From gmcgreevy at pwr-sys.com Thu Jan 1 16:09:21 2009
From: gmcgreevy at pwr-sys.com (Greg J. McGreevy)
Date: Thu Jan 1 16:18:57 2009
Subject: ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf
Message-ID: <567221C09601934AA5CE9762FDA09A5001C3CB@EXCHTEMP.biz.pwr-sys.com>

When I run the mailscanner check I get the following error

I have edited the file to match the %org-name% and have tried multiple combinations, but I continue to get the error. What is the correct format to fix this error? Here is what I have tried (mydomain is exactly what is in the %org-name% in my MailScanner.conf):

X-mydomain-MailScanner
X-mydomain-COM-MailScanner
mydomain-MailScanner

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090101/d88d4977/attachment.html

From hvdkooij at vanderkooij.org Thu Jan 1 19:23:49 2009
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Thu Jan 1 19:24:02 2009
Subject: ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf
In-Reply-To: <567221C09601934AA5CE9762FDA09A5001C3CB@EXCHTEMP.biz.pwr-sys.com>
References: <567221C09601934AA5CE9762FDA09A5001C3CB@EXCHTEMP.biz.pwr-sys.com>
Message-ID: <495D1845.7030509@vanderkooij.org>

Greg J. McGreevy wrote:
> When I run the mailscanner check I get the following error

.....

The error never made it to the mailing list.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

I am not in the office at the moment. Send any work to be translated.

From gmcgreevy at pwr-sys.com Thu Jan 1 20:59:03 2009
From: gmcgreevy at pwr-sys.com (Greg J. McGreevy)
Date: Thu Jan 1 21:04:05 2009
Subject: ERROR: The "envelope_sender_header" in yourspam.assassin.prefs.conf
References: <567221C09601934AA5CE9762FDA09A5001C3CB@EXCHTEMP.biz.pwr-sys.com> <495D1845.7030509@vanderkooij.org>
Message-ID: <567221C09601934AA5CE9762FDA09A5001C3CD@EXCHTEMP.biz.pwr-sys.com>

ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf
ERROR: is not correct, it should match X-mydomain-MailScanner-From

________________________________
From: mailscanner-bounces@lists.mailscanner.info on behalf of Hugo van der Kooij
Sent: Thu 1/1/2009 2:23 PM
To: MailScanner discussion
Subject: Re: ERROR: The "envelope_sender_header" in yourspam.assassin.prefs.conf

Greg J. McGreevy wrote:
> When I run the mailscanner check I get the following error

.....

The error never made it to the mailing list.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

I am not in the office at the moment. Send any work to be translated.

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/ms-tnef
Size: 5368 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090101/6f06df91/attachment.bin

From glenn.steen at gmail.com Thu Jan 1 22:25:41 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Jan 1 22:25:52 2009
Subject: ERROR: The "envelope_sender_header" in yourspam.assassin.prefs.conf
In-Reply-To: <567221C09601934AA5CE9762FDA09A5001C3CD@EXCHTEMP.biz.pwr-sys.com>
References: <567221C09601934AA5CE9762FDA09A5001C3CB@EXCHTEMP.biz.pwr-sys.com> <495D1845.7030509@vanderkooij.org> <567221C09601934AA5CE9762FDA09A5001C3CD@EXCHTEMP.biz.pwr-sys.com>
Message-ID: <223f97700901011425s7029c66bh30e11336c32b105c@mail.gmail.com>

2009/1/1 Greg J. McGreevy :
> ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf
> ERROR: is not correct, it should match X-mydomain-MailScanner-From
>
>
So ... why didn't you try with that? :-)
The "mydomain" part should be the value of %org-name%, so ... assuming yours is set to PWRSys, it should read
X-PWRSys-MailScanner-From
... and nothing else;)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From brent.addis at spit.gen.nz Thu Jan 1 23:21:42 2009
From: brent.addis at spit.gen.nz (Brent Addis)
Date: Thu Jan 1 23:21:56 2009
Subject: Anti-phishing -- was Re: OT: Happy New Year
In-Reply-To: <495BFF17.5060705@ecs.soton.ac.uk>
References: <495BFF17.5060705@ecs.soton.ac.uk>
Message-ID: <1230852102.22182.0.camel@baddis-laptop>

Awesome Julian, I've been looking for something that would catch those.

I'll stick it on our testbed tonight

On Wed, 2008-12-31 at 23:24 +0000, Julian Field wrote:
>
> On 31/12/08 22:54, Kevin Miller wrote:
> > Just a quick note to wish everyone a Happy (and spam free) New Year,
> > especially Jules. Your hard work and giving spirit has certainly made
> > the past year much nicer for all of us...
> >
> Many thanks!
>
> You might be interested I've been doing a bit of work with the
> Google-hosted project "anti-phishing-email-reply" which you can find here:
> http://code.google.com/p/anti-phishing-email-reply/
>
> My aim was to create a trap for all those nasty spear-phishing attacks
> and those endless "Temporary job offer" spams that some of you will get.
>
> I have created a little script (which is pretty obvious, source code is
> given below) which just generates a list of addresses based on what's in
> their file. I add that to my own list of known troublesome addresses,
> which can have "*" wildcards in them, so you can do things like michael
> loucas * @ gmail . com (extra spaces added to stop my stuff picking up
> that address and killing this message).
>
> I then generate a bunch of SpamAssassin rules from that which detect any
> of these few thousand addresses appearing anywhere in a message, with
> lots of safeguards to protect against false alarms. It also compacts
> them into only a hundred or two rules, instead of having 1 SpamAssassin
> rule for each address!
>
> I then use SpamAssassin Rule Actions to do this:
> SpamAssassin Rule Actions = ECS_MAIL_ACCESS=>store,not-deliver,forward
> postmaster@ecs.soton.ac.uk,header "X-ECS-Mail-Access: was to _TO_"
>
> This lot fires whenever any of my SpamAssassin rules fires. It
> 1) Adds a header "X-ECS-Mail-Access:" containing the list of original
> recipient addresses,
> 2) Stores a copy of the message
> 3) Stops delivery to the original recipients
> 4) Sends a copy to postmaster, where I have a Sieve rule firing on the
> presence of the "X-ECS-Mail-Access:" header to store it in a folder
> without cluttering up postmaster's inbox.
>
> My script, that builds all the SpamAssassin rules, works from a YP/NIS
> map called "mail.access" which contains each email address from the
> google list and my list in the first word of a line, looking like this
> bad@domain.com REJECT
> nasty@false.bank.com REJECT
> I sort it so that the regular expressions created are more optimal for
> Perl, so it can apply them faster to each message.
>
> My script that builds all the SpamAssassin rules is attached.
>
> My script that reads the google list and creates the YP/NIS map from it
> is simply this:
>
> #!/bin/sh
> echo Fetching phishing addresses...
> rm -f /tmp/$$.blocks
> /usr/local/bin/wget -O /tmp/$$.blocks \
>   http://anti-phishing-email-reply.googlecode.com/svn/trunk/phishing_reply_addresses \
>   >/dev/null 2>&1
> echo Read `grep -v '^#' /tmp/$$.blocks | wc -l` addresses
>
> if [ -f /tmp/$$.blocks ]; then
>   sed -e 's/^#.*$//' < /tmp/$$.blocks | \
>   cut -d, -f1 | \
>   sort | \
>   uniq | \
>   grep -v '^$' | \
>   awk '{ printf("%s\tREJECT\n",$1); }' > \
>     /opt/yp/etc/mail.access.anti-phishing
>   rm -f /tmp/$$.blocks
>   cd /opt/yp;
>   ./ypmake;
> fi
>
> The "ypcat -k mail.access" command at the start of Build.Phishing.Rules
> basically reads my list in addition to the contents of the file
> /opt/yp/etc/mail.access.anti-phishing mentioned in the code above, so
> you can easily convert it to just use a temporary file and do all of
> this lot on the same server. If you aren't using YP/NIS then you
> obviously won't need the "ypmake" command either.
>
> I hope this is of some use to some of you. It traps "Temporary job
> offer" spams and spear-phishing attacks very well indeed.
>
> Jules
>
> --
> Julian Field MEng CITP CEng
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> MailScanner customisation, or any advanced system administration help?
> Contact me at Jules@Jules.FM
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> PGP public key: http://www.jules.fm/julesfm.asc
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090102/d1b385d0/attachment.html

From gmcgreevy at pwr-sys.com Fri Jan 2 00:08:44 2009
From: gmcgreevy at pwr-sys.com (Greg J. McGreevy)
Date: Fri Jan 2 00:13:45 2009
Subject: ERROR: The "envelope_sender_header" inyourspam.assassin.prefs.conf
References: <567221C09601934AA5CE9762FDA09A5001C3CB@EXCHTEMP.biz.pwr-sys.com><495D1845.7030509@vanderkooij.org><567221C09601934AA5CE9762FDA09A5001C3CD@EXCHTEMP.biz.pwr-sys.com> <223f97700901011425s7029c66bh30e11336c32b105c@mail.gmail.com>
Message-ID: <567221C09601934AA5CE9762FDA09A5001C3CE@EXCHTEMP.biz.pwr-sys.com>

I did still getting the error

________________________________

From: mailscanner-bounces@lists.mailscanner.info on behalf of Glenn Steen
Sent: Thu 1/1/2009 5:25 PM
To: MailScanner discussion
Subject: Re: ERROR: The "envelope_sender_header" inyourspam.assassin.prefs.conf

2009/1/1 Greg J. McGreevy :
> ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf
> ERROR: is not correct, it should match X-mydomain-MailScanner-From
>
>
So ... why didn't you try with that? :-)
The "mydomain" part should be the value of %org-name%, so ... assuming yours is set to PWRSys, it should read
X-PWRSys-MailScanner-From
... and nothing else;)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/ms-tnef
Size: 4531 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090101/883b59ed/attachment.bin

From glenn.steen at gmail.com Fri Jan 2 08:45:16 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Jan 2 08:45:26 2009
Subject: ERROR: The "envelope_sender_header" inyourspam.assassin.prefs.conf
In-Reply-To: <567221C09601934AA5CE9762FDA09A5001C3CE@EXCHTEMP.biz.pwr-sys.com>
References: <567221C09601934AA5CE9762FDA09A5001C3CB@EXCHTEMP.biz.pwr-sys.com> <495D1845.7030509@vanderkooij.org> <567221C09601934AA5CE9762FDA09A5001C3CD@EXCHTEMP.biz.pwr-sys.com> <223f97700901011425s7029c66bh30e11336c32b105c@mail.gmail.com> <567221C09601934AA5CE9762FDA09A5001C3CE@EXCHTEMP.biz.pwr-sys.com>
Message-ID: <223f97700901020045o16f7a017k663cb1ccb248b6db@mail.gmail.com>

2009/1/2 Greg J. McGreevy :
> I did still getting the error
>

Ok, could you please post the settings in spam.assassin.prefs.conf as well as your %org-name% setting in MailScanner.conf? Just cut'n'paste, so that we can see them "as is".

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Fri Jan 2 08:50:20 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Jan 2 08:50:31 2009
Subject: ERROR: The "envelope_sender_header" inyourspam.assassin.prefs.conf
In-Reply-To: <223f97700901020045o16f7a017k663cb1ccb248b6db@mail.gmail.com>
References: <567221C09601934AA5CE9762FDA09A5001C3CB@EXCHTEMP.biz.pwr-sys.com> <495D1845.7030509@vanderkooij.org> <567221C09601934AA5CE9762FDA09A5001C3CD@EXCHTEMP.biz.pwr-sys.com> <223f97700901011425s7029c66bh30e11336c32b105c@mail.gmail.com> <567221C09601934AA5CE9762FDA09A5001C3CE@EXCHTEMP.biz.pwr-sys.com> <223f97700901020045o16f7a017k663cb1ccb248b6db@mail.gmail.com>
Message-ID: <223f97700901020050m17367acbg40464ee318a2872e@mail.gmail.com>

2009/1/2 Glenn Steen :
> 2009/1/2 Greg J. McGreevy :
>> I did still getting the error
>>
>
> Ok, could you please post the settings in spam.assassin.prefs.conf as
> well as your %org-name% setting in MailScanner.conf? Just cut'n'paste,
> so that we can see them "as is".

As an example... I have

%org-name% = ForstaAP-Fonden

in MailScanner.conf and

bayes_ignore_header X-ForstaAP-Fonden-MailScanner
bayes_ignore_header X-ForstaAP-Fonden-MailScanner-SpamCheck
bayes_ignore_header X-ForstaAP-Fonden-MailScanner-SpamScore
bayes_ignore_header X-ForstaAP-Fonden-MailScanner-Information
bayes_ignore_header X-ForstaAP-Fonden-MailScanner-Watermark

... in spam.assassin.prefs.conf ... Perhaps you missed some? Or have a non-header-lval-character in your %org-name% ....?

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From maillists at conactive.com Fri Jan 2 10:31:12 2009
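Added example, not part of any list message and not MailScanner's own lint code: a small cross-check of the relationship Glenn describes, where `envelope_sender_header` must be exactly `X-<%org-name%>-MailScanner-From` and the `bayes_ignore_header` entries must share the `X-<%org-name%>-MailScanner` prefix. The function names, the conservative character set for `%org-name%` and the sample configuration text are assumptions made for the illustration.

```python
import re

# Assumption: only letters, digits and '-' are treated as safe in %org-name%,
# following Glenn's hint about "non-header-lval-characters".
HEADER_TOKEN = re.compile(r"^[A-Za-z0-9-]+$")


def read_org_name(mailscanner_conf):
    """Return the value of %org-name% from MailScanner.conf text, or None."""
    for raw in mailscanner_conf.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        m = re.match(r"%org-name%\s*=\s*(\S.*)$", line)
        if m:
            return m.group(1).strip()
    return None


def check_prefs(mailscanner_conf, prefs_conf):
    """Return (line_number, message) problems; line 0 means 'whole file'."""
    org = read_org_name(mailscanner_conf)
    if org is None:
        return [(0, "%org-name% is not set in MailScanner.conf")]
    problems = []
    if not HEADER_TOKEN.match(org):
        problems.append((0, f"%org-name% {org!r} has characters unsafe in a header name"))
    prefix = f"X-{org}-MailScanner"
    expected_envelope = prefix + "-From"
    seen_envelope = False
    for n, raw in enumerate(prefs_conf.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        key, value = fields[0], fields[1]
        if key == "envelope_sender_header":
            seen_envelope = True
            # Exact, case-sensitive comparison: a one-letter typo must be reported.
            if value != expected_envelope:
                problems.append(
                    (n, f"envelope_sender_header is {value!r}, expected {expected_envelope!r}"))
        elif key == "bayes_ignore_header" and "mailscanner" in value.lower():
            if value != prefix and not value.startswith(prefix + "-"):
                problems.append(
                    (n, f"bayes_ignore_header {value!r} does not start with {prefix!r}"))
    if not seen_envelope:
        problems.append((0, "no envelope_sender_header line found"))
    return problems


# Constructed sample input (not Greg's real files).
SAMPLE_MS_CONF = """\
# MailScanner.conf excerpt (constructed)
%org-name% = PWRSys
"""
SAMPLE_PREFS_GOOD = """\
envelope_sender_header X-PWRSys-MailScanner-From
bayes_ignore_header X-PWRSys-MailScanner
bayes_ignore_header X-PWRSys-MailScanner-SpamCheck
"""
SAMPLE_PREFS_TYPO = """\
envelope_sender_header X-PWRSys-MailScanner
bayes_ignore_header X-PWRSys-MailScanner
bayes_ignore_header X-PWRsys-MailScanner-SpamCheck
"""

if __name__ == "__main__":
    for label, prefs in (("good", SAMPLE_PREFS_GOOD), ("typo", SAMPLE_PREFS_TYPO)):
        print(label, check_prefs(SAMPLE_MS_CONF, prefs))
```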
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri Jan 2 10:31:26 2009
Subject: ERROR: The "envelope_sender_header" inyourspam.assassin.prefs.conf
In-Reply-To: <567221C09601934AA5CE9762FDA09A5001C3CE@EXCHTEMP.biz.pwr-sys.com>
References: <567221C09601934AA5CE9762FDA09A5001C3CB@EXCHTEMP.biz.pwr-sys.com> <495D1845.7030509@vanderkooij.org> <567221C09601934AA5CE9762FDA09A5001C3CD@EXCHTEMP.biz.pwr-sys.com> <223f97700901011425s7029c66bh30e11336c32b105c@mail.gmail.com> <567221C09601934AA5CE9762FDA09A5001C3CE@EXCHTEMP.biz.pwr-sys.com>
Message-ID:

Greg J. McGreevy wrote on Thu, 1 Jan 2009 19:08:44 -0500:

> I did still getting the error

1. it would be nice if you could change to a *readable* quoting format
2. it would be nice if you could be more verbose

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From MailScanner at ecs.soton.ac.uk Fri Jan 2 11:19:27 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Jan 2 11:19:51 2009
Subject: Anti-phishing -- was Re: OT: Happy New Year
In-Reply-To: <1230852102.22182.0.camel@baddis-laptop>
References: <495BFF17.5060705@ecs.soton.ac.uk> <1230852102.22182.0.camel@baddis-laptop>
Message-ID: <495DF83F.7020507@ecs.soton.ac.uk>

If you want some recent entries from my additional list, I'll send you the bottom hundred or so.

On 1/1/09 23:21, Brent Addis wrote:
> Awesome Julian, I've been looking for something that would catch those.
>
> I'll stick it on our testbed tonight
>
>
>
> On Wed, 2008-12-31 at 23:24 +0000, Julian Field wrote:
>> On 31/12/08 22:54, Kevin Miller wrote:
>> > Just a quick note to wish everyone a Happy (and spam free) New Year,
>> > especially Jules. Your hard work and giving spirit has certainly made
>> > the past year much nicer for all of us...
>> >
>> Many thanks!
>>
>> You might be interested I've been doing a bit of work with the
>> Google-hosted project "anti-phishing-email-reply" which you can find here:
>> http://code.google.com/p/anti-phishing-email-reply/
>>
>> My aim was to create a trap for all those nasty spear-phishing attacks
>> and those endless "Temporary job offer" spams that some of you will get.
>>
>> I have created a little script (which is pretty obvious, source code is
>> given below) which just generates a list of addresses based on what's in
>> their file. I add that to my own list of known troublesome addresses,
>> which can have "*" wildcards in them, so you can do things like michael
>> loucas * @ gmail . com (extra spaces added to stop my stuff picking up
>> that address and killing this message).
>>
>> I then generate a bunch of SpamAssassin rules from that which detect any
>> of these few thousand addresses appearing anywhere in a message, with
>> lots of safeguards to protect against false alarms. It also compacts
>> them into only a hundred or two rules, instead of having 1 SpamAssassin
>> rule for each address!
>>
>> I then use SpamAssassin Rule Actions to do this:
>> SpamAssassin Rule Actions = ECS_MAIL_ACCESS=>store,not-deliver,forward
>> postmaster@ecs.soton.ac.uk,header "X-ECS-Mail-Access: was to _TO_"
>>
>> This lot fires whenever any of my SpamAssassin rules fires. It
>> 1) Adds a header "X-ECS-Mail-Access:" containing the list of original
>> recipient addresses,
>> 2) Stores a copy of the message
>> 3) Stops delivery to the original recipients
>> 4) Sends a copy to postmaster, where I have a Sieve rule firing on the
>> presence of the "X-ECS-Mail-Access:" header to store it in a folder
>> without cluttering up postmaster's inbox.
>>
>> My script, that builds all the SpamAssassin rules, works from a YP/NIS
>> map called "mail.access" which contains each email address from the
>> google list and my list in the first word of a line, looking like this
>> bad@domain.com REJECT
>> nasty@false.bank.com REJECT
>> I sort it so that the regular expressions created are more optimal for
>> Perl, so it can apply them faster to each message.
>>
>> My script that builds all the SpamAssassin rules is attached.
>>
>> My script that reads the google list and creates the YP/NIS map from it
>> is simply this:
>>
>> #!/bin/sh
>> echo Fetching phishing addresses...
>> rm -f /tmp/$$.blocks
>> /usr/local/bin/wget -O /tmp/$$.blocks \
>>   http://anti-phishing-email-reply.googlecode.com/svn/trunk/phishing_reply_addresses \
>>   >/dev/null 2>&1
>> echo Read `grep -v '^#' /tmp/$$.blocks | wc -l` addresses
>>
>> if [ -f /tmp/$$.blocks ]; then
>>   sed -e 's/^#.*$//' < /tmp/$$.blocks | \
>>   cut -d, -f1 | \
>>   sort | \
>>   uniq | \
>>   grep -v '^$' | \
>>   awk '{ printf("%s\tREJECT\n",$1); }' > \
>>     /opt/yp/etc/mail.access.anti-phishing
>>   rm -f /tmp/$$.blocks
>>   cd /opt/yp;
>>   ./ypmake;
>> fi
>>
>> The "ypcat -k mail.access" command at the start of Build.Phishing.Rules
>> basically reads my list in addition to the contents of the file
>> /opt/yp/etc/mail.access.anti-phishing mentioned in the code above, so
>> you can easily convert it to just use a temporary file and do all of
>> this lot on the same server. If you aren't using YP/NIS then you
>> obviously won't need the "ypmake" command either.
>>
>> I hope this is of some use to some of you. It traps "Temporary job
>> offer" spams and spear-phishing attacks very well indeed.
>>
>> Jules
>>
>> --
>> Julian Field MEng CITP CEng
>> www.MailScanner.info
>> Buy the MailScanner book at www.MailScanner.info/store
>>
>> MailScanner customisation, or any advanced system administration help?
>> Contact me at Jules@Jules.FM
>>
>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>> PGP public key: http://www.jules.fm/julesfm.asc
>>
>>
>>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From campbell at cnpapers.com Fri Jan 2 13:59:27 2009
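Added example, not part of any list message and not Julian's attached Build.Phishing.Rules (which is not shown in the archive): one way to turn a "mail.access"-style list with `*` wildcards into a small number of SpamAssassin rules feeding the `ECS_MAIL_ACCESS` rule named above. The sub-rule names, the 0.01 score, the specific false-alarm safeguards and the sample entries are assumptions made for the illustration.

```python
import re

ADDR_CHARS = r"[a-z0-9._%+-]"
BEFORE = rf"(?<!{ADDR_CHARS})"        # do not match inside a longer local part
AFTER = r"(?![a-z0-9-]|\.[a-z0-9])"   # do not match a prefix of a longer domain
WILDCARD = r"[a-z0-9._%+-]{0,64}"     # '*' expands to address characters only


def parse_access_map(text):
    """First word of each line is an address; returns a sorted, de-duplicated list."""
    addrs = set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        addr = fields[0].lower()
        if addr.count("@") != 1:
            continue
        local, domain = addr.split("@")
        # Safeguards (assumed): refuse entries that would match whole domains.
        if len(local.replace("*", "")) < 3 or "*" in domain or "." not in domain:
            continue
        addrs.add(addr)
    return sorted(addrs)   # sorted alternations share prefixes, which helps Perl


def address_regex(addr):
    """Escape one address for a Perl regex; '@' must be escaped in SpamAssassin rules."""
    out = []
    for ch in addr:
        if ch == "*":
            out.append(WILDCARD)
        elif ch.isalnum() or ch in "_-":
            out.append(ch)
        else:
            out.append("\\" + ch)
    return "".join(out)


def build_rules(addrs, per_rule=50, name="ECS_MAIL_ACCESS"):
    """Pack per_rule addresses into each sub-rule and OR them in one meta rule."""
    if not addrs:
        return []
    lines, subs = [], []
    for i in range(0, len(addrs), per_rule):
        alt = "|".join(address_regex(a) for a in addrs[i:i + per_rule])
        pattern = f"{BEFORE}(?:{alt}){AFTER}"
        n = i // per_rule + 1
        # Sub-rule names starting with "__" are not scored on their own.
        lines.append(f"header __{name}_H{n} ALL =~ /{pattern}/i")
        lines.append(f"body   __{name}_B{n} /{pattern}/i")
        subs += [f"__{name}_H{n}", f"__{name}_B{n}"]
    lines.append(f"meta   {name} ({' || '.join(subs)})")
    lines.append(f"describe {name} Message mentions a listed phishing reply address")
    lines.append(f"score  {name} 0.01")   # placeholder score (assumption)
    return lines


def matches(rule_lines, text):
    """Apply the generated body patterns to text, for testing the safeguards."""
    for line in rule_lines:
        if line.startswith("body"):
            pattern = line.split(None, 2)[2][1:-2]   # strip leading "/" and trailing "/i"
            if re.search(pattern, text, re.IGNORECASE):
                return True
    return False


# Constructed sample map (reserved example.* domains, not real list entries).
SAMPLE_MAP = """\
# address<TAB>action
bad@example.com\tREJECT
nasty@false.bank.example\tREJECT
job.offer*@example.net\tREJECT
*@example.org\tREJECT
Bad@Example.com\tREJECT
"""

if __name__ == "__main__":
    print("\n".join(build_rules(parse_access_map(SAMPLE_MAP), per_rule=2)))
```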
From: campbell at cnpapers.com (Steve Campbell)
Date: Fri Jan 2 13:59:52 2009
Subject: Spamassassin timeouts - Just an observation
In-Reply-To:
References: <49510578.6050801@cnpapers.com>
Message-ID: <495E1DBF.3090602@cnpapers.com>

Just got back from the holidays, so my reply is a little overdue.

Ugo Bellavance wrote:
> Steve Campbell wrote:
>> The topic seems to come up quite often, and although the answers are
>> usually pretty much the same, I never really see much of a "Solved"
>> reply.
>>
>> I upgraded from version 4.58, where I saw maybe 3 or 4 timeouts, to
>> 4.71, and saw an immediate increase to around 100-300 timeouts. I ran
>> all of the --debug and --debug-sa flavors of help I could think of. I
>> reviewed the logs. I run a caching nameserver. And I zeroed out some
>> RBL scores. I still have yet to find why this happens. I eventually
>> upgraded to 4.72, and started using clamd. I still get the large
>> numbers of timeouts. I would think that the fact that this doesn't
>> happen with all of my large batches indicates I'm not using any dead
>> RBLs.
>>
>> I'm still exploring the causes, but haven't had much luck. I find it
>> odd that SA would really keep RBLs that have expired over time in
>> their default files, so I really don't think it's that. I do all of
>> my checking of RBLs in SA. I always do my configuration and language
>> upgrades, and search for rpmnew and rpmsave files. This has happened
>> on 3 different but very similar servers that I run.
>>
>> I'm not really asking for assistance here, but just wanted to let
>> others who are seeing this problem to be aware that there is
>> something unique triggering this. I'm fairly confident that it is not
>> happening at all sites, but something here is causing it. It may not
>> even be related to MS/SA, but totally something else.
>>
>> The most I could ask for is a small checklist of what to ensure I
>> have set.
>> Every time I try to use the debug procedures, the tests
>> perform flawlessly with no errors. It is very sporadic. We receive
>> those normal bursts of spam, but for the most part, the batches are
>> small. The average amount of email per day is usually around 10k
>> emails, but I get the above stated 100-300 timeouts. I'm going to try
>> and match batch numbers to timeouts and see if this will reveal
>> anything. I only run 3 Children on a fairly hefty Dell PowerEdge, but
>> I do use 30 messages per child. I don't think this is excessive though.
>>
>> Hope everyone has a Happy Holiday.
>
> What is the machine?
>

The machines are all Dell PowerEdge servers. There are three servers involved. Two are well equipped. One is just used as an interface for our webmail users. Not a lot going through it.

> Did you check the optimization section of the MAQ page on the wiki?

No, I haven't, but I will. I have reviewed it before, but will look to see if anything has changed or been added.

>
> When running --debug --debug-sa, don't you find anything that is a bit
> slow?

Nothing at all.

I would think that if something were causing these that were DNS or RBL related, it would show for most all of the batches, not just random batches. So I am guessing it is either network clutter or something else. I just don't know yet. But still, there is the situation where this all started to happen after an upgrade. I'm going to review in the upgraded conf files and see if I've missed something.

I have reduced the number of children on all machines from 5 to 3. This has reduced the total of timeouts - which sort of points to machine capacity. I only use 10 messages per batch. The main machines have 1 GB of RAM. The actual number of emails going through MS is quite low; around 10K, but I have quite a large access file, and the number of emails getting to the machines are closer to 25k+.

Thanks for the thoughts and ideas. I'll keep digging and maybe find something.

steve

From maxsec at gmail.com Fri Jan 2 15:05:22 2009
From: maxsec at gmail.com (Martin Hepworth)
Date: Fri Jan 2 15:05:30 2009
Subject: Spamassassin timeouts - Just an observation
In-Reply-To: <495E1DBF.3090602@cnpapers.com>
References: <49510578.6050801@cnpapers.com> <495E1DBF.3090602@cnpapers.com>
Message-ID: <72cf361e0901020705h79fad4c8x9dc440faa83fcd2f@mail.gmail.com>

2009/1/2 Steve Campbell :
> Just got back from the holidays, so my reply is a little overdue.
>
> Ugo Bellavance wrote:
>>
>> Steve Campbell wrote:
>>>
>>> The topic seems to come up quite often, and although the answers are
>>> usually pretty much the same, I never really see much of a "Solved" reply.
>>>
>>> I upgraded from version 4.58, where I saw maybe 3 or 4 timeouts, to 4.71,
>>> and saw an immediate increase to around 100-300 timeouts. I ran all of the
>>> --debug and --debug-sa flavors of help I could think of. I reviewed the
>>> logs. I run a caching nameserver. And I zeroed out some RBL scores. I still
>>> have yet to find why this happens. I eventually upgraded to 4.72, and
>>> started using clamd. I still get the large numbers of timeouts. I would
>>> think that the fact that this doesn't happen with all of my large batches
>>> indicates I'm not using any dead RBLs.
>>>
>>> I'm still exploring the causes, but haven't had much luck. I find it odd
>>> that SA would really keep RBLs that have expired over time in their default
>>> files, so I really don't think it's that. I do all of my checking of RBLs in
>>> SA. I always do my configuration and language upgrades, and search for
>>> rpmnew and rpmsave files. This has happened on 3 different but very similar
>>> servers that I run.
>>>
>>> I'm not really asking for assistance here, but just wanted to let others
>>> who are seeing this problem to be aware that there is something unique
>>> triggering this. I'm fairly confident that it is not happening at all sites,
>>> but something here is causing it. It may not even be related to MS/SA, but
>>> totally something else.
>>>
>>> The most I could ask for is a small checklist of what to ensure I have
>>> set. Every time I try to use the debug procedures, the tests perform
>>> flawlessly with no errors. It is very sporadic. We receive those normal
>>> bursts of spam, but for the most part, the batches are small. The average
>>> amount of email per day is usually around 10k emails, but I get the above
>>> stated 100-300 timeouts. I'm going to try and match batch numbers to
>>> timeouts and see if this will reveal anything. I only run 3 Children on a
>>> fairly hefty Dell PowerEdge, but I do use 30 messages per child. I don't
>>> think this is excessive though.
>>>
>>> Hope everyone has a Happy Holiday.
>>
>> What is the machine?
>>
> The machines are all Dell PowerEdge servers. There are three servers
> involved. Two are well equipped. One is just used as an interface for our
> webmail users. Not a lot going through it.
>>
>> Did you check the optimization section of the MAQ page on the wiki?
>
> No, I haven't, but I will. I have reviewed it before, but will look to see
> if anything has changed or been added.
>>
>> When running --debug --debug-sa, don't you find anything that is a bit
>> slow?
>
> Nothing at all.
>
> I would think that if something were causing these that were DNS or RBL
> related, it would show for most all of the batches, not just random batches.
> So I am guessing it is either network clutter or something else. I just
> don't know yet. But still, there is the situation where this all started to
> happen after an upgrade. I'm going to review in the upgraded conf files and
> see if I've missed something.
>
> I have reduced the number of children on all machines from 5 to 3. This has
> reduced the total of timeouts - which sort of points to machine capacity. I
> only use 10 messages per batch. The main machines have 1 GB of RAM.
> The actual number of emails going through MS is quite low; around 10K, but I
> have quite a large access file, and the number of emails getting to the
> machines are closer to 25k+.
>
>
> Thanks for the thoughts and ideas. I'll keep digging and maybe find
> something.
>
> steve
>

Steve

1GB ram is pretty minimal for SA...depends what third party rules you got, but I'd consider increasing ram.

I presume you've got a local caching nameserver and you've dropped most of the RBL's by giving them a zero score. Also try using opendns as your forward query servers which can operate lot quicker than a lot of ISP's DNS.

--
Martin Hepworth
Oxford, UK

From campbell at cnpapers.com Fri Jan 2 18:27:04 2009
From: campbell at cnpapers.com (Steve Campbell)
Date: Fri Jan 2 19:06:19 2009
Subject: Spamassassin timeouts - Just an observation
In-Reply-To: <72cf361e0901020705h79fad4c8x9dc440faa83fcd2f@mail.gmail.com>
References: <49510578.6050801@cnpapers.com> <495E1DBF.3090602@cnpapers.com> <72cf361e0901020705h79fad4c8x9dc440faa83fcd2f@mail.gmail.com>
Message-ID: <495E5C78.7040805@cnpapers.com>

Martin Hepworth wrote:
> 2009/1/2 Steve Campbell :
>
>> Just got back from the holidays, so my reply is a little overdue.
>>
>> Ugo Bellavance wrote:
>>
>>> Steve Campbell wrote:
>>>
>>>> The topic seems to come up quite often, and although the answers are
>>>> usually pretty much the same, I never really see much of a "Solved" reply.
>>>>
>>>> I upgraded from version 4.58, where I saw maybe 3 or 4 timeouts, to 4.71,
>>>> and saw an immediate increase to around 100-300 timeouts. I ran all of the
>>>> --debug and --debug-sa flavors of help I could think of. I reviewed the
>>>> logs. I run a caching nameserver. And I zeroed out some RBL scores. I still
>>>> have yet to find why this happens. I eventually upgraded to 4.72, and
>>>> started using clamd. I still get the large numbers of timeouts. I would
>>>> think that the fact that this doesn't happen with all of my large batches
>>>> indicates I'm not using any dead RBLs.
>>>>
>>>> I'm still exploring the causes, but haven't had much luck. I find it odd
>>>> that SA would really keep RBLs that have expired over time in their default
>>>> files, so I really don't think it's that. I do all of my checking of RBLs in
>>>> SA. I always do my configuration and language upgrades, and search for
>>>> rpmnew and rpmsave files. This has happened on 3 different but very similar
>>>> servers that I run.
>>>>
>>>> I'm not really asking for assistance here, but just wanted to let others
>>>> who are seeing this problem to be aware that there is something unique
>>>> triggering this.
>>>> I'm fairly confident that it is not happening at all sites,
>>>> but something here is causing it. It may not even be related to MS/SA, but
>>>> totally something else.
>>>>
>>>> The most I could ask for is a small checklist of what to ensure I have
>>>> set. Every time I try to use the debug procedures, the tests perform
>>>> flawlessly with no errors. It is very sporadic. We receive those normal
>>>> bursts of spam, but for the most part, the batches are small. The average
>>>> amount of email per day is usually around 10k emails, but I get the above
>>>> stated 100-300 timeouts. I'm going to try and match batch numbers to
>>>> timeouts and see if this will reveal anything. I only run 3 Children on a
>>>> fairly hefty Dell PowerEdge, but I do use 30 messages per child. I don't
>>>> think this is excessive though.
>>>>
>>>> Hope everyone has a Happy Holiday.
>>>>
>>> What is the machine?
>>>
>>>
>> The machines are all Dell PowerEdge servers. There are three servers
>> involved. Two are well equipped. One is just used as an interface for our
>> webmail users. Not a lot going through it.
>>
>>> Did you check the optimization section of the MAQ page on the wiki?
>>>
>> No, I haven't, but I will. I have reviewed it before, but will look to see
>> if anything has changed or been added.
>>
>>> When running --debug --debug-sa, don't you find anything that is a bit
>>> slow?
>>>
>> Nothing at all.
>>
>> I would think that if something were causing these that were DNS or RBL
>> related, it would show for most all of the batches, not just random batches.
>> So I am guessing it is either network clutter or something else. I just
>> don't know yet. But still, there is the situation where this all started to
>> happen after an upgrade. I'm going to review in the upgraded conf files and
>> see if I've missed something.
>>
>> I have reduced the number of children on all machines from 5 to 3. This has
>> reduced the total of timeouts - which sort of points to machine capacity.
I >> only use 10 messages per batch. The main machines have 1 GB of RAM. The >> actual number of emails going through MS is quite low; around 10K, but I >> have quite a large access file, and the number of emails getting to the >> machines are closer to 25k+. >> >> >> Thanks for the thoughts and ideas. I'll keep digging and maybe find >> something. >> >> steve >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> >> > > > Steve > > 1GB ram is pretty minimal for SA...depends what third party rules you > got, but I'd consider increasing ram. > > I presume you've got a local caching nameserver and you've dropped > most of the RBL's by giving them a zero score. Also trying using > opendns as your forward query servers which can operate lot quicker > than alot of ISP's DNS. > > Martin, I see in 'top' that I am very thin on RAM at times, but it still doesn't definitively explain the randomness of the timeouts. We run our own DNS servers, and I use a caching nameserver on each server. We also use OpenDNS for certain purposes, but not mailserver instances. I guess the problem is more about the randomness. I don't think the upgrade of MS would have caused such a large difference. I was running SA 3 before and after the upgrade, so there shouldn't have been a large increase there. Now there could have been a big difference in the way SA was acting, but I'm not aware (ignorant is probably a better adjective for my knowledge) of any great changes. I am aware of the .cf file I can view to discover the RBLs that SA uses, so I could start zeroing out a lot of those. Does anyone, though, have a recommendation for what should be used (non-zero entries) as a general rule? Thanks From gmcgreevy at pwr-sys.com Fri Jan 2 19:25:27 2009 
From: gmcgreevy at pwr-sys.com (Greg J. McGreevy)
Date: Fri Jan 2 19:30:38 2009
Subject: ERROR: The "envelope_sender_header"inyourspam.assassin.prefs.conf
References: <567221C09601934AA5CE9762FDA09A5001C3CB@EXCHTEMP.biz.pwr-sys.com><495D1845.7030509@vanderkooij.org><567221C09601934AA5CE9762FDA09A5001C3CD@EXCHTEMP.biz.pwr-sys.com><223f97700901011425s7029c66bh30e11336c32b105c@mail.gmail.com><567221C09601934AA5CE9762FDA09A5001C3CE@EXCHTEMP.biz.pwr-sys.com>
Message-ID: <567221C09601934AA5CE9762FDA09A5001C3D3@EXCHTEMP.biz.pwr-sys.com>

Fixed it, it was a typo. Thanks for the response.

Greg

________________________________

From: mailscanner-bounces@lists.mailscanner.info on behalf of Kai Schaetzl
Sent: Fri 1/2/2009 5:31 AM
To: mailscanner@lists.mailscanner.info
Subject: Re: ERROR: The "envelope_sender_header"inyourspam.assassin.prefs.conf

Greg J. McGreevy wrote on Thu, 1 Jan 2009 19:08:44 -0500:

> I did still getting the error

1. it would be nice if you could change to a *readable* quoting format
2. it would be nice if you could be more verbose

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From mark at msapiro.net Sat Jan 3 01:14:13 2009
From: mark at msapiro.net (Mark Sapiro)
Date: Sat Jan 3 01:14:31 2009
Subject: How to ignore some recipients in a SpamAssassin Rule Actions ruleset
Message-ID:

I have searched the list archives and the documentation wiki and haven't found an answer.

In MailScanner.conf I have

SpamAssassin Rule Actions = %rules-dir%/spamassassin_rule_actions.rules

In spamassassin_rule_actions.rules, what is the proper way to specify a null action for some recipient. I have

FromOrTo: default SA_RULE_NAME=>action_list

and that works fine. I want to exempt a recipient from these actions. I know for example that I could put

To: user@example.com ZZZ_BOGUS_RULE=>action

Where ZZZ_BOGUS_RULE is a non-existent rule, but that seems somewhat kludgey.

The usual "yes" or "no" don't seem appropriate here as they aren't the kind of values that are expected for SpamAssassin Rule Actions.

I found through experiment that

To: user@example.com ""

seems to work as does

To: user@example.com SA_RULE_NAME=>

and

To: user@example.com SA_RULE_NAME

but

To: user@example.com ,

doesn't work.

Is there a "correct" or a preferred way to do what I want?

--
Mark Sapiro
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan

From ugob at lubik.ca Sat Jan 3 02:34:05 2009
From: ugob at lubik.ca (Ugo Bellavance) Date: Sat Jan 3 02:34:32 2009 Subject: Spamassassin timeouts - Just an observation In-Reply-To: <495E5C78.7040805@cnpapers.com> References: <49510578.6050801@cnpapers.com> <495E1DBF.3090602@cnpapers.com> <72cf361e0901020705h79fad4c8x9dc440faa83fcd2f@mail.gmail.com> <495E5C78.7040805@cnpapers.com> Message-ID: Steve Campbell wrote: > > > Martin Hepworth wrote: >> 2009/1/2 Steve Campbell : >> >>> Just got back from the holidays, so my reply is a little overdue. >>> >>> Ugo Bellavance wrote: >>> >>>> Steve Campbell wrote: >>>> >>>>> The topic seems to come up quite often, and although the answers are >>>>> usually pretty much the same, I never really see much of a "Solved" >>>>> reply. >>>>> >>>>> I upgraded from version 4.58, where I saw maybe 3 or 4 timeouts, to >>>>> 4.71, >>>>> and saw an immediate increase to around 100-300 timeouts. I ran all >>>>> of the >>>>> --debug and --debug-sa flavors of help I could think of. I reviewed >>>>> the >>>>> logs. I run a caching nameserver. And I zeroed out some RBL scores. >>>>> I still >>>>> have yet to find why this happens. I eventually upgraded to 4.72, and >>>>> started using clamd. I still get the large numbers of timeouts. I >>>>> would >>>>> think that the fact that this doesn't happen with all of my large >>>>> batches >>>>> indicates I'm not using any dead RBLs. >>>>> >>>>> I'm still exploring the causes, but haven't had much luck. I find >>>>> it odd >>>>> that SA would really keep RBLs that have expired over time in their >>>>> default >>>>> files, so I really don't think it's that. I do all of my checking >>>>> of RBLs in >>>>> SA. I always do my configuration and language upgrades, and search for >>>>> rpmnew and rpmsave files. This has happened on 3 different but very >>>>> similar >>>>> servers that I run. 
>>>>> >>>>> I'm not really asking for assistance here, but just wanted to let >>>>> others >>>>> who are seeing this problem to be aware that there is something >>>>> unique >>>>> triggering this. I'm fairly confident that it is not happening at >>>>> all sites, >>>>> but something here is causing it. It may not even be related to >>>>> MS/SA, but >>>>> totally something else. >>>>> >>>>> The most I could ask for is a small checklist of what to ensure I have >>>>> set. Every time I try to use the debug procedures, the tests perform >>>>> flawlessly with no errors. It is very sporadic. We receive those >>>>> normal >>>>> bursts of spam, but for the most part, the batches ares small. The >>>>> average >>>>> amount of email per day is usually around 10k emails, but I get the >>>>> above >>>>> stated 100-300 timeouts. I'm going to try and match batch numbers to >>>>> timeouts and see if this will reveal anything. I only run 3 >>>>> Children on a >>>>> fairly hefty Dell PowerEdge, but I do use 30 messages per child. I >>>>> don't >>>>> think this is excessive thought. >>>>> >>>>> Hope everyone has a Happy Holiday. >>>>> >>>> What is the machine? >>>> >>>> >>> The machines are all Dell PowerEdge servers. There are three servers >>> involved. Two are well equipped. One is just used as an interface for >>> our >>> webmail users. Not a lot going through it. >>> >>>> Did you check the optimization section of the MAQ page on the wiki? >>>> >>> No, I haven't, but I will. I have reviewed it before, but will look >>> to see >>> if anything has changed or been added. >>> >>>> When running --debug --debug-sa, don't you find anything that is a bit >>>> slow? >>>> >>> Nothing at all. >>> >>> I would think that if something were causing these that were DNS or RBL >>> related, it would show for most all of the batches, not just random >>> batches. >>> So I am guessing it is either network clutter or something else. I just >>> don't know yet. 
But still, there is the situation where this all >>> started to >>> happen after an upgrade. I'm going to review in the upgraded conf >>> files and >>> see if I've missed something. >>> >>> I have reduced the number of children on all machines from 5 to 3. >>> This has >>> reduced the total of timeouts - which sort of points to machine >>> capacity. I >>> only use 10 messages per batch. The main machines have 1 GB of RAM. The >>> actual number of emails going through MS is quite low; around 10K, but I >>> have quite a large access file, and the number of emails getting to the >>> machines are closer to 25k+. >>> >>> >>> Thanks for the thoughts and ideas. I'll keep digging and maybe find >>> something. >>> >>> steve >>> >>> -- >>> MailScanner mailing list >>> mailscanner@lists.mailscanner.info >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>> >>> Before posting, read http://wiki.mailscanner.info/posting >>> >>> Support MailScanner development - buy the book off the website! >>> >>> >> >> >> Steve >> >> 1GB ram is pretty minimal for SA...depends what third party rules you >> got, but I'd consider increasing ram. >> >> I presume you've got a local caching nameserver and you've dropped >> most of the RBL's by giving them a zero score. Also trying using >> opendns as your forward query servers which can operate lot quicker >> than alot of ISP's DNS. >> >> > > Martin, > > I see in 'top' that I am very thin on RAM at times, but it still doesn't > definitively explain the randomness of the timeouts. We run our own DNS > servers, and I use a caching nameserver on each server. We also use > OpenDNS for certain purposes, but not mailserver instances. > > I guess the problem is more about the randomness. I don't think the > upgrade of MS would have caused such a large difference. I was running > SA 3 before and after the upgrade, so there shouldn't have been a large > increase there. 
Now there could have been a big difference in the way
> SA was acting, but I'm not aware (ignorant is probably a better
> adjective for my knowledge) of any great changes.

Well, the randomness can be simply caused by swapping. For some reason, a system loads a little more in RAM than what your RAM can take, and it starts swapping. As Martin said, 1 G is minimal for a MailScanner/SA/AV system. Increasing your batch sizes to 30 may also help. But the first thing I'd do is add another GB of ram.

From alex at rtpty.com Sat Jan 3 05:28:00 2009
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Sat Jan 3 05:28:14 2009
Subject: Spamassassin timeouts - Just an observation
In-Reply-To:
References: <49510578.6050801@cnpapers.com> <495E1DBF.3090602@cnpapers.com> <72cf361e0901020705h79fad4c8x9dc440faa83fcd2f@mail.gmail.com> <495E5C78.7040805@cnpapers.com>
Message-ID:

Although newer versions of postfix segfault instead of swap! ;-)

On Jan 2, 2009, at 9:34 PM, Ugo Bellavance wrote:

> Well, the randomness can be simply caused by swapping

From MailScanner at ecs.soton.ac.uk Sat Jan 3 10:53:29 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Jan 3 10:53:45 2009
Subject: How to ignore some recipients in a SpamAssassin Rule Actions ruleset
In-Reply-To:
References:
Message-ID: <495F43A9.9080307@ecs.soton.ac.uk>

As the default value for the setting is just blank, all you have to do is give blank as the value for the address.

So the line just needs to read

To: user@example.com

That's all there is to it.

Jules.

On 3/1/09 01:14, Mark Sapiro wrote:
> I have searched the list archives and the documentation wiki and
> haven't found an answer.
>
> In MailScanner.conf I have
>
> SpamAssassin Rule Actions = %rules-dir%/spamassassin_rule_actions.rules
>
> In spamassassin_rule_actions.rules, what is the proper way to specify a
> null action for some recipient. I have
>
> FromOrTo: default SA_RULE_NAME=>action_list
>
> and that works fine. I want to exempt a recipient from these actions. I
> know for example that I could put
>
> To: user@example.com ZZZ_BOGUS_RULE=>action
>
> Where ZZZ_BOGUS_RULE is a non-existent rule, but that seems somewhat
> kludgey.
>
> The usual "yes" or "no" don't seem appropriate here as they aren't the
> kind of values that are expected for SpamAssassin Rule Actions.
>
> I found through experiment that
>
> To: user@example.com ""
>
> seems to work as does
>
> To: user@example.com SA_RULE_NAME=>
>
> and
>
> To: user@example.com SA_RULE_NAME
>
> but
>
> To: user@example.com ,
>
> doesn't work.
>
> Is there a "correct" or a preferred way to do what I want?
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
From MailScanner at ecs.soton.ac.uk Sat Jan 3 11:13:10 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Jan 3 11:13:28 2009
Subject: MailScanner ANNOUNCE: Stable release 4.74.12
Message-ID: <495F4846.8020207@ecs.soton.ac.uk>

I have just released the first version for 2009, 4.74.

The main fix this time is that all the symlink vulnerabilities have been fixed, though you were only ever vulnerable to these problems if you let users interactively login (using ssh, for example) to your MailScanner servers. If you restrict logins to system admins and other trusted users, you would never have had a problem anyway.

Other than that, the SpamAssassin Rule Actions have been improved slightly, in that the "header" action can now contain the magic word "_TO_" which will be replaced by a list of all the original message recipients, very useful if you don't deliver the message but instead forward it to someone else for checking.

TNEF had been upgraded to 1.4.5.

Download as usual from www.mailscanner.info.

The full Change Log is this:

* New Features and Improvements *
1 Patch added to ClamAV & SpamAssassin easy-to-install package to make
  Mail::ClamAV Perl module handle ClamAV 0.94 correctly. Thanks to Steve
  Barber for telling me about this fix.
7 Upgraded to tnef 1.4.5.
9 The Spam Actions and its pals may now contain the "header" action with the
  special keyword "_TO_" anywhere in the header value. This will be replaced
  by a comma-separated list of the original recipients of the message. I
  wrote this for when I divert a message to the postmaster when it's detected
  as spam, for example. Then you can put
    Spam Actions = store forward postmaster@ecs.soton.ac.uk header "X-ECS-Recips-were: Sent to _TO_"
  I don't always want to include the list of recipients in the headers, as
  others object to their privacy being violated by everyone receiving the
  full list of recipients, so I can't use the "Add Envelope To Header". I
  *only* want to add this information to spam messages, so I know to whom
  they were originally addressed.
11 Another check to ensure it doesn't chmod /tmp on misconfigured systems.

* Fixes *
2 Major work on removing symlink attack vulnerabilities affecting
  -autoupdate lock files. Note: This vulnerability only affected systems
  where normal interactive users could log in to the system, or create
  arbitrary symlinks in your filesystem. So the ISP-style setups were never
  vulnerable, as they didn't allow normal users to login or allow people to
  arbitrarily create symlinks in the filesystem.
2 Removed symlink attack vulnerabilities in SpamAssassin and tnef handlers.
6-2 Re-release to fix filesize problems.
7-2 Added missing "use" statement to WorkArea.pm.
7-3 Added missing tnef to Other Unix tarball distribution. Linux
  distributions unchanged.
8 Minor fix in handling of complicated "SpamAssassin Rule Actions".
10 Fixes for Locks creation bugs from Jeff Earickson. Non-RPM distribution
  should work rather better now.
12 Tiny (but important) fix to mcafee-autoupdate so that it will work
  properly.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info

From Timo.Jacobs at partners.de Sat Jan 3 12:04:36 2009
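The 4.74 release announcement above fixes symlink attacks on lock files in places where a local user can create symlinks. As an added illustration (not MailScanner's code and not part of the announcement; the function names and the lock-file name are hypothetical), the sketch below shows the general class of bug on a POSIX system: a lock file opened the naive way follows a planted symlink and overwrites its target, while an open using `O_EXCL` and `O_NOFOLLOW` refuses it.

```python
import os
import stat
import tempfile


def naive_lock(path):
    """Vulnerable pattern: open() follows a symlink planted at `path`
    and truncates whatever file it points to."""
    with open(path, "w") as fh:
        fh.write(f"{os.getpid()}\n")


def safe_lock(path):
    """Create or reopen a lock file without ever following a symlink.

    O_EXCL makes creation fail if anything (even a dangling symlink)
    already exists at `path`. The fallback reopen uses O_NOFOLLOW, which
    fails on a symlink, and nothing is written until fstat() confirms a
    regular, singly-linked file owned by this process's user.
    Returns an open file descriptor; the caller closes it.
    """
    flags = os.O_WRONLY | os.O_NOFOLLOW
    try:
        fd = os.open(path, flags | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        # Something is already there. If it vanished in the meantime this
        # raises FileNotFoundError and the caller can simply retry.
        fd = os.open(path, flags)
    st = os.fstat(fd)
    if (not stat.S_ISREG(st.st_mode)
            or st.st_uid != os.geteuid()
            or st.st_nlink != 1):
        os.close(fd)
        raise PermissionError(f"refusing suspicious lock file: {path}")
    os.ftruncate(fd, 0)
    os.write(fd, f"{os.getpid()}\n".encode())
    return fd


def _read(path):
    with open(path) as fh:
        return fh.read()


def demo():
    """Constructed scenario: a symlink named like a lock file points at a
    file that the lock-taking process is able to write."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "important.conf")
        lock = os.path.join(d, "example-autoupdate.lock")  # hypothetical name
        with open(victim, "w") as fh:
            fh.write("keep me\n")
        os.symlink(victim, lock)  # what a hostile local user would plant

        # Hardened open: refuses the symlink, target untouched.
        try:
            os.close(safe_lock(lock))
            results["safe_refused"] = False
        except OSError:
            results["safe_refused"] = True
        results["victim_after_safe"] = _read(victim)

        # Naive open: follows the symlink and clobbers the target.
        naive_lock(lock)
        results["victim_after_naive"] = _read(victim)

        # With the symlink gone, the hardened open creates a real file.
        os.unlink(lock)
        os.close(safe_lock(lock))
        results["lock_is_regular"] = stat.S_ISREG(os.lstat(lock).st_mode)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Keeping lock files in a directory that only the service account can write to removes the exposure altogether, which matches the announcement's note that hosts without untrusted local users were not affected.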
From: Timo.Jacobs at partners.de (Timo.Jacobs@partners.de)
Date: Sat Jan 3 12:04:48 2009
Subject: Timo Jacobs is out of the office.
Message-ID:

I will be out of the office starting 29.12.2008 and will not return until 05.01.2009.

I will respond to your message when I return. In urgent cases please contact Mr. Timo A. Schmidt (timo.schmidt@partners.de)

Partners Software GmbH / Zum Alten Speicher 11 / 28759 Bremen / Registered under HRB Bremen 14440 / Managing directors: Wolfgang Brinker and Kai Hannemann / Telephone 0049 (0)421 66945-0

From gmcgreevy at pwr-sys.com Sat Jan 3 16:16:22 2009
From: gmcgreevy at pwr-sys.com (Greg J. McGreevy)
Date: Sat Jan 3 16:22:51 2009
Subject: MailScanner --lint error
Message-ID: <567221C09601934AA5CE9762FDA09A5001C3D7@EXCHTEMP.biz.pwr-sys.com>

I am getting the following error when I run the test

Cannot match against destination IP address when resolving configuration option "dangerscan" at /usr/lib/MailScanner/MailScanner/Config.pm line 532

Don't know if this is bad or not but I would like to fix it.

Thanks,
Greg

From maillists at conactive.com Sat Jan 3 17:55:20 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Sat Jan 3 17:55:35 2009
Subject: MailScanner --lint error
In-Reply-To: <567221C09601934AA5CE9762FDA09A5001C3D7@EXCHTEMP.biz.pwr-sys.com>
References: <567221C09601934AA5CE9762FDA09A5001C3D7@EXCHTEMP.biz.pwr-sys.com>
Message-ID:

Greg J. McGreevy wrote on Sat, 3 Jan 2009 11:16:22 -0500:

> Cannot match against destination IP address when resolving configuration
> option "dangerscan" at /usr/lib/MailScanner/MailScanner/Config.pm
> line 532

I would assume that refers to the "Dangerous Content Scanning" option and that you changed that option to point to a rules file and in doing so added a linebreak or other error, so that this option gets crippled to "dangerscan".

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From mark at msapiro.net Sat Jan 3 19:12:32 2009
From: mark at msapiro.net (Mark Sapiro)
Date: Sat Jan 3 19:12:41 2009
Subject: How to ignore some recipients in a SpamAssassin Rule Actions ruleset
In-Reply-To: <495F43A9.9080307@ecs.soton.ac.uk>
References: <495F43A9.9080307@ecs.soton.ac.uk>
Message-ID: <20090103191232.GA896@msapiro>

On Sat, Jan 03, 2009 at 10:53:29AM +0000, Julian Field wrote:
> As the default value for the setting is just blank, all you have to do
> is give blank as the value for the address.
>
> So the line just needs to read
> To: user@example.com
>
> That's all there is to it.

I've tried that. More specifically, I've tried

To:user@example.com
To:user@example.com
and
To:user@example.com

where and are the respective characters, and none of those override the default rule action.

> Jules.
>
> On 3/1/09 01:14, Mark Sapiro wrote:
> >I have searched the list archives and the documentation wiki and
> >haven't found an answer.
> >
> >In MailScanner.conf I have
> >
> >SpamAssassin Rule Actions = %rules-dir%/spamassassin_rule_actions.rules
> >
> >In spamassassin_rule_actions.rules, what is the proper way to specify a
> >null action for some recipient. I have
> >
> >FromOrTo: default SA_RULE_NAME=>action_list
> >
> >and that works fine. I want to exempt a recipient from these actions. I
> >know for example that I could put
> >
> >To: user@example.com ZZZ_BOGUS_RULE=>action
> >
> >Where ZZZ_BOGUS_RULE is a non-existent rule, but that seems somewhat
> >kludgey.
> >
> >The usual "yes" or "no" don't seem appropriate here as they aren't the
> >kind of values that are expected for SpamAssassin Rule Actions.
> >
> >I found through experiment that
> >
> >To: user@example.com ""
> >
> >seems to work as does
> >
> >To: user@example.com SA_RULE_NAME=>
> >
> >and
> >
> >To: user@example.com SA_RULE_NAME
> >
> >but
> >
> >To: user@example.com ,
> >
> >doesn't work.
> >
> >Is there a "correct" or a preferred way to do what I want?
> >
>
> Jules

--
Mark Sapiro mark at msapiro net
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan

From MailScanner at ecs.soton.ac.uk Sat Jan 3 19:29:50 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Jan 3 19:30:18 2009
Subject: MailScanner --lint error
In-Reply-To: <567221C09601934AA5CE9762FDA09A5001C3D7@EXCHTEMP.biz.pwr-sys.com>
References: <567221C09601934AA5CE9762FDA09A5001C3D7@EXCHTEMP.biz.pwr-sys.com>
Message-ID: <495FBCAE.60204@ecs.soton.ac.uk>

On 3/1/09 16:16, Greg J. McGreevy wrote:
> I am getting the following error when I run the test
> Cannot match against destination IP address

Due to the way that email is delivered by a mail server, you don't know the exact destination IP address until you're actually in the process of delivering the message. So you can't match against a destination IP address in a rule. So all rules that say

To: 123.123.123.123 yes

or anything similar are impossible to implement. It's not a restriction in what MailScanner can do, you really don't know the destination IP address until the message has been delivered. By which time it's too late.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

From MailScanner at ecs.soton.ac.uk Sat Jan 3 19:30:55 2009
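The lint message quoted in this thread names the configuration option and a line in Config.pm, but not the offending line of the rules file. As an added example (not MailScanner code and not from the messages above), this checker lists `To:` rules whose pattern is an IP address, the case Julian Field's explanation above describes. The `#` comment syntax, the `and` compound form, and the prefix and CIDR pattern styles are assumptions about the ruleset format, and the sample rules are constructed.

```python
import re

# Patterns that look like an IPv4 address, a leading-octets prefix such as
# "192.168." or CIDR notation. Only the full-address form appears in the
# thread; the other two styles are assumed here.
IP_LIKE = re.compile(r"^\d{1,3}\.(\d{1,3}\.?){0,3}(/\d{1,2})?$")


def find_destination_ip_rules(ruleset_text):
    """Return (line_number, pattern, line) for every 'To:' condition whose
    pattern is an IP address.

    Each line is scanned token by token, so a 'To:' condition is found
    whether it stands alone or follows an 'and' in a compound rule
    (assumed syntax), and whether or not a space follows the colon.
    'From:' conditions are left alone: the sending IP is known at scan time.
    """
    findings = []
    for lineno, raw in enumerate(ruleset_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # assumed: '#' starts a comment
        if not line:
            continue
        tokens = line.split()
        for i, tok in enumerate(tokens):
            if not tok.lower().startswith("to:"):
                continue  # skips From:, FromOrTo:, values, 'and'
            # Pattern is glued to the keyword ("To:1.2.3.4") or the next token.
            pattern = tok[3:]
            if not pattern and i + 1 < len(tokens):
                pattern = tokens[i + 1]
            if IP_LIKE.match(pattern):
                findings.append((lineno, pattern, raw.strip()))
    return findings


# Constructed sample rules file (not taken from the thread).
SAMPLE_RULESET = "\n".join([
    "# constructed sample rules file",
    "From:      192.168.          no",
    "To:        123.123.123.123   yes",
    "To:        user@example.com  no",
    "From: 10.0.0.0/8 and To: 10.1.2.3 no",
    "FromOrTo:  default           yes",
])


if __name__ == "__main__":
    for lineno, pattern, line in find_destination_ip_rules(SAMPLE_RULESET):
        print(f"line {lineno}: destination IP pattern {pattern!r} in: {line}")
```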
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Jan 3 19:31:26 2009
Subject: How to ignore some recipients in a SpamAssassin Rule Actions ruleset
In-Reply-To: <20090103191232.GA896@msapiro>
References: <495F43A9.9080307@ecs.soton.ac.uk> <20090103191232.GA896@msapiro>
Message-ID: <495FBCEF.3000806@ecs.soton.ac.uk>

On 3/1/09 19:12, Mark Sapiro wrote:
> On Sat, Jan 03, 2009 at 10:53:29AM +0000, Julian Field wrote:
>
>> As the default value for the setting is just blank, all you have to do
>> is give blank as the value for the address.
>>
>> So the line just needs to read
>> To: user@example.com
>>
>> That's all there is to it.
>>
>
> I've tried that. More specifically, I've tried
>
> To:user@example.com
> To:user@example.com
> and
> To:user@example.com
>
> where and are the respective characters, and none of those override the default rule action.
>

Ah, hmmm...... the and thing is irrelevant. Put in a rule name that doesn't exist and it will work fine. I swear it worked for me.

>> Jules.
>>
>> On 3/1/09 01:14, Mark Sapiro wrote:
>>
>>> I have searched the list archives and the documentation wiki and
>>> haven't found an answer.
>>>
>>> In MailScanner.conf I have
>>>
>>> SpamAssassin Rule Actions = %rules-dir%/spamassassin_rule_actions.rules
>>>
>>> In spamassassin_rule_actions.rules, what is the proper way to specify a
>>> null action for some recipient. I have
>>>
>>> FromOrTo: default SA_RULE_NAME=>action_list
>>>
>>> and that works fine. I want to exempt a recipient from these actions. I
>>> know for example that I could put
>>>
>>> To: user@example.com ZZZ_BOGUS_RULE=>action
>>>
>>> Where ZZZ_BOGUS_RULE is a non-existent rule, but that seems somewhat
>>> kludgey.
>>>
>>> The usual "yes" or "no" don't seem appropriate here as they aren't the
>>> kind of values that are expected for SpamAssassin Rule Actions.
>>>
>>> I found through experiment that
>>>
>>> To: user@example.com ""
>>>
>>> seems to work as does
>>>
>>> To: user@example.com SA_RULE_NAME=>
>>>
>>> and
>>>
>>> To: user@example.com SA_RULE_NAME
>>>
>>> but
>>>
>>> To: user@example.com ,
>>>
>>> doesn't work.
>>>
>>> Is there a "correct" or a preferred way to do what I want?
>>>
>> Jules

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info

From gmcgreevy at pwr-sys.com Sat Jan 3 22:23:57 2009
From: gmcgreevy at pwr-sys.com (Greg J. McGreevy)
Date: Sat Jan 3 22:28:46 2009
Subject: MailScanner --lint error
References: <567221C09601934AA5CE9762FDA09A5001C3D7@EXCHTEMP.biz.pwr-sys.com> <495FBCAE.60204@ecs.soton.ac.uk>
Message-ID: <567221C09601934AA5CE9762FDA09A5001C3D9@EXCHTEMP.biz.pwr-sys.com>

Thanks Julian, everyone has been very helpful here. I do however have some additional questions. I need to fine tune the spamassassin/MailScanner to catch more SPAM; it does not seem like it is catching very much. Everything is installed with defaults; any step by step tuning is appreciated. Also I went here http://corebsd.com/node/6 for the Mailwatch install for the Quarantine release info (which made sense to me) but the entries I added brought me back here with the errors described earlier. I have since removed them.

Thanks Again,
Greg

________________________________

From: mailscanner-bounces@lists.mailscanner.info on behalf of Julian Field
Sent: Sat 1/3/2009 2:29 PM
To: MailScanner discussion
Subject: Re: MailScanner --lint error

On 3/1/09 16:16, Greg J. McGreevy wrote:
> I am getting the following error when I run the test
> Cannot match against destination IP address

Due to the way that email is delivered by a mail server, you don't know the exact destination IP address until you're actually in the process of delivering the message. So you can't match against a destination IP address in a rule. So all rules that say

To: 123.123.123.123 yes

or anything similar are impossible to implement. It's not a restriction in what MailScanner can do, you really don't know the destination IP address until the message has been delivered. By which time it's too late.

Jules

From MailScanner at ecs.soton.ac.uk Sun Jan 4 09:38:42 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Jan 4 09:39:12 2009
Subject: MailScanner --lint error
In-Reply-To: <567221C09601934AA5CE9762FDA09A5001C3D9@EXCHTEMP.biz.pwr-sys.com>
References: <567221C09601934AA5CE9762FDA09A5001C3D7@EXCHTEMP.biz.pwr-sys.com> <495FBCAE.60204@ecs.soton.ac.uk> <567221C09601934AA5CE9762FDA09A5001C3D9@EXCHTEMP.biz.pwr-sys.com>
Message-ID: <496083A2.2090909@ecs.soton.ac.uk>

Back in about July 2007, I posted a HOWTO which you may find helps you, as a lot of it is still quite valid. It had HOWTO in the subject line, and will be in the list archive.

On 3/1/09 22:23, Greg J. McGreevy wrote:
> Thanks Julian everyone has been very helpful here. I do however have some additional questions I need to fine tune the spamassassin/MailScanner to catch more SPAM it does not seem like it is catching very much. everything is installed with defaults any step by step tuning is appreciated. Also I went here http://corebsd.com/node/6 for the Mailwatch install for the Quarantine release info (which made sense to me) but the entries I added brought me back here with the errors described earlier. I have since removed them.
>
> Thanks Again,
> Greg
>
> ________________________________
>
> From: mailscanner-bounces@lists.mailscanner.info on behalf of Julian Field
> Sent: Sat 1/3/2009 2:29 PM
> To: MailScanner discussion
> Subject: Re: MailScanner --lint error
>
> On 3/1/09 16:16, Greg J. McGreevy wrote:
>
>> I am getting the following error when I run the test
>> Cannot match against destination IP address
>>
> Due to the way that email is delivered by a mail server, you don't know
> the exact destination IP address until you're actually in the process of
> delivering the message. So you can't match against a destination IP
> address in a rule. So all rules that say
> To: 123.123.123.123 yes
> or anything similar are impossible to implement. It's not a restriction
> in what MailScanner can do, you really don't know the destination IP
> address until the message has been delivered. By which time it's too late.
>
> Jules

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From traced at xpear.de Sun Jan 4 13:13:29 2009
From: traced at xpear.de (traced)
Date: Sun Jan 4 13:13:41 2009
Subject: Unused domains für spam testing
Message-ID: <4960B5F9.5060608@xpear.de>

Hi guys,
has someone of you unused domains, getting spam?
I've got a strange problem... I'm getting not enough spam for my
tests on different anti-spam strategies... ;)

If you have such domains, that are not used anymore, I would
be happy some of your spam :-) The mails are not read by me,
just handled by scripts.

Regards,
Bastian

From gmcgreevy at pwr-sys.com Sun Jan 4 16:36:01 2009
From: gmcgreevy at pwr-sys.com (Greg J. McGreevy)
Date: Sun Jan 4 16:40:51 2009
Subject: MailScanner --lint error
References: <567221C09601934AA5CE9762FDA09A5001C3D7@EXCHTEMP.biz.pwr-sys.com> <495FBCAE.60204@ecs.soton.ac.uk> <567221C09601934AA5CE9762FDA09A5001C3D9@EXCHTEMP.biz.pwr-sys.com> <496083A2.2090909@ecs.soton.ac.uk>
Message-ID: <567221C09601934AA5CE9762FDA09A5001C3DA@EXCHTEMP.biz.pwr-sys.com>

You mean this one?

http://article.gmane.org/gmane.mail.virus.mailscanner/54241/match=how-to

What do you have your score set to for Mailscanner? Mine is currently set to 6 and 10 (defaults I guess). Most of the stuff I am seeing is hitting 1.5 to 3 for the SA score (all Spam). Should I set these lower or tune Spamassassin to get a higher score? I am looking for a good start to finish tuning plan for everything that will get the majority of Spam caught (Quarantined). I am ok with some false positives. Right now it is not doing a very good job catching anything. I need to get this tuned ASAP and would be willing to pay someone to tweak things a bit to get this working.

Thanks,
Greg

From maillists at conactive.com Sun Jan 4 18:31:19 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Sun Jan 4 18:31:36 2009
Subject: MailScanner --lint error
In-Reply-To: <567221C09601934AA5CE9762FDA09A5001C3DA@EXCHTEMP.biz.pwr-sys.com>
References: <567221C09601934AA5CE9762FDA09A5001C3D7@EXCHTEMP.biz.pwr-sys.com> <495FBCAE.60204@ecs.soton.ac.uk> <567221C09601934AA5CE9762FDA09A5001C3D9@EXCHTEMP.biz.pwr-sys.com> <496083A2.2090909@ecs.soton.ac.uk> <567221C09601934AA5CE9762FDA09A5001C3DA@EXCHTEMP.biz.pwr-sys.com>
Message-ID:

Greg J. McGreevy wrote on Sun, 4 Jan 2009 11:36:01 -0500:

> What do you have your score set to for Mailscanner mine is currently
> set to 6 and 10 (defaults I guess) most of the stuff I am seeing is
> hitting 1.5 to 3 for the SA score (all Spam) should I set these lower
> or tune Spamassassin to get a higher score?

You want to tune SA and train your Bayes.
-> http://spamassassin.apache.org/
-> http://wiki.apache.org/spamassassin/FrequentlyAskedQuestions
-> http://wiki.apache.org/spamassassin/

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From MailScanner at ecs.soton.ac.uk Sun Jan 4 18:45:07 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Jan 4 18:45:27 2009
Subject: MailScanner --lint error
In-Reply-To: <567221C09601934AA5CE9762FDA09A5001C3DA@EXCHTEMP.biz.pwr-sys.com>
References: <567221C09601934AA5CE9762FDA09A5001C3D7@EXCHTEMP.biz.pwr-sys.com> <495FBCAE.60204@ecs.soton.ac.uk> <567221C09601934AA5CE9762FDA09A5001C3D9@EXCHTEMP.biz.pwr-sys.com> <496083A2.2090909@ecs.soton.ac.uk> <567221C09601934AA5CE9762FDA09A5001C3DA@EXCHTEMP.biz.pwr-sys.com>
Message-ID: <496103B3.2060600@ecs.soton.ac.uk>

On 4/1/09 16:36, Greg J. McGreevy wrote:
> you mean this one?
>
> http://article.gmane.org/gmane.mail.virus.mailscanner/54241/match=how-to
>
Yes, that's the one.

> What do you have your score set to for Mailscanner mine is currently set to 6 and 10 (defaults I guess)
Yes, that's pretty much what I use. 6 certainly, I think my high score might be 9, but users can tweak it.

> most of the stuff I am seeing is hitting 1.5 to 3 for the SA score (all Spam) should I set these lower or tune Spamassassin to get a higher score?
Tune SA to get a higher score. Don't lower the 6 much or you'll start getting a lot of false positives.

> I am looking for a good start to finish tuning plan for everything that will get the majority of Spam caught (Quarantined) I am ok with some false positives. Right now it is not doing a very good job catching anything. I need to get this tuned ASAP and would be willing to pay someone to tweak things a bit to get this working
>
What sort of spam is getting through?
I stop most of my own stuff these days with BarricadeMX (www.fsl.com) which is a brilliant product, and actually very cheap once you take into account the amount of hardware investment it will save you. It has saved us a lot of cash, and my users love it.

Also, take a look at my anti-spear-phishing posting from a few days ago (it was a thread about Happy New Year which morphed somewhat :) as I've got that problem pretty much cracked now too.

Jules.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

From maxsec at gmail.com Sun Jan 4 20:13:41 2009
From: maxsec at gmail.com (Martin Hepworth)
Date: Sun Jan 4 20:13:50 2009
Subject: MailScanner --lint error
In-Reply-To: <567221C09601934AA5CE9762FDA09A5001C3DA@EXCHTEMP.biz.pwr-sys.com>
References: <567221C09601934AA5CE9762FDA09A5001C3D7@EXCHTEMP.biz.pwr-sys.com> <495FBCAE.60204@ecs.soton.ac.uk> <567221C09601934AA5CE9762FDA09A5001C3D9@EXCHTEMP.biz.pwr-sys.com> <496083A2.2090909@ecs.soton.ac.uk> <567221C09601934AA5CE9762FDA09A5001C3DA@EXCHTEMP.biz.pwr-sys.com>
Message-ID: <72cf361e0901041213g512c4b70x84c3ad8ebeec55fc@mail.gmail.com>

2009/1/4 Greg J. McGreevy :
> you mean this one?
>
> http://article.gmane.org/gmane.mail.virus.mailscanner/54241/match=how-to
>
> What do you have your score set to for Mailscanner mine is currently set to 6 and 10 (defaults I guess) most of the stuff I am seeing is hitting 1.5 to 3 for the SA score (all Spam) should I set these lower or tune Spamassassin to get a higher score? I am looking for a good start to finish tuning plan for everything that will get the majority of Spam caught (Quarantined) I am ok with some false positives. Right now it is not doing a very good job catching anything. I need to get this tuned ASAP and would be willing to pay someone to tweak things a bit to get this working
>
> Thanks,
> Greg

Greg have a look at the MailScanner wiki and specifically the section on "Getting the most out of Spamassassin". It mentions several ways to improve scores for known spam.

--
Martin Hepworth
Oxford, UK

From rich at mail.wvnet.edu Sun Jan 4 22:21:14 2009
From: rich at mail.wvnet.edu (Richard Lynch)
Date: Sun Jan 4 22:21:23 2009
Subject: Barracude BRBL ??
Message-ID: <4961365A.9080106@mail.wvnet.edu>

I just recently heard about this service being offered for free by
Barracuda Networks. See...

http://www.linux.com/feature/155880

Has anyone else tried this in combination with MailScanner and SA and
perhaps BarricadeMX? Any comments pro or con?

Thanks.

Richard Lynch
WVNET

From traced at xpear.de Sun Jan 4 22:54:21 2009
From: traced at xpear.de (traced)
Date: Sun Jan 4 22:54:32 2009
Subject: Barracude BRBL ??
In-Reply-To: <4961365A.9080106@mail.wvnet.edu>
References: <4961365A.9080106@mail.wvnet.edu>
Message-ID: <49613E1D.6020101@xpear.de>

Richard Lynch wrote:
>
> I just recently heard about this service being offered for free by
> Barracuda Networks. See...
>
> http://www.linux.com/feature/155880
>
> Has anyone else tried this in combination with MailScanner and SA and
> perhaps BarricadeMX? Any comments pro or con?
>
> Thanks.
>
> Richard Lynch
> WVNET

Hi Richard,
read the comments under http://www.linux.com/feature/155880 there are so many
things that seem to be negative. I will not use it.

Regards,
Bastian

From alex at rtpty.com Sun Jan 4 23:44:46 2009
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Sun Jan 4 23:45:00 2009
Subject: Re: Unused domains für spam testing
In-Reply-To: <4960B5F9.5060608@xpear.de>
References: <4960B5F9.5060608@xpear.de>
Message-ID: <345017BD-717E-4126-9B70-06D5094D7C5E@rtpty.com>

You could set one up by using a DNS subdomain. Grab one from http://freedns.afraid.org and point MX records at your server. Go to several misconfigured websites and put in spamtrap addresses, send a few messages out to newsgroups and subscribe to porn spam.

Just my 2c, while you wait for others to help.

On Jan 4, 2009, at 8:13 AM, traced wrote:

> Hi guys,
> has someone of you unused domains, getting spam?
> I've got a strange problem... I'm getting not enough spam for my
> tests on different anti-spam strategies... ;)
>
> If you have such domains, that are not used anymore, I would
> be happy some of your spam :-) The mails are not read by me,
> just handled by scripts.
>
> Regards,
> Bastian

From alex at rtpty.com Sun Jan 4 23:46:34 2009
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Sun Jan 4 23:46:48 2009
Subject: Barracude BRBL ??
In-Reply-To: <49613E1D.6020101@xpear.de>
References: <4961365A.9080106@mail.wvnet.edu> <49613E1D.6020101@xpear.de>
Message-ID: <5E9CB4C2-F21E-42F9-900D-AE0AE83FF02C@rtpty.com>

Seems to be working quite well for me at several sites, with barely any false positives (which is strange for Barracuda).

On Jan 4, 2009, at 5:54 PM, traced wrote:

> read the comments under http://www.linux.com/feature/155880 there
> are so many things that seem to be negative. I will not use it.

From traced at xpear.de Sun Jan 4 23:58:20 2009
From: traced at xpear.de (traced)
Date: Sun Jan 4 23:58:30 2009
Subject: Unused domains für spam testing
In-Reply-To: <345017BD-717E-4126-9B70-06D5094D7C5E@rtpty.com>
References: <4960B5F9.5060608@xpear.de> <345017BD-717E-4126-9B70-06D5094D7C5E@rtpty.com>
Message-ID: <49614D1C.4000809@xpear.de>

Alex Neuman van der Hans wrote:
> You could set one up by using a DNS subdomain. Grab one from
> http://freedns.afraid.org and point MX records at your server. Go to
> several misconfigured websites and put in spamtrap addresses, send a few
> messages out to newsgroups and subscribe to porn spam.
>
> Just my 2c, while you wait for others to help.

Hi,
I have two dedicated domains for that, that's not the problem. The only thing is, that I don't get enough spam on these domains, I tried so much, even casino newsletters, unsubscribing on porn spams etc...

From dstraka at caspercollege.edu Mon Jan 5 00:18:40 2009
From: dstraka at caspercollege.edu (Daniel Straka)
Date: Mon Jan 5 00:19:09 2009
Subject: Barracude BRBL ??
Message-ID: <4960EF7002000000000334D2@gw.caspercollege.edu>

Richard,
I've been using the BRBL for a few months now. No false positives reported yet, however it rarely picks up any SPAM that spamcop.net and spamhaus-ZEN haven't already picked up. But every little bit helps.

Dan

>>> Richard Lynch 01/04/09 3:21 PM >>>

I just recently heard about this service being offered for free by Barracuda Networks. See...

http://www.linux.com/feature/155880

Has anyone else tried this in combination with MailScanner and SA and perhaps BarricadeMX? Any comments pro or con?

Thanks.

Richard Lynch
WVNET

From david at bass.net.au Mon Jan 5 04:50:04 2009
From: david at bass.net.au (David Lee)
Date: Mon Jan 5 04:50:18 2009
Subject: MailScanner not running on FreeBSD v6.4
Message-ID: <4961917C.3050703@bass.net.au>

Hi All,

I am currently attempting to install MailScanner (v4.67.6) on a FreeBSD 6.4 server via the ports system. However, when I try and start MailScanner I just get a whole bunch of processes.

When starting MailScanner in debug mode I get the following results:

# mailscanner --debug --debug-sa
In Debugging mode, not forking...
Trying to setlogsock(unix)

*****
If 'awk' (with support for the function strftime) was available on your
$PATH then all the SpamAssassin debug output would have the current time
added to the start of every line, making debugging far easier.
*****

SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
Fatal error 'Recurse on a private mutex.' at line 986 in file /usr/src/lib/libpthread/thread/thr_mutex.c (errno = 0)
Abort trap: 6

While I could find references to this problem on the internet, I could not find a solution.

Anyone have any ideas what could be the problem?

--
David

From spamtrap71892316634 at anime.net Mon Jan 5 06:33:59 2009
From: spamtrap71892316634 at anime.net (Dan Hollis)
Date: Mon Jan 5 06:34:12 2009
Subject: Barracude BRBL ??
In-Reply-To: <49613E1D.6020101@xpear.de>
References: <4961365A.9080106@mail.wvnet.edu> <49613E1D.6020101@xpear.de>
Message-ID:

same tired old complaints you get from ANY rbl.

"oh i got blocked and i swear our open relays didn't send any spam"
"the BLs are just a huge global conspiracy to hold me down"
etc etc

On Sun, 4 Jan 2009, traced wrote:

> Hi Richard,
> read the comments under http://www.linux.com/feature/155880 there are so many
> things that seem to be negative. I will not use it.
>
> Regards,
> Bastian

From hvdkooij at vanderkooij.org Mon Jan 5 07:06:42 2009
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Mon Jan 5 07:06:52 2009
Subject: Barracude BRBL ??
In-Reply-To: <4961365A.9080106@mail.wvnet.edu>
References: <4961365A.9080106@mail.wvnet.edu>
Message-ID: <4961B182.9030702@vanderkooij.org>

Richard Lynch wrote:
>
> I just recently heard about this service being offered for free by
> Barracuda Networks. See...
>
> http://www.linux.com/feature/155880
>
> Has anyone else tried this in combination with MailScanner and SA and
> perhaps BarricadeMX? Any comments pro or con?

It seems most of the false positives are now taken care of. In fact the only ones being bothered by them are Barracuda users who are not configuring their box right. For example not excluding your backup MX server(s) will result in a high noise to signal ratio from these boxes. So unless you properly point out that they are in fact backup MX servers they may make it to the RBL.

You can get them off really easy the first time. Just make sure you explain why it is there.

It seems a little bit less accurate than the MAPS RBL (Trend Micro ERS) but not enough to keep paying Trend Micro.

Hugo.

From jonas at vrt.dk Mon Jan 5 10:00:30 2009
From: jonas at vrt.dk (Jonas Akrouh Larsen)
Date: Mon Jan 5 10:00:41 2009
Subject: MailScanner and Symantec Endpoint Protection / Symantec Antivirus
Message-ID: <009001c96f1c$714710e0$53d532a0$@dk>

Hi all

Happy New year.

I recently got the option of deploying Symantec Endpoint Protection on my scanners.

It seems what the license gives you the right to do, is install the older Symantec antivirus 10 for Linux.

This seems to go pretty smooth, it even comes with deb's and rpm's.

However as far as I can tell MailScanner does not have antivirus support for this version?

There seems to be something called css and symscanengine, but it doesn't look like that's the version I got.

My version has 2 daemon processes (symcfgd and rtvscand) and it has a cmdline scanner called sav.

Does anybody use MailScanner with Symantec products?

Does anybody know if the "normal" Symantec version (it's my impression SEP/version 10 are the most used version of Symantec's products) will work with MailScanner?

From andrew.colin at gmail.com Mon Jan 5 11:00:43 2009
From: andrew.colin at gmail.com (andrew colin)
Date: Mon Jan 5 11:00:53 2009
Subject: Sanesecurity signatures are no longer being updated or distributed
In-Reply-To: <49481827.8000708@sanesecurity.com>
References: <4945A182.2050505@qustodium.net> <4947CA0D.8080809@nerc.ac.uk> <49481827.8000708@sanesecurity.com>
Message-ID: <31da51d50901050300l2e6b03e5na11caa4a72b7ab3d@mail.gmail.com>

196.35.158.184 is the internet solutions caching server in SA, so your records are for multiple users sitting behind a transparent proxy.

On Tue, Dec 16, 2008 at 11:05 PM, Steve Basford wrote:
>
>
> Greg Matthews wrote:
>>
>> Anyone know if Sane Security are submitting signatures direct to ClamAV? I
>> understand that many of their signatures would make their way into the
>> official Clam updates.
>
> Sanesecurity signatures aren't being added into the ClamAV official
> signatures... they are totally third-party sigs.
>
>> Sounds like a P2P distribution mech may have helped here.
>>
> Well, I've just managed to find a little time to do a little log checking,
> now that the round-robin php script was turned off..
> Checking the log for today:
>
> In other words, if people downloaded the sigs every hour, each ip should
> only have 24 hits....as you can see, the above ips are WAY over that.
> Checking the log in detail... it's seems people are setting the download
> scripts to download every second.... all adding up to: 45,554 hits an hour,
> add the fact that 45,554 hits would run a php script... guess that's why the
> cpu usage was so high on a shared server and then got suspended.
>
> Signature Note:
>
> People have decided to mirror the last version of the public signatures:
>
> 1. The signatures were removed and a placeholder signature added, so that
> hopefully people would quickly notice that their scripts needed to be
> changed...
> as the server is still getting hammered by wget/curl requests
> (approx 45,554 hits per hour)
>
> 2. NO SUPPORT will be given on these unofficially mirrored signatures, in
> fact these mirrored signatures are already out of date, some false positives
> have already been corrected and new signatures have already been added to my
> private version of the signatures.
>
> Hope that helps,
>
> Steve
> Sanesecurity

--
"Dru"

To follow the path, look to the master, follow the master, walk with the master, see through the master, become the master. (zen)

http://www.topdog.za.net/

From support-lists at petdoctors.co.uk Mon Jan 5 11:59:14 2009
From: support-lists at petdoctors.co.uk (Nigel Kendrick) Date: Mon Jan 5 11:59:23 2009 Subject: Spamassassin timeouts - Just an observation In-Reply-To: References: <49510578.6050801@cnpapers.com> <495E1DBF.3090602@cnpapers.com> <72cf361e0901020705h79fad4c8x9dc440faa83fcd2f@mail.gmail.com><495E5C78.7040805@cnpapers.com> Message-ID: I'm also coming in a bit late on this one, but I too noticed recently that my mail servers were experiencing more timeouts and were eating up a lot of CPU time and RAM, so that swapping had shot up. When I had a look at the issue, I noticed (in htop) that all the MailScanner processes were waiting for Spamassassin almost all the time and when I dug further, I found that ORDB had turned up again in MailScanner.conf. Now, I am pretty sure I removed ORDB from 'Spam list' on all my servers when it went offline, so is there any chance an update put it back in and then, more recently, ORDB has just stopped responding (rather than FPing everything)? If the above is not the case then I am just going completely mad - but at least MailScanner is behaving again. From dgottsc at emory.edu Mon Jan 5 15:35:25 2009 From: dgottsc at emory.edu (Gottschalk, David) Date: Mon Jan 5 15:35:35 2009 Subject: Anti-phishing -- was Re: OT: Happy New Year In-Reply-To: <495BFF17.5060705@ecs.soton.ac.uk> References: <495BFF17.5060705@ecs.soton.ac.uk> Message-ID: Julian, Thanks for posting this! This has been a huge problem over the last 6 months for the University I work at. I spend a lot of my time combating this problem. The feed of email addresses will be great for preventing accounts from being compromised. We've tried several ways to be pro-active in stopping the phishing, but this seems like one of the best ways to stop the problem. How does one go about submitting addresses to the project? I could probably provide a few each week with the rate we receive them at. Thanks. David Gottschalk Emory University UTS Email Team -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: Wednesday, December 31, 2008 6:24 PM To: MailScanner discussion Subject: Anti-phishing -- was Re: OT: Happy New Year On 31/12/08 22:54, Kevin Miller wrote: > Just a quick note to wish everyone a Happy (and spam free) New Year, > especially Jules. Your hard work and giving spirit has certainly made > the past year much nicer for all of us... > Many thanks! You might be interested I've been doing a bit of work with the Google-hosted project "anti-phishing-email-reply" which you can find here: http://code.google.com/p/anti-phishing-email-reply/ My aim was to create a trap for all those nasty spear-phishing attacks and those endless "Temporary job offer" spams that some of you will get. I have created a little script (which is pretty obvious, source code is given below) which just generates a list of addresses based on what's in their file. I add that to my own list of known troublesome addresses, which can have "*" wildcards in them, so you can do things like michael loucas * @ gmail . com (extra spaces added to stop my stuff picking up that address and killing this message). I then generate a bunch of SpamAssassin rules from that which detect any of these few thousand addresses appearing anywhere in a message, with lots of safeguards to protect against false alarms. It also compacts them into only a hundred or two rules, instead of having 1 SpamAssassin rule for each address! I then use SpamAssassin Rule Actions to do this: SpamAssassin Rule Actions = ECS_MAIL_ACCESS=>store,not-deliver,forward postmaster@ecs.soton.ac.uk,header "X-ECS-Mail-Access: was to _TO_" This lot fires whenever any of my SpamAssassin rules fires. 
It
1) Adds a header "X-ECS-Mail-Access:" containing the list of original recipient addresses,
2) Stores a copy of the message
3) Stops delivery to the original recipients
4) Sends a copy to postmaster, where I have a Sieve rule firing on the presence of the "X-ECS-Mail-Access:" header to store it in a folder without cluttering up postmaster's inbox.

My script, that builds all the SpamAssassin rules, works from a YP/NIS map called "mail.access" which contains each email address from the google list and my list in the first word of a line, looking like this

bad@domain.com REJECT
nasty@false.bank.com REJECT

I sort it so that the regular expressions created are more optimal for Perl, so it can apply them faster to each message.

My script that builds all the SpamAssassin rules is attached.

My script that reads the google list and creates the YP/NIS map from it is simply this:

#!/bin/sh
echo Fetching phishing addresses...
rm -f /tmp/$$.blocks
/usr/local/bin/wget -O /tmp/$$.blocks http://anti-phishing-email-reply.googlecode.com/svn/trunk/phishing_reply_addresses >/dev/null 2>&1
echo Read `grep -v '^#' /tmp/$$.blocks | wc -l` addresses

if [ -f /tmp/$$.blocks ]; then
  sed -e 's/^#.*$//' < /tmp/$$.blocks | \
  cut -d, -f1 | \
  sort | \
  uniq | \
  grep -v '^$' | \
  awk '{ printf("%s\tREJECT\n",$1); }' > /opt/yp/etc/mail.access.anti-phishing
  rm -f /tmp/$$.blocks
  cd /opt/yp;
  ./ypmake;
fi

The "ypcat -k mail.access" command at the start of Build.Phishing.Rules basically reads my list in addition to the contents of the file /opt/yp/etc/mail.access.anti-phishing mentioned in the code above, so you can easily convert it to just use a temporary file and do all of this lot on the same server. If you aren't using YP/NIS then you obviously won't need the "ypmake" command either.

I hope this is of some use to some of you. It traps "Temporary job offer" spams and spear-phishing attacks very well indeed.
Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. This e-mail message (including any attachments) is for the sole use of the intended recipient(s) and may contain confidential and privileged information. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this message (including any attachments) is strictly prohibited. If you have received this message in error, please contact the sender by reply e-mail message and destroy all copies of the original message (including attachments). From MailScanner at ecs.soton.ac.uk Mon Jan 5 16:27:40 2009 
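The rule-building step described in the message above (a few thousand listed addresses, "*" wildcards, compacted into a hundred or two SpamAssassin rules) can be sketched as follows. This is an added example and is not the attached Build.Phishing.Rules script, which the archive does not include; only the map layout and the rule name ECS_MAIL_ACCESS come from the post, while the sub-rule names, the boundary checks, the 0.1 score and the pairing of body with header ALL rules are assumptions.

```python
import re

WILDCARD = r"[\w.+-]*"            # what "*" in a listed address may stand for
LEFT = r"(?<![\w.+-])"            # not in the middle of a longer local part
RIGHT = r"(?![\w-]|\.\w)"         # not the start of a longer domain name


def parse_map(text):
    """Yield (local, domain) from 'address<whitespace>REJECT' map lines."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        local, at, domain = fields[0].lower().rpartition("@")
        if at and local and domain and "@" not in local:
            yield local, domain          # anything else is not an address


def to_regex(part):
    """Quote one half of an address for a Perl regex, expanding '*'."""
    out = []
    for ch in part:
        if ch == "*":
            out.append(WILDCARD)
        elif ch.isalnum() or ch == "_":
            out.append(ch)
        else:
            out.append("\\" + ch)        # quotes '.', '-', '/' and the like
    return "".join(out)


def build_patterns(pairs, per_rule=50):
    """Sort by domain, then emit one alternation per `per_rule` addresses."""
    addrs = sorted(set(pairs), key=lambda p: (p[1], p[0]))
    patterns = []
    for i in range(0, len(addrs), per_rule):
        by_domain = {}                   # share each domain across its users
        for local, domain in addrs[i:i + per_rule]:
            by_domain.setdefault(domain, []).append(to_regex(local))
        alts = []
        for domain, users in by_domain.items():
            head = users[0] if len(users) == 1 else "(?:" + "|".join(users) + ")"
            alts.append(head + r"\@" + to_regex(domain))
        patterns.append(LEFT + "(?:" + "|".join(alts) + ")" + RIGHT)
    return patterns


def render_rules(patterns, meta="ECS_MAIL_ACCESS", prefix="__PHISH_ADDR"):
    """Render SpamAssassin config: body and header sub-rules plus one meta rule."""
    if not patterns:
        return ""
    lines, names = [], []
    for n, pat in enumerate(patterns, 1):
        body, hdr = f"{prefix}_B{n:03d}", f"{prefix}_H{n:03d}"  # hypothetical names
        lines.append(f"body   {body} /{pat}/i")
        lines.append(f"header {hdr} ALL =~ /{pat}/i")
        names += [body, hdr]
    lines.append(f"meta     {meta} ({' || '.join(names)})")
    lines.append(f"describe {meta} Listed phishing reply address found")
    lines.append(f"score    {meta} 0.1")   # assumed; the post gives no score
    return "\n".join(lines) + "\n"


def hits(patterns, message):
    """Check a message the way the generated /.../i rules would."""
    return any(re.search(p, message, re.I) for p in patterns)


# Constructed sample in the map layout shown in the post.
SAMPLE_MAP = """\
# comment lines and malformed entries are skipped
bad@domain.com\tREJECT
other@domain.com\tREJECT
nasty@false.bank.com\tREJECT
jobs*@example.org\tREJECT
not-an-address\tREJECT
"""

if __name__ == "__main__":
    print(render_rules(build_patterns(parse_map(SAMPLE_MAP), per_rule=3)), end="")
```

The two lookarounds are the false-alarm guards in this sketch: a listed address does not fire inside a longer local part or a longer domain, but still fires when followed by sentence punctuation.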
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jan 5 16:28:05 2009 Subject: Anti-phishing -- was Re: OT: Happy New Year In-Reply-To: References: <495BFF17.5060705@ecs.soton.ac.uk> Message-ID: <496234FC.3030803@ecs.soton.ac.uk> No problem. I don't know how you submit addresses to them, you'll have to find out who runs the project. I just use their results at the moment, together with my own list (which contains things like michaelloucas*@gmail.com which stops lots of "job opportunity" spams). On 5/1/09 15:35, Gottschalk, David wrote: > Julian, > Thanks for posting this! This has been a huge problem over the last 6 months for the University I work at. I spend a lot of my time combating this problem. The feed of email addresses will be great for preventing accounts from being compromised. We've tried several ways to be pro-active in stopping the phishing, but this seems like one of the best ways to stop the problem. How does one go about submitting addresses to the project? I could probably provide a few each week with the rate we receive them at. > > Thanks. > > David Gottschalk > Emory University > UTS Email Team > > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field > Sent: Wednesday, December 31, 2008 6:24 PM > To: MailScanner discussion > Subject: Anti-phishing -- was Re: OT: Happy New Year > > > > On 31/12/08 22:54, Kevin Miller wrote: > >> Just a quick note to wish everyone a Happy (and spam free) New Year, >> especially Jules. Your hard work and giving spirit has certainly made >> the past year much nicer for all of us... >> >> > Many thanks! > > You might be interested I've been doing a bit of work with the Google-hosted project "anti-phishing-email-reply" which you can find here: > http://code.google.com/p/anti-phishing-email-reply/ > > My aim was to create a trap for all those nasty spear-phishing attacks and those endless "Temporary job offer" spams that some of you will get. > > I have created a little script (which is pretty obvious, source code is given below) which just generates a list of addresses based on what's in their file. I add that to my own list of known troublesome addresses, which can have "*" wildcards in them, so you can do things like michael loucas * @ gmail . com (extra spaces added to stop my stuff picking up that address and killing this message). > > I then generate a bunch of SpamAssassin rules from that which detect any of these few thousand addresses appearing anywhere in a message, with lots of safeguards to protect against false alarms. It also compacts them into only a hundred or two rules, instead of having 1 SpamAssassin rule for each address! > > I then use SpamAssassin Rule Actions to do this: > SpamAssassin Rule Actions = ECS_MAIL_ACCESS=>store,not-deliver,forward > postmaster@ecs.soton.ac.uk,header "X-ECS-Mail-Access: was to _TO_" > > This lot fires whenever any of my SpamAssassin rules fires. 
It > 1) Adds a header "X-ECS-Mail-Access:" containing the list of original recipient addresses, > 2) Stores a copy of the message > 3) Stops delivery to the original recipients > 4) Sends a copy to postmaster, where I have a Sieve rule firing on the presence of the "X-ECS-Mail-Access:" header to store it in a folder without cluttering up postmaster's inbox. > > My script, that builds all the SpamAssassin rules, works from a YP/NIS map called "mail.access" which contains each email address from the google list and my list in the first word of a line, looking like this bad@domain.com REJECT nasty@false.bank.com REJECT I sort it so that the regular expressions created are more optimal for Perl, so it can apply them faster to each message. > > My script that builds all the SpamAssassin rules is attached. > > My script that reads the google list and creates the YP/NIS map from it is simply this: > > #!/bin/sh > echo Fetching phishing addresses... > rm -f /tmp/$$.blocks > /usr/local/bin/wget -O /tmp/$$.blocks > http://anti-phishing-email-reply.googlecode.com/svn/trunk/phishing_reply_addresses > >/dev/null 2>&1 > echo Read `grep -v '^#' /tmp/$$.blocks | wc -l` addresses > > if [ -f /tmp/$$.blocks ]; then > sed -e 's/^#.*$//'< /tmp/$$.blocks | \ > cut -d, -f1 | \ > sort | \ > uniq | \ > grep -v '^$' | \ > awk '{ printf("%s\tREJECT\n",$1); }'> /opt/yp/etc/mail.access.anti-phishing > rm -f /tmp/$$.blocks > cd /opt/yp; > ./ypmake; > fi > > The "ypcat -k mail.access" command at the start of Build.Phishing.Rules basically reads my list in addition to the contents of the file /opt/yp/etc/mail.access.anti-phishing mentioned in the code above, so you can easily convert it to just use a temporary file and do all of this lot on the same server. If you aren't using YP/NIS then you obviously won't need the "ypmake" command either. > > I hope this is of some use to some of you. It traps "Temporary job offer" spams and spear-phishing attacks very well indeed. 
> > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc > > > -- > This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. > > > This e-mail message (including any attachments) is for the sole use of > the intended recipient(s) and may contain confidential and privileged > information. If the reader of this message is not the intended > recipient, you are hereby notified that any dissemination, distribution > or copying of this message (including any attachments) is strictly > prohibited. > > If you have received this message in error, please contact > the sender by reply e-mail message and destroy all copies of the > original message (including attachments). > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From hvdkooij at vanderkooij.org Mon Jan 5 17:08:51 2009 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Mon Jan 5 17:09:05 2009 Subject: Unused domains für spam testing In-Reply-To: <49614D1C.4000809@xpear.de> References: <4960B5F9.5060608@xpear.de> <345017BD-717E-4126-9B70-06D5094D7C5E@rtpty.com> <49614D1C.4000809@xpear.de> Message-ID: <49623EA3.2040004@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 traced wrote: > > Alex Neuman van der Hans wrote: >> You could set one up by using a DNS subdomain. Grab one from >> http://freedns.afraid.org and point MX records at your server. Go to >> several misconfigured websites and put in spamtrap addresses, send a >> few messages out to newsgroups and subscribe to porn spam. >> >> Just my 2c, while you wait for others to help. > > Hi, I have two dedicated domains for that, that's not the problem. > The only thing is, that I don't get enough spam on these domains, > I tried so much, even casino newsletters, unsubscribing on porn > spams etc... The trick is to actually use them. Not just feed them to a few grinders. I find that having them on webpages and mailinglist archive pages is the best way to attract attention. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. I am not in the office at the moment. Send any work to be translated. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkliPqEACgkQBvzDRVjxmYEqYwCfWq2V1XKoAi7Qs5aUlCYX5qTJ Sw8An2avwVzs5lMro4qCH1ladc8HNVLy =q5w+ -----END PGP SIGNATURE----- From ssilva at sgvwater.com Mon Jan 5 18:10:43 2009 
From: ssilva at sgvwater.com (Scott Silva) Date: Mon Jan 5 18:11:12 2009 Subject: Timo Jacobs is out of the office. In-Reply-To: References: Message-ID: on 1-3-2009 4:04 AM Timo.Jacobs@partners.de spake the following: > I will be out of the office starting 29.12.2008 and will not return until > 05.01.2009. > > I will respond to your message when I return. > In urgent cases please contact Mr. Timo A. Schmidt > (timo.schmidt@partners.de) > > Partners Software GmbH / Zum Alten Speicher 11 / 28759 Bremen / Registered under HRB Bremen 14440 / Managing directors: Wolfgang Brinker and Kai Hannemann / Telephone 0049 (0)421 66945-0 Now that you are back, you need to fix your auto responder to stop spamming mailing lists, or send your list traffic to a different address. May I suggest reading through Gmane with a newsreader? -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Mon Jan 5 18:31:18 2009 
From: ssilva at sgvwater.com (Scott Silva) Date: Mon Jan 5 18:31:42 2009 Subject: Barracude BRBL ?? In-Reply-To: <4960EF7002000000000334D2@gw.caspercollege.edu> References: <4960EF7002000000000334D2@gw.caspercollege.edu> Message-ID: on 1-4-2009 4:18 PM Daniel Straka spake the following: > Richard, > > I've been using the BRBL for a few months now. No false positives reported yet, however it rarely picks up any SPAM that spamcop.net and spamhaus-ZEN haven't already picked up. But every little bit helps. > > Dan > Then it might be good for those of us that have been "outed" by spamhaus, but don't have enough traffic to justify paying for a feed. I will stick it in spamassassin with a low score for a month or two and see how it hits for me. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From traced at xpear.de Mon Jan 5 18:32:23 2009 
From: traced at xpear.de (traced@xpear.de) Date: Mon Jan 5 18:32:33 2009 Subject: Unused domains für spam testing In-Reply-To: <49623EA3.2040004@vanderkooij.org> References: <4960B5F9.5060608@xpear.de> <345017BD-717E-4126-9B70-06D5094D7C5E@rtpty.com> <49614D1C.4000809@xpear.de> <49623EA3.2040004@vanderkooij.org> Message-ID: <06b2cb0c32eca9ac8ff9b5d56c16a4a7@localhost> On Mon, 05 Jan 2009 18:08:51 +0100, Hugo van der Kooij wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > traced wrote: >> >> Alex Neuman van der Hans wrote: >>> You could set one up by using a DNS subdomain. Grab one from >>> http://freedns.afraid.org and point MX records at your server. Go to >>> several misconfigured websites and put in spamtrap addresses, send a >>> few messages out to newsgroups and subscribe to porn spam. >>> >>> Just my 2c, while you wait for others to help. >> >> Hi, I have two dedicated domains for that, that's not the problem. >> The only thing is, that I don't get enough spam on these domains, >> I tried so much, even casino newsletters, unsubscribing on porn >> spams etc... > > The trick is to actually use them. Not just feed them to a few grinders. > I find that having them on webpages and mailinglist archive pages is the > best way to attract attention. > > Hugo. Hmm.. like having them in a signature when posting in lists? Or using them for posting in lists? Bastian > From traced at xpear.de Mon Jan 5 18:37:36 2009 From: traced at xpear.de (traced@xpear.de) Date: Mon Jan 5 18:37:44 2009 Subject: totally OT: Mailing lists / reader program? Message-ID: Hi, just one little question; Are you reading lists with standard email progs like thunderbird, or are there other good programs, with better handling on the topics? Regards, Bastian From traced at xpear.de Mon Jan 5 18:38:54 2009 
From: traced at xpear.de (traced@xpear.de) Date: Mon Jan 5 18:39:08 2009 Subject: Barracude BRBL ?? In-Reply-To: References: <4960EF7002000000000334D2@gw.caspercollege.edu> Message-ID: <784960fe4bbb4f82a489b7173451ae92@localhost> On Mon, 05 Jan 2009 10:31:18 -0800, Scott Silva wrote: > I will stick it in spamassassin with a low score for a month or two and see > how it hits for me. > Are there ready to use rules in SA, or must they be written first? Bastian From ssilva at sgvwater.com Mon Jan 5 19:05:28 2009 From: ssilva at sgvwater.com (Scott Silva) Date: Mon Jan 5 19:05:49 2009 Subject: Barracude BRBL ?? In-Reply-To: <784960fe4bbb4f82a489b7173451ae92@localhost> References: <4960EF7002000000000334D2@gw.caspercollege.edu> <784960fe4bbb4f82a489b7173451ae92@localhost> Message-ID: on 1-5-2009 10:38 AM traced@xpear.de spake the following: > On Mon, 05 Jan 2009 10:31:18 -0800, Scott Silva > wrote: > >> I will stick it in spamassassin with a low score for a month or two and > see >> how it hits for me. >> > > Are there ready to use rules in SA, or must they be written first? > > Bastian

Just wrote a set. Took 5 minutes.

header RCVD_IN_BRBL eval:check_rbl('brbl', 'b.barracudacentral.org.')
describe RCVD_IN_BRBL Received via a relay in BRBL
tflags RCVD_IN_BRBL net
score RCVD_IN_BRBL 0 0.50 0 0.50

I got 2 hits in less than a minute of adding the rule.

Now to check if it FP's on our traffic.

-- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Mon Jan 5 19:09:42 2009 
From: ssilva at sgvwater.com (Scott Silva) Date: Mon Jan 5 19:10:11 2009 Subject: totally OT: Mailing lists / reader program? In-Reply-To: References: Message-ID: on 1-5-2009 10:37 AM traced@xpear.de spake the following: > Hi, just one little question; > Are you reading lists with standard email progs like thunderbird, > or are there other good programs, with better handling on the topics? > > Regards, > Bastian I am reading the lists with thunderbird, but through the newsfeeds at gmane.org. That way I never have to worry about bounces or spam detection on my end dropping something. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Mon Jan 5 19:08:12 2009 
From: ssilva at sgvwater.com (Scott Silva) Date: Mon Jan 5 19:15:12 2009 Subject: MailScanner and Symantec Endpoint Protection / Symantec Antivirus In-Reply-To: <009001c96f1c$714710e0$53d532a0$@dk> References: <009001c96f1c$714710e0$53d532a0$@dk> Message-ID: > > > Does anybody know if the "normal" Symantec version (it's my impression > SEP/version 10 are the most used version of Symantec's products) will > work with MailScanner? > In the past, Julian has added support for other scanners if you provide him with a fully licensed copy to use for testing and future devel. How you would do this under any corporate licensing is up to you, Symantec, and your legal department to figure out. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From traced at xpear.de Mon Jan 5 20:08:55 2009 
From: traced at xpear.de (traced) Date: Mon Jan 5 20:09:06 2009 Subject: Barracude BRBL ?? In-Reply-To: References: <4960EF7002000000000334D2@gw.caspercollege.edu> <784960fe4bbb4f82a489b7173451ae92@localhost> Message-ID: <496268D7.1090904@xpear.de> Scott Silva schrieb: > on 1-5-2009 10:38 AM traced@xpear.de spake the following: >> On Mon, 05 Jan 2009 10:31:18 -0800, Scott Silva >> wrote: >> >>> I will stick it in spamassassin with a low score for a month or two and >> see >>> how it hits for me. >>> >> Are there ready to use rules in SA, or must they be written first? >> >> Bastian > Just wrote a set. Took 5 minutes. > > > header RCVD_IN_BRBL eval:check_rbl('brbl', 'b.barracudacentral.org.') > describe RCVD_IN_BRBL Received via a relay in BRBL > tflags RCVD_IN_BRBL net > score RCVD_IN_BRBL 0 0.50 0 0.50 > > I got 2 hits in less than a minute of adding the rule. > > Now to check if it FP's on our traffic. > Nice, thank you! From ssilva at sgvwater.com Mon Jan 5 20:33:18 2009 
From: ssilva at sgvwater.com (Scott Silva) Date: Mon Jan 5 20:33:41 2009 Subject: Barracude BRBL ?? In-Reply-To: <496268D7.1090904@xpear.de> References: <4960EF7002000000000334D2@gw.caspercollege.edu> <784960fe4bbb4f82a489b7173451ae92@localhost> <496268D7.1090904@xpear.de> Message-ID: on 1-5-2009 12:08 PM traced spake the following: > > > Scott Silva wrote: >> on 1-5-2009 10:38 AM traced@xpear.de spake the following: >>> On Mon, 05 Jan 2009 10:31:18 -0800, Scott Silva >>> wrote: >>> >>>> I will stick it in spamassassin with a low score for a month or two and >>> see >>>> how it hits for me. >>>> >>> Are there ready to use rules in SA, or must they be written first? >>> >>> Bastian >> Just wrote a set. Took 5 minutes. >> >> >> header RCVD_IN_BRBL eval:check_rbl('brbl', >> 'b.barracudacentral.org.') >> describe RCVD_IN_BRBL Received via a relay in BRBL >> tflags RCVD_IN_BRBL net >> score RCVD_IN_BRBL 0 0.50 0 0.50 >> >> I got 2 hits in less than a minute of adding the rule. >> >> Now to check if it FP's on our traffic. >> > > Nice, thank you! I believe you have to register to use it. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From traced at xpear.de Mon Jan 5 20:43:20 2009 
From: traced at xpear.de (traced) Date: Mon Jan 5 20:43:31 2009 Subject: Barracude BRBL ?? In-Reply-To: References: <4960EF7002000000000334D2@gw.caspercollege.edu> <784960fe4bbb4f82a489b7173451ae92@localhost> <496268D7.1090904@xpear.de> Message-ID: <496270E8.405@xpear.de> Scott Silva schrieb: > on 1-5-2009 12:08 PM traced spake the following: >> >> Scott Silva schrieb: >>> on 1-5-2009 10:38 AM traced@xpear.de spake the following: >>>> On Mon, 05 Jan 2009 10:31:18 -0800, Scott Silva >>>> wrote: >>>> >>>>> I will stick it in spamassassin with a low score for a month or two and >>>> see >>>>> how it hits for me. >>>>> >>>> Are there ready to use rules in SA, or must they be written first? >>>> >>>> Bastian >>> Just wrote a set. Took 5 minutes. >>> >>> >>> header RCVD_IN_BRBL eval:check_rbl('brbl', >>> 'b.barracudacentral.org.') >>> describe RCVD_IN_BRBL Received via a relay in BRBL >>> tflags RCVD_IN_BRBL net >>> score RCVD_IN_BRBL 0 0.50 0 0.50 >>> >>> I got 2 hits in less than a minute of adding the rule. >>> >>> Now to check if it FP's on our traffic. >>> >> Nice, thank you! > I believe you have to register to use it. > > I did that today, very quick and with no problems. From alex at rtpty.com Mon Jan 5 20:45:40 2009 From: alex at rtpty.com (Alex Neuman van der Hans) Date: Mon Jan 5 20:46:00 2009 Subject: OT but somewhat relevant Message-ID: Could BIND be set up to query FROM several op addresses in a round robin fashion? how about with iptables? The reason I ask is that some multihomed sites with multiple ISP connections could then balance queries to RBLs to even out the traffic. From MailScanner at ecs.soton.ac.uk Mon Jan 5 20:47:41 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jan 5 20:48:07 2009 Subject: totally OT: Mailing lists / reader program? In-Reply-To: References: Message-ID: <496271ED.4030202@ecs.soton.ac.uk> I use Thunderbird too, because I prefer the raw list and like to read every post. But your alternatives include the newsgroup at Gmane (news readers are very mature applications as they have been around for so long), or even the RSS feed if you can find a thread-capable RSS reader you prefer. I find it quite handy for quickly flicking through the list on my iPhone. On 5/1/09 18:37, traced@xpear.de wrote: > Hi, just one little question; > Are you reading lists with standard email progs like thunderbird, > or are there other good programs, with better handling on the topics? > > Regards, > Bastian > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Mon Jan 5 20:54:05 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jan 5 20:54:25 2009 Subject: MailScanner and Symantec Endpoint Protection / Symantec Antivirus In-Reply-To: References: <009001c96f1c$714710e0$53d532a0$@dk> Message-ID: <4962736D.6000109@ecs.soton.ac.uk> On 5/1/09 19:08, Scott Silva wrote: > > >> >> >> Does anybody know if the "normal" Symantec version (it's my impression >> SEP/version 10 are the most used version of Symantec's products) will >> work with MailScanner? >> >> > > In the past, Julian has added support for other scanners if you provide him > with a fully licensed copy to use for testing and future devel. How you would > do this under any corporate licensing is up to you, Symantec, and your legal > department to figure out. > Yes, just get me a fully working licensed copy to develop from on my servers. It won't ever leave my systems, I've got a reputation to protect :) And a healthy donation would help quite a lot too! ;-) Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From traced at xpear.de Mon Jan 5 21:46:19 2009 
From: traced at xpear.de (traced) Date: Mon Jan 5 21:46:30 2009 Subject: Barracude BRBL ?? In-Reply-To: References: <4960EF7002000000000334D2@gw.caspercollege.edu> <784960fe4bbb4f82a489b7173451ae92@localhost> Message-ID: <49627FAB.708@xpear.de> Scott Silva schrieb: > on 1-5-2009 10:38 AM traced@xpear.de spake the following: >> On Mon, 05 Jan 2009 10:31:18 -0800, Scott Silva >> wrote: >> >>> I will stick it in spamassassin with a low score for a month or two and >> see >>> how it hits for me. >>> >> Are there ready to use rules in SA, or must they be written first? >> >> Bastian > Just wrote a set. Took 5 minutes. > > > header RCVD_IN_BRBL eval:check_rbl('brbl', 'b.barracudacentral.org.') > describe RCVD_IN_BRBL Received via a relay in BRBL > tflags RCVD_IN_BRBL net > score RCVD_IN_BRBL 0 0.50 0 0.50 > > I got 2 hits in less than a minute of adding the rule. > > Now to check if it FP's on our traffic. > Where in the Mailscanner setup did you insert this rule? In the spam.assassin.prefs.conf or did you write a dedicated file under /usr/share/spamassassin? Thanks, Bastian From ssilva at sgvwater.com Mon Jan 5 21:57:57 2009 
From: ssilva at sgvwater.com (Scott Silva) Date: Mon Jan 5 21:58:19 2009 Subject: Barracude BRBL ?? In-Reply-To: <49627FAB.708@xpear.de> References: <4960EF7002000000000334D2@gw.caspercollege.edu> <784960fe4bbb4f82a489b7173451ae92@localhost> <49627FAB.708@xpear.de> Message-ID: on 1-5-2009 1:46 PM traced spake the following: > Scott Silva wrote: >> on 1-5-2009 10:38 AM traced@xpear.de spake the following: >>> On Mon, 05 Jan 2009 10:31:18 -0800, Scott Silva >>> wrote: >>> >>>> I will stick it in spamassassin with a low score for a month or two and >>> see >>>> how it hits for me. >>>> >>> Are there ready to use rules in SA, or must they be written first? >>> >>> Bastian >> Just wrote a set. Took 5 minutes. >> >> >> header RCVD_IN_BRBL eval:check_rbl('brbl', >> 'b.barracudacentral.org.') >> describe RCVD_IN_BRBL Received via a relay in BRBL >> tflags RCVD_IN_BRBL net >> score RCVD_IN_BRBL 0 0.50 0 0.50 >> >> I got 2 hits in less than a minute of adding the rule. >> >> Now to check if it FP's on our traffic. >> > > Where in the Mailscanner setup did you insert this rule? In the > spam.assassin.prefs.conf or did you write a dedicated file under > /usr/share/spamassassin? > > Thanks, > Bastian I just stick them in spam.assassin.prefs.conf. I usually group all the custom rules near the end for consistency. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Mon Jan 5 22:00:45 2009 
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Jan 5 22:05:15 2009
Subject: OT but somewhat relevant
In-Reply-To:
References:
Message-ID:

on 1-5-2009 12:45 PM Alex Neuman van der Hans spake the following:
>
> Could BIND be set up to query FROM several IP addresses in a round robin
> fashion? How about with iptables?
>
> The reason I ask is that some multihomed sites with multiple ISP
> connections could then balance queries to RBLs to even out the traffic.
>

I suppose you could have a DNS name as a forwarder, and then have multiple A records for that name with a very short TTL. That might randomly toss things around some.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From steve.swaney at fsl.com Mon Jan 5 23:15:41 2009
From: steve.swaney at fsl.com (Stephen Swaney)
Date: Mon Jan 5 23:15:51 2009
Subject: Barracude BRBL ??
In-Reply-To:
References: <4960EF7002000000000334D2@gw.caspercollege.edu> <784960fe4bbb4f82a489b7173451ae92@localhost> <496268D7.1090904@xpear.de>
Message-ID: <057301c96f8b$874d7ef0$95e87cd0$@swaney@fsl.com>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> Sent: Monday, January 05, 2009 3:33 PM
> To: mailscanner@lists.mailscanner.info
> Subject: Re: Barracude BRBL ??
>

I discussed this thread with Steve Freegard before responding and we can only add that we've had similar experiences with the BRBL; it doesn't appear to catch anything extra that Spamhaus Zen, Spamcop or other tests / RBLs already catch - but as always YMMV and you should try it for yourself.

And as an aside, using a combination of free RBLs and the other BarricadeMX tests instead of purchasing a Spamhaus subscription gave us excellent results on our scanning service bureau gateways; results that were at least equivalent to purchasing the Spamhaus subscription. This setup could easily save money for larger sites since our Spamhaus subscription would have been more than the cost of BarricadeMX for our site.

And on a side note BarricadeMX 2.2 adds support for the Google phishing project (similar to what Julian has added to MailScanner; except rejections are done at the SMTP phase). It should be released late this week.

Best regards,

Steve

Steve Swaney
steve@fsl.com
www.fsl.com
Accurate and affordable anti-spam solutions

From maillists at conactive.com Mon Jan 5 23:31:17 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Mon Jan 5 23:31:27 2009
Subject: Barracude BRBL ??
In-Reply-To: <49627FAB.708@xpear.de>
References: <4960EF7002000000000334D2@gw.caspercollege.edu> <784960fe4bbb4f82a489b7173451ae92@localhost> <49627FAB.708@xpear.de>
Message-ID:

Traced wrote on Mon, 05 Jan 2009 22:46:19 +0100:

> Where in the Mailscanner setup did you insert this rule? In the
> spam.assassin.prefs.conf or did you write a dedicated file under
> /usr/share/spamassassin?

Not in any of these locations. Put all your own rules in your own file(s) named .conf and put them in /etc/mail/spamassassin. That way they won't ever get overwritten and are easily maintained.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From gmcgreevy at pwr-sys.com Tue Jan 6 03:44:22 2009
From: gmcgreevy at pwr-sys.com (Greg J. McGreevy)
Date: Tue Jan 6 03:49:17 2009
Subject: MailScanner --lint error
References: <567221C09601934AA5CE9762FDA09A5001C3D7@EXCHTEMP.biz.pwr-sys.com> <495FBCAE.60204@ecs.soton.ac.uk> <567221C09601934AA5CE9762FDA09A5001C3D9@EXCHTEMP.biz.pwr-sys.com> <496083A2.2090909@ecs.soton.ac.uk> <567221C09601934AA5CE9762FDA09A5001C3DA@EXCHTEMP.biz.pwr-sys.com> <72cf361e0901041213g512c4b70x84c3ad8ebeec55fc@mail.gmail.com>
Message-ID: <567221C09601934AA5CE9762FDA09A5001C3DE@EXCHTEMP.biz.pwr-sys.com>

Ok, more issues. I now have the following error when I run the test:

Syntax error(s) in configuration file: at /usr/lib/MailScanner/MailScanner/Config.pm line 1937
Unrecognised keyword "spamassassinprefsfile" at line 2789 at /usr/lib/MailScanner/MailScanner/Config.pm line 1940
Warning: syntax errors in /etc/MailScanner/MailScanner.conf. at /usr/lib/MailScanner/MailScanner/Config.pm line 1945

I added the list to the sa-update per your instructions but I have no idea how to tell if it is in fact working. Any insight on this would be helpful. Also, Rules du Jour does not appear to be present in my install so I skipped those steps. Is that correct?

Also, if I create a new user called spam and have all of my users forward their spam there to train Bayes, will that mess up the tests because they will be seen as all forwards?

I am kind of at my wit's end with this and about to throw in the towel. I need professional help and am willing to pay, yes that is correct, pay real money to get this tuned. Please respond with your contact info and I can arrange remote access to the server.

Thanks,
Greg

________________________________

From: mailscanner-bounces@lists.mailscanner.info on behalf of Martin Hepworth
Sent: Sun 1/4/2009 3:13 PM
To: MailScanner discussion
Subject: Re: MailScanner --lint error

2009/1/4 Greg J. McGreevy :
> you mean this one?
>
> http://article.gmane.org/gmane.mail.virus.mailscanner/54241/match=how-to
>
> What do you have your score set to for Mailscanner mine is currently set to 6 and 10 (defaults I guess) most of the stuff I am seeing is hitting 1.5 to 3 for the SA score (all Spam) should I set these lower or tune Spamassassin to get a higher score? I am looking for a good start to finish tuning plan for everything that will get the majority of Spam caught (Quarantined) I am ok with some false positives. Right now it is not doing a very good job catching anything. I need to get this tuned ASAP and would be willing to pay someone to tweak things a bit to get this working
>
>
> Thanks,
> Greg
>
> ________________________________
>
> From: mailscanner-bounces@lists.mailscanner.info on behalf of Julian Field
> Sent: Sun 1/4/2009 4:38 AM
> To: MailScanner discussion
> Subject: Re: MailScanner --lint error
>
>
>
> Back in about July 2007, I posted a HOWTO which you may find helps you,
> as a lot of it is still quite valid. It had HOWTO in the subject line,
> and will be in the list archive.
>
> On 3/1/09 22:23, Greg J. McGreevy wrote:
>> Thanks Julian everyone has been very helpful here. I do however have some additional questions I need to fine tune the spamassassin/MailScanner to catch more SPAM it does not seem like it is catching very much. everything is installed with defaults any step by step tuning is appreciated. Also I went here http://corebsd.com/node/6 for the Mailwatch install for the Quarantine release info (which made sense to me) but the entries I added brought me back here with the errors described earlier. I have since removed them.
>>
>> Thanks Again,
>> Greg
>>
>> ________________________________
>>
>> From: mailscanner-bounces@lists.mailscanner.info on behalf of Julian Field
>> Sent: Sat 1/3/2009 2:29 PM
>> To: MailScanner discussion
>> Subject: Re: MailScanner --lint error
>>
>>
>> On 3/1/09 16:16, Greg J. McGreevy wrote:
>>
>>> I am getting the following error when I run the test
>>> Cannot match against destination IP address
>>>
>> Due to the way that email is delivered by a mail server, you don't know
>> the exact destination IP address until you're actually in the process of
>> delivering the message. So you can't match against a destination IP
>> address in a rule. So all rules that say
>> To: 123.123.123.123 yes
>> or anything similar are impossible to implement. It's not a restriction
>> in what MailScanner can do, you really don't know the destination IP
>> address until the message has been delivered. By which time it's too late.
>>
>> Jules
>>
>> --
>> Julian Field MEng CITP CEng
>> www.MailScanner.info
>> Buy the MailScanner book at www.MailScanner.info/store
>>
>> MailScanner customisation, or any advanced system administration help?
>> Contact me at Jules@Jules.FM
>>
>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>> For all your IT requirements visit www.transtec.co.uk
>>
>>
>> --
>> This message has been scanned for viruses and
>> dangerous content by MailScanner, and is
>> believed to be clean.
>>
>> --
>> MailScanner mailing list
>> mailscanner@lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>
>>
>>
>
> Jules
>
> --
> Julian Field MEng CITP CEng
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> MailScanner customisation, or any advanced system administration help?
> Contact me at Jules@Jules.FM
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> For all your IT requirements visit www.transtec.co.uk
>
>

Greg have a look at the MailScanner wiki and specifically the section on "Getting the most out of Spamassassin". It mentions several ways to improve scores for known spam.

--
Martin Hepworth
Oxford, UK

From jonas at vrt.dk Tue Jan 6 09:05:27 2009
From: jonas at vrt.dk (Jonas Akrouh Larsen)
Date: Tue Jan 6 09:05:35 2009
Subject: Barracude BRBL ??
In-Reply-To:
References: <4960EF7002000000000334D2@gw.caspercollege.edu> <784960fe4bbb4f82a489b7173451ae92@localhost> <49627FAB.708@xpear.de>
Message-ID: <003501c96fdd$eafc7940$c0f56bc0$@dk>

Do note that if you do not use last-external in the rules it will check all IPs in the header, which on our systems caused A LOT of FPs.

If I remember correctly that was also the consensus on the SA list when the barracuda list was introduced a couple of months ago.

Our experience is that it caught A LOT of spam that spamhaus/sorbs etc does not.

So I definitely recommend it, but not with a terribly high score, and definitely not for use in an MTA.

Just my 5 cents.

Med venlig hilsen / Best regards

Jonas Akrouh Larsen

TechBiz ApS
Laplandsgade 4, 2. sal
2300 København S

Office: 7020 0979
Direct: 3336 9974
Mobile: 5120 1096
Fax: 7020 0978
Web: www.techbiz.dk

From maillists at conactive.com Tue Jan 6 10:31:20 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Tue Jan 6 10:31:37 2009
Subject: Barracude BRBL ??
In-Reply-To: <003501c96fdd$eafc7940$c0f56bc0$@dk>
References: <4960EF7002000000000334D2@gw.caspercollege.edu> <784960fe4bbb4f82a489b7173451ae92@localhost> <49627FAB.708@xpear.de> <003501c96fdd$eafc7940$c0f56bc0$@dk>
Message-ID:

you should reply to the original question you reply to and not hook on to an answer.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From btj at havleik.no Tue Jan 6 10:35:30 2009
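[Added example, not part of any list post: what the "last-external" point in Jonas Akrouh Larsen's message above means in practice, comparing a DNSBL check over every Received hop with a check of only the relay that handed the mail to our own servers. The sample message, host names, addresses, INTERNAL_NETS and the stub listing are constructed assumptions; in SpamAssassin the same restriction is selected by ending the rule's set name in "-lastexternal".]

```python
import ipaddress
import re
import socket
from email import message_from_string

BRBL_ZONE = "b.barracudacentral.org"  # zone used by the rule in the thread
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: our own relays

# Constructed message: a customer on a dynamic address submits mail through the
# ISP smarthost, which delivers to our MX, which passes it to the scanner.
SAMPLE = (
    "Received: from mx.ourdomain.example (mx.ourdomain.example [10.0.0.5])\n"
    "\tby scanner.ourdomain.example with ESMTP; Tue, 6 Jan 2009 09:00:05 +0000\n"
    "Received: from smtp.isp.example (smtp.isp.example [198.51.100.25])\n"
    "\tby mx.ourdomain.example with ESMTP; Tue, 6 Jan 2009 09:00:03 +0000\n"
    "Received: from laptop (dyn-77.pool.isp.example [203.0.113.77])\n"
    "\tby smtp.isp.example with ESMTPA; Tue, 6 Jan 2009 09:00:01 +0000\n"
    "From: user@isp.example\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# Constructed listing: only the dynamic client address is on the list.
CONSTRUCTED_LISTED = {"77.113.0.203." + BRBL_ZONE}

_IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ips(raw_message):
    """Connecting IPv4 address of each Received hop, newest hop first."""
    ips = []
    for header in message_from_string(raw_message).get_all("Received", []):
        match = _IP_IN_BRACKETS.search(header)
        if not match:
            continue
        try:
            ips.append(ipaddress.ip_address(match.group(1)))
        except ValueError:  # e.g. [999.1.1.1] in a forged header
            continue
    return ips


def is_internal(ip, internal_nets=INTERNAL_NETS):
    return any(ip in net for net in internal_nets)


def last_external(ips, internal_nets=INTERNAL_NETS):
    """First non-internal hop from the top: the host that handed the mail to us."""
    for ip in ips:
        if not is_internal(ip, internal_nets):
            return ip
    return None


def dnsbl_name(ip, zone=BRBL_ZONE):
    """DNSBL query name: reversed octets followed by the zone."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def dns_is_listed(qname):
    """Real lookup: a DNSBL answers with an address in 127.0.0.0/8 when listed."""
    try:
        return socket.gethostbyname(qname).startswith("127.")
    except socket.gaierror:
        return False


def stub_is_listed(qname):
    """Offline stand-in for dns_is_listed, backed by the constructed listing."""
    return qname in CONSTRUCTED_LISTED


def dnsbl_hits(raw_message, is_listed, last_external_only=True):
    """Addresses from the message that the list reports, under either policy."""
    hops = relay_ips(raw_message)
    if last_external_only:
        edge = last_external(hops)
        candidates = [edge] if edge is not None else []
    else:
        candidates = [ip for ip in hops if not is_internal(ip)]
    return [str(ip) for ip in candidates if is_listed(dnsbl_name(ip))]


if __name__ == "__main__":
    print("all hops     :", dnsbl_hits(SAMPLE, stub_is_listed, last_external_only=False))
    print("last external:", dnsbl_hits(SAMPLE, stub_is_listed, last_external_only=True))
```

[Legitimate mail relayed through an ISP smarthost scores a hit when every hop is checked, because the sender's dynamic address is listed, and no hit when only the last external relay is checked. Pass dns_is_listed instead of stub_is_listed to query the real zone.]
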
From: btj at havleik.no (=?ISO-8859-1?Q?Bj=F8rn?= T Johansen)
Date: Tue Jan 6 10:35:47 2009
Subject: Could not open Bayes rebuild lock file /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock, No such file or directory
Message-ID: <20090106113530.41bc2d32@btj-laptop.asp-as.no>

I upgraded to version 4.74 and I now get a lot of these in the log..:

Jan 6 11:17:50 pat MailScanner[11207]: New Batch: Scanning 1 messages, 7216 bytes
Jan 6 11:17:51 pat MailScanner[11207]: Could not open Bayes rebuild lock file /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock, No such file or directory
Jan 6 11:17:51 pat MailScanner[11207]: At start of SA checks could not open /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock,
Jan 6 11:17:58 pat MailScanner[11207]: Virus and Content Scanning: Starting

Why? And what can I do to fix this?

Regards,

BTJ

--
-----------------------------------------------------------------------------------------------
Bjørn T Johansen

btj@havleik.no
-----------------------------------------------------------------------------------------------
Someone wrote:
"I understand that if you play a Windows CD backwards you hear strange Satanic messages"
To which someone replied:
"It's even worse than that; play it forwards and it installs Windows"
-----------------------------------------------------------------------------------------------

From maillists at conactive.com Tue Jan 6 10:58:50 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Tue Jan 6 10:59:00 2009
Subject: MailScanner --lint error
In-Reply-To: <567221C09601934AA5CE9762FDA09A5001C3DE@EXCHTEMP.biz.pwr-sys.com>
References: <567221C09601934AA5CE9762FDA09A5001C3D7@EXCHTEMP.biz.pwr-sys.com> <495FBCAE.60204@ecs.soton.ac.uk> <567221C09601934AA5CE9762FDA09A5001C3D9@EXCHTEMP.biz.pwr-sys.com> <496083A2.2090909@ecs.soton.ac.uk> <567221C09601934AA5CE9762FDA09A5001C3DA@EXCHTEMP.biz.pwr-sys.com> <72cf361e0901041213g512c4b70x84c3ad8ebeec55fc@mail.gmail.com> <567221C09601934AA5CE9762FDA09A5001C3DE@EXCHTEMP.biz.pwr-sys.com>
Message-ID:

Greg J. McGreevy wrote on Mon, 5 Jan 2009 22:44:22 -0500:

> Syntax error(s) in configuration file: at /usr/lib/MailScanner/MailScanner/Config.pm line 1937
> Unrecognised keyword "spamassassinprefsfile" at line 2789 at /usr/lib/MailScanner/MailScanner/Config.pm
> line 1940
> Warning: syntax errors in /etc/MailScanner/MailScanner.conf. at /usr/lib/MailScanner/MailScanner/Config.pm
> line 1945

There is no such option. The only one I can find is "MCP SpamAssassin Prefs File". Is that the one you edited?
I find that you are making the same mistake over and over: you post some error and that's it. The *least* you would do with the above is go to line 2789 and show us that line and the surroundings and tell us what you did. (My MailScanner.conf stops at 2788, though.)

>
> I added the list to the sa-update per your instructions

per "whose" instructions?

> but I have
> no idea to tell if it is in fact working

you look in /var/lib/spamassassin if it gets filled. It's explained all there where I pointed you earlier:
http://wiki.apache.org/spamassassin/RuleUpdates

> any insight on this would
> be helpful also Rules du jour does not appear to be present in my
> install so I skipped those steps is that correct?

rules du jour is deprecated, one should use channels. Which tutorial did you follow? Again, you make the mistake of not giving any insight of what you really did.
I don't see that Martin gave you instructions in this regard and I can't find a section "Getting the most out of Spamassassin" on the MS wiki (although I think I remember there was one). So, what exactly are you referring to?

>
> Also If I create a new User called spam and have all of my users forward
> their spam there to train bayes will that mess up the tests because
> they will be seen as all forwards?

Again from the SA wiki, this may be helpful:
http://wiki.apache.org/spamassassin/ResendingMailWithHeaders

> I am kind of at my wits end with this and about to throw in the towel.

I think you are just not following instructions (whichever you used) carefully enough. Or you used the wrong instructions (those corebsd instructions are not how I would do an install on CentOS) or are mixing them (there's often more than one way to do it right, but you usually can't mix them). Also, you don't seem to keep "old working good configuration", so you can easily check where the mistake was made.
Anyway, if you are interested, you can contact me under the address I use here and we can arrange something.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From MailScanner at ecs.soton.ac.uk Tue Jan 6 11:22:04 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Jan 6 11:22:23 2009
Subject: Could not open Bayes rebuild lock file /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock, No such file or directory
In-Reply-To: <20090106113530.41bc2d32@btj-laptop.asp-as.no>
References: <20090106113530.41bc2d32@btj-laptop.asp-as.no>
Message-ID: <49633EDC.4020709@ecs.soton.ac.uk>

What OS? What distribution of MailScanner? Did you install all the parts of MailScanner, including any new scripts I might have added to the "bin" directory?
If you only install half of it, funnily enough it won't work :-)

Jules.

On 6/1/09 10:35, Bjørn T Johansen wrote:
> I upgraded to version 4.74 and I now get a lot of these in the log..:
>
> Jan 6 11:17:50 pat MailScanner[11207]: New Batch: Scanning 1 messages, 7216 bytes
> Jan 6 11:17:51 pat MailScanner[11207]: Could not open Bayes rebuild lock file /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock, No such file or directory
> Jan 6 11:17:51 pat MailScanner[11207]: At start of SA checks could not open /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock,
> Jan 6 11:17:58 pat MailScanner[11207]: Virus and Content Scanning: Starting
>
>
> Why? And what can I do to fix this?
>
>
> Regards,
>
> BTJ
>
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From btj at havleik.no Tue Jan 6 11:44:43 2009
From: btj at havleik.no (=?ISO-8859-1?Q?Bj=F8rn?= T Johansen)
Date: Tue Jan 6 11:45:02 2009
Subject: Could not open Bayes rebuild lock file /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock, No such file or directory
In-Reply-To: <49633EDC.4020709@ecs.soton.ac.uk>
References: <20090106113530.41bc2d32@btj-laptop.asp-as.no> <49633EDC.4020709@ecs.soton.ac.uk>
Message-ID: <20090106124443.3882cea3@btj-laptop.asp-as.no>

I just ran the install.sh script like I always do...
I am running on Linux, Ubuntu Server and use the tar.gz distribution of MailScanner.. (Version 4.74.13-2 for Solaris / BSD / Other Linux / Other Unix )

Do I need to do more? I had version 4.70 before I upgraded....

BTJ

On Tue, 06 Jan 2009 11:22:04 +0000
Julian Field wrote:

> What OS? What distribution of MailScanner? Did you install all the parts
> of MailScanner, including any new scripts I might have added to the
> "bin" directory?
> If you only install half of it, funnily enough it won't work :-)
>
> Jules.
>
> On 6/1/09 10:35, Bjørn T Johansen wrote:
> > I upgraded to version 4.74 and I now get a lot of these in the log..:
> >
> > Jan 6 11:17:50 pat MailScanner[11207]: New Batch: Scanning 1 messages, 7216 bytes
> > Jan 6 11:17:51 pat MailScanner[11207]: Could not open Bayes rebuild lock file /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock, No such file or directory
> > Jan 6 11:17:51 pat MailScanner[11207]: At start of SA checks could not open /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock,
> > Jan 6 11:17:58 pat MailScanner[11207]: Virus and Content Scanning: Starting
> >
> >
> > Why? And what can I do to fix this?
> >
> >
> > Regards,
> >
> > BTJ
> >
> >
>
> Jules
>

From MailScanner at ecs.soton.ac.uk Tue Jan 6 11:56:27 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Jan 6 11:56:47 2009
Subject: Could not open Bayes rebuild lock file /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock, No such file or directory
In-Reply-To: <20090106124443.3882cea3@btj-laptop.asp-as.no>
References: <20090106113530.41bc2d32@btj-laptop.asp-as.no> <49633EDC.4020709@ecs.soton.ac.uk> <20090106124443.3882cea3@btj-laptop.asp-as.no>
Message-ID: <496346EB.1070200@ecs.soton.ac.uk>

On 6/1/09 11:44, Bjørn T Johansen wrote:
> I just ran the install.sh script like I always do...
> I am running on Linux, Ubuntu Server and use the tar.gz distribution of MailScanner.. (Version 4.74.13-2 for Solaris / BSD / Other Linux / Other Unix )
>
>
> Do I need to do more? I had version 4.70 before I upgraded....
>
There's a new script in the bin directory called mailscanner_create_locks, you need to make sure MailScanner can run that from /opt/MailScanner/bin.
>
> BTJ
>
> On Tue, 06 Jan 2009 11:22:04 +0000
> Julian Field wrote:
>
>
>> What OS? What distribution of MailScanner? Did you install all the parts
>> of MailScanner, including any new scripts I might have added to the
>> "bin" directory?
>> If you only install half of it, funnily enough it won't work :-)
>>
>> Jules.
>>
>> On 6/1/09 10:35, Bjørn T Johansen wrote:
>>
>>> I upgraded to version 4.74 and I now get a lot of these in the log..:
>>>
>>> Jan 6 11:17:50 pat MailScanner[11207]: New Batch: Scanning 1 messages, 7216 bytes
>>> Jan 6 11:17:51 pat MailScanner[11207]: Could not open Bayes rebuild lock file /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock, No such file or directory
>>> Jan 6 11:17:51 pat MailScanner[11207]: At start of SA checks could not open /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock,
>>> Jan 6 11:17:58 pat MailScanner[11207]: Virus and Content Scanning: Starting
>>>
>>>
>>> Why? And what can I do to fix this?
>>>
>>>
>>> Regards,
>>>
>>> BTJ
>>>
>>>
>>>
>> Jules
>>
>>
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From MailScanner at ecs.soton.ac.uk Tue Jan 6 12:11:05 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Jan 6 12:11:24 2009
Subject: Fedora 10 packaging help required
Message-ID: <49634A59.4090606@ecs.soton.ac.uk>

I've got a problem caused by Fedora 10.
They have changed the RPM build structure so that RPMs now build under ~/rpmbuild instead of /usr/src/redhat. But that's not the problem.

The problem is that the site_perl directory is now under /usr/local/lib/perl5 and not /usr/lib/perl5. But if you specify a "PREFIX" in the call to Makefile.PL to generate the Makefile, like I always have done, then the perl-site-specific directories are set wrong, it leaves them under /usr/lib/perl5.

What I need to know is how I can build the perl module in a BUILDROOT directory (so just building it can't over-write any existing files), while getting all the site-specific stuff correct that has changed in Fedora 10.

I have read the man page for ExtUtils::MakeMaker and have tried all sorts of things, but it won't get it right with just a few options to "perl Makefile.PL".

Any Fedora 10 experts out there who know how to do this?

The only perl modules I have looked at on the Fedora 10 project site have hideously complicated spec files, and I'm not at all confident that a total rewrite of all my spec files is either (a) warranted, or (b) not going to break compatibility with previous OSs.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From btj at havleik.no Tue Jan 6 12:16:34 2009
From: btj at havleik.no (=?ISO-8859-1?Q?Bj=F8rn?= T Johansen)
Date: Tue Jan 6 12:17:07 2009
Subject: Could not open Bayes rebuild lock file /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock, No such file or directory
In-Reply-To: <496346EB.1070200@ecs.soton.ac.uk>
References: <20090106113530.41bc2d32@btj-laptop.asp-as.no> <49633EDC.4020709@ecs.soton.ac.uk> <20090106124443.3882cea3@btj-laptop.asp-as.no> <496346EB.1070200@ecs.soton.ac.uk>
Message-ID: <20090106131634.776f66e4@btj-laptop.asp-as.no>

I think MailScanner can run the script, at least I have the following...: (and running the script gives no error messages...)

ls /var/spool/MailScanner/incoming/Locks/ -l
total 1
-rw------- 1 root root  0 2009-01-06 10:55 antivirBusy.lock
-rw------- 1 root root  0 2009-01-06 10:55 avastBusy.lock
-rw------- 1 root root  0 2009-01-06 10:55 avgBusy.lock
-rw------- 1 root root  0 2009-01-06 10:55 bitdefenderBusy.lock
-rw------- 1 root root 50 2009-01-06 13:04 clamavBusy.lock
-rw------- 1 root root  0 2009-01-06 10:55 cssBusy.lock
-rw------- 1 root root  0 2009-01-06 10:55 esetsBusy.lock
-rw------- 1 root root  0 2009-01-06 10:55 etrustBusy.lock
-rw------- 1 root root  0 2009-01-06 10:55 f-prot-6Busy.lock
-rw------- 1 root root  0 2009-01-06 10:55 f-protBusy.lock
-rw------- 1 root root  0 2009-01-06 10:55 f-secureBusy.lock
-rw------- 1 root root  0 2009-01-06 10:55 genericBusy.lock
-rw------- 1 root root  0 2009-01-06 10:55 inoculanBusy.lock
-rw------- 1 root root  0 2009-01-06 10:55 kasperskyBusy.lock
-rw------- 1 root root  0 2009-01-06 10:55 mcafeeBusy.lock
-rw------- 1 root root  0 2009-01-06 10:55 nod32Busy.lock
-rw------- 1 root root  0 2009-01-06 10:55 normanBusy.lock
-rw------- 1 root root  0 2009-01-06 10:55 pandaBusy.lock
-rw------- 1 root root  0 2009-01-06 10:55 ravBusy.lock
-rw------- 1 root root  0 2009-01-06 10:55 sophosBusy.lock
-rw------- 1 root root  0 2009-01-06 10:55 symscanengineBusy.lock
-rw------- 1 root root  0 2009-01-06 10:55 trendBusy.lock
-rw------- 1 root root  0 2009-01-06 10:55 vba32Busy.lock
-rw------- 1 root root  0 2009-01-06 10:55 vexiraBusy.lock

But MS.bayes.rebuild.lock is missing?

BTJ

On Tue, 06 Jan 2009 11:56:27 +0000
Julian Field wrote:

>
>
> On 6/1/09 11:44, Bjørn T Johansen wrote:
> > I just ran the install.sh script like I always do...
> > I am running on Linux, Ubuntu Server and use the tar.gz distribution of MailScanner.. (Version 4.74.13-2 for Solaris / BSD / Other Linux / Other Unix )
> >
> >
> > Do I need to do more? I had version 4.70 before I upgraded....
> >
> There's a new script in the bin directory called
> mailscanner_create_locks, you need to make sure MailScanner can run that
> from /opt/MailScanner/bin.
> >
> > BTJ
> >
> > On Tue, 06 Jan 2009 11:22:04 +0000
> > Julian Field wrote:
> >
> >
> >> What OS? What distribution of MailScanner? Did you install all the parts
> >> of MailScanner, including any new scripts I might have added to the
> >> "bin" directory?
> >> If you only install half of it, funnily enough it won't work :-)
> >>
> >> Jules.
> >>
> >> On 6/1/09 10:35, Bjørn T Johansen wrote:
> >>
> >>> I upgraded to version 4.74 and I now get a lot of these in the log..:
> >>>
> >>> Jan 6 11:17:50 pat MailScanner[11207]: New Batch: Scanning 1 messages, 7216 bytes
> >>> Jan 6 11:17:51 pat MailScanner[11207]: Could not open Bayes rebuild lock file /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock, No such file or directory
> >>> Jan 6 11:17:51 pat MailScanner[11207]: At start of SA checks could not open /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock,
> >>> Jan 6 11:17:58 pat MailScanner[11207]: Virus and Content Scanning: Starting
> >>>
> >>>
> >>> Why? And what can I do to fix this?
> >>>
> >>>
> >>> Regards,
> >>>
> >>> BTJ
> >>>
> >>>
> >>>
> >> Jules
> >>
> >>
> >
> >
>
> Jules
>

From cde at alunys.com Tue Jan 6 13:07:14 2009
From: cde at alunys.com (Cedric Devillers)
Date: Tue Jan 6 13:10:15 2009
Subject: Fedora 10 packaging help required
In-Reply-To: <49634A59.4090606@ecs.soton.ac.uk>
References: <49634A59.4090606@ecs.soton.ac.uk>
Message-ID: <49635782.4050109@alunys.com>

Julian Field wrote:
> I've got a problem caused by Fedora 10.
> They have changed the RPM build structure so that RPMs now build under
> ~/rpmbuild instead of /usr/src/redhat. But that's not the problem.
>
> The problem is that the site_perl directory is now under
> /usr/local/lib/perl5 and not /usr/lib/perl5. But if you specify a
> "PREFIX" in the call to Makefile.PL to generate the Makefile, like I
> always have done, then the perl-site-specific directories are set wrong,
> it leaves them under /usr/lib/perl5.
>
> What I need to know is how I can build the perl module in a BUILDROOT
> directory (so just building it can't over-write any existing files),
> while getting all the site-specific stuff correct that has changed in
> Fedora 10.
>
> I have read the man page for ExtUtils::MakeMaker and have tried all
> sorts of things, but it won't get it right with just a few options to
> "perl Makefile.PL".
>
> Any Fedora 10 experts out there who know how to do this?
>
> The only perl modules I have looked at on the Fedora 10 project site
> have hideously complicated spec files, and I'm not at all confident that
> a total rewrite of all my spec files is either (a) warranted, or (b) not
> going to break compatibility with previous OSs.
>
> Jules
>

Maybe you can try to define these macros at the top of your spec file:

%perl_sitelib and/or %perl_vendorlib

--
Visit our new website: www.amstergroup.com

From maillists at conactive.com Tue Jan 6 13:10:37 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Tue Jan 6 13:10:53 2009
Subject: Fedora 10 packaging help required
In-Reply-To: <49634A59.4090606@ecs.soton.ac.uk>
References: <49634A59.4090606@ecs.soton.ac.uk>
Message-ID:

Julian Field wrote on Tue, 06 Jan 2009 12:11:05 +0000:

> Any Fedora 10 experts out there who know how to do this?

why not ask on the Fedora devel list? (I assume there is one.) I mean they should know about the problems their changes create for third-party packagers. *If nobody speaks up, nobody will listen.* And they should also be able to give you the *definitive* guide for solving that (at least I would hope so).

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Tue Jan 6 13:12:40 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Tue Jan 6 13:12:50 2009
Subject: Could not open Bayes rebuild lock file /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock, No such file or directory
In-Reply-To: <20090106131634.776f66e4@btj-laptop.asp-as.no>
References: <20090106113530.41bc2d32@btj-laptop.asp-as.no> <49633EDC.4020709@ecs.soton.ac.uk> <20090106124443.3882cea3@btj-laptop.asp-as.no> <496346EB.1070200@ecs.soton.ac.uk> <20090106131634.776f66e4@btj-laptop.asp-as.no>
Message-ID:

Bjørn T Johansen wrote on Tue, 6 Jan 2009 13:16:34 +0100:

> But MS.bayes.rebuild.lock is missing?

right. Julian, we are talking here about the lock file for SA rebuilds, not about virus scanner lockfiles. It doesn't look like this file gets created by mailscanner_create_locks. Is it created for each SA run to make sure you do not timeout SA when it starts an automatic expire?

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Tue Jan 6 13:53:31 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Tue Jan 6 13:53:44 2009
Subject: [Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks
In-Reply-To: <49428EF4.2000903@vanderkooij.org>
References: <49422B24.7040900@ecs.soton.ac.uk> <49422EFA.2020801@ecs.soton.ac.uk> <7EF0EE5CB3B263488C8C18823239BEBA056F89AC@HC-MBX02.herefordshire.gov.uk> <494250AB.2010305@ecs.soton.ac.uk> <49428EF4.2000903@vanderkooij.org>
Message-ID:

Hugo van der Kooij wrote on Fri, 12 Dec 2008 17:19:00 +0100:

> Care to share it with the rest of the world? Put it online somewhere if
> you want others to enjoy it too.

I just checked it with the latest MS and added a bit of explanation. You can get it from http://winware.org/centos/updatems.zip
The first script downloads and updates MS, the second updates the conf. Comments welcome (suggest PM).

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From john at tradoc.fr Tue Jan 6 14:13:27 2009
From: john at tradoc.fr (John Wilcock)
Date: Tue Jan 6 14:13:48 2009
Subject: Could not open Bayes rebuild lock file /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock, No such file or directory
In-Reply-To:
References: <20090106113530.41bc2d32@btj-laptop.asp-as.no> <49633EDC.4020709@ecs.soton.ac.uk> <20090106124443.3882cea3@btj-laptop.asp-as.no> <496346EB.1070200@ecs.soton.ac.uk> <20090106131634.776f66e4@btj-laptop.asp-as.no>
Message-ID: <49636707.5060608@tradoc.fr>

On 06/01/2009 14:12, Kai Schaetzl wrote:
> Bjørn T Johansen wrote on Tue, 6 Jan 2009 13:16:34 +0100:
>
>> > But MS.bayes.rebuild.lock is missing?
>
> right. Julian, we are talking here about the lock file for SA rebuilds,
> not about virus scanner lockfiles. It doesn't look like this file gets
> created by mailscanner_create_locks. Is it created for each SA run to make
> sure you do not timeout SA when it starts an automatic expire?

FWIW, I'm getting the same error logged on a fresh install of 4.74.13-2 on a new gentoo box (the gentoo ebuild is based on the tar.gz distribution, and I've updated it to install the mailscanner_create_locks file).

RPM users aren't reporting this AFAICT, so maybe there's an omission in the tar.gz version of mailscanner_create_locks.

John.

--
-- Over 3000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages - www.tradoc.fr

From MailScanner at ecs.soton.ac.uk Tue Jan 6 15:37:24 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Jan 6 15:37:48 2009
Subject: Could not open Bayes rebuild lock file /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock, No such file or directory
In-Reply-To:
References: <20090106113530.41bc2d32@btj-laptop.asp-as.no> <49633EDC.4020709@ecs.soton.ac.uk> <20090106124443.3882cea3@btj-laptop.asp-as.no> <496346EB.1070200@ecs.soton.ac.uk> <20090106131634.776f66e4@btj-laptop.asp-as.no>
Message-ID: <49637AB4.90408@ecs.soton.ac.uk>

On 6/1/09 13:12, Kai Schaetzl wrote:
> Bjørn T Johansen wrote on Tue, 6 Jan 2009 13:16:34 +0100:
>
>
>> But MS.bayes.rebuild.lock is missing?
>>
>
> right. Julian, we are talking here about the lock file for SA rebuilds,
> not about virus scanner lockfiles.
Okay, yes.
> It doesn't look like this file gets
> created by mailscanner_create_locks.
No, it's not.
> Is it created for each SA run to make
> sure you do not timeout SA when it starts an automatic expire?
>
It's created so that, when one MailScanner child starts an expiry run of the SA Bayes database, other children know not to do the same. I suspect it also tells the other children that the Bayes database is locked, so don't wait for it if the MailScanner.conf says to not wait for it.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From MailScanner at ecs.soton.ac.uk Tue Jan 6 15:38:34 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Jan 6 15:38:54 2009
Subject: Could not open Bayes rebuild lock file /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock, No such file or directory
In-Reply-To: <20090106131634.776f66e4@btj-laptop.asp-as.no>
References: <20090106113530.41bc2d32@btj-laptop.asp-as.no> <49633EDC.4020709@ecs.soton.ac.uk> <20090106124443.3882cea3@btj-laptop.asp-as.no> <496346EB.1070200@ecs.soton.ac.uk> <20090106131634.776f66e4@btj-laptop.asp-as.no>
Message-ID: <49637AFA.6040905@ecs.soton.ac.uk>

I'll try to remember to check on this one later and get back to you.

On 6/1/09 12:16, Bjørn T Johansen wrote:
> I think MailScanner can run the script, at least I have the following...:
> (and running the script gives no error messages...)
>
> ls /var/spool/MailScanner/incoming/Locks/ -l
> total 1
> -rw------- 1 root root 0 2009-01-06 10:55 antivirBusy.lock
> -rw------- 1 root root 0 2009-01-06 10:55 avastBusy.lock
> -rw------- 1 root root 0 2009-01-06 10:55 avgBusy.lock
> -rw------- 1 root root 0 2009-01-06 10:55 bitdefenderBusy.lock
> -rw------- 1 root root 50 2009-01-06 13:04 clamavBusy.lock
> -rw------- 1 root root 0 2009-01-06 10:55 cssBusy.lock
> -rw------- 1 root root 0 2009-01-06 10:55 esetsBusy.lock
> -rw------- 1 root root 0 2009-01-06 10:55 etrustBusy.lock
> -rw------- 1 root root 0 2009-01-06 10:55 f-prot-6Busy.lock
> -rw------- 1 root root 0 2009-01-06 10:55 f-protBusy.lock
> -rw------- 1 root root 0 2009-01-06 10:55 f-secureBusy.lock
> -rw------- 1 root root 0 2009-01-06 10:55 genericBusy.lock
> -rw------- 1 root root 0 2009-01-06 10:55 inoculanBusy.lock
> -rw------- 1 root root 0 2009-01-06 10:55 kasperskyBusy.lock
> -rw------- 1 root root 0 2009-01-06 10:55 mcafeeBusy.lock
> -rw------- 1 root root 0 2009-01-06 10:55 nod32Busy.lock
> -rw------- 1 root root 0 2009-01-06 10:55 normanBusy.lock
> -rw------- 1 root root 0 2009-01-06 10:55 pandaBusy.lock
> -rw------- 1 root root 0 2009-01-06 10:55 ravBusy.lock
> -rw------- 1 root root 0 2009-01-06 10:55 sophosBusy.lock
> -rw------- 1 root root 0 2009-01-06 10:55 symscanengineBusy.lock
> -rw------- 1 root root 0 2009-01-06 10:55 trendBusy.lock
> -rw------- 1 root root 0 2009-01-06 10:55 vba32Busy.lock
> -rw------- 1 root root 0 2009-01-06 10:55 vexiraBusy.lock
>
>
> But MS.bayes.rebuild.lock is missing?
>
>
>
> BTJ
>
> On Tue, 06 Jan 2009 11:56:27 +0000
> Julian Field wrote:
>
>
>> On 6/1/09 11:44, Bjørn T Johansen wrote:
>>
>>> I just ran the install.sh script like I always do...
>>> I am running on Linux, Ubuntu Server and use the tar.gz distribution of MailScanner.. (Version 4.74.13-2 for Solaris / BSD / Other Linux / Other
>>> Unix )
>>>
>>>
>>> Do I need to do more? I had version 4.70 before I upgraded....
>>>
>>>
>> There's a new script in the bin directory called
>> mailscanner_create_locks, you need to make sure MailScanner can run that
>> from /opt/MailScanner/bin.
>>
>>> BTJ
>>>
>>> On Tue, 06 Jan 2009 11:22:04 +0000
>>> Julian Field wrote:
>>>
>>>
>>>
>>>> What OS? What distribution of MailScanner? Did you install all the parts
>>>> of MailScanner, including any new scripts I might have added to the
>>>> "bin" directory?
>>>> If you only install half of it, funnily enough it won't work :-)
>>>>
>>>> Jules.
>>>>
>>>> On 6/1/09 10:35, Bjørn T Johansen wrote:
>>>>
>>>>
>>>>> I upgraded to version 4.74 and I now get a lot of these in the log..:
>>>>>
>>>>> Jan 6 11:17:50 pat MailScanner[11207]: New Batch: Scanning 1 messages, 7216 bytes
>>>>> Jan 6 11:17:51 pat MailScanner[11207]: Could not open Bayes rebuild lock file /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock, No
>>>>> such file or directory
>>>>> Jan 6 11:17:51 pat MailScanner[11207]: At start of SA checks could not open /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock,
>>>>> Jan 6 11:17:58 pat MailScanner[11207]: Virus and Content Scanning: Starting
>>>>>
>>>>>
>>>>> Why? And what can I do to fix this?
>>>>>
>>>>>
>>>>> Regards,
>>>>>
>>>>> BTJ
>>>>>
>>>>>
>>>>>
>>>>>
>>>> Jules
>>>>
>>>>
>>>>
>>>
>>>
>> Jules
>>
>>
> =
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From maillists at conactive.com Tue Jan 6 15:51:25 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Tue Jan 6 15:51:36 2009
Subject: Could not open Bayes rebuild lock file /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock, No such file or directory
In-Reply-To: <49637AB4.90408@ecs.soton.ac.uk>
References: <20090106113530.41bc2d32@btj-laptop.asp-as.no> <49633EDC.4020709@ecs.soton.ac.uk> <20090106124443.3882cea3@btj-laptop.asp-as.no> <496346EB.1070200@ecs.soton.ac.uk> <20090106131634.776f66e4@btj-laptop.asp-as.no> <49637AB4.90408@ecs.soton.ac.uk>
Message-ID:

Julian Field wrote on Tue, 06 Jan 2009 15:37:24 +0000:

> It's created so that, when one MailScanner child starts an expiry run of
> the SA Bayes database, other children know not to do the same.

Hm, so it's only created when an expiry gets started? How does MS get to know this? I mean it's SA that determines if it's time or not, not MS. The obvious short-term workaround for those people experiencing the problem then is to set bayes_auto_expire to 0 until the real solution is available.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From wsavenbe at hotmail.com Tue Jan 6 16:19:05 2009
From: wsavenbe at hotmail.com (Wim Savenberg)
Date: Tue Jan 6 16:19:15 2009
Subject: Mail Scanned Several Times ....
Message-ID:

Hi Mailwatch gurus,

I am facing a problem with Mailwatch & Mailscanner (4.66). All mails are scanned several times resulting in (serious) delays.
Has anybody seen this problem before and most important how can it be solved ....

Your help is highly appreciated .....

Many thanks in advance

WimS

_________________________________________________________________
From now on you have your friends with you everywhere!
http://www.windowslivemobile.msn.com/?mkt=nl-be
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090106/7b223a34/attachment.html

From ssilva at sgvwater.com Tue Jan 6 16:44:20 2009
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Jan 6 16:44:49 2009
Subject: Mail Scanned Several Times ....
In-Reply-To:
References:
Message-ID:

on 1-6-2009 8:19 AM Wim Savenberg spake the following:
> Hi Mailwatch gurus,
>
> I am facing a problem with Mailwatch & Mailscanner (4.66). All mails are
> scanned several times resulting in (serious) delays.
> Has anybody seen this problem before and most important how can it be
> solved ....
>
> Your help is highly appreciated .....
>
>
> Many thanks in advance
>
> WimS

Have you tried updating to a current version? There have been recent changes to work with the latest version of ClamAV. If you have updated ClamAV, but haven't updated MailScanner, you can have this problem.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 250 bytes
Desc: OpenPGP digital signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090106/331ae7e3/signature.bin

From prandal at herefordshire.gov.uk Tue Jan 6 16:45:14 2009
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Tue Jan 6 16:49:41 2009
Subject: Mail Scanned Several Times ....
In-Reply-To:
References:
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA0587CBB8@HC-MBX02.herefordshire.gov.uk>

4.66 is ancient. If you can, upgrade to the current 4.74.13 and try again.

In the meantime, your operating system and MTA details could be useful.

Cheers,

Phil

--
Phil Randal | Networks Engineer
Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: prandal@herefordshire.gov.uk

Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Herefordshire Council.

This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it.

________________________________
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Wim Savenberg
Sent: 06 January 2009 16:19
To: mailscanner@lists.mailscanner.info
Subject: Mail Scanned Several Times ....

Hi Mailwatch gurus,

I am facing a problem with Mailwatch & Mailscanner (4.66). All mails are scanned several times resulting in (serious) delays.
Has anybody seen this problem before and most important how can it be solved ....

Your help is highly appreciated .....

Many thanks in advance

WimS

________________________________
Makes your online life a party. Windows Live
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090106/2e80f198/attachment.html

From maillists at conactive.com Tue Jan 6 17:31:19 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Tue Jan 6 17:31:28 2009
Subject: Mail Scanned Several Times ....
In-Reply-To:
References:
Message-ID:

Wim Savenberg wrote on Tue, 6 Jan 2009 17:19:05 +0100:

> I am facing a problem with Mailwatch & Mailscanner (4.66). All mails
> are scanned several times resulting in (serious) delays.
> Has anybody seen this problem before and most important how can it be solved ....

This has nothing to do with Mailwatch unless the data in Mailwatch is wrong. To determine this check the data from Mailwatch against the data in your mailscanner.log. If it turns out that mail really gets scanned several times you may want to provide a little bit of information about your system (at the moment I don't see that you provided any) and think about when this started.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From traced at xpear.de Tue Jan 6 19:48:30 2009
From: traced at xpear.de (traced)
Date: Tue Jan 6 19:48:41 2009
Subject: Barracude BRBL ??
In-Reply-To:
References: <4960EF7002000000000334D2@gw.caspercollege.edu>
Message-ID: <4963B58E.4020806@xpear.de>

Scott Silva wrote:
> on 1-4-2009 4:18 PM Daniel Straka spake the following:
>> Richard,
>>
>> I've been using the BRBL for a few months now. No false positives reported yet,
> > however it rarely picks up any SPAM that spamcop.net and spamhaus-ZEN haven't
> > already picked up. But every little bit helps.
>> Dan
>>
>
> Then it might be good for those of us that have been "outed" by spamhaus, but
> don't have enough traffic to justify paying for a feed.
> I will stick it in spamassassin with a low score for a month or two and see
> how it hits for me.
>
>
>

I did that too, and must say that 70-80% of all messages tagged by BRBL with a low test score are ham, the other 20-30% are really spam. With a low score that might be good to lift up the real spams, so that they don't slip under the required SA score.

But with this rate, I will never use this RBL in my policyd-weight setup.

Regards,
Bastian

From maillists at conactive.com Tue Jan 6 21:31:20 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Tue Jan 6 21:31:36 2009
Subject: Barracude BRBL ??
In-Reply-To: <4963B58E.4020806@xpear.de>
References: <4960EF7002000000000334D2@gw.caspercollege.edu> <4963B58E.4020806@xpear.de>
Message-ID:

Traced wrote on Tue, 06 Jan 2009 20:48:30 +0100:

> I did that too, and must say that 70-80% of all messages tagged by BRBL
> with a low test score are ham, the other 20-30% are really spam. With a
> low score that might be good to lift up the real spams, so that they
> don't slip under the required SA score.

with such a hit distribution you can just randomly add scores and get the same or even better results. Reminds me of the "Luckyseven" list:
http://www.dnsbl.com/2007/10/fiveten-blacklist-not-accurate.html

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From traced at xpear.de Tue Jan 6 21:58:08 2009
From: traced at xpear.de (traced)
Date: Tue Jan 6 21:58:22 2009
Subject: Barracude BRBL ??
In-Reply-To:
References: <4960EF7002000000000334D2@gw.caspercollege.edu> <4963B58E.4020806@xpear.de>
Message-ID: <4963D3F0.8000702@xpear.de>

Kai Schaetzl wrote:
> Traced wrote on Tue, 06 Jan 2009 20:48:30 +0100:
>
>> I did that too, and must say that 70-80% of all messages tagged by BRBL
>> with a low test score are ham, the other 20-30% are really spam. With a
>> low score that might be good to lift up the real spams, so that they
>> don't slip under the required SA score.
>
> with such a hit distribution you can just randomly add scores and get the
> same or even better results. Reminds me of the "Luckyseven" list:
> http://www.dnsbl.com/2007/10/fiveten-blacklist-not-accurate.html
>
> Kai
>

Got to watch it for a week or two, but BRBL seems to be nothing that makes me forget all my spam worries :)

From MailScanner at ecs.soton.ac.uk Tue Jan 6 22:20:10 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Jan 6 22:20:31 2009
Subject: Anti-spear-phishing, round 2
Message-ID: <4963D91A.9060304@ecs.soton.ac.uk>

I have done a load of work on my script that uses the anti-spear-phishing addresses database.

The main thing is now that it is pretty much a finished script, and is directly usable by you guys without you having to do much to it except read the settings at the top and tweak the filenames if you want to change where it puts things.

I have taken a lot of care to ensure that this won't match any false alarms, I don't just dumbly look for the strings in any surrounding text, which certain commercial AV vendors have been caught doing in the past!

I make a suggestion in the comments at the top of the script about how I use the rule within MailScanner, you probably want to do something similar, and not just delete anything that matches, just in case you do get any false alarms.

It also looks for numbers at the end of the username bit of the address, and assumes that these are numbers which the scammers may change; so if it finds them, it replaces them with a pattern that will match any number instead. There's starting to be a lot of this about, as it's the easiest way for the scammers to try to defeat simple address lists targeted against them, while still being able to remember what addresses they have to check for replies from your dumb users. :-) I thought I would make it a tiny bit harder for them...

You can also add addresses of your own (which can include "*" as a wildcard character to mean "any series of valid characters" in the email address), one address per line, in an optional extra file. Again, read the top of the script and you'll see it mentioned there. That file is optional, it doesn't matter if it doesn't exist. As a starter, you might want to put
m i c h a e l l o u c a s * @ g m a i l . c o m
(without the extra spaces) in that file, as it will nicely catch a lot of "Job opportunity" spams.

It looks for any of these addresses appearing **anywhere** in the message, not just in the headers. So if you start talking to people about these addresses, don't be surprised when the messages get caught by the trap.

It does a "wget", so make sure you have that binary installed, or else change the script to fetch the file by some other means.

The very end of the script does a "service MailScanner restart", so if you need some other command to restart MailScanner, then edit it for your system. It needs to be a "restart" and not a "reload" as I have to force it to re-build the database of SpamAssassin rules.

My aim was that, on a RedHat system running MailScanner, you could just copy the script into /etc/cron.hourly and make it executable, and it will just get on with the job for you. I do advise you read the bit in the script about "SpamAssassin Rule Actions" though.

Please do let me know how you would like me to improve it, and tell me what you think of it in general (be polite, now! :-)

Cheers,

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Spear.Phishing.Rules.gz
Type: application/x-gzip
Size: 1710 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090106/3a7da8b0/Spear.Phishing.Rules.gz

From ssilva at sgvwater.com Tue Jan 6 22:23:07 2009
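
[Added example, not part of the archived posts and not Julian's script: one way to implement the list-to-pattern step described in the "Anti-spear-phishing, round 2" message above (trailing digits generalized, "*" as a wildcard, matching anywhere in the message without hitting longer look-alike addresses). The function names, the character classes and every address below are assumptions constructed for illustration.]

```python
import re

# Characters allowed to stand in for "*" (assumption: a conservative
# subset of what may appear in an e-mail address).
ADDR_CHARS = r"[A-Za-z0-9._%+-]"
# Boundaries so a listed address is not matched inside a longer one,
# e.g. "xfoo@example.com" or "foo@example.com.au".
NOT_BEFORE = r"(?<![A-Za-z0-9._%+-])"
NOT_AFTER = r"(?![A-Za-z0-9-]|\.[A-Za-z0-9])"


def _glob(part):
    """Escape a literal string, turning each '*' into 'any valid characters'."""
    return (ADDR_CHARS + "*").join(re.escape(p) for p in part.split("*"))


def address_to_pattern(entry):
    """Convert one list entry into a regex fragment (without boundaries)."""
    entry = entry.strip().lower()
    local, at, domain = entry.rpartition("@")
    if not (at and local and domain):
        raise ValueError("not an address: %r" % entry)
    # Trailing digits on the username become "any number". A username made
    # only of digits is kept literal, otherwise the pattern would match
    # every numeric mailbox at that domain.
    m = re.fullmatch(r"(.*?)(\d+)", local)
    if m and m.group(1):
        local_re = _glob(m.group(1)) + r"\d+"
    else:
        local_re = _glob(local)
    return local_re + "@" + _glob(domain)


def compile_list(lines):
    """Build one case-insensitive regex from an address list, one per line."""
    patterns = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):  # skip blanks and comments
            continue
        patterns.append(address_to_pattern(line))
    if not patterns:
        return None
    body = "(?:" + "|".join(patterns) + ")"
    return re.compile(NOT_BEFORE + body + NOT_AFTER, re.IGNORECASE)


def find_listed_addresses(raw_message, regex):
    """Return every listed address found anywhere in the raw message text."""
    if regex is None:
        return []
    return [m.group(0) for m in regex.finditer(raw_message)]


# Constructed sample list and message (not real addresses).
SAMPLE_LIST = [
    "# constructed entries",
    "claims.dept22@example.com",   # trailing digits -> any number
    "job.offer*@example.net",      # wildcard entry from the optional extra file
    "12345@example.org",           # all-digit username stays literal
]
SAMPLE_MESSAGE = """From: "Webmail Support" <helpdesk@example.edu>
Reply-To: claims.dept907@example.com
Subject: Mailbox quota

Please reply to Claims.Dept907@example.com or
job.offer.uk@example.net. Unrelated: xclaims.dept22@example.com,
claims.dept22@example.com.au and 99999@example.org.
"""

if __name__ == "__main__":
    rx = compile_list(SAMPLE_LIST)
    for hit in find_listed_addresses(SAMPLE_MESSAGE, rx):
        print("listed address seen:", hit)
```

The look-alike addresses in the last two lines of the sample are deliberately not reported, which is the false-alarm case the message warns about.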
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Jan 6 22:23:53 2009
Subject: Barracude BRBL ??
In-Reply-To: <4963B58E.4020806@xpear.de>
References: <4960EF7002000000000334D2@gw.caspercollege.edu> <4963B58E.4020806@xpear.de>
Message-ID:

>>
>
> I did that too, and must say that 70-80% of all messages tagged by BRBL
> with a low test score are ham, the other 20-30% are really spam. With a
> low score that might be good to lift up the real spams, so that they
> don't slip under the required SA score.
>
> But with this rate, I will never use this RBL in my policyd-weight setup.
>
Strange, because for the 24 or so hours I have been running it, I'm hitting over 97% spam.

I haven't looked at the other 3 % to see if it is actually ham or FN's.

Good enough for me to add more than half a point, but not more than 3 points.

I don't want this one list too strong unless I can hit 100%.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 250 bytes
Desc: OpenPGP digital signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090106/cf8483b0/signature.bin

From ssilva at sgvwater.com Tue Jan 6 22:45:35 2009
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Jan 6 22:45:59 2009
Subject: Barracude BRBL ??
In-Reply-To:
References: <4960EF7002000000000334D2@gw.caspercollege.edu> <4963B58E.4020806@xpear.de>
Message-ID:

on 1-6-2009 2:23 PM Scott Silva spake the following:
>
>> I did that too, and must say that 70-80% of all messages tagged by BRBL
>> with a low test score are ham, the other 20-30% are really spam. With a
>> low score that might be good to lift up the real spams, so that they
>> don't slip under the required SA score.
>>
>> But with this rate, I will never use this RBL in my policyd-weight setup.
>>
> Strange, because for the 24 or so hours I have been running it, I'm hitting
> over 97% spam.
>
> I haven't looked at the other 3 % to see if it is actually ham or FN's.
>
> Good enough for me to add more than half a point, but not more than 3 points.
>
> I don't want this one list too strong unless I can hit 100%.
>
>
Further research shows that (at least on my system) there were only 3 actual ham messages, and they were from the same address. The rest were spam that scored just under the radar. So a point or two would at least get those into low scoring and get tagged.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 250 bytes
Desc: OpenPGP digital signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090106/8807a1fd/signature.bin

From ka at pacific.net Wed Jan 7 00:54:56 2009
From: ka at pacific.net (Ken A)
Date: Wed Jan 7 00:55:10 2009
Subject: Barracude BRBL ??
In-Reply-To:
References: <4960EF7002000000000334D2@gw.caspercollege.edu> <4963B58E.4020806@xpear.de>
Message-ID: <4963FD60.1080306@pacific.net>

Scott Silva wrote:
>
>> I did that too, and must say that 70-80% of all messages tagged by BRBL
>> with a low test score are ham, the other 20-30% are really spam. With a
>> low score that might be good to lift up the real spams, so that they
>> don't slip under the required SA score.
>>
>> But with this rate, I will never use this RBL in my policyd-weight setup.
>>
> Strange, because for the 24 or so hours I have been running it, I'm hitting
> over 97% spam.
>
> I haven't looked at the other 3 % to see if it is actually ham or FN's.
>
> Good enough for me to add more than half a point, but not more than 3 points.
>
> I don't want this one list too strong unless I can hit 100%.
>
>

We see pretty good results from BRBL too, but there are some FPs. We have home and business dialup and dsl (ISP) users. I've found it's good in META with Botnet rules. META with DCC and Razor also hits good, but may FP once in a while.

Ken

--
Ken Anderson
http://www.pacific.net/

From gmcgreevy at pwr-sys.com Wed Jan 7 00:55:01 2009
From: gmcgreevy at pwr-sys.com (Greg J. McGreevy)
Date: Wed Jan 7 01:00:00 2009
Subject: MailScanner --lint error
References: <567221C09601934AA5CE9762FDA09A5001C3D7@EXCHTEMP.biz.pwr-sys.com> <495FBCAE.60204@ecs.soton.ac.uk> <567221C09601934AA5CE9762FDA09A5001C3D9@EXCHTEMP.biz.pwr-sys.com> <496083A2.2090909@ecs.soton.ac.uk> <567221C09601934AA5CE9762FDA09A5001C3DA@EXCHTEMP.biz.pwr-sys.com> <72cf361e0901041213g512c4b70x84c3ad8ebeec55fc@mail.gmail.com> <567221C09601934AA5CE9762FDA09A5001C3DE@EXCHTEMP.biz.pwr-sys.com>
Message-ID: <567221C09601934AA5CE9762FDA09A5001C3E0@EXCHTEMP.biz.pwr-sys.com>

Nope did not touch that one and I did not edit the MailScanner.conf file followed this one below that Julian sent me did not miss anything with the exception of the Rules du jour which was not in my version and I have since undone all of the entries.

http://article.gmane.org/gmane.mail.virus.mailscanner/54241/match=how-to

Yes huge problem with this open source stuff is the piss poor documentation and riddled with mistake how to's. I am extremely meticulous and methodical on everything I do and leave bread crumbs so I can always go back to a known good configuration. Yes I used different how tos because of the missing/incorrect configuration steps posted in all of them. Does not seem like anyone starts from a base fresh install so pre-requisites are assumed.

I would like some help let me know when you are available

Greg

________________________________
From: mailscanner-bounces@lists.mailscanner.info on behalf of Kai Schaetzl
Sent: Tue 1/6/2009 5:58 AM
To: mailscanner@lists.mailscanner.info
Subject: Re: MailScanner --lint error

Greg J. McGreevy wrote on Mon, 5 Jan 2009 22:44:22 -0500:

> Syntax error(s) in configuration file: at /usr/lib/MailScanner/MailScanner/Config.pm line 1937
> Unrecognised keyword "spamassassinprefsfile" at line 2789 at /usr/lib/MailScanner/MailScanner/Config.pm
> line 1940
> Warning: syntax errors in /etc/MailScanner/MailScanner.conf. at /usr/lib/MailScanner/MailScanner/Config.pm
> line 1945

There is no such option. The only one I can find is "MCP SpamAssassin Prefs File". Is that the one you edited? I find that you are making the same mistake over and over: you post some error and that's it. The *least* you would do with the above is go to line 2789 and show us that line and the surroundings and tell us what you did. (My MailScanner.conf stops at 2788, though.)

>
> I added the list to the sa-update per your instructions

per "whose" instructions?

but I have
> no idea to tell if it is in fact working

you look in /var/lib/spamassassin if it gets filled. It's explained all there where I pointed you earlier:
http://wiki.apache.org/spamassassin/RuleUpdates

any insight on this would
> be helpful also Rules du jour does not appear to be present in my
> install so I skipped those steps is that correct?

rules du jour is deprecated, one should use channels. Which tutorial did you follow? Again, you make the mistake of not giving any insight of what you really did. I don't see that Martin gave you instructions in this regard and I can't find a section "Getting the most out of Spamassassin" on the MS wiki (although I think I remember there was one). So, what exactly are you referring to?

>
> Also If I create a new User called spam and have all of my users forward
> their spam there to train bayes will that mess up the tests because
> they will be seen as all forwards?

Again from the SA wiki, this may be helpful:
http://wiki.apache.org/spamassassin/ResendingMailWithHeaders

> I am kind of at my wits end with this and about to throw in the towel.

I think you are just not following instructions (whichever you used) carefully enough. Or you used the wrong instructions (those corebsd instructions are not how I would do an install on CentOS) or are mixing them (there's often more than one way to do it right, but you usually can't mix them). Also, you don't seem to keep "old working good configuration", so you can easily check where the mistake was made. Anyway, if you are interested, you can contact me under the address I use here and we can arrange something.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/ms-tnef
Size: 7597 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090106/e7085925/attachment-0001.bin

From brian at datamatters.com.au Wed Jan 7 01:24:34 2009
From: brian at datamatters.com.au (Brian)
Date: Wed Jan 7 01:30:14 2009
Subject: Could not open Bayes rebuild lock file /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock, No such file or directory
References: <20090106113530.41bc2d32@btj-laptop.asp-as.no> <49633EDC.4020709@ecs.soton.ac.uk> <20090106124443.3882cea3@btj-laptop.asp-as.no> <496346EB.1070200@ecs.soton.ac.uk> <20090106131634.776f66e4@btj-laptop.asp-as.no> <49636707.5060608@tradoc.fr>
Message-ID:

John Wilcock tradoc.fr> writes:

> RPM users aren't reporting this AFAICT, so maybe there's an omission in
> the tar.gz version of mailscanner_create_locks.
>
> John.
>

Guys, I've just upgraded an RPM based system (centos 5.2) to 4.74.13 and I am also getting those messages. Mail seems to be passing through OK though.

Cheers.

From root at doctor.nl2k.ab.ca Wed Jan 7 01:51:34 2009
From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem)
Date: Wed Jan 7 01:52:52 2009
Subject: [mkettler_sa@verizon.net: {?} Re: Change the score of BAYES_9*]
Message-ID: <20090107015134.GA19127@doctor.nl2k.ab.ca>

----- Forwarded message from Matt Kettler -----

Resent-From: doctor@doctor.nl2k.ab.ca
Resent-Date: Tue, 6 Jan 2009 18:45:27 -0700
Resent-Message-ID: <20090107014527.GA18581@doctor.nl2k.ab.ca>
Resent-To: "Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem"
X-Spam-Filter: check_local@doctor.nl2k.ab.ca by digitalanswers.org
Mailing-List: contact users-help@spamassassin.apache.org; run by ezmlm
Precedence: bulk
list-help:
list-unsubscribe:
List-Post:
List-Id:
Delivered-To: mailing list users@spamassassin.apache.org
X-ASF-Spam-Status: No, hits=-0.0 required=10.0 tests=FM_FAKE_HELO_VERIZON,SPF_PASS
X-Spam-Check-By: apache.org
Date: Tue, 06 Jan 2009 09:22:59 -0500
From: Matt Kettler Subject: {?} Re: Change the score of BAYES_9* In-reply-to: <20090106140437.GD21804@doctor.nl2k.ab.ca> To: The Doctor Cc: users@spamassassin.apache.org The Doctor wrote: > I wish to make a system-wide change for BAYES_95 and BAYES_99 to > score 1000.0 . 999.999% of those e-mail scoringthat high > are worthy of GTUBE status. > > How can make that change systemwide? > in local.cf add: score BAYES_95 1000.0 score BAYES_99 1000.0 If you use spamd or an API level tool that caches a Mail::SpamAssassin object (ie: MailScanner), it will need to be restarted to read the new config. However, I will warn you this is a bit dangerous. Theoretically, the false positive rate of those two should be 5%. (ie: 5% of the mail they match is nonspam mail). That said, I also don't understand why such a strong score.
That's higher than a manual whitelisting will compensate for (-100). Do you really want this to be so high that it over-rides your explicit whitelists? Why not use something like 20 or 50? GTUBE is scored so high because it needs to over-ride any whitelisting. But nothing else should ever need such a high score. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. ----- End forwarded message ----- Yes I still run MailScanner and have adjusted the local.cf but still see the default BAYES_9* score. Why is that score not changing? From hvdkooij at vanderkooij.org Wed Jan 7 10:48:41 2009
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Wed Jan 7 10:49:00 2009 Subject: Fedora 10 packaging help required In-Reply-To: <49634A59.4090606@ecs.soton.ac.uk> References: <49634A59.4090606@ecs.soton.ac.uk> Message-ID: <49648889.1090302@vanderkooij.org> Julian Field wrote: > I've got a problem caused by Fedora 10. > They have changed the RPM build structure so that RPMs now build under > ~/rpmbuild instead of /usr/src/redhat. But that's not the problem. > > The problem is that the site_perl directory is now under > /usr/local/lib/perl5 and not /usr/lib/perl5. But if you specify a > "PREFIX" in the call to Makefile.PL to generate the Makefile, like I > always have done, then the perl-site-specific directories are set wrong, > it leaves them under /usr/lib/perl5. Have you looked at a tool like: https://admin.fedoraproject.org/pkgdb/packages/name/perl-Package-Generator I recall having seen a few minor items with the current spec files that might explain your current issues. Need to look at them again. Hugo. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. I am not in the office at the moment. Send any work to be translated. From mailscanner at barendse.to Wed Jan 7 10:49:57 2009
From: mailscanner at barendse.to (Remco Barendse) Date: Wed Jan 7 10:50:14 2009 Subject: MailScanner ANNOUNCE: Stable release 4.74.12 In-Reply-To: <495F4840.8050603@ecs.soton.ac.uk> References: <495F4840.8050603@ecs.soton.ac.uk> Message-ID: On Sat, 3 Jan 2009, Julian Field wrote: > TNEF had been upgraded to 1.4.5. Thanks for the update Julian! I installed MailScanner on Centos 4.7 and got this : Installing tnef decoder error: Failed dependencies: libc.so.6(GLIBC_2.4) is needed by tnef-1.4.5-1.i386 rtld(GNU_HASH) is needed by tnef-1.4.5-1.i386 Does this signal a significant problem? Remco From prandal at herefordshire.gov.uk Wed Jan 7 10:57:47 2009 
From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Wed Jan 7 10:58:10 2009 Subject: Could not open Bayes rebuild lockfile /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock, No such file or directory In-Reply-To: References: <20090106113530.41bc2d32@btj-laptop.asp-as.no> <49633EDC.4020709@ecs.soton.ac.uk> <20090106124443.3882cea3@btj-laptop.asp-as.no> <496346EB.1070200@ecs.soton.ac.uk> <20090106131634.776f66e4@btj-laptop.asp-as.no><49636707.5060608@tradoc.fr> Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA0587CCDC@HC-MBX02.herefordshire.gov.uk> Works for me on CentOS 5.2 and MailScanner 4.74.13. Cheers, Phil -- Phil Randal | Networks Engineer Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division Thorn Office Centre, Rotherwas, Hereford, HR2 6JT Tel: 01432 260160 email: prandal@herefordshire.gov.uk Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Herefordshire Council. This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it. -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Brian Sent: 07 January 2009 01:25 To: mailscanner@lists.mailscanner.info Subject: Re: Could not open Bayes rebuild lockfile /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock,No such file or directory John Wilcock tradoc.fr> writes: > RPM users aren't reporting this AFAICT, so maybe there's an omission > in the tar.gz version of mailscanner_create_locks. > > John. > Guys, I've just upgraded an RPM based system (centos 5.2) to 4.74.13 and I am also getting those messages. Mail seems to be passing through OK though. Cheers. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From MailScanner at ecs.soton.ac.uk Wed Jan 7 11:06:02 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Jan 7 11:06:25 2009 Subject: Could not open Bayes rebuild lock file /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock, No such file or directory In-Reply-To: <49637AFA.6040905@ecs.soton.ac.uk> References: <20090106113530.41bc2d32@btj-laptop.asp-as.no> <49633EDC.4020709@ecs.soton.ac.uk> <20090106124443.3882cea3@btj-laptop.asp-as.no> <496346EB.1070200@ecs.soton.ac.uk> <20090106131634.776f66e4@btj-laptop.asp-as.no> <49637AFA.6040905@ecs.soton.ac.uk> Message-ID: <49648C9A.3060706@ecs.soton.ac.uk> Attached are two scripts. Both are gzipped to save bandwidth. "mailscanner_create_locks" should be put in /opt/MailScanner/bin if you use the "Other Unix" distribution of MailScanner. "mailscanner_create_locks.redhat" should be put in /usr/sbin and renamed to "mailscanner_create_locks" if you use either of the RPM distributions of MailScanner. Don't forget to make it executable! cd /usr/sbin chmod a+rx mailscanner_create_locks Please let me know if this fixes the problem. On 6/1/09 15:38, Julian Field wrote: > I'll try to remember to check on this one later and get back to you. > > On 6/1/09 12:16, Bjørn T Johansen wrote: >> I think MailScanner can run the script, at least I have the >> following...: >> (and running the script gives no error messages...) 
>> >> ls /var/spool/MailScanner/incoming/Locks/ -l >> total 1 >> -rw------- 1 root root 0 2009-01-06 10:55 antivirBusy.lock >> -rw------- 1 root root 0 2009-01-06 10:55 avastBusy.lock >> -rw------- 1 root root 0 2009-01-06 10:55 avgBusy.lock >> -rw------- 1 root root 0 2009-01-06 10:55 bitdefenderBusy.lock >> -rw------- 1 root root 50 2009-01-06 13:04 clamavBusy.lock >> -rw------- 1 root root 0 2009-01-06 10:55 cssBusy.lock >> -rw------- 1 root root 0 2009-01-06 10:55 esetsBusy.lock >> -rw------- 1 root root 0 2009-01-06 10:55 etrustBusy.lock >> -rw------- 1 root root 0 2009-01-06 10:55 f-prot-6Busy.lock >> -rw------- 1 root root 0 2009-01-06 10:55 f-protBusy.lock >> -rw------- 1 root root 0 2009-01-06 10:55 f-secureBusy.lock >> -rw------- 1 root root 0 2009-01-06 10:55 genericBusy.lock >> -rw------- 1 root root 0 2009-01-06 10:55 inoculanBusy.lock >> -rw------- 1 root root 0 2009-01-06 10:55 kasperskyBusy.lock >> -rw------- 1 root root 0 2009-01-06 10:55 mcafeeBusy.lock >> -rw------- 1 root root 0 2009-01-06 10:55 nod32Busy.lock >> -rw------- 1 root root 0 2009-01-06 10:55 normanBusy.lock >> -rw------- 1 root root 0 2009-01-06 10:55 pandaBusy.lock >> -rw------- 1 root root 0 2009-01-06 10:55 ravBusy.lock >> -rw------- 1 root root 0 2009-01-06 10:55 sophosBusy.lock >> -rw------- 1 root root 0 2009-01-06 10:55 symscanengineBusy.lock >> -rw------- 1 root root 0 2009-01-06 10:55 trendBusy.lock >> -rw------- 1 root root 0 2009-01-06 10:55 vba32Busy.lock >> -rw------- 1 root root 0 2009-01-06 10:55 vexiraBusy.lock >> >> >> But MS.bayes.rebuild.lock is missing? >> >> >> >> BTJ >> >> On Tue, 06 Jan 2009 11:56:27 +0000 >> Julian Field wrote: >> >>> On 6/1/09 11:44, Bjørn T Johansen wrote: >>>> I just ran the install.sh script like I always do... >>>> I am running on Linux, Ubuntu Server and use the tar.gz >>>> distribution of MailScanner.. (Version 4.74.13-2 for Solaris / BSD >>>> / Other Linux / Other >>>> Unix ) >>>> >>>> >>>> Do I need to do more? 
I had version 4.70 before I upgraded.... >>>> >>> There's a new script in the bin directory called >>> mailscanner_create_locks, you need to make sure MailScanner can run >>> that >>> from /opt/MailScanner/bin. >>>> BTJ >>>> >>>> On Tue, 06 Jan 2009 11:22:04 +0000 >>>> Julian Field wrote: >>>> >>>> >>>>> What OS? What distribution of MailScanner? Did you install all the >>>>> parts >>>>> of MailScanner, including any new scripts I might have added to the >>>>> "bin" directory? >>>>> If you only install half of it, funnily enough it won't work :-) >>>>> >>>>> Jules. >>>>> >>>>> On 6/1/09 10:35, Bjørn T Johansen wrote: >>>>> >>>>>> I upgraded to version 4.74 and I now get a lot of these in the >>>>>> log..: >>>>>> >>>>>> Jan 6 11:17:50 pat MailScanner[11207]: New Batch: Scanning 1 >>>>>> messages, 7216 bytes >>>>>> Jan 6 11:17:51 pat MailScanner[11207]: Could not open Bayes >>>>>> rebuild lock file >>>>>> /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock, No >>>>>> such file or directory >>>>>> Jan 6 11:17:51 pat MailScanner[11207]: At start of SA checks >>>>>> could not open >>>>>> /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock, >>>>>> Jan 6 11:17:58 pat MailScanner[11207]: Virus and Content >>>>>> Scanning: Starting >>>>>> >>>>>> >>>>>> Why? And what can I do to fix this? >>>>>> >>>>>> >>>>>> Regards, >>>>>> >>>>>> BTJ >>>>>> >>>>>> >>>>>> >>>>> Jules >>>>> >>>>> >>>> >>> Jules >>> >> = > > Jules > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: mailscanner_create_locks.redhat.gz Type: application/gzip Size: 986 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090107/86b43c90/mailscanner_create_locks.redhat.bin -------------- next part -------------- A non-text attachment was scrubbed... Name: mailscanner_create_locks.gz Type: application/gzip Size: 982 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090107/86b43c90/mailscanner_create_locks.bin From chokimbo at gmail.com Wed Jan 7 11:15:58 2009 From: chokimbo at gmail.com (ichwan nur hakim) Date: Wed Jan 7 11:16:07 2009 Subject: Good config for Mailscanner Message-ID: <928434630901070315w2edb25bboee5cb4184a1a68@mail.gmail.com> Hi guys, I have installed Mailscanner on opensuse 10.3 with success, but I am still receiving much SPAM in my email, how powerful is that mailscanner setting..??? any advice for the Spamassassin Score..??? default value is 10, maybe I must set it to 1 to be so powerful. Thanks -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090107/4cbbc54c/attachment.html From maillists at conactive.com Wed Jan 7 11:31:21 2009 From: maillists at conactive.com (Kai Schaetzl) Date: Wed Jan 7 11:31:34 2009 Subject: [mkettler_sa@verizon.net: {?} Change the score of BAYES_9*] In-Reply-To: <20090107015134.GA19127@doctor.nl2k.ab.ca> References: <20090107015134.GA19127@doctor.nl2k.ab.ca> Message-ID: "Dave Shariff Yadallee - System Administrator a.k.a. The Root of the wrote on Tue, 6 Jan 2009 18:51:34 -0700: > The Root of theProblem yes, indeed. Can you please stop this? Thanks. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From maillists at conactive.com Wed Jan 7 11:31:21 2009 
From: maillists at conactive.com (Kai Schaetzl) Date: Wed Jan 7 11:31:35 2009 Subject: Could not open Bayes rebuild lock file /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock, No such file or directory In-Reply-To: <49636707.5060608@tradoc.fr> References: <20090106113530.41bc2d32@btj-laptop.asp-as.no> <49633EDC.4020709@ecs.soton.ac.uk> <20090106124443.3882cea3@btj-laptop.asp-as.no> <496346EB.1070200@ecs.soton.ac.uk> <20090106131634.776f66e4@btj-laptop.asp-as.no> <49636707.5060608@tradoc.fr> Message-ID: John Wilcock wrote on Tue, 06 Jan 2009 15:13:27 +0100: > RPM users aren't reporting this AFAICT, so maybe there's an omission in > the tar.gz version of mailscanner_create_locks. Don't think so. As I've been working on some bayes stuff yesterday I had the chance to see the "original" expiry lock from sa-learn and it's "bayes.lock". It gets created when SA starts an expiry run and appears in the Bayes directory. As MailScanner uses the SA Perl module the procedure there is slightly different and you get "MS.bayes.rebuild.lock". Either because the Perl module uses a slightly different name and prefixes it with "MS" or because Julian tells it to name it like this. Before the changes to the lock path this occurred in the Bayes directory, now it occurs in the general MS lock directory and I assume some permission is missing. Or it still gets created in the Bayes dir (have a look) but looked for in the other place. As all the fixes were about virusscanner wrappers that one got easily overlooked, especially if auto-expiry is switched off ;-) As I already wrote in another message the quick fix is to set bayes_auto_expire to 0 in your spamassassin.prefs.conf and do a nightly "sa-learn --force-expiry". This is actually a good thing to do, anyway. Just leaving it "as is" does work but will slow down your processing as your SA obviously is trying to expire with each run. 
Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From MailScanner at ecs.soton.ac.uk Wed Jan 7 11:32:37 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Jan 7 11:32:59 2009 Subject: Could not open Bayes rebuild lockfile /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock, No such file or directory In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA0587CCDC@HC-MBX02.herefordshire.gov.uk> References: <20090106113530.41bc2d32@btj-laptop.asp-as.no> <49633EDC.4020709@ecs.soton.ac.uk> <20090106124443.3882cea3@btj-laptop.asp-as.no> <496346EB.1070200@ecs.soton.ac.uk> <20090106131634.776f66e4@btj-laptop.asp-as.no><49636707.5060608@tradoc.fr> <7EF0EE5CB3B263488C8C18823239BEBA0587CCDC@HC-MBX02.herefordshire.gov.uk> Message-ID: <496492D5.3080804@ecs.soton.ac.uk> It will work on systems with "Run As User = root" or "Run As User =". Other users will have trouble, and need the replacement mailscanner_create_locks in my other post. On 7/1/09 10:57, Randal, Phil wrote: > Works for me on CentOS 5.2 and MailScanner 4.74.13. > > Cheers, > > Phil > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc From btj at havleik.no Wed Jan 7 11:39:39 2009 
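The situation described in the two messages above (lock files created as root with mode -rw-------, while MailScanner runs under a non-root "Run As User"), as an added example that is not part of the thread and not MailScanner code: a Python check that lists which *.lock files a given uid cannot open read-write and whether MS.bayes.rebuild.lock is missing. The function names, the uid/gid arguments and the temporary sample directory are assumptions made for illustration.

```python
import os
import stat
import tempfile

# Lock file the thread reports as missing after the upgrade to 4.74.
EXPECTED_LOCKS = ("MS.bayes.rebuild.lock",)


def can_open_rw(st, uid, gids):
    """Classic Unix owner/group/other test for read+write on one file."""
    if uid == 0:
        return True  # root is not restricted by the mode bits
    if st.st_uid == uid:
        need = stat.S_IRUSR | stat.S_IWUSR
    elif st.st_gid in gids:
        need = stat.S_IRGRP | stat.S_IWGRP
    else:
        need = stat.S_IROTH | stat.S_IWOTH
    return (st.st_mode & need) == need


def audit_lock_dir(lock_dir, uid, gids=(), expected=EXPECTED_LOCKS):
    """Return (missing, unusable) for the account MailScanner runs as.

    missing  : expected lock names that do not exist in lock_dir
    unusable : (name, mode string, owner uid, owner gid) for every *.lock
               entry that is not a regular file or that uid cannot open
               for reading and writing
    """
    gids = set(gids)
    names = sorted(n for n in os.listdir(lock_dir) if n.endswith(".lock"))
    missing = [n for n in expected if n not in names]
    unusable = []
    for name in names:
        # lstat: a symlink placed in the lock directory is reported, not followed
        st = os.lstat(os.path.join(lock_dir, name))
        if not stat.S_ISREG(st.st_mode) or not can_open_rw(st, uid, gids):
            unusable.append(
                (name, stat.filemode(st.st_mode), st.st_uid, st.st_gid)
            )
    return missing, unusable


def demo():
    """Constructed sample: two 0600 locks checked for a different, non-root uid."""
    lock_dir = tempfile.mkdtemp(prefix="Locks.")
    for name in ("clamavBusy.lock", "sophosBusy.lock"):
        path = os.path.join(lock_dir, name)
        open(path, "w").close()
        os.chmod(path, 0o600)  # same mode as in the listing posted in the thread
    other_uid = os.getuid() + 1  # hypothetical non-root "Run As User"
    return audit_lock_dir(lock_dir, other_uid)


if __name__ == "__main__":
    missing, unusable = demo()
    for name in missing:
        print("missing :", name)
    for name, mode, owner, group in unusable:
        print("unusable:", name, mode, "uid=%d gid=%d" % (owner, group))
```

On a real host, pass the lock directory from the log message and the uid and group ids of the account named in "Run As User" instead of calling demo().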
From: btj at havleik.no (=?ISO-8859-1?Q?Bj=F8rn?= T Johansen) Date: Wed Jan 7 11:44:47 2009 Subject: Could not open Bayes rebuild lock file /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock, No such file or directory In-Reply-To: <49648C9A.3060706@ecs.soton.ac.uk> References: <20090106113530.41bc2d32@btj-laptop.asp-as.no> <49633EDC.4020709@ecs.soton.ac.uk> <20090106124443.3882cea3@btj-laptop.asp-as.no> <496346EB.1070200@ecs.soton.ac.uk> <20090106131634.776f66e4@btj-laptop.asp-as.no> <49637AFA.6040905@ecs.soton.ac.uk> <49648C9A.3060706@ecs.soton.ac.uk> Message-ID: <20090107123939.1e2015c6@btj-laptop.asp-as.no> Well, the log message disappeared and I got two more lock files in the Lock directory... :) BTJ On Wed, 07 Jan 2009 11:06:02 +0000 Julian Field wrote: > Attached are two scripts. Both are gzipped to save bandwidth. > "mailscanner_create_locks" should be put in /opt/MailScanner/bin if you > use the "Other Unix" distribution of MailScanner. > "mailscanner_create_locks.redhat" should be put in /usr/sbin and renamed > to "mailscanner_create_locks" if you use either of the RPM distributions > of MailScanner. > > Don't forget to make it executable! > cd /usr/sbin > chmod a+rx mailscanner_create_locks > > Please let me know if this fixes the problem. From btj at havleik.no Wed Jan 7 11:46:39 2009 
From: btj at havleik.no (=?ISO-8859-1?Q?Bj=F8rn?= T Johansen) Date: Wed Jan 7 11:47:04 2009 Subject: Could not open Bayes rebuild lock file /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock, No such file or directory In-Reply-To: <49648C9A.3060706@ecs.soton.ac.uk> References: <20090106113530.41bc2d32@btj-laptop.asp-as.no> <49633EDC.4020709@ecs.soton.ac.uk> <20090106124443.3882cea3@btj-laptop.asp-as.no> <496346EB.1070200@ecs.soton.ac.uk> <20090106131634.776f66e4@btj-laptop.asp-as.no> <49637AFA.6040905@ecs.soton.ac.uk> <49648C9A.3060706@ecs.soton.ac.uk> Message-ID: <20090107124639.4fc576a4@btj-laptop.asp-as.no> One problem... Mail is never delivered with the new lock files.... (never = waited 5 minutes but the queue only grew larger...) BTJ On Wed, 07 Jan 2009 11:06:02 +0000 Julian Field wrote: > Attached are two scripts. Both are gzipped to save bandwidth. > "mailscanner_create_locks" should be put in /opt/MailScanner/bin if you > use the "Other Unix" distribution of MailScanner. > "mailscanner_create_locks.redhat" should be put in /usr/sbin and renamed > to "mailscanner_create_locks" if you use either of the RPM distributions > of MailScanner. > > Don't forget to make it executable! > cd /usr/sbin > chmod a+rx mailscanner_create_locks > > Please let me know if this fixes the problem. From brian at datamatters.com.au Wed Jan 7 12:01:15 2009 
From: brian at datamatters.com.au (Brian) Date: Wed Jan 7 12:01:36 2009 Subject: Could not open Bayes rebuild lock file /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock, No such file or directory References: <20090106113530.41bc2d32@btj-laptop.asp-as.no> <49633EDC.4020709@ecs.soton.ac.uk> <20090106124443.3882cea3@btj-laptop.asp-as.no> <496346EB.1070200@ecs.soton.ac.uk> <20090106131634.776f66e4@btj-laptop.asp-as.no> <49637AFA.6040905@ecs.soton.ac.uk> <49648C9A.3060706@ecs.soton.ac.uk> <20090107124639.4fc576a4@btj-laptop.asp-as.no> Message-ID: Bjørn T Johansen havleik.no> writes: > > One problem... Mail is never delivered with the new lock files.... (never = waited 5 minutes but the queue > only grew larger...) > Me too. Mail is sitting in the queue. From maillists at conactive.com Wed Jan 7 12:14:13 2009 From: maillists at conactive.com (Kai Schaetzl) Date: Wed Jan 7 12:14:26 2009 Subject: Could not open Bayes rebuild lockfile /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock, No such file or directory In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA0587CCDC@HC-MBX02.herefordshire.gov.uk> References: <20090106113530.41bc2d32@btj-laptop.asp-as.no> <49633EDC.4020709@ecs.soton.ac.uk> <20090106124443.3882cea3@btj-laptop.asp-as.no> <496346EB.1070200@ecs.soton.ac.uk> <20090106131634.776f66e4@btj-laptop.asp-as.no> <49636707.5060608@tradoc.fr> <7EF0EE5CB3B263488C8C18823239BEBA0587CCDC@HC-MBX02.herefordshire.gov.uk> Message-ID: Phil Randal wrote on Wed, 7 Jan 2009 10:57:47 -0000: > Works for me on CentOS 5.2 and MailScanner 4.74.13. It doesn't, you (like me) just don't encounter it as no expiry is triggered. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From maillists at conactive.com Wed Jan 7 12:14:13 2009 
From: maillists at conactive.com (Kai Schaetzl)
Date: Wed Jan 7 12:14:26 2009
Subject: MailScanner ANNOUNCE: Stable release 4.74.12
In-Reply-To:
References: <495F4840.8050603@ecs.soton.ac.uk>
Message-ID:

Remco Barendse wrote on Wed, 7 Jan 2009 11:49:57 +0100 (CET):

> Does this signal a significant problem?

it won't install ;-) glibc on CentOS 4 is 2.3 and this package requires 2.4.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Wed Jan 7 12:14:12 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Wed Jan 7 12:14:26 2009
Subject: MailScanner --lint error
In-Reply-To: <567221C09601934AA5CE9762FDA09A5001C3E0@EXCHTEMP.biz.pwr-sys.com>
References: <567221C09601934AA5CE9762FDA09A5001C3D7@EXCHTEMP.biz.pwr-sys.com> <495FBCAE.60204@ecs.soton.ac.uk> <567221C09601934AA5CE9762FDA09A5001C3D9@EXCHTEMP.biz.pwr-sys.com> <496083A2.2090909@ecs.soton.ac.uk> <567221C09601934AA5CE9762FDA09A5001C3DA@EXCHTEMP.biz.pwr-sys.com> <72cf361e0901041213g512c4b70x84c3ad8ebeec55fc@mail.gmail.com> <567221C09601934AA5CE9762FDA09A5001C3DE@EXCHTEMP.biz.pwr-sys.com> <567221C09601934AA5CE9762FDA09A5001C3E0@EXCHTEMP.biz.pwr-sys.com>
Message-ID:
Reply-To: mailscanner@lists.mailscanner.info

Greg J. McGreevy wrote on Tue, 6 Jan 2009 19:55:01 -0500:

> followed this one below that Julian sent me did not miss anything
> with the exception of the Rules de jour which was not in my version
> and I have since undone all of the entries.

The rules du jour was missing because you never added it and as it was the old method of getting some updated third-party rules that's perfectly okay. But you must have added some wrong stuff either to MailScanner.conf or to a ruleset file to get that error message, incorrect rules in spamassassin.prefs.conf wouldn't throw that.

> Yes huge problem with this open source stuff is the piss poor documentation

I disagree. Both MailScanner and SA are documented quite well. But administering a mail/mail scanning server is a complex task, so there's no simple step-by-step tutorial available as each setup is slightly different. As for extra rules I just removed most extra rules from my setups as they are catching too few and are not worth it anymore. Especially the SARE rules are out-dated.

So, after removal of all changes, does your MS work basically now?

> I would like some help let me know when you are available

I'll mail you.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From root at doctor.nl2k.ab.ca Wed Jan 7 12:35:19 2009
From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem)
Date: Wed Jan 7 12:36:49 2009
Subject: [mkettler_sa@verizon.net: {?} Change the score of BAYES_9*]
In-Reply-To:
References: <20090107015134.GA19127@doctor.nl2k.ab.ca>
Message-ID: <20090107123519.GB9053@doctor.nl2k.ab.ca>

On Wed, Jan 07, 2009 at 12:31:21PM +0100, Kai Schaetzl wrote:
> "Dave Shariff Yadallee - System Administrator a.k.a. The Root of the wrote
> on Tue, 6 Jan 2009 18:51:34 -0700:
>
> > The Root of theProblem
>
> yes, indeed. Can you please stop this? Thanks.
>
> Kai
>

Nice humour?

Can I have an answer to the question pointed out?

too much getting through here!

> --
> Kai Schätzl, Berlin, Germany
> Get your web at Conactive Internet Services: http://www.conactive.com
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>

-- 
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From MailScanner at ecs.soton.ac.uk Wed Jan 7 12:38:27 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Jan 7 12:38:49 2009
Subject: Could not open Bayes rebuild lock file /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock, No such file or directory
In-Reply-To: <20090107124639.4fc576a4@btj-laptop.asp-as.no>
References: <20090106113530.41bc2d32@btj-laptop.asp-as.no> <49633EDC.4020709@ecs.soton.ac.uk> <20090106124443.3882cea3@btj-laptop.asp-as.no> <496346EB.1070200@ecs.soton.ac.uk> <20090106131634.776f66e4@btj-laptop.asp-as.no> <49637AFA.6040905@ecs.soton.ac.uk> <49648C9A.3060706@ecs.soton.ac.uk> <20090107124639.4fc576a4@btj-laptop.asp-as.no>
Message-ID: <4964A243.30003@ecs.soton.ac.uk>

Can you try the attached SA.pm and let me know if it's any better.
Sorry, file locking problems (as usual!).

On 7/1/09 11:46, Bjørn T Johansen wrote:
> One problem... Mail is never delivered with the new lock files.... (never = waited 5 minutes but the queue only grew larger...)
>
> BTJ
>
> On Wed, 07 Jan 2009 11:06:02 +0000
> Julian Field wrote:
>
>> Attached are two scripts. Both are gzipped to save bandwidth.
>> "mailscanner_create_locks" should be put in /opt/MailScanner/bin if you
>> use the "Other Unix" distribution of MailScanner.
>> "mailscanner_create_locks.redhat" should be put in /usr/sbin and renamed
>> to "mailscanner_create_locks" if you use either of the RPM distributions
>> of MailScanner.
>>
>> Don't forget to make it executable!
>> cd /usr/sbin
>> chmod a+rx mailscanner_create_locks
>>
>> Please let me know if this fixes the problem.
>>
>> On 6/1/09 15:38, Julian Field wrote:
>>
>>> I'll try to remember to check on this one later and get back to you.
>>>
>>> On 6/1/09 12:16, Bjørn T Johansen wrote:
>>>
>>>> I think MailScanner can run the script, at least I have the
>>>> following...:
>>>> (and running the script gives no error messages...)
>>>>
>>>> ls /var/spool/MailScanner/incoming/Locks/ -l
>>>> total 1
>>>> -rw------- 1 root root 0 2009-01-06 10:55 antivirBusy.lock
>>>> -rw------- 1 root root 0 2009-01-06 10:55 avastBusy.lock
>>>> -rw------- 1 root root 0 2009-01-06 10:55 avgBusy.lock
>>>> -rw------- 1 root root 0 2009-01-06 10:55 bitdefenderBusy.lock
>>>> -rw------- 1 root root 50 2009-01-06 13:04 clamavBusy.lock
>>>> -rw------- 1 root root 0 2009-01-06 10:55 cssBusy.lock
>>>> -rw------- 1 root root 0 2009-01-06 10:55 esetsBusy.lock
>>>> -rw------- 1 root root 0 2009-01-06 10:55 etrustBusy.lock
>>>> -rw------- 1 root root 0 2009-01-06 10:55 f-prot-6Busy.lock
>>>> -rw------- 1 root root 0 2009-01-06 10:55 f-protBusy.lock
>>>> -rw------- 1 root root 0 2009-01-06 10:55 f-secureBusy.lock
>>>> -rw------- 1 root root 0 2009-01-06 10:55 genericBusy.lock
>>>> -rw------- 1 root root 0 2009-01-06 10:55 inoculanBusy.lock
>>>> -rw------- 1 root root 0 2009-01-06 10:55 kasperskyBusy.lock
>>>> -rw------- 1 root root 0 2009-01-06 10:55 mcafeeBusy.lock
>>>> -rw------- 1 root root 0 2009-01-06 10:55 nod32Busy.lock
>>>> -rw------- 1 root root 0 2009-01-06 10:55 normanBusy.lock
>>>> -rw------- 1 root root 0 2009-01-06 10:55 pandaBusy.lock
>>>> -rw------- 1 root root 0 2009-01-06 10:55 ravBusy.lock
>>>> -rw------- 1 root root 0 2009-01-06 10:55 sophosBusy.lock
>>>> -rw------- 1 root root 0 2009-01-06 10:55 symscanengineBusy.lock
>>>> -rw------- 1 root root 0 2009-01-06 10:55 trendBusy.lock
>>>> -rw------- 1 root root 0 2009-01-06 10:55 vba32Busy.lock
>>>> -rw------- 1 root root 0 2009-01-06 10:55 vexiraBusy.lock
>>>>
>>>> But MS.bayes.rebuild.lock is missing?
>>>>
>>>> BTJ
>>>>
>>>> On Tue, 06 Jan 2009 11:56:27 +0000
>>>> Julian Field wrote:
>>>>
>>>>> On 6/1/09 11:44, Bjørn T Johansen wrote:
>>>>>
>>>>>> I just ran the install.sh script like I always do...
>>>>>> I am running on Linux, Ubuntu Server and use the tar.gz
>>>>>> distribution of MailScanner.. (Version 4.74.13-2 for Solaris / BSD
>>>>>> / Other Linux / Other
>>>>>> Unix )
>>>>>>
>>>>>> Do I need to do more? I had version 4.70 before I upgraded....
>>>>>>
>>>>> There's a new script in the bin directory called
>>>>> mailscanner_create_locks, you need to make sure MailScanner can run
>>>>> that
>>>>> from /opt/MailScanner/bin.
>>>>>
>>>>>> BTJ
>>>>>>
>>>>>> On Tue, 06 Jan 2009 11:22:04 +0000
>>>>>> Julian Field wrote:
>>>>>>
>>>>>>> What OS? What distribution of MailScanner? Did you install all the
>>>>>>> parts
>>>>>>> of MailScanner, including any new scripts I might have added to the
>>>>>>> "bin" directory?
>>>>>>> If you only install half of it, funnily enough it won't work :-)
>>>>>>>
>>>>>>> Jules.
>>>>>>>
>>>>>>> On 6/1/09 10:35, Bjørn T Johansen wrote:
>>>>>>>
>>>>>>>> I upgraded to version 4.74 and I now get a lot of these in the
>>>>>>>> log..:
>>>>>>>>
>>>>>>>> Jan 6 11:17:50 pat MailScanner[11207]: New Batch: Scanning 1
>>>>>>>> messages, 7216 bytes
>>>>>>>> Jan 6 11:17:51 pat MailScanner[11207]: Could not open Bayes
>>>>>>>> rebuild lock file
>>>>>>>> /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock, No
>>>>>>>> such file or directory
>>>>>>>> Jan 6 11:17:51 pat MailScanner[11207]: At start of SA checks
>>>>>>>> could not open
>>>>>>>> /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock,
>>>>>>>> Jan 6 11:17:58 pat MailScanner[11207]: Virus and Content
>>>>>>>> Scanning: Starting
>>>>>>>>
>>>>>>>> Why? And what can I do to fix this?
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>>
>>>>>>>> BTJ
>>>>>>>>
>>>>>>> Jules
>>>>>>>
>>>>> Jules
>>>>>
>>>> =
>>>>
>>> Jules
>>>
>> Jules
>>
>

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

-------------- next part --------------
A non-text attachment was scrubbed...
Name: SA.pm.gz
Type: application/gzip
Size: 12726 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090107/44397fd0/SA.pm.bin

From btj at havleik.no Wed Jan 7 12:53:02 2009
From: btj at havleik.no (Bjørn T Johansen)
Date: Wed Jan 7 12:53:36 2009
Subject: Could not open Bayes rebuild lock file /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock, No such file or directory
In-Reply-To: <4964A243.30003@ecs.soton.ac.uk>
References: <20090106113530.41bc2d32@btj-laptop.asp-as.no> <49633EDC.4020709@ecs.soton.ac.uk> <20090106124443.3882cea3@btj-laptop.asp-as.no> <496346EB.1070200@ecs.soton.ac.uk> <20090106131634.776f66e4@btj-laptop.asp-as.no> <49637AFA.6040905@ecs.soton.ac.uk> <49648C9A.3060706@ecs.soton.ac.uk> <20090107124639.4fc576a4@btj-laptop.asp-as.no> <4964A243.30003@ecs.soton.ac.uk>
Message-ID: <20090107135302.6cf5ca15@btj-laptop.asp-as.no>

Yes, that seems to be working... Thx... :)

BTJ

On Wed, 07 Jan 2009 12:38:27 +0000
Julian Field wrote:

> Can you try the attached SA.pm and let me know if it's any better.
> Sorry, file locking problems (as usual!).

From maillists at conactive.com Wed Jan 7 13:16:12 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Wed Jan 7 13:16:23 2009
Subject: [mkettler_sa@verizon.net: {?} Change the score of BAYES_9*]
In-Reply-To: <20090107123519.GB9053@doctor.nl2k.ab.ca>
References: <20090107015134.GA19127@doctor.nl2k.ab.ca> <20090107123519.GB9053@doctor.nl2k.ab.ca>
Message-ID:

"Dave Shariff Yadallee - System Administrator a.k.a. The Root of the wrote on Wed, 7 Jan 2009 05:35:19 -0700:

> Nice humour?
>
> Can I have an answer to the question pointed out?
>
> too much getting through here!

That's not my problem. I can assure you that you are *not* behaving nice, humour or not.
You posted a question on another mailing list, you got a good and correct answer there, you forwarded that answer to another (this) mailing list for no good reason and without any explanation and when somebody asks you to stop that (in anticipation of more) you demand an answer? Do you think this is appropriate behavior?

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From root at doctor.nl2k.ab.ca Wed Jan 7 13:29:38 2009
From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem)
Date: Wed Jan 7 13:30:50 2009
Subject: [mkettler_sa@verizon.net: {?} Change the score of BAYES_9*]
In-Reply-To:
References: <20090107015134.GA19127@doctor.nl2k.ab.ca> <20090107123519.GB9053@doctor.nl2k.ab.ca>
Message-ID: <20090107132937.GA15610@doctor.nl2k.ab.ca>

On Wed, Jan 07, 2009 at 02:16:12PM +0100, Kai Schaetzl wrote:
> "Dave Shariff Yadallee - System Administrator a.k.a. The Root of the wrote
> on Wed, 7 Jan 2009 05:35:19 -0700:
>
> > Nice humour?
> >
> > Can I have an answer to the question pointed out?
> >
> > too much getting through here!
>
> That's not my problem. I can assure you that you are *not* behaving nice,
> humour or not.
> You posted a question on another mailing list, you got a good and correct
> answer there, you forwarded that answer to another (this) mailing list for
> no good reason and without any explanation and when somebody asks you to
> stop that (in anticipation of more) you demand an answer? Do you think
> this is appropriate behavior?
>

I was referring to the point they make about MailScanner.

Weirdly enough the other box running MailScanner is using the higher value but not this one.

That is a little confusing.

> Kai
>
> --
> Kai Schätzl, Berlin, Germany
> Get your web at Conactive Internet Services: http://www.conactive.com

From memmas at otenet.gr Wed Jan 7 14:32:57 2009
From: memmas at otenet.gr (memmas)
Date: Wed Jan 7 14:33:05 2009
Subject: After upgrade to MS 4.74 mails are stuck in queue.
Message-ID: <4964BD19.2040607@otenet.gr>

I'm using slackware 12.2
postfix 2.5.5
ClamAV 0.94.2
Spamassassin 3.2.5

after upgrade to 4.74 (same applies to beta) I get a loop in mail log and nothing happening, mail are stuck in queue.

Jan 7 16:03:47 devel MailScanner[22474]: MailScanner E-Mail Virus Scanner version 4.74.13 starting...
Jan 7 16:03:47 devel MailScanner[22474]: Read 848 hostnames from the phishing whitelist
Jan 7 16:03:47 devel MailScanner[22474]: Read 3820 hostnames from the phishing blacklist
Jan 7 16:03:47 devel MailScanner[22474]: Using SpamAssassin results cache
Jan 7 16:03:47 devel MailScanner[22474]: Connected to SpamAssassin cache database
Jan 7 16:03:47 devel MailScanner[22474]: Enabling SpamAssassin auto-whitelist functionality...
Jan 7 16:03:49 devel MailScanner[22474]: I have found clamav scanners installed, and will use them all by default.
Jan 7 16:03:49 devel MailScanner[22474]: Using locktype = flock
Jan 7 16:03:52 devel MailScanner[22530]: MailScanner E-Mail Virus Scanner version 4.74.13 starting...
Jan 7 16:03:52 devel MailScanner[22530]: Read 848 hostnames from the phishing whitelist
Jan 7 16:03:52 devel MailScanner[22530]: Read 3820 hostnames from the phishing blacklist
Jan 7 16:03:52 devel MailScanner[22530]: Using SpamAssassin results cache
Jan 7 16:03:52 devel MailScanner[22530]: Connected to SpamAssassin cache database
Jan 7 16:03:52 devel MailScanner[22530]: Enabling SpamAssassin auto-whitelist functionality...
Jan 7 16:03:54 devel MailScanner[22530]: I have found clamav scanners installed, and will use them all by default.
Jan 7 16:03:54 devel MailScanner[22530]: Using locktype = flock
Jan 7 16:03:57 devel MailScanner[22586]: MailScanner E-Mail Virus Scanner version 4.74.13 starting...
Jan 7 16:03:57 devel MailScanner[22586]: Read 848 hostnames from the phishing whitelist
Jan 7 16:03:57 devel MailScanner[22586]: Read 3820 hostnames from the phishing blacklist
Jan 7 16:03:57 devel MailScanner[22586]: Using SpamAssassin results cache
Jan 7 16:03:57 devel MailScanner[22586]: Connected to SpamAssassin cache database
Jan 7 16:03:57 devel MailScanner[22586]: Enabling SpamAssassin auto-whitelist functionality...
Jan 7 16:03:59 devel MailScanner[22586]: I have found clamav scanners installed, and will use them all by default.
Jan 7 16:03:59 devel MailScanner[22586]: Using locktype = flock

thanks

From maillists at conactive.com Wed Jan 7 14:41:49 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Wed Jan 7 14:42:15 2009
Subject: [mkettler_sa@verizon.net: {?} Change the score of BAYES_9*]
In-Reply-To: <20090107132937.GA15610@doctor.nl2k.ab.ca>
References: <20090107015134.GA19127@doctor.nl2k.ab.ca> <20090107123519.GB9053@doctor.nl2k.ab.ca> <20090107132937.GA15610@doctor.nl2k.ab.ca>
Message-ID:

"Dave Shariff Yadallee - System Administrator a.k.a. The Root of the wrote on Wed, 7 Jan 2009 06:29:38 -0700:

> I was referring to the point they make about MailScanner.

you were not referring to anything, you just forwarded something without any further explanation. If you have a question please start a new thread and ask in a way everybody understands. And you may want to provide some details.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From steve.freegard at fsl.com Wed Jan 7 15:07:58 2009
From: steve.freegard at fsl.com (Steve Freegard)
Date: Wed Jan 7 15:08:08 2009
Subject: After upgrade to MS 4.74 mails are stuck in queue.
In-Reply-To: <4964BD19.2040607@otenet.gr>
References: <4964BD19.2040607@otenet.gr>
Message-ID: <4964C54E.5040400@fsl.com>

memmas wrote:
> I'm using slackware 12.2
> postfix 2.5.5
> ClamAV 0.94.2
> Spamassassin 3.2.5
>
> after upgrade to 4.74 (same applies to beta) I get a loop in mail log
> and nothing happening, mail are stuck in queue.
>

Run - 'MailScanner --debug' and post the output.

Regards,
Steve.

From MailScanner at ecs.soton.ac.uk Wed Jan 7 15:10:16 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Jan 7 15:10:38 2009
Subject: Could not open Bayes rebuild lock file /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock, No such file or directory
In-Reply-To: <20090107135302.6cf5ca15@btj-laptop.asp-as.no>
References: <20090106113530.41bc2d32@btj-laptop.asp-as.no> <49633EDC.4020709@ecs.soton.ac.uk> <20090106124443.3882cea3@btj-laptop.asp-as.no> <496346EB.1070200@ecs.soton.ac.uk> <20090106131634.776f66e4@btj-laptop.asp-as.no> <49637AFA.6040905@ecs.soton.ac.uk> <49648C9A.3060706@ecs.soton.ac.uk> <20090107124639.4fc576a4@btj-laptop.asp-as.no> <4964A243.30003@ecs.soton.ac.uk> <20090107135302.6cf5ca15@btj-laptop.asp-as.no>
Message-ID: <4964C5D8.3080308@ecs.soton.ac.uk>

You might want to try 4.74.15-1 as I have just released that and it contains a better version of the fix I have given you.
If you do try it, please let me know if it works okay.

On 7/1/09 12:53, Bjørn T Johansen wrote:
> Yes, that seems to be working... Thx... :)
>
> BTJ

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

From MailScanner at ecs.soton.ac.uk Wed Jan 7 15:12:10 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Jan 7 15:12:57 2009
Subject: Could not open Bayes rebuild lock file /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock, No such file or directory
In-Reply-To:
References: <20090106113530.41bc2d32@btj-laptop.asp-as.no> <49633EDC.4020709@ecs.soton.ac.uk> <20090106124443.3882cea3@btj-laptop.asp-as.no> <496346EB.1070200@ecs.soton.ac.uk> <20090106131634.776f66e4@btj-laptop.asp-as.no> <49637AFA.6040905@ecs.soton.ac.uk> <49648C9A.3060706@ecs.soton.ac.uk> <20090107124639.4fc576a4@btj-laptop.asp-as.no>
Message-ID: <4964C64A.8040207@ecs.soton.ac.uk>

On 7/1/09 12:01, Brian wrote:
> Bjørn T Johansen havleik.no> writes:
>
>> One problem... Mail is never delivered with the new lock files.... (never = waited 5 minutes but the queue
>> only grew larger...)
>>
>
> Me too. Mail is sitting in the queue.
>

Try 4.74.15-1.

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

From MailScanner at ecs.soton.ac.uk Wed Jan 7 15:12:30 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Jan 7 15:12:58 2009
Subject: After upgrade to MS 4.74 mails are stuck in queue.
In-Reply-To: <4964BD19.2040607@otenet.gr>
References: <4964BD19.2040607@otenet.gr>
Message-ID: <4964C65E.5090504@ecs.soton.ac.uk>

Try 4.74.15-1.

On 7/1/09 14:32, memmas wrote:
> I'm using slackware 12.2
> postfix 2.5.5
> ClamAV 0.94.2
> Spamassassin 3.2.5
>
> after upgrade to 4.74 (same applies to beta) I get a loop in mail log
> and nothing happening, mail are stuck in queue.
>
> thanks

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

From maxsec at gmail.com Wed Jan 7 15:34:18 2009
From: maxsec at gmail.com (Martin Hepworth)
Date: Wed Jan 7 15:34:32 2009
Subject: Good config for Mailscanner
In-Reply-To: <928434630901070315w2edb25bboee5cb4184a1a68@mail.gmail.com>
References: <928434630901070315w2edb25bboee5cb4184a1a68@mail.gmail.com>
Message-ID: <72cf361e0901070734k57cb147cqd93158276208c28f@mail.gmail.com>

2009/1/7 ichwan nur hakim :
> Hi guys,
>
> I have ben install Mailscanner in opensuse 10.3 and success, but I am still
> receipt much SPAM in my email, how powerful that settingan mainscanner..???
> any advice for SpamasassinScore..??? default value is 10, maybe i must set
> to 1 so powerfull.
>
> Thank's
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

hi

there's a section in the wiki about getting the most out of spamassassin.
Tuning this can take a little time for your environment.

A lot of people run spam score at 5 and high spam at 10. they deliver
below five, tag at 5 and dump at 10.

If you can put up a web page with an example email (full headers in
mbox format). people can run it over their systems and see which extra
rules to add first.

--
Martin Hepworth
Oxford, UK

From memmas at otenet.gr Wed Jan 7 15:35:24 2009
From: memmas at otenet.gr (memmas)
Date: Wed Jan 7 15:35:31 2009
Subject: After upgrade to MS 4.74 mails are stuck in queue.
In-Reply-To: <4964C54E.5040400@fsl.com>
References: <4964BD19.2040607@otenet.gr> <4964C54E.5040400@fsl.com>
Message-ID: <4964CBBC.8090909@otenet.gr>

This the output:

In Debugging mode, not forking...
Trying to setlogsock(unix)
Building a message batch to scan...

and pretty much stuck.

Try 4.74.15-1 unfortunately the same result.

thanks

Steve Freegard wrote:
> memmas wrote:
>> I'm using slackware 12.2
>> postfix 2.5.5
>> ClamAV 0.94.2
>> Spamassassin 3.2.5
>>
>> after upgrade to 4.74 (same applies to beta) I get a loop in mail log
>> and nothing happening, mail are stuck in queue.
>>
>
> Run - 'MailScanner --debug' and post the output.
>
> Regards,
> Steve.

From maillists at conactive.com Wed Jan 7 15:57:43 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Wed Jan 7 15:57:56 2009
Subject: Could not open Bayes rebuild lock file /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock, No such file or directory
In-Reply-To: <4964C64A.8040207@ecs.soton.ac.uk>
References: <20090106113530.41bc2d32@btj-laptop.asp-as.no> <49633EDC.4020709@ecs.soton.ac.uk> <20090106124443.3882cea3@btj-laptop.asp-as.no> <496346EB.1070200@ecs.soton.ac.uk> <20090106131634.776f66e4@btj-laptop.asp-as.no> <49637AFA.6040905@ecs.soton.ac.uk> <49648C9A.3060706@ecs.soton.ac.uk> <20090107124639.4fc576a4@btj-laptop.asp-as.no> <4964C64A.8040207@ecs.soton.ac.uk>
Message-ID:

Julian Field wrote on Wed, 07 Jan 2009 15:12:10 +0000:

> Try 4.74.15-1.

Applied and working fine. Cannot comment on the specific lock problem,
though, as you know ;-)
BTW: there's always an errant "error reading information on service
sendmail: No such file or directory" on postfix systems.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From gmcgreevy at pwr-sys.com Wed Jan 7 15:56:47 2009
From: gmcgreevy at pwr-sys.com (Greg J. McGreevy)
Date: Wed Jan 7 16:02:10 2009
Subject: MailScanner --lint error
References: <567221C09601934AA5CE9762FDA09A5001C3D7@EXCHTEMP.biz.pwr-sys.com><495FBCAE.60204@ecs.soton.ac.uk><567221C09601934AA5CE9762FDA09A5001C3D9@EXCHTEMP.biz.pwr-sys.com><496083A2.2090909@ecs.soton.ac.uk><567221C09601934AA5CE9762FDA09A5001C3DA@EXCHTEMP.biz.pwr-sys.com><72cf361e0901041213g512c4b70x84c3ad8ebeec55fc@mail.gmail.com><567221C09601934AA5CE9762FDA09A5001C3DE@EXCHTEMP.biz.pwr-sys.com>
Message-ID: <567221C09601934AA5CE9762FDA09A5001C3E6@EXCHTEMP.biz.pwr-sys.com>

I sent a message to you Kai did you get it?

Greg

________________________________

From: mailscanner-bounces@lists.mailscanner.info on behalf of Kai Schaetzl
Sent: Tue 1/6/2009 5:58 AM
To: mailscanner@lists.mailscanner.info
Subject: Re: MailScanner --lint error

Greg J. McGreevy wrote on Mon, 5 Jan 2009 22:44:22 -0500:

> Syntax error(s) in configuration file: at /usr/lib/MailScanner/MailScanner/Config.pm line 1937
> Unrecognised keyword "spamassassinprefsfile" at line 2789 at /usr/lib/MailScanner/MailScanner/Config.pm
> line 1940
> Warning: syntax errors in /etc/MailScanner/MailScanner.conf. at /usr/lib/MailScanner/MailScanner/Config.pm
> line 1945

There is no such option. The only one I can find is "MCP SpamAssassin Prefs
File". Is that the one you edited?
I find that you are making the same mistake over and over: you post some error
and that's it. The *least* you would do with the above is go to line 2789 and
show us that line and the surroundings and tell us what you did. (My
MailScanner.conf stops at 2788, though.)

>
> I added the list to the sa-update per your instructions

per "whose" instructions?

but I have
> no idea to tell if it is in fact working

you look in /var/lib/spamassassin if it gets filled. It's explained all there
where I pointed you earlier:
http://wiki.apache.org/spamassassin/RuleUpdates

any insight on this would
> be helpful also Rules do jour does not appear to be present in my
> install so I skipped those steps is that correct?

rules du jour is deprecated, one should use channels. Which tutorial did you
follow? Again, you make the mistake of not giving any insight of what you
really did. I don't see that Martin gave you instructions in this regard and I
can't find a section "Getting the most out of Spamassassin" on the MS wiki
(although I think I remember there was one). So, what exactly are you
referring to?

>
> Also If I create a new User called spam and have all of my users forward
> their spam there to train bayes will that mess up the tests because
> they will be seen as all forwards?

Again from the SA wiki, this may be helpful:
http://wiki.apache.org/spamassassin/ResendingMailWithHeaders

> I am kind of at my wits end with this and about to throw in the towel.

I think you are just not following instructions (whichever you used) careful
enough. Or you used the wrong instructions (those corebsd instructions are not
how I would do an install on CentOS) or are mixing them (there's often more
than one way to do it right, but you usually can't mix them). Also, you don't
seem to keep "old working good configuration", so you can easily check where
the mistake was made.
Anyway, if you are interested, you can contact me under the address I use here
and we can arrange something.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Wed Jan 7 16:02:22 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Wed Jan 7 16:02:33 2009
Subject: After upgrade to MS 4.74 mails are stuck in queue.
In-Reply-To: <4964CBBC.8090909@otenet.gr>
References: <4964BD19.2040607@otenet.gr> <4964C54E.5040400@fsl.com> <4964CBBC.8090909@otenet.gr>
Message-ID:

might be helpful to know from which version you upgraded and how you make
postfix and mailscanner work together. (I remember there were at least
two methods in the past.) You had these already running for a while with
your last MS setup?
postfix 2.5.5
ClamAV 0.94.2
Spamassassin 3.2.5

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From MailScanner at ecs.soton.ac.uk Wed Jan 7 16:12:46 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Jan 7 16:13:07 2009
Subject: After upgrade to MS 4.74 mails are stuck in queue.
In-Reply-To: <4964CBBC.8090909@otenet.gr>
References: <4964BD19.2040607@otenet.gr> <4964C54E.5040400@fsl.com> <4964CBBC.8090909@otenet.gr>
Message-ID: <4964D47E.6060501@ecs.soton.ac.uk>

On 7/1/09 15:35, memmas wrote:
> This the output:
>
> In Debugging mode, not forking...
> Trying to setlogsock(unix)
> Building a message batch to scan...
>
> and pretty much stuck.
>
> Try 4.74.15-1 unfortunately the same result.

And you've properly installed it all, including the
mailscanner_create_locks script and everything?

Do a "MailScanner --lint" for us, and tell us what distribution you are
using, what operating system, stuff like that.

>
> thanks
> Steve Freegard wrote:
>> memmas wrote:
>>> I'm using slackware 12.2
>>> postfix 2.5.5
>>> ClamAV 0.94.2
>>> Spamassassin 3.2.5
>>>
>>> after upgrade to 4.74 (same applies to beta) I get a loop in mail
>>> log and nothing happening, mail are stuck in queue.
>>>
>>
>> Run - 'MailScanner --debug' and post the output.
>>
>> Regards,
>> Steve.
>

Jules

From MailScanner at ecs.soton.ac.uk Wed Jan 7 16:13:34 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Jan 7 16:13:53 2009
Subject: Could not open Bayes rebuild lock file /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock, No such file or directory
In-Reply-To:
References: <20090106113530.41bc2d32@btj-laptop.asp-as.no> <49633EDC.4020709@ecs.soton.ac.uk> <20090106124443.3882cea3@btj-laptop.asp-as.no> <496346EB.1070200@ecs.soton.ac.uk> <20090106131634.776f66e4@btj-laptop.asp-as.no> <49637AFA.6040905@ecs.soton.ac.uk> <49648C9A.3060706@ecs.soton.ac.uk> <20090107124639.4fc576a4@btj-laptop.asp-as.no> <4964C64A.8040207@ecs.soton.ac.uk>
Message-ID: <4964D4AE.8070701@ecs.soton.ac.uk>

On 7/1/09 15:57, Kai Schaetzl wrote:
> Julian Field wrote on Wed, 07 Jan 2009 15:12:10 +0000:
>
>> Try 4.74.15-1.
>
> Applied and working fine. Cannot comment on the specific lock problem,
> though, as you know ;-)
> BTW: there's always an errant "error reading information on service
> sendmail: No such file or directory" on postfix systems.
>

What generates that and when?

Jules

From maillists at conactive.com Wed Jan 7 17:05:34 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Wed Jan 7 17:05:46 2009
Subject: Could not open Bayes rebuild lock file /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock, No such file or directory
In-Reply-To: <4964D4AE.8070701@ecs.soton.ac.uk>
References: <20090106113530.41bc2d32@btj-laptop.asp-as.no> <49633EDC.4020709@ecs.soton.ac.uk> <20090106124443.3882cea3@btj-laptop.asp-as.no> <496346EB.1070200@ecs.soton.ac.uk> <20090106131634.776f66e4@btj-laptop.asp-as.no> <49637AFA.6040905@ecs.soton.ac.uk> <49648C9A.3060706@ecs.soton.ac.uk> <20090107124639.4fc576a4@btj-laptop.asp-as.no> <4964C64A.8040207@ecs.soton.ac.uk> <4964D4AE.8070701@ecs.soton.ac.uk>
Message-ID:

Julian Field wrote on Wed, 07 Jan 2009 16:13:34 +0000:

> > BTW: there's always an errant "error reading information on service
> > sendmail: No such file or directory" on postfix systems.
> >
> What generates that and when?

The mailscanner*.rpm when upgrading an installation that has postfix as MTA
installed.
If I remember right the rpm isn't able to adjust the MailScanner.conf
correctly, either, when you install it the first time. e.g. it sets MTA =
sendmail, although the installed MTA is postfix.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From memmas at otenet.gr Wed Jan 7 17:12:41 2009
From: memmas at otenet.gr (memmas)
Date: Wed Jan 7 17:12:49 2009
Subject: After upgrade to MS 4.74 mails are stuck in queue.
In-Reply-To:
References: <4964BD19.2040607@otenet.gr> <4964C54E.5040400@fsl.com> <4964CBBC.8090909@otenet.gr>
Message-ID: <4964E289.2030404@otenet.gr>

Now it's running, Something went wrong when copying old configs to new
MailScanner probably.
MailScanner --lint gave some errors but it's working.

I'm upgrading from 4.73.4-2.
My system was up and running before the upgrade with same versions of
clamav and spamassassin.
I'm using Clamd not the Mail::ClamAV perl module
Spamassassin 3.2.5
perl 5.10.0 slackware packages

MailScanner --debug still stucks though.

The output of MailScanner --lint was:

Trying to setlogsock(unix)
Read 848 hostnames from the phishing whitelist
Read 4020 hostnames from the phishing blacklist
Checking version numbers...
Version installed (4.74.15) does not match version stated in
MailScanner.conf file (4.74.13), you may want to run
upgrade_MailScanner_conf
to ensure your MailScanner.conf file contains all the latest settings.

MailScanner setting GID to (76)
MailScanner setting UID to (76)

Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
config: failed to parse line, skipping, in "/etc/mail/spamassassin/local.cf": razorhome = /var/spool/MailScanner/razor/
config: failed to parse line, skipping, in "/etc/mail/spamassassin/local.cf": logfile = razor-agent.log
SpamAssassin reported an error.
I have found clamd scanners installed, and will use them all by default.
Using locktype = posix
MailScanner.conf says "Virus Scanners = auto"
Found these virus scanners installed: clamd
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
ERROR::Permissions Problem. Clamd was denied access to /var/spool/MailScanner/incoming/18354
===========================================================================
If any of your virus scanners (clamd)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its virus.scanners.conf.

--------------------------------

thanks

Kai Schaetzl wrote:
> might be helpful to know from which version you upgraded and how you make
> postfix and mailscanner work together. (I remember there where at least
> two methods in the past.) You had these already running for a while with
> your last MS setup?
> postfix 2.5.5
> ClamAV 0.94.2
> Spamassassin 3.2.5
>
> Kai
>

From maillists at conactive.com Wed Jan 7 17:28:59 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Wed Jan 7 17:29:12 2009
Subject: After upgrade to MS 4.74 mails are stuck in queue.
In-Reply-To: <4964E289.2030404@otenet.gr>
References: <4964BD19.2040607@otenet.gr> <4964C54E.5040400@fsl.com> <4964CBBC.8090909@otenet.gr> <4964E289.2030404@otenet.gr>
Message-ID:

Memmas wrote on Wed, 07 Jan 2009 19:12:41 +0200:

> MailScanner.conf file (4.74.13), you may want to run
> upgrade_MailScanner_conf

you may want ;-)

> config: failed to parse line, skipping, in
> "/etc/mail/spamassassin/local.cf": razorhome = /var/spool/MailScanner/razor/
> config: failed to parse line, skipping, in
> "/etc/mail/spamassassin/local.cf": logfile = razor-agent.log

I'm not using razor. Either you didn't enable the razor plugin or that syntax
is wrong. Also, you should compare local.cf and MailScanner's own
spamassassin.prefs.conf for duplicates. (or you may want to stop using one of
the two files.)

> ERROR::Permissions Problem. Clamd was denied access to
> /var/spool/MailScanner/incoming/18354

read
http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:clamav:switch_to_rpm_clamd

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From memmas at otenet.gr Wed Jan 7 17:53:29 2009
From: memmas at otenet.gr (memmas)
Date: Wed Jan 7 17:53:37 2009
Subject: After upgrade to MS 4.74 mails are stuck in queue.
In-Reply-To:
References: <4964BD19.2040607@otenet.gr> <4964C54E.5040400@fsl.com> <4964CBBC.8090909@otenet.gr> <4964E289.2030404@otenet.gr>
Message-ID: <4964EC19.8090304@otenet.gr>

Kai Schaetzl wrote:
>> config: failed to parse line, skipping, in
>> "/etc/mail/spamassassin/local.cf": razorhome = /var/spool/MailScanner/razor/
>> config: failed to parse line, skipping, in
>> "/etc/mail/spamassassin/local.cf": logfile = razor-agent.log
>>
>
> I'm not using razor. Either you didn't enable the razor plugin or that syntax
> is wrong. Also, you should compare local.cf and MailScanner's own
> spamassassin.prefs.conf for duplicates. (or you may want to stop using one of
> the two files.)
>
>

actually only
razor_config /var/spool/MailScanner/razor/razor.conf
is needed. other options are in spam.assassin.prefs.conf

>> ERROR::Permissions Problem. Clamd was denied access to
>> /var/spool/MailScanner/incoming/18354
>>
>
> read http://wiki.mailscanner.info/doku.php?
> id=documentation:anti_virus:clamav:switch_to_rpm_clamd
>
>

Thanks
I used Incoming Work User = clamav instead of Incoming Work Group = clamav

Well now all working and 'MailScanner --lint' gives no errors.

'MailScanner --debug' still stuck, Should I worry about it?

Thanks everyone for your help.

memmas

From maillists at conactive.com Wed Jan 7 18:05:51 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Wed Jan 7 18:06:05 2009
Subject: After upgrade to MS 4.74 mails are stuck in queue.
In-Reply-To: <4964EC19.8090304@otenet.gr>
References: <4964BD19.2040607@otenet.gr> <4964C54E.5040400@fsl.com> <4964CBBC.8090909@otenet.gr> <4964E289.2030404@otenet.gr> <4964EC19.8090304@otenet.gr>
Message-ID:

Memmas wrote on Wed, 07 Jan 2009 19:53:29 +0200:

> 'MailScanner --debug' still stuck, Should I worry about it?

If I recall correctly, you have to stop the MailScanner daemon, put
something in the queue and then start MailScanner --debug. If there is
nothing to scan it may well appear to be stuck with --debug. I think
Julian recently added an option to specify a different queue directory.
With that you could keep MS running and debug at the same time.
If mail flows and everything seems to be fine what you see with
MailScanner --debug is just to be expected I'd say.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From MailScanner at ecs.soton.ac.uk Wed Jan 7 18:15:32 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Jan 7 18:15:55 2009
Subject: After upgrade to MS 4.74 mails are stuck in queue.
In-Reply-To:
References: <4964BD19.2040607@otenet.gr> <4964C54E.5040400@fsl.com> <4964CBBC.8090909@otenet.gr> <4964E289.2030404@otenet.gr> <4964EC19.8090304@otenet.gr>
Message-ID: <4964F144.8010001@ecs.soton.ac.uk>

On 7/1/09 18:05, Kai Schaetzl wrote:
> Memmas wrote on Wed, 07 Jan 2009 19:53:29 +0200:
>
>> 'MailScanner --debug' still stuck, Should I worry about it?
>
> If I recall correctly, you have to stop the MailScanner daemon, put
> something in the queue and then start MailScanner --debug. If there is
> nothing to scan it may well appear to be stuck with --debug.

Correct. It will sit and wait for some mail to come in, but if you have
done a "service MailScanner stop" then no mail will come in.

> I think
> Julian recently added an option to specify a different queue directory.
>

Run "MailScanner --help" to see all the command-line options.

> With that you could keep MS running and debug at the same time.
> If mail flows and everything seems to be fine what you see with
> MailScanner --debug is just to be expected I'd say.
>

You can run "service MailScanner startin" which starts up the MTA
(postfix/sendmail/whatever) so that mail can come in, then run
"MailScanner --debug" to process 1 batch of incoming mail and then stop.
Once everything is working happily, just do "service MailScanner
restart" to start up everything normally.

Jules

From memmas at otenet.gr Wed Jan 7 18:57:56 2009
From: memmas at otenet.gr (memmas)
Date: Wed Jan 7 18:58:03 2009
Subject: After upgrade to MS 4.74 mails are stuck in queue.
In-Reply-To: <4964F144.8010001@ecs.soton.ac.uk>
References: <4964BD19.2040607@otenet.gr> <4964C54E.5040400@fsl.com> <4964CBBC.8090909@otenet.gr> <4964E289.2030404@otenet.gr> <4964EC19.8090304@otenet.gr> <4964F144.8010001@ecs.soton.ac.uk>
Message-ID: <4964FB34.4050206@otenet.gr>

MailScanner --debug
In Debugging mode, not forking...
Trying to setlogsock(unix)
Building a message batch to scan...
Have a batch of 1 message.
max message size is '200k'
Stopping now as you are debugging me.

So everything work fine.
Thank you

memmas

Julian Field wrote:
>
>
> On 7/1/09 18:05, Kai Schaetzl wrote:
>> Memmas wrote on Wed, 07 Jan 2009 19:53:29 +0200:
>>
>>> 'MailScanner --debug' still stuck, Should I worry about it?
>>
>> If I recall correctly, you have to stop the MailScanner daemon, put
>> something in the queue and then start MailScanner --debug. If there is
>> nothing to scan it may well appear to be stuck with --debug.
> Correct. It will sit and wait for some mail to come in, but if you
> have done a "service MailScanner stop" then no mail will come in.
>> I think
>> Julian recently added an option to specify a different queue directory.
>>
> Run "MailScanner --help" to see all the command-line options.
>> With that you could keep MS running and debug at the same time.
>> If mail flows and everything seems to be fine what you see with
>> MailScanner --debug is just to be expected I'd say.
>>
> You can run "service MailScanner startin" which starts up the MTA
> (postfix/sendmail/whatever) so that mail can come in, then run
> "MailScanner --debug" to process 1 batch of incoming mail and then
> stop. Once everything is working happily, just do "service MailScanner
> restart" to start up everything normally.
>
> Jules
>

From maillists at conactive.com Wed Jan 7 19:23:26 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Wed Jan 7 19:23:39 2009
Subject: After upgrade to MS 4.74 mails are stuck in queue.
In-Reply-To: <4964F144.8010001@ecs.soton.ac.uk>
References: <4964BD19.2040607@otenet.gr> <4964C54E.5040400@fsl.com> <4964CBBC.8090909@otenet.gr> <4964E289.2030404@otenet.gr> <4964EC19.8090304@otenet.gr> <4964F144.8010001@ecs.soton.ac.uk>
Message-ID:

Julian Field wrote on Wed, 07 Jan 2009 18:15:32 +0000:

> You can run "service MailScanner startin"

or just service MailScanner stopms when everything is running?

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From cooper at hmcnetworks.com Wed Jan 7 19:55:16 2009
From: cooper at hmcnetworks.com (Al Cooper)
Date: Wed Jan 7 19:57:13 2009
Subject: Blocking incoming email address to one domain
Message-ID: <023b01c97101$dd1a15b0$974e4110$@com>

Good Afternoon,

I have MailScanner 4.68.8 running on a multi-domain mail server. One of my
domains wants to block one email address from being delivered to that domain
only. The same email address needs to be delivered to all my other domains.
Is it possible to do this through MailScanner? If yes, what is the best way
to do this.

Thanks for any help you can offer,

Al

From MailScanner at ecs.soton.ac.uk Wed Jan 7 20:01:08 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Jan 7 20:01:30 2009
Subject: After upgrade to MS 4.74 mails are stuck in queue.
In-Reply-To:
References: <4964BD19.2040607@otenet.gr> <4964C54E.5040400@fsl.com> <4964CBBC.8090909@otenet.gr> <4964E289.2030404@otenet.gr> <4964EC19.8090304@otenet.gr> <4964F144.8010001@ecs.soton.ac.uk>
Message-ID: <49650A04.6080506@ecs.soton.ac.uk>

On 7/1/09 19:23, Kai Schaetzl wrote:
> Julian Field wrote on Wed, 07 Jan 2009 18:15:32 +0000:
>
>> You can run "service MailScanner startin"
>
> or just service MailScanner stopms when everything is running?
>

True. I always forget that one :-)

Jules

From shuttlebox at gmail.com Wed Jan 7 20:24:32 2009
From: shuttlebox at gmail.com (shuttlebox)
Date: Wed Jan 7 20:24:41 2009
Subject: Blocking incoming email address to one domain
In-Reply-To: <023b01c97101$dd1a15b0$974e4110$@com>
References: <023b01c97101$dd1a15b0$974e4110$@com>
Message-ID: <625385e30901071224m348b45d7q3d79c1625f2f79ae@mail.gmail.com>

On Wed, Jan 7, 2009 at 8:55 PM, Al Cooper wrote:
> Good Afternoon,
>
> I have MailScanner 4.68.8 running on a multi-domain mail server. One of my
> domains wants to block one email address from being delivered to that domain
> only. The same email address needs to be delivered to all my other domains.
> Is it possible to do this through MailScanner? If yes, what is the best way
> to do this.

Rulesets. Look at the readme and example files that came with MailScanner.

--
/peter

From maillists at conactive.com Wed Jan 7 20:30:28 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Wed Jan 7 20:30:39 2009
Subject: Blocking incoming email address to one domain
In-Reply-To: <023b01c97101$dd1a15b0$974e4110$@com>
References: <023b01c97101$dd1a15b0$974e4110$@com>
Message-ID:

Al Cooper wrote on Wed, 7 Jan 2009 12:55:16 -0700:

> If yes, what is the best way
> to do this.

http://wiki.mailscanner.info/doku.php?id=documentation:configuration:rulesets:examples&s=blacklist
(this is the same as the EXAMPLES file that got installed with MailScanner!)
look at 2 and 8.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From ssilva at sgvwater.com Wed Jan 7 20:31:16 2009
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Jan 7 20:31:42 2009
Subject: Barracude BRBL ??
In-Reply-To: <4963FD60.1080306@pacific.net>
References: <4960EF7002000000000334D2@gw.caspercollege.edu> <4963B58E.4020806@xpear.de> <4963FD60.1080306@pacific.net>
Message-ID:

on 1-6-2009 4:54 PM Ken A spake the following:
> Scott Silva wrote:
>>
>>> I did that too, and must say that 70-80% of all messages tagged by BRBL
>>> with a low test score are ham, the other 20-30% are really spam. With a
>>> low score that might be good to lift up the real spams, so that they
>>> don't slip under the required SA score.
>>>
>>> But with this rate, I will never use this RBL in my policyd-weight
>>> setup.
>>>
>> Strange, because for the 24 or so hours I have been running it, I'm hitting
>> over 97% spam.
>>
>> I haven't looked at the other 3 % to see if it is actually ham or FN's.
>>
>> Good enough for me to add more than half a point, but not more than 3 points.
>>
>> I don't want this one list too strong unless I can hit 100%.
>>
>
> We see pretty good results from BRBL too, but there are some FPs. We
> have home and business dialup and dsl (ISP) users. I've found it's good
> in META with Botnet rules. META with DCC and Razor also hits good, but
> may FP once in a while.
>
> Ken
>

I usually set my roamers to either auth, or use the webmail system if they are
out and about. One of our attorneys was so firewalled by his ISP I had to set
up a vpn for him while he was recouping from some surgery.

I guess nothing is perfect, and it is too bad that we have to jump through all
these hoops just to stop some bastard from flooding your users with fake
v1@gr@ spams. Just how many people are that stupid to actually BUY something
from these bozo's?
I am in the wrong line of work! ;-P

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From traced at xpear.de Wed Jan 7 20:43:08 2009
From: traced at xpear.de (traced)
Date: Wed Jan 7 20:43:21 2009
Subject: Barracude BRBL ??
In-Reply-To:
References: <4960EF7002000000000334D2@gw.caspercollege.edu> <4963B58E.4020806@xpear.de> <4963FD60.1080306@pacific.net>
Message-ID: <496513DC.3090207@xpear.de>

Scott Silva wrote:
> on 1-6-2009 4:54 PM Ken A spake the following:
>> Scott Silva wrote:
>>>
>
> I guess nothing is perfect, and it is too bad that we have to jump through all
> these hoops just to stop some bastard from flooding your users with fake
> v1@gr@ spams. Just how many people are that stupid to actually BUY something
> from these bozo's?
> I am in the wrong line of work! ;-P
>
>

If just one of the million recipients is so stupid, the spammers are
happy. Sending millions of mails is very low at cost I think when you
have some botnets working for you.
I read a few days ago that 1,5 million addresses (maybe the most are
"cold") only cost about 100-150US$.

Bastian

From dgottsc at emory.edu Wed Jan 7 21:00:38 2009
From: dgottsc at emory.edu (Gottschalk, David)
Date: Wed Jan 7 21:00:47 2009
Subject: Anti-spear-phishing, round 2
In-Reply-To: <4963D91A.9060304@ecs.soton.ac.uk>
References: <4963D91A.9060304@ecs.soton.ac.uk>
Message-ID:

Julian,
Thanks for posting this! This is going to make my life a lot easier.

I plan on installing it on all of my machines with mailscanner. I'll let you know how well it works.

I've got it installed on one machine right now, I'm just trying to figure out how to get the spam assassin rule actions to work properly right now. For some reason it's not following the rule actions even though it matches it.

David Gottschalk
Emory University
UTS Messaging Team

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: Tuesday, January 06, 2009 5:20 PM To: MailScanner discussion Subject: Anti-spear-phishing, round 2 I have done a load of work on my script that uses the anti-spear-phishing addresses database. The main thing is now that it is pretty much a finished script, and is directly usable by you guys without you having to do much to it except read the settings at the top and tweak the filenames if you want to change where it puts things. I have taken a lot of care to ensure that this won't match any false alarms, I don't just dumbly look for the strings in any surrounding text, which certain commercial AV vendors have been caught doing in the past! I make a suggestion in the comments at the top of the script about how I use the rule within MailScanner, you probably want to do something similar, and not just delete anything that matches, just in case you do get any false alarms. It also looks for numbers at the end of the username bit of the address, and assumes that these are numbers which the scammers may change; so if it finds them, it replaces them with a pattern that will match any number instead. There's starting to be a lot of this about, as it's the easiest way for the scammers to try to defeat simple address lists targeted against them, while still being able to remember what addresses they have to check for replies from your dumb users. :-) I thought I would make it a tiny bit harder for them... You can also add addresses of your own (which can include "*" as a wildcard character to mean "any series of valid characters" in the email address), one address per line, in an optional extra file. Again, read the top of the script and you'll see it mentioned there. That file is optional, it doesn't matter if it doesn't exist. As a starter, you might want to put m i c h a e l l o u c a s * @ g m a i l . 
c o m (without the extra spaces) in that file, as it will nicely catch a lot of "Job opportunity" spams. It looks for any of these addresses appearing **anywhere** in the message, not just in the headers. So if you start talking to people about these addresses, don't be surprised when the messages get caught by the trap. It does a "wget", so make sure you have that binary installed, or else change the script to fetch the file by some other means. The very end of the script does a "service MailScanner restart", so if you need some other command to restart MailScanner, then edit it for your system. It needs to be a "restart" and not a "reload" as I have to force it to re-build the database of SpamAssassin rules. My aim was that, on a RedHat system running MailScanner, you could just copy the script into /etc/cron.hourly and make it executable, and it will just get on with the job for you. I do advise you read the bit in the script about "SpamAssassin Rule Actions" though. Please do let me know how you would like me to improve it, and tell me what you think of it in general (be polite, now! :-) Cheers, Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. This e-mail message (including any attachments) is for the sole use of the intended recipient(s) and may contain confidential and privileged information. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this message (including any attachments) is strictly prohibited. 
If you have received this message in error, please contact the sender by reply e-mail message and destroy all copies of the original message (including attachments). From ssilva at sgvwater.com Wed Jan 7 21:16:30 2009 From: ssilva at sgvwater.com (Scott Silva) Date: Wed Jan 7 21:16:48 2009 Subject: Barracude BRBL ?? In-Reply-To: <496513DC.3090207@xpear.de> References: <4960EF7002000000000334D2@gw.caspercollege.edu> <4963B58E.4020806@xpear.de> <4963FD60.1080306@pacific.net> <496513DC.3090207@xpear.de> Message-ID: on 1-7-2009 12:43 PM traced spake the following: > > > Scott Silva wrote: >> on 1-6-2009 4:54 PM Ken A spake the following: >>> Scott Silva wrote: >>>> >> >> I guess nothing is perfect, and it is too bad that we have to jump >> through all >> these hoops just to stop some bastard from flooding your users with fake >> v1@gr@ spams. Just how many people are that stupid to actually BUY >> something >> from these bozo's? >> I am in the wrong line of work! ;-P >> >> >> > > If just one of the million recipients is so stupid, the spammers are > happy. Then we need to beat that one guy! ;-P It has to be a guy, because why would a woman want v1@gr@? Sending millions of mails is very low at cost I think when you > have some botnets working for you. I read a few days ago that 1,5 > million addresses (maybe the most are "cold") only cost about 100-150US$. > It looks like selling the lists is the big business! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Wed Jan 7 21:19:55 2009
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Jan 7 21:25:14 2009 Subject: Could not open Bayes rebuild lock file /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock, No such file or directory In-Reply-To: <4964C5D8.3080308@ecs.soton.ac.uk> References: <20090106113530.41bc2d32@btj-laptop.asp-as.no> <49633EDC.4020709@ecs.soton.ac.uk> <20090106124443.3882cea3@btj-laptop.asp-as.no> <496346EB.1070200@ecs.soton.ac.uk> <20090106131634.776f66e4@btj-laptop.asp-as.no> <49637AFA.6040905@ecs.soton.ac.uk> <49648C9A.3060706@ecs.soton.ac.uk> <20090107124639.4fc576a4@btj-laptop.asp-as.no> <4964A243.30003@ecs.soton.ac.uk> <20090107135302.6cf5ca15@btj-laptop.asp-as.no> <4964C5D8.3080308@ecs.soton.ac.uk> Message-ID: on 1-7-2009 7:10 AM Julian Field spake the following: > You might want to try 4.74.15-1 as I have just released that and it > contains a better version of the fix I have given you. > > If you do try it, please let me know if it works okay. > This was a fairly major change to MailScanner. You have to expect a few bugs. I am one of the lucky ones who run sendmail, so I didn't have any problems. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From steve.swaney at fsl.com Wed Jan 7 21:36:50 2009
From: steve.swaney at fsl.com (Stephen Swaney) Date: Wed Jan 7 21:37:01 2009 Subject: Barracude BRBL ?? In-Reply-To: References: <4960EF7002000000000334D2@gw.caspercollege.edu> <4963B58E.4020806@xpear.de> <4963FD60.1080306@pacific.net> <496513DC.3090207@xpear.de> Message-ID: <0a3201c97110$0ca33dd0$25e9b970$@swaney@fsl.com> > > > Sending millions of mails is very low at cost I think when you > > have some botnets working for you. I read a few days ago that 1,5 > > million addresses (maybe the most are "cold") only cost about 100- > 150US$. > > > It looks like selling the lists is the big business! > Not really. Here's a recent, accurate and interesting article on how the spam business works :) http://www.washingtonpost.com/wp-dyn/content/article/2008/12/12/AR2008121203445.html Steve Steve Swaney steve@fsl.com www.fsl.com The most cost effective and accurate anti-spam solutions From MailScanner at ecs.soton.ac.uk Wed Jan 7 22:14:06 2009 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Jan 7 22:14:27 2009 Subject: Anti-spear-phishing, round 2 In-Reply-To: References: <4963D91A.9060304@ecs.soton.ac.uk> Message-ID: <4965292E.1070209@ecs.soton.ac.uk> On 7/1/09 21:00, Gottschalk, David wrote: > Julian, > Thanks for posting this! This is going to make my life a lot easier. I plan on installing it on all of my machines with mailscanner. I'll let you know how well it works. I've got it installed on one machine right now, I'm just trying to figure out how to get the spam assassin rule actions to work properly right now. For some reason it's not following the rule actions even though it matches it. > Check your maillog, that will show if anything is wrong. Don't put a comma in the text of the header for starters, it breaks my parser :-( If you get really stuck, feel free to ask for help :) Jules. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From traced at xpear.de Wed Jan 7 23:25:22 2009
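The address handling Julian describes in "Anti-spear-phishing, round 2" (trailing digits in the username generalised to any number, "*" as a wildcard, and whole-address matching anywhere in the message) is sketched below as an added Python example; it is not part of the thread and is not his script, which writes SpamAssassin rules and is not shown on this page. The set of valid characters, the boundary checks, the function names and the example.* addresses are assumptions constructed for illustration.

```python
import re

# Characters accepted in the user part of an address. This is an assumption:
# the thread only says "*" means "any series of valid characters".
LOCAL_CHARS = r"A-Za-z0-9._+-"


def _glob(text):
    """Escape text for a regex, turning each "*" into a run of valid characters."""
    return f"[{LOCAL_CHARS}]*".join(re.escape(part) for part in text.split("*"))


def address_to_pattern(address):
    """Turn one listed address into a regex fragment."""
    user, at, domain = address.strip().lower().rpartition("@")
    if not (at and user and domain):
        raise ValueError(f"not an e-mail address: {address!r}")
    # Digits at the end of the user part are treated as a counter the sender
    # can change, so they become "one or more digits" (assumed form of
    # "any number"). A purely numeric user part stays literal, otherwise it
    # would match every numeric mailbox at that domain.
    m = re.fullmatch(r"(.*?\D)\d+", user)
    if m:
        return _glob(m.group(1)) + r"\d+@" + _glob(domain)
    return _glob(user) + "@" + _glob(domain)


def build_patterns(addresses):
    """One fragment per distinct address; blank lines and # comments are skipped."""
    wanted = (a for a in addresses if a.strip() and not a.lstrip().startswith("#"))
    return sorted({address_to_pattern(a) for a in wanted})


def compile_trap(addresses):
    """Compile all fragments into one case-insensitive, boundary-checked regex."""
    patterns = build_patterns(addresses)
    if not patterns:
        raise ValueError("no addresses to match")
    body = "|".join(patterns)
    # The lookbehind and lookahead stop a listed address from matching inside
    # a longer address or host name, which is how a plain substring search
    # produces false alarms. A full stop ending a sentence is still allowed.
    return re.compile(
        rf"(?<![{LOCAL_CHARS}])(?:{body})(?![A-Za-z0-9_-]|\.[A-Za-z0-9])",
        re.IGNORECASE,
    )


def find_hits(trap, message):
    """Return the distinct trapped addresses found anywhere in the message."""
    return sorted({m.group(0).lower() for m in trap.finditer(message)})


# Constructed sample list: two database entries that differ only in the
# trailing number, one local wildcard entry, one purely numeric user part.
LISTED = [
    "claims.dept2009@example.com",
    "claims.dept2008@example.com",
    "# local additions",
    "jobs*@example.org",
    "12345@example.net",
]

# Constructed sample message: headers and body are searched alike.
MESSAGE = (
    "Reply-To: Claims.Dept2011@example.com\n"
    "\n"
    "Send the requested details to claims.dept2011@example.com.\n"
    "Vacancies: write to jobs-uk@example.org today.\n"
    "Not listed: noclaims.dept2011@example.com, jobs@example.org.uk,\n"
    "99912345@example.net and claims.dept@example.com\n"
)

if __name__ == "__main__":
    for hit in find_hits(compile_trap(LISTED), MESSAGE):
        print(hit)
```
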
From: traced at xpear.de (traced) Date: Wed Jan 7 23:25:36 2009 Subject: Barracude BRBL ?? In-Reply-To: References: <4960EF7002000000000334D2@gw.caspercollege.edu> <4963B58E.4020806@xpear.de> <4963FD60.1080306@pacific.net> <496513DC.3090207@xpear.de> Message-ID: <496539E2.4070704@xpear.de> Scott Silva wrote: > on 1-7-2009 12:43 PM traced spake the following: >> >> Scott Silva wrote: >>> on 1-6-2009 4:54 PM Ken A spake the following: >>>> Scott Silva wrote: >>>>> >>> I guess nothing is perfect, and it is too bad that we have to jump >>> through all >>> these hoops just to stop some bastard from flooding your users with fake >>> v1@gr@ spams. Just how many people are that stupid to actually BUY >>> something >>> from these bozo's? >>> I am in the wrong line of work! ;-P >>> >>> >>> >> If just one of the million recipients is so stupid, the spammers are >> happy. > > Then we need to beat that one guy! ;-P > It has to be a guy, because why would a woman want v1@gr@? > > > Sending millions of mails is very low at cost I think when you >> have some botnets working for you. I read a few days ago that 1,5 >> million addresses (maybe the most are "cold") only cost about 100-150US$. >> > It looks like selling the lists is the big business! > > > Perhaps we should take our hard learned knowledge, and switch over to "the dark side" :) Hey, they have cookies! ^^ From rob at robhq.com Thu Jan 8 00:49:16 2009
From: rob at robhq.com (Rob Freeman) Date: Thu Jan 8 00:49:25 2009 Subject: Anti-spear-phishing, round 2 In-Reply-To: <4965292E.1070209@ecs.soton.ac.uk> References: <4963D91A.9060304@ecs.soton.ac.uk> <4965292E.1070209@ecs.soton.ac.uk> Message-ID: Sorry I missed this, and I did try to go back in the mailing list and try to download it, but it just came back as a .bin file here in firefox to download. Can someone provide a link? Thanks in advance Rob On Wed, Jan 7, 2009 at 4:14 PM, Julian Field wrote: > > > On 7/1/09 21:00, Gottschalk, David wrote: > >> Julian, >> Thanks for posting this! This is going to make my life a lot easier. I >> plan on installing it on all of my machines with mailscanner. I'll let you >> know how well it works. I've got it installed on one machine right now, I'm >> just trying to figure out how to get the spam assassin rule actions to work >> properly right now. For some reason it's not following the rule actions even >> though it matches it. >> >> > Check your maillog, that will show if anything is wrong. Don't put a comma > in the text of the header for starters, it breaks my parser :-( > > If you get really stuck, feel free to ask for help :) > > Jules. > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > PGP public key: http://www.jules.fm/julesfm.asc > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From john at tradoc.fr Thu Jan 8 08:26:43 2009
From: john at tradoc.fr (John Wilcock) Date: Thu Jan 8 08:26:58 2009 Subject: Could not open Bayes rebuild lock file /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock, No such file or directory In-Reply-To: <4964C5D8.3080308@ecs.soton.ac.uk> References: <20090106113530.41bc2d32@btj-laptop.asp-as.no> <49633EDC.4020709@ecs.soton.ac.uk> <20090106124443.3882cea3@btj-laptop.asp-as.no> <496346EB.1070200@ecs.soton.ac.uk> <20090106131634.776f66e4@btj-laptop.asp-as.no> <49637AFA.6040905@ecs.soton.ac.uk> <49648C9A.3060706@ecs.soton.ac.uk> <20090107124639.4fc576a4@btj-laptop.asp-as.no> <4964A243.30003@ecs.soton.ac.uk> <20090107135302.6cf5ca15@btj-laptop.asp-as.no> <4964C5D8.3080308@ecs.soton.ac.uk> Message-ID: <4965B8C3.6080001@tradoc.fr> On 07/01/2009 16:10, Julian Field wrote: > You might want to try 4.74.15-1 as I have just released that and it > contains a better version of the fix I have given you. I've just tried that on my newly-installed gentoo box - MS doesn't process mail; MailScanner --debug gives Can't locate object method "rewind" via package "FileHandle" at /usr/lib/MailScanner/MailScanner/SA.pm line 457 MailScanner --version (full output attached just in case) tells me that I have version 2.01 of the FileHandle module, which on gentoo at least is provided by the main perl package, of which I'm running the latest version (5.8.8-r5). Anything else to check? John.
-- -- Over 3000 webcams from ski resorts around the world - www.snoweye.com -- Translate your technical documents and web pages - www.tradoc.fr
-------------- next part --------------
This is Perl version 5.008008 (5.8.8)
This is MailScanner version 4.74.15
Module versions are:
1.00 AnyDBM_File
1.20 Archive::Zip
0.17 bignum
1.04 Carp
2.015 Compress::Zlib
1.119 Convert::BinHex
0.17 Convert::TNEF
2.121_08 Data::Dumper
2.27 Date::Parse
1.00 DirHandle
1.05 Fcntl
2.74 File::Basename
2.09 File::Copy
2.01 FileHandle
1.08 File::Path
0.21 File::Temp
0.92 Filesys::Df
1.35 HTML::Entities
3.56 HTML::Parser
2.37 HTML::TokeParser
1.22 IO
1.13 IO::File
1.13 IO::Pipe
1.77 Mail::Header
1.77 Math::BigInt
0.15 Math::BigRat
3.07 MIME::Base64
5.420 MIME::Decoder
5.420 MIME::Decoder::UU
5.420 MIME::Head
5.420 MIME::Parser
3.07 MIME::QuotedPrint
5.420 MIME::Tools
0.11 Net::CIDR
1.25 Net::IP
0.14 OLE::Storage_Lite
1.04 Pod::Escapes
3.05 Pod::Simple
1.09 POSIX
1.19 Scalar::Util
1.78 Socket
2.16 Storable
1.4 Sys::Hostname::Long
0.18 Sys::Syslog
1.26 Test::Pod
0.7 Test::Simple
1.9707 Time::HiRes
1.02 Time::localtime
Optional module versions are:
1.40 Archive::Tar
0.17 bignum
missing Business::ISBN
missing Business::ISBN::Data
missing Data::Dump
1.815 DB_File
1.14 DBD::SQLite
1.601 DBI
1.15 Digest
1.01 Digest::HMAC
2.36 Digest::MD5
2.11 Digest::SHA1
missing Encode::Detect
missing Error
0.19 ExtUtils::CBuilder
2.18 ExtUtils::ParseXS
2.36 Getopt::Long
missing Inline
1.08 IO::String
1.07 IO::Zlib
2.23 IP::Country
missing Mail::ClamAV
3.002005 Mail::SpamAssassin
missing Mail::SPF
1.999001 Mail::SPF::Query
0.2808 Module::Build
0.20 Net::CIDR::Lite
0.63 Net::DNS
missing Net::DNS::Resolver::Programmable
missing Net::LDAP
missing NetAddr::IP
missing Parse::RecDescent
missing SAVI
2.64 Test::Harness
missing Test::Manifest
1.95 Text::Balanced
1.35 URI
missing version
0.65 YAML
From MailScanner at ecs.soton.ac.uk Thu Jan 8 09:29:55 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 8 09:30:15 2009 Subject: Could not open Bayes rebuild lock file /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock, No such file or directory In-Reply-To: <4965B8C3.6080001@tradoc.fr> References: <20090106113530.41bc2d32@btj-laptop.asp-as.no> <49633EDC.4020709@ecs.soton.ac.uk> <20090106124443.3882cea3@btj-laptop.asp-as.no> <496346EB.1070200@ecs.soton.ac.uk> <20090106131634.776f66e4@btj-laptop.asp-as.no> <49637AFA.6040905@ecs.soton.ac.uk> <49648C9A.3060706@ecs.soton.ac.uk> <20090107124639.4fc576a4@btj-laptop.asp-as.no> <4964A243.30003@ecs.soton.ac.uk> <20090107135302.6cf5ca15@btj-laptop.asp-as.no> <4964C5D8.3080308@ecs.soton.ac.uk> <4965B8C3.6080001@tradoc.fr> Message-ID: <4965C793.7010105@ecs.soton.ac.uk> On 8/1/09 08:26, John Wilcock wrote: > On 07/01/2009 16:10, Julian Field wrote: >> You might want to try 4.74.15-1 as I have just released that and it >> contains a better version of the fix I have given you. > > I've just tried that on my newly-installed gentoo box - MS doesn't > process mail; MailScanner --debug gives > > Can't locate object method "rewind" via package "FileHandle" at > /usr/lib/MailScanner/MailScanner/SA.pm line 457 > I've changed the "rewind" to "setpos(0,0)" and attached a new SA.pm for you to try. Please let me know if this fixes the problem. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- A non-text attachment was scrubbed...
Name: SA.pm.zip Type: application/zip Size: 12948 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090108/812fd7c5/SA.pm.zip From john at tradoc.fr Thu Jan 8 10:06:40 2009 From: john at tradoc.fr (John Wilcock) Date: Thu Jan 8 10:06:52 2009 Subject: Could not open Bayes rebuild lock file /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock, No such file or directory In-Reply-To: <4965C793.7010105@ecs.soton.ac.uk> References: <20090106113530.41bc2d32@btj-laptop.asp-as.no> <49633EDC.4020709@ecs.soton.ac.uk> <20090106124443.3882cea3@btj-laptop.asp-as.no> <496346EB.1070200@ecs.soton.ac.uk> <20090106131634.776f66e4@btj-laptop.asp-as.no> <49637AFA.6040905@ecs.soton.ac.uk> <49648C9A.3060706@ecs.soton.ac.uk> <20090107124639.4fc576a4@btj-laptop.asp-as.no> <4964A243.30003@ecs.soton.ac.uk> <20090107135302.6cf5ca15@btj-laptop.asp-as.no> <4964C5D8.3080308@ecs.soton.ac.uk> <4965B8C3.6080001@tradoc.fr> <4965C793.7010105@ecs.soton.ac.uk> Message-ID: <4965D030.6030807@tradoc.fr> On 08/01/2009 10:29, Julian Field wrote: >> Can't locate object method "rewind" via package "FileHandle" at >> /usr/lib/MailScanner/MailScanner/SA.pm line 457 >> > I've changed the "rewind" to "setpos(0,0)" and attached a new SA.pm for > you to try. Please let me know if this fixes the problem. 'fraid not. Usage: IO::Seekable::setpos(handle, pos) at /usr/lib/MailScanner/MailScanner/SA.pm line 457. John. -- -- Over 3000 webcams from ski resorts around the world - www.snoweye.com -- Translate your technical documents and web pages - www.tradoc.fr From MailScanner at ecs.soton.ac.uk Thu Jan 8 10:34:23 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 8 10:34:49 2009 Subject: Could not open Bayes rebuild lock file /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock, No such file or directory In-Reply-To: <4965D030.6030807@tradoc.fr> References: <20090106113530.41bc2d32@btj-laptop.asp-as.no> <49633EDC.4020709@ecs.soton.ac.uk> <20090106124443.3882cea3@btj-laptop.asp-as.no> <496346EB.1070200@ecs.soton.ac.uk> <20090106131634.776f66e4@btj-laptop.asp-as.no> <49637AFA.6040905@ecs.soton.ac.uk> <49648C9A.3060706@ecs.soton.ac.uk> <20090107124639.4fc576a4@btj-laptop.asp-as.no> <4964A243.30003@ecs.soton.ac.uk> <20090107135302.6cf5ca15@btj-laptop.asp-as.no> <4964C5D8.3080308@ecs.soton.ac.uk> <4965B8C3.6080001@tradoc.fr> <4965C793.7010105@ecs.soton.ac.uk> <4965D030.6030807@tradoc.fr> Message-ID: <4965D6AF.8010608@ecs.soton.ac.uk> On 8/1/09 10:06, John Wilcock wrote: > On 08/01/2009 10:29, Julian Field wrote: >>> Can't locate object method "rewind" via package "FileHandle" at >>> /usr/lib/MailScanner/MailScanner/SA.pm line 457 >>> >> I've changed the "rewind" to "setpos(0,0)" and attached a new SA.pm for >> you to try. Please let me know if this fixes the problem. > > 'fraid not. > > Usage: IO::Seekable::setpos(handle, pos) at > /usr/lib/MailScanner/MailScanner/SA.pm line 457. Idiot :-( (me, that is) Do a search and replace in that file and change "setpos" to "seek". Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From john at tradoc.fr Thu Jan 8 12:23:40 2009
From: john at tradoc.fr (John Wilcock) Date: Thu Jan 8 12:23:59 2009 Subject: Could not open Bayes rebuild lock file /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock, No such file or directory In-Reply-To: <4965D6AF.8010608@ecs.soton.ac.uk> References: <20090106113530.41bc2d32@btj-laptop.asp-as.no> <49633EDC.4020709@ecs.soton.ac.uk> <20090106124443.3882cea3@btj-laptop.asp-as.no> <496346EB.1070200@ecs.soton.ac.uk> <20090106131634.776f66e4@btj-laptop.asp-as.no> <49637AFA.6040905@ecs.soton.ac.uk> <49648C9A.3060706@ecs.soton.ac.uk> <20090107124639.4fc576a4@btj-laptop.asp-as.no> <4964A243.30003@ecs.soton.ac.uk> <20090107135302.6cf5ca15@btj-laptop.asp-as.no> <4964C5D8.3080308@ecs.soton.ac.uk> <4965B8C3.6080001@tradoc.fr> <4965C793.7010105@ecs.soton.ac.uk> <4965D030.6030807@tradoc.fr> <4965D6AF.8010608@ecs.soton.ac.uk> Message-ID: <4965F04C.4050706@tradoc.fr> On 08/01/2009 11:34, Julian Field wrote: >> Usage: IO::Seekable::setpos(handle, pos) at >> /usr/lib/MailScanner/MailScanner/SA.pm line 457. > Idiot :-( (me, that is) > > Do a search and replace in that file and change "setpos" to "seek". That's more like it! Thanks Jules - and may the New Year bring what you're waiting for... John. -- -- Over 3000 webcams from ski resorts around the world - www.snoweye.com -- Translate your technical documents and web pages - www.tradoc.fr From maillists at conactive.com Thu Jan 8 12:31:14 2009
From: maillists at conactive.com (Kai Schaetzl) Date: Thu Jan 8 12:31:26 2009 Subject: Could not open Bayes rebuild lock file /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock, No such file or directory In-Reply-To: <4965F04C.4050706@tradoc.fr> References: <20090106113530.41bc2d32@btj-laptop.asp-as.no> <49633EDC.4020709@ecs.soton.ac.uk> <20090106124443.3882cea3@btj-laptop.asp-as.no> <496346EB.1070200@ecs.soton.ac.uk> <20090106131634.776f66e4@btj-laptop.asp-as.no> <49637AFA.6040905@ecs.soton.ac.uk> <49648C9A.3060706@ecs.soton.ac.uk> <20090107124639.4fc576a4@btj-laptop.asp-as.no> <4964A243.30003@ecs.soton.ac.uk> <20090107135302.6cf5ca15@btj-laptop.asp-as.no> <4964C5D8.3080308@ecs.soton.ac.uk> <4965B8C3.6080001@tradoc.fr> <4965F04C.4050706@tradoc.fr Message-ID: > Reply-To: mailscanner@lists.mailscanner.info John Wilcock wrote on Thu, 08 Jan 2009 13:23:40 +0100: > That's more like it! Nevertheless, you may want to stop rebuilding Bayes during heavy production hours and move it to a nightly cron job. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From submit at zuka.net Thu Jan 8 12:13:34 2009
From: submit at zuka.net (submit@zuka.net)
Date: Thu Jan 8 13:44:57 2009
Subject: Upgrade fron 4.61.7 to 4.74.13-2
Message-ID: <20090108071334.6t3eri15gc0ggkk4@manage.zuka.net>

Right off the top I need to ask you all to bear with me. I have not had to administer my email server in a number of years as I had another person doing it. Now, he has left and so here I am trying to make this work and at this point, no mail is flowing but the mail queue is growing.

I updated MailScanner and Clam/Spamassassin using Julian's install routines. All seemed to go OK but the mail queue seems to be stuck and I have a few errors when I lint the install. I know some others have had some issues with the mail queue after this upgrade but I am not sure it is the same issues here. I have been up all night trying to get this to work so I really could use some help with this.

Here is the output of MailScanner --lint

[root@rosewood ~]# MailScanner --lint
Trying to setlogsock(unix)
Read 848 hostnames from the phishing whitelist
Read 4096 hostnames from the phishing blacklist
Config: calling custom init function SQLBlacklist
Starting up SQL Blacklist
Read 3 blacklist entries
Config: calling custom init function MailWatchLogging
Started SQL Logging child
Config: calling custom init function SQLWhitelist
Starting up SQL Whitelist
Read 60 whitelist entries
Checking version numbers...
Version number in MailScanner.conf (4.74.13) is correct.

Your envelope_sender_header in spam.assassin.prefs.conf is correct.
MailScanner setting GID to (80)
MailScanner setting UID to (80)

Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
config: path "//.spamassassin/user_prefs" is inaccessible: Permission denied

... obviously this one is an issue but not sure why it cannot access it.

config: configuration file "/etc/mail/spamassassin/updates_spamassassin_org/20_advance_fee.cf" requires version 3.002003 of SpamAssassin, but this is code version 3.002005. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf/Parser.pm line 372.
config: configuration file "/etc/mail/spamassassin/updates_spamassassin_org/20_advance_fee.cf" requires version 3.002003 of SpamAssassin, but this is code version 3.002005. Maybe you need to use the -C switch, or remove the old config files? Skipping this file
config: configuration file "/etc/mail/spamassassin/updates_spamassassin_org/20_body_tests.cf" requires version 3.002003 of SpamAssassin, but this is code version 3.002005. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf/Parser.pm line 372.
config: configuration file "/etc/mail/spamassassin/updates_spamassassin_org/20_body_tests.cf" requires version 3.002003 of SpamAssassin, but this is code version 3.002005. Maybe you need to use the -C switch, or remove the old config files? Skipping this file
config: configuration file "/etc/mail/spamassassin/updates_spamassassin_org/20_compensate.cf" requires version 3.002003 of SpamAssassin, but this is code version 3.002005. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf/Parser.pm line 372.

.... and then a bunch more of the preceding errors

SpamAssassin reported an error.
Using locktype = posix
MailScanner.conf says "Virus Scanners = clamd"
Found these virus scanners installed: clamd
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Virus Scanning: Clamd found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
===========================================================================
Virus Scanner test reports:
Clamd said "eicar.com was infected: Eicar-Test-Signature"

If any of your virus scanners (clamd) are not listed there, you should check that they are installed correctly and that MailScanner is finding them correctly via its virus.scanners.conf.
Config: calling custom end function SQLBlacklist
Closing down by-domain spam blacklist
Config: calling custom end function MailWatchLogging
Config: calling custom end function SQLWhitelist
Closing down by-domain spam whitelist

MailScanner -V
Running on
Linux rosewood.zuka.net 2.6.9-34.ELsmp #1 SMP Thu Mar 9 06:23:23 GMT 2006 x86_64 x86_64 x86_64 GNU/Linux
This is CentOS release 4.3 (Final)
This is Perl version 5.008005 (5.8.5)

This is MailScanner version 4.74.13
Module versions are:
1.00 AnyDBM_File
1.20 Archive::Zip
0.22 bignum
1.03 Carp
1.41 Compress::Zlib
1.119 Convert::BinHex
0.17 Convert::TNEF
2.121 Data::Dumper
2.27 Date::Parse
1.00 DirHandle
1.05 Fcntl
2.73 File::Basename
2.08 File::Copy
2.01 FileHandle
1.06 File::Path
0.20 File::Temp
0.78 Filesys::Df
1.35 HTML::Entities
3.56 HTML::Parser
2.37 HTML::TokeParser
1.23 IO
1.14 IO::File
1.13 IO::Pipe
2.02 Mail::Header
1.87 Math::BigInt
0.20 Math::BigRat
3.05 MIME::Base64
5.427 MIME::Decoder
5.427 MIME::Decoder::UU
5.427 MIME::Head
5.427 MIME::Parser
3.03 MIME::QuotedPrint
5.427 MIME::Tools
0.11 Net::CIDR
1.25 Net::IP
0.16 OLE::Storage_Lite
1.04 Pod::Escapes
3.05 Pod::Simple
1.08 POSIX
1.19 Scalar::Util
1.77 Socket
2.13 Storable
1.4 Sys::Hostname::Long
0.18 Sys::Syslog
1.26 Test::Pod
0.7 Test::Simple
1.9707 Time::HiRes
1.02 Time::localtime

Optional module versions are:
1.32 Archive::Tar
0.22 bignum
1.82 Business::ISBN
1.10 Business::ISBN::Data
1.08 Data::Dump
1.814 DB_File
1.13 DBD::SQLite
1.58 DBI
1.15 Digest
1.01 Digest::HMAC
2.36 Digest::MD5
2.10 Digest::SHA1
1.00 Encode::Detect
0.17008 Error
0.19 ExtUtils::CBuilder
2.18 ExtUtils::ParseXS
2.36 Getopt::Long
0.44 Inline
1.08 IO::String
1.04 IO::Zlib
2.21 IP::Country
0.22 Mail::ClamAV
3.002005 Mail::SpamAssassin
v2.004 Mail::SPF
1.999001 Mail::SPF::Query
0.2808 Module::Build
0.20 Net::CIDR::Lite
0.63 Net::DNS
0.002.2 Net::DNS::Resolver::Programmable
0.31 Net::LDAP
4.004 NetAddr::IP
1.94 Parse::RecDescent
missing SAVI
2.64 Test::Harness
0.95 Test::Manifest
1.95 Text::Balanced
1.35 URI
0.7203 version
0.65 YAML

I really could use some help here. Really need sleep but will have some clients yelling because they are not receiving email.

Thanks

Dave

From Denis.Beauchemin at USherbrooke.ca Thu Jan 8 13:58:29 2009
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Thu Jan 8 13:58:48 2009
Subject: Upgrade fron 4.61.7 to 4.74.13-2
In-Reply-To: <20090108071334.6t3eri15gc0ggkk4@manage.zuka.net>
References: <20090108071334.6t3eri15gc0ggkk4@manage.zuka.net>
Message-ID: <49660685.80304@USherbrooke.ca>

submit@zuka.net wrote:
> Right off the top I need to ask you all to bear with me. I have not
> had to administer my email server in a number of years as I had
> another person doing it. Now, he has left and so here I am trying to
> make this work and at this point, no mail is flowing but the mail
> queue is growing.
>
> I updated MailScanner and Clam/Spamassassin using Julian's install
> routines. All seemed to go OK but the mail queue seems to be stuck and
> I have a few errors when I lint the install. I know some others have
> had some issues with the mail queue after this upgrade but I am not
> sure it is the same issues here. I have been up all night trying to
> get this to work so I really could use some help with this.
>
> Here is the output of MailScanner --lint
>
> [root@rosewood ~]# MailScanner --lint
> Trying to setlogsock(unix)
> Read 848 hostnames from the phishing whitelist
> Read 4096 hostnames from the phishing blacklist
> Config: calling custom init function SQLBlacklist
> Starting up SQL Blacklist
> Read 3 blacklist entries
> Config: calling custom init function MailWatchLogging
> Started SQL Logging child
> Config: calling custom init function SQLWhitelist
> Starting up SQL Whitelist
> Read 60 whitelist entries
> Checking version numbers...
> Version number in MailScanner.conf (4.74.13) is correct.
>
> Your envelope_sender_header in spam.assassin.prefs.conf is correct.
> MailScanner setting GID to (80)
> MailScanner setting UID to (80)
>
> Checking for SpamAssassin errors (if you use it)...
> Using SpamAssassin results cache
> Connected to SpamAssassin cache database
> config: path "//.spamassassin/user_prefs" is inaccessible: Permission
> denied
>
> ... obviously this one is an issue but not sure why it cannot access it.
>
> config: configuration file
> "/etc/mail/spamassassin/updates_spamassassin_org/20_advance_fee.cf"
> requires version 3.002003 of SpamAssassin, but this is code version
> 3.002005. Maybe you need to use the -C switch, or remove the old
> config files? Skipping this file at
> /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf/Parser.pm line 372.
> config: configuration file
> "/etc/mail/spamassassin/updates_spamassassin_org/20_advance_fee.cf"
> requires version 3.002003 of SpamAssassin, but this is code version
> 3.002005. Maybe you need to use the -C switch, or remove the old
> config files? Skipping this file
> config: configuration file
> "/etc/mail/spamassassin/updates_spamassassin_org/20_body_tests.cf"
> requires version 3.002003 of SpamAssassin, but this is code version
> 3.002005. Maybe you need to use the -C switch, or remove the old
> config files? Skipping this file at
> /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf/Parser.pm line 372.
> config: configuration file
> "/etc/mail/spamassassin/updates_spamassassin_org/20_body_tests.cf"
> requires version 3.002003 of SpamAssassin, but this is code version
> 3.002005. Maybe you need to use the -C switch, or remove the old
> config files? Skipping this file
> config: configuration file
> "/etc/mail/spamassassin/updates_spamassassin_org/20_compensate.cf"
> requires version 3.002003 of SpamAssassin, but this is code version
> 3.002005. Maybe you need to use the -C switch, or remove the old
> config files? Skipping this file at
> /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf/Parser.pm line 372.
>

Dave,

On my RHEL 4.6 server my SA files are located in /var/lib/spamassassin, so I would delete the ones in /etc/mail/spamassassin/updates*

For your permission problem, you must be using Postfix so try to access the file under the postfix user.

Denis

-- 
   _
  °v°   Denis Beauchemin, analyst
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From MailScanner at ecs.soton.ac.uk Thu Jan 8 14:12:35 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 8 14:12:57 2009
Subject: Could not open Bayes rebuild lock file /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock, No such file or directory
In-Reply-To: <4965F04C.4050706@tradoc.fr>
References: <20090106113530.41bc2d32@btj-laptop.asp-as.no> <49633EDC.4020709@ecs.soton.ac.uk> <20090106124443.3882cea3@btj-laptop.asp-as.no> <496346EB.1070200@ecs.soton.ac.uk> <20090106131634.776f66e4@btj-laptop.asp-as.no> <49637AFA.6040905@ecs.soton.ac.uk> <49648C9A.3060706@ecs.soton.ac.uk> <20090107124639.4fc576a4@btj-laptop.asp-as.no> <4964A243.30003@ecs.soton.ac.uk> <20090107135302.6cf5ca15@btj-laptop.asp-as.no> <4964C5D8.3080308@ecs.soton.ac.uk> <4965B8C3.6080001@tradoc.fr> <4965C793.7010105@ecs.soton.ac.uk> <4965D030.6030807@tradoc.fr> <4965D6AF.8010608@ecs.soton.ac.uk> <4965F04C.4050706@tradoc.fr>
Message-ID: <496609D3.2000501@ecs.soton.ac.uk>

On 8/1/09 12:23, John Wilcock wrote:
> On 08/01/2009 11:34, Julian Field wrote:
>>> Usage: IO::Seekable::setpos(handle, pos) at
>>> /usr/lib/MailScanner/MailScanner/SA.pm line 457.
>> Idiot :-( (me, that is)
>>
>> Do a search and replace in that file and change "setpos" to "seek".
>
> That's more like it!
Brilliant. Please can you download and try out 4.74.15-2 which should just incorporate that fix, and let me know that everything works now?
>
> Thanks Jules - and may the New Year bring what you're waiting for...
Many thanks for that! I may have some news for you next week...

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

-- 
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

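An added example, not part of any message in this archive and not MailScanner or SpamAssassin code: a small Python triage of the lint output quoted in the "Upgrade fron 4.61.7 to 4.74.13-2" thread, grouping the skipped rule files by directory and listing the paths the scanner could not read. The function names are made up for the illustration; the sample lines are copied from the thread, the last record in its wrapped, quoted form.

```python
import re
from collections import defaultdict
from posixpath import basename, dirname

# Lines copied from the lint output quoted in the thread. The last "config:"
# record is given in the wrapped, ">"-quoted form it has in the replies.
SAMPLE_LINT = '''\
config: path "//.spamassassin/user_prefs" is inaccessible: Permission denied
config: configuration file "/etc/mail/spamassassin/updates_spamassassin_org/20_advance_fee.cf" requires version 3.002003 of SpamAssassin, but this is code version 3.002005. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf/Parser.pm line 372.
config: configuration file "/etc/mail/spamassassin/updates_spamassassin_org/20_advance_fee.cf" requires version 3.002003 of SpamAssassin, but this is code version 3.002005. Maybe you need to use the -C switch, or remove the old config files? Skipping this file
> config: configuration file
> "/etc/mail/spamassassin/updates_spamassassin_org/20_body_tests.cf"
> requires version 3.002003 of SpamAssassin, but this is code version
> 3.002005. Maybe you need to use the -C switch, or remove the old
> config files? Skipping this file at
> /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf/Parser.pm line 372.
SpamAssassin reported an error.
'''

MISMATCH = re.compile(
    r'configuration file "(?P<path>[^"]+)" requires version (?P<need>\d+\.\d+) '
    r'of SpamAssassin, but this is code version (?P<have>\d+\.\d+)')
DENIED = re.compile(
    r'path "(?P<path>[^"]+)" is inaccessible: (?P<why>[A-Z][a-z]+(?: [a-z]+)*)')
QUOTE = re.compile(r'^(?:>\s?)+')


def records(text):
    """Yield one string per "config:" message, undoing mail quoting and wrapping."""
    current = None
    for raw in text.splitlines():
        line = QUOTE.sub('', raw.strip()).strip()
        if line.startswith('config:'):
            if current:
                yield ' '.join(current)
            current = [line]
        elif current and line:
            current.append(line)        # continuation of a wrapped message
        else:
            if current:                 # a blank line ends the message
                yield ' '.join(current)
            current = None
    if current:
        yield ' '.join(current)


def dotted(numeric):
    """Turn SpamAssassin's numeric version (3.002005) into dotted form (3.2.5)."""
    major, frac = numeric.split('.')
    frac = frac.ljust(6, '0')
    return f'{int(major)}.{int(frac[:3])}.{int(frac[3:6])}'


def triage(text):
    """Return (stale rule directories, unreadable paths) found in lint output."""
    stale = defaultdict(lambda: {'files': set(), 'written_for': set(), 'running': set()})
    denied = {}
    for rec in records(text):
        m = MISMATCH.search(rec)
        if m:
            entry = stale[dirname(m['path'])]
            entry['files'].add(basename(m['path']))   # set: each error prints twice
            entry['written_for'].add(dotted(m['need']))
            entry['running'].add(dotted(m['have']))
            continue
        m = DENIED.search(rec)
        if m:
            denied[m['path']] = m['why']
    return dict(stale), denied


def report(text):
    """One line per finding, suitable for pasting into a ticket or a reply."""
    stale, denied = triage(text)
    lines = []
    for directory, e in sorted(stale.items()):
        lines.append(f"{directory}: {len(e['files'])} rule file(s) written for "
                     f"{'/'.join(sorted(e['written_for']))} skipped by running "
                     f"{'/'.join(sorted(e['running']))}")
    for path, why in sorted(denied.items()):
        lines.append(f'{path}: {why}')
    return lines


if __name__ == '__main__':
    print('\n'.join(report(SAMPLE_LINT)))
```

The script only reports; it removes nothing. When it returns no lines, the lint output contained neither skipped rule files nor unreadable paths.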
From dave.filchak at senecac.on.ca Thu Jan 8 14:27:35 2009 
From: dave.filchak at senecac.on.ca (Dave Filchak)
Date: Thu Jan 8 14:27:45 2009
Subject: Upgrade fron 4.61.7 to 4.74.13-2
In-Reply-To: <49660685.80304@USherbrooke.ca>
References: <20090108071334.6t3eri15gc0ggkk4@manage.zuka.net> <49660685.80304@USherbrooke.ca>
Message-ID: <49660D57.2040107@senecac.on.ca>

Denis,

Denis Beauchemin wrote:
> submit@zuka.net wrote:
>> Right off the top I need to ask you all to bear with me. I have not
>> had to administer my email server in a number of years as I had
>> another person doing it. Now, he has left and so here I am trying to
>> make this work and at this point, no mail is flowing but the mail
>> queue is growing.
>>
>> I updated MailScanner and Clam/Spamassassin using Julian's install
>> routines. All seemed to go OK but the mail queue seems to be stuck
>> and I have a few errors when I lint the install. I know some others
>> have had some issues with the mail queue after this upgrade but I am
>> not sure it is the same issues here. I have been up all night trying
>> to get this to work so I really could use some help with this.
>>
>> Here is the output of MailScanner --lint
>>
>> [root@rosewood ~]# MailScanner --lint
>> Trying to setlogsock(unix)
>> Read 848 hostnames from the phishing whitelist
>> Read 4096 hostnames from the phishing blacklist
>> Config: calling custom init function SQLBlacklist
>> Starting up SQL Blacklist
>> Read 3 blacklist entries
>> Config: calling custom init function MailWatchLogging
>> Started SQL Logging child
>> Config: calling custom init function SQLWhitelist
>> Starting up SQL Whitelist
>> Read 60 whitelist entries
>> Checking version numbers...
>> Version number in MailScanner.conf (4.74.13) is correct.
>>
>> Your envelope_sender_header in spam.assassin.prefs.conf is correct.
>> MailScanner setting GID to (80)
>> MailScanner setting UID to (80)
>>
>> Checking for SpamAssassin errors (if you use it)...
>> Using SpamAssassin results cache
>> Connected to SpamAssassin cache database
>> config: path "//.spamassassin/user_prefs" is inaccessible: Permission
>> denied
>>
>> ... obviously this one is an issue but not sure why it cannot access
>> it.
>>
>> config: configuration file
>> "/etc/mail/spamassassin/updates_spamassassin_org/20_advance_fee.cf"
>> requires version 3.002003 of SpamAssassin, but this is code version
>> 3.002005. Maybe you need to use the -C switch, or remove the old
>> config files? Skipping this file at
>> /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf/Parser.pm line
>> 372.
>> config: configuration file
>> "/etc/mail/spamassassin/updates_spamassassin_org/20_advance_fee.cf"
>> requires version 3.002003 of SpamAssassin, but this is code version
>> 3.002005. Maybe you need to use the -C switch, or remove the old
>> config files? Skipping this file
>> config: configuration file
>> "/etc/mail/spamassassin/updates_spamassassin_org/20_body_tests.cf"
>> requires version 3.002003 of SpamAssassin, but this is code version
>> 3.002005. Maybe you need to use the -C switch, or remove the old
>> config files? Skipping this file at
>> /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf/Parser.pm line
>> 372.
>> config: configuration file
>> "/etc/mail/spamassassin/updates_spamassassin_org/20_body_tests.cf"
>> requires version 3.002003 of SpamAssassin, but this is code version
>> 3.002005. Maybe you need to use the -C switch, or remove the old
>> config files? Skipping this file
>> config: configuration file
>> "/etc/mail/spamassassin/updates_spamassassin_org/20_compensate.cf"
>> requires version 3.002003 of SpamAssassin, but this is code version
>> 3.002005. Maybe you need to use the -C switch, or remove the old
>> config files? Skipping this file at
>> /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf/Parser.pm line
>> 372.
>>
>
> Dave,
>
> On my RHEL 4.6 server my SA files are located in
> /var/lib/spamassassin, so I would delete the ones in
> /etc/mail/spamassassin/updates*
>
> For your permission problem, you must be using Postfix so try to
> access the file under the postfix user.
>
> Denis
>
In /var/lib/spamassassin/3.002005/updates_spamassassin_org there are many of the rule files. There is also another bunch at /var/lib/spamassassin/3.001001/updates_spamassassin_org, which is from the previous version. Can I just delete this older directory? When I move the rules in /etc/mail/spamassassin/ into a temp directory, I no longer get that specific error but I am not sure if the rules and spamassassin are functioning or not.

As far as the permissions problem goes, I am using Postfix and MailScanner is running as user Postfix but isn't it trying to access the usr_prefs in the root home directory? I never did that before I don't think as I believe we were using local.cf for site wide prefs?

Dave

-- 
Dave Filchak
Instructor, School of Communications Arts
Seneca College @ York
Office: Room 1068

From maillists at conactive.com Thu Jan 8 14:32:21 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Thu Jan 8 14:32:33 2009
Subject: Upgrade fron 4.61.7 to 4.74.13-2
In-Reply-To: <20090108071334.6t3eri15gc0ggkk4@manage.zuka.net>
References: <20090108071334.6t3eri15gc0ggkk4@manage.zuka.net>
Message-ID:

Submit@zuka.net wrote on Thu, 08 Jan 2009 07:13:34 -0500:

> This is CentOS release 4.3 (Final)

Please update to latest version. Putting such a non-updated server on the internet is a threat to everyone.

> /etc/mail/spamassassin/updates_spamassassin_org/20_advance_fee.cf

you want to remove the directory "updates_spamassassin_org" completely and make sure there is no automatic update putting it there again.

You also want to set "bayes_auto_expire" to 0 in spamassassin.prefs.conf in case your growing mail queue is a side effect of that.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Thu Jan 8 14:38:24 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Thu Jan 8 14:38:37 2009
Subject: Upgrade fron 4.61.7 to 4.74.13-2
In-Reply-To: <49660D57.2040107@senecac.on.ca>
References: <20090108071334.6t3eri15gc0ggkk4@manage.zuka.net> <49660685.80304@USherbrooke.ca> <49660D57.2040107@senecac.on.ca>
Message-ID:

Dave Filchak wrote on Thu, 08 Jan 2009 09:27:35 -0500:

> In /var/lib/spamassassin/3.002005/updates_spamassassin_org there are
> many of the rule files.

Good.

> There is also another bunch at
> /var/lib/spamassassin/3.001001/updates_spamassassin_org, which is from
> the previous version. Can I just delete this older directory?

Yes.

> When I
> move the rules in /etc/mail/spamassassin/ into a temp directory, I no
> longer get that specific error but I am not sure if the rules and
> spamassassin are functioning or not.

which rules? Are you the same person as "submit@zuka.net"?

>
> As far as the permissions problem goes, I am using Postfix and
> MailScanner is running as user Postfix but isn't it trying to access the
> usr_prefs in the root home directory?

Not if the error comes from starting the service.

> I never did that before I don't
> think as I believe we were using local.cf for site wide prefs?

All files in /etc/mail/spamassassin are used for SA configuration. And there should be a symlink to /etc/MailScanner/spamassassin.prefs.conf. Compare the two for duplicates.

Also, there is a very good tutorial for postfix+MailScanner on the MS documentation site. Read it and follow it. If there are still permission errors in your config you should find them this way!

You did run the update_mailscanner_conf script after upgrading, did you?

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From john at tradoc.fr Thu Jan 8 14:38:51 2009
From: john at tradoc.fr (John Wilcock)
Date: Thu Jan 8 14:39:09 2009
Subject: Could not open Bayes rebuild lock file /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock, No such file or directory
In-Reply-To: <496609D3.2000501@ecs.soton.ac.uk>
References: <20090106113530.41bc2d32@btj-laptop.asp-as.no> <49633EDC.4020709@ecs.soton.ac.uk> <20090106124443.3882cea3@btj-laptop.asp-as.no> <496346EB.1070200@ecs.soton.ac.uk> <20090106131634.776f66e4@btj-laptop.asp-as.no> <49637AFA.6040905@ecs.soton.ac.uk> <49648C9A.3060706@ecs.soton.ac.uk> <20090107124639.4fc576a4@btj-laptop.asp-as.no> <4964A243.30003@ecs.soton.ac.uk> <20090107135302.6cf5ca15@btj-laptop.asp-as.no> <4964C5D8.3080308@ecs.soton.ac.uk> <4965B8C3.6080001@tradoc.fr> <4965C793.7010105@ecs.soton.ac.uk> <4965D030.6030807@tradoc.fr> <4965D6AF.8010608@ecs.soton.ac.uk> <4965F04C.4050706@tradoc.fr> <496609D3.2000501@ecs.soton.ac.uk>
Message-ID: <49660FFB.5000209@tradoc.fr>

On 08/01/2009 15:12, Julian Field wrote:
> Brilliant. Please can you download and try out 4.74.15-2 which should
> just incorporate that fix, and let me know that everything works now?

Indeed it does, thanks.

>> Thanks Jules - and may the New Year bring what you're waiting for...
> Many thanks for that! I may have some news for you next week...

Keeping my fingers crossed for you...

John.

-- 
-- Over 3000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages - www.tradoc.fr

From dave.filchak at senecac.on.ca Thu Jan 8 14:44:24 2009
From: dave.filchak at senecac.on.ca (Dave Filchak)
Date: Thu Jan 8 14:44:38 2009
Subject: Upgrade fron 4.61.7 to 4.74.13-2
In-Reply-To:
References: <20090108071334.6t3eri15gc0ggkk4@manage.zuka.net>
Message-ID: <49661148.6070305@senecac.on.ca>

Kai,

Kai Schaetzl wrote:
> Submit@zuka.net wrote on Thu, 08 Jan 2009 07:13:34 -0500:
>
>
>> This is CentOS release 4.3 (Final)
>>
>
> Please update to latest version. Putting such a non-updated server on the
> internet is a threat to everyone.
>
>
>> /etc/mail/spamassassin/updates_spamassassin_org/20_advance_fee.cf
>>
>
> you want to remove the directory "updates_spamassassin_org" completely and
> make sure there is no automatic update putting it there again.
>
> You also want to set "bayes_auto_expire" to 0 in spamassassin.prefs.conf
> in case your growing mail queue is a side effect of that.
>
> Kai
>
>
As I said earlier, I have not been taking care of this server for the last couple of years or longer. So, I am trying to get it up to date. However, it will take me some time and I really need to get the mail stuff updated first.

bayes_auto_expire is set to 0.

Any idea about the permission error?

Thanks

Dave

From dave.filchak at senecac.on.ca Thu Jan 8 14:57:35 2009
From: dave.filchak at senecac.on.ca (Dave Filchak)
Date: Thu Jan 8 14:58:01 2009
Subject: Upgrade fron 4.61.7 to 4.74.13-2
In-Reply-To:
References: <20090108071334.6t3eri15gc0ggkk4@manage.zuka.net> <49660685.80304@USherbrooke.ca> <49660D57.2040107@senecac.on.ca>
Message-ID: <4966145F.4010305@senecac.on.ca>

Kai,

Kai Schaetzl wrote:
> Dave Filchak wrote on Thu, 08 Jan 2009 09:27:35 -0500:
>
>
>> In /var/lib/spamassassin/3.002005/updates_spamassassin_org there are
>> many of the rule files.
>>
>
> Good.
>
> There is also another bunch at
>
>> /var/lib/spamassassin/3.001001/updates_spamassassin_org, which is from
>> the previous version. Can I just delete this older directory?
>>
>
> Yes.
>
> When I
>
>> move the rules in /etc/mail/spamassassin/ into a temp directory, I no
>> longer get that specific error but I am not sure if the rules and
>> spamassassin are functioning or not.
>>
>
> which rules? Are you the same person as "submit@zuka.net"?
>
There were a bunch of rules just sitting inside of the directory. I am assuming these are not needed and so I put them into a temp directory that I will delete later once all is well.

Yes I am the same person as submit@zuka.net but when I sent the first email from that address, I realized that I might not be able to receive a reply because I was not receiving email. So, I had to use a different account. Sorry for the extra BW.
>
>> As far as the permissions problem goes, I am using Postfix and
>> MailScanner is running as user Postfix but isn't it trying to access the
>> usr_prefs in the root home directory?
>>
>
> Not if the error comes from starting the service.
>
It does not happen when starting but does show up when running debug:

MailScanner --debug
In Debugging mode, not forking...
Trying to setlogsock(unix)
Use of uninitialized value in concatenation (.) or string at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin.pm line 1088.
Use of uninitialized value in concatenation (.) or string at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin.pm line 1090.
Building a message batch to scan...
Have a batch of 1 message.
max message size is '30000'
config: path "//.spamassassin/user_prefs" is inaccessible: Permission denied
max message size is '100000'
Stopping now as you are debugging me.

This debug session took about 5 minutes to run so something is really bogged down but it might very well be the permissions problems.

> I never did that before I don't
>
>> think as I believe we were using local.cf for site wide prefs?
>>
>
> All files in /etc/mail/spamassassin are used for SA configuration. And
> there should be a symlink to /etc/MailScanner/spamassassin.prefs.conf.
> Compare the two for duplicates.
>
> Also, there is a very good tutorial for postfix+MailScanner on the MS
> documentation site. Read it and follow it. If there are still permission
> errors in your config you should find them this way!
>
I will have a look if I can stay awake ;-)
> You did run the update_mailscanner_conf script after upgrading, did you?
>
Yes of course.
> Kai
>
>

-- 
Dave Filchak
Instructor, School of Communications Arts
Seneca College @ York
Office: Room 1068

From Denis.Beauchemin at USherbrooke.ca Thu Jan 8 15:07:28 2009
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Thu Jan 8 15:07:54 2009
Subject: Upgrade fron 4.61.7 to 4.74.13-2
In-Reply-To: <49660D57.2040107@senecac.on.ca>
References: <20090108071334.6t3eri15gc0ggkk4@manage.zuka.net> <49660685.80304@USherbrooke.ca> <49660D57.2040107@senecac.on.ca>
Message-ID: <496616B0.1060100@USherbrooke.ca>

Dave Filchak wrote:
> Denis,
>
> Denis Beauchemin wrote:
>> submit@zuka.net wrote:
>>> Right off the top I need to ask you all to bear with me. I have not
>>> had to administer my email server in a number of years as I had
>>> another person doing it. Now, he has left and so here I am trying to
>>> make this work and at this point, no mail is flowing but the mail
>>> queue is growing.
>>>
>>> I updated MailScanner and Clam/Spamassassin using Julian's install
>>> routines. All seemed to go OK but the mail queue seems to be stuck
>>> and I have a few errors when I lint the install. I know some others
>>> have had some issues with the mail queue after this upgrade but I am
>>> not sure it is the same issues here. I have been up all night trying
>>> to get this to work so I really could use some help with this.
>>>
>>> Here is the output of MailScanner --lint
>>>
>>> [root@rosewood ~]# MailScanner --lint
>>> Trying to setlogsock(unix)
>>> Read 848 hostnames from the phishing whitelist
>>> Read 4096 hostnames from the phishing blacklist
>>> Config: calling custom init function SQLBlacklist
>>> Starting up SQL Blacklist
>>> Read 3 blacklist entries
>>> Config: calling custom init function MailWatchLogging
>>> Started SQL Logging child
>>> Config: calling custom init function SQLWhitelist
>>> Starting up SQL Whitelist
>>> Read 60 whitelist entries
>>> Checking version numbers...
>>> Version number in MailScanner.conf (4.74.13) is correct.
>>>
>>> Your envelope_sender_header in spam.assassin.prefs.conf is correct.
>>> MailScanner setting GID to (80)
>>> MailScanner setting UID to (80)
>>>
>>> Checking for SpamAssassin errors (if you use it)...
>>> Using SpamAssassin results cache
>>> Connected to SpamAssassin cache database
>>> config: path "//.spamassassin/user_prefs" is inaccessible:
>>> Permission denied
>>>
>>> ... obviously this one is an issue but not sure why it cannot
>>> access it.
>>>
>>> config: configuration file
>>> "/etc/mail/spamassassin/updates_spamassassin_org/20_advance_fee.cf"
>>> requires version 3.002003 of SpamAssassin, but this is code version
>>> 3.002005. Maybe you need to use the -C switch, or remove the old
>>> config files? Skipping this file at
>>> /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf/Parser.pm line
>>> 372.
>>> config: configuration file
>>> "/etc/mail/spamassassin/updates_spamassassin_org/20_advance_fee.cf"
>>> requires version 3.002003 of SpamAssassin, but this is code version
>>> 3.002005. Maybe you need to use the -C switch, or remove the old
>>> config files? Skipping this file
>>> config: configuration file
>>> "/etc/mail/spamassassin/updates_spamassassin_org/20_body_tests.cf"
>>> requires version 3.002003 of SpamAssassin, but this is code version
>>> 3.002005. Maybe you need to use the -C switch, or remove the old
>>> config files? Skipping this file at
>>> /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf/Parser.pm line
>>> 372.
>>> config: configuration file
>>> "/etc/mail/spamassassin/updates_spamassassin_org/20_body_tests.cf"
>>> requires version 3.002003 of SpamAssassin, but this is code version
>>> 3.002005. Maybe you need to use the -C switch, or remove the old
>>> config files? Skipping this file
>>> config: configuration file
>>> "/etc/mail/spamassassin/updates_spamassassin_org/20_compensate.cf"
>>> requires version 3.002003 of SpamAssassin, but this is code version
>>> 3.002005. Maybe you need to use the -C switch, or remove the old
>>> config files? Skipping this file at
>>> /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf/Parser.pm line
>>> 372.
>>>
>>
>> Dave,
>>
>> On my RHEL 4.6 server my SA files are located in
>> /var/lib/spamassassin, so I would delete the ones in
>> /etc/mail/spamassassin/updates*
>>
>> For your permission problem, you must be using Postfix so try to
>> access the file under the postfix user.
>>
>> Denis
>>
> In /var/lib/spamassassin/3.002005/updates_spamassassin_org there are
> many of the rule files. There is also another bunch at
> /var/lib/spamassassin/3.001001/updates_spamassassin_org, which is from
> the previous version. Can I just delete this older directory? When I
> move the rules in /etc/mail/spamassassin/ into a temp directory, I no
> longer get that specific error but I am not sure if the rules and
> spamassassin are functioning or not.
>
> As far as the permissions problem goes, I am using Postfix and
> MailScanner is running as user Postfix but isn't it trying to access
> the usr_prefs in the root home directory? I never did that before I
> don't think as I believe we were using local.cf for site wide prefs?
>
> Dave
>

Dave,

Remove that directory from /etc/mail/spamassassin and test SA with "spamassassin --lint -D". You should see lines such as:

[13334] dbg: config: read file /var/lib/spamassassin/3.002005/updates_spamassassin_org/60_whitelist_dkim.cf

I am not really sure how to debug for Postfix, but I would do "su - postfix" and then try "/usr/sbin/MailScanner --lint".

Denis

-- 
   _
  °v°   Denis Beauchemin, analyst
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From dgottsc at emory.edu Thu Jan 8 15:17:14 2009
From: dgottsc at emory.edu (Gottschalk, David) Date: Thu Jan 8 15:17:11 2009 Subject: Anti-spear-phishing, round 2 In-Reply-To: <4965292E.1070209@ecs.soton.ac.uk> References: <4963D91A.9060304@ecs.soton.ac.uk> <4965292E.1070209@ecs.soton.ac.uk> Message-ID: Well, I messed around with it some more this AM, but still no luck. SpamAssassin is seeing the new rule, and filtering properly (I can see it score the message in the logs when I send a test message to one of the filter addresses); however, for some reason it's not following my rule in MailScanner.conf. Here is what I have: SpamAssassin Rule Actions = JKF_ANTI_PHISH=>not-deliver,store,forward dgottsc@emory.edu, header "X-Anti-Phish: Was to _TO_" Any ideas? David Gottschalk Emory University UTS Messaging Team -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: Wednesday, January 07, 2009 5:14 PM To: MailScanner discussion Subject: Re: Anti-spear-phishing, round 2 On 7/1/09 21:00, Gottschalk, David wrote: > Julian, > Thanks for posting this! This is going to make my life a lot easier. I plan on installing it on all of my machines with mailscanner. I'll let you know how well it works. I've got it installed on one machine right now, I'm just trying to figure out how to get the spam assassin rule actions to work properly right now. For some reason it's not following the rule actions even though it matches it. > Check your maillog, that will show if anything is wrong. Don't put a comma in the text of the header for starters, it breaks my parser :-( If you get really stuck, feel free to ask for help :) Jules. > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field > Sent: Tuesday, January 06, 2009 5:20 PM > To: MailScanner discussion > Subject: Anti-spear-phishing, round 2 > > I have done a load of work on my script that uses the anti-spear-phishing addresses database. > > The main thing is now that it is pretty much a finished script, and is directly usable by you guys without you having to do much to it except read the settings at the top and tweak the filenames if you want to change where it puts things. > > I have taken a lot of care to ensure that this won't match any false alarms, I don't just dumbly look for the strings in any surrounding text, which certain commercial AV vendors have been caught doing in the past! > > I make a suggestion in the comments at the top of the script about how I use the rule within MailScanner, you probably want to do something similar, and not just delete anything that matches, just in case you do get any false alarms. > > It also looks for numbers at the end of the username bit of the address, and assumes that these are numbers which the scammers may change; so if it finds them, it replaces them with a pattern that will match any number instead. There's starting to be a lot of this about, as it's the easiest way for the scammers to try to defeat simple address lists targeted against them, while still being able to remember what addresses they have to check for replies from your dumb users. :-) I thought I would make it a tiny bit harder for them... > > You can also add addresses of your own (which can include "*" as a wildcard character to mean "any series of valid characters" in the email address), one address per line, in an optional extra file. Again, read the top of the script and you'll see it mentioned there. That file is optional, it doesn't matter if it doesn't exist. As a starter, you might want to put m i c h a e l l o u c a s * @ g m a i l . 
c o m (without the extra spaces) in that file, as it will nicely catch a lot of "Job opportunity" spams. > > It looks for any of these addresses appearing **anywhere** in the message, not just in the headers. So if you start talking to people about these addresses, don't be surprised when the messages get caught by the trap. > > It does a "wget", so make sure you have that binary installed, or else change the script to fetch the file by some other means. > > The very end of the script does a "service MailScanner restart", so if you need some other command to restart MailScanner, then edit it for your system. It needs to be a "restart" and not a "reload" as I have to force it to re-build the database of SpamAssassin rules. > > My aim was that, on a RedHat system running MailScanner, you could just copy the script into /etc/cron.hourly and make it executable, and it will just get on with the job for you. I do advise you read the bit in the script about "SpamAssassin Rule Actions" though. > > Please do let me know how you would like me to improve it, and tell me what you think of it in general (be polite, now! :-) > > Cheers, > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc > > > -- > This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. > > > This e-mail message (including any attachments) is for the sole use of > the intended recipient(s) and may contain confidential and privileged > information. If the reader of this message is not the intended > recipient, you are hereby notified that any dissemination, distribution > or copying of this message (including any attachments) is strictly > prohibited. 
> > If you have received this message in error, please contact > the sender by reply e-mail message and destroy all copies of the > original message (including attachments). > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From maillists at conactive.com Thu Jan 8 15:31:19 2009 
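Added example, not part of the thread and not Julian Field's script: a sketch of the address handling described in the "Anti-spear-phishing, round 2" announcement quoted in the message above, where trailing digits in the username are generalised to any number, "*" is a wildcard for valid address characters, and the match is made anywhere in the message but never inside a longer address. The function names, the character class and every sample address are assumptions constructed for illustration.

```python
import re

# Characters allowed in an address for wildcard expansion and boundary checks.
# This class is an assumption of the example, not taken from the script.
ADDR_CHARS = r"A-Za-z0-9._%+\-"
WILDCARD = f"[{ADDR_CHARS}]*"


def _glob(part: str) -> str:
    """Escape a literal fragment, turning each '*' into the wildcard class."""
    return WILDCARD.join(re.escape(piece) for piece in part.split("*"))


def address_to_pattern(entry: str) -> str:
    """Regex source for one list entry, without the boundary guards."""
    entry = entry.strip().lower()
    local, at, domain = entry.rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an e-mail address: {entry!r}")
    # Digits at the end of the username are assumed to be a counter that the
    # sender rotates, so they become "any number". An all-digit username is
    # kept literal, otherwise the rule would match every numeric mailbox.
    trailing = re.search(r"\d+$", local)
    if trailing and trailing.start() > 0:
        local_rx = _glob(local[:trailing.start()]) + r"\d+"
    else:
        local_rx = _glob(local)
    return f"{local_rx}@{_glob(domain)}"


def load_entries(text: str) -> list:
    """One address per line; blank lines and '#' comments are ignored."""
    lines = (line.strip() for line in text.splitlines())
    return [line for line in lines if line and not line.startswith("#")]


def build_matcher(entries) -> "re.Pattern":
    """One case-insensitive regex for the whole list, guarded on both sides.

    The guards stop a listed address from matching as a substring of a
    longer address: no address character directly before it, and after it
    neither more domain characters nor a further '.label'.
    """
    alternatives = "|".join(address_to_pattern(e) for e in entries)
    guarded = (
        f"(?<![{ADDR_CHARS}])"
        f"(?:{alternatives})"
        r"(?![A-Za-z0-9\-]|\.[A-Za-z0-9])"
    )
    return re.compile(guarded, re.IGNORECASE)


def find_hits(matcher, message_text: str) -> list:
    """Every listed address found anywhere in headers or body."""
    return [m.group(0) for m in matcher.finditer(message_text)]


# Constructed list file and constructed message, for illustration only.
SAMPLE_LIST = """\
# main list
claims2009@example.com
12345@example.org
# local additions, with a wildcard
job.offer*@example.net
"""

SAMPLE_MESSAGE = """\
Subject: Mailbox quota exceeded

Send your username and password to claims77@example.com today.
You may also write to Job.Offer.uk3@example.net.
No match expected: notclaims2009@example.com, claims2009@example.com.invalid
"""

if __name__ == "__main__":
    matcher = build_matcher(load_entries(SAMPLE_LIST))
    for hit in find_hits(matcher, SAMPLE_MESSAGE):
        print("listed address found:", hit)
```

Because the match runs over the whole message, a mail that merely discusses a listed address is also caught, which is the behaviour the announcement warns about.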
From: maillists at conactive.com (Kai Schaetzl) Date: Thu Jan 8 15:31:35 2009 Subject: Upgrade fron 4.61.7 to 4.74.13-2 In-Reply-To: <49661148.6070305@senecac.on.ca> References: <20090108071334.6t3eri15gc0ggkk4@manage.zuka.net> <49661148.6070305@senecac.on.ca> Message-ID: Dave Filchak wrote on Thu, 08 Jan 2009 09:44:24 -0500: > As I said earlier, I have not been taking care of this server for the > last couple of years or longer. So, I am trying to get it up to date. "yum upgrade" won't take longer than an hour and should have been done first, just to be sure there is nothing overwriting the MailScanner stuff. You should definitely do it now. > However, it will take me some time and I really need to get the mail > stuff updated first. bayes_auto_expire is set to 0. and is not commented out? > > Any idea about the permission error? see my hint about the tutorial in the other mail. Apart from that I have no real idea as I haven't ever seen it. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From dave.filchak at senecac.on.ca Thu Jan 8 15:36:41 2009 
From: dave.filchak at senecac.on.ca (Dave Filchak) Date: Thu Jan 8 15:37:07 2009 Subject: Upgrade fron 4.61.7 to 4.74.13-2 In-Reply-To: References: <20090108071334.6t3eri15gc0ggkk4@manage.zuka.net> <49661148.6070305@senecac.on.ca> Message-ID: <49661D89.6050208@senecac.on.ca> Kai, Kai Schaetzl wrote: > Dave Filchak wrote on Thu, 08 Jan 2009 09:44:24 -0500: > > >> As I said earlier, I have not been taking care of this server for the >> last couple of years or longer. So, I am trying to get it up to date. >> > > "yum upgrade" won't take longer than an hour and should have been done > first, just to be sure there is nothing overwriting the MailScanner stuff. > You should definitely do it now. > > >> However, it will take me some time and I really need to get the mail >> stuff updated first. bayes_auto_expire is set to 0. >> > > and is not commented out? > Nope > >> Any idea about the permission error? >> > > see my hint about the tutorial in the other mail. Apart from that I have > no real idea as I haven't ever seen it. > > Kai > > From gmcgreevy at pwr-sys.com Thu Jan 8 15:37:59 2009 From: gmcgreevy at pwr-sys.com (Greg J. McGreevy) Date: Thu Jan 8 15:43:58 2009 Subject: MailScanner --lint error References: <567221C09601934AA5CE9762FDA09A5001C3D7@EXCHTEMP.biz.pwr-sys.com><495FBCAE.60204@ecs.soton.ac.uk><567221C09601934AA5CE9762FDA09A5001C3D9@EXCHTEMP.biz.pwr-sys.com><496083A2.2090909@ecs.soton.ac.uk><567221C09601934AA5CE9762FDA09A5001C3DA@EXCHTEMP.biz.pwr-sys.com><72cf361e0901041213g512c4b70x84c3ad8ebeec55fc@mail.gmail.com><567221C09601934AA5CE9762FDA09A5001C3DE@EXCHTEMP.biz.pwr-sys.com> Message-ID: <567221C09601934AA5CE9762FDA09A5001C3EC@EXCHTEMP.biz.pwr-sys.com> I replied to your message Kai look in your other account ________________________________ 
From: mailscanner-bounces@lists.mailscanner.info on behalf of Kai Schaetzl Sent: Tue 1/6/2009 5:58 AM To: mailscanner@lists.mailscanner.info Subject: Re: MailScanner --lint error Greg J. McGreevy wrote on Mon, 5 Jan 2009 22:44:22 -0500: > Syntax error(s) in configuration file: at /usr/lib/MailScanner/MailScanner/Config.pm line 1937 > Unrecognised keyword "spamassassinprefsfile" at line 2789 at /usr/lib/MailScanner/MailScanner/Config.pm > line 1940 > Warning: syntax errors in /etc/MailScanner/MailScanner.conf. at /usr/lib/MailScanner/MailScanner/Config.pm > line 1945 There is no such option. The only one I can find is "MCP SpamAssassin Prefs File". Is that the one you edited? I find that you are making the same mistake over and over: you post some error and that's it. The *least* you would do with the above is go to line 2789 and show us that line and the surroundings and tell us what you did. (My MailScanner.conf stops at 2788, though.) > > I added the list to the sa-update per your instructions per "whose" instructions? but I have > no idea to tell if it is in fact working you look in /var/lib/spamassassin if it gets filled. It's explained all there where I pointed you earlier: http://wiki.apache.org/spamassassin/RuleUpdates any insight on this would > be helpful also Rules do jour does not appear to be present in my > install so I skipped those steps is that correct? rules du jour is deprecated, one should use channels. Which tutorial did you follow? Again, you make the mistake of not giving any insight of what you really did. I don't see that Martin gave you instructions in this regard and I can't find a section "Getting the most out of Spamassassin" on the MS wiki (although I think I remember there was one). So, what exactly are you referring to? > > Also If I create a new User called spam and have all of my users forward > their spam there to train bayes will that mess up the tests becuse > they will be seen as all forwards? 
Again from the SA wiki, this may be helpful: http://wiki.apache.org/spamassassin/ResendingMailWithHeaders > I am kind of at my wits end with this and about to throw in the towel. I think you are just not following instructions (whichever you used) carefully enough. Or you used the wrong instructions (those corebsd instructions are not how I would do an install on CentOS) or are mixing them (there's often more than one way to do it right, but you usually can't mix them). Also, you don't seem to keep "old working good configuration", so you can easily check where the mistake was made. Anyway, if you are interested, you can contact me under the address I use here and we can arrange something. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From dave.filchak at senecac.on.ca Thu Jan 8 15:44:58 2009 
From: dave.filchak at senecac.on.ca (Dave Filchak) Date: Thu Jan 8 15:45:08 2009 Subject: Upgrade fron 4.61.7 to 4.74.13-2 In-Reply-To: <496616B0.1060100@USherbrooke.ca> References: <20090108071334.6t3eri15gc0ggkk4@manage.zuka.net> <49660685.80304@USherbrooke.ca> <49660D57.2040107@senecac.on.ca> <496616B0.1060100@USherbrooke.ca> Message-ID: <49661F7A.2090607@senecac.on.ca> Denis, Denis Beauchemin wrote: > Dave Filchak a ?crit : >> Denis, >> >> Denis Beauchemin wrote: >>> submit@zuka.net a ?crit : >>>> Right off the top I need to ask you all to bear with me. I have not >>>> had to administer my email server in a number of years as I had >>>> another person doing it. Now, he has left and so here I am trying >>>> to make this work and at this point, no mail is flowing but the >>>> mail queue is growing. >>>> >>>> I updated MailScanner and Clam/Spamassassin using Julian's install >>>> routines. All seemed to go OK but the mail queue seems to be stuck >>>> and I have a few errors when I lint the install. I know some other >>>> have had some issues with the mail queue after this upgrade but I >>>> am not sure it is the same issues here. I have been up all night >>>> trying to get this to work so I really could use some help with this. >>>> >>>> Here is the output of MailScanner --lint >>>> >>>> [root@rosewood ~]# MailScanner --lint >>>> Trying to setlogsock(unix) >>>> Read 848 hostnames from the phishing whitelist >>>> Read 4096 hostnames from the phishing blacklist >>>> Config: calling custom init function SQLBlacklist >>>> Starting up SQL Blacklist >>>> Read 3 blacklist entries >>>> Config: calling custom init function MailWatchLogging >>>> Started SQL Logging child >>>> Config: calling custom init function SQLWhitelist >>>> Starting up SQL Whitelist >>>> Read 60 whitelist entries >>>> Checking version numbers... >>>> Version number in MailScanner.conf (4.74.13) is correct. >>>> >>>> Your envelope_sender_header in spam.assassin.prefs.conf is correct. 
>>>> MailScanner setting GID to (80) >>>> MailScanner setting UID to (80) >>>> >>>> Checking for SpamAssassin errors (if you use it)... >>>> Using SpamAssassin results cache >>>> Connected to SpamAssassin cache database >>>> config: path "//.spamassassin/user_prefs" is inaccessible: >>>> Permission denied >>>> >>>> ... obviously this one is an issue but not sure why it cannot >>>> access it. >>>> >>>> config: configuration file >>>> "/etc/mail/spamassassin/updates_spamassassin_org/20_advance_fee.cf" >>>> requires version 3.002003 of SpamAssassin, but this is code version >>>> 3.002005. Maybe you need to use the -C switch, or remove the old >>>> config files? Skipping this file at >>>> /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf/Parser.pm >>>> line 372. >>>> config: configuration file >>>> "/etc/mail/spamassassin/updates_spamassassin_org/20_advance_fee.cf" >>>> requires version 3.002003 of SpamAssassin, but this is code version >>>> 3.002005. Maybe you need to use the -C switch, or remove the old >>>> config files? Skipping this file >>>> config: configuration file >>>> "/etc/mail/spamassassin/updates_spamassassin_org/20_body_tests.cf" >>>> requires version 3.002003 of SpamAssassin, but this is code version >>>> 3.002005. Maybe you need to use the -C switch, or remove the old >>>> config files? Skipping this file at >>>> /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf/Parser.pm >>>> line 372. >>>> config: configuration file >>>> "/etc/mail/spamassassin/updates_spamassassin_org/20_body_tests.cf" >>>> requires version 3.002003 of SpamAssassin, but this is code version >>>> 3.002005. Maybe you need to use the -C switch, or remove the old >>>> config files? Skipping this file >>>> config: configuration file >>>> "/etc/mail/spamassassin/updates_spamassassin_org/20_compensate.cf" >>>> requires version 3.002003 of SpamAssassin, but this is code version >>>> 3.002005. Maybe you need to use the -C switch, or remove the old >>>> config files? 
Skipping this file at >>>> /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf/Parser.pm >>>> line 372. >>>> >>> >>> Dave, >>> >>> On my RHEL 4.6 server my SA files are located in >>> /var/lib/spamassassin, so I would delete the ones in >>> /etc/mail/spamassassin/updates* >>> >>> For your permission problem, you must be usins Postfix so try to >>> access the file under the postfix user. >>> >>> Denis >>> >> In /var/lib/spamassassin/3.002005/updates_spamassassin_org there are >> many of the rule files. There is also another bunch at >> /var/lib/spamassassin/3.001001/updates_spamassassin_org, which is >> from the previous version. Can I just delete this older directory? >> When I move the rules in /etc/mail/spamassassin/ into a temp >> directory, I no longer get that specific error but I am not sure if >> the rules and spamassassin are functioning or not. >> >> As far as the permissions problem goes, I am using Postfix and >> MailScanner is running as user Postfix but isn't it trying to access >> the usr_prefs in the root home directory? I never did that before I >> don't thing as I believe we were using local.cf for site wide prefs? >> >> Dave >> > > Dave, > > Remove that directory from /etc/mail/spamassassin and test SA with > "spamassassin --lint -D". You should see lines such as: > [13334] dbg: config: read file > /var/lib/spamassassin/3.002005/updates_spamassassin_org/60_whitelist_dkim.cf > > > I am not really sure how to debug for Postfix, but I would do "su - > postfix" and then try "/usr/sbin/MailScanner --lint". Unfortunately, the user Postfix is set to nologin ( postfix:x:80:80:Postfix Mail Server:/:/sbin/nologin ) so I cannot sudo to it ) I believe it is running without errors now but is still trying to use /root/,spamassassin/usr_prefs as the preference file. Now that could be simply when you run --lint or --debug. There is a way to specify which conf file to use when debugging .. isn't there? 
Dave > > Denis > -- Dave Filchak Instructor, School of Communications Arts Seneca College @ York Office: Room 1068 From glenn.steen at gmail.com Thu Jan 8 16:09:29 2009 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Jan 8 16:09:44 2009 Subject: Upgrade fron 4.61.7 to 4.74.13-2 In-Reply-To: <49661F7A.2090607@senecac.on.ca> References: <20090108071334.6t3eri15gc0ggkk4@manage.zuka.net> <49660685.80304@USherbrooke.ca> <49660D57.2040107@senecac.on.ca> <496616B0.1060100@USherbrooke.ca> <49661F7A.2090607@senecac.on.ca> Message-ID: <223f97700901080809i456904ferb64df26e7b44ae05@mail.gmail.com> 2009/1/8 Dave Filchak : > Denis, > > Denis Beauchemin wrote: >> >> Dave Filchak a ?crit : >>> >>> Denis, >>> >>> Denis Beauchemin wrote: >>>> >>>> submit@zuka.net a ?crit : >>>>> >>>>> Right off the top I need to ask you all to bear with me. I have not had >>>>> to administer my email server in a number of years as I had another person >>>>> doing it. Now, he has left and so here I am trying to make this work and at >>>>> this point, no mail is flowing but the mail queue is growing. >>>>> >>>>> I updated MailScanner and Clam/Spamassassin using Julian's install >>>>> routines. All seemed to go OK but the mail queue seems to be stuck and I >>>>> have a few errors when I lint the install. I know some other have had some >>>>> issues with the mail queue after this upgrade but I am not sure it is the >>>>> same issues here. I have been up all night trying to get this to work so I >>>>> really could use some help with this. >>>>> >>>>> Here is the output of MailScanner --lint >>>>> >>>>> [root@rosewood ~]# MailScanner --lint >>>>> Trying to setlogsock(unix) >>>>> Read 848 hostnames from the phishing whitelist >>>>> Read 4096 hostnames from the phishing blacklist >>>>> Config: calling custom init function SQLBlacklist >>>>> Starting up SQL Blacklist >>>>> Read 3 blacklist entries >>>>> Config: calling custom init function MailWatchLogging >>>>> Started SQL Logging child >>>>> Config: calling custom init function SQLWhitelist >>>>> Starting up SQL Whitelist >>>>> Read 60 whitelist entries >>>>> Checking version numbers... 
>>>>> Version number in MailScanner.conf (4.74.13) is correct. >>>>> >>>>> Your envelope_sender_header in spam.assassin.prefs.conf is correct. >>>>> MailScanner setting GID to (80) >>>>> MailScanner setting UID to (80) >>>>> >>>>> Checking for SpamAssassin errors (if you use it)... >>>>> Using SpamAssassin results cache >>>>> Connected to SpamAssassin cache database >>>>> config: path "//.spamassassin/user_prefs" is inaccessible: Permission >>>>> denied >>>>> >>>>> ... obviously this one is an issue but not sure why it cannot access >>>>> it. >>>>> >>>>> config: configuration file >>>>> "/etc/mail/spamassassin/updates_spamassassin_org/20_advance_fee.cf" requires >>>>> version 3.002003 of SpamAssassin, but this is code version 3.002005. Maybe >>>>> you need to use the -C switch, or remove the old config files? Skipping this >>>>> file at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf/Parser.pm line >>>>> 372. >>>>> config: configuration file >>>>> "/etc/mail/spamassassin/updates_spamassassin_org/20_advance_fee.cf" requires >>>>> version 3.002003 of SpamAssassin, but this is code version 3.002005. Maybe >>>>> you need to use the -C switch, or remove the old config files? Skipping this >>>>> file >>>>> config: configuration file >>>>> "/etc/mail/spamassassin/updates_spamassassin_org/20_body_tests.cf" requires >>>>> version 3.002003 of SpamAssassin, but this is code version 3.002005. Maybe >>>>> you need to use the -C switch, or remove the old config files? Skipping this >>>>> file at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf/Parser.pm line >>>>> 372. >>>>> config: configuration file >>>>> "/etc/mail/spamassassin/updates_spamassassin_org/20_body_tests.cf" requires >>>>> version 3.002003 of SpamAssassin, but this is code version 3.002005. Maybe >>>>> you need to use the -C switch, or remove the old config files? 
Skipping this >>>>> file >>>>> config: configuration file >>>>> "/etc/mail/spamassassin/updates_spamassassin_org/20_compensate.cf" requires >>>>> version 3.002003 of SpamAssassin, but this is code version 3.002005. Maybe >>>>> you need to use the -C switch, or remove the old config files? Skipping this >>>>> file at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf/Parser.pm line >>>>> 372. >>>>> >>>> >>>> Dave, >>>> >>>> On my RHEL 4.6 server my SA files are located in /var/lib/spamassassin, >>>> so I would delete the ones in /etc/mail/spamassassin/updates* >>>> >>>> For your permission problem, you must be usins Postfix so try to access >>>> the file under the postfix user. >>>> >>>> Denis >>>> >>> In /var/lib/spamassassin/3.002005/updates_spamassassin_org there are many >>> of the rule files. There is also another bunch at >>> /var/lib/spamassassin/3.001001/updates_spamassassin_org, which is from the >>> previous version. Can I just delete this older directory? When I move the >>> rules in /etc/mail/spamassassin/ into a temp directory, I no longer get that >>> specific error but I am not sure if the rules and spamassassin are >>> functioning or not. >>> >>> As far as the permissions problem goes, I am using Postfix and >>> MailScanner is running as user Postfix but isn't it trying to access the >>> usr_prefs in the root home directory? I never did that before I don't thing >>> as I believe we were using local.cf for site wide prefs? >>> >>> Dave >>> >> >> Dave, >> >> Remove that directory from /etc/mail/spamassassin and test SA with >> "spamassassin --lint -D". You should see lines such as: >> [13334] dbg: config: read file >> /var/lib/spamassassin/3.002005/updates_spamassassin_org/60_whitelist_dkim.cf >> >> I am not really sure how to debug for Postfix, but I would do "su - >> postfix" and then try "/usr/sbin/MailScanner --lint". 
> > Unfortunately, the user Postfix is set to nologin ( postfix:x:80:80:Postfix > Mail Server:/:/sbin/nologin ) so I cannot sudo to it ) > You should do "su - postfix -s /bin/bash" to overcome that. Do it as root, and there will be no password questions. And please do all spamassassin tests as the postfix user... it will matter. > I believe it is running without errors now but is still trying to use > /root/,spamassassin/usr_prefs as the preference file. Now that could be > simply when you run --lint or --debug. There is a way to specify which conf > file to use when debugging .. isn't there? It should not try to do this, unless you are running the test as root. So don't ;-). Your MailScanner should have things so that either it places sa-specific things in ~postfix ("/" in your case, which is a bit ... different... Usually set to /var/spool/postfix, or similar), or explicitly put things in /var/spool/MailScanner/spamassassin (appropriately chmoded to allow the postfix user to write there... Including stuff like Razor etc.) > > Dave >> >> Denis >> Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From dave.filchak at senecac.on.ca Thu Jan 8 16:32:47 2009 
From: dave.filchak at senecac.on.ca (Dave Filchak) Date: Thu Jan 8 16:33:02 2009 Subject: Upgrade fron 4.61.7 to 4.74.13-2 In-Reply-To: <223f97700901080809i456904ferb64df26e7b44ae05@mail.gmail.com> References: <20090108071334.6t3eri15gc0ggkk4@manage.zuka.net> <49660685.80304@USherbrooke.ca> <49660D57.2040107@senecac.on.ca> <496616B0.1060100@USherbrooke.ca> <49661F7A.2090607@senecac.on.ca> <223f97700901080809i456904ferb64df26e7b44ae05@mail.gmail.com> Message-ID: <49662AAF.9070601@senecac.on.ca> Glenn, Glenn Steen wrote: > 2009/1/8 Dave Filchak : > >> Denis, >> >> Denis Beauchemin wrote: >> >>> Dave Filchak a ?crit : >>> >>>> Denis, >>>> >>>> Denis Beauchemin wrote: >>>> >>>>> submit@zuka.net a ?crit : >>>>> >>>>>> Right off the top I need to ask you all to bear with me. I have not had >>>>>> to administer my email server in a number of years as I had another person >>>>>> doing it. Now, he has left and so here I am trying to make this work and at >>>>>> this point, no mail is flowing but the mail queue is growing. >>>>>> >>>>>> I updated MailScanner and Clam/Spamassassin using Julian's install >>>>>> routines. All seemed to go OK but the mail queue seems to be stuck and I >>>>>> have a few errors when I lint the install. I know some other have had some >>>>>> issues with the mail queue after this upgrade but I am not sure it is the >>>>>> same issues here. I have been up all night trying to get this to work so I >>>>>> really could use some help with this. 
>>>>>> >>>>>> Here is the output of MailScanner --lint >>>>>> >>>>>> [root@rosewood ~]# MailScanner --lint >>>>>> Trying to setlogsock(unix) >>>>>> Read 848 hostnames from the phishing whitelist >>>>>> Read 4096 hostnames from the phishing blacklist >>>>>> Config: calling custom init function SQLBlacklist >>>>>> Starting up SQL Blacklist >>>>>> Read 3 blacklist entries >>>>>> Config: calling custom init function MailWatchLogging >>>>>> Started SQL Logging child >>>>>> Config: calling custom init function SQLWhitelist >>>>>> Starting up SQL Whitelist >>>>>> Read 60 whitelist entries >>>>>> Checking version numbers... >>>>>> Version number in MailScanner.conf (4.74.13) is correct. >>>>>> >>>>>> Your envelope_sender_header in spam.assassin.prefs.conf is correct. >>>>>> MailScanner setting GID to (80) >>>>>> MailScanner setting UID to (80) >>>>>> >>>>>> Checking for SpamAssassin errors (if you use it)... >>>>>> Using SpamAssassin results cache >>>>>> Connected to SpamAssassin cache database >>>>>> config: path "//.spamassassin/user_prefs" is inaccessible: Permission >>>>>> denied >>>>>> >>>>>> ... obviously this one is an issue but not sure why it cannot access >>>>>> it. >>>>>> >>>>>> config: configuration file >>>>>> "/etc/mail/spamassassin/updates_spamassassin_org/20_advance_fee.cf" requires >>>>>> version 3.002003 of SpamAssassin, but this is code version 3.002005. Maybe >>>>>> you need to use the -C switch, or remove the old config files? Skipping this >>>>>> file at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf/Parser.pm line >>>>>> 372. >>>>>> config: configuration file >>>>>> "/etc/mail/spamassassin/updates_spamassassin_org/20_advance_fee.cf" requires >>>>>> version 3.002003 of SpamAssassin, but this is code version 3.002005. Maybe >>>>>> you need to use the -C switch, or remove the old config files? 
Skipping this >>>>>> file >>>>>> config: configuration file >>>>>> "/etc/mail/spamassassin/updates_spamassassin_org/20_body_tests.cf" requires >>>>>> version 3.002003 of SpamAssassin, but this is code version 3.002005. Maybe >>>>>> you need to use the -C switch, or remove the old config files? Skipping this >>>>>> file at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf/Parser.pm line >>>>>> 372. >>>>>> config: configuration file >>>>>> "/etc/mail/spamassassin/updates_spamassassin_org/20_body_tests.cf" requires >>>>>> version 3.002003 of SpamAssassin, but this is code version 3.002005. Maybe >>>>>> you need to use the -C switch, or remove the old config files? Skipping this >>>>>> file >>>>>> config: configuration file >>>>>> "/etc/mail/spamassassin/updates_spamassassin_org/20_compensate.cf" requires >>>>>> version 3.002003 of SpamAssassin, but this is code version 3.002005. Maybe >>>>>> you need to use the -C switch, or remove the old config files? Skipping this >>>>>> file at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf/Parser.pm line >>>>>> 372. >>>>>> >>>>>> >>>>> Dave, >>>>> >>>>> On my RHEL 4.6 server my SA files are located in /var/lib/spamassassin, >>>>> so I would delete the ones in /etc/mail/spamassassin/updates* >>>>> >>>>> For your permission problem, you must be usins Postfix so try to access >>>>> the file under the postfix user. >>>>> >>>>> Denis >>>>> >>>>> >>>> In /var/lib/spamassassin/3.002005/updates_spamassassin_org there are many >>>> of the rule files. There is also another bunch at >>>> /var/lib/spamassassin/3.001001/updates_spamassassin_org, which is from the >>>> previous version. Can I just delete this older directory? When I move the >>>> rules in /etc/mail/spamassassin/ into a temp directory, I no longer get that >>>> specific error but I am not sure if the rules and spamassassin are >>>> functioning or not. 
>>>> >>>> As far as the permissions problem goes, I am using Postfix and >>>> MailScanner is running as user Postfix but isn't it trying to access the >>>> usr_prefs in the root home directory? I never did that before I don't think >>>> as I believe we were using local.cf for site wide prefs? >>>> >>>> Dave >>>> >>>> >>> Dave, >>> >>> Remove that directory from /etc/mail/spamassassin and test SA with >>> "spamassassin --lint -D". You should see lines such as: >>> [13334] dbg: config: read file >>> /var/lib/spamassassin/3.002005/updates_spamassassin_org/60_whitelist_dkim.cf >>> >>> I am not really sure how to debug for Postfix, but I would do "su - >>> postfix" and then try "/usr/sbin/MailScanner --lint". >>> >> Unfortunately, the user Postfix is set to nologin ( postfix:x:80:80:Postfix >> Mail Server:/:/sbin/nologin ) so I cannot sudo to it ) >> >> > You should do "su - postfix -s /bin/bash" to overcome that. Do it as > root, and there will be no password questions. > And please do all spamassassin tests as the postfix user... it will matter. > OK .. here is what I get: su - postfix -s /bin/bash -bash-3.00$ spamassassin --lint [19715] warn: config: path "//.spamassassin/user_prefs" is inaccessible: Permission denied -bash-3.00$ So, this being that I am logging in now as user postfix and we are still getting this error says the following: when running this as root, obviously MailScanner, running as postfix, could not write to root's home directory. Now, logged in as postfix and, because postfix does not have a login shell, there is no home directory for postfix .. so we still have the same problem. Am I off base here? I cannot be sure but I do not believe we had this error before the upgrade. I even went back through all the config files to make sure there was not some erroneous entry there. So unless I missed it (entirely possible in my state), I am stumped. 
> >> I believe it is running without errors now but is still trying to use >> /root/,spamassassin/usr_prefs as the preference file. Now that could be >> simply when you run --lint or --debug. There is a way to specify which conf >> file to use when debugging .. isn't there? >> > It should not try do this, unless you are running the test as root. > So don't;-). > Well I was yes ... but see my previous entry. > Your MailScanner should have things so that either it places > sa-specific things in ~postfix ("/" in your case, which is a bit ... > different... Usually set to /var/spool/postfix, or similar), or > explicitly put things in /var/spool/MailScanner/spamassassin > (appropriately chmoded to allow the postfix user to write there... > Including stuff like Razor etc. > Well again, I do not know why it is trying to write to ~/postfix, which does not exist but the directories /var/spool/MailScanner/incoming and /var/spool/MailScanner/quarantine all belong to user postfix > Dave From maillists at conactive.com Thu Jan 8 17:31:18 2009 
From: maillists at conactive.com (Kai Schaetzl)
Date: Thu Jan 8 17:31:28 2009
Subject: Upgrade fron 4.61.7 to 4.74.13-2
In-Reply-To: <4966145F.4010305@senecac.on.ca>
References: <20090108071334.6t3eri15gc0ggkk4@manage.zuka.net> <49660685.80304@USherbrooke.ca> <49660D57.2040107@senecac.on.ca> <4966145F.4010305@senecac.on.ca>
Message-ID:

Dave Filchak wrote on Thu, 08 Jan 2009 09:57:35 -0500:

> Use of uninitialized value in concatenation (.) or string at
> /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin.pm line 1088.
> Use of uninitialized value in concatenation (.) or string at
> /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin.pm line 1090.

Run spamassassin --lint and see if you still get that (or any others like the one below). It's not a critical error.

> Building a message batch to scan...
> Have a batch of 1 message.
> max message size is '30000'
> config: path "//.spamassassin/user_prefs" is inaccessible: Permission denied
> max message size is '100000'
> Stopping now as you are debugging me.
>
> This debug session took about 5 minutes to run so something is really
> bogged down but it might very well be the permissions problems.

Well, it sat there for quite a while and then went on with "Have a batch of 1 message", right? It was just waiting for a message to scan, so this isn't a problem. If mail is still not flowing look at your mailscanner.log.
As which user are you running the --debug test?
It seems you are having a problem only with spamassassin and MS itself is okay.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Thu Jan 8 17:31:18 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Thu Jan 8 17:31:28 2009
Subject: Upgrade fron 4.61.7 to 4.74.13-2
In-Reply-To: <49661D89.6050208@senecac.on.ca>
References: <20090108071334.6t3eri15gc0ggkk4@manage.zuka.net> <49661148.6070305@senecac.on.ca> <49661D89.6050208@senecac.on.ca>
Message-ID:

Dave Filchak wrote on Thu, 08 Jan 2009 10:36:41 -0500:

> > and is not commented out?
> >
> Nope

Good. I asked because it seems to be commented out by default in the MS provided spamassassin.prefs.conf and that is easily overlooked.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From mark at msapiro.net Thu Jan 8 17:32:11 2009
From: mark at msapiro.net (Mark Sapiro)
Date: Thu Jan 8 17:32:22 2009
Subject: Anti-spear-phishing, round 2
In-Reply-To:
References: <4963D91A.9060304@ecs.soton.ac.uk> <4965292E.1070209@ecs.soton.ac.uk>
Message-ID: <20090108173211.GA3348@msapiro>

On Wed, Jan 07, 2009 at 06:49:16PM -0600, Rob Freeman wrote:
> Sorry I missed this, and I did try to go back in the mailing list and try to
> download it, but it just came back as a .bin file here in firefox to
> download. Can someone provide a link?

The post is at . It contains a link to which you should be able to download and gunzip.

--
Mark Sapiro mark at msapiro net          The highway is for gamblers,
San Francisco Bay Area, California      better use your sense - B. Dylan

From dave.filchak at senecac.on.ca Thu Jan 8 17:36:09 2009
From: dave.filchak at senecac.on.ca (Dave Filchak) Date: Thu Jan 8 17:36:19 2009 Subject: Upgrade fron 4.61.7 to 4.74.13-2 In-Reply-To: <49662AAF.9070601@senecac.on.ca> References: <20090108071334.6t3eri15gc0ggkk4@manage.zuka.net> <49660685.80304@USherbrooke.ca> <49660D57.2040107@senecac.on.ca> <496616B0.1060100@USherbrooke.ca> <49661F7A.2090607@senecac.on.ca> <223f97700901080809i456904ferb64df26e7b44ae05@mail.gmail.com> <49662AAF.9070601@senecac.on.ca> Message-ID: <49663989.8000406@senecac.on.ca> Just an update: not making progress: Dave Filchak wrote: > Glenn, > > Glenn Steen wrote: >> 2009/1/8 Dave Filchak : >> >>> Denis, >>> >>> Denis Beauchemin wrote: >>> >>>> Dave Filchak a ?crit : >>>> >>>>> Denis, >>>>> >>>>> Denis Beauchemin wrote: >>>>> >>>>>> submit@zuka.net a ?crit : >>>>>> >>>>>>> Right off the top I need to ask you all to bear with me. I have >>>>>>> not had >>>>>>> to administer my email server in a number of years as I had >>>>>>> another person >>>>>>> doing it. Now, he has left and so here I am trying to make this >>>>>>> work and at >>>>>>> this point, no mail is flowing but the mail queue is growing. >>>>>>> >>>>>>> I updated MailScanner and Clam/Spamassassin using Julian's install >>>>>>> routines. All seemed to go OK but the mail queue seems to be >>>>>>> stuck and I >>>>>>> have a few errors when I lint the install. I know some other >>>>>>> have had some >>>>>>> issues with the mail queue after this upgrade but I am not sure >>>>>>> it is the >>>>>>> same issues here. I have been up all night trying to get this to >>>>>>> work so I >>>>>>> really could use some help with this. 
>>>>>>> >>>>>>> Here is the output of MailScanner --lint >>>>>>> >>>>>>> [root@rosewood ~]# MailScanner --lint >>>>>>> Trying to setlogsock(unix) >>>>>>> Read 848 hostnames from the phishing whitelist >>>>>>> Read 4096 hostnames from the phishing blacklist >>>>>>> Config: calling custom init function SQLBlacklist >>>>>>> Starting up SQL Blacklist >>>>>>> Read 3 blacklist entries >>>>>>> Config: calling custom init function MailWatchLogging >>>>>>> Started SQL Logging child >>>>>>> Config: calling custom init function SQLWhitelist >>>>>>> Starting up SQL Whitelist >>>>>>> Read 60 whitelist entries >>>>>>> Checking version numbers... >>>>>>> Version number in MailScanner.conf (4.74.13) is correct. >>>>>>> >>>>>>> Your envelope_sender_header in spam.assassin.prefs.conf is correct. >>>>>>> MailScanner setting GID to (80) >>>>>>> MailScanner setting UID to (80) >>>>>>> >>>>>>> Checking for SpamAssassin errors (if you use it)... >>>>>>> Using SpamAssassin results cache >>>>>>> Connected to SpamAssassin cache database >>>>>>> config: path "//.spamassassin/user_prefs" is inaccessible: >>>>>>> Permission >>>>>>> denied >>>>>>> >>>>>>> ... obviously this one is an issue but not sure why it cannot >>>>>>> access >>>>>>> it. >>>>>>> >>>>>>> config: configuration file >>>>>>> "/etc/mail/spamassassin/updates_spamassassin_org/20_advance_fee.cf" >>>>>>> requires >>>>>>> version 3.002003 of SpamAssassin, but this is code version >>>>>>> 3.002005. Maybe >>>>>>> you need to use the -C switch, or remove the old config files? >>>>>>> Skipping this >>>>>>> file at >>>>>>> /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf/Parser.pm >>>>>>> line >>>>>>> 372. >>>>>>> config: configuration file >>>>>>> "/etc/mail/spamassassin/updates_spamassassin_org/20_advance_fee.cf" >>>>>>> requires >>>>>>> version 3.002003 of SpamAssassin, but this is code version >>>>>>> 3.002005. Maybe >>>>>>> you need to use the -C switch, or remove the old config files? 
>>>>>>> Skipping this >>>>>>> file >>>>>>> config: configuration file >>>>>>> "/etc/mail/spamassassin/updates_spamassassin_org/20_body_tests.cf" >>>>>>> requires >>>>>>> version 3.002003 of SpamAssassin, but this is code version >>>>>>> 3.002005. Maybe >>>>>>> you need to use the -C switch, or remove the old config files? >>>>>>> Skipping this >>>>>>> file at >>>>>>> /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf/Parser.pm >>>>>>> line >>>>>>> 372. >>>>>>> config: configuration file >>>>>>> "/etc/mail/spamassassin/updates_spamassassin_org/20_body_tests.cf" >>>>>>> requires >>>>>>> version 3.002003 of SpamAssassin, but this is code version >>>>>>> 3.002005. Maybe >>>>>>> you need to use the -C switch, or remove the old config files? >>>>>>> Skipping this >>>>>>> file >>>>>>> config: configuration file >>>>>>> "/etc/mail/spamassassin/updates_spamassassin_org/20_compensate.cf" >>>>>>> requires >>>>>>> version 3.002003 of SpamAssassin, but this is code version >>>>>>> 3.002005. Maybe >>>>>>> you need to use the -C switch, or remove the old config files? >>>>>>> Skipping this >>>>>>> file at >>>>>>> /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf/Parser.pm >>>>>>> line >>>>>>> 372. >>>>>>> >>>>>>> >>>>>> Dave, >>>>>> >>>>>> On my RHEL 4.6 server my SA files are located in >>>>>> /var/lib/spamassassin, >>>>>> so I would delete the ones in /etc/mail/spamassassin/updates* >>>>>> >>>>>> For your permission problem, you must be usins Postfix so try to >>>>>> access >>>>>> the file under the postfix user. >>>>>> >>>>>> Denis >>>>>> >>>>>> >>>>> In /var/lib/spamassassin/3.002005/updates_spamassassin_org there >>>>> are many >>>>> of the rule files. There is also another bunch at >>>>> /var/lib/spamassassin/3.001001/updates_spamassassin_org, which is >>>>> from the >>>>> previous version. Can I just delete this older directory? 
When I >>>>> move the >>>>> rules in /etc/mail/spamassassin/ into a temp directory, I no >>>>> longer get that >>>>> specific error but I am not sure if the rules and spamassassin are >>>>> functioning or not. >>>>> >>>>> As far as the permissions problem goes, I am using Postfix and >>>>> MailScanner is running as user Postfix but isn't it trying to >>>>> access the >>>>> usr_prefs in the root home directory? I never did that before I >>>>> don't thing >>>>> as I believe we were using local.cf for site wide prefs? >>>>> >>>>> Dave >>>>> >>>>> >>>> Dave, >>>> >>>> Remove that directory from /etc/mail/spamassassin and test SA with >>>> "spamassassin --lint -D". You should see lines such as: >>>> [13334] dbg: config: read file >>>> /var/lib/spamassassin/3.002005/updates_spamassassin_org/60_whitelist_dkim.cf >>>> >>>> >>>> I am not really sure how to debug for Postfix, but I would do "su - >>>> postfix" and then try "/usr/sbin/MailScanner --lint". >>>> >>> Unfortunately, the user Postfix is set to nologin ( >>> postfix:x:80:80:Postfix >>> Mail Server:/:/sbin/nologin ) so I cannot sudo to it ) >>> >>> >> You should do "su - postfix -s /bin/bash" to overcome that. Do it as >> root, and there will be no password questions. >> And please do all spamassassin tests as the postfix user... it will >> matter. >> > OK .. here is what I get: > > su - postfix -s /bin/bash > -bash-3.00$ spamassassin --lint > [19715] warn: config: path "//.spamassassin/user_prefs" is > inaccessible: Permission denied > -bash-3.00$ > > So, this being that I am logging in now as user postfix and we are > still getting this error says the following: when running this as > root, obviously MailScanner, running as postfix, could not write the > roots home directory. Now, logged in a postfix and, because postfix > does not have a login shell, there is no home directory for postfix .. > so we still have the same problem. Am I off base here? 
I cannot be > sure but I do not believe we had this error before the upgrade. I even > went back through all the config file to make sure there was not some > erroneous entry there. So unless I missed it (entirely possible in my > state), I am stumped. >> >>> I believe it is running without errors now but is still trying to use >>> /root/,spamassassin/usr_prefs as the preference file. Now that could be >>> simply when you run --lint or --debug. There is a way to specify >>> which conf >>> file to use when debugging .. isn't there? >>> >> It should not try do this, unless you are running the test as root. >> So don't;-). >> > > Well I was yes ... but see my previous entry. >> Your MailScanner should have things so that either it places >> sa-specific things in ~postfix ("/" in your case, which is a bit ... >> different... Usually set to /var/spool/postfix, or similar), or >> explicitly put things in /var/spool/MailScanner/spamassassin >> (appropriately chmoded to allow the postfix user to write there... >> Including stuff like Razor etc. >> > Well again, I do not know why it is trying to write to ~/postfix, > which does not exist but the directories > /var/spool/MailScanner/incoming and /var/spool/MailScanner/quarantine > all belong to user postfix >> So, running as user postfix, I seem to be in worse shape. I am going to list the output here in the hopes that someone might have a clue. I have tried everything I can think of but as I said, I am very much out of practice here. Also, I have been up for about 35 hours now so I have to get a few hours of shuteye with the hopes that none of my clients freak out. Here is the output from --debug as user postfix. /usr/sbin/MailScanner --debug Can't call method "close" on an undefined value at /usr/sbin/mailscanner_create_locks line 47. Error: Attempt to create locks in /var/spool/MailScanner/incoming/Locks failed! Can't call method "close" on an undefined value at /usr/sbin/mailscanner_create_locks line 47. 
Error: Attempt to create locks in /var/spool/MailScanner/incoming/Locks failed! In Debugging mode, not forking... Trying to setlogsock(unix) Use of uninitialized value in concatenation (.) or string at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin.pm line 1088. Use of uninitialized value in concatenation (.) or string at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin.pm line 1090. Building a message batch to scan... Day too small - -94956 > -24856 Sec too small - -94956 < 74752 Have a batch of 3 messages. max message size is '30000' config: path "//.spamassassin/user_prefs" is inaccessible: Permission denied max message size is '30000' config: path "//.spamassassin/user_prefs" is inaccessible: Permission denied max message size is '30000' config: path "//.spamassassin/user_prefs" is inaccessible: Permission denied max message size is '100000' max message size is '100000' max message size is '100000' Stopping now as you are debugging me. -bash-3.00$ commit ineffective with AutoCommit enabled at /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93, line 1194. From dave.filchak at senecac.on.ca Thu Jan 8 17:44:13 2009 
From: dave.filchak at senecac.on.ca (Dave Filchak) Date: Thu Jan 8 17:44:24 2009 Subject: Upgrade fron 4.61.7 to 4.74.13-2 In-Reply-To: References: <20090108071334.6t3eri15gc0ggkk4@manage.zuka.net> <49660685.80304@USherbrooke.ca> <49660D57.2040107@senecac.on.ca> <4966145F.4010305@senecac.on.ca> Message-ID: <49663B6D.1030800@senecac.on.ca> Kai Schaetzl wrote: > Dave Filchak wrote on Thu, 08 Jan 2009 09:57:35 -0500: > > >> Use of uninitialized value in concatenation (.) or string at >> /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin.pm line 1088. >> Use of uninitialized value in concatenation (.) or string at >> /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin.pm line 1090. >> > > Run spamassassin --lint and see if you still get that (or any others like the > one below). It's not a critical error. > > > >> Building a message batch to scan... >> Have a batch of 1 message. >> max message size is '30000' >> config: path "//.spamassassin/user_prefs" is inaccessible: Permission denied >> max message size is '100000' >> Stopping now as you are debugging me. >> >> This debug session took about 5 minutes to run so something is really >> bogged down but it might very well be the permissions problems. >> > > Well, it sat there for quite a while and then went on with "Have a batch of 1 > message", right? It was just waiting for a message to scan, so this isn't a > problem. If mail is still not flowing look at your mailscanner.log. > As which user are you running the --debug test? > It seems you are having a problem only with spamassassin and MS itself is > okay. > > I am running the test as user postfix, as this is the RunAs user. Also, I do not seem to have mailscanner.log. Where is it supposed to be? Dave From maillists at conactive.com Thu Jan 8 17:54:17 2009 
From: maillists at conactive.com (Kai Schaetzl)
Date: Thu Jan 8 17:54:26 2009
Subject: Upgrade fron 4.61.7 to 4.74.13-2
In-Reply-To: <49662AAF.9070601@senecac.on.ca>
References: <20090108071334.6t3eri15gc0ggkk4@manage.zuka.net> <49660685.80304@USherbrooke.ca> <49660D57.2040107@senecac.on.ca> <496616B0.1060100@USherbrooke.ca> <49661F7A.2090607@senecac.on.ca> <223f97700901080809i456904ferb64df26e7b44ae05@mail.gmail.com> <49662AAF.9070601@senecac.on.ca>
Message-ID:

Dave Filchak wrote on Thu, 08 Jan 2009 11:32:47 -0500:

> >> Unfortunately, the user Postfix is set to nologin ( postfix:x:80:80:Postfix
> >> Mail Server:/:/sbin/nologin ) so I cannot sudo to it )

look at the homedir!

> su - postfix -s /bin/bash
> -bash-3.00$ spamassassin --lint
> [19715] warn: config: path "//.spamassassin/user_prefs" is inaccessible:
> Permission denied
> -bash-3.00$

you get this strange path because your postfix user has the wrong homedir. It should be /var/spool/postfix (That also shows that you don't have to su to postfix, it's running as postfix, anyway.)
If your mail is still not flowing that might also be the reason for it.

> I am
> stumped.

This error is absolutely non-critical and can be ignored:

[14255] dbg: config: mkdir /var/spool/postfix/.spamassassin failed: mkdir /var/spool/postfix/.spamassassin: Permission denied at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin.pm line 1577
[14255] dbg: config: Permission denied

I'm just wondering why you get this error shown at all. It shouldn't show up with a simple "spamassassin --lint" (you wrote you ran that, without -D), only with "spamassassin --lint -D". I wonder if you have a mix of an older and newer SA on your system. The output level of --lint has been changed several times during the last year or so, so that it stops outputting uncritical errors.

I would really advise to remove the SA package, upgrade your CentOS and then reapply it. I have to say that I'm not using the "easy install" package provided by Jules. I always roll my own which is *very* easy to do as they provide a working spec file in their source. You just build it with the command given on the download page and it works. You may want to try it this way.

Maybe Jules has an idea, what's wrong with your SA installation (if there is anything wrong).

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From mark at msapiro.net Thu Jan 8 17:54:21 2009
From: mark at msapiro.net (Mark Sapiro)
Date: Thu Jan 8 17:54:37 2009
Subject: Anti-spear-phishing, round 2
In-Reply-To: <4963D91A.9060304@ecs.soton.ac.uk>
Message-ID:

Julian Field wrote:
>
>It also looks for numbers at the end of the username bit of the address,
>and assumes that these are numbers which the scammers may change; so if
>it finds them, it replaces them with a pattern that will match any
>number instead.

I don't know how significant this is, but in some cases this generates duplicate regexps. For example, there are two addresses (spaces inserted here so I don't trigger the rule) zenithbkloan03 @ comcast.net and zenithbkloan05 @ comcast.net in the google list. This generates the regexp (zenithbkloan\d+\@comcast\.net) twice in the generated rules.

Also, I've been running this for a few days, and other than testing, I've gotten no hits on this rule. Just lucky I guess.

--
Mark Sapiro                             The highway is for gamblers,
San Francisco Bay Area, California      better use your sense - B. Dylan

From MailScanner at ecs.soton.ac.uk Thu Jan 8 18:30:09 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 8 18:30:33 2009 Subject: Anti-spear-phishing, round 2 In-Reply-To: References: <4963D91A.9060304@ecs.soton.ac.uk> <4965292E.1070209@ecs.soton.ac.uk> Message-ID: <49664631.2020207@ecs.soton.ac.uk> Do you have "Log Spam = yes" in your MailScanner.conf? If so, you should see logging of the actions that are produced by this setting. I assume you're running a recent version of MailScanner. Also, remove the space before the word "header", just in case that matters. That line is very hard to parse. On 8/1/09 15:17, Gottschalk, David wrote: > Well, I messed around with it some more this AM, but still no luck. > > SpamAssassin is seeing the new rule, and filtering properly (I can see it score the message in the logs when I send a test message to one of the filter addressed); however, for some reason it's not following my rule in MailScanner.conf. Here is what I have: > > SpamAssassin Rule Actions = JKF_ANTI_PHISH=>not-deliver,store,forward dgottsc@emory.edu, header "X-Anti-Phish: Was to _TO_" > > Any ideas? > > David Gottschalk > Emory University > UTS Messaging Team > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field > Sent: Wednesday, January 07, 2009 5:14 PM > To: MailScanner discussion > Subject: Re: Anti-spear-phishing, round 2 > > > > On 7/1/09 21:00, Gottschalk, David wrote: > >> Julian, >> Thanks for posting this! This is going to make my life a lot easier. I plan on installing it on all of my machines with mailscanner. I'll let you know how well it works. I've got it installed on one machine right now, I'm just trying to figure out how to get the spam assassin rule actions to work properly right now. For some reason it's not following the rule actions even though it matches it. >> >> > Check your maillog, that will show if anything is wrong. Don't put a > comma in the text of the header for starters, it breaks my parser :-( > > If you get really stuck, feel free to ask for help :) > > Jules. > >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field >> Sent: Tuesday, January 06, 2009 5:20 PM >> To: MailScanner discussion >> Subject: Anti-spear-phishing, round 2 >> >> I have done a load of work on my script that uses the anti-spear-phishing addresses database. >> >> The main thing is now that it is pretty much a finished script, and is directly usable by you guys without you having to do much to it except read the settings at the top and tweak the filenames if you want to change where it puts things. >> >> I have taken a lot of care to ensure that this won't match any false alarms, I don't just dumbly look for the strings in any surrounding text, which certain commercial AV vendors have been caught doing in the past! >> >> I make a suggestion in the comments at the top of the script about how I use the rule within MailScanner, you probably want to do something similar, and not just delete anything that matches, just in case you do get any false alarms. >> >> It also looks for numbers at the end of the username bit of the address, and assumes that these are numbers which the scammers may change; so if it finds them, it replaces them with a pattern that will match any number instead. There's starting to be a lot of this about, as it's the easiest way for the scammers to try to defeat simple address lists targeted against them, while still being able to remember what addresses they have to check for replies from your dumb users. :-) I thought I would make it a tiny bit harder for them... >> >> You can also add addresses of your own (which can include "*" as a wildcard character to mean "any series of valid characters" in the email address), one address per line, in an optional extra file. Again, read the top of the script and you'll see it mentioned there. That file is optional, it doesn't matter if it doesn't exist. 
As a starter, you might want to put m i c h a e l l o u c a s * @ g m a i l . c o m (without the extra spaces) in that file, as it will nicely catch a lot of "Job opportunity" spams. >> >> It looks for any of these addresses appearing **anywhere** in the message, not just in the headers. So if you start talking to people about these addresses, don't be surprised when the messages get caught by the trap. >> >> It does a "wget", so make sure you have that binary installed, or else change the script to fetch the file by some other means. >> >> The very end of the script does a "service MailScanner restart", so if you need some other command to restart MailScanner, then edit it for your system. It needs to be a "restart" and not a "reload" as I have to force it to re-build the database of SpamAssassin rules. >> >> My aim was that, on a RedHat system running MailScanner, you could just copy the script into /etc/cron.hourly and make it executable, and it will just get on with the job for you. I do advise you read the bit in the script about "SpamAssassin Rule Actions" though. >> >> Please do let me know how you would like me to improve it, and tell me what you think of it in general (be polite, now! :-) >> >> Cheers, >> >> Jules >> >> -- >> Julian Field MEng CITP CEng >> www.MailScanner.info >> Buy the MailScanner book at www.MailScanner.info/store >> >> MailScanner customisation, or any advanced system administration help? >> Contact me at Jules@Jules.FM >> >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc >> >> >> -- >> This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. >> >> >> This e-mail message (including any attachments) is for the sole use of >> the intended recipient(s) and may contain confidential and privileged >> information. 
If the reader of this message is not the intended >> recipient, you are hereby notified that any dissemination, distribution >> or copying of this message (including any attachments) is strictly >> prohibited. >> >> If you have received this message in error, please contact >> the sender by reply e-mail message and destroy all copies of the >> original message (including attachments). >> >> > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > PGP public key: http://www.jules.fm/julesfm.asc > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > This e-mail message (including any attachments) is for the sole use of > the intended recipient(s) and may contain confidential and privileged > information. If the reader of this message is not the intended > recipient, you are hereby notified that any dissemination, distribution > or copying of this message (including any attachments) is strictly > prohibited. > > If you have received this message in error, please contact > the sender by reply e-mail message and destroy all copies of the > original message (including attachments). > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Thu Jan 8 18:32:32 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 8 18:32:51 2009
Subject: Anti-spear-phishing, round 2
In-Reply-To:
References:
Message-ID: <496646C0.3040506@ecs.soton.ac.uk>

On 8/1/09 17:54, Mark Sapiro wrote:
> Julian Field wrote:
>
>> It also looks for numbers at the end of the username bit of the address,
>> and assumes that these are numbers which the scammers may change; so if
>> it finds them, it replaces them with a pattern that will match any
>> number instead.
>>
>
> I don't know how significant this is, but in some cases this generates
> duplicate regexps. For example, there are two addresses (spaces
> inserted here so I don't trigger the rule) zenithbkloan03 @
> comcast.net and
> zenithbkloan05 @ comcast.net in the google list. This generates the
> regexp (zenithbkloan\d+\@comcast\.net) twice in the generated rules.
>

Yes, fair enough, the resulting rules aren't 100% optimal. But it's pretty close, so I wouldn't worry about it. As they are sorted into alphabetical order, the duplicate rules will be in the same rule, so in the same regexp, with the result that Perl will optimise out the duplicate one anyway. So I really wouldn't worry about that.

It's not worth fixing. But I will anyway :-)

> Also, I've been running this for a few days, and other than testing,
> I've gotten no hits on this rule. Just lucky I guess.
>

Some sites get hit by spear-phishing more than others. Particularly educational institutions.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From Denis.Beauchemin at USherbrooke.ca Thu Jan 8 18:41:36 2009
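
The pattern generation Julian Field describes in this thread, and the duplicate Mark Sapiro reports, sketched in Python as an added example; this is not Julian Field's script or any code from the thread. The character class used for "*", keeping all-digit user names literal, the boundary lookarounds, the function names and the example.com / example.org addresses are assumptions made here.

```python
import re

# Assumption (not from the thread): the characters "*" may stand for.
ADDR_CHARS = "[A-Za-z0-9._+-]"


def escape(text):
    """Backslash-escape everything except letters, digits and underscore."""
    return re.sub(r"([^A-Za-z0-9_])", r"\\\1", text)


def wild(text):
    """Escape text, turning each '*' into 'any run of address characters'."""
    return (ADDR_CHARS + "*").join(escape(part) for part in text.split("*"))


def address_to_pattern(address):
    """Turn one listed address into a regexp fragment."""
    addr = address.strip().lower()
    local, sep, domain = addr.rpartition("@")
    if not (sep and local and domain):
        raise ValueError("not an address: %r" % address)
    # Digits at the end of the user name become \d+, but only when a
    # non-digit stem precedes them. An all-digit user name stays literal
    # (assumption), otherwise the rule would match every numeric mailbox
    # at that domain.
    m = re.fullmatch(r"(.*[^0-9])[0-9]+", local)
    local_re = wild(m.group(1)) + r"\d+" if m else wild(local)
    return local_re + r"\@" + wild(domain)


def build_patterns(addresses):
    """Deduplicate after generalising, then sort.

    Two listed addresses that differ only in their trailing number collapse
    to the same fragment, so the set removes the duplicate reported above.
    """
    patterns = {address_to_pattern(a) for a in addresses if a.strip()}
    return sorted(patterns)


def compile_rule(patterns):
    """Join the fragments into one alternation with address boundaries.

    The lookarounds (assumption) stop a listed address from matching as a
    substring of a longer, unrelated address.
    """
    if not patterns:
        raise ValueError("no patterns: an empty alternation matches everything")
    body = "|".join(patterns)
    return re.compile(
        r"(?<!%s)(?:%s)(?![A-Za-z0-9-])" % (ADDR_CHARS, body), re.IGNORECASE
    )


# The first two entries are the pair quoted in the thread; the rest are
# constructed for this example.
SAMPLE_ADDRESSES = [
    "zenithbkloan03@comcast.net",
    "zenithbkloan05@comcast.net",
    "job.offer*@example.org",   # constructed wildcard entry
    "12345@example.com",        # constructed all-digit user name
]

if __name__ == "__main__":
    fragments = build_patterns(SAMPLE_ADDRESSES)
    for fragment in fragments:
        print(fragment)
    rule = compile_rule(fragments)
    for text in ("Reply to ZenithBkLoan17@comcast.net today",
                 "xzenithbkloan17@comcast.net",
                 "99999@example.com"):
        print("%-45s %s" % (text, "HIT" if rule.search(text) else "miss"))
```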
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Thu Jan 8 18:42:10 2009 Subject: Upgrade fron 4.61.7 to 4.74.13-2 In-Reply-To: <49663B6D.1030800@senecac.on.ca> References: <20090108071334.6t3eri15gc0ggkk4@manage.zuka.net> <49660685.80304@USherbrooke.ca> <49660D57.2040107@senecac.on.ca> <4966145F.4010305@senecac.on.ca> <49663B6D.1030800@senecac.on.ca> Message-ID: <496648E0.9020903@USherbrooke.ca> Dave Filchak a ?crit : > > > Kai Schaetzl wrote: >> Dave Filchak wrote on Thu, 08 Jan 2009 09:57:35 -0500: >> >> >>> Use of uninitialized value in concatenation (.) or string at >>> /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin.pm line 1088. >>> Use of uninitialized value in concatenation (.) or string at >>> /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin.pm line 1090. >>> >> >> Run spamassassin --lint and see if you still get that (or any others >> like the one below). It's not a critical error. >> >> >> >>> Building a message batch to scan... >>> Have a batch of 1 message. >>> max message size is '30000' >>> config: path "//.spamassassin/user_prefs" is inaccessible: >>> Permission denied >>> max message size is '100000' >>> Stopping now as you are debugging me. >>> >>> This debug session took about 5 minutes to run so something is >>> really bogged down but it might very well be the permissions problems. >>> >> >> Well, it sat there for quite a while and then went on with "Have a >> batch of 1 message", right? It was just waiting for a message to >> scan, so this isn't a problem. If mail is still not flowing look at >> your mailscanner.log. >> As which user are you running the --debug test? >> It seems you are having a problem only with spamassassin and MS >> itself is okay. >> >> > I am running the test as user postfix, as this is the RunAs user. > Also, I do not seem to have mailscanner.log. Where is it supposed to be? > Dave Dave, On your system MS should be logging into /var/log/maillog. Denis -- _ ?v? Denis Beauchemin, analyste /(_)\ Universit? 
de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045 From maillists at conactive.com Thu Jan 8 19:31:23 2009 From: maillists at conactive.com (Kai Schaetzl) Date: Thu Jan 8 19:31:35 2009 Subject: Upgrade fron 4.61.7 to 4.74.13-2 In-Reply-To: <49663B6D.1030800@senecac.on.ca> References: <20090108071334.6t3eri15gc0ggkk4@manage.zuka.net> <49660685.80304@USherbrooke.ca> <49660D57.2040107@senecac.on.ca> <4966145F.4010305@senecac.on.ca> <49663B6D.1030800@senecac.on.ca> Message-ID: Dave Filchak wrote on Thu, 08 Jan 2009 12:44:13 -0500: > Also, > I do not seem to have mailscanner.log. Where is it supposed to be? You may get everything in your maillog. I changed the syslog facility, so I get all stuff in mailscanner.log Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From glenn.steen at gmail.com Thu Jan 8 19:36:59 2009
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Jan 8 19:37:10 2009 Subject: Upgrade fron 4.61.7 to 4.74.13-2 In-Reply-To: References: <20090108071334.6t3eri15gc0ggkk4@manage.zuka.net> <49660685.80304@USherbrooke.ca> <49660D57.2040107@senecac.on.ca> <496616B0.1060100@USherbrooke.ca> <49661F7A.2090607@senecac.on.ca> <223f97700901080809i456904ferb64df26e7b44ae05@mail.gmail.com> <49662AAF.9070601@senecac.on.ca> Message-ID: <223f97700901081136s24b46fc3u80f6bc14346a6f6b@mail.gmail.com> 2009/1/8 Kai Schaetzl : > Dave Filchak wrote on Thu, 08 Jan 2009 11:32:47 -0500: > >> >> Unfortunately, the user Postfix is set to nologin ( postfix:x:80:80:Postfix >> >> Mail Server:/:/sbin/nologin ) so I cannot sudo to it ) > > look at the homedir! Indeed;) >> su - postfix -s /bin/bash >> -bash-3.00$ spamassassin --lint >> [19715] warn: config: path "//.spamassassin/user_prefs" is inaccessible: >> Permission denied >> -bash-3.00$ > > you get this strange path because your postfix user has the wrong homedir. It > should be /var/spool/postfix (That also shows that you don't have to su to > postfix, it's running as postfix, anyway.) > If your mail is still not flowing that might also be the reason for it. > I'm leaning toward one of the classics here: Since the directory SA (as the postfix user) tries to write things to (user prefs, razor-agent thing, pyzor discover thing etc), some of that cr*p end up being written somewhere the postfix user _can_ write ... the hold queue... So Dave should perhaps look at that directory for non-queue files ... and remove them. How to make sure they never reappear? First: Set a more reasonable home directory for postfix, like /var/spool/postfix. Edit /etc/passwd with something safe like vipw ALTERNATIVE 1 Temporarily make that directory writable by the postfix user su - postfix -s /bin/bash spamassassin --lint spamassassin -t -D < /path/to/a/message exit Make the directory non-writable by postfix. 
You should now have all the needed directories, like .razor .pyzor and .spamassassin ALTERNATIVE 2 Create the directories by hand (in ~postfix) and make them owned by postfix and writable by postfix. ALTERNATIVE 3 Use the settings suggested in spam.assassin.prefs.conf (a.k.a. /etc/mail/spamassassin/mailscanner.cf) to explicitly set a directory to use for this. Look in the wiki for similar details for razor and pyzor (unless they're already in mailscanner.cf ... I fail to remember). Any of the alternatives would likely do. Then, as said, go check/clean your /var/spool/postfix/hold directory for/from files that aren't Postfix queue files. >> I am >> stumped. > > This error is absolutely non-critical and can be ignored: > > [14255] dbg: config: mkdir /var/spool/postfix/.spamassassin failed: mkdir > /var/spool/postfix/.spamassassin: Permission denied at > /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin.pm line 1577 > [14255] dbg: config: Permission denied > I wouldn't exactly call it non-critical, since it might indicate the error-situation mentioned above:) > I'm just wondering why you get this error shown at all. It shouldn't show up > with a simple "spamassassin --lint" (you wrote you ran that, without -D), only > with "spamassassin --lint -D". I wonder if you have a mix of an older and newer > SA on your system. The output level of --lint has been changed several times > during the last year or so, so that it stops outputting uncritical errors. I > would really advise to remove the SA package, upgrade your CentOS and then > reapply it. I have to say that I'm not using the "easy install" package provided > by Jules. I always role my own which is *very* easy to do as they provide a > working spec file in their source. You just build it with the command given on > the download page and it works. You may want to try it this way. Maybe Jules has > an idea, what's wrong with your SA installation (if there is anything wrong). 
> Might be worth doing:-) Oh, and before you jump on it, somewhere halfway through ... this stopped being an answer to your mail solely;-) But you saw that...:-P > > Kai > Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From rob at kettle.org.uk Thu Jan 8 19:41:56 2009 From: rob at kettle.org.uk (Rob Kettle) Date: Thu Jan 8 19:42:15 2009 Subject: Problem after Upgrade 4.72.1-1 to 4.74.15-1 In-Reply-To: <496648E0.9020903@USherbrooke.ca> References: <20090108071334.6t3eri15gc0ggkk4@manage.zuka.net> <49660685.80304@USherbrooke.ca> <49660D57.2040107@senecac.on.ca> <4966145F.4010305@senecac.on.ca> <49663B6D.1030800@senecac.on.ca> <496648E0.9020903@USherbrooke.ca> Message-ID: <49665704.4080804@kettle.org.uk> Hi, been running a Centos 5 system with 4.72.1-1 for some time and last night I upgraded to 4.74.15-1. The upgrade appeared to go OK. However when I run MailScanner no mail is processed and if I look at processes the MailScanner jobs show as [defunct] and are using high CPU. After some playing around I've found that the cause is the setting Rebuild Bayes Every = 14400 MailScanner will only work if I set this to Rebuild Bayes Every = 0 Not sure why this is? regards Rob -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From glenn.steen at gmail.com Thu Jan 8 19:49:24 2009
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Jan 8 19:49:34 2009 Subject: Problem after Upgrade 4.72.1-1 to 4.74.15-1 In-Reply-To: <49665704.4080804@kettle.org.uk> References: <20090108071334.6t3eri15gc0ggkk4@manage.zuka.net> <49660685.80304@USherbrooke.ca> <49660D57.2040107@senecac.on.ca> <4966145F.4010305@senecac.on.ca> <49663B6D.1030800@senecac.on.ca> <496648E0.9020903@USherbrooke.ca> <49665704.4080804@kettle.org.uk> Message-ID: <223f97700901081149p4e9fcce8wa44d90d18dae1b06@mail.gmail.com> 2009/1/8 Rob Kettle : > Hi, > > been running a Centos 5 system with 4.72.1-1 for some time and last night I > upgraded to 4.74.15-1. The upgrade appeared to go OK. > > However when I run MailScanner no mail is processed and if I look at > processes the MailScanner jobs show as [defunct] and are using high CPU. > > After some playing around I've found that the cause is the setting > > Rebuild Bayes Every = 14400 > > MailScanner will only work if I set this to Rebuild Bayes Every = 0 > > Not sure why this is? > > regards > Rob > There's a few threads RE this floating around on the list, try looking at them... Or go directly to the fixes:-). There should be a newer package available for you, and possibly a smallish manual fix needed. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From dgottsc at emory.edu Thu Jan 8 19:57:43 2009 From: dgottsc at emory.edu (Gottschalk, David) Date: Thu Jan 8 19:58:02 2009 Subject: Anti-spear-phishing, round 2 In-Reply-To: <49664631.2020207@ecs.soton.ac.uk> References: <4963D91A.9060304@ecs.soton.ac.uk> <4965292E.1070209@ecs.soton.ac.uk> <49664631.2020207@ecs.soton.ac.uk> Message-ID: Yes, I have "Log Spam = yes" in my MailScanner.conf. I'm running MailScanner version 4.60.8. Am I running too old of a version? David Gottschalk Emory University UTS Messaging Team 404.727.9744 -----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: Thursday, January 08, 2009 1:30 PM To: MailScanner discussion Subject: Re: Anti-spear-phishing, round 2 Do you have "Log Spam = yes" in your MailScanner.conf? If so, you should see logging of the actions that are produced by this setting. I assume you're running a recent version of MailScanner. Also, remove the space before the word "header", just in case that matters. That line is very hard to parse. On 8/1/09 15:17, Gottschalk, David wrote: > Well, I messed around with it some more this AM, but still no luck. > > SpamAssassin is seeing the new rule, and filtering properly (I can see it score the message in the logs when I send a test message to one of the filter addressed); however, for some reason it's not following my rule in MailScanner.conf. Here is what I have: > > SpamAssassin Rule Actions = JKF_ANTI_PHISH=>not-deliver,store,forward dgottsc@emory.edu, header "X-Anti-Phish: Was to _TO_" > > Any ideas? > > David Gottschalk > Emory University > UTS Messaging Team > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field > Sent: Wednesday, January 07, 2009 5:14 PM > To: MailScanner discussion > Subject: Re: Anti-spear-phishing, round 2 > > > > On 7/1/09 21:00, Gottschalk, David wrote: > >> Julian, >> Thanks for posting this! This is going to make my life a lot easier. I plan on installing it on all of my machines with mailscanner. I'll let you know how well it works. I've got it installed on one machine right now, I'm just trying to figure out how to get the spam assassin rule actions to work properly right now. For some reason it's not following the rule actions even though it matches it. >> >> > Check your maillog, that will show if anything is wrong. Don't put a > comma in the text of the header for starters, it breaks my parser :-( > > If you get really stuck, feel free to ask for help :) > > Jules. > >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field >> Sent: Tuesday, January 06, 2009 5:20 PM >> To: MailScanner discussion >> Subject: Anti-spear-phishing, round 2 >> >> I have done a load of work on my script that uses the anti-spear-phishing addresses database. >> >> The main thing is now that it is pretty much a finished script, and is directly usable by you guys without you having to do much to it except read the settings at the top and tweak the filenames if you want to change where it puts things. >> >> I have taken a lot of care to ensure that this won't match any false alarms, I don't just dumbly look for the strings in any surrounding text, which certain commercial AV vendors have been caught doing in the past! >> >> I make a suggestion in the comments at the top of the script about how I use the rule within MailScanner, you probably want to do something similar, and not just delete anything that matches, just in case you do get any false alarms. >> >> It also looks for numbers at the end of the username bit of the address, and assumes that these are numbers which the scammers may change; so if it finds them, it replaces them with a pattern that will match any number instead. There's starting to be a lot of this about, as it's the easiest way for the scammers to try to defeat simple address lists targeted against them, while still being able to remember what addresses they have to check for replies from your dumb users. :-) I thought I would make it a tiny bit harder for them... >> >> You can also add addresses of your own (which can include "*" as a wildcard character to mean "any series of valid characters" in the email address), one address per line, in an optional extra file. Again, read the top of the script and you'll see it mentioned there. That file is optional, it doesn't matter if it doesn't exist. 
As a starter, you might want to put m i c h a e l l o u c a s * @ g m a i l . c o m (without the extra spaces) in that file, as it will nicely catch a lot of "Job opportunity" spams. >> >> It looks for any of these addresses appearing **anywhere** in the message, not just in the headers. So if you start talking to people about these addresses, don't be surprised when the messages get caught by the trap. >> >> It does a "wget", so make sure you have that binary installed, or else change the script to fetch the file by some other means. >> >> The very end of the script does a "service MailScanner restart", so if you need some other command to restart MailScanner, then edit it for your system. It needs to be a "restart" and not a "reload" as I have to force it to re-build the database of SpamAssassin rules. >> >> My aim was that, on a RedHat system running MailScanner, you could just copy the script into /etc/cron.hourly and make it executable, and it will just get on with the job for you. I do advise you read the bit in the script about "SpamAssassin Rule Actions" though. >> >> Please do let me know how you would like me to improve it, and tell me what you think of it in general (be polite, now! :-) >> >> Cheers, >> >> Jules >> >> -- >> Julian Field MEng CITP CEng >> www.MailScanner.info >> Buy the MailScanner book at www.MailScanner.info/store >> >> MailScanner customisation, or any advanced system administration help? >> Contact me at Jules@Jules.FM >> >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc >> >> >> -- >> This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. >> >> >> This e-mail message (including any attachments) is for the sole use of >> the intended recipient(s) and may contain confidential and privileged >> information. 
If the reader of this message is not the intended >> recipient, you are hereby notified that any dissemination, distribution >> or copying of this message (including any attachments) is strictly >> prohibited. >> >> If you have received this message in error, please contact >> the sender by reply e-mail message and destroy all copies of the >> original message (including attachments). >> >> > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > PGP public key: http://www.jules.fm/julesfm.asc > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc From Denis.Beauchemin at USherbrooke.ca Thu Jan 8 20:02:28 2009
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Thu Jan 8 20:02:54 2009 Subject: Problem after Upgrade 4.72.1-1 to 4.74.15-1 In-Reply-To: <49665704.4080804@kettle.org.uk> References: <20090108071334.6t3eri15gc0ggkk4@manage.zuka.net> <49660685.80304@USherbrooke.ca> <49660D57.2040107@senecac.on.ca> <4966145F.4010305@senecac.on.ca> <49663B6D.1030800@senecac.on.ca> <496648E0.9020903@USherbrooke.ca> <49665704.4080804@kettle.org.uk> Message-ID: <49665BD4.9080307@USherbrooke.ca> Rob Kettle wrote: > Hi, > > been running a Centos 5 system with 4.72.1-1 for some time and last > night I upgraded to 4.74.15-1. The upgrade appeared to go OK. > > However when I run MailScanner no mail is processed and if I look at > processes the MailScanner jobs show as [defunct] and are using high CPU. > > After some playing around I've found that the cause is the setting > > Rebuild Bayes Every = 14400 > > MailScanner will only work if I set this to Rebuild Bayes Every = 0 > > Not sure why this is? > > regards > Rob > Rob, I also run with Rebuild Bayes Every = 0 and I have the following entry in root's crontab: 15 3 * * * (/sbin/service MailScanner stop; /usr/bin/sa-learn --force-expire; sleep 60; /sbin/service MailScanner start) I get an email like this one every night: > Shutting down MailScanner daemons: > MailScanner: [ OK ] > incoming sendmail: [ OK ] > outgoing sendmail: [ OK ] > bayes: synced databases from journal in 0 seconds: 1163 unique entries (1857 total entries) > expired old bayes database entries in 53 seconds > 491688 entries kept, 115369 deleted > token frequency: 1-occurrence tokens: 0.00% > token frequency: less than 8 occurrences: 76.79% > Starting MailScanner daemons: > incoming sendmail: [ OK ] > outgoing sendmail: [ OK ] > MailScanner: [ OK ] I know my server isn't accepting emails during that time but I can live with it. Denis -- _ °v° Denis Beauchemin, analyste /(_)\ Université de Sherbrooke, S.T.I.
^ ^ T: 819.821.8000x62252 F: 819.821.8045 From kc5goi at gmail.com Thu Jan 8 21:01:30 2009 From: kc5goi at gmail.com (Guy Story KC5GOI) Date: Thu Jan 8 21:01:40 2009 Subject: Anti-spear-phishing, round 2 In-Reply-To: References: <4963D91A.9060304@ecs.soton.ac.uk> <4965292E.1070209@ecs.soton.ac.uk> <49664631.2020207@ecs.soton.ac.uk> Message-ID: Jules, I apologize for being blind today. I downloaded the script, made it executable, put in my desired address in the file. I ran the script verified the presence but what I am being blind to is where to tell SpamAssassin to look for the file so it can filter out that crap. I do not have a SpamAssassin Rule Actions entry in my MailScanner.conf. I am on 4.58.9 so David's question is one I have as well. Thanks for the good work. Guy Story KC5GOI kc5goi@gmail.com From Denis.Beauchemin at USherbrooke.ca Thu Jan 8 21:28:51 2009
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Thu Jan 8 21:29:10 2009 Subject: Anti-spear-phishing, round 2 In-Reply-To: References: <4963D91A.9060304@ecs.soton.ac.uk> <4965292E.1070209@ecs.soton.ac.uk> <49664631.2020207@ecs.soton.ac.uk> Message-ID: <49667013.3060600@USherbrooke.ca> Guy Story KC5GOI wrote: > Jules, I apologize for being blind today. I downloaded the script, > made it executable, put in my desired address in the file. I ran the > script verified the presence but what I am being blind to is where to > tell SpamAssassin to look for the file so it can filter out that crap. > I do not have a SpamAssassin Rule Actions entry in my > MailScanner.conf. I am on 4.58.9 so David's question is one I have as > well. > > Thanks for the good work. > > Guy Story KC5GOI > kc5goi@gmail.com Guy, If you run the script as-is, you don't have to do anything for it to kick into action (as it creates a cf file in /etc/mail/spamassassin). It will default to an SA score of 4 and you should see hits for JKF_ANTI_PHISH in your maillog. That's what I did and I made sure SA is using it with the following command: spamassassin --lint -D 2>&1 | grep jkf [26088] dbg: config: read file /etc/mail/spamassassin/jkf.anti-spear-phishing.cf So far, though, I haven't had any hits in about 4 hours. Denis -- _ °v° Denis Beauchemin, analyste /(_)\ Université de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045 From maillists at conactive.com Thu Jan 8 21:31:20 2009
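Added example, not part of the original thread and not Julian Field's script: one way to implement the address handling described in the "Anti-spear-phishing, round 2" messages, where a number at the end of the username is replaced by a pattern matching any number, "*" in an address is a wildcard, and an address is only reported when it is not embedded in a longer address. The function names, the character set treated as "valid characters", the sample list and the sample message are all assumptions constructed for illustration.

```python
import re

# Characters treated as part of an e-mail address. This set is an assumption
# of the example; the thread does not show the one the real script uses.
ADDR_CHARS = r"A-Za-z0-9._%+\-"
WILDCARD = "[" + ADDR_CHARS + "]*"


def load_addresses(text):
    """Return the non-empty, non-comment lines of an address list, lowercased."""
    addresses = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            addresses.append(line)
    return addresses


def _escape_with_wildcards(part):
    """Escape regex metacharacters, turning each '*' into the wildcard class."""
    return WILDCARD.join(re.escape(piece) for piece in part.split("*"))


def address_to_pattern(address):
    """Build a regex fragment for one listed address."""
    local, at, domain = address.partition("@")
    if not at or not local or not domain or "@" in domain:
        raise ValueError("not an e-mail address: %r" % address)
    # Generalise a trailing number only when something precedes it: an
    # all-digit username stays literal, otherwise the rule would match every
    # numeric address at that domain.
    numbered = re.fullmatch(r"(.*\D)(\d+)", local)
    if numbered:
        local_pat = _escape_with_wildcards(numbered.group(1)) + r"\d+"
    else:
        local_pat = _escape_with_wildcards(local)
    return local_pat + "@" + _escape_with_wildcards(domain)


def build_matcher(addresses):
    """Compile one case-insensitive regex covering every listed address."""
    if not addresses:
        return re.compile(r"(?!)")  # an empty list must match nothing
    alternatives = "|".join(address_to_pattern(a) for a in addresses)
    return re.compile(
        r"(?<![" + ADDR_CHARS + r"])"         # not the tail of a longer username
        r"(?:" + alternatives + r")"
        r"(?![A-Za-z0-9\-]|\.[A-Za-z0-9])",   # not the head of a longer domain
        re.IGNORECASE,
    )


def find_hits(matcher, message):
    """Return every listed address found anywhere in the message text."""
    return [m.group(0) for m in matcher.finditer(message)]


# Constructed sample list: a plain entry, a numbered entry, a wildcard entry.
SAMPLE_LIST = """\
# one address per line
webmail.upgrade@example.com
claims.dept07@example.net
job.offer*@example.org
"""

# Constructed sample message: two real hits and two look-alikes that must
# not match (longer username, longer domain).
SAMPLE_MESSAGE = """\
Subject: Account notice

Reply with your password to Claims.Dept93@example.net today.
Alternative contact: <job.offer.2009@example.org>.
Unrelated: xwebmail.upgrade@example.com, webmail.upgrade@example.com.example.org
"""

if __name__ == "__main__":
    matcher = build_matcher(load_addresses(SAMPLE_LIST))
    for hit in find_hits(matcher, SAMPLE_MESSAGE):
        print("listed address found:", hit)
```
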
From: maillists at conactive.com (Kai Schaetzl) Date: Thu Jan 8 21:31:33 2009 Subject: Upgrade fron 4.61.7 to 4.74.13-2 In-Reply-To: <223f97700901081136s24b46fc3u80f6bc14346a6f6b@mail.gmail.com> References: <20090108071334.6t3eri15gc0ggkk4@manage.zuka.net> <49660685.80304@USherbrooke.ca> <49660D57.2040107@senecac.on.ca> <496616B0.1060100@USherbrooke.ca> <49661F7A.2090607@senecac.on.ca> <223f97700901080809i456904ferb64df26e7b44ae05@mail.gmail.com> <49662AAF.9070601@senecac.on.ca> <223f97700901081136s24b46fc3u80f6bc14346a6f6b@mail.gmail.com> Message-ID: Glenn Steen wrote on Thu, 8 Jan 2009 20:36:59 +0100: > Use the settings suggested in spam.assassin.prefs.conf (a.k.a. > /etc/mail/spamassassin/mailscanner.cf) to explicitly set a directory > to use for this. I think this won't help. SA will try to check in the user homedir for userprefs, anyway. Of course, it will help for sitewide stuff like Bayes and AWL. As I wrote it happens also for me: [14255] dbg: config: mkdir /var/spool/postfix/.spamassassin failed: mkdir /var/spool/postfix/.spamassassin: Permission denied at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin.pm line 1577 [14255] dbg: config: Permission denied but it's non-critical. It doesn't even show in a normal --lint, only with -D. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From maillists at conactive.com Thu Jan 8 21:31:20 2009
From: maillists at conactive.com (Kai Schaetzl) Date: Thu Jan 8 21:31:33 2009 Subject: MailScanner --lint error In-Reply-To: <567221C09601934AA5CE9762FDA09A5001C3EC@EXCHTEMP.biz.pwr-sys.com> References: <567221C09601934AA5CE9762FDA09A5001C3D7@EXCHTEMP.biz.pwr-sys.com> <495FBCAE.60204@ecs.soton.ac.uk> <567221C09601934AA5CE9762FDA09A5001C3D9@EXCHTEMP.biz.pwr-sys.com> <496083A2.2090909@ecs.soton.ac.uk> <567221C09601934AA5CE9762FDA09A5001C3DA@EXCHTEMP.biz.pwr-sys.com> <72cf361e0901041213g512c4b70x84c3ad8ebeec55fc@mail.gmail.com> <567221C09601934AA5CE9762FDA09A5001C3DE@EXCHTEMP.biz.pwr-sys.com> <567221C09601934AA5CE9762FDA09A5001C3EC@EXCHTEMP.biz.pwr-sys.com> Message-ID: Reply-To: mailscanner@lists.mailscanner.info Just FYI: as it turns out his obscure error messages were created by a broken MailScanner.conf. Broken by his colleague trying to use that years-old Webmin module for administering MS. ;-) Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From kc5goi at gmail.com Thu Jan 8 21:49:30 2009
From: kc5goi at gmail.com (Guy Story KC5GOI) Date: Thu Jan 8 21:49:41 2009 Subject: Anti-spear-phishing, round 2 In-Reply-To: <49667013.3060600@USherbrooke.ca> References: <4963D91A.9060304@ecs.soton.ac.uk> <4965292E.1070209@ecs.soton.ac.uk> <49664631.2020207@ecs.soton.ac.uk> <49667013.3060600@USherbrooke.ca> Message-ID: Thanks Denis. That is the way I read Jules script but it was not sinking in. I have not had any matches in the whole hour that has passed since I put it in place. That may be normal. I will be watching my inbox since I have the notifications pointing to me. On Thu, Jan 8, 2009 at 3:28 PM, Denis Beauchemin < Denis.Beauchemin@usherbrooke.ca> wrote: > Guy Story KC5GOI wrote: > >> Jules, I apologize for being blind today. I downloaded the script, made it >> executable, put in my desired address in the file. I ran the script >> verified the presence but what I am being blind to is where to tell >> SpamAssassin to look for the file so it can filter out that crap. I do not >> have a SpamAssassin Rule Actions entry in my MailScanner.conf. I am on >> 4.58.9 so David's question is one I have as well. >> >> Thanks for the good work. >> >> Guy Story KC5GOI >> kc5goi@gmail.com >> > > Guy, > > If you run the script as-is, you don't have to do anything for it to kick > into action (as it creates a cf file in /etc/mail/spamassassin). It will > default to an SA score of 4 and you should see hits for JKF_ANTI_PHISH in > your maillog. That's what I did and I made sure SA is using it with the > following command: > spamassassin --lint -D 2>&1 | grep jkf > [26088] dbg: config: read file /etc/mail/spamassassin/ > jkf.anti-spear-phishing.cf > > So far, though, I haven't had any hits in about 4 hours. > > Denis > > -- > _ > °v° Denis Beauchemin, analyste > /(_)\ Université de Sherbrooke, S.T.I.
> ^ ^ T: 819.821.8000x62252 F: 819.821.8045 > -- 73 Guy Story KC5GOI kc5goi@gmail.com From mark at msapiro.net Thu Jan 8 22:38:37 2009 From: mark at msapiro.net (Mark Sapiro) Date: Thu Jan 8 22:38:47 2009 Subject: Anti-spear-phishing, round 2 In-Reply-To: References: <4963D91A.9060304@ecs.soton.ac.uk> <4965292E.1070209@ecs.soton.ac.uk> <49664631.2020207@ecs.soton.ac.uk> Message-ID: <20090108223837.GA4032@msapiro> On Thu, Jan 08, 2009 at 02:57:43PM -0500, Gottschalk, David wrote: > > I'm running MailScanner version 4.60.8. > > Am I running too old of a version? It's too old for the _TO_ replacement in the header action. That requires 4.74.9 minimum. Also, the unknown _TO_ replacement will cause the entire action to be ignored. -- Mark Sapiro mark at msapiro net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From garvey at pushormitchell.com Thu Jan 8 23:03:29 2009
From: garvey at pushormitchell.com (Joe Garvey) Date: Thu Jan 8 23:03:36 2009 Subject: Stops after RCVD_IN_BL_SPAMCOP_NET Message-ID: I have been using MailScanner for about 4 years now but recently I have been having some major problems with MailScanner/SA detecting spam. It almost seems as though it stops checking after the system does a lookup on bl.spamcop.net. If there is a positive score for RCVD_IN_BL_SPAMCOP_NET then it seems as though the system stops any other checks. The score is usually 2.188 as defined in /usr/share/spamassassin/50_scores.cf. I have also tried to increase this score by placing the following rule in /etc/mail/spamassassin/custom.cf but it does not increase the value: score RCVD_IN_BL_SPAMCOP_NET 5.5 I upgraded to MailScanner 4.74.13 and SA 3.2.5 and it did not make a difference. My gut feeling is that I am missing something somewhere and have been staring at it too long. Any suggestions as to where to look next? Thanks Joe Garvey Information Technology Manager Email: garvey@pushormitchell.com Pushor Mitchell LLP From dave.filchak at senecac.on.ca Thu Jan 8 23:42:07 2009
From: dave.filchak at senecac.on.ca (Dave Filchak)
Date: Thu Jan 8 23:42:31 2009
Subject: Upgrade fron 4.61.7 to 4.74.13-2
In-Reply-To: <223f97700901081136s24b46fc3u80f6bc14346a6f6b@mail.gmail.com>
References: <20090108071334.6t3eri15gc0ggkk4@manage.zuka.net>
        <49660685.80304@USherbrooke.ca>
        <49660D57.2040107@senecac.on.ca>
        <496616B0.1060100@USherbrooke.ca>
        <49661F7A.2090607@senecac.on.ca>
        <223f97700901080809i456904ferb64df26e7b44ae05@mail.gmail.com>
        <49662AAF.9070601@senecac.on.ca>
        <223f97700901081136s24b46fc3u80f6bc14346a6f6b@mail.gmail.com>
Message-ID: <49668F4F.4000700@senecac.on.ca>

Hello all again,

Glenn Steen wrote:
> 2009/1/8 Kai Schaetzl :
>
>> Dave Filchak wrote on Thu, 08 Jan 2009 11:32:47 -0500:
>>
>>
>>>>> Unfortunately, the user Postfix is set to nologin ( postfix:x:80:80:Postfix
>>>>> Mail Server:/:/sbin/nologin ) so I cannot sudo to it )
>>>>>
>> look at the homedir!
>>
> Indeed;)
>
>
>>> su - postfix -s /bin/bash
>>> -bash-3.00$ spamassassin --lint
>>> [19715] warn: config: path "//.spamassassin/user_prefs" is inaccessible:
>>> Permission denied
>>> -bash-3.00$
>>>
>> you get this strange path because your postfix user has the wrong homedir. It
>> should be /var/spool/postfix (That also shows that you don't have to su to
>> postfix, it's running as postfix, anyway.)
>> If your mail is still not flowing that might also be the reason for it.
>>
>>
> I'm leaning toward one of the classics here:
> Since the directory SA (as the postfix user) tries to write things to
> (user prefs, razor-agent thing, pyzor discover thing etc), some of
> that cr*p ends up being written somewhere the postfix user _can_ write
> ... the hold queue... So Dave should perhaps look at that directory
> for non-queue files ... and remove them.
>
> How to make sure they never reappear?
> First: Set a more reasonable home directory for postfix, like
> /var/spool/postfix. Edit /etc/passwd with something safe like vipw
>
> ALTERNATIVE 1
> Temporarily make that directory writable by the postfix user
> su - postfix -s /bin/bash
> spamassassin --lint
> spamassassin -t -D < /path/to/a/message
> exit
> Make the directory non-writable by postfix.
> You should now have all the needed directories, like .razor .pyzor and
> .spamassassin
>
> ALTERNATIVE 2
>
> Create the directories by hand (in ~postfix) and make them owned by
> postfix and writable by postfix.
>
> ALTERNATIVE 3
>
> Use the settings suggested in spam.assassin.prefs.conf (a.k.a.
> /etc/mail/spamassassin/mailscanner.cf) to explicitly set a directory
> to use for this. Look in the wiki for similar details for razor and
> pyzor (unless they're already in mailscanner.cf ... I fail to
> remember).
>
> Any of the alternatives would likely do.
>
> Then, as said, go check/clean your /var/spool/postfix/hold directory
> for/from files that aren't Postfix queue files.
>
Sorry I have not responded in the past few hours. I had to get a couple
of hours of sleep as I was not able to think anymore.
>
>>> I am
>>> stumped.
>>>
>> This error is absolutely non-critical and can be ignored:
>>
>> [14255] dbg: config: mkdir /var/spool/postfix/.spamassassin failed: mkdir
>> /var/spool/postfix/.spamassassin: Permission denied at
>> /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin.pm line 1577
>> [14255] dbg: config: Permission denied
>>
>>
> I wouldn't exactly call it non-critical, since it might indicate the
> error-situation mentioned above:)
>
>
>> I'm just wondering why you get this error shown at all. It shouldn't show up
>> with a simple "spamassassin --lint" (you wrote you ran that, without -D), only
>> with "spamassassin --lint -D". I wonder if you have a mix of an older and newer
>> SA on your system. The output level of --lint has been changed several times
>> during the last year or so, so that it stops outputting uncritical errors. I
>> would really advise to remove the SA package, upgrade your CentOS and then
>> reapply it. I have to say that I'm not using the "easy install" package provided
>> by Jules. I always roll my own which is *very* easy to do as they provide a
>> working spec file in their source. You just build it with the command given on
>> the download page and it works. You may want to try it this way. Maybe Jules has
>> an idea, what's wrong with your SA installation (if there is anything wrong).
>>
I really cannot do this as it is a live server and I simply would not
have time. I am going to build a new one and replace this in the first
half of this year but need to get this up and running for the time
being. What I cannot understand is: all of this was just fine (other
than being out of date) before I upgraded.
>>
> Might be worth doing:-)
> Oh, and before you jump on it, somewhere halfway through ... this
> stopped being an answer to your mail solely;-) But you saw that...:-P
>
>
So, I have a few more clues to pass on while I try and make sense of all
your messages. We also run MailWatch and when looking at the quarantine,
MS seems to be holding everything as spam, even if the SA score is 0. When I
released a message from the quarantine, it gives me the following error:

SA Learn: error code 13 returned from sa-learn: bayes: cannot open bayes
databases /etc/MailScanner/bayes/bayes_* R/O: tie failed: Permission
denied bayes: expire_old_tokens: locker: safe_lock: cannot create
lockfile /etc/MailScanner/bayes/bayes.mutex: Permission denied bayes:
locker: safe_lock: cannot create lockfile
/etc/MailScanner/bayes/bayes.mutex: Permission denied Learned tokens
from 0 message(s) (1 message(s) examined)

Obviously some permission issues. It also shows every message as being
listed in one of the RBLs I am using ... which I doubt. I noticed some
others talking about some new lock file script?

I am going to study this message and see what makes sense for me to do.

Dave

From ssilva at sgvwater.com Fri Jan 9 00:05:15 2009
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Jan 9 00:05:41 2009
Subject: Upgrade fron 4.61.7 to 4.74.13-2
In-Reply-To: <49668F4F.4000700@senecac.on.ca>
References: <20090108071334.6t3eri15gc0ggkk4@manage.zuka.net>
        <49660685.80304@USherbrooke.ca>
        <49660D57.2040107@senecac.on.ca>
        <496616B0.1060100@USherbrooke.ca>
        <49661F7A.2090607@senecac.on.ca>
        <223f97700901080809i456904ferb64df26e7b44ae05@mail.gmail.com>
        <49662AAF.9070601@senecac.on.ca>
        <223f97700901081136s24b46fc3u80f6bc14346a6f6b@mail.gmail.com>
        <49668F4F.4000700@senecac.on.ca>
Message-ID:

on 1-8-2009 3:42 PM Dave Filchak spake the following:
> Hello all again,
>
> Glenn Steen wrote:
>> 2009/1/8 Kai Schaetzl :
>>
>>> Dave Filchak wrote on Thu, 08 Jan 2009 11:32:47 -0500:
>>>
>>>
>>>>>> Unfortunately, the user Postfix is set to nologin (
>>>>>> postfix:x:80:80:Postfix
>>>>>> Mail Server:/:/sbin/nologin ) so I cannot sudo to it )
>>>>>>
>>> look at the homedir!
>>>
>> Indeed;)
>>
>>
>>>> su - postfix -s /bin/bash
>>>> -bash-3.00$ spamassassin --lint
>>>> [19715] warn: config: path "//.spamassassin/user_prefs" is
>>>> inaccessible:
>>>> Permission denied
>>>> -bash-3.00$
>>>>
>>> you get this strange path because your postfix user has the wrong
>>> homedir. It
>>> should be /var/spool/postfix (That also shows that you don't have to
>>> su to
>>> postfix, it's running as postfix, anyway.)
>>> If your mail is still not flowing that might also be the reason for it.
>>>
>>>
>> I'm leaning toward one of the classics here:
>> Since the directory SA (as the postfix user) tries to write things to
>> (user prefs, razor-agent thing, pyzor discover thing etc), some of
>> that cr*p ends up being written somewhere the postfix user _can_ write
>> ... the hold queue... So Dave should perhaps look at that directory
>> for non-queue files ... and remove them.
>>
>> How to make sure they never reappear?
>> First: Set a more reasonable home directory for postfix, like
>> /var/spool/postfix. Edit /etc/passwd with something safe like vipw
>>
>> ALTERNATIVE 1
>> Temporarily make that directory writable by the postfix user
>> su - postfix -s /bin/bash
>> spamassassin --lint
>> spamassassin -t -D < /path/to/a/message
>> exit
>> Make the directory non-writable by postfix.
>> You should now have all the needed directories, like .razor .pyzor and
>> .spamassassin
>>
>> ALTERNATIVE 2
>>
>> Create the directories by hand (in ~postfix) and make them owned by
>> postfix and writable by postfix.
>>
>> ALTERNATIVE 3
>>
>> Use the settings suggested in spam.assassin.prefs.conf (a.k.a.
>> /etc/mail/spamassassin/mailscanner.cf) to explicitly set a directory
>> to use for this. Look in the wiki for similar details for razor and
>> pyzor (unless they're already in mailscanner.cf ... I fail to
>> remember).
>>
>> Any of the alternatives would likely do.
>>
>> Then, as said, go check/clean your /var/spool/postfix/hold directory
>> for/from files that aren't Postfix queue files.
>>
> Sorry I have not responded in the past few hours. I had to get a couple
> of hours of sleep as I was not able to think anymore.
>>
>>>> I am
>>>> stumped.
>>>>
>>> This error is absolutely non-critical and can be ignored:
>>>
>>> [14255] dbg: config: mkdir /var/spool/postfix/.spamassassin failed:
>>> mkdir
>>> /var/spool/postfix/.spamassassin: Permission denied at
>>> /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin.pm line 1577
>>> [14255] dbg: config: Permission denied
>>>
>>>
>> I wouldn't exactly call it non-critical, since it might indicate the
>> error-situation mentioned above:)
>>
>>
>>> I'm just wondering why you get this error shown at all. It shouldn't
>>> show up
>>> with a simple "spamassassin --lint" (you wrote you ran that, without
>>> -D), only
>>> with "spamassassin --lint -D". I wonder if you have a mix of an older
>>> and newer
>>> SA on your system. The output level of --lint has been changed
>>> several times
>>> during the last year or so, so that it stops outputting uncritical
>>> errors. I
>>> would really advise to remove the SA package, upgrade your CentOS and
>>> then
>>> reapply it. I have to say that I'm not using the "easy install"
>>> package provided
>>> by Jules. I always roll my own which is *very* easy to do as they
>>> provide a
>>> working spec file in their source. You just build it with the command
>>> given on
>>> the download page and it works. You may want to try it this way.
>>> Maybe Jules has
>>> an idea, what's wrong with your SA installation (if there is anything
>>> wrong).
>>>
> I really cannot do this as it is a live server and I simply would not
> have time. I am going to build a new one and replace this in the first
> half of this year but need to get this up and running for the time
> being. What I cannot understand is: all of this was just fine (other
> than being out of date) before I upgraded.
>>>
>> Might be worth doing:-)
>> Oh, and before you jump on it, somewhere halfway through ... this
>> stopped being an answer to your mail solely;-) But you saw that...:-P
>>
>>
> So, I have a few more clues to pass on while I try and make sense of all
> your messages. We also run MailWatch and when looking at the quarantine,
> MS seems to be holding everything as spam, even if the SA score is 0. When I
> released a message from the quarantine, it gives me the following error:
>
> SA Learn: error code 13 returned from sa-learn: bayes: cannot open bayes
> databases /etc/MailScanner/bayes/bayes_* R/O: tie failed: Permission
> denied bayes: expire_old_tokens: locker: safe_lock: cannot create
> lockfile /etc/MailScanner/bayes/bayes.mutex: Permission denied bayes:
> locker: safe_lock: cannot create lockfile
> /etc/MailScanner/bayes/bayes.mutex: Permission denied Learned tokens
> from 0 message(s) (1 message(s) examined)
>
> Obviously some permission issues. It also shows every message as being
> listed in one of the RBLs I am using ... which I doubt. I noticed some
> others talking about some new lock file script?
>
> I am going to study this message and see what makes sense for me to do.
>
> Dave
>
>
Can you download and install 4.74.15-2? There were some postfix related fixes
between 13-2 and 15-2.

-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From dave.filchak at senecac.on.ca Fri Jan 9 00:59:41 2009
From: dave.filchak at senecac.on.ca (Dave Filchak)
Date: Fri Jan 9 01:00:04 2009
Subject: Upgrade fron 4.61.7 to 4.74.13-2
In-Reply-To:
References: <20090108071334.6t3eri15gc0ggkk4@manage.zuka.net>
        <49660685.80304@USherbrooke.ca>
        <49660D57.2040107@senecac.on.ca>
        <496616B0.1060100@USherbrooke.ca>
        <49661F7A.2090607@senecac.on.ca>
        <223f97700901080809i456904ferb64df26e7b44ae05@mail.gmail.com>
        <49662AAF.9070601@senecac.on.ca>
        <223f97700901081136s24b46fc3u80f6bc14346a6f6b@mail.gmail.com>
        <49668F4F.4000700@senecac.on.ca>
Message-ID: <4966A17D.2000006@senecac.on.ca>

OK ...did this. Thought I would clean up the thread a bit so we can see
more of the current situation:

Scott Silva wrote:
>
> Can you download and install 4.74.15-2? There were some postfix related fixes
> between 13-2 and 15-2.
>
Probably nothing but I get these during install:

file /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi/Storable.pm from install of perl-Storable-2.16-2 conflicts with file from package perl-5.8.5-24.RHEL4
file /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi/auto/Storable/CAN_FLOCK.al from install of perl-Storable-2.16-2 conflicts with file from package perl-5.8.5-24.RHEL4
file /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi/auto/Storable/Storable.so from install of perl-Storable-2.16-2 conflicts with file from package perl-5.8.5-24.RHEL4
file /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi/auto/Storable/_freeze.al from install of perl-Storable-2.16-2 conflicts with file from package perl-5.8.5-24.RHEL4
file /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi/auto/Storable/_retrieve.al from install of perl-Storable-2.16-2 conflicts with file from package perl-5.8.5-24.RHEL4
file /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi/auto/Storable/_store.al from install of perl-Storable-2.16-2 conflicts with file from package perl-5.8.5-24.RHEL4
file /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi/auto/Storable/_store_fd.al from install of perl-Storable-2.16-2 conflicts with file from package perl-5.8.5-24.RHEL4
file /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi/auto/Storable/autosplit.ix from install of perl-Storable-2.16-2 conflicts with file from package perl-5.8.5-24.RHEL4
file /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi/auto/Storable/fd_retrieve.al from install of perl-Storable-2.16-2 conflicts with file from package perl-5.8.5-24.RHEL4
file /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi/auto/Storable/freeze.al from install of perl-Storable-2.16-2 conflicts with file from package perl-5.8.5-24.RHEL4
file /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi/auto/Storable/lock_nstore.al from install of perl-Storable-2.16-2 conflicts with file from package perl-5.8.5-24.RHEL4
file /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi/auto/Storable/lock_retrieve.al from install of perl-Storable-2.16-2 conflicts with file from package perl-5.8.5-24.RHEL4
file /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi/auto/Storable/lock_store.al from install of perl-Storable-2.16-2 conflicts with file from package perl-5.8.5-24.RHEL4
file /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi/auto/Storable/logcarp.al from install of perl-Storable-2.16-2 conflicts with file from package perl-5.8.5-24.RHEL4
file /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi/auto/Storable/logcroak.al from install of perl-Storable-2.16-2 conflicts with file from package perl-5.8.5-24.RHEL4
file /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi/auto/Storable/nfreeze.al from install of perl-Storable-2.16-2 conflicts with file from package perl-5.8.5-24.RHEL4
file /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi/auto/Storable/nstore.al from install of perl-Storable-2.16-2 conflicts with file from package perl-5.8.5-24.RHEL4
file /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi/auto/Storable/nstore_fd.al from install of perl-Storable-2.16-2 conflicts with file from package perl-5.8.5-24.RHEL4
file /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi/auto/Storable/read_magic.al from install of perl-Storable-2.16-2 conflicts with file from package perl-5.8.5-24.RHEL4
file /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi/auto/Storable/retrieve.al from install of perl-Storable-2.16-2 conflicts with file from package perl-5.8.5-24.RHEL4
file /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi/auto/Storable/show_file_magic.al from install of perl-Storable-2.16-2 conflicts with file from package perl-5.8.5-24.RHEL4
file /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi/auto/Storable/store.al from install of perl-Storable-2.16-2 conflicts with file from package perl-5.8.5-24.RHEL4
file /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi/auto/Storable/store_fd.al from install of perl-Storable-2.16-2 conflicts with file from package perl-5.8.5-24.RHEL4
file /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi/auto/Storable/thaw.al from install of perl-Storable-2.16-2 conflicts with file from package perl-5.8.5-24.RHEL4

Running: spamassassin -D -p /etc/MailScanner/spam.assassin.prefs.conf --lint

[22231] dbg: logger: adding facilities: all
[22231] dbg: logger: logging level is DBG
[22231] dbg: generic: SpamAssassin version 3.2.5
[22231] dbg: config: score set 0 chosen.
[22231] dbg: util: running in taint mode? yes
[22231] dbg: util: taint mode: deleting unsafe environment variables, resetting PATH
[22231] dbg: util: PATH included '/usr/kerberos/sbin', keeping
[22231] dbg: util: PATH included '/usr/kerberos/bin', keeping
[22231] dbg: util: PATH included '/usr/local/sbin', keeping
[22231] dbg: util: PATH included '/usr/local/bin', keeping
[22231] dbg: util: PATH included '/sbin', keeping
[22231] dbg: util: PATH included '/bin', keeping
[22231] dbg: util: PATH included '/usr/sbin', keeping
[22231] dbg: util: PATH included '/usr/bin', keeping
[22231] dbg: util: PATH included '/usr/X11R6/bin', keeping
[22231] dbg: util: PATH included '/usr/java/jdk1.5.0_05/bin', which doesn't exist, dropping
[22231] dbg: util: PATH included '/root/bin', which doesn't exist, dropping
[22231] dbg: util: final PATH set to: /usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin
[22231] dbg: dns: no ipv6
[22231] dbg: dns: is Net::DNS::Resolver available? yes
[22231] dbg: dns: Net::DNS version: 0.63
[22231] dbg: diag: perl platform: 5.008005 linux
[22231] dbg: diag: module installed: Digest::SHA1, version 2.11
[22231] dbg: diag: module installed: HTML::Parser, version 3.56
[22231] dbg: diag: module installed: Net::DNS, version 0.63
[22231] dbg: diag: module installed: MIME::Base64, version 3.07
[22231] dbg: diag: module installed: DB_File, version 1.814
[22231] dbg: diag: module installed: Net::SMTP, version 2.31
[22231] dbg: diag: module installed: Mail::SPF, version v2.004
[22231] dbg: diag: module installed: Mail::SPF::Query, version 1.999001
[22231] dbg: diag: module installed: IP::Country::Fast, version 604.001
[22231] dbg: diag: module installed: Razor2::Client::Agent, version 2.84
[22231] dbg: diag: module not installed: Net::Ident ('require' failed)
[22231] dbg: diag: module not installed: IO::Socket::INET6 ('require' failed)
[22231] dbg: diag: module installed: IO::Socket::SSL, version 1.01
[22231] dbg: diag: module installed: Compress::Zlib, version 2.005
[22231] dbg: diag: module installed: Time::HiRes, version 1.9707
[22231] dbg: diag: module not installed: Mail::DomainKeys ('require' failed)
[22231] dbg: diag: module not installed: Mail::DKIM ('require' failed)

## are these ('require' failed) something I need to be concerned with?

[22231] dbg: diag: module installed: DBI, version 1.58
[22231] dbg: diag: module installed: Getopt::Long, version 2.36
[22231] dbg: diag: module installed: LWP::UserAgent, version 5.810
[22231] dbg: diag: module installed: HTTP::Date, version 5.810
[22231] dbg: diag: module installed: Archive::Tar, version 1.32
[22231] dbg: diag: module installed: IO::Zlib, version 1.04
[22231] dbg: diag: module installed: Encode::Detect, version 1.00
[22231] dbg: ignore: using a test message to lint rules
[22231] dbg: config: using "/etc/mail/spamassassin" for site rules pre files
[22231] dbg: config: read file /etc/mail/spamassassin/init.pre
[22231] dbg: config: read file /etc/mail/spamassassin/v310.pre
[22231] dbg: config: read file /etc/mail/spamassassin/v312.pre
[22231] dbg: config: read file /etc/mail/spamassassin/v320.pre
[22231] dbg: config: using "/var/lib/spamassassin/3.002005" for sys rules pre files
[22231] dbg: config: using "/var/lib/spamassassin/3.002005" for default rules dir
[22231] dbg: config: read file /var/lib/spamassassin/3.002005/updates_spamassassin_org.cf
[22231] dbg: config: using "/etc/mail/spamassassin" for site rules dir
[22231] dbg: config: read file /etc/mail/spamassassin/mailscanner.cf
[22231] dbg: config: using "/etc/MailScanner/spam.assassin.prefs.conf" for user prefs file
[22231] dbg: config: read file /etc/MailScanner/spam.assassin.prefs.conf
[22231] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
[22231] dbg: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC
[22231] dbg: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC
[22231] dbg: plugin: loading Mail::SpamAssassin::Plugin::RelayCountry from @INC
[22231] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC
[22231] dbg: razor2: local tests only, skipping Razor
[22231] dbg: plugin: loading Mail::SpamAssassin::Plugin::DCC from @INC
[22231] dbg: dcc: local tests only, disabling DCC
[22231] dbg: plugin: loading Mail::SpamAssassin::Plugin::Pyzor from @INC
[22231] dbg: pyzor: local tests only, disabling Pyzor
[22231] dbg: plugin: did not register Mail::SpamAssassin::Plugin::Razor2, already registered
[22231] dbg: plugin: loading Mail::SpamAssassin::Plugin::SpamCop from @INC
[22231] dbg: reporter: local tests only, disabling SpamCop
[22231] dbg: plugin: loading Mail::SpamAssassin::Plugin::AWL from @INC
[22231] dbg: plugin: loading Mail::SpamAssassin::Plugin::AutoLearnThreshold from @INC
[22231] dbg: plugin: loading Mail::SpamAssassin::Plugin::WhiteListSubject from @INC
[22231] dbg: plugin: loading Mail::SpamAssassin::Plugin::MIMEHeader from @INC
[22231] dbg: plugin: loading Mail::SpamAssassin::Plugin::ReplaceTags from @INC
[22231] dbg: plugin: did not register Mail::SpamAssassin::Plugin::RelayCountry, already registered
[22231] dbg: plugin: did not register Mail::SpamAssassin::Plugin::SPF, already registered
[22231] dbg: plugin: did not register Mail::SpamAssassin::Plugin::URIDNSBL, already registered
[22231] dbg: plugin: loading Mail::SpamAssassin::Plugin::Check from @INC
[22231] dbg: plugin: loading Mail::SpamAssassin::Plugin::HTTPSMismatch from @INC
[22231] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDetail from @INC
[22231] dbg: plugin: loading Mail::SpamAssassin::Plugin::Bayes from @INC
[22231] dbg: plugin: loading Mail::SpamAssassin::Plugin::BodyEval from @INC
[22231] dbg: plugin: loading Mail::SpamAssassin::Plugin::DNSEval from @INC
[22231] dbg: plugin: loading Mail::SpamAssassin::Plugin::HTMLEval from @INC
[22231] dbg: plugin: loading Mail::SpamAssassin::Plugin::HeaderEval from @INC
[22231] dbg: plugin: loading Mail::SpamAssassin::Plugin::MIMEEval from @INC
[22231] dbg: plugin:
loading Mail::SpamAssassin::Plugin::RelayEval from @INC
[22231] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIEval from @INC
[22231] dbg: plugin: loading Mail::SpamAssassin::Plugin::WLBLEval from @INC
[22231] dbg: plugin: loading Mail::SpamAssassin::Plugin::VBounce from @INC
[22231] dbg: plugin: loading Mail::SpamAssassin::Plugin::ImageInfo from @INC
[22231] dbg: plugin: did not register Mail::SpamAssassin::Plugin::RelayCountry, already registered
[22231] dbg: plugin: did not register Mail::SpamAssassin::Plugin::SPF, already registered
[22231] dbg: plugin: did not register Mail::SpamAssassin::Plugin::URIDNSBL, already registered
[22231] dbg: plugin: did not register Mail::SpamAssassin::Plugin::Razor2, already registered
[22231] dbg: rules: __MO_OL_9B90B merged duplicates: __MO_OL_C65FA
[22231] dbg: rules: __XM_OL_22B61 merged duplicates: __XM_OL_A842E
[22231] dbg: rules: __MO_OL_07794 merged duplicates: __MO_OL_8627E __MO_OL_F3B05
[22231] dbg: rules: __JM_REACTOR_DATE merged duplicates: __RATWARE_0_TZ_DATE
[22231] dbg: rules: __XM_OL_07794 merged duplicates: __XM_OL_25340
__XM_OL_3857F __XM_OL_4F240 __XM_OL_58CB5 __XM_OL_6554A __XM_OL_812FF __XM_OL_C65FA __XM_OL_CF0C0 __XM_OL_F475E __XM_OL_F6D01 [22231] dbg: rules: FH_MSGID_01C67 merged duplicates: __MSGID_VGA [22231] dbg: rules: FS_NEW_SOFT_UPLOAD merged duplicates: HS_SUBJ_NEW_SOFTWARE [22231] dbg: rules: __FH_HAS_XMSMAIL merged duplicates: __HAS_MSMAIL_PRI [22231] dbg: rules: __MO_OL_015D5 merged duplicates: __MO_OL_6554A [22231] dbg: rules: __XM_OL_015D5 merged duplicates: __XM_OL_4BF4C __XM_OL_4EEDB __XM_OL_5B79A __XM_OL_9B90B __XM_OL_ADFF7 __XM_OL_B30D1 __XM_OL_B4B40 __XM_OL_BC7E6 __XM_OL_F3B05 __XM_OL_FF5C8 [22231] dbg: rules: __MO_OL_91287 merged duplicates: __MO_OL_B30D1 __MO_OL_CF0C0 [22231] dbg: rules: KAM_STOCKOTC merged duplicates: KAM_STOCKTIP15 KAM_STOCKTIP20 KAM_STOCKTIP21 KAM_STOCKTIP4 KAM_STOCKTIP6 [22231] dbg: rules: __MO_OL_22B61 merged duplicates: __MO_OL_4F240 __MO_OL_ADFF7 [22231] dbg: rules: __MO_OL_812FF merged duplicates: __MO_OL_BC7E6 [22231] dbg: rules: __MO_OL_25340 merged duplicates: __MO_OL_4EEDB __MO_OL_7533E [22231] dbg: rules: __MO_OL_58CB5 merged duplicates: __MO_OL_B4B40 [22231] dbg: rules: __DOS_HAS_ANY_URI merged duplicates: __HAS_ANY_URI [22231] dbg: rules: __XM_OL_C9068 merged duplicates: __XM_OL_EF20B [22231] dbg: rules: AXB_RCVD_ZOOBSEND merged duplicates: BROKEN_RATWARE_BOM CTYPE_001C_A DEAR_HOMEOWNER DIV_CENTER_A_HREF DRUG_RA_PRICE FM_DDDD_TIMES_2 FM_SEX_HOSTDDDD HG_HORMONE HS_PHARMA_1 HS_UPLOADED_SOFTWARE OEBOUND RCVD_IN_DSBL STOX_RCVD_N_NN_N URIBL_RHS_ABUSE URIBL_RHS_BOGUSMX URIBL_RHS_DSN URIBL_RHS_POST URIBL_RHS_TLD_WHOIS URIBL_RHS_WHOIS URIBL_XS_SURBL URI_L_PHP XMAILER_MIMEOLE_OL_5E7ED XMAILER_MIMEOLE_OL_C7C33 XMAILER_MIMEOLE_OL_D03AB X_LIBRARY YOUR_CRD_RATING [22231] dbg: rules: __MO_OL_72641 merged duplicates: __MO_OL_A842E [22231] dbg: rules: __MO_OL_F475E merged duplicates: __MO_OL_FF5C8 [22231] dbg: rules: __MO_OL_4BF4C merged duplicates: __MO_OL_F6D01 [22231] dbg: conf: finish parsing [22231] dbg: plugin: 
Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0x29d6950) implements 'finish_parsing_end', priority 0 [22231] dbg: replacetags: replacing tags [22231] dbg: replacetags: done replacing tags [22231] dbg: bayes: tie-ing to DB file R/O /etc/MailScanner/bayes/bayes_toks [22231] dbg: bayes: tie-ing to DB file R/O /etc/MailScanner/bayes/bayes_seen [22231] dbg: bayes: found bayes db version 3 [22231] dbg: bayes: DB journal sync: last sync: 0 [22231] dbg: bayes: not available for scanning, only 1 ham(s) in bayes DB < 200 [22231] dbg: bayes: untie-ing [22231] dbg: config: score set 0 chosen. [22231] dbg: message: main message type: text/plain [22231] dbg: message: ---- MIME PARSER START ---- [22231] dbg: message: parsing normal part [22231] dbg: message: ---- MIME PARSER END ---- [22231] dbg: plugin: Mail::SpamAssassin::Plugin::DNSEval=HASH(0x2adb400) implements 'check_start', priority 0 [22231] dbg: bayes: tie-ing to DB file R/O /etc/MailScanner/bayes/bayes_toks [22231] dbg: bayes: tie-ing to DB file R/O /etc/MailScanner/bayes/bayes_seen [22231] dbg: bayes: found bayes db version 3 [22231] dbg: bayes: DB journal sync: last sync: 0 [22231] dbg: bayes: not available for scanning, only 1 ham(s) in bayes DB < 200 [22231] dbg: bayes: untie-ing [22231] dbg: plugin: Mail::SpamAssassin::Plugin::Check=HASH(0x2a600f0) implements 'check_main', priority 0 [22231] dbg: conf: trusted_networks are not configured; it is recommended that you configure trusted_networks manually [22231] dbg: metadata: X-Spam-Relays-Trusted: [22231] dbg: metadata: X-Spam-Relays-Untrusted: [22231] dbg: metadata: X-Spam-Relays-Internal: [22231] dbg: metadata: X-Spam-Relays-External: [22231] dbg: plugin: Mail::SpamAssassin::Plugin::RelayCountry=HASH(0x285c3d0) implements 'extract_metadata', priority 0 [22231] dbg: metadata: X-Relay-Countries: [22231] dbg: message: no encoding detected [22231] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x27d4c70) implements 'parsed_metadata', priority 0 [22231] dbg: 
plugin: Mail::SpamAssassin::Plugin::RelayCountry=HASH(0x285c3d0) implements 'parsed_metadata', priority 0 [22231] dbg: dns: is DNS available? 0 [22231] dbg: rules: local tests only, ignoring RBL eval [22231] dbg: check: running tests for priority: -1000 [22231] dbg: rules: running head tests; score so far=0 [22231] dbg: rules: compiled head tests [22231] dbg: eval: all '*From' addrs: ignore@compiling.spamassassin.taint.org [22231] dbg: eval: all '*To' addrs: [22231] dbg: rules: running body tests; score so far=0 [22231] dbg: rules: compiled body tests [22231] dbg: rules: running uri tests; score so far=0 [22231] dbg: rules: compiled uri tests [22231] dbg: rules: running rawbody tests; score so far=0 [22231] dbg: rules: compiled rawbody tests [22231] dbg: rules: running full tests; score so far=0 [22231] dbg: rules: compiled full tests [22231] dbg: rules: running meta tests; score so far=0 [22231] dbg: rules: compiled meta tests [22231] dbg: check: running tests for priority: -950 [22231] dbg: rules: running head tests; score so far=0 [22231] dbg: rules: compiled head tests [22231] dbg: rules: running body tests; score so far=0 [22231] dbg: rules: compiled body tests [22231] dbg: rules: running uri tests; score so far=0 [22231] dbg: rules: compiled uri tests [22231] dbg: rules: running rawbody tests; score so far=0 [22231] dbg: rules: compiled rawbody tests [22231] dbg: rules: running full tests; score so far=0 [22231] dbg: rules: compiled full tests [22231] dbg: rules: running meta tests; score so far=0 [22231] dbg: rules: compiled meta tests [22231] dbg: check: running tests for priority: -900 [22231] dbg: rules: running head tests; score so far=0 [22231] dbg: rules: compiled head tests [22231] dbg: rules: running body tests; score so far=0 [22231] dbg: rules: compiled body tests [22231] dbg: rules: running uri tests; score so far=0 [22231] dbg: rules: compiled uri tests [22231] dbg: rules: running rawbody tests; score so far=0 [22231] dbg: rules: compiled rawbody 
tests [22231] dbg: rules: running full tests; score so far=0 [22231] dbg: rules: compiled full tests [22231] dbg: rules: running meta tests; score so far=0 [22231] dbg: rules: compiled meta tests [22231] dbg: check: running tests for priority: -400 [22231] dbg: rules: running head tests; score so far=0 [22231] dbg: rules: compiled head tests [22231] dbg: rules: running body tests; score so far=0 [22231] dbg: rules: compiled body tests [22231] dbg: rules: running uri tests; score so far=0 [22231] dbg: rules: compiled uri tests [22231] dbg: rules: running rawbody tests; score so far=0 [22231] dbg: rules: compiled rawbody tests [22231] dbg: rules: running full tests; score so far=0 [22231] dbg: rules: compiled full tests [22231] dbg: rules: running meta tests; score so far=0 [22231] dbg: rules: compiled meta tests [22231] dbg: check: running tests for priority: 0 [22231] dbg: rules: running head tests; score so far=0 [22231] dbg: rules: compiled head tests [22231] dbg: rules: ran header rule __MISSING_REF ======> got hit: "UNSET" [22231] dbg: rules: ran header rule __MSOE_MID_WRONG_CASE ======> got hit: " [22231] dbg: rules: Message-Id: " [22231] dbg: rules: ran header rule MISSING_DATE ======> got hit: "UNSET" [22231] dbg: rules: ran header rule __MSGID_OK_HOST ======> got hit: "@lint_rules>" [22231] dbg: rules: ran header rule __MSGID_OK_DIGITS ======> got hit: "1231461934" [22231] dbg: rules: ran header rule __HAS_MSGID ======> got hit: "<" [22231] dbg: rules: ran header rule __SANE_MSGID ======> got hit: "<1231461934@lint_rules> [22231] dbg: rules: " [22231] dbg: spf: checking to see if the message has a Received-SPF header that we can use [22231] dbg: spf: already checked for Received-SPF headers, proceeding with DNS based checks [22231] dbg: spf: already checked for Received-SPF headers, proceeding with DNS based checks [22231] dbg: rules: ran eval rule NO_RELAYS ======> got hit (1) [22231] dbg: spf: already checked for Received-SPF headers, proceeding with DNS 
based checks [22231] dbg: spf: already checked for Received-SPF headers, proceeding with DNS based checks [22231] dbg: spf: cannot get Envelope-From, cannot use SPF [22231] dbg: spf: def_spf_whitelist_from: could not find useable envelope sender [22231] dbg: spf: already checked for Received-SPF headers, proceeding with DNS based checks [22231] dbg: spf: already checked for Received-SPF headers, proceeding with DNS based checks [22231] dbg: spf: already checked for Received-SPF headers, proceeding with DNS based checks [22231] dbg: rules: ran eval rule __UNUSABLE_MSGID ======> got hit (1) [22231] dbg: rules: ran eval rule MISSING_HEADERS ======> got hit (1) [22231] dbg: spf: spf_whitelist_from: could not find useable envelope sender [22231] dbg: rules: running body tests; score so far=1.899 [22231] dbg: rules: compiled body tests [22231] dbg: rules: ran body rule __NONEMPTY_BODY ======> got hit: "I" [22231] dbg: rules: running uri tests; score so far=1.899 [22231] dbg: rules: compiled uri tests [22231] dbg: eval: stock info total: 0 [22231] dbg: rules: running rawbody tests; score so far=1.899 [22231] dbg: rules: compiled rawbody tests [22231] dbg: rules: ran rawbody rule __TVD_BODY ======> got hit: "need" [22231] dbg: rules: running full tests; score so far=1.899 [22231] dbg: rules: compiled full tests [22231] dbg: rules: running meta tests; score so far=1.899 [22231] dbg: rules: compiled meta tests [22231] dbg: check: running tests for priority: 500 [22231] dbg: dns: harvest_dnsbl_queries [22231] dbg: rules: running head tests; score so far=1.899 [22231] dbg: rules: compiled head tests [22231] dbg: rules: running body tests; score so far=1.899 [22231] dbg: rules: compiled body tests [22231] dbg: rules: running uri tests; score so far=1.899 [22231] dbg: rules: compiled uri tests [22231] dbg: rules: running rawbody tests; score so far=1.899 [22231] dbg: rules: compiled rawbody tests [22231] dbg: rules: running full tests; score so far=1.899 [22231] dbg: rules: 
compiled full tests
[22231] dbg: rules: running meta tests; score so far=1.899
[22231] dbg: rules: compiled meta tests
[22231] dbg: check: running tests for priority: 1000
[22231] dbg: rules: running head tests; score so far=4.205
[22231] dbg: rules: compiled head tests
[22231] dbg: rules: running body tests; score so far=4.205
[22231] dbg: rules: compiled body tests
[22231] dbg: rules: running uri tests; score so far=4.205
[22231] dbg: rules: compiled uri tests
[22231] dbg: rules: running rawbody tests; score so far=4.205
[22231] dbg: rules: compiled rawbody tests
[22231] dbg: rules: running full tests; score so far=4.205
[22231] dbg: rules: compiled full tests
[22231] dbg: rules: running meta tests; score so far=4.205
[22231] dbg: rules: compiled meta tests
[22231] dbg: check: is spam? score=4.205 required=5
[22231] dbg: check: tests=MISSING_DATE,MISSING_HEADERS,MISSING_SUBJECT,NO_RECEIVED,NO_RELAYS
[22231] dbg: check: subtests=__HAS_MSGID,__MISSING_REF,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__MSOE_MID_WRONG_CASE,__NONEMPTY_BODY,__SANE_MSGID,__TVD_BODY,__UNUSABLE_MSGID

Other than the ('require' failed), seems to be OK?

Running lint on MailScanner gives me:

MailScanner --lint
Trying to setlogsock(unix)
Read 848 hostnames from the phishing whitelist
Read 4008 hostnames from the phishing blacklist
Config: calling custom init function SQLBlacklist
Starting up SQL Blacklist
Read 3 blacklist entries
Config: calling custom init function MailWatchLogging
Started SQL Logging child
Config: calling custom init function SQLWhitelist
Starting up SQL Whitelist
Read 60 whitelist entries
Checking version numbers...
Version number in MailScanner.conf (4.74.15) is correct.

Your envelope_sender_header in spam.assassin.prefs.conf is correct.
MailScanner setting GID to (80)
MailScanner setting UID to (80)

Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
config: path "//.spamassassin/user_prefs" is inaccessible: Permission denied
##still this issue although next it says it is reporting no issues
SpamAssassin reported no errors.
Using locktype = posix
MailScanner.conf says "Virus Scanners = clamd"
Found these virus scanners installed: clamavmodule, clamd
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Virus Scanning: Clamd found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
===========================================================================
Virus Scanner test reports:
Clamd said "eicar.com was infected: Eicar-Test-Signature"

If any of your virus scanners (clamavmodule,clamd) are not listed there, you should check that they are installed correctly and that MailScanner is finding them correctly via its virus.scanners.conf.
Config: calling custom end function SQLBlacklist
Closing down by-domain spam blacklist
Config: calling custom end function MailWatchLogging
Config: calling custom end function SQLWhitelist
Closing down by-domain spam whitelist
commit ineffective with AutoCommit enabled at /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93, line 1.
## and finally this annoying line

I do not see any errors on startup. Now I will go back and have a hard look at Glen's message and see if I can figure out what he is saying to try.

I just want to thank everyone for hanging in with me. This has been a long couple of days but really need to solve this soon.

Dave

--
Dave Filchak
Instructor, School of Communications Arts
Seneca College @ York
Office: Room 1068

From dave.filchak at senecac.on.ca Fri Jan 9 01:40:10 2009
From: dave.filchak at senecac.on.ca (Dave Filchak) Date: Fri Jan 9 01:40:23 2009 Subject: Upgrade fron 4.61.7 to 4.74.13-2 In-Reply-To: <4966A17D.2000006@senecac.on.ca> References: <20090108071334.6t3eri15gc0ggkk4@manage.zuka.net> <49660685.80304@USherbrooke.ca> <49660D57.2040107@senecac.on.ca> <496616B0.1060100@USherbrooke.ca> <49661F7A.2090607@senecac.on.ca> <223f97700901080809i456904ferb64df26e7b44ae05@mail.gmail.com> <49662AAF.9070601@senecac.on.ca> <223f97700901081136s24b46fc3u80f6bc14346a6f6b@mail.gmail.com> <49668F4F.4000700@senecac.on.ca> <4966A17D.2000006@senecac.on.ca> Message-ID: <4966AAFA.5060409@senecac.on.ca> Dave Filchak wrote: > OK ...did this. Thought I would clean up the thread a bit so we can > see more of the current situation: > > Scott Silva wrote: >> >> Can you download and install 4.74.15-2? There were some postfix >> related fixes >> between 13-2 and 15-2. >> > > Probably nothing but I get these during install: > > file /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi/Storable.pm > from install of perl-Storable-2.16-2 conflicts with file from package > perl-5.8.5-24.RHEL4 > file > /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi/auto/Storable/CAN_FLOCK.al > from install of perl-Storable-2.16-2 conflicts with file from package > perl-5.8.5-24.RHEL4 > file > /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi/auto/Storable/Storable.so > from install of perl-Storable-2.16-2 conflicts with file from package > perl-5.8.5-24.RHEL4 > file > /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi/auto/Storable/_freeze.al > from install of perl-Storable-2.16-2 conflicts with file from package > perl-5.8.5-24.RHEL4 > file > /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi/auto/Storable/_retrieve.al > from install of perl-Storable-2.16-2 conflicts with file from package > perl-5.8.5-24.RHEL4 > file > /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi/auto/Storable/_store.al > from install of perl-Storable-2.16-2 conflicts with file from package > 
perl-5.8.5-24.RHEL4 > file > /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi/auto/Storable/_store_fd.al > from install of perl-Storable-2.16-2 conflicts with file from package > perl-5.8.5-24.RHEL4 > file > /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi/auto/Storable/autosplit.ix > from install of perl-Storable-2.16-2 conflicts with file from package > perl-5.8.5-24.RHEL4 > file > /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi/auto/Storable/fd_retrieve.al > from install of perl-Storable-2.16-2 conflicts with file from package > perl-5.8.5-24.RHEL4 > file > /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi/auto/Storable/freeze.al > from install of perl-Storable-2.16-2 conflicts with file from package > perl-5.8.5-24.RHEL4 > file > /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi/auto/Storable/lock_nstore.al > from install of perl-Storable-2.16-2 conflicts with file from package > perl-5.8.5-24.RHEL4 > file > /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi/auto/Storable/lock_retrieve.al > from install of perl-Storable-2.16-2 conflicts with file from package > perl-5.8.5-24.RHEL4 > file > /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi/auto/Storable/lock_store.al > from install of perl-Storable-2.16-2 conflicts with file from package > perl-5.8.5-24.RHEL4 > file > /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi/auto/Storable/logcarp.al > from install of perl-Storable-2.16-2 conflicts with file from package > perl-5.8.5-24.RHEL4 > file > /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi/auto/Storable/logcroak.al > from install of perl-Storable-2.16-2 conflicts with file from package > perl-5.8.5-24.RHEL4 > file > /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi/auto/Storable/nfreeze.al > from install of perl-Storable-2.16-2 conflicts with file from package > perl-5.8.5-24.RHEL4 > file > /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi/auto/Storable/nstore.al > from install of perl-Storable-2.16-2 conflicts with file from package > perl-5.8.5-24.RHEL4 > file > 
/usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi/auto/Storable/nstore_fd.al > from install of perl-Storable-2.16-2 conflicts with file from package > perl-5.8.5-24.RHEL4 > file > /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi/auto/Storable/read_magic.al > from install of perl-Storable-2.16-2 conflicts with file from package > perl-5.8.5-24.RHEL4 > file > /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi/auto/Storable/retrieve.al > from install of perl-Storable-2.16-2 conflicts with file from package > perl-5.8.5-24.RHEL4 > file > /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi/auto/Storable/show_file_magic.al > from install of perl-Storable-2.16-2 conflicts with file from package > perl-5.8.5-24.RHEL4 > file > /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi/auto/Storable/store.al > from install of perl-Storable-2.16-2 conflicts with file from package > perl-5.8.5-24.RHEL4 > file > /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi/auto/Storable/store_fd.al > from install of perl-Storable-2.16-2 conflicts with file from package > perl-5.8.5-24.RHEL4 > file > /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi/auto/Storable/thaw.al > from install of perl-Storable-2.16-2 conflicts with file from package > perl-5.8.5-24.RHEL4 > > Running: > > spamassassin -D -p /etc/MailScanner/spam.assassin.prefs.conf --lint > [22231] dbg: logger: adding facilities: all > [22231] dbg: logger: logging level is DBG > [22231] dbg: generic: SpamAssassin version 3.2.5 > [22231] dbg: config: score set 0 chosen. > [22231] dbg: util: running in taint mode? 
yes > [22231] dbg: util: taint mode: deleting unsafe environment variables, > resetting PATH > [22231] dbg: util: PATH included '/usr/kerberos/sbin', keeping > [22231] dbg: util: PATH included '/usr/kerberos/bin', keeping > [22231] dbg: util: PATH included '/usr/local/sbin', keeping > [22231] dbg: util: PATH included '/usr/local/bin', keeping > [22231] dbg: util: PATH included '/sbin', keeping > [22231] dbg: util: PATH included '/bin', keeping > [22231] dbg: util: PATH included '/usr/sbin', keeping > [22231] dbg: util: PATH included '/usr/bin', keeping > [22231] dbg: util: PATH included '/usr/X11R6/bin', keeping > [22231] dbg: util: PATH included '/usr/java/jdk1.5.0_05/bin', which > doesn't exist, dropping > [22231] dbg: util: PATH included '/root/bin', which doesn't exist, > dropping > [22231] dbg: util: final PATH set to: > /usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin > > [22231] dbg: dns: no ipv6 > [22231] dbg: dns: is Net::DNS::Resolver available? 
yes > [22231] dbg: dns: Net::DNS version: 0.63 > [22231] dbg: diag: perl platform: 5.008005 linux > [22231] dbg: diag: module installed: Digest::SHA1, version 2.11 > [22231] dbg: diag: module installed: HTML::Parser, version 3.56 > [22231] dbg: diag: module installed: Net::DNS, version 0.63 > [22231] dbg: diag: module installed: MIME::Base64, version 3.07 > [22231] dbg: diag: module installed: DB_File, version 1.814 > [22231] dbg: diag: module installed: Net::SMTP, version 2.31 > [22231] dbg: diag: module installed: Mail::SPF, version v2.004 > [22231] dbg: diag: module installed: Mail::SPF::Query, version 1.999001 > [22231] dbg: diag: module installed: IP::Country::Fast, version 604.001 > [22231] dbg: diag: module installed: Razor2::Client::Agent, version 2.84 > [22231] dbg: diag: module not installed: Net::Ident ('require' failed) > [22231] dbg: diag: module not installed: IO::Socket::INET6 ('require' > failed) > [22231] dbg: diag: module installed: IO::Socket::SSL, version 1.01 > [22231] dbg: diag: module installed: Compress::Zlib, version 2.005 > [22231] dbg: diag: module installed: Time::HiRes, version 1.9707 > [22231] dbg: diag: module not installed: Mail::DomainKeys ('require' > failed) > [22231] dbg: diag: module not installed: Mail::DKIM ('require' failed) > > ## are these ('require' failed) something I need to be concerned with? 
> > > [22231] dbg: diag: module installed: DBI, version 1.58 > [22231] dbg: diag: module installed: Getopt::Long, version 2.36 > [22231] dbg: diag: module installed: LWP::UserAgent, version 5.810 > [22231] dbg: diag: module installed: HTTP::Date, version 5.810 > [22231] dbg: diag: module installed: Archive::Tar, version 1.32 > [22231] dbg: diag: module installed: IO::Zlib, version 1.04 > [22231] dbg: diag: module installed: Encode::Detect, version 1.00 > [22231] dbg: ignore: using a test message to lint rules > [22231] dbg: config: using "/etc/mail/spamassassin" for site rules pre > files > [22231] dbg: config: read file /etc/mail/spamassassin/init.pre > [22231] dbg: config: read file /etc/mail/spamassassin/v310.pre > [22231] dbg: config: read file /etc/mail/spamassassin/v312.pre > [22231] dbg: config: read file /etc/mail/spamassassin/v320.pre > [22231] dbg: config: using "/var/lib/spamassassin/3.002005" for sys > rules pre files > [22231] dbg: config: using "/var/lib/spamassassin/3.002005" for > default rules dir > [22231] dbg: config: read file > /var/lib/spamassassin/3.002005/updates_spamassassin_org.cf > [22231] dbg: config: using "/etc/mail/spamassassin" for site rules dir > [22231] dbg: config: read file /etc/mail/spamassassin/mailscanner.cf > [22231] dbg: config: using "/etc/MailScanner/spam.assassin.prefs.conf" > for user prefs file > [22231] dbg: config: read file /etc/MailScanner/spam.assassin.prefs.conf > [22231] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from > @INC > [22231] dbg: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from > @INC > [22231] dbg: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC > [22231] dbg: plugin: loading Mail::SpamAssassin::Plugin::RelayCountry > from @INC > [22231] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC > [22231] dbg: razor2: local tests only, skipping Razor > [22231] dbg: plugin: loading Mail::SpamAssassin::Plugin::DCC from @INC > [22231] dbg: dcc: local tests only, 
disabling DCC > [22231] dbg: plugin: loading Mail::SpamAssassin::Plugin::Pyzor from @INC > [22231] dbg: pyzor: local tests only, disabling Pyzor > [22231] dbg: plugin: did not register > Mail::SpamAssassin::Plugin::Razor2, already registered > [22231] dbg: plugin: loading Mail::SpamAssassin::Plugin::SpamCop from > @INC > [22231] dbg: reporter: local tests only, disabling SpamCop > [22231] dbg: plugin: loading Mail::SpamAssassin::Plugin::AWL from @INC > [22231] dbg: plugin: loading > Mail::SpamAssassin::Plugin::AutoLearnThreshold from @INC > [22231] dbg: plugin: loading > Mail::SpamAssassin::Plugin::WhiteListSubject from @INC > [22231] dbg: plugin: loading Mail::SpamAssassin::Plugin::MIMEHeader > from @INC > [22231] dbg: plugin: loading Mail::SpamAssassin::Plugin::ReplaceTags > from @INC > [22231] dbg: plugin: did not register > Mail::SpamAssassin::Plugin::RelayCountry, already registered > [22231] dbg: plugin: did not register Mail::SpamAssassin::Plugin::SPF, > already registered > [22231] dbg: plugin: did not register > Mail::SpamAssassin::Plugin::URIDNSBL, already registered > [22231] dbg: plugin: loading Mail::SpamAssassin::Plugin::Check from @INC > [22231] dbg: plugin: loading Mail::SpamAssassin::Plugin::HTTPSMismatch > from @INC > [22231] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDetail > from @INC > [22231] dbg: plugin: loading Mail::SpamAssassin::Plugin::Bayes from @INC > [22231] dbg: plugin: loading Mail::SpamAssassin::Plugin::BodyEval from > @INC > [22231] dbg: plugin: loading Mail::SpamAssassin::Plugin::DNSEval from > @INC > [22231] dbg: plugin: loading Mail::SpamAssassin::Plugin::HTMLEval from > @INC > [22231] dbg: plugin: loading Mail::SpamAssassin::Plugin::HeaderEval > from @INC > [22231] dbg: plugin: loading Mail::SpamAssassin::Plugin::MIMEEval from > @INC > [22231] dbg: plugin: loading Mail::SpamAssassin::Plugin::RelayEval > from @INC > [22231] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIEval from > @INC > [22231] dbg: plugin: 
rawbody tests
> [22231] dbg: rules: running full tests; score so far=1.899
> [22231] dbg: rules: compiled full tests
> [22231] dbg: rules: running meta tests; score so far=1.899
> [22231] dbg: rules: compiled meta tests
> [22231] dbg: check: running tests for priority: 1000
> [22231] dbg: rules: running head tests; score so far=4.205
> [22231] dbg: rules: compiled head tests
> [22231] dbg: rules: running body tests; score so far=4.205
> [22231] dbg: rules: compiled body tests
> [22231] dbg: rules: running uri tests; score so far=4.205
> [22231] dbg: rules: compiled uri tests
> [22231] dbg: rules: running rawbody tests; score so far=4.205
> [22231] dbg: rules: compiled rawbody tests
> [22231] dbg: rules: running full tests; score so far=4.205
> [22231] dbg: rules: compiled full tests
> [22231] dbg: rules: running meta tests; score so far=4.205
> [22231] dbg: rules: compiled meta tests
> [22231] dbg: check: is spam? score=4.205 required=5
> [22231] dbg: check:
> tests=MISSING_DATE,MISSING_HEADERS,MISSING_SUBJECT,NO_RECEIVED,NO_RELAYS
> [22231] dbg: check:
> subtests=__HAS_MSGID,__MISSING_REF,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__MSOE_MID_WRONG_CASE,__NONEMPTY_BODY,__SANE_MSGID,__TVD_BODY,__UNUSABLE_MSGID
>
>
> Other than the ('require' failed), seems to be OK?
>
> Running lint on MailScanner gives me:
>
> MailScanner --lint
> Trying to setlogsock(unix)
> Read 848 hostnames from the phishing whitelist
> Read 4008 hostnames from the phishing blacklist
> Config: calling custom init function SQLBlacklist
> Starting up SQL Blacklist
> Read 3 blacklist entries
> Config: calling custom init function MailWatchLogging
> Started SQL Logging child
> Config: calling custom init function SQLWhitelist
> Starting up SQL Whitelist
> Read 60 whitelist entries
> Checking version numbers...
> Version number in MailScanner.conf (4.74.15) is correct.
>
> Your envelope_sender_header in spam.assassin.prefs.conf is correct.
> MailScanner setting GID to (80)
> MailScanner setting UID to (80)
>
> Checking for SpamAssassin errors (if you use it)...
> Using SpamAssassin results cache
> Connected to SpamAssassin cache database
> config: path "//.spamassassin/user_prefs" is inaccessible: Permission
> denied
> ##still this issue although next it says it is reporting no issues
>
> SpamAssassin reported no errors.
> Using locktype = posix
> MailScanner.conf says "Virus Scanners = clamd"
> Found these virus scanners installed: clamavmodule, clamd
> ===========================================================================
>
> Filename Checks: Windows/DOS Executable (1 eicar.com)
> Other Checks: Found 1 problems
> Virus and Content Scanning: Starting
> Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
> Virus Scanning: Clamd found 2 infections
> Infected message 1 came from 10.1.1.1
> Virus Scanning: Found 2 viruses
> ===========================================================================
>
> Virus Scanner test reports:
> Clamd said "eicar.com was infected: Eicar-Test-Signature"
>
> If any of your virus scanners (clamavmodule,clamd)
> are not listed there, you should check that they are installed correctly
> and that MailScanner is finding them correctly via its
> virus.scanners.conf.
> Config: calling custom end function SQLBlacklist
> Closing down by-domain spam blacklist
> Config: calling custom end function MailWatchLogging
> Config: calling custom end function SQLWhitelist
> Closing down by-domain spam whitelist
> commit ineffective with AutoCommit enabled at
> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93,
> line 1.
> ## and finally this annoying line
>
> I do not see any errors on startup. Now I will go back and have a hard
> look at Glenn's message and see if I can figure out what he is saying to
> try.
>
> I just want to thank everyone for hanging in with me. This has been a
> long couple of days but really need to solve this soon.
>
> Dave
>
Just trying to track down permission errors. I get the following, running SALearn:

SA Learn: error code 13 returned from sa-learn:
bayes: cannot open bayes databases /etc/MailScanner/bayes/bayes_* R/O: tie failed: Permission denied
bayes: expire_old_tokens: locker: safe_lock: cannot create lockfile /etc/MailScanner/bayes/bayes.mutex: Permission denied
bayes: locker: safe_lock: cannot create lockfile /etc/MailScanner/bayes/bayes.mutex: Permission denied
Learned tokens from 0 message(s) (1 message(s) examined)

Here are my bayes settings (inside of the bayes folder)

drwxrwxr-x 3 root webadmin 4096 Jul 18 2007 .
drwxr-xr-x 9 root root 4096 Jan 8 20:15 ..
--w--w-r-- 1 postfix postfix 18 Jan 8 02:23 bayes.mutex
-rw-rw---- 1 postfix postfix 327680 Jan 8 02:23 bayes_seen
-rw-rw---- 1 postfix postfix 5210112 Jan 8 02:23 bayes_toks
drwxr-xr-x 2 root root 4096 Jul 18 2007 poisoned

However, the bayes folder itself is:
drwxrwxr-x 3 root webadmin 4096 Jul 18 2007 bayes

I should also note the following ownership settings in MailScanner.conf:

Run As User = postfix
Run As Group = postfix
Incoming Work Group = clamav
Incoming Work Permissions = 0640
Quarantine Group = webadmin
Quarantine Permissions = 0660

I believe that webadmin is there because of MailWatch as webadmin is what apache runs as

Dave

--
Dave Filchak
Instructor, School of Communications Arts
Seneca College @ York
Office: Room 1068

From cwatts at elsberry.k12.mo.us Fri Jan 9 03:22:59 2009
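Added example (not part of any message in this thread): the bayes directory listing from Dave Filchak's message above, evaluated with the classic owner/group/other rule for two identities. The identity names, their group memberships and the three operations checked are assumptions made for illustration; ACLs, SELinux and root are ignored.

```python
"""Evaluate an `ls -l` listing with the classic UNIX owner/group/other rule."""
from typing import Dict, NamedTuple, Set

# Listing exactly as posted in the message (inside /etc/MailScanner/bayes).
LISTING = """\
drwxrwxr-x 3 root webadmin 4096 Jul 18 2007 .
drwxr-xr-x 9 root root 4096 Jan 8 20:15 ..
--w--w-r-- 1 postfix postfix 18 Jan 8 02:23 bayes.mutex
-rw-rw---- 1 postfix postfix 327680 Jan 8 02:23 bayes_seen
-rw-rw---- 1 postfix postfix 5210112 Jan 8 02:23 bayes_toks
drwxr-xr-x 2 root root 4096 Jul 18 2007 poisoned
"""

# Assumed identities (user -> groups). "postfix" follows the Run As User /
# Run As Group settings quoted in the message; "webadmin" is a hypothetical
# web-server identity that belongs only to the webadmin group.
IDENTITIES = {
    "postfix": {"postfix"},
    "webadmin": {"webadmin"},
}


class Entry(NamedTuple):
    mode: str   # ten characters, e.g. "-rw-rw----"
    owner: str
    group: str


def parse_listing(text: str) -> Dict[str, Entry]:
    """Map file name -> Entry for every well-formed `ls -l` line."""
    entries = {}
    for line in text.splitlines():
        # Fields: mode links owner group size month day time-or-year name
        parts = line.split(None, 8)
        if len(parts) == 9 and len(parts[0]) >= 10:
            entries[parts[8]] = Entry(parts[0][:10], parts[2], parts[3])
    return entries


def class_bits(entry: Entry, user: str, groups: Set[str]) -> str:
    """Return the single rwx triplet that applies to this identity.

    Only the first matching class counts: an owner never falls through to
    the group or other bits, even when those would grant more.
    """
    if user == entry.owner:
        return entry.mode[1:4]
    if entry.group in groups:
        return entry.mode[4:7]
    return entry.mode[7:10]


def can(entry: Entry, user: str, groups: Set[str], wanted: str) -> bool:
    """True if every flag in `wanted` (a subset of 'rwx') is granted."""
    bits = class_bits(entry, user, groups)
    return all(flag in bits for flag in wanted)


def bayes_access(entries: Dict[str, Entry], user: str, groups: Set[str]) -> Dict[str, bool]:
    """Check three operations a Bayes learner plausibly needs (assumed set)."""
    directory = entries["."]
    search = can(directory, user, groups, "x")  # needed to reach any file inside
    return {
        # Open both database files for reading.
        "read_db": search and all(
            can(entries[name], user, groups, "r")
            for name in ("bayes_toks", "bayes_seen")
        ),
        # Open the existing lock file read-write.
        "open_mutex_rw": search and can(entries["bayes.mutex"], user, groups, "rw"),
        # Create a new file (lock, journal, temp file) in the directory.
        "create_file_in_dir": can(directory, user, groups, "wx"),
    }


def report() -> Dict[str, Dict[str, bool]]:
    entries = parse_listing(LISTING)
    return {user: bayes_access(entries, user, groups)
            for user, groups in IDENTITIES.items()}


if __name__ == "__main__":
    for user, result in report().items():
        print(user, result)
```

With this listing neither assumed identity passes all three checks; in particular the owner bits on bayes.mutex are -w-, so even its owner cannot open it read-write.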
From: cwatts at elsberry.k12.mo.us (Cannon Watts)
Date: Fri Jan 9 03:24:38 2009
Subject: identical messages -- some get bayes score, some don't
Message-ID: <60382.204.184.75.172.1231471379.squirrel@webmail.elsberry.k12.mo.us>

I've just set up a new mail server, running MailScanner with sendmail, and am seeing a large percentage of mails that don't get a bayes score. I understand (I think) that unlike earlier versions, it's normal for some messages not to get a bayes score. However, this is approaching 50 percent, and, with identical messages, one will get a bayes score while the other doesn't. I don't see any indication of timeouts in the logs, and I have 'Wait During Bayes Rebuild = yes' in MailScanner.conf as was suggested in a similar discussion I found.

At one point today we received 28 messages that were identical other than recipient. The first 5 didn't receive a bayes score. The 6th was scored BAYES_50. Copies 7 and 8 didn't receive a bayes score, and the 9th copy scored BAYES_60. The final 19 copies did not receive a bayes score. All of the other SpamAssassin scores are identical for all 28 messages.

Any help understanding what is going on here would be greatly appreciated.

Thanks,
Cannon Watts

System specs:
MailScanner 4.73.4
SpamAssassin 3.2.5
Perl 5.10.0
Sendmail 8.14.2
Fedora 9, kernel 2.6.25 x86_64
Quad-Core Opteron 2350
4 GB RAM

ADDITIONAL INFO

I decided to try something else before hitting 'send' -- saved all 28 messages to a new mailbox, and deleted the SpamAssassin headers. I then ran 'spamassassin -D -p /etc/MailScanner/spam.assassin.prefs.comf --mbox spams'

Looking through the output, this time it scored 8 of the messages BAYES_50, 6 of the messages BAYES_60, and the other 14 did not get a bayes score. More importantly, I'm seeing a bunch of timeouts in the debug information.
Way too much to include here, but I'm seeing hundreds of lines like these:

[2456] dbg: async: starting: URI-DNSBL, DNSBL:dob.sibl.support-intelligence.net:agentbenefitsteam.com (timeout 10.0s, min 2.0s)
[2456] dbg: async: starting: URI-NS, NS:agentbenefitsteam.com (timeout 10.0s, min 2.0s)
[2456] dbg: async: starting: DNSBL-A, dns:A:154.248.19.72.plus.bondedsender.org. (timeout 10.0s, min 2.0s)
[2456] dbg: async: starting: DNSBL-TXT, dns:TXT:154.248.19.72.bl.spamcop.net. (timeout 10.0s, min 2.0s)

And perhaps most importantly:

[2456] dbg: locker: safe_lock: trying to get lock on /etc/MailScanner/bayes/bayes with 10 timeout

What can I do to cure all these timeouts (and will fixing the timeouts solve my bayes problems)?

Thanks again,
Cannon

From dave.filchak at senecac.on.ca Fri Jan 9 03:25:52 2009
From: dave.filchak at senecac.on.ca (Dave Filchak) Date: Fri Jan 9 03:26:18 2009 Subject: Upgrade fron 4.61.7 to 4.74.13-2 In-Reply-To: <223f97700901081136s24b46fc3u80f6bc14346a6f6b@mail.gmail.com> References: <20090108071334.6t3eri15gc0ggkk4@manage.zuka.net> <49660685.80304@USherbrooke.ca> <49660D57.2040107@senecac.on.ca> <496616B0.1060100@USherbrooke.ca> <49661F7A.2090607@senecac.on.ca> <223f97700901080809i456904ferb64df26e7b44ae05@mail.gmail.com> <49662AAF.9070601@senecac.on.ca> <223f97700901081136s24b46fc3u80f6bc14346a6f6b@mail.gmail.com> Message-ID: <4966C3C0.7090103@senecac.on.ca> Glenn, Glenn Steen wrote: > 2009/1/8 Kai Schaetzl : > >> Dave Filchak wrote on Thu, 08 Jan 2009 11:32:47 -0500: >> >> >>>>> Unfortunately, the user Postfix is set to nologin ( postfix:x:80:80:Postfix >>>>> Mail Server:/:/sbin/nologin ) so I cannot sudo to it ) >>>>> >> look at the homedir! >> > Indeed;) > > >>> su - postfix -s /bin/bash >>> -bash-3.00$ spamassassin --lint >>> [19715] warn: config: path "//.spamassassin/user_prefs" is inaccessible: >>> Permission denied >>> -bash-3.00$ >>> >> you get this strange path because your postfix user has the wrong homedir. It >> should be /var/spool/postfix (That also shows that you don't have to su to >> postfix, it's running as postfix, anyway.) >> If your mail is still not flowing that might also be the reason for it. >> >> > I'm leaning toward one of the classics here: > Since the directory SA (as the postfix user) tries to write things to > (user prefs, razor-agent thing, pyzor discover thing etc), some of > that cr*p end up being written somewhere the postfix user _can_ write > ... the hold queue... So Dave should perhaps look at that directory > for non-queue files ... and remove them. > Actually ... the only thing in the hold directory is the razor-agent.log. Nothing else. There is also nothing in the incoming directory either. The server is not delivering any mail now. Though I do not see ANY errors in the logs. 
I can send myself an email and I see it being delivered to my maildir. But it will not deliver it. > How to make sure they never reappear? > First: Set a more reasonable home directory for postfix, like > /var/spool/postfix. Edit /etc/passwd with something safe like vipw > > ALTERNATIVE 1 > Temporarily make that directory writable by the postfix user > su - postfix -s /bin/bash > spamassassin --lint > spamassassin -t -D < /path/to/a/message > exit > Make the directory non-writable by postfix. > You should now have all the needed directories, like .razor .pyzor and > .spamassassin > > ALTERNATIVE 2 > > Create the directories by hand (in ~postfix) and make them owned by > postfix and writable by postfix. > Currently, the /var/spool/postfix directory itself is owned by root:root Inside this directory, most everything is owned by postfix and group root but is only rwx for user only. So, if I create the needed folders in here and set them up as the same permissions ... should that work? > ALTERNATIVE 3 > > Use the settings suggested in spam.assassin.prefs.conf (a.k.a. > /etc/mail/spamassassin/mailscanner.cf) to explicitly set a directory > to use for this. Look in the wiki for similar details for razor and > pyzor (unless they're already in mailscanner.cf ... I fail to > remember). > > Any of the alternatives would likely do. > > Then, as said, go check/clean your /var/spool/postfix/hold directory > for/from files that aren't Postfix queue files. > See above. Dave -- Dave Filchak Instructor, School of Communications Arts Seneca College @ York Office: Room 1068 From dave.filchak at senecac.on.ca Fri Jan 9 05:14:24 2009 
From: dave.filchak at senecac.on.ca (Dave Filchak) Date: Fri Jan 9 05:14:41 2009 Subject: Was: Upgrade fron 4.61.7 to 4.74.13-2 In-Reply-To: <4966C3C0.7090103@senecac.on.ca> References: <20090108071334.6t3eri15gc0ggkk4@manage.zuka.net> <49660685.80304@USherbrooke.ca> <49660D57.2040107@senecac.on.ca> <496616B0.1060100@USherbrooke.ca> <49661F7A.2090607@senecac.on.ca> <223f97700901080809i456904ferb64df26e7b44ae05@mail.gmail.com> <49662AAF.9070601@senecac.on.ca> <223f97700901081136s24b46fc3u80f6bc14346a6f6b@mail.gmail.com> <4966C3C0.7090103@senecac.on.ca> Message-ID: <4966DD30.30909@senecac.on.ca> Ok well .. I thought I would clean up the email a bit. I am now at the point that I no longer have any errors permission or otherwise with the exception of this: config: path "//.spamassassin/user_prefs" is inaccessible: Permission denied I still have no clue where this is being generated from as in the MailScanner.conf, the spamassassin local state directory is set to /var/spool/MailScanner and the permissions are set postfix:postfix The worst part is though, that I am not getting mail ... even though if I send myself an email, I see it coming in and then being delivered to my maildir. I can go there and look at it on the server and it is all fine but it just will not be delivered. Anyone? Dave From goetz.reinicke at filmakademie.de Fri Jan 9 09:09:37 2009 
From: goetz.reinicke at filmakademie.de (Götz Reinicke)
Date: Fri Jan 9 09:09:59 2009
Subject: How to force queue clean up after network/DNS "hickup"
Message-ID: <49671451.70305@filmakademie.de>

Hi,

I had some sort of network/DNS hiccups and a lot of mails got queued in the meantime.

How may I force Mailscanner/sendmail to deliver the mails now after the problems with the dns are solved?

Thanks for any hint and for mailscanner anyway!

Happy 2009 and best regards
Götz

--
Götz Reinicke
IT Coordinator
Tel. +49 7141 969 420
Fax +49 7141 969 55 420
E-Mail goetz.reinicke@filmakademie.de

Filmakademie Baden-Württemberg GmbH
Mathildenstr. 20
71638 Ludwigsburg
www.filmakademie.de

Registered at Amtsgericht Stuttgart, HRB 205016
Chair of the Supervisory Board: Prof. Dr. Claudia Hübner, State Councillor for Demographic Change and for Senior Citizens in the State Ministry
Managing Director: Prof. Thomas Schadt

From glenn.steen at gmail.com Fri Jan 9 09:28:59 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Jan 9 09:29:09 2009
Subject: Upgrade fron 4.61.7 to 4.74.13-2
In-Reply-To: <4966AAFA.5060409@senecac.on.ca>
References: <20090108071334.6t3eri15gc0ggkk4@manage.zuka.net> <49661F7A.2090607@senecac.on.ca> <223f97700901080809i456904ferb64df26e7b44ae05@mail.gmail.com> <49662AAF.9070601@senecac.on.ca> <223f97700901081136s24b46fc3u80f6bc14346a6f6b@mail.gmail.com> <49668F4F.4000700@senecac.on.ca> <4966A17D.2000006@senecac.on.ca> <4966AAFA.5060409@senecac.on.ca>
Message-ID: <223f97700901090128t5ba70617o348ebcba1e484067@mail.gmail.com>

2009/1/9 Dave Filchak:
>
> Dave Filchak wrote:
>> (snip)
> Just trying to track down permission errors. I get the following, running
> SALearn:
>
> SA Learn: error code 13 returned from sa-learn: bayes: cannot open bayes
> databases /etc/MailScanner/bayes/bayes_* R/O: tie failed: Permission denied
> bayes: expire_old_tokens: locker: safe_lock: cannot create lockfile
> /etc/MailScanner/bayes/bayes.mutex: Permission denied bayes: locker:
> safe_lock: cannot create lockfile /etc/MailScanner/bayes/bayes.mutex:
> Permission denied Learned tokens from 0 message(s) (1 message(s) examined)
>
Your apache user (presumably "webadmin") does not have write access to your bayes files. Hence the error.

> Here are my bayes settings (inside of the bayes folder)
> drwxrwxr-x 3 root webadmin 4096 Jul 18 2007 .
> drwxr-xr-x 9 root root 4096 Jan 8 20:15 ..
> --w--w-r-- 1 postfix postfix 18 Jan 8 02:23 bayes.mutex
> -rw-rw---- 1 postfix postfix 327680 Jan 8 02:23 bayes_seen
> -rw-rw---- 1 postfix postfix 5210112 Jan 8 02:23 bayes_toks
> drwxr-xr-x 2 root root 4096 Jul 18 2007 poisoned
>
All the above files should be owned by postfix.webadmin ... so first do
chown postfix.webadmin /path/to/bayes/*
... where /path/to/bayes is likely /etc/MailScanner/bayes

> However, the bayes folder itself is: drwxrwxr-x 3 root webadmin 4096 Jul 18 2007 bayes

The above is wrong too... You need to set at least the GUID bit, so that created files are owned by webadmin... Do
chmod g+s /path/to/bayes
and you should be fine with that.

>
> I should also note the following ownership settings in MailScanner.conf:
>
> Run As User = postfix
> Run As Group = postfix
> Incoming Work Group = clamav
> Incoming Work Permissions = 0640
> Quarantine Group = webadmin
> Quarantine Permissions = 0660

Looks fine.

>
> I believe that webadmin is there because of MailWatch as webadmin is what
> apache runs as

Yep:)

>
> Dave
>
Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Fri Jan 9 09:38:16 2009
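The ownership and mode advice in the message above can be checked before and after applying it. The following is an added example, not part of the original message: the function names and the constructed sample directory are assumptions, and the group name passed in is whatever group the web interface runs under (webadmin in this thread).

```shell
#!/bin/sh
# Added example: audit a Bayes directory that two accounts must share.
# Assumptions (not from the thread): function names, the constructed sample.

# Group name and symbolic mode of PATH, both taken from `ls -ld`.
group_of() { ls -ld "$1" | awk '{ print $4 }'; }
mode_of()  { ls -ld "$1" | awk '{ print substr($1, 1, 10) }'; }

# Print one line per problem; return 1 if any problem was found.
check_bayes_dir() {  # DIR GROUP
    bad=0
    # The bit that `chmod g+s` sets: new files inherit the directory's
    # group instead of the creating process's primary group.
    [ -g "$1" ] || { echo "no-setgid $1"; bad=1; }
    [ "$(group_of "$1")" = "$2" ] || { echo "dir-group $1"; bad=1; }
    case "$(mode_of "$1")" in
        ?????w*) ;;    # group may create the lock file
        *) echo "dir-not-group-writable $1"; bad=1 ;;
    esac
    for f in "$1"/bayes_*; do
        [ -f "$f" ] || continue
        [ "$(group_of "$f")" = "$2" ] || { echo "file-group $f"; bad=1; }
        case "$(mode_of "$f")" in
            ????rw*) ;;    # group can read and write the database
            *) echo "file-not-group-rw $f"; bad=1 ;;
        esac
    done
    return $bad
}

# Constructed sample: two database files, one without group access,
# in a directory that lacks the setgid bit.
make_bayes_sample() {  # DIR
    mkdir -p "$1"
    : > "$1/bayes_seen"
    : > "$1/bayes_toks"
    chmod 600 "$1/bayes_seen"
    chmod 660 "$1/bayes_toks"
    chmod 775 "$1"
    chmod g-s "$1"
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_bayes_sample "$tmp/bayes"
    # Checked against the group named in the thread; the sample files carry
    # the invoking user's group, so group mismatches are reported as well.
    check_bayes_dir "$tmp/bayes" webadmin
    echo "check exit status: $?"
    rm -rf "$tmp"
}
demo
```

On a real system the call would be `check_bayes_dir /etc/MailScanner/bayes webadmin`, run once before and once after the chown and chmod steps.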
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Jan 9 09:38:26 2009
Subject: Upgrade fron 4.61.7 to 4.74.13-2
In-Reply-To: <4966C3C0.7090103@senecac.on.ca>
References: <20090108071334.6t3eri15gc0ggkk4@manage.zuka.net> <49660685.80304@USherbrooke.ca> <49660D57.2040107@senecac.on.ca> <496616B0.1060100@USherbrooke.ca> <49661F7A.2090607@senecac.on.ca> <223f97700901080809i456904ferb64df26e7b44ae05@mail.gmail.com> <49662AAF.9070601@senecac.on.ca> <223f97700901081136s24b46fc3u80f6bc14346a6f6b@mail.gmail.com> <4966C3C0.7090103@senecac.on.ca>
Message-ID: <223f97700901090138m7135398dodfec2b6ebe1ee425@mail.gmail.com>

2009/1/9 Dave Filchak:
> Glenn,
>
> Glenn Steen wrote:
>>
>> 2009/1/8 Kai Schaetzl:
>>>
>>> Dave Filchak wrote on Thu, 08 Jan 2009 11:32:47 -0500:
>>>
>>>>>> Unfortunately, the user Postfix is set to nologin (
>>>>>> postfix:x:80:80:Postfix Mail Server:/:/sbin/nologin ) so I cannot sudo to it )
>>>
>>> look at the homedir!
>>
>> Indeed;)
>>
>>>> su - postfix -s /bin/bash
>>>> -bash-3.00$ spamassassin --lint
>>>> [19715] warn: config: path "//.spamassassin/user_prefs" is inaccessible:
>>>> Permission denied
>>>> -bash-3.00$
>>>
>>> you get this strange path because your postfix user has the wrong
>>> homedir. It should be /var/spool/postfix (That also shows that you
>>> don't have to su to postfix, it's running as postfix, anyway.)
>>> If your mail is still not flowing that might also be the reason for it.
>>
>> I'm leaning toward one of the classics here:
>> Since the directory SA (as the postfix user) tries to write things to
>> (user prefs, razor-agent thing, pyzor discover thing etc), some of
>> that cr*p end up being written somewhere the postfix user _can_ write
>> ... the hold queue... So Dave should perhaps look at that directory
>> for non-queue files ... and remove them.
>
> Actually ... the only thing in the hold directory is the razor-agent.log.

This is the one most usual culprit! Remove it, and configure razor so that it cannot ever happen again.

> Nothing else. There is also nothing in the incoming directory either. The
> server is not delivering any mail now. Though I do not see ANY errors in the
> logs. I can send myself an email and I see it being delivered to my maildir.
> But it will not deliver it.

What does MailWatch say about the incoming messages? Are they all classed as spam? If so ... do you by any chance have ORDB, or some other dead BL, in Spam Lists (in MailScanner.conf)...? That might explain that, so to speak.

Simplest fix:
mkdir /var/spool/postfix/.razor
mkdir /var/spool/postfix/.spamassassin
mkdir /var/spool/postfix/.pyzor
chown postfix.postfix /var/spool/postfix/.razor /var/spool/postfix/.pyzor /var/spool/postfix/.spamassassin
... and make sure to change
postfix:x:80:80:Postfix Mail Server:/:/sbin/nologin
to
postfix:x:80:80:Postfix Mail Server:/var/spool/postfix:/sbin/nologin

The above is "Alternative 2" spelled out;-).

>> How to make sure they never reappear?
>> First: Set a more reasonable home directory for postfix, like
>> /var/spool/postfix. Edit /etc/passwd with something safe like vipw
>>
>> ALTERNATIVE 1
>> Temporarily make that directory writable by the postfix user
>> su - postfix -s /bin/bash
>> spamassassin --lint
>> spamassassin -t -D < /path/to/a/message
>> exit
>> Make the directory non-writable by postfix.
>> You should now have all the needed directories, like .razor .pyzor and
>> .spamassassin
>>
>> ALTERNATIVE 2
>>
>> Create the directories by hand (in ~postfix) and make them owned by
>> postfix and writable by postfix.
>
> Currently, the /var/spool/postfix directory itself is owned by root:root
> Inside this directory, most everything is owned by postfix and group root
> but is only rwx for user only.

Which is fine.

> So, if I create the needed folders in here and set them up as the same
> permissions ... should that work?

Yes.

>> ALTERNATIVE 3
>>
>> Use the settings suggested in spam.assassin.prefs.conf (a.k.a.
>> /etc/mail/spamassassin/mailscanner.cf) to explicitly set a directory
>> to use for this. Look in the wiki for similar details for razor and
>> pyzor (unless they're already in mailscanner.cf ... I fail to
>> remember).
>>
>> Any of the alternatives would likely do.
>>
>> Then, as said, go check/clean your /var/spool/postfix/hold directory
>> for/from files that aren't Postfix queue files.
>
> See above.
>
> Dave
>
Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Fri Jan 9 09:43:08 2009
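A read-only audit of the three conditions the message above deals with (the account's home directory, the per-user state directories, and stray files in the hold queue), as an added example that is not part of the original message. The function names, the constructed sample tree and the rule that queue files carry upper-case hexadecimal names are assumptions.

```shell
#!/bin/sh
# Added example: read-only audit for the fault discussed in this thread.
# Assumptions (not from the thread): function names, the sample tree, and
# that queue files are named with short upper-case hexadecimal queue IDs.
LC_ALL=C; export LC_ALL

# Print the home directory (6th passwd field) of USER in a passwd-format FILE.
account_home() {  # FILE USER
    awk -F: -v u="$2" '$1 == u { print $6; found = 1; exit }
                       END { if (!found) exit 1 }' "$1"
}

# Report the state directories that are absent or not owned by OWNER.
missing_state_dirs() {  # HOME_DIR OWNER
    for d in .spamassassin .razor .pyzor; do
        if [ ! -d "$1/$d" ]; then
            printf 'missing %s\n' "$1/$d"
        elif [ "$(ls -ld "$1/$d" | awk '{ print $3 }')" != "$2" ]; then
            printf 'wrong-owner %s\n' "$1/$d"
        fi
    done
}

# List files in the hold queue whose names are not queue IDs.
stray_hold_files() {  # HOLD_DIR
    find "$1" -type f | while IFS= read -r f; do
        case "${f##*/}" in
            *[!0-9A-F]*) printf '%s\n' "$f" ;;
        esac
    done
}

# Run all checks: 0 = clean, 1 = something to fix, 2 = no such account.
audit() {  # PASSWD_FILE USER SPOOL_DIR OWNER
    rc=0
    home=$(account_home "$1" "$2") || { echo "no passwd entry for $2"; return 2; }
    if [ "$home" != "$3" ]; then
        # With home "/" this is the "//.spamassassin/user_prefs" of the warning.
        echo "home of $2 is '$home': user_prefs is $home/.spamassassin/user_prefs"
        rc=1
    fi
    out=$(missing_state_dirs "$3" "$4")
    [ -z "$out" ] || { echo "$out"; rc=1; }
    out=$(stray_hold_files "$3/hold")
    [ -z "$out" ] || { echo "$out" | sed 's/^/stray hold file: /'; rc=1; }
    return $rc
}

# Constructed sample: the passwd entry quoted in the thread and a hold queue
# with one queue file (constructed name) plus the stray razor-agent.log.
make_sample() {  # TREE
    mkdir -p "$1/spool/hold"
    echo 'postfix:x:80:80:Postfix Mail Server:/:/sbin/nologin' > "$1/passwd"
    : > "$1/spool/hold/C9B356900C2"
    : > "$1/spool/hold/razor-agent.log"
}

demo() {
    tree=$(mktemp -d) || return 1
    make_sample "$tree"
    me=$(ls -ld "$tree" | awk '{ print $3 }')
    audit "$tree/passwd" postfix "$tree/spool" "$me"
    echo "audit exit status: $?"
    rm -rf "$tree"
}
demo
```

Against a live system the call would be `audit /etc/passwd postfix /var/spool/postfix postfix`; it changes nothing, so it can be rerun after each step of the fix.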
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Jan 9 09:43:19 2009
Subject: Was: Upgrade fron 4.61.7 to 4.74.13-2
In-Reply-To: <4966DD30.30909@senecac.on.ca>
References: <20090108071334.6t3eri15gc0ggkk4@manage.zuka.net> <49660D57.2040107@senecac.on.ca> <496616B0.1060100@USherbrooke.ca> <49661F7A.2090607@senecac.on.ca> <223f97700901080809i456904ferb64df26e7b44ae05@mail.gmail.com> <49662AAF.9070601@senecac.on.ca> <223f97700901081136s24b46fc3u80f6bc14346a6f6b@mail.gmail.com> <4966C3C0.7090103@senecac.on.ca> <4966DD30.30909@senecac.on.ca>
Message-ID: <223f97700901090143h19668270w1c223c5ab81cb617@mail.gmail.com>

2009/1/9 Dave Filchak:
> Ok well ..
>
> I thought I would clean up the email a bit.
>
> I am now at the point that I no longer have any errors permission or
> otherwise with the exception of this:
>
> config: path "//.spamassassin/user_prefs" is inaccessible: Permission denied
>
See my last mail in the previous thread. The one with "Alternative 2" exemplified. It'll take care of these errors.

> I still have no clue where this is being generated from as in the
> MailScanner.conf, the spamassassin local state directory is set to
> /var/spool/MailScanner and the permissions are set postfix:postfix
>
> The worst part is though, that I am not getting mail ... even though if I
> send myself an email, I see it coming in and then being delivered to my
> maildir. I can go there and look at it on the server and it is all fine but
> it just will not be delivered.

Hm, is the MailScanner box your mailstore? Do you access that via some form of IMAP server? Sounds like this is now outside of MailScanner's realm;-).

>
> Anyone?
>
> Dave

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From jkf at ecs.soton.ac.uk Fri Jan 9 10:48:01 2009
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Fri Jan 9 10:48:20 2009
Subject: Problem after Upgrade 4.72.1-1 to 4.74.15-1
In-Reply-To: <49665704.4080804@kettle.org.uk>
References: <20090108071334.6t3eri15gc0ggkk4@manage.zuka.net> <49660685.80304@USherbrooke.ca> <49660D57.2040107@senecac.on.ca> <4966145F.4010305@senecac.on.ca> <49663B6D.1030800@senecac.on.ca> <496648E0.9020903@USherbrooke.ca> <49665704.4080804@kettle.org.uk>
Message-ID: <49672B61.3000302@ecs.soton.ac.uk>

Please do a "MailScanner --debug" with "Rebuild Bayes Every = 14400" and let me know the output.

On 8/1/09 19:41, Rob Kettle wrote:
> Hi,
>
> been running a Centos 5 system with 4.72.1-1 for some time and last
> night I upgraded to 4.74.15-1. The upgrade appeared to go OK.
>
> However when I run MailScanner no mail is processed and if I look at
> processes the MailScanner jobs show as [defunct] and are using high CPU.
>
> After some playing around I've found that the cause is the setting
>
> Rebuild Bayes Every = 14400
>
> MailScanner will only work if I set this to Rebuild Bayes Every = 0
>
> Not sure why this is ?
>
> regards
> Rob
>

Jules

--
Julian Field MEng MBCS CITP CEng
jkf@ecs.soton.ac.uk
Teaching Systems Manager
Electronics & Computer Science
University of Southampton
SO17 1BJ, UK

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From MailScanner at ecs.soton.ac.uk Fri Jan 9 10:49:50 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Jan 9 10:50:10 2009 Subject: Anti-spear-phishing, round 2 In-Reply-To: References: <4963D91A.9060304@ecs.soton.ac.uk> <4965292E.1070209@ecs.soton.ac.uk> <49664631.2020207@ecs.soton.ac.uk> Message-ID: <49672BCE.1030603@ecs.soton.ac.uk> If you want to use SpamAssassin Rule Actions, then you'll have to upgrade to a version that actually has that option :-) 4.58.9 is about 18 months out of date. Ancient, in this world. Sorry. On 8/1/09 21:01, Guy Story KC5GOI wrote: > Jule, I apologize for being blind today. I downloaded the script, > made it executable, put in my desired address in the file. I ran the > script verified the presence but what I am being blind to is where to > tell SpamAssassin to look for the file so it can filter out that crap. > I do not have a SpamAssassin Rule Actions entry in my > MailScanner.conf. I am on 4.58.9 so David's question is one I have as > well. > > Thanks for the good work. > > Guy Story KC5GOI > kc5goi@gmail.com Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Fri Jan 9 10:50:58 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Jan 9 10:51:14 2009
Subject: Anti-spear-phishing, round 2
In-Reply-To: <20090108223837.GA4032@msapiro>
References: <4963D91A.9060304@ecs.soton.ac.uk> <4965292E.1070209@ecs.soton.ac.uk> <49664631.2020207@ecs.soton.ac.uk> <20090108223837.GA4032@msapiro>
Message-ID: <49672C12.9040001@ecs.soton.ac.uk>

On 8/1/09 22:38, Mark Sapiro wrote:
> On Thu, Jan 08, 2009 at 02:57:43PM -0500, Gottschalk, David wrote:
>
>> I'm running MailScanner version 4.60.8.
>>
>> Am I running too old of a version?
>>
>
> It's too old for the _TO_ replacement in the header action.
> That requires 4.74.9 minimum.
>
> Also, the unknown _TO_ replacement will cause the entire action to be
> ignored.
>
No it won't. It just won't be replaced with the list of recipients.
What's breaking it is your version may well be too old to have SpamAssassin Rule Actions at all! :)

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

From maillists at conactive.com Fri Jan 9 11:31:19 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri Jan 9 11:31:32 2009
Subject: How to force queue clean up after network/DNS "hickup"
In-Reply-To: <49671451.70305@filmakademie.de>
References: <49671451.70305@filmakademie.de>
Message-ID:

Götz Reinicke wrote on Fri, 09 Jan 2009 10:09:37 +0100:

> How may I force Mailscanner/sendmail to deliver the mails now after the
> problems with the dns are solved?

sendmail -v -q

you may need to purgestats before that as this stuff gets cached for a while.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Fri Jan 9 11:31:19 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri Jan 9 11:31:35 2009
Subject: identical messages -- some get bayes score, some don't
In-Reply-To: <60382.204.184.75.172.1231471379.squirrel@webmail.elsberry.k12.mo.us>
References: <60382.204.184.75.172.1231471379.squirrel@webmail.elsberry.k12.mo.us>
Message-ID:

Cannon Watts wrote on Thu, 8 Jan 2009 21:22:59 -0600 (CST):

> [2456] dbg: async: starting: URI-DNSBL,
> DNSBL:dob.sibl.support-intelligence.net:agentbenefitsteam.com
> (timeout 10.0s, min 2.0s)
>
> [2456] dbg: async: starting: URI-NS,
> NS:agentbenefitsteam.com
> (timeout 10.0s, min 2.0s)
>
> [2456] dbg: async: starting: DNSBL-A,
> dns:A:154.248.19.72.plus.bondedsender.org.
> (timeout 10.0s, min 2.0s)
>
> [2456] dbg: async: starting: DNSBL-TXT,
> dns:TXT:154.248.19.72.bl.spamcop.net.
> (timeout 10.0s, min 2.0s)

there's a problem with your DNS or caching ns. Until you have solved that, better disable network tests. Even after you are ok again you may want to disable some of these tests as they are not worth it.

> And perhaps most importantly:
> [2456] dbg: locker: safe_lock: trying to get lock on
> /etc/MailScanner/bayes/bayes with 10 timeout

check the permissions, look for existing lock files and remove them. Apparently, this didn't happen for all messages. So, check messages one by one and see if it then still happens. Maybe there's a performance problem?

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Fri Jan 9 11:31:18 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri Jan 9 11:31:36 2009
Subject: Stops after RCVD_IN_BL_SPAMCOP_NET
In-Reply-To:
References:
Message-ID:

Joe Garvey wrote on Thu, 8 Jan 2009 15:03:29 -0800:

> Any suggestions as to where to look next?

spamassassin --lint -D

will show you all configuration files that get used and any errors and warnings.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Fri Jan 9 11:31:19 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri Jan 9 11:31:36 2009
Subject: Was: Upgrade fron 4.61.7 to 4.74.13-2
In-Reply-To: <4966DD30.30909@senecac.on.ca>
References: <20090108071334.6t3eri15gc0ggkk4@manage.zuka.net> <49660685.80304@USherbrooke.ca> <49660D57.2040107@senecac.on.ca> <496616B0.1060100@USherbrooke.ca> <49661F7A.2090607@senecac.on.ca> <223f97700901080809i456904ferb64df26e7b44ae05@mail.gmail.com> <49662AAF.9070601@senecac.on.ca> <223f97700901081136s24b46fc3u80f6bc14346a6f6b@mail.gmail.com> <4966C3C0.7090103@senecac.on.ca> <4966DD30.30909@senecac.on.ca>
Message-ID:

Dave Filchak wrote on Fri, 09 Jan 2009 00:14:24 -0500:

> config: path "//.spamassassin/user_prefs" is inaccessible: Permission denied
>
> I still have no clue where this is being generated from as in the
> MailScanner.conf, the spamassassin local state directory is set to
> /var/spool/MailScanner and the permissions are set postfix:postfix

As I said already: your postfix homedir points to the wrong directory. And this error is non-critical and doesn't need to be fixed.

> The worst part is though, that I am not getting mail

Go thru the usual debugging steps - which means you start at the beginning and remove the changes you made for MailScanner in postfix. First thing you want to check if postfix still delivers fine without MailScanner. If that is the case, then follow the tutorial I pointed you already several times to.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From dgottsc at emory.edu Fri Jan 9 12:46:17 2009
From: dgottsc at emory.edu (Gottschalk, David)
Date: Fri Jan 9 12:46:28 2009
Subject: Anti-spear-phishing, round 2
In-Reply-To: <49672C12.9040001@ecs.soton.ac.uk>
References: <4963D91A.9060304@ecs.soton.ac.uk> <4965292E.1070209@ecs.soton.ac.uk> <49664631.2020207@ecs.soton.ac.uk> <20090108223837.GA4032@msapiro> <49672C12.9040001@ecs.soton.ac.uk>
Message-ID:

I was afraid that would be the answer
I guess this gives me more motivation to upgrade my MailScanner version!

David Gottschalk
Emory University
UTS Messaging Team
From maillists at conactive.com Fri Jan 9 13:31:16 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri Jan 9 13:31:29 2009
Subject: Anti-spear-phishing, round 2
In-Reply-To:
References: <4963D91A.9060304@ecs.soton.ac.uk> <4965292E.1070209@ecs.soton.ac.uk> <49664631.2020207@ecs.soton.ac.uk> <20090108223837.GA4032@msapiro> <49672C12.9040001@ecs.soton.ac.uk>
Message-ID:

David Gottschalk wrote on Fri, 9 Jan 2009 07:46:17 -0500:

> I guess this gives me more motivation to upgrade my MailScanner version!

you want to wait until Jules provides a version with the fixed SA locks/filehandle->seek code.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From dgottsc at emory.edu Fri Jan 9 13:35:15 2009
From: dgottsc at emory.edu (Gottschalk, David)
Date: Fri Jan 9 13:37:14 2009
Subject: Anti-spear-phishing, round 2
In-Reply-To:
References: <4963D91A.9060304@ecs.soton.ac.uk> <4965292E.1070209@ecs.soton.ac.uk> <49664631.2020207@ecs.soton.ac.uk> <20090108223837.GA4032@msapiro> <49672C12.9040001@ecs.soton.ac.uk>
Message-ID:

Oh, OK. Thanks for the tip.

David Gottschalk
Emory University
UTS Messaging Team

From john at tradoc.fr Fri Jan 9 13:41:48 2009
From: john at tradoc.fr (John Wilcock)
Date: Fri Jan 9 13:42:02 2009
Subject: Anti-spear-phishing, round 2
In-Reply-To:
References: <4963D91A.9060304@ecs.soton.ac.uk> <4965292E.1070209@ecs.soton.ac.uk> <49664631.2020207@ecs.soton.ac.uk> <20090108223837.GA4032@msapiro> <49672C12.9040001@ecs.soton.ac.uk>
Message-ID: <4967541C.3090706@tradoc.fr>

On 09/01/2009 14:31, Kai Schaetzl wrote:
> David Gottschalk wrote on Fri, 9 Jan 2009 07:46:17 -0500:
>
>> I guess this gives me more motivation to upgrade my MailScanner version!
>
> you want to wait until Jules provides a version with the fixed SA
> locks/filehandle->seek code.

That's what 4.74.15-2 contains, and I see Jules has now marked it as being the stable version.

John.

--
-- Over 3000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages - www.tradoc.fr

From maillists at conactive.com Fri Jan 9 13:54:50 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri Jan 9 13:55:02 2009
Subject: Anti-spear-phishing, round 2
In-Reply-To: <4967541C.3090706@tradoc.fr>
References: <4963D91A.9060304@ecs.soton.ac.uk> <4965292E.1070209@ecs.soton.ac.uk> <49664631.2020207@ecs.soton.ac.uk> <20090108223837.GA4032@msapiro> <49672C12.9040001@ecs.soton.ac.uk> <4967541C.3090706@tradoc.fr>
Message-ID:
Reply-To: mailscanner@lists.mailscanner.info

John Wilcock wrote on Fri, 09 Jan 2009 14:41:48 +0100:

> That's what 4.74.15-2 contains,

Ahm, right, I just checked the "* New Features and Improvements *" section not the "* Fixes *".

and I see Jules has now marked it as
> being the stable version.

Well, 13 was marked as stable as well ;-) (and it was "stable" unless you allowed automatic Bayes rebuilds)

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From mark at msapiro.net Fri Jan 9 16:18:40 2009
From: mark at msapiro.net (Mark Sapiro)
Date: Fri Jan 9 16:18:49 2009
Subject: Anti-spear-phishing, round 2
In-Reply-To: <49672C12.9040001@ecs.soton.ac.uk>
References: <4963D91A.9060304@ecs.soton.ac.uk> <4965292E.1070209@ecs.soton.ac.uk> <49664631.2020207@ecs.soton.ac.uk> <20090108223837.GA4032@msapiro> <49672C12.9040001@ecs.soton.ac.uk>
Message-ID: <20090109161840.GA716@msapiro>

On Fri, Jan 09, 2009 at 10:50:58AM +0000, Julian Field wrote:
>
>
> On 8/1/09 22:38, Mark Sapiro wrote:
> >On Thu, Jan 08, 2009 at 02:57:43PM -0500, Gottschalk, David wrote:
> >
> >>I'm running MailScanner version 4.60.8.
> >>
> >>Am I running too old of a version?
> >>
> >
> >
> >It's too old for the _TO_ replacement in the header action.
> >That requires 4.74.9 minimum.
> >
> >Also, the unknown _TO_ replacement will cause the entire action to be
> >ignored.
> >
> No it won't. It just won't be replaced with the list of recipients.
> What's breaking it is your version may well be too old to have
> SpamAssassin Rule Actions at all! :)

I have the following in MailScanner.conf

SpamAssassin Rule Actions = %rules-dir%/spamassassin_rule_actions.rules
Log SpamAssassin Rule Actions = yes

and in spamassassin_rule_actions.rules I have as the default

X_GPC_PHISHING_ADDRESS=>store,not-deliver,forward msapiro+phish@sbh16.songbird.com,header "X-GPC-Phishing-Address: to was _TO_"

With 4.74.7, I got the following in maillog

Jan 2 14:14:52 sbh16 MailScanner[12869]: Message CC97F6900C2.88120 produced illegal Non-Spam Actions ""X-GPC-Phishing-Address: to was _TO_"", so message is being delivered

although the message was stored and forwarded, these actions weren't
logged, and the message was delivered to the original recipient in
spite of the not-deliver action.

With 4.74.11, I got

Jan 2 14:39:43 sbh16 MailScanner[19427]: SpamAssassin Rule Actions: rule x_gpc_phishing_address caused action store in message C9B356900C2.1CAB1
Jan 2 14:39:43 sbh16 MailScanner[19427]: SpamAssassin Rule Actions: rule x_gpc_phishing_address caused action not-deliver in message C9B356900C2.1CAB1
Jan 2 14:39:43 sbh16 MailScanner[19427]: SpamAssassin Rule Actions: rule x_gpc_phishing_address caused action forward msapiro+phish@sbh16.songbird.com in message C9B356900C2.1CAB1
Jan 2 14:39:43 sbh16 MailScanner[19427]: SpamAssassin Rule Actions: rule x_gpc_phishing_address caused action header "X-GPC-Phishing-Address: was to _TO_" in message C9B356900C2.1CAB1

So, it appears that while _TO_ didn't break the actions completely in
4.74.7, it did break more than just the non replacement of _TO_.

--
Mark Sapiro mark at msapiro net       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From rob at kettle.org.uk Fri Jan 9 16:50:42 2009
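A log audit for the behaviour Mark Sapiro describes in the message above, as an added example that is not part of the original post or of MailScanner: it parses the two maillog formats he quotes and flags messages that were delivered after an action list was rejected, or that lack one of the actions the rule is expected to log. The function names, the combined sample log and the message ID `EXAMPLE00001.00000` are constructed for illustration.

```python
import re

# Patterns follow the two maillog formats quoted in the message above.
RULE_ACTION_RE = re.compile(
    r'MailScanner\[\d+\]: SpamAssassin Rule Actions: rule (?P<rule>\S+) '
    r'caused action (?P<action>.+?) in message (?P<msgid>\S+)\s*$'
)
REJECTED_RE = re.compile(
    r'MailScanner\[\d+\]: Message (?P<msgid>\S+) produced illegal '
    r'(?P<kind>.+?) Actions "(?P<bad>.*)", so message is being delivered'
)

# Constructed sample: the first five lines are the ones quoted in the thread,
# the last two (EXAMPLE00001.00000) are invented to show a partial action set.
SAMPLE_MAILLOG = '''\
Jan 2 14:14:52 sbh16 MailScanner[12869]: Message CC97F6900C2.88120 produced illegal Non-Spam Actions ""X-GPC-Phishing-Address: to was _TO_"", so message is being delivered
Jan 2 14:39:43 sbh16 MailScanner[19427]: SpamAssassin Rule Actions: rule x_gpc_phishing_address caused action store in message C9B356900C2.1CAB1
Jan 2 14:39:43 sbh16 MailScanner[19427]: SpamAssassin Rule Actions: rule x_gpc_phishing_address caused action not-deliver in message C9B356900C2.1CAB1
Jan 2 14:39:43 sbh16 MailScanner[19427]: SpamAssassin Rule Actions: rule x_gpc_phishing_address caused action forward msapiro+phish@sbh16.songbird.com in message C9B356900C2.1CAB1
Jan 2 14:39:43 sbh16 MailScanner[19427]: SpamAssassin Rule Actions: rule x_gpc_phishing_address caused action header "X-GPC-Phishing-Address: was to _TO_" in message C9B356900C2.1CAB1
Jan 2 15:00:00 sbh16 MailScanner[20000]: SpamAssassin Rule Actions: rule x_gpc_phishing_address caused action store in message EXAMPLE00001.00000
Jan 2 15:00:00 sbh16 MailScanner[20000]: SpamAssassin Rule Actions: rule x_gpc_phishing_address caused action forward msapiro+phish@sbh16.songbird.com in message EXAMPLE00001.00000
'''


def parse_maillog(text):
    """Return ({msgid: {rule: {action verbs}}}, [(msgid, kind, rejected action)])."""
    per_message = {}
    rejected = []
    for line in text.splitlines():
        m = RULE_ACTION_RE.search(line)
        if m:
            # "forward addr" and 'header "..."' carry an argument; keep the verb.
            verb = m.group("action").split(None, 1)[0]
            rules = per_message.setdefault(m.group("msgid"), {})
            rules.setdefault(m.group("rule").lower(), set()).add(verb)
            continue
        m = REJECTED_RE.search(line)
        if m:
            rejected.append((m.group("msgid"), m.group("kind"), m.group("bad")))
    return per_message, rejected


def audit(text, rule, expected):
    """List (msgid, issue, detail) tuples for messages that need a second look."""
    per_message, rejected = parse_maillog(text)
    findings = []
    # An action list MailScanner refused: the message went to the recipient.
    for msgid, _kind, bad in rejected:
        findings.append((msgid, "delivered-after-rejected-action", bad))
    # The rule fired, but not every configured action shows up in the log.
    for msgid, rules in per_message.items():
        seen = rules.get(rule.lower())  # the log shows rule names in lower case
        if seen is None:
            continue
        missing = sorted(set(expected) - seen)
        if missing:
            findings.append((msgid, "missing-logged-actions", ",".join(missing)))
    return findings


if __name__ == "__main__":
    wanted = ["store", "not-deliver", "forward", "header"]
    for finding in audit(SAMPLE_MAILLOG, "X_GPC_PHISHING_ADDRESS", wanted):
        print(finding)
```

The second check depends on `Log SpamAssassin Rule Actions = yes`, the setting shown in the message; without it no per-action lines exist to compare against.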
From: rob at kettle.org.uk (Rob Kettle)
Date: Fri Jan 9 16:50:58 2009
Subject: Problem after Upgrade 4.72.1-1 to 4.74.15-1
In-Reply-To: <49665BD4.9080307@USherbrooke.ca>
References: <20090108071334.6t3eri15gc0ggkk4@manage.zuka.net> <49660685.80304@USherbrooke.ca> <49660D57.2040107@senecac.on.ca> <4966145F.4010305@senecac.on.ca> <49663B6D.1030800@senecac.on.ca> <496648E0.9020903@USherbrooke.ca> <49665704.4080804@kettle.org.uk> <49665BD4.9080307@USherbrooke.ca>
Message-ID: <49678062.3020209@kettle.org.uk>

Denis Beauchemin wrote:
> Rob Kettle wrote:
>> Hi,
>>
>> been running a Centos 5 system with 4.72.1-1 for some time and last
>> night I upgraded to 4.74.15-1. The upgrade appeared to go OK.
>>
>> However when I run MailScanner no mail is processed and if I look at
>> processes the MailScanner jobs show as [defunct] and are using high CPU.
>>
>> After some playing around I've found that the cause is the setting
>>
>> Rebuild Bayes Every = 14400
>>
>> MailScanner will only work if I set this to Rebuild Bayes Every = 0
>>
>> Not sure why this is ?
>>
>> regards
>> Rob
>>
>
> Rob,
>
> I also run with Rebuild Bayes Every = 0 and I have the following entry
> in root's crontab:
> 15 3 * * * (/sbin/service MailScanner stop; /usr/bin/sa-learn
> --force-expire; sleep 60; /sbin/service MailScanner start)
>
> I get an email like this one every night:
>> Shutting down MailScanner daemons:
>> MailScanner: [ OK ]
>> incoming sendmail: [ OK ]
>> outgoing sendmail: [ OK ]
>> bayes: synced databases from journal in 0 seconds: 1163 unique
>> entries (1857 total entries)
>> expired old bayes database entries in 53 seconds
>> 491688 entries kept, 115369 deleted
>> token frequency: 1-occurrence tokens: 0.00%
>> token frequency: less than 8 occurrences: 76.79%
>> Starting MailScanner daemons:
>> incoming sendmail: [ OK ]
>> outgoing sendmail: [ OK ]
>> MailScanner: [ OK ]
> I know my server isn't accepting emails during that time but I can
> live with it.
>
> Denis
>

Denis,

thanks for that response. That's pretty much what I'd decided to do.

regards
Rob

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From dave.filchak at senecac.on.ca Fri Jan 9 17:04:58 2009
From: dave.filchak at senecac.on.ca (Dave Filchak)
Date: Fri Jan 9 17:05:08 2009
Subject: Was: Upgrade fron 4.61.7 to 4.74.13-2
In-Reply-To:
References: <20090108071334.6t3eri15gc0ggkk4@manage.zuka.net> <49660685.80304@USherbrooke.ca> <49660D57.2040107@senecac.on.ca> <496616B0.1060100@USherbrooke.ca> <49661F7A.2090607@senecac.on.ca> <223f97700901080809i456904ferb64df26e7b44ae05@mail.gmail.com> <49662AAF.9070601@senecac.on.ca> <223f97700901081136s24b46fc3u80f6bc14346a6f6b@mail.gmail.com> <4966C3C0.7090103@senecac.on.ca> <4966DD30.30909@senecac.on.ca>
Message-ID: <496783BA.6060702@senecac.on.ca>

Kai,

Kai Schaetzl wrote:
> Dave Filchak wrote on Fri, 09 Jan 2009 00:14:24 -0500:
>
>
>> config: path "//.spamassassin/user_prefs" is inaccessible: Permission denied
>>
>> I still have no clue where this is being generated from as in the
>> MailScanner.conf, the spamassassin local state directory is set to
>> /var/spool/MailScanner and the permissions are set postfix:postfix
>>
>
> As I said already: your postfix homedir points to the wrong directory. And
> this error is non-critical and doesn't need to be fixed.
>
>
Well I did fix this eventually. I did fix the postfix home directory
>> The worst part is though, that I am not getting mail
>>
>
> Go thru the usual debugging steps - which means you start at the beginning and
> remove the changes you made for MailScanner in postfix. First thing you want
> to check if postfix still delivers fine without MailScanner. If that is the
> case, then follow the tutorial I pointed you already several times to.
>
I have gone through this tutorial. Several times in fact. And as far as
making changes to postfix, remember that we have been using
postfix/Mailscanner for several years now so no special changes were
made at this point, to postfix. This was simply an upgrade of
MailScanner, ClamAV and SpamAssassin. At this point I think most of my
problem is that most non spam is being scored as spam (i.e. just above
the 5 threshold) so it is being held in quarantine. Can you direct me to
a good tutorial on fine tuning the filter rules?
> Kai
>
>

--
Dave Filchak
Instructor, School of Communications Arts
Seneca College @ York
Office: Room 1068

From garvey at pushormitchell.com Fri Jan 9 17:06:53 2009
From: garvey at pushormitchell.com (Joe Garvey)
Date: Fri Jan 9 17:07:00 2009
Subject: Stops after RCVD_IN_BL_SPAMCOP_NET
References: <200901091200.n09C0OxO009559@safir.blacknight.ie>
Message-ID:

Yes, I have run that many times to test SA. I have no errors or issues
reported. All the config files I expect to have loaded are loading.

> Any suggestions as to where to look next?

spamassassin --lint -D

will show you all configuration files that get used and any errors and
warnings.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From dave.filchak at senecac.on.ca Fri Jan 9 17:10:06 2009
From: dave.filchak at senecac.on.ca (Dave Filchak)
Date: Fri Jan 9 17:10:17 2009
Subject: Was: Upgrade fron 4.61.7 to 4.74.13-2
In-Reply-To: <223f97700901090143h19668270w1c223c5ab81cb617@mail.gmail.com>
References: <20090108071334.6t3eri15gc0ggkk4@manage.zuka.net> <49660D57.2040107@senecac.on.ca> <496616B0.1060100@USherbrooke.ca> <49661F7A.2090607@senecac.on.ca> <223f97700901080809i456904ferb64df26e7b44ae05@mail.gmail.com> <49662AAF.9070601@senecac.on.ca> <223f97700901081136s24b46fc3u80f6bc14346a6f6b@mail.gmail.com> <4966C3C0.7090103@senecac.on.ca> <4966DD30.30909@senecac.on.ca> <223f97700901090143h19668270w1c223c5ab81cb617@mail.gmail.com>
Message-ID: <496784EE.5030904@senecac.on.ca>

Hi Glenn,

First, thanks for all your help.

Glenn Steen wrote:
> 2009/1/9 Dave Filchak :
>
>> Ok well ..
>>
>> I thought I would clean up the email a bit.
>>
>> I am now at the point that I no longer have any errors permission or
>> otherwise with the exception of this:
>>
>> config: path "//.spamassassin/user_prefs" is inaccessible: Permission denied
>>
>>
> See my last mail in the previous thread. The one with "Alternative 2"
> exemplified. It'll take care of these errors.
>
>
>> I still have no clue where this is being generated from as in the
>> MailScanner.conf, the spamassassin local state directory is set to
>> /var/spool/MailScanner and the permissions are set postfix:postfix
>>
>> The worst part is though, that I am not getting mail ... even though if I
>> send myself an email, I see it coming in and then being delivered to my
>> maildir. I can go there and look at it on the server and it is all fine but
>> it just will not be delivered.
>>
>
> Hm, is the MailScanner box your mailstore? Do you access that via some
> form of IMAP server? Sounds like this is now outside of MailScanners
> realm;-).
>
At this point, I believe that most issues are now because MailScanner is
configured to striphtml store spam. When I look in MailWatch, I am now
seeing many emails that are being scored as spam when they are not
actually spam. They are being scored just over the 5 range. The new
updated rules must be much more aggressive. So, I need to either change
the spam actions for not high spam to striphtml deliver, although this
will mean that more spam will actually get delivered to our clients. I
guess an alternative would be to raise the threshold from 5 to say 7 for
a bit until I get a handle on how to fine tune the spam rules for our
mail flow.

Any tips here or can you direct me to a good tutorial on this?

Dave

From spamlists at coders.co.uk Fri Jan 9 17:12:10 2009
From: spamlists at coders.co.uk (Matt)
Date: Fri Jan 9 17:12:47 2009
Subject: Problem after Upgrade 4.72.1-1 to 4.74.15-1
In-Reply-To: <49678062.3020209@kettle.org.uk>
References: <20090108071334.6t3eri15gc0ggkk4@manage.zuka.net> <49660685.80304@USherbrooke.ca> <49660D57.2040107@senecac.on.ca> <4966145F.4010305@senecac.on.ca> <49663B6D.1030800@senecac.on.ca> <496648E0.9020903@USherbrooke.ca> <49665704.4080804@kettle.org.uk> <49665BD4.9080307@USherbrooke.ca> <49678062.3020209@kettle.org.uk>
Message-ID: <4967856A.1040500@coders.co.uk>

>>
>> I also run with Rebuild Bayes Every = 0 and I have the following
>> entry in root's crontab:
>> 15 3 * * * (/sbin/service MailScanner stop; /usr/bin/sa-learn
>> --force-expire; sleep 60; /sbin/service MailScanner start)
>>
>
how about

( /sbin/service MailScanner stopms; /usr/bin/sa-learn --force-expire; sleep 60; /usr/sbin/check_MailScanner )

then this allows mail to be received whilst the Bayes is being rebuilt

matt

From ssilva at sgvwater.com Fri Jan 9 18:01:03 2009
From: ssilva at sgvwater.com (Scott Silva) Date: Fri Jan 9 18:01:30 2009 Subject: Upgrade fron 4.61.7 to 4.74.13-2 In-Reply-To: <223f97700901090128t5ba70617o348ebcba1e484067@mail.gmail.com> References: <20090108071334.6t3eri15gc0ggkk4@manage.zuka.net> <49661F7A.2090607@senecac.on.ca> <223f97700901080809i456904ferb64df26e7b44ae05@mail.gmail.com> <49662AAF.9070601@senecac.on.ca> <223f97700901081136s24b46fc3u80f6bc14346a6f6b@mail.gmail.com> <49668F4F.4000700@senecac.on.ca> <4966A17D.2000006@senecac.on.ca> <4966AAFA.5060409@senecac.on.ca> <223f97700901090128t5ba70617o348ebcba1e484067@mail.gmail.com> Message-ID: on 1-9-2009 1:28 AM Glenn Steen spake the following: > 2009/1/9 Dave Filchak : >> >> Dave Filchak wrote: > (snip) >> Just trying to track down permission errors. I get the following, running >> SALearn: >> >> SA Learn: error code 13 returned from sa-learn: bayes: cannot open bayes >> databases /etc/MailScanner/bayes/bayes_* R/O: tie failed: Permission denied >> bayes: expire_old_tokens: locker: safe_lock: cannot create lockfile >> /etc/MailScanner/bayes/bayes.mutex: Permission denied bayes: locker: >> safe_lock: cannot create lockfile /etc/MailScanner/bayes/bayes.mutex: >> Permission denied Learned tokens from 0 message(s) (1 message(s) examined) >> > Your apache user (presumably "webadmin" does not have write access to > your bayes files. Hence the error. > > >> Here are my bayes settings (inside of the bayes folder) >> drwxrwxr-x 3 root webadmin 4096 Jul 18 2007 . >> drwxr-xr-x 9 root root 4096 Jan 8 20:15 .. >> --w--w-r-- 1 postfix postfix 18 Jan 8 02:23 bayes.mutex >> -rw-rw---- 1 postfix postfix 327680 Jan 8 02:23 bayes_seen >> -rw-rw---- 1 postfix postfix 5210112 Jan 8 02:23 bayes_toks >> drwxr-xr-x 2 root root 4096 Jul 18 2007 poisoned >> > All the above files should be owned by postfix.webadmin ... so first do > chown postfix.webadmin /path/to/bayes/* > ... 
where /path/to/bayes is likely /etc/MailScanner/bayes
>
And make sure MailScanner is not running when you make the changes above.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com Fri Jan 9 18:04:31 2009
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Jan 9 18:05:15 2009
Subject: Was: Upgrade fron 4.61.7 to 4.74.13-2
In-Reply-To: <4966DD30.30909@senecac.on.ca>
References: <20090108071334.6t3eri15gc0ggkk4@manage.zuka.net> <49660685.80304@USherbrooke.ca> <49660D57.2040107@senecac.on.ca> <496616B0.1060100@USherbrooke.ca> <49661F7A.2090607@senecac.on.ca> <223f97700901080809i456904ferb64df26e7b44ae05@mail.gmail.com> <49662AAF.9070601@senecac.on.ca> <223f97700901081136s24b46fc3u80f6bc14346a6f6b@mail.gmail.com> <4966C3C0.7090103@senecac.on.ca> <4966DD30.30909@senecac.on.ca>
Message-ID:

on 1-8-2009 9:14 PM Dave Filchak spake the following:
> Ok well ..
>
> I thought I would clean up the email a bit.
>
> I am now at the point that I no longer have any errors permission or
> otherwise with the exception of this:
>
> config: path "//.spamassassin/user_prefs" is inaccessible: Permission
> denied
>
> I still have no clue where this is being generated from as in the
> MailScanner.conf, the spamassassin local state directory is set to
> /var/spool/MailScanner and the permissions are set postfix:postfix
>
> The worst part is though, that I am not getting mail ... even though if
> I send myself an email, I see it coming in and then being delivered to
> my maildir. I can go there and look at it on the server and it is all
> fine but it just will not be delivered.
>
Maybe I am wrong here, but if it is getting into your maildir it IS delivered.
If you can't read it from your mail client, that is a different problem.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com Fri Jan 9 18:09:34 2009
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Jan 9 18:10:11 2009
Subject: Was: Upgrade fron 4.61.7 to 4.74.13-2
In-Reply-To: <496783BA.6060702@senecac.on.ca>
References: <20090108071334.6t3eri15gc0ggkk4@manage.zuka.net> <49660685.80304@USherbrooke.ca> <49660D57.2040107@senecac.on.ca> <496616B0.1060100@USherbrooke.ca> <49661F7A.2090607@senecac.on.ca> <223f97700901080809i456904ferb64df26e7b44ae05@mail.gmail.com> <49662AAF.9070601@senecac.on.ca> <223f97700901081136s24b46fc3u80f6bc14346a6f6b@mail.gmail.com> <4966C3C0.7090103@senecac.on.ca> <4966DD30.30909@senecac.on.ca> <496783BA.6060702@senecac.on.ca>
Message-ID:

on 1-9-2009 9:04 AM Dave Filchak spake the following:
> Kai,
>
> Kai Schaetzl wrote:
>> Dave Filchak wrote on Fri, 09 Jan 2009 00:14:24 -0500:
>>
>>
>>> config: path "//.spamassassin/user_prefs" is inaccessible: Permission
>>> denied
>>>
>>> I still have no clue where this is being generated from as in the
>>> MailScanner.conf, the spamassassin local state directory is set to
>>> /var/spool/MailScanner and the permissions are set postfix:postfix
>>>
>>
>> As I said already: your postfix homedir points to the wrong directory.
>> And this error is non-critical and doesn't need to be fixed.
>>
>>
> Well I did fix this eventually. I did fix the postfix home directory
>>> The worst part is though, that I am not getting mail
>>>
>>
>> Go thru the usual debugging steps - which means you start at the
>> beginning and remove the changes you made for MailScanner in postfix.
>> First thing you want to check if postfix still delivers fine without
>> MailScanner. If that is the case, then follow the tutorial I pointed
>> you already several times to.
>>
> I have gone through this tutorial. Several times in fact. And as far as
> making changes to postfix, remember that we have been using
> postfix/Mailscanner for several years now so no special changes were
> made at this point, to postfix. This was simply an upgrade of
> MailScanner, ClamAV and SpamAssassin. At this point I think most of my
> problem is that most non spam is being scored as spam (i.e. just above
> the 5 threshold) so it is being held in quarantine. Can you direct me to
> a good tutorial on fine tuning the filter rules?
>
>> Kai
>>
>>
>
I run at 5 for my low score, and I deliver low spam as an attachment and
subject tagged so my users can deal with it as they see fit. It still is only
a small subset of my total spam.
Do you have any score adjustments in your spam.assassin.prefs file?
Are you hitting a lot of bayes scoring that is wrong?
If the bayes is wrong, it is time to build a new bayes DB, or retrain it if
you have a good corpus of spam.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From Denis.Beauchemin at USherbrooke.ca Fri Jan 9 18:25:20 2009
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Fri Jan 9 18:26:08 2009
Subject: Problem after Upgrade 4.72.1-1 to 4.74.15-1
In-Reply-To: <4967856A.1040500@coders.co.uk>
References: <20090108071334.6t3eri15gc0ggkk4@manage.zuka.net> <49660685.80304@USherbrooke.ca> <49660D57.2040107@senecac.on.ca> <4966145F.4010305@senecac.on.ca> <49663B6D.1030800@senecac.on.ca> <496648E0.9020903@USherbrooke.ca> <49665704.4080804@kettle.org.uk> <49665BD4.9080307@USherbrooke.ca> <49678062.3020209@kettle.org.uk> <4967856A.1040500@coders.co.uk>
Message-ID: <49679690.8010800@USherbrooke.ca>

Matt wrote:
>
>>>
>>> I also run with Rebuild Bayes Every = 0 and I have the following
>>> entry in root's crontab:
>>> 15 3 * * * (/sbin/service MailScanner stop; /usr/bin/sa-learn
>>> --force-expire; sleep 60; /sbin/service MailScanner start)
>>>
>>
> how about
>
> ( /sbin/service MailScanner stopms; /usr/bin/sa-learn --force-expire;
> sleep 60; /usr/sbin/check_MailScanner )
>
> then this allows mail to be received whilst the Bayes is being rebuilt
>
>
> matt
>

Thanks Matt,

That's much better than what I suggested! I will be modifying my
crontabs in a few secs!

Denis

--
  _
 °v°   Denis Beauchemin, analyste
/(_)\  Université de Sherbrooke, S.T.I.
 ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From maillists at conactive.com Fri Jan 9 18:31:17 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri Jan 9 18:31:33 2009
Subject: Was: Upgrade fron 4.61.7 to 4.74.13-2
In-Reply-To: <496783BA.6060702@senecac.on.ca>
References: <20090108071334.6t3eri15gc0ggkk4@manage.zuka.net> <49660685.80304@USherbrooke.ca> <49660D57.2040107@senecac.on.ca> <496616B0.1060100@USherbrooke.ca> <49661F7A.2090607@senecac.on.ca> <223f97700901080809i456904ferb64df26e7b44ae05@mail.gmail.com> <49662AAF.9070601@senecac.on.ca> <223f97700901081136s24b46fc3u80f6bc14346a6f6b@mail.gmail.com> <4966C3C0.7090103@senecac.on.ca> <4966DD30.30909@senecac.on.ca> <496783BA.60
Message-ID: 60702@senecac.on.ca>
Reply-To: mailscanner@lists.mailscanner.info

Dave Filchak wrote on Fri, 09 Jan 2009 12:04:58 -0500:

> > As I said already: your postfix homedir points to the wrong directory. And
> > this error is non-critical and doesn't need to be fixed.
> >
> >
> Well I did fix this eventually. I did fix the postfix home directory

Good. I realize now that my statement may have been confusing. What is
non-critical is that SA error message, not the fact that the wrong homedir
was set for postfix.

> >> The worst part is though, that I am not getting mail
> >>
> >
> > Go thru the usual debugging steps - which means you start at the beginning and
> > remove the changes you made for MailScanner in postfix. First thing you want
> > to check if postfix still delivers fine without MailScanner. If that is the
> > case, then follow the tutorial I pointed you already several times to.
> >
> I have gone through this tutorial. Several times in fact. And as far as
> making changes to postfix, remember that we have been using
> postfix/Mailscanner for several years now so no special changes were
> made at this point, to postfix.

But you set this up quite some time (years ?) ago. There have been other
methods for connecting MailScanner and postfix in the past and MS wasn't set
to perform that well with it as it does now.

This was simply an upgrade of
> MailScanner, ClamAV and SpamAssassin. At this point I think most of my
> problem is that most non spam is being scored as spam (i.e. just above
> the 5 threshold) so it is being held in quarantine. Can you direct me to
> a good tutorial on fine tuning the filter rules?

Sure? Earlier you were indicating that no mail gets delivered, thus one had
to assume it's stuck in the postfix/MS queue. If it gets delivered, but
quarantined this is a *completely* different situation. And normally you have
the problem that spam isn't detected, not that ham is misdetected as spam. If
that happens you must have misconfigured something *seriously*. So, I'd rather
double-check if your assumption (it seems to be just an assumption) is correct.
And as a fast mitigation stop quarantining spam, deliver it!
As you upgraded from quite old versions in all cases one might assume that you
lowered the spam detection scores so much in the past because spam wouldn't
get detected anymore. Now, with an up-to-date SA these scores are much too
low. Well, that's just one possible explanation if it is really spam detection
that is your problem.

> Can you direct me to
> > a good tutorial on fine tuning the filter rules?

wiki.spamassassin.org
As I said above, you may actually not want to fine-tune it, but reset it to
default values (in MS and SA).

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Fri Jan 9 18:31:18 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri Jan 9 18:31:34 2009
Subject: Was: Upgrade fron 4.61.7 to 4.74.13-2
In-Reply-To: <496784EE.5030904@senecac.on.ca>
References: <20090108071334.6t3eri15gc0ggkk4@manage.zuka.net> <49660D57.2040107@senecac.on.ca> <496616B0.1060100@USherbrooke.ca> <49661F7A.2090607@senecac.on.ca> <223f97700901080809i456904ferb64df26e7b44ae05@mail.gmail.com> <49662AAF.9070601@senecac.on.ca> <223f97700901081136s24b46fc3u80f6bc14346a6f6b@mail.gmail.com> <4966C3C0.7090103@senecac.on.ca> <4966DD30.30909@senecac.on.ca> <223f97700901090143h19668270w1c223c5ab81cb617@mail.gmail.com> <496784EE.5030904@seneca
Message-ID: c.on.ca>
Reply-To: mailscanner@lists.mailscanner.info

Dave Filchak wrote on Fri, 09 Jan 2009 12:10:06 -0500:

> So, I need to either change
> the spam actions for not high spam to striphtml deliver,

Of course, it's really not a good idea to quarantine low scoring spam.
What you do is fine-tune your setup and then lower *carefully* the
high-scoring spam from 10 downwards (I have it set to 6). And the lowering
coincides with finetuning your detection in SA and your Bayes.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Fri Jan 9 18:31:17 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri Jan 9 18:31:34 2009
Subject: Stops after RCVD_IN_BL_SPAMCOP_NET
In-Reply-To:
References: <200901091200.n09C0OxO009559@safir.blacknight.ie>
Message-ID:

Joe Garvey wrote on Fri, 9 Jan 2009 09:06:53 -0800:

> Yes, I have run that many times to test SA. I have no errors or issues
> reported. All the config files I expect to have loaded are loading.

You may need to tell it that you use the MailScanner provided prefs.conf.

Also, please use decent quoting in your mail reader. Otherwise it's not
possible to distinguish what you wrote and what not.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Fri Jan 9 18:31:18 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri Jan 9 18:31:35 2009
Subject: Problem after Upgrade 4.72.1-1 to 4.74.15-1
In-Reply-To: <4967856A.1040500@coders.co.uk>
References: <20090108071334.6t3eri15gc0ggkk4@manage.zuka.net> <49660685.80304@USherbrooke.ca> <49660D57.2040107@senecac.on.ca> <4966145F.4010305@senecac.on.ca> <49663B6D.1030800@senecac.on.ca> <496648E0.9020903@USherbrooke.ca> <49665704.4080804@kettle.org.uk> <49665BD4.9080307@USherbrooke.ca> <49678062.3020209@kettle.org.uk> <4967856A.1040500@coders.co.uk>
Message-ID:

Matt wrote on Fri, 09 Jan 2009 17:12:10 +0000:

> ( /sbin/service MailScanner stopms; /usr/bin/sa-learn --force-expire;
> sleep 60; /usr/sbin/check_MailScanner )
>
> then this allows mail to be received whilst the Bayes is being rebuilt

Actually, there's no problem rebuilding without stopping MS.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From dave.filchak at senecac.on.ca Fri Jan 9 18:45:10 2009
From: dave.filchak at senecac.on.ca (Dave Filchak)
Date: Fri Jan 9 18:45:20 2009
Subject: General Thankyou (was: Re: Upgrade from 4.61.7 to 4.74.13-2)
In-Reply-To:
References: <60382.204.184.75.172.1231471379.squirrel@webmail.elsberry.k12.mo.us>
Message-ID: <49679B36.9010202@senecac.on.ca>

Just wanted to pass on my thanks to Kai, Glenn and Scott and any I
missed, for helping me with my MS Upgrade issues. As I said, it had been
a while since I had dealt with this stuff so it was a bit of a learning
curve. It all seems to be working pretty well now so I will be watching
it closely over the next few days. Just need to do a bit of tweaking
with the rules I think.

As the version I was using was pretty old, is there anywhere I can find
an explanation of the new config directives since 4.6.x ?

Again, thank you everyone for your help.

Dave

From MailScanner at rowley-cs.co.uk Fri Jan 9 18:51:17 2009
From: MailScanner at rowley-cs.co.uk (MailScanner)
Date: Fri Jan 9 18:51:38 2009
Subject: Outbound mal stuck
Message-ID: <45B4F94BF79F16438AB6EBA4BB5F3FBC4ECE4A0B20@hercules.rowley-cs.co.uk>

Hi Everyone.

How do I delete a stuck outbound mail?

Plz advice.

Thx,

From ssilva at sgvwater.com Fri Jan 9 18:55:57 2009
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Jan 9 18:56:13 2009
Subject: General Thankyou
In-Reply-To: <49679B36.9010202@senecac.on.ca>
References: <60382.204.184.75.172.1231471379.squirrel@webmail.elsberry.k12.mo.us> <49679B36.9010202@senecac.on.ca>
Message-ID:

on 1-9-2009 10:45 AM Dave Filchak spake the following:
> Just wanted to pass on my thanks to Kai, Glenn and Scott and any I
> missed, for helping me with my MS Upgrade issues. As I said, it had been
> a while since I had dealt with this stuff so it was a bit of a learning
> curve. It all seems to be working pretty well now so I will be watching
> it closely over the next few days. Just need to do a bit of tweaking
> with the rules I think.
>
> As the version I was using was pretty old, is there anywhere I can find
> an explanation of the new config directives since 4.6.x ?
>
> Again, thank you everyone for your help.
>
> Dave

Buying the book is the best option, but here is a listing of all the config
options.

http://www.mailscanner.info/MailScanner.conf.index.html

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From kc5goi at gmail.com Fri Jan 9 18:57:38 2009
From: kc5goi at gmail.com (Guy Story KC5GOI)
Date: Fri Jan 9 18:57:49 2009
Subject: Anti-spear-phishing, round 2
In-Reply-To: <49672BCE.1030603@ecs.soton.ac.uk>
References: <4963D91A.9060304@ecs.soton.ac.uk> <4965292E.1070209@ecs.soton.ac.uk> <49664631.2020207@ecs.soton.ac.uk> <49672BCE.1030603@ecs.soton.ac.uk>
Message-ID:

Jules, I will have to look at the upgrade then. It is the curse of using
Ubuntu. I have a question that you indirectly inspired. I want everyone to
understand that this is a short term solution. I took the list from Google
and massaged it to fit the format for use as the spam.blacklist.rule file,
is that any less efficient as far as MS is concerned? As far as processing
the list, it is not even remotely close to the ease of use that your script
does with an entry in cron.hourly.

Guy

On Fri, Jan 9, 2009 at 4:49 AM, Julian Field wrote:

> If you want to use SpamAssassin Rule Actions, then you'll have to upgrade
> to a version that actually has that option :-)
> 4.58.9 is about 18 months out of date. Ancient, in this world. Sorry.
>
>
> On 8/1/09 21:01, Guy Story KC5GOI wrote:
>
>> Jule, I apologize for being blind today. I downloaded the script, made it
>> executable, put in my desired address in the file. I ran the script
>> verified the presence but what I am being blind to is where to tell
>> SpamAssassin to look for the file so it can filter out that crap. I do not
>> have a SpamAssassin Rule Actions entry in my MailScanner.conf. I am on
>> 4.58.9 so David's question is one I have as well.
>>
>> Thanks for the good work.
>>
>> Guy Story KC5GOI
>> kc5goi@gmail.com
>>
>
> Jules
>
> --
> Julian Field MEng CITP CEng
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> MailScanner customisation, or any advanced system administration help?
> Contact me at Jules@Jules.FM
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> PGP public key: http://www.jules.fm/julesfm.asc
>

--
73
Guy Story KC5GOI
kc5goi@gmail.com

From traced at xpear.de Fri Jan 9 18:58:18 2009
From: traced at xpear.de (traced)
Date: Fri Jan 9 18:58:32 2009
Subject: Outbound mal stuck
In-Reply-To: <45B4F94BF79F16438AB6EBA4BB5F3FBC4ECE4A0B20@hercules.rowley-cs.co.uk>
References: <45B4F94BF79F16438AB6EBA4BB5F3FBC4ECE4A0B20@hercules.rowley-cs.co.uk>
Message-ID: <49679E4A.6020501@xpear.de>

MailScanner wrote:
> Hi Everyone.
>
> How do I delete a stuck outbound mail?
>
> Plz advice.
>
> Thx,

Which MTA do you use?

Bastian

From MailScanner at rowley-cs.co.uk Fri Jan 9 18:59:29 2009
From: MailScanner at rowley-cs.co.uk (MailScanner)
Date: Fri Jan 9 18:59:52 2009
Subject: Outbound mal stuck
In-Reply-To: <45B4F94BF79F16438AB6EBA4BB5F3FBC4ECE4A0B20@hercules.rowley-cs.co.uk>
References: <45B4F94BF79F16438AB6EBA4BB5F3FBC4ECE4A0B20@hercules.rowley-cs.co.uk>
Message-ID: <45B4F94BF79F16438AB6EBA4BB5F3FBC4ECE4A0B21@hercules.rowley-cs.co.uk>

Found it.

Under /var/spool/mqueue

Thx folks

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of MailScanner
Sent: 09 January 2009 18:51
To: mailscanner@lists.mailscanner.info
Subject: Outbound mal stuck

Hi Everyone.

How do I delete a stuck outbound mail?

Plz advice.

Thx,

From dave.filchak at senecac.on.ca Fri Jan 9 19:06:02 2009
From: dave.filchak at senecac.on.ca (Dave Filchak)
Date: Fri Jan 9 19:06:13 2009
Subject: General Thankyou
In-Reply-To:
References: <60382.204.184.75.172.1231471379.squirrel@webmail.elsberry.k12.mo.us>
	<49679B36.9010202@senecac.on.ca>
Message-ID: <4967A01A.1020805@senecac.on.ca>

Scott,

Scott Silva wrote:
> on 1-9-2009 10:45 AM Dave Filchak spake the following:
>
>> Just wanted to pass on my thanks to Kai, Glenn and Scott and any I
>> missed, for helping me with my MS Upgrade issues. As I said, it had been
>> a while since I had dealt with this stuff so it was a bit of a learning
>> curve. It all seems to be working pretty well now so I will be watching
>> it closely over the next few days. Just need to do a bit of tweaking
>> with the rules I think.
>>
>> As the version I was using was pretty old, is there anywhere I can find
>> an explanation of the new config directives since 4.6.x ?
>>
>> Again, thank you everyone for your help.
>>
>> Dave
>>
>
> Buying the book is the best option, but here is a listing of all the config
> options.
>
> http://www.mailscanner.info/MailScanner.conf.index.html
>

I do own the first edition of the book. Just need to update the newer
config options.

One last error I found so maybe you can comment. I am seeing the
following error in maillog:

Cannot lock /var/spool/MailScanner/incoming/Locks/clamavBusy.lock,
Permission denied

So I checked the permissions there and the Locks directory is owned by
postfix.root and the locks inside are all owned by root.root.
MailScanner runs as postfix and clamd runs as clamav. Should the
clamavBusy.lock be owned by postfix.clamav? Also, I was sure I had
changed these permissions earlier in this and it appears as though they
have been reset, So I need to set a sticky bit?

Dave

--
Dave Filchak
Instructor, School of Communications Arts
Seneca College @ York
Office: Room 1068

From MailScanner at rowley-cs.co.uk Fri Jan 9 19:14:30 2009
From: MailScanner at rowley-cs.co.uk (MailScanner)
Date: Fri Jan 9 19:14:48 2009
Subject: Outbound mal stuck
In-Reply-To: <49679E4A.6020501@xpear.de>
References: <45B4F94BF79F16438AB6EBA4BB5F3FBC4ECE4A0B20@hercules.rowley-cs.co.uk>
	<49679E4A.6020501@xpear.de>
Message-ID: <45B4F94BF79F16438AB6EBA4BB5F3FBC4ECE4A0B23@hercules.rowley-cs.co.uk>

Hi Again,

My mistake. It is still on the queue.
I delete the file in /var/spool/mqueue but when run tail -20f /var/log/maillog and it is still trying to deliver.
I use sendmail.

Any Idea?

Thx.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of traced
Sent: 09 January 2009 18:58
To: MailScanner discussion
Subject: Re: Outbound mal stuck

MailScanner wrote:
> Hi Everyone.
>
> How do I delete a stuck outbound mail?
>
> Plz advice.
>
> Thx,

Which MTA do you use?

Bastian

From traced at xpear.de Fri Jan 9 19:24:20 2009
From: traced at xpear.de (traced)
Date: Fri Jan 9 19:24:31 2009
Subject: Outbound mal stuck
In-Reply-To: <45B4F94BF79F16438AB6EBA4BB5F3FBC4ECE4A0B23@hercules.rowley-cs.co.uk>
References: <45B4F94BF79F16438AB6EBA4BB5F3FBC4ECE4A0B20@hercules.rowley-cs.co.uk>
	<49679E4A.6020501@xpear.de>
	<45B4F94BF79F16438AB6EBA4BB5F3FBC4ECE4A0B23@hercules.rowley-cs.co.uk>
Message-ID: <4967A464.2040202@xpear.de>

MailScanner wrote:
> Hi Again,
>
> My mistake. It is still on the queue.
> I delete the file in /var/spool/mqueue but when run tail -20f /var/log/maillog and it is still trying to deliver.
> I use sendmail.
>
> Any Idea?
>
> Thx.
>

This should solve your problem:
http://www.freebsddiary.org/mailqueue.php

Regards,
Bastian

From Denis.Beauchemin at USherbrooke.ca Fri Jan 9 19:25:35 2009
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Fri Jan 9 19:26:15 2009
Subject: Outbound mal stuck
In-Reply-To: <45B4F94BF79F16438AB6EBA4BB5F3FBC4ECE4A0B23@hercules.rowley-cs.co.uk>
References: <45B4F94BF79F16438AB6EBA4BB5F3FBC4ECE4A0B20@hercules.rowley-cs.co.uk>
	<49679E4A.6020501@xpear.de>
	<45B4F94BF79F16438AB6EBA4BB5F3FBC4ECE4A0B23@hercules.rowley-cs.co.uk>
Message-ID: <4967A4AF.4080705@USherbrooke.ca>

MailScanner wrote:
> Hi Again,
>
> My mistake. It is still on the queue.
> I delete the file in /var/spool/mqueue but when run tail -20f /var/log/maillog and it is still trying to deliver.
> I use sendmail.
>
> Any Idea?
>
> Thx.
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of traced
> Sent: 09 January 2009 18:58
> To: MailScanner discussion
> Subject: Re: Outbound mal stuck
>
> MailScanner wrote:
>
>> Hi Everyone.
>>
>> How do I delete a stuck outbound mail?
>>
>> Plz advice.
>>
>> Thx,
>>
>
> Which MTA do you use?
>
> Bastian
>

If you're using sendmail (you didn't answer Bastian's question about
this), /var/spool/mqueue is the outqueue where MS puts emails after it
is done with them. So you shouldn't be seeing anything about them
anymore, except for attempted delivery from sendmail.

Denis

--
   _
  °v°   Denis Beauchemin, analyst
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From garvey at pushormitchell.com Fri Jan 9 19:32:49 2009
From: garvey at pushormitchell.com (Joe Garvey)
Date: Fri Jan 9 19:32:58 2009
Subject: Stops after RCVD_IN_BL_SPAMCOP_NET
References:
Message-ID:

My /etc/mail/spamassassin/spam.assassin.prefs.conf is a link to /etc/MailScanner/spam.assassin.prefs.conf

I find it very confusing and lacking confidence in the system when the system provides a score for bl.spamcop.net and don't see any other results from any other rules. I just want to make sure everything is working properly but my gut feeling is that it is not.

I also converted my bayes database to MySQL. After reviewing the conversion I noticed that I have no ham messages in the database. I am loading up some from various users to see if this will also make a difference as I find the Bayesian score usually shows a negative even for the most obvious spam.

Thanks
Joe

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Kai Schaetzl
Sent: Friday, January 09, 2009 10:31 AM
To: mailscanner@lists.mailscanner.info
Subject: Re: Stops after RCVD_IN_BL_SPAMCOP_NET

Joe Garvey wrote on Fri, 9 Jan 2009 09:06:53 -0800:

> Yes, I have run that many times to test SA. I have no errors or issues
> reported. All the config files I expect to have loaded are loading.

You may need to tell it that you use the MailScanner provided prefs.conf.
Also, please use decent quoting in your mail reader. Otherwise it's not
possible to distinguish what you wrote and what not.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From MailScanner at rowley-cs.co.uk Fri Jan 9 19:36:13 2009
From: MailScanner at rowley-cs.co.uk (MailScanner)
Date: Fri Jan 9 19:36:33 2009
Subject: Outbound mal stuck
In-Reply-To: <4967A4AF.4080705@USherbrooke.ca>
References: <45B4F94BF79F16438AB6EBA4BB5F3FBC4ECE4A0B20@hercules.rowley-cs.co.uk>
	<49679E4A.6020501@xpear.de>
	<45B4F94BF79F16438AB6EBA4BB5F3FBC4ECE4A0B23@hercules.rowley-cs.co.uk>
	<4967A4AF.4080705@USherbrooke.ca>
Message-ID: <45B4F94BF79F16438AB6EBA4BB5F3FBC4ECE4A0B24@hercules.rowley-cs.co.uk>

Thx for replying.
That is exactly what I am seeing.
How do I kill the attempted delivery?
Plz advice.

Thx

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Denis Beauchemin
Sent: 09 January 2009 19:26
To: MailScanner discussion
Subject: Re: Outbound mal stuck

MailScanner wrote:
> Hi Again,
>
> My mistake. It is still on the queue.
> I delete the file in /var/spool/mqueue but when run tail -20f /var/log/maillog and it is still trying to deliver.
> I use sendmail.
>
> Any Idea?
>
> Thx.
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of traced
> Sent: 09 January 2009 18:58
> To: MailScanner discussion
> Subject: Re: Outbound mal stuck
>
> MailScanner wrote:
>
>> Hi Everyone.
>>
>> How do I delete a stuck outbound mail?
>>
>> Plz advice.
>>
>> Thx,
>>
>
> Which MTA do you use?
>
> Bastian
>

If you're using sendmail (you didn't answer Bastian's question about
this), /var/spool/mqueue is the outqueue where MS puts emails after it
is done with them. So you shouldn't be seeing anything about them
anymore, except for attempted delivery from sendmail.

Denis

--
   _
  °v°   Denis Beauchemin, analyst
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From traced at xpear.de Fri Jan 9 19:42:25 2009
From: traced at xpear.de (traced)
Date: Fri Jan 9 19:42:36 2009
Subject: Outbound mal stuck
In-Reply-To: <45B4F94BF79F16438AB6EBA4BB5F3FBC4ECE4A0B24@hercules.rowley-cs.co.uk>
References: <45B4F94BF79F16438AB6EBA4BB5F3FBC4ECE4A0B20@hercules.rowley-cs.co.uk>
	<49679E4A.6020501@xpear.de>
	<45B4F94BF79F16438AB6EBA4BB5F3FBC4ECE4A0B23@hercules.rowley-cs.co.uk>
	<4967A4AF.4080705@USherbrooke.ca>
	<45B4F94BF79F16438AB6EBA4BB5F3FBC4ECE4A0B24@hercules.rowley-cs.co.uk>
Message-ID: <4967A8A1.4080704@xpear.de>

MailScanner wrote:
> Thx for replying.
> That is exactly what I am seeing.
> How do I kill the attempted delivery?
> Plz advice.
>
> Thx
>

Have you simply tried to restart sendmail?

From MailScanner at rowley-cs.co.uk Fri Jan 9 19:57:31 2009
From: MailScanner at rowley-cs.co.uk (MailScanner)
Date: Fri Jan 9 19:57:52 2009
Subject: Outbound mal stuck
In-Reply-To: <4967A8A1.4080704@xpear.de>
References: <45B4F94BF79F16438AB6EBA4BB5F3FBC4ECE4A0B20@hercules.rowley-cs.co.uk>
	<49679E4A.6020501@xpear.de>
	<45B4F94BF79F16438AB6EBA4BB5F3FBC4ECE4A0B23@hercules.rowley-cs.co.uk>
	<4967A4AF.4080705@USherbrooke.ca>
	<45B4F94BF79F16438AB6EBA4BB5F3FBC4ECE4A0B24@hercules.rowley-cs.co.uk>
	<4967A8A1.4080704@xpear.de>
Message-ID: <45B4F94BF79F16438AB6EBA4BB5F3FBC4ECE4A0B25@hercules.rowley-cs.co.uk>

I have restarted the MS and nothing changed.
Service MailScanner restart.
Everything started Ok but I still see the attempted delivery.
Any idea why?

Thx

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of traced
Sent: 09 January 2009 19:42
To: MailScanner discussion
Subject: Re: Outbound mal stuckservice

MailScanner wrote:
> Thx for replying.
> That is exactly what I am seeing.
> How do I kill the attempted delivery?
> Plz advice.
>
> Thx
>

Have you simply tried to restart sendmail?

From Andrew.Chester at ukuvuma.co.za Fri Jan 9 20:03:58 2009
From: Andrew.Chester at ukuvuma.co.za (Andrew Chester)
Date: Fri Jan 9 20:04:13 2009
Subject: Andrew Chester is out of the office.
Message-ID:

I will be out of the office starting 2008/12/31 and will not return until 2009/01/19.

I will respond to your message when I return. In case of emergency, please contact Ryan Bell on 0733182598, or Dawid Van Heerden on 0827707919.

From traced at xpear.de Fri Jan 9 20:05:46 2009
From: traced at xpear.de (traced)
Date: Fri Jan 9 20:05:58 2009
Subject: Outbound mal stuck
In-Reply-To: <45B4F94BF79F16438AB6EBA4BB5F3FBC4ECE4A0B25@hercules.rowley-cs.co.uk>
References: <45B4F94BF79F16438AB6EBA4BB5F3FBC4ECE4A0B20@hercules.rowley-cs.co.uk>
	<49679E4A.6020501@xpear.de>
	<45B4F94BF79F16438AB6EBA4BB5F3FBC4ECE4A0B23@hercules.rowley-cs.co.uk>
	<4967A4AF.4080705@USherbrooke.ca>
	<45B4F94BF79F16438AB6EBA4BB5F3FBC4ECE4A0B24@hercules.rowley-cs.co.uk>
	<4967A8A1.4080704@xpear.de>
	<45B4F94BF79F16438AB6EBA4BB5F3FBC4ECE4A0B25@hercules.rowley-cs.co.uk>
Message-ID: <4967AE1A.7050101@xpear.de>

MailScanner wrote:
> I have restarted the MS and nothing changed.
> Service MailScanner restart.
> Everything started Ok but I still see the attempted delivery.
> Any idea why?
>
> Thx

Hmm... thought on restarting the mailserver itself.

From Denis.Beauchemin at USherbrooke.ca Fri Jan 9 20:08:49 2009
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Fri Jan 9 20:09:22 2009
Subject: Outbound mal stuck
In-Reply-To: <45B4F94BF79F16438AB6EBA4BB5F3FBC4ECE4A0B25@hercules.rowley-cs.co.uk>
References: <45B4F94BF79F16438AB6EBA4BB5F3FBC4ECE4A0B20@hercules.rowley-cs.co.uk>
	<49679E4A.6020501@xpear.de>
	<45B4F94BF79F16438AB6EBA4BB5F3FBC4ECE4A0B23@hercules.rowley-cs.co.uk>
	<4967A4AF.4080705@USherbrooke.ca>
	<45B4F94BF79F16438AB6EBA4BB5F3FBC4ECE4A0B24@hercules.rowley-cs.co.uk>
	<4967A8A1.4080704@xpear.de>
	<45B4F94BF79F16438AB6EBA4BB5F3FBC4ECE4A0B25@hercules.rowley-cs.co.uk>
Message-ID: <4967AED1.6060101@USherbrooke.ca>

MailScanner wrote:
> I have restarted the MS and nothing changed.
> Service MailScanner restart.
> Everything started Ok but I still see the attempted delivery.
> Any idea why?
>
> Thx
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of traced
> Sent: 09 January 2009 19:42
> To: MailScanner discussion
> Subject: Re: Outbound mal stuckservice
>
> MailScanner wrote:
>
>> Thx for replying.
>> That is exactly what I am seeing.
>> How do I kill the attempted delivery?
>> Plz advice.
>>
>> Thx
>>
>
> Have you simply tried to restart sendmail?
>

Restarting MS doesn't kill existing sendmail processes. If you removed
the df and qf files from /var/spool/mqueue and you made sure no sendmail
process is still trying to deliver that email (look at the output of ps)
then delivery attempts could no longer occur.

Denis

--
   _
  °v°   Denis Beauchemin, analyst
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From psaweikis at techpro.com Fri Jan 9 20:20:51 2009
From: psaweikis at techpro.com (Patrick Saweikis)
Date: Fri Jan 9 20:21:01 2009
Subject: Content scanning / MCP?
Message-ID: <48BB86B1412E3D429DECB241A39A62E8014E3C2C@W2K3-EXCHANGE02.mmsasp.local>

Hello,

We have a user on our mail system who wants to always ALLOW messages with specific content in the message subject and body through. Does anyone know if this is possible? If so, how would we accomplish it? I have been looking into using MCP, but from what I have read that is for denying specific message content only. Any advice would be greatly appreciated. Thanks!

Patrick Saweikis
TechPro, Inc.

From steve at fsl.com Fri Jan 9 20:37:54 2009
From: steve at fsl.com (Stephen Swaney)
Date: Fri Jan 9 20:38:06 2009
Subject: Content scanning / MCP?
In-Reply-To: <48BB86B1412E3D429DECB241A39A62E8014E3C2C@W2K3-EXCHANGE02.mmsasp.local>
References: <48BB86B1412E3D429DECB241A39A62E8014E3C2C@W2K3-EXCHANGE02.mmsasp.local>
Message-ID: <4967B5A2.40700@fsl.com>

Patrick Saweikis wrote:
>
> Hello,
>
> We have a user on our mail system who wants to always
> ALLOW messages with specific content in the message subject and body
> through. Does anyone know if this is possible? If so, how would we
> accomplish it? I have been looking into using MCP, but from what I
> have read that is for denying specific message content only. Any
> advice would be greatly appreciated. Thanks!
>
> Patrick Saweikis
>
> TechPro, Inc.
>

Not trivial since many checks are used to sidetrack email these days,
some of which are difficult to bypass. For example if you are blocking
using spamhaus at the MTA level you'll never even see the subject. What
about viruses? Does the user want a virus or a message with a blocked
attachment if the subject has the magic word? You get the idea.

On a simple level you could write a series of SpamAssassin rules that
would add +100 to the score if the magic words appear in the subject but
this only covers part of the possible traps.

Best regards,

Steve

Steve Swaney
steve@fsl.com
www.fsl.com

From glenn.steen at gmail.com Fri Jan 9 20:45:41 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Jan 9 20:45:50 2009
Subject: Was: Upgrade fron 4.61.7 to 4.74.13-2
In-Reply-To:
References: <20090108071334.6t3eri15gc0ggkk4@manage.zuka.net>
	<223f97700901080809i456904ferb64df26e7b44ae05@mail.gmail.com>
	<49662AAF.9070601@senecac.on.ca>
	<223f97700901081136s24b46fc3u80f6bc14346a6f6b@mail.gmail.com>
	<4966C3C0.7090103@senecac.on.ca>
	<4966DD30.30909@senecac.on.ca>
	<223f97700901090143h19668270w1c223c5ab81cb617@mail.gmail.com>
	<496784EE.5030904@senecac.on.ca>
Message-ID: <223f97700901091245r35814208ocb74082e34b4d90e@mail.gmail.com>

2009/1/9 Kai Schaetzl :
> c.on.ca>
> Reply-To: mailscanner@lists.mailscanner.info
>
> Dave Filchak wrote on Fri, 09 Jan 2009 12:10:06 -0500:
>
>> So, I need to either change
>> the spam actions for not high spam to striphtml deliver,
>
> Of course, it's really not a good idea to quarantine low scoring spam.
> What you do is fine-tune your setup and then lower *carefully* the high-
> scoring spam from 10 downwards (I have it set to 6). And the lowering
> coincides with finetuning your detection in SA and your Bayes.
>

This is good advice from Kai to you Dave. Also... I guess you've
already looked at the sections in the MAQ/Wiki about getting the most
out of SA? Else... that's a good starting point.
And as friend Scott says... it might be time to try to retrain your
bayes... At least have a look at what scores you get. Since you use
MailWatch, you have a superb tool in the reports page, for determining
exactly what makes the low-scoring spam (just above 5) end up there.
Apply filters for "Is spam = 1" and "SA score < 6", then look at the
SA rule hits report... and perhaps browse through the details for a few
of them, just to get a feel for what's wrong.

> Kai
>

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Fri Jan 9 20:55:47 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Jan 9 20:55:56 2009
Subject: General Thankyou (was: Re: Upgrade from 4.61.7 to 4.74.13-2)
In-Reply-To: <49679B36.9010202@senecac.on.ca>
References: <60382.204.184.75.172.1231471379.squirrel@webmail.elsberry.k12.mo.us>
	<49679B36.9010202@senecac.on.ca>
Message-ID: <223f97700901091255j35071be3v4a2681f0620c2534@mail.gmail.com>

2009/1/9 Dave Filchak :
> Just wanted to pass on my thanks to Kai, Glenn and Scott and any I missed,
> for helping me with my MS Upgrade issues. As I said, it had been a while
> since I had dealt with this stuff so it was a bit of a learning curve. It
> all seems to be working pretty well now so I will be watching it closely
> over the next few days. Just need to do a bit of tweaking with the rules I
> think.
>
> As the version I was using was pretty old, is there anywhere I can find an
> explanation of the new config directives since 4.6.x ?
>

Well there are a few obvious places to look:-).
The change log: http://www.mailscanner.info/ChangeLog
In your MailScanner.conf ... Jules is very good at commenting that...
And there is a webbified version of that as well at
http://www.mailscanner.info/MailScanner.conf.index.html that might be
easier to use, for reference.

> Again, thank you everyone for your help.
>
> Dave

Glad to be of help.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Fri Jan 9 21:01:34 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Jan 9 21:01:44 2009
Subject: General Thankyou
In-Reply-To: <4967A01A.1020805@senecac.on.ca>
References: <60382.204.184.75.172.1231471379.squirrel@webmail.elsberry.k12.mo.us>
	<49679B36.9010202@senecac.on.ca>
	<4967A01A.1020805@senecac.on.ca>
Message-ID: <223f97700901091301x5dbcbfa1w1abde38aa5897b7c@mail.gmail.com>

2009/1/9 Dave Filchak :
> Scott,
>
> Scott Silva wrote:
>>
>> on 1-9-2009 10:45 AM Dave Filchak spake the following:
>>
>>>
>>> Just wanted to pass on my thanks to Kai, Glenn and Scott and any I
>>> missed, for helping me with my MS Upgrade issues. As I said, it had been
>>> a while since I had dealt with this stuff so it was a bit of a learning
>>> curve. It all seems to be working pretty well now so I will be watching
>>> it closely over the next few days. Just need to do a bit of tweaking
>>> with the rules I think.
>>>
>>> As the version I was using was pretty old, is there anywhere I can find
>>> an explanation of the new config directives since 4.6.x ?
>>>
>>> Again, thank you everyone for your help.
>>>
>>> Dave
>>>
>>
>> Buying the book is the best option, but here is a listing of all the
>> config
>> options.
>>
>> http://www.mailscanner.info/MailScanner.conf.index.html
>>
>
> I do own the first edition of the book. Just need to update the newer config
> options.
>
> One last error I found so maybe you can comment. I am seeing the following
> error in maillog:
>
> Cannot lock /var/spool/MailScanner/incoming/Locks/clamavBusy.lock,
> Permission denied
>
> So I checked the permissions there and the Locks directory is owned by
> postfix.root and the locks inside are all owned by root.root. MailScanner
> runs as postfix and clamd runs as clamav. Should the clamavBusy.lock be
> owned by postfix.clamav? Also, I was sure I had changed these permissions
> earlier in this and it appears as though they have been reset, So I need to
> set a sticky bit?
>
> Dave

I think this comes from a little problem with the last stable... which
prompted Jules to release a .15-2 or something like that. So... What
does "MailScanner -V" show as version? If not the absolutely latest...
you need a quick upgrade to that.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Fri Jan 9 21:07:15 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Jan 9 21:07:25 2009
Subject: Stops after RCVD_IN_BL_SPAMCOP_NET
In-Reply-To:
References:
Message-ID: <223f97700901091307o6f220bb1ob9b433143f920eaf@mail.gmail.com>

2009/1/9 Joe Garvey :
> My /etc/mail/spamassassin/spam.assassin.prefs.conf is a link to /etc/MailScanner/spam.assassin.prefs.conf
>

Um... that should be /etc/mail/spamassassin/mailscanner.cf, not
spam.assassin.prefs.conf, right?

(snip)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From dave.filchak at senecac.on.ca Fri Jan 9 21:20:03 2009
From: dave.filchak at senecac.on.ca (Dave Filchak)
Date: Fri Jan 9 21:20:28 2009
Subject: General Thankyou
In-Reply-To: <223f97700901091301x5dbcbfa1w1abde38aa5897b7c@mail.gmail.com>
References: <60382.204.184.75.172.1231471379.squirrel@webmail.elsberry.k12.mo.us>
	<49679B36.9010202@senecac.on.ca>
	<4967A01A.1020805@senecac.on.ca>
	<223f97700901091301x5dbcbfa1w1abde38aa5897b7c@mail.gmail.com>
Message-ID: <4967BF83.7040303@senecac.on.ca>

Glenn,

Glenn Steen wrote:
> 2009/1/9 Dave Filchak :
>
>> Scott,
>>
>> Scott Silva wrote:
>>
>>> on 1-9-2009 10:45 AM Dave Filchak spake the following:
>>>
>>>> Just wanted to pass on my thanks to Kai, Glenn and Scott and any I
>>>> missed, for helping me with my MS Upgrade issues. As I said, it had been
>>>> a while since I had dealt with this stuff so it was a bit of a learning
>>>> curve. It all seems to be working pretty well now so I will be watching
>>>> it closely over the next few days. Just need to do a bit of tweaking
>>>> with the rules I think.
>>>>
>>>> As the version I was using was pretty old, is there anywhere I can find
>>>> an explanation of the new config directives since 4.6.x ?
>>>>
>>>> Again, thank you everyone for your help.
>>>>
>>>> Dave
>>>>
>>> Buying the book is the best option, but here is a listing of all the
>>> config
>>> options.
>>>
>>> http://www.mailscanner.info/MailScanner.conf.index.html
>>>
>> I do own the first edition of the book. Just need to update the newer config
>> options.
>>
>> One last error I found so maybe you can comment. I am seeing the following
>> error in maillog:
>>
>> Cannot lock /var/spool/MailScanner/incoming/Locks/clamavBusy.lock,
>> Permission denied
>>
>> So I checked the permissions there and the Locks directory is owned by
>> postfix.root and the locks inside are all owned by root.root. MailScanner
>> runs as postfix and clamd runs as clamav. Should the clamavBusy.lock be
>> owned by postfix.clamav? Also, I was sure I had changed these permissions
>> earlier in this and it appears as though they have been reset, So I need to
>> set a sticky bit?
>>
>> Dave
>>
> I think this comes from a little problem with the last stable... which
> prompted Jules to release a .15-2 or something like that. So... What
> does "MailScanner -V" show as version? If not the absolutely latest...
> you need a quick upgrade to that.
>

I did update to the latest already.

This is MailScanner version 4.74.15
Module versions are:
1.00 AnyDBM_File
1.20 Archive::Zip
0.22 bignum
1.03 Carp
1.41 Compress::Zlib
1.119 Convert::BinHex
0.17 Convert::TNEF
2.121 Data::Dumper
2.27 Date::Parse
1.00 DirHandle
1.05 Fcntl
2.73 File::Basename
2.08 File::Copy
2.01 FileHandle
1.06 File::Path
0.20 File::Temp
0.78 Filesys::Df
1.35 HTML::Entities
3.56 HTML::Parser
2.37 HTML::TokeParser
1.23 IO
1.14 IO::File
1.13 IO::Pipe
2.04 Mail::Header
1.87 Math::BigInt
0.20 Math::BigRat
3.05 MIME::Base64
5.427 MIME::Decoder
5.427 MIME::Decoder::UU
5.427 MIME::Head
5.427 MIME::Parser
3.03 MIME::QuotedPrint
5.427 MIME::Tools
0.11 Net::CIDR
1.25 Net::IP
0.16 OLE::Storage_Lite
1.04 Pod::Escapes
3.05 Pod::Simple
1.08 POSIX
1.19 Scalar::Util
1.77 Socket
2.13 Storable
1.4 Sys::Hostname::Long
0.18 Sys::Syslog
1.26 Test::Pod
0.7 Test::Simple
1.9707 Time::HiRes
1.02 Time::localtime

Optional module versions are:
1.32 Archive::Tar
0.22 bignum
1.82 Business::ISBN
1.10 Business::ISBN::Data
1.08 Data::Dump
1.814 DB_File
1.13 DBD::SQLite
1.58 DBI
1.15 Digest
1.01 Digest::HMAC
2.36 Digest::MD5
2.11 Digest::SHA1
1.00 Encode::Detect
0.17008 Error
0.19 ExtUtils::CBuilder
2.18 ExtUtils::ParseXS
2.36 Getopt::Long
0.44 Inline
1.08 IO::String
1.04 IO::Zlib
2.21 IP::Country
0.22 Mail::ClamAV
3.002005 Mail::SpamAssassin
v2.004 Mail::SPF
1.999001 Mail::SPF::Query
0.2808 Module::Build
0.20 Net::CIDR::Lite
0.63 Net::DNS
0.002.2 Net::DNS::Resolver::Programmable
0.31 Net::LDAP
4.004 NetAddr::IP
1.94 Parse::RecDescent
missing SAVI
2.64 Test::Harness
0.95 Test::Manifest
1.95 Text::Balanced
1.35 URI
0.7203 version
0.65 YAML

> Cheers
>

--
Dave Filchak
Instructor, School of Communications Arts
Seneca College @ York
Office: Room 1068

From cwatts at elsberry.k12.mo.us Fri Jan 9 21:37:06 2009
From: cwatts at elsberry.k12.mo.us (Cannon Watts)
Date: Fri Jan 9 21:38:43 2009
Subject: identical messages -- some get bayes score, some don't
In-Reply-To:
References: <60382.204.184.75.172.1231471379.squirrel@webmail.elsberry.k12.mo.us>
Message-ID: <55910.204.184.75.172.1231537026.squirrel@webmail.elsberry.k12.mo.us>

On Fri, January 9, 2009 5:31 am, Kai Schaetzl wrote:
> Cannon Watts wrote on Thu, 8 Jan 2009 21:22:59 -0600 (CST):
>
>> [2456] dbg: async: starting: URI-DNSBL,
>> DNSBL:dob.sibl.support-intelligence.net:agentbenefitsteam.com
>> (timeout 10.0s, min 2.0s)
>>
>> [2456] dbg: async: starting: URI-NS,
>> NS:agentbenefitsteam.com
>> (timeout 10.0s, min 2.0s)
>>
>> [2456] dbg: async: starting: DNSBL-A,
>> dns:A:154.248.19.72.plus.bondedsender.org.
>> (timeout 10.0s, min 2.0s)
>>
>> [2456] dbg: async: starting: DNSBL-TXT,
>> dns:TXT:154.248.19.72.bl.spamcop.net.
>> (timeout 10.0s, min 2.0s)
>
> there's a problem with your DNS or caching ns. Until you haven't solved
> that better disable network tests. Even after you are ok again you may
> want to disable some of these tests as they are not worth it.

Probably getting beyond the scope of this list, but any tips on debugging
this? This particular box is running its own caching DNS that, prior to
seeing that debugging info, I would have said works perfectly. Dozens of
clients on our local network use that DNS server without a problem, not to
mention the fact that sendmail on this same machine has no DNS problems.

How would I go about disabling 'some of these tests'? set skip_rbl_checks
in /etc/mail/spamassassin/mailscanner.cf?

>> And perhaps most importantly:
>> [2456] dbg: locker: safe_lock: trying to get lock on
>> /etc/MailScanner/bayes/bayes with 10 timeout
>
> check the permissions, look for existing lock files and remove them.
> Apparently, this didn't happen for all messages. So, check messages one by
> one and see if it then still happens. Maybe there's a performance problem?

I don't understand how permissions could be an issue given the
circumstances. SpamAssassin is running as root, and all of these messages
are in the same mailbox -- it's not as if they're owned by different
users.

I did run each message separately through spamassassin -D. This time they
all received Bayes scores, with 15 scoring BAYES_50 and 13 scoring
BAYES_60. All of them generated the dns timeouts, but only 19 of the 28
generated the bayes timeout.

I don't see any suspicious lock files, but then I'm not sure what I'm
looking for.

I suppose there could be a performance problem, but considering I just
moved this server from a 933 MHz Pentium with less than a gig of ram
(where it was working reasonably well) to a 2 GHz quad-core w/ 4 GB of RAM
and 15k rpm disks (where I've never seen the system load go over 0.5), I
tend to look elsewhere first.

Thanks for your help thus far, any additional assistance would be greatly
appreciated.

Cannon Watts

From maillists at conactive.com Fri Jan 9 22:31:19 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri Jan 9 22:31:37 2009
Subject: Stops after RCVD_IN_BL_SPAMCOP_NET
In-Reply-To:
References:
Message-ID:

Joe Garvey wrote on Fri, 9 Jan 2009 11:32:49 -0800:

> My /etc/mail/spamassassin/spam.assassin.prefs.conf is a link to /etc/MailScanner/spam.assassin.prefs.conf

right, yes, that's fine then. I sometimes think we are two years ago ;-)

> I find it very confusing and lacking confidence in the system when
> the system provides a score for bl.spamcop.net and don't see any other
> results from any other rules.

Use Mailwatch to check the Rule Hits. Go to Reports/Spamassassin Rule Hits.
I can't see a reason that the spamcop RBL rule stop all processing. Unless
you use short-circuiting and use this rule as short-circuit rule.

> I also converted my bayes database to MySQL. After reviewing the conversion
> I noticed that I have no ham messages in the database. I am loading
> up some from various users to see if this will also make a difference
> as I find the Bayesian score usually shows a negative even for the
> most obvious spam.

Well, I suppose you didn't do "sa-learn --dump magic" before this. It would
have shown you that you have no ham. That symptom would be normal for a
freshly started Bayes DB that gets trained only with autolearning, but you
seem to have it running much longer? This would then indicate that your
autolearning for ham is non-existent because your ham isn't scoring low
enough - which should not happen. What's the dump magic output now?

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Fri Jan 9 22:31:19 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri Jan 9 22:31:38 2009
Subject: Content scanning / MCP?
In-Reply-To: <48BB86B1412E3D429DECB241A39A62E8014E3C2C@W2K3-EXCHANGE02.mmsasp.local>
References: <48BB86B1412E3D429DECB241A39A62E8014E3C2C@W2K3-EXCHANGE02.mmsasp.local>
Message-ID:

Patrick Saweikis wrote on Fri, 9 Jan 2009 14:20:51 -0600:

> We have a user on our mail system who wants to always ALLOW
> messages with specific content in the message subject and body through.
> Does anyone know if this is possible? If so, how would we accomplish it?
> I have been looking into using MCP, but from what I have read that is
> for denying specific message content only

MCP is basically a second spamassassin run. You can just do the same during
the normal SA run. Stephen pointed at some caveats. There is an SA plugin
for simple whitelisting by subject, it just needs to be enabled in the
*.pre file in /etc/mail/spamassassin. But this will whitelist for all users.
I think the better approach is to whitelist the assumed senders or give that
user a special alias that doesn't get filtered and that he can hand out to
those where he thinks there might be delivery problems.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Fri Jan 9 22:31:18 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri Jan 9 22:31:38 2009
Subject: General Thankyou
In-Reply-To: <4967A01A.1020805@senecac.on.ca>
References: <60382.204.184.75.172.1231471379.squirrel@webmail.elsberry.k12.mo.us> <49679B36.9010202@senecac.on.ca> <4967A01A.1020805@senecac.on.ca>
Message-ID:

Dave Filchak wrote on Fri, 09 Jan 2009 14:06:02 -0500:

> So I checked the permissions there and the Locks directory is owned by
> postfix.root and the locks inside are all owned by root.root.

That is *all* wrong. Reread the tutorials for MS+postfix and for MS+clamd
(you are using clamd, right).

/var/spool/MailScanner/incoming/Locks l
total 16
drwxr-x--- 2 root    postfix 4096 Jan  9 23:03 .
drwxr-xr-x 5 postfix clamav  4096 Jan  9 23:04 ..
-rw------- 1 postfix postfix    0 Dec 11 17:31 antivirBusy.lock
-rw------- 1 postfix postfix    0 Dec 11 17:31 avastBusy.lock
-rw------- 1 postfix postfix    0 Dec 11 17:31 avgBusy.lock
-rw------- 1 postfix postfix    0 Dec 11 17:31 bitdefenderBusy.lock
-rw------- 1 postfix postfix  100 Jan  9 23:05 clamavBusy.lock
-rw------- 1 postfix postfix    0 Dec 11 17:31 cssBusy.lock
-rw------- 1 postfix postfix    0 Dec 11 17:31 esetsBusy.lock
-rw------- 1 postfix postfix    0 Dec 11 17:31 etrustBusy.lock
-rw------- 1 postfix postfix    0 Dec 11 17:31 f-prot-6Busy.lock
-rw------- 1 postfix postfix    0 Dec 11 17:31 f-protBusy.lock
-rw------- 1 postfix postfix    0 Dec 11 17:31 f-secureBusy.lock
-rw------- 1 postfix postfix    0 Dec 11 17:31 genericBusy.lock
-rw------- 1 postfix postfix    0 Dec 11 17:31 inoculanBusy.lock
-rw------- 1 postfix postfix    0 Dec 11 17:31 kasperskyBusy.lock
-rw------- 1 postfix postfix    0 Dec 11 17:31 mcafeeBusy.lock
-rw------- 1 postfix postfix    0 Jan  7 16:51 MS.bayes.rebuild.lock
-rw------- 1 postfix postfix    0 Jan  9 23:03 MS.bayes.starting.lock
-rw------- 1 postfix postfix    0 Dec 11 17:31 nod32Busy.lock
-rw------- 1 postfix postfix    0 Dec 11 17:31 normanBusy.lock
-rw------- 1 postfix postfix    0 Dec 11 17:31 pandaBusy.lock
-rw------- 1 postfix postfix    0 Dec 11 17:31 ravBusy.lock
-rw------- 1 postfix postfix    0 Dec 11 17:31 sophosBusy.lock
-rw------- 1 postfix postfix    0 Dec 11 17:31 symscanengineBusy.lock
-rw------- 1 postfix postfix    0 Dec 11 17:31 trendBusy.lock
-rw------- 1 postfix postfix    0 Dec 11 17:31 vba32Busy.lock
-rw------- 1 postfix postfix    0 Dec 11 17:31 vexiraBusy.lock

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From glenn.steen at gmail.com Fri Jan 9 22:32:33 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Jan 9 22:32:43 2009
Subject: General Thankyou
In-Reply-To: <4967BF83.7040303@senecac.on.ca>
References: <60382.204.184.75.172.1231471379.squirrel@webmail.elsberry.k12.mo.us> <49679B36.9010202@senecac.on.ca> <4967A01A.1020805@senecac.on.ca> <223f97700901091301x5dbcbfa1w1abde38aa5897b7c@mail.gmail.com> <4967BF83.7040303@senecac.on.ca>
Message-ID: <223f97700901091432g19ceff69p6992e72ada45bf78@mail.gmail.com>

2009/1/9 Dave Filchak :
> Glenn,
>
(snip)
> I did update to the latest already.
>
> This is MailScanner version 4.74.15

Hm. And it is the very latest....? "rpm -qi mailscanner" might show that.
There were some specific PF problems with the new locking.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From dave.filchak at senecac.on.ca Fri Jan 9 23:00:02 2009
From: dave.filchak at senecac.on.ca (Dave Filchak)
Date: Fri Jan 9 23:00:14 2009
Subject: General Thankyou
In-Reply-To:
References: <60382.204.184.75.172.1231471379.squirrel@webmail.elsberry.k12.mo.us> <49679B36.9010202@senecac.on.ca> <4967A01A.1020805@senecac.on.ca>
Message-ID: <4967D6F2.8090907@senecac.on.ca>

Kai,

Kai Schaetzl wrote:
> Dave Filchak wrote on Fri, 09 Jan 2009 14:06:02 -0500:
>
>> So I checked the permissions there and the Locks directory is owned by
>> postfix.root and the locks inside are all owned by root.root.
>
> That is *all* wrong. Reread the tutorials for MS+postfix and for MS+clamd
> (you are using clamd, right).
>
> /var/spool/MailScanner/incoming/Locks l
> total 16
> drwxr-x--- 2 root    postfix 4096 Jan  9 23:03 .
> drwxr-xr-x 5 postfix clamav  4096 Jan  9 23:04 ..
> -rw------- 1 postfix postfix    0 Dec 11 17:31 antivirBusy.lock
> -rw------- 1 postfix postfix    0 Dec 11 17:31 avastBusy.lock
> -rw------- 1 postfix postfix    0 Dec 11 17:31 avgBusy.lock
> -rw------- 1 postfix postfix    0 Dec 11 17:31 bitdefenderBusy.lock
> -rw------- 1 postfix postfix  100 Jan  9 23:05 clamavBusy.lock
> -rw------- 1 postfix postfix    0 Dec 11 17:31 cssBusy.lock
> -rw------- 1 postfix postfix    0 Dec 11 17:31 esetsBusy.lock
> -rw------- 1 postfix postfix    0 Dec 11 17:31 etrustBusy.lock
> -rw------- 1 postfix postfix    0 Dec 11 17:31 f-prot-6Busy.lock
> -rw------- 1 postfix postfix    0 Dec 11 17:31 f-protBusy.lock
> -rw------- 1 postfix postfix    0 Dec 11 17:31 f-secureBusy.lock
> -rw------- 1 postfix postfix    0 Dec 11 17:31 genericBusy.lock
> -rw------- 1 postfix postfix    0 Dec 11 17:31 inoculanBusy.lock
> -rw------- 1 postfix postfix    0 Dec 11 17:31 kasperskyBusy.lock
> -rw------- 1 postfix postfix    0 Dec 11 17:31 mcafeeBusy.lock
> -rw------- 1 postfix postfix    0 Jan  7 16:51 MS.bayes.rebuild.lock
> -rw------- 1 postfix postfix    0 Jan  9 23:03 MS.bayes.starting.lock
> -rw------- 1 postfix postfix    0 Dec 11 17:31 nod32Busy.lock
> -rw------- 1 postfix postfix    0 Dec 11 17:31 normanBusy.lock
> -rw------- 1 postfix postfix    0 Dec 11 17:31 pandaBusy.lock
> -rw------- 1 postfix postfix    0 Dec 11 17:31 ravBusy.lock
> -rw------- 1 postfix postfix    0 Dec 11 17:31 sophosBusy.lock
> -rw------- 1 postfix postfix    0 Dec 11 17:31 symscanengineBusy.lock
> -rw------- 1 postfix postfix    0 Dec 11 17:31 trendBusy.lock
> -rw------- 1 postfix postfix    0 Dec 11 17:31 vba32Busy.lock
> -rw------- 1 postfix postfix    0 Dec 11 17:31 vexiraBusy.lock
>
> Kai
>

Well I will definitely reread these. I never specifically set these
permissions anywhere. One would think that these would be created by the
settings in MailScanner.conf .. wouldn't you? There is no specific alternate
user settings in spamassassin so .... something is setting these permissions
this way.

--
Dave Filchak
Instructor, School of Communications Arts
Seneca College @ York
Office: Room 1068

From garvey at pushormitchell.com Fri Jan 9 23:03:33 2009
From: garvey at pushormitchell.com (Joe Garvey)
Date: Fri Jan 9 23:03:42 2009
Subject: Stops after RCVD_IN_BL_SPAMCOP_NET
References:
Message-ID:

Here are the top 15 results from the spamassassin hits.

RCVD_IN_BL_SPAMCOP_NET is sitting at 74,756. There are a few other rules
that hit over 45,000 but it drops dramatically after that with most rules
only being hit with an average of 5,000. With RCVD_IN_BL_SPAMCOP_NET having
such a high hit count compared to everything else it really makes me wonder
why no other rules are getting hit as much as it is.

required 112,503 8,110 7.2 104,393 92.8
DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/) 86,708 1,066 1.2 85,642 98.8
autolearn=spam 84,906 0 0 84,906 100
RCVD_IN_BL_SPAMCOP_NET Received via a relay in bl.spamcop.net 74,756 256 0.3 74,500 99.7
BAYES_99 Bayesian spam probability is 99 to 100% 73,555 87 0.1 73,468 99.9
URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist 66,847 40 0.1 66,807 99.9
URIBL_SBL Contains an URL listed in the SBL blocklist 64,011 15 0 63,996 100
URIBL_SBLXBL Contains a URL listed in the SBL/XBL blocklist 59,950 13 0 59,937 100
URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist 57,969 72 0.1 57,897 99.9
HTML_MESSAGE HTML included in message 57,796 5,932 10.3 51,864 89.7
URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist 54,305 28 0.1 54,277 99.9
URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist 46,946 18 0 46,928 100
RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/) 46,385 227 0.5 46,158 99.5
RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50% 45,793 188 0.4 45,605 99.6
RCVD_IN_XBL Received via a relay in Spamhaus XBL 44,779 2 0 44,777 100
DIGEST_MULTIPLE Message hits more than one network digest check 40,121 50 0.1 40,071 99.9

Here is the values from sa-learn --dump magic

0.000 0 3 0 non-token data: bayes db version
0.000 0 6493 0 non-token data: nspam
0.000 0 847 0 non-token data: nham
0.000 0 207718 0 non-token data: ntokens
0.000 0 1231449300 0 non-token data: oldest atime
0.000 0 1231541795 0 non-token data: newest atime
0.000 0 1231541368 0 non-token data: last journal sync atime
0.000 0 1231519200 0 non-token data: last expiry atime
0.000 0 86400 0 non-token data: last expire atime delta
0.000 0 1792 0 non-token data: last expire reduction count

Thanks
Joe

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Kai Schaetzl
Sent: Friday, January 09, 2009 2:31 PM
To: mailscanner@lists.mailscanner.info
Subject: Re: Stops after RCVD_IN_BL_SPAMCOP_NET

Joe Garvey wrote on Fri, 9 Jan 2009 11:32:49 -0800:

> My /etc/mail/spamassassin/spam.assassin.prefs.conf is a link to /etc/MailScanner/spam.assassin.prefs.conf

right, yes, that's fine then. I sometimes think we are two years ago ;-)

> I find it very confusing and lacking confidence in the system when
> the system provides a score for bl.spamcop.net and don't see any other
> results from any other rules.

Use Mailwatch to check the Rule Hits. Go to Reports/Spamassassin Rule Hits.
I can't see a reason that the spamcop RBL rule stop all processing. Unless
you use short-circuiting and use this rule as short-circuit rule.

> I also converted my bayes database to MySQL. After reviewing the conversion
> I noticed that I have no ham messages in the database. I am loading
> up some from various users to see if this will also make a difference
> as I find the Bayesian score usually shows a negative even for the
> most obvious spam.

Well, I suppose you didn't do "sa-learn --dump magic" before this. It would
have shown you that you have no ham. That symptom would be normal for a
freshly started Bayes DB that gets trained only with autolearning, but you
seem to have it running much longer? This would then indicate that your
autolearning for ham is non-existent because your ham isn't scoring low
enough - which should not happen. What's the dump magic output now?

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
From lists at sequestered.net Fri Jan 9 23:18:38 2009
From: lists at sequestered.net (Corey Chandler)
Date: Fri Jan 9 23:18:49 2009
Subject: Refresh FreeBSD Port?
Message-ID: <4967DB4E.8040003@sequestered.net>

Any idea what the scoop is on porting the newer versions of MailScanner to
FreeBSD? Tossed the port maintainer an email last night and haven't heard
back-- 4.67 is OLD!

--
Corey Chandler / KB1JWQ
Living Legend / Systems Exorcist
Today's Excuse: The new frame relay network hasn't bedded down the software loop transmitter yet

From btj at havleik.no Fri Jan 9 23:19:50 2009
From: btj at havleik.no (Bjørn T Johansen)
Date: Fri Jan 9 23:20:40 2009
Subject: Could not open Bayes rebuild lock file /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock, No such file or directory
In-Reply-To: <4964C5D8.3080308@ecs.soton.ac.uk>
References: <20090106113530.41bc2d32@btj-laptop.asp-as.no> <49633EDC.4020709@ecs.soton.ac.uk> <20090106124443.3882cea3@btj-laptop.asp-as.no> <496346EB.1070200@ecs.soton.ac.uk> <20090106131634.776f66e4@btj-laptop.asp-as.no> <49637AFA.6040905@ecs.soton.ac.uk> <49648C9A.3060706@ecs.soton.ac.uk> <20090107124639.4fc576a4@btj-laptop.asp-as.no> <4964A243.30003@ecs.soton.ac.uk> <20090107135302.6cf5ca15@btj-laptop.asp-as.no> <4964C5D8.3080308@ecs.soton.ac.uk>
Message-ID: <20090110001950.08e10728@pennywise.havleik.no>

Just to let you know that 4.74.15-2 is working fine... :)

BTJ

On Wed, 07 Jan 2009 15:10:16 +0000
Julian Field wrote:

> You might want to try 4.74.15-1 as I have just released that and it
> contains a better version of the fix I have given you.
>
> If you do try it, please let me know if it works okay.
>
> On 7/1/09 12:53, Bjørn T Johansen wrote:
> > Yes, that seems to be working... Thx... :)
> >
> > BTJ
> >
> > On Wed, 07 Jan 2009 12:38:27 +0000
> > Julian Field wrote:
> >
> >> Can you try the attached SA.pm and let me know if it's any better.
> >> Sorry, file locking problems (as usual!).
> >>
> >> On 7/1/09 11:46, Bjørn T Johansen wrote:
> >>
> >>> One problem... Mail is never delivered with the new lock files.... (never = waited 5 minutes but the queue only
> >>> grew larger...)
> >>>
> >>> BTJ
> >>>
> >>> On Wed, 07 Jan 2009 11:06:02 +0000
> >>> Julian Field wrote:
> >>>
> >>>> Attached are two scripts. Both are gzipped to save bandwidth.
> >>>> "mailscanner_create_locks" should be put in /opt/MailScanner/bin if you
> >>>> use the "Other Unix" distribution of MailScanner.
> >>>> "mailscanner_create_locks.redhat" should be put in /usr/sbin and renamed
> >>>> to "mailscanner_create_locks" if you use either of the RPM distributions
> >>>> of MailScanner.
> >>>>
> >>>> Don't forget to make it executable!
> >>>> cd /usr/sbin
> >>>> chmod a+rx mailscanner_create_locks
> >>>>
> >>>> Please let me know if this fixes the problem.
> >>>>
> >>>> On 6/1/09 15:38, Julian Field wrote:
> >>>>
> >>>>> I'll try to remember to check on this one later and get back to you.
> >>>>>
> >>>>> On 6/1/09 12:16, Bjørn T Johansen wrote:
> >>>>>
> >>>>>> I think MailScanner can run the script, at least I have the
> >>>>>> following...:
> >>>>>> (and running the script gives no error messages...)
> >>>>>>
> >>>>>> ls /var/spool/MailScanner/incoming/Locks/ -l
> >>>>>> total 1
> >>>>>> -rw------- 1 root root  0 2009-01-06 10:55 antivirBusy.lock
> >>>>>> -rw------- 1 root root  0 2009-01-06 10:55 avastBusy.lock
> >>>>>> -rw------- 1 root root  0 2009-01-06 10:55 avgBusy.lock
> >>>>>> -rw------- 1 root root  0 2009-01-06 10:55 bitdefenderBusy.lock
> >>>>>> -rw------- 1 root root 50 2009-01-06 13:04 clamavBusy.lock
> >>>>>> -rw------- 1 root root  0 2009-01-06 10:55 cssBusy.lock
> >>>>>> -rw------- 1 root root  0 2009-01-06 10:55 esetsBusy.lock
> >>>>>> -rw------- 1 root root  0 2009-01-06 10:55 etrustBusy.lock
> >>>>>> -rw------- 1 root root  0 2009-01-06 10:55 f-prot-6Busy.lock
> >>>>>> -rw------- 1 root root  0 2009-01-06 10:55 f-protBusy.lock
> >>>>>> -rw------- 1 root root  0 2009-01-06 10:55 f-secureBusy.lock
> >>>>>> -rw------- 1 root root  0 2009-01-06 10:55 genericBusy.lock
> >>>>>> -rw------- 1 root root  0 2009-01-06 10:55 inoculanBusy.lock
> >>>>>> -rw------- 1 root root  0 2009-01-06 10:55 kasperskyBusy.lock
> >>>>>> -rw------- 1 root root  0 2009-01-06 10:55 mcafeeBusy.lock
> >>>>>> -rw------- 1 root root  0 2009-01-06 10:55 nod32Busy.lock
> >>>>>> -rw------- 1 root root  0 2009-01-06 10:55 normanBusy.lock
> >>>>>> -rw------- 1 root root  0 2009-01-06 10:55 pandaBusy.lock
> >>>>>> -rw------- 1 root root  0 2009-01-06 10:55 ravBusy.lock
> >>>>>> -rw------- 1 root root  0 2009-01-06 10:55 sophosBusy.lock
> >>>>>> -rw------- 1 root root  0 2009-01-06 10:55 symscanengineBusy.lock
> >>>>>> -rw------- 1 root root  0 2009-01-06 10:55 trendBusy.lock
> >>>>>> -rw------- 1 root root  0 2009-01-06 10:55 vba32Busy.lock
> >>>>>> -rw------- 1 root root  0 2009-01-06 10:55 vexiraBusy.lock
> >>>>>>
> >>>>>> But MS.bayes.rebuild.lock is missing?
> >>>>>>
> >>>>>> BTJ
> >>>>>>
> >>>>>> On Tue, 06 Jan 2009 11:56:27 +0000
> >>>>>> Julian Field wrote:
> >>>>>>
> >>>>>>> On 6/1/09 11:44, Bjørn T Johansen wrote:
> >>>>>>>
> >>>>>>>> I just ran the install.sh script like I always do...
> >>>>>>>> I am running on Linux, Ubuntu Server and use the tar.gz
> >>>>>>>> distribution of MailScanner.. (Version 4.74.13-2 for Solaris / BSD
> >>>>>>>> / Other Linux / Other
> >>>>>>>> Unix )
> >>>>>>>>
> >>>>>>>> Do I need to do more? I had version 4.70 before I upgraded....
> >>>>>>>>
> >>>>>>> There's a new script in the bin directory called
> >>>>>>> mailscanner_create_locks, you need to make sure MailScanner can run
> >>>>>>> that
> >>>>>>> from /opt/MailScanner/bin.
> >>>>>>>
> >>>>>>>> BTJ
> >>>>>>>>
> >>>>>>>> On Tue, 06 Jan 2009 11:22:04 +0000
> >>>>>>>> Julian Field wrote:
> >>>>>>>>
> >>>>>>>>> What OS? What distribution of MailScanner? Did you install all the
> >>>>>>>>> parts
> >>>>>>>>> of MailScanner, including any new scripts I might have added to the
> >>>>>>>>> "bin" directory?
> >>>>>>>>> If you only install half of it, funnily enough it won't work :-)
> >>>>>>>>>
> >>>>>>>>> Jules.
> >>>>>>>>>
> >>>>>>>>> On 6/1/09 10:35, Bjørn T Johansen wrote:
> >>>>>>>>>
> >>>>>>>>>> I upgraded to version 4.74 and I now get a lot of these in the
> >>>>>>>>>> log..:
> >>>>>>>>>>
> >>>>>>>>>> Jan 6 11:17:50 pat MailScanner[11207]: New Batch: Scanning 1
> >>>>>>>>>> messages, 7216 bytes
> >>>>>>>>>> Jan 6 11:17:51 pat MailScanner[11207]: Could not open Bayes
> >>>>>>>>>> rebuild lock file
> >>>>>>>>>> /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock, No
> >>>>>>>>>> such file or directory
> >>>>>>>>>> Jan 6 11:17:51 pat MailScanner[11207]: At start of SA checks
> >>>>>>>>>> could not open
> >>>>>>>>>> /var/spool/MailScanner/incoming/Locks/MS.bayes.rebuild.lock,
> >>>>>>>>>> Jan 6 11:17:58 pat MailScanner[11207]: Virus and Content
> >>>>>>>>>> Scanning: Starting
> >>>>>>>>>>
> >>>>>>>>>> Why? And what can I do to fix this?
> >>>>>>>>>>
> >>>>>>>>>> Regards,
> >>>>>>>>>>
> >>>>>>>>>> BTJ
> >>>>>>>>>>
> >>>>>>>>> Jules
> >>>>>>>>>
> >>>>>>> Jules
> >>>>>>>
> >>>>> Jules
> >>>>>
> >>>> Jules
> >>>>
> >> Jules
> >>
>
> Jules

From steve.freegard at fsl.com Fri Jan 9 23:28:43 2009
From: steve.freegard at fsl.com (Steve Freegard)
Date: Fri Jan 9 23:28:54 2009
Subject: Stops after RCVD_IN_BL_SPAMCOP_NET
In-Reply-To:
References:
Message-ID: <4967DDAB.6030205@fsl.com>

Joe Garvey wrote:
> Here are the top 15 results from the spamassassin hits.
>
> RCVD_IN_BL_SPAMCOP_NET is sitting at 74,756. There are a few other rules that hit over 45,000 but it drops dramatically after that with most rules only being hit with an average of 5,000. With RCVD_IN_BL_SPAMCOP_NET having such as high hit count compared to everything else it really makes me wonder why no other rules are getting hit as much as it is.

Maybe it's just the style of the traffic your system gets and there's
nothing wrong with your configuration?

Why not analyse where the hits are coming from and see if you're just
getting a lot of connections from the same hosts; as you're running
MailWatch - you could try running the following SQL:

    SELECT clientip, COUNT(*) as count FROM maillog
    WHERE date >= CURRENT_DATE() - INTERVAL 7 DAY
      AND spamreport LIKE '%RCVD_IN_BL_SPAMCOP_NET%'
    GROUP BY clientip  -- one row per connecting host, so COUNT(*) is a per-host total
    ORDER BY count DESC;

All I know is that if I got that many hits on Spamcop - I'd be blocking
it all in my MTA instead....

> DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/) 86,708 1,066 1.2 85,642 98.8
> RCVD_IN_BL_SPAMCOP_NET Received via a relay in bl.spamcop.net 74,756 256 0.3 74,500 99.7
> BAYES_99 Bayesian spam probability is 99 to 100% 73,555 87 0.1 73,468 99.9
> URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist 66,847 40 0.1 66,807 99.9
> URIBL_SBL Contains an URL listed in the SBL blocklist 64,011 15 0 63,996 100
> URIBL_SBLXBL Contains a URL listed in the SBL/XBL blocklist 59,950 13 0 59,937 100
> URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist 57,969 72 0.1 57,897 99.9
> HTML_MESSAGE HTML included in message 57,796 5,932 10.3 51,864 89.7
> URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist 54,305 28 0.1 54,277 99.9
> URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist 46,946 18 0 46,928 100
> RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/) 46,385 227 0.5 46,158 99.5
> RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50% 45,793 188 0.4 45,605 99.6
> RCVD_IN_XBL Received via a relay in Spamhaus XBL 44,779 2 0 44,777 100
> DIGEST_MULTIPLE Message hits more than one network digest check 40,121 50 0.1 40,071 99.9

Based on the above - this doesn't look too bad to me....

Cheers,
Steve.

From chokimbo at gmail.com Sat Jan 10 08:33:43 2009
From: chokimbo at gmail.com (ichwan nur hakim)
Date: Sat Jan 10 08:33:53 2009
Subject: block spoofing mail
Message-ID: <928434630901100033l3381ec9ifec81d6844b03e0@mail.gmail.com>

hi guys,

how block spoofing mail with mailscanner..?? coz my office mail very much
recipient spoofing mail.

Thank's

From maillists at conactive.com Sat Jan 10 09:31:16 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Sat Jan 10 09:31:32 2009
Subject: Stops after RCVD_IN_BL_SPAMCOP_NET
In-Reply-To:
References:
Message-ID:

Joe Garvey wrote on Fri, 9 Jan 2009 15:03:33 -0800:

> There are a few other
> rules that hit over 45,000 but it drops dramatically after that with
> most rules only being hit with an average of 5,000.

this is absolutely normal. If all hits were hitting each spam we could
reduce the number of SA rules to 20. If you are using extra rulesets you
may assess them this way and decide if they are (still) worth it.

> With RCVD_IN_BL_SPAMCOP_NET
> having such as high hit count compared to everything else it really
> makes me wonder why no other rules are getting hit as much as it is.

because rules like spamcop and spamhaus are best used at MTA level to spare
your MS/SA a lot of processing.

>
> required 112,503 8,110 7.2 104,393 92.8
> DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc) 86,708 1,066 1.2 85,642 98.8
> autolearn=spam 84,906 0 0 84,906 100
> RCVD_IN_BL_SPAMCOP_NET Received via a relay in bl.spamcop.net 74,756 256 0.3 74,500 99.7
> BAYES_99 Bayesian spam probability is 99 to 100% 73,555 87 0.1 73,468 99.9
> URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist 66,847 40 0.1 66,807 99.9
> URIBL_SBL Contains an URL listed in the SBL blocklist 64,011 15 0 63,996 100
> URIBL_SBLXBL Contains a URL listed in the SBL/XBL blocklist 59,950 13 0 59,937 100
> URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist 57,969 72 0.1 57,897 99.9
> HTML_MESSAGE HTML included in message 57,796 5,932 10.3 51,864 89.7
> URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist 54,305 28 0.1 54,277 99.9
> URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist 46,946 18 0 46,928 100
> RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net) 46,385 227 0.5 46,158 99.5
> RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50% 45,793 188 0.4 45,605 99.6
> RCVD_IN_XBL Received via a relay in Spamhaus XBL 44,779 2 0 44,777 100
> DIGEST_MULTIPLE Message hits more than one network digest check 40,121 50 0.1 40,071 99.9

This is all very well.

> Here is the values from sa-learn --dump magic
> 0.000 0 3 0 non-token data: bayes db version
> 0.000 0 6493 0 non-token data: nspam
> 0.000 0 847 0 non-token data: nham
> 0.000 0 207718 0 non-token data: ntokens
> 0.000 0 1231449300 0 non-token data: oldest atime
> 0.000 0 1231541795 0 non-token data: newest atime
> 0.000 0 1231541368 0 non-token data: last journal sync atime
> 0.000 0 1231519200 0 non-token data: last expiry atime
> 0.000 0 86400 0 non-token data: last expire atime delta
> 0.000 0 1792 0 non-token data: last expire reduction count

this is all very well, except that you are slashing your bayes db each day,
your latest token is from one day ago. I wouldn't that.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Sat Jan 10 10:31:16 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Sat Jan 10 10:31:31 2009
Subject: block spoofing mail
In-Reply-To: <928434630901100033l3381ec9ifec81d6844b03e0@mail.gmail.com>
References: <928434630901100033l3381ec9ifec81d6844b03e0@mail.gmail.com>
Message-ID:

Ichwan nur hakim wrote on Sat, 10 Jan 2009 15:33:43 +0700:

> how block spoofing mail with mailscanner..??

You do realize that your question is ambiguous and that you don't provide
much information. It's of the same "quality" as your question a few days
ago. I consider this *impolite*. If you continue this way you won't grow
happy on mailing lists.

So, assuming the most probable meaning: you don't need to if you didn't
whitelist yourself. Most of these should score like other spam does.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Sat Jan 10 10:31:16 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Sat Jan 10 10:31:32 2009
Subject: identical messages -- some get bayes score, some don't
In-Reply-To: <55910.204.184.75.172.1231537026.squirrel@webmail.elsberry.k12.mo.us>
References: <60382.204.184.75.172.1231471379.squirrel@webmail.elsberry.k12.mo.us> <55910.204.184.75.172.1231537026.squirrel@webmail.elsberry.k12.mo.us>
Message-ID:

Cannon Watts wrote on Fri, 9 Jan 2009 15:37:06 -0600 (CST):

> Probably getting beyond the scope of this list, but any tips on debugging
> this? This particular box is running its own caching DNS that, prior to
> seeing that debugging info, I would have said works perfectly.

look which tests timeout, if it are always the same and then do some manual
tests against these RBLs.

> How would I go about disabling 'some of these tests'? set skip_rbl_checks
> in /etc/mamil/spamassassin/mailscanner.cf?

yes (this doesn't shut off URIBL tests).

> I don't understand how permissions could be an issue given the
> circumstances. SpamAssassin is running as root, and all of these messages
> are in the same mailbox -- it's not as if they're owned by different users.

I didn't know as what user you were running this. You are right it should
not be an issue then, but still could be when running via MS.

>
> I did run each message separately through spamassassin -D. This time they
> all received Bayes scores, with 15 scoring BAYES_50 and 13 scoring BAYES_60.
> All of them generated the dns timeouts, but only 19 of the 28 generated the
> bayes timeout.

But all got a BAYES score. So, there were timeouts but the second or third
or so try worked. I haven't ever seen this. My first thought would be that
too many Bayes lookups occur. I don't know how this locking works and I now
have mostly SQL setups. You may want to move to SQL, this should avoid this,
anyway. If you can't overcome this problem I'd go to the SA list for further
help.

>
> I don't see any suspicious lock files, but then I'm not sure what I'm
> looking for.

A file ending in .lock or lock.hostname in the bayes directory?

>
> I suppose there could be a performance problem, but considering I just
> moved this server from a 933 Mhz Pentium with less than a gig of ram
> (where it
> was working reasonably well) to a 2 GHz quad-core w/ 4 GB of RAM and 15k
> rpm disks (where I've never seen the system load go over 0.5), I tend to
> look elsewhere first.

I agree it doesn't look like it should be underpowered. But it depends on
the number of messages you process each day. How many? How long does a
spamassassin --lint run take? (use time).

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Sat Jan 10 10:31:16 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Sat Jan 10 10:31:34 2009
Subject: Anti-spear-phishing, round 2
In-Reply-To:
References: <4963D91A.9060304@ecs.soton.ac.uk> <4965292E.1070209@ecs.soton.ac.uk> <49664631.2020207@ecs.soton.ac.uk> <49672BCE.1030603@ecs.soton.ac.uk>
Message-ID:

Guy Story KC5GOI wrote on Fri, 9 Jan 2009 12:57:38 -0600:

> I took the list from Google
> and massaged it to it fit the format for use as the spam.blacklist.rule
> file, is that any less efficient as far as MS is concerned?

Much less. Just read what Jules script does.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From glenn.steen at gmail.com Sat Jan 10 11:21:45 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Jan 10 11:21:55 2009
Subject: identical messages -- some get bayes score, some don't
In-Reply-To: <55910.204.184.75.172.1231537026.squirrel@webmail.elsberry.k12.mo.us>
References: <60382.204.184.75.172.1231471379.squirrel@webmail.elsberry.k12.mo.us> <55910.204.184.75.172.1231537026.squirrel@webmail.elsberry.k12.mo.us>
Message-ID: <223f97700901100321m3ed6cdf1oaf1fa61371961c1@mail.gmail.com>

2009/1/9 Cannon Watts :
> On Fri, January 9, 2009 5:31 am, Kai Schaetzl wrote:
>> Cannon Watts wrote on Thu, 8 Jan 2009 21:22:59 -0600 (CST):
>>
>>> [2456] dbg: async: starting: URI-DNSBL,
>>> DNSBL:dob.sibl.support-intelligence.net:agentbenefitsteam.com
>>> (timeout 10.0s, min 2.0s)
>>>
>>> [2456] dbg: async: starting: URI-NS,
>>> NS:agentbenefitsteam.com
>>> (timeout 10.0s, min 2.0s)
>>>
>>> [2456] dbg: async: starting: DNSBL-A,
>>> dns:A:154.248.19.72.plus.bondedsender.org.
>>> (timeout 10.0s, min 2.0s)
>>>
>>> [2456] dbg: async: starting: DNSBL-TXT,
>>> dns:TXT:154.248.19.72.bl.spamcop.net.
>>> (timeout 10.0s, min 2.0s)
>>
>> there's a problem with your DNS or caching ns. Until you haven't solved
>> that better disable network tests. Even after you are ok again you may
>> want to disable some of these tests as they are not worth it.
>
> Probably getting beyond the scope of this list, but any tips on debugging
> this? This particular box is running its own caching DNS that, prior to
> seeing that debugging info, I would have said works perfectly. Dozens of
> clients on our local network use that DNS server without a problem, not
> to mention the fact that sendmail on this same machine has no DNS problems.
>
> How would I go about disabling 'some of these tests'? set skip_rbl_checks
> in /etc/mamil/spamassassin/mailscanner.cf?
>
>
>>> And perhaps most importantly:
>>> [2456] dbg: locker: safe_lock: trying to get lock on
>>> /etc/MailScanner/bayes/bayes with 10 timeout
>>
>> check the permissions, look for existing lock files and remove them.
>> Apparently, this didn't happen for all messages. So, check messages one by
>> one and see if it then still happens. Maybe there's a performance problem?
>
> I don't understand how permissions could be an issue given the
> circumstances. SpamAssassin is running as root, and all of these messages
> are in the same mailbox -- it's not as if they're owned by different users.
>
> I did run each message separately through spamassassin -D. This time they
> all received Bayes scores, with 15 scoring BAYES_50 and 13 scoring BAYES_60.
> All of them generated the dns timeouts, but only 19 of the 28 generated the
> bayes timeout.
>
> I don't see any suspicious lock files, but then I'm not sure what I'm
> looking for.
>

Do you have a very large bayes_seen file? If so... remove it. Then redo
the tests and see if things aren't better.
Or do you have any expire files, from failed expiry runs?

> I suppose there could be a performance problem, but considering I just
> moved this server from a 933 Mhz Pentium with less than a gig of ram
> (where it
> was working reasonably well) to a 2 GHz quad-core w/ 4 GB of RAM and 15k
> rpm disks (where I've never seen the system load go over 0.5), I tend to
> look elsewhere first.
>

Ok, so this situation popped up right after the move?

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From MailScanner at rowley-cs.co.uk Sat Jan 10 11:33:02 2009
From: MailScanner at rowley-cs.co.uk (MailScanner) Date: Sat Jan 10 11:33:43 2009 Subject: Outbound mal stuck In-Reply-To: <4967AED1.6060101@USherbrooke.ca> References: <45B4F94BF79F16438AB6EBA4BB5F3FBC4ECE4A0B20@hercules.rowley-cs.co.uk> <49679E4A.6020501@xpear.de> <45B4F94BF79F16438AB6EBA4BB5F3FBC4ECE4A0B23@hercules.rowley-cs.co.uk> <4967A4AF.4080705@USherbrooke.ca> <45B4F94BF79F16438AB6EBA4BB5F3FBC4ECE4A0B24@hercules.rowley-cs.co.uk> <4967A8A1.4080704@xpear.de> <45B4F94BF79F16438AB6EBA4BB5F3FBC4ECE4A0B25@hercules.rowley-cs.co.uk> <4967AED1.6060101@USherbrooke.ca> Message-ID: <45B4F94BF79F16438AB6EBA4BB5F3FBC4ECE4A0B26@hercules.rowley-cs.co.uk> Thx Denis, That certainly does work. Thx again. Bill -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Denis Beauchemin Sent: 09 January 2009 20:09 To: MailScanner discussion Subject: Re: Outbound mal stuck MailScanner wrote: > I have restarted the MS and nothing changed. > Service MailScanner restart. > Everything started Ok but I still see the attempted delivery. > Any idea why? > > Thx > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of traced > Sent: 09 January 2009 19:42 > To: MailScanner discussion > Subject: Re: Outbound mal stuckservice > > MailScanner wrote: > >> Thx for replying. >> That is exactly what I am seeing. >> How do I kill the attempted delivery? >> Plz advice. >> >> Thx >> >> > > Have you simply tried to restart sendmail? > > Restarting MS doesn't kill existing sendmail processes. If you removed the df and qf files from /var/spool/mqueue and you made sure no sendmail process is still trying to deliver that email (look at the output of ps) then delivery attempts could no longer occur. Denis -- _ °v° Denis Beauchemin, analyste /(_)\ Université de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045 From MailScanner at ecs.soton.ac.uk Sat Jan 10 12:03:08 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sat Jan 10 12:03:26 2009 Subject: General Thankyou In-Reply-To: <49679B36.9010202@senecac.on.ca> References: <60382.204.184.75.172.1231471379.squirrel@webmail.elsberry.k12.mo.us> <49679B36.9010202@senecac.on.ca> Message-ID: <49688E7C.6060106@ecs.soton.ac.uk> On 9/1/09 18:45, Dave Filchak wrote: > Just wanted to pass on my thanks to Kai, Glenn and Scott and any I > missed, for helping me with my MS Upgrade issues. As I said, it had > been a while since I had dealt with this stuff so it was a bit of a > learning curve. It all seems to be working pretty well now so I will > be watching it closely over the next few days. Just need to do a bit > of tweaking with the rules I think. > > As the version I was using was pretty old, is there anywhere I can > find an explanation of the new config directives since 4.6.x ? They are all mentioned in the ChangeLog, if you want to find specifically what options are new since your previous version. > > Again, thank you everyone for your help. > > Dave Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc From gesbbb at yahoo.com Sat Jan 10 13:12:49 2009 
From: gesbbb at yahoo.com (Jerry) Date: Sat Jan 10 13:13:11 2009 Subject: Refresh FreeBSD Port? In-Reply-To: <4967DB4E.8040003@sequestered.net> References: <4967DB4E.8040003@sequestered.net> Message-ID: <20090110081249.3e1fd5bc@scorpio> On Fri, 09 Jan 2009 15:18:38 -0800 Corey Chandler wrote: >Any idea what the scoop is on porting the newer versions of >MailScanner to FreeBSD? > >Tossed the port maintainer an email last night and haven't heard >back-- 4.67 is OLD! Maybe he has a day job! In any event, FBSD has just come out of a 'ports slush' condition. Over a thousand updated ports have been released in the past 72 hours. I am personally waiting on an updated one I submitted to be released. In any event, have you offered your services to the port maintainer: j.koopmann@seceidos.de He might appreciate it. -- Jerry gesbbb@yahoo.com If you hands are clean and your cause is just and your demands are reasonable, at least it's a start. From root at doctor.nl2k.ab.ca Sat Jan 10 14:12:12 2009 
From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem) Date: Sat Jan 10 14:13:39 2009 Subject: Refresh FreeBSD Port? In-Reply-To: <20090110081249.3e1fd5bc@scorpio> References: <4967DB4E.8040003@sequestered.net> <20090110081249.3e1fd5bc@scorpio> Message-ID: <20090110141212.GA27718@doctor.nl2k.ab.ca> On Sat, Jan 10, 2009 at 08:12:49AM -0500, Jerry wrote: > On Fri, 09 Jan 2009 15:18:38 -0800 > Corey Chandler wrote: > > >Any idea what the scoop is on porting the newer versions of > >MailScanner to FreeBSD? > > > >Tossed the port maintainer an email last night and haven't heard > >back-- 4.67 is OLD! > > Maybe he has a day job! In any event, FBSD has just come out of a > 'ports slush' condition. Over a thousand updated ports have been > released in the past 72 hours. I am personally waiting on an updated > one I submitted to be released. > > In any event, have you offered your services to the port maintainer: > > j.koopmann@seceidos.de > > He might appreciate it. > Who knows why they are not keeping up? I just compiled raw and it works on the FreeBSD Boxes here. > -- > Jerry > gesbbb@yahoo.com > > If you hands are clean and your cause is just > and your demands are reasonable, at least it's a start. From chokimbo at gmail.com Sat Jan 10 15:08:07 2009 
From: chokimbo at gmail.com (ichwan nur hakim) Date: Sat Jan 10 15:08:18 2009 Subject: block spoofing mail In-Reply-To: References: <928434630901100033l3381ec9ifec81d6844b03e0@mail.gmail.com> Message-ID: <928434630901100708j3b404629le14a10eb77e30f60@mail.gmail.com> Kai, I'm sorry for the inconvenience, not my intention to not complacent, cause my English is not good. But I need help from this forum for my case. Once again I'm sorry. Thanks On Sat, Jan 10, 2009 at 5:31 PM, Kai Schaetzl wrote: > Ichwan nur hakim wrote on Sat, 10 Jan 2009 15:33:43 +0700: > > > how block spoofing mail with mailscanner..?? > > You do realize that your question is ambiguous and that you don't provide > much information. It's of the same "quality" as your question a few days > ago. I consider this *impolite*. If you continue this way you won't grow > happy on mailing lists. > So, assuming the most probable meaning: you don't need to if you didn't > whitelist yourself. Most of these should score like other spam does. > > Kai > > -- > Kai Schätzl, Berlin, Germany > Get your web at Conactive Internet Services: http://www.conactive.com > From gesbbb at yahoo.com Sat Jan 10 15:09:23 2009 
From: gesbbb at yahoo.com (Jerry) Date: Sat Jan 10 15:09:36 2009 Subject: Refresh FreeBSD Port? In-Reply-To: <20090110141212.GA27718@doctor.nl2k.ab.ca> References: <4967DB4E.8040003@sequestered.net> <20090110081249.3e1fd5bc@scorpio> <20090110141212.GA27718@doctor.nl2k.ab.ca> Message-ID: <20090110100923.54375d98@scorpio> On Sat, 10 Jan 2009 07:12:12 -0700 "Dave Shariff Yadallee" wrote: [snip] >Who knows why they are not keeping up? > >I just compiled raw and it works on the FreeBSD Boxes here. I just checked the FreeBSD 'Makefile' for Mailscanner. There are several 'patches' that are applied as well as PATH modifications, etc. to the basic Mailscanner installation. If it works for you, then fine. If it suddenly starts failing, you will need to completely remove your custom installation and then use the FreeBSD ports system. In fact, you would probably be better off removing the Mailscanner port prior to installing from source anyway. Since they install in different locations, unless you manually modified it, it would help to avoid any unnecessary problems. -- Jerry gesbbb@yahoo.com The difference between dogs and cats is that dogs come when they're called. Cats take a message and get back to you. From lauasanf at wilderness.homeip.net Sat Jan 10 15:44:19 2009 
From: lauasanf at wilderness.homeip.net (Drew Sanford) Date: Sat Jan 10 15:44:48 2009 Subject: bayes_auto_learn_threshold settings? Message-ID: <4968C253.8020705@wilderness.homeip.net> Hello, I have been looking for the bayes auto learn settings in my Mailscanner configs but cannot locate them. I suspect they should be in the spam.assassin.prefs.conf file, but don't actually see them listed. I have attempted to manually set bayes to auto learn spam at 10.0 with the following line: bayes_auto_learn_threshold_spam 10.0 However, I still have messages scoring as high as 13 that are not auto learned. Have I approached this the wrong way, or does anyone have any additional pointers? Thanks. Drew From shuttlebox at gmail.com Sat Jan 10 16:04:11 2009 From: shuttlebox at gmail.com (shuttlebox) Date: Sat Jan 10 16:04:21 2009 Subject: bayes_auto_learn_threshold settings? In-Reply-To: <4968C253.8020705@wilderness.homeip.net> References: <4968C253.8020705@wilderness.homeip.net> Message-ID: <625385e30901100804p6aa3fe1dkbe47300b40335425@mail.gmail.com> On Sat, Jan 10, 2009 at 4:44 PM, Drew Sanford wrote: > Hello, > I have been looking for the bayes auto learn settings in my > Mailscanner configs but cannot locate them. I suspect they should be in the > spam.assassin.prefs.conf file, but don't actually see them listed. I have > attempted to manually set bayes to auto learn spam at 10.0 with the > following line: > > bayes_auto_learn_threshold_spam 10.0 > > However, I still have messages scoring as high as 13 that are not auto > learned. Have I approached this the wrong way, or does anyone have any > additional pointers? Thanks. It needs to score enough in both header and body checks so just because your example score was somewhat higher than the threshold doesn't necessarily mean it will be used since it was probably weak scoring in some aspect. Quite common when the score is slightly above the threshold. -- /peter From maillists at conactive.com Sat Jan 10 16:31:17 2009 
From: maillists at conactive.com (Kai Schaetzl) Date: Sat Jan 10 16:31:34 2009 Subject: block spoofing mail In-Reply-To: <928434630901100708j3b404629le14a10eb77e30f60@mail.gmail.com> References: <928434630901100033l3381ec9ifec81d6844b03e0@mail.gmail.com> <928434630901100708j3b404629le14a10eb77e30f60@mail.gmail.com> Message-ID: Still nobody does know where you need help with. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From rich at mail.wvnet.edu Sat Jan 10 16:34:09 2009 
From: rich at mail.wvnet.edu (Richard Lynch) Date: Sat Jan 10 16:34:23 2009 Subject: block spoofing mail In-Reply-To: <928434630901100708j3b404629le14a10eb77e30f60@mail.gmail.com> References: <928434630901100033l3381ec9ifec81d6844b03e0@mail.gmail.com> <928434630901100708j3b404629le14a10eb77e30f60@mail.gmail.com> Message-ID: <4968CE01.2040000@mail.wvnet.edu> ichwan nur hakim wrote: > Kai, > > I'm sorry for the inconvenience, not my intention to not complacent, > cause my English is not good. > But I need help from this forum for my case. > Once again I'm sorry. In order to help you the people in this forum need specifics about your mail configuration and the details of the problem you're trying to solve. Without that all I can offer is... Read up on using SPF DNS records for your domain and about SPF validation from your MTA. See... http://www.openspf.org ...and... http://www.snertsoft.com/sendmail/milter-spiff/ Also, consider the commercial product BarricadeMX which has SPF testing built-in. Richard Lynch WVNET > > > Thanks > > On Sat, Jan 10, 2009 at 5:31 PM, Kai Schaetzl > wrote: > > Ichwan nur hakim wrote on Sat, 10 Jan 2009 15:33:43 +0700: > > > how block spoofing mail with mailscanner..?? > > You do realize that your question is ambiguous and that you don't > provide > much information. It's of the same "quality" as your question a > few days > ago. I consider this *impolite*. If you continue this way you > won't grow > happy on mailing lists. > So, assuming the most probable meaning: you don't need to if you > didn't > whitelist yourself. Most of these should score like other spam does. 
> > Kai > > -- > Kai Schätzl, Berlin, Germany > Get your web at Conactive Internet Services: http://www.conactive.com > > From cwatts at elsberry.k12.mo.us Sat Jan 10 17:28:13 2009 
From: cwatts at elsberry.k12.mo.us (Cannon Watts) Date: Sat Jan 10 17:29:51 2009 Subject: identical messages -- some get bayes score, some don't In-Reply-To: References: <60382.204.184.75.172.1231471379.squirrel@webmail.elsberry.k12.mo.us> <55910.204.184.75.172.1231537026.squirrel@webmail.elsberry.k12.mo.us> Message-ID: <41554.204.184.75.172.1231608493.squirrel@webmail.elsberry.k12.mo.us> On Sat, January 10, 2009 4:31 am, Kai Schaetzl wrote: > Cannon Watts wrote on Fri, 9 Jan 2009 15:37:06 -0600 (CST): > >> Probably getting beyond the scope of this list, but any tips on >> debugging >> this? This particular box is running its own caching DNS that, prior to >> seeing that debugging info, I would have said works perfectly. > > look which tests timeout, if it are always the same and then do some > manual > tests against these RBLs. > >> How would I go about disabling 'some of these tests'? set >> skip_rbl_checks >> in /etc/mamil/spamassassin/mailscanner.cf? > > yes (this doesn't shut off URIBL tests). Thanks, that certainly cuts down on the timeouts, The URIBL tests are still generating 281 timeouts on those 28 messages, but that's a minor concern now that the bayes issues seem to be sorted out (see below). > >> >> I suppose there could be a performance problem, but considering I just >> moved this server from a 933 Mhz Pentium with less than a gig of ram >> (where it >> was working reasonably well) to a 2 GHz quad-core w/ 4 GB of RAM and 15k >> rpm disks (where I've never seen the system load go over 0.5), I tend to >> look elsewhere first. > > I agree it doesn't look like it should be underpowered. But it depends on > the > number of messages you process each day. How many? How long does a > spamassassin --lint run take? (use time). It probably averages around 6000 per day. 'time spamassassin --lint' returns real 0m2.450s user 0m2.309s sys 0m0.141s I ran spamassassin --lint -D, and did find something peculiar in the output. 
dbg: bayes: tie-ing to DB file R/O /etc/MailScanner/bayes/bayes_toks dbg: bayes: tie-ing to DB file R/O /etc/MailScanner/bayes/bayes_seen ..... dbg: bayes: not available for scanning, only 0 spam(s) in bayes DB < 200 /etc/MailScanner/bayes is the correct location for those files, and sa-learn has been updating them without any errors, but something is obviously not right. I moved the old bayes_toks and bayes_seen files, then fed bayes around 500 spams and hams via sa-learn to create a new database. Now, running spamassassin on those 28 messages generates a BAYES_99 score for each one with no bayes timeouts. I guess my database was either corrupt, or just too big. Will have to spend some time re-training bayes, but I'm hopeful that part of the problem is solved. Thanks again for your help. Cannon From cwatts at elsberry.k12.mo.us Sat Jan 10 17:28:19 2009 
From: cwatts at elsberry.k12.mo.us (Cannon Watts) Date: Sat Jan 10 17:29:56 2009 Subject: identical messages -- some get bayes score, some don't In-Reply-To: <223f97700901100321m3ed6cdf1oaf1fa61371961c1@mail.gmail.com> References: <60382.204.184.75.172.1231471379.squirrel@webmail.elsberry.k12.mo.us> <55910.204.184.75.172.1231537026.squirrel@webmail.elsberry.k12.mo.us> <223f97700901100321m3ed6cdf1oaf1fa61371961c1@mail.gmail.com> Message-ID: <59732.204.184.75.172.1231608499.squirrel@webmail.elsberry.k12.mo.us> On Sat, January 10, 2009 5:21 am, Glenn Steen wrote: > Do you have a very large bayes_seen file? If so... remove it. Then > redo the tests and see if things aren't better. > Or do you have any expire files, from failed expiry runs? I think that was the problem. After removing bayes_seen and bayes_toks, then rebuilding them by feeding 500 or so hams and spams to sa-learn, the bayes timeouts seem to be fixed. > Ok, so this situation popped up right after the move? Not really. I made the move because I was having the same situation on the old box. I didn't do a lot of debugging there because that machine was so overtaxed, I just assumed that was the root of the problem. Thanks, Cannon From kc5goi at gmail.com Sat Jan 10 17:55:24 2009 
From: kc5goi at gmail.com (Guy Story KC5GOI) Date: Sat Jan 10 17:55:39 2009 Subject: Anti-spear-phishing, round 2 In-Reply-To: <2360480.141231610032484.JavaMail.gstory@gstory-laptop> Message-ID: <14149359.161231610122759.JavaMail.gstory@gstory-laptop> Kai, I need to clarify my question then. I did read over the script and if I understand it, please bear in mind I do not pretend to program, that it downloads the data from Google and turns it into a rule for SA. The rule itself provides inbound, outbound and content filtering using the email addresses that are provided by the Google list. Between Jules postings and the comments in the script, if I am understanding it correctly, then that is a huge testimony on Jules commenting in the file. That is a huge help for non-programmers and I thank him. I understand that since I do not have the current release of MS that I can not take full advantage of what Jules has done. I am currently using 7.10 of Ubuntu so I need to make sure that I can satisfy the dependencies to perform the upgrade. This is a time issue since I am a one man department. As a temporary solution I downloaded the list and used it to create a list that I added to my spam blacklist rule with FromOrTo so I can filter on two of three points. The downside to my current approach is lack of content scanning and a manual updating process instead of using Jules script in cron.hourly. Not ideal but a start. It takes me 5 minutes to do this where Jules script probably does it in less than 30 seconds (download, convert, copy and restart MS) and is more current. I might do this once a week. I understand that the address list could update literally on an hourly basis. The rate of updates is up to Google and I have not read through the project fully yet. My original and poorly worded question was more along the lines of how much work MS has to do using the list of addresses in the spam blacklist versus a SA rule. 
Is it more work processing the blacklist than the SA rule? Guy ----- Original Message ----- From: "Kai Schaetzl" To: mailscanner@lists.mailscanner.info Sent: Saturday, January 10, 2009 4:31:16 AM GMT -06:00 US/Canada Central Subject: Re: Anti-spear-phishing, round 2 Guy Story KC5GOI wrote on Fri, 9 Jan 2009 12:57:38 -0600: > I took the list from Google > and massaged it to fit the format for use as the spam.blacklist.rule > file, is that any less efficient as far as MS is concerned? Much less. Just read what Jules script does. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From paul at welshfamily.com Sun Jan 11 00:49:12 2009 From: paul at welshfamily.com (Paul Welsh) Date: Sun Jan 11 00:49:30 2009 Subject: Redirecting spam In-Reply-To: <200812141201.mBEC0ekF011758@safir.blacknight.ie> Message-ID: <200901110049.n0B0nLJp016057@safir.blacknight.ie> This has probably been asked a million times (but can't find it searching the list). I note that Spam Actions = forward forwards a *copy* of the message to another address. What I wish to do is to redirect the message to another address where it can be evaluated manually and forwarded on if not spam. Can I use delete forward or is store forward my only option? From cwatts at elsberry.k12.mo.us Sun Jan 11 03:08:43 2009 
From: cwatts at elsberry.k12.mo.us (Cannon Watts) Date: Sun Jan 11 03:10:13 2009 Subject: Redirecting spam In-Reply-To: <200901110049.n0B0nLJp016057@safir.blacknight.ie> References: <200812141201.mBEC0ekF011758@safir.blacknight.ie> <200901110049.n0B0nLJp016057@safir.blacknight.ie> Message-ID: <20090111030843.GB27431@elsberry.k12.mo.us> On Sun, Jan 11, 2009 at 12:49:12AM -0000, Paul Welsh wrote: > This has probably been asked a million times (but can't find it searching > the list). > > I note that > > Spam Actions = forward > > forwards a *copy* of the message to another address. What I wish to do is > to redirect the message to another address where it can be evaluated > manually and forwarded on if not spam. > > Can I use > > delete forward > > or is > > store forward > > my only option? Unless I'm misunderstanding your question (which is entirely possible) forward does exactly what you want. It doesn't forward the message in the same sense as you would forward an email using your mail client. If you specify 'Spam Actions = forward spamfolder@yourdomain.com' in the config file, those messages flagged as spam will be delivered to spamfolder@yourdomain.com instead of the intended recipient. At my site, I use the following: High Scoring Spam Actions = store Spam Actions = forward spam@mydomain.com High scoring spam gets stored in the quarantine, and low-scoring spam gets delivered to the spam mailbox. I look through that mailbox at the end of the day, and if I find anything that shouldn't have been flagged, I save a copy to the intended recipient's mailbox, save a copy to a ham mailbox, and, if appropriate, whitelist the sender's address. I've then got a cron job that feeds both the spam and ham mailboxes to sa-learn to improve my bayes scores. Cannon From Denis.Beauchemin at USherbrooke.ca Sun Jan 11 13:13:07 2009 
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Sun Jan 11 13:13:20 2009 Subject: Anti-spear-phishing, round 2 In-Reply-To: <14149359.161231610122759.JavaMail.gstory@gstory-laptop> References: <14149359.161231610122759.JavaMail.gstory@gstory-laptop> Message-ID: <4969F063.3090704@USherbrooke.ca> Guy Story KC5GOI wrote: > Kai, I need to clarify my question then. I did read over the script and if I understand it, please bear in mind I do not pretend to program, that it downloads the data from Google and turns it into a rule for SA. The rule itself provides inbound, outbound and content filtering using the email addresses that are provided by the Google list. Between Jules postings and the comments in the script, if I am understanding it correctly, then that is a huge testimony on Jules commenting in the file. That is a huge help for non-programmers and I thank him. > > I understand that since I do not have the current release of MS that I can not take full advantage of what Jules has done. I am currently using 7.10 of Ubuntu so I need to make sure that I can satisfy the dependencies to perform the upgrade. This is a time issue since I am a one man department. > > As a temporary solution I downloaded the list and used it to create a list that I added to my spam blacklist rule with FromOrTo so I can filter on two of three points. > > The downside to my current approach is lack of content scanning and a manual updating process instead of using Jules script in cron.hourly. Not ideal but a start. It takes me 5 minutes to do this where Jules script probably does it in less than 30 seconds (download, convert, copy and restart MS) and is more current. I might do this once a week. I understand that the address list could update literally on an hourly basis. The rate of updates is up to Google and I have not read through the project fully yet. 
> > My original and poorly worded question was more along the lines of how much work MS has to do using the list of addresses in the spam blacklist versus a SA rule. Is it more work processing the blacklist than the SA rule? > > Guy > Guy, I'm pretty sure you can use Julian's script in an older version of MS but you will have to use it to add to the SA score and then rely on your Required SpamAssassin Score or High SpamAssassin Score to quarantine/delete the emails. If you were to assign a score of, let's say, 15 to $SA_score in Julian's Spear.Phishing.Rules script, you could bump those emails into high scoring spam and then do whatever you want to them without having to use SpamAssassin Rule Actions at all. Denis From maillists at conactive.com Sun Jan 11 17:31:18 2009 
From: maillists at conactive.com (Kai Schaetzl) Date: Sun Jan 11 17:31:28 2009 Subject: Anti-spear-phishing, round 2 In-Reply-To: <14149359.161231610122759.JavaMail.gstory@gstory-laptop> References: <14149359.161231610122759.JavaMail.gstory@gstory-laptop> Message-ID: Guy Story KC5GOI wrote on Sat, 10 Jan 2009 11:55:24 -0600 (GMT-06:00): > My original and poorly worded question was more along the lines of > how much work MS has to do using the list of addresses in the spam > blacklist versus a SA rule. Is it more work processing the blacklist > than the SA rule? No, probably less. You asked about efficiency and I took that as meaning the result. I didn't check out Jules script, but according to his description it's taking also all body appearances into account and it "normalizes" or wildcards the names with numbers. That makes it match much better against mutations. If you use wildcards in your blacklist then this will make it gain efficiency, but still lose out on the body checks. If you just use the basic name list without even wildcarding then I wouldn't use it at all, it's not worth it. I think Denis made a good suggestion how to use that script with an older MS version. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From MailScanner at ecs.soton.ac.uk Sun Jan 11 18:09:27 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Jan 11 18:09:52 2009
Subject: Anti-spear-phishing, round 2
In-Reply-To: <4969F063.3090704@USherbrooke.ca>
References: <14149359.161231610122759.JavaMail.gstory@gstory-laptop> <4969F063.3090704@USherbrooke.ca>
Message-ID: <496A35D7.4070905@ecs.soton.ac.uk>

On 11/1/09 13:13, Denis Beauchemin wrote:
> Guy Story KC5GOI wrote:
>> Kai, I need to clarify my question then. I did read over the script
>> and if I understand it, please bear in mind I do not pretend to
>> program, that it downloads the data from Google and turns it into a
>> rule for SA. The rule itself provides inbound, outbound and content
>> filtering using the email addresses that are provided by the Google
>> list. Between Jules' postings and the comments in the script, if I am
>> understanding it correctly, then that is a huge testimony on Jules'
>> commenting in the file. That is a huge help for non-programmers and
>> I thank him.

Thanks! I tried to make it pretty clear to non-programmers. I don't add comments as an after-thought, I document as I go.

>>
>> I understand that since I do not have the current release of MS that
>> I can not take full advantage of what Jules has done. I am currently
>> using 7.10 of Ubuntu so I need to make sure that I can satisfy the
>> dependencies to perform the upgrade. This is a time issue since I am
>> a one man department.
>>
>> As a temporary solution I downloaded the list and used it to create a
>> list that I added to my spam blacklist rule with FromOrTo so I can
>> filter on two of three points.
>> The downside to my current approach is lack of content scanning and a
>> manual updating process instead of using Jules' script in
>> cron.hourly. Not ideal but a start. It takes me 5 minutes to do
>> this where Jules' script probably does it in less than 30 seconds
>> (download, convert, copy and restart MS) and is more current. I
>> might do this once a week. I understand that the address list could
>> update literally on an hourly basis. The rate of updates is up to
>> Google and I have not read through the project fully yet.

It's not up to Google. As far as I am aware, they don't have any connection with the project other than merely providing a place to host it, rather like Sourceforge does for many other people.

>>
>> My original and poorly worded question was more along the lines of
>> how much work MS has to do using the list of addresses in the spam
>> blacklist versus a SA rule. Is it more work processing the blacklist
>> than the SA rule?

Due to the way I wrote the script, the cost of running that file in SA is actually pretty minimal. One large pattern containing many alternatives is hugely more efficient in SA (and in Perl) than having a separate SA rule for each address, which would be the naive implementation.

The way SA works is that every rule gets turned into the Perl source code for a function, and then SA calls each function (i.e. rule) with the text of each message. So if you cram 20 alternatives into 1 rule, it's only 1 function call per message instead of 20, so 20 times less overhead.

Additionally, the addresses are listed alphabetically sorted, so that when Perl is trying to match the huge expression, if all the alternative addresses in the expression (rule) start with an "a" then it will only check the first character. If that isn't an "a" then none of the alternatives can match and it can bail out instantly. It's not actually as simple as that, but the theory basically still holds true.

So it turns into (on my systems) about 100 SA rules, each of which can be processed very quickly compared with many other SA rules you may use. Most systems have many thousands of rules, so an extra 100 is a tiny cost for the benefit you get from them.

I did put quite a bit of thought into my code, it is very far from a naive implementation, and contains a lot of measures to try to ensure that a rogue entry in the Google-hosted file cannot cause all your mail to get binned. If someone put "s@gmail.com" in the file, it would *not* hit every message from "thomas@gmail.com" for example!

> Guy,
>
> I'm pretty sure you can use Julian's script in an older version of MS
> but you will have to use it to add to the SA score and then rely on
> your Required SpamAssassin Score or High SpamAssassin Score to
> quarantine/delete the emails.

Correct. Just use the SA score (which you can set at the top of the script) and make it count towards your normal Spam Actions or High-Scoring Spam Actions, just the same as you would for any other SpamAssassin rule.

I chose to use the "SpamAssassin Rule Actions", and a very low score, as I want to handle this mail in a very different way to normal spam, partly because it makes it easier for me to develop the code and to see how well it is working and if there are ways I could improve it.

>
> If you were to assign a score of, let's say, 15 to $SA_score in
> Julian's Spear.Phishing.Rules script, you could bump those emails into
> high scoring spam and then do whatever you want to them without having
> to use SpamAssassin Rule Actions at all.

Yes, that would work just fine. Just not the way *I* choose to use it. But you are more than welcome to :-)

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From maillists at conactive.com Sun Jan 11 18:31:35 2009
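The batching and anchoring described in the message above, as an added example (this is not the Spear.Phishing.Rules script, which this page does not show): sorted addresses are folded into one alternation per rule, with lookarounds so that a short entry cannot match inside a longer address. The sample list, the rule names, the chunk size and the exact boundary classes are assumptions.

```python
import re

# Constructed sample input; the list discussed in the thread is a downloaded file.
SAMPLE_ADDRESSES = [
    "s@gmail.com",
    "helpdesk.team@example.net",
    "accounts-update@example.org",
    "admin.webmail@example.com",
    "Alert@Example.com",
    "not an address",
]

_VALID = re.compile(r"[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}")

# Boundaries: the match may not be preceded by a local-part character, and may
# not run on into a longer domain (".au" after ".com"), while a sentence-ending
# "." after the address is still allowed.
LEFT = r"(?<![a-z0-9._%+-])"
RIGHT = r"(?![a-z0-9-]|\.[a-z0-9])"


def clean(addresses):
    """Lower-case, drop entries that are not plain addresses, de-duplicate, sort."""
    seen = set()
    for raw in addresses:
        addr = raw.strip().lower()
        if _VALID.fullmatch(addr):
            seen.add(addr)
    return sorted(seen)


def escape(addr):
    """Backslash every non-alphanumeric character. "@" must be escaped in a
    Perl pattern, and "\\@" is equally valid for Python's re module."""
    return re.sub(r"([^a-z0-9])", r"\\\1", addr)


def build_patterns(addresses, per_rule=20):
    """One anchored alternation per chunk of sorted addresses."""
    addrs = clean(addresses)
    patterns = []
    for i in range(0, len(addrs), per_rule):
        alternatives = "|".join(escape(a) for a in addrs[i:i + per_rule])
        patterns.append(LEFT + "(?:" + alternatives + ")" + RIGHT)
    return patterns


def sa_rule_lines(patterns, score=0.1, prefix="SPEAR_ADDR"):
    """Render the patterns as SpamAssassin header rules (hypothetical names)."""
    lines = []
    for n, pattern in enumerate(patterns, 1):
        name = "%s_%03d" % (prefix, n)
        lines.append("header   %s  ALL =~ /%s/i" % (name, pattern))
        lines.append("score    %s  %s" % (name, score))
    return lines


def hits(text, patterns):
    """Listed addresses found in text, one regex evaluation per pattern."""
    found = []
    for pattern in patterns:
        found.extend(m.group(0).lower() for m in re.finditer(pattern, text, re.I))
    return found


def naive_hit(text, addresses):
    """Unanchored substring test, shown only for contrast."""
    lowered = text.lower()
    return any(a.strip().lower() in lowered for a in addresses)


if __name__ == "__main__":
    for line in sa_rule_lines(build_patterns(SAMPLE_ADDRESSES)):
        print(line)
```
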
From: maillists at conactive.com (Kai Schaetzl)
Date: Sun Jan 11 18:31:47 2009
Subject: identical messages -- some get bayes score, some don't
In-Reply-To: <41554.204.184.75.172.1231608493.squirrel@webmail.elsberry.k12.mo.us>
References: <60382.204.184.75.172.1231471379.squirrel@webmail.elsberry.k12.mo.us> <55910.204.184.75.172.1231537026.squirrel@webmail.elsberry.k12.mo.us> <41554.204.184.75.172.1231608493.squirrel@webmail.elsberry.k12.mo.us>
Message-ID:

Cannon Watts wrote on Sat, 10 Jan 2009 11:28:13 -0600 (CST):

> Thanks, that certainly cuts down on the timeouts, The URIBL tests are
> still generating 281 timeouts on those 28 messages, but that's a minor
> concern now that the bayes issues seem to be sorted out (see below).

As said earlier, there is surely something wrong either with your dns setup or with your software (e.g. DNS::Net too old or so). Have you set dns_available yes or do you let SA check that? If set to yes set it to no and let SA show you the outcome.

> It probably averages around 6000 per day.

That's not much and should be ok even for the old server, given enough RAM.

> 'time spamassassin --lint'
> returns
> real 0m2.450s
> user 0m2.309s
> sys 0m0.141s

Hm, I'm not sure if timeouts would be counted in these figures at all. Figure looks ok.

> I ran spamassassin --lint -D, and did find something peculiar in the output.
>
> dbg: bayes: tie-ing to DB file R/O /etc/MailScanner/bayes/bayes_toks
> dbg: bayes: tie-ing to DB file R/O /etc/MailScanner/bayes/bayes_seen
> .....
> dbg: bayes: not available for scanning, only 0 spam(s) in bayes DB < 200
>
> /etc/MailScanner/bayes is the correct location for those files, and sa-learn
> has been updating them without any errors, but something is obviously not
> right.

You may have learned the wrong files (belonging to a different user). You have to set a site-wide Bayes with MS.

> I moved the old bayes_toks and bayes_seen files, then fed bayes
> around 500 spams and hams via sa-learn to create a new database.
>
> Now, running spamassassin on those 28 messages generates a BAYES_99 score
> for each one with no bayes timeouts.

Good.

>
> I guess my database was either corrupt, or just too big.

For being "too big" it should have had at least 5 million tokens (I haven't ever seen a database over that size, but I can say that databases in this range are still fine performance-wise).

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From dave.filchak at senecac.on.ca Sun Jan 11 19:03:00 2009
From: dave.filchak at senecac.on.ca (Dave Filchak) Date: Sun Jan 11 19:03:18 2009 Subject: General Thankyou In-Reply-To: <4967D6F2.8090907@senecac.on.ca> References: <60382.204.184.75.172.1231471379.squirrel@webmail.elsberry.k12.mo.us> <49679B36.9010202@senecac.on.ca> <4967A01A.1020805@senecac.on.ca> <4967D6F2.8090907@senecac.on.ca> Message-ID: <496A4264.6080303@senecac.on.ca> Kai, Dave Filchak wrote: > Kai, > > Kai Schaetzl wrote: >> Dave Filchak wrote on Fri, 09 Jan 2009 14:06:02 -0500: >> >> >>> So I checked the permissions there and the Locks directory is owned >>> by postfix.root and the locks inside are all owned by root.root. >>> >> >> That is *all* wrong. Reread the tutorials for MS+postfix and for >> MS+clamd (you are using clamd, right). >> >> /var/spool/MailScanner/incoming/Locks l >> total 16 >> drwxr-x--- 2 root postfix 4096 Jan 9 23:03 . >> drwxr-xr-x 5 postfix clamav 4096 Jan 9 23:04 .. >> -rw------- 1 postfix postfix 0 Dec 11 17:31 antivirBusy.lock >> -rw------- 1 postfix postfix 0 Dec 11 17:31 avastBusy.lock >> -rw------- 1 postfix postfix 0 Dec 11 17:31 avgBusy.lock >> -rw------- 1 postfix postfix 0 Dec 11 17:31 bitdefenderBusy.lock >> -rw------- 1 postfix postfix 100 Jan 9 23:05 clamavBusy.lock >> -rw------- 1 postfix postfix 0 Dec 11 17:31 cssBusy.lock >> -rw------- 1 postfix postfix 0 Dec 11 17:31 esetsBusy.lock >> -rw------- 1 postfix postfix 0 Dec 11 17:31 etrustBusy.lock >> -rw------- 1 postfix postfix 0 Dec 11 17:31 f-prot-6Busy.lock >> -rw------- 1 postfix postfix 0 Dec 11 17:31 f-protBusy.lock >> -rw------- 1 postfix postfix 0 Dec 11 17:31 f-secureBusy.lock >> -rw------- 1 postfix postfix 0 Dec 11 17:31 genericBusy.lock >> -rw------- 1 postfix postfix 0 Dec 11 17:31 inoculanBusy.lock >> -rw------- 1 postfix postfix 0 Dec 11 17:31 kasperskyBusy.lock >> -rw------- 1 postfix postfix 0 Dec 11 17:31 mcafeeBusy.lock >> -rw------- 1 postfix postfix 0 Jan 7 16:51 MS.bayes.rebuild.lock >> -rw------- 1 postfix postfix 0 Jan 9 23:03 
MS.bayes.starting.lock >> -rw------- 1 postfix postfix 0 Dec 11 17:31 nod32Busy.lock >> -rw------- 1 postfix postfix 0 Dec 11 17:31 normanBusy.lock >> -rw------- 1 postfix postfix 0 Dec 11 17:31 pandaBusy.lock >> -rw------- 1 postfix postfix 0 Dec 11 17:31 ravBusy.lock >> -rw------- 1 postfix postfix 0 Dec 11 17:31 sophosBusy.lock >> -rw------- 1 postfix postfix 0 Dec 11 17:31 symscanengineBusy.lock >> -rw------- 1 postfix postfix 0 Dec 11 17:31 trendBusy.lock >> -rw------- 1 postfix postfix 0 Dec 11 17:31 vba32Busy.lock >> -rw------- 1 postfix postfix 0 Dec 11 17:31 vexiraBusy.lock >> >> Kai >> >> > Well I will definitely reread these. I never specifically set these > permissions anywhere. One would thing that these would be created by > the settings in MailScanner.conf .. wouldn't you? There is no specific > alternate user settings in spamassassin so .... something is setting > these permissions this way. > I have gone through the tutorials a few times and I seem to have everything set up correctly yet .... 
something keeps reseting the permissions in the Locks directory back to the following: -rw------- 1 root root 0 Jan 8 05:09 antivirBusy.lock -rw------- 1 root root 0 Jan 8 05:09 avastBusy.lock -rw------- 1 root root 0 Jan 8 05:09 avgBusy.lock -rw------- 1 root root 0 Jan 8 05:09 bitdefenderBusy.lock -rw------- 1 root root 49 Jan 9 19:15 clamavBusy.lock -rw------- 1 root root 0 Jan 8 05:09 cssBusy.lock -rw------- 1 root root 0 Jan 8 05:09 esetsBusy.lock -rw------- 1 root root 0 Jan 8 05:09 etrustBusy.lock -rw------- 1 root root 0 Jan 8 05:09 f-prot-6Busy.lock -rw------- 1 root root 0 Jan 8 05:09 f-protBusy.lock -rw------- 1 root root 0 Jan 8 05:09 f-secureBusy.lock -rw------- 1 root root 0 Jan 8 05:09 genericBusy.lock -rw------- 1 root root 0 Jan 8 05:09 inoculanBusy.lock -rw------- 1 root root 0 Jan 8 05:09 kasperskyBusy.lock -rw------- 1 root root 0 Jan 8 05:09 mcafeeBusy.lock -rw------- 1 root root 0 Jan 8 19:38 MS.bayes.rebuild.lock -rw------- 1 root root 0 Jan 11 04:15 MS.bayes.starting.lock -rw------- 1 root root 0 Jan 8 05:09 nod32Busy.lock -rw------- 1 root root 0 Jan 8 05:09 normanBusy.lock -rw------- 1 root root 0 Jan 8 05:09 pandaBusy.lock -rw------- 1 root root 0 Jan 8 05:09 ravBusy.lock -rw------- 1 root root 0 Jan 8 05:09 sophosBusy.lock -rw------- 1 root root 0 Jan 8 05:09 symscanengineBusy.lock -rw------- 1 root root 0 Jan 8 05:09 trendBusy.lock -rw------- 1 root root 0 Jan 8 05:09 vba32Busy.lock -rw------- 1 root root 0 Jan 8 05:09 vexiraBusy.lock /var/spool/MailScanner/incoming [root@rosewood incoming]# ls -l total 604 drwxr-x--- 2 postfix clamav 4096 Jan 11 13:43 19962 drwxr-x--- 2 postfix clamav 4096 Jan 11 13:38 19969 drwxr-x--- 2 postfix clamav 4096 Jan 11 13:41 19976 drwxr-x--- 2 postfix root 4096 Jan 11 04:15 Locks -rw------- 1 postfix postfix 590848 Jan 11 13:41 SpamAssassin.cache.db drwx------ 2 postfix postfix 4096 Jan 11 13:43 SpamAssassin-Temp Yesterday this was all set as you have it above. 
Dave From MailScanner at ecs.soton.ac.uk Sun Jan 11 19:22:50 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Jan 11 19:23:11 2009 Subject: General Thankyou (still diagnosing fault) In-Reply-To: <496A4264.6080303@senecac.on.ca> References: <60382.204.184.75.172.1231471379.squirrel@webmail.elsberry.k12.mo.us> <49679B36.9010202@senecac.on.ca> <4967A01A.1020805@senecac.on.ca> <4967D6F2.8090907@senecac.on.ca> <496A4264.6080303@senecac.on.ca> Message-ID: <496A470A.7070507@ecs.soton.ac.uk> On 11/1/09 19:03, Dave Filchak wrote: > Kai, > > > > Dave Filchak wrote: >> Kai, >> >> Kai Schaetzl wrote: >>> Dave Filchak wrote on Fri, 09 Jan 2009 14:06:02 -0500: >>> >>> >>>> So I checked the permissions there and the Locks directory is owned >>>> by postfix.root and the locks inside are all owned by root.root. >>> >>> That is *all* wrong. Reread the tutorials for MS+postfix and for >>> MS+clamd (you are using clamd, right). >>> >>> /var/spool/MailScanner/incoming/Locks l >>> total 16 >>> drwxr-x--- 2 root postfix 4096 Jan 9 23:03 . >>> drwxr-xr-x 5 postfix clamav 4096 Jan 9 23:04 .. 
>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 antivirBusy.lock >>> -rw------- 1 postfix postfix 0 Dec 11 17:31 avastBusy.lock >>> -rw------- 1 postfix postfix 0 Dec 11 17:31 avgBusy.lock >>> -rw------- 1 postfix postfix 0 Dec 11 17:31 bitdefenderBusy.lock >>> -rw------- 1 postfix postfix 100 Jan 9 23:05 clamavBusy.lock >>> -rw------- 1 postfix postfix 0 Dec 11 17:31 cssBusy.lock >>> -rw------- 1 postfix postfix 0 Dec 11 17:31 esetsBusy.lock >>> -rw------- 1 postfix postfix 0 Dec 11 17:31 etrustBusy.lock >>> -rw------- 1 postfix postfix 0 Dec 11 17:31 f-prot-6Busy.lock >>> -rw------- 1 postfix postfix 0 Dec 11 17:31 f-protBusy.lock >>> -rw------- 1 postfix postfix 0 Dec 11 17:31 f-secureBusy.lock >>> -rw------- 1 postfix postfix 0 Dec 11 17:31 genericBusy.lock >>> -rw------- 1 postfix postfix 0 Dec 11 17:31 inoculanBusy.lock >>> -rw------- 1 postfix postfix 0 Dec 11 17:31 kasperskyBusy.lock >>> -rw------- 1 postfix postfix 0 Dec 11 17:31 mcafeeBusy.lock >>> -rw------- 1 postfix postfix 0 Jan 7 16:51 MS.bayes.rebuild.lock >>> -rw------- 1 postfix postfix 0 Jan 9 23:03 MS.bayes.starting.lock >>> -rw------- 1 postfix postfix 0 Dec 11 17:31 nod32Busy.lock >>> -rw------- 1 postfix postfix 0 Dec 11 17:31 normanBusy.lock >>> -rw------- 1 postfix postfix 0 Dec 11 17:31 pandaBusy.lock >>> -rw------- 1 postfix postfix 0 Dec 11 17:31 ravBusy.lock >>> -rw------- 1 postfix postfix 0 Dec 11 17:31 sophosBusy.lock >>> -rw------- 1 postfix postfix 0 Dec 11 17:31 symscanengineBusy.lock >>> -rw------- 1 postfix postfix 0 Dec 11 17:31 trendBusy.lock >>> -rw------- 1 postfix postfix 0 Dec 11 17:31 vba32Busy.lock >>> -rw------- 1 postfix postfix 0 Dec 11 17:31 vexiraBusy.lock >>> >>> Kai >>> >> Well I will definitely reread these. I never specifically set these >> permissions anywhere. One would thing that these would be created by >> the settings in MailScanner.conf .. wouldn't you? There is no >> specific alternate user settings in spamassassin so .... 
>> something is setting these permissions this way.
>>
> I have gone through the tutorials a few times and I seem to have
> everything set up correctly yet .... something keeps resetting the
> permissions in the Locks directory back to the following:

It will be being clobbered by the update_virus_scanners cron job which is run once per hour. Please can you mail me an exact copy (preferably gzipped) of your MailScanner.conf file. Have you moved that file from its default location or anything like that? It should pull out the "Run As User" and "Run As Group" from MailScanner.conf and use those values to set the ownership of the lock files. Clearly something is going wrong there.

Copy and paste the following commands into a shell running as root. Beware of extra line-breaks that my mail program or your mail program may add into the following, hopefully they'll be okay.

LOCKDIR=`perl -n -e 'print "$_" if chomp && s/^\s*Lock\s*file\s*Dir\s*=\s*(\S+)/$1/i' /etc/MailScanner/MailScanner.conf`
RUNASU=`perl -n -e 'print "$_" if chomp && s/^\s*Run\s*As\s*User\s*=\s*(\S+)/$1/i' /etc/MailScanner/MailScanner.conf`
RUNASG=`perl -n -e 'print "$_" if chomp && s/^\s*Run\s*As\s*Group\s*=\s*(\S+)/$1/i' /etc/MailScanner/MailScanner.conf`
echo $LOCKDIR
echo $RUNASU
echo $RUNASG
/usr/sbin/mailscanner_create_locks "$LOCKDIR" "$RUNASU" "$RUNASG"

Then show me what you get from

ls -al $LOCKDIR

assuming that the "echo $LOCKDIR" command printed out the directory where your lock files are stored (i.e. normally /var/spool/MailScanner/incoming/Locks).

> > -rw------- 1 root root 0 Jan 8 05:09 antivirBusy.lock > -rw------- 1 root root 0 Jan 8 05:09 avastBusy.lock > -rw------- 1 root root 0 Jan 8 05:09 avgBusy.lock > -rw------- 1 root root 0 Jan 8 05:09 bitdefenderBusy.lock > -rw------- 1 root root 49 Jan 9 19:15 clamavBusy.lock > -rw------- 1 root root 0 Jan 8 05:09 cssBusy.lock > -rw------- 1 root root 0 Jan 8 05:09 esetsBusy.lock > -rw------- 1 root root 0 Jan 8 05:09 etrustBusy.lock > -rw------- 1 root root 0 Jan 8 05:09 f-prot-6Busy.lock > -rw------- 1 root root 0 Jan 8 05:09 f-protBusy.lock > -rw------- 1 root root 0 Jan 8 05:09 f-secureBusy.lock > -rw------- 1 root root 0 Jan 8 05:09 genericBusy.lock > -rw------- 1 root root 0 Jan 8 05:09 inoculanBusy.lock > -rw------- 1 root root 0 Jan 8 05:09 kasperskyBusy.lock > -rw------- 1 root root 0 Jan 8 05:09 mcafeeBusy.lock > -rw------- 1 root root 0 Jan 8 19:38 MS.bayes.rebuild.lock > -rw------- 1 root root 0 Jan 11 04:15 MS.bayes.starting.lock > -rw------- 1 root root 0 Jan 8 05:09 nod32Busy.lock > -rw------- 1 root root 0 Jan 8 05:09 normanBusy.lock > -rw------- 1 root root 0 Jan 8 05:09 pandaBusy.lock > -rw------- 1 root root 0 Jan 8 05:09 ravBusy.lock > -rw------- 1 root root 0 Jan 8 05:09 sophosBusy.lock > -rw------- 1 root root 0 Jan 8 05:09 symscanengineBusy.lock > -rw------- 1 root root 0 Jan 8 05:09 trendBusy.lock > -rw------- 1 root root 0 Jan 8 05:09 vba32Busy.lock > -rw------- 1 root root 0 Jan 8 05:09 vexiraBusy.lock > > /var/spool/MailScanner/incoming > [root@rosewood incoming]# ls -l > total 604 > drwxr-x--- 2 postfix clamav 4096 Jan 11 13:43 19962 > drwxr-x--- 2 postfix clamav 4096 Jan 11 13:38 19969 > drwxr-x--- 2 postfix clamav 4096 Jan 11 13:41 19976 > drwxr-x--- 2 postfix root 4096 Jan 11 04:15 Locks > -rw------- 1 postfix postfix 590848 Jan 11 13:41 SpamAssassin.cache.db > drwx------ 2 postfix postfix 4096 Jan 11 13:43 SpamAssassin-Temp > > Yesterday this was all set as you have it above. 
>
> Dave

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From paul at welshfamily.com Sun Jan 11 19:35:56 2009
From: paul at welshfamily.com (Paul Welsh)
Date: Sun Jan 11 19:36:16 2009
Subject: MailScanner Digest, Vol 37, Issue 20
In-Reply-To: <200901111201.n0BC0VPP030819@safir.blacknight.ie>
Message-ID: <200901111936.n0BJa81G018893@safir.blacknight.ie>

> Date: Sat, 10 Jan 2009 21:08:43 -0600
> From: Cannon Watts
> Subject: Re: Redirecting spam
>
> > I note that
> >
> > Spam Actions = forward
> >
> > forwards a *copy* of the message to another address. What I wish to do is
> > to redirect the message to another address where it can be evaluated
> > manually and forwarded on if not spam.
> >
>
> Unless I'm misunderstanding your question (which is entirely possible)
> forward does exactly what you want. It doesn't forward the message in the
> same sense as you would forward an email using your mail client. If you
> specify 'Spam Actions = forward spamfolder@yourdomain.com' in the config file,
> those messages flagged as spam will be delivered to spamfolder@yourdomain.com
> instead of the intended recipient.

Thanks for the clarification, Cannon. That's what I thought the forward config command did. I just got a bit confused when the explanation says it forwards a *copy*.

From maxsec at gmail.com Sun Jan 11 19:53:59 2009
From: maxsec at gmail.com (Martin Hepworth)
Date: Sun Jan 11 19:54:09 2009
Subject: block spoofing mail
In-Reply-To: <928434630901100033l3381ec9ifec81d6844b03e0@mail.gmail.com>
References: <928434630901100033l3381ec9ifec81d6844b03e0@mail.gmail.com>
Message-ID: <72cf361e0901111153n686b1e45l7f0dd56c87f63a36@mail.gmail.com>

2009/1/10 ichwan nur hakim :
> hi guys,
>
> how block spoofing mail with mailscanner..?? coz my office mail very much
> recipient spoofing mail.
> Thanks
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>

Hi,

perhaps you can give an example of what you mean by 'spoofing email'?

--
Martin Hepworth
Oxford, UK

From dave.filchak at senecac.on.ca Sun Jan 11 20:16:12 2009
From: dave.filchak at senecac.on.ca (Dave Filchak) Date: Sun Jan 11 20:16:36 2009 Subject: General Thankyou (still diagnosing fault) In-Reply-To: <496A470A.7070507@ecs.soton.ac.uk> References: <60382.204.184.75.172.1231471379.squirrel@webmail.elsberry.k12.mo.us> <49679B36.9010202@senecac.on.ca> <4967A01A.1020805@senecac.on.ca> <4967D6F2.8090907@senecac.on.ca> <496A4264.6080303@senecac.on.ca> <496A470A.7070507@ecs.soton.ac.uk> Message-ID: <496A538C.60903@senecac.on.ca> Jules Julian Field wrote: > > > On 11/1/09 19:03, Dave Filchak wrote: >> Kai, >> >> >> >> Dave Filchak wrote: >>> Kai, >>> >>> Kai Schaetzl wrote: >>>> Dave Filchak wrote on Fri, 09 Jan 2009 14:06:02 -0500: >>>> >>>> >>>>> So I checked the permissions there and the Locks directory is >>>>> owned by postfix.root and the locks inside are all owned by >>>>> root.root. >>>> >>>> That is *all* wrong. Reread the tutorials for MS+postfix and for >>>> MS+clamd (you are using clamd, right). >>>> >>>> /var/spool/MailScanner/incoming/Locks l >>>> total 16 >>>> drwxr-x--- 2 root postfix 4096 Jan 9 23:03 . >>>> drwxr-xr-x 5 postfix clamav 4096 Jan 9 23:04 .. 
>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 antivirBusy.lock >>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 avastBusy.lock >>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 avgBusy.lock >>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 bitdefenderBusy.lock >>>> -rw------- 1 postfix postfix 100 Jan 9 23:05 clamavBusy.lock >>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 cssBusy.lock >>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 esetsBusy.lock >>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 etrustBusy.lock >>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 f-prot-6Busy.lock >>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 f-protBusy.lock >>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 f-secureBusy.lock >>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 genericBusy.lock >>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 inoculanBusy.lock >>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 kasperskyBusy.lock >>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 mcafeeBusy.lock >>>> -rw------- 1 postfix postfix 0 Jan 7 16:51 MS.bayes.rebuild.lock >>>> -rw------- 1 postfix postfix 0 Jan 9 23:03 MS.bayes.starting.lock >>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 nod32Busy.lock >>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 normanBusy.lock >>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 pandaBusy.lock >>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 ravBusy.lock >>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 sophosBusy.lock >>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 symscanengineBusy.lock >>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 trendBusy.lock >>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 vba32Busy.lock >>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 vexiraBusy.lock >>>> >>>> Kai >>>> >>> Well I will definitely reread these. I never specifically set these >>> permissions anywhere. One would thing that these would be created by >>> the settings in MailScanner.conf .. wouldn't you? 
There is no >>> specific alternate user settings in spamassassin so .... something >>> is setting these permissions this way. >>> >> I have gone through the tutorials a few times and I seem to have >> everything set up correctly yet .... something keeps reseting the >> permissions in the Locks directory back to the following: > It will be being clobbered by the update_virus_scanners cron job which > is run once per hour. Please can you mail me an exact copy (preferably > gzipped) of your MailScanner.conf file. Have you moved that file from > its default location or anything like that? It should pull out the > "Run As User" and "Run As Group" from MailScanner.conf and use those > values to set the ownership of the lock files. Clearly something is > going wrong there. > > Copy and paste the following commands into a shell running as root. > Beware of extra line-breaks that my mail program or your mail program > may add into the following, hopefully they'll be okay. > > LOCKDIR=`perl -n -e 'print "$_" if chomp && > s/^\s*Lock\s*file\s*Dir\s*=\s*(\S+)/$1/i' > /etc/MailScanner/MailScanner.conf` > RUNASU=`perl -n -e 'print "$_" if chomp && > s/^\s*Run\s*As\s*User\s*=\s*(\S+)/$1/i' > /etc/MailScanner/MailScanner.conf` > RUNASG=`perl -n -e 'print "$_" if chomp && > s/^\s*Run\s*As\s*Group\s*=\s*(\S+)/$1/i' > /etc/MailScanner/MailScanner.conf` > echo $LOCKDIR > echo $RUNASU > echo $RUNASG > /usr/sbin/mailscanner_create_locks "$LOCKDIR" "$RUNASU" "$RUNASG" > > Then show me what you get from > ls -al $LOCKDIR > assuming that the "echo $LOCKDIR" command printed out the directory > where your lock files are stored (i.e. normally > /var/spool/MailScanner/incoming/Locks). I have emailed you my conf file. 
Here is the output from your scripts: [root@rosewood MailScanner]# LOCKDIR=`perl -n -e 'print "$_" if chomp && s/^\s*Lock\s*file\s*Dir\s*=\s*(\S+)/$1/i' /etc/MailScanner/MailScanner.conf` [root@rosewood MailScanner]# RUNASU=`perl -n -e 'print "$_" if chomp && s/^\s*Run\s*As\s*User\s*=\s*(\S+)/$1/i' /etc/MailScanner/MailScanner.conf` [root@rosewood MailScanner]# RUNASG=`perl -n -e 'print "$_" if chomp && s/^\s*Run\s*As\s*Group\s*=\s*(\S+)/$1/i' /etc/MailScanner/MailScanner.conf` [root@rosewood MailScanner]# echo $LOCKDIR /var/spool/MailScanner/incoming/Locks [root@rosewood MailScanner]# echo $RUNASU postfix [root@rosewood MailScanner]# echo $RUNASG postfix [root@rosewood MailScanner]# /usr/sbin/mailscanner_create_locks "$LOCKDIR" "$RUNASU" "$RUNASG" [root@rosewood MailScanner]# ls -al $LOCKDIR total 12 drwxr-x--- 2 postfix root 4096 Jan 11 14:18 . drwxrwx--- 7 postfix clamav 4096 Jan 11 15:12 .. -rw------- 1 root root 0 Jan 8 05:09 antivirBusy.lock -rw------- 1 root root 0 Jan 8 05:09 avastBusy.lock -rw------- 1 root root 0 Jan 8 05:09 avgBusy.lock -rw------- 1 root root 0 Jan 8 05:09 bitdefenderBusy.lock -rw------- 1 root root 48 Jan 11 14:18 clamavBusy.lock -rw------- 1 root root 0 Jan 8 05:09 cssBusy.lock -rw------- 1 root root 0 Jan 8 05:09 esetsBusy.lock -rw------- 1 root root 0 Jan 8 05:09 etrustBusy.lock -rw------- 1 root root 0 Jan 8 05:09 f-prot-6Busy.lock -rw------- 1 root root 0 Jan 8 05:09 f-protBusy.lock -rw------- 1 root root 0 Jan 8 05:09 f-secureBusy.lock -rw------- 1 root root 0 Jan 8 05:09 genericBusy.lock -rw------- 1 root root 0 Jan 8 05:09 inoculanBusy.lock -rw------- 1 root root 0 Jan 8 05:09 kasperskyBusy.lock -rw------- 1 root root 0 Jan 8 05:09 mcafeeBusy.lock -rw------- 1 root root 0 Jan 8 19:38 MS.bayes.rebuild.lock -rw------- 1 root root 0 Jan 11 14:18 MS.bayes.starting.lock -rw------- 1 root root 0 Jan 8 05:09 nod32Busy.lock -rw------- 1 root root 0 Jan 8 05:09 normanBusy.lock -rw------- 1 root root 0 Jan 8 05:09 pandaBusy.lock 
-rw------- 1 root root 0 Jan 8 05:09 ravBusy.lock -rw------- 1 root root 0 Jan 8 05:09 sophosBusy.lock -rw------- 1 root root 0 Jan 8 05:09 symscanengineBusy.lock -rw------- 1 root root 0 Jan 8 05:09 trendBusy.lock -rw------- 1 root root 0 Jan 8 05:09 vba32Busy.lock -rw------- 1 root root 0 Jan 8 05:09 vexiraBusy.lock Dave > >> >> -rw------- 1 root root 0 Jan 8 05:09 antivirBusy.lock >> -rw------- 1 root root 0 Jan 8 05:09 avastBusy.lock >> -rw------- 1 root root 0 Jan 8 05:09 avgBusy.lock >> -rw------- 1 root root 0 Jan 8 05:09 bitdefenderBusy.lock >> -rw------- 1 root root 49 Jan 9 19:15 clamavBusy.lock >> -rw------- 1 root root 0 Jan 8 05:09 cssBusy.lock >> -rw------- 1 root root 0 Jan 8 05:09 esetsBusy.lock >> -rw------- 1 root root 0 Jan 8 05:09 etrustBusy.lock >> -rw------- 1 root root 0 Jan 8 05:09 f-prot-6Busy.lock >> -rw------- 1 root root 0 Jan 8 05:09 f-protBusy.lock >> -rw------- 1 root root 0 Jan 8 05:09 f-secureBusy.lock >> -rw------- 1 root root 0 Jan 8 05:09 genericBusy.lock >> -rw------- 1 root root 0 Jan 8 05:09 inoculanBusy.lock >> -rw------- 1 root root 0 Jan 8 05:09 kasperskyBusy.lock >> -rw------- 1 root root 0 Jan 8 05:09 mcafeeBusy.lock >> -rw------- 1 root root 0 Jan 8 19:38 MS.bayes.rebuild.lock >> -rw------- 1 root root 0 Jan 11 04:15 MS.bayes.starting.lock >> -rw------- 1 root root 0 Jan 8 05:09 nod32Busy.lock >> -rw------- 1 root root 0 Jan 8 05:09 normanBusy.lock >> -rw------- 1 root root 0 Jan 8 05:09 pandaBusy.lock >> -rw------- 1 root root 0 Jan 8 05:09 ravBusy.lock >> -rw------- 1 root root 0 Jan 8 05:09 sophosBusy.lock >> -rw------- 1 root root 0 Jan 8 05:09 symscanengineBusy.lock >> -rw------- 1 root root 0 Jan 8 05:09 trendBusy.lock >> -rw------- 1 root root 0 Jan 8 05:09 vba32Busy.lock >> -rw------- 1 root root 0 Jan 8 05:09 vexiraBusy.lock >> >> /var/spool/MailScanner/incoming >> [root@rosewood incoming]# ls -l >> total 604 >> drwxr-x--- 2 postfix clamav 4096 Jan 11 13:43 19962 >> drwxr-x--- 2 postfix clamav 4096 Jan 11 13:38 
19969 >> drwxr-x--- 2 postfix clamav 4096 Jan 11 13:41 19976 >> drwxr-x--- 2 postfix root 4096 Jan 11 04:15 Locks >> -rw------- 1 postfix postfix 590848 Jan 11 13:41 SpamAssassin.cache.db >> drwx------ 2 postfix postfix 4096 Jan 11 13:43 SpamAssassin-Temp >> >> Yesterday this was all set as you have it above. >> >> Dave > > Jules > -- Dave Filchak Instructor, School of Communications Arts Seneca College @ York Office: Room 1068 From MailScanner at ecs.soton.ac.uk Sun Jan 11 20:51:20 2009 
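The ownership comparison done by hand in this thread with `ls -al`, as an added example (not MailScanner's own code): it reads the same three settings from MailScanner.conf with equally tolerant patterns and lists the lock files whose owner or group differs from "Run As User" and "Run As Group". The function names are hypothetical.

```python
import grp
import os
import pwd
import re

CONF_PATH = "/etc/MailScanner/MailScanner.conf"  # location used in the thread


def conf_value(conf_text, key):
    """First uncommented 'Key = value' setting, ignoring case and the
    spacing between the words of the key (as the perl one-liners do)."""
    words = [re.escape(w) for w in key.split()]
    pattern = re.compile(r"^\s*" + r"\s*".join(words) + r"\s*=\s*(\S+)", re.I)
    for line in conf_text.splitlines():
        m = pattern.match(line)
        if m:
            return m.group(1)
    return None


def uid_name(uid):
    """User name for a uid, or the number as text if it has no passwd entry."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def gid_name(gid):
    """Group name for a gid, or the number as text if it has no group entry."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def audit_locks(conf_text):
    """Return (file, owner, group) for every *.lock file in the configured
    lock directory that is not owned by the configured run-as user and group."""
    lock_dir = conf_value(conf_text, "Lock File Dir")
    want = (conf_value(conf_text, "Run As User"),
            conf_value(conf_text, "Run As Group"))
    if lock_dir is None or None in want:
        raise ValueError("Lock File Dir, Run As User and Run As Group must be set")
    wrong = []
    for name in sorted(os.listdir(lock_dir)):
        if not name.endswith(".lock"):
            continue
        # lstat: report on the directory entry itself, not a symlink target
        st = os.lstat(os.path.join(lock_dir, name))
        have = (uid_name(st.st_uid), gid_name(st.st_gid))
        if have != want:
            wrong.append((name,) + have)
    return wrong


if __name__ == "__main__":
    with open(CONF_PATH) as fh:
        for name, owner, group in audit_locks(fh.read()):
            print("%s is owned by %s:%s" % (name, owner, group))
```

Run from cron after the hourly update job, a non-empty result flags the same drift back to root:root that the listings in this thread show.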
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Jan 11 20:51:42 2009 Subject: General Thankyou (still diagnosing fault) In-Reply-To: <496A538C.60903@senecac.on.ca> References: <60382.204.184.75.172.1231471379.squirrel@webmail.elsberry.k12.mo.us> <49679B36.9010202@senecac.on.ca> <4967A01A.1020805@senecac.on.ca> <4967D6F2.8090907@senecac.on.ca> <496A4264.6080303@senecac.on.ca> <496A470A.7070507@ecs.soton.ac.uk> <496A538C.60903@senecac.on.ca> Message-ID: <496A5BC8.4000908@ecs.soton.ac.uk> On 11/1/09 20:16, Dave Filchak wrote: > Jules > > Julian Field wrote: >> >> >> On 11/1/09 19:03, Dave Filchak wrote: >>> Kai, >>> >>> >>> >>> Dave Filchak wrote: >>>> Kai, >>>> >>>> Kai Schaetzl wrote: >>>>> Dave Filchak wrote on Fri, 09 Jan 2009 14:06:02 -0500: >>>>> >>>>> >>>>>> So I checked the permissions there and the Locks directory is >>>>>> owned by postfix.root and the locks inside are all owned by >>>>>> root.root. >>>>> >>>>> That is *all* wrong. Reread the tutorials for MS+postfix and for >>>>> MS+clamd (you are using clamd, right). >>>>> >>>>> /var/spool/MailScanner/incoming/Locks l >>>>> total 16 >>>>> drwxr-x--- 2 root postfix 4096 Jan 9 23:03 . >>>>> drwxr-xr-x 5 postfix clamav 4096 Jan 9 23:04 .. 
>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 antivirBusy.lock >>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 avastBusy.lock >>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 avgBusy.lock >>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 bitdefenderBusy.lock >>>>> -rw------- 1 postfix postfix 100 Jan 9 23:05 clamavBusy.lock >>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 cssBusy.lock >>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 esetsBusy.lock >>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 etrustBusy.lock >>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 f-prot-6Busy.lock >>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 f-protBusy.lock >>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 f-secureBusy.lock >>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 genericBusy.lock >>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 inoculanBusy.lock >>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 kasperskyBusy.lock >>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 mcafeeBusy.lock >>>>> -rw------- 1 postfix postfix 0 Jan 7 16:51 MS.bayes.rebuild.lock >>>>> -rw------- 1 postfix postfix 0 Jan 9 23:03 MS.bayes.starting.lock >>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 nod32Busy.lock >>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 normanBusy.lock >>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 pandaBusy.lock >>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 ravBusy.lock >>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 sophosBusy.lock >>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 symscanengineBusy.lock >>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 trendBusy.lock >>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 vba32Busy.lock >>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 vexiraBusy.lock >>>>> >>>>> Kai >>>>> >>>> Well I will definitely reread these. I never specifically set these >>>> permissions anywhere. One would thing that these would be created >>>> by the settings in MailScanner.conf .. wouldn't you? 
There is no >>>> specific alternate user settings in spamassassin so .... something >>>> is setting these permissions this way. >>>> >>> I have gone through the tutorials a few times and I seem to have >>> everything set up correctly yet .... something keeps reseting the >>> permissions in the Locks directory back to the following: >> It will be being clobbered by the update_virus_scanners cron job >> which is run once per hour. Please can you mail me an exact copy >> (preferably gzipped) of your MailScanner.conf file. Have you moved >> that file from its default location or anything like that? It should >> pull out the "Run As User" and "Run As Group" from MailScanner.conf >> and use those values to set the ownership of the lock files. Clearly >> something is going wrong there. >> >> Copy and paste the following commands into a shell running as root. >> Beware of extra line-breaks that my mail program or your mail program >> may add into the following, hopefully they'll be okay. >> >> LOCKDIR=`perl -n -e 'print "$_" if chomp && >> s/^\s*Lock\s*file\s*Dir\s*=\s*(\S+)/$1/i' >> /etc/MailScanner/MailScanner.conf` >> RUNASU=`perl -n -e 'print "$_" if chomp && >> s/^\s*Run\s*As\s*User\s*=\s*(\S+)/$1/i' >> /etc/MailScanner/MailScanner.conf` >> RUNASG=`perl -n -e 'print "$_" if chomp && >> s/^\s*Run\s*As\s*Group\s*=\s*(\S+)/$1/i' >> /etc/MailScanner/MailScanner.conf` >> echo $LOCKDIR >> echo $RUNASU >> echo $RUNASG >> /usr/sbin/mailscanner_create_locks "$LOCKDIR" "$RUNASU" "$RUNASG" >> >> Then show me what you get from >> ls -al $LOCKDIR >> assuming that the "echo $LOCKDIR" command printed out the directory >> where your lock files are stored (i.e. normally >> /var/spool/MailScanner/incoming/Locks). > > I have emailed you my conf file. 
Here is the output from your scripts:
>
> [root@rosewood MailScanner]# LOCKDIR=`perl -n -e 'print "$_" if chomp
> && s/^\s*Lock\s*file\s*Dir\s*=\s*(\S+)/$1/i'
> /etc/MailScanner/MailScanner.conf`
> [root@rosewood MailScanner]# RUNASU=`perl -n -e 'print "$_" if chomp
> && s/^\s*Run\s*As\s*User\s*=\s*(\S+)/$1/i'
> /etc/MailScanner/MailScanner.conf`
> [root@rosewood MailScanner]# RUNASG=`perl -n -e 'print "$_" if chomp
> && s/^\s*Run\s*As\s*Group\s*=\s*(\S+)/$1/i'
> /etc/MailScanner/MailScanner.conf`
> [root@rosewood MailScanner]# echo $LOCKDIR
> /var/spool/MailScanner/incoming/Locks
> [root@rosewood MailScanner]# echo $RUNASU
> postfix
> [root@rosewood MailScanner]# echo $RUNASG
> postfix

That all looks good. As root,
    rm -rf /var/spool/MailScanner/incoming/Locks
and then
    /usr/sbin/update_virus_scanners
and then show me an
    ls -al /var/spool/MailScanner/incoming/Locks

The files in there should be owned by postfix. Let's see if that's true.

>
> Dave
>>
>>>
>>> -rw------- 1 root root 0 Jan 8 05:09 antivirBusy.lock
>>> -rw------- 1 root root 0 Jan 8 05:09 avastBusy.lock
>>> -rw------- 1 root root 0 Jan 8 05:09 avgBusy.lock
>>> -rw------- 1 root root 0 Jan 8 05:09 bitdefenderBusy.lock
>>> -rw------- 1 root root 49 Jan 9 19:15 clamavBusy.lock
>>> -rw------- 1 root root 0 Jan 8 05:09 cssBusy.lock
>>> -rw------- 1 root root 0 Jan 8 05:09 esetsBusy.lock
>>> -rw------- 1 root root 0 Jan 8 05:09 etrustBusy.lock
>>> -rw------- 1 root root 0 Jan 8 05:09 f-prot-6Busy.lock
>>> -rw------- 1 root root 0 Jan 8 05:09 f-protBusy.lock
>>> -rw------- 1 root root 0 Jan 8 05:09 f-secureBusy.lock
>>> -rw------- 1 root root 0 Jan 8 05:09 genericBusy.lock
>>> -rw------- 1 root root 0 Jan 8 05:09 inoculanBusy.lock
>>> -rw------- 1 root root 0 Jan 8 05:09 kasperskyBusy.lock
>>> -rw------- 1 root root 0 Jan 8 05:09 mcafeeBusy.lock
>>> -rw------- 1 root root 0 Jan 8 19:38 MS.bayes.rebuild.lock
>>> -rw------- 1 root root 0 Jan 11 04:15 MS.bayes.starting.lock
>>> -rw------- 1 root root 0 Jan 8 05:09
nod32Busy.lock >>> -rw------- 1 root root 0 Jan 8 05:09 normanBusy.lock >>> -rw------- 1 root root 0 Jan 8 05:09 pandaBusy.lock >>> -rw------- 1 root root 0 Jan 8 05:09 ravBusy.lock >>> -rw------- 1 root root 0 Jan 8 05:09 sophosBusy.lock >>> -rw------- 1 root root 0 Jan 8 05:09 symscanengineBusy.lock >>> -rw------- 1 root root 0 Jan 8 05:09 trendBusy.lock >>> -rw------- 1 root root 0 Jan 8 05:09 vba32Busy.lock >>> -rw------- 1 root root 0 Jan 8 05:09 vexiraBusy.lock >>> >>> /var/spool/MailScanner/incoming >>> [root@rosewood incoming]# ls -l >>> total 604 >>> drwxr-x--- 2 postfix clamav 4096 Jan 11 13:43 19962 >>> drwxr-x--- 2 postfix clamav 4096 Jan 11 13:38 19969 >>> drwxr-x--- 2 postfix clamav 4096 Jan 11 13:41 19976 >>> drwxr-x--- 2 postfix root 4096 Jan 11 04:15 Locks >>> -rw------- 1 postfix postfix 590848 Jan 11 13:41 SpamAssassin.cache.db >>> drwx------ 2 postfix postfix 4096 Jan 11 13:43 SpamAssassin-Temp >>> >>> Yesterday this was all set as you have it above. >>> >>> Dave >> >> Jules >> > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From dave.filchak at senecac.on.ca Sun Jan 11 21:17:56 2009 
From: dave.filchak at senecac.on.ca (Dave Filchak)
Date: Sun Jan 11 21:18:08 2009
Subject: General Thankyou (still diagnosing fault)
In-Reply-To: <496A5BC8.4000908@ecs.soton.ac.uk>
References: <60382.204.184.75.172.1231471379.squirrel@webmail.elsberry.k12.mo.us>
    <49679B36.9010202@senecac.on.ca> <4967A01A.1020805@senecac.on.ca>
    <4967D6F2.8090907@senecac.on.ca> <496A4264.6080303@senecac.on.ca>
    <496A470A.7070507@ecs.soton.ac.uk> <496A538C.60903@senecac.on.ca>
    <496A5BC8.4000908@ecs.soton.ac.uk>
Message-ID: <496A6204.9070105@senecac.on.ca>

Jules,

Julian Field wrote:
>
>
> On 11/1/09 20:16, Dave Filchak wrote:
>> Jules
>>
>> Julian Field wrote:
>>>
>>>
>>> On 11/1/09 19:03, Dave Filchak wrote:
>>>> Kai,
>>>>
>>>>
>>>>
>>>> Dave Filchak wrote:
>>>>> Kai,
>>>>>
>>>>> Kai Schaetzl wrote:
>>>>>> Dave Filchak wrote on Fri, 09 Jan 2009 14:06:02 -0500:
>>>>>>
>>>>>>
>>>>>>> So I checked the permissions there and the Locks directory is
>>>>>>> owned by postfix.root and the locks inside are all owned by
>>>>>>> root.root.
>>>>>>
>>>>>> That is *all* wrong. Reread the tutorials for MS+postfix and for
>>>>>> MS+clamd (you are using clamd, right).
>>>>>>
>>>>>> /var/spool/MailScanner/incoming/Locks l
>>>>>> total 16
>>>>>> drwxr-x--- 2 root postfix 4096 Jan 9 23:03 .
>>>>>> drwxr-xr-x 5 postfix clamav 4096 Jan 9 23:04 ..
>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 antivirBusy.lock >>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 avastBusy.lock >>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 avgBusy.lock >>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 bitdefenderBusy.lock >>>>>> -rw------- 1 postfix postfix 100 Jan 9 23:05 clamavBusy.lock >>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 cssBusy.lock >>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 esetsBusy.lock >>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 etrustBusy.lock >>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 f-prot-6Busy.lock >>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 f-protBusy.lock >>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 f-secureBusy.lock >>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 genericBusy.lock >>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 inoculanBusy.lock >>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 kasperskyBusy.lock >>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 mcafeeBusy.lock >>>>>> -rw------- 1 postfix postfix 0 Jan 7 16:51 MS.bayes.rebuild.lock >>>>>> -rw------- 1 postfix postfix 0 Jan 9 23:03 >>>>>> MS.bayes.starting.lock >>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 nod32Busy.lock >>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 normanBusy.lock >>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 pandaBusy.lock >>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 ravBusy.lock >>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 sophosBusy.lock >>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 >>>>>> symscanengineBusy.lock >>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 trendBusy.lock >>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 vba32Busy.lock >>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 vexiraBusy.lock >>>>>> >>>>>> Kai >>>>>> >>>>> Well I will definitely reread these. I never specifically set >>>>> these permissions anywhere. One would thing that these would be >>>>> created by the settings in MailScanner.conf .. 
wouldn't you? There >>>>> is no specific alternate user settings in spamassassin so .... >>>>> something is setting these permissions this way. >>>>> >>>> I have gone through the tutorials a few times and I seem to have >>>> everything set up correctly yet .... something keeps reseting the >>>> permissions in the Locks directory back to the following: >>> It will be being clobbered by the update_virus_scanners cron job >>> which is run once per hour. Please can you mail me an exact copy >>> (preferably gzipped) of your MailScanner.conf file. Have you moved >>> that file from its default location or anything like that? It should >>> pull out the "Run As User" and "Run As Group" from MailScanner.conf >>> and use those values to set the ownership of the lock files. Clearly >>> something is going wrong there. >>> >>> Copy and paste the following commands into a shell running as root. >>> Beware of extra line-breaks that my mail program or your mail >>> program may add into the following, hopefully they'll be okay. >>> >>> LOCKDIR=`perl -n -e 'print "$_" if chomp && >>> s/^\s*Lock\s*file\s*Dir\s*=\s*(\S+)/$1/i' >>> /etc/MailScanner/MailScanner.conf` >>> RUNASU=`perl -n -e 'print "$_" if chomp && >>> s/^\s*Run\s*As\s*User\s*=\s*(\S+)/$1/i' >>> /etc/MailScanner/MailScanner.conf` >>> RUNASG=`perl -n -e 'print "$_" if chomp && >>> s/^\s*Run\s*As\s*Group\s*=\s*(\S+)/$1/i' >>> /etc/MailScanner/MailScanner.conf` >>> echo $LOCKDIR >>> echo $RUNASU >>> echo $RUNASG >>> /usr/sbin/mailscanner_create_locks "$LOCKDIR" "$RUNASU" "$RUNASG" >>> >>> Then show me what you get from >>> ls -al $LOCKDIR >>> assuming that the "echo $LOCKDIR" command printed out the directory >>> where your lock files are stored (i.e. normally >>> /var/spool/MailScanner/incoming/Locks). >> >> I have emailed you my conf file. 
Here is the output from your scripts:
>>
>> [root@rosewood MailScanner]# LOCKDIR=`perl -n -e 'print "$_" if chomp
>> && s/^\s*Lock\s*file\s*Dir\s*=\s*(\S+)/$1/i'
>> /etc/MailScanner/MailScanner.conf`
>> [root@rosewood MailScanner]# RUNASU=`perl -n -e 'print "$_" if chomp
>> && s/^\s*Run\s*As\s*User\s*=\s*(\S+)/$1/i'
>> /etc/MailScanner/MailScanner.conf`
>> [root@rosewood MailScanner]# RUNASG=`perl -n -e 'print "$_" if chomp
>> && s/^\s*Run\s*As\s*Group\s*=\s*(\S+)/$1/i'
>> /etc/MailScanner/MailScanner.conf`
>> [root@rosewood MailScanner]# echo $LOCKDIR
>> /var/spool/MailScanner/incoming/Locks
>> [root@rosewood MailScanner]# echo $RUNASU
>> postfix
>> [root@rosewood MailScanner]# echo $RUNASG
>> postfix
> That all looks good. As root,
> rm -rf /var/spool/MailScanner/incoming/Locks
> and then
> /usr/sbin/update_virus_scanners
> and then show me an
> ls -al /var/spool/MailScanner/incoming/Locks
>
> The files in there should be owned by postfix. Let's see if that's true.
>

OK .. deleted the Locks directory, ran update_virus_scanners and got:

ls -al /var/spool/MailScanner/incoming/Locks/
total 8
drwxr-x--- 2 root root 4096 Jan 11 16:13 .
drwxrwx--- 7 postfix clamav 4096 Jan 11 16:14 ..
-rw------- 1 root root 0 Jan 11 16:13 antivirBusy.lock
-rw------- 1 root root 0 Jan 11 16:13 avastBusy.lock
-rw------- 1 root root 0 Jan 11 16:13 avgBusy.lock
-rw------- 1 root root 0 Jan 11 16:13 bitdefenderBusy.lock
-rw------- 1 root root 0 Jan 11 16:13 clamavBusy.lock
-rw------- 1 root root 0 Jan 11 16:13 cssBusy.lock
-rw------- 1 root root 0 Jan 11 16:13 esetsBusy.lock
-rw------- 1 root root 0 Jan 11 16:13 etrustBusy.lock
-rw------- 1 root root 0 Jan 11 16:13 f-prot-6Busy.lock
-rw------- 1 root root 0 Jan 11 16:13 f-protBusy.lock
-rw------- 1 root root 0 Jan 11 16:13 f-secureBusy.lock
-rw------- 1 root root 0 Jan 11 16:13 genericBusy.lock
-rw------- 1 root root 0 Jan 11 16:13 inoculanBusy.lock
-rw------- 1 root root 0 Jan 11 16:13 kasperskyBusy.lock
-rw------- 1 root root 0 Jan 11 16:13 mcafeeBusy.lock
-rw------- 1 root root 0 Jan 11 16:13 MS.bayes.rebuild.lock
-rw------- 1 root root 0 Jan 11 16:13 MS.bayes.starting.lock
-rw------- 1 root root 0 Jan 11 16:13 nod32Busy.lock
-rw------- 1 root root 0 Jan 11 16:13 normanBusy.lock
-rw------- 1 root root 0 Jan 11 16:13 pandaBusy.lock
-rw------- 1 root root 0 Jan 11 16:13 ravBusy.lock
-rw------- 1 root root 0 Jan 11 16:13 sophosBusy.lock
-rw------- 1 root root 0 Jan 11 16:13 symscanengineBusy.lock
-rw------- 1 root root 0 Jan 11 16:13 trendBusy.lock
-rw------- 1 root root 0 Jan 11 16:13 vba32Busy.lock
-rw------- 1 root root 0 Jan 11 16:13 vexiraBusy.lock

Still root.
Dave >> >> Dave >>> >>>> >>>> -rw------- 1 root root 0 Jan 8 05:09 antivirBusy.lock >>>> -rw------- 1 root root 0 Jan 8 05:09 avastBusy.lock >>>> -rw------- 1 root root 0 Jan 8 05:09 avgBusy.lock >>>> -rw------- 1 root root 0 Jan 8 05:09 bitdefenderBusy.lock >>>> -rw------- 1 root root 49 Jan 9 19:15 clamavBusy.lock >>>> -rw------- 1 root root 0 Jan 8 05:09 cssBusy.lock >>>> -rw------- 1 root root 0 Jan 8 05:09 esetsBusy.lock >>>> -rw------- 1 root root 0 Jan 8 05:09 etrustBusy.lock >>>> -rw------- 1 root root 0 Jan 8 05:09 f-prot-6Busy.lock >>>> -rw------- 1 root root 0 Jan 8 05:09 f-protBusy.lock >>>> -rw------- 1 root root 0 Jan 8 05:09 f-secureBusy.lock >>>> -rw------- 1 root root 0 Jan 8 05:09 genericBusy.lock >>>> -rw------- 1 root root 0 Jan 8 05:09 inoculanBusy.lock >>>> -rw------- 1 root root 0 Jan 8 05:09 kasperskyBusy.lock >>>> -rw------- 1 root root 0 Jan 8 05:09 mcafeeBusy.lock >>>> -rw------- 1 root root 0 Jan 8 19:38 MS.bayes.rebuild.lock >>>> -rw------- 1 root root 0 Jan 11 04:15 MS.bayes.starting.lock >>>> -rw------- 1 root root 0 Jan 8 05:09 nod32Busy.lock >>>> -rw------- 1 root root 0 Jan 8 05:09 normanBusy.lock >>>> -rw------- 1 root root 0 Jan 8 05:09 pandaBusy.lock >>>> -rw------- 1 root root 0 Jan 8 05:09 ravBusy.lock >>>> -rw------- 1 root root 0 Jan 8 05:09 sophosBusy.lock >>>> -rw------- 1 root root 0 Jan 8 05:09 symscanengineBusy.lock >>>> -rw------- 1 root root 0 Jan 8 05:09 trendBusy.lock >>>> -rw------- 1 root root 0 Jan 8 05:09 vba32Busy.lock >>>> -rw------- 1 root root 0 Jan 8 05:09 vexiraBusy.lock >>>> >>>> /var/spool/MailScanner/incoming >>>> [root@rosewood incoming]# ls -l >>>> total 604 >>>> drwxr-x--- 2 postfix clamav 4096 Jan 11 13:43 19962 >>>> drwxr-x--- 2 postfix clamav 4096 Jan 11 13:38 19969 >>>> drwxr-x--- 2 postfix clamav 4096 Jan 11 13:41 19976 >>>> drwxr-x--- 2 postfix root 4096 Jan 11 04:15 Locks >>>> -rw------- 1 postfix postfix 590848 Jan 11 13:41 >>>> SpamAssassin.cache.db >>>> drwx------ 2 postfix postfix 4096 Jan 
11 13:43 SpamAssassin-Temp
>>>>
>>>> Yesterday this was all set as you have it above.
>>>>
>>>> Dave
>>>
>>> Jules
>>>
>>
>
> Jules
>

--
Dave Filchak
Instructor, School of Communications Arts
Seneca College @ York
Office: Room 1068

From spamlists at coders.co.uk Sun Jan 11 21:41:13 2009
From: spamlists at coders.co.uk (Matt)
Date: Sun Jan 11 21:42:23 2009
Subject: Anti-spear-phishing sa-update channel
Message-ID: <496A6779.9040309@coders.co.uk>

All

If anyone is interested I have published an sa-update channel which
generates the same rules as Jules' script.

The channel is spear.bastionmail.com
it is signed by key id 06EF70A3 which you can get from
http://www.bastionmail.co.uk/spear.txt

The rules are named in the same way and is updated within 15 minutes of
an SVN update.

****** NOTE - it is fully automatic in the same way as Jules script works ********

matt

From MailScanner at ecs.soton.ac.uk Sun Jan 11 23:50:52 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Jan 11 23:51:15 2009
Subject: General Thankyou (still diagnosing fault)
In-Reply-To: <496A6204.9070105@senecac.on.ca>
References: <60382.204.184.75.172.1231471379.squirrel@webmail.elsberry.k12.mo.us>
    <49679B36.9010202@senecac.on.ca> <4967A01A.1020805@senecac.on.ca>
    <4967D6F2.8090907@senecac.on.ca> <496A4264.6080303@senecac.on.ca>
    <496A470A.7070507@ecs.soton.ac.uk> <496A538C.60903@senecac.on.ca>
    <496A5BC8.4000908@ecs.soton.ac.uk> <496A6204.9070105@senecac.on.ca>
Message-ID: <496A85DC.3060404@ecs.soton.ac.uk>

On 11/1/09 21:17, Dave Filchak wrote:
> Jules,
>
> Julian Field wrote:
>>
>>
>> On 11/1/09 20:16, Dave Filchak wrote:
>>> Jules
>>>
>>> Julian Field wrote:
>>>>
>>>>
>>>> On 11/1/09 19:03, Dave Filchak wrote:
>>>>> Kai,
>>>>>
>>>>>
>>>>>
>>>>> Dave Filchak wrote:
>>>>>> Kai,
>>>>>>
>>>>>> Kai Schaetzl wrote:
>>>>>>> Dave Filchak wrote on Fri, 09 Jan 2009 14:06:02 -0500:
>>>>>>>
>>>>>>>
>>>>>>>> So I checked the permissions there and the Locks directory is
>>>>>>>> owned by postfix.root and the locks inside are all owned by
>>>>>>>> root.root.
>>>>>>>
>>>>>>> That is *all* wrong. Reread the tutorials for MS+postfix and for
>>>>>>> MS+clamd (you are using clamd, right).
>>>>>>>
>>>>>>> /var/spool/MailScanner/incoming/Locks l
>>>>>>> total 16
>>>>>>> drwxr-x--- 2 root postfix 4096 Jan 9 23:03 .
>>>>>>> drwxr-xr-x 5 postfix clamav 4096 Jan 9 23:04 ..
>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 antivirBusy.lock >>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 avastBusy.lock >>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 avgBusy.lock >>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 bitdefenderBusy.lock >>>>>>> -rw------- 1 postfix postfix 100 Jan 9 23:05 clamavBusy.lock >>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 cssBusy.lock >>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 esetsBusy.lock >>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 etrustBusy.lock >>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 f-prot-6Busy.lock >>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 f-protBusy.lock >>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 f-secureBusy.lock >>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 genericBusy.lock >>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 inoculanBusy.lock >>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 kasperskyBusy.lock >>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 mcafeeBusy.lock >>>>>>> -rw------- 1 postfix postfix 0 Jan 7 16:51 >>>>>>> MS.bayes.rebuild.lock >>>>>>> -rw------- 1 postfix postfix 0 Jan 9 23:03 >>>>>>> MS.bayes.starting.lock >>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 nod32Busy.lock >>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 normanBusy.lock >>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 pandaBusy.lock >>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 ravBusy.lock >>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 sophosBusy.lock >>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 >>>>>>> symscanengineBusy.lock >>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 trendBusy.lock >>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 vba32Busy.lock >>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 vexiraBusy.lock >>>>>>> >>>>>>> Kai >>>>>>> >>>>>> Well I will definitely reread these. I never specifically set >>>>>> these permissions anywhere. 
One would thing that these would be >>>>>> created by the settings in MailScanner.conf .. wouldn't you? >>>>>> There is no specific alternate user settings in spamassassin so >>>>>> .... something is setting these permissions this way. >>>>>> >>>>> I have gone through the tutorials a few times and I seem to have >>>>> everything set up correctly yet .... something keeps reseting the >>>>> permissions in the Locks directory back to the following: >>>> It will be being clobbered by the update_virus_scanners cron job >>>> which is run once per hour. Please can you mail me an exact copy >>>> (preferably gzipped) of your MailScanner.conf file. Have you moved >>>> that file from its default location or anything like that? It >>>> should pull out the "Run As User" and "Run As Group" from >>>> MailScanner.conf and use those values to set the ownership of the >>>> lock files. Clearly something is going wrong there. >>>> >>>> Copy and paste the following commands into a shell running as root. >>>> Beware of extra line-breaks that my mail program or your mail >>>> program may add into the following, hopefully they'll be okay. >>>> >>>> LOCKDIR=`perl -n -e 'print "$_" if chomp && >>>> s/^\s*Lock\s*file\s*Dir\s*=\s*(\S+)/$1/i' >>>> /etc/MailScanner/MailScanner.conf` >>>> RUNASU=`perl -n -e 'print "$_" if chomp && >>>> s/^\s*Run\s*As\s*User\s*=\s*(\S+)/$1/i' >>>> /etc/MailScanner/MailScanner.conf` >>>> RUNASG=`perl -n -e 'print "$_" if chomp && >>>> s/^\s*Run\s*As\s*Group\s*=\s*(\S+)/$1/i' >>>> /etc/MailScanner/MailScanner.conf` >>>> echo $LOCKDIR >>>> echo $RUNASU >>>> echo $RUNASG >>>> /usr/sbin/mailscanner_create_locks "$LOCKDIR" "$RUNASU" "$RUNASG" >>>> >>>> Then show me what you get from >>>> ls -al $LOCKDIR >>>> assuming that the "echo $LOCKDIR" command printed out the directory >>>> where your lock files are stored (i.e. normally >>>> /var/spool/MailScanner/incoming/Locks). >>> >>> I have emailed you my conf file. That looks fine. 
>>> Here is the output from your scripts: >>> >>> [root@rosewood MailScanner]# LOCKDIR=`perl -n -e 'print "$_" if >>> chomp && s/^\s*Lock\s*file\s*Dir\s*=\s*(\S+)/$1/i' >>> /etc/MailScanner/MailScanner.conf` >>> [root@rosewood MailScanner]# RUNASU=`perl -n -e 'print "$_" if chomp >>> && s/^\s*Run\s*As\s*User\s*=\s*(\S+)/$1/i' >>> /etc/MailScanner/MailScanner.conf` >>> [root@rosewood MailScanner]# RUNASG=`perl -n -e 'print "$_" if chomp >>> && s/^\s*Run\s*As\s*Group\s*=\s*(\S+)/$1/i' >>> /etc/MailScanner/MailScanner.conf` >>> [root@rosewood MailScanner]# echo $LOCKDIR >>> /var/spool/MailScanner/incoming/Locks >>> [root@rosewood MailScanner]# echo $RUNASU >>> postfix >>> [root@rosewood MailScanner]# echo $RUNASG >>> postfix >> That all looks good. As root, >> rm -rf /var/spool/MailScanner/incoming/Locks >> and then >> /usr/sbin/update_virus_scanners >> and then show me an >> ls -al /var/spool/MailScanner/incoming/Locks >> >> The files in there should be owned by postfix. Let's see if that's true. >> > OK .. deleted the Locks directory, ran update_virus_scanners and got: > > ls -al /var/spool/MailScanner/incoming/Locks/ > total 8 > drwxr-x--- 2 root root 4096 Jan 11 16:13 . > drwxrwx--- 7 postfix clamav 4096 Jan 11 16:14 .. 
> -rw------- 1 root root 0 Jan 11 16:13 antivirBusy.lock
> -rw------- 1 root root 0 Jan 11 16:13 avastBusy.lock
> -rw------- 1 root root 0 Jan 11 16:13 avgBusy.lock
> -rw------- 1 root root 0 Jan 11 16:13 bitdefenderBusy.lock
> -rw------- 1 root root 0 Jan 11 16:13 clamavBusy.lock
> -rw------- 1 root root 0 Jan 11 16:13 cssBusy.lock
> -rw------- 1 root root 0 Jan 11 16:13 esetsBusy.lock
> -rw------- 1 root root 0 Jan 11 16:13 etrustBusy.lock
> -rw------- 1 root root 0 Jan 11 16:13 f-prot-6Busy.lock
> -rw------- 1 root root 0 Jan 11 16:13 f-protBusy.lock
> -rw------- 1 root root 0 Jan 11 16:13 f-secureBusy.lock
> -rw------- 1 root root 0 Jan 11 16:13 genericBusy.lock
> -rw------- 1 root root 0 Jan 11 16:13 inoculanBusy.lock
> -rw------- 1 root root 0 Jan 11 16:13 kasperskyBusy.lock
> -rw------- 1 root root 0 Jan 11 16:13 mcafeeBusy.lock
> -rw------- 1 root root 0 Jan 11 16:13 MS.bayes.rebuild.lock
> -rw------- 1 root root 0 Jan 11 16:13 MS.bayes.starting.lock
> -rw------- 1 root root 0 Jan 11 16:13 nod32Busy.lock
> -rw------- 1 root root 0 Jan 11 16:13 normanBusy.lock
> -rw------- 1 root root 0 Jan 11 16:13 pandaBusy.lock
> -rw------- 1 root root 0 Jan 11 16:13 ravBusy.lock
> -rw------- 1 root root 0 Jan 11 16:13 sophosBusy.lock
> -rw------- 1 root root 0 Jan 11 16:13 symscanengineBusy.lock
> -rw------- 1 root root 0 Jan 11 16:13 trendBusy.lock
> -rw------- 1 root root 0 Jan 11 16:13 vba32Busy.lock
> -rw------- 1 root root 0 Jan 11 16:13 vexiraBusy.lock
>
>
> Still root.

Hmmm...

1.
I want to be sure there are no weird options for the mount that supplies
this directory. Do this:
    cd /var/spool/MailScanner/incoming
    df -h .
    mount
    ls -ld Locks
(all as root).
Also, paste the contents of your /etc/fstab file into your reply to this
mail.

2.
Also, please can you make a little edit to your
/usr/sbin/mailscanner_create_locks script.
Near the top you will see a line that says this:
    my $ldgid = getgrnam($ldgname);
That's about line 17. Immediately after that line, add this line:
    print STDERR "lduid = $lduid, ldgid = $ldgid\n";
and let's just check that it is getting the UID and GID correctly, as
failure to do that would cause your symptoms.
Run
    /usr/sbin/mailscanner_create_locks /var/spool/MailScanner/incoming/Locks postfix postfix
(all of that on 1 line) and include the output in your reply, and do another
    ls -al /var/spool/MailScanner/incoming/Locks
to see if anything has improved.

3.
If that still isn't working, right at the end of the script there are a
couple of "chown" lines.
Change the first one to read
    chown -1, $ldgid, $locksdirname or warn "Chown1: $!";
and the second one to read
    chown $lduid, $ldgid, @locknames or warn "Chown2: $!";
and then run the mailscanner_create_locks command I gave above. Let me
know if it prints anything, and what it says if it does.

4.
That lot should give me a better idea of what's going on.

>
> Dave
>>>
>>> Dave
>>>>
>>>>>
>>>>> -rw------- 1 root root 0 Jan 8 05:09 antivirBusy.lock
>>>>> -rw------- 1 root root 0 Jan 8 05:09 avastBusy.lock
>>>>> -rw------- 1 root root 0 Jan 8 05:09 avgBusy.lock
>>>>> -rw------- 1 root root 0 Jan 8 05:09 bitdefenderBusy.lock
>>>>> -rw------- 1 root root 49 Jan 9 19:15 clamavBusy.lock
>>>>> -rw------- 1 root root 0 Jan 8 05:09 cssBusy.lock
>>>>> -rw------- 1 root root 0 Jan 8 05:09 esetsBusy.lock
>>>>> -rw------- 1 root root 0 Jan 8 05:09 etrustBusy.lock
>>>>> -rw------- 1 root root 0 Jan 8 05:09 f-prot-6Busy.lock
>>>>> -rw------- 1 root root 0 Jan 8 05:09 f-protBusy.lock
>>>>> -rw------- 1 root root 0 Jan 8 05:09 f-secureBusy.lock
>>>>> -rw------- 1 root root 0 Jan 8 05:09 genericBusy.lock
>>>>> -rw------- 1 root root 0 Jan 8 05:09 inoculanBusy.lock
>>>>> -rw------- 1 root root 0 Jan 8 05:09 kasperskyBusy.lock
>>>>> -rw------- 1 root root 0 Jan 8 05:09 mcafeeBusy.lock
>>>>> -rw------- 1 root root 0 Jan 8 19:38 MS.bayes.rebuild.lock
>>>>> -rw------- 1 root root 0 Jan 11 04:15 MS.bayes.starting.lock
>>>>> -rw------- 1 root root 0
Jan 8 05:09 nod32Busy.lock >>>>> -rw------- 1 root root 0 Jan 8 05:09 normanBusy.lock >>>>> -rw------- 1 root root 0 Jan 8 05:09 pandaBusy.lock >>>>> -rw------- 1 root root 0 Jan 8 05:09 ravBusy.lock >>>>> -rw------- 1 root root 0 Jan 8 05:09 sophosBusy.lock >>>>> -rw------- 1 root root 0 Jan 8 05:09 symscanengineBusy.lock >>>>> -rw------- 1 root root 0 Jan 8 05:09 trendBusy.lock >>>>> -rw------- 1 root root 0 Jan 8 05:09 vba32Busy.lock >>>>> -rw------- 1 root root 0 Jan 8 05:09 vexiraBusy.lock >>>>> >>>>> /var/spool/MailScanner/incoming >>>>> [root@rosewood incoming]# ls -l >>>>> total 604 >>>>> drwxr-x--- 2 postfix clamav 4096 Jan 11 13:43 19962 >>>>> drwxr-x--- 2 postfix clamav 4096 Jan 11 13:38 19969 >>>>> drwxr-x--- 2 postfix clamav 4096 Jan 11 13:41 19976 >>>>> drwxr-x--- 2 postfix root 4096 Jan 11 04:15 Locks >>>>> -rw------- 1 postfix postfix 590848 Jan 11 13:41 >>>>> SpamAssassin.cache.db >>>>> drwx------ 2 postfix postfix 4096 Jan 11 13:43 SpamAssassin-Temp >>>>> >>>>> Yesterday this was all set as you have it above. >>>>> >>>>> Dave >>>> >>>> Jules >>>> >>> >> >> Jules >> > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From listacc at ocosa.com Sun Jan 11 23:51:54 2009 
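The check that steps 2 and 3 of the message above are working toward (do the configured names resolve to ids, and do the lock files actually carry them), as an added example that is not part of the thread and is not MailScanner's own code. The function names, the injectable `uid_of`/`gid_of` lookups and the constructed configuration fragment are assumptions for illustration; the three regular expressions are the ones from the Perl one-liners quoted in the thread.

```python
import grp
import os
import pwd
import re
import tempfile

# The same three settings the quoted Perl one-liners pull out of MailScanner.conf.
SETTING_PATTERNS = {
    "lock_dir": re.compile(r"^\s*Lock\s*file\s*Dir\s*=\s*(\S+)", re.I),
    "user": re.compile(r"^\s*Run\s*As\s*User\s*=\s*(\S+)", re.I),
    "group": re.compile(r"^\s*Run\s*As\s*Group\s*=\s*(\S+)", re.I),
}

# Constructed MailScanner.conf fragment used by demo(); not a real configuration.
CONSTRUCTED_CONF = """\
# constructed fragment for the demo
Run As User = postfix
Run As Group = postfix
Lock File Dir = {lock_dir}
"""


def read_settings(conf_text):
    """Return the settings found; commented-out lines do not match.
    If a setting appears twice this example keeps the later line."""
    found = {}
    for line in conf_text.splitlines():
        for key, pattern in SETTING_PATTERNS.items():
            match = pattern.match(line)
            if match:
                found[key] = match.group(1)
    return found


def system_uid(name):
    return pwd.getpwnam(name).pw_uid  # KeyError if the account does not exist


def system_gid(name):
    return grp.getgrnam(name).gr_gid  # KeyError if the group does not exist


def audit_locks(conf_text, uid_of=system_uid, gid_of=system_gid):
    """Return a list of (path, problem); an empty list means ownership is as configured."""
    cfg = read_settings(conf_text)
    missing = [key for key in ("lock_dir", "user", "group") if key not in cfg]
    if missing:
        return [("MailScanner.conf", "setting not found: " + ", ".join(missing))]
    try:
        want_uid = uid_of(cfg["user"])
        want_gid = gid_of(cfg["group"])
    except KeyError:
        # The failure suspected in the thread: a name that yields no id.
        return [(cfg["lock_dir"],
                 "cannot resolve %r / %r" % (cfg["user"], cfg["group"]))]
    problems = []
    # Only the group of the directory is checked, matching the first chown
    # quoted in the thread (uid -1 leaves the directory owner alone).
    dir_gid = os.stat(cfg["lock_dir"]).st_gid
    if dir_gid != want_gid:
        problems.append((cfg["lock_dir"], "group %d, expected %d" % (dir_gid, want_gid)))
    for name in sorted(os.listdir(cfg["lock_dir"])):
        if not name.endswith(".lock"):
            continue
        path = os.path.join(cfg["lock_dir"], name)
        st = os.lstat(path)
        if (st.st_uid, st.st_gid) != (want_uid, want_gid):
            problems.append((path, "owner %d:%d, expected %d:%d"
                             % (st.st_uid, st.st_gid, want_uid, want_gid)))
    return problems


def demo():
    """Constructed scenario: two lock files owned by the current user, audited
    once with 'postfix' mapped to another uid and once mapped to the real owner."""
    with tempfile.TemporaryDirectory(prefix="Locks-") as lock_dir:
        for name in ("clamavBusy.lock", "MS.bayes.starting.lock"):
            open(os.path.join(lock_dir, name), "w").close()
        conf = CONSTRUCTED_CONF.format(lock_dir=lock_dir)
        me, dir_gid = os.geteuid(), os.stat(lock_dir).st_gid
        wrong = audit_locks(conf, uid_of=lambda n: me + 1, gid_of=lambda n: dir_gid)
        right = audit_locks(conf, uid_of=lambda n: me, gid_of=lambda n: dir_gid)
    return wrong, right


if __name__ == "__main__":
    mismatched, clean = demo()
    for path, problem in mismatched:
        print(path, "->", problem)
    print("matching case reports", len(clean), "problems")
```

On a real host, `audit_locks(open("/etc/MailScanner/MailScanner.conf").read())` run as root uses the system account database and the configured lock directory.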
From: listacc at ocosa.com (ListAcc)
Date: Sun Jan 11 23:52:13 2009
Subject: block spoofing mail
In-Reply-To: <72cf361e0901111153n686b1e45l7f0dd56c87f63a36@mail.gmail.com>
References: <928434630901100033l3381ec9ifec81d6844b03e0@mail.gmail.com>
    <72cf361e0901111153n686b1e45l7f0dd56c87f63a36@mail.gmail.com>
Message-ID: <496A861A.9060401@ocosa.com>

Martin,

There is a previous post about this. Have you considered using SPF?

One thing to cut down on spoofed mail is to set up an ACL on the outside
interface of your mail server that blocks all IP addresses not yet
assigned or known for spam. If you are using postfix as your MTA you can
set this up with smtpd restrictions. The below will help mitigate but I
would suggest also putting up an ACL if you can to block your domain name
from entering your outside interface if it's within your mail routing
policy and setup. Also scan all user computers for bots etc. that may be
around. Make sure users must authenticate before sending....

For example:

in /etc/postfix/main.cf

    smtpd_recipient_restrictions =
        check_sender_mx_access cidr:/etc/postfix/bogus_mx
        # (see postfix for complete command usage and available restrictions)
        permit

make sure you create the bogus_mx and place all the bad networks such as

in /etc/postfix/bogus_mx

    0.0.0.0/8 550 Bad Network
    10.0.0.0/8 550 Bad Network
    127.0.0.0/8 550 Bad Network

For a complete up to date list of bogon networks see
http://www.team-cymru.org

Regards,
Otis

Martin Hepworth wrote:
> 2009/1/10 ichwan nur hakim :
>
>> hi guys,
>>
>> how block spoofing mail with mailscanner..?? coz my office mail very much
>> recipient spoofing mail.
>> Thank's
>>
>> --
>> MailScanner mailing list
>> mailscanner@lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>
>>
>>
>
>
> HI
>
> perhaps you can give an example of what you mean by 'spoofing email'?
>
>

From dave.filchak at senecac.on.ca Mon Jan 12 03:22:58 2009
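How the bogus_mx table from the post above is evaluated against the MX addresses of a sender domain, as an added example that is not part of the original post and is not Postfix code. It assumes plain `network action` lines only and that the first matching entry wins; the function names, sender domains and MX addresses are constructed for illustration.

```python
import ipaddress

# The three entries quoted in the post, in the same "network action" layout.
BOGUS_MX = """\
# /etc/postfix/bogus_mx
0.0.0.0/8     550 Bad Network
10.0.0.0/8    550 Bad Network
127.0.0.0/8   550 Bad Network
"""

# Constructed sender domains with the addresses their MX hosts resolve to.
CONSTRUCTED_SENDERS = {
    "loopback-mx.example": ["127.0.0.1"],
    "private-backup-mx.example": ["192.0.2.25", "10.20.30.40"],
    "ordinary.example": ["192.0.2.10"],
}


def parse_cidr_table(text):
    """Return [(network, action)] in file order; blank lines and # comments are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("line %d: expected 'network action'" % lineno)
        # strict=True turns a typo such as 10.1.2.3/8 (host bits set) into an error
        network = ipaddress.ip_network(parts[0], strict=True)
        rules.append((network, parts[1].strip()))
    return rules


def lookup(rules, address):
    """Return the action of the first network containing address, or None."""
    ip = ipaddress.ip_address(address)
    for network, action in rules:
        if ip.version == network.version and ip in network:
            return action
    return None


def check_sender_mx(rules, mx_addresses):
    """Return (address, action) for the first MX address the table lists, else None.
    One listed MX is enough to trigger the action, even when other MX hosts are fine."""
    for address in mx_addresses:
        action = lookup(rules, address)
        if action is not None:
            return address, action
    return None


def evaluate_constructed_senders():
    rules = parse_cidr_table(BOGUS_MX)
    return {domain: check_sender_mx(rules, addresses)
            for domain, addresses in CONSTRUCTED_SENDERS.items()}


if __name__ == "__main__":
    for domain, hit in evaluate_constructed_senders().items():
        if hit:
            print("%s: MX %s matched, action %r" % (domain, hit[0], hit[1]))
        else:
            print("%s: no table entry matched" % domain)
```

On a host with Postfix installed, `postmap -q 10.20.30.40 cidr:/etc/postfix/bogus_mx` performs the real lookup against the same file.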
From: dave.filchak at senecac.on.ca (Dave Filchak)
Date: Mon Jan 12 03:23:14 2009
Subject: General Thankyou (still diagnosing fault)
In-Reply-To: <496A85DC.3060404@ecs.soton.ac.uk>
References: <60382.204.184.75.172.1231471379.squirrel@webmail.elsberry.k12.mo.us>
    <49679B36.9010202@senecac.on.ca> <4967A01A.1020805@senecac.on.ca>
    <4967D6F2.8090907@senecac.on.ca> <496A4264.6080303@senecac.on.ca>
    <496A470A.7070507@ecs.soton.ac.uk> <496A538C.60903@senecac.on.ca>
    <496A5BC8.4000908@ecs.soton.ac.uk> <496A6204.9070105@senecac.on.ca>
    <496A85DC.3060404@ecs.soton.ac.uk>
Message-ID: <496AB792.9090605@senecac.on.ca>

Julian,

Julian Field wrote:
>
>
> On 11/1/09 21:17, Dave Filchak wrote:
>> Jules,
>>
>> Julian Field wrote:
>>>
>>>
>>> On 11/1/09 20:16, Dave Filchak wrote:
>>>> Jules
>>>>
>>>> Julian Field wrote:
>>>>>
>>>>>
>>>>> On 11/1/09 19:03, Dave Filchak wrote:
>>>>>> Kai,
>>>>>>
>>>>>>
>>>>>>
>>>>>> Dave Filchak wrote:
>>>>>>> Kai,
>>>>>>>
>>>>>>> Kai Schaetzl wrote:
>>>>>>>> Dave Filchak wrote on Fri, 09 Jan 2009 14:06:02 -0500:
>>>>>>>>
>>>>>>>>
>>>>>>>>> So I checked the permissions there and the Locks directory is
>>>>>>>>> owned by postfix.root and the locks inside are all owned by
>>>>>>>>> root.root.
>>>>>>>>
>>>>>>>> That is *all* wrong. Reread the tutorials for MS+postfix and
>>>>>>>> for MS+clamd (you are using clamd, right).
>>>>>>>>
>>>>>>>> /var/spool/MailScanner/incoming/Locks l
>>>>>>>> total 16
>>>>>>>> drwxr-x--- 2 root postfix 4096 Jan 9 23:03 .
>>>>>>>> drwxr-xr-x 5 postfix clamav 4096 Jan 9 23:04 ..
>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 antivirBusy.lock >>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 avastBusy.lock >>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 avgBusy.lock >>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 >>>>>>>> bitdefenderBusy.lock >>>>>>>> -rw------- 1 postfix postfix 100 Jan 9 23:05 clamavBusy.lock >>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 cssBusy.lock >>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 esetsBusy.lock >>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 etrustBusy.lock >>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 f-prot-6Busy.lock >>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 f-protBusy.lock >>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 f-secureBusy.lock >>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 genericBusy.lock >>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 inoculanBusy.lock >>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 kasperskyBusy.lock >>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 mcafeeBusy.lock >>>>>>>> -rw------- 1 postfix postfix 0 Jan 7 16:51 >>>>>>>> MS.bayes.rebuild.lock >>>>>>>> -rw------- 1 postfix postfix 0 Jan 9 23:03 >>>>>>>> MS.bayes.starting.lock >>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 nod32Busy.lock >>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 normanBusy.lock >>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 pandaBusy.lock >>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 ravBusy.lock >>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 sophosBusy.lock >>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 >>>>>>>> symscanengineBusy.lock >>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 trendBusy.lock >>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 vba32Busy.lock >>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 vexiraBusy.lock >>>>>>>> >>>>>>>> Kai >>>>>>>> >>>>>>> Well I will definitely reread these. I never specifically set >>>>>>> these permissions anywhere. 
One would thing that these would be >>>>>>> created by the settings in MailScanner.conf .. wouldn't you? >>>>>>> There is no specific alternate user settings in spamassassin so >>>>>>> .... something is setting these permissions this way. >>>>>>> >>>>>> I have gone through the tutorials a few times and I seem to have >>>>>> everything set up correctly yet .... something keeps reseting the >>>>>> permissions in the Locks directory back to the following: >>>>> It will be being clobbered by the update_virus_scanners cron job >>>>> which is run once per hour. Please can you mail me an exact copy >>>>> (preferably gzipped) of your MailScanner.conf file. Have you moved >>>>> that file from its default location or anything like that? It >>>>> should pull out the "Run As User" and "Run As Group" from >>>>> MailScanner.conf and use those values to set the ownership of the >>>>> lock files. Clearly something is going wrong there. >>>>> >>>>> Copy and paste the following commands into a shell running as >>>>> root. Beware of extra line-breaks that my mail program or your >>>>> mail program may add into the following, hopefully they'll be okay. >>>>> >>>>> LOCKDIR=`perl -n -e 'print "$_" if chomp && >>>>> s/^\s*Lock\s*file\s*Dir\s*=\s*(\S+)/$1/i' >>>>> /etc/MailScanner/MailScanner.conf` >>>>> RUNASU=`perl -n -e 'print "$_" if chomp && >>>>> s/^\s*Run\s*As\s*User\s*=\s*(\S+)/$1/i' >>>>> /etc/MailScanner/MailScanner.conf` >>>>> RUNASG=`perl -n -e 'print "$_" if chomp && >>>>> s/^\s*Run\s*As\s*Group\s*=\s*(\S+)/$1/i' >>>>> /etc/MailScanner/MailScanner.conf` >>>>> echo $LOCKDIR >>>>> echo $RUNASU >>>>> echo $RUNASG >>>>> /usr/sbin/mailscanner_create_locks "$LOCKDIR" "$RUNASU" "$RUNASG" >>>>> >>>>> Then show me what you get from >>>>> ls -al $LOCKDIR >>>>> assuming that the "echo $LOCKDIR" command printed out the >>>>> directory where your lock files are stored (i.e. normally >>>>> /var/spool/MailScanner/incoming/Locks). >>>> >>>> I have emailed you my conf file. > That looks fine. 
>>>> Here is the output from your scripts: >>>> >>>> [root@rosewood MailScanner]# LOCKDIR=`perl -n -e 'print "$_" if >>>> chomp && s/^\s*Lock\s*file\s*Dir\s*=\s*(\S+)/$1/i' >>>> /etc/MailScanner/MailScanner.conf` >>>> [root@rosewood MailScanner]# RUNASU=`perl -n -e 'print "$_" if >>>> chomp && s/^\s*Run\s*As\s*User\s*=\s*(\S+)/$1/i' >>>> /etc/MailScanner/MailScanner.conf` >>>> [root@rosewood MailScanner]# RUNASG=`perl -n -e 'print "$_" if >>>> chomp && s/^\s*Run\s*As\s*Group\s*=\s*(\S+)/$1/i' >>>> /etc/MailScanner/MailScanner.conf` >>>> [root@rosewood MailScanner]# echo $LOCKDIR >>>> /var/spool/MailScanner/incoming/Locks >>>> [root@rosewood MailScanner]# echo $RUNASU >>>> postfix >>>> [root@rosewood MailScanner]# echo $RUNASG >>>> postfix >>> That all looks good. As root, >>> rm -rf /var/spool/MailScanner/incoming/Locks >>> and then >>> /usr/sbin/update_virus_scanners >>> and then show me an >>> ls -al /var/spool/MailScanner/incoming/Locks >>> >>> The files in there should be owned by postfix. Let's see if that's >>> true. >>> >> OK .. deleted the Locks directory, ran update_virus_scanners and got: >> >> ls -al /var/spool/MailScanner/incoming/Locks/ >> total 8 >> drwxr-x--- 2 root root 4096 Jan 11 16:13 . >> drwxrwx--- 7 postfix clamav 4096 Jan 11 16:14 .. 
>> -rw------- 1 root root 0 Jan 11 16:13 antivirBusy.lock >> -rw------- 1 root root 0 Jan 11 16:13 avastBusy.lock >> -rw------- 1 root root 0 Jan 11 16:13 avgBusy.lock >> -rw------- 1 root root 0 Jan 11 16:13 bitdefenderBusy.lock >> -rw------- 1 root root 0 Jan 11 16:13 clamavBusy.lock >> -rw------- 1 root root 0 Jan 11 16:13 cssBusy.lock >> -rw------- 1 root root 0 Jan 11 16:13 esetsBusy.lock >> -rw------- 1 root root 0 Jan 11 16:13 etrustBusy.lock >> -rw------- 1 root root 0 Jan 11 16:13 f-prot-6Busy.lock >> -rw------- 1 root root 0 Jan 11 16:13 f-protBusy.lock >> -rw------- 1 root root 0 Jan 11 16:13 f-secureBusy.lock >> -rw------- 1 root root 0 Jan 11 16:13 genericBusy.lock >> -rw------- 1 root root 0 Jan 11 16:13 inoculanBusy.lock >> -rw------- 1 root root 0 Jan 11 16:13 kasperskyBusy.lock >> -rw------- 1 root root 0 Jan 11 16:13 mcafeeBusy.lock >> -rw------- 1 root root 0 Jan 11 16:13 MS.bayes.rebuild.lock >> -rw------- 1 root root 0 Jan 11 16:13 MS.bayes.starting.lock >> -rw------- 1 root root 0 Jan 11 16:13 nod32Busy.lock >> -rw------- 1 root root 0 Jan 11 16:13 normanBusy.lock >> -rw------- 1 root root 0 Jan 11 16:13 pandaBusy.lock >> -rw------- 1 root root 0 Jan 11 16:13 ravBusy.lock >> -rw------- 1 root root 0 Jan 11 16:13 sophosBusy.lock >> -rw------- 1 root root 0 Jan 11 16:13 symscanengineBusy.lock >> -rw------- 1 root root 0 Jan 11 16:13 trendBusy.lock >> -rw------- 1 root root 0 Jan 11 16:13 vba32Busy.lock >> -rw------- 1 root root 0 Jan 11 16:13 vexiraBusy.lock >> >> >> Still root. > Hmmm... > > 1 > I want to be sure there are no weird options for the mount that > supplies this directory. Do this: > cd /var/spool/MailScanner/incoming > df -h . > mount > ls -ld Locks > (all as root). > Also, paste the contents of your /etc/fstab file into your reply to > this mail. > > 2 > Also, please can you make a little edit to your > /usr/sbin/mailscanner_create_locks script. 
> Near the top you will see a line that says this: > my $ldgid = getgrnam($ldgname); > That's about line 17. Immediately after that line, add this line: > print STDERR "lduid = $lduid, ldgid = $ldgid\n"; > and let's just check that it is getting the UID and GID correctly, as > failure to do that would cause your symptoms. > Run > /usr/sbin/mailscanner_create_locks > /var/spool/MailScanner/incoming/Locks postfix postfix > (all of that on 1 line) and include the output in your reply, > and do another > ls -al /var/spool/MailScanner/incoming/Locks > to see if anything has improved. > > 3 > If that still isn't working, right at the end of the script there are > a couple of "chown" lines. Change the first one to read > chown -1, $ldgid, $locksdirname or warn "Chown1: $!"; > and the second one to read > chown $lduid, $ldgid, @locknames or warn "Chown2: $!"; > and then run the mailscanner_create_locks command I gave above. Let me > know if it prints anything, and what it says if it does. > > 4 > That lot should give me a better idea of what's going on. cd /var/spool/MailScanner/incoming/ [root@rosewood incoming]# df -h . 
Filesystem Size Used Avail Use% Mounted on
/dev/hdb1 111G 15G 91G 14% /var
[root@rosewood incoming]# mount
/dev/sda5 on / type ext3 (rw)
none on /proc type proc (rw)
none on /sys type sysfs (rw)
none on /dev/pts type devpts (rw,gid=5,mode=620)
usbfs on /proc/bus/usb type usbfs (rw)
/dev/sda1 on /boot type ext3 (rw)
none on /dev/shm type tmpfs (rw)
/dev/sda2 on /home type ext3 (rw)
/dev/sdb1 on /usr type ext3 (rw)
/dev/hdb1 on /var type ext3 (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
[root@rosewood incoming]# ls -ld Locks
drwxr-x--- 2 root root 4096 Jan 11 16:13 Locks

FSTAB:

LABEL=/ / ext3 defaults 1 1
LABEL=/boot /boot ext3 defaults 1 2
none /dev/pts devpts gid=5,mode=620 0 0
none /dev/shm tmpfs defaults 0 0
LABEL=/home /home ext3 defaults 1 2
none /proc proc defaults 0 0
none /sys sysfs defaults 0 0
LABEL=/usr /usr ext3 defaults 1 2
LABEL=/var /var ext3 defaults 1 2
LABEL=SWAP-sda3 swap swap defaults 0 0
/dev/hda /media/cdrecorder auto pamconsole,exec,noauto,managed 0 0

/usr/sbin/mailscanner_create_locks /var/spool/MailScanner/incoming/Locks postfix postfix
lduid = 80, ldgid = 80
[root@rosewood sbin]# ls -al /var/spool/MailScanner/incoming/Locks
total 8
drwxr-x--- 2 root postfix 4096 Jan 11 16:13 .
drwxrwx--- 7 postfix clamav 4096 Jan 11 22:18 ..
-rw------- 1 postfix postfix 0 Jan 11 16:13 antivirBusy.lock
-rw------- 1 postfix postfix 0 Jan 11 16:13 avastBusy.lock
-rw------- 1 postfix postfix 0 Jan 11 16:13 avgBusy.lock
-rw------- 1 postfix postfix 0 Jan 11 16:13 bitdefenderBusy.lock
-rw------- 1 postfix postfix 0 Jan 11 16:13 clamavBusy.lock
-rw------- 1 postfix postfix 0 Jan 11 16:13 cssBusy.lock
-rw------- 1 postfix postfix 0 Jan 11 16:13 esetsBusy.lock
-rw------- 1 postfix postfix 0 Jan 11 16:13 etrustBusy.lock
-rw------- 1 postfix postfix 0 Jan 11 16:13 f-prot-6Busy.lock
-rw------- 1 postfix postfix 0 Jan 11 16:13 f-protBusy.lock
-rw------- 1 postfix postfix 0 Jan 11 16:13 f-secureBusy.lock
-rw------- 1 postfix postfix 0 Jan 11 16:13 genericBusy.lock
-rw------- 1 postfix postfix 0 Jan 11 16:13 inoculanBusy.lock
-rw------- 1 postfix postfix 0 Jan 11 16:13 kasperskyBusy.lock
-rw------- 1 postfix postfix 0 Jan 11 16:13 mcafeeBusy.lock
-rw------- 1 postfix postfix 0 Jan 11 16:13 MS.bayes.rebuild.lock
-rw------- 1 postfix postfix 0 Jan 11 16:13 MS.bayes.starting.lock
-rw------- 1 postfix postfix 0 Jan 11 16:13 nod32Busy.lock
-rw------- 1 postfix postfix 0 Jan 11 16:13 normanBusy.lock
-rw------- 1 postfix postfix 0 Jan 11 16:13 pandaBusy.lock
-rw------- 1 postfix postfix 0 Jan 11 16:13 ravBusy.lock
-rw------- 1 postfix postfix 0 Jan 11 16:13 sophosBusy.lock
-rw------- 1 postfix postfix 0 Jan 11 16:13 symscanengineBusy.lock
-rw------- 1 postfix postfix 0 Jan 11 16:13 trendBusy.lock
-rw------- 1 postfix postfix 0 Jan 11 16:13 vba32Busy.lock
-rw------- 1 postfix postfix 0 Jan 11 16:13 vexiraBusy.lock

I did not do your last request as this shows the proper ownership. The question is: will it hold?

Let me know if you still want me to do that last bit.

Sorry it took a while to get back to you. I had to run out for a bit.

Dave
>>>>>>
>>>>>> -rw------- 1 root root 0 Jan 8 05:09 antivirBusy.lock
>>>>>> -rw------- 1 root root 0 Jan 8 05:09 avastBusy.lock
>>>>>> -rw------- 1 root root 0 Jan 8 05:09 avgBusy.lock
>>>>>> -rw------- 1 root root 0 Jan 8 05:09 bitdefenderBusy.lock
>>>>>> -rw------- 1 root root 49 Jan 9 19:15 clamavBusy.lock
>>>>>> -rw------- 1 root root 0 Jan 8 05:09 cssBusy.lock
>>>>>> -rw------- 1 root root 0 Jan 8 05:09 esetsBusy.lock
>>>>>> -rw------- 1 root root 0 Jan 8 05:09 etrustBusy.lock
>>>>>> -rw------- 1 root root 0 Jan 8 05:09 f-prot-6Busy.lock
>>>>>> -rw------- 1 root root 0 Jan 8 05:09 f-protBusy.lock
>>>>>> -rw------- 1 root root 0 Jan 8 05:09 f-secureBusy.lock
>>>>>> -rw------- 1 root root 0 Jan 8 05:09 genericBusy.lock
>>>>>> -rw------- 1 root root 0 Jan 8 05:09 inoculanBusy.lock
>>>>>> -rw------- 1 root root 0 Jan 8 05:09 kasperskyBusy.lock
>>>>>> -rw------- 1 root root 0 Jan 8 05:09 mcafeeBusy.lock
>>>>>> -rw------- 1 root root 0 Jan 8 19:38 MS.bayes.rebuild.lock
>>>>>> -rw------- 1 root root 0 Jan 11 04:15 MS.bayes.starting.lock
>>>>>> -rw------- 1 root root 0 Jan 8 05:09 nod32Busy.lock
>>>>>> -rw------- 1 root root 0 Jan 8 05:09 normanBusy.lock
>>>>>> -rw------- 1 root root 0 Jan 8 05:09 pandaBusy.lock
>>>>>> -rw------- 1 root root 0 Jan 8 05:09 ravBusy.lock
>>>>>> -rw------- 1 root root 0 Jan 8 05:09 sophosBusy.lock
>>>>>> -rw------- 1 root root 0 Jan 8 05:09 symscanengineBusy.lock
>>>>>> -rw------- 1 root root 0 Jan 8 05:09 trendBusy.lock
>>>>>> -rw------- 1 root root 0 Jan 8 05:09 vba32Busy.lock
>>>>>> -rw------- 1 root root 0 Jan 8 05:09 vexiraBusy.lock
>>>>>>
>>>>>> /var/spool/MailScanner/incoming
>>>>>> [root@rosewood incoming]# ls -l
>>>>>> total 604
>>>>>> drwxr-x--- 2 postfix clamav 4096 Jan 11 13:43 19962
>>>>>> drwxr-x--- 2 postfix clamav 4096 Jan 11 13:38 19969
>>>>>> drwxr-x--- 2 postfix clamav 4096 Jan 11 13:41 19976
>>>>>> drwxr-x--- 2 postfix root 4096 Jan 11 04:15 Locks
>>>>>> -rw------- 1 postfix postfix 590848 Jan 11 13:41 SpamAssassin.cache.db
>>>>>> drwx------ 2 postfix postfix 4096 Jan 11 13:43 SpamAssassin-Temp
>>>>>>
>>>>>> Yesterday this was all set as you have it above.
>>>>>>
>
>
--
Dave Filchak
Instructor, School of Communications Arts
Seneca College @ York
Office: Room 1068

From dave.filchak at senecac.on.ca Mon Jan 12 04:17:03 2009
From: dave.filchak at senecac.on.ca (Dave Filchak) Date: Mon Jan 12 04:17:18 2009 Subject: General Thankyou (still diagnosing fault) In-Reply-To: <496AB792.9090605@senecac.on.ca> References: <60382.204.184.75.172.1231471379.squirrel@webmail.elsberry.k12.mo.us> <49679B36.9010202@senecac.on.ca> <4967A01A.1020805@senecac.on.ca> <4967D6F2.8090907@senecac.on.ca> <496A4264.6080303@senecac.on.ca> <496A470A.7070507@ecs.soton.ac.uk> <496A538C.60903@senecac.on.ca> <496A5BC8.4000908@ecs.soton.ac.uk> <496A6204.9070105@senecac.on.ca> <496A85DC.3060404@ecs.soton.ac.uk> <496AB792.9090605@senecac.on.ca> Message-ID: <496AC43F.9030701@senecac.on.ca> Julian Dave Filchak wrote: > Julian, > > Julian Field wrote: >> >> >> On 11/1/09 21:17, Dave Filchak wrote: >>> Jules, >>> >>> Julian Field wrote: >>>> >>>> >>>> On 11/1/09 20:16, Dave Filchak wrote: >>>>> Jules >>>>> >>>>> Julian Field wrote: >>>>>> >>>>>> >>>>>> On 11/1/09 19:03, Dave Filchak wrote: >>>>>>> Kai, >>>>>>> >>>>>>> >>>>>>> >>>>>>> Dave Filchak wrote: >>>>>>>> Kai, >>>>>>>> >>>>>>>> Kai Schaetzl wrote: >>>>>>>>> Dave Filchak wrote on Fri, 09 Jan 2009 14:06:02 -0500: >>>>>>>>> >>>>>>>>> >>>>>>>>>> So I checked the permissions there and the Locks directory is >>>>>>>>>> owned by postfix.root and the locks inside are all owned by >>>>>>>>>> root.root. >>>>>>>>> >>>>>>>>> That is *all* wrong. Reread the tutorials for MS+postfix and >>>>>>>>> for MS+clamd (you are using clamd, right). >>>>>>>>> >>>>>>>>> /var/spool/MailScanner/incoming/Locks l >>>>>>>>> total 16 >>>>>>>>> drwxr-x--- 2 root postfix 4096 Jan 9 23:03 . >>>>>>>>> drwxr-xr-x 5 postfix clamav 4096 Jan 9 23:04 .. 
>>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 antivirBusy.lock >>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 avastBusy.lock >>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 avgBusy.lock >>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 >>>>>>>>> bitdefenderBusy.lock >>>>>>>>> -rw------- 1 postfix postfix 100 Jan 9 23:05 clamavBusy.lock >>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 cssBusy.lock >>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 esetsBusy.lock >>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 etrustBusy.lock >>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 f-prot-6Busy.lock >>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 f-protBusy.lock >>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 f-secureBusy.lock >>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 genericBusy.lock >>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 inoculanBusy.lock >>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 kasperskyBusy.lock >>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 mcafeeBusy.lock >>>>>>>>> -rw------- 1 postfix postfix 0 Jan 7 16:51 >>>>>>>>> MS.bayes.rebuild.lock >>>>>>>>> -rw------- 1 postfix postfix 0 Jan 9 23:03 >>>>>>>>> MS.bayes.starting.lock >>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 nod32Busy.lock >>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 normanBusy.lock >>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 pandaBusy.lock >>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 ravBusy.lock >>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 sophosBusy.lock >>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 >>>>>>>>> symscanengineBusy.lock >>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 trendBusy.lock >>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 vba32Busy.lock >>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 vexiraBusy.lock >>>>>>>>> >>>>>>>>> Kai >>>>>>>>> >>>>>>>> Well I will definitely reread these. 
I never specifically set >>>>>>>> these permissions anywhere. One would thing that these would be >>>>>>>> created by the settings in MailScanner.conf .. wouldn't you? >>>>>>>> There is no specific alternate user settings in spamassassin >>>>>>>> so .... something is setting these permissions this way. >>>>>>>> >>>>>>> I have gone through the tutorials a few times and I seem to have >>>>>>> everything set up correctly yet .... something keeps reseting >>>>>>> the permissions in the Locks directory back to the following: >>>>>> It will be being clobbered by the update_virus_scanners cron job >>>>>> which is run once per hour. Please can you mail me an exact copy >>>>>> (preferably gzipped) of your MailScanner.conf file. Have you >>>>>> moved that file from its default location or anything like that? >>>>>> It should pull out the "Run As User" and "Run As Group" from >>>>>> MailScanner.conf and use those values to set the ownership of the >>>>>> lock files. Clearly something is going wrong there. >>>>>> >>>>>> Copy and paste the following commands into a shell running as >>>>>> root. Beware of extra line-breaks that my mail program or your >>>>>> mail program may add into the following, hopefully they'll be okay. >>>>>> >>>>>> LOCKDIR=`perl -n -e 'print "$_" if chomp && >>>>>> s/^\s*Lock\s*file\s*Dir\s*=\s*(\S+)/$1/i' >>>>>> /etc/MailScanner/MailScanner.conf` >>>>>> RUNASU=`perl -n -e 'print "$_" if chomp && >>>>>> s/^\s*Run\s*As\s*User\s*=\s*(\S+)/$1/i' >>>>>> /etc/MailScanner/MailScanner.conf` >>>>>> RUNASG=`perl -n -e 'print "$_" if chomp && >>>>>> s/^\s*Run\s*As\s*Group\s*=\s*(\S+)/$1/i' >>>>>> /etc/MailScanner/MailScanner.conf` >>>>>> echo $LOCKDIR >>>>>> echo $RUNASU >>>>>> echo $RUNASG >>>>>> /usr/sbin/mailscanner_create_locks "$LOCKDIR" "$RUNASU" "$RUNASG" >>>>>> >>>>>> Then show me what you get from >>>>>> ls -al $LOCKDIR >>>>>> assuming that the "echo $LOCKDIR" command printed out the >>>>>> directory where your lock files are stored (i.e. 
normally >>>>>> /var/spool/MailScanner/incoming/Locks). >>>>> >>>>> I have emailed you my conf file. >> That looks fine. >>>>> Here is the output from your scripts: >>>>> >>>>> [root@rosewood MailScanner]# LOCKDIR=`perl -n -e 'print "$_" if >>>>> chomp && s/^\s*Lock\s*file\s*Dir\s*=\s*(\S+)/$1/i' >>>>> /etc/MailScanner/MailScanner.conf` >>>>> [root@rosewood MailScanner]# RUNASU=`perl -n -e 'print "$_" if >>>>> chomp && s/^\s*Run\s*As\s*User\s*=\s*(\S+)/$1/i' >>>>> /etc/MailScanner/MailScanner.conf` >>>>> [root@rosewood MailScanner]# RUNASG=`perl -n -e 'print "$_" if >>>>> chomp && s/^\s*Run\s*As\s*Group\s*=\s*(\S+)/$1/i' >>>>> /etc/MailScanner/MailScanner.conf` >>>>> [root@rosewood MailScanner]# echo $LOCKDIR >>>>> /var/spool/MailScanner/incoming/Locks >>>>> [root@rosewood MailScanner]# echo $RUNASU >>>>> postfix >>>>> [root@rosewood MailScanner]# echo $RUNASG >>>>> postfix >>>> That all looks good. As root, >>>> rm -rf /var/spool/MailScanner/incoming/Locks >>>> and then >>>> /usr/sbin/update_virus_scanners >>>> and then show me an >>>> ls -al /var/spool/MailScanner/incoming/Locks >>>> >>>> The files in there should be owned by postfix. Let's see if that's >>>> true. >>>> >>> OK .. deleted the Locks directory, ran update_virus_scanners and got: >>> >>> ls -al /var/spool/MailScanner/incoming/Locks/ >>> total 8 >>> drwxr-x--- 2 root root 4096 Jan 11 16:13 . >>> drwxrwx--- 7 postfix clamav 4096 Jan 11 16:14 .. 
>>> -rw------- 1 root root 0 Jan 11 16:13 antivirBusy.lock >>> -rw------- 1 root root 0 Jan 11 16:13 avastBusy.lock >>> -rw------- 1 root root 0 Jan 11 16:13 avgBusy.lock >>> -rw------- 1 root root 0 Jan 11 16:13 bitdefenderBusy.lock >>> -rw------- 1 root root 0 Jan 11 16:13 clamavBusy.lock >>> -rw------- 1 root root 0 Jan 11 16:13 cssBusy.lock >>> -rw------- 1 root root 0 Jan 11 16:13 esetsBusy.lock >>> -rw------- 1 root root 0 Jan 11 16:13 etrustBusy.lock >>> -rw------- 1 root root 0 Jan 11 16:13 f-prot-6Busy.lock >>> -rw------- 1 root root 0 Jan 11 16:13 f-protBusy.lock >>> -rw------- 1 root root 0 Jan 11 16:13 f-secureBusy.lock >>> -rw------- 1 root root 0 Jan 11 16:13 genericBusy.lock >>> -rw------- 1 root root 0 Jan 11 16:13 inoculanBusy.lock >>> -rw------- 1 root root 0 Jan 11 16:13 kasperskyBusy.lock >>> -rw------- 1 root root 0 Jan 11 16:13 mcafeeBusy.lock >>> -rw------- 1 root root 0 Jan 11 16:13 MS.bayes.rebuild.lock >>> -rw------- 1 root root 0 Jan 11 16:13 MS.bayes.starting.lock >>> -rw------- 1 root root 0 Jan 11 16:13 nod32Busy.lock >>> -rw------- 1 root root 0 Jan 11 16:13 normanBusy.lock >>> -rw------- 1 root root 0 Jan 11 16:13 pandaBusy.lock >>> -rw------- 1 root root 0 Jan 11 16:13 ravBusy.lock >>> -rw------- 1 root root 0 Jan 11 16:13 sophosBusy.lock >>> -rw------- 1 root root 0 Jan 11 16:13 symscanengineBusy.lock >>> -rw------- 1 root root 0 Jan 11 16:13 trendBusy.lock >>> -rw------- 1 root root 0 Jan 11 16:13 vba32Busy.lock >>> -rw------- 1 root root 0 Jan 11 16:13 vexiraBusy.lock >>> >>> >>> Still root. >> Hmmm... >> >> 1 >> I want to be sure there are no weird options for the mount that >> supplies this directory. Do this: >> cd /var/spool/MailScanner/incoming >> df -h . >> mount >> ls -ld Locks >> (all as root). >> Also, paste the contents of your /etc/fstab file into your reply to >> this mail. >> >> 2 >> Also, please can you make a little edit to your >> /usr/sbin/mailscanner_create_locks script. 
>> Near the top you will see a line that says this: >> my $ldgid = getgrnam($ldgname); >> That's about line 17. Immediately after that line, add this line: >> print STDERR "lduid = $lduid, ldgid = $ldgid\n"; >> and let's just check that it is getting the UID and GID correctly, as >> failure to do that would cause your symptoms. >> Run >> /usr/sbin/mailscanner_create_locks >> /var/spool/MailScanner/incoming/Locks postfix postfix >> (all of that on 1 line) and include the output in your reply, >> and do another >> ls -al /var/spool/MailScanner/incoming/Locks >> to see if anything has improved. >> >> 3 >> If that still isn't working, right at the end of the script there are >> a couple of "chown" lines. Change the first one to read >> chown -1, $ldgid, $locksdirname or warn "Chown1: $!"; >> and the second one to read >> chown $lduid, $ldgid, @locknames or warn "Chown2: $!"; >> and then run the mailscanner_create_locks command I gave above. Let >> me know if it prints anything, and what it says if it does. >> >> 4 >> That lot should give me a better idea of what's going on. > > cd /var/spool/MailScanner/incoming/ > [root@rosewood incoming]# df -h . 
> Filesystem Size Used Avail Use% Mounted on
> /dev/hdb1 111G 15G 91G 14% /var
> [root@rosewood incoming]# mount
> /dev/sda5 on / type ext3 (rw)
> none on /proc type proc (rw)
> none on /sys type sysfs (rw)
> none on /dev/pts type devpts (rw,gid=5,mode=620)
> usbfs on /proc/bus/usb type usbfs (rw)
> /dev/sda1 on /boot type ext3 (rw)
> none on /dev/shm type tmpfs (rw)
> /dev/sda2 on /home type ext3 (rw)
> /dev/sdb1 on /usr type ext3 (rw)
> /dev/hdb1 on /var type ext3 (rw)
> none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
> sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
> [root@rosewood incoming]# ls -ld Locks
> drwxr-x--- 2 root root 4096 Jan 11 16:13 Locks
>
> FSTAB:
>
> LABEL=/ / ext3 defaults 1 1
> LABEL=/boot /boot ext3 defaults 1 2
> none /dev/pts devpts gid=5,mode=620 0 0
> none /dev/shm tmpfs defaults 0 0
> LABEL=/home /home ext3 defaults 1 2
> none /proc proc defaults 0 0
> none /sys sysfs defaults 0 0
> LABEL=/usr /usr ext3 defaults 1 2
> LABEL=/var /var ext3 defaults 1 2
> LABEL=SWAP-sda3 swap swap defaults 0 0
> /dev/hda /media/cdrecorder auto pamconsole,exec,noauto,managed 0 0
>
> /usr/sbin/mailscanner_create_locks /var/spool/MailScanner/incoming/Locks postfix postfix
> lduid = 80, ldgid = 80
> [root@rosewood sbin]# ls -al /var/spool/MailScanner/incoming/Locks
> total 8
> drwxr-x--- 2 root postfix 4096 Jan 11 16:13 .
> drwxrwx--- 7 postfix clamav 4096 Jan 11 22:18 ..
> -rw------- 1 postfix postfix 0 Jan 11 16:13 antivirBusy.lock
> -rw------- 1 postfix postfix 0 Jan 11 16:13 avastBusy.lock
> -rw------- 1 postfix postfix 0 Jan 11 16:13 avgBusy.lock
> -rw------- 1 postfix postfix 0 Jan 11 16:13 bitdefenderBusy.lock
> -rw------- 1 postfix postfix 0 Jan 11 16:13 clamavBusy.lock
> -rw------- 1 postfix postfix 0 Jan 11 16:13 cssBusy.lock
> -rw------- 1 postfix postfix 0 Jan 11 16:13 esetsBusy.lock
> -rw------- 1 postfix postfix 0 Jan 11 16:13 etrustBusy.lock
> -rw------- 1 postfix postfix 0 Jan 11 16:13 f-prot-6Busy.lock
> -rw------- 1 postfix postfix 0 Jan 11 16:13 f-protBusy.lock
> -rw------- 1 postfix postfix 0 Jan 11 16:13 f-secureBusy.lock
> -rw------- 1 postfix postfix 0 Jan 11 16:13 genericBusy.lock
> -rw------- 1 postfix postfix 0 Jan 11 16:13 inoculanBusy.lock
> -rw------- 1 postfix postfix 0 Jan 11 16:13 kasperskyBusy.lock
> -rw------- 1 postfix postfix 0 Jan 11 16:13 mcafeeBusy.lock
> -rw------- 1 postfix postfix 0 Jan 11 16:13 MS.bayes.rebuild.lock
> -rw------- 1 postfix postfix 0 Jan 11 16:13 MS.bayes.starting.lock
> -rw------- 1 postfix postfix 0 Jan 11 16:13 nod32Busy.lock
> -rw------- 1 postfix postfix 0 Jan 11 16:13 normanBusy.lock
> -rw------- 1 postfix postfix 0 Jan 11 16:13 pandaBusy.lock
> -rw------- 1 postfix postfix 0 Jan 11 16:13 ravBusy.lock
> -rw------- 1 postfix postfix 0 Jan 11 16:13 sophosBusy.lock
> -rw------- 1 postfix postfix 0 Jan 11 16:13 symscanengineBusy.lock
> -rw------- 1 postfix postfix 0 Jan 11 16:13 trendBusy.lock
> -rw------- 1 postfix postfix 0 Jan 11 16:13 vba32Busy.lock
> -rw------- 1 postfix postfix 0 Jan 11 16:13 vexiraBusy.lock
>
> I did not do your last request as this shows the proper ownership. The
> question is: will it hold?
>
> Let me know if you still want me to do that last bit.
>
> Sorry it took a while to get back to you. I had to run out for a bit.
>
> Dave
>
Just so you know ... it all went back to being owned by root when update_virus_scanner ran from cron again.
This is the email I received:

/etc/cron.hourly/update_virus_scanners:

lduid = , ldgid =
>
>
>>>>>>>
>>>>>>> -rw------- 1 root root 0 Jan 8 05:09 antivirBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 8 05:09 avastBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 8 05:09 avgBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 8 05:09 bitdefenderBusy.lock
>>>>>>> -rw------- 1 root root 49 Jan 9 19:15 clamavBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 8 05:09 cssBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 8 05:09 esetsBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 8 05:09 etrustBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 8 05:09 f-prot-6Busy.lock
>>>>>>> -rw------- 1 root root 0 Jan 8 05:09 f-protBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 8 05:09 f-secureBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 8 05:09 genericBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 8 05:09 inoculanBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 8 05:09 kasperskyBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 8 05:09 mcafeeBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 8 19:38 MS.bayes.rebuild.lock
>>>>>>> -rw------- 1 root root 0 Jan 11 04:15 MS.bayes.starting.lock
>>>>>>> -rw------- 1 root root 0 Jan 8 05:09 nod32Busy.lock
>>>>>>> -rw------- 1 root root 0 Jan 8 05:09 normanBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 8 05:09 pandaBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 8 05:09 ravBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 8 05:09 sophosBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 8 05:09 symscanengineBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 8 05:09 trendBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 8 05:09 vba32Busy.lock
>>>>>>> -rw------- 1 root root 0 Jan 8 05:09 vexiraBusy.lock
>>>>>>>
>>>>>>> /var/spool/MailScanner/incoming
>>>>>>> [root@rosewood incoming]# ls -l
>>>>>>> total 604
>>>>>>> drwxr-x--- 2 postfix clamav 4096 Jan 11 13:43 19962
>>>>>>> drwxr-x--- 2 postfix clamav 4096 Jan 11 13:38 19969
>>>>>>> drwxr-x--- 2 postfix clamav 4096 Jan 11 13:41 19976
>>>>>>> drwxr-x--- 2 postfix root 4096 Jan 11 04:15 Locks
>>>>>>> -rw------- 1 postfix postfix 590848 Jan 11 13:41 SpamAssassin.cache.db
>>>>>>> drwx------ 2 postfix postfix 4096 Jan 11 13:43 SpamAssassin-Temp
>>>>>>>
>>>>>>> Yesterday this was all set as you have it above.
>>>>>>>
>>
>>
>
--
Dave Filchak
Instructor, School of Communications Arts
Seneca College @ York
Office: Room 1068

From submit at zuka.net Mon Jan 12 04:27:48 2009
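The cron mail in the message above shows `lduid = , ldgid = `, meaning the lock-creation step ran with no resolved owner, which is the condition Julian said would produce root-owned lock files. The shell sketch below is an added example, not MailScanner's own code: it reads the settings the thread extracts from MailScanner.conf, refuses to continue when the user or group does not resolve, and audits a lock directory for files with the wrong numeric owner. The function names (`conf_get`, `lock_owner_ids`, `audit_locks`) and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not MailScanner code. Function names are hypothetical.

# conf_get FILE "Key Words": print the value of a "Key Words = value" line.
# Matching is case-insensitive with optional whitespace between the words,
# like the perl one-liners in the thread. The last matching line wins
# (an assumption of this sketch).
conf_get() {
    awk -v key="$2" '
        BEGIN {
            n = split(tolower(key), w, " ")
            pat = "^[ \t]*" w[1]
            for (i = 2; i <= n; i++) pat = pat "[ \t]*" w[i]
            pat = pat "[ \t]*=[ \t]*"
        }
        match(tolower($0), pat) {
            split(substr($0, RLENGTH + 1), f, /[ \t]+/)
            v = f[1]
        }
        END { if (v != "") print v }
    ' "$1"
}

# Print the numeric id for a user or group name, or nothing if unknown.
name_to_uid() { [ -n "$1" ] && id -u "$1" 2>/dev/null; }
name_to_gid() {
    [ -n "$1" ] || return 1
    if command -v getent >/dev/null 2>&1; then
        getent group "$1" | cut -d: -f3
    else
        awk -F: -v g="$1" '$1 == g { print $3 }' /etc/group
    fi
}

# lock_owner_ids CONF: print "uid gid" for "Run As User" / "Run As Group".
# Fails closed: an empty or unresolvable name returns non-zero, so a caller
# never reaches chown with empty ids (the "lduid = , ldgid = " case).
lock_owner_ids() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    user=$(conf_get "$conf" "Run As User") || user=""
    group=$(conf_get "$conf" "Run As Group") || group=""
    uid=$(name_to_uid "$user") || uid=""
    gid=$(name_to_gid "$group") || gid=""
    if [ -z "$uid" ] || [ -z "$gid" ]; then
        echo "refusing to set lock ownership:" \
             "user='$user' uid='$uid' group='$group' gid='$gid'" >&2
        return 1
    fi
    echo "$uid $gid"
}

# audit_locks DIR UID GID: list files under DIR whose numeric owner or group
# differs from the expected ids; returns 1 if any are found.
audit_locks() {
    bad=$(find "$1" -type f \( ! -user "$2" -o ! -group "$3" \) -print)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Constructed demo: a config with no "Run As" lines reproduces the symptom.
demo=$(mktemp)
printf '%s\n' '# constructed sample with the Run As lines missing' > "$demo"
lock_owner_ids "$demo" || echo "chown skipped, lock files left untouched"
rm -f "$demo"
```

Running `audit_locks` from the same hourly cron job, after the lock-creation step, turns a silent ownership reset into a reported one.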
From: submit at zuka.net (Dave Filchak) Date: Mon Jan 12 04:28:03 2009 Subject: General Thankyou (still diagnosing fault) In-Reply-To: <496AC43F.9030701@senecac.on.ca> References: <60382.204.184.75.172.1231471379.squirrel@webmail.elsberry.k12.mo.us> <49679B36.9010202@senecac.on.ca> <4967A01A.1020805@senecac.on.ca> <4967D6F2.8090907@senecac.on.ca> <496A4264.6080303@senecac.on.ca> <496A470A.7070507@ecs.soton.ac.uk> <496A538C.60903@senecac.on.ca> <496A5BC8.4000908@ecs.soton.ac.uk> <496A6204.9070105@senecac.on.ca> <496A85DC.3060404@ecs.soton.ac.uk> <496AB792.9090605@senecac.on.ca> <496AC43F.9030701@senecac.on.ca> Message-ID: <496AC6C4.10700@zuka.net> Dave Filchak wrote: > Julian > > Dave Filchak wrote: >> Julian, >> >> Julian Field wrote: >>> >>> >>> On 11/1/09 21:17, Dave Filchak wrote: >>>> Jules, >>>> >>>> Julian Field wrote: >>>>> >>>>> >>>>> On 11/1/09 20:16, Dave Filchak wrote: >>>>>> Jules >>>>>> >>>>>> Julian Field wrote: >>>>>>> >>>>>>> >>>>>>> On 11/1/09 19:03, Dave Filchak wrote: >>>>>>>> Kai, >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Dave Filchak wrote: >>>>>>>>> Kai, >>>>>>>>> >>>>>>>>> Kai Schaetzl wrote: >>>>>>>>>> Dave Filchak wrote on Fri, 09 Jan 2009 14:06:02 -0500: >>>>>>>>>> >>>>>>>>>> >>>>>>>>>>> So I checked the permissions there and the Locks directory >>>>>>>>>>> is owned by postfix.root and the locks inside are all owned >>>>>>>>>>> by root.root. >>>>>>>>>> >>>>>>>>>> That is *all* wrong. Reread the tutorials for MS+postfix and >>>>>>>>>> for MS+clamd (you are using clamd, right). >>>>>>>>>> >>>>>>>>>> /var/spool/MailScanner/incoming/Locks l >>>>>>>>>> total 16 >>>>>>>>>> drwxr-x--- 2 root postfix 4096 Jan 9 23:03 . >>>>>>>>>> drwxr-xr-x 5 postfix clamav 4096 Jan 9 23:04 .. 
>>>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 antivirBusy.lock >>>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 avastBusy.lock >>>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 avgBusy.lock >>>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 >>>>>>>>>> bitdefenderBusy.lock >>>>>>>>>> -rw------- 1 postfix postfix 100 Jan 9 23:05 clamavBusy.lock >>>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 cssBusy.lock >>>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 esetsBusy.lock >>>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 etrustBusy.lock >>>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 f-prot-6Busy.lock >>>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 f-protBusy.lock >>>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 f-secureBusy.lock >>>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 genericBusy.lock >>>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 inoculanBusy.lock >>>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 >>>>>>>>>> kasperskyBusy.lock >>>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 mcafeeBusy.lock >>>>>>>>>> -rw------- 1 postfix postfix 0 Jan 7 16:51 >>>>>>>>>> MS.bayes.rebuild.lock >>>>>>>>>> -rw------- 1 postfix postfix 0 Jan 9 23:03 >>>>>>>>>> MS.bayes.starting.lock >>>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 nod32Busy.lock >>>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 normanBusy.lock >>>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 pandaBusy.lock >>>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 ravBusy.lock >>>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 sophosBusy.lock >>>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 >>>>>>>>>> symscanengineBusy.lock >>>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 trendBusy.lock >>>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 vba32Busy.lock >>>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 vexiraBusy.lock >>>>>>>>>> >>>>>>>>>> Kai >>>>>>>>>> >>>>>>>>> Well I will definitely reread 
these. I never specifically set >>>>>>>>> these permissions anywhere. One would thing that these would >>>>>>>>> be created by the settings in MailScanner.conf .. wouldn't >>>>>>>>> you? There is no specific alternate user settings in >>>>>>>>> spamassassin so .... something is setting these permissions >>>>>>>>> this way. >>>>>>>>> >>>>>>>> I have gone through the tutorials a few times and I seem to >>>>>>>> have everything set up correctly yet .... something keeps >>>>>>>> reseting the permissions in the Locks directory back to the >>>>>>>> following: >>>>>>> It will be being clobbered by the update_virus_scanners cron job >>>>>>> which is run once per hour. Please can you mail me an exact copy >>>>>>> (preferably gzipped) of your MailScanner.conf file. Have you >>>>>>> moved that file from its default location or anything like that? >>>>>>> It should pull out the "Run As User" and "Run As Group" from >>>>>>> MailScanner.conf and use those values to set the ownership of >>>>>>> the lock files. Clearly something is going wrong there. >>>>>>> >>>>>>> Copy and paste the following commands into a shell running as >>>>>>> root. Beware of extra line-breaks that my mail program or your >>>>>>> mail program may add into the following, hopefully they'll be okay. 
>>>>>>> >>>>>>> LOCKDIR=`perl -n -e 'print "$_" if chomp && >>>>>>> s/^\s*Lock\s*file\s*Dir\s*=\s*(\S+)/$1/i' >>>>>>> /etc/MailScanner/MailScanner.conf` >>>>>>> RUNASU=`perl -n -e 'print "$_" if chomp && >>>>>>> s/^\s*Run\s*As\s*User\s*=\s*(\S+)/$1/i' >>>>>>> /etc/MailScanner/MailScanner.conf` >>>>>>> RUNASG=`perl -n -e 'print "$_" if chomp && >>>>>>> s/^\s*Run\s*As\s*Group\s*=\s*(\S+)/$1/i' >>>>>>> /etc/MailScanner/MailScanner.conf` >>>>>>> echo $LOCKDIR >>>>>>> echo $RUNASU >>>>>>> echo $RUNASG >>>>>>> /usr/sbin/mailscanner_create_locks "$LOCKDIR" "$RUNASU" "$RUNASG" >>>>>>> >>>>>>> Then show me what you get from >>>>>>> ls -al $LOCKDIR >>>>>>> assuming that the "echo $LOCKDIR" command printed out the >>>>>>> directory where your lock files are stored (i.e. normally >>>>>>> /var/spool/MailScanner/incoming/Locks). >>>>>> >>>>>> I have emailed you my conf file. >>> That looks fine. >>>>>> Here is the output from your scripts: >>>>>> >>>>>> [root@rosewood MailScanner]# LOCKDIR=`perl -n -e 'print "$_" if >>>>>> chomp && s/^\s*Lock\s*file\s*Dir\s*=\s*(\S+)/$1/i' >>>>>> /etc/MailScanner/MailScanner.conf` >>>>>> [root@rosewood MailScanner]# RUNASU=`perl -n -e 'print "$_" if >>>>>> chomp && s/^\s*Run\s*As\s*User\s*=\s*(\S+)/$1/i' >>>>>> /etc/MailScanner/MailScanner.conf` >>>>>> [root@rosewood MailScanner]# RUNASG=`perl -n -e 'print "$_" if >>>>>> chomp && s/^\s*Run\s*As\s*Group\s*=\s*(\S+)/$1/i' >>>>>> /etc/MailScanner/MailScanner.conf` >>>>>> [root@rosewood MailScanner]# echo $LOCKDIR >>>>>> /var/spool/MailScanner/incoming/Locks >>>>>> [root@rosewood MailScanner]# echo $RUNASU >>>>>> postfix >>>>>> [root@rosewood MailScanner]# echo $RUNASG >>>>>> postfix >>>>> That all looks good. As root, >>>>> rm -rf /var/spool/MailScanner/incoming/Locks >>>>> and then >>>>> /usr/sbin/update_virus_scanners >>>>> and then show me an >>>>> ls -al /var/spool/MailScanner/incoming/Locks >>>>> >>>>> The files in there should be owned by postfix. Let's see if that's >>>>> true. 
>>>>> >>>> OK .. deleted the Locks directory, ran update_virus_scanners and got: >>>> >>>> ls -al /var/spool/MailScanner/incoming/Locks/ >>>> total 8 >>>> drwxr-x--- 2 root root 4096 Jan 11 16:13 . >>>> drwxrwx--- 7 postfix clamav 4096 Jan 11 16:14 .. >>>> -rw------- 1 root root 0 Jan 11 16:13 antivirBusy.lock >>>> -rw------- 1 root root 0 Jan 11 16:13 avastBusy.lock >>>> -rw------- 1 root root 0 Jan 11 16:13 avgBusy.lock >>>> -rw------- 1 root root 0 Jan 11 16:13 bitdefenderBusy.lock >>>> -rw------- 1 root root 0 Jan 11 16:13 clamavBusy.lock >>>> -rw------- 1 root root 0 Jan 11 16:13 cssBusy.lock >>>> -rw------- 1 root root 0 Jan 11 16:13 esetsBusy.lock >>>> -rw------- 1 root root 0 Jan 11 16:13 etrustBusy.lock >>>> -rw------- 1 root root 0 Jan 11 16:13 f-prot-6Busy.lock >>>> -rw------- 1 root root 0 Jan 11 16:13 f-protBusy.lock >>>> -rw------- 1 root root 0 Jan 11 16:13 f-secureBusy.lock >>>> -rw------- 1 root root 0 Jan 11 16:13 genericBusy.lock >>>> -rw------- 1 root root 0 Jan 11 16:13 inoculanBusy.lock >>>> -rw------- 1 root root 0 Jan 11 16:13 kasperskyBusy.lock >>>> -rw------- 1 root root 0 Jan 11 16:13 mcafeeBusy.lock >>>> -rw------- 1 root root 0 Jan 11 16:13 MS.bayes.rebuild.lock >>>> -rw------- 1 root root 0 Jan 11 16:13 MS.bayes.starting.lock >>>> -rw------- 1 root root 0 Jan 11 16:13 nod32Busy.lock >>>> -rw------- 1 root root 0 Jan 11 16:13 normanBusy.lock >>>> -rw------- 1 root root 0 Jan 11 16:13 pandaBusy.lock >>>> -rw------- 1 root root 0 Jan 11 16:13 ravBusy.lock >>>> -rw------- 1 root root 0 Jan 11 16:13 sophosBusy.lock >>>> -rw------- 1 root root 0 Jan 11 16:13 symscanengineBusy.lock >>>> -rw------- 1 root root 0 Jan 11 16:13 trendBusy.lock >>>> -rw------- 1 root root 0 Jan 11 16:13 vba32Busy.lock >>>> -rw------- 1 root root 0 Jan 11 16:13 vexiraBusy.lock >>>> >>>> >>>> Still root. >>> Hmmm... >>> >>> 1 >>> I want to be sure there are no weird options for the mount that >>> supplies this directory. 
Do this: >>> cd /var/spool/MailScanner/incoming >>> df -h . >>> mount >>> ls -ld Locks >>> (all as root). >>> Also, paste the contents of your /etc/fstab file into your reply to >>> this mail. >>> >>> 2 >>> Also, please can you make a little edit to your >>> /usr/sbin/mailscanner_create_locks script. >>> Near the top you will see a line that says this: >>> my $ldgid = getgrnam($ldgname); >>> That's about line 17. Immediately after that line, add this line: >>> print STDERR "lduid = $lduid, ldgid = $ldgid\n"; >>> and let's just check that it is getting the UID and GID correctly, >>> as failure to do that would cause your symptoms. >>> Run >>> /usr/sbin/mailscanner_create_locks >>> /var/spool/MailScanner/incoming/Locks postfix postfix >>> (all of that on 1 line) and include the output in your reply, >>> and do another >>> ls -al /var/spool/MailScanner/incoming/Locks >>> to see if anything has improved. >>> >>> 3 >>> If that still isn't working, right at the end of the script there >>> are a couple of "chown" lines. Change the first one to read >>> chown -1, $ldgid, $locksdirname or warn "Chown1: $!"; >>> and the second one to read >>> chown $lduid, $ldgid, @locknames or warn "Chown2: $!"; >>> and then run the mailscanner_create_locks command I gave above. Let >>> me know if it prints anything, and what it says if it does. >>> >>> 4 >>> That lot should give me a better idea of what's going on. >> >> cd /var/spool/MailScanner/incoming/ >> [root@rosewood incoming]# df -h . 
>> Filesystem Size Used Avail Use% Mounted on >> /dev/hdb1 111G 15G 91G 14% /var >> [root@rosewood incoming]# mount >> /dev/sda5 on / type ext3 (rw) >> none on /proc type proc (rw) >> none on /sys type sysfs (rw) >> none on /dev/pts type devpts (rw,gid=5,mode=620) >> usbfs on /proc/bus/usb type usbfs (rw) >> /dev/sda1 on /boot type ext3 (rw) >> none on /dev/shm type tmpfs (rw) >> /dev/sda2 on /home type ext3 (rw) >> /dev/sdb1 on /usr type ext3 (rw) >> /dev/hdb1 on /var type ext3 (rw) >> none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw) >> sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw) >> [root@rosewood incoming]# ls -ld Locks >> drwxr-x--- 2 root root 4096 Jan 11 16:13 Locks >> >> FSTAB: >> >> LABEL=/ / ext3 >> defaults 1 1 >> LABEL=/boot /boot ext3 >> defaults 1 2 >> none /dev/pts devpts >> gid=5,mode=620 0 0 >> none /dev/shm tmpfs >> defaults 0 0 >> LABEL=/home /home ext3 >> defaults 1 2 >> none /proc proc >> defaults 0 0 >> none /sys sysfs >> defaults 0 0 >> LABEL=/usr /usr ext3 >> defaults 1 2 >> LABEL=/var /var ext3 >> defaults 1 2 >> LABEL=SWAP-sda3 swap swap >> defaults 0 0 >> /dev/hda /media/cdrecorder auto >> pamconsole,exec,noauto,managed 0 0 >> >> /usr/sbin/mailscanner_create_locks >> /var/spool/MailScanner/incoming/Locks postfix postfix >> lduid = 80, ldgid = 80 >> [root@rosewood sbin]# ls -al /var/spool/MailScanner/incoming/Locks >> total 8 >> drwxr-x--- 2 root postfix 4096 Jan 11 16:13 . >> drwxrwx--- 7 postfix clamav 4096 Jan 11 22:18 .. 
>> -rw------- 1 postfix postfix 0 Jan 11 16:13 antivirBusy.lock >> -rw------- 1 postfix postfix 0 Jan 11 16:13 avastBusy.lock >> -rw------- 1 postfix postfix 0 Jan 11 16:13 avgBusy.lock >> -rw------- 1 postfix postfix 0 Jan 11 16:13 bitdefenderBusy.lock >> -rw------- 1 postfix postfix 0 Jan 11 16:13 clamavBusy.lock >> -rw------- 1 postfix postfix 0 Jan 11 16:13 cssBusy.lock >> -rw------- 1 postfix postfix 0 Jan 11 16:13 esetsBusy.lock >> -rw------- 1 postfix postfix 0 Jan 11 16:13 etrustBusy.lock >> -rw------- 1 postfix postfix 0 Jan 11 16:13 f-prot-6Busy.lock >> -rw------- 1 postfix postfix 0 Jan 11 16:13 f-protBusy.lock >> -rw------- 1 postfix postfix 0 Jan 11 16:13 f-secureBusy.lock >> -rw------- 1 postfix postfix 0 Jan 11 16:13 genericBusy.lock >> -rw------- 1 postfix postfix 0 Jan 11 16:13 inoculanBusy.lock >> -rw------- 1 postfix postfix 0 Jan 11 16:13 kasperskyBusy.lock >> -rw------- 1 postfix postfix 0 Jan 11 16:13 mcafeeBusy.lock >> -rw------- 1 postfix postfix 0 Jan 11 16:13 MS.bayes.rebuild.lock >> -rw------- 1 postfix postfix 0 Jan 11 16:13 MS.bayes.starting.lock >> -rw------- 1 postfix postfix 0 Jan 11 16:13 nod32Busy.lock >> -rw------- 1 postfix postfix 0 Jan 11 16:13 normanBusy.lock >> -rw------- 1 postfix postfix 0 Jan 11 16:13 pandaBusy.lock >> -rw------- 1 postfix postfix 0 Jan 11 16:13 ravBusy.lock >> -rw------- 1 postfix postfix 0 Jan 11 16:13 sophosBusy.lock >> -rw------- 1 postfix postfix 0 Jan 11 16:13 symscanengineBusy.lock >> -rw------- 1 postfix postfix 0 Jan 11 16:13 trendBusy.lock >> -rw------- 1 postfix postfix 0 Jan 11 16:13 vba32Busy.lock >> -rw------- 1 postfix postfix 0 Jan 11 16:13 vexiraBusy.lock >> >> I did not do your last request as this shows the proper ownership. >> The question is: will it hold? >> >> Let me know if you still want me to do that last bit. >> >> Sorry it took a while to get back to you. I had to run out for a bit. >> >> Dave >> > Just so you know ... 
it all went back to being owned by root when > update_virus_scanner ran from cron again. This is the email I received: > > /etc/cron.hourly/update_virus_scanners: > > lduid = , ldgid = Given the above, I made the last little change you suggested and ran it again, like so: /usr/sbin/mailscanner_create_locks /var/spool/MailScanner/incoming/Locks postfix postfix lduid = 80, ldgid = 80 The second line is what it output. After that, all the permissions in the Locks directory went back to postfix. Again, will it hold? Dave > > From MailScanner at ecs.soton.ac.uk Mon Jan 12 10:39:06 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jan 12 10:39:35 2009 Subject: General Thankyou (still diagnosing fault) In-Reply-To: <496AC6C4.10700@zuka.net> References: <60382.204.184.75.172.1231471379.squirrel@webmail.elsberry.k12.mo.us> <49679B36.9010202@senecac.on.ca> <4967A01A.1020805@senecac.on.ca> <4967D6F2.8090907@senecac.on.ca> <496A4264.6080303@senecac.on.ca> <496A470A.7070507@ecs.soton.ac.uk> <496A538C.60903@senecac.on.ca> <496A5BC8.4000908@ecs.soton.ac.uk> <496A6204.9070105@senecac.on.ca> <496A85DC.3060404@ecs.soton.ac.uk> <496AB792.9090605@senecac.on.ca> <496AC43F.9030701@senecac.on.ca> <496AC6C4.10700@zuka.net> Message-ID: <496B1DCA.2050406@ecs.soton.ac.uk> On 12/1/09 04:27, Dave Filchak wrote: > Dave Filchak wrote: >> Julian >> >> Dave Filchak wrote: >>> Julian, >>> >>> Julian Field wrote: >>>> >>>> >>>> On 11/1/09 21:17, Dave Filchak wrote: >>>>> Jules, >>>>> >>>>> Julian Field wrote: >>>>>> >>>>>> >>>>>> On 11/1/09 20:16, Dave Filchak wrote: >>>>>>> Jules >>>>>>> >>>>>>> Julian Field wrote: >>>>>>>> >>>>>>>> >>>>>>>> On 11/1/09 19:03, Dave Filchak wrote: >>>>>>>>> Kai, >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> Dave Filchak wrote: >>>>>>>>>> Kai, >>>>>>>>>> >>>>>>>>>> Kai Schaetzl wrote: >>>>>>>>>>> Dave Filchak wrote on Fri, 09 Jan 2009 14:06:02 -0500: >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>>> So I checked the permissions there and the Locks directory >>>>>>>>>>>> is owned by postfix.root and the locks inside are all owned >>>>>>>>>>>> by root.root. >>>>>>>>>>> >>>>>>>>>>> That is *all* wrong. Reread the tutorials for MS+postfix and >>>>>>>>>>> for MS+clamd (you are using clamd, right). >>>>>>>>>>> >>>>>>>>>>> /var/spool/MailScanner/incoming/Locks l >>>>>>>>>>> total 16 >>>>>>>>>>> drwxr-x--- 2 root postfix 4096 Jan 9 23:03 . >>>>>>>>>>> drwxr-xr-x 5 postfix clamav 4096 Jan 9 23:04 .. 
>>>>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 antivirBusy.lock >>>>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 avastBusy.lock >>>>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 avgBusy.lock >>>>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 >>>>>>>>>>> bitdefenderBusy.lock >>>>>>>>>>> -rw------- 1 postfix postfix 100 Jan 9 23:05 clamavBusy.lock >>>>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 cssBusy.lock >>>>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 esetsBusy.lock >>>>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 etrustBusy.lock >>>>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 >>>>>>>>>>> f-prot-6Busy.lock >>>>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 f-protBusy.lock >>>>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 >>>>>>>>>>> f-secureBusy.lock >>>>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 genericBusy.lock >>>>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 >>>>>>>>>>> inoculanBusy.lock >>>>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 >>>>>>>>>>> kasperskyBusy.lock >>>>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 mcafeeBusy.lock >>>>>>>>>>> -rw------- 1 postfix postfix 0 Jan 7 16:51 >>>>>>>>>>> MS.bayes.rebuild.lock >>>>>>>>>>> -rw------- 1 postfix postfix 0 Jan 9 23:03 >>>>>>>>>>> MS.bayes.starting.lock >>>>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 nod32Busy.lock >>>>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 normanBusy.lock >>>>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 pandaBusy.lock >>>>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 ravBusy.lock >>>>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 sophosBusy.lock >>>>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 >>>>>>>>>>> symscanengineBusy.lock >>>>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 trendBusy.lock >>>>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 vba32Busy.lock >>>>>>>>>>> -rw------- 1 postfix postfix 0 Dec 11 17:31 vexiraBusy.lock >>>>>>>>>>> 
>>>>>>>>>>> Kai >>>>>>>>>>> >>>>>>>>>> Well I will definitely reread these. I never specifically set >>>>>>>>>> these permissions anywhere. One would think that these would >>>>>>>>>> be created by the settings in MailScanner.conf .. wouldn't >>>>>>>>>> you? There are no specific alternate user settings in >>>>>>>>>> spamassassin so .... something is setting these permissions >>>>>>>>>> this way. >>>>>>>>>> >>>>>>>>> I have gone through the tutorials a few times and I seem to >>>>>>>>> have everything set up correctly yet .... something keeps >>>>>>>>> resetting the permissions in the Locks directory back to the >>>>>>>>> following: >>>>>>>> It will be being clobbered by the update_virus_scanners cron >>>>>>>> job which is run once per hour. Please can you mail me an exact >>>>>>>> copy (preferably gzipped) of your MailScanner.conf file. Have >>>>>>>> you moved that file from its default location or anything like >>>>>>>> that? It should pull out the "Run As User" and "Run As Group" >>>>>>>> from MailScanner.conf and use those values to set the ownership >>>>>>>> of the lock files. Clearly something is going wrong there. >>>>>>>> >>>>>>>> Copy and paste the following commands into a shell running as >>>>>>>> root. Beware of extra line-breaks that my mail program or your >>>>>>>> mail program may add into the following, hopefully they'll be >>>>>>>> okay. 
>>>>>>>> >>>>>>>> LOCKDIR=`perl -n -e 'print "$_" if chomp && >>>>>>>> s/^\s*Lock\s*file\s*Dir\s*=\s*(\S+)/$1/i' >>>>>>>> /etc/MailScanner/MailScanner.conf` >>>>>>>> RUNASU=`perl -n -e 'print "$_" if chomp && >>>>>>>> s/^\s*Run\s*As\s*User\s*=\s*(\S+)/$1/i' >>>>>>>> /etc/MailScanner/MailScanner.conf` >>>>>>>> RUNASG=`perl -n -e 'print "$_" if chomp && >>>>>>>> s/^\s*Run\s*As\s*Group\s*=\s*(\S+)/$1/i' >>>>>>>> /etc/MailScanner/MailScanner.conf` >>>>>>>> echo $LOCKDIR >>>>>>>> echo $RUNASU >>>>>>>> echo $RUNASG >>>>>>>> /usr/sbin/mailscanner_create_locks "$LOCKDIR" "$RUNASU" "$RUNASG" >>>>>>>> >>>>>>>> Then show me what you get from >>>>>>>> ls -al $LOCKDIR >>>>>>>> assuming that the "echo $LOCKDIR" command printed out the >>>>>>>> directory where your lock files are stored (i.e. normally >>>>>>>> /var/spool/MailScanner/incoming/Locks). >>>>>>> >>>>>>> I have emailed you my conf file. >>>> That looks fine. >>>>>>> Here is the output from your scripts: >>>>>>> >>>>>>> [root@rosewood MailScanner]# LOCKDIR=`perl -n -e 'print "$_" if >>>>>>> chomp && s/^\s*Lock\s*file\s*Dir\s*=\s*(\S+)/$1/i' >>>>>>> /etc/MailScanner/MailScanner.conf` >>>>>>> [root@rosewood MailScanner]# RUNASU=`perl -n -e 'print "$_" if >>>>>>> chomp && s/^\s*Run\s*As\s*User\s*=\s*(\S+)/$1/i' >>>>>>> /etc/MailScanner/MailScanner.conf` >>>>>>> [root@rosewood MailScanner]# RUNASG=`perl -n -e 'print "$_" if >>>>>>> chomp && s/^\s*Run\s*As\s*Group\s*=\s*(\S+)/$1/i' >>>>>>> /etc/MailScanner/MailScanner.conf` >>>>>>> [root@rosewood MailScanner]# echo $LOCKDIR >>>>>>> /var/spool/MailScanner/incoming/Locks >>>>>>> [root@rosewood MailScanner]# echo $RUNASU >>>>>>> postfix >>>>>>> [root@rosewood MailScanner]# echo $RUNASG >>>>>>> postfix >>>>>> That all looks good. 
As root, >>>>>> rm -rf /var/spool/MailScanner/incoming/Locks >>>>>> and then >>>>>> /usr/sbin/update_virus_scanners >>>>>> and then show me an >>>>>> ls -al /var/spool/MailScanner/incoming/Locks >>>>>> >>>>>> The files in there should be owned by postfix. Let's see if >>>>>> that's true. >>>>>> >>>>> OK .. deleted the Locks directory, ran update_virus_scanners and got: >>>>> >>>>> ls -al /var/spool/MailScanner/incoming/Locks/ >>>>> total 8 >>>>> drwxr-x--- 2 root root 4096 Jan 11 16:13 . >>>>> drwxrwx--- 7 postfix clamav 4096 Jan 11 16:14 .. >>>>> -rw------- 1 root root 0 Jan 11 16:13 antivirBusy.lock >>>>> -rw------- 1 root root 0 Jan 11 16:13 avastBusy.lock >>>>> -rw------- 1 root root 0 Jan 11 16:13 avgBusy.lock >>>>> -rw------- 1 root root 0 Jan 11 16:13 bitdefenderBusy.lock >>>>> -rw------- 1 root root 0 Jan 11 16:13 clamavBusy.lock >>>>> -rw------- 1 root root 0 Jan 11 16:13 cssBusy.lock >>>>> -rw------- 1 root root 0 Jan 11 16:13 esetsBusy.lock >>>>> -rw------- 1 root root 0 Jan 11 16:13 etrustBusy.lock >>>>> -rw------- 1 root root 0 Jan 11 16:13 f-prot-6Busy.lock >>>>> -rw------- 1 root root 0 Jan 11 16:13 f-protBusy.lock >>>>> -rw------- 1 root root 0 Jan 11 16:13 f-secureBusy.lock >>>>> -rw------- 1 root root 0 Jan 11 16:13 genericBusy.lock >>>>> -rw------- 1 root root 0 Jan 11 16:13 inoculanBusy.lock >>>>> -rw------- 1 root root 0 Jan 11 16:13 kasperskyBusy.lock >>>>> -rw------- 1 root root 0 Jan 11 16:13 mcafeeBusy.lock >>>>> -rw------- 1 root root 0 Jan 11 16:13 MS.bayes.rebuild.lock >>>>> -rw------- 1 root root 0 Jan 11 16:13 MS.bayes.starting.lock >>>>> -rw------- 1 root root 0 Jan 11 16:13 nod32Busy.lock >>>>> -rw------- 1 root root 0 Jan 11 16:13 normanBusy.lock >>>>> -rw------- 1 root root 0 Jan 11 16:13 pandaBusy.lock >>>>> -rw------- 1 root root 0 Jan 11 16:13 ravBusy.lock >>>>> -rw------- 1 root root 0 Jan 11 16:13 sophosBusy.lock >>>>> -rw------- 1 root root 0 Jan 11 16:13 symscanengineBusy.lock >>>>> -rw------- 1 root root 0 Jan 11 16:13 
trendBusy.lock >>>>> -rw------- 1 root root 0 Jan 11 16:13 vba32Busy.lock >>>>> -rw------- 1 root root 0 Jan 11 16:13 vexiraBusy.lock >>>>> >>>>> >>>>> Still root. >>>> Hmmm... >>>> >>>> 1 >>>> I want to be sure there are no weird options for the mount that >>>> supplies this directory. Do this: >>>> cd /var/spool/MailScanner/incoming >>>> df -h . >>>> mount >>>> ls -ld Locks >>>> (all as root). >>>> Also, paste the contents of your /etc/fstab file into your reply to >>>> this mail. >>>> >>>> 2 >>>> Also, please can you make a little edit to your >>>> /usr/sbin/mailscanner_create_locks script. >>>> Near the top you will see a line that says this: >>>> my $ldgid = getgrnam($ldgname); >>>> That's about line 17. Immediately after that line, add this line: >>>> print STDERR "lduid = $lduid, ldgid = $ldgid\n"; >>>> and let's just check that it is getting the UID and GID correctly, >>>> as failure to do that would cause your symptoms. >>>> Run >>>> /usr/sbin/mailscanner_create_locks >>>> /var/spool/MailScanner/incoming/Locks postfix postfix >>>> (all of that on 1 line) and include the output in your reply, >>>> and do another >>>> ls -al /var/spool/MailScanner/incoming/Locks >>>> to see if anything has improved. >>>> >>>> 3 >>>> If that still isn't working, right at the end of the script there >>>> are a couple of "chown" lines. Change the first one to read >>>> chown -1, $ldgid, $locksdirname or warn "Chown1: $!"; >>>> and the second one to read >>>> chown $lduid, $ldgid, @locknames or warn "Chown2: $!"; >>>> and then run the mailscanner_create_locks command I gave above. Let >>>> me know if it prints anything, and what it says if it does. >>>> >>>> 4 >>>> That lot should give me a better idea of what's going on. >>> >>> cd /var/spool/MailScanner/incoming/ >>> [root@rosewood incoming]# df -h . 
>>> Filesystem Size Used Avail Use% Mounted on >>> /dev/hdb1 111G 15G 91G 14% /var >>> [root@rosewood incoming]# mount >>> /dev/sda5 on / type ext3 (rw) >>> none on /proc type proc (rw) >>> none on /sys type sysfs (rw) >>> none on /dev/pts type devpts (rw,gid=5,mode=620) >>> usbfs on /proc/bus/usb type usbfs (rw) >>> /dev/sda1 on /boot type ext3 (rw) >>> none on /dev/shm type tmpfs (rw) >>> /dev/sda2 on /home type ext3 (rw) >>> /dev/sdb1 on /usr type ext3 (rw) >>> /dev/hdb1 on /var type ext3 (rw) >>> none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw) >>> sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw) >>> [root@rosewood incoming]# ls -ld Locks >>> drwxr-x--- 2 root root 4096 Jan 11 16:13 Locks >>> >>> FSTAB: >>> >>> LABEL=/ / ext3 >>> defaults 1 1 >>> LABEL=/boot /boot ext3 >>> defaults 1 2 >>> none /dev/pts devpts >>> gid=5,mode=620 0 0 >>> none /dev/shm tmpfs >>> defaults 0 0 >>> LABEL=/home /home ext3 >>> defaults 1 2 >>> none /proc proc >>> defaults 0 0 >>> none /sys sysfs >>> defaults 0 0 >>> LABEL=/usr /usr ext3 >>> defaults 1 2 >>> LABEL=/var /var ext3 >>> defaults 1 2 >>> LABEL=SWAP-sda3 swap swap >>> defaults 0 0 >>> /dev/hda /media/cdrecorder auto >>> pamconsole,exec,noauto,managed 0 0 >>> >>> /usr/sbin/mailscanner_create_locks >>> /var/spool/MailScanner/incoming/Locks postfix postfix >>> lduid = 80, ldgid = 80 >>> [root@rosewood sbin]# ls -al /var/spool/MailScanner/incoming/Locks >>> total 8 >>> drwxr-x--- 2 root postfix 4096 Jan 11 16:13 . >>> drwxrwx--- 7 postfix clamav 4096 Jan 11 22:18 .. 
>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 antivirBusy.lock >>> -rw------- 1 postfix postfix 0 Jan 11 16:13 avastBusy.lock >>> -rw------- 1 postfix postfix 0 Jan 11 16:13 avgBusy.lock >>> -rw------- 1 postfix postfix 0 Jan 11 16:13 bitdefenderBusy.lock >>> -rw------- 1 postfix postfix 0 Jan 11 16:13 clamavBusy.lock >>> -rw------- 1 postfix postfix 0 Jan 11 16:13 cssBusy.lock >>> -rw------- 1 postfix postfix 0 Jan 11 16:13 esetsBusy.lock >>> -rw------- 1 postfix postfix 0 Jan 11 16:13 etrustBusy.lock >>> -rw------- 1 postfix postfix 0 Jan 11 16:13 f-prot-6Busy.lock >>> -rw------- 1 postfix postfix 0 Jan 11 16:13 f-protBusy.lock >>> -rw------- 1 postfix postfix 0 Jan 11 16:13 f-secureBusy.lock >>> -rw------- 1 postfix postfix 0 Jan 11 16:13 genericBusy.lock >>> -rw------- 1 postfix postfix 0 Jan 11 16:13 inoculanBusy.lock >>> -rw------- 1 postfix postfix 0 Jan 11 16:13 kasperskyBusy.lock >>> -rw------- 1 postfix postfix 0 Jan 11 16:13 mcafeeBusy.lock >>> -rw------- 1 postfix postfix 0 Jan 11 16:13 MS.bayes.rebuild.lock >>> -rw------- 1 postfix postfix 0 Jan 11 16:13 MS.bayes.starting.lock >>> -rw------- 1 postfix postfix 0 Jan 11 16:13 nod32Busy.lock >>> -rw------- 1 postfix postfix 0 Jan 11 16:13 normanBusy.lock >>> -rw------- 1 postfix postfix 0 Jan 11 16:13 pandaBusy.lock >>> -rw------- 1 postfix postfix 0 Jan 11 16:13 ravBusy.lock >>> -rw------- 1 postfix postfix 0 Jan 11 16:13 sophosBusy.lock >>> -rw------- 1 postfix postfix 0 Jan 11 16:13 symscanengineBusy.lock >>> -rw------- 1 postfix postfix 0 Jan 11 16:13 trendBusy.lock >>> -rw------- 1 postfix postfix 0 Jan 11 16:13 vba32Busy.lock >>> -rw------- 1 postfix postfix 0 Jan 11 16:13 vexiraBusy.lock >>> >>> I did not do your last request as this shows the proper ownership. >>> The question is: will it hold? >>> >>> Let me know if you still want me to do that last bit. >>> >>> Sorry it took a while to get back to you. I had to run out for a bit. >>> >>> Dave >>> >> Just so you know ... 
it all went back to being owned by root when >> update_virus_scanner ran from cron again. This is the email I received: >> >> /etc/cron.hourly/update_virus_scanners: >> >> lduid = , ldgid = > Given the above, I made the last little change you suggested and ran > it again, like so: > > /usr/sbin/mailscanner_create_locks > /var/spool/MailScanner/incoming/Locks postfix postfix > lduid = 80, ldgid = 80 > > The second line is what it output. After that, all the permissions in > the Locks directory went back to postfix. Again, will it hold? The cron job will probably put it back. Okay, next let's find if it is the script run by cron that is causing the problem, or the environment in which it is run. /usr/sbin/update_virus_scanners ls -al /var/spool/MailScanner/incoming/Locks and show me the output of those two. I want to see if the update_virus_scanners script successfully finds the uid and gid or not. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From maillists at conactive.com Mon Jan 12 10:40:12 2009 
From: maillists at conactive.com (Kai Schaetzl) Date: Mon Jan 12 10:40:29 2009 Subject: General Thankyou (still diagnosing fault) In-Reply-To: <496AC6C4.10700@zuka.net> References: <60382.204.184.75.172.1231471379.squirrel@webmail.elsberry.k12.mo.us> <49679B36.9010202@senecac.on.ca> <4967A01A.1020805@senecac.on.ca> <4967D6F2.8090907@senecac.on.ca> <496A4264.6080303@senecac.on.ca> <496A470A.7070507@ecs.soton.ac.uk> <496A538C.60903@senecac.on.ca> <496A5BC8.4000908@ecs.soton.ac.uk> <496A6204.9070105@senecac.on.ca> <496A85DC.3060404@ecs.soton.ac.uk> <496AC6C4.10700@zuka.net> Message-ID: Reply-To: mailscanner@lists.mailscanner.info Dave, your replies are *a horror* to read with that "quoting style" (if one can call that "quoting"). Change that in the future, please. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From maillists at conactive.com Mon Jan 12 10:40:12 2009 From: maillists at conactive.com (Kai Schaetzl) Date: Mon Jan 12 10:40:29 2009 Subject: block spoofing mail In-Reply-To: <496A861A.9060401@ocosa.com> References: <928434630901100033l3381ec9ifec81d6844b03e0@mail.gmail.com> <72cf361e0901111153n686b1e45l7f0dd56c87f63a36@mail.gmail.com> <496A861A.9060401@ocosa.com> Message-ID: ListAcc wrote on Sun, 11 Jan 2009 17:51:54 -0600: > Martin, Martin didn't ask about this. Please always reply to the original message. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From drew.marshall at technologytiger.net Mon Jan 12 12:14:14 2009 
From: drew.marshall at technologytiger.net (Drew Marshall) Date: Mon Jan 12 12:14:38 2009 Subject: Anti-spear-phishing, round 2 In-Reply-To: <4963D91A.9060304@ecs.soton.ac.uk> References: <4963D91A.9060304@ecs.soton.ac.uk> Message-ID: <5FC3E08C-6D5F-4AF5-AACE-17623586AD6B@technologytiger.net> On 6 Jan 2009, at 22:20, Julian Field wrote: > I have done a load of work on my script that uses the anti-spear- > phishing addresses database. > > The main thing is now that it is pretty much a finished script, and > is directly usable by you guys without you having to do much to it > except read the settings at the top and tweak the filenames if you > want to change where it puts things. Jules I have now got as far as implementing this excellent feature but I have bumped in to an interesting error. Jan 12 10:58:25 in1-b MailScanner[78431]: SpamAssassin Rule Actions: rule anti_phish caused action not-deliver in message 7FAB84BE3B4.94CF3 Jan 12 10:58:25 in1-b MailScanner[78431]: SpamAssassin Rule Actions: rule anti_phish caused action store in message 7FAB84BE3B4.94CF3 Jan 12 10:58:25 in1-b MailScanner[78431]: SpamAssassin Rule Actions: rule anti_phish caused action header in message 7FAB84BE3B4.94CF3 Jan 12 10:58:25 in1-b MailScanner[78431]: SpamAssassin Rule Actions: rule anti_phish caused action "X-Anti-Phish: in message 7FAB84BE3B4.94CF3 Jan 12 10:58:25 in1-b MailScanner[78431]: SpamAssassin Rule Actions: rule anti_phish caused action Yes" in message 7FAB84BE3B4.94CF3 Jan 12 10:58:25 in1-b MailScanner[78431]: Message 7FAB84BE3B4.94CF3 produced illegal Non-Spam Actions " Yes" "X-Anti-Phish:", so message is being delivered The SpamAssassin Rule Action that generated this log is ...ANTI_PHISH=>not-deliver,store,header "X-Anti-Phish: Yes" (I slightly changed the header in case there was a problem with the _TO_ special command, which has made no difference). 
So what have I done wrong (The actual creation of the SA rule etc is fine as MailScanner is seeing the rule hit as can be seen in the log)? Drew From maillists at conactive.com Mon Jan 12 13:19:47 2009 From: maillists at conactive.com (Kai Schaetzl) Date: Mon Jan 12 13:19:58 2009 Subject: Anti-spear-phishing sa-update channel In-Reply-To: <496A6779.9040309@coders.co.uk> References: <496A6779.9040309@coders.co.uk> Message-ID: Matt wrote on Sun, 11 Jan 2009 21:41:13 +0000: > spear.bastionmail.com you may need to reload your dns or so. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From spamlists at coders.co.uk Mon Jan 12 14:06:14 2009 From: spamlists at coders.co.uk (Matt) Date: Mon Jan 12 14:07:08 2009 Subject: Anti-spear-phishing sa-update channel In-Reply-To: References: <496A6779.9040309@coders.co.uk> Message-ID: <496B4E56.9000508@coders.co.uk> Kai Schaetzl wrote: > you may need to reload your dns or so. Kai - was that directed at me? I have 8 servers already using it so if there are problems please let me know! matt From Denis.Beauchemin at USherbrooke.ca Mon Jan 12 14:12:23 2009 
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Mon Jan 12 14:12:39 2009 Subject: Anti-spear-phishing, round 2 In-Reply-To: <4963D91A.9060304@ecs.soton.ac.uk> References: <4963D91A.9060304@ecs.soton.ac.uk> Message-ID: <496B4FC7.2060701@USherbrooke.ca> Julian Field wrote: > I have done a load of work on my script that uses the > anti-spear-phishing addresses database. > > The main thing is now that it is pretty much a finished script, and is > directly usable by you guys without you having to do much to it except > read the settings at the top and tweak the filenames if you want to > change where it puts things. > > I have taken a lot of care to ensure that this won't match any false > alarms, I don't just dumbly look for the strings in any surrounding > text, which certain commercial AV vendors have been caught doing in > the past! > > I make a suggestion in the comments at the top of the script about how > I use the rule within MailScanner, you probably want to do something > similar, and not just delete anything that matches, just in case you > do get any false alarms. > > It also looks for numbers at the end of the username bit of the > address, and assumes that these are numbers which the scammers may > change; so if it finds them, it replaces them with a pattern that will > match any number instead. There's starting to be a lot of this about, > as it's the easiest way for the scammers to try to defeat simple > address lists targeted against them, while still being able to > remember what addresses they have to check for replies from your dumb > users. :-) I thought I would make it a tiny bit harder for them... > > You can also add addresses of your own (which can include "*" as a > wildcard character to mean "any series of valid characters" in the > email address), one address per line, in an optional extra file. > Again, read the top of the script and you'll see it mentioned there. 
> That file is optional, it doesn't matter if it doesn't exist. As a > starter, you might want to put > m i c h a e l l o u c a s * @ g m a i l . c o m > (without the extra spaces) in that file, as it will nicely catch a lot > of "Job opportunity" spams. > > It looks for any of these addresses appearing **anywhere** in the > message, not just in the headers. So if you start talking to people > about these addresses, don't be surprised when the messages get caught > by the trap. > > It does a "wget", so make sure you have that binary installed, or else > change the script to fetch the file by some other means. > > The very end of the script does a "service MailScanner restart", so if > you need some other command to restart MailScanner, then edit it for > your system. It needs to be a "restart" and not a "reload" as I have > to force it to re-build the database of SpamAssassin rules. > > My aim was that, on a RedHat system running MailScanner, you could > just copy the script into /etc/cron.hourly and make it executable, and > it will just get on with the job for you. I do advise you read the bit > in the script about "SpamAssassin Rule Actions" though. > > Please do let me know how you would like me to improve it, and tell me > what you think of it in general (be polite, now! :-) > > Cheers, > > Jules > Julian, I got what really looks like a FP with one of the email addresses from your script... what would be the best way to correct this ? Write an SA rule with a negative score for that address ? Or is there some whitelisting mechanism built in ? Thanks! Denis PS: the address is jmcelhaney @ uchc . edu (without the spaces). PPS: so far the script seems to have catched about a dozen malicious emails. -- _ ?v? Denis Beauchemin, analyste /(_)\ Universit? de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045 From prandal at herefordshire.gov.uk Mon Jan 12 14:13:29 2009 
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Mon Jan 12 14:17:32 2009
Subject: Anti-spear-phishing sa-update channel
In-Reply-To: <496B4E56.9000508@coders.co.uk>
References: <496A6779.9040309@coders.co.uk> <496B4E56.9000508@coders.co.uk>
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA05A584C4@HC-MBX02.herefordshire.gov.uk>

Don't panic, it all works fine.

Thanks,

Phil

--
Phil Randal | Networks Engineer
Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: prandal@herefordshire.gov.uk

Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Herefordshire Council.

This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Matt
Sent: 12 January 2009 14:06
To: MailScanner discussion
Subject: Re: Anti-spear-phishing sa-update channel

Kai Schaetzl wrote:
> you may need to reload your dns or so.

Kai - was that directed at me? I have 8 servers already using it so if there are problems please let me know!

matt

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From ugob at lubik.ca Mon Jan 12 16:36:02 2009
From: ugob at lubik.ca (Ugo Bellavance)
Date: Mon Jan 12 16:36:19 2009
Subject: totally OT: Mailing lists / reader program?
In-Reply-To:
References:
Message-ID:

Scott Silva wrote:
> on 1-5-2009 10:37 AM traced@xpear.de spake the following:
>> Hi, just one little question;
>> Are you reading lists with standard email progs like thunderbird,
>> or are there other good programs, with better handling on the topics?
>>
>> Regards,
>> Bastian
> I am reading the lists with thunderbird, but through the newsfeeds at gmane.org.
>
> That way I never have to worry about bounces or spam detection on my end
> dropping something.

I'm also doing that and I simply love it.

From submit at zuka.net Mon Jan 12 16:39:18 2009
From: submit at zuka.net (Dave Filchak)
Date: Mon Jan 12 16:39:30 2009
Subject: General Thankyou (still diagnosing fault)
In-Reply-To:
References: <60382.204.184.75.172.1231471379.squirrel@webmail.elsberry.k12.mo.us> <49679B36.9010202@senecac.on.ca> <4967A01A.1020805@senecac.on.ca> <4967D6F2.8090907@senecac.on.ca> <496A4264.6080303@senecac.on.ca> <496A470A.7070507@ecs.soton.ac.uk> <496A538C.60903@senecac.on.ca> <496A5BC8.4000908@ecs.soton.ac.uk> <496A6204.9070105@senecac.on.ca> <496A85DC.3060404@ecs.soton.ac.uk> <496AC6C4.10700
Message-ID: <496B7236.3060604@zuka.net>

Kai Schaetzl wrote:
> @zuka.net>
> Reply-To: mailscanner@lists.mailscanner.info
>
> Dave, your replies are *a horror* to read with that "quoting style" (if
> one can call that "quoting"). Change that in the future, please.
>
> Kai
>
>

Kai,

My apologies. I was **always** told to include the thread so support and people working on a particular problem can quickly go back and review. I used to snip all of the thread as I went and someone like you also gave me grief for doing that. So, what is the **correct** protocol for this? I am most happy to snip out old parts as necessary.

Dave

From submit at zuka.net Mon Jan 12 16:41:12 2009
From: submit at zuka.net (Dave Filchak) Date: Mon Jan 12 16:41:26 2009 Subject: General Thankyou (still diagnosing fault) In-Reply-To: <496B1DCA.2050406@ecs.soton.ac.uk> References: <60382.204.184.75.172.1231471379.squirrel@webmail.elsberry.k12.mo.us> <49679B36.9010202@senecac.on.ca> <4967A01A.1020805@senecac.on.ca> <4967D6F2.8090907@senecac.on.ca> <496A4264.6080303@senecac.on.ca> <496A470A.7070507@ecs.soton.ac.uk> <496A538C.60903@senecac.on.ca> <496A5BC8.4000908@ecs.soton.ac.uk> <496A6204.9070105@senecac.on.ca> <496A85DC.3060404@ecs.soton.ac.uk> <496AB792.9090605@senecac.on.ca> <496AC43F.9030701@senecac.on.ca> <496AC6C4.10700@zuka.net> <496B1DCA.2050406@ecs.soton.ac.uk> Message-ID: <496B72A8.5070306@zuka.net> Julian Field wrote: > >>>>>>>>> It will be being clobbered by the update_virus_scanners cron >>>>>>>>> job which is run once per hour. Please can you mail me an >>>>>>>>> exact copy (preferably gzipped) of your MailScanner.conf file. >>>>>>>>> Have you moved that file from its default location or anything >>>>>>>>> like that? It should pull out the "Run As User" and "Run As >>>>>>>>> Group" from MailScanner.conf and use those values to set the >>>>>>>>> ownership of the lock files. Clearly something is going wrong >>>>>>>>> there. >>>>>>>>> >>>>>>>>> Copy and paste the following commands into a shell running as >>>>>>>>> root. Beware of extra line-breaks that my mail program or your >>>>>>>>> mail program may add into the following, hopefully they'll be >>>>>>>>> okay. 
>>>>>>>>> >>>>>>>>> LOCKDIR=`perl -n -e 'print "$_" if chomp && >>>>>>>>> s/^\s*Lock\s*file\s*Dir\s*=\s*(\S+)/$1/i' >>>>>>>>> /etc/MailScanner/MailScanner.conf` >>>>>>>>> RUNASU=`perl -n -e 'print "$_" if chomp && >>>>>>>>> s/^\s*Run\s*As\s*User\s*=\s*(\S+)/$1/i' >>>>>>>>> /etc/MailScanner/MailScanner.conf` >>>>>>>>> RUNASG=`perl -n -e 'print "$_" if chomp && >>>>>>>>> s/^\s*Run\s*As\s*Group\s*=\s*(\S+)/$1/i' >>>>>>>>> /etc/MailScanner/MailScanner.conf` >>>>>>>>> echo $LOCKDIR >>>>>>>>> echo $RUNASU >>>>>>>>> echo $RUNASG >>>>>>>>> /usr/sbin/mailscanner_create_locks "$LOCKDIR" "$RUNASU" "$RUNASG" >>>>>>>>> >>>>>>>>> Then show me what you get from >>>>>>>>> ls -al $LOCKDIR >>>>>>>>> assuming that the "echo $LOCKDIR" command printed out the >>>>>>>>> directory where your lock files are stored (i.e. normally >>>>>>>>> /var/spool/MailScanner/incoming/Locks). >>>>>>>> >>>>>>>> I have emailed you my conf file. >>>>> That looks fine. >>>>>>>> Here is the output from your scripts: >>>>>>>> >>>>>>>> [root@rosewood MailScanner]# LOCKDIR=`perl -n -e 'print "$_" if >>>>>>>> chomp && s/^\s*Lock\s*file\s*Dir\s*=\s*(\S+)/$1/i' >>>>>>>> /etc/MailScanner/MailScanner.conf` >>>>>>>> [root@rosewood MailScanner]# RUNASU=`perl -n -e 'print "$_" if >>>>>>>> chomp && s/^\s*Run\s*As\s*User\s*=\s*(\S+)/$1/i' >>>>>>>> /etc/MailScanner/MailScanner.conf` >>>>>>>> [root@rosewood MailScanner]# RUNASG=`perl -n -e 'print "$_" if >>>>>>>> chomp && s/^\s*Run\s*As\s*Group\s*=\s*(\S+)/$1/i' >>>>>>>> /etc/MailScanner/MailScanner.conf` >>>>>>>> [root@rosewood MailScanner]# echo $LOCKDIR >>>>>>>> /var/spool/MailScanner/incoming/Locks >>>>>>>> [root@rosewood MailScanner]# echo $RUNASU >>>>>>>> postfix >>>>>>>> [root@rosewood MailScanner]# echo $RUNASG >>>>>>>> postfix >>>>>>> That all looks good. 
As root, >>>>>>> rm -rf /var/spool/MailScanner/incoming/Locks >>>>>>> and then >>>>>>> /usr/sbin/update_virus_scanners >>>>>>> and then show me an >>>>>>> ls -al /var/spool/MailScanner/incoming/Locks >>>>>>> >>>>>>> The files in there should be owned by postfix. Let's see if >>>>>>> that's true. >>>>>>> >>>>>> OK .. deleted the Locks directory, ran update_virus_scanners and >>>>>> got: >>>>>> >>>>>> ls -al /var/spool/MailScanner/incoming/Locks/ >>>>>> total 8 >>>>>> drwxr-x--- 2 root root 4096 Jan 11 16:13 . >>>>>> drwxrwx--- 7 postfix clamav 4096 Jan 11 16:14 .. >>>>>> -rw------- 1 root root 0 Jan 11 16:13 antivirBusy.lock >>>>>> -rw------- 1 root root 0 Jan 11 16:13 avastBusy.lock >>>>>> -rw------- 1 root root 0 Jan 11 16:13 avgBusy.lock >>>>>> -rw------- 1 root root 0 Jan 11 16:13 bitdefenderBusy.lock >>>>>> -rw------- 1 root root 0 Jan 11 16:13 clamavBusy.lock >>>>>> -rw------- 1 root root 0 Jan 11 16:13 cssBusy.lock >>>>>> -rw------- 1 root root 0 Jan 11 16:13 esetsBusy.lock >>>>>> -rw------- 1 root root 0 Jan 11 16:13 etrustBusy.lock >>>>>> -rw------- 1 root root 0 Jan 11 16:13 f-prot-6Busy.lock >>>>>> -rw------- 1 root root 0 Jan 11 16:13 f-protBusy.lock >>>>>> -rw------- 1 root root 0 Jan 11 16:13 f-secureBusy.lock >>>>>> -rw------- 1 root root 0 Jan 11 16:13 genericBusy.lock >>>>>> -rw------- 1 root root 0 Jan 11 16:13 inoculanBusy.lock >>>>>> -rw------- 1 root root 0 Jan 11 16:13 kasperskyBusy.lock >>>>>> -rw------- 1 root root 0 Jan 11 16:13 mcafeeBusy.lock >>>>>> -rw------- 1 root root 0 Jan 11 16:13 MS.bayes.rebuild.lock >>>>>> -rw------- 1 root root 0 Jan 11 16:13 >>>>>> MS.bayes.starting.lock >>>>>> -rw------- 1 root root 0 Jan 11 16:13 nod32Busy.lock >>>>>> -rw------- 1 root root 0 Jan 11 16:13 normanBusy.lock >>>>>> -rw------- 1 root root 0 Jan 11 16:13 pandaBusy.lock >>>>>> -rw------- 1 root root 0 Jan 11 16:13 ravBusy.lock >>>>>> -rw------- 1 root root 0 Jan 11 16:13 sophosBusy.lock >>>>>> -rw------- 1 root root 0 Jan 11 16:13 >>>>>> 
symscanengineBusy.lock >>>>>> -rw------- 1 root root 0 Jan 11 16:13 trendBusy.lock >>>>>> -rw------- 1 root root 0 Jan 11 16:13 vba32Busy.lock >>>>>> -rw------- 1 root root 0 Jan 11 16:13 vexiraBusy.lock >>>>>> >>>>>> >>>>>> Still root. >>>>> Hmmm... >>>>> >>>>> 1 >>>>> I want to be sure there are no weird options for the mount that >>>>> supplies this directory. Do this: >>>>> cd /var/spool/MailScanner/incoming >>>>> df -h . >>>>> mount >>>>> ls -ld Locks >>>>> (all as root). >>>>> Also, paste the contents of your /etc/fstab file into your reply >>>>> to this mail. >>>>> >>>>> 2 >>>>> Also, please can you make a little edit to your >>>>> /usr/sbin/mailscanner_create_locks script. >>>>> Near the top you will see a line that says this: >>>>> my $ldgid = getgrnam($ldgname); >>>>> That's about line 17. Immediately after that line, add this line: >>>>> print STDERR "lduid = $lduid, ldgid = $ldgid\n"; >>>>> and let's just check that it is getting the UID and GID correctly, >>>>> as failure to do that would cause your symptoms. >>>>> Run >>>>> /usr/sbin/mailscanner_create_locks >>>>> /var/spool/MailScanner/incoming/Locks postfix postfix >>>>> (all of that on 1 line) and include the output in your reply, >>>>> and do another >>>>> ls -al /var/spool/MailScanner/incoming/Locks >>>>> to see if anything has improved. >>>>> >>>>> 3 >>>>> If that still isn't working, right at the end of the script there >>>>> are a couple of "chown" lines. Change the first one to read >>>>> chown -1, $ldgid, $locksdirname or warn "Chown1: $!"; >>>>> and the second one to read >>>>> chown $lduid, $ldgid, @locknames or warn "Chown2: $!"; >>>>> and then run the mailscanner_create_locks command I gave above. >>>>> Let me know if it prints anything, and what it says if it does. >>>>> >>>>> 4 >>>>> That lot should give me a better idea of what's going on. >>>> >>>> cd /var/spool/MailScanner/incoming/ >>>> [root@rosewood incoming]# df -h . 
>>>> Filesystem Size Used Avail Use% Mounted on >>>> /dev/hdb1 111G 15G 91G 14% /var >>>> [root@rosewood incoming]# mount >>>> /dev/sda5 on / type ext3 (rw) >>>> none on /proc type proc (rw) >>>> none on /sys type sysfs (rw) >>>> none on /dev/pts type devpts (rw,gid=5,mode=620) >>>> usbfs on /proc/bus/usb type usbfs (rw) >>>> /dev/sda1 on /boot type ext3 (rw) >>>> none on /dev/shm type tmpfs (rw) >>>> /dev/sda2 on /home type ext3 (rw) >>>> /dev/sdb1 on /usr type ext3 (rw) >>>> /dev/hdb1 on /var type ext3 (rw) >>>> none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw) >>>> sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw) >>>> [root@rosewood incoming]# ls -ld Locks >>>> drwxr-x--- 2 root root 4096 Jan 11 16:13 Locks >>>> >>>> FSTAB: >>>> >>>> LABEL=/ / ext3 >>>> defaults 1 1 >>>> LABEL=/boot /boot ext3 >>>> defaults 1 2 >>>> none /dev/pts devpts >>>> gid=5,mode=620 0 0 >>>> none /dev/shm tmpfs >>>> defaults 0 0 >>>> LABEL=/home /home ext3 >>>> defaults 1 2 >>>> none /proc proc >>>> defaults 0 0 >>>> none /sys sysfs >>>> defaults 0 0 >>>> LABEL=/usr /usr ext3 >>>> defaults 1 2 >>>> LABEL=/var /var ext3 >>>> defaults 1 2 >>>> LABEL=SWAP-sda3 swap swap >>>> defaults 0 0 >>>> /dev/hda /media/cdrecorder auto >>>> pamconsole,exec,noauto,managed 0 0 >>>> >>>> /usr/sbin/mailscanner_create_locks >>>> /var/spool/MailScanner/incoming/Locks postfix postfix >>>> lduid = 80, ldgid = 80 >>>> [root@rosewood sbin]# ls -al /var/spool/MailScanner/incoming/Locks >>>> total 8 >>>> drwxr-x--- 2 root postfix 4096 Jan 11 16:13 . >>>> drwxrwx--- 7 postfix clamav 4096 Jan 11 22:18 .. 
>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 antivirBusy.lock >>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 avastBusy.lock >>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 avgBusy.lock >>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 bitdefenderBusy.lock >>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 clamavBusy.lock >>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 cssBusy.lock >>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 esetsBusy.lock >>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 etrustBusy.lock >>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 f-prot-6Busy.lock >>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 f-protBusy.lock >>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 f-secureBusy.lock >>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 genericBusy.lock >>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 inoculanBusy.lock >>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 kasperskyBusy.lock >>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 mcafeeBusy.lock >>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 MS.bayes.rebuild.lock >>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 MS.bayes.starting.lock >>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 nod32Busy.lock >>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 normanBusy.lock >>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 pandaBusy.lock >>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 ravBusy.lock >>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 sophosBusy.lock >>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 symscanengineBusy.lock >>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 trendBusy.lock >>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 vba32Busy.lock >>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 vexiraBusy.lock >>>> >>>> I did not do your last request as this shows the proper ownership. >>>> The questions is: will it hold? >>>> >>>> Let me know if you still want me to do that last bit. >>>> >>>> Sorry it took a while to get back to you. I had to run out for a bit. 
>>>> >>>> Dave >>>> >>> Just so you know ... it all went back to being owned by root when >>> update_virus_scanner ran from cron again. This is the email I received: >>> >>> /etc/cron.hourly/update_virus_scanners: >>> >>> lduid = , ldgid = >> Given the above, I made the last little change you suggested and ran >> it again, like so: >> >> /usr/sbin/mailscanner_create_locks >> /var/spool/MailScanner/incoming/Locks postfix postfix >> lduid = 80, ldgid = 80 >> >> The second line is what it output. After that, all the permissions in >> the Locks directory went back to postfix. Again, will it hold? > The cron job will probably put it back. Okay, next let's find if it is > the script run by cron that is causing the problem, or the environment > in which it is run. > > /usr/sbin/update_virus_scanners > ls -al /var/spool/MailScanner/incoming/Locks > > and show me the output of those two. I want to see if the > update_virus_scanners script successfully finds the uid and gid or not. /usr/sbin/update_virus_scanners lduid = , ldgid = Does not appear to. ls -al /var/spool/MailScanner/incoming/Locks total 12 drwxr-x--- 2 root root 4096 Jan 11 16:13 . drwxrwx--- 7 postfix clamav 4096 Jan 12 11:34 .. 
-rw------- 1 root root 0 Jan 11 16:13 antivirBusy.lock -rw------- 1 root root 0 Jan 11 16:13 avastBusy.lock -rw------- 1 root root 0 Jan 11 16:13 avgBusy.lock -rw------- 1 root root 0 Jan 11 16:13 bitdefenderBusy.lock -rw------- 1 root root 48 Jan 12 00:15 clamavBusy.lock -rw------- 1 root root 0 Jan 11 16:13 cssBusy.lock -rw------- 1 root root 0 Jan 11 16:13 esetsBusy.lock -rw------- 1 root root 0 Jan 11 16:13 etrustBusy.lock -rw------- 1 root root 0 Jan 11 16:13 f-prot-6Busy.lock -rw------- 1 root root 0 Jan 11 16:13 f-protBusy.lock -rw------- 1 root root 0 Jan 11 16:13 f-secureBusy.lock -rw------- 1 root root 0 Jan 11 16:13 genericBusy.lock -rw------- 1 root root 0 Jan 11 16:13 inoculanBusy.lock -rw------- 1 root root 0 Jan 11 16:13 kasperskyBusy.lock -rw------- 1 root root 0 Jan 11 16:13 mcafeeBusy.lock -rw------- 1 root root 0 Jan 11 16:13 MS.bayes.rebuild.lock -rw------- 1 root root 0 Jan 11 16:13 MS.bayes.starting.lock -rw------- 1 root root 0 Jan 11 16:13 nod32Busy.lock -rw------- 1 root root 0 Jan 11 16:13 normanBusy.lock -rw------- 1 root root 0 Jan 11 16:13 pandaBusy.lock -rw------- 1 root root 0 Jan 11 16:13 ravBusy.lock -rw------- 1 root root 0 Jan 11 16:13 sophosBusy.lock -rw------- 1 root root 0 Jan 11 16:13 symscanengineBusy.lock -rw------- 1 root root 0 Jan 11 16:13 trendBusy.lock -rw------- 1 root root 0 Jan 11 16:13 vba32Busy.lock -rw------- 1 root root 0 Jan 11 16:13 vexiraBusy.lock Dave From ssilva at sgvwater.com Mon Jan 12 17:13:35 2009 
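
The check this exchange was working toward, as an added example that is not part of any list message or of MailScanner itself: it reads the three settings from MailScanner.conf the way the quoted perl one-liners do, refuses to go on when one of them comes back empty (the "lduid = , ldgid =" symptom), and audits who owns the lock files. The function names are hypothetical; the setting names, the default config path and the expected ownership (directory group and lock-file owner/group matching "Run As User" and "Run As Group") are taken from the thread.

```shell
#!/bin/sh
# Added example, not MailScanner code. Function names are hypothetical.

# Print the value of a "Key = value" setting from a MailScanner.conf-style
# file. Like the perl one-liners in the thread, matching ignores case and
# spacing inside the key and takes the first non-blank token as the value.
# If the key occurs more than once the last occurrence is used.
# Returns 1 when the file is unreadable or the setting is absent or empty.
ms_conf_value() {
    key=$1 conf=$2
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf" >&2; return 1; }
    awk -v key="$key" '
        BEGIN { k = tolower(key); gsub(/[ \t]+/, "", k) }
        /^[ \t]*#/ { next }                       # skip comment lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            name = tolower(substr($0, 1, eq - 1))
            gsub(/[ \t]+/, "", name)
            if (name != k) next
            val = substr($0, eq + 1)
            sub(/^[ \t]+/, "", val); sub(/[ \t\r]+$/, "", val)
            split(val, parts, /[ \t]+/)
            found = parts[1]
        }
        END { if (found == "") exit 1; print found }
    ' "$conf"
}

# Print lock directory, user and group, one per line. Fails loudly instead
# of handing empty strings on to a chown, which is what leaves root-owned
# lock files behind.
ms_lock_settings() {
    conf=$1 out=
    for setting in "Lock File Dir" "Run As User" "Run As Group"; do
        if ! value=$(ms_conf_value "$setting" "$conf"); then
            echo "ERROR: \"$setting\" is missing or empty in $conf" >&2
            return 1
        fi
        out="$out$value
"
    done
    printf '%s' "$out"
}

# Report every lock file not owned by user:group, and the directory itself
# if its group differs (the good state in the thread is "root postfix" on
# the directory and "postfix postfix" on the files). Returns 0 when clean.
ms_lock_audit() {
    dir=$1 want_user=$2 want_group=$3 bad=0
    [ -d "$dir" ] || { echo "ERROR: $dir is not a directory" >&2; return 2; }
    dir_group=$(ls -ld "$dir" | awk '{print $4}')
    if [ "$dir_group" != "$want_group" ]; then
        echo "MISMATCH $dir group=$dir_group want=$want_group"
        bad=1
    fi
    for f in "$dir"/*.lock; do
        [ -e "$f" ] || continue
        owner=$(ls -ld "$f" | awk '{print $3 ":" $4}')
        if [ "$owner" != "$want_user:$want_group" ]; then
            echo "MISMATCH $f owner=$owner want=$want_user:$want_group"
            bad=1
        fi
    done
    return "$bad"
}

# Resolve the settings, then audit. Usage: ms_lock_check [path/to/conf]
ms_lock_check() {
    conf=${1:-/etc/MailScanner/MailScanner.conf}
    settings=$(ms_lock_settings "$conf") || return 1
    lockdir=$(printf '%s\n' "$settings" | sed -n 1p)
    user=$(printf '%s\n' "$settings" | sed -n 2p)
    group=$(printf '%s\n' "$settings" | sed -n 3p)
    ms_lock_audit "$lockdir" "$user" "$group"
}
```

Sourcing the file and calling `ms_lock_check` right after the hourly cron job has run shows whether ownership has reverted, without changing anything on disk.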
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Jan 12 17:13:57 2009
Subject: totally OT: Mailing lists / reader program?
In-Reply-To:
References:
Message-ID:

on 1-12-2009 8:36 AM Ugo Bellavance spake the following:
> Scott Silva wrote:
>> on 1-5-2009 10:37 AM traced@xpear.de spake the following:
>>> Hi, just one little question;
>>> Are you reading lists with standard email progs like thunderbird,
>>> or are there other good programs, with better handling on the topics?
>>>
>>> Regards,
>>> Bastian
>> I am reading the lists with thunderbird, but through the newsfeeds at
>> gmane.org.
>>
>> That way I never have to worry about bounces or spam detection on my end
>> dropping something.
>
> I'm also doing that and I simply love it.
>

The only thing that bugs me are the encrypted privacy e-mail addresses. I know it can be turned off, but a list admin needs to ask AFAIR. Sometimes I want to reply off list, but the mails have to still go through the Gmane servers to be forwarded.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 258 bytes
Desc: OpenPGP digital signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090112/d4657ada/signature.bin

From NWL002 at shsu.edu Mon Jan 12 17:27:15 2009
From: NWL002 at shsu.edu (Laskie, Norman)
Date: Mon Jan 12 17:27:25 2009
Subject: Anti-spear-phishing sa-update channel
In-Reply-To: <496A6779.9040309@coders.co.uk>
References: <496A6779.9040309@coders.co.uk>
Message-ID: <8FAC1E47484E43469AA28DBF35C955E40FACBA0815@EXMBX.SHSU.EDU>

I'm running into an issue running the sa-update command against your channel. I'm willing to bet it's something stupid I'm doing / not doing.

Thanks in advance,
Norman

sa-update --channel spear.bastionmail.com --gpgkey 06EF70A3
error: GPG validation failed!
The update downloaded successfully, but it was not signed with a trusted GPG
key. Instead, it was signed with the following keys:

    06EF70A3

Perhaps you need to import the channel's GPG key? For example:

    wget http://spamassassin.apache.org/updates/GPG.KEY
    sa-update --import GPG.KEY

channel: GPG validation failed, channel failed

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Matt
Sent: Sunday, January 11, 2009 3:41 PM
To: MailScanner discussion
Subject: Anti-spear-phishing sa-update channel

All

If anyone is interested I have published an sa-update channel which generates the same rules as Jules' script.

The channel is spear.bastionmail.com it is signed by key id 06EF70A3 which you can get from http://www.bastionmail.co.uk/spear.txt

The rules are named in the same way and is updated within 15 minutes of an SVN update.

****** NOTE - it is fully automatic in the same way as Jules script works ********

matt

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From cwatts at elsberry.k12.mo.us Mon Jan 12 17:33:52 2009
From: cwatts at elsberry.k12.mo.us (Cannon Watts)
Date: Mon Jan 12 17:35:31 2009
Subject: identical messages -- some get bayes score, some don't
In-Reply-To:
References: <60382.204.184.75.172.1231471379.squirrel@webmail.elsberry.k12.mo.us> <55910.204.184.75.172.1231537026.squirrel@webmail.elsberry.k12.mo.us> <41554.204.184.75.172.1231608493.squirrel@webmail.elsberry.k12.mo.us>
Message-ID: <43459.204.184.75.172.1231781632.squirrel@webmail.elsberry.k12.mo.us>

On Sun, January 11, 2009 12:31 pm, Kai Schaetzl wrote:
> Cannon Watts wrote on Sat, 10 Jan 2009 11:28:13 -0600 (CST):
>
>> Thanks, that certainly cuts down on the timeouts, The URIBL tests are
>> still generating 281 timeouts on those 28 messages, but that's a minor
>> concern now that the bayes issues seem to be sorted out (see below).
>
> As said earlier, there is surely something wrong either with your dns
> setup or
> with your software (e.g. DNS::Net too old or so). Have you set
> dns_available
> yes or do you let SA check that? If set to yes set it to no and let SA
> show
> you the outcome.

I'll look into the DNS::Net module. I have not tried setting dns_available to 'no', but I did set it to 'test' and the debugging messages showed it successfully contacting both DNS servers in my /etc/resolv.conf (the first of those being the localhost)

>> I guess my database was either corrupt, or just too big.
>
> For being "too big" it should have had at least 5 million tokens (I
> haven't
> ever seen a database over that size, but I can say that databases in this
> range are still fine performance-wise).

I'm not sure it's worth the time and effort to figure out _why_ the old database was performing so poorly. After removing it, and starting fresh, every incoming mail appears to get a BAYES score, and where some users were getting as many as 20 spams per day slipping through the filter, those same users have not had one since rebuilding the database. I am seeing a few false positives, but I think a little bayes re-training will sort that out in short order.

Thanks again for your help.

From MailScanner at ecs.soton.ac.uk Mon Jan 12 19:18:22 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jan 12 19:18:44 2009 Subject: General Thankyou (still diagnosing fault) In-Reply-To: <496B72A8.5070306@zuka.net> References: <60382.204.184.75.172.1231471379.squirrel@webmail.elsberry.k12.mo.us> <49679B36.9010202@senecac.on.ca> <4967A01A.1020805@senecac.on.ca> <4967D6F2.8090907@senecac.on.ca> <496A4264.6080303@senecac.on.ca> <496A470A.7070507@ecs.soton.ac.uk> <496A538C.60903@senecac.on.ca> <496A5BC8.4000908@ecs.soton.ac.uk> <496A6204.9070105@senecac.on.ca> <496A85DC.3060404@ecs.soton.ac.uk> <496AB792.9090605@senecac.on.ca> <496AC43F.9030701@senecac.on.ca> <496AC6C4.10700@zuka.net> <496B1DCA.2050406@ecs.soton.ac.uk> <496B72A8.5070306@zuka.net> Message-ID: <496B977E.5020607@ecs.soton.ac.uk> On 12/1/09 16:41, Dave Filchak wrote: > Julian Field wrote: >> >>>>>>>>>> It will be being clobbered by the update_virus_scanners cron >>>>>>>>>> job which is run once per hour. Please can you mail me an >>>>>>>>>> exact copy (preferably gzipped) of your MailScanner.conf >>>>>>>>>> file. Have you moved that file from its default location or >>>>>>>>>> anything like that? It should pull out the "Run As User" and >>>>>>>>>> "Run As Group" from MailScanner.conf and use those values to >>>>>>>>>> set the ownership of the lock files. Clearly something is >>>>>>>>>> going wrong there. >>>>>>>>>> >>>>>>>>>> Copy and paste the following commands into a shell running as >>>>>>>>>> root. Beware of extra line-breaks that my mail program or >>>>>>>>>> your mail program may add into the following, hopefully >>>>>>>>>> they'll be okay. 
>>>>>>>>>> >>>>>>>>>> LOCKDIR=`perl -n -e 'print "$_" if chomp && >>>>>>>>>> s/^\s*Lock\s*file\s*Dir\s*=\s*(\S+)/$1/i' >>>>>>>>>> /etc/MailScanner/MailScanner.conf` >>>>>>>>>> RUNASU=`perl -n -e 'print "$_" if chomp && >>>>>>>>>> s/^\s*Run\s*As\s*User\s*=\s*(\S+)/$1/i' >>>>>>>>>> /etc/MailScanner/MailScanner.conf` >>>>>>>>>> RUNASG=`perl -n -e 'print "$_" if chomp && >>>>>>>>>> s/^\s*Run\s*As\s*Group\s*=\s*(\S+)/$1/i' >>>>>>>>>> /etc/MailScanner/MailScanner.conf` >>>>>>>>>> echo $LOCKDIR >>>>>>>>>> echo $RUNASU >>>>>>>>>> echo $RUNASG >>>>>>>>>> /usr/sbin/mailscanner_create_locks "$LOCKDIR" "$RUNASU" >>>>>>>>>> "$RUNASG" >>>>>>>>>> >>>>>>>>>> Then show me what you get from >>>>>>>>>> ls -al $LOCKDIR >>>>>>>>>> assuming that the "echo $LOCKDIR" command printed out the >>>>>>>>>> directory where your lock files are stored (i.e. normally >>>>>>>>>> /var/spool/MailScanner/incoming/Locks). >>>>>>>>> >>>>>>>>> I have emailed you my conf file. >>>>>> That looks fine. >>>>>>>>> Here is the output from your scripts: >>>>>>>>> >>>>>>>>> [root@rosewood MailScanner]# LOCKDIR=`perl -n -e 'print "$_" >>>>>>>>> if chomp && s/^\s*Lock\s*file\s*Dir\s*=\s*(\S+)/$1/i' >>>>>>>>> /etc/MailScanner/MailScanner.conf` >>>>>>>>> [root@rosewood MailScanner]# RUNASU=`perl -n -e 'print "$_" if >>>>>>>>> chomp && s/^\s*Run\s*As\s*User\s*=\s*(\S+)/$1/i' >>>>>>>>> /etc/MailScanner/MailScanner.conf` >>>>>>>>> [root@rosewood MailScanner]# RUNASG=`perl -n -e 'print "$_" if >>>>>>>>> chomp && s/^\s*Run\s*As\s*Group\s*=\s*(\S+)/$1/i' >>>>>>>>> /etc/MailScanner/MailScanner.conf` >>>>>>>>> [root@rosewood MailScanner]# echo $LOCKDIR >>>>>>>>> /var/spool/MailScanner/incoming/Locks >>>>>>>>> [root@rosewood MailScanner]# echo $RUNASU >>>>>>>>> postfix >>>>>>>>> [root@rosewood MailScanner]# echo $RUNASG >>>>>>>>> postfix >>>>>>>> That all looks good. 
As root,
>>>>>>>> rm -rf /var/spool/MailScanner/incoming/Locks
>>>>>>>> and then
>>>>>>>> /usr/sbin/update_virus_scanners
>>>>>>>> and then show me an
>>>>>>>> ls -al /var/spool/MailScanner/incoming/Locks
>>>>>>>>
>>>>>>>> The files in there should be owned by postfix. Let's see if
>>>>>>>> that's true.
>>>>>>>>
>>>>>>> OK .. deleted the Locks directory, ran update_virus_scanners and
>>>>>>> got:
>>>>>>>
>>>>>>> ls -al /var/spool/MailScanner/incoming/Locks/
>>>>>>> total 8
>>>>>>> drwxr-x--- 2 root root 4096 Jan 11 16:13 .
>>>>>>> drwxrwx--- 7 postfix clamav 4096 Jan 11 16:14 ..
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 antivirBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 avastBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 avgBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 bitdefenderBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 clamavBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 cssBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 esetsBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 etrustBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 f-prot-6Busy.lock
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 f-protBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 f-secureBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 genericBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 inoculanBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 kasperskyBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 mcafeeBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 MS.bayes.rebuild.lock
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 MS.bayes.starting.lock
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 nod32Busy.lock
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 normanBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 pandaBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 ravBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 sophosBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 symscanengineBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 trendBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 vba32Busy.lock
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 vexiraBusy.lock
>>>>>>>
>>>>>>>
>>>>>>> Still root.
>>>>>> Hmmm...
>>>>>>
>>>>>> 1
>>>>>> I want to be sure there are no weird options for the mount that
>>>>>> supplies this directory. Do this:
>>>>>> cd /var/spool/MailScanner/incoming
>>>>>> df -h .
>>>>>> mount
>>>>>> ls -ld Locks
>>>>>> (all as root).
>>>>>> Also, paste the contents of your /etc/fstab file into your reply
>>>>>> to this mail.
>>>>>>
>>>>>> 2
>>>>>> Also, please can you make a little edit to your
>>>>>> /usr/sbin/mailscanner_create_locks script.
>>>>>> Near the top you will see a line that says this:
>>>>>> my $ldgid = getgrnam($ldgname);
>>>>>> That's about line 17. Immediately after that line, add this line:
>>>>>> print STDERR "lduid = $lduid, ldgid = $ldgid\n";
>>>>>> and let's just check that it is getting the UID and GID
>>>>>> correctly, as failure to do that would cause your symptoms.
>>>>>> Run
>>>>>> /usr/sbin/mailscanner_create_locks
>>>>>> /var/spool/MailScanner/incoming/Locks postfix postfix
>>>>>> (all of that on 1 line) and include the output in your reply,
>>>>>> and do another
>>>>>> ls -al /var/spool/MailScanner/incoming/Locks
>>>>>> to see if anything has improved.
>>>>>>
>>>>>> 3
>>>>>> If that still isn't working, right at the end of the script there
>>>>>> are a couple of "chown" lines. Change the first one to read
>>>>>> chown -1, $ldgid, $locksdirname or warn "Chown1: $!";
>>>>>> and the second one to read
>>>>>> chown $lduid, $ldgid, @locknames or warn "Chown2: $!";
>>>>>> and then run the mailscanner_create_locks command I gave above.
>>>>>> Let me know if it prints anything, and what it says if it does.
>>>>>>
>>>>>> 4
>>>>>> That lot should give me a better idea of what's going on.
>>>>>
>>>>> cd /var/spool/MailScanner/incoming/
>>>>> [root@rosewood incoming]# df -h .
>>>>> Filesystem Size Used Avail Use% Mounted on
>>>>> /dev/hdb1 111G 15G 91G 14% /var
>>>>> [root@rosewood incoming]# mount
>>>>> /dev/sda5 on / type ext3 (rw)
>>>>> none on /proc type proc (rw)
>>>>> none on /sys type sysfs (rw)
>>>>> none on /dev/pts type devpts (rw,gid=5,mode=620)
>>>>> usbfs on /proc/bus/usb type usbfs (rw)
>>>>> /dev/sda1 on /boot type ext3 (rw)
>>>>> none on /dev/shm type tmpfs (rw)
>>>>> /dev/sda2 on /home type ext3 (rw)
>>>>> /dev/sdb1 on /usr type ext3 (rw)
>>>>> /dev/hdb1 on /var type ext3 (rw)
>>>>> none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
>>>>> sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
>>>>> [root@rosewood incoming]# ls -ld Locks
>>>>> drwxr-x--- 2 root root 4096 Jan 11 16:13 Locks
>>>>>
>>>>> FSTAB:
>>>>>
>>>>> LABEL=/ / ext3 defaults 1 1
>>>>> LABEL=/boot /boot ext3 defaults 1 2
>>>>> none /dev/pts devpts gid=5,mode=620 0 0
>>>>> none /dev/shm tmpfs defaults 0 0
>>>>> LABEL=/home /home ext3 defaults 1 2
>>>>> none /proc proc defaults 0 0
>>>>> none /sys sysfs defaults 0 0
>>>>> LABEL=/usr /usr ext3 defaults 1 2
>>>>> LABEL=/var /var ext3 defaults 1 2
>>>>> LABEL=SWAP-sda3 swap swap defaults 0 0
>>>>> /dev/hda /media/cdrecorder auto pamconsole,exec,noauto,managed 0 0
>>>>>
>>>>> /usr/sbin/mailscanner_create_locks
>>>>> /var/spool/MailScanner/incoming/Locks postfix postfix
>>>>> lduid = 80, ldgid = 80
>>>>> [root@rosewood sbin]# ls -al /var/spool/MailScanner/incoming/Locks
>>>>> total 8
>>>>> drwxr-x--- 2 root postfix 4096 Jan 11 16:13 .
>>>>> drwxrwx--- 7 postfix clamav 4096 Jan 11 22:18 ..
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 antivirBusy.lock
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 avastBusy.lock
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 avgBusy.lock
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 bitdefenderBusy.lock
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 clamavBusy.lock
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 cssBusy.lock
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 esetsBusy.lock
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 etrustBusy.lock
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 f-prot-6Busy.lock
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 f-protBusy.lock
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 f-secureBusy.lock
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 genericBusy.lock
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 inoculanBusy.lock
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 kasperskyBusy.lock
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 mcafeeBusy.lock
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 MS.bayes.rebuild.lock
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 MS.bayes.starting.lock
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 nod32Busy.lock
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 normanBusy.lock
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 pandaBusy.lock
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 ravBusy.lock
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 sophosBusy.lock
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 symscanengineBusy.lock
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 trendBusy.lock
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 vba32Busy.lock
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 vexiraBusy.lock
>>>>>
>>>>> I did not do your last request as this shows the proper ownership.
>>>>> The question is: will it hold?
>>>>>
>>>>> Let me know if you still want me to do that last bit.
>>>>>
>>>>> Sorry it took a while to get back to you. I had to run out for a bit.
>>>>>
>>>>> Dave
>>>>>
>>>> Just so you know ... it all went back to being owned by root when
>>>> update_virus_scanner ran from cron again. This is the email I
>>>> received:
>>>>
>>>> /etc/cron.hourly/update_virus_scanners:
>>>>
>>>> lduid = , ldgid =
>>> Given the above, I made the last little change you suggested and ran
>>> it again, like so:
>>>
>>> /usr/sbin/mailscanner_create_locks
>>> /var/spool/MailScanner/incoming/Locks postfix postfix
>>> lduid = 80, ldgid = 80
>>>
>>> The second line is what it output. After that, all the permissions
>>> in the Locks directory went back to postfix. Again, will it hold?
>> The cron job will probably put it back. Okay, next let's find if it
>> is the script run by cron that is causing the problem, or the
>> environment in which it is run.
>>
>> /usr/sbin/update_virus_scanners
>> ls -al /var/spool/MailScanner/incoming/Locks
>>
>> and show me the output of those two. I want to see if the
>> update_virus_scanners script successfully finds the uid and gid or not.
> /usr/sbin/update_virus_scanners
> lduid = , ldgid =
>
> Does not appear to.

Aha, we're getting somewhere.
Now edit /usr/sbin/update_virus_scanners.
At the very top there are 3 lines which set LOCKDIR, RUNASU and RUNASG.
Immediately after them add these 3 lines
echo LOCKDIR = \'$LOCKDIR\'
echo RUNASU = \'$RUNASU\'
echo RUNASG = \'$RUNASG\'

Then run /usr/sbin/update_virus_scanners as root.

I am hoping it will print something like this:
LOCKDIR = '/var/spool/MailScanner/incoming/Locks'
RUNASU = 'postfix'
RUNASG = 'postfix'
lduid = 89, ldgid = 89
Let us see what your version prints.

We should be able to sort this pretty soon, we're getting very close
to the source of the problem.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

From root at doctor.nl2k.ab.ca Mon Jan 12 19:23:40 2009
From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem)
Date: Mon Jan 12 19:24:54 2009
Subject: MAilScanner 4.75
Message-ID: <20090112192340.GA26213@doctor.nl2k.ab.ca>

Jules, when will MS 4.75 be released?

From MailScanner at ecs.soton.ac.uk Mon Jan 12 19:30:56 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Jan 12 19:31:17 2009
Subject: General Thankyou (still diagnosing fault)
In-Reply-To: <496B72A8.5070306@zuka.net>
References: <60382.204.184.75.172.1231471379.squirrel@webmail.elsberry.k12.mo.us> <49679B36.9010202@senecac.on.ca> <4967A01A.1020805@senecac.on.ca> <4967D6F2.8090907@senecac.on.ca> <496A4264.6080303@senecac.on.ca> <496A470A.7070507@ecs.soton.ac.uk> <496A538C.60903@senecac.on.ca> <496A5BC8.4000908@ecs.soton.ac.uk> <496A6204.9070105@senecac.on.ca> <496A85DC.3060404@ecs.soton.ac.uk> <496AB792.9090605@senecac.on.ca> <496AC43F.9030701@senecac.on.ca> <496AC6C4.10700@zuka.net> <496B1DCA.2050406@ecs.soton.ac.uk> <496B72A8.5070306@zuka.net>
Message-ID: <496B9A70.1020605@ecs.soton.ac.uk>

On 12/1/09 16:41, Dave Filchak wrote:
> Julian Field wrote:
>>
>>>>>>>>>> It will be being clobbered by the update_virus_scanners cron
>>>>>>>>>> job which is run once per hour. Please can you mail me an
>>>>>>>>>> exact copy (preferably gzipped) of your MailScanner.conf
>>>>>>>>>> file. Have you moved that file from its default location or
>>>>>>>>>> anything like that? It should pull out the "Run As User" and
>>>>>>>>>> "Run As Group" from MailScanner.conf and use those values to
>>>>>>>>>> set the ownership of the lock files. Clearly something is
>>>>>>>>>> going wrong there.
>>>>>>>>>>
>>>>>>>>>> Copy and paste the following commands into a shell running as
>>>>>>>>>> root. Beware of extra line-breaks that my mail program or
>>>>>>>>>> your mail program may add into the following, hopefully
>>>>>>>>>> they'll be okay.
>>>>>>>>>>
>>>>>>>>>> LOCKDIR=`perl -n -e 'print "$_" if chomp &&
>>>>>>>>>> s/^\s*Lock\s*file\s*Dir\s*=\s*(\S+)/$1/i'
>>>>>>>>>> /etc/MailScanner/MailScanner.conf`
>>>>>>>>>> RUNASU=`perl -n -e 'print "$_" if chomp &&
>>>>>>>>>> s/^\s*Run\s*As\s*User\s*=\s*(\S+)/$1/i'
>>>>>>>>>> /etc/MailScanner/MailScanner.conf`
>>>>>>>>>> RUNASG=`perl -n -e 'print "$_" if chomp &&
>>>>>>>>>> s/^\s*Run\s*As\s*Group\s*=\s*(\S+)/$1/i'
>>>>>>>>>> /etc/MailScanner/MailScanner.conf`
>>>>>>>>>> echo $LOCKDIR
>>>>>>>>>> echo $RUNASU
>>>>>>>>>> echo $RUNASG
>>>>>>>>>> /usr/sbin/mailscanner_create_locks "$LOCKDIR" "$RUNASU"
>>>>>>>>>> "$RUNASG"
>>>>>>>>>>
>>>>>>>>>> Then show me what you get from
>>>>>>>>>> ls -al $LOCKDIR
>>>>>>>>>> assuming that the "echo $LOCKDIR" command printed out the
>>>>>>>>>> directory where your lock files are stored (i.e. normally
>>>>>>>>>> /var/spool/MailScanner/incoming/Locks).
>>>>>>>>>
>>>>>>>>> I have emailed you my conf file.
>>>>>> That looks fine.
>>>>>>>>> Here is the output from your scripts:
>>>>>>>>>
>>>>>>>>> [root@rosewood MailScanner]# LOCKDIR=`perl -n -e 'print "$_"
>>>>>>>>> if chomp && s/^\s*Lock\s*file\s*Dir\s*=\s*(\S+)/$1/i'
>>>>>>>>> /etc/MailScanner/MailScanner.conf`
>>>>>>>>> [root@rosewood MailScanner]# RUNASU=`perl -n -e 'print "$_" if
>>>>>>>>> chomp && s/^\s*Run\s*As\s*User\s*=\s*(\S+)/$1/i'
>>>>>>>>> /etc/MailScanner/MailScanner.conf`
>>>>>>>>> [root@rosewood MailScanner]# RUNASG=`perl -n -e 'print "$_" if
>>>>>>>>> chomp && s/^\s*Run\s*As\s*Group\s*=\s*(\S+)/$1/i'
>>>>>>>>> /etc/MailScanner/MailScanner.conf`
>>>>>>>>> [root@rosewood MailScanner]# echo $LOCKDIR
>>>>>>>>> /var/spool/MailScanner/incoming/Locks
>>>>>>>>> [root@rosewood MailScanner]# echo $RUNASU
>>>>>>>>> postfix
>>>>>>>>> [root@rosewood MailScanner]# echo $RUNASG
>>>>>>>>> postfix
>>>>>>>> That all looks good. As root,
>>>>>>>> rm -rf /var/spool/MailScanner/incoming/Locks
>>>>>>>> and then
>>>>>>>> /usr/sbin/update_virus_scanners
>>>>>>>> and then show me an
>>>>>>>> ls -al /var/spool/MailScanner/incoming/Locks
>>>>>>>>
>>>>>>>> The files in there should be owned by postfix. Let's see if
>>>>>>>> that's true.
>>>>>>>>
>>>>>>> OK .. deleted the Locks directory, ran update_virus_scanners and
>>>>>>> got:
>>>>>>>
>>>>>>> ls -al /var/spool/MailScanner/incoming/Locks/
>>>>>>> total 8
>>>>>>> drwxr-x--- 2 root root 4096 Jan 11 16:13 .
>>>>>>> drwxrwx--- 7 postfix clamav 4096 Jan 11 16:14 ..
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 antivirBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 avastBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 avgBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 bitdefenderBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 clamavBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 cssBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 esetsBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 etrustBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 f-prot-6Busy.lock
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 f-protBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 f-secureBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 genericBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 inoculanBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 kasperskyBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 mcafeeBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 MS.bayes.rebuild.lock
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 MS.bayes.starting.lock
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 nod32Busy.lock
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 normanBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 pandaBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 ravBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 sophosBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 symscanengineBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 trendBusy.lock
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 vba32Busy.lock
>>>>>>> -rw------- 1 root root 0 Jan 11 16:13 vexiraBusy.lock
>>>>>>>
>>>>>>>
>>>>>>> Still root.
>>>>>> Hmmm...
>>>>>>
>>>>>> 1
>>>>>> I want to be sure there are no weird options for the mount that
>>>>>> supplies this directory. Do this:
>>>>>> cd /var/spool/MailScanner/incoming
>>>>>> df -h .
>>>>>> mount
>>>>>> ls -ld Locks
>>>>>> (all as root).
>>>>>> Also, paste the contents of your /etc/fstab file into your reply
>>>>>> to this mail.
>>>>>>
>>>>>> 2
>>>>>> Also, please can you make a little edit to your
>>>>>> /usr/sbin/mailscanner_create_locks script.
>>>>>> Near the top you will see a line that says this:
>>>>>> my $ldgid = getgrnam($ldgname);
>>>>>> That's about line 17. Immediately after that line, add this line:
>>>>>> print STDERR "lduid = $lduid, ldgid = $ldgid\n";
>>>>>> and let's just check that it is getting the UID and GID
>>>>>> correctly, as failure to do that would cause your symptoms.
>>>>>> Run
>>>>>> /usr/sbin/mailscanner_create_locks
>>>>>> /var/spool/MailScanner/incoming/Locks postfix postfix
>>>>>> (all of that on 1 line) and include the output in your reply,
>>>>>> and do another
>>>>>> ls -al /var/spool/MailScanner/incoming/Locks
>>>>>> to see if anything has improved.
>>>>>>
>>>>>> 3
>>>>>> If that still isn't working, right at the end of the script there
>>>>>> are a couple of "chown" lines. Change the first one to read
>>>>>> chown -1, $ldgid, $locksdirname or warn "Chown1: $!";
>>>>>> and the second one to read
>>>>>> chown $lduid, $ldgid, @locknames or warn "Chown2: $!";
>>>>>> and then run the mailscanner_create_locks command I gave above.
>>>>>> Let me know if it prints anything, and what it says if it does.
>>>>>>
>>>>>> 4
>>>>>> That lot should give me a better idea of what's going on.
>>>>>
>>>>> cd /var/spool/MailScanner/incoming/
>>>>> [root@rosewood incoming]# df -h .
>>>>> Filesystem Size Used Avail Use% Mounted on
>>>>> /dev/hdb1 111G 15G 91G 14% /var
>>>>> [root@rosewood incoming]# mount
>>>>> /dev/sda5 on / type ext3 (rw)
>>>>> none on /proc type proc (rw)
>>>>> none on /sys type sysfs (rw)
>>>>> none on /dev/pts type devpts (rw,gid=5,mode=620)
>>>>> usbfs on /proc/bus/usb type usbfs (rw)
>>>>> /dev/sda1 on /boot type ext3 (rw)
>>>>> none on /dev/shm type tmpfs (rw)
>>>>> /dev/sda2 on /home type ext3 (rw)
>>>>> /dev/sdb1 on /usr type ext3 (rw)
>>>>> /dev/hdb1 on /var type ext3 (rw)
>>>>> none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
>>>>> sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
>>>>> [root@rosewood incoming]# ls -ld Locks
>>>>> drwxr-x--- 2 root root 4096 Jan 11 16:13 Locks
>>>>>
>>>>> FSTAB:
>>>>>
>>>>> LABEL=/ / ext3 defaults 1 1
>>>>> LABEL=/boot /boot ext3 defaults 1 2
>>>>> none /dev/pts devpts gid=5,mode=620 0 0
>>>>> none /dev/shm tmpfs defaults 0 0
>>>>> LABEL=/home /home ext3 defaults 1 2
>>>>> none /proc proc defaults 0 0
>>>>> none /sys sysfs defaults 0 0
>>>>> LABEL=/usr /usr ext3 defaults 1 2
>>>>> LABEL=/var /var ext3 defaults 1 2
>>>>> LABEL=SWAP-sda3 swap swap defaults 0 0
>>>>> /dev/hda /media/cdrecorder auto pamconsole,exec,noauto,managed 0 0
>>>>>
>>>>> /usr/sbin/mailscanner_create_locks
>>>>> /var/spool/MailScanner/incoming/Locks postfix postfix
>>>>> lduid = 80, ldgid = 80
>>>>> [root@rosewood sbin]# ls -al /var/spool/MailScanner/incoming/Locks
>>>>> total 8
>>>>> drwxr-x--- 2 root postfix 4096 Jan 11 16:13 .
>>>>> drwxrwx--- 7 postfix clamav 4096 Jan 11 22:18 ..
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 antivirBusy.lock
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 avastBusy.lock
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 avgBusy.lock
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 bitdefenderBusy.lock
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 clamavBusy.lock
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 cssBusy.lock
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 esetsBusy.lock
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 etrustBusy.lock
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 f-prot-6Busy.lock
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 f-protBusy.lock
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 f-secureBusy.lock
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 genericBusy.lock
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 inoculanBusy.lock
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 kasperskyBusy.lock
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 mcafeeBusy.lock
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 MS.bayes.rebuild.lock
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 MS.bayes.starting.lock
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 nod32Busy.lock
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 normanBusy.lock
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 pandaBusy.lock
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 ravBusy.lock
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 sophosBusy.lock
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 symscanengineBusy.lock
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 trendBusy.lock
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 vba32Busy.lock
>>>>> -rw------- 1 postfix postfix 0 Jan 11 16:13 vexiraBusy.lock
>>>>>
>>>>> I did not do your last request as this shows the proper ownership.
>>>>> The question is: will it hold?
>>>>>
>>>>> Let me know if you still want me to do that last bit.
>>>>>
>>>>> Sorry it took a while to get back to you. I had to run out for a bit.
>>>>>
>>>>> Dave
>>>>>
>>>> Just so you know ... it all went back to being owned by root when
>>>> update_virus_scanner ran from cron again. This is the email I
>>>> received:
>>>>
>>>> /etc/cron.hourly/update_virus_scanners:
>>>>
>>>> lduid = , ldgid =
>>> Given the above, I made the last little change you suggested and ran
>>> it again, like so:
>>>
>>> /usr/sbin/mailscanner_create_locks
>>> /var/spool/MailScanner/incoming/Locks postfix postfix
>>> lduid = 80, ldgid = 80
>>>
>>> The second line is what it output. After that, all the permissions
>>> in the Locks directory went back to postfix. Again, will it hold?
>> The cron job will probably put it back. Okay, next let's find if it
>> is the script run by cron that is causing the problem, or the
>> environment in which it is run.
>>
>> /usr/sbin/update_virus_scanners
>> ls -al /var/spool/MailScanner/incoming/Locks
>>
>> and show me the output of those two. I want to see if the
>> update_virus_scanners script successfully finds the uid and gid or not.
> /usr/sbin/update_virus_scanners
> lduid = , ldgid =
>
> Does not appear to.

And also, if you don't get the output from the last change that I showed you (which is what I expected you to get), try changing the 3 lines that set the LOCKDIR, RUNASU and RUNASG to this instead:

LOCKDIR=`perl -n -e 'print "$_" if chomp && s/^\s*Lock\s*file\s*Dir\s*=\s*(\S+).*$/$1/i' /etc/MailScanner/MailScanner.conf`
RUNASU=`perl -n -e 'print "$_" if chomp && s/^\s*Run\s*As\s*User\s*=\s*(\S+).*$/$1/i' /etc/MailScanner/MailScanner.conf`
RUNASG=`perl -n -e 'print "$_" if chomp && s/^\s*Run\s*As\s*Group\s*=\s*(\S+).*$/$1/i' /etc/MailScanner/MailScanner.conf`

That should be on 3 lines, ignore any extra line breaks that either my or your email application added for good measure :-)

The subtle difference is the addition of ".*$" on the end of each of the 3 regular expressions we are matching, which should have been there from the start (my mistake).

See if that helps fix the problem at all.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

From maillists at conactive.com Mon Jan 12 19:31:23 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Mon Jan 12 19:31:37 2009
Subject: identical messages -- some get bayes score, some don't
In-Reply-To: <43459.204.184.75.172.1231781632.squirrel@webmail.elsberry.k12.mo.us>
References: <60382.204.184.75.172.1231471379.squirrel@webmail.elsberry.k12.mo.us> <55910.204.184.75.172.1231537026.squirrel@webmail.elsberry.k12.mo.us> <41554.204.184.75.172.1231608493.squirrel@webmail.elsberry.k12.mo.us> <43459.204.184.75.172.1231781632.squirrel@webmail.elsberry.k12.mo.us>
Message-ID:

Cannon Watts wrote on Mon, 12 Jan 2009 11:33:52 -0600 (CST):

> I'll look into the DNS::Net module.

Sorry, I think it's Net::DNS. But I guess you may have figured that.

> I have not tried setting dns_available
> to 'no', but I did set it to 'test' and the debugging messages showed it
> successfully contacting both DNS servers in my /etc/resolv.conf (the first
> of those being the localhost)

"no" would have been incorrect, test was just fine. I was too fast with typing ...

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Mon Jan 12 19:31:22 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Mon Jan 12 19:31:37 2009
Subject: General Thankyou (still diagnosing fault)
In-Reply-To: <496B7236.3060604@zuka.net>
References: <60382.204.184.75.172.1231471379.squirrel@webmail.elsberry.k12.mo.us> <49679B36.9010202@senecac.on.ca> <4967A01A.1020805@senecac.on.ca> <4967D6F2.8090907@senecac.on.ca> <496A4264.6080303@senecac.on.ca> <496A470A.7070507@ecs.soton.ac.uk> <496A538C.60903@senecac.on.ca> <496A5BC8.4000908@ecs.soton.ac.uk> <496A6204.9070105@senecac.on.ca> <496A85DC.3060404@ecs.soton.ac.uk> <496AC6C4.10700 <496B7236.3060604@zuka.net>
Message-ID:

Dave Filchak wrote on Mon, 12 Jan 2009 11:39:18 -0500:

> I am most happy to snip out old parts as necessary.

This would be most appreciated. Quote just what is needed to understand the next lines (which should be your reply). It doesn't matter too much with a few mails, but with a long thread it's a horror to search up and down for your reply. I stopped reading the thread three or four messages ago because it became unbearable and just "flew" over them. Anyway, it looks like your quest is nearing an end ;-)

I'm not sure but I think you didn't ever mention your OS and version (and nobody asked). Maybe that could explain the problem why it doesn't pick up the correct owner etc.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Mon Jan 12 19:31:22 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Mon Jan 12 19:31:38 2009
Subject: Anti-spear-phishing sa-update channel
In-Reply-To: <496B4E56.9000508@coders.co.uk>
References: <496A6779.9040309@coders.co.uk> <496B4E56.9000508@coders.co.uk>
Message-ID:

Matt wrote on Mon, 12 Jan 2009 14:06:14 +0000:

> Kai - was that directed at me?

Yes.

d01:~ host spear.bastionmail.com
d01:~ host www.bastionmail.com
www.bastionmail.com has address 12.158.191.97

same result from various locations, I bet at least one of your secondaries isn't updated.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From spamlists at coders.co.uk Mon Jan 12 19:34:00 2009
From: spamlists at coders.co.uk (Matt)
Date: Mon Jan 12 19:34:50 2009
Subject: Anti-spear-phishing sa-update channel
In-Reply-To: <8FAC1E47484E43469AA28DBF35C955E40FACBA0815@EXMBX.SHSU.EDU>
References: <496A6779.9040309@coders.co.uk> <8FAC1E47484E43469AA28DBF35C955E40FACBA0815@EXMBX.SHSU.EDU>
Message-ID: <496B9B28.5040900@coders.co.uk>

Laskie, Norman wrote:
> I'm running into an issue running the sa-update command against your channel. I'm willing to bet it's something stupid I'm doing / not doing.
>
No probs!

wget http://www.bastionmail.co.uk/spear.txt
sa-update --import spear.txt

just do the above commands and it will work.

matt

From NWL002 at shsu.edu Mon Jan 12 19:53:02 2009
From: NWL002 at shsu.edu (Laskie, Norman)
Date: Mon Jan 12 19:53:12 2009
Subject: Anti-spear-phishing sa-update channel
In-Reply-To: <496B9B28.5040900@coders.co.uk>
References: <496A6779.9040309@coders.co.uk> <8FAC1E47484E43469AA28DBF35C955E40FACBA0815@EXMBX.SHSU.EDU> <496B9B28.5040900@coders.co.uk>
Message-ID: <8FAC1E47484E43469AA28DBF35C955E40FACBA0816@EXMBX.SHSU.EDU>

Cool thanks!

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Matt
Sent: Monday, January 12, 2009 1:34 PM
To: MailScanner discussion
Subject: Re: Anti-spear-phishing sa-update channel

Laskie, Norman wrote:
> I'm running into an issue running the sa-update command against your channel. I'm willing to bet it's something stupid I'm doing / not doing.
>
No probs!

wget http://www.bastionmail.co.uk/spear.txt
sa-update --import spear.txt

just do the above commands and it will work.

matt

From submit at zuka.net Mon Jan 12 19:59:42 2009
From: submit at zuka.net (Dave Filchak)
Date: Mon Jan 12 19:59:56 2009
Subject: General Thankyou (still diagnosing fault)
In-Reply-To: <496B977E.5020607@ecs.soton.ac.uk>
References: <60382.204.184.75.172.1231471379.squirrel@webmail.elsberry.k12.mo.us> <49679B36.9010202@senecac.on.ca> <4967A01A.1020805@senecac.on.ca> <4967D6F2.8090907@senecac.on.ca> <496A4264.6080303@senecac.on.ca> <496A470A.7070507@ecs.soton.ac.uk> <496A538C.60903@senecac.on.ca> <496A5BC8.4000908@ecs.soton.ac.uk> <496A6204.9070105@senecac.on.ca> <496A85DC.3060404@ecs.soton.ac.uk> <496AB792.9090605@senecac.on.ca> <496AC43F.9030701@senecac.on.ca> <496AC6C4.10700@zuka.net> <496B1DCA.2050406@ecs.soton.ac.uk> <496B72A8.5070306@zuka.net> <496B977E.5020607@ecs.soton.ac.uk>
Message-ID: <496BA12E.8010404@zuka.net>

Julian Field wrote:
>
>
> On 12/1/09 16:41, Dave Filchak wrote:
>>
>>> The cron job will probably put it back. Okay, next let's find if it
>>> is the script run by cron that is causing the problem, or the
>>> environment in which it is run.
>>>
>>> /usr/sbin/update_virus_scanners
>>> ls -al /var/spool/MailScanner/incoming/Locks
>>>
>>> and show me the output of those two. I want to see if the
>>> update_virus_scanners script successfully finds the uid and gid or not.
>> /usr/sbin/update_virus_scanners
>> lduid = , ldgid =
>>
>> Does not appear to.
> Aha, we're getting somewhere.
> Now edit /usr/sbin/update_virus_scanners.
> At the very top there are 3 lines which set LOCKDIR, RUNASU and RUNASG.
> Immediately after them add these 3 lines
> echo LOCKDIR = \'$LOCKDIR\'
> echo RUNASU = \'$RUNASU\'
> echo RUNASG = \'$RUNASG\'
>
> Then run /usr/sbin/update_virus_scanners as root.
>
> I am hoping it will print something like this:
> LOCKDIR = '/var/spool/MailScanner/incoming/Locks'
> RUNASU = 'postfix'
> RUNASG = 'postfix'
> lduid = 89, ldgid = 89
> Let us see what your version prints.
>
> We should be able to sort this pretty soon, we're getting very close
> to the source of the problem.
>
> Jules
>
OK ... this is what I got from the first addition:

/usr/sbin/update_virus_scanners
LOCKDIR = '/var/spool/MailScanner/incoming/Locks'
RUNASU = 'postfix '
RUNASG = 'postfix '
lduid = , ldgid =

Then with the addition of the second part, I get:

/usr/sbin/update_virus_scanners
LOCKDIR = '/var/spool/MailScanner/incoming/Locks'
RUNASU = 'postfix'
RUNASG = 'postfix'
lduid = 80, ldgid = 80

which looks much better ... yes?

Dave

From psaweikis at techpro.com Mon Jan 12 20:14:12 2009
From: psaweikis at techpro.com (Patrick Saweikis)
Date: Mon Jan 12 20:14:23 2009
Subject: Content scanning / MCP?
References: <48BB86B1412E3D429DECB241A39A62E8014E3C2C@W2K3-EXCHANGE02.mmsasp.local>
Message-ID: <48BB86B1412E3D429DECB241A39A62E8071B46@W2K3-EXCHANGE02.mmsasp.local>

I apologize, I should have given more detail in my question...

I have about 10,000 users, covering around 1000 domains. We have written custom code to allow individual spam actions and individual spam scores per user, per domain. We pull this from a MySQL table. We now have a client who needs to have certain messages allowed through 100% of the time, we were assuming that setting a high value of 99 to the phrase would work, but we need to be able to limit this per user / per domain as we do spam scores and actions from the MySQL tables. We are only worried about detection after the MTA processes the message. We were thinking of implementing something similar to the blacklist/whitelist custom functions.

Any help would be appreciated.

Patrick.

________________________________

From: mailscanner-bounces@lists.mailscanner.info on behalf of Kai Schaetzl
Sent: Fri 1/9/2009 4:31 PM
To: mailscanner@lists.mailscanner.info
Subject: Re: Content scanning / MCP?

Patrick Saweikis wrote on Fri, 9 Jan 2009 14:20:51 -0600:

> We have a user on our mail system who wants to always ALLOW
> messages with specific content in the message subject and body through.
> Does anyone know if this is possible? If so, how would we accomplish it?
> I have been looking into using MCP, but from what I have read that is
> for denying specific message content only

MCP is basically a second spamassassin run. You can just do the same during the normal SA run. Stephen pointed at some caveats. There is an SA plugin for simple whitelisting by subject, it just needs to be enabled in the *.pre file in /etc/mail/spamassassin. But this will whitelist for all users. I think the better approach is to whitelist the assumed senders or give that user a special alias that doesn't get filtered and that he can hand out to those where he thinks there might be delivery problems.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From lists at sequestered.net Mon Jan 12 20:22:51 2009
From: lists at sequestered.net (Corey Chandler)
Date: Mon Jan 12 20:23:00 2009
Subject: Refresh FreeBSD Port?
In-Reply-To: <20090110081249.3e1fd5bc@scorpio>
References: <4967DB4E.8040003@sequestered.net> <20090110081249.3e1fd5bc@scorpio>
Message-ID: <496BA69B.4030207@sequestered.net>

Jerry wrote:
>
> In any event, have you offered your services to the port maintainer:
>
> j.koopmann@seceidos.de
>
> He might appreciate it.
>
>
Yeah, I did before posting to the list, and haven't heard back-- hence my post here. :-)

--
Corey Chandler / KB1JWQ
Living Legend / Systems Exorcist
Today's Excuse: The rubber band broke

From MailScanner at ecs.soton.ac.uk Mon Jan 12 20:32:46 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jan 12 20:33:07 2009 Subject: General Thankyou (still diagnosing fault) In-Reply-To: <496BA12E.8010404@zuka.net> References: <60382.204.184.75.172.1231471379.squirrel@webmail.elsberry.k12.mo.us> <49679B36.9010202@senecac.on.ca> <4967A01A.1020805@senecac.on.ca> <4967D6F2.8090907@senecac.on.ca> <496A4264.6080303@senecac.on.ca> <496A470A.7070507@ecs.soton.ac.uk> <496A538C.60903@senecac.on.ca> <496A5BC8.4000908@ecs.soton.ac.uk> <496A6204.9070105@senecac.on.ca> <496A85DC.3060404@ecs.soton.ac.uk> <496AB792.9090605@senecac.on.ca> <496AC43F.9030701@senecac.on.ca> <496AC6C4.10700@zuka.net> <496B1DCA.2050406@ecs.soton.ac.uk> <496B72A8.5070306@zuka.net> <496B977E.5020607@ecs.soton.ac.uk> <496BA12E.8010404@zuka.net> Message-ID: <496BA8EE.9030506@ecs.soton.ac.uk> On 12/1/09 19:59, Dave Filchak wrote: > Julian Field wrote: >> >> >> On 12/1/09 16:41, Dave Filchak wrote: >>> >>>> The cron job will probably put it back. Okay, next let's find if it >>>> is the script run by cron that is causing the problem, or the >>>> environment in which it is run. >>>> >>>> /usr/sbin/update_virus_scanners >>>> ls -al /var/spool/MailScanner/incoming/Locks >>>> >>>> and show me the output of those two. I want to see if the >>>> update_virus_scanners script successfully finds the uid and gid or >>>> not. >>> /usr/sbin/update_virus_scanners >>> lduid = , ldgid = >>> >>> Does not appear to. >> Aha, we're getting somewhere. >> Now edit /usr/sbin/update_virus_scanners. >> At the very top there are 3 lines which set LOCKDIR, RUNASU and RUNASG. >> Immediately after them add these 3 lines >> echo LOCKDIR = \'$LOCKDIR\' >> echo RUNASU = \'$RUNASU\' >> echo RUNASG = \'$RUNASG\' >> >> Then run /usr/sbin/update_virus_scanners as root. >> >> I am hoping it will print something like this: >> LOCKDIR = '/var/spool/MailScanner/incoming/Locks' >> RUNASU = 'postfix' >> RUNASG = 'postfix' >> lduid = 89, ldgid = 89 >> Let us see what your version prints. 
>> >> We should be able to sort this pretty soon, we're getting very close >> to the source of the problem. >> >> Jules >> > OK ... this is what I got from the first addition: > > /usr/sbin/update_virus_scanners > LOCKDIR = '/var/spool/MailScanner/incoming/Locks' > RUNASU = 'postfix ' > RUNASG = 'postfix ' > lduid = , ldgid = > > Then with the addition of the second part, I get: > > /usr/sbin/update_virus_scanners > LOCKDIR = '/var/spool/MailScanner/incoming/Locks' > RUNASU = 'postfix' > RUNASG = 'postfix' > lduid = 80, ldgid = 80 > > which looks much better ... yes? Perfect! At last :-) Attached are new versions of mailscanner_create_locks and update_virus_scanners for you, which are slight improvements on the versions you now have. Please let me know if these work okay for you and correctly set the ownership of the files in /var/spool/MailScanner/incoming/Locks. I have gzipped the files to (a) save bandwidth and more importantly (b) stop my email client from attempting to add any signature to them or otherwise play with them :-) You will need to gunzip them before installing them, but I expect that's obvious ;) Also, don't forget to ensure you have set them executable first. chmod +x /usr/sbin/{mailscanner_create_locks,update_virus_scanners} (Yes, that really is a valid shell command). Once you have tested them and confirmed they set the ownerships correctly, I'll re-release the latest stable MailScanner with this important fix in it. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: mailscanner_create_locks.gz Type: application/x-gzip Size: 979 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090112/f8058c5b/mailscanner_create_locks.gz -------------- next part -------------- A non-text attachment was scrubbed... Name: update_virus_scanners.gz Type: application/x-gzip Size: 983 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090112/f8058c5b/update_virus_scanners.gz From MailScanner at ecs.soton.ac.uk Mon Jan 12 20:35:50 2009 
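The failure in the output quoted above (RUNASU = 'postfix ' followed by an empty lduid/ldgid) is a trailing space reaching the account lookup. The sketch below is an added example, not the attached update_virus_scanners script or any other MailScanner code: it trims the configured value before resolving it and refuses to continue when the lookup comes back empty. The function names, the naive sed extraction and the sample config are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not MailScanner's own code): read "Run As User" and
# "Run As Group" from a MailScanner.conf-style file and resolve them to
# numeric ids, tolerating stray whitespace around the value.

# Hypothetical naive extraction: keeps everything after "= ", including a
# trailing space, so a name like 'postfix ' reaches the lookup unchanged.
naive_value() {    # $1 = config file, $2 = option name
    sed -n "s/^$2 *= *//p" "$1"
}

# Hardened extraction: skip comment lines, split on the first "=", trim
# blanks, tabs and CR from key and value; the last definition wins.
conf_value() {     # $1 = config file, $2 = option name
    awk -v want="$2" '
        /^[ \t]*#/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", key)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (key == want) found = val
        }
        END { if (found != "") print found }
    ' "$1"
}

# Group name -> gid, via getent where available, else /etc/group.
lookup_gid() {
    if command -v getent >/dev/null 2>&1; then
        getent group "$1" | cut -d: -f3
    else
        awk -F: -v g="$1" '$1 == g { print $3; exit }' /etc/group
    fi
}

# Print "uid:gid" for the configured account, or fail loudly instead of
# carrying on with empty ids (the "lduid = , ldgid = " symptom).
lock_owner() {     # $1 = config file
    user=$(conf_value "$1" "Run As User")
    group=$(conf_value "$1" "Run As Group")
    uid=$(id -u "$user" 2>/dev/null) || uid=
    gid=$(lookup_gid "$group")
    if [ -z "$uid" ] || [ -z "$gid" ]; then
        echo "cannot resolve user '$user' / group '$group' from $1" >&2
        return 1
    fi
    echo "$uid:$gid"
}

# Constructed sample config: a trailing space after the user value and a
# trailing tab after the group value.
write_sample_conf() {   # $1 = path, $2 = user, $3 = group
    printf '# constructed sample\nRun As User = %s \nRun As Group = %s\t\n' \
        "$2" "$3" > "$1"
}

demo() {
    conf=$(mktemp) || return 1
    write_sample_conf "$conf" postfix postfix
    echo "naive:   RUNASU = '$(naive_value "$conf" "Run As User")'"
    echo "trimmed: RUNASU = '$(conf_value "$conf" "Run As User")'"
    lock_owner "$conf" || echo "account not present on this host; nothing to chown"
    rm -f "$conf"
}
demo
```
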
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jan 12 20:36:10 2009 Subject: General Thankyou (still diagnosing fault) In-Reply-To: References: <60382.204.184.75.172.1231471379.squirrel@webmail.elsberry.k12.mo.us> <49679B36.9010202@senecac.on.ca> <4967A01A.1020805@senecac.on.ca> <4967D6F2.8090907@senecac.on.ca> <496A4264.6080303@senecac.on.ca> <496A470A.7070507@ecs.soton.ac.uk> <496A538C.60903@senecac.on.ca> <496A5BC8.4000908@ecs.soton.ac.uk> <496A6204.9070105@senecac.on.ca> <496A85DC.3060404@ecs.soton.ac.uk> <496AC6C4.10700 <496B7236.3060604@zuka.net> Message-ID: <496BA9A6.8080108@ecs.soton.ac.uk> On 12/1/09 19:31, Kai Schaetzl wrote: > Dave Filchak wrote on Mon, 12 Jan 2009 11:39:18 -0500: > > >> I am most happy to snip out old parts as necessary. >> > > This would be most appreciated. Quote just what is needed to understand > the next lines (which should be your reply). It doesn't matter too much > with a few mails, but with a long thread it's a horror to search up and > down for your reply. I stopped reading the thread three or four messages > ago because it became unbearable and just "flew" over them. > Hint: use Thunderbird and the "QuoteCollapse" add-on extension. Totally solves this problem for you. Using "Quote Colors" is a good idea too, unless you're using Shredder as it's built into Shredder (the pre-release versions of the next version of Thunderbird). So the usual answer: use a better email client :-) > Anyway, it looks like your quest is nearing an end ;-) > I'm not sure but I think you didn't ever mention your OS and version (and > nobody asked). Maybe that could explain the problem why it doesn't pick up > the correct owner etc. > No, nothing to do with the OS or version, it's a bug of my creation. He happened to have a space after the "Run As User = postfix" and/or the "Run As Group = postfix" lines. That's all it was. 
Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From ugob at lubik.ca Mon Jan 12 20:41:17 2009
From: ugob at lubik.ca (Ugo Bellavance)
Date: Mon Jan 12 20:41:37 2009
Subject: Stops after RCVD_IN_BL_SPAMCOP_NET
In-Reply-To:
References:
Message-ID:

Joe Garvey wrote:
> I have been using MailScanner for about 4 years now but recently I have
> been having some major problems with MailScanner/SA detecting spam.
>
> It almost seems as though it stops checking after the system does a
> lookup on bl.spamcop.net. If there is a positive score for
> RCVD_IN_BL_SPAMCOP_NET then it seems as though the system stops any
> other checks. The score is usually 2.188 as defined in
> /usr/share/spamassassin/50_scores.cf.
>
> I have also tried to increase this score by placing the following rule
> in /etc/mail/spamassassin/custom.cf but it does not increase the value
> score RCVD_IN_BL_SPAMCOP_NET 5.5
>
> I upgraded to MailScanner 4.74.13 and SA 3.2.5 and it did not make a
> difference.
>
> My gut feeling is that I am missing something somewhere and have been
> staring at it too long.
>
> Any suggestions as to where to look next?

Shortcircuit feature of SpamAssassin?

From MailScanner at ecs.soton.ac.uk Mon Jan 12 20:46:17 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jan 12 20:46:41 2009 Subject: MAilScanner 4.75 In-Reply-To: <20090112192340.GA26213@doctor.nl2k.ab.ca> References: <20090112192340.GA26213@doctor.nl2k.ab.ca> Message-ID: <496BAC19.6080004@ecs.soton.ac.uk> On 12/1/09 19:23, Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem wrote: > Jules, > > when will MS 4.75 be released? > > When there's something to put in it. I aim to do another tiny bug-fix re-release of 4.74 first, with the Dave Filchak thread fixed in it. I haven't got any other major things outstanding at the moment, apart from the crash-protection database code, which I haven't even started seriously thinking about yet. I've got a big mail server move to do at the start of Feb and I don't want to be deep into anything else when that happens, I would rather spend my time testing the server move to death before starting on anything else. Day-job getting in the way again :-) Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From steve.swaney at fsl.com Mon Jan 12 20:46:45 2009 
From: steve.swaney at fsl.com (Stephen Swaney) Date: Mon Jan 12 20:47:00 2009 Subject: OT: smtpf / BarricadeMX 2.2 Message-ID: <007c01c974f6$e1cb3e60$a561bb20$@swaney@fsl.com>

We are very happy to announce the release of smtpf version 2.2.0 / BarricadeMX 2.2.0.

Version 2.2 further improves the speed and accuracy of BarricadeMX and adds these major features to an already impressive range of capabilities:

- New anti-phishing features prevent your users from receiving or responding to mail that contains references to known phishing mailboxes.
- Improved outbound message "water-marking" reduces the threat of Denial of Service due to "bounce message" floods.
- New options to block attachments by file extension or MIME types including on-the-fly parsing of ZIP and RAR file contents to block file extensions contained within archives.
- Valid senders whose mail has been blocked can white list themselves. No support staff intervention required.
- Easily generate safe and disposable time limited email addresses
- Sophos AV has been added to the already supported AV engines: Avast, ClamAV, F-Prot.
- New message digest DNS blacklist support - this allows for the blacklisting of identical message bodies, attachments or viruses based on their MD5 signature.
- SpamAssassin, when called from BarricadeMX, may now be configured to use individual or by domain SpamAssassin preferences

A full list of the 2.2.0 new features and changes may be found at

The new BarricadeMX 2.2 user manual may be found at

Please visit the FSL web site (www.fsl.com) or contact me off-list for more information or to arrange a free, no-hassle demonstration of how BarricadeMX can improve your customers' e-mail experience while reducing your e-mail costs.

Steve

Steve Swaney
President
Fort Systems Ltd.
Office Phone: 202 595-7760 ext. 601
Cell: 202 352-3262
Steve@fsl.com
www.fsl.com

Jules

Julian Field MEng CITP CEng
CTO
Fort Systems Ltd.
Julian Field Julian.Field@fsl.com www.MailScanner.info From submit at zuka.net Mon Jan 12 21:15:22 2009 
From: submit at zuka.net (Dave Filchak) Date: Mon Jan 12 21:15:36 2009 Subject: General Thankyou (still diagnosing fault) In-Reply-To: <496BA8EE.9030506@ecs.soton.ac.uk> References: <60382.204.184.75.172.1231471379.squirrel@webmail.elsberry.k12.mo.us> <49679B36.9010202@senecac.on.ca> <4967A01A.1020805@senecac.on.ca> <4967D6F2.8090907@senecac.on.ca> <496A4264.6080303@senecac.on.ca> <496A470A.7070507@ecs.soton.ac.uk> <496A538C.60903@senecac.on.ca> <496A5BC8.4000908@ecs.soton.ac.uk> <496A6204.9070105@senecac.on.ca> <496A85DC.3060404@ecs.soton.ac.uk> <496AB792.9090605@senecac.on.ca> <496AC43F.9030701@senecac.on.ca> <496AC6C4.10700@zuka.net> <496B1DCA.2050406@ecs.soton.ac.uk> <496B72A8.5070306@zuka.net> <496B977E.5020607@ecs.soton.ac.uk> <496BA12E.8010404@zuka.net> <496BA8EE.9030506@ecs.soton.ac.uk> Message-ID: <496BB2EA.1000501@zuka.net> Julian Field wrote: > > > On 12/1/09 19:59, Dave Filchak wrote: >> Julian Field wrote: >>> >>> >>> On 12/1/09 16:41, Dave Filchak wrote: >>>> >>>>> The cron job will probably put it back. Okay, next let's find if >>>>> it is the script run by cron that is causing the problem, or the >>>>> environment in which it is run. >>>>> >>>>> /usr/sbin/update_virus_scanners >>>>> ls -al /var/spool/MailScanner/incoming/Locks >>>>> >>>>> and show me the output of those two. I want to see if the >>>>> update_virus_scanners script successfully finds the uid and gid or >>>>> not. >>>> /usr/sbin/update_virus_scanners >>>> lduid = , ldgid = >>>> >>>> Does not appear to. >>> Aha, we're getting somewhere. >>> Now edit /usr/sbin/update_virus_scanners. >>> At the very top there are 3 lines which set LOCKDIR, RUNASU and RUNASG. >>> Immediately after them add these 3 lines >>> echo LOCKDIR = \'$LOCKDIR\' >>> echo RUNASU = \'$RUNASU\' >>> echo RUNASG = \'$RUNASG\' >>> >>> Then run /usr/sbin/update_virus_scanners as root. 
>>> >>> I am hoping it will print something like this: >>> LOCKDIR = '/var/spool/MailScanner/incoming/Locks' >>> RUNASU = 'postfix' >>> RUNASG = 'postfix' >>> lduid = 89, ldgid = 89 >>> Let us see what your version prints. >>> >>> We should be able to sort this pretty soon, we're getting very close >>> to the source of the problem. >>> >>> Jules >>> >> OK ... this is what I got from the first addition: >> >> /usr/sbin/update_virus_scanners >> LOCKDIR = '/var/spool/MailScanner/incoming/Locks' >> RUNASU = 'postfix ' >> RUNASG = 'postfix ' >> lduid = , ldgid = >> >> Then with the addition of the second part, I get: >> >> /usr/sbin/update_virus_scanners >> LOCKDIR = '/var/spool/MailScanner/incoming/Locks' >> RUNASU = 'postfix' >> RUNASG = 'postfix' >> lduid = 80, ldgid = 80 >> >> which looks much better ... yes? > Perfect! At last :-) > > Attached are new versions of mailscanner_create_locks and > update_virus_scanners for you, which are slight improvements on the > versions you now have. Please let me know if these work okay for you > and correctly set the ownership of the files in > /var/spool/MailScanner/incoming/Locks. > > I have gzipped the files to (a) save bandwidth and more importantly > (b) stop my email client from attempting to add any signature to them > or otherwise play with them :-) You will need to gunzip them before > installing them, but I expect that's obvious ;) > Also, don't forget to ensure you have set them executable first. > chmod +x /usr/sbin/{mailscanner_create_locks,update_virus_scanners} > (Yes, that really is a valid shell command). > > Once you have tested them and confirmed they set the ownerships > correctly, I'll re-release the latest stable MailScanner with this > important fix in it. > > Jules > Hummm ... when I run the following ... you see what I get? 
/usr/sbin/update_virus_scanners
LOCKDIR = '/var/spool/MailScanner/incoming/Locks'
RUNASU = 'postfix'
RUNASG = 'postfix'
/usr/sbin/update_virus_scanners: line 38: /tmp/tmp/usr/sbin/mailscanner_create_locks: No such file or directory

???

From MailScanner at ecs.soton.ac.uk Mon Jan 12 21:23:09 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jan 12 21:23:31 2009 Subject: General Thankyou (still diagnosing fault) In-Reply-To: <496BB2EA.1000501@zuka.net> References: <60382.204.184.75.172.1231471379.squirrel@webmail.elsberry.k12.mo.us> <49679B36.9010202@senecac.on.ca> <4967A01A.1020805@senecac.on.ca> <4967D6F2.8090907@senecac.on.ca> <496A4264.6080303@senecac.on.ca> <496A470A.7070507@ecs.soton.ac.uk> <496A538C.60903@senecac.on.ca> <496A5BC8.4000908@ecs.soton.ac.uk> <496A6204.9070105@senecac.on.ca> <496A85DC.3060404@ecs.soton.ac.uk> <496AB792.9090605@senecac.on.ca> <496AC43F.9030701@senecac.on.ca> <496AC6C4.10700@zuka.net> <496B1DCA.2050406@ecs.soton.ac.uk> <496B72A8.5070306@zuka.net> <496B977E.5020607@ecs.soton.ac.uk> <496BA12E.8010404@zuka.net> <496BA8EE.9030506@ecs.soton.ac.uk> <496BB2EA.1000501@zuka.net> Message-ID: <496BB4BD.7050308@ecs.soton.ac.uk> On 12/1/09 21:15, Dave Filchak wrote: > Julian Field wrote: >> >> >> On 12/1/09 19:59, Dave Filchak wrote: >>> Julian Field wrote: >>>> >>>> >>>> On 12/1/09 16:41, Dave Filchak wrote: >>>>> >>>>>> The cron job will probably put it back. Okay, next let's find if >>>>>> it is the script run by cron that is causing the problem, or the >>>>>> environment in which it is run. >>>>>> >>>>>> /usr/sbin/update_virus_scanners >>>>>> ls -al /var/spool/MailScanner/incoming/Locks >>>>>> >>>>>> and show me the output of those two. I want to see if the >>>>>> update_virus_scanners script successfully finds the uid and gid >>>>>> or not. >>>>> /usr/sbin/update_virus_scanners >>>>> lduid = , ldgid = >>>>> >>>>> Does not appear to. >>>> Aha, we're getting somewhere. >>>> Now edit /usr/sbin/update_virus_scanners. >>>> At the very top there are 3 lines which set LOCKDIR, RUNASU and >>>> RUNASG. >>>> Immediately after them add these 3 lines >>>> echo LOCKDIR = \'$LOCKDIR\' >>>> echo RUNASU = \'$RUNASU\' >>>> echo RUNASG = \'$RUNASG\' >>>> >>>> Then run /usr/sbin/update_virus_scanners as root. 
>>>> >>>> I am hoping it will print something like this: >>>> LOCKDIR = '/var/spool/MailScanner/incoming/Locks' >>>> RUNASU = 'postfix' >>>> RUNASG = 'postfix' >>>> lduid = 89, ldgid = 89 >>>> Let us see what your version prints. >>>> >>>> We should be able to sort this pretty soon, we're getting very >>>> close to the source of the problem. >>>> >>>> Jules >>>> >>> OK ... this is what I got from the first addition: >>> >>> /usr/sbin/update_virus_scanners >>> LOCKDIR = '/var/spool/MailScanner/incoming/Locks' >>> RUNASU = 'postfix ' >>> RUNASG = 'postfix ' >>> lduid = , ldgid = >>> >>> Then with the addition of the second part, I get: >>> >>> /usr/sbin/update_virus_scanners >>> LOCKDIR = '/var/spool/MailScanner/incoming/Locks' >>> RUNASU = 'postfix' >>> RUNASG = 'postfix' >>> lduid = 80, ldgid = 80 >>> >>> which looks much better ... yes? >> Perfect! At last :-) >> >> Attached are new versions of mailscanner_create_locks and >> update_virus_scanners for you, which are slight improvements on the >> versions you now have. Please let me know if these work okay for you >> and correctly set the ownership of the files in >> /var/spool/MailScanner/incoming/Locks. >> >> I have gzipped the files to (a) save bandwidth and more importantly >> (b) stop my email client from attempting to add any signature to them >> or otherwise play with them :-) You will need to gunzip them before >> installing them, but I expect that's obvious ;) >> Also, don't forget to ensure you have set them executable first. >> chmod +x /usr/sbin/{mailscanner_create_locks,update_virus_scanners} >> (Yes, that really is a valid shell command). >> >> Once you have tested them and confirmed they set the ownerships >> correctly, I'll re-release the latest stable MailScanner with this >> important fix in it. >> >> Jules >> > Hummm ... when I run the following ... you see what I get? 
> > /usr/sbin/update_virus_scanners LOCKDIR = > '/var/spool/MailScanner/incoming/Locks' > RUNASU = 'postfix' > RUNASG = 'postfix' > /usr/sbin/update_virus_scanners: line 38: > /tmp/tmp/usr/sbin/mailscanner_create_locks: No such file or directory Damn, sorry, knew I would screw up somewhere. Look for the string "/tmp/tmp" in /usr/sbin/update_virus_scanners and remove it. Once you can confirm that fixes it, I'll release a new version properly. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From spamlists at coders.co.uk Mon Jan 12 21:38:34 2009 From: spamlists at coders.co.uk (Matt) Date: Mon Jan 12 21:39:09 2009 Subject: Anti-spear-phishing sa-update channel In-Reply-To: References: <496A6779.9040309@coders.co.uk> <496B4E56.9000508@coders.co.uk> Message-ID: <496BB85A.8070506@coders.co.uk> Kai Schaetzl wrote: > d01:~ host spear.bastionmail.com Ah - no it won't - I haven't configured it - as it isn't needed for sa-update. cheers matt From steve.swaney at fsl.com Mon Jan 12 21:53:31 2009 
From: steve.swaney at fsl.com (Stephen Swaney)
Date: Mon Jan 12 21:53:41 2009
Subject: smtpf / BarricadeMX 2.2
In-Reply-To: <007e01c974f6$e23daf40$a6b90dc0$@swaney@fsl.com>
References: <007e01c974f6$e23daf40$a6b90dc0$@swaney@fsl.com>
Message-ID: <00f101c97500$3568a4f0$a039eed0$@swaney@fsl.com>

Oops. From my very recent post

> A full list of the 2.2.0 new features and changes may be found at

Might better be expressed:

Release Notes - http://www.fsl.com/images/docs/bmx22releasenotes.pdf

and

> The new BarricadeMX 2.2 user manual may be found at

can be found at:

User Guide - http://www.fsl.com/images/docs/bmx22usermanual.pdf

Sorry for the goof but it's been a very busy day here.

Steve

Steve Swaney
President
Fort Systems Ltd.
Steve@fsl.com
www.fsl.com

From ssilva at sgvwater.com Mon Jan 12 21:56:41 2009
From: ssilva at sgvwater.com (Scott Silva) Date: Mon Jan 12 21:57:06 2009 Subject: MAilScanner 4.75 In-Reply-To: <496BAC19.6080004@ecs.soton.ac.uk> References: <20090112192340.GA26213@doctor.nl2k.ab.ca> <496BAC19.6080004@ecs.soton.ac.uk> Message-ID: on 1-12-2009 12:46 PM Julian Field spake the following: > > > On 12/1/09 19:23, Dave Shariff Yadallee - System Administrator a.k.a. > The Root of the Problem wrote: >> Jules, >> >> when will MS 4.75 be released? >> >> > When there's something to put in it. I aim to do another tiny bug-fix > re-release of 4.74 first, with the Dave Filchak thread fixed in it. > > I haven't got any other major things outstanding at the moment, apart > from the crash-protection database code, which I haven't even started > seriously thinking about yet. I've got a big mail server move to do at > the start of Feb and I don't want to be deep into anything else when > that happens, I would rather spend my time testing the server move to > death before starting on anything else. Day-job getting in the way again > :-) > > Jules > The job that pays the bills always has to come first! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From submit at zuka.net Mon Jan 12 22:07:30 2009
From: submit at zuka.net (Dave Filchak) Date: Mon Jan 12 22:07:44 2009 Subject: General Thankyou (still diagnosing fault) In-Reply-To: <496BB4BD.7050308@ecs.soton.ac.uk> References: <60382.204.184.75.172.1231471379.squirrel@webmail.elsberry.k12.mo.us> <49679B36.9010202@senecac.on.ca> <4967A01A.1020805@senecac.on.ca> <4967D6F2.8090907@senecac.on.ca> <496A4264.6080303@senecac.on.ca> <496A470A.7070507@ecs.soton.ac.uk> <496A538C.60903@senecac.on.ca> <496A5BC8.4000908@ecs.soton.ac.uk> <496A6204.9070105@senecac.on.ca> <496A85DC.3060404@ecs.soton.ac.uk> <496AB792.9090605@senecac.on.ca> <496AC43F.9030701@senecac.on.ca> <496AC6C4.10700@zuka.net> <496B1DCA.2050406@ecs.soton.ac.uk> <496B72A8.5070306@zuka.net> <496B977E.5020607@ecs.soton.ac.uk> <496BA12E.8010404@zuka.net> <496BA8EE.9030506@ecs.soton.ac.uk> <496BB2EA.1000501@zuka.net> <496BB4BD.7050308@ecs.soton.ac.uk> Message-ID: <496BBF22.6080604@zuka.net> Julian Field wrote: > > > >>>>> >>>> OK ... this is what I got from the first addition: >>>> >>>> /usr/sbin/update_virus_scanners >>>> LOCKDIR = '/var/spool/MailScanner/incoming/Locks' >>>> RUNASU = 'postfix ' >>>> RUNASG = 'postfix ' >>>> lduid = , ldgid = >>>> >>>> Then with the addition of the second part, I get: >>>> >>>> /usr/sbin/update_virus_scanners >>>> LOCKDIR = '/var/spool/MailScanner/incoming/Locks' >>>> RUNASU = 'postfix' >>>> RUNASG = 'postfix' >>>> lduid = 80, ldgid = 80 >>>> >>>> which looks much better ... yes? >>> Perfect! At last :-) >>> >>> Attached are new versions of mailscanner_create_locks and >>> update_virus_scanners for you, which are slight improvements on the >>> versions you now have. Please let me know if these work okay for you >>> and correctly set the ownership of the files in >>> /var/spool/MailScanner/incoming/Locks. 
>>> >>> I have gzipped the files to (a) save bandwidth and more importantly >>> (b) stop my email client from attempting to add any signature to >>> them or otherwise play with them :-) You will need to gunzip them >>> before installing them, but I expect that's obvious ;) >>> Also, don't forget to ensure you have set them executable first. >>> chmod +x /usr/sbin/{mailscanner_create_locks,update_virus_scanners} >>> (Yes, that really is a valid shell command). >>> >>> Once you have tested them and confirmed they set the ownerships >>> correctly, I'll re-release the latest stable MailScanner with this >>> important fix in it. >>> >>> Jules >>> >> Hummm ... when I run the following ... you see what I get? >> >> /usr/sbin/update_virus_scanners LOCKDIR = >> '/var/spool/MailScanner/incoming/Locks' >> RUNASU = 'postfix' >> RUNASG = 'postfix' >> /usr/sbin/update_virus_scanners: line 38: >> /tmp/tmp/usr/sbin/mailscanner_create_locks: No such file or directory > Damn, sorry, knew I would screw up somewhere. Look for the string > "/tmp/tmp" in /usr/sbin/update_virus_scanners and remove it. > > Once you can confirm that fixes it, I'll release a new version properly. > > OK, I run /usr/sbin/update_virus_scanners LOCKDIR = '/var/spool/MailScanner/incoming/Locks' RUNASU = 'postfix' RUNASG = 'postfix' Doesn't output the uid and gid but the Locks directory permissions seem good. Can you verify that the following is correct? drwxr-x--- 2 root postfix 4096 Jan 11 16:13 Locks Dave From mrm at quantumcc.com Mon Jan 12 23:16:49 2009 
From: mrm at quantumcc.com (Mike Masse) Date: Mon Jan 12 23:17:10 2009 Subject: Problem using mailfromd Message-ID: I'm using the latest version of Mailscanner w/ sendmail and I'm trying to run the mailfromd milter. When MailScanner is running, the milter does not appear to be called by the sendmail process. If I stop MailScanner and run sendmail by itself without making any other config changes then it calls the milter just fine. Reading some of the earlier messages on this list concerning milters, it sounds like MailScanner isn't supposed to have an effect on sendmail milters, but it certainly is in my case. Can anyone suggest anything I should look for? -Mike From mrm at quantumcc.com Mon Jan 12 23:40:00 2009 From: mrm at quantumcc.com (Mike Masse) Date: Mon Jan 12 23:40:21 2009 Subject: Problem using mailfromd In-Reply-To: References: Message-ID: Never mind. I found the problem. I was changing the sendmail.cf file to utilize the milter and mailscanner now uses sendmail-in.cf for the incoming sendmail queue, so by making the appropriate changes to sendmail.cf it now works. Mike Masse wrote: > I'm using the latest version of Mailscanner w/ sendmail and I'm trying > to run the mailfromd milter. When MailScanner is running, the milter > does not appear to be called by the sendmail process. If I stop > MailScanner and run sendmail by itself without making any other config > changes then it calls the milter just fine. Reading some of the > earlier messages on this list concerning milters, it sounds like > MailScanner isn't supposed to have an effect on sendmail milters, but it > certainly is in my case. Can anyone suggest anything I should look for? > > -Mike > From root at doctor.nl2k.ab.ca Tue Jan 13 02:23:21 2009 
From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem) Date: Tue Jan 13 02:24:58 2009 Subject: MAilScanner 4.75 In-Reply-To: <496BAC19.6080004@ecs.soton.ac.uk> References: <20090112192340.GA26213@doctor.nl2k.ab.ca> <496BAC19.6080004@ecs.soton.ac.uk> Message-ID: <20090113022321.GA6982@doctor.nl2k.ab.ca> On Mon, Jan 12, 2009 at 08:46:17PM +0000, Julian Field wrote: > > > On 12/1/09 19:23, Dave Shariff Yadallee - System Administrator a.k.a. The > Root of the Problem wrote: >> Jules, >> >> when will MS 4.75 be released? >> >> > When there's something to put in it. I aim to do another tiny bug-fix > re-release of 4.74 first, with the Dave Filchak thread fixed in it. > > I haven't got any other major things outstanding at the moment, apart from > the crash-protection database code, which I haven't even started seriously > thinking about yet. I've got a big mail server move to do at the start of > Feb and I don't want to be deep into anything else when that happens, I > would rather spend my time testing the server move to death before starting > on anything else. Day-job getting in the way again :-) > > Jules > Hopefully MailScanner maintenance is part of the work :-) -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mark at msapiro.net Tue Jan 13 04:18:25 2009 
From: mark at msapiro.net (Mark Sapiro) Date: Tue Jan 13 04:18:35 2009 Subject: Anti-spear-phishing, round 2 In-Reply-To: <5FC3E08C-6D5F-4AF5-AACE-17623586AD6B@technologytiger.net> References: <4963D91A.9060304@ecs.soton.ac.uk> <5FC3E08C-6D5F-4AF5-AACE-17623586AD6B@technologytiger.net> Message-ID: <20090113041825.GA4420@msapiro> On Mon, Jan 12, 2009 at 12:14:14PM +0000, Drew Marshall wrote: > > I have now got as far as implementing this excellent feature but I > have bumped in to an interesting error. > > Jan 12 10:58:25 in1-b MailScanner[78431]: SpamAssassin Rule Actions: > rule anti_phish caused action not-deliver in message 7FAB84BE3B4.94CF3 > Jan 12 10:58:25 in1-b MailScanner[78431]: SpamAssassin Rule Actions: > rule anti_phish caused action store in message 7FAB84BE3B4.94CF3 > Jan 12 10:58:25 in1-b MailScanner[78431]: SpamAssassin Rule Actions: > rule anti_phish caused action header in message 7FAB84BE3B4.94CF3 > Jan 12 10:58:25 in1-b MailScanner[78431]: SpamAssassin Rule Actions: > rule anti_phish caused action "X-Anti-Phish: in message > 7FAB84BE3B4.94CF3 > Jan 12 10:58:25 in1-b MailScanner[78431]: SpamAssassin Rule Actions: > rule anti_phish caused action Yes" in message 7FAB84BE3B4.94CF3 > Jan 12 10:58:25 in1-b MailScanner[78431]: Message 7FAB84BE3B4.94CF3 > produced illegal Non-Spam Actions " Yes" "X-Anti-Phish:", so message > is being delivered > > The SpamAssassin Rule Action that generated this log > is ...ANTI_PHISH=>not-deliver,store,header "X-Anti-Phish: Yes" (I > slightly changed the header in case there was a problem with the _TO_ > special command, which has made no difference). > > So what have I done wrong (The actual creation of the SA rule etc is > fine as MailScanner is seeing the rule hit as can be seen in the log)? Jules has indicated that the parsing of these is 'delicate'. 
It looks like the quotes are confusing it into thinking that there are two rules/actions:

ANTI_PHISH=>not-deliver,store,header

and

X-Anti-Phish: Yes

Remove the quotes. I think that will fix it.

--
Mark Sapiro mark at msapiro net       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From mark at msapiro.net Tue Jan 13 04:33:40 2009
From: mark at msapiro.net (Mark Sapiro)
Date: Tue Jan 13 04:33:47 2009
Subject: Anti-spear-phishing, round 2
In-Reply-To: <496B4FC7.2060701@USherbrooke.ca>
References: <4963D91A.9060304@ecs.soton.ac.uk> <496B4FC7.2060701@USherbrooke.ca>
Message-ID: <20090113043340.GB4420@msapiro>

On Mon, Jan 12, 2009 at 09:12:23AM -0500, Denis Beauchemin wrote:
>
> I got what really looks like a FP with one of the email addresses from
> your script... what would be the best way to correct this ? Write an SA
> rule with a negative score for that address ? Or is there some
> whitelisting mechanism built in ?
>
> Thanks!
>
> Denis
> PS: the address is jmcelhaney @ uchc . edu (without the spaces).

That address is in the list at

If it really is a FP, you could try to contact the project via and see if it can be removed.

Alternatively, you could add a line

    next if /^jmcelhaney\@uchc\.edu$/;

in between the lines:

    next unless /^.+\@.+\..+$/; # Only interested in email addresses.
    push @addresses, $_; # This is for the report

in the script to skip that address. That's the "whitelisting" mechanism :)

--
Mark Sapiro mark at msapiro net       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From mark at msapiro.net Tue Jan 13 04:54:25 2009
From: mark at msapiro.net (Mark Sapiro) Date: Tue Jan 13 04:54:37 2009 Subject: Anti-spear-phishing, round 2 In-Reply-To: <20090113041825.GA4420@msapiro> Message-ID: Mark Sapiro wrote: >On Mon, Jan 12, 2009 at 12:14:14PM +0000, Drew Marshall wrote: >> >> I have now got as far as implementing this excellent feature but I >> have bumped in to an interesting error. >> >> Jan 12 10:58:25 in1-b MailScanner[78431]: SpamAssassin Rule Actions: >> rule anti_phish caused action not-deliver in message 7FAB84BE3B4.94CF3 >> Jan 12 10:58:25 in1-b MailScanner[78431]: SpamAssassin Rule Actions: >> rule anti_phish caused action store in message 7FAB84BE3B4.94CF3 >> Jan 12 10:58:25 in1-b MailScanner[78431]: SpamAssassin Rule Actions: >> rule anti_phish caused action header in message 7FAB84BE3B4.94CF3 >> Jan 12 10:58:25 in1-b MailScanner[78431]: SpamAssassin Rule Actions: >> rule anti_phish caused action "X-Anti-Phish: in message >> 7FAB84BE3B4.94CF3 >> Jan 12 10:58:25 in1-b MailScanner[78431]: SpamAssassin Rule Actions: >> rule anti_phish caused action Yes" in message 7FAB84BE3B4.94CF3 >> Jan 12 10:58:25 in1-b MailScanner[78431]: Message 7FAB84BE3B4.94CF3 >> produced illegal Non-Spam Actions " Yes" "X-Anti-Phish:", so message >> is being delivered >> >> The SpamAssassin Rule Action that generated this log >> is ...ANTI_PHISH=>not-deliver,store,header "X-Anti-Phish: Yes" (I >> slightly changed the header in case there was a problem with the _TO_ >> special command, which has made no difference). >> >> So what have I done wrong (The actual creation of the SA rule etc is >> fine as MailScanner is seeing the rule hit as can be seen in the log)? > > > >Jules has indicated that the parsing of these is 'delicate'. It looks >like the quotes are confusing it into thinking that there are two rules/ >actions: > >ANTI_PHISH=>not-deliver,store,header > >and > >X-Anti-Phish: Yes > >Remove the quotes. I think that will fix it. Sorry! Brain cramp... 
It's not the quotes since I have a similar rule with quotes that works: >.. X_GPC_PHISHING_ADDRESS=>store,not-deliver,forward msapiro+phish@sbh16.songbird.com,header "X-GPC-MailScanner-Originally-To: _TO_" Your rule looks good to me, but clearly MailScanner is parsing " Yes" and "X-Anti-Phish:" as actions for the ANTI_PHISH rule rather than as the header string. Maybe someone else has an idea. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From MailScanner at ecs.soton.ac.uk Tue Jan 13 08:17:04 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Jan 13 08:17:26 2009 Subject: General Thankyou (still diagnosing fault) In-Reply-To: <496BBF22.6080604@zuka.net> References: <60382.204.184.75.172.1231471379.squirrel@webmail.elsberry.k12.mo.us> <49679B36.9010202@senecac.on.ca> <4967A01A.1020805@senecac.on.ca> <4967D6F2.8090907@senecac.on.ca> <496A4264.6080303@senecac.on.ca> <496A470A.7070507@ecs.soton.ac.uk> <496A538C.60903@senecac.on.ca> <496A5BC8.4000908@ecs.soton.ac.uk> <496A6204.9070105@senecac.on.ca> <496A85DC.3060404@ecs.soton.ac.uk> <496AB792.9090605@senecac.on.ca> <496AC43F.9030701@senecac.on.ca> <496AC6C4.10700@zuka.net> <496B1DCA.2050406@ecs.soton.ac.uk> <496B72A8.5070306@zuka.net> <496B977E.5020607@ecs.soton.ac.uk> <496BA12E.8010404@zuka.net> <496BA8EE.9030506@ecs.soton.ac.uk> <496BB2EA.1000501@zuka.net> <496BB4BD.7050308@ecs.soton.ac.uk> <496BBF22.6080604@zuka.net> Message-ID: <496C4E00.90200@ecs.soton.ac.uk> On 12/1/09 22:07, Dave Filchak wrote: > Julian Field wrote: >> >> >> >>>>>> >>>>> OK ... this is what I got from the first addition: >>>>> >>>>> /usr/sbin/update_virus_scanners >>>>> LOCKDIR = '/var/spool/MailScanner/incoming/Locks' >>>>> RUNASU = 'postfix ' >>>>> RUNASG = 'postfix ' >>>>> lduid = , ldgid = >>>>> >>>>> Then with the addition of the second part, I get: >>>>> >>>>> /usr/sbin/update_virus_scanners >>>>> LOCKDIR = '/var/spool/MailScanner/incoming/Locks' >>>>> RUNASU = 'postfix' >>>>> RUNASG = 'postfix' >>>>> lduid = 80, ldgid = 80 >>>>> >>>>> which looks much better ... yes? >>>> Perfect! At last :-) >>>> >>>> Attached are new versions of mailscanner_create_locks and >>>> update_virus_scanners for you, which are slight improvements on the >>>> versions you now have. Please let me know if these work okay for >>>> you and correctly set the ownership of the files in >>>> /var/spool/MailScanner/incoming/Locks. 
>>>> >>>> I have gzipped the files to (a) save bandwidth and more importantly >>>> (b) stop my email client from attempting to add any signature to >>>> them or otherwise play with them :-) You will need to gunzip them >>>> before installing them, but I expect that's obvious ;) >>>> Also, don't forget to ensure you have set them executable first. >>>> chmod +x /usr/sbin/{mailscanner_create_locks,update_virus_scanners} >>>> (Yes, that really is a valid shell command). >>>> >>>> Once you have tested them and confirmed they set the ownerships >>>> correctly, I'll re-release the latest stable MailScanner with this >>>> important fix in it. >>>> >>>> Jules >>>> >>> Hummm ... when I run the following ... you see what I get? >>> >>> /usr/sbin/update_virus_scanners LOCKDIR = >>> '/var/spool/MailScanner/incoming/Locks' >>> RUNASU = 'postfix' >>> RUNASG = 'postfix' >>> /usr/sbin/update_virus_scanners: line 38: >>> /tmp/tmp/usr/sbin/mailscanner_create_locks: No such file or directory >> Damn, sorry, knew I would screw up somewhere. Look for the string >> "/tmp/tmp" in /usr/sbin/update_virus_scanners and remove it. >> >> Once you can confirm that fixes it, I'll release a new version properly. >> >> > OK, I run > > /usr/sbin/update_virus_scanners > LOCKDIR = '/var/spool/MailScanner/incoming/Locks' > RUNASU = 'postfix' > RUNASG = 'postfix' > > Doesn't output the uid and gid but the Locks directory permissions > seem good. Can you verify that the following is correct? > > drwxr-x--- 2 root postfix 4096 Jan 11 16:13 Locks That's exactly right. I have released 4.74.16-1 which contains a better implementation of this fix, and also fixes the same bug that appears in one other place too. So if you've got 5 minutes it would be worth upgrading. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From maillists at conactive.com Tue Jan 13 08:31:20 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Tue Jan 13 08:31:31 2009
Subject: Anti-spear-phishing sa-update channel
In-Reply-To: <496BB85A.8070506@coders.co.uk>
References: <496A6779.9040309@coders.co.uk> <496B4E56.9000508@coders.co.uk> <496BB85A.8070506@coders.co.uk>
Message-ID:

Matt wrote on Mon, 12 Jan 2009 21:38:34 +0000:

> Ah - no it won't - I haven't configured it - as it isn't needed for
> sa-update.

Ah, well, I see, I thought SA contacts that host. I didn't want to use it, I
just wanted to have a look at the rules this way.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From 17.mehran at gmail.com Tue Jan 13 08:46:05 2009
From: 17.mehran at gmail.com (Mehra)
Date: Tue Jan 13 08:46:14 2009
Subject: Thumbs down MailScanner Segmentation fault
Message-ID: <5d48dd510901130046r3a9828d3ld676a5e9b5407488@mail.gmail.com>

Hello,
I try to install MailScanner on my new server. It worked very well before,
but in the new installation I have some problem!
My server is a core 2 quad Q9300 with 8GB ram and CentOS 5.2 x86_64.
Here are my related application versions:
MailScanner: 4.74.13
ClamAV: 0.94.2/8856
Perl: 5.8.8
PathTools: 3.29

The problem is that MailScanner is continually restarting. Here is its log
in /var/log/maillog:

Code:

Jan 12 11:37:40 LSN-D1371 MailScanner[12810]: MailScanner E-Mail Virus Scanner version 4.74.13 starting...
Jan 12 11:37:40 LSN-D1371 MailScanner[12810]: Using SpamAssassin results cache
Jan 12 11:37:40 LSN-D1371 MailScanner[12810]: Connected to SpamAssassin cache database
Jan 12 11:37:45 LSN-D1371 MailScanner[12811]: MailScanner E-Mail Virus Scanner version 4.74.13 starting...
Jan 12 11:37:45 LSN-D1371 MailScanner[12811]: Using SpamAssassin results cache
Jan 12 11:37:45 LSN-D1371 MailScanner[12811]: Connected to SpamAssassin cache database
Jan 12 11:37:50 LSN-D1371 MailScanner[12813]: MailScanner E-Mail Virus Scanner version 4.74.13 starting...
Jan 12 11:37:50 LSN-D1371 MailScanner[12813]: Using SpamAssassin results cache
Jan 12 11:37:50 LSN-D1371 MailScanner[12813]: Connected to SpamAssassin cache database
Jan 12 11:37:55 LSN-D1371 MailScanner[12815]: MailScanner E-Mail Virus Scanner version 4.74.13 starting...
Jan 12 11:37:55 LSN-D1371 MailScanner[12815]: Using SpamAssassin results cache
Jan 12 11:37:55 LSN-D1371 MailScanner[12815]: Connected to SpamAssassin cache database
Jan 12 11:38:00 LSN-D1371 MailScanner[12816]: MailScanner E-Mail Virus Scanner version 4.74.13 starting...
Jan 12 11:38:00 LSN-D1371 MailScanner[12816]: Using SpamAssassin results cache
Jan 12 11:38:00 LSN-D1371 MailScanner[12816]: Connected to SpamAssassin cache database
Jan 12 11:38:05 LSN-D1371 MailScanner[12817]: MailScanner E-Mail Virus Scanner version 4.74.13 starting...
Jan 12 11:38:05 LSN-D1371 MailScanner[12817]: Using SpamAssassin results cache
Jan 12 11:38:05 LSN-D1371 MailScanner[12817]: Connected to SpamAssassin cache database

When I run it in debug mode I see the following error:

Code:

# /usr/mailscanner/bin/MailScanner --debug
In Debugging mode, not forking...
Segmentation fault(unix)
Segmentation fault

Please help me if somebody has had the same problem before.
tnx
mehran

From MailScanner at ecs.soton.ac.uk Tue Jan 13 08:47:39 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Jan 13 08:48:01 2009 Subject: Anti-spear-phishing, round 2 In-Reply-To: <5FC3E08C-6D5F-4AF5-AACE-17623586AD6B@technologytiger.net> References: <4963D91A.9060304@ecs.soton.ac.uk> <5FC3E08C-6D5F-4AF5-AACE-17623586AD6B@technologytiger.net> Message-ID: <496C552B.9040307@ecs.soton.ac.uk> Upgrade to the latest version, I have fixed this problem already. Please confirm that upgrading does indeed fix the problem for you, but I have just tried your exact rule and it worked just fine for me, and I have just upgraded to the latest too. My guess would be that you have a version before 4.74.8? Cheers, Jules. On 12/1/09 12:14, Drew Marshall wrote: > On 6 Jan 2009, at 22:20, Julian Field wrote: > >> I have done a load of work on my script that uses the >> anti-spear-phishing addresses database. >> >> The main thing is now that it is pretty much a finished script, and >> is directly usable by you guys without you having to do much to it >> except read the settings at the top and tweak the filenames if you >> want to change where it puts things. > > Jules > > I have now got as far as implementing this excellent feature but I > have bumped in to an interesting error. 
> > Jan 12 10:58:25 in1-b MailScanner[78431]: SpamAssassin Rule Actions: > rule anti_phish caused action not-deliver in message 7FAB84BE3B4.94CF3 > Jan 12 10:58:25 in1-b MailScanner[78431]: SpamAssassin Rule Actions: > rule anti_phish caused action store in message 7FAB84BE3B4.94CF3 > Jan 12 10:58:25 in1-b MailScanner[78431]: SpamAssassin Rule Actions: > rule anti_phish caused action header in message 7FAB84BE3B4.94CF3 > Jan 12 10:58:25 in1-b MailScanner[78431]: SpamAssassin Rule Actions: > rule anti_phish caused action "X-Anti-Phish: in message 7FAB84BE3B4.94CF3 > Jan 12 10:58:25 in1-b MailScanner[78431]: SpamAssassin Rule Actions: > rule anti_phish caused action Yes" in message 7FAB84BE3B4.94CF3 > Jan 12 10:58:25 in1-b MailScanner[78431]: Message 7FAB84BE3B4.94CF3 > produced illegal Non-Spam Actions " Yes" "X-Anti-Phish:", so message > is being delivered > > The SpamAssassin Rule Action that generated this log is > ...ANTI_PHISH=>not-deliver,store,header "X-Anti-Phish: Yes" (I > slightly changed the header in case there was a problem with the _TO_ > special command, which has made no difference). > > So what have I done wrong (The actual creation of the SA rule etc is > fine as MailScanner is seeing the rule hit as can be seen in the log)? > > Drew > > -- > In line with our policy, this message has been scanned for viruses and > dangerouscontent by Technology Tiger's Mail Launder system > > Our email policy can be found at www.technologytiger.net/policy > > Technology Tiger Limited is registered in Scotland with registration > number: 310997 > Registered Office 55-57 West High Street Inverurie AB51 3QQ > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From maxsec at gmail.com Tue Jan 13 08:54:56 2009 
From: maxsec at gmail.com (Martin Hepworth) Date: Tue Jan 13 08:55:05 2009 Subject: Thumbs down MailScanner Segmentation fault In-Reply-To: <5d48dd510901130046r3a9828d3ld676a5e9b5407488@mail.gmail.com> References: <5d48dd510901130046r3a9828d3ld676a5e9b5407488@mail.gmail.com> Message-ID: <72cf361e0901130054t40e16916g65456f76119c0155@mail.gmail.com> HI what does.. Mailscanner -v and MailScanner --lint show? -- martin 2009/1/13 Mehra <17.mehran@gmail.com>: > Hello, > I try to install MailScanner on my new server. it worked very well before > but in new installation I have some problem! > My server is a core 2 quad Q9300 with 8GB ram and CentOS 5.2 x86_64 > here is my related application version: > MailScanner: 4.74.13 > ClamAV: 0.94.2/8856 > Perl: 5.8.8 > PathTools: 3.29 > > the problem is that MailScanner continually restarting. here is the its log > in /var/log/maillog: > > Code: > > Jan 12 11:37:40 LSN-D1371 MailScanner[12810]: MailScanner E-Mail Virus > Scanner version 4.74.13 starting... > > Jan 12 11:37:40 LSN-D1371 MailScanner[12810]: Using SpamAssassin results > cache > > Jan 12 11:37:40 LSN-D1371 MailScanner[12810]: Connected to SpamAssassin > cache database > > Jan 12 11:37:45 LSN-D1371 MailScanner[12811]: MailScanner E-Mail Virus > Scanner version 4.74.13 starting... > > Jan 12 11:37:45 LSN-D1371 MailScanner[12811]: Using SpamAssassin results > cache > > Jan 12 11:37:45 LSN-D1371 MailScanner[12811]: Connected to SpamAssassin > cache database > > Jan 12 11:37:50 LSN-D1371 MailScanner[12813]: MailScanner E-Mail Virus > Scanner version 4.74.13 starting... > > Jan 12 11:37:50 LSN-D1371 MailScanner[12813]: Using SpamAssassin results > cache > > Jan 12 11:37:50 LSN-D1371 MailScanner[12813]: Connected to SpamAssassin > cache database > > Jan 12 11:37:55 LSN-D1371 MailScanner[12815]: MailScanner E-Mail Virus > Scanner version 4.74.13 starting... 
> > Jan 12 11:37:55 LSN-D1371 MailScanner[12815]: Using SpamAssassin results > cache > > Jan 12 11:37:55 LSN-D1371 MailScanner[12815]: Connected to SpamAssassin > cache database > > Jan 12 11:38:00 LSN-D1371 MailScanner[12816]: MailScanner E-Mail Virus > Scanner version 4.74.13 starting... > > Jan 12 11:38:00 LSN-D1371 MailScanner[12816]: Using SpamAssassin results > cache > > Jan 12 11:38:00 LSN-D1371 MailScanner[12816]: Connected to SpamAssassin > cache database > > Jan 12 11:38:05 LSN-D1371 MailScanner[12817]: MailScanner E-Mail Virus > Scanner version 4.74.13 starting... > > Jan 12 11:38:05 LSN-D1371 MailScanner[12817]: Using SpamAssassin results > cache > > Jan 12 11:38:05 LSN-D1371 MailScanner[12817]: Connected to SpamAssassin > cache database > > when I run it in debug mode I see the following error: > > Code: > > # /usr/mailscanner/bin/MailScanner --debug > > In Debugging mode, not forking... > > Segmentation fault(unix) > > Segmentation fault > > please help me if somebody had same problem before. > > tnx > > mehran > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- Martin Hepworth Oxford, UK From ajcartmell at fonant.com Tue Jan 13 09:09:17 2009 
From: ajcartmell at fonant.com (Anthony Cartmell) Date: Tue Jan 13 09:09:07 2009 Subject: General Thankyou (still diagnosing fault) In-Reply-To: <496BA9A6.8080108@ecs.soton.ac.uk> References: <60382.204.184.75.172.1231471379.squirrel@webmail.elsberry.k12.mo.us> <49679B36.9010202@senecac.on.ca> <4967A01A.1020805@senecac.on.ca> <4967D6F2.8090907@senecac.on.ca> <496A4264.6080303@senecac.on.ca> <496A470A.7070507@ecs.soton.ac.uk> <496A538C.60903@senecac.on.ca> <496A5BC8.4000908@ecs.soton.ac.uk> <496A6204.9070105@senecac.on.ca> <496A85DC.3060404@ecs.soton.ac.uk> <496AC6C4.10700 <496B7236.3060604@zuka.net> <496BA9A6.8080108@ecs.soton.ac.uk> Message-ID: >>> I am most happy to snip out old parts as necessary. >>> >> >> This would be most appreciated. Quote just what is needed to understand >> the next lines (which should be your reply). It has amused me for many months how this mailing list, populated by e-mail experts, manages to generate such huge quote-everything-in-the-reply-to-the-reply-to-the-reply messages. I sometimes find myself scrolling through pages and pages of quoted-five-times content before I reach the actual message! > Hint: use Thunderbird and the "QuoteCollapse" add-on extension. Totally > solves this problem for you. Using "Quote Colors" is a good idea too, > unless you're using Shredder as it's built into Shredder (the > pre-release versions of the next version of Thunderbird). So the usual > answer: use a better email client :-) Ah, but I am already using the best for me, Opera's e-mail client (database and views to find messages is much more powerful than message-in-only-one-place-at-a-time) ;) Opera does format and colour quoted sections, but doesn't have any quote collapsing features. This isn't a problem, apart from when reading the MailScanner list! ;) Cheers! Anthony -- www.fonant.com - Quality web sites From 17.mehran at gmail.com Tue Jan 13 09:13:48 2009 
From: 17.mehran at gmail.com (Mehra) Date: Tue Jan 13 09:13:56 2009 Subject: Thumbs down MailScanner Segmentation fault In-Reply-To: <72cf361e0901130054t40e16916g65456f76119c0155@mail.gmail.com> References: <5d48dd510901130046r3a9828d3ld676a5e9b5407488@mail.gmail.com> <72cf361e0901130054t40e16916g65456f76119c0155@mail.gmail.com> Message-ID: <5d48dd510901130113y6f7909bah6ce3536888ea6233@mail.gmail.com> # ./MailScanner -V Running on Linux 2.6.18-92.el5 #1 SMP Tue Jun 10 18:51:06 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux This is CentOS release 5.2 (Final) This is Perl version 5.008008 (5.8.8) This is MailScanner version 4.74.13 Module versions are: 1.00 AnyDBM_File 1.26 Archive::Zip 0.23 bignum 1.04 Carp 1.42 Compress::Zlib 1.119 Convert::BinHex 0.17 Convert::TNEF 2.121_08 Data::Dumper 2.27 Date::Parse 1.00 DirHandle 1.05 Fcntl 2.74 File::Basename 2.09 File::Copy 2.01 FileHandle 1.08 File::Path 0.20 File::Temp 0.92 Filesys::Df 1.35 HTML::Entities 3.56 HTML::Parser 2.37 HTML::TokeParser 1.23 IO 1.14 IO::File 1.13 IO::Pipe 2.04 Mail::Header 1.89 Math::BigInt 0.22 Math::BigRat 3.07 MIME::Base64 5.427 MIME::Decoder 5.427 MIME::Decoder::UU 5.427 MIME::Head 5.427 MIME::Parser 3.07 MIME::QuotedPrint 5.427 MIME::Tools 0.11 Net::CIDR 1.25 Net::IP 0.16 OLE::Storage_Lite 1.04 Pod::Escapes 3.07 Pod::Simple 1.09 POSIX 1.19 Scalar::Util 1.78 Socket 2.18 Storable 1.4 Sys::Hostname::Long 0.27 Sys::Syslog 1.26 Test::Pod 0.86 Test::Simple 1.9715 Time::HiRes 1.02 Time::localtime Optional module versions are: 1.40 Archive::Tar 0.23 bignum missing Business::ISBN missing Business::ISBN::Data 1.12 Data::Dump 1.817 DB_File 1.14 DBD::SQLite 1.607 DBI 1.14 Digest 1.01 Digest::HMAC 2.36 Digest::MD5 2.11 Digest::SHA1 1.01 Encode::Detect 0.17015 Error 0.24 ExtUtils::CBuilder 2.19 ExtUtils::ParseXS 2.37 Getopt::Long 0.44 Inline missing IO::String 1.09 IO::Zlib 2.25 IP::Country missing Mail::ClamAV 3.002004 Mail::SpamAssassin v2.006 Mail::SPF 1.999001 Mail::SPF::Query 0.3 Module::Build 0.20 
Net::CIDR::Lite 0.63 Net::DNS v0.003 Net::DNS::Resolver::Programmable 0.39 Net::LDAP 4.015 NetAddr::IP 1.94 Parse::RecDescent missing SAVI 3.14 Test::Harness missing Test::Manifest 1.95 Text::Balanced 1.37 URI 0.76 version 0.66 YAML

********************************************************************************************************************
# ./MailScanner --lint
Trying to setlogsock(unix)
Checking version numbers...
Version number in MailScanner.conf (4.74.13) is correct.

Unrar is not installed, it should be in .
This is required for RAR archives to be read to check
filenames and filetypes. Virus scanning is not affected.

ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf
ERROR: is not correct, it should match X-cPanel-MailScanner-From

MailScanner setting GID to (12)
MailScanner setting UID to (47)

Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
config: SpamAssassin failed to parse line, "/usr/local/bin/dccproc" is not valid for "dcc_path", skipping: dcc_path /usr/local/bin/dccproc
Segmentation fault

From MailScanner at ecs.soton.ac.uk Tue Jan 13 09:54:33 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Jan 13 09:54:52 2009 Subject: Thumbs down MailScanner Segmentation fault In-Reply-To: <5d48dd510901130113y6f7909bah6ce3536888ea6233@mail.gmail.com> References: <5d48dd510901130046r3a9828d3ld676a5e9b5407488@mail.gmail.com> <72cf361e0901130054t40e16916g65456f76119c0155@mail.gmail.com> <5d48dd510901130113y6f7909bah6ce3536888ea6233@mail.gmail.com> Message-ID: <496C64D9.2000108@ecs.soton.ac.uk> On 13/1/09 09:13, Mehra wrote: > # ./MailScanner -V > Running on > Linux 2.6.18-92.el5 #1 SMP Tue Jun 10 18:51:06 EDT 2008 x86_64 x86_64 > x86_64 GNU/Linux > This is CentOS release 5.2 (Final) > This is Perl version 5.008008 (5.8.8) > > This is MailScanner version 4.74.13 > Module versions are: > 1.00 AnyDBM_File > 1.26 Archive::Zip > 0.23 bignum > 1.04 Carp > 1.42 Compress::Zlib > 1.119 Convert::BinHex > 0.17 Convert::TNEF > 2.121_08 Data::Dumper > 2.27 Date::Parse > 1.00 DirHandle > 1.05 Fcntl > 2.74 File::Basename > 2.09 File::Copy > 2.01 FileHandle > 1.08 File::Path > 0.20 File::Temp > 0.92 Filesys::Df > 1.35 HTML::Entities > 3.56 HTML::Parser > 2.37 HTML::TokeParser > 1.23 IO > 1.14 IO::File > 1.13 IO::Pipe > 2.04 Mail::Header > 1.89 Math::BigInt > 0.22 Math::BigRat > 3.07 MIME::Base64 > 5.427 MIME::Decoder > 5.427 MIME::Decoder::UU > 5.427 MIME::Head > 5.427 MIME::Parser > 3.07 MIME::QuotedPrint > 5.427 MIME::Tools > 0.11 Net::CIDR > 1.25 Net::IP > 0.16 OLE::Storage_Lite > 1.04 Pod::Escapes > 3.07 Pod::Simple > 1.09 POSIX > 1.19 Scalar::Util > 1.78 Socket > 2.18 Storable > 1.4 Sys::Hostname::Long > 0.27 Sys::Syslog > 1.26 Test::Pod > 0.86 Test::Simple > 1.9715 Time::HiRes > 1.02 Time::localtime > > Optional module versions are: > 1.40 Archive::Tar > 0.23 bignum > missing Business::ISBN > missing Business::ISBN::Data > 1.12 Data::Dump > 1.817 DB_File > 1.14 DBD::SQLite > 1.607 DBI > 1.14 Digest > 1.01 Digest::HMAC > 2.36 Digest::MD5 > 2.11 Digest::SHA1 > 1.01 Encode::Detect > 0.17015 Error > 0.24 
ExtUtils::CBuilder > 2.19 ExtUtils::ParseXS > 2.37 Getopt::Long > 0.44 Inline > missing IO::String > 1.09 IO::Zlib > 2.25 IP::Country > missing Mail::ClamAV > 3.002004 Mail::SpamAssassin > v2.006 Mail::SPF > 1.999001 Mail::SPF::Query > 0.3 Module::Build > 0.20 Net::CIDR::Lite > 0.63 Net::DNS > v0.003 Net::DNS::Resolver::Programmable > 0.39 Net::LDAP > 4.015 NetAddr::IP > 1.94 Parse::RecDescent > missing SAVI > 3.14 Test::Harness > missing Test::Manifest > 1.95 Text::Balanced > 1.37 URI > 0.76 version > 0.66 YAML > > ******************************************************************************************************************** > # ./MailScanner --lint > Trying to setlogsock(unix) > Checking version numbers... > Version number in MailScanner.conf (4.74.13) is correct. > > Unrar is not installed, it should be in . > This is required for RAR archives to be read to check > filenames and filetypes. Virus scanning is not affected. > > > ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf > ERROR: is not correct, it should match X-cPanel-MailScanner-From > > MailScanner setting GID to (12) > MailScanner setting UID to (47) > > Checking for SpamAssassin errors (if you use it)... > Using SpamAssassin results cache > Connected to SpamAssassin cache database > config: SpamAssassin failed to parse line, "/usr/local/bin/dccproc" is > not valid for "dcc_path", skipping: dcc_path /usr/local/bin/dccproc > Segmentation fault > As your SpamAssassin config is not set to use dcc, remove or comment out the "dcc_path" line from /etc/MailScanner/spam.assassin.prefs.conf. Then please try "MailScanner --lint" again, and we'll see if that helped. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! 
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From maillists at conactive.com Tue Jan 13 10:06:39 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Tue Jan 13 10:06:49 2009
Subject: Thumbs down MailScanner Segmentation fault
In-Reply-To: <5d48dd510901130046r3a9828d3ld676a5e9b5407488@mail.gmail.com>
References: <5d48dd510901130046r3a9828d3ld676a5e9b5407488@mail.gmail.com>
Message-ID:

Mehra wrote on Tue, 13 Jan 2009 12:16:05 +0330:

> Thumbs down

could you please refrain from such emotional dismay in the future?

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From 17.mehran at gmail.com Tue Jan 13 10:09:57 2009
From: 17.mehran at gmail.com (Mehra)
Date: Tue Jan 13 10:10:06 2009
Subject: Thumbs down MailScanner Segmentation fault
In-Reply-To: <496C64D9.2000108@ecs.soton.ac.uk>
References: <5d48dd510901130046r3a9828d3ld676a5e9b5407488@mail.gmail.com> <72cf361e0901130054t40e16916g65456f76119c0155@mail.gmail.com> <5d48dd510901130113y6f7909bah6ce3536888ea6233@mail.gmail.com> <496C64D9.2000108@ecs.soton.ac.uk>
Message-ID: <5d48dd510901130209h4a9752e7r45849ed9b8435dc5@mail.gmail.com>

Now this is the new result:

# ./MailScanner --lint
Trying to setlogsock(unix)
Checking version numbers...
Version number in MailScanner.conf (4.74.13) is correct.

Unrar is not installed, it should be in .
This is required for RAR archives to be read to check
filenames and filetypes. Virus scanning is not affected.

ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf
ERROR: is not correct, it should match X-cPanel-MailScanner-From

MailScanner setting GID to (12)
MailScanner setting UID to (47)

Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
Segmentation fault
**************************************************************************************************************
And this is the result for spamassassin --lint:

# spamassassin --lint
Segmentation fault

Do you think that it may be a spamassassin problem?

From a.peacock at chime.ucl.ac.uk Tue Jan 13 10:24:23 2009
From: a.peacock at chime.ucl.ac.uk (Anthony Peacock) Date: Tue Jan 13 10:24:38 2009 Subject: Thumbs down MailScanner Segmentation fault In-Reply-To: <5d48dd510901130209h4a9752e7r45849ed9b8435dc5@mail.gmail.com> References: <5d48dd510901130046r3a9828d3ld676a5e9b5407488@mail.gmail.com> <72cf361e0901130054t40e16916g65456f76119c0155@mail.gmail.com> <5d48dd510901130113y6f7909bah6ce3536888ea6233@mail.gmail.com> <496C64D9.2000108@ecs.soton.ac.uk> <5d48dd510901130209h4a9752e7r45849ed9b8435dc5@mail.gmail.com> Message-ID: <496C6BD7.50800@chime.ucl.ac.uk> Hi, Mehra wrote: > now this is new result: > > # ./MailScanner --lint > Trying to setlogsock(unix) > Checking version numbers... > Version number in MailScanner.conf (4.74.13) is correct. > > Unrar is not installed, it should be in . > This is required for RAR archives to be read to check > filenames and filetypes. Virus scanning is not affected. > > > ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf > ERROR: is not correct, it should match X-cPanel-MailScanner-From > > MailScanner setting GID to (12) > MailScanner setting UID to (47) > > Checking for SpamAssassin errors (if you use it)... > Using SpamAssassin results cache > Connected to SpamAssassin cache database > Segmentation fault > ************************************************************************************************************** > and this is result for spamassassin --lint > # spamassassin --lint > Segmentation fault > > do you think that it may be spamassassin problem? The segmentation fault appears when running spamassassin on its own, so I would suspect that is your problem. Another way to confirm this would be to switch off spamassassin use in MailScanner. You could edit your MailScanner.conf file and set "Spam Checks" to no, ie Spam Checks = no Run MailScanner, if it doesn't seg fault, then the problem does not lie with MailScanner. 
--
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW: http://www.chime.ucl.ac.uk/~rmhiajp/
Study Health Informatics - Modular Postgraduate Degree
http://www.chime.ucl.ac.uk/study-health-informatics/

From 17.mehran at gmail.com Tue Jan 13 10:40:01 2009
From: 17.mehran at gmail.com (Mehra)
Date: Tue Jan 13 10:40:10 2009
Subject: Thumbs down MailScanner Segmentation fault
In-Reply-To: <496C6BD7.50800@chime.ucl.ac.uk>
References: <5d48dd510901130046r3a9828d3ld676a5e9b5407488@mail.gmail.com> <72cf361e0901130054t40e16916g65456f76119c0155@mail.gmail.com> <5d48dd510901130113y6f7909bah6ce3536888ea6233@mail.gmail.com> <496C64D9.2000108@ecs.soton.ac.uk> <5d48dd510901130209h4a9752e7r45849ed9b8435dc5@mail.gmail.com> <496C6BD7.50800@chime.ucl.ac.uk>
Message-ID: <5d48dd510901130240k549f1fd2o3b85c4429aafe07a@mail.gmail.com>

Hi, that's right.
I disabled Spam check as you told me the error is the same.
As I reinstall MailScanner before, I think problem maybe related to OS or
perl ver.
do you have any idea?

From maillists at conactive.com Tue Jan 13 11:23:45 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Tue Jan 13 11:23:57 2009
Subject: Thumbs down MailScanner Segmentation fault
In-Reply-To: <5d48dd510901130240k549f1fd2o3b85c4429aafe07a@mail.gmail.com>
References: <5d48dd510901130046r3a9828d3ld676a5e9b5407488@mail.gmail.com> <72cf361e0901130054t40e16916g65456f76119c0155@mail.gmail.com> <5d48dd510901130113y6f7909bah6ce3536888ea6233@mail.gmail.com> <496C64D9.2000108@ecs.soton.ac.uk> <5d48dd510901130209h4a9752e7r45849ed9b8435dc5@mail.gmail.com> <496C6BD7.50800@chime.ucl.ac.uk> <5d48dd510901130240k549f1fd2o3b85c4429aafe07a@mail.gmail.com>
Message-ID:

Mehra wrote on Tue, 13 Jan 2009 14:10:01 +0330:

> I disabled Spam check as you told me the error is the same.

Your wording is confusing. Please confirm that
- you get the segfault with MailScanner --lint *and* Spam Checks with SA *disabled*
*and*
- you get the segfault with spamassassin --lint

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From 17.mehran at gmail.com Tue Jan 13 11:33:26 2009
From: 17.mehran at gmail.com (Mehra)
Date: Tue Jan 13 11:33:43 2009
Subject: Thumbs down MailScanner Segmentation fault
In-Reply-To:
References: <5d48dd510901130046r3a9828d3ld676a5e9b5407488@mail.gmail.com> <72cf361e0901130054t40e16916g65456f76119c0155@mail.gmail.com> <5d48dd510901130113y6f7909bah6ce3536888ea6233@mail.gmail.com> <496C64D9.2000108@ecs.soton.ac.uk> <5d48dd510901130209h4a9752e7r45849ed9b8435dc5@mail.gmail.com> <496C6BD7.50800@chime.ucl.ac.uk> <5d48dd510901130240k549f1fd2o3b85c4429aafe07a@mail.gmail.com>
Message-ID: <5d48dd510901130333o6495d837o96789dd276ce5069@mail.gmail.com>

- Yes, I get the segfault with MailScanner --lint *and* Spam Checks with SA *disabled*-
- Yes, I get the segfault with spamassassin --lint

From MailScanner at ecs.soton.ac.uk Tue Jan 13 11:52:30 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Jan 13 11:53:15 2009 Subject: Health update Message-ID: <496C807E.9000404@ecs.soton.ac.uk> Folks, Well, I've just got back from the hospital, had another meeting with the transplant team. As of now, I'm suspended on the liver waiting list. They are going to do another endoscopy in the next 2 or 3 weeks, and we'll see the outcome of that to see if the varices have gone down at all which will imply better blood flow through my new portal vein replacement. I suspect this will most likely show an improvement. If it does, then the original reason for me being on the list will have gone (well enough). So it will be no longer worth doing what is, in my case, a very difficult and dangerous procedure. So I'm officially suspended from the list at the moment, but not removed. As I've spent the past 15 months or so mentally preparing for the procedure, this is going to take a bit of getting used to. It's going to take a few days to sink in properly. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From maillists at conactive.com Tue Jan 13 11:58:06 2009 
From: maillists at conactive.com (Kai Schaetzl) Date: Tue Jan 13 11:58:15 2009 Subject: Thumbs down MailScanner Segmentation fault In-Reply-To: <5d48dd510901130333o6495d837o96789dd276ce5069@mail.gmail.com> References: <5d48dd510901130046r3a9828d3ld676a5e9b5407488@mail.gmail.com> <72cf361e0901130054t40e16916g65456f76119c0155@mail.gmail.com> <5d48dd510901130113y6f7909bah6ce3536888ea6233@mail.gmail.com> <496C64D9.2000108@ecs.soton.ac.uk> <5d48dd510901130209h4a9752e7r45849ed9b8435dc5@mail.gmail.com> <496C6BD7.50800@chime.ucl.ac.uk> <5d48dd510901130240k549f1fd2o3b85c4429aafe07a@mail.gmail.com> <5d48dd510901130333o6495d837o96789dd276ce5069@mail.gmail.com> Message-ID:

Mehra wrote on Tue, 13 Jan 2009 15:03:26 +0330:

> - Yes, I get the segfault with MailScanner --lint *and* Spam Checks with SA
> *disabled*-
> - Yes, I get the segfault with spamassassin --lint

in that case you may have a bigger problem
- RAM corruption or other hardware problem?
- filesystem problem?
- some i386 rpms installed that shouldn't?
- some Perl or Perl module problem?

Hard to tell, but I would certainly investigate in all these directions.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From steve.freegard at fsl.com Tue Jan 13 12:01:09 2009
From: steve.freegard at fsl.com (Steve Freegard) Date: Tue Jan 13 12:01:19 2009 Subject: Thumbs down MailScanner Segmentation fault In-Reply-To: <5d48dd510901130333o6495d837o96789dd276ce5069@mail.gmail.com> References: <5d48dd510901130046r3a9828d3ld676a5e9b5407488@mail.gmail.com> <72cf361e0901130054t40e16916g65456f76119c0155@mail.gmail.com> <5d48dd510901130113y6f7909bah6ce3536888ea6233@mail.gmail.com> <496C64D9.2000108@ecs.soton.ac.uk> <5d48dd510901130209h4a9752e7r45849ed9b8435dc5@mail.gmail.com> <496C6BD7.50800@chime.ucl.ac.uk> <5d48dd510901130240k549f1fd2o3b85c4429aafe07a@mail.gmail.com> <5d48dd510901130333o6495d837o96789dd276ce5069@mail.gmail.com> Message-ID: <496C8285.8010507@fsl.com>

Mehra wrote:
> - Yes, I get the segfault with MailScanner --lint *and* Spam Checks with
> SA *disabled*-
> - Yes, I get the segfault with spamassassin --lint
>

Ok - install 'strace' via 'yum install strace'; then run:

strace MailScanner --lint 2>&1 | tee strace.out

You'll get *lots* of output from this and hopefully you will still hit the segfault and it will exit.

Look at the last 20-30 lines of the strace.out and you will most likely see that a compiled Perl module is being loaded that is causing the segfault.

Once you have identified the module causing the fault - attempt to re-install it via RPM or build it manually (do not skip the 'make test' phase) and see if that fixes the problem.

Kind regards,
Steve.

--
Steve Freegard
Fort Systems Ltd.

Tired of administering your spam filter and its massive quarantines? Having scalability issues with your existing spam filter? Solve your spam filtering problems with BarricadeMX. http://www.fsl.com

From maillists at conactive.com Tue Jan 13 12:01:19 2009
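The check described in Steve Freegard's message above (find the compiled Perl module that was being loaded when the segfault hit), as an added example that is not part of the original thread: a shell helper that pulls the last successfully opened shared object before the SIGSEGV line out of strace.out and maps it to a Perl module name. The function names and the sample trace are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): pick the compiled Perl module that was
# being loaded when the process died out of an strace log.
# Function names and the sample trace below are constructed for illustration.

# last_so_before_segv FILE
# Prints the last shared object opened successfully before the first SIGSEGV
# line. Returns 1 if the trace has no SIGSEGV or no .so was opened before it.
last_so_before_segv() {
    awk '
        # Successful open()/openat() calls end in " = <fd>"; failed ones
        # end in " = -1 ENOENT (...)" and are skipped.
        /^(\[pid +[0-9]+\] +)?open(at)?\(/ && / = [0-9]+$/ {
            if (match($0, /"[^"]+\.so(\.[0-9.]+)?"/))
                last = substr($0, RSTART + 1, RLENGTH - 2)
            next
        }
        /^(\[pid +[0-9]+\] +)?--- SIGSEGV/ { found = 1; exit }
        END {
            if (found && last != "") { print last; exit 0 }
            exit 1
        }
    ' "$1"
}

# perl_module_from_so PATH
# Perl keeps compiled (XS) modules under .../auto/Foo/Bar/Bar.so; this maps
# such a path to Foo::Bar. Returns 1 for a library outside an auto/ tree.
perl_module_from_so() {
    case "$1" in
        */auto/*/*.so) ;;
        *) return 1 ;;
    esac
    rel=${1##*/auto/}   # Foo/Bar/Bar.so
    rel=${rel%/*}       # Foo/Bar
    printf '%s\n' "$rel" | sed 's|/|::|g'
}

# Constructed sample: the tail of an strace log that ends in a segfault.
write_sample_trace() {
    cat > "$1" <<'EOF'
open("/usr/lib/perl5/5.8.8/i386-linux-thread-multi/auto/IO/IO.so", O_RDONLY) = 5
read(5, "\177ELF\1\1\1"..., 512) = 512
close(5) = 0
open("/usr/lib/perl5/site_perl/5.8.8/Compress/Zlib.pm", O_RDONLY) = 5
open("/usr/lib/perl5/site_perl/5.8.8/auto/Compress/Zlib/Zlib.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/auto/Compress/Zlib/Zlib.so", O_RDONLY) = 5
mmap2(NULL, 90112, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 5, 0) = 0xb7c00000
close(5) = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
EOF
}

trace=$(mktemp)
write_sample_trace "$trace"
if so=$(last_so_before_segv "$trace"); then
    echo "last shared object before SIGSEGV: $so"
    if mod=$(perl_module_from_so "$so"); then
        echo "Perl module to reinstall: $mod"
    fi
    # On an RPM system, the next steps would be:
    #   rpm -qf "$so"       which package owns the file
    #   rpm -V <package>    whether its files still match the package
fi
rm -f "$trace"
```

On a real run, point `last_so_before_segv` at the strace.out produced by the command in the message; the architecture directory in the reported path also shows whether an i386 build was loaded.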
From: maillists at conactive.com (Kai Schaetzl) Date: Tue Jan 13 12:01:33 2009 Subject: Health update In-Reply-To: <496C807E.9000404@ecs.soton.ac.uk> References: <496C807E.9000404@ecs.soton.ac.uk> Message-ID: Julian Field wrote on Tue, 13 Jan 2009 11:52:30 +0000: > So I'm officially suspended from the list at the moment, but not removed. > > As I've spent the past 15 months or so mentally preparing for the > procedure, this is going to take a bit of getting used to. It's going to > take a few days to sink in properly. I hope that you don't have to "surface" it again. Relax, Jules! Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From J.Ede at birchenallhowden.co.uk Tue Jan 13 12:10:41 2009 From: J.Ede at birchenallhowden.co.uk (Jason Ede) Date: Tue Jan 13 12:10:59 2009 Subject: Health update In-Reply-To: <496C807E.9000404@ecs.soton.ac.uk> References: <496C807E.9000404@ecs.soton.ac.uk> Message-ID: <1213490F1F316842A544A850422BFA96118E8BE2@BHLSBS.bhl.local> > -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Julian Field > Sent: 13 January 2009 11:53 > To: MailScanner discussion > Subject: Health update > > Folks, > > Well, I've just got back from the hospital, had another meeting with > the > transplant team. > > As of now, I'm suspended on the liver waiting list. > They are going to do another endoscopy in the next 2 or 3 weeks, and > we'll see the outcome of that to see if the varices have gone down at > all which will imply better blood flow through my new portal vein > replacement. > I suspect this will most likely show an improvement. > > If it does, then the original reason for me being on the list will have > gone (well enough). So it will be no longer worth doing what is, in my > case, a very difficult and dangerous procedure. > > So I'm officially suspended from the list at the moment, but not > removed. > > As I've spent the past 15 months or so mentally preparing for the > procedure, this is going to take a bit of getting used to. It's going > to > take a few days to sink in properly. > > Jules > Jules, If I read it correctly then that sounds like great news. :-) Jason From bpirie at rma.edu Tue Jan 13 13:21:12 2009 
From: bpirie at rma.edu (Brendan Pirie) Date: Tue Jan 13 13:21:00 2009 Subject: Health update In-Reply-To: <496C807E.9000404@ecs.soton.ac.uk> References: <496C807E.9000404@ecs.soton.ac.uk> Message-ID: <496C9548.1070900@rma.edu> Best wishes for a positive outcome! Brendan Julian Field wrote: > Folks, > > Well, I've just got back from the hospital, had another meeting with > the transplant team. > > As of now, I'm suspended on the liver waiting list. > They are going to do another endoscopy in the next 2 or 3 weeks, and > we'll see the outcome of that to see if the varices have gone down at > all which will imply better blood flow through my new portal vein > replacement. > I suspect this will most likely show an improvement. > > If it does, then the original reason for me being on the list will > have gone (well enough). So it will be no longer worth doing what is, > in my case, a very difficult and dangerous procedure. > > So I'm officially suspended from the list at the moment, but not removed. > > As I've spent the past 15 months or so mentally preparing for the > procedure, this is going to take a bit of getting used to. It's going > to take a few days to sink in properly. > > Jules > From jonas at vrt.dk Tue Jan 13 13:21:49 2009 From: jonas at vrt.dk (Jonas Akrouh Larsen) Date: Tue Jan 13 13:21:59 2009 Subject: Health update In-Reply-To: <496C807E.9000404@ecs.soton.ac.uk> References: <496C807E.9000404@ecs.soton.ac.uk> Message-ID: <005c01c97581$e4cbc400$ae634c00$@dk> I hope the doctors are correct, and you will get better without needing the risky operation. Best wishes from Denmark Med venlig hilsen / Best regards Jonas Akrouh Larsen TechBiz ApS Laplandsgade 4, 2. sal 2300 København S Office: 7020 0979 Direct: 3336 9974 Mobile: 5120 1096 Fax: 7020 0978 Web: www.techbiz.dk From gesbbb at yahoo.com Tue Jan 13 13:27:20 2009
From: gesbbb at yahoo.com (Jerry) Date: Tue Jan 13 13:27:33 2009 Subject: General Thankyou (still diagnosing fault) In-Reply-To: References: <60382.204.184.75.172.1231471379.squirrel@webmail.elsberry.k12.mo.us> <49679B36.9010202@senecac.on.ca> <4967A01A.1020805@senecac.on.ca> <4967D6F2.8090907@senecac.on.ca> <496A4264.6080303@senecac.on.ca> <496A470A.7070507@ecs.soton.ac.uk> <496A538C.60903@senecac.on.ca> <496A5BC8.4000908@ecs.soton.ac.uk> <496A6204.9070105@senecac.on.ca> <496A85DC.3060404@ecs.soton.ac.uk> <496AC6C4.10700 <496B7236.3060604@zuka.net> <496BA9A6.8080108@ecs.soton.ac.uk> Message-ID: <20090113082720.0aaa1306@scorpio>

On Tue, 13 Jan 2009 09:09:17 -0000 "Anthony Cartmell" wrote:

[snip]

>It has amused me for many months how this mailing list, populated by
>e-mail experts, manages to generate such huge
>quote-everything-in-the-reply-to-the-reply-to-the-reply messages. I
>sometimes find myself scrolling through pages and pages of
>quoted-five-times content before I reach the actual message!

Not just this list either. Many of the lists that I subscribe to are populated by users, who while knowledgeable about the subject they are responding to, display poor posting etiquette and posting skills. With the huge number of sites displaying such information, I find it rather odd myself.

http://en.wikipedia.org/wiki/Godwin's_law
http://en.wikipedia.org/wiki/Top-post
http://groups.google.com/support/bin/answer.py?answer=12348&topic=250
http://www.catb.org/~esr/faqs/smart-questions.html
http://www.html-faq.com/etiquette/?toppost
http://www.neverending.org/~ftobin/resources/formatting_email_replies/
http://www.reedmedia.net/misc/mail/using-mailing-list.html
http://www.river.com/users/share/etiquette/
http://www.river.com/users/share/etiquette/trumpetpower-netiquette.html

--
Jerry
gesbbb@yahoo.com

From Denis.Beauchemin at USherbrooke.ca Tue Jan 13 13:33:07 2009
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Tue Jan 13 13:33:27 2009 Subject: Anti-spear-phishing, round 2 In-Reply-To: <20090113043340.GB4420@msapiro> References: <4963D91A.9060304@ecs.soton.ac.uk> <496B4FC7.2060701@USherbrooke.ca> <20090113043340.GB4420@msapiro> Message-ID: <496C9813.5070009@USherbrooke.ca>

Mark Sapiro wrote:
> On Mon, Jan 12, 2009 at 09:12:23AM -0500, Denis Beauchemin wrote:
>
>> I got what really looks like a FP with one of the email addresses from
>> your script... what would be the best way to correct this ? Write an SA
>> rule with a negative score for that address ? Or is there some
>> whitelisting mechanism built in ?
>>
>> Thanks!
>>
>> Denis
>> PS: the address is jmcelhaney @ uchc . edu (without the spaces).
>>
>
>
> That address is in the list at
>
>
> If it really is a FP, you could try to contact the project via
> and see if it can
> be removed.
>
> Alternatively, you could add a line
>
> next if /^jmcelhaney\@uchc\.edu$/;
>
> in between the lines:
>
> next unless /^.+\@.+\..+$/; # Only interested in email addresses.
>
> push @addresses, $_; # This is for the report
>
> in the script to skip that address. That's the "whitelisting" mechanism :)
>
>

Thanks Mark,

I implemented your "whitelisting" method and it is working fine!

Denis

--
 _
 ?v?  Denis Beauchemin, analyste
/(_)\ Université de Sherbrooke, S.T.I.
 ^ ^  T: 819.821.8000x62252 F: 819.821.8045

From dave.list at pixelhammer.com Tue Jan 13 13:40:49 2009
From: dave.list at pixelhammer.com (DAve) Date: Tue Jan 13 13:41:06 2009 Subject: Health update In-Reply-To: <496C807E.9000404@ecs.soton.ac.uk> References: <496C807E.9000404@ecs.soton.ac.uk> Message-ID: <496C99E1.90405@pixelhammer.com> Julian Field wrote: > Folks, > > Well, I've just got back from the hospital, had another meeting with the > transplant team. > > As of now, I'm suspended on the liver waiting list. > They are going to do another endoscopy in the next 2 or 3 weeks, and > we'll see the outcome of that to see if the varices have gone down at > all which will imply better blood flow through my new portal vein > replacement. > I suspect this will most likely show an improvement. > > If it does, then the original reason for me being on the list will have > gone (well enough). So it will be no longer worth doing what is, in my > case, a very difficult and dangerous procedure. > > So I'm officially suspended from the list at the moment, but not removed. > > As I've spent the past 15 months or so mentally preparing for the > procedure, this is going to take a bit of getting used to. It's going to > take a few days to sink in properly. > > Jules > Anytime a doctor says you do not *need* a surgery, it is a good thing ;^) DAve -- The whole internet thing is sucking the life out of me, there ain't no pony in there. From Denis.Beauchemin at USherbrooke.ca Tue Jan 13 13:41:23 2009 
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Tue Jan 13 13:41:42 2009 Subject: Health update In-Reply-To: <496C807E.9000404@ecs.soton.ac.uk> References: <496C807E.9000404@ecs.soton.ac.uk> Message-ID: <496C9A03.9070608@USherbrooke.ca> Julian Field wrote: > Folks, > > Well, I've just got back from the hospital, had another meeting with > the transplant team. > > As of now, I'm suspended on the liver waiting list. > They are going to do another endoscopy in the next 2 or 3 weeks, and > we'll see the outcome of that to see if the varices have gone down at > all which will imply better blood flow through my new portal vein > replacement. > I suspect this will most likely show an improvement. > > If it does, then the original reason for me being on the list will > have gone (well enough). So it will be no longer worth doing what is, > in my case, a very difficult and dangerous procedure. > > So I'm officially suspended from the list at the moment, but not removed. > > As I've spent the past 15 months or so mentally preparing for the > procedure, this is going to take a bit of getting used to. It's going > to take a few days to sink in properly. > > Jules > Julian, All the best from Québec/Canada! Denis -- _ ?v? Denis Beauchemin, analyste /(_)\ Université de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045 From alex at rtpty.com Tue Jan 13 13:46:03 2009
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Tue Jan 13 13:46:17 2009 Subject: Health update In-Reply-To: <496C807E.9000404@ecs.soton.ac.uk> References: <496C807E.9000404@ecs.soton.ac.uk> Message-ID: Hope you get better soon in the least aggressive way possible. On Jan 13, 2009, at 6:52 AM, Julian Field wrote: > Folks, > > Well, I've just got back from the hospital, had another meeting with > the transplant team. > > As of now, I'm suspended on the liver waiting list. > They are going to do another endoscopy in the next 2 or 3 weeks, and > we'll see the outcome of that to see if the varices have gone down > at all which will imply better blood flow through my new portal vein > replacement. > I suspect this will most likely show an improvement. > > If it does, then the original reason for me being on the list will > have gone (well enough). So it will be no longer worth doing what > is, in my case, a very difficult and dangerous procedure. > > So I'm officially suspended from the list at the moment, but not > removed. > > As I've spent the past 15 months or so mentally preparing for the > procedure, this is going to take a bit of getting used to. It's > going to take a few days to sink in properly. > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. 
> > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From vincent at zijnemail.nl Tue Jan 13 14:09:44 2009 From: vincent at zijnemail.nl (Vincent Verhagen) Date: Tue Jan 13 14:10:13 2009 Subject: Health update In-Reply-To: <496C807E.9000404@ecs.soton.ac.uk> References: <496C807E.9000404@ecs.soton.ac.uk> Message-ID: <496CA0A8.8090705@zijnemail.nl> Skipped content of type multipart/alternative From submit at zuka.net Tue Jan 13 14:50:00 2009 From: submit at zuka.net (Dave Filchak) Date: Tue Jan 13 14:50:13 2009 Subject: General Thankyou (still diagnosing fault) In-Reply-To: <20090113082720.0aaa1306@scorpio> References: <60382.204.184.75.172.1231471379.squirrel@webmail.elsberry.k12.mo.us> <49679B36.9010202@senecac.on.ca> <4967A01A.1020805@senecac.on.ca> <4967D6F2.8090907@senecac.on.ca> <496A4264.6080303@senecac.on.ca> <496A470A.7070507@ecs.soton.ac.uk> <496A538C.60903@senecac.on.ca> <496A5BC8.4000908@ecs.soton.ac.uk> <496A6204.9070105@senecac.on.ca> <496A85DC.3060404@ecs.soton.ac.uk> <496AC6C4.10700 <496B7236.3060604@zuka.net> <496BA9A6.8080108@ecs.soton.ac.uk> <20090113082720.0aaa1306@scorpio> Message-ID: <496CAA18.9040303@zuka.net> Jerry wrote: > > [snip] > > > Ok people ... relax. I get the point ;-) Dave From Nikolaos.Pavlidis at beds.ac.uk Tue Jan 13 15:45:17 2009
From: Nikolaos.Pavlidis at beds.ac.uk (Nikolaos Pavlidis) Date: Tue Jan 13 15:45:31 2009 Subject: Spam-maked ham to be returned to queue In-Reply-To: <496CB70D0200002700027F55@gwiadom.oes.beds.ac.uk> References: <496CADCB020000880003199F@gwiadom.oes.beds.ac.uk> <496CB70D0200002700027F55@gwiadom.oes.beds.ac.uk> Message-ID: <496CB70D0200002700027F55@gwiadom.oes.beds.ac.uk> Hello all, We have a working Solatis-Mailscanner installation based on sendmail MTA which is still learning... and therefore sending some emails to quarantine when it shouldn't. How is it possible to put the "misunderstood" mails back in the queue to be sent after being identified and sa-learned as ham? Thank you in advance. Regards, Nik -- Nikolaos Pavlidis BSc (Hons) MBCS NCLP System Administrator University Of Bedfordshire Park Square LU1 3JU Luton, Beds, UK Tel: +441582489277 From rlopezcnm at gmail.com Tue Jan 13 16:05:51 2009 From: rlopezcnm at gmail.com (Robert Lopez) Date: Tue Jan 13 16:06:01 2009 Subject: Health update In-Reply-To: <496C807E.9000404@ecs.soton.ac.uk> References: <496C807E.9000404@ecs.soton.ac.uk> Message-ID: I can understand the coping with the change in expectations. Not having to have surgery is good. I hope your doctors are doing the best for you and you have stabilized your health. Best wishes for improved health. -- Robert Lopez Unix Systems Administrator Central New Mexico Community College (CNM) 525 Buena Vista SE Albuquerque, New Mexico 87106 From drew.marshall at technologytiger.net Tue Jan 13 16:12:44 2009
From: drew.marshall at technologytiger.net (Drew Marshall) Date: Tue Jan 13 16:13:01 2009 Subject: Anti-spear-phishing, round 2 In-Reply-To: <496C552B.9040307@ecs.soton.ac.uk> References: <4963D91A.9060304@ecs.soton.ac.uk> <5FC3E08C-6D5F-4AF5-AACE-17623586AD6B@technologytiger.net> <496C552B.9040307@ecs.soton.ac.uk> Message-ID: On 13 Jan 2009, at 08:47, Julian Field wrote: > Upgrade to the latest version, I have fixed this problem already. > > Please confirm that upgrading does indeed fix the problem for you, > but I have just tried your exact rule and it worked just fine for > me, and I have just upgraded to the latest too. > > My guess would be that you have a version before 4.74.8? Guilty as charged! I hadn't realised it was quite that old. Any way, upgraded to the latest and all is happy again. I have also made (Not quite JP style but I can hack code to make it work!) a new FreeBSD Port Makefile for the latest version, which I'll post separately for any one who is interested. Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by Technology Tiger's Mail Launder system Our email policy can be found at www.technologytiger.net/policy Technology Tiger Limited is registered in Scotland with registration number: 310997 Registered Office 55-57 West High Street Inverurie AB51 3QQ From submit at zuka.net Tue Jan 13 16:14:18 2009 From: submit at zuka.net (Dave Filchak) Date: Tue Jan 13 16:14:33 2009 Subject: Thanks again Message-ID: <496CBDDA.6080902@zuka.net> Julian, Thanks for all of your help and good news about not needing surgery. It is NEVER a good experience. All the best. Dave From drew.marshall at technologytiger.net Tue Jan 13 16:21:20 2009 
From: drew.marshall at technologytiger.net (Drew Marshall) Date: Tue Jan 13 16:21:40 2009 Subject: FreeBSD Port Message-ID: <6330FDCA-3423-4881-8E0D-2BAAB0041AB0@technologytiger.net> I have no idea if this is of use to people but I have updated the port files for my own use and thought others might find it useful. It's not to Jan-Peter's standard I'm sure but it seems to function and that's good enough for me! Naturally all the main work is still JP's; I have just done some hacking and tweaking to make this work for the latest version with the new lock files. I'll get in touch with JP and see if he can firstly approve the new files and secondly (If he is happy) organise to commit the changes to the ports tree. In the meantime, just delete your /usr/ports/mail/mailscanner directory and decompress this in its place. cd into it and make as you would normally. Regards Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by Technology Tiger's Mail Launder system Our email policy can be found at www.technologytiger.net/policy Technology Tiger Limited is registered in Scotland with registration number: 310997 Registered Office 55-57 West High Street Inverurie AB51 3QQ -------------- next part -------------- A non-text attachment was scrubbed... Name: mailscanner.tar.gz Type: application/x-gzip Size: 14032 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090113/ce7203c0/mailscanner.tar.gz From traced at xpear.de Tue Jan 13 16:28:37 2009
From: traced at xpear.de (traced) Date: Tue Jan 13 16:28:47 2009 Subject: Health update In-Reply-To: <496C807E.9000404@ecs.soton.ac.uk> References: <496C807E.9000404@ecs.soton.ac.uk> Message-ID: <496CC135.8020602@xpear.de> Julian Field wrote: > Folks, > > Well, I've just got back from the hospital, had another meeting with the > transplant team. > > As of now, I'm suspended on the liver waiting list. > They are going to do another endoscopy in the next 2 or 3 weeks, and > we'll see the outcome of that to see if the varices have gone down at > all which will imply better blood flow through my new portal vein > replacement. > I suspect this will most likely show an improvement. > > If it does, then the original reason for me being on the list will have > gone (well enough). So it will be no longer worth doing what is, in my > case, a very difficult and dangerous procedure. > > So I'm officially suspended from the list at the moment, but not removed. > > As I've spent the past 15 months or so mentally preparing for the > procedure, this is going to take a bit of getting used to. It's going to > take a few days to sink in properly. > > Jules > Best wishes from me, too! Bastian From bamcomp at yahoo.com Tue Jan 13 16:33:04 2009 From: bamcomp at yahoo.com (Brett Moss) Date: Tue Jan 13 16:33:16 2009 Subject: Health update In-Reply-To: <496C807E.9000404@ecs.soton.ac.uk> Message-ID: <163324.71841.qm@web30006.mail.mud.yahoo.com> --- On Tue, 1/13/09, Julian Field wrote:
> From: Julian Field > Subject: Health update > To: "MailScanner discussion" > Date: Tuesday, January 13, 2009, 3:52 AM > Folks, > > Well, I've just got back from the hospital, had another > meeting with the transplant team. > > As of now, I'm suspended on the liver waiting list. > They are going to do another endoscopy in the next 2 or 3 > weeks, and we'll see the outcome of that to see if the > varices have gone down at all which will imply better blood > flow through my new portal vein replacement. > I suspect this will most likely show an improvement. > > If it does, then the original reason for me being on the > list will have gone (well enough). So it will be no longer > worth doing what is, in my case, a very difficult and > dangerous procedure. > > So I'm officially suspended from the list at the > moment, but not removed. > > As I've spent the past 15 months or so mentally > preparing for the procedure, this is going to take a bit of > getting used to. It's going to take a few days to sink > in properly. > > Jules > Jules, All the best for continued improvements on your health. Exhale and relax ;) Brett From mailadmin at midland-ics.ie Tue Jan 13 16:38:53 2009 From: mailadmin at midland-ics.ie (Mail Admin) Date: Tue Jan 13 16:39:12 2009 Subject: Health update In-Reply-To: <496C807E.9000404@ecs.soton.ac.uk> References: <496C807E.9000404@ecs.soton.ac.uk> Message-ID: <00c701c9759d$6c5f4cf0$451de6d0$@ie> All the best from Ireland Jules -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: 13 January 2009 11:53 To: MailScanner discussion Subject: Health update Folks, Well, I've just got back from the hospital, had another meeting with the transplant team. As of now, I'm suspended on the liver waiting list. They are going to do another endoscopy in the next 2 or 3 weeks, and we'll see the outcome of that to see if the varices have gone down at all which will imply better blood flow through my new portal vein replacement. I suspect this will most likely show an improvement. If it does, then the original reason for me being on the list will have gone (well enough). So it will be no longer worth doing what is, in my case, a very difficult and dangerous procedure. So I'm officially suspended from the list at the moment, but not removed. As I've spent the past 15 months or so mentally preparing for the procedure, this is going to take a bit of getting used to. It's going to take a few days to sink in properly. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. This e-mail is intended solely for the addressee(s) and is strictly confidential. 
The unauthorised use, disclosure or copying of this e-mail, or any information it contains is prohibited. If you have received this e-mail in error, please notify us immediately and then permanently delete it. Although Midland Internet & Computer Solutions make every effort to keep our systems free from viruses you should check this e-mail and any attachments to it for viruses as we cannot accept any liability for viruses inadvertently transmitted by use. From MailScanner at ecs.soton.ac.uk Tue Jan 13 17:35:53 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Jan 13 17:36:14 2009 Subject: Spam-maked ham to be returned to queue In-Reply-To: <496CB70D0200002700027F55@gwiadom.oes.beds.ac.uk> References: <496CADCB020000880003199F@gwiadom.oes.beds.ac.uk> <496CB70D0200002700027F55@gwiadom.oes.beds.ac.uk> <496CB70D0200002700027F55@gwiadom.oes.beds.ac.uk> Message-ID: <496CD0F9.5020009@ecs.soton.ac.uk>

If you have "Quarantine Whole Messages As Queue Files = yes" then you can just take the qf+df pair of files from the quarantine directory and drop them straight into /var/spool/mqueue. The next sendmail queue run will deliver them. If you don't want to wait for that, then read the man page for sendmail, the "-q" section, you want to read how to use the "-qI" option in particular.

On 13/1/09 15:45, Nikolaos Pavlidis wrote:
> Hello all,
>
> We have a working Solatis-Mailscanner installation based on sendmail MTA
> which is still learning... and therefore sending some emails to
> quarantine when it shouldn't. How is it possible to put the
> "misunderstood" mails back in the queue to be sent after being
> identified and sa-learned as ham?
> Thank you in advance.
>
> Regards,
>
> Nik
>
>
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From MailScanner at ecs.soton.ac.uk Tue Jan 13 17:39:33 2009
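The release step from Julian Field's message above, as an added example that is not part of the original thread: a shell function that copies one qf/df pair from a quarantine directory into the sendmail queue, refusing incomplete pairs, ids already in the queue, and ids that are not plain letters and digits. The function name, the directory arguments and the alphanumeric-id check are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): release one quarantined message by
# copying its sendmail qf/df pair into the mail queue.
# Assumptions: the operator passes in both directories; the function name
# requeue_pair and the "letters and digits only" id check are this example's.

# requeue_pair SRC_DIR QUEUE_ID QUEUE_DIR
#   0  both files copied
#   1  pair incomplete, or the id is already present in the queue
#   2  queue id is empty or contains anything but letters and digits
requeue_pair() {
    src=$1
    id=$2
    dst=$3

    # The id becomes part of a file name: reject anything that could
    # leave the directory (slashes, dots) before touching the disk.
    case "$id" in
        '' | *[!A-Za-z0-9]*)
            echo "requeue_pair: bad queue id '$id'" >&2
            return 2
            ;;
    esac

    # Both halves must exist, and neither may overwrite a queued message.
    for prefix in qf df; do
        if [ ! -f "$src/$prefix$id" ]; then
            echo "requeue_pair: $src/$prefix$id is missing" >&2
            return 1
        fi
        if [ -e "$dst/$prefix$id" ]; then
            echo "requeue_pair: $dst/$prefix$id already exists" >&2
            return 1
        fi
    done

    # Body (df) first, control file (qf) last, so a queue run that starts
    # in between never finds a control file without its body.
    # -p keeps mode and timestamps (and the owner when run as root).
    cp -p "$src/df$id" "$dst/df$id" || return 1
    cp -p "$src/qf$id" "$dst/qf$id" || { rm -f "$dst/df$id"; return 1; }

    echo "queued $id; to deliver now instead of waiting: sendmail -qI$id"
}

# Demo on constructed files in a scratch directory (no real queue touched).
demo=$(mktemp -d)
mkdir "$demo/quarantine" "$demo/mqueue"
echo "constructed control file" > "$demo/quarantine/qfn0DFjH2k012345"
echo "constructed message body" > "$demo/quarantine/dfn0DFjH2k012345"
requeue_pair "$demo/quarantine" n0DFjH2k012345 "$demo/mqueue"
rm -rf "$demo"
```

Copying rather than moving leaves the quarantined original in place until delivery has been confirmed.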
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Jan 13 17:39:58 2009 Subject: Thanks again In-Reply-To: <496CBDDA.6080902@zuka.net> References: <496CBDDA.6080902@zuka.net> Message-ID: <496CD1D5.6010005@ecs.soton.ac.uk> On 13/1/09 16:14, Dave Filchak wrote: > Julian, > > Thanks for all of your help No problem. Thankyou for helping me track down an awkward little bug :) > and good news about not needing surgery. It is NEVER a good experience. Particularly a procedure where a consultant transplant surgeon (who are the fighter pilots of the surgery world) told me there was no way he would attempt it on me without his boss being there to take charge! The snag is that the other problems that it would have fixed (only having 20% of a liver, protein C deficiency and portal hypertension) will now not get fixed. So I'm staying on the beta-blockers and the fentanyl forever. Such is life. > All the best. Thank you. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Tue Jan 13 17:45:34 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Jan 13 17:45:57 2009 Subject: Anti-spear-phishing, round 2 In-Reply-To: References: <4963D91A.9060304@ecs.soton.ac.uk> <5FC3E08C-6D5F-4AF5-AACE-17623586AD6B@technologytiger.net> <496C552B.9040307@ecs.soton.ac.uk> Message-ID: <496CD33E.60402@ecs.soton.ac.uk> For anyone who is interested in my script, and the background to it, but who is not on this list, please note that I have published it on my personal website at http://www.jules.fm/Logbook/files/anti-spear-phishing.html That includes a link to the latest version of the script. If someone wants to mail me (off-list) a brief guide to how to use the sa-update channel corresponding to the core file grabbed from the google-hosted project, I'll add it to the article. Noting however, that this route doesn't provide you with an easy means of adding addresses to it. Cheers, Jules. On 13/1/09 16:12, Drew Marshall wrote: > On 13 Jan 2009, at 08:47, Julian Field wrote: > >> Upgrade to the latest version, I have fixed this problem already. >> >> Please confirm that upgrading does indeed fix the problem for you, >> but I have just tried your exact rule and it worked just fine for me, >> and I have just upgraded to the latest too. >> >> My guess would be that you have a version before 4.74.8? > > Guilty as charged! I hadn't realised it was quite that old. Any way, > upgraded to the latest and all is happy again. I have also made (Not > quite JP style but I can hack code to make it work!) a new FreeBSD > Port Makefile for the latest version, which I'll post separately for > any one who is interested. 
> > Drew > > -- > In line with our policy, this message has been scanned for viruses and > dangerouscontent by Technology Tiger's Mail Launder system > > Our email policy can be found at www.technologytiger.net/policy > > Technology Tiger Limited is registered in Scotland with registration > number: 310997 > Registered Office 55-57 West High Street Inverurie AB51 3QQ > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mrm at medicine.wisc.edu Tue Jan 13 17:58:28 2009 
From: mrm at medicine.wisc.edu (Michael Masse) Date: Tue Jan 13 17:58:48 2009 Subject: blacklisting local domain? Message-ID: <496C81E1.7CBE.00FC.3@medicine.wisc.edu> Is there any way MailScanner can blacklist email that says it's from my domain, but comes from an IP outside of my ipspace? We force all of our clients to use our specific smtp server. We've been getting hit very hard with these self addressed spams lately and MailScanner has been doing a fantastic job of tagging these as spam, but the problem is that even though our commercial email system accepts spamassassin header tags to put them in the appropriate junk folder automatically, it ignores the headers if it thinks the sender is oneself and then I get complaints about these spams getting through. The real solution is obviously for the commercial vendor to fix this problem and trust spamassassin all the time, but this has been going on for years and they aren't going to change it any time soon, so I'm stuck with getting rid of these messages at the SMTP/Mailscanner stage before they get passed on to the rest of the mail system. I've implemented mailfromd which allows me to automatically reject any email that uses our domain as a sending domain and doesn't come from within our ip space at the SMTP negotiation envelope level and this is blocking 99% of them, but there are a few that are still sneaking through because they use some other domain at the smtp "mail from:" envelope stage which allows them to bypass mailfromd, but then in the data portion of the email they use our domain in the from: address in the header which then confuses our email system into ignoring the spamassassin header tag again. As I said, MailScanner/Spamassassin is properly tagging these emails as spam, but the tags get ignored by an oversight on our mail system. We force all of our clients to use our own smtp server, so there should never be a case of an email with a sender address of our domain coming from outside of our domain. 
Is it possible for MailScanner to blacklist these? -Mike From ssilva at sgvwater.com Tue Jan 13 18:15:21 2009 
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Jan 13 18:15:42 2009 Subject: Health update In-Reply-To: <496C807E.9000404@ecs.soton.ac.uk> References: <496C807E.9000404@ecs.soton.ac.uk> Message-ID: on 1-13-2009 3:52 AM Julian Field spake the following: > Folks, > > Well, I've just got back from the hospital, had another meeting with the > transplant team. > > As of now, I'm suspended on the liver waiting list. > They are going to do another endoscopy in the next 2 or 3 weeks, and > we'll see the outcome of that to see if the varices have gone down at > all which will imply better blood flow through my new portal vein > replacement. > I suspect this will most likely show an improvement. > > If it does, then the original reason for me being on the list will have > gone (well enough). So it will be no longer worth doing what is, in my > case, a very difficult and dangerous procedure. > > So I'm officially suspended from the list at the moment, but not removed. > > As I've spent the past 15 months or so mentally preparing for the > procedure, this is going to take a bit of getting used to. It's going to > take a few days to sink in properly. > > Jules > If your liver is recovering on its own, then that is GREAT news! Transplants are less than ideal, and the anti-rejection drugs are somewhat hard on the rest of your system. If your body is starting to heal itself, then you are a very lucky man. All my best, and keep doing what you have been doing to stay healthy. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 258 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090113/5035f4ff/signature.bin From jkf at ecs.soton.ac.uk Tue Jan 13 18:16:58 2009 
From: jkf at ecs.soton.ac.uk (Julian Field) Date: Tue Jan 13 18:17:21 2009 Subject: blacklisting local domain? In-Reply-To: <496C81E1.7CBE.00FC.3@medicine.wisc.edu> References: <496C81E1.7CBE.00FC.3@medicine.wisc.edu> Message-ID: <496CDA9A.9080101@ecs.soton.ac.uk> MailScanner itself always uses the envelope sender address, and not the From: address which is what you are looking to check. So you would have to do it with a SpamAssassin rule, as that is the only thing which can be told to look at the From: address. So you want to check for mail which doesn't come from your IP space but does contain your domain in the From: header. I haven't got an instant solution to that, but can you confirm that I have summarised the problem correctly? Could we do it with a SpamAssassin Rule Actions ruleset, and an SA rule which looks for your domain appearing in From: ? SpamAssassin Rule Actions = %rules-dir%/sa.rule.actions.rules sa.rule.actions.rules contains From: 152.78.71 NON_EXISTENT_RULE=>deliver FromOrTo: default MY_DOMAIN_IN_FROM=>not-deliver,store spam.assassin.rules.conf contains an addition header MY_DOMAIN_IN_FROM From =~ /\@mydomain.com$/i score MY_DOMAIN_IN_FROM 0.1 describe MY_DOMAIN_IN_FROM My domain name appears in the 
From: header The SA rule "NON_EXISTENT_RULE" does not exist, it just needs to be in the sa.rule.actions.rules file as a dummy. The sa.rule.actions.rules file says If it's from my network (152.78.71 in this example) then we don't do anything special (the rule name does not exist so can never fire so the "deliver" action will never be executed here). On 13/1/09 17:58, Michael Masse wrote: > Is there any way MailScanner can blacklist email that says it's from my domain, but comes from an IP outside of my ipspace? We force all of our clients to use our specific smtp server. > > We've been getting hit very hard with these self addressed spams lately and MailScanner has been doing a fantastic job of tagging these as spam, but the problem is that even though our commercial email system accepts spamassassin header tags to put them in the appropriate junk folder automatically, it ignores the headers if it thinks the sender is oneself and then I get complaints about these spams getting through. > > The real solution is obviously for the commercial vendor to fix this problem and trust spamassassin all the time, but this has been going on for years and they aren't going to change it any time soon, so I'm stuck with getting rid of these messages at the SMTP/Mailscanner stage before they get passed on to the rest of the mail system. I've implemented mailfromd which allows me to automatically reject any email that uses our domain as a sending domain and doesn't come from within our ip space at the SMTP negotiation envelope level and this is blocking 99% of them, but there are a few that are still sneaking through because they use some other domain at the smtp "mail from:" envelope stage which allows them to bypass mailfromd, but then in the data portion of the email they use our domain in the from: address in the header which then confuses our email system into ignoring the spamassassin header tag again. 
> > As I said, MailScanner/Spamassassin is properly tagging these emails as spam, but the tags get ignored by an oversight on our mail system. We force all of our clients to use our own smtp server, so there should never be a case of an email with a sender address of our domain coming from outside of our domain. Is it possible for MailScanner to blacklist these? > > -Mike > > Jules -- Julian Field MEng MBCS CITP CEng jkf@ecs.soton.ac.uk Teaching Systems Manager Electronics& Computer Science University of Southampton SO17 1BJ, UK PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From alex at rtpty.com Tue Jan 13 18:18:38 2009 From: alex at rtpty.com (Alex Neuman van der Hans) Date: Tue Jan 13 18:18:52 2009 Subject: blacklisting local domain? In-Reply-To: <496C81E1.7CBE.00FC.3@medicine.wisc.edu> References: <496C81E1.7CBE.00FC.3@medicine.wisc.edu> Message-ID: <1D1D7E30-6B13-4067-8BF8-EEB6ED306D18@rtpty.com> It is, but it's better to do at the MTA stage with SPF and mta rules than it is to do it at mailscanner. Otherwise you'd have to do something like: From: *@yourdomain.com and From: 1.2.3.4 no From: *@yourdomain.com and From: 2.3.4.5 no From: *@yourdomain.com and From: 127.0.0.1 no 
From: *@yourdomain.com yes in your spam.blacklists.rules file. I guess. On Jan 13, 2009, at 12:58 PM, Michael Masse wrote: > Is there any way MailScanner can blacklist email that says it's from > my domain, but comes from an IP outside of my ipspace? We force > all of our clients to use our specific smtp server. > > We've been getting hit very hard with these self addressed spams > lately and MailScanner has been doing a fantastic job of tagging > these as spam, but the problem is that even though our commercial > email system accepts spamassassin header tags to put them in the > appropriate junk folder automatically, it ignores the headers if it > thinks the sender is oneself and then I get complaints about these > spams getting through. > > The real solution is obviously for the commercial vendor to fix this > problem and trust spamassassin all the time, but this has been going > on for years and they aren't going to change it any time soon, so > I'm stuck with getting rid of these messages at the SMTP/Mailscanner > stage before they get passed on to the rest of the mail system. > I've implemented mailfromd which allows me to automatically reject > any email that uses our domain as a sending domain and doesn't come > from within our ip space at the SMTP negotiation envelope level and > this is blocking 99% of them, but there are a few that are still > sneaking through because they use some other domain at the smtp > "mail from:" envelope stage which allows them to bypass mailfromd, > but then in the data portion of the email they use our domain in > the from: address in the header which then confuses our email > system into ignoring the spamassassin header tag again. > > As I said, MailScanner/Spamassassin is properly tagging these emails > as spam, but the tags get ignored by an oversight on our mail > system. 
We force all of our clients to use our own smtp server, so > there should never be a case of an email with a sender address of > our domain coming from outside of our domain. Is it possible for > MailScanner to blacklist these? > > -Mike > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From Kevin_Miller at ci.juneau.ak.us Tue Jan 13 18:19:46 2009 From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Tue Jan 13 18:19:57 2009 Subject: blacklisting local domain? In-Reply-To: <496C81E1.7CBE.00FC.3@medicine.wisc.edu> References: <496C81E1.7CBE.00FC.3@medicine.wisc.edu> Message-ID: Publish SPF records. See http://www.openspf.org/ Should help a bunch... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Michael Masse Sent: Tuesday, January 13, 2009 8:58 AM To: References: <496C81E1.7CBE.00FC.3@medicine.wisc.edu> Message-ID: <496CDB6A.2070504@ecs.soton.ac.uk> Oops, sorry, just thumped "send" by mistake. Take 2: MailScanner itself always uses the envelope sender address, and not the From: address which is what you are looking to check. So you would have to do it with a SpamAssassin rule, as that is the only thing which can be told to look at the From: address. So you want to check for mail which doesn't come from your IP space but does contain your domain in the 
From: header.

I haven't got an instant solution to that, but can you confirm that I have summarised the problem correctly?

Could we do it with a SpamAssassin Rule Actions ruleset, and an SA rule which looks for your domain appearing in From: ?

SpamAssassin Rule Actions = %rules-dir%/sa.rule.actions.rules

sa.rule.actions.rules contains
From: 152.78.71 NON_EXISTENT_RULE=>deliver
FromOrTo: default MY_DOMAIN_IN_FROM=>not-deliver,store

spam.assassin.rules.conf contains an addition
header MY_DOMAIN_IN_FROM From =~ /\@mydomain.com$/i
score MY_DOMAIN_IN_FROM 0.01
describe MY_DOMAIN_IN_FROM My domain name appears in the From: header

The SA rule "NON_EXISTENT_RULE" does not exist, it just needs to be in the sa.rule.actions.rules file as a dummy.

The sa.rule.actions.rules file says
If it's from my network (152.78.71 in this example) then we don't do anything special (the rule name does not exist so can never fire so the "deliver" action will never be executed here).
If it's from anywhere else, and my domain name (mydomain.com in this example) appears in the
From: header, then store a copy and don't deliver it to its original recipients.

The score of 0.01 is just some very small number as you don't actually want to greatly affect the spam score, but you do want the rule to be checked so it can't be zero. -0.01 might have been a better choice.

I think that should work.

You can do almost anything with SpamAssassin Rule Actions and a bit of lateral thinking :-)

Jules.

On 13/1/09 17:58, Michael Masse wrote:
> Is there any way MailScanner can blacklist email that says it's from my domain, but comes from an IP outside of my ipspace? We force all of our clients to use our specific smtp server.
>
> We've been getting hit very hard with these self addressed spams lately and MailScanner has been doing a fantastic job of tagging these as spam, but the problem is that even though our commercial email system accepts spamassassin header tags to put them in the appropriate junk folder automatically, it ignores the headers if it thinks the sender is oneself and then I get complaints about these spams getting through.
>
> The real solution is obviously for the commercial vendor to fix this problem and trust spamassassin all the time, but this has been going on for years and they aren't going to change it any time soon, so I'm stuck with getting rid of these messages at the SMTP/Mailscanner stage before they get passed on to the rest of the mail system. I've implemented mailfromd which allows me to automatically reject any email that uses our domain as a sending domain and doesn't come from within our ip space at the SMTP negotiation envelope level and this is blocking 99% of them, but there are a few that are still sneaking through because they use some other domain at the smtp "mail from:" envelope stage which allows them to bypass mailfromd, but then in the data portion of the email they use our domain in the from: address in the header which then confuses our email system into ignoring the spamassassin header tag again.
>
> As I said, MailScanner/Spamassassin is properly tagging these emails as spam, but the tags get ignored by an oversight on our mail system. We force all of our clients to use our own smtp server, so there should never be a case of an email with a sender address of our domain coming from outside of our domain. Is it possible for MailScanner to blacklist these?
>
> -Mike
>
>

Jules

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From MailScanner at ecs.soton.ac.uk Tue Jan 13 18:22:29 2009
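The check discussed in the message above, as an added Python example that is not part of the original post and is not MailScanner or SpamAssassin code: it separates the envelope-sender test from the From: header test, and shows that an end-anchored pattern run against the whole header value does not fire when the header carries a display name. The network prefix, domain and action names are the thread's example values; the sample messages, the 203.0.113.5 address and the `reject-at-smtp` label are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import getaddresses

# Example values used in the thread; replace with the site's own.
TRUSTED_NET = ipaddress.ip_network("152.78.71.0/24")  # the "152.78.71" prefix
MY_DOMAIN = "mydomain.com"

# The thread's pattern, run here against the complete From: header value.
THREAD_PATTERN = re.compile(r"\@mydomain.com$", re.IGNORECASE)


def from_header_values(raw_message):
    """Return every From: header value exactly as it appears in the message."""
    return message_from_string(raw_message).get_all("From", [])


def header_from_domains(raw_message):
    """Return the lower-cased domain of each address in the From: header(s)."""
    domains = []
    for _display_name, addr in getaddresses(from_header_values(raw_message)):
        if "@" in addr:
            domains.append(addr.rsplit("@", 1)[1].rstrip(".").lower())
    return domains


def thread_pattern_fires(raw_message):
    """True if the end-anchored pattern matches a whole From: header value."""
    return any(THREAD_PATTERN.search(v) for v in from_header_values(raw_message))


def decide(client_ip, envelope_sender, raw_message):
    """Apply the policy from the thread and return the resulting action.

    "deliver" and "not-deliver,store" are the action names quoted in the
    thread; "reject-at-smtp" is a label made up here for the envelope-level
    rejection that the poster already performs before MailScanner runs.
    """
    if ipaddress.ip_address(client_ip) in TRUSTED_NET:
        return "deliver"  # own network: nothing special happens
    envelope_domain = envelope_sender.strip("<>").rsplit("@", 1)[-1].lower()
    if envelope_domain == MY_DOMAIN:
        return "reject-at-smtp"  # envelope claims our domain from outside
    if MY_DOMAIN in header_from_domains(raw_message):
        return "not-deliver,store"  # envelope was clean, header claims us
    return "deliver"


def make_message(from_value):
    """Build a constructed sample message with the given From: header value."""
    return (
        f"From: {from_value}\n"
        "To: staff@mydomain.com\n"
        "Subject: constructed sample\n"
        "\n"
        "body\n"
    )


# Constructed samples: (client IP, envelope sender, message text).
SAMPLES = {
    "internal": ("152.78.71.10", "mike@mydomain.com",
                 make_message("Mike <mike@mydomain.com>")),
    "envelope-claims-us": ("203.0.113.5", "mike@mydomain.com",
                           make_message("mike@mydomain.com")),
    "header-claims-us": ("203.0.113.5", "bounce@example.net",
                         make_message("Mike <mike@mydomain.com>")),
    "header-claims-us-bare": ("203.0.113.5", "bounce@example.net",
                              make_message("mike@mydomain.com")),
    "ordinary": ("203.0.113.5", "news@example.net",
                 make_message("News <news@example.net>")),
}


def run_samples():
    """Return {sample name: (action, whether the raw pattern fired)}."""
    return {
        name: (decide(ip, sender, msg), thread_pattern_fires(msg))
        for name, (ip, sender, msg) in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (action, fired) in run_samples().items():
        print(f"{name:24} action={action:18} raw-pattern-fired={fired}")
```

In SpamAssassin itself, the `From:addr` header selector yields just the address part, which is what an end-anchored pattern needs when a display name is present.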
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Jan 13 18:22:48 2009 Subject: Health update In-Reply-To: References: <496C807E.9000404@ecs.soton.ac.uk> Message-ID: <496CDBE5.8040609@ecs.soton.ac.uk> On 13/1/09 18:15, Scott Silva wrote: > on 1-13-2009 3:52 AM Julian Field spake the following: > >> Folks, >> >> Well, I've just got back from the hospital, had another meeting with the >> transplant team. >> >> As of now, I'm suspended on the liver waiting list. >> They are going to do another endoscopy in the next 2 or 3 weeks, and >> we'll see the outcome of that to see if the varices have gone down at >> all which will imply better blood flow through my new portal vein >> replacement. >> I suspect this will most likely show an improvement. >> >> If it does, then the original reason for me being on the list will have >> gone (well enough). So it will be no longer worth doing what is, in my >> case, a very difficult and dangerous procedure. >> >> So I'm officially suspended from the list at the moment, but not removed. >> >> As I've spent the past 15 months or so mentally preparing for the >> procedure, this is going to take a bit of getting used to. It's going to >> take a few days to sink in properly. >> >> Jules >> >> > If your liver is recovering on its own, then that is GREAT news! > It's not, but I am quite possibly slowly growing a replacement for my portal vein. > Transplants are less than ideal, and the anti-rejection drugs are somewhat > hard on the rest of your system. If your body is starting to heal itself, then > you are a very lucky man. > Indeed! > All my best, and keep doing what you have been doing to stay healthy. > Err... living on a diet mostly comprised of narcotics, ice cream and wine :-) (in varying quantities!) Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From steve at fsl.com Tue Jan 13 18:33:18 2009 
From: steve at fsl.com (Stephen Swaney) Date: Tue Jan 13 18:33:30 2009 Subject: blacklisting local domain? In-Reply-To: <496C81E1.7CBE.00FC.3@medicine.wisc.edu> References: <496C81E1.7CBE.00FC.3@medicine.wisc.edu> Message-ID: <496CDE6E.4070803@fsl.com> Michael Masse wrote: > Is there any way MailScanner can blacklist email that says it's from my domain, but comes from an IP outside of my ipspace? We force all of our clients to use our specific smtp server. > > We've been getting hit very hard with these self addressed spams lately and MailScanner has been doing a fantastic job of tagging these as spam, but the problem is that even though our commercial email system accepts spamassassin header tags to put them in the appropriate junk folder automatically, it ignores the headers if it thinks the sender is oneself and then I get complaints about these spams getting through. > > The real solution is obviously for the commercial vendor to fix this problem and trust spamassassin all the time, but this has been going on for years and they aren't going to change it any time soon, so I'm stuck with getting rid of these messages at the SMTP/Mailscanner stage before they get passed on to the rest of the mail system. I've implemented mailfromd which allows me to automatically reject any email that uses our domain as a sending domain and doesn't come from within our ip space at the SMTP negotiation envelope level and this is blocking 99% of them, but there are a few that are still sneaking through because they use some other domain at the smtp "mail from:" envelope stage which allows them to bypass mailfromd, but then in the data portion of the email they use our domain in the from: address in the header which then confuses our email system into ignoring the spamassassin header tag again. > > As I said, MailScanner/Spamassassin is properly tagging these emails as spam, but the tags get ignored by an oversight on our mail system. 
We force all of our clients to use our own smtp server, so there should never be a case of an email with a sender address of our domain coming from outside of our domain. Is it possible for MailScanner to blacklist these? > > -Mike > >

Mike,

Please check the archives before posting. This question has been asked and answered about once a week for the last year.

The answer is that any domain which doesn't publish SPF records is run by [insert your own word for dunces here]. And any financial services site that doesn't publish SPF records should have their business licenses revoked! And any site that doesn't check for the existence of an SPF record and reject if the sending server is not in an existing SPF record gets all the spam they deserve.

Sorry for the rant but I'm getting tired of telling clients to use SPF records and listening to silly excuses for not doing so. Maybe they cost too much :)

Steve

Steve Swaney steve@fsl.com www.fsl.com

From ssilva at sgvwater.com Tue Jan 13 18:51:06 2009
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Jan 13 18:51:23 2009 Subject: Thanks again In-Reply-To: <496CD1D5.6010005@ecs.soton.ac.uk> References: <496CBDDA.6080902@zuka.net> <496CD1D5.6010005@ecs.soton.ac.uk> Message-ID: on 1-13-2009 9:39 AM Julian Field spake the following: > > > On 13/1/09 16:14, Dave Filchak wrote: >> Julian, >> >> Thanks for all of your help > No problem. Thankyou for helping me track down an awkward little bug :) >> and good news about not needing surgery. It is NEVER a good experience. > Particularly a procedure where a consultant transplant surgeon (who are > the fighter pilots of the surgery world) told me there was no way he > would attempt it on me without his boss being there to take charge! > > The snag is that the other problems that it would have fixed (only > having 20% of a liver, protein C deficiency and portal hypertension) > will now not get fixed. So I'm staying on the beta-blockers and the > fentanyl forever. > > Such is life. >> All the best. > Thank you. > > Jules > Sorry Julian, Your other post seemed to imply not getting the liver was a "good" thing. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 258 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090113/6d4a3bf8/signature.bin From bbdokken at dokkenengineering.com Tue Jan 13 19:03:46 2009 From: bbdokken at dokkenengineering.com (Brad Dokken) Date: Tue Jan 13 19:04:06 2009 Subject: Health update In-Reply-To: <496C807E.9000404@ecs.soton.ac.uk> References: <496C807E.9000404@ecs.soton.ac.uk> Message-ID: > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Julian Field > Sent: Tuesday, January 13, 2009 3:52 AM > To: MailScanner discussion > Subject: Health update > > Folks, > > Well, I've just got back from the hospital, had another > meeting with the > transplant team. > > As of now, I'm suspended on the liver waiting list. > They are going to do another endoscopy in the next 2 or 3 weeks, and > we'll see the outcome of that to see if the varices have gone down at > all which will imply better blood flow through my new portal vein > replacement. > I suspect this will most likely show an improvement. > > If it does, then the original reason for me being on the list > will have > gone (well enough). So it will be no longer worth doing what > is, in my > case, a very difficult and dangerous procedure. > > So I'm officially suspended from the list at the moment, but > not removed. > > As I've spent the past 15 months or so mentally preparing for the > procedure, this is going to take a bit of getting used to. > It's going to > take a few days to sink in properly. > > Jules > Hard to tell from the tone of the email, but that's good news right? We'll keep hoping and praying for you Julian! Brad From Denis.Beauchemin at USherbrooke.ca Tue Jan 13 19:06:55 2009 From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Tue Jan 13 19:07:16 2009 Subject: blacklisting local domain? In-Reply-To: <496CDB6A.2070504@ecs.soton.ac.uk> References: <496C81E1.7CBE.00FC.3@medicine.wisc.edu> <496CDB6A.2070504@ecs.soton.ac.uk> Message-ID: <496CE64F.70301@USherbrooke.ca> Julian Field wrote: > Oops, sorry, just thumped "send" by mistake. > Take 2: > > MailScanner itself always uses the envelope sender address, and not > the From: address which is what you are looking to check. > So you would have to do it with a SpamAssassin rule, as that is the > only thing which can be told to look at the
From: address. > > So you want to check for mail which doesn't come from your IP space > but does contain your domain in the From: header. > > I haven't got an instant solution to that, but can you confirm that I > have summarised the problem correctly? > > Could we do it with a SpamAssassin Rule Actions ruleset, and an SA > rule which looks for your domain appearing in From: ? > > SpamAssassin Rule Actions = %rules-dir%/sa.rule.actions.rules > > sa.rule.actions.rules contains > From: 152.78.71 NON_EXISTENT_RULE=>deliver > FromOrTo: default MY_DOMAIN_IN_FROM=>not-deliver,store > > spam.assassin.rules.conf contains an addition > header MY_DOMAIN_IN_FROM From =~ /\@mydomain.com$/i > score MY_DOMAIN_IN_FROM 0.01 > describe MY_DOMAIN_IN_FROM My domain name appears in the From: header > > The SA rule "NON_EXISTENT_RULE" does not exist, it just needs to be in > the sa.rule.actions.rules file as a dummy. > > The sa.rule.actions.rules file says > If it's from my network (152.78.71 in this example) then we don't do > anything special (the rule name does not exist so can never fire so > the "deliver" action will never be executed here). > If it's from anywhere else, and my domain name (mydomain.com in this > example) appears in the 
From: header, then store a copy and don't > deliver it to its original recipients. > > The score of 0.01 is just some very small number as you don't actually > want to greatly affect the spam score, but you do want the rule to be > checked so it can't be zero. -0.01 might have been a better choice. > > I think that should work. > > You can do almost anything with SpamAssassin Rule Actions and a bit of > lateral thinking :-) > > Jules. > > > On 13/1/09 17:58, Michael Masse wrote: >> Is there any way MailScanner can blacklist email that says it's from >> my domain, but comes from an IP outside of my ipspace? We force all >> of our clients to use our specific smtp server. >> >> We've been getting hit very hard with these self addressed spams >> lately and MailScanner has been doing a fantastic job of tagging these >> as spam, but the problem is that even though our commercial email >> system accepts spamassassin header tags to put them in the >> appropriate junk folder automatically, it ignores the headers if it >> thinks the sender is oneself and then I get complaints about these >> spams getting through. >> >> The real solution is obviously for the commercial vendor to fix this >> problem and trust spamassassin all the time, but this has been going >> on for years and they aren't going to change it any time soon, so I'm >> stuck with getting rid of these messages at the SMTP/Mailscanner >> stage before they get passed on to the rest of the mail system. 
>> I've implemented mailfromd which allows me to automatically reject >> any email that uses our domain as a sending domain and doesn't come >> from within our ip space at the SMTP negotiation envelope level and >> this is blocking 99% of them, but there are a few that are still >> sneaking through because they use some other domain at the smtp "mail >> from:" envelope stage which allows them to bypass mailfromd, but then >> in the data portion of the email they use our domain in the from: >> address in the header which then confuses our email system into >> ignoring the spamassassin header tag again. >> >> As I said, MailScanner/Spamassassin is properly tagging these emails >> as spam, but the tags get ignored by an oversight on our mail system. >> We force all of our clients to use our own smtp server, so there >> should never be a case of an email with a sender address of our domain >> coming from outside of our domain. Is it possible for MailScanner >> to blacklist these? >> >> -Mike >> >> > > Jules > > Jules > Julian, What would happen if someone sent an email with a From: from my domain using their home ISP smtp server? Would that be blocked by your example? Denis -- _ °v° Denis Beauchemin, analyst /(_)\ Université de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045 From MailScanner at ecs.soton.ac.uk Tue Jan 13 19:15:32 2009 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Jan 13 19:15:53 2009 Subject: blacklisting local domain? In-Reply-To: <1D1D7E30-6B13-4067-8BF8-EEB6ED306D18@rtpty.com> References: <496C81E1.7CBE.00FC.3@medicine.wisc.edu> <1D1D7E30-6B13-4067-8BF8-EEB6ED306D18@rtpty.com> Message-ID: <496CE854.3050802@ecs.soton.ac.uk> On 13/1/09 18:18, Alex Neuman van der Hans wrote: > It is, but it's better to do at the MTA stage with SPF and mta rules > than it is to do it at mailscanner. > > Otherwise you'd have to do something like: > > From: *@yourdomain.com and From: 1.2.3.4 no > From: *@yourdomain.com and From: 2.3.4.5 no 
> From: *@yourdomain.com and From: 127.0.0.1 no > From: *@yourdomain.com yes > > in your spam.blacklists.rules file. I guess. That won't work as it will check the envelope sender, he wanted to check the 
From: header. Nice try though :-) Jules. > > > On Jan 13, 2009, at 12:58 PM, Michael Masse wrote: > >> Is there any way MailScanner can blacklist email that says it's from >> my domain, but comes from an IP outside of my ipspace? We force all >> of our clients to use our specific smtp server. >> >> We've been getting hit very hard with these self addressed spams >> lately and MailScanner has been doing a fantastic job of tagging >> these as spam, but the problem is that even though our commercial >> email system accepts spamassassin header tags to put them in the >> appropriate junk folder automatically, it ignores the headers if it >> thinks the sender is oneself and then I get complaints about these >> spams getting through. >> >> The real solution is obviously for the commercial vendor to fix this >> problem and trust spamassassin all the time, but this has been going >> on for years and they aren't going to change it any time soon, so I'm >> stuck with getting rid of these messages at the SMTP/Mailscanner >> stage before they get passed on to the rest of the mail system. >> I've implemented mailfromd which allows me to automatically reject >> any email that uses our domain as a sending domain and doesn't come >> from within our ip space at the SMTP negotiation envelope level and >> this is blocking 99% of them, but there are a few that are still >> sneaking through because they use some other domain at the smtp "mail >> from:" envelope stage which allows them to bypass mailfromd, but then >> in the data portion of the email they use our domain in the from: >> address in the header which then confuses our email system into >> ignoring the spamassassin header tag again. >> >> As I said, MailScanner/Spamassassin is properly tagging these emails >> as spam, but the tags get ignored by an oversight on our mail >> system. 
We force all of our clients to use our own smtp server, so
>> there should never be a case of an email with a sender address of our
>> domain coming from outside of our domain. Is it possible for
>> MailScanner to blacklist these?
>>
>> -Mike
>>
>> --
>> MailScanner mailing list
>> mailscanner@lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From MailScanner at ecs.soton.ac.uk Tue Jan 13 19:16:47 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Jan 13 19:17:09 2009
Subject: Health update
In-Reply-To:
References: <496C807E.9000404@ecs.soton.ac.uk>
Message-ID: <496CE89F.2020803@ecs.soton.ac.uk>

On 13/1/09 19:03, Brad Dokken wrote:
>
>
>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
>> Of Julian Field
>> Sent: Tuesday, January 13, 2009 3:52 AM
>> To: MailScanner discussion
>> Subject: Health update
>>
>> Folks,
>>
>> Well, I've just got back from the hospital, had another
>> meeting with the
>> transplant team.
>>
>> As of now, I'm suspended on the liver waiting list.
>> They are going to do another endoscopy in the next 2 or 3 weeks, and
>> we'll see the outcome of that to see if the varices have gone down at
>> all which will imply better blood flow through my new portal vein
>> replacement.
>> I suspect this will most likely show an improvement.
>>
>> If it does, then the original reason for me being on the list
>> will have
>> gone (well enough). So it will be no longer worth doing what
>> is, in my
>> case, a very difficult and dangerous procedure.
>>
>> So I'm officially suspended from the list at the moment, but
>> not removed.
>>
>> As I've spent the past 15 months or so mentally preparing for the
>> procedure, this is going to take a bit of getting used to.
>> It's going to
>> take a few days to sink in properly.
>>
>> Jules
>>
>>
>
> Hard to tell from the tone of the email, but that's good news right?
>
Mixture. See my post from 18:22.
> We'll keep hoping and praying for you Julian!
>
Thanks.
> Brad
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From MailScanner at ecs.soton.ac.uk Tue Jan 13 19:19:47 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Jan 13 19:20:12 2009
Subject: blacklisting local domain?
In-Reply-To: <496CE64F.70301@USherbrooke.ca>
References: <496C81E1.7CBE.00FC.3@medicine.wisc.edu> <496CDB6A.2070504@ecs.soton.ac.uk> <496CE64F.70301@USherbrooke.ca>
Message-ID: <496CE953.7070507@ecs.soton.ac.uk>

On 13/1/09 19:06, Denis Beauchemin wrote:
> Julian Field wrote:
>> Oops, sorry, just thumped "send" by mistake.
>> Take 2:
>>
>> MailScanner itself always uses the envelope sender address, and not
>> the From: address which is what you are looking to check.
>> So you would have to do it with a SpamAssassin rule, as that is the
>> only thing which can be told to look at the From: address.
>>
>> So you want to check for mail which doesn't come from your IP space
>> but does contain your domain in the From: header.
>>
>> I haven't got an instant solution to that, but can you confirm that I
>> have summarised the problem correctly?
>>
>> Could we do it with a SpamAssassin Rule Actions ruleset, and an SA
>> rule which looks for your domain appearing in From: ?
>>
>> SpamAssassin Rule Actions = %rules-dir%/sa.rule.actions.rules
>>
>> sa.rule.actions.rules contains
>> From: 152.78.71 NON_EXISTENT_RULE=>deliver
>> FromOrTo: default MY_DOMAIN_IN_FROM=>not-deliver,store
>>
>> spam.assassin.rules.conf contains an addition
>> header MY_DOMAIN_IN_FROM From =~ /\@mydomain.com$/i
>> score MY_DOMAIN_IN_FROM 0.01
>> describe MY_DOMAIN_IN_FROM My domain name appears in the From: header
>>
>> The SA rule "NON_EXISTENT_RULE" does not exist, it just needs to be
>> in the sa.rule.actions.rules file as a dummy.
>>
>> The sa.rule.actions.rules file says
>> If it's from my network (152.78.71 in this example) then we don't do
>> anything special (the rule name does not exist so can never fire so
>> the "deliver" action will never be executed here).
>> If it's from anywhere else, and my domain name (mydomain.com in this
>> example) appears in the
From: header, then store a copy and don't
>> deliver it to its original recipients.
>>
>> The score of 0.01 is just some very small number as you don't
>> actually want to greatly affect the spam score, but you do want the
>> rule to be checked so it can't be zero. -0.01 might have been a
>> better choice.
>>
>> I think that should work.
>>
>> You can do almost anything with SpamAssassin Rule Actions and a bit
>> of lateral thinking :-)
>>
>> Jules.
>>
>>
>> On 13/1/09 17:58, Michael Masse wrote:
>>> Is there any way MailScanner can blacklist email that says it's from
>>> mydomain, but comes from an IP outside of my ipspace? We force all
>>> of our clients to use our specific smtp server.
>>>
>>> We've been getting hit very hard with these self addressed spams
>>> lately and MailScanner has been doing a fantastic job of tagging
>>> these as spam, but the problem is that even though our commercial
>>> email system accepts spamassassin header tags to put them in the
>>> appropriate junk folder automatically, it ignores the headers if it
>>> thinks the sender is oneself and then I get complaints about these
>>> spams getting through.
>>>
>>> The real solution is obviously for the commercial vendor to fix this
>>> problem and trust spamassassin all the time, but this has been going
>>> on for years and they aren't going to change it any time soon, so I'm
>>> stuck with getting rid of these messages at the SMTP/Mailscanner
>>> stage before they get passed on to the rest of the mail system.
>>> I've implemented mailfromd which allows me to automatically reject
>>> any email that uses our domain as a sending domain and doesn't come
>>> from within our ip space at the SMTP negotiation envelope level and
>>> this is blocking 99% of them, but there are a few that are still
>>> sneaking through because they use some other domain at the smtp
>>> "mail from:" envelope stage which allows them to bypass mailfromd,
>>> but then in the data portion of the email they use our domain in
>>> the from: address in the header which then confuses our email
>>> system into ignoring the spamassassin header tag again.
>>>
>>> As I said, MailScanner/Spamassassin is properly tagging these emails
>>> as spam, but the tags get ignored by an oversight on our mail
>>> system. We force all of our clients to use our own smtp server, so
>>> there should never be a case of an email with a sender address of our
>>> domain coming from outside of our domain. Is it possible for
>>> MailScanner to blacklist these?
>>>
>>> -Mike
>>>
>>>
>>
>> Jules
>>
>> Jules
>>
>
> Julian,
>
> What would happen if someone sent an email with a
From: from my domain
> using their home ISP smtp server? Would that be blocked by your example?

Yes. But that was what the original request wanted to do, at least as I
read it. The same block would happen if you published an SPF record
saying that mail from mydomain.com could only come from 152.78.71 (in my
example).

This is why I publish an SPF record that says "anything goes" for my own
domain at work. SPF doesn't help me at all, for mail coming from my
domain.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From Denis.Beauchemin at USherbrooke.ca Tue Jan 13 19:40:17 2009
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Tue Jan 13 19:40:38 2009
Subject: blacklisting local domain?
In-Reply-To: <496CE953.7070507@ecs.soton.ac.uk>
References: <496C81E1.7CBE.00FC.3@medicine.wisc.edu> <496CDB6A.2070504@ecs.soton.ac.uk> <496CE64F.70301@USherbrooke.ca> <496CE953.7070507@ecs.soton.ac.uk>
Message-ID: <496CEE21.90609@USherbrooke.ca>

Julian Field wrote:
>
>
> On 13/1/09 19:06, Denis Beauchemin wrote:
>> Julian Field wrote:
>>> Oops, sorry, just thumped "send" by mistake.
>>> Take 2:
>>>
>>> MailScanner itself always uses the envelope sender address, and not
>>> the From: address which is what you are looking to check.
>>> So you would have to do it with a SpamAssassin rule, as that is the
>>> only thing which can be told to look at the From: address.
>>>
>>> So you want to check for mail which doesn't come from your IP space
>>> but does contain your domain in the
From: header.
>>>
>>> I haven't got an instant solution to that, but can you confirm that
>>> I have summarised the problem correctly?
>>>
>>> Could we do it with a SpamAssassin Rule Actions ruleset, and an SA
>>> rule which looks for your domain appearing in From: ?
>>>
>>> SpamAssassin Rule Actions = %rules-dir%/sa.rule.actions.rules
>>>
>>> sa.rule.actions.rules contains
>>> From: 152.78.71 NON_EXISTENT_RULE=>deliver
>>> FromOrTo: default MY_DOMAIN_IN_FROM=>not-deliver,store
>>>
>>> spam.assassin.rules.conf contains an addition
>>> header MY_DOMAIN_IN_FROM From =~ /\@mydomain.com$/i
>>> score MY_DOMAIN_IN_FROM 0.01
>>> describe MY_DOMAIN_IN_FROM My domain name appears in the From: header
>>>
>>> The SA rule "NON_EXISTENT_RULE" does not exist, it just needs to be
>>> in the sa.rule.actions.rules file as a dummy.
>>>
>>> The sa.rule.actions.rules file says
>>> If it's from my network (152.78.71 in this example) then we don't do
>>> anything special (the rule name does not exist so can never fire so
>>> the "deliver" action will never be executed here).
>>> If it's from anywhere else, and my domain name (mydomain.com in this
>>> example) appears in the
From: header, then store a copy and don't
>>> deliver it to its original recipients.
>>>
>>> The score of 0.01 is just some very small number as you don't
>>> actually want to greatly affect the spam score, but you do want the
>>> rule to be checked so it can't be zero. -0.01 might have been a
>>> better choice.
>>>
>>> I think that should work.
>>>
>>> You can do almost anything with SpamAssassin Rule Actions and a bit
>>> of lateral thinking :-)
>>>
>>> Jules.
>>>
>>>
>>> On 13/1/09 17:58, Michael Masse wrote:
>>>> Is there any way MailScanner can blacklist email that says it's
>>>> from mydomain, but comes from an IP outside of my ipspace? We
>>>> force all of our clients to use our specific smtp server.
>>>>
>>>> We've been getting hit very hard with these self addressed spams
>>>> lately and MailScanner has been doing a fantastic job of tagging
>>>> these as spam, but the problem is that even though our commercial
>>>> email system accepts spamassassin header tags to put them in the
>>>> appropriate junk folder automatically, it ignores the headers if it
>>>> thinks the sender is oneself and then I get complaints about these
>>>> spams getting through.
>>>>
>>>> The real solution is obviously for the commercial vendor to fix
>>>> this problem and trust spamassassin all the time, but this has been
>>>> going on for years and they aren't going to change it any time soon,
>>>> so I'm stuck with getting rid of these messages at the
>>>> SMTP/Mailscanner stage before they get passed on to the rest of the
>>>> mail system.
I've implemented mailfromd which allows me to
>>>> automatically reject any email that uses our domain as a sending
>>>> domain and doesn't come from within our ip space at the SMTP
>>>> negotiation envelope level and this is blocking 99% of them, but
>>>> there are a few that are still sneaking through because they use
>>>> some other domain at the smtp "mail from:" envelope stage which
>>>> allows them to bypass mailfromd, but then in the data portion of
>>>> the email they use our domain in the from: address in the header
>>>> which then confuses our email system into ignoring the spamassassin
>>>> header tag again.
>>>>
>>>> As I said, MailScanner/Spamassassin is properly tagging these
>>>> emails as spam, but the tags get ignored by an oversight on our mail
>>>> system. We force all of our clients to use our own smtp server, so
>>>> there should never be a case of an email with a sender address of
>>>> our domain coming from outside of our domain. Is it possible for
>>>> MailScanner to blacklist these?
>>>>
>>>> -Mike
>>>>
>>>>
>>>
>>> Jules
>>>
>>> Jules
>>>
>>
>> Julian,
>>
>> What would happen if someone sent an email with a From: from my
>> domain using their home ISP smtp server? Would that be blocked by
>> your example?
> Yes. But that was what the original request wanted to do, at least as
> I read it. The same block would happen if you published an SPF record
> saying that mail from mydomain.com could only come from 152.78.71 (in
> my example).
>
> This is why I publish an SPF record that says "anything goes" for my
> own domain at work. SPF doesn't help me at all, for mail coming from
> my domain.
>
> Jules
>

Same thing here. So many students and staff all using their
USherbrooke.ca email address from so many different places... bummer...

Denis

--
 _
 °v°   Denis Beauchemin, analyst
/(_)\  Université de Sherbrooke, S.T.I.
 ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From mailscanner.list at romehosting.com Tue Jan 13 20:13:16 2009
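The envelope-versus-header distinction from the "blacklisting local domain?" thread above, as an added Python model (not MailScanner or SpamAssassin code, and not written by any poster): it runs the posted two-line ruleset and the `MY_DOMAIN_IN_FROM` pattern over constructed messages. Reading `152.78.71` as a /24 and every sample address are assumptions; the `addr_only` switch models SpamAssassin's `From:addr` form, which tests only the address instead of the whole header value.

```python
import ipaddress
import re
from email.utils import parseaddr

# Values from the thread's example; reading "152.78.71" as a /24 is an assumption.
LOCAL_NET = ipaddress.ip_network("152.78.71.0/24")
MY_DOMAIN = "mydomain.com"
FROM_RE = re.compile(r"\@mydomain.com$", re.I)  # pattern exactly as posted


def is_local(client_ip):
    """True when the connecting IP is inside the site's own address space."""
    return ipaddress.ip_address(client_ip) in LOCAL_NET


def envelope_check(msg):
    """Envelope-level test: sees only MAIL FROM and the client IP."""
    domain = msg["mail_from"].rpartition("@")[2].lower()
    if domain == MY_DOMAIN and not is_local(msg["client_ip"]):
        return "reject"
    return "accept"


def my_domain_in_from(from_header, addr_only=False):
    """Model of the MY_DOMAIN_IN_FROM rule.

    addr_only=False: the pattern is applied to the whole header value.
    addr_only=True:  the pattern is applied to the extracted address only.
    """
    text = parseaddr(from_header)[1] if addr_only else from_header.strip()
    return bool(FROM_RE.search(text))


def rule_action(msg, addr_only=False):
    """First-match model of the two lines in sa.rule.actions.rules."""
    if is_local(msg["client_ip"]):
        # Line 1: NON_EXISTENT_RULE can never fire, so nothing special happens.
        return "deliver"
    if my_domain_in_from(msg["from_header"], addr_only):
        # Line 2 (default): keep a copy, do not deliver to the recipients.
        return "not-deliver,store"
    return "deliver"


# Constructed sample messages (documentation IP ranges, made-up addresses).
MESSAGES = {
    "internal_client": {
        "client_ip": "152.78.71.20",
        "mail_from": "mike@mydomain.com",
        "from_header": "Mike <mike@mydomain.com>",
    },
    "spoofed_envelope": {
        "client_ip": "203.0.113.9",
        "mail_from": "mike@mydomain.com",
        "from_header": "mike@mydomain.com",
    },
    "spoofed_header_only": {
        "client_ip": "203.0.113.9",
        "mail_from": "bounce@example.net",
        "from_header": "mike@mydomain.com",
    },
    "spoofed_with_display_name": {
        "client_ip": "203.0.113.9",
        "mail_from": "bounce@example.net",
        "from_header": '"Mike" <mike@mydomain.com>',
    },
    "roaming_user": {  # genuine user sending through a home ISP
        "client_ip": "198.51.100.7",
        "mail_from": "denis@mydomain.com",
        "from_header": "denis@mydomain.com",
    },
    "unrelated_external": {
        "client_ip": "198.51.100.7",
        "mail_from": "someone@example.org",
        "from_header": "Someone <someone@example.org>",
    },
}


def report(addr_only=False):
    """Return {name: (envelope verdict, rule action)} for every sample."""
    return {
        name: (envelope_check(m), rule_action(m, addr_only))
        for name, m in MESSAGES.items()
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("pattern applied to", "address only" if mode else "whole header")
        for name, verdict in report(mode).items():
            print(f"  {name:28s} envelope={verdict[0]:7s} action={verdict[1]}")
```

The header-only spoof passes the envelope check and is caught by the rule action, the roaming user is caught as well, and the display-name variant is only caught when the pattern is applied to the address alone.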
From: mailscanner.list at romehosting.com (SuprDave)
Date: Tue Jan 13 20:13:32 2009
Subject: Avast interface not fully functional
Message-ID:

Hi,

I was very happy to see an interface for Avast. After extensive testing,
I discovered that MailScanner does not identify all viruses caught by
Avast. It seems that the interface may be incomplete. Here are my
findings:

I have three virus samples available. During a manual command-line scan
Avast reports.

1: [infected by: EICAR Test-NOT virus!!]
2: [infected by: Win32:Adware-gen [Adw]]
3: [infected by: Win32:Trojan-gen {Other}]

MailScanner successfully identifies #1 but ignores #2 and #3. My best
guess would be that the VirusSweep file is somehow confused by the extra
brackets or maybe the colon. Note that #2 uses [ and ], #3 uses { and }.

Any help resolving this would be greatly appreciated. I am using the
latest release of MailScanner on a Debian box.

Thanks!

Dave Gattis

From dyioulos at firstbhph.com Tue Jan 13 20:20:53 2009
From: dyioulos at firstbhph.com (Dimitri Yioulos)
Date: Tue Jan 13 20:21:20 2009
Subject: Health update
In-Reply-To: <496C807E.9000404@ecs.soton.ac.uk>
References: <496C807E.9000404@ecs.soton.ac.uk>
Message-ID: <200901131520.54329.dyioulos@firstbhph.com>

On Tuesday 13 January 2009 6:52 am, Julian Field wrote:
> Folks,
>
> Well, I've just got back from the hospital, had another meeting with the
> transplant team.
>
> As of now, I'm suspended on the liver waiting list.
> They are going to do another endoscopy in the next 2 or 3 weeks, and
> we'll see the outcome of that to see if the varices have gone down at
> all which will imply better blood flow through my new portal vein
> replacement.
> I suspect this will most likely show an improvement.
>
> If it does, then the original reason for me being on the list will have
> gone (well enough). So it will be no longer worth doing what is, in my
> case, a very difficult and dangerous procedure.
>
> So I'm officially suspended from the list at the moment, but not removed.
>
> As I've spent the past 15 months or so mentally preparing for the
> procedure, this is going to take a bit of getting used to. It's going to
> take a few days to sink in properly.
>
> Jules
>
> --
> Julian Field MEng CITP CEng
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>

Jules,

This news comes at the beginning of a brand new year. Here's hoping it
brings you health and happiness (prosperity wouldn't be bad either). Your
many friends around the world are pullin' for ya!

Best wishes,

Dimitri

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From MailScanner at ecs.soton.ac.uk Tue Jan 13 20:43:00 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Jan 13 20:43:20 2009
Subject: Avast interface not fully functional
In-Reply-To:
References:
Message-ID: <496CFCD4.5010405@ecs.soton.ac.uk>

For starters, are you using Avast or Avastd?
Secondly, please can you post the exact output of the Avast/Avastd
scanner?
If you are using Avastd, then this is a possible problem. Case 3
shouldn't be a problem but case 2 might be.
I need to see the exact output, preferably redirect the output to a file
and post that file (gzipped so nothing can play with it).

On 13/1/09 20:13, SuprDave wrote:
> Hi,
>
> I was very happy to see an interface for Avast. After extensive testing,
> I discovered that MailScanner does not identify all viruses caught by
> Avast. It seems that the interface may be incomplete. Here are my
> findings:
>
> I have three virus samples available. During a manual command-line scan
> Avast reports.
>
> 1: [infected by: EICAR Test-NOT virus!!]
> 2: [infected by: Win32:Adware-gen [Adw]]
> 3: [infected by: Win32:Trojan-gen {Other}]
>
> MailScanner successfully identifies #1 but ignores #2 and #3. My best
> guess would be that the VirusSweep file is somehow confused by the extra
> brackets or maybe the colon. Note that #2 uses [ and ], #3 uses { and }.
>
> Any help resolving this would be greatly appreciated. I am using the
> latest release of MailScanner on a Debian box.
>
> Thanks!
>
> Dave Gattis
>
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From alex at rtpty.com Tue Jan 13 20:53:12 2009
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Tue Jan 13 20:53:25 2009
Subject: Health update
In-Reply-To: <496CDBE5.8040609@ecs.soton.ac.uk>
References: <496C807E.9000404@ecs.soton.ac.uk> <496CDBE5.8040609@ecs.soton.ac.uk>
Message-ID: <3E8DFA1C-9841-4DEE-9DA4-1B43F8C06FF4@rtpty.com>

Dream come true, if it were not for the reasons behind it...

On Jan 13, 2009, at 1:22 PM, Julian Field wrote:
> Err... living on a diet mostly comprised of narcotics, ice cream and
> wine :-) (in varying quantities!)

From mrm at quantumcc.com Tue Jan 13 20:55:01 2009
From: mrm at quantumcc.com (Mike Masse)
Date: Tue Jan 13 20:55:25 2009
Subject: blacklisting local domain?
In-Reply-To: <496CDB6A.2070504@ecs.soton.ac.uk>
References: <496C81E1.7CBE.00FC.3@medicine.wisc.edu> <496CDB6A.2070504@ecs.soton.ac.uk>
Message-ID:

Thank you Julian. This was EXACTLY the information I was looking for.

Mike

Julian Field wrote:
> Oops, sorry, just thumped "send" by mistake.
> Take 2:
>
> MailScanner itself always uses the envelope sender address, and not the
> From: address which is what you are looking to check.
> So you would have to do it with a SpamAssassin rule, as that is the only
> thing which can be told to look at the From: address.
>
> So you want to check for mail which doesn't come from your IP space but
> does contain your domain in the From: header.
>
> I haven't got an instant solution to that, but can you confirm that I
> have summarised the problem correctly?
>
> Could we do it with a SpamAssassin Rule Actions ruleset, and an SA rule
> which looks for your domain appearing in From: ?
>
> SpamAssassin Rule Actions = %rules-dir%/sa.rule.actions.rules
>
> sa.rule.actions.rules contains
> From: 152.78.71 NON_EXISTENT_RULE=>deliver
> FromOrTo: default MY_DOMAIN_IN_FROM=>not-deliver,store
>
> spam.assassin.rules.conf contains an addition
> header MY_DOMAIN_IN_FROM From =~ /\@mydomain.com$/i
> score MY_DOMAIN_IN_FROM 0.01
> describe MY_DOMAIN_IN_FROM My domain name appears in the
From: header
>
> The SA rule "NON_EXISTENT_RULE" does not exist, it just needs to be in
> the sa.rule.actions.rules file as a dummy.
>
> The sa.rule.actions.rules file says
> If it's from my network (152.78.71 in this example) then we don't do
> anything special (the rule name does not exist so can never fire so the
> "deliver" action will never be executed here).
> If it's from anywhere else, and my domain name (mydomain.com in this
> example) appears in the
From: header, then store a copy and don't
> deliver it to its original recipients.
>
> The score of 0.01 is just some very small number as you don't actually
> want to greatly affect the spam score, but you do want the rule to be
> checked so it can't be zero. -0.01 might have been a better choice.
>
> I think that should work.
>
> You can do almost anything with SpamAssassin Rule Actions and a bit of
> lateral thinking :-)
>
> Jules.
>
>
> On 13/1/09 17:58, Michael Masse wrote:
>> Is there any way MailScanner can blacklist email that says it's from
>> mydomain, but comes from an IP outside of my ipspace? We force all
>> of our clients to use our specific smtp server.
>>
>> We've been getting hit very hard with these self addressed spams
>> lately and MailScanner has been doing a fantastic job of tagging these
>> as spam, but the problem is that even though our commercial email
>> system accepts spamassassin header tags to put them in the appropriate
>> junk folder automatically, it ignores the headers if it thinks the
>> sender is oneself and then I get complaints about these spams getting
>> through.
>>
>> The real solution is obviously for the commercial vendor to fix this
>> problem and trust spamassassin all the time, but this has been going
>> on for years and they aren't going to change it any time soon, so I'm
>> stuck with getting rid of these messages at the SMTP/Mailscanner stage
>> before they get passed on to the rest of the mail system.
I've
>> implemented mailfromd which allows me to automatically reject any
>> email that uses our domain as a sending domain and doesn't come from
>> within our ip space at the SMTP negotiation envelope level and this is
>> blocking 99% of them, but there are a few that are still sneaking
>> through because they use some other domain at the smtp "mail from:"
>> envelope stage which allows them to bypass mailfromd, but then in the
>> data portion of the email they use our domain
> in the from: address in the header which then confuses our email system
> into ignoring the spamassassin header tag again.
>>
>> As I said, MailScanner/Spamassassin is properly tagging these emails
>> as spam, but the tags get ignored by an oversight on our mail system.
>> We force all of our clients to use our own smtp server, so there
>> should never be a case of an email with a sender address of our domain
>> coming from outside of our domain. Is it possible for MailScanner
>> to blacklist these?
>>
>> -Mike
>>
>>
>
> Jules
>
> Jules
>

From gmcgreevy at pwr-sys.com Tue Jan 13 21:09:34 2009
From: gmcgreevy at pwr-sys.com (Greg J. McGreevy)
Date: Tue Jan 13 21:14:49 2009
Subject: Health update
References: <496C807E.9000404@ecs.soton.ac.uk>
Message-ID: <567221C09601934AA5CE9762FDA09A5001C405@EXCHTEMP.biz.pwr-sys.com>

Rest and get well Julian hope everything checks out and you get a clean bill of health.

Greg

________________________________

From: mailscanner-bounces@lists.mailscanner.info on behalf of Julian Field
Sent: Tue 1/13/2009 6:52 AM
To: MailScanner discussion
Subject: Health update

Folks,

Well, I've just got back from the hospital, had another meeting with the
transplant team.

As of now, I'm suspended on the liver waiting list.
They are going to do another endoscopy in the next 2 or 3 weeks, and
we'll see the outcome of that to see if the varices have gone down at
all which will imply better blood flow through my new portal vein
replacement.
I suspect this will most likely show an improvement.

If it does, then the original reason for me being on the list will have
gone (well enough). So it will be no longer worth doing what is, in my
case, a very difficult and dangerous procedure.

So I'm officially suspended from the list at the moment, but not removed.

As I've spent the past 15 months or so mentally preparing for the
procedure, this is going to take a bit of getting used to. It's going to
take a few days to sink in properly.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/ms-tnef
Size: 4942 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090113/71da00f7/attachment.bin

From mailscanner.list at romehosting.com Tue Jan 13 21:38:22 2009
From: mailscanner.list at romehosting.com (SuprDave)
Date: Tue Jan 13 21:38:39 2009
Subject: Avast interface not fully functional
In-Reply-To: <496CFCD4.5010405@ecs.soton.ac.uk>
References: <496CFCD4.5010405@ecs.soton.ac.uk>
Message-ID: <2d07461c907200458ab0fd46b7bb95f1.squirrel@mail.romehosting.com>

I am using Avast Home for Linux. The output file is attached.

Thanks!

Dave Gattis

> For starters, are you using Avast or Avastd?
> Secondly, please can you post the exact output of the Avast/Avastd
> scanner?
> If you are using Avastd, then this is a possible problem. Case 3
> shouldn't be a problem but case 2 might be.
> I need to see the exact output, preferably redirect the output to a file
> and post that file (gzipped so nothing can play with it).
>
> On 13/1/09 20:13, SuprDave wrote:
>> Hi,
>>
>> I was very happy to see an interface for Avast. After extensive
>> testing,
>> I discovered that MailScanner does not identify all viruses caught by
>> Avast. It seems that the interface may be incomplete. Here are my
>> findings:
>>
>> I have three virus samples available. During a manual command-line scan
>> Avast reports.
>>
>> 1: [infected by: EICAR Test-NOT virus!!]
>> 2: [infected by: Win32:Adware-gen [Adw]]
>> 3: [infected by: Win32:Trojan-gen {Other}]
>>
>> MailScanner successfully identifies #1 but ignores #2 and #3. My best
>> guess would be that the VirusSweep file is somehow confused by the extra
>> brackets or maybe the colon. Note that #2 uses [ and ], #3 uses { and
>> }.
>>
>> Any help resolving this would be greatly appreciated. I am using the
>> latest release of MailScanner on a Debian box.
>>
>> Thanks!
>>
>> Dave Gattis
>>
>>
>
> Jules
>
> --
> Julian Field MEng CITP CEng
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> MailScanner customisation, or any advanced system administration help?
> Contact me at Jules@Jules.FM
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> PGP public key: http://www.jules.fm/julesfm.asc
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

From MailScanner at ecs.soton.ac.uk Tue Jan 13 21:58:11 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Jan 13 21:58:33 2009
Subject: Avast interface not fully functional
In-Reply-To: <2d07461c907200458ab0fd46b7bb95f1.squirrel@mail.romehosting.com>
References: <496CFCD4.5010405@ecs.soton.ac.uk> <2d07461c907200458ab0fd46b7bb95f1.squirrel@mail.romehosting.com>
Message-ID: <496D0E73.1010306@ecs.soton.ac.uk>

Oh no it's not :-)

On 13/1/09 21:38, SuprDave wrote:
> I am using Avast Home for Linux. The output file is attached.
> Thanks!
> Dave Gattis
>
>
>
>> For starters, are you using Avast or Avastd?
>> Secondly, please can you post the exact output of the Avast/Avastd
>> scanner?
>> If you are using Avastd, then this is a possible problem. Case 3
>> shouldn't be a problem but case 2 might be.
>> I need to see the exact output, preferably redirect the output to a file
>> and post that file (gzipped so nothing can play with it).
>>
>> On 13/1/09 20:13, SuprDave wrote:
>>
>>> Hi,
>>>
>>> I was very happy to see an interface for Avast. After extensive
>>> testing,
>>> I discovered that MailScanner does not identify all viruses caught by
>>> Avast. It seems that the interface may be incomplete. Here are my
>>> findings:
>>>
>>> I have three virus samples available. During a manual command-line scan
>>> Avast reports.
>>>
>>> 1: [infected by: EICAR Test-NOT virus!!]
>>> 2: [infected by: Win32:Adware-gen [Adw]]
>>> 3: [infected by: Win32:Trojan-gen {Other}]
>>>
>>> MailScanner successfully identifies #1 but ignores #2 and #3. My best
>>> guess would be that the VirusSweep file is somehow confused by the extra
>>> brackets or maybe the colon. Note that #2 uses [ and ], #3 uses { and
>>> }.
>>>
>>> Any help resolving this would be greatly appreciated. I am using the
>>> latest release of MailScanner on a Debian box.
>>>
>>> Thanks!
>>>
>>> Dave Gattis
>>>
>>>
>>>
>> Jules
>>
>> --
>> Julian Field MEng CITP CEng
>> www.MailScanner.info
>> Buy the MailScanner book at www.MailScanner.info/store
>>
>> MailScanner customisation, or any advanced system administration help?
>> Contact me at Jules@Jules.FM
>>
>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>> PGP public key: http://www.jules.fm/julesfm.asc
>>
>>
>> --
>> This message has been scanned for viruses and
>> dangerous content by MailScanner, and is
>> believed to be clean.
>>
>> --
>> MailScanner mailing list
>> mailscanner@lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>
>>
>
>
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From mailscanner.list at romehosting.com Tue Jan 13 22:08:00 2009
From: mailscanner.list at romehosting.com (SuprDave) Date: Tue Jan 13 22:08:17 2009 Subject: Avast interface not fully functional In-Reply-To: <496D0E73.1010306@ecs.soton.ac.uk> References: <496CFCD4.5010405@ecs.soton.ac.uk> <2d07461c907200458ab0fd46b7bb95f1.squirrel@mail.romehosting.com> <496D0E73.1010306@ecs.soton.ac.uk> Message-ID: <846c85c3b7c148113b5785800ee93688.squirrel@mail.romehosting.com> Doh! Now it is. :-) Dave Gattis > Oh not it's not :-) > > On 13/1/09 21:38, SuprDave wrote: >> I am using Avast Home for Linux. The output file is attached. >> Thanks! >> Dave Gattis >> >> >> >>> For starters, are you using Avast or Avastd? >>> Secondly, please can you post the exact output of the Avast/Avastd >>> scanner? >>> If you are using Avastd, then this is a possible problem. Case 3 >>> shouldn't be a problem but case 2 might be. >>> I need to see the exact output, preferably redirect the output to a >>> file >>> and post that file (gzipped so nothing can play with it). >>> >>> On 13/1/09 20:13, SuprDave wrote: >>> >>>> Hi, >>>> >>>> I was very happy to see an interface for Avast. After extensive >>>> testing, >>>> I discovered that MailScanner does not identify all viruses caught by >>>> Avast. It seems that the interface may be incomplete. Here are my >>>> findings: >>>> >>>> I have three virus samples available. During a manual command-line >>>> scan >>>> Avast reports. >>>> >>>> 1: [infected by: EICAR Test-NOT virus!!] >>>> 2: [infected by: Win32:Adware-gen [Adw]] >>>> 3: [infected by: Win32:Trojan-gen {Other}] >>>> >>>> MailScanner successfully identifies #1 but ignores #2 and #3. My best >>>> guess would be that the VirusSweep file is somehow confused by the >>>> extra >>>> brackets or maybe the colon. Note that #2 uses [ and ], #3 uses { and >>>> }. >>>> >>>> Any help resolving this would be greatly appreciated. I am using the >>>> latest release of MailScanner on a Debian box. >>>> >>>> Thanks! 
>>>> >>>> Dave Gattis >>>> >>>> >>>> >>> Jules >>> >>> -- >>> Julian Field MEng CITP CEng >>> www.MailScanner.info >>> Buy the MailScanner book at www.MailScanner.info/store >>> >>> MailScanner customisation, or any advanced system administration help? >>> Contact me at Jules@Jules.FM >>> >>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >>> PGP public key: http://www.jules.fm/julesfm.asc >>> >>> >>> -- >>> This message has been scanned for viruses and >>> dangerous content by MailScanner, and is >>> believed to be clean. >>> >>> -- >>> MailScanner mailing list >>> mailscanner@lists.mailscanner.info >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>> >>> Before posting, read http://wiki.mailscanner.info/posting >>> >>> Support MailScanner development - buy the book off the website! >>> >>> >> >> >> > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > PGP public key: http://www.jules.fm/julesfm.asc > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- A non-text attachment was scrubbed... Name: output.txt.gz Type: application/x-gzip Size: 591 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090113/2e02bb51/output.txt.gz From Nikolaos.Pavlidis at beds.ac.uk Wed Jan 14 14:30:50 2009 
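The three Avast report strings from the "Avast interface not fully functional" thread above, run through two parsers, as an added example that is not MailScanner's own code. `NAIVE` is a hypothetical pattern that forbids square brackets inside the virus name; `parse_infection` anchors on the fixed prefix and the last closing bracket instead. The function names and the path-prefixed line are assumptions.

```python
import re

# Report strings exactly as quoted in the thread (manual command-line scan).
SAMPLES = [
    "[infected by: EICAR Test-NOT virus!!]",
    "[infected by: Win32:Adware-gen [Adw]]",
    "[infected by: Win32:Trojan-gen {Other}]",
]

# Constructed line with a file path in front; the real scanner layout is an
# assumption here, only the bracketed part comes from the thread.
CONSTRUCTED_LINE = "/tmp/scan/sample.bin\t[infected by: Win32:Adware-gen [Adw]]\n"

# Hypothetical naive pattern (NOT MailScanner's real regex): the name may not
# contain '[' or ']', so a nested "[Adw]" suffix prevents any match at all.
NAIVE = re.compile(r"\[infected by: ([^\[\]]+)\]$")

# Tolerant pattern: fixed prefix, then everything up to the LAST ']' on the
# line. Colons, braces and nested square brackets stay part of the name.
TOLERANT = re.compile(r"\[infected by: (.+)\]\s*$")


def parse_naive(line):
    """Virus name according to the bracket-hostile pattern, or None."""
    m = NAIVE.search(line.rstrip("\r\n"))
    return m.group(1).strip() if m else None


def parse_infection(line):
    """Virus name from one report line, or None if the line reports no infection."""
    m = TOLERANT.search(line.rstrip("\r\n"))
    if not m:
        return None
    return m.group(1).strip() or None


def missed_by_naive(lines):
    """Lines that carry an infection report the naive pattern silently drops."""
    return [l for l in lines if parse_infection(l) and not parse_naive(l)]


if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r}: naive={parse_naive(s)!r} tolerant={parse_infection(s)!r}")
```

A silent non-match is the dangerous outcome for a virus-scanner wrapper, so a check like `missed_by_naive` over saved scanner output is worth keeping as a regression test whenever the parsing pattern changes.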
From: Nikolaos.Pavlidis at beds.ac.uk (Nikolaos Pavlidis) Date: Wed Jan 14 14:31:04 2009 Subject: Spam-maked ham to be returned to queue In-Reply-To: <496DF71A020000270002804A@gwiadom.oes.beds.ac.uk> References: <496CD23C020000A10002853D@gwiadom.oes.beds.ac.uk> <496DF71A020000270002804A@gwiadom.oes.beds.ac.uk> Message-ID: <496DF71A020000270002804A@gwiadom.oes.beds.ac.uk> Hello Julian, First of all you have all our best wishes for a speedy recovery. Thank you once again for taking an interest to our situation even in the given circumstances. Unfortunately "Quarantine Whole Messages As Queue Files" is set to "no" so the mails we need are single files stuck in /var/spool/MailScanner/quarantine/date/spam and the sendmail -qI/R/S option does not seem to work since I believe it applies to messages still on queue. Thank you in advance, your help is much appreciated. Regards, Nik On Tue, 2009-01-13 at 17:35 +0000, Julian Field wrote: > If you have "Quarantine Whole Messages As Queue Files = yes" then you > can just take the qf+df pair of files from the quarantine directory and > drop them straight into /var/spool/mqueue. The next sendmail queue run > will deliver them. If you don't want to wait for that, then read the man > page for sendmail, the "-q" section, you want to read how to use the > "-qI" option in particular. > > On 13/1/09 15:45, Nikolaos Pavlidis wrote: > > Hello all, > > > > We have a working Solatis-Mailscanner installation based on sendmail MTA > > which is still learning... and therefore sending some email's to > > quarantine when it shouldn't. How is it possible to put the > > "misunderstood" mails back in the queue to be sent after being > > identified and sa-leaned as ham? > > Thank you in advance. > > > > Regards, > > > > Nik > > > > > > > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? 
> Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > PGP public key: http://www.jules.fm/julesfm.asc > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > -- ? Nikolaos Pavlidis BSc (Hons) MBCS NCLP System Administrator University Of Bedfordshire Park Square LU1 3JU Luton, Beds, UK Tel: +441582489277 From maillists at conactive.com Wed Jan 14 16:31:26 2009 From: maillists at conactive.com (Kai Schaetzl) Date: Wed Jan 14 16:31:41 2009 Subject: blacklisting local domain? In-Reply-To: <496C81E1.7CBE.00FC.3@medicine.wisc.edu> References: <496C81E1.7CBE.00FC.3@medicine.wisc.edu> Message-ID: Michael Masse wrote on Tue, 13 Jan 2009 11:58:28 -0600: > Is there any way MailScanner can blacklist email that says it's from > my domain, but comes from an IP outside of my ipspace? We force > all of our clients to use our specific smtp server. If you use postfix and mail from these domains can only come from authenticated users or this server then you can simply block all mail from outside with these sender domains with an access map. Kai -- Kai Sch?tzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From MailScanner at ecs.soton.ac.uk Wed Jan 14 16:44:02 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Jan 14 16:44:27 2009 Subject: Spam-maked ham to be returned to queue In-Reply-To: <496DF71A020000270002804A@gwiadom.oes.beds.ac.uk> References: <496CD23C020000A10002853D@gwiadom.oes.beds.ac.uk> <496DF71A020000270002804A@gwiadom.oes.beds.ac.uk> <496DF71A020000270002804A@gwiadom.oes.beds.ac.uk> Message-ID: <496E1652.2070005@ecs.soton.ac.uk> On 14/1/09 14:30, Nikolaos Pavlidis wrote: > Hello Julian, > > First of all you have all our best wishes for a speedy recovery. Thank > you once again for taking an interest to our situation even in the given > circumstances. > > Unfortunately "Quarantine Whole Messages As Queue Files" is set to "no" > so the mails we need are single files stuck > in /var/spool/MailScanner/quarantine/date/spam and the sendmail -qI/R/S > option does not seem to work since I believe it applies to messages > still on queue. > In which case you've got to run "sendmail -t" on the RFC822 message file, which will cause its re-delivery. But it will go to the recipients listed in the "To:" header, not the recipients in the envelope as you lost those by not storing the messages as queue files. Beware: this may do very nasty things to mailing lists! > Thank you in advance, your help is much appreciated. > > Regards, > > Nik > > > On Tue, 2009-01-13 at 17:35 +0000, Julian Field wrote: > >> If you have "Quarantine Whole Messages As Queue Files = yes" then you >> can just take the qf+df pair of files from the quarantine directory >> > and > >> drop them straight into /var/spool/mqueue. The next sendmail queue run >> > > >> will deliver them. If you don't want to wait for that, then read the >> > man > >> page for sendmail, the "-q" section, you want to read how to use the >> "-qI" option in particular. >> >> On 13/1/09 15:45, Nikolaos Pavlidis wrote: >> >>> Hello all, >>> >>> We have a working Solatis-Mailscanner installation based on sendmail >>> > MTA > >>> which is still learning... 
and therefore sending some email's to >>> quarantine when it shouldn't. How is it possible to put the >>> "misunderstood" mails back in the queue to be sent after being >>> identified and sa-leaned as ham? >>> Thank you in advance. >>> >>> Regards, >>> >>> Nik >>> >>> >>> >>> >> Jules >> >> -- >> Julian Field MEng CITP CEng >> www.MailScanner.info >> Buy the MailScanner book at www.MailScanner.info/store >> >> MailScanner customisation, or any advanced system administration help? >> Contact me at Jules@Jules.FM >> >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> PGP public key: http://www.jules.fm/julesfm.asc >> >> >> -- >> This message has been scanned for viruses and >> dangerous content by MailScanner, and is >> believed to be clean. >> >> Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From roland at inbox4u.de Wed Jan 14 20:39:47 2009 
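A pre-flight check for the `sendmail -t` re-delivery described in the "Spam-maked ham to be returned to queue" thread above, as an added example that is not part of the original messages: it lists the header recipients that would stand in for the lost envelope and flags list traffic before anything is re-injected. The sample messages, addresses and function names are constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

# "sendmail -t" takes recipients from these headers, not from the envelope.
RECIPIENT_HEADERS = ("To", "Cc", "Bcc")
# Headers that usually mark mailing-list traffic.
LIST_HEADERS = ("List-Id", "List-Post", "List-Unsubscribe", "Mailing-List")

# Constructed sample: ordinary mail addressed directly to a local user.
DIRECT = (
    "From: Sender <sender@example.net>\n"
    "To: Nik <nik@example.ac.uk>\n"
    "Subject: invoice\n"
    "\n"
    "body\n"
)

# Constructed sample: a list post. The envelope recipient was a local
# subscriber, but the headers only name the list and a third party.
LIST_POST = (
    "From: Poster <poster@example.net>\n"
    "To: users@lists.example.org\n"
    "Cc: Other <other@example.net>\n"
    "List-Id: <users.lists.example.org>\n"
    "Precedence: list\n"
    "Subject: [users] question\n"
    "\n"
    "body\n"
)


def header_recipients(msg):
    """Unique, lower-cased addresses from To/Cc/Bcc, in header order."""
    values = [v for h in RECIPIENT_HEADERS for v in msg.get_all(h, [])]
    seen, out = set(), []
    for _name, addr in getaddresses(values):
        addr = addr.strip().lower()
        if addr and addr not in seen:
            seen.add(addr)
            out.append(addr)
    return out


def looks_like_list_mail(msg):
    """True when list headers or a list/bulk precedence are present."""
    if any(msg.get(h) for h in LIST_HEADERS):
        return True
    return (msg.get("Precedence") or "").strip().lower() in ("list", "bulk")


def preview_redelivery(raw, local_domains):
    """Describe what re-injecting this RFC822 file with 'sendmail -t' would do."""
    msg = message_from_string(raw)
    rcpts = header_recipients(msg)
    non_local = [a for a in rcpts if a.rpartition("@")[2] not in local_domains]
    list_mail = looks_like_list_mail(msg)
    return {
        "recipients": rcpts,
        "non_local": non_local,   # copies that would leave the site again
        "list_mail": list_mail,   # re-posting to a list address is the risk
        "safe": bool(rcpts) and not non_local and not list_mail,
    }


if __name__ == "__main__":
    for label, raw in (("direct", DIRECT), ("list", LIST_POST)):
        print(label, preview_redelivery(raw, {"example.ac.uk"}))
```

Messages that are not marked safe need their original recipient supplied by hand rather than taken from the headers.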
From: roland at inbox4u.de (Ehle, Roland) Date: Wed Jan 14 20:41:10 2009 Subject: AW: Health update In-Reply-To: <496C807E.9000404@ecs.soton.ac.uk> References: <496C807E.9000404@ecs.soton.ac.uk> Message-ID: Jules, I will pray for you and wish you all the best! Regards, Roland > -----Urspr?ngliche Nachricht----- > Von: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] Im Auftrag von Julian Field > Gesendet: Dienstag, 13. Januar 2009 12:53 > An: MailScanner discussion > Betreff: Health update > > Folks, > > Well, I've just got back from the hospital, had another meeting with > the > transplant team. > > As of now, I'm suspended on the liver waiting list. > They are going to do another endoscopy in the next 2 or 3 weeks, and > we'll see the outcome of that to see if the varices have gone down at > all which will imply better blood flow through my new portal vein > replacement. > I suspect this will most likely show an improvement. > > If it does, then the original reason for me being on the list will have > gone (well enough). So it will be no longer worth doing what is, in my > case, a very difficult and dangerous procedure. > > So I'm officially suspended from the list at the moment, but not > removed. > > As I've spent the past 15 months or so mentally preparing for the > procedure, this is going to take a bit of getting used to. It's going > to > take a few days to sink in properly. > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. 
> > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From garry at glendown.de Wed Jan 14 21:07:16 2009 From: garry at glendown.de (Garry) Date: Wed Jan 14 21:07:27 2009 Subject: Health update In-Reply-To: <496C807E.9000404@ecs.soton.ac.uk> References: <496C807E.9000404@ecs.soton.ac.uk> Message-ID: <496E5404.2050004@glendown.de> Julian Field wrote: > If it does, then the original reason for me being on the list will > have gone (well enough). So it will be no longer worth doing what is, > in my case, a very difficult and dangerous procedure. My best wishes for you! Hope it turns out well! -garry From christian at columbiafuels.com Wed Jan 14 21:29:19 2009 From: christian at columbiafuels.com (Christian Rasmussen) Date: Wed Jan 14 21:30:19 2009 Subject: Health update In-Reply-To: <496CDBE5.8040609@ecs.soton.ac.uk> References: <496C807E.9000404@ecs.soton.ac.uk> <496CDBE5.8040609@ecs.soton.ac.uk> Message-ID: <7C62BFED4DC0CE488F93865D83A61E64DDCC09@sprocket.columbiafuels.com> > All my best, and keep doing what you have been doing to stay healthy. > Err... living on a diet mostly comprised of narcotics, ice cream and wine :-) (in varying quantities!) Jules -- Now there's a diet you could write a book about ;-) maybe call it the mail admin diet. Hopefully things continue to improve for you, best wishes from British Columbia Canada! (eh!) Christian From james at gray.net.au Wed Jan 14 22:54:51 2009 
From: james at gray.net.au (James Gray) Date: Wed Jan 14 22:55:04 2009 Subject: Health update In-Reply-To: <496C807E.9000404@ecs.soton.ac.uk> Message-ID: <15563007.141231973691706.JavaMail.root@node> Hi Jules, Good to hear things are on the mend. It is my hope you return to full health without the need for any further serious medical intervention :) Take care. Regards from Oz, James From micoots at yahoo.com Thu Jan 15 00:17:20 2009 From: micoots at yahoo.com (Michael Mansour) Date: Thu Jan 15 00:17:29 2009 Subject: Blacklisting from URIBL Message-ID: <390641.16226.qm@web33304.mail.mud.yahoo.com> Hi, I use URIBL in SpamAssassin, like so many other SA users, to score emails based on the URI lookup in multi.uribl.com What I'd like to do though, is drop the emails completely ie. not even accept them if they exist in uribl.com How can I do this? Thanks. Michael. Stay connected to the people that matter most with a smarter inbox. Take a look http://au.docs.yahoo.com/mail/smarterinbox From glenn.steen at gmail.com Thu Jan 15 00:27:30 2009 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Jan 15 00:27:40 2009 Subject: Health update In-Reply-To: References: <496C807E.9000404@ecs.soton.ac.uk> Message-ID: <223f97700901141627we10b215gb6b8326d9e26c58a@mail.gmail.com> 2009/1/13 Scott Silva : > on 1-13-2009 3:52 AM Julian Field spake the following: >> Folks, >> >> Well, I've just got back from the hospital, had another meeting with the >> transplant team. >> >> As of now, I'm suspended on the liver waiting list. >> They are going to do another endoscopy in the next 2 or 3 weeks, and >> we'll see the outcome of that to see if the varices have gone down at >> all which will imply better blood flow through my new portal vein >> replacement. >> I suspect this will most likely show an improvement. >> >> If it does, then the original reason for me being on the list will have >> gone (well enough). So it will be no longer worth doing what is, in my >> case, a very difficult and dangerous procedure. >> >> So I'm officially suspended from the list at the moment, but not removed. >> >> As I've spent the past 15 months or so mentally preparing for the >> procedure, this is going to take a bit of getting used to. It's going to >> take a few days to sink in properly. >> >> Jules >> > If your liver is recovering on its own, then that is GREAT news! > Transplants are less than ideal, and the anti-rejection drugs are somewhat > hard on the rest of your system. If your body is starting to heal itself, then > you are a very lucky man. > Like the AzatioprinI'm gobbling:-) Just prevents your body from producing white blood cells... and thus weakens the cancer defenses... Sigh. But it's not bad, compared to the alternatives. > All my best, and keep doing what you have been doing to stay healthy. > I too wish you the best, from the snowy Swedish mountains (where I try to evade all thought of human frailty and toil by a nice mix of downhill skiing and ... beverages:-). 
I'm rather certain that your mail (Julian, that is:) wasn't particularly ... positive. More like the "straw getting snatched away by wicked fate" or "legs getting kicked from under you"... I can well see the psychology involved (not that any of my ailments come close to yours!), and can only hope that you can turn this into something really positive, in the end. Life's a b*tch, Jules. Nothing more to it. But the alternative sucks worse, so ... hang in there! Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From lists at sequestered.net Thu Jan 15 00:29:58 2009 From: lists at sequestered.net (Corey Chandler) Date: Thu Jan 15 00:30:26 2009 Subject: Blacklisting from URIBL In-Reply-To: <390641.16226.qm@web33304.mail.mud.yahoo.com> References: <390641.16226.qm@web33304.mail.mud.yahoo.com> Message-ID: <496E8386.7020800@sequestered.net> Michael Mansour wrote: > Hi, > > I use URIBL in SpamAssassin, like so many other SA users, to score emails based on the URI lookup in multi.uribl.com > > What I'd like to do though, is drop the emails completely ie. not even accept them if they exist in uribl.com > > How can I do this? > > Thanks. > > Michael. > At the MTA layer. I do this in Postfix; what MTA are you using? -- Corey Chandler / KB1JWQ Living Legend / Systems Exorcist Today's Excuse: Suspicious pointer corrupted virtual machine From raymond at prolocation.net Thu Jan 15 00:30:46 2009 
From: raymond at prolocation.net (Raymond Dijkxhoorn) Date: Thu Jan 15 00:30:55 2009 Subject: Blacklisting from URIBL In-Reply-To: <390641.16226.qm@web33304.mail.mud.yahoo.com> References: <390641.16226.qm@web33304.mail.mud.yahoo.com> Message-ID: Hi! You can do this on MTA level. Use a milter to reject based on URI. > I use URIBL in SpamAssassin, like so many other SA users, to score > emails based on the URI lookup in multi.uribl.com > > What I'd like to do though, is drop the emails completely ie. not even > accept them if they exist in uribl.com > > How can I do this? Not sure if this is smart however, but if you dont mind loosing legitimate mail its no issue. Bye, Raymond. From micoots at yahoo.com Thu Jan 15 00:41:14 2009 
From: micoots at yahoo.com (Michael Mansour) Date: Thu Jan 15 00:41:24 2009 Subject: Blacklisting from URIBL In-Reply-To: <496E8386.7020800@sequestered.net> Message-ID: <168042.31426.qm@web33307.mail.mud.yahoo.com> Hi Corey, Thanks for your reply. > > I use URIBL in SpamAssassin, like so many other SA > users, to score emails based on the URI lookup in > multi.uribl.com > > > > What I'd like to do though, is drop the emails > completely ie. not even accept them if they exist in > uribl.com > > > > How can I do this? > > > > Thanks. > > > > Michael. > > > > At the MTA layer. I do this in Postfix; what MTA are you > using? I use sendmail with various milters. I can't see how it can be done at the MTA with URIBL but if you know of a way please let me know. Thanks. Michael. > -- > Corey Chandler / KB1JWQ > Living Legend / Systems Exorcist > Today's Excuse: Suspicious pointer corrupted virtual > machine > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the > website! Stay connected to the people that matter most with a smarter inbox. Take a look http://au.docs.yahoo.com/mail/smarterinbox From raymond at prolocation.net Thu Jan 15 00:44:43 2009 From: raymond at prolocation.net (Raymond Dijkxhoorn) Date: Thu Jan 15 00:44:52 2009 Subject: Blacklisting from URIBL In-Reply-To: <168042.31426.qm@web33307.mail.mud.yahoo.com> References: <168042.31426.qm@web33307.mail.mud.yahoo.com> Message-ID: Hi! > I use sendmail with various milters. I can't see how it can be done at > the MTA with URIBL but if you know of a way please let me know. A 30 second google shows : http://www.snertsoft.com/sendmail/milter-link/ Bye, Raymond. From micoots at yahoo.com Thu Jan 15 00:47:52 2009 
From: micoots at yahoo.com (Michael Mansour) Date: Thu Jan 15 00:48:02 2009 Subject: Blacklisting from URIBL In-Reply-To: Message-ID: <703183.35622.qm@web33307.mail.mud.yahoo.com> Hi Raymond, Thanks for your reply. 
> From: Raymond Dijkxhoorn > Subject: Re: Blacklisting from URIBL > To: "MailScanner discussion" > Received: Thursday, 15 January, 2009, 11:30 AM > Hi! > > You can do this on MTA level. Use a milter to reject based > on URI. I use various milters, one of the more powerful is milter-greylist which does all sorts of things including blacklisting. I'm just unsure how to do this against uribl since the only things I can find on the web for querying multi.uribl.com is a bunch of SA rules which are already used. Going to the uribl.com website only shows SA usage, not how to query their uribl from the command line or what 127.0.0.? are returned. Remember also uribl lists domain names, not just IP's. I've also emailed in the uribl mailing list to see if they can help. > > I use URIBL in SpamAssassin, like so many other SA > users, to score emails based on the URI lookup in > multi.uribl.com > > > > What I'd like to do though, is drop the emails > completely ie. not even accept them if they exist in > uribl.com > > > > How can I do this? > > Not sure if this is smart however, but if you dont mind > loosing legitimate mail its no issue. There is absolutely zero legitimate email which has URI's in URIBL_BLACK. Maybe in URIBL_GREY, maybe in URIBL_GOLD, but never in URIBL_BLACK. Those are 100% confirmed URI's of spammers. Thanks. Michael. > Bye, > Raymond. > -- MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the > website! Stay connected to the people that matter most with a smarter inbox. Take a look http://au.docs.yahoo.com/mail/smarterinbox From micoots at yahoo.com Thu Jan 15 00:55:36 2009 From: micoots at yahoo.com (Michael Mansour) Date: Thu Jan 15 00:55:46 2009 Subject: Blacklisting from URIBL In-Reply-To: Message-ID: <319876.49912.qm@web33306.mail.mud.yahoo.com> Hi Raymond, 
> From: Raymond Dijkxhoorn > Subject: Re: Blacklisting from URIBL > To: "MailScanner discussion" > Received: Thursday, 15 January, 2009, 11:44 AM > Hi! > > > I use sendmail with various milters. I can't see > how it can be done at the MTA with URIBL but if you know of > a way please let me know. > > A 30 second google shows : > > http://www.snertsoft.com/sendmail/milter-link/ Exactly what I'm looking for. Many many thanks, you've just made my day :) Michael. > Bye, > Raymond. > -- MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the > website! Stay connected to the people that matter most with a smarter inbox. Take a look http://au.docs.yahoo.com/mail/smarterinbox From raymond at prolocation.net Thu Jan 15 01:00:22 2009 From: raymond at prolocation.net (Raymond Dijkxhoorn) Date: Thu Jan 15 01:00:31 2009 Subject: Blacklisting from URIBL In-Reply-To: <703183.35622.qm@web33307.mail.mud.yahoo.com> References: <703183.35622.qm@web33307.mail.mud.yahoo.com> Message-ID: Hi! >> Not sure if this is smart however, but if you dont mind >> loosing legitimate mail its no issue. > There is absolutely zero legitimate email which has URI's in > URIBL_BLACK. Maybe in URIBL_GREY, maybe in URIBL_GOLD, but never in > URIBL_BLACK. Those are 100% confirmed URI's of spammers. I am glad you are so positive about it, statistics show otherwise. Check the SA site for example. But, if it works for you, fine! :-) Bye, Raymond. From geneleung818 at yahoo.com.hk Thu Jan 15 08:16:24 2009 
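How a lookup against `multi.uribl.com` works outside SpamAssassin, as an added example that is not part of the "Blacklisting from URIBL" thread above and is not code from URIBL or milter-link: the domain from each URL is prepended to the zone, and the last octet of the 127.0.0.x answer is a bitmask. The bit values (1 query blocked, 2 black, 4 grey, 8 red) are URIBL's published ones, stated here from outside the thread; the sample body, the fake DNS table, the tiny two-level suffix set and all function names are constructed assumptions.

```python
import re
import socket
from urllib.parse import urlsplit

ZONE = "multi.uribl.com"
# Bitmask in the last octet of the A record returned by the zone.
FLAGS = {1: "blocked", 2: "black", 4: "grey", 8: "red"}
# Tiny stand-in for a real public-suffix list (assumption, incomplete).
TWO_LEVEL = {"co.uk", "ac.uk", "com.au", "com.hk"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

# Constructed message body and constructed DNS answers, so this runs offline.
BODY = (
    "Cheap meds at http://www.spam-pills.example/buy now\n"
    "Our site: https://shop.example.co.uk/ and http://192.0.2.7/x\n"
)
FAKE_DNS = {"spam-pills.example.multi.uribl.com": "127.0.0.2"}


def registered_domain(host):
    """Reduce a host name to the domain that is looked up; None for IP literals."""
    host = (host or "").lower().rstrip(".")
    if not host or re.fullmatch(r"[0-9.]+", host):
        return None
    labels = host.split(".")
    if len(labels) < 2:
        return None
    keep = 3 if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL else 2
    return ".".join(labels[-keep:])


def domains_in(body):
    """Unique lookup domains for every http(s) URL in the body, in order."""
    out = []
    for url in URL_RE.findall(body):
        try:
            host = urlsplit(url.rstrip(".,;)")).hostname
        except ValueError:          # malformed URL: nothing to look up
            continue
        dom = registered_domain(host)
        if dom and dom not in out:
            out.append(dom)
    return out


def decode(answer):
    """Turn an A-record answer (or None for NXDOMAIN) into a set of list names."""
    if answer is None:
        return set()
    octets = answer.split(".")
    if len(octets) != 4 or octets[:3] != ["127", "0", "0"]:
        return {"unexpected"}
    mask = int(octets[3])
    return {name for bit, name in FLAGS.items() if mask & bit}


def system_resolver(name):
    """Real lookup through the system resolver; None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_body(body, resolver=system_resolver):
    """Return (reject, verdicts). Only a 'black' listing rejects; a 'blocked'
    answer means the query was refused and says nothing about the domain."""
    verdicts = {d: decode(resolver(f"{d}.{ZONE}")) for d in domains_in(body)}
    return any("black" in v for v in verdicts.values()), verdicts


if __name__ == "__main__":
    print(check_body(BODY, FAKE_DNS.get))
```

Treating a 127.0.0.1 answer as a listing would reject all mail containing any URL once the resolver in use is refused service, so the decision is keyed on the black bit only.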
From: geneleung818 at yahoo.com.hk (Gene Leung) Date: Thu Jan 15 08:16:34 2009 Subject: PGP File Signature not found for MailScanner Message-ID: <906.67145.qm@web53803.mail.re2.yahoo.com> Hi all, I try to download the MailScanner package and its PGP signature file. The server link is broken with the following message, Not Found The requested URL /files/4/rpm/MailScanner-4.74.16-1.rpm.tar.gz.sig was not found on this server. Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request. ________________________________ Apache/1.3.37 Server at www.mailscanner.info Port 80 Is there any way I can get a copy of it? Best Regards Gene Leung From MailScanner at ecs.soton.ac.uk Thu Jan 15 10:09:42 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 15 10:10:04 2009 Subject: PGP File Signature not found for MailScanner In-Reply-To: <906.67145.qm@web53803.mail.re2.yahoo.com> References: <906.67145.qm@web53803.mail.re2.yahoo.com> Message-ID: <496F0B66.9080003@ecs.soton.ac.uk> Sorted now. Thanks for pointing that out. On 15/1/09 08:16, Gene Leung wrote: > Hi all, > > I try to download the MailScanner package and its PGP signature file. The server link is broken with the following message, > > > Not Found > The requested URL /files/4/rpm/MailScanner-4.74.16-1.rpm.tar.gz.sig was not found on this server. > Additionally, a 404 Not Found > error was encountered while trying to use an ErrorDocument to handle the request. > ________________________________ > > Apache/1.3.37 Server at www.mailscanner.info Port 80 > > Is there any way I can get a copy of it? > > Best Regards > Gene Leung > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From campbell at cnpapers.com Thu Jan 15 14:26:25 2009 
From: campbell at cnpapers.com (Steve Campbell) Date: Thu Jan 15 14:26:44 2009 Subject: Spamassassin timeouts - Just an observation In-Reply-To: References: <49510578.6050801@cnpapers.com> Message-ID: <496F4791.3060409@cnpapers.com> Ugo Bellavance wrote: > Steve Campbell wrote: >> The topic seems to come up quite often, and although the answers are >> usually pretty much the same, I never really see much of a "Solved" >> reply. >> >> I upgraded from version 4.58, where I saw maybe 3 or 4 timeouts, to >> 4.71, and saw an immediate increase to around 100-300 timeouts. I ran >> all of the --debug and --debug-sa flavors of help I could think of. I >> reviewed the logs. I run a caching nameserver. And I zeroed out some >> RBL scores. I still have yet to find why this happens. I eventually >> upgraded to 4.72, and started using clamd. I still get the large >> numbers of timeouts. I would think that the fact that this doesn't >> happen with all of my large batches indicates I'm not using any dead >> RBLs. >> >> I'm still exploring the causes, but haven't had much luck. I find it >> odd that SA would really keep RBLs that have expired over time in >> their default files, so I really don't think it's that. I do all of >> my checking of RBLs in SA. I always do my configuration and language >> upgrades, and search for rpmnew and rpmsave files. This has happened >> on 3 different but very similar servers that I run. >> >> I'm not really asking for assistance here, but just wanted to let >> others who are seeing this problem to be aware that there is >> something unique triggering this. I'm fairly confident that it is not >> happening at all sites, but something here is causing it. It may not >> even be related to MS/SA, but totally something else. >> >> The most I could ask for is a small checklist of what to ensure I >> have set. Every time I try to use the debug procedures, the tests >> perform flawlessly with no errors. It is very sporadic. 
We receive >> those normal bursts of spam, but for the most part, the batches ares >> small. The average amount of email per day is usually around 10k >> emails, but I get the above stated 100-300 timeouts. I'm going to try >> and match batch numbers to timeouts and see if this will reveal >> anything. I only run 3 Children on a fairly hefty Dell PowerEdge, but >> I do use 30 messages per child. I don't think this is excessive thought. >> >> Hope everyone has a Happy Holiday. > > What is the machine? > > Did you check the optimization section of the MAQ page on the wiki? > > When running --debug --debug-sa, don't you find anything that is a bit > slow? > Ugo, I'm still fighting this thing. I don't really see anything specific when running debug. I've have reviewed the MAQ and the only thing I'm not sure about is reducing the number of RBLs that spamassassin uses. Whenever I look at my ps output for Mailscanner, it is always saying "Checking with Spamassassin", so something is amiss. I have an identical machine running with all the same settings. It runs pretty well.The only difference is each has it's own name server and obviously it's own mail flow. What is the best way to set all scores to zero for the RBLs? I had considered making a copy of 20_dnsbl_tests.cf just to get a list of all the RBLs, and modifying it to just include "score" for all of them and putting them in my local.cf or spam.assassin.prefs.conf.file, but is this the proper way? Thanks to all who have tried to help. Steve From maillists at conactive.com Thu Jan 15 14:50:28 2009 
From: maillists at conactive.com (Kai Schaetzl)
Date: Thu Jan 15 14:50:47 2009
Subject: Spamassassin timeouts - Just an observation
In-Reply-To: <496F4791.3060409@cnpapers.com>
References: <49510578.6050801@cnpapers.com> <496F4791.3060409@cnpapers.com>
Message-ID:

I don't have the beginning of this thread anymore. Do you get a lot of
"Spamassassin timed out. Try n of 20." in your *Mailscanner* log? (I didn't
quote that warning message literally, I hope you find it nevertheless.)

I think you didn't post a "spamassassin -D --lint" yet. May I suggest you
put a text file with this up somewhere (not here), so others can have a
look?

If you are getting DNS timeouts there are only a few probable reasons:
- the machine has a performance problem, e.g. the sheer processing takes so
  long that it times out, no matter if the remote RBL replied fast or not
  (this would be the least probable)
- there is somewhere a nameserver/resolution problem along the line (this
  can include problems that are added by other software, for instance
  firewall)
- the resolver software (be it the Perl module or the resolver stack of the
  OS) has a problem

Have you tried checking the RBLs that seem to timeout more often *manually*
and repeatedly?

> I'm still fighting this thing. I don't really see anything specific when
> running debug.

no RBL timeouts?

> What is the best way to set all scores to zero for the RBLs? I had
> considered making a copy of 20_dnsbl_tests.cf just to get a list of all
> the RBLs, and modifying it to just include "score" for all of them and
> putting them in my local.cf or spam.assassin.prefs.conf.file, but is
> this the proper way?

skip_rbl_checks already switches all non-URIBL dns checks off. If you do
like you supposed you would be able to switch the rest of them off. However,
if you clearly see that RBL timeouts are happening excessively you want to
rather fix that instead of switching it all off.
At the moment it seems to me that *you* are not sure yet if the problem
relates from dns timeouts or not. However, from all I remember that seems to
be your problem indeed.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From davidj at synaq.com Thu Jan 15 15:19:28 2009
From: davidj at synaq.com (David Jacobson)
Date: Thu Jan 15 15:19:41 2009
Subject: Spamassassion Action rules question
Message-ID: <11063200.381232032764040.JavaMail.davidj@chronic>

Hi There,

I would like to enable an "auto reply" message to the sender when a certain
Spamassassin Rule is hit.

I have looked through the documentation and from what I can see the only
option that is close to this is bounce, but I would need to do it with a
particular message (not a bounce message, a custom message)

Please can someone advise if the above is possible?

-- 
Regards,
David Jacobson
Technical Director
SYNAQ (Pty) Ltd
Tel: 011 262 3628
Direct: 011 262 3626
Fax: 086 637 8868
Cell: 083 235 0760
Mail: davidj@synaq.com
Web: http://www.synaq.com
Key Fingerprint 8246 FCE1 3C22 7EFB E61B 18DF 6E8B 65E8 BD50 78A1

From ja at conviator.com Thu Jan 15 15:22:44 2009
From: ja at conviator.com (Jan Agermose)
Date: Thu Jan 15 15:23:00 2009
Subject: mqueue.in cleanup
Message-ID:

hi

I have a problem on my server in that mqueue.in fills with old files that
are never removed - files back one year - I think it's safe to say they will
not get delivered.

Is there some "find" command that can remove all files older than 14 days if
it's safe to do so or should I clean up in some other way?

regards
Jan

From shuttlebox at gmail.com Thu Jan 15 15:36:01 2009
From: shuttlebox at gmail.com (shuttlebox)
Date: Thu Jan 15 15:36:12 2009
Subject: mqueue.in cleanup
In-Reply-To:
References:
Message-ID: <625385e30901150736ubc3397cx7f3a564edd42aaf4@mail.gmail.com>

On Thu, Jan 15, 2009 at 4:22 PM, Jan Agermose wrote:
> hi
>
> I have a problem on my server in that mqueue.in fills with old files that
> are never removed - files back one year - I think it's safe to say they will
> not get delivered.
>
> Is there some "find" command that can remove all files older than 14 days if
> it's safe to do so or should I clean up in some other way?

Put this in root's crontab:

0 4 * * * find /var/spool/mqueue.in -mtime +14 | xargs rm -f

Typically a mail server only tries to deliver something for 5 days so
you could lower 14 if you want.

-- 
/peter

From prandal at herefordshire.gov.uk Thu Jan 15 15:44:52 2009
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Thu Jan 15 15:45:12 2009
Subject: mqueue.in cleanup
In-Reply-To:
References:
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA05A58CAA@HC-MBX02.herefordshire.gov.uk>

I use this bash script to clean up orphaned files

#!/bin/bash
# clean up orphaned df* files in mqueue.in
# no known cause for these files yet.

/etc/init.d/MailScanner stop
sleep 30

dir="/var/spool/mqueue.in"
# only regular df* files are candidates, so the queue directory itself
# and any tf/xf files are never moved
file=`find $dir -type f -name 'df*' -mtime +1`
for i in ${file}
do
  m=`basename ${i}`
  # strip the leading "df" to get the queue ID
  j=${m:2}
  # no matching qf control file: move the data file out of the queue
  if [ ! -e "${dir}/qf${j}" ]; then
    mv ${i} /var/tmp/
  fi
done

echo
df -hl
/etc/init.d/MailScanner restart
exit 0

Cheers,

Phil

-- 
Phil Randal | Networks Engineer
Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: prandal@herefordshire.gov.uk

Any opinion expressed in this e-mail or any attached files are those of the
individual and not necessarily those of Herefordshire Council.

This e-mail and any attached files are confidential and intended solely for
the use of the addressee. This communication may contain material protected
by law from being passed on. If you are not the intended recipient and have
received this e-mail in error, you are advised that any use, dissemination,
forwarding, printing or copying of this e-mail is strictly prohibited. If
you have received this e-mail in error please contact the sender immediately
and destroy all copies of it.

________________________________

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jan Agermose
Sent: 15 January 2009 15:23
To: MailScanner discussion
Subject: mqueue.in cleanup

hi

I have a problem on my server in that mqueue.in fills with old files that
are never removed - files back one year - I think it's safe to say they will
not get delivered.

Is there some "find" command that can remove all files older than 14 days if
it's safe to do so or should I clean up in some other way?

regards
Jan

From maxsec at gmail.com Thu Jan 15 15:45:29 2009
From: maxsec at gmail.com (Martin Hepworth)
Date: Thu Jan 15 15:45:39 2009
Subject: Spamassassin timeouts - Just an observation
In-Reply-To: <496F4791.3060409@cnpapers.com>
References: <49510578.6050801@cnpapers.com> <496F4791.3060409@cnpapers.com>
Message-ID: <72cf361e0901150745k560c1f28j87da5e9c970da5d6@mail.gmail.com>

2009/1/15 Steve Campbell :
>
>
> Ugo Bellavance wrote:
>>
>> Steve Campbell wrote:
>>>
>>> The topic seems to come up quite often, and although the answers are
>>> usually pretty much the same, I never really see much of a "Solved" reply.
>>>
>>> I upgraded from version 4.58, where I saw maybe 3 or 4 timeouts, to 4.71,
>>> and saw an immediate increase to around 100-300 timeouts. I ran all of the
>>> --debug and --debug-sa flavors of help I could think of. I reviewed the
>>> logs. I run a caching nameserver. And I zeroed out some RBL scores. I still
>>> have yet to find why this happens. I eventually upgraded to 4.72, and
>>> started using clamd. I still get the large numbers of timeouts. I would
>>> think that the fact that this doesn't happen with all of my large batches
>>> indicates I'm not using any dead RBLs.
>>>
>>> I'm still exploring the causes, but haven't had much luck. I find it odd
>>> that SA would really keep RBLs that have expired over time in their default
>>> files, so I really don't think it's that. I do all of my checking of RBLs in
>>> SA. I always do my configuration and language upgrades, and search for
>>> rpmnew and rpmsave files. This has happened on 3 different but very similar
>>> servers that I run.
>>>
>>> I'm not really asking for assistance here, but just wanted to let others
>>> who are seeing this problem to be aware that there is something unique
>>> triggering this. I'm fairly confident that it is not happening at all sites,
>>> but something here is causing it. It may not even be related to MS/SA, but
>>> totally something else.
>>>
>>> The most I could ask for is a small checklist of what to ensure I have
>>> set. Every time I try to use the debug procedures, the tests perform
>>> flawlessly with no errors. It is very sporadic. We receive those normal
>>> bursts of spam, but for the most part, the batches are small. The average
>>> amount of email per day is usually around 10k emails, but I get the above
>>> stated 100-300 timeouts. I'm going to try and match batch numbers to
>>> timeouts and see if this will reveal anything. I only run 3 Children on a
>>> fairly hefty Dell PowerEdge, but I do use 30 messages per child. I don't
>>> think this is excessive though.
>>>
>>> Hope everyone has a Happy Holiday.
>>
>> What is the machine?
>>
>> Did you check the optimization section of the MAQ page on the wiki?
>>
>> When running --debug --debug-sa, don't you find anything that is a bit
>> slow?
>>
>
> Ugo,
>
> I'm still fighting this thing. I don't really see anything specific when
> running debug. I've reviewed the MAQ and the only thing I'm not sure
> about is reducing the number of RBLs that spamassassin uses. Whenever I look
> at my ps output for Mailscanner, it is always saying "Checking with
> Spamassassin", so something is amiss. I have an identical machine running
> with all the same settings. It runs pretty well. The only difference is each
> has its own name server and obviously its own mail flow.
>
> What is the best way to set all scores to zero for the RBLs? I had
> considered making a copy of 20_dnsbl_tests.cf just to get a list of all the
> RBLs, and modifying it to just include "score" for all of them and putting
> them in my local.cf or spam.assassin.prefs.conf.file, but is this the proper
> way?
>
> Thanks to all who have tried to help.
>
> Steve
>

Steve

in a word - yes.
If you want to turn most of the RBLs off then give each one you don't want a
zero score in local.cf or spam.assassin.prefs.conf (which should be linked
from mailscanner.cf in the same directory as local.cf). You'll prob find the
actual initial scores in the 50_scores.cf rather than the 20_dnsbl_tests.cf
file.

-- 
Martin Hepworth
Oxford, UK

From campbell at cnpapers.com Thu Jan 15 17:01:08 2009
From: campbell at cnpapers.com (Steve Campbell)
Date: Thu Jan 15 17:01:30 2009
Subject: testing my subscription
Message-ID: <496F6BD4.1080004@cnpapers.com>

Just a test. I put the mailscanner listserver in my access db by mistake and
am wondering if I have been flagged.

sorry.

From maillists at conactive.com Thu Jan 15 17:31:36 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Thu Jan 15 17:31:48 2009
Subject: Spamassassion Action rules question
In-Reply-To: <11063200.381232032764040.JavaMail.davidj@chronic>
References: <11063200.381232032764040.JavaMail.davidj@chronic>
Message-ID:

David Jacobson wrote on Thu, 15 Jan 2009 17:19:28 +0200 (SAST):

> I would like to enable a "auto reply" message to the sender when a certain Spamassassin Rule is hit.

first thing that comes to mind is forward that message to an alias that
creates a return message.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From campbell at cnpapers.com Thu Jan 15 17:58:01 2009
From: campbell at cnpapers.com (Steve Campbell)
Date: Thu Jan 15 17:58:15 2009
Subject: Spamassassin timeouts - Just an observation
In-Reply-To:
References: <49510578.6050801@cnpapers.com> <495E1DBF.3090602@cnpapers.com> <72cf361e0901020705h79fad4c8x9dc440faa83fcd2f@mail.gmail.com> <495E5C78.7040805@cnpapers.com>
Message-ID: <496F7929.8080608@cnpapers.com>

Sorry for the redundant reply I've posted lately. I added the listserver to
my access db and wasn't getting replies. Don't know why or how it came to
be, but I did. I've been working on the problem server and didn't notice I
wasn't receiving MailScanner messages. So I'll try and catch up with all of
your replies.

Kai,

I've posted the spamassassin -D --lint at www.cnpapers.com/salint

I don't think I'm getting dns timeouts, but I could be due to the overall
slowness. Turning on querylog and viewing the log seems to be fine. I see no
slowness there. I'm running a local caching nameserver.

I added zero scores for all the RBLs that were listed in 20_dnsbl_test.cf.
It didn't make a difference that I could see. I then read about
skip_rbl_checks in your mail.. I haven't tried this option yet.

I don't see anything about rbl timeouts in any of the log. I'm not sure what
they look like. So I'd have to say "I don't know if I'm getting them or
not.".

Ugo,

Since I didn't get your reply (or anyone else's), my post must have seemed a
little stupid. I seem to be a champ at making a bad situation worse. The
machine gets so bogged down, it's hard to tell what is and what isn't
messing up when I run the debug and debug-sa. I see no errors though.

Martin,

Thanks for repeating what I didn't see, even though I didn't see yours
either. I've re-read all the replies in the archive, hence the post here. I
have ordered 2 GB more RAM for this machine, so it will be tripled the
original. Should be in next week.

Nigel,

Not sure we're have the same problem or not, but we might be. Misery loves
company.

If I missed anyone, thanks to you as well.

I have also put a throttle on incoming sendmail connections (4). It
originally was 0 (unlimited). All of my sendmail times are set pretty low.
I've played with all sorts of different setting in Mailscanner.conf like
batch size, and the like. I'm back to 3 Children with 30 messages each.

The machine is slowly getting behind again today, although the load average
is not as bad as usual since zeroing all the scores. Next to try the
skip_rbl_checks and then wait for the RAM.

If anyone ventures a view of the page I posted and sees anything, please
bring it to my attention.

Thanks again

Steve

From rabellino at di.unito.it Thu Jan 15 19:22:10 2009
From: rabellino at di.unito.it (Sergio Rabellino)
Date: Thu Jan 15 19:22:41 2009
Subject: mqueue.in cleanup
In-Reply-To:
References:
Message-ID: <496F8CE2.5010002@di.unito.it>

my 5 cent... (for sendmail only I think)

> #!/bin/sh
> # remove zero length qf files
> cd /anywhere/usr/var/mqueue.in
>
> for qffile in qf*
> do
>   if [ -r $qffile ]
>   then
>     if [ ! -s $qffile ]
>     then
>       echo " "
>       rm -f $qffile
>     fi
>   fi
> done
> # rename tf files to be qf if the qf does not exist
> for tffile in tf*
> do
>   qffile=`echo $tffile | sed 's/t/q/'`
>   if [ -r $tffile -a ! -f $qffile ]
>   then
>     echo " "
>     mv $tffile $qffile
>   else
>     if [ -f $tffile ]
>     then
>       echo " "
>       rm -f $tffile
>     fi
>   fi
> done
> # remove df files with no corresponding qf files
> for dffile in df*
> do
>   qffile=`echo $dffile | sed 's/d/q/'`
>   if [ -r $dffile -a ! -f $qffile ]
>   then
>     echo " "
>     mv $dffile `echo $dffile | sed 's/d/D/'`
>   fi
> done
> # announce files that have been saved during disaster recovery
> for xffile in xf*
> do
>   if [ -f $xffile ]
>   then
>     echo " "
>   fi
> done

Jan Agermose wrote:
>
> hi
>
> I have a problem on my server in that mqueue.in fills with old files
> that are never removed - files back one year - I think it's safe to say
> they will not get delivered.
>
> Is there some "find" command that can remove all files older than 14
> days if it's safe to do so or should I clean up in some other way?
>
>
>
> regards
>
> Jan
>
>
>
>
>

-- 
Ing. Sergio Rabellino

Università degli Studi di Torino
Dipartimento di Informatica
ICT Services Director
Tel +39-0116706701 Fax +39-011751603
C.so Svizzera , 185 - 10149 - Torino

From psaweikis at techpro.com Thu Jan 15 19:25:58 2009
From: psaweikis at techpro.com (Patrick Saweikis)
Date: Thu Jan 15 19:26:09 2009
Subject: Content scanning / MCP?
References: <48BB86B1412E3D429DECB241A39A62E8014E3C2C@W2K3-EXCHANGE02.mmsasp.local> <48BB86B1412E3D429DECB241A39A62E8071B46@W2K3-EXCHANGE02.mmsasp.local>
Message-ID: <48BB86B1412E3D429DECB241A39A62E8071B52@W2K3-EXCHANGE02.mmsasp.local>

We have it setup now where it is looking for the "always allowed" phrases in
the subject and body of all inbound messages, and gives an MCP score of -100
when it hits. The only problem with this is it still goes to the second
spamassassin check and if it gets flagged as spam, the fact that it had a
-100 MCP scored does not affect the SA score and it is still not delivered.
Is there a way to set a rule so that if the MCP score is below a certain
threshold it stops scanning and delivers the message?

________________________________

From: mailscanner-bounces@lists.mailscanner.info on behalf of Patrick Saweikis
Sent: Mon 1/12/2009 2:14 PM
To: mailscanner@lists.mailscanner.info
Subject: RE: Content scanning / MCP?

I apologize, I should have given more detail in my question... I have about
10,000 users, covering around 1000 domains. We have written custom code to
allow individual spam actions and individual spam scores per user, per
domain. We pull this from a MYSql table. We now have a client who needs to
have certain messages allowed through 100% of the time, we were assuming
that setting a high value of 99 to the phrase would work, but we need to be
able to limit this per user / per domain as we do spam scores and actions
from the MYSql tables. We are only worried about detection after the MTA
processes the message. We were thinking of implementing something similar to
the blacklist/whitelist custom functions. Any help would be appreciated.

Patrick.

________________________________

From: mailscanner-bounces@lists.mailscanner.info on behalf of Kai Schaetzl
Sent: Fri 1/9/2009 4:31 PM
To: mailscanner@lists.mailscanner.info
Subject: Re: Content scanning / MCP?

Patrick Saweikis wrote on Fri, 9 Jan 2009 14:20:51 -0600:

> We have a user on our mail system who wants to always ALLOW
> messages with specific content in the message subject and body through.
> Does anyone know if this is possible? If so, how would we accomplish it?
> I have been looking into using MCP, but from what I have read that is
> for denying specific message content only

MCP is basically a second spamassassin run. You can just do the same during
the normal SA run. Stephen pointed at some caveats. There is an SA plugin
for simple whitelisting by subject, it just needs to be enabled in the *.pre
file in /etc/mail/spamassassin. But this will whitelist for all users. I
think the better approach is to whitelist the assumed senders or give that
user a special alias that doesn't get filtered and that he can hand out to
those where he thinks there might be delivery problems.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

-- 
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From maillists at conactive.com Thu Jan 15 19:31:19 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Thu Jan 15 19:31:31 2009
Subject: Spamassassin timeouts - Just an observation
In-Reply-To: <496F7929.8080608@cnpapers.com>
References: <49510578.6050801@cnpapers.com> <495E1DBF.3090602@cnpapers.com> <72cf361e0901020705h79fad4c8x9dc440faa83fcd2f@mail.gmail.com> <495E5C78.7040805@cnpapers.com> <496F7929.8080608@cnpapers.com>
Message-ID:

Steve Campbell wrote on Thu, 15 Jan 2009 12:58:01 -0500:

> I don't think I'm getting dns timeouts,

I went to the archives to read some of your earlier replies.

> I have reduced the number of children on all machines from 5 to 3. This
> has reduced the total of timeouts - which sort of points to machine
> capacity. I only use 10 messages per batch. The main machines have 1 GB
> of RAM.

You were running 5 MS children with 1 GB of RAM? Each of these children
might need around 100 MB, so half of that goes to MS+SA alone. You are
using a *lot* of extra rules. That all adds to RAM. Check what "ps
waux|grep Mail" says about memory. Do you run clamd or clamav or even the
clamav module. This also adds to RAM.

Are you checking load average regularly? What does free tell about memory
usage and swap?

Currently, you have disabled all RBL tests, so timeouts, if there are any,
won't show for these, of course.
Have you already timed (a few times) a spamassassin -D -lint run during
normal production hours?

If this is a load issue but occurs not too often (300 timeouts out of 10k
processed messages isn't that bad) you might just use a longer timeout
setting for SA and/or reduce the size of the message that you hand over
to SA.

> Next to try the skip_rbl_checks

you are already skipping!

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From ja at conviator.com Thu Jan 15 19:36:13 2009
From: ja at conviator.com (Jan Agermose)
Date: Thu Jan 15 19:37:26 2009
Subject: mqueue.in cleanup
In-Reply-To: <496F8CE2.5010002@di.unito.it>
References: <496F8CE2.5010002@di.unito.it>
Message-ID:

thanks for the good suggestions posted.

Regards
Jan

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Sergio Rabellino
Sent: 15. januar 2009 20:22
To: MailScanner discussion
Subject: Re: mqueue.in cleanup

From campbell at cnpapers.com Thu Jan 15 19:37:40 2009
From: campbell at cnpapers.com (Steve Campbell)
Date: Thu Jan 15 19:39:38 2009
Subject: mqueue.in cleanup
In-Reply-To: <496F8CE2.5010002@di.unito.it>
References: <496F8CE2.5010002@di.unito.it>
Message-ID: <496F9084.2090906@cnpapers.com>

I think the following might work:

find /var/spool/mqueue.in/q* -empty -mtime +14 -type f -exec rm '{}' ';'

You might need to change -empty to "-size 0c" as it's not exactly what I
use, so test it first.

steve

Sergio Rabellino wrote:
> my 5 cent... (for sendmail only I think)
>
>> #!/bin/sh
>> # remove zero length qf files
>> cd /anywhere/usr/var/mqueue.in
>>
>> for qffile in qf*
>> do
>>   if [ -r $qffile ]
>>   then
>>     if [ ! -s $qffile ]
>>     then
>>       echo " "
>>       rm -f $qffile
>>     fi
>>   fi
>> done
>> # rename tf files to be qf if the qf does not exist
>> for tffile in tf*
>> do
>>   qffile=`echo $tffile | sed 's/t/q/'`
>>   if [ -r $tffile -a ! -f $qffile ]
>>   then
>>     echo " "
>>     mv $tffile $qffile
>>   else
>>     if [ -f $tffile ]
>>     then
>>       echo " "
>>       rm -f $tffile
>>     fi
>>   fi
>> done
>> # remove df files with no corresponding qf files
>> for dffile in df*
>> do
>>   qffile=`echo $dffile | sed 's/d/q/'`
>>   if [ -r $dffile -a ! -f $qffile ]
>>   then
>>     echo " "
>>     mv $dffile `echo $dffile | sed 's/d/D/'`
>>   fi
>> done
>> # announce files that have been saved during disaster recovery
>> for xffile in xf*
>> do
>>   if [ -f $xffile ]
>>   then
>>     echo " "
>>   fi
>> done
>
>
> Jan Agermose wrote:
>>
>> hi
>>
>> I have a problem on my server in that mqueue.in fills with old files
>> that are never removed - files back one year - I think it's safe to
>> say they will not get delivered.
>>
>> Is there some "find" command that can remove all files older than 14
>> days if it's safe to do so or should I clean up in some other way?
>>
>>
>>
>> regards
>>
>> Jan
>>
>>
>>
>>
>>
>
> --
> Ing. Sergio Rabellino
>
> Università degli Studi di Torino
> Dipartimento di Informatica
> ICT Services Director
> Tel +39-0116706701 Fax +39-011751603
> C.so Svizzera , 185 - 10149 - Torino
>
>
>

From campbell at cnpapers.com Thu Jan 15 20:00:30 2009
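Added example, not part of any message in this thread: the mqueue.in cleanup ideas discussed above (an age threshold, the df-without-qf orphan test, and moving files aside rather than deleting them) combined into one POSIX shell function. The function name, the quarantine directory and the dry-run argument are assumptions made for the example; it assumes sendmail-style qf<ID>/df<ID> queue file names and a find that supports -maxdepth.

```sh
#!/bin/sh
# Added example: quarantine orphaned data files from a MailScanner incoming
# queue. Assumes sendmail-style names: qf<ID> (control) and df<ID> (data).
# The function name and the quarantine directory are hypothetical.
#
# usage: quarantine_orphans QUEUE_DIR HOLD_DIR [MIN_AGE_DAYS] [dry-run]
#   prints one path per orphaned df file; moves it to HOLD_DIR unless the
#   fourth argument is "dry-run". Returns 2 on bad arguments.
quarantine_orphans() {
    queue=$1 hold=$2 days=${3:-14} mode=${4:-move}

    # Refuse to run against something that is not a directory.
    [ -d "$queue" ] || { echo "not a directory: $queue" >&2; return 2; }

    # The age goes straight into a find expression, so accept digits only.
    case $days in
        ''|*[!0-9]*) echo "age must be a whole number of days" >&2; return 2 ;;
    esac

    # Keep held mail unreadable to other local users.
    if [ "$mode" != dry-run ]; then
        mkdir -p "$hold" && chmod 700 "$hold" || return 2
    fi

    # -type f -name 'df*' keeps the queue directory itself, qf/tf/xf files
    # and subdirectories out of the candidate list. The age test protects a
    # message that is still arriving and has a df file but no qf file yet.
    # Passing names through -exec ... {} + avoids word splitting on paths.
    find "$queue" -maxdepth 1 -type f -name 'df*' -mtime +"$days" -exec sh -c '
        queue=$1 hold=$2 mode=$3
        shift 3
        for df do
            id=${df##*/df}                       # queue ID without "df"
            [ -e "$queue/qf$id" ] && continue    # has a control file: keep
            printf "%s\n" "$df"
            [ "$mode" = dry-run ] && continue
            if [ -e "$hold/df$id" ]; then
                echo "already held, skipping: df$id" >&2
            else
                mv -- "$df" "$hold/"
            fi
        done' sh "$queue" "$hold" "$mode" {} +
}

# Run only when called with arguments, for example:
#   sh quarantine.sh /var/spool/mqueue.in /var/tmp/mqueue-orphans 14 dry-run
if [ "$#" -ge 2 ]; then
    quarantine_orphans "$@"
fi
```

Run it with dry-run first and compare the printed list with the queue before letting it move anything; held files can be moved back into the queue directory if one turns out to be wanted.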
From: campbell at cnpapers.com (Steve Campbell)
Date: Thu Jan 15 20:00:46 2009
Subject: Spamassassin timeouts - Just an observation
In-Reply-To:
References: <49510578.6050801@cnpapers.com> <495E1DBF.3090602@cnpapers.com> <72cf361e0901020705h79fad4c8x9dc440faa83fcd2f@mail.gmail.com> <495E5C78.7040805@cnpapers.com> <496F7929.8080608@cnpapers.com>
Message-ID: <496F95DE.9040501@cnpapers.com>

Kai Schaetzl wrote:
> Steve Campbell wrote on Thu, 15 Jan 2009 12:58:01 -0500:
>
>
>> I don't think I'm getting dns timeouts,
>>
>
> I went to the archives to read some of your earlier replies.
>
>
>> I have reduced the number of children on all machines from 5 to 3. This
>> has reduced the total of timeouts - which sort of points to machine
>> capacity. I only use 10 messages per batch. The main machines have 1 GB
>> of RAM.
>>
>
> You were running 5 MS children with 1 GB of RAM? Each of these children
> might need around 100 MB, so half of that goes to MS+SA alone. You are
> using a *lot* of extra rules. That all adds to RAM. Check what "ps
> waux|grep Mail" says about memory. Do you run clamd or clamav or even the
> clamav module. This also adds to RAM.
>

I still go back to the fact that two versions ago, this wasn't a problem.
And there were considerably more emails to give to MS/SA. I'm not arguing,
mind you. I think you're probably right about not enough RAM. I've been
begging for it for months, and only after the dramatic slowdowns and
complaints did I get to order it.

> Are you checking load average regularly? What does free tell about memory
> usage and swap?
>

I monitor load average with MailWatch up most of the day when problems
occur. We seem to have slow mornings with LA way below 1. The afternoon's LA
start climbing along with the input queue backlog. Right now, we're about 50
minutes behind with about 500 messages waiting. top tells me I'm using
almost all memory with 200 MB swap being used. That was why I started
begging for RAM.

> Currently, you have disabled all RBL tests, so timeouts, if there are any,
> won't show for these, of course.
> Have you already timed (a few times) a spamassassin -D -lint run during
> normal production hours?
>

I wasn't sure I got all the scores zeroed. Just to make sure, I turned on
skip_rbl_checks. This caused the LA to steady out at about 4. It would
fluctuate as high as 8. Running spamassassin -D -lint is pretty much useless
once the backup starts. It takes its time and I don't know whether it's due
to load or problems with SA. It seems to run and output a fairly steady
output at low peak time.

> If this is a load issue but occurs not too often (300 timeouts out of 10k
> processed messages isn't that bad) you might just use a longer timeout
> setting for SA and/or reduce the size of the message that you hand over
> to SA.
>
>

Due to the access file, the server only processes about 7k a day. Tons are
rejected either due to GreetPause, mta rbl rejection, access file REJECTs.
This alone adds some load, even though not as much as it would if processed
by MS/SA.

You might have hit on something there with the size to hand over to SA. I
recently had to up this for some large files being emailed in. There's a
lawyer who was photocopying briefs, scanning them, and making a PDF to send
to someone here. The size was around 50MB. If the limit set up in MS/SA is
smaller than the size of the attachment being sent, it doesn't deliver it
and doesn't quarantine it. I wish there was an option to at least quarantine
it, but I haven't found it. We have subsequently convinced the lawyer to at
least break them up. I'll lower this, but most of the emails coming in are
on average under 10K.

>> Next to try the skip_rbl_checks
>>
>
> you are already skipping!
>

As I stated earlier, this was just to ensure I got them all. The only
difference this made was the LA spike is now steadily around 4, so I guess I
missed a few with the score thing.

> Kai
>
>

Thanks so very much for the very informative reply. Although I've been using
all of this for years, and the skip_rbl_checks used to be a common option to
change, I never thought much about it. Age does that to a person.

steve

From maillists at conactive.com Thu Jan 15 20:31:21 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Thu Jan 15 20:31:39 2009
Subject: mqueue.in cleanup
In-Reply-To: <496F8CE2.5010002@di.unito.it>
References: <496F8CE2.5010002@di.unito.it>
Message-ID:

Sergio Rabellino wrote on Thu, 15 Jan 2009 20:22:10 +0100:

> my 5 cent... (for sendmail only I think)

and where are they?

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From ssilva at sgvwater.com Thu Jan 15 20:45:28 2009
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Jan 15 20:45:47 2009
Subject: Content scanning / MCP?
In-Reply-To: <48BB86B1412E3D429DECB241A39A62E8071B52@W2K3-EXCHANGE02.mmsasp.local>
References: <48BB86B1412E3D429DECB241A39A62E8014E3C2C@W2K3-EXCHANGE02.mmsasp.local> <48BB86B1412E3D429DECB241A39A62E8071B46@W2K3-EXCHANGE02.mmsasp.local> <48BB86B1412E3D429DECB241A39A62E8071B52@W2K3-EXCHANGE02.mmsasp.local>
Message-ID:

on 1-15-2009 11:25 AM Patrick Saweikis spake the following:
> We have it setup now where it is looking for the "always allowed"
> phrases in the subject and body of all inbound messages, and gives an
> MCP score of -100 when it hits. The only problem with this is it still
> goes to the second spamassassin check and if it gets flagged as spam,
> the fact that it had a -100 MCP scored does not affect the SA score and
> it is still not delivered. Is there a way to set a rule so that if the
> MCP score is below a certain threshold it stops scanning and delivers
> the message?
>

Can't you just add a regular spamassassin rule that does the same thing? A
rule that finds the header, a rule that finds the subject, and maybe a meta
rule that fires -100 if both are true. That should work almost the same way
as whitelisting, except Mailwatch won't say whitelisted in the display.

-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From mikael at syska.dk Fri Jan 16 02:02:41 2009
From: mikael at syska.dk (Mikael Syska)
Date: Fri Jan 16 02:02:51 2009
Subject: bug on FreeBSD with Perl 5.8.9
Message-ID: <6beca9db0901151802u1d4c6960g6cc084cb4781ce98@mail.gmail.com>

Hi,

I just upgraded from perl 5.8.8 to 5.8.9 .... and got this:

"Insecure dependency in chown while running with -T switch at
/usr/local/lib/MailScanner/MailScanner/Message.pm line 2207"

Well ... that can be turned off by adding -U to the MailScanner file
in /usr/local/sbin/MailScanner.

But then I just got a lot of other errors:

Can't locate object method "1878035063" via package "vars" at /usr/local/lib/perl5/site_perl/5.8.9/MIME/Decoder/QuotedPrint.pm line 52.
BEGIN failed--compilation aborted at /usr/local/lib/perl5/site_perl/5.8.9/MIME/Decoder/QuotedPrint.pm line 52.
Compilation failed in require at (eval 100) line 1.
 at /usr/local/lib/perl5/site_perl/5.8.9/MIME/Parser.pm line 821
Can't locate object method "1878035063" via package "MIME::Decoder" at /usr/local/lib/perl5/site_perl/5.8.9/MIME/Decoder/Binary.pm line 42.
BEGIN failed--compilation aborted at /usr/local/lib/perl5/site_perl/5.8.9/MIME/Decoder/Binary.pm line 42.
Compilation failed in require at (eval 101) line 1.
 at /usr/local/lib/perl5/site_perl/5.8.9/MIME/Parser.pm line 827
Can't locate object method "1878035063" via package "strict" at /usr/local/lib/perl5/5.8.9/Text/ParseWords.pm line 3.
BEGIN failed--compilation aborted at /usr/local/lib/perl5/5.8.9/Text/ParseWords.pm line 3.
Compilation failed in require at /usr/local/lib/perl5/5.8.9/mach/File/Glob.pm line 152.

But ... if this is fixed in the current release I can't say ... the
freebsd ports tree contains: MailScanner-4.67.6_3 which is from 15 Sep
2008 20:56:38, so a little old. about a half a year.
So ... my only option I could find ... as my mail system was down was
to turn back to perl 5.8.8.

Anyone else got this problem ? On other systems ?

What does other freebsd sysadmins do to stay current and not have a
messed system where something is from other sources to be able to have
a up-to-date system ?
If there are any one out there also using freebsd ... and using Julian
package from http://mailscanner.info I will be more than happy to hear
from them.

well, it's late here ... got darn freebsd update late .... reminder:
DONT DO IT.
well .. it's running now, only 22k messages to process :-p

best regards
Mikael Syska

From ja at conviator.com Fri Jan 16 06:31:01 2009
From: ja at conviator.com (Jan Agermose)
Date: Fri Jan 16 06:33:28 2009
Subject: more than one ruleset/customfunction
Message-ID:

hi

is it possible to have more than one ruleset or customfunction or a
combination to a setting?

something like:

High SpamAssassin Score = &MySpecialFunktion %rules-dir%/and.some.more.rules

or

High SpamAssassin Score = &MySpecialFunktion1 &MySpecialFunktion2

regards
Jan

From drew.marshall at technologytiger.net Fri Jan 16 07:13:04 2009
From: drew.marshall at technologytiger.net (Drew Marshall)
Date: Fri Jan 16 07:13:19 2009
Subject: bug on FreeBSD with Perl 5.8.9
In-Reply-To: <6beca9db0901151802u1d4c6960g6cc084cb4781ce98@mail.gmail.com>
References: <6beca9db0901151802u1d4c6960g6cc084cb4781ce98@mail.gmail.com>
Message-ID: <307646C1-E690-4E57-98D0-77C4E394F716@technologytiger.net>

On 16 Jan 2009, at 02:02, Mikael Syska wrote:

> But ... if this is fixed in the current release I can't say ... the
> freebsd ports tree contains: MailScanner-4.67.6_3 which is from 15 Sep
> 2008 20:56:38, so a little old. about a half a year.
> So ... my only option I could find ... as my mail system was down was
> to turn back to perl 5.8.8.
>
> Anyone else got this problem ? On other systems ?
>
> What does other freebsd sysadmins do to stay current and not have a
> messed system where something is from other sources to be able to have
> a up-to-date system ?
> If there are any one out there also using freebsd ... and using Julian
> package from http://mailscanner.info I will be more than happy to hear
> from them.

I did post a new port file a few days ago. It's unofficial but works for me.
I have also discussed this with Jan-Peter the maintainer of the MailScanner
port (Who has been very busy recently hence not had time to bring things
right up to date) and he has made a new port, which is being tested (And has
found some errors so it can't be released just yet). Give the man a few more
days and I am sure you will have an updated official port.

Having said that, I don't know if the latest version of MS runs in Perl
5.8.9 as I haven't updated that yet (Now there is a big move I would like to
test a bit before rolling out live!)

> well, it's late here ... got darn freebsd update late .... reminder:
> DONT DO IT.

...Without testing it :-)

> well .. it's running now, only 22k messages to process :-p

Nice, I hope they have gone before your users wake up ;-)

Drew

-- 
In line with our policy, this message has been scanned for viruses and
dangerous content by Technology Tiger's Mail Launder system
Our email policy can be found at www.technologytiger.net/policy

Technology Tiger Limited is registered in Scotland with registration number: 310997
Registered Office 55-57 West High Street Inverurie AB51 3QQ

From maxsec at gmail.com Fri Jan 16 09:08:18 2009
From: maxsec at gmail.com (Martin Hepworth)
Date: Fri Jan 16 09:08:27 2009
Subject: Spamassassin timeouts - Just an observation
In-Reply-To: <496F95DE.9040501@cnpapers.com>
References: <49510578.6050801@cnpapers.com>
 <495E1DBF.3090602@cnpapers.com>
 <72cf361e0901020705h79fad4c8x9dc440faa83fcd2f@mail.gmail.com>
 <495E5C78.7040805@cnpapers.com>
 <496F7929.8080608@cnpapers.com>
 <496F95DE.9040501@cnpapers.com>
Message-ID: <72cf361e0901160108x67a36e6btca93981deddb82f6@mail.gmail.com>

Steve

As you're only processing 7k messages a day with MS I'd suggest 5
children is a little high. 3 or even two could well be enough. Also
look at the batch size...again 10 should be more than enough for this
level of processing.

There's a lot of difference from 4.58 to 4.71, with things like the
spamassassin cache in the mix.

I'd say drop the children and batch size down, add the ram (never a bad
thing!) and upgrade to 4.74. If it's causing problems then any fixes Jules
produces will be based on 4.74 anyway so first thing he'll say is upgrade!

--
Martin

2009/1/15 Steve Campbell :
>
>
> Kai Schaetzl wrote:
>>
>> Steve Campbell wrote on Thu, 15 Jan 2009 12:58:01 -0500:
>>
>>
>>>
>>> I don't think I'm getting dns timeouts,
>>>
>>
>> I went to the archives to read some of your earlier replies.
>>
>>
>>>
>>> I have reduced the number of children on all machines from 5 to 3. This
>>> has reduced the total of timeouts - which sort of points to machine
>>> capacity. I only use 10 messages per batch. The main machines have 1 GB of
>>> RAM.
>>>
>>
>> You were running 5 MS children with 1 GB of RAM? Each of these children
>> might need around 100 MB, so half of that goes to MS+SA alone. You are using
>> a *lot* of extra rules. That all adds to RAM. Check what "ps waux|grep Mail"
>> says about memory. Do you run clamd or clamav or even the clamav module.
>> This also adds to RAM.
>>
>
> I still go back to the fact that two versions ago, this wasn't a problem.
> And there were considerably more emails to give to MS/SA. I'm not arguing,
> mind you. I think you're probably right about not enough RAM. I've been
> begging for it for months, and only after the dramatic slowdowns and
> complaints did I get to order it.
>
>> Are you checking load average regularly? What does free tell about memory
>> usage and swap?
>>
>
> I monitor load average with MailWatch up most of the day when problems
> occur. We seem to have slow mornings with LA way below 1. The afternoon's LA
> start climbing along with the input queue backlog. Right now, we're about 50
> minutes behind with about 500 messages waiting.
>
> top tells me I'm using almost all memory with 200 MB swap being used. That
> was why I started begging for RAM.
>>
>> Currently, you have disabled all RBL tests, so timeouts, if there are any,
>> won't show for these, of course.
>> Have you already timed (a few times) a spamassassin -D -lint run during
>> normal production hours?
>>
>
> I wasn't sure I got all the scores zeroed. Just to make sure, I turned on
> skip_rbl_checks. This caused the LA to steady out at about 4. It would
> fluctuate as high as 8.
>
> Running spamassassin -D -lint is pretty much useless once the backup starts.
> It takes it's time and I don't know whether it's due to load or problems
> with SA. It seems to run and output a fairly steady output at low peak time.
>>
>> If this is a load issue but occurs not too often (300 timouts out of 10k
>> processed messages isn't that bad) you might just use a longer timeout
>> setting for SA or and/or reduce the size of the message that you hand over
>> to SA.
>>
>>
>
> Due to the access file, the server only processes about 7k a day. Tons are
> rejected either due to GreetPause, mta rbl rejection, access file REJECTs.
> This alone adds some load, even though not as much as it would if processed
> by MS/SA.
>
> You might have hit on something there with the size to hand over to SA. I
> recently had to up this for some large files being emailed in. There's a
> lawyer who was photocopying briefs, scanning them, and making a PDF to send
> to someone here. The size was around 50MB. If the limit set up in MS/SA is
> smaller than the size of the attachment being sent, it doesn't deliver it
> and doesn't quarantine it. I wish there was an option to at least quarantine
> it, but I haven't found it. We have subsequently convinced the lawyer to at
> least break them up. I'll lower this, but most of the emails coming in are
> on average under 10K.
>>>
>>> Next to try the skip_rbl_checks
>>>
>>
>> you are already skipping!
>>
>
> As I stated earlier, this was just to ensure I got them all. The only
> difference this made was the LA spike is now steadily around 4, so I guess I
> missed a few with the score thing.
>>
>> Kai
>>
>>
>
> Thanks so very much for the very informative reply. Although I've been using
> all of this for years, and the skip_rbl_checks used to be a common option to
> change, I never thought much about it. Age does that to a person.
>
> steve
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

--
Martin Hepworth
Oxford, UK

From mikael at syska.dk Fri Jan 16 10:16:11 2009
From: mikael at syska.dk (Mikael Syska)
Date: Fri Jan 16 10:16:21 2009
Subject: bug on FreeBSD with Perl 5.8.9
In-Reply-To: <307646C1-E690-4E57-98D0-77C4E394F716@technologytiger.net>
References: <6beca9db0901151802u1d4c6960g6cc084cb4781ce98@mail.gmail.com>
 <307646C1-E690-4E57-98D0-77C4E394F716@technologytiger.net>
Message-ID: <6beca9db0901160216i190bf876ld504b84c0d0949fe@mail.gmail.com>

Hi Drew,

Thanks for the reply.

On Fri, Jan 16, 2009 at 8:13 AM, Drew Marshall wrote:
> On 16 Jan 2009, at 02:02, Mikael Syska wrote:
>
>> But ... if this is fixed in the current release I can't say ... the
>> freebsd ports tree contains: MailScanner-4.67.6_3 which is from 15 Sep
>> 2008 20:56:38, so a little old. about a half a year.
>> So ... my only option I could find ... as my mail system was down was
>> to turn back to perl 5.8.8.
>>
>> Anyone else got this problem ? On other systems ?
>>
>> What does other freebsd sysadmins do to stay current and not have a
>> messed system where something is from other sources to be able to have
>> a up-to-date system ?
>> If there are any one out there also using freebsd ... and using Julian
>> package from http://mailscanner.info I will be more than happy to hear
>> from them.
>
> I did post a new port file a few days ago. In unofficial but works for me. I
> have also discussed this with Jan-Peter the maintainer of the MailScanner
> port (Who has been very busy recently hence not had time to bring things
> right up to date) and he has made a new port, which is being tested (And has
> found some errors so it can't be released just yet). Give the man a few more
> days and I am sure you will have an updated official port.

I will ... just wanted to know what other did ... and I'm looking
forward to the new release.

> Having said that, I don't know if the latest version of MS runs in Perl
> 5.8.9 as I haven't updated that yet (Now there is a big move I would like to
> test a bit before rolling out live!)

hehe, yes, I also tested it ... and of course there was a problem,
gahhh, thank god for "portdowngrade" made it a bit easier to rollback.

>
>> well, its late here ... got darn freebsd update late .... reminder: DONT
>> DO IT.
>
> ...With out testing it :-)

Yes, that's the only reason I found the error.

>
>> well .. its running now, only 22k messages to process :-p
>
> Nice, I hope they have gone before your users wake up ;-)

Actually, the only mail I got this morning was from my boss asking if
the MailScanner could handle the load ... but it processed the 25k
messages in 1 hour ...

>
> Drew
>
> --

best regards
Mikael Syska

From MailScanner at ecs.soton.ac.uk Fri Jan 16 10:34:09 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Jan 16 10:34:34 2009
Subject: more than one ruleset/customfunction
In-Reply-To:
References:
Message-ID: <497062A1.5050703@ecs.soton.ac.uk>

On 16/1/09 06:31, Jan Agermose wrote:
>
> hi
>
> is it possible to have more than one ruleset or customfunction or a
> combination to a setting?
>
> something like:
>
> High SpamAssassin Score = &MySpecialFunktion
> %rules-dir%/and.some.more.rules
>

No. But the examples in
/usr/lib/MailScanner/MailScanner/CustomFunctions/Ruleset-from-Function.pm
clearly demonstrate how to call a ruleset from within a Custom Function,
which should solve your problem.

>
> or
>
> High SpamAssassin Score = &MySpecialFunktion1 &MySpecialFunktion2
>

I think you can probably work out how to code that for yourself in a
Custom Function :-)

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From paul at welshfamily.com Fri Jan 16 11:38:00 2009
From: paul at welshfamily.com (Paul Welsh)
Date: Fri Jan 16 11:38:54 2009
Subject: Problem with tar and install-Clam-0.94.2-SA-3.2.5
Message-ID: <793E1E0ECC464E4FB9E457365F4B7C6B@bct.local>

Hi all

I'm sure this is a newbie error but I'm having trouble with tar. When I
extracted the MailScanner-4.74.16-1.rpm.tar.gz file, I found that "tar xzvf"
gives me an error - says it's not in gzip format. However, "tar xvf" works
fine.

When it comes to extracting install-Clam-0.94.2-SA-3.2.5 however, I get the
usual "gzip: stdin: not in gzip format" but when I try tar without the z
option I get:

# tar xvf install-Clam-SA-latest.tar.gz
install-Clam-0.94.2-SA-3.2.5/
install-Clam-0.94.2-SA-3.2.5/perl-tar/
install-Clam-0.94.2-SA-3.2.5/perl-tar/Data-Dump-1.08.tar.gz
install-Clam-0.94.2-SA-3.2.5/perl-tar/ExtUtils-ParseXS-2.18.tar.gz
install-Clam-0.94.2-SA-3.2.5/perl-tar/version-0.7203.tar.gz
tar: Skipping to next header
tar: Archive contains obsolescent base-64 headers
tar: Error exit delayed from previous errors

If I go into install-Clam-0.94.2-SA-3.2.5/perl-tar I see:

Data-Dump-1.08.tar.gz
ExtUtils-ParseXS-2.18.tar.gz
version-0.7203.tar.gz

and I can extract the first two files using tar xzvf, but when I try "tar
xzvf version-0.7203.tar.gz" or "tar xvf version-0.7203.tar.gz" I get the
following error. Any ideas? I'm running CentOS 5.2 with kernel
2.6.18-92.1.22.el5 and GNU tar 1.15.1.

# tar xzvf version-0.7203.tar.gz
version-0.7203/
version-0.7203/t/
version-0.7203/t/02derived.t
version-0.7203/t/coretests.pm
version-0.7203/t/03require.t
version-0.7203/t/01base.t
version-0.7203/lib/
version-0.7203/lib/version.pod
version-0.7203/lib/version/
version-0.7203/lib/version/typemap
version-0.7203/lib/version.pm
version-0.7203/vperl/
version-0.7203/vperl/vpp.pm
version-0.7203/vutil/
version-0.7203/vutil/lib/
version-0.7203/vutil/lib/version/
version-0.7203/vutil/lib/version/vxs.pm
version-0.7203/vutil/ppport.h
tar: Skipping to next header

gzip: stdin: unexpected end of file
tar: Child returned status 1
tar: Error exit delayed from previous errors

From MailScanner at ecs.soton.ac.uk Fri Jan 16 11:58:42 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Jan 16 11:59:16 2009
Subject: Problem with tar and install-Clam-0.94.2-SA-3.2.5
In-Reply-To: <793E1E0ECC464E4FB9E457365F4B7C6B@bct.local>
References: <793E1E0ECC464E4FB9E457365F4B7C6B@bct.local>
Message-ID: <49707672.2050900@ecs.soton.ac.uk>

Your download got corrupted. Go and fetch them again. If the problem
persists then you have a web cache getting in the way and need to find a
way around it.

As for the MailScanner....tar.gz file error, you have something
uncompressing it on its way to you. Stop it doing that. Just use "wget"
to get the files if your web browser is screwing them.

On 16/1/09 11:38, Paul Welsh wrote:
> Hi all
>
> I'm sure this is a newbie error but I'm having trouble with tar. When I
> extracted the MailScanner-4.74.16-1.rpm.tar.gz file, I found that "tar xzvf"
> gives me an error - says it's not in gzip format. However, "tar xvf" works
> fine.
>
> When it comes to extracting install-Clam-0.94.2-SA-3.2.5 however, I get the
> usual "gzip: stdin: not in gzip format" but when I try tar without the z
> option I get:
>
> # tar xvf install-Clam-SA-latest.tar.gz
> install-Clam-0.94.2-SA-3.2.5/
> install-Clam-0.94.2-SA-3.2.5/perl-tar/
> install-Clam-0.94.2-SA-3.2.5/perl-tar/Data-Dump-1.08.tar.gz
> install-Clam-0.94.2-SA-3.2.5/perl-tar/ExtUtils-ParseXS-2.18.tar.gz
> install-Clam-0.94.2-SA-3.2.5/perl-tar/version-0.7203.tar.gz
> tar: Skipping to next header
> tar: Archive contains obsolescent base-64 headers
> tar: Error exit delayed from previous errors
>
> If I go into install-Clam-0.94.2-SA-3.2.5/perl-tar I see:
>
> Data-Dump-1.08.tar.gz
> ExtUtils-ParseXS-2.18.tar.gz
> version-0.7203.tar.gz
>
> and I can extract the first two files using tar xzvf, but when I try "tar
> xzvf version-0.7203.tar.gz" or "tar xvf version-0.7203.tar.gz" I get the
> following error. Any ideas? I'm running CentOS 5.2 with kernel
> 2.6.18-92.1.22.el5 and GNU tar 1.15.1.
>
> # tar xzvf version-0.7203.tar.gz
> version-0.7203/
> version-0.7203/t/
> version-0.7203/t/02derived.t
> version-0.7203/t/coretests.pm
> version-0.7203/t/03require.t
> version-0.7203/t/01base.t
> version-0.7203/lib/
> version-0.7203/lib/version.pod
> version-0.7203/lib/version/
> version-0.7203/lib/version/typemap
> version-0.7203/lib/version.pm
> version-0.7203/vperl/
> version-0.7203/vperl/vpp.pm
> version-0.7203/vutil/
> version-0.7203/vutil/lib/
> version-0.7203/vutil/lib/version/
> version-0.7203/vutil/lib/version/vxs.pm
> version-0.7203/vutil/ppport.h
> tar: Skipping to next header
>
> gzip: stdin: unexpected end of file
> tar: Child returned status 1
> tar: Error exit delayed from previous errors
>
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From support-lists at petdoctors.co.uk Fri Jan 16 12:23:59 2009
From: support-lists at petdoctors.co.uk (Nigel Kendrick)
Date: Fri Jan 16 12:24:38 2009
Subject: Health update
In-Reply-To: <496C807E.9000404@ecs.soton.ac.uk>
References: <496C807E.9000404@ecs.soton.ac.uk>
Message-ID:

Jules,

All the best from 'down the road' in West Sussex.

Nigel

From maillists at conactive.com Fri Jan 16 12:48:16 2009
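Added example, not part of any message in this archive: a shell check for the download failures diagnosed in the tar thread above (a `.tar.gz` that arrives already decompressed, and one that arrives truncated or corrupt), run before handing the file to an installer. The function names `classify_tarball` and `make_samples` and all sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a downloaded *.tar.gz before unpacking it.
# Verdicts printed on stdout:
#   gzip-ok       gzip magic present and the stream passes "gzip -t"
#   gzip-damaged  gzip magic present but the stream is truncated or corrupt
#   plain-tar     no gzip magic and a tar header where it should be, i.e.
#                 something decompressed the file on its way to you
#   unknown       neither (saved error page, empty file, other junk)
#   unreadable    file missing or not readable
classify_tarball() {
    f=$1
    if [ ! -r "$f" ]; then
        echo "unreadable"
        return 2
    fi
    # A gzip stream starts with the two bytes 1f 8b.
    magic=$(od -An -tx1 -N2 "$f" | tr -d ' \n')
    if [ "$magic" = "1f8b" ]; then
        # Decompress to nowhere: this verifies the CRC and length trailer,
        # so a short download fails ("unexpected end of file").
        if gzip -t <"$f" 2>/dev/null; then
            echo "gzip-ok"
            return 0
        fi
        echo "gzip-damaged"
        return 1
    fi
    # ustar and GNU tar headers both carry "ustar" at byte offset 257.
    tarmagic=$(dd if="$f" bs=1 skip=257 count=5 2>/dev/null)
    if [ "$tarmagic" = "ustar" ]; then
        echo "plain-tar"
        return 1
    fi
    echo "unknown"
    return 1
}

# Build constructed sample files in directory $1 (illustration only).
make_samples() {
    d=$1
    mkdir -p "$d/payload"
    echo "constructed sample content" >"$d/payload/README"
    tar -cf "$d/plain.tar" -C "$d" payload
    gzip -c "$d/plain.tar" >"$d/good.tar.gz"
    # Truncated download: keep only the first half of the compressed bytes.
    size=$(wc -c <"$d/good.tar.gz")
    dd if="$d/good.tar.gz" of="$d/cut.tar.gz" bs=1 count=$((size / 2)) 2>/dev/null
    # Transparently decompressed download: tar bytes under a .gz name.
    cp "$d/plain.tar" "$d/unpacked.tar.gz"
    # Error page saved under the archive's name.
    echo "<html>502 Bad Gateway</html>" >"$d/errorpage.tar.gz"
}

if [ "$#" -gt 0 ]; then
    # Classify the files named on the command line.
    for a in "$@"; do
        printf '%s: %s\n' "$a" "$(classify_tarball "$a")"
    done
else
    # No arguments: demonstrate on the constructed samples.
    t=$(mktemp -d) && make_samples "$t"
    for a in good cut unpacked errorpage; do
        printf '%-22s %s\n' "$a.tar.gz" "$(classify_tarball "$t/$a.tar.gz")"
    done
    rm -rf "$t"
fi
```

A `plain-tar` or `gzip-damaged` verdict means the bytes on disk are not the bytes that were published, so the file should be fetched again rather than extracted with whatever flags happen to work.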
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri Jan 16 12:48:33 2009
Subject: Spamassassin timeouts - Just an observation
In-Reply-To: <72cf361e0901160108x67a36e6btca93981deddb82f6@mail.gmail.com>
References: <49510578.6050801@cnpapers.com>
 <495E1DBF.3090602@cnpapers.com>
 <72cf361e0901020705h79fad4c8x9dc440faa83fcd2f@mail.gmail.com>
 <495E5C78.7040805@cnpapers.com>
 <496F7929.8080608@cnpapers.com>
 <496F95DE.9040501@cnpapers.com>
 <72cf361e0901160108x67a36e6btca93981deddb82f6@mail.gmail.com>
Message-ID:

Martin Hepworth wrote on Fri, 16 Jan 2009 09:08:18 +0000:

> As you're only processing 7k messages a day with MS I'd suggest 5
> children is a little high. 3 or even two could well be enough.

The 5 was the old value. I just used that value to illustrate how much RAM he
might have been already using just for MS. He's now down to 3. 2 might help or
might not.

> Also
> look at the batch size...again 10 should be more than enough for this
> level of processing.

This could help as well, indeed.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Fri Jan 16 12:48:16 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri Jan 16 12:48:35 2009
Subject: Spamassassin timeouts - Just an observation
In-Reply-To: <496F95DE.9040501@cnpapers.com>
References: <49510578.6050801@cnpapers.com>
 <495E1DBF.3090602@cnpapers.com>
 <72cf361e0901020705h79fad4c8x9dc440faa83fcd2f@mail.gmail.com>
 <495E5C78.7040805@cnpapers.com>
 <496F7929.8080608@cnpapers.com>
 <496F95DE.9040501@cnpapers.com>
Message-ID:

Steve Campbell wrote on Thu, 15 Jan 2009 15:00:30 -0500:

> I still go back to the fact that two versions ago,

Two versions? I count that there is a difference of 13! And I bet you also
upgraded SA and maybe added some rulesets.

> > Are you checking load average regularly? What does free tell about memory
> > usage and swap?
> >
>
> I monitor load average with MailWatch up most of the day when problems
> occur. We seem to have slow mornings with LA way below 1. The
> afternoon's LA start climbing along with the input queue backlog. Right
> now, we're about 50 minutes behind with about 500 messages waiting.
>
> top tells me I'm using almost all memory with 200 MB swap being used.

top is of almost no interest. But the 200 MB swap use shows that you have too
few RAM. You didn't answer most of the very specific questions I asked. If you
did we might be able to give you more tips. Just adding RAM won't tweak your
system for "better" and faster processing it just removes the bottleneck for
the current ressource needs.

> I wasn't sure I got all the scores zeroed. Just to make sure, I turned
> on skip_rbl_checks. This caused the LA to steady out at about 4. It
> would fluctuate as high as 8.

I don't know how much impact these checks should have to load. I always set
skip_rbl_checks on my setups. I would think not much. But it may prolong the
time the process stays in memory which means you need more RAM and run into
swapping -> load goes up.

> You might have hit on something there with the size to hand over to SA.
> I recently had to up this for some large files being emailed in. There's
> a lawyer who was photocopying briefs, scanning them, and making a PDF to
> send to someone here. The size was around 50MB. If the limit set up in
> MS/SA is smaller than the size of the attachment being sent, it doesn't
> deliver it and doesn't quarantine it.

I cannot follow that. I haven't ever seen or heard of such a problem. You do
not need to set that value to the size of attachments. And, btw, why don't you
just whitelist that specific sender?
Which setting exactly did you change and to what?

> I wish there was an option to at
> least quarantine it, but I haven't found it.

I don't understand. Why would you want to quarantine every attachment?

> As I stated earlier, this was just to ensure I got them all. The only
> difference this made was the LA spike is now steadily around 4, so I
> guess I missed a few with the score thing.

Well, it shows that switching those tests off helps you ;-) But not enough.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From campbell at cnpapers.com Fri Jan 16 13:31:21 2009
From: campbell at cnpapers.com (Steve Campbell)
Date: Fri Jan 16 13:31:38 2009
Subject: Spamassassin timeouts - Just an observation
In-Reply-To:
References: <49510578.6050801@cnpapers.com>
 <495E1DBF.3090602@cnpapers.com>
 <72cf361e0901020705h79fad4c8x9dc440faa83fcd2f@mail.gmail.com>
 <495E5C78.7040805@cnpapers.com>
 <496F7929.8080608@cnpapers.com>
 <496F95DE.9040501@cnpapers.com>
Message-ID: <49708C29.6040100@cnpapers.com>

Kai Schaetzl wrote:
> Steve Campbell wrote on Thu, 15 Jan 2009 15:00:30 -0500:
>
>
>> I still go back to the fact that two versions ago,
>>
>
> Two versions? I count that there is a difference of 13! And I bet you also
> upgraded SA and maybe added some rulesets.
>
>
>>> Are you checking load average regularly? What does free tell about memory
>>> usage and swap?
>>>
>>>
>> I monitor load average with MailWatch up most of the day when problems
>> occur. We seem to have slow mornings with LA way below 1. The
>> afternoon's LA start climbing along with the input queue backlog. Right
>> now, we're about 50 minutes behind with about 500 messages waiting.
>>
>> top tells me I'm using almost all memory with 200 MB swap being used.
>>
>
> top is of almost no interest. But the 200 MB swap use shows that you have too
> few RAM. You didn't answer most of the very specific questions I asked. If you
> did we might be able to give you more tips. Just adding RAM won't tweak your
> system for "better" and faster processing it just removes the bottleneck for
> the current ressource needs.
>

Which questions did I miss? Sorry, especially since you're being so
helpful. And you're right about the RAM, also.

>
>> I wasn't sure I got all the scores zeroed. Just to make sure, I turned
>> on skip_rbl_checks. This caused the LA to steady out at about 4. It
>> would fluctuate as high as 8.
>>
>
> I don't know how much impact these checks should have to load. I always set
> skip_rbl_checks on my setups. I would think not much. But it may prolong the
> time the process stays in memory which means you need more RAM and run into
> swapping -> load goes up.
>
>
>> You might have hit on something there with the size to hand over to SA.
>> I recently had to up this for some large files being emailed in. There's
>> a lawyer who was photocopying briefs, scanning them, and making a PDF to
>> send to someone here. The size was around 50MB. If the limit set up in
>> MS/SA is smaller than the size of the attachment being sent, it doesn't
>> deliver it and doesn't quarantine it.
>>
>
> I cannot follow that. I haven't ever seen or heard of such a problem. You do
> not need to set that value to the size of attachments. And, btw, why don't you
> just whitelist that specific sender?
> Which setting exactly did you change and to what?
>

Max Spam Check Size

I did whitelist the user. Once this size limit was hit, the message was
not delivered or quarantined. The report in Mailwatch stated "File to
large" or something like that. I upped this value and the same email was
resent, and it came through just fine. Maybe it is dependent on another
setting also. If Jules knows, maybe he could pipe in on this one.

> I wish there was an option to at
>
>> least quarantine it, but I haven't found it.
>>
>
> I don't understand. Why would you want to quarantine every attachment?
>
>

I don't want to quarantine every attachment. But I also don't want to
just throw the entire email away once the max size is hit.

>> As I stated earlier, this was just to ensure I got them all. The only
>> difference this made was the LA spike is now steadily around 4, so I
>> guess I missed a few with the score thing.
>>
>
> Well, it shows that switching those tests off helps you ;-) But not enough.
>
>
>

I also removed ALL of the SARE rules until memory arrives. I'll then add
them back as needed. The machine is running better, obviously, but I
haven't hit the flood time yet. I find it hard to believe that all of
this spam used to be sent over night, and now these guys are brazen
enough to send it during work hours. Maybe the problem existed before
and I just didn't notice.

Come to think of it, I added most of the SARE rules during the upgrade 2
(13) versions ago when update_spamassassin came along. So maybe that's
been my problem all along and the nightly flood wasn't realized. I need
to watch mailscanner-mrtg more often.

> Kai
>
>

Thanks Martin and Kai and all others,

Your ideas are really helping. I've not had to deal with this type of
drudgery before from MS as it's always been so nearly-out-of-the-box
great. Once I started messing with it, I guess I over messed.

steve

From dave.list at pixelhammer.com Fri Jan 16 13:38:08 2009
From: dave.list at pixelhammer.com (DAve)
Date: Fri Jan 16 13:38:30 2009
Subject: bug on FreeBSD with Perl 5.8.9
In-Reply-To: <6beca9db0901151802u1d4c6960g6cc084cb4781ce98@mail.gmail.com>
References: <6beca9db0901151802u1d4c6960g6cc084cb4781ce98@mail.gmail.com>
Message-ID: <49708DC0.10706@pixelhammer.com>

Mikael Syska wrote:
> What does other freebsd sysadmins do to stay current and not have a
> messed system where something is from other sources to be able to have
> a up-to-date system ?
> If there are any one out there also using freebsd ... and using Julian
> package from http://mailscanner.info I will be more than happy to hear
> from them.

We switched from ports to Julian's pkg system last year on both our
FreeBSD MailScanner boxes. Nothing against the port, but doing so
allowed us to use the newest release if needed, provides a way to have
multiple releases installed choosing them by changing a symlink, and
if we have a problem, Julian knows *exactly* where everything is
installed.

Very happy with the result.

DAve

--
The whole internet thing is sucking the life out of me,
there ain't no pony in there.

From campbell at cnpapers.com Fri Jan 16 14:59:07 2009
From: campbell at cnpapers.com (Steve Campbell)
Date: Fri Jan 16 14:59:29 2009
Subject: Spamassassin timeouts - Just an observation
In-Reply-To: <49708C29.6040100@cnpapers.com>
References: <49510578.6050801@cnpapers.com>
 <495E1DBF.3090602@cnpapers.com>
 <72cf361e0901020705h79fad4c8x9dc440faa83fcd2f@mail.gmail.com>
 <495E5C78.7040805@cnpapers.com>
 <496F7929.8080608@cnpapers.com>
 <496F95DE.9040501@cnpapers.com>
 <49708C29.6040100@cnpapers.com>
Message-ID: <4970A0BB.1030300@cnpapers.com>

>
>
> Kai Schaetzl wrote:
>
> Which questions did I miss? Sorry, especially since you're being so
> helpful. And you're right about the RAM, also.
>

Oops, I found some of them.

ps -waux | grep Mail
root  4502  0.0  1.5 26456 15864 ?     S 07:27 0:00 MailScanner: starting child
root  3457  7.6  8.1 90252 83440 ?     S 09:48 0:17 MailScanner: checking with SpamAssassin
root  3464  0.0  2.0 28928 21152 ?     S 09:48 0:00 MailWatch SQL
root  3469  8.2  8.1 90096 83376 ?     S 09:48 0:18 MailScanner: waiting for messages
root  3516  8.1  8.2 91316 84292 ?     S 09:48 0:18 MailScanner: waiting for messages
root  4367 94.7  8.5 94284 87600 ?     R 09:51 0:35 MailScanner: checking with SpamAssassin
root  4514  0.0  0.0  3876   576 pts/0 S 09:52 0:00 grep Mail

free
             total       used       free     shared    buffers     cached
Mem:       1025188     920436     104752          0      54040     267380
-/+ buffers/cache:     599016     426172
Swap:      2048248     256712    1791536

I am running clamd

These figures are with the removed SARE rules. I still am running KAM
and a few others. So far, the load average spikes, but the flood doesn't
start until around 11:00 a.m. EST. I had small spikes, but they clear
out sort of quickly.

I probably have missed a few other questions.

steve

From alex at rtpty.com Fri Jan 16 16:53:48 2009
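Added example, not part of any message in this archive: an awk tally of the `ps` and `free` figures posted in the message above, showing how much resident memory the MailScanner processes account for next to total RAM and swap in use. The function names are made up for illustration; the sample data is copied from that post.

```shell
#!/bin/sh
# Added example: summarise "ps waux | grep Mail" and "free" output.

# ps lines copied from the post above (layout of "ps waux").
sample_ps() {
cat <<'EOF'
root 4502 0.0 1.5 26456 15864 ? S 07:27 0:00 MailScanner: starting child
root 3457 7.6 8.1 90252 83440 ? S 09:48 0:17 MailScanner: checking with SpamAssassin
root 3464 0.0 2.0 28928 21152 ? S 09:48 0:00 MailWatch SQL
root 3469 8.2 8.1 90096 83376 ? S 09:48 0:18 MailScanner: waiting for messages
root 3516 8.1 8.2 91316 84292 ? S 09:48 0:18 MailScanner: waiting for messages
root 4367 94.7 8.5 94284 87600 ? R 09:51 0:35 MailScanner: checking with SpamAssassin
root 4514 0.0 0.0 3876 576 pts/0 S 09:52 0:00 grep Mail
EOF
}

# free output copied from the post above (values in KB).
sample_free() {
cat <<'EOF'
             total       used       free     shared    buffers     cached
Mem:       1025188     920436     104752          0      54040     267380
-/+ buffers/cache:     599016     426172
Swap:      2048248     256712    1791536
EOF
}

# stdin: ps lines. Prints "<processes> <total RSS KB> <largest RSS KB>" for
# MailScanner processes only. Field 6 is RSS in KB, field 11 the first word
# of the command. Pages shared between forked children are counted once per
# child, so the total is an upper bound on what they really hold.
ms_summary() {
    awk '$11 == "MailScanner:" { n++; sum += $6; if ($6 > max) max = $6 }
         END { printf "%d %d %d\n", n, sum, max }'
}

# stdin: free output in KB. Prints
# "<total RAM> <used excluding buffers/cache> <swap used>".
# Older procps (as in the post) prints the second figure on the
# "-/+ buffers/cache:" line; newer versions drop that line and already
# exclude buffers/cache from "used" on the Mem: line.
free_summary() {
    awk '$1 == "Mem:"  { total = $2; used = $3 }
         $1 == "-/+"   { used = $3 }
         $1 == "Swap:" { swap = $3 }
         END { printf "%d %d %d\n", total, used, swap }'
}

# $1 = file holding ps output, $2 = file holding free output.
report() {
    # Positional parameters become: count, RSS sum, RSS max, RAM, used, swap.
    set -- $(ms_summary <"$1") $(free_summary <"$2")
    echo "MailScanner processes: $1, RSS $2 KB ($(( $2 * 100 / $4 ))% of RAM), largest $3 KB"
    echo "used outside buffers/cache: $5 KB of $4 KB; swap in use: $6 KB"
}

# Stand-alone run on the sample data.
p=$(mktemp); q=$(mktemp)
sample_ps >"$p"; sample_free >"$q"
report "$p" "$q"
rm -f "$p" "$q"
```

On a live system, save `ps waux` and `free` to two files and pass them to `report`.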
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Fri Jan 16 16:54:00 2009
Subject: Somewhat OT: MOD Virus Outbreak
Message-ID: <786D59B8-E568-4FEF-B4B3-D51DE6A57091@rtpty.com>

http://www.theregister.co.uk/2009/01/15/royal_navy_email_virus_outage/

They should knight Julian and have him take over as Virus Defence Czar
or something!

From ssilva at sgvwater.com Fri Jan 16 17:46:54 2009
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Jan 16 17:47:16 2009
Subject: Spamassassin timeouts - Just an observation
In-Reply-To: <49708C29.6040100@cnpapers.com>
References: <49510578.6050801@cnpapers.com>
 <495E1DBF.3090602@cnpapers.com>
 <72cf361e0901020705h79fad4c8x9dc440faa83fcd2f@mail.gmail.com>
 <495E5C78.7040805@cnpapers.com>
 <496F7929.8080608@cnpapers.com>
 <496F95DE.9040501@cnpapers.com>
 <49708C29.6040100@cnpapers.com>
Message-ID:

> I also removed ALL of the SARE rules until memory arrives. I'll then add
> them back as needed. The machine is running better, obviously, but I
> haven't hit the flood time yet. I find it hard to believe that all of
> this spam used to be sent over night, and now these guys are brazen
> enough to send it during work hours. Maybe the problem existed before
> and I just didn't notice.

E-mail is an international problem, so "night" is a very relative term. Since
the spammers have been shifting to botnets, they have to take the processing
time when it is available. Not all PC users leave their machines on 24 hours a
day.

>
> Come to think of it, I added most of the SARE rules during the upgrade 2
> (13) versions ago when update_spamassassin came along. So maybe that's
> been my problem all along and the nightly flood wasn't realized. I need
> to watch mailscanner-mrtg more often.

Sare has stopped updating their rules, so some of them are probably getting
stale. You might want to try and get some idea of which rules actually hit for
you. I usually run a spamassassin rules hits report from Mailwatch about twice
a month to look for trends. It is also a good place to test blacklists to see
if you hit any FP's. 100% spam lists usually get moved to my MTA blacklists.

>
>> Kai
>>
>>
> Thanks Martin and Kai and all others,
>
> Your ideas are really helping. I've not had to deal with this type of
> drudgery before from MS as it's always been so nearly-out-of-the-box
> great. Once I started messing with it, I guess I over messed.
>
> steve
>

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 258 bytes
Desc: OpenPGP digital signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090116/e934caa4/signature.bin

From lists at sequestered.net Fri Jan 16 20:57:31 2009
From: lists at sequestered.net (Corey Chandler)
Date: Fri Jan 16 20:57:42 2009
Subject: bug on FreeBSD with Perl 5.8.9
In-Reply-To: <49708DC0.10706@pixelhammer.com>
References: <6beca9db0901151802u1d4c6960g6cc084cb4781ce98@mail.gmail.com>
 <49708DC0.10706@pixelhammer.com>
Message-ID: <4970F4BB.5080105@sequestered.net>

DAve wrote:
> Mikael Syska wrote:
>> What does other freebsd sysadmins do to stay current and not have a
>> messed system where something is from other sources to be able to have
>> a up-to-date system ?
>> If there are any one out there also using freebsd ... and using Julian
>> package from http://mailscanner.info I will be more than happy to hear
>> from them.
>
> We switched from ports to Julian's pkg system last year on both our
> FreeBSD MailScanner boxes. Nothing against the port, but doing so
> allowed us to use the newest release if needed, provides a way to have
> multiple releases installed choosing them by changing a symlink, and
> if we have a problem, Julian knows *exactly* where everything is
> installed.
>
> Very happy with the result.
>
> DAve
>

Curious-- is there anything you have to do that's particular to FreeBSD,
or is just a matter of "download the source tarball, build clamav /
spamassassin from ports, and run the installer?"

--
Corey Chandler / KB1JWQ
Living Legend / Systems Exorcist
Today's Excuse: Program load too heavy for processor to lift

From dave.list at pixelhammer.com Fri Jan 16 21:29:31 2009
From: dave.list at pixelhammer.com (DAve)
Date: Fri Jan 16 21:29:52 2009
Subject: bug on FreeBSD with Perl 5.8.9
In-Reply-To: <4970F4BB.5080105@sequestered.net>
References: <6beca9db0901151802u1d4c6960g6cc084cb4781ce98@mail.gmail.com>
 <49708DC0.10706@pixelhammer.com>
 <4970F4BB.5080105@sequestered.net>
Message-ID: <4970FC3B.6010204@pixelhammer.com>

Corey Chandler wrote:
> DAve wrote:
>> Mikael Syska wrote:
>>> What does other freebsd sysadmins do to stay current and not have a
>>> messed system where something is from other sources to be able to have
>>> a up-to-date system ?
>>> If there are any one out there also using freebsd ... and using Julian
>>> package from http://mailscanner.info I will be more than happy to hear
>>> from them.
>>
>> We switched from ports to Julian's pkg system last year on both our
>> FreeBSD MailScanner boxes. Nothing against the port, but doing so
>> allowed us to use the newest release if needed, provides a way to have
>> multiple releases installed choosing them by changing a symlink, and
>> if we have a problem, Julian knows *exactly* where everything is
>> installed.
>>
>> Very happy with the result.
>>
>> DAve
>>
> Curious-- is there anything you have to do that's particular to FreeBSD,
> or is just a matter of "download the source tarball, build clamav /
> spamassassin from ports, and run the installer?"
>

We used Julian's mailscanner install pkg, and his clam+SA install pkg.
Create a /opt directory and follow Julian's instructions. You will
need to modify the startup scripts to fit FreeBSD but that is pretty
trivial.

Our start scripts are a bit more heavily modified than needed because
we also split our messages, run clamd, some milters, and a few other
oddities. Our scripts are not like the ports scripts, or like
Julian's, but any decent bash hack will work to get things started ;^)

DAve

--
The whole internet thing is sucking the life out of me,
there ain't no pony in there.

From paul at welshfamily.com Sat Jan 17 00:56:54 2009
From: paul at welshfamily.com (Paul Welsh) Date: Sat Jan 17 00:57:15 2009 Subject: Preventing backscatter with sendmail In-Reply-To: <200901161204.n0GC4IHr001747@safir.blacknight.ie> Message-ID: <200901170057.n0H0v713030269@safir.blacknight.ie> I'm looking for a way of doing with sendmail what exim does out of the box, ie, recipient verification when the MailScanner/Sendmail server is a front end to Exchange. I've been googling and from what I can see I have the following options: milter-ahead - www.milter.info/sendmail/milter-ahead/ Mailfromd scam-backscatter - www.elandsys.com/scam/scam-backscatter/ access.db ldap lookups Only about 100 - 120 email addresses so access.db is a possibility. Milter-ahead costs 90 euro (probably worth ?150 by the time I can get round to buying it!). LDAP lookups seem a bit complex. Mailfromd seems the most popular. Is that the de facto standard way of doing this? From shuttlebox at gmail.com Sat Jan 17 09:40:21 2009 From: shuttlebox at gmail.com (shuttlebox) Date: Sat Jan 17 09:46:57 2009 Subject: Preventing backscatter with sendmail In-Reply-To: <200901170057.n0H0v713030269@safir.blacknight.ie> References: <200901161204.n0GC4IHr001747@safir.blacknight.ie> <200901170057.n0H0v713030269@safir.blacknight.ie> Message-ID: <625385e30901170140i2afec083g7bb72d69067ab4d6@mail.gmail.com> On Sat, Jan 17, 2009 at 1:56 AM, Paul Welsh wrote: > I've been googling and from what I can see I have the following options: > > milter-ahead - www.milter.info/sendmail/milter-ahead/ > Mailfromd > scam-backscatter - www.elandsys.com/scam/scam-backscatter/ > access.db > ldap lookups This one is also popular: http://smfs.sourceforge.net/smf-sav.html -- /peter From gesbbb at yahoo.com Sat Jan 17 13:45:00 2009 
From: gesbbb at yahoo.com (Jerry) Date: Sat Jan 17 13:45:12 2009 Subject: bug on FreeBSD with Perl 5.8.9 In-Reply-To: <4970FC3B.6010204@pixelhammer.com> References: <6beca9db0901151802u1d4c6960g6cc084cb4781ce98@mail.gmail.com> <49708DC0.10706@pixelhammer.com> <4970F4BB.5080105@sequestered.net> <4970FC3B.6010204@pixelhammer.com> Message-ID: <20090117084500.09564ce0@scorpio> On Fri, 16 Jan 2009 16:29:31 -0500 DAve wrote: >> Curious-- is there anything you have to do that's particular to >> FreeBSD, or is just a matter of "download the source tarball, build >> clamav / spamassassin from ports, and run the installer?" >> > >We used Julian's mailscanner install pkg, and his clam+SA install pkg. >Create a /opt directory and follow Julian's instructions. You will >need to modify the startup scripts to fit FreeBSD but that is pretty >trivial. > >Our start scripts are a bit more heavily modified than needed because >we also split our messages, run clamd, some milters, and a few other >oddities. Our scripts are not like the ports scripts, or like >Julian's, but any decent bash hack will work to get things started ;^) Curious. Since you 'roll your own', you really cannot expect to get much help from the FreeBSD ports people. I have not heard from anyone who has updated Perl on a FreeBSD system reporting a problem with Mailscanner; however, they are no doubt using the 'ports' system to accomplish the updates. You might want to contact the Mailscanner maintainer on FreeBSD and see if he can shed any light on your problem. I don't know if he would be willing to work with you since this is not his problem; however, it doesn't hurt to ask. By the way, how did you install your other mail utilities? If you installed from source rather than the ports system, updating Perl would probably cause a breakage since the normal "perl-after-upgrade script" would not be able to properly act on those packages, or Mailscanner for that matter, properly. 
This is why I stay away from unnecessary 'hacks'. -- Jerry gesbbb@yahoo.com Pity the meek, for they shall inherit the earth. Don Marquis From MailScanner at ecs.soton.ac.uk Sat Jan 17 14:03:01 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sat Jan 17 14:03:21 2009 Subject: MS/perl segfaults In-Reply-To: <49186B27.2060809@ecs.soton.ac.uk> References: <49186B27.2060809@ecs.soton.ac.uk> Message-ID: <4971E515.6070703@ecs.soton.ac.uk> Re-visiting this issue. Is it still a problem? Is it worth attempting to solve? In the following descriptions, all timings would be configurable. It's just easier to think about the problem with real numbers in there. When we scan the queue to build a batch, we look for unlocked messages as normal. When we find an unlocked message, we look to see if it is in the database table and was first scanned less than 20 minutes ago. If it was first scanned 20 minutes ago, we ignore it in case it was a one-off failure, or a failure caused by other messages in the same batch. If it was first scanned 20-40 minutes ago, we scan it in a batch of 1 message, on its own. If it was first scanned more than 40 minutes ago, we ignore it completely and log the event as a scanner failure. Or we could mark it as infected instead? What are your thoughts here? A DoS attack attempt would be a reasonable conclusion. I need to catch every time a message leaves the batch and remove it from the database table, that's my problem. Also, I need to find all the race conditions when checking the database about the message, but that's also my problem. What do you think of the approach above? Your comments would be most welcome. Cheers, Jules. On 10/11/08 17:11, Julian Field wrote: > One immediate thought: the only reproducible instance of this problem > was caused by the HTML parser, and I wrote a solution to that in a > recent release, it's in the Change Log. > > But yes, your idea is a possibility, now that I'm using SQLite. Doing > it with a dbm file is not really practical due to high contention for > the exclusive write locks on the file. SQLite may be able to do it > rather better. 
> > There are quite a few routes that lead to a message leaving a batch, > and I would have to catch all of those, time for a quick code review > of a few chunks I think. > > If a message is more than 20 minutes old and still in the database, > then we do a batch containing only 1 message, and log it. If we find a > message more than 30 minutes old, then we log it and ignore it. > > How many ways could this process go wrong? All existing > exclusion-locks would still apply, so if a message was more than 20 > minutes old and is being re-tried and is still locked, that lock still > applies. > > What are the failure modes of this scheme? I refuse to believe there > aren't any. We need to cover as many of them as possible and come up > with remedies for them. > > Jules. > > David Lee wrote: >> >> Julian: Over the years MailScanner has served us extremely well, and >> we continue to rely on it and be thankful for your work on it. >> >> But I'm currently clearing a backlog of 66,000+ emails from the weekend. >> >> >> Occasionally (perhaps once a year) we get a particular class of >> problem (and from skim-reading the list I believe others see this >> also), namely, that a message, or messages, will arrive which cause >> MailScanner (more likely one of its perl modules) to segfault. A >> (quote) shouldn't happen (unquote) thing that, nevertheless, >> occasionally does happen. >> >> We've just had such an incident over the weekend. And there were >> enough such messages (about 100) to cause all the child MS processes >> (20) to segfault on most occasions that they processed a batch (30). >> The net result is that our inbound queue grew, and very little >> trickled through, because the MS processes segfaulted, re-tried, >> segfaulted, retried, ... >> >> (The failure of one message in the batch causes the whole batch to be >> delayed until the next child attempt; and the chances are that new >> batch will also suffer a segfault.) 
>> >> As I say, such instances are rare, but they do happen. And when they >> happen they can hit hard. >> >> For this particular instance, I'd be happy to send you (offlist?) >> details, including sample messages, "MailScanner -V", OS etc. (Let >> me know.) >> >> But that still leaves a general problem of MS (+/ modules) being >> susceptible to emails (possibly malformed HTML spams) that can cause >> this behaviour. >> >> So a suggestion for a _general_ fix against general segfaults (to >> allow the other emails not to become "collateral damage"). >> >> >> ====begin==== >> >> When an MS child starts processing a batch, for each email >> temporarily put its id (e.g. sendmail "df/qf" number) into a small >> "being processed" database (e.g. a trivial db/dbm). >> >> When the child finishes the batch, remove those ids of the batch from >> that database. >> >> So for a system of 'c' children and batch-size 'b', the maximum >> number of entries at any time in that database will be 'c*b': rarely >> more than a few hundred, and so trivial for a db/dbm thing. (And if >> the inbound mqueue is empty, the database should correspondingly be >> empty.) >> >> Now here's the crucial detail: When the child starts its batch it >> also quickly checks that those ids are not already present in the >> database. (In normal use, they would never be present, as MS's >> existing mechanisms already ensure that a child takes a batch from >> beginning right through to completion.) >> >> If it DOES find that id, this indicates that something has badly gone >> wrong (e.g. previous child segfaulted, so didn't remove ids in this >> batch from the database). Many of those ids, of course, will be >> innocent: they will be there because another email (id) in an earlier >> batch had failed. >> >> To counter that, the database could also store a timestamp. On >> finding such an email, a child would skip that id if it was >> relatively young (e.g. 
less than 10 minutes since last timestamp), or >> process it _on its own_ if relatively old (e.g. older than ten >> minutes). That way, the innocent email would only be held up for a >> short period (e.g. ten minutes). >> >> (There are probably some cleverer things that could be done (and >> additional things that ought to be done), but at this stage I'm >> simply trying to outline the general idea.) >> >> ====end==== >> >> How does that sound? >> >> Naturally I would be happy to assist beta-testing if you wish. >> >> > > Jules > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mikael at syska.dk Sat Jan 17 15:17:37 2009 
From: mikael at syska.dk (Mikael Syska) Date: Sat Jan 17 15:17:48 2009 Subject: bug on FreeBSD with Perl 5.8.9 In-Reply-To: <20090117084500.09564ce0@scorpio> References: <6beca9db0901151802u1d4c6960g6cc084cb4781ce98@mail.gmail.com> <49708DC0.10706@pixelhammer.com> <4970F4BB.5080105@sequestered.net> <4970FC3B.6010204@pixelhammer.com> <20090117084500.09564ce0@scorpio> Message-ID: <6beca9db0901170717i602c3983y28db7e588cb94e64@mail.gmail.com> Hi Jerry, It was my problem from the start ... Only using ports and wondered what other people did ... DAve just mentioned what they did on FreeBSD, and he had no problem whatsoever .. but he has not updated Perl yet to 5.8.9 ... as he will wait a bit, luckily for him :-) On Sat, Jan 17, 2009 at 2:45 PM, Jerry wrote: > On Fri, 16 Jan 2009 16:29:31 -0500 > DAve wrote: > >>> Curious-- is there anything you have to do that's particular to >>> FreeBSD, or is just a matter of "download the source tarball, build >>> clamav / spamassassin from ports, and run the installer?" >>> >> >>We used Julian's mailscanner install pkg, and his clam+SA install pkg. >>Create a /opt directory and follow Julian's instructions. You will >>need to modify the startup scripts to fit FreeBSD but that is pretty >>trivial. >> >>Our start scripts are a bit more heavily modified than needed because >>we also split our messages, run clamd, some milters, and a few other >>oddities. Our scripts are not like the ports scripts, or like >>Julian's, but any decent bash hack will work to get things started ;^) > > Curious. Since you 'roll your own', you really cannot expect to get > much help from the FreeBSD ports people. I have not heard from anyone > who has updated Perl on a FreeBSD system reporting a problem with > Mailscanner; however, they are no doubt using the 'ports' system to > accomplish the updates. > > You might want to contact the Mailscanner maintainer on FreeBSD > and see if he can shed any light on your > problem. 
I don't know if he would be willing to work with you since > this is not his problem; however, it doesn't hurt to ask. Read my comments at the top ... you must have confused who the org message was from ... and the following comments from others. > By the way, how did you install your other mail utilities? If you > installed from source rather than the ports system, updating Perl would > probably cause a breakage since the normal "perl-after-upgrade script" > would not be able to properly act on those packages, or Mailscanner for > that matter, properly. > > > This is why I stay away from unnecessary 'hacks'. > Yes ... me too, but still, following the ports led me to these problems. > -- > Jerry > gesbbb@yahoo.com > > Pity the meek, for they shall inherit the earth. > > Don Marquis > > -- Mikael Syska Denmark From shuttlebox at gmail.com Sat Jan 17 15:14:23 2009 
From: shuttlebox at gmail.com (shuttlebox) Date: Sat Jan 17 15:19:45 2009 Subject: MS/perl segfaults In-Reply-To: <4971E515.6070703@ecs.soton.ac.uk> References: <49186B27.2060809@ecs.soton.ac.uk> <4971E515.6070703@ecs.soton.ac.uk> Message-ID: <625385e30901170714x157ae096q7a03d9c78ccb13e7@mail.gmail.com> On Sat, Jan 17, 2009 at 3:03 PM, Julian Field wrote: > Re-visiting this issue. > Is it still a problem? > Is it worth attempting to solve? > > In the following descriptions, all timings would be configurable. It's just > easier to think about the problem with real numbers in there. > > When we scan the queue to build a batch, we look for unlocked messages as > normal. When we find an unlocked message, we look to see if it is in the > database table and was first scanned less than 20 minutes ago. > If it was first scanned 20 minutes ago, we ignore it in case it was a > one-off failure, or a failure caused by other messages in the same batch. > If it was first scanned 20-40 minutes ago, we scan it in a batch of 1 > message, on its own. > If it was first scanned more than 40 minutes ago, we ignore it completely > and log the event as a scanner failure. Or we could mark it as infected > instead? What are your thoughts here? A DoS attack attempt would be a > reasonable conclusion. > > I need to catch every time a message leaves the batch and remove it from the > database table, that's my problem. > Also, I need to find all the race conditions when checking the database > about the message, but that's also my problem. > > What do you think of the approach above? Do we need a database? Couldn't you just stat the queue files to see how old they are and get the same result? To me, the queue dir is like a database, and the queue files are like records in the database. You have to put timestamps into the database but the files already have that. There's no records to remove when the message has been delivered because the files will be gone. 
If I'm not missing something it seems unnecessarily complex with a database..? -- /peter From jan-peter at koopmann.eu Sat Jan 17 15:25:05 2009 From: jan-peter at koopmann.eu (Koopmann, Jan-Peter) Date: Sat Jan 17 15:25:32 2009 Subject: Refresh FreeBSD Port? In-Reply-To: <496BA69B.4030207@sequestered.net> References: <4967DB4E.8040003@sequestered.net><20090110081249.3e1fd5bc@scorpio> <496BA69B.4030207@sequestered.net> Message-ID: >Yeah, I did before posting to the list, and haven't heard back-- hence >my post here. :-) Hmm. Can't recall seeing a message from you. Others yes but you? Sorry if I missed it. Port was tested by a few people last week and I have some mistakes to figure out. Maybe tomorrow or Monday... :-( Regards, JP From paul.welsh.3 at googlemail.com Sat Jan 17 16:24:40 2009 From: paul.welsh.3 at googlemail.com (Paul Welsh) Date: Sat Jan 17 16:24:58 2009 Subject: MailScanner Digest, Vol 37, Issue 32 In-Reply-To: <200901171201.n0HC0YsL012772@safir.blacknight.ie> Message-ID: <4972064f.0716300a.0334.7ff4@mx.google.com> > Date: Sat, 17 Jan 2009 10:40:21 +0100 > From: shuttlebox > Subject: Re: Preventing backscatter with sendmail > > On Sat, Jan 17, 2009 at 1:56 AM, Paul Welsh > wrote: > > I've been googling and from what I can see I have the > following options: > > > > milter-ahead - www.milter.info/sendmail/milter-ahead/ > > Mailfromd > > scam-backscatter - www.elandsys.com/scam/scam-backscatter/ > > access.db > > ldap lookups > > This one is also popular: > > http://smfs.sourceforge.net/smf-sav.html > Hi Peter, thanks for that. I realise too that mailfromd doesn't really do what I want. It does sender verification but only local recipient verification by the looks of things. I'm not bothered about sender verification, only recipient. From paul.welsh.3 at googlemail.com Sat Jan 17 16:26:09 2009 
From: paul.welsh.3 at googlemail.com (Paul Welsh) Date: Sat Jan 17 16:26:26 2009 Subject: Preventing backscatter with sendmail In-Reply-To: <200901171201.n0HC0YsL012772@safir.blacknight.ie> Message-ID: <497206a8.2215300a.66e8.706d@mx.google.com> > Date: Sat, 17 Jan 2009 10:40:21 +0100 > From: shuttlebox > Subject: Re: Preventing backscatter with sendmail > > On Sat, Jan 17, 2009 at 1:56 AM, Paul Welsh > wrote: > > I've been googling and from what I can see I have the > following options: > > > > milter-ahead - www.milter.info/sendmail/milter-ahead/ > > Mailfromd > > scam-backscatter - www.elandsys.com/scam/scam-backscatter/ > > access.db > > ldap lookups > > This one is also popular: > > http://smfs.sourceforge.net/smf-sav.html > Hi Peter, thanks for that. I realise too that mailfromd doesn't really do what I want. It does sender verification but only local recipient verification by the looks of things. I'm not bothered about sender verification, only recipient. Sorry, sent the wrong subject out last time. Here's the right one to aid anyone searching threads in future. From MailScanner at ecs.soton.ac.uk Sat Jan 17 20:15:38 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sat Jan 17 20:16:02 2009 Subject: MS/perl segfaults In-Reply-To: <625385e30901170714x157ae096q7a03d9c78ccb13e7@mail.gmail.com> References: <49186B27.2060809@ecs.soton.ac.uk> <4971E515.6070703@ecs.soton.ac.uk> <625385e30901170714x157ae096q7a03d9c78ccb13e7@mail.gmail.com> Message-ID: <49723C6A.4030308@ecs.soton.ac.uk> On 17/1/09 15:14, shuttlebox wrote: > On Sat, Jan 17, 2009 at 3:03 PM, Julian Field > wrote: > >> Re-visiting this issue. >> Is it still a problem? >> Is it worth attempting to solve? >> >> In the following descriptions, all timings would be configurable. It's just >> easier to think about the problem with real numbers in there. >> >> When we scan the queue to build a batch, we look for unlocked messages as >> normal. When we find an unlocked message, we look to see if it is in the >> database table and was first scanned less than 20 minutes ago. >> If it was first scanned 20 minutes ago, we ignore it in case it was a >> one-off failure, or a failure caused by other messages in the same batch. >> If it was first scanned 20-40 minutes ago, we scan it in a batch of 1 >> message, on its own. >> If it was first scanned more than 40 minutes ago, we ignore it completely >> and log the event as a scanner failure. Or we could mark it as infected >> instead? What are your thoughts here? A DoS attack attempt would be a >> reasonable conclusion. >> >> I need to catch every time a message leaves the batch and remove it from the >> database table, that's my problem. >> Also, I need to find all the race conditions when checking the database >> about the message, but that's also my problem. >> >> What do you think of the approach above? >> > > Do we need a database? Couldn't you just stat the queue files to see > how old they are and get the same result? > > To me, the queue dir is like a database, and the queue files are like > records in the database. 
You have to put timestamps into the database > but the files already have that. There's no records to remove when the > message has been delivered because the files will be gone. > > If I'm not missing something it seems unnecessarily complex with a database..? > Good idea, but what happens when older queue files are put in the queue? Such as when you suspend MailScanner but leave the incoming sendmail working when working on MailScanner but want to leave incoming sendmail working? You need a timestamp that is touched by MailScanner but not by the message being written into the queue. Can't use the last-accessed timestamp as that will be touched by MailScanner reading it anyway. And the timestamp we use needs to be implementable regardless of the MTA in use. Is the last-modified timestamp used by any of them? We also need to be able to tell if it hasn't been touched yet, maybe last-modified==created ? Again, does this work in every MTA? I entirely agree it would be a very neat solution, but only if we can make it work in all MTAs. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From alex at rtpty.com Sat Jan 17 23:53:05 2009 
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Sat Jan 17 23:53:19 2009 Subject: MS/perl segfaults In-Reply-To: <49723C6A.4030308@ecs.soton.ac.uk> References: <49186B27.2060809@ecs.soton.ac.uk> <4971E515.6070703@ecs.soton.ac.uk> <625385e30901170714x157ae096q7a03d9c78ccb13e7@mail.gmail.com> <49723C6A.4030308@ecs.soton.ac.uk> Message-ID: Just to contribute ... Would it be ok to assume there also would be a problem with clocks skewing from things like DST changes in computers that aren't set to GMT proper (perhaps because of dual boot or vmware issues), or from them being off for extended power outages (like some MS users in Africa might have to deal with)? On Jan 17, 2009, at 3:15 PM, Julian Field wrote: > And the timestamp we use needs to be implementable regardless of the > MTA in use. Is the last-modified timestamp used by any of them? We > also need to be able to tell if it hasn't been touched yet, maybe > last-modified==created ? Again, does this work in every MTA? > > I entirely agree it would be a very neat solution, but only if we > can make it work in all MTAs. > > Jules From jan-peter at koopmann.eu Sun Jan 18 10:15:08 2009 From: jan-peter at koopmann.eu (Koopmann, Jan-Peter) Date: Sun Jan 18 10:17:38 2009 Subject: Spamassassin timeouts - Just an observation In-Reply-To: <49510578.6050801@cnpapers.com> References: <49510578.6050801@cnpapers.com> Message-ID: Hi, > The topic seems to come up quite often, and although the answers are > usually pretty much the same, I never really see much of a "Solved" reply. Are you using BotNet.pm by any chance? There was a bug in one of the older versions causing sporadic SpamAssassin timeouts. I looked for ages and on my systems the old BotNet.pm triggered it. Updated (without changing anything else) and never seen the error again. Just an idea. Regards, JP From campbell at cnpapers.com Sun Jan 18 11:32:03 2009 
From: campbell at cnpapers.com (Steve Campbell) Date: Sun Jan 18 11:32:19 2009 Subject: Spamassassin timeouts - Just an observation In-Reply-To: References: <49510578.6050801@cnpapers.com> Message-ID: <1232278323.4973133335ecf@perdition.cnpapers.net> Quoting "Koopmann, Jan-Peter" : > Hi, > > > The topic seems to come up quite often, and although the answers are > > usually pretty much the same, I never really see much of a "Solved" > reply. > > Are you using BotNet.pm by any chance? There was a bug in one of the > older versions causing sporadic SpamAssassin timeouts. I looked for ages > and on my systems the old BotNet.pm triggered it. Updated (without > changing anything else) and never seen the error again. Just an idea. > > Regards, > JP > > > -- Jan-Peter, So far, it appears the extra rules from SARE was the biggest contributor. I have removed all of the sets from my sa-update and the problems almost disappeared. I do not run BotNet.pm. The most common problem with these timeouts always seemed to be DNS and RBLs, but I wasn't seeing any problems there. I kept looking there though. I was also being fooled by high, but not critical load averages. I have duplicate servers that were not timing out with similar load averages, rules, and daily email counts. The non-problem machine was getting its email spread out over the course of a day, whereas the problem machine was receiving large batches at different times of the day. Once I started reviewing the mailscanner-mrtg plots, I saw this. Another thing that threw me off was the fact that no matter how many emails arrived at one time, the LA would spike to 3.5 or higher on either machine. The high message per batch count would cause the LA to gradually creep higher, but the smaller batches would give constant LAs. The low amount of RAM for both machines explains that. I had been fooled by MS doing such a good job for years, and just wasn't thinking very clearly about what could have caused this. 
Two upgrades ago, I started using the new sa-update feature and added the rules using that. It didn't show immediate changes to the way the machines acted over a week or so, so I never thought it was a problem. The load averages are still fluctuating, but batch times are considerably lower, which allows faster throughput, and fewer timeouts on the machines. I hope the RAM I have ordered will fix the rest of it. I'm sorry to have caused such a stir with all of this, as this thread has gone on way too long. I've sharpened my MS diagnostic skills, though, and hope it might have helped others - the information everyone has provided has been very good. Thanks to all again, steve ------------------------------------------------- This mail sent through IMP: http://horde.org/imp/ From MailScanner at ecs.soton.ac.uk Sun Jan 18 16:47:04 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Jan 18 16:47:24 2009 Subject: MS/perl segfaults In-Reply-To: References: <49186B27.2060809@ecs.soton.ac.uk> <4971E515.6070703@ecs.soton.ac.uk> <625385e30901170714x157ae096q7a03d9c78ccb13e7@mail.gmail.com> <49723C6A.4030308@ecs.soton.ac.uk> Message-ID: <49735D08.4070200@ecs.soton.ac.uk> Absolutely. Hence the need for a timestamp that is dependent only on MailScanner. Users in areas of the world with dodgy power supplies can always just switch the feature off. Most servers don't dual-boot so I'm not so worried about them. On 17/1/09 23:53, Alex Neuman van der Hans wrote: > Just to contribute ... Would it be ok to assume there also would be a > problem with clocks skewing from things like DST changes in computers > that aren't set to GMT proper (perhaps because of dual boot or vmware > issues), or from them being off for extended power outages (like some > MS users in Africa might have to deal with)? > > On Jan 17, 2009, at 3:15 PM, Julian Field wrote: > >> And the timestamp we use needs to be implementable regardless of the >> MTA in use. Is the last-modified timestamp used by any of them? We >> also need to be able to tell if it hasn't been touched yet, maybe >> last-modified==created ? Again, does this work in every MTA? >> >> I entirely agree it would be a very neat solution, but only if we can >> make it work in all MTAs. >> >> Jules > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From micoots at yahoo.com Mon Jan 19 06:59:29 2009 
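Added example, not from any poster in this thread and not MailScanner code: the suspect-message tracking proposed in the "MS/perl segfaults" messages above, written in Python with SQLite, using timestamps that only the scanner writes. The table and function names, the attempts counter used to rotate single-message retries, giving single-message retries priority over new mail, and restarting the timer when the clock steps backwards are assumptions; the 20 and 40 minute thresholds are the ones given in the thread.

```python
import sqlite3

DEFER_SECS = 20 * 60   # younger than this: skip, it may be an innocent batch-mate
FAIL_SECS = 40 * 60    # older than this: give up and report a scanner failure


def open_db(path=":memory:"):
    # isolation_level=None: transactions are controlled explicitly below.
    conn = sqlite3.connect(path, isolation_level=None)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS processing ("
        " msg_id TEXT PRIMARY KEY,"
        " first_seen REAL NOT NULL,"   # written by the scanner, never by the MTA
        " attempts INTEGER NOT NULL)"
    )
    return conn


def build_batch(conn, queue_ids, now, max_batch=30):
    """Pick the next batch from the unlocked queue ids.

    Returns (batch, failed): ids to scan now, and ids that have been stuck
    for more than FAIL_SECS and should be logged as scanner failures.
    """
    fresh, solo, failed = [], [], []
    # BEGIN IMMEDIATE takes the write lock first, so two children cannot
    # both read "not in table" and then both claim the same message.
    conn.execute("BEGIN IMMEDIATE")
    try:
        for msg_id in queue_ids:
            row = conn.execute(
                "SELECT first_seen, attempts FROM processing WHERE msg_id = ?",
                (msg_id,),
            ).fetchone()
            if row is None:
                if len(fresh) < max_batch:
                    fresh.append(msg_id)
                continue
            first_seen, attempts = row
            age = now - first_seen
            if age < 0:
                # Clock stepped backwards (assumed policy): restart the timer.
                conn.execute(
                    "UPDATE processing SET first_seen = ? WHERE msg_id = ?",
                    (now, msg_id),
                )
            elif age < DEFER_SECS:
                continue                      # left over from a crashed batch
            elif age <= FAIL_SECS:
                solo.append((attempts, msg_id))
            else:
                failed.append(msg_id)
        if solo:
            # Retry one suspect alone; the least-tried one goes first so a
            # message that keeps crashing cannot starve the others.
            batch = [min(solo)[1]]
            conn.execute(
                "UPDATE processing SET attempts = attempts + 1 WHERE msg_id = ?",
                (batch[0],),
            )
        else:
            batch = fresh
            conn.executemany(
                "INSERT INTO processing VALUES (?, ?, 1)",
                [(m, now) for m in batch],
            )
        conn.execute("COMMIT")
    except Exception:
        conn.execute("ROLLBACK")
        raise
    return batch, failed


def finish(conn, msg_ids):
    """Call on every path by which a message leaves a batch."""
    conn.execute("BEGIN IMMEDIATE")
    conn.executemany("DELETE FROM processing WHERE msg_id = ?",
                     [(m,) for m in msg_ids])
    conn.execute("COMMIT")


def simulate():
    """Constructed scenario: message b crashes the scanner every time."""
    conn, minute, out = open_db(), 60, []
    out.append(build_batch(conn, ["a", "b", "c"], now=0))   # child crashes
    out.append(build_batch(conn, ["a", "b", "c", "d"], now=10 * minute))
    finish(conn, ["d"])
    out.append(build_batch(conn, ["a", "b", "c"], now=25 * minute))
    finish(conn, ["a"])                                     # a was innocent
    out.append(build_batch(conn, ["b", "c"], now=25 * minute))  # crashes again
    out.append(build_batch(conn, ["b", "c"], now=26 * minute))
    finish(conn, ["c"])                                     # c was innocent
    out.append(build_batch(conn, ["b", "e"], now=45 * minute))
    return out


if __name__ == "__main__":
    for batch, failed in simulate():
        print("scan:", batch, "failed:", failed)
```
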
From: micoots at yahoo.com (Michael Mansour) Date: Mon Jan 19 06:59:40 2009 Subject: Preventing backscatter with sendmail In-Reply-To: <200901170057.n0H0v713030269@safir.blacknight.ie> Message-ID: <11757.49373.qm@web33301.mail.mud.yahoo.com> Hi, --- On Sat, 17/1/09, Paul Welsh wrote: > From: Paul Welsh > Subject: Preventing backscatter with sendmail > To: mailscanner@lists.mailscanner.info > Received: Saturday, 17 January, 2009, 11:56 AM > I'm looking for a way of doing with sendmail what exim > does out of the box, > ie, recipient verification when the MailScanner/Sendmail > server is a front > end to Exchange. > > I've been googling and from what I can see I have the > following options: > > milter-ahead - www.milter.info/sendmail/milter-ahead/ > Mailfromd > scam-backscatter - www.elandsys.com/scam/scam-backscatter/ > access.db > ldap lookups > > Only about 100 - 120 email addresses so access.db is a > possibility. > Milter-ahead costs 90 euro (probably worth ?150 by the > time I can get round > to buying it!). LDAP lookups seem a bit complex. > > Mailfromd seems the most popular. Is that the de facto > standard way of doing this? I don't think there's any de facto standard, just depends on your selection and what works best for you. I use scam-back (scam backscatter) and have been for years, it works well and fits exactly the work it's required to do on multiple hosted domains. Michael. From hvdkooij at vanderkooij.org Mon Jan 19 07:07:37 2009 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Mon Jan 19 07:07:46 2009 Subject: Avast interface not fully functional In-Reply-To: <496CFCD4.5010405@ecs.soton.ac.uk> References: <496CFCD4.5010405@ecs.soton.ac.uk> Message-ID: <497426B9.4040405@vanderkooij.org>

Julian Field wrote:
> For starters, are you using Avast or Avastd?
> Secondly, please can you post the exact output of the Avast/Avastd scanner?
> If you are using Avastd, then this is a possible problem. Case 3
> shouldn't be a problem but case 2 might be.
> I need to see the exact output, preferably redirect the output to a file
> and post that file (gzipped so nothing can play with it).

I wrote a parser on the output that might help you a bit. It parses the output of over 100k of infected files. It contains bits that are not relevant to your application but see if it works for you. If you need sample files of sorts to test with avast detection I am sure we can work something out offlist.

# Read the Avast scanner output line by line.
while (my $line = <STDIN>) {
  if ($line =~ /infected by:/) {
    chomp($line);
    $error = 0;
    # Normalise the line: drop the "Archived " prefix, the square brackets
    # around the "infected by" part, and the collection directory prefix.
    $line =~ s/^Archived //;
    $line =~ s/\[inf/inf/;
    $line =~ s/\]$//;
    $line =~ s/\/var\/virus\/collection\///;
    # Field 0 is the file path, field 1 the virus name.
    @fields = split(/\tinfected by: /,$line);
    # Cut the path back to the sample file itself (32 hex digits, a number,
    # an extension), dropping anything below it.
    $fields[0] =~ s/([0-9A-F]{32}\.[0-9]+\..*?)\/.*/$1/;
    $filename = $fields[0];
    $virusname = quotemeta($fields[1]);
    @file = split(/\./,$filename);
    $md5 = $file[0];
    $md5 =~ s/^..\/..\///;
    $size = $file[1];
    $type = $file[2];
    $virusfile = "/var/virus/collection/".$fields[0];
    if ($error == 1) {
      # $errors is set in a part of the script that was not posted.
      $command = "mv -f $virusfile $errors";
      print "$command\n";
      # List form of system(): the file name never passes through a shell.
      system("mv", "-f", $virusfile, $errors);
      next;
    }
    if (-e $virusfile) {
      print "$filename => $virusname => ";
    } else {
      print "*MISSING* $filename => $virusname\n";
      next;
    }
  }
}

Hugo
-- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. Nid wyf yn y swyddfa ar hyn o bryd. Anfonwch unrhyw waith i'w gyfieithu.

From micoots at yahoo.com Mon Jan 19 07:13:11 2009 From: micoots at yahoo.com (Michael Mansour) Date: Mon Jan 19 07:13:21 2009 Subject: Blacklisting from URIBL In-Reply-To: Message-ID: <724653.202.qm@web33305.mail.mud.yahoo.com> Hi Raymond, --- On Thu, 15/1/09, Raymond Dijkxhoorn wrote: 
> From: Raymond Dijkxhoorn
> Subject: Re: Blacklisting from URIBL
> To: "MailScanner discussion"
> Received: Thursday, 15 January, 2009, 12:00 PM
> Hi!
>
> >> Not sure if this is smart however, but if you don't mind
> >> losing legitimate mail it's no issue.
>
> > There is absolutely zero legitimate email which has URI's in URIBL_BLACK.
> > Maybe in URIBL_GREY, maybe in URIBL_GOLD, but never in URIBL_BLACK.
> > Those are 100% confirmed URI's of spammers.
>
> I am glad you are so positive about it, statistics show
> otherwise. Check the SA site for example. But, if it works
> for you, fine! :-)

Just to provide an update.

Since implementing the uribl blocking (and adding the surbl also) 100% of
that trash has vanished from the ether.

No legitimate email was affected because I selected only the lists that I
wanted using the bitmasks.

In terms of uribl_black, I'm always in the top 10 rankings for URI
submitters worldwide and consistently have a submitter rating above 94%. I
have been using it and submitting to it for some time now.

After reviewing literally thousands of emails during the last months,
there's never been any time I've seen a valid URI in the uribl_black list.
Each entry submitted to the uribl_black is reviewed by humans, they go to
the website, check originators, etc for legitimate spam or phishing sites
and only list if they are real and valid scam sites. Doubtful sites go to
the other lists.

As a submitter you also quickly realise, if you submit URI's that don't meet
the criteria for your requested listing, your % rating drops very quickly
and you are less trusted and more doubt goes into your submissions.

Frankly, if the SA site say otherwise about the uribl_black, in my
experience they are plain wrong.

You can read about the uribl lists here:

http://uribl.com/about.shtml

Best regards,

Michael.

> Bye,
> Raymond.

From raymond at prolocation.net Mon Jan 19 09:06:06 2009
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Mon Jan 19 09:06:15 2009
Subject: Blacklisting from URIBL
In-Reply-To: <724653.202.qm@web33305.mail.mud.yahoo.com>
References: <724653.202.qm@web33305.mail.mud.yahoo.com>
Message-ID:

Hi!

> Frankly, if the SA site say otherwise about the uribl_black, in my
> experience they are plain wrong.
>
> You can read about the uribl lists here:
>
> http://uribl.com/about.shtml

I know all about URIBL, no need to explain. ;)

The PF rating is something that is there, and it's there due to a reason.
Some people on this list (Hey! Alex!) can perhaps explain you.

For example, and I don't say this is good or bad, don't get me wrong, URIBL
is listing all .ru abused sites. If you are inside .ru this is the same as
blocking ebay.com or alike. If you can live with that fine. But please do
not state it's causing no FP's at all.

You might be submitting a lot of items there, and that's nice, but I know my
way around in URI land also ...

Bye,
Raymond.

From ms-list at alexb.ch Mon Jan 19 09:18:52 2009
From: ms-list at alexb.ch (Alex Broens)
Date: Mon Jan 19 09:19:03 2009
Subject: Blacklisting from URIBL
In-Reply-To:
References: <724653.202.qm@web33305.mail.mud.yahoo.com>
Message-ID: <4974457C.7050201@alexb.ch>

On 1/19/2009 10:06 AM, Raymond Dijkxhoorn wrote:
> Hi!
>
>> Frankly, if the SA site say otherwise about the uribl_black, in my
>> experience they are plain wrong.
>>
>> You can read about the uribl lists here:
>>
>> http://uribl.com/about.shtml
>
> I know all about URIBL, no need to explain. ;)
>
> The PF rating is something that is there, and it's there due to a reason.
> Some people on this list (Hey! Alex!) can perhaps explain you.

Rejecting with URIBL.com's data is risky, it may work for you, not for
others. It's not advised, supported, etc.. it's up to you.

> For example, and I don't say this is good or bad, don't get me wrong,
> URIBL is listing all .ru abused sites. If you are inside .ru this is the
> same as blocking ebay.com or alike. If you can live with that fine. But
> please do not state it's causing no FP's at all.

??????

URIBL.com is listing *.abused-dom.ru, not the domain itself.
If you have samples where this is not the case, pls let "them" know :-)

> You might be submitting a lot of items there, and that's nice, but I know
> my way around in URI land also ...

Somehow your name sounds familiar... muaaaaaaaa

Alex

From mailwatch.kp at gmail.com Mon Jan 19 09:24:24 2009
From: mailwatch.kp at gmail.com (vinayan KP)
Date: Mon Jan 19 09:24:35 2009
Subject: Spam assassin timeouts
In-Reply-To: <223f97700812100229k1c95f0a6l3e82d63a92b0a1e8@mail.gmail.com>
References: <6a7195cc0812080339y1bae40ccnbae4ba36438ae352@mail.gmail.com>
 <1228739966.12079.75.camel@darkstar.netcore.co.in>
 <6a7195cc0812100133s3334cdb5kf70f64406b1d4e7b@mail.gmail.com>
 <223f97700812100228t7261143ase48a8ae8e1325991@mail.gmail.com>
 <223f97700812100229k1c95f0a6l3e82d63a92b0a1e8@mail.gmail.com>
Message-ID: <6a7195cc0901190124w158a7e8p7a3912093818766e@mail.gmail.com>

Dear Mr. Glenn and Ram

Thank you very much for your mail. Sorry for the late response as I could do
as you said only today as I was away for some personal reasons.

I stopped the MailScanner and spamassassin and removed the bayes_seen file
and restarted the MailScanner and spamassassin services.

I am not an expert but just a beginner with linux with only some 15 months
experience. This Mailscanner system (which receives mails from outside and
forwards them to our mailserver) was installed by a third party who stopped
his business and could not get any help from them.

Hope it will now start catching all the spam mails as it used to earlier and
tag them.

Regards
Vinu

On Wed, Dec 10, 2008 at 3:59 PM, Glenn Steen wrote:
> 2008/12/10 Glenn Steen :
>> 2008/12/10 vinayan KP :
>>> Dear Ram,
>>>
>>> Thank you very much for your mail. I learned linux just recently I am
>>> not an expert. I normally used to try things whenever I get time but
>>> now I hardly have any time these days to sit and feel don't have enough
>>> knowledge to fix this problem. A third party installed and configured
>>> mailscanner for us couple of years back but that company does not
>>> exist anymore. Hope you would be able to help me out.
>>>
>>> The following are the size of bayes file. Are these alright? The
>>> bayes_seen file is too large but it was like this for a long time and
>>> was working alright.
>>>
>>> -rw------- 1 root root 9.4K Dec 10 14:29 bayes_journal
>>> -rw-rw-rw- 1 root root 5.7K Dec 10 14:29 bayes.mutex
>>> -rw------- 1 root root 167M Dec 10 14:26 bayes_seen
>>> -rw------- 1 root root 9.7M Dec 10 14:28 bayes_toks
>>> -rw------- 1 root root  12K Dec  9 10:35 bayes_toks.expire10686
>>> -rw------- 1 root root  12K Dec 10 00:12 bayes_toks.expire11495
>>> -rw------- 1 root root  12K Dec  8 19:22 bayes_toks.expire11824
>>> -rw------- 1 root root  12K Dec  8 20:40 bayes_toks.expire13768
>>> -rw------- 1 root root  12K Dec 10 07:48 bayes_toks.expire28490
>>> -rw------- 1 root root  12K Dec  7 21:22 bayes_toks.expire31832
>>> -rw------- 1 root root    0 Dec  2 04:04 __db.bayes_toks.expire12682
>>> -rw------- 1 root root  12K Nov 27 18:58 __db.bayes_toks.expire14247
>>> -rw------- 1 root root  12K Sep  6 06:22 __db.bayes_toks.expire15605
>>> -rw------- 1 root root  12K Nov 14 14:38 __db.bayes_toks.expire15684
>>> -rw------- 1 root root 4.0K Sep  2 07:48 __db.bayes_toks.expire1745
>>> -rw------- 1 root root  12K Dec  2 08:39 __db.bayes_toks.expire20880
>>> -rw------- 1 root root  12K Dec  6 00:18 __db.bayes_toks.expire23304
>>> -rw------- 1 root root    0 Dec  4 16:39 __db.bayes_toks.expire23851
>>> -rw------- 1 root root    0 Oct 26 19:52 __db.bayes_toks.expire24361
>>> -rw------- 1 root root    0 Sep  2 04:52 __db.bayes_toks.expire29096
>>> -rw------- 1 root root  12K Nov 11 17:37 __db.bayes_toks.expire30758
>>> -rw------- 1 root root  12K Oct 23 18:31 __db.bayes_toks.expire31745
>>> -rw------- 1 root root 4.0K Dec  9 05:28 __db.bayes_toks.expire32018
>>> -rw------- 1 root root    0 Nov 21 04:07 __db.bayes_toks.expire32087
>>> -rw------- 1 root root  12K Dec  5 15:17 __db.bayes_toks.expire3656
>>> -rw------- 1 root root    0 Dec  4 05:45 __db.bayes_toks.expire5747
>>> -rw------- 1 root root  12K Oct 22 16:03 __db.bayes_toks.expire7440
>>> -rw------- 1 root root  12K Nov 26 16:21 __db.bayes_toks.expire7458
>>> -rw------- 1 root root    0 Sep 18 00:39 __db.bayes_toks.expire9575
>>> -rw-r--r-- 1 root root 1.5K Dec  8 13:23 user_prefs
>>>
>> (snip)
>
> BTW... Safest is to start these operations after shutting MailScanner down.
>
>> This is classic... You have a huge seen file there, and a load of
>> expire files from unsuccessful expire runs. Remove the seen file as
>> well as all the expire files, then do a manual expire... Consider
>> configuring your bayes for manual expire only. Also consider
>> increasing the SA timeout value rather much ... in MailScanner.conf.
>> MS will rudely cut off some SA operations otherwise. Exactly what you
>> need, as well as where depend on your circumstances, so I'll refrain
>> from giving any hard numbers.
>> Removing the bayes_seen file will affect your ability to unlearn
>> messages previously learnt, but ... that is likely something you can
>> live with temporarily.
>>
>> As Ram says, this has been covered numerous times (and all the other
>> reasons for SA to time out:-) on this list... and I'm almost certain
>> you can find pertinent information in the wiki/maq as well.
>>
>> Cheers
>> --
>> -- Glenn
>> email: glenn < dot > steen < at > gmail < dot > com
>> work: glenn < dot > steen < at > ap1 < dot > se
>>
>
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se

From maxsec at gmail.com Mon Jan 19 09:26:33 2009
From: maxsec at gmail.com (Martin Hepworth)
Date: Mon Jan 19 09:26:42 2009
Subject: Spamassassin timeouts - Just an observation
In-Reply-To: <1232278323.4973133335ecf@perdition.cnpapers.net>
References: <49510578.6050801@cnpapers.com>
 <1232278323.4973133335ecf@perdition.cnpapers.net>
Message-ID: <72cf361e0901190126l4362cbaej25db9e938b26566f@mail.gmail.com>

I'd drop the SARE rules back in, one at a time and see if any trigger
the timeouts.

Do you run sa-compile as this can help a great deal pre-compiling the
perl RE into C.

--
martin

2009/1/18 Steve Campbell :
> Quoting "Koopmann, Jan-Peter" :
>
>> Hi,
>>
>> > The topic seems to come up quite often, and although the answers are
>> > usually pretty much the same, I never really see much of a "Solved"
>> reply.
>>
>> are you using BotNet.pm by any chance. There was a bug in one of the
>> older versions causing sporadic SpamAssassin timeouts.. I looked for ages
>> and on my systems the old BotNet.pm triggered it. Updated (without
>> changing anything else) and never seen the error again. Just an idea.
>>
>> Regards,
>> JP
>>
>>
>> --
> Jan-Peter,
>
> So far, it appears the extra rules from SARE was the biggest contributor. I have
> removed all of the sets from my sa-update and the problems almost disappeared. I
> do not run BotNet.pm.
>
> The most common problem with these timeouts always seemed to be DNS and RBLs,
> but I wasn't seeing any problems there. I kept looking there though. I was also
> being fooled by high, but not critical load averages. I have duplicate servers
> that were not timing out with similar load averages, rules, and daily email
> counts. The non-problem machine was getting its email spread out over the
> course of a day, whereas the problem machine was receiving large batches at
> different times of the day.
>
> Once I started reviewing the mailscanner-mrtg plots, I saw this. Another thing
> that threw me off was the fact that no matter how many emails arrived at one
> time, the LA would spike to 3.5 or higher on either machine. The high message
> per batch count would cause the LA to gradually creep higher, but the smaller
> batches would give constant LAs. The low amount of RAM for both machines explain
> that.
>
> I had been fooled by MS doing such a good job for years, and just wasn't
> thinking very clearly about what could have caused this. Two upgrades ago, I
> started using the new sa-update feature and added the rules using that. It
> didn't show immediate changes to the way the machines acted over a week or so,
> so I never thought it was a problem. The load averages are still fluctuating,
> but batch times are considerably lower, which allows faster throughput, and less
> timeouts on the machines. I hope the RAM I have ordered will fix the rest of it.
>
> I'm sorry to have caused such a stir with all of this, as this thread has went
> on way too long. I've sharpened my MS diagnostic skills, though, and hope it
> might have helped others - the information everyone has provided has been very good.
>
> Thanks to all again,
>
> steve

--
Martin Hepworth
Oxford, UK

From fabio.macchi at area.it Mon Jan 19 10:13:13 2009
From: fabio.macchi at area.it (Fabio Macchi)
Date: Mon Jan 19 10:13:24 2009
Subject: howto quarantine a mail blocked by Attachment Filename Checking ?
Message-ID: <5F9C54A883A3F345BC089BDC5F877D7E454603B1@CMS01.area.areaweb.it>

Hi all,

actually I have "Attachment Filename Checking" enabled, but it rejects
the matched attachments: is there a way to quarantine the attachment
instead of simply rejecting, so I can release the mail if it's not
dangerous ?

Many thanks for any answer

Fabio

From t.d.lee at durham.ac.uk Mon Jan 19 10:53:54 2009
From: t.d.lee at durham.ac.uk (David Lee)
Date: Mon Jan 19 10:54:34 2009
Subject: MS/perl segfaults
In-Reply-To: <49723C6A.4030308@ecs.soton.ac.uk>
References: <49186B27.2060809@ecs.soton.ac.uk>
 <4971E515.6070703@ecs.soton.ac.uk>
 <625385e30901170714x157ae096q7a03d9c78ccb13e7@mail.gmail.com>
 <49723C6A.4030308@ecs.soton.ac.uk>
Message-ID:

On Sat, 17 Jan 2009, Julian Field wrote:

> On 17/1/09 15:14, shuttlebox wrote:
>> On Sat, Jan 17, 2009 at 3:03 PM, Julian Field
>> wrote:
>>
>>> Re-visiting this issue.
>>> Is it still a problem?
>>> Is it worth attempting to solve?

Speaking as the original requester: yes please. The problem is indeed,
quite rare. But when it hits its effects can be severe.

Reminder/refresher: the problem is perl crashes from MS or subcomponents,
typically caused by a new type of data, or malformed data, in incoming
emails. As such an event occurs, live, it can act as a DOS against the MS
installation and against its own users. The proposal is to identify such
DOS, as it happens, and mitigate its effects, live.

And for a big site, such an event happening (say) at the start of an
extended unattended (lights out) period such as Christmas/New-Year can be
unfortunate. (We were relatively lucky with our most recent such DOS: it
was an ordinary weekend; even so the Monday (and Tuesday) were worrying.)

Shuttlebox asks:

>> Do we need a database? Couldn't you just stat the queue files to see
>> how old they are and get the same result?
>>
>> To me, the queue dir is like a database, and the queue files are like
>> records in the database. You have to put timestamps into the database
>> but the files already have that. There's no records to remove when the
>> message has been delivered because the files will be gone.
>>
>> If I'm not missing something it seems unnecessarily complex with a
>> database..?

Good question, shuttlebox. Thanks. I originally proposed a database
simply as a concept to help us think through the principles. But a bit of
lateral thinking like that, regarding the implementation, seems fine to
me, so long as it doesn't unduly compromise that implementation.

Julian continues:

> Good idea, but what happens when older queue files are put in the queue?
> Such as when you suspend MailScanner but leave the incoming sendmail
> working when working on MailScanner but want to leave incoming sendmail
> working? You need a timestamp that is touched by MailScanner but not by
> the message being written into the queue. Can't use the last-accessed
> timestamp as that will be touched by MailScanner reading it anyway.

Indeed. It was for such very reasons that I proposed a database concept.
Using (mis-using?) existing features in an implementation could lead us
into trouble in some situations. (And the whole point of this proposal is
to eradicate one source of trouble, not replace it with another.)

> And the timestamp we use needs to be implementable regardless of the MTA
> in use. Is the last-modified timestamp used by any of them? We also need
> to be able to tell if it hasn't been touched yet, maybe
> last-modified==created ? Again, does this work in every MTA?

Indeed. Are we in danger of leading ourselves into trouble?

> I entirely agree it would be a very neat solution, but only if we can
> make it work in all MTAs.

OK. So how to implement? Suggest:

1. Our thinking should continue to be database-like for a robust design.

2. Shuttlebox has led us to consider whether the incoming queue files can
   somehow be their own database. A good idea. I like it.

3. Central to the database is clear understanding and use of timestamps.
   We ought to be very wary of compromising on this principle.

4. Using UNIX create/access timestamps on files could be a major source of
   such compromise. (All MTAs? Dodgy power supplies? Machine outage and
   fix with mail still in inbound Q? Etc.)

5. MS already has strong mechanisms for adding its own headers (although I
   realise that is on the outbound rather than inbound side). So the
   database principles of insertion, (updating?) and locking may already
   be in place in MS.

So suppose we continue to model this using "timestamp in a database"
thinking, but actually store, read and process those timestamps in the
inbound file itself. I realise that this implementation detail will be
MTA-specific, but I think that might slot cleanly into MS's existing
MTA-specific code. (Julian?)

Hope that helps.

--
:  David Lee                          I.T. Service          :
:  Senior Systems Programmer          Computer Centre       :
:  UNIX Team Leader                   Durham University     :
:                                     South Road            :
:  http://www.dur.ac.uk/t.d.lee/      Durham DH1 3LE        :
:  Phone: +44 191 334 2752            U.K.                  :

From maillists at conactive.com Mon Jan 19 11:31:20 2009
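
The idea discussed in David Lee's message above, scanner-owned timestamps and attempt counts kept apart from the MTA's file times, sketched in Python as an added example. It is not MailScanner code and not from the thread; the class, function and queue-ID names are hypothetical, and SQLite is an assumed store.

```python
import sqlite3
import time


class ScannerCrash(Exception):
    """Stands in for the scanner process dying part-way through a message."""


class AttemptTracker:
    """Scanner-owned record of processing attempts, keyed by queue ID.

    Timestamps come from the scanner's own clock, never from the queue
    file's mtime/atime, so old files re-queued by the MTA are not misjudged.
    """

    def __init__(self, path=":memory:", max_attempts=3, clock=time.time):
        self.max_attempts = max_attempts
        self.clock = clock
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS attempts ("
            "qid TEXT PRIMARY KEY, first_start REAL, last_start REAL, "
            "tries INTEGER NOT NULL DEFAULT 0)"
        )
        self.db.commit()

    def begin(self, qid):
        """Record an attempt before scanning; False means 'set it aside'."""
        now = self.clock()
        row = self.db.execute(
            "SELECT tries FROM attempts WHERE qid = ?", (qid,)).fetchone()
        if row is not None and row[0] >= self.max_attempts:
            return False
        self.db.execute(
            "INSERT OR IGNORE INTO attempts (qid, first_start, tries) "
            "VALUES (?, ?, 0)", (qid, now))
        self.db.execute(
            "UPDATE attempts SET tries = tries + 1, last_start = ? "
            "WHERE qid = ?", (now, qid))
        # Commit before the scan starts: the record must survive a crash.
        self.db.commit()
        return True

    def finish(self, qid):
        """The message was scanned and handed on; forget it."""
        self.db.execute("DELETE FROM attempts WHERE qid = ?", (qid,))
        self.db.commit()

    def suspects(self):
        """Messages that used up their attempts: (qid, tries, first_start)."""
        return self.db.execute(
            "SELECT qid, tries, first_start FROM attempts "
            "WHERE tries >= ? ORDER BY first_start", (self.max_attempts,)
        ).fetchall()


def run_once(tracker, queue, scan, delivered, set_aside):
    """One scanner lifetime: work through the queue until done or crashed."""
    for qid in list(queue):
        if not tracker.begin(qid):
            queue.remove(qid)
            set_aside.append(qid)
            continue
        scan(qid)  # may raise ScannerCrash; the attempt is already recorded
        tracker.finish(qid)
        queue.remove(qid)
        delivered.append(qid)


def simulate(queue_ids, poison, max_attempts=3, max_restarts=10):
    """Restart the scanner after each crash, as a watchdog would.

    The tracker object outlives the simulated restarts, standing in for a
    database file on disk.
    """
    tracker = AttemptTracker(max_attempts=max_attempts)
    queue, delivered, set_aside, restarts = list(queue_ids), [], [], 0

    def scan(qid):
        if qid in poison:
            raise ScannerCrash(qid)

    while queue and restarts <= max_restarts:
        try:
            run_once(tracker, queue, scan, delivered, set_aside)
        except ScannerCrash:
            restarts += 1
    return delivered, set_aside, restarts, tracker.suspects()


if __name__ == "__main__":
    # Constructed queue IDs; the second one crashes the scanner every time.
    print(simulate(["n0J7a1", "n0J7a2", "n0J7a3"], poison={"n0J7a2"}))
```

Without the tracker the message behind the crashing one would never be reached; with it, the crashing message is set aside after three attempts and remains listed for an operator to inspect.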
From: maillists at conactive.com (Kai Schaetzl)
Date: Mon Jan 19 11:31:35 2009
Subject: Spamassassin timeouts - Just an observation
In-Reply-To: <72cf361e0901190126l4362cbaej25db9e938b26566f@mail.gmail.com>
References: <49510578.6050801@cnpapers.com>
 <1232278323.4973133335ecf@perdition.cnpapers.net>
 <72cf361e0901190126l4362cbaej25db9e938b26566f@mail.gmail.com>
Message-ID:

Martin Hepworth wrote on Mon, 19 Jan 2009 09:26:33 +0000:

> I'd drop the SARE rules back in, one at a time and see if any trigger
> the timeouts.

By dropping them he freed some memory on a memory-scarce machine. That was
likely the problem, not processing of certain rules.
Apart from that I find that there is only a handful of SARE rules that hit
nowadays and even these hit only a few messages. I dropped all of them
(except for the uribl tld additions) with no ill effects recently.
Do you still see them hitting a lot? If so, which are the two or three of
your most hitting SARE ruleset files? Maybe these were just never part of
my list.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From simone.morandini at mix-it.net Mon Jan 19 11:41:23 2009
From: simone.morandini at mix-it.net (Simone Morandini)
Date: Mon Jan 19 11:41:40 2009
Subject: Missing files during new installation
Message-ID: <497466E3.8050407@mix-it.net>

Hi all,

I tried installing MailScanner on a RedHat ES 3 server that wasn't running
it.
During the install.sh script, I got many error messages about missing files.
In detail, this is the list:

Missing file /usr/src/redhat/RPMS/noarch/perl-Net-CIDR-0.11-2.noarch.rpm.
Missing file /usr/src/redhat/RPMS/noarch/perl-IO-stringy-2.110-2.noarch.rpm.
Missing file /usr/src/redhat/RPMS/i386/perl-MIME-Base64-3.07-2.i386.rpm.
Missing file /usr/src/redhat/RPMS/noarch/perl-TimeDate-1.16-4.noarch.rpm.
Missing file /usr/src/redhat/RPMS/noarch/perl-Pod-Escapes-1.04-2.noarch.rpm.
Missing file /usr/src/redhat/RPMS/noarch/perl-Pod-Simple-3.05-2.noarch.rpm.
Missing file /usr/src/redhat/RPMS/noarch/perl-Test-Harness-2.64-2.noarch.rpm.
Missing file /usr/src/redhat/RPMS/noarch/perl-Test-Simple-0.70-2.noarch.rpm.
Missing file /usr/src/redhat/RPMS/noarch/perl-Test-Pod-1.26-2.noarch.rpm.
Missing file /usr/src/redhat/RPMS/noarch/perl-MailTools-2.04-2.noarch.rpm.
Missing file /usr/src/redhat/RPMS/noarch/perl-IO-1.2301-2.noarch.rpm.
Missing file /usr/src/redhat/RPMS/noarch/perl-File-Temp-0.20-2.noarch.rpm.
Missing file /usr/src/redhat/RPMS/i386/perl-HTML-Parser-3.56-2.i386.rpm.
Missing file /usr/src/redhat/RPMS/noarch/perl-Convert-BinHex-1.119-3.noarch.rpm.
Missing file /usr/src/redhat/RPMS/noarch/perl-MIME-tools-5.427-2.noarch.rpm.
Missing file /usr/src/redhat/RPMS/noarch/perl-Convert-TNEF-0.17-2.noarch.rpm.
Missing file /usr/src/redhat/RPMS/i386/perl-Compress-Zlib-1.41-2.i386.rpm.
Missing file /usr/src/redhat/RPMS/noarch/perl-Archive-Zip-1.16-2.noarch.rpm.
Missing file /usr/src/redhat/RPMS/noarch/perl-Scalar-List-Utils-1.19-2.noarch.rpm.
Missing file /usr/src/redhat/RPMS/noarch/perl-Storable-2.16-2.noarch.rpm.
Missing file /usr/src/redhat/RPMS/noarch/perl-DBI-1.56-2.noarch.rpm.
Missing file /usr/src/redhat/RPMS/noarch/perl-DBD-SQLite-1.13-2.noarch.rpm.
Missing file /usr/src/redhat/RPMS/noarch/perl-Getopt-Long-2.36-2.noarch.rpm.
Missing file /usr/src/redhat/RPMS/noarch/perl-Time-HiRes-1.9707-2.noarch.rpm.
Missing file /usr/src/redhat/RPMS/noarch/perl-Filesys-Df-0.90-2.noarch.rpm.
Missing file /usr/src/redhat/RPMS/noarch/perl-Math-BigInt-1.86-2.noarch.rpm.
Missing file /usr/src/redhat/RPMS/noarch/perl-Math-BigRat-0.19-2.noarch.rpm.
Missing file /usr/src/redhat/RPMS/noarch/perl-bignum-0.21-2.noarch.rpm.
Missing file /usr/src/redhat/RPMS/noarch/perl-Net-IP-1.25-2.noarch.rpm.
Missing file /usr/src/redhat/RPMS/noarch/perl-Sys-Hostname-Long-1.4-2.noarch.rpm.
Missing file /usr/src/redhat/RPMS/noarch/perl-Sys-Syslog-0.18-2.noarch.rpm.
Missing file /usr/src/redhat/RPMS/noarch/perl-Digest-MD5-2.36-2.noarch.rpm.
Missing file /usr/src/redhat/RPMS/noarch/perl-Digest-SHA1-2.11-2.noarch.rpm.
Missing file /usr/src/redhat/RPMS/noarch/perl-OLE-Storage_Lite-0.16-2.noarch.rpm.

Each one of these messages was preceded by a "error: Bad exit status from
/var/tmp/rpm-tmp.39250 (%install)" kind of message and followed by a "Maybe
it did not build correctly?" message.
Finally, I got some failed dependencies too:

Installing tnef decoder

error: Failed dependencies:
        libc.so.6(GLIBC_2.3.4) is needed by tnef-1.4.5-1
        libc.so.6(GLIBC_2.4) is needed by tnef-1.4.5-1
        rtld(GNU_HASH) is needed by tnef-1.4.5-1

Now to install MailScanner itself.

NOTE: If you get lots of errors here, run the install.sh script
NOTE: again with the command "./install.sh nodeps"

error: Failed dependencies:
        perl-MIME-tools >= 5.412 is needed by mailscanner-4.74.16-1
        tnef >= 1.1.1 is needed by mailscanner-4.74.16-1

I would like to know if I need to manually install all the missing RPMs or
if there is some kind of automated process.

Thanks,
Simone.

From list-mailscanner at linguaphone.com Mon Jan 19 12:01:56 2009
From: list-mailscanner at linguaphone.com (Gareth)
Date: Mon Jan 19 12:02:19 2009
Subject: Spamassassin timeouts - Just an observation
In-Reply-To:
References: <49510578.6050801@cnpapers.com>
 <1232278323.4973133335ecf@perdition.cnpapers.net>
 <72cf361e0901190126l4362cbaej25db9e938b26566f@mail.gmail.com>
Message-ID: <1232366516.7369.17.camel@gblades-suse.linguaphone-intranet.co.uk>

On Mon, 2009-01-19 at 11:31, Kai Schaetzl wrote:
> Martin Hepworth wrote on Mon, 19 Jan 2009 09:26:33 +0000:
>
> > I'd drop the SARE rules back in, one at a time and see if any trigger
> > the timeouts.
>
> By dropping them he freed some memory on a memory-scarce machine. That was
> likely the problem, not processing of certain rules.
> Apart from that I find that there is only a handful of SARE rules that hit
> nowadays and even these hit only a few messages. I dropped all of them
> (except for the uribl tld additions) with no ill effects recently.
> Do you still see them hitting a lot? If so, which are the two or three of
> your most hitting SARE ruleset files? Maybe these were just never part of
> my list.

I checked our system as we use virtually all of the sare rules.
These are the top 2 useful rules (some match as much spam as ham so I
have ignored them).

SARE_HTML_USL_OBFU    422    11    2.6    411    97.4
SARE_BOUNDARY_LC      408     2    0.5    406    99.5

So the top rule catches 411 out of 24000 spams (last 3 months) which is
1.7%. Given that's the two best rules it's showing that SARE has become
very little benefit for us.

We had a problem with the number of spamassassin timeouts increasing but
it appeared to be a gradual memory leak as the box hadn't been rebooted
for 2 years. After a reboot timeouts went down to 3 the first (partial)
day.

From maillists at conactive.com Mon Jan 19 13:31:19 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Mon Jan 19 13:31:32 2009
Subject: Spamassassin timeouts - Just an observation
In-Reply-To: <1232366516.7369.17.camel@gblades-suse.linguaphone-intranet.co.uk>
References: <49510578.6050801@cnpapers.com>
 <1232278323.4973133335ecf@perdition.cnpapers.net>
 <72cf361e0901190126l4362cbaej25db9e938b26566f@mail.gmail.com>
 <1232366516.7369.17.camel@gblades-suse.linguaphone-intranet.co.uk>
Message-ID:

Gareth wrote on Mon, 19 Jan 2009 12:01:56 +0000:

> I checked our system as we use virtually all of the sare rules.
> These are the top 2 useful rules (some match as much spam as ham so I
> have ignored them).
>
> SARE_HTML_USL_OBFU    422    11    2.6    411    97.4
> SARE_BOUNDARY_LC      408     2    0.5    406    99.5
>
> So the top rule catches 411 out of 24000 spams (last 3 months) which is
> 1.7%. Given that's the two best rules it's showing that SARE has become
> very little benefit for us.

Interesting if compared to my hits, see below.

First a word of caution. Although I'm with you that the SARE rules don't
provide too much benefit nowadays one needs to be cautious to just go by
the "top" hitters. Using that same "algorithm" one would probably have to
throw out 90% of the stock/updated SA rules as well ;-) The strength of SA
lies also in the fact that it has so many rules for so many diverse spam
schemes. It's obvious that most of these rules won't ever exceed 1% of
hits or so, but they still add value.
But I think that many of the SARE rules are either obsolete or have been
incorporated in the main SA rules in some way, so that their value in
addition to the main rules is much lower than it used to be.
The most effective way of using SARE today would probably be to have an
excerpt of, say, 50 of the top rules in one file/channel.

Now, to what I called "interesting" first.

SARE_HTML_USL_OBFU hit exactly 10 of some 15.000 spam messages on the
machine I checked
SARE_BOUNDARY_LC didn't hit any, either I didn't have it in my rules or it
really didn't hit any.

Seems I have completely different spam than you get, which is not so much
a surprise ;-)

The ones (of the top 100 rules) that hit for me are:

SARE_HEAD_8BIT_SPAM       hit nearly 10% of spam
SARE_HTML_A_BODY          hit about 3% of spam
SARE_HTML_IMG_ONLY
SARE_GIF_ATTACH           good portion of FPs
SARE_MSGID_LONG40         all FPs it seems
SARE_ADULT2
SARE_SPEC_ROLEX
SARE_RAND_2J
SARE_SPEC_REPLICA_OBFU
SARE_HEAD_HDR_XSPAMTST

These ten are among the top 100 hitting rules. Means 10% of the rules that
hit in the top 100 are SARE, or, 90% are not ;-)

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maxsec at gmail.com Mon Jan 19 13:57:44 2009
From: maxsec at gmail.com (Martin Hepworth)
Date: Mon Jan 19 13:58:01 2009
Subject: Missing files during new installation
In-Reply-To: <497466E3.8050407@mix-it.net>
References: <497466E3.8050407@mix-it.net>
Message-ID: <72cf361e0901190557t24d98893u743c274ae68062c1@mail.gmail.com>

Simone

MailScanner normally does all this from the rpm installer. BUT you are
running a really old version of RH there could be problems.

I'd suggest upgrading the O/S to the latest RH and trying again.

--
martin

--
Martin Hepworth
Oxford, UK

From maxsec at gmail.com Mon Jan 19 14:00:18 2009
From: maxsec at gmail.com (Martin Hepworth) Date: Mon Jan 19 14:01:28 2009 Subject: Spamassassin timeouts - Just an observation In-Reply-To: References: <49510578.6050801@cnpapers.com> <1232278323.4973133335ecf@perdition.cnpapers.net> <72cf361e0901190126l4362cbaej25db9e938b26566f@mail.gmail.com> <1232366516.7369.17.camel@gblades-suse.linguaphone-intranet.co.uk> Message-ID: <72cf361e0901190600y47c7d458kba9ccb6073a57885@mail.gmail.com> I'd also check the old SARE rules (like the blacklist one) aren't being used anymore. These were replaced by the URI RBLs as they were huge. -- martin 2009/1/19 Kai Schaetzl : > Gareth wrote on Mon, 19 Jan 2009 12:01:56 +0000: > >> I checked our system as we use virtually all of the sare rules. >> These are the top 2 usefull rules (some match as much spam as ham so I >> have ignored them). >> >> SARE_HTML_USL_OBFU 422 11 2.6 411 97.4 >> SARE_BOUNDARY_LC 408 2 0.5 406 99.5 >> >> So the top rule catches 411 out of 24000 spams (last 3 months) which is >> 1.7%. Given thats the two best rules its showing that SARE has become >> very little benefit for us. > > Interesting if compared to my hits, see below. > > First a word of caution. Although I'm with you that the SARE rules don't > provide too much benefit nowadays one needs to be cautious to just go by > the "top" hitters. Using that same "algorithm" one would probably have to > throw out 90% of the stock/updated SA rules as well ;-) The strength of SA > lies also in the fact that it has so many rules for so many diverse spam > schemes. It's obvious that most of these rules won't ever exceed 1% of > hits or so, but they still add value. > But I think that many of the SARE rules are either obsolete or have been > incorporated in the main SA rules in some way, so that their value in > addition to the main rules is much lower than it used to be. > The most effective way of using SARE today would probably be to have an > excerpt of, say, 50 of the top rules in one file/channel. 
> > Now, to what I called "interesting" first. > > SARE_HTML_USL_OBFU hit exactly 10 of some 15.000 spam messages on the > machine I checked > SARE_BOUNDARY_LC didn't hit any, either I didn't have it in my rules or it > really didn't hit any. > > Seems I have completely different spam than you get, which is not so much > a surprise ;-) > > The ones (of the top 100 rules) that hit for me are: > SARE_HEAD_8BIT_SPAM hit nearly 10% of spam > SARE_HTML_A_BODY hit about 3% of spam > SARE_HTML_IMG_ONLY > SARE_GIF_ATTACH good portion of FPs > SARE_MSGID_LONG40 all FPs it seems > SARE_ADULT2 > SARE_SPEC_ROLEX > SARE_RAND_2J > SARE_SPEC_REPLICA_OBFU > SARE_HEAD_HDR_XSPAMTST > > These ten are among the top 100 hitting rules. Means 10% of the rules that > hit in the top 100 are SARE, or, 90% are not ;-) > > Kai > > -- > Kai Sch?tzl, Berlin, Germany > Get your web at Conactive Internet Services: http://www.conactive.com > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- Martin Hepworth Oxford, UK From maillists at conactive.com Mon Jan 19 14:31:23 2009 
From: maillists at conactive.com (Kai Schaetzl) Date: Mon Jan 19 14:31:39 2009 Subject: Missing files during new installation In-Reply-To: <497466E3.8050407@mix-it.net> References: <497466E3.8050407@mix-it.net> Message-ID: Simone Morandini wrote on Mon, 19 Jan 2009 12:41:23 +0100: > Each one of this message was preceded by a "error: Bad exit status from > /var/tmp/rpm-tmp.39250 (%install)" kind of message and followed by a > "Maybe it did not build correctly?" message. That indeed seems to be the case. The many errors above mean that the install script wanted to install the rpms that it just built, but they weren't there (at a different location or not built). Try to build just one of the src.rpm manually and see what the outcome is. > Finally, I got some failed dependencies too: > > Installing tnef decoder > > error: Failed dependencies: > libc.so.6(GLIBC_2.3.4) is needed by tnef-1.4.5-1 > libc.so.6(GLIBC_2.4) is needed by tnef-1.4.5-1 > rtld(GNU_HASH) is needed by tnef-1.4.5-1 Yeah, and you won't be able to get glibc updated on this OS. You either have to use an older version of tnef or build it from source yourself. > error: Failed dependencies: > perl-MIME-tools >= 5.412 is needed by mailscanner-4.74.16-1 what version is currently installed. > > I would like to know if I need to manually install all the missing RPMs > or if there is some kind of automated process. You use a very old OS version that I haven't ever used. So just some general comment from the experience I have had with RHEL/CentOS 4 and 5. I would upgrade all missing Perl modules from what is available at RH and then add the missing ones from a third-party repo, for instance rpmforge. Maybe there are others specialized in RH 3. Once you have installed all the missing Perl modules this way (you should be able to get them all this way) you just "rpm -ivh mailscanner*.rpm" that is inside the tarball and don't use the install.sh. 
Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From campbell at cnpapers.com Mon Jan 19 14:59:05 2009
From: campbell at cnpapers.com (Steve Campbell) Date: Mon Jan 19 14:59:19 2009 Subject: Spamassassin timeouts - Just an observation In-Reply-To: <72cf361e0901190126l4362cbaej25db9e938b26566f@mail.gmail.com> References: <49510578.6050801@cnpapers.com> <1232278323.4973133335ecf@perdition.cnpapers.net> <72cf361e0901190126l4362cbaej25db9e938b26566f@mail.gmail.com> Message-ID: <49749539.2080202@cnpapers.com> Martin Hepworth wrote: > I'd drop the SARE rules back in, one at a time and see if any trigger > the timeouts. Do you run sa-compile as this can help a great deal > pre-compiling the perl RE into C. > > -- > martin > > 2009/1/18 Steve Campbell : > >> Quoting "Koopmann, Jan-Peter" : >> >> >>> Hi, >>> >>> >>>> The topic seems to come up quite often, and although the answers are >>>> usually pretty much the same, I never really see much of a "Solved" >>>> >>> reply. >>> >>> are you using BotNet.pm by any chance. There was a bug in one of the >>> older versions causing sporadic SpamAssassin timouts.. I looked for ages >>> and on my systems the old BotNet.pm triggered it. Updated (without >>> changing anything else) and never seen the error again. Just an indea. >>> >>> Regards, >>> JP >>> >>> >>> -- >>> >> Jan-Peter, >> >> So far, it appears the extra rules from SARE was the biggest contributor. I have >> removed all of the sets from my sa-update and the problems almost disappeared. I >> do not run BotNet.pm. >> >> The most common problem with these timeouts always seemed to be DNS and RBLs, >> but I wasn't seeing any problems there. I kept looking there though. I was also >> being fooled by high, but not critical load averages. I have duplicate servers >> that were not timing out with similar load averages, rules, and daily email >> counts. The non-problem machine was getting it's email spread out over the >> course of a day, whereas the problem machine was receiving large batches at >> different times of the day. 
>> >> Once I started reviewing the mailscanner-mrtg plots, I saw this. Another thing >> that threw me off was the fact that no matter how many emails arrived at one >> time, the LA would spike to 3.5 or higher on either machine. The high message >> per batch count would cause the LA to gradually creep higher, but the smaller >> batches would give constant LAs. The low amount of RAM for both machines explain >> that. >> >> I had been fooled by MS doing such a good job for years, and just wasn't >> thinking very clearly about what could have caused this. Two upgrades ago, I >> started using the new sa-update feature and added the rules using that. It >> didn't show immediate changes to the way the machines acted over a week or so, >> so I never thought it was a problem. The load averages are still fluctuating, >> but batch times are considerably lower, which allows faster throughput, and less >> timeouts on the machines. I hope the RAM I have ordered will fix the rest of it. >> >> I'm sorry to have caused such a stir with all of this, as this thread has went >> on way to long. I've sharpened my MS diagnostic skills, though, and hope it >> might have helped others - the information everyone has provided has been very good. >> >> Thanks to all again, >> >> steve >> >> > Martin, I plan on adding the rules back as you suggest, but I will do so after I install the RAM that's on it's way. I'm still getting significant timeouts on the problem server, but not like before. I want to see if the RAM will stop them first, as this machine gets batches of emails from mail lists for our reporters, and I can't do anything about that. Thanks steve From maillists at conactive.com Mon Jan 19 15:24:52 2009 
From: maillists at conactive.com (Kai Schaetzl)
Date: Mon Jan 19 15:25:05 2009
Subject: Spamassassin timeouts - Just an observation
In-Reply-To: <72cf361e0901190600y47c7d458kba9ccb6073a57885@mail.gmail.com>
References: <49510578.6050801@cnpapers.com> <1232278323.4973133335ecf@perdition.cnpapers.net> <72cf361e0901190126l4362cbaej25db9e938b26566f@mail.gmail.com> <1232366516.7369.17.camel@gblades-suse.linguaphone-intranet.co.uk> <72cf361e0901190600y47c7d458kba9ccb6073a57885@mail.gmail.com>
Message-ID:

Martin Hepworth wrote on Mon, 19 Jan 2009 14:00:18 +0000:

> I'd also check the old SARE rules (like the blacklist one) aren't
> being used anymore. These were replaced by the URI RBLs as they were
> huge.

wasn't that already 5 years ago, or so ;-)

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From simone.morandini at mix-it.net Mon Jan 19 16:22:18 2009
From: simone.morandini at mix-it.net (Simone Morandini)
Date: Mon Jan 19 16:22:46 2009
Subject: SpamAssassin temporary directory
Message-ID: <4974A8BA.1080708@mix-it.net>

Hi all,

when I restart MailScanner, I always see this message on the maillog:

"Jan 19 06:31:30 eolo MailScanner[22125]: SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp"

Is this something I should be worried about? It seems to have no influence in detecting spam, anyway...

Thanks,
Simone.

-- 
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From maxsec at gmail.com Mon Jan 19 16:33:23 2009
From: maxsec at gmail.com (Martin Hepworth) Date: Mon Jan 19 16:36:56 2009 Subject: Spamassassin timeouts - Just an observation In-Reply-To: References: <49510578.6050801@cnpapers.com> <1232278323.4973133335ecf@perdition.cnpapers.net> <72cf361e0901190126l4362cbaej25db9e938b26566f@mail.gmail.com> <1232366516.7369.17.camel@gblades-suse.linguaphone-intranet.co.uk> <72cf361e0901190600y47c7d458kba9ccb6073a57885@mail.gmail.com> Message-ID: <72cf361e0901190833n6eec9fd0y92ced8dd6f4f67ec@mail.gmail.com> 2009/1/19 Kai Schaetzl : > Martin Hepworth wrote on Mon, 19 Jan 2009 14:00:18 +0000: > >> I'd also check the old SARE rules (like the blacklist one) aren't >> being used anymore. These were replaced by the URI RBLs as they were >> huge. > > wasn't that already 5 years ago, or so ;-) > > Kai > > -- > Kai Sch?tzl, Berlin, Germany > Get your web at Conactive Internet Services: http://www.conactive.com > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > Yup but alot people never deleted them so it's always good to check ! -- Martin Hepworth Oxford, UK From J.Ede at birchenallhowden.co.uk Mon Jan 19 19:11:16 2009 From: J.Ede at birchenallhowden.co.uk (Jason Ede) Date: Mon Jan 19 19:11:52 2009 Subject: Spamassassin timeouts - Just an observation In-Reply-To: <49749539.2080202@cnpapers.com> References: <49510578.6050801@cnpapers.com> <1232278323.4973133335ecf@perdition.cnpapers.net> <72cf361e0901190126l4362cbaej25db9e938b26566f@mail.gmail.com> <49749539.2080202@cnpapers.com> Message-ID: <1213490F1F316842A544A850422BFA96118E8E16@BHLSBS.bhl.local> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Steve Campbell > Sent: 19 January 2009 14:59 > To: MailScanner discussion > Subject: Re: Spamassassin timeouts - Just an observation > > > > Martin Hepworth wrote: > > I'd drop the SARE rules back in, one at a time and see if any trigger > > the timeouts. Do you run sa-compile as this can help a great deal > > pre-compiling the perl RE into C. > > > > -- > > martin > > > > 2009/1/18 Steve Campbell : > > > >> Quoting "Koopmann, Jan-Peter" : > >> > >> > >>> Hi, > >>> > >>> > >>>> The topic seems to come up quite often, and although the answers > are > >>>> usually pretty much the same, I never really see much of a > "Solved" > >>>> > >>> reply. > >>> > >>> are you using BotNet.pm by any chance. There was a bug in one of > the > >>> older versions causing sporadic SpamAssassin timouts.. I looked for > ages > >>> and on my systems the old BotNet.pm triggered it. Updated (without > >>> changing anything else) and never seen the error again. Just an > indea. > >>> > >>> Regards, > >>> JP > >>> > >>> > >>> -- > >>> > >> Jan-Peter, > >> > >> So far, it appears the extra rules from SARE was the biggest > contributor. I have > >> removed all of the sets from my sa-update and the problems almost > disappeared. I > >> do not run BotNet.pm. > >> > >> The most common problem with these timeouts always seemed to be DNS > and RBLs, > >> but I wasn't seeing any problems there. I kept looking there though. > I was also > >> being fooled by high, but not critical load averages. I have > duplicate servers > >> that were not timing out with similar load averages, rules, and > daily email > >> counts. The non-problem machine was getting it's email spread out > over the > >> course of a day, whereas the problem machine was receiving large > batches at > >> different times of the day. > >> > >> Once I started reviewing the mailscanner-mrtg plots, I saw this. 
> Another thing > >> that threw me off was the fact that no matter how many emails > arrived at one > >> time, the LA would spike to 3.5 or higher on either machine. The > high message > >> per batch count would cause the LA to gradually creep higher, but > the smaller > >> batches would give constant LAs. The low amount of RAM for both > machines explain > >> that. > >> > >> I had been fooled by MS doing such a good job for years, and just > wasn't > >> thinking very clearly about what could have caused this. Two > upgrades ago, I > >> started using the new sa-update feature and added the rules using > that. It > >> didn't show immediate changes to the way the machines acted over a > week or so, > >> so I never thought it was a problem. The load averages are still > fluctuating, > >> but batch times are considerably lower, which allows faster > throughput, and less > >> timeouts on the machines. I hope the RAM I have ordered will fix the > rest of it. > >> > >> I'm sorry to have caused such a stir with all of this, as this > thread has went > >> on way to long. I've sharpened my MS diagnostic skills, though, and > hope it > >> might have helped others - the information everyone has provided has > been very good. > >> > >> Thanks to all again, > >> > >> steve > >> > >> > > > Martin, > > I plan on adding the rules back as you suggest, but I will do so after > I > install the RAM that's on it's way. I'm still getting significant > timeouts on the problem server, but not like before. I want to see if > the RAM will stop them first, as this machine gets batches of emails > from mail lists for our reporters, and I can't do anything about that. > > Thanks > > steve Its a shame there isn't an updated equivalent of the SARE rulesets or at the very least an amalgamation of the useful rules that are still left. Jason From ssilva at sgvwater.com Mon Jan 19 21:54:42 2009 
From: ssilva at sgvwater.com (Scott Silva) Date: Mon Jan 19 21:55:08 2009 Subject: Missing files during new installation In-Reply-To: <497466E3.8050407@mix-it.net> References: <497466E3.8050407@mix-it.net> Message-ID: on 1-19-2009 3:41 AM Simone Morandini spake the following: > Hi all, > > I tried installing MailScanner on a RedHat ES 3 server that wasn't > running it. > During the install.sh script, I got many error messages about missing > files. In detail, this is the list: If the cost of upgrading is keeping you on such an ancient OS, maybe you should have a look at CentOS (www.centos.org), a free replacement and work-alike of the RedHat offerings. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 258 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090119/cce37ce8/signature.bin From ms-list at alexb.ch Mon Jan 19 22:06:25 2009 From: ms-list at alexb.ch (Alex Broens) Date: Mon Jan 19 22:06:33 2009 Subject: Spamassassin timeouts - Just an observation In-Reply-To: <1213490F1F316842A544A850422BFA96118E8E16@BHLSBS.bhl.local> References: <49510578.6050801@cnpapers.com> <1232278323.4973133335ecf@perdition.cnpapers.net> <72cf361e0901190126l4362cbaej25db9e938b26566f@mail.gmail.com> <49749539.2080202@cnpapers.com> <1213490F1F316842A544A850422BFA96118E8E16@BHLSBS.bhl.local> Message-ID: <4974F961.1030101@alexb.ch> On 1/19/2009 8:11 PM, Jason Ede wrote: > Its a shame there isn't an updated equivalent of the SARE rulesets or > at the very least an amalgamation of the useful rules that are still > left. You or anybody else, is welcome to compile such a ruleset and submit to SARE. I'd personally see that they get published. Alex -- // Retired SARE Ninja // From craigwhite at azapple.com Mon Jan 19 22:10:07 2009 
From: craigwhite at azapple.com (Craig White) Date: Mon Jan 19 22:10:53 2009 Subject: Missing files during new installation In-Reply-To: References: <497466E3.8050407@mix-it.net> Message-ID: <1232403007.17461.4.camel@lin-workstation.azapple.com> On Mon, 2009-01-19 at 13:54 -0800, Scott Silva wrote: > on 1-19-2009 3:41 AM Simone Morandini spake the following: > > Hi all, > > > > I tried installing MailScanner on a RedHat ES 3 server that wasn't > > running it. > > During the install.sh script, I got many error messages about missing > > files. In detail, this is the list: > If the cost of upgrading is keeping you on such an ancient OS, maybe you > should have a look at CentOS (www.centos.org), a free replacement and > work-alike of the RedHat offerings. ---- just thought that this needed correcting. Red Hat sells entitlements and not software. A machine that is entitled to RHEL ES 3 is also entitled to RLEL ES 4 and RHEL ES 5 without additional charge. There is no upgrade charges ever. It's the machine that is entitled. Craig From J.Ede at birchenallhowden.co.uk Tue Jan 20 08:49:34 2009 From: J.Ede at birchenallhowden.co.uk (Jason Ede) Date: Tue Jan 20 08:49:53 2009 Subject: Spamassassin timeouts - Just an observation In-Reply-To: <4974F961.1030101@alexb.ch> References: <49510578.6050801@cnpapers.com> <1232278323.4973133335ecf@perdition.cnpapers.net> <72cf361e0901190126l4362cbaej25db9e938b26566f@mail.gmail.com> <49749539.2080202@cnpapers.com> <1213490F1F316842A544A850422BFA96118E8E16@BHLSBS.bhl.local> <4974F961.1030101@alexb.ch> Message-ID: <1213490F1F316842A544A850422BFA96118E8E1B@BHLSBS.bhl.local> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Alex Broens > Sent: 19 January 2009 22:06 > To: MailScanner discussion > Subject: Re: Spamassassin timeouts - Just an observation > > On 1/19/2009 8:11 PM, Jason Ede wrote: > > Its a shame there isn't an updated equivalent of the SARE rulesets > or > > at the very least an amalgamation of the useful rules that are still > > left. > > You or anybody else, is welcome to compile such a ruleset and submit to > SARE. > I'd personally see that they get published. > > Alex I'll take a trawl through which rules I'm seeing hits from and see if can compile a list then... Jason From MailScanner at ecs.soton.ac.uk Tue Jan 20 09:00:48 2009 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Jan 20 09:01:12 2009 Subject: SpamAssassin temporary directory In-Reply-To: <4974A8BA.1080708@mix-it.net> References: <4974A8BA.1080708@mix-it.net> Message-ID: <497592C0.9080806@ecs.soton.ac.uk> On 19/1/09 16:22, Simone Morandini wrote: > Hi all, > > when I restart MailScanner, I always see this message on the maillog: > > "Jan 19 06:31:30 eolo MailScanner[22125]: SpamAssassin temporary > working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp" > > Is this something I should be worried about? No, it's just a notice. > It seems to have no influence in detecting spam, anyway... > > Thanks, > Simone. > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From kkobb at skylinecorp.com Tue Jan 20 13:09:14 2009 
From: kkobb at skylinecorp.com (Kevin Kobb) Date: Tue Jan 20 13:09:27 2009 Subject: bug on FreeBSD with Perl 5.8.9 In-Reply-To: <6beca9db0901151802u1d4c6960g6cc084cb4781ce98@mail.gmail.com> References: <6beca9db0901151802u1d4c6960g6cc084cb4781ce98@mail.gmail.com> Message-ID: Mikael Syska wrote: > Hi, > > I just upgraded from perl 5.8.8 to 5.8.9 .... and got this: > "Insecure dependency in chown while running with -T switch at > /usr/local/lib/MailScanner/MailScanner/Message.pm line 2207" > > Well ... that can be turned off by adding -U to the MailScanner file > in /usr/local/sbin/MailScanner. > But then I just got alot of other errors: > Can't locate object method "1878035063" via package "vars" at > /usr/local/lib/perl5/site_perl/5.8.9/MIME/Decoder/QuotedPrint.pm line > 52. > BEGIN failed--compilation aborted at > /usr/local/lib/perl5/site_perl/5.8.9/MIME/Decoder/QuotedPrint.pm line > 52. > Compilation failed in require at (eval 100) line 1. > at /usr/local/lib/perl5/site_perl/5.8.9/MIME/Parser.pm line 821 > Can't locate object method "1878035063" via package "MIME::Decoder" at > /usr/local/lib/perl5/site_perl/5.8.9/MIME/Decoder/Binary.pm line 42. > BEGIN failed--compilation aborted at > /usr/local/lib/perl5/site_perl/5.8.9/MIME/Decoder/Binary.pm line 42. > Compilation failed in require at (eval 101) line 1. > at /usr/local/lib/perl5/site_perl/5.8.9/MIME/Parser.pm line 827 > Can't locate object method "1878035063" via package "strict" at > /usr/local/lib/perl5/5.8.9/Text/ParseWords.pm line 3. > BEGIN failed--compilation aborted at > /usr/local/lib/perl5/5.8.9/Text/ParseWords.pm line 3. > Compilation failed in require at > /usr/local/lib/perl5/5.8.9/mach/File/Glob.pm line 152. > > > > But ... if this is fixed in the current release I can't say ... the > freebsd ports tree contains: MailScanner-4.67.6_3 which is from 15 Sep > 2008 20:56:38, so a little old. about a half a year. > > So ... my only option I could find ... 
as my mail system was down was > to turn back to perl 5.8.8. > > Anyone else got this problem ? On other systems ? > > What does other freebsd sysadmins do to stay current and not have a > messed system where something is from other sources to be able to have > a up-to-date system ? > If there are any one out there also using freebsd ... and using Julian > package from http://mailscanner.info I will be more than happy to hear > from them. > > well, its late here ... got darn freebsd update late .... reminder: DONT DO IT. > > well .. its running now, only 22k messages to process :-p > > best regards > Mikael Syska I did an upgrade on a test system to 5.8.9 and see no errors like you are getting. I am running 7.1-RELEASE-p2 on amd64, with everything installed from ports. The only errors I have noticed are clamav related as the port installs clamav-0.94.2, and the MailScanner version in ports isn't new enough for that. I will probably just wait for the port update and test that before I put this in production. From glenn.steen at gmail.com Tue Jan 20 15:33:41 2009 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Jan 20 15:33:51 2009 Subject: Preventing backscatter with sendmail In-Reply-To: <497206a8.2215300a.66e8.706d@mx.google.com> References: <200901171201.n0HC0YsL012772@safir.blacknight.ie> <497206a8.2215300a.66e8.706d@mx.google.com> Message-ID: <223f97700901200733s5a4ff2b5u2af6bcea69b721a6@mail.gmail.com> 2009/1/17 Paul Welsh : >> Date: Sat, 17 Jan 2009 10:40:21 +0100 
>> From: shuttlebox >> Subject: Re: Preventing backscatter with sendmail >> >> On Sat, Jan 17, 2009 at 1:56 AM, Paul Welsh >> wrote: >> > I've been googling and from what I can see I have the >> following options: >> > >> > milter-ahead - www.milter.info/sendmail/milter-ahead/ >> > Mailfromd >> > scam-backscatter - www.elandsys.com/scam/scam-backscatter/ >> > access.db >> > ldap lookups >> >> This one is also popular: >> >> http://smfs.sourceforge.net/smf-sav.html >> > Hi Peter, thanks for that. > > I realise too that mailfromd doesn't really do what I want. It does sender > verification but only local recipient verification by the looks of things. > I'm not bothered about sender verification, only recipient. Ok. You noticed that smf-sav does do recipient verification? And that you don't need do sender verification with it to have the recipient verification? > Sorry, sent the wrong subject out last time. Here's the right one to aid > anyone searching threads in future. > -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From mikael at syska.dk Tue Jan 20 16:53:37 2009 
From: mikael at syska.dk (Mikael Syska) Date: Tue Jan 20 16:53:48 2009 Subject: bug on FreeBSD with Perl 5.8.9 In-Reply-To: References: <6beca9db0901151802u1d4c6960g6cc084cb4781ce98@mail.gmail.com> Message-ID: <6beca9db0901200853l6a0e678id030480e393e42ea@mail.gmail.com> Hi, Thanks for testing this too. On Tue, Jan 20, 2009 at 2:09 PM, Kevin Kobb wrote: > Mikael Syska wrote: >> >> Hi, >> >> I just upgraded from perl 5.8.8 to 5.8.9 .... and got this: >> "Insecure dependency in chown while running with -T switch at >> /usr/local/lib/MailScanner/MailScanner/Message.pm line 2207" >> >> Well ... that can be turned off by adding -U to the MailScanner file >> in /usr/local/sbin/MailScanner. >> But then I just got alot of other errors: >> Can't locate object method "1878035063" via package "vars" at >> /usr/local/lib/perl5/site_perl/5.8.9/MIME/Decoder/QuotedPrint.pm line >> 52. >> BEGIN failed--compilation aborted at >> /usr/local/lib/perl5/site_perl/5.8.9/MIME/Decoder/QuotedPrint.pm line >> 52. >> Compilation failed in require at (eval 100) line 1. >> at /usr/local/lib/perl5/site_perl/5.8.9/MIME/Parser.pm line 821 >> Can't locate object method "1878035063" via package "MIME::Decoder" at >> /usr/local/lib/perl5/site_perl/5.8.9/MIME/Decoder/Binary.pm line 42. >> BEGIN failed--compilation aborted at >> /usr/local/lib/perl5/site_perl/5.8.9/MIME/Decoder/Binary.pm line 42. >> Compilation failed in require at (eval 101) line 1. >> at /usr/local/lib/perl5/site_perl/5.8.9/MIME/Parser.pm line 827 >> Can't locate object method "1878035063" via package "strict" at >> /usr/local/lib/perl5/5.8.9/Text/ParseWords.pm line 3. >> BEGIN failed--compilation aborted at >> /usr/local/lib/perl5/5.8.9/Text/ParseWords.pm line 3. >> Compilation failed in require at >> /usr/local/lib/perl5/5.8.9/mach/File/Glob.pm line 152. >> >> >> >> But ... if this is fixed in the current release I can't say ... 
the >> freebsd ports tree contains: MailScanner-4.67.6_3 which is from 15 Sep >> 2008 20:56:38, so a little old. about a half a year. >> >> So ... my only option I could find ... as my mail system was down was >> to turn back to perl 5.8.8. >> >> Anyone else got this problem ? On other systems ? >> >> What does other freebsd sysadmins do to stay current and not have a >> messed system where something is from other sources to be able to have >> a up-to-date system ? >> If there are any one out there also using freebsd ... and using Julian >> package from http://mailscanner.info I will be more than happy to hear >> from them. >> >> well, its late here ... got darn freebsd update late .... reminder: DONT >> DO IT. >> >> well .. its running now, only 22k messages to process :-p >> >> best regards >> Mikael Syska > > I did an upgrade on a test system to 5.8.9 and see no errors like you are > getting. I am running 7.1-RELEASE-p2 on amd64, with everything installed > from ports. I'm running a FreeBSD 7.0-RELEASE-p6 I think ... but its our plan to upgrade it to 7.1 in the near future ... just need to make sure we are doing it the right way ... so the system aint going down. But as far as I can see ... freebsd-update seems pretty easy ... update, install, reboot, install, update again if I remember correctly. > The only errors I have noticed are clamav related as the port installs > clamav-0.94.2, and the MailScanner version in ports isn't new enough for > that. I will probably just wait for the port update and test that before I > put this in production. Also using every thing from ports ... I think Peter wrote that there was some problems with the new install of 4.7x ... that needed to be fixed before it could be commited to the ports tree. Looking forward to that. best regards Mikael Syska From dw at llker.co.uk Wed Jan 21 13:40:20 2009 
From: dw at llker.co.uk (dw@lker.co.uk) Date: Wed Jan 21 13:41:00 2009 Subject: Spam Problem Message-ID: Hi Can anyone tell me how I can adjust mailscanner settings to help cure our current SPAM problem? We are being plagued with emails that are sent with the address of our users, but not from our mailserver. Basically an email is sent to the user fred@domain from fred@domain. All 8 users seem to have the same problem, so we are assuming that someone has had a virus at some point. The return address is the same as the recipient, but the email server in the header file is NOT our mailserver. These are not just bounced emails, they are from and to the same person. Unfortunately we are receiving 100's each per day. There will NEVER be a case where an email would be sent by one of our users (ie with our domain email addresses) unless the email originated from our mailserver. Can I set mailscanner to some how delete an email if it has one of our sender addresses but does not ORIGINATE from our server. I have tried the watermark feature thinking that would help but I think I'm mistaken. Thanks Darren -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090121/714a56ea/attachment.html From raymond at prolocation.net Wed Jan 21 13:44:21 2009 From: raymond at prolocation.net (Raymond Dijkxhoorn) Date: Wed Jan 21 13:44:29 2009 Subject: Spam Problem In-Reply-To: References: Message-ID: Hi! > We are being plagued with emails that are sent with the address of our > users, but not from our mailserver. > > Basically an email is sent to the user fred@domain from fred@domain. Implement SPF! Bye, Raymond. From prandal at herefordshire.gov.uk Wed Jan 21 13:58:11 2009 
From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Wed Jan 21 13:59:02 2009 Subject: Spam Problem In-Reply-To: References: Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA05B65D26@HC-MBX02.herefordshire.gov.uk>

These rules were posted by Tom Brown to the SARE Users mailing list recently (and to the spamassassin users list by Michael Hutchinson):

Subject: [Sare-users] forged bounces... these rules might be usefull.

I woke up to a slew of these in my inbox... my thinking in the score of 1 for TOM_TO_EQ_FR is that legit messages of this form should look VERY legit and be unlikely to score high...

header __TOM_TO_EQ_FRa ALL =~ m/^From:\s+??(\s|$)[^\0]*^To:.*\1/m
header __TOM_TO_EQ_FRb ALL =~ m/^To:\s+??(\s|$)[^\0]*^From:.*\1/m
meta TOM_TO_EQ_FR __TOM_TO_EQ_FRa || __TOM_TO_EQ_FRb
score TOM_TO_EQ_FR 1
describe TOM_TO_EQ_FR To and From are the same, could be a cc or a forgery

header __TOM_BOUNCE Subject =~ /(This mail is refused message|\*\*Message you sent blocked by our bulk email filter\*\*|Your message could not be delivered|Non delivery report: 5.9.4 \(Spam SLS\/RBL\)|Please confirm your message|Returned mail: Quota exceeded)/
meta TOM_BAD_BOUNCE __TOM_BOUNCE && TOM_TO_EQ_FR
describe TOM_BAD_BOUNCE looks like a forged bounce (known sub and to==from)
score TOM_BAD_BOUNCE 2.5

Cheers, Phil

--
Phil Randal | Networks Engineer
Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: prandal@herefordshire.gov.uk

From paul.welsh.3 at googlemail.com Wed Jan 21 14:05:05 2009
From: paul.welsh.3 at googlemail.com (Paul Welsh) Date: Wed Jan 21 14:07:20 2009 Subject: Preventing backscatter with sendmail Message-ID: <49df20710901210605w201f96del9a43a4e4caedc15d@mail.gmail.com>

> Date: Tue, 20 Jan 2009 16:33:41 +0100
> From: Glenn Steen
> Subject: Re: Preventing backscatter with sendmail
>
> Ok. You noticed that smf-sav does do recipient verification? And that you don't need do sender verification with it to have the recipient verification?

Hi Glenn

Actually I didn't notice, but I have now got scam-backscatter working.

One gotcha I found. For anyone who uses it in conjunction with milter-greylist then milter-greylist redefines one of the sendmail.mc macros as:

    define(`confMILTER_MACROS_ENVRCPT', `{greylist}')

but you'll need to change it to this for scam-backscatter to work:

    define(`confMILTER_MACROS_ENVRCPT', `{rcpt_mailer}, {rcpt_host}, {rcpt_addr}, {greylist}')

For anyone who's interested here's how you install on Centos 5.2 with sendmail 8.13 which is using the mailertable feature. Apologies that it's so detailed:

Ensure that sendmail-devel is installed:

    yum install sendmail-devel

Download the source files from http://www.elandsys.com/scam/scam-backscatter/ into a temp directory and extract the file:

    tar xzvf scamback-1.4.1.tar.gz

Change to the scamback directory

    cd scamback

Copy Makefile.linux over Makefile:

    cp -f Makefile.linux Makefile

To use sendmail 8.13+ and mailertable, edit Makefile and change the line:

    CCFLAGS += -O2 -D_REENTRANT -DLINUX -D_XOPEN_SOURCE=600 -D_BSD_SOURCE

To:

    CCFLAGS += -O2 -D_REENTRANT -DLINUX -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -DSM813 -DUSEMAILERTABLE

Make the application:

    make

The compiled file is scam-back. Copy this to /usr/local/sbin:

    cp scam-back /usr/local/sbin/

Copy the sample configuration file to /etc/mail:

    cp scam.conf /etc/mail/

Create a var/spool/scam directory:

    mkdir /var/spool/scam

Create a scamback user:

    adduser scamback

Ensure the scamback user has access to the /var/spool/scam directory:

    chown -R scamback:scamback /var/spool/scam

Go to the sendmail directory:

    cd /etc/mail

Edit sendmail.mc and add the following line above the line for greylist:

    INPUT_MAIL_FILTER(`scam-back', `S=unix:/var/spool/scam/scam-back.sock, F=T, T=S:240s;R:240s;E:5m')dnl

Change the following line:

    define(`confMILTER_MACROS_ENVRCPT', `{greylist}')

to:

    define(`confMILTER_MACROS_ENVRCPT', `{rcpt_mailer}, {rcpt_host}, {rcpt_addr}, {greylist}')

Edit scam.conf and comment out the following lines because the mailertable is used instead:

    #BackSMTPServer
    #BackAddrDomain
    #BackAddrDomain

Optionally, uncomment and change the following line so a temporary error is returned if bctmail01 can't be contacted:

    BackErrorTempfail:Yes

Make sendmail.cf:

    make -C /etc/mail

To manually start scam-back as a daemon:

    scam-back -p unix:/var/spool/scam/scam-back.sock -u scamback -D

To manually kill scam-back:

    kill `cat /var/spool/scam/scam-back.pid`

I created a milter-scamback script to automatically start and stop scamback but I'm too embarrassed to post it here!

From john at tradoc.fr Wed Jan 21 14:07:11 2009
From: john at tradoc.fr (John Wilcock) Date: Wed Jan 21 14:07:24 2009 Subject: Spam Problem In-Reply-To: References: Message-ID: <49772C0F.9080902@tradoc.fr>

On 21/01/2009 14:44, Raymond Dijkxhoorn wrote:
>> We are being plagued with emails that are sent with the address of our users, but not from our mailserver.
>>
>> Basically an email is sent to the user fred@domain from fred@domain.
>
> Implement SPF!

And write a meta-rule to bump up the score for mail from your domain that fails SPF:

header __FROM_YOURDOMAIN From =~ /\@your-domain\.com\b/i
meta SPF_FAIL_YOURDOMAIN (SPF_FAIL && __FROM_YOURDOMAIN)
score SPF_FAIL_YOURDOMAIN 2.0

John.

--
-- Over 3000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages - www.tradoc.fr

From paul.welsh.3 at googlemail.com Wed Jan 21 14:13:20 2009
From: paul.welsh.3 at googlemail.com (Paul Welsh) Date: Wed Jan 21 14:13:30 2009 Subject: Sophos v4 problems Message-ID: <49df20710901210613u64f76985q82d333e04baec4cc@mail.gmail.com>

We have a Sophos site licence so I had the choice of downloading Sophos 6 or Sophos 4.37 from their web site. The MailScanner documentation mentions v5 but there's no sign of it on the Sophos site.

Thinking that Sophos 6 had the on-access scanning and central management which I didn't need, I went for the next latest version of 4.37 which was 100 MB smaller.

Unfortunately, version 4.37 installed in /usr/local/Sophos even with the /usr/sbin/Sophos.install script. Even when I changed /etc/MailScanner/virus.scanners.conf my /var/log/maillog showed:

    Sophos-autoupdate[24052]: Could not calculate Sophos version number

I tried re-installing using the Sophos install script and specifying the directory:

    install.sh -d /opt/sophos-av

but still got the same errors.

In the end I downloaded v6 of Sophos and ran /usr/sbin/Sophos.install. It installed in /opt/sophos-av. All is now working fine. Interestingly, maillog now shows:

    Sophos-autoupdate[2789]: Sophos V5 updated

So, if you are considering using Sophos my advice is to put up with the large download and long installation time and go with v6. Don't know if it's a small bug that the autoupdate script thinks v6 is v5 but there you go.

From mrm at medicine.wisc.edu Wed Jan 21 14:17:01 2009
From: mrm at medicine.wisc.edu (Mike Masse) Date: Wed Jan 21 14:17:43 2009 Subject: Spam Problem In-Reply-To: References: Message-ID: <49772E5D.50105@medicine.wisc.edu>

dw@lker.co.uk wrote:
> We are being plagued with emails that are sent with the address of our users, but not from our mailserver.
>
> Basically an email is sent to the user fred@domain from fred@domain.
>

If you can use milters, mailfromd easily allows you to create arbitrary rules such as: reject any email that says it is from *@domain, but is coming from an smtp server not in *@domain.

Mike

From ram at netcore.co.in Wed Jan 21 14:17:29 2009
From: ram at netcore.co.in (ram) Date: Wed Jan 21 14:17:45 2009 Subject: Spam Problem In-Reply-To: References: Message-ID: <1232547449.21336.117.camel@darkstar.netcore.co.in>

On Wed, 2009-01-21 at 13:40 +0000, dw@lker.co.uk wrote:
> Hi
>
> Can anyone tell me how I can adjust mailscanner settings to help cure our current SPAM problem?
>
> We are being plagued with emails that are sent with the address of our users, but not from our mailserver.
>
> Basically an email is sent to the user fred@domain from fred@domain.

This has been discussed numerous times on all antispam lists. These are the options:

1) Reject from your domain at the MX MTA ( Most preferred way )
2) Use SPF for your domain
3) Write a multiline regex in SA ( Careful .. if your server is loaded )

Above all don't whitelist your own domain

From alex at rtpty.com Wed Jan 21 14:30:20 2009
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Wed Jan 21 14:30:34 2009 Subject: Preventing backscatter with sendmail In-Reply-To: <49df20710901210605w201f96del9a43a4e4caedc15d@mail.gmail.com> References: <49df20710901210605w201f96del9a43a4e4caedc15d@mail.gmail.com> Message-ID: <623EBB34-96BA-46F1-8EF5-4B961F562AF8@rtpty.com>

I haven't followed this thread much, but would this work alongside or instead of something like milter-null?

On Jan 21, 2009, at 9:05 AM, Paul Welsh wrote:
> Actually I didn't notice, but I have now got scam-backscatter working.

From steve.freegard at fsl.com Wed Jan 21 15:04:59 2009
From: steve.freegard at fsl.com (Steve Freegard) Date: Wed Jan 21 15:05:14 2009 Subject: Preventing backscatter with sendmail In-Reply-To: <623EBB34-96BA-46F1-8EF5-4B961F562AF8@rtpty.com> References: <49df20710901210605w201f96del9a43a4e4caedc15d@mail.gmail.com> <623EBB34-96BA-46F1-8EF5-4B961F562AF8@rtpty.com> Message-ID: <4977399B.90806@fsl.com>

Alex Neuman van der Hans wrote:
> I haven't followed this thread much, but would this work alongside or instead of something like milter-null?

It would work alongside milter-null, scam-backscatter is simply a recipient call-ahead milter.

Regards, Steve.

From maillists at conactive.com Wed Jan 21 15:31:40 2009
From: maillists at conactive.com (Kai Schaetzl) Date: Wed Jan 21 15:31:54 2009 Subject: Spam Problem In-Reply-To: References: Message-ID:

Don't whitelist your domain and reject all mail with your domain as sender that is not authenticated at MTA level.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Wed Jan 21 16:22:52 2009
From: maillists at conactive.com (Kai Schaetzl) Date: Wed Jan 21 16:23:05 2009 Subject: Preventing backscatter with sendmail In-Reply-To: <4977399B.90806@fsl.com> References: <49df20710901210605w201f96del9a43a4e4caedc15d@mail.gmail.com> <623EBB34-96BA-46F1-8EF5-4B961F562AF8@rtpty.com> <4977399B.90806@fsl.com> Message-ID:

Steve Freegard wrote on Wed, 21 Jan 2009 15:04:59 +0000:
> > I haven't followed this thread much, but would this work alongside or instead of something like milter-null?
>
> It would work alongside milter-null, scam-backscatter is simply a recipient call-ahead milter.

e.g. it is meant to prevent *yourself* from creating backscatter not from incoming backscatter. I think the name of this milter is rather confusing.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From yann.b at capensis.fr Wed Jan 21 16:39:25 2009
From: yann.b at capensis.fr (Yann Bachy) Date: Wed Jan 21 16:40:43 2009 Subject: RFC problems ... Message-ID: <20090121173925.3k9h7m9zc4coks0g@horde.capen.sis>

Hello to you all,

I've got a slight RFC problem:

My horde used to send attachments of which the filename contains accents by the RFC2231 format (header) ... this isn't supported by exchange so I activated HORDE's brokenrfc2231 option so it will send the RFC2231 header AND the RFC2047 header.

my header now looks like this:

--=_2qw5ii3ew2uo
Content-Type: application/vnd.oasis.opendocument.spreadsheet; name="=?utf-8?b?dMOpdMOpw6Aub2Rz?="; name*="utf-8''t%C3%A9t%C3%A9%C3%A0.ods"
Content-Disposition: attachment; filename="=?utf-8?b?dMOpdMOpw6Aub2Rz?="; filename*="utf-8''t%C3%A9t%C3%A9%C3%A0.ods"
Content-Transfer-Encoding: base64

this still doesn't work so I changed HORDE's source to ONLY send RFC2047 headers, so my header looks like this now:

--=_5jfo4nzjsgi3
Content-Type: application/vnd.oasis.opendocument.spreadsheet; name="=?utf-8?b?dMOpdMOpw6Aub2Rz?="
Content-Disposition: attachment; filename="=?utf-8?b?dMOpdMOpw6Aub2Rz?="
Content-Transfer-Encoding: base64

the problem I've got is that now MailScanner refuses to analyse the message and blocks it automatically ... is there anyone that has got an idea?

Thanks,
--
Yann Bachy

From maillists at conactive.com Wed Jan 21 16:54:02 2009
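The two Content-Disposition variants from Yann Bachy's message, decoded side by side. This is an added example, not part of the original post and not MailScanner's or Horde's code: a small Python decoder for the RFC 2231 `filename*` form and the RFC 2047 encoded-word form that lists every name a receiving client could end up showing, which is the set a filename rule has to be applied to. The function names and the `MISMATCH` sample are constructed for illustration, and RFC 2231 continuations (`filename*0*=`) are left out.

```python
import re
from email.header import decode_header
from urllib.parse import unquote_to_bytes

# Content-Disposition values copied from the two header variants quoted above.
BOTH_FORMS = (
    'attachment; filename="=?utf-8?b?dMOpdMOpw6Aub2Rz?="; '
    "filename*=\"utf-8''t%C3%A9t%C3%A9%C3%A0.ods\""
)
RFC2047_ONLY = 'attachment; filename="=?utf-8?b?dMOpdMOpw6Aub2Rz?="'
# Constructed sample: ASCII fallback in filename=, full name in filename*=.
MISMATCH = ("attachment; filename=\"resume.ods\"; "
            "filename*=utf-8''r%C3%A9sum%C3%A9.ods")

# ;name=value where value is a quoted-string or a bare token
_PARAM = re.compile(r';\s*([\w*]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;\s]*)')


def split_params(header_value):
    """Return [(lowercased name, unquoted raw value)] for each parameter."""
    params = []
    for name, raw in _PARAM.findall(header_value):
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = re.sub(r'\\(.)', r'\1', raw[1:-1])   # drop quotes, unescape
        params.append((name.lower(), raw))
    return params


def _to_text(data, charset):
    """Decode bytes with the declared charset, falling back to latin-1."""
    try:
        return data.decode(charset or 'ascii', errors='replace')
    except LookupError:                 # unknown charset label
        return data.decode('latin-1')


def decode_rfc2231(raw):
    """Decode charset'language'percent-encoded-octets (RFC 2231 section 4)."""
    if raw.count("'") < 2:
        return raw                      # not in extended form; leave untouched
    charset, _language, octets = raw.split("'", 2)
    return _to_text(unquote_to_bytes(octets), charset)


def decode_rfc2047(raw):
    """Decode =?charset?b|q?...?= encoded-words; plain text passes through."""
    parts = []
    for data, charset in decode_header(raw):
        parts.append(_to_text(data, charset) if isinstance(data, bytes) else data)
    return ''.join(parts)


def filename_candidates(disposition):
    """List (parameter name, decoded value) for every filename parameter."""
    found = []
    for name, raw in split_params(disposition):
        if name == 'filename*':
            found.append((name, decode_rfc2231(raw)))
        elif name == 'filename':
            found.append((name, decode_rfc2047(raw)))
    return found


def names_to_check(disposition):
    """Distinct decoded names plus a flag set when the parameters disagree."""
    names = sorted({decoded for _param, decoded in filename_candidates(disposition)})
    return {'names': names, 'differ': len(names) > 1}


if __name__ == '__main__':
    for label, value in (('both forms', BOTH_FORMS),
                         ('RFC 2047 only', RFC2047_ONLY),
                         ('mismatch', MISMATCH)):
        print(label, names_to_check(value))
```

Both of Yann's variants decode to the same name, so a scanner that understands either form sees the same attachment; the `differ` flag covers the case where a client that ignores `filename*` (as Exchange is said to above) would show a different name from one that honours it.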
From: maillists at conactive.com (Kai Schaetzl) Date: Wed Jan 21 16:54:13 2009 Subject: RFC problems ... In-Reply-To: <20090121173925.3k9h7m9zc4coks0g@horde.capen.sis> References: <20090121173925.3k9h7m9zc4coks0g@horde.capen.sis> Message-ID:

Yann Bachy wrote on Wed, 21 Jan 2009 17:39:25 +0100:
> the problem I've got is that now MailScanner refuses to analyse the message and blocks it automatically ... is there anyone that has got an idea?

short term: don't scan messages from your own server
long term: Julian will need to have a look

Also: in general it's better to stay with ASCII for *any* filename you create! Then you don't hit such a problem, anywhere.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From mailbag at partnersolutions.ca Wed Jan 21 17:54:13 2009
From: mailbag at partnersolutions.ca (PSI Mailbag) Date: Wed Jan 21 17:54:28 2009 Subject: Sanesecurity is back online Message-ID: <120EBC42C8319846842A4A49B3D5566BBDD6FE@psims003.pshosting.intranet>

Hey folks,

In case any of you missed it last night, Sanesecurity is back online with their custom ClamAV signatures. They've switched to rsync for the database updates, so you will have to change your scripts.

For those of you who haven't updated to ClamAV 0.94, please pay attention to the documentation, as the support for logical signatures wasn't available prior to 0.94, so you may have issues with the .ldb files included in the download.

Cheers,
-Joshua

-----Original Message-----
From: sanesecurity-bounce@freelists.org [mailto:sanesecurity-bounce@freelists.org] On Behalf Of Steve Basford
Sent: January 20, 2009 3:31 PM
To: sanesecurity@freelists.org
Subject: [sanesecurity] We're back...

Hi All,

Head over to here and read all about the changes: http://www.sanesecurity.com.nyud.net (CDN site)

(alternatively visit http://www.sanesecurity.com, http://www.sanesecurity.co.uk, http://www.sanesecurity.org.uk or http://www.sanesecurity.org)

Note: there may be teething problems, so please bear with me.

Thanks to all the mirrors....feedback and your patience...

I'm off to enjoy the rest of the evening :)

Cheers,
Steve
Sanesecurity

From steve.freegard at fsl.com Wed Jan 21 19:02:38 2009
From: steve.freegard at fsl.com (Steve Freegard) Date: Wed Jan 21 19:02:48 2009 Subject: Preventing backscatter with sendmail In-Reply-To: References: <49df20710901210605w201f96del9a43a4e4caedc15d@mail.gmail.com> <623EBB34-96BA-46F1-8EF5-4B961F562AF8@rtpty.com> <4977399B.90806@fsl.com> Message-ID: <4977714E.1090606@fsl.com>

Kai Schaetzl wrote:
> Steve Freegard wrote on Wed, 21 Jan 2009 15:04:59 +0000:
>
>>> I haven't followed this thread much, but would this work alongside or instead of something like milter-null?
>> It would work alongside milter-null, scam-backscatter is simply a recipient call-ahead milter.
>
> e.g. it is meant to prevent *yourself* from creating backscatter not from incoming backscatter. I think the name of this milter is rather confusing.

Yes - I agree. I also suspect that due to the name - people will think of this milter as some sort of 'silver-bullet' to prevent backscatter emanating from their host which would be a bad assumption.

Rejecting invalid recipients on a gateway machine is a good start; but the administrator has to actually make sure the back-end hosts that actually receive the call-aheads aren't accept-then-bounce (e.g. it accepts all the recipients and the entire message then sends a DSN after the message has been accepted - *cough*Exchange 5.5*cough*) as in this case this milter would be no help; in fact it would actually reduce the efficiency of the gateway as it would carry on doing call-aheads even if the back-end doesn't reject invalid recipients based upon the documentation (see milter-ahead's 'is-blind-mx' tests for an example of how to do this right).

Many domains' mail servers do not reject invalid recipients correctly:

[root@mail ~]# ./bmx_check_routes.pl
Found 382 domains; pass=4 (1.05%), fail=378 (98.95%)

pass = servers that reject invalid recipients
fail = servers that accept all recipients

Note that the 'fail' statistics could also count domains with 'catch-all' accounts.

Regards, Steve.
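A sketch of the kind of 'blind MX' check Steve Freegard describes, as an added example (not milter-ahead's or bmx_check_routes.pl's code, whose internals the post does not show): before relying on call-ahead for a route you administer, ask the back-end about one known-good and one random recipient and see whether it refuses the random one at RCPT time. The function names, the probe HELO name and the extra "unknown" verdict are assumptions of this example; the summary line follows the format of the output quoted above.

```python
import secrets
import smtplib


def rcpt_code(host, port, address, helo="callahead-check.invalid", timeout=15):
    """Return the SMTP reply code `host` gives to RCPT TO:<address>.

    The session uses the null sender and is reset and closed before DATA,
    so no message is ever submitted.
    """
    with smtplib.SMTP(host, port, local_hostname=helo, timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, text = smtp.mail("")                 # MAIL FROM:<>
        if code != 250:
            raise RuntimeError("MAIL FROM refused: %d %r" % (code, text))
        code, _text = smtp.rcpt(address)
        smtp.rset()
        return code


def classify(valid_code, bogus_code):
    """Turn the two RCPT reply codes into pass / fail / unknown.

    pass    = back-end rejects the invalid recipient, call-ahead is useful
    fail    = back-end accepts everything (accept-then-bounce or catch-all)
    unknown = no conclusion: the known-good address was refused too, or the
              server answered the bogus address with a temporary (4xx) error
    """
    if not 200 <= valid_code < 300:
        return "unknown"
    if 200 <= bogus_code < 300:
        return "fail"
    if 500 <= bogus_code < 600:
        return "pass"
    return "unknown"


def check_route(host, port, domain, known_good_local):
    """Probe one back-end for one domain it is supposed to handle."""
    bogus = "no-such-user-%s@%s" % (secrets.token_hex(8), domain)
    valid = rcpt_code(host, port, "%s@%s" % (known_good_local, domain))
    return classify(valid, rcpt_code(host, port, bogus))


def summarise(verdicts):
    """Format {domain: verdict} like the bmx_check_routes.pl line quoted above."""
    total = len(verdicts)
    if total == 0:
        return "Found 0 domains"

    def part(name):
        count = sum(1 for v in verdicts.values() if v == name)
        return count, "%s=%d (%.2f%%)" % (name, count, 100.0 * count / total)

    fields = [part("pass")[1], part("fail")[1]]
    unknown_count, unknown_text = part("unknown")
    if unknown_count:                              # only shown when it occurs
        fields.append(unknown_text)
    return "Found %d domains; %s" % (total, ", ".join(fields))
```

A route that comes back "fail" should have call-ahead switched off (or a recipient list maintained on the gateway instead), since every call-ahead to it costs a connection and never rejects anything.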
From sandrews at andrewscompanies.com Wed Jan 21 22:50:59 2009 
From: sandrews at andrewscompanies.com (Steven Andrews) Date: Wed Jan 21 22:51:09 2009 Subject: OT: email size limits Message-ID: <1964AAFBC212F742958F9275BF63DBB0A72A32@winchester.andrewscompanies.com>

I have a client who employs a lot of consultants and we provide them with an email address on the corp system and they pretty much have to do everything through the corp systems; mostly terminal server. They do have the ability to work offline and send the generated content into the main office.

Anyway, from time to time we get complaints from these folks that we have email size limits in place even though for larger stuff we give them ftp access that we can throttle. I think our limit is somewhere around 10 meg right now although we tell them it's less so we can deal with the overhead they won't understand.

So I get an aol user today telling me what an asshat I am (which may or may not be true, but for the purposes of discussion today I'm not) and how much our systems suck because I have email size limits in place and his email is being blocked. Of course, we never saw it in our mailserver, which means he got hit with aol's 16 meg size block, but he was all talk and no listening. He then goes on to tell me about "lynux" and how it's free and better than the crap Microsoft has been selling us...yadda yadda yadda; oh wait, what's the banner on our mailserver? It's sendmail....but I digress.

So, just for self-evaluation, what's everyone else doing for email size limits? I want to make sure we're in the range of the rest of the world.

Thanks,

Steven R. Andrews, President
Andrews Companies Incorporated
Small Business Information Technology Consultants
sandrews@andrewscompanies.com
Phone: 317.536.1807

"If your only tool is a hammer, every problem looks like a nail."

From traced at xpear.de Wed Jan 21 23:05:29 2009
From: traced at xpear.de (traced) Date: Wed Jan 21 23:05:39 2009 Subject: OT: email size limits In-Reply-To: <1964AAFBC212F742958F9275BF63DBB0A72A32@winchester.andrewscompanies.com> References: <1964AAFBC212F742958F9275BF63DBB0A72A32@winchester.andrewscompanies.com> Message-ID: <4977AA39.7050004@xpear.de>

Steven Andrews wrote:
> So, just for self-evaluation, what's everyone else doing for email size limits? I want to make sure we're in the range of the rest of the world.
>

Hi Steven,

our limits are between 15 and 25 megs, on most servers we are at 25.

Regards, Bastian

From maillists at conactive.com Wed Jan 21 23:31:16 2009
From: maillists at conactive.com (Kai Schaetzl) Date: Wed Jan 21 23:31:31 2009 Subject: OT: email size limits In-Reply-To: <1964AAFBC212F742958F9275BF63DBB0A72A32@winchester.andrewscompanies.com> References: <1964AAFBC212F742958F9275BF63DBB0A72A32@winchester.andrewscompanies.com> Message-ID:

Steven Andrews wrote on Wed, 21 Jan 2009 17:50:59 -0500:
> So, just for self-evaluation, what's everyone else doing for email size limits? I want to make sure we're in the range of the rest of the world.

postfix has a 10MB default and I think it's a good default. I usually have to up it on machines where publishers or advertising agencies have accounts on as they frequently mail printing stuff that is larger. But I never put it higher than 30 MB. Everything above that has to be carried out via FTP.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From ugob at lubik.ca Thu Jan 22 00:00:43 2009
From: ugob at lubik.ca (Ugo Bellavance) Date: Thu Jan 22 00:00:54 2009 Subject: OT: email size limits In-Reply-To: <1964AAFBC212F742958F9275BF63DBB0A72A32@winchester.andrewscompanies.com> References: <1964AAFBC212F742958F9275BF63DBB0A72A32@winchester.andrewscompanies.com> Message-ID: <4977B72B.6000708@lubik.ca>

Steven Andrews wrote:
> I have a client who employs a lot of consultants and we provide them with an email address on the corp system and they pretty much have to do everything through the corp systems; mostly terminal server. They do have the ability to work offline and send the generated content into the main office.
>
> Anyway, from time to time we get complaints from these folks that we have email size limits in place even though for larger stuff we give them ftp access that we can throttle. I think our limit is somewhere around 10 meg right now although we tell them it's less so we can deal with the overhead they won't understand.
>
> So I get an aol user today telling me what an asshat I am (which may or may not be true, but for the purposes of discussion today I'm not) and how much our systems suck because I have email size limits in place and his email is being blocked. Of course, we never saw it in our mailserver, which means he got hit with aol's 16 meg size block, but he was all talk and no listening. He then goes on to tell me about "lynux" and how it's free and better than the crap Microsoft has been selling us...yadda yadda yadda; oh wait, what's the banner on our mailserver? It's sendmail....but I digress.
>
> So, just for self-evaluation, what's everyone else doing for email size limits? I want to make sure we're in the range of the rest of the world.

20MB in, 5 MB out. And we don't provide them with ftp or anything to share big files.

From gcle at smcaus.com.au Thu Jan 22 00:04:38 2009
From: gcle at smcaus.com.au (Gerard Cleary) Date: Thu Jan 22 00:05:05 2009 Subject: OT: email size limits In-Reply-To: <1964AAFBC212F742958F9275BF63DBB0A72A32@winchester.andrewscompanies.com> References: <1964AAFBC212F742958F9275BF63DBB0A72A32@winchester.andrewscompanies.com> Message-ID: <200901221104.38542.gcle@smcaus.com.au>

Our limit is 10M and we encourage users to have us setup an ftp facility if they regularly send/receive bigger eMails.

Gerard.

On Thu, 22 Jan 2009 09:50:59 Steven Andrews wrote:
> So, just for self-evaluation, what's everyone else doing for email size limits? I want to make sure we're in the range of the rest of the world.

--
Gerard Cleary
SMC Systems Administration
Ph: +61 2 9354 8222

From Kevin_Miller at ci.juneau.ak.us Thu Jan 22 00:28:05 2009
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Thu Jan 22 00:28:16 2009 Subject: email size limits In-Reply-To: <1964AAFBC212F742958F9275BF63DBB0A72A32@winchester.andrewscompanies.com> References: <1964AAFBC212F742958F9275BF63DBB0A72A32@winchester.andrewscompanies.com> Message-ID:

10 MB and in hindsight I wish I'd reduced it 2 MB years ago. We also have FTP for the big stuff.

What is more problematical than message size is everybody uses their inbox as a document manager. Like a dummy I never put size limits on the mailboxes either, and now that cat's out of the bag. Sigh...

...Kevin
--
Kevin Miller Registered Linux User No: 307357
CBJ MIS Dept. Network Systems Admin., Mail Admin.
155 South Seward Street ph: (907) 586-0242
Juneau, Alaska 99801 fax: (907 586-4500

From steve.swaney at fsl.com Thu Jan 22 02:53:47 2009
From: steve.swaney at fsl.com (Stephen Swaney) Date: Thu Jan 22 02:54:01 2009 Subject: email size limits In-Reply-To: References: <1964AAFBC212F742958F9275BF63DBB0A72A32@winchester.andrewscompanies.com> Message-ID: <4977DFBB.7020008@fsl.com>

Kevin Miller wrote:
> 10 MB and in hindsight I wish I'd reduced it 2 MB years ago. We also have FTP for the big stuff.
> What is more problematical than message size is everybody uses their inbox as a document manager. Like a dummy I never put size limits on the mailboxes either, and now that cat's out of the bag. Sigh...
>
> ...Kevin
> --
> Kevin Miller Registered Linux User No: 307357
> CBJ MIS Dept. Network Systems Admin., Mail Admin.
> 155 South Seward Street ph: (907) 586-0242
> Juneau, Alaska 99801 fax: (907 586-4500
>
> ------------------------------------------------------------------------
> *From:* mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] *On Behalf Of *Steven Andrews
> *Sent:* Wednesday, January 21, 2009 1:51 PM
> *To:* MailScanner discussion
> *Subject:* OT: email size limits
>
> I have a client who employs a lot of consultants and we provide them with an email address on the corp system and they pretty much have to do everything through the corp systems; mostly terminal server. They do have the ability to work offline and send the generated content into the main office.
>
> Anyway, from time to time we get complaints from these folks that we have email size limits in place even though for larger stuff we give them ftp access that we can throttle. I think our limit is somewhere around 10 meg right now although we tell them it's less so we can deal with the overhead they won't understand.
>
> So I get an aol user today telling me what an asshat I am (which may or may not be true, but for the purposes of discussion today I'm not) and how much our systems suck because I have email size limits in place and his email is being blocked. Of course, we never saw it in our mailserver, which means he got hit with aol's 16 meg size block, but he was all talk and no listening. He then goes on to tell me about "lynux" and how it's free and better than the crap Microsoft has been selling us...yadda yadda yadda; oh wait, what's the banner on our mailserver? It's sendmail....but I digress.
>
> So, just for self-evaluation, what's everyone else doing for email size limits? I want to make sure we're in the range of the rest of the world.
>
> Thanks,
>
> *Steven R. Andrews*, President
> Andrews Companies Incorporated
> /Small Business Information Technology Consultants/
> sandrews@andrewscompanies.com
> Phone: 317.536.1807
>
> "If your only tool is a hammer, every problem looks like a nail."
>

The solutions you have put into place seem very reasonable. The people you have to deal with don't :(

Most MTA are one size fits all. If you want different limits by domain, sender, recipient or from and to use for sendmail or postfix (with milter support):

http://www.snertsoft.com/sendmail/milter-length/

These functions are also built into BarricadeMX.

Best regards,
Steve

--
Steve Swaney
steve@fsl.com
www.fsl.com

From glenn.steen at gmail.com Thu Jan 22 08:06:26 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Jan 22 08:06:36 2009
Subject: OT: email size limits
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB0A72A32@winchester.andrewscompanies.com>
References: <1964AAFBC212F742958F9275BF63DBB0A72A32@winchester.andrewscompanies.com>
Message-ID: <223f97700901220006n714270few9ed1a9bb1fc3c72@mail.gmail.com>

2009/1/21 Steven Andrews :
> I have a client who employs a lot of consultants and we provide them with an
> email address on the corp system and they pretty much have to do everything
> through the corp systems; mostly terminal server. They do have the ability
> to work offline and send the generated content into the main office.
>
>
>
> Anyway, from time to time we get complaints from these folks that we have
> email size limits in place even though for larger stuff we give them ftp
> access that we can throttle. I think our limit is somewhere around 10 meg
> right now although we tell them it's less so we can deal with the overhead
> they won't understand.
>
>
>
> So I get an aol user today telling me what an asshat I am (which may or may
> not be true, but for the purposes of discussion today I'm not) and how much
> our systems suck because I have email size limits in place and his email is
> being blocked. Of course, we never saw it in our mailserver, which means he
> got hit with aol's 16 meg size block, but he was all talk and no listening.
> He then goes on to tell me about "lynux" and how it's free and better than
> the crap Microsoft has been selling us...yadda yadda yadda; oh wait, what's
> the banner on our mailserver? It's sendmail....but I digress.
>
What did you say to him, after you stopped laughing?:-)

>
>
> So, just for self-evaluation, what's everyone else doing for email size
> limits? I want to make sure we're in the range of the rest of the world.
>
16 MiB enforced over the line (GW as well as mailstore). We very rarely
(<1/year) see violations of this... Have been at that level for quite a
few years now (4-5, IIRC). I chose that limit as, at that time, most
home/free mail was limited to 5-10 MiB/message... and most seem to still
be there.
But what the limit should be is very dependent on your userbase... I
suspect the .edu world (at least universities et al) need have
substantially higher limits... And it depends on how many times you'd
like to answer "What does this darned DSN really mean?" type o'
questions:-).

>
> Thanks,
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From jkf at ecs.soton.ac.uk Thu Jan 22 09:17:28 2009
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 22 09:18:08 2009
Subject: Sanesecurity ClamAV sigs are back. Yay!
Message-ID: <497839A8.8000104@ecs.soton.ac.uk>

In case you didn't know, Steve Basford and his wonderful crew at
SaneSecurity have got their nice set of ClamAV signatures back up and
running, after they were badly DDoS-ed a few weeks ago. And they have
added some new stuff such as more protection against spear-phishing.
This is *well* worth using.

You can get a new download script from here:
http://www.retrosnub.co.uk/sanesecurity/script/fetch-sanesecurity-sigs

You may want to put it in /etc/cron.hourly, so it gets updated every
hour for you automatically with no action from you. And you will need to
do this command to ensure it gets run:
chmod +x /etc/cron.hourly/fetch-sanesecurity-sigs

You will need to check that the commands gpg, wget and rsync are all
installed and on your path. Just try the commands with no options and
see if it gives you a "Command not found" error. If no error like that,
you're good to go.

If you are using my ClamAV+SpamAssassin package, which installs ClamAV
in /usr/local, then you will need to set this in the correct place near
the top of the script:

# ClamAV database location
clamd_dbdir="/usr/local/share/clamav"

instead of the default location of /var/clamav. And you *may* need to
change the "clamd_pidfile" setting to

# ClamAV daemon process ID file
# (If this is commented out, the daemon will not be reloaded automatically)
clamd_pidfile="/var/run/clamd.pid"

but check where your pid file actually is, it should be under /var/run
somewhere and will be called "clamd.pid". You'll find it, I'm sure :-)

If you are using the ClamAV installation provided by FSL as part of
BarricadeMX, then you will need to change the clamd_dbdir setting to

# ClamAV database location
clamd_dbdir="/var/clamav"

I think that pretty much covers it.
Run the script once by hand to be sure it is running properly and not
producing any serious errors.

Jules

--
Julian Field MEng MBCS CITP CEng
jkf@ecs.soton.ac.uk
Teaching Systems Manager
Electronics& Computer Science
University of Southampton
SO17 1BJ, UK

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From list-mailscanner at linguaphone.com Thu Jan 22 09:45:48 2009
From: list-mailscanner at linguaphone.com (Gareth)
Date: Thu Jan 22 09:46:06 2009
Subject: OT: email size limits
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB0A72A32@winchester.andrewscompanies.com>
References: <1964AAFBC212F742958F9275BF63DBB0A72A32@winchester.andrewscompanies.com>
Message-ID: <1232617548.5426.5.camel@gblades-suse.linguaphone-intranet.co.uk>

On Wed, 2009-01-21 at 22:50, Steven Andrews wrote:
> So, just for self-evaluation, what's everyone else doing for email
> size limits? I want to make sure we're in the range of the rest of
> the world.

We upped our limit to 20MB a couple of years ago although we tell our
users it is 15MB because they don't understand how the file grows when
emailed.

From list-mailscanner at linguaphone.com Thu Jan 22 09:56:35 2009
From: list-mailscanner at linguaphone.com (Gareth)
Date: Thu Jan 22 09:56:45 2009
Subject: Sanesecurity ClamAV sigs are back. Yay!
In-Reply-To: <497839A8.8000104@ecs.soton.ac.uk>
References: <497839A8.8000104@ecs.soton.ac.uk>
Message-ID: <1232618195.5425.9.camel@gblades-suse.linguaphone-intranet.co.uk>

There will be a new unofficial-sigs.sh download script available there
very soon as well and this one supports MSRBL and SecureSite as well.
It might be worth holding off on using it for a short while though as it
has been pointed out that because you can choose which sigs you want it
makes an rsync call for every file and that could in theory get you
blocked by the mirror. The author is looking into a better way to
download just the files wanted with a single rsync call.

On Thu, 2009-01-22 at 09:17, Julian Field wrote:
> In case you didn't know, Steve Basford and his wonderful crew at
> SaneSecurity have got their nice set of ClamAV signatures back up and
> running, after they were badly DDoS-ed a few weeks ago. And they have
> added some new stuff such as more protection against spear-phishing.
> This is *well* worth using.
>
> You can get a new download script from here:
> http://www.retrosnub.co.uk/sanesecurity/script/fetch-sanesecurity-sigs
>
> You may want to put it in /etc/cron.hourly, so it gets updated every
> hour for you automatically with no action from you. And you will need to
> do this command to ensure it gets run:
> chmod +x /etc/cron.hourly/fetch-sanesecurity-sigs
>
> You will need to check that the commands gpg, wget and rsync are all
> installed and on your path. Just try the commands with no options and
> see if it gives you a "Command not found" error. If no error like that,
> you're good to go.
> > If you are using my ClamAV+SpamAssassin package, which installs ClamAV > in /usr/local, then you will need to set this in the correct place near > the top of the script: > > # ClamAV database location > clamd_dbdir="/usr/local/share/clamav" > > instead of the default location of /var/clamav. And you *may* need to > change the "clamd_pidfile" setting to > > # ClamAV daemon process ID file > # (If this is commented out, the daemon will not be reloaded automatically) > clamd_pidfile="/var/run/clamd.pid" > > but check where your pid file actually is, it should be under /var/run > somewhere and will be called "clamd.pid". You'll find it, I'm sure :-) > > If you are using the ClamAV installation provided by FSL as part of > BarricadeMX, then you will need to change the clamd_dbdir setting to > > # ClamAV database location > clamd_dbdir="/var/clamav" > > I think that pretty much covers it. > Run the script once by hand to be sure it is running properly and not > producing any serious errors. > > Jules > > -- > Julian Field MEng MBCS CITP CEng > jkf@ecs.soton.ac.uk > Teaching Systems Manager > Electronics& Computer Science > University of Southampton > SO17 1BJ, UK > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > PGP public key: http://www.jules.fm/julesfm.asc > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. From blessings83 at gmail.com Thu Jan 22 10:24:59 2009 
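
The setup steps quoted in the message above (tools on the path, chmod +x, clamd_dbdir, clamd_pidfile) can be checked in one pass before the first run by hand. This is an added example, not part of any post in the thread or of the download script; the function names, the REQUIRED_TOOLS variable, the main/daily database check and the assumption that the settings are one-line double-quoted assignments are this example's own.

```shell
#!/bin/sh
# Preflight for the fetch-sanesecurity-sigs setup described in the post.
# Assumption: settings are one-line, double-quoted shell assignments, in the
# form the post quotes (clamd_dbdir="...", clamd_pidfile="...").
# Usage (as root, like cron): preflight /etc/cron.hourly/fetch-sanesecurity-sigs

REQUIRED_TOOLS="${REQUIRED_TOOLS:-gpg wget rsync}"   # tools the post names

# Print the value of the last uncommented NAME="value" line in a script.
get_setting() {   # $1 = script path, $2 = variable name
    sed -n "s/^[[:space:]]*$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

problems=0
fail() { echo "PROBLEM: $*"; problems=$((problems + 1)); }

# Returns the number of problems found (0 means ready to run by hand).
preflight() {     # $1 = path to the installed download script
    script=$1
    problems=0

    # cron.hourly only runs files that are executable (the chmod +x step).
    [ -f "$script" ] || { fail "$script does not exist"; return "$problems"; }
    [ -x "$script" ] || fail "$script is not executable (chmod +x)"

    # Same check as typing each command and looking for "Command not found".
    for tool in $REQUIRED_TOOLS; do
        command -v "$tool" >/dev/null 2>&1 || fail "$tool is not on PATH"
    done

    # clamd_dbdir must be the directory clamd really loads from; finding the
    # official databases there (main/daily, .cvd or .cld) confirms that.
    dbdir=$(get_setting "$script" clamd_dbdir)
    if [ -z "$dbdir" ]; then
        fail "clamd_dbdir is not set"
    elif [ ! -d "$dbdir" ]; then
        fail "clamd_dbdir=$dbdir is not a directory"
    else
        found=0
        for db in "$dbdir"/main.c[vl]d "$dbdir"/daily.c[vl]d; do
            if [ -f "$db" ]; then found=1; fi
        done
        [ "$found" -eq 1 ] || fail "no main/daily database in $dbdir"
    fi

    # A commented-out pid file means no automatic reload: a note, not an error.
    pidfile=$(get_setting "$script" clamd_pidfile)
    if [ -z "$pidfile" ]; then
        echo "NOTE: clamd_pidfile not set; clamd will not be reloaded"
    elif [ ! -r "$pidfile" ]; then
        fail "clamd_pidfile=$pidfile is missing or unreadable"
    else
        pid=$(tr -cd '0-9' < "$pidfile")
        if [ -z "$pid" ] || ! kill -0 "$pid" 2>/dev/null; then
            fail "$pidfile does not name a running process"
        fi
    fi
    return "$problems"
}
```

The kill -0 test needs permission to signal clamd, so run the check as the same user cron will use.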
From: blessings83 at gmail.com (Pardon Blessings Maoneke) Date: Thu Jan 22 10:25:07 2009 Subject: Preventing backscatter with sendmail In-Reply-To: <4977714E.1090606@fsl.com> References: <49df20710901210605w201f96del9a43a4e4caedc15d@mail.gmail.com> <623EBB34-96BA-46F1-8EF5-4B961F562AF8@rtpty.com> <4977399B.90806@fsl.com> <4977714E.1090606@fsl.com> Message-ID: <70ba75780901220224t341b897dm31140e1dca415931@mail.gmail.com> Is there a way of preventing backscatters on postfix. I have many users and i am using postfix plus mysql database but there is a lot of backscatters. How can i prevent such a scenario On 1/21/09, Steve Freegard wrote: > Kai Schaetzl wrote: >> Steve Freegard wrote on Wed, 21 Jan 2009 15:04:59 +0000: >> >>>> I haven't followed this thread much, but would this work alongside or >>>> instead of something like milter-null? >>> It would work alongside milter-null, scam-backscatter is simply a >>> recipient call-ahead milter. >> >> e.g. it is meant to prevent *yourself* from creating backscatter not from >> incoming backscatter. I think the name of this milter is rather confusing. > > Yes - I agree. > > I also suspect that due to the name - people will think of this milter > as some sort of 'silver-bullet' to prevent backscatter emanating from > their host which would be a bad assumption. > > Rejecting invalid recipients on a gateway machine is a good start; but > the administrator has to actually make sure the back-end hosts that > actually receive the call-aheads isn't accept-then-bounce (e.g. it > accepts all the recipients and the entire message then sends a DSN after > the message has been accepted - *cough*Exchange 5.5*cough*) as in this > case this milter would be no help; in fact it would actually reduce the > efficiency of the gateway as it would carry on doing call-aheads even if > the back-end doesn't reject invalid recipients based upon the > documentation (see milter-aheads 'is-blind-mx' tests for an example of > how to do this right). 
> > Many domains mail servers do not reject invalid recipients correctly: > > [root@mail ~]# ./bmx_check_routes.pl > Found 382 domains; pass=4 (1.05%), fail=378 (98.95%) > > pass = servers that reject invalid recipients > fail = servers that accept all recipients > > Note that the 'fail' statistics could also count domains with > 'catch-all' accounts. > > Regards, > Steve. > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- Regards, Pardon Blessings Maoneke From MailScanner at ecs.soton.ac.uk Thu Jan 22 10:34:53 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 22 10:35:15 2009
Subject: RFC problems ...
In-Reply-To:
References: <20090121173925.3k9h7m9zc4coks0g@horde.capen.sis>
Message-ID: <49784BCD.2010109@ecs.soton.ac.uk>

This will be a problem in MIME-tools, over which I don't really have any
control. So I'm not quite sure what to suggest at this point.

Can you put a sample message, demonstrating the problem, on the web
somewhere so I can download it and try it?

On 21/1/09 16:54, Kai Schaetzl wrote:
> Yann Bachy wrote on Wed, 21 Jan 2009 17:39:25 +0100:
>
>
>> the problem I've got is that now MailScanner refuses to analyse the
>> message and blocks it automatically ... is there anyone that has got an
>> idea?
>>
>
> short term: don't scan messages from your own server
> long term: Julian will need to have a look
>
> Also: in general it's better to stay with ASCII for *any* filename you
> create! Then you don't hit such a problem, anywhere.
>
> Kai
>
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From MailScanner at ecs.soton.ac.uk Thu Jan 22 10:37:06 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 22 10:37:26 2009
Subject: OT: email size limits
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB0A72A32@winchester.andrewscompanies.com>
References: <1964AAFBC212F742958F9275BF63DBB0A72A32@winchester.andrewscompanies.com>
Message-ID: <49784C52.5020306@ecs.soton.ac.uk>

I run at 100MB on all my servers. People rarely hit that and I can
easily handle it.

On 21/1/09 22:50, Steven Andrews wrote:
>
> I have a client who employs a lot of consultants and we provide them
> with an email address on the corp system and they pretty much have to
> do everything through the corp systems; mostly terminal server. They
> do have the ability to work offline and send the generated content
> into the main office.
>
> Anyway, from time to time we get complaints from these folks that we
> have email size limits in place even though for larger stuff we give
> them ftp access that we can throttle. I think our limit is somewhere
> around 10 meg right now although we tell them it's less so we can deal
> with the overhead they won't understand.
>
> So I get an aol user today telling me what an asshat I am (which may
> or may not be true, but for the purposes of discussion today I'm not)
> and how much our systems suck because I have email size limits in
> place and his email is being blocked. Of course, we never saw it in
> our mailserver, which means he got hit with aol's 16 meg size block,
> but he was all talk and no listening. He then goes on to tell me about
> "lynux" and how it's free and better than the crap Microsoft has been
> selling us...yadda yadda yadda; oh wait, what's the banner on our
> mailserver? It's sendmail....but I digress.
>
> So, just for self-evaluation, what's everyone else doing for email
> size limits? I want to make sure we're in the range of the rest of the
> world.
>
> Thanks,
>
> *Steven R. Andrews*, President
> Andrews Companies Incorporated
> /Small Business Information Technology Consultants/
> sandrews@andrewscompanies.com
> Phone: 317.536.1807
>
> "If your only tool is a hammer, every problem looks like a nail."
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From list-mailscanner at linguaphone.com Thu Jan 22 10:46:47 2009
From: list-mailscanner at linguaphone.com (Gareth)
Date: Thu Jan 22 10:46:58 2009
Subject: Preventing backscatter with sendmail
In-Reply-To: <70ba75780901220224t341b897dm31140e1dca415931@mail.gmail.com>
References: <49df20710901210605w201f96del9a43a4e4caedc15d@mail.gmail.com> <623EBB34-96BA-46F1-8EF5-4B961F562AF8@rtpty.com> <4977399B.90806@fsl.com> <4977714E.1090606@fsl.com> <70ba75780901220224t341b897dm31140e1dca415931@mail.gmail.com>
Message-ID: <1232621207.5426.19.camel@gblades-suse.linguaphone-intranet.co.uk>

Haven't been following the spamassassin thread but for postfix to stop
creating backscatter yourself use recipient verification.

To remove backscatter either use the mailscanner watermark feature or if
outgoing mail doesn't always go through mailscanner then you can use the
spamassassin 'vbounce' plugin instead.

On Thu, 2009-01-22 at 10:24, Pardon Blessings Maoneke wrote:
> Is there a way of preventing backscatters on postfix. I have many
> users and i am using postfix plus mysql database but there is a lot of
> backscatters. How can i prevent such a scenario
>
>
> On 1/21/09, Steve Freegard wrote:
> > Kai Schaetzl wrote:
> >> Steve Freegard wrote on Wed, 21 Jan 2009 15:04:59 +0000:
> >>
> >>>> I haven't followed this thread much, but would this work alongside or
> >>>> instead of something like milter-null?
> >>> It would work alongside milter-null, scam-backscatter is simply a
> >>> recipient call-ahead milter.
> >>
> >> e.g. it is meant to prevent *yourself* from creating backscatter not from
> >> incoming backscatter. I think the name of this milter is rather confusing.
> >
> > Yes - I agree.
> >
> > I also suspect that due to the name - people will think of this milter
> > as some sort of 'silver-bullet' to prevent backscatter emanating from
> > their host which would be a bad assumption.
> > > > Rejecting invalid recipients on a gateway machine is a good start; but > > the administrator has to actually make sure the back-end hosts that > > actually receive the call-aheads isn't accept-then-bounce (e.g. it > > accepts all the recipients and the entire message then sends a DSN after > > the message has been accepted - *cough*Exchange 5.5*cough*) as in this > > case this milter would be no help; in fact it would actually reduce the > > efficiency of the gateway as it would carry on doing call-aheads even if > > the back-end doesn't reject invalid recipients based upon the > > documentation (see milter-aheads 'is-blind-mx' tests for an example of > > how to do this right). > > > > Many domains mail servers do not reject invalid recipients correctly: > > > > [root@mail ~]# ./bmx_check_routes.pl > > Found 382 domains; pass=4 (1.05%), fail=378 (98.95%) > > > > pass = servers that reject invalid recipients > > fail = servers that accept all recipients > > > > Note that the 'fail' statistics could also count domains with > > 'catch-all' accounts. > > > > Regards, > > Steve. > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > > > > -- > > Regards, > Pardon Blessings Maoneke From mailscanner.list at romehosting.com Thu Jan 22 10:58:29 2009 
From: mailscanner.list at romehosting.com (SuprDave) Date: Thu Jan 22 10:58:47 2009 Subject: Sanesecurity ClamAV sigs are back. Yay! In-Reply-To: <497839A8.8000104@ecs.soton.ac.uk> References: <497839A8.8000104@ecs.soton.ac.uk> Message-ID: <69e2bee1391073eb6bbbeb861320632f.squirrel@mail.romehosting.com> I set this up last night but noticed that their subject line test fails. Mail is delivered when placing the test signature in the subject line. Did anyone else have the same results? Dave Gattis > In case you didn't know, Steve Basford and his wonderful crew at > SaneSecurity have got their nice set of ClamAV signatures back up and > running, after they were badly DDoS-ed a few weeks ago. And they have > added some new stuff such as more protection against spear-phishing. > This is *well* worth using. > > You can get a new download script from here: > http://www.retrosnub.co.uk/sanesecurity/script/fetch-sanesecurity-sigs > > You may want to put it in /etc/cron.hourly, so it gets updated every > hour for you automatically with no action from you. And you will need to > do this command to ensure it gets run: > chmod +x /etc/cron.hourly/fetch-sanesecurity-sigs > > You will need to check that the commands gpg, wget and rsync are all > installed and on your path. Just try the commands with no options and > see if it gives you a "Command not found" error. If no error like that, > you're good to go. > > If you are using my ClamAV+SpamAssassin package, which installs ClamAV > in /usr/local, then you will need to set this in the correct place near > the top of the script: > > # ClamAV database location > clamd_dbdir="/usr/local/share/clamav" > > instead of the default location of /var/clamav. 
And you *may* need to > change the "clamd_pidfile" setting to > > # ClamAV daemon process ID file > # (If this is commented out, the daemon will not be reloaded > automatically) > clamd_pidfile="/var/run/clamd.pid" > > but check where your pid file actually is, it should be under /var/run > somewhere and will be called "clamd.pid". You'll find it, I'm sure :-) > > If you are using the ClamAV installation provided by FSL as part of > BarricadeMX, then you will need to change the clamd_dbdir setting to > > # ClamAV database location > clamd_dbdir="/var/clamav" > > I think that pretty much covers it. > Run the script once by hand to be sure it is running properly and not > producing any serious errors. > > Jules > > -- > Julian Field MEng MBCS CITP CEng > jkf@ecs.soton.ac.uk > Teaching Systems Manager > Electronics& Computer Science > University of Southampton > SO17 1BJ, UK > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > PGP public key: http://www.jules.fm/julesfm.asc > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From maillists at conactive.com Thu Jan 22 12:31:20 2009 
From: maillists at conactive.com (Kai Schaetzl)
Date: Thu Jan 22 12:31:32 2009
Subject: Preventing backscatter with sendmail
In-Reply-To: <70ba75780901220224t341b897dm31140e1dca415931@mail.gmail.com>
References: <49df20710901210605w201f96del9a43a4e4caedc15d@mail.gmail.com> <623EBB34-96BA-46F1-8EF5-4B961F562AF8@rtpty.com> <4977399B.90806@fsl.com> <4977714E.1090606@fsl.com> <70ba75780901220224t341b897dm31140e1dca415931@mail.gmail.com>
Message-ID:

Pardon Blessings Maoneke wrote on Thu, 22 Jan 2009 12:24:59 +0200:

> Is there a way of preventing backscatters on postfix.

Explain what you mean. If you *really* read that thread you will have
noticed there is ambiguity.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From blessings83 at gmail.com Thu Jan 22 13:02:11 2009
From: blessings83 at gmail.com (Pardon Blessings Maoneke)
Date: Thu Jan 22 13:02:20 2009
Subject: Preventing backscatter with sendmail
In-Reply-To:
References: <49df20710901210605w201f96del9a43a4e4caedc15d@mail.gmail.com> <623EBB34-96BA-46F1-8EF5-4B961F562AF8@rtpty.com> <4977399B.90806@fsl.com> <4977714E.1090606@fsl.com> <70ba75780901220224t341b897dm31140e1dca415931@mail.gmail.com>
Message-ID: <70ba75780901220502s50f93d18ob9cde05de834336e@mail.gmail.com>

I am getting sending error message like below:

: host 127.0.0.1[127.0.0.1] said: 554 5.7.0 Reject, id=16074-02-4 - SPAM
(in reply to end of DATA command)

Yet I haven't sent any email. Such messages are coming into my inbox and
they are coming in large numbers ten or so a day. Is there a way of
avoiding this.

Thanks

On 1/22/09, Kai Schaetzl wrote:
>
> Pardon Blessings Maoneke wrote on Thu, 22 Jan 2009 12:24:59 +0200:
>
> > Is there a way of preventing backscatters on postfix.
>
> Explain what you mean. If you *really* read that thread you will have
> noticed there is ambiguity.
>
> Kai
>
> --
> Kai Schätzl, Berlin, Germany
> Get your web at Conactive Internet Services: http://www.conactive.com
>
>
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

--
Regards,
Pardon Blessings Maoneke

From dave.list at pixelhammer.com Thu Jan 22 13:38:13 2009
From: dave.list at pixelhammer.com (DAve)
Date: Thu Jan 22 13:38:33 2009
Subject: OT: email size limits
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB0A72A32@winchester.andrewscompanies.com>
References: <1964AAFBC212F742958F9275BF63DBB0A72A32@winchester.andrewscompanies.com>
Message-ID: <497876C5.20700@pixelhammer.com>

Steven Andrews wrote:
> So, just for self-evaluation, what's everyone else doing for email size
> limits? I want to make sure we're in the range of the rest of the world.
>

We are an ISP with mostly corp clients. We enforce a 20mb limit in and
out with FTP provided for larger files. We also "expect" all attachments
to be zipped before we hear complaints about size limits or file types
being quarantined.

> "If your only tool is a hammer, every problem looks like a nail."

Love the quote, one of my father's favorites, and very true in the IT
world.

DAve

--
The whole internet thing is sucking the life out of me,
there ain't no pony in there.

From ka at pacific.net Thu Jan 22 14:23:22 2009
From: ka at pacific.net (Ken A) Date: Thu Jan 22 14:23:36 2009 Subject: OT: email size limits In-Reply-To: <1964AAFBC212F742958F9275BF63DBB0A72A32@winchester.andrewscompanies.com> References: <1964AAFBC212F742958F9275BF63DBB0A72A32@winchester.andrewscompanies.com> Message-ID: <4978815A.6020207@pacific.net> It's 40M here, which is really ~30 after encoding. It's rare anyone runs up against it, but it happens. There are occasional problems with broadband customers sending too large a message that is 'stuck' in their Outlook outbox, trying to resend every 20 min or so. Unfortunately, sendmail doesn't throw an error until after it's received the bytes.. That is usually a good time for a custom access list entry. Ken Steven Andrews wrote: > I have a client who employs a lot of consultants and we provide them > with an email address on the corp system and they pretty much have to do > everything through the corp systems; mostly terminal server. They do > have the ability to work offline and send the generated content into the > main office. > > > > Anyway, from time to time we get complaints from these folks that we > have email size limits in place even though for larger stuff we give > them ftp access that we can throttle. I think our limit is somewhere > around 10 meg right now although we tell them it's less so we can deal > with the overhead they won't understand. > > > > So I get an aol user today telling me what an asshat I am (which may or > may not be true, but for the purposes of discussion today I'm not) and > how much our systems suck because I have email size limits in place and > his email is being blocked. Of course, we never saw it in our > mailserver, which means he got hit with aol's 16 meg size block, but he > was all talk and no listening. He then goes on to tell me about "lynux" > and how it's free and better than the crap Microsoft has been selling > us...yadda yadda yadda; oh wait, what's the banner on our mailserver? 
> It's sendmail....but I digress. > > > > So, just for self-evaluation, what's everyone else doing for email size > limits? I want to make sure we're in the range of the rest of the > world. > > > > Thanks, > > Steven R. Andrews, President > Andrews Companies Incorporated > Small Business Information Technology Consultants > sandrews@andrewscompanies.com > Phone: 317.536.1807 > > "If your only tool is a hammer, every problem looks like a nail." > > > From nwl002 at shsu.edu Thu Jan 22 14:32:57 2009 From: nwl002 at shsu.edu (Norman Laskie) Date: Thu Jan 22 14:33:14 2009 Subject: Quarantine Messages SpamAssassin Custom Rule Message-ID: <01252D63-6716-485F-83A6-FE04866A7508@shsu.edu> We have setup a custom SpamAssassin rule to hopefully block some of the incoming phishing attempts that we have been receiving in the past few months. Is it possible to quarantine messages that hit this particular SpamAssassin rule? Thanks, Norman From NWL002 at shsu.edu Thu Jan 22 14:37:19 2009 From: NWL002 at shsu.edu (Laskie, Norman) Date: Thu Jan 22 14:37:28 2009 Subject: Quarantine Messages SpamAssassin Custom Rule In-Reply-To: <01252D63-6716-485F-83A6-FE04866A7508@shsu.edu> References: <01252D63-6716-485F-83A6-FE04866A7508@shsu.edu> Message-ID: <8FAC1E47484E43469AA28DBF35C955E42053248C4B@EXMBX.SHSU.EDU> Oops ignore this one, it was an older message I accidently resent while testing having two rules in a custom action.... -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Norman Laskie
Sent: Thursday, January 22, 2009 8:33 AM
To: MailScanner List
Subject: Quarantine Messages SpamAssassin Custom Rule

We have setup a custom SpamAssassin rule to hopefully block some of the
incoming phishing attempts that we have been receiving in the past few
months. Is it possible to quarantine messages that hit this particular
SpamAssassin rule?

Thanks,
Norman
--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From NWL002 at shsu.edu Thu Jan 22 14:47:24 2009
From: NWL002 at shsu.edu (Laskie, Norman)
Date: Thu Jan 22 14:47:34 2009
Subject: Multiple SpamAssassin Rule Actions in ruleset not obeyed??
Message-ID: <8FAC1E47484E43469AA28DBF35C955E42053248C4C@EXMBX.SHSU.EDU>

I have the following two rules defined in
spamassassin.rule.actions.rules, but it appears that when both are
enabled the actions aren't obeyed. The messages in question still get
tagged with the appropriate rule, but are still delivered to the end
user (in this case me) and aren't forwarded onto the postmaster account.

SpamAssassin Rule Actions = %rules-dir%/spamassassin.rule.actions.rules

FromOrTo: default SHSU_PHISH=>not-deliver,store-spam,forward postmaster@shsu.edu
FromOrTo: default JKF_ANTI_PHISH->not-deliver,store,forward postmaster@shsu.edu

Oh yea, I hate phishers... HAHA

Thanks in advance,
Norman

From maillists at conactive.com Thu Jan 22 15:33:20 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Thu Jan 22 15:33:34 2009
Subject: Multiple SpamAssassin Rule Actions in ruleset not obeyed??
In-Reply-To: <8FAC1E47484E43469AA28DBF35C955E42053248C4C@EXMBX.SHSU.EDU>
References: <8FAC1E47484E43469AA28DBF35C955E42053248C4C@EXMBX.SHSU.EDU>
Message-ID:

you are running the latest MS?

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From stef at aoc-uk.com Thu Jan 22 15:35:31 2009
From: stef at aoc-uk.com (Stef Morrell)
Date: Thu Jan 22 15:36:02 2009
Subject: Sanesecurity is back online
In-Reply-To:
References:
Message-ID: <200901221536.n0MFZsnU005831@safir.blacknight.ie>

hi all,

PSI Mailbag wrote:
> In case any of you missed it last night, Sanesecurity is
> back online with their custom ClamAV signatures.

Looking at this, I see that SS have added a set of definitions for the
spear phishing (spear.ndb).

Just a heads up as this should probably be an either/or with Julian's
recent spamassassin signature scripts.

Stef
--
Stefan Morrell | Operations Director
Tel: 0845 3452820 | Alpha Omega Computers Ltd
Fax: 0845 3452830 | Incorporating Level 5 Internet
stef@aoc-uk.com | stef@l5net.net

From NWL002 at shsu.edu Thu Jan 22 15:44:23 2009
From: NWL002 at shsu.edu (Laskie, Norman)
Date: Thu Jan 22 15:44:32 2009
Subject: Multiple SpamAssassin Rule Actions in ruleset not obeyed??
In-Reply-To:
References: <8FAC1E47484E43469AA28DBF35C955E42053248C4C@EXMBX.SHSU.EDU>
Message-ID: <8FAC1E47484E43469AA28DBF35C955E42053248C4D@EXMBX.SHSU.EDU>

It's a few revisions behind (forgot to include that, it's kinda annoying
me) from May or June of last year I believe.

MailScanner version 4.69.9

I'm not trying to do any of the fancy _TO_ substitution or anything like
that, just trying to quarantine based on our custom rule and Julian's
rule. Hopefully this does work with this version :) please say it's so.

Thanks,
Norman

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Kai Schaetzl Sent: Thursday, January 22, 2009 9:33 AM To: mailscanner@lists.mailscanner.info Subject: Re: Multiple SpamAssassin Rule Actions in ruleset not obeyed?? you are running the latest MS? Kai -- Kai Sch?tzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From ca35763+ms at realsimplemail.com Thu Jan 22 16:19:54 2009 From: ca35763+ms at realsimplemail.com (ca35763+ms@realsimplemail.com) Date: Thu Jan 22 16:21:01 2009 Subject: Sanesecurity ClamAV sigs are back. Yay! In-Reply-To: <69e2bee1391073eb6bbbeb861320632f.squirrel@mail.romehosting.com> References: <497839A8.8000104@ecs.soton.ac.uk> <69e2bee1391073eb6bbbeb861320632f.squirrel@mail.romehosting.com> Message-ID: On Thu, 22 Jan 2009, SuprDave wrote: > > I set this up last night but noticed that their subject line test fails. > Mail is delivered when placing the test signature in the subject line. > Did anyone else have the same results? When using clamd it quarantines the message OK. But when using clamav, the signature is detected by clamav but MailScanner lets it go through. This is the reason I changed to clamd! I noticed this started to happen with a change in December 2007. Tested with MailScanner-4.74.16-1 today. From Nikolaos.Pavlidis at beds.ac.uk Thu Jan 22 16:30:46 2009 
From: Nikolaos.Pavlidis at beds.ac.uk (Nikolaos Pavlidis) Date: Thu Jan 22 16:30:59 2009 Subject: Quarantined email testing/troubleshooting In-Reply-To: <49789F360200002700028929@gwiadom.oes.beds.ac.uk> References: <4978829702000027000288F0@gwiadom.oes.beds.ac.uk> <49789F360200002700028929@gwiadom.oes.beds.ac.uk> Message-ID: <49789F360200002700028929@gwiadom.oes.beds.ac.uk> Hello all, We seem to be facing a weird issue and we would appreciate any assistance with it. To start with, we are using a solaris + sendmail + MailScanner-4.73.4-2 implementation. Bayes database has been trained with lots of spam and some ham that got quarantined since the service went live. We have set mailscanner to separate the mail messages into q and d queue files so we can put false possitives back in the queue in a more quick and efficient manner. Spamassassin seemed to be putting automated Delivery Notifications to quarantine so we trained it back then (the single mail messages RFC822) to be ham. Now we have noticed that some Delivery notifications again get quarantined, only now we have the 2 part emails q and d files. When we do a test on them "spamassassin -t -p /etc/mail/MailScanner/spam.assassin.prefs.conf < d (or q)file" they both come less than 5.0 points(sometimes even -). Should the tests be performed in another way? Is the "cat qfile dfile | spamassassin -t -p ?/etc/mail/MailScanner/spam.assassin.prefs.conf" the appropriate way? When using sa-learn to teach SA which parameters should be used, should we feed the d file only? What else could be blocking/sending to quarantine these messages? I do apologise for the barrage of questions. Any help is much appreciated. Thank you in advance. Regards, Nik -- ? Nikolaos Pavlidis BSc (Hons) MBCS NCLP System Administrator University Of Bedfordshire Park Square LU1 3JU Luton, Beds, UK Tel: +441582489277 From MailScanner at ecs.soton.ac.uk Thu Jan 22 16:40:06 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 22 16:40:33 2009
Subject: Multiple SpamAssassin Rule Actions in ruleset not obeyed??
In-Reply-To: <8FAC1E47484E43469AA28DBF35C955E42053248C4C@EXMBX.SHSU.EDU>
References: <8FAC1E47484E43469AA28DBF35C955E42053248C4C@EXMBX.SHSU.EDU>
Message-ID: <4978A166.1000303@ecs.soton.ac.uk>

I never defined the behaviour you might see if you have *2* "default" rules in the same ruleset. I hate to think what might happen.

What you probably meant was this (all on one line)

FromOrTo: default SHSU_PHISH=>not-deliver,store-spam,forward postmaster@shsu.edu, JKF_ANTI_PHISH=>not-deliver,store,forward postmaster@shsu.edu

There should be a comma and a space between "...@shsu.edu" and "JKF_ANTI...".

On 22/1/09 14:47, Laskie, Norman wrote:
> I have the following two rules defined in spamassassin.rule.actions.rules, but it appears that when both are enabled the actions aren't obeyed. The messages in question still get tagged with the appropriate rule, but are still delivered to the end user (in this case me) and aren't forwarded onto the postmaster account.
>
> SpamAssassin Rule Actions = %rules-dir%/spamassassin.rule.actions.rules
>
> FromOrTo: default SHSU_PHISH=>not-deliver,store-spam,forward postmaster@shsu.edu
> FromOrTo: default JKF_ANTI_PHISH->not-deliver,store,forward postmaster@shsu.edu
>
>
> Oh yea, I hate phishers... HAHA
>
>
> Thanks in advance,
> Norman
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From MailScanner at ecs.soton.ac.uk Thu Jan 22 16:41:11 2009
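A lint pass for the ruleset problem discussed in the reply above, as an added example that is not part of MailScanner or of the original posts: it flags a second "default" line in a SpamAssassin Rule Actions ruleset and prints the single merged line. Treating "->" as a mistyped "=>" is an assumption based on the corrected line using "=>"; lint_ruleset and parse_value are hypothetical names, and the sample is the two-line ruleset from the thread.

```python
import re

# Constructed sample: the two-line ruleset quoted in the thread above.
SAMPLE_RULESET = """\
# %rules-dir%/spamassassin.rule.actions.rules
FromOrTo: default SHSU_PHISH=>not-deliver,store-spam,forward postmaster@shsu.edu
FromOrTo: default JKF_ANTI_PHISH->not-deliver,store,forward postmaster@shsu.edu
"""

# "Direction: pattern value", e.g. "FromOrTo: default RULE=>action,action"
LINE_RE = re.compile(r"^(\S+:)\s+(\S+)\s+(.+)$")
# A rule name followed by "->": assumed here to be a mistyped "=>".
ARROW_TYPO_RE = re.compile(r"^([A-Za-z0-9_]+)\s*->\s*(.*)$")


def parse_value(value):
    """Split 'RULE=>a,b, RULE2=>c' into [[rule, [actions]], ...] plus warnings."""
    pairs, warnings = [], []
    for token in (t.strip() for t in value.split(",")):
        if not token:
            continue
        typo = ARROW_TYPO_RE.match(token)
        if "=>" in token:
            rule, action = (part.strip() for part in token.split("=>", 1))
            pairs.append([rule, [action]])
        elif typo:
            warnings.append("%s uses '->' where '=>' is expected" % typo.group(1))
            pairs.append([typo.group(1), [typo.group(2).strip()]])
        elif pairs:
            pairs[-1][1].append(token)  # another action for the current rule
        else:
            warnings.append("action %r appears before any RULE=>" % token)
    return pairs, warnings


def lint_ruleset(text):
    """Return (warnings, merged_lines) for a SpamAssassin Rule Actions ruleset."""
    warnings, order, grouped = [], [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = LINE_RE.match(line)
        if not match:
            warnings.append("line %d: not 'Direction: pattern value'" % lineno)
            continue
        direction, pattern, value = match.groups()
        pairs, found = parse_value(value)
        warnings.extend("line %d: %s" % (lineno, w) for w in found)
        # Only 'default' lines are merged; other patterns keep one entry per line.
        if pattern.lower() == "default":
            key = (direction, pattern)
        else:
            key = (direction, pattern, lineno)
        if key in grouped:
            warnings.append("line %d: second '%s %s' line in the same ruleset"
                            % (lineno, direction, pattern))
        else:
            order.append(key)
            grouped[key] = []
        grouped[key].extend(pairs)
    merged = []
    for key in order:
        value = ", ".join("%s=>%s" % (rule, ",".join(actions))
                          for rule, actions in grouped[key])
        merged.append("%s %s %s" % (key[0], key[1], value))
    return warnings, merged


if __name__ == "__main__":
    problems, fixed = lint_ruleset(SAMPLE_RULESET)
    for problem in problems:
        print("WARN", problem)
    for line in fixed:
        print(line)
```
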
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 22 16:41:31 2009 Subject: Sanesecurity is back online In-Reply-To: <200901221536.n0MFZsnU005831@safir.blacknight.ie> References: <200901221536.n0MFZsnU005831@safir.blacknight.ie> Message-ID: <4978A1A7.3090408@ecs.soton.ac.uk> On 22/1/09 15:35, Stef Morrell wrote: > hi all, > > PSI Mailbag wrote: > >> In case any of you missed it last night, Sanesecurity is >> back online with their custom ClamAV signatures. >> > > Looking at this, I see that SS have added a set of definitions for the > spear phishing (spear.ndb). Just a heads up as this should probably be > an either/or with Julian's recent spamassassin signature scripts. > Why not just use both? Anyone know where sanesecurity are getting their data from? I am now using both and will continue to do so until I hear a good reason not to :-) Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Thu Jan 22 16:50:22 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jan 22 16:50:55 2009
Subject: Quarantined email testing/troubleshooting
In-Reply-To: <49789F360200002700028929@gwiadom.oes.beds.ac.uk>
References: <4978829702000027000288F0@gwiadom.oes.beds.ac.uk> <49789F360200002700028929@gwiadom.oes.beds.ac.uk> <49789F360200002700028929@gwiadom.oes.beds.ac.uk>
Message-ID: <4978A3CE.2070603@ecs.soton.ac.uk>

You can't just use df and/or qf files as if they were RFC822 messages. They're not. However, they *nearly* are, when used as a pair.

Many years ago (2002 is the date stamp on the file) I wrote a script which would take an entire quarantine directory (or a string of directory names) full of qf* and df* files, and generate an mbox file from them, which could then be simply fed to sa-learn with 1 command to learn the whole lot at one go by using the "--mbox" command-line option to sa-learn.

It's at www.mailscanner.info/files/4/df2mbox

It's a fairly simple shell script, I'm sure you can hack it around if you want to do something slightly different with it.

Usage example:
Say you have a quarantine directory /var/spool/MailScanner/quarantine/ and each of those subdirectories contains a whole bunch of qf and df files in the same directory. You can just do

cd /var/spool/MailScanner/quarantine
df2mbox *

and it will go and get on with it, and give you a pile of mbox files as a result.

I posted this to this mailing list back in 2002 as well, but I doubt anyone looks back that far. Don't worry, I'll let you off this time :-)

Hope that helps,
Jules.

On 22/1/09 16:30, Nikolaos Pavlidis wrote:
> Hello all,
>
> We seem to be facing a weird issue and we would appreciate any
> assistance with it.
> To start with, we are using a solaris + sendmail + MailScanner-4.73.4-2
> implementation. Bayes database has been trained with lots of spam and
> some ham that got quarantined since the service went live.
>
> We have set mailscanner to separate the mail messages into q and d queue
> files so we can put false positives back in the queue in a more quick
> and efficient manner. Spamassassin seemed to be putting automated
> Delivery Notifications to quarantine so we trained it back then (the
> single mail messages RFC822) to be ham.
>
> Now we have noticed that some Delivery notifications again get
> quarantined, only now we have the 2 part emails q and d files.
>
> When we do a test on them "spamassassin -t
> -p /etc/mail/MailScanner/spam.assassin.prefs.conf < d (or q)file"
> they both come less than 5.0 points(sometimes even -).
>
> Should the tests be performed in another way? Is the "cat qfile dfile |
> spamassassin -t -p /etc/mail/MailScanner/spam.assassin.prefs.conf" the
> appropriate way?
> When using sa-learn to teach SA which parameters should be used, should
> we feed the d file only?
> What else could be blocking/sending to quarantine these messages?
>
> I do apologise for the barrage of questions. Any help is much
> appreciated. Thank you in advance.
>
> Regards,
>
> Nik
>
>
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From yann.b at capensis.fr Thu Jan 22 16:50:46 2009
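How a qf/df pair becomes one message that spamassassin -t or sa-learn --mbox can read, as an added example that is not the df2mbox script mentioned in the reply above and not code from the original posts. The qf record letters used (H?flags?Header, S sender, T creation time in epoch seconds) are assumptions about sendmail's queue file format, the function names are hypothetical, and the sample pair is constructed.

```python
import email
import time

# Constructed sample of a sendmail queue pair for a bounce (null sender "S<>").
SAMPLE_QF = "\n".join([
    "V8",
    "T1232641846",
    "P30000",
    "S<>",
    "RPFD:<user@example.org>",
    "H??Received: from localhost (localhost [127.0.0.1])",
    "\tby mx.example.org with ESMTP id n0MGUk01001234;",
    "\tThu, 22 Jan 2009 16:30:46 GMT",
    "H??From: Mail Delivery Subsystem <MAILER-DAEMON@example.org>",
    "H?M?Message-Id: <200901221630.n0MGUk01001234@mx.example.org>",
    "H??Subject: Returned mail: see transcript for details",
    ".",
]) + "\n"
SAMPLE_DF = ("The original message was received at Thu, 22 Jan 2009\n"
             "From the queue: delivery failed.\n")


def qf_headers(qf_text):
    """Return the header lines stored in a qf file, without the H?flags? prefix."""
    lines, in_header = [], False
    for line in qf_text.splitlines():
        if line.startswith("H"):
            text = line[1:]
            if text.startswith("?"):                 # H?flags?Name: value
                end = text.find("?", 1)
                text = text[end + 1:] if end != -1 else text
            lines.append(text)
            in_header = True
        elif in_header and line[:1] in (" ", "\t"):
            lines.append(line)                       # folded continuation line
        else:
            in_header = False                        # any other record ends the header
    return lines


def envelope(qf_text):
    """Return (sender, created_epoch) from the S and T records."""
    sender, created = "MAILER-DAEMON", 0
    for line in qf_text.splitlines():
        if line.startswith("S"):
            # Delivery notifications carry the null sender "<>".
            sender = line[1:].strip().strip("<>") or "MAILER-DAEMON"
        elif line.startswith("T") and line[1:].isdigit():
            created = int(line[1:])
    return sender, created


def pair_to_mbox(qf_text, df_text):
    """Build one mbox entry: From_ line, headers from qf, blank line, body from df."""
    sender, created = envelope(qf_text)
    out = ["From %s %s" % (sender, time.asctime(time.gmtime(created)))]
    out.extend(qf_headers(qf_text))
    out.append("")                                   # header/body separator
    for line in df_text.splitlines():
        # Body lines starting with "From " would be read as a new mbox entry.
        out.append(">" + line if line.startswith("From ") else line)
    out.append("")                                   # blank line ends the entry
    return "\n".join(out) + "\n"


def parse_entry(entry):
    """Parse one mbox entry back into a Message (the From_ line is dropped)."""
    return email.message_from_string(entry.split("\n", 1)[1])


if __name__ == "__main__":
    print(pair_to_mbox(SAMPLE_QF, SAMPLE_DF), end="")
```
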
From: yann.b at capensis.fr (Yann Bachy)
Date: Thu Jan 22 16:52:19 2009
Subject: RFC problems ...
In-Reply-To: <49784BCD.2010109@ecs.soton.ac.uk>
References: <20090121173925.3k9h7m9zc4coks0g@horde.capen.sis> <49784BCD.2010109@ecs.soton.ac.uk>
Message-ID: <20090122175046.n9yt950r0ocogw0c@horde.capen.sis>

Hi

thanks for your help but I kind of solved the problem in the mean-time...

I'll explain what I did:

I activated the brokenrfc2231 option to get the following header:

--=_2qw5ii3ew2uo
Content-Type: application/vnd.oasis.opendocument.spreadsheet; name="=?utf-8?b?dMOpdMOpw6Aub2Rz?="; name*="utf-8''t%C3%A9t%C3%A9%C3%A0.ods"
Content-Disposition: attachment; filename="=?utf-8?b?dMOpdMOpw6Aub2Rz?="; filename*="utf-8''t%C3%A9t%C3%A9%C3%A0.ods"
Content-Transfer-Encoding: base64

then I changed the following file:
/var/www/horde/lib/Horde/MIME/Part.php

at the following block:

        /* Add any disposition parameter information, if available. */
        if (!empty($name)) {
            $encode_2231 = MIME::encodeRFC2231('filename', $name, $charset);
            /* Same broken RFC 2231 workaround as above. */
            if (!empty($GLOBALS['conf']['mailformat']['brokenrfc2231']) &&
                (strpos($encode_2231, '*=') !== false)) {
                $disp .= '; filename="' . MIME::encode($name, $charset) . '"';
            }
            #$disp .= '; ' . $encode_2231;
        }

I commented out the following line:

            #$disp .= '; ' . $encode_2231;

So I get a header that looks like the following:

--=_mjzeikmmlhk
Content-Type: application/vnd.oasis.opendocument.spreadsheet; name="=?utf-8?b?dMOpdMOpw6Aub2Rz?="; name*="utf-8''t%C3%A9t%C3%A9%C3%A0.ods"
Content-Disposition: attachment; filename="=?utf-8?b?dMOpdMOpw6Aub2Rz?="
Content-Transfer-Encoding: base64

now outlook will correctly read the filename, and mailscanner accepts to check the message...

Don't hesitate if you've got any further questions... or comments ;)

thanks anyway!

--
Yann Bachy

Quoting Julian Field :

> This will be a problem in MIME-tools, over which I don't really have
> any control.
> So I'm not quite sure what to suggest at this point. > > Can you put a sample message, demonstrating the problem, on the web > somewhere so I can download it and try it? > > On 21/1/09 16:54, Kai Schaetzl wrote: >> Yann Bachy wrote on Wed, 21 Jan 2009 17:39:25 +0100: >> >> >>> the problem I've got is that now MailScanner refuses to analyse the >>> message and blocks it automaticly ... is there anyone that has got an >>> idea? >>> >> >> short term: don't scan messages from your own server >> long term: Julian will need to have a look >> >> Also: in general it's better to stay with ASCII for *any* filename you >> create! Then you don't hit such a problem, anywhere. >> >> Kai >> >> > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > PGP public key: http://www.jules.fm/julesfm.asc > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From lists at tippingmar.com Thu Jan 22 17:03:41 2009 
From: lists at tippingmar.com (Mark Nienberg) Date: Thu Jan 22 17:03:56 2009 Subject: Sanesecurity is back online In-Reply-To: <4978A1A7.3090408@ecs.soton.ac.uk> References: <200901221536.n0MFZsnU005831@safir.blacknight.ie> <4978A1A7.3090408@ecs.soton.ac.uk> Message-ID: <4978A6ED.1030805@tippingmar.com> Julian Field wrote: > Why not just use both? Anyone know where sanesecurity are getting > their data from? > I am now using both and will continue to do so until I hear a good > reason not to :-) > > Jules > From the changes page at http://www.sanesecurity.com/clamav/changes.pdf spear.ndb: email spears/phishing, converted from http://code.google.com/p/antiphishing-email-reply/ Mark Nienberg From NWL002 at shsu.edu Thu Jan 22 17:13:35 2009 From: NWL002 at shsu.edu (Laskie, Norman) Date: Thu Jan 22 17:13:47 2009 Subject: Multiple SpamAssassin Rule Actions in ruleset not obeyed?? In-Reply-To: <4978A166.1000303@ecs.soton.ac.uk> References: <8FAC1E47484E43469AA28DBF35C955E42053248C4C@EXMBX.SHSU.EDU> <4978A166.1000303@ecs.soton.ac.uk> Message-ID: <8FAC1E47484E43469AA28DBF35C955E42053248C51@EXMBX.SHSU.EDU> Thank you. I'll try it in a few. I believe I tried before in MailScanner.conf but it didn't want to cooperate for some reason, but that was many moons ago and I have slept quite a bit since then. Thanks, Norman -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: Thursday, January 22, 2009 10:40 AM To: MailScanner discussion Subject: Re: Multiple SpamAssassin Rule Actions in ruleset not obeyed?? I never defined the behaviour you might see if you have *2* "default" rules in the same ruleset. I hate to think what might happen. What you probably meant was this (all on one line) FromOrTo: default SHSU_PHISH=>not-deliver,store-spam,forward postmaster@shsu.edu, JKF_ANTI_PHISH=>not-deliver,store,forward postmaster@shsu.edu There should be a comma and a space better "...@shsu.edu" and "JKF_ANTI...". On 22/1/09 14:47, Laskie, Norman wrote: > I have the following two rules defined in spamassassin.rule.actions.rules, but it appears that when both are enabled the actions aren't obeyed. The messages in question still get tagged with the appropriate rule, but are still delivered to the end user (in this case me) and aren't forwarded onto the postmaster account. > > SpamAssassin Rule Actions = %rules-dir%/spamassassin.rule.actions.rules > > FromOrTo: default SHSU_PHISH=>not-deliver,store-spam,forward postmaster@shsu.edu > FromOrTo: default JKF_ANTI_PHISH->not-deliver,store,forward postmaster@shsu.edu > > > Oh yea, I hate phishers... HAHA > > > Thanks in advance, > Norman > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From MailScanner at ecs.soton.ac.uk Thu Jan 22 17:21:55 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jan 22 17:22:17 2009 Subject: Sanesecurity is back online In-Reply-To: <4978A6ED.1030805@tippingmar.com> References: <200901221536.n0MFZsnU005831@safir.blacknight.ie> <4978A1A7.3090408@ecs.soton.ac.uk> <4978A6ED.1030805@tippingmar.com> Message-ID: <4978AB33.4090806@ecs.soton.ac.uk> On 22/1/09 17:03, Mark Nienberg wrote: > Julian Field wrote: >> Why not just use both? Anyone know where sanesecurity are getting >> their data from? >> I am now using both and will continue to do so until I hear a good >> reason not to :-) >> >> Jules >> > > From the changes page at http://www.sanesecurity.com/clamav/changes.pdf > > spear.ndb: email spears/phishing, converted from > http://code.google.com/p/antiphishing-email-reply/ Can't argue with that. :-) However, it is doing no harm and they are still working on the download script anyway, so hopefully it will become trivial to knock out the spear.ndb file from the download. On my systems, as I run clamd through BarricadeMX, it actually costs me less resources to have spear.ndb in place to knock out some mail so that SpamAssassin doesn't have to process the message at all. But it's not as good for my stats, so I'll pay for the extra load ;-) Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From maillists at conactive.com Thu Jan 22 17:31:20 2009 
From: maillists at conactive.com (Kai Schaetzl)
Date: Thu Jan 22 17:31:31 2009
Subject: Multiple SpamAssassin Rule Actions in ruleset not obeyed??
In-Reply-To: <8FAC1E47484E43469AA28DBF35C955E42053248C4D@EXMBX.SHSU.EDU>
References: <8FAC1E47484E43469AA28DBF35C955E42053248C4C@EXMBX.SHSU.EDU> <8FAC1E47484E43469AA28DBF35C955E42053248C4D@EXMBX.SHSU.EDU>
Message-ID:

Norman Laskie wrote on Thu, 22 Jan 2009 09:44:23 -0600:

> I'm not trying to do any of the fancy _TO_ substitution or anything
> like that, just trying to quarantine based on our custom rule and
> Julian's rule. Hopefully this does work with this version :) please
> say it's so.

I really don't know as I'm not using TO actions. Just know that quite a few people with older versions had problems with this option ;-) However, it seems there is another problem detailed in Julian's latest mail.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From mailscanner.list at romehosting.com Thu Jan 22 19:34:31 2009
From: mailscanner.list at romehosting.com (SuprDave) Date: Thu Jan 22 19:34:51 2009 Subject: ClamAV or ClamD? In-Reply-To: References: <497839A8.8000104@ecs.soton.ac.uk> <69e2bee1391073eb6bbbeb861320632f.squirrel@mail.romehosting.com> Message-ID: Currently using ClamAV. Any reason why I should not consider switching to ClamD? Dave Gattis > > On Thu, 22 Jan 2009, SuprDave wrote: >> >> I set this up last night but noticed that their subject line test fails. >> Mail is delivered when placing the test signature in the subject line. >> Did anyone else have the same results? > > When using clamd it quarantines the message OK. But when using clamav, > the signature is detected by clamav but MailScanner lets it go through. > This is the reason I changed to clamd! I noticed this started to happen > with a change in December 2007. Tested with MailScanner-4.74.16-1 today. > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From ecasarero at gmail.com Thu Jan 22 19:42:21 2009 
From: ecasarero at gmail.com (Eduardo Casarero) Date: Thu Jan 22 19:42:31 2009 Subject: ClamAV or ClamD? In-Reply-To: References: <497839A8.8000104@ecs.soton.ac.uk> <69e2bee1391073eb6bbbeb861320632f.squirrel@mail.romehosting.com> Message-ID: <7d9b3cf20901221142j26582907hc3e05a685d316c1a@mail.gmail.com> 2009/1/22 SuprDave > Currently using ClamAV. Any reason why I should not consider switching to > ClamD? > Dave Gattis > > None! i will speed up your server a lot!! just have some script checking if clamd is alive. > > > > > On Thu, 22 Jan 2009, SuprDave wrote: > >> > >> I set this up last night but noticed that their subject line test fails. > >> Mail is delivered when placing the test signature in the subject line. > >> Did anyone else have the same results? > > > > When using clamd it quarantines the message OK. But when using clamav, > > the signature is detected by clamav but MailScanner lets it go through. > > This is the reason I changed to clamd! I noticed this started to happen > > with a change in December 2007. Tested with MailScanner-4.74.16-1 today. > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090122/e90df24b/attachment.html From ja at conviator.com Thu Jan 22 20:19:32 2009 
From: ja at conviator.com (Jan Agermose) Date: Thu Jan 22 20:19:53 2009 Subject: ClamAV or ClamD? In-Reply-To: <7d9b3cf20901221142j26582907hc3e05a685d316c1a@mail.gmail.com> References: <497839A8.8000104@ecs.soton.ac.uk><69e2bee1391073eb6bbbeb861320632f.squirrel@mail.romehosting.com> <7d9b3cf20901221142j26582907hc3e05a685d316c1a@mail.gmail.com> Message-ID: hi I just started using clamd - what problems are there since you are writing "to check its alive"? Is there are script to this by the way if its a general problem?` Regards Jan From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Eduardo Casarero 2009/1/22 SuprDave Currently using ClamAV. Any reason why I should not consider switching to ClamD? Dave Gattis None! i will speed up your server a lot!! just have some script checking if clamd is alive. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090122/ff9d4300/attachment.html From Denis.Beauchemin at USherbrooke.ca Thu Jan 22 20:41:44 2009 
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Thu Jan 22 20:42:02 2009
Subject: ClamAV or ClamD?
In-Reply-To:
References: <497839A8.8000104@ecs.soton.ac.uk><69e2bee1391073eb6bbbeb861320632f.squirrel@mail.romehosting.com> <7d9b3cf20901221142j26582907hc3e05a685d316c1a@mail.gmail.com>
Message-ID: <4978DA08.4040006@USherbrooke.ca>

Jan Agermose wrote:
>
> hi
>
> I just started using clamd - what problems are there since you are
> writing "to check its alive"? Is there are script to this by the way
> if its a general problem?`
>

Jan,

Until I started using the fetch-sanesecurity-sigs script I had no failure of clamd but now my script that checks if clamd is alive has restarted it on many MS servers. I don't really understand what makes it die because when I do the "kill -USR2 pid" by hand everything works just fine...

Basically, the script makes sure there is a clamd process running (by looking at the PID written in /var/.../clamd.pid) and restarts it if there is none. I run this script in root's crontab every minute. Very small overhead.

I know there are numerous free monitoring solutions on the net but I prefer my own ;)

Denis

--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x62252 F: 819.821.8045

From max at assuredata.com Thu Jan 22 21:27:52 2009
From: max at assuredata.com (Max Kipness) Date: Thu Jan 22 21:29:28 2009 Subject: Bayes expire files? Message-ID: <11375BD8FE838A409E10DB32B9BFFE9B19FB04@addc01.assuredata.local> After looking at what is taking up so much space on our server, I found out that I have 7GB in the .spamassassin directory, most being bayes_toks.expirexxx files. When looking up info on these files I'm unable to determine whether these can be deleted or not. Does the sa-learn --force-expire remove these files from disk or create these files? Can they be deleted without affecting the spam detection rate? This server seems to be tuned really well at the moment. Thanks, Max -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090122/45c65a63/attachment-0001.html From spamlists at coders.co.uk Thu Jan 22 23:11:50 2009 
From: spamlists at coders.co.uk (Matt)
Date: Thu Jan 22 23:13:47 2009
Subject: MS/perl segfaults
In-Reply-To:
References: <49186B27.2060809@ecs.soton.ac.uk> <4971E515.6070703@ecs.soton.ac.uk> <625385e30901170714x157ae096q7a03d9c78ccb13e7@mail.gmail.com> <49723C6A.4030308@ecs.soton.ac.uk>
Message-ID: <4978FD36.9090300@coders.co.uk>

David Lee wrote:
>
> So suppose we continue to model this using "timestamp in a database"
> thinking, but actually store, read and process those timestamps in the
> inbound file itself. I realise that this implementation detail will
> be MTA-specific, but I think that might slot cleanly into MS's
> existing MTA-specific code. (Julian?)
>

Personally I think that a database (sqlite) would be more appropriate as we DO NOT KNOW what is causing the fault - reading the file from disk could be causing it.

As we got hit by this yesterday (unfortunately the queue didn't get saved as a colleague resolved it as I was in hospital with my little boy :-( ).

My thinking would be record in a table a , when a message batch is started. When a message is placed in the delivery queue ALL records are deleted.

If a message gets three or more entries in the table - delay its processing by a random amount of time between (say 3-9) minutes multiplied by the number of failures to try and ensure that it moves around batches. This should ensure that the message with the failure should repeatedly end up in a different batch.

Benefits:
Does not rely on a file timestamp - simply on the failure count and then a random delay.
Should cope with multiple files causing failure.
Files likely to be causing failures rapidly get backed off from processing and should ensure mail continues to flow.

Negatives:
Causes valid email in a failure batch to be backed off - however multiplying by a random number should cause them to be processed in a separate batch
Requires a database - however the cache already uses sqlite.

matt

From ssilva at sgvwater.com Fri Jan 23 00:58:29 2009
From: ssilva at sgvwater.com (Scott Silva) Date: Fri Jan 23 00:58:58 2009 Subject: ClamAV or ClamD? In-Reply-To: References: <497839A8.8000104@ecs.soton.ac.uk> <69e2bee1391073eb6bbbeb861320632f.squirrel@mail.romehosting.com> Message-ID: on 1-22-2009 11:34 AM SuprDave spake the following: > Currently using ClamAV. Any reason why I should not consider switching to > ClamD? > Dave Gattis Your multi core mega memory server is soo powerful that you don't need the extra horsepower for something else. ;-P In other words, it is ultimately worth it to go to clamd. Your server will thank you. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 258 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090122/7d187281/signature.bin From a.peacock at chime.ucl.ac.uk Fri Jan 23 08:24:48 2009 
From: a.peacock at chime.ucl.ac.uk (Anthony Peacock)
Date: Fri Jan 23 08:25:04 2009
Subject: Bayes expire files?
In-Reply-To: <11375BD8FE838A409E10DB32B9BFFE9B19FB04@addc01.assuredata.local>
References: <11375BD8FE838A409E10DB32B9BFFE9B19FB04@addc01.assuredata.local>
Message-ID: <49797ED0.2020303@chime.ucl.ac.uk>

Hi,

Max Kipness wrote:
> After looking at what is taking up so much space on our server, I found
> out that I have 7GB in the .spamassassin directory, most being
> bayes_toks.expirexxx files. When looking up info on these files I'm
> unable to determine whether these can be deleted or not. Does the
> sa-learn --force-expire remove these files from disk or create these
> files? Can they be deleted without affecting the spam detection rate?
> This server seems to be tuned really well at the moment.

These are an indication that your Bayes expiry processes are regularly failing. They are left behind when an expiry run does not finish, due to timeouts or not being able to get a R/W lock on the Bayes database.

You can safely delete these files. However, you should probably tune your system so that Bayes expiry runs are not failing on a regular basis.

I would disable automatic expiry in the MailScanner.conf config file, and then set up a daily expiry run in crontab to run at a relatively quiet period for your servers.

In MailScanner.conf...

Rebuild Bayes Every = 0

In one of your spamassassin config files (either spam.assassin.prefs.conf or local.cf)...

bayes_auto_expire 0

Then you can add the following command to your crontab...

sa-learn --force-expire

I run that once a day at 22:00, which for my servers is a fairly quiet time.

--
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW: http://www.chime.ucl.ac.uk/~rmhiajp/
Study Health Informatics - Modular Postgraduate Degree
http://www.chime.ucl.ac.uk/study-health-informatics/

From maillists at conactive.com Fri Jan 23 08:31:16 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri Jan 23 08:31:32 2009
Subject: MS/perl segfaults
In-Reply-To: <4978FD36.9090300@coders.co.uk>
References: <49186B27.2060809@ecs.soton.ac.uk> <4971E515.6070703@ecs.soton.ac.uk> <625385e30901170714x157ae096q7a03d9c78ccb13e7@mail.gmail.com> <49723C6A.4030308@ecs.soton.ac.uk> <4978FD36.9090300@coders.co.uk>
Message-ID:

Matt wrote on Thu, 22 Jan 2009 23:11:50 +0000:

> Personally i think that a database (sqlite) would be more appropriate as
> we DO NOT KNOW what is causing the fault - reading the file from disk
> could be causing it.

It's surely the most reliable, yes. This feature should be optional and off by default, though.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Fri Jan 23 08:31:16 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri Jan 23 08:31:33 2009
Subject: Bayes expire files?
In-Reply-To: <11375BD8FE838A409E10DB32B9BFFE9B19FB04@addc01.assuredata.local>
References: <11375BD8FE838A409E10DB32B9BFFE9B19FB04@addc01.assuredata.local>
Message-ID:

Max Kipness wrote on Thu, 22 Jan 2009 15:27:52 -0600:

> After looking at what is taking up so much space on our server, I found
> out that I have 7GB in the .spamassassin directory, most being
> bayes_toks.expirexxx files. When looking up info on these files I'm
> unable to determine whether these can be deleted or not. Does the
> sa-learn --force-expire remove these files from disk or create these
> files?

Neither. These are normally created by an expiry run that gets started
during normal operation and where SA times out. It's the new unfinished
database that would have replaced the old one. Have you switched off
auto expiry both in MailScanner.conf and spamassassin.prefs.conf?
Just to see that it works fine I suggest doing a manual expire run with
the -D switch, so you see if it works and how long it takes (e.g. if it
needs to go into "guessing mode").

> Can they be deleted without affecting the spam detection rate?

Yes.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From steveb_clamav at sanesecurity.com Fri Jan 23 09:25:18 2009
From: steveb_clamav at sanesecurity.com (Steve Basford)
Date: Fri Jan 23 09:28:35 2009
Subject: Sanesecurity Signatures and MailScanner
Message-ID: <37166.93.97.28.110.1232702718.squirrel@saturn.dataflame.net>

Just a forward from the sanesecurity mailing list... on hopefully how
to get header test #2 working.

Any result feedback would be great :)

Cheers,

Steve
Sanesecurity

---- Forward ----

Hi All,

After much head scratching.. and the help of those who pasted the
headers... I can reproduce the failed test #2 :)

http://sanesecurity.co.uk/usage.htm (Scroll down page)

And it means that the detection rates on some people's systems may not
be as good as they should have been.

As some people guessed it's all down to the header formation and a file
called .ftm.

ClamAV has a file distributed which helps the engine decide what type
of file the email and/or attachments are.

You can see the file, by doing this:

sigtool --unpack-current=daily

If you look for daily.ftm and look for this line:

0:0:52656365697665643a20:Raw mail:CL_TYPE_ANY:CL_TYPE_MAIL

It means that if ClamAV sees "Received:" as THE FIRST LINE then it sets
the scanning type to "Mail" (type 4 signatures)

The problem seems to be that in the undetected examples, the FIRST LINE
isn't "Received:" but "X-Received-From-Address:". ClamAV doesn't have
this type in its database, so it takes a "guess" :)

As a work-around... could people who had problems with detecting
TEST #2, do the following:

Copy the following lines into a file called sanesecurity.ftm and copy
the file, into the same data area as the rest of the signatures:

------ line to copy -------
0:0:582d52656365697665642d46726f6d2d416464726573733a:MailScanner:CL_TYPE_ANY:CL_TYPE_MAIL
0:0:582d456e76656c6f70652d546f3a:MailScanner2:CL_TYPE_ANY:CL_TYPE_MAIL
0:0:582d5370616d2d436865636b65722d56657273696f6e3a:MailScanner3:CL_TYPE_ANY:CL_TYPE_MAIL
------ line to copy -------

If this works, let me know.

If it doesn't work.. please post the FIRST LINE of the email that you
receive undetected.

If we can get a list of headers, I'll then pass them onto ClamAV team.

Cheers and thanks for everyone's help on this one... it's been a big
puzzle.

Steve
Sanesecurity

From rvdmerwe at mhg.co.za Fri Jan 23 10:00:34 2009
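Added example, not part of Steve Basford's message and not ClamAV code: it decodes the four .ftm lines quoted above, rebuilds one of the work-around lines from its header name, and shows why a message whose first line is "X-Received-From-Address:" misses the stock "Raw mail" rule. The field labels, the sample messages and the simplified matcher (magictype 0 at a fixed numeric offset only; None stands in for ClamAV's "guess") are assumptions of the example.

```python
"""Decode ClamAV .ftm file-type rules and test them against a message."""
from typing import Iterable, NamedTuple, Optional


class FtmRule(NamedTuple):
    # Field labels are chosen for this example; the page shows only values.
    magictype: int  # 0 in every rule on the page: compare raw bytes
    offset: int     # 0 means the very first byte of the scanned data
    magic: bytes    # hex-decoded bytes that must sit at that offset
    name: str       # free-text label, e.g. "Raw mail"
    required: str   # CL_TYPE_ANY in every rule on the page
    detected: str   # type assigned on a match, e.g. CL_TYPE_MAIL


# Rule quoted from daily.ftm in the message above.
STOCK_RULES = ["0:0:52656365697665643a20:Raw mail:CL_TYPE_ANY:CL_TYPE_MAIL"]

# The three work-around rules from the message above.
WORKAROUND_RULES = [
    "0:0:582d52656365697665642d46726f6d2d416464726573733a:"
    "MailScanner:CL_TYPE_ANY:CL_TYPE_MAIL",
    "0:0:582d456e76656c6f70652d546f3a:MailScanner2:CL_TYPE_ANY:CL_TYPE_MAIL",
    "0:0:582d5370616d2d436865636b65722d56657273696f6e3a:"
    "MailScanner3:CL_TYPE_ANY:CL_TYPE_MAIL",
]


def parse_ftm_line(line: str) -> FtmRule:
    """Split one rule into fields and hex-decode its magic bytes."""
    fields = line.strip().split(":")
    if len(fields) < 6:
        raise ValueError(f"expected 6 colon-separated fields: {line!r}")
    magictype, offset, hexmagic, name, required, detected = fields[:6]
    if not (magictype.isdigit() and offset.isdigit()):
        # Only the fixed-offset form shown on the page is handled here.
        raise ValueError(f"unsupported magictype/offset in: {line!r}")
    return FtmRule(int(magictype), int(offset), bytes.fromhex(hexmagic),
                   name, required, detected)


def make_ftm_line(header_name: str, rule_name: str) -> str:
    """Build a rule shaped like the work-around lines for one header name."""
    magic = (header_name + ":").encode("ascii").hex()
    return f"0:0:{magic}:{rule_name}:CL_TYPE_ANY:CL_TYPE_MAIL"


def detect_type(data: bytes, rule_lines: Iterable[str]) -> Optional[str]:
    """Return the type of the first rule whose magic matches, else None."""
    for line in rule_lines:
        rule = parse_ftm_line(line)
        if rule.magictype != 0:
            continue
        end = rule.offset + len(rule.magic)
        if data[rule.offset:end] == rule.magic:
            return rule.detected
    return None


# Constructed sample messages (not taken from the page).
PLAIN_MESSAGE = (b"Received: from mx.example.org by gw.example.net\r\n"
                 b"Subject: test\r\n\r\nbody\r\n")
MAILSCANNER_MESSAGE = b"X-Received-From-Address: 192.0.2.10\r\n" + PLAIN_MESSAGE

if __name__ == "__main__":
    for text in STOCK_RULES + WORKAROUND_RULES:
        rule = parse_ftm_line(text)
        print(f"{rule.name:13} -> {rule.magic!r} at offset {rule.offset}")
    print("stock rules only :", detect_type(MAILSCANNER_MESSAGE, STOCK_RULES))
    print("with work-around :",
          detect_type(MAILSCANNER_MESSAGE, STOCK_RULES + WORKAROUND_RULES))
```

Note that the stock magic decodes to "Received: " with a trailing space, so the match is on the first bytes of the file, not on the header appearing anywhere in the message.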
From: rvdmerwe at mhg.co.za (Rabie Van der Merwe)
Date: Fri Jan 23 10:44:11 2009
Subject: Email causing MailScanner to go defunct.
Message-ID: <2f130bce-e934-11dd-93f1-0004e2e@rocketseed.mhg.co.za>

Hi,

I am running 4.72.5 on CentOS 5.2 x86_64 and have a message that seems
to be causing MailScanner processes to become defunct and restart. There
doesn't seem to be any logs related to the issue, all I get is this:

Jan 20 05:29:55 cptmgw04 MailScanner[28794]: Message A15D1A35877.3A028 from 196.35.198.132 (jeld1069@us.army.mil) to mhg.co.za is too big for spam checks (493927 > 150000 bytes)

This is a spam or virus message so I'm not too concerned about the
message itself, should I get it to the list, or rather is there not
some mode I can run MS in just on this email?

Regards
Rabie van der Merwe
Infrastructure Architect

**********************************************************************
--------- NOTICE ---------
This message (including attachments) contains privileged and
confidential information intended only for the person or entity to
which it is addressed. Any review, retransmission, dissemination, copy
or other use of, or taking of any action in reliance upon this
information by persons or entities other than the intended recipient,
is prohibited. If you received this message in error, please notify the
sender immediately by e-mail, facsimile or telephone and thereafter
delete the material from any computer. Metropolitan Health Group, its
subsidiaries or associates, does not accept liability for any personal
views expressed in this message.

Metropolitan Health Group
PO Box 4313 Cape Town 8000
Tel: (021) 480 4511 Fax: (021) 480 4535
www.mhg.co.za
**********************************************************************
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090123/2e9354cd/attachment.html

From simonmjones at gmail.com Fri Jan 23 11:04:32 2009
From: simonmjones at gmail.com (Simon Jones)
Date: Fri Jan 23 11:04:41 2009
Subject: segfault
Message-ID: <70572c510901230304y13eca301od231c4cd175f3f10@mail.gmail.com>

Hi all, having a bit of performance trouble with one of my mailscanner
gateways and noticed the following in /var/log/messages - it's
repeating quite a lot too. I have exactly the same system running
mailscanner OK in the same distributed configuration.

o/s details;

Centos 5 x64
2.6.18-8.el5 #1 SMP Thu Mar 15 19:46:53 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux

error messages in /var/log/messages;

Jan 23 10:45:07 mailgate1 kernel: MailScanner[20039]: segfault at 00007fffafc9df23 rip 00000039b78de8ad rsp 00007fffafc9dea0 error 6
Jan 23 10:45:10 mailgate1 MailScanner: Process did not exit cleanly, returned 0 with signal 11

Simon

From list-mailscanner at linguaphone.com Fri Jan 23 11:21:52 2009
From: list-mailscanner at linguaphone.com (Gareth)
Date: Fri Jan 23 11:22:09 2009
Subject: Free antivirus software
Message-ID: <1232709712.25957.32.camel@gblades-suse.linguaphone-intranet.co.uk>

Currently at home I am running clamav 0.94.2, bitdefender 7.5.4 and
f-prot 4.6.7.
I am running MailScanner 4.70.7-1

I am looking for suggestions for other free antivirus I could be running
(personal use only is fine as it's a home server)

A summary of what I have found so far :-

Clamav
------
Is there anyone who doesn't use it!

Bitdefender
-----------
Used 7.1.3 at work and it worked fine. 7.5.4 that I use at home works
fine but the update script doesn't work and just says no updates
available and you are protected from -5 viruses. I just run 'bdscan
--update' from cron so not a problem.

Don't know the version number of the current version which you can
request a license for at :-
http://www.bitdefender.com/PRODUCT-80-en--BitDefender-Antivirus-Scanner-for-Unices.html
Version 7.6 is currently at beta 3 and it looks like the beta program
finished a couple of days ago.
Anyone know if this new version can be used with mailscanner?
It looks to have a graphical interface so I suppose it depends if it
has a command line option.

F-Prot
------
I need to upgrade to 6.0.2 from
http://www.f-prot.com/download/home_user/download_fplinux.html

AVG
---
Version 7.5 is available from http://free.avg.com/download?prd=afl and
appears to be supported by MailScanner.

AVAST
-----
Linux version 1.3 available from
http://www.avast.com/eng/download-avast-for-linux-edition.html
Looks to be supported by MailScanner.

Panda
-----
Version 7.01 available from
http://www.pandasoftware.com/download/linux/linux.asp
Looks to be supported by MailScanner.

Have I missed any?
Any feedback as to how well they work and if the latest versions work
with MailScanner would be appreciated.

Thanks
Gareth

From steve.swaney at fsl.com Fri Jan 23 12:03:09 2009
From: steve.swaney at fsl.com (Stephen Swaney)
Date: Fri Jan 23 12:03:21 2009
Subject: segfault
In-Reply-To: <70572c510901230304y13eca301od231c4cd175f3f10@mail.gmail.com>
References: <70572c510901230304y13eca301od231c4cd175f3f10@mail.gmail.com>
Message-ID: <4979B1FD.9030603@fsl.com>

Simon Jones wrote:
> Hi all, having a bit of performance trouble with one of my mailscanner
> gateways and noticed the following in /var/log/messages - it's
> repeating quite a lot too. I have exactly the same system running
> mailscanner OK in the same distributed configuration.
>
> o/s details;
>
> Centos 5 x64
> 2.6.18-8.el5 #1 SMP Thu Mar 15 19:46:53 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux
>
> error messages in /var/log/messages;
>
> Jan 23 10:45:07 mailgate1 kernel: MailScanner[20039]: segfault at
> 00007fffafc9df23 rip 00000039b78de8ad rsp 00007fffafc9dea0 error 6
> Jan 23 10:45:10 mailgate1 MailScanner: Process did not exit cleanly,
> returned 0 with signal 11
>
> Simon
>

Simon,

I just saw the same problem yesterday but with a CentOS 4.7 system
running the current version of MailScanner. I ran `yum update` and
rebooted and the problem went away. Sorry but I haven't had time to
investigate further to see what was causing the problem. I may get
around to it later today.

Steve

--
Steve Swaney
steve@fsl.com
www.fsl.com
The most accurate and cost effective anti-spam solutions available
-------------- next part --------------
A non-text attachment was scrubbed...
Name: steve_swaney.vcf
Type: text/x-vcard
Size: 305 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090123/07ccc7a5/steve_swaney.vcf

From maillists at conactive.com Fri Jan 23 12:19:01 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri Jan 23 12:19:11 2009
Subject: Email causing MailScanner to go defunct.
In-Reply-To: <2f130bce-e934-11dd-93f1-0004e2e@rocketseed.mhg.co.za>
References: <2f130bce-e934-11dd-93f1-0004e2e@rocketseed.mhg.co.za>
Message-ID:

Rabie Van der Merwe wrote on Fri, 23 Jan 2009 12:00:34 +0200:

> I am running 4.72.5 on CentOS 5.2 x86_64 and have a message that seems
> to be causing MailScanner processes to become defunct and restart. There
> doesn't seem to be any logs related to the issue, all I get is this:
>
> Jan 20 05:29:55 cptmgw04 MailScanner[28794]: Message A15D1A35877.3A028
> from 196.35.198.132 (jeld1069@us.army.mil) to mhg.co.za is too big for
> spam checks (493927 > 150000 bytes)

Now that I look, just got one a few minutes ago. I don't see that this
created any problems for MS, but it delivered with a score of 0.0 which
may indicate that it didn't scan it, don't know (it's not spam). It
should sure hand over the first 200.000 bytes (in my case) to SA and not
just skip it. Jules?

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From simonmjones at gmail.com Fri Jan 23 12:39:10 2009
From: simonmjones at gmail.com (Simon Jones)
Date: Fri Jan 23 12:39:18 2009
Subject: segfault
In-Reply-To: <4979B1FD.9030603@fsl.com>
References: <70572c510901230304y13eca301od231c4cd175f3f10@mail.gmail.com> <4979B1FD.9030603@fsl.com>
Message-ID: <70572c510901230439l3380632dkccc4e5d9bfdc11bb@mail.gmail.com>

2009/1/23 Stephen Swaney :
> Simon Jones wrote:
>>
>> Hi all, having a bit of performance trouble with one of my mailscanner
>> gateways and noticed the following in /var/log/messages - it's
>> repeating quite a lot too. I have exactly the same system running
>> mailscanner OK in the same distributed configuration.
>>
>> o/s details;
>>
>> Centos 5 x64
>> 2.6.18-8.el5 #1 SMP Thu Mar 15 19:46:53 EDT 2007 x86_64 x86_64 x86_64
>> GNU/Linux
>>
>> error messages in /var/log/messages;
>>
>> Jan 23 10:45:07 mailgate1 kernel: MailScanner[20039]: segfault at
>> 00007fffafc9df23 rip 00000039b78de8ad rsp 00007fffafc9dea0 error 6
>> Jan 23 10:45:10 mailgate1 MailScanner: Process did not exit cleanly,
>> returned 0 with signal 11
>>
>> Simon
>>
>
> Simon,
>
> I just saw the same problem yesterday but with a CentOS 4.7 system running
> the current version of MailScanner. I ran `yum update` and rebooted and the
> problem went away. Sorry but I haven't had time to investigate further to
> see what was causing the problem. I may get around to it later today.
>
> Steve
> --
>
> Steve Swaney
> steve@fsl.com
> www.fsl.com
>

ok thanks mate, I'm doing an update now - see if that sorts it. has
anyone else noticed a shed load more spam recently? my gateways are
running full bore right now, they've been stable for months but the
last couple o days has seen stacked hold queues and slow-ups which I
can only really put down to sheer volume of spam being processed.

From simonmjones at gmail.com Fri Jan 23 12:49:07 2009
From: simonmjones at gmail.com (Simon Jones)
Date: Fri Jan 23 12:49:15 2009
Subject: segfault
In-Reply-To: <70572c510901230439l3380632dkccc4e5d9bfdc11bb@mail.gmail.com>
References: <70572c510901230304y13eca301od231c4cd175f3f10@mail.gmail.com> <4979B1FD.9030603@fsl.com> <70572c510901230439l3380632dkccc4e5d9bfdc11bb@mail.gmail.com>
Message-ID: <70572c510901230449p4e517far28f76b431ae2b20e@mail.gmail.com>

2009/1/23 Simon Jones :
> 2009/1/23 Stephen Swaney :
>> Simon Jones wrote:
>>>
>>> Hi all, having a bit of performance trouble with one of my mailscanner
>>> gateways and noticed the following in /var/log/messages - it's
>>> repeating quite a lot too. I have exactly the same system running
>>> mailscanner OK in the same distributed configuration.
>>>
>>> o/s details;
>>>
>>> Centos 5 x64
>>> 2.6.18-8.el5 #1 SMP Thu Mar 15 19:46:53 EDT 2007 x86_64 x86_64 x86_64
>>> GNU/Linux
>>>
>>> error messages in /var/log/messages;
>>>
>>> Jan 23 10:45:07 mailgate1 kernel: MailScanner[20039]: segfault at
>>> 00007fffafc9df23 rip 00000039b78de8ad rsp 00007fffafc9dea0 error 6
>>> Jan 23 10:45:10 mailgate1 MailScanner: Process did not exit cleanly,
>>> returned 0 with signal 11
>>>
>>> Simon
>>>
>>
>> Simon,
>>
>> I just saw the same problem yesterday but with a CentOS 4.7 system running
>> the current version of MailScanner. I ran `yum update` and rebooted and the
>> problem went away. Sorry but I haven't had time to investigate further to
>> see what was causing the problem. I may get around to it later today.
>>
>> Steve
>> --
>>
>> Steve Swaney
>> steve@fsl.com
>> www.fsl.com
>>
> ok thanks mate, I'm doing an update now - see if that sorts it. has
> anyone else noticed a shed load more spam recently? my gateways are
> running full bore right now, they've been stable for months but the
> last couple o days has seen stacked hold queues and slow-ups which I
> can only really put down to sheer volume of spam being processed.
>

YUP, the update seems to have sorted the errors in /var/log/messages -
both gateways still running like a dog though.

From list-mailscanner at linguaphone.com Fri Jan 23 12:44:19 2009
From: list-mailscanner at linguaphone.com (Gareth)
Date: Fri Jan 23 13:15:25 2009
Subject: segfault
In-Reply-To: <70572c510901230439l3380632dkccc4e5d9bfdc11bb@mail.gmail.com>
References: <70572c510901230304y13eca301od231c4cd175f3f10@mail.gmail.com> <4979B1FD.9030603@fsl.com> <70572c510901230439l3380632dkccc4e5d9bfdc11bb@mail.gmail.com>
Message-ID: <1232714659.25948.38.camel@gblades-suse.linguaphone-intranet.co.uk>

On Fri, 2009-01-23 at 12:39, Simon Jones wrote:
> ok thanks mate, I'm doing an update now - see if that sorts it. has
> anyone else noticed a shed load more spam recently? my gateways are
> running full bore right now, they've been stable for months but the
> last couple o days has seen stacked hold queues and slow-ups which I
> can only really put down to sheer volume of spam being processed.

I haven't seen any noticeable rise however the new large botnet which
has got some mainstream news coverage recently could well be increasing
the amount of spam being sent out.

From glenn.steen at gmail.com Fri Jan 23 13:26:18 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Jan 23 13:26:28 2009
Subject: Free antivirus software
In-Reply-To: <1232709712.25957.32.camel@gblades-suse.linguaphone-intranet.co.uk>
References: <1232709712.25957.32.camel@gblades-suse.linguaphone-intranet.co.uk>
Message-ID: <223f97700901230526o61896bcdv84df2fec8e473bdc@mail.gmail.com>

2009/1/23 Gareth :
> Currently at home I am running clamav 0.94.2, bitdefender 7.5.4 and
> f-prot 4.6.7.
> I am running MailScanner 4.70.7-1
>
> I am looking for suggestions for other free antivirus I could be running
> (personal use only is fine as it's a home server)
>
> A summary of what I have found so far :-
>
> Clamav
> ------
> Is there anyone who doesn't use it!
>
> Bitdefender
> -----------
> Used 7.1.3 at work and it worked fine. 7.5.4 that I use at home works
> fine but the update script doesn't work and just says no updates
> available and you are protected from -5 viruses. I just run 'bdscan
> --update' from cron so not a problem.
>
> Don't know the version number of the current version which you can
> request a license for at :-
> http://www.bitdefender.com/PRODUCT-80-en--BitDefender-Antivirus-Scanner-for-Unices.html
> Version 7.6 is currently at beta 3 and it looks like the beta program
> finished a couple of days ago.
> Anyone know if this new version can be used with mailscanner?
> It looks to have a graphical interface
> so I suppose it depends if it has a command line option.
>
> F-Prot
> ------
> I need to upgrade to 6.0.2 from
> http://www.f-prot.com/download/home_user/download_fplinux.html
>
> AVG
> ---
> Version 7.5 is available from http://free.avg.com/download?prd=afl and
> appears to be supported by MailScanner.
>
> AVAST
> -----
> Linux version 1.3 available from
> http://www.avast.com/eng/download-avast-for-linux-edition.html
> Looks to be supported by MailScanner.
>
> Panda
> -----
> Version 7.01 available from
> http://www.pandasoftware.com/download/linux/linux.asp
> Looks to be supported by MailScanner.
>
>
> Have I missed any?
> Any feedback as to how well they work and if the latest versions work
> with MailScanner would be appreciated.
>
> Thanks
> Gareth
>

Avira (http://www.free-av.com/en/download/download_servers.php ...
formerly Antivir) should work well for personal use too.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Fri Jan 23 13:34:54 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Jan 23 13:35:04 2009
Subject: Email causing MailScanner to go defunct.
In-Reply-To:
References: <2f130bce-e934-11dd-93f1-0004e2e@rocketseed.mhg.co.za>
Message-ID: <223f97700901230534x2bc23deel8a4b5e966223d11f@mail.gmail.com>

2009/1/23 Kai Schaetzl :
> Rabie Van der Merwe wrote on Fri, 23 Jan 2009 12:00:34 +0200:
>
>> I am running 4.72.5 on CentOS 5.2 x86_64 and have a message that seems
>> to be causing MailScanner processes to become defunct and restart. There
>> doesn't seem to be any logs related to the issue, all I get is this:
>>
>> Jan 20 05:29:55 cptmgw04 MailScanner[28794]: Message A15D1A35877.3A028
>> from 196.35.198.132 (jeld1069@us.army.mil) to mhg.co.za is too big for
>> spam checks (493927 > 150000 bytes)
>
> Now that I look, just got one a few minutes ago. I don't see that this
> created any problems for MS, but it delivered with a score of 0.0 which
> may indicate that it didn't scan it, don't know (it's not spam). It should
> sure hand over the first 200.000 bytes (in my case) to SA and not just
> skip it. Jules?
>
> Kai
>

Look at the setting "Max Spam Check Size", and the comment above it.
This is actually quite normal, it seems to me;-). If it bothers you,
up the limit a bit and see what happens.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From maillists at conactive.com Fri Jan 23 14:12:21 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri Jan 23 14:12:35 2009
Subject: Email causing MailScanner to go defunct.
In-Reply-To: <223f97700901230534x2bc23deel8a4b5e966223d11f@mail.gmail.com>
References: <2f130bce-e934-11dd-93f1-0004e2e@rocketseed.mhg.co.za> <223f97700901230534x2bc23deel8a4b5e966223d11f@mail.gmail.com>
Message-ID:

Glenn Steen wrote on Fri, 23 Jan 2009 14:34:54 +0100:

> Look at the setting "Max Spam Check Size", and the comment above it.
> This is actually quite normal, it seems to me;-). If it bothers you,
> up the limit a bit and see what happens.

I don't see where it says "won't scan at all". However, the error
message implies that: "too big for spam checks". I would have *never*
assumed that such a message gets not scanned *at all*. I expect that for
such a message the first x bytes are handed over to SA. Like it is done
with procmail. So, what's correct? Is it skipped or not?

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From Johan at double-l.nl Fri Jan 23 14:36:37 2009
From: Johan at double-l.nl (Johan Hendriks)
Date: Fri Jan 23 14:36:41 2009
Subject: TXT files seen as MPEG movies
Message-ID: <57200BF94E69E54880C9BB1AF714BBCB5DE486@w2003s01.double-l.local>

Hello all

I have the following issue.

From DHL we get text files with shipment info.
But these mails are being held back by mailscanner and it says the
following.

Quarantine: /var/spool/MailScanner/quarantine/20090120/D87B710F54C3.9C90C
Bericht: MailScanner: No MPEG movies allowed (msg-36804-2.txt)

The sender is on the whitelist, and also I have added the following to
the file filename.rules.conf

allow msg-[a-z0-9]{5}-[a-z0-9]{2}\.txt$ - -
allow msg-[a-z0-9]{5}-[a-z0-9]{1}\.txt$ - -

But still the files get blocked.

What can I do to make sure these files get passed.

Regards,
Johan Hendriks
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090123/1a07bcf3/attachment.html

From simonmjones at gmail.com Fri Jan 23 14:48:23 2009
From: simonmjones at gmail.com (Simon Jones)
Date: Fri Jan 23 14:48:32 2009
Subject: segfault
In-Reply-To: <1232714659.25948.38.camel@gblades-suse.linguaphone-intranet.co.uk>
References: <70572c510901230304y13eca301od231c4cd175f3f10@mail.gmail.com> <4979B1FD.9030603@fsl.com> <70572c510901230439l3380632dkccc4e5d9bfdc11bb@mail.gmail.com> <1232714659.25948.38.camel@gblades-suse.linguaphone-intranet.co.uk>
Message-ID: <70572c510901230648j6e7cca4evb02dbea19980690b@mail.gmail.com>

2009/1/23 Gareth :
> On Fri, 2009-01-23 at 12:39, Simon Jones wrote:
>> ok thanks mate, I'm doing an update now - see if that sorts it. has
>> anyone else noticed a shed load more spam recently? my gateways are
>> running full bore right now, they've been stable for months but the
>> last couple o days has seen stacked hold queues and slow-ups which I
>> can only really put down to sheer volume of spam being processed.
>
> I haven't seen any noticeable rise however the new large botnet which
> has got some mainstream news coverage recently could well be increasing
> the amount of spam being sent out.
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

mm, could be that I guess but these servers are pretty powerful with
15k rpm sas drives so they should be able to handle a bunch of stuff.
the primary is currently so slow it's failing to answer incoming smtp
connections intermittently but there's nothing in the hold queue!
usually when I've had this trouble the hold queue is stuffed and the
server can't cope with the volume. there's something different going
on with this now, not sure what yet though - apart from it being
REALLY slow.

From shuttlebox at gmail.com Fri Jan 23 14:56:34 2009
From: shuttlebox at gmail.com (shuttlebox)
Date: Fri Jan 23 14:56:44 2009
Subject: Email causing MailScanner to go defunct.
In-Reply-To:
References: <2f130bce-e934-11dd-93f1-0004e2e@rocketseed.mhg.co.za> <223f97700901230534x2bc23deel8a4b5e966223d11f@mail.gmail.com>
Message-ID: <625385e30901230656i1dbf6b74r8b81fbce34be061e@mail.gmail.com>

On Fri, Jan 23, 2009 at 3:12 PM, Kai Schaetzl wrote:
> Glenn Steen wrote on Fri, 23 Jan 2009 14:34:54 +0100:
>
>> Look at the setting "Max Spam Check Size", and the comment above it.
>> This is actually quite normal, it seems to me;-). If it bothers you,
>> up the limit a bit and see what happens.
>
> I don't see where it says "won't scan at all". However, the error message
> implies that: "too big for spam checks". I would have *never* assumed that
> such a message gets not scanned *at all*. I expect that for such a message
> the first x bytes are handed over to SA. Like it is done with procmail.
> So, what's correct? Is it skipped or not?

It's the maximum size when to spam check, pretty clear to me. :-)
Really large messages are rarely spam so load can be reduced by
skipping them. The feature you're referring to is to speed up what's
actually checked because, say 50k, is usually enough to determine if
it's spam or not.

I check the first 50k but skip if it's above 200k.

--
/peter

From simonmjones at gmail.com Fri Jan 23 15:12:47 2009
From: simonmjones at gmail.com (Simon Jones)
Date: Fri Jan 23 15:12:56 2009
Subject: segfault
In-Reply-To: <70572c510901230648j6e7cca4evb02dbea19980690b@mail.gmail.com>
References: <70572c510901230304y13eca301od231c4cd175f3f10@mail.gmail.com> <4979B1FD.9030603@fsl.com> <70572c510901230439l3380632dkccc4e5d9bfdc11bb@mail.gmail.com> <1232714659.25948.38.camel@gblades-suse.linguaphone-intranet.co.uk> <70572c510901230648j6e7cca4evb02dbea19980690b@mail.gmail.com>
Message-ID: <70572c510901230712y9c9a904h759b579f010c4483@mail.gmail.com>

2009/1/23 Simon Jones :
> 2009/1/23 Gareth :
>> On Fri, 2009-01-23 at 12:39, Simon Jones wrote:
>>> ok thanks mate, I'm doing an update now - see if that sorts it. has
>>> anyone else noticed a shed load more spam recently? my gateways are
>>> running full bore right now, they've been stable for months but the
>>> last couple o days has seen stacked hold queues and slow-ups which I
>>> can only really put down to sheer volume of spam being processed.
>>
>> I haven't seen any noticeable rise however the new large botnet which
>> has got some mainstream news coverage recently could well be increasing
>> the amount of spam being sent out.
>>
>> --
>> MailScanner mailing list
>> mailscanner@lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>
>
> mm, could be that I guess but these servers are pretty powerful with
> 15k rpm sas drives so they should be able to handle a bunch of stuff.
> the primary is currently so slow it's failing to answer incoming smtp
> connections intermittently but there's nothing in the hold queue!
> usually when I've had this trouble the hold queue is stuffed and the
> server can't cope with the volume. there's something different going
> on with this now, not sure what yet though - apart from it being
> REALLY slow.
>

Problem seems to be clamav - when I disable virus scanning the system
returns to normal, enable it and clamscan sucks up all the cpu it can
and the system grinds to a halt... I read somewhere there's an
alternative less cpu intensive way to run clamscan - anyone point me to
the docs please?

From jonas at vrt.dk Fri Jan 23 15:22:40 2009
From: jonas at vrt.dk (Jonas Akrouh Larsen)
Date: Fri Jan 23 15:22:50 2009
Subject: Sanesecurity ClamAV sigs are back. Yay!
In-Reply-To: <497839A8.8000104@ecs.soton.ac.uk>
References: <497839A8.8000104@ecs.soton.ac.uk>
Message-ID: <007901c97d6e$6e7b78f0$4b726ad0$@dk>

I've not used sanesecurity so far, because it messes up statistics and
generally makes it less transparent why a mail was blocked.

My problem is I don't want my system to list a mail as a virus if it's
"just" a spam or phishing attack.

Am I alone with these concerns or has anybody found a "fix" for it?

I am using newest mailscanner and mailwatch versions.

I'd love to improve my protection with sanesecurity but not at the cost
of making my spam/virus stats useless.

Let me know what you think.

Med venlig hilsen / Best regards

Jonas Akrouh Larsen

TechBiz ApS
Laplandsgade 4, 2. sal
2300 København S

Office: 7020 0979
Direct: 3336 9974
Mobile: 5120 1096
Fax: 7020 0978
Web: www.techbiz.dk

From campbell at cnpapers.com Fri Jan 23 15:22:33 2009
From: campbell at cnpapers.com (Steve Campbell)
Date: Fri Jan 23 15:22:52 2009
Subject: Email causing MailScanner to go defunct.
In-Reply-To:
References: <2f130bce-e934-11dd-93f1-0004e2e@rocketseed.mhg.co.za> <223f97700901230534x2bc23deel8a4b5e966223d11f@mail.gmail.com>
Message-ID: <4979E0B9.1020303@cnpapers.com>

Kai Schaetzl wrote:
> Glenn Steen wrote on Fri, 23 Jan 2009 14:34:54 +0100:
>
>
>> Look at the setting "Max Spam Check Size", and the comment above it.
>> This is actually quite normal, it seems to me;-). If it bothers you,
>> up the limit a bit and see what happens.
>>
>
> I don't see where it says "won't scan at all". However, the error message
> implies that: "too big for spam checks". I would have *never* assumed that
> such a message gets not scanned *at all*. I expect that for such a message
> the first x bytes are handed over to SA. Like it is done with procmail.
> So, what's correct? Is it skipped or not?
>
> Kai
>
>

I mentioned this problem in my "Just an observation" thread a week or
so ago. I found that it sometimes would not get delivered at all. I
never did find out why. I was under the impression that the conf
setting was to indicate the amount of an email to check by SA, not that
if the email were larger, it wouldn't pass it to SA at all.

What version are you running, Kai? I'm tempted to upgrade and see if
that fixes things, as my version is 4.72.5, and I still see this taking
a lot of resources. I probably won't do it today since I've had the
server down for memory upgrades, but maybe tomorrow or Monday.

steve

From campbell at cnpapers.com Fri Jan 23 15:29:57 2009
From: campbell at cnpapers.com (Steve Campbell) Date: Fri Jan 23 15:30:12 2009 Subject: Email causing MailScanner to go defunct. In-Reply-To: <625385e30901230656i1dbf6b74r8b81fbce34be061e@mail.gmail.com> References: <2f130bce-e934-11dd-93f1-0004e2e@rocketseed.mhg.co.za> <223f97700901230534x2bc23deel8a4b5e966223d11f@mail.gmail.com> <625385e30901230656i1dbf6b74r8b81fbce34be061e@mail.gmail.com> Message-ID: <4979E275.8020301@cnpapers.com> shuttlebox wrote: > On Fri, Jan 23, 2009 at 3:12 PM, Kai Schaetzl wrote: > >> Glenn Steen wrote on Fri, 23 Jan 2009 14:34:54 +0100: >> >> >>> Look at the setting "Max Spam Check Size", and the comment above it. >>> This is actually quite normal, it seems to me;-). If it bothers you, >>> up the limit a bit and see what happens. >>> >> I don't see where it says "won't scan at all". However, the error message >> implies that: "too big for spam checks". I would have *never* assumed that >> such a message gets not scanned *at all*. I expect that for such a message >> the first x bytes are handed over to SA. Like it is done with procmail. >> So, what's correct? Is it skipped or not? >> > > It's the maximum size when to spam check, pretty clear to me. :-) > Really large message are rarely spam so load can be reduced by > skipping them. The feature you're referring to is to speed up what's > actually checked because, say 50k, is usually enough to determine if > it's spam or not. > > I check the first 50k but skip if it's above 200k. > > I have to disagree with the "Really large message are rarely spam" part nowadays as I'm seeing spam coming in around 300K-400k fairly regularly. I work at a newspaper, and ads are sent in through email all the time. I have to allow larger emails due to the fact that most smaller advertisers are just local small businesses and they aren't aware of FTP and the like.The one-time advertisers aren't around long enough to inform them properly. 
If I were to lower the size restrictions, the spam just flows on through cleanly with a score of 0, so I raise it, and of course, the load on the machine suffers because it has to scan the larger spams.

steve

From a.peacock at chime.ucl.ac.uk Fri Jan 23 15:33:20 2009
From: a.peacock at chime.ucl.ac.uk (Anthony Peacock)
Date: Fri Jan 23 15:33:33 2009
Subject: Sanesecurity ClamAV sigs are back. Yay!
In-Reply-To: <007901c97d6e$6e7b78f0$4b726ad0$@dk>
References: <497839A8.8000104@ecs.soton.ac.uk> <007901c97d6e$6e7b78f0$4b726ad0$@dk>
Message-ID: <4979E340.7030208@chime.ucl.ac.uk>

Hi Jonas,

Jonas Akrouh Larsen wrote:
> I've not used sanesecurity so far, because it messes up statistics and
> generally make it less transparent why a mail was blocked.
>
> My problem is I don't want my system to list a mail as a virus if its "just"
> a spam or phishing attack.
>
> Am I alone with these concerns or have anybody found a "fix" for it?

Nope, you are not alone. I looked into this a while ago and came to the same conclusion.

I do not get lots of phishing attacks get through that would have been caught by this method so haven't bothered to implement it. However, if I was getting loads of phishing attempts getting through, then I might reconsider.

>
> I am using newest mailscanner and mailwatch versions.
>
> I'd love to improve my protection with sanesecurity but not at the cost of
> making my spam/virus stats useless.
>
> Let me know what you think.
>
>
>
> Med venlig hilsen / Best regards
>
> Jonas Akrouh Larsen
>
> TechBiz ApS
> Laplandsgade 4, 2. sal
> 2300 København S
>
> Office: 7020 0979
> Direct: 3336 9974
> Mobile: 5120 1096
> Fax: 7020 0978
> Web: www.techbiz.dk
>
>
>

-- 
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW: http://www.chime.ucl.ac.uk/~rmhiajp/
Study Health Informatics - Modular Postgraduate Degree
http://www.chime.ucl.ac.uk/study-health-informatics/

From ms-list at alexb.ch Fri Jan 23 15:38:46 2009
From: ms-list at alexb.ch (Alex Broens)
Date: Fri Jan 23 15:38:56 2009
Subject: Sanesecurity ClamAV sigs are back. Yay!
In-Reply-To: <007901c97d6e$6e7b78f0$4b726ad0$@dk>
References: <497839A8.8000104@ecs.soton.ac.uk> <007901c97d6e$6e7b78f0$4b726ad0$@dk>
Message-ID: <4979E486.2000001@alexb.ch>

On 1/23/2009 4:22 PM, Jonas Akrouh Larsen wrote:
> I've not used sanesecurity so far, because it messes up statistics and
> generally make it less transparent why a mail was blocked.
>
> My problem is I don't want my system to list a mail as a virus if its "just"
> a spam or phishing attack.
>
> Am I alone with these concerns or have anybody found a "fix" for it?
>
> I am using newest mailscanner and mailwatch versions.
>
> I'd love to improve my protection with sanesecurity but not at the cost of
> making my spam/virus stats useless.

agreed, it's very confusing to users why an image spam or a 419 suddenly shows up as "infected"

> Let me know what you think.

Not tested under heavy load but ClamAVPlugin allows to tag with ClamAV results and let SA do its usual work.

If you're using Clam as only AV, dunno how wise it is, but if you have a commercial scanner in place to take care of the real viri, then ClamAVPlugin could possibly give you the extra control/stats.
You could even score depending on descriptions, etc.

See: http://wiki.apache.org/spamassassin/ClamAVPlugin

Alex

From maillists at conactive.com Fri Jan 23 16:01:52 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri Jan 23 16:02:02 2009
Subject: TXT files seen as MPEG movies
In-Reply-To: <57200BF94E69E54880C9BB1AF714BBCB5DE486@w2003s01.double-l.local>
References: <57200BF94E69E54880C9BB1AF714BBCB5DE486@w2003s01.double-l.local>
Message-ID:

Johan Hendriks wrote on Fri, 23 Jan 2009 15:36:37 +0100:

> The senders is on the whitelist

which is only for spam. If you want to exclude senders from all scanning you have to use something like:
Scan Messages = %rules-dir%/scan.messages.rules

> What can I do to make sure these files get passed.

This check is a *filetype* check, so you have to whitelist there!
(This is obviously a misinterpretation of some characters in the beginning of the text file, so the file binary thinks it's mpeg.)

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Fri Jan 23 16:01:52 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri Jan 23 16:02:03 2009
Subject: segfault
In-Reply-To: <70572c510901230712y9c9a904h759b579f010c4483@mail.gmail.com>
References: <70572c510901230304y13eca301od231c4cd175f3f10@mail.gmail.com> <4979B1FD.9030603@fsl.com> <70572c510901230439l3380632dkccc4e5d9bfdc11bb@mail.gmail.com> <1232714659.25948.38.camel@gblades-suse.linguaphone-intranet.co.uk> <70572c510901230648j6e7cca4evb02dbea19980690b@mail.gmail.com> <70572c510901230712y9c9a904h759b579f010c4483@mail.gmail.com>
Message-ID:

Simon Jones wrote on Fri, 23 Jan 2009 15:12:47 +0000:

> Problem seems to be clamav - when I disable virus scanning the system
> returns to normal, enabled it and clamscan sucks up all the cpu it can
> and the system grinds to a halt... I read somewhere there's an
> alternative less cpu intensive way to run clamscan - anyone point me
> to the docs please?

http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:clamav:switch_to_rpm_clamd

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Fri Jan 23 16:01:52 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri Jan 23 16:02:04 2009
Subject: Email causing MailScanner to go defunct.
In-Reply-To: <625385e30901230656i1dbf6b74r8b81fbce34be061e@mail.gmail.com>
References: <2f130bce-e934-11dd-93f1-0004e2e@rocketseed.mhg.co.za> <223f97700901230534x2bc23deel8a4b5e966223d11f@mail.gmail.com> <625385e30901230656i1dbf6b74r8b81fbce34be061e@mail.gmail.com>
Message-ID:

Shuttlebox wrote on Fri, 23 Jan 2009 15:56:34 +0100:

> It's the maximum size when to spam check, pretty clear to me. :-)

Not to me, especially not with the knowledge about how it is usually done with procmail. Then I've been misinterpreting this setting for years.

> I check the first 50k but skip if it's above 200k.

How do you do that with MS? I don't know of such an option.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Fri Jan 23 16:21:19 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri Jan 23 16:21:32 2009
Subject: Email causing MailScanner to go defunct.
In-Reply-To: <4979E275.8020301@cnpapers.com>
References: <2f130bce-e934-11dd-93f1-0004e2e@rocketseed.mhg.co.za> <223f97700901230534x2bc23deel8a4b5e966223d11f@mail.gmail.com> <625385e30901230656i1dbf6b74r8b81fbce34be061e@mail.gmail.com> <4979E275.8020301@cnpapers.com>
Message-ID:

Steve Campbell wrote on Fri, 23 Jan 2009 10:29:57 -0500:

> If I were to lower the size restrictions, the spam just flows on through
> cleanly with a score of 0, so I raise it, and of course, the load on the
> machine suffers because it has to scan the larger spams.

I think most people's experience, including mine, is different. Over a certain value (most likely 50 - 100k) there's almost no spam. (Nowadays, they try to send short messages, so that Bayes hasn't much to work on.) So, going with 200k is a good measure. I was just under the wrong impression that the respective option was working like the usually used procmail recipes.

I think it would be a good idea to add this functionality ("Spam Check only first x Bytes of message") to MS.

Part of your problems could indeed come from the fact that you are scanning many large messages. How high did you set this option?

Another thought: in case you are getting so many spam with big size and others don't - could it be that your rejection rate at the MTA level is very low, so that you get spam in that others already reject at the door?
If you detect a majority of spam only with MS and not at MTA this could also be another reason for your performance problems.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Fri Jan 23 16:21:19 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri Jan 23 16:21:33 2009
Subject: Email causing MailScanner to go defunct.
In-Reply-To: <4979E0B9.1020303@cnpapers.com>
References: <2f130bce-e934-11dd-93f1-0004e2e@rocketseed.mhg.co.za> <223f97700901230534x2bc23deel8a4b5e966223d11f@mail.gmail.com> <4979E0B9.1020303@cnpapers.com>
Message-ID:

Steve Campbell wrote on Fri, 23 Jan 2009 10:22:33 -0500:

> I mentioned this problem in my "Just an observation" thread a week or so
> ago. I found that it sometimes would not get delivered at all. I never
> did find out why. I was under the impression that the conf setting was
> to indicate the amount of an email to check by SA, not that if the email
> were larger, it wouldn't pass it to SA at all.

I remember. I was under the wrong impression that this setting delivers the first x bytes to SA and not that it skips the message altogether. But this affects only spam detection. I have never heard or seen that messages were lost because of this. I would rather guess that there was some other problem, like it was password-protected or so (people in the media like to send password-protected ads and then send the password with the same mail ..). There have been problems in the past with this, messages were quarantined, but no notice sent out. Thus, it appeared to have been vanished. If you don't use Mailwatch yet you should definitely do it!

>
> What version are you running, Kai? I'm tempted to upgrade and see if
> that fixes things, as my version is 4.72.5, and I still see this taking
> a lot of resources. I probably won't do it today since I've had the
> server down for memory upgrades, but maybe tomorrow or Monday.

I'm not aware that there were massive performance improvements since this version.
In case you still get no satisfactory performance I'm available for a little fee ;-)

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From jonas at vrt.dk Fri Jan 23 16:34:22 2009
From: jonas at vrt.dk (Jonas Akrouh Larsen)
Date: Fri Jan 23 16:34:31 2009
Subject: Sanesecurity ClamAV sigs are back. Yay!
In-Reply-To: <4979E486.2000001@alexb.ch>
References: <497839A8.8000104@ecs.soton.ac.uk> <007901c97d6e$6e7b78f0$4b726ad0$@dk> <4979E486.2000001@alexb.ch>
Message-ID: <008901c97d78$72240300$566c0900$@dk>

>Not tested under heavy load but ClamAVPlugin allows to tag with ClamAV
>results and let SA do its usual work.
>
>If you're using Clam as only AV, dunno how wise it is, but if you have a
>commercial scanner in place to take care of the real viri, then
>ClamAVPlugin could possibly give you the extra control/stats.
>You could even score depending on descriptions, etc.

Hi Alex.

Yep I have considered the sa plugin as well. I didn't consider dropping clamav as a normal av scanner.

What I contemplated when I looked at it was, if it would be possible to have 2 separate clam installs? So you could have one that would only get 3rd party sigs, which typically protects against spam/phishing etc. and not viri. You would then use this custom clam install with the sa clam plugin. And you would use a normal clam av as an av scanner in MS

If that's possible you would benefit without losing any stats. Obviously such a setup uses a lot more cpu, but some of us can afford that.

Does anybody know if it would be possible to use 1 clam setup with MS and another in sa?

Med venlig hilsen / Best regards

Jonas Akrouh Larsen

TechBiz ApS
Laplandsgade 4, 2. sal
2300 København S

Office: 7020 0979
Direct: 3336 9974
Mobile: 5120 1096
Fax: 7020 0978
Web: www.techbiz.dk

From campbell at cnpapers.com Fri Jan 23 16:42:41 2009
From: campbell at cnpapers.com (Steve Campbell) Date: Fri Jan 23 16:42:58 2009 Subject: Email causing MailScanner to go defunct. In-Reply-To: References: <2f130bce-e934-11dd-93f1-0004e2e@rocketseed.mhg.co.za> <223f97700901230534x2bc23deel8a4b5e966223d11f@mail.gmail.com> <625385e30901230656i1dbf6b74r8b81fbce34be061e@mail.gmail.com> <4979E275.8020301@cnpapers.com> Message-ID: <4979F381.9070807@cnpapers.com> Kai Schaetzl wrote: > Steve Campbell wrote on Fri, 23 Jan 2009 10:29:57 -0500: > > >> If I were to lower the size restrictions, the spam just flows on through >> cleanly with a score of 0, so I raise it, and of course, the load on the >> machine suffers because it has to scan the larger spams. >> > > I think most people's experience, including mine, is different. Over a > certain value (most likely 50 - 100k) there's almost no spam. (Nowadays, > they try to send short messages, so that Bayes hasn't much to work on.) So, > going with 200k is a good measure. I was just under the wrong impression > that the respective option was working like the usually used procmail > recipes. > I too was under the same impression you were. I'm not sure if it's the comments above the option or not that gave me that impression. > I think it would be a good idea to add this functionality (Spam Check only > first x Beytes of message") to MS. > Same here. > Part of your problems could indeed come from the fact that you are scanning > many large messages. How high did you set this option? > Max Spam Check Size = 4000k Max SpamAssassin Size = 2500000 High value, but like I said, there was a time when emails weren't delivered if it were above. Maybe I'm not using the right one. > Another thought: in case you are getting so many spam with big size and > others don't - could it be that your rejection rate at the MTA level is > very low, so that you get spam in that others already reject at the door? 
> If you detect a majority of spam only with MS and not at MTA this could > also be another reason for your performance problems. > > I'm only using sbl-xbl-spamhaus.org right now with my MTA. I've never compared rejected versus accepted, but when I tail my maillog, it seems as though most email is thrown away. If anyone has a safe suggestion for more that I should add to the MTA, please suggest. A lot of my incoming is from bursts from news agencies sending alerts to all reporters. I just upgraded to the latest. I left startin and startout running. The load average dropped to around 0.50, so sendmail is taking minimal resources. Once I started MS back up, with about 250 emails queue in the input queue, LA rose to 6.5-7.0 and stayed there as it struggles to clear the queue along with the new incoming posts. MS is showing a footprint of 92M, and most of the RAM (3 GB now for 3 children) is eaten up. I've removed all SARE rules, and am considering cutting KAM rules. There were a lot of failed modules during install. The two main ones installed fine. MS says it installed fine. I'm just wondering if that might have a bearing on this as I'm running Centos 3 here. > Kai > > steve From campbell at cnpapers.com Fri Jan 23 16:48:45 2009 
From: campbell at cnpapers.com (Steve Campbell) Date: Fri Jan 23 16:48:57 2009 Subject: Email causing MailScanner to go defunct. In-Reply-To: References: <2f130bce-e934-11dd-93f1-0004e2e@rocketseed.mhg.co.za> <223f97700901230534x2bc23deel8a4b5e966223d11f@mail.gmail.com> <4979E0B9.1020303@cnpapers.com> Message-ID: <4979F4ED.1050508@cnpapers.com> Kai Schaetzl wrote: > Steve Campbell wrote on Fri, 23 Jan 2009 10:22:33 -0500: > > >> I mentioned this problem in my "Just an observation" thread a week or so >> ago. I found that it sometimes would not get delivered at all. I never >> did find out why. I was under the impression that the conf setting was >> to indicate the amount of an email to check by SA, not that if the email >> were larger, it wouldn't pass it to SA at all. >> > > I remember. I was under the wrong impression that this setting delivers the > first x bytes to SA and not that it skips the message alltogether. But this > effects only spam detection. I have never heard or seen that messages were > lost because of this. I would rather guess that there was some other > problem, like it was password-protected or so (people in the media like to > send password-protected ads and then send the password with the same mail > ..). There have been problems in the past with this, messages were > quarantined, but no notice sent out. Thus, it appeared to have been > vanished. If you don't use Mailwatch yet you should definitely do it! > Nope, password protection was not the case. I raised the config option and had the sender to resend and the files came through normally. The originals were not on the server. I use MailWatch. The message on the mailwatch screen only reported "too large". The files were not available in MW to re-release. > >> What version are you running, Kai? I'm tempted to upgrade and see if >> that fixes things, as my version is 4.72.5, and I still see this taking >> a lot of resources. 
I probably won't do it today since I've had the >> server down for memory upgrades, but maybe tomorrow or Monday. >> > > I'm not aware that there were massive performance improvements since this > version. In case you still get no satisfactory performance I'm available > for a little fee ;-) > Nice that you offer, but newspapers are struggling right now. High gas costs of last year really hurt delivery budgets, newsprint has sky-rocketed. I'll keep on hunting. > Kai > > From simonmjones at gmail.com Fri Jan 23 17:09:26 2009 
From: simonmjones at gmail.com (Simon Jones)
Date: Fri Jan 23 17:09:35 2009
Subject: segfault
In-Reply-To:
References: <70572c510901230304y13eca301od231c4cd175f3f10@mail.gmail.com> <4979B1FD.9030603@fsl.com> <70572c510901230439l3380632dkccc4e5d9bfdc11bb@mail.gmail.com> <1232714659.25948.38.camel@gblades-suse.linguaphone-intranet.co.uk> <70572c510901230648j6e7cca4evb02dbea19980690b@mail.gmail.com> <70572c510901230712y9c9a904h759b579f010c4483@mail.gmail.com>
Message-ID: <70572c510901230909k325c5a60ne73504f1021dd876@mail.gmail.com>

2009/1/23 Kai Schaetzl :
> Simon Jones wrote on Fri, 23 Jan 2009 15:12:47 +0000:
>
>> Problem seems to be clamav - when I disable virus scanning the system
>> returns to normal, enabled it and clamscan sucks up all the cpu it can
>> and the system grinds to a halt... I read somewhere there's an
>> alternative less cpu intensive way to run clamscan - anyone point me
>> to the docs please?
>
> http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:clamav:switch_to_rpm_clamd
>
> Kai
>
> --
> Kai Schätzl, Berlin, Germany
> Get your web at Conactive Internet Services: http://www.conactive.com
>
>
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

Nice one, thanks mate.

From campbell at cnpapers.com Fri Jan 23 17:54:09 2009
From: campbell at cnpapers.com (Steve Campbell)
Date: Fri Jan 23 17:54:23 2009
Subject: Here's an interesting observation
Message-ID: <497A0441.3020009@cnpapers.com>

I've been fighting this for a while now. I don't know if my SA timeouts are gone, but:

I removed the KAM rules, and a backlog of mail processed really fast. I haven't had a SA timeout in more than 30 minutes, and before removal, they were happening about every 3 minutes.

steve

From mark at msapiro.net Fri Jan 23 18:31:08 2009
From: mark at msapiro.net (Mark Sapiro)
Date: Fri Jan 23 18:31:18 2009
Subject: Email causing MailScanner to go defunct.
In-Reply-To:
Message-ID:

Kai Schaetzl wrote:
>Shuttlebox wrote on Fri, 23 Jan 2009 15:56:34 +0100:
>
>> I check the first 50k but skip if it's above 200k.
>
>How do you do that with MS? I don't know of such an option.

Max Spam Check Size = 200k
Max SpamAssassin Size = 50k

-- 
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From maillists at conactive.com Fri Jan 23 18:31:23 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri Jan 23 18:31:36 2009
Subject: Email causing MailScanner to go defunct.
In-Reply-To: <4979F4ED.1050508@cnpapers.com>
References: <2f130bce-e934-11dd-93f1-0004e2e@rocketseed.mhg.co.za> <223f97700901230534x2bc23deel8a4b5e966223d11f@mail.gmail.com> <4979E0B9.1020303@cnpapers.com> <4979F4ED.1050508@cnpapers.com>
Message-ID:

Steve Campbell wrote on Fri, 23 Jan 2009 11:48:45 -0500:

> The message on the
> mailwatch screen only reported "too large".

That is what I see here, too, but the message gets delivered. No problem.

> The files were not available
> in MW to re-release.

Do you store ham?

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Fri Jan 23 18:31:23 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri Jan 23 18:31:37 2009
Subject: Email causing MailScanner to go defunct.
In-Reply-To: <4979F381.9070807@cnpapers.com>
References: <2f130bce-e934-11dd-93f1-0004e2e@rocketseed.mhg.co.za> <223f97700901230534x2bc23deel8a4b5e966223d11f@mail.gmail.com> <625385e30901230656i1dbf6b74r8b81fbce34be061e@mail.gmail.com> <4979E275.8020301@cnpapers.com> <4979F381.9070807@cnpapers.com>
Message-ID:

Steve Campbell wrote on Fri, 23 Jan 2009 11:42:41 -0500:

> Max Spam Check Size = 4000k
> Max SpamAssassin Size = 2500000

Ah, ok, I confused these two settings, or, actually, I somehow wasn't aware that there were two. Maybe at the time I "learned" MailScanner.conf there was only one of them. Anyway, scanning such big messages in completeness is most certainly having a dramatic impact on performance and memory usage of SA/MS. Set this back to:
Max SpamAssassin Size = 200k
and leave the other as is. That should help you a lot. There's really no point in scanning the big messages completely. If the message is spam SA should almost certainly be able to know this from the first lines.

>
> High value, but like I said, there was a time when emails weren't
> delivered if it were above.

you mean, if *they* were above? Unfortunately, you didn't debug this. Either there was a bug then or you misinterpreted something.

> I'm only using sbl-xbl-spamhaus.org right now with my MTA. I've never
> compared rejected versus accepted, but when I tail my maillog, it seems
> as though most email is thrown away. If anyone has a safe suggestion for
> more that I should add to the MTA, please suggest. A lot of my incoming
> is from bursts from news agencies sending alerts to all reporters.

There's a lot of things one can do at the MTA level and using an RBL is just one of them. It depends on the software, clientele, needs etc. Each one is different.

> There were a lot of failed modules during install. The two main ones
> installed fine. MS says it installed fine. I'm just wondering if that
> might have a bearing on this as I'm running Centos 3 here.

Oh. Yeah, this might have an impact as well. I remember someone else with RHEL 3 reported a lot of failed modules during installation recently. I replied with a recommendation to her. Apparently most modules could not be built. This can mean a lot or almost nothing. It depends on the fact if you have these modules already installed or not.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From ssilva at sgvwater.com Fri Jan 23 18:44:35 2009
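The two size limits discussed in this thread, modelled as an added example (not MailScanner's own code and not part of any poster's message): a message larger than "Max Spam Check Size" gets no spam check at all, and a smaller one has at most "Max SpamAssassin Size" bytes handed to SpamAssassin, as the replies above describe. The function names, the decimal meaning of the k/m/g suffixes, the strict "greater than" comparison and the sample message sizes are assumptions made for illustration.

```python
import re

# The three pairs of settings quoted in the thread (MailScanner.conf syntax).
CONFIGS = {
    "steve": "Max Spam Check Size = 4000k\nMax SpamAssassin Size = 2500000\n",
    "kai": "Max Spam Check Size = 4000k\nMax SpamAssassin Size = 200k\n",
    "sapiro": "Max Spam Check Size = 200k\nMax SpamAssassin Size = 50k\n",
}

# Constructed message sizes in bytes: small mail plus a few 300k+ messages.
SAMPLE_SIZES = [4_000, 18_000, 60_000, 350_000, 380_000, 1_200_000, 3_000_000]

# Assumption: suffixes are decimal multipliers.
SUFFIX = {"": 1, "k": 1000, "m": 1000**2, "g": 1000**3}


def parse_size(value):
    """Turn '200k' or '2500000' into a byte count."""
    match = re.fullmatch(r"(\d+)\s*([kmg]?)", value.strip().lower())
    if not match:
        raise ValueError(f"not a size: {value!r}")
    return int(match.group(1)) * SUFFIX[match.group(2)]


def parse_limits(conf_text):
    """Extract the two limits from 'Key = value' lines, ignoring # comments."""
    wanted = {"max spam check size": "check", "max spamassassin size": "sa"}
    limits = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = " ".join(key.lower().split())
        if key in wanted:
            limits[wanted[key]] = parse_size(value)
    missing = set(wanted.values()) - set(limits)
    if missing:
        raise ValueError(f"settings not found: {sorted(missing)}")
    return limits


def bytes_for_spamassassin(msg_size, limits):
    """None means the message is not spam checked at all (score stays 0)."""
    if msg_size > limits["check"]:
        return None
    return min(msg_size, limits["sa"])


def summarize(conf_text, sizes):
    """Total bytes handed to SpamAssassin and count of unchecked messages."""
    limits = parse_limits(conf_text)
    handed = [bytes_for_spamassassin(size, limits) for size in sizes]
    return {
        "sa_bytes": sum(b for b in handed if b is not None),
        "unchecked": sum(b is None for b in handed),
    }


if __name__ == "__main__":
    for name, conf in CONFIGS.items():
        print(name, summarize(conf, SAMPLE_SIZES))
```

On this sample the 4000k/200k pair still checks every message while handing SpamAssassin roughly a fifth of the bytes of the 4000k/2500000 pair; the 200k/50k pair leaves the four largest messages unchecked.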
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Jan 23 18:44:54 2009
Subject: Quarantined email testing/troubleshooting
In-Reply-To: <4978A3CE.2070603@ecs.soton.ac.uk>
References: <4978829702000027000288F0@gwiadom.oes.beds.ac.uk> <49789F360200002700028929@gwiadom.oes.beds.ac.uk> <49789F360200002700028929@gwiadom.oes.beds.ac.uk> <4978A3CE.2070603@ecs.soton.ac.uk>
Message-ID:

on 1-22-2009 8:50 AM Julian Field spake the following:
> You can't just use df and/or qf files as if they were RFC822 messages.
> They're not.
> However, they *nearly* are, when used as a pair.
> Many years ago (2002 is the date stamp on the file) I wrote a script
> which would take an entire quarantine directory (or a string of
> directory names) full of qf* and df* files, and generate an mbox file
> from them, which could then be simply fed to sa-learn with 1 command to
> learn the whole lot at one go by using the "--mbox" command-line option
> to sa-learn.
> It's at
> www.mailscanner.info/files/4/df2mbox
> It's a fairly simple shell script, I'm sure you can hack it around if
> you want to do something slightly different with it.
>
> Usage example:
> Say you have a quarantine directory
> /var/spool/MailScanner/quarantine/ and each of those
> subdirectories contains a whole bunch of qf and df files in
> the same directory. You can just do
> cd /var/spool/MailScanner/quarantine
> df2mbox *
> and it will go and get on with it, and give you a pile of mbox files as
> a result.
>
The requested URL /files/4/df2mbox was not found on this server.

-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com Fri Jan 23 18:58:02 2009
From: ssilva at sgvwater.com (Scott Silva) Date: Fri Jan 23 18:58:35 2009 Subject: Email causing MailScanner to go defunct. In-Reply-To: <4979F381.9070807@cnpapers.com> References: <2f130bce-e934-11dd-93f1-0004e2e@rocketseed.mhg.co.za> <223f97700901230534x2bc23deel8a4b5e966223d11f@mail.gmail.com> <625385e30901230656i1dbf6b74r8b81fbce34be061e@mail.gmail.com> <4979E275.8020301@cnpapers.com> <4979F381.9070807@cnpapers.com> Message-ID: on 1-23-2009 8:42 AM Steve Campbell spake the following: > > > Kai Schaetzl wrote: >> Steve Campbell wrote on Fri, 23 Jan 2009 10:29:57 -0500: >> >> >>> If I were to lower the size restrictions, the spam just flows on >>> through cleanly with a score of 0, so I raise it, and of course, the >>> load on the machine suffers because it has to scan the larger spams. >>> >> >> I think most people's experience, including mine, is different. Over a >> certain value (most likely 50 - 100k) there's almost no spam. >> (Nowadays, they try to send short messages, so that Bayes hasn't much >> to work on.) So, going with 200k is a good measure. I was just under >> the wrong impression that the respective option was working like the >> usually used procmail recipes. >> > > I too was under the same impression you were. I'm not sure if it's the > comments above the option or not that gave me that impression. >> I think it would be a good idea to add this functionality (Spam Check >> only first x Beytes of message") to MS. >> > > Same here. >> Part of your problems could indeed come from the fact that you are >> scanning many large messages. How high did you set this option? >> > > Max Spam Check Size = 4000k > Max SpamAssassin Size = 2500000 > > High value, but like I said, there was a time when emails weren't > delivered if it were above. Maybe I'm not using the right one. 
>> Another thought: in case you are getting so many spam with big size >> and others don't - could it be that your rejection rate at the MTA >> level is very low, so that you get spam in that others already reject >> at the door? >> If you detect a majority of spam only with MS and not at MTA this >> could also be another reason for your performance problems. >> >> > I'm only using sbl-xbl-spamhaus.org right now with my MTA. I've never > compared rejected versus accepted, but when I tail my maillog, it seems > as though most email is thrown away. If anyone has a safe suggestion for > more that I should add to the MTA, please suggest. A lot of my incoming > is from bursts from news agencies sending alerts to all reporters. > > I just upgraded to the latest. I left startin and startout running. The > load average dropped to around 0.50, so sendmail is taking minimal > resources. Once I started MS back up, with about 250 emails queue in the > input queue, LA rose to 6.5-7.0 and stayed there as it struggles to > clear the queue along with the new incoming posts. > > MS is showing a footprint of 92M, and most of the RAM (3 GB now for 3 > children) is eaten up. I've removed all SARE rules, and am considering > cutting KAM rules. > > There were a lot of failed modules during install. The two main ones > installed fine. MS says it installed fine. I'm just wondering if that > might have a bearing on this as I'm running Centos 3 here. > >> Kai >> >> > steve > It is possible that the failed modules are impacting your performance. As to which blacklists are best, the only way to determine that for your mailflow is to check the stats of the blacklist hits in spamassassin and move the ones that have acceptable rates to you to the MTA. The ones that hit 100% spam are no-brainers, the rest you will have to determine if it is acceptable to your business. 
I can't use spamhaus since I got blacklisted (another long story), but I can use spamcop, njabl, cbl, sorbs, and psbl with no problems. Centos 3 is rather old, and maybe the perl version is less than stellar in performance. If you are running multiple systems, maybe you can work in an upgrade one node at a time.

-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From MailScanner at ecs.soton.ac.uk Fri Jan 23 21:27:13 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Jan 23 21:27:31 2009
Subject: Sanesecurity Signatures and MailScanner
In-Reply-To: <37166.93.97.28.110.1232702718.squirrel@saturn.dataflame.net>
References: <37166.93.97.28.110.1232702718.squirrel@saturn.dataflame.net>
Message-ID: <497A3631.2020004@ecs.soton.ac.uk>

Steve,

Just to confirm before I spend time digging into MailScanner: this is not a MailScanner problem at all, correct?

Cheers,
Jules.

On 23/1/09 09:25, Steve Basford wrote:
> Just a forward from the sanesecurity mailing list... on hopefully
> how to get header test #2 working.
>
> Any result feedback would be great :)
>
> Cheers,
>
> Steve
> Sanesecurity
>
>
> ---- Forward ----
> Hi All,
>
> After much head scratching.. and the help of those who pasted the
> headers... I can reproduce the failed test #2 :)
>
> http://sanesecurity.co.uk/usage.htm (Scroll down page)
>
> And it means that the detection rates on some people systems may not be as
> good as they should have been.
>
> As some people guessed it's all down the header formation and a file
> called .ftm. ClamAv has a file distributed which helps the engine decide
> what type of file the email and/or attachments are.
>
> You can see the file, by doing this:
>
> sigtool --unpack-current=daily
>
> If you look for daily.ftm and look for this line:
>
> 0:0:52656365697665643a20:Raw mail:CL_TYPE_ANY:CL_TYPE_MAIL
>
> It means that if ClamAV sees "Received:" as THE FIRST LINE then it sets
> the scanning type to "Mail" (type 4 signatures)
>
> The problem seems to be that in the undetected examples, the FIRST LINE
> isn't "Received:" but "X-Received-From-Address:".
>
> ClamAV doesn't have this type in its database, so it takes a "guess" :)
>
> As a work-around... could people who had problems with detecting TEST #2, do
> the following:
>
> Copy the following lines into a file called sanesecurity.ftm and copy the
> file, into the same data area as the rest of the signatures:
>
> ------ line to copy -------
> 0:0:582d52656365697665642d46726f6d2d416464726573733a:MailScanner:CL_TYPE_ANY:CL_TYPE_MAIL
> 0:0:582d456e76656c6f70652d546f3a:MailScanner2:CL_TYPE_ANY:CL_TYPE_MAIL
> 0:0:582d5370616d2d436865636b65722d56657273696f6e3a:MailScanner3:CL_TYPE_ANY:CL_TYPE_MAIL
> ------ line to copy -------
>
> If this works, let me know. If it doesn't work.. please post the FIRST
> LINE of the email that you receive undetected.
>
> If we can get a list of headers, I'll then pass them onto ClamAV team.
>
> Cheers and thanks for everyone's help on this one... it's been a big puzzle.
>
>
> Steve
> Sanesecurity
>
>
>

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From MailScanner at ecs.soton.ac.uk Fri Jan 23 21:32:43 2009
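The check described in the forwarded message, as an added example that is neither part of the original post nor ClamAV's own code: it decodes the hex magic in the quoted .ftm lines and shows why a message whose first line is "X-Received-From-Address:" is not typed as mail until the workaround entries are loaded. The field names, the matching function and the two sample messages are assumptions made for illustration, and only literal matches at a fixed offset (first field 0) are modelled.

```python
from dataclasses import dataclass

# Entry quoted from daily.ftm in the forwarded message.
STOCK_FTM = "0:0:52656365697665643a20:Raw mail:CL_TYPE_ANY:CL_TYPE_MAIL\n"

# The three workaround lines proposed for sanesecurity.ftm.
WORKAROUND_FTM = (
    "0:0:582d52656365697665642d46726f6d2d416464726573733a:MailScanner:CL_TYPE_ANY:CL_TYPE_MAIL\n"
    "0:0:582d456e76656c6f70652d546f3a:MailScanner2:CL_TYPE_ANY:CL_TYPE_MAIL\n"
    "0:0:582d5370616d2d436865636b65722d56657273696f6e3a:MailScanner3:CL_TYPE_ANY:CL_TYPE_MAIL\n"
)

# Constructed sample messages (not taken from the list).
MSG_PLAIN = (
    b"Received: from mx.example.org by mail.example.net; "
    b"Fri, 23 Jan 2009 09:00:00 +0000\r\nSubject: test\r\n\r\nbody\r\n"
)
MSG_MAILSCANNER = b"X-Received-From-Address: 192.0.2.10\r\n" + MSG_PLAIN


@dataclass(frozen=True)
class FtmEntry:
    offset: int          # byte offset at which the magic must appear
    magic: bytes         # decoded magic bytes
    name: str            # human-readable label
    required_type: str   # type the data must currently have
    detected_type: str   # type assigned when the magic matches


def parse_ftm(text):
    """Parse colon-separated .ftm lines into FtmEntry objects."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        magic_type, offset, hex_magic, name, rtype, dtype = fields[:6]
        if magic_type != "0":
            continue  # other match types are outside this example
        try:
            magic = bytes.fromhex(hex_magic)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: bad hex magic") from exc
        entries.append(FtmEntry(int(offset), magic, name, rtype, dtype))
    return entries


def decoded_magics(entries):
    """Map each entry name to the ASCII text its magic bytes spell."""
    return {e.name: e.magic.decode("ascii") for e in entries}


def detect_type(data, entries, current_type="CL_TYPE_ANY"):
    """Return (detected_type, entry name) for the first match, else None."""
    for e in entries:
        if e.required_type != current_type:
            continue
        if data[e.offset:e.offset + len(e.magic)] == e.magic:
            return e.detected_type, e.name
    return None


if __name__ == "__main__":
    stock = parse_ftm(STOCK_FTM)
    both = parse_ftm(STOCK_FTM + WORKAROUND_FTM)
    print(decoded_magics(both))
    print("stock only:", detect_type(MSG_MAILSCANNER, stock))
    print("with workaround:", detect_type(MSG_MAILSCANNER, both))
```

The stock entry decodes to "Received: " with a trailing space, while the workaround entries stop at the colon.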
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Jan 23 21:32:57 2009 Subject: TXT files seen as MPEG movies In-Reply-To: References: <57200BF94E69E54880C9BB1AF714BBCB5DE486@w2003s01.double-l.local> Message-ID: <497A377B.6050609@ecs.soton.ac.uk> On 23/1/09 16:01, Kai Schaetzl wrote: > Johan Hendriks wrote on Fri, 23 Jan 2009 15:36:37 +0100: > > >> The senders is on the whitelist >> > > which is only for spam. If you want to exclude senders from all scanning > you have to use something like: > Scan Messages = %rules-dir%/scan.messages.rules > > >> What can I do to make sure these files get passed. >> > > This check is a *filetype* check, so you have to whitelist there! > (This is obviously a misinterpretation of some characters in the beginning > of the text file, so the file binary thinks it's mpeg.) > This is a problem with the "file" command. Try reading the docs in the top of the latest versions of the file about putting in the optional 5th field which uses the MIME type reported by the "file -i" command instead. This actually uses a different database and will often report that a file is plain text when the "file" command on its own reports something quite different (such as an MPEG movie file). Grab one of the rogue attachments from your quarantine and do a "file" on it and a "file -i" on it and you'll probably see the difference. This is all supported within filetype.rules.conf. You just need to set it up right. > Kai > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Fri Jan 23 21:33:55 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Jan 23 21:34:10 2009 Subject: Sanesecurity ClamAV sigs are back. Yay! In-Reply-To: <007901c97d6e$6e7b78f0$4b726ad0$@dk> References: <497839A8.8000104@ecs.soton.ac.uk> <007901c97d6e$6e7b78f0$4b726ad0$@dk> Message-ID: <497A37C3.1080600@ecs.soton.ac.uk> Worry more about your users and the costs of supporting them, and less about your pretty graphs :-) Jules. On 23/1/09 15:22, Jonas Akrouh Larsen wrote: > I've not used sanesecurity so far, because it messes up statistics and > generally make it less transparent why a mail was blocked. > > My problem is I don't want my system to list a mail as a virus if it's "just" > a spam or phishing attack. > > Am I alone with these concerns or have anybody found a "fix" for it? > > I am using newest mailscanner and mailwatch versions. > > I'd love to improve my protection with sanesecurity but not at the cost of > making my spam/virus stats useless. > > Let me know what you think. > > > > Med venlig hilsen / Best regards > > Jonas Akrouh Larsen > > TechBiz ApS > Laplandsgade 4, 2. sal > 2300 København S > > Office: 7020 0979 > Direct: 3336 9974 > Mobile: 5120 1096 > Fax: 7020 0978 > Web: www.techbiz.dk > > > > Jules From MailScanner at ecs.soton.ac.uk Fri Jan 23 21:35:30 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Jan 23 21:35:45 2009 Subject: Sanesecurity ClamAV sigs are back. Yay! In-Reply-To: <4979E486.2000001@alexb.ch> References: <497839A8.8000104@ecs.soton.ac.uk> <007901c97d6e$6e7b78f0$4b726ad0$@dk> <4979E486.2000001@alexb.ch> Message-ID: <497A3822.5060108@ecs.soton.ac.uk> On 23/1/09 15:38, Alex Broens wrote: > On 1/23/2009 4:22 PM, Jonas Akrouh Larsen wrote: >> I've not used sanesecurity so far, because it messes up statistics and >> generally make it less transparent why a mail was blocked. >> >> My problem is I don't want my system to list a mail as a virus if it's >> "just" >> a spam or phishing attack. >> >> Am I alone with these concerns or have anybody found a "fix" for it? >> >> I am using newest mailscanner and mailwatch versions. >> >> I'd love to improve my protection with sanesecurity but not at the >> cost of >> making my spam/virus stats useless. > > agreed, it's very confusing to users why an image spam or a 419 > suddenly shows up as "infected" So don't deliver "infected" email at all, just drop it with the "Silent Viruses = All-Viruses" setting. Then they never see it and don't worry about it. > >> Let me know what you think. > > Not tested under heavy load but ClamAVPlugin allows to tag with ClamAV > results and let SA do its usual work. > > If you're using Clam as only AV, dunno how wise it is, but if you have > a commercial scanner in place to take care of the real viri, then > ClamAVPlugin could possibly give you the extra control/stats. > You could even score depending on descriptions, etc. > > See: > http://wiki.apache.org/spamassassin/ClamAVPlugin > > > Alex Jules 
From MailScanner at ecs.soton.ac.uk Fri Jan 23 21:38:18 2009 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Jan 23 21:38:36 2009 Subject: Email causing MailScanner to go defunct. In-Reply-To: References: Message-ID: <497A38CA.8040100@ecs.soton.ac.uk> On 23/1/09 18:31, Mark Sapiro wrote: > Kai Schaetzl wrote: > > >> Shuttlebox wrote on Fri, 23 Jan 2009 15:56:34 +0100: >> >> >>> I check the first 50k but skip if it's above 200k. >>> >> How do you do that with MS? I don't know of such an option. >> > > > Max Spam Check Size = 200k > Max SpamAssassin Size = 50k > Thank you, I was waiting for someone to actually read the conf file and post both settings. Thanks mate! :-) Jules From MailScanner at ecs.soton.ac.uk Fri Jan 23 21:39:14 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Jan 23 21:39:28 2009 Subject: Quarantined email testing/troubleshooting In-Reply-To: References: <4978829702000027000288F0@gwiadom.oes.beds.ac.uk> <49789F360200002700028929@gwiadom.oes.beds.ac.uk> <49789F360200002700028929@gwiadom.oes.beds.ac.uk> <4978A3CE.2070603@ecs.soton.ac.uk> Message-ID: <497A3902.5030609@ecs.soton.ac.uk> On 23/1/09 18:44, Scott Silva wrote: > on 1-22-2009 8:50 AM Julian Field spake the following: > >> You can't just use df and/or qf files as if they were RFC822 messages. >> They're not. >> However, they *nearly* are, when used as a pair. >> Many years ago (2002 is the date stamp on the file) I wrote a script >> which would take an entire quarantine directory (or a string of >> directory names) full of qf* and df* files, and generate an mbox file >> from them, which could then be simply fed to sa-learn with 1 command to >> learn the whole lot at one go by using the "--mbox" command-line option >> to sa-learn. >> It's at >> www.mailscanner.info/files/4/df2mbox >> It's a fairly simple shell script, I'm sure you can hack it around if >> you want to do something slightly different with it. >> >> Usage example: >> Say you have a quarantine directory >> /var/spool/MailScanner/quarantine/ and each of those >> subdirectories contains a whole bunch of qf and df files in >> the same directory. You can just do >> cd /var/spool/MailScanner/quarantine >> df2mbox * >> and it will go and get on with it, and give you a pile of mbox files as >> a result. >> >> > The requested URL /files/4/df2mbox was not found on this server. > > Drop the "4/", sorry. Jules 
From ssilva at sgvwater.com Fri Jan 23 21:58:01 2009 From: ssilva at sgvwater.com (Scott Silva) Date: Fri Jan 23 21:58:24 2009 Subject: Sanesecurity Signatures and MailScanner In-Reply-To: <497A3631.2020004@ecs.soton.ac.uk> References: <37166.93.97.28.110.1232702718.squirrel@saturn.dataflame.net> <497A3631.2020004@ecs.soton.ac.uk> Message-ID: on 1-23-2009 1:27 PM Julian Field spake the following: > Steve, > > Just to confirm before I spend time digging into MailScanner: this is > not a MailScanner problem at all, correct? > > Cheers, > Jules. > Watching the list traffic it seems to be a problem if you use clamscan instead of clamd. Whether it is clam or Mailscanner, I do not know. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ms-list at alexb.ch Fri Jan 23 22:04:27 2009 
From: ms-list at alexb.ch (Alex Broens) Date: Fri Jan 23 22:04:36 2009 Subject: Sanesecurity ClamAV sigs are back. Yay! In-Reply-To: <497A3822.5060108@ecs.soton.ac.uk> References: <497839A8.8000104@ecs.soton.ac.uk> <007901c97d6e$6e7b78f0$4b726ad0$@dk> <4979E486.2000001@alexb.ch> <497A3822.5060108@ecs.soton.ac.uk> Message-ID: <497A3EEB.3050506@alexb.ch> On 1/23/2009 10:35 PM, Julian Field wrote: > > > On 23/1/09 15:38, Alex Broens wrote: >> On 1/23/2009 4:22 PM, Jonas Akrouh Larsen wrote: >>> I've not used sanesecurity so far, because it messes up statistics and >>> generally make it less transparent why a mail was blocked. >>> >>> My problem is I don't want my system to list a mail as a virus if it's >>> "just" >>> a spam or phishing attack. >>> >>> Am I alone with these concerns or have anybody found a "fix" for it? >>> >>> I am using newest mailscanner and mailwatch versions. >>> >>> I'd love to improve my protection with sanesecurity but not at the >>> cost of >>> making my spam/virus stats useless. >> >> agreed, it's very confusing to users why an image spam or a 419 >> suddenly shows up as "infected" > So don't deliver "infected" email at all, just drop it with the "Silent > Viruses = All-Viruses" setting. Then they never see it and don't worry > about it. Dropping is not an approach everybody can use, some even per law. If you use Mailwatch, like many do, they see an entry and that triggers questions. There's many other reasons not to drop msgs, no matter what, it all depends where you're sitting. The SaneSecurity sigs have developed in a direction where they have very little to do with pure AV but act more like several well known digests designed for spam detection and imo, should be treated as such. Alex PS: I wouldn't underestimate the power of pretty graphs... :-) From ssilva at sgvwater.com Fri Jan 23 22:09:05 2009 
From: ssilva at sgvwater.com (Scott Silva) Date: Fri Jan 23 22:09:22 2009 Subject: Here's an interesting observation In-Reply-To: <497A0441.3020009@cnpapers.com> References: <497A0441.3020009@cnpapers.com> Message-ID: on 1-23-2009 9:54 AM Steve Campbell spake the following: > I've been fighting this for a while now. I don't know if my SA timeouts > are gone, but: > > I removed the KAM rules, and a backlog of mail processed really fast. I > haven't had a SA timeout in more than 30 minutes, and before removal, > they were happening about every 3 minutes. > > steve > Maybe there is a complex regex in the kam rules that is playing havoc on your perl version in CentOS 3. I remember having issues when I ran perl 5.8.0 with some regex processing. It might also explain why so many of the perl modules didn't compile. Might be time to think about migrating the servers to something newer. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From rcooper at dwford.com Fri Jan 23 23:13:03 2009 From: rcooper at dwford.com (Rick Cooper) Date: Fri Jan 23 23:13:18 2009 Subject: Sanesecurity ClamAV sigs are back. Yay! In-Reply-To: <497A3EEB.3050506@alexb.ch> References: <497839A8.8000104@ecs.soton.ac.uk> <007901c97d6e$6e7b78f0$4b726ad0$@dk> <4979E486.2000001@alexb.ch><497A3822.5060108@ecs.soton.ac.uk> <497A3EEB.3050506@alexb.ch> Message-ID: > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On > Behalf Of Alex Broens > Sent: Friday, January 23, 2009 5:04 PM > To: MailScanner discussion > Subject: Re: Sanesecurity ClamAV sigs are back. Yay! > > On 1/23/2009 10:35 PM, Julian Field wrote: > > > > > > On 23/1/09 15:38, Alex Broens wrote: > >> On 1/23/2009 4:22 PM, Jonas Akrouh Larsen wrote: > >>> I've not used sanesecurity so far, because it messes up > statistics and > >>> generally make it less transparent why a mail was blocked. > >>> > >>> My problem is I don't want my system to list a mail as a > virus if it's [...] > > The SaneSecurity sigs have developed in a direction where > they have very > little to do with pure AV but act more like several well > known digests > designed for spam detection and imo, should be treated as such. Actually if you look at pretty much all the third party signatures they revolve around spam, phishing, etc and not actual viruses. Viruses are submitted to the clam team and added to their sigs. I believe this was part of the reason the clamav team started the practice of outputting the fact that the signature that was hit is a third party sig so parsers could easily tell that the sig was likely not an actual virus. I think the sanesecurity sigs do an overall better job than a lot of the various digests and spamassassin for that matter. I cannot remember ever seeing a FP from them. Maybe, somewhere down the road the clam section of MS can be reworked to recognize "UNOFFICIAL" in the virus name. For that matter SaneSecurity actually has .Spam, .Malware, .Scamx in the virus name as well. If it's not too hard to rewrite the clam section to add non virus hits to spam/scam instead of viruses it might be worth doing. Maybe add a X-SaneSecurity header that can be scored by SpamAssassin? I guess not, now that I think about it spam scanning comes before virus scanning doesn't it? 
Too bad that can't easily be changed as it's a shame to scan a message for spam only to find it contains a virus/malware and wouldn't be delivered anyway > > Alex > > PS: I wouldn't underestimate the power of pretty graphs... :-) From campbell at cnpapers.com Sat Jan 24 01:30:04 2009 
From: campbell at cnpapers.com (Steve Campbell) Date: Sat Jan 24 01:30:25 2009 Subject: Here's an interesting observation In-Reply-To: References: <497A0441.3020009@cnpapers.com> Message-ID: <1232760604.497a6f1caae55@perdition.cnpapers.net> Quoting Scott Silva : > on 1-23-2009 9:54 AM Steve Campbell spake the following: > > I've been fighting this for a while now. I don't know if my SA timeouts > > are gone, but: > > > > I removed the KAM rules, and a backlog of mail processed really fast. I > > haven't had a SA timeout in more than 30 minutes, and before removal, > > they were happening about every 3 minutes. > > > > steve > > > Maybe there is a complex regex in the kam rules that is playing havoc on > your > perl version in CentOS 3. I remember having issues when I ran perl 5.8.0 > with > some regex processing. > > It might also explain why so many of the perl modules didn't compile. > > Might be time to think about migrating the servers to something newer. > I totally agree here with upgrading, but don't see a way to do it immediately. I suspect that KAM definitely had something to do with the problem based on the way the server reacted after removing KAM. Now here's the catch. This is the same Perl that ran KAM rules two upgrades ago when the server ran just fine. The only thing that changed was the version of MS, which had the modules installation problems, I think a new version of SA, and the addition of multiple SARE rules due to the ease of the new update-sa (sa-update?). I removed the SARE rules and that didn't resolve anything. Quite a lot, I realize. So I'm thinking either old KAM doesn't work well with new SA, or KAM doesn't work well with the combination of new Perl modules plus the old ones that stuck around either due to install failures or just plain ole KAM doesn't mesh with the new MS. Regardless of the problem's cause, I'm just happy to have a smooth run MS server now. 
I've learned a lot during this trial, and hope it helps others who may be running Centos 3 and KAM. It's also an alert for maybe other older Centos distros also. steve From jtp at jtpage.net Sat Jan 24 15:47:22 2009 From: jtp at jtpage.net (JTP10181) Date: Sat Jan 24 15:47:45 2009 Subject: Watermark catching mailscanners own bounce messages Message-ID: <004701c97e3b$0ceeda00$26cc8e00$@net> OK this is my first time posting on here so I hope I am doing this right. I enabled watermarks to cut down on the fake bounce messages. It seemed like it was working. I was watching mailwatch one day and noticed someone sent an exe file which got flagged as a bad file. Mailscanner then went to send a bounce message back to sender of the file but that got flagged as spam because it did not have a watermark on it and mailscanner was not able to pick up a "from" address. I do have a valid from addy configured in the mailscanner conf which I saw in the headers but the "return path" I believe was the MAILER_DEAMON which seems to make it have no from address according to mailscanner. Do I have something configured wrong, or is this a bug? From jtp at jtpage.net Sat Jan 24 15:53:18 2009 
From: jtp at jtpage.net (JTP10181) Date: Sat Jan 24 15:53:36 2009 Subject: Watermark catching mailscanners own bounce messages Message-ID: <005201c97e3b$e095e560$a1c1b020$@net> OK this is my first time posting on here so I hope I am doing this right. I am using: redhat-release-5Server-5.2.0.4 mailscanner-4.74.13-2 sendmail-8.13.8-2.el5 I enabled watermarks to cut down on the fake bounce messages. It seemed like it was working. I was watching mailwatch one day and noticed someone sent an exe file which got flagged as a bad file. Mailscanner then went to send a bounce message back to sender of the file but that got flagged as spam because it did not have a watermark on it and mailscanner was not able to pick up a "from" address. I do have a valid from addy configured in the mailscanner conf which I saw in the headers but the "return path" I believe was the MAILER_DEAMON which seems to make it have no from address according to mailscanner. Do I have something configured wrong, or is this a bug? From simonmjones at gmail.com Sat Jan 24 19:47:16 2009 
From: simonmjones at gmail.com (Simon Jones) Date: Sat Jan 24 19:47:26 2009 Subject: WARNING: Ignoring deprecated option --unzip Message-ID: <70572c510901241147w6d28cc19hb6146a0fd5dee2fd@mail.gmail.com> Evening chaps, gateway still running like a dog! I've noticed in /var/log/maillog the following; Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring deprecated option --unzip Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring deprecated option --jar Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring deprecated option --tar Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring deprecated option --tgz Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring deprecated option --deb Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring deprecated option --max-ratio Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring deprecated option --unrar I'm assuming it won't hurt performance and I'm sure someone's come across this before so if you could point me in the direction to the fix it'd be great, thanks Simon From glenn.steen at gmail.com Sat Jan 24 21:49:47 2009 
From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Jan 24 21:49:57 2009 Subject: WARNING: Ignoring deprecated option --unzip In-Reply-To: <70572c510901241147w6d28cc19hb6146a0fd5dee2fd@mail.gmail.com> References: <70572c510901241147w6d28cc19hb6146a0fd5dee2fd@mail.gmail.com> Message-ID: <223f97700901241349o6d2a175av7c47d01e7da64306@mail.gmail.com> 2009/1/24 Simon Jones : > Evening chaps, gateway still running like a dog! I've noticed in > /var/log/maillog the following; > Do you use clamscan? That is... in MailScanner.conf you might have "Virus Scanners = clamav"...? That might explain why your system seems ... sluggish. Since quite a while back, clamscan would be unusable, more or less... other than on very low volume systems, since the signature file loading is ... costly. Same thing with clamavmodule (each MailScanner child would spend a while loading up the sigs, at 100% CPU, then start operating normally... until the child restarts (normally after 4 hours)), more or less. The recommended way of using ClamAV, these days, is through the clamd daemon (and Rick's perl interface:). Really slick, small memory footprint etc. Go look in the wiki, there's some info on how to switch to clamd there. ... and one of these days, I'll type up something on how to do clamd with Jules' package (basically make a smallish init script, and configure cron for clamdwatch:-). The errors you quoted (and I snipped) seem to be regarding the clamscan wrapper/SweepViruses.pm settings for the clamscan command line. If you don't use that... it cannot bite you:-). Or you might need to upgrade MS, I'm not sure on that though:-). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From maillists at conactive.com Sun Jan 25 11:31:17 2009 
From: maillists at conactive.com (Kai Schaetzl) Date: Sun Jan 25 11:31:30 2009 Subject: WARNING: Ignoring deprecated option --unzip In-Reply-To: <70572c510901241147w6d28cc19hb6146a0fd5dee2fd@mail.gmail.com> References: <70572c510901241147w6d28cc19hb6146a0fd5dee2fd@mail.gmail.com> Message-ID: you are using a new clamav with an older MS. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From MailScanner at ecs.soton.ac.uk Sun Jan 25 16:27:23 2009 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Jan 25 16:27:45 2009 Subject: Sanesecurity Signatures and MailScanner In-Reply-To: References: <37166.93.97.28.110.1232702718.squirrel@saturn.dataflame.net> <497A3631.2020004@ecs.soton.ac.uk> Message-ID: <497C92EB.4070105@ecs.soton.ac.uk> On 23/1/09 21:58, Scott Silva wrote: > on 1-23-2009 1:27 PM Julian Field spake the following: > >> Steve, >> >> Just to confirm before I spend time digging into MailScanner: this is >> not a MailScanner problem at all, correct? >> >> Cheers, >> Jules. >> >> > Watching the list traffic it seems to be a problem if you use clamscan instead > of clamd. Whether it is clam or Mailscanner, I do not know. > Here's a very short patch to /usr/lib/MailScanner/MailScanner/SweepViruses.pm that solves the problem: --- /root/v4/NEWSTABLE/mailscanner/bin/MailScanner/SweepViruses.pm 2009-01-11 19:27:02.000000000 +0000 +++ SweepViruses.pm 2009-01-25 16:24:33.000000000 +0000 
@@ -2724,6 +2724,8 @@ $file =~ s/^(.\/)?$BaseDir\/?//; $file =~ s/^\.\///; my ($id,$part) = split /\//, $file, 2; + # JKF 20090125 Full message check. + $part = "" if $id =~ s/\.(message|header)$//; # Only log the whole message if no attachment has been logged MailScanner::Log::InfoLog("%s", $logline) This will be in the next release. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Sun Jan 25 17:23:42 2009 
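Review bot: the added line after the `split` changes `$id` as a side effect of its own condition (`$id =~ s/\.(message|header)$//`), so one statement both strips the suffix and blanks `$part`, which is easy to misread as a plain test. Consider making the two steps explicit and expanding the comment "Full message check." to say that a first path component ending in `.message` or `.header` is being treated as the whole message rather than as an attachment. It is also worth confirming that a real message id can never end in one of those suffixes, since it would be silently truncated here.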
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Jan 25 17:24:05 2009 Subject: Sanesecurity ClamAV sigs are back. Yay! In-Reply-To: References: <497839A8.8000104@ecs.soton.ac.uk> <007901c97d6e$6e7b78f0$4b726ad0$@dk> <4979E486.2000001@alexb.ch><497A3822.5060108@ecs.soton.ac.uk> <497A3EEB.3050506@alexb.ch> Message-ID: <497CA01E.9070809@ecs.soton.ac.uk> On 23/1/09 23:13, Rick Cooper wrote: > now that I think about it spam scanning comes before virus > scanning doesn't it? Too bad that can't easily be changed as it's a shame to > scan a message for spam only to find it contains a virus/malware and > wouldn't be delivered anyway > 95% of your mail is spam, so doesn't need virus scanning. About 5% of your mail is a virus, so doesn't need spam scanning. Understand why I do it the way round I do? Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Sun Jan 25 17:25:10 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Jan 25 17:25:31 2009 Subject: Here's an interesting observation In-Reply-To: <1232760604.497a6f1caae55@perdition.cnpapers.net> References: <497A0441.3020009@cnpapers.com> <1232760604.497a6f1caae55@perdition.cnpapers.net> Message-ID: <497CA076.8050106@ecs.soton.ac.uk> On 24/1/09 01:30, Steve Campbell wrote: > Quoting Scott Silva: > > >> on 1-23-2009 9:54 AM Steve Campbell spake the following: >> >>> I've been fighting this for a while now. I don't know if my SA timeouts >>> are gone, but: >>> >>> I removed the KAM rules, and a backlog of mail processed really fast. I >>> haven't had a SA timeout in more than 30 minutes, and before removal, >>> they were happening about every 3 minutes. >>> >>> steve >>> >>> >> Maybe there is a complex regex in the kam rules that is playing havoc on >> your >> perl version in CentOS 3. I remember having issues when I ran perl 5.8.0 >> with >> some regex processing. >> >> It might also explain why so many of the perl modules didn't compile. >> >> Might be time to think about migrating the servers to something newer. >> >> > I totally agree here with upgrading, but don't see a way to do it immediately. I > suspect that KAM definitely had something to do with the problem based on the > way the server reacted after removing KAM. > > Now here's the catch. This is the same Perl that ran KAM rules two upgrades ago > when the server ran just fine. The only thing that changed was the version of > MS, which had the modules installation problems, I think a new version of SA, > and the addition of multiple SARE rules due to the ease of the new update-sa > (sa-update?). I removed the SARE rules and that didn't resolve anything. Quite a > lot, I realize. 
> > So I'm thinking either old KAM doesn't work well with new SA, or KAM doesn't > work well with the combination of new Perl modules plus the old ones that stuck > around either due to install failures or just plain ole KAM doesn't mesh with > the new MS. > KAM and MS are independent. > Regardless of the problem's cause, I'm just happy to have a smooth run MS server > now. I've learned a lot during this trial, and hope it helps others who may be > running Centos 3 and KAM. It's also an alert for maybe other older Centos > distros also. > I very much doubt anyone tests anything with CentOS 3 any more. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Sun Jan 25 17:27:10 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Jan 25 17:27:30 2009 Subject: WARNING: Ignoring deprecated option --unzip In-Reply-To: <70572c510901241147w6d28cc19hb6146a0fd5dee2fd@mail.gmail.com> References: <70572c510901241147w6d28cc19hb6146a0fd5dee2fd@mail.gmail.com> Message-ID: <497CA0EE.6@ecs.soton.ac.uk> This is documented in the MailScanner ChangeLog. You have updated ClamAV, and you require a MailScanner update as well to match the new command-line syntax. It was mentioned in my "new version announcement" to the MailScanner-Announce list a while back. On 24/1/09 19:47, Simon Jones wrote: > Evening chaps, gateway still running like a dog! I've noticed in > /var/log/maillog the following; > > Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring > deprecated option --unzip > Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring > deprecated option --jar > Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring > deprecated option --tar > Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring > deprecated option --tgz > Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring > deprecated option --deb > Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring > deprecated option --max-ratio > Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring > deprecated option --unrar > > I'm assuming it won't hurt performance and I'm sure someone's come > across this before so if you could point me in the direction to the > fix it'd be great, > > thanks > > Simon > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From rcooper at dwford.com Sun Jan 25 17:37:49 2009 From: rcooper at dwford.com (Rick Cooper) Date: Sun Jan 25 17:38:03 2009 Subject: Sanesecurity ClamAV sigs are back. Yay! In-Reply-To: <497CA01E.9070809@ecs.soton.ac.uk> References: <497839A8.8000104@ecs.soton.ac.uk> <007901c97d6e$6e7b78f0$4b726ad0$@dk> <4979E486.2000001@alexb.ch><497A3822.5060108@ecs.soton.ac.uk> <497A3EEB.3050506@alexb.ch> <497CA01E.9070809@ecs.soton.ac.uk> Message-ID: <2B56E1F1EE154DE19AA117B2875EFC76@SAHOMELT> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On > Behalf Of Julian Field > Sent: Sunday, January 25, 2009 12:24 PM > To: MailScanner discussion > Subject: Re: Sanesecurity ClamAV sigs are back. Yay! > > > > On 23/1/09 23:13, Rick Cooper wrote: > > now that I think about it spam scanning comes before virus > > scanning doesn't it? Too bad that can't easily be changed > as it's a shame to > > scan a message for spam only to find it contains a > virus/malware and > > wouldn't be delivered anyway > > > 95% of your mail is spam, so doesn't need virus scanning. > About 5% of your mail is a virus, so doesn't need spam scanning. > Understand why I do it the way round I do? > > Jules > True enough. Over all the load would probably be larger. Rick -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From rvdmerwe at mhg.co.za Sun Jan 25 17:52:33 2009 
From: rvdmerwe at mhg.co.za (Rabie Van der Merwe)
Date: Sun Jan 25 17:52:55 2009
Subject: Email causing MailScanner to go defunct.
In-Reply-To: <497A38CA.8040100@ecs.soton.ac.uk>
References: <497A38CA.8040100@ecs.soton.ac.uk>
Message-ID: <6f34b29a-eb08-11dd-909e-0004e2e@rocketseed.mhg.co.za>

My question seems to have drifted a little off topic :)
I have a postfix queue file (from the hold directory) that causes MS to fail, is there some way that I could analyze it and provide meaningful details back to the list/you Julian on why it's causing MS to fail?
Else I could try and email it to you, but that's only if you are interested ... :)

Regards
Rabie

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: 23 January 2009 23:38 PM To: MailScanner discussion Subject: Re: Email causing MailScanner to go defunct. On 23/1/09 18:31, Mark Sapiro wrote: > Kai Schaetzl wrote: > > >> Shuttlebox wrote on Fri, 23 Jan 2009 15:56:34 +0100: >> >> >>> I check the first 50k but skip if it's above 200k. >>> >> How do you do that with MS? I don't know of such an option. >> > > > Max Spam Check Size = 200k > Max SpamAssassin Size = 50k > Thankyou, I was waiting for someone to actually read the conf file and post both settings. Thanks mate! :-) Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! ********************************************************************** --------- NOTICE --------- This message (including attachments) contains privileged and confidential information intended only for the person or entity to which it is addressed. Any review, retransmission, dissemination, copy or other use of, or taking of any action in reliance upon this information by persons or entities other than the intended recipient, is prohibited. If you received this message in error, please notify the sender immediately by e-mail, facsimile or telephone and thereafter delete the material from any computer. 
Metropolitan Health Group, its subsidiaries or associates, does not accept liability for any personal views expressed in this message. Metropolitan Health Group PO Box 4313 Cape Town 8000 Tel: (021) 480 4511 Fax: (021) 480 4535 www.mhg.co.za ********************************************************************** -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090125/08e1ea52/attachment.html From edewing at fastmail.fm Sun Jan 25 18:42:01 2009 From: edewing at fastmail.fm (Ed Ewing) Date: Sun Jan 25 18:42:13 2009 Subject: Is -1 value in max.attachment.size.rules acceptable? Message-ID: <497CB279.8040904@fastmail.fm> Hello all, Will someone confirm if using "FromOrTo: default -1" in max.attachment.size.rules is an acceptable value? Have set limits for some domains and want the default to be no limit. Tried using "Maximum Attachment Size = 0" similar to the directive in max.message.size.rules (Maximum Message Size = 0) but MS gives a syntax error on reload. Thank you. From glenn.steen at gmail.com Sun Jan 25 18:47:50 2009 
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sun Jan 25 18:48:00 2009
Subject: Email causing MailScanner to go defunct.
In-Reply-To: <6f34b29a-eb08-11dd-909e-0004e2e@rocketseed.mhg.co.za>
References: <497A38CA.8040100@ecs.soton.ac.uk> <6f34b29a-eb08-11dd-909e-0004e2e@rocketseed.mhg.co.za>
Message-ID: <223f97700901251047g1610f899h4cbd7e6f91475a31@mail.gmail.com>

2009/1/25 Rabie Van der Merwe :
>
> My question seems to have drifted a little off topic :)
> I have a postfix queue file (from the hold directory) that causes MS to
> fail, is there some way that I could analyze it and provide meaningful
> details back to the list/you Julian on why it's causing MS to fail?
> Else I could try and email it to you, but that's only if you are
> interested ... :)
>
> Regards
> Rabie
>

Hi Rabie,

The log you quoted in your initial post just indicates that the message is skipped from spam scanning since it is larger than your "Max Spam Check Size"... Hence the ensuing debate:-)...
Start by increasing that substantially, then drop the message in again... Still problematic?
Having defunct processes is normal, actually... If they stick around, or all MS children suddenly go defunct, that might indicate a problem... You didn't show/indicate that this was the case. Is it?

You could gzip the queue file and send it to me for testing... I'll run it through a testbed tomorrow... If you do, please include as much info as possible about actual versions (of pretty much everything:-) so that I can mimic it as best I can.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From MailScanner at ecs.soton.ac.uk Sun Jan 25 19:57:23 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Jan 25 19:57:47 2009 Subject: Is -1 value in max.attachment.size.rules acceptable? In-Reply-To: <497CB279.8040904@fastmail.fm> References: <497CB279.8040904@fastmail.fm> Message-ID: <497CC423.8060401@ecs.soton.ac.uk> On 25/1/09 18:42, Ed Ewing wrote: > Hello all, > > Will someone confirm if using "FromOrTo: default -1" in > max.attachment.size.rules is an acceptable value? According to my docs in MailScanner.conf it is acceptable. Have you tried it? > Have set limits for some domains and want the default to be no limit. > Tried using "Maximum Attachment Size = 0" similar to the directive in > max.message.size.rules (Maximum Message Size = 0) but MS gives a > syntax error on reload. According to the docs, that will set a maximum size limit of zero bytes. Don't apply the docs from 1 setting to a different setting. That's why there are docs for each setting... > > Thank you. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Sun Jan 25 19:59:03 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Jan 25 19:59:25 2009
Subject: Email causing MailScanner to go defunct.
In-Reply-To: <223f97700901251047g1610f899h4cbd7e6f91475a31@mail.gmail.com>
References: <497A38CA.8040100@ecs.soton.ac.uk> <6f34b29a-eb08-11dd-909e-0004e2e@rocketseed.mhg.co.za> <223f97700901251047g1610f899h4cbd7e6f91475a31@mail.gmail.com>
Message-ID: <497CC487.5080007@ecs.soton.ac.uk>

On 25/1/09 18:47, Glenn Steen wrote:
> 2009/1/25 Rabie Van der Merwe:
>
>> My question seems to have drifted a little off topic :)
>> I have a postfix queue file (from the hold directory) that causes MS to
>> fail, is there some way that I could analyze it and provide meaningful
>> details back to the list/you Julian on why it's causing MS to fail?
>> Else I could try and email it to you, but that's only if you are
>> interested ... :)
>>
>> Regards
>> Rabie
>>
>>
>
> Hi Rabie,
>
> The log you quoted in your initial post just indicates that the message
> is skipped from spam scanning since it is larger than your "Max Spam
> Check Size"... Hence the ensuing debate:-)...
> Start by increasing that substantially, then drop the message in
> again... Still problematic?
> Having defunct processes is normal, actually... If they stick around,
> or all MS children suddenly go defunct, that might indicate a
> problem... You didn't show/indicate that this was the case. Is it?
>
> You could gzip the queue file and send it to me for testing... I'll
> run it through a testbed tomorrow... If you do, please include as much
> info as possible about actual versions (of pretty much everything:-)
> so that I can mimic it as best I can.
>

Thanks Glenn. Yes, send it to Glenn and not me, he's in a better position to do thorough Postfix testing than I am.

Glenn ---- please send me the results of your test, I would be interested to see what's actually going on.

Cheers!
Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From MailScanner at ecs.soton.ac.uk Sun Jan 25 19:54:55 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Jan 25 20:30:58 2009
Subject: Email causing MailScanner to go defunct.
In-Reply-To: <6f34b29a-eb08-11dd-909e-0004e2e@rocketseed.mhg.co.za>
References: <497A38CA.8040100@ecs.soton.ac.uk> <6f34b29a-eb08-11dd-909e-0004e2e@rocketseed.mhg.co.za>
Message-ID: <497CC38F.4000406@ecs.soton.ac.uk>

I'm interested. Please don't email it to me, put it on an http server somewhere and mail me the URL.

On 25/1/09 17:52, Rabie Van der Merwe wrote:
> My question seems to have drifted a little off topic :)
> I have a postfix queue file (from the hold directory) that causes MS to
> fail, is there some way that I could analyze it and provide meaningful
> details back to the list/you Julian on why it's causing MS to fail?
> Else I could try and email it to you, but that's only if you are
> interested ... :)
>
> Regards
> Rabie
>
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian > Field > Sent: 23 January 2009 23:38 PM > To: MailScanner discussion > Subject: Re: Email causing MailScanner to go defunct. > > > > On 23/1/09 18:31, Mark Sapiro wrote: > > Kai Schaetzl wrote: > > > > > >> Shuttlebox wrote on Fri, 23 Jan 2009 15:56:34 +0100: > >> > >> > >>> I check the first 50k but skip if it's above 200k. > >>> > >> How do you do that with MS? I don't know of such an option. > >> > > > > > > Max Spam Check Size = 200k > > Max SpamAssassin Size = 50k > > > Thankyou, I was waiting for someone to actually read the conf file and > post both settings. Thanks mate! :-) > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > PGP public key: http://www.jules.fm/julesfm.asc > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > ********************************************************************** > --------- > NOTICE > --------- > > This message (including attachments) contains privileged and > confidential information intended only for the person or entity to > which it is addressed. > > Any review, retransmission, dissemination, copy or other use of, or > taking of any action in reliance upon this information by persons or > entities other than the intended recipient, is prohibited. 
> > If you received this message in error, please notify the sender > immediately by e-mail, facsimile or telephone and thereafter delete > the material from any computer. > > Metropolitan Health Group, its subsidiaries or associates, does not > accept liability for any personal views expressed in this message. > > *Metropolitan Health Group* > PO Box 4313 Cape Town 8000 Tel: (021) 480 4511 Fax: (021) 480 4535 > www.mhg.co.za > > ********************************************************************** > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From edewing at fastmail.fm Sun Jan 25 20:45:29 2009 From: edewing at fastmail.fm (Ed Ewing) Date: Sun Jan 25 20:45:41 2009 Subject: Is -1 value in max.attachment.size.rules acceptable? In-Reply-To: <497CC423.8060401@ecs.soton.ac.uk> References: <497CB279.8040904@fastmail.fm> <497CC423.8060401@ecs.soton.ac.uk> Message-ID: <497CCF69.9010001@fastmail.fm> On 1/25/2009 11:57 AM, Julian Field wrote: > According to my docs in MailScanner.conf it is acceptable. Have you > tried it? > > Jules > Yes, I did try it prior to posting and it appeared to work. Rulesets are not my strong point so wanted additional confirmation (other than what I saw in the docs) that it would take a negative number given that none of the other rules or examples I had contained a negative integer. Thank you Jules. From MailScanner at ecs.soton.ac.uk Mon Jan 26 08:20:29 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jan 26 08:22:37 2009 Subject: Is -1 value in max.attachment.size.rules acceptable? In-Reply-To: <497CCF69.9010001@fastmail.fm> References: <497CB279.8040904@fastmail.fm> <497CC423.8060401@ecs.soton.ac.uk> <497CCF69.9010001@fastmail.fm> Message-ID: <497D724D.3060806@ecs.soton.ac.uk> On 25/1/09 20:45, Ed Ewing wrote: > On 1/25/2009 11:57 AM, Julian Field wrote: >> According to my docs in MailScanner.conf it is acceptable. Have you >> tried it? >> >> Jules >> > Yes, I did try it prior to posting and it appeared to work. Rulesets > are not my strong point so wanted additional confirmation (other than > what I saw in the docs) that it would take a negative number given > that none of the other rules or examples I had contained a negative > integer. It will take whatever the particular configuration option on its own would take. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Mon Jan 26 08:46:05 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jan 26 08:47:09 2009 Subject: http://www.effierover.com/downloads/dynamic.txt Message-ID: <497D784D.8030908@ecs.soton.ac.uk> Anyone using this list at all? If so, any comments? Does it intersect well with Spamhaus lists so is unnecessary? Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From steve.freegard at fsl.com Mon Jan 26 09:08:45 2009 
From: steve.freegard at fsl.com (Steve Freegard)
Date: Mon Jan 26 09:08:56 2009
Subject: Preventing backscatter with sendmail
In-Reply-To: <1232621207.5426.19.camel@gblades-suse.linguaphone-intranet.co.uk>
References: <49df20710901210605w201f96del9a43a4e4caedc15d@mail.gmail.com> <623EBB34-96BA-46F1-8EF5-4B961F562AF8@rtpty.com> <4977399B.90806@fsl.com> <4977714E.1090606@fsl.com> <70ba75780901220224t341b897dm31140e1dca415931@mail.gmail.com> <1232621207.5426.19.camel@gblades-suse.linguaphone-intranet.co.uk>
Message-ID: <497D7D9D.5050404@fsl.com>

Gareth wrote:
> Haven't been following the spamassassin thread but for postfix to stop
> creating backscatter yourself use recipient verification.
> To remove backscatter either use the mailscanner watermark feature or if
> outgoing mail doesn't always go through mailscanner then you can use the
> spamassassin 'vbounce' plugin instead.

For Postfix you should really configure and enable the 'verify' daemon if the machine scans messages for non-local users.

See http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:how_to:reject_non_existent_users#using_smtp_recipient_verification

That will prevent *you* from causing backscatter. Any time you accept a message where an upstream SMTP server will do an SMTP 5xx rejection will cause you to generate an NDR to the envelope-sender (invalid recipients being the most common cause of this).

Cheers,
Steve.

From steve.freegard at fsl.com Mon Jan 26 09:12:54 2009
From: steve.freegard at fsl.com (Steve Freegard)
Date: Mon Jan 26 09:13:04 2009
Subject: http://www.effierover.com/downloads/dynamic.txt
In-Reply-To: <497D784D.8030908@ecs.soton.ac.uk>
References: <497D784D.8030908@ecs.soton.ac.uk>
Message-ID: <497D7E96.3070000@fsl.com>

Julian Field wrote:
> Anyone using this list at all?
> If so, any comments?

Not using it - seen it before though.

> Does it intersect well with Spamhaus lists so is unnecessary?

Yes - all of these should hit the PBL.

Cheers,
Steve.

From ms-list at alexb.ch Mon Jan 26 09:22:44 2009
From: ms-list at alexb.ch (Alex Broens)
Date: Mon Jan 26 09:22:53 2009
Subject: http://www.effierover.com/downloads/dynamic.txt
In-Reply-To: <497D784D.8030908@ecs.soton.ac.uk>
References: <497D784D.8030908@ecs.soton.ac.uk>
Message-ID: <497D80E4.9040509@alexb.ch>

On 1/26/2009 9:46 AM, Julian Field wrote:
> Anyone using this list at all?
> If so, any comments?
> Does it intersect well with Spamhaus lists so is unnecessary?

Looks pretty redundant with PBL + has a large bunch of potential FPs (edus, hosters, etc)

Personally, I wouldn't use it.

my 2 cents...

Alex

From c.granisso at dnshosting.it Mon Jan 26 10:20:25 2009
From: c.granisso at dnshosting.it (Carlo Granisso)
Date: Mon Jan 26 10:20:30 2009
Subject: Smtpd check with zen.spamhaus.org
Message-ID: <200901261020.n0QAKK0m008524@safir.blacknight.ie>

Hello.

I've a little problem. Postfix is configured to check smtp sender with zen.spamhaus.org but in mail.log I can't see messages checked and deleted with this restriction.
I've "googled" for this problem but I haven't found anything that can help me.

Have you got ideas?

Here's a portion of my "main.cf" file:

smtpd_recipient_restrictions = reject_unknown_address,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_unknown_sender_domain,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    reject_unauth_destination,
    reject_invalid_hostname,
    reject_unauth_pipelining,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dul.dnsbl.sorbs.net,
    reject_rbl_client zen.spamhaus.org,
    reject_rhsbl_client blackhole.securitysage.com,
    reject_rhsbl_sender blackhole.securitysage.com,
    reject_rhsbl_client rhsbl.sorbs.net,
    reject_rhsbl_sender rhsbl.sorbs.net

Tell me if you want other parts of this file.

Thanks for your help.

Carlo
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090126/02540d32/attachment.html

From campbell at cnpapers.com Mon Jan 26 11:59:43 2009
From: campbell at cnpapers.com (Steve Campbell) Date: Mon Jan 26 12:00:00 2009 Subject: Here's an interesting observation In-Reply-To: <497CA076.8050106@ecs.soton.ac.uk> References: <497A0441.3020009@cnpapers.com> <1232760604.497a6f1caae55@perdition.cnpapers.net> <497CA076.8050106@ecs.soton.ac.uk> Message-ID: <1232971183.497da5af98d97@perdition.cnpapers.net> Quoting Julian Field : > > > On 24/1/09 01:30, Steve Campbell wrote: > > Quoting Scott Silva: > > > > > >> on 1-23-2009 9:54 AM Steve Campbell spake the following: > >> > >>> I've been fighting this for a while now. I don't know if my SA timeouts > >>> are gone, but: > >>> > >>> I removed the KAM rules, and a backlog of mail processed really fast. I > >>> haven't had a SA timeout in more than 30 minutes, and before removal, > >>> they were happening about every 3 minutes. > >>> > >>> steve > >>> > >>> > >> Maybe there is a complex regex in the kam rules that is playing havoc on > >> your > >> perl version in CentOS 3. I remember having issues when I ran perl 5.8.0 > >> with > >> some regex processing. > >> > >> It might also explain why so many of the perl modules didn't compile. > >> > >> Might be time to think about migrating the servers to something newer. > >> > >> > > I totally agree here with upgrading, but don't see a way to do it > immediately. I > > suspect that KAM definitely had something to do with the problem based on > the > > way the server reacted after removing KAM. > > > > Now here's the catch. This is the same Perl that ran KAM rules two upgrades > ago > > when the server ran just fine. The only thing that changed was the version > of > > MS, which had the modules installation problems, I think a new version of > SA, > > and the addition of multiple SARE rules due to the ease of the new > update-sa > > (sa-update?). I removed the SARE rules and that didn't resolve anything. > Quite a > > lot, I realize. 
> > > > So I'm thinking either old KAM doesn't work well with new SA, or KAM > doesn't > > work well with the combination of new Perl modules plus the old ones that > stuck > > around either due to install failures or just plain ole KAM doesn't mesh > with > > the new MS. > > > KAM and MS are independent. > > Regardless of the problem's cause, I'm just happy to have a smooth run MS > server > > now. I've learned a lot during this trial, and hope it helps others who may > be > > running Centos 3 and KAM. It's also an alert for maybe other older Centos > > distros also. > > > I very much doubt anyone tests anything with CentOS 3 any more. > > Jules > > -- Julian, Thanks. I'm aware that KAM and MS are two separate things and related to SA instead of MS. I only mentioned my experiences to help others if they are running KAM with any distro and MS. There have been a lot of posts lately about SA timeouts, so I thought this might be helpful. I'm sort of stuck for a while with the old distro. We don't have a lot of spare servers with this type of power for me to upgrade with. And this server is an email do-all, running MS, SA, ClamD and the mail store for two domains. Even with the old OS, I give you kudos for your software as it still does what it's supposed to do. It'd probably do better with all the newer modules, but alas - the money issues here at our company. I hope you realize that this is praise, and not to be taken as argumentative. This mail list is the central focus point for many different pieces of software, as your software ties many of those pieces of software together. The list is comprised of many intelligent people who offer their wisdom. I can't usually offer much of it, so when I do have something to offer, I try and pay my dues. It's probably not the way it should be, but it is the focus point. steve ------------------------------------------------- This mail sent through IMP: http://horde.org/imp/ From simonmjones at gmail.com Mon Jan 26 12:16:38 2009 
From: simonmjones at gmail.com (Simon Jones) Date: Mon Jan 26 12:16:47 2009 Subject: WARNING: Ignoring deprecated option --unzip In-Reply-To: <497CA0EE.6@ecs.soton.ac.uk> References: <70572c510901241147w6d28cc19hb6146a0fd5dee2fd@mail.gmail.com> <497CA0EE.6@ecs.soton.ac.uk> Message-ID: <70572c510901260416i4258b66bx1d8e325f85ca2ff5@mail.gmail.com> 2009/1/25 Julian Field : > This is documented in the MailScanner ChangeLog. You have updated ClamAV, > and you require a MailScanner update as well to match the new command-line > syntax. It was mentioned in my "new version announcement" to the > MailScanner-Announce list a while back. > > On 24/1/09 19:47, Simon Jones wrote: >> >> Evening chaps, gateway still running like a dog! I've noticed in >> /var/log/maillog the following; >> >> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >> deprecated option --unzip >> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >> deprecated option --jar >> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >> deprecated option --tar >> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >> deprecated option --tgz >> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >> deprecated option --deb >> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >> deprecated option --max-ratio >> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >> deprecated option --unrar >> >> I'm assuming it won't hurt performance and I'm sure someone's come >> across this before so if you could point me in the direction to the >> fix it'd be great, >> >> thanks >> >> Simon >> > > Jules > hello chaps, thanks for that - I've updated MS and configured it to use clamd which works a treat, the machines are chewing spam like they haven't eaten in a month! 
I do have a spot of trouble with the MailScanner -d --lint test though -

bayes: failed rename /etc/MailScanner/bayes/bayes_journal to /etc/MailScanner/bayes/bayes_journal.old
bayes: failed rename /etc/MailScanner/bayes/bayes_journal to /etc/MailScanner/bayes/bayes_journal.old
bayes: failed rename /etc/MailScanner/bayes/bayes_journal to /etc/MailScanner/bayes/bayes_journal.old

Previous error complained of not being able to read the files so I chown postfix:root * in the directory, now I'm getting the above. Seems to have fixed the read error though...

thanks again,

Simon

From maillists at conactive.com Mon Jan 26 12:39:05 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Mon Jan 26 12:39:16 2009
Subject: Smtpd check with zen.spamhaus.org
In-Reply-To: <200901261020.n0QAKK0m008524@safir.blacknight.ie>
References: <200901261020.n0QAKK0m008524@safir.blacknight.ie>
Message-ID:

Carlo Granisso wrote on Mon, 26 Jan 2009 11:20:25 +0100:

> smtpd_recipient_restrictions = reject_unknown_address,

invalid postfix option

> reject_invalid_hostname, reject_non_fqdn_hostname,
> reject_unknown_sender_domain, reject_non_fqdn_sender,
> reject_unknown_sender_domain, reject_non_fqdn_recipient,

duplicate

> reject_unknown_recipient_domain, permit_mynetworks,
> reject_unauth_destination, reject_invalid_hostname,
> reject_unauth_pipelining,

usually not useful in this context

reject_invalid_helo_hostname,
> reject_non_fqdn_helo_hostname, reject_rbl_client list.dsbl.org,

this list is dead since long.

> reject_rbl_client cbl.abuseat.org,

included in zen, you may want to check the other RBLs for duplicates as well. You *should* also check the effectiveness. Querying an RBL 10.000 times for 5 additional rejects is a waste. As a general rule of thumb I recommend not to use more than two or three RBLs at MTA.

reject_rbl_client dul.dnsbl.sorbs.net,
> reject_rbl_client zen.spamhaus.org, reject_rhsbl_client
> blackhole.securitysage.com, reject_rhsbl_sender blackhole.securitysage.com,

this list is dead since long.

Honestly, and in a friendly voice, your config looks a bit like you "assembled" and combined various options and RBLs from various "how to" sources without really knowing about them and never maintaining it since then.

As to your original question and assuming DSBL is not returning wildcard results, there are two possible reasons:
- there are no matches found
- you are blocked at spamhaus
- a timeout in the chain?

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Mon Jan 26 13:10:01 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Mon Jan 26 13:10:11 2009
Subject: Smtpd check with zen.spamhaus.org
In-Reply-To:
References: <200901261020.n0QAKK0m008524@safir.blacknight.ie>
Message-ID:

Kai Schaetzl wrote on Mon, 26 Jan 2009 13:39:05 +0100:

> > reject_unknown_recipient_domain, permit_mynetworks,
> > reject_unauth_destination, reject_invalid_hostname,

another duplicate and you are also using option names for version Postfix < 2.3. *Are* you running Postfix < 2.3?

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maxsec at gmail.com Mon Jan 26 14:01:13 2009
From: maxsec at gmail.com (Martin Hepworth) Date: Mon Jan 26 14:01:22 2009 Subject: WARNING: Ignoring deprecated option --unzip In-Reply-To: <70572c510901260416i4258b66bx1d8e325f85ca2ff5@mail.gmail.com> References: <70572c510901241147w6d28cc19hb6146a0fd5dee2fd@mail.gmail.com> <497CA0EE.6@ecs.soton.ac.uk> <70572c510901260416i4258b66bx1d8e325f85ca2ff5@mail.gmail.com> Message-ID: <72cf361e0901260601w6056148cx97afdf9fe7580dba@mail.gmail.com> 2009/1/26 Simon Jones : > 2009/1/25 Julian Field : >> This is documented in the MailScanner ChangeLog. You have updated ClamAV, >> and you require a MailScanner update as well to match the new command-line >> syntax. It was mentioned in my "new version announcement" to the >> MailScanner-Announce list a while back. >> >> On 24/1/09 19:47, Simon Jones wrote: >>> >>> Evening chaps, gateway still running like a dog! I've noticed in >>> /var/log/maillog the following; >>> >>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>> deprecated option --unzip >>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>> deprecated option --jar >>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>> deprecated option --tar >>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>> deprecated option --tgz >>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>> deprecated option --deb >>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>> deprecated option --max-ratio >>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>> deprecated option --unrar >>> >>> I'm assuming it won't hurt performance and I'm sure someone's come >>> across this before so if you could point me in the direction to the >>> fix it'd be great, >>> >>> thanks >>> >>> Simon >>> >> >> Jules >> > hello chaps, thanks for that - I've updated MS and configured it to > use clamd which works a treat, the machines are chewing spam like they > haven't eaten in a month! 
I do have a spot of trouble with the
> MailScanner -d --lint test though -
>
> bayes: failed rename /etc/MailScanner/bayes/bayes_journal to
> /etc/MailScanner/bayes/bayes_journal.old
> bayes: failed rename /etc/MailScanner/bayes/bayes_journal to
> /etc/MailScanner/bayes/bayes_journal.old
> bayes: failed rename /etc/MailScanner/bayes/bayes_journal to
> /etc/MailScanner/bayes/bayes_journal.old
>
> Previous error complained of not being able to read the files so i
> chown postfix:root * in the directory, now I'm getting the above.
> Seems to have fixed the read error though...
>
> thanks again,
>
> Simon
> --

Simon

check the directory has write permissions for the postfix user too.

--
Martin Hepworth
Oxford, UK

From glenn.steen at gmail.com Mon Jan 26 14:01:40 2009
From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Jan 26 14:01:49 2009 Subject: WARNING: Ignoring deprecated option --unzip In-Reply-To: <70572c510901260416i4258b66bx1d8e325f85ca2ff5@mail.gmail.com> References: <70572c510901241147w6d28cc19hb6146a0fd5dee2fd@mail.gmail.com> <497CA0EE.6@ecs.soton.ac.uk> <70572c510901260416i4258b66bx1d8e325f85ca2ff5@mail.gmail.com> Message-ID: <223f97700901260601p4f609362seaeaf4f936294722@mail.gmail.com> 2009/1/26 Simon Jones : > 2009/1/25 Julian Field : >> This is documented in the MailScanner ChangeLog. You have updated ClamAV, >> and you require a MailScanner update as well to match the new command-line >> syntax. It was mentioned in my "new version announcement" to the >> MailScanner-Announce list a while back. >> >> On 24/1/09 19:47, Simon Jones wrote: >>> >>> Evening chaps, gateway still running like a dog! I've noticed in >>> /var/log/maillog the following; >>> >>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>> deprecated option --unzip >>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>> deprecated option --jar >>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>> deprecated option --tar >>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>> deprecated option --tgz >>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>> deprecated option --deb >>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>> deprecated option --max-ratio >>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>> deprecated option --unrar >>> >>> I'm assuming it won't hurt performance and I'm sure someone's come >>> across this before so if you could point me in the direction to the >>> fix it'd be great, >>> >>> thanks >>> >>> Simon >>> >> >> Jules >> > hello chaps, thanks for that - I've updated MS and configured it to > use clamd which works a treat, the machines are chewing spam like they > haven't eaten in a month! 
I do have a spot of trouble with the
> MailScanner -d --lint test though -
>
> bayes: failed rename /etc/MailScanner/bayes/bayes_journal to
> /etc/MailScanner/bayes/bayes_journal.old
> bayes: failed rename /etc/MailScanner/bayes/bayes_journal to
> /etc/MailScanner/bayes/bayes_journal.old
> bayes: failed rename /etc/MailScanner/bayes/bayes_journal to
> /etc/MailScanner/bayes/bayes_journal.old
>
> Previous error complained of not being able to read the files so i
> chown postfix:root * in the directory, now I'm getting the above.
> Seems to have fixed the read error though...
>
> thanks again,
>
> Simon

This is how this looks for me (I use MailWatch where the apache user
and group is named "apache"):

# ls -ld /etc/MailScanner/bayes
drwxrwsrwx 2 postfix apache 4096 2009-01-26 14:58 /etc/MailScanner/bayes/
# ls -l /etc/MailScanner/bayes
totalt 6004
-rw-rw---- 1 postfix apache 2334 2009-01-26 14:58 bayes.mutex
-rw-r----- 1 apache apache 12288 2009-01-26 14:58 bayes_seen
-rw-rw---- 1 postfix apache 5984256 2009-01-26 14:58 bayes_toks
#

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From MailScanner at ecs.soton.ac.uk Mon Jan 26 14:22:32 2009
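The "failed rename" errors and the two replies above turn on one rule: renaming bayes_journal needs write and search permission on the directory itself, which `chown postfix:root *` run inside it never touches. The script below is an added example, not code from the thread; it evaluates `ls -ld` lines against that rule and also flags a directory whose mode, like `drwxrwsrwx`, lets any local account rename or delete the Bayes files. The function names, the assumption that the postfix account is only in group `postfix`, and the sample lines marked as constructed are all illustrative.

```shell
#!/bin/sh
# Added example, not code from the thread.

# Split one `ls -ld` line into ls_mode, ls_owner and ls_group.
parse_ls() {
    read -r ls_mode _links ls_owner ls_group _rest <<EOF
$1
EOF
}

# Print the rwx triplet that applies to USER: owner, else group, else other.
# Usage: triplet_for LSLINE USER "GROUP1 GROUP2 ..."
triplet_for() {
    parse_ls "$1"
    if [ "$2" = "$ls_owner" ]; then
        printf '%s\n' "$ls_mode" | cut -c2-4
        return
    fi
    for g in $3; do
        if [ "$g" = "$ls_group" ]; then
            printf '%s\n' "$ls_mode" | cut -c5-7
            return
        fi
    done
    printf '%s\n' "$ls_mode" | cut -c8-10
}

# Succeed if USER may rename an entry owned by FILE_OWNER in the directory.
# rename(2) needs write and search permission on the directory; on a sticky
# directory the caller must also own the entry or the directory.
# Usage: can_rename LSLINE USER "GROUPS" FILE_OWNER   (root is not modelled)
can_rename() {
    parse_ls "$1"
    case $(triplet_for "$1" "$2" "$3") in
        ?w[xst]) ;;
        *) return 1 ;;
    esac
    case $(printf '%s\n' "$ls_mode" | cut -c10) in
        [tT]) [ "$2" = "$ls_owner" ] || [ "$2" = "$4" ] ;;
        *) return 0 ;;
    esac
}

# Succeed if the directory is writable by "other" without the sticky bit,
# i.e. any local account can create, rename or delete entries in it.
world_writable_unrestricted() {
    parse_ls "$1"
    case $(printf '%s\n' "$ls_mode" | cut -c8-10) in
        ?w[tT]) return 1 ;;
        ?w?)    return 0 ;;
        *)      return 1 ;;
    esac
}

# Directory line as posted in the thread.
thread_dir='drwxrwsrwx 2 postfix apache 4096 2009-01-26 14:58 /etc/MailScanner/bayes/'
# Constructed: directory still root-owned after `chown postfix:root *` inside it.
constructed_dir='drwxr-xr-x 2 root root 4096 2009-01-26 12:00 /etc/MailScanner/bayes/'
# Constructed: setgid and group-writable, nothing for other accounts.
hardened_dir='drwxrws--- 2 postfix apache 4096 2009-01-26 12:00 /etc/MailScanner/bayes/'
# Constructed: world-writable but sticky, as on /tmp.
sticky_dir='drwxrwxrwt 2 root root 4096 2009-01-26 12:00 /etc/MailScanner/bayes/'

report() {  # LABEL LSLINE
    if can_rename "$2" postfix "postfix" postfix; then r=yes; else r=no; fi
    if world_writable_unrestricted "$2"; then w=yes; else w=no; fi
    printf '%-12s postfix can rename: %-3s  open to any account: %s\n' "$1" "$r" "$w"
}

report thread "$thread_dir"
report constructed "$constructed_dir"
report hardened "$hardened_dir"
report sticky "$sticky_dir"
```

On a real host, pass the output of `ls -ld /etc/MailScanner/bayes` together with the account MailScanner runs as and that account's groups.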
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jan 26 14:22:54 2009 Subject: Here's an interesting observation In-Reply-To: <1232971183.497da5af98d97@perdition.cnpapers.net> References: <497A0441.3020009@cnpapers.com> <1232760604.497a6f1caae55@perdition.cnpapers.net> <497CA076.8050106@ecs.soton.ac.uk> <1232971183.497da5af98d97@perdition.cnpapers.net> Message-ID: <497DC728.9080707@ecs.soton.ac.uk> On 26/1/09 11:59, Steve Campbell wrote: > Quoting Julian Field: > > >> On 24/1/09 01:30, Steve Campbell wrote: >> >>> Quoting Scott Silva: >>> >>> >>> >>>> on 1-23-2009 9:54 AM Steve Campbell spake the following: >>>> >>>> >>>>> I've been fighting this for a while now. I don't know if my SA timeouts >>>>> are gone, but: >>>>> >>>>> I removed the KAM rules, and a backlog of mail processed really fast. I >>>>> haven't had a SA timeout in more than 30 minutes, and before removal, >>>>> they were happening about every 3 minutes. >>>>> >>>>> steve >>>>> >>>>> >>>>> >>>> Maybe there is a complex regex in the kam rules that is playing havoc on >>>> your >>>> perl version in CentOS 3. I remember having issues when I ran perl 5.8.0 >>>> with >>>> some regex processing. >>>> >>>> It might also explain why so many of the perl modules didn't compile. >>>> >>>> Might be time to think about migrating the servers to something newer. >>>> >>>> >>>> >>> I totally agree here with upgrading, but don't see a way to do it >>> >> immediately. I >> >>> suspect that KAM definitely had something to do with the problem based on >>> >> the >> >>> way the server reacted after removing KAM. >>> >>> Now here's the catch. This is the same Perl that ran KAM rules two upgrades >>> >> ago >> >>> when the server ran just fine. The only thing that changed was the version >>> >> of >> >>> MS, which had the modules installation problems, I think a new version of >>> >> SA, >> >>> and the addition of multiple SARE rules due to the ease of the new >>> >> update-sa >> >>> (sa-update?). 
I removed the SARE rules and that didn't resolve anything. >>> >> Quite a >> >>> lot, I realize. >>> >>> So I'm thinking either old KAM doesn't work well with new SA, or KAM >>> >> doesn't >> >>> work well with the combination of new Perl modules plus the old ones that >>> >> stuck >> >>> around either due to install failures or just plain ole KAM doesn't mesh >>> >> with >> >>> the new MS. >>> >>> >> KAM and MS are independent. >> >>> Regardless of the problem's cause, I'm just happy to have a smooth run MS >>> >> server >> >>> now. I've learned a lot during this trial, and hope it helps others who may >>> >> be >> >>> running Centos 3 and KAM. It's also an alert for maybe other older Centos >>> distros also. >>> >>> >> I very much doubt anyone tests anything with CentOS 3 any more. >> >> Jules >> >> -- >> > Julian, > > Thanks. > > I'm aware that KAM and MS are two separate things and related to SA instead of > MS. I only mentioned my experiences to help others if they are running KAM with > any distro and MS. There have been a lot of posts lately about SA timeouts, so I > thought this might be helpful. > > I'm sort of stuck for a while with the old distro. We don't have a lot of spare > servers with this type of power for me to upgrade with. And this server is an > email do-all, running MS, SA, ClamD and the mail store for two domains. > > Even with the old OS, I give you kudos for your software as it still does what > it's supposed to do. It'd probably do better with all the newer modules, but > alas - the money issues here at our company. > > I hope you realize that this is praise, and not to be taken as argumentative. > This mail list is the central focus point for many different pieces of software, > as your software ties many of those pieces of software together. The list is > comprised of many intelligent people who offer their wisdom. I can't usually > offer much of it, so when I do have something to offer, I try and pay my dues. 
> It's probably not the way it should be, but it is the focus point. > > No worries :-) Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From simonmjones at gmail.com Mon Jan 26 14:29:32 2009 
From: simonmjones at gmail.com (Simon Jones) Date: Mon Jan 26 14:29:41 2009 Subject: WARNING: Ignoring deprecated option --unzip In-Reply-To: <223f97700901260601p4f609362seaeaf4f936294722@mail.gmail.com> References: <70572c510901241147w6d28cc19hb6146a0fd5dee2fd@mail.gmail.com> <497CA0EE.6@ecs.soton.ac.uk> <70572c510901260416i4258b66bx1d8e325f85ca2ff5@mail.gmail.com> <223f97700901260601p4f609362seaeaf4f936294722@mail.gmail.com> Message-ID: <70572c510901260629i2373807en75ad2f25e865f7e0@mail.gmail.com> 2009/1/26 Glenn Steen : > 2009/1/26 Simon Jones : >> 2009/1/25 Julian Field : >>> This is documented in the MailScanner ChangeLog. You have updated ClamAV, >>> and you require a MailScanner update as well to match the new command-line >>> syntax. It was mentioned in my "new version announcement" to the >>> MailScanner-Announce list a while back. >>> >>> On 24/1/09 19:47, Simon Jones wrote: >>>> >>>> Evening chaps, gateway still running like a dog! I've noticed in >>>> /var/log/maillog the following; >>>> >>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>>> deprecated option --unzip >>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>>> deprecated option --jar >>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>>> deprecated option --tar >>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>>> deprecated option --tgz >>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>>> deprecated option --deb >>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>>> deprecated option --max-ratio >>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>>> deprecated option --unrar >>>> >>>> I'm assuming it won't hurt performance and I'm sure someone's come >>>> across this before so if you could point me in the direction to the >>>> fix it'd be great, >>>> >>>> thanks >>>> >>>> Simon >>>> >>> >>> Jules >>> >> hello chaps, thanks for that - I've updated MS and configured 
it to >> use clamd which works a treat, the machines are chewing spam like they >> haven't eaten in a month! I do have a spot of trouble with the >> MailScanner -d --lint test though - >> >> bayes: failed rename /etc/MailScanner/bayes/bayes_journal to >> /etc/MailScanner/bayes/bayes_journal.old >> bayes: failed rename /etc/MailScanner/bayes/bayes_journal to >> /etc/MailScanner/bayes/bayes_journal.old >> bayes: failed rename /etc/MailScanner/bayes/bayes_journal to >> /etc/MailScanner/bayes/bayes_journal.old >> >> Previous error complained of not being able to read the files so i >> chown postfix:root * in the directory, now I'm getting the above. >> Seems to have fixed the read error though... >> >> thanks again, >> >> Simon > This is how this looks for me (I use MailWatch where the apache user > and group is named "apache"): > > # ls -ld /etc/MailScanner/bayes > drwxrwsrwx 2 postfix apache 4096 2009-01-26 14:58 /etc/MailScanner/bayes/ > # ls -l /etc/MailScanner/bayes > totalt 6004 > -rw-rw---- 1 postfix apache 2334 2009-01-26 14:58 bayes.mutex > -rw-r----- 1 apache apache 12288 2009-01-26 14:58 bayes_seen > -rw-rw---- 1 postfix apache 5984256 2009-01-26 14:58 bayes_toks > # > > Cheers > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com looks good! so simple I didn't think it could be that. finally since the upgrade I'm gettin commit ineffective with AutoCommit enabled at /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93, line 1 when i restart the MailScanner service, doesn't seem to be a problem but can it be tidied up? Simon From simonmjones at gmail.com Mon Jan 26 14:45:16 2009 
From: simonmjones at gmail.com (Simon Jones) Date: Mon Jan 26 14:45:25 2009 Subject: WARNING: Ignoring deprecated option --unzip In-Reply-To: <70572c510901260629i2373807en75ad2f25e865f7e0@mail.gmail.com> References: <70572c510901241147w6d28cc19hb6146a0fd5dee2fd@mail.gmail.com> <497CA0EE.6@ecs.soton.ac.uk> <70572c510901260416i4258b66bx1d8e325f85ca2ff5@mail.gmail.com> <223f97700901260601p4f609362seaeaf4f936294722@mail.gmail.com> <70572c510901260629i2373807en75ad2f25e865f7e0@mail.gmail.com> Message-ID: <70572c510901260645i2b0799b7jd5cd60bafa439df2@mail.gmail.com> 2009/1/26 Simon Jones : > 2009/1/26 Glenn Steen : >> 2009/1/26 Simon Jones : >>> 2009/1/25 Julian Field : >>>> This is documented in the MailScanner ChangeLog. You have updated ClamAV, >>>> and you require a MailScanner update as well to match the new command-line >>>> syntax. It was mentioned in my "new version announcement" to the >>>> MailScanner-Announce list a while back. >>>> >>>> On 24/1/09 19:47, Simon Jones wrote: >>>>> >>>>> Evening chaps, gateway still running like a dog! 
I've noticed in >>>>> /var/log/maillog the following; >>>>> >>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>>>> deprecated option --unzip >>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>>>> deprecated option --jar >>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>>>> deprecated option --tar >>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>>>> deprecated option --tgz >>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>>>> deprecated option --deb >>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>>>> deprecated option --max-ratio >>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>>>> deprecated option --unrar >>>>> >>>>> I'm assuming it won't hurt performance and I'm sure someone's come >>>>> across this before so if you could point me in the direction to the >>>>> fix it'd be great, >>>>> >>>>> thanks >>>>> >>>>> Simon >>>>> >>>> >>>> Jules >>>> >>> hello chaps, thanks for that - I've updated MS and configured it to >>> use clamd which works a treat, the machines are chewing spam like they >>> haven't eaten in a month! I do have a spot of trouble with the >>> MailScanner -d --lint test though - >>> >>> bayes: failed rename /etc/MailScanner/bayes/bayes_journal to >>> /etc/MailScanner/bayes/bayes_journal.old >>> bayes: failed rename /etc/MailScanner/bayes/bayes_journal to >>> /etc/MailScanner/bayes/bayes_journal.old >>> bayes: failed rename /etc/MailScanner/bayes/bayes_journal to >>> /etc/MailScanner/bayes/bayes_journal.old >>> >>> Previous error complained of not being able to read the files so i >>> chown postfix:root * in the directory, now I'm getting the above. >>> Seems to have fixed the read error though... 
>>> >>> thanks again, >>> >>> Simon >> This is how this looks for me (I use MailWatch where the apache user >> and group is named "apache"): >> >> # ls -ld /etc/MailScanner/bayes >> drwxrwsrwx 2 postfix apache 4096 2009-01-26 14:58 /etc/MailScanner/bayes/ >> # ls -l /etc/MailScanner/bayes >> totalt 6004 >> -rw-rw---- 1 postfix apache 2334 2009-01-26 14:58 bayes.mutex >> -rw-r----- 1 apache apache 12288 2009-01-26 14:58 bayes_seen >> -rw-rw---- 1 postfix apache 5984256 2009-01-26 14:58 bayes_toks >> # >> >> Cheers >> -- >> -- Glenn >> email: glenn < dot > steen < at > gmail < dot > com > > looks good! so simple I didn't think it could be that. finally since > the upgrade I'm gettin commit ineffective with AutoCommit enabled at > /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93, > line 1 > > when i restart the MailScanner service, doesn't seem to be a problem > but can it be tidied up? > > Simon > Guys, also just noticed quite a lot of SA time outs on one of the gateways, the other gateways are fine and responding so I don't think it's a slow blacklist - CPU seems to be IRO 50% on average so the system isn't way busy. Did the MS upgrade break something with SA? SpamAssassin timed out and was killed, failure 1 of 10 From steve.swaney at fsl.com Mon Jan 26 14:46:35 2009 From: steve.swaney at fsl.com (Stephen Swaney) Date: Mon Jan 26 14:46:45 2009 Subject: WARNING: Ignoring deprecated option --unzip In-Reply-To: <70572c510901260629i2373807en75ad2f25e865f7e0@mail.gmail.com> References: <70572c510901241147w6d28cc19hb6146a0fd5dee2fd@mail.gmail.com> <497CA0EE.6@ecs.soton.ac.uk> <70572c510901260416i4258b66bx1d8e325f85ca2ff5@mail.gmail.com> <223f97700901260601p4f609362seaeaf4f936294722@mail.gmail.com> <70572c510901260629i2373807en75ad2f25e865f7e0@mail.gmail.com> Message-ID: <045901c97fc4$e35250b0$a9f6f210$@swaney@fsl.com> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Simon Jones > Sent: Monday, January 26, 2009 9:30 AM > To: MailScanner discussion > Subject: Re: WARNING: Ignoring deprecated option --unzip > > 2009/1/26 Glenn Steen : > > 2009/1/26 Simon Jones : > >> 2009/1/25 Julian Field : > >>> This is documented in the MailScanner ChangeLog. You have updated > ClamAV, > >>> and you require a MailScanner update as well to match the new > command-line > >>> syntax. It was mentioned in my "new version announcement" to the > >>> MailScanner-Announce list a while back. > >>> > >>> On 24/1/09 19:47, Simon Jones wrote: > >>>> > >>>> Evening chaps, gateway still running like a dog! I've noticed in > >>>> /var/log/maillog the following; > >>>> > >>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring > >>>> deprecated option --unzip > >>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring > >>>> deprecated option --jar > >>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring > >>>> deprecated option --tar > >>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring > >>>> deprecated option --tgz > >>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring > >>>> deprecated option --deb > >>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring > >>>> deprecated option --max-ratio > >>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring > >>>> deprecated option --unrar > >>>> > >>>> I'm assuming it won't hurt performance and I'm sure someone's come > >>>> across this before so if you could point me in the direction to > the > >>>> fix it'd be great, > >>>> > >>>> thanks > >>>> > >>>> Simon > >>>> > >>> > >>> Jules > >>> > >> hello chaps, thanks for that - I've updated MS and configured it to > >> use clamd which works a treat, the machines are chewing spam like > they > >> haven't eaten in a month! 
I do have a spot of trouble with the > >> MailScanner -d --lint test though - > >> > >> bayes: failed rename /etc/MailScanner/bayes/bayes_journal to > >> /etc/MailScanner/bayes/bayes_journal.old > >> bayes: failed rename /etc/MailScanner/bayes/bayes_journal to > >> /etc/MailScanner/bayes/bayes_journal.old > >> bayes: failed rename /etc/MailScanner/bayes/bayes_journal to > >> /etc/MailScanner/bayes/bayes_journal.old > >> > >> Previous error complained of not being able to read the files so i > >> chown postfix:root * in the directory, now I'm getting the above. > >> Seems to have fixed the read error though... > >> > >> thanks again, > >> > >> Simon > > This is how this looks for me (I use MailWatch where the apache user > > and group is named "apache"): > > > > # ls -ld /etc/MailScanner/bayes > > drwxrwsrwx 2 postfix apache 4096 2009-01-26 14:58 > /etc/MailScanner/bayes/ > > # ls -l /etc/MailScanner/bayes > > totalt 6004 > > -rw-rw---- 1 postfix apache 2334 2009-01-26 14:58 bayes.mutex > > -rw-r----- 1 apache apache 12288 2009-01-26 14:58 bayes_seen > > -rw-rw---- 1 postfix apache 5984256 2009-01-26 14:58 bayes_toks > > # > > > > Cheers > > -- > > -- Glenn > > email: glenn < dot > steen < at > gmail < dot > com > > looks good! so simple I didn't think it could be that. finally since > the upgrade I'm gettin commit ineffective with AutoCommit enabled at > /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93, > line 1 > > when i restart the MailScanner service, doesn't seem to be a problem > but can it be tidied up? > > Simon > -- Simon, In the list archives for a while: http://lists.mailscanner.info/pipermail/mailscanner/2008-May/085074.html Google for: commit ineffective with AutoCommit enabled Found it as the first hit. 
> Old Code - /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm
> ========================================================================
> sub ExitLogging {
>   # Server exit - commit changes, close socket, and exit gracefully.
>   close(SERVER);
>   $dbh->commit;
>   $dbh->disconnect;
>   exit;
> }
>
>
> New Code - /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm
> ========================================================================
> sub ExitLogging {
>   # Server exit - commit changes, close socket, and exit gracefully.
>   close(SERVER);
>   ##### AJOS1 CHANGE #####
>   $dbh->{Warn} = 0;
>   ##### AJOS1 CHANGE #####
>   $dbh->commit;
>   $dbh->disconnect;
>   exit;
> }

Best regards,

Steve

Steve Swaney
steve@fsl.com
www.fsl.com

From simonmjones at gmail.com Mon Jan 26 14:48:47 2009
From: simonmjones at gmail.com (Simon Jones) Date: Mon Jan 26 14:48:55 2009 Subject: WARNING: Ignoring deprecated option --unzip In-Reply-To: <70572c510901260645i2b0799b7jd5cd60bafa439df2@mail.gmail.com> References: <70572c510901241147w6d28cc19hb6146a0fd5dee2fd@mail.gmail.com> <497CA0EE.6@ecs.soton.ac.uk> <70572c510901260416i4258b66bx1d8e325f85ca2ff5@mail.gmail.com> <223f97700901260601p4f609362seaeaf4f936294722@mail.gmail.com> <70572c510901260629i2373807en75ad2f25e865f7e0@mail.gmail.com> <70572c510901260645i2b0799b7jd5cd60bafa439df2@mail.gmail.com> Message-ID: <70572c510901260648v31ada036n3cfb949487f9374c@mail.gmail.com> 2009/1/26 Simon Jones : > 2009/1/26 Simon Jones : >> 2009/1/26 Glenn Steen : >>> 2009/1/26 Simon Jones : >>>> 2009/1/25 Julian Field : >>>>> This is documented in the MailScanner ChangeLog. You have updated ClamAV, >>>>> and you require a MailScanner update as well to match the new command-line >>>>> syntax. It was mentioned in my "new version announcement" to the >>>>> MailScanner-Announce list a while back. >>>>> >>>>> On 24/1/09 19:47, Simon Jones wrote: >>>>>> >>>>>> Evening chaps, gateway still running like a dog! 
I've noticed in >>>>>> /var/log/maillog the following; >>>>>> >>>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>>>>> deprecated option --unzip >>>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>>>>> deprecated option --jar >>>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>>>>> deprecated option --tar >>>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>>>>> deprecated option --tgz >>>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>>>>> deprecated option --deb >>>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>>>>> deprecated option --max-ratio >>>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>>>>> deprecated option --unrar >>>>>> >>>>>> I'm assuming it won't hurt performance and I'm sure someone's come >>>>>> across this before so if you could point me in the direction to the >>>>>> fix it'd be great, >>>>>> >>>>>> thanks >>>>>> >>>>>> Simon >>>>>> >>>>> >>>>> Jules >>>>> >>>> hello chaps, thanks for that - I've updated MS and configured it to >>>> use clamd which works a treat, the machines are chewing spam like they >>>> haven't eaten in a month! I do have a spot of trouble with the >>>> MailScanner -d --lint test though - >>>> >>>> bayes: failed rename /etc/MailScanner/bayes/bayes_journal to >>>> /etc/MailScanner/bayes/bayes_journal.old >>>> bayes: failed rename /etc/MailScanner/bayes/bayes_journal to >>>> /etc/MailScanner/bayes/bayes_journal.old >>>> bayes: failed rename /etc/MailScanner/bayes/bayes_journal to >>>> /etc/MailScanner/bayes/bayes_journal.old >>>> >>>> Previous error complained of not being able to read the files so i >>>> chown postfix:root * in the directory, now I'm getting the above. >>>> Seems to have fixed the read error though... 
>>>>
>>>> thanks again,
>>>>
>>>> Simon
>>> This is how this looks for me (I use MailWatch where the apache user
>>> and group is named "apache"):
>>>
>>> # ls -ld /etc/MailScanner/bayes
>>> drwxrwsrwx 2 postfix apache 4096 2009-01-26 14:58 /etc/MailScanner/bayes/
>>> # ls -l /etc/MailScanner/bayes
>>> totalt 6004
>>> -rw-rw---- 1 postfix apache 2334 2009-01-26 14:58 bayes.mutex
>>> -rw-r----- 1 apache apache 12288 2009-01-26 14:58 bayes_seen
>>> -rw-rw---- 1 postfix apache 5984256 2009-01-26 14:58 bayes_toks
>>> #
>>>
>>> Cheers
>>> --
>>> -- Glenn
>>> email: glenn < dot > steen < at > gmail < dot > com
>>
>> looks good! so simple I didn't think it could be that. finally since
>> the upgrade I'm gettin commit ineffective with AutoCommit enabled at
>> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93,
>> line 1
>>
>> when i restart the MailScanner service, doesn't seem to be a problem
>> but can it be tidied up?
>>
>> Simon
>>
>
> Guys, also just noticed quite a lot of SA time outs on one of the
> gateways, the other gateways are fine and responding so I don't think
> it's a slow blacklist - CPU seems to be IRO 50% on average so the
> system isn't way busy. Did the MS upgrade break something with SA?
>
> SpamAssassin timed out and was killed, failure 1 of 10
>

it's something to do with bayes config - I've disabled in
spam.assassin.prefs.conf use_bayes 0 while I'm checking it out.

From glenn.steen at gmail.com Mon Jan 26 14:50:26 2009
From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Jan 26 14:50:34 2009 Subject: WARNING: Ignoring deprecated option --unzip In-Reply-To: <70572c510901260629i2373807en75ad2f25e865f7e0@mail.gmail.com> References: <70572c510901241147w6d28cc19hb6146a0fd5dee2fd@mail.gmail.com> <497CA0EE.6@ecs.soton.ac.uk> <70572c510901260416i4258b66bx1d8e325f85ca2ff5@mail.gmail.com> <223f97700901260601p4f609362seaeaf4f936294722@mail.gmail.com> <70572c510901260629i2373807en75ad2f25e865f7e0@mail.gmail.com> Message-ID: <223f97700901260650q585a90au58ace293ca1367ac@mail.gmail.com> 2009/1/26 Simon Jones : > 2009/1/26 Glenn Steen : >> 2009/1/26 Simon Jones : >>> 2009/1/25 Julian Field : >>>> This is documented in the MailScanner ChangeLog. You have updated ClamAV, >>>> and you require a MailScanner update as well to match the new command-line >>>> syntax. It was mentioned in my "new version announcement" to the >>>> MailScanner-Announce list a while back. >>>> >>>> On 24/1/09 19:47, Simon Jones wrote: >>>>> >>>>> Evening chaps, gateway still running like a dog! 
I've noticed in >>>>> /var/log/maillog the following; >>>>> >>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>>>> deprecated option --unzip >>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>>>> deprecated option --jar >>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>>>> deprecated option --tar >>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>>>> deprecated option --tgz >>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>>>> deprecated option --deb >>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>>>> deprecated option --max-ratio >>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>>>> deprecated option --unrar >>>>> >>>>> I'm assuming it won't hurt performance and I'm sure someone's come >>>>> across this before so if you could point me in the direction to the >>>>> fix it'd be great, >>>>> >>>>> thanks >>>>> >>>>> Simon >>>>> >>>> >>>> Jules >>>> >>> hello chaps, thanks for that - I've updated MS and configured it to >>> use clamd which works a treat, the machines are chewing spam like they >>> haven't eaten in a month! I do have a spot of trouble with the >>> MailScanner -d --lint test though - >>> >>> bayes: failed rename /etc/MailScanner/bayes/bayes_journal to >>> /etc/MailScanner/bayes/bayes_journal.old >>> bayes: failed rename /etc/MailScanner/bayes/bayes_journal to >>> /etc/MailScanner/bayes/bayes_journal.old >>> bayes: failed rename /etc/MailScanner/bayes/bayes_journal to >>> /etc/MailScanner/bayes/bayes_journal.old >>> >>> Previous error complained of not being able to read the files so i >>> chown postfix:root * in the directory, now I'm getting the above. >>> Seems to have fixed the read error though... 
>>>
>>> thanks again,
>>>
>>> Simon
>> This is how this looks for me (I use MailWatch where the apache user
>> and group is named "apache"):
>>
>> # ls -ld /etc/MailScanner/bayes
>> drwxrwsrwx 2 postfix apache 4096 2009-01-26 14:58 /etc/MailScanner/bayes/
>> # ls -l /etc/MailScanner/bayes
>> totalt 6004
>> -rw-rw---- 1 postfix apache 2334 2009-01-26 14:58 bayes.mutex
>> -rw-r----- 1 apache apache 12288 2009-01-26 14:58 bayes_seen
>> -rw-rw---- 1 postfix apache 5984256 2009-01-26 14:58 bayes_toks
>> #
>>
>> Cheers
>> --
>> -- Glenn
>> email: glenn < dot > steen < at > gmail < dot > com
>
> looks good! so simple I didn't think it could be that. finally since
> the upgrade I'm gettin commit ineffective with AutoCommit enabled at
> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93,
> line 1
>
> when i restart the MailScanner service, doesn't seem to be a problem
> but can it be tidied up?
>

That is purely informational and doesn't need cleaning up;-). All it
says is that you (or rather MailWatch) is doing commits "as needed",
but since you have autocommit on in the MySQL db, they don't make any
difference. You could go through the MW code and comment out all the
commits (not that many, IIRC, in MailWatch.pm), but really... why
bother? Live with it;-)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Mon Jan 26 14:55:00 2009
From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Jan 26 14:55:09 2009 Subject: WARNING: Ignoring deprecated option --unzip In-Reply-To: <70572c510901260645i2b0799b7jd5cd60bafa439df2@mail.gmail.com> References: <70572c510901241147w6d28cc19hb6146a0fd5dee2fd@mail.gmail.com> <497CA0EE.6@ecs.soton.ac.uk> <70572c510901260416i4258b66bx1d8e325f85ca2ff5@mail.gmail.com> <223f97700901260601p4f609362seaeaf4f936294722@mail.gmail.com> <70572c510901260629i2373807en75ad2f25e865f7e0@mail.gmail.com> <70572c510901260645i2b0799b7jd5cd60bafa439df2@mail.gmail.com> Message-ID: <223f97700901260655q67a05ae6lbed1f6317a004dd6@mail.gmail.com> 2009/1/26 Simon Jones : > 2009/1/26 Simon Jones : >> 2009/1/26 Glenn Steen : >>> 2009/1/26 Simon Jones : >>>> 2009/1/25 Julian Field : >>>>> This is documented in the MailScanner ChangeLog. You have updated ClamAV, >>>>> and you require a MailScanner update as well to match the new command-line >>>>> syntax. It was mentioned in my "new version announcement" to the >>>>> MailScanner-Announce list a while back. >>>>> >>>>> On 24/1/09 19:47, Simon Jones wrote: >>>>>> >>>>>> Evening chaps, gateway still running like a dog! 
I've noticed in >>>>>> /var/log/maillog the following; >>>>>> >>>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>>>>> deprecated option --unzip >>>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>>>>> deprecated option --jar >>>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>>>>> deprecated option --tar >>>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>>>>> deprecated option --tgz >>>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>>>>> deprecated option --deb >>>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>>>>> deprecated option --max-ratio >>>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>>>>> deprecated option --unrar >>>>>> >>>>>> I'm assuming it won't hurt performance and I'm sure someone's come >>>>>> across this before so if you could point me in the direction to the >>>>>> fix it'd be great, >>>>>> >>>>>> thanks >>>>>> >>>>>> Simon >>>>>> >>>>> >>>>> Jules >>>>> >>>> hello chaps, thanks for that - I've updated MS and configured it to >>>> use clamd which works a treat, the machines are chewing spam like they >>>> haven't eaten in a month! I do have a spot of trouble with the >>>> MailScanner -d --lint test though - >>>> >>>> bayes: failed rename /etc/MailScanner/bayes/bayes_journal to >>>> /etc/MailScanner/bayes/bayes_journal.old >>>> bayes: failed rename /etc/MailScanner/bayes/bayes_journal to >>>> /etc/MailScanner/bayes/bayes_journal.old >>>> bayes: failed rename /etc/MailScanner/bayes/bayes_journal to >>>> /etc/MailScanner/bayes/bayes_journal.old >>>> >>>> Previous error complained of not being able to read the files so i >>>> chown postfix:root * in the directory, now I'm getting the above. >>>> Seems to have fixed the read error though... 
>>>> >>>> thanks again, >>>> >>>> Simon >>> This is how this looks for me (I use MailWatch where the apache user >>> and group is named "apache"): >>> >>> # ls -ld /etc/MailScanner/bayes >>> drwxrwsrwx 2 postfix apache 4096 2009-01-26 14:58 /etc/MailScanner/bayes/ >>> # ls -l /etc/MailScanner/bayes >>> totalt 6004 >>> -rw-rw---- 1 postfix apache 2334 2009-01-26 14:58 bayes.mutex >>> -rw-r----- 1 apache apache 12288 2009-01-26 14:58 bayes_seen >>> -rw-rw---- 1 postfix apache 5984256 2009-01-26 14:58 bayes_toks >>> # >>> >>> Cheers >>> -- >>> -- Glenn >>> email: glenn < dot > steen < at > gmail < dot > com >> >> looks good! so simple I didn't think it could be that. finally since >> the upgrade I'm gettin commit ineffective with AutoCommit enabled at >> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93, >> line 1 >> >> when i restart the MailScanner service, doesn't seem to be a problem >> but can it be tidied up? >> >> Simon >> > > Guys, also just noticed quite a lot of SA time outs on one of the > gateways, the other gateways are fine and responding so I don't think > it's a slow blacklist - CPU seems to be IRO 50% on average so the > system isn't way busy. Did the MS upgrade break something with SA? > > SpamAssassin timed out and was killed, failure 1 of 10 Check that your bayes_seen file is of a reasonable size, else ... remove it. Also check that your SA expire runs complete (no "expire" files in your bayes directory)... Try up the "SpamAssassin Timeout" to something fairly large in /etc/MailScanner/MailScanner.conf (mine is at 10 minutes... == 600 seconds). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From simonmjones at gmail.com Mon Jan 26 15:25:28 2009 
From: simonmjones at gmail.com (Simon Jones) Date: Mon Jan 26 15:25:38 2009 Subject: WARNING: Ignoring deprecated option --unzip In-Reply-To: <223f97700901260655q67a05ae6lbed1f6317a004dd6@mail.gmail.com> References: <70572c510901241147w6d28cc19hb6146a0fd5dee2fd@mail.gmail.com> <497CA0EE.6@ecs.soton.ac.uk> <70572c510901260416i4258b66bx1d8e325f85ca2ff5@mail.gmail.com> <223f97700901260601p4f609362seaeaf4f936294722@mail.gmail.com> <70572c510901260629i2373807en75ad2f25e865f7e0@mail.gmail.com> <70572c510901260645i2b0799b7jd5cd60bafa439df2@mail.gmail.com> <223f97700901260655q67a05ae6lbed1f6317a004dd6@mail.gmail.com> Message-ID: <70572c510901260725w3d32902chb0582c55c0f13b81@mail.gmail.com> 2009/1/26 Glenn Steen : > 2009/1/26 Simon Jones : >> 2009/1/26 Simon Jones : >>> 2009/1/26 Glenn Steen : >>>> 2009/1/26 Simon Jones : >>>>> 2009/1/25 Julian Field : >>>>>> This is documented in the MailScanner ChangeLog. You have updated ClamAV, >>>>>> and you require a MailScanner update as well to match the new command-line >>>>>> syntax. It was mentioned in my "new version announcement" to the >>>>>> MailScanner-Announce list a while back. >>>>>> >>>>>> On 24/1/09 19:47, Simon Jones wrote: >>>>>>> >>>>>>> Evening chaps, gateway still running like a dog! 
I've noticed in >>>>>>> /var/log/maillog the following; >>>>>>> >>>>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>>>>>> deprecated option --unzip >>>>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>>>>>> deprecated option --jar >>>>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>>>>>> deprecated option --tar >>>>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>>>>>> deprecated option --tgz >>>>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>>>>>> deprecated option --deb >>>>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>>>>>> deprecated option --max-ratio >>>>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>>>>>> deprecated option --unrar >>>>>>> >>>>>>> I'm assuming it won't hurt performance and I'm sure someone's come >>>>>>> across this before so if you could point me in the direction to the >>>>>>> fix it'd be great, >>>>>>> >>>>>>> thanks >>>>>>> >>>>>>> Simon >>>>>>> >>>>>> >>>>>> Jules >>>>>> >>>>> hello chaps, thanks for that - I've updated MS and configured it to >>>>> use clamd which works a treat, the machines are chewing spam like they >>>>> haven't eaten in a month! I do have a spot of trouble with the >>>>> MailScanner -d --lint test though - >>>>> >>>>> bayes: failed rename /etc/MailScanner/bayes/bayes_journal to >>>>> /etc/MailScanner/bayes/bayes_journal.old >>>>> bayes: failed rename /etc/MailScanner/bayes/bayes_journal to >>>>> /etc/MailScanner/bayes/bayes_journal.old >>>>> bayes: failed rename /etc/MailScanner/bayes/bayes_journal to >>>>> /etc/MailScanner/bayes/bayes_journal.old >>>>> >>>>> Previous error complained of not being able to read the files so i >>>>> chown postfix:root * in the directory, now I'm getting the above. >>>>> Seems to have fixed the read error though... 
>>>>> >>>>> thanks again, >>>>> >>>>> Simon >>>> This is how this looks for me (I use MailWatch where the apache user >>>> and group is named "apache"): >>>> >>>> # ls -ld /etc/MailScanner/bayes >>>> drwxrwsrwx 2 postfix apache 4096 2009-01-26 14:58 /etc/MailScanner/bayes/ >>>> # ls -l /etc/MailScanner/bayes >>>> totalt 6004 >>>> -rw-rw---- 1 postfix apache 2334 2009-01-26 14:58 bayes.mutex >>>> -rw-r----- 1 apache apache 12288 2009-01-26 14:58 bayes_seen >>>> -rw-rw---- 1 postfix apache 5984256 2009-01-26 14:58 bayes_toks >>>> # >>>> >>>> Cheers >>>> -- >>>> -- Glenn >>>> email: glenn < dot > steen < at > gmail < dot > com >>> >>> looks good! so simple I didn't think it could be that. finally since >>> the upgrade I'm gettin commit ineffective with AutoCommit enabled at >>> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93, >>> line 1 >>> >>> when i restart the MailScanner service, doesn't seem to be a problem >>> but can it be tidied up? >>> >>> Simon >>> >> >> Guys, also just noticed quite a lot of SA time outs on one of the >> gateways, the other gateways are fine and responding so I don't think >> it's a slow blacklist - CPU seems to be IRO 50% on average so the >> system isn't way busy. Did the MS upgrade break something with SA? >> >> SpamAssassin timed out and was killed, failure 1 of 10 > > Check that your bayes_seen file is of a reasonable size, else ... > remove it. Also check that your SA expire runs complete (no "expire" > files in your bayes directory)... Try up the "SpamAssassin Timeout" to > something fairly large in /etc/MailScanner/MailScanner.conf (mine is > at 10 minutes... == 600 seconds). > > Cheers > -- > -- Glenn Hello lads, thanks again - cleaned up the error (thanks Steve, we don't like messy bits do we!) 
and Glenn, on the money with the timeout setting for SA - it was set to 10 secs on the gateway that was playing up and 600 on the others, not sure how that happened but I guess the part of the system between the chair and the keyboard may have got distracted!.

all working beautifully again!

Simon

From simonmjones at gmail.com Mon Jan 26 16:25:40 2009
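Added example, not part of the thread or of MailScanner itself: a POSIX shell check for the three things raised in the exchange above (a "SpamAssassin Timeout" that has drifted on one gateway, leftover "expire" files in the Bayes directory, and an oversized bayes_seen). The function names, the 60-second floor, the 100 MB size limit and the demo file names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Function names and thresholds are assumptions, not MailScanner's.

# Print the "SpamAssassin Timeout" value from a MailScanner.conf copy.
# Commented-out lines are skipped; if the option appears more than once the
# last occurrence is printed (assumption: the last setting is the effective one).
sa_timeout() {
    sed -n 's/^[[:space:]]*SpamAssassin[[:space:]][[:space:]]*Timeout[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*$/\1/p' "$1" | tail -n 1
}

# Report every config whose timeout is missing or below MIN seconds.
# Usage: timeout_outliers MIN FILE...   (one FILE per gateway)
timeout_outliers() {
    min=$1; shift
    for conf in "$@"; do
        value=$(sa_timeout "$conf")
        if [ -z "$value" ]; then
            echo "$conf: SpamAssassin Timeout not set"
        elif [ "$value" -lt "$min" ]; then
            echo "$conf: SpamAssassin Timeout = $value (below $min)"
        fi
    done
}

# List files with "expire" in their name in a Bayes directory; these are what
# the thread treats as the sign of an expiry run that did not complete.
stale_expire_files() {
    for f in "$1"/*expire*; do
        if [ -f "$f" ]; then echo "$f"; fi
    done
}

# Succeed when DIR/bayes_seen exists and is larger than LIMIT bytes.
bayes_seen_oversize() {
    seen="$1/bayes_seen"
    [ -f "$seen" ] || return 1
    size=$(( $(wc -c < "$seen") ))
    [ "$size" -gt "$2" ]
}

# Run all checks for one gateway. Prints findings and returns 1 if there are
# any, returns 0 when clean. MIN defaults to 60 s, LIMIT to 100 MB (assumptions).
audit() {
    conf=$1; dir=$2; min=${3:-60}; limit=${4:-104857600}
    findings=$(
        timeout_outliers "$min" "$conf"
        stale_expire_files "$dir" | sed 's/^/leftover expire file: /'
        if bayes_seen_oversize "$dir" "$limit"; then
            echo "$dir/bayes_seen is larger than $limit bytes"
        fi
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Self-contained demonstration on constructed files (not real gateway data):
# a config with the 10-second timeout from the thread and one leftover file.
demo() {
    d=$(mktemp -d) || return 2
    mkdir "$d/bayes"
    printf 'SpamAssassin Timeout = 10\n' > "$d/MailScanner.conf"
    : > "$d/bayes/bayes_toks.expire6685"
    audit "$d/MailScanner.conf" "$d/bayes" && rc=0 || rc=$?
    rm -rf "$d"
    return "$rc"
}

# On a gateway this would be called as:
#   audit /etc/MailScanner/MailScanner.conf /etc/MailScanner/bayes
```

Running timeout_outliers over a copy of MailScanner.conf from each gateway shows at a glance which machine differs from the rest.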
From: simonmjones at gmail.com (Simon Jones) Date: Mon Jan 26 16:25:49 2009 Subject: WARNING: Ignoring deprecated option --unzip In-Reply-To: <70572c510901260725w3d32902chb0582c55c0f13b81@mail.gmail.com> References: <70572c510901241147w6d28cc19hb6146a0fd5dee2fd@mail.gmail.com> <497CA0EE.6@ecs.soton.ac.uk> <70572c510901260416i4258b66bx1d8e325f85ca2ff5@mail.gmail.com> <223f97700901260601p4f609362seaeaf4f936294722@mail.gmail.com> <70572c510901260629i2373807en75ad2f25e865f7e0@mail.gmail.com> <70572c510901260645i2b0799b7jd5cd60bafa439df2@mail.gmail.com> <223f97700901260655q67a05ae6lbed1f6317a004dd6@mail.gmail.com> <70572c510901260725w3d32902chb0582c55c0f13b81@mail.gmail.com> Message-ID: <70572c510901260825v5c49a966n37f54e633f1c4c48@mail.gmail.com> 2009/1/26 Simon Jones : > 2009/1/26 Glenn Steen : >> 2009/1/26 Simon Jones : >>> 2009/1/26 Simon Jones : >>>> 2009/1/26 Glenn Steen : >>>>> 2009/1/26 Simon Jones : >>>>>> 2009/1/25 Julian Field : >>>>>>> This is documented in the MailScanner ChangeLog. You have updated ClamAV, >>>>>>> and you require a MailScanner update as well to match the new command-line >>>>>>> syntax. It was mentioned in my "new version announcement" to the >>>>>>> MailScanner-Announce list a while back. >>>>>>> >>>>>>> On 24/1/09 19:47, Simon Jones wrote: >>>>>>>> >>>>>>>> Evening chaps, gateway still running like a dog! 
I've noticed in >>>>>>>> /var/log/maillog the following; >>>>>>>> >>>>>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>>>>>>> deprecated option --unzip >>>>>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>>>>>>> deprecated option --jar >>>>>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>>>>>>> deprecated option --tar >>>>>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>>>>>>> deprecated option --tgz >>>>>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>>>>>>> deprecated option --deb >>>>>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>>>>>>> deprecated option --max-ratio >>>>>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>>>>>>> deprecated option --unrar >>>>>>>> >>>>>>>> I'm assuming it won't hurt performance and I'm sure someone's come >>>>>>>> across this before so if you could point me in the direction to the >>>>>>>> fix it'd be great, >>>>>>>> >>>>>>>> thanks >>>>>>>> >>>>>>>> Simon >>>>>>>> >>>>>>> >>>>>>> Jules >>>>>>> >>>>>> hello chaps, thanks for that - I've updated MS and configured it to >>>>>> use clamd which works a treat, the machines are chewing spam like they >>>>>> haven't eaten in a month! I do have a spot of trouble with the >>>>>> MailScanner -d --lint test though - >>>>>> >>>>>> bayes: failed rename /etc/MailScanner/bayes/bayes_journal to >>>>>> /etc/MailScanner/bayes/bayes_journal.old >>>>>> bayes: failed rename /etc/MailScanner/bayes/bayes_journal to >>>>>> /etc/MailScanner/bayes/bayes_journal.old >>>>>> bayes: failed rename /etc/MailScanner/bayes/bayes_journal to >>>>>> /etc/MailScanner/bayes/bayes_journal.old >>>>>> >>>>>> Previous error complained of not being able to read the files so i >>>>>> chown postfix:root * in the directory, now I'm getting the above. >>>>>> Seems to have fixed the read error though... 
>>>>>> >>>>>> thanks again, >>>>>> >>>>>> Simon >>>>> This is how this looks for me (I use MailWatch where the apache user >>>>> and group is named "apache"): >>>>> >>>>> # ls -ld /etc/MailScanner/bayes >>>>> drwxrwsrwx 2 postfix apache 4096 2009-01-26 14:58 /etc/MailScanner/bayes/ >>>>> # ls -l /etc/MailScanner/bayes >>>>> totalt 6004 >>>>> -rw-rw---- 1 postfix apache 2334 2009-01-26 14:58 bayes.mutex >>>>> -rw-r----- 1 apache apache 12288 2009-01-26 14:58 bayes_seen >>>>> -rw-rw---- 1 postfix apache 5984256 2009-01-26 14:58 bayes_toks >>>>> # >>>>> >>>>> Cheers >>>>> -- >>>>> -- Glenn >>>>> email: glenn < dot > steen < at > gmail < dot > com >>>> >>>> looks good! so simple I didn't think it could be that. finally since >>>> the upgrade I'm gettin commit ineffective with AutoCommit enabled at >>>> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93, >>>> line 1 >>>> >>>> when i restart the MailScanner service, doesn't seem to be a problem >>>> but can it be tidied up? >>>> >>>> Simon >>>> >>> >>> Guys, also just noticed quite a lot of SA time outs on one of the >>> gateways, the other gateways are fine and responding so I don't think >>> it's a slow blacklist - CPU seems to be IRO 50% on average so the >>> system isn't way busy. Did the MS upgrade break something with SA? >>> >>> SpamAssassin timed out and was killed, failure 1 of 10 >> >> Check that your bayes_seen file is of a reasonable size, else ... >> remove it. Also check that your SA expire runs complete (no "expire" >> files in your bayes directory)... Try up the "SpamAssassin Timeout" to >> something fairly large in /etc/MailScanner/MailScanner.conf (mine is >> at 10 minutes... == 600 seconds). >> >> Cheers >> -- >> -- Glenn > > Hello lads, thanks again - cleaned up the error (thanks Steve, we > don't like messy bits do we!) 
and Glenn, on the money with the timeout
> setting for SA - it was set to 10 secs on the gateway that was playing
> up and 600 on the others, not sure how that happened but I guess the
> part of the system between the chair and the keyboard may have got
> distracted!.
>
> all working beautifully again!
>
> Simon
>

slllllooooooooooowwweedddd down to a crawl again and is stacking messages in the hold queue. I can't figure out what's going on here. restart MS and it works really fast but leave it to run for five minutes or so and the whole thing slows to a crawl, it backs up messages in the hold queue and is really slow answering on port 25 or times out completely. I've commented out the lists in /etc/MailScanner/spam.lists.conf - does SA have any others configured somewhere else? I'm clutching at straws now. no errors in the lint tests and everything seems normal.

From J.Ede at birchenallhowden.co.uk Mon Jan 26 16:58:20 2009
From: J.Ede at birchenallhowden.co.uk (Jason Ede)
Date: Mon Jan 26 16:58:40 2009
Subject: WARNING: Ignoring deprecated option --unzip
In-Reply-To: <70572c510901260825v5c49a966n37f54e633f1c4c48@mail.gmail.com>
References: <70572c510901241147w6d28cc19hb6146a0fd5dee2fd@mail.gmail.com> <497CA0EE.6@ecs.soton.ac.uk> <70572c510901260416i4258b66bx1d8e325f85ca2ff5@mail.gmail.com> <223f97700901260601p4f609362seaeaf4f936294722@mail.gmail.com> <70572c510901260629i2373807en75ad2f25e865f7e0@mail.gmail.com> <70572c510901260645i2b0799b7jd5cd60bafa439df2@mail.gmail.com> <223f97700901260655q67a05ae6lbed1f6317a004dd6@mail.gmail.com> <70572c510901260725w3d32902chb0582c55c0f13b81@mail.gmail.com> <70572c510901260825v5c49a966n37f54e633f1c4c48@mail.gmail.com>
Message-ID: <1213490F1F316842A544A850422BFA9614F171E5@BHLSBS.bhl.local>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Simon Jones > Sent: 26 January 2009 16:26 > To: MailScanner discussion > Subject: Re: WARNING: Ignoring deprecated option --unzip > > 2009/1/26 Simon Jones : > > 2009/1/26 Glenn Steen : > >> 2009/1/26 Simon Jones : > >>> 2009/1/26 Simon Jones : > >>>> 2009/1/26 Glenn Steen : > >>>>> 2009/1/26 Simon Jones : > >>>>>> 2009/1/25 Julian Field : > >>>>>>> This is documented in the MailScanner ChangeLog. You have > updated ClamAV, > >>>>>>> and you require a MailScanner update as well to match the new > command-line > >>>>>>> syntax. It was mentioned in my "new version announcement" to > the > >>>>>>> MailScanner-Announce list a while back. > >>>>>>> > >>>>>>> On 24/1/09 19:47, Simon Jones wrote: > >>>>>>>> > >>>>>>>> Evening chaps, gateway still running like a dog! I've > noticed in > >>>>>>>> /var/log/maillog the following; > >>>>>>>> > >>>>>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring > >>>>>>>> deprecated option --unzip > >>>>>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring > >>>>>>>> deprecated option --jar > >>>>>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring > >>>>>>>> deprecated option --tar > >>>>>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring > >>>>>>>> deprecated option --tgz > >>>>>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring > >>>>>>>> deprecated option --deb > >>>>>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring > >>>>>>>> deprecated option --max-ratio > >>>>>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring > >>>>>>>> deprecated option --unrar > >>>>>>>> > >>>>>>>> I'm assuming it won't hurt performance and I'm sure someone's > come > >>>>>>>> across this before so if you could point me in the direction > to the > >>>>>>>> fix it'd be great, > >>>>>>>> > >>>>>>>> thanks > >>>>>>>> > >>>>>>>> Simon > 
>>>>>>>> > >>>>>>> > >>>>>>> Jules > >>>>>>> > >>>>>> hello chaps, thanks for that - I've updated MS and configured it > to > >>>>>> use clamd which works a treat, the machines are chewing spam > like they > >>>>>> haven't eaten in a month! I do have a spot of trouble with the > >>>>>> MailScanner -d --lint test though - > >>>>>> > >>>>>> bayes: failed rename /etc/MailScanner/bayes/bayes_journal to > >>>>>> /etc/MailScanner/bayes/bayes_journal.old > >>>>>> bayes: failed rename /etc/MailScanner/bayes/bayes_journal to > >>>>>> /etc/MailScanner/bayes/bayes_journal.old > >>>>>> bayes: failed rename /etc/MailScanner/bayes/bayes_journal to > >>>>>> /etc/MailScanner/bayes/bayes_journal.old > >>>>>> > >>>>>> Previous error complained of not being able to read the files so > i > >>>>>> chown postfix:root * in the directory, now I'm getting the > above. > >>>>>> Seems to have fixed the read error though... > >>>>>> > >>>>>> thanks again, > >>>>>> > >>>>>> Simon > >>>>> This is how this looks for me (I use MailWatch where the apache > user > >>>>> and group is named "apache"): > >>>>> > >>>>> # ls -ld /etc/MailScanner/bayes > >>>>> drwxrwsrwx 2 postfix apache 4096 2009-01-26 14:58 > /etc/MailScanner/bayes/ > >>>>> # ls -l /etc/MailScanner/bayes > >>>>> totalt 6004 > >>>>> -rw-rw---- 1 postfix apache 2334 2009-01-26 14:58 bayes.mutex > >>>>> -rw-r----- 1 apache apache 12288 2009-01-26 14:58 bayes_seen > >>>>> -rw-rw---- 1 postfix apache 5984256 2009-01-26 14:58 bayes_toks > >>>>> # > >>>>> > >>>>> Cheers > >>>>> -- > >>>>> -- Glenn > >>>>> email: glenn < dot > steen < at > gmail < dot > com > >>>> > >>>> looks good! so simple I didn't think it could be that. finally > since > >>>> the upgrade I'm gettin commit ineffective with AutoCommit enabled > at > >>>> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line > 93, > >>>> line 1 > >>>> > >>>> when i restart the MailScanner service, doesn't seem to be a > problem > >>>> but can it be tidied up? 
> >>>> > >>>> Simon > >>>> > >>> > >>> Guys, also just noticed quite a lot of SA time outs on one of the > >>> gateways, the other gateways are fine and responding so I don't > think > >>> it's a slow blacklist - CPU seems to be IRO 50% on average so the > >>> system isn't way busy. Did the MS upgrade break something with SA? > >>> > >>> SpamAssassin timed out and was killed, failure 1 of 10 > >> > >> Check that your bayes_seen file is of a reasonable size, else ... > >> remove it. Also check that your SA expire runs complete (no "expire" > >> files in your bayes directory)... Try up the "SpamAssassin Timeout" > to > >> something fairly large in /etc/MailScanner/MailScanner.conf (mine is > >> at 10 minutes... == 600 seconds). > >> > >> Cheers > >> -- > >> -- Glenn > > > > Hello lads, thanks again - cleaned up the error (thanks Steve, we > > don't like messy bits do we!) and Glenn, on the money with the > timeout > > setting for SA - it was set to 10 secs on the gateway that was > playing > > up and 600 on the others, not sure how that happened but I guess the > > part of the system between the chair and they keyboard may have got > > distracted!. > > > > all working beautifully again! > > > > Simon > > > slllllooooooooooowwweedddd down to a crawl again and is stacking > messages in the hold queue. I can't figure out what's going on here. > restart MS and it works really fast but leave it to run for five > minutes or so and the whole things slows to a crawl, it backs up > messages in the hold queue and is really slow answering on port 25 or > times out completely. I've commented out the lists in > /etc/MailScanner/spam.lists.conf - does SA have any others configured > somewhere else? I'm clutching at straws now. no errors in the lint > tests and everything seems normal. It's not starting to swap is it? Have you tried dropping the number of mailscanner processes down a bit? Jason From simonmjones at gmail.com Mon Jan 26 17:06:55 2009 
From: simonmjones at gmail.com (Simon Jones) Date: Mon Jan 26 17:07:05 2009 Subject: WARNING: Ignoring deprecated option --unzip In-Reply-To: <1213490F1F316842A544A850422BFA9614F171E5@BHLSBS.bhl.local> References: <70572c510901241147w6d28cc19hb6146a0fd5dee2fd@mail.gmail.com> <497CA0EE.6@ecs.soton.ac.uk> <70572c510901260416i4258b66bx1d8e325f85ca2ff5@mail.gmail.com> <223f97700901260601p4f609362seaeaf4f936294722@mail.gmail.com> <70572c510901260629i2373807en75ad2f25e865f7e0@mail.gmail.com> <70572c510901260645i2b0799b7jd5cd60bafa439df2@mail.gmail.com> <223f97700901260655q67a05ae6lbed1f6317a004dd6@mail.gmail.com> <70572c510901260725w3d32902chb0582c55c0f13b81@mail.gmail.com> <70572c510901260825v5c49a966n37f54e633f1c4c48@mail.gmail.com> <1213490F1F316842A544A850422BFA9614F171E5@BHLSBS.bhl.local> Message-ID: <70572c510901260906h4051fee0l2cc2bead745b319c@mail.gmail.com> 2009/1/26 Jason Ede : >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of Simon Jones >> Sent: 26 January 2009 16:26 >> To: MailScanner discussion >> Subject: Re: WARNING: Ignoring deprecated option --unzip >> >> 2009/1/26 Simon Jones : >> > 2009/1/26 Glenn Steen : >> >> 2009/1/26 Simon Jones : >> >>> 2009/1/26 Simon Jones : >> >>>> 2009/1/26 Glenn Steen : >> >>>>> 2009/1/26 Simon Jones : >> >>>>>> 2009/1/25 Julian Field : >> >>>>>>> This is documented in the MailScanner ChangeLog. You have >> updated ClamAV, >> >>>>>>> and you require a MailScanner update as well to match the new >> command-line >> >>>>>>> syntax. It was mentioned in my "new version announcement" to >> the >> >>>>>>> MailScanner-Announce list a while back. >> >>>>>>> >> >>>>>>> On 24/1/09 19:47, Simon Jones wrote: >> >>>>>>>> >> >>>>>>>> Evening chaps, gateway still running like a dog! I've >> noticed in >> >>>>>>>> /var/log/maillog the following; >> >>>>>>>> >> >>>>>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >> >>>>>>>> deprecated option --unzip >> >>>>>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >> >>>>>>>> deprecated option --jar >> >>>>>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >> >>>>>>>> deprecated option --tar >> >>>>>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >> >>>>>>>> deprecated option --tgz >> >>>>>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >> >>>>>>>> deprecated option --deb >> >>>>>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >> >>>>>>>> deprecated option --max-ratio >> >>>>>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >> >>>>>>>> deprecated option --unrar >> >>>>>>>> >> >>>>>>>> I'm assuming it won't hurt performance and I'm sure someone's >> come >> >>>>>>>> across this before so if you could point me in the direction >> to the >> >>>>>>>> fix it'd be great, >> >>>>>>>> >> 
>>>>>>>> thanks >> >>>>>>>> >> >>>>>>>> Simon >> >>>>>>>> >> >>>>>>> >> >>>>>>> Jules >> >>>>>>> >> >>>>>> hello chaps, thanks for that - I've updated MS and configured it >> to >> >>>>>> use clamd which works a treat, the machines are chewing spam >> like they >> >>>>>> haven't eaten in a month! I do have a spot of trouble with the >> >>>>>> MailScanner -d --lint test though - >> >>>>>> >> >>>>>> bayes: failed rename /etc/MailScanner/bayes/bayes_journal to >> >>>>>> /etc/MailScanner/bayes/bayes_journal.old >> >>>>>> bayes: failed rename /etc/MailScanner/bayes/bayes_journal to >> >>>>>> /etc/MailScanner/bayes/bayes_journal.old >> >>>>>> bayes: failed rename /etc/MailScanner/bayes/bayes_journal to >> >>>>>> /etc/MailScanner/bayes/bayes_journal.old >> >>>>>> >> >>>>>> Previous error complained of not being able to read the files so >> i >> >>>>>> chown postfix:root * in the directory, now I'm getting the >> above. >> >>>>>> Seems to have fixed the read error though... >> >>>>>> >> >>>>>> thanks again, >> >>>>>> >> >>>>>> Simon >> >>>>> This is how this looks for me (I use MailWatch where the apache >> user >> >>>>> and group is named "apache"): >> >>>>> >> >>>>> # ls -ld /etc/MailScanner/bayes >> >>>>> drwxrwsrwx 2 postfix apache 4096 2009-01-26 14:58 >> /etc/MailScanner/bayes/ >> >>>>> # ls -l /etc/MailScanner/bayes >> >>>>> totalt 6004 >> >>>>> -rw-rw---- 1 postfix apache 2334 2009-01-26 14:58 bayes.mutex >> >>>>> -rw-r----- 1 apache apache 12288 2009-01-26 14:58 bayes_seen >> >>>>> -rw-rw---- 1 postfix apache 5984256 2009-01-26 14:58 bayes_toks >> >>>>> # >> >>>>> >> >>>>> Cheers >> >>>>> -- >> >>>>> -- Glenn >> >>>>> email: glenn < dot > steen < at > gmail < dot > com >> >>>> >> >>>> looks good! so simple I didn't think it could be that. 
finally >> since >> >>>> the upgrade I'm gettin commit ineffective with AutoCommit enabled >> at >> >>>> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line >> 93, >> >>>> line 1 >> >>>> >> >>>> when i restart the MailScanner service, doesn't seem to be a >> problem >> >>>> but can it be tidied up? >> >>>> >> >>>> Simon >> >>>> >> >>> >> >>> Guys, also just noticed quite a lot of SA time outs on one of the >> >>> gateways, the other gateways are fine and responding so I don't >> think >> >>> it's a slow blacklist - CPU seems to be IRO 50% on average so the >> >>> system isn't way busy. Did the MS upgrade break something with SA? >> >>> >> >>> SpamAssassin timed out and was killed, failure 1 of 10 >> >> >> >> Check that your bayes_seen file is of a reasonable size, else ... >> >> remove it. Also check that your SA expire runs complete (no "expire" >> >> files in your bayes directory)... Try up the "SpamAssassin Timeout" >> to >> >> something fairly large in /etc/MailScanner/MailScanner.conf (mine is >> >> at 10 minutes... == 600 seconds). >> >> >> >> Cheers >> >> -- >> >> -- Glenn >> > >> > Hello lads, thanks again - cleaned up the error (thanks Steve, we >> > don't like messy bits do we!) and Glenn, on the money with the >> timeout >> > setting for SA - it was set to 10 secs on the gateway that was >> playing >> > up and 600 on the others, not sure how that happened but I guess the >> > part of the system between the chair and they keyboard may have got >> > distracted!. >> > >> > all working beautifully again! >> > >> > Simon >> > >> slllllooooooooooowwweedddd down to a crawl again and is stacking >> messages in the hold queue. I can't figure out what's going on here. >> restart MS and it works really fast but leave it to run for five >> minutes or so and the whole things slows to a crawl, it backs up >> messages in the hold queue and is really slow answering on port 25 or >> times out completely. 
I've commented out the lists in
>> /etc/MailScanner/spam.lists.conf - does SA have any others configured
>> somewhere else? I'm clutching at straws now. no errors in the lint
>> tests and everything seems normal.
>
> It's not starting to swap is it? Have you tried dropping the number of mailscanner processes down a bit?
>
> Jason
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

Hi Jason, nope not swapping - they have 8gb ram and 15k rpm sas drives

free -m
             total       used       free     shared    buffers     cached
Mem:          3948       2624       1324          0        206        444
-/+ buffers/cache:       1973       1975
Swap:         1983          0       1983

it's really strange, I've commented out all the lists in spam.lists.conf and disabled bayes in spam.assassin.prefs.conf dropped the max children to 20 from 40 (which it's been happy with for months) but it's still stacking mail in the hold queue - I just checked again

tail -f /var/log/maillog | grep Found

and it seems to have just shifted 500+ messages in one big lump! hold is now clear... what the....

From simonmjones at gmail.com Mon Jan 26 17:10:57 2009
From: simonmjones at gmail.com (Simon Jones) Date: Mon Jan 26 17:11:06 2009 Subject: WARNING: Ignoring deprecated option --unzip In-Reply-To: <70572c510901260906h4051fee0l2cc2bead745b319c@mail.gmail.com> References: <70572c510901241147w6d28cc19hb6146a0fd5dee2fd@mail.gmail.com> <70572c510901260416i4258b66bx1d8e325f85ca2ff5@mail.gmail.com> <223f97700901260601p4f609362seaeaf4f936294722@mail.gmail.com> <70572c510901260629i2373807en75ad2f25e865f7e0@mail.gmail.com> <70572c510901260645i2b0799b7jd5cd60bafa439df2@mail.gmail.com> <223f97700901260655q67a05ae6lbed1f6317a004dd6@mail.gmail.com> <70572c510901260725w3d32902chb0582c55c0f13b81@mail.gmail.com> <70572c510901260825v5c49a966n37f54e633f1c4c48@mail.gmail.com> <1213490F1F316842A544A850422BFA9614F171E5@BHLSBS.bhl.local> <70572c510901260906h4051fee0l2cc2bead745b319c@mail.gmail.com> Message-ID: <70572c510901260910g757f88f4y56641c7361d4023a@mail.gmail.com> 2009/1/26 Simon Jones : > 2009/1/26 Jason Ede : >>> -----Original Message----- 
>>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >>> bounces@lists.mailscanner.info] On Behalf Of Simon Jones >>> Sent: 26 January 2009 16:26 >>> To: MailScanner discussion >>> Subject: Re: WARNING: Ignoring deprecated option --unzip >>> >>> 2009/1/26 Simon Jones : >>> > 2009/1/26 Glenn Steen : >>> >> 2009/1/26 Simon Jones : >>> >>> 2009/1/26 Simon Jones : >>> >>>> 2009/1/26 Glenn Steen : >>> >>>>> 2009/1/26 Simon Jones : >>> >>>>>> 2009/1/25 Julian Field : >>> >>>>>>> This is documented in the MailScanner ChangeLog. You have >>> updated ClamAV, >>> >>>>>>> and you require a MailScanner update as well to match the new >>> command-line >>> >>>>>>> syntax. It was mentioned in my "new version announcement" to >>> the >>> >>>>>>> MailScanner-Announce list a while back. >>> >>>>>>> >>> >>>>>>> On 24/1/09 19:47, Simon Jones wrote: >>> >>>>>>>> >>> >>>>>>>> Evening chaps, gateway still running like a dog! I've >>> noticed in >>> >>>>>>>> /var/log/maillog the following; >>> >>>>>>>> >>> >>>>>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>> >>>>>>>> deprecated option --unzip >>> >>>>>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>> >>>>>>>> deprecated option --jar >>> >>>>>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>> >>>>>>>> deprecated option --tar >>> >>>>>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>> >>>>>>>> deprecated option --tgz >>> >>>>>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>> >>>>>>>> deprecated option --deb >>> >>>>>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>> >>>>>>>> deprecated option --max-ratio >>> >>>>>>>> Jan 24 19:27:29 mailgate1 MailScanner[6685]: WARNING: Ignoring >>> >>>>>>>> deprecated option --unrar >>> >>>>>>>> >>> >>>>>>>> I'm assuming it won't hurt performance and I'm sure someone's >>> come >>> >>>>>>>> across this before so if you could point me in the direction >>> to the 
>>> >>>>>>>> fix it'd be great, >>> >>>>>>>> >>> >>>>>>>> thanks >>> >>>>>>>> >>> >>>>>>>> Simon >>> >>>>>>>> >>> >>>>>>> >>> >>>>>>> Jules >>> >>>>>>> >>> >>>>>> hello chaps, thanks for that - I've updated MS and configured it >>> to >>> >>>>>> use clamd which works a treat, the machines are chewing spam >>> like they >>> >>>>>> haven't eaten in a month! I do have a spot of trouble with the >>> >>>>>> MailScanner -d --lint test though - >>> >>>>>> >>> >>>>>> bayes: failed rename /etc/MailScanner/bayes/bayes_journal to >>> >>>>>> /etc/MailScanner/bayes/bayes_journal.old >>> >>>>>> bayes: failed rename /etc/MailScanner/bayes/bayes_journal to >>> >>>>>> /etc/MailScanner/bayes/bayes_journal.old >>> >>>>>> bayes: failed rename /etc/MailScanner/bayes/bayes_journal to >>> >>>>>> /etc/MailScanner/bayes/bayes_journal.old >>> >>>>>> >>> >>>>>> Previous error complained of not being able to read the files so >>> i >>> >>>>>> chown postfix:root * in the directory, now I'm getting the >>> above. >>> >>>>>> Seems to have fixed the read error though... >>> >>>>>> >>> >>>>>> thanks again, >>> >>>>>> >>> >>>>>> Simon >>> >>>>> This is how this looks for me (I use MailWatch where the apache >>> user >>> >>>>> and group is named "apache"): >>> >>>>> >>> >>>>> # ls -ld /etc/MailScanner/bayes >>> >>>>> drwxrwsrwx 2 postfix apache 4096 2009-01-26 14:58 >>> /etc/MailScanner/bayes/ >>> >>>>> # ls -l /etc/MailScanner/bayes >>> >>>>> totalt 6004 >>> >>>>> -rw-rw---- 1 postfix apache 2334 2009-01-26 14:58 bayes.mutex >>> >>>>> -rw-r----- 1 apache apache 12288 2009-01-26 14:58 bayes_seen >>> >>>>> -rw-rw---- 1 postfix apache 5984256 2009-01-26 14:58 bayes_toks >>> >>>>> # >>> >>>>> >>> >>>>> Cheers >>> >>>>> -- >>> >>>>> -- Glenn >>> >>>>> email: glenn < dot > steen < at > gmail < dot > com >>> >>>> >>> >>>> looks good! so simple I didn't think it could be that. 
finally >>> since >>> >>>> the upgrade I'm gettin commit ineffective with AutoCommit enabled >>> at >>> >>>> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line >>> 93, >>> >>>> line 1 >>> >>>> >>> >>>> when i restart the MailScanner service, doesn't seem to be a >>> problem >>> >>>> but can it be tidied up? >>> >>>> >>> >>>> Simon >>> >>>> >>> >>> >>> >>> Guys, also just noticed quite a lot of SA time outs on one of the >>> >>> gateways, the other gateways are fine and responding so I don't >>> think >>> >>> it's a slow blacklist - CPU seems to be IRO 50% on average so the >>> >>> system isn't way busy. Did the MS upgrade break something with SA? >>> >>> >>> >>> SpamAssassin timed out and was killed, failure 1 of 10 >>> >> >>> >> Check that your bayes_seen file is of a reasonable size, else ... >>> >> remove it. Also check that your SA expire runs complete (no "expire" >>> >> files in your bayes directory)... Try up the "SpamAssassin Timeout" >>> to >>> >> something fairly large in /etc/MailScanner/MailScanner.conf (mine is >>> >> at 10 minutes... == 600 seconds). >>> >> >>> >> Cheers >>> >> -- >>> >> -- Glenn >>> > >>> > Hello lads, thanks again - cleaned up the error (thanks Steve, we >>> > don't like messy bits do we!) and Glenn, on the money with the >>> timeout >>> > setting for SA - it was set to 10 secs on the gateway that was >>> playing >>> > up and 600 on the others, not sure how that happened but I guess the >>> > part of the system between the chair and they keyboard may have got >>> > distracted!. >>> > >>> > all working beautifully again! >>> > >>> > Simon >>> > >>> slllllooooooooooowwweedddd down to a crawl again and is stacking >>> messages in the hold queue. I can't figure out what's going on here. >>> restart MS and it works really fast but leave it to run for five >>> minutes or so and the whole things slows to a crawl, it backs up >>> messages in the hold queue and is really slow answering on port 25 or >>> times out completely. 
I've commented out the lists in >>> /etc/MailScanner/spam.lists.conf - does SA have any others configured >>> somewhere else? I'm clutching at straws now. no errors in the lint >>> tests and everything seems normal. >> >> It's not starting to swap is it? Have you tried dropping the number of mailscanner processes down a bit? >> >> Jason >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> > > Hi Jason, > > nope not swapping - they have 8gb ram and 15k rpm sas drives > > free -m > total used free shared buffers cached > Mem: 3948 2624 1324 0 206 444 > -/+ buffers/cache: 1973 1975 > Swap: 1983 0 1983 > > its really strange, I've commented out all the lists in > spam.lists.conf and disabled bayes in spam.assassin.prefs.conf dropped > the max children to 20 from 40 (which its been happy with for months) > but its still stacking mail in the hold queue - I just checked again > tail -f /var/log/maillog | grep Found and it seems to have just > shifted 500+ messages in one big lump! hold is now clear... what > the.... > does anyone know a king kong ding-a-ling command to show if some pesky spammer has hooked on to the system and is pumping masses of mail at it? I can see lots of connections on 25 from random IP's but I'd expect this netstat -an shows me this, I could perhaps use something to narrow it down a little or even show high traffic from a particular IP etc... not sure, I don't think my config is bad, it just seems the systems are working really hard to keep up with the flow of junk. From alex at rtpty.com Mon Jan 26 17:12:41 2009 
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Mon Jan 26 17:12:54 2009 Subject: WARNING: Ignoring deprecated option --unzip In-Reply-To: <70572c510901260906h4051fee0l2cc2bead745b319c@mail.gmail.com> References: <70572c510901241147w6d28cc19hb6146a0fd5dee2fd@mail.gmail.com> <497CA0EE.6@ecs.soton.ac.uk> <70572c510901260416i4258b66bx1d8e325f85ca2ff5@mail.gmail.com> <223f97700901260601p4f609362seaeaf4f936294722@mail.gmail.com> <70572c510901260629i2373807en75ad2f25e865f7e0@mail.gmail.com> <70572c510901260645i2b0799b7jd5cd60bafa439df2@mail.gmail.com> <223f97700901260655q67a05ae6lbed1f6317a004dd6@mail.gmail.com> <70572c510901260725w3d32902chb0582c55c0f13b81@mail.gmail.com> <70572c510901260825v5c49a966n37f54e633f1c4c48@mail.gmail.com> <1213490F1F316842A544A850422BFA9614F171E5@BHLSBS.bhl.local> <70572c510901260906h4051fee0l2cc2bead745b319c@mail.gmail.com> Message-ID: <2F2E6CB5-A366-4F93-9DB8-E843FE77C8E1@rtpty.com> Remember, the latest version of MS doesn't swap anymore! It respectfully segfaults instead. Cheers, Alex (Happy Chinese New Year, by the way) On Jan 26, 2009, at 12:06 PM, Simon Jones wrote: > nope not swapping - they have 8gb ram and 15k rpm sas drives From MailScanner at ecs.soton.ac.uk Mon Jan 26 17:18:37 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jan 26 17:19:01 2009 Subject: WARNING: Ignoring deprecated option --unzip In-Reply-To: <70572c510901260906h4051fee0l2cc2bead745b319c@mail.gmail.com> References: <70572c510901241147w6d28cc19hb6146a0fd5dee2fd@mail.gmail.com> <497CA0EE.6@ecs.soton.ac.uk> <70572c510901260416i4258b66bx1d8e325f85ca2ff5@mail.gmail.com> <223f97700901260601p4f609362seaeaf4f936294722@mail.gmail.com> <70572c510901260629i2373807en75ad2f25e865f7e0@mail.gmail.com> <70572c510901260645i2b0799b7jd5cd60bafa439df2@mail.gmail.com> <223f97700901260655q67a05ae6lbed1f6317a004dd6@mail.gmail.com> <70572c510901260725w3d32902chb0582c55c0f13b81@mail.gmail.com> <70572c510901260825v5c49a966n37f54e633f1c4c48@mail.gmail.com> <1213490F1F316842A544A850422BFA9614F171E5@BHLSBS.bhl.local> <70572c510901260906h4051fee0l2cc2bead745b319c@mail.gmail.com> Message-ID: <497DF06D.6000704@ecs.soton.ac.uk> On 26/1/09 17:06, Simon Jones wrote: > Hi Jason, > nope not swapping - they have 8gb ram and 15k rpm sas drives > > free -m > total used free shared buffers cached > Mem: 3948 2624 1324 0 206 444 > -/+ buffers/cache: 1973 1975 > Swap: 1983 0 1983 > > its really strange, I've commented out all the lists in > spam.lists.conf and disabled bayes in spam.assassin.prefs.conf dropped > the max children to 20 from 40 (which its been happy with for months) > but its still stacking mail in the hold queue - I just checked again > tail -f /var/log/maillog | grep Found and it seems to have just > shifted 500+ messages in one big lump! hold is now clear... what > the.... > 20 children, each with 30 messages, will all clear at nearly the same time if one bit of the processing is taking most of the time. 20x30=600 messages. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ChrisSweeney at osubucks.org Mon Jan 26 17:18:02 2009 
From: ChrisSweeney at osubucks.org (Christopher Sweeney) Date: Mon Jan 26 17:19:18 2009 Subject: WARNING: Ignoring deprecated option --unzip References: <70572c510901241147w6d28cc19hb6146a0fd5dee2fd@mail.gmail.com><70572c510901260416i4258b66bx1d8e325f85ca2ff5@mail.gmail.com><223f97700901260601p4f609362seaeaf4f936294722@mail.gmail.com><70572c510901260629i2373807en75ad2f25e865f7e0@mail.gmail.com><70572c510901260645i2b0799b7jd5cd60bafa439df2@mail.gmail.com><223f97700901260655q67a05ae6lbed1f6317a004dd6@mail.gmail.com><70572c510901260725w3d32902chb0582c55c0f13b81@mail.gmail.com><70572c510901260825v5c49a966n37f54e633f1c4c48@mail.gmail.com><1213490F1F316842A544A850422BFA9614F171E5@BHLSBS.bhl.local><70572c510901260906h4051fee0l2cc2bead745b319c@mail.gmail.com> <70572c510901260910g757f88f4y56641c7361d4023a@mail.gmail.com> Message-ID: <5485D83E8AEA2A4C93D5AEB1F34445649AE5@IFCINCINNATI01.ifcincinnati.org> > does anyone know a king kong ding-a-ling command to show if some pesky spammer has hooked on to the system and is pumping masses of mail at it? I can see lots of connections on 25 from random IP's but I'd expect this netstat -an shows me this, I could perhaps use something to narrow it down a little or even show high traffic from a particular IP etc... not sure, I don't think my config is bad, it just seems the systems are working really hard to keep up with the flow of junk. > Have you tried just looking at the logs? How about your out que for bounces? -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From simonmjones at gmail.com Mon Jan 26 17:34:52 2009
From: simonmjones at gmail.com (Simon Jones) Date: Mon Jan 26 17:35:01 2009 Subject: WARNING: Ignoring deprecated option --unzip In-Reply-To: <497DF06D.6000704@ecs.soton.ac.uk> References: <70572c510901241147w6d28cc19hb6146a0fd5dee2fd@mail.gmail.com> <223f97700901260601p4f609362seaeaf4f936294722@mail.gmail.com> <70572c510901260629i2373807en75ad2f25e865f7e0@mail.gmail.com> <70572c510901260645i2b0799b7jd5cd60bafa439df2@mail.gmail.com> <223f97700901260655q67a05ae6lbed1f6317a004dd6@mail.gmail.com> <70572c510901260725w3d32902chb0582c55c0f13b81@mail.gmail.com> <70572c510901260825v5c49a966n37f54e633f1c4c48@mail.gmail.com> <1213490F1F316842A544A850422BFA9614F171E5@BHLSBS.bhl.local> <70572c510901260906h4051fee0l2cc2bead745b319c@mail.gmail.com> <497DF06D.6000704@ecs.soton.ac.uk> Message-ID: <70572c510901260934v665cea34s79600ade941d6e90@mail.gmail.com> 2009/1/26 Julian Field : > > > On 26/1/09 17:06, Simon Jones wrote: >> >> Hi Jason, >> nope not swapping - they have 8gb ram and 15k rpm sas drives >> >> free -m >> total used free shared buffers cached >> Mem: 3948 2624 1324 0 206 444 >> -/+ buffers/cache: 1973 1975 >> Swap: 1983 0 1983 >> >> its really strange, I've commented out all the lists in >> spam.lists.conf and disabled bayes in spam.assassin.prefs.conf dropped >> the max children to 20 from 40 (which its been happy with for months) >> but its still stacking mail in the hold queue - I just checked again >> tail -f /var/log/maillog | grep Found and it seems to have just >> shifted 500+ messages in one big lump! hold is now clear... what >> the.... >> > > 20 children, each with 30 messages, will all clear at nearly the same time > if one bit of the processing is taking most of the time. 20x30=600 messages. > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? 
> Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > PGP public key: http://www.jules.fm/julesfm.asc Thanks Julian, its really strange that's all, the system is easily managing to keep up now but telnet to 25 is still really slow to respond, like 5 - 10 seconds or it'll time out completely. I noticed my mailscanner sql db is getting a bit fat so maybe this is causing some problem... From simonmjones at gmail.com Mon Jan 26 17:39:57 2009 
From: simonmjones at gmail.com (Simon Jones) Date: Mon Jan 26 17:40:06 2009 Subject: WARNING: Ignoring deprecated option --unzip In-Reply-To: <5485D83E8AEA2A4C93D5AEB1F34445649AE5@IFCINCINNATI01.ifcincinnati.org> References: <70572c510901241147w6d28cc19hb6146a0fd5dee2fd@mail.gmail.com> <70572c510901260629i2373807en75ad2f25e865f7e0@mail.gmail.com> <70572c510901260645i2b0799b7jd5cd60bafa439df2@mail.gmail.com> <223f97700901260655q67a05ae6lbed1f6317a004dd6@mail.gmail.com> <70572c510901260725w3d32902chb0582c55c0f13b81@mail.gmail.com> <70572c510901260825v5c49a966n37f54e633f1c4c48@mail.gmail.com> <1213490F1F316842A544A850422BFA9614F171E5@BHLSBS.bhl.local> <70572c510901260906h4051fee0l2cc2bead745b319c@mail.gmail.com> <70572c510901260910g757f88f4y56641c7361d4023a@mail.gmail.com> <5485D83E8AEA2A4C93D5AEB1F34445649AE5@IFCINCINNATI01.ifcincinnati.org> Message-ID: <70572c510901260939t1646efe9u50264984b2c6c7ae@mail.gmail.com> 2009/1/26 Christopher Sweeney : >> > > does anyone know a king kong ding-a-ling command to show if some pesky > spammer has hooked on to the system and is pumping masses of mail at > it? I can see lots of connections on 25 from random IP's but I'd > expect this netstat -an shows me this, I could perhaps use something > to narrow it down a little or even show high traffic from a particular > IP etc... not sure, I don't think my config is bad, it just seems the > systems are working really hard to keep up with the flow of junk. >> > > Have you tried just looking at the logs? How about your out que for bounces? > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > Yup, I've been hawking the logs for the last couple of days and all i can see is random, plain old spam - nothing special. From steve.freegard at fsl.com Mon Jan 26 17:41:59 2009 
From: steve.freegard at fsl.com (Steve Freegard)
Date: Mon Jan 26 17:42:10 2009
Subject: WARNING: Ignoring deprecated option --unzip
In-Reply-To: <70572c510901260910g757f88f4y56641c7361d4023a@mail.gmail.com>
References: <70572c510901241147w6d28cc19hb6146a0fd5dee2fd@mail.gmail.com> <70572c510901260416i4258b66bx1d8e325f85ca2ff5@mail.gmail.com> <223f97700901260601p4f609362seaeaf4f936294722@mail.gmail.com> <70572c510901260629i2373807en75ad2f25e865f7e0@mail.gmail.com> <70572c510901260645i2b0799b7jd5cd60bafa439df2@mail.gmail.com> <223f97700901260655q67a05ae6lbed1f6317a004dd6@mail.gmail.com> <70572c510901260725w3d32902chb0582c55c0f13b81@mail.gmail.com> <70572c510901260825v5c49a966n37f54e633f1c4c48@mail.gmail.com> <1213490F1F316842A544A850422BFA9614F171E5@BHLSBS.bhl.local> <70572c510901260906h4051fee0l2cc2bead745b319c@mail.gmail.com> <70572c510901260910g757f88f4y56641c7361d4023a@mail.gmail.com>
Message-ID: <497DF5E7.8050006@fsl.com>

Simon Jones wrote:
> does anyone know a king kong ding-a-ling command to show if some pesky
> spammer has hooked on to the system and is pumping masses of mail at
> it? I can see lots of connections on 25 from random IP's but I'd
> expect this netstat -an shows me this, I could perhaps use something
> to narrow it down a little or even show high traffic from a particular
> IP etc... not sure, I don't think my config is bad, it just seems the
> systems are working really hard to keep up with the flow of junk.

Run the following SQL against your MailWatch database:

    SELECT clientip, COUNT(*) AS count,
           SUM(CASE WHEN isspam>0 THEN 1 ELSE 0 END) AS spam
    FROM maillog
    WHERE date=CURRENT_DATE()
    GROUP BY clientip
    ORDER BY count DESC
    LIMIT 50;

Will give you the Top 50 connecting IP addresses by the number of messages and will also show you a number of spam messages from the host as well.
As for diagnosing the 'slowness' of your machine - I would suggest that you restart MailScanner with the 'Log Speed = yes' option set; then run:

    grep 'Batch .* processed in' /var/log/maillog | tail

Then paste the last 10 results here.

Regards,
Steve.

From lundin at fini.net Mon Jan 26 18:03:42 2009
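A log-side counterpart to the MailWatch query in Steve Freegard's reply above, as an added example that is not part of any post in this thread: it counts Postfix smtpd "connect from" lines per client IP, reports each client's busiest single minute, and marks clients that Postfix logged as "unknown" (no usable reverse DNS). The log lines are constructed samples in Postfix syslog format, and the function names and the threshold are assumptions.

```python
import re
import sys
from collections import Counter, defaultdict

# Constructed sample in Postfix syslog format; the addresses are documentation ranges.
SAMPLE_LOG = """\
Jan 26 17:01:02 mailgate1 postfix/smtpd[4101]: connect from unknown[203.0.113.7]
Jan 26 17:01:05 mailgate1 postfix/smtpd[4102]: connect from unknown[203.0.113.7]
Jan 26 17:01:09 mailgate1 postfix/smtpd[4103]: connect from mail.example.org[198.51.100.20]
Jan 26 17:01:31 mailgate1 postfix/smtpd[4104]: connect from unknown[203.0.113.7]
Jan 26 17:01:40 mailgate1 postfix/smtpd[4101]: disconnect from unknown[203.0.113.7]
Jan 26 17:02:03 mailgate1 postfix/smtpd[4105]: connect from unknown[203.0.113.7]
Jan 26 17:02:44 mailgate1 postfix/smtpd[4106]: connect from mx.example.net[192.0.2.55]
Jan 26 17:03:10 mailgate1 postfix/smtpd[4107]: connect from mail.example.org[198.51.100.20]
Jan 26 17:03:12 mailgate1 MailScanner[6685]: New Batch: Scanning 30 messages, 412345 bytes
"""

# Matches only smtpd "connect from host[ip]" events. "disconnect from" lines do
# not match because the text right after "]: " must begin with "connect".
CONNECT_RE = re.compile(
    r"^(?P<minute>\w{3}\s+\d+\s+\d\d:\d\d):\d\d\s+\S+\s+postfix/smtpd\[\d+\]:\s+"
    r"connect from (?P<host>\S+)\[(?P<ip>[0-9A-Fa-f:.]+)\]"
)


def summarize(lines):
    """Return (ip, total_connects, peak_connects_in_one_minute, no_rdns) rows,
    busiest client first."""
    total = Counter()
    per_minute = defaultdict(Counter)
    unresolved = set()
    for line in lines:
        m = CONNECT_RE.match(line)
        if not m:
            continue
        ip = m.group("ip")
        total[ip] += 1
        per_minute[ip][m.group("minute")] += 1
        # Postfix logs the client name as "unknown" when it could not map the
        # address to a verified hostname.
        if m.group("host") == "unknown":
            unresolved.add(ip)
    return [
        (ip, n, max(per_minute[ip].values()), ip in unresolved)
        for ip, n in total.most_common()
    ]


def heavy_hitters(lines, per_minute_threshold):
    """Clients whose busiest minute reached the threshold (an assumed cut-off
    to tune against the gateway's normal traffic)."""
    return [row for row in summarize(lines) if row[2] >= per_minute_threshold]


if __name__ == "__main__":
    # With a path argument, read that log; otherwise run on the sample above.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            rows = summarize(fh)
    else:
        rows = summarize(SAMPLE_LOG.splitlines())
    print(f"{'client ip':<40} {'total':>6} {'peak/min':>8}  rdns")
    for ip, n, peak, no_rdns in rows[:50]:
        print(f"{ip:<40} {n:>6} {peak:>8}  {'none' if no_rdns else 'ok'}")
```

A client with a high per-minute peak and no reverse DNS is the first thing to compare against the MailWatch spam counts for the same address.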
From: lundin at fini.net (lundin@fini.net) Date: Mon Jan 26 18:03:59 2009 Subject: http://www.effierover.com/downloads/dynamic.txt In-Reply-To: <497D80E4.9040509@alexb.ch> References: <497D784D.8030908@ecs.soton.ac.uk> <497D80E4.9040509@alexb.ch> Message-ID: <20090126180342.GB11921@fini.net> On Mon, Jan 26, 2009 at 10:22:44AM +0100, Alex Broens wrote: > On 1/26/2009 9:46 AM, Julian Field wrote: > >Anyone using this list at all? > >If so, any comments? > >Does it intersect well with Spamhaus lists so is unnecessary? > > Looks pretty redundand with PBL + has a large bunch of potential FPs > (edus, hosters, etc) > > Personally, I wouldn't use it. Suspect they only use it for personal mail servers. spam.effierover.com not found? And that's 30832 of someone else's slowly aging sendmail access rules... with lots of marked backscatter sites, and (commented out) entry "Deity, I hate clueless admins." :-) And, mysteriously, Connect:mail.tor.primus.ca OK Connect:s2-161.rb2.lax.centurytel.net OK # -- marketsharp idiots -- Connect:ipn36372-e66010.cidr.lightship.net OK Connect:342985.ds.nac.net OK Connect:66-192-44-70.gen.twtelecom.net OK Connect:66-194-32-115.gen.twtelecom.net OK Connect:64-132-216-42.static.twtelecom.net OK Connect:uslec-63-243-121-117.cust.uslec.net OK Lessee... Okay, from a sample, about 85% of 'em no longer resolve! perl -e 'while (<>){$y{$1}++ if /ref (\d\d\d\d)\d\d\d\d/};for (sort keys %y){printf "%4d %5d\n",$_,$y{$_}}' dynamic.txt 2003 172 2004 5785 2005 2761 2006 4401 2007 11714 2008 5930 2009 118 Ran out of quantum before checking against rbl's. :-) (No, I don't use 'em... was curious and fiddled over lunch. :-)) -- lundin@fini.net "In theory there is no difference between theory and practice. But in practice there is." From Kevin_Miller at ci.juneau.ak.us Mon Jan 26 18:23:42 2009 
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Mon Jan 26 18:23:54 2009 Subject: WARNING: Ignoring deprecated option --unzip In-Reply-To: <70572c510901260934v665cea34s79600ade941d6e90@mail.gmail.com> References: <70572c510901241147w6d28cc19hb6146a0fd5dee2fd@mail.gmail.com><223f97700901260601p4f609362seaeaf4f936294722@mail.gmail.com><70572c510901260629i2373807en75ad2f25e865f7e0@mail.gmail.com><70572c510901260645i2b0799b7jd5cd60bafa439df2@mail.gmail.com><223f97700901260655q67a05ae6lbed1f6317a004dd6@mail.gmail.com><70572c510901260725w3d32902chb0582c55c0f13b81@mail.gmail.com><70572c510901260825v5c49a966n37f54e633f1c4c48@mail.gmail.com><1213490F1F316842A544A850422BFA9614F171E5@BHLSBS.bhl.local><70572c510901260906h4051fee0l2cc2bead745b319c@mail.gmail.com><497DF06D.6000704@ecs.soton.ac.uk> <70572c510901260934v665cea34s79600ade941d6e90@mail.gmail.com> Message-ID: -----Original Message----- > its really strange that's all, the system is easily managing to > keep up now but telnet to 25 is still really slow to respond, > like 5 - 10 seconds or it'll time out completely. I noticed my > mailscanner sql db is getting a bit fat so maybe this is causing > some problem... Getting into the game late here, so maybe it's been asked already, but are you running a caching DNS server on the box? That may help. Too, I've seen telnet spin its wheels when there was no reverse zone for the source (i.e., your) host. You don't actually need a reverse entry for your host if you don't have one, but having even a single entry in the reverse zone allows the name server to return a 'not found' almost instantly, whereas it seems to wait to timeout if no reverse zone exists... ...Kevin From MailScanner at ecs.soton.ac.uk Mon Jan 26 19:14:53 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jan 26 19:15:13 2009 Subject: WARNING: Ignoring deprecated option --unzip In-Reply-To: References: <70572c510901241147w6d28cc19hb6146a0fd5dee2fd@mail.gmail.com><223f97700901260601p4f609362seaeaf4f936294722@mail.gmail.com><70572c510901260629i2373807en75ad2f25e865f7e0@mail.gmail.com><70572c510901260645i2b0799b7jd5cd60bafa439df2@mail.gmail.com><223f97700901260655q67a05ae6lbed1f6317a004dd6@mail.gmail.com><70572c510901260725w3d32902chb0582c55c0f13b81@mail.gmail.com><70572c510901260825v5c49a966n37f54e633f1c4c48@mail.gmail.com><1213490F1F316842A544A850422BFA9614F171E5@BHLSBS.bhl.local><70572c510901260906h4051fee0l2cc2bead745b319c@mail.gmail.com><497DF06D.6000704@ecs.soton.ac.uk> <70572c510901260934v665cea34s79600ade941d6e90@mail.gmail.com> Message-ID: <497E0BAD.90707@ecs.soton.ac.uk> On 26/1/09 18:23, Kevin Miller wrote: > -----Original Message----- > >> its really strange that's all, the system is easily managing to >> keep up now but telnet to 25 is still really slow to respond, >> like 5 - 10 seconds or it'll time out completely. I noticed my >> mailscanner sql db is getting a bit fat so maybe this is causing >> some problem... >> > > Getting into the game late here, so maybe it's been asked already, but > are you running a caching DNS server on the box? That may help. > > Too, I've seen telnet spin it's wheels when there was no reverse zone > for the source (i.e., your) host. You don't actualy need a reverse > entry for your host if you don't have one, but having even a single > entry in the reverse zone allows the name server to return a 'not found' > almost instantly, whereas it seems to wait to timeout if no reverse zone > exists... > Yes, that's exactly what I was going to suggest. 
If telnet 25 produces a long delay before giving a sendmail welcome prompt, it's a *sure* sign of trouble resolving DNS names, as sendmail does forward and reverse lookups on your address to work out who you are before it talks to you. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From maxsec at gmail.com Mon Jan 26 19:29:19 2009 
From: maxsec at gmail.com (Martin Hepworth) Date: Mon Jan 26 19:29:29 2009 Subject: WARNING: Ignoring deprecated option --unzip In-Reply-To: <70572c510901260934v665cea34s79600ade941d6e90@mail.gmail.com> References: <70572c510901241147w6d28cc19hb6146a0fd5dee2fd@mail.gmail.com> <70572c510901260629i2373807en75ad2f25e865f7e0@mail.gmail.com> <70572c510901260645i2b0799b7jd5cd60bafa439df2@mail.gmail.com> <223f97700901260655q67a05ae6lbed1f6317a004dd6@mail.gmail.com> <70572c510901260725w3d32902chb0582c55c0f13b81@mail.gmail.com> <70572c510901260825v5c49a966n37f54e633f1c4c48@mail.gmail.com> <1213490F1F316842A544A850422BFA9614F171E5@BHLSBS.bhl.local> <70572c510901260906h4051fee0l2cc2bead745b319c@mail.gmail.com> <497DF06D.6000704@ecs.soton.ac.uk> <70572c510901260934v665cea34s79600ade941d6e90@mail.gmail.com> Message-ID: <72cf361e0901261129y11dfd7b9ife9ce7d078c5f39f@mail.gmail.com> 2009/1/26 Simon Jones : > 2009/1/26 Julian Field : >> >> >> On 26/1/09 17:06, Simon Jones wrote: >>> >>> Hi Jason, >>> nope not swapping - they have 8gb ram and 15k rpm sas drives >>> >>> free -m >>> total used free shared buffers cached >>> Mem: 3948 2624 1324 0 206 444 >>> -/+ buffers/cache: 1973 1975 >>> Swap: 1983 0 1983 >>> >>> its really strange, I've commented out all the lists in >>> spam.lists.conf and disabled bayes in spam.assassin.prefs.conf dropped >>> the max children to 20 from 40 (which its been happy with for months) >>> but its still stacking mail in the hold queue - I just checked again >>> tail -f /var/log/maillog | grep Found and it seems to have just >>> shifted 500+ messages in one big lump! hold is now clear... what >>> the.... >>> >> >> 20 children, each with 30 messages, will all clear at nearly the same time >> if one bit of the processing is taking most of the time. 20x30=600 messages. 
>> >> Jules >> >> -- >> Julian Field MEng CITP CEng >> www.MailScanner.info >> Buy the MailScanner book at www.MailScanner.info/store >> >> MailScanner customisation, or any advanced system administration help? >> Contact me at Jules@Jules.FM >> >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> PGP public key: http://www.jules.fm/julesfm.asc > > Thanks Julian, > > its really strange that's all, the system is easily managing to keep > up now but telnet to 25 is still really slow to respond, like 5 - 10 > seconds or it'll time out completely. I noticed my mailscanner sql db > is getting a bit fat so maybe this is causing some problem... > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > Sounds like DNS issues...check the setup is OK and dns requests are handled correctly. -- Martin Hepworth Oxford, UK From marco.mangione at gmail.com Mon Jan 26 19:44:36 2009 From: marco.mangione at gmail.com (Marco mangione) Date: Mon Jan 26 19:45:57 2009 Subject: mailscaller spool folder Message-ID: Hello, my mailscanner installation have the /var/spool/mailscanner/incoming folder very big ( 5/6giga) can i clean it daily ? marco -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090126/d7fe0f62/attachment.html From ssilva at sgvwater.com Mon Jan 26 20:37:02 2009
From: ssilva at sgvwater.com (Scott Silva) Date: Mon Jan 26 20:37:23 2009 Subject: mailscaller spool folder In-Reply-To: References: Message-ID: on 1-26-2009 11:44 AM Marco mangione spake the following: > Hello, > > my mailscanner installation have the /var/spool/mailscanner/incoming > folder very big ( 5/6giga) > can i clean it daily ? > > marco > It should be cleaning itself. MailScanner only uses it during a batch scan, then dumps it. On my system it creates a directory for each running child using its PID number, and that directory stays around until the child dies and is cleaned up after. If you have a lot of children with a large batch size, it could peak regularly. If you have files in there older than 24 hours other than the locks directory, you likely have a problem. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 258 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090126/9f6fafbe/signature.bin From marco.mangione at gmail.com Mon Jan 26 20:43:00 2009 
From: marco.mangione at gmail.com (Marco mangione) Date: Mon Jan 26 20:44:27 2009 Subject: mailscaller spool folder In-Reply-To: References: Message-ID: i re-checked the big folder is SpamAssassin-temp ... i removed it .... 2009/1/26 Scott Silva > on 1-26-2009 11:44 AM Marco mangione spake the following: > > Hello, > > > > my mailscanner installation have the /var/spool/mailscanner/incoming > > folder very big ( 5/6giga) > > can i clean it daily ? > > > > marco > > > It should be cleaning itself. MailScanner only uses it during a batch scan, > then dumps it. On my system it creates a directory for each running child > using its PID number, and that directory stays around until the child dies > and > is cleaned up after. > If you have a lot of children with a large batch size, it could peak > regularly. > If you have files in there older than 24 hours other than the locks > directory, > you likely have a problem. > > > -- > MailScanner is like deodorant... > You hope everybody uses it, and > you notice quickly if they don't!!!! > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090126/0cb7d922/attachment.html From Marc.Delisle at cegepsherbrooke.qc.ca Mon Jan 26 20:53:30 2009 
From: Marc.Delisle at cegepsherbrooke.qc.ca (Marc Delisle) Date: Mon Jan 26 20:53:41 2009 Subject: rule having an effect on all recipients Message-ID: <497E22CA.8040304@cegepsherbrooke.qc.ca> Hi, I am running 4.70.7-1 and will shortly upgrade to 4.74. My question is about a rule affecting more than the intended user. Look at this: High Scoring Spam Actions = %rules-dir%/highspam.actions.rules which contains (obfuscated): To: user1@cegepsherbrooke.qc.ca deliver header "X-Spam-Status: Yes" To: user2@cegepsherbrooke.qc.ca deliver header "X-Spam-Status: Yes" FromOrTo: default delete So, user1 and user2 want to receive all high scoring spam. But, high spam messages with user1 or user2 in the list of recipients are delivered to all recipients. Is this a known problem, or is my syntax invalid? Thanks, Marc Delisle From marco.mangione at gmail.com Mon Jan 26 20:53:44 2009 From: marco.mangione at gmail.com (Marco mangione) Date: Mon Jan 26 20:55:10 2009 Subject: zen.spamhaus.org wont work .. Message-ID: zen.spamhaus.org dont work for me ... it is correctly insert as restriction in my postfix configuration file but i receive spam email, and if i check source ip address it is correctly insert into spamhaus database! :( ... anyone know how to troubleshoot this problem ? marco -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090126/85c829a4/attachment.html From ssilva at sgvwater.com Mon Jan 26 20:57:44 2009 
From: ssilva at sgvwater.com (Scott Silva) Date: Mon Jan 26 20:58:05 2009 Subject: rule having an effect on all recipients In-Reply-To: <497E22CA.8040304@cegepsherbrooke.qc.ca> References: <497E22CA.8040304@cegepsherbrooke.qc.ca> Message-ID: on 1-26-2009 12:53 PM Marc Delisle spake the following: > Hi, > I am running 4.70.7-1 and will shortly upgrade to 4.74. My question is > about a rule affecting more than the intended user. Look at this: > > High Scoring Spam Actions = %rules-dir%/highspam.actions.rules > > which contains (obfuscated): > > To: user1@cegepsherbrooke.qc.ca deliver header "X-Spam-Status: Yes" > To: user2@cegepsherbrooke.qc.ca deliver header "X-Spam-Status: Yes" > FromOrTo: default delete > > So, user1 and user2 want to receive all high scoring spam. But, high > spam messages with user1 or user2 in the list of recipients are > delivered to all recipients. Is this a known problem, or is my syntax > invalid? > > Thanks, > Marc Delisle You have to split incoming messages for rules like that to work. There are howto's for postfix and sendmail in the wiki. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 258 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090126/2cb5a83d/signature.bin From maillists at conactive.com Mon Jan 26 21:31:21 2009 
From: maillists at conactive.com (Kai Schaetzl) Date: Mon Jan 26 21:31:33 2009 Subject: mailscaller spool folder In-Reply-To: References: Message-ID: Marco mangione wrote on Mon, 26 Jan 2009 20:44:36 +0100: > my mailscanner installation have the /var/spool/mailscanner/incoming folder > very big ( 5/6giga) > can i clean it daily ? If you want to lose the SA cache, yes. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From maillists at conactive.com Mon Jan 26 21:31:21 2009 From: maillists at conactive.com (Kai Schaetzl) Date: Mon Jan 26 21:31:34 2009 Subject: mailscaller spool folder In-Reply-To: References: Message-ID: Marco mangione wrote on Mon, 26 Jan 2009 20:44:36 +0100: > can i clean it daily ? check what takes that space. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From traced at xpear.de Mon Jan 26 21:46:24 2009 From: traced at xpear.de (traced) Date: Mon Jan 26 21:46:34 2009 Subject: mailscaller spool folder In-Reply-To: References: Message-ID: <497E2F30.1020003@xpear.de> Kai Schaetzl wrote: > Marco mangione wrote on Mon, 26 Jan 2009 20:44:36 +0100: > >> my mailscanner installation have the /var/spool/mailscanner/incoming folder >> very big ( 5/6giga) >> can i clean it daily ? > > If you want to lose the SA cache, yes. > > Kai > Hmm.. how many mails does this box? Bastian From glenn.steen at gmail.com Mon Jan 26 21:58:13 2009
From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Jan 26 21:58:22 2009 Subject: WARNING: Ignoring deprecated option --unzip In-Reply-To: <497E0BAD.90707@ecs.soton.ac.uk> References: <70572c510901241147w6d28cc19hb6146a0fd5dee2fd@mail.gmail.com> <223f97700901260655q67a05ae6lbed1f6317a004dd6@mail.gmail.com> <70572c510901260725w3d32902chb0582c55c0f13b81@mail.gmail.com> <70572c510901260825v5c49a966n37f54e633f1c4c48@mail.gmail.com> <1213490F1F316842A544A850422BFA9614F171E5@BHLSBS.bhl.local> <70572c510901260906h4051fee0l2cc2bead745b319c@mail.gmail.com> <497DF06D.6000704@ecs.soton.ac.uk> <70572c510901260934v665cea34s79600ade941d6e90@mail.gmail.com> <497E0BAD.90707@ecs.soton.ac.uk> Message-ID: <223f97700901261358j143f42f9mcee8ae33a6eb6045@mail.gmail.com> 2009/1/26 Julian Field : > > > On 26/1/09 18:23, Kevin Miller wrote: >> >> -----Original Message----- >> >>> >>> it's really strange that's all, the system is easily managing to >>> keep up now but telnet to 25 is still really slow to respond, >>> like 5 - 10 seconds or it'll time out completely. I noticed my >>> mailscanner sql db is getting a bit fat so maybe this is causing >>> some problem... >>> >> >> Getting into the game late here, so maybe it's been asked already, but >> are you running a caching DNS server on the box? That may help. >> >> Too, I've seen telnet spin its wheels when there was no reverse zone >> for the source (i.e., your) host. You don't actually need a reverse >> entry for your host if you don't have one, but having even a single >> entry in the reverse zone allows the name server to return a 'not found' >> almost instantly, whereas it seems to wait to timeout if no reverse zone >> exists... >> > > Yes, that's exactly what I was going to suggest. If telnet 25 produces a > long delay before giving a sendmail welcome prompt, it's a *sure* sign of > trouble resolving DNS names, as sendmail does forward and reverse lookups on > your address to work out who you are before it talks to you. 
> > Jules > Not only Sendmail... Postfix usually does too. Might be visible in the warnings log file (if one does log file separation). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ssilva at sgvwater.com Mon Jan 26 22:17:16 2009 From: ssilva at sgvwater.com (Scott Silva) Date: Mon Jan 26 22:17:42 2009 Subject: zen.spamhaus.org wont work .. In-Reply-To: References: Message-ID: on 1-26-2009 12:53 PM Marco mangione spake the following: > zen.spamhaus.org don't work for me ... it is > correctly inserted as restriction in my postfix configuration file but I > receive spam email, and if I check source ip address it is correctly > inserted into spamhaus database! :( ... anyone know how to troubleshoot > this problem ? > > marco > You most likely ran afoul of their usage policy. If you do too many queries to them they blacklist your IP address. From the affected system you can try a host 2.0.0.127.zen.spamhaus.org and if it times out, you are out of luck unless you pay for a feed. I can get near the hit rate but I have to use 5 different blacklists to do it. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From jethro.binks at strath.ac.uk Mon Jan 26 22:31:51 2009 
From: jethro.binks at strath.ac.uk (Jethro R Binks) Date: Mon Jan 26 22:32:00 2009 Subject: WARNING: Ignoring deprecated option --unzip In-Reply-To: <497E0BAD.90707@ecs.soton.ac.uk> Message-ID: On Mon, 26 Jan 2009, Julian Field wrote: > On 26/1/09 18:23, Kevin Miller wrote: > > -----Original Message----- > > > > > it's really strange that's all, the system is easily managing to > > > keep up now but telnet to 25 is still really slow to respond, > > > like 5 - 10 seconds or it'll time out completely. I noticed my > > > mailscanner sql db is getting a bit fat so maybe this is causing > > > some problem... > > > > Getting into the game late here, so maybe it's been asked already, but > > are you running a caching DNS server on the box? That may help. > > > > Too, I've seen telnet spin its wheels when there was no reverse zone > > for the source (i.e., your) host. You don't actually need a reverse > > entry for your host if you don't have one, but having even a single > > entry in the reverse zone allows the name server to return a 'not found' > > almost instantly, whereas it seems to wait to timeout if no reverse zone > > exists... > > > Yes, that's exactly what I was going to suggest. If telnet 25 produces a > long delay before giving a sendmail welcome prompt, it's a *sure* sign > of trouble resolving DNS names, as sendmail does forward and reverse > lookups on your address to work out who you are before it talks to you. No ... it's a sure sign of the system producing a long delay. You cannot read any more into it than that, in the generic case. The system may be heavily loaded, or delays might have been artificially introduced as a method of shedding spambots cheaply early on. My own systems delay for different numbers of seconds at several points in an SMTP transaction, which throws off poorly-written SMTP engines (and ill-configured ones). But I agree DNS is probably the _likeliest_ cause in this particular case ... -- . . . . . . . . . . . . . . . . . . . . . . . 
. . Jethro R Binks Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK From marco.mangione at gmail.com Tue Jan 27 06:42:51 2009 From: marco.mangione at gmail.com (Marco mangione) Date: Tue Jan 27 06:43:01 2009 Subject: zen.spamhaus.org wont work .. In-Reply-To: References: Message-ID: the response is that, I suppose I'm not blocked out, right ? root@filtro3:~# host 2.0.0.127.zen.spamhaus.org 2.0.0.127.zen.spamhaus.org has address 127.0.0.2 2.0.0.127.zen.spamhaus.org has address 127.0.0.4 2.0.0.127.zen.spamhaus.org has address 127.0.0.10 root@filtro3:~# 2009/1/26 Scott Silva > on 1-26-2009 12:53 PM Marco mangione spake the following: > > zen.spamhaus.org don't work for me ... it is > > correctly inserted as restriction in my postfix configuration file but I > > receive spam email, and if I check source ip address it is correctly > > inserted into spamhaus database! :( ... anyone know how to troubleshoot > > this problem ? > > > > marco > > > You most likely ran afoul of their usage policy. If you do too many queries to > them they blacklist your IP address. > From the affected system you can try a > host 2.0.0.127.zen.spamhaus.org > > and if it times out, you are out of luck unless you pay for a feed. > > I can get near the hit rate but I have to use 5 different blacklists to do it. > > -- > MailScanner is like deodorant... > You hope everybody uses it, and > you notice quickly if they don't!!!! From marco.mangione at gmail.com Tue Jan 27 07:20:19 2009 
From: marco.mangione at gmail.com (Marco mangione) Date: Tue Jan 27 07:20:28 2009 Subject: zen.spamhaus.org wont work .. In-Reply-To: References: Message-ID: also: root@filtro3:~# dig 2.0.0.127.zen.spamhaus.org ; <<>> DiG 9.4.2 <<>> 2.0.0.127.zen.spamhaus.org ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8132 ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 23, ADDITIONAL: 1 ;; QUESTION SECTION: ;2.0.0.127.zen.spamhaus.org. IN A ;; ANSWER SECTION: 2.0.0.127.zen.spamhaus.org. 615 IN A 127.0.0.2 2.0.0.127.zen.spamhaus.org. 615 IN A 127.0.0.4 2.0.0.127.zen.spamhaus.org. 615 IN A 127.0.0.10 ;; AUTHORITY SECTION: zen.spamhaus.org. 57372 IN NS l.ns.spamhaus.org. zen.spamhaus.org. 57372 IN NS m.ns.spamhaus.org. zen.spamhaus.org. 57372 IN NS o.ns.spamhaus.org. zen.spamhaus.org. 57372 IN NS q.ns.spamhaus.org. zen.spamhaus.org. 57372 IN NS r.ns.spamhaus.org. zen.spamhaus.org. 57372 IN NS s.ns.spamhaus.org. zen.spamhaus.org. 57372 IN NS t.ns.spamhaus.org. zen.spamhaus.org. 57372 IN NS x.ns.spamhaus.org. zen.spamhaus.org. 57372 IN NS y.ns.spamhaus.org. zen.spamhaus.org. 57372 IN NS 0.ns.spamhaus.org. zen.spamhaus.org. 57372 IN NS 1.ns.spamhaus.org. zen.spamhaus.org. 57372 IN NS 3.ns.spamhaus.org. zen.spamhaus.org. 57372 IN NS 5.ns.spamhaus.org. zen.spamhaus.org. 57372 IN NS 8.ns.spamhaus.org. zen.spamhaus.org. 57372 IN NS a.ns.spamhaus.org. zen.spamhaus.org. 57372 IN NS b.ns.spamhaus.org. zen.spamhaus.org. 57372 IN NS c.ns.spamhaus.org. zen.spamhaus.org. 57372 IN NS d.ns.spamhaus.org. zen.spamhaus.org. 57372 IN NS f.ns.spamhaus.org. zen.spamhaus.org. 57372 IN NS g.ns.spamhaus.org. zen.spamhaus.org. 57372 IN NS h.ns.spamhaus.org. zen.spamhaus.org. 57372 IN NS i.ns.spamhaus.org. zen.spamhaus.org. 57372 IN NS k.ns.spamhaus.org. ;; ADDITIONAL SECTION: 0.ns.spamhaus.org. 
946 IN A 204.16.254.40 ;; Query time: 26 msec ;; SERVER: 81.31.152.230#53(81.31.152.230) ;; WHEN: Tue Jan 27 08:18:59 2009 ;; MSG SIZE rcvd: 479 root@filtro3:~# 2009/1/27 Marco mangione > the response is that, I suppose I'm not blocked out, right ? > > root@filtro3:~# host 2.0.0.127.zen.spamhaus.org > 2.0.0.127.zen.spamhaus.org has address 127.0.0.2 > 2.0.0.127.zen.spamhaus.org has address 127.0.0.4 > 2.0.0.127.zen.spamhaus.org has address 127.0.0.10 > root@filtro3:~# > > > 2009/1/26 Scott Silva > >> on 1-26-2009 12:53 PM Marco mangione spake the following: >> > zen.spamhaus.org don't work for me ... it is >> > correctly inserted as restriction in my postfix configuration file but I >> > receive spam email, and if I check source ip address it is correctly >> > inserted into spamhaus database! :( ... anyone know how to troubleshoot >> > this problem ? >> > >> > marco >> > >> You most likely ran afoul of their usage policy. If you do too many queries to >> them they blacklist your IP address. >> From the affected system you can try a >> host 2.0.0.127.zen.spamhaus.org >> >> and if it times out, you are out of luck unless you pay for a feed. >> >> I can get near the hit rate but I have to use 5 different blacklists to do it. >> >> -- >> MailScanner is like deodorant... >> You hope everybody uses it, and >> you notice quickly if they don't!!!! From simonmjones at gmail.com Tue Jan 27 08:51:48 2009 
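The `host 2.0.0.127.zen.spamhaus.org` check from this thread, extended to build the query name for any sender address and to tell "listed", "not listed" and "query failed" apart, as an added example that is not part of the original messages. All function names are hypothetical; the first sample is the `host` output Marco posted, the other two samples are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# dnsbl_name IPV4 ZONE: print the DNSBL query name (octets reversed + zone).
# Exit status 1 if IPV4 is not a dotted quad with octets 0..255.
dnsbl_name() {
    echo "$1" | awk -F. -v zone="$2" '
        NF != 4 { exit 1 }
        {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1
            printf "%s.%s.%s.%s.%s\n", $4, $3, $2, $1, zone
        }'
}

# classify_host_output: read the output of `host <query>` on stdin and print
#   LISTED <codes>   one or more 127.x.x.x answers (the list's return codes)
#   NOT_LISTED       the resolver answered NXDOMAIN
#   QUERY_FAILED     timeout, refusal, or anything else without an answer
classify_host_output() {
    awk '
        / has address 127\./ { codes = codes (codes ? "," : "") $NF; next }
        /NXDOMAIN/           { nx = 1 }
        END {
            if (codes)   print "LISTED " codes
            else if (nx) print "NOT_LISTED"
            else         print "QUERY_FAILED"
        }'
}

# check_sender IPV4 [ZONE]: live lookup (needs network access and `host`).
check_sender() {
    q=$(dnsbl_name "$1" "${2:-zen.spamhaus.org}") || { echo "BAD_ADDRESS"; return 2; }
    host -W 5 "$q" 2>&1 | classify_host_output
}

# dnsbl_reachable [ZONE]: the test record 127.0.0.2 must come back LISTED.
# If it does not, every other lookup through this resolver will look clean
# or fail, whatever the list actually contains.
dnsbl_reachable() {
    case "$(check_sender 127.0.0.2 "${1:-zen.spamhaus.org}")" in
        LISTED*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Sample 1: the output posted in the thread.
sample_listed() {
cat <<'EOF'
2.0.0.127.zen.spamhaus.org has address 127.0.0.2
2.0.0.127.zen.spamhaus.org has address 127.0.0.4
2.0.0.127.zen.spamhaus.org has address 127.0.0.10
EOF
}

# Samples 2 and 3: constructed for illustration.
sample_clean() {
    echo 'Host 10.2.0.192.zen.spamhaus.org not found: 3(NXDOMAIN)'
}
sample_timeout() {
    echo ';; connection timed out; no servers could be reached'
}

# Offline demonstration on the three samples.
for s in sample_listed sample_clean sample_timeout; do
    printf '%s: %s\n' "$s" "$($s | classify_host_output)"
done
```

On the gateway itself, `dnsbl_reachable && check_sender <sender-ip>` runs the test-record check first and then the lookup for one suspect address.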
From: simonmjones at gmail.com (Simon Jones) Date: Tue Jan 27 08:51:57 2009 Subject: WARNING: Ignoring deprecated option --unzip In-Reply-To: References: <497E0BAD.90707@ecs.soton.ac.uk> Message-ID: <70572c510901270051u2bf67a73yc2ade274507bf19b@mail.gmail.com> 2009/1/26 Jethro R Binks : > On Mon, 26 Jan 2009, Julian Field wrote: > >> On 26/1/09 18:23, Kevin Miller wrote: >> > -----Original Message----- >> > >> > > it's really strange that's all, the system is easily managing to >> > > keep up now but telnet to 25 is still really slow to respond, >> > > like 5 - 10 seconds or it'll time out completely. I noticed my >> > > mailscanner sql db is getting a bit fat so maybe this is causing >> > > some problem... >> > >> > Getting into the game late here, so maybe it's been asked already, but >> > are you running a caching DNS server on the box? That may help. >> > >> > Too, I've seen telnet spin its wheels when there was no reverse zone >> > for the source (i.e., your) host. You don't actually need a reverse >> > entry for your host if you don't have one, but having even a single >> > entry in the reverse zone allows the name server to return a 'not found' >> > almost instantly, whereas it seems to wait to timeout if no reverse zone >> > exists... >> > >> Yes, that's exactly what I was going to suggest. If telnet 25 produces a >> long delay before giving a sendmail welcome prompt, it's a *sure* sign >> of trouble resolving DNS names, as sendmail does forward and reverse >> lookups on your address to work out who you are before it talks to you. > > No ... it's a sure sign of the system producing a long delay. You cannot > read any more into it than that, in the generic case. The system may be > heavily loaded, or delays might have been artificially introduced as a > method of shedding spambots cheaply early on. 
My own systems delay for > different numbers of seconds at several points in an SMTP transaction, > which throws off poorly-written SMTP engines (and ill-configured ones). > > But I agree DNS is probably the _likeliest_ cause in this particular case > ... > > > -- > . . . . . . . . . . . . . . . . . . . . . . . . . > Jethro R Binks > Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK > -- Thanks again to everyone for taking time to offer up suggestions - quite a lot to go through here... The gateways are running normally again this morning, telnet to 25 nice and quick and no mail on hold. They do have ptrs set up so it's not a reverse dns issue and I agree in that it does smell of slow dns but as they're on the same lan as my public name servers there shouldn't be an issue with lookups and the name servers were responding normally despite the problems with the gateways. I actually have them query the secondary name server in order to reduce load on the primary and also cache locally on each gateway - yep, I've been in dns hell before :) I'm tending to lean more towards the mysql db being responsible but I'm still looking in to it. I have a 4gb mailscanner table which is rather fat I feel, the db server is a quad oppy with 10gb of ram so it has plenty of horses to play with and isn't paging (yep been there before too...) the gateways also cache mysql lookups and I've reduced the amount of stuff it stores in past tweaking but same past experience tells me that slow db access has the same symptoms of that of dns trouble. Given the dns is and has been working fine I think it has to be something going on with db access. I'll check some more and post my findings. Simon From steve.freegard at fsl.com Tue Jan 27 10:02:12 2009 
From: steve.freegard at fsl.com (Steve Freegard) Date: Tue Jan 27 10:02:23 2009 Subject: WARNING: Ignoring deprecated option --unzip In-Reply-To: <70572c510901270051u2bf67a73yc2ade274507bf19b@mail.gmail.com> References: <497E0BAD.90707@ecs.soton.ac.uk> <70572c510901270051u2bf67a73yc2ade274507bf19b@mail.gmail.com> Message-ID: <497EDBA4.20202@fsl.com> Simon Jones wrote: > I'm tending to lean more towards the mysql db being responsible but > I'm still looking in to it. I have a 4gb mailscanner table which is > rather fat I feel, the db server is a quad oppy with 10gb of ram so it > has plenty of horses to play with and isn't paging (yep been there > before too...) the gateways also cache mysql lookups and I've reduced > the amount of stuff it stores in past tweaking but same past > experience tells me that slow db access has the same symptoms of that > of dns trouble. Given the dns is and has been working fine I think it > has to be something going on with db access. I don't see how a MailWatch database can affect the performance of your incoming Postfix; especially when the database is on a separate server. Also the size of the database has nothing to do with query speed provided indexed queries are used... You should follow my advice and restart with 'Log Speed = yes' before this reoccurs as it will allow you to see how long each batch is taking and work out what is causing the slowness. Also; when this does reoccur - the output of 'ps axf | grep -i mailscanner' would also help to pinpoint where things are getting stuck. Kind regards, Steve. From Nikolaos.Pavlidis at beds.ac.uk Tue Jan 27 11:44:57 2009 
From: Nikolaos.Pavlidis at beds.ac.uk (Nikolaos Pavlidis) Date: Tue Jan 27 11:45:11 2009 Subject: Quarantined email testing/troubleshooting In-Reply-To: <497EF3B90200002700028C5B@gwiadom.oes.beds.ac.uk> References: <4978A5FC0200004B0004747B@gwiadom.oes.beds.ac.uk> <497EF3B90200002700028C5B@gwiadom.oes.beds.ac.uk> Message-ID: <497EF3B90200002700028C5B@gwiadom.oes.beds.ac.uk> Hello, A million thanks once again Julian, I do apologise for the late reply though, things have been quite busy around here. Kind regards, Nik On Thu, 2009-01-22 at 16:50 +0000, Julian Field wrote: > You can't just use df and/or qf files as if they were RFC822 messages. > They're not. > However, they *nearly* are, when used as a pair. > Many years ago (2002 is the date stamp on the file) I wrote a script > which would take an entire quarantine directory (or a string of > directory names) full of qf* and df* files, and generate an mbox file > from them, which could then be simply fed to sa-learn with 1 command to > learn the whole lot at one go by using the "--mbox" command-line option > to sa-learn. > It's at > www.mailscanner.info/files/4/df2mbox > It's a fairly simple shell script, I'm sure you can hack it around if > you want to do something slightly different with it. > > Usage example: > Say you have a quarantine directory > /var/spool/MailScanner/quarantine/ and each of those > subdirectories contains a whole bunch of qf and df files in > the same directory. You can just do > cd /var/spool/MailScanner/quarantine > df2mbox * > and it will go and get on with it, and give you a pile of mbox files as > a result. > > I posted this to this mailing list back in 2002 as well, but I doubt > anyone looks back that far. Don't worry, I'll let you off this time :-) > > Hope that helps, > Jules. > > On 22/1/09 16:30, Nikolaos Pavlidis wrote: > > Hello all, > > > > We seem to be facing a weird issue and we would appreciate any > > assistance with it. 
> > To start with, we are using a solaris + sendmail + MailScanner-4.73.4-2 > > implementation. Bayes database has been trained with lots of spam and > > some ham that got quarantined since the service went live. > > > > We have set mailscanner to separate the mail messages into q and d queue > > files so we can put false positives back in the queue in a more quick > > and efficient manner. Spamassassin seemed to be putting automated > > Delivery Notifications to quarantine so we trained it back then (the > > single mail messages RFC822) to be ham. > > > > Now we have noticed that some Delivery notifications again get > > quarantined, only now we have the 2 part emails q and d files. > > > > When we do a test on them "spamassassin -t > > -p /etc/mail/MailScanner/spam.assassin.prefs.conf< d (or q)file" > > they both come less than 5.0 points(sometimes even -). > > > > Should the tests be performed in another way? Is the "cat qfile dfile | > > spamassassin -t -p /etc/mail/MailScanner/spam.assassin.prefs.conf" the > > appropriate way? > > When using sa-learn to teach SA which parameters should be used, should > > we feed the d file only? > > What else could be blocking/sending to quarantine these messages? > > > > I do apologise for the barrage of questions. Any help is much > > appreciated. Thank you in advance. > > > > Regards, > > > > Nik > > > > > > > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > PGP public key: http://www.jules.fm/julesfm.asc > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > -- 
Nikolaos Pavlidis BSc (Hons) MBCS NCLP System Administrator University Of Bedfordshire Park Square LU1 3JU Luton, Beds, UK Tel: +441582489277 From simonmjones at gmail.com Tue Jan 27 13:45:55 2009 
From: simonmjones at gmail.com (Simon Jones) Date: Tue Jan 27 13:46:03 2009 Subject: WARNING: Ignoring deprecated option --unzip In-Reply-To: <497EDBA4.20202@fsl.com> References: <497E0BAD.90707@ecs.soton.ac.uk> <70572c510901270051u2bf67a73yc2ade274507bf19b@mail.gmail.com> <497EDBA4.20202@fsl.com> Message-ID: <70572c510901270545r40ab4f90hba1808af1c23b896@mail.gmail.com> 2009/1/27 Steve Freegard : > Simon Jones wrote: >> I'm tending to lean more towards the mysql db being responsible but >> I'm still looking in to it. I have a 4gb mailscanner table which is >> rather fat I feel, the db server is a quad oppy with 10gb of ram so it >> has plenty of horses to play with and isn't paging (yep been there >> before too...) the gateways also cache mysql lookups and I've reduced >> the amount of stuff it stores in past tweaking but same past >> experience tells me that slow db access has the same symptoms of that >> of dns trouble. Given the dns is and has been working fine I think it >> has to be something going on with db access. > > I don't see how a MailWatch database can affect the performance of your > incoming Postfix; especially when the database is on a separate server. > > Also the size of the database has nothing to do with query speed > provided indexed queries are used... > > You should follow my advice and restart with 'Log Speed = yes' before > this reoccurs as it will allow you to see how long each batch is taking > and work out what is causing the slowness. Also; when this does > reoccur - the output of 'ps axf | grep -i mailscanner' would also help > to pinpoint where things are getting stuck. > Hi Steve, thank you. I seem to have resolved the hold queue problem and can see performance is very good on the mailscanner front but smtp is very slow to connect. It's fine if I restart MS, I get a connection right away on port 25 but it soon slows down and within a couple of mins it takes ages to connect. 20636 pts/0 S+ 0:00 \_ grep -i mailscanner 12582 ? 
Ss 0:00 MailScanner: master waiting for children, sleeping 12583 ? S 0:10 \_ MailScanner: waiting for messages 12592 ? S 0:10 \_ MailScanner: waiting for messages 12610 ? S 0:09 \_ MailScanner: waiting for messages 12636 ? S 0:11 \_ MailScanner: waiting for messages 12664 ? S 0:12 \_ MailScanner: waiting for messages 12681 ? S 0:24 \_ MailScanner: waiting for messages 12700 ? S 0:09 \_ MailScanner: waiting for messages 12729 ? S 0:09 \_ MailScanner: waiting for messages 12760 ? S 0:10 \_ MailScanner: waiting for messages 12778 ? S 0:14 \_ MailScanner: waiting for messages 12791 ? S 0:12 \_ MailScanner: waiting for messages 12827 ? S 0:07 \_ MailScanner: waiting for messages 12856 ? S 0:09 \_ MailScanner: waiting for messages 12884 ? S 0:10 \_ MailScanner: waiting for messages 12931 ? S 0:08 \_ MailScanner: waiting for messages 12980 ? S 0:09 \_ MailScanner: waiting for messages 13014 ? S 0:08 \_ MailScanner: waiting for messages 13069 ? S 0:07 \_ MailScanner: waiting for messages 13105 ? S 0:12 \_ MailScanner: waiting for messages it does smell of DNS but I can do nslookup / dig no probs on the system and I've tried changing the DNS resolvers to different name servers both on and off my network which has made no difference. I am using mailwatch and all works good with that, but I also store relay_domains relay_recipients and transport_maps in a mysql db and use _maps.mysql.conf to point postfix to the relevant table. I've tried turning on the test option in spam.assassin.prefs.conf, no change. Now I'm manually comparing all config files against an identical system that is working ok, so far no changes have been required... I'm still looking. I tried the Log Speed thing but it didn't seem to show any output in the maillog? Simon From J.Ede at birchenallhowden.co.uk Tue Jan 27 13:59:52 2009 
From: J.Ede at birchenallhowden.co.uk (Jason Ede) Date: Tue Jan 27 14:00:15 2009 Subject: WARNING: Ignoring deprecated option --unzip In-Reply-To: <70572c510901270545r40ab4f90hba1808af1c23b896@mail.gmail.com> References: <497E0BAD.90707@ecs.soton.ac.uk> <70572c510901270051u2bf67a73yc2ade274507bf19b@mail.gmail.com> <497EDBA4.20202@fsl.com> <70572c510901270545r40ab4f90hba1808af1c23b896@mail.gmail.com> Message-ID: <1213490F1F316842A544A850422BFA9614F17270@BHLSBS.bhl.local> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Simon Jones > Sent: 27 January 2009 13:46 > To: MailScanner discussion > Subject: Re: WARNING: Ignoring deprecated option --unzip > > 2009/1/27 Steve Freegard : > > Simon Jones wrote: > >> I'm tending to lean more towards the mysql db being responsible but > >> I'm still looking in to it. I have a 4gb mailscanner table which is > >> rather fat I feel, the db server is a quad oppy with 10gb of ram so > it > >> has plenty of horses to play with and isn't paging (yep been there > >> before too...) the gateways also cache mysql lookups and I've > reduced > >> the amount of stuff it stores in past tweaking but same past > >> experience tells me that slow db access has the same symptoms of > that > >> of dns trouble. Given the dns is and has been working fine I think > it > >> has to be something going on with db access. > > > > I don't see how a MailWatch database can affect the performance of > your > > incoming Postfix; especially when the database is on a separate > server. > > > > Also the size of the database has nothing to do with query speed > > provided indexed queries are used... > > > > You should follow my advice and restart with 'Log Speed = yes' before > > this reoccurs as it will allow you to see how long each batch is > taking > > and work out what is causing the slowness. Also; when this does > > reoccur - the output of 'ps axf | grep -i mailscanner' would also > help > > to pinpoint where things are getting stuck. > > > > Hi Steve, thank you. > > I seem to have resolved the hold queue problem and can see performance > is very good on the mailscanner front but smtp is very slow to > connect. It's fine if I restart MS, I get a connection right away on > port 25 but it soon slows down and within a couple of mins it takes > ages to connect. > > 20636 pts/0 S+ 0:00 \_ grep -i mailscanner > 12582 ? 
Ss 0:00 MailScanner: master waiting for children, > sleeping > 12583 ? S 0:10 \_ MailScanner: waiting for messages > 12592 ? S 0:10 \_ MailScanner: waiting for messages > 12610 ? S 0:09 \_ MailScanner: waiting for messages > 12636 ? S 0:11 \_ MailScanner: waiting for messages > 12664 ? S 0:12 \_ MailScanner: waiting for messages > 12681 ? S 0:24 \_ MailScanner: waiting for messages > 12700 ? S 0:09 \_ MailScanner: waiting for messages > 12729 ? S 0:09 \_ MailScanner: waiting for messages > 12760 ? S 0:10 \_ MailScanner: waiting for messages > 12778 ? S 0:14 \_ MailScanner: waiting for messages > 12791 ? S 0:12 \_ MailScanner: waiting for messages > 12827 ? S 0:07 \_ MailScanner: waiting for messages > 12856 ? S 0:09 \_ MailScanner: waiting for messages > 12884 ? S 0:10 \_ MailScanner: waiting for messages > 12931 ? S 0:08 \_ MailScanner: waiting for messages > 12980 ? S 0:09 \_ MailScanner: waiting for messages > 13014 ? S 0:08 \_ MailScanner: waiting for messages > 13069 ? S 0:07 \_ MailScanner: waiting for messages > 13105 ? S 0:12 \_ MailScanner: waiting for messages > > it does smell of DNS but I can do nslookup / dig no probs on the > system and I've tried changing the DNS resolvers to different name > servers both on and off my network which has made no difference. I am > using mailwatch and all works good with that, but I also store > relay_domains relay_recipients and transport_maps in a mysql db and > use _maps.mysql.conf to point postfix to the relevant table. I've > tried turning on the test option in spam.assassin.prefs.conf, no > change. Now I'm manually comparing all config files against an > identical system that is working ok, so far no changes have been > required... I'm still looking. I tried the Log Speed thing but it > didn't seem to show any output in the maillog? > > Simon You haven't got anything limiting the connection rate to postfix in firewall or the like? Is postfix configured to wait before rejecting or reject immediately? 
If you restart just postfix then does the speed improve for a bit? Jason From steve.freegard at fsl.com Tue Jan 27 14:07:24 2009 
From: steve.freegard at fsl.com (Steve Freegard) Date: Tue Jan 27 14:07:34 2009 Subject: WARNING: Ignoring deprecated option --unzip In-Reply-To: <70572c510901270545r40ab4f90hba1808af1c23b896@mail.gmail.com> References: <497E0BAD.90707@ecs.soton.ac.uk> <70572c510901270051u2bf67a73yc2ade274507bf19b@mail.gmail.com> <497EDBA4.20202@fsl.com> <70572c510901270545r40ab4f90hba1808af1c23b896@mail.gmail.com> Message-ID: <497F151C.7080401@fsl.com> Simon Jones wrote: > Hi Steve, thank you. > > I seem to have resolved the hold queue problem and can see performance > is very good on the mailscanner front but smtp is very slow to > connect. It's fine if I restart MS, I get a connection right away on > port 25 but it soon slows down and within a couple of mins it takes > ages to connect. > > 20636 pts/0 S+ 0:00 \_ grep -i mailscanner > 12582 ? Ss 0:00 MailScanner: master waiting for children, sleeping > 12583 ? S 0:10 \_ MailScanner: waiting for messages LOL - based on that output; MailScanner is completely quiet - it's not doing anything except waiting for messages.... The reason why it slows down within a couple of minutes has nothing to do with MailScanner; it's due to the number of concurrent connections in Postfix building up. Based on this you can completely ignore MailScanner as the source of your woes; the problem is in Postfix or the database. > it does smell of DNS but I can do nslookup / dig no probs on the > system and I've tried changing the DNS resolvers to different name > servers both on and off my network which has made no difference. Hmmmm - I would have a good look at your Postfix configuration and look for any typos in RBL lists etc. as an unlucky typo there could cause all sorts of timeouts. > I also store relay_domains relay_recipients and transport_maps in a mysql db and > use _maps.mysql.conf to point postfix to the relevant table. 
I don't know much about Postfix interfaces to MySQL; I would check all the SQL and make sure there are no 'LIKE' directives within the statements and that any WHERE fields are indexed together correctly for maximum query speed. I would also look at using the 'proxymap' service to prevent bazillions of concurrent MySQL connections from each of the Postfix child processes... > I tried the Log Speed thing but it didn't seem to show any output in the maillog? Maybe you haven't got any mail through since you switched it on; a simpler grep would be: grep Batch /path/to/mail/log | grep processed It still wouldn't hurt to leave this on and see how fast your batches are completing; (total time / batch size) = average time per message; this should be between 1 and 8 seconds - any higher and you have a problem somewhere - but I really don't think MailScanner is the source of your issues; it's definitely a Postfix problem. Regards, Steve. From Marc.Delisle at cegepsherbrooke.qc.ca Tue Jan 27 14:23:13 2009 
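The batch-timing check from Steve Freegard's message above (total time / batch size, expected to fall between 1 and 8 seconds per message), as an added example that is not part of the original thread. The log line layout is an assumption about what `Log Speed = yes` writes, the sample lines are constructed, and `batch_report` and `batch_summary` are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed line layout:
#   ... MailScanner[PID]: Batch (N messages) processed in S seconds
# Adjust the field offsets below if your syslog lines differ.

# Constructed sample log; the postfix line is there to show that
# non-batch lines are skipped.
sample_log() {
cat <<'EOF'
Jan 27 14:01:02 gw1 MailScanner[12583]: Batch (5 messages) processed in 12.50 seconds
Jan 27 14:01:40 gw1 MailScanner[12592]: Batch (1 message) processed in 3.10 seconds
Jan 27 14:02:15 gw1 MailScanner[12610]: Batch (10 messages) processed in 95.00 seconds
Jan 27 14:02:16 gw1 postfix/smtpd[20111]: connect from unknown[192.0.2.10]
Jan 27 14:03:05 gw1 MailScanner[12583]: Batch (4 messages) processed in 2.00 seconds
EOF
}

# batch_report [LIMIT]: read a mail log on stdin and print one line per batch:
#   <pid> <messages> <seconds> <seconds-per-message> <OK|SLOW>
# SLOW means the per-message average is above LIMIT seconds (default 8,
# the upper bound quoted in the thread).
batch_report() {
    awk -v limit="${1:-8}" '
    {
        # Locate the word "Batch"; everything else is relative to it.
        for (i = 2; i <= NF; i++) if ($i == "Batch") break
        if (i + 5 > NF || $(i + 3) != "processed") next

        n = $(i + 1); sub(/^\(/, "", n); n += 0    # "(5" -> 5
        secs = $(i + 5) + 0
        if (n <= 0) next                            # avoid division by zero

        pid = $(i - 1); gsub(/[^0-9]/, "", pid)     # "MailScanner[12583]:" -> 12583
        per = secs / n
        printf "%s %d %.2f %.2f %s\n", pid, n, secs, per, (per > limit + 0 ? "SLOW" : "OK")
    }'
}

# batch_summary [LIMIT]: overall figures for the same input. The overall
# average can sit inside the expected range while individual batches do
# not, so the count of slow batches is reported next to it.
batch_summary() {
    batch_report "${1:-8}" | awk '
        { batches++; msgs += $2; secs += $3; if ($5 == "SLOW") slow++ }
        END {
            if (!msgs) { print "batches=0 messages=0 avg=0.00 slow=0"; exit }
            printf "batches=%d messages=%d avg=%.2f slow=%d\n", batches, msgs, secs / msgs, slow
        }'
}

# Offline demonstration on the constructed sample.
sample_log | batch_report
sample_log | batch_summary
```

Against a live system, feed the functions the real log instead of the sample, for example `batch_report < /path/to/mail/log`.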
From: Marc.Delisle at cegepsherbrooke.qc.ca (Marc Delisle) Date: Tue Jan 27 14:23:25 2009 Subject: rule having an effect on all recipients In-Reply-To: References: <497E22CA.8040304@cegepsherbrooke.qc.ca> Message-ID: <497F18D1.9000303@cegepsherbrooke.qc.ca> Scott Silva wrote: > on 1-26-2009 12:53 PM Marc Delisle spake the following: >> Hi, >> I am running 4.70.7-1 and will shortly upgrade to 4.74. My question is >> about a rule affecting more than the intended user. Look at this: >> >> High Scoring Spam Actions = %rules-dir%/highspam.actions.rules >> >> which contains (obfuscated): >> >> To: user1@cegepsherbrooke.qc.ca deliver header "X-Spam-Status: Yes" >> To: user2@cegepsherbrooke.qc.ca deliver header "X-Spam-Status: Yes" >> FromOrTo: default delete >> >> So, user1 and user2 want to receive all high scoring spam. But, high >> spam messages with user1 or user2 in the list of recipients are >> delivered to all recipients. Is this a known problem, or is my syntax >> invalid? >> >> Thanks, >> Marc Delisle > You have to split incoming messages for rules like that to work. > There are howto's for postfix and sendmail in the wiki. Thanks. I read http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:how_to:split_mails_per_recipient but this howto is scary ("murderous overhead" and increased complexity for quarantine releasing). Marc Delisle From simonmjones at gmail.com Tue Jan 27 14:30:09 2009 
From: simonmjones at gmail.com (Simon Jones) Date: Tue Jan 27 14:30:18 2009 Subject: WARNING: Ignoring deprecated option --unzip In-Reply-To: <497F151C.7080401@fsl.com> References: <497E0BAD.90707@ecs.soton.ac.uk> <70572c510901270051u2bf67a73yc2ade274507bf19b@mail.gmail.com> <497EDBA4.20202@fsl.com> <70572c510901270545r40ab4f90hba1808af1c23b896@mail.gmail.com> <497F151C.7080401@fsl.com> Message-ID: <70572c510901270630k46b4b7ccxabdf96bed1aa158e@mail.gmail.com> 2009/1/27 Steve Freegard : > Simon Jones wrote: >> Hi Steve, thank you. >> >> I seem to have resolved the hold queue problem and can see performance >> is very good on the mailscanner front but smtp is very slow to >> connect. It's fine if I restart MS, I get a connection right away on >> port 25 but it soon slows down and within a couple of mins it takes >> ages to connect. >> >> 20636 pts/0 S+ 0:00 \_ grep -i mailscanner >> 12582 ? Ss 0:00 MailScanner: master waiting for children, sleeping >> 12583 ? S 0:10 \_ MailScanner: waiting for messages > > > LOL - based on that output; MailScanner is completely quiet - it's not > doing anything except waiting for messages.... > > The reason why it slows down within a couple of minutes has nothing to > do with MailScanner; it's due to the number of concurrent connections in > Postfix building up. > > Based on this you can completely ignore MailScanner as the source of > your woes; the problem is in Postfix or the database. > >> it does smell of DNS but I can do nslookup / dig no probs on the >> system and I've tried changing the DNS resolvers to different name >> servers both on and off my network which has made no difference. > > Hmmmm - I would have a good look at your Postfix configuration and look > for any typos in RBL lists etc. as an unlucky typo there could cause all > sorts of timeouts. > >> I also store relay_domains relay_recipients and transport_maps in a mysql db and >> use _maps.mysql.conf to point postfix to the relevant table. 
>
> I don't know much about Postfix interfaces to MySQL; I would check all
> the SQL and make sure there are no 'LIKE' directives within the
> statements and that any WHERE fields are indexed together correctly for
> maximum query speed. I would also look at using the 'proxymap' service
> to prevent bazillions of concurrent MySQL connections from each of the
> Postfix child processes...
>
>> I tried the Log Speed thing but it didn't seem to show any output in the maillog?
>
> Maybe you haven't got any mail through since you switched it on; a
> simpler grep would be:
>
> grep Batch /path/to/mail/log | grep processed
>
> This still wouldn't hurt leave this on and see how fast your batches are
> completing; (total time / batch size) = average time per message; this
> should be between 1 and 8 seconds - any higher and you have a problem
> somewhere - but I really don't think MailScanner is the source of your
> issues; it's definitely a Postfix problem.
>
> Regards,
> Steve.
> --

I restarted postfix on its own as Jason suggested and this does indeed
allow connections to become available for a short time and then slow
up to as previously described. This is definitely something to do
with postfix and not MS, I've just copied over my main.cf from a
working system and restarted, same results. I don't have any firewall
config active which would limit connections, the server can resolve its
host name both locally and using dns, ptr works and resolves, postfix
checks out ok with no errors, permissions in /var/spool/ look OK and
match with a working system. getting stuck now, guess it could be a
denial of service but nothing obviously points to this at the moment.

From simonmjones at gmail.com Tue Jan 27 14:39:12 2009
From: simonmjones at gmail.com (Simon Jones) Date: Tue Jan 27 14:39:22 2009 Subject: WARNING: Ignoring deprecated option --unzip In-Reply-To: <70572c510901270630k46b4b7ccxabdf96bed1aa158e@mail.gmail.com> References: <497E0BAD.90707@ecs.soton.ac.uk> <70572c510901270051u2bf67a73yc2ade274507bf19b@mail.gmail.com> <497EDBA4.20202@fsl.com> <70572c510901270545r40ab4f90hba1808af1c23b896@mail.gmail.com> <497F151C.7080401@fsl.com> <70572c510901270630k46b4b7ccxabdf96bed1aa158e@mail.gmail.com> Message-ID: <70572c510901270639y4a1392c2u7f7430ccab54d854@mail.gmail.com> 2009/1/27 Simon Jones : > 2009/1/27 Steve Freegard : >> Simon Jones wrote: >>> Hi Steve, thank you. >>> >>> I seem to have resolved the hold queue problem and can see performance >>> is very good on the mailscanner front but smtp is very slow to >>> connect. It's fine if I restart MS, I get a connection right away on >>> port 25 but it soon slows down and within a couple of mins it takes >>> ages to connect. >>> >>> 20636 pts/0 S+ 0:00 \_ grep -i mailscanner >>> 12582 ? Ss 0:00 MailScanner: master waiting for children, sleeping >>> 12583 ? S 0:10 \_ MailScanner: waiting for messages >> >> >> LOL - based on that output; MailScanner is completely quiet - it's not >> doing anything except waiting for messages.... >> >> The reason why it slows down within a couple of minutes has nothing to >> do with MailScanner; it's due to the number of concurrent connections in >> Postfix building up. >> >> Based on this you can completely ignore MailScanner as the source of >> your woes; the problem is in Postfix or the database. >> >>> it does smell of DNS but I can do nslookup / dig no probs on the >>> system and I've tried changing the DNS resolvers to different name >>> servers both on and off my network which has made no difference. >> >> Hmmmm - I would have a good look at your Postfix configuration and look >> for any typos in RBL lists etc. as an unlucky typo there could cause all >> sorts of timeouts. 
>> >>> I also store relay_domains relay_recipients and transport_maps in a mysql db and >>> use _maps.mysql.conf to point postfix to the relevant table. >> >> I don't know much about Postfix interfaces to MySQL; I would check all >> the SQL and make sure there are no 'LIKE' directives within the >> statements and that any WHERE fields are indexed together correctly for >> maximum query speed. I would also look at using the 'proxymap' service >> to prevent bazillions of concurrent MySQL connections from each of the >> Postfix child processes... >> >>> I tried the Log Speed thing but it didn't seem to show any output in the maillog? >> >> Maybe you haven't got any mail through since you switched it on; a >> simpler grep would be: >> >> grep Batch /path/to/mail/log | grep processed >> >> This still wouldn't hurt leave this on and see how fast your batches are >> completing; (total time / batch size) = average time per message; this >> should be between 1 and 8 seconds - any higher and you have a problem >> somewhere - but I really don't think MailScanner is the source of your >> issues; it's definitely a Postfix problem. >> >> Regards, >> Steve. >> -- > I restarted postfix on its own as Jason suggested and this does indeed > allow connections to become available for a short time and then slow > up to as previously described. This is definately something to do > with postfix and not MS, I've just copied over my main.cf from a > working system and restarted, same results. I don't have any firewall > config active which would imit connections, the server can resolve its > host name both locally and using dns, ptr works and resolves, postfix > checks out ok with no errors, permissions in /var/spool/ look OK and > match with a working system. getting stuck now, guess it could be a > denial of service but nothing obviously points to this at the moment. 
>

upped the max processes in /etc/postfix/master.cf and the server is
now responding normally so it would seem that the default of 100 is
being maxed out, guess I need to do some tcpdump commands to see who's
hammering the system...

From ms-list at alexb.ch Tue Jan 27 14:57:17 2009
From: ms-list at alexb.ch (Alex Broens) Date: Tue Jan 27 14:57:27 2009 Subject: WARNING: Ignoring deprecated option --unzip In-Reply-To: <70572c510901270639y4a1392c2u7f7430ccab54d854@mail.gmail.com> References: <497E0BAD.90707@ecs.soton.ac.uk> <70572c510901270051u2bf67a73yc2ade274507bf19b@mail.gmail.com> <497EDBA4.20202@fsl.com> <70572c510901270545r40ab4f90hba1808af1c23b896@mail.gmail.com> <497F151C.7080401@fsl.com> <70572c510901270630k46b4b7ccxabdf96bed1aa158e@mail.gmail.com> <70572c510901270639y4a1392c2u7f7430ccab54d854@mail.gmail.com> Message-ID: <497F20CD.1080902@alexb.ch> On 1/27/2009 3:39 PM, Simon Jones wrote: > 2009/1/27 Simon Jones : >> 2009/1/27 Steve Freegard : >>> Simon Jones wrote: >>>> Hi Steve, thank you. >>>> >>>> I seem to have resolved the hold queue problem and can see performance >>>> is very good on the mailscanner front but smtp is very slow to >>>> connect. It's fine if I restart MS, I get a connection right away on >>>> port 25 but it soon slows down and within a couple of mins it takes >>>> ages to connect. >>>> >>>> 20636 pts/0 S+ 0:00 \_ grep -i mailscanner >>>> 12582 ? Ss 0:00 MailScanner: master waiting for children, sleeping >>>> 12583 ? S 0:10 \_ MailScanner: waiting for messages >>> >>> >>> LOL - based on that output; MailScanner is completely quiet - it's not >>> doing anything except waiting for messages.... >>> >>> The reason why it slows down within a couple of minutes has nothing to >>> do with MailScanner; it's due to the number of concurrent connections in >>> Postfix building up. >>> >>> Based on this you can completely ignore MailScanner as the source of >>> your woes; the problem is in Postfix or the database. >>> >>>> it does smell of DNS but I can do nslookup / dig no probs on the >>>> system and I've tried changing the DNS resolvers to different name >>>> servers both on and off my network which has made no difference. 
>>> Hmmmm - I would have a good look at your Postfix configuration and look >>> for any typos in RBL lists etc. as an unlucky typo there could cause all >>> sorts of timeouts. >>> >>>> I also store relay_domains relay_recipients and transport_maps in a mysql db and >>>> use _maps.mysql.conf to point postfix to the relevant table. >>> I don't know much about Postfix interfaces to MySQL; I would check all >>> the SQL and make sure there are no 'LIKE' directives within the >>> statements and that any WHERE fields are indexed together correctly for >>> maximum query speed. I would also look at using the 'proxymap' service >>> to prevent bazillions of concurrent MySQL connections from each of the >>> Postfix child processes... >>> >>>> I tried the Log Speed thing but it didn't seem to show any output in the maillog? >>> Maybe you haven't got any mail through since you switched it on; a >>> simpler grep would be: >>> >>> grep Batch /path/to/mail/log | grep processed >>> >>> This still wouldn't hurt leave this on and see how fast your batches are >>> completing; (total time / batch size) = average time per message; this >>> should be between 1 and 8 seconds - any higher and you have a problem >>> somewhere - but I really don't think MailScanner is the source of your >>> issues; it's definitely a Postfix problem. >>> >>> Regards, >>> Steve. >>> -- >> I restarted postfix on its own as Jason suggested and this does indeed >> allow connections to become available for a short time and then slow >> up to as previously described. This is definately something to do >> with postfix and not MS, I've just copied over my main.cf from a >> working system and restarted, same results. I don't have any firewall >> config active which would imit connections, the server can resolve its >> host name both locally and using dns, ptr works and resolves, postfix >> checks out ok with no errors, permissions in /var/spool/ look OK and >> match with a working system. 
getting stuck now, guess it could be a
>> denial of service but nothing obviously points to this at the moment.
>>
>
> upped the max processes in /etc/postfix/master.cf and the server is
> now responding normally so it would seem that the default of 100 is
> being maxed out, guess I need to do some tcpdump commands to see who's
> hammering the system...

Could be misbehaved bots are eating up all your available sessions.

if you have a zillion of inactive open connections try reducing your
smtpd_timeout

start off with and tune according to timeout requirements

smtpd_timeout = 90s
(read the postfix docs and understand what this setting can do for you, good
& bad)

Also
maps_rbl_reject_code = 421

will trigger an immediate session closing after a RBL reject so misbehaved
bots won't eat up all your sessions

h2h

Alex

From glenn.steen at gmail.com Tue Jan 27 14:58:30 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Jan 27 14:58:40 2009
Subject: rule having an effect on all recipients
In-Reply-To: <497F18D1.9000303@cegepsherbrooke.qc.ca>
References: <497E22CA.8040304@cegepsherbrooke.qc.ca> <497F18D1.9000303@cegepsherbrooke.qc.ca>
Message-ID: <223f97700901270658w6219cc4eh23f7004da48b907a@mail.gmail.com>

2009/1/27 Marc Delisle :
> Scott Silva wrote:
>>
>> on 1-26-2009 12:53 PM Marc Delisle spake the following:
>>>
>>> Hi,
>>> I am running 4.70.7-1 and will shortly upgrade to 4.74. My question is
>>> about a rule affecting more than the intended user. Look at this:
>>>
>>> High Scoring Spam Actions = %rules-dir%/highspam.actions.rules
>>>
>>> which contains (obfuscated):
>>>
>>> To: user1@cegepsherbrooke.qc.ca deliver header "X-Spam-Status: Yes"
>>> To: user2@cegepsherbrooke.qc.ca deliver header "X-Spam-Status: Yes"
>>> FromOrTo: default delete
>>>
>>> So, user1 and user2 want to receive all high scoring spam. But, high
>>> spam messages with user1 or user2 in the list of recipients are
>>> delivered to all recipients. Is this a known problem, or is my syntax
>>> invalid?
>>>
>>> Thanks,
>>> Marc Delisle
>>
>> You have to split incoming messages for rules like that to work.
>> There are howto's for postfix and sendmail in the wiki.
>
> Thanks. I read
> http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:how_to:split_mails_per_recipient
> but this howto is scary ("murderous overhead" and increased complexity for
> quarantine releasing).
>
> Marc Delisle

Well, I wanted it to reflect some form of the true state of things,
not a rosy "all will be well if you do...." thing:-).
One could possibly make things simpler (perhaps make it work with a
single instance of postfix), and definitely structure the document a
bit better, but ... I've lacked the time:(. And the added complexity
would still be there, since the basic concept would need be the same
(that the "instance" listening on port 25 would need "deliver" to the
second smtpd (on port 10026) to facilitate the per-recipient split),
and the added load would be the same.

Now, if your system isn't a high volume system... it is both rather
more easy to set up and maintain than it looks. If you use MailWatch,
you could probably do some intelligent SQL to see how many more
messages MailScanner would see (or do some log analysis:-)... And
remember that if you use the SpamAssassin result cache, that will
likely lighten the load a fair bit.

Anyway, if you really need it... it really works;-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Tue Jan 27 15:17:18 2009
From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Jan 27 15:17:28 2009 Subject: rule having an effect on all recipients In-Reply-To: <223f97700901270658w6219cc4eh23f7004da48b907a@mail.gmail.com> References: <497E22CA.8040304@cegepsherbrooke.qc.ca> <497F18D1.9000303@cegepsherbrooke.qc.ca> <223f97700901270658w6219cc4eh23f7004da48b907a@mail.gmail.com> Message-ID: <223f97700901270717n195b5739i587aeb75ee35f88f@mail.gmail.com> 2009/1/27 Glenn Steen : > 2009/1/27 Marc Delisle : >> Scott Silva a ?crit : >>> >>> on 1-26-2009 12:53 PM Marc Delisle spake the following: >>>> >>>> Hi, >>>> I am running 4.70.7-1 and will shortly upgrade to 4.74. My question is >>>> about a rule affecting more than the intended user. Look at this: >>>> >>>> High Scoring Spam Actions = %rules-dir%/highspam.actions.rules >>>> >>>> which contains (obfuscated): >>>> >>>> To: user1@cegepsherbrooke.qc.ca deliver header "X-Spam-Status: Yes" >>>> To: user2@cegepsherbrooke.qc.ca deliver header "X-Spam-Status: Yes" >>>> FromOrTo: default delete >>>> >>>> So, user1 and user2 want to receive all high scoring spam. But, high >>>> spam messages with user1 or user2 in the list of recipients are >>>> delivered to all recipients. Is this a known problem, or is my syntax >>>> invalid? >>>> >>>> Thanks, >>>> Marc Delisle >>> >>> You have to split incoming messages for rules like that to work. >>> There are howto's for postfix and sendmail in the wiki. >> >> Thanks. I read >> http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:how_to:split_mails_per_recipient >> but this howto is scary ("murderous overhead" and increased complexity for >> quarantine releasing). >> >> Marc Delisle > Well, I wanted it to reflect some form of the true state of things, > not a rosy "all will be well if you do...." thing:-). > One could possibly make things simpler (perhaps make it work with a > single instance of postfix), and definitely structure the document a > bit better, but ... 
I've lacked the time:(. And the added complexity
> would still be there, since the basic concept would need be the same
> (that the "instance" listening on port 25 would need "deliver" to the
> second smtpd (on port 10026) to facilitate the per-recipient split),
> and the added load would be the same.
>
> Now, if your system isn't a high volume system... it is both rather
> more easy to set up and maintain than it looks. If you use MailWatch,
> you could probably do some intelligent SQL to see how many more
> messages MailScanner would see (or do some log analysis:-)... And
> remember that if you use the SpamAssassin result cache, that will

I just checked on my hosts, and for me ... the increase wouldn't be
that bad... 16% more messages. Still, I don't employ any per-recipient
rulesets, so I don't need this... Ergo, I don't use it:-).

> likely lighten the load a fair bit.
>
> Anyway, if you really need it... it really works;-).
>

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From simonmjones at gmail.com Tue Jan 27 15:20:40 2009
From: simonmjones at gmail.com (Simon Jones) Date: Tue Jan 27 15:20:49 2009 Subject: WARNING: Ignoring deprecated option --unzip In-Reply-To: <497F20CD.1080902@alexb.ch> References: <497E0BAD.90707@ecs.soton.ac.uk> <70572c510901270051u2bf67a73yc2ade274507bf19b@mail.gmail.com> <497EDBA4.20202@fsl.com> <70572c510901270545r40ab4f90hba1808af1c23b896@mail.gmail.com> <497F151C.7080401@fsl.com> <70572c510901270630k46b4b7ccxabdf96bed1aa158e@mail.gmail.com> <70572c510901270639y4a1392c2u7f7430ccab54d854@mail.gmail.com> <497F20CD.1080902@alexb.ch> Message-ID: <70572c510901270720p34c47836q62ca026c120eebbe@mail.gmail.com> 2009/1/27 Alex Broens : > On 1/27/2009 3:39 PM, Simon Jones wrote: >> >> 2009/1/27 Simon Jones : >>> >>> 2009/1/27 Steve Freegard : >>>> >>>> Simon Jones wrote: >>>>> >>>>> Hi Steve, thank you. >>>>> >>>>> I seem to have resolved the hold queue problem and can see performance >>>>> is very good on the mailscanner front but smtp is very slow to >>>>> connect. It's fine if I restart MS, I get a connection right away on >>>>> port 25 but it soon slows down and within a couple of mins it takes >>>>> ages to connect. >>>>> >>>>> 20636 pts/0 S+ 0:00 \_ grep -i mailscanner >>>>> 12582 ? Ss 0:00 MailScanner: master waiting for children, >>>>> sleeping >>>>> 12583 ? S 0:10 \_ MailScanner: waiting for messages >>>> >>>> >>>> >>>> LOL - based on that output; MailScanner is completely quiet - it's not >>>> doing anything except waiting for messages.... >>>> >>>> The reason why it slows down within a couple of minutes has nothing to >>>> do with MailScanner; it's due to the number of concurrent connections in >>>> Postfix building up. >>>> >>>> Based on this you can completely ignore MailScanner as the source of >>>> your woes; the problem is in Postfix or the database. 
>>>> >>>>> it does smell of DNS but I can do nslookup / dig no probs on the >>>>> system and I've tried changing the DNS resolvers to different name >>>>> servers both on and off my network which has made no difference. >>>> >>>> Hmmmm - I would have a good look at your Postfix configuration and look >>>> for any typos in RBL lists etc. as an unlucky typo there could cause all >>>> sorts of timeouts. >>>> >>>>> I also store relay_domains relay_recipients and transport_maps in a >>>>> mysql db and >>>>> use _maps.mysql.conf to point postfix to the relevant table. >>>> >>>> I don't know much about Postfix interfaces to MySQL; I would check all >>>> the SQL and make sure there are no 'LIKE' directives within the >>>> statements and that any WHERE fields are indexed together correctly for >>>> maximum query speed. I would also look at using the 'proxymap' service >>>> to prevent bazillions of concurrent MySQL connections from each of the >>>> Postfix child processes... >>>> >>>>> I tried the Log Speed thing but it didn't seem to show any output in >>>>> the maillog? >>>> >>>> Maybe you haven't got any mail through since you switched it on; a >>>> simpler grep would be: >>>> >>>> grep Batch /path/to/mail/log | grep processed >>>> >>>> This still wouldn't hurt leave this on and see how fast your batches are >>>> completing; (total time / batch size) = average time per message; this >>>> should be between 1 and 8 seconds - any higher and you have a problem >>>> somewhere - but I really don't think MailScanner is the source of your >>>> issues; it's definitely a Postfix problem. >>>> >>>> Regards, >>>> Steve. >>>> -- >>> >>> I restarted postfix on its own as Jason suggested and this does indeed >>> allow connections to become available for a short time and then slow >>> up to as previously described. This is definately something to do >>> with postfix and not MS, I've just copied over my main.cf from a >>> working system and restarted, same results. 
I don't have any firewall
>>> config active which would limit connections, the server can resolve its
>>> host name both locally and using dns, ptr works and resolves, postfix
>>> checks out ok with no errors, permissions in /var/spool/ look OK and
>>> match with a working system. getting stuck now, guess it could be a
>>> denial of service but nothing obviously points to this at the moment.
>>>
>>
>> upped the max processes in /etc/postfix/master.cf and the server is
>> now responding normally so it would seem that the default of 100 is
>> being maxed out, guess I need to do some tcpdump commands to see who's
>> hammering the system...
>
> Could be misbehaved bots are eating up all your available sessions.
>
> if you have a zillion of inactive open connections try reducing your
> smtpd_timeout
>
> start off with and tune according to timeout requirements
>
> smtpd_timeout = 90s
> (read the postfix docs and understand what this setting can do for you, good
> & bad)
>
> Also
> maps_rbl_reject_code = 421
>
> will trigger an immediate session closing after a RBL reject so misbehaved
> bots won't eat up all your sessions
>
> h2h
>
> Alex
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

Thanks Alex, have enabled that - am now trying to get some sensible results from

tcpdump -i eth1 -qn port 25

From steve.freegard at fsl.com Tue Jan 27 15:46:52 2009
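An added example, not part of any message in this thread: the question of which clients are holding the smtpd process slots can also be answered from the mail log instead of tcpdump. The sketch below assumes the usual Postfix smtpd log wording ("connect from", "disconnect from", "timeout after", "lost connection after", "QUEUEID: client="); the sample lines, addresses and queue ID are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Postfix syslog format (not taken from the thread).
SAMPLE_LOG = """\
Jan 27 14:30:01 mx postfix/smtpd[2101]: connect from unknown[192.0.2.10]
Jan 27 14:30:02 mx postfix/smtpd[2102]: connect from unknown[192.0.2.10]
Jan 27 14:30:03 mx postfix/smtpd[2103]: connect from mail.example.org[198.51.100.7]
Jan 27 14:30:04 mx postfix/smtpd[2103]: 4F2A91C0D3: client=mail.example.org[198.51.100.7]
Jan 27 14:30:05 mx postfix/smtpd[2103]: disconnect from mail.example.org[198.51.100.7]
Jan 27 14:30:06 mx postfix/smtpd[2104]: connect from unknown[192.0.2.10]
Jan 27 14:35:01 mx postfix/smtpd[2101]: timeout after CONNECT from unknown[192.0.2.10]
Jan 27 14:35:01 mx postfix/smtpd[2101]: disconnect from unknown[192.0.2.10]
Jan 27 14:35:02 mx postfix/smtpd[2102]: timeout after CONNECT from unknown[192.0.2.10]
Jan 27 14:35:02 mx postfix/smtpd[2102]: disconnect from unknown[192.0.2.10]
Jan 27 14:35:06 mx postfix/smtpd[2104]: lost connection after CONNECT from unknown[192.0.2.10]
Jan 27 14:35:06 mx postfix/smtpd[2104]: disconnect from unknown[192.0.2.10]
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ "
                  r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PEER = re.compile(r"from \S*\[(?P<ip>[0-9A-Fa-f.:]+)\]")
QUEUED = re.compile(r"^[0-9A-Za-z]+: client=")   # a message was accepted into the queue


def analyse(log_text, year=2009):
    """Return (peak concurrent smtpd sessions, per-client statistics)."""
    open_by_pid = {}            # one smtpd process serves one client at a time
    live = defaultdict(int)     # client IP -> sessions open right now
    stats = defaultdict(lambda: {"sessions": 0, "peak": 0, "held_s": 0.0,
                                 "aborted": 0, "no_mail": 0})
    peak_total = 0

    def close(pid, now):
        session = open_by_pid.pop(pid, None)
        if session is None:
            return
        st = stats[session["ip"]]
        st["held_s"] += (now - session["start"]).total_seconds()
        st["aborted"] += session["aborted"]       # ended by timeout or dropped link
        st["no_mail"] += not session["mail"]      # slot used, nothing queued
        live[session["ip"]] -= 1

    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        # syslog timestamps carry no year, so the caller supplies one
        now = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        pid, msg = m["pid"], m["msg"]
        if msg.startswith("connect from "):
            peer = PEER.search(msg)
            if not peer:
                continue
            close(pid, now)                       # a disconnect line was missed
            ip = peer["ip"]
            open_by_pid[pid] = {"ip": ip, "start": now,
                                "mail": False, "aborted": False}
            live[ip] += 1
            stats[ip]["sessions"] += 1
            stats[ip]["peak"] = max(stats[ip]["peak"], live[ip])
            peak_total = max(peak_total, len(open_by_pid))
        elif msg.startswith("disconnect from "):
            close(pid, now)
        elif msg.startswith(("timeout after ", "lost connection after ")):
            if pid in open_by_pid:
                open_by_pid[pid]["aborted"] = True
        elif QUEUED.match(msg) and pid in open_by_pid:
            open_by_pid[pid]["mail"] = True
    # sessions still open at the end of the log are not added to held_s
    return peak_total, dict(stats)


def rank(stats):
    """Clients ordered by total smtpd slot-seconds held, worst first."""
    return sorted(stats.items(), key=lambda kv: kv[1]["held_s"], reverse=True)


if __name__ == "__main__":
    peak, per_client = analyse(SAMPLE_LOG)
    print(f"peak concurrent smtpd sessions: {peak}")
    for ip, st in rank(per_client):
        print(f"{ip:15} sessions={st['sessions']} peak={st['peak']} "
              f"held={st['held_s']:.0f}s aborted={st['aborted']} "
              f"no_mail={st['no_mail']}")
```

Compare the reported peak with the smtpd process limit in master.cf; a client whose sessions all end aborted with no mail queued is holding slots for the full smtpd_timeout each time.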
From: steve.freegard at fsl.com (Steve Freegard)
Date: Tue Jan 27 15:49:28 2009
Subject: WARNING: Ignoring deprecated option --unzip
In-Reply-To: <497F20CD.1080902@alexb.ch>
References: <497E0BAD.90707@ecs.soton.ac.uk> <70572c510901270051u2bf67a73yc2ade274507bf19b@mail.gmail.com> <497EDBA4.20202@fsl.com> <70572c510901270545r40ab4f90hba1808af1c23b896@mail.gmail.com> <497F151C.7080401@fsl.com> <70572c510901270630k46b4b7ccxabdf96bed1aa158e@mail.gmail.com> <70572c510901270639y4a1392c2u7f7430ccab54d854@mail.gmail.com> <497F20CD.1080902@alexb.ch>
Message-ID: <497F2C6C.7050304@fsl.com>

Alex Broens wrote:
>
> Could be misbehaved bots are eating up all your available sessions.
>
> if you have a zillion of inactive open connections try reducing your
> smtpd_timeout
>
> start off with and tune according to timeout requirements
>
> smtpd_timeout = 90s
> (read the postfix docs and understand what this setting can do for you,
> good & bad)

RFC default is 300 seconds you might get away with less; but diagnosing
failures here won't be fun. Change this with caution...

Our products have a better way of handling this; if a host is
blacklisted or acts peculiarly then we have a separate timeout for it
(60s) which is way safer than reducing this globally.

> Also
> maps_rbl_reject_code = 421
>
> will trigger an immediate session closing after a RBL reject so
> misbehaved bots won't eat up all your sessions

That is plain *nasty*.

Instead of getting an instant notice that their mail was rejected a
valid sender would have to wait at least 4 hours for a 'message delayed'
response from their own server. The sender will then continually retry
the message too. This will continue until the message is deleted from
the queue of the host or the host is delisted.

If you are going to do this then it's best to do it selectively see:
http://www.postfix.org/STRESS_README.html#hangup

It's way better to leave 'maps_rbl_reject_code' alone and set
'smtpd_hard_error_limit = 1' instead.

Or alternatively get an anti-spam daemon that doesn't suffer from any of
these problems (we can sell you one of those...).

Regards,
Steve.

From steve.swaney at fsl.com Tue Jan 27 16:09:08 2009
From: steve.swaney at fsl.com (Stephen Swaney)
Date: Tue Jan 27 16:09:23 2009
Subject: WARNING: Ignoring deprecated option --unzip
In-Reply-To: <497F2C6C.7050304@fsl.com>
References: <497E0BAD.90707@ecs.soton.ac.uk> <70572c510901270051u2bf67a73yc2ade274507bf19b@mail.gmail.com> <497EDBA4.20202@fsl.com> <70572c510901270545r40ab4f90hba1808af1c23b896@mail.gmail.com> <497F151C.7080401@fsl.com> <70572c510901270630k46b4b7ccxabdf96bed1aa158e@mail.gmail.com> <70572c510901270639y4a1392c2u7f7430ccab54d854@mail.gmail.com> <497F20CD.1080902@alexb.ch> <497F2C6C.7050304@fsl.com>
Message-ID: <067e01c98099$95be0620$c13a1260$@swaney@fsl.com>

:)

Steve

--
Steve Swaney
steve@fsl.com
202 595-7760 ext: 601
www.fsl.com

The most accurate and cost effective anti-spam solutions available

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Steve Freegard > Sent: Tuesday, January 27, 2009 10:47 AM > To: MailScanner discussion > Subject: Re: WARNING: Ignoring deprecated option --unzip > > Alex Broens wrote: > > > > Could be misbehaved bots are eating up all your available sessions. > > > > if you have a zillion of inactive open connections try reducing your > > smtpd_timeout > > > > start off with and tune according to timeout requirements > > > > smtpd_timeout = 90s > > (read the postfix docs and understand what this setting can do for > you, > > good & bad) > > RFC default is 300 seconds you might get away with less; but diagnosing > failures here won't be fun. Change this with caution... > > Our products have a better way of handling this; if a host is > blacklisted or acts peculiarly then we have a separate timeout for it > (60s) which is way safer than reducing this globally. > > > Also > > maps_rbl_reject_code = 421 > > > > will trigger an immediate session closing after a RBL reject so > > misbehaved bots won't eaat up all your sessions > > That is plain *nasty*. > > Instead of getting an instant notice that their mail was rejected a > valid sender would have to wait at least 4 hours for a 'message > delayed' > response from their own server. The sender will then continually retry > the message too. This will continue until the message is deleted from > the queue of the host or the host is delisted. > > If you are going to do this then it's best to do it selectively see: > http://www.postfix.org/STRESS_README.html#hangup > > It's way better to set leave 'maps_rbl_reject_code' alone and set > 'smtpd_hard_error_limit = 1' instead. > > Or alternatively get an anti-spam daemon that doesn't suffer from any > of > these problems (we can sell you one of those...). > > Regards, > Steve. 
From ms-list at alexb.ch Tue Jan 27 16:16:31 2009
From: ms-list at alexb.ch (Alex Broens)
Date: Tue Jan 27 16:16:40 2009
Subject: WARNING: Ignoring deprecated option --unzip
In-Reply-To: <497F2C6C.7050304@fsl.com>
References: <497E0BAD.90707@ecs.soton.ac.uk> <70572c510901270051u2bf67a73yc2ade274507bf19b@mail.gmail.com> <497EDBA4.20202@fsl.com> <70572c510901270545r40ab4f90hba1808af1c23b896@mail.gmail.com> <497F151C.7080401@fsl.com> <70572c510901270630k46b4b7ccxabdf96bed1aa158e@mail.gmail.com> <70572c510901270639y4a1392c2u7f7430ccab54d854@mail.gmail.com> <497F20CD.1080902@alexb.ch> <497F2C6C.7050304@fsl.com>
Message-ID: <497F335F.9050504@alexb.ch>

On 1/27/2009 4:46 PM, Steve Freegard wrote:
> Alex Broens wrote:
>> Could be misbehaved bots are eating up all your available sessions.
>>
>> if you have a zillion of inactive open connections try reducing your
>> smtpd_timeout
>>
>> start off with and tune according to timeout requirements
>>
>> smtpd_timeout = 90s
>> (read the postfix docs and understand what this setting can do for you,
>> good & bad)
>
> RFC default is 300 seconds you might get away with less; but diagnosing
> failures here won't be fun. Change this with caution...

....RFCs written before the day of the bot... :-)
did I mention that he should read the docs about the caveats?

> Our products have a better way of handling this; if a host is
> blacklisted or acts peculiarly then we have a separate timeout for it
> (60s) which is way safer than reducing this globally.

>> Also
>> maps_rbl_reject_code = 421
>>
>> will trigger an immediate session closing after a RBL reject so
>> misbehaved bots won't eat up all your sessions
>
> That is plain *nasty*.

It's recommended by Victor.. :-)
I love being nasty to bots...

> Instead of getting an instant notice that their mail was rejected a
> valid sender would have to wait at least 4 hours for a 'message delayed'
> response from their own server. The sender will then continually retry
> the message too. This will continue until the message is deleted from
> the queue of the host or the host is delisted.

bots/infected hosts don't retry.
Valid senders shouldn't be listed in zen. IF they are, I have little
compassion.

> Or alternatively get an anti-spam daemon that doesn't suffer from any of
> these problems (we can sell you one of those...).

I can sell you a service which can't afford your product.
(but that is totally offtopic)

Alex

From simonmjones at gmail.com Tue Jan 27 16:20:51 2009
From: simonmjones at gmail.com (Simon Jones)
Date: Tue Jan 27 16:21:00 2009
Subject: WARNING: Ignoring deprecated option --unzip
In-Reply-To: <7874386457543605106@unknownmsgid>
References: <497E0BAD.90707@ecs.soton.ac.uk> <70572c510901270051u2bf67a73yc2ade274507bf19b@mail.gmail.com> <497EDBA4.20202@fsl.com> <70572c510901270545r40ab4f90hba1808af1c23b896@mail.gmail.com> <497F151C.7080401@fsl.com> <70572c510901270630k46b4b7ccxabdf96bed1aa158e@mail.gmail.com> <70572c510901270639y4a1392c2u7f7430ccab54d854@mail.gmail.com> <497F20CD.1080902@alexb.ch> <497F2C6C.7050304@fsl.com> <7874386457543605106@unknownmsgid>
Message-ID: <70572c510901270820g52836203ra5f0b93a8632131@mail.gmail.com>

2009/1/27 Stephen Swaney :
> :)
>
>
> Steve
>
> --
> Steve Swaney
> steve@fsl.com
> 202 595-7760 ext: 601
> www.fsl.com
>
> The most accurate and cost effective anti-spam solutions available
>
>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steve Freegard >> Sent: Tuesday, January 27, 2009 10:47 AM >> To: MailScanner discussion >> Subject: Re: WARNING: Ignoring deprecated option --unzip >> >> Alex Broens wrote: >> > >> > Could be misbehaved bots are eating up all your available sessions. >> > >> > if you have a zillion of inactive open connections try reducing your >> > smtpd_timeout >> > >> > start off with and tune according to timeout requirements >> > >> > smtpd_timeout = 90s >> > (read the postfix docs and understand what this setting can do for >> you, >> > good & bad) >> >> RFC default is 300 seconds you might get away with less; but diagnosing >> failures here won't be fun. Change this with caution... >> >> Our products have a better way of handling this; if a host is >> blacklisted or acts peculiarly then we have a separate timeout for it >> (60s) which is way safer than reducing this globally. >> >> > Also >> > maps_rbl_reject_code = 421 >> > >> > will trigger an immediate session closing after a RBL reject so >> > misbehaved bots won't eat up all your sessions >> >> That is plain *nasty*. >> >> Instead of getting an instant notice that their mail was rejected a >> valid sender would have to wait at least 4 hours for a 'message >> delayed' >> response from their own server. The sender will then continually retry >> the message too. This will continue until the message is deleted from >> the queue of the host or the host is delisted. >> >> If you are going to do this then it's best to do it selectively see: >> http://www.postfix.org/STRESS_README.html#hangup >> >> It's way better to set leave 'maps_rbl_reject_code' alone and set >> 'smtpd_hard_error_limit = 1' instead. >> >> Or alternatively get an anti-spam daemon that doesn't suffer from any >> of >> these problems (we can sell you one of those...). >> >> Regards, >> Steve. 
yerrr, didn't like maps_rbl_reject_code = 421 much meself - upping the process limit seems to at least keep it stable, I'll monitor for the next few hours whilst trying to gather some collateral from the tcpdump and maillogs - all suggestions and help / input from you is really appreciated. From maillists at conactive.com Tue Jan 27 17:31:15 2009 From: maillists at conactive.com (Kai Schaetzl) Date: Tue Jan 27 17:31:35 2009 Subject: WARNING: Ignoring deprecated option --unzip In-Reply-To: <497F335F.9050504@alexb.ch> References: <497E0BAD.90707@ecs.soton.ac.uk> <70572c510901270051u2bf67a73yc2ade274507bf19b@mail.gmail.com> <497EDBA4.20202@fsl.com> <70572c510901270545r40ab4f90hba1808af1c23b896@mail.gmail.com> <497F151C.7080401@fsl.com> <70572c510901270630k46b4b7ccxabdf96bed1aa158e@mail.gmail.com> <70572c510901270639y4a1392c2u7f7430ccab54d854@mail.gmail.com> <497F20CD.1080902@alexb.ch> <497F2C6C.7050304@fsl.com> <497F335F.9050504@alexb.ch> Message-ID: Alex Broens wrote on Tue, 27 Jan 2009 17:16:31 +0100: > I love being nasty to bots... Well, you are nasty to yourself at the same time. Many bots retry nowadays. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From ms-list at alexb.ch Tue Jan 27 17:48:06 2009 
From: ms-list at alexb.ch (Alex Broens) Date: Tue Jan 27 17:48:16 2009 Subject: WARNING: Ignoring deprecated option --unzip In-Reply-To: References: <497E0BAD.90707@ecs.soton.ac.uk> <70572c510901270051u2bf67a73yc2ade274507bf19b@mail.gmail.com> <497EDBA4.20202@fsl.com> <70572c510901270545r40ab4f90hba1808af1c23b896@mail.gmail.com> <497F151C.7080401@fsl.com> <70572c510901270630k46b4b7ccxabdf96bed1aa158e@mail.gmail.com> <70572c510901270639y4a1392c2u7f7430ccab54d854@mail.gmail.com> <497F20CD.1080902@alexb.ch> <497F2C6C.7050304@fsl.com> <497F335F.9050504@alexb.ch> Message-ID: <497F48D6.3090903@alexb.ch> On 1/27/2009 6:31 PM, Kai Schaetzl wrote: > Alex Broens wrote on Tue, 27 Jan 2009 17:16:31 +0100: > >> I love being nasty to bots... > > Well, you are nasty to yourself at the same time. Many bots retry > nowadays. > .... and many don't close the TCP connection after a reject and eat up your sessions. You need to either time them out or force close the connection. It's a "works for me". Simon sounded very unhappy, so I posted a suggestion, not a howto. Of course, if you use the most accurate and cost effective anti-spam solutions available, you won't come across these problems :-) Alex From ssilva at sgvwater.com Tue Jan 27 19:03:19 2009 
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Jan 27 19:03:43 2009 Subject: zen.spamhaus.org wont work .. In-Reply-To: References: Message-ID: on 1-26-2009 11:20 PM Marco mangione spake the following: > also: > > root@filtro3:~# dig 2.0.0.127.zen.spamhaus.org > > > ; <<>> DiG 9.4.2 <<>> 2.0.0.127.zen.spamhaus.org > > ;; global options: printcmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8132 > ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 23, ADDITIONAL: 1 > > ;; QUESTION SECTION: > ;2.0.0.127.zen.spamhaus.org . > IN A > > ;; ANSWER SECTION: > 2.0.0.127.zen.spamhaus.org . 615 > IN A 127.0.0.2 > 2.0.0.127.zen.spamhaus.org . 615 > IN A 127.0.0.4 > 2.0.0.127.zen.spamhaus.org . 615 > IN A 127.0.0.10 > Then your postfix is not set up properly, or your DNS is taking longer than postfix is willing to wait. I am not a postfix guru, but maybe you have the blacklist in the wrong position on the config file. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From jethro.binks at strath.ac.uk Tue Jan 27 21:14:13 2009 
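
The dig answer quoted in the zen.spamhaus.org message above can be checked mechanically. The following is an added example, not code from any poster: it builds the reversed-octet query name and decodes the A records, using Spamhaus's published ZEN return codes (which the thread itself does not list). The function names are hypothetical and the sample answer is re-typed from the quoted dig output with the mail wrapping removed.

```shell
#!/bin/sh
# Added example, not from the thread. All function names are hypothetical.

# dnsbl_qname IPV4 ZONE -> query name with the octets reversed,
# e.g. 127.0.0.2 + zen.spamhaus.org -> 2.0.0.127.zen.spamhaus.org
dnsbl_qname() {
    ip=$1 zone=$2
    case $ip in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;   # not a dotted-decimal IPv4 address
    esac
    old_ifs=$IFS; IFS=.
    set -- $ip                                  # split on dots into $1..$4
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] 2>/dev/null || return 1
    done
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$zone"
}

# zen_decode ADDR -> which ZEN component one returned A record stands for.
zen_decode() {
    case $1 in
        127.0.0.2|127.0.0.3|127.0.0.9) echo "SBL" ;;
        127.0.0.[4-7])                 echo "XBL" ;;
        127.0.0.10|127.0.0.11)         echo "PBL" ;;
        127.255.255.*)                 echo "ERROR" ;;   # query refused, NOT a listing
        *)                             echo "UNKNOWN" ;;
    esac
}

# zen_listings: read dig output on stdin, print the decoded component of
# every A record in the answer section, sorted, duplicates removed.
zen_listings() {
    awk 'NF == 5 && $3 == "IN" && $4 == "A" { print $5 }' |
    while read -r addr; do zen_decode "$addr"; done | sort -u
}

# zen_verdict: one-line verdict for a dig answer on stdin. An error code is
# reported separately so that it is never treated as "client is listed".
zen_verdict() {
    result=$(zen_listings)
    case $result in
        "")      echo "not-listed" ;;
        *ERROR*) echo "lookup-error" ;;
        *)       echo "listed:$(printf '%s\n' "$result" | paste -s -d, -)" ;;
    esac
}

# Answer for the 127.0.0.2 test entry, taken from the quoted dig output.
sample_dig_answer() {
cat <<'EOF'
;; QUESTION SECTION:
;2.0.0.127.zen.spamhaus.org.     IN A

;; ANSWER SECTION:
2.0.0.127.zen.spamhaus.org. 615 IN A 127.0.0.2
2.0.0.127.zen.spamhaus.org. 615 IN A 127.0.0.4
2.0.0.127.zen.spamhaus.org. 615 IN A 127.0.0.10
EOF
}

dnsbl_qname 127.0.0.2 zen.spamhaus.org
sample_dig_answer | zen_verdict
```

A test entry that resolves like this shows the resolver can reach the zone, which leaves the MTA configuration as the place to look, as the reply above suggests.
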
From: jethro.binks at strath.ac.uk (Jethro R Binks) Date: Tue Jan 27 21:14:22 2009 Subject: WARNING: Ignoring deprecated option --unzip In-Reply-To: <497F335F.9050504@alexb.ch> References: <497E0BAD.90707@ecs.soton.ac.uk> <70572c510901270051u2bf67a73yc2ade274507bf19b@mail.gmail.com> <497EDBA4.20202@fsl.com> <70572c510901270545r40ab4f90hba1808af1c23b896@mail.gmail.com> <497F151C.7080401@fsl.com> <70572c510901270630k46b4b7ccxabdf96bed1aa158e@mail.gmail.com> <70572c510901270639y4a1392c2u7f7430ccab54d854@mail.gmail.com> <497F20CD.1080902@alexb.ch> <497F2C6C.7050304@fsl.com> <497F335F.9050504@alexb.ch> Message-ID: On Tue, 27 Jan 2009, Alex Broens wrote: > On 1/27/2009 4:46 PM, Steve Freegard wrote: > > Alex Broens wrote: > > > Could be misbehaved bots are eating up all your available sessions. > > > > > > if you have a zillion of inactive open connections try reducing your > > > smtpd_timeout > > > > > > start off with and tune according to timeout requirements > > > > > > smtpd_timeout = 90s > > > (read the postfix docs and understand what this setting can do for you, > > > good & bad) > > > > RFC default is 300 seconds you might get away with less; but diagnosing > > failures here won't be fun. Change this with caution... > > ....RFCs written before the day of the bot... :-) did I mention that he > should read the docs about the caveats? It works both ways. The RFCs, originally written at a time when networks were slower and less reliable and hardware less capable, have generous timeouts for the SMTP conversation. So yes, in default configurations, MTAs have to be very very patient, and bots can potentially hang on to MTA connections. But if the MTAs play by these rules, then so should the clients. However, many bot client SMTP implementations do not play by the rules very well (possibly intentionally). 
If your server is slow to respond at each stage, and the client poorly written, the client can sometimes fall over itself stuffing SMTP commands down a link to a server that is too chilled to answer so quickly, and hence they get out of sequence, or simply lose patience and disconnect. The writers of some bot SMTP clients also realise that there's probably little point hanging around on and on waiting for a slow MTA to respond to each command. Much more efficient for them to dump that MTA and move on to another more responsive one elsewhere into which more junk can be pumped. So, ideally, introduce delays into your SMTP conversations to shed off the crap clients. Size your OS TCP stack to accommodate the max number of concurrent connections you want to see or can handle. If you reach that limit, the legitimate senders will try again later or move on to another MX for your domain. If you are perpetually at that limit, there isn't much else you can do other than resize your OS TCP stack (and possibly hardware), add more MXs, or implement other DDoS attack prevention mechanisms possibly with the assistance of your ISP (e.g., identifying the most prolific culprits and blocking their ability to create TCP sessions at the firewall level - enough to ride the wave). If you're playing this game, you have to accept that there may come a time when there is pretty much _nothing_ you can do - as many large sites and their providers have found. All this does produce collateral damage from people who have unwisely tinkered with their MTA's timers (for being an SMTP client), or whose vendors didn't write a very good MTA in the first place. I accept that, having introduced delays, some of my time is taken up talking to operators of MTAs that haven't played by the rules, and suggesting how they might fix them to operate properly. That's the trade-off for the successful shedding of crap SMTP clients (mostly junk senders). 
On 1/27/2009 4:46 PM, Steve Freegard wrote: > Our products have a better way of handling this; if a host is > blacklisted or acts peculiarly then we have a separate timeout for it > (60s) which is way safer than reducing this globally. Indeed, if your MTA permits it, you can increase (or decrease) delays based on other criteria. So you may "whitelist" the MTAs of sites you trust (or ones you are told to accept mail from even if their MTA is broken), reducing the delays, or add more delay at certain points if you have reason to suspect the legitimacy of the connecting host. Additionally, if you have reasons to believe that you really do not wish to accept mail from a connecting client (maybe the client is on a blocklist that you particularly trust), under some circumstances rather than just issuing an appropriate 5xx rejection response, you can consider forcibly dropping the SMTP session (rather than letting the client decide it wants to continue, perhaps with more RCPTs that you will likewise keep rejecting). That will reduce the number of bots etc hanging around chewing up your connection slots. All these techniques need to be weighed up for your own environment; in mine, it greatly decreases the load on the heavyweight stuff that follows: SpamAssassin, MailScanner, virus scanners, and such like, at a cost of some support load increase. Jethro. -- . . . . . . . . . . . . . . . . . . . . . . . . . Jethro R Binks Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK From jethro.binks at strath.ac.uk Tue Jan 27 22:23:26 2009 
From: jethro.binks at strath.ac.uk (Jethro R Binks) Date: Tue Jan 27 22:23:34 2009 Subject: WARNING: Ignoring deprecated option --unzip In-Reply-To: References: <497E0BAD.90707@ecs.soton.ac.uk> <70572c510901270051u2bf67a73yc2ade274507bf19b@mail.gmail.com> <497EDBA4.20202@fsl.com> <70572c510901270545r40ab4f90hba1808af1c23b896@mail.gmail.com> <497F151C.7080401@fsl.com> <70572c510901270630k46b4b7ccxabdf96bed1aa158e@mail.gmail.com> <70572c510901270639y4a1392c2u7f7430ccab54d854@mail.gmail.com> <497F20CD.1080902@alexb.ch> <497F2C6C.7050304@fsl.com> <497F335F.9050504@alexb.ch> Message-ID: On Tue, 27 Jan 2009, Jethro R Binks wrote: > ... you could consider forcibly dropping the SMTP session I should clarify that this is after issuing the usual 5xx response. i.e., once you've said the protocol equivalent of "go away", your MTA then drops the connection from its end, rather than waiting for the client to do so (or carry on with more SMTP commands). Jethro. -- . . . . . . . . . . . . . . . . . . . . . . . . . Jethro R Binks Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK From lists at sequestered.net Tue Jan 27 22:30:40 2009 
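
Whether rejected clients really do sit on smtpd slots until the timeout, the point argued in the messages above, can be measured from the mail log before any setting is changed. The following is an added example, not code from any poster or from Postfix: it pairs each session's first RBL reject with its disconnect and reports how long the client kept the slot. It assumes classic syslog-format Postfix lines; the log lines are constructed, and `sample_maillog`, `held_after_reject` and `held_summary` are hypothetical names.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes lines of the form
#   "Mon DD HH:MM:SS host postfix/smtpd[PID]: message"

# Constructed sample log (documentation IP ranges, made-up sessions).
sample_maillog() {
cat <<'EOF'
Jan 27 16:01:02 mx postfix/smtpd[2101]: connect from unknown[192.0.2.10]
Jan 27 16:01:03 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; from=<a@example.net> to=<u@example.org> proto=SMTP helo=<pc>
Jan 27 16:01:04 mx postfix/smtpd[2102]: connect from unknown[198.51.100.7]
Jan 27 16:01:05 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using zen.spamhaus.org; from=<b@example.net> to=<u@example.org> proto=SMTP helo=<pc>
Jan 27 16:01:06 mx postfix/smtpd[2102]: lost connection after RCPT from unknown[198.51.100.7]
Jan 27 16:01:06 mx postfix/smtpd[2102]: disconnect from unknown[198.51.100.7]
Jan 27 16:02:00 mx postfix/smtpd[2103]: connect from mail.example.com[203.0.113.5]
Jan 27 16:02:02 mx postfix/smtpd[2103]: disconnect from mail.example.com[203.0.113.5]
Jan 27 16:06:03 mx postfix/smtpd[2101]: timeout after RCPT from unknown[192.0.2.10]
Jan 27 16:06:03 mx postfix/smtpd[2101]: disconnect from unknown[192.0.2.10]
Jan 27 16:06:59 mx postfix/smtpd[2101]: connect from unknown[192.0.2.10]
Jan 27 16:07:00 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; from=<a@example.net> to=<u@example.org> proto=SMTP helo=<pc>
Jan 27 16:07:30 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; from=<a@example.net> to=<v@example.org> proto=SMTP helo=<pc>
Jan 27 16:12:30 mx postfix/smtpd[2101]: timeout after RCPT from unknown[192.0.2.10]
Jan 27 16:12:30 mx postfix/smtpd[2101]: disconnect from unknown[192.0.2.10]
EOF
}

# held_after_reject MIN: read a mail log on stdin and print "client seconds"
# for every session that stayed open at least MIN seconds after its first
# reject. Sessions are keyed by the smtpd PID, which Postfix reuses for
# consecutive sessions, so the state is cleared at each disconnect.
held_after_reject() {
    awk -v min="$1" '
    function secs(hms,   p) { split(hms, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
    $5 ~ /^postfix\/smtpd\[/ {
        pid = $5; t = secs($3)
        if ($6 == "NOQUEUE:" && $7 == "reject:") {
            if (!(pid in rej)) {                 # only the first reject counts
                rej[pid] = t
                ip = $10; sub(/^.*\[/, "", ip); sub(/\].*$/, "", ip)
                client[pid] = ip
            }
        } else if ($6 == "disconnect" && (pid in rej)) {
            held = t - rej[pid]
            if (held < 0) held += 86400          # session crossed midnight
            if (held >= min) print client[pid], held
            delete rej[pid]; delete client[pid]
        }
    }'
}

# held_summary MIN: per client, "ip sessions total_seconds" of slot time
# spent on sessions that had already been rejected.
held_summary() {
    held_after_reject "$1" |
    awk '{ n[$1]++; s[$1] += $2 } END { for (ip in n) print ip, n[ip], s[ip] }' | sort
}

sample_maillog | held_summary 60
```

In the constructed log one client holds a slot for the full 300 seconds after its reject while another leaves within a second; only the first kind is what a lower timeout, a hard error limit or a forced disconnect would address.
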
From: lists at sequestered.net (Corey Chandler) Date: Tue Jan 27 22:30:50 2009 Subject: zen.spamhaus.org wont work .. In-Reply-To: References: Message-ID: <497F8B10.3060606@sequestered.net> Scott Silva wrote: > on 1-26-2009 11:20 PM Marco mangione spake the following: > >> also: >> >> root@filtro3:~# dig 2.0.0.127.zen.spamhaus.org >> >> >> > > Then your postfix is not set up properly, or your DNS is taking longer than > postfix is willing to wait. I am not a postfix guru, Fortunately, I kinda am! > but maybe you have the > blacklist in the wrong position on the config file. > > Entirely possible. Marco! Please paste the output of postconf -n -- Corey Chandler / KB1JWQ Living Legend / Systems Exorcist Today's Excuse: Your mail is being routed through Germany... and they're censoring us From jvoorhees1 at gmail.com Wed Jan 28 14:02:15 2009 
From: jvoorhees1 at gmail.com (Jason Voorhees) Date: Wed Jan 28 14:04:50 2009 Subject: Suggestions to block big spam messages Message-ID: Hi there: I'm running a Linux box as a gateway AntiSpam with SpamAssassin & MailScanner. I think my antispam system works very nice. I use some techniques like: - UCE control at postfix level - SMTP delay greeting at postfix level - Greylisting at postfix level - Custom MCP checks with MailScanner - razor plugin with SpamAssassin - SPF checks with SpamAssassin - A 'relayed by dialup' plugin in SpamAssassin - RBL checks with SpamAssassin - SpamAssassin learning through reading a shared spam folder with fetchmail - Maybe something else I don't remember... The problem is that I'm receiving some spam not detected by all these techniques because the size of the message is about 300KB, bigger than "Max Spam Check Size" in MailScanner.conf By now I only detected that all those spam messages come always from *.info domains, so I included *.info in my MailScanner blacklist because I never receive valid messages from those domains. However I don't feel this is a good way to solve the issue. What recommendations could you give me to block this kind of spam efficiently? It would be necessary to increase the value of "Max Spam Check Size"? I don't believe it, right? I hope someone can advise me a little in this antispam battle. Thanks, bye :) From jethro.binks at strath.ac.uk Wed Jan 28 14:28:42 2009 
From: jethro.binks at strath.ac.uk (Jethro R Binks) Date: Wed Jan 28 14:28:51 2009 Subject: Suggestions to block big spam messages In-Reply-To: References: Message-ID: On Wed, 28 Jan 2009, Jason Voorhees wrote: > By now I only detected that all those spam messages come always from > *.info domains, so I included *.info in my MailScanner blacklist because > I never receive valid messages from those domains. I wonder how you receive messages from this list. Jethro. -- . . . . . . . . . . . . . . . . . . . . . . . . . Jethro R Binks Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK From jethro.binks at strath.ac.uk Wed Jan 28 14:31:10 2009 From: jethro.binks at strath.ac.uk (Jethro R Binks) Date: Wed Jan 28 14:31:20 2009 Subject: Suggestions to block big spam messages In-Reply-To: References: Message-ID: On Wed, 28 Jan 2009, Jethro R Binks wrote: > On Wed, 28 Jan 2009, Jason Voorhees wrote: > > > By now I only detected that all those spam messages come always from > > *.info domains, so I included *.info in my MailScanner blacklist because > > I never receive valid messages from those domains. > > I wonder how you receive messages from this list. In case my point isn't clear, yes I can see he is sending from a Gmail address, but what if one of the clients he is providing service for wants to receive mail from the list. Or he doesn't want to use his Gmail address any more for this list. The point being, of course, that blocking top level domains in their entirety usually backfires sooner or later, and you have to maintain exceptions. Jethro. -- . . . . . . . . . . . . . . . . . . . . . . . . . Jethro R Binks Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK From Ron.Ghetti at town.barnstable.ma.us Wed Jan 28 14:28:32 2009 
From: Ron.Ghetti at town.barnstable.ma.us (Ghetti, Ron) Date: Wed Jan 28 14:34:26 2009 Subject: Spammassassin time outs debugging Message-ID: <3411CC12BB577F4FAEAC8A694780866B022912CE@ITMAIL.town.barnstable.ma.us> Hi, ok so in trying to troubleshoot my timeouts I've run into an issue trying to capture the output. Can someone give me an idea on how to capture the output from this to a text file so I can go over it ? MailScanner --debug --debug -sa I would normally do a > some.file but that isn't yielding anything in the file. Thanks -Ron From jvoorhees1 at gmail.com Wed Jan 28 14:42:52 2009 
From: jvoorhees1 at gmail.com (Jason Voorhees) Date: Wed Jan 28 14:43:00 2009 Subject: Suggestions to block big spam messages In-Reply-To: References: Message-ID: Hi: On Wed, Jan 28, 2009 at 9:31 AM, Jethro R Binks wrote: > On Wed, 28 Jan 2009, Jethro R Binks wrote: > >> On Wed, 28 Jan 2009, Jason Voorhees wrote: >> >> > By now I only detected that all those spam messages come always from >> > *.info domains, so I included *.info in my MailScanner blacklist because >> > I never receive valid messages from those domains. >> >> I wonder how you receive messages from this list. > > In case my point isn't clear, yes I can see he is sending from a Gmail > address, but what if one of the clients he is providing service for wants > to receive mail from the list. Or he doesn't want to use his Gmail > address any more for this list. > > The point being, of course, that blocking top level domains in their > entirety usually backfires sooner or later, and you have to maintain > exceptions. > Yes, but I also wrote "... valid messages from those domains. However I don't feel this is a good way to solve the issue." I know that blocking top level domains isn't a good idea, but it works for my organization now. I only did this to stop receiving the described spam type but it's just for a short time this "solution". However I'm looking for a better solution instead of blocking *.info domains Any ideas? From maillists at conactive.com Wed Jan 28 14:43:04 2009 
From: maillists at conactive.com (Kai Schaetzl) Date: Wed Jan 28 14:43:22 2009 Subject: Suggestions to block big spam messages In-Reply-To: References: Message-ID: Jason Voorhees wrote on Wed, 28 Jan 2009 09:02:15 -0500: > The problem is that I'm receiving some spam not detected by all these > techniques because the size of the message is about 300KB, bigger than > "Max Spam Check Size" in MailScanner.conf There are actually two settings for this. Max Spam Check Size = Max SpamAssassin Size = You can set the first higher and keep the second lower, so that only the first part of the message gets scanned. That should already be able to detect the spam. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From glenn.steen at gmail.com Wed Jan 28 14:46:46 2009 
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Jan 28 14:46:56 2009 Subject: Suggestions to block big spam messages In-Reply-To: References: Message-ID: <223f97700901280646p664c5931j2859e098791cc2ec@mail.gmail.com> 2009/1/28 Jason Voorhees : > Hi there: > > I'm running a Linux box as a gateway AntiSpam with SpamAssassin & > MailScanner. I think my antispam system works very nice. I use some > techniques like: > > - UCE control at postfix level > - SMTP delay greeting at postfix level > - Greylisting at postfix level > - Custom MCP checks with MailScanner > - razor plugin with SpamAssassin > - SPF checks with SpamAssassin > - A 'relayed by dialup' plugin in SpamAssassin > - RBL checks with SpamAssassin > - SpamAssassin learning through reading a shared spam folder with fetchmail > - Maybe something else I don't remember... > > The problem is that I'm receiving some spam not detected by all these > techniques because the size of the message is about 300KB, bigger than > "Max Spam Check Size" in MailScanner.conf > By now I only detected that all those spam messages come always from > *.info domains, so I included *.info in my MailScanner blacklist > because I never receive valid messages from those domains. However I > don't feel this is a good way to solve the issue. > > What recommendations could you give me to block this kind of spam > efficiently? It would be necessary to increase the value of "Max Spam > Check Size"? I don't believe it, right? > No, I'd do exactly that. Mine was set to ~ 3.5 MiB until recently, when I doubled it. If you think that too drastic a measure, at least up it to 500KiB and see how you get on. > I hope someone can advise me a little in this antispam battle. Thanks, bye :) Then there are certainly other additions you might consider, like CRM114, DCC etc... which might help a bit further. 
Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From Denis.Beauchemin at USherbrooke.ca Wed Jan 28 14:52:00 2009 From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Wed Jan 28 14:52:14 2009 Subject: Spammassassin time outs debugging In-Reply-To: <3411CC12BB577F4FAEAC8A694780866B022912CE@ITMAIL.town.barnstable.ma.us> References: <3411CC12BB577F4FAEAC8A694780866B022912CE@ITMAIL.town.barnstable.ma.us> Message-ID: <49807110.90806@USherbrooke.ca> Ghetti, Ron wrote: > Hi, > ok so in trying to troubleshoot my timeouts I've run into > an issue trying to capture the output. > Can someone give me an idea on how to capture the > output from this to a text file so I can go over it ? > > MailScanner --debug --debug -sa > > I would normally do a > some.file > but that isn't yielding anything in the file. > > Thanks > > -Ron > > Ron, Try "MailScanner --debug --debug -sa 2> some.file" as the output is probably going to stderr instead of stdout. Denis -- _ ?v? Denis Beauchemin, analyste /(_)\ Université de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045 From glenn.steen at gmail.com Wed Jan 28 14:55:01 2009 
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Jan 28 14:55:11 2009 Subject: Spammassassin time outs debugging In-Reply-To: <3411CC12BB577F4FAEAC8A694780866B022912CE@ITMAIL.town.barnstable.ma.us> References: <3411CC12BB577F4FAEAC8A694780866B022912CE@ITMAIL.town.barnstable.ma.us> Message-ID: <223f97700901280655k2798fe8ey2d5661d1d33c23de@mail.gmail.com> 2009/1/28 Ghetti, Ron : > > > Hi, > ok so in trying to troubleshoot my timeouts I've run into > an issue trying to capture the output. > Can someone give me an idea on how to capture the > output from this to a text file so I can go over it ? > > MailScanner --debug --debug -sa > > I would normally do a > some.file > but that isn't yielding anything in the file. > > Thanks > > -Ron > MailScanner --debug --debug-sa 2>&1 | tee filename or MailScanner --debug --debug-sa > filename 2>&1 should be accepted by almost all shells (apart from csh-derivatives, which would use ">&" for the same effect... And bash can grok that too:-). Recommended reading: man bash or your preferred shell... Look at the REDIRECTION section. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Wed Jan 28 14:59:48 2009 
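
Why `> some.file` stayed empty in the question above, and why the order of the two redirections in the answers matters, shown as an added example that is not from any poster: `noisy` is a hypothetical stand-in for a program that writes its diagnostics to stderr, and `capture` (also hypothetical) reports what each redirection form actually leaves in the file.

```shell
#!/bin/sh
# Added example, not from the thread.

# Stand-in for a debug run: one line on stdout, diagnostics on stderr.
noisy() {
    echo "normal output"
    echo "dbg: diagnostic line" >&2
}

# capture FORM: run noisy with one redirection form, then print the file.
capture() {
    f=$(mktemp) || return 1
    case $1 in
        stdout_only) noisy > "$f" 2>/dev/null ;;            # "> some.file": stderr is not in the file
        stderr_only) noisy 2> "$f" >/dev/null ;;            # "2> some.file"
        both)        noisy > "$f" 2>&1 ;;                   # "> filename 2>&1"
        tee)         noisy 2>&1 | tee "$f" >/dev/null ;;    # "2>&1 | tee filename"
        # Reversed order: stderr is duplicated onto the OLD stdout first, and
        # only then is stdout pointed at the file, so diagnostics miss the file.
        wrong_order) { noisy 2>&1 > "$f"; } >/dev/null ;;
        *)           rm -f "$f"; return 2 ;;
    esac
    cat "$f"
    rm -f "$f"
}

for form in stdout_only stderr_only both tee wrong_order; do
    printf '== %s ==\n' "$form"
    capture "$form"
done
```
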
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Jan 28 14:59:57 2009 Subject: Suggestions to block big spam messages In-Reply-To: References: Message-ID: <223f97700901280659k70b36f86t250b686a0e623444@mail.gmail.com> 2009/1/28 Jason Voorhees : > Hi: > > On Wed, Jan 28, 2009 at 9:31 AM, Jethro R Binks > wrote: >> On Wed, 28 Jan 2009, Jethro R Binks wrote: >> >>> On Wed, 28 Jan 2009, Jason Voorhees wrote: >>> >>> > By now I only detected that all those spam messages come always from >>> > *.info domains, so I included *.info in my MailScanner blacklist because >>> > I never receive valid messages from those domains. >>> >>> I wonder how you receive messages from this list. >> >> In case my point isn't clear, yes I can see he is sending from a Gmail >> address, but what if one of the clients he is providing service for wants >> to receive mail from the list. Or he doesn't want to use his Gmail >> address any more for this list. >> >> The point being, of course, that blocking top level domains in their >> entirety usually backfires sooner or later, and you have to maintain >> exceptions. >> > Yes, but I also wrote "... valid messages from those domains. However I > don't feel this is a good way to solve the issue." > > I know that blocking top level domains isn't a good idea, but it works > for my organization now. I only did this to stop receiving the > described spam type but it's just for a short time this > "solution". However I'm looking for a better solution instead of > blocking *.info domains > > Any ideas? You don't mention any AV... Do you use any virus scanning? If not... Why not? I wouldn't be surprised if the "suspected spam" was indeed something an AV (like ClamAV, which is free) would pick up. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From Ron.Ghetti at town.barnstable.ma.us Wed Jan 28 15:35:26 2009 
From: Ron.Ghetti at town.barnstable.ma.us (Ghetti, Ron) Date: Wed Jan 28 15:35:47 2009 Subject: Spammassassin time outs debugging Message-ID: <3411CC12BB577F4FAEAC8A694780866B022912CF@ITMAIL.town.barnstable.ma.us> Thank you Guys, I knew it was something fairly simple. I do most of my admin on %windir% as you probably figured... :-) -Ron From jvoorhees1 at gmail.com Wed Jan 28 16:17:04 2009 
From: jvoorhees1 at gmail.com (Jason Voorhees) Date: Wed Jan 28 16:17:14 2009 Subject: Suggestions to block big spam messages In-Reply-To: References: Message-ID: Hi: On Wed, Jan 28, 2009 at 9:43 AM, Kai Schaetzl wrote: > There are actually two settings for this. > > Max Spam Check Size = > Max SpamAssassin Size = > > You can set the first higher and keep the second lower, so that only the > first part of the message gets scanned. That should already be able to > detect the spam. OK, that's really useful, I didn't remember that SpamAssassin truncates the message to the first 200 KB (or the corresponding value in Max SpamAssassin Size). I'm going to allow bigger messages to be checked by MailScanner and let SpamAssassin truncate them. Thanks But now I'm seeing that those spam messages are big because their only content is an image attached or embedded (maybe in html). The image contains the spam text and its size is about 250-300 KB or bigger. SpamAssassin would not be able to detect that image as spam right? I think SA could be able to read/detect other parts of the message like the headers. So, for this kind of spam would I be forced to use some OCR plugin/tool? Thanks to Glenn also: I will check CRM114, and I do use ClamAV with MailScanner. From Ron.Ghetti at town.barnstable.ma.us Wed Jan 28 16:58:30 2009 
From: Ron.Ghetti at town.barnstable.ma.us (Ghetti, Ron) Date: Wed Jan 28 16:59:34 2009 Subject: debugging Spammassassin Message-ID: <3411CC12BB577F4FAEAC8A694780866B022912D2@ITMAIL.town.barnstable.ma.us> Hello again, Hopefully, I have found something to work with. Some Background: Dell PowerEdge 2950 8gb Ubuntu 7.04 Perl 5.8.8 MailScanner 4.68.8 Postfix 2.3.8 SpamAssassin 3.2.4 It's been running this way for several months, with decent performance. At Approx 10k messages per day. Typical day totals There were 10,767 Total messages Recieved. There were 4,225 Messages Queued for delivery. There were 4,328 Messages Delivered. There were 6,143 messages marked as spam. Lately though I'm finding the mail queue backed up with messages and timeouts in the logs. Here are some items from running a debug session: 10:30:50 Use of uninitialized value in concatenation (.) or string at /usr/local/share/perl/5.8.8/Mail/SpamAssassin.pm line 1088. 10:30:50 Use of uninitialized value in concatenation (.) or string at /usr/local/share/perl/5.8.8/Mail/SpamAssassin.pm line 1090. 10:30:50 [16928] dbg: config: read_scoreonly_config: cannot open "": No such file or directory 10:31:57 [17013] dbg: rules: meta test DIGEST_MULTIPLE has undefined dependency 'DCC_CHECK' Probably time for upgrades I imagine but I'd like to determine the problem before Throwing upgrades into the mix and possibly creating other issues. Any thoughts ? Thanks -Ron From Kevin_Miller at ci.juneau.ak.us Wed Jan 28 17:42:28 2009 
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Wed Jan 28 17:42:50 2009 Subject: Suggestions to block big spam messages In-Reply-To: References: Message-ID: <4A09477D575C2C4B86497161427DD94C0C804174C3@CITY-EXCHANGE07.cbj.local> A year or two ago, an awful lot of spam was of the image variety. There were a couple of solutions that arose. The one I'm using is "imageinfo". It's a combination of a perl module and a spamassassin .cf file. You can get it here: http://www.rulesemporium.com/plugins.htm ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907) 586-4500 -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jason Voorhees Sent: Wednesday, January 28, 2009 7:17 AM To: MailScanner discussion Subject: Re: Suggestions to block big spam messages Hi: On Wed, Jan 28, 2009 at 9:43 AM, Kai Schaetzl wrote: > There are actually two settings for this. > > Max Spam Check Size = > Max SpamAssassin Size = > > You can set the first higher and keep the second lower, so that only > the first part of the message gets scanned. That should already be > able to detect the spam. OK, that's really useful, I didn't remember that SpamAssassin truncates the message to the first 200 KB (or the corresponding value in Max SpamAssassin Size). I'm going to allow bigger messages to be checked by MailScanner and let SpamAssassin truncate them. Thanks But now I'm seeing that those spam messages are big because their only content is an image attached or embedded (maybe in html). The image contains the spam text and its size is about 250-300 KB or bigger. SpamAssassin would not be able to detect that image as spam right? I think SA could be able to read/detect other parts of the message like the headers. So, for this kind of spam would I be forced to use some OCR plugin/tool? Thanks to Glenn also: I will check CRM114, and I do use ClamAV with MailScanner. > Kai > > -- > Kai Schätzl, Berlin, Germany > Get your web at Conactive Internet Services: http://www.conactive.com 
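The redirection forms from Glenn Steen's reply about capturing `MailScanner --debug --debug-sa` output, as an added example that is not part of any list message. `fake_debug` is a hypothetical stand-in that writes constructed debug lines to stderr, and `captured_dbg_lines` reports how many of them each form actually puts into the file.

```shell
#!/bin/sh
# Hypothetical stand-in for `MailScanner --debug --debug-sa`: one status
# line on stdout, the debug lines (constructed samples) on stderr.
fake_debug() {
    echo "status: batch started"
    echo "dbg: config: constructed sample line 1" >&2
    echo "dbg: rules: constructed sample line 2" >&2
}

# captured_dbg_lines FORM
# Runs fake_debug with the named redirection form into a temp file and
# prints how many "dbg:" lines the file received.
captured_dbg_lines() {
    out=$(mktemp) || return 1
    case $1 in
        stdout_only)   # "> some.file": stderr never reaches the file
            { fake_debug > "$out"; } 2>/dev/null ;;
        file_then_dup) # "> filename 2>&1": stderr follows stdout into the file
            fake_debug > "$out" 2>&1 ;;
        dup_then_file) # "2>&1 > filename": stderr copies the OLD stdout first
            { fake_debug 2>&1 > "$out"; } >/dev/null ;;
        tee)           # "2>&1 | tee filename": both streams go through the pipe
            fake_debug 2>&1 | tee "$out" >/dev/null ;;
        *)  rm -f "$out"; return 2 ;;
    esac
    grep -c '^dbg:' "$out" || true   # grep exits 1 when the count is zero
    rm -f "$out"
}

for form in stdout_only file_then_dup dup_then_file tee; do
    printf '%-14s %s dbg lines captured\n' "$form" "$(captured_dbg_lines "$form")"
done
```

The `dup_then_file` case is the ordering mistake to watch for: redirections are processed left to right, so `2>&1` must come after `> filename`.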
From glenn.steen at gmail.com Wed Jan 28 19:12:20 2009 
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Jan 28 19:12:29 2009 Subject: debugging Spammassassin In-Reply-To: <3411CC12BB577F4FAEAC8A694780866B022912D2@ITMAIL.town.barnstable.ma.us> References: <3411CC12BB577F4FAEAC8A694780866B022912D2@ITMAIL.town.barnstable.ma.us> Message-ID: <223f97700901281112v57b59e02s6882f73acbac377c@mail.gmail.com> 2009/1/28 Ghetti, Ron : > > Hello again, > Hopefully, I have found something to work with. > > Some Background: > Dell PowerEdge 2950 8gb > Ubuntu 7.04 > Perl 5.8.8 > MailScanner 4.68.8 > Postfix 2.3.8 > SpamAssassin 3.2.4 > > It's been running this way for several months, with decent performance. > At Approx 10k messages per day. > Typical day totals > There were 10,767 Total messages Recieved. > There were 4,225 Messages Queued for delivery. > There were 4,328 Messages Delivered. > There were 6,143 messages marked as spam. > Lately though I'm finding the mail queue backed up with messages and > timeouts in the logs. > > Here is some items from running a debug session: > > 10:30:50 Use of uninitialized value in concatenation (.) or string at > /usr/local/share/perl/5.8.8/Mail/SpamAssassin.pm line 1088. > 10:30:50 Use of uninitialized value in concatenation (.) or string at > /usr/local/share/perl/5.8.8/Mail/SpamAssassin.pm line 1090. > 10:30:50 [16928] dbg: config: read_scoreonly_config: cannot open "": No > such file or directory > > 10:31:57 [17013] dbg: rules: meta test DIGEST_MULTIPLE has undefined > dependency 'DCC_CHECK' > LoadPlugin DCC in one of the pre files, perhaps.... > > Probably time for upgrades I imagine but I'd like to determine the > problem before > Throwing upgrades into the mix and possibly creating other issues. > > Any thoughts ? Look at your Spam Lists setting in MailScanner, so that it doesn't contain any dead BLs (like ORDB:-) Look at spamasssassin separately, as the postfix user.... 
su - postfix -s /bin/bash (you might need to do "sudo -i" to get an interactive root shell first) spamassassin -D --lint 2>&1 |less -e and perhaps spamassassin -D -t < /path/to/a/message The --debug-sa option of MailScanner should work too (always in conjunction with --debug), but I find it useful to keep things separate from time to time. Things to look at: Bayes: that the bayes_seen file hasn't become too massive, that the expire runs complete (no expire files in the bayes directory... Up the SA timeout value in MailScanner if you have them... And perhaps consider moving to a cron'd force expire instead. BL timeouts within SA. Corrupted SpamAssassin results cache (there should be a command analyse_SpamAssassin_cache ... or similar. I'm not near any MailScanner host ATM, and the memory isn't what it used to be... Anyway, find and run that... If it fails, you need to scratch that DB (just remove the file)). ... > Thanks > -Ron (snip) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From Ron.Ghetti at town.barnstable.ma.us Wed Jan 28 21:56:04 2009 
From: Ron.Ghetti at town.barnstable.ma.us (Ghetti, Ron) Date: Wed Jan 28 21:56:37 2009 Subject: debugging Spammassassin Message-ID: <3411CC12BB577F4FAEAC8A694780866B022912D7@ITMAIL.town.barnstable.ma.us> Thanks for the quick reply. -----Original Message----- ... > At Approx 10k messages per day. > Typical day totals > There were 10,767 Total messages Recieved. > There were 4,225 Messages Queued for delivery. > There were 4,328 Messages Delivered. > There were 6,143 messages marked as spam. > Lately though I'm finding the mail queue backed up with messages and > timeouts in the logs. > > Here is some items from running a debug session: > > 10:30:50 Use of uninitialized value in concatenation (.) or string at > /usr/local/share/perl/5.8.8/Mail/SpamAssassin.pm line 1088. > 10:30:50 Use of uninitialized value in concatenation (.) or string at > /usr/local/share/perl/5.8.8/Mail/SpamAssassin.pm line 1090. > 10:30:50 [16928] dbg: config: read_scoreonly_config: cannot open "": No > such file or directory > > 10:31:57 [17013] dbg: rules: meta test DIGEST_MULTIPLE has undefined > dependency 'DCC_CHECK' > LoadPlugin DCC in one of the pre files, perhaps.... > > Probably time for upgrades I imagine but I'd like to determine the > problem before > Throwing upgrades into the mix and possibly creating other issues. > > Any thoughts ? Look at your Spam Lists setting in MailScanner, so that it doesn't contain any dead BLs (like ORDB:-) Look at spamasssassin separately, as the postfix user.... su - postfix -s /bin/bash (you might need do "sudo -i" to get an interactive root shell first) spamassassin -D --lint 2>&1 |less -e and perhaps spamassassin -D -t < /path/to/a/message This is really handy, thank you. The --debug-sa option of MailScanner should work too (always in conjunction with --debug), but I find ituseful to keep things separate from time to time. 
Things to look at: Bayes: that the bayes_seen file hasn't become too massive, that the expire runs complete (no expire files in the bayes directory... It was a fairly large file so deleted. Up the SA timeout value in MailScanner if you have them... Kicked up to 85 seconds, hopefully that is not too much. I can't imagine a batch taking that long... I did also increase the default max batch size to 50 And perhaps consider moving to a cron'd force expire instead. Haven't really seen any issues with this, it expires once a night anyway So I'll probably look elsewhere for now. BL timeouts within SA. Corrupted SpamAssassin results cache (there should be a command analyse_SpamAssassin_cache ... or similar. I'm not near any MailScanner host ATM, and the memory isn't what it used to be... Anyway, find and run that... If it fails, you need to scratch that DB (just remove the file)). > Thanks > -Ron Cheers -- Glenn Much appreciated Glenn, this at least gives me some places to look. The Boss wants to build a new server from scratch to try and solve the Problem. The thing is that it is very busy during the day when the Users are killing it but once they go home at 4:30 it virtually nothing all night. -Ron From glenn.steen at gmail.com Wed Jan 28 22:43:52 2009 
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Jan 28 22:44:01 2009 Subject: debugging Spammassassin In-Reply-To: <3411CC12BB577F4FAEAC8A694780866B022912D7@ITMAIL.town.barnstable.ma.us> References: <3411CC12BB577F4FAEAC8A694780866B022912D7@ITMAIL.town.barnstable.ma.us> Message-ID: <223f97700901281443v61fbec4fp58b1df34ae365dec@mail.gmail.com> 2009/1/28 Ghetti, Ron : > > Thanks for the quick reply. > > -----Original Message----- > ... > >> At Approx 10k messages per day. >> Typical day totals >> There were 10,767 Total messages Recieved. >> There were 4,225 Messages Queued for delivery. >> There were 4,328 Messages Delivered. >> There were 6,143 messages marked as spam. >> Lately though I'm finding the mail queue backed up with messages and >> timeouts in the logs. >> >> Here is some items from running a debug session: >> >> 10:30:50 Use of uninitialized value in concatenation (.) or string at >> /usr/local/share/perl/5.8.8/Mail/SpamAssassin.pm line 1088. >> 10:30:50 Use of uninitialized value in concatenation (.) or string at >> /usr/local/share/perl/5.8.8/Mail/SpamAssassin.pm line 1090. >> 10:30:50 [16928] dbg: config: read_scoreonly_config: cannot open "": > No >> such file or directory >> >> 10:31:57 [17013] dbg: rules: meta test DIGEST_MULTIPLE has undefined >> dependency 'DCC_CHECK' >> > LoadPlugin DCC in one of the pre files, perhaps.... > > >> >> Probably time for upgrades I imagine but I'd like to determine the >> problem before >> Throwing upgrades into the mix and possibly creating other issues. >> >> Any thoughts ? > Look at your Spam Lists setting in MailScanner, so that it doesn't > contain any dead BLs (like ORDB:-) > Look at spamasssassin separately, as the postfix user.... > su - postfix -s /bin/bash > (you might need do "sudo -i" to get an interactive root shell first) > spamassassin -D --lint 2>&1 |less -e > and perhaps spamassassin -D -t < /path/to/a/message > > This is really handy, thank you. 
> > > The --debug-sa option of MailScanner should work too (always in > conjunction with --debug), but I find it useful to keep things separate > from time to time. > > Things to look at: > Bayes: that the bayes_seen file hasn't become too massive, that the > expire runs complete (no expire files in the bayes directory... > > It was a fairly large file so deleted. > > Up the SA timeout value in MailScanner if you have them... > > Kicked up to 85 seconds, hopefully that is not too much. > I can't imagine a batch taking that long... I did also increase the > default max batch size to 50 > Mine is at several hundred seconds (300 IIRC... or 600:-) ... It affects all SA activities within MailScanner, like bayes expiry (which can run for some minutes, if there is a lot to do...). But when you up the batch size from 30 to 50 you really go the wrong way here... It'll make the batches take longer to complete, potentially. I'd revert that change, if I were you;-). > And perhaps consider moving to a cron'd force expire instead. > Haven't really seen any issues with this, it expires once a night anyway > So I'll probably look elsewhere for now. > > > BL timeouts within SA. > Corrupted SpamAssassin results cache (there should be a command > analyse_SpamAssassin_cache ... or similar. I'm not near any MailScanner > host ATM, and the memory isn't what it used to be... Anyway, find and > run that... If it fails, you need to scratch that DB (just remove the > file)). >> Thanks >> -Ron > > Cheers > -- Glenn > > > Much appreciated Glenn, this at least gives me some places to look. > The Boss wants to build a new server from scratch to try and solve the > Problem. The thing is that it is very busy during the day when the > Users are killing it but once they go home at 4:30 it virtually nothing > all night. > > > -Ron > Never pass up a good chance to lay your hands on some better iron:-):-). 
Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ssilva at sgvwater.com Wed Jan 28 23:37:14 2009 From: ssilva at sgvwater.com (Scott Silva) Date: Wed Jan 28 23:37:35 2009 Subject: debugging Spammassassin In-Reply-To: <3411CC12BB577F4FAEAC8A694780866B022912D7@ITMAIL.town.barnstable.ma.us> References: <3411CC12BB577F4FAEAC8A694780866B022912D7@ITMAIL.town.barnstable.ma.us> Message-ID: > > Much appreciated Glenn, this at least gives me some places to look. > The Boss wants to build a new server from scratch to try and solve the > Problem. The thing is that it is very busy during the day when the > Users are killing it but once they go home at 4:30 it virtually nothing > all night. > > Most business use of e-mail is from 8 to 5. But that is also the time that the boss is there yelling at you because the e-mail is too slow! Sooner or later you will be hit with more after hours spam, as it comes from all over the world. You can build a new server, and re-do the old one as a backup or a pre-processor. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From paulo-m-roncon at ptinovacao.pt Thu Jan 29 12:11:49 2009 
From: paulo-m-roncon at ptinovacao.pt (Paulo Roncon) Date: Thu Jan 29 12:12:09 2009 Subject: mailscanner with heavy load In-Reply-To: <200901291202.n0TC0SnN001222@safir.blacknight.ie> References: <200901291202.n0TC0SnN001222@safir.blacknight.ie> Message-ID: Hello everyone, Can you please tell how many msgs/day and Mb/day does your mailscanner filter? I'm designing a large deployment and have some concerns about its capability of handling heavy loads... In my case the box will face about 2MB/s incoming and 60msg/s !! How many servers(HP G5, quadcore, 16RAM) should I install? (not using DCC, Razor, Pyzor.) Thanks! Paulo, Portugal From maillists at conactive.com Thu Jan 29 12:15:00 2009 
From: maillists at conactive.com (Kai Schaetzl) Date: Thu Jan 29 12:15:11 2009 Subject: Suggestions to block big spam messages In-Reply-To: References: Message-ID: Jason Voorhees wrote on Wed, 28 Jan 2009 11:17:04 -0500: > But now I'm seeing that those spam messages are big because their only > content is an image attached or embedded (maybe in html). The image > contains the spam text and its size is about 250-300 KB or bigger. > SpamAssassin would not be able to do detect that image as spam right? If it only gets fed part of it probably not as the image is then cut in half. I actually don't know what MS does in such a situation. e.g. if it detects that the message is encoded and scanning only part of it is of no use or if SA skips binary parts anyway etc. > I think SA could be able to read/detect other parts of the message > like the headers. > So, for this kind of spam would I be forced to use some OCR plugin/tool? Yeah, there are the imageinfo and fuzzy_ocr third-party plugins. I never had to use them. I find that rejecting almost all dialup and bot spam at MTA level also gets rid of most of the "complicated" spam. It might be useful if you could post such a message on your homepage or a pastebin, so one could have a look at it. As I have never seen one of these ... Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From ismail at ismailozatay.net Thu Jan 29 12:18:07 2009 
From: ismail at ismailozatay.net (Ismail OZATAY) Date: Thu Jan 29 12:18:56 2009 Subject: mailscanner with heavy load In-Reply-To: References: <200901291202.n0TC0SnN001222@safir.blacknight.ie> Message-ID: <49819E7F.7000809@ismailozatay.net> Paulo Roncon wrote: > Hello everyone, > > Can you please tell how many msgs/day and Mb/day do your mailscanner filter? > I'm designing a large deployment and have some concerns in its capability of handling heavy loads... > In my case the box will face about 2MB/s incoming and 60msg/s !! > How many servers(HP G5, quadcore, 16RAM) should I install? (not using DCC, Razor, Pyzor.) > > Thanks! > > Paulo, > Portugal > http://wiki.mailscanner.info/doku.php?id=maq:index#setup_examples From Johan at double-l.nl Thu Jan 29 12:19:30 2009 
From: Johan at double-l.nl (Johan Hendriks) Date: Thu Jan 29 12:19:44 2009 Subject: Error after perl5 upgrade 5.8.8 to 5.8.9 on FreeBSD Message-ID: <57200BF94E69E54880C9BB1AF714BBCB5DE4B9@w2003s01.double-l.local> Hello all i am trying to get Mailscanner to work after a perl upgrade on my FreeBSD Machine. The error in my maillog is the following. Jan 16 11:46:03 mailscanner MailScanner[37117]: MailScanner E-Mail Virus >> Jan 16 11:46:03 mailscanner MailScanner[37117]: Could not use Custom >> Function code >> /usr/local/lib/MailScanner/MailScanner/CustomFunctions/DavidHooton.pm, it >> could not be "require"d. Make sure the last line of the file says "1;" >> Jan 16 11:46:03 mailscanner MailScanner[37117]: Could not use Custom >> Function code >> /usr/local/lib/MailScanner/MailScanner/CustomFunctions/SpamWhitelist.pm, it >> could not be "require"d. Make sure the last line of the file says "1;" >> Jan 16 11:46:03 mailscanner MailScanner[37117]: Could not use Custom >> Function code >> /usr/local/lib/MailScanner/MailScanner/CustomFunctions/ZMRouterDirHash.pm, >> it could not be "require"d. Make sure the last line of the file says "1;" >> Jan 16 11:46:03 mailscanner MailScanner[37117]: Could not use Custom >> Function code >> /usr/local/lib/MailScanner/MailScanner/CustomFunctions/CustomAction.pm, it >> could not be "require"d. Make sure the last line of the file says "1;" >> Jan 16 11:46:03 mailscanner MailScanner[37117]: Could not use Custom >> Function code >> /usr/local/lib/MailScanner/MailScanner/CustomFunctions/LastSpam.pm, it could >> not be "require"d. Make sure the last line of the file says "1;" >> Jan 16 11:46:03 mailscanner MailScanner[37117]: Could not use Custom >> Function code >> /usr/local/lib/MailScanner/MailScanner/CustomFunctions/Ruleset-from-Function.pm, >> it could not be "require"d. 
Make sure the last line of the file says "1;" >> Jan 16 11:46:03 mailscanner MailScanner[37117]: Could not use Custom >> Function code >> /usr/local/lib/MailScanner/MailScanner/CustomFunctions/GenericSpamScanner.pm, >> it could not be "require"d. Make sure the last line of the file says "1;" >> Jan 16 11:46:03 mailscanner MailScanner[37117]: Could not use Custom >> Function code >> /usr/local/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm, it >> could not be "require"d. Make sure the last line of the file says "1;" >> Jan 16 11:46:03 mailscanner MailScanner[37117]: Could not use Custom >> Function code >> /usr/local/lib/MailScanner/MailScanner/CustomFunctions/SQLBlackWhiteList.pm, >> it could not be "require"d. Make sure the last line of the file says "1;" >> Jan 16 11:46:03 mailscanner MailScanner[37117]: Could not use Custom >> Function code >> /usr/local/lib/MailScanner/MailScanner/CustomFunctions/SQLSpamSettings.pm, >> it could not be "require"d. Make sure the last line of the file says "1;" >> Jan 16 11:46:03 mailscanner MailScanner[37117]: Could not use Custom >> Function code >> /usr/local/lib/MailScanner/MailScanner/CustomFunctions/MyExample.pm, it >> could not be "require"d. Make sure the last line of the file says "1;" Then I added the -w to the mailscanner file And this is what I get on my console. This is Mailscanner 4.74.16 (trying to make a port myself), the error above happens also with the official port Starting mailscanner. Useless use of hash element in void context at /usr/local/lib/MailScanner/MailScanner/Config.pm line 892. Use of implicit split to @_ is deprecated at /usr/local/lib/MailScanner/MailScanner/Config.pm line 2085. Unquoted string "hostname" may clash with future reserved word at /usr/local/lib/MailScanner/MailScanner/CustomConfig.pm line 300. 
Parameterless "use IO" deprecated at /usr/local/lib/MailScanner/MailScanner/CustomConfig.pm line 749 "my" variable $LimitsH masks earlier declaration in same scope at /usr/local/lib/MailScanner/MailScanner/CustomConfig.pm line 796. Use of implicit split to @_ is deprecated at /usr/local/lib/MailScanner/MailScanner/CustomConfig.pm line 822. Use of implicit split to @_ is deprecated at /usr/local/lib/MailScanner/MailScanner/CustomConfig.pm line 838. Use of uninitialized value in substitution iterator at /usr/local/lib/MailScanner/MailScanner/Config.pm line 674, line 1310. Parameterless "use IO" deprecated at /usr/local/lib/MailScanner/MailScanner/GenericSpam.pm line 39 Parameterless "use IO" deprecated at /usr/local/lib/MailScanner/MailScanner/RBLs.pm line 39 "my" variable $to masks earlier declaration in same scope at /usr/local/lib/MailScanner/MailScanner/MCPMessage.pm line 636. "my" variable $gsreport masks earlier declaration in same scope at /usr/local/lib/MailScanner/MailScanner/Message.pm line 683. "my" variable $to masks earlier declaration in same scope at /usr/local/lib/MailScanner/MailScanner/Message.pm line 1375. "my" variable $to masks earlier declaration in same scope at /usr/local/lib/MailScanner/MailScanner/Message.pm line 1535. "my" variable $to masks earlier declaration in same scope at /usr/local/lib/MailScanner/MailScanner/Message.pm line 5700. "my" variable $to masks earlier declaration in same scope at /usr/local/lib/MailScanner/MailScanner/Message.pm line 5936. "my" variable $to masks earlier declaration in same scope at /usr/local/lib/MailScanner/MailScanner/Message.pm line 6352. Subroutine add_part redefined at /usr/local/lib/MailScanner/MailScanner/Message.pm line 7602. Subroutine extract redefined at /usr/local/lib/MailScanner/MailScanner/Message.pm line 7631. 
Parameterless "use IO" deprecated at /usr/local/lib/MailScanner/MailScanner/MCP.pm line 40 Parameterless "use IO" deprecated at /usr/local/lib/MailScanner/MailScanner/SA.pm line 39 Statement unlikely to be reached at /usr/local/lib/MailScanner/MailScanner/SweepOther.pm line 455. (Maybe you meant system() when you said exec()?) Statement unlikely to be reached at /usr/local/lib/MailScanner/MailScanner/SweepOther.pm line 375. (Maybe you meant system() when you said exec()?) Statement unlikely to be reached at /usr/local/lib/MailScanner/MailScanner/SweepViruses.pm line 1048. (Maybe you meant system() when you said exec()?) "my" variable $LockFile masks earlier declaration in same scope at /usr/local/lib/MailScanner/MailScanner/SweepViruses.pm line 3450. Useless use of not in void context at /usr/local/lib/MailScanner/MailScanner/SweepViruses.pm line 3493. Using a hash as a reference is deprecated at /usr/local/sbin/mailscanner line 546. Duplicate specification "h|H|help" for option "h" Duplicate specification "v|V|version|Version" for option "v" Duplicate specification "v|V|version|Version" for option "version" Duplicate specification "c|C|changed" for option "c" Use of uninitialized value in substitution iterator at /usr/local/lib/MailScanner/MailScanner/Config.pm line 674, line 1310. Use of uninitialized value in substitution iterator at /usr/local/lib/MailScanner/MailScanner/Config.pm line 674, line 1310. Use of uninitialized value in substitution iterator at /usr/local/lib/MailScanner/MailScanner/Config.pm line 674, line 1310. Use of uninitialized value in substitution iterator at /usr/local/lib/MailScanner/MailScanner/Config.pm line 674, line 1310. Use of uninitialized value in substitution iterator at /usr/local/lib/MailScanner/MailScanner/Config.pm line 674, line 1310. Use of uninitialized value in substitution iterator at /usr/local/lib/MailScanner/MailScanner/Config.pm line 674, line 1310. 
"my" variable $line masks earlier declaration in same scope at /usr/local/lib/MailScanner/MailScanner/PFDiskStore.pm line 494. Use of uninitialized value in substitution iterator at /usr/local/lib/MailScanner/MailScanner/Config.pm line 674, line 1310. Use of uninitialized value in substitution iterator at /usr/local/lib/MailScanner/MailScanner/Config.pm line 674, line 1310. Use of uninitialized value in substitution iterator at /usr/local/lib/MailScanner/MailScanner/Config.pm line 674, line 1310. Use of uninitialized value in substitution iterator at /usr/local/lib/MailScanner/MailScanner/Config.pm line 674, line 1310. Use of uninitialized value in substitution iterator at /usr/local/lib/MailScanner/MailScanner/Config.pm line 674, line 1310. Use of uninitialized value in substitution iterator at /usr/local/lib/MailScanner/MailScanner/Config.pm line 674, line 1310. Use of uninitialized value in substitution iterator at /usr/local/lib/MailScanner/MailScanner/Config.pm line 674, line 1310. Use of uninitialized value in substitution iterator at /usr/local/lib/MailScanner/MailScanner/Config.pm line 674, line 1310. Use of uninitialized value in substitution iterator at /usr/local/lib/MailScanner/MailScanner/Config.pm line 674, line 1310. Use of uninitialized value in substitution iterator at /usr/local/lib/MailScanner/MailScanner/Config.pm line 674, line 1310. Use of uninitialized value in substitution iterator at /usr/local/lib/MailScanner/MailScanner/Config.pm line 674, line 1310. Use of uninitialized value in substitution iterator at /usr/local/lib/MailScanner/MailScanner/Config.pm line 674, line 1310. Use of uninitialized value in substitution iterator at /usr/local/lib/MailScanner/MailScanner/Config.pm line 674, line 1310. Use of uninitialized value in substitution iterator at /usr/local/lib/MailScanner/MailScanner/Config.pm line 674, line 1310. Use of uninitialized value in pattern match (m//) at /usr/local/sbin/mailscanner line 706. What can I do to resolve this. 
I have no perl knowledge whatsoever!! Regards, Johan From maxsec at gmail.com Thu Jan 29 12:52:31 2009 
From: maxsec at gmail.com (Martin Hepworth) Date: Thu Jan 29 12:52:40 2009 Subject: Error after perl5 upgrade 5.8.8 to 5.8.9 on FreeBSD In-Reply-To: <57200BF94E69E54880C9BB1AF714BBCB5DE4B9@w2003s01.double-l.local> References: <57200BF94E69E54880C9BB1AF714BBCB5DE4B9@w2003s01.double-l.local> Message-ID: <72cf361e0901290452w58b67688n86ba80e65b7862d1@mail.gmail.com> Someone did the same thing a couple of weeks ago - not sure of the resolution, but should be in the list archives. have you tried reinstalling mailscanner and the perl modules required? -- martin 2009/1/29 Johan Hendriks : > Hello all i am trying to get Mailscanner to work after a perl upgrade on my > FreeBSD Machine. > > > > The error in my maillog is the following. > > > > Jan 16 11:46:03 mailscanner MailScanner[37117]: MailScanner E-Mail Virus > >>> Jan 16 11:46:03 mailscanner MailScanner[37117]: Could not use Custom > >>> Function code > >>> /usr/local/lib/MailScanner/MailScanner/CustomFunctions/DavidHooton.pm, it > >>> could not be "require"d. Make sure the last line of the file says "1;" > >>> Jan 16 11:46:03 mailscanner MailScanner[37117]: Could not use Custom > >>> Function code > >>> /usr/local/lib/MailScanner/MailScanner/CustomFunctions/SpamWhitelist.pm, >>> it > >>> could not be "require"d. Make sure the last line of the file says "1;" > >>> Jan 16 11:46:03 mailscanner MailScanner[37117]: Could not use Custom > >>> Function code > >>> >>> /usr/local/lib/MailScanner/MailScanner/CustomFunctions/ZMRouterDirHash.pm, > >>> it could not be "require"d. Make sure the last line of the file says "1;" > >>> Jan 16 11:46:03 mailscanner MailScanner[37117]: Could not use Custom > >>> Function code > >>> /usr/local/lib/MailScanner/MailScanner/CustomFunctions/CustomAction.pm, >>> it > >>> could not be "require"d. 
Make sure the last line of the file says "1;" > >>> Jan 16 11:46:03 mailscanner MailScanner[37117]: Could not use Custom > >>> Function code > >>> /usr/local/lib/MailScanner/MailScanner/CustomFunctions/LastSpam.pm, it >>> could > >>> not be "require"d. Make sure the last line of the file says "1;" > >>> Jan 16 11:46:03 mailscanner MailScanner[37117]: Could not use Custom > >>> Function code > >>> >>> /usr/local/lib/MailScanner/MailScanner/CustomFunctions/Ruleset-from-Function.pm, > >>> it could not be "require"d. Make sure the last line of the file says >>> "1;" > >>> Jan 16 11:46:03 mailscanner MailScanner[37117]: Could not use Custom > >>> Function code > >>> >>> /usr/local/lib/MailScanner/MailScanner/CustomFunctions/GenericSpamScanner.pm, > >>> it could not be "require"d. Make sure the last line of the file says >>> "1;" > >>> Jan 16 11:46:03 mailscanner MailScanner[37117]: Could not use Custom > >>> Function code > >>> /usr/local/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm, it > >>> could not be "require"d. Make sure the last line of the file says "1;" > >>> Jan 16 11:46:03 mailscanner MailScanner[37117]: Could not use Custom > >>> Function code > >>> >>> /usr/local/lib/MailScanner/MailScanner/CustomFunctions/SQLBlackWhiteList.pm, > >>> it could not be "require"d. Make sure the last line of the file says "1;" > >>> Jan 16 11:46:03 mailscanner MailScanner[37117]: Could not use Custom > >>> Function code > >>> >>> /usr/local/lib/MailScanner/MailScanner/CustomFunctions/SQLSpamSettings.pm, > >>> it could not be "require"d. Make sure the last line of the file says "1;" > >>> Jan 16 11:46:03 mailscanner MailScanner[37117]: Could not use Custom > >>> Function code > >>> /usr/local/lib/MailScanner/MailScanner/CustomFunctions/MyExample.pm, it > >>> could not be "require"d. Make sure the last line of the file says "1;" > > > > > > Then I added the ?w to the mailscanner file > > > > And this is what I get on my console. 
>
> This is Mailscanner 4.74.16 (trying to make a port myself), the error above happens also with the official port
>
> What can I do to resolve this.
>
> I have no perl knowledge what so ever!!
>
> Regards,
>
> Johan

--
Martin Hepworth
Oxford, UK

From shuttlebox at gmail.com Thu Jan 29 12:57:30 2009
From: shuttlebox at gmail.com (shuttlebox)
Date: Thu Jan 29 12:57:40 2009
Subject: Suggestions to block big spam messages
In-Reply-To:
References:
Message-ID: <625385e30901290457x19eae115pba05f9bd2b8dd95d@mail.gmail.com>

On Thu, Jan 29, 2009 at 1:15 PM, Kai Schaetzl wrote:
> If it only gets fed part of it probably not as the image is then cut in
> half. I actually don't know what MS does in such a situation. e.g. if it
> detects that the message is encoded and scanning only part of it is of no
> use or if SA skips binary parts anyway etc.

The comment for Max SpamAssassin Size explains how it works:

# SpamAssassin is not very fast when scanning huge messages, so messages
# bigger than this value will be truncated to this length for SpamAssassin
# testing. The original message will not be affected by this. This value
# is a good compromise as very few spam messages are bigger than this.
#
# Now for the options:
# 1)
# 2) trackback
# 3) continue
#
# 1) Put in a simple number.
# This will be the simple cut-off point for messages that are larger than
# this number.
# 2) Put in a number followed by 'trackback'.
# Once the size limit is reached, MailScanner reverses towards the start
# of the message, until it hits a line that is blank. The message passed
# to SpamAssassin is truncated there. This stops any part-images being
# passed to SpamAssassin, and so avoids rules which trigger on this.
# 3) Put in a number followed by 'continue' followed by another number.
# Once the size limit is reached, MailScanner continues adding to the data
# passed to SpamAssassin, until at most the 2nd number of bytes have been
# added looking for a blank line. This tries to complete the image data
# that has been started when the 1st number of bytes has been reached,
# while imposing a limit on the amount that can be added (to avoid attacks).
#
# If all this confuses you, just leave it alone at "40k" as that is good.
Max SpamAssassin Size = 50000 trackback

--
/peter

From Johan at double-l.nl Thu Jan 29 13:02:03 2009
From: Johan at double-l.nl (Johan Hendriks)
Date: Thu Jan 29 13:02:12 2009
Subject: Error after perl5 upgrade 5.8.8 to 5.8.9 on FreeBSD
References: <57200BF94E69E54880C9BB1AF714BBCB5DE4B9@w2003s01.double-l.local> <72cf361e0901290452w58b67688n86ba80e65b7862d1@mail.gmail.com>
Message-ID: <57200BF94E69E54880C9BB1AF714BBCB5DE4BA@w2003s01.double-l.local>

>Someone did the same thing a couple of weeks ago - not sure of the
>resolution, but should be in the list archives.
>have you tried reinstalling mailscanner and the perl modules required?
>--
>martin

Yes I rebuilt the whole system, even deleted all the ports and did start all over.
Same result

Regards,
Johan

From gesbbb at yahoo.com Thu Jan 29 14:06:52 2009
From: gesbbb at yahoo.com (Jerry)
Date: Thu Jan 29 14:07:16 2009
Subject: Error after perl5 upgrade 5.8.8 to 5.8.9 on FreeBSD
In-Reply-To: <72cf361e0901290452w58b67688n86ba80e65b7862d1@mail.gmail.com>
References: <57200BF94E69E54880C9BB1AF714BBCB5DE4B9@w2003s01.double-l.local> <72cf361e0901290452w58b67688n86ba80e65b7862d1@mail.gmail.com>
Message-ID: <20090129090652.5a2d7413@scorpio>

On Thu, 29 Jan 2009 12:52:31 +0000 Martin Hepworth wrote:

>Someone did the same thing a couple of weeks ago - not sure of the
>resolution, but should be in the list archives.
>
>have you tried reinstalling mailscanner and the perl modules required?

I have seen this method work.

1) Obviously, update your ports tree
2) Install 'portmanager' if it is not already installed.
3) run: portmanager mail/MailScanner -f -l -y

That should correctly update all the requisite files including MailScanner. A log file "/var/log/portmanager.log" will be created. You can check it out to see what was updated/reinstalled.

HTH

--
Jerry
gesbbb@yahoo.com

A light wife doth make a heavy husband.
William Shakespeare, "The Merchant of Venice"

From Ron.Ghetti at town.barnstable.ma.us Thu Jan 29 15:39:30 2009
From: Ron.Ghetti at town.barnstable.ma.us (Ghetti, Ron)
Date: Thu Jan 29 15:40:47 2009
Subject: debugging Spammassassin
Message-ID: <3411CC12BB577F4FAEAC8A694780866B022912DA@ITMAIL.town.barnstable.ma.us>

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen
Sent: Wednesday, January 28, 2009 5:44 PM
To: MailScanner discussion
Subject: Re: debugging Spammassassin

2009/1/28 Ghetti, Ron :
>
> Thanks for the quick reply.
>
> -----Original Message-----
> ...
>
> Kicked up to 85 seconds, hopefully that is not too much.
> I can't imagine a batch taking that long... I did also increase the
> default max batch size to 50
>

Mine is at several hundred seconds (300 IIRC... or 600:-) ... It affects all SA activities within MailScanner, like bayes expiry (which can run for some minutes, if there is a lot to do...). But when you up the batch size from 30 to 50 you really go the wrong way here... It'll make the batches take longer to complete, potentially. I'd revert that change, if I were you;-).

Ok, I see where you are going with this. I'd originally had it lower based on documentation somewhere. What I'm seeing in the logs is the typical batch size of 1 or 2 messages, That struck me as part of the problem. Guess I'll drop that back down to around 20

I see what you mean about time out settings now. Here are some lines from the logs;

Batch (1 message) processed in 62.04 seconds
Batch (1 message) processed in 61.83 seconds
Batch (2 messages) processed in 111.01 seconds
Batch (7 messages) processed in 313.62 seconds
Batch (9 messages) processed in 423.96 seconds
Batch (10 messages) processed in 719.89 seconds

Those do not seem like fast process times to me, Especially since we have had virus scanning turned off since last October.

>
> -Ron
>

Never pass up a good chance to lay your hands on some better iron:-):-).

Agreed, however it is essentially the same class server as what it is running on now. The big change would be moving it from a VM. ( virtual machine ) The advantage with the way it is now is that I can move it to any hardware in a few Moments and cut downtime if we have a failure of some kind.
Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

Thanks Again.
-Ron

From steve.freegard at fsl.com Thu Jan 29 16:14:03 2009
From: steve.freegard at fsl.com (Steve Freegard)
Date: Thu Jan 29 16:14:14 2009
Subject: debugging Spammassassin
In-Reply-To: <3411CC12BB577F4FAEAC8A694780866B022912DA@ITMAIL.town.barnstable.ma.us>
References: <3411CC12BB577F4FAEAC8A694780866B022912DA@ITMAIL.town.barnstable.ma.us>
Message-ID: <4981D5CB.4060702@fsl.com>

Ghetti, Ron wrote:
> Batch (1 message) processed in 62.04 seconds
> Batch (1 message) processed in 61.83 seconds
> Batch (2 messages) processed in 111.01 seconds
> Batch (7 messages) processed in 313.62 seconds
> Batch (9 messages) processed in 423.96 seconds
> Batch (10 messages) processed in 719.89 seconds
>
> Those do not seem like fast process times to me,

Those are the worst times I think I've ever seen. When tuning systems I'm not happy until I have the average time to process a single message to <10 seconds.

Generally batch performance improves the larger the batch; however in your case this doesn't appear to be true - with 10 messages the average is 72 seconds per message!

I'd guess that you've got some serious breakage in SpamAssassin or in your DNS resolver.

Find a message in your quarantine directory then run the following and post the output:

spamassassin -D -p /etc/MailScanner/spam.assassin.prefs.conf < /path/to/quaratined/message

Kind regards,
Steve

From Ron.Ghetti at town.barnstable.ma.us Thu Jan 29 19:16:46 2009
From: Ron.Ghetti at town.barnstable.ma.us (Ghetti, Ron)
Date: Thu Jan 29 19:17:03 2009
Subject: debugging Spammassassin
Message-ID: <3411CC12BB577F4FAEAC8A694780866B022912DD@ITMAIL.town.barnstable.ma.us>

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steve Freegard
Sent: Thursday, January 29, 2009 11:14 AM
To: MailScanner discussion
Subject: Re: debugging Spammassassin

Ghetti, Ron wrote:
> Batch (1 message) processed in 62.04 seconds
> Batch (1 message) processed in 61.83 seconds
> Batch (2 messages) processed in 111.01 seconds
> Batch (7 messages) processed in 313.62 seconds
> Batch (9 messages) processed in 423.96 seconds
> Batch (10 messages) processed in 719.89 seconds
>
> Those do not seem like fast process times to me,

Those are the worst times I think I've ever seen. When tuning systems I'm not happy until I have the average time to process a single message to <10 seconds.

Generally batch performance improves the larger the batch; however in your case this doesn't appear to be true - with 10 messages the average is 72 seconds per message!

I'd guess that you've got some serious breakage in SpamAssassin or in your DNS resolver.

Find a message in your quarantine directory then run the following and post the output:

spamassassin -D -p /etc/MailScanner/spam.assassin.prefs.conf < /path/to/quaratined/message

Kind regards,
Steve

...

Agreed, those process times are crazy, although those are probably some of the worst from yesterday.
It actually went pretty quick on this message.
Ok here it is;
config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/72_active.cf [19873] dbg: config: using "/var/lib/spamassassin/3.002004/updates_spamassassin_org/72_active.cf" for included file [19873] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/72_active.cf [19873] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/72_removed.cf [19873] dbg: config: using "/var/lib/spamassassin/3.002004/updates_spamassassin_org/72_removed.cf" for included file [19873] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/72_removed.cf [19873] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/72_scores.cf [19873] dbg: config: using "/var/lib/spamassassin/3.002004/updates_spamassassin_org/72_scores.cf" for included file [19873] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/72_scores.cf [19873] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/80_additional.cf [19873] dbg: config: using "/var/lib/spamassassin/3.002004/updates_spamassassin_org/80_additional.c f" for included file [19873] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/80_additional.cf [19873] dbg: config: fixed relative path: /etc/mail/spamassassin/VBounce.pm [19873] dbg: plugin: did not register Mail::SpamAssassin::Plugin::VBounce, already registered [19873] dbg: rules: __MO_OL_9B90B merged duplicates: __MO_OL_C65FA [19873] dbg: rules: __XM_OL_22B61 merged duplicates: __XM_OL_A842E [19873] dbg: rules: __MO_OL_07794 merged duplicates: __MO_OL_8627E __MO_OL_F3B05 [19873] dbg: rules: __XM_OL_07794 merged duplicates: __XM_OL_25340 __XM_OL_3857F __XM_OL_4F240 __XM_OL_58CB5 __XM_OL_6554A __XM_OL_812FF __XM_OL_C65FA __XM_OL_CF0C0 __XM_OL_F475E __XM_OL_F6D01 [19873] dbg: rules: FH_MSGID_01C67 merged duplicates: __MSGID_VGA [19873] dbg: rules: FS_NEW_SOFT_UPLOAD 
merged duplicates: HS_SUBJ_NEW_SOFTWARE [19873] dbg: rules: __FH_HAS_XMSMAIL merged duplicates: __HAS_MSMAIL_PRI [19873] dbg: rules: __MO_OL_015D5 merged duplicates: __MO_OL_6554A [19873] dbg: rules: __XM_OL_015D5 merged duplicates: __XM_OL_4BF4C __XM_OL_4EEDB __XM_OL_5B79A __XM_OL_9B90B __XM_OL_ADFF7 __XM_OL_B30D1 __XM_OL_B4B40 __XM_OL_BC7E6 __XM_OL_F3B05 __XM_OL_FF5C8 [19873] dbg: rules: __MO_OL_91287 merged duplicates: __MO_OL_B30D1 __MO_OL_CF0C0 [19873] dbg: rules: KAM_STOCKOTC merged duplicates: KAM_STOCKTIP15 KAM_STOCKTIP20 KAM_STOCKTIP21 KAM_STOCKTIP4 KAM_STOCKTIP6 [19873] dbg: rules: MY_SERVERS_FOUND merged duplicates: __MY_SERVERS_FOUND [19873] dbg: rules: __MO_OL_22B61 merged duplicates: __MO_OL_4F240 __MO_OL_ADFF7 [19873] dbg: rules: __MO_OL_812FF merged duplicates: __MO_OL_BC7E6 [19873] dbg: rules: __MO_OL_25340 merged duplicates: __MO_OL_4EEDB __MO_OL_7533E [19873] dbg: rules: __MO_OL_58CB5 merged duplicates: __MO_OL_B4B40 [19873] dbg: rules: __DOS_HAS_ANY_URI merged duplicates: __HAS_ANY_URI [19873] dbg: rules: __XM_OL_C9068 merged duplicates: __XM_OL_EF20B [19873] dbg: rules: AXB_RCVD_ZOOBSEND merged duplicates: BROKEN_RATWARE_BOM CTYPE_001C_A DEAR_HOMEOWNER DIV_CENTER_A_HREF DRUG_RA_PRICE FM_DDDD_TIMES_2 FM_SEX_HOSTDDDD HS_PHARMA_1 HS_UPLOADED_SOFTWARE OEBOUND STOX_RCVD_N_NN_N URIBL_RHS_ABUSE URIBL_RHS_BOGUSMX URIBL_RHS_DSN URIBL_RHS_POST URIBL_RHS_TLD_WHOIS URIBL_RHS_WHOIS URIBL_XS_SURBL URI_L_PHP XMAILER_MIMEOLE_OL_5E7ED XMAILER_MIMEOLE_OL_C7C33 XMAILER_MIMEOLE_OL_D03AB X_LIBRARY YOUR_CRD_RATING [19873] dbg: rules: __MO_OL_72641 merged duplicates: __MO_OL_A842E [19873] dbg: rules: __MO_OL_F475E merged duplicates: __MO_OL_FF5C8 [19873] dbg: rules: __MO_OL_4BF4C merged duplicates: __MO_OL_F6D01 [19873] dbg: conf: finish parsing [19873] dbg: plugin: Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0x8ff2b50) implements 'finish_parsing_end', priority 0 [19873] dbg: replacetags: replacing tags [19873] dbg: replacetags: done replacing tags [19873] dbg: 
config: using "/root/.spamassassin" for user state dir [19873] dbg: bayes: no dbs present, cannot tie DB R/O: /root/.spamassassin/bayes_toks [19873] dbg: config: score set 1 chosen. [19873] dbg: message: main message type: text/plain [19873] dbg: plugin: Mail::SpamAssassin::Plugin::DNSEval=HASH(0x908d050) implements 'check_start', priority 0 [19873] dbg: bayes: no dbs present, cannot tie DB R/O: /root/.spamassassin/bayes_toks [19873] dbg: plugin: Mail::SpamAssassin::Plugin::Check=HASH(0x9041ba4) implements 'check_main', priority 0 [19873] dbg: conf: trusted_networks are not configured; it is recommended that you configure trusted_networks manually [19873] dbg: metadata: X-Spam-Relays-Trusted: [19873] dbg: metadata: X-Spam-Relays-Untrusted: [19873] dbg: metadata: X-Spam-Relays-Internal: [19873] dbg: metadata: X-Spam-Relays-External: [19873] dbg: plugin: Mail::SpamAssassin::Plugin::RelayCountry=HASH(0x8c69058) implements 'extract_metadata', priority 0 [19873] dbg: metadata: X-Relay-Countries: [19873] dbg: message: ---- MIME PARSER START ---- [19873] dbg: message: parsing normal part [19873] dbg: message: ---- MIME PARSER END ---- [19873] dbg: message: no encoding detected [19873] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8be11a4) implements 'parsed_metadata', priority 0 [19873] dbg: plugin: Mail::SpamAssassin::Plugin::RelayCountry=HASH(0x8c69058) implements 'parsed_metadata', priority 0 [19873] dbg: dns: is_dns_available() last checked 1233255770.0 seconds ago; re-checking [19873] dbg: dns: no ipv6 [19873] dbg: dns: is Net::DNS::Resolver available? yes [19873] dbg: dns: Net::DNS version: 0.63 [19873] dbg: dns: name server: 64.69.96.35, LocalAddr: 0.0.0.0 [19873] dbg: dns: testing resolver nameservers: 64.69.96.35, 172.16.1.28 [19873] dbg: dns: trying (3) sun.com... 
[19873] dbg: dns: looking up NS for 'sun.com' [19873] dbg: dns: NS lookup of sun.com using 64.69.96.35 succeeded => DNS available (set dns_available to override) [19873] dbg: dns: name server: 172.16.1.28, LocalAddr: 0.0.0.0 [19873] dbg: dns: trying (3) akamai.com... [19873] dbg: dns: looking up NS for 'akamai.com' [19873] dbg: dns: NS lookup of akamai.com using 172.16.1.28 succeeded => DNS available (set dns_available to override) [19873] dbg: dns: name server: 172.16.1.28, LocalAddr: 0.0.0.0 [19873] dbg: dns: NS list: 64.69.96.35, 172.16.1.28 [19873] dbg: dns: name server: 64.69.96.35, LocalAddr: 0.0.0.0 [19873] dbg: dns: is DNS available? 1 [19873] dbg: uridnsbl: domains to query: [19873] dbg: dns: checking RBL sa-other.bondedsender.org., set bsp-untrusted [19873] dbg: dns: checking RBL plus.bondedsender.org., set ssc-firsttrusted [19873] dbg: dns: checking RBL combined.njabl.org., set njabl [19873] dbg: dns: checking RBL bl.spamcop.net., set spamcop [19873] dbg: dns: checking RBL dob.sibl.support-intelligence.net., set dob [19873] dbg: dns: checking RBL zen.spamhaus.org., set zen-lastexternal [19873] dbg: dns: checking RBL dnsbl.sorbs.net., set sorbs-lastexternal [19873] dbg: dns: checking RBL dnsbl.sorbs.net., set sorbs [19873] dbg: dns: checking RBL zen.spamhaus.org., set zen-lastexternal [19873] dbg: dns: checking RBL list.dnswl.org., set dnswl-firsttrusted [19873] dbg: dns: checking RBL sa-accredit.habeas.com., set habeas-firsttrusted [19873] dbg: dns: checking RBL list.dsbl.org., set dsbl-lastexternal [19873] dbg: dns: checking RBL sa-trusted.bondedsender.org., set bsp-firsttrusted [19873] dbg: dns: checking RBL zen.spamhaus.org., set zen [19873] dbg: dns: checking RBL iadb.isipp.com., set iadb-firsttrusted [19873] dbg: check: running tests for priority: -1000 [19873] dbg: rules: running head tests; score so far=0 [19873] dbg: rules: compiled head tests [19873] dbg: eval: all '*From' addrs: [19873] dbg: eval: all '*To' addrs: [19873] dbg: rules: running 
body tests; score so far=0 [19873] dbg: rules: compiled body tests [19873] dbg: rules: running uri tests; score so far=0 [19873] dbg: rules: compiled uri tests [19873] dbg: rules: running rawbody tests; score so far=0 [19873] dbg: rules: compiled rawbody tests [19873] dbg: rules: running full tests; score so far=0 [19873] dbg: rules: compiled full tests [19873] dbg: rules: running meta tests; score so far=0 [19873] dbg: rules: compiled meta tests [19873] dbg: check: running tests for priority: -950 [19873] dbg: rules: running head tests; score so far=0 [19873] dbg: rules: compiled head tests [19873] dbg: rules: running body tests; score so far=0 [19873] dbg: rules: compiled body tests [19873] dbg: rules: running uri tests; score so far=0 [19873] dbg: rules: compiled uri tests [19873] dbg: rules: running rawbody tests; score so far=0 [19873] dbg: rules: compiled rawbody tests [19873] dbg: rules: running full tests; score so far=0 [19873] dbg: rules: compiled full tests [19873] dbg: rules: running meta tests; score so far=0 [19873] dbg: rules: compiled meta tests [19873] dbg: check: running tests for priority: -900 [19873] dbg: rules: running head tests; score so far=0 [19873] dbg: rules: compiled head tests [19873] dbg: rules: running body tests; score so far=0 [19873] dbg: rules: compiled body tests [19873] dbg: rules: running uri tests; score so far=0 [19873] dbg: rules: compiled uri tests [19873] dbg: rules: running rawbody tests; score so far=0 [19873] dbg: rules: compiled rawbody tests [19873] dbg: rules: running full tests; score so far=0 [19873] dbg: rules: compiled full tests [19873] dbg: rules: running meta tests; score so far=0 [19873] dbg: rules: compiled meta tests [19873] dbg: check: running tests for priority: -400 [19873] dbg: rules: running head tests; score so far=0 [19873] dbg: rules: compiled head tests [19873] dbg: rules: running body tests; score so far=0 [19873] dbg: rules: compiled body tests [19873] dbg: rules: running uri tests; score so 
far=0 [19873] dbg: rules: compiled uri tests [19873] dbg: rules: running rawbody tests; score so far=0 [19873] dbg: rules: compiled rawbody tests [19873] dbg: rules: running full tests; score so far=0 [19873] dbg: rules: compiled full tests [19873] dbg: rules: running meta tests; score so far=0 [19873] dbg: rules: compiled meta tests [19873] dbg: check: running tests for priority: 0 [19873] dbg: rules: running head tests; score so far=0 [19873] dbg: rules: compiled head tests [19873] dbg: rules: ran header rule MISSING_MID ======> got hit: "UNSET" [19873] dbg: rules: ran header rule __MISSING_REF ======> got hit: "UNSET" [19873] dbg: rules: ran header rule MISSING_DATE ======> got hit: "UNSET" [19873] dbg: spf: checking to see if the message has a Received-SPF header that we can use [19873] dbg: spf: using Mail::SPF for SPF checks [19873] dbg: spf: no suitable relay for spf use found, skipping SPF-helo check [19873] dbg: spf: already checked for Received-SPF headers, proceeding with DNS based checks [19873] dbg: spf: no suitable relay for spf use found, skipping SPF check [19873] dbg: rules: ran eval rule NO_RELAYS ======> got hit (1) [19873] dbg: rules: ran eval rule MISSING_HB_SEP ======> got hit (1) [19873] dbg: rules: ran eval rule HEAD_LONG ======> got hit (1) [19873] dbg: rules: ran eval rule __ENV_AND_HDR_FROM_MATCH ======> got hit (1) [19873] dbg: spf: def_spf_whitelist_from: already checked spf and didn't get pass, skipping whitelist check [19873] dbg: rules: ran eval rule __UNUSABLE_MSGID ======> got hit (1) [19873] dbg: rules: ran eval rule MISSING_HEADERS ======> got hit (1) [19873] dbg: spf: whitelist_from_spf: already checked spf and didn't get pass, skipping whitelist check [19873] dbg: rules: running body tests; score so far=6.582 [19873] dbg: rules: compiled body tests [19873] dbg: rules: running uri tests; score so far=6.582 [19873] dbg: rules: compiled uri tests [19873] dbg: eval: stock info total: 0 [19873] dbg: rules: ran eval rule 
TVD_SPACE_RATIO ======> got hit (1) [19873] dbg: rules: running rawbody tests; score so far=9.481 [19873] dbg: rules: compiled rawbody tests [19873] dbg: rules: running full tests; score so far=9.481 [19873] dbg: rules: compiled full tests [19873] dbg: rules: ran full rule NULL_IN_BODY ======> got hit: "_" [19873] dbg: info: entering helper-app run mode [19873] dbg: info: leaving helper-app run mode [19873] dbg: razor2: part=0 engine=4 contested=0 confidence=0 [19873] dbg: razor2: results: spam? 0 [19873] dbg: razor2: results: engine 8, highest cf score: 0 [19873] dbg: razor2: results: engine 4, highest cf score: 0 [19873] dbg: util: current PATH is: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games [19873] dbg: util: executable for pyzor was found at /usr/bin/pyzor [19873] dbg: pyzor: pyzor is available: /usr/bin/pyzor [19873] dbg: info: entering helper-app run mode [19873] dbg: pyzor: opening pipe: /usr/bin/pyzor check < /tmp/.spamassassin198733DP2fGtmp [19874] dbg: util: setuid: ruid=0 euid=0 [19873] dbg: pyzor: killed stale helper [19874] [19873] dbg: pyzor: [19874] terminated: exit=0x000f [19873] dbg: info: leaving helper-app run mode [19873] dbg: pyzor: check timed out after 3.5 seconds [19873] dbg: rules: running meta tests; score so far=10.97 [19873] dbg: rules: compiled meta tests [19873] dbg: check: running tests for priority: 500 [19873] dbg: dns: harvest_dnsbl_queries [19873] dbg: rules: running head tests; score so far=10.97 [19873] dbg: rules: compiled head tests [19873] dbg: rules: running body tests; score so far=10.97 [19873] dbg: rules: compiled body tests [19873] dbg: rules: running uri tests; score so far=10.97 [19873] dbg: rules: compiled uri tests [19873] dbg: rules: running rawbody tests; score so far=10.97 [19873] dbg: rules: compiled rawbody tests [19873] dbg: rules: running full tests; score so far=10.97 [19873] dbg: rules: compiled full tests [19873] dbg: rules: running meta tests; score so far=10.97 [19873] dbg: 
rules: meta test DIGEST_MULTIPLE has undefined dependency 'DCC_CHECK' [19873] dbg: rules: compiled meta tests [19873] dbg: check: running tests for priority: 1000 [19873] dbg: rules: running head tests; score so far=12.862 [19873] dbg: rules: compiled head tests [19873] dbg: rules: running body tests; score so far=12.862 [19873] dbg: rules: compiled body tests [19873] dbg: rules: running uri tests; score so far=12.862 [19873] dbg: rules: compiled uri tests [19873] dbg: rules: running rawbody tests; score so far=12.862 [19873] dbg: rules: compiled rawbody tests [19873] dbg: rules: running full tests; score so far=12.862 [19873] dbg: rules: compiled full tests [19873] dbg: rules: running meta tests; score so far=12.862 [19873] dbg: rules: compiled meta tests [19873] dbg: plugin: Mail::SpamAssassin::Plugin::AutoLearnThreshold=HASH(0x8fd5798) implements 'autolearn_discriminator', priority 0 [19873] dbg: learn: auto-learn: currently using scoreset 1 [19873] dbg: learn: auto-learn: message score: 12.862, computed score for autolearn: 7.864 [19873] dbg: learn: auto-learn? ham=0.1, spam=12, body-points=7.864, head-points=7.864, learned-points=0 [19873] dbg: learn: auto-learn? no: inside auto-learn thresholds, not considered ham or spam [19873] dbg: check: is spam? 
score=12.862 required=5 [19873] dbg: check: tests=EMPTY_MESSAGE,HEAD_LONG,MISSING_DATE,MISSING_HB_SEP,MISSING_HEADER S,MISSING_MID,MISSING_SUBJECT,NO_HEADERS_MESSAGE,NO_RECEIVED,NO_RELAYS,N ULL_IN_BODY,TVD_SPACE_RATIO [19873] dbg: check: subtests=__ENV_AND_HDR_FROM_MATCH,__MISSING_REF,__UNUSABLE_MSGID Received: from localhost by ISVSPAM with SpamAssassin (version 3.2.4); Thu, 29 Jan 2009 14:02:55 -0500 X-Spam-Flag: YES X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on ISVSPAM X-Spam-Level: ************ X-Spam-Status: Yes, score=12.9 required=5.0 tests=EMPTY_MESSAGE,HEAD_LONG, MISSING_DATE,MISSING_HB_SEP,MISSING_HEADERS,MISSING_MID,MISSING_SUBJECT, NO_HEADERS_MESSAGE,NO_RECEIVED,NO_RELAYS,NULL_IN_BODY,TVD_SPACE_RATIO autolearn=no version=3.2.4 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----------=_4981FD5F.9DC350DA" This is a multi-part message in MIME format. ------------=_4981FD5F.9DC350DA Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit Spam detection software, running on the system "ISVSPAM", has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see y for details. Content preview: [...] 
Content analysis details: (12.9 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 MISSING_MID Missing Message-Id: header 0.0 MISSING_DATE Missing Date: header -0.0 NO_RELAYS Informational: message was not relayed via SMTP 2.5 MISSING_HB_SEP Missing blank line between message header and body 2.5 HEAD_LONG Message headers are very long 1.6 MISSING_HEADERS Missing To: header 2.9 TVD_SPACE_RATIO BODY: TVD_SPACE_RATIO 1.5 NULL_IN_BODY FULL: Message has NUL (ASCII 0) byte in message 1.3 MISSING_SUBJECT Missing Subject: header 0.6 EMPTY_MESSAGE Message appears to have no textual parts and no Subject: text -0.0 NO_RECEIVED Informational: message has no Received headers 0.0 NO_HEADERS_MESSAGE Message appears to be missing most RFC-822 headers ------------=_4981FD5F.9DC350DA Content-Type: message/rfc822; x-spam-type=original Content-Description: original message before SpamAssassin Content-Disposition: inline Content-Transfer-Encoding: 8bit [...] From brent.addis at spit.gen.nz Thu Jan 29 20:18:32 2009 
From: brent.addis at spit.gen.nz (Brent Addis) Date: Thu Jan 29 20:18:51 2009 Subject: mailscanner with heavy load In-Reply-To: <49819E7F.7000809@ismailozatay.net> References: <200901291202.n0TC0SnN001222@safir.blacknight.ie> <49819E7F.7000809@ismailozatay.net> Message-ID: <1233260312.7218.1.camel@baddis-laptop> Those examples are by now quite old (I remember seeing those at least 3 years ago). Does anyone have any real world examples of large scale deployments, using current spam types and newer plugins (ocr scanning etc) on more modern hardware? On Thu, 2009-01-29 at 14:18 +0200, Ismail OZATAY wrote: > Paulo Roncon wrote: > > Hello everyone, > > > > Can you please tell how many msgs/day and Mb/day do your mailscanner filter? > > I'm designing a large deployment and have some concerns in its capability of handling heavy loads... > > In my case the box will face about 2MB/s incoming and 60msg/s !! > > How many servers(HP G5, quadcore, 16RAM) should I install? (not using DCC, Razor, Pyzor.) > > > > Thanks! > > > > Paulo, > > Portugal > > > > http://wiki.mailscanner.info/doku.php?id=maq:index#setup_examples > From glenn.steen at gmail.com Thu Jan 29 20:32:39 2009 From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Jan 29 20:32:49 2009 Subject: debugging Spammassassin In-Reply-To: <3411CC12BB577F4FAEAC8A694780866B022912DD@ITMAIL.town.barnstable.ma.us> References: <3411CC12BB577F4FAEAC8A694780866B022912DD@ITMAIL.town.barnstable.ma.us> Message-ID: <223f97700901291232y62240220lb9760e188665108e@mail.gmail.com> 2009/1/29 Ghetti, Ron : > > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steve > Freegard > Sent: Thursday, January 29, 2009 11:14 AM > To: MailScanner discussion > Subject: Re: debugging Spammassassin > > > Ghetti, Ron wrote: > >> Batch (1 message) processed in 62.04 seconds >> Batch (1 message) processed in 61.83 seconds >> Batch (2 messages) processed in 111.01 seconds >> Batch (7 messages) processed in 313.62 seconds >> Batch (9 messages) processed in 423.96 seconds >> Batch (10 messages) processed in 719.89 seconds >> >> Those do not seem like fast process times to me, > > Those are the worst times I think I've ever seen. When tuning systems > I'm not happy until I have the average time to process a single message > to <10 seconds. > > Generally batch performance improves the larger the batch; however in > your case this doesn't appear to be true - with 10 messages the average > is 72 seconds per message! > > I'd guess that you've got some serious breakage in SpamAssassin or in > your DNS resolver. > > Find a message in your quarantine directory then run the following and > post the output: > > spamassassin -D -p /etc/MailScanner/spam.assassin.prefs.conf < > /path/to/quaratined/message > > Kind regards, > Steve > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > ... > > > Agreed, those process times are crazy, although those are probably > some of the worst from yesterday. > > It actually went pretty quick on this message. > Ok here it is; > (snip) Please do that as the postfix user ("su - postfix -s /bin/bash", then run the command Steve suggested), and post those results. 
Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From shuttlebox at gmail.com Fri Jan 30 08:52:09 2009 From: shuttlebox at gmail.com (shuttlebox) Date: Fri Jan 30 08:52:21 2009 Subject: Anti-spear-phishing sa-update channel In-Reply-To: <496A6779.9040309@coders.co.uk> References: <496A6779.9040309@coders.co.uk> Message-ID: <625385e30901300052v84afcd6vde685c543244f7e4@mail.gmail.com> On Sun, Jan 11, 2009 at 10:41 PM, Matt wrote: > All > > If anyone is interested I have published an sa-update channel which > generates the same rules as Jules' script. > > The channel is > > spear.bastionmail.com I started using it at a client site a week ago and have received four (4) hits so far. :-) What kind of results do others see? -- /peter From t.d.lee at durham.ac.uk Fri Jan 30 09:17:10 2009 
From: t.d.lee at durham.ac.uk (David Lee) Date: Fri Jan 30 09:17:42 2009 Subject: Anti-spear-phishing sa-update channel In-Reply-To: <625385e30901300052v84afcd6vde685c543244f7e4@mail.gmail.com> References: <496A6779.9040309@coders.co.uk> <625385e30901300052v84afcd6vde685c543244f7e4@mail.gmail.com> Message-ID: On Fri, 30 Jan 2009, shuttlebox wrote: > On Sun, Jan 11, 2009 at 10:41 PM, Matt wrote: >> All >> >> If anyone is interested I have published an sa-update channel which >> generates the same rules as Jules' script. >> >> The channel is >> >> spear.bastionmail.com > > I started using it at a client site a week ago and have received four > (4) hits so far. :-) > > What kind of results do others see? Julian: Given that this seems to be stabilising, are you planning to roll it (including the easy-install 'sa-update channel' option) into the next MS release, so it is there, ready to use? Perhaps with an MS.conf (or '/etc/mail/spamassassin/' or similar) option to enable/disable it? -- : David Lee I.T. Service : : Senior Systems Programmer Computer Centre : : UNIX Team Leader Durham University : : South Road : : http://www.dur.ac.uk/t.d.lee/ Durham DH1 3LE : : Phone: +44 191 334 2752 U.K. : From ugob at lubik.ca Fri Jan 30 13:19:50 2009 
From: ugob at lubik.ca (Ugo Bellavance) Date: Fri Jan 30 13:20:13 2009 Subject: mailscanner with heavy load In-Reply-To: References: <200901291202.n0TC0SnN001222@safir.blacknight.ie> Message-ID: Paulo Roncon wrote: > Hello everyone, > > Can you please tell how many msgs/day and Mb/day do your mailscanner filter? > I'm designing a large deployment and have some concerns in its capability of handling heavy loads... > In my case the box will face about 2MB/s incoming and 60msg/s !! > How many servers(HP G5, quadcore, 16RAM) should I install? (not using DCC, Razor, Pyzor.) For one thing if you want to use MailWatch, you'll need a dedicated Postgresql server. Also get the fastest disks you can get (ideally 4 SAS 15K HDD, in RAID10). The DL380 that we've got is a dual 4-core, 6 GB RAM, and its average speed for processing a 30-message batch is around 80s, but I think we never saw it driving 30 messages on all the 15 children at the same time. That means that if most of your traffic is between 8 and 17h, you can theoretically scan 12150 messages/child, during these 9 hours. This is only the part that reaches MailScanner. BarricadeMX kills the rest. We get an average of over 500 000 SMTP connexions/day (6/sec) on our busiest server. You may want to ask FSL's advice as they've seen many different kinds of setups. They may also help get the best results out of your hardware. Regards, Ugo From Ron.Ghetti at town.barnstable.ma.us Fri Jan 30 14:10:32 2009 From: Ron.Ghetti at town.barnstable.ma.us (Ghetti, Ron) Date: Fri Jan 30 14:11:07 2009 Subject: debugging Spammassassin Message-ID: <3411CC12BB577F4FAEAC8A694780866B022912E1@ITMAIL.town.barnstable.ma.us> -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen Sent: Thursday, January 29, 2009 3:33 PM To: MailScanner discussion Subject: Re: debugging Spammassassin 2009/1/29 Ghetti, Ron : > > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steve > Freegard > Sent: Thursday, January 29, 2009 11:14 AM > To: MailScanner discussion > Subject: Re: debugging Spammassassin > > > Ghetti, Ron wrote: > >> Batch (1 message) processed in 62.04 seconds >> Batch (1 message) processed in 61.83 seconds >> Batch (2 messages) processed in 111.01 seconds >> Batch (7 messages) processed in 313.62 seconds >> Batch (9 messages) processed in 423.96 seconds >> Batch (10 messages) processed in 719.89 seconds >> >> Those do not seem like fast process times to me, > > Those are the worst times I think I've ever seen. When tuning systems > I'm not happy until I have the average time to process a single message > to <10 seconds. > > Generally batch performance improves the larger the batch; however in > your case this doesn't appear to be true - with 10 messages the average > is 72 seconds per message! > > I'd guess that you've got some serious breakage in SpamAssassin or in > your DNS resolver. > > Find a message in your quarantine directory then run the following and > post the output: > > spamassassin -D -p /etc/MailScanner/spam.assassin.prefs.conf < > /path/to/quaratined/message > > Kind regards, > Steve > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > ... > > > Agreed, those process times are crazy, although those are probably > some of the worst from yesterday. > > It actually went pretty quick on this message. > Ok here it is; > (snip) Please do that as the postfix user ("su - postfix -s /bin/bash", then run the command Steve suggested), and post those results. ... Ok. I didn't see much difference here and this one also ran fairly quickly I believe. 
-Ron [5464] dbg: logger: adding facilities: all [5464] dbg: logger: logging level is DBG [5464] dbg: generic: SpamAssassin version 3.2.4 [5464] dbg: config: score set 0 chosen. [5464] dbg: util: running in taint mode? yes [5464] dbg: util: taint mode: deleting unsafe environment variables, resetting PATH [5464] dbg: util: PATH included '/usr/local/bin', keeping [5464] dbg: util: PATH included '/usr/bin', keeping [5464] dbg: util: PATH included '/bin', keeping [5464] dbg: util: PATH included '/usr/bin/X11', keeping [5464] dbg: util: PATH included '/usr/games', keeping [5464] dbg: util: final PATH set to: /usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games [5464] dbg: dns: no ipv6 [5464] dbg: dns: is Net::DNS::Resolver available? yes [5464] dbg: dns: Net::DNS version: 0.63 [5464] dbg: config: using "/etc/mail/spamassassin" for site rules pre files [5464] dbg: config: read file /etc/mail/spamassassin/init.pre [5464] dbg: config: read file /etc/mail/spamassassin/v310.pre [5464] dbg: config: read file /etc/mail/spamassassin/v312.pre [5464] dbg: config: read file /etc/mail/spamassassin/v320.pre [5464] dbg: config: using "/var/lib/spamassassin/3.002004" for sys rules pre files [5464] dbg: config: using "/var/lib/spamassassin/3.002004" for default rules dir [5464] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org.cf [5464] dbg: config: using "/etc/mail/spamassassin" for site rules dir [5464] dbg: config: read file /etc/mail/spamassassin/20_vbounce.cf [5464] dbg: config: read file /etc/mail/spamassassin/local.cf [5464] dbg: config: using "/var/spool/postfix/.spamassassin" for user state dir [5464] dbg: config: using "/opt/MailScanner/spam.assassin.prefs.conf" for user prefs file [5464] dbg: config: read file /opt/MailScanner/spam.assassin.prefs.conf [5464] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC [5464] dbg: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC [5464] dbg: plugin: loading 
Mail::SpamAssassin::Plugin::SPF from @INC [5464] dbg: plugin: loading Mail::SpamAssassin::Plugin::RelayCountry from @INC [5464] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC [5464] dbg: razor2: razor2 is available, version 2.81 [5464] dbg: plugin: loading Mail::SpamAssassin::Plugin::Pyzor from @INC [5464] dbg: pyzor: network tests on, attempting Pyzor [5464] dbg: plugin: did not register Mail::SpamAssassin::Plugin::Razor2, already registered [5464] dbg: plugin: loading Mail::SpamAssassin::Plugin::SpamCop from @INC [5464] dbg: reporter: network tests on, attempting SpamCop [5464] dbg: plugin: loading Mail::SpamAssassin::Plugin::AntiVirus from @INC [5464] dbg: plugin: loading Mail::SpamAssassin::Plugin::AWL from @INC [5464] dbg: plugin: loading Mail::SpamAssassin::Plugin::AutoLearnThreshold from @INC [5464] dbg: plugin: loading Mail::SpamAssassin::Plugin::WhiteListSubject from @INC [5464] dbg: plugin: loading Mail::SpamAssassin::Plugin::MIMEHeader from @INC [5464] dbg: plugin: loading Mail::SpamAssassin::Plugin::ReplaceTags from @INC [5464] dbg: plugin: did not register Mail::SpamAssassin::Plugin::RelayCountry, already registered [5464] dbg: plugin: did not register Mail::SpamAssassin::Plugin::SPF, already registered [5464] dbg: plugin: did not register Mail::SpamAssassin::Plugin::URIDNSBL, already registered [5464] dbg: plugin: loading Mail::SpamAssassin::Plugin::Check from @INC [5464] dbg: plugin: loading Mail::SpamAssassin::Plugin::HTTPSMismatch from @INC [5464] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDetail from @INC [5464] dbg: plugin: loading Mail::SpamAssassin::Plugin::Bayes from @INC [5464] dbg: plugin: loading Mail::SpamAssassin::Plugin::BodyEval from @INC [5464] dbg: plugin: loading Mail::SpamAssassin::Plugin::DNSEval from @INC [5464] dbg: plugin: loading Mail::SpamAssassin::Plugin::HTMLEval from @INC [5464] dbg: plugin: loading Mail::SpamAssassin::Plugin::HeaderEval from @INC [5464] dbg: plugin: loading 
Mail::SpamAssassin::Plugin::MIMEEval from @INC [5464] dbg: plugin: loading Mail::SpamAssassin::Plugin::RelayEval from @INC [5464] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIEval from @INC [5464] dbg: plugin: loading Mail::SpamAssassin::Plugin::WLBLEval from @INC [5464] dbg: plugin: loading Mail::SpamAssassin::Plugin::VBounce from @INC [5464] dbg: plugin: loading Mail::SpamAssassin::Plugin::ImageInfo from @INC [5464] dbg: plugin: did not register Mail::SpamAssassin::Plugin::RelayCountry, already registered [5464] dbg: plugin: did not register Mail::SpamAssassin::Plugin::SPF, already registered [5464] dbg: plugin: did not register Mail::SpamAssassin::Plugin::URIDNSBL, already registered [5464] dbg: plugin: did not register Mail::SpamAssassin::Plugin::Razor2, already registered [5464] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/10_default_prefs .cf [5464] dbg: config: using "/var/lib/spamassassin/3.002004/updates_spamassassin_org/10_default_pref s.cf" for included file [5464] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/10_default_prefs .cf [5464] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/20_advance_fee.c f [5464] dbg: config: using "/var/lib/spamassassin/3.002004/updates_spamassassin_org/20_advance_fee. 
cf" for included file [5464] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/20_advance_fee.c f [5464] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/20_body_tests.cf [5464] dbg: config: using "/var/lib/spamassassin/3.002004/updates_spamassassin_org/20_body_tests.c f" for included file [5464] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/20_body_tests.cf [5464] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/20_compensate.cf [5464] dbg: config: using "/var/lib/spamassassin/3.002004/updates_spamassassin_org/20_compensate.c f" for included file [5464] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/20_compensate.cf [5464] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/20_dnsbl_tests.c f [5464] dbg: config: using "/var/lib/spamassassin/3.002004/updates_spamassassin_org/20_dnsbl_tests. 
cf" for included file [5464] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/20_dnsbl_tests.c f [5464] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/20_drugs.cf [5464] dbg: config: using "/var/lib/spamassassin/3.002004/updates_spamassassin_org/20_drugs.cf" for included file [5464] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/20_drugs.cf [5464] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/20_dynrdns.cf [5464] dbg: config: using "/var/lib/spamassassin/3.002004/updates_spamassassin_org/20_dynrdns.cf" for included file [5464] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/20_dynrdns.cf [5464] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/20_fake_helo_tes ts.cf [5464] dbg: config: using "/var/lib/spamassassin/3.002004/updates_spamassassin_org/20_fake_helo_te sts.cf" for included file [5464] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/20_fake_helo_tes ts.cf [5464] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/20_head_tests.cf [5464] dbg: config: using "/var/lib/spamassassin/3.002004/updates_spamassassin_org/20_head_tests.c f" for included file [5464] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/20_head_tests.cf [5464] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/20_html_tests.cf [5464] dbg: config: using "/var/lib/spamassassin/3.002004/updates_spamassassin_org/20_html_tests.c f" for included file [5464] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/20_html_tests.cf [5464] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/20_imageinfo.cf [5464] dbg: config: using 
"/var/lib/spamassassin/3.002004/updates_spamassassin_org/20_imageinfo.cf " for included file [5464] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/20_imageinfo.cf [5464] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/20_meta_tests.cf [5464] dbg: config: using "/var/lib/spamassassin/3.002004/updates_spamassassin_org/20_meta_tests.c f" for included file [5464] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/20_meta_tests.cf [5464] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/20_net_tests.cf [5464] dbg: config: using "/var/lib/spamassassin/3.002004/updates_spamassassin_org/20_net_tests.cf " for included file [5464] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/20_net_tests.cf [5464] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/20_phrases.cf [5464] dbg: config: using "/var/lib/spamassassin/3.002004/updates_spamassassin_org/20_phrases.cf" for included file [5464] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/20_phrases.cf [5464] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/20_porn.cf [5464] dbg: config: using "/var/lib/spamassassin/3.002004/updates_spamassassin_org/20_porn.cf" for included file [5464] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/20_porn.cf [5464] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/20_ratware.cf [5464] dbg: config: using "/var/lib/spamassassin/3.002004/updates_spamassassin_org/20_ratware.cf" for included file [5464] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/20_ratware.cf [5464] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/20_uri_tests.cf [5464] dbg: config: using 
"/var/lib/spamassassin/3.002004/updates_spamassassin_org/20_uri_tests.cf " for included file [5464] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/20_uri_tests.cf [5464] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/20_vbounce.cf [5464] dbg: config: using "/var/lib/spamassassin/3.002004/updates_spamassassin_org/20_vbounce.cf" for included file [5464] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/20_vbounce.cf [5464] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/23_bayes.cf [5464] dbg: config: using "/var/lib/spamassassin/3.002004/updates_spamassassin_org/23_bayes.cf" for included file [5464] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/23_bayes.cf [5464] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/25_accessdb.cf [5464] dbg: config: using "/var/lib/spamassassin/3.002004/updates_spamassassin_org/25_accessdb.cf" for included file [5464] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/25_accessdb.cf [5464] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/25_antivirus.cf [5464] dbg: config: using "/var/lib/spamassassin/3.002004/updates_spamassassin_org/25_antivirus.cf " for included file [5464] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/25_antivirus.cf [5464] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/25_asn.cf [5464] dbg: config: using "/var/lib/spamassassin/3.002004/updates_spamassassin_org/25_asn.cf" for included file [5464] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/25_asn.cf [5464] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/25_dcc.cf [5464] dbg: config: using 
"/var/lib/spamassassin/3.002004/updates_spamassassin_org/25_dcc.cf" for included file [5464] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/25_dcc.cf [5464] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/25_dkim.cf [5464] dbg: config: using "/var/lib/spamassassin/3.002004/updates_spamassassin_org/25_dkim.cf" for included file [5464] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/25_dkim.cf [5464] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/25_domainkeys.cf [5464] dbg: config: using "/var/lib/spamassassin/3.002004/updates_spamassassin_org/25_domainkeys.c f" for included file [5464] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/25_domainkeys.cf [5464] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/25_hashcash.cf [5464] dbg: config: using "/var/lib/spamassassin/3.002004/updates_spamassassin_org/25_hashcash.cf" for included file [5464] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/25_hashcash.cf [5464] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/25_pyzor.cf [5464] dbg: config: using "/var/lib/spamassassin/3.002004/updates_spamassassin_org/25_pyzor.cf" for included file [5464] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/25_pyzor.cf [5464] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/25_razor2.cf [5464] dbg: config: using "/var/lib/spamassassin/3.002004/updates_spamassassin_org/25_razor2.cf" for included file [5464] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/25_razor2.cf [5464] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/25_replace.cf [5464] dbg: config: using 
"/var/lib/spamassassin/3.002004/updates_spamassassin_org/25_replace.cf" for included file [5464] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/25_replace.cf [5464] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/25_spf.cf [5464] dbg: config: using "/var/lib/spamassassin/3.002004/updates_spamassassin_org/25_spf.cf" for included file [5464] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/25_spf.cf [5464] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/25_textcat.cf [5464] dbg: config: using "/var/lib/spamassassin/3.002004/updates_spamassassin_org/25_textcat.cf" for included file [5464] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/25_textcat.cf [5464] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/25_uribl.cf [5464] dbg: config: using "/var/lib/spamassassin/3.002004/updates_spamassassin_org/25_uribl.cf" for included file [5464] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/25_uribl.cf [5464] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/30_text_de.cf [5464] dbg: config: using "/var/lib/spamassassin/3.002004/updates_spamassassin_org/30_text_de.cf" for included file [5464] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/30_text_de.cf [5464] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/30_text_fr.cf [5464] dbg: config: using "/var/lib/spamassassin/3.002004/updates_spamassassin_org/30_text_fr.cf" for included file [5464] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/30_text_fr.cf [5464] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/30_text_it.cf [5464] dbg: config: using 
"/var/lib/spamassassin/3.002004/updates_spamassassin_org/30_text_it.cf" for included file [5464] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/30_text_it.cf [5464] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/30_text_nl.cf [5464] dbg: config: using "/var/lib/spamassassin/3.002004/updates_spamassassin_org/30_text_nl.cf" for included file [5464] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/30_text_nl.cf [5464] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/30_text_pl.cf [5464] dbg: config: using "/var/lib/spamassassin/3.002004/updates_spamassassin_org/30_text_pl.cf" for included file [5464] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/30_text_pl.cf [5464] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/30_text_pt_br.cf [5464] dbg: config: using "/var/lib/spamassassin/3.002004/updates_spamassassin_org/30_text_pt_br.c f" for included file [5464] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/30_text_pt_br.cf [5464] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/50_scores.cf [5464] dbg: config: using "/var/lib/spamassassin/3.002004/updates_spamassassin_org/50_scores.cf" for included file [5464] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/50_scores.cf [5464] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/60_awl.cf [5464] dbg: config: using "/var/lib/spamassassin/3.002004/updates_spamassassin_org/60_awl.cf" for included file [5464] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/60_awl.cf [5464] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/60_shortcircuit. 
cf [5464] dbg: config: using "/var/lib/spamassassin/3.002004/updates_spamassassin_org/60_shortcircuit .cf" for included file [5464] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/60_shortcircuit. cf [5464] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/60_whitelist.cf [5464] dbg: config: using "/var/lib/spamassassin/3.002004/updates_spamassassin_org/60_whitelist.cf " for included file [5464] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/60_whitelist.cf [5464] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/60_whitelist_dk. cf [5464] dbg: config: using "/var/lib/spamassassin/3.002004/updates_spamassassin_org/60_whitelist_dk .cf" for included file [5464] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/60_whitelist_dk. cf [5464] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/60_whitelist_dki m.cf [5464] dbg: config: using "/var/lib/spamassassin/3.002004/updates_spamassassin_org/60_whitelist_dk im.cf" for included file [5464] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/60_whitelist_dki m.cf [5464] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/60_whitelist_spf .cf [5464] dbg: config: using "/var/lib/spamassassin/3.002004/updates_spamassassin_org/60_whitelist_sp f.cf" for included file [5464] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/60_whitelist_spf .cf [5464] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/60_whitelist_sub ject.cf [5464] dbg: config: using "/var/lib/spamassassin/3.002004/updates_spamassassin_org/60_whitelist_su bject.cf" for included file [5464] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/60_whitelist_sub ject.cf [5464] dbg: config: fixed 
relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/72_active.cf [5464] dbg: config: using "/var/lib/spamassassin/3.002004/updates_spamassassin_org/72_active.cf" for included file [5464] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/72_active.cf [5464] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/72_removed.cf [5464] dbg: config: using "/var/lib/spamassassin/3.002004/updates_spamassassin_org/72_removed.cf" for included file [5464] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/72_removed.cf [5464] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/72_scores.cf [5464] dbg: config: using "/var/lib/spamassassin/3.002004/updates_spamassassin_org/72_scores.cf" for included file [5464] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/72_scores.cf [5464] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/80_additional.cf [5464] dbg: config: using "/var/lib/spamassassin/3.002004/updates_spamassassin_org/80_additional.c f" for included file [5464] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/80_additional.cf [5464] dbg: config: fixed relative path: /etc/mail/spamassassin/VBounce.pm [5464] dbg: plugin: did not register Mail::SpamAssassin::Plugin::VBounce, already registered [5464] dbg: rules: __MO_OL_9B90B merged duplicates: __MO_OL_C65FA [5464] dbg: rules: __XM_OL_22B61 merged duplicates: __XM_OL_A842E [5464] dbg: rules: __MO_OL_07794 merged duplicates: __MO_OL_8627E __MO_OL_F3B05 [5464] dbg: rules: __XM_OL_07794 merged duplicates: __XM_OL_25340 __XM_OL_3857F __XM_OL_4F240 __XM_OL_58CB5 __XM_OL_6554A __XM_OL_812FF __XM_OL_C65FA __XM_OL_CF0C0 __XM_OL_F475E __XM_OL_F6D01 [5464] dbg: rules: FH_MSGID_01C67 merged duplicates: __MSGID_VGA [5464] dbg: rules: FS_NEW_SOFT_UPLOAD merged duplicates: 
HS_SUBJ_NEW_SOFTWARE [5464] dbg: rules: __FH_HAS_XMSMAIL merged duplicates: __HAS_MSMAIL_PRI [5464] dbg: rules: __MO_OL_015D5 merged duplicates: __MO_OL_6554A [5464] dbg: rules: __XM_OL_015D5 merged duplicates: __XM_OL_4BF4C __XM_OL_4EEDB __XM_OL_5B79A __XM_OL_9B90B __XM_OL_ADFF7 __XM_OL_B30D1 __XM_OL_B4B40 __XM_OL_BC7E6 __XM_OL_F3B05 __XM_OL_FF5C8 [5464] dbg: rules: __MO_OL_91287 merged duplicates: __MO_OL_B30D1 __MO_OL_CF0C0 [5464] dbg: rules: KAM_STOCKOTC merged duplicates: KAM_STOCKTIP15 KAM_STOCKTIP20 KAM_STOCKTIP21 KAM_STOCKTIP4 KAM_STOCKTIP6 [5464] dbg: rules: MY_SERVERS_FOUND merged duplicates: __MY_SERVERS_FOUND [5464] dbg: rules: __MO_OL_22B61 merged duplicates: __MO_OL_4F240 __MO_OL_ADFF7 [5464] dbg: rules: __MO_OL_812FF merged duplicates: __MO_OL_BC7E6 [5464] dbg: rules: __MO_OL_25340 merged duplicates: __MO_OL_4EEDB __MO_OL_7533E [5464] dbg: rules: __MO_OL_58CB5 merged duplicates: __MO_OL_B4B40 [5464] dbg: rules: __DOS_HAS_ANY_URI merged duplicates: __HAS_ANY_URI [5464] dbg: rules: __XM_OL_C9068 merged duplicates: __XM_OL_EF20B [5464] dbg: rules: AXB_RCVD_ZOOBSEND merged duplicates: BROKEN_RATWARE_BOM CTYPE_001C_A DEAR_HOMEOWNER DIV_CENTER_A_HREF DRUG_RA_PRICE FM_DDDD_TIMES_2 FM_SEX_HOSTDDDD HS_PHARMA_1 HS_UPLOADED_SOFTWARE OEBOUND STOX_RCVD_N_NN_N URIBL_RHS_ABUSE URIBL_RHS_BOGUSMX URIBL_RHS_DSN URIBL_RHS_POST URIBL_RHS_TLD_WHOIS URIBL_RHS_WHOIS URIBL_XS_SURBL URI_L_PHP XMAILER_MIMEOLE_OL_5E7ED XMAILER_MIMEOLE_OL_C7C33 XMAILER_MIMEOLE_OL_D03AB X_LIBRARY YOUR_CRD_RATING [5464] dbg: rules: __MO_OL_72641 merged duplicates: __MO_OL_A842E [5464] dbg: rules: __MO_OL_F475E merged duplicates: __MO_OL_FF5C8 [5464] dbg: rules: __MO_OL_4BF4C merged duplicates: __MO_OL_F6D01 [5464] dbg: conf: finish parsing [5464] dbg: plugin: Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0x8ff16e0) implements 'finish_parsing_end', priority 0 [5464] dbg: replacetags: replacing tags [5464] dbg: replacetags: done replacing tags [5464] dbg: config: using 
"/var/spool/postfix/.spamassassin" for user state dir [5464] dbg: bayes: tie-ing to DB file R/O /var/spool/postfix/.spamassassin/bayes_toks [5464] dbg: bayes: tie-ing to DB file R/O /var/spool/postfix/.spamassassin/bayes_seen [5464] dbg: bayes: found bayes db version 3 [5464] dbg: bayes: DB journal sync: last sync: 1233284350 [5464] dbg: config: using "/var/spool/postfix/.spamassassin" for user state dir [5464] dbg: config: score set 3 chosen. [5464] dbg: message: main message type: text/plain [5464] dbg: plugin: Mail::SpamAssassin::Plugin::DNSEval=HASH(0x908bb98) implements 'check_start', priority 0 [5464] dbg: plugin: Mail::SpamAssassin::Plugin::Check=HASH(0x9040734) implements 'check_main', priority 0 [5464] dbg: conf: trusted_networks are not configured; it is recommended that you configure trusted_networks manually [5464] dbg: metadata: X-Spam-Relays-Trusted: [5464] dbg: metadata: X-Spam-Relays-Untrusted: [5464] dbg: metadata: X-Spam-Relays-Internal: [5464] dbg: metadata: X-Spam-Relays-External: [5464] dbg: plugin: Mail::SpamAssassin::Plugin::RelayCountry=HASH(0x8c67bd8) implements 'extract_metadata', priority 0 [5464] dbg: metadata: X-Relay-Countries: [5464] dbg: message: ---- MIME PARSER START ---- [5464] dbg: message: parsing normal part [5464] dbg: message: ---- MIME PARSER END ---- [5464] dbg: message: no encoding detected [5464] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8bdfd24) implements 'parsed_metadata', priority 0 [5464] dbg: plugin: Mail::SpamAssassin::Plugin::RelayCountry=HASH(0x8c67bd8) implements 'parsed_metadata', priority 0 [5464] dbg: dns: is_dns_available() last checked 1233285225.0 seconds ago; re-checking [5464] dbg: dns: no ipv6 [5464] dbg: dns: is Net::DNS::Resolver available? yes [5464] dbg: dns: Net::DNS version: 0.63 [5464] dbg: dns: name server: 64.69.96.35, LocalAddr: 0.0.0.0 [5464] dbg: dns: testing resolver nameservers: 64.69.96.35, 172.16.1.28 [5464] dbg: dns: trying (3) kernel.org... 
[5464] dbg: dns: looking up NS for 'kernel.org' [5464] dbg: dns: NS lookup of kernel.org using 64.69.96.35 succeeded => DNS available (set dns_available to override) [5464] dbg: dns: name server: 172.16.1.28, LocalAddr: 0.0.0.0 [5464] dbg: dns: trying (3) yahoo.com... [5464] dbg: dns: looking up NS for 'yahoo.com' [5464] dbg: dns: NS lookup of yahoo.com using 172.16.1.28 succeeded => DNS available (set dns_available to override) [5464] dbg: dns: name server: 172.16.1.28, LocalAddr: 0.0.0.0 [5464] dbg: dns: NS list: 64.69.96.35, 172.16.1.28 [5464] dbg: dns: name server: 64.69.96.35, LocalAddr: 0.0.0.0 [5464] dbg: dns: is DNS available? 1 [5464] dbg: uridnsbl: domains to query: [5464] dbg: dns: checking RBL sa-other.bondedsender.org., set bsp-untrusted [5464] dbg: dns: checking RBL plus.bondedsender.org., set ssc-firsttrusted [5464] dbg: dns: checking RBL combined.njabl.org., set njabl [5464] dbg: dns: checking RBL bl.spamcop.net., set spamcop [5464] dbg: dns: checking RBL dob.sibl.support-intelligence.net., set dob [5464] dbg: dns: checking RBL zen.spamhaus.org., set zen-lastexternal [5464] dbg: dns: checking RBL dnsbl.sorbs.net., set sorbs-lastexternal [5464] dbg: dns: checking RBL dnsbl.sorbs.net., set sorbs [5464] dbg: dns: checking RBL zen.spamhaus.org., set zen-lastexternal [5464] dbg: dns: checking RBL list.dnswl.org., set dnswl-firsttrusted [5464] dbg: dns: checking RBL sa-accredit.habeas.com., set habeas-firsttrusted [5464] dbg: dns: checking RBL list.dsbl.org., set dsbl-lastexternal [5464] dbg: dns: checking RBL sa-trusted.bondedsender.org., set bsp-firsttrusted [5464] dbg: dns: checking RBL zen.spamhaus.org., set zen [5464] dbg: dns: checking RBL iadb.isipp.com., set iadb-firsttrusted [5464] dbg: check: running tests for priority: -1000 [5464] dbg: rules: running head tests; score so far=0 [5464] dbg: rules: compiled head tests [5464] dbg: eval: all '*From' addrs: [5464] dbg: eval: all '*To' addrs: [5464] dbg: rules: running body tests; score so far=0 
[5464] dbg: rules: compiled body tests [5464] dbg: rules: running uri tests; score so far=0 [5464] dbg: rules: compiled uri tests [5464] dbg: rules: running rawbody tests; score so far=0 [5464] dbg: rules: compiled rawbody tests [5464] dbg: rules: running full tests; score so far=0 [5464] dbg: rules: compiled full tests [5464] dbg: rules: running meta tests; score so far=0 [5464] dbg: rules: compiled meta tests [5464] dbg: check: running tests for priority: -950 [5464] dbg: rules: running head tests; score so far=0 [5464] dbg: rules: compiled head tests [5464] dbg: rules: running body tests; score so far=0 [5464] dbg: rules: compiled body tests [5464] dbg: rules: running uri tests; score so far=0 [5464] dbg: rules: compiled uri tests [5464] dbg: rules: running rawbody tests; score so far=0 [5464] dbg: rules: compiled rawbody tests [5464] dbg: rules: running full tests; score so far=0 [5464] dbg: rules: compiled full tests [5464] dbg: rules: running meta tests; score so far=0 [5464] dbg: rules: compiled meta tests [5464] dbg: check: running tests for priority: -900 [5464] dbg: rules: running head tests; score so far=0 [5464] dbg: rules: compiled head tests [5464] dbg: rules: running body tests; score so far=0 [5464] dbg: rules: compiled body tests [5464] dbg: rules: running uri tests; score so far=0 [5464] dbg: rules: compiled uri tests [5464] dbg: rules: running rawbody tests; score so far=0 [5464] dbg: rules: compiled rawbody tests [5464] dbg: rules: running full tests; score so far=0 [5464] dbg: rules: compiled full tests [5464] dbg: rules: running meta tests; score so far=0 [5464] dbg: rules: compiled meta tests [5464] dbg: check: running tests for priority: -400 [5464] dbg: rules: running head tests; score so far=0 [5464] dbg: rules: compiled head tests [5464] dbg: rules: running body tests; score so far=0 [5464] dbg: rules: compiled body tests [5464] dbg: rules: running uri tests; score so far=0 [5464] dbg: rules: compiled uri tests [5464] dbg: plugin: 
Mail::SpamAssassin::Plugin::WLBLEval=HASH(0x9174568) implements 'check_wb_list', priority 0 [5464] dbg: bayes: DB journal sync: last sync: 1233284350 [5464] dbg: bayes: corpus size: nspam = 496131, nham = 83421 [5464] dbg: bayes: cannot use bayes on this message; none of the tokens were found in the database [5464] dbg: bayes: not scoring message, returning undef [5464] dbg: bayes: DB expiry: tokens in DB: 122108, Expiry max size: 150000, Oldest atime: 1222602652, Newest atime: 1233284340, Last expire: 1222689088, Current time: 1233285225 [5464] dbg: bayes: DB journal sync: last sync: 1233284350 [5464] dbg: bayes: untie-ing [5464] dbg: rules: running rawbody tests; score so far=0 [5464] dbg: rules: compiled rawbody tests [5464] dbg: rules: running full tests; score so far=0 [5464] dbg: rules: compiled full tests [5464] dbg: rules: running meta tests; score so far=0 [5464] dbg: rules: compiled meta tests [5464] dbg: check: running tests for priority: 0 [5464] dbg: rules: running head tests; score so far=0 [5464] dbg: rules: compiled head tests [5464] dbg: rules: ran header rule MISSING_MID ======> got hit: "UNSET" [5464] dbg: rules: ran header rule __MISSING_REF ======> got hit: "UNSET" [5464] dbg: rules: ran header rule MISSING_DATE ======> got hit: "UNSET" [5464] dbg: spf: checking to see if the message has a Received-SPF header that we can use [5464] dbg: spf: using Mail::SPF for SPF checks [5464] dbg: spf: no suitable relay for spf use found, skipping SPF-helo check [5464] dbg: spf: already checked for Received-SPF headers, proceeding with DNS based checks [5464] dbg: spf: no suitable relay for spf use found, skipping SPF check [5464] dbg: rules: ran eval rule NO_RELAYS ======> got hit (1) [5464] dbg: rules: ran eval rule MISSING_HB_SEP ======> got hit (1) [5464] dbg: rules: ran eval rule HEAD_LONG ======> got hit (1) [5464] dbg: rules: ran eval rule __ENV_AND_HDR_FROM_MATCH ======> got hit (1) [5464] dbg: spf: def_spf_whitelist_from: already checked spf and 
didn't get pass, skipping whitelist check [5464] dbg: rules: ran eval rule __UNUSABLE_MSGID ======> got hit (1) [5464] dbg: rules: ran eval rule MISSING_HEADERS ======> got hit (1) [5464] dbg: spf: whitelist_from_spf: already checked spf and didn't get pass, skipping whitelist check [5464] dbg: rules: running body tests; score so far=6.293 [5464] dbg: rules: compiled body tests [5464] dbg: rules: running uri tests; score so far=6.293 [5464] dbg: rules: compiled uri tests [5464] dbg: eval: stock info total: 0 [5464] dbg: rules: ran eval rule TVD_SPACE_RATIO ======> got hit (1) [5464] dbg: rules: running rawbody tests; score so far=8.512 [5464] dbg: rules: compiled rawbody tests [5464] dbg: rules: running full tests; score so far=8.512 [5464] dbg: rules: compiled full tests [5464] dbg: rules: ran full rule NULL_IN_BODY ======> got hit: "_" [5464] dbg: info: entering helper-app run mode [5464] dbg: info: leaving helper-app run mode [5464] dbg: razor2: part=0 engine=4 contested=0 confidence=0 [5464] dbg: razor2: results: spam? 
0 [5464] dbg: razor2: results: engine 8, highest cf score: 0 [5464] dbg: razor2: results: engine 4, highest cf score: 0 [5464] dbg: util: current PATH is: /usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games [5464] dbg: util: executable for pyzor was found at /usr/bin/pyzor [5464] dbg: pyzor: pyzor is available: /usr/bin/pyzor [5464] dbg: info: entering helper-app run mode [5464] dbg: pyzor: opening pipe: /usr/bin/pyzor check < /tmp/.spamassassin5464hPlpm8tmp [5465] dbg: util: setuid: ruid=104 euid=104 [5464] dbg: pyzor: [5465] finished: exit=0x0100 [5464] dbg: pyzor: got response: 82.94.255.100:24441 (200, 'OK') 0 0 [5464] dbg: info: leaving helper-app run mode [5464] dbg: rules: running meta tests; score so far=10.937 [5464] dbg: rules: compiled meta tests [5464] dbg: check: running tests for priority: 500 [5464] dbg: dns: harvest_dnsbl_queries [5464] dbg: rules: running head tests; score so far=10.937 [5464] dbg: rules: compiled head tests [5464] dbg: rules: running body tests; score so far=10.937 [5464] dbg: rules: compiled body tests [5464] dbg: rules: running uri tests; score so far=10.937 [5464] dbg: rules: compiled uri tests [5464] dbg: rules: running rawbody tests; score so far=10.937 [5464] dbg: rules: compiled rawbody tests [5464] dbg: rules: running full tests; score so far=10.937 [5464] dbg: rules: compiled full tests [5464] dbg: rules: running meta tests; score so far=10.937 [5464] dbg: rules: meta test DIGEST_MULTIPLE has undefined dependency 'DCC_CHECK' [5464] dbg: rules: compiled meta tests [5464] dbg: check: running tests for priority: 1000 [5464] dbg: rules: running head tests; score so far=14.138 [5464] dbg: rules: compiled head tests [5464] dbg: rules: running body tests; score so far=14.138 [5464] dbg: rules: compiled body tests [5464] dbg: rules: running uri tests; score so far=14.138 [5464] dbg: rules: compiled uri tests [5464] dbg: rules: running rawbody tests; score so far=14.138 [5464] dbg: rules: compiled rawbody tests [5464] dbg: rules: 
running full tests; score so far=14.138 [5464] dbg: rules: compiled full tests [5464] dbg: rules: running meta tests; score so far=14.138 [5464] dbg: rules: compiled meta tests [5464] dbg: plugin: Mail::SpamAssassin::Plugin::AutoLearnThreshold=HASH(0x8fd4310) implements 'autolearn_discriminator', priority 0 [5464] dbg: learn: auto-learn: currently using scoreset 3, recomputing score based on scoreset 1 [5464] dbg: learn: auto-learn: message score: 14.138, computed score for autolearn: 7.864 [5464] dbg: learn: auto-learn? ham=0.1, spam=12, body-points=7.864, head-points=7.864, learned-points=0 [5464] dbg: learn: auto-learn? no: inside auto-learn thresholds, not considered ham or spam [5464] dbg: check: is spam? score=14.138 required=5 [5464] dbg: check: tests=EMPTY_MESSAGE,HEAD_LONG,MISSING_DATE,MISSING_HB_SEP,MISSING_HEADER S,MISSING_MID,MISSING_SUBJECT,NO_HEADERS_MESSAGE,NO_RECEIVED,NO_RELAYS,N ULL_IN_BODY,TVD_SPACE_RATIO [5464] dbg: check: subtests=__ENV_AND_HDR_FROM_MATCH,__MISSING_REF,__UNUSABLE_MSGID Received: from localhost by ISVSPAM with SpamAssassin (version 3.2.4); Thu, 29 Jan 2009 22:13:46 -0500 X-Spam-Flag: YES X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on ISVSPAM X-Spam-Level: ************** X-Spam-Status: Yes, score=14.1 required=5.0 tests=EMPTY_MESSAGE,HEAD_LONG, MISSING_DATE,MISSING_HB_SEP,MISSING_HEADERS,MISSING_MID,MISSING_SUBJECT, NO_HEADERS_MESSAGE,NO_RECEIVED,NO_RELAYS,NULL_IN_BODY,TVD_SPACE_RATIO autolearn=no version=3.2.4 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----------=_4982706A.8EEE0006" This is a multi-part message in MIME format. ------------=_4982706A.8EEE0006 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit Spam detection software, running on the system "ISVSPAM", has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. 
If you have any questions, see y for details.

Content preview: [...]

Content analysis details: (14.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 MISSING_MID            Missing Message-Id: header
 0.0 MISSING_DATE           Missing Date: header
-0.0 NO_RELAYS              Informational: message was not relayed via SMTP
 2.5 MISSING_HB_SEP         Missing blank line between message header and body
 2.5 HEAD_LONG              Message headers are very long
 1.3 MISSING_HEADERS        Missing To: header
 2.2 TVD_SPACE_RATIO        BODY: TVD_SPACE_RATIO
 2.4 NULL_IN_BODY           FULL: Message has NUL (ASCII 0) byte in message
 1.8 MISSING_SUBJECT        Missing Subject: header
 1.4 EMPTY_MESSAGE          Message appears to have no textual parts and no
                            Subject: text
-0.0 NO_RECEIVED            Informational: message has no Received headers
 0.0 NO_HEADERS_MESSAGE     Message appears to be missing most RFC-822 headers

------------=_4982706A.8EEE0006
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

[...]

From NWL002 at shsu.edu Fri Jan 30 14:25:56 2009
From: NWL002 at shsu.edu (Laskie, Norman)
Date: Fri Jan 30 14:26:27 2009
Subject: Anti-spear-phishing sa-update channel
In-Reply-To: <625385e30901300052v84afcd6vde685c543244f7e4@mail.gmail.com>
References: <496A6779.9040309@coders.co.uk>
	<625385e30901300052v84afcd6vde685c543244f7e4@mail.gmail.com>
Message-ID: <8FAC1E47484E43469AA28DBF35C955E42053248C69@EXMBX.SHSU.EDU>

I haven't *seen* any hits. The "SpamAssassin Rule Actions" I setup does not deliver the message to the end user and forwards to the postmaster account which has an outlook rule dumping messages into a specific folder. Running a MailWatch query to verify not seeing any hits.

Thanks,
Norman

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of shuttlebox
Sent: Friday, January 30, 2009 2:52 AM
To: MailScanner discussion
Subject: Re: Anti-spear-phishing sa-update channel

On Sun, Jan 11, 2009 at 10:41 PM, Matt wrote:
> All
>
> If anyone is interested I have published an sa-update channel which
> generates the same rules as Jules' script.
>
> The channel is
>
> spear.bastionmail.com

I started using it at a client site a week ago and have received four (4) hits so far. :-)

What kind of results do others see?

--
/peter
--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From maillists at conactive.com Fri Jan 30 15:31:14 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri Jan 30 15:31:26 2009
Subject: Anti-spear-phishing sa-update channel
In-Reply-To: <8FAC1E47484E43469AA28DBF35C955E42053248C69@EXMBX.SHSU.EDU>
References: <496A6779.9040309@coders.co.uk>
	<625385e30901300052v84afcd6vde685c543244f7e4@mail.gmail.com>
	<8FAC1E47484E43469AA28DBF35C955E42053248C69@EXMBX.SHSU.EDU>
Message-ID:

Norman Laskie wrote on Fri, 30 Jan 2009 08:25:56 -0600:

> I haven't *seen* any hits. The "SpamAssassin Rule Actions" I setup
> does not deliver the message to the end user and forwards to the postmaster
> account which has an outlook rule dumping messages into a specific
> folder. Running a MailWatch query to verify not seeing any hits.

You won't see many hits if you do a lot of rejects at MTA level.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From shuttlebox at gmail.com Fri Jan 30 15:55:20 2009
From: shuttlebox at gmail.com (shuttlebox)
Date: Fri Jan 30 15:55:29 2009
Subject: Anti-spear-phishing sa-update channel
In-Reply-To:
References: <496A6779.9040309@coders.co.uk>
	<625385e30901300052v84afcd6vde685c543244f7e4@mail.gmail.com>
	<8FAC1E47484E43469AA28DBF35C955E42053248C69@EXMBX.SHSU.EDU>
Message-ID: <625385e30901300755n3ecc3e0dyd562f3704c82c023@mail.gmail.com>

On Fri, Jan 30, 2009 at 4:31 PM, Kai Schaetzl wrote:
> You won't see many hits if you do a lot of rejects at MTA level.

I use milter-greylist which cuts about 80% of incoming mail but even compared to other SA rules it's barely any hits. This is a couple of rules from one server today:

861 RAZOR2
766 DCC
279 JM_SOUGHT
1 JKF_ANTI_PHISH

Could it be that this was one of those spam techniques that just passed by very quickly? For you who have been running it longer than me, did you see more hits earlier? Or are these spam hit harder by greylisting for some reason?

--
/peter

From paulo-m-roncon at ptinovacao.pt Fri Jan 30 16:01:42 2009
From: paulo-m-roncon at ptinovacao.pt (Paulo Roncon)
Date: Fri Jan 30 16:02:02 2009
Subject: mailscanner with heavy load
In-Reply-To: <200901301202.n0UC0MkT026572@safir.blacknight.ie>
References: <200901301202.n0UC0MkT026572@safir.blacknight.ie>
Message-ID:

Brent: that's exactly the reason why I questioned the list. I would like to know real world up-to-date examples of heavy use.

----------------------------------------------------------------------

Message: 1
Date: Fri, 30 Jan 2009 09:18:32 +1300
From: Brent Addis
Subject: Re: mailscanner with heavy load
To: MailScanner discussion
Message-ID: <1233260312.7218.1.camel@baddis-laptop>
Content-Type: text/plain; charset="us-ascii"

Those examples are by now quite old (I remember seeing those at least 3 years ago)

Does anyone have any real world examples of large scale deployments, using current spam types and newer plugins (ocr scanning etc) on more modern hardware?

On Thu, 2009-01-29 at 14:18 +0200, Ismail OZATAY wrote:

> Paulo Roncon wrote:
> > Hello everyone,
> >
> > Can you please tell how many msgs/day and Mb/day do your mailscanner filter?
> > I'm designing a large deployment and have some concerns in its capability of handling heavy loads...
> > In my case the box will face about 2MB/s incoming and 60msg/s !!
> > How many servers(HP G5, quadcore, 16RAM) should I install? (not using DCC, Razor, Pyzor.)
> >
> > Thanks!
> >
> > Paulo,
> > Portugal
> >

**************

From ljosnet at gmail.com Fri Jan 30 16:05:23 2009
From: ljosnet at gmail.com (Ljósnet)
Date: Fri Jan 30 16:05:33 2009
Subject: Error after perl5 upgrade 5.8.8 to 5.8.9 on FreeBSD
In-Reply-To: <20090129090652.5a2d7413@scorpio>
References: <57200BF94E69E54880C9BB1AF714BBCB5DE4B9@w2003s01.double-l.local>
	<72cf361e0901290452w58b67688n86ba80e65b7862d1@mail.gmail.com>
	<20090129090652.5a2d7413@scorpio>
Message-ID: <910ee2ac0901300805u64c525f0l32b57df8cde0ee20@mail.gmail.com>

Execute the perl-after-upgrade command.

On Thu, Jan 29, 2009 at 2:06 PM, Jerry wrote:
> On Thu, 29 Jan 2009 12:52:31 +0000
> Martin Hepworth wrote:
>
>>Someone did the same thing a couple of weeks ago - not sure of the
>>resolution, but should be in the list archives.
>>
>>have you tried reinstalling mailscanner and the perl modules required?
>
> I have seen this method work.
>
> 1) Obviously, update your ports tree
>
> 2) Install 'portmanager' if it is not already installed.
>
> 3) run: portmanager mail/MailScanner -f -l -y
>
> That should correctly update all the requisite files including
> MailScanner.
>
> A log file "/var/log/portmanager.log" will be created. You can check it
> out to see what was updated/reinstalled.
>
> HTH
>
> --
> Jerry
> gesbbb@yahoo.com
>
> A light wife doth make a heavy husband.
>
> William Shakespeare, "The Merchant of Venice"
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>

From ssilva at sgvwater.com Fri Jan 30 16:32:04 2009
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Jan 30 16:32:22 2009
Subject: Anti-spear-phishing sa-update channel
In-Reply-To: <625385e30901300052v84afcd6vde685c543244f7e4@mail.gmail.com>
References: <496A6779.9040309@coders.co.uk>
	<625385e30901300052v84afcd6vde685c543244f7e4@mail.gmail.com>
Message-ID:

on 1-30-2009 12:52 AM shuttlebox spake the following:
> On Sun, Jan 11, 2009 at 10:41 PM, Matt wrote:
>> All
>>
>> If anyone is interested I have published an sa-update channel which
>> generates the same rules as Jules' script.
>>
>> The channel is
>>
>> spear.bastionmail.com
>
> I started using it at a client site a week ago and have received four
> (4) hits so far. :-)
>
> What kind of results do others see?
>
I haven't seen any hits and I added this when it came out weeks ago. I am probably killing all the junk it might have caught with blacklists at the MTA.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 258 bytes
Desc: OpenPGP digital signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090130/fe475da5/signature.bin

From ssilva at sgvwater.com Fri Jan 30 16:34:36 2009
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Jan 30 16:35:12 2009
Subject: Anti-spear-phishing sa-update channel
In-Reply-To: <625385e30901300755n3ecc3e0dyd562f3704c82c023@mail.gmail.com>
References: <496A6779.9040309@coders.co.uk>
	<625385e30901300052v84afcd6vde685c543244f7e4@mail.gmail.com>
	<8FAC1E47484E43469AA28DBF35C955E42053248C69@EXMBX.SHSU.EDU>
	<625385e30901300755n3ecc3e0dyd562f3704c82c023@mail.gmail.com>
Message-ID:

on 1-30-2009 7:55 AM shuttlebox spake the following:
> On Fri, Jan 30, 2009 at 4:31 PM, Kai Schaetzl wrote:
>> You won't see many hits if you do a lot of rejects at MTA level.
>
> I use milter-greylist which cuts about 80% of incoming mail but even
> compared to other SA rules it's barely any hits. This is a couple of
> rules from one server today:
>
> 861 RAZOR2
> 766 DCC
> 279 JM_SOUGHT
> 1 JKF_ANTI_PHISH
>
> Could it be that this was one of those spam techniques that just
> passed by very quickly? For you who have been running it longer than
> me, did you see more hits earlier? Or are these spam hit harder by
> greylisting for some reason?
>
I'm pretty sure that other anti-bot techniques like greylisting or sendmail's greetpause, and some of the better blacklists are just catching this stuff pre-spamassassin. Either way, dead is dead, and I am happy to NOT see it!

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 258 bytes
Desc: OpenPGP digital signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090130/d4bb4700/signature.bin

From brent.addis at spit.gen.nz Fri Jan 30 22:49:51 2009
From: brent.addis at spit.gen.nz (Brent Addis)
Date: Fri Jan 30 22:50:05 2009
Subject: mailscanner with heavy load
In-Reply-To:
References:
Message-ID:

I'm running a largeish number of servers in a few locations sharing the load.

All are DL140 G2's with single Dual core 2.8 ghz Xeons and 2G of ram.

Latest Mailscanner, Latest spamassassin and a range of plugins including OCR and PDF scanning.

Currently processing around 10,000 messages (Fluctuates up and down a lot due to businesses behind them)

The servers generally have a load of 0.1, and take 18 - 24 seconds per batch of 10 (Queue rarely goes above this). They are really not busy, and could probably take up to 40 thousand messages a day each before more cpu and/or ram is needed.

On Fri, 30 Jan 2009 16:01:42 +0000, Paulo Roncon wrote:
> Brent: that's exactly the reason why I questioned the list. I would like to
> know real world up-to-date examples of heavy use.
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 30 Jan 2009 09:18:32 +1300
> From: Brent Addis
> Subject: Re: mailscanner with heavy load
> To: MailScanner discussion
> Message-ID: <1233260312.7218.1.camel@baddis-laptop>
> Content-Type: text/plain; charset="us-ascii"
>
> Those examples are by now quite old (I remember seeing those at least 3
> years ago)
>
> Does anyone have any real world examples of large scale deployments,
> using current spam types and newer plugins (ocr scanning etc) on more
> modern hardware?
>
> On Thu, 2009-01-29 at 14:18 +0200, Ismail OZATAY wrote:
>
>> Paulo Roncon wrote:
>> > Hello everyone,
>> >
>> > Can you please tell how many msgs/day and Mb/day do your mailscanner filter?
>> > I'm designing a large deployment and have some concerns in its capability of handling heavy loads...
>> > In my case the box will face about 2MB/s incoming and 60msg/s !!
>> > How many servers(HP G5, quadcore, 16RAM) should I install? (not using DCC, Razor, Pyzor.)
>> >
>> > Thanks!
>> >
>> > Paulo,
>> > Portugal
>> >
>>
> **************
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From davejones70 at gmail.com Sat Jan 31 11:56:13 2009
From: davejones70 at gmail.com (Dave Jones)
Date: Sat Jan 31 11:56:22 2009
Subject: Disable MCP notifications for High Spam
Message-ID: <67a55ed50901310356m5478f0c9mb333092cce6881b4@mail.gmail.com>

Does anyone have any ideas how the MCP notifications can be disabled for High Scoring Spam? The High Spam is getting caught and deleted but when it also hits the MCP threshold, the user is getting the recipient.mcp.report.txt notification. There are lots of High Spam that will hit common profanity checks in MCP.

I found a thread in the maillist archives on "MCP/SPAM Actions" saying that delete is the last action taken so the MCP notify takes precedence. However, I was wondering if there are some recent feature additions that will allow me to override this now.

High Scoring Spam Actions = delete
MCP Actions = store notify
High Scoring MCP Actions = store notify

--
Dave Jones

From maxsec at gmail.com Sat Jan 31 15:11:49 2009
From: maxsec at gmail.com (Martin Hepworth)
Date: Sat Jan 31 15:11:58 2009
Subject: mailscanner with heavy load
In-Reply-To:
References:
Message-ID: <72cf361e0901310711v4efbffb0sd24b35b38a49a523@mail.gmail.com>

2009/1/30 Brent Addis :
> I'm running a largeish number of servers in a few locations sharing the load.
>
> All are DL140 G2's with single Dual core 2.8 ghz Xeons and 2G of ram.
>
> Latest Mailscanner, Latest spamassassin and a range of plugins including OCR and PDF scanning.
>
> Currently processing around 10,000 messages (Fluctuates up and down a lot due to businesses behind them)
>
> The servers generally have a load of 0.1, and take 18 - 24 seconds per batch of 10 (Queue rarely goes above this). They are really not busy, and could probably take up to 40 thousand messages a day each before more cpu and/or ram is needed.
>
> On Fri, 30 Jan 2009 16:01:42 +0000, Paulo Roncon wrote:
>> Brent: that's exactly the reason why I questioned the list. I would like to
>> know real world up-to-date examples of heavy use.
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Fri, 30 Jan 2009 09:18:32 +1300
>> From: Brent Addis
>> Subject: Re: mailscanner with heavy load
>> To: MailScanner discussion
>> Message-ID: <1233260312.7218.1.camel@baddis-laptop>
>> Content-Type: text/plain; charset="us-ascii"
>>
>> Those examples are by now quite old (I remember seeing those at least 3
>> years ago)
>>
>> Does anyone have any real world examples of large scale deployments,
>> using current spam types and newer plugins (ocr scanning etc) on more
>> modern hardware?
>>
>> On Thu, 2009-01-29 at 14:18 +0200, Ismail OZATAY wrote:
>>
>>> Paulo Roncon wrote:
>>> > Hello everyone,
>>> >
>>> > Can you please tell how many msgs/day and Mb/day do your mailscanner filter?
>>> > I'm designing a large deployment and have some concerns in its capability of handling heavy loads...
>>> > In my case the box will face about 2MB/s incoming and 60msg/s !!
>>> > How many servers(HP G5, quadcore, 16RAM) should I install? (not using DCC, Razor, Pyzor.)
>>> >
>>> > Thanks!
>>> >
>>> > Paulo,
>>> > Portugal
>>> >
>>>
>> **************
>> --
>> MailScanner mailing list
>> mailscanner@lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

hardly 'heavy load'. I think we're talking in the 500,000 messages per day for this.

my old 900mhz celeron used to handle 10k messages a day without any problems.

--
Martin Hepworth
Oxford, UK

From steve.freegard at fsl.com Sat Jan 31 18:53:32 2009
From: steve.freegard at fsl.com (Steve Freegard)
Date: Sat Jan 31 18:53:42 2009
Subject: mailscanner with heavy load
In-Reply-To: <72cf361e0901310711v4efbffb0sd24b35b38a49a523@mail.gmail.com>
References: <72cf361e0901310711v4efbffb0sd24b35b38a49a523@mail.gmail.com>
Message-ID: <49849E2C.3020606@fsl.com>

Martin Hepworth wrote:
>>> From: Brent Addis
>>>
>>> Those examples are by now quite old (I remember seeing those at least 3
>>> years ago)
>>>
>>> Does anyone have any real world examples of large scale deployments,
>>> using current spam types and newer plugins (ocr scanning etc) on more
>>> modern hardware?

Current spam types don't require OCR; Image spam isn't common any more.

>>>> Paulo Roncon wrote:
>>>>> Hello everyone,
>>>>>
>>>>> Can you please tell how many msgs/day and Mb/day do your mailscanner filter?
>>>>> I'm designing a large deployment and have some concerns in its capability of handling heavy loads...
>>>>> In my case the box will face about 2MB/s incoming and 60msg/s !!
>>>>> How many servers(HP G5, quadcore, 16RAM) should I install? (not using DCC, Razor, Pyzor.)
>>>>> Thanks!

60 message/sec == 518,400 messages per day.

The key metric for MailScanner is the average time to scan a single message; on a tuned system this can take anywhere between 1 and 8 seconds maximum depending on the message. This includes SA (with compiled rulesets), ClamAV, FProt6, Razor2, DCC and all the default DNSBL/URIBL lookups in SA and writing the data to MailWatch.

Disabling DCC, Razor2 and all untrusted DNSBLs would decrease the scan time considerably.

Note that to get reasonable scan times you *cannot* use *any* command-line virus scanner that doesn't use sockets or a persistent daemon.

If you base the default at 8 seconds per message (which is super-conservative) then:

1 child can process 10,800 msgs/day, therefore you would require ~47 MailScanner children to process 500,000 messages per day.

Based on the tuning metric of 5 children per GB RAM and per CPU - you would need 10 CPUs and 10Gb RAM minimum to process that load based on a default configuration.

So three boxes of that specification would suffice to handle the required load with some overhead to spare.
You would also need to make sure each box got an equal load of the input messages, so some sort of load balancer would be required.

I would also recommend buying Spamhaus, URIBL and SURBL datafeeds and run rbldnsd locally on your network as you will be way over the threshold to use the public mirrors - this will also prevent the lookups from hurting the scan performance adversely.

I seriously recommend looking at my firm's BarricadeMX product which can sit in front of MailScanner and reduce the message input to your MTA and into MailScanner considerably to avoid any nasty spikes, improve efficiency and performance and catch-rate.

Hope that gives you a rough guide.

Kind regards,
Steve.

--
Steve Freegard
Development Director
Fort Systems Ltd.
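
The sizing steps in Steve Freegard's message above, carried through as a small calculator. This is an added example, not code from the post or from MailScanner: the function and field names are hypothetical, the box is taken as 4 cores and 16 GB from the question, and `sustained_rate` and `backlog_after_burst` extend the same per-child model beyond what the post computes. `size_cluster` takes a daily volume; `msgs_per_day` converts a sustained per-second rate.

```python
import math
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400


@dataclass(frozen=True)
class Plan:
    msgs_per_child_per_day: int  # one child scanning back to back for 24 h
    children: int                # MailScanner children needed for the volume
    min_cpus: int                # from the children-per-CPU rule
    min_ram_gb: int              # from the children-per-GB rule
    children_per_box: int        # limited by whichever of CPU or RAM is scarcer
    boxes: int
    sustained_rate: float        # msg/s with every child on every box busy


def msgs_per_day(rate_per_sec):
    """Daily volume of a rate that is held for a full 24 hours."""
    return round(rate_per_sec * SECONDS_PER_DAY)


def size_cluster(daily_msgs, scan_secs, box_cpus, box_ram_gb, children_per_unit=5):
    """Per-child capacity -> children -> minimum CPUs and RAM -> boxes."""
    if daily_msgs <= 0 or not 0 < scan_secs <= SECONDS_PER_DAY:
        raise ValueError("daily volume and scan time must be positive")
    if min(box_cpus, box_ram_gb) < 1:
        raise ValueError("a box needs at least one CPU and 1 GB of RAM")
    per_child = int(SECONDS_PER_DAY / scan_secs)
    children = math.ceil(daily_msgs / per_child)
    units = math.ceil(children / children_per_unit)  # same count for CPUs and GB
    per_box = children_per_unit * min(box_cpus, box_ram_gb)
    boxes = math.ceil(children / per_box)
    return Plan(per_child, children, units, units, per_box, boxes,
                boxes * per_box / scan_secs)


def backlog_after_burst(plan, burst_rate, burst_secs):
    """Messages still queued when a burst above the sustained rate ends."""
    return max(0, math.ceil((burst_rate - plan.sustained_rate) * burst_secs))


if __name__ == "__main__":
    # Scan times span the 1 to 8 second range given in the post.
    for secs in (8, 4, 1):
        p = size_cluster(500_000, secs, box_cpus=4, box_ram_gb=16)
        print(f"{secs}s/msg: {p.children} children, {p.min_cpus} CPUs / "
              f"{p.min_ram_gb} GB minimum, {p.boxes} box(es), "
              f"{p.sustained_rate:.1f} msg/s sustained")
    worst = size_cluster(500_000, 8, box_cpus=4, box_ram_gb=16)
    # Constructed scenario: a 10 minute burst arriving at 60 msg/s.
    print("queued after burst:", backlog_after_burst(worst, 60, 600))
```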