From ja at conviator.com Sun Feb 1 10:09:01 2009
From: ja at conviator.com (Jan Agermose)
Date: Sun Feb 1 10:09:21 2009
Subject: pattern blacklistning - where to do it "best"
Message-ID:

hi

1) I want to implement blacklisting with patterns for the administrator. At the moment I'm using the MailScanner customfunctions for black- and whitelisting and for spamscore settings. But it does not allow patterns. I can change this of course, but then I found that SA can connect to a mysql and read this info, and as far as I can tell the blacklists here actually already make it possible to use patterns, correct?

Anyway, implementing this pattern stuff is not a big thing in the customfunction, so maybe I should stay on this "solution". What I'm wondering is: what are the pros and cons of having whitelisting, blacklisting and spamscore in SA vs. MailScanner? When I look at the flowchart of MailScanner it seems it would be better to have it there, since maybe it does not even need to start processing SA if it's blacklisted? So better performance vs. having to code it yourself, maybe?

2) In SA or MailScanner - are connections pooled and/or alive between scans, or are connections opened every time a customfunction needs the connection, or if you in SA implement some function for eval() that uses databases?

Best regards
Jan

From MailScanner at ecs.soton.ac.uk Sun Feb 1 19:26:01 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Feb 1 19:26:22 2009
Subject: Anti-spear-phishing sa-update channel
In-Reply-To:
References: <496A6779.9040309@coders.co.uk> <625385e30901300052v84afcd6vde685c543244f7e4@mail.gmail.com>
Message-ID: <4985F749.4010200@ecs.soton.ac.uk>

On 30/1/09 16:32, Scott Silva wrote:
> on 1-30-2009 12:52 AM shuttlebox spake the following:
>> On Sun, Jan 11, 2009 at 10:41 PM, Matt wrote:
>>> All
>>>
>>> If anyone is interested I have published an sa-update channel which
>>> generates the same rules as Jules' script.
>>>
>>> The channel is
>>>
>>> spear.bastionmail.com
>>
>> I started using it at a client site a week ago and have received four
>> (4) hits so far. :-)
>>
>> What kind of results do others see?
>
> I haven't seen any hits and I added this when it came out weeks ago. I am
> probably killing all the junk it might have caught with blacklists at the MTA.

The biggest recipients of spear-phishing attacks appear to be academic institutions. So if you aren't one of those, it's quite possible you won't see any hits. I see a lot here.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From shuttlebox at gmail.com Sun Feb 1 20:01:24 2009
From: shuttlebox at gmail.com (shuttlebox)
Date: Sun Feb 1 20:01:34 2009
Subject: Anti-spear-phishing sa-update channel
In-Reply-To: <4985F749.4010200@ecs.soton.ac.uk>
References: <496A6779.9040309@coders.co.uk> <625385e30901300052v84afcd6vde685c543244f7e4@mail.gmail.com> <4985F749.4010200@ecs.soton.ac.uk>
Message-ID: <625385e30902011201l604bce59p69025913bae09060@mail.gmail.com>

On Sun, Feb 1, 2009 at 8:26 PM, Julian Field wrote:
> The biggest recipients of spear-phishing attacks appear to be academic
> institutions. So if you aren't one of those, it's quite possible you won't
> see any hits. I see a lot here.

You still get a lot? I guess some types of spam are really local. One of my clients is a "cluster" of hospitals and you need to be careful about those viagra scores. :-)

--
/peter

From NWL002 at shsu.edu Sun Feb 1 20:54:40 2009
From: NWL002 at shsu.edu (Laskie, Norman)
Date: Sun Feb 1 20:59:32 2009
Subject: Anti-spear-phishing sa-update channel
In-Reply-To: <4985F749.4010200@ecs.soton.ac.uk>
References: <496A6779.9040309@coders.co.uk> <625385e30901300052v84afcd6vde685c543244f7e4@mail.gmail.com> ,<4985F749.4010200@ecs.soton.ac.uk>
Message-ID: <8FAC1E47484E43469AA28DBF35C955E420533A8A85@EXMBX.SHSU.EDU>

I am seeing a lot too; they are being tagged and denied based on another ruleset (500+ in the past couple of days). For some reason I'm still not seeing any hits on this ruleset though :(

We may have some getting blocked at the MTA level, but I would think by now there would be more hits on this ruleset based on the number of addresses blocked and the number passing through the MTA level.

Thanks,
Norman

From MailScanner at ecs.soton.ac.uk Sun Feb 1 21:31:30 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Feb 1 21:31:53 2009
Subject: Disable MCP notifications for High Spam
In-Reply-To: <67a55ed50901310356m5478f0c9mb333092cce6881b4@mail.gmail.com>
References: <67a55ed50901310356m5478f0c9mb333092cce6881b4@mail.gmail.com>
Message-ID: <498614B2.3080509@ecs.soton.ac.uk>

If you can, re-implement your MCP filtering with "SpamAssassin Rule Actions". It gives you much more precise control over what happens to the mail, and will run a lot faster too.

On 31/1/09 11:56, Dave Jones wrote:
> Does anyone have any ideas how the MCP notifications can be disabled
> for High Scoring Spam? The High Spam is getting caught and deleted
> but when it also hits the MCP threshold, the user is getting the
> recipient.mcp.report.txt notification. There are lots of High Spam
> that will hit common profanity checks in MCP.
>
> I found a thread in the maillist archives on "MCP/SPAM Actions" saying
> that delete is the last action taken so the MCP notify takes
> precedence. However, I was wondering if there are some recent
> feature additions that will allow me to override this now.
>
> High Scoring Spam Actions = delete
> MCP Actions = store notify
> High Scoring MCP Actions = store notify

Jules

From mikael at syska.dk Mon Feb 2 04:07:25 2009
From: mikael at syska.dk (Mikael Syska)
Date: Mon Feb 2 04:07:37 2009
Subject: Error after perl5 upgrade 5.8.8 to 5.8.9 on FreeBSD
In-Reply-To: <57200BF94E69E54880C9BB1AF714BBCB5DE4B9@w2003s01.double-l.local>
References: <57200BF94E69E54880C9BB1AF714BBCB5DE4B9@w2003s01.double-l.local>
Message-ID: <6beca9db0902012007k57ce431es2f0c392961298078@mail.gmail.com>

Hi,

I had the exact same problem ... I used about 6 hours on it ... after that trying all the things suggested to this thread ... nothing did work ... so I downgraded perl to 4.8.8 and MailScanner was happy again.

I would wait until Peter, the FreeBSD port maintainer, gets his packages accepted into the ports tree; maybe the error is resolved in the newest release of MailScanner. :-)

best regards
Mikael Syska

2009/1/29 Johan Hendriks :
> Hello all i am trying to get Mailscanner to work after a perl upgrade on my
> FreeBSD Machine.
>
> The error in my maillog is the following.
>
> Jan 16 11:46:03 mailscanner MailScanner[37117]: MailScanner E-Mail Virus
> Jan 16 11:46:03 mailscanner MailScanner[37117]: Could not use Custom Function code /usr/local/lib/MailScanner/MailScanner/CustomFunctions/DavidHooton.pm, it could not be "require"d. Make sure the last line of the file says "1;"
> Jan 16 11:46:03 mailscanner MailScanner[37117]: Could not use Custom Function code /usr/local/lib/MailScanner/MailScanner/CustomFunctions/SpamWhitelist.pm, it could not be "require"d. Make sure the last line of the file says "1;"
> Jan 16 11:46:03 mailscanner MailScanner[37117]: Could not use Custom Function code /usr/local/lib/MailScanner/MailScanner/CustomFunctions/ZMRouterDirHash.pm, it could not be "require"d. Make sure the last line of the file says "1;"
> Jan 16 11:46:03 mailscanner MailScanner[37117]: Could not use Custom Function code /usr/local/lib/MailScanner/MailScanner/CustomFunctions/CustomAction.pm, it could not be "require"d. Make sure the last line of the file says "1;"
> Jan 16 11:46:03 mailscanner MailScanner[37117]: Could not use Custom Function code /usr/local/lib/MailScanner/MailScanner/CustomFunctions/LastSpam.pm, it could not be "require"d. Make sure the last line of the file says "1;"
> Jan 16 11:46:03 mailscanner MailScanner[37117]: Could not use Custom Function code /usr/local/lib/MailScanner/MailScanner/CustomFunctions/Ruleset-from-Function.pm, it could not be "require"d. Make sure the last line of the file says "1;"
> Jan 16 11:46:03 mailscanner MailScanner[37117]: Could not use Custom Function code /usr/local/lib/MailScanner/MailScanner/CustomFunctions/GenericSpamScanner.pm, it could not be "require"d. Make sure the last line of the file says "1;"
> Jan 16 11:46:03 mailscanner MailScanner[37117]: Could not use Custom Function code /usr/local/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm, it could not be "require"d. Make sure the last line of the file says "1;"
> Jan 16 11:46:03 mailscanner MailScanner[37117]: Could not use Custom Function code /usr/local/lib/MailScanner/MailScanner/CustomFunctions/SQLBlackWhiteList.pm, it could not be "require"d. Make sure the last line of the file says "1;"
> Jan 16 11:46:03 mailscanner MailScanner[37117]: Could not use Custom Function code /usr/local/lib/MailScanner/MailScanner/CustomFunctions/SQLSpamSettings.pm, it could not be "require"d. Make sure the last line of the file says "1;"
> Jan 16 11:46:03 mailscanner MailScanner[37117]: Could not use Custom Function code /usr/local/lib/MailScanner/MailScanner/CustomFunctions/MyExample.pm, it could not be "require"d. Make sure the last line of the file says "1;"
>
> Then I added the -w to the mailscanner file
>
> And this is what I get on my console.
>
> This is Mailscanner 4.74.16 (trying to make a port myself), the error above
> happens also with the official port
>
> Starting mailscanner.
> Useless use of hash element in void context at /usr/local/lib/MailScanner/MailScanner/Config.pm line 892.
> Use of implicit split to @_ is deprecated at /usr/local/lib/MailScanner/MailScanner/Config.pm line 2085.
> Unquoted string "hostname" may clash with future reserved word at /usr/local/lib/MailScanner/MailScanner/CustomConfig.pm line 300.
> Parameterless "use IO" deprecated at /usr/local/lib/MailScanner/MailScanner/CustomConfig.pm line 749
> "my" variable $LimitsH masks earlier declaration in same scope at /usr/local/lib/MailScanner/MailScanner/CustomConfig.pm line 796.
> Use of implicit split to @_ is deprecated at /usr/local/lib/MailScanner/MailScanner/CustomConfig.pm line 822.
> Use of implicit split to @_ is deprecated at /usr/local/lib/MailScanner/MailScanner/CustomConfig.pm line 838.
> Use of uninitialized value in substitution iterator at /usr/local/lib/MailScanner/MailScanner/Config.pm line 674, line 1310.
> Parameterless "use IO" deprecated at /usr/local/lib/MailScanner/MailScanner/GenericSpam.pm line 39
> Parameterless "use IO" deprecated at /usr/local/lib/MailScanner/MailScanner/RBLs.pm line 39
> "my" variable $to masks earlier declaration in same scope at /usr/local/lib/MailScanner/MailScanner/MCPMessage.pm line 636.
> "my" variable $gsreport masks earlier declaration in same scope at /usr/local/lib/MailScanner/MailScanner/Message.pm line 683.
> "my" variable $to masks earlier declaration in same scope at /usr/local/lib/MailScanner/MailScanner/Message.pm line 1375.
> "my" variable $to masks earlier declaration in same scope at /usr/local/lib/MailScanner/MailScanner/Message.pm line 1535.
> "my" variable $to masks earlier declaration in same scope at /usr/local/lib/MailScanner/MailScanner/Message.pm line 5700.
> "my" variable $to masks earlier declaration in same scope at /usr/local/lib/MailScanner/MailScanner/Message.pm line 5936.
> "my" variable $to masks earlier declaration in same scope at /usr/local/lib/MailScanner/MailScanner/Message.pm line 6352.
> Subroutine add_part redefined at /usr/local/lib/MailScanner/MailScanner/Message.pm line 7602.
> Subroutine extract redefined at /usr/local/lib/MailScanner/MailScanner/Message.pm line 7631.
> Parameterless "use IO" deprecated at /usr/local/lib/MailScanner/MailScanner/MCP.pm line 40
> Parameterless "use IO" deprecated at /usr/local/lib/MailScanner/MailScanner/SA.pm line 39
> Statement unlikely to be reached at /usr/local/lib/MailScanner/MailScanner/SweepOther.pm line 455.
> (Maybe you meant system() when you said exec()?)
> Statement unlikely to be reached at /usr/local/lib/MailScanner/MailScanner/SweepOther.pm line 375.
> (Maybe you meant system() when you said exec()?)
> Statement unlikely to be reached at /usr/local/lib/MailScanner/MailScanner/SweepViruses.pm line 1048.
> (Maybe you meant system() when you said exec()?)
> "my" variable $LockFile masks earlier declaration in same scope at /usr/local/lib/MailScanner/MailScanner/SweepViruses.pm line 3450.
> Useless use of not in void context at /usr/local/lib/MailScanner/MailScanner/SweepViruses.pm line 3493.
> Using a hash as a reference is deprecated at /usr/local/sbin/mailscanner line 546.
> Duplicate specification "h|H|help" for option "h"
> Duplicate specification "v|V|version|Version" for option "v"
> Duplicate specification "v|V|version|Version" for option "version"
> Duplicate specification "c|C|changed" for option "c"
> Use of uninitialized value in substitution iterator at /usr/local/lib/MailScanner/MailScanner/Config.pm line 674, line 1310.
> Use of uninitialized value in substitution iterator at /usr/local/lib/MailScanner/MailScanner/Config.pm line 674, line 1310.
> Use of uninitialized value in substitution iterator at /usr/local/lib/MailScanner/MailScanner/Config.pm line 674, line 1310.
> Use of uninitialized value in substitution iterator at /usr/local/lib/MailScanner/MailScanner/Config.pm line 674, line 1310.
> Use of uninitialized value in substitution iterator at /usr/local/lib/MailScanner/MailScanner/Config.pm line 674, line 1310.
> Use of uninitialized value in substitution iterator at /usr/local/lib/MailScanner/MailScanner/Config.pm line 674, line 1310.
> "my" variable $line masks earlier declaration in same scope at /usr/local/lib/MailScanner/MailScanner/PFDiskStore.pm line 494.
> Use of uninitialized value in substitution iterator at /usr/local/lib/MailScanner/MailScanner/Config.pm line 674, line 1310.
> Use of uninitialized value in substitution iterator at /usr/local/lib/MailScanner/MailScanner/Config.pm line 674, line 1310.
> Use of uninitialized value in substitution iterator at /usr/local/lib/MailScanner/MailScanner/Config.pm line 674, line 1310.
> Use of uninitialized value in substitution iterator at /usr/local/lib/MailScanner/MailScanner/Config.pm line 674, line 1310.
> Use of uninitialized value in substitution iterator at /usr/local/lib/MailScanner/MailScanner/Config.pm line 674, line 1310.
> Use of uninitialized value in substitution iterator at /usr/local/lib/MailScanner/MailScanner/Config.pm line 674, line 1310.
> Use of uninitialized value in substitution iterator at /usr/local/lib/MailScanner/MailScanner/Config.pm line 674, line 1310.
> Use of uninitialized value in substitution iterator at /usr/local/lib/MailScanner/MailScanner/Config.pm line 674, line 1310.
> Use of uninitialized value in substitution iterator at /usr/local/lib/MailScanner/MailScanner/Config.pm line 674, line 1310.
> Use of uninitialized value in substitution iterator at /usr/local/lib/MailScanner/MailScanner/Config.pm line 674, line 1310.
> Use of uninitialized value in substitution iterator at /usr/local/lib/MailScanner/MailScanner/Config.pm line 674, line 1310.
> Use of uninitialized value in substitution iterator at /usr/local/lib/MailScanner/MailScanner/Config.pm line 674, line 1310.
> Use of uninitialized value in substitution iterator at /usr/local/lib/MailScanner/MailScanner/Config.pm line 674, line 1310.
> Use of uninitialized value in substitution iterator at /usr/local/lib/MailScanner/MailScanner/Config.pm line 674, line 1310.
> Use of uninitialized value in substitution iterator at /usr/local/lib/MailScanner/MailScanner/Config.pm line 674, line 1310.
> Use of uninitialized value in substitution iterator at /usr/local/lib/MailScanner/MailScanner/Config.pm line 674, line 1310.
> Use of uninitialized value in substitution iterator at /usr/local/lib/MailScanner/MailScanner/Config.pm line 674, line 1310.
> Use of uninitialized value in pattern match (m//) at /usr/local/sbin/mailscanner line 706.
>
> What can I do to resolve this.
>
> I have no perl knowledge what so ever!!
>
> Regards,
> Johan

From ajcartmell at fonant.com Mon Feb 2 09:11:06 2009
From: ajcartmell at fonant.com (Anthony Cartmell)
Date: Mon Feb 2 09:11:27 2009
Subject: Fedora 10 packaging help required
In-Reply-To: <49634A59.4090606@ecs.soton.ac.uk>
References: <49634A59.4090606@ecs.soton.ac.uk>
Message-ID:

Jules,

> The problem is that the site_perl directory is now under
> /usr/local/lib/perl5 and not /usr/lib/perl5. But if you specify a
> "PREFIX" in the call to Makefile.PL to generate the Makefile, like I
> always have done, then the perl-site-specific directories are set wrong,
> it leaves them under /usr/lib/perl5.

FWIW I have successfully installed both mailscanner and spamassassin/clamav from your tarballs on FC10 32-bit (at least MailScanner --lint is happy).

But I haven't managed on FC10 64-bit yet: all goes smoothly with MailScanner, but the Mail-ClamAV fails to install. Oddly everything else compiles and installs fine, it's just that one module: to my inexperienced eye it seems to be installing the compiled module into /tmp/Mail-ClamAV-022/, which presumably then gets deleted.

~~~~~~~~~~
Installing /tmp/Mail-ClamAV-0.22/blib/arch/auto/Mail/ClamAV/ClamAV.bs
Writing /tmp/Mail-ClamAV-0.22/blib/arch/auto/Mail/ClamAV/.packlist
make[1]: Leaving directory `/tmp/Mail-ClamAV-0.22/_Inline/build/Mail/ClamAV'
~~~~~~~~~~

The Mail-ClamAV tests all fail, and MailScanner --lint asks where clamavmodule is (it isn't installed anywhere).

Don't worry too much about this, as I'm going to investigate clamd now, but thought it might be of interest given your packaging problems... Shout if you'd like me to run any additional tests on my FC10 x86_64 machine for diagnosis purposes.

Cheers!
Anthony
--
www.fonant.com - Quality web sites

From prandal at herefordshire.gov.uk Mon Feb 2 09:30:25 2009
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Mon Feb 2 09:30:42 2009
Subject: Fedora 10 packaging help required
In-Reply-To:
References: <49634A59.4090606@ecs.soton.ac.uk>
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA03CF83@HC-MBX02.herefordshire.gov.uk>

You'll need this patch to be able to use Mail::Clamav with clamav 0.94 and later.

http://rt.cpan.org/Public/Bug/Display.html?id=39301

Better to start using clamd instead:

http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:clamav:switch_to_rpm_clamd

Cheers,

Phil

From ajcartmell at fonant.com Mon Feb 2 10:06:11 2009
From: ajcartmell at fonant.com (Anthony Cartmell)
Date: Mon Feb 2 10:06:33 2009
Subject: Fedora 10 packaging help required
In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA03CF83@HC-MBX02.herefordshire.gov.uk>
References: <49634A59.4090606@ecs.soton.ac.uk> <7EF0EE5CB3B263488C8C18823239BEBA03CF83@HC-MBX02.herefordshire.gov.uk>
Message-ID:

> You'll need this patch to be able to use Mail::Clamav with clamav 0.94
> and later.
>
> http://rt.cpan.org/Public/Bug/Display.html?id=39301

I think that's the one that Jules kindly includes in his tarball. Certainly it all seems to work, at least on 32-bit.

> Better to start using clamd instead:
>
> http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:clamav:switch_to_rpm_clamd

Yup, am on that now. Trying to get my head round setting up clamd itself :) FC10 includes ClamAV 0.94.1 via the core repo and 0.94.2 via the updates one, so that at least makes things easy.

Cheers!
Anthony
--
www.fonant.com - Quality web sites

From MailScanner at ecs.soton.ac.uk Mon Feb 2 11:26:56 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Feb 2 11:27:23 2009
Subject: Anti-spear-phishing sa-update channel
In-Reply-To:
References: <496A6779.9040309@coders.co.uk> <625385e30901300052v84afcd6vde685c543244f7e4@mail.gmail.com>
Message-ID: <4986D880.6040102@ecs.soton.ac.uk>

On 30/1/09 09:17, David Lee wrote:
> On Fri, 30 Jan 2009, shuttlebox wrote:
>
>> On Sun, Jan 11, 2009 at 10:41 PM, Matt wrote:
>>> All
>>>
>>> If anyone is interested I have published an sa-update channel which
>>> generates the same rules as Jules' script.
>>>
>>> The channel is
>>>
>>> spear.bastionmail.com
>>
>> I started using it at a client site a week ago and have received four
>> (4) hits so far. :-)
>>
>> What kind of results do others see?
>
> Julian: Given that this seems to be stabilising, are you planning to
> roll it (including the easy-install 'sa-update channel' option) into
> the next MS release, so it is there, ready to use? Perhaps with an
> MS.conf (or '/etc/mail/spamassassin/' or similar) option to
> enable/disable it?

I wasn't planning on doing so, but it's possible. What things do I need to do to get the PGP key for it and so on? That's the difficulty with building in any sa-update channels, you've got to do all the PGP stuff too or it won't update.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From davejones70 at gmail.com Mon Feb 2 13:04:33 2009
From: davejones70 at gmail.com (Dave Jones)
Date: Mon Feb 2 13:04:43 2009
Subject: Disable MCP notifications for High Spam
Message-ID: <67a55ed50902020504p5a9f972v482465f8b63726d4@mail.gmail.com>

>If you can, re-implement your MCP filtering with "SpamAssassin Rule
>Actions". It gives you much more precise control over what happens to
>the mail, and will run a lot faster too.

>On 31/1/09 11:56, Dave Jones wrote:
>> Does anyone have any ideas how the MCP notifications can be disabled
>> for High Scoring Spam? The High Spam is getting caught and deleted
>> but when it also hits the MCP threshold, the user is getting the
>> recipient.mcp.report.txt notification. There are lots of High Spam
>> that will hit common profanity checks in MCP.
>>
>> I found a thread in the maillist archives on "MCP/SPAM Actions" saying
>> that delete is the last action taken so the MCP notify takes
>> precedence. However, I was wondering if there are some recent
>> feature additions that will allow me to override this now.
>>
>> High Scoring Spam Actions = delete
>> MCP Actions = store notify
>> High Scoring MCP Actions = store notify

>Jules

If I have 100 or so MCP SA rules, then do I have to create a rule line for each one or is there a way to match all of them if they start with something unique like "PROFANITY_IN_"? Can I use "PROFANITY_IN_*" so it will pick up new rules as I add them or do I have to specify the full rule name?

So how would I set up the notification rules so that it would use the same MCP recipient.mcp.report.txt?

And I guess whitelisting some users from the profanity checks is as simple as "not-notify".

--
Dave Jones

From paulo-m-roncon at ptinovacao.pt Mon Feb 2 13:28:42 2009
From: paulo-m-roncon at ptinovacao.pt (Paulo Roncon)
Date: Mon Feb 2 13:29:03 2009
Subject: mailscanner with heavy load
In-Reply-To: <200902011201.n11C0TdD025651@safir.blacknight.ie>
References: <200902011201.n11C0TdD025651@safir.blacknight.ie>
Message-ID:

Steve : 60msg/sec = 60msg*60s*60m*24h= 5184000!!!

So 5 childs/1RAM/1CPU => 20childs/4RAM/4CPU, right???

But I have RAM to spare... can I increase the number of childs?

Thanks!

Paulo

60 message/sec == 518,400 messages per day.

The key metric for MailScanner is the average time to scan a single message; on a tuned system this can take anywhere between 1 and 8 seconds maximum depending on the message. This includes SA (with compiled rulesets), ClamAV, FProt6, Razor2, DCC and all the default DNSBL/URIBL lookups in SA and writing the data to MailWatch. Disabling DCC, Razor2 and all untrusted DNSBLs would decrease the scan time considerably.

Note that to get reasonable scan times you *cannot* use *any* command-line virus scanner that doesn't use sockets or a persistent daemon.

If you base the default at 8 seconds per message (which is super-conservative) then: 1 child can process 10,800 msgs/day, therefore you would require ~47 MailScanner children to process 500,000 messages per day.

Based on the tuning metric of 5 children per GB RAM and per CPU - you would need 10 CPUs and 10Gb RAM minimum to process that load based on a default configuration.

So three boxes of that specification would suffice to handle the required load with some overhead to spare. You would also need to make sure each box got an equal load of the input messages, so some sort of load balancer would be required.

I would also recommend buying Spamhaus, URIBL and SURBL datafeeds and running rbldnsd locally on your network, as you will be way over the threshold to use the public mirrors - this will also prevent the lookups from hurting the scan performance adversely.

I seriously recommend looking at my firm's BarricadeMX product, which can sit in front of MailScanner and reduce the message input to your MTA and into MailScanner considerably to avoid any nasty spikes, improve efficiency and performance and catch-rate.

Hope that gives you a rough guide.

Kind regards,
Steve.

--
Steve Freegard
Development Director
Fort Systems Ltd.

From MailScanner at ecs.soton.ac.uk Mon Feb 2 14:01:11 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Feb 2 14:01:36 2009
Subject: Disable MCP notifications for High Spam
In-Reply-To: <67a55ed50902020504p5a9f972v482465f8b63726d4@mail.gmail.com>
References: <67a55ed50902020504p5a9f972v482465f8b63726d4@mail.gmail.com>
Message-ID:

On 2/2/09 13:04, Dave Jones wrote:
>> If you can, re-implement your MCP filtering with "SpamAssassin Rule
>> Actions". It gives you much more precise control over what happens to
>> the mail, and will run a lot faster too.
>
>> On 31/1/09 11:56, Dave Jones wrote:
>>> Does anyone have any ideas how the MCP notifications can be disabled
>>> for High Scoring Spam? The High Spam is getting caught and deleted
>>> but when it also hits the MCP threshold, the user is getting the
>>> recipient.mcp.report.txt notification. There are lots of High Spam
>>> that will hit common profanity checks in MCP.
>>>
>>> I found a thread in the maillist archives on "MCP/SPAM Actions" saying
>>> that delete is the last action taken so the MCP notify takes
>>> precedence. However, I was wondering if there are some recent
>>> feature additions that will allow me to override this now.
>>>
>>> High Scoring Spam Actions = delete
>>> MCP Actions = store notify
>>> High Scoring MCP Actions = store notify
>
>> Jules
>
> If I have 100 or so MCP SA rules, then do I have to create a rule line
> for each one or is there a way to match all of them if they start with
> something unique like "PROFANITY_IN_". Can I use "PROFANITY_IN_*" so
> it will pick up new rules as I add them or do I have to specify the
> full rule name?

Your easiest solution would be to create a meta rule in SpamAssassin which triggers if any of your PROFANITY_IN_ rules matches. The syntax is very simple and is documented in "man Mail::SpamAssassin::Conf", and there are plenty of examples in the rulesets shipped with SpamAssassin.

Then your "SpamAssassin Rule Actions" only has to mention 1 rule.

> So how would I setup the notification rules so that it would use the
> same MCP recipient.mcp.report.txt?
>
> And I guess whitelisting some users from the profanity checks is as
> simple as "not-notify".

Correct.

Jules

From steve.freegard at fsl.com Mon Feb 2 14:30:00 2009
From: steve.freegard at fsl.com (Steve Freegard)
Date: Mon Feb 2 14:30:11 2009
Subject: mailscanner with heavy load
In-Reply-To:
References: <200902011201.n11C0TdD025651@safir.blacknight.ie>
Message-ID: <49870368.4050205@fsl.com>

Hi Paulo,

Paulo Roncon wrote:
> Steve : 60msg/sec = 60msg*60s*60m*24h= 5184000!!!

Yeah - sorry about that - noticed that after I posted.

> So 5 childs/1RAM/1CPU => 20childs/4RAM/4CPU, right???

Yes.

> But i have RAM to spare... can I increase the number of childs?

The 5 children per 1Gb RAM/CPU isn't set in stone - it's a balancing act to put as much load on the various components (CPU + CPU+Mem+Disk IO) without causing the machine to thrash or become bound by one component (e.g. CPU or Disk), so you *might* be able to increase the number of children - you'll need to measure the batch times to find out what the optimal values are given your typical loads.

To do this you'll need to fully load the box (you could do this with test messages - but they should be representative of the actual mail stream) and to do that you'll need to make sure that all children are busy; so if you have a batch size of 30 (the default) you'll need (Batch Size * (Number of Children + Batch Size)) = messages (10 children/30 batch = 330) in the mqueue.in directory (or hold directory if you use Postfix) and then start MailScanner (with Log Speed=yes) and then calculate the avg. scan time per message based on the log output.

Start increasing the number of children and see the effect of the avg. scan time - as soon as the scan times start to show a downward trend; you have found the limit (be sure to leave a 'fudge' factor of around -2 children to allow for variances in your message types).

You'll want to follow all the usual tuning advice for MailScanner e.g. /var/spool/MailScanner/incoming on tmpfs, so I tend to find that having surplus memory improves performance with MailScanner particularly if you have large rulesets and that most installations are typically IO bound; so your disk controller and RAID configuration are important (RAID 0+1 on /var will likely give the best performance).

Speaking from experience - if you allow your users to make white/black list entries, then you'll probably want to use CustomFunction to read the values from an indexed datasource (something that supports row-level locking) as rulesets are compiled at child start-up and large rulesets cause MailScanner to take a long time to reload (remember: MailScanner restarts each child every 2 hours by default - a several minute start-up time will cause a significant backlog at 60msgs/sec) and will also cause each child to use up a *lot* of extra memory.

Cheers,
Steve.

--
Steve Freegard
Development Director
Fort Systems Ltd.

From Ron.Ghetti at town.barnstable.ma.us Mon Feb 2 17:04:03 2009
From: Ron.Ghetti at town.barnstable.ma.us (Ghetti, Ron)
Date: Mon Feb 2 17:04:53 2009
Subject: debugging Spammassassin
Message-ID: <3411CC12BB577F4FAEAC8A694780866B022912EC@ITMAIL.town.barnstable.ma.us>

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steve Freegard
Sent: Thursday, January 29, 2009 11:14 AM
To: MailScanner discussion
Subject: Re: debugging Spammassassin

Ghetti, Ron wrote:
> Batch (1 message) processed in 62.04 seconds
> Batch (1 message) processed in 61.83 seconds
> Batch (2 messages) processed in 111.01 seconds
> Batch (7 messages) processed in 313.62 seconds
> Batch (9 messages) processed in 423.96 seconds
> Batch (10 messages) processed in 719.89 seconds
>
> Those do not seem like fast process times to me,

Those are the worst times I think I've ever seen. When tuning systems I'm not happy until I have the average time to process a single message to <10 seconds.

Generally batch performance improves the larger the batch; however in your case this doesn't appear to be true - with 10 messages the average is 72 seconds per message!

I'd guess that you've got some serious breakage in SpamAssassin or in your DNS resolver.

Find a message in your quarantine directory then run the following and post the output:

spamassassin -D -p /etc/MailScanner/spam.assassin.prefs.conf < /path/to/quaratined/message

Kind regards,
Steve
--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

Can't seem to get that to work, I have no idea what the postfix password is.
The numbers do seem a bit better though after adjusting a couple of settings and rewriting my report to pick up more info.

Batch processes are much shorter and there are much fewer SA timeouts.
This is from a 24 hour period.

There were 6,925 Total messages Recieved.
There were 5,299 messages marked as spam.
There were 693 Messages Queued for delivery.
There were 771 Messages Delivered.
Average Batch Time = 11.6 seconds
SA Timeouts = 5
Messages Deferred = 13
Messages Bounced = 5

Spamassassin timeout kicked up to 85 seconds
MaxChildren set to 12
Batch Sizes set to 20
No Virus Scanning
Using Spamhaus-Zen and uribl

Thanks for all your help
-Ron

From lorenzo at argroup.it Mon Feb 2 17:21:36 2009
From: lorenzo at argroup.it (lorenzo)
Date: Mon Feb 2 17:22:22 2009
Subject: sa learn bayes starter DB
Message-ID: <49872BA0.4@argroup.it>

hi everyone!
my first message....

i download a bayes starter DB from http://www.fsl.com/support/

how i can use this db with spamassassin?
can I use sa learn command?
how to use this command with the bayes db starter file?

ty in advance

--
lorenzo

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From maillists at conactive.com Mon Feb 2 20:31:23 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Mon Feb 2 20:31:36 2009
Subject: sa learn bayes starter DB
In-Reply-To: <49872BA0.4@argroup.it>
References: <49872BA0.4@argroup.it>
Message-ID:

Lorenzo wrote on Mon, 02 Feb 2009 18:21:36 +0100:

> how i can use this db with spamassassin?

isn't that information in the download?

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From glenn.steen at gmail.com Mon Feb 2 22:48:41 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Feb 2 22:48:50 2009
Subject: sa learn bayes starter DB
In-Reply-To:
References: <49872BA0.4@argroup.it>
Message-ID: <223f97700902021448j57a53f1fi9e1ac6cca6cdd2ff@mail.gmail.com>

2009/2/2 Kai Schaetzl :
> Lorenzo wrote on Mon, 02 Feb 2009 18:21:36 +0100:
>
>> how i can use this db with spamassassin?
>
> isn't that information in the download?
>
> Kai
>

Nah, it's just a tarball of a bayes directory with the usual three files... Unpack to somewhere (/etc/MailScanner/) and set bayes_path accordingly (/etc/MailScanner/bayes/bayes), ownership and permissions ... and you are done.

Whether one should use a DB other than from one's own mail flow... is another question:)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From lorenzo at argroup.it Tue Feb 3 11:11:00 2009
From: lorenzo at argroup.it (lorenzo) Date: Tue Feb 3 11:12:00 2009 Subject: sa learn bayes starter DB In-Reply-To: <223f97700902021448j57a53f1fi9e1ac6cca6cdd2ff@mail.gmail.com> References: <49872BA0.4@argroup.it> <223f97700902021448j57a53f1fi9e1ac6cca6cdd2ff@mail.gmail.com> Message-ID: <49882644.7020602@argroup.it> Glenn Steen ha scritto: > 2009/2/2 Kai Schaetzl : > >> Lorenzo wrote on Mon, 02 Feb 2009 18:21:36 +0100: >> >> >>> how i can use this db with spamassassin? >>> >> isn't that information in the download? >> >> Kai >> >> > Nah, it's just a tarball of a bayes directory with the usual three > file... Unpack to somewhere (/etc/MailScanner/) and set bayes_path > accordingly (/etc/MailScanner/bayes/bayes), ownership and permissins > ... and you are done. > > Whether one should use a DB other than from ones own mail flow... is > another question:) > > Cheers > if you have a fresh mailserver is a good choice use this start db or is preferrable to start with a new bayes db? -- Lorenzo Santi aura srl -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From maxsec at gmail.com Tue Feb 3 11:51:11 2009 
From: maxsec at gmail.com (Martin Hepworth)
Date: Tue Feb 3 11:51:21 2009
Subject: debugging Spammassassin
In-Reply-To: <3411CC12BB577F4FAEAC8A694780866B022912EC@ITMAIL.town.barnstable.ma.us>
References: <3411CC12BB577F4FAEAC8A694780866B022912EC@ITMAIL.town.barnstable.ma.us>
Message-ID: <72cf361e0902030351y2649679ck68388f0804b65d70@mail.gmail.com>

Ron

I note from your debug run above..

[5464] dbg: dns: checking RBL sa-other.bondedsender.org., set bsp-untrusted
[5464] dbg: dns: checking RBL plus.bondedsender.org., set ssc-firsttrusted
[5464] dbg: dns: checking RBL combined.njabl.org., set njabl
[5464] dbg: dns: checking RBL bl.spamcop.net., set spamcop
[5464] dbg: dns: checking RBL dob.sibl.support-intelligence.net., set dob
[5464] dbg: dns: checking RBL zen.spamhaus.org., set zen-lastexternal
[5464] dbg: dns: checking RBL dnsbl.sorbs.net., set sorbs-lastexternal
[5464] dbg: dns: checking RBL dnsbl.sorbs.net., set sorbs
[5464] dbg: dns: checking RBL zen.spamhaus.org., set zen-lastexternal
[5464] dbg: dns: checking RBL list.dnswl.org., set dnswl-firsttrusted
[5464] dbg: dns: checking RBL sa-accredit.habeas.com., set habeas-firsttrusted
[5464] dbg: dns: checking RBL list.dsbl.org., set dsbl-lastexternal
[5464] dbg: dns: checking RBL sa-trusted.bondedsender.org., set bsp-firsttrusted
[5464] dbg: dns: checking RBL zen.spamhaus.org., set zen
[5464] dbg: dns: checking RBL iadb.isipp.com., set iadb-firsttrusted

could be you're overdoing the free spamhaus acceptable use and they are slowing you down.

Also 85 isn't that big for the timeout - mine's 200.

--
Martin Hepworth
Oxford, UK

2009/2/2 Ghetti, Ron :
>
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steve > Freegard > Sent: Thursday, January 29, 2009 11:14 AM > To: MailScanner discussion > Subject: Re: debugging Spammassassin > > > Ghetti, Ron wrote: > >> Batch (1 message) processed in 62.04 seconds >> Batch (1 message) processed in 61.83 seconds >> Batch (2 messages) processed in 111.01 seconds >> Batch (7 messages) processed in 313.62 seconds >> Batch (9 messages) processed in 423.96 seconds >> Batch (10 messages) processed in 719.89 seconds >> >> Those do not seem like fast process times to me, > > Those are the worst times I think I've ever seen. When tuning systems > I'm not happy until I have the average time to process a single message > to <10 seconds. > > Generally batch performance improves the larger the batch; however in > your case this doesn't appear to be true - with 10 messages the average > is 72 seconds per message! > > I'd guess that you've got some serious breakage in SpamAssassin or in > your DNS resolver. > > Find a message in your quarantine directory then run the following and > post the output: > > spamassassin -D -p /etc/MailScanner/spam.assassin.prefs.conf < > /path/to/quaratined/message > > Kind regards, > Steve > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > Can't seem to get that to work, I have no idea what the postfix password > is. > The numbers do seem a bit better though after adjusting a couple of > settings > And rewriting my report to pick up more info. > > Batch processess are much shorter and there are much fewer SA timeouts. > This is from a 24 hour period. > > > There were 6,925 Total messages Recieved. > There were 5,299 messages marked as spam. 
> There were 693 Messages Queued for delivery. > There were 771 Messages Delivered. > Average Batch Time = 11.6 seconds > SA Timeouts = 5 > Messages Deferred = 13 > Messages Bounced = 5 > > > Spamassassin timeout kicked up to 85 seconds > MaxChildren set to 12 > Batch Sizes set to 20 > No Virus Scanning > Using Spamhaus-Zen and uribl > > > Thanks for all your help > -Ron > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From steve.freegard at fsl.com Tue Feb 3 12:24:55 2009 From: steve.freegard at fsl.com (Steve Freegard) Date: Tue Feb 3 12:25:05 2009 Subject: debugging Spammassassin In-Reply-To: <72cf361e0902030351y2649679ck68388f0804b65d70@mail.gmail.com> References: <3411CC12BB577F4FAEAC8A694780866B022912EC@ITMAIL.town.barnstable.ma.us> <72cf361e0902030351y2649679ck68388f0804b65d70@mail.gmail.com> Message-ID: <49883797.1080904@fsl.com> Hi Martin, Martin Hepworth wrote: > [5464] dbg: dns: checking RBL zen.spamhaus.org., set zen-lastexternal > [5464] dbg: dns: checking RBL zen.spamhaus.org., set zen-lastexternal > [5464] dbg: dns: checking RBL zen.spamhaus.org., set zen > > could be you're overdoing the free spamhaus acceptable use and they > are slowing you down. Spamhaus don't throttle connections - they just return NXDOMAIN results for everything, so I doubt it's that. Cheers, Steve. From glenn.steen at gmail.com Tue Feb 3 14:14:09 2009 
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Feb 3 14:14:18 2009
Subject: sa learn bayes starter DB
In-Reply-To: <49882644.7020602@argroup.it>
References: <49872BA0.4@argroup.it> <223f97700902021448j57a53f1fi9e1ac6cca6cdd2ff@mail.gmail.com> <49882644.7020602@argroup.it>
Message-ID: <223f97700902030614w47cda701m12443407d56b546e@mail.gmail.com>

2009/2/3 lorenzo :
> Glenn Steen wrote:
>>
>> 2009/2/2 Kai Schaetzl :
>>
>>> Lorenzo wrote on Mon, 02 Feb 2009 18:21:36 +0100:
>>>
>>>> how i can use this db with spamassassin?
>>>>
>>>
>>> isn't that information in the download?
>>>
>>> Kai
>>>
>>
>> Nah, it's just a tarball of a bayes directory with the usual three
>> files... Unpack to somewhere (/etc/MailScanner/) and set bayes_path
>> accordingly (/etc/MailScanner/bayes/bayes), ownership and permissions
>> ... and you are done.
>>
>> Whether one should use a DB other than from one's own mail flow... is
>> another question:)
>>
>> Cheers
>>
>
> if you have a fresh mailserver is a good choice use this start db or is
> preferrable to start with a new bayes db?
>

This is more philosophical than technical...:-).

The "best" thing to do is to have 200-1000 spam messages and 200-1000 ham (non-spam) messages, harvested from your normal mail flow, and manually train Bayes on these.

Another option is to set things up with an empty Bayes and either rely on automatic training, or a combination of manual/automatic training, so that you reach the prerequisite of 200 spam/ham before Bayes start scoring.

The third option is to "borrow" someone else's Bayes database and start scoring directly. Obviously this is what you were about to do here.

The problem(s) would be that:
- You have no real knowledge of what is in the Bayes db.
- It might have been trained on things that would FP/FN a lot for your organisation/mail flow.
- you would have to watch the hit rate for Bayes pretty closely at the start. Now... That would be something you'd need do anyway:-).

So a starter DB will give you Bayes scoring, but might be seriously out of date wrt the current spam trends and would potentially be all wrong for your mail flow, hence leading to FP/FN rates that might "hurt" you.
A lot of suppositions there:-).
Once your system is up and running (after a while all the tokens will tend to be from your mail flow) the "impact" lessens.

So why use one, if there are risks? Well, for one thing... Score set three might be a lot better than set 1 (which you'll have until Bayes kick in). You'll have no "sudden change" in scoring, as you would otherwise (when Bayes kick in), and that predictability is possibly something to strive for.
Bottom line on that string of thoughts is that it might help you detect more spam, thus running a better "laundry service".

Which way to go? It all depends on your needs. If we did a poll, you'd find some that would be using a starter DB and some that "emphatically:-) wouldn't.
I, for one, did the manual/automatic training thing on an empty Bayes ... some 5 years back, or so. I've since migrated that db around ever since, as well as used the "pure manual method" on some testbeds...
Others have the starter db thing in their notes for "how to setup a new MS server", and are very happy with that.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Tue Feb 3 14:23:49 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Feb 3 14:23:59 2009
Subject: debugging Spammassassin
In-Reply-To: <49883797.1080904@fsl.com>
References: <3411CC12BB577F4FAEAC8A694780866B022912EC@ITMAIL.town.barnstable.ma.us> <72cf361e0902030351y2649679ck68388f0804b65d70@mail.gmail.com> <49883797.1080904@fsl.com>
Message-ID: <223f97700902030623j2f466b81v4e82e5e4089ba72a@mail.gmail.com>

2009/2/3 Steve Freegard :
> Hi Martin,
>
> Martin Hepworth wrote:
>> [5464] dbg: dns: checking RBL zen.spamhaus.org., set zen-lastexternal
>> [5464] dbg: dns: checking RBL zen.spamhaus.org., set zen-lastexternal
>> [5464] dbg: dns: checking RBL zen.spamhaus.org., set zen
>>
>> could be you're overdoing the free spamhaus acceptable use and they
>> are slowing you down.
>
> Spamhaus don't throttle connections - they just return NXDOMAIN results
> for everything, so I doubt it's that.
>
> Cheers,
> Steve.

Since Ron now is down to more reasonable batch times and only had 5 logged timeouts... I'd suspect that to be expiry (in which case he'd see some expire files from the "interrupted" runs), or just ... plain big things that take more than 85 seconds to digest (for SA, provided the "max send to sa" thing has been raised).

I'd recommend to up the MS SA timeout to at least 200-300 seconds and see what happens.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From shuttlebox at gmail.com Tue Feb 3 14:33:46 2009
From: shuttlebox at gmail.com (shuttlebox)
Date: Tue Feb 3 14:33:56 2009
Subject: sa learn bayes starter DB
In-Reply-To: <223f97700902030614w47cda701m12443407d56b546e@mail.gmail.com>
References: <49872BA0.4@argroup.it> <223f97700902021448j57a53f1fi9e1ac6cca6cdd2ff@mail.gmail.com> <49882644.7020602@argroup.it> <223f97700902030614w47cda701m12443407d56b546e@mail.gmail.com>
Message-ID: <625385e30902030633p3b4b5629vbe42b09beb5dd8a3@mail.gmail.com>

On Tue, Feb 3, 2009 at 3:14 PM, Glenn Steen wrote:
> This is more philosophical than technical...:-).
> The "best" thing to do is to have 200-1000 spam messages and 200-1000
> ham (non-spam) messages, harvested from your normal mail flow, and
> manually train Bayes on these.
> Another option is to set things up with an empty Bayes and either rely
> on automatic training, or a combination of manual/automatic training,
> so that you reach the prerequisite of 200 spam/ham before Bayes start
> scoring.
> The third option is to "borrow" someone elses' Bayes database and
> start scoring directly. Obviously this is what you were about to do
> here.

Depends on the volume of course but for a domain with a few thousand mailboxes it should be sufficiently trained to start scoring after only a few hours of automatic training.

When I do my daily expire I see that 25% of the bayes db is purged. To me that means my whole db is refreshed every four days so why bother with a starter db from someone else's mail flow?

Maybe I got the wrong idea about how this purging works and someone can explain it better but I've never seen it on this list. Everyone seems to think that "good" tokens will stay in the db forever but I'm skeptical. I would like an answer to that and may have to go to the SA list to get it. Matt Kettler used to answer tricky SA questions about SA's internals but he doesn't seem to hang around here anymore..?

--
/peter

From glenn.steen at gmail.com Tue Feb 3 14:36:08 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Feb 3 14:36:17 2009
Subject: debugging Spammassassin
In-Reply-To: <3411CC12BB577F4FAEAC8A694780866B022912EC@ITMAIL.town.barnstable.ma.us>
References: <3411CC12BB577F4FAEAC8A694780866B022912EC@ITMAIL.town.barnstable.ma.us>
Message-ID: <223f97700902030636p4a8fe122l681041b10e5e201d@mail.gmail.com>

2009/2/2 Ghetti, Ron :
>
> (snip Steve's advice to run sa test by itself)
>
> Can't seem to get that to work, I have no idea what the postfix password
> is.

Why would you need that? It is probably set to something that crypt() never will be able to emit...;-).
You have root privs, right? That is all you need to "su" to someone else (if on Ubuntu or similar, do "sudo -i" to get an interactive shell as root, then do the "su - postfix -s /bin/bash", then do the spamassassin command as suggested previously).
Didn't you use that when you posted the second SA thing? I'm confused...:-)

> The numbers do seem a bit better though after adjusting a couple of
> settings
> And rewriting my report to pick up more info.
>
> Batch processes are much shorter and there are much fewer SA timeouts.
> This is from a 24 hour period.
>

Good!

>
> There were 6,925 Total messages Recieved.
> There were 5,299 messages marked as spam.
> There were 693 Messages Queued for delivery.
> There were 771 Messages Delivered.
> Average Batch Time = 11.6 seconds
> SA Timeouts = 5
> Messages Deferred = 13
> Messages Bounced = 5
>

Excellent. You do "recipient verification", right? So that you don't accept mail that have non-existent recipients...

>
> Spamassassin timeout kicked up to 85 seconds
> MaxChildren set to 12
> Batch Sizes set to 20
> No Virus Scanning
> Using Spamhaus-Zen and uribl
>

Time to up the SA timeout to 300 and turn virus scanning on, don't you think? If you run at least clamd, it likely won't hurt you.

>
> Thanks for all your help
> -Ron
>

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From lorenzo at argroup.it Tue Feb 3 14:50:51 2009
From: lorenzo at argroup.it (lorenzo) Date: Tue Feb 3 14:51:43 2009 Subject: sa learn bayes starter DB In-Reply-To: <223f97700902030614w47cda701m12443407d56b546e@mail.gmail.com> References: <49872BA0.4@argroup.it> <223f97700902021448j57a53f1fi9e1ac6cca6cdd2ff@mail.gmail.com> <49882644.7020602@argroup.it> <223f97700902030614w47cda701m12443407d56b546e@mail.gmail.com> Message-ID: <498859CB.2000708@argroup.it> Glenn Steen ha scritto: > 2009/2/3 lorenzo : > >> Glenn Steen ha scritto: >> >>> 2009/2/2 Kai Schaetzl : >>> >>> >>>> Lorenzo wrote on Mon, 02 Feb 2009 18:21:36 +0100: >>>> >>>> >>>> >>>>> how i can use this db with spamassassin? >>>>> >>>>> >>>> isn't that information in the download? >>>> >>>> Kai >>>> >>>> >>>> >>> Nah, it's just a tarball of a bayes directory with the usual three >>> file... Unpack to somewhere (/etc/MailScanner/) and set bayes_path >>> accordingly (/etc/MailScanner/bayes/bayes), ownership and permissins >>> ... and you are done. >>> >>> Whether one should use a DB other than from ones own mail flow... is >>> another question:) >>> >>> Cheers >>> >>> >> if you have a fresh mailserver is a good choice use this start db or is >> preferrable to start with a new bayes db? >> >> >> > This is more philosophical than technical...:-). > The "best" thing to do is to have 200-1000 spam messages and 200-1000 > ham (non-spam) messages, harvested from your normal mail flow, and > manually train Bayes on these. > Another option is to set things up with an empty Bayes and either rely > on automatic training, or a combination of manual/automatic training, > so that you reach the prerequisite of 200 spam/ham before Bayes start > scoring. > The third option is to "borrow" someone elses' Bayes database and > start scoring directly. Obviously this is what you were about to do > here. > > The problem(s) would be that: > - You have no real knowledge of what is in the Bayes db. 
> - It might have been trained on things that would FP/FN a lot for your > organisation/mail flow. > - you would have to watch the hit rate for Bayes pretty closely at the > start. Now... That would be something you'd need do anyway:-). > > So a starter DB will give you Bayes scoring, but might be seriously > out of date wrt the current spam trends and would potentially be all > wrong for your mail flow, hence leading to FP/FN rates that might > "hurt" you. > A lot of suppositions there:-). > Once your system is up and running (after a while all the tokens will > tend to be from your mail flow) the "impact" lessens. > > So why use one, if there are risks? Well, for one thing... Score set > three might be a lot better than set 1 (which you'll have until Bayes > kick in). You'll have no "sudden change" in scoring, as you would > otherwise (when Bayes kick in), and that predictability is possibly > something to strive for. > Bottom line on that string of thoughts is that it might help you > detect more spam, thus running a better "laundry service". > > Which way to go? It all depends on your needs. If we did a poll, you'd > find some that would be using a starter DB and some that > "emphatically:-) wouldn't. > I, for one, did the manual/automatic training thing on an empty Bayes > ... some 5 years back, or so. I've since migrated that db around ever > since, as well as used the "pure manual method" on some testbeds... > Others have the starter db thing in their notes for "how to setup a > new MS server", and are very happy with that. > > Cheers > I think im doing the manual/automatic method too with a small test mailserver. I don't now if it is what you exatly mean: I simply look at evry single mail in mailwatch and check if the mail is tagged correct. if not i change the sa learning flag. and i submit. :-) the start was hard but now seems ok. in 1 month seems that mailscanner is working not perfect but very acceptable. 
1 wrong tag every 600/700 mail and is learning quickly..... I was just dreaming that with a starter db sa can learn in 1 second and no more manual control. but I forgot that now i can use my small bayes test db and put in my official server that is going to start.... wish me good luck... :-) -- Lorenzo Santi aura srl -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From Ron.Ghetti at town.barnstable.ma.us Tue Feb 3 14:52:19 2009 From: Ron.Ghetti at town.barnstable.ma.us (Ghetti, Ron) Date: Tue Feb 3 14:52:38 2009 Subject: debugging Spammassassin Message-ID: <3411CC12BB577F4FAEAC8A694780866B022912F3@ITMAIL.town.barnstable.ma.us> Thanks for that, I'm actually only using Spamhaus-Zen. I haven't seen any errors from them so I'll likely keep it enabled. -Ron -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steve Freegard Sent: Tuesday, February 03, 2009 7:25 AM To: MailScanner discussion Subject: Re: debugging Spammassassin Hi Martin, Martin Hepworth wrote: > [5464] dbg: dns: checking RBL zen.spamhaus.org., set zen-lastexternal > [5464] dbg: dns: checking RBL zen.spamhaus.org., set zen-lastexternal > [5464] dbg: dns: checking RBL zen.spamhaus.org., set zen > > could be you're overdoing the free spamhaus acceptable use and they > are slowing you down. Spamhaus don't throttle connections - they just return NXDOMAIN results for everything, so I doubt it's that. Cheers, Steve. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From Ron.Ghetti at town.barnstable.ma.us Tue Feb 3 15:02:50 2009 
From: Ron.Ghetti at town.barnstable.ma.us (Ghetti, Ron) Date: Tue Feb 3 15:03:03 2009 Subject: debugging Spammassassin Message-ID: <3411CC12BB577F4FAEAC8A694780866B022912F4@ITMAIL.town.barnstable.ma.us> -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen Sent: Tuesday, February 03, 2009 9:36 AM To: MailScanner discussion Subject: Re: debugging Spammassassin 2009/2/2 Ghetti, Ron : > > (snip Steves advice to run sa test by itself) > > Can't seem to get that to work, I have no idea what the postfix password > is. Why would you need that? It is probably set to something that crypt() never will be able to emitt...;-). You have root privs, right? That is all you need to "su" to someone else (if on Ubuntu or similar, do "sudo -i" to get an interractive shell as root, then do the "su - postfix -s /bin/bash", then do the spamassassin command as suggested previously). Didn't you use that when you posted the second SA thing? I'm confused...:-) > The numbers do seem a bit better though after adjusting a couple of > settings > And rewriting my report to pick up more info. > > Batch processess are much shorter and there are much fewer SA timeouts. > This is from a 24 hour period. > Good! > > There were 6,925 Total messages Recieved. > There were 5,299 messages marked as spam. > There were 693 Messages Queued for delivery. > There were 771 Messages Delivered. > Average Batch Time = 11.6 seconds > SA Timeouts = 5 > Messages Deferred = 13 > Messages Bounced = 5 > Excellent. You do "recipient verification", right? So that you don't accept mail that have non-existant recipients... > > Spamassassin timeout kicked up to 85 seconds > MaxChildren set to 12 > Batch Sizes set to 20 > No Virus Scanning > Using Spamhaus-Zen and uribl > Time to up the SA timeout to 300 and turn virus scanning on, don't you think? If you run at least clamd, it likely wont hurt you. 
>
> Thanks for all your help
> -Ron
>

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

Thanks for the Reply Glenn.
Yes, I did do the su - postfix run. The first time it went fine, but every time thereafter, it started prompting for a password. Strange.

Yes on the Recipient verification, I run a script that pulls a userlist from our Active Directory Domain twice a day.

I'm going to have to up the spamassassin timeout setting, here are some figures for Monday (groundhog day). It wasn't quite as productive.

There were 9,388 Total messages Recieved.
There were 3,502 Messages Queued for delivery.
There were 3,605 Messages Delivered.
There were 21 Messages Bounced.
There were 64 Messages Deferred.
There were 5,361 messages marked as spam.
SpamAssassin TimeOuts: 544
Average Batch Time: 24.48

The SpamAssassin timeouts are what is killing me, I'll have to keep playing with it.
Thanks everyone.
-Ron

From glenn.steen at gmail.com Tue Feb 3 15:28:04 2009
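Added example (not code from any poster or from MailScanner): Steve Freegard's advice in this thread is to derive the average scan time per message from the "Batch (N messages) processed in X seconds" log lines, aim for under 10 seconds, and check whether larger batches get cheaper per message. The script below does that over the six batch lines Ron posted; the function names, the constant name and the one non-batch log line are assumptions made for the example.

```python
"""Per-message scan time from MailScanner 'Batch ... processed in' log lines."""
import re
from statistics import mean

# Matches the batch summary lines quoted in the thread. search() is used, so
# any syslog prefix (timestamp, host, PID) in front of the phrase is ignored.
BATCH_RE = re.compile(
    r"Batch \((\d+) messages?\) processed in (\d+(?:\.\d+)?) seconds"
)

# Target quoted in the thread: average time per message under 10 seconds.
TARGET_SECONDS_PER_MESSAGE = 10.0

# The six batch lines Ron posted, plus one constructed non-batch line to show
# that unrelated log entries are skipped.
SAMPLE_LOG = """\
Batch (1 message) processed in 62.04 seconds
Batch (1 message) processed in 61.83 seconds
Batch (2 messages) processed in 111.01 seconds
(constructed) some other log entry that is not a batch summary
Batch (7 messages) processed in 313.62 seconds
Batch (9 messages) processed in 423.96 seconds
Batch (10 messages) processed in 719.89 seconds
"""


def parse_batches(text):
    """Return [(message_count, seconds), ...] for every batch line in text."""
    batches = []
    for line in text.splitlines():
        match = BATCH_RE.search(line)
        if match is None:
            continue
        count, seconds = int(match.group(1)), float(match.group(2))
        if count > 0:  # an empty batch has no per-message time
            batches.append((count, seconds))
    return batches


def per_message_times(batches):
    """Seconds per message for each batch, in log order."""
    return [seconds / count for count, seconds in batches]


def overall_average(batches):
    """Message-weighted average: total seconds divided by total messages."""
    total_messages = sum(count for count, _ in batches)
    if total_messages == 0:
        raise ValueError("no batch lines found")
    return sum(seconds for _, seconds in batches) / total_messages


def over_target(batches, target=TARGET_SECONDS_PER_MESSAGE):
    """Batches whose per-message time is at or above the target."""
    return [(c, s) for c, s in batches if s / c >= target]


def larger_batches_are_cheaper(batches):
    """True if the largest batches cost less per message than the smallest."""
    sizes = [count for count, _ in batches]
    smallest, largest = min(sizes), max(sizes)
    if smallest == largest:
        return False  # only one batch size seen, nothing to compare
    small = mean(s / c for c, s in batches if c == smallest)
    large = mean(s / c for c, s in batches if c == largest)
    return large < small


if __name__ == "__main__":
    found = parse_batches(SAMPLE_LOG)
    for (count, seconds), each in zip(found, per_message_times(found)):
        print(f"{count:3d} msgs {seconds:8.2f}s -> {each:6.2f}s per message")
    print(f"overall: {overall_average(found):.2f}s per message")
    print(f"batches over target: {len(over_target(found))} of {len(found)}")
    print(f"larger batches cheaper: {larger_batches_are_cheaper(found)}")
```

Feed it the MailScanner lines from the mail log (with Log Speed = yes, as Steve describes) instead of SAMPLE_LOG to compare runs with different child counts.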
From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Feb 3 15:28:14 2009 Subject: sa learn bayes starter DB In-Reply-To: <498859CB.2000708@argroup.it> References: <49872BA0.4@argroup.it> <223f97700902021448j57a53f1fi9e1ac6cca6cdd2ff@mail.gmail.com> <49882644.7020602@argroup.it> <223f97700902030614w47cda701m12443407d56b546e@mail.gmail.com> <498859CB.2000708@argroup.it> Message-ID: <223f97700902030728g7031f6a2x5c84e54d4686fec0@mail.gmail.com> 2009/2/3 lorenzo : > Glenn Steen ha scritto: >> >> 2009/2/3 lorenzo : >> >>> >>> Glenn Steen ha scritto: >>> >>>> >>>> 2009/2/2 Kai Schaetzl : >>>> >>>> >>>>> >>>>> Lorenzo wrote on Mon, 02 Feb 2009 18:21:36 +0100: >>>>> >>>>> >>>>> >>>>>> >>>>>> how i can use this db with spamassassin? >>>>>> >>>>>> >>>>> >>>>> isn't that information in the download? >>>>> >>>>> Kai >>>>> >>>>> >>>>> >>>> >>>> Nah, it's just a tarball of a bayes directory with the usual three >>>> file... Unpack to somewhere (/etc/MailScanner/) and set bayes_path >>>> accordingly (/etc/MailScanner/bayes/bayes), ownership and permissins >>>> ... and you are done. >>>> >>>> Whether one should use a DB other than from ones own mail flow... is >>>> another question:) >>>> >>>> Cheers >>>> >>>> >>> >>> if you have a fresh mailserver is a good choice use this start db or is >>> preferrable to start with a new bayes db? >>> >>> >>> >> >> This is more philosophical than technical...:-). >> The "best" thing to do is to have 200-1000 spam messages and 200-1000 >> ham (non-spam) messages, harvested from your normal mail flow, and >> manually train Bayes on these. >> Another option is to set things up with an empty Bayes and either rely >> on automatic training, or a combination of manual/automatic training, >> so that you reach the prerequisite of 200 spam/ham before Bayes start >> scoring. >> The third option is to "borrow" someone elses' Bayes database and >> start scoring directly. Obviously this is what you were about to do >> here. 
>> >> The problem(s) would be that: >> - You have no real knowledge of what is in the Bayes db. >> - It might have been trained on things that would FP/FN a lot for your >> organisation/mail flow. >> - you would have to watch the hit rate for Bayes pretty closely at the >> start. Now... That would be something you'd need to do anyway:-). >> >> So a starter DB will give you Bayes scoring, but might be seriously >> out of date wrt the current spam trends and would potentially be all >> wrong for your mail flow, hence leading to FP/FN rates that might >> "hurt" you. >> A lot of suppositions there:-). >> Once your system is up and running (after a while all the tokens will >> tend to be from your mail flow) the "impact" lessens. >> >> So why use one, if there are risks? Well, for one thing... Score set >> three might be a lot better than set 1 (which you'll have until Bayes >> kick in). You'll have no "sudden change" in scoring, as you would >> otherwise (when Bayes kick in), and that predictability is possibly >> something to strive for. >> Bottom line on that string of thoughts is that it might help you >> detect more spam, thus running a better "laundry service". >> >> Which way to go? It all depends on your needs. If we did a poll, you'd >> find some that would be using a starter DB and some that >> "emphatically:-) wouldn't. >> I, for one, did the manual/automatic training thing on an empty Bayes >> ... some 5 years back, or so. I've since migrated that db around ever >> since, as well as used the "pure manual method" on some testbeds... >> Others have the starter db thing in their notes for "how to setup a >> new MS server", and are very happy with that. >> >> Cheers >> > > I think I'm doing the manual/automatic method too with a small test > mailserver. I don't know if it is what you exactly mean: I simply look at every > single mail in mailwatch and check if the mail is tagged correct. if not I > change the sa learning flag. and I submit. :-) Exactly what I meant;-).
> the start was hard but now seems ok. in 1 month seems that mailscanner is > working not perfect but very acceptable. 1 wrong tag every 600/700 mail and > is learning quickly..... With a large throughput, the work will be "more automatic" after a while, as implied by Peter. > I was just dreaming that with a starter db sa can learn in 1 second and no > more manual control. but I forgot that now i can use my small bayes test db > and put in my official server that is going to start.... > wish me good luck... :-) > We all long for "silver bullets" from time to time:-). Best of luck to you and your new server! Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From davejones70 at gmail.com Tue Feb 3 18:47:10 2009 
From: davejones70 at gmail.com (Dave Jones) Date: Tue Feb 3 18:47:20 2009 Subject: Disable MCP notifications for High Spam Message-ID: <67a55ed50902031047n138de00am9a193f74f8de5c9b@mail.gmail.com> >On 2/2/09 13:04, Dave Jones wrote: >>> If you can, re-implement your MCP filtering with "SpamAssassin Rule >>> Actions". It gives you much more precise control over what happens to >>> the mail, and will run a lot faster too. >>> >> >> >>> On 31/1/09 11:56, Dave Jones wrote: >>> >>>> Does anyone have any ideas how the MCP notifications can be disabled >>>> for High Scoring Spam? The High Spam is getting caught and deleted >>>> but when it also hits the MCP threshold, the user is getting the >>>> recipient.mcp.report.txt notification. There are lots of High Spam >>>> that will hit common profanity checks in MCP. >>>> >>>> I found a thread in the maillist archives on "MCP/SPAM Actions" saying >>>> that delete is the last action taken so the MCP notify takes >>>> precedence. However, I was wondering if there are some recent >>>> feature additions that will allow me to override this now. >>>> >>>> High Scoring Spam Actions = delete >>>> MCP Actions = store notify >>>> High Scoring MCP Actions = store notify >>>> >>>> >>>> >> >> >>> Jules >>> >> >> If I have 100 or so MCP SA rules, then do I have to create a rule line >> for each one or is there a way to match all of them if they start with >> something unique like "PROFANITY_IN_". Can I use "PROFANITY_IN_*" so >> it will pick up new rules as I add them or do I have to specify the >> full rule name? >> >Your easiest solution would be to create a meta rule in SpamAssassin >which triggers if any of your PROFANITY_IN_ rules matches. The syntax is >very simple and is documented in "man Mail::SpamAssassin::Conf", and >there are plenty of examples in the rulesets shipped with SpamAssassin. > >Then your "SpamAssassin Rule Actions" only has to mention 1 rule. 
>> So how would I setup the notification rules so that it would use the >> same MCP recipient.mcp.report.txt? So is there a way to send the same recipient.mcp.report.txt notification or am I limited to the standard spam notification (recipient.spam.report.txt)? I guess if I have normal spam notifications disabled anyway, I could set up the new rule to default to not-notify and copy the recipient.mcp.report.txt over the top of the recipient.spam.report.txt. Is there a better way in case I want to enable spam notifications in the future? Thanks for answering the other questions. This is a huge help. >> And I guess whitelisting some users from the profanity checks is as >> simple as "not-notify". >> >Correct. > >Jules -- Dave Jones From lists at openenterprise.ca Tue Feb 3 19:56:16 2009 From: lists at openenterprise.ca (Johnny Stork) Date: Tue Feb 3 19:56:28 2009 Subject: Spamassassin Updates Message-ID: <4988A160.4020004@openenterprise.ca> I am not sure if something has changed somewhere along the past few updates, but how should SA be updated? On my CentOS 5x system, running MS 4.72.5 I have an old cron job which is clearly dead now as the file no longer exists. /bin/sh: /usr/share/spamassassin/sa-update.cron: No such file or directory But I also have another cron job /etc/cron.daily/update_spamassassin but when I run this I don't see any output and the cf files in /usr/share/spamassassin/ remain untouched? What should I be running to ensure SA rules are current? Thanks to anyone that can help From Ron.Ghetti at town.barnstable.ma.us Tue Feb 3 20:50:53 2009
From: Ron.Ghetti at town.barnstable.ma.us (Ghetti, Ron) Date: Tue Feb 3 20:51:07 2009 Subject: ClamAV Mailscanner not using clamd Message-ID: <3411CC12BB577F4FAEAC8A694780866B022912FF@ITMAIL.town.barnstable.ma.us> Hi, this one seems to be eluding me, I've got the settings in MailScanner.conf setup, clamav-daemon is installed and a running process based on this: > ps ax | grep [c]lamd >4957 ? Ss 0:06 /usr/sbin/clamd So I'm looking for some indication that it is being used properly. Any suggestions ? Thanks -Ron From shuttlebox at gmail.com Tue Feb 3 21:02:19 2009 From: shuttlebox at gmail.com (shuttlebox) Date: Tue Feb 3 21:02:28 2009 Subject: ClamAV Mailscanner not using clamd In-Reply-To: <3411CC12BB577F4FAEAC8A694780866B022912FF@ITMAIL.town.barnstable.ma.us> References: <3411CC12BB577F4FAEAC8A694780866B022912FF@ITMAIL.town.barnstable.ma.us> Message-ID: <625385e30902031302p1323be12k504cf16d1aca6f30@mail.gmail.com> On Tue, Feb 3, 2009 at 9:50 PM, Ghetti, Ron wrote: > > Hi, > this one seems to be eluding me, I've got the settings in > MailScanner.conf > setup, clamav-daemon is installed and a running process based on this: > >> ps ax | grep [c]lamd >>4957 ? Ss 0:06 /usr/sbin/clamd > > So I'm looking for some indication that it is being used properly. > Any suggestions ? Try "MailScanner --lint" for some diagnostic output. Also send the Eicar test virus through your mail server and look in the logs for INFECTED, if it's clamscan being used it will say FOUND. -- /peter From Ron.Ghetti at town.barnstable.ma.us Tue Feb 3 21:37:52 2009 From: Ron.Ghetti at town.barnstable.ma.us (Ghetti, Ron) Date: Tue Feb 3 21:38:05 2009 Subject: ClamAV Mailscanner not using clamd Message-ID: <3411CC12BB577F4FAEAC8A694780866B02291300@ITMAIL.town.barnstable.ma.us> -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of shuttlebox Sent: Tuesday, February 03, 2009 4:02 PM To: MailScanner discussion Subject: Re: ClamAV Mailscanner not using clamd On Tue, Feb 3, 2009 at 9:50 PM, Ghetti, Ron wrote: > > Hi, > this one seems to be eluding me, I've got the settings in > MailScanner.conf > setup, clamav-daemon is installed and a running process based on this: > >> ps ax | grep [c]lamd >>4957 ? Ss 0:06 /usr/sbin/clamd > > So I'm looking for some indication that it is being used properly. > Any suggestions ? Try "MailScanner --lint" for some diagnostic output. Also send the Eicar test virus through your mail server and look in the logs for INFECTED, if it's clamscan being used it will say FOUND. -- /peter -- Thanks Peter, that helps. It doesn't see it for some reason and there appears to be no wrapper Script to run it in /opt/MailScanner/lib Guess I'll need to find one somewhere.... Thanks -Ron MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From ssilva at sgvwater.com Tue Feb 3 22:44:01 2009 
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Feb 3 22:44:22 2009 Subject: ClamAV Mailscanner not using clamd In-Reply-To: <3411CC12BB577F4FAEAC8A694780866B022912FF@ITMAIL.town.barnstable.ma.us> References: <3411CC12BB577F4FAEAC8A694780866B022912FF@ITMAIL.town.barnstable.ma.us> Message-ID: on 2-3-2009 12:50 PM Ghetti, Ron spake the following: > Hi, > this one seems to be eluding me, I've got the settings in > MailScanner.conf > setup, clamav-daemon is installed and a running process based on this: > >> ps ax | grep [c]lamd >> 4957 ? Ss 0:06 /usr/sbin/clamd > > So I'm looking for some indication that it is being used properly. > Any suggestions ? > > Thanks > > -Ron > Are you using a recent version of MailScanner or are you using some distributions idea of a "safe" version? Did you install the proper version for your distro? Maybe you could give info of what OS, which version of MailScanner, clamd, ETC... -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 258 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090203/c39e620b/signature.bin From maxsec at gmail.com Wed Feb 4 08:28:05 2009 
From: maxsec at gmail.com (Martin Hepworth) Date: Wed Feb 4 08:28:15 2009 Subject: Spamassassin Updates In-Reply-To: <4988A160.4020004@openenterprise.ca> References: <4988A160.4020004@openenterprise.ca> Message-ID: <72cf361e0902040028l39613abu94f0d1295266e0dc@mail.gmail.com> updates will go to /var/lib/spamassassin// -- Martin Hepworth Oxford, UK 2009/2/3 Johnny Stork : > I am not sure if something has changed somewhere along the past few updates, > but how should SA be updated? On my CentOS 5x system, running MS 4.72.5 I > have an old cron job which is clearly dead now as the file no longer exists. > > /bin/sh: /usr/share/spamassassin/sa-update.cron: No such file or directory > > But I also have another cron job /etc/cron.daily/update_spamassassin > > > but when I run this I dont see any output and the cf files in > /usr/share/spamassassin/ > > > remain untouched? > > What should I be running to ensure SA rules are current? > > Thanks to anyone that can help > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From ajcartmell at fonant.com Wed Feb 4 10:05:46 2009 
From: ajcartmell at fonant.com (Anthony Cartmell) Date: Wed Feb 4 10:06:01 2009 Subject: ClamAV Mailscanner not using clamd In-Reply-To: <3411CC12BB577F4FAEAC8A694780866B022912FF@ITMAIL.town.barnstable.ma.us> References: <3411CC12BB577F4FAEAC8A694780866B022912FF@ITMAIL.town.barnstable.ma.us> Message-ID: > this one seems to be eluding me, I've got the settings in > MailScanner.conf > setup, clamav-daemon is installed and a running process based on this: > >> ps ax | grep [c]lamd >> 4957 ? Ss 0:06 /usr/sbin/clamd > > So I'm looking for some indication that it is being used properly. > Any suggestions ? Heh, I've just had the same problem. In my case I'd forgotten that I'd set "Virus Scanning = no" while setting up a new server... doh! With virus scanning enabled again, "MailScanner --lint" gives me output like the following, which shows that clamd found the test virus: ~~~~~~~~~~ Trying to setlogsock(unix) Read 849 hostnames from the phishing whitelist Read 5065 hostnames from the phishing blacklist Config: calling custom init function MailWatchLogging Started SQL Logging child Checking version numbers... Version number in MailScanner.conf (4.74.16) is correct. Your envelope_sender_header in spam.assassin.prefs.conf is correct. Checking for SpamAssassin errors (if you use it)... Using SpamAssassin results cache Connected to SpamAssassin cache database SpamAssassin reported no errors. 
Using locktype = posix MailScanner.conf says "Virus Scanners = clamd" Found these virus scanners installed: clamavmodule, clamd =========================================================================== Filename Checks: Windows/DOS Executable (1 eicar.com) Other Checks: Found 1 problems Virus and Content Scanning: Starting Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com Virus Scanning: Clamd found 2 infections Infected message 1 came from 10.1.1.1 Virus Scanning: Found 2 viruses =========================================================================== Virus Scanner test reports: Clamd said "eicar.com was infected: Eicar-Test-Signature" If any of your virus scanners (clamavmodule,clamd) are not listed there, you should check that they are installed correctly and that MailScanner is finding them correctly via its virus.scanners.conf. ~~~~~~~~~~~~~~~~ Thanks to Jules for including the Eicar testing in the --lint : a really useful feature :) HTH, Anthony -- www.fonant.com - Quality web sites From paul.simpkin at hitec-systems.co.uk Wed Feb 4 11:26:46 2009 From: paul.simpkin at hitec-systems.co.uk (Paul Simpkin) Date: Wed Feb 4 11:27:02 2009 Subject: REJECT RBL at MTA level Message-ID: <000101c986bb$76d867f0$648937d0$@simpkin@hitec-systems.co.uk> Hi, Could someone point me the right way to finding how I can REJECT RBL's at MTA level, so that Mailscanner does not process the mail. I have a lot of UK ADSL connections trying to send mail all day long. Thanks Paul PS. Running: Mailscanner 4.71.10 Sendmail - CentOS 5.2 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090204/bd93d1fc/attachment.html From prandal at herefordshire.gov.uk Wed Feb 4 11:42:21 2009 
From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Wed Feb 4 11:42:57 2009 Subject: REJECT RBL at MTA level In-Reply-To: <000101c986bb$76d867f0$648937d0$@simpkin@hitec-systems.co.uk> References: <000101c986bb$76d867f0$648937d0$@simpkin@hitec-systems.co.uk> Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA05DA4ACD@HC-MBX02.herefordshire.gov.uk>

In /etc/mail/sendmail.mc, do something like

FEATURE(`enhdnsbl', `bl.spamcop.net',`"554 Rejected " $&{client_addr} " found in bl.spamcop.net - http://spamcop.net/bl.shtml?"$&{client_addr}', `t')dnl
FEATURE(`enhdnsbl',`cbl.abuseat.org',`"554 Rejected " $&{client_addr} " found in cbl.abuseat.org - http://cbl.abuseat.org/lookup.cgi?ip=" $&{client_addr}',`t')dnl

(or use zen.spamhaus.org)

Then

make -C /etc/mail

Cheers, Phil -- Phil Randal | Networks Engineer Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division Thorn Office Centre, Rotherwas, Hereford, HR2 6JT Tel: 01432 260160 email: prandal@herefordshire.gov.uk Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Herefordshire Council. This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it. ________________________________
From paul.simpkin at hitec-systems.co.uk Wed Feb 4 11:56:53 2009 From: paul.simpkin at hitec-systems.co.uk (Paul Simpkin) Date: Wed Feb 4 11:57:11 2009 Subject: REJECT RBL at MTA level In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA05DA4ACD@HC-MBX02.herefordshire.gov.uk> References: <000101c986bb$76d867f0$648937d0$@simpkin@hitec-systems.co.uk> <7EF0EE5CB3B263488C8C18823239BEBA05DA4ACD@HC-MBX02.herefordshire.gov.uk> Message-ID: <002801c986bf$ac2b3c80$0481b580$@simpkin@hitec-systems.co.uk> Thank you soooo much!
From ms-list at alexb.ch Wed Feb 4 13:34:33 2009 From: ms-list at alexb.ch (Alex Broens) Date: Wed Feb 4 13:34:43 2009 Subject: FW: Individual SURBL lists to be shut down on public nameservers February 28, 2009. Use multi. Message-ID: <49899969.1060704@alexb.ch> FYI / Heads Up ____ For historical reasons, the SURBL public nameservers were serving individual lists ab, sc, ob and ws in addition to multi. However these individual lists have all been deprecated in favor of multi for several years since multi contains all lists. Traffic for the individual lists is relatively very low, and no one should be using them any more, so in order to reduce unnecessary and redundant network traffic we will be turning off public nameservice for the individual lists on February 28th, 2009. Everyone should be using multi.surbl.org instead, and this has been the case for many years now. Therefore if anyone is using the individual lists, please stop doing so and use multi instead. A single query to multi will check all SURBL lists. http://www.surbl.org/lists.html Cheers, Jeff C. -- Your IP Address Is 127.0.0.2 From resium at gmail.com Wed Feb 4 14:55:46 2009
From: resium at gmail.com (Justin Ellis) Date: Wed Feb 4 14:55:55 2009 Subject: MailScanner 4.74.16 Debug Message-ID:

Good Morning All, I'm running into an issue that I'm not really sure what the root cause of is. My queues were moving slowly yesterday, and today are not moving at all. The setup is: Postfix 2.4 with MailScanner 4.74.16 running on RH5. Running MailScanner in debug mode nets me the following error:

Can't call method "print" on an undefined value at /usr/lib/MailScanner/MailScanner/PFDiskStore.pm line 734

The PFDiskStore file has not been modified, but here are its contents as well:

# Write a message to a filehandle
sub WriteEntireMessage {
  my($this, $message, $handle) = @_;

  # Write the whole message in RFC822 format to the filehandle.
  # That means 1 CR-terminated line for every N record in the file.
  my $b= Body->new( $this->{inhdhandle} );
  if ($b) {
    $b->Start(1); # 1 says we want the headers as well as the body
    my $line;
    print STDERR "WriteEntireMessage\n";
    while(defined($line = $b->Next())) {
      $handle-> print($line . "\n");
      #print STDERR "BODY: $line\n";
    }
    $b->Done();
  }
}

This may not be all of the information you need, but I couldn't think of anything else to add. Can someone point me in the right direction? Thanks in advance!

From Ron.Ghetti at town.barnstable.ma.us Wed Feb 4 05:56:27 2009 From: Ron.Ghetti at town.barnstable.ma.us (Ghetti, Ron) Date: Wed Feb 4 15:08:33 2009 Subject: ClamAV Mailscanner not using clamd References: <3411CC12BB577F4FAEAC8A694780866B022912FF@ITMAIL.town.barnstable.ma.us> Message-ID: <3411CC12BB577F4FAEAC8A694780866B024F2DE5@ITMAIL.town.barnstable.ma.us> ________________________________
From: mailscanner-bounces@lists.mailscanner.info on behalf of Scott Silva Sent: Tue 2/3/2009 5:44 PM To: mailscanner@lists.mailscanner.info Subject: Re: ClamAV Mailscanner not using clamd on 2-3-2009 12:50 PM Ghetti, Ron spake the following: > Hi, > this one seems to be eluding me, I've got the settings in > MailScanner.conf > setup, clamav-daemon is installed and a running process based on this: > >> ps ax | grep [c]lamd >> 4957 ? Ss 0:06 /usr/sbin/clamd > > So I'm looking for some indication that it is being used properly. > Any suggestions ? > > Thanks > > -Ron > Are you using a recent version of MailScanner or are you using some distributions idea of a "safe" version? Did you install the proper version for your distro? Maybe you could give info of what OS, which version of MailScanner, clamd, ETC... sure. Some Background: Dell PowerEdge 2950 8gb Ram Ubuntu 7.04 Perl 5.8.8 MailScanner 4.68.8 Postfix 2.3.8 ClamAV 94.2 d/loaded from the MailScanner site. SpamAssassin 3.2.4 it's been running pretty well for well over a year. I ran cpan update and tried to install the perl clamav module without any luck, I get errors when it tries to compile. It's giving me errors saying that clam is too old! I downloaded that file last week. I fear I may have mangled the whole thing now. Originally we turned off Virus scanning because it couldn't keep up with the load. users expect messages to fly through within 5 or 10 minutes, if it doesn't then I hear about it. I wanted to try and get that back enabled with the clamd version but it looks like I may have other issues as well. thanks -Ron From shuttlebox at gmail.com Wed Feb 4 15:19:40 2009 
From: shuttlebox at gmail.com (shuttlebox) Date: Wed Feb 4 15:19:49 2009 Subject: ClamAV Mailscanner not using clamd In-Reply-To: <3411CC12BB577F4FAEAC8A694780866B024F2DE5@ITMAIL.town.barnstable.ma.us> References: <3411CC12BB577F4FAEAC8A694780866B022912FF@ITMAIL.town.barnstable.ma.us> <3411CC12BB577F4FAEAC8A694780866B024F2DE5@ITMAIL.town.barnstable.ma.us> Message-ID: <625385e30902040719o4df19ff6uce3812a9dea0913c@mail.gmail.com> On Wed, Feb 4, 2009 at 6:56 AM, Ghetti, Ron wrote: > Some Background: > Dell PowerEdge 2950 8gb Ram > Ubuntu 7.04 > Perl 5.8.8 > MailScanner 4.68.8 > Postfix 2.3.8 > > ClamAV 94.2 d/loaded from the MailScanner site. > SpamAssassin 3.2.4 You need at least MS 4.72 to use Clam 0.94.x, so much has changed in Clam that you can't use 4.68. Read more here: http://mailscanner.info/ChangeLog I would also recommend using SA 3.2.5 even though it has nothing to do with this problem. -- /peter From ecasarero at gmail.com Wed Feb 4 15:21:54 2009 
From: ecasarero at gmail.com (Eduardo Casarero) Date: Wed Feb 4 15:22:04 2009 Subject: OT: Filtering OutBound SPAM Message-ID: <7d9b3cf20902040721r701b1376na914f564d68a30d4@mail.gmail.com> Hi, I've a rare scenario with one of my customers and I thought that someone from here could give me some fresh(?) ideas. My client has its own MTA (which I don't manage, neither have access to logs, etc) and it sends all outbound traffic to my server that has (MScanner, SA, clamav, dcc, pyzor, razor, some custom rules, etc). The problem I've right now is that (I assume) some malware stole valid user/passwords to authenticate in the smtp server of my client, so tons of spam are trying to get out to internet through my server. Although all anti-spam stuff seems to work, I need some new countermeasures to stop this at MailScanner stage (I can't do anything at MTA level because everything comes from the same ip). Any idea? something like my own checksum repository, or url blacklist, or header authentication matching, etc. Any help would be appreciated. Eduardo. From prandal at herefordshire.gov.uk Wed Feb 4 15:31:25 2009
From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Wed Feb 4 15:31:43 2009 Subject: Filtering OutBound SPAM In-Reply-To: <7d9b3cf20902040721r701b1376na914f564d68a30d4@mail.gmail.com> References: <7d9b3cf20902040721r701b1376na914f564d68a30d4@mail.gmail.com> Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA05DA4BE0@HC-MBX02.herefordshire.gov.uk> Whilst everything comes from the same IP (client's MTA), the Received headers should have the infected box's IP address. Give that/those a high score in spamassassin, and tell the client to clean their infected PCs Cheers, Phil -- Phil Randal | Networks Engineer Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division Thorn Office Centre, Rotherwas, Hereford, HR2 6JT Tel: 01432 260160 email: prandal@herefordshire.gov.uk Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Herefordshire Council. This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it. ________________________________ 
From ecasarero at gmail.com Wed Feb 4 15:38:01 2009
From: ecasarero at gmail.com (Eduardo Casarero) Date: Wed Feb 4 15:38:12 2009 Subject: Filtering OutBound SPAM In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA05DA4BE0@HC-MBX02.herefordshire.gov.uk> References: <7d9b3cf20902040721r701b1376na914f564d68a30d4@mail.gmail.com> <7EF0EE5CB3B263488C8C18823239BEBA05DA4BE0@HC-MBX02.herefordshire.gov.uk> Message-ID: <7d9b3cf20902040738r4b803e5buafaa5f4b9ebc9dda@mail.gmail.com> 2009/2/4 Randal, Phil > Whilst everything comes from the same IP (client's MTA), the Received > headers should have the infected box's IP address. > > Give that/those a high score in spamassassin, and tell the client to clean > their infected PCs > > You mean manually check headers? and then add a high score? > Cheers, > > Phil > -- > Phil Randal | Networks Engineer > Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services > Division > Thorn Office Centre, Rotherwas, Hereford, HR2 6JT > Tel: 01432 260160 > email: prandal@herefordshire.gov.uk > > Any opinion expressed in this e-mail or any attached files are those of the > individual and not necessarily those of Herefordshire Council. > > This e-mail and any attached files are confidential and intended solely for > the use of the addressee. This communication may contain material protected > by law from being passed on. If you are not the intended recipient and have > received this e-mail in error, you are advised that any use, dissemination, > forwarding, printing or copying of this e-mail is strictly prohibited. If > you have received this e-mail in error please contact the sender immediately > and destroy all copies of it.
> > > ------------------------------ > *From:* mailscanner-bounces@lists.mailscanner.info [mailto: > mailscanner-bounces@lists.mailscanner.info] *On Behalf Of *Eduardo > Casarero > *Sent:* 04 February 2009 15:22 > *To:* MailScanner discussion > *Subject:* OT: Filtering OutBound SPAM > > Hi, I've a rare scenario with one of my customers and I thought that someone > from here could give me some fresh(?) ideas. > > My client has its own MTA (which I don't manage, neither have access to > logs, etc) and it sends all outbound traffic to my server that has > (MScanner, SA, clamav, dcc, pyzor, razor, some custom rules, etc). > > The problem I've right now is that (I assume) some malware stole valid > user/passwords to authenticate in the smtp server of my client, so tons of > spam are trying to get out to internet through my server. > > Although all anti-spam stuff seems to work, I need some new countermeasures > to stop this at MailScanner stage (I can't do anything at MTA level because > everything comes from the same ip). > > Any idea? > > something like my own checksum repository, or url blacklist, or header > authentication matching, etc. > > Any help would be appreciated. > > Eduardo. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > From prandal at herefordshire.gov.uk Wed Feb 4 15:51:20 2009 
From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Wed Feb 4 15:51:39 2009 Subject: Filtering OutBound SPAM In-Reply-To: <7d9b3cf20902040738r4b803e5buafaa5f4b9ebc9dda@mail.gmail.com> References: <7d9b3cf20902040721r701b1376na914f564d68a30d4@mail.gmail.com><7EF0EE5CB3B263488C8C18823239BEBA05DA4BE0@HC-MBX02.herefordshire.gov.uk> <7d9b3cf20902040738r4b803e5buafaa5f4b9ebc9dda@mail.gmail.com> Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA05DA4C03@HC-MBX02.herefordshire.gov.uk> Well, on some of them... With a bit of luck, it'll only be a few infected boxes. You'd need a meta rule in SA and two "Received" matches - the IP of client's MTA and infected PC's internal IP. Cheers, Phil -- Phil Randal | Networks Engineer Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division Thorn Office Centre, Rotherwas, Hereford, HR2 6JT Tel: 01432 260160 email: prandal@herefordshire.gov.uk Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Herefordshire Council. This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it. ________________________________ 
From Ron.Ghetti at town.barnstable.ma.us Wed Feb 4 15:56:31 2009 From: Ron.Ghetti at town.barnstable.ma.us (Ghetti, Ron) Date: Wed Feb 4 16:12:38 2009 Subject: ClamAV Mailscanner not using clamd Message-ID: <3411CC12BB577F4FAEAC8A694780866B02291303@ITMAIL.town.barnstable.ma.us> -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of shuttlebox Sent: Wednesday, February 04, 2009 10:20 AM To: MailScanner discussion Subject: Re: ClamAV Mailscanner not using clamd On Wed, Feb 4, 2009 at 6:56 AM, Ghetti, Ron wrote: > Some Background: > Dell PowerEdge 2950 8gb Ram > Ubuntu 7.04 > Perl 5.8.8 > MailScanner 4.68.8 > Postfix 2.3.8 > > ClamAV 94.2 d/loaded from the MailScanner site. > SpamAssassin 3.2.4 You need at least MS 4.72 to use Clam 0.94.x, so much has changed in Clam that you can't use 4.68. Read more here: http://mailscanner.info/ChangeLog I would also recommend using SA 3.2.5 even though it has nothing to do with this problem. -- /peter -- Thanks Peter, that clearly is the answer. Not what I was hoping for of course, but I'll have to deal with it. I'm going to build a new box, care to recommend a linux distribution ? I'm leaning towards either Debian or Fedora. Ubuntu was quick and easy but moving forward I can see is becoming a pain. :) -Ron From shuttlebox at gmail.com Wed Feb 4 16:23:31 2009 From: shuttlebox at gmail.com (shuttlebox) Date: Wed Feb 4 16:23:41 2009 Subject: ClamAV Mailscanner not using clamd In-Reply-To: <3411CC12BB577F4FAEAC8A694780866B02291303@ITMAIL.town.barnstable.ma.us> References: <3411CC12BB577F4FAEAC8A694780866B02291303@ITMAIL.town.barnstable.ma.us> Message-ID: <625385e30902040823wb12494diba0473c4d3e391e0@mail.gmail.com> On Wed, Feb 4, 2009 at 4:56 PM, Ghetti, Ron wrote: > I'm going to build a new box, care to recommend a linux distribution ? Not really but I can recommend Solaris. :-) We package everything needed so it's a oneliner to install with no dependency problems. http://www.opencsw.org/packages/mailscanner -- /peter From ka at pacific.net Wed Feb 4 16:24:26 2009 
From: ka at pacific.net (Ken A) Date: Wed Feb 4 16:24:41 2009 Subject: OT: Filtering OutBound SPAM In-Reply-To: <7d9b3cf20902040721r701b1376na914f564d68a30d4@mail.gmail.com> References: <7d9b3cf20902040721r701b1376na914f564d68a30d4@mail.gmail.com> Message-ID: <4989C13A.8000102@pacific.net> Eduardo Casarero wrote: > Hi, I've a rare scenario with one of my customers and I thought that someone > from here could give me some fresh(?) ideas. > > My client has its own MTA (which I don't manage, neither have access to > logs, etc) and it sends all outbound traffic to my server that has > (MScanner, SA, clamav, dcc, pyzor, razor, some custom rules, etc). > > The problem I've right now is that (I assume) some malware stole valid > user/passwords to authenticate in the smtp server of my client, so tons of > spam are trying to get out to internet through my server. > > Although all anti-spam stuff seems to work, I need some new countermeasures > to stop this at MailScanner stage (I can't do anything at MTA level because > everything comes from the same ip). > > Any idea? > > something like my own checksum repository, or url blacklist, or header > authentication matching, etc. > > Any help would be appreciated. > > Eduardo. > > I've got a customer doing nearly the same thing. They host their site with another company, and we do mail. Their web host allows mail TO their domain, from the Internet at the web server, even though they are not a valid MX for the domain, and they do no filtering on this mail. So, spammers, who love this sort of thing, attack the domain and it flows to our MX servers as 95% spam, all from a valid IP. Their web host asked them to set up outgoing mail in Outlook through the same server, so we can't just block the IP. :-( We block most of it with milters. (milter-link milter-regex) MailScanner gets most of what's left. Ken From t.d.lee at durham.ac.uk Wed Feb 4 16:31:06 2009 
From: t.d.lee at durham.ac.uk (David Lee) Date: Wed Feb 4 16:31:39 2009 Subject: phishing sites: local and remote Message-ID: We try to use MS configs (currently 4.72.5) reasonably close to the distributed version. That includes taking the routine updates to "phishing.bad.sites.conf" and "phishing.safe.sites.conf". Being a university, we are also getting badly hit by spear-phishing attempts against our users. We noticed that some of incoming bait contained URLs similar to ours. Our true URLs are of the form: http://...durham.ac.uk/... The incoming bait reads: http://...durham.ac.uk.spammer.bad/... (Real life pattern-matching would need more subtlety than that, but you get the idea.) The routine anti-phishing stuff detects dubious URLs etc and displays bright red "possible fraud" warnings. It would be nice if we could supplement this with an additional, locally-based, component that could be configured to match suspicious URLs based on the local site name. Is it possible to run such an antiphishing config, comprising both Julian's standard set and a local component? If not, might it be a worthwhile addition? -- : David Lee I.T. Service : : Senior Systems Programmer Computer Centre : : UNIX Team Leader Durham University : : South Road : : http://www.dur.ac.uk/t.d.lee/ Durham DH1 3LE : : Phone: +44 191 334 2752 U.K. : From rcooper at dwford.com Wed Feb 4 16:53:38 2009 From: rcooper at dwford.com (Rick Cooper) Date: Wed Feb 4 16:53:51 2009 Subject: ClamAV Mailscanner not using clamd In-Reply-To: <625385e30902040719o4df19ff6uce3812a9dea0913c@mail.gmail.com> References: <3411CC12BB577F4FAEAC8A694780866B022912FF@ITMAIL.town.barnstable.ma.us><3411CC12BB577F4FAEAC8A694780866B024F2DE5@ITMAIL.town.barnstable.ma.us> <625385e30902040719o4df19ff6uce3812a9dea0913c@mail.gmail.com> Message-ID: <81FB004ECED54619B9C72BA12EF6F36A@SAHOMELT> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On > Behalf Of shuttlebox > Sent: Wednesday, February 04, 2009 10:20 AM > To: MailScanner discussion > Subject: Re: ClamAV Mailscanner not using clamd > > On Wed, Feb 4, 2009 at 6:56 AM, Ghetti, Ron > wrote: > > Some Background: > > Dell PowerEdge 2950 8gb Ram > > Ubuntu 7.04 > > Perl 5.8.8 > > MailScanner 4.68.8 > > Postfix 2.3.8 > > > > ClamAV 94.2 d/loaded from the MailScanner site. > > SpamAssassin 3.2.4 > > You need at least MS 4.72 to use Clam 0.94.x, so much has changed in > Clam that you can't use 4.68. This is not accurate in context. The clamd portion of MailScanner doesn't depend on the libclamav versioning as does the perl module. The only time the clamd portion of MS would need updated would be if the clamav team altered the basic protocol and it has been years since they have done that. There might be some tweaks to the parser that have taken place since 4.68.8 but changes to clamav itself have no direct relationship to MS clamd scanner. In fact you can completely update a clamav package and never even restart MailScanner. BTW: I think this also makes a good argument for supporting spamd, at least optionally. It uses less resources, is just as fast as the perl module, allows for updating without restarting MS. The only drawback I see would be the MCP functions. One would have to run two spamd instances on different sockets because you cannot pass spamd a config file once it's running... But I would bet you would still see quite a reduction in resource usage even with two daemons. Rick > > Read more here: http://mailscanner.info/ChangeLog > > I would also recommend using SA 3.2.5 even though it has > nothing to do > with this problem. > > -- > /peter From alex at rtpty.com Wed Feb 4 17:20:50 2009 
From: alex at rtpty.com (Alex Neuman) Date: Wed Feb 4 17:21:01 2009 Subject: REJECT RBL at MTA level In-Reply-To: <2046836380638978055@unknownmsgid> References: <2046836380638978055@unknownmsgid> Message-ID: <24e3d2e40902040920y44d66287i6b59e6eec162c7d1@mail.gmail.com> http://tinyurl.com/d6otp3 That could get you started. On Wed, Feb 4, 2009 at 6:26 AM, Paul Simpkin < paul.simpkin@hitec-systems.co.uk> wrote: > Hi, > > > > Could someone point me the right way to finding how I can REJECT RBL's at > MTA level, so that Mailscanner does not process the mail. > > > > I have a lot of UK ADSL connections trying to send mail all day long. > > > > > > Thanks > > > > Paul > > > > PS. Running: > > > > Mailscanner 4.71.10 > > Sendmail ? CentOS 5.2 From ssilva at sgvwater.com Wed Feb 4 18:18:31 2009 From: ssilva at sgvwater.com (Scott Silva) Date: Wed Feb 4 18:18:52 2009 Subject: ClamAV Mailscanner not using clamd In-Reply-To: <3411CC12BB577F4FAEAC8A694780866B024F2DE5@ITMAIL.town.barnstable.ma.us> References: <3411CC12BB577F4FAEAC8A694780866B022912FF@ITMAIL.town.barnstable.ma.us> <3411CC12BB577F4FAEAC8A694780866B024F2DE5@ITMAIL.town.barnstable.ma.us> Message-ID: on 2-3-2009 9:56 PM Ghetti, Ron spake the following: > > > ________________________________ 
> > From: mailscanner-bounces@lists.mailscanner.info on behalf of Scott Silva > Sent: Tue 2/3/2009 5:44 PM > To: mailscanner@lists.mailscanner.info > Subject: Re: ClamAV Mailscanner not using clamd > > > > on 2-3-2009 12:50 PM Ghetti, Ron spake the following: >> Hi, >> this one seems to be eluding me, I've got the settings in >> MailScanner.conf >> setup, clamav-daemon is installed and a running process based on this: >> >>> ps ax | grep [c]lamd >>> 4957 ? Ss 0:06 /usr/sbin/clamd >> So I'm looking for some indication that it is being used properly. >> Any suggestions ? >> >> Thanks >> >> -Ron >> > Are you using a recent version of MailScanner or are you using some > distributions idea of a "safe" version? > Did you install the proper version for your distro? > > Maybe you could give info of what OS, which version of MailScanner, clamd, ETC... > > > > sure. > > Some Background: > Dell PowerEdge 2950 8gb Ram > Ubuntu 7.04 > Perl 5.8.8 > MailScanner 4.68.8 > Postfix 2.3.8 > > ClamAV 94.2 d/loaded from the MailScanner site. > SpamAssassin 3.2.4 > > it's been running pretty well for well over a year. > > I ran cpan update and tried to install the perl clamav module > > without any luck, I get errors when it tries to compile. > > It's giving me errors saying that clam is too old! I downloaded that file last week. > > I fear I may have mangled the whole thing now. > > Originally we turned off Virus scanning because it couldn't keep up with the load. > > users expect messages to fly through within 5 or 10 minutes, if it doesn't then I hear about it. > > I wanted to try and get that back enabled with the clamd version but it looks like I may have other > > issues as well. > > > > thanks > > -Ron > So clamd is running, but MailScanner isn't using it.... Did you double check that the settings in clamd.conf and mailscanner.conf are the same in regards to the clam socket and/or port? 
Make sure you don't have 2 different clamd.conf files from a distro supplied VS a source installed clam. As for the clam perl module, it doesn't work with 0.94-2 without a patch. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Wed Feb 4 18:32:06 2009 From: ssilva at sgvwater.com (Scott Silva) Date: Wed Feb 4 18:32:34 2009 Subject: ClamAV Mailscanner not using clamd In-Reply-To: <625385e30902040823wb12494diba0473c4d3e391e0@mail.gmail.com> References: <3411CC12BB577F4FAEAC8A694780866B02291303@ITMAIL.town.barnstable.ma.us> <625385e30902040823wb12494diba0473c4d3e391e0@mail.gmail.com> Message-ID: on 2-4-2009 8:23 AM shuttlebox spake the following: > On Wed, Feb 4, 2009 at 4:56 PM, Ghetti, Ron > wrote: >> I'm going to build a new box, care to recommend a linux distribution ? > > Not really but I can recommend Solaris. :-) > > We package everything needed so it's a oneliner to install with no > dependency problems. > > http://www.opencsw.org/packages/mailscanner > Does solaris on intel live up to the old sparc lineage? Or is it better? I wish I had time to learn another OS, I would like to try solaris and maybe one of the bsd's. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Wed Feb 4 18:48:38 2009 
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Feb 4 18:48:58 2009 Subject: OT: Filtering OutBound SPAM In-Reply-To: <7d9b3cf20902040721r701b1376na914f564d68a30d4@mail.gmail.com> References: <7d9b3cf20902040721r701b1376na914f564d68a30d4@mail.gmail.com> Message-ID: on 2-4-2009 7:21 AM Eduardo Casarero spake the following: > Hi, I've a rare scenario with one of my customers and I thought that > someone from here could give me some fresh(?) ideas. > > My client has its own MTA (which I don't manage, neither have access to > logs, etc) and it sends all outbound traffic to my server that has > (MScanner, SA, clamav, dcc, pyzor, razor, some custom rules, etc). > > The problem I've right now is that (I assume) some malware stole valid > user/passwords to authenticate in the smtp server of my client, so tons > of spam are trying to get out to internet through my server. > > Although all anti-spam stuff seems to work, I need some new > countermeasures to stop this at MailScanner stage (I can't do anything at > MTA level because everything comes from the same ip). > > Any idea? > > something like my own checksum repository, or url blacklist, or header > authentication matching, etc. > > Any help would be appreciated. > > Eduardo. > Sometimes you will have to play hardball with customers. They will balk at first, but if you offer your help to track down what is happening, even for free, you will both benefit from it. Because if you miss something, you will get blacklisted, not him. The customer will appreciate the free help, and either give you more business, or refer you to his peers. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ecasarero at gmail.com Wed Feb 4 19:28:54 2009 
From: ecasarero at gmail.com (Eduardo Casarero) Date: Wed Feb 4 19:29:04 2009 Subject: OT: Filtering OutBound SPAM In-Reply-To: References: <7d9b3cf20902040721r701b1376na914f564d68a30d4@mail.gmail.com> Message-ID: <7d9b3cf20902041128q254beebj7dc5d4a76eb0c3ba@mail.gmail.com> 2009/2/4 Scott Silva > on 2-4-2009 7:21 AM Eduardo Casarero spake the following: > > Hi, I've a rare scenario with one of my customers and I thought that > > someone from here could give me some fresh(?) ideas. > > > > My client has its own MTA (which I don't manage, neither have access to > > logs, etc) and it sends all outbound traffic to my server that has > > (MScanner, SA, clamav, dcc, pyzor, razor, some custom rules, etc). > > > > The problem I've right now is that (I assume) some malware stole valid > > user/passwords to authenticate in the smtp server of my client, so tons > > of spam are trying to get out to internet through my server. > > > > Although all anti-spam stuff seems to work, I need some new > > countermeasures to stop this at MailScanner stage (I can't do anything at > > MTA level because everything comes from the same ip). > > > > Any idea? > > > > something like my own checksum repository, or url blacklist, or header > > authentication matching, etc. > > > > Any help would be appreciated. > > > > Eduardo. > > > Sometimes you will have to play hardball with customers. They will balk at > first, but if you offer your help to track down what is happening, even for > free, you will both benefit from it. Because if you miss something, you > will > get blacklisted, not him. > The customer will appreciate the free help, and either give you more > business, > or refer you to his peers. > God knows I've tried that way, but they just don't want it. > > > > -- > MailScanner is like deodorant... > You hope everybody uses it, and > you notice quickly if they don't!!!! 
From maxsec at gmail.com Wed Feb 4 19:42:23 2009 
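One way to automate the header check discussed in the "Filtering OutBound SPAM" thread above, as an added example that is not code from any poster, from MailScanner or from SpamAssassin. It trusts only the Received header written by the customer's MTA, tallies the internal addresses found there, and renders the two "Received" matches plus meta rule as SpamAssassin config text; all addresses, host names, rule names and sample messages are constructed assumptions.

```python
import re
from collections import Counter
from email import message_from_string

# Assumption: the customer MTA's address as seen by the filtering server.
RELAY_IP = "203.0.113.25"

# The connecting host is the first bracketed IPv4 literal in a Received header.
_BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(received):
    """Address of the host that handed the message over, or None."""
    match = _BRACKETED_IP.search(received)
    return match.group(1) if match else None


def origin_behind_relay(raw_message, relay_ip=RELAY_IP):
    """Internal address that submitted the message to the customer's MTA.

    Received headers are prepended: hops[0] was written by our own server and
    hops[1] by the customer's MTA. Anything below hops[1] came from the
    submitting host, can be forged, and is ignored.
    """
    hops = message_from_string(raw_message).get_all("Received") or []
    if len(hops) < 2 or connecting_ip(hops[0]) != relay_ip:
        return None
    return connecting_ip(hops[1])


def tally_origins(raw_messages, relay_ip=RELAY_IP):
    """Count messages per internal origin; feed it the mail scored as spam."""
    counts = Counter()
    for raw in raw_messages:
        origin = origin_behind_relay(raw, relay_ip)
        if origin is not None:
            counts[origin] += 1
    return counts


def sa_meta_rule(origin_ip, relay_ip=RELAY_IP, score=10.0):
    """Render two Received matches and a meta rule as SpamAssassin config."""
    def pattern(ip):
        return "/\\[" + re.escape(ip) + "\\]/"

    relay = "__RCVD_RELAY_" + relay_ip.replace(".", "_")      # hypothetical names
    origin = "__RCVD_ORIGIN_" + origin_ip.replace(".", "_")
    name = "LOCAL_INFECTED_" + origin_ip.replace(".", "_")
    return "\n".join([
        f"header {relay} Received =~ {pattern(relay_ip)}",
        f"header {origin} Received =~ {pattern(origin_ip)}",
        f"meta {name} ({relay} && {origin})",
        f"describe {name} Sent via customer MTA from a flagged internal host",
        f"score {name} {score:.1f}",
    ])


def build_sample(first_hop_ip, origin_ip, forged_ip=None):
    """Constructed test message; not taken from any real mail flow."""
    lines = [
        f"Received: from mta.customer.example (mta.customer.example [{first_hop_ip}])",
        "\tby filter.provider.example with ESMTP; Wed, 4 Feb 2009 15:20:01 +0000",
        f"Received: from pc (unknown [{origin_ip}])",
        "\tby mta.customer.example with ESMTPA; Wed, 4 Feb 2009 15:19:58 +0000",
    ]
    if forged_ip:
        # A header the sending host made up; it sits below the trusted hop.
        lines += [f"Received: from mail.bank.example ([{forged_ip}])",
                  "\tby pc with SMTP; Wed, 4 Feb 2009 15:00:00 +0000"]
    lines += ["From: user@customer.example", "Subject: constructed sample",
              "", "body", ""]
    return "\n".join(lines)


SAMPLES = [
    build_sample("203.0.113.25", "10.1.2.3"),
    build_sample("203.0.113.25", "10.1.2.3", forged_ip="198.51.100.9"),
    build_sample("203.0.113.25", "10.1.2.77"),
    build_sample("192.0.2.77", "10.1.2.3"),  # did not arrive via the customer MTA
]

if __name__ == "__main__":
    for ip, count in tally_origins(SAMPLES).most_common():
        print(count, ip)
    print(sa_meta_rule("10.1.2.3"))
```

The tally only helps if the customer's MTA records the submitting host's address in its own Received header; where it does not, the per-host view has to come from the customer's logs.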
From: maxsec at gmail.com (Martin Hepworth) Date: Wed Feb 4 19:42:34 2009 Subject: MailScanner 4.74.16 Debug In-Reply-To: References: Message-ID: <72cf361e0902041142n2c92e83dqd6c2cda1d0ea04ca@mail.gmail.com> 2009/2/4 Justin Ellis : > Good Morning All, > > I'm running into an issue that I'm not really sure what the root cause of > is. > > My queues were moving slowly yesterday, and today are not moving at all. > The setup is: > > Postfix 2.4 with MailScanner 4.74.16 running on RH5. > > Running MailScanner in debug mode nets me the following error: > Can't call method "print" on an undefined value at > /usr/lib/MailScanner/MailScanner/PFDiskStore.pm line 734 > > The PFDiskStore file has not been modified, but here are its contents as > well:
>
> # Write a message to a filehandle
> sub WriteEntireMessage {
>   my($this, $message, $handle) = @_;
>
>   # Write the whole message in RFC822 format to the filehandle.
>   # That means 1 CR-terminated line for every N record in the file.
>   my $b= Body->new( $this->{inhdhandle} );
>   if ($b) {
>     $b->Start(1); # 1 says we want the headers as well as the body
>     my $line;
>     print STDERR "WriteEntireMessage\n";
>     while(defined($line = $b->Next())) {
>       $handle-> print($line . "\n");
>       #print STDERR "BODY: $line\n";
>     }
>     $b->Done();
>   }
> }
>
> This may not be all of the information you need, but I couldn't think of > anything else to add. Can someone point me in the right direction? > > Thanks in advance! > >
Sounds like the same problem on the IRC earlier - solution: working dir has incorrect permissions (and the upgrade hadn't been done fully by failing to upgrade the MailScanner.conf). -- Martin Hepworth Oxford, UK From maxsec at gmail.com Wed Feb 4 19:45:09 2009 
From: maxsec at gmail.com (Martin Hepworth) Date: Wed Feb 4 19:45:18 2009 Subject: phishing sites: local and remote In-Reply-To: References: Message-ID: <72cf361e0902041145i4a29a8a7i1253ce757cfb51e0@mail.gmail.com> 2009/2/4 David Lee : > We try to use MS configs (currently 4.72.5) reasonably close to the > distributed version. That includes taking the routine updates to > "phishing.bad.sites.conf" and "phishing.safe.sites.conf". > > Being a university, we are also getting badly hit by spear-phishing attempts > against our users. We noticed that some of incoming bait > contained URLs similar to ours. Our true URLs are of the form: > http://...durham.ac.uk/... > > The incoming bait reads: > http://...durham.ac.uk.spammer.bad/... > > (Real life pattern-matching would need more subtlety than that, but you get > the idea.) > > The routine anti-phishing stuff detects dubious URLs etc and displays bright > red "possible fraud" warnings. > > It would be nice if we could supplement this with an additional, > locally-based, component that could be configured to match suspicious URLs > based on the local site name. > > Is it possible to run such an antiphishing config, comprising both Julian's > standard set and a local component? > > If not, might it be a worthwhile addition? > > > -- > > : David Lee I.T. Service : > : Senior Systems Programmer Computer Centre : > : UNIX Team Leader Durham University : > : South Road : > : http://www.dur.ac.uk/t.d.lee/ Durham DH1 3LE : > : Phone: +44 191 334 2752 U.K. : > David wasn't there something on the list a couple of weeks about anti-spear phishing stuff Jules is mulling about with?? 
Or am I dreaming about MailScanner again ;-) -- Martin Hepworth Oxford, UK From spamlists at coders.co.uk Wed Feb 4 18:39:44 2009 From: spamlists at coders.co.uk (Matt) Date: Wed Feb 4 19:53:57 2009 Subject: REJECT RBL at MTA level In-Reply-To: <24e3d2e40902040920y44d66287i6b59e6eec162c7d1@mail.gmail.com> References: <2046836380638978055@unknownmsgid> <24e3d2e40902040920y44d66287i6b59e6eec162c7d1@mail.gmail.com> Message-ID: <4989E0F0.7010500@coders.co.uk> Alex Neuman wrote: > http://tinyurl.com/d6otp3 > > That could get you started. > PMSL! From shuttlebox at gmail.com Wed Feb 4 20:40:36 2009 
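The local check David Lee asks about in the "phishing sites: local and remote" thread above, sketched as an added example; it is not MailScanner code and not a MailScanner configuration option. It flags URLs whose host contains the local site name anywhere except at the end, and goes slightly beyond the post by also catching the local name placed in the userinfo part of a URL; the function names and the sample message are constructed, while `durham.ac.uk` and `spammer.bad` are the post's own illustrations.

```python
import re
from urllib.parse import urlsplit

LOCAL_DOMAIN = "durham.ac.uk"  # the local site name used in the post

# Deliberately simple URL finder for plain-text bodies (an assumption; HTML
# mail would need the href values extracted first).
_URL = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def classify_url(url, local_domain=LOCAL_DOMAIN):
    """Return 'local', 'lookalike' or 'other' for one URL."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".").lower()
        userinfo = (parts.username or "").rstrip(".").lower()
    except ValueError:  # malformed authority, e.g. an unbalanced "["
        return "other"

    local = local_domain.lower().split(".")
    labels = host.split(".")
    n = len(local)

    # Genuine: the host is the local domain itself or a subdomain of it.
    # Comparing whole labels keeps "notdurham.ac.uk" from counting as local.
    if labels[-n:] == local:
        return "local"

    # Bait of the form durham.ac.uk.spammer.bad: the local labels appear as a
    # run inside the host name but are not its registrable ending.
    if any(labels[i:i + n] == local for i in range(len(labels) - n)):
        return "lookalike"

    # Beyond the post: http://www.durham.ac.uk@spammer.bad/ shows the local
    # name to the reader while the real host is whatever follows the "@".
    if userinfo.split(".")[-n:] == local:
        return "lookalike"

    return "other"


def find_lookalikes(text, local_domain=LOCAL_DOMAIN):
    """Return every URL in a message body that imitates the local site name."""
    hits = []
    for match in _URL.finditer(text):
        url = match.group(0).rstrip(".,;:!?)")  # drop sentence punctuation
        if classify_url(url, local_domain) == "lookalike":
            hits.append(url)
    return hits


# Constructed message body for demonstration only.
SAMPLE_BODY = """\
Dear user, your mailbox is over quota.
Verify at http://webmail.durham.ac.uk.spammer.bad/login now.
Official help desk: http://www.durham.ac.uk/its/helpdesk/
Alternative link: http://www.durham.ac.uk@spammer.bad/reset
Unrelated news: http://example.org/news.
"""

if __name__ == "__main__":
    for url in find_lookalikes(SAMPLE_BODY):
        print("suspicious:", url)
```

Hyphenated or misspelled imitations of the site name are outside what this label comparison catches.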
From: shuttlebox at gmail.com (shuttlebox) Date: Wed Feb 4 20:40:47 2009 Subject: ClamAV Mailscanner not using clamd In-Reply-To: References: <3411CC12BB577F4FAEAC8A694780866B02291303@ITMAIL.town.barnstable.ma.us> <625385e30902040823wb12494diba0473c4d3e391e0@mail.gmail.com> Message-ID: <625385e30902041240g20d071f9qe25feb95aaec76d3@mail.gmail.com> On Wed, Feb 4, 2009 at 7:32 PM, Scott Silva wrote: > Does solaris on intel live up to the old sparc lineage? > Or is it better? Not sure what you mean but I assume you mean it's slow..? Most people who say that have only "heard it from someone else". Often it comes from old Sparc systems compared to the new x86 systems replacing them, not exactly a fair comparison. :-) You can still build a much bigger and faster Sparc system than anyone offers on the x86 platform but it's only worth it if you need *one* big system. In the case of MailScanner we can easily multiply our systems and x86 systems are much more bang for the buck. That's why Sun today sells a full range of x86 systems for the same price as everyone else to complement its Sparc line. I run MailScanner on Sun x86 servers, not on Sparc. > I wish I had time to learn another OS, I would like to try solaris and maybe > one of the bsd's. I doubt you would have any problem learning Solaris, it's still just Unix and most of us have to use several every day. If you're interested you can download a free copy from OpenSolaris, I recommend the OpenSolaris 2008.11 dist since it's easiest to start with. It's a live CD much like Ubuntu. http://opensolaris.org/os/downloads/ If you try it, take a close look at ZFS (volume and file system all in one), containers (virtual machines with resource handling) and DTrace (put probes everywhere to monitor your system in realtime). Those are Solaris standout features. -- /peter From Ron.Ghetti at town.barnstable.ma.us Wed Feb 4 21:09:18 2009 
From: Ron.Ghetti at town.barnstable.ma.us (Ghetti, Ron) Date: Wed Feb 4 21:09:50 2009 Subject: ClamAV Mailscanner not using clamd Message-ID: <3411CC12BB577F4FAEAC8A694780866B02291306@ITMAIL.town.barnstable.ma.us> -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of shuttlebox Sent: Wednesday, February 04, 2009 11:24 AM To: MailScanner discussion Subject: Re: ClamAV Mailscanner not using clamd On Wed, Feb 4, 2009 at 4:56 PM, Ghetti, Ron wrote: > I'm going to build a new box, care to recommend a linux distribution ? Not really but I can recommend Solaris. :-) We package everything needed so it's a oneliner to install with no dependency problems. http://www.opencsw.org/packages/mailscanner -- /peter Nice. And here I thought those days were gone. We got rid of the last of our mainframes about 10 years ago. Personally, I don't miss sco unix believe me... ;-) Thanks again -Ron From Ron.Ghetti at town.barnstable.ma.us Wed Feb 4 21:22:26 2009 From: Ron.Ghetti at town.barnstable.ma.us (Ghetti, Ron) Date: Wed Feb 4 21:22:43 2009 Subject: ClamAV Mailscanner not using clamd Message-ID: <3411CC12BB577F4FAEAC8A694780866B02291307@ITMAIL.town.barnstable.ma.us> -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Rick Cooper Sent: Wednesday, February 04, 2009 11:54 AM > On Wed, Feb 4, 2009 at 6:56 AM, Ghetti, Ron > wrote: > > Some Background: > > Dell PowerEdge 2950 8gb Ram > > Ubuntu 7.04 > > Perl 5.8.8 > > MailScanner 4.68.8 > > Postfix 2.3.8 > > > > ClamAV 94.2 d/loaded from the MailScanner site. > > SpamAssassin 3.2.4 > > You need at least MS 4.72 to use Clam 0.94.x, so much has changed in > Clam that you can't use 4.68. This is not accurate in context. The clamd portion of MailScanner doesn't depend on the libclamav versioning as does the perl module. The only time the clamd portion of MS would need updated would be if the clamav team altered the basic protocol and it has been years since they have done that. There might be some tweaks to the parser that have taken place since 4.68.8 but changes to clamav itself have no direct relationship to MS clamd scanner. In fact you can completely update a clamav package and never even restart MailScanner. BTW: I think this also makes a good argument for supporting spamd, at least optionally. It uses less resources, is just as fast as the perl module, allows for updating without restarting MS. The only drawback I see would be the MCP functions. One would have to run two spamd instances on different sockets because you cannot pass spamd a config file once it's running... But I would bet you would still see quite a reduction in resource usage even with two daemons. Rick That's good information Rick, thank you. Essentially everything was chugging along fine albeit a bit slow. That was the reason for disabling virus scanning to try and keep everything moving. Then later the idea was to try running clamd to see if the performance was any better. I think I'm going to continue to tackle the upgrades But I've got to work through them. 
What I have at the moment is the cpan modules won't compile
Because the included clamav module is outdated.

An ancient version stuck in the package manager
And a now older version of MailScanner that needs to be upgraded.

I'll be around for sure...

-Ron

>
> Read more here: http://mailscanner.info/ChangeLog
>
> I would also recommend using SA 3.2.5 even though it has
> nothing to do
> with this problem.
>
> --
> /peter

From rcooper at dwford.com Thu Feb 5 03:17:18 2009
From: rcooper at dwford.com (Rick Cooper)
Date: Thu Feb 5 03:17:43 2009
Subject: ClamAV Mailscanner not using clamd
In-Reply-To: <3411CC12BB577F4FAEAC8A694780866B02291307@ITMAIL.town.barnstable.ma.us>
References: <3411CC12BB577F4FAEAC8A694780866B02291307@ITMAIL.town.barnstable.ma.us>
Message-ID: <178F4D1BB148466EA915431CBFC321BA@SAHOMELT>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On
> Behalf Of Ghetti, Ron
> Sent: Wednesday, February 04, 2009 4:22 PM
> To: MailScanner discussion
> Subject: RE: ClamAV Mailscanner not using clamd
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Rick
> Cooper
> Sent: Wednesday, February 04, 2009 11:54 AM

[...]

> This is not accurate in context. The clamd portion of MailScanner doesn't
> depend on the libclamav versioning as does the perl module. The only time
> the clamd portion of MS would need updated would be if the clamav team
> altered the basic protocol and it has been years since they have done that.
> There might be some tweaks to the parser that have taken place since 4.68.8
> but changes to clamav itself have no direct relationship to MS clamd
> scanner. In fact you can completely update a clamav package and never even
> restart MailScanner.
>
> BTW: I think this also makes a good argument for supporting spamd, at least
> optionally. It uses less resources, is just as fast as the perl module,
> allows for updating without restarting MS. The only drawback I see would be
> the MCP functions. One would have to run two spamd instances on different
> sockets because you cannot pass spamd a config file once it's running... But
> I would bet you would still see quite a reduction in resource usage even
> with two daemons.
>
> Rick
>
>
> That's good information Rick, thank you.
> Essentially everything was chugging along fine albeit a bit slow.
> That was the reason for disabling virus scanning to try and keep
> everything moving.
> Then later the idea was to try running clamd to see if the performance
> was any better.
>
> I think I'm going to continue to tackle the upgrades
> But I've got to work through them.
> What I have at the moment is the cpan modules won't compile
> Because the included clamav module is outdated.
>
> An ancient version stuck in the package manager
> And a now older version of MailScanner that needs to be upgraded.
>

[...]

If you disable the clamavmodule (in MailScanner) and just use clamd the
clamav perl module is not required.
The clamd code is 100% internal and speaks directly to the clamd daemon
itself, thus it's not affected by changes in the libclamav.so as is the perl
based ClamAVModule code. Of course I think you should stay up to date with
MS but I personally am at version 4.67.6 myself because I haven't had the
time to update the patches I have to apply to MailScanner with each update
(for special functionality I require). All I am really saying I guess is the
version you are running will work fine with a properly installed ClamAV
package and MS configuration.

Rick

From greg at blastzone.com Thu Feb 5 07:50:51 2009
From: greg at blastzone.com (Greg Deputy)
Date: Thu Feb 5 07:50:53 2009
Subject: Mailscanner logging to syslog, only partial to mail.log, driving me nuts
Message-ID: <051e01c98766$778cf430$66a6dc90$@com>

I've had a logging issue going on for a while with MailScanner. In my
/var/log/mail.log file I'm only getting postfix messages, where all the
MailScanner messages seem to be going into /var/log/syslog. I've checked
the mailscanner config, and the syslog facility set is 'mail' and syslog
seems to be setup and config'd correctly. I used to get all logging in
mail.log as expected, but at some point it stopped.

Any suggestions on what to look at besides what I've mentioned above? This
is on a debian etch system running postfix, pretty vanilla setup.

Thanks

From lorenzo at argroup.it Thu Feb 5 09:01:40 2009
From: lorenzo at argroup.it (lorenzo)
Date: Thu Feb 5 09:02:04 2009
Subject: an sa learn problem?
Message-ID: <498AAAF4.901@argroup.it>

Hi all.
I'm using a CentOS MailScanner system monitored with MailWatch.
When I use the MailWatch sa-learn function it produces this output:

SA Learn: config: path "//root//.spamassassin" is inaccessible: Permission
denied, Learned tokens from 1 message(s) (1 message(s) examined)

There are no errors, but it still seems to look to the default path first.
Is this normal? Is there a way to correct it?

In my /etc/MailScanner/spam.assassin.prefs.conf:

# bayes_path should NOT be directory!
# The Rules_du_jour script will choke if it is a directory.
# It needs to be a full pathname, PLUS a partial filename.
# In this example, the trailing "bayes" will be the "bayes*" +
# files in the directory "/etc/MailScanner//bayes//"
# Thanks to Matt Kettler for pointing this out.
bayes_path /etc/MailScanner/bayes/bayes

# This is actually used as a mask, not a raw chmod setting.
# Thanks for Matt Kettler for spotting this one.
# Commented out: this if for MailWatch and Exim/Postfix users only.
bayes_file_mode 0660

--
Lorenzo Santi
aura srl

From maillists at conactive.com Thu Feb 5 11:31:26 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Thu Feb 5 11:31:38 2009
Subject: an sa learn problem?
In-Reply-To: <498AAAF4.901@argroup.it>
References: <498AAAF4.901@argroup.it>
Message-ID:

Lorenzo wrote on Thu, 05 Feb 2009 10:01:40 +0100:

> SA Learn: config: path "//root//.spamassassin" is inaccessible: Permission
> denied, Learned tokens from 1 message(s) (1 message(s) examined)

This error is harmless. I'm not exactly sure, when it happens, though. Saw it
recently on one machine and made it disappear quickly, but wasn't sure how I
did that. Check the ownership of quarantine files and what you set in
MailScanner.conf. There's probably a mismatch, so that the learning happens
as user root.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Thu Feb 5 11:31:26 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Thu Feb 5 11:31:38 2009
Subject: Mailscanner logging to syslog, only partial to mail.log, driving me nuts
In-Reply-To: <051e01c98766$778cf430$66a6dc90$@com>
References: <051e01c98766$778cf430$66a6dc90$@com>
Message-ID:

Greg Deputy wrote on Wed, 4 Feb 2009 23:50:51 -0800:

> I've had a logging issue going on for a while with MailScanner. In my
> /var/log/mail.log file I'm only getting postfix messages, where all the
> MailScanner messages seem to be going into /var/log/syslog. I've checked
> the mailscanner config, and the syslog facility set is 'mail' and syslog
> seems to be setup and config'd correctly. I used to get all logging in
> mail.log as expected, but at some point is stopped.

check your /etc/syslog.conf

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From t.d.lee at durham.ac.uk Thu Feb 5 12:47:54 2009
From: t.d.lee at durham.ac.uk (David Lee)
Date: Thu Feb 5 12:48:26 2009
Subject: phishing sites: local and remote
In-Reply-To: <72cf361e0902041145i4a29a8a7i1253ce757cfb51e0@mail.gmail.com>
References: <72cf361e0902041145i4a29a8a7i1253ce757cfb51e0@mail.gmail.com>
Message-ID:

On Wed, 4 Feb 2009, Martin Hepworth wrote:

> 2009/2/4 David Lee :
>> [...]
>> Is it possible to run such an antiphishing config, comprising both Julian's
>> standard set and a local component?
>>
>> If not, might it be a worthwhile addition?
>
> David
>
> wasn't there something on the list a couple of weeks about anti-spear
> phishing stuff Jules is mulling about with?? Or am I dreaming about
> MailScanner again ;-)

There was, indeed, Martin. (Unless we're both dreaming.) I suspect you
mean setting up and installing various bits and pieces to do with
Sanesecurity phishing signatures into ClamAV.

My suggestion above was complementary to that. Each covers parts the other
cannot reach. So there is a case for examining a both/and rather than
either/or. A particular site may prefer one. Another site might prefer
the other. Yet another site might choose both.

ClamAV/Sanesecurity channel:
  1. Hooks into ClamAV. No good if site doesn't/can't have ClamAV.
  2. User-presentation: Gets it treated and processed as a virus.
     (Sites may have different preferences, and understandably.)
     Good for sites (e.g. of vulnerable people) where policy is to guard
     against anything even vaguely suspicious.
  3. The data comes from a non-local source.

MS/phishing data: (Julian's daily stuff with local mods):
  1. Hooks into MS directly. (Don't need ClamAV, if site really doesn't
     want it.)
  2. User-presentation: This phishing attack gets treated in MS's
     standard phishing manner: deliver big red warning etc.
     Good for sites whose policy is strenuous avoidance of false-positives
     ("if there is any chance (even 0.01%) that the email is good, we must
     deliver").
  3.
     Data can be rapidly and easily hand tailored to suit local oddities
     and peculiarities. (e.g. pattern matching of good/bad URLs based on
     own, peculiar, local set of domains).

Hope that helps think around these two different but overlapping and
complementary angles.

--

:  David Lee                        I.T. Service       :
:  Senior Systems Programmer        Computer Centre    :
:  UNIX Team Leader                 Durham University  :
:                                   South Road         :
:  http://www.dur.ac.uk/t.d.lee/    Durham DH1 3LE     :
:  Phone: +44 191 334 2752          U.K.               :

From lorenzo at argroup.it Thu Feb 5 13:15:32 2009
From: lorenzo at argroup.it (lorenzo)
Date: Thu Feb 5 13:15:54 2009
Subject: an sa learn problem?
In-Reply-To:
References: <498AAAF4.901@argroup.it>
Message-ID: <498AE674.2090408@argroup.it>

Kai Schaetzl wrote:
> Lorenzo wrote on Thu, 05 Feb 2009 10:01:40 +0100:
>
>> SA Learn: config: path "//root//.spamassassin" is inaccessible: Permission
>> denied, Learned tokens from 1 message(s) (1 message(s) examined)
>
> This error is harmless. I'm not exactly sure, when it happens, though. Saw it
> recently on one machine and made it disappear quickly, but wasn't sure how I
> did that. Check the ownership of quarantine files and what you set in
> MailScanner.conf. There's probably a mismatch, so that the learning happens
> as user root.
>
> Kai

In my MailScanner:
quarantine user = root
quarantine group = apache
quarantine permission = 0660
run as user = postfix
run as group = postfix

My quarantine folder:
user = postfix
group = apache
permission: r/w user rws group

Do I have to change the quarantine user?

--
Lorenzo Santi
aura srl

From greg at blastzone.com Thu Feb 5 13:44:00 2009
From: greg at blastzone.com (Greg Deputy)
Date: Thu Feb 5 13:44:03 2009
Subject: Mailscanner logging to syslog, only partial to mail.log, driving me nuts
In-Reply-To:
References: <051e01c98766$778cf430$66a6dc90$@com>
Message-ID: <057b01c98797$cd9b7aa0$68d26fe0$@com>

Yes, I've looked there, nothing seems unusual, and I've not changed anything
in there.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Kai Schaetzl
Sent: Thursday, February 05, 2009 3:31 AM
To: mailscanner@lists.mailscanner.info
Subject: Re: Mailscanner logging to syslog, only partial to mail.log, driving me nuts

Greg Deputy wrote on Wed, 4 Feb 2009 23:50:51 -0800:

> I've had a logging issue going on for a while with MailScanner. In my
> /var/log/mail.log file I'm only getting postfix messages, where all the
> MailScanner messages seem to be going into /var/log/syslog. I've checked
> the mailscanner config, and the syslog facility set is 'mail' and syslog
> seems to be setup and config'd correctly. I used to get all logging in
> mail.log as expected, but at some point it stopped.

check your /etc/syslog.conf

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: syslog.conf
Type: application/octet-stream
Size: 2120 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090205/6a814d7a/syslog.obj

From glenn.steen at gmail.com Thu Feb 5 13:44:27 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Feb 5 13:44:36 2009
Subject: an sa learn problem?
In-Reply-To: <498AE674.2090408@argroup.it>
References: <498AAAF4.901@argroup.it> <498AE674.2090408@argroup.it>
Message-ID: <223f97700902050544g6c19e8bfh2ea42798cf423856@mail.gmail.com>

2009/2/5 lorenzo :
> Kai Schaetzl wrote:
>>
>> Lorenzo wrote on Thu, 05 Feb 2009 10:01:40 +0100:
>>
>>> SA Learn: config: path "//root//.spamassassin" is inaccessible:
>>> Permission denied, Learned tokens from 1 message(s) (1 message(s) examined)
>>
>> This error is harmless. I'm not exactly sure, when it happens, though. Saw
>> it recently on one machine and made it disappear quickly, but wasn't sure
>> how I did that. Check the ownership of quarantine files and what you set in
>> MailScanner.conf. There's probably a mismatch, so that the learning happens
>> as user root.
>>
>> Kai
>
> In my MailScanner:
> quarantine user = root
> quarantine group = apache
> quarantine permission = 0660
> run as user = postfix
> run as group = postfix
>
> My quarantine folder:
> user = postfix
> group = apache
> permission: r/w user rws group
>
> Do I have to change the quarantine user?
>
If you indeed run Postfix, your quarantine user is wrong. It should be
set to "postfix", and the permissions on the quarantine (and all
files/directories under it) should be amended accordingly.
As is, the error (harmless or not) stems from that misconfig.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From maillists at conactive.com Thu Feb 5 14:31:25 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Thu Feb 5 14:31:39 2009
Subject: an sa learn problem?
In-Reply-To: <498AE674.2090408@argroup.it>
References: <498AAAF4.901@argroup.it> <498AE674.2090408@argroup.it>
Message-ID:

Lorenzo wrote on Thu, 05 Feb 2009 14:15:32 +0100:

> permission: r/w user rws group

I have it at rwx for user and group. rws as above should be fine.

> i have to change quarantine user?

yes -> postfix. And postfix has to have a home dir.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From Ron.Ghetti at town.barnstable.ma.us Thu Feb 5 15:19:28 2009
From: Ron.Ghetti at town.barnstable.ma.us (Ghetti, Ron)
Date: Thu Feb 5 15:19:48 2009
Subject: ClamAV Mailscanner not using clamd
Message-ID: <3411CC12BB577F4FAEAC8A694780866B02291308@ITMAIL.town.barnstable.ma.us>

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Rick Cooper
Sent: Wednesday, February 04, 2009 10:17 PM
To: 'MailScanner discussion'
Subject: RE: ClamAV Mailscanner not using clamd

[...]

If you disable the clamavmodule (in MailScanner) and just use clamd the
clamav perl module is not required. The clamd code is 100% internal and
speaks directly to the clamd daemon itself, thus it's not affected by
changes in the libclamav.so as is the perl based ClamAVModule code. Of
course I think you should stay up to date with MS but I personally am at
version 4.67.6 myself because I haven't had the time to update the patches I
have to apply to MailScanner with each update (for special functionality I
require). All I am really saying I guess is the version you are running will
work fine with a properly installed ClamAV package and MS configuration.

Rick

Ok, I see what you mean, that actually sounds fairly easy to deal with.
As far as permissions go, I guess I would just add the clamav user to
the postfix group then.
Does that sound about right ?
I don't think I want any of these processes running as root if you know
what I mean.

Thanks
-Ron

From lorenzo at argroup.it Thu Feb 5 16:03:32 2009
From: lorenzo at argroup.it (lorenzo)
Date: Thu Feb 5 16:03:57 2009
Subject: an sa learn problem?
In-Reply-To: <223f97700902050544g6c19e8bfh2ea42798cf423856@mail.gmail.com>
References: <498AAAF4.901@argroup.it> <498AE674.2090408@argroup.it> <223f97700902050544g6c19e8bfh2ea42798cf423856@mail.gmail.com>
Message-ID: <498B0DD4.6030607@argroup.it>

Glenn Steen wrote:
> 2009/2/5 lorenzo :
>
>> Kai Schaetzl wrote:
>>
>>> Lorenzo wrote on Thu, 05 Feb 2009 10:01:40 +0100:
>>>
>>>> SA Learn: config: path "//root//.spamassassin" is inaccessible:
>>>> Permission denied, Learned tokens from 1 message(s) (1 message(s) examined)
>>>
>>> This error is harmless. I'm not exactly sure, when it happens, though. Saw
>>> it recently on one machine and made it disappear quickly, but wasn't sure
>>> how I did that. Check the ownership of quarantine files and what you set in
>>> MailScanner.conf. There's probably a mismatch, so that the learning happens
>>> as user root.
>>>
>>> Kai
>>
>> In my MailScanner:
>> quarantine user = root
>> quarantine group = apache
>> quarantine permission = 0660
>> run as user = postfix
>> run as group = postfix
>>
>> My quarantine folder:
>> user = postfix
>> group = apache
>> permission: r/w user rws group
>>
>> Do I have to change the quarantine user?
>>
> If you indeed run Postfix, your quarantine user is wrong. It should be
> set to "postfix", and the permissions on the quarantine (and all
> files/directories under it) should be amended accordingly.
> As is, the error (harmless or not) stems from that misconfig.
>
> Cheers
>
I changed the quarantine user to postfix but it is still giving the same error:

SA Learn: config: path "/root/.spamassassin" is inaccessible: Permission
denied, Learned tokens from 0 message(s) (1 message(s) examined)

I also restarted MailScanner and Apache.
The quarantine folder and files have the same permissions.
postfix:apache

--
Lorenzo Santi
aura srl

From maxsec at gmail.com Thu Feb 5 16:21:40 2009
From: maxsec at gmail.com (Martin Hepworth)
Date: Thu Feb 5 16:21:49 2009
Subject: ClamAV Mailscanner not using clamd
In-Reply-To: <3411CC12BB577F4FAEAC8A694780866B02291308@ITMAIL.town.barnstable.ma.us>
References: <3411CC12BB577F4FAEAC8A694780866B02291308@ITMAIL.town.barnstable.ma.us>
Message-ID: <72cf361e0902050821k366094d0vc29c1d2fd059910f@mail.gmail.com>

2009/2/5 Ghetti, Ron :
>
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Rick
> Cooper
> Sent: Wednesday, February 04, 2009 10:17 PM
> To: 'MailScanner discussion'
> Subject: RE: ClamAV Mailscanner not using clamd
>
> [...]
>
> If you disable the clamavmodule (in MailScanner) and just use clamd the
> clamav perl module is not required. The clamd code is 100% internal and
> speaks directly to the clamd daemon itself, thus it's not affected by
> changes in the libclamav.so as is the perl based ClamAVModule code. Of
> course I think you should stay up to date with MS but I personally am at
> version 4.67.6 myself because I haven't had the time to update the
> patches I have to apply to MailScanner with each update (for special
> functionality I require). All I am really saying I guess is the version
> you are running will work fine with a properly installed ClamAV package
> and MS configuration.
>
> Rick
>
> Ok, I see what you mean, that actually sounds fairly easy to deal with.
> As far as permissions go, I guess I would just add the clamav user to
> the postfix group then.
> Does that sound about right ?
> I don't think I want any of these processes running as root if you know
> what I mean.
>
> Thanks
> -Ron
>

Ron

basically 'yes'. You need to make sure the clamd.conf settings are
correct including the ability for the clamav user to assume secondary
groups..

AllowSupplementaryGroups = yes

from memory...

--
Martin Hepworth
Oxford, UK

From maxsec at gmail.com Thu Feb 5 16:23:20 2009
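The checks Ron and Martin settle on in the exchange above (clamd not running as root, the clamav user in MailScanner's run-as group, supplementary groups honoured), written out as an added Python example that is not part of any post in this thread. The file contents, socket path and finding names are constructed; it assumes clamd.conf's `Option value` line form and treats an unset `AllowSupplementaryGroups` as `no`.

```python
"""Audit clamd / MailScanner identities against the least-privilege setup in the thread.

Every sample file content below is constructed for illustration.
"""

TRUE_VALUES = {"yes", "true", "1"}


def parse_clamd_conf(text):
    """clamd.conf holds 'Option value' lines; '#' starts a comment."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            opts[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def parse_mailscanner_conf(text):
    """MailScanner.conf holds 'Option Name = value' lines; '#' starts a comment."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        if "=" in line:
            name, value = line.split("=", 1)
            # Assumption: option names are compared lower-cased, spaces collapsed.
            opts[" ".join(name.lower().split())] = value.strip()
    return opts


def groups_of(user, passwd_text, group_text):
    """Return (primary_group, supplementary_groups) from passwd/group file text."""
    gid_to_name, supplementary = {}, set()
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4:
            continue
        gid_to_name[fields[2]] = fields[0]
        if user in [m for m in fields[3].split(",") if m]:
            supplementary.add(fields[0])
    primary = None
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 4 and fields[0] == user:
            primary = gid_to_name.get(fields[3])
    return primary, supplementary


def audit(clamd_conf, mailscanner_conf, passwd_text, group_text):
    """Return finding codes; an empty list means the setup matches the thread's advice."""
    clamd = parse_clamd_conf(clamd_conf)
    ms = parse_mailscanner_conf(mailscanner_conf)
    findings = []

    # An empty or missing "Run As User" is treated as root here.
    if ms.get("run as user") in (None, "", "root"):
        findings.append("mailscanner-runs-as-root")

    clamd_user = clamd.get("user", "")
    if clamd_user in ("", "root"):
        findings.append("clamd-user-unset-or-root")
        return findings

    run_group = ms.get("run as group", "")
    primary, supplementary = groups_of(clamd_user, passwd_text, group_text)
    if run_group and run_group != primary:
        if run_group not in supplementary:
            findings.append("clamd-user-not-in-run-as-group")
        # Assumption: an unset AllowSupplementaryGroups behaves as "no".
        elif clamd.get("allowsupplementarygroups", "no").lower() not in TRUE_VALUES:
            findings.append("supplementary-groups-not-honoured")
    return findings


# Constructed samples: clamav was added to the postfix group, but clamd.conf
# does not enable supplementary groups yet.
SAMPLE_CLAMD_CONF = "# constructed sample\nLocalSocket /var/run/clamav/clamd.sock\nUser clamav\n"
SAMPLE_MAILSCANNER_CONF = "Run As User = postfix\nRun As Group = postfix\n"
SAMPLE_PASSWD = (
    "postfix:x:89:89::/var/spool/postfix:/sbin/nologin\n"
    "clamav:x:46:46::/var/lib/clamav:/sbin/nologin\n"
)
SAMPLE_GROUP = "postfix:x:89:clamav\nclamav:x:46:\n"

if __name__ == "__main__":
    for code in audit(SAMPLE_CLAMD_CONF, SAMPLE_MAILSCANNER_CONF,
                      SAMPLE_PASSWD, SAMPLE_GROUP) or ["ok"]:
        print(code)
```
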
From: maxsec at gmail.com (Martin Hepworth)
Date: Thu Feb 5 16:23:29 2009
Subject: an sa learn problem?
In-Reply-To: <498B0DD4.6030607@argroup.it>
References: <498AAAF4.901@argroup.it> <498AE674.2090408@argroup.it> <223f97700902050544g6c19e8bfh2ea42798cf423856@mail.gmail.com> <498B0DD4.6030607@argroup.it>
Message-ID: <72cf361e0902050823l419e1a54h4b773ffb7f1182fd@mail.gmail.com>

2009/2/5 lorenzo :
> Glenn Steen wrote:
>>
>> 2009/2/5 lorenzo :
>>
>>> Kai Schaetzl wrote:
>>>
>>>> Lorenzo wrote on Thu, 05 Feb 2009 10:01:40 +0100:
>>>>
>>>>> SA Learn: config: path "//root//.spamassassin" is inaccessible:
>>>>> Permission denied, Learned tokens from 1 message(s) (1 message(s)
>>>>> examined)
>>>>
>>>> This error is harmless. I'm not exactly sure, when it happens, though.
>>>> Saw it recently on one machine and made it disappear quickly, but wasn't
>>>> sure how I did that. Check the ownership of quarantine files and what you
>>>> set in MailScanner.conf. There's probably a mismatch, so that the learning
>>>> happens as user root.
>>>>
>>>> Kai
>>>
>>> In my MailScanner:
>>> quarantine user = root
>>> quarantine group = apache
>>> quarantine permission = 0660
>>> run as user = postfix
>>> run as group = postfix
>>>
>>> My quarantine folder:
>>> user = postfix
>>> group = apache
>>> permission: r/w user rws group
>>>
>>> Do I have to change the quarantine user?
>>>
>>
>> If you indeed run Postfix, your quarantine user is wrong. It should be
>> set to "postfix", and the permissions on the quarantine (and all
>> files/directories under it) should be amended accordingly.
>> As is, the error (harmless or not) stems from that misconfig.
>>
>> Cheers
>>
>
> I changed the quarantine user to postfix but it is still giving the same error:
>
> SA Learn: config: path "/root/.spamassassin" is inaccessible: Permission
> denied, Learned tokens from 0 message(s) (1 message(s) examined)
>
> I also restarted MailScanner and Apache.
> The quarantine folder and files have the same permissions. postfix:apache
>
> --
> Lorenzo Santi
> aura srl
>

make sure /etc/mail/spamassassin/mailscanner.cf is a symbolic link to
/etc/MailScanner/spam.assassin.prefs.conf

--
Martin Hepworth
Oxford, UK

From tmaletic at gmail.com Thu Feb 5 17:16:33 2009
From: tmaletic at gmail.com (Tim Maletic)
Date: Thu Feb 5 17:16:43 2009
Subject: quarantine to email address instead of folder
Message-ID: <70a8021e0902050916i5961d5a1ida9162531f97c4f7@mail.gmail.com>

I would like to be able to configure MailScanner to quarantine all
virus-infected (and MCP-tagged) messages to a remote email address via
a forward, as clamav-milter can do with its "--quarantine=[address]"
option. None of the options in MailScanner.conf seem right for this.
Is there a way to do this?

-tm

From theodrake.mailscanner at gmail.com Thu Feb 5 17:19:25 2009
From: theodrake.mailscanner at gmail.com (Ed Bruce)
Date: Thu Feb 5 17:20:09 2009
Subject: REJECT RBL at MTA level
In-Reply-To: <4989E0F0.7010500@coders.co.uk>
References: <2046836380638978055@unknownmsgid> <24e3d2e40902040920y44d66287i6b59e6eec162c7d1@mail.gmail.com> <4989E0F0.7010500@coders.co.uk>
Message-ID: <498B1F9D.10503@gmail.com>

Matt wrote:
> Alex Neuman wrote:
>> http://tinyurl.com/d6otp3
>>
>> That could get you started.
>>
> PMSL!

I had to look that one up. At first I thought it had something to do
with my wife madly laughing at me :)

From maillists at conactive.com Thu Feb 5 17:31:57 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Thu Feb 5 17:32:08 2009
Subject: an sa learn problem?
In-Reply-To: <498B0DD4.6030607@argroup.it>
References: <498AAAF4.901@argroup.it> <498AE674.2090408@argroup.it> <223f97700902050544g6c19e8bfh2ea42798cf423856@mail.gmail.com> <498B0DD4.6030607@argroup.it>
Message-ID:

Lorenzo wrote on Thu, 05 Feb 2009 17:03:32 +0100:

> i also restart mailscanner and apache.

restart or reload?

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From micoots at yahoo.com Fri Feb 6 05:10:12 2009
From: micoots at yahoo.com (Michael Mansour)
Date: Fri Feb 6 05:10:23 2009
Subject: Mailscanner logging to syslog, only partial to mail.log, driving me nuts
In-Reply-To: <057b01c98797$cd9b7aa0$68d26fe0$@com>
Message-ID: <235505.65096.qm@web33305.mail.mud.yahoo.com>

Hi Greg,

> From: Greg Deputy
> Subject: RE: Mailscanner logging to syslog, only partial to mail.log, driving me nuts
> To: "'MailScanner discussion'"
> Received: Friday, 6 February, 2009, 12:44 AM
> Yes, I've looked there, nothing seems unusual, and
> I've not changed anything in there.

Two things:

1. please don't top-post, it makes it difficult for people in the future
going through list archives and trying to follow a conversation thread.

2. please post your syslog.conf. I've recently been doing a lot of syslog
work (out of necessity) to fix very similar issues, and it all turned out to
be the syslog config I had in place. Hopefully I'll be able to help.

Michael.

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On
> Behalf Of Kai Schaetzl
> Sent: Thursday, February 05, 2009 3:31 AM
> To: mailscanner@lists.mailscanner.info
> Subject: Re: Mailscanner logging to syslog, only partial to
> mail.log, driving me nuts
>
> Greg Deputy wrote on Wed, 4 Feb 2009 23:50:51 -0800:
>
> > I've had a logging issue going on for a while with MailScanner. In my
> > /var/log/mail.log file I'm only getting postfix messages, where all the
> > MailScanner messages seem to be going into /var/log/syslog. I've checked
> > the mailscanner config, and the syslog facility set is 'mail' and syslog
> > seems to be setup and config'd correctly. I used to get all logging in
> > mail.log as expected, but at some point it stopped.
>
> check your /etc/syslog.conf
>
> Kai
>
> --
> Kai Schätzl, Berlin, Germany
> Get your web at Conactive Internet Services:
> http://www.conactive.com

From micoots at yahoo.com Fri Feb 6 05:17:12 2009
From: micoots at yahoo.com (Michael Mansour)
Date: Fri Feb 6 05:17:22 2009
Subject: Allow WebBug
Message-ID: <340207.65900.qm@web33306.mail.mud.yahoo.com>

Hi,

I have a client who asked for the disarmed messages to be removed from his
emails.

I searched through the MailScanner config and could only find areas which
would remove the disarmed message from the subject line, not the message
body.

Is there a way that the message can continue to be disarmed while not
showing the disarmed notification in the message body?

After discussing this with him, he asked that the "Allow WebBug" feature be
enabled for him. After configuring and setting the ruleset:

To: blah@blah.com no
FromOrTo: default disarm

a day went by with that and he then informed me that he was no longer
receiving HTML emails, but plain text for emails he knew were originally
HTML.

I tried to reproduce this problem but couldn't, so reverted him back to
disarmed emails.

Does anyone know of any bug with MailScanner that would cause the "Allow
WebBug" feature to strip HTML?

I haven't ruled out the possibility that he has a virus scanner installed on
his PC which may be doing this, but I also use MailWatch and when he
releases the email from MailWatch it comes through as HTML, while the
original send he says is only text based.

I'm using mailscanner-4.73.1-1

Any suggestions are appreciated.

Michael.

From joost at waversveld.nl Fri Feb 6 11:03:19 2009
From: joost at waversveld.nl (Joost Waversveld)
Date: Fri Feb 6 11:03:49 2009
Subject: REJECT RBL at MTA level
In-Reply-To: <498B1F9D.10503@gmail.com>
References: <2046836380638978055@unknownmsgid> <24e3d2e40902040920y44d66287i6b59e6eec162c7d1@mail.gmail.com> <4989E0F0.7010500@coders.co.uk> <498B1F9D.10503@gmail.com>
Message-ID: <498C18F7.2030400@waversveld.nl>

http://tinyurl.com/baygyd

That could get you started! ;-)

Ed Bruce wrote:
> Matt wrote:
>> Alex Neuman wrote:
>>> http://tinyurl.com/d6otp3
>>>
>>> That could get you started.
>>>
>> PMSL!
> I had to look that one up. At first I thought it had something to do
> with my wife madly laughing at me :)

--
Joost Waversveld

From glenn.steen at gmail.com Fri Feb 6 12:38:00 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Feb 6 12:38:09 2009
Subject: quarantine to email address instead of folder
In-Reply-To: <70a8021e0902050916i5961d5a1ida9162531f97c4f7@mail.gmail.com>
References: <70a8021e0902050916i5961d5a1ida9162531f97c4f7@mail.gmail.com>
Message-ID: <223f97700902060438l5b65b5a8p460e35c1643b8ebc@mail.gmail.com>

2009/2/5 Tim Maletic :
> I would like to be able to configure MailScanner to quarantine all
> virus-infected (and MCP-tagged) messages to a remote email address via
> a forward, as clamav-milter can do with its "--quarantine=[address]"
> option. None of the options in MailScanner.conf seem right for this.
> Is there a way to do this? -tm

For Spam and MCP? Yes. For Viruses? AFAIK... No.
What would be the point of forwarding possibly harmful viruses?

For Spam/MCP, or the new & preferred SpamAssassin rule hit actions... Just
specify a forward (with an address) instead of store/delete.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Fri Feb 6 12:52:34 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Feb 6 12:52:43 2009
Subject: Allow WebBug
In-Reply-To: <340207.65900.qm@web33306.mail.mud.yahoo.com>
References: <340207.65900.qm@web33306.mail.mud.yahoo.com>
Message-ID: <223f97700902060452i7a6f4c71i1e47e80cba7a0e9@mail.gmail.com>

2009/2/6 Michael Mansour :
> Hi,
>
> I have a client who asked for the disarmed messages to be removed from his emails.
>
> I searched through the MailScanner config and could only find areas which would remove the disarmed message from the subject line, not the message body.
>
> Is there a way that the message can continue to be disarmed while not showing the disarmed notification in the message body?
>
> After discussing this with him, he asked that the "Allow WebBug" feature be enabled for him. After configuring and setting the ruleset:
>
> To: blah@blah.com no
> FromOrTo: default disarm
>
> a day went by with that and he then informed me that he was no longer receiving HTML emails, but plain text for emails he knew were originally HTML.
>
> I tried to reproduce this problem but couldn't, so reverted him back to disarmed emails.
>
> Does anyone know of any bug with MailScanner that would cause the "Allow WebBug" feature to strip HTML?
>
> I haven't ruled out the possibility that he has a virus scanner installed on his PC which may be doing this, but I also use MailWatch and when he releases the email from MailWatch it comes through as HTML, while the original send he says is only text based.
>
> I'm using mailscanner-4.73.1-1
>
> Any suggestions are appreciated.
>
> Michael.
>

Hello Michael,

Why not set it to use with Jules nice ... replacement gif? If you have
Web Bug Replacement = http://www.mailscanner.tv/1x1spacer.gif
With that, the evil "counters" will be replaced with Jules nice well-behaved one:). I've never seen that generating any "Disarmed" notices in the actual code.
What can, and do, happen with the various "disarmaments" MS can do is that it might invalidate a block of code, so that the code block get interpreted as plain text. I've mostly seen that with script tags (which I disarm).

I've never informed my users of disarmament via the Subject line rewriting. It would only cause unwarranted anxiety:-).

I think you should look long and hard at what the implications are of setting "Convert Dangerous HTML To Text = yes" in conjunction with the disarm instructions. I have that set to "no", even though that might open a small window of opportunity for the bad guys.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From tmaletic at gmail.com Fri Feb 6 13:14:07 2009
From: tmaletic at gmail.com (Tim Maletic)
Date: Fri Feb 6 13:14:16 2009
Subject: quarantine to email address instead of folder
In-Reply-To: <223f97700902060438l5b65b5a8p460e35c1643b8ebc@mail.gmail.com>
References: <70a8021e0902050916i5961d5a1ida9162531f97c4f7@mail.gmail.com> <223f97700902060438l5b65b5a8p460e35c1643b8ebc@mail.gmail.com>
Message-ID: <70a8021e0902060514j7471860fob566ee51703c0f31@mail.gmail.com>

On Fri, Feb 6, 2009 at 7:38 AM, Glenn Steen wrote:
> For Spam and MCP? Yes. For Viruses? AFAIK... No.
> What would be the point of forwarding possibly harmful viruses?

I don't know, ask the clamav-milter authors. :)

Seriously, I don't want to forward viruses, I want to forward messages that match clamav's "structured data" signatures, aka DLP. I want to redirect these messages to an SSL-protected web mail app.

From ipcopper.ph at gmail.com Fri Feb 6 13:28:07 2009
From: ipcopper.ph at gmail.com (jan gestre)
Date: Fri Feb 6 13:28:19 2009
Subject: MailScanner suddenly stopped working and screwed up everything
Message-ID:

Hi Guys,

I've several mail servers running (postfix + dovecot + mysql + mailscanner) that has been up for a long time now and suddenly it stopped working one by one. It began by users experiencing bouncing emails even though the user exist then it became worse, all emails is now being tagged as spam even those from yahoo and gmail. I suspect MailScanner might be causing the issue so I turned it off but the server keep on rejecting emails because of postfix's smtpd_client_restrictions rule that blocks emails if it came from an ip address listed on spamhaus.org, but after disabling that parameter emails from sites like yahoo and gmail still gets blocked according to postfix it's listed in sbl-xbl list, I know for a fact that this shouldn't suppose to happen but it did. Anybody ever experienced this? What's the workaround, I'm stumped, I have no idea why it suddenly got screwed.

TIA

Jan

From maxsec at gmail.com Fri Feb 6 14:56:50 2009
From: maxsec at gmail.com (Martin Hepworth)
Date: Fri Feb 6 14:57:21 2009
Subject: MailScanner suddenly stopped working and screwed up everything
In-Reply-To:
References:
Message-ID: <72cf361e0902060656t5e899d32m856a3f76d40847da@mail.gmail.com>

2009/2/6 jan gestre :
> Hi Guys,
>
> I've several mail servers running (postfix + dovecot + mysql +
> mailscanner) that has been up for a long time now and suddenly it
> stopped working one by one. It began by users experiencing bouncing
> emails even though the user exist then it became worse, all emails is
> now being tagged as spam even those from yahoo and gmail. I suspect
> MailScanner might be causing the issue so I turned it off but the
> server keep on rejecting emails because of postfix's
> smtpd_client_restrictions rule that blocks emails if it came from an
> ip address listed on spamhaus.org, but after disabling that parameter
> emails from sites like yahoo and gmail still gets blocked according to
> postfix it's listed in sbl-xbl list, I know for a fact that this
> shouldn't suppose to happen but it did. Anybody ever experienced this?
> What's the workaround, I'm stumped, I have no idea why it suddenly got
> screwed.
>
> TIA
>
> Jan
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

Jan

do you pay for the spamhaus feed? If not this could be the problem..

http://www.spamhaus.org/organization/dnsblusage.html

--
Martin Hepworth
Oxford, UK

From glenn.steen at gmail.com Fri Feb 6 15:13:13 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Feb 6 15:13:22 2009
Subject: quarantine to email address instead of folder
In-Reply-To: <70a8021e0902060514j7471860fob566ee51703c0f31@mail.gmail.com>
References: <70a8021e0902050916i5961d5a1ida9162531f97c4f7@mail.gmail.com> <223f97700902060438l5b65b5a8p460e35c1643b8ebc@mail.gmail.com> <70a8021e0902060514j7471860fob566ee51703c0f31@mail.gmail.com>
Message-ID: <223f97700902060713p41873bb7y7c9839747352ed51@mail.gmail.com>

2009/2/6 Tim Maletic :
> On Fri, Feb 6, 2009 at 7:38 AM, Glenn Steen wrote:
>> For Spam and MCP? Yes. For Viruses? AFAIK... No.
>> What would be the point of forwarding possibly harmful viruses?
>
> I don't know, ask the clamav-milter authors. :)

:-)

> Seriously, I don't want to forward viruses, I want to forward messages
> that match clamav's "structured data" signatures, aka DLP. I want to
> redirect these messages to an SSL-protected web mail app.

In that case... I think you can get the functionality needed by using the ClamAV SpamAssassin module(!) instead of calling it from MailScanner, then use a SpamAssassin rule hit action to forward the specific email on to the web-mail app (or just deliver, or whatever). Kind of backward, in a sense, but ... doable:-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From ecasarero at gmail.com Fri Feb 6 17:46:20 2009
From: ecasarero at gmail.com (Eduardo Casarero)
Date: Fri Feb 6 17:46:31 2009
Subject: how to disable this line of log
Message-ID: <7d9b3cf20902060946o7b6a7f81lbf2edd1d745ddd04@mail.gmail.com>

Is there a way to disable these messages?

Feb 6 04:49:07 xxxx MailScanner[2043]: Non-delivery of spam: message n169n3ii019910 from ftcerxxxxxx@xxx to xxxx@xxxxxx with subject Drug Erectile

I've just upgraded to latest stable version and these messages started to appear. I reviewed MailScanner.conf but I couldn't find the value to disable this.

Thanks!

From max at assuredata.com Fri Feb 6 19:45:31 2009
From: max at assuredata.com (Max Kipness)
Date: Fri Feb 6 19:47:07 2009
Subject: user@domain.com spam?
Message-ID: <11375BD8FE838A409E10DB32B9BFFE9B19FB75@addc01.assuredata.local>

Today I noticed that all of a sudden email was delayed by quite a bit. When I ran my queue script I realized there were over 7k emails waiting in the inbound queue. Also when running dmesg, I got:

possible SYN flooding on port 25. Sending cookies.

This was printed about 20 times.

In the maillog, I found tons emails from 'user@domain.com', literally.

I've now entered:

user@domain.com DISCARD

in /etc/mail/access

This seems to be stopping them for now, but I have thousands in the incoming still that I guess need to be quarantined as spam yet.

Has anybody else seen this? Is this an attack of some sort? Each email seems to be from a different IP even though they all say they are from user@domain.com.

Max

From ka at pacific.net Fri Feb 6 20:18:41 2009
From: ka at pacific.net (Ken A)
Date: Fri Feb 6 20:19:03 2009
Subject: user@domain.com spam?
In-Reply-To: <11375BD8FE838A409E10DB32B9BFFE9B19FB75@addc01.assuredata.local>
References: <11375BD8FE838A409E10DB32B9BFFE9B19FB75@addc01.assuredata.local>
Message-ID: <498C9B21.6010906@pacific.net>

Max Kipness wrote:
> Today I noticed that all of a sudden email was delayed by quite a bit.
> When I ran my queue script I realized there were over 7k emails waiting
> in the inbound queue. Also when running dmesg, I got:
>
>
>
> possible SYN flooding on port 25. Sending cookies.
>
>
>
> This was printed about 20 times.
>
>
>
> In the maillog, I found tons emails from 'user@domain.com', literally.
>
>

Yep, seeing that one here too.
Thanks for the heads up.
I'm blocking it now with a 550 error.
Ken

>
> I've now entered:
>
>
>
> user@domain.com DISCARD
>
>
>
> in /etc/mail/access
>
>
>
> This seems to be stopping them for now, but I have thousands in the
> incoming still that I guess need to be quarantined as spam yet.
>
>
>
> Has anybody else seen this? Is this an attack of some sort? Each email
> seems to be from a different IP even though they all say they are from
> user@domain.com.
>
>
>
> Max
>
>
>

From ipcopper.ph at gmail.com Sat Feb 7 01:31:54 2009
From: ipcopper.ph at gmail.com (jan gestre)
Date: Sat Feb 7 01:32:05 2009
Subject: MailScanner suddenly stopped working and screwed up everything
In-Reply-To: <72cf361e0902060656t5e899d32m856a3f76d40847da@mail.gmail.com>
References: <72cf361e0902060656t5e899d32m856a3f76d40847da@mail.gmail.com>
Message-ID:

On Fri, Feb 6, 2009 at 10:56 PM, Martin Hepworth wrote:
> 2009/2/6 jan gestre :
>> Hi Guys,
>>
>> I've several mail servers running (postfix + dovecot + mysql +
>> mailscanner) that has been up for a long time now and suddenly it
>> stopped working one by one. It began by users experiencing bouncing
>> emails even though the user exist then it became worse, all emails is
>> now being tagged as spam even those from yahoo and gmail. I suspect
>> MailScanner might be causing the issue so I turned it off but the
>> server keep on rejecting emails because of postfix's
>> smtpd_client_restrictions rule that blocks emails if it came from an
>> ip address listed on spamhaus.org, but after disabling that parameter
>> emails from sites like yahoo and gmail still gets blocked according to
>> postfix it's listed in sbl-xbl list, I know for a fact that this
>> shouldn't suppose to happen but it did. Anybody ever experienced this?
>> What's the workaround, I'm stumped, I have no idea why it suddenly got
>> screwed.
>>
>> TIA
>>
>> Jan
>> --
>> MailScanner mailing list
>> mailscanner@lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>
>
> Jan
>
> do you pay for the spamhaus feed? If not this could be the problem..
>
> http://www.spamhaus.org/organization/dnsblusage.html
>

I've read the dnsblusage from spamhaus and I'm sure the volume of emails we're getting is nowhere near that number.
Here's an info of one of the servers:

Volume: 2000++ messages/day 4 virtual domains

Hardware: AMD Athlon 64 X2 4800, 4GB RAM, 250GB Raid 5.

Software: CentOS 5, Postfix, Dovecot, MySQL, PostfixAdmin, SpamAssassin

RBLs: MTA, MailScanner

Virus Scanners: F-Prot Anti virus

Is there's a way to uninstall MailScanner?

TIA

From greg at blastzone.com Sat Feb 7 01:38:29 2009
From: greg at blastzone.com (Greg Deputy)
Date: Sat Feb 7 01:38:34 2009
Subject: Mailscanner logging to syslog, only partial to mail.log, driving me nuts
In-Reply-To: <235505.65096.qm@web33305.mail.mud.yahoo.com>
References: <057b01c98797$cd9b7aa0$68d26fe0$@com> <235505.65096.qm@web33305.mail.mud.yahoo.com>
Message-ID: <0ab701c988c4$c73cade0$55b609a0$@com>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Michael Mansour
> Sent: Thursday, February 05, 2009 9:10 PM
> To: MailScanner discussion
> Subject: RE: Mailscanner logging to syslog, only partial to mail.log, driving
> me nuts
>
> Hi Greg,
>
> > From: Greg Deputy
> > Subject: RE: Mailscanner logging to syslog, only partial to mail.log,
> driving me nuts
> > To: "'MailScanner discussion'"
> > Received: Friday, 6 February, 2009, 12:44 AM
> > Yes, I've looked there, nothing seems unusual, and
> > I've not changed anything in there.
>
> Two things:
>
> 1. please don't top-post, it makes it difficult for people in the future going
> through list archives and trying to follow a conversation thread.
>
> 2. please post your syslog.conf. I've recently been doing a lot of syslog work
> (out of necessity) to fix very similar issues, and it all turned out to be the
> syslog config I had in place.
>
> Hopefully I'll be able to help.
>
> Michael.
>
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info
> > [mailto:mailscanner-bounces@lists.mailscanner.info] On
> > Behalf Of Kai
> > Schaetzl
> > Sent: Thursday, February 05, 2009 3:31 AM
> > To: mailscanner@lists.mailscanner.info
> > Subject: Re: Mailscanner logging to syslog, only partial to
> > mail.log,
> > driving me nuts
> >
> > Greg Deputy wrote on Wed, 4 Feb 2009 23:50:51 -0800:
> >
> > > I've had a logging issue going on for a while with
> > MailScanner. In my
> > > /var/log/mail.log file I'm only getting postfix
> > messages, where all the
> > > MailScanner messages seem to be going into
> > /var/log/syslog. I've checked
> > > the mailscanner config, and the syslog facility set is
> > 'mail' and syslog
> > > seems to be setup and config'd correctly. I used
> > to get all logging in
> > > mail.log as expected, but at some point is stopped.
> >
> > check your /etc/syslog.conf
> >
> > Kai
> >
> > --
> > Kai Schätzl, Berlin, Germany
> > Get your web at Conactive Internet Services:
> > http://www.conactive.com
> >
> >
> >
> > --
> > MailScanner mailing list
> > mailscanner@lists.mailscanner.info
> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >
> > Before posting, read http://wiki.mailscanner.info/posting
> >
> > Support MailScanner development - buy the book off the
> > website!
> > --
> > MailScanner mailing list
> > mailscanner@lists.mailscanner.info
> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >
> > Before posting, read http://wiki.mailscanner.info/posting
> >
> > Support MailScanner development - buy the book off the
> > website!
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

Thanks!
The syslog was attached to the message you replied to, here it is below:

#  /etc/syslog.conf     Configuration file for syslogd.
#
#                       For more information see syslog.conf(5)
#                       manpage.

#
# First some standard logfiles. Log by facility.
#

auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
#cron.*                         /var/log/cron.log
daemon.*                        -/var/log/daemon.log
kern.*                          -/var/log/kern.log
lpr.*                           -/var/log/lpr.log
mail.*                          -/var/log/mail.log
user.*                          -/var/log/user.log
uucp.*                          /var/log/uucp.log

#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info                       -/var/log/mail.info
mail.warn                       -/var/log/mail.warn
mail.err                        /var/log/mail.err

# Logging for INN news system
#
news.crit                       /var/log/news/news.crit
news.err                        /var/log/news/news.err
news.notice                     -/var/log/news/news.notice

#
# Some `catch-all' logfiles.
#
*.=debug;\
        auth,authpriv.none;\
        news.none;mail.none     -/var/log/debug
*.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,news.none          -/var/log/messages

#
# Emergencies are sent to everybody logged in.
#
*.emerg                         *

#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
#       news.=crit;news.=err;news.=notice;\
#       *.=debug;*.=info;\
#       *.=notice;*.=warn       /dev/tty8

# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
# you must invoke `xconsole' with the `-file' option:
#
#    $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
#      busy site..
#
daemon.*;mail.*;\
        news.crit;news.err;news.notice;\
        *.=debug;*.=info;\
        *.=notice;*.=warn       |/dev/xconsole

From traced at xpear.de Sat Feb 7 09:54:19 2009
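To see which destinations a message reaches under the syslog.conf posted above, the selector rules can be evaluated directly. This is an added example, not code from the thread or from MailScanner; it assumes classic sysklogd selector semantics as described in syslog.conf(5), and the function names are made up for the illustration.

```python
# Added example: evaluate sysklogd-style selectors (assumed semantics per
# syslog.conf(5)) to list every destination a facility.priority pair reaches.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}
FACILITIES = ["auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "news",
              "syslog", "user", "uucp"] + ["local%d" % n for n in range(8)]

# Active rules of the file posted above (comment lines dropped).
POSTED_CONF = r"""
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
daemon.*                        -/var/log/daemon.log
kern.*                          -/var/log/kern.log
lpr.*                           -/var/log/lpr.log
mail.*                          -/var/log/mail.log
user.*                          -/var/log/user.log
uucp.*                          /var/log/uucp.log
mail.info                       -/var/log/mail.info
mail.warn                       -/var/log/mail.warn
mail.err                        /var/log/mail.err
news.crit                       /var/log/news/news.crit
news.err                        /var/log/news/news.err
news.notice                     -/var/log/news/news.notice
*.=debug;\
        auth,authpriv.none;\
        news.none;mail.none     -/var/log/debug
*.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,news.none          -/var/log/messages
*.emerg                         *
daemon.*;mail.*;\
        news.crit;news.err;news.notice;\
        *.=debug;*.=info;\
        *.=notice;*.=warn       |/dev/xconsole
"""


def logical_lines(text):
    """Skip comments, join backslash continuations, yield (selectors, action)."""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1].strip()
            continue
        selectors, action = (pending + line).split(None, 1)
        pending = ""
        yield selectors, action.strip()


def priority_mask(selectors):
    """Apply the ';'-separated selectors left to right, later ones refine earlier."""
    mask = {fac: set() for fac in FACILITIES}
    for selector in filter(None, selectors.split(";")):
        facs, pri = selector.rsplit(".", 1)
        negate, pri = pri.startswith("!"), pri.lstrip("!")
        exact, pri = pri.startswith("="), pri.lstrip("=")
        pri = ALIASES.get(pri, pri)
        if pri == "*":
            chosen = set(PRIORITIES)
        elif pri == "none":
            chosen = None                       # "none" wipes earlier matches
        elif exact:
            chosen = {pri}                      # "=pri": that priority only
        else:                                   # "pri": pri and anything more severe
            chosen = set(PRIORITIES[:PRIORITIES.index(pri) + 1])
        for fac in (FACILITIES if facs == "*" else facs.split(",")):
            current = mask.setdefault(fac, set())
            if chosen is None:
                current.clear()
            elif negate:
                current -= chosen
            else:
                current |= chosen
    return mask


def destinations(conf_text, facility, priority):
    """Every action whose selector list accepts facility.priority, in file order."""
    priority = ALIASES.get(priority, priority)
    return [action for selectors, action in logical_lines(conf_text)
            if priority in priority_mask(selectors).get(facility, set())]


if __name__ == "__main__":
    for fac in ("mail", "local0"):
        print(fac + ".info ->", destinations(POSTED_CONF, fac, "info"))
```

Under these rules a mail.info message is written to both /var/log/syslog and /var/log/mail.log, while something logged as local0.info reaches /var/log/syslog and /var/log/messages but never mail.log.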
From: traced at xpear.de (traced)
Date: Sat Feb 7 09:54:30 2009
Subject: MailScanner suddenly stopped working and screwed up everything
In-Reply-To:
References: <72cf361e0902060656t5e899d32m856a3f76d40847da@mail.gmail.com>
Message-ID: <498D5A4B.7080108@xpear.de>

jan gestre wrote:
> On Fri, Feb 6, 2009 at 10:56 PM, Martin Hepworth wrote:
>> 2009/2/6 jan gestre :
>>> Hi Guys,
>>>
>>> I've several mail servers running (postfix + dovecot + mysql +
>>> mailscanner) that has been up for a long time now and suddenly it
>>> stopped working one by one. It began by users experiencing bouncing
>>> emails even though the user exist then it became worse, all emails is
>>> now being tagged as spam even those from yahoo and gmail. I suspect
>>> MailScanner might be causing the issue so I turned it off but the
>>> server keep on rejecting emails because of postfix's
>>> smtpd_client_restrictions rule that blocks emails if it came from an
>>> ip address listed on spamhaus.org, but after disabling that parameter
>>> emails from sites like yahoo and gmail still gets blocked according to
>>> postfix it's listed in sbl-xbl list, I know for a fact that this
>>> shouldn't suppose to happen but it did. Anybody ever experienced this?
>>> What's the workaround, I'm stumped, I have no idea why it suddenly got
>>> screwed.
>>>
>>> TIA
>>>
>>> Jan
>>> --
>>> MailScanner mailing list
>>> mailscanner@lists.mailscanner.info
>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>
>>> Before posting, read http://wiki.mailscanner.info/posting
>>>
>>> Support MailScanner development - buy the book off the website!
>>>
>> Jan
>>
>> do you pay for the spamhaus feed? If not this could be the problem..
>>
>> http://www.spamhaus.org/organization/dnsblusage.html
>>
>
> I've read the dnsblusage from spamhaus and I'm sure the volume of
> emails we're getting is nowhere near that number.
Here's an info of
> one of the servers:
>
> Volume: 2000++ messages/day 4 virtual domains
>
> Hardware: AMD Athlon 64 X2 4800, 4GB RAM, 250GB Raid 5.
>
> Software: CentOS 5, Postfix, Dovecot, MySQL, PostfixAdmin, SpamAssassin
>
> RBLs: MTA, MailScanner
>
> Virus Scanners: F-Prot Anti virus
>
> Is there's a way to uninstall MailScanner?
>
> TIA

Hmm... uninstalling isn't the best way to solve problems :)

You could "bypass" mailscanner, just remove the "hold" command in the header checks, but, so you will never know what the failure was, and maybe do the same failure in the next installation again!?

Regards,
Bastian

From maillists at conactive.com Sat Feb 7 14:06:36 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Sat Feb 7 14:06:48 2009
Subject: Mailscanner logging to syslog, only partial to mail.log, driving me nuts
In-Reply-To: <0ab701c988c4$c73cade0$55b609a0$@com>
References: <057b01c98797$cd9b7aa0$68d26fe0$@com> <235505.65096.qm@web33305.mail.mud.yahoo.com> <0ab701c988c4$c73cade0$55b609a0$@com>
Message-ID:

Greg Deputy wrote on Fri, 6 Feb 2009 17:38:29 -0800:

> *.*;auth,authpriv.none -/var/log/syslog

There you go, isn't that *very* obvious? Btw, looks very much like *you* added this line.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Sat Feb 7 14:06:36 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Sat Feb 7 14:06:49 2009
Subject: MailScanner suddenly stopped working and screwed up everything
In-Reply-To:
References: <72cf361e0902060656t5e899d32m856a3f76d40847da@mail.gmail.com>
Message-ID:

Jan gestre wrote on Sat, 7 Feb 2009 09:31:54 +0800:

> Is there's a way to uninstall MailScanner?

uninstall it. Or stop it and then start postfix only. Easy.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Sat Feb 7 14:06:36 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Sat Feb 7 14:06:49 2009
Subject: MailScanner suddenly stopped working and screwed up everything
In-Reply-To:
References: <72cf361e0902060656t5e899d32m856a3f76d40847da@mail.gmail.com>
Message-ID:

Jan gestre wrote on Sat, 7 Feb 2009 09:31:54 +0800:

> Is there's a way to uninstall MailScanner?

You said you had a problem in postfix, right? Then fix it. And particularly with RBLs. What has this to do with MailScanner? If you need help with postfix there are newsgroups and mailing lists.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From alex at rtpty.com Sat Feb 7 14:51:45 2009
From: alex at rtpty.com (Alex Neuman)
Date: Sat Feb 7 14:51:54 2009
Subject: user@domain.com spam?
In-Reply-To: <498C9B21.6010906@pacific.net>
References: <11375BD8FE838A409E10DB32B9BFFE9B19FB75@addc01.assuredata.local> <498C9B21.6010906@pacific.net>
Message-ID: <24e3d2e40902070651u6549399n1998f6f4560cd240@mail.gmail.com>

Yeah, DISCARD "gets" the message and then discards it. Uses your bandwidth and resources. You might want to do a REJECT instead.

On Fri, Feb 6, 2009 at 3:18 PM, Ken A wrote:
> Max Kipness wrote:
>
>> Today I noticed that all of a sudden email was delayed by quite a bit.
>> When I ran my queue script I realized there were over 7k emails waiting
>> in the inbound queue. Also when running dmesg, I got:
>>
>>
>> possible SYN flooding on port 25. Sending cookies.
>>
>>
>> This was printed about 20 times.
>>
>>
>> In the maillog, I found tons emails from 'user@domain.com', literally.
>>
>>
>>
>
> Yep, seeing that one here too.
> Thanks for the heads up.
> I'm blocking it now with a 550 error.
> Ken
>
>
>
>
>> I've now entered:
>>
>>
>> user@domain.com DISCARD
>>
>>
>> in /etc/mail/access
>>
>> This seems to be stopping them for now, but I have thousands in the
>> incoming still that I guess need to be quarantined as spam yet.
>>
>>
>> Has anybody else seen this? Is this an attack of some sort? Each email
>> seems to be from a different IP even though they all say they are from
>> user@domain.com.
>>
>>
>> Max
>>
>>
>>
>>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

From glenn.steen at gmail.com Sat Feb 7 18:58:20 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Feb 7 18:58:30 2009
Subject: MailScanner suddenly stopped working and screwed up everything
In-Reply-To:
References: <72cf361e0902060656t5e899d32m856a3f76d40847da@mail.gmail.com>
Message-ID: <223f97700902071058w6418add0re066d74b147ecc69@mail.gmail.com>

2009/2/7 jan gestre :
> On Fri, Feb 6, 2009 at 10:56 PM, Martin Hepworth wrote:
>> 2009/2/6 jan gestre :
>>> Hi Guys,
>>>
>>> I've several mail servers running (postfix + dovecot + mysql +
>>> mailscanner) that has been up for a long time now and suddenly it
>>> stopped working one by one. It began by users experiencing bouncing
>>> emails even though the user exist then it became worse, all emails is
>>> now being tagged as spam even those from yahoo and gmail. I suspect
>>> MailScanner might be causing the issue so I turned it off but the
>>> server keep on rejecting emails because of postfix's
>>> smtpd_client_restrictions rule that blocks emails if it came from an
>>> ip address listed on spamhaus.org, but after disabling that parameter
>>> emails from sites like yahoo and gmail still gets blocked according to
>>> postfix it's listed in sbl-xbl list, I know for a fact that this
>>> shouldn't suppose to happen but it did. Anybody ever experienced this?
>>> What's the workaround, I'm stumped, I have no idea why it suddenly got
>>> screwed.
>>>
>>> TIA
>>>
>>> Jan
>>> --
>>> MailScanner mailing list
>>> mailscanner@lists.mailscanner.info
>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>
>>> Before posting, read http://wiki.mailscanner.info/posting
>>>
>>> Support MailScanner development - buy the book off the website!
>>>
>>
>> Jan
>>
>> do you pay for the spamhaus feed? If not this could be the problem..
>>
>> http://www.spamhaus.org/organization/dnsblusage.html
>>
>
> I've read the dnsblusage from spamhaus and I'm sure the volume of
> emails we're getting is nowhere near that number.
Here's an info of

But if you use a forwarder for your lookups, that one might have been blocked by them. Did you check if a manual lookup works?
(snip)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From ipcopper.ph at gmail.com Sun Feb 8 02:04:21 2009
From: ipcopper.ph at gmail.com (jan gestre)
Date: Sun Feb 8 02:04:31 2009
Subject: MailScanner suddenly stopped working and screwed up everything
In-Reply-To: <223f97700902071058w6418add0re066d74b147ecc69@mail.gmail.com>
References: <72cf361e0902060656t5e899d32m856a3f76d40847da@mail.gmail.com> <223f97700902071058w6418add0re066d74b147ecc69@mail.gmail.com>
Message-ID:

On Sun, Feb 8, 2009 at 2:58 AM, Glenn Steen wrote:
> 2009/2/7 jan gestre :
>> On Fri, Feb 6, 2009 at 10:56 PM, Martin Hepworth wrote:
>>> 2009/2/6 jan gestre :
>>>> Hi Guys,
>>>>
>>>> I've several mail servers running (postfix + dovecot + mysql +
>>>> mailscanner) that has been up for a long time now and suddenly it
>>>> stopped working one by one. It began by users experiencing bouncing
>>>> emails even though the user exist then it became worse, all emails is
>>>> now being tagged as spam even those from yahoo and gmail. I suspect
>>>> MailScanner might be causing the issue so I turned it off but the
>>>> server keep on rejecting emails because of postfix's
>>>> smtpd_client_restrictions rule that blocks emails if it came from an
>>>> ip address listed on spamhaus.org, but after disabling that parameter
>>>> emails from sites like yahoo and gmail still gets blocked according to
>>>> postfix it's listed in sbl-xbl list, I know for a fact that this
>>>> shouldn't suppose to happen but it did. Anybody ever experienced this?
>>>> What's the workaround, I'm stumped, I have no idea why it suddenly got
>>>> screwed.
>>>>
>>>> TIA
>>>>
>>>> Jan
>>>> --
>>>> MailScanner mailing list
>>>> mailscanner@lists.mailscanner.info
>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>
>>>> Before posting, read http://wiki.mailscanner.info/posting
>>>>
>>>> Support MailScanner development - buy the book off the website!
>>>>
>>>
>>> Jan
>>>
>>> do you pay for the spamhaus feed? If not this could be the problem..
>>>
>>> http://www.spamhaus.org/organization/dnsblusage.html
>>>
>>
>> I've read the dnsblusage from spamhaus and I'm sure the volume of
>> emails we're getting is nowhere near that number. Here's an info of
> But if you use a forwarder for your lookups, that one might have been
> blocked by them. Did you check if a manual lookup works?
> (snip)
>

I'm using OpenDNS for lookups, I don't see any problem with it.

I tried upgrading MailScanner to see if the old version was causing the problem, with spamhaus still disabled in postfix, it worked for a while but after enabling spamhaus at the MTA level, I'm back to the old problem. Disabled the spam check at the MTA level but emails are still bouncing, I'm stumped :(

For the meantime I've removed the HOLD in header checks as suggested by Bastian.

My other Mail Server has an identical configuration but it's not exhibiting this behavior.

From spamlists at coders.co.uk Sun Feb 8 10:10:37 2009
From: spamlists at coders.co.uk (Matt)
Date: Sun Feb 8 10:11:56 2009
Subject: Spam with 1Mb attachments
Message-ID: <498EAF9D.1000505@coders.co.uk>

Anyone seen this yet?

http://isc.sans.org/diary.html?storyid=5824

regards

matt

From maillists at conactive.com Sun Feb 8 10:31:15 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Sun Feb 8 10:31:29 2009
Subject: MailScanner suddenly stopped working and screwed up everything
In-Reply-To:
References: <72cf361e0902060656t5e899d32m856a3f76d40847da@mail.gmail.com> <223f97700902071058w6418add0re066d74b147ecc69@mail.gmail.com>
Message-ID:

Jan gestre wrote on Sun, 8 Feb 2009 10:04:21 +0800:

> Disabled the spam check at the MTA level but emails are
> still bouncing

MailScanner doesn't bounce unless you configure it to do so. If you meant to say "postfix rejects", again, this has nothing to do with MailScanner.

> My other Mail Server has an identical configuration but it's not
> exhibiting this behavior.

No, it surely does not have the same configuration. Or do you believe in magic?

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From ms-list at alexb.ch Sun Feb 8 10:35:06 2009
From: ms-list at alexb.ch (Alex Broens)
Date: Sun Feb 8 10:35:16 2009
Subject: Spam with 1Mb attachments
In-Reply-To: <498EAF9D.1000505@coders.co.uk>
References: <498EAF9D.1000505@coders.co.uk>
Message-ID: <498EB55A.6070909@alexb.ch>

On 2/8/2009 11:10 AM, Matt wrote:
> Anyone seen this yet?
>
> http://isc.sans.org/diary.html?storyid=5824
>
> regards
>
> matt

saw one hit a trap
made a ClamAV sig for it.
didn't see any more show up :-(

From viralert at fadalto.com Sun Feb 8 13:36:19 2009
From: viralert at fadalto.com (Phil)
Date: Sun Feb 8 13:36:31 2009
Subject: Sorry.. TEST
Message-ID: <20090208133546.M16474@yatta-it.com>

Sorry, I'm testing the outgoing mail to ML

Phil

From blessings83 at gmail.com Sun Feb 8 14:48:24 2009
From: blessings83 at gmail.com (Pardon Blessings Maoneke)
Date: Sun Feb 8 14:48:38 2009
Subject: Sorry.. TEST
In-Reply-To: <20090208133546.M16474@yatta-it.com>
References: <20090208133546.M16474@yatta-it.com>
Message-ID: <70ba75780902080648w522ade13t669b7b8953b84087@mail.gmail.com>

Am sure it's working well now, I got your test mail

On 2/8/09, Phil wrote:
>
> Sorry, i'm testing the outgoing mail to ML
>
> Phil
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

--
Regards,
Pardon Blessings Maoneke

From nwp at nz.lemon-computing.com Sun Feb 8 21:26:44 2009
From: nwp at nz.lemon-computing.com (Nick Phillips)
Date: Sun Feb 8 21:26:58 2009
Subject: MailScanner suddenly stopped working and screwed up everything
In-Reply-To:
References: <72cf361e0902060656t5e899d32m856a3f76d40847da@mail.gmail.com> <223f97700902071058w6418add0re066d74b147ecc69@mail.gmail.com>
Message-ID: <72B8A8E5-EBB9-4701-A7C4-CCF9C8BBE86D@nz.lemon-computing.com>

On 8/02/2009, at 11:31 PM, Kai Schaetzl wrote:

> Jan gestre wrote on Sun, 8 Feb 2009 10:04:21 +0800:
>
>> Disabled the spam check at the MTA level but emails are
>> still bouncing
>
> MailScanner doesn't bounce unless you configure it to do so. If you
> meant
> to say "postfix rejects", again, this has nothing to do with
> MailScanner.
>
>> My other Mail Server has an identical configuration but it's not
>> exhibiting this behavior.
>
> No, it surely does not have the same configuration. Or do you
> believe in
> magic?

If it has the same configuration then the "magic" is presumably that one of the RBLs is responding differently depending on the source of the query.

Cheers,

Nick

From traced at xpear.de Sun Feb 8 21:38:57 2009
From: traced at xpear.de (traced)
Date: Sun Feb 8 21:39:07 2009
Subject: MailScanner suddenly stopped working and screwed up everything
In-Reply-To: <72B8A8E5-EBB9-4701-A7C4-CCF9C8BBE86D@nz.lemon-computing.com>
References: <72cf361e0902060656t5e899d32m856a3f76d40847da@mail.gmail.com> <223f97700902071058w6418add0re066d74b147ecc69@mail.gmail.com> <72B8A8E5-EBB9-4701-A7C4-CCF9C8BBE86D@nz.lemon-computing.com>
Message-ID: <498F50F1.8090202@xpear.de>

Nick Phillips wrote:
>
> On 8/02/2009, at 11:31 PM, Kai Schaetzl wrote:
>
>> Jan gestre wrote on Sun, 8 Feb 2009 10:04:21 +0800:
>>
>>> Disabled the spam check at the MTA level but emails are
>>> still bouncing
>>
>> MailScanner doesn't bounce unless you configure it to do so. If you meant
>> to say "postfix rejects", again, this has nothing to do with MailScanner.
>>
>>> My other Mail Server has an identical configuration but it's not
>>> exhibiting this behavior.
>>
>> No, it surely does not have the same configuration. Or do you believe in
>> magic?
>
> If it has the same configuration then the "magic" is presumably that one
> of the RBLs is responding differently depending on the source of the query.
>
>
> Cheers,
>
>
> Nick

I would try to query each RBL you have configured on the affected machine
by hand, maybe that's really the problem.

Bastian

From techgeeks at tomaatman.org Mon Feb 9 01:54:52 2009
From: techgeeks at tomaatman.org (jeroen)
Date: Mon Feb 9 01:55:02 2009
Subject: bitdefender
Message-ID: <1c36dc9d8cbece66c09e213f895a8695@elmo>

I'm using MailScanner with BitDefender Antivirus Scanner for Unices
v7.90123.
To get scanning working I had to edit the path in virus.scanners.conf to
/opt/BitDefender-scanner/bin. After that it seems to work, the message gets
scanned and the EICAR test virus gets detected, but the infected mail
somehow isn't moved to the quarantine.
I also tested it with ClamAV and this works well.

Feb 9 02:40:16 pino MailScanner[16457]: New Batch: Scanning 1 messages, 2176 bytes
Feb 9 02:40:18 pino MailScanner[16457]: Virus and Content Scanning: Starting
Feb 9 02:40:22 pino MailScanner[16457]: /var/spool/MailScanner/incoming/16457/1670912E1BD.2CEAC/msg-16457-1.txt:infected: EICAR-Test-File (not a virus)
Feb 9 02:40:22 pino MailScanner[16457]: Virus Scanning: Bitdefender found 1 infections
Feb 9 02:40:22 pino MailScanner[16457]: Virus Scanning: Found 1 viruses
Feb 9 02:40:22 pino MailScanner[16457]: Requeue: 1670912E1BD.2CEAC to 9402712E1BE
Feb 9 02:40:22 pino postfix/qmgr[5178]: 9402712E1BE: from=<xxxx@xxxxx.org>, size=1481, nrcpt=1 (queue active)
Feb 9 02:40:22 pino MailScanner[16457]: Uninfected: Delivered 1 messages
Feb 9 02:40:22 pino MailScanner[16457]: Logging message 1670912E1BD.2CEAC to SQL
Feb 9 02:40:22 pino postfix/local[16677]: 9402712E1BE: to=<xxxx@xxxx.org>, relay=local, delay=7.5, delays=7.5/0.02/0/0.02, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail)
Feb 9 02:40:22 pino postfix/qmgr[5178]: 9402712E1BE: removed

Any thoughts on this?

/jeroen

From glenn.steen at gmail.com Mon Feb 9 08:11:42 2009
From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Feb 9 08:11:51 2009 Subject: bitdefender In-Reply-To: <1c36dc9d8cbece66c09e213f895a8695@elmo> References: <1c36dc9d8cbece66c09e213f895a8695@elmo> Message-ID: <223f97700902090011t3770a556rbfa2cdaecdb07045@mail.gmail.com> 2009/2/9 jeroen : > I'm using MailScanner with BitDefender Antivirus Scanner for Unices > v7.90123. > To get scanning working I had to edit the path in virus.scanners.conf to > /opt/BitDefender-scanner/bin. After that is seems to work, the message gets > scanned and the EICAR test virus gets detected, but the infected mail > somehow isn't moved to the quarantine. > I also tested it with ClamAV and this works well. > > Feb 9 02:40:16 pino MailScanner[16457]: New Batch: Scanning 1 messages, 2176 > bytes > Feb 9 02:40:18 pino MailScanner[16457]: Virus and Content Scanning: Starting > Feb 9 02:40:22 pino MailScanner[16457]: > /var/spool/MailScanner/incoming/16457/1670912E1BD.2CEAC/msg-16457-1.txt:infected: > EICAR-Test-File (not a virus) > Feb 9 02:40:22 pino MailScanner[16457]: Virus Scanning: Bitdefender found 1 > infections > Feb 9 02:40:22 pino MailScanner[16457]: Virus Scanning: Found 1 viruses > Feb 9 02:40:22 pino MailScanner[16457]: Requeue: 1670912E1BD.2CEAC to > 9402712E1BE > Feb 9 02:40:22 pino postfix/qmgr[5178]: 9402712E1BE: > from=<xxxx@xxxxx.org>, size=1481, nrcpt=1 (queue active) > Feb 9 02:40:22 pino MailScanner[16457]: Uninfected: Delivered 1 messages > Feb 9 02:40:22 pino MailScanner[16457]: Logging message 1670912E1BD.2CEAC to > SQL > Feb 9 02:40:22 pino postfix/local[16677]: 9402712E1BE: > to=<xxxx@xxxx.org>, relay=local, delay=7.5, delays=7.5/0.02/0/0.02, > dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail) > Feb 9 02:40:22 pino postfix/qmgr[5178]: 9402712E1BE: removed > > Any thoughts on this? > > /jeroen That is the "not so free" version of BDC, so ... that it needed amending in the virus.scanners.conf isn't surprising:-). 
What version of MailScanner are you using? ISTR some similar troubles a while back (for some AV scanners), that might've been fixed in a newer release. If you are fairly current (like the latest stable), you could always send a fully licensed version of it to Jules, so that he can fix any outstanding problems. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ismail at ismailozatay.net Mon Feb 9 15:11:10 2009 From: ismail at ismailozatay.net (Ismail OZATAY) Date: Mon Feb 9 15:11:17 2009 Subject: MailScanner with qmail Message-ID: <4990478E.3060504@ismailozatay.net> Hi there ; I am trying to implement qmail with mailscanner. I tried a patch in http://qms.ausics.net web page. I read and applied all intructions on this page but could not worked. After I applied this patch server accepts mail but do not send anywhere , i mean put inboxes. Is there anybody using qmail with mailscanner without any problem ? Regards, ismail From ismail at ismailozatay.net Mon Feb 9 15:27:10 2009 From: ismail at ismailozatay.net (Ismail OZATAY) Date: Mon Feb 9 15:27:16 2009 Subject: Mailscanner and qmail Message-ID: <49904B4E.20907@ismailozatay.net> Hi there ; I am trying to implement qmail with mailscanner. I tried a patch in http://qms.ausics.net web page. I read and applied all intructions on this page but could not worked. After I applied this patch server accepts mail but do not send anywhere , i mean put inboxes. Is there anybody using qmail with mailscanner without any problem ? Regards, ismail From pravin.rane at gmail.com Mon Feb 9 17:38:37 2009 
From: pravin.rane at gmail.com (Pravin Rane)
Date: Mon Feb 9 17:38:49 2009
Subject: MailScanner with qmail
In-Reply-To: <4990478E.3060504@ismailozatay.net>
References: <4990478E.3060504@ismailozatay.net>
Message-ID: <13c021a90902090938q3295443fsb56835c01bbd064b@mail.gmail.com>

Qmail + MailScanner integration is not officially supported by Julian,
but there are many who are successfully running MailScanner + Qmail.

Qmail lacks most of the modern email server functionality which Postfix
and Exim have. I know there are many patches and a cool vpopmail-like
virtual domain application available for Qmail which other MTAs don't,
so here are the steps:

Compile and install qmail as mentioned on D. J. Bernstein site
http://lifewithqmail.com/ or use http://www.shupp.org/ qmail toaster steps

Back up your qmail source
cd to your qmail source ( qmail-1.03 )

And run the following commands:

perl -e 's/qmail-queue/qmail-queue.default/g' -pi qmail.c
perl -e 's/\"queue\"/QUEUE/g' -pi qmail-queue.c
ed qmail-queue.c << EOF
22
i
#define QUEUE "queue.in"
.
wq
EOF
make qmail-inject qmail-queue
mv qmail-inject /var/qmail/bin/qmail-inject.mailscanner
mv /var/qmail/bin/qmail-queue /var/qmail/bin/qmail-queue.default
mv qmail-queue /var/qmail/bin/qmail-queue
chown root:qmail /var/qmail/bin/qmail-inject.mailscanner
chown qmailq:qmail /var/qmail/bin/qmail-queue
chmod 4711 /var/qmail/bin/qmail-queue
mkdir -p /var/qmail/queue.in/mess
perl -e 'foreach $i (0..23) {`mkdir /var/qmail/queue.in/mess/$i`};'
mkdir -p /var/qmail/queue.in/intd
mkdir -p /var/qmail/queue.in/todo
mkdir -p /var/qmail/queue.in/pid
chown -R qmailq.qmail /var/qmail/queue.in
chmod 750 /var/qmail/queue.in

Make sure the following is in MailScanner.conf:

-----------------------------
Run As User = qmailq
Run As Group = qmail
Incoming Queue Dir = /var/qmail/queue.in/mess
Outgoing Queue Dir = /var/qmail/queue/mess
Incoming Work Dir = /var/spool/MailScanner/incoming
Quarantine Dir = /var/spool/MailScanner/quarantine
MTA = qmail
Sendmail = /var/qmail/bin/qmail-inject.mailscanner
Sendmail2 = /var/qmail/bin/qmail-inject.mailscanner
Qmail Hash Directory Number = 23
Qmail Intd Hash Number = 1
-------------------------------

Deliver messages to
Qmail port 25 ------------------->|/var/qmail/queue.in|
                                            |
                                            |
                                       MailScanner
                                 qmail-inject.mailscanner
                                            |
                                            |
                                           \|/
                                            |
                                    |/var/qmail/queue|
                                            |
                                            |
External Mail server-                      \|/
                     \                      |
                      <--qmail-send<------.----
                     /
INBOX               -

For testing run MailScanner --lint

On Mon, Feb 9, 2009 at 8:41 PM, Ismail OZATAY wrote:
>
> Hi there ;
>
> I am trying to implement qmail with mailscanner. I tried a patch in http://qms.ausics.net web page. I read and applied all intructions on this page but could not worked. After I applied this patch server accepts mail but do not send anywhere , i mean put inboxes. Is there anybody using qmail with mailscanner without any problem ?
>
> Regards,
>
> ismail
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

--
Regards
Pravin

From techgeeks at tomaatman.org Mon Feb 9 17:52:42 2009
From: techgeeks at tomaatman.org (jeroen)
Date: Mon Feb 9 17:52:55 2009
Subject: bitdefender
In-Reply-To: <223f97700902090011t3770a556rbfa2cdaecdb07045@mail.gmail.com>
References: <1c36dc9d8cbece66c09e213f895a8695@elmo> <223f97700902090011t3770a556rbfa2cdaecdb07045@mail.gmail.com>
Message-ID: <49906D6A.2020103@tomaatman.org>

Glenn Steen wrote:
> 2009/2/9 jeroen :
>
>> I'm using MailScanner with BitDefender Antivirus Scanner for Unices
>> v7.90123.
>> To get scanning working I had to edit the path in virus.scanners.conf to
>> /opt/BitDefender-scanner/bin. After that it seems to work, the message gets
>> scanned and the EICAR test virus gets detected, but the infected mail
>> somehow isn't moved to the quarantine.
>> I also tested it with ClamAV and this works well.
>>
>> Feb 9 02:40:16 pino MailScanner[16457]: New Batch: Scanning 1 messages, 2176
>> bytes
>> Feb 9 02:40:18 pino MailScanner[16457]: Virus and Content Scanning: Starting
>> Feb 9 02:40:22 pino MailScanner[16457]:
>> /var/spool/MailScanner/incoming/16457/1670912E1BD.2CEAC/msg-16457-1.txt:infected:
>> EICAR-Test-File (not a virus)
>> Feb 9 02:40:22 pino MailScanner[16457]: Virus Scanning: Bitdefender found 1
>> infections
>> Feb 9 02:40:22 pino MailScanner[16457]: Virus Scanning: Found 1 viruses
>> Feb 9 02:40:22 pino MailScanner[16457]: Requeue: 1670912E1BD.2CEAC to
>> 9402712E1BE
>> Feb 9 02:40:22 pino postfix/qmgr[5178]: 9402712E1BE:
>> from=<xxxx@xxxxx.org>, size=1481, nrcpt=1 (queue active)
>> Feb 9 02:40:22 pino MailScanner[16457]: Uninfected: Delivered 1 messages
>> Feb 9 02:40:22 pino MailScanner[16457]: Logging message 1670912E1BD.2CEAC to
>> SQL
>> Feb 9 02:40:22 pino postfix/local[16677]: 9402712E1BE:
>> to=<xxxx@xxxx.org>, relay=local, delay=7.5, delays=7.5/0.02/0/0.02,
>> dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail)
>> Feb 9 02:40:22 pino postfix/qmgr[5178]: 9402712E1BE: removed
>>
>> Any thoughts on this?
>>
>> /jeroen
>>
>
> That is the "not so free" version of BDC, so ... that it needed
> amending in the virus.scanners.conf isn't surprising:-).
> What version of MailScanner are you using? ISTR some similar troubles
> a while back (for some AV scanners), that might've been fixed in a
> newer release.
>
> If you are fairly current (like the latest stable), you could always
> send a fully licensed version of it to Jules, so that he can fix any
> outstanding problems.
>
> Cheers
>

Thank you for your answer Glenn. That version of BDC is free for non
commercial use.
I'm using MailScanner version 4.71.10.
Strange thing is that Mailscanner first recognizes it as a virus message
and later on says it's uninfected.

/jeroen

From glenn.steen at gmail.com Mon Feb 9 19:22:58 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Feb 9 19:23:07 2009
Subject: bitdefender
In-Reply-To: <49906D6A.2020103@tomaatman.org>
References: <1c36dc9d8cbece66c09e213f895a8695@elmo> <223f97700902090011t3770a556rbfa2cdaecdb07045@mail.gmail.com> <49906D6A.2020103@tomaatman.org>
Message-ID: <223f97700902091122g4d616f18x7cd183402475feb6@mail.gmail.com>

2009/2/9 jeroen :
> Glenn Steen wrote:
>>
>> 2009/2/9 jeroen :
>>
>>>
>>> I'm using MailScanner with BitDefender Antivirus Scanner for Unices
>>> v7.90123.
>>> To get scanning working I had to edit the path in virus.scanners.conf to
>>> /opt/BitDefender-scanner/bin. After that it seems to work, the message
>>> gets
>>> scanned and the EICAR test virus gets detected, but the infected mail
>>> somehow isn't moved to the quarantine.
>>> I also tested it with ClamAV and this works well.
>>>
>>> Feb 9 02:40:16 pino MailScanner[16457]: New Batch: Scanning 1 messages,
>>> 2176
>>> bytes
>>> Feb 9 02:40:18 pino MailScanner[16457]: Virus and Content Scanning:
>>> Starting
>>> Feb 9 02:40:22 pino MailScanner[16457]:
>>>
>>> /var/spool/MailScanner/incoming/16457/1670912E1BD.2CEAC/msg-16457-1.txt:infected:
>>> EICAR-Test-File (not a virus)
>>> Feb 9 02:40:22 pino MailScanner[16457]: Virus Scanning: Bitdefender found
>>> 1
>>> infections
>>> Feb 9 02:40:22 pino MailScanner[16457]: Virus Scanning: Found 1 viruses
>>> Feb 9 02:40:22 pino MailScanner[16457]: Requeue: 1670912E1BD.2CEAC to
>>> 9402712E1BE
>>> Feb 9 02:40:22 pino postfix/qmgr[5178]: 9402712E1BE:
>>> from=<xxxx@xxxxx.org>, size=1481, nrcpt=1 (queue active)
>>> Feb 9 02:40:22 pino MailScanner[16457]: Uninfected: Delivered 1 messages
>>> Feb 9 02:40:22 pino MailScanner[16457]: Logging message 1670912E1BD.2CEAC
>>> to
>>> SQL
>>> Feb 9 02:40:22 pino postfix/local[16677]: 9402712E1BE:
>>> to=<xxxx@xxxx.org>, relay=local, delay=7.5, delays=7.5/0.02/0/0.02,
>>> dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail)
>>> Feb 9 02:40:22 pino postfix/qmgr[5178]: 9402712E1BE: removed
>>>
>>> Any thoughts on this?
>>>
>>> /jeroen
>>>
>>
>> That is the "not so free" version of BDC, so ... that it needed
>> amending in the virus.scanners.conf isn't surprising:-).
>> What version of MailScanner are you using? ISTR some similar troubles
>> a while back (for some AV scanners), that might've been fixed in a
>> newer release.
>>
>> If you are fairly current (like the latest stable), you could always
>> send a fully licensed version of it to Jules, so that he can fix any
>> outstanding problems.
>>
>> Cheers
>>
>
> Thank you for your answer Glenn. That version of BDC is free for non
> commercial use.

Yes... not as free as it used to be:-/

> I'm using MailScanner version 4.71.10.

Not that new then.

> Strange thing is that Mailscanner first recognizes it as a virus message and
> later on says it's uninfected.
>

Yeah. If my fairly flawed recollections are anything to go by, that
was just the behavior.
Try an upgrade... it's pretty quick and easy:-).

> /jeroen

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From MailScanner at ecs.soton.ac.uk Mon Feb 9 19:59:24 2009
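The mismatch discussed in the bitdefender thread above (a scanner report naming a queue ID, then the same ID requeued in a batch logged as "Uninfected: Delivered") can be found mechanically in a mail log. The following is an added example, not part of the original posts and not MailScanner code; it relies only on the log wording quoted in the thread, and the second batch in the sample (PID 16458) is constructed here as a clean control.

```python
import re

# Batch 16457: log lines quoted in the thread. Batch 16458: constructed control.
SAMPLE_LOG = """\
Feb 9 02:40:16 pino MailScanner[16457]: New Batch: Scanning 1 messages, 2176 bytes
Feb 9 02:40:18 pino MailScanner[16457]: Virus and Content Scanning: Starting
Feb 9 02:40:22 pino MailScanner[16457]: /var/spool/MailScanner/incoming/16457/1670912E1BD.2CEAC/msg-16457-1.txt:infected: EICAR-Test-File (not a virus)
Feb 9 02:40:22 pino MailScanner[16457]: Virus Scanning: Bitdefender found 1 infections
Feb 9 02:40:22 pino MailScanner[16457]: Virus Scanning: Found 1 viruses
Feb 9 02:40:22 pino MailScanner[16457]: Requeue: 1670912E1BD.2CEAC to 9402712E1BE
Feb 9 02:40:22 pino postfix/qmgr[5178]: 9402712E1BE: from=<xxxx@xxxxx.org>, size=1481, nrcpt=1 (queue active)
Feb 9 02:40:22 pino MailScanner[16457]: Uninfected: Delivered 1 messages
Feb 9 02:40:22 pino MailScanner[16457]: Logging message 1670912E1BD.2CEAC to SQL
Feb 9 02:40:22 pino postfix/local[16677]: 9402712E1BE: to=<xxxx@xxxx.org>, relay=local, delay=7.5, delays=7.5/0.02/0/0.02, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail)
Feb 9 02:40:22 pino postfix/qmgr[5178]: 9402712E1BE: removed
Feb 9 02:41:00 pino MailScanner[16458]: New Batch: Scanning 1 messages, 900 bytes
Feb 9 02:41:01 pino MailScanner[16458]: Virus and Content Scanning: Starting
Feb 9 02:41:02 pino MailScanner[16458]: Requeue: 2A0B1C2D3E4.00001 to 5F6A7B8C9D0
Feb 9 02:41:02 pino MailScanner[16458]: Uninfected: Delivered 1 messages
"""

# "Mon D HH:MM:SS host prog[pid]: message"
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]{8}\s+\S+\s+(?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
# Scanner report: .../incoming/<pid>/<queue id>/<file>:infected: <signature>
INFECTED_RE = re.compile(
    r"/incoming/\d+/(?P<qid>[^/\s]+)/\S*?:infected:\s*(?P<sig>.+)$"
)
REQUEUE_RE = re.compile(r"^Requeue: (?P<qid>\S+) to (?P<new>\S+)")
CLEAN_RE = re.compile(r"^Uninfected: Delivered \d+ messages")
POSTFIX_SENT_RE = re.compile(r"^(?P<qid>[0-9A-F]+): to=<[^>]*>.*\bstatus=sent\b")


def _new_batch(pid):
    return {"pid": pid, "infected": {}, "requeued": {}, "clean": False}


def find_infected_but_delivered(log_text):
    """Return one finding per queue ID that a scanner flagged as infected
    and that the same MailScanner batch still requeued as uninfected."""
    open_batches, closed, sent_ids = {}, [], set()

    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        prog, pid, msg = m["prog"], m["pid"], m["msg"]

        if prog.startswith("postfix/"):
            sent = POSTFIX_SENT_RE.match(msg)
            if sent:
                sent_ids.add(sent["qid"])
            continue
        if prog != "MailScanner":
            continue

        # A child process (PID) handles one batch at a time.
        if msg.startswith("New Batch:"):
            if pid in open_batches:
                closed.append(open_batches.pop(pid))
            open_batches[pid] = _new_batch(pid)
            continue
        batch = open_batches.setdefault(pid, _new_batch(pid))

        hit = INFECTED_RE.search(msg)
        if hit:
            batch["infected"][hit["qid"]] = hit["sig"].strip()
            continue
        rq = REQUEUE_RE.match(msg)
        if rq:
            batch["requeued"][rq["qid"]] = rq["new"]
        elif CLEAN_RE.match(msg):
            batch["clean"] = True

    closed.extend(open_batches.values())

    findings = []
    for batch in closed:
        if not batch["clean"]:
            continue
        for qid, sig in batch["infected"].items():
            new_id = batch["requeued"].get(qid)
            if new_id is not None:
                findings.append({
                    "pid": batch["pid"],
                    "queue_id": qid,
                    "requeued_as": new_id,
                    "signature": sig,
                    # True when the MTA later logged status=sent for the new ID
                    "delivered": new_id in sent_ids,
                })
    return findings


if __name__ == "__main__":
    for f in find_infected_but_delivered(SAMPLE_LOG):
        print(f)
```
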
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Feb 9 19:59:44 2009 Subject: Hospital update References: <49908B1C.90500@ecs.soton.ac.uk> Message-ID: Folks, To keep you updated with the latest... Last Thursday I had an endoscopy done by the boss of the Hepatology Dept at our hospital, she wanted to make sure she saw the state for herself rather than reading someone else's report, which was kind of her. The endoscopy showed that there is probably sufficient blood-flow and low enough pressure that I am unlikely to bleed severely in the near future, and so the decision has been taken to take me off the liver transplant list. In 6 months time, she will do another endoscopy and review the situation again. But, to be honest, it is unlikely I will be put back on the list again. This is good, in that I don't need a very major operation, but it also means that a bunch of other things won't get fixed at the same time. So it's good, but not *all* good. So I have unpacked my hospital bag. 17 months preparing myself for it, and just 10 minutes to unpack my bag and put it all away again. Ho hum. Many thanks for all your kind messages over the past months wishing me luck with the transplant, they really did help me. Time to move on, I guess. Cheers. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From jonas at vrt.dk Mon Feb 9 20:52:57 2009 
From: jonas at vrt.dk (Jonas Akrouh Larsen)
Date: Mon Feb 9 20:53:09 2009
Subject: Hospital update
In-Reply-To:
References: <49908B1C.90500@ecs.soton.ac.uk>
Message-ID: <000001c98af8$630d5370$2927fa50$@dk>

I think that's great news!

I mean a serious operation is nothing to kid around with, so if it can be
avoided that is in its own great imho.

So congrats on the positive part of things, and hope you will continue to
improve in your health.

Best wishes from Denmark.

Med venlig hilsen / Best regards

Jonas Akrouh Larsen

TechBiz ApS
Laplandsgade 4, 2. sal
2300 København S

Office: 7020 0979
Direct: 3336 9974
Mobile: 5120 1096
Fax: 7020 0978
Web: www.techbiz.dk

From james at gray.net.au Mon Feb 9 21:00:53 2009
From: james at gray.net.au (James Gray)
Date: Mon Feb 9 21:01:12 2009
Subject: Hospital update
In-Reply-To:
Message-ID: <31241342.171234213253080.JavaMail.root@node>

----- Original Message -----
From: "Julian Field" To: "MailScanner discussion" Sent: Tuesday, 10 February, 2009 6:59:24 AM (GMT+1000) Auto-Detected Subject: Hospital update Folks, To keep you updated with the latest... Last Thursday I had an endoscopy done by the boss of the Hepatology Dept at our hospital, she wanted to make sure she saw the state for herself rather than reading someone else's report, which was kind of her. The endoscopy showed that there is probably sufficient blood-flow and low enough pressure that I am unlikely to bleed severely in the near future, and so the decision has been taken to take me off the liver transplant list. In 6 months time, she will do another endoscopy and review the situation again. But, to be honest, it is unlikely I will be put back on the list again. ...snipped... ----- End Original Message ----- Hi Jules, This is a mixed bag then isn't it. I'm glad you're off the transplant list even though other things will continue to cause you discomfort. A friend of mine had a heart transplant and although he's alive, the amount of medication he needs for the rest of his life is just plain scarey. I wouldn't wish that on anyone :) Sounds like you're in good hands. Continue on the road to recovery and know that mail admins all over the world are breathing a little easier today. Especially this one from Australia! Take care and thanks for the update. Cheers, James PS - Sorry for the horrid formatting, alas not all webmail clients are created equal :( From craig at csfs.co.za Mon Feb 9 21:27:38 2009 
From: craig at csfs.co.za (Craig Retief) Date: Mon Feb 9 21:29:55 2009 Subject: Hospital update In-Reply-To: References: <49908B1C.90500@ecs.soton.ac.uk> Message-ID: <1234214858.24269.3.camel@cX> On Mon, 2009-02-09 at 19:59 +0000, Julian Field wrote: > Folks, > > To keep you updated with the latest... > > Last Thursday I had an endoscopy done by the boss of the Hepatology Dept > at our hospital, she wanted to make sure she saw the state for herself > rather than reading someone else's report, which was kind of her. > > The endoscopy showed that there is probably sufficient blood-flow and > low enough pressure that I am unlikely to bleed severely in the near > future, and so the decision has been taken to take me off the liver > transplant list. In 6 months time, she will do another endoscopy and > review the situation again. But, to be honest, it is unlikely I will be > put back on the list again. > great news Jules!!!! I hope that the 6 month checkup gives more positive news!! > This is good, in that I don't need a very major operation, but it also > means that a bunch of other things won't get fixed at the same time. So > it's good, but not *all* good. > > So I have unpacked my hospital bag. 17 months preparing myself for it, > and just 10 minutes to unpack my bag and put it all away again. Ho hum. > Imagines Jules going "So thats where that shirt of mine is..." ;) > Many thanks for all your kind messages over the past months wishing me > luck with the transplant, they really did help me. Time to move on, I guess. > > Cheers. > > Jules > Cheers Craig > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? 
> Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > PGP public key: http://www.jules.fm/julesfm.asc > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > From ssilva at sgvwater.com Mon Feb 9 21:50:27 2009 
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Feb 9 21:50:54 2009
Subject: MailScanner suddenly stopped working and screwed up everything
In-Reply-To:
References:
Message-ID:

on 2-6-2009 5:28 AM jan gestre spake the following:
> Hi Guys,
>
> I've several mail servers running (postfix + dovecot + mysql +
> mailscanner) that has been up for a long time now and suddenly it
> stopped working one by one. It began by users experiencing bouncing
> emails even though the user exist then it became worst, all emails is
> now being tagged as spam even those from yahoo and gmail. I suspect
> MailScanner might be causing the issue so I turned it off but the
> server keep on rejecting emails because of postfix's
> smtpd_client_restrictions rule that blocks emails if it came from an
> ip address listed on spamhaus.org, but after disabling that parameter
> emails from sites like yahoo and gmail still gets blocked according to
> postfix it's listed in sbl-xbl list, I know for a fact that this
> shouldn't suppose to happen but it did. Anybody ever experienced this?
> What's the workaround, I'm stumped, I have no idea why it suddenly got
> screwed.
>
> TIA
>
> Jan

On the problem server try this;

host 2.0.0.127.zen.spamhaus.org

If you get a timeout, either you are blacklisted, or your DNS resolution has
problems.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 258 bytes
Desc: OpenPGP digital signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090209/e0ccbbca/signature.bin

From alex at rtpty.com Mon Feb 9 22:06:58 2009
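Scott's test query and Bastian's earlier suggestion to query each configured RBL by hand can be scripted so that every zone is checked the same way from the affected machine. The following is an added example, not part of the original posts; it assumes the RFC 5782 convention that an IPv4 DNSBL always lists the test address 127.0.0.2 and never lists 127.0.0.1, and the verdict names are labels chosen for this example.

```python
import ipaddress
import socket
import sys

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
# getaddrinfo error codes that mean "no such name", i.e. not listed.
NOT_FOUND = {socket.EAI_NONAME, getattr(socket, "EAI_NODATA", socket.EAI_NONAME)}


class LookupFailed(Exception):
    """The resolver gave no usable answer (timeout, SERVFAIL, refused)."""


def dnsbl_name(ip, zone):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")


def system_lookup(name):
    """Return the A records for name using the system resolver.
    An empty list means NXDOMAIN; any other failure raises LookupFailed."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        if exc.errno in NOT_FOUND:
            return []
        raise LookupFailed(str(exc)) from exc
    return sorted({info[4][0] for info in infos})


def check_zone(zone, lookup=system_lookup):
    """Classify how a DNSBL zone answers from this machine.
    Returns (verdict, detail)."""
    try:
        listed = lookup(dnsbl_name("127.0.0.2", zone))  # must be listed
        clean = lookup(dnsbl_name("127.0.0.1", zone))   # must not be listed
    except LookupFailed as exc:
        # The timeout case from the post: blocked by the list operator
        # or a local DNS resolution problem.
        return "unreachable", str(exc)

    stray = [a for a in listed + clean
             if ipaddress.ip_address(a) not in LOOPBACK]
    if stray:
        # A DNSBL answers inside 127.0.0.0/8; anything else points at a
        # wildcarded or rewritten answer somewhere on the resolution path.
        return "unexpected-answer", ", ".join(stray)
    if clean:
        # An MTA that rejects on any answer would now reject every client.
        return "lists-everything", ", ".join(clean)
    if not listed:
        return "test-entry-missing", "127.0.0.2 is not listed"
    return "ok", ", ".join(listed)


if __name__ == "__main__":
    # Pass the zones from the MTA configuration as arguments.
    for zone in sys.argv[1:] or ["zen.spamhaus.org"]:
        verdict, detail = check_zone(zone)
        print(f"{zone}: {verdict} ({detail})")
```

Run it on the problem server and on a healthy one with the same zone list; a verdict that differs between the two machines is the case Nick describes, where a list answers differently depending on the source of the query.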
From: alex at rtpty.com (Alex Neuman) Date: Mon Feb 9 22:07:08 2009 Subject: Hospital update In-Reply-To: <1234214858.24269.3.camel@cX> References: <49908B1C.90500@ecs.soton.ac.uk> <1234214858.24269.3.camel@cX> Message-ID: <24e3d2e40902091406u3da2e5ecw9c38a18ce936749f@mail.gmail.com> Details aside, I just hope your quality of life improves. You certainly do deserve it. Cheers from Panama... -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090209/bef29dc5/attachment.html From glenn.steen at gmail.com Mon Feb 9 22:23:16 2009 
From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Feb 9 22:23:25 2009 Subject: Hospital update In-Reply-To: <-8436290472666250848@unknownmsgid> References: <49908B1C.90500@ecs.soton.ac.uk> <-8436290472666250848@unknownmsgid> Message-ID: <223f97700902091423i3c81da2dje4d5a913d81ab114@mail.gmail.com> 2009/2/9 Julian Field : > Folks, > > To keep you updated with the latest... > > Last Thursday I had an endoscopy done by the boss of the Hepatology Dept at > our hospital, she wanted to make sure she saw the state for herself rather > than reading someone else's report, which was kind of her. > > The endoscopy showed that there is probably sufficient blood-flow and low > enough pressure that I am unlikely to bleed severely in the near future, and > so the decision has been taken to take me off the liver transplant list. In > 6 months time, she will do another endoscopy and review the situation again. > But, to be honest, it is unlikely I will be put back on the list again. > > This is good, in that I don't need a very major operation, but it also means > that a bunch of other things won't get fixed at the same time. So it's good, > but not *all* good. > > So I have unpacked my hospital bag. 17 months preparing myself for it, and > just 10 minutes to unpack my bag and put it all away again. Ho hum. > > Many thanks for all your kind messages over the past months wishing me luck > with the transplant, they really did help me. Time to move on, I guess. > > Cheers. > > Jules > Well... Mostly good, I guess:/. I hope you land on this being good, in the end... While pondering, share a virtual toast (red, of course), with a slightly decrepit Swede;-). All the best! Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ssilva at sgvwater.com Mon Feb 9 22:29:24 2009 
From: ssilva at sgvwater.com (Scott Silva) Date: Mon Feb 9 22:29:46 2009 Subject: Hospital update In-Reply-To: <223f97700902091423i3c81da2dje4d5a913d81ab114@mail.gmail.com> References: <49908B1C.90500@ecs.soton.ac.uk> <-8436290472666250848@unknownmsgid> <223f97700902091423i3c81da2dje4d5a913d81ab114@mail.gmail.com> Message-ID: on 2-9-2009 2:23 PM Glenn Steen spake the following: > 2009/2/9 Julian Field : >> Folks, >> >> To keep you updated with the latest... >> >> Last Thursday I had an endoscopy done by the boss of the Hepatology Dept at >> our hospital, she wanted to make sure she saw the state for herself rather >> than reading someone else's report, which was kind of her. >> >> The endoscopy showed that there is probably sufficient blood-flow and low >> enough pressure that I am unlikely to bleed severely in the near future, and >> so the decision has been taken to take me off the liver transplant list. In >> 6 months time, she will do another endoscopy and review the situation again. >> But, to be honest, it is unlikely I will be put back on the list again. >> >> This is good, in that I don't need a very major operation, but it also means >> that a bunch of other things won't get fixed at the same time. So it's good, >> but not *all* good. >> >> So I have unpacked my hospital bag. 17 months preparing myself for it, and >> just 10 minutes to unpack my bag and put it all away again. Ho hum. >> >> Many thanks for all your kind messages over the past months wishing me luck >> with the transplant, they really did help me. Time to move on, I guess. >> >> Cheers. >> >> Jules >> > Well... Mostly good, I guess:/. > I hope you land on this being good, in the end... While pondering, > share a virtual toast (red, of course), with a slightly decrepit > Swede;-). > All the best! > > Cheers I'll drink to that! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 258 bytes
Desc: OpenPGP digital signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090209/163dc02a/signature.bin

From greg at blastzone.com Mon Feb 9 22:45:06 2009
From: greg at blastzone.com (Greg Deputy)
Date: Mon Feb 9 22:45:24 2009
Subject: Mailscanner logging to syslog, only partial to mail.log, driving me nuts
In-Reply-To:
References: <057b01c98797$cd9b7aa0$68d26fe0$@com> <235505.65096.qm@web33305.mail.mud.yahoo.com> <0ab701c988c4$c73cade0$55b609a0$@com>
Message-ID: <140001c98b08$0e0b9890$2a22c9b0$@com>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Kai Schaetzl
> Sent: Saturday, February 07, 2009 6:07 AM
> To: mailscanner@lists.mailscanner.info
> Subject: Re: Mailscanner logging to syslog, only partial to mail.log, driving
> me nuts
>
> Greg Deputy wrote on Fri, 6 Feb 2009 17:38:29 -0800:
>
> > *.*;auth,authpriv.none -/var/log/syslog
>
> There you go, isn't that *very* obvious?
> Btw, looks very much like *you* added this line.
>
> Kai

I have no memory of doing that, but anything is possible.

So removing that line, I no longer get the mailscanner entries in syslog,
but not seeing them in mail.log either. Is there a tag for mailscanner that
I need to add to syslog.conf to get those where I want them?

Thanks

From michael at huntley.net Mon Feb 9 23:06:49 2009
From: michael at huntley.net (Michael Huntley) Date: Mon Feb 9 23:07:07 2009 Subject: Hospital update In-Reply-To: References: <49908B1C.90500@ecs.soton.ac.uk> Message-ID: <4990B709.4040403@huntley.net> Julian Field wrote: > Folks, > > To keep you updated with the latest... > > Last Thursday I had an endoscopy done by the boss of the Hepatology > Dept at our hospital, she wanted to make sure she saw the state for > herself rather than reading someone else's report, which was kind of her. > > The endoscopy showed that there is probably sufficient blood-flow and > low enough pressure that I am unlikely to bleed severely in the near > future, and so the decision has been taken to take me off the liver > transplant list. In 6 months time, she will do another endoscopy and > review the situation again. But, to be honest, it is unlikely I will > be put back on the list again. > > This is good, in that I don't need a very major operation, but it also > means that a bunch of other things won't get fixed at the same time. > So it's good, but not *all* good. > > So I have unpacked my hospital bag. 17 months preparing myself for it, > and just 10 minutes to unpack my bag and put it all away again. Ho hum. > > Many thanks for all your kind messages over the past months wishing me > luck with the transplant, they really did help me. Time to move on, I > guess. > > Cheers. > > Jules > I toast to good health and continued progress! mph vesco valens vinum From ka at pacific.net Mon Feb 9 23:15:36 2009 
From: ka at pacific.net (Ken A) Date: Mon Feb 9 23:16:06 2009 Subject: Hospital update In-Reply-To: <4990B709.4040403@huntley.net> References: <49908B1C.90500@ecs.soton.ac.uk> <4990B709.4040403@huntley.net> Message-ID: <4990B918.2070902@pacific.net> Michael Huntley wrote: > Julian Field wrote: >> Folks, >> >> To keep you updated with the latest... >> >> Last Thursday I had an endoscopy done by the boss of the Hepatology >> Dept at our hospital, she wanted to make sure she saw the state for >> herself rather than reading someone else's report, which was kind of her. >> >> The endoscopy showed that there is probably sufficient blood-flow and >> low enough pressure that I am unlikely to bleed severely in the near >> future, and so the decision has been taken to take me off the liver >> transplant list. In 6 months time, she will do another endoscopy and >> review the situation again. But, to be honest, it is unlikely I will >> be put back on the list again. >> >> This is good, in that I don't need a very major operation, but it also >> means that a bunch of other things won't get fixed at the same time. >> So it's good, but not *all* good. >> >> So I have unpacked my hospital bag. 17 months preparing myself for it, >> and just 10 minutes to unpack my bag and put it all away again. Ho hum. >> >> Many thanks for all your kind messages over the past months wishing me >> luck with the transplant, they really did help me. Time to move on, I >> guess. >> >> Cheers. >> >> Jules >> > > I toast to good health and continued progress! And to liver and pain meds to get along nicely! Ken > > mph > > vesco valens vinum > > From techgeeks at tomaatman.org Mon Feb 9 23:15:38 2009 
From: techgeeks at tomaatman.org (jeroen) Date: Mon Feb 9 23:16:11 2009 Subject: bitdefender In-Reply-To: <223f97700902091122g4d616f18x7cd183402475feb6@mail.gmail.com> References: <1c36dc9d8cbece66c09e213f895a8695@elmo> <223f97700902090011t3770a556rbfa2cdaecdb07045@mail.gmail.com> <49906D6A.2020103@tomaatman.org> <223f97700902091122g4d616f18x7cd183402475feb6@mail.gmail.com> Message-ID: <4990B91A.3020309@tomaatman.org> Glenn Steen schreef: > ...... > Yeah. If my fairly flawed recollections are anything to go by, that > was just the behavior. > Try an upgrade... it's pretty quick and easy:-). > > Cheers > I will give it a try. Thanks for your time! /jeroen From greg at blastzone.com Mon Feb 9 23:19:30 2009 From: greg at blastzone.com (Greg Deputy) Date: Mon Feb 9 23:19:47 2009 Subject: Mailscanner logging to syslog, only partial to mail.log, driving me nuts In-Reply-To: <140001c98b08$0e0b9890$2a22c9b0$@com> References: <057b01c98797$cd9b7aa0$68d26fe0$@com> <235505.65096.qm@web33305.mail.mud.yahoo.com> <0ab701c988c4$c73cade0$55b609a0$@com> <140001c98b08$0e0b9890$2a22c9b0$@com> Message-ID: <142301c98b0c$dc48b270$94da1750$@com> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Greg Deputy > Sent: Monday, February 09, 2009 2:45 PM > To: 'MailScanner discussion' > Subject: RE: Mailscanner logging to syslog, only partial to mail.log, driving > me nuts > > > -----Original Message----- 
> > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > > bounces@lists.mailscanner.info] On Behalf Of Kai Schaetzl > > Sent: Saturday, February 07, 2009 6:07 AM > > To: mailscanner@lists.mailscanner.info > > Subject: Re: Mailscanner logging to syslog, only partial to mail.log, > driving > > me nuts > > > > Greg Deputy wrote on Fri, 6 Feb 2009 17:38:29 -0800: > > > > > *.*;auth,authpriv.none -/var/log/syslog > > > > There you go, isn't that *very* obvious? > > Btw, looks very much like *you* added this line. > > > > Kai > > I have no memory of doing that, but anything is possible. > > So removing that line, I no longer get the mailscanner entries in syslog, > but not seeing them in mail.log either. Is there a tag for mailscanner that > I need to add to syslog.conf to get those where I want them? > > Thanks > So did some more digging, got syslogd running in debug mode, and it appears the messages I am not getting are coming from the facility 'local3.info' like in the debug lines below. Why is MailScanner sending spamassassin result messages to local3.info instead of mail.info? Successful select, descriptor count = 1, Activity on: 3 Message from UNIX socket: #3 Message length: 298, File descriptor: 3. logmsg: local3.info<158>, flags 2, from mx1, msg Feb 9 15:14:15 check[17369]: Message 5535550134.8F497 from 97.113.126.159 (craig@gpsflight.com) to smartmobilesolutions.com is not spam, SpamAssassin (not cached, score=-21.849, required 5, autolearn=not spam, ALL_TRUSTED -1.80, AUTHDSENDER_RULE -20.00, BAYES_00 -0.05, HTML_MESSAGE 0.00) Called fprintlog, logging to FILE /var/log/messages Called fprintlog, logging to PIPE |/dev/xconsole Calling select, active file descriptors (max 3): 3 From techgeeks at tomaatman.org Mon Feb 9 12:40:52 2009 
From: techgeeks at tomaatman.org (jeroen) Date: Tue Feb 10 00:27:27 2009 Subject: bitdefender In-Reply-To: <223f97700902090011t3770a556rbfa2cdaecdb07045@mail.gmail.com> References: <1c36dc9d8cbece66c09e213f895a8695@elmo> <223f97700902090011t3770a556rbfa2cdaecdb07045@mail.gmail.com> Message-ID: <49902454.3060907@tomaatman.org> Glenn Steen schreef: > 2009/2/9 jeroen : > >> I'm using MailScanner with BitDefender Antivirus Scanner for Unices >> v7.90123. >> To get scanning working I had to edit the path in virus.scanners.conf to >> /opt/BitDefender-scanner/bin. After that is seems to work, the message gets >> scanned and the EICAR test virus gets detected, but the infected mail >> somehow isn't moved to the quarantine. >> I also tested it with ClamAV and this works well. >> >> Feb 9 02:40:16 pino MailScanner[16457]: New Batch: Scanning 1 messages, 2176 >> bytes >> Feb 9 02:40:18 pino MailScanner[16457]: Virus and Content Scanning: Starting >> Feb 9 02:40:22 pino MailScanner[16457]: >> /var/spool/MailScanner/incoming/16457/1670912E1BD.2CEAC/msg-16457-1.txt:infected: >> EICAR-Test-File (not a virus) >> Feb 9 02:40:22 pino MailScanner[16457]: Virus Scanning: Bitdefender found 1 >> infections >> Feb 9 02:40:22 pino MailScanner[16457]: Virus Scanning: Found 1 viruses >> Feb 9 02:40:22 pino MailScanner[16457]: Requeue: 1670912E1BD.2CEAC to >> 9402712E1BE >> Feb 9 02:40:22 pino postfix/qmgr[5178]: 9402712E1BE: >> from=<xxxx@xxxxx.org>, size=1481, nrcpt=1 (queue active) >> Feb 9 02:40:22 pino MailScanner[16457]: Uninfected: Delivered 1 messages >> Feb 9 02:40:22 pino MailScanner[16457]: Logging message 1670912E1BD.2CEAC to >> SQL >> Feb 9 02:40:22 pino postfix/local[16677]: 9402712E1BE: >> to=<xxxx@xxxx.org>, relay=local, delay=7.5, delays=7.5/0.02/0/0.02, >> dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail) >> Feb 9 02:40:22 pino postfix/qmgr[5178]: 9402712E1BE: removed >> >> Any thoughts on this? 
>> >> /jeroen >> > > That is the "not so free" version of BDC, so ... that it needed > amending in the virus.scanners.conf isn't surprising:-). > What version of MailScanner are you using? ISTR some similar troubles > a while back (for some AV scanners), that might've been fixed in a > newer release. > > If you are fairly current (like the latest stable), you could always > send a fully licensed version of it to Jules, so that he can fix any > outstanding problems. > > Cheers > Thank you for your answer Glenn. That version of BDC is free for non commercial use. I'm using MailScanner version 4.71.10. Strange thing is that Mailscanner first recognizes it as a virus message and later on says it's uninfected. /jeroen -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090209/d09c9105/attachment.html From drew.marshall at trunknetworks.com Tue Feb 10 06:47:55 2009 
From: drew.marshall at trunknetworks.com (Drew Marshall) Date: Tue Feb 10 06:48:17 2009 Subject: Hospital update In-Reply-To: <20090209200355.29CA81701F@out-b.mx.mail-launder.com> References: <49908B1C.90500@ecs.soton.ac.uk> <20090209200355.29CA81701F@out-b.mx.mail-launder.com> Message-ID: <200902100648.n1A6m8up004391@safir.blacknight.ie> On 9 Feb 2009, at 19:59, Julian Field wrote: > Folks, > > To keep you updated with the latest... > > Last Thursday I had an endoscopy done by the boss of the Hepatology > Dept at our hospital, she wanted to make sure she saw the state for > herself rather than reading someone else's report, which was kind of > her. > > The endoscopy showed that there is probably sufficient blood-flow > and low enough pressure that I am unlikely to bleed severely in the > near future, and so the decision has been taken to take me off the > liver transplant list. In 6 months time, she will do another > endoscopy and review the situation again. But, to be honest, it is > unlikely I will be put back on the list again. > > This is good, in that I don't need a very major operation, but it > also means that a bunch of other things won't get fixed at the same > time. So it's good, but not *all* good. > > So I have unpacked my hospital bag. 17 months preparing myself for > it, and just 10 minutes to unpack my bag and put it all away again. > Ho hum. > > Many thanks for all your kind messages over the past months wishing > me luck with the transplant, they really did help me. Time to move > on, I guess. > > Cheers. > > Jules Mixed blessings indeed. I am delighted that's one less thing to worry about but equally saddened that you now won't get the re-plumbing that you wanted either. Having said that I'm sure this is far less risky and the medical team wouldn't guarantee that the other things that you wanted fixed would have been, so it's a game of percentages. Chin up, perhaps a world tour could be back on the cards to help ease your disappointment? 
Drew From maillists at conactive.com Tue Feb 10 11:31:14 2009 From: maillists at conactive.com (Kai Schaetzl) Date: Tue Feb 10 11:31:27 2009 Subject: Mailscanner logging to syslog, only partial to mail.log, driving me nuts In-Reply-To: <142301c98b0c$dc48b270$94da1750$@com> References: <057b01c98797$cd9b7aa0$68d26fe0$@com> <235505.65096.qm@web33305.mail.mud.yahoo.com> <0ab701c988c4$c73cade0$55b609a0$@com> <140001c98b08$0e0b9890$2a22c9b0$@com> <142301c98b0c$dc48b270$94da1750$@com> Message-ID: Greg Deputy wrote on Mon, 9 Feb 2009 15:19:30 -0800: > Why is MailScanner sending spamassassin > result messages to local3.info instead of mail.info? This is not what you claimed, AFAIK. You said that you get no MailScanner messages to mail.log. Is that *really* the case or is it only the sa scores that you are missing? For me that's quite a big difference. > Is there a tag for mailscanner that > I need to add to syslog.conf to get those where I want them? You can set the log facility in MS. I don't know if that applies to SA scores, I do not log SA scores. You do realize that your syslog.conf creates a lot of additional logging for mail, even to the xconsole? Just grep mail from the file to see what I mean. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From ram at netcore.co.in Tue Feb 10 12:11:30 2009 
From: ram at netcore.co.in (ram) Date: Tue Feb 10 12:11:45 2009 Subject: unpackole() is causing mailscanner to hang Message-ID: <1234267890.3234.83.camel@darkstar.netcore.co.in> I have had this issue before too http://lists.mailscanner.info/pipermail/mailscanner/2008-September/087106.html MailScanner just hangs extracting attachments Nailed the function that causes this /usr/lib/MailScanner/MailScanner/Message.pm inside function UnpackOle() -- return 1 unless $tree = $ole->getPpsTree(1); # (1) => Get Data too -- For a particular mail (of 1MB ) this function call never returns. Even on a 3GB Ram server the machine goes out of memory !!!. Just with MailScanner I guess I just need to skip the unpackOle call. From ipcopper.ph at gmail.com Tue Feb 10 13:58:08 2009 
From: ipcopper.ph at gmail.com (jan gestre) Date: Tue Feb 10 13:58:18 2009 Subject: MailScanner suddenly stopped working and screwed up everything In-Reply-To: References: Message-ID: On Tue, Feb 10, 2009 at 5:50 AM, Scott Silva wrote: > on 2-6-2009 5:28 AM jan gestre spake the following: >> Hi Guys, >> >> I've several mail servers running (postfix + dovecot + mysql + >> mailscanner) that has been up for a long time now and suddenly it >> stopped working one by one. It began by users experiencing bouncing >> emails even though the user exist then it became worst, all emails is >> now being tagged as spam even those from yahoo and gmail. I suspect >> MailScanner might be causing the issue so I turned it off but the >> server keep on rejecting emails because of postfix's >> smtpd_client_restrictions rule that blocks emails if it came from an >> ip address listed on spamhaus.org, but after disabling that parameter >> emails from sites like yahoo and gmail still gets blocked according to >> postfix it's listed in sbl-xbl list, I know for a fact that this >> shouldn't suppose to happen but it did. Anybody ever experienced this? >> What's the workaround, I'm stumped, I have no idea why it suddenly got >> screwed. >> >> TIA >> >> Jan > On the problem server try this; > > host 2.0.0.127.zen.spamhaus.org > > If you get a timeout, either you are blacklisted, or your DNS resolution has > problems. > > > # host 2.0.0.127.zen.spamhaus.org 2.0.0.127.zen.spamhaus.org has address 127.0.0.4 2.0.0.127.zen.spamhaus.org has address 127.0.0.2 2.0.0.127.zen.spamhaus.org has address 127.0.0.10 As you can see there's no timeout, it seems that no matter what rbl I use all emails are blocked, the only workaround right now is to turn off spam checks both at MTA level and MailScanner, caveat is of course, spam. From support-lists at petdoctors.co.uk Tue Feb 10 14:05:29 2009 
From: support-lists at petdoctors.co.uk (Nigel Kendrick) Date: Tue Feb 10 14:05:24 2009 Subject: MailScanner suddenly stopped working and screwed up everything In-Reply-To: References: Message-ID: <02B9F79D97E749D7BF275A32F3F03250@SUPPORT01V> I know this may be whacky, but has ORDB (now very defunct) turned up again in your RBL list. This happened to me about a month ago and caused timeouts and queue pileups. From ipcopper.ph at gmail.com Tue Feb 10 14:17:29 2009 From: ipcopper.ph at gmail.com (jan gestre) Date: Tue Feb 10 14:17:44 2009 Subject: MailScanner suddenly stopped working and screwed up everything In-Reply-To: <02B9F79D97E749D7BF275A32F3F03250@SUPPORT01V> References: <02B9F79D97E749D7BF275A32F3F03250@SUPPORT01V> Message-ID: On Tue, Feb 10, 2009 at 10:05 PM, Nigel Kendrick wrote: > I know this may be whacky, but has ORDB (now very defunct) turned up again > in your RBL list. This happened to me about a month ago and caused timeouts > and queue pileups. > No, I don't use ORDB nor SORBS, just spamhaus.org and spamcop.net From twiztar at gmail.com Tue Feb 10 14:31:15 2009 From: twiztar at gmail.com (Erik Weber) Date: Tue Feb 10 14:31:26 2009 Subject: MailScanner suddenly stopped working and screwed up everything In-Reply-To: References: <02B9F79D97E749D7BF275A32F3F03250@SUPPORT01V> Message-ID: <49918FB3.1040409@gmail.com> jan gestre wrote: > On Tue, Feb 10, 2009 at 10:05 PM, Nigel Kendrick > wrote: > >> I know this may be whacky, but has ORDB (now very defunct) turned up again >> in your RBL list. This happened to me about a month ago and caused timeouts >> and queue pileups. >> >> > > No, I don't use ORDB nor SORBS, just spamhaus.org and spamcop.net > It would be helpful to help you diagnose the problem if you could paste relevant portions of the mail log and/or the bounce message. -- Erik From theodrake.mailscanner at gmail.com Tue Feb 10 16:16:43 2009 
From: theodrake.mailscanner at gmail.com (Ed Bruce) Date: Tue Feb 10 16:16:52 2009 Subject: Hospital update In-Reply-To: References: <49908B1C.90500@ecs.soton.ac.uk> <-8436290472666250848@unknownmsgid> <223f97700902091423i3c81da2dje4d5a913d81ab114@mail.gmail.com> Message-ID: <4991A86B.2050104@gmail.com> Scott Silva wrote: > on 2-9-2009 2:23 PM Glenn Steen spake the following: > >> 2009/2/9 Julian Field : >> >>> Folks, >>> >>> To keep you updated with the latest... >>> >>> Last Thursday I had an endoscopy done by the boss of the Hepatology Dept at >>> our hospital, she wanted to make sure she saw the state for herself rather >>> than reading someone else's report, which was kind of her. >>> >>> The endoscopy showed that there is probably sufficient blood-flow and low >>> enough pressure that I am unlikely to bleed severely in the near future, and >>> so the decision has been taken to take me off the liver transplant list. In >>> 6 months time, she will do another endoscopy and review the situation again. >>> But, to be honest, it is unlikely I will be put back on the list again. >>> >>> This is good, in that I don't need a very major operation, but it also means >>> that a bunch of other things won't get fixed at the same time. So it's good, >>> but not *all* good. >>> >>> So I have unpacked my hospital bag. 17 months preparing myself for it, and >>> just 10 minutes to unpack my bag and put it all away again. Ho hum. >>> >>> Many thanks for all your kind messages over the past months wishing me luck >>> with the transplant, they really did help me. Time to move on, I guess. >>> >>> Cheers. >>> >>> Jules >>> >>> >> Well... Mostly good, I guess:/. >> I hope you land on this being good, in the end... While pondering, >> share a virtual toast (red, of course), with a slightly decrepit >> Swede;-). >> All the best! >> >> Cheers >> > I'll drink to that! > > > > I'll drink to your drink to that!! 
(Love Trader Joe's, inexpensive decent wine, at least to my untrained palate) -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090210/4871de6c/attachment.html From ssilva at sgvwater.com Tue Feb 10 16:52:45 2009 
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Feb 10 16:53:08 2009 Subject: Hospital update In-Reply-To: <4991A86B.2050104@gmail.com> References: <49908B1C.90500@ecs.soton.ac.uk> <-8436290472666250848@unknownmsgid> <223f97700902091423i3c81da2dje4d5a913d81ab114@mail.gmail.com> <4991A86B.2050104@gmail.com> Message-ID: on 2-10-2009 8:16 AM Ed Bruce spake the following: > Scott Silva wrote: >> on 2-9-2009 2:23 PM Glenn Steen spake the following: >> >>> 2009/2/9 Julian Field : >>> >>>> Folks, >>>> >>>> To keep you updated with the latest... >>>> >>>> Last Thursday I had an endoscopy done by the boss of the Hepatology Dept at >>>> our hospital, she wanted to make sure she saw the state for herself rather >>>> than reading someone else's report, which was kind of her. >>>> >>>> The endoscopy showed that there is probably sufficient blood-flow and low >>>> enough pressure that I am unlikely to bleed severely in the near future, and >>>> so the decision has been taken to take me off the liver transplant list. In >>>> 6 months time, she will do another endoscopy and review the situation again. >>>> But, to be honest, it is unlikely I will be put back on the list again. >>>> >>>> This is good, in that I don't need a very major operation, but it also means >>>> that a bunch of other things won't get fixed at the same time. So it's good, >>>> but not *all* good. >>>> >>>> So I have unpacked my hospital bag. 17 months preparing myself for it, and >>>> just 10 minutes to unpack my bag and put it all away again. Ho hum. >>>> >>>> Many thanks for all your kind messages over the past months wishing me luck >>>> with the transplant, they really did help me. Time to move on, I guess. >>>> >>>> Cheers. >>>> >>>> Jules >>>> >>>> >>> Well... Mostly good, I guess:/. >>> I hope you land on this being good, in the end... While pondering, >>> share a virtual toast (red, of course), with a slightly decrepit >>> Swede;-). >>> All the best! >>> >>> Cheers >>> >> I'll drink to that! 
>> >> >> >> > I'll drink to your drink to that!! (Love Trader Joe's, inexpensive > decent wine, at least to my untrained palate) > My wife works for the company that makes it. "2 buck Chuck" is actually a very good wine, and has received many awards. It should be able to hold its own against anything up to the $10 to $20 class. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 258 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090210/c20fb58e/signature.bin From ssilva at sgvwater.com Tue Feb 10 16:56:10 2009 
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Feb 10 17:00:09 2009 Subject: unpackole() is causing mailscanner to hang In-Reply-To: <1234267890.3234.83.camel@darkstar.netcore.co.in> References: <1234267890.3234.83.camel@darkstar.netcore.co.in> Message-ID: on 2-10-2009 4:11 AM ram spake the following: > I have had this issue before too > http://lists.mailscanner.info/pipermail/mailscanner/2008-September/087106.html > > > MailScanner just hangs extracting attachments > Nailed the function that causes this > > /usr/lib/MailScanner/MailScanner/Message.pm > inside function UnpackOle() > > -- > return 1 unless $tree = $ole->getPpsTree(1); # (1) => Get Data too > -- > > > For a particular mail (of 1MB ) this function call never returns. Even > on a 3GB Ram server the machine goes out of memory !!!. Just with > MailScanner > > I guess I just need to skip the unpackOle call. > > > Maybe Julian can code a timeout into it if others have problems. Is the message spam, or ham? If spam, maybe you can find something common in it that you can catch earlier and avoid the problem. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 258 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090210/7cda405c/signature.bin From marco.mangione at gmail.com Tue Feb 10 17:41:36 2009 
From: marco.mangione at gmail.com (Marco mangione) Date: Tue Feb 10 17:41:45 2009 Subject: fuzzy ocr known hash Message-ID: hello, i have many email blocked because mailscanner assign 6 point due: 6.00 FUZZY_OCR_KNOWN_HASH Mail contains an image with known hash anyone know if this is correct ? Marco -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090210/c4ea0960/attachment.html From r.berber at computer.org Tue Feb 10 18:10:38 2009 From: r.berber at computer.org (René Berber) Date: Tue Feb 10 18:11:10 2009 Subject: fuzzy ocr known hash In-Reply-To: References: Message-ID: Marco Mangione wrote: > i have many email blocked because mailscanner assign 6 point due: > > 6.00 FUZZY_OCR_KNOWN_HASH Mail contains an image with known hash > > anyone know if this is correct ? That's from the FuzzyOcr plugin of SpamAssassin, and it is meant to score that high. You can clean up the hashes, configure a different score, whitelist the image... it's all part of FuzzyOcr's configuration. -- René Berber From MailScanner at ecs.soton.ac.uk Tue Feb 10 19:07:47 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Feb 10 19:08:12 2009 Subject: bitdefender In-Reply-To: <49906D6A.2020103@tomaatman.org> References: <1c36dc9d8cbece66c09e213f895a8695@elmo> <223f97700902090011t3770a556rbfa2cdaecdb07045@mail.gmail.com> <49906D6A.2020103@tomaatman.org> <4991D083.5010102@ecs.soton.ac.uk> Message-ID: On 9/2/09 17:52, jeroen wrote: > Glenn Steen schreef: >> 2009/2/9 jeroen : >>> I'm using MailScanner with BitDefender Antivirus Scanner for Unices >>> v7.90123. >>> To get scanning working I had to edit the path in >>> virus.scanners.conf to >>> /opt/BitDefender-scanner/bin. After that is seems to work, the >>> message gets >>> scanned and the EICAR test virus gets detected, but the infected mail >>> somehow isn't moved to the quarantine. >>> I also tested it with ClamAV and this works well. >>> >>> Feb 9 02:40:16 pino MailScanner[16457]: New Batch: Scanning 1 >>> messages, 2176 >>> bytes >>> Feb 9 02:40:18 pino MailScanner[16457]: Virus and Content Scanning: >>> Starting >>> Feb 9 02:40:22 pino MailScanner[16457]: >>> /var/spool/MailScanner/incoming/16457/1670912E1BD.2CEAC/msg-16457-1.txt:infected: >>> >>> EICAR-Test-File (not a virus) >>> Feb 9 02:40:22 pino MailScanner[16457]: Virus Scanning: Bitdefender >>> found 1 >>> infections >>> Feb 9 02:40:22 pino MailScanner[16457]: Virus Scanning: Found 1 viruses >>> Feb 9 02:40:22 pino MailScanner[16457]: Requeue: 1670912E1BD.2CEAC to >>> 9402712E1BE >>> Feb 9 02:40:22 pino postfix/qmgr[5178]: 9402712E1BE: >>> from=<xxxx@xxxxx.org>, size=1481, nrcpt=1 (queue active) >>> Feb 9 02:40:22 pino MailScanner[16457]: Uninfected: Delivered 1 >>> messages >>> Feb 9 02:40:22 pino MailScanner[16457]: Logging message >>> 1670912E1BD.2CEAC to >>> SQL >>> Feb 9 02:40:22 pino postfix/local[16677]: 9402712E1BE: >>> to=<xxxx@xxxx.org>, relay=local, delay=7.5, >>> delays=7.5/0.02/0/0.02, >>> dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail) >>> Feb 9 02:40:22 pino postfix/qmgr[5178]: 
9402712E1BE: removed >>> >>> Any thoughts on this? >>> >>> /jeroen >> >> That is the "not so free" version of BDC, so ... that it needed >> amending in the virus.scanners.conf isn't surprising:-). >> What version of MailScanner are you using? ISTR some similar troubles >> a while back (for some AV scanners), that might've been fixed in a >> newer release. >> >> If you are fairly current (like the latest stable), you could always >> send a fully licensed version of it to Jules, so that he can fix any >> outstanding problems. >> >> Cheers > Thank you for your answer Glenn. That version of BDC is free for non > commercial use. > I'm using MailScanner version 4.71.10. > Strange thing is that Mailscanner first recognizes it as a virus > message and later on says it's uninfected. In which case, please send me a fully-licensed copy of your version of Bitdefender to work from. I guarantee it will only be used for MailScanner development and will never leave my grasp. I've got a reputation to maintain! Please send it to mailscanner@ecs.soton.ac.uk. Preferably, please put it on an http site with no links to it (so it can't be found by web crawlers or Google) and send me the URL. Then I'll be able to fix your problem. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Tue Feb 10 19:09:35 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Feb 10 19:09:58 2009 Subject: how to disable this line of log In-Reply-To: <7d9b3cf20902060946o7b6a7f81lbf2edd1d745ddd04@mail.gmail.com> References: <7d9b3cf20902060946o7b6a7f81lbf2edd1d745ddd04@mail.gmail.com> <4991D0EF.7040501@ecs.soton.ac.uk> Message-ID: On 6/2/09 17:46, Eduardo Casarero wrote: > Is there a way to disable this messages? > > Feb 6 04:49:07 xxxx MailScanner[2043]: Non-delivery of spam: message > n169n3ii019910 from ftcerxxxxxx@xxx to xxxx@xxxxxx with subject Drug > Erectile > > I've just upgrade to latest stable version and this messages started > to appear. I reviewed MailScanner.conf but i couldnt find the value to > disable this. Set "Log Spam = no" and this will stop. I added it for easy log analysis and tracking of black-holing of spam. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Tue Feb 10 19:13:34 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Feb 10 19:13:55 2009 Subject: phishing sites: local and remote In-Reply-To: References: <4991D1DE.8040305@ecs.soton.ac.uk> Message-ID: Are lots of other people seeing this sort of attack? If so, is it worth my while doing something about it? I'm not going to start coding for 1 site (sorry David), but if plenty of people are seeing this then I could possibly do something. On 4/2/09 16:31, David Lee wrote: > We try to use MS configs (currently 4.72.5) reasonably close to the > distributed version. That includes taking the routine updates to > "phishing.bad.sites.conf" and "phishing.safe.sites.conf". > > Being a university, we are also getting badly hit by spear-phishing > attempts against our users. We noticed that some of incoming bait > contained URLs similar to ours. Our true URLs are of the form: > http://...durham.ac.uk/... > > The incoming bait reads: > http://...durham.ac.uk.spammer.bad/... > > (Real life pattern-matching would need more subtlety than that, but > you get the idea.) > > The routine anti-phishing stuff detects dubious URLs etc and displays > bright red "possible fraud" warnings. > > It would be nice if we could supplement this with an additional, > locally-based, component that could be configured to match suspicious > URLs based on the local site name. > > Is it possible to run such an antiphishing config, comprising both > Julian's standard set and a local component? > > If not, might it be a worthwhile addition? > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
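A locally configured check of the kind David Lee asks for, as an added example that is not MailScanner code or part of the original messages: it compares host names label by label, so the site's own domain counts as genuine only when it is the rightmost part of the host. It goes beyond the pattern in the post by also flagging hosts that squash the domain into one label with hyphens; the function names, the PROTECTED tuple and the sample body (including durham-ac.example) are assumptions constructed for illustration.

```python
"""Flag URLs whose host imitates the site's own domain (added example)."""
import re
from urllib.parse import urlsplit

# Domain to protect: the one named in the post. A real deployment would
# load its own list; this tuple is an assumption of the example.
PROTECTED = ("durham.ac.uk",)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample message body (not real mail).
SAMPLE_BODY = """\
Your mailbox quota is full. Confirm at http://webmail.durham.ac.uk.spammer.bad/login.
Genuine help page: https://WWW.DURHAM.AC.UK./its/
Also seen: http://durham-ac.example/portal and http://notdurham.ac.uk/
"""


def host_labels(host):
    """Lower-case the host, drop a trailing root dot, split into labels."""
    return [label for label in host.lower().rstrip(".").split(".") if label]


def squashed_forms(dom_labels):
    """Single-label imitations of the domain: its first k >= 2 labels
    joined by '-' or by nothing (durham-ac, durham-ac-uk, durhamac, ...)."""
    forms = set()
    for k in range(2, len(dom_labels) + 1):
        forms.add("-".join(dom_labels[:k]))
        forms.add("".join(dom_labels[:k]))
    return forms


def classify_host(host, protected=PROTECTED):
    """Return 'local', 'lookalike' or 'other' for one host name."""
    labels = host_labels(host)
    doms = [host_labels(d) for d in protected]
    # Genuine: the protected domain is the rightmost labels of the host.
    for dl in doms:
        if labels[-len(dl):] == dl:
            return "local"
    for dl in doms:
        n = len(dl)
        # (a) Whole domain present as labels, but not at the right edge:
        #     durham.ac.uk.spammer.bad
        for i in range(len(labels) - n):
            if labels[i:i + n] == dl:
                return "lookalike"
        # (b) Domain squashed into a single label: durham-ac.example
        forms = squashed_forms(dl)
        if any(form in label for label in labels for form in forms):
            return "lookalike"
    return "other"


def find_lookalike_urls(text, protected=PROTECTED):
    """Return (url, host) for every URL in text whose host is a lookalike."""
    hits = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:)>]")  # sentence punctuation glued to the URL
        try:
            host = urlsplit(url).hostname or ""
        except ValueError:  # malformed authority, e.g. a broken IPv6 literal
            continue
        if classify_host(host, protected) == "lookalike":
            hits.append((url, host))
    return hits


if __name__ == "__main__":
    for url, host in find_lookalike_urls(SAMPLE_BODY):
        print("lookalike:", host, "in", url)
```

Matching on whole labels rather than substrings is what keeps notdurham.ac.uk from being treated as the local domain and keeps the genuine www.durham.ac.uk from being flagged.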
From MailScanner at ecs.soton.ac.uk Tue Feb 10 19:16:09 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Feb 10 19:16:55 2009 Subject: MailScanner 4.74.16 Debug In-Reply-To: References: <4991D279.3070302@ecs.soton.ac.uk> Message-ID: I would have to add some debug code, as WriteEntireMessage is called from several places. Without knowing how it's called, there's nothing I can do. Do you know enough perl to be able to help me debug this issue? Jules. On 4/2/09 14:55, Justin Ellis wrote: > Good Morning All, > > I'm running into an issue that I'm not really sure what the root cause > of is. > > My queue's were moving slowly yesterday, and today are not moving at > all. The setup is: > > Postfix 2.4 with MailScanner 4.74.16 running on RH5. > > Running MailScanner in debug mode nets me the following error: > Can't call method "print" on an undefined value at > /usr/lib/MailScanner/MailScanner/PFDiskStore.pm line 734 > > The PFDiskStore file has not been modified, but here are it's contents > as well: > > # Write a message to a filehandle > sub WriteEntireMessage { > my($this, $message, $handle) = @_; > > # Write the whole message in RFC822 format to the filehandle. > # That means 1 CR-terminated line for every N record in the file. > my $b= Body->new( $this->{inhdhandle} ); > if ($b) { > $b->Start(1); # 1 says we want the headers as well as the body > my $line; > print STDERR "WriteEntireMessage\n"; > while(defined($line = $b->Next())) { > $handle-> print($line . "\n"); > #print STDERR "BODY: $line\n"; > } > $b->Done(); > } > } > > This may not be all of the information you need, but I couldn't think > of anything else to add. Can someone point me in the right direction? > > Thanks in advance! > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From marco.mangione at gmail.com Tue Feb 10 21:00:24 2009 From: marco.mangione at gmail.com (Marco mangione) Date: Tue Feb 10 21:00:32 2009 Subject: hold header Message-ID: Hello, i have a strange issue: my filter doesn't have many email in queue about ( 5/10) , but i receive some email in the " past " ... it is very strange. Anyone have some idea ? Marco -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090210/94a21861/attachment.html From jethro.binks at strath.ac.uk Tue Feb 10 21:30:06 2009 
From: jethro.binks at strath.ac.uk (Jethro R Binks) Date: Tue Feb 10 21:30:19 2009 Subject: phishing sites: local and remote In-Reply-To: References: <4991D1DE.8040305@ecs.soton.ac.uk> Message-ID: On Tue, 10 Feb 2009, Julian Field wrote: > Are lots of other people seeing this sort of attack? > If so, is it worth my while doing something about it? > I'm not going to start coding for 1 site (sorry David), but if plenty of > people are seeing this then I could possibly do something. For what it is worth, we have seen some very targeted spear phishes using newly registered domains that are "a bit" like ours (last example was "strath-ac.com"), copying website content from some system (like VLEs etc), and subsequently having users receive email purportedly from the administrators of the systems trying to get people to visit the fraudulent version of the site. It was so specific and unusual we have reported it (two occasions, last week and December) to JANET IRT. Any other JANET sites seeing similar elaborate institutionally-targeted attacks of this nature (rather than just run of the mill "your webmail is running out of space" generic spear phish) should please also report them to JANET IRT so they can keep an eye on the situation. Jethro. > > On 4/2/09 16:31, David Lee wrote: > > We try to use MS configs (currently 4.72.5) reasonably close to the > > distributed version. That includes taking the routine updates to > > "phishing.bad.sites.conf" and "phishing.safe.sites.conf". > > > > Being a university, we are also getting badly hit by spear-phishing attempts > > against our users. We noticed that some of incoming bait > > contained URLs similar to ours. Our true URLs are of the form: > > http://...durham.ac.uk/... > > > > The incoming bait reads: > > http://...durham.ac.uk.spammer.bad/... > > > > (Real life pattern-matching would need more subtlety than that, but you get > > the idea.) 
> >
> > The routine anti-phishing stuff detects dubious URLs etc and displays
> > bright red "possible fraud" warnings.
> >
> > It would be nice if we could supplement this with an additional,
> > locally-based, component that could be configured to match suspicious
> > URLs based on the local site name.
> >
> > Is it possible to run such an antiphishing config, comprising both Julian's
> > standard set and a local component?
> >
> > If not, might it be a worthwhile addition?
> >
> >
>
> Jules
>
> --

. . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK

From paul.hutchings at mira.co.uk Wed Feb 11 08:00:44 2009
From: paul.hutchings at mira.co.uk (Paul Hutchings)
Date: Wed Feb 11 08:00:59 2009
Subject: MailScanner fix for Exchange TNEF vuln?
Message-ID:

This is new today for those using MailScanner in front of Exchange.

http://www.microsoft.com/technet/security/bulletin/MS09-003.mspx

Of course not all of us can patch all our Exchange servers within ten minutes of the bulletin - is there any way to mitigate against the external threat using MailScanner?

Cheers,
Paul

--
MIRA Ltd

Watling Street, Nuneaton, Warwickshire, CV10 0TU, England.

Registered in England and Wales No. 402570
VAT Registration GB 114 5409 96

The contents of this e-mail are confidential and are solely for the use of the intended recipient.
If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax.
You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited.

From glenn.steen at gmail.com Wed Feb 11 09:05:11 2009
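The locally configured lookalike-URL matching that David Lee asks about in the "phishing sites: local and remote" thread above can be sketched as follows. This is an added example, not MailScanner code and not part of any post; the function names and the sample message are constructed for illustration, and the two protected domains are the ones named in the thread.

```python
"""Flag URLs whose hostname imitates a protected local domain."""
import re
from urllib.parse import urlsplit

# Domains to protect. These two are the ones named in the thread; a site
# would list its own (assumption: plain ASCII names, no IDN handling).
PROTECTED = ("durham.ac.uk", "strath.ac.uk")

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def host_of(url):
    """Return the lower-cased hostname of a URL, or None if unparsable."""
    try:
        host = urlsplit(url).hostname
    except ValueError:  # e.g. an unbalanced '[' in the authority part
        return None
    return host.rstrip(".") if host else None


def squash(name):
    """Drop dots and hyphens so 'strath-ac' and 'strath.ac' compare equal."""
    return name.replace(".", "").replace("-", "")


def classify(host, domain):
    """Compare one hostname with one protected domain.

    Returns None for the real domain, its subdomains and unrelated hosts,
    otherwise a short reason string.
    """
    if host == domain or host.endswith("." + domain):
        return None  # genuinely ours
    h, d = host.split("."), domain.split(".")
    # Pattern 1: our full name used as leading labels of another domain,
    # e.g. www.durham.ac.uk.spammer.bad (the final position is excluded
    # because that case is the genuine domain handled above).
    for i in range(len(h) - len(d)):
        if h[i:i + len(d)] == d:
            return "embedded"
    # Pattern 2: our name minus its last label, with separators changed or
    # glued to other text, e.g. strath-ac.com. This is a heuristic: a short
    # institution name would need a stricter rule to avoid false positives.
    core = squash(".".join(d[:-1]))
    if core and core in squash(host):
        return "lookalike"
    return None


def scan_message(text, protected=PROTECTED):
    """Return (host, imitated_domain, reason) for each suspicious URL host."""
    findings, seen = [], set()
    for url in URL_RE.findall(text):
        host = host_of(url)
        if host is None or host in seen:
            continue
        seen.add(host)
        for domain in protected:
            reason = classify(host, domain)
            if reason:
                findings.append((host, domain, reason))
    return findings


# Constructed sample message body (not taken from a real phish).
SAMPLE = """\
Dear user, your VLE account needs revalidation:
http://www.durham.ac.uk.spammer.bad/login
Mirror: HTTP://Strath-AC.com:8080/vle/
Real pages for comparison: https://www.durham.ac.uk/its/ and
http://vle.strath.ac.uk/index.html
"""

if __name__ == "__main__":
    for host, domain, reason in scan_message(SAMPLE):
        print(f"{reason:9} {host}  (imitates {domain})")
```

The genuine hosts in the sample pass silently; only the two imitating hostnames are reported, which is the "local component" behaviour requested alongside the standard phishing lists.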
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Feb 11 09:05:39 2009
Subject: MailScanner fix for Exchange TNEF vuln?
In-Reply-To:
References:
Message-ID: <223f97700902110105q5a8688d7pecfafa28531a134f@mail.gmail.com>

2009/2/11 Paul Hutchings :
> This is new today for those using MailScanner in front of Exchange.
>
> http://www.microsoft.com/technet/security/bulletin/MS09-003.mspx
>
> Of course not all of us can patch all our Exchange servers within ten
> minutes of the bulletin - is there any way to mitigate against the
> external threat using MailScanner?
>
> Cheers,
> Paul
>
Hello Paul,

There are two sides to this:
- MAPI == locally submitted mail... Shouldn't come into play, unless "local" == "insecure environment".
- TNEF from remote ... This you can handle in at least two ways...
  1) Don't allow TNEF at all, or
  2) Use MailScanner's "replace" feature.
Should take care of things... at least if I read this right:-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From prandal at herefordshire.gov.uk Wed Feb 11 10:02:02 2009
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Wed Feb 11 10:02:38 2009
Subject: MailScanner fix for Exchange TNEF vuln?
In-Reply-To:
References:
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA05F0B17C@HC-MBX02.herefordshire.gov.uk>

Setting "Use TNEF Contents = replace" in MailScanner.conf should do it.

I've never tried it. Anybody found any issues doing so?

Cheers,

Phil

--
Phil Randal | Networks Engineer
Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: prandal@herefordshire.gov.uk

Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Herefordshire Council.

This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it.

From prandal at herefordshire.gov.uk Wed Feb 11 10:12:07 2009
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Wed Feb 11 10:12:51 2009
Subject: MailScanner fix for Exchange TNEF vuln?
In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA05F0B17C@HC-MBX02.herefordshire.gov.uk>
References: <7EF0EE5CB3B263488C8C18823239BEBA05F0B17C@HC-MBX02.herefordshire.gov.uk>
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA05F0B198@HC-MBX02.herefordshire.gov.uk>

Oh, and "Deliver Unparsable TNEF = no" would be prudent too.

Cheers,

Phil

--
Phil Randal | Networks Engineer
Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: prandal@herefordshire.gov.uk

From cde at alunys.com Wed Feb 11 10:48:53 2009
From: cde at alunys.com (Cedric Devillers)
Date: Wed Feb 11 10:52:18 2009
Subject: MailScanner fix for Exchange TNEF vuln?
In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA05F0B198@HC-MBX02.herefordshire.gov.uk>
References: <7EF0EE5CB3B263488C8C18823239BEBA05F0B17C@HC-MBX02.herefordshire.gov.uk> <7EF0EE5CB3B263488C8C18823239BEBA05F0B198@HC-MBX02.herefordshire.gov.uk>
Message-ID: <4992AD15.6030908@alunys.com>

Hi,

Don't forget that replacing or rejecting TNEF will make the "meeting requests" mails from our beloved Outlook users unusable. So be careful if you have those kinds of mails going through your mailscanners (for me these should only be local mails).

Randal, Phil wrote:
> Oh, and "Deliver Unparsable TNEF = no" would be prudent too.
>
> Cheers,
>
> Phil

--
Visit our new website: www.amstergroup.com

From prandal at herefordshire.gov.uk Wed Feb 11 11:00:42 2009
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Wed Feb 11 11:01:33 2009
Subject: MailScanner fix for Exchange TNEF vuln?
In-Reply-To: <4992AD15.6030908@alunys.com>
References: <7EF0EE5CB3B263488C8C18823239BEBA05F0B17C@HC-MBX02.herefordshire.gov.uk> <7EF0EE5CB3B263488C8C18823239BEBA05F0B198@HC-MBX02.herefordshire.gov.uk> <4992AD15.6030908@alunys.com>
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA05F0B1DB@HC-MBX02.herefordshire.gov.uk>

The fewer meetings the better, so this seems like a productivity enhancement to me :-)

Cheers,

Phil

--
Phil Randal | Networks Engineer
Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: prandal@herefordshire.gov.uk

From andrew at donehue.net Wed Feb 11 11:05:09 2009
From: andrew at donehue.net (Andrew)
Date: Wed Feb 11 11:06:04 2009
Subject: includes question
Message-ID: <4992B0E5.5030901@donehue.net>

Hi All,

I'm using mailscanner on debian etch.

I have been trying to debug DCC (I downloaded and compiled)... checking the output of
spamassassin -t -D -C /etc/MailScanner/spam.assassin.prefs.conf < /tmp/test
(/tmp/test is a known spam email in full form)

and then again without -C /etc/Mails.....

I notice that when I don't have -C, there are a lot more includes (including the sa-updates) (see further below)

My questions are:
1) Is spam assassin with the mailscanner config missing the update files? (if so, how do I fix?)
2) Any hints on getting DCC working? seems to work great without the -C file (and I have the path correct + use_dcc set to 1)

Any help appreciated!

Thanks,

Andrew

specifically, I am missing this (and a whole bunch of other items, and DCC appears to be working well in the notes)

[3484] dbg: config: using "/var/lib/spamassassin/3.002003" for sys rules pre files
[3484] dbg: config: read file /var/lib/spamassassin/3.002003/saupdates_openprotect_com.pre
[3484] dbg: config: using "/var/lib/spamassassin/3.002003" for default rules dir
[3484] dbg: config: read file /var/lib/spamassassin/3.002003/saupdates_openprotect_com.cf
[3484] dbg: config: read file /var/lib/spamassassin/3.002003/updates_spamassassin_org.cf

--cut --

484] dbg: info: entering helper-app run mode
[3484] dbg: dcc: opening pipe: /usr/local/bin/dccproc -H -x 0 -a 123.199.42.202 < /tmp/.spamassassin3484F5zj09tmp
[3521] dbg: util: setuid: ruid=102 euid=102
[3484] dbg: dcc: got response: X-DCC-sonic.net-Metrics: scanmx01 1117; Body=many Fuz1=many Fuz2=many
[3484] dbg: info: leaving helper-app run mode
[3484] dbg: dcc: listed: BODY=999999/999999 FUZ1=999999/999999 FUZ2=999999/999999
[3484] dbg: rules: ran eval rule DCC_CHECK ======> got hit (1)

From ms-list at alexb.ch Wed Feb 11 11:20:53 2009
From: ms-list at alexb.ch (Alex Broens)
Date: Wed Feb 11 11:21:01 2009
Subject: includes question
In-Reply-To: <4992B0E5.5030901@donehue.net>
References: <4992B0E5.5030901@donehue.net>
Message-ID: <4992B495.109@alexb.ch>

On 2/11/2009 12:05 PM, Andrew wrote:
> Hi All,
>
> I'm using mailscanner on debian etch.
>
> I have been trying to debug DCC (I downloaded and compiled)... checking
> the output of
> spamassassin -t -D -C /etc/MailScanner/spam.assassin.prefs.conf < /tmp/test
> (/tmp/test is a known spam email in full form)
>
> and then again without -C /etc/Mails.....
>
> I notice that when I don't have -C, there are a lot more includes
> (including the sa-updates) (see further below)

You don't need the -C /etc/MailScanner/spam.assassin.prefs.conf
this file is symlinked to /etc/mail/spamassassin/mailscanner.cf and automatically detected by SA.

>
> My questions are:
> 1) Is spam assassin with the mailscanner config missing the update
> files? (if so, how do I fix?)

nope.. nothing broken.. just don't use the -C switch.

> 2) Any hints on getting DCC working? seems to work great without the -C
> file (and I have the path correct + use_dcc set to 1)

make sure the plugin is enabled in v310.pre

> Any help appreciated!

h2h

Alex

From drew.marshall at trunknetworks.com Wed Feb 11 11:27:23 2009
From: drew.marshall at trunknetworks.com (Drew Marshall)
Date: Wed Feb 11 11:27:40 2009
Subject: MailScanner fix for Exchange TNEF vuln?
In-Reply-To: <20090211111544.EC08C17066@out-b.mx.mail-launder.com>
References: <7EF0EE5CB3B263488C8C18823239BEBA05F0B17C@HC-MBX02.herefordshire.gov.uk> <7EF0EE5CB3B263488C8C18823239BEBA05F0B198@HC-MBX02.herefordshire.gov.uk> <4992AD15.6030908@alunys.com> <20090211111544.EC08C17066@out-b.mx.mail-launder.com>
Message-ID: <200902111127.n1BBRW6o014117@safir.blacknight.ie>

On 11 Feb 2009, at 11:00, Randal, Phil wrote:

> The fewer meetings the better, so this seems like a productivity
> enhancement to me :-)

Agreed! This is the first time that I have ever considered an Exchange critical security issue (Or even anything that comes out of Exchange) as a productivity enhancer!

Drew

From andrew at donehue.net Wed Feb 11 11:29:29 2009
From: andrew at donehue.net (Andrew)
Date: Wed Feb 11 11:30:10 2009
Subject: includes question
In-Reply-To: <4992B495.109@alexb.ch>
References: <4992B0E5.5030901@donehue.net> <4992B495.109@alexb.ch>
Message-ID: <4992B699.5060405@donehue.net>

Thanks for the quick reply.

I did a check, there is no mailscanner.cf (anywhere!) Maybe this is my problem? (I installed the debian package).

What should my mailscanner.cf file look like?

Dcc is enabled in v310.pre

# DCC is disabled here because it is not open source. See the DCC
# license for more details.
#
loadplugin Mail::SpamAssassin::Plugin::DCC

From ms-list at alexb.ch Wed Feb 11 11:42:48 2009
From: ms-list at alexb.ch (Alex Broens)
Date: Wed Feb 11 11:42:56 2009
Subject: includes question
In-Reply-To: <4992B699.5060405@donehue.net>
References: <4992B0E5.5030901@donehue.net> <4992B495.109@alexb.ch> <4992B699.5060405@donehue.net>
Message-ID: <4992B9B8.2070405@alexb.ch>

On 2/11/2009 12:29 PM, Andrew wrote:
> Thanks for the quick reply.
>
> I did a check, there is no mailscanner.cf (anywhere!) Maybe this is my
> problem? (I installed the debian package).

gotta pass on this one, no idea what Debian does.

> What should my mailscanner.cf file look like?

/etc/mail/spamassassin/mailscanner.cf is a symlink to /etc/MailScanner/spam.assassin.prefs.conf

nothing more

> Dcc is enabled in v310.pre
>
>
> # DCC is disabled here because it is not open source. See the DCC
> # license for more details.
> #
> loadplugin Mail::SpamAssassin::Plugin::DCC

From andrew at donehue.net Wed Feb 11 12:20:25 2009
From: andrew at donehue.net (Andrew)
Date: Wed Feb 11 12:21:05 2009
Subject: includes question plus dcc
In-Reply-To: <4992B9B8.2070405@alexb.ch>
References: <4992B0E5.5030901@donehue.net> <4992B495.109@alexb.ch> <4992B699.5060405@donehue.net> <4992B9B8.2070405@alexb.ch>
Message-ID: <4992C289.5000400@donehue.net>

Thanks - I might clarify this further (into a specific dcc question).

When I run (as the same user mailscanner runs as)

spamassassin -D -t < /tmp/test

DCC hits

2.2 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)

When I put the same email through mailscanner (via telnet), it doesn't hit (and other emails don't hit, I checked the logs).

Is there a specific command i can test spamassassin with that emulates the way mailscanner calls it?

I have used DCC in the past, and miss it now it isn't included (it is more effective than razor and pyzor, and is great when combined with them to make 3 checks).

Thanks

Andrew

From marco.mangione at gmail.com Wed Feb 11 13:02:04 2009
From: marco.mangione at gmail.com (Marco mangione)
Date: Wed Feb 11 13:02:14 2009
Subject: fuzzy ocr known hash
In-Reply-To:
References:
Message-ID:

How can I disable fuzzy ocr for a minute to perform some tests?

2009/2/10 René Berber

> Marco Mangione wrote:
>
> > I have many email blocked because mailscanner assign 6 point due:
> >
> > 6.00 FUZZY_OCR_KNOWN_HASH Mail contains an image with known hash
> >
> > anyone know if this is correct ?
>
> That's from the FuzzyOcr plugin of SpamAssassin, and it is meant to
> score that high.
>
> You can clean up the hashes, configure a different score, whitelist the
> image... it's all part of FuzzyOcr's configuration.
> --
> René Berber

From prandal at herefordshire.gov.uk Wed Feb 11 13:10:40 2009
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Wed Feb 11 13:11:16 2009
Subject: fuzzy ocr known hash
In-Reply-To:
References:
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA05F0B279@HC-MBX02.herefordshire.gov.uk>

That depends on how you've loaded it.

You might have a line similar to

loadplugin FuzzyOcr /etc/mail/spamassassin/FuzzyOcr.pm

in your /etc/mail/spamassassin/init.pre

Comment it out and reload or restart MailScanner.

grep's your friend.

Cheers,

Phil
--
Phil Randal | Networks Engineer
Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: prandal@herefordshire.gov.uk

________________________________

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Marco mangione
Sent: 11 February 2009 13:02
To: MailScanner discussion
Subject: Re: fuzzy ocr known hash

how can i disable fuzzy ocr for a minute to perform some tests ?
From Denis.Beauchemin at USherbrooke.ca Wed Feb 11 13:13:20 2009
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Wed Feb 11 13:13:29 2009
Subject: fuzzy ocr known hash
In-Reply-To:
References:
Message-ID: <4992CEF0.10607@USherbrooke.ca>

Marco mangione wrote:
> how can i disable fuzzy ocr for a minute to perform some tests ?
>

Marco,

I think you'd have to rename /etc/mail/spamassassin/FuzzyOcr.cf to
something else not ending in .cf and reload MS.

Denis
From marco.mangione at gmail.com Wed Feb 11 13:17:50 2009
From: marco.mangione at gmail.com (Marco mangione)
Date: Wed Feb 11 13:18:01 2009
Subject: spam detection and spam list option
Message-ID:

Hello,

this options:

#
# Spam Detection and Spam Lists (DNS blocklists)
# ----------------------------------------------
#

# Do you want to check messages to see if they are spam?
# Note: If you switch this off then *no* spam checks will be done at all.
# This includes both MailScanner's own checks and SpamAssassin.
# If you want to just disable the "Spam List" feature then set
# "Spam List =" (i.e. an empty list) in the setting below.
# This can also be the filename of a ruleset.
Spam Checks = yes

# This is the list of spam blacklists (RBLs) which you are using.
# See the "Spam List Definitions" file for more information about what
# you can put here.
# This can also be the filename of a ruleset.
# spamhaus-ZEN is NOT FREE for commercial/government users. Please
# see http://www.spamhaus.org
Spam List = spamcop.net SBL+XBL

i must turn it OFF if i already perform this check in front of the
mailscanner right ?
From maxsec at gmail.com Wed Feb 11 13:42:35 2009
From: maxsec at gmail.com (Martin Hepworth)
Date: Wed Feb 11 13:42:58 2009
Subject: spam detection and spam list option
In-Reply-To:
References:
Message-ID: <72cf361e0902110542gdf579a6oc2f1b5ffbc63d691@mail.gmail.com>

2009/2/11 Marco mangione :
> Hello,
>
> this options:
>
> #
> # Spam Detection and Spam Lists (DNS blocklists)
> # ----------------------------------------------
> #
>
> # Do you want to check messages to see if they are spam?
> # Note: If you switch this off then *no* spam checks will be done at all.
> # This includes both MailScanner's own checks and SpamAssassin.
> # If you want to just disable the "Spam List" feature then set
> # "Spam List =" (i.e. an empty list) in the setting below.
> # This can also be the filename of a ruleset.
> Spam Checks = yes
>
> # This is the list of spam blacklists (RBLs) which you are using.
> # See the "Spam List Definitions" file for more information about what
> # you can put here.
> # This can also be the filename of a ruleset.
> # spamhaus-ZEN is NOT FREE for commercial/government users. Please
> # see http://www.spamhaus.org
> Spam List = spamcop.net SBL+XBL
>
>
> i must turn it OFF if i already perform this check in front of the
> mailscanner right ?
>

Yes you can set this to

Spam List =

if you want to turn it off.

--
Martin Hepworth
Oxford, UK
From ms-list at alexb.ch Wed Feb 11 13:45:31 2009
From: ms-list at alexb.ch (Alex Broens)
Date: Wed Feb 11 13:45:40 2009
Subject: includes question plus dcc
In-Reply-To: <4992C289.5000400@donehue.net>
References: <4992B0E5.5030901@donehue.net> <4992B495.109@alexb.ch> <4992B699.5060405@donehue.net> <4992B9B8.2070405@alexb.ch> <4992C289.5000400@donehue.net>
Message-ID: <4992D67B.1000304@alexb.ch>

On 2/11/2009 1:20 PM, Andrew wrote:
> Thanks - I might clarify this further (into a specific dcc question).
>
> When I run (as the same user mailscanner runs as)
> spamassassin -D -t < /tmp/test
> DCC hits
>
> 2.2 DCC_CHECK Listed in DCC
> (http://rhyolite.com/anti-spam/dcc/)
>
> When I put the same email through mailscanner (via telnet), it doesn't
> hit (and other emails don't hit, I checked the logs).
>
> Is there a specific command i can test spamassassin with that emulates
> the way mailscanner calls it?

not exactly as you're hoping it would.
run MailScanner/SA in debug mode and you should see more about what's
happening

> I have used DCC in the past, and miss it now it isn't included (it is
> more effective than razor and pyzor, and is great when combined with
> them to make 3 checks).
>
>
> Thanks
> Andrew
>
> Alex Broens wrote:
>> On 2/11/2009 12:29 PM, Andrew wrote:
>>> Thanks for the quick reply.
>>>
>>> I did a check, there is no mailscanner.cf (anywhere!) Maybe this is
>>> my problem? (I installed the debian package).
>>
>> gotta pass on this one, no idea what Debian does.
>>
>>> What should my mailscanner.cf file look like?
>>
>> /etc/mail/spamassassin/mailscanner.cf is a symlink to
>> /etc/MailScanner/spam.assassin.prefs.conf
>>
>> nothing more
>>
>>> Dcc is enabled in v310.pre
>>>
>>>
>>> # DCC is disabled here because it is not open source. See the DCC
>>> # license for more details.
>>> #
>>> loadplugin Mail::SpamAssassin::Plugin::DCC
>>>
>>>
>>> Alex Broens wrote:
>>>> On 2/11/2009 12:05 PM, Andrew wrote:
>>>>> Hi All,
>>>>>
>>>>> I'm using mailscanner on debian etch.
>>>>>
>>>>> I have been trying to debug DCC (I downloaded and compiled)...
>>>>> checking the output of
>>>>> spamassassin -t -D -C /etc/MailScanner/spam.assassin.prefs.conf <
>>>>> /tmp/test
>>>>> (/tmp/test is a known spam email in full form)
>>>>>
>>>>> and then again without -C /etc/Mails.....
>>>>>
>>>>> I notice that when I don't have -C, there are a lot more includes
>>>>> (including the sa-updates) (see further below)
>>>>
>>>> You don't need the -C /etc/MailScanner/spam.assassin.prefs.conf
>>>> this file is symlinked to /etc/mail/spamassassin/mailscanner.cf and
>>>> automatically detected by SA.
>>>>>
>>>>> My questions are:
>>>>> 1) Is spam assassin with the mailscanner config missing the update
>>>>> files? (if so, how do I fix?)
>>>>
>>>> nope.. nothing broken.. just don't use the -C switch.
>>>>
>>>>> 2) Any hints on getting DCC working? seems to work great without
>>>>> the -C file (and I have the path correct + use_dcc set to 1)
>>>>
>>>> make sure the plugin is enabled in v310.pre
>>>>
>>>>> Any help appreciated!
>>>>
>>>> h2h
>>>>
>>>> Alex
>>>
>
From paul.welsh.3 at googlemail.com Wed Feb 11 13:51:49 2009
From: paul.welsh.3 at googlemail.com (Paul Welsh)
Date: Wed Feb 11 13:52:13 2009
Subject: MailScanner fix for Exchange TNEF vuln?
Message-ID: <49df20710902110551m745585bct6b678c4a81091559@mail.gmail.com>

In MailScanner 4.71.10-1 and 4.74.16-1 at least, the default settings
for TNEF in MailScanner.conf are:

Expand TNEF = yes
Use TNEF Contents = replace
Deliver Unparsable TNEF = no

So many MailScanner users will be protected without knowing it.

I have an unpatched Exchange server and also use Sophos on my
MailScanner box. I've just noticed that I could have probably used
"Expand TNEF = no" because Sophos can check attachments within TNEF
files. Obviously I'll keep the "Use TNEF Contents = replace" setting in
place but does anyone know whether "Expand TNEF = no" is compatible with
"Use TNEF Contents = replace"?
From maillists at conactive.com Wed Feb 11 14:31:18 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Wed Feb 11 14:31:36 2009
Subject: spam detection and spam list option
In-Reply-To:
References:
Message-ID:

Marco mangione wrote on Wed, 11 Feb 2009 14:17:50 +0100:

> i must turn it OFF if i already perform this check in front of the
> mailscanner right ?

Makes sense, yes ;-)

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
From jonas at vrt.dk Wed Feb 11 15:35:19 2009
From: jonas at vrt.dk (jonas@vrt.dk)
Date: Wed Feb 11 15:35:28 2009
Subject: Problem with mailscanner after upgrading to newest (filename checks)
Message-ID: <005001c98c5e$58ba2b20$0a2e8160$@dk>

Hi list

I got a problem after upgrading to latest mailscanner:

scanner0 MailScanner[30533]: Spam Checks completed at 11761 bytes per second
scanner0 MailScanner[30533]: Filename Checks: Filename contains lots of white space (1LWooQ-0004kj-1j 195752.pdf)
scanner0 MailScanner[30533]: Other Checks: Found 1 problems

This looks a bit weird to me, is that how it normally looks? A msgid and
then a filename without any commas or anything?

My issue is that mailwatch, the reports etc all report the filename as
being:

Mailwatch:
MailScanner: A long gap in a name is often used to hide part of it
(195752.pdf)

The email report:
One or more of the attachments (195752.pdf) are on
the list of unacceptable attachments for this site and will not have
been delivered.

Consider renaming the files to avoid this constraint.

The virus detector said this about the message:
Report: MailScanner: A long gap in a name is often used to hide part of it
(195752.pdf)

In both places the filename does not appear to contain spaces.

Let me dump some maybe related config vars:

Running on
Linux scanner0 2.6.18-6-686-bigmem #1 SMP Fri Dec 12 17:49:59 UTC 2008 i686 GNU/Linux
This is Perl version 5.008008 (5.8.8)

This is MailScanner version 4.74.16

In conf I got:

Expand TNEF = yes
Use TNEF Contents = replace
TNEF Expander = internal

Let me know if anybody can think of stuff I can try to fix this.
If it's an issue at all. I guess my real question is how can I know if the
attachment had many whitespaces or not?

Med venlig hilsen / Best regards

Jonas Akrouh Larsen

TechBiz ApS
Laplandsgade 4, 2. sal
2300 København S

Office: 7020 0979
Direct: 3336 9974
Mobile: 5120 1096
Fax: 7020 0978
Web: www.techbiz.dk
From rcooper at dwford.com Wed Feb 11 16:11:18 2009
From: rcooper at dwford.com (Rick Cooper)
Date: Wed Feb 11 16:11:31 2009
Subject: Problem with mailscanner after upgrading to newest (filename checks)
In-Reply-To: <005001c98c5e$58ba2b20$0a2e8160$@dk>
References: <005001c98c5e$58ba2b20$0a2e8160$@dk>
Message-ID: <1F227757637C471F80A58BB5B7343E45@SAHOMELT>

The filename in the reports has been sanitized and made safe, it's not the
full and actual filename as was sent since it was determined to be
potentially dangerous.

Rick
From campbell at cnpapers.com Wed Feb 11 16:16:53 2009
From: campbell at cnpapers.com (Steve Campbell)
Date: Wed Feb 11 16:17:08 2009
Subject: Problem with mailscanner after upgrading to newest (filename checks)
In-Reply-To: <005001c98c5e$58ba2b20$0a2e8160$@dk>
References: <005001c98c5e$58ba2b20$0a2e8160$@dk>
Message-ID: <4992F9F5.3000902@cnpapers.com>

jonas@vrt.dk wrote:
>
> Hi list
>
> I got a problem after upgrading to latest mailscanner:
>
> scanner0 MailScanner[30533]: Spam Checks completed at 11761 bytes per
> second
> scanner0 MailScanner[30533]: Filename Checks: Filename contains lots
> of white space (1LWooQ-0004kj-1j 195752.pdf)
> scanner0 MailScanner[30533]: Other Checks: Found 1 problems
>
> This looks a bit weird to me, is that how it normally looks? A msgid
> and then a filename without any commas or anything?
>
> My issue is that mailwatch, the reports etc all report the filename as
> being:
>
> Mailwatch:
> MailScanner: A long gap in a name is often used to hide part of it
> (195752.pdf)
>
> The email report:
> One or more of the attachments (195752.pdf) are on
> the list of unacceptable attachments for this site and will not have
> been delivered.
>
> Consider renaming the files to avoid this constraint.
>
> The virus detector said this about the message:
> Report: MailScanner: A long gap in a name is often used to hide part of it
> (195752.pdf)
>
> In both places the filename does not appear to contain spaces.
>
> Let me dump some maybe related config vars:
>
> Running on
> Linux scanner0 2.6.18-6-686-bigmem #1 SMP Fri Dec 12 17:49:59 UTC 2008
> i686 GNU/Linux
> This is Perl version 5.008008 (5.8.8)
>
> This is MailScanner version 4.74.16
>
> In conf I got:
>
> Expand TNEF = yes
> Use TNEF Contents = replace
> TNEF Expander = internal
>
> Let me know if anybody can think of stuff I can try to fix this. If
> its an issue at all. I guess my real question is how can I know if the
> attachment had many whitespaces or not?
>

I don't think this is new with the newest release. It's been around for
quite some time.

Steve Campbell
From Kevin_Miller at ci.juneau.ak.us Wed Feb 11 18:12:00 2009
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Wed Feb 11 18:12:14 2009
Subject: MailScanner fix for Exchange TNEF vuln?
In-Reply-To: <4992AD15.6030908@alunys.com>
References: <7EF0EE5CB3B263488C8C18823239BEBA05F0B17C@HC-MBX02.herefordshire.gov.uk> <7EF0EE5CB3B263488C8C18823239BEBA05F0B198@HC-MBX02.herefordshire.gov.uk> <4992AD15.6030908@alunys.com>
Message-ID: <4A09477D575C2C4B86497161427DD94C0C845BAB6E@CITY-EXCHANGE07.cbj.local>

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Cedric Devillers
Sent: Wednesday, February 11, 2009 1:49 AM
To: MailScanner discussion
Subject: Re: MailScanner fix for Exchange TNEF vuln?

Hi,

> Don't forget that replacing or rejecting TNEF will
> make the "meeting requests" mails from our beloved
> outlook users unusable.
>
> So be careful if you have those kind of mails going
> through your mailscanners (for me these should only
> be local mails).

I'm not sure that's entirely accurate. I have replace TNEF enabled, but
have received meeting requests from 3rd parties outside our system. I've
never had any complaints...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500
From marco.mangione at gmail.com Wed Feb 11 19:33:46 2009
From: marco.mangione at gmail.com (Marco mangione)
Date: Wed Feb 11 19:33:56 2009
Subject: spamhaus or ?
Message-ID:

hello.. i'm using zen.spamhaus.org to block
spam at smtp level.. and with this i block about 60/80% ... but as i see
it is not free.. so when i reach the query/day/limit ... but i don't want
to upgrade the service, what other RBL do you suggest ?

thanks
From ssilva at sgvwater.com Wed Feb 11 19:38:37 2009
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Feb 11 19:39:04 2009
Subject: includes question
In-Reply-To: <4992B699.5060405@donehue.net>
References: <4992B0E5.5030901@donehue.net> <4992B495.109@alexb.ch> <4992B699.5060405@donehue.net>
Message-ID:

on 2-11-2009 3:29 AM Andrew spake the following:
> Thanks for the quick reply.
>
> I did a check, there is no mailscanner.cf (anywhere!) Maybe this is my
> problem? (I installed the debian package).
>
What version of mailscanner do you have? The package in stable is years old,
and the package in testing is not that much newer.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
From ssilva at sgvwater.com Thu Feb 12 00:02:01 2009
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Feb 12 00:02:25 2009
Subject: spamhaus or ?
In-Reply-To:
References:
Message-ID:

on 2-11-2009 11:33 AM Marco mangione spake the following:
> hello.. i'm using zen.spamhaus.org to block
> spam at smtp level.. and with this i block about 60/80% ... but as i see
> it is not free.. so when i reach the query/day/limit ... but i don't want
> to upgrade the service, what other RBL do you suggest ?
>
> thanks
>
You really have to test that for yourself to see how your traffic reacts.
Checking spamassassin scores against the other rbl's is how I see what is
good for me. I use spamcop, cbl, njabl, sorbs and psbl at the MTA, and I
have added others to spamassassin to bump scores on more mail. It is a
constant fight to stay ahead. Other sites probably would get FP's from some
of those.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
From MailScanner at ecs.soton.ac.uk Thu Feb 12 09:51:23 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Feb 12 09:51:43 2009
Subject: Problem with mailscanner after upgrading to newest (filename checks)
In-Reply-To: <4992F9F5.3000902@cnpapers.com>
References: <005001c98c5e$58ba2b20$0a2e8160$@dk> <4992F9F5.3000902@cnpapers.com> <4993F11B.5020006@ecs.soton.ac.uk>
Message-ID:

On 11/2/09 16:16, Steve Campbell wrote:
>
>
> jonas@vrt.dk wrote:
>>
>> Hi list
>>
>> I got a problem after upgrading to latest mailscanner:
>>
>> scanner0 MailScanner[30533]: Spam Checks completed at 11761 bytes per
>> second
>> scanner0 MailScanner[30533]: Filename Checks: Filename contains lots
>> of white space (1LWooQ-0004kj-1j 195752.pdf)
>> scanner0 MailScanner[30533]: Other Checks: Found 1 problems
>>
>> This looks a bit weird to me, is that how it normally looks? A msgid
>> and then a filename without any commas or anything?
>>
>> My issue is that mailwatch, the reports etc all report the filename
>> as being:
>>
>> Mailwatch:
>> MailScanner: A long gap in a name is often used to hide part of it
>> (195752.pdf)
>>
>> Report: MailScanner: A long gap in a name is often used to hide part
>> of it
>> (195752.pdf)
>>
>> In both places the filename does not appear to contain spaces.
>>
MailScanner (and MailWatch) sanitise the filenames before reporting
them, as passing untrusted data to the output of any system is a very
bad idea. So the filenames you see in the reports will have had long
strings of spaces removed, and various other massaging techniques to
ensure that no security vulnerabilities are introduced by reporting the
original name of the attachment.

It has always done this, ever since version 1.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
From sandro at e-den.it Thu Feb 12 10:22:23 2009
From: sandro at e-den.it (Alessandro Dentella)
Date: Thu Feb 12 10:22:33 2009
Subject: selecting message that should go into MailScanner
Message-ID: <20090212102223.GA23255@ubuntu>

Hi,

I need to setup one postfix + mailscanner box so that from certain domains
that send massive newsletter mails are not checked: there would be no
point.

I thought to go in header_checks and change the regexp something as:

/^From: .*@newsletter_sendingdomain.com/ OK
/^Subject: dabluff5/ OK
/^Received:/ HOLD

but I can't see any differences. I tried it also with other patterns but it
seems it never gets into the first line rule (it goes of course into the
last: 'Received'). I wondered if the second overwrites the first as it
comes later in parsing the header messages.

Convinced to simplify my tests I used test on Subject that I can change
simply but I believe that that should work. Am I wrong?

As a second attempt I tried a recipe [1] from Hugo Vanderkooij that I
found in the archives that suggests to go with the filter in the
smtpd_client_restrictions with a check_recipient_access, but again I can't
make messages go into HOLD with a rule on Subject

Any hints?

thanks
sandro
*:-)

[1] http://hugo.vanderkooij.org/email/mailscanner.htm#HOLD
--
Sandro Dentella *:-)
http://sqlkit.argolinux.org SQLkit home page - PyGTK/python/sqlalchemy
From john at tradoc.fr Thu Feb 12 10:34:58 2009
From: john at tradoc.fr (John Wilcock)
Date: Thu Feb 12 10:35:13 2009
Subject: selecting message that should go into MailScanner
In-Reply-To: <20090212102223.GA23255@ubuntu>
References: <20090212102223.GA23255@ubuntu>
Message-ID: <4993FB52.3030104@tradoc.fr>

On 12/02/2009 11:22, Alessandro Dentella wrote:
> I need to setup one postfix + mailscanner box so that from certain domains
> that send massive newsletter mails are not checked: there would be no
> point.
>
> I thought to go in header_checks and change the regexp something as:
>
> /^From: .*@newsletter_sendingdomain.com/ OK
> /^Subject: dabluff5/ OK
> /^Received:/ HOLD
>
> but I can't see any differences. I tried it also with other patterns but it
> seems it never gets into the first line rule (it goes of course into the
> last: 'Received'). I wondered if the second overwrites the first as it
> comes later in parsing the header messages.

From the header_checks manpage:

       DUNNO  Pretend that the input line did not match any pattern,
              and inspect the next input line. This action
              can be used to shorten the table search.

              For backwards compatibility reasons, Postfix also
              accepts OK but it is (and always has been) treated
              as DUNNO.

John.

--
-- Over 3000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages - www.tradoc.fr
From john at tradoc.fr Thu Feb 12 10:49:09 2009
From: john at tradoc.fr (John Wilcock)
Date: Thu Feb 12 10:49:24 2009
Subject: selecting message that should go into MailScanner
In-Reply-To: <4993FB52.3030104@tradoc.fr>
References: <20090212102223.GA23255@ubuntu> <4993FB52.3030104@tradoc.fr>
Message-ID: <4993FEA5.5010504@tradoc.fr>

On 12/02/2009 11:34, John Wilcock wrote:
> From the header_checks manpage:
>
> DUNNO Pretend that the input line did not match any pattern,
> and inspect the next input line. This action
> can be used to shorten the table search.
>
> For backwards compatibility reasons, Postfix also
> accepts OK but it is (and always has been) treated
> as DUNNO.

Oops - pushed send a bit quickly.

Should have mentioned that the easiest solution to your problem is not
to persuade postfix to bypass MailScanner altogether, but to use a
ruleset within MailScanner to avoid the spam checks.

Spam Checks = %rules-dir%/spam.checks.rules

where the spam.checks.rules file contains something like

From:     lists.mailscanner.info    no   #Mailscanner list
From:     spamassassin.apache.org   no   #SpamAssassin list
FromOrTo: default                   yes

This also has the advantage of still doing virus checks on your mailing
lists.

John.

--
-- Over 3000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages - www.tradoc.fr

From maxsec at gmail.com Thu Feb 12 10:55:31 2009
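Added example (not from the thread and not Postfix code): a small Python model of the lookup behaviour John quotes from the header_checks manpage, run over Alessandro's table. It assumes only what the excerpt states, plus that each logical header is looked up on its own and that a HOLD on any one header holds the message; both sample messages are constructed.

```python
import re

# Alessandro's header_checks table from the thread, in file order.
TABLE = [
    (r"^From: .*@newsletter_sendingdomain.com", "OK"),
    (r"^Subject: dabluff5", "OK"),
    (r"^Received:", "HOLD"),
]

def logical_headers(raw):
    """Unfold continuation lines so each header is inspected as one line."""
    headers = []
    for line in raw.splitlines():
        if not line:
            break                               # blank line ends the headers
        if line[0] in " \t" and headers:
            headers[-1] += " " + line.strip()   # folded continuation
        else:
            headers.append(line)
    return headers

def lookup(table, header):
    """The first matching pattern decides the action for THIS header only."""
    for pattern, action in table:
        if re.search(pattern, header, re.IGNORECASE):
            # Manpage excerpt: OK is accepted but treated as DUNNO.
            return "DUNNO" if action == "OK" else action
    return None

def evaluate(table, raw):
    """Return (held, trace) for one message."""
    held, trace = False, []
    for header in logical_headers(raw):
        action = lookup(table, header)
        trace.append((header.split(":", 1)[0], action))
        if action == "HOLD":
            held = True
        # DUNNO or no match: nothing is remembered, the next header starts fresh.
    return held, trace

# Constructed sample messages (hosts, addresses and queue ids are made up).
NEWSLETTER = """Received: from mta.newsletter_sendingdomain.com (unknown [192.0.2.10])
\tby mx.example.org (Postfix) with ESMTP id 0000000000
From: News <news@newsletter_sendingdomain.com>
Subject: dabluff5
To: user@example.org

body
"""
ORDINARY = """Received: from mail.example.net (unknown [198.51.100.7])
\tby mx.example.org (Postfix) with ESMTP id 1111111111
From: Someone <someone@example.net>
Subject: hello
To: user@example.org

body
"""

if __name__ == "__main__":
    for name, msg in (("newsletter", NEWSLETTER), ("ordinary", ORDINARY)):
        held, trace = evaluate(TABLE, msg)
        print(name, "held" if held else "not held", trace)
```

Both messages end up held: the OK on From: or Subject: only ends the search for that one header, and the Received: header still matches the HOLD rule whatever the order of the table.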
From: maxsec at gmail.com (Martin Hepworth)
Date: Thu Feb 12 10:55:40 2009
Subject: selecting message that should go into MailScanner
In-Reply-To: <20090212102223.GA23255@ubuntu>
References: <20090212102223.GA23255@ubuntu>
Message-ID: <72cf361e0902120255l1abbb04bgcf28fbcc3648eca@mail.gmail.com>

2009/2/12 Alessandro Dentella :
> Hi,
>
> I need to set up one postfix + mailscanner box so that certain domains
> that send massive newsletter mails are not checked: there would be no
> point.
>
> I thought to go in header_checks and change the regexp something as:
>
> /^From: .*@newsletter_sendingdomain.com/ OK
> /^Subject: dabluff5/ OK
> /^Received:/ HOLD
>
> but I can't see any differences. I tried it also with other patterns but it
> seems it never gets into the first line rule (it goes of course into the
> last: 'Received'). I wondered if the second overwrites the first as it
> comes later in parsing the header messages.
>
> Convinced to simplify my tests I used test on Subject that I can change
> simply but I believe that that should work. Am I wrong?
>
> As a second attempt I tried a recipe [1] from Hugo Vanderkooij that I
> found in the archives that suggests to go with the filter in the
> smtpd_client_restrictions with a check_recipient_access, but again I can't
> make messages go into HOLD with a rule on Subject
>
> Any hints?
>
> thanks
> sandro
> *:-)
>
>
> [1] http://hugo.vanderkooij.org/email/mailscanner.htm#HOLD
> --
> Sandro Dentella *:-)
> http://sqlkit.argolinux.org SQLkit home page - PyGTK/python/sqlalchemy
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

Another alternative is to put this in the "Is Definitely not Spam" ruleset

http://www.mailscanner.info/MailScanner.conf.index.html#Is%20Definitely%20Not%20Spam

That way it still gets virus/phishing/etc checked, and these are much
much less heavy than Spam Scanning.

If you divert via Postfix you're creating quite a hole in the setup and
therefore increasing the likelihood of nasty stuff getting in and
thereby increasing the risk of email that you've mitigated by putting
MailScanner in.

--
Martin Hepworth
Oxford, UK

From maillists at conactive.com Thu Feb 12 11:31:39 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Thu Feb 12 11:31:52 2009
Subject: selecting message that should go into MailScanner
In-Reply-To: <20090212102223.GA23255@ubuntu>
References: <20090212102223.GA23255@ubuntu>
Message-ID:

I think you should direct your question to a postfix list if you want to
do this in postfix. If you want to exempt mail in MS from scanning you want
to use
Scan Messages = %rules-dir%/scan.messages.rules

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From glenn.steen at gmail.com Thu Feb 12 12:26:41 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Feb 12 12:26:50 2009
Subject: selecting message that should go into MailScanner
In-Reply-To:
References: <20090212102223.GA23255@ubuntu>
Message-ID: <223f97700902120426u3654184fua9ed379607dccbfd@mail.gmail.com>

2009/2/12 Kai Schaetzl :
> I think you should direct your question to a postfix list if you want to
> do this in postfix. If you want to exempt mail in MS from scanning you want
> to use
> Scan Messages = %rules-dir%/scan.messages.rules
>
> Kai

Actually.... Since Hugo van der Koij has made a very successful
"selective postfix" setup, and posted it here... this list isn't a bad
choice:-). At least not when it comes to finding that solution.
Basically one would replace the header checks with a rather specific
access map instead... Let's see if I can find the reference...
Here you go http://hugo.vanderkooij.org/email/mailscanner.htm#HOLD

(and yes, this was addressed both to Alessandro and you Kai:-):-)
Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From jonas at vrt.dk Thu Feb 12 12:44:41 2009
From: jonas at vrt.dk (Jonas Akrouh Larsen)
Date: Thu Feb 12 12:44:50 2009
Subject: Problem with mailscanner after upgrading to newest (filename checks)
In-Reply-To: <1F227757637C471F80A58BB5B7343E45@SAHOMELT>
References: <005001c98c5e$58ba2b20$0a2e8160$@dk> <1F227757637C471F80A58BB5B7343E45@SAHOMELT>
Message-ID: <002a01c98d0f$ac6a8e20$053faa60$@dk>

Hmm if it gets sanitized in the logfiles (Why would you need sanitizing in a
log file? Crashing nano, vi or whatever seems a bit unlikely) is there then
no straightforward way to see if Mailscanner is mistaken in its
classification of the attachment?

Med venlig hilsen / Best regards

Jonas Akrouh Larsen

TechBiz ApS
Laplandsgade 4, 2. sal
2300 København S

Office: 7020 0979
Direct: 3336 9974
Mobile: 5120 1096
Fax: 7020 0978
Web: www.techbiz.dk

From jonas at vrt.dk Thu Feb 12 12:45:48 2009
From: jonas at vrt.dk (Jonas Akrouh Larsen)
Date: Thu Feb 12 12:45:58 2009
Subject: MailScanner fix for Exchange TNEF vuln?
In-Reply-To: <4A09477D575C2C4B86497161427DD94C0C845BAB6E@CITY-EXCHANGE07.cbj.local>
References: <7EF0EE5CB3B263488C8C18823239BEBA05F0B17C@HC-MBX02.herefordshire.gov.uk> <7EF0EE5CB3B263488C8C18823239BEBA05F0B198@HC-MBX02.herefordshire.gov.uk> <4992AD15.6030908@alunys.com> <4A09477D575C2C4B86497161427DD94C0C845BAB6E@CITY-EXCHANGE07.cbj.local>
Message-ID: <002f01c98d0f$d4983320$7dc89960$@dk>

>I'm not sure that's entirely accurate. I have replace TNEF enabled, but have received meeting requests from 3rd parties outside our system. I've never had any complaints...

Same here. We have replaced TNEF for over a year, and have never had issues
with outlook meeting requests or calendar bookings.

And all our clients use outlook/exchange.

Med venlig hilsen / Best regards

Jonas Akrouh Larsen

TechBiz ApS
Laplandsgade 4, 2. sal
2300 København S

Office: 7020 0979
Direct: 3336 9974
Mobile: 5120 1096
Fax: 7020 0978
Web: www.techbiz.dk

From maillists at conactive.com Thu Feb 12 13:31:33 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Thu Feb 12 13:31:47 2009
Subject: selecting message that should go into MailScanner
In-Reply-To: <223f97700902120426u3654184fua9ed379607dccbfd@mail.gmail.com>
References: <20090212102223.GA23255@ubuntu> <223f97700902120426u3654184fua9ed379607dccbfd@mail.gmail.com>
Message-ID:

You did notice that he already fiddled with that and it didn't work for
him? Why fiddle at all with this if you can skip scanning in MS very
easily and still retain all the benefits (like seeing it in Mailwatch)? I
don't see doing it in Postfix as a good way.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From sandro at e-den.it Thu Feb 12 13:46:04 2009
From: sandro at e-den.it (Alessandro Dentella)
Date: Thu Feb 12 13:46:12 2009
Subject: selecting message that should go into MailScanner
In-Reply-To: <223f97700902120426u3654184fua9ed379607dccbfd@mail.gmail.com>
References: <20090212102223.GA23255@ubuntu> <223f97700902120426u3654184fua9ed379607dccbfd@mail.gmail.com>
Message-ID: <20090212134604.GA26300@ubuntu>

On Thu, Feb 12, 2009 at 01:26:41PM +0100, Glenn Steen wrote:
> 2009/2/12 Kai Schaetzl :
> > I think you should direct your question to a postfix list if you want to
> > do this in postfix. If you want to exempt mail in MS from scanning you want
> > to use
> > Scan Messages = %rules-dir%/scan.messages.rules
> >
> > Kai
> Actually.... Since Hugo van der Koij has made a very successful
> "selective postfix" setup, and posted it here... this list isn't a bad
> choice:-). At least not when it comes to finding that solution.
> Basically one would replace the header checks with a rather specific
> access map instead... Let's see if I can find the reference...
> Here you go http://hugo.vanderkooij.org/email/mailscanner.htm#HOLD
>
> (and yes, this was addressed both to Alessandro and you Kai:-):-)
> Cheers

ehm... sure, that's the link I reported in my original mail that I tried to
implement. I tried to follow it but I can't really get it working. I don't
think that's the fault of the recipe but I must be doing something silly so that
no messages get into the rule even if I use:

  /.*/ HOLD
  /^$/ HOLD

I admit this is almost a postfix question but I thought this is interesting
for this list and probably there is real knowledge on this subject here.

Personally I don't like the idea of letting it into MailScanner. There's no
point in scanning 50.000 emails in a newsletter, not even just for
phishing/virus: they're all the same!!!

Thanks anyhow for the hints on the ruleset, I'll use that in the meanwhile.


sandro
*:-)

--
Sandro Dentella *:-)
http://sqlkit.argolinux.org SQLkit home page - PyGTK/python/sqlalchemy

From glenn.steen at gmail.com Thu Feb 12 13:53:57 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Feb 12 13:54:06 2009
Subject: selecting message that should go into MailScanner
In-Reply-To:
References: <20090212102223.GA23255@ubuntu> <223f97700902120426u3654184fua9ed379607dccbfd@mail.gmail.com>
Message-ID: <223f97700902120553n27f34019rec7867529f33d2c3@mail.gmail.com>

2009/2/12 Kai Schaetzl :
> You did notice that he already fiddled with that and it didn't work for
> him? Why fiddle at all with this if you can skip scanning in MS very

No, I missed that...:). Am in a state of shock, since my employer
decided to lay off 1/3 of all employees... not me though.
Just doing the mailing list thing to have something to focus on other
than the situation at hand. Sigh.

> easily and still retain all the benefits (like seeing it in Mailwatch)? I
> don't see doing it in Postfix as a good way.

No argument. But letting PF do the thing would be quite workable
too... The normal "just one way more":-)

>
> Kai
>

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Thu Feb 12 13:59:32 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Feb 12 13:59:41 2009
Subject: selecting message that should go into MailScanner
In-Reply-To: <20090212134604.GA26300@ubuntu>
References: <20090212102223.GA23255@ubuntu> <223f97700902120426u3654184fua9ed379607dccbfd@mail.gmail.com> <20090212134604.GA26300@ubuntu>
Message-ID: <223f97700902120559j1c1778fqc790207d5b0aefec@mail.gmail.com>

2009/2/12 Alessandro Dentella :
> On Thu, Feb 12, 2009 at 01:26:41PM +0100, Glenn Steen wrote:
>> 2009/2/12 Kai Schaetzl :
>> > I think you should direct your question to a postfix list if you want to
>> > do this in postfix. If you want to exempt mail in MS from scanning you want
>> > to use
>> > Scan Messages = %rules-dir%/scan.messages.rules
>> >
>> > Kai
>> Actually.... Since Hugo van der Koij has made a very successful
>> "selective postfix" setup, and posted it here... this list isn't a bad
>> choice:-). At least not when it comes to finding that solution.
>> Basically one would replace the header checks with a rather specific
>> access map instead... Let's see if I can find the reference...
>> Here you go http://hugo.vanderkooij.org/email/mailscanner.htm#HOLD
>>
>> (and yes, this was addressed both to Alessandro and you Kai:-):-)
>> Cheers
>
> ehm... sure, that's the link I reported in my original mail that I tried to

See my reply to Kai... I'm probably not fit to do much of anything today...

> implement. I tried to follow it but I can't really get it working. I don't
> think that's the fault of the recipe but I must be doing something silly so that
> no messages get into the rule even if I use:
>
>  /.*/ HOLD
>  /^$/ HOLD

Where did you implement the map? "postconf -n"?

>
> I admit this is almost a postfix question but I thought this is interesting
> for this list and probably there is real knowledge on this subject here.
>
> Personally I don't like the idea of letting it into MailScanner. There's no
> point in scanning 50.000 emails in a newsletter, not even just for
> phishing/virus: they're all the same!!!
>

Make the ruleset on "Scan Messages", perhaps? As suggested by Kai...
This would bypass all scanning.

> Thanks anyhow for the hints on the ruleset, I'll use that in the meanwhile.
>
>
> sandro
> *:-)
>

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From MailScanner at ecs.soton.ac.uk Thu Feb 12 14:05:00 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Feb 12 14:05:22 2009
Subject: Problem with mailscanner after upgrading to newest (filename checks)
In-Reply-To: <002a01c98d0f$ac6a8e20$053faa60$@dk>
References: <005001c98c5e$58ba2b20$0a2e8160$@dk> <1F227757637C471F80A58BB5B7343E45@SAHOMELT> <002a01c98d0f$ac6a8e20$053faa60$@dk> <49942C8C.1090902@ecs.soton.ac.uk>
Message-ID:

On 12/2/09 12:44, Jonas Akrouh Larsen wrote:
>
> Hmm if it gets sanitized in the logfiles (Why would you need
> sanitizing in a log file? Crashing nano, vi or whatever seems a bit
> unlikely)
>

Yes, but causing a buffer overrun in your syslogd is a very real
possibility! Remember that lots of people use centralised logging with
things like database servers storing log files and things like that.
Many people's systems are a lot more complex than yours.

>
> is there then no straightforward way to see if Mailscanner is
> mistaken in its classification of the attachment?
>

If that's what the log says, then it's right. If you quarantine messages
that break your policy, then you can have a look at the original message
and see for yourself.

>
> Med venlig hilsen / Best regards
>
> Jonas Akrouh Larsen
>
> TechBiz ApS
>
> Laplandsgade 4, 2. sal
>
> 2300 København S
>
> Office: 7020 0979
>
> Direct: 3336 9974
>
> Mobile: 5120 1096
>
> Fax: 7020 0978
>
> Web: www.techbiz.dk
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From maxsec at gmail.com Thu Feb 12 15:02:54 2009
From: maxsec at gmail.com (Martin Hepworth)
Date: Thu Feb 12 15:05:09 2009
Subject: selecting message that should go into MailScanner
In-Reply-To: <20090212134604.GA26300@ubuntu>
References: <20090212102223.GA23255@ubuntu> <223f97700902120426u3654184fua9ed379607dccbfd@mail.gmail.com> <20090212134604.GA26300@ubuntu>
Message-ID: <72cf361e0902120702p332f7273v8a6225c328f7cf42@mail.gmail.com>

2009/2/12 Alessandro Dentella :
> On Thu, Feb 12, 2009 at 01:26:41PM +0100, Glenn Steen wrote:
>> 2009/2/12 Kai Schaetzl :
>> > I think you should direct your question to a postfix list if you want to
>> > do this in postfix. If you want to exempt mail in MS from scanning you want
>> > to use
>> > Scan Messages = %rules-dir%/scan.messages.rules
>> >
>> > Kai
>> Actually.... Since Hugo van der Koij has made a very successful
>> "selective postfix" setup, and posted it here... this list isn't a bad
>> choice:-). At least not when it comes to finding that solution.
>> Basically one would replace the header checks with a rather specific
>> access map instead... Let's see if I can find the reference...
>> Here you go http://hugo.vanderkooij.org/email/mailscanner.htm#HOLD
>>
>> (and yes, this was addressed both to Alessandro and you Kai:-):-)
>> Cheers
>
> ehm... sure, that's the link I reported in my original mail that I tried to
> implement. I tried to follow it but I can't really get it working. I don't
> think that's the fault of the recipe but I must be doing something silly so that
> no messages get into the rule even if I use:
>
> /.*/ HOLD
> /^$/ HOLD
>
> I admit this is almost a postfix question but I thought this is interesting
> for this list and probably there is real knowledge on this subject here.
>
> Personally I don't like the idea of letting it into MailScanner. There's no
> point in scanning 50.000 emails in a newsletter, not even just for
> phishing/virus: they're all the same!!!
>

depends on the risk you define if the 50,000 emails all have the same
malware/phishing/... issue!

--
Martin Hepworth
Oxford, UK

From maxsec at gmail.com Thu Feb 12 15:08:11 2009
From: maxsec at gmail.com (Martin Hepworth)
Date: Thu Feb 12 15:08:20 2009
Subject: selecting message that should go into MailScanner
In-Reply-To: <72cf361e0902120702p332f7273v8a6225c328f7cf42@mail.gmail.com>
References: <20090212102223.GA23255@ubuntu> <223f97700902120426u3654184fua9ed379607dccbfd@mail.gmail.com> <20090212134604.GA26300@ubuntu> <72cf361e0902120702p332f7273v8a6225c328f7cf42@mail.gmail.com>
Message-ID: <72cf361e0902120708w1c9d3995ta172d9bb984b68d4@mail.gmail.com>

2009/2/12 Martin Hepworth :
> 2009/2/12 Alessandro Dentella :
>> On Thu, Feb 12, 2009 at 01:26:41PM +0100, Glenn Steen wrote:
>>> 2009/2/12 Kai Schaetzl :
>>> > I think you should direct your question to a postfix list if you want to
>>> > do this in postfix. If you want to exempt mail in MS from scanning you want
>>> > to use
>>> > Scan Messages = %rules-dir%/scan.messages.rules
>>> >
>>> > Kai
>>> Actually.... Since Hugo van der Koij has made a very successful
>>> "selective postfix" setup, and posted it here... this list isn't a bad
>>> choice:-). At least not when it comes to finding that solution.
>>> Basically one would replace the header checks with a rather specific
>>> access map instead... Let's see if I can find the reference...
>>> Here you go http://hugo.vanderkooij.org/email/mailscanner.htm#HOLD
>>>
>>> (and yes, this was addressed both to Alessandro and you Kai:-):-)
>>> Cheers
>>
>> ehm... sure, that's the link I reported in my original mail that I tried to
>> implement. I tried to follow it but I can't really get it working. I don't
>> think that's the fault of the recipe but I must be doing something silly so that
>> no messages get into the rule even if I use:
>>
>> /.*/ HOLD
>> /^$/ HOLD
>>
>> I admit this is almost a postfix question but I thought this is interesting
>> for this list and probably there is real knowledge on this subject here.
>>
>> Personally I don't like the idea of letting it into MailScanner. There's no
>> point in scanning 50.000 emails in a newsletter, not even just for
>> phishing/virus: they're all the same!!!
>>
>
> depends on the risk you define if the 50,000 emails all have the same
> malware/phishing/... issue!
>

Actually - let me put that.. suppose scammer/spammer uses the 'from'
as that of the newsletter....all of a sudden you're letting
everything bad through, with no checks whatsoever.

Now I've mentioned it I'm surprised that malware people don't use it
in order to circumvent mail filters in that way that
from:me@domain.com to: me@domain spam tries to do.

ie if many people are whitelisting a 'from: *@newsletter.domain.com'
there's an easy vector around mail scanners. This is the reason why I
suggested you just skip the MailScanner spam tests and not all others.

--
Martin Hepworth
Oxford, UK

From maillists at conactive.com Thu Feb 12 16:31:24 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Thu Feb 12 16:31:41 2009
Subject: selecting message that should go into MailScanner
In-Reply-To: <72cf361e0902120708w1c9d3995ta172d9bb984b68d4@mail.gmail.com>
References: <20090212102223.GA23255@ubuntu> <223f97700902120426u3654184fua9ed379607dccbfd@mail.gmail.com> <20090212134604.GA26300@ubuntu> <72cf361e0902120702p332f7273v8a6225c328f7cf42@mail.gmail.com> <72cf361e0902120708w1c9d3995ta172d9bb984b68d4@mail.gmail.com>
Message-ID:

Martin Hepworth wrote on Thu, 12 Feb 2009 15:08:11 +0000:

> Now I've mentioned it I'm surprised that malware people don't use it
> in order to circumvent mail filters in that way that
> from:me@domain.com to: me@domain spam tries to do.

You want to whitelist based on host to avoid this ;-)

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maxsec at gmail.com Thu Feb 12 16:44:39 2009
From: maxsec at gmail.com (Martin Hepworth)
Date: Thu Feb 12 16:47:05 2009
Subject: selecting message that should go into MailScanner
In-Reply-To:
References: <20090212102223.GA23255@ubuntu> <223f97700902120426u3654184fua9ed379607dccbfd@mail.gmail.com> <20090212134604.GA26300@ubuntu> <72cf361e0902120702p332f7273v8a6225c328f7cf42@mail.gmail.com> <72cf361e0902120708w1c9d3995ta172d9bb984b68d4@mail.gmail.com>
Message-ID: <72cf361e0902120844v89ec1f5wb7e255b01ba45214@mail.gmail.com>

2009/2/12 Kai Schaetzl :
> Martin Hepworth wrote on Thu, 12 Feb 2009 15:08:11 +0000:
>
>> Now I've mentioned it I'm surprised that malware people don't use it
>> in order to circumvent mail filters in that way that
>> from:me@domain.com to: me@domain spam tries to do.
>
> You want to whitelist based on host to avoid this ;-)
>
> Kai
>
> --
> Kai Schätzl, Berlin, Germany
> Get your web at Conactive Internet Services: http://www.conactive.com
>
>
>

Yeah I know - just pointing out that using the postfix method to
'whitelist' the newsletter could open you up to risks otherwise
covered if you use the MailScanner spam-only whitelist.

--
Martin Hepworth
Oxford, UK

From ecasarero at gmail.com Thu Feb 12 18:13:29 2009
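Added example (not from the thread and not MailScanner code): a simplified Python model of a ruleset in the format John posted, comparing an exemption keyed on the sender address (Martin's concern) with one keyed on the sending host (Kai's suggestion). It assumes the first matching rule wins and that a numeric pattern is compared with the connecting IP address; the addresses and IPs are constructed.

```python
import re

def parse_ruleset(text):
    """Parse 'Direction: pattern value  #comment' lines as shown in the thread."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            direction, pattern, value = line.split()[:3]
            rules.append((direction.rstrip(":").lower(), pattern.lower(), value))
    return rules

def matches(pattern, sender, client_ip):
    if pattern == "default":
        return True
    if re.fullmatch(r"[0-9.]+", pattern):
        # Numeric pattern: compared with the connecting host, which the
        # sender cannot pick freely. A trailing dot means "network prefix".
        return client_ip == pattern or (
            pattern.endswith(".") and client_ip.startswith(pattern))
    # Anything else: compared with the sender address, which is whatever
    # the sending side claims it is.
    sender = sender.lower()
    if "@" in pattern and not pattern.startswith("*@"):
        return sender == pattern                       # user@domain
    return sender.rsplit("@", 1)[-1] == pattern.split("@")[-1]

def decide(rules, sender, client_ip):
    """Model assumption: the first matching From:/FromOrTo: rule wins."""
    for direction, pattern, value in rules:
        if direction in ("from", "fromorto") and matches(pattern, sender, client_ip):
            return value
    return "yes"

# "no" means the check is skipped for that message.
BY_SENDER = parse_ruleset("""
From:     newsletter.domain.com   no   # exempt by sender address
FromOrTo: default                 yes
""")
BY_HOST = parse_ruleset("""
From:     192.0.2.10              no   # exempt by sending host (constructed IP)
FromOrTo: default                 yes
""")

# Constructed envelopes: same claimed sender, different connecting hosts.
GENUINE = ("news@newsletter.domain.com", "192.0.2.10")
FORGED = ("news@newsletter.domain.com", "203.0.113.66")

def report():
    """Map ruleset name -> (decision for genuine mail, decision for forged mail)."""
    return {name: (decide(rules, *GENUINE), decide(rules, *FORGED))
            for name, rules in (("by_sender", BY_SENDER), ("by_host", BY_HOST))}

if __name__ == "__main__":
    for name, result in report().items():
        print(name, result)
```

With the sender-keyed rule both messages skip the check; with the host-keyed rule only mail arriving from the newsletter's own host does. What is lost in the first case depends on which setting the ruleset is attached to: spam checks only, or all scanning.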
From: ecasarero at gmail.com (Eduardo Casarero)
Date: Thu Feb 12 18:13:39 2009
Subject: OT: how to check everything is working
Message-ID: <7d9b3cf20902121013l2299a90ckfc749800257c1acd@mail.gmail.com>

Hi, I've just had a strange scenario: on one of my CentOS servers the I/O
controller just stopped working, and all FS went to Read Only. I actually
check this:

sendmail online
mailscanner online
load
disk usage
clamav pattern
ram/swap used
incoming messages waiting

this is reported to a mysql and shown in a webpage.

the problem is that this was working, but the server started rejecting all
emails with a 421 error "Can't write to the disk" so all traffic went to the
second MTA. so nobody realised that the server was down...

I started a google search and I found this "mailping"
http://mailping.sourceforge.net/ but it seems to be a dead project.

so is anyone using something like this? or has any idea?

Regards

Eduardo

From Kevin_Miller at ci.juneau.ak.us Thu Feb 12 18:48:52 2009
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Thu Feb 12 18:49:04 2009
Subject: how to check everything is working
In-Reply-To: <7d9b3cf20902121013l2299a90ckfc749800257c1acd@mail.gmail.com>
References: <7d9b3cf20902121013l2299a90ckfc749800257c1acd@mail.gmail.com>
Message-ID: <4A09477D575C2C4B86497161427DD94C0C845BAB75@CITY-EXCHANGE07.cbj.local>

We're using openNMS to monitor our servers and switches. Works great, but you have to invest the time to set it up. Probably not much work for just a couple hosts. Lots of work for dozens of servers, switches, routers etc. But worth it...

...Kevin
--
Kevin Miller Registered Linux User No: 307357
CBJ MIS Dept. Network Systems Admin., Mail Admin.
155 South Seward Street ph: (907) 586-0242
Juneau, Alaska 99801 fax: (907 586-4500

________________________________
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Eduardo Casarero
Sent: Thursday, February 12, 2009 9:13 AM
To: MailScanner discussion
Subject: OT: how to check everything is working

Hi, I've just had a strange scenario: on one of my CentOS servers the I/O controller just stopped working, and all FS went to Read Only. I actually check this:

sendmail online
mailscanner online
load
disk usage
clamav pattern
ram/swap used
incoming messages waiting

this is reported to a mysql and shown in a webpage.

the problem is that this was working, but the server started rejecting all emails with a 421 error "Can't write to the disk" so all traffic went to the second MTA. so nobody realised that the server was down...

I started a google search and I found this "mailping" http://mailping.sourceforge.net/ but it seems to be a dead project.

so is anyone using something like this? or has any idea?

Regards

Eduardo

From glenn.steen at gmail.com Thu Feb 12 19:06:24 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Feb 12 19:06:32 2009
Subject: OT: how to check everything is working
In-Reply-To: <7d9b3cf20902121013l2299a90ckfc749800257c1acd@mail.gmail.com>
References: <7d9b3cf20902121013l2299a90ckfc749800257c1acd@mail.gmail.com>
Message-ID: <223f97700902121106n24cfc9ai636cbd65cb813b15@mail.gmail.com>

2009/2/12 Eduardo Casarero :
> Hi, I've just had a strange scenario: on one of my CentOS servers the I/O
> controller just stopped working, and all FS went to Read Only. I actually
> check this:
>
> sendmail online
> mailscanner online
> load
> disk usage
> clamav pattern
> ram/swap used
> incoming messages waiting
>
> this is reported to a mysql and shown in a webpage.
>
> the problem is that this was working, but the server started rejecting all
> emails with a 421 error "Can't write to the disk" so all traffic went to the
> second MTA. so nobody realised that the server was down...
>
> I started a google search and I found this "mailping"
> http://mailping.sourceforge.net/ but it seems to be a dead project.
>
> so is anyone using something like this? or has any idea?
>
> Regards
>
> Eduardo
>

Not really, no, but .... it should be very trivial to whip up an expect
script to test your MTA is responsive, or just a simple telnet test
where you parse the results "in hindsight". Should be fairly simple to
integrate into your status page:)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From ssilva at sgvwater.com Thu Feb 12 19:20:33 2009
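Added example (not from the thread): one way to write the responsiveness test Glenn describes, in Python with the standard smtplib instead of expect or telnet. It walks the SMTP dialogue up to RCPT TO and reports the first reply that is not 2xx, which is what catches Eduardo's case of a running daemon answering 421. The probe addresses and the loopback stand-in server are constructed so the block runs offline.

```python
import smtplib
import socket
import threading

def probe(host, port=25, sender="probe@example.invalid", rcpt="postmaster",
          timeout=10):
    """Walk the SMTP dialogue up to RCPT TO; return (ok, stage, code, text)."""
    smtp = smtplib.SMTP(local_hostname="probe.example.invalid", timeout=timeout)
    steps = [
        ("banner", lambda: smtp.connect(host, port)),
        ("helo", smtp.helo),
        ("mail", lambda: smtp.mail(sender)),
        ("rcpt", lambda: smtp.rcpt(rcpt)),
    ]
    stage = "banner"
    try:
        for stage, step in steps:
            code, text = step()
            if not 200 <= code < 300:
                # A 4xx such as 421 means "process is up but refusing mail":
                # exactly the state a process or port check reports as healthy.
                return (False, stage, code, text.decode("ascii", "replace"))
        return (True, stage, code, text.decode("ascii", "replace"))
    except (OSError, smtplib.SMTPException) as exc:
        return (False, stage, None, str(exc))
    finally:
        smtp.close()          # no DATA is ever sent, so nothing is queued

def fake_mta(replies):
    """Constructed stand-in MTA on loopback: banner first, then one reply per
    command received. Returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            reader = conn.makefile("rb")
            conn.sendall(replies[0].encode("ascii") + b"\r\n")
            for reply in replies[1:]:
                if not reader.readline():
                    break
                conn.sendall(reply.encode("ascii") + b"\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    healthy = fake_mta(["220 mx ESMTP", "250 mx", "250 Ok", "250 Ok"])
    broken = fake_mta(["421 Can't write to the disk"])   # reply text from the thread
    print(probe("127.0.0.1", healthy))
    print(probe("127.0.0.1", broken))
```

Run from a different machine than the MTA and feed `ok` into the status page or alerting; a failure that only appears after DATA would need a full test message to a dedicated mailbox, which this sketch does not send.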
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Feb 12 19:25:12 2009
Subject: Problem with mailscanner after upgrading to newest (filename checks)
In-Reply-To: <002a01c98d0f$ac6a8e20$053faa60$@dk>
References: <005001c98c5e$58ba2b20$0a2e8160$@dk> <1F227757637C471F80A58BB5B7343E45@SAHOMELT> <002a01c98d0f$ac6a8e20$053faa60$@dk>
Message-ID:

on 2-12-2009 4:44 AM Jonas Akrouh Larsen spake the following:
> Hmm if it gets sanitized in the logfiles (Why would you need sanitizing
> in a log file? Crashing nano, vi or whatever seems a bit unlikely) is
> there then no straight forward way to see if Mailscanner is mistaken in
> its classification of the attachment?
>

Because you could get a buffer overflow into syslogd, which has a lot of
privilege to access the system.

If you want to see if mailscanner is mistaken (how could it make a mistake
about how long or how many spaces are in a filename?), look at the original
message source and see what the filename is.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com Thu Feb 12 19:27:20 2009
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Feb 12 19:30:10 2009
Subject: selecting message that should go into MailScanner
In-Reply-To: <223f97700902120553n27f34019rec7867529f33d2c3@mail.gmail.com>
References: <20090212102223.GA23255@ubuntu> <223f97700902120426u3654184fua9ed379607dccbfd@mail.gmail.com> <223f97700902120553n27f34019rec7867529f33d2c3@mail.gmail.com>
Message-ID:

on 2-12-2009 5:53 AM Glenn Steen spake the following:
> 2009/2/12 Kai Schaetzl :
>> You did notice that he already fiddled with that and it didn't work for
>> him? Why fiddle at all with this if you can skip scanning in MS very
> No, I missed that...:). Am in a state of shock, since my employer
> decided to lay off 1/3 of all employees... not me though.

Sometimes being "left behind" is just as bad. Now your remaining work force
has to do the work of those 1/3, but not get any more money!

> Just doing the mailing list thing to have something to focus on other
> than the situation at hand. Sigh.
>
>> easily and still retain all the benefits (like seeing it in Mailwatch)? I
>> don't see doing it in Postfix as a good way.
> No argument. But letting PF do the thing would be quite workable
> too... The normal "just one way more":-)
>
>> Kai
>>
>
> Cheers

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From maxsec at gmail.com Thu Feb 12 21:39:23 2009
From: maxsec at gmail.com (Martin Hepworth)
Date: Thu Feb 12 21:39:32 2009
Subject: selecting message that should go into MailScanner
In-Reply-To: <223f97700902120553n27f34019rec7867529f33d2c3@mail.gmail.com>
References: <20090212102223.GA23255@ubuntu> <223f97700902120426u3654184fua9ed379607dccbfd@mail.gmail.com> <223f97700902120553n27f34019rec7867529f33d2c3@mail.gmail.com>
Message-ID: <72cf361e0902121339u7edac654hf9d97db9e8602ab7@mail.gmail.com>

2009/2/12 Glenn Steen :
> 2009/2/12 Kai Schaetzl :
>> You did notice that he already fiddled with that and it didn't work for
>> him? Why fiddle at all with this if you can skip scanning in MS very
> No, I missed that...:). Am in a state of shock, since my employer
> decided to lay off 1/3 of all employees... not me though.
> Just doing the mailing list thing to have something to focus on other
> than the situation at hand. Sigh.
>

Glen

I was the first of many at my place back in November. Kinda worked out
'cos I'm already in a new job, but I don't envy the guys who got laid
off a couple of weeks ago. The job market is a lot tougher now - fewer
jobs, more people wanting them and therefore less salary.

--
Martin Hepworth
Oxford, UK

From mrm at quantumcc.com Thu Feb 12 22:56:45 2009
From: mrm at quantumcc.com (Mike Masse)
Date: Thu Feb 12 22:57:07 2009
Subject: Fragmentation
Message-ID:

One of my users received an Outlook Express fragmented email message, and kudos to MailScanner because it didn't know how to handle the second portion of the email and it quarantined it. This could very well be related to:

http://www.esecurityplanet.com/trends/article.php/1463161/Security-Firm-Outlook-Express-Can-Be-Used-To-Bypass-Email-Filters.htm

I searched the archive for fragmentation and did not get any results, so:

Can MailScanner be set to properly detect and log and quarantine these fragmented emails, vs what my system is doing right now, which is only quarantining because it doesn't know what to do with the attachment?

The fact that the email doesn't come through is fantastic, but without the logging bit, it's difficult to track down why for explanation purposes to clients.

From greg at blastzone.com Thu Feb 12 23:27:10 2009
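Added example, not part of the post above and not MailScanner code: a stand-alone Python check that recognises a fragment and produces the kind of log line the post asks for. It assumes the fragments are MIME `message/partial` parts (RFC 2046, section 5.2.2), which carry `id`, `number` and `total` parameters; the sample messages, the queue id and the log format are constructed for illustration.

```python
"""Detect MIME message/partial fragments and say why they were held."""
import email
from email.utils import collapse_rfc2231_value


def _param(part, name):
    """Return a Content-Type parameter as text, or None when it is absent."""
    value = part.get_param(name)
    if value is None:
        return None
    return collapse_rfc2231_value(value).strip()


def _to_int(text):
    """Convert a parameter to int; None when missing or not numeric."""
    try:
        return int(text)
    except (TypeError, ValueError):
        return None


def find_partial(raw):
    """Return fragment metadata if any MIME part is message/partial, else None."""
    msg = email.message_from_bytes(raw)
    for part in msg.walk():
        if part.get_content_type() != "message/partial":
            continue
        info = {
            "id": _param(part, "id"),
            "number": _to_int(_param(part, "number")),
            "total": _to_int(_param(part, "total")),
            "from": str(msg.get("From", "-")),
            "message_id": str(msg.get("Message-ID", "-")),
            "problems": [],
        }
        # RFC 2046 requires id and number on every fragment; total is only
        # mandatory on the last one, so a missing total is not an error here.
        if not info["id"]:
            info["problems"].append("missing id")
        if info["number"] is None or info["number"] < 1:
            info["problems"].append("number is not a positive integer")
        elif info["total"] is not None and info["number"] > info["total"]:
            info["problems"].append("number exceeds total")
        return info
    return None


def log_line(queue_id, info):
    """Format one log record (constructed format) explaining the quarantine."""
    number = info["number"] if info["number"] is not None else "?"
    total = info["total"] if info["total"] is not None else "?"
    line = (
        f"{queue_id}: message/partial fragment {number}/{total} "
        f"id={info['id'] or '-'} from={info['from']} msgid={info['message_id']} "
        "action=quarantine reason=fragment-cannot-be-scanned-alone"
    )
    if info["problems"]:
        line += " problems=" + ",".join(p.replace(" ", "-") for p in info["problems"])
    return line


def _build(*lines):
    return "\n".join(lines).encode("ascii")


# Constructed sample messages (not taken from the thread).
FRAGMENT_2_OF_3 = _build(
    "From: sender@example.com",
    "To: user@example.org",
    "Subject: quarterly report [2/3]",
    "Message-ID: <frag2@example.com>",
    "MIME-Version: 1.0",
    'Content-Type: message/partial; total=3; id="0123abcd@example.com"; number=2',
    "",
    "(constructed continuation of an encoded attachment)",
)
MALFORMED_FRAGMENT = _build(
    "From: sender@example.com",
    "Message-ID: <bad@example.com>",
    'Content-Type: message/partial; id="x@example.com"; number=two',
    "",
    "(constructed body)",
)
PLAIN_MESSAGE = _build(
    "From: sender@example.com",
    "Message-ID: <plain@example.com>",
    "Content-Type: text/plain; charset=us-ascii",
    "",
    "Nothing fragmented here.",
)

if __name__ == "__main__":
    for qid, raw in (("QUEUEID1", FRAGMENT_2_OF_3), ("QUEUEID2", MALFORMED_FRAGMENT),
                     ("QUEUEID3", PLAIN_MESSAGE)):
        found = find_partial(raw)
        print(log_line(qid, found) if found else f"{qid}: not fragmented")
```

A single fragment never contains the whole attachment, so the record names the fragment set (`id`) and the position (`number`/`total`) instead of a scan verdict.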
From: greg at blastzone.com (Greg Deputy)
Date: Thu Feb 12 23:27:35 2009
Subject: Mailscanner logging to syslog, only partial to mail.log, driving me nuts
In-Reply-To:
References: <057b01c98797$cd9b7aa0$68d26fe0$@com> <235505.65096.qm@web33305.mail.mud.yahoo.com> <0ab701c988c4$c73cade0$55b609a0$@com> <140001c98b08$0e0b9890$2a22c9b0$@com> <142301c98b0c$dc48b270$94da1750$@com>
Message-ID: <1cb701c98d69$6dbdfd60$4939f820$@com>

>
> Greg Deputy wrote on Mon, 9 Feb 2009 15:19:30 -0800:
>
> > Why is MailScanner sending spamassassin
> > result messages to local3.info instead of mail.info?
>
> This is not what you claimed, AFAIK. You said that you get no MailScanner
> messages to mail.log. Is that *really* the case or is it only the sa
> scores that you are missing? For me that's quite a big difference.

What wasn't showing up was anything about scanning. Spamassassin stuff, sure, but other mailscanner reports as well. I'm logging the local3.* stuff to mail log now so it all goes where I want, but it just confuses me why it's going to local3. MailScanner.conf has syslog facility set to mail.

>
> > Is there a tag for mailscanner that
> > I need to add to syslog.conf to get those where I want them?
>
> You can set the log facility in MS. I don't know if that applies to SA
> scores, I do not log SA scores. You do realize that your syslog.conf
> creates a lot of additional logging for mail, even to the console? Just
> grep mail from the file to see what I mean.
>
> Kai
>

From paul.simpkin at hitec-systems.co.uk Thu Feb 12 23:31:34 2009
From: paul.simpkin at hitec-systems.co.uk (Paul Simpkin) Date: Thu Feb 12 23:31:46 2009 Subject: CentOS - Removed perl-IO due to bug in updating via 'yum' Message-ID: <001b01c98d6a$0b568880$22039980$@simpkin@hitec-systems.co.uk> I was told to update my server for other reason, not knowing that perl-IO was used by mailscanner. There is a few posts on how to fix CentOS by removing the perl-IO, someone from the Datecenter I rent my server from asked me to remove this and now mailscanner will not start. Now when I run 'yum install perl-IO' I get the error bellow! Can anyone help me reinstall perl-IO now I think perl has been updated? Thanks Paul Simpkin ============================================================================ = Package Arch Version Repository Size ============================================================================ = Installing: perl-IO i386 1.2301-1.el5.rf dag 99 k Transaction Summary ============================================================================ = Install 1 Package(s) Update 0 Package(s) Remove 0 Package(s) Total download size: 99 k Is this ok [y/N]: y Downloading Packages: Running rpm_check_debug Running Transaction Test Finished Transaction Test Transaction Check Error: file /usr/share/man/man3/IO.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-15.el5_2.1 file /usr/share/man/man3/IO::Dir.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-15.el5_2.1 file /usr/share/man/man3/IO::File.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-15.el5_2.1 file /usr/share/man/man3/IO::Handle.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-15.el5_2.1 file /usr/share/man/man3/IO::Pipe.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-15.el5_2.1 file /usr/share/man/man3/IO::Poll.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts 
with file from package perl-5.8.8-15.el5_2.1 file /usr/share/man/man3/IO::Seekable.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-15.el5_2.1 file /usr/share/man/man3/IO::Select.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-15.el5_2.1 file /usr/share/man/man3/IO::Socket.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-15.el5_2.1 file /usr/share/man/man3/IO::Socket::INET.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-15.el5_2.1 file /usr/share/man/man3/IO::Socket::UNIX.3pm.gz from install of perl-IO-1.2301-1.el5.rf conflicts with file from package perl-5.8.8-15.el5_2.1 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090212/e0910a82/attachment.html From ssilva at sgvwater.com Fri Feb 13 00:07:23 2009 
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Feb 13 00:07:52 2009
Subject: CentOS - Removed perl-IO due to bug in updating via 'yum'
In-Reply-To: <43962.7417167232$1234481625@news.gmane.org>
References: <43962.7417167232$1234481625@news.gmane.org>
Message-ID:

on 2-12-2009 3:31 PM Paul Simpkin spake the following:
> I was told to update my server for other reason, not knowing that
> perl-IO was used by mailscanner.
>
>
>
> There is a few posts on how to fix CentOS by removing the perl-IO,
> someone from the Datacenter I rent my server from asked me to remove
> this and now mailscanner will not start.
>
>
>
> Now when I run 'yum install perl-IO' I get the error below!
>
>
>
> Can anyone help me reinstall perl-IO now I think perl has been updated?
>
>
you can try this one;
http://yum.vanderkooij.org/rpm2html/el5-i386/perl-IO-1.2301-2.HvdK.noarch.html

Or just enable Hugo's repo and yum install mailscanner.wrapper

http://yum.vanderkooij.org

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From paul.simpkin at hitec-systems.co.uk Fri Feb 13 00:19:33 2009
From: paul.simpkin at hitec-systems.co.uk (Paul Simpkin) Date: Fri Feb 13 00:19:52 2009 Subject: {MCP?} Re: CentOS - Removed perl-IO due to bug in updating via 'yum' In-Reply-To: References: <43962.7417167232$1234481625@news.gmane.org> Message-ID: <004301c98d70$befc2920$3cf47b60$@simpkin@hitec-systems.co.uk> Thanks, I just tried this: ERROR: You must upgrade your perl IO module to at least reinstall the perl IO moudle (perl-IO) from CPAN (http://search.cpan.org) wget http://search.cpan.org/CPAN/authors/id/G/GB/GBARR/IO-1.2301.tar.gz tar xvfz IO-1.2301.tar.gz cd IO-1.2301 perl Makefile.PL make test make install And it worked.... Was that bad? Paul Sorry panic moment! :( -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott Silva Sent: 13 February 2009 00:07 To: mailscanner@lists.mailscanner.info Subject: {MCP?} Re: CentOS - Removed perl-IO due to bug in updating via 'yum' on 2-12-2009 3:31 PM Paul Simpkin spake the following: > I was told to update my server for other reason, not knowing that > perl-IO was used by mailscanner. > > > > There is a few posts on how to fix CentOS by removing the perl-IO, > someone from the Datecenter I rent my server from asked me to remove > this and now mailscanner will not start. > > > > Now when I run ?yum install perl-IO? I get the error bellow! > > > > Can anyone help me reinstall perl-IO now I think perl has been updated? > > you can try this one; http://yum.vanderkooij.org/rpm2html/el5-i386/perl-IO-1.2301-2.HvdK.noarch.html Or just enable Hugo's repo and yum install mailscanner.wrapper http://yum.vanderkooij.org -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Fri Feb 13 00:24:44 2009 
From: ssilva at sgvwater.com (Scott Silva) Date: Fri Feb 13 00:25:08 2009 Subject: {MCP?} Re: CentOS - Removed perl-IO due to bug in updating via 'yum' In-Reply-To: <10355.6121969179$1234484515@news.gmane.org> References: <43962.7417167232$1234481625@news.gmane.org> <10355.6121969179$1234484515@news.gmane.org> Message-ID: on 2-12-2009 4:19 PM Paul Simpkin spake the following: > Thanks, I just tried this: > > ERROR: You must upgrade your perl IO module to at least > reinstall the perl IO moudle (perl-IO) from CPAN (http://search.cpan.org) > > wget http://search.cpan.org/CPAN/authors/id/G/GB/GBARR/IO-1.2301.tar.gz > tar xvfz IO-1.2301.tar.gz > cd IO-1.2301 > perl Makefile.PL > make test > make install > > > And it worked.... > > Was that bad? > > > Paul > > Sorry panic moment! :( > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott Silva > Sent: 13 February 2009 00:07 > To: mailscanner@lists.mailscanner.info > Subject: {MCP?} Re: CentOS - Removed perl-IO due to bug in updating via 'yum' > > on 2-12-2009 3:31 PM Paul Simpkin spake the following: >> I was told to update my server for other reason, not knowing that >> perl-IO was used by mailscanner. >> >> >> >> There is a few posts on how to fix CentOS by removing the perl-IO, >> someone from the Datecenter I rent my server from asked me to remove >> this and now mailscanner will not start. >> >> >> >> Now when I run ?yum install perl-IO? I get the error bellow! >> >> >> >> Can anyone help me reinstall perl-IO now I think perl has been updated? >> >> > you can try this one; > http://yum.vanderkooij.org/rpm2html/el5-i386/perl-IO-1.2301-2.HvdK.noarch.html > > Or just enable Hugo's repo and yum install mailscanner.wrapper > > http://yum.vanderkooij.org > > > -- > MailScanner is like deodorant... > You hope everybody uses it, and > you notice quickly if they don't!!!! > > > With an RPM based system it can be bad. The main way of adding and removing packages in your system now doesn't know about this change. It could break in the future. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 258 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090212/8b2ac664/signature.bin From paul.simpkin at hitec-systems.co.uk Fri Feb 13 00:39:08 2009 
From: paul.simpkin at hitec-systems.co.uk (Paul Simpkin) Date: Fri Feb 13 00:39:27 2009 Subject: {MCP?} Re: CentOS - Removed perl-IO due to bug in updating via 'yum' In-Reply-To: References: <43962.7417167232$1234481625@news.gmane.org> <10355.6121969179$1234484515@news.gmane.org> Message-ID: <005201c98d73$7b6853c0$7238fb40$@simpkin@hitec-systems.co.uk> Hummm, could I undo what I did? Just as I was on a high that I fixed it and all the mail missing from today was processed in the last hour! :) and :( -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott Silva Sent: 13 February 2009 00:25 To: mailscanner@lists.mailscanner.info Subject: Re: {MCP?} Re: CentOS - Removed perl-IO due to bug in updating via 'yum' on 2-12-2009 4:19 PM Paul Simpkin spake the following: > Thanks, I just tried this: > > ERROR: You must upgrade your perl IO module to at least reinstall the > perl IO moudle (perl-IO) from CPAN (http://search.cpan.org) > > wget > http://search.cpan.org/CPAN/authors/id/G/GB/GBARR/IO-1.2301.tar.gz > tar xvfz IO-1.2301.tar.gz > cd IO-1.2301 > perl Makefile.PL > make test > make install > > > And it worked.... > > Was that bad? > > > Paul > > Sorry panic moment! :( > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott > Silva > Sent: 13 February 2009 00:07 > To: mailscanner@lists.mailscanner.info > Subject: {MCP?} Re: CentOS - Removed perl-IO due to bug in updating via 'yum' > > on 2-12-2009 3:31 PM Paul Simpkin spake the following: >> I was told to update my server for other reason, not knowing that >> perl-IO was used by mailscanner. >> >> >> >> There is a few posts on how to fix CentOS by removing the perl-IO, >> someone from the Datecenter I rent my server from asked me to remove >> this and now mailscanner will not start. >> >> >> >> Now when I run ?yum install perl-IO? I get the error bellow! >> >> >> >> Can anyone help me reinstall perl-IO now I think perl has been updated? >> >> > you can try this one; > http://yum.vanderkooij.org/rpm2html/el5-i386/perl-IO-1.2301-2.HvdK.noa > rch.html > > Or just enable Hugo's repo and yum install mailscanner.wrapper > > http://yum.vanderkooij.org > > > -- > MailScanner is like deodorant... > You hope everybody uses it, and > you notice quickly if they don't!!!! > > > With an RPM based system it can be bad. The main way of adding and removing packages in your system now doesn't know about this change. It could break in the future. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Fri Feb 13 00:51:56 2009 
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Feb 13 00:52:14 2009
Subject: {MCP?} Re: CentOS - Removed perl-IO due to bug in updating via 'yum'
In-Reply-To: <29206.0736370788$1234485694@news.gmane.org>
References: <43962.7417167232$1234481625@news.gmane.org> <10355.6121969179$1234484515@news.gmane.org> <29206.0736370788$1234485694@news.gmane.org>
Message-ID:

on 2-12-2009 4:39 PM Paul Simpkin spake the following:
> Hummm, could I undo what I did?
>
> Just as I was on a high that I fixed it and all the mail missing from today was processed in the last hour!
>
> :) and :(
>
It won't break right away, and it might never break. Just keep it in mind if something happens in the future. Or you can use the repo I posted and it might fix the RPM database without breaking anything.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From paul.simpkin at hitec-systems.co.uk Fri Feb 13 00:58:39 2009
From: paul.simpkin at hitec-systems.co.uk (Paul Simpkin)
Date: Fri Feb 13 00:58:56 2009
Subject: {MCP?} Re: CentOS - Removed perl-IO due to bug in updating via 'yum'
In-Reply-To:
References: <43962.7417167232$1234481625@news.gmane.org> <10355.6121969179$1234484515@news.gmane.org> <29206.0736370788$1234485694@news.gmane.org>
Message-ID: <005a01c98d76$355b19f0$a0114dd0$@simpkin@hitec-systems.co.uk>

Ok, thank you so much for this help!!!

Nite nite from the UK! :)

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott Silva Sent: 13 February 2009 00:52 To: mailscanner@lists.mailscanner.info Subject: Re: {MCP?} Re: CentOS - Removed perl-IO due to bug in updating via 'yum' on 2-12-2009 4:39 PM Paul Simpkin spake the following: > Hummm, could I undo what I did? > > Just as I was on a high that I fixed it and all the mail missing from today was processed in the last hour! > > :) and :( > It won't break right away, and it might never break. Just keep it in mind if something happens in the future. Or you can use the repo I posted and it might fix the RPM database without breaking anything. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ajcartmell at fonant.com Fri Feb 13 08:04:13 2009 From: ajcartmell at fonant.com (Anthony Cartmell) Date: Fri Feb 13 08:03:59 2009 Subject: CentOS - Removed perl-IO due to bug in updating via 'yum' In-Reply-To: <001b01c98d6a$0b568880$22039980$@simpkin@hitec-systems.co.uk> References: <001b01c98d6a$0b568880$22039980$@simpkin@hitec-systems.co.uk> Message-ID: > Can anyone help me reinstall perl-IO now I think perl has been updated? On FC10 I used "rpm -e --nodeps perl-IO" for this and other dependency problems, then yum update, then re-install MailScanner just in case it still wants to add to the provided perl modules. Works fine. I just need to remember that if yum wants to update any perl modules I'll need to keep an eye on it and possibly repeat the above. I don't let yum run automatically. The advantage of this method is that I'm always running standard FC10 perl modules, with MailScanner "on top". So much less likely to break other FC10 perl requirements. Cheers! Anthony -- www.fonant.com - Quality web sites From sandro at e-den.it Fri Feb 13 08:12:36 2009 
From: sandro at e-den.it (Alessandro Dentella)
Date: Fri Feb 13 08:12:46 2009
Subject: selecting message that should go into MailScanner
In-Reply-To: <72cf361e0902120844v89ec1f5wb7e255b01ba45214@mail.gmail.com>
References: <20090212102223.GA23255@ubuntu> <223f97700902120426u3654184fua9ed379607dccbfd@mail.gmail.com> <20090212134604.GA26300@ubuntu> <72cf361e0902120702p332f7273v8a6225c328f7cf42@mail.gmail.com> <72cf361e0902120708w1c9d3995ta172d9bb984b68d4@mail.gmail.com> <72cf361e0902120844v89ec1f5wb7e255b01ba45214@mail.gmail.com>
Message-ID: <20090213081236.GA26380@ubuntu>

On Thu, Feb 12, 2009 at 04:44:39PM +0000, Martin Hepworth wrote:
> 2009/2/12 Kai Schaetzl :
> > Martin Hepworth wrote on Thu, 12 Feb 2009 15:08:11 +0000:
> >
> >> Now I've mentioned it I'm surprised that malware people don't use it
> >> in order to circumvent mail filters in that way that
> >> from:me@domain.com to: me@domain spam tries to do.
> >
> > You want to whitelist based on host to avoid this ;-)
> >
> > Kai
> >
> > --
> > Kai Schätzl, Berlin, Germany
> > Get your web at Conactive Internet Services: http://www.conactive.com
> >
> >
> >
>
> Yeah I know - just pointing out that using the postfix method to
> 'whitelist' the newsletter could open you up to risks otherwise
> covered if you use the MailScanner spam-only whitelist.

Thanks again to everybody. This machine is in fact acting as relay of just internal lan (10 pc), so the risk is very low.

I think you gave me enough ideas to implement a good solution.

sandro
*:-)

PS. This is one of the most helpful lists I follow! Thanks to all

--
Sandro Dentella *:-)
http://sqlkit.argolinux.org SQLkit home page - PyGTK/python/sqlalchemy

From sandro at e-den.it Fri Feb 13 08:15:24 2009
From: sandro at e-den.it (Alessandro Dentella) Date: Fri Feb 13 08:15:34 2009 Subject: selecting message that should go into MailScanner In-Reply-To: <223f97700902120559j1c1778fqc790207d5b0aefec@mail.gmail.com> References: <20090212102223.GA23255@ubuntu> <223f97700902120426u3654184fua9ed379607dccbfd@mail.gmail.com> <20090212134604.GA26300@ubuntu> <223f97700902120559j1c1778fqc790207d5b0aefec@mail.gmail.com> Message-ID: <20090213081524.GB26380@ubuntu> > > implement. I tried to follow it but I can't really get it working. I don't > > think that's fault of the recepe but I must be doing something silly so that > > no messages gets into the rule even if I use: > > > > ?/.*/ ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?HOLD > > ?/^$/ ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?HOLD > > Where did you implement the map? "postconf -n"? I followed exactly the recepe of Hugo. Same names. I can go the other way but just to close this thread here is my postconf -n. thanks sandro mail:~# postconf -n alias_database = hash:/etc/aliases alias_maps = hash:/etc/aliases append_dot_mydomain = no biff = no config_directory = /etc/postfix debug_peer_level = 99 mailbox_size_limit = 0 mydestination = argo, localhost, localhost.localdomain, localhost myhostname = thundersystems.it mynetworks = 127.0.0.0/8 192.168.5.0/24 recipient_delimiter = + relay_domains = pgsql:/etc/postfix/pgsql_relay_domain.cf relayhost = smtp_sasl_auth_enable = yes smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd smtp_sasl_security_options = smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_non_fqdn_hostname reject_non_fqdn_sender reject_non_fqdn_recipient reject_unauth_destination reject_unauth_pipelining reject_invalid_hostname reject_rbl_client sbl-xbl.spamhaus.org check_recipient_access regexp:/etc/postfix/MailScanner smtpd_sasl_auth_enable = yes 
smtpd_sasl_local_domain = $myhostname smtpd_sasl_security_options = noanonymous smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache smtpd_use_tls = yes transport_maps = pgsql:/etc/postfix/pgsql_transport_maps.cf virtual_alias_maps = pgsql:/etc/postfix/pgsql_virtual_alias_maps.cf virtual_gid_maps = static:106 virtual_mailbox_base = /home/vmail virtual_mailbox_domains = pgsql:/etc/postfix/pgsql_virtual_mailbox_domains.cf virtual_mailbox_limit = 51200000 virtual_mailbox_maps = pgsql:/etc/postfix/pgsql_virtual_mailbox_maps.cf virtual_minimum_uid = 100 virtual_transport = virtual virtual_uid_maps = static:103 -- Sandro Dentella *:-) http://sqlkit.argolinux.org SQLkit home page - PyGTK/python/sqlalchemy From maillists at conactive.com Fri Feb 13 14:22:46 2009 From: maillists at conactive.com (Kai Schaetzl) Date: Fri Feb 13 14:23:03 2009 Subject: Mailscanner logging to syslog, only partial to mail.log, driving me nuts In-Reply-To: <1cb701c98d69$6dbdfd60$4939f820$@com> References: <057b01c98797$cd9b7aa0$68d26fe0$@com> <235505.65096.qm@web33305.mail.mud.yahoo.com> <0ab701c988c4$c73cade0$55b609a0$@com> <140001c98b08$0e0b9890$2a22c9b0$@com> <142301c98b0c$dc48b270$94da1750$@com> <1cb701c98d69$6dbdfd60$4939f820$@com> Message-ID: Greg Deputy wrote on Thu, 12 Feb 2009 15:27:10 -0800: > but just confuses me why its > going to local3. MailScanner.conf has syslog facility set to mail. Then there is something wrong with your syslog or the library that details the facilities/facility numbers, I guess. Or you are using an old version of MS or some old Perl module that creates this problem. Kai -- Kai Sch?tzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From simonmjones at gmail.com Fri Feb 13 14:26:13 2009 
From: simonmjones at gmail.com (Simon Jones)
Date: Fri Feb 13 14:26:32 2009
Subject: quarantine release
Message-ID: <70572c510902130626x4efadd1aw8cdcbd797ac35df6@mail.gmail.com>

Hello chaps,

got a problem with releasing from mailwatch, released messages are then quarantined again - been trying to sort it for 4 hours now so any suggestions would be welcomed!

here's what I have;

/etc/MailScanner/rules/scan.messages.conf

From: postmaster@domain.com no

I have the message rules configured to allow from 127.0.0.1 and also have the correct release email in /var/www/html/mailscanner/conf.php

whitelist 127.0.0.1 / localhost / postmaster@domain.com

the darn thing won't ignore the postmaster address though, what am I missin'?

cheers!

From cde at alunys.com Fri Feb 13 14:50:07 2009
From: cde at alunys.com (Cedric Devillers)
Date: Fri Feb 13 14:50:50 2009
Subject: MailScanner fix for Exchange TNEF vuln?
In-Reply-To: <002f01c98d0f$d4983320$7dc89960$@dk>
References: <7EF0EE5CB3B263488C8C18823239BEBA05F0B17C@HC-MBX02.herefordshire.gov.uk> <7EF0EE5CB3B263488C8C18823239BEBA05F0B198@HC-MBX02.herefordshire.gov.uk> <4992AD15.6030908@alunys.com> <4A09477D575C2C4B86497161427DD94C0C845BAB6E@CITY-EXCHANGE07.cbj.local> <002f01c98d0f$d4983320$7dc89960$@dk>
Message-ID: <4995889F.8050601@alunys.com>

Well, I can't tell you if it's related to some Outlook/Exchange version or config, but that's easily reproducible here.

Without TNEF (winmail.dat thing), Outlook receives meeting requests as plain mail messages. You don't see the fancy buttons (accept, decline, etc) and users complain of other missing features (can't remember exactly which one).

With TNEF replacement disabled, everything is automagically working again.

TNEF is used by Outlook for special features, that's why it's also a dangerous thing.

Jonas Akrouh Larsen wrote:
>> I'm not sure that's entirely accurate. I have replace TNEF enabled, but
> have received meeting requests from 3rd parties outside our system. I've
> never had any complaints...
>
> Same here. We have replaced TNEF for over a year, and have never had issues
> with outlook meeting requests or calendar bookings.
>
> And all our clients use outlook/exchange.
>
>
>
> Best regards
>
> Jonas Akrouh Larsen
>
> TechBiz ApS
> Laplandsgade 4, 2. sal
> 2300 København S
>
> Office: 7020 0979
> Direct: 3336 9974
> Mobile: 5120 1096
> Fax: 7020 0978
> Web: www.techbiz.dk
>
>
>
>

--
Visit our new website: www.amstergroup.com

From steve.freegard at fsl.com Fri Feb 13 17:55:58 2009
From: steve.freegard at fsl.com (Steve Freegard) Date: Fri Feb 13 17:56:24 2009 Subject: quarantine release In-Reply-To: <70572c510902130626x4efadd1aw8cdcbd797ac35df6@mail.gmail.com> References: <70572c510902130626x4efadd1aw8cdcbd797ac35df6@mail.gmail.com> Message-ID: <4995B42E.2050103@fsl.com> Simon Jones wrote: > Hello chaps, > > god a problem with releasing from mailwatch, released messages are > then quarantined again - been trying to sort it for 4 hours now so any > suggestions would be welcomed! > > here's what I have; > > /etc/MailScanner/rules/scan.messages.conf > > From: postmaster@domain.com no Change that to: From:127.0.0.1 no And get rid of the other rules - they won't do any good. Remember to reload MailScanner after you've made the changes. Regards, Steve. From Ron.Ghetti at town.barnstable.ma.us Fri Feb 13 20:02:34 2009 From: Ron.Ghetti at town.barnstable.ma.us (Ghetti, Ron) Date: Fri Feb 13 20:03:09 2009 Subject: MailScanner fix for Exchange TNEF vuln? Message-ID: <3411CC12BB577F4FAEAC8A694780866B02291343@ITMAIL.town.barnstable.ma.us> -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Cedric Devillers Sent: Friday, February 13, 2009 9:50 AM To: MailScanner discussion Subject: Re: MailScanner fix for Exchange TNEF vuln? Well, i can't tell you if it's related to some outlook/exchange version or config, but here that's easily reproductible here. Without TNEF (winmail.dat thing), outlook receive meeting requests as plain mail messages. You don't see the fancy buttons (accept, decline, etc) and users complain of other missing features (can't remember exactly which one). With TNEF replacement disabled, everything is automagically working again. TNEF is used by outlook for special features, that's why it's also a dangerous thing. Jonas Akrouh Larsen wrote: >> I'm not sure that's entirely acurate. I have replace TNEF enabled, but > have received meeting requests from 3rd parties outside our system. I've > never had any complaints... > > Same here. We have replaced TNEF for over a year, and have never had issues > with outlook meeting requests or calendar bookings. > > And all our clients user outlook/exchange. > Same Here, All our users run Outlook. I checked my settings and the TNEF replacement is enabled, I'm not Sure if that was the default or not. We do occasionally have a meeting not received complaint. But it's not a regular thing and I haven't persued it. Instead, we've typically told them that internet email "doesn't work well" with microsoft outlook calendar. Usually if they retry sending the meeting later, they will go through ok. Why am I not surprised someone has hacked a microsoft product... -Ron > > > Med venlig hilsen / Best regards > > Jonas Akrouh Larsen > > TechBiz ApS > Laplandsgade 4, 2. 
sal > 2300 K?benhavn S > > Office: 7020 0979 > Direct: 3336 9974 > Mobile: 5120 1096 > Fax: 7020 0978 > Web: www.techbiz.dk > > > > -- Visitez notre nouveau site web: www.amstergroup.com -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From andrew at donehue.net Sat Feb 14 05:40:16 2009 From: andrew at donehue.net (Andrew) Date: Sat Feb 14 05:40:56 2009 Subject: sa-update question Message-ID: <49965940.1040302@donehue.net> Hi All, I'm running MailScanner version 4.55.10 (on debian, etch) When I run MailScanner --debug --debug-sa I see no reference to the sa-update files... however... When I run spamassassin by hand in debug mode, I can see it is picking up the ruleset. I had a look over the history on this mailing list of similar problems (is my version too old? is there a simple fix?) I have this set in MailScanner.conf : SpamAssassin Local State Dir = /var/lib Is there any way I can force the inclusion of the sa-update files in spam.assassin.prefs ? Thanks! Andrew. From prandal at herefordshire.gov.uk Sat Feb 14 09:25:47 2009 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Sat Feb 14 09:26:15 2009 Subject: sa-update question In-Reply-To: <49965940.1040302@donehue.net> References: <49965940.1040302@donehue.net> Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA03CF91@HC-MBX02.herefordshire.gov.uk> # Only un-comment this setting once you have proved that the sa-update # cron job has run successfully and has created a directory structure under # the spamassassin directory within this one and has put some *.cf files in # there. Otherwise it will ignore all your current rules! # The default location may be /var/opt on Solaris systems. SpamAssassin Local State Dir = # /var/lib/spamassassin The above works for me. Cheers, Phil -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Andrew Sent: 14 February 2009 05:40 To: MailScanner discussion Subject: sa-update question Hi All, I'm running MailScanner version 4.55.10 (on debian, etch) When I run MailScanner --debug --debug-sa I see no reference to the sa-update files... however... When I run spamassassin by hand in debug mode, I can see it is picking up the ruleset. I had a look over the history on this mailing list of similar problems (is my version too old? is there a simple fix?) I have this set in MailScanner.conf : SpamAssassin Local State Dir = /var/lib Is there any way I can force the inclusion of the sa-update files in spam.assassin.prefs ? Thanks! Andrew. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From andrew at donehue.net Sat Feb 14 12:41:25 2009 From: andrew at donehue.net (Andrew) Date: Sat Feb 14 12:42:15 2009 Subject: sa-update question In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA03CF91@HC-MBX02.herefordshire.gov.uk> References: <49965940.1040302@donehue.net> <7EF0EE5CB3B263488C8C18823239BEBA03CF91@HC-MBX02.herefordshire.gov.uk> Message-ID: <4996BBF5.3050607@donehue.net> Hi Phil, Worked :) - Thanks! Cheers, A. Randal, Phil wrote: > # Only un-comment this setting once you have proved that the sa-update > # cron job has run successfully and has created a directory structure > under > # the spamassassin directory within this one and has put some *.cf files > in > # there. Otherwise it will ignore all your current rules! > # The default location may be /var/opt on Solaris systems. > SpamAssassin Local State Dir = # /var/lib/spamassassin > > The above works for me. > > Cheers, > > Phil > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Andrew > Sent: 14 February 2009 05:40 > To: MailScanner discussion > Subject: sa-update question > > Hi All, > > I'm running MailScanner version 4.55.10 (on debian, etch) > > When I run > MailScanner --debug --debug-sa > > I see no reference to the sa-update files... however... When I run > spamassassin by hand in debug mode, I can see it is picking up the > ruleset. > > I had a look over the history on this mailing list of similar problems > (is my version too old? is there a simple fix?) > > I have this set in MailScanner.conf : > SpamAssassin Local State Dir = /var/lib > > Is there any way I can force the inclusion of the sa-update files in > spam.assassin.prefs ? > > > Thanks! > Andrew. > > > > From t.d.lee at durham.ac.uk Sat Feb 14 16:16:18 2009 
From: t.d.lee at durham.ac.uk (David Lee) Date: Sat Feb 14 16:17:00 2009 Subject: phishing sites: local and remote In-Reply-To: References: <4991D1DE.8040305@ecs.soton.ac.uk> Message-ID: On Tue, 10 Feb 2009, Julian Field wrote: > > Are lots of other people seeing this sort of attack? > If so, is it worth my while doing something about it? > I'm not going to start coding for 1 site (sorry David), but if plenty of > people are seeing this then I could possibly do something. Understood. Thanks for the consideration. It is, at present, minor. Two other things (earlier threads) are much higher up the MS wish-list: o thread "Anti-spear-phishing sa-update channel"; sub-thread about MS installation (on Centos etc., at least) putting as much in place as reasonably possible (scripts, cron jobs) to reduce end-user stuff as much as reasonably possible o crash-resilience (the discussion about MS/perl segfaulting etc; and avoiding its side-effects by (perhaps) a lightweight database of email actively being processed etc.) If you go ahead, I'm happy to try to beta-test them. All the best. -- : David Lee I.T. Service : : Senior Systems Programmer Computer Centre : : UNIX Team Leader Durham University : : South Road : : http://www.dur.ac.uk/t.d.lee/ Durham DH1 3LE : : Phone: +44 191 334 2752 U.K. : From Jeff.Mills at versacold.com.au Mon Feb 16 00:27:13 2009 
From: Jeff.Mills at versacold.com.au (Jeff Mills) Date: Mon Feb 16 00:27:27 2009 Subject: Storing rejected attachments? Message-ID: Is it possible to store rejected attachments somewhere that only admins can access? For example if a file hits filename, or filetype rules, remove it from the email, but place the file in a directory so that it can be retrieved by an admin if it's safe. Having an issue with a .mms file sent from a mobile phone. It is a movie recorded on a mobile, but it is being picked up as either an executable or an ELF binary by filetype.rules. Regards, Jeff Mills Senior WAN Administrator VersaCold Logistics Services Level 4, 3 Horwood Place Parramatta, NSW, 2150 Phone : +61 2 9840 5200 Fax : +61 2 9840 5230 Direct: +61 2 9840 5236 Email : Jeff.Mills@versacold.com.au Web : http://www.versacold.com.au From maillists at conactive.com Mon Feb 16 12:31:21 2009 From: maillists at conactive.com (Kai Schaetzl) Date: Mon Feb 16 12:31:34 2009 Subject: Storing rejected attachments? In-Reply-To: References: Message-ID: Jeff Mills wrote on Mon, 16 Feb 2009 11:27:13 +1100: > Is it possible to store rejected attachments somewhere that only admins > can access? You should not *reject* messages at all from within MS. Most of the rejects will go to innocent victims. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From alex at rtpty.com Mon Feb 16 14:25:15 2009 
From: alex at rtpty.com (Alex Neuman) Date: Mon Feb 16 14:25:28 2009 Subject: Storing rejected attachments? In-Reply-To: References: Message-ID: <24e3d2e40902160625w70e9b059n5752e65bee00c9ba@mail.gmail.com> If you give access to the quarantine directory from Apache, you may be able to provide password-protected access to your admins. You can also use MailWatch for this. On Sun, Feb 15, 2009 at 7:27 PM, Jeff Mills wrote: > Is it possible to store rejected attachments somewhere that only admins > can access? > > For example if a file hits filename, or filetype rules, remove it from > the email, but place the file in a directory so that it can be retrieved > by an admin if its safe. > Having an issue with a .mms file sent from a mobile phone. It is a movie > recorded on a mobile, but it is being picked up as either an executable > or an ELF binary by filetype.rules. > > Regards, > > Jeff Mills > Senior WAN Administrator > VersaCold Logistics Services > Level 4, 3 Horwood Place > Parramatta, NSW, 2150 > Phone : +61 2 9840 5200 > Fax : +61 2 9840 5230 > Direct: +61 2 9840 5236 > Email : Jeff.Mills@versacold.com.au > Web : http://www.versacold.com.au > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090216/a3125619/attachment.html From ssilva at sgvwater.com Tue Feb 17 00:58:38 2009 
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Feb 17 00:59:03 2009 Subject: sa-update question In-Reply-To: <49965940.1040302@donehue.net> References: <49965940.1040302@donehue.net> Message-ID: on 2-13-2009 9:40 PM Andrew spake the following: > Hi All, > > I'm running MailScanner version 4.55.10 (on debian, etch) > > When I run > MailScanner --debug --debug-sa > > I see no reference to the sa-update files... however... When I run > spamassassin by hand in debug mode, I can see it is picking up the ruleset. > > I had a look over the history on this mailing list of similar problems > (is my version too old? is there a simple fix?) > > I have this set in MailScanner.conf : > SpamAssassin Local State Dir = /var/lib > > Is there any way I can force the inclusion of the sa-update files in > spam.assassin.prefs ? > > > Thanks! > Andrew. > > > FYI -- There are newer packages on backports. 4.55.10 is ancient in MailScanner time. If archaeologists were digging up mailscanner fossils, that would be one that they find. ;-P -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 258 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090216/2e1fa678/signature.bin From glenn.steen at gmail.com Tue Feb 17 08:22:29 2009 
From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Feb 17 08:22:38 2009 Subject: selecting message that should go into MailScanner In-Reply-To: References: <20090212102223.GA23255@ubuntu> <223f97700902120426u3654184fua9ed379607dccbfd@mail.gmail.com> <223f97700902120553n27f34019rec7867529f33d2c3@mail.gmail.com> Message-ID: <223f97700902170022w36c4a38hc65c02dedadec39a@mail.gmail.com> 2009/2/12 Scott Silva : > on 2-12-2009 5:53 AM Glenn Steen spake the following: >> 2009/2/12 Kai Schaetzl : >>> You did notice that he already fiddled with that and it didn't work for >>> him? Why fiddle at all with this if you can skip scanning in MS very >> No, I missed that...:). Am in a state of chock, since my employer >> decided to lay off 1/3 of all employees... not me though. > > Sometimes being "left behind" is just as bad. Now your remaining work force > has to do the work of those 1/3, but not get any more money! > Yeah... and we need move to smaller facilities, since these offices are way to roomy. == more work... of the "manual labour" variant. Oh well. I guess I just have to get over it and get back to it all:). Cheers and thanks for the thought! > > >> Just doing the mailing list thing to have something to focus on other >> than the situation at hand. Sigh. >> >>> easily and still retain all the benefits (like seeing it in Mailwatch)? I >>> don't see doing it in Postfix as a good way. >> No argument. But letting PF do the thing would be quite workable >> too... The normal "just one way more":-) >> >>> Kai >>> >> >> Cheers > > > -- > MailScanner is like deodorant... > You hope everybody uses it, and > you notice quickly if they don't!!!! > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
> > -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Tue Feb 17 08:27:01 2009 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Feb 17 08:27:12 2009 Subject: selecting message that should go into MailScanner In-Reply-To: <72cf361e0902121339u7edac654hf9d97db9e8602ab7@mail.gmail.com> References: <20090212102223.GA23255@ubuntu> <223f97700902120426u3654184fua9ed379607dccbfd@mail.gmail.com> <223f97700902120553n27f34019rec7867529f33d2c3@mail.gmail.com> <72cf361e0902121339u7edac654hf9d97db9e8602ab7@mail.gmail.com> Message-ID: <223f97700902170027g7d57e822of6d3d05252b005c0@mail.gmail.com> 2009/2/12 Martin Hepworth : > 2009/2/12 Glenn Steen : >> 2009/2/12 Kai Schaetzl : >>> You did notice that he already fiddled with that and it didn't work for >>> him? Why fiddle at all with this if you can skip scanning in MS very >> No, I missed that...:). Am in a state of chock, since my employer >> decided to lay off 1/3 of all employees... not me though. >> Just doing the mailing list thing to have something to focus on other >> than the situation at hand. Sigh. >> > Glen > > i was the first of many at my place back in november. kinda worked out > 'cos I'm already in a new job, but i don't emvy the guys who got laid > off a couple of weeks ago. The Job market is alot tougher now - less > jobs more people wanting them and therefore less salary. > Thanks for the empathy Martin! I do agree, this is such a strange mix of anxiety (for oneself) and empathy (with the ones that have to go) and ... well, anger (at "the powers that be"... The boss(-es) and $DEITY and whatnot). As I said to Scott, the workload is looking to more than double for the ones "left behind". Oh well. Time to get back in the saddle:-/. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Tue Feb 17 08:38:53 2009 
From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Feb 17 08:39:03 2009 Subject: selecting message that should go into MailScanner In-Reply-To: <20090213081524.GB26380@ubuntu> References: <20090212102223.GA23255@ubuntu> <223f97700902120426u3654184fua9ed379607dccbfd@mail.gmail.com> <20090212134604.GA26300@ubuntu> <223f97700902120559j1c1778fqc790207d5b0aefec@mail.gmail.com> <20090213081524.GB26380@ubuntu> Message-ID: <223f97700902170038j1e44f1hf0a9a7f845b7c4e8@mail.gmail.com> 2009/2/13 Alessandro Dentella : >> > implement. I tried to follow it but I can't really get it working. I don't >> > think that's fault of the recepe but I must be doing something silly so that >> > no messages gets into the rule even if I use: >> > >> > /.*/ HOLD >> > /^$/ HOLD >> >> Where did you implement the map? "postconf -n"? > > I followed exactly the recepe of Hugo. Same names. I can go the other way > but just to close this thread here is my postconf -n. > > thanks > sandro > Weird. I suppose the access map was in /etc/postfix/MailScanner ...? That really should've worked (Disclaimer: I might still need screw my head on right... So might miss something obvious;-). 
> mail:~# postconf -n
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> append_dot_mydomain = no
> biff = no
> config_directory = /etc/postfix
> debug_peer_level = 99
> mailbox_size_limit = 0
> mydestination = argo, localhost, localhost.localdomain, localhost
> myhostname = thundersystems.it
> mynetworks = 127.0.0.0/8 192.168.5.0/24
> recipient_delimiter = +
> relay_domains = pgsql:/etc/postfix/pgsql_relay_domain.cf
> relayhost =
> smtp_sasl_auth_enable = yes
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> smtp_sasl_security_options =
> smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
> smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
> smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_non_fqdn_hostname reject_non_fqdn_sender reject_non_fqdn_recipient reject_unauth_destination reject_unauth_pipelining reject_invalid_hostname reject_rbl_client sbl-xbl.spamhaus.org check_recipient_access regexp:/etc/postfix/MailScanner
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain = $myhostname
> smtpd_sasl_security_options = noanonymous
> smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
> smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
> smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
> smtpd_use_tls = yes
> transport_maps = pgsql:/etc/postfix/pgsql_transport_maps.cf
> virtual_alias_maps = pgsql:/etc/postfix/pgsql_virtual_alias_maps.cf
> virtual_gid_maps = static:106
> virtual_mailbox_base = /home/vmail
> virtual_mailbox_domains = pgsql:/etc/postfix/pgsql_virtual_mailbox_domains.cf
> virtual_mailbox_limit = 51200000
> virtual_mailbox_maps = pgsql:/etc/postfix/pgsql_virtual_mailbox_maps.cf
> virtual_minimum_uid = 100
> virtual_transport = virtual
> virtual_uid_maps = static:103
>

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From ssilva at sgvwater.com Tue Feb 17 17:01:24 2009
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Feb 17 17:01:51 2009 Subject: selecting message that should go into MailScanner In-Reply-To: <223f97700902170022w36c4a38hc65c02dedadec39a@mail.gmail.com> References: <20090212102223.GA23255@ubuntu> <223f97700902120426u3654184fua9ed379607dccbfd@mail.gmail.com> <223f97700902120553n27f34019rec7867529f33d2c3@mail.gmail.com> <223f97700902170022w36c4a38hc65c02dedadec39a@mail.gmail.com> Message-ID: on 2-17-2009 12:22 AM Glenn Steen spake the following: > 2009/2/12 Scott Silva : >> on 2-12-2009 5:53 AM Glenn Steen spake the following: >>> 2009/2/12 Kai Schaetzl : >>>> You did notice that he already fiddled with that and it didn't work for >>>> him? Why fiddle at all with this if you can skip scanning in MS very >>> No, I missed that...:). Am in a state of chock, since my employer >>> decided to lay off 1/3 of all employees... not me though. >> Sometimes being "left behind" is just as bad. Now your remaining work force >> has to do the work of those 1/3, but not get any more money! >> > Yeah... and we need move to smaller facilities, since these offices > are way to roomy. == more work... of the "manual labour" variant. > Oh well. I guess I just have to get over it and get back to it all:). > Cheers and thanks for the thought! > We are planning a move in June or July to a new facility at one of our offices. A single building instead of the mix of 60 year old buildings we are currently "shoehorned" into. I have servers stuffed in closets here and cat5 running in old conduits vacated by twinax cabling. So roomy isn't a word we use here. So I am planning for a several week migration just in case. I have to figure out how to keep telephone and networking running between the new and the old location. We have a 10 mb Tsunami radio link between the sites right now so I will probably tunnel over that. The plus is I finally have a real server room, so the equipment gets to "come out of the closet". 
-- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 258 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090217/8777e1f0/signature.bin From mark.wold at gmail.com Tue Feb 17 21:58:09 2009 From: mark.wold at gmail.com (Mark Wold) Date: Tue Feb 17 21:58:18 2009 Subject: Extracting Attachments Message-ID: I have a client that wants to email me PDF files so that I can convert them to TIFF images and then forward them along. They want the process to work 24/7. So instead of having a user who's job it is to grab the attachments and perform the work, I would like to see if I can get MailScanner to watch for emails coming into a specific user, extract and store the attachments to a predefined directory in the system, and then move on to other messages. I can easily then takes the PDF and perform the conversions and forward it on. Does anyone know if I can do this extracting with MailScanner? Thanks, Mark -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090217/17e2fb61/attachment.html From ms-list at alexb.ch Tue Feb 17 22:14:58 2009 
From: ms-list at alexb.ch (Alex Broens) Date: Tue Feb 17 22:15:06 2009 Subject: Extracting Attachments In-Reply-To: References: Message-ID: <499B36E2.20109@alexb.ch> On 2/17/2009 10:58 PM, Mark Wold wrote: > I have a client that wants to email me PDF files so that I can convert them > to TIFF images and then forward them along. They want the process to work > 24/7. So instead of having a user who's job it is to grab the attachments > and perform the work, I would like to see if I can get MailScanner to watch > for emails coming into a specific user, extract and store the attachments to > a predefined directory in the system, and then move on to other messages. I > can easily then takes the PDF and perform the conversions and forward it on. > > Does anyone know if I can do this extracting with MailScanner? I'd look into a header SA rule then action rule based on that SA hit & pipe to ripmime to extract the attachement. tho, there may be a simpler method... Hope that points you further Alex From ka at pacific.net Tue Feb 17 22:31:45 2009 
From: ka at pacific.net (Ken A) Date: Tue Feb 17 22:31:59 2009 Subject: Extracting Attachments In-Reply-To: References: Message-ID: <499B3AD1.7080803@pacific.net> Mark Wold wrote: > I have a client that wants to email me PDF files so that I can convert them > to TIFF images and then forward them along. They want the process to work > 24/7. So instead of having a user who's job it is to grab the attachments > and perform the work, I would like to see if I can get MailScanner to watch > for emails coming into a specific user, extract and store the attachments to > a predefined directory in the system, and then move on to other messages. I > can easily then takes the PDF and perform the conversions and forward it on. > > Does anyone know if I can do this extracting with MailScanner? > > Thanks, > Mark > > You can do this with a Custom Function. See /usr/lib/MailScanner/MailScanner/CustomFunctions and see /usr/lib/MailScanner/MailScanner/Message.pm (location on my system may be different than yours) MailScanner does this currently with word docs for example: Message.pm: my @docfiles = MailScanner::Antiword::FindDocFiles($this->{entity}); So it should be doable! Ken From mark.wold at gmail.com Wed Feb 18 12:18:19 2009 
From: mark.wold at gmail.com (Mark Wold) Date: Wed Feb 18 12:18:28 2009 Subject: Extracting Attachments Message-ID: This looks like I may be able to use this to get at my attachments. Can anyone tell me this... Are the functions that are in the perl scripts in /usr/lib/MailScanner/MailScanner, available to any custom function that I place in /usr/lib/MailScanner/MailScanner/CustomFunctions? Thanks again, Mark >Mark Wold wrote: >> I have a client that wants to email me PDF files so that I can convert them >> to TIFF images and then forward them along. They want the process to work >> 24/7. So instead of having a user who's job it is to grab the attachments >> and perform the work, I would like to see if I can get MailScanner to watch >> for emails coming into a specific user, extract and store the attachments to >> a predefined directory in the system, and then move on to other messages. I >> can easily then takes the PDF and perform the conversions and forward it on. >> >> Does anyone know if I can do this extracting with MailScanner? >> >> Thanks, >> Mark >> >> > >You can do this with a Custom Function. >See /usr/lib/MailScanner/>MailScanner/CustomFunctions >and see /usr/lib/MailScanner/MailScanner/Message.pm (location on my >system may be different than yours) > >MailScanner does this currently with word docs for example: >Message.pm: my @docfiles = >MailScanner::Antiword::FindDocFiles($this->{entity}); > >So it should be doable! > >Ken -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090218/ab88fdeb/attachment.html From ka at pacific.net Wed Feb 18 15:00:53 2009 
From: ka at pacific.net (Ken A) Date: Wed Feb 18 15:01:08 2009 Subject: Extracting Attachments In-Reply-To: References: Message-ID: <499C22A5.5090207@pacific.net> Mark Wold wrote: > This looks like I may be able to use this to get at my attachments. > > Can anyone tell me this... Are the functions that are in the perl scripts in > /usr/lib/MailScanner/MailScanner, available to any custom function that I > place in /usr/lib/MailScanner/MailScanner/CustomFunctions? > No. The Message object is available. It's attributes are listed at the top of Message.pm. That said, I'm not an expert on the inner workings of MailScanner, so you may have to wait for Julian to get a more complete answer. Ken > Thanks again, > Mark > > >Mark Wold wrote: >>> I have a client that wants to email me PDF files so that I can convert > them >>> to TIFF images and then forward them along. They want the process to work >>> 24/7. So instead of having a user who's job it is to grab the attachments >>> and perform the work, I would like to see if I can get MailScanner to > watch >>> for emails coming into a specific user, extract and store the attachments > to >>> a predefined directory in the system, and then move on to other messages. > I >>> can easily then takes the PDF and perform the conversions and forward it > on. >>> Does anyone know if I can do this extracting with MailScanner? >>> >>> Thanks, >>> Mark >>> >>> >> You can do this with a Custom Function. >> See /usr/lib/MailScanner/>MailScanner/CustomFunctions >> and see /usr/lib/MailScanner/MailScanner/Message.pm (location on my >> system may be different than yours) >> >> MailScanner does this currently with word docs for example: >> Message.pm: my @docfiles = >> MailScanner::Antiword::FindDocFiles($this->{entity}); >> >> So it should be doable! >> >> Ken > From alex at rtpty.com Wed Feb 18 16:26:36 2009 
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Wed Feb 18 16:27:06 2009 Subject: Extracting Attachments In-Reply-To: References: Message-ID: Could this be done more simply using a procmail recipe? On Feb 18, 2009, at 7:18 AM, Mark Wold wrote: > This looks like I may be able to use this to get at my attachments. > > Can anyone tell me this... Are the functions that are in the perl > scripts in /usr/lib/MailScanner/MailScanner, available to any custom > function that I place in /usr/lib/MailScanner/MailScanner/ > CustomFunctions? > > Thanks again, > Mark > > >Mark Wold wrote: > >> I have a client that wants to email me PDF files so that I can > convert them > >> to TIFF images and then forward them along. They want the process > to work > >> 24/7. So instead of having a user who's job it is to grab the > attachments > >> and perform the work, I would like to see if I can get > MailScanner to watch > >> for emails coming into a specific user, extract and store the > attachments to > >> a predefined directory in the system, and then move on to other > messages. I > >> can easily then takes the PDF and perform the conversions and > forward it on. > >> > >> Does anyone know if I can do this extracting with MailScanner? > >> > >> Thanks, > >> Mark > >> > >> > > > >You can do this with a Custom Function. > >See /usr/lib/MailScanner/ > >MailScanner/CustomFunctions > >and see /usr/lib/MailScanner/MailScanner/Message.pm (location on my > >system may be different than yours) > > > >MailScanner does this currently with word docs for example: > >Message.pm: my @docfiles = > >MailScanner::Antiword::FindDocFiles($this->{entity}); > > > >So it should be doable! > > > >Ken > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
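The extraction step this thread asks about, storing a message's PDF attachments in a predefined directory, sketched in Python as an added example (not code from any poster or from MailScanner). It assumes the message has already been selected and saved as an RFC 822 file; `extract_pdfs`, `safe_name`, `build_sample`, the size cap and the sample message are constructed for illustration, and the sender-supplied filename and MIME type are treated as untrusted.

```python
import hashlib
import os
import re
import tempfile
from email import message_from_bytes, policy
from email.message import EmailMessage

MAX_PDF_BYTES = 20 * 1024 * 1024          # assumed cap; tune to the client's files
UNSAFE = re.compile(r"[^A-Za-z0-9._-]")   # every other character is replaced


def safe_name(raw_name, payload):
    """Derive the on-disk name; the sender's filename never supplies a path."""
    base = os.path.basename((raw_name or "").replace("\\", "/"))
    stem = UNSAFE.sub("_", os.path.splitext(base)[0]).strip("._") or "attachment"
    digest = hashlib.sha256(payload).hexdigest()[:12]
    return "%s-%s.pdf" % (stem[:40], digest)


def extract_pdfs(raw_message, drop_dir):
    """Write each genuine PDF part into drop_dir; return the names written."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    root = os.path.realpath(drop_dir)
    written = []
    for part in msg.walk():
        if part.is_multipart():
            continue                      # containers hold no file data themselves
        payload = part.get_payload(decode=True) or b""
        # Trust the content, not the declared MIME type or the extension.
        if not payload.startswith(b"%PDF-") or len(payload) > MAX_PDF_BYTES:
            continue
        target = os.path.join(root, safe_name(part.get_filename(), payload))
        if os.path.dirname(os.path.realpath(target)) != root:
            continue                      # defence in depth against traversal
        try:
            # O_EXCL: never overwrite an existing file or write through a symlink.
            fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        except FileExistsError:
            continue                      # same name and digest: already stored
        with os.fdopen(fd, "wb") as out:
            out.write(payload)
        written.append(os.path.basename(target))
    return written


def build_sample():
    """Constructed message: a real PDF with a hostile name, and a fake PDF."""
    msg = EmailMessage()
    msg["From"] = "client@example.com"
    msg["To"] = "pdf-inbox@example.com"
    msg["Subject"] = "scans"
    msg.set_content("Two files attached.")
    msg.add_attachment(b"%PDF-1.4\n% constructed sample\n%%EOF\n",
                       maintype="application", subtype="pdf",
                       filename="../../etc/cron.d/invoice.pdf")
    msg.add_attachment(b"\x7fELF constructed non-PDF bytes",
                       maintype="application", subtype="pdf",
                       filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as drop:
        print(extract_pdfs(build_sample(), drop))
```

The converter should read only from the drop directory, which should be writable by the extraction job alone.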
From rick at duvals.ca Wed Feb 18 16:48:45 2009 From: rick at duvals.ca (Rick Duval) Date: Wed Feb 18 16:48:54 2009 Subject: Why does MailScanner marks some as spam even when custom function changes score to way below spam threshold Message-ID: <4baa40ce0902180848g7cabdaa2te22f7ece3609ab25@mail.gmail.com> I have a custom module on Mailscanner that often will add(subtract) 100 points so the finished score is (for instance) -160 but sometimes the emails still get marked as spam. Anybody know why or how I can stop this? Also, anybody know how to set the "whitelist" or "blacklist" flag in a custom plugin module? Thanks From ssilva at sgvwater.com Wed Feb 18 19:01:39 2009 From: ssilva at sgvwater.com (Scott Silva) Date: Wed Feb 18 19:01:56 2009 Subject: Why does MailScanner marks some as spam even when custom function changes score to way below spam threshold In-Reply-To: <4baa40ce0902180848g7cabdaa2te22f7ece3609ab25@mail.gmail.com> References: <4baa40ce0902180848g7cabdaa2te22f7ece3609ab25@mail.gmail.com> Message-ID: on 2-18-2009 8:48 AM Rick Duval spake the following: > I have a custom module on Mailscanner that often will add(subtract) > 100 points so the finished score is (for instance) -160 but sometimes > the emails still get marked as spam. Anybody know why or how I can > stop this? > Are you using spam lists in mailscanner? This is hit based and not score based. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 258 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090218/d5fb8c13/signature.bin From MailScanner at ecs.soton.ac.uk Thu Feb 19 11:10:49 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Feb 19 11:11:18 2009 Subject: Fragmentation In-Reply-To: References: <499D3E39.5050807@ecs.soton.ac.uk> Message-ID: On 12/2/09 22:56, Mike Masse wrote: > One of my users received an Outlook express fragmented email message > and kudo's to MailScanner because it didn't know how to handle the > second portion of the email and it quarantined it. This could very > well be related to: > http://www.esecurityplanet.com/trends/article.php/1463161/Security-Firm-Outlook-Express-Can-Be-Used-To-Bypass-Email-Filters.htm > > > I searched the archive for fragmentation and did not get any results, so: > > Can MailScanner be set to properly detect and log and quarantine these > fragmented emails vs what my system is doing right now which is only > quarantining because it doesn't know what to do with the attachment. > The fact that the email doesn't come through is fantastic, but without > the logging bit, it's difficult to track down why for explanation > purposes to clients. > Yes, MailScanner does detect fragmented messages and rejects them. Imagine what would happen if you started storing them and attempting to reassemble them. Here's message 1 of 1,000,000. Here's a different message 1 of 1,000,000. And so on. DoS attack very easily! What extra logging would you like it to do? Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Thu Feb 19 11:11:26 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Feb 19 11:11:48 2009 Subject: Mailscanner logging to syslog, only partial to mail.log, driving me nuts In-Reply-To: <1cb701c98d69$6dbdfd60$4939f820$@com> References: <057b01c98797$cd9b7aa0$68d26fe0$@com> <235505.65096.qm@web33305.mail.mud.yahoo.com> <0ab701c988c4$c73cade0$55b609a0$@com> <140001c98b08$0e0b9890$2a22c9b0$@com> <142301c98b0c$dc48b270$94da1750$@com> <1cb701c98d69$6dbdfd60$4939f820$@com> <499D3E5E.3080106@ecs.soton.ac.uk> Message-ID: On 12/2/09 23:27, Greg Deputy wrote: >> Greg Deputy wrote on Mon, 9 Feb 2009 15:19:30 -0800: >> >> >>> Why is MailScanner sending spamassassin >>> result messages to local3.info instead of mail.info? >>> >> This is not what you claimed, AFAIK. You said that you get no MailScanner >> messages to mail.log. Is that *really* the case or is it only the sa >> scores that you are missing? For me that's quite a big difference. >> > > What wasn't showing up was anything about scanning. Spamassassin stuff, > sure, but other mailscanner reports as well. I'm logging the local3.* stuff > to mail log now so it all goes where I want, but just confuses me why its > going to local3. MailScanner.conf has syslog facility set to mail. > MailScanner only ever syslogs to the log facility you set in the conf file. > >>> Is there a tag for mailscanner that >>> I need to add to syslog.conf to get those where I want them? >>> >> You can set the log facility in MS. I don't know if that applies to SA >> scores, I do not log SA scores. You do realize that your syslog.conf >> creates a lot of additional logging for mail, even to the xonsole? Just >> grep mail from the file to see what I mean. >> >> Kai >> >> > > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Thu Feb 19 11:15:25 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Feb 19 11:15:47 2009 Subject: CentOS - Removed perl-IO due to bug in updating via 'yum' In-Reply-To: References: <001b01c98d6a$0b568880$22039980$@simpkin@hitec-systems.co.uk> <499D3F4D.6090802@ecs.soton.ac.uk> Message-ID: On 13/2/09 08:04, Anthony Cartmell wrote: >> Can anyone help me reinstall perl-IO now I think perl has been updated? > > On FC10 I used "rpm -e --nodeps perl-IO" for this and other dependency > problems, then yum update, then re-install MailScanner just in case it > still wants to add to the provided perl modules. There is now an extra switch to install.sh that makes it uninstall all the Perl module RPMs, let you Ctrl-Z it, then you yum update perl, then fg the install.sh again and carry on. Makes the upgrade process very easy. Do "./install.sh --help" and it will show you the command-line options. Quite a lot of which do *not* have a "-" on the front of them, for some historical reason I have long since forgotten :) > > Works fine. I just need to remember that if yum wants to update any > perl modules I'll need to keep an eye on it and possibly repeat the > above. I don't let yum run automatically. > > The advantage of this method is that I'm always running standard FC10 > perl modules, with MailScanner "on top". So much less likely to break > other FC10 perl requirements. > > Cheers! > > Anthony Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Thu Feb 19 11:23:14 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Feb 19 11:23:33 2009
Subject: Extracting Attachments
In-Reply-To:
References: <499D4122.4060507@ecs.soton.ac.uk>
Message-ID:

On 17/2/09 21:58, Mark Wold wrote:
> I have a client that wants to email me PDF files so that I can convert
> them to TIFF images and then forward them along. They want the process
> to work 24/7. So instead of having a user whose job it is to grab the
> attachments and perform the work, I would like to see if I can get
> MailScanner to watch for emails coming into a specific user, extract
> and store the attachments to a predefined directory in the system, and
> then move on to other messages. I can easily then take the PDF and
> perform the conversions and forward it on.
>
> Does anyone know if I can do this extracting with MailScanner?

Write an SA rule that detects the messages you're interested in. Then
use SpamAssassin Rule Actions to store those messages in individual
files in a directory somewhere.

Then have a cron job running every few minutes that picks up any files
in that directory, extracts the attachment from them (there are various
unmime tools that will do this for you from the command-line), and pumps
them through your converter.

Then take the resulting TIFF images, turn them into attachments
(uuencode will do this I believe with a base64-specific command-line
switch) and manually construct a message around the base64-encoded data.
That's easy enough to do by hand. Just create a very simple one in your
email app, mail it to yourself and look at the resulting rfc822 message
file. A few echo and cat commands in a shell script will be quite
sufficient.

Then call sendmail -t to send the message to the intended recipient.

Just divide the problem up into a few steps, and write each step in
turn, which you should find very easy in a shell script.

I do something related to this for someone here, but it's different
enough that the code wouldn't really help you much, sorry.

Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ajcartmell at fonant.com Thu Feb 19 12:17:13 2009 From: ajcartmell at fonant.com (Anthony Cartmell) Date: Thu Feb 19 12:17:22 2009 Subject: CentOS - Removed perl-IO due to bug in updating via 'yum' In-Reply-To: References: <001b01c98d6a$0b568880$22039980$@simpkin@hitec-systems.co.uk> <499D3F4D.6090802@ecs.soton.ac.uk> Message-ID: Jules, > There is now an extra switch to install.sh that makes it uninstall all > the Perl module RPMs, let you Ctrl-Z it, then you yum update perl, then > fg the install.sh again and carry on. Nice! Sounds like I need to buy the book to learn all these little tricks! Anthony -- www.fonant.com - Quality web sites From ajcartmell at fonant.com Thu Feb 19 12:38:37 2009 From: ajcartmell at fonant.com (Anthony Cartmell) Date: Thu Feb 19 12:38:42 2009 Subject: MailScanner book updates? Message-ID: Jules, Are there any plans for any updates to the book in the near future, or should I just buy the June 2007 one? Cheers! Anthony -- www.fonant.com - Quality web sites From MailScanner at ecs.soton.ac.uk Thu Feb 19 14:27:23 2009 
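
Added example for the "Extracting Attachments" reply above, not code from the thread or from MailScanner: the cron-job steps Julian outlines (pull the PDF out of a stored message file, then wrap the converted TIFF in a new base64 message for sendmail -t), written with Python's email library instead of the shell tools he mentions. The sendmail path, addresses, function names and sample message are assumptions constructed for illustration; the converter itself is out of scope and represented by a stand-in.

```python
import os
import re
import subprocess
from email import message_from_bytes, policy
from email.message import EmailMessage

SENDMAIL = "/usr/sbin/sendmail"  # assumed location of the sendmail binary


def safe_name(supplied, index):
    """Build a local file name; the sender-supplied name is untrusted input."""
    base = os.path.basename((supplied or "").replace("\\", "/"))
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".")
    return "%03d-%s" % (index, base or "attachment.pdf")


def extract_pdfs(raw, outdir):
    """Save every MIME part that really is a PDF; return the paths written."""
    msg = message_from_bytes(raw, policy=policy.default)
    saved = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""
        # Trust the content, not the declared type or the file extension.
        if not data.startswith(b"%PDF-"):
            continue
        path = os.path.join(outdir, safe_name(part.get_filename(), len(saved)))
        with open(path, "xb") as handle:  # "x": never overwrite an existing file
            handle.write(data)
        saved.append(path)
    return saved


def build_forward(tiff, sender, recipient, name="converted.tiff"):
    """Construct the outgoing message around the base64-encoded TIFF."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Converted document"
    msg.set_content("The converted TIFF is attached.")
    msg.add_attachment(tiff, maintype="image", subtype="tiff", filename=name)
    return msg


def send(msg):
    """Hand the finished message to sendmail; -t takes recipients from headers."""
    subprocess.run([SENDMAIL, "-t", "-i"], input=msg.as_bytes(), check=True)


def sample_message():
    """Constructed input: one real PDF with a hostile name, one mislabelled file."""
    m = EmailMessage()
    m["From"] = "client@example.org"
    m["To"] = "convert@example.net"
    m["Subject"] = "scan"
    m.set_content("PDF attached")
    m.add_attachment(b"%PDF-1.4\n% constructed sample\n", maintype="application",
                     subtype="pdf", filename="../invoice.pdf")
    m.add_attachment(b"MZ this is not a PDF", maintype="application",
                     subtype="pdf", filename="fake.pdf")
    return m.as_bytes()


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as spool:
        for pdf in extract_pdfs(sample_message(), spool):
            tiff = b"II*\x00constructed"  # stand-in for the PDF-to-TIFF converter
            print(pdf)
            print(build_forward(tiff, "convert@example.net", "dest@example.org"))
```
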
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Feb 19 14:27:43 2009 Subject: CentOS - Removed perl-IO due to bug in updating via 'yum' In-Reply-To: References: <001b01c98d6a$0b568880$22039980$@simpkin@hitec-systems.co.uk> <499D3F4D.6090802@ecs.soton.ac.uk> <499D6C4B.7010900@ecs.soton.ac.uk> Message-ID: On 19/2/09 12:17, Anthony Cartmell wrote: > Jules, > >> There is now an extra switch to install.sh that makes it uninstall >> all the Perl module RPMs, let you Ctrl-Z it, then you yum update >> perl, then fg the install.sh again and carry on. > > Nice! Sounds like I need to buy the book to learn all these little > tricks! I think you'll find it all in the Change Log... :) But yes, please do buy the book! Thanks. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From jkf at ecs.soton.ac.uk Thu Feb 19 14:28:33 2009 
From: jkf at ecs.soton.ac.uk (Julian Field) Date: Thu Feb 19 14:28:56 2009 Subject: MailScanner book updates? In-Reply-To: References: <499D6C91.6000903@ecs.soton.ac.uk> Message-ID: No plans to update it soon, no. The last issue will still be valid for quite a while. When I do produce a new one, I usually give away a PDF of most of the new content for you, so you aren't forced to buy it again unless you want to. Jules. On 19/2/09 12:38, Anthony Cartmell wrote: > Jules, > > Are there any plans for any updates to the book in the near future, or > should I just buy the June 2007 one? > > Cheers! > > Anthony Jules -- Julian Field MBCS CITP CEng jkf@ecs.soton.ac.uk Teaching Systems Manager Electronics& Computer Science University of Southampton SO17 1BJ, UK -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ajcartmell at fonant.com Thu Feb 19 15:57:21 2009 From: ajcartmell at fonant.com (Anthony Cartmell) Date: Thu Feb 19 15:57:27 2009 Subject: MailScanner book updates? In-Reply-To: References: <499D6C91.6000903@ecs.soton.ac.uk> Message-ID: Jules, > No plans to update it soon, no. The last issue will still be valid for > quite a while. Copy ordered :) Is it sad to say that I'm looking forward to getting it? Cheers! Anthony -- www.fonant.com - Quality web sites From MailScanner at ecs.soton.ac.uk Thu Feb 19 16:35:28 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Feb 19 16:35:46 2009
Subject: MailScanner book updates?
In-Reply-To:
References: <499D6C91.6000903@ecs.soton.ac.uk> <499D8A50.20005@ecs.soton.ac.uk>
Message-ID:

On 19/2/09 15:57, Anthony Cartmell wrote:
> Jules,
>
>> No plans to update it soon, no. The last issue will still be valid
>> for quite a while.
>
> Copy ordered :)
>
> Is it sad to say that I'm looking forward to getting it?

Not at all! Not in my view anyway :-)

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses
and dangerous content by MailScanner, and is
believed to be clean.

From jvoorhees1 at gmail.com Thu Feb 19 18:39:32 2009
From: jvoorhees1 at gmail.com (Jason Voorhees)
Date: Thu Feb 19 18:39:42 2009
Subject: How to browse infected messages in quarantine?
Message-ID:

Hi people:

I'm sure this is a pretty easy question but I'm still unable to find
the appropriate directive(s) to achieve it. I quarantine all spam
messages and I can browse them later using MailWatch.
But when MailScanner finds a Virus in a message using ClamAV, I can
see that it is sent to quarantine too, I see it in the list of
quarantined messages through MailWatch but I can't see its content nor
release the infected message.

What should I change in my configuration to be able to browse and
release infected messages in quarantine?

Thanks :)

From steve.freegard at fsl.com Thu Feb 19 19:18:35 2009
From: steve.freegard at fsl.com (Steve Freegard)
Date: Thu Feb 19 19:18:45 2009
Subject: How to browse infected messages in quarantine?
In-Reply-To:
References:
Message-ID: <499DB08B.1040909@fsl.com>

Hi Jason,

Jason Voorhees wrote:
> Hi people:
>
> I'm sure this is a pretty easy question but I'm still unable to find
> the appropriate directive(s) to achieve it. I quarantine all spam
> messages and I can browse them later using MailWatch.
> But when MailScanner finds a Virus in a message using ClamAV, I can
> see that it is sent to quarantine too, I see it in the list of
> quarantined messages through MailWatch but I can't see its content nor
> release the infected message.
>
> What should I change in my configuration to be able to browse and
> release infected messages in quarantine?

You can't do anything through MailWatch if the message is marked as
Virus infected; I considered that a security feature when I wrote it.

You'll have to release it the old-fashioned way 'sendmail -i -f [sender]
[recipient] < /path/to/quarantine/message'.

Regards,
Steve.

From ssilva at sgvwater.com Thu Feb 19 19:22:57 2009
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Feb 19 19:23:16 2009 Subject: CentOS - Removed perl-IO due to bug in updating via 'yum' In-Reply-To: References: <001b01c98d6a$0b568880$22039980$@simpkin@hitec-systems.co.uk> <499D3F4D.6090802@ecs.soton.ac.uk> Message-ID: on 2-19-2009 4:17 AM Anthony Cartmell spake the following: > Jules, > >> There is now an extra switch to install.sh that makes it uninstall all >> the Perl module RPMs, let you Ctrl-Z it, then you yum update perl, >> then fg the install.sh again and carry on. > > Nice! Sounds like I need to buy the book to learn all these little tricks! > > Anthony The features update much more often then the book does, but it is still a valuable tool! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 258 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090219/9cac5eed/signature.bin From jvoorhees1 at gmail.com Thu Feb 19 19:25:08 2009 
From: jvoorhees1 at gmail.com (Jason Voorhees)
Date: Thu Feb 19 19:25:16 2009
Subject: How to browse infected messages in quarantine?
In-Reply-To: <499DB08B.1040909@fsl.com>
References: <499DB08B.1040909@fsl.com>
Message-ID:

Hi:

On Thu, Feb 19, 2009 at 2:18 PM, Steve Freegard wrote:
> Hi Jason,
>
> Jason Voorhees wrote:
>> Hi people:
>>
>> I'm sure this is a pretty easy question but I'm still unable to find
>> the appropriate directive(s) to achieve it. I quarantine all spam
>> messages and I can browse them later using MailWatch.
>> But when MailScanner finds a Virus in a message using ClamAV, I can
>> see that it is sent to quarantine too, I see it in the list of
>> quarantined messages through MailWatch but I can't see its content nor
>> release the infected message.
>>
>> What should I change in my configuration to be able to browse and
>> release infected messages in quarantine?
>
> You can't do anything through MailWatch if the message is marked as
> Virus infected; I considered that a security feature when I wrote it.
>

So you mean ...

1. Are you one of the developers of MailWatch?
2. The limitation of browsing the infected files is at Mailwatch? So
MS doesn't have anything to do about this?

> You'll have to release it the old-fashioned way 'sendmail -i -f [sender]
> [recipient] < /path/to/quarantine/message'.
> Regards,
> Steve.
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

From ssilva at sgvwater.com Thu Feb 19 19:34:15 2009
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Feb 19 19:34:33 2009
Subject: How to browse infected messages in quarantine?
In-Reply-To: <499DB08B.1040909@fsl.com>
References: <499DB08B.1040909@fsl.com>
Message-ID:

on 2-19-2009 11:18 AM Steve Freegard spake the following:
> Hi Jason,
>
> Jason Voorhees wrote:
>> Hi people:
>>
>> I'm sure this is a pretty easy question but I'm still unable to find
>> the appropriate directive(s) to achieve it. I quarantine all spam
>> messages and I can browse them later using MailWatch.
>> But when MailScanner finds a Virus in a message using ClamAV, I can
>> see that it is sent to quarantine too, I see it in the list of
>> quarantined messages through MailWatch but I can't see its content nor
>> release the infected message.
>>
>> What should I change in my configuration to be able to browse and
>> release infected messages in quarantine?
>
> You can't do anything through MailWatch if the message is marked as
> Virus infected; I considered that a security feature when I wrote it.
>
> You'll have to release it the old-fashioned way 'sendmail -i -f [sender]
> [recipient] < /path/to/quarantine/message'.
>
> Regards,
> Steve.

Or hack MailWatch if you feel bold.
In detail.php look for;

    // Don't allow message to be released if it is marked as 'dangerous'
    // Currently this only applies to messages that contain viruses.
    if($item['dangerous'] !== "Y") {

And change to;

    if($item['dangerous'] !== "r") {

I don't remember why the "r", but it can't be "Y" for sure.

Remember!!! If you break it, you get to keep the pieces.
Make a copy of anything you change.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc Type: application/pgp-signature Size: 258 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090219/3b32d289/signature.bin From steve.freegard at fsl.com Thu Feb 19 19:35:39 2009 From: steve.freegard at fsl.com (Steve Freegard) Date: Thu Feb 19 19:35:49 2009 Subject: How to browse infected messages in quarantine? In-Reply-To: References: <499DB08B.1040909@fsl.com> Message-ID: <499DB48B.2000109@fsl.com> Jason Voorhees wrote: > So you mean ... > > 1. Are you one of the developers of MailWatch? Yes. I'm the only developer. > 2. The limitation of browsing the infected files is at Mailwatch? So > MS doesn't have anything to do about this? Yes. If the file is infected - MailWatch does not allow it to be viewed or released. Regards, Steve. From ssilva at sgvwater.com Thu Feb 19 19:40:33 2009 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Feb 19 19:40:52 2009 Subject: How to browse infected messages in quarantine? In-Reply-To: References: <499DB08B.1040909@fsl.com> Message-ID: > So you mean ... > > 1. Are you one of the developers of MailWatch? He is THE developer of Mailwatch > 2. The limitation of browsing the infected files is at Mailwatch? Yes > So MS doesn't have anything to do about this? There are other issues in mailscanner that have to be addressed to allow the messages to pass. Be careful in these so you don't leave your system open. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 258 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090219/8ba92255/signature.bin From jvoorhees1 at gmail.com Thu Feb 19 19:42:49 2009 
From: jvoorhees1 at gmail.com (Jason Voorhees)
Date: Thu Feb 19 19:42:59 2009
Subject: How to browse infected messages in quarantine?
In-Reply-To:
References: <499DB08B.1040909@fsl.com>
Message-ID:

On Thu, Feb 19, 2009 at 2:34 PM, Scott Silva wrote:
> on 2-19-2009 11:18 AM Steve Freegard spake the following:
>> Hi Jason,
>>
>> Jason Voorhees wrote:
>>> Hi people:
>>>
>>> I'm sure this is a pretty easy question but I'm still unable to find
>>> the appropriate directive(s) to achieve it. I quarantine all spam
>>> messages and I can browse them later using MailWatch.
>>> But when MailScanner finds a Virus in a message using ClamAV, I can
>>> see that it is sent to quarantine too, I see it in the list of
>>> quarantined messages through MailWatch but I can't see its content nor
>>> release the infected message.
>>>
>>> What should I change in my configuration to be able to browse and
>>> release infected messages in quarantine?
>>
>> You can't do anything through MailWatch if the message is marked as
>> Virus infected; I considered that a security feature when I wrote it.
>>
>> You'll have to release it the old-fashioned way 'sendmail -i -f [sender]
>> [recipient] < /path/to/quarantine/message'.
>>
>> Regards,
>> Steve.
> Or hack MailWatch if you feel bold.
> In detail.php look for;
>
> // Don't allow message to be released if it is marked as 'dangerous'
> // Currently this only applies to messages that contain viruses.
> if($item['dangerous'] !== "Y") {
>
> And change to;
> if($item['dangerous'] !== "r") {
>

Thanks, and I also changed the code to view the infected message.

I only wanted to know if it was MailScanner that prevented me from
browsing/releasing the infected message. Now I know that Mailwatch was
responsible for this.

Thanks again

> I don't remember why the "r", but it can't be "Y" for sure.
>
>
> Remember!!! If you break it, you get to keep the pieces.
> Make a copy of anything you change.
>
> --
> MailScanner is like deodorant...
> You hope everybody uses it, and > you notice quickly if they don't!!!! > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > From ssilva at sgvwater.com Thu Feb 19 19:54:32 2009 
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Feb 19 19:54:51 2009
Subject: How to browse infected messages in quarantine?
In-Reply-To:
References: <499DB08B.1040909@fsl.com>
Message-ID:

on 2-19-2009 11:42 AM Jason Voorhees spake the following:
> On Thu, Feb 19, 2009 at 2:34 PM, Scott Silva wrote:
>> on 2-19-2009 11:18 AM Steve Freegard spake the following:
>>> Hi Jason,
>>>
>>> Jason Voorhees wrote:
>>>> Hi people:
>>>>
>>>> I'm sure this is a pretty easy question but I'm still unable to find
>>>> the appropriate directive(s) to achieve it. I quarantine all spam
>>>> messages and I can browse them later using MailWatch.
>>>> But when MailScanner finds a Virus in a message using ClamAV, I can
>>>> see that it is sent to quarantine too, I see it in the list of
>>>> quarantined messages through MailWatch but I can't see its content nor
>>>> release the infected message.
>>>>
>>>> What should I change in my configuration to be able to browse and
>>>> release infected messages in quarantine?
>>> You can't do anything through MailWatch if the message is marked as
>>> Virus infected; I considered that a security feature when I wrote it.
>>>
>>> You'll have to release it the old-fashioned way 'sendmail -i -f [sender]
>>> [recipient] < /path/to/quarantine/message'.
>>>
>>> Regards,
>>> Steve.
>> Or hack MailWatch if you feel bold.
>> In detail.php look for;
>>
>> // Don't allow message to be released if it is marked as 'dangerous'
>> // Currently this only applies to messages that contain viruses.
>> if($item['dangerous'] !== "Y") {
>>
>> And change to;
>> if($item['dangerous'] !== "r") {
>>
> Thanks, and I also changed the code to view the infected message.
>
> I only wanted to know if it was MailScanner that prevented me from
> browsing/releasing the infected message. Now I know that Mailwatch was
> responsible for this.

Mailscanner will also interfere with this unless it is "tweaked".
Otherwise it will re-detect the virus and re-quarantine it.

> > Thanks again >> I don't remember why the "r", but it can't be "Y" for sure. >> >> >> Remember!!! If you break it, you get to keep the pieces. >> Make a copy of anything you change. >> >> -- >> MailScanner is like deodorant... >> You hope everybody uses it, and >> you notice quickly if they don't!!!! >> >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> >> -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 258 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090219/ecb61a31/signature.bin From MailScanner at ecs.soton.ac.uk Thu Feb 19 20:39:44 2009 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Feb 19 20:40:18 2009 Subject: How to browse infected messages in quarantine? In-Reply-To: References: <499DB08B.1040909@fsl.com> <499DC390.2080707@ecs.soton.ac.uk> Message-ID: On 19/2/09 19:34, Scott Silva wrote: > Remember!!! If you break it, you get to keep the pieces. > Make a copy of anything you change. And remember that your customers and users get to collect the gaps you left between the pieces... :-( Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mrm at medicine.wisc.edu Thu Feb 19 22:11:52 2009 
From: mrm at medicine.wisc.edu (Michael Masse)
Date: Thu Feb 19 22:12:16 2009
Subject: Fragmentation
In-Reply-To: <499D3E39.5050807@ecs.soton.ac.uk>
References: <499D3E39.5050807@ecs.soton.ac.uk>
Message-ID: <499D84CA.7CBE.00FC.3@medicine.wisc.edu>

>>> On 2/19/2009 at 5:10 AM, in message , Julian Field wrote:
>
> On 12/2/09 22:56, Mike Masse wrote:
>> One of my users received an Outlook express fragmented email message
>> and kudos to MailScanner because it didn't know how to handle the
>> second portion of the email and it quarantined it. This could very
>> well be related to:
>>
>> http://www.esecurityplanet.com/trends/article.php/1463161/Security-Firm-Outlook-Express-Can-Be-Used-To-Bypass-Email-Filters.htm
>>
>>
>> I searched the archive for fragmentation and did not get any results, so:
>>
>> Can MailScanner be set to properly detect and log and quarantine these
>> fragmented emails vs what my system is doing right now which is only
>> quarantining because it doesn't know what to do with the attachment.
>> The fact that the email doesn't come through is fantastic, but without
>> the logging bit, it's difficult to track down why for explanation
>> purposes to clients.
>>
> Yes, MailScanner does detect fragmented messages and rejects them.
> Imagine what would happen if you started storing them and attempting to
> reassemble them. Here's message 1 of 1,000,000. Here's a different
> message 1 of 1,000,000. And so on. DoS attack very easily!
>
> What extra logging would you like it to do?
>
> Jules

Thanks for replying. It turns out that it did detect the fragmentation
and logged it as so, so never mind. Keep up the good work!

--Mike

From MailScanner at ecs.soton.ac.uk Fri Feb 20 16:04:33 2009
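
Added example for the "Fragmentation" thread above, not MailScanner's own code (which is Perl): fragmented mail of this kind is MIME message/partial (RFC 2046), where each piece carries id, number and total parameters. This Python example flags a fragment from its headers alone, and simulates a filter that stores fragments for reassembly to show the unbounded state Julian describes. The sample messages, addresses and function names are constructed for illustration.

```python
from email.parser import HeaderParser
from email.utils import collapse_rfc2231_value

# Constructed sample: an ordinary, unfragmented message.
ORDINARY = (
    "From: sender@example.org\n"
    "To: user@example.net\n"
    "Content-Type: text/plain\n"
    "\n"
    "hello\n"
)


def make_fragment(frag_id, number, total):
    """Constructed sample: one message/partial fragment with a folded header."""
    return (
        "From: sender@example.org\n"
        "To: user@example.net\n"
        "MIME-Version: 1.0\n"
        'Content-Type: message/partial; id="%s";\n'
        " number=%d; total=%d\n"
        "\n"
        "(chunk of the original message)\n"
    ) % (frag_id, number, total)


def _as_int(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return None  # missing or malformed parameter


def fragment_info(raw):
    """Return (id, number, total) for a message/partial fragment, else None."""
    msg = HeaderParser().parsestr(raw)  # headers only; the body is never parsed
    if msg.get_content_type() != "message/partial":
        return None
    frag_id = collapse_rfc2231_value(msg.get_param("id", ""))
    return (frag_id, _as_int(msg.get_param("number")), _as_int(msg.get_param("total")))


def verdict(raw):
    """Stateless policy: fragments are quarantined and logged, never stored."""
    info = fragment_info(raw)
    if info is None:
        return "scan"
    return "quarantine: message/partial fragment %s of %s, id=%s" % (
        info[1], info[2], info[0])


def held_by_reassembler(raw_messages):
    """Count fragment sets a reassembling filter would still be holding."""
    pending = {}  # fragment id -> fragment numbers seen and the claimed total
    for raw in raw_messages:
        info = fragment_info(raw)
        if info is None:
            continue
        frag_id, number, total = info
        entry = pending.setdefault(frag_id, {"seen": set(), "total": None})
        if number is not None:
            entry["seen"].add(number)
        entry["total"] = total or entry["total"]
        if entry["total"] and len(entry["seen"]) == entry["total"]:
            del pending[frag_id]  # complete set: could be reassembled and scanned
    return len(pending)


if __name__ == "__main__":
    flood = [make_fragment("set%d@example.org" % i, 1, 1000000) for i in range(50)]
    print(verdict(flood[0]))
    print("sets held by a reassembling filter:", held_by_reassembler(flood))
```
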
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Feb 20 16:04:53 2009 Subject: Kind of OT: guess what I found! References: <499ED491.4020406@ecs.soton.ac.uk> Message-ID: I was hunting around looking for some old sendmail mc files I wrote many years ago. They appear to have been lost long ago, but look what I found instead! MailScanner version 1, even before it had the name MailScanner. It's a grand total of 1,035 lines of Perl code, which is 20% smaller than the previous oldest version I had found. Anyway, for the archives, it is attached. Now you can see quite how ropey some of my old code was back in May 2000 when all this got started one long lunchtime. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- A non-text attachment was scrubbed... Name: MailScanner-Version1.tgz Type: application/x-gzip Size: 9335 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090220/a76251a1/MailScanner-Version1.tgz From doc at maddoc.net Fri Feb 20 16:17:43 2009 
From: doc at maddoc.net (Doc Schneider) Date: Fri Feb 20 16:17:56 2009 Subject: Kind of OT: guess what I found! In-Reply-To: References: <499ED491.4020406@ecs.soton.ac.uk> Message-ID: <499ED7A7.8060702@maddoc.net> Julian Field wrote: > I was hunting around looking for some old sendmail mc files I wrote many > years ago. They appear to have been lost long ago, but look what I found > instead! > > MailScanner version 1, even before it had the name MailScanner. It's a > grand total of 1,035 lines of Perl code, which is 20% smaller than the > previous oldest version I had found. > > Anyway, for the archives, it is attached. Now you can see quite how > ropey some of my old code was back in May 2000 when all this got started > one long lunchtime. > > Jules > Amazing what 9 years worth of work get you, eh? -- -Doc Lincoln, NE. http://www.fsl.com/ http://www.genealogyforyou.com/ http://www.cairnproductions.com/ From ka at pacific.net Fri Feb 20 17:20:22 2009 From: ka at pacific.net (Ken A) Date: Fri Feb 20 17:20:43 2009 Subject: pdf zeroday :-( Message-ID: <499EE656.60504@pacific.net> Anybody know how to get MailScanner to flag PDF documents containing JavaScript? http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090219 Ken From glenn at mail.txwes.edu Fri Feb 20 17:27:53 2009 
From: glenn at mail.txwes.edu (Glenn) Date: Fri Feb 20 17:29:49 2009 Subject: Malformed UTF-8 Error Message Message-ID: <20090220170949.M27101@mail.txwes.edu> I am running MailScanner with Sendmail on Red Hat EL3. This installation ran fine until I put MailScanner 4.73.4-2 on it, along with the Perl module updates from the MailScanner web site and the ClamAV update available at the time. When starting MailScanner, I receive the error message: "Malformed UTF-8 character (unexpected continuation byte 0xbb, with no preceding start byte) at /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 3303." I recently updated MailScanner to version 4.74.16-1 and again added the Perl module updates from the MailScanner web site and updated ClamAV to version 0.94.2. I still get the same error when starting MailScanner with "service MailScanner start". Sometimes MailScanner does not actually start, and when that happens there is no error message, although the command returns "[OK]". Also, adding the Perl modules seems to have caused a conflict with the Red Hat "up2date" updater, as it refuses to download updates, saying: "package perl-5.8.0-98.EL3 is already installed". I have another installation of MailScanner on a Red Hat EL4 box that works fine. Is there a way to fix my EL3 box without going to a new version of the OS? Thanks. -G. From ms-list at alexb.ch Fri Feb 20 17:55:23 2009 From: ms-list at alexb.ch (Alex Broens) Date: Fri Feb 20 17:55:32 2009 Subject: pdf zeroday :-( In-Reply-To: <499EE656.60504@pacific.net> References: <499EE656.60504@pacific.net> Message-ID: <499EEE8B.3040301@alexb.ch> On 2/20/2009 6:20 PM, Ken A wrote: > Anybody know how to get MailScanner to flag PDF documents containing > JavaScript? > > http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090219 Pls send me a copy offlist and I'll make a PDFinfo SA rule for it. Alex From james at gray.net.au Fri Feb 20 22:54:01 2009 
From: james at gray.net.au (James Gray) Date: Fri Feb 20 22:54:37 2009 Subject: "New" e-mail phishing scam Message-ID: Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 2417 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090221/ff9e9266/smime.bin From jaearick at colby.edu Fri Feb 20 23:09:36 2009 
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Fri Feb 20 23:09:52 2009
Subject: "New" e-mail phishing scam
In-Reply-To:
References:
Message-ID:

It is interesting that the owner of the netblock is yahoo.com:

nslookup email-helpdesk.com
Server: 137.146.28.132
Address: 137.146.28.132#53

Non-authoritative answer:
Name: email-helpdesk.com
Address: 68.180.151.74

whonum 68.180.151.74
[Querying whois.arin.net]
[whois.arin.net]

OrgName: Yahoo
OrgID: YHOO
Address: 701 First Ave
City: Sunnyvale
StateProv: CA
PostalCode: 94089
Country: US

NetRange: 68.180.128.0 - 68.180.255.255
CIDR: 68.180.128.0/17
NetName: A-YAHOO-US6
NetHandle: NET-68-180-128-0-1
Parent: NET-68-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.YAHOO.COM
NameServer: NS2.YAHOO.COM
NameServer: NS3.YAHOO.COM
NameServer: NS4.YAHOO.COM
NameServer: NS5.YAHOO.COM
Comment:
RegDate: 2006-09-22
Updated: 2007-05-02

RAbuseHandle: NETWO857-ARIN
RAbuseName: Network Abuse
RAbusePhone: +1-408-349-3300
RAbuseEmail: network-abuse@cc.yahoo-inc.com

RTechHandle: NA258-ARIN
RTechName: Netblock Admin
RTechPhone: +1-408-349-3300
RTechEmail: jluster@yahoo-inc.com

OrgAbuseHandle: NETWO857-ARIN
OrgAbuseName: Network Abuse
OrgAbusePhone: +1-408-349-3300
OrgAbuseEmail: network-abuse@cc.yahoo-inc.com

OrgTechHandle: NA258-ARIN
OrgTechName: Netblock Admin
OrgTechPhone: +1-408-349-3300
OrgTechEmail: jluster@yahoo-inc.com

# ARIN WHOIS database, last updated 2009-02-19 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

On Sat, 21 Feb 2009, James Gray wrote:

> Date: Sat, 21 Feb 2009 09:54:01 +1100
> From: James Gray > Reply-To: MailScanner discussion > To: MailScanner Discussion List > Subject: "New" e-mail phishing scam > > http://isc.sans.org/diary.html?storyid=5905 > > Nothing particularly novel about the approach, but instead of sending out > messages from a spoofed "known" domain (foo@yahoo.com, foo@gmail.com etc) the > phishers registered "email-helpdesk.com". I've black-holed that domain at > the MTA. Thought it was worth sharing :) > > Cheers, > > James From ssilva at sgvwater.com Sat Feb 21 00:43:24 2009 
From: ssilva at sgvwater.com (Scott Silva) Date: Sat Feb 21 00:43:42 2009 Subject: Kind of OT: guess what I found! In-Reply-To: <499ED7A7.8060702@maddoc.net> References: <499ED491.4020406@ecs.soton.ac.uk> <499ED7A7.8060702@maddoc.net> Message-ID: on 2-20-2009 8:17 AM Doc Schneider spake the following: > Julian Field wrote: >> I was hunting around looking for some old sendmail mc files I wrote >> many years ago. They appear to have been lost long ago, but look what >> I found instead! >> >> MailScanner version 1, even before it had the name MailScanner. It's a >> grand total of 1,035 lines of Perl code, which is 20% smaller than the >> previous oldest version I had found. >> >> Anyway, for the archives, it is attached. Now you can see quite how >> ropey some of my old code was back in May 2000 when all this got >> started one long lunchtime. >> >> Jules >> > > Amazing what 9 years worth of work get you, eh? > For some reason Julian's posts are not making it to the gmane archive. Jules, are you setting an x-no-archive header or something? I guess I won't see his response.... That's kind of a paradox! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 258 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090220/3adcbe34/signature.bin From doc at maddoc.net Sat Feb 21 01:25:41 2009 
From: doc at maddoc.net (Doc Schneider) Date: Sat Feb 21 01:25:54 2009 Subject: Kind of OT: guess what I found! In-Reply-To: References: <499ED491.4020406@ecs.soton.ac.uk> <499ED7A7.8060702@maddoc.net> Message-ID: <499F5815.8010005@maddoc.net> Scott Silva wrote: > on 2-20-2009 8:17 AM Doc Schneider spake the following: >> Julian Field wrote: >>> I was hunting around looking for some old sendmail mc files I wrote >>> many years ago. They appear to have been lost long ago, but look what >>> I found instead! >>> >>> MailScanner version 1, even before it had the name MailScanner. It's a >>> grand total of 1,035 lines of Perl code, which is 20% smaller than the >>> previous oldest version I had found. >>> >>> Anyway, for the archives, it is attached. Now you can see quite how >>> ropey some of my old code was back in May 2000 when all this got >>> started one long lunchtime. >>> >>> Jules >>> >> Amazing what 9 years worth of work get you, eh? >> > For some reason Julian's posts are not making it to the gmane archive. Jules, > are you setting an x-no-archive header or something? > > I guess I won't see his response.... That's kind of a paradox! HAR! I am a married Doc not a pair of docs! Sorry had to be said! I know punny punny... I looked through the headers of his original message and didn't see anything obviously x-no-archive but might not be in there once it hits the list. -- -Doc Lincoln, NE. http://www.fsl.com/ http://www.genealogyforyou.com/ http://www.cairnproductions.com/ From MailScanner at ecs.soton.ac.uk Sat Feb 21 10:54:38 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sat Feb 21 10:54:58 2009 Subject: Kind of OT: guess what I found! In-Reply-To: References: <499ED491.4020406@ecs.soton.ac.uk> <499ED7A7.8060702@maddoc.net> <499FDD6E.9030908@ecs.soton.ac.uk> Message-ID: On 21/2/09 00:43, Scott Silva wrote: > on 2-20-2009 8:17 AM Doc Schneider spake the following: > >> Julian Field wrote: >> >>> I was hunting around looking for some old sendmail mc files I wrote >>> many years ago. They appear to have been lost long ago, but look what >>> I found instead! >>> >>> MailScanner version 1, even before it had the name MailScanner. It's a >>> grand total of 1,035 lines of Perl code, which is 20% smaller than the >>> previous oldest version I had found. >>> >>> Anyway, for the archives, it is attached. Now you can see quite how >>> ropey some of my old code was back in May 2000 when all this got >>> started one long lunchtime. >>> >>> Jules >>> >>> >> Amazing what 9 years worth of work get you, eh? >> >> > For some reason Julian's posts are not making it to the gmane archive. Jules, > are you setting an x-no-archive header or something? > > I guess I won't see his response.... That's kind of a paradox! > As far as I am aware there are no special or strange headers in my posts, I just send them using Thunderbird, nothing clever. (currently using Shredder 3.0b3pre). Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Sat Feb 21 11:01:18 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sat Feb 21 11:01:36 2009 Subject: "New" e-mail phishing scam In-Reply-To: References: <499FDEFE.9000009@ecs.soton.ac.uk> Message-ID: This is called "spear phishing". We get it all the time and it's what my previous work will catch for you. Take a look in my Logbook at www.jules.fm and you'll see the article about it, along with all the code you need to stop these attacks. Sorry to say this, but it's old news from what I can see. On 20/2/09 22:54, James Gray wrote: > http://isc.sans.org/diary.html?storyid=5905 > > Nothing particularly novel about the approach, but instead of sending > out messages from a spoofed "known" domain (foo@yahoo.com > , foo@gmail.com etc) the > phishers registered "email-helpdesk.com". I've black-holed that > domain at the MTA. Thought it was worth sharing :) > > Cheers, > > James Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mark at msapiro.net Sat Feb 21 16:26:25 2009 
From: mark at msapiro.net (Mark Sapiro) Date: Sat Feb 21 16:26:36 2009 Subject: Kind of OT: guess what I found! In-Reply-To: References: <499ED491.4020406@ecs.soton.ac.uk> <499ED7A7.8060702@maddoc.net> Message-ID: <20090221162625.GA3704@msapiro> On Fri, Feb 20, 2009 at 04:43:24PM -0800, Scott Silva wrote: > For some reason Julian's posts are not making it to the gmane archive. Jules, > are you setting an x-no-archive header or something? It's not an x-no-archive: header or an x-archive: no header or the posts wouldn't be in and they are. -- Mark Sapiro mark at msapiro net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From J.Ede at birchenallhowden.co.uk Sun Feb 22 09:06:42 2009 From: J.Ede at birchenallhowden.co.uk (Jason Ede) Date: Sun Feb 22 09:07:03 2009 Subject: Spam from an IP range... Message-ID: <1213490F1F316842A544A850422BFA961C09C88E@BHLSBS.bhl.local> Over the last few days I've noticed we're getting a lot of spam from the IP range 209.152.178.0/24 Normally with subjects such as Win Free Laser Eye Surgery - Optical Express For example... X-Greylist: delayed 00:20:01 by SQLgrey-1.7.5 Received: from permforce.com (248.permforce.com [209.152.178.248]) by gateway.birchenallhowden.com (Postfix) with ESMTP id 981F71D707EA for ; Sun, 22 Feb 2009 08:44:03 +0000 (GMT) Received: by permforce.com id hk48560ikece for < XXXX@XXXXXXXXX >; Sun, 22 Feb 2009 08:24:00 +0000 (envelope-from ) Date: 22 Feb 2009 08:24:00 GMT Message-Id: <11F9D156843.9Dk4F71C@permforce.com> 
From: Vision Repair To: XXXX@XXXXXXXXX Subject: Win Free Laser Eye Surgery - Optical Express Mime-Version: 1.0 Content-Type: text/html; charset="ISO-8859-1" They're coming from different addresses in that range and different domains such as unaskedtool.com unaskeddrive.com. The emails are all getting nuked by spamassassin and sanesecurity defs so far. Does anyone else know much about this range and if could just safely block the entire /24 range? Jason -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090222/7d7fab46/attachment.html From kc5goi at gmail.com Sun Feb 22 20:11:43 2009 From: kc5goi at gmail.com (Guy Story KC5GOI) Date: Sun Feb 22 20:11:55 2009 Subject: Spam from an IP range... In-Reply-To: <1213490F1F316842A544A850422BFA961C09C88E@BHLSBS.bhl.local> References: <1213490F1F316842A544A850422BFA961C09C88E@BHLSBS.bhl.local> Message-ID: On Sun, Feb 22, 2009 at 3:06 AM, Jason Ede wrote: > Over the last few days I've noticed we're getting a lot of spam from the > IP range 209.152.178.0/24 > > > > Normally with subjects such as Win Free Laser Eye Surgery - Optical Express > > > > For example... > > > > X-Greylist: delayed 00:20:01 by SQLgrey-1.7.5 > Received: from permforce.com (248.permforce.com [209.152.178.248]) > by gateway.birchenallhowden.com (Postfix) with ESMTP id 981F71D707EA > for ; Sun, 22 Feb 2009 08:44:03 +0000 (GMT) > Received: by permforce.com id hk48560ikece for < XXXX@XXXXXXXXX >; Sun, 22 > Feb 2009 08:24:00 +0000 (envelope-from ) > Date: 22 Feb 2009 08:24:00 GMT > Message-Id: <11F9D156843.9Dk4F71C@permforce.com> 
> From: Vision Repair
> To: XXXX@XXXXXXXXX
> Subject: Win Free Laser Eye Surgery - Optical Express
> Mime-Version: 1.0
> Content-Type: text/html; charset="ISO-8859-1"
>
> They're coming from different addresses in that range and different domains
> such as unaskedtool.com unaskeddrive.com. The emails are all getting nuked
> by spamassassin and sanesecurity defs so far.
>
> Does anyone else know much about this range and if could just safely block
> the entire /24 range?
>

John,

I use a table in Postfix to block ranges but the same thing can be done in MailScanner. Blocking by IP address range is a major player on my UCE control. Worst case you may have to white list a specific address in that range. I use my spam.blacklist.rule to do this. In the past I had the spam rules deal with this in MailScanner. If you approve an IP address in that range, make sure it is at the top of the list and the ones you want to block at the bottom. You can do it by CIDR notation or regex entries. I have both. As far as how safe that specific range is, that is up to you. A whois lookup shows that block belongs to a /19 for a hosting company. My reason for Postfix doing it first is if I deny the connection, then Postfix and MailScanner have less to process. What my IP address table does not address, MailScanner does.

Guy

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090222/d671015c/attachment.html

From maillists at conactive.com Sun Feb 22 21:31:16 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Sun Feb 22 21:31:31 2009
Subject: Spam from an IP range...
In-Reply-To: <1213490F1F316842A544A850422BFA961C09C88E@BHLSBS.bhl.local>
References: <1213490F1F316842A544A850422BFA961C09C88E@BHLSBS.bhl.local>
Message-ID:

Jason Ede wrote on Sun, 22 Feb 2009 09:06:42 +0000:

> Does anyone else know much about this range and if could just safely block the entire /24 range?

Just grep your logs and if there is no legitimate traffic, block the CIDR that includes all the mail you got. It's common that ISPs give whole netblocks to a client rack. And contact the abuse dept. of that ISP in case it's not a safe haven.

OrgName: WebHostPlus Inc
OrgID: WEBHO-3
Address: 1021 Market Street
City: Paterson
StateProv: NJ
PostalCode: 07513
Country: US
ReferralServer: rwhois://whois.webhostplus.net:4321
NetRange: 209.152.160.0 - 209.152.191.255
CIDR: 209.152.160.0/19
NetName: NET-209-152-160-0-19
NetHandle: NET-209-152-160-0-2
Parent: NET-209-0-0-0-0
NetType: Direct Allocation
NameServer: DNS1.SPEEDHOSTING.COM
NameServer: DNS2.SPEEDHOSTING.COM
Comment:
RegDate: 2002-06-12
Updated: 2008-02-25
OrgAbuseHandle: ABUSE396-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-212-600-9290
OrgAbuseEmail: abuse@speedhosting.com
OrgTechHandle: WEBHO1-ARIN
OrgTechName: Network Operations Center
OrgTechPhone: +1-212-600-6290
OrgTechEmail: noc@speedhosting.com
# ARIN WHOIS database, last updated 2009-02-21 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From mailscanner at barendse.to Mon Feb 23 08:41:56 2009
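The checks suggested in the "Spam from an IP range..." thread above (look in the logs for traffic from the range before blocking it, block the CIDR that covers what was seen, and keep any approved address above the blocked range), as an added Python example that is not part of any list member's post. The log lines, the approved address 209.152.178.200 and the action names are constructed, and the rule list only models first-match ordering; it is not Postfix or MailScanner file syntax.

```python
import ipaddress
import re
from collections import Counter

# Constructed Postfix smtpd log lines. Only 209.152.178.248 / permforce.com
# appears in the thread; every other host and address here is made up.
SAMPLE_LOG = """\
Feb 22 08:24:01 gateway postfix/smtpd[2101]: connect from 248.permforce.com[209.152.178.248]
Feb 22 08:31:17 gateway postfix/smtpd[2104]: connect from mail.example.org[192.0.2.25]
Feb 22 08:40:52 gateway postfix/smtpd[2110]: connect from unknown[209.152.178.17]
Feb 22 08:44:03 gateway postfix/smtpd[2113]: connect from 248.permforce.com[209.152.178.248]
Feb 22 09:02:40 gateway postfix/smtpd[2120]: connect from unknown[209.152.179.5]
Feb 22 09:15:09 gateway postfix/smtpd[2125]: connect from partner.example.net[209.152.178.200]
"""

CONNECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: connect from (\S+)\[([0-9A-Fa-f.:]+)\]"
)


def clients_in_range(log_text, cidr):
    """Count connections per (address, hostname) for clients inside cidr.

    This is the "grep your logs" step: the result is the list a person has
    to review for legitimate senders before the range is blocked.
    """
    net = ipaddress.ip_network(cidr)
    seen = Counter()
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # not a parsable address, ignore the line
        if addr in net:
            seen[(m.group(2), m.group(1))] += 1
    return seen


def covering_network(addresses):
    """Smallest single CIDR block that contains every address given."""
    addrs = [ipaddress.ip_address(a) for a in addresses]
    if not addrs or len({a.version for a in addrs}) != 1:
        raise ValueError("need one or more addresses of the same IP version")
    first = addrs[0]
    net = ipaddress.ip_network(f"{first}/{first.max_prefixlen}")
    while not all(a in net for a in addrs):
        net = net.supernet()  # widen by one bit at a time
    return net


def first_match(address, rules, default="DUNNO"):
    """Return the action of the first rule whose network contains address."""
    addr = ipaddress.ip_address(address)
    for pattern, action in rules:
        if addr in ipaddress.ip_network(pattern):
            return action
    return default


# Approved address listed above the blocked range, as advised in the thread.
ALLOW_FIRST = [("209.152.178.200/32", "OK"), ("209.152.178.0/24", "REJECT")]
# Same entries in the wrong order: the /24 matches first and shadows the /32.
BLOCK_FIRST = list(reversed(ALLOW_FIRST))

if __name__ == "__main__":
    for (ip, host), n in sorted(clients_in_range(SAMPLE_LOG, "209.152.178.0/24").items()):
        print(f"{n:3d}  {ip:<16} {host}")
    print("covering block:", covering_network(["209.152.178.248", "209.152.178.17"]))
    for name, rules in (("allow first", ALLOW_FIRST), ("block first", BLOCK_FIRST)):
        print(name, "->", first_match("209.152.178.200", rules))
```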
From: mailscanner at barendse.to (Remco Barendse) Date: Mon Feb 23 08:42:24 2009 Subject: Up2date perl problem package perl-5.8.5-36.el4_6.3 is already installed Message-ID: I am running rhel-i386-es-4 and i have a problem running up2date : Name Version Rel ---------------------------------------------------------- perl 5.8.5 36.el4_6.3 i386 Testing package set / solving RPM inter-dependencies... RPM package conflict error. The message was: Test install failed because of package conflicts: package perl-5.8.5-36.el4_6.3 is already installed I did some googling, and i found a message stating that the perl error is caused by a perl module MailScanner installed unfortunately no solution. The remark there was that they contacted RedHat for support and then the problem got solved. Now i could do the same but unfortunately this is a server i am supporting on the other side of the world and the support contract is with RedHat in Japan so contacting them is not so easy for me. Some other post suggested to try and force uninstall of perl and then re-installing it, however i have never tried this before and i am pretty scared of messing up a production server i have extremely difficult physical access to. If the problem is indeed caused by a perl module MailScanner installed, does anybody know how to solve this problem? Thanks!! From mailscanner at barendse.to Mon Feb 23 08:48:07 2009 
From: mailscanner at barendse.to (Remco Barendse) Date: Mon Feb 23 08:48:26 2009 Subject: Up2date perl problem package perl-5.8.5-36.el4_6.3 is already installed Message-ID: I am running rhel-i386-es-4 and i have a problem running up2date : Name Version Rel ---------------------------------------------------------- perl 5.8.5 36.el4_6.3 i386 Testing package set / solving RPM inter-dependencies... RPM package conflict error. The message was: Test install failed because of package conflicts: package perl-5.8.5-36.el4_6.3 is already installed I did some googling, and i found a message stating that the perl error is caused by a perl module MailScanner installed unfortunately no solution. The remark there was that they contacted RedHat for support and then the problem got solved. Now i could do the same but unfortunately this is a server i am supporting on the other side of the world and the support contract is with RedHat in Japan so contacting them is not so easy for me. Some other post suggested to try and force uninstall of perl and then re-installing it, however i have never tried this before and i am pretty scared of messing up a production server i have extremely difficult physical access to. If the problem is indeed caused by a perl module MailScanner installed, does anybody know how to solve this problem? Thanks!! From steve.freegard at fsl.com Mon Feb 23 09:11:56 2009 
From: steve.freegard at fsl.com (Steve Freegard) Date: Mon Feb 23 09:12:08 2009 Subject: Up2date perl problem package perl-5.8.5-36.el4_6.3 is already installed In-Reply-To: References: Message-ID: <49A2685C.5050201@fsl.com> Remco Barendse wrote: > I am running rhel-i386-es-4 and i have a problem running up2date : > > Name Version Rel > ---------------------------------------------------------- > perl 5.8.5 36.el4_6.3 i386 > > Testing package set / solving RPM inter-dependencies... > RPM package conflict error. The message was: > Test install failed because of package conflicts: > package perl-5.8.5-36.el4_6.3 is already installed Have you actually checked to see if this is true? rpm -q perl If it already is perl-5.8.5-36.el4_6.3; then it's already been installed and has nothing to do with MailScanner at all - it's up2date that is wrong; you could try clearing its cache by nuking the /var/spool/up2date directory (or moving it to a .saved). Regards, Steve. From tgc at statsbiblioteket.dk Mon Feb 23 09:35:54 2009 From: tgc at statsbiblioteket.dk (Tom G. Christensen) Date: Mon Feb 23 10:10:27 2009 Subject: Log Spam = yes is too verbose Message-ID: <49A26DFA.8030000@statsbiblioteket.dk> Hello, I recently upgraded from 4.62.9 to 4.74.16 and was sad to see that "Log Spam = yes" now logs the subject of the mails in the maillog. I depend on the output from "Log Spam = yes" to do my stats but I would very much prefer not to have all the garbage from the subjects of spam mails in my maillog. Could we please have a way to turn off just this logging of the subject line? (ie. "Log Spam Subject = no" or something). -tgc From MailScanner at ecs.soton.ac.uk Mon Feb 23 10:25:37 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Feb 23 10:25:56 2009 Subject: Log Spam = yes is too verbose In-Reply-To: <49A26DFA.8030000@statsbiblioteket.dk> References: <49A26DFA.8030000@statsbiblioteket.dk> <49A279A1.3010706@ecs.soton.ac.uk> Message-ID: The relevant place is about line 1146 in /usr/lib/MailScanner/MailScanner/Message.pm, and another place immediately below it. Just delete or comment out the lines of code. I'll add this as another option in the next release. Sorry about that. Jules. On 23/2/09 09:35, Tom G. Christensen wrote: > Hello, > > I recently upgraded from 4.62.9 to 4.74.16 and was sad to see that > "Log Spam = yes" now logs the subject of the mails in the maillog. > > I depend on the output from "Log Spam = yes" to do my stats but I > would very much prefer not to have all the garbage from the subjects > of spam mails in my maillog. > > Could we please have a way to turn of just this logging of the subject > line? (ie. "Log Spam Subject = no" or something). > > -tgc > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From simonmjones at gmail.com Mon Feb 23 10:31:33 2009 
From: simonmjones at gmail.com (Simon Jones) Date: Mon Feb 23 10:31:41 2009 Subject: quarantine release In-Reply-To: <4995B42E.2050103@fsl.com> References: <70572c510902130626x4efadd1aw8cdcbd797ac35df6@mail.gmail.com> <4995B42E.2050103@fsl.com> Message-ID: <70572c510902230231h58fdbbc4i14d34d889d3f106b@mail.gmail.com> 2009/2/13 Steve Freegard : > Simon Jones wrote: >> Hello chaps, >> >> god a problem with releasing from mailwatch, released messages are >> then quarantined again - been trying to sort it for 4 hours now so any >> suggestions would be welcomed! >> >> here's what I have; >> >> /etc/MailScanner/rules/scan.messages.conf >> >> From: postmaster@domain.com no > > Change that to: > > From:127.0.0.1 no > > And get rid of the other rules - they won't do any good. Remember to > reload MailScanner after you've made the changes. > > Regards, > Steve. > -- Thanks Steve, it was releasing OK but there was some strange problem releasing archives, I just disabled the rule in MailScanner.conf and all works fine. I don't think this will cause any big problems to users anyways. Simon From tgc at statsbiblioteket.dk Mon Feb 23 10:52:41 2009 
From: tgc at statsbiblioteket.dk (Tom G. Christensen) Date: Mon Feb 23 10:52:50 2009 Subject: Log Spam = yes is too verbose In-Reply-To: <89954390-de33-4e1e-b199-8d9b82c1ba09@lists.mailscanner.info> References: <49A26DFA.8030000@statsbiblioteket.dk> <49A279A1.3010706@ecs.soton.ac.uk> <89954390-de33-4e1e-b199-8d9b82c1ba09@lists.mailscanner.info> Message-ID: <49A27FF9.7010606@statsbiblioteket.dk> Julian Field wrote: > The relevant place is about line 1146 in > /usr/lib/MailScanner/MailScanner/Message.pm, and another place > immediately below it. Just delete or comment out the lines of code. > That was my conclusion as well but thanks for confirming. > I'll add this as another option in the next release. Sorry about that. > No worries. Since I know that this will now be possible in the next release I can go ahead and patch the current running instance without worrying about future support issues :) -tgc > Jules. > > On 23/2/09 09:35, Tom G. Christensen wrote: >> Hello, >> >> I recently upgraded from 4.62.9 to 4.74.16 and was sad to see that >> "Log Spam = yes" now logs the subject of the mails in the maillog. >> >> I depend on the output from "Log Spam = yes" to do my stats but I >> would very much prefer not to have all the garbage from the subjects >> of spam mails in my maillog. >> >> Could we please have a way to turn off just this logging of the subject >> line? (ie. "Log Spam Subject = no" or something). >> >> -tgc >> > > Jules > From t.d.lee at durham.ac.uk Mon Feb 23 11:24:39 2009 
From: t.d.lee at durham.ac.uk (David Lee)
Date: Mon Feb 23 11:25:09 2009
Subject: Kind of OT: guess what I found!
In-Reply-To:
References: <499ED491.4020406@ecs.soton.ac.uk> <499ED7A7.8060702@maddoc.net> <499FDD6E.9030908@ecs.soton.ac.uk>
Message-ID:

On Sat, 21 Feb 2009, Julian Field wrote:

> On 21/2/09 00:43, Scott Silva wrote:
>> [...]
>> For some reason Julian's posts are not making it to the gmane archive.
>> Jules,
>> are you setting an x-no-archive header or something?
>>
>> I guess I won't see his response.... That's kind of a paradox!
>>
> As far as I am aware there are no special or strange headers in my posts, I
> just send them using Thunderbird, nothing clever. (currently using Shredder
> 3.0b3pre).

I wonder whether it might be the "Message-ID" in Julian's emails?

Here are some of the headers. The 'Message-ID' is wrapped ("folded" in RFC822 terminology), contains spaces, commas and a tab; the tab is probably the result of the folding. RFC822 suggests that 'msg-id' should be "<" addr-spec ">". (As I read it, if its syntax wouldn't be a valid email address, then it wouldn't be a valid 'msg-id' either.)

Chasing down the syntax from there suggests that such a 'Message-ID' would seem borderline at best; my suspicion is that it is beyond the borders. Even if such a Message-ID is technically legal, the "be conservative in what you send" principle might suggest considering a revision.

=========================================
Received: from safir.blacknight.ie (safir.blacknight.ie [83.98.192.7])
    by mailrelay4.dur.ac.uk (8.13.8/8.13.7) with ESMTP id n1LB1jPD015647
    for ; Sat, 21 Feb 2009 11:01:49 GMT
Received: from safir.blacknight.ie (safir.blacknight.ie [127.0.0.1])
    by safir.blacknight.ie (8.13.1/8.13.1) with ESMTP id n1LAvx78007403;
    Sat, 21 Feb 2009 11:01:10 GMT
X-Mailman-Handler: $Id: mm-handler,v 1.2 2002/04/05 19:41:09 bwarsaw Exp $
Received: from falcon.ecs.soton.ac.uk (falcon.ecs.soton.ac.uk [152.78.68.146])
    by safir.blacknight.ie (8.13.1/8.13.1) with ESMTP id n1LAsnKT007264
    for ; Sat, 21 Feb 2009 10:54:56 GMT
Message-ID:
Date: Sat, 21 Feb 2009 10:54:38 +0000
From: Julian Field
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20090220 Shredder/3.0b3pre
MIME-Version: 1.0
To: MailScanner discussion
References: <499ED491.4020406@ecs.soton.ac.uk> <499ED7A7.8060702@maddoc.net> <499FDD6E.9030908@ecs.soton.ac.uk>
In-Reply-To:
=========================================

(It happened to come to my attention for a different reason: a few weeks ago, something started very occasionally tripping some syslog-analysis stuff we do on the campus gateways (i.e. routinely on millions of emails). I had put it on the "get a round tuit sometime" list. This discussion prompted me to look, and discover that the instances seem to be Julian's emails!)

--
: David Lee I.T. Service :
: Senior Systems Programmer Computer Centre :
: UNIX Team Leader Durham University :
: South Road :
: http://www.dur.ac.uk/t.d.lee/ Durham DH1 3LE :
: Phone: +44 191 334 2752 U.K. :

From steve.freegard at fsl.com Mon Feb 23 11:54:20 2009
From: steve.freegard at fsl.com (Steve Freegard)
Date: Mon Feb 23 11:54:31 2009
Subject: Kind of OT: guess what I found!
In-Reply-To:
References: <499ED491.4020406@ecs.soton.ac.uk> <499ED7A7.8060702@maddoc.net> <499FDD6E.9030908@ecs.soton.ac.uk>
Message-ID: <49A28E6C.7070703@fsl.com>

David Lee wrote:
> I wonder whether it might be the "Message-ID" in Julian's emails?
>
> Here are some of the headers. The 'Message-ID' is wrapped ("folded" in
> RFC822 terminology), contains spaces, commas and a tab; the tab is
> probably the result of the folding. RFC822 suggests that 'msg-id'
> should be "<" addr-spec ">". (As I read it, if its syntax wouldn't be a
> valid email address, then it wouldn't be a valid 'msg-id' either.)
>
> Chasing down the syntax from there suggests that such a 'Message-ID'
> would seem borderline at best; my suspicion is that it is beyond the
> borders. Even if such a Message-ID is technically legal, the "be
> conservative in what you send" principle might suggest considering a
> revision.

Hmmm - we recently made changes to the method used for modifying the Message-ID; however something appears to be mangling it. The actual Message-ID is sent as:

e.g. there are no spaces in the string (as you correctly point out this would not be RFC valid if there were spaces within it).

I've had several e-mails to my account directly from Jules and I've been through all of them; none of the MIDs have any spaces in them either. So something is mangling these on input to the list (MailMan??).

I'll do some investigation and see if I can replicate this behaviour and see if I can change the delimiter to something other than a comma.

Kind regards,
Steve.

From t.d.lee at durham.ac.uk Mon Feb 23 12:30:39 2009
From: t.d.lee at durham.ac.uk (David Lee)
Date: Mon Feb 23 12:31:28 2009
Subject: Kind of OT: guess what I found!
In-Reply-To: <49A28E6C.7070703@fsl.com>
References: <499ED491.4020406@ecs.soton.ac.uk> <499ED7A7.8060702@maddoc.net> <499FDD6E.9030908@ecs.soton.ac.uk> <49A28E6C.7070703@fsl.com>
Message-ID:

On Mon, 23 Feb 2009, Steve Freegard wrote:

> David Lee wrote:
>> I wonder whether it might be the "Message-ID" in Julian's emails?
>>
>> Here are some of the headers. The 'Message-ID' is wrapped ("folded" in
>> RFC822 terminology), contains spaces, commas and a tab; the tab is
>> probably the result of the folding. RFC822 suggests that 'msg-id'
>> should be "<" addr-spec ">". (As I read it, if its syntax wouldn't be a
>> valid email address, then it wouldn't be a valid 'msg-id' either.)
>>
>> Chasing down the syntax from there suggests that such a 'Message-ID'
>> would seem borderline at best; my suspicion is that it is beyond the
>> borders. Even if such a Message-ID is technically legal, the "be
>> conservative in what you send" principle might suggest considering a
>> revision.
>
> Hmmm - we recently made changes to the method used for modifying the
> Message-ID; however something appears to be mangling it. The actual
> Message-ID is sent as:
>
>
>
> e.g. there are no spaces in the string (as you correctly point out this
> would not be RFC valid if there were spaces within it).

Thanks for the ack, Steve.

But would even your intended (space-less) version be legal? It contains commas. Chasing down the RFC822 syntax:

msg-id = "<" addr-spec ">"

addr-spec = local-part "@" domain

local-part = word *("." word)

word = atom / quoted-string

atom = 1*

and 'specials' includes ",".

Won't the embedded "," still put you on the wrong side of the law?

--
: David Lee I.T. Service :
: Senior Systems Programmer Computer Centre :
: UNIX Team Leader Durham University :
: South Road :
: http://www.dur.ac.uk/t.d.lee/ Durham DH1 3LE :
: Phone: +44 191 334 2752 U.K.
:

From steve.freegard at fsl.com Mon Feb 23 14:08:32 2009
From: steve.freegard at fsl.com (Steve Freegard)
Date: Mon Feb 23 14:08:44 2009
Subject: Kind of OT: guess what I found!
In-Reply-To:
References: <499ED491.4020406@ecs.soton.ac.uk> <499ED7A7.8060702@maddoc.net> <499FDD6E.9030908@ecs.soton.ac.uk> <49A28E6C.7070703@fsl.com>
Message-ID: <49A2ADE0.4050809@fsl.com>

David Lee wrote:
> Thanks for the ack, Steve.
>
> But would even your intended (space-less) version be legal? It contains
> commas. Chasing down the RFC822 syntax:
>
> msg-id = "<" addr-spec ">"
>
> addr-spec = local-part "@" domain
>
> local-part = word *("." word)
>
> word = atom / quoted-string
>
> atom = 1*
>
> and 'specials' includes ",".
>
> Won't the embedded "," still put you on the wrong side of the law?
>

Yeah - ooops; we definitely missed that. I'm just in the process of getting this changed to use the '|' symbol as a delimiter instead.

Kind Regards,
Steve

From glenn at mail.txwes.edu Mon Feb 23 16:12:49 2009
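The RFC 822 msg-id check worked through in the "Kind of OT" thread above, as an added Python example that is not part of any list member's post. The definitions of atom, quoted-string, domain and specials are filled in from RFC 822 itself (the archive cuts the atom rule short), and the "token" prefix in the sample IDs is constructed, because the real modified Message-ID format does not survive on this page.

```python
import re

# RFC 822 section 3.3: specials are ( ) < > @ , ; : \ " . [ ]
# atom = 1*<any CHAR except specials, SPACE and CTLs>
ATOM = r'[^\x00-\x20\x7f()<>@,;:\\".\[\]]+'
# quoted-string: qtext is any CHAR except <">, "\" and CR; "\" quotes a CHAR
QUOTED = r'"(?:[^"\\\r]|\\[\x00-\x7f])*"'
# domain-literal: "[" *(dtext / quoted-pair) "]"
DOMAIN_LITERAL = r'\[(?:[^\[\]\\\r]|\\[\x00-\x7f])*\]'

WORD = rf'(?:{ATOM}|{QUOTED})'                  # word = atom / quoted-string
SUB_DOMAIN = rf'(?:{ATOM}|{DOMAIN_LITERAL})'    # sub-domain
# msg-id = "<" addr-spec ">", addr-spec = local-part "@" domain
MSG_ID = re.compile(
    rf'<{WORD}(?:\.{WORD})*@{SUB_DOMAIN}(?:\.{SUB_DOMAIN})*>'
)


def diagnose(value):
    """Return None for a valid RFC 822 msg-id, else a short reason.

    The value is the header body after unfolding, so whitespace left over
    from a folded header is still present. Reasons are best-effort: the
    first problem found is reported.
    """
    if value.isascii() and MSG_ID.fullmatch(value):
        return None
    if not (value.startswith("<") and value.endswith(">")):
        return "not enclosed in angle brackets"
    # Characters inside a quoted-string are allowed, so drop those first.
    unquoted = re.sub(QUOTED, "", value[1:-1])
    for ch in unquoted:
        if ch <= " " or ch == "\x7f":
            return "whitespace or control character outside a quoted-string"
    for ch in unquoted:
        if ord(ch) > 127:
            return "non-ASCII character"
        if ch in '(),;:<>\\"':
            return f"special {ch!r} outside a quoted-string"
    if unquoted.count("@") != 1:
        return "expected exactly one '@' outside quoted-strings"
    return "does not match addr-spec"


# Constructed samples. Only 499FDD6E.9030908@ecs.soton.ac.uk comes from the
# thread's References headers; the "token" prefix is hypothetical.
SAMPLES = {
    "plain": "<499FDD6E.9030908@ecs.soton.ac.uk>",
    "comma": "<token,499FDD6E.9030908@ecs.soton.ac.uk>",
    "comma+tab": "<token,\t499FDD6E.9030908@ecs.soton.ac.uk>",
    "pipe": "<token|499FDD6E.9030908@ecs.soton.ac.uk>",
    "quoted comma": '<"token,x"@example.org>',
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:<13} {value!r:<50} {diagnose(value) or 'valid'}")
```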
From: glenn at mail.txwes.edu (Glenn) Date: Mon Feb 23 16:13:01 2009 Subject: Up2date perl problem package perl-5.8.5-36.el4_6.3 is already installed In-Reply-To: References: Message-ID: <20090223155045.M4886@mail.txwes.edu> I'm afraid I must agree with your analysis. Red Hat does not immediately update its Perl packages to the current version, opting instead to patch the version in place. So if we alter Red Hat's Perl by adding modules from a third party, up2date (the Red Hat EL3 and EL4 updater) has difficulty distinguishing the version. I am having the same problem with Red Hat EL3, which uses perl-5.8.0-98.EL3. And yes, rpm indicates that this version is installed. The thing is, up2date should not be trying to install it if it is already installed. A workaround is to configure up2date to skip "perl*". This will allow up2date to update all other packages, but of course will prevent Red Hat's Perl patches from being applied. I have tried forcing the reinstall of Perl from the Red Hat rpm. This fixes up2date, but breaks MailScanner/ClamAV. I'm not sure what the solution is. Possibly someone could figure out which Perl module updates are causing up2date to balk and remove them from the MailScanner updates. -Glenn. ---------- Original Message ----------- 
From: Remco Barendse To: MailScanner mailing list Sent: Mon, 23 Feb 2009 09:48:07 +0100 (CET) Subject: Up2date perl problem package perl-5.8.5-36.el4_6.3 is already installed > I am running rhel-i386-es-4 and i have a problem running up2date : > > Name Version Rel > ---------------------------------------------------------- > perl 5.8.5 36.el4_6.3 i386 > > Testing package set / solving RPM inter-dependencies... > RPM package conflict error. The message was: > Test install failed because of package conflicts: > package perl-5.8.5-36.el4_6.3 is already installed > > I did some googling, and i found a message stating that the perl > error is caused by a perl module MailScanner installed unfortunately > no solution. The remark there was that they contacted RedHat for > support and then the problem got solved. > > Now i could do the same but unfortunately this is a server i am > supporting on the other side of the world and the support contract > is with RedHat in Japan so contacting them is not so easy for me. > Some other post suggested to try and force uninstall of perl and > then re-installing it, however i have never tried this before and i > am pretty scared of messing up a production server i have extremely > difficult physical access to. > > If the problem is indeed caused by a perl module MailScanner > installed, does anybody know how to solve this problem? > > Thanks!! > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! ------- End of Original Message ------- From mailscanner at barendse.to Mon Feb 23 16:31:39 2009 
From: mailscanner at barendse.to (Remco Barendse) Date: Mon Feb 23 16:31:59 2009 Subject: Up2date perl problem package perl-5.8.5-36.el4_6.3 is already installed In-Reply-To: <49A2685C.5050201@fsl.com> References: <49A2685C.5050201@fsl.com> Message-ID: On Mon, 23 Feb 2009, Steve Freegard wrote: > Remco Barendse wrote: >> I am running rhel-i386-es-4 and i have a problem running up2date : >> >> Name Version Rel >> ---------------------------------------------------------- >> perl 5.8.5 36.el4_6.3 i386 >> >> Testing package set / solving RPM inter-dependencies... >> RPM package conflict error. The message was: >> Test install failed because of package conflicts: >> package perl-5.8.5-36.el4_6.3 is already installed > > Have you actually checked to see if this is true? > > rpm -q perl > > If it already is perl-5.8.5-36.el4_6.3; then it's already been installed > and has nothing to do with MailScanner at all - it's up2date that is > wrong; you could try clearing it's cache by nuking the > /var/spool/up2date directory (or moving it to a .saved). Yes i did, and the new perl version is indeed already installed. I already tried nuking the /var/spool/up2date and i also nuked the rpm database and rebuilt it. Same story... I don't know why up2date keeps pushing this update :( From MailScanner at ecs.soton.ac.uk Mon Feb 23 18:38:21 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Feb 23 18:38:38 2009 Subject: Up2date perl problem package perl-5.8.5-36.el4_6.3 is already installed In-Reply-To: References: <49A2685C.5050201@fsl.com> <49A2ED1D.8000803@ecs.soton.ac.uk> Message-ID: On 23/2/09 16:31, Remco Barendse wrote: > On Mon, 23 Feb 2009, Steve Freegard wrote: > >> Remco Barendse wrote: >>> I am running rhel-i386-es-4 and i have a problem running up2date : >>> >>> Name Version Rel >>> ---------------------------------------------------------- >>> perl 5.8.5 36.el4_6.3 i386 >>> >>> Testing package set / solving RPM inter-dependencies... >>> RPM package conflict error. The message was: >>> Test install failed because of package conflicts: >>> package perl-5.8.5-36.el4_6.3 is already installed >> >> Have you actually checked to see if this is true? >> >> rpm -q perl >> >> If it already is perl-5.8.5-36.el4_6.3; then it's already been installed >> and has nothing to do with MailScanner at all - it's up2date that is >> wrong; you could try clearing it's cache by nuking the >> /var/spool/up2date directory (or moving it to a .saved). > > Yes i did, and the new perl version is indeed already installed. > > I already tried nuking the /var/spool/up2date and i also nuked the rpm > database and rebuilt it. Same story... > > I don't know why up2date keeps pushing this update :( The only help I can offer here is that there is a command-line switch to ./install.sh which causes it to uninstall all its Perl modules, then gives you the chance to Ctrl-Z it, up2date and then "fg" it to continue at which point it reinstalls the Perl modules. A very quick and easy solution for most of the "yum update" and "up2date -u" problems with MailScanner. You can "./install.sh --help" to get all the command-line switches. Jules From ebhoeve-ms at ehoeve.com Mon Feb 23 19:02:35 2009
From: ebhoeve-ms at ehoeve.com (Eric Hoeve) Date: Mon Feb 23 19:03:12 2009 Subject: add action to watermarking Message-ID: <49A2F2CB.5060604@ehoeve.com> First off I want to say that MailScanner is a great piece of software that has helped me tremendously. Background: I have Spam and High Scoring Spam set up to deliver with a special header that allows the MUA to know it should drop the message in the spam bucket. Now I am getting a ton of 'backscatter' from spammer(s) spoofing one of our users' email address to send spam. Now they get tons of 'bounce' messages filling up their mailbox (spam bucket) because I am using the watermark feature. Would there be a way to make it so I could just delete all email that bounces to a specific user and also fails the watermark test? I see my current choices are 'spam', 'high scoring spam', etc but no delete/drop option. It would be nice if I could do something like this in 'rules'. Current MS Version is: 4.73.4. Thanks in advance. -Eric -=-=-=-=-=-=-=-=-=-=-=- Eric Hoeve From mrm at quantumcc.com Mon Feb 23 20:24:37 2009 From: mrm at quantumcc.com (Mike Masse) Date: Mon Feb 23 20:24:47 2009 Subject: pdf zeroday :-( In-Reply-To: <499EEE8B.3040301@alexb.ch> References: <499EE656.60504@pacific.net> <499EEE8B.3040301@alexb.ch> Message-ID: Alex Broens wrote: > On 2/20/2009 6:20 PM, Ken A wrote: >> Anybody know how to get MailScanner to flag PDF documents containing >> JavaScript? >> >> http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090219 > > Pls send me a copy offlist and I'll make a PDFinfo SA rule for it. > > Alex Has any progress been made in this area? From ka at pacific.net Mon Feb 23 20:59:09 2009
From: ka at pacific.net (Ken A) Date: Mon Feb 23 20:59:36 2009 Subject: pdf zeroday :-( In-Reply-To: References: <499EE656.60504@pacific.net> <499EEE8B.3040301@alexb.ch> Message-ID: <49A30E1D.8000704@pacific.net> Mike Masse wrote: > Alex Broens wrote: >> On 2/20/2009 6:20 PM, Ken A wrote: >>> Anybody know how to get MailScanner to flag PDF documents containing >>> JavaScript? >>> >>> http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090219 >> >> Pls send me a copy offlist and I'll make a PDFinfo SA rule for it. >> >> Alex > > Has any progress been made in this area? > clamav and sophos are both catching it now, so it's not really needed. Ken -- Ken Anderson Pacific Internet - http://www.pacific.net From list-mailscanner at linguaphone.com Tue Feb 24 08:54:48 2009 
From: list-mailscanner at linguaphone.com (Gareth) Date: Tue Feb 24 08:56:18 2009 Subject: add action to watermarking In-Reply-To: <49A2F2CB.5060604@ehoeve.com> References: <49A2F2CB.5060604@ehoeve.com> Message-ID: <1235465688.27083.2.camel@gblades-suse.linguaphone-intranet.co.uk> One way does spring to mind but others may have a different suggestion. 1) Install & configure the spamassassin vbounce plugin. This detects bounce messages where the original didnt come from one of your mail servers. 2) Write a meta rule to match when the vbounce rule hits and the mail was sent to one of your users who are being spoofed. 3) In mailscanner add a custom rule action to delete the mail if the meta rule matches. On Mon, 2009-02-23 at 19:02, Eric Hoeve wrote: > First off I want to say that MailScanner is a great piece of software > that has helped me tremendously. > > Background: I have Spam and High Scoring Spam setup to deliver with a > special header that allows the MUA know it should drop the message in > the spam bucket. > > Now I am getting a ton of 'backscatter' from spammer(s) spoofing one of > our users email address to send spam. Now they get tons of 'bounce' > messages and fillingup their mailbox (spam bucket) because I am using > the watermark feature. Would their be a way to make it so I could just > delete all email that bounces to a specific user and also failing the > watermark test. I see my current choices are 'spam', 'high scoring > spam', etc but no delete/drop option. It would be nice if I could do > something like this in 'rules'. > > Current MS Version is: 4.73.4. > > Thanks in advance. > > -Eric > > -=-=-=-=-=-=-=-=-=-=-=- > Eric Hoeve From glenn.steen at gmail.com Tue Feb 24 08:59:14 2009 
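Gareth's three steps above, sketched as configuration; this is an added example, not configuration posted to the list. The relay host names, the address spoofed.user@example.com, the local.cf path and the rule names __LOCAL_TO_SPOOFED and LOCAL_BACKSCATTER are assumptions to be replaced with site values.

```conf
# ---- SpamAssassin: /etc/mail/spamassassin/local.cf (path is an assumption) ----

# Step 1: enable VBounce and tell it which relays send your users' mail.
# (The loadplugin line normally lives in a .pre file such as v320.pre.)
loadplugin Mail::SpamAssassin::Plugin::VBounce
# A bounce that quotes a Received header naming one of these hosts is treated
# as a reply to mail you really sent. List every outbound relay (example
# names here), otherwise genuine bounces will match the rule below as well.
whitelist_bounce_relays mail.example.com smtp-out.example.com

# Step 2: a bounce that did not originate here AND is addressed to the
# spoofed user (example address). ANY_BOUNCE_MESSAGE is the stock VBounce
# meta rule covering MTA, virus-scanner and challenge-response bounces.
header   __LOCAL_TO_SPOOFED  ToCc =~ /\bspoofed\.user\@example\.com\b/i
meta     LOCAL_BACKSCATTER   (ANY_BOUNCE_MESSAGE && __LOCAL_TO_SPOOFED)
describe LOCAL_BACKSCATTER   Backscatter bounce to a spoofed local address
# Non-zero so the rule is evaluated and reported; small so it does not
# change the spam verdict on its own.
score    LOCAL_BACKSCATTER   0.01

# ---- MailScanner: MailScanner.conf ----

# Step 3: act on the rule name rather than on the spam score.
SpamAssassin Rule Actions = LOCAL_BACKSCATTER=>delete
```

The condition rests on SpamAssassin's bounce detection and the recipient only; the watermark check is made separately by MailScanner and is not part of it.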
From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Feb 24 08:59:23 2009 Subject: add action to watermarking In-Reply-To: <49A2F2CB.5060604@ehoeve.com> References: <49A2F2CB.5060604@ehoeve.com> Message-ID: <223f97700902240059w74ac12c7qa342ff8b2c6137e5@mail.gmail.com> 2009/2/23 Eric Hoeve : > First off I want to say that MailScanner is a great piece of software that > has helped me tremendously. > > Background: I have Spam and High Scoring Spam setup to deliver with a > special header that allows the MUA know it should drop the message in the > spam bucket. > > Now I am getting a ton of 'backscatter' from spammer(s) spoofing one of our > users email address to send spam. Now they get tons of 'bounce' messages and > fillingup their mailbox (spam bucket) because I am using the watermark > feature. Would their be a way to make it so I could just delete all email > that bounces to a specific user and also failing the watermark test. I see > my current choices are 'spam', 'high scoring spam', etc but no delete/drop > option. It would be nice if I could do something like this in 'rules'. > > Current MS Version is: 4.73.4. > > Thanks in advance. > > -Eric > -=-=-=-=-=-=-=-=-=-=-=- > Eric Hoeve Why not delete the High Scoring Spam and set it to that? Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ka at pacific.net Tue Feb 24 16:21:13 2009 
From: ka at pacific.net (Ken A) Date: Tue Feb 24 16:21:42 2009 Subject: Clamd::ERROR:: Input/Output Message-ID: <49A41E79.3010003@pacific.net> I'm seeing this occasional error from clamd: clamd[22528]: /var/spool/MailScanner/incoming/2255/n1OEUuKK022868/2009 RETAIL CATALOG.xlsx: Input/Output error ERROR MailScanner[2255]: Clamd::ERROR:: Input/Output error ERROR :: ./n1OEUuKK022868/2009 RETAIL CATALOG.xlsx I've googled and not come up with anything definite, though it seems likely that it's a clamav problem, and not failing RAM. Anyone else seeing this? Thanks, Ken -- Ken Anderson Pacific Internet - http://www.pacific.net From rjette at vzw.blackberry.net Tue Feb 24 16:33:53 2009 From: rjette at vzw.blackberry.net (rjette@vzw.blackberry.net) Date: Tue Feb 24 16:33:04 2009 Subject: Mailscanner install Message-ID: <1775849488-1235493178-cardhu_decombobulator_blackberry.rim.net-907691046-@bxe1261.bisx.prod.on.blackberry> Good morning, In the past I have installed MailScanner using the deb package. This time I used the tar ball to install it on a new system. The install went good but I am having trouble starting MailScanner. There is no /etc/init.d/mailscanner file like there is when I use the deb file. Does the tar ball contain this file or should I get it else where? I would take it from an old server but the directories are not the same. I'm now using /opt/... Thanks From ssilva at sgvwater.com Tue Feb 24 16:43:33 2009 
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Feb 24 16:45:12 2009 Subject: Clamd::ERROR:: Input/Output In-Reply-To: <49A41E79.3010003@pacific.net> References: <49A41E79.3010003@pacific.net> Message-ID: on 2-24-2009 8:21 AM Ken A spake the following: > I'm seeing this occasional error from clamd: > > clamd[22528]: /var/spool/MailScanner/incoming/2255/n1OEUuKK022868/2009 > RETAIL CATALOG.xlsx: Input/Output error ERROR > > MailScanner[2255]: Clamd::ERROR:: Input/Output error ERROR :: > ./n1OEUuKK022868/2009 RETAIL CATALOG.xlsx > > I've googled and not come up with anything definite, though it seems > likely that it's a clamav problem, and not failing RAM. > Anyone else seeing this? > > Thanks, > Ken > Are you running any extra signatures and having clamd crashes? -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Tue Feb 24 16:45:12 2009
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Feb 24 16:50:11 2009 Subject: Mailscanner install In-Reply-To: <1775849488-1235493178-cardhu_decombobulator_blackberry.rim.net-907691046-@bxe1261.bisx.prod.on.blackberry> References: <1775849488-1235493178-cardhu_decombobulator_blackberry.rim.net-907691046-@bxe1261.bisx.prod.on.blackberry> Message-ID: on 2-24-2009 8:33 AM rjette@vzw.blackberry.net spake the following: > Good morning, > In the past I have installed MailScanner using the deb package. This time I used the tar ball to install it on a new system. > > The install went good but I am having trouble starting MailScanner. There is no /etc/init.d/mailscanner file like there is when I use the deb file. Does the tar ball contain this file or should I get it else where? > > I would take it from an old server but the directories are not the same. I'm now using /opt/... > > Thanks Is this one OK? http://www.mailscanner.info/files/4/mailscanner.debian.init.d -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From MailScanner at ecs.soton.ac.uk Tue Feb 24 16:52:50 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Feb 24 16:53:17 2009 Subject: Mailscanner install In-Reply-To: <1775849488-1235493178-cardhu_decombobulator_blackberry.rim.net-907691046-@bxe1261.bisx.prod.on.blackberry> References: <1775849488-1235493178-cardhu_decombobulator_blackberry.rim.net-907691046-@bxe1261.bisx.prod.on.blackberry> <49A425E2.505@ecs.soton.ac.uk> Message-ID: The "Other Unix" MailScanner distribution is intended for use on any sort of Unix system. Quite a few variants of Unix don't even use init.d scripts at all (e.g. Solaris 10) and on those that do they are all different. If you want an init.d script for your variant of Unix, then I suggest you copy one from another fairly simple service (perhaps ntpd or sshd or something like that) and modify it to suit your requirements. I'm certainly not going to start trying to maintain startup scripts and metadata (including XML files in some cases) for every version of every variant of Unix in use around the world. Sorry, life's too short to get into that sort of thing! Jules. On 24/02/2009 4:33 PM, rjette@vzw.blackberry.net wrote: > Good morning, > In the past I have installed MailScanner using the deb package. This time I used the tar ball to install it on a new system. > > The install went good but I am having trouble starting MailScanner. There is no /etc/init.d/mailscanner file like there is when I use the deb file. Does the tar ball contain this file or should I get it else where? > > I would take it from an old server but the directories are not the same. I'm now using /opt/... > > Thanks > Jules From ebhoeve-ms at ehoeve.com Tue Feb 24 19:16:50 2009
From: ebhoeve-ms at ehoeve.com (Eric Hoeve) Date: Tue Feb 24 19:17:29 2009 Subject: add action to watermarking In-Reply-To: <223f97700902240059w74ac12c7qa342ff8b2c6137e5@mail.gmail.com> References: <49A2F2CB.5060604@ehoeve.com> <223f97700902240059w74ac12c7qa342ff8b2c6137e5@mail.gmail.com> Message-ID: <49A447A2.3040400@ehoeve.com> Glenn Steen said the following, On 2/24/2009 2:59 AM: > 2009/2/23 Eric Hoeve : > >> First off I want to say that MailScanner is a great piece of software that >> has helped me tremendously. >> >> Background: I have Spam and High Scoring Spam setup to deliver with a >> special header that allows the MUA know it should drop the message in the >> spam bucket. >> >> Now I am getting a ton of 'backscatter' from spammer(s) spoofing one of our >> users email address to send spam. Now they get tons of 'bounce' messages and >> fillingup their mailbox (spam bucket) because I am using the watermark >> feature. Would their be a way to make it so I could just delete all email >> that bounces to a specific user and also failing the watermark test. I see >> my current choices are 'spam', 'high scoring spam', etc but no delete/drop >> option. It would be nice if I could do something like this in 'rules'. >> >> Current MS Version is: 4.73.4. >> >> Thanks in advance. >> >> -Eric >> -=-=-=-=-=-=-=-=-=-=-=- >> Eric Hoeve >> > > Why not delete the High Scoring Spam and set it to that? > > Cheers > Thanks for the prompt replies. I had kind of thought about doing it that way. However, I was looking at the code for the watermark in /usr/lib/MailScanner/MailScanner/Message.pm Unfortunately I do not have a spare system hanging around where I can test these code changes, but what if I add the following code: --- MailScanner/Message.bak 2009-02-24 12:50:31.000000000 -0600 +++ MailScanner/Message.pm 2009-02-24 13:02:05.000000000 -0600 
@@ -569,6 +569,12 @@ #print STDERR "mshmacnull = $mshmacnull\n"; # This can be "none", "spam" or "high-scoring spam" #$mshmacnull =~ s/[^a-z]//g; + if ($mshmacnull =~ /delete/) { + $this->{deleted} = 1; + $this->{dontdeliver} = 1; + MailScanner::Log::InfoLog("Message %s from %s has no (or invalid) watermark or sender address delete message", $this->{id}, $this->{clientip}) if $LogSpam;; + return 1; + } if ($mshmacnull =~ /high/) { my $highscore = MailScanner::Config::Value('highspamassassinscore', $this); $this->{isspam} = 1; ---------- End of Code -------------------------------------------- Would that mark the message as 'deleted' and thus delete the message??? Then I could just use 'Treat Invalid Watermarks With No Sender as Spam = delete'. If that would work maybe you could add that code snippet to the next release of MailScanner. This was just a thought. Otherwise I will probably just end use what Glenn or Gareth mentioned. Thanks, -Eric -- -=-=-=-=-=-=-=-=-=-=-=- Eric Hoeve From ka at pacific.net Tue Feb 24 21:52:33 2009 
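Review bot: The added test `$mshmacnull =~ /delete/` is an unanchored substring match, so any configured value that merely contains "delete" triggers an irreversible discard; trim the value and compare it exactly (for example `$mshmacnull eq 'delete'`) before setting `$this->{deleted}`. The comment two lines above the new block still reads `# This can be "none", "spam" or "high-scoring spam"` and should list the new value as well.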
From: ka at pacific.net (Ken A) Date: Tue Feb 24 21:52:47 2009 Subject: Clamd::ERROR:: Input/Output In-Reply-To: References: <49A41E79.3010003@pacific.net> Message-ID: <49A46C21.4040503@pacific.net> Scott Silva wrote: > on 2-24-2009 8:21 AM Ken A spake the following: >> I'm seeing this occasional error from clamd: >> >> clamd[22528]: /var/spool/MailScanner/incoming/2255/n1OEUuKK022868/2009 >> RETAIL CATALOG.xlsx: Input/Output error ERROR >> >> MailScanner[2255]: Clamd::ERROR:: Input/Output error ERROR :: >> ./n1OEUuKK022868/2009 RETAIL CATALOG.xlsx >> >> I've googled and not come up with anything definite, though it seems >> likely that it's a clamav problem, and not failing RAM. >> Anyone else seeing this? >> >> Thanks, >> Ken >> > Are you running any extra signatures and having clamd crashes? Isn't everyone? (yes, and yes). Ken > > > -- Ken Anderson Pacific Internet - http://www.pacific.net From holger-lists at noefer.org Tue Feb 24 22:07:18 2009 
From: holger-lists at noefer.org (Hoger Nöfer) Date: Tue Feb 24 22:07:26 2009 Subject: add action to watermarking In-Reply-To: <49A447A2.3040400@ehoeve.com> References: <49A2F2CB.5060604@ehoeve.com> <223f97700902240059w74ac12c7qa342ff8b2c6137e5@mail.gmail.com> <49A447A2.3040400@ehoeve.com> Message-ID: <49A46F96.90907@noefer.org> Eric Hoeve wrote: > Glenn Steen said the following, On 2/24/2009 2:59 AM: >> 2009/2/23 Eric Hoeve : >> >>> First off I want to say that MailScanner is a great piece of >>> software that >>> has helped me tremendously. >>> >>> Background: I have Spam and High Scoring Spam setup to deliver with a >>> special header that allows the MUA know it should drop the message >>> in the >>> spam bucket. >>> >>> Now I am getting a ton of 'backscatter' from spammer(s) spoofing one >>> of our >>> users email address to send spam. Now they get tons of 'bounce' >>> messages and >>> fillingup their mailbox (spam bucket) because I am using the watermark >>> feature. Would their be a way to make it so I could just delete all >>> email >>> that bounces to a specific user and also failing the watermark test. >>> I see >>> my current choices are 'spam', 'high scoring spam', etc but no >>> delete/drop >>> option. It would be nice if I could do something like this in 'rules'. >>> >>> Current MS Version is: 4.73.4. >>> >>> Thanks in advance. >>> >>> -Eric >>> -=-=-=-=-=-=-=-=-=-=-=- >>> Eric Hoeve >>> >> >> Why not delete the High Scoring Spam and set it to that? >> >> Cheers >> > Thanks for the prompt relies. > > I had kind of thought about doing it that way.However, I was looking > at the code for the watermark in > /usr/lib/MailScanner/MailScanner/Message.pm > > Unfortunately I do not have a spare system hanging around where I can > test these code changes, but what if I add the following code: > > --- MailScanner/Message.bak 2009-02-24 12:50:31.000000000 -0600 > +++ MailScanner/Message.pm 2009-02-24 13:02:05.000000000 -0600 
> @@ -569,6 +569,12 @@ > #print STDERR "mshmacnull = $mshmacnull\n"; > # This can be "none", "spam" or "high-scoring spam" > #$mshmacnull =~ s/[^a-z]//g; > + if ($mshmacnull =~ /delete/) { > + $this->{deleted} = 1; > + $this->{dontdeliver} = 1; > + MailScanner::Log::InfoLog("Message %s from %s has no (or > invalid) watermark or sender address delete message", $this->{id}, > $this->{clientip}) if $LogSpam;; > + return 1; > + } > if ($mshmacnull =~ /high/) { > my $highscore = > MailScanner::Config::Value('highspamassassinscore', $this); > $this->{isspam} = 1; > > ---------- End of Code -------------------------------------------- > > Would that mark the message as 'deleted' and thus delete the message??? > Then I could just use 'Treat Invalid Watermarks With No Sender as Spam > = delete'. > > If that would work maybe you could add that code snippet to the next > release of MailScanner. > > This was just a thought. Otherwise I will probably just end use what > Glenn or Gareth mentioned. > > Thanks, > > -Eric > Hi Eric, deleteing invalid watermarks would be a very nice feature. I hope Julian will include this into the next MailScanner version if the code works. On thursday I can test the code on a test server, is that an option? Best regards, Holger From hvdkooij at vanderkooij.org Tue Feb 24 22:52:38 2009 
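Review bot: The `return 1;` closing the added block leaves before the `if ($mshmacnull =~ /high/)` branch that sets `$this->{isspam}`, so the message carries only `deleted` and `dontdeliver`, and nothing in the hunk shows that the caller or later stages act on those two flags alone. A test run should confirm that the message is actually removed from the queue and not delivered, and that the other values still reach the `/high/` branch unchanged.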
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Tue Feb 24 22:52:47 2009 Subject: Mailscanner install In-Reply-To: References: <1775849488-1235493178-cardhu_decombobulator_blackberry.rim.net-907691046-@bxe1261.bisx.prod.on.blackberry> <49A425E2.505@ecs.soton.ac.uk> Message-ID: <49A47A36.5020300@vanderkooij.org> Julian Field wrote: > The "Other Unix" MailScanner distribution is intended for use any on > sort of Unix system. Quite a few variants of Unix don't even use init.d > scripts at all (e.g. Solaris 10) and on those that do they are all > different. If you want an init.d script for your variant of Unix, then I > suggest you copy one from another fairly simple service (perhaps ntpd or > sshd or something like that) and modify it to suit your requirements. What Solaris 10 version have you been running? All Solaris versions I have worked with have init.d scripts. Their syntax is not that hard to figure out if you look at half a dozen samples. Hugo. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. From ssilva at sgvwater.com Tue Feb 24 23:03:12 2009
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Feb 24 23:03:30 2009 Subject: Mailscanner install In-Reply-To: <49A47A36.5020300@vanderkooij.org> References: <1775849488-1235493178-cardhu_decombobulator_blackberry.rim.net-907691046-@bxe1261.bisx.prod.on.blackberry> <49A425E2.505@ecs.soton.ac.uk> <49A47A36.5020300@vanderkooij.org> Message-ID: on 2-24-2009 2:52 PM Hugo van der Kooij spake the following: > Julian Field wrote: >> The "Other Unix" MailScanner distribution is intended for use any on >> sort of Unix system. Quite a few variants of Unix don't even use init.d >> scripts at all (e.g. Solaris 10) and on those that do they are all >> different. If you want an init.d script for your variant of Unix, then I >> suggest you copy one from another fairly simple service (perhaps ntpd or >> sshd or something like that) and modify it to suit your requirements. > > What Solaris 10 version have you been running? All Solaris versions I > have worked with have init.d scripts. > > Their syntax is not that hard to figure out if look at half a dozen samples. > > Hugo. > I'm still sad (maybe not sad but perplexed) that I only see Julian's messages if someone replies and quotes them. Damn Gmane! It used to be my favorite way to keep up with the lists, but now I am having doubts. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Tue Feb 24 23:14:26 2009
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Feb 24 23:14:53 2009 Subject: Mailscanner install In-Reply-To: References: <1775849488-1235493178-cardhu_decombobulator_blackberry.rim.net-907691046-@bxe1261.bisx.prod.on.blackberry> <49A425E2.505@ecs.soton.ac.uk> <49A47A36.5020300@vanderkooij.org> Message-ID: on 2-24-2009 3:03 PM Scott Silva spake the following: > on 2-24-2009 2:52 PM Hugo van der Kooij spake the following: >> Julian Field wrote: >>> The "Other Unix" MailScanner distribution is intended for use any on >>> sort of Unix system. Quite a few variants of Unix don't even use init.d >>> scripts at all (e.g. Solaris 10) and on those that do they are all >>> different. If you want an init.d script for your variant of Unix, then I >>> suggest you copy one from another fairly simple service (perhaps ntpd or >>> sshd or something like that) and modify it to suit your requirements. >> What Solaris 10 version have you been running? All Solaris versions I >> have worked with have init.d scripts. >> >> Their syntax is not that hard to figure out if look at half a dozen samples. >> >> Hugo. >> > > I'm still sad (maybe not sad but perplexed) that I only see Julian's messages > if someone replies and quotes them. Damn Gmane! It used to be my favorite way > to keep up with the lists, but now I am having doubts. > > > > The last message from Jules that made it in the archive was on 2009-02-01 21:31:30 GMT http://article.gmane.org/gmane.mail.virus.mailscanner/68790 I'm wondering if somehow their archive blacklisted him for some reason. It even breaks threads. Threads are split like his message never existed. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Tue Feb 24 23:17:08 2009
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Feb 24 23:20:10 2009 Subject: Mailscanner install In-Reply-To: References: <1775849488-1235493178-cardhu_decombobulator_blackberry.rim.net-907691046-@bxe1261.bisx.prod.on.blackberry> <49A425E2.505@ecs.soton.ac.uk> <49A47A36.5020300@vanderkooij.org> Message-ID: on 2-24-2009 3:14 PM Scott Silva spake the following: > on 2-24-2009 3:03 PM Scott Silva spake the following: >> on 2-24-2009 2:52 PM Hugo van der Kooij spake the following: >>> Julian Field wrote: >>>> The "Other Unix" MailScanner distribution is intended for use any on >>>> sort of Unix system. Quite a few variants of Unix don't even use init.d >>>> scripts at all (e.g. Solaris 10) and on those that do they are all >>>> different. If you want an init.d script for your variant of Unix, then I >>>> suggest you copy one from another fairly simple service (perhaps ntpd or >>>> sshd or something like that) and modify it to suit your requirements. >>> What Solaris 10 version have you been running? All Solaris versions I >>> have worked with have init.d scripts. >>> >>> Their syntax is not that hard to figure out if look at half a dozen samples. >>> >>> Hugo. >>> >> I'm still sad (maybe not sad but perplexed) that I only see Julian's messages >> if someone replies and quotes them. Damn Gmane! It used to be my favorite way >> to keep up with the lists, but now I am having doubts. >> >> >> >> > The last message from Jules that made it in the archive was on 2009-02-01 > 21:31:30 GMT > > http://article.gmane.org/gmane.mail.virus.mailscanner/68790 > > I'm wondering if somehow their archive blacklisted him for some reason. It > even breaks threads. Threads are split like his message never existed. > > > Maybe this has something to do with it; "If you add a Reply-To header to your messages that points to a mailing list, the message will be silently dropped." I've replied to myself enough times that you would think I was running postfix! 
;-P -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From shuttlebox at gmail.com Tue Feb 24 23:23:59 2009 From: shuttlebox at gmail.com (shuttlebox) Date: Tue Feb 24 23:24:08 2009 Subject: Mailscanner install In-Reply-To: <49A47A36.5020300@vanderkooij.org> References: <1775849488-1235493178-cardhu_decombobulator_blackberry.rim.net-907691046-@bxe1261.bisx.prod.on.blackberry> <49A425E2.505@ecs.soton.ac.uk> <49A47A36.5020300@vanderkooij.org> Message-ID: <625385e30902241523u7913c4daoe87cb6d79a369b98@mail.gmail.com> On Tue, Feb 24, 2009 at 11:52 PM, Hugo van der Kooij wrote: > What Solaris 10 version have you been running? All Solaris versions I > have worked with have init.d scripts. In Solaris 10 init.d scripts are legacy and the Service Management Facility is preferred. It brings many advantages like individual logging per service and auto restarts if down and so on. But init.d scripts are still supported. -- /peter From ebhoeve-ms at ehoeve.com Tue Feb 24 23:41:51 2009
From: ebhoeve-ms at ehoeve.com (Eric Hoeve) Date: Tue Feb 24 23:42:26 2009 Subject: add action to watermarking In-Reply-To: <49A46F96.90907@noefer.org> References: <49A2F2CB.5060604@ehoeve.com> <223f97700902240059w74ac12c7qa342ff8b2c6137e5@mail.gmail.com> <49A447A2.3040400@ehoeve.com> <49A46F96.90907@noefer.org> Message-ID: <49A485BF.10208@ehoeve.com> Hoger Nöfer said the following, On 2/24/2009 4:07 PM: > Eric Hoeve wrote: > >> Glenn Steen said the following, On 2/24/2009 2:59 AM: >> >>> 2009/2/23 Eric Hoeve : >>> >>> >>>> First off I want to say that MailScanner is a great piece of >>>> software that >>>> has helped me tremendously. >>>> >>>> Background: I have Spam and High Scoring Spam setup to deliver with a >>>> special header that allows the MUA know it should drop the message >>>> in the >>>> spam bucket. >>>> >>>> Now I am getting a ton of 'backscatter' from spammer(s) spoofing one >>>> of our >>>> users email address to send spam. Now they get tons of 'bounce' >>>> messages and >>>> fillingup their mailbox (spam bucket) because I am using the watermark >>>> feature. Would their be a way to make it so I could just delete all >>>> email >>>> that bounces to a specific user and also failing the watermark test. >>>> I see >>>> my current choices are 'spam', 'high scoring spam', etc but no >>>> delete/drop >>>> option. It would be nice if I could do something like this in 'rules'. >>>> >>>> Current MS Version is: 4.73.4. >>>> >>>> Thanks in advance. >>>> >>>> -Eric >>>> -=-=-=-=-=-=-=-=-=-=-=- >>>> Eric Hoeve >>>> >>>> >>> Why not delete the High Scoring Spam and set it to that? >>> >>> Cheers >>> >>> >> Thanks for the prompt relies. 
>> >> I had kind of thought about doing it that way.However, I was looking >> at the code for the watermark in >> /usr/lib/MailScanner/MailScanner/Message.pm >> >> Unfortunately I do not have a spare system hanging around where I can >> test these code changes, but what if I add the following code: >> >> --- MailScanner/Message.bak 2009-02-24 12:50:31.000000000 -0600 >> +++ MailScanner/Message.pm 2009-02-24 13:02:05.000000000 -0600 
>> @@ -569,6 +569,12 @@ >> #print STDERR "mshmacnull = $mshmacnull\n"; >> # This can be "none", "spam" or "high-scoring spam" >> #$mshmacnull =~ s/[^a-z]//g; >> + if ($mshmacnull =~ /delete/) { >> + $this->{deleted} = 1; >> + $this->{dontdeliver} = 1; >> + MailScanner::Log::InfoLog("Message %s from %s has no (or >> invalid) watermark or sender address delete message", $this->{id}, >> $this->{clientip}) if $LogSpam;; >> + return 1; >> + } >> if ($mshmacnull =~ /high/) { >> my $highscore = >> MailScanner::Config::Value('highspamassassinscore', $this); >> $this->{isspam} = 1; >> >> ---------- End of Code -------------------------------------------- >> >> Would that mark the message as 'deleted' and thus delete the message??? >> Then I could just use 'Treat Invalid Watermarks With No Sender as Spam >> = delete'. >> >> If that would work maybe you could add that code snippet to the next >> release of MailScanner. >> >> This was just a thought. Otherwise I will probably just end up using what >> Glenn or Gareth mentioned. >> >> Thanks, >> >> -Eric >> >> > Hi Eric, > > deleting invalid watermarks would be a very nice feature. I hope Julian > will include this into the next > MailScanner version if the code works. > On Thursday I can test the code on a test server, is that an option? > > Best regards, > Holger > I would appreciate it if you could test it, and I think it would be good if Julian could take a peek at it to rule out any obvious problems or unintended consequences that the code might present or he might even have a better solution. Feel free to email me off list. Unfortunately, at this time I do not have any spare machines to play with. Regards, -Eric -- -=-=-=-=-=-=-=-=-=-=-=- Eric Hoeve From nats at sscrmnl.edu.ph Wed Feb 25 08:25:43 2009 
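Review bot: the new `delete` branch logs the drop only `if $LogSpam`, so with spam logging switched off a message is marked `deleted`/`dontdeliver` and the function returns with no record that mail was discarded; since this path throws mail away rather than tagging it, the `InfoLog` call should be unconditional. The comment just above still says the value can be "none", "spam" or "high-scoring spam" and needs "delete" added, `/delete/` matches any setting that merely contains that string, and the log statement ends in a stray second `;`.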
From: nats at sscrmnl.edu.ph (Jose Nathaniel G. Nengasca) Date: Wed Feb 25 08:26:07 2009 Subject: double delivery of emails Message-ID: <000101c99722$a6978580$f3c69080$@edu.ph> Hi, Is there someone experienced you have two or more emails that are the same? I got this frequently on my inbox. Could someone point me to the right direction? Thanks J. N. Nengasca -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From glenn.steen at gmail.com Wed Feb 25 09:54:35 2009 From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Feb 25 09:54:43 2009 Subject: double delivery of emails In-Reply-To: <000101c99722$a6978580$f3c69080$@edu.ph> References: <000101c99722$a6978580$f3c69080$@edu.ph> Message-ID: <223f97700902250154o4f7f01bdh25596a9ef16db180@mail.gmail.com> 2009/2/25 Jose Nathaniel G. Nengasca : > Hi, > > Is there someone experienced you have two or more emails that are the same? > I got this frequently on my inbox. Could someone point me to the right > direction? Thanks > > J. N. Nengasca > > Might indicate you have your locking set wrong. What MTA? What version of MS? .... Some details would help much further diagnosing this :-). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ajcartmell at fonant.com Wed Feb 25 12:13:15 2009 
From: ajcartmell at fonant.com (Anthony Cartmell) Date: Wed Feb 25 12:13:27 2009 Subject: Clamd::ERROR:: Input/Output In-Reply-To: <49A46C21.4040503@pacific.net> References: <49A41E79.3010003@pacific.net> <49A46C21.4040503@pacific.net> Message-ID: >> Are you running any extra signatures and having clamd crashes? > > Isn't everyone? (yes, and yes). I have a new server that's live and processing my mail. Clamd hasn't yet crashed in a week or so. I don't yet have the extra signatures being loaded, will see what happens when I find time to add them. ClamAV 0.94.2/9045, installed and updated by yum as part of FC10. HTH, Anthony -- www.fonant.com - Quality web sites From bernard.lheureux at bbsoft4.org Wed Feb 25 12:23:42 2009 From: bernard.lheureux at bbsoft4.org (Bernard 'Tux' Lheureux) Date: Wed Feb 25 12:23:55 2009 Subject: double delivery of emails In-Reply-To: <000101c99722$a6978580$f3c69080$@edu.ph> References: <000101c99722$a6978580$f3c69080$@edu.ph> Message-ID: <49A5384E.5010601@bbsoft4.org> Jose Nathaniel G. Nengasca wrote: I've got exactly the same problem, with a CentOS 4 Server acting as MailRelay with MailScanner 4.74.16, sendmail-8.13.1-3.3.el4 I've tried to change the Lock Type = posix (before it was empty Lock Type = ) But still no change, in spam.assassin.prefs.conf lock_method flock Could someone guide me to the right solution? > Hi, > > Is there someone experienced you have two or more emails that are the same? > I got this frequently on my inbox. Could someone point me to the right > direction? Thanks > > J. N. Nengasca M$-Internet Exploder is the cancer of the Internet, see why here: http://www.aful.org/ressources/documentations/msie-problemes-securite/ -- (?- Bernard Lheureux Manager of the mailing lists ML, TechML, LinuxML //\ http://www.bbsoft4.org/Mailinglists.htm ** MailTo:root@bbsoft4.org v_/_ http://www.bbsoft4.org/ <<<<<< () >>>>> http://www.portalinux.org From wick at bobwickline.com Wed Feb 25 13:16:22 2009 
From: wick at bobwickline.com (Bob Wickline) Date: Wed Feb 25 13:17:00 2009 Subject: double delivery of emails In-Reply-To: <000101c99722$a6978580$f3c69080$@edu.ph> References: <000101c99722$a6978580$f3c69080$@edu.ph> Message-ID: <49A544A6.1040403@bobwickline.com> I experienced this when I had an overloaded system. I was running too many child processes and it was causing this behavior. I reduced the number of child processes to two (2) and it solved this problem for me: Max Children = 2 BTW - I am running on a Solaris system running a dozen zones each running MailScanner. Jose Nathaniel G. Nengasca wrote: > Hi, > > Is there someone experienced you have two or more emails that are the same? > I got this frequently on my inbox. Could someone point me to the right > direction? Thanks > > J. N. Nengasca > > > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From miguelk at konsultex.com.br Wed Feb 25 13:36:44 2009 
From: miguelk at konsultex.com.br (Miguel Koren O'Brien de Lacy) Date: Wed Feb 25 13:37:56 2009 Subject: double delivery of emails In-Reply-To: <49A5384E.5010601@bbsoft4.org> References: <000101c99722$a6978580$f3c69080$@edu.ph> <49A5384E.5010601@bbsoft4.org> Message-ID: <49A5496C.8020700@konsultex.com.br> In my case I believe the problem probably lies with dovecot. This started happening after the server was migrated from an older version of Fedora to Centos 5.2 (no Mailscanner on that box, it gets its email via fetchmail from another server). See if your logs show strange dovecot errors (if you have dovecot, of course) as mine do. The dovecot forum has some posts about this problem. I'm not sure what the right solution is, though. Bernard 'Tux' Lheureux wrote: > Jose Nathaniel G. Nengasca wrote: > > I've got exactly the same problem, with a CentOS 4 Server acting as > MailRelay with MailScanner 4.74.16, sendmail-8.13.1-3.3.el4 > I've tried to change the Lock Type = posix > (before it was empty Lock Type = ) > But still no change, in spam.assassin.prefs.conf > lock_method flock > Could someone guide me to the right solution? >> Hi, >> >> Is there someone experienced you have two or more emails that are the >> same? >> I got this frequently on my inbox. Could someone point me to the right >> direction? Thanks >> >> J. N. Nengasca > > M$-Internet Exploder is the cancer of the Internet, see why here: > http://www.aful.org/ressources/documentations/msie-problemes-securite/ > -- This message was checked by the antivirus system and is believed to be free of danger. From rjette at vzw.blackberry.net Wed Feb 25 13:48:03 2009 
From: rjette at vzw.blackberry.net (rjette@vzw.blackberry.net) Date: Wed Feb 25 13:47:13 2009 Subject: Mailscanner install In-Reply-To: References: <1775849488-1235493178-cardhu_decombobulator_blackberry.rim.net-907691046-@bxe1261.bisx.prod.on.blackberry> Message-ID: <1012534901-1235569627-cardhu_decombobulator_blackberry.rim.net-1074283014-@bxe1261.bisx.prod.on.blackberry> Thanks for the reply and the link. This solved my problem. Ray -----Original Message----- From: Scott Silva Date: Tue, 24 Feb 2009 08:45:12 To: Subject: Re: Mailscanner install -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From bernard.lheureux at bbsoft4.org Wed Feb 25 14:53:38 2009 
From: bernard.lheureux at bbsoft4.org (Bernard 'Tux' Lheureux) Date: Wed Feb 25 14:53:54 2009 Subject: double delivery of emails In-Reply-To: <49A5496C.8020700@konsultex.com.br> References: <000101c99722$a6978580$f3c69080$@edu.ph> <49A5384E.5010601@bbsoft4.org> <49A5496C.8020700@konsultex.com.br> Message-ID: <49A55B72.3090108@bbsoft4.org> Miguel Koren O'Brien de Lacy wrote: You're right, in my case, the SMTP Server used has recently been migrated from an old version of Debian to CentOS 5.2 with Dovecot, I will investigate if I get those "strange dovecot errors" as you talk about... No, I cannot see some "Strange errors", could you tell me what kind of error messages you get? > In my case I believe the problem probably lies with dovecot. This > started happening after the server was migrated from an older version of > Fedora to Centos 5.2 (no Mailscanner on that box, it gets its email via > fetchmail from another server). See if your logs show strange dovecot > errors (if you have dovecot, of course) as mine do. The dovecot forum > has some posts about this problem. I'm not sure what the right solution > is, though. > > Bernard 'Tux' Lheureux wrote: > >> Jose Nathaniel G. Nengasca wrote: >> >> I've got exactly the same problem, with a CentOS 4 Server acting as >> MailRelay with MailScanner 4.74.16, sendmail-8.13.1-3.3.el4 >> I've tried to change the Lock Type = posix >> (before it was empty Lock Type = ) >> But still no change, in spam.assassin.prefs.conf >> lock_method flock >> Could someone guide me to the right solution? >> >>> Hi, >>> >>> Is there someone experienced you have two or more emails that are the >>> same? >>> I got this frequently on my inbox. Could someone point me to the right >>> direction? Thanks >>> >>> J. N. Nengasca >>> >> M$-Internet Exploder is the cancer of the Internet, see why here: >> http://www.aful.org/ressources/documentations/msie-problemes-securite/ >> >> > > From ka at pacific.net Wed Feb 25 15:03:58 2009 
From: ka at pacific.net (Ken A) Date: Wed Feb 25 15:04:14 2009 Subject: Clamd::ERROR:: Input/Output In-Reply-To: References: <49A41E79.3010003@pacific.net> <49A46C21.4040503@pacific.net> Message-ID: <49A55DDE.6030001@pacific.net> Anthony Cartmell wrote: >>> Are you running any extra signatures and having clamd crashes? >> >> Isn't everyone? (yes, and yes). > > I have a new server that's live and processing my mail. Clamd hasn't yet > crashed in a week or so. I don't yet have the extra signatures being > loaded, will see what happens when I find time to add them. > > ClamAV 0.94.2/9045, installed and updated by yum as part of FC10. > > HTH, > > Anthony If clamd dies, it gets restarted by a cron job < 1 min later, so it's not a big deal (MailScanner's logging is helpful!). I'm just waiting for a version that fixes it. clamd is running on the mail hub without the extra sigs, and it doesn't crash, so nothing really nasty can slip by. The I/O ERROR reported by clamd doesn't seem to have anything to do with the crashes though, as they are happening at different times. It could still be related to the same underlying bug, but until the 3rd party sigs crash bug gets resolved I won't know. https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1370 Yesterday, all 3 of the I/O errors were on .xlsx files, so I'm likely to assume it's Microsoft's fault. :-) Thanks, Ken -- Ken Anderson Pacific Internet - http://www.pacific.net From mailscanner at barendse.to Wed Feb 25 16:52:38 2009 
From: mailscanner at barendse.to (Remco Barendse) Date: Wed Feb 25 16:52:57 2009 Subject: Mail auto translation plugin? Message-ID: Hi list! A little bit offtopic question : I need something to translate all incoming (or outgoing) mail that goes through MailScanner. The mail can be in Japanese, Chinese or Russian. Is there anyone that is able / willing to write a MailScanner plugin that will run the text through an online translator like (for example), translate.google.com. Yes, i know that translations from those translators kinda suck, but they still understand Japanese a little bit better than me :) I'm willing to pay for such a plugin, if anybody could estimate the cost for such a plugin, please let me know. Thanks! Remco From mark at msapiro.net Wed Feb 25 17:12:35 2009 From: mark at msapiro.net (Mark Sapiro) Date: Wed Feb 25 17:12:46 2009 Subject: double delivery of emails In-Reply-To: <000101c99722$a6978580$f3c69080$@edu.ph> References: <000101c99722$a6978580$f3c69080$@edu.ph> Message-ID: <20090225171235.GA1516@msapiro> On Wed, Feb 25, 2009 at 05:25:43PM +0900, Jose Nathaniel G. Nengasca wrote: > > Is there someone experienced you have two or more emails that are the same? > I got this frequently on my inbox. Could someone point me to the right > direction? Thanks There is a thread on this starting at In my case, it happens only rarely and only to messages which aren't scanned because of a Scan Messages rule. Setting Max Children = 1 solves it. -- Mark Sapiro mark at msapiro net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From alex at rtpty.com Wed Feb 25 18:16:58 2009 
From: alex at rtpty.com (Alex Neuman) Date: Wed Feb 25 18:17:08 2009 Subject: double delivery of emails In-Reply-To: <000101c99722$a6978580$f3c69080$@edu.ph> References: <000101c99722$a6978580$f3c69080$@edu.ph> Message-ID: <24e3d2e40902251016l1da46d2bj77f1ba84a47b166b@mail.gmail.com> What are the message ids on both "repeated" messages? If you compare them and find them to be the same, the problem is within your system. If they're different, you had the messages delivered twice by a third party. It could still be your fault, but it would probably involve something with the network and not with your particular MTA/MS configuration. Also, some important information regarding your situation could help; your message doesn't include any clues as to what kind of hardware/os/mta you're running on. It could be running on CP/M or VMS for all we know ;-) On Wed, Feb 25, 2009 at 3:25 AM, Jose Nathaniel G. Nengasca <nats@sscrmnl.edu.ph> wrote: > Hi, > > Is there someone experienced you have two or more emails that are the same? > I got this frequently on my inbox. Could someone point me to the right > direction? Thanks > > J. N. Nengasca > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- Alex Neuman van der Hans Reliant Technologies +507 6781-9505 +507 202-1525 alex@rtpty.com Skype: alexneuman From alex at rtpty.com Wed Feb 25 18:18:35 2009 
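Alex Neuman's Message-ID comparison in the message above, worked through as an added example (not part of the thread and not MailScanner code): copies that share a Message-ID point at duplication on your own system, such as the locking or `Max Children` issues discussed in this thread, while the same content under different Message-IDs points at a second submission upstream. The sample messages, their addresses and the `fingerprint` heuristic are constructed assumptions.

```python
import email
import hashlib
from collections import defaultdict
from email import policy

# Constructed sample inbox (not taken from the thread): one raw message each.
SAMPLE_MESSAGES = [
    # 0 and 1: same Message-ID, different local hops -> duplicated locally.
    "Received: from mx.example (constructed hop A)\n"
    "From: alice@sender.example\n"
    "Subject: Quarterly report\n"
    "Message-ID: <constructed-1@sender.example>\n"
    "\n"
    "Report attached.\n",
    "Received: from mx.example (constructed hop B)\n"
    "From: alice@sender.example\n"
    "Subject: Quarterly report\n"
    "Message-ID: <constructed-1@sender.example>\n"
    "\n"
    "Report attached.\n",
    # 2 and 3: same sender, subject and body, different Message-IDs
    # -> the message was submitted twice before it reached this system.
    "From: bob@sender.example\n"
    "Subject: Invoice\n"
    "Message-ID: <constructed-2a@sender.example>\n"
    "\n"
    "Please pay by Friday.\n",
    "From: bob@sender.example\n"
    "Subject: Invoice\n"
    "Message-ID: <constructed-2b@sender.example>\n"
    "\n"
    "Please pay  by Friday.\n",
    # 4: a message with no duplicate at all.
    "From: carol@sender.example\n"
    "Subject: Lunch\n"
    "Message-ID: <constructed-3@sender.example>\n"
    "\n"
    "Noon?\n",
]


def fingerprint(msg):
    """Hash sender, subject and whitespace-normalised text body.

    Assumption of this example: two mails with the same fingerprint are
    'the same mail' even if their Message-IDs differ.
    """
    part = msg.get_body(preferencelist=("plain", "html")) or msg
    text = part.get_content() if part.get_content_maintype() == "text" else ""
    key = "\n".join([
        str(msg.get("From", "")),
        str(msg.get("Subject", "")),
        " ".join(text.split()),
    ])
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def classify_duplicates(raw_messages):
    """Return (local, upstream).

    local    : {Message-ID: [indexes]} for IDs seen more than once, i.e. one
               message delivered repeatedly by the local MTA/scanner.
    upstream : list of sorted Message-ID groups that carry identical content,
               i.e. the sender or a relay submitted the mail more than once.
    """
    by_id = defaultdict(list)
    by_content = defaultdict(set)
    for index, raw in enumerate(raw_messages):
        msg = email.message_from_string(raw, policy=policy.default)
        # A missing Message-ID gets a per-message placeholder so that two
        # ID-less mails are never reported as the same message.
        mid = str(msg.get("Message-ID", "")).strip() or f"<missing-{index}>"
        by_id[mid].append(index)
        by_content[fingerprint(msg)].add(mid)
    local = {mid: idx for mid, idx in by_id.items() if len(idx) > 1}
    upstream = [sorted(ids) for ids in by_content.values() if len(ids) > 1]
    return local, upstream


if __name__ == "__main__":
    local, upstream = classify_duplicates(SAMPLE_MESSAGES)
    for mid, copies in local.items():
        print(f"local duplicate: {mid} appears as messages {copies}")
    for group in upstream:
        print(f"sent more than once upstream: {', '.join(group)}")
```
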
From: alex at rtpty.com (Alex Neuman) Date: Wed Feb 25 18:18:45 2009 Subject: Mail auto translation plugin? In-Reply-To: References: Message-ID: <24e3d2e40902251018x191d96ffq3b243e9580775ffb@mail.gmail.com> This could be done in a way similar to how the use of "antiword" is implemented right now, right? Also maybe a procmail recipe? I'll google around and see... On Wed, Feb 25, 2009 at 11:52 AM, Remco Barendse wrote: > Hi list! A little bit offtopic question : > > I need something to translate all incoming (or outgoing) mail that goes > through MailScanner. The mail can be in Japanese, Chinese or Russian. > > Is there anyone that is able / willing to write a MailScanner plugin that > will run the text through an online translator like (for example), > translate.google.com. > > Yes, i know that translations from those translators kinda suck, but they > still understand Japanese a little bit better than me :) > > I'm willing to pay for such a plugin, if anybody could estimate the cost > for such a plugin, please let me know. > > Thanks! > Remco > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- Alex Neuman van der Hans Reliant Technologies +507 6781-9505 +507 202-1525 alex@rtpty.com Skype: alexneuman From alex at rtpty.com Wed Feb 25 18:19:17 2009 
From: alex at rtpty.com (Alex Neuman) Date: Wed Feb 25 18:19:26 2009 Subject: Mail auto translation plugin? In-Reply-To: References: Message-ID: <24e3d2e40902251019n11727827p5c72322b04d4337e@mail.gmail.com> How could you tell if the language was Chinese, Japanese or Russian? From the codepages? What about UTF? On Wed, Feb 25, 2009 at 11:52 AM, Remco Barendse wrote: > Hi list! A little bit offtopic question : > > I need something to translate all incoming (or outgoing) mail that goes > through MailScanner. The mail can be in Japanese, Chinese or Russian. > > Is there anyone that is able / willing to write a MailScanner plugin that > will run the text through an online translator like (for example), > translate.google.com. > > Yes, i know that translations from those translators kinda suck, but they > still understand Japanese a little bit better than me :) > > I'm willing to pay for such a plugin, if anybody could estimate the cost > for such a plugin, please let me know. > > Thanks! > Remco > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- Alex Neuman van der Hans Reliant Technologies +507 6781-9505 +507 202-1525 alex@rtpty.com Skype: alexneuman From alex at rtpty.com Wed Feb 25 18:21:15 2009 
From: alex at rtpty.com (Alex Neuman) Date: Wed Feb 25 18:21:25 2009 Subject: Mail auto translation plugin? In-Reply-To: <24e3d2e40902251019n11727827p5c72322b04d4337e@mail.gmail.com> References: <24e3d2e40902251019n11727827p5c72322b04d4337e@mail.gmail.com> Message-ID: <24e3d2e40902251021l365e4dc2ifb2a24874345b1b9@mail.gmail.com> How about something that, using procmail, combines "piping" as noted in: http://forums.fedoraforum.org/archive/index.php/t-110402.html and "tw" as in: http://www.linux.com/feature/130852 ?? On Wed, Feb 25, 2009 at 1:19 PM, Alex Neuman wrote: > How could you tell if the language was chinese, japanese or russian? From > the codepages? What about UTF? > > On Wed, Feb 25, 2009 at 11:52 AM, Remco Barendse wrote: > >> Hi list! A little bit offtopic question : >> >> I need something to translate all incoming (or outgoing) mail that goes >> through MailScanner. The mail can be in Japanese, Chinese or Russian. >> >> Is there anyone that is able / willing to write a MailScanner plugin that >> will run the text through an online translator like (for example), >> translate.google.com. >> >> Yes, i know that translations from those translators kinda suck, but they >> still understand Japanese a little bit better than me :) >> >> I'm willing to pay for such a plugin, if anybody could estimate the cost >> for such a plugin, please let me know. >> >> Thanks! >> Remco >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> > > > > -- > Alex Neuman van der Hans > Reliant Technologies > +507 6781-9505 > +507 202-1525 > alex@rtpty.com > Skype: alexneuman > -- Alex Neuman van der Hans Reliant Technologies +507 6781-9505 +507 202-1525 alex@rtpty.com Skype: alexneuman 
From pal at mssl.ucl.ac.uk Wed Feb 25 19:14:11 2009 From: pal at mssl.ucl.ac.uk (Paul Lamb) Date: Wed Feb 25 19:14:29 2009 Subject: "too big for spam checks" Message-ID: <49A59883.7000906@mssl.ucl.ac.uk> I have noticed a number of MailScanner messages in /var/log/messages of the form:- MailScanner: Message from ... is too big for spam check Such messages are dropped which I find surprising as the comments in MailScanner.conf against Max Spam Check Size include:- # ...if a message is bigger than a certain size, it # is highly unlikely to be spam. Limiting this saves # a lot of time checking huge messages. This suggests to me that larger messages should be accepted. (I believe that this was the case with the last versions of MailScanner/Spamassassin that I used). The few messages to the list about this error message do not explicitly answer these two questions:- Do we expect messages larger than Max Spam Check Size to be accepted or dropped? Is there another parameter involved in addition to Max Spam Check Size = 200M Max SpamAssassin Size = 200k I am running MailScanner version 4.72.5 and Spamassassin version 3.2.4 Thanks, Paul From ssilva at sgvwater.com Wed Feb 25 20:01:52 2009 
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Feb 25 20:02:16 2009 Subject: "too big for spam checks" In-Reply-To: <49A59883.7000906@mssl.ucl.ac.uk> References: <49A59883.7000906@mssl.ucl.ac.uk> Message-ID: on 2-25-2009 11:14 AM Paul Lamb spake the following: > > I have noticed a number of MailScanner messages in /var/log/messages > of the form:- > > MailScanner: Message from ... is too big for spam check > > Such messages are dropped which I find surprising as the comments in > MailScanner.conf against Max Spam Check Size include:- > # ...if a message is bigger than a certain size, it > # is highly unlikely to be spam. Limiting this saves > # a lot of time checking huge messages. > > This suggests to me that larger messages should be accepted. (I believe > that this was the case with the last versions of > MailScanner/Spamassassin that I used). > > The few messages to the list about this error message do not explicitly > answer these two questions:- > > Do we expect messages larger than Max Spam Check Size to be accepted > or dropped? > > Is there another parameter involved in addition to > Max Spam Check Size = 200M > Max SpamAssassin Size = 200k > > I am running MailScanner version 4.72.5 and Spamassassin version 3.2.4 > > Thanks, > Paul > > > Maximum Message Size is the only one that I remember that would drop a message. Can you post log snippets of the messages being dropped? -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From root at doctor.nl2k.ab.ca Wed Feb 25 23:35:29 2009 
From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem) Date: Wed Feb 25 23:37:12 2009 Subject: [luca@clamav.net: [Clamav-announce] announcing 0.95rc1] Message-ID: <20090225233529.GC4670@doctor.nl2k.ab.ca> Heads up! ----- Forwarded message from Luca Gibelli ----- X-Spam-Filter: check_local@doctor.nl2k.ab.ca by digitalanswers.org X-Virus-Scanned: Debian amavisd-new at tad.clamav.net X-Original-To: clamav-announce@tad.clamav.net Delivered-To: clamav-announce@tad.clamav.net X-Virus-Scanned: Debian amavisd-new at tad.clamav.net Date: Thu, 26 Feb 2009 00:29:25 +0100 
From: Luca Gibelli To: clamav-announce@lists.clamav.net User-Agent: Mutt/1.5.18 (2008-05-17) X-Mailman-Approved-At: Thu, 26 Feb 2009 00:30:59 +0100 Subject: [Clamav-announce] announcing 0.95rc1 X-BeenThere: clamav-announce@lists.clamav.net X-Mailman-Version: 2.1.9 Precedence: list Reply-To: noreply@clamav.net List-Id: ClamAV events are announced here List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: clamav-announce-bounces@lists.clamav.net X-Null-Tag: 34d90743079f85780753e885ec154a7f X-NetKnow-InComing-4-74-16-1-MailScanner-Information: Please contact the ISP for more information X-NetKnow-InComing-4-74-16-1-MailScanner-ID: n1PNX1On007113 X-NetKnow-InComing-4-74-16-1-MailScanner: Found to be clean X-NetKnow-InComing-4-74-16-1-MailScanner-IP-Protocol: IPv4 X-NetKnow-InComing-4-74-16-1-MailScanner-From: clamav-announce-bounces@lists.clamav.net X-NetKnow-InComing-4-74-16-1-MailScanner-Watermark: 1236036789.58595@8jcn6noLGwkjbCAwCAuPsA X-Spam-Status: No Dear ClamAV users, ClamAV 0.95rc1 introduces many bugfixes, improvements and additions. To make the transition easier, we put various tips and upgrade notes on this page: https://wiki.clamav.net/Main/UpgradeNotes095 The following are the key features of this release: - New clamav-milter: The program has been redesigned and rewritten from scratch. The most notable difference is that the internal mode has been dropped which means that now a working clamd companion is required. The milter now also has its own configuration file. - Clamd extensions: The protocol has been extended to lighten the load that clamd puts on the system, solve limitations of the old protocol, and reduce latency when signature updates are received. For more information about the new extensions please see the official documentation and the upgrade notes. 
- Improved API: The API used to program ClamAV's engine (libclamav) has been redesigned to use modern object-oriented techniques and solves various API/ABI compatibility issues between old and new releases. You can find more information in Section 6 of clamdoc.pdf and in the upgrade notes. - ClamdTOP: This is a new program that allows system administrators to monitor clamd. It provides information about the items in the clamd's queue, clamd's memory usage, and the version of the signature database, all in real-time and in nice curses-based interface. - Memory Pool Allocator: Libclamav now includes its own memory pool allocator based on memory mapping. This new solution replaces the traditional malloc/free system for the copy of the signatures that is kept in memory. As a result, clamd requires much less memory, particularly when signature updates are received and the database is loaded into memory. - Unified Option Parser: Prior to version 0.95 each program in ClamAV's suite of programs had its own set of runtime options. The new general parser brings consistency of use and validation to these options across the suite. Some command line switches of clamscan have been renamed (the old ones will still be accepted but will have no effect and will result in warnings), please see clamscan(1) and clamscan --help for the details. -- The ClamAV team (http://www.clamav.net/team) -- Luca Gibelli (luca _at_ clamav.net) ClamAV, a GPL anti-virus toolkit [Tel] +39 0187 1851862 [Fax] +39 0187 1852252 [IM] nervous/jabber.linux.it PGP key id 5EFC5582 @ any key-server || http://www.clamav.net/gpg/luca.gpg _______________________________________________ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-announce -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. ----- End forwarded message ----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From alex at rtpty.com Thu Feb 26 04:11:55 2009 From: alex at rtpty.com (Alex Neuman) Date: Thu Feb 26 04:12:07 2009 Subject: [luca@clamav.net: [Clamav-announce] announcing 0.95rc1] In-Reply-To: <20090225233529.GC4670@doctor.nl2k.ab.ca> References: <20090225233529.GC4670@doctor.nl2k.ab.ca> Message-ID: <24e3d2e40902252011pafdabc3yd3b26159b88fc272@mail.gmail.com> Does anybody know if updating manually works for all three alternatives (clamav, clamd, clamavmodule)? And Jules, do you need help crafting a new SA+Clam package? Cheers, Alex On Wed, Feb 25, 2009 at 6:35 PM, Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem wrote: > Heads up! > > ----- Forwarded message from Luca Gibelli ----- > > X-Spam-Filter: check_local@doctor.nl2k.ab.ca by digitalanswers.org > X-Virus-Scanned: Debian amavisd-new at tad.clamav.net > X-Original-To: clamav-announce@tad.clamav.net > Delivered-To: clamav-announce@tad.clamav.net > X-Virus-Scanned: Debian amavisd-new at tad.clamav.net > Date: Thu, 26 Feb 2009 00:29:25 +0100 
> From: Luca Gibelli > To: clamav-announce@lists.clamav.net > User-Agent: Mutt/1.5.18 (2008-05-17) > X-Mailman-Approved-At: Thu, 26 Feb 2009 00:30:59 +0100 > Subject: [Clamav-announce] announcing 0.95rc1 > X-BeenThere: clamav-announce@lists.clamav.net > X-Mailman-Version: 2.1.9 > Precedence: list > Reply-To: noreply@clamav.net > List-Id: ClamAV events are announced here < > clamav-announce.lists.clamav.net> > List-Unsubscribe: > , > ?subject=unsubscribe> > List-Post: > List-Help: > List-Subscribe: > , > > Errors-To: clamav-announce-bounces@lists.clamav.net > X-Null-Tag: 34d90743079f85780753e885ec154a7f > X-NetKnow-InComing-4-74-16-1-MailScanner-Information: Please contact the > ISP > for more information > X-NetKnow-InComing-4-74-16-1-MailScanner-ID: n1PNX1On007113 > X-NetKnow-InComing-4-74-16-1-MailScanner: Found to be clean > X-NetKnow-InComing-4-74-16-1-MailScanner-IP-Protocol: IPv4 > X-NetKnow-InComing-4-74-16-1-MailScanner-From: > clamav-announce-bounces@lists.clamav.net > X-NetKnow-InComing-4-74-16-1-MailScanner-Watermark: > 1236036789.58595@8jcn6noLGwkjbCAwCAuPsA > X-Spam-Status: No > > > Dear ClamAV users, > > ClamAV 0.95rc1 introduces many bugfixes, improvements and additions. To > make > the transition easier, we put various tips and upgrade notes on this page: > https://wiki.clamav.net/Main/UpgradeNotes095 > > The following are the key features of this release: > > - New clamav-milter: The program has been redesigned and rewritten from > scratch. The most notable difference is that the internal mode has > been > dropped which means that now a working clamd companion is required. > The milter now also has its own configuration file. > > - Clamd extensions: The protocol has been extended to lighten the load > that clamd puts on the system, solve limitations of the old protocol, > and reduce latency when signature updates are received. Fore more > information about the new extensions please see the official > documentation and the upgrade notes. 
> > - Improved API: The API used to program ClamAV's engine (libclamav) has > been redesigned to use modern object-oriented techniques and solves > various API/ABI compatibility issues between old and new releases. > You can find more information in Section 6 of clamdoc.pdf and in > the upgrade notes. > > - ClamdTOP: This is a new program that allows system administrators to > monitor clamd. It provides information about the items in the clamd's > queue, clamd's memory usage, and the version of the signature > database, > all in real-time and in nice curses-based interface. > > - Memory Pool Allocator: Libclamav now includes its own memory pool > allocator based on memory mapping. This new solution replaces the > traditional malloc/free system for the copy of the signatures that > is kept in memory. As a result, clamd requires much less memory, > particularly when signature updates are received and the database is > loaded into memory. > > - Unified Option Parser: Prior to version 0.95 each program in ClamAV's > suite of programs had its own set of runtime options. The new general > parser brings consistency of use and validation to these options > across > the suite. Some command line switches of clamscan have been renamed > (the old ones will still be accepted but will have no effect and will > result in warnings), please see clamscan(1) and clamscan --help for > the details. > > -- > The ClamAV team (http://www.clamav.net/team) > > -- > Luca Gibelli (luca _at_ clamav.net) ClamAV, a GPL anti-virus toolkit > [Tel] +39 0187 1851862 [Fax] +39 0187 1852252 [IM] nervous/jabber.linux.it > PGP key id 5EFC5582 @ any key-server || http://www.clamav.net/gpg/luca.gpg > _______________________________________________ > http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-announce > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. 
> > > ----- End forwarded message ----- > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- Alex Neuman van der Hans Reliant Technologies +507 6781-9505 +507 202-1525 alex@rtpty.com Skype: alexneuman -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090225/f18a71b7/attachment.html From maxsec at gmail.com Thu Feb 26 08:56:52 2009 
From: maxsec at gmail.com (Martin Hepworth) Date: Thu Feb 26 08:57:02 2009 Subject: [luca@clamav.net: [Clamav-announce] announcing 0.95rc1] In-Reply-To: <24e3d2e40902252011pafdabc3yd3b26159b88fc272@mail.gmail.com> References: <20090225233529.GC4670@doctor.nl2k.ab.ca> <24e3d2e40902252011pafdabc3yd3b26159b88fc272@mail.gmail.com> Message-ID: <72cf361e0902260056r41cbfc3dm871c8c4875829cd1@mail.gmail.com> Having a quick look at the upgrading notes, looks like the clamd interface will need a little work also. (oh and of course clamavmodule ;-) -- Martin Hepworth Oxford, UK 2009/2/26 Alex Neuman : > Does anybody know if updating manually works for all three alternatives > (clamav, clamd, clamavmodule)? > And Jules, do you need help crafting a new SA+Clam package? > > Cheers, > > Alex > > On Wed, Feb 25, 2009 at 6:35 PM, Dave Shariff Yadallee - System > Administrator a.k.a. The Root of the Problem wrote: >> >> Heads up! >> >> ----- Forwarded message from Luca Gibelli ----- >> >> X-Spam-Filter: check_local@doctor.nl2k.ab.ca by digitalanswers.org >> X-Virus-Scanned: Debian amavisd-new at tad.clamav.net >> X-Original-To: clamav-announce@tad.clamav.net >> Delivered-To: clamav-announce@tad.clamav.net >> X-Virus-Scanned: Debian amavisd-new at tad.clamav.net >> Date: Thu, 26 Feb 2009 00:29:25 +0100 
>> From: Luca Gibelli >> To: clamav-announce@lists.clamav.net >> User-Agent: Mutt/1.5.18 (2008-05-17) >> X-Mailman-Approved-At: Thu, 26 Feb 2009 00:30:59 +0100 >> Subject: [Clamav-announce] announcing 0.95rc1 >> X-BeenThere: clamav-announce@lists.clamav.net >> X-Mailman-Version: 2.1.9 >> Precedence: list >> Reply-To: noreply@clamav.net >> List-Id: ClamAV events are announced here >> >> List-Unsubscribe: >> , >> >> >> List-Post: >> List-Help: >> List-Subscribe: >> , >> >> Errors-To: clamav-announce-bounces@lists.clamav.net >> X-Null-Tag: 34d90743079f85780753e885ec154a7f >> X-NetKnow-InComing-4-74-16-1-MailScanner-Information: Please contact the >> ISP >> for more information >> X-NetKnow-InComing-4-74-16-1-MailScanner-ID: n1PNX1On007113 >> X-NetKnow-InComing-4-74-16-1-MailScanner: Found to be clean >> X-NetKnow-InComing-4-74-16-1-MailScanner-IP-Protocol: IPv4 >> X-NetKnow-InComing-4-74-16-1-MailScanner-From: >> clamav-announce-bounces@lists.clamav.net >> X-NetKnow-InComing-4-74-16-1-MailScanner-Watermark: >> 1236036789.58595@8jcn6noLGwkjbCAwCAuPsA >> X-Spam-Status: No >> >> >> Dear ClamAV users, >> >> ClamAV 0.95rc1 introduces many bugfixes, improvements and additions. To >> make >> the transition easier, we put various tips and upgrade notes on this page: >> https://wiki.clamav.net/Main/UpgradeNotes095 >> >> The following are the key features of this release: >> >> - New clamav-milter: The program has been redesigned and rewritten from >> scratch. The most notable difference is that the internal mode has >> been >> dropped which means that now a working clamd companion is required. >> The milter now also has its own configuration file. >> >> - Clamd extensions: The protocol has been extended to lighten the load >> that clamd puts on the system, solve limitations of the old protocol, >> and reduce latency when signature updates are received. Fore more
>> information about the new extensions please see the official >> documentation and the upgrade notes. >> >> - Improved API: The API used to program ClamAV's engine (libclamav) has >> been redesigned to use modern object-oriented techniques and solves >> various API/ABI compatibility issues between old and new releases. >> You can find more information in Section 6 of clamdoc.pdf and in >> the upgrade notes. >> >> - ClamdTOP: This is a new program that allows system administrators to >> monitor clamd. It provides information about the items in the clamd's >> queue, clamd's memory usage, and the version of the signature >> database, >> all in real-time and in nice curses-based interface. >> >> - Memory Pool Allocator: Libclamav now includes its own memory pool >> allocator based on memory mapping. This new solution replaces the >> traditional malloc/free system for the copy of the signatures that >> is kept in memory. As a result, clamd requires much less memory, >> particularly when signature updates are received and the database is >> loaded into memory. >> >> - Unified Option Parser: Prior to version 0.95 each program in ClamAV's >> suite of programs had its own set of runtime options. The new general >> parser brings consistency of use and validation to these options >> across >> the suite. Some command line switches of clamscan have been renamed >> (the old ones will still be accepted but will have no effect and will >> result in warnings), please see clamscan(1) and clamscan --help for >> the details. >> >> -- >> The ClamAV team (http://www.clamav.net/team) >> >> -- >> Luca Gibelli (luca _at_ clamav.net) 
ClamAV, a GPL anti-virus toolkit >> [Tel] +39 0187 1851862 [Fax] +39 0187 1852252 [IM] nervous/jabber.linux.it >> PGP key id 5EFC5582 @ any key-server || http://www.clamav.net/gpg/luca.gpg >> _______________________________________________ >> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-announce >> >> -- >> This message has been scanned for viruses and >> dangerous content by MailScanner, and is >> believed to be clean. >> >> >> ----- End forwarded message ----- >> >> -- >> This message has been scanned for viruses and >> dangerous content by MailScanner, and is >> believed to be clean. >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! > > > > -- > Alex Neuman van der Hans > Reliant Technologies > +507 6781-9505 > +507 202-1525 > alex@rtpty.com > Skype: alexneuman > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > From MailScanner at ecs.soton.ac.uk Thu Feb 26 10:25:28 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Feb 26 10:25:50 2009 Subject: Mailscanner install In-Reply-To: <49A47A36.5020300@vanderkooij.org> References: <1775849488-1235493178-cardhu_decombobulator_blackberry.rim.net-907691046-@bxe1261.bisx.prod.on.blackberry> <49A425E2.505@ecs.soton.ac.uk> <49A47A36.5020300@vanderkooij.org> Message-ID: <49A66E18.1070601@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 24/2/09 22:52, Hugo van der Kooij wrote: > * PGP Signed by an unverified key: 02/24/09 at 22:52:36 > > Julian Field wrote: > >> The "Other Unix" MailScanner distribution is intended for use any on >> sort of Unix system. Quite a few variants of Unix don't even use init.d >> scripts at all (e.g. Solaris 10) and on those that do they are all >> different. If you want an init.d script for your variant of Unix, then I >> suggest you copy one from another fairly simple service (perhaps ntpd or >> sshd or something like that) and modify it to suit your requirements. >> > > What Solaris 10 version have you been running? All Solaris versions I > have worked with have init.d scripts. > Yes, but it's strongly deprecated. You should be using the XML stuff and a "svcadm import" command (if I remember the syntax correctly). Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! 
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.9.1 (Build 287) Comment: Use Enigmail to decrypt or check this message is legitimate Charset: ISO-8859-1 wj8DBQFJpm4YEfZZRxQVtlQRAhBqAKCzLndFLThAHG9AI0QfAjx5Z7uH4wCaA683 p94K9ZUeV/5Heeagt9mUmOw= =lfh+ -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Thu Feb 26 10:26:22 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Feb 26 10:26:42 2009 Subject: add action to watermarking In-Reply-To: <49A447A2.3040400@ehoeve.com> References: <49A2F2CB.5060604@ehoeve.com> <223f97700902240059w74ac12c7qa342ff8b2c6137e5@mail.gmail.com> <49A447A2.3040400@ehoeve.com> Message-ID: <49A66E4E.2010608@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 24/2/09 19:16, Eric Hoeve wrote: > Glenn Steen said the following, On 2/24/2009 2:59 AM: >> 2009/2/23 Eric Hoeve : >>> First off I want to say that MailScanner is a great piece of >>> software that >>> has helped me tremendously. >>> >>> Background: I have Spam and High Scoring Spam set up to deliver with a >>> special header that allows the MUA to know it should drop the message >>> in the >>> spam bucket. >>> >>> Now I am getting a ton of 'backscatter' from spammer(s) spoofing one >>> of our >>> users' email address to send spam. Now they get tons of 'bounce' >>> messages and >>> filling up their mailbox (spam bucket) because I am using the watermark >>> feature. Would there be a way to make it so I could just delete all >>> email >>> that bounces to a specific user and also failing the watermark test. >>> I see >>> my current choices are 'spam', 'high scoring spam', etc but no >>> delete/drop >>> option. It would be nice if I could do something like this in 'rules'. >>> >>> Current MS Version is: 4.73.4. >>> >>> Thanks in advance. >>> >>> -Eric >>> -=-=-=-=-=-=-=-=-=-=-=- >>> Eric Hoeve >> >> Why not delete the High Scoring Spam and set it to that? >> >> Cheers > Thanks for the prompt replies. 
> > I had kind of thought about doing it that way.However, I was looking > at the code for the watermark in > /usr/lib/MailScanner/MailScanner/Message.pm > > Unfortunately I do not have a spare system hanging around where I can > test these code changes, but what if I add the following code: > > --- MailScanner/Message.bak 2009-02-24 12:50:31.000000000 -0600 > +++ MailScanner/Message.pm 2009-02-24 13:02:05.000000000 -0600 
> @@ -569,6 +569,12 @@ > #print STDERR "mshmacnull = $mshmacnull\n"; > # This can be "none", "spam" or "high-scoring spam" > #$mshmacnull =~ s/[^a-z]//g; > + if ($mshmacnull =~ /delete/) { > + $this->{deleted} = 1; > + $this->{dontdeliver} = 1; > + MailScanner::Log::InfoLog("Message %s from %s has no (or > invalid) watermark or sender address delete message", $this->{id}, > $this->{clientip}) if $LogSpam;; > + return 1; > + } > if ($mshmacnull =~ /high/) { > my $highscore = > MailScanner::Config::Value('highspamassassinscore', $this); > $this->{isspam} = 1; > > ---------- End of Code -------------------------------------------- > > Would that mark the message as 'deleted' and thus delete the message??? > Then I could just use 'Treat Invalid Watermarks With No Sender as Spam > = delete'. > > If that would work maybe you could add that code snippet to the next > release of MailScanner. > > This was just a thought. Otherwise I will probably just end use what > Glenn or Gareth mentioned. You nearly got the code right, very close in fact. I have added code to do this, and it will be in the next release. Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.9.1 (Build 287) Comment: Use Enigmail to decrypt or check this message is legitimate Charset: UTF-8 wj8DBQFJpm5OEfZZRxQVtlQRAt/cAKD6/O7gGc7lvoH9yBuHPFCdZQnaxQCeK3nj zzUixMYVJZ/NK7wwvIE1914= =Dw9A -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Thu Feb 26 10:32:55 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Feb 26 10:33:18 2009 Subject: MailScanner 4.75.1-1 beta Message-ID: <49A66FD7.9080303@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Including the new "delete" instruction in the watermark possibilities, and a bunch of other things: * New Features and Improvements * 1 Added more spam logging to simply find delivery and non-delivery addresses. 1 Improved error messages when using Custom Functions that won't compile. 1 Added new configuration option "Unpack Microsoft Documents" to control the unpacking of OLE document files, as there have been rare cases of the third-party extraction code hanging when faced with particular files. If you rely on ClamAV for all your virus-checking, then you can safely switch this off as ClamAV has its own OLE unpacking code. Do remember, however, that this will disable all filename and filetype checking of embedded files. It is on by default. 1 Added new option "delete" to setting "Treat Invalid Watermarks With No Sender as Spam =" so messages with invalid watermarks can just be deleted. * Fixes * 1 Fix to multiple-milter support in Postfix in rare case. I have just posted MailScanner 4.75.1-1. Please test this for me and confirm that it all works okay, including the new features. Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! 
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.9.1 (Build 287) Comment: Use Enigmail to decrypt or check this message is legitimate Charset: ISO-8859-1 wj8DBQFJpm/XEfZZRxQVtlQRAgtWAKDd83q4O8ll4P/1JNLdVMuydZYqfACgvW0h 7LWMLNhldM6BJGoaPJx4NQo= =aURu -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Thu Feb 26 10:33:31 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Feb 26 10:33:52 2009 Subject: add action to watermarking In-Reply-To: <49A66E4E.2010608@ecs.soton.ac.uk> References: <49A2F2CB.5060604@ehoeve.com> <223f97700902240059w74ac12c7qa342ff8b2c6137e5@mail.gmail.com> <49A447A2.3040400@ehoeve.com> <49A66E4E.2010608@ecs.soton.ac.uk> Message-ID: <49A66FFB.5010302@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 26/2/09 10:26, Julian Field wrote: > * PGP Signed: 02/26/09 at 10:26:22 > > > > On 24/2/09 19:16, Eric Hoeve wrote: >> Glenn Steen said the following, On 2/24/2009 2:59 AM: >>> 2009/2/23 Eric Hoeve : >>>> First off I want to say that MailScanner is a great piece of >>>> software that >>>> has helped me tremendously. >>>> >>>> Background: I have Spam and High Scoring Spam set up to deliver with a >>>> special header that allows the MUA to know it should drop the message >>>> in the >>>> spam bucket. >>>> >>>> Now I am getting a ton of 'backscatter' from spammer(s) spoofing >>>> one of our >>>> users' email address to send spam. Now they get tons of 'bounce' >>>> messages and >>>> filling up their mailbox (spam bucket) because I am using the watermark >>>> feature. Would there be a way to make it so I could just delete all >>>> email >>>> that bounces to a specific user and also failing the watermark >>>> test. I see >>>> my current choices are 'spam', 'high scoring spam', etc but no >>>> delete/drop >>>> option. It would be nice if I could do something like this in 'rules'. >>>> >>>> Current MS Version is: 4.73.4. >>>> >>>> Thanks in advance. >>>> >>>> -Eric >>>> -=-=-=-=-=-=-=-=-=-=-=- >>>> Eric Hoeve >>> >>> Why not delete the High Scoring Spam and set it to that? >>> >>> Cheers >> Thanks for the prompt replies. 
>> >> I had kind of thought about doing it that way.However, I was looking >> at the code for the watermark in >> /usr/lib/MailScanner/MailScanner/Message.pm >> >> Unfortunately I do not have a spare system hanging around where I can >> test these code changes, but what if I add the following code: >> >> --- MailScanner/Message.bak 2009-02-24 12:50:31.000000000 -0600 >> +++ MailScanner/Message.pm 2009-02-24 13:02:05.000000000 -0600 
>> @@ -569,6 +569,12 @@ >> #print STDERR "mshmacnull = $mshmacnull\n"; >> # This can be "none", "spam" or "high-scoring spam" >> #$mshmacnull =~ s/[^a-z]//g; >> + if ($mshmacnull =~ /delete/) { >> + $this->{deleted} = 1; >> + $this->{dontdeliver} = 1; >> + MailScanner::Log::InfoLog("Message %s from %s has no (or >> invalid) watermark or sender address delete message", $this->{id}, >> $this->{clientip}) if $LogSpam;; >> + return 1; >> + } >> if ($mshmacnull =~ /high/) { >> my $highscore = >> MailScanner::Config::Value('highspamassassinscore', $this); >> $this->{isspam} = 1; >> >> ---------- End of Code -------------------------------------------- >> >> Would that mark the message as 'deleted' and thus delete the message??? >> Then I could just use 'Treat Invalid Watermarks With No Sender as >> Spam = delete'. >> >> If that would work maybe you could add that code snippet to the next >> release of MailScanner. >> >> This was just a thought. Otherwise I will probably just end use what >> Glenn or Gareth mentioned. > You nearly got the code right, very close in fact. I have added code > to do this, and it will be in the next release. As in the release I just made for you :-) Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.9.1 (Build 287) Comment: Use Enigmail to decrypt or check this message is legitimate Charset: UTF-8 wj8DBQFJpm/8EfZZRxQVtlQRAhLtAKDx+ZgFrlRQtSMzr3BzRwjBpNan2wCguIaG vyPzJ0noDVPvtAdGD1ggfiM= =E3Z0 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
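Review bot: in the added `if ($mshmacnull =~ /delete/)` branch the test is an unanchored substring match, and the normalising `#$mshmacnull =~ s/[^a-z]//g;` just above it is commented out, so any configured value that merely contains "delete" discards the message; because this action cannot be undone, compare against the exact keyword instead (for example `=~ /^\s*delete\s*$/i`). The branch returns before `$this->{isspam}` is set and logs only `if $LogSpam`, so when `$LogSpam` is false a message is dropped without any log entry; log the deletion unconditionally. `$LogSpam` is not declared anywhere in the visible context, so confirm it is in scope at this point in Message.pm, and drop the stray second semicolon in `if $LogSpam;;`. The comment `# This can be "none", "spam" or "high-scoring spam"` should also list the new "delete" value, and the log text "or sender address delete message" would read more clearly as "..., deleting message".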
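The decision this thread is about, as an added Python sketch that is not part of any post and is not MailScanner's code: mail with a null envelope sender is accepted only if the headers returned inside the bounce carry a valid watermark, otherwise the configured action (including the new "delete") applies. The HMAC layout, header name, secret, lifetime and all sample messages are assumptions constructed for this example.

```python
"""Watermark check for null-sender (bounce) mail: added illustration only.

The HMAC layout, header name, secret and lifetime are assumptions of this
example, not MailScanner's algorithm or defaults.
"""
import base64
import hashlib
import hmac
from email import message_from_string
from email.parser import HeaderParser

SECRET = b"constructed-site-secret"            # assumption: per-site secret
WM_HEADER = "X-Example-MailScanner-Watermark"  # assumption: header name
LIFETIME = 7 * 24 * 3600                       # assumption: seconds of validity
# Values the thread names for the invalid-watermark setting.
ACTIONS = ("none", "spam", "high-scoring spam", "delete")


def _tag(expiry, message_id, secret):
    """Truncated HMAC binding the expiry time to one Message-ID."""
    mac = hmac.new(secret, f"{expiry}|{message_id}".encode(), hashlib.sha256)
    return base64.urlsafe_b64encode(mac.digest()[:16]).rstrip(b"=").decode()


def make_watermark(message_id, now, secret=SECRET):
    """Value stamped on outbound mail: '<expiry>@<tag>'."""
    expiry = int(now) + LIFETIME
    return f"{expiry}@{_tag(expiry, message_id, secret)}"


def watermark_valid(value, message_id, now, secret=SECRET):
    """True only for a well-formed, unexpired watermark with a matching MAC."""
    expiry_text, sep, tag = str(value or "").strip().partition("@")
    if (not sep or len(expiry_text) > 12
            or not (expiry_text.isascii() and expiry_text.isdigit())):
        return False
    expiry = int(expiry_text)
    if expiry < now:
        return False
    expected = _tag(expiry, message_id, secret)
    return hmac.compare_digest(tag.encode(), expected.encode())


def original_headers(bounce):
    """Headers of the returned message carried inside a bounce, or None."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822" and part.is_multipart():
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":
            text = part.get_payload(decode=True).decode("utf-8", "replace")
            return HeaderParser().parsestr(text)
    return None


def action_for(raw, envelope_sender, now, invalid_action="delete"):
    """Return 'deliver' or the configured action for one received message."""
    if invalid_action not in ACTIONS:      # exact keyword, no substring match
        raise ValueError(f"unknown action: {invalid_action!r}")
    if envelope_sender.strip() not in ("", "<>"):
        return "deliver"                   # only null-sender mail is tested
    headers = original_headers(message_from_string(raw))
    if headers is not None and watermark_valid(
            headers.get(WM_HEADER), headers.get("Message-ID", ""), now):
        return "deliver"                   # bounce of mail this site sent
    return "deliver" if invalid_action == "none" else invalid_action


NOW = 1235664000                           # constructed clock value
MSG_ID = "<constructed-1@example.org>"     # constructed Message-ID


def build_bounce(watermark):
    """Constructed bounce that returns only the original headers."""
    wm_line = f"{WM_HEADER}: {watermark}\n" if watermark else ""
    return (
        "From: MAILER-DAEMON@remote.example\n"
        "To: user@example.org\n"
        "Subject: Undelivered Mail Returned to Sender\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/report; boundary="b1"\n'
        "\n--b1\nContent-Type: text/plain\n\nDelivery failed.\n"
        "--b1\nContent-Type: text/rfc822-headers\n\n"
        f"Message-ID: {MSG_ID}\nFrom: user@example.org\n{wm_line}"
        "--b1--\n"
    )


if __name__ == "__main__":
    genuine = build_bounce(make_watermark(MSG_ID, NOW - 3600))
    print("genuine bounce:", action_for(genuine, "<>", NOW))
    print("backscatter:   ", action_for(build_bounce(None), "<>", NOW))
```

Binding the tag to the Message-ID means a watermark copied from one legitimate message does not validate backscatter that claims to return a different one.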
From mailscanner at barendse.to Thu Feb 26 11:54:50 2009 From: mailscanner at barendse.to (Remco Barendse) Date: Thu Feb 26 11:55:10 2009 Subject: Mail auto translation plugin? In-Reply-To: <24e3d2e40902251019n11727827p5c72322b04d4337e@mail.gmail.com> References: <24e3d2e40902251019n11727827p5c72322b04d4337e@mail.gmail.com> Message-ID: On Wed, 25 Feb 2009, Alex Neuman wrote: > How could you tell if the language was Chinese, Japanese or Russian? From the codepages? What about UTF? The character encoding would be one pointer, on the other hand, in translate.google.com you can select "Detect language" which works quite nicely for the languages I need (Japanese, Chinese and Russian). To do it perfectly one could consider including a list of common key words used in each language. Greetings are one, the salutations at the end are another, pretty much every non-spam e-mail will have that, and these are unique to a language. However this would be already thinking about a rock-solid Rolls Royce class plug-in. I know building such a plugin that works on only one translation source is pretty thin but no other mail package has such a feature. I guess if the plugin will be ready enthusiasm and interest from the community will explode :) No idea however how Google might react to it once you start to invoke a nice load on their translation servers :) My mail volume will be low, about 100 messages a day. My experience with scripting, procmail, programming etc. is about as much as my available free time, 0,0 :) Let me know if you have any possibility to put something like that together. Thanks! From paulo-m-roncon at ptinovacao.pt Thu Feb 26 12:32:14 2009 
From: paulo-m-roncon at ptinovacao.pt (Paulo Roncon) Date: Thu Feb 26 12:32:45 2009 Subject: MailScanner Digest, Vol 38, Issue 31 In-Reply-To: <200902261203.n1QC2S8c022996@safir.blacknight.ie> References: <200902261203.n1QC2S8c022996@safir.blacknight.ie> Message-ID: I'm tuning a mailscanner+sendmail+clamav+spamassassin server and I'm having some questions: Do you use extra SA rules? After googling it seems that the extra rules out there (SARE, KAM, SOUGHT) are not up-to-date... Should I use several RBLs? Should I use them in the MTA, in mailscanner or in SA? Despite all the extras and tuning I'm still getting some SPAM... How can I fight it? What SA Score do you use? And High Spam Score? Do you use MCP? Thank You all! Paulo Roncon From maxsec at gmail.com Thu Feb 26 12:47:41 2009 
From: maxsec at gmail.com (Martin Hepworth) Date: Thu Feb 26 12:47:51 2009 Subject: MailScanner Digest, Vol 38, Issue 31 In-Reply-To: References: <200902261203.n1QC2S8c022996@safir.blacknight.ie> Message-ID: <72cf361e0902260447s48a0513te45ee3beac5150d2@mail.gmail.com> 2009/2/26 Paulo Roncon : > > I'm tuning a mailscanner+sendmail+clamav+spamassassin server and I'm having some questions: > Do you use extra SA rules? After googling it seems that the extra rules out there (SARE, KAM, SOUGHT) are not up-to-date... > Should I use several RBLs? Should I use them in the MTA, in mailscanner or in SA? > Despite all the extras and tuning I'm still getting some SPAM... How can I fight it? > What SA Score do you use? And High Spam Score? > Do you use MCP? > > Thank You all! > > > Paulo Roncon > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > Hi, have you read the mailscanner wiki article on "getting the most out of spamassassin"? This should point you in the right direction. I've found the SARE less effective than they were, but still useful. KAM and sought are useful. As for the scores, 5 and 10 seem popular. Perhaps you can put an example up (via pastebin) of an email (headers and all) that was misclassified and someone can run it over their system and see how that scores so pointers can be given for any extra rules or tuning. -- Martin Hepworth Oxford, UK From algorges at gmail.com Thu Feb 26 13:24:32 2009 
From: algorges at gmail.com (Alexandre Gorges) Date: Thu Feb 26 13:24:53 2009 Subject: Block list by email Message-ID: Hello, Is it possible to create blacklist, whitelist and filename list by email? If it is possible, how? Thanks []'s Alexandre Gorges http://algorges.blogspot.com http://www.dag.eti.br -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090226/52c55686/attachment.html From MailScanner at ecs.soton.ac.uk Thu Feb 26 13:54:27 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Feb 26 13:54:52 2009 Subject: MailScanner Digest, Vol 38, Issue 31 In-Reply-To: References: <200902261203.n1QC2S8c022996@safir.blacknight.ie> Message-ID: <49A69F13.90904@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 26/2/09 12:32, Paulo Roncon wrote: > Should I use several RBLs? Should I use them in the MTA, in mailscanner or in SA? > Do not use more than 1 or 2 in MailScanner. If you want to block completely on them, then block in your MTA. Otherwise let SpamAssassin score them all for you. > Despite all the extras and tuning I'm still getting some SPAM... How can I fight it? > What SA Score do you use? And High Spam Score? > Do you use MCP? > MCP has a very high speed overhead, and you can do virtually anything with "SpamAssassin Rule Actions" that you can do with MCP anyway, and it is a lot faster. Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.9.1 (Build 287) Comment: Use Enigmail to decrypt or check this message is legitimate Charset: ISO-8859-1 wj8DBQFJpp8TEfZZRxQVtlQRAiXUAKDs56UUbw+ws52NPuQrw7m5YmMcqgCeLEUF 7j+3FaHPjkHrc3xvzD54ck4= =oBYj -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From alex at rtpty.com Thu Feb 26 15:18:11 2009 
From: alex at rtpty.com (Alex Neuman) Date: Thu Feb 26 15:18:22 2009 Subject: MailScanner Digest, Vol 38, Issue 31 In-Reply-To: References: <200902261203.n1QC2S8c022996@safir.blacknight.ie> Message-ID: <24e3d2e40902260718p67669ebm5be90eac8489e9ff@mail.gmail.com> As with all complex questions, the best answer is "it depends"... On Thu, Feb 26, 2009 at 7:32 AM, Paulo Roncon wrote: > > I'm tuning a mailscanner+sendmail+clamav+spamassassin server and I'm > having some questions: > Do you use extra SA rules? After googling it seems that the extra rules out > there (SARE, KAM, SOUGHT) are not up-to-date... True. I usually just use the following from a cron job (feel free to adjust for your situation) sa-update --allowplugins --nogpg --channel saupdates.openprotect.com --channel updates.spamassassin.org -D (followed by sa-compile) > > Should I use several RBLs? Should I use them in the MTA, in mailscanner or > in SA? I, for one, use *some* at the MTA - but some people don't like to do that because of false positives. I don't use any at the MailScanner level. > > Despite all the extras and tuning I'm still getting some SPAM... How can I > fight it? Depends on what the SPAM is. > > What SA Score do you use? And High Spam Score? This is usually very site-specific. > > Do you use MCP? Sometimes. > > > Thank You all! > You're welcome! > > > Paulo Roncon > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- Alex Neuman van der Hans Reliant Technologies +507 6781-9505 +507 202-1525 alex@rtpty.com Skype: alexneuman -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090226/5480c747/attachment.html From alex at rtpty.com Thu Feb 26 15:19:21 2009 
From: alex at rtpty.com (Alex Neuman) Date: Thu Feb 26 15:19:31 2009 Subject: Block list by email In-Reply-To: References: Message-ID: <24e3d2e40902260719y240cfc0an19bc21aa07fb041f@mail.gmail.com> On Thu, Feb 26, 2009 at 8:24 AM, Alexandre Gorges wrote: > Hello, > > Is it possible to create blacklist, whitelist and filename list by email? > Yes! > > If it is possible, how? > By editing the .rules files and following the examples within. > > > Thanks > You're welcome! > > > > > []'s > Alexandre Gorges > http://algorges.blogspot.com > http://www.dag.eti.br > > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- Alex Neuman van der Hans Reliant Technologies +507 6781-9505 +507 202-1525 alex@rtpty.com Skype: alexneuman -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090226/1f612a25/attachment.html From alex at rtpty.com Thu Feb 26 15:20:23 2009 
From: alex at rtpty.com (Alex Neuman) Date: Thu Feb 26 15:20:33 2009 Subject: Mail auto translation plugin? In-Reply-To: References: <24e3d2e40902251019n11727827p5c72322b04d4337e@mail.gmail.com> Message-ID: <24e3d2e40902260720p37bbbff9u1877ca3ac99a9751@mail.gmail.com> I don't have enough expertise to put it together, but I can provide help if needed. On Thu, Feb 26, 2009 at 6:54 AM, Remco Barendse wrote: > On Wed, 25 Feb 2009, Alex Neuman wrote: > > How could you tell if the language was Chinese, Japanese or Russian? From >> the codepages? What about UTF? >> > > The character encoding would be one pointer, on the other hand, in > translate.google.com you can select "Detect language" which works quite > nicely for the languages I need (Japanese, Chinese and Russian). > > To do it perfectly one could consider including a list of common key > words used in each language. Greetings are one, the salutations at the end > are another, pretty much every non-spam e-mail will have that, and these are > unique to a language. However this would be already thinking about a > rock-solid Rolls Royce class plug-in. > > I know building such a plugin that works on only one translation source is > pretty thin but no other mail package has such a feature. I guess if the > plugin will be ready enthusiasm and interest from the community will explode > :) No idea however how Google might react to it once you start to invoke a > nice load on their translation servers :) My mail volume will be low, about > 100 messages a day. > > My experience with scripting, procmail, programming etc. is about as much > as my available free time, 0,0 :) > > Let me know if you have any possibility to put something like that > together. > > Thanks! > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
> -- Alex Neuman van der Hans Reliant Technologies +507 6781-9505 +507 202-1525 alex@rtpty.com Skype: alexneuman -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090226/affb658d/attachment.html From ebhoeve-ms at ehoeve.com Thu Feb 26 16:04:14 2009 
From: ebhoeve-ms at ehoeve.com (Eric Hoeve) Date: Thu Feb 26 16:04:33 2009 Subject: add action to watermarking In-Reply-To: <49A66FFB.5010302@ecs.soton.ac.uk> References: <49A2F2CB.5060604@ehoeve.com> <223f97700902240059w74ac12c7qa342ff8b2c6137e5@mail.gmail.com> <49A447A2.3040400@ehoeve.com> <49A66E4E.2010608@ecs.soton.ac.uk> <49A66FFB.5010302@ecs.soton.ac.uk> Message-ID: <54617.172.16.0.1.1235664254.squirrel@wildcat.ehoeve.com> On Thu, February 26, 2009 4:33 am, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > On 26/2/09 10:26, Julian Field wrote: >> * PGP Signed: 02/26/09 at 10:26:22 >> >> >> >> On 24/2/09 19:16, Eric Hoeve wrote: >>> Glenn Steen said the following, On 2/24/2009 2:59 AM: >>>> 2009/2/23 Eric Hoeve : >>>>> First off I want to say that MailScanner is a great piece of >>>>> software that >>>>> has helped me tremendously. >>>>> >>>>> Background: I have Spam and High Scoring Spam set up to deliver with a >>>>> special header that allows the MUA to know it should drop the message >>>>> in the >>>>> spam bucket. >>>>> >>>>> Now I am getting a ton of 'backscatter' from spammer(s) spoofing >>>>> one of our >>>>> users' email address to send spam. Now they get tons of 'bounce' >>>>> messages and >>>>> filling up their mailbox (spam bucket) because I am using the >>>>> watermark >>>>> feature. Would there be a way to make it so I could just delete all >>>>> email >>>>> that bounces to a specific user and also failing the watermark >>>>> test. I see >>>>> my current choices are 'spam', 'high scoring spam', etc but no >>>>> delete/drop >>>>> option. It would be nice if I could do something like this in >>>>> 'rules'. >>>>> >>>>> Current MS Version is: 4.73.4. >>>>> >>>>> Thanks in advance. >>>>> >>>>> -Eric >>>>> -=-=-=-=-=-=-=-=-=-=-=- >>>>> Eric Hoeve >>>> >>>> Why not delete the High Scoring Spam and set it to that? >>>> >>>> Cheers >>> Thanks for the prompt replies. 
>>> >>> I had kind of thought about doing it that way.However, I was looking >>> at the code for the watermark in >>> /usr/lib/MailScanner/MailScanner/Message.pm >>> >>> Unfortunately I do not have a spare system hanging around where I can >>> test these code changes, but what if I add the following code: >>> >>> --- MailScanner/Message.bak 2009-02-24 12:50:31.000000000 -0600 >>> +++ MailScanner/Message.pm 2009-02-24 13:02:05.000000000 -0600 
>>> @@ -569,6 +569,12 @@ >>> #print STDERR "mshmacnull = $mshmacnull\n"; >>> # This can be "none", "spam" or "high-scoring spam" >>> #$mshmacnull =~ s/[^a-z]//g; >>> + if ($mshmacnull =~ /delete/) { >>> + $this->{deleted} = 1; >>> + $this->{dontdeliver} = 1; >>> + MailScanner::Log::InfoLog("Message %s from %s has no (or >>> invalid) watermark or sender address delete message", $this->{id}, >>> $this->{clientip}) if $LogSpam;; >>> + return 1; >>> + } >>> if ($mshmacnull =~ /high/) { >>> my $highscore = >>> MailScanner::Config::Value('highspamassassinscore', $this); >>> $this->{isspam} = 1; >>> >>> ---------- End of Code -------------------------------------------- >>> >>> Would that mark the message as 'deleted' and thus delete the message??? >>> Then I could just use 'Treat Invalid Watermarks With No Sender as >>> Spam = delete'. >>> >>> If that would work maybe you could add that code snippet to the next >>> release of MailScanner. >>> >>> This was just a thought. Otherwise I will probably just end use what >>> Glenn or Gareth mentioned. >> You nearly got the code right, very close in fact. I have added code >> to do this, and it will be in the next release. > As in the release I just made for you :-) > > Jules > > - -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! 
>

Jules,

Thanks. This is why I use open-source software like MailScanner.

kind regards,
-Eric

-- 
Eric Hoeve

From rcooper at dwford.com Thu Feb 26 17:12:38 2009
From: rcooper at dwford.com (Rick Cooper)
Date: Thu Feb 26 17:12:52 2009
Subject: [luca@clamav.net: [Clamav-announce] announcing 0.95rc1]
In-Reply-To: <72cf361e0902260056r41cbfc3dm871c8c4875829cd1@mail.gmail.com>
References: <20090225233529.GC4670@doctor.nl2k.ab.ca><24e3d2e40902252011pafdabc3yd3b26159b88fc272@mail.gmail.com> <72cf361e0902260056r41cbfc3dm871c8c4875829cd1@mail.gmail.com>
Message-ID:

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Martin Hepworth
> Sent: Thursday, February 26, 2009 3:57 AM
> To: MailScanner discussion
> Subject: Re: [luca@clamav.net: [Clamav-announce] announcing 0.95rc1]
>
> Having a quick look at the upgrading notes, looks like the clamd interface will need a little work also. (oh and of course clamavmodule ;-)

No, the clamd interface will be fine. It uses CONTSCAN and MULTISCAN and they have not been touched.

Rick

[...]

From pal at mssl.ucl.ac.uk Thu Feb 26 19:39:52 2009
From: pal at mssl.ucl.ac.uk (Paul Lamb)
Date: Thu Feb 26 19:40:11 2009
Subject: "too big for spam checks"
Message-ID: <49A6F008.8050404@mssl.ucl.ac.uk>

>Date: Wed, 25 Feb 2009 12:01:52 -0800
>From: Scott Silva
>
>on 2-25-2009 11:14 AM Paul Lamb spake the following:
>>
>> I have noticed a number of MailScanner messages in /var/log/messages of the form:-
>>
>> MailScanner: Message from ... is too big for spam check
>>
>> Such messages are dropped which I find surprising as the comments in MailScanner.conf against Max Spam Check Size include:-
>> # ...if a message is bigger than a certain size, it
>> # is highly unlikely to be spam. Limiting this saves
>> # a lot of time checking huge messages.
>>
>> This suggests to me that larger messages should be accepted. I believe that this was the case with the last versions of MailScanner/Spamassassin that I used).
>>
>> The few messages to the list about this error message do not explicitly answer these two questions:-
>>
>> Do we expect messages larger than Max Spam Check Size to be accepted or dropped?
>>
>> Is there another parameter involved in addition to
>> Max Spam Check Size = 200M
>> Max SpamAssassin Size = 200k
>>
>> I am running MailScanner version 4.72.5 and Spamassassin version 3.2.4
>>
>> Thanks,
>> Paul
>>
>Maximum Message Size is the only one that I remember that would drop a message.
>
>Can you post log snippets of the messages being dropped?

Sorry folks. I need to withdraw this one.

I had noticed several "too big for spam check" messages with no subsequent logged delivery. (I missed the logged instances of jobs with this message that _were_ subsequently delivered.)

The problem messages were stuck in /var/spool/mqueue/ and had not been processed as the load average was too high owing to unusually heavy MailScanner processing. The MailScanner activity seemed to be related to ~40 old jobs in /var/spool/mqueue.in/. Interestingly, those jobs had been processed (the logs show viral content) but the entries had not been removed from the queue. When I deleted these, normal behaviour returned. (If I can pin this down a bit further I'll enter a new thread.)
Paul

From holger-lists at noefer.org Thu Feb 26 19:46:16 2009
From: holger-lists at noefer.org (Holger Nöfer)
Date: Thu Feb 26 19:46:26 2009
Subject: add action to watermarking
In-Reply-To: <49A66FFB.5010302@ecs.soton.ac.uk>
References: <49A2F2CB.5060604@ehoeve.com> <223f97700902240059w74ac12c7qa342ff8b2c6137e5@mail.gmail.com> <49A447A2.3040400@ehoeve.com> <49A66E4E.2010608@ecs.soton.ac.uk> <49A66FFB.5010302@ecs.soton.ac.uk>
Message-ID: <49A6F188.2080904@noefer.org>

Julian Field wrote:
>
> On 26/2/09 10:26, Julian Field wrote:
> >
> > On 24/2/09 19:16, Eric Hoeve wrote:
> >> Glenn Steen said the following, On 2/24/2009 2:59 AM:
> >>> 2009/2/23 Eric Hoeve :
> >>>> First off I want to say that MailScanner is a great piece of software that has helped me tremendously.
> >>>>
> >>>> Background: I have Spam and High Scoring Spam setup to deliver with a special header that allows the MUA know it should drop the message in the spam bucket.
> >>>>
> >>>> Now I am getting a ton of 'backscatter' from spammer(s) spoofing one of our users email address to send spam. Now they get tons of 'bounce' messages and filling up their mailbox (spam bucket) because I am using the watermark feature. Would there be a way to make it so I could just delete all email that bounces to a specific user and also failing the watermark test. I see my current choices are 'spam', 'high scoring spam', etc but no delete/drop option. It would be nice if I could do something like this in 'rules'.
> >>>>
> >>>> Current MS Version is: 4.73.4.
> >>>>
> >>>> Thanks in advance.
> >>>>
> >>>> -Eric
> >>>> -=-=-=-=-=-=-=-=-=-=-=-
> >>>> Eric Hoeve
> >>> Why not delete the High Scoring Spam and set it to that?
> >>>
> >>> Cheers
> >> Thanks for the prompt replies.
> >> > >> I had kind of thought about doing it that way.However, I was looking > >> at the code for the watermark in > >> /usr/lib/MailScanner/MailScanner/Message.pm > >> > >> Unfortunately I do not have a spare system hanging around where I can > >> test these code changes, but what if I add the following code: > >> > >> --- MailScanner/Message.bak 2009-02-24 12:50:31.000000000 -0600 > >> +++ MailScanner/Message.pm 2009-02-24 13:02:05.000000000 -0600 > >> @@ -569,6 +569,12 @@ > >> #print STDERR "mshmacnull = $mshmacnull\n"; > >> # This can be "none", "spam" or "high-scoring spam" > >> #$mshmacnull =~ s/[^a-z]//g; > >> + if ($mshmacnull =~ /delete/) { > >> + $this->{deleted} = 1; > >> + $this->{dontdeliver} = 1; > >> + MailScanner::Log::InfoLog("Message %s from %s has no (or > >> invalid) watermark or sender address delete message", $this->{id}, > >> $this->{clientip}) if $LogSpam;; > >> + return 1; > >> + } > >> if ($mshmacnull =~ /high/) { > >> my $highscore = > >> MailScanner::Config::Value('highspamassassinscore', $this); > >> $this->{isspam} = 1; > >> > >> ---------- End of Code -------------------------------------------- > >> > >> Would that mark the message as 'deleted' and thus delete the message??? > >> Then I could just use 'Treat Invalid Watermarks With No Sender as > >> Spam = delete'. > >> > >> If that would work maybe you could add that code snippet to the next > >> release of MailScanner. > >> > >> This was just a thought. Otherwise I will probably just end use what > >> Glenn or Gareth mentioned. > > You nearly got the code right, very close in fact. I have added code > > to do this, and it will be in the next release. > As in the release I just made for you :-) > > Jules > Sorry I am little late, I tested the patch of Eric today, it looks good. Julian has allready added the option to MailScanner. Thanks and regards, Holger From ssilva at sgvwater.com Thu Feb 26 19:56:26 2009 
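Review bot: the new delete branch discards the message but writes its log entry only "if $LogSpam", so with spam logging switched off mail is thrown away with no trace; log the deletion unconditionally, since that entry is the only record a postmaster has when a legitimate bounce fails the watermark check. The test "$mshmacnull =~ /delete/" is unanchored and the "s/[^a-z]//g" normalisation just above it is still commented out, so any setting value that merely contains "delete" takes this branch; anchor the match or compare the normalised value exactly. The comment 'This can be "none", "spam" or "high-scoring spam"' should list the new value as well, and the ";;" after "if $LogSpam" is a stray empty statement.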
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Feb 26 19:56:45 2009
Subject: Kind of OT: guess what I found!
In-Reply-To:
References: <499ED491.4020406@ecs.soton.ac.uk> <499ED7A7.8060702@maddoc.net>
Message-ID:

on 2-20-2009 4:43 PM Scott Silva spake the following:
> on 2-20-2009 8:17 AM Doc Schneider spake the following:
>> Julian Field wrote:
>>> I was hunting around looking for some old sendmail mc files I wrote many years ago. They appear to have been lost long ago, but look what I found instead!
>>>
>>> MailScanner version 1, even before it had the name MailScanner. It's a grand total of 1,035 lines of Perl code, which is 20% smaller than the previous oldest version I had found.
>>>
>>> Anyway, for the archives, it is attached. Now you can see quite how ropey some of my old code was back in May 2000 when all this got started one long lunchtime.
>>>
>>> Jules
>>>
>> Amazing what 9 years worth of work get you, eh?
>>
> For some reason Julian's posts are not making it to the gmane archive. Jules, are you setting an x-no-archive header or something?
>
> I guess I won't see his response.... That's kind of a paradox!
>

As of early this morning, Julian is no longer invisible on the Gmane cache. Whatever it was, I am happier at least!

-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com Thu Feb 26 20:01:25 2009
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Feb 26 20:05:12 2009
Subject: MailScanner 4.75.1-1 beta
In-Reply-To: <49A66FD7.9080303@ecs.soton.ac.uk>
References: <49A66FD7.9080303@ecs.soton.ac.uk>
Message-ID:

on 2-26-2009 2:32 AM Julian Field spake the following:
> Including the new "delete" instruction in the watermark possibilities, and a bunch of other things:
>
> * New Features and Improvements *
> 1 Added more spam logging to simply find delivery and non-delivery addresses.
> 1 Improved error messages when using Custom Functions that won't compile.
> 1 Added new configuration option "Unpack Microsoft Documents" to control the unpacking of OLE document files, as there have been rare cases of the third-party extraction code hanging when faced with particular files.

I was just bitten with this one with a word doc that had many embedded images. It choked with the "too many attachments" message.

> If you rely on ClamAV for all your virus-checking, then you can safely switch this off as ClamAV has its own OLE unpacking code. Do remember, however, that this will disable all filename and filetype checking of embedded files.
> It is on by default.
> 1 Added new option "delete" to setting "Treat Invalid Watermarks With No Sender as Spam =" so messages with invalid watermarks can just be deleted.
>
> * Fixes *
> 1 Fix to multiple-milter support in Postfix in rare case.
>
> I have just posted MailScanner 4.75.1-1. Please test this for me and confirm that it all works okay, including the new features.
>
> Jules
>

-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From MailScanner at ecs.soton.ac.uk Thu Feb 26 20:46:47 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Feb 26 20:47:08 2009
Subject: Kind of OT: guess what I found!
In-Reply-To:
References: <499ED491.4020406@ecs.soton.ac.uk> <499ED7A7.8060702@maddoc.net>
Message-ID: <49A6FFB7.60506@ecs.soton.ac.uk>

On 26/2/09 19:56, Scott Silva wrote:
> on 2-20-2009 4:43 PM Scott Silva spake the following:
>
>> on 2-20-2009 8:17 AM Doc Schneider spake the following:
>>
>>> Julian Field wrote:
>>>
>>>> I was hunting around looking for some old sendmail mc files I wrote many years ago. They appear to have been lost long ago, but look what I found instead!
>>>>
>>>> MailScanner version 1, even before it had the name MailScanner. It's a grand total of 1,035 lines of Perl code, which is 20% smaller than the previous oldest version I had found.
>>>>
>>>> Anyway, for the archives, it is attached. Now you can see quite how ropey some of my old code was back in May 2000 when all this got started one long lunchtime.
>>>>
>>>> Jules
>>>>
>>> Amazing what 9 years worth of work get you, eh?
>>>
>> For some reason Julian's posts are not making it to the gmane archive. Jules, are you setting an x-no-archive header or something?
>>
>> I guess I won't see his response.... That's kind of a paradox!
>>
> As of early this morning, Julian is no longer invisible on the Gmane cache.
> Whatever it was, I am happier at least!
>

I switched off EMEW in outgoing messages in my BarricadeMX setup. A little bug which my friends at FSL are fixing right now.

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
From campbell at cnpapers.com Thu Feb 26 22:49:26 2009
From: campbell at cnpapers.com (Steve Campbell)
Date: Thu Feb 26 22:49:45 2009
Subject: "too big for spam checks"
In-Reply-To: <49A6F008.8050404@mssl.ucl.ac.uk>
References: <49A6F008.8050404@mssl.ucl.ac.uk>
Message-ID: <1235688566.49a71c76683de@perdition.cnpapers.net>

Quoting Paul Lamb :

> >Date: Wed, 25 Feb 2009 12:01:52 -0800
> >From: Scott Silva
> >
> >on 2-25-2009 11:14 AM Paul Lamb spake the following:
> >>
> >> I have noticed a number of MailScanner messages in /var/log/messages of the form:-
> >>
> >> MailScanner: Message from ... is too big for spam check
> >>
> >> Such messages are dropped which I find surprising as the comments in MailScanner.conf against Max Spam Check Size include:-
> >> # ...if a message is bigger than a certain size, it
> >> # is highly unlikely to be spam. Limiting this saves
> >> # a lot of time checking huge messages.
> >>
> >> This suggests to me that larger messages should be accepted. I believe that this was the case with the last versions of MailScanner/Spamassassin that I used).
> >>
> >> The few messages to the list about this error message do not explicitly answer these two questions:-
> >>
> >> Do we expect messages larger than Max Spam Check Size to be accepted or dropped?
> >>
> >> Is there another parameter involved in addition to
> >> Max Spam Check Size = 200M
> >> Max SpamAssassin Size = 200k
> >>
> >> I am running MailScanner version 4.72.5 and Spamassassin version 3.2.4
> >>
> >> Thanks,
> >> Paul
> >>
> >Maximum Message Size is the only one that I remember that would drop a message.
> >
> >Can you post log snippets of the messages being dropped?
>
> Sorry folks. I need to withdraw this one.
>
> I had noticed several "too big for spam check" messages with no subsequent logged delivery. (I missed the logged instances of jobs with this message that _were_ subsequently delivered.)
>
> The problem messages were stuck in /var/spool/mqueue/ and had not been processed as the load average was too high owing to unusually heavy MailScanner processing. The MailScanner activity seemed to be related to ~40 old jobs in /var/spool/mqueue.in/. Interestingly, those jobs had been processed (the logs show viral content) but the entries had not been removed from the queue.
> When I deleted these, normal behaviour returned. (If I can pin this down a bit further I'll enter a new thread.)
>
> Paul
>

Paul,

I saw this also, and I believe it was with an older version. I could never provide any evidence of what was going on, though. It happened just yesterday or maybe the day before, and although the message wasn't deleted, it was severely delayed. So I'm still not sure what was going on.

The earlier instances were difficult to investigate due to the amount of time after posting that I was notified. I'm not sure there is a real problem, but there might be some shakiness somewhere. Not even sure it's MS as the load may have been a problem here also.

Anyway, it happened multiple times, particularly one user who gets emailed large ads, and they never showed up.

Steve Campbell

From algorges at gmail.com Thu Feb 26 23:51:50 2009
From: algorges at gmail.com (Alexandre Gorges)
Date: Thu Feb 26 23:52:13 2009
Subject: Block list by email
In-Reply-To: <24e3d2e40902260719y240cfc0an19bc21aa07fb041f@mail.gmail.com>
Message-ID:

Great.

Let me see. Please help.

I want the mail test@domain.com not receive any file. exe and any email that comes from spam@spammer.com

In Mailscanner.conf, I modified the "Filename Rules" to Filename Rules = /etc/Mailscanner/rules/filename.rules.

In filename.rules, I added

To: test@domain.com /etc/MailScanner/rules/filename-test.rules
FromOrTo: default /etc/MailScanner/filename.rules.conf

Inside filename-test.rules, I added

deny \.exe$ - -

So, to block spam@spammer.com, I use the " Is Definitely Spam = /etc/MailScanner/rules/spam.blacklist.rules"

In spam.blacklist.rules, I added

To: test@domain.com /etc/Mailscanner/rules/blacklist-test.rules
FromOrTo: default no

Inside blacklist-test.rules, I added

From: spam@spammer.com yes

It is correct?

Thanks again.
From: Alex Neuman
Reply-To: Lista Mailscanner
Date: Thu, 26 Feb 2009 10:19:21 -0500
To: Lista Mailscanner
Subject: Re: Block list by email

On Thu, Feb 26, 2009 at 8:24 AM, Alexandre Gorges wrote:
> Hello,
>
> It is possible to create blacklist, whitelist and filename list by email?

Yes!

>
> If it possible, how?

By editing the .rules files and following the examples within.

>
> Thanks

You're welcome!

>
> []'s
> ? Alexandre Gorges ?
> http://algorges.blogspot.com
> http://www.dag.eti.br
>

From jim.barber at ddihealth.com Fri Feb 27 01:18:36 2009
From: jim.barber at ddihealth.com (Jim Barber)
Date: Fri Feb 27 01:18:55 2009
Subject: Feature request: Multiple rules for MailScanner variable.
Message-ID: <49A73F6C.5000009@ddihealth.com>

Hi Jules.

I have a CustomFunction that checks for users that are using SMTP AUTH.
eg:
Spam Checks = &CheckSMTPAuth

The above will skip spam checks for anyone that has authenticated to our mail server.

I also have entries in my MailScanner.conf file that refer to rules files to turn off certain features for trusted networks.
eg:
Also Find Numeric Phishing = %rules-dir%/phishing.rules

Where the /etc/MailScanner/MailScanner/rules/phishing.rules file will contain entries like so:

# Local host
From: 127.0.0.1 no

# Internal subnets
From: 10. no
From: 192.168. no

FromOrTo: default yes

Which handles not doing numeric phishing checks on emails sent by internal users.

However, what if I want to skip numeric phishing checks for both the networks defined in the rules file and anyone that has authenticated to the mail server?
As far as I can tell, at the moment I'd need to make a new custom function that does both the SMTP AUTH check, and parses the rule file (or get a list of networks in any number of other ways).

I was wondering if you could add a feature that is something like the following.
Either allow a syntax like:

Also Find Numeric Phishing = %rules-dir%/phishing.rules OR &CheckSMTPAuth

Or being able to specify the same parameter multiple times and have each one checked.
eg:
Also Find Numeric Phishing = %rules-dir%/phishing.rules
Also Find Numeric Phishing = &CheckSMTPAuth

I guess the difficulty would be how to handle the "default" rules when you have multiple checks going on.
Maybe just leave it up to the mail administrators to create custom rule files that don't have a default on the end, except for in the last one to be referenced... Maybe that would be a pain to support on these lists though :(

Any thoughts?
Or is the functionality I am looking for already there and I'm just missing it?

At the moment I'm using MailScanner 4.74.16

Regards,

-- 
----------
Jim Barber
DDI Health

From alex at rtpty.com Fri Feb 27 03:39:56 2009
From: alex at rtpty.com (Alex Neuman)
Date: Fri Feb 27 03:40:05 2009
Subject: Feature request: Multiple rules for MailScanner variable.
In-Reply-To: <49A73F6C.5000009@ddihealth.com>
References: <49A73F6C.5000009@ddihealth.com>
Message-ID: <24e3d2e40902261939t3f33d23bv975df719283da23a@mail.gmail.com>

Would you like to share your function? Or at least share your experiences? Does it work with a particular MTA? Can it be fooled by a carefully crafted header?

On Thu, Feb 26, 2009 at 8:18 PM, Jim Barber wrote:
> Hi Jules.
>
> I have a CustomFunction that checks for users that are using SMTP AUTH.
> eg:
> Spam Checks = &CheckSMTPAuth
>

-- 
Alex Neuman van der Hans
Reliant Technologies
+507 6781-9505
+507 202-1525
alex@rtpty.com
Skype: alexneuman

From MailScanner at ecs.soton.ac.uk Fri Feb 27 09:16:46 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Feb 27 09:17:11 2009
Subject: Block list by email
In-Reply-To:
References:
Message-ID: <49A7AF7E.8050008@ecs.soton.ac.uk>

On 26/2/09 23:51, Alexandre Gorges wrote:
> Great.
>
> Let me see. Please help.
>
> I want the mail test@domain.com not receive any file. exe and any email that comes from spam@spammer.com
>
> In Mailscanner.conf, I modified the "Filename Rules" to Filename Rules = /etc/Mailscanner/rules/filename.rules.
>
> In filename.rules, I added
>
> To: test@domain.com /etc/MailScanner/rules/filename-test.rules
> FromOrTo: default /etc/MailScanner/filename.rules.conf
>
> Inside filename-test.rules, I added
>
> deny \.exe$ - -

Did you separate the 4 "words" on that line with tab characters? You need to, not just spaces. Otherwise how does it cope with log messages with spaces in them, or with regular expressions with spaces in them?

This is the *only* place in MailScanner where you must use tab characters instead of spaces.

>
> So, to block spam@spammer.com, I use the " Is Definitely Spam = /etc/MailScanner/rules/spam.blacklist.rules"
>
> In spam.blacklist.rules, I added
>
> To: test@domain.com /etc/Mailscanner/rules/blacklist-test.rules
> FromOrTo: default no
>
> Inside blacklist-test.rules, I added
>
> From: spam@spammer.com yes
>
> It is correct?
>
> Thanks again.
>
> ------------------------------------------------------------------------
> *From: *Alex Neuman
> *Reply-To: *Lista Mailscanner
> *Date: *Thu, 26 Feb 2009 10:19:21 -0500
> *To: *Lista Mailscanner
> *Subject: *Re: Block list by email
>
> On Thu, Feb 26, 2009 at 8:24 AM, Alexandre Gorges wrote:
>
> Hello,
>
> It is possible to create blacklist, whitelist and filename list by email?
>
> Yes!
>
> If it possible, how?
>
> By editing the .rules files and following the examples within.
>
> Thanks
>
> You're welcome!
>
> []'s
> ? Alexandre Gorges ?
> http://algorges.blogspot.com
> http://www.dag.eti.br
>

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info

From MailScanner at ecs.soton.ac.uk Fri Feb 27 09:18:48 2009
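
The tab-separation point in Julian Field's "Block list by email" reply above, shown as an added example (not part of the original thread and not MailScanner code): a small Python checker that flags filename-rules lines whose four fields are not tab-separated. The field names, the accepted actions, the treatment of a run of tabs as one separator and the sample rules are assumptions made for this example.

```python
"""Lint a MailScanner filename rules file for the spaces-instead-of-tabs mistake."""
import re
import sys

# The reply above speaks of four "words" per rule line; these names are
# labels chosen for this example.
FIELD_NAMES = ("action", "regexp", "log text", "user report text")
# Assumption: the actions this checker accepts; extend for your version.
KNOWN_ACTIONS = {"allow", "deny", "deny+delete"}

# Constructed sample, not taken from any real configuration.
SAMPLE_RULES = (
    "# constructed sample\n"
    "deny\t\\.exe$\tWindows executable\tExecutables are not allowed\n"
    "deny \\.exe$ - -\n"             # spaces only, as typed in a plain editor
    "deny \\.scr$\t-\t-\n"           # space after the action, tabs afterwards
    "allow\t\\.txt$ \t-\t-\n"        # trailing space ends up inside the regexp
    "allow\t.*\t-\t-\n"
)


def lint_filename_rules(text):
    """Return a list of (line_number, problem) for every suspicious rule line."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments carry no fields
        # Assumption: a run of tabs counts as a single separator.
        fields = re.split(r"\t+", line.strip("\t"))
        if len(fields) != len(FIELD_NAMES):
            first_word = fields[0].split(" ", 1)[0].lower()
            if "\t" not in line:
                why = "no tab characters: fields are separated by spaces"
            elif " " in fields[0] and first_word in KNOWN_ACTIONS:
                why = "space instead of tab after the action"
            else:
                why = "wrong number of tab-separated fields"
            problems.append(
                (lineno, "%s (found %d of %d fields)"
                 % (why, len(fields), len(FIELD_NAMES))))
            continue
        if fields[0].lower() not in KNOWN_ACTIONS:
            problems.append((lineno, "unrecognised action %r" % fields[0]))
        for name, value in zip(FIELD_NAMES, fields):
            # A space next to a tab silently becomes part of the field.
            if value != value.strip(" "):
                problems.append(
                    (lineno, "stray space at edge of %s field" % name))
    return problems


if __name__ == "__main__":
    # With a path argument lint that file, otherwise lint the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as handle:
            source = handle.read()
    else:
        source = SAMPLE_RULES
    for lineno, problem in lint_filename_rules(source):
        print("line %d: %s" % (lineno, problem))
```
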
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Feb 27 09:19:11 2009
Subject: Feature request: Multiple rules for MailScanner variable.
In-Reply-To: <49A73F6C.5000009@ddihealth.com>
References: <49A73F6C.5000009@ddihealth.com>
Message-ID: <49A7AFF8.5080207@ecs.soton.ac.uk>

On 27/2/09 01:18, Jim Barber wrote:
> Hi Jules.
>
> I have a CustomFunction that checks for users that are using SMTP AUTH.
> eg:
> Spam Checks = &CheckSMTPAuth
>
> The above will skip spam checks for anyone that has authenticated to our mail server.
>
> I also have entries in my MailScanner.conf file that refer to rules files to turn off certain features for trusted networks.
> eg:
> Also Find Numeric Phishing = %rules-dir%/phishing.rules
>
> Where the /etc/MailScanner/MailScanner/rules/phishing.rules file will contain entries like so:
>
> # Local host
> From: 127.0.0.1 no
>
> # Internal subnets
> From: 10. no
> From: 192.168. no
>
> FromOrTo: default yes
>
> Which handles not doing numeric phishing checks on emails sent by internal users.
>
> However, what if I want to skip numeric phishing checks for both the networks defined in the rules file and anyone that has authenticated to the mail server?
> As far as I can tell, at the moment I'd need to make a new custom function that does both the SMTP AUTH check, and parses the rule file (or get a list of networks in any number of other ways).
>
> I was wondering if you could add a feature that is something like the following.
> Either allow a syntax like:
>
> Also Find Numeric Phishing = %rules-dir%/phishing.rules OR &CheckSMTPAuth
>
> Or being able to specify the same parameter multiple times and have each one checked.
> eg:
> Also Find Numeric Phishing = %rules-dir%/phishing.rules
> Also Find Numeric Phishing = &CheckSMTPAuth
>
> I guess the difficulty would be how to handle the "default" rules when you have multiple checks going on.
> Maybe just leave it up to the mail administrators to create custom rule files that don't have a default on the end, except for in the last one to be referenced... Maybe that would be a pain to support on these lists though :(
>
> Any thoughts?
> Or is the functionality I am looking for already there and I'm just missing it?

You can do it with a Custom Function that also looks at a ruleset. Look in /usr/lib/MailScanner/MailScanner/CustomFunctions/Ruleset-from-Function.pm and you'll find an example showing you exactly how to do it.

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info

From algorges at gmail.com Fri Feb 27 10:52:26 2009
From: algorges at gmail.com (Alexandre Gorges)
Date: Fri Feb 27 10:52:41 2009
Subject: Block list by email
In-Reply-To: <49A7AF7E.8050008@ecs.soton.ac.uk>
Message-ID:
> From: Julian Field
> Organization: MailScanner
> Reply-To: Lista Mailscanner
> Date: Fri, 27 Feb 2009 09:16:46 +0000
> To: Lista Mailscanner
> Subject: Re: Block list by email
>
> On 26/2/09 23:51, Alexandre Gorges wrote:
>> Great.
>>
>> Let me see. Please help.
>>
>> I want the mail test@domain.com not receive any file. exe and any email that comes from spam@spammer.com
>>
>> In Mailscanner.conf, I modified the "Filename Rules" to Filename Rules = /etc/Mailscanner/rules/filename.rules.
>>
>> In filename.rules, I added
>>
>> To: test@domain.com /etc/MailScanner/rules/filename-test.rules
>> FromOrTo: default /etc/MailScanner/filename.rules.conf
>>
>> Inside filename-test.rules, I added
>>
>> deny \.exe$ - -
> Did you separate the 4 "words" on that line with tab characters? You need to, not just spaces. Otherwise how does it cope with log messages with spaces in them, or with regular expressions with spaces in them?
>
> This is the *only* place in MailScanner where you must use tab characters instead of spaces.

Yes, I use tab in this place. My configuration is correct? Is possible to use rules in mysql?

>>
>> So, to block spam@spammer.com, I use the " Is Definitely Spam = /etc/MailScanner/rules/spam.blacklist.rules"
>>
>> In spam.blacklist.rules, I added
>>
>> To: test@domain.com /etc/Mailscanner/rules/blacklist-test.rules
>> FromOrTo: default no
>>
>> Inside blacklist-test.rules, I added
>>
>> From: spam@spammer.com yes
>>
>> It is correct?
>>
>> Thanks again.
>>
>> ------------------------------------------------------------------------
>> *From: *Alex Neuman
>> *Reply-To: *Lista Mailscanner
>> *Date: *Thu, 26 Feb 2009 10:19:21 -0500
>> *To: *Lista Mailscanner
>> *Subject: *Re: Block list by email
>>
>> On Thu, Feb 26, 2009 at 8:24 AM, Alexandre Gorges wrote:
>>
>> Hello,
>>
>> It is possible to create blacklist, whitelist and filename list by email?
>>
>> Yes!
>>
>> If it possible, how?
>>
>> By editing the .rules files and following the examples within.
>>
>> Thanks
>>
>> You're welcome!
>>
>> []'s
>> ? Alexandre Gorges ?
>> http://algorges.blogspot.com
>> http://www.dag.eti.br
>>
>
> Jules
>

From steve.freegard at fsl.com Fri Feb 27 11:01:47 2009
From: steve.freegard at fsl.com (Steve Freegard)
Date: Fri Feb 27 11:01:59 2009
Subject: MailScanner 4.75.1-1 beta
In-Reply-To:
References: <49A66FD7.9080303@ecs.soton.ac.uk>
Message-ID: <49A7C81B.4060901@fsl.com>

Scott Silva wrote:
> on 2-26-2009 2:32 AM Julian Field spake the following:
>> 1 Added new configuration option "Unpack Microsoft Documents" to control the unpacking of OLE document files, as there have been rare cases of the third-party extraction code hanging when faced with particular files.
>
> I was just bitten with this one with a word doc that had many embedded images.
> It choked with the "too many attachments" message.
>

That's nothing; I have a couple of queue files here containing an innocent XLS file that cause OLE::Storage_Lite to chew up all available RAM and Swap quite quickly (within ~20 seconds of starting MailScanner the child was using >1Gb RAM).

Cheers,
Steve.

From t.d.lee at durham.ac.uk Fri Feb 27 13:20:27 2009
From: t.d.lee at durham.ac.uk (David Lee)
Date: Fri Feb 27 13:20:58 2009
Subject: bug in Spear-Phishing script?
Message-ID:

Julian: Several days ago I installed your spear-phishing script/cronjob.
But it has introduced a subtle and potentially nasty side-effect, which I
have just noticed this morning.

In summary, it caused some of our outbound queued email to be silently
ignored and left, unreached, unattended and unprocessed, in the queue.
Not nice.

A traditional sendmail installation (with or without MS) includes a
long-running outbound sendmail process, which periodically spawns a child
to work its way through the outbound queue and attempt to deliver what it
finds. A major server may have a few hundred outbound emails queued, and
some of the attempted destinations may be very slow, or involve a series
of long timeouts. So it may be a considerable time before some emails in
that queue are reached. Nevertheless, in a traditional sendmail system,
they will, eventually, be reached and processed.

But the spear-phishing script does a full restart of MailScanner,
including of that outbound queue processor, every hour. So there is
considerable risk that some emails in the outbound queue may never be
reached at all, because that outbound processor will be killed before
those emails are ever reached.

Could you ponder that, please?

Best wishes.

(I'm still not clear why the script needs to restart the entire email
subsystem, including sendmail inbound/outbound, rather than simply doing a
"service MailScanner reload".)

--
: David Lee                       I.T. Service      :
: Senior Systems Programmer       Computer Centre   :
: UNIX Team Leader                Durham University :
:                                 South Road        :
: http://www.dur.ac.uk/t.d.lee/   Durham DH1 3LE    :
: Phone: +44 191 334 2752         U.K.              :

From MailScanner at ecs.soton.ac.uk Fri Feb 27 14:20:58 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Feb 27 14:21:21 2009
Subject: bug in Spear-Phishing script?
In-Reply-To:
References:
Message-ID: <49A7F6CA.2070403@ecs.soton.ac.uk>

Skipped content of type multipart/mixed

From steve.freegard at fsl.com Fri Feb 27 14:56:19 2009
From: steve.freegard at fsl.com (Steve Freegard)
Date: Fri Feb 27 14:56:30 2009
Subject: bug in Spear-Phishing script?
In-Reply-To: <49A7F6CA.2070403@ecs.soton.ac.uk>
References: <49A7F6CA.2070403@ecs.soton.ac.uk>
Message-ID: <49A7FF13.8040209@fsl.com>

Julian Field wrote:
> Does a "reload" cause a re-compile of all the SpamAssassin rules?

Yeah it does; on reload the children are restarted by the parent and
therefore MailScanner::SA::initialise() is run by each child before it
starts waiting for messages.

Cheers,
Steve.

From t.d.lee at durham.ac.uk Fri Feb 27 14:59:29 2009
From: t.d.lee at durham.ac.uk (David Lee) Date: Fri Feb 27 14:59:57 2009 Subject: bug in Spear-Phishing script? In-Reply-To: <49A7F6CA.2070403@ecs.soton.ac.uk> References: <49A7F6CA.2070403@ecs.soton.ac.uk> Message-ID: On Fri, 27 Feb 2009, Julian Field wrote: > On 27/2/09 13:20, David Lee wrote: >> [...] >> But the spear-phishing script does a full restart of MailScanner, including >> of that outbound queue processor, every hour. So there is considerable >> risk that some emails in the outbound queue may never be reached at all, >> because that outbound processor will be killed before those emails are ever >> reached. > If you're running a big system, why are you using the same machine(s) to > deliver outbound mail as well as accept inbound mail? I split them into 2 > separate jobs and use separate machines for each task. And you only need to > do the phishing stuff on the inbound machines. Ah. Point taken. I see where you are coming from. Our outbound and inbound are already separate in the normal case. But this particular case involves emails being forwarded for a couple of affiliated domains, one of which is our major Alumni forwarding service, with some 27,000 entries. So email comes in (to user "xxx@fwd.dom.ain") then the forwarding service (on this inbound machine) wings it back out to their respective hotmail/aol/yahoo/shudder/horror ISPs. (Thus it is now outbound from what is normally an inbound machine.) So yes, we are "good", in the sense that we already keep inbound and outbound generally separate. This case is about email that had been inbound now being reflected outbound. Because it had been inbound, it is on a spear-phishing detection machine; because it has been turned around and is now outbound, it is potentially victim to the hourly spear-phishing restart. >> (I'm still not clear why the script needs to restart the entire email >> subsystem, including sendmail inbound/outbound, rather than simply doing a >> "service MailScanner reload".) 
> Does a "reload" cause a re-compile of all the SpamAssassin rules? I don't > think so. [...] Don't know. But I've just done a "service MailScanner reload"; that seems to leave sendmail alone to do its possibly lengthy work (so good from the perspective being discussed). And it also seems to kill and restart MailScanner (isn't that also good? in that in restarts, not just reloads, MailScanner?) So wouldn't a "service MailScanner reload" be just the ticket, because it is restarting (not just reloading) MailScanner? > But a new "restartms" option would solve the problem, which just > restarted MailScanner and didn't touch the sendmail processes. How about I > add that to the init.d script? > > A pair of new init.d scripts are attached, one for the RedHat distribution > and the other for the SuSE distribution. I would be grateful if you could try > them out to check that "service MailScanner restartms" does what it is > supposed to. I would be very happy to give test things a whirl for you. Sure. But does this problem actually need a revised MS init.d script? Wouldn't a "service ... reload" (rather than restart) in the spear-phishing script be perfectly OK? (Given that it appears to restart MailScanner anyway?) (Of course, I may well have missed something...) All the best. -- : David Lee I.T. Service : : Senior Systems Programmer Computer Centre : : UNIX Team Leader Durham University : : South Road : : http://www.dur.ac.uk/t.d.lee/ Durham DH1 3LE : : Phone: +44 191 334 2752 U.K. : From Denis.Beauchemin at USherbrooke.ca Fri Feb 27 15:05:01 2009 
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Fri Feb 27 15:05:18 2009
Subject: bug in Spear-Phishing script?
In-Reply-To: <49A7F6CA.2070403@ecs.soton.ac.uk>
References: <49A7F6CA.2070403@ecs.soton.ac.uk>
Message-ID: <49A8011D.9040606@USherbrooke.ca>

Julian Field wrote:
>
>
> On 27/2/09 13:20, David Lee wrote:
>>
>> Julian: Several days ago I installed your spear-phishing
>> script/cronjob. But it has introduced a subtle and potentially nasty
>> side-effect, which I have just noticed this morning.
>>
>> In summary, it caused some of our outbound queued email to be
>> silently ignored and left, unreached, unattended and unprocessed, in
>> the queue. Not nice.
>>
>> A traditional sendmail installation (with or without MS) includes a
>> long-running outbound sendmail process, which periodically spawns a
>> child to work its way through the outbound queue and attempt to
>> deliver what it finds. A major server may have a few hundred
>> outbound emails queued, and some of the attempted destinations may be
>> very slow, or involve a series of long timeouts. So it may be a
>> considerable time before some emails in that queue are reached.
>> Nevertheless, in a traditional sendmail system, they will,
>> eventually, be reached and processed.
>>
>> But the spear-phishing script does a full restart of MailScanner,
>> including of that outbound queue processor, every hour. So there is
>> considerable risk that some emails in the outbound queue may never be
>> reached at all, because that outbound processor will be killed before
>> those emails are ever reached.
> If you're running a big system, why are you using the same machine(s)
> to deliver outbound mail as well as accept inbound mail? I split them
> into 2 separate jobs and use separate machines for each task. And you
> only need to do the phishing stuff on the inbound machines.
>> (I'm still not clear why the script needs to restart the entire email >> subsystem, including sendmail inbound/outbound, rather than simply >> doing a "service MailScanner reload".) > Does a "reload" cause a re-compile of all the SpamAssassin rules? I > don't think so. But a new "restartms" option would solve the problem, > which just restarted MailScanner and didn't touch the sendmail > processes. How about I add that to the init.d script? > > A pair of new init.d scripts are attached, one for the RedHat > distribution and the other for the SuSE distribution. I would be > grateful if you could try them out to check that "service MailScanner > restartms" does what it is supposed to. > > Jules > Julian, In the RH version (didn't check the SuSE one), you need to add ";;" on line 451. Denis PS: I am trying to configure a server that could (in case of DR) play both inbound and outbound roles at the same time. I will be running different sendmail and MS instances. I think the current init script won't play nice with this scheme because it "killproc MailScanner" without regards about which instance it might belong to. Why don't you use $MSPID instead? -- _ ?v? Denis Beauchemin, analyste /(_)\ Universit? de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045 From jvoorhees1 at gmail.com Fri Feb 27 16:02:09 2009 
From: jvoorhees1 at gmail.com (Jason Voorhees)
Date: Fri Feb 27 16:02:18 2009
Subject: Releases messages from quarantine rejoin quarantine
Message-ID:

Hi people:

I'm using MailScanner and MailWatch. Everything is OK, spam messages
are going to quarantine. But when I try to release a message from
quarantine (a false positive) the message joins again the quarantine.
Mailwatch shows me that the message now is coming from
postmaster@mydomain.com to original-recipient@mydomain.com

I'm using the QUARANTINE_USE_SENDMAIL (true) setting in conf.php of
Mailwatch configuration, so I think MailScanner sees these released
messages coming from their original sender and IP address but doesn't
understand that it is coming from localhost (through sendmail binary).

What exception rule can I create to always allow quarantine released
message to pass? I tried adding a from mydomain.com to mydomain.com
whitelist setting but it doesn't work... because of the sendmail
binary way of releasing.

Could someone give any ideas? Thanks, bye

From MailScanner at ecs.soton.ac.uk Fri Feb 27 16:31:42 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Feb 27 16:32:04 2009
Subject: bug in Spear-Phishing script?
In-Reply-To: <49A8011D.9040606@USherbrooke.ca>
References: <49A7F6CA.2070403@ecs.soton.ac.uk> <49A8011D.9040606@USherbrooke.ca>
Message-ID: <49A8156E.1060000@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 27/2/09 15:05, Denis Beauchemin wrote:
> Julian Field wrote:
>>
>>
>> On 27/2/09 13:20, David Lee wrote:
>>>
>>> Julian: Several days ago I installed your spear-phishing
>>> script/cronjob. But it has introduced a subtle and potentially nasty
>>> side-effect, which I have just noticed this morning.
>>>
>>> In summary, it caused some of our outbound queued email to be
>>> silently ignored and left, unreached, unattended and unprocessed, in
>>> the queue. Not nice.
>>>
>>> A traditional sendmail installation (with or without MS) includes a
>>> long-running outbound sendmail process, which periodically spawns a
>>> child to work its way through the outbound queue and attempt to
>>> deliver what it finds. A major server may have a few hundred
>>> outbound emails queued, and some of the attempted destinations may
>>> be very slow, or involve a series of long timeouts. So it may be a
>>> considerable time before some emails in that queue are reached.
>>> Nevertheless, in a traditional sendmail system, they will,
>>> eventually, be reached and processed.
>>>
>>> But the spear-phishing script does a full restart of MailScanner,
>>> including of that outbound queue processor, every hour. So there is
>>> considerable risk that some emails in the outbound queue may never
>>> be reached at all, because that outbound processor will be killed
>>> before those emails are ever reached.
>> If you're running a big system, why are you using the same machine(s)
>> to deliver outbound mail as well as accept inbound mail? I split them
>> into 2 separate jobs and use separate machines for each task.
And you >> only need to do the phishing stuff on the inbound machines. >>> (I'm still not clear why the script needs to restart the entire >>> email subsystem, including sendmail inbound/outbound, rather than >>> simply doing a "service MailScanner reload".) >> Does a "reload" cause a re-compile of all the SpamAssassin rules? I >> don't think so. But a new "restartms" option would solve the problem, >> which just restarted MailScanner and didn't touch the sendmail >> processes. How about I add that to the init.d script? >> >> A pair of new init.d scripts are attached, one for the RedHat >> distribution and the other for the SuSE distribution. I would be >> grateful if you could try them out to check that "service MailScanner >> restartms" does what it is supposed to. >> >> Jules >> > Julian, > > In the RH version (didn't check the SuSE one), you need to add ";;" on > line 451. Yes, I missed it there too. Thanks for that. > > Denis > PS: I am trying to configure a server that could (in case of DR) play > both inbound and outbound roles at the same time. I will be running > different sendmail and MS instances. I think the current init script > won't play nice with this scheme because it "killproc MailScanner" > without regards about which instance it might belong to. Why don't you > use $MSPID instead? Err... because I started by copying someone else's init.d script! I ideally want to send the TERM to the child processes as well, though, so they all get told to start dying. Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! 
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.9.1 (Build 287) Comment: Use Enigmail to decrypt or check this message is legitimate Charset: ISO-8859-1 wj8DBQFJqBVvEfZZRxQVtlQRAoG6AJ9gaezcZLAz5g5TtOHVLjoXTaECNQCg9A+O mpyDRwnrPAEcm3nF92Md33E= =M1ZY -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From Nikolaos.Pavlidis at beds.ac.uk Fri Feb 27 16:52:22 2009 
From: Nikolaos.Pavlidis at beds.ac.uk (Nikolaos Pavlidis) Date: Fri Feb 27 16:53:03 2009 Subject: Quarantined email testing/troubleshooting In-Reply-To: <49A81A46020000270002A9BB@gwiadom.oes.beds.ac.uk> References: <497EF579020000020004A599@gwiadom.oes.beds.ac.uk> <49A81A46020000270002A9BB@gwiadom.oes.beds.ac.uk> Message-ID: <49A81A46020000270002A9BB@gwiadom.oes.beds.ac.uk> Hello all, Following up on the same issue, from what I tried so far the script that Julian suggested works great! Many thanks for that! The bad thing is that the problem persists for some weird reason focusing again on delivery notifications. After using the script to turn the quarantined email into the mbox format, I fed it to SA and I got: # spamassassin -t -p /etc/mail/MailScanner/spam.assassin.prefs.conf --mbox < spam.20100108 Content analysis details: (-15.0 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -15 BAYES_00 BODY: Bayesian spam probability is 0 to 1% [score: 0.0000] And yes I have not used sa-learn first! Why could that email be in quarantine if SA clears it? I do realise that delivery notifications are minor details but... the devil is in the detail! Any help is much appreciated, thank you in advance. Regards, Nik On Tue, 2009-01-27 at 11:44 +0000, Nikolaos Pavlidis wrote: > Hello, > > A million thanks once again Julian, I do apologise for the late reply > though, things have been quite busy around here. > > Kind regards, > > Nik > > On Thu, 2009-01-22 at 16:50 +0000, Julian Field wrote: > > You can't just use df and/or qf files as if they were RFC822 messages. > > > They're not. > > However, they *nearly* are, when used as a pair. 
> > Many years ago (2002 is the date stamp on the file) I wrote a script > > which would take an entire quarantine directory (or a string of > > director y names) full of > qf* and df* files, and generate an mbox file > > from them, which could then be simply fed to sa-learn with 1 command > to > > learn the whole lot at one go by using the "--mbox" command-line > option > > to sa-learn. > > It's at > > www.mailscanner.info/files/4/df2mbox > > It's a fairly simple shell script, I'm sure you can hack it around if > > you want to do something slightly different with it. > > > > Usage example: > > Say you have a quarantine directory > > /var/spool/MailScanner/quarantine/ and each of those > > subdirectories contains a whole bunch of qf and df files > in > > the same directory. You can just do > > cd /var/spool/MailSanner/quarantine > > df2mbox * > > and it will go and get on with it, and give you a pile of mbox files > as > > a result. > > > > I posted this to this mailing list back in 2002 as well, but I doubt > > anyone looks back that far. Don't worry, I'll let you off this time > :-) > > > > Hope that helps, > > Jules. > > > > On 22/1/09 16:30, Nikolaos Pavlidis wrote: > > > Hello all, > > > > > > We seem to be facing a weird issue and we would appreciate any > > > assistance with it. > > > To start with, we are using a solaris + sendmail + > MailScanner-4.73.4-2 > > > implementation. Bayes database has been trained with lots of spam > and > > > some ham that got quarantined since the service went live. > > > > > > We have set mailscanner to separate the mail messages into q and d > queue > > > files so we can put false possitives back in the queue in a more > quick > > > and efficient manner. Spamassassin seemed to be putting automated > > > Delivery Notifications to quarantine so we trained it back then (the > > > single mail messages RFC822) to be ham. 
> > > > > > Now we have noticed that some Delivery notifications again get > > > quarantined, only now we have the 2 part emails q and d files. > > > > > > When we do a test on them "spamassassin -t > > > -p /etc/mail/MailScanner/spam.assassin.prefs.conf< d (or q)file" > > > they both come less than 5.0 points(sometimes even -). > > > > > > Should the tests be performed in another way? Is the "cat qfile > dfile | > > > spamassassin -t -p ?/etc/mail/MailScanner/spam.assassin.prefs.conf" > the > > > appropriate way? > > > When using sa-learn to teach SA which parameters should be used, > should > > > we > > > What else could be blocking/sending to quarantine these messages? > > > > > > I do apologise for the barrage of questions. Any help is much > > > appreciated. Thank you in advance. > > > > > > Regards, > > > > > > Nik > > > > > > > > > > > > > Jules > > > > -- > > Julian Field MEng CITP CEng > > www.MailScanner.info > > Buy the MailScanner book at www.MailScanner.info/store > > > > MailScanner customisation, or any advanced system administration help? > > Contact me at Jules@Jules.FM > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > PGP public key: http://www.jules.fm/julesfm.asc > > > > > > -- > > This message has been scanned for viruses and > > dangerous content by MailScanner, and is > > believed to be clean. > > > -- > ? > Nikolaos Pavlidis BSc (Hons) MBCS NCLP > System Administrator > University Of Bedfordshire > Park Square LU1 3JU > Luton, Beds, UK > Tel: +441582489277 > -- ? Nikolaos Pavlidis BSc (Hons) MBCS NCLP System Administrator University Of Bedfordshire Park Square LU1 3JU Luton, Beds, UK Tel: +441582489277 From glenn.steen at gmail.com Fri Feb 27 17:03:07 2009 
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Feb 27 17:03:17 2009
Subject: Releases messages from quarantine rejoin quarantine
In-Reply-To:
References:
Message-ID: <223f97700902270903r3a74fdb0j307eda1d2b52c4e6@mail.gmail.com>

2009/2/27 Jason Voorhees :
> Hi people:
>
> I'm using MailScanner and MailWatch. Everything is OK, spam messages
> are going to quarantine. But when I try to release a message from
> quarantine (a false positive) the message joins again the quarantine.
> Mailwatch shows me that the message now is coming from
> postmaster@mydomain.com to original-recipient@mydomain.com
>
> I'm using the QUARANTINE_USE_SENDMAIL (true) setting in conf.php of
> Mailwatch configuration, so I think MailScanner sees these released
> messages coming from their original sender and IP address but doesn't
> understand that it is coming from localhost (through sendmail binary).
>
> What exception rule can I create to always allow quarantine released
> message to pass? I tried adding a from mydomain.com to mydomain.com
> whitelist setting but it doesn't work... because of the sendmail
> binary way of releasing.
>
> Could someone give any ideas? Thanks, bye

Whitelist 127.0.0.1

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From jvoorhees1 at gmail.com Fri Feb 27 17:15:35 2009
From: jvoorhees1 at gmail.com (Jason Voorhees) Date: Fri Feb 27 17:15:45 2009 Subject: Releases messages from quarantine rejoin quarantine In-Reply-To: <223f97700902270903r3a74fdb0j307eda1d2b52c4e6@mail.gmail.com> References: <223f97700902270903r3a74fdb0j307eda1d2b52c4e6@mail.gmail.com> Message-ID: Hi: On Fri, Feb 27, 2009 at 12:03 PM, Glenn Steen wrote: > 2009/2/27 Jason Voorhees : >> Hi people: >> >> I'm using MailScanner and MailWatch. Everything is OK, spam messages >> are going to quarantine. But when I try to release a message from >> quarantine (a false positive) the message joins again the quarantine. >> Mailwatch shows me that the message now is coming from >> postmaster@mydomain.com to original-recipient@mydomain.com >> >> I'm using the QUARANTINE_USE_SENDMAIL (true) setting in conf.php of >> Mailwatch configuration, so I think MailScanner see these released >> messages coming from their original sender and IP address but doesn't >> understand that is coming from localhost (trough sendmail binary). >> >> What exception rule can I create to always allow quarantine released >> message to pass? I tried adding a from mydomain.com to mydomain.com >> whitelist setting but it doesn't work... because of the sendmail >> binary way of releasing. >> >> Could someone give any ideas? Thanks, bye > Whitelist 127.0.0.1 > I also did this, it doesn't work... because I think that the message isn't originated from 127.0.0.1, the original message is requeued using sendmail so headers aren't modified. Am I wrong maybe? > Cheers > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From dnsadmin at 1bigthink.com Fri Feb 27 17:31:52 2009 
From: dnsadmin at 1bigthink.com (dnsadmin 1bigthink.com)
Date: Fri Feb 27 17:32:10 2009
Subject: OT, but related -- WAS: [Mailwatch-users] Active Probes heads up
Message-ID: <200902271732.n1RHW0lI007412@mxt.1bigthink.com>

Hello All,

Related, but not MailScanner -- from the MailWatch list group:

Hi,

I have noticed lots of web probes for...

/mailwatch/mailscanner/docs.php?doc=../../../../../../../etc/passwd%00
/mailscanner/docs.php?doc=../../../../../../../etc/passwd%00
/mailwatch-1.0.4/mailscanner/docs.php?doc=../../../../../../../etc/passwd%00
/docs.php?doc=../../../../../../../etc/passwd%00

...across a few dozen of our servers last night. They were tied in with
the usual web application attacks so I get the feeling these signatures
have been added to some script kiddie point and click hacking tool.

If you haven't already removed / patched doc.php, now would be the time!

For those of you unaware of this vulnerability it basically allows you to
read any file on the server:

http://secunia.com/Advisories/31994/

Regards

Ian
--

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From root at doctor.nl2k.ab.ca Fri Feb 27 17:35:38 2009
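The probe pattern reported in the message above can be picked out of web server access logs. The following is an added example, not part of the original post and not MailWatch code; it assumes Apache common/combined log format, and the log lines, client addresses, the `msrule` value and all function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache common/combined log format (assumed): client, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample input: the request paths are the ones quoted in the post,
# the addresses are documentation ranges, and "msrule" is a made-up benign value.
SAMPLE_LOG = """\
192.0.2.10 - - [27/Feb/2009:03:12:01 +0000] "GET /mailwatch/mailscanner/docs.php?doc=../../../../../../../etc/passwd%00 HTTP/1.1" 404 289
192.0.2.10 - - [27/Feb/2009:03:12:02 +0000] "GET /mailscanner/docs.php?doc=../../../../../../../etc/passwd%00 HTTP/1.1" 200 1843
198.51.100.7 - - [27/Feb/2009:09:30:44 +0000] "GET /mailscanner/docs.php?doc=msrule HTTP/1.1" 200 5120
203.0.113.5 - - [27/Feb/2009:04:01:10 +0000] "GET /mailwatch-1.0.4/mailscanner/docs.php?doc=../../../../../../../etc/passwd%00 HTTP/1.0" 404 289
198.51.100.7 - - [27/Feb/2009:09:31:02 +0000] "GET /mailscanner/status.php HTTP/1.1" 200 7340
"""


def classify(target):
    """Return the reasons a request target matches the reported docs.php probe."""
    parts = urlsplit(target)
    if not unquote(parts.path).lower().endswith("/docs.php"):
        return []
    reasons = []
    # parse_qsl percent-decodes names and values, so %00 becomes a real NUL here.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name != "doc":
            continue
        segments = value.replace("\\", "/").split("/")
        if ".." in segments:
            reasons.append("parent-directory segment in doc parameter")
        if "\x00" in value:
            reasons.append("NUL byte in doc parameter")
    return reasons


def scan(lines):
    """Group probe hits by client: {client: [(target, status, reasons), ...]}."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format; skip it
        reasons = classify(m.group("target"))
        if reasons:
            hits[m.group("client")].append(
                (m.group("target"), int(m.group("status")), reasons)
            )
    return dict(hits)


def served(hits):
    """Probes answered with 2xx: review these first, a file may have been returned."""
    return [
        (client, target)
        for client, entries in hits.items()
        for target, status, _ in entries
        if 200 <= status < 300
    ]


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for client, entries in sorted(found.items()):
        for target, status, reasons in entries:
            print(f"{client} {status} {target!r}: {'; '.join(reasons)}")
    print("answered with 2xx:", served(found))
```

A 2xx status on one of these requests does not by itself prove a file was returned; compare the logged response size with that of a normal docs.php page.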
From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem)
Date: Fri Feb 27 17:36:37 2009
Subject: MailScanner on FreeBSD amd64 box
Message-ID: <20090227173538.GB27379@doctor.nl2k.ab.ca>

Right, why am I not getting additional headers being added on like

X-NetKnow-InComing-4-74-16-1-MailScanner-Information: Please contact the ISP for more information
X-NetKnow-InComing-4-74-16-1-MailScanner-ID: n1RHGBtC023165
X-NetKnow-InComing-4-74-16-1-MailScanner: Found to be clean
X-NetKnow-InComing-4-74-16-1-MailScanner-IP-Protocol: IPv4
X-NetKnow-InComing-4-74-16-1-MailScanner-From: mailscanner-bounces@lists.mailscanner.info
X-NetKnow-InComing-4-74-16-1-MailScanner-Watermark: 1236186980.11499@thj+H7U1KQPNQ95fTV5HZA

The box I am referring to is running FreeBSD 6.4 on amd64 and I did not
do a port (the port tree is out of date).

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From jvoorhees1 at gmail.com Fri Feb 27 18:13:23 2009
From: jvoorhees1 at gmail.com (Jason Voorhees) Date: Fri Feb 27 18:13:32 2009 Subject: OT, but related -- WAS: [Mailwatch-users] Active Probes heads up In-Reply-To: <200902271732.n1RHW0lI007412@mxt.1bigthink.com> References: <200902271732.n1RHW0lI007412@mxt.1bigthink.com> Message-ID: Hi: On Fri, Feb 27, 2009 at 12:31 PM, dnsadmin 1bigthink.com wrote: > Hello All, > > Related, but not MailScanner -- from the MailWatch list group: > > Hi, > > I have noticed lots of web probes for... > > /mailwatch/mailscanner/docs.php?doc=../../../../../../../etc/passwd%00 > /mailscanner/docs.php?doc=../../../../../../../etc/passwd%00 > /mailwatch-1.0.4/mailscanner/docs.php?doc=../../../../../../../etc/passwd%00 > /docs.php?doc=../../../../../../../etc/passwd%00 > > ...across a few dozen of our servers last night. ?They were tied in with the > usual web > application attacks so I get the feeling these signatures have been added to > some script > kiddie point and click hacking tool. > > If you haven't already removed / patched doc.php, now would be the time! > > > For those of you unaware of this vulnerability it basically allows you to > read any file on the > server: > Thanks for sharing your post here. According to the link the exploit only works when magic_gpc_quotes is Off in php.ini. Fortunately, I always have that setting in ON, and use "Allow from" certain IP address only from Apache configuration when not being paranoic almost all time I block mailwatch access from Apache to anyone who isn't connected trough VPN. Does anybody here have the patch code? > http://secunia.com/Advisories/31994/ > > Regards > > Ian > -- > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. 
> > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From ssilva at sgvwater.com Fri Feb 27 18:40:08 2009 
From: ssilva at sgvwater.com (Scott Silva) Date: Fri Feb 27 18:40:30 2009 Subject: Quarantined email testing/troubleshooting In-Reply-To: <49A81A46020000270002A9BB@gwiadom.oes.beds.ac.uk> References: <497EF579020000020004A599@gwiadom.oes.beds.ac.uk> <49A81A46020000270002A9BB@gwiadom.oes.beds.ac.uk> <49A81A46020000270002A9BB@gwiadom.oes.beds.ac.uk> Message-ID: on 2-27-2009 8:52 AM Nikolaos Pavlidis spake the following: > Hello all, > > Following up on the same issue, from what I tried so far the script that > Julian suggested works great! Many thanks for that! The bad thing is > that the problem persists for some weird reason focusing again on > delivery notifications. After using the script to turn the quarantined > email into the mbox format, I fed it to SA and I got: > > # spamassassin -t -p /etc/mail/MailScanner/spam.assassin.prefs.conf > --mbox < spam.20100108 > > Content analysis details: (-15.0 points, 5.0 required) > > pts rule name description > ---- ---------------------- > -------------------------------------------------- > -15 BAYES_00 BODY: Bayesian spam probability is 0 to 1% > [score: 0.0000] > > > And yes I have not used sa-learn first! Why could that email be in > quarantine if SA clears it? I do realise that delivery notifications are > minor details but... the devil is in the detail! > > Any help is much appreciated, thank you in advance. > Do you use the spam lists function on your system? If so, that can also mark messages as spam. Also, did you look at the message and see if the conversion changed it somehow? -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 258 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090227/285b00a4/signature.bin From ka at pacific.net Fri Feb 27 18:42:08 2009 
From: ka at pacific.net (Ken A) Date: Fri Feb 27 18:42:26 2009 Subject: OT, but related -- WAS: [Mailwatch-users] Active Probes heads up In-Reply-To: References: <200902271732.n1RHW0lI007412@mxt.1bigthink.com> Message-ID: <49A83400.50502@pacific.net> Jason Voorhees wrote: > Hi: > > On Fri, Feb 27, 2009 at 12:31 PM, dnsadmin 1bigthink.com > wrote: >> Hello All, >> >> Related, but not MailScanner -- from the MailWatch list group: >> >> Hi, >> >> I have noticed lots of web probes for... >> >> /mailwatch/mailscanner/docs.php?doc=../../../../../../../etc/passwd%00 >> /mailscanner/docs.php?doc=../../../../../../../etc/passwd%00 >> /mailwatch-1.0.4/mailscanner/docs.php?doc=../../../../../../../etc/passwd%00 >> /docs.php?doc=../../../../../../../etc/passwd%00 >> fwiw, it's not a great idea to name web application files doc(s).php? or other common names.. calendar, page, file, etc.. google will index them, making them magnetic to poorly written, index searching, hacker tools. :-( >> ...across a few dozen of our servers last night. They were tied in with the >> usual web >> application attacks so I get the feeling these signatures have been added to >> some script >> kiddie point and click hacking tool. >> >> If you haven't already removed / patched doc.php, now would be the time! >> >> >> For those of you unaware of this vulnerability it basically allows you to >> read any file on the >> server: >> > > Thanks for sharing your post here. According to the link the exploit > only works when magic_gpc_quotes is Off in php.ini. > I think that setting is being removed from php v6 because it doesn't work as expected - problems with sql injection, iirc.. Ken > Fortunately, I always have that setting in ON, and use "Allow from" > certain IP address only from Apache configuration when not being > paranoic > almost all time I block mailwatch access from Apache to anyone who > isn't connected trough VPN. > > Does anybody here have the patch code? 
>> http://secunia.com/Advisories/31994/ >> >> Regards >> >> Ian >> -- >> >> >> -- >> This message has been scanned for viruses and >> dangerous content by MailScanner, and is >> believed to be clean. >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> -- Ken Anderson Pacific Internet - http://www.pacific.net From ssilva at sgvwater.com Fri Feb 27 18:56:16 2009 
From: ssilva at sgvwater.com (Scott Silva) Date: Fri Feb 27 18:56:34 2009 Subject: Releases messages from quarantine rejoin quarantine In-Reply-To: References: <223f97700902270903r3a74fdb0j307eda1d2b52c4e6@mail.gmail.com> Message-ID: on 2-27-2009 9:15 AM Jason Voorhees spake the following: > Hi: > On Fri, Feb 27, 2009 at 12:03 PM, Glenn Steen wrote: >> 2009/2/27 Jason Voorhees : >>> Hi people: >>> >>> I'm using MailScanner and MailWatch. Everything is OK, spam messages >>> are going to quarantine. But when I try to release a message from >>> quarantine (a false positive) the message joins again the quarantine. >>> Mailwatch shows me that the message now is coming from >>> postmaster@mydomain.com to original-recipient@mydomain.com >>> >>> I'm using the QUARANTINE_USE_SENDMAIL (true) setting in conf.php of >>> Mailwatch configuration, so I think MailScanner see these released >>> messages coming from their original sender and IP address but doesn't >>> understand that is coming from localhost (trough sendmail binary). >>> >>> What exception rule can I create to always allow quarantine released >>> message to pass? I tried adding a from mydomain.com to mydomain.com >>> whitelist setting but it doesn't work... because of the sendmail >>> binary way of releasing. >>> >>> Could someone give any ideas? Thanks, bye >> Whitelist 127.0.0.1 >> > I also did this, it doesn't work... because I think that the message > isn't originated from 127.0.0.1, the original message is requeued > using sendmail so headers aren't modified. > > Am I wrong maybe? Whitelisting doesn't stop content checks, just spam checks. See my other post on how to get this working. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 258 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090227/203285a7/signature.bin From ssilva at sgvwater.com Fri Feb 27 18:59:26 2009 
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Feb 27 19:00:12 2009
Subject: OT, but related -- WAS: [Mailwatch-users] Active Probes heads up
In-Reply-To:
References: <200902271732.n1RHW0lI007412@mxt.1bigthink.com>
Message-ID:

on 2-27-2009 10:13 AM Jason Voorhees spake the following:
> Hi:
>
> On Fri, Feb 27, 2009 at 12:31 PM, dnsadmin 1bigthink.com
> wrote:
>> Hello All,
>>
>> Related, but not MailScanner -- from the MailWatch list group:
>>
>> Hi,
>>
>> I have noticed lots of web probes for...
>>
>> /mailwatch/mailscanner/docs.php?doc=../../../../../../../etc/passwd%00
>> /mailscanner/docs.php?doc=../../../../../../../etc/passwd%00
>> /mailwatch-1.0.4/mailscanner/docs.php?doc=../../../../../../../etc/passwd%00
>> /docs.php?doc=../../../../../../../etc/passwd%00
>>
>> ...across a few dozen of our servers last night. They were tied in with the
>> usual web
>> application attacks so I get the feeling these signatures have been added to
>> some script
>> kiddie point and click hacking tool.
>>
>> If you haven't already removed / patched doc.php, now would be the time!
>>
>>
>> For those of you unaware of this vulnerability it basically allows you to
>> read any file on the
>> server:
>>
>
> Thanks for sharing your post here. According to the link the exploit
> only works when magic_gpc_quotes is Off in php.ini.
>
> Fortunately, I always have that setting in ON, and use "Allow from"
> certain IP address only from Apache configuration when not being
> paranoid
> almost all time I block mailwatch access from Apache to anyone who
> isn't connected through VPN.
>
> Does anybody here have the patch code?

mv docs.php docs.php.kill

That fixed it for me. I wasn't using it anyway, and most people aren't.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 258 bytes
Desc: OpenPGP digital signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090227/bd9bdc78/signature.bin

From ajcartmell at fonant.com Fri Feb 27 19:18:13 2009
From: ajcartmell at fonant.com (Anthony Cartmell)
Date: Fri Feb 27 19:18:17 2009
Subject: OT, but related -- WAS: [Mailwatch-users] Active Probes heads up
In-Reply-To:
References: <200902271732.n1RHW0lI007412@mxt.1bigthink.com>
Message-ID:

> Thanks for sharing your post here. According to the link the exploit
> only works when magic_gpc_quotes is Off in php.ini.

Yeah, but I don't understand why they say that. The offending code is:

    include("docs/".$_GET[doc].".html");

So you don't need anything fancy, just something like
?doc=../../../../etc/passwd

Ah, I see, you need a NULL so that the ".html" bit is ignored. With
magic_quotes_gpc the NULL would be escaped, so you'd only be able to
include any *.html files. Still not good. And magic_quotes_gpc should be
off for all sorts of other security reasons (which is why it's deprecated,
and won't be in PHP 6).

> Does anybody here have the patch code?

Insert this after the html_start("Documentation"); line:

    die('Needs fixing to avoid arbitrary file inclusion.');

HTH,

Anthony
--
www.fonant.com - Quality web sites

From Denis.Beauchemin at USherbrooke.ca Fri Feb 27 20:05:10 2009
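The include quoted in the message above, next to a hardened form, as an added example (not MailWatch's code and not a patch posted in this thread). The function names, the base directory argument and the allowed-name pattern are assumptions for illustration.

```php
<?php
// Added example: not MailWatch code. Function names, the base directory
// argument and the allowed-name pattern are assumptions for illustration.

// Vulnerable shape quoted in the thread: the request value is concatenated
// straight into the include path, so "../" segments leave docs/ and, on older
// PHP versions that cut paths at a NUL byte, a trailing NUL drops ".html".
function docs_path_unsafe(string $doc): string
{
    return "docs/" . $doc . ".html";
}

// Hardened shape: accept only a plain document name, then confirm that the
// canonical path still sits inside the documentation directory.
function docs_path_safe(string $doc, string $baseDir): ?string
{
    // Allow-list: letters, digits, underscore and hyphen only. This rejects
    // "/", "\", ".", NUL and "%" outright instead of trying to strip them.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $doc)) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }

    // realpath() resolves symlinks and returns false for missing files.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $doc . '.html');
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }

    // Containment check: a symlink inside docs/ must not lead elsewhere.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// In a page handler (sketch): treat anything but a string as "not found".
//   $doc  = isset($_GET['doc']) && is_string($_GET['doc']) ? $_GET['doc'] : '';
//   $path = docs_path_safe($doc, __DIR__ . '/docs');
//   if ($path === null) { header('HTTP/1.0 404 Not Found'); exit; }
//   include $path;

// Self-check on constructed input when run from the command line.
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'docs_demo_' . getmypid();
    mkdir($base);
    file_put_contents($base . DIRECTORY_SEPARATOR . 'install.html', '<p>ok</p>');

    $samples = [
        'install',                 // legitimate document name
        '../../../../etc/passwd',  // traversal
        "../../etc/passwd\0",      // traversal with trailing NUL
        'install.html',            // "." is not in the allow-list
        'missing',                 // well-formed name, no such file
    ];
    foreach ($samples as $doc) {
        $shown  = str_replace("\0", '\0', $doc);
        $unsafe = str_replace("\0", '\0', docs_path_unsafe($doc));
        $result = docs_path_safe($doc, $base) === null ? '404' : 'serve';
        printf("%-26s unsafe: %-36s safe: %s\n", $shown, $unsafe, $result);
    }

    unlink($base . DIRECTORY_SEPARATOR . 'install.html');
    rmdir($base);
}
```

Only the first sample is served; the other four return null, which the handler maps to a 404.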
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Fri Feb 27 20:05:23 2009
Subject: RH init script
In-Reply-To: <49A8156E.1060000@ecs.soton.ac.uk>
References: <49A7F6CA.2070403@ecs.soton.ac.uk> <49A8011D.9040606@USherbrooke.ca> <49A8156E.1060000@ecs.soton.ac.uk>
Message-ID: <49A84776.4010509@USherbrooke.ca>

Julian Field wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> On 27/2/09 15:05, Denis Beauchemin wrote:
>
>> PS: I am trying to configure a server that could (in case of DR) play
>> both inbound and outbound roles at the same time. I will be running
>> different sendmail and MS instances. I think the current init script
>> won't play nice with this scheme because it "killproc MailScanner"
>> without regards about which instance it might belong to. Why don't you
>> use $MSPID instead?
>>
> Err... because I started by copying someone else's init.d script! I
> ideally want to send the TERM to the child processes as well, though, so
> they all get told to start dying.
>
> Jules
>

Julian,

In the RH init script, could you replace all "killproc MailScanner -15" by:

    if [[ -s $MSPID ]]; then
        kill -15 $(ps -ef|grep $(cat /var/run/MailScanner.pid)|awk '/MailScanner:/{print $2}')
    else
        killproc MailScanner -15
    fi

That way you'll kill all MS children at the same time without killing
other MS processes started by a different instance of MS.

There are so many things I have to modify in so many different files to
be able to run many MS instances simultaneously on the same machine that
I may as well rewrite the init.d script altogether...

Thanks!

Denis
--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x62252 F: 819.821.8045

From ecasarero at gmail.com Fri Feb 27 20:06:57 2009
From: ecasarero at gmail.com (Eduardo Casarero) Date: Fri Feb 27 20:07:06 2009 Subject: OT: MailScanner & Nagios Message-ID: <7d9b3cf20902271206x249385c9l95a907408fd97bbc@mail.gmail.com> Hi everybody, is anyone using nagios to monitor MailScanner? i was looking for some plugins to check mailscanner status, queues, etc. The basic server monitoring is already set up, but if someone has already coded some custom plugins for mailscanner and wants to share i would be very happy :D if not, i'll have to do it my self. regards eduardo From rcooper at dwford.com Fri Feb 27 20:17:42 2009 From: rcooper at dwford.com (Rick Cooper) Date: Fri Feb 27 20:17:54 2009 Subject: OT, but related -- WAS: [Mailwatch-users] Active Probes heads up In-Reply-To: <200902271732.n1RHW0lI007412@mxt.1bigthink.com> References: <200902271732.n1RHW0lI007412@mxt.1bigthink.com> Message-ID: <92DD4569D1614D4D9551EDBE4673E08F@SAHOMELT> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On
> Behalf Of dnsadmin 1bigthink.com
> Sent: Friday, February 27, 2009 12:32 PM
> To: MailScanner mailing list
> Subject: OT, but related -- WAS: [Mailwatch-users] Active
> Probes heads up
>
> Hello All,
>
> Related, but not MailScanner -- from the MailWatch list group:
>
> Hi,
>
> I have noticed lots of web probes for...
>
> /mailwatch/mailscanner/docs.php?doc=../../../../../../../etc/
> passwd%00
> /mailscanner/docs.php?doc=../../../../../../../etc/passwd%00
> /mailwatch-1.0.4/mailscanner/docs.php?doc=../../../../../../.
> ./etc/passwd%00
> /docs.php?doc=../../../../../../../etc/passwd%00
>
> ...across a few dozen of our servers last night. They were tied in
> with the usual web
> application attacks so I get the feeling these signatures have been
> added to some script
> kiddie point and click hacking tool.
>
> If you haven't already removed / patched doc.php, now would
> be the time!
>
>
> For those of you unaware of this vulnerability it basically allows
> you to read any file on the
> server:

It's a moot point here as you have to be a valid user with name and
password to access mailwatch and swatch is set up to watch all the apache
logs for various strings such as etc/password and I would get an email
within seconds of an internal user attempting access to, among others,
that file, or for that matter ../../

But for safety's sake if you change the top part of docs.php to

    $ThisDoc = '';
    if (isset($_GET['doc'])) {
        // Strip "../" sequences and NUL bytes from the start of the requested name
        $ThisDoc = preg_replace('/^(\.\.\/|\0){1,}/','',$_GET['doc']).".html";
        // The document has to exist under docs/, where it is included from below
        if( !is_file("docs/$ThisDoc") ){
            header("HTTP/1.0 404 Not Found",FALSE);
            exit;
        }
    }
    require("./functions.php");
    html_start("Documentation");
    if ( $ThisDoc != "" ) {
        include("docs/$ThisDoc");
    [...]

That will remove any attempt to use a relative path to get outside the
site dir, and remove any NULLs to attempt to get around the .html. It then
checks to see if the file is valid and sends a 404 if it's not. And you
will still see the ../../ junk in the apache logs just in case you look
for those things

Just my two cents

Rick

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From jethro.binks at strath.ac.uk Fri Feb 27 20:20:28 2009
From: jethro.binks at strath.ac.uk (Jethro R Binks)
Date: Fri Feb 27 20:20:39 2009
Subject: MailScanner on FreeBSD amd64 box
In-Reply-To: <20090227173538.GB27379@doctor.nl2k.ab.ca>
References: <20090227173538.GB27379@doctor.nl2k.ab.ca>
Message-ID:

On Fri, 27 Feb 2009, Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem wrote:

> Right why am I not getting additional headers being added on like
...
> The box I am referring to is running FreeBsd 6.4 on amd64 and I did not
> do a port (the port tree is out of date).

Right is it a trick question?

I'm afraid I've used up my clairvoyancy quota for this month, right you'll
just have to do it the old-fashioned way by providing some useful
information.

Jethro.

--
. . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK

From jethro.binks at strath.ac.uk Fri Feb 27 20:24:33 2009
From: jethro.binks at strath.ac.uk (Jethro R Binks) Date: Fri Feb 27 20:24:43 2009 Subject: OT: MailScanner & Nagios In-Reply-To: <7d9b3cf20902271206x249385c9l95a907408fd97bbc@mail.gmail.com> References: <7d9b3cf20902271206x249385c9l95a907408fd97bbc@mail.gmail.com> Message-ID: On Fri, 27 Feb 2009, Eduardo Casarero wrote: > Hi everybody, is anyone using nagios to monitor MailScanner? i was > looking for some plugins to check mailscanner status, queues, etc. The > basic server monitoring is already set up, but if someone has already > coded some custom plugins for mailscanner and wants to share i would be > very happy :D > > if not, i'll have to do it my self. What exactly do you want to monitor? There are already plugins to check status of processes, and MailScanner itself doesn't have queues: the queues are for the MTA, and there are plugins to check them too. What MailScanner-specific items do you want to monitor that are not covered by the present Nagios plugins? Jethro. -- . . . . . . . . . . . . . . . . . . . . . . . . . Jethro R Binks Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK From jdustin at usm.maine.edu Fri Feb 27 20:35:06 2009 From: jdustin at usm.maine.edu (Jon Dustin) Date: Fri Feb 27 20:35:35 2009 Subject: bug in Spear-Phishing script? Message-ID: <49A8082A0200008D00016EAB@uct5.uct.usm.maine.edu> >>> On 2/27/2009 at 10:05 AM, in message <49A84C0A.BA9 : 45 : 31657>, Denis Beauchemin wrote: > Julian Field a ?crit : >> >> >> On 27/2/09 13:20, David Lee wrote: >>> > In the RH version (didn't check the SuSE one), you need to add ";;" on > line 451. > I just changed my init script to use this new one, and discovered the ";;" problem on SLES10. Adding the semi-colons below line 268 fixed the problem. Thanks for the new script Jules! -- Jon Dustin - Network Specialist University of Southern Maine Portland, ME 207-780-4152 From root at doctor.nl2k.ab.ca Fri Feb 27 20:34:35 2009 
From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem) Date: Fri Feb 27 20:35:43 2009 Subject: {?} Re: MailScanner on FreeBSD amd64 boxy In-Reply-To: References: <20090227173538.GB27379@doctor.nl2k.ab.ca> Message-ID: <20090227203435.GA14507@doctor.nl2k.ab.ca> On Fri, Feb 27, 2009 at 08:20:28PM +0000, Jethro R Binks wrote: > On Fri, 27 Feb 2009, Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem wrote: > > > Right why am I not getting additional headers being added on like > ... > > The box I am referring to is running FreeBsd 6.4 on amd64 and I did not > > do a port (the port tree is out of date). > > Right is it a trick question? > > I'm afraid I've used up my clairvoyancy quota for this month, right you'll > just have to do it the old-fashioned way by providing some useful > information. > Which logs or segments thereof do you want me to post? > Jethro. > > -- > . . . . . . . . . . . . . . . . . . . . . . . . . > Jethro R Binks > Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From jethro.binks at strath.ac.uk Fri Feb 27 21:00:51 2009 
From: jethro.binks at strath.ac.uk (Jethro R Binks) Date: Fri Feb 27 21:01:01 2009 Subject: {?} Re: MailScanner on FreeBSD amd64 boxy In-Reply-To: <20090227203435.GA14507@doctor.nl2k.ab.ca> References: <20090227173538.GB27379@doctor.nl2k.ab.ca> <20090227203435.GA14507@doctor.nl2k.ab.ca> Message-ID: On Fri, 27 Feb 2009, Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem wrote: > On Fri, Feb 27, 2009 at 08:20:28PM +0000, Jethro R Binks wrote: > > On Fri, 27 Feb 2009, Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem wrote: > > > > > Right why am I not getting additional headers being added on like > > ... > > > The box I am referring to is running FreeBsd 6.4 on amd64 and I did not > > > do a port (the port tree is out of date). > > > > Right is it a trick question? > > > > I'm afraid I've used up my clairvoyancy quota for this month, right you'll > > just have to do it the old-fashioned way by providing some useful > > information. > > Which logs or segments thereof do you want me to post? I'm almost certainly not going to be in a position to suggest how to fix your problem, but I would suggest if you want anyone else to be able to have a shot at it that you might mention things like: 1. mailscanner version; 2. whether this is an upgrade on a previously-working platform, that now doesn't work as previously, or: 3. whether it is a brand new install on previously-untested platform; 4. whether the configuration you are using is identical to that on a previously-working machine; 5. what is in the config file of relevance; 6. anything else you think might be relevant information. You could also indicate what steps you have taken to diagnose and investigate the problem so far. Jethro. -- . . . . . . . . . . . . . . . . . . . . . . . . . Jethro R Binks Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK From maxsec at gmail.com Fri Feb 27 21:34:20 2009 
From: maxsec at gmail.com (Martin Hepworth)
Date: Fri Feb 27 21:34:29 2009
Subject: MailScanner on FreeBSD amd64 box
In-Reply-To: <20090227173538.GB27379@doctor.nl2k.ab.ca>
References: <20090227173538.GB27379@doctor.nl2k.ab.ca>
Message-ID: <72cf361e0902271334p4b2eeedftb8c0d838212e5115@mail.gmail.com>

2009/2/27 Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem :
> Right why am I not getting additional headers being added on like
>
> X-NetKnow-InComing-4-74-16-1-MailScanner-Information: Please contact the ISP
>        for more information
> X-NetKnow-InComing-4-74-16-1-MailScanner-ID: n1RHGBtC023165
> X-NetKnow-InComing-4-74-16-1-MailScanner: Found to be clean
> X-NetKnow-InComing-4-74-16-1-MailScanner-IP-Protocol: IPv4
> X-NetKnow-InComing-4-74-16-1-MailScanner-From:
>        mailscanner-bounces@lists.mailscanner.info
> X-NetKnow-InComing-4-74-16-1-MailScanner-Watermark:
>        1236186980.11499@thj+H7U1KQPNQ95fTV5HZA
>
>
> The box I am referring to is running FreeBsd 6.4 on amd64 and I did not
> do a port (the port tree is out of date).
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

In that case your MTA isn't queuing email for MailScanner. what MTA
and how did you install?

--
Martin Hepworth
Oxford, UK

From root at doctor.nl2k.ab.ca Fri Feb 27 22:45:22 2009
From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem)
Date: Fri Feb 27 22:46:58 2009
Subject: {?} Re: MailScanner on FreeBSD amd64 box
In-Reply-To: <72cf361e0902271334p4b2eeedftb8c0d838212e5115@mail.gmail.com>
References: <20090227173538.GB27379@doctor.nl2k.ab.ca> <72cf361e0902271334p4b2eeedftb8c0d838212e5115@mail.gmail.com>
Message-ID: <20090227224522.GA20118@doctor.nl2k.ab.ca>

On Fri, Feb 27, 2009 at 09:34:20PM +0000, Martin Hepworth wrote:
> 2009/2/27 Dave Shariff Yadallee - System Administrator a.k.a. The Root
> of the Problem :
> > Right why am I not getting additional headers being added on like
> >
> > X-NetKnow-InComing-4-74-16-1-MailScanner-Information: Please contact the ISP
> >        for more information
> > X-NetKnow-InComing-4-74-16-1-MailScanner-ID: n1RHGBtC023165
> > X-NetKnow-InComing-4-74-16-1-MailScanner: Found to be clean
> > X-NetKnow-InComing-4-74-16-1-MailScanner-IP-Protocol: IPv4
> > X-NetKnow-InComing-4-74-16-1-MailScanner-From:
> >        mailscanner-bounces@lists.mailscanner.info
> > X-NetKnow-InComing-4-74-16-1-MailScanner-Watermark:
> >        1236186980.11499@thj+H7U1KQPNQ95fTV5HZA
> >
> >
> > The box I am referring to is running FreeBsd 6.4 on amd64 and I did not
> > do a port (the port tree is out of date).
> >
> > --
> > This message has been scanned for viruses and
> > dangerous content by MailScanner, and is
> > believed to be clean.
> >
> > --
> > MailScanner mailing list
> > mailscanner@lists.mailscanner.info
> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >
> > Before posting, read http://wiki.mailscanner.info/posting
> >
> > Support MailScanner development - buy the book off the website!
> >
>
>
> In that case your MTA isn't queuing email for MailScanner. what MTA
> and how did you install?
>

The most current version of Sendmail.

> -- > Martin Hepworth > Oxford, UK > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From linuxhousedn at yahoo.com Sat Feb 28 13:10:16 2009 
From: linuxhousedn at yahoo.com (Linux Advocate) Date: Sat Feb 28 13:10:25 2009 Subject: New installation of Mailscanner Message-ID: <360980.41233.qm@web51112.mail.re2.yahoo.com> Guys i have a centos 5.2 box and i have just installed ( after reading the docs on the mailscanner site and centos lists ) Mailscanner. a.) How do i test my installation? is there some sample spam messages that can be used to test. b.) MailScanner -V shows; b.1) LibClamAV Warning: ************************************************** LibClamAV Warning: *** The virus database is older than 7 days! *** LibClamAV Warning: *** Please update it as soon as possible. *** LibClamAV Warning: ************************************************** how do i update this database? b.2) there are some modules missing; how do i iinstall them or do i ignore them Module versions are: 1.00 AnyDBM_File 1.16 Archive::Zip 0.17 bignum 1.04 Carp 1.42 Compress::Zlib 1.119 Convert::BinHex missing Convert::TNEF <--- missing ? 2.121_08 Data::Dumper 2.27 Date::Parse 1.00 DirHandle 1.05 Fcntl Optional module versions are: 1.30 Archive::Tar 0.17 bignum missing Business::ISBN <---- missing ? missing Business::ISBN::Data missing Data::Dump 1.814 DB_File 1.14 DBD::SQLite 1.52 DBI 1.14 Digest 1.01 Digest::HMAC 2.36 Digest::MD5 2.11 Digest::SHA1 missing Encode::Detect missing Error missing ExtUtils::CBuilder missing ExtUtils::ParseXS regards, mgomez. From MailScanner at ecs.soton.ac.uk Sat Feb 28 13:12:50 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Feb 28 13:13:21 2009
Subject: RH init script
In-Reply-To: <49A84776.4010509@USherbrooke.ca>
References: <49A7F6CA.2070403@ecs.soton.ac.uk> <49A8011D.9040606@USherbrooke.ca> <49A8156E.1060000@ecs.soton.ac.uk> <49A84776.4010509@USherbrooke.ca>
Message-ID: <49A93852.3060309@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Why not just kill the mspid, and not killproc MailScanner?

On 27/2/09 20:05, Denis Beauchemin wrote:
> Julian Field wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>>
>>
>> On 27/2/09 15:05, Denis Beauchemin wrote:
>>> PS: I am trying to configure a server that could (in case of DR)
>>> play both inbound and outbound roles at the same time. I will be
>>> running different sendmail and MS instances. I think the current
>>> init script won't play nice with this scheme because it "killproc
>>> MailScanner" without regards about which instance it might belong
>>> to. Why don't you use $MSPID instead?
>> Err... because I started by copying someone else's init.d script! I
>> ideally want to send the TERM to the child processes as well, though,
>> so they all get told to start dying.
>>
>> Jules
>
> Julian,
>
> In the RH init script, could you replace all "killproc MailScanner
> -15" by:
> if [[ -s $MSPID ]]; then
> kill -15 $(ps -ef|grep $(cat /var/run/MailScanner.pid)|awk
> '/MailScanner:/{print $2}')
> else
> killproc MailScanner -15
> fi
>
> That way you'll kill all MS children at the same time without killing
> other MS processes started by a different instance of MS.
>
> There are so many things I have to modify in so many different files
> to be able to run many MS instances simultaneously on the same machine
> that I may as well rewrite the init.d script altogether...
>
> Thanks!
> > Denis > Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.9.1 (Build 287) Comment: Use PGP or Thunderbird Enigmail to verify this message Charset: ISO-8859-1 wj8DBQFJqThbEfZZRxQVtlQRAgCHAJ4nGGLGV8SmZ0Q3JZTtq3JODFPExwCfdmhe byB4cT6yYCmNUaDlQxRaz4M= =68RP -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From raymond at prolocation.net Sat Feb 28 13:14:21 2009 
From: raymond at prolocation.net (Raymond Dijkxhoorn) Date: Sat Feb 28 13:14:30 2009 Subject: New installation of Mailscanner In-Reply-To: <360980.41233.qm@web51112.mail.re2.yahoo.com> References: <360980.41233.qm@web51112.mail.re2.yahoo.com> Message-ID: Hi! > a.) How do i test my installation? is there some sample spam messages that can be used to test. > b.) MailScanner -V shows; > > b.1) > > LibClamAV Warning: ************************************************** > LibClamAV Warning: *** The virus database is older than 7 days! *** > LibClamAV Warning: *** Please update it as soon as possible. *** > LibClamAV Warning: ************************************************** > > how do i update this database? This is a ClamAV question. But you can run freshclam for example. Thats in the Clam manuals and FAQs also btw. > b.2) there are some modules missing; how do i iinstall them or do i ignore them > > > Module versions are: > 1.00 AnyDBM_File > 1.16 Archive::Zip > 0.17 bignum > 1.04 Carp > 1.42 Compress::Zlib > 1.119 Convert::BinHex > missing Convert::TNEF <--- missing ? > > 2.121_08 Data::Dumper > 2.27 Date::Parse > 1.00 DirHandle > 1.05 Fcntl > > > Optional module versions are: > > 1.30 Archive::Tar > 0.17 bignum > missing Business::ISBN <---- missing ? So install them :-) Bye, Raymond. From raymond at prolocation.net Sat Feb 28 13:24:31 2009 From: raymond at prolocation.net (Raymond Dijkxhoorn) Date: Sat Feb 28 13:24:40 2009 Subject: New installation of Mailscanner In-Reply-To: References: <360980.41233.qm@web51112.mail.re2.yahoo.com> Message-ID: Hi! >> 1.30 Archive::Tar >> 0.17 bignum >> missing Business::ISBN <---- missing ? > So install them :-) How, depending on your OS. You could look if there are RPMs or DEBs for them, otherwise use CPAN for example to get it on. Bye, Raymond. From maillists at conactive.com Sat Feb 28 13:31:17 2009 
From: maillists at conactive.com (Kai Schaetzl)
Date: Sat Feb 28 13:31:35 2009
Subject: OT, but related -- WAS: [Mailwatch-users] Active Probes heads up
In-Reply-To: <200902271732.n1RHW0lI007412@mxt.1bigthink.com>
References: <200902271732.n1RHW0lI007412@mxt.1bigthink.com>
Message-ID:

Dnsadmin 1bigthink.com wrote on Fri, 27 Feb 2009 12:31:52 -0500:

> doc=../../../../../../../etc/passwd%00

This will give access to the user names, but not to passwords (hashes,
anyway) if /etc/shadow is correctly set up. Nevertheless, thanks for the
info, will fix that for ours. (Just removing that doc var should do.)

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Sat Feb 28 14:21:23 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Sat Feb 28 14:21:32 2009
Subject: New installation of Mailscanner
In-Reply-To: <360980.41233.qm@web51112.mail.re2.yahoo.com>
References: <360980.41233.qm@web51112.mail.re2.yahoo.com>
Message-ID:

you do not need any of these extra perl packages if you used that repo we
told you on the centos-list. If you used the other method the only
additional module you need is the tnef one. That is in the tarball and can
be installed separately. Or from rpmforge.

And please read some proper documentation about the tools you use. Just
asking each time on this or other lists you see an error, a warning or
some other message or you just don't know what to do next will get you
less and less answers as people are getting annoyed by your "easy way"
attitude. If you use MailScanner, you also have to read about SA, clamav,
mailwatch, postfix (or whatever MTA you use).

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From glenn.steen at gmail.com Sat Feb 28 16:58:19 2009
From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Feb 28 16:58:28 2009 Subject: Releases messages from quarantine rejoin quarantine In-Reply-To: References: <223f97700902270903r3a74fdb0j307eda1d2b52c4e6@mail.gmail.com> Message-ID: <223f97700902280858t385d2e3eye5baab6de2c9884d@mail.gmail.com> 2009/2/27 Scott Silva : > on 2-27-2009 9:15 AM Jason Voorhees spake the following: >> Hi: >> On Fri, Feb 27, 2009 at 12:03 PM, Glenn Steen wrote: >>> 2009/2/27 Jason Voorhees : >>>> Hi people: >>>> >>>> I'm using MailScanner and MailWatch. Everything is OK, spam messages >>>> are going to quarantine. But when I try to release a message from >>>> quarantine (a false positive) the message joins again the quarantine. >>>> Mailwatch shows me that the message now is coming from >>>> postmaster@mydomain.com to original-recipient@mydomain.com >>>> >>>> I'm using the QUARANTINE_USE_SENDMAIL (true) setting in conf.php of >>>> Mailwatch configuration, so I think MailScanner see these released >>>> messages coming from their original sender and IP address but doesn't >>>> understand that is coming from localhost (trough sendmail binary). >>>> >>>> What exception rule can I create to always allow quarantine released >>>> message to pass? I tried adding a from mydomain.com to mydomain.com >>>> whitelist setting but it doesn't work... because of the sendmail >>>> binary way of releasing. >>>> >>>> Could someone give any ideas? Thanks, bye >>> Whitelist 127.0.0.1 >>> >> I also did this, it doesn't work... because I think that the message >> isn't originated from 127.0.0.1, the original message is requeued >> using sendmail so headers aren't modified. >> >> Am I wrong maybe? > Whitelisting doesn't stop content checks, just spam checks. See my other post > on how to get this working. > CC. "Whitelist" doesn't necessarily mean "Spam Whitelist". I've got a separate ruleset for each type of thing that can happen to block things, and a ruleset on Scan Message to facilitate easy releasing... 
I suppose your "other mail" was along those lines Scott? Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From alden at engineno9inc.com Sat Feb 28 21:51:49 2009 
From: alden at engineno9inc.com (Alden Levy) Date: Sat Feb 28 21:54:20 2009 Subject: New Server, same old problem Message-ID: <55002.24.90.249.47.1235857909.squirrel@www.engineno9inc.com> I've been running MS for a few years now, and I love it. This list has been a tremendous help whether I'm just lurking or have a specific question. This time, it's another question: This is the second server I've switched my MS install to, and the second time I've had a problem. Unfortunately, I can't find the guy who helped me the first time around. So, I was hoping someone here would be able to help. In any event, here are the specifics: Until recently, I had two servers running MS (one FC3!) and one CentOS 4. I have now consolidated onto one server running CentOS 5.2. All of the servers had been running Ensim (now, Parallels Pro 10.x). However, I have always run MS outside of Ensim. I copied the MS directory (/etc/MailScanner) from the CentOS 4 server, and tried to harmonize my sendmail.mc with the one from the old server as well. I installed a new MS and upgraded the conf files. The old servers are now long gone. Right now, I have MS 4.74.16 installed. When I go to start it up (after following all of the instructions and turning off sendmail), mail flows in fine, but I cannot telnet in to the mail server, nor can I send mail. It seems that this would be a sendmail issue, but when I shut down MS and start up sendmail, everything flows fine. The only change that I can recall making from my last instance was using clamd instead of clamav. I tried switching back to clamav, but I still had these issues. I have been running sendmail with spamc/spamd and clamd until I could get this fixed, but I don't have to tell you that this doesn't give me the flexibility or control that running MS does. The results of MailScanner --lint are: Trying to setlogsock(unix) Read 856 hostnames from the phishing whitelist Read 4798 hostnames from the phishing blacklist Checking version numbers... 
Version number in MailScanner.conf (4.74.16) is correct. Your envelope_sender_header in spam.assassin.prefs.conf is correct. Checking for SpamAssassin errors (if you use it)... Using SpamAssassin results cache Connected to SpamAssassin cache database SpamAssassin reported no errors. I have found clamd scanners installed, and will use them all by default. Using locktype = posix MailScanner.conf says "Virus Scanners = auto" Found these virus scanners installed: clamd =========================================================================== Filename Checks: Windows/DOS Executable (1 eicar.com) Other Checks: Found 1 problems Virus and Content Scanning: Starting Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com Virus Scanning: Clamd found 2 infections Infected message 1 came from 10.1.1.1 Virus Scanning: Found 2 viruses =========================================================================== Virus Scanner test reports: Clamd said "eicar.com was infected: Eicar-Test-Signature" If any of your virus scanners (clamd) are not listed there, you should check that they are installed correctly and that MailScanner is finding them correctly via its virus.scanners.conf. Likewise, spamassassin -D --lint doesn't give any errors. MailScanner -v lists all of the required modules. The only optional ones I'm missing are: Encode::Detect, ExtUtils::CBuilder, ExtUtils::ParseXS, Mail::ClamAV, Net::LDAP, and SAVI. It reports my SA as version 3.002004. I'm running Perl v. 5.8.8 and sendmail 8.13.8. I'm happy to post any of my sendmail.mc, sendmail.cf, MS or SA files (or whatever else might be relevant) upon request. Any help or a kick in the right direction would be greatly appreciated. Thanks! Alden Levy Engine No. 9, Inc. 130 West 57th Street, Suite 2F New York, NY 10019 (212) 981-1122 (212) 504-9598 (fax) From Denis.Beauchemin at USherbrooke.ca Sat Feb 28 23:27:57 2009 
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Sat Feb 28 23:28:07 2009 Subject: RH init script In-Reply-To: <49A93852.3060309@ecs.soton.ac.uk> References: <49A7F6CA.2070403@ecs.soton.ac.uk> <49A8011D.9040606@USherbrooke.ca> <49A8156E.1060000@ecs.soton.ac.uk> <49A84776.4010509@USherbrooke.ca> <49A93852.3060309@ecs.soton.ac.uk> Message-ID: <49A9C87D.9010407@USherbrooke.ca> Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Why not just kill the mspid, and not killproc MailScanner? > > On 27/2/09 20:05, Denis Beauchemin wrote: > >> Julian Field wrote: >> >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> >>> >>> On 27/2/09 15:05, Denis Beauchemin wrote: >>> >>>> PS: I am trying to configure a server that could (in case of DR) >>>> play both inbound and outbound roles at the same time. I will be >>>> running different sendmail and MS instances. I think the current >>>> init script won't play nice with this scheme because it "killproc >>>> MailScanner" without regards about which instance it might belong >>>> to. Why don't you use $MSPID instead? >>>> >>> Err... because I started by copying someone else's init.d script! I >>> ideally want to send the TERM to the child processes as well, though, >>> so they all get told to start dying. >>> >>> Jules >>> >> Julian, >> >> In the RH init script, could you replace all "killproc MailScanner >> -15" by: >> if [[ -s $MSPID ]]; then >> kill -15 $(ps -ef|grep $(cat /var/run/MailScanner.pid)|awk >> '/MailScanner:/{print $2}') >> else >> killproc MailScanner -15 >> fi >> >> That way you'll kill all MS children at the same time without killing >> other MS processes started by a different instance of MS. >> >> There are so many things I have to modify in so many different files >> to be able to run many MS instances simultaneously on the same machine >> that I may as well rewrite the init.d script altogether... >> >> Thanks! 
>> >> Denis >> >> > > Jules > Julian, That would be fine with me, but you wouldn't be killing all children at the same time that way. Denis -- _ °v° Denis Beauchemin, analyst /(_)\ Université de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045
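The instance-scoped stop discussed in this thread, as an added example that is not part of any message above or of the MailScanner init script: it signals the parent named in one pidfile together with its direct children, and refuses a stale or malformed pidfile so a reused PID is never signalled. The function names, the Linux `/proc` lookup and the default "MailScanner" command-line match are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not the MailScanner init script): signal one instance only.

# Print PIDs whose parent is $1, read from /proc/<pid>/status (Linux only).
children_of() {
    want=$1
    for status in /proc/[0-9]*/status; do
        [ -r "$status" ] || continue      # process exited since the glob
        while read -r key val rest; do
            case $key in
                Pid:)  pid=$val ;;
                PPid:) if [ "$val" = "$want" ]; then echo "$pid"; fi
                       break ;;
            esac
        done 2>/dev/null < "$status" || true
    done
}

# Print the PID stored in pidfile $1 followed by its direct children.
# Fails if the pidfile is empty, not a plain number, or names a process
# whose command line lacks $2 (assumed default: "MailScanner"), which
# guards against a stale pidfile whose PID was reused by another program.
instance_pids() {
    pidfile=$1
    expect=${2:-MailScanner}
    [ -s "$pidfile" ] || return 1
    parent=$(head -n 1 "$pidfile" | tr -d '[:space:]')
    case $parent in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ -r "/proc/$parent/cmdline" ] || return 1
    tr '\0' ' ' < "/proc/$parent/cmdline" | grep -q -- "$expect" || return 1
    echo "$parent"
    children_of "$parent"
}

# Send signal $2 (default TERM) to the instance behind pidfile $1.
stop_instance() {
    pids=$(instance_pids "$1" "${3:-MailScanner}") || return 1
    # Word splitting of $pids is intended: one argument per PID.
    kill -s "${2:-TERM}" $pids 2>/dev/null
}
```

Matching on the parent PID field rather than grepping `ps -ef` output for the PID string avoids hitting unrelated processes whose PID or arguments merely contain the same digits.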