22/12/09 20:40, Jeff Mills wrote: > No they don't exist, but I'm not doing recipient checking because the server is not on the same site as exchange and don't want to increase traffic by recipient checking 50 odd domains. > At my old job, I used to pull the addresses from active directory into a recipient file for postfix. That worked very well, but that was on the same site. Everyone should do recipient checking if they are running a gateway (e.g. the mail is being relayed to a mailbox server) otherwise you can easily become source of backscatter. To prove a point - I just telnetted to one of your MXes and sent a MAIL FROM: a domain that I own (but I could have picked any domain) with a RCPT TO: a random string @ your domain. Attached is what I got back. Imagine if instead I deliberately used MAIL FROM:'s that I knew were valid addresses with a spam payload in the body.... Now imagine what your server is doing with that new domain you are telling us about that is really hammering your server. As you're not doing recipient verification - it's sending thousands of DSNs to innocent users for any stuff that slips through where the MAIL FROM: is forged and the recipient does not exist at the destination... This is why recipient verification isn't optional. It's required if you want to be a good SMTP netizen and avoid getting listed on certain blacklists (e.g. backscatterer.org) because you've been used to send spam. Not having the gateway on the same site as the mailbox server isn't a problem - Postfix can store verification results in a cache file to prevent lookups to the same address. 
I've frequently set-up hosts that do verification to domains all over the planet - it's not a problem. See http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:how_to:reject_non_existent_users#using_smtp_recipient_verification for the simple instructions on how to set it up. Kind regards, Steve. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091223/78d5531d/AttachedMessagePart.html From J.Ede at birchenallhowden.co.uk Wed Dec 23 07:08:01 2009 From: J.Ede at birchenallhowden.co.uk (Jason Ede) Date: Wed Dec 23 07:08:26 2009 Subject: OT: extraordinary amount of spam to one domain In-Reply-To: <4B3166EB.8050908@fsl.com> References: <556B68BE19272143ADE2500D9CC858BD3F6D55@stssvr01.Sts.local> <556B68BE19272143ADE2500D9CC858BD3F6D5D@stssvr01.Sts.local> <4B3166EB.8050908@fsl.com> Message-ID: <1213490F1F316842A544A850422BFA96128C18B882@BHLSBS.bhl.local> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Steve Freegard > Sent: 23 December 2009 00:40 > To: MailScanner discussion > Subject: Re: OT: extraordinary amount of spam to one domain > > On 22/12/09 20:40, Jeff Mills wrote: > > No they don't exist, but I'm not doing recipient checking because the > server is not on the same site as exchange and don't want to increase > traffic by recipient checking 50 odd domains. > > At my old job, I used to pull the addresses from active directory > into a recipient file for postfix. That worked very well, but that was > on the same site. > > Everyone should do recipient checking if they are running a gateway > (e.g. the mail is being relayed to a mailbox server) otherwise you can > easily become source of backscatter. > > To prove a point - I just telnetted to one of your MXes and sent a MAIL > FROM: a domain that I own (but I could have picked any domain) with a > RCPT TO: a random string @ your domain. > > Attached is what I got back. > > Imagine if instead I deliberately used MAIL FROM:'s that I knew were > valid addresses with a spam payload in the body.... > > Now imagine what your server is doing with that new domain you are > telling us about that is really hammering your server. As you're not > doing recipient verification - it's sending thousands of DSNs to > innocent users for any stuff that slips through where the MAIL FROM: is > forged and the recipient does not exist at the destination... > > This is why recipient verification isn't optional. It's required if > you want to be a good SMTP netizen and avoid getting listed on certain > blacklists (e.g. backscatterer.org) because you've been used to send > spam. > > Not having the gateway on the same site as the mailbox server isn't a > problem - Postfix can store verification results in a cache file to > prevent lookups to the same address. 
I've frequently set-up hosts that > do verification to domains all over the planet - it's not a problem. > See > http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mt > a:postfix:how_to:reject_non_existent_users#using_smtp_recipient_verific > ation > for the simple instructions on how to set it up. > > Kind regards, > Steve. Yes, use recipient verification. It makes a massive difference to the load levels on your MS box. We set it up and it saves so much hassle. Why accept mail that you can't deliver or that will just be bounced with a NDR creating more spam in the system? Postfix uses the addresses in your transports file to check servers for addresses and you can configure how often it checks or keeps valid/non-valid addresses in its cache. Currently use a btree file for verifications. After looking at the link Steve posted then for configuring it further look at... http://www.postfix.org/verify.8.html Jason From jeff.mills at sydneytech.com.au Wed Dec 23 07:54:52 2009 
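To see whether a gateway is producing the backscatter discussed in the messages above, its own Postfix log can be checked for DSNs it generated and then delivered elsewhere. This is an added example, not code from the thread; it assumes the default Postfix syslog line format, the log excerpt is constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): count the bounce messages (DSNs) that a
# Postfix gateway generated itself and then delivered to other hosts.
# Assumptions: default Postfix syslog format; function names are hypothetical.

# Constructed log excerpt. A1F0C1C0B3 is relayed mail that the mailbox server
# refuses at RCPT TO, so the gateway creates DSN B17D21C0B9 for the (forged)
# sender. C5AA01C0C4 is an ordinary relayed message and must not be counted.
SAMPLE_LOG='Dec 23 00:41:01 mx1 postfix/smtp[2301]: A1F0C1C0B3: to=<qzxv@customer.example>, relay=mbox.customer.example[192.0.2.20]:25, delay=1.2, dsn=5.1.1, status=bounced (host mbox.customer.example[192.0.2.20] said: 550 5.1.1 User unknown (in reply to RCPT TO command))
Dec 23 00:41:01 mx1 postfix/bounce[2345]: A1F0C1C0B3: sender non-delivery notification: B17D21C0B9
Dec 23 00:41:02 mx1 postfix/smtp[2350]: B17D21C0B9: to=<alice@bystander.example>, relay=mx.bystander.example[198.51.100.7]:25, delay=0.9, dsn=2.0.0, status=sent (250 OK)
Dec 23 00:41:05 mx1 postfix/bounce[2345]: A2F0C1C0B4: sender non-delivery notification: B27D21C0BA
Dec 23 00:41:06 mx1 postfix/smtp[2351]: B27D21C0BA: to=<bob@Bystander.Example>, relay=mx.bystander.example[198.51.100.7]:25, delay=0.8, dsn=2.0.0, status=sent (250 OK)
Dec 23 00:41:09 mx1 postfix/bounce[2345]: A3F0C1C0B5: sender non-delivery notification: B37D21C0BB
Dec 23 00:41:10 mx1 postfix/smtp[2352]: B37D21C0BB: to=<carol@other.example>, relay=mx.other.example[203.0.113.9]:25, delay=1.1, dsn=2.0.0, status=sent (250 OK)
Dec 23 00:41:12 mx1 postfix/bounce[2345]: A4F0C1C0B6: sender non-delivery notification: B47D21C0BC
Dec 23 00:41:42 mx1 postfix/smtp[2353]: B47D21C0BC: to=<dave@slow.example>, relay=none, delay=30, dsn=4.4.1, status=deferred (connect to mx.slow.example[203.0.113.77]:25: Connection timed out)
Dec 23 00:42:00 mx1 postfix/smtp[2354]: C5AA01C0C4: to=<jeff@customer.example>, relay=mbox.customer.example[192.0.2.20]:25, delay=0.7, dsn=2.0.0, status=sent (250 OK)'

# Read a Postfix log on stdin; print "<count> <domain>" for every recipient
# domain that received a locally generated DSN, busiest first.
backscatter_by_domain() {
    awk '
        # bounce(8) logs the queue ID of each DSN it creates as the last field.
        $5 ~ /^postfix\/bounce\[/ && /sender non-delivery notification:/ {
            dsn[$NF] = 1
            next
        }
        # smtp(8) delivery lines: count only completed deliveries of those DSNs.
        $5 ~ /^postfix\/smtp\[/ && $7 ~ /^to=</ && /status=sent/ {
            qid = $6; sub(/:$/, "", qid)
            if (!(qid in dsn)) next
            dom = $7
            sub(/^to=<.*@/, "", dom); sub(/>,?$/, "", dom)
            count[tolower(dom)]++
        }
        END { for (d in count) print count[d], d }
    ' | sort -k1,1nr -k2,2
}

# Total DSNs delivered. The figure should stay low once unknown recipients
# are rejected during the SMTP session instead of being accepted and bounced.
backscatter_total() {
    backscatter_by_domain | awk '{ n += $1 } END { print n + 0 }'
}
```

Running `backscatter_total` over the same log before and after enabling recipient verification shows whether the change stopped the gateway from answering forged senders.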
From: jeff.mills at sydneytech.com.au (Jeff Mills) Date: Wed Dec 23 07:55:05 2009 Subject: OT: extraordinary amount of spam to one domain In-Reply-To: <1213490F1F316842A544A850422BFA96128C18B882@BHLSBS.bhl.local> References: <556B68BE19272143ADE2500D9CC858BD3F6D55@stssvr01.Sts.local><556B68BE19272143ADE2500D9CC858BD3F6D5D@stssvr01.Sts.local><4B3166EB.8050908@fsl.com> <1213490F1F316842A544A850422BFA96128C18B882@BHLSBS.bhl.local> Message-ID: <556B68BE19272143ADE2500D9CC858BD3F6D60@stssvr01.Sts.local> > > Yes, use recipient verification. It makes a massive > difference to the load levels on your MS box. We set it up > and it saves so much hassle. Why accept mail that you can't > deliver or that will just be bounced with a NDR creating more > spam in the system? > > Postfix uses the addresses in your transports file to check > servers for addresses and you can configure how often it > checks or keeps valid/non-valid addresses in its cache. > Currently use a btree file for verifications. > After looking at the link Steve posted then for configuring > it further look at... http://www.postfix.org/verify.8.html > > Jason Excellent! Did not realise that we could cache the recipient verification. Have enabled it now and will keep an eye on it for a while, but looks to be doing the goods at the moment. Thanks fellas. From lists at buschor.ch Wed Dec 23 08:48:12 2009
From: lists at buschor.ch (ThB) Date: Wed Dec 23 08:48:28 2009 Subject: Sophos & ClamAV + Sanesecurity Message-ID: <20091223094812.f74e1c30.lists@buschor.ch> I'm running MailScanner and SA, ClamAV + sanesecurity signatures but also Sophos SAVI as a commercial virus scanner. Lately I reconfigured MS to recognize sanesecurity hits as spam. In my configuration viruses should be replaced by a warning message but still be delivered, so the users know they got a message. From time to time there are messages which seem to be detected by Sophos as virus and by ClamAV as spam because of sanesecurity signatures. Such messages have the SpamVirus header but an empty SpamCheck header and no SpamScore. Such messages also are tagged as "Found to be infected" but the body part is not replaced. X-MailScanner: Found to be infected X-MailScanner-SpamVirus-Report: Sanesecurity.Junk.19516.UNOFFICIAL X-MailScanner-SpamCheck: This now is neither the correct "virus" nor "spam" behaviour as configured. My request: do either the correct virus processing or the correct spam processing. MailScanner 4.79.4 SpamAssassin 3.2.5 ClamAV 0.95.3 Sophos 4.48.0 thanks and merry xmas Thomas From jethro.binks at strath.ac.uk Wed Dec 23 09:04:34 2009
From: jethro.binks at strath.ac.uk (Jethro R Binks) Date: Wed Dec 23 09:04:43 2009 Subject: OT: extraordinary amount of spam to one domain In-Reply-To: <4B3166EB.8050908@fsl.com> References: <556B68BE19272143ADE2500D9CC858BD3F6D55@stssvr01.Sts.local> <556B68BE19272143ADE2500D9CC858BD3F6D5D@stssvr01.Sts.local> <4B3166EB.8050908@fsl.com> Message-ID: On Wed, 23 Dec 2009, Steve Freegard wrote: > Everyone should do recipient checking if they are running a gateway > (e.g. the mail is being relayed to a mailbox server) otherwise you can > easily become source of backscatter. Yes, they *should*. > This is why recipient verification isn't optional. It's required if you > want to be a good SMTP netizen and avoid getting listed on certain > blacklists (e.g. backscatterer.org) because you've been used to send > spam. But, some people cannot do it, in various circumstances. For example, in my case, I have several independently-operated departmental servers, for which my servers act as the MX. I do not have their recipient lists, but I can do call-outs to those servers at the time I am being offered the message to see if they would accept it ("callforward verification" as some might call it). Mostly that's OK, but unfortunately, I know at least one of those is an ancient qmail instance which will happily accept anything offered to it and later bounce, and at least several others are (or maybe were) older Exchange instances which couldn't or wouldn't reject at SMTP time. So, for those, I don't have much choice but to accept the message, then let the internal server accept-then-bounce. I do what I can to mitigate the effects of this, but it will always be far from perfect, and I do not have the power to do very much about it, much as I would like to. Other solutions may involve the gateway holding a copy of the recipient list for a remote server, or the gateway performing database or LDAP lookups at SMTP-time to determine if an address is likely deliverable. 
However, there are probably several reasons why some gateways cannot do any of those things. Sad, but true. Jethro. . . . . . . . . . . . . . . . . . . . . . . . . . Jethro R Binks Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK From steve.freegard at fsl.com Wed Dec 23 10:05:35 2009 
From: steve.freegard at fsl.com (Steve Freegard) Date: Wed Dec 23 10:05:45 2009 Subject: OT: extraordinary amount of spam to one domain In-Reply-To: References: <556B68BE19272143ADE2500D9CC858BD3F6D55@stssvr01.Sts.local> <556B68BE19272143ADE2500D9CC858BD3F6D5D@stssvr01.Sts.local> <4B3166EB.8050908@fsl.com> Message-ID: <4B31EB6F.70003@fsl.com> On 23/12/09 09:04, Jethro R Binks wrote: > I know at least one > of those is a ancient qmail insatnce which will happily accept anything > offered to it and later bounce, and at least several others are (or maybe > were) older Exchange instances which couldn't or wouldn't reject at SMTP > time. Patches and plug-ins have been available for Qmail for ages to deal with this (I know this because I fixed this for a customer a while back - it's relatively straightforward). Exchange 5.5 and Exchange 2000 are the worst culprits; you have to do an export and use manual maps for these or do online LDAP queries to them. > So, for those, I don't have much choice but to accept the message, then > let the internal server accept-then-bounce. I do what I can to mitigate > the effects of this, but it will always be far from perfect, and I do not > have the power to do very much about it, much as I would like too. Accept-the-bounce is a slightly different problem to what I showed originally; in my original mail - the remote server *was* rejecting invalid recipients at RCPT TO: time and therefore causing the gateway to generate the DSN. Accept-the-bounce means the mailbox server generates the DSN and not the gateway. The choice here for a gateway operator is not to allow hosts such as these to relay their outbound mail (and thus the DSNs) via the gateway and choose to deliver them directly to the internet. This prevents the gateway from being listed as a backscatter or spam source and affecting all the other domains handled by that gateway (e.g. one domain 'peeing-in-the-pool' so to speak..) 
as the mailbox server IP will be the one that will get blacklisted if attacked. It's also another good reason to have separate machines handling inbound and outbound mail. > However, there are probably several reasons why some gateways cannot do > any of those things. Sad, but true. Sure - but I usually find that once the gateway has been used as a spam reflector these reasons magically disappear. That's both sad and true. For those that charge for providing e-mail services; I recommend that a premium is charged for handling domains that do not reject invalid recipients or that use 'catch-all' accounts as they cause considerable overheads when compared to other domains. That's usually another good incentive to either get this fixed or a workaround put in place. Cheers, Steve. From J.Ede at birchenallhowden.co.uk Wed Dec 23 11:14:57 2009 From: J.Ede at birchenallhowden.co.uk (Jason Ede) Date: Wed Dec 23 11:15:22 2009 Subject: OT: extraordinary amount of spam to one domain In-Reply-To: <4B31EB6F.70003@fsl.com> References: <556B68BE19272143ADE2500D9CC858BD3F6D55@stssvr01.Sts.local> <556B68BE19272143ADE2500D9CC858BD3F6D5D@stssvr01.Sts.local> <4B3166EB.8050908@fsl.com> <4B31EB6F.70003@fsl.com> Message-ID: <1213490F1F316842A544A850422BFA96128C18B8A2@BHLSBS.bhl.local> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Steve Freegard > Sent: 23 December 2009 10:06 > To: MailScanner discussion > Subject: Re: OT: extraordinary amount of spam to one domain > > On 23/12/09 09:04, Jethro R Binks wrote: > > I know at least one > > of those is a ancient qmail insatnce which will happily accept > anything > > offered to it and later bounce, and at least several others are (or > maybe > > were) older Exchange instances which couldn't or wouldn't reject at > SMTP > > time. > > Patches and plug-ins have been available for Qmail for ages to deal > with > this (I know this because I fixed this for a customer a while back - > it's relatively straightforward). > > Exchange 5.5 and Exchange 2000 are the worst culprits; you have to do > an > export and use manual maps for these or do online LDAP queries to them. > I seem to remember that there is a script either on the wiki or in the list archive to do exactly that. Well worth investing in the time taken to get that working! For Exchange 2003 and above you just need to tick a box to reject recipients not in the active directory although need to remember to turn recipient checks on on the virtual smtp server (look in IP address and advanced IIRC) for it to work! Took me a while to work out why it wasn't working on the first one I enabled... > > So, for those, I don't have much choice but to accept the message, > then > > let the internal server accept-then-bounce. I do what I can to > mitigate > > the effects of this, but it will always be far from perfect, and I do > not > > have the power to do very much about it, much as I would like too. > > Accept-the-bounce is a slightly different problem to what I showed > originally; in my original mail - the remote server *was* rejecting > invalid recipients at RCPT TO: time and therefore causing the gateway > to > generate the DSN. 
> > Accept-the-bounce means the mailbox server generates the DSN and not > the > gateway. The choice here for a gateway operator is not to allow hosts > such as these to relay their outbound mail (and thus the DSNs) via the > gateway and choose to deliver them directly to the internet. > > This prevents the gateway from being listed as a backscatter or spam > source and affecting all the other domains handled by that gateway > (e.g. > one domain 'peeing-in-the-pool' so to speak..) as the mailbox server IP > will be the one that will get blacklisted if attacked. It's also > another > good reason to have separate machines handling inbound and outbound > mail. > > > However, there are probably several reasons why some gateways cannot > do > > any of those things. Sad, but true. > > Sure - but I usually find that once the gateway has been used as a spam > reflector these reasons magically disappear. That's both sad and true. > > For those that charge for providing e-mail services; I recommend that a > premium is charged for handling domains that do not reject invalid > recipients or that use 'catch-all' accounts as they cause considerable > overheads when compared to other domains. That's usually another good > incentive to either get this fixed or a workaround put in place. I'd love that we could charge extra for domains that had catch-alls, but all we can do is to educate users into getting rid of their catch-alls... Generally it happens after someone tries a joe-job on them, and they wonder why their spam filtering isn't as good as it could be. We've one person so far that insists on using a catch-all and its nothing but trouble as keep getting NDR's and bouncebacks that they're trying to send back out through our MX... As this is inbound only mailserver debating blocking receiving from them to alleviate. From mike at mlrw.com Wed Dec 23 16:16:09 2009 
From: mike at mlrw.com (Mike Wallace) Date: Wed Dec 23 16:16:23 2009 Subject: Sophos & ClamAV + Sanesecurity In-Reply-To: <20091223094812.f74e1c30.lists@buschor.ch> References: <20091223094812.f74e1c30.lists@buschor.ch> Message-ID: I am seeing a similar problem except I don't run Sophos or sanesecurity signatures. I don't know when this started as in a previous version of MailScanner and ClamAv (don't know which ones) this didn't happen. What I occasionally see is that clamav 0.95.3 finds an infection but the message never gets spam checked. Logs shows that once the infection is found, the message gets re-queued and delivered. It looks like it never gets spam checked. In my configuration I need to strip all viruses and "Mark Infected Messages". Anyone have any ideas? Mike Wallace mike@mlrw.com On Dec 23, 2009, at 3:48 AM, ThB wrote: > > I'm running MailScanner and SA, ClamAV + sanesecurity signatures but also Sophos SAVI as a commercial virus scanner. Lately I reconfigured MS to recognize sanesecurity hits as spam. In my configuration viruses should be replaced by a warning message but still be delivered, so the users know they got a message. > > From time to time there are messages which seem to be detected by Sophos as virus and by ClamAV as spam because of sanesecurity signatures. Such messages have the SpamVirus header but an empty SpamCheck header and no SpamScore. Such messages also are tagged as "Found to be infected" but the body part is not replaced. > > X-MailScanner: Found to be infected > X-MailScanner-SpamVirus-Report: Sanesecurity.Junk.19516.UNOFFICIAL > X-MailScanner-SpamCheck: > > This now is neither the correct "virus" nor "spam" behaviour as configured. > My request: do either the correct virus processing or the correct spam processing. 
>
> MailScanner 4.79.4
> SpamAssassin 3.2.5
> ClamAV 0.95.3
> Sophos 4.48.0
>
> thanks and merry xmas
> Thomas
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From richard at fastnet.co.uk Wed Dec 23 16:37:27 2009
From: richard at fastnet.co.uk (Richard Mealing)
Date: Wed Dec 23 16:36:38 2009
Subject: Sophos & ClamAV + Sanesecurity
In-Reply-To:
References: <20091223094812.f74e1c30.lists@buschor.ch>
Message-ID:

Have you put the scores in your spam.assassin.prefs.conf file?

Such as this for example -

header SPAMVIRUSJurlblAuto X-WHATEVERYOURORGNAMEIS-MailScanner-SpamVirus-Report =~ /Sanesecurity.Jurlbl.Auto/i
score SPAMVIRUSJurlblAuto 3.0

It should then score it. I did send an email around with my configuration, these are spam viruses so need to be tagged with some sort of score. I can resend it if this is what you need?

Rich
From maillists at conactive.com Wed Dec 23 18:31:21 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Wed Dec 23 18:31:33 2009
Subject: Sophos & ClamAV + Sanesecurity
In-Reply-To:
References: <20091223094812.f74e1c30.lists@buschor.ch>
Message-ID:

Mike Wallace wrote on Wed, 23 Dec 2009 11:16:09 -0500:

> What I occasionally see is that clamav 0.95.3 finds an infection but
> the message never gets spam checked.

The order of checking has been reverted lately. No need for a spamcheck if it already contains a virus.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From mike at mlrw.com Wed Dec 23 21:06:04 2009
From: mike at mlrw.com (Mike Wallace)
Date: Wed Dec 23 21:06:14 2009
Subject: Sophos & ClamAV + Sanesecurity
In-Reply-To:
References: <20091223094812.f74e1c30.lists@buschor.ch>
Message-ID: <66C91A9F-C323-44DF-804E-22B3BFEBBB82@mlrw.com>

The order checking change is only good if you use Sanesecurity. If you don't, it can create major problems such as mine where infected messages are being delivered.

My environment requires that all infected attachments be removed from messages before delivery and all messages with a spam score of 5.0 or greater delivered to a special mailbox. I use the Sought, OpenProtect and a couple of custom rules and have a false positive rate of 0.16% and a false negative rate of 0.87% (if I exclude the viruses that passed), so I don't think that I need the Sanesecurity rules.

I just checked the last 12 infected messages that went through with spamassassin and it scored at an average of 23.0, the lowest was 11.5 the highest was 40.4. So if they were spam checked, then they never would have been delivered to the user.

You would think that if MailScanner flags something as being infected, it would be handled identically.

Does anyone know how to force MailScanner to spam check every non-blacklisted or non-whitelisted message like it used to?

Mike Wallace
mike@mlrw.com

On Dec 23, 2009, at 1:31 PM, Kai Schaetzl wrote:

> Mike Wallace wrote on Wed, 23 Dec 2009 11:16:09 -0500:
>
>> What I occasionally see is that clamav 0.95.3 finds an infection but
>> the message never gets spam checked.
>
> The order of checking has been reverted lately. No need for a spamcheck if
> it already contains a virus.
>
> Kai
>
> --
> Kai Schätzl, Berlin, Germany
> Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Thu Dec 24 11:31:18 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Thu Dec 24 11:31:32 2009
Subject: phishing.bad.sites.conf v ScamNailer
In-Reply-To:
References:
Message-ID:

This issue is resolved. I updated to latest stable at the same time which reenabled the cron.daily that I had removed. Though, on quick glance the update_bad_phishing_sites looks the same. So, I still think it might have been an issue on the remote side.

Happy Holidays,

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From bbecken at aafp.org Thu Dec 24 17:13:21 2009
From: bbecken at aafp.org (Brad Beckenhauer)
Date: Thu Dec 24 17:14:01 2009
Subject: SpamAssassin Content Analysis in headers
Message-ID:

I'd like to get the format of the SpamAssassin results in the message headers to look like the format used at:
http://spamassassin.apache.org/full/2.6x/dist/rules/10_misc.cf

So far I've tried including the SpamAssassin report section in my local.cf, but I've not been successful in getting the report re-formatted.
Has anyone else been successful in re-formatting the report?

Using Postfix + MS 4.78.17 + Julian's ClamAV+SpamAssassin installer.
thanks
Brad

Sample:
Content analysis details:   (15.3 points, 7.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------
-1.7 ALL_TRUSTED            Passed through trusted hosts only via SMTP
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
 0.0 MISSING_MID            Missing Message-Id: header
 1.9 FORGED_YAHOO_RCVD      'From' yahoo.com does not match 'Received' headers
 1.5 MISSING_HEADERS        Missing To: header

Instead of:
X-SpamCheck: spam, SpamAssassin (not cached, score=14.334,
        required 6, autolearn=disabled, BAYES_50 0.00,
        FORGED_MUA_OUTLOOK 3.12, FORGED_YAHOO_RCVD 2.30,
        L_SOME_STD_PROBS 0.30, RAZOR2_CF_RANGE_51_100 0.50,
        RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CHECK 0.50,
        RCVD_IN_BL_SPAMCOP_NET 1.96, SARE_CHARSET_W1251 1.66,
        SCAMNAILER 0.10, SUBJ_ALL_CAPS 2.08, TW_XQ 0.08)

From J.Ede at birchenallhowden.co.uk Thu Dec 24 21:28:13 2009
From: J.Ede at birchenallhowden.co.uk (Jason Ede)
Date: Thu Dec 24 21:29:05 2009
Subject: SpamAssassin Content Analysis in headers
In-Reply-To:
References:
Message-ID: <1213490F1F316842A544A850422BFA96128C18B8D1@BHLSBS.bhl.local>

For the spam actions for low scoring spam try selecting attachment and see what that does for you.
From mark at msapiro.net Sun Dec 27 16:47:29 2009
From: mark at msapiro.net (Mark Sapiro) Date: Sun Dec 27 16:48:00 2009 Subject: update_spamassassin does unnecessary sa_compile and doesn't remove log. Message-ID: The /usr/sbin/update_spamassassin script doesn't properly handle the exit status from sa_update. In particular, an exit status of 1 means no fresh updates were available. In this case and also probably in error cases (exit status > 1), sa-compile should not be run. Also, an exit status of 1 should not retain the log. I suggest the patch in the attached diff.txt to fix both issues. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan -------------- next part -------------- --- /usr/sbin/update_spamassassin.4.79.2 2009-11-12 01:57:57.000000000 -0800 +++ /usr/sbin/update_spamassassin 2009-12-27 08:28:42.000000000 -0800 @@ -25,6 +25,7 @@ $SAUPDATE $SAUPDATEARGS >$LOGFILE 2>&1 UPDATESUCCESS=$? +if [ $UPDATESUCCESS = 0 ] ; then # If we have sa-compile and they are using the Rule2XSBody plugin then compile if test -x $SACOMPILE && grep -q '^loadplugin.*Rule2XSBody' /etc/mail/spamassassin/*pre 2>/dev/null ; then $SACOMPILE >>$LOGFILE 2>&1 @@ -35,9 +36,10 @@ fi /etc/init.d/MailScanner reload >>$LOGFILE 2>&1 +fi # Only delete the logfile if the update succeeded -if [ $UPDATESUCCESS = 0 -a $COMPILESUCCESS = 0 ]; then +if [ $UPDATESUCCESS = 0 -a $COMPILESUCCESS = 0 -o $UPDATESUCCESS = 1 ]; then rm -f $LOGFILE fi From mark at msapiro.net Sun Dec 27 19:08:31 2009 
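Review bot: in the first hunk of the update_spamassassin patch (@@ -25,6 +25,7 @@), the new guard if [ $UPDATESUCCESS = 0 ] ; then compares an unquoted variable as a string; for an exit status, [ "$UPDATESUCCESS" -eq 0 ] is the safer form. The guard's closing fi only arrives in the next hunk, after /etc/init.d/MailScanner reload, and the guarded lines keep their old indentation, so the extent of the new block is easy to misread. Re-indent the body or add a short comment on the fi naming the condition it closes.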
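Review bot: in the second hunk of the update_spamassassin patch (@@ -35,9 +36,10 @@), the rewritten test [ $UPDATESUCCESS = 0 -a $COMPILESUCCESS = 0 -o $UPDATESUCCESS = 1 ] expands $COMPILESUCCESS unquoted. The visible context does not show where COMPILESUCCESS is assigned; if that happens only inside the block the first hunk now skips, the variable is empty when the update exits 1, the test receives a malformed expression, and the log is kept after all. Set COMPILESUCCESS=0 before the new if, quote the variables, and split the condition rather than relying on -a binding tighter than -o, for example [ "$UPDATESUCCESS" -eq 1 ] || { [ "$UPDATESUCCESS" -eq 0 ] && [ "$COMPILESUCCESS" -eq 0 ]; }. The comment "Only delete the logfile if the update succeeded" also needs updating, since the log is now removed for exit status 1 as well.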
From: mark at msapiro.net (Mark Sapiro)
Date: Sun Dec 27 19:08:48 2009
Subject: ScamNailer script unnecessarily updates the ScamNailer.cf file
Message-ID:

The ScamNailer script knows when it actually retrieved new data, but it builds a new output file and runs the mailscanner_restart command even when it hasn't got new data.

The main problem with this occurs if the site compiles its rules. If the mailscanner_restart command includes possible rule compilation, it will recompile unchanged rules, and if it doesn't recompile, the compiled rules will potentially be ignored until the next compile because the ScamNailer output file is newer than the compiled rules.

The attached diff.txt patch fixes this by returning the '$generate' flag from the GetPhishingUpdate() function, and calling GetPhishingUpdate() first and skipping the rest if its return is false.

Also note that the current script still contains

# Filename of list of extra addresses you have added, 1 per line.
# Does not matter if this file does not exist.
my $local_extras = '/etc/MailScanner/ScamNailer.local.addresses';

even though the code to process that file is gone. This is actually a good thing from the point of view of the patch because it is more complicated to know if the local_extras file has changed, although this can be done by checking if it is newer than the output file.

--
Mark Sapiro         The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

-------------- next part --------------
--- ScamNailer-2.07 2009-10-12 12:47:27.000000000 -0700 +++ ScamNailer 2009-12-27 10:01:05.000000000 -0800
@@ -59,15 +59,15 @@ local(*SACF); $output_filename = $ARGV[0] if $ARGV[0]; # Use filename if they gave one +# First do all the addresses we read from DNS and anycast and only do the +# rest if needed. +if (GetPhishingUpdate()) { open(SACF, ">$output_filename") or die "Cannot write to $output_filename $!"; print SACF "# ScamNailer rules\n"; print SACF "# Generated by $0 at " . `date` . "\n"; -# Now do all the addresses we read from DNS and anycast -GetPhishingUpdate(); - -# Now read all the addresses we generated from that process. +# Now read all the addresses we generated from GetPhishingUpdate(). open(PHISHIN, $emailscurrent . 'phishing.emails.list') or die "Cannot read " . $emailscurrent . "phishing.emails.list, $!\n"; while() { @@ -132,6 +132,7 @@ system($mailscanner_restart) if $mailscanner_restart; exit 0; +} sub GetPhishingUpdate { my $cache = $emailscurrent . 'cache/'; @@ -379,5 +380,6 @@ print "ok\n" unless $quiet; } $queuedir->close(); + $generate; } From Garrod.Alwood at lorodoes.com Mon Dec 28 15:23:56 2009 
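Review bot: in the first hunk of the ScamNailer patch (@@ -59,15 +59,15 @@), the added if (GetPhishingUpdate()) { is only closed by the } that the second hunk places after exit 0; near line 135, and everything in between keeps its old indentation. A single early exit before the output file is opened, such as exit 0 unless GetPhishingUpdate();, gives the same behaviour without a block spanning some seventy lines, and it makes the exit status of the "nothing new" path explicit instead of falling off the end of the script past the sub definitions.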
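Review bot: in the last hunk of the ScamNailer patch (@@ -379,5 +380,6 @@), the sub's result is the bare final statement $generate; which works only while it stays the last expression evaluated. Write return $generate; so the intent survives later edits, and check any earlier return path in GetPhishingUpdate() (none is visible in this hunk), because the caller now branches on the value and an early bare return would silently skip regeneration. A one-line comment on the sub stating that it returns true when new data was fetched would document the new contract.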
From: Garrod.Alwood at lorodoes.com (Garrod M. Alwood)
Date: Mon Dec 28 15:31:28 2009
Subject: Clamd issue
Message-ID:

I have everything set exactly as I do on all my other servers and on this server I get this error and I am unsure why, can anyone give me a hint to fix it? I looked at the pm file it's calling but I can't tell what it's asking for. If someone could at least point me in the right direction I would be very happy. thank you.

root@filter2# MailScanner --lint
Trying to setlogsock(unix)
Reading configuration file /etc/MailScanner/MailScanner.conf
Reading configuration file /etc/MailScanner/conf.d/README
Read 856 hostnames from the phishing whitelist
Read 9052 hostnames from the phishing blacklists
Config: calling custom init function SQLBlacklist
Starting up SQL Blacklist
Read 0 blacklist entries
Config: calling custom init function MailWatchLoggin
Config: calling custom init function SQLWhitelist
Starting up SQL Whitelist
Read 0 whitelist entries
Checking version numbers...
Version number in MailScanner.conf (4.78.17) is correct.

Your envelope_sender_header in spam.assassin.prefs.conf is correct.
MailScanner setting GID to (33)
MailScanner setting UID to (107)

Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
Connected to Processing Attempts Database
Created Processing Attempts Database successfully
There are 0 messages in the Processing Attempts Database
Using locktype = posix
MailScanner.conf says "Virus Scanners = clamd"
Found these virus scanners installed: clamd
===========================================================================
Insecure dependency in chown while running with -T switch at /usr/lib/MailScanner/MailScanner/Message.pm line 2505.

Garrod M. Alwood
Consultant
garrod.alwood@lorodoes.com
904.738.4988

From maillists at conactive.com Mon Dec 28 17:31:20 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Mon Dec 28 17:31:34 2009
Subject: Clamd issue
In-Reply-To:
References:
Message-ID:

it might be helpful to include the OS and Perl version.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From Garrod.Alwood at lorodoes.com Mon Dec 28 17:34:23 2009
From: Garrod.Alwood at lorodoes.com (Garrod M. Alwood)
Date: Mon Dec 28 17:35:05 2009
Subject: Clamd issue
In-Reply-To:
References:
Message-ID: <2ED61677-9A45-451E-843C-7E5D31656830@lorodoes.com>

Ubuntu 9.10 With everything up to date

Garrod Alwood
Open Source Consultant
9047384988
Garrod.alwood@lorodoes.com

Sent from my iPod

On Dec 28, 2009, at 12:28 PM, "Kai Schaetzl" wrote:

> it might be helpful to include the OS and Perl version.
>
> Kai
>
> --
> Kai Schätzl, Berlin, Germany
> Get your web at Conactive Internet Services: http://www.conactive.com

From malli at mcrirents.com Mon Dec 28 20:14:18 2009
From: malli at mcrirents.com (Mohammed Alli)
Date: Mon Dec 28 20:15:44 2009
Subject: Clamd issue
In-Reply-To:
References:
Message-ID: <3B1A431BDA34C54581BE43253BC1BD93DE0DB4@exchange.computerrents.com>

Sounds like the perl issue. Try adding --chuid postfix:www-data to your mailscanner startup script.

Eg.

start-stop-daemon --start --quiet --nicelevel $run_nice --chuid postfix:www-data --exec

You'll have to restart mailscanner.
From Garrod.Alwood at lorodoes.com Mon Dec 28 21:08:47 2009
From: Garrod.Alwood at lorodoes.com (Garrod M. Alwood)
Date: Mon Dec 28 21:14:04 2009
Subject: Clamd issue
In-Reply-To: <3B1A431BDA34C54581BE43253BC1BD93DE0DB4@exchange.computerrents.com>
References: , <3B1A431BDA34C54581BE43253BC1BD93DE0DB4@exchange.computerrents.com>
Message-ID: <4D8672AF-921F-43CE-AA4C-686CEFB1AF2F@mimectl>

I tried this and it didn't work. Anyone else have any ideas.

Garrod M. Alwood
Consultant
garrod.alwood@lorodoes.com
904.738.4988
From mark at msapiro.net Tue Dec 29 02:34:10 2009
From: mark at msapiro.net (Mark Sapiro)
Date: Tue Dec 29 02:34:26 2009
Subject: Clamd issue
In-Reply-To:
Message-ID:

Garrod M. Alwood wrote:

>I have everything set exactly as I do on all my other servers and on this server I get this error and I am unsure why, can anyone give me a hint to fix it? I looked at the pm file it's calling but I can't tell what it's asking for. If someone could at least point me in the right direction I would be very happy. thank you.
>
[...]
>===========================================================================
>Insecure dependency in chown while running with -T switch at /usr/lib/MailScanner/MailScanner/Message.pm line 2505.

This looks familiar. See the threads "Taint error with Perl v5.10.1" and "MailScanner 4.79.3-1 taint problem in TNEF module" starting at .

These are fixed in 4.79.4

--
Mark Sapiro         The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From Garrod.Alwood at lorodoes.com Tue Dec 29 04:44:18 2009
From: Garrod.Alwood at lorodoes.com (Garrod M. Alwood)
Date: Tue Dec 29 04:45:00 2009
Subject: Clamd issue
In-Reply-To:
References:
Message-ID: <1187FA72-6F0A-4BB4-B5CB-0B3B2A96505A@lorodoes.com>

That worked I just hope this build is stable.

Garrod Alwood
Open Source Consultant
9047384988
Garrod.alwood@lorodoes.com

Sent from my iPod

On Dec 28, 2009, at 9:32 PM, "Mark Sapiro" wrote:

> Garrod M. Alwood wrote:
>
>> I have everything set exactly as I do on all my other servers and
>> on this server I get this error and I am unsure why, can anyone
>> give me a hint to fix it? I looked at the pm file it's calling
>> but I can't tell what it's asking for. If someone could at least
>> point me in the right direction I would be very happy. thank you.
>>
> [...]
>> ===========================================================================
>> Insecure dependency in chown while running with -T switch at
>> /usr/lib/MailScanner/MailScanner/Message.pm line 2505.
>
> This looks familiar. See the threads "Taint error with Perl v5.10.1"
> and "MailScanner 4.79.3-1 taint problem in TNEF module" starting at .
>
> These are fixed in 4.79.4
>
> --
> Mark Sapiro         The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan

From jwatkins at agilentcorp.com Wed Dec 30 03:01:19 2009
From: jwatkins at agilentcorp.com (Jarod Watkins)
Date: Wed Dec 30 03:02:18 2009
Subject: Message Body with Custom Functions
Message-ID: <1AD0162F37D7FB46AA709768EAFDBE3A1D807374@optimus>

Hello All,

After some googling and a little experimentation I cannot seem to figure out how to "see" the body of a message when it is passed to a custom function. I have done a dump of the variables passed to the custom function and I think I have found two that contain what I am after:

'entity2safefile' => {
    '' => 0,
    'MIME::Entity=HASH(0x3ee98f0)' => 'msg-5435-1.txt'
},
'file2safefile' => {
    '' => '',
    'msg-5435-1.txt' => 'msg-5435-1.txt'
},

With entity2safefile, is the body encoded as a MIME::Entity? Or am I going to have to find where the 'msg-5435-1.txt' is and pull the contents out that way?

Thanks for any help,
Jarod Watkins
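
The "Insecure dependency in chown while running with -T switch" line in the "Clamd issue" thread above is Perl's taint mode refusing to pass externally derived data to chown(). The following is an added example, not MailScanner's code and not from any poster: it reproduces that class of failure with a constructed config file and shows the validate-and-capture step that clears it. The "owner = uid:gid" syntax, the file names and the helper names are assumptions made for the illustration.

```perl
#!/usr/bin/perl -T
# Added illustration, not MailScanner code. Run as: perl -T taint_chown.pl
# The "owner = uid:gid" config syntax and all helper names are assumptions.
use strict;
use warnings;
use File::Temp qw(tempfile);
use Scalar::Util qw(tainted);

die "taint mode is off; run with perl -T\n" unless ${^TAINT};

# Read "owner = uid:gid" from a file. File input is tainted under -T, and
# split() hands that taint on to every piece it returns.
sub read_owner {
    my ($path) = @_;
    open my $in, '<', $path or die "open $path: $!\n";
    my $line = <$in>;
    close $in;
    die "empty config\n" unless defined $line;
    chomp $line;
    my (undef, $value) = split /\s*=\s*/, $line, 2;
    die "no owner value\n" unless defined $value;
    my ($uid, $gid) = split /:/, $value, 2;
    return ($uid, $gid);
}

# Untaint by validation: accept only an anchored run of ASCII digits and
# return the regex capture, never the original scalar.
sub untaint_id {
    my ($value) = @_;
    if (defined $value && $value =~ /\A([0-9]{1,10})\z/) {
        return $1;
    }
    return;
}

# chown() wrapped in eval so a taint failure is reported, not fatal.
sub try_chown {
    my ($uid, $gid, $path) = @_;
    my $ok = eval {
        chown($uid, $gid, $path) == 1 or die "chown failed: $!\n";
        1;
    };
    return 'ok' if $ok;
    (my $err = $@) =~ s/\s+\z//;
    return "refused: $err";
}

# Target file. Its current owner and group are reused below, so the chown
# needs no privilege and changes nothing on disk.
my ($tgt_fh, $target) = tempfile(UNLINK => 1);
close $tgt_fh or die "close: $!\n";
my ($cur_uid, $cur_gid) = (stat $target)[4, 5];

# Constructed sample input: the setting as a daemon might find it on disk.
my ($cfg_fh, $cfg_path) = tempfile(UNLINK => 1);
print {$cfg_fh} "owner = $cur_uid:$cur_gid\n";
close $cfg_fh or die "close: $!\n";

my ($raw_uid, $raw_gid) = read_owner($cfg_path);
print 'raw uid tainted:      ', (tainted($raw_uid) ? 'yes' : 'no'), "\n";
print 'chown with raw ids:   ', try_chown($raw_uid, $raw_gid, $target), "\n";

my $uid = untaint_id($raw_uid);
my $gid = untaint_id($raw_gid);
die "owner setting is not numeric, refusing to chown\n"
    unless defined $uid && defined $gid;
print 'clean uid tainted:    ', (tainted($uid) ? 'yes' : 'no'), "\n";
print 'chown with clean ids: ', try_chown($uid, $gid, $target), "\n";
```

The capture pattern is the security decision here: a permissive pattern such as (.*) would clear the taint flag just as well without validating anything.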