From radekburza at gmail.com Wed Jul 1 00:00:28 2009
From: radekburza at gmail.com (Radek Burza)
Date: Tue Jun 30 22:00:40 2009
Subject: Clamd and deliver disinfected messages
Message-ID: <4A4A990C.8000302@gmail.com>

Hi!

I have turned the proper options to "yes" in MailScanner.conf
"Deliver Disinfected Files" and "Deliver Disinfected Messages"
but messages are not delivered to mailboxes. In logs I have found that
clamd found viruses, but these messages are not delivered to mail boxes.
It seems that clamd only finds and deletes whole messages despite these
options.

Please help
Radek

From MailScanner at ecs.soton.ac.uk Wed Jul 1 09:08:01 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Jul 1 09:08:27 2009
Subject: New wiki page
In-Reply-To:
References: <4A43C66A.5070703@ecs.soton.ac.uk><4A43CD22.6060208@ecs.soton.ac.uk> <4A448379.403@ecs.soton.ac.uk> <4A4B1961.9000805@ecs.soton.ac.uk>
Message-ID:

On 29/06/2009 20:32, Remco Barendse wrote:
> On Fri, 26 Jun 2009, Julian Field wrote:
>
>>
>>> Julian,
>>>
>>> Just wondering why you don't recommend MCP? I'm using it
>>> currently and
>>> wondering if I should disable it now.
>>>
>> It has a huge processing overhead and as a result is very slow.
>> "SpamAssassin Rule Actions" can do pretty much anything MCP can, and
>> it does it enormously faster.
>
>
> But what if you use MCP on outgoing mail only, meaning mail that is
> not run through spamassassin
>
You can minimise the overhead with a ruleset on the whole MCP process,
but I would still try your best to implement what you need using
SpamAssassin Rule Actions. If I had thought of the whole SpamAssassin
Rule Actions at the time, I would never have implemented MCP at all.
It's now there, so there's nothing to be gained by removing it, and it
would really piss off the sites that still use it, so I'm not going to
do that.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner

--
This message has been scanned for viruses and dangerous content by
MailScanner, and is believed to be clean.

From MailScanner at ecs.soton.ac.uk Wed Jul 1 09:15:00 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Jul 1 09:15:54 2009
Subject: Mismatch between report and actions
In-Reply-To:
References: <223f97700906271617k7363df24je7a880454d804933@mail.gmail.com> <223f97700906290711g699f0732p89e0fc3ce512bf66@mail.gmail.com> <223f97700906290743s3d4e444di27d0ba29c4690320@mail.gmail.com> <223f97700906300149we52e8bet686c13f5b22ac56c@mail.gmail.com> <4A4B1B04.4090903@ecs.soton.ac.uk>
Message-ID:

On 30/06/2009 15:17, Robert Lopez wrote:
> On Tue, Jun 30, 2009 at 2:49 AM, Glenn Steen wrote:
>
>> 2009/6/29 Robert Lopez:
>>
>>> On Mon, Jun 29, 2009 at 8:43 AM, Glenn Steen wrote:
>>>
>>>> 2009/6/29 Robert Lopez:
>>>>
>>>>> On Mon, Jun 29, 2009 at 8:11 AM, Glenn Steen wrote:
>>>>>
>>>>>> 2009/6/29 Robert Lopez:
>>>>>>
>>>>>>> On Sat, Jun 27, 2009 at 5:17 PM, Glenn Steen wrote:
>>>>>>>
>>>>>>>> 2009/6/26 Robert Lopez:
>>>>>>>>
>>>>>>>>> HP ProLiant DL360 G5
>>>>>>>>> Two dual core Intel(R) Xeon(R) CPU E5450 @ 3.00GHz
>>>>>>>>> 8 G RAM
>>>>>>>>> Linux 2.6.28-11-server #42-Ubuntu SMP Fri Apr 17 02:45:36 UTC 2009
>>>>>>>>> x86_64 GNU/Linux
>>>>>>>>> Ubuntu 9.04 (jaunty)
>>>>>>>>> MailScanner version 4.74.16
>>>>>>>>> Postfix version 2.5.5
>>>>>>>>> SpamAssassin version 3.2.5 running on Perl version 5.10.0
>>>>>>>>> (I know there are newer versions. These are Ubuntu apt-get...)
>>>>>>>>>
>>>>>> (snip error...)
>>>>>>
>>>>>>>> Do the upgrades needed ... MailScanner, possibly SA and Clam as well.
>>>>>>>> If this means leaving the Ubuntu/apt thing behind, then so be it.
>>>>>>>> If you still observe the same behavior... Then we'll look at other things:-).
>>>>>>>>
>>>>>>>> Cheers
>>>>>>>>
>>>>>> (snip)
>>>>>>
>>>>>>> Thank you Glenn,
>>>>>>>
>>>>>>> Changing from Ubuntu is not my decision to make. My current project is
>>>>>>> comparing a system built with RHEL and files from Julian's site to this
>>>>>>> one.
>>>>>>>
>>>>>>>
>>>>>> I didn't say "ditch Ubuntu", just the ubuntu packaging of
>>>>>> MailScanner;-). You could probably live pretty well with the source
>>>>>> tarball, for example.
>>>>>>
>>>>>> Cheers
>>>>>> --
>>>>>> -- Glenn
>>>>>> email: glenn< dot> steen< at> gmail< dot> com
>>>>>> work: glenn< dot> steen< at> ap1< dot> se
>>>>>> --
>>>>>> MailScanner mailing list
>>>>>> mailscanner@lists.mailscanner.info
>>>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>>>
>>>>>> Before posting, read http://wiki.mailscanner.info/posting
>>>>>>
>>>>>> Support MailScanner development - buy the book off the website!
>>>>>>
>>>>> Again, Thank you Glenn.
>>>>>
>>>>> I have to attend to the root cause of the problem I wrote about. The
>>>>> issue you reply to is a policy issue upon which I have no influence. I
>>>>> was very happy with the test system built with tar files. My
>>>>> management is not.
>>>>>
>>>> Why? They will just get an added delay and no real benefit (stability
>>>> or otherwise) from sticking to more or less outdated "debianized"
>>>> packages. Sigh. Get a clue-by-four and start whacking;-):-) One cannot
>>>> fight bleeding edge malware/spam with trailing edge, or even sometimes
>>>> moderately modern (like this problem instance;), protection systems.
>>>>
>>>> Cheers
>>>> --
>>>> -- Glenn
>>>> email: glenn< dot> steen< at> gmail< dot> com
>>>> work: glenn< dot> steen< at> ap1< dot> se
>>>>
>>> Glenn I totally agree with you. But your comments are not helpful. I
>>> have stated I have no control over institutional policies.
>>>
>> That being the case, I'm not entirely sure we will be able to help
>> you. My prompting you to upgrade isn't just the semi-unhelpful comment
>> it may seem. There were some changes to the Postfix handling (mostly
>> when used with milters, true) recently, as well as some other
>> important fixes (IIRC there were some problems with the MIME tools
>> perl module... I might remember wrong, but I don't think I do:-). Also,
>> since you use the Ubuntu packaging, you are likely to be using the
>> perl modules from the same source... I'm not sure, but I rather
>> suspect that that may be as bad as mixing the "MailScanner perl
>> modules" from certain other distros into the brew...
>> Going to a "source" install (as you've obviously tried) would take
>> some of the uncertainties out of the picture, as well as enabling you
>> to use the latest/greatest of MailScanner (at your own discretion, of
>> course)... So that you decide when you need upgrade, not some
>> packager. Usually, the latter is norm for most distros, and frankly
>> the sane thing to do. But not with system like MailScanner, IMO.
>>
>> Anyway, that is neither here nor there. If you can't change what beta
>> you are using, that is the way it is.
>> Back to the original message then... Hmm.
>>
>> This wouldn't be stored as spam, it would likely be stored in a
>> directory named like the queue file ID + the random bit... so did you
>> find for a file specifically? it should all be there in the
>> /var/spool/MailScanner/quarantine/20090626/E0CE312F.5E6C5 directory.
>>
>> I suppose that if the mime explosion didn't go well, for some reason,
>> you might see some strange results... Hmm.
>>
>> What are your settings in MailScanner.conf for
>>     Deliver Disinfected Files
>>     Silent Viruses
>>     Still Deliver Silent Viruses
>>     Non-Forging Viruses
>>     ClamAV Full Message Scan
>> That the message got requeued and delivered suggest some rather not
>> that wise settings here, perhaps:-)
>>
>> Cheers
>> --
>> -- Glenn
>> email: glenn< dot> steen< at> gmail< dot> com
>> work: glenn< dot> steen< at> ap1< dot> se
>>
> Thank you Glenn. Please understand I was very happy with the RHEL
> system built from source but it does not meet some policies over which
> I have no control.
>
>
> From my original posting:
>
>> Situation: Testing Eicar, external site to internal via gateway.
>> Problem: Mismatch between reported information and actions.
>>
>> Email content says:
>> "Warning: Please read the 'CNM-Attachment-Warning.txt' attachment(s)
>> for more information."
>>
>> Action was:
>> Appended the text into the body of email instead of an attachment.
>>
> This is a case of not confusing Outlook users who expect an "attachment" to be
> separate from the body of the email. It is now solved.
> I have written a post-install script to change from "Warning: Please read the
> 'CNM-Attachment-Warning.txt' attachment(s) for more information."
> to say "...read the appended information..." in
> /usr/share/MailScanner/reports/en/inline.warning.txt
>
>
>> Email content says:
>> "Note to Help Desk: Look on the CNM () MailScanner in
>> /var/spool/MailScanner/quarantine/20090626 (message E0CE312F.5E6C5)."
>>
> The eicar data was NOT delivered. It was discarded as desired. The problem is
> the statement the content was quarantined and the help desk can find it.
> I would be happy to have all the statements about the help desk
> finding it removed.
> But as there are many files to modify I am not certain I would be
> doing the right thing.
>
I would create your own "language" directory under
/etc/MailScanner/reports specific for your own site. Base the contents
on the ones in "en" but customise away to your heart's content. For
example, all my site's reports are in /etc/MailScanner/reports/ECS.

The initial contents of those files is there for a few reasons
a) it saves most people a hell of a lot of work writing such stuff
b) it contains content that demonstrates all the available "$variables"
   in each report
c) it contains the text that I wanted when I first wrote it for myself.

The whole point is that you should change those files so they match
your site's policy and setup.

Jules

From MailScanner at ecs.soton.ac.uk Wed Jul 1 09:16:49 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Jul 1 09:17:09 2009
Subject: Starting postfix from mailscanner
In-Reply-To: <2c6cf52a0906300813w6ef1cbd9q9cec2a2f31d71f71@mail.gmail.com>
References: <2c6cf52a0906300813w6ef1cbd9q9cec2a2f31d71f71@mail.gmail.com> <4A4B1B71.1080103@ecs.soton.ac.uk>
Message-ID:

On 30/06/2009 16:13, Mauricio Tavares wrote:
> I know that when you install mailscanner with postfix, you are
> supposed to disable postfix starting on its own because mailscanner
> will turn it on. How does it do it and when?
>
It's all in the init.d script for MailScanner. There are a whole bunch
of arguments you can give it, so for example on a RedHat system you can do

    service MailScanner start
                        stop
                        restart
                        startin
                        startms
                        startout
                        stopin
                        stopms
                        stopout
                        status
                        reload

and probably a few others I can't remember right now. Put "help" on the
script's command-line and it should list the possibilities for you.

Jules

From MailScanner at ecs.soton.ac.uk Wed Jul 1 09:18:33 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Jul 1 09:18:53 2009
Subject: MailScanner --lint error
In-Reply-To: <69cea7fc990891820758b7fac95250c7.squirrel@webmail.baladia.gov.kw>
References: <69cea7fc990891820758b7fac95250c7.squirrel@webmail.baladia.gov.kw> <4A4B1BD9.3000403@ecs.soton.ac.uk>
Message-ID:

You probably haven't edited /etc/MailScanner/virus.scanners.conf to tell
it where you put your copy of f-prot.

Jules.

On 30/06/2009 20:03, Benedict simon wrote:
> Dear All,
>
> I had a Centos 5.3 server and recently upgraded my MailScanner to 4.77
> and the latest clamAV+SA jules package
> everything works fine but
>
> I also installed f-prot 6 newly since i did not have it before
>
> Now when I run MailScanner --lint i see the following
>
> ------------------------
>
>
> Read 854 hostnames from the phishing whitelist
> Read 8256 hostnames from the phishing blacklists
> Checking version numbers...
> Version number in MailScanner.conf (4.77.10) is correct.
>
> Your envelope_sender_header in spam.assassin.prefs.conf is correct.
>
> Checking for SpamAssassin errors (if you use it)...
> Using SpamAssassin results cache
> Connected to SpamAssassin cache database
> SpamAssassin reported no errors.
> Connected to Processing Attempts Database
> Created Processing Attempts Database successfully
> There are 0 messages in the Processing Attempts Database
> Using locktype = posix
> MailScanner.conf says "Virus Scanners = f-prot clamav"
> Found these virus scanners installed: clamavmodule, f-prot-6
> ===========================================================================
> Filename Checks: Windows/DOS Executable (1 eicar.com)
> Other Checks: Found 1 problems
> Virus and Content Scanning: Starting
> xargs: /usr/local/f-prot/f-prot: Permission denied
> ./1/eicar.com: Eicar-Test-Signature FOUND
>
> -------------------------
>
> just wondering what the permissions could be
>
> tried to change it to 1001:users but problem persists
>
> appreciate your help
>
>
> regards
>
> simon
>

Jules

From uxbod at splatnix.net Wed Jul 1 09:24:22 2009
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Wed Jul 1 09:24:41 2009
Subject: OT: Adding signatures to outgoing mails
In-Reply-To: <4A4A6DD3.60204@glendown.de>
Message-ID: <27015201.2081246436662220.JavaMail.root@office.splatnix.net>

----- "Garry" wrote:
> Some time ago, I used Mailscanner slightly differently than intended, in
> order to add custom signatures to outgoing mails... the place had 4
> different companies, which all required a separate company signature.
>
> On a new project, I could use this again, though I don't want to go
> through the hassle of running a full MS install just to get automated
> signatures added to outgoing mails ... anybody happen to know some *ix
> tool or way to implement something similar?
>
> It would also be great if I could make adding a signature depending on
> the sending domain, and possibly even having some template fields that
> would be filled based on a sender address ...
>
> Tnx, -garry
>
If you are using Postfix then this should help :-

http://wiki.zimbra.com/index.php?title=Adding_a_disclaimer_(altermime)_or_footer

Best Regards,

--
SplatNIX IT Services :: Innovation through collaboration

From uxbod at splatnix.net Wed Jul 1 09:44:35 2009
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Wed Jul 1 09:45:05 2009
Subject: Is the list working ?
Message-ID: <17830870.2111246437875012.JavaMail.root@office.splatnix.net>

have not seen any emails today ?

Best Regards,

--
SplatNIX IT Services :: Innovation through collaboration

From glenn.steen at gmail.com Wed Jul 1 10:13:23 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Jul 1 10:13:33 2009
Subject: email is too big for spam checks
In-Reply-To: <7d9b3cf20906300829s4024c733va83273cc686b788f@mail.gmail.com>
References: <2c6cf52a0906300824w15352337gb947cb21af559ff3@mail.gmail.com> <7d9b3cf20906300829s4024c733va83273cc686b788f@mail.gmail.com>
Message-ID: <223f97700907010213k7fee329dl9b00a51452c244b6@mail.gmail.com>

2009/6/30 Eduardo Casarero :
>
>
> 2009/6/30 Mauricio Tavares
>>
>> I have setup mailscanner such that it only does spam checking,
>> not virus checking. Recently I saw on the logs a message saying it is
>> too big for spam checks. I have my Max Spam Check Size currently set
>> to 150000. Since there are spam messages with attached images and so
>> on, what would be a good size for that? I am asked to make it
>> unlimited somehow, but I do not know if I should. After all, as it is
>> said in the MailScanner.conf file, a large email is probably not spam.
>>
>> Also, is the 150000 measure in what units? Bytes?
>
> yes is in bytes, the size depends on your traffic i've 500000 in some
> servers and in others 800000, however i've seen spam emails with a size of 1
> Mb. Remember bigger emails checks will increase your CPU/MEM/IO use.
>
Quite true. Making this limit "unlimited" would mean setting it equal or
larger than the maximum message size your MTA enforces (and that one is
more or less mandated to have a finite limit).

It can actually be quite OK to set this one really large, from a
MailScanner/SpamAssassin perspective, since you also have limits on how
much of the message to pass on to SpamAssassin (from MailScanner). The
Max SpamAssassin Size setting is ... wonderful... in that it can do some
silly hoops to do the right thing for large images etc. Be sure to read
the comment above it carefully!

My settings for these (on a somewhat muscular box... Nothing fancy, just
not ol' scrap:-) is a lot higher than the defaults...
MTA max message size/2 == Max Spam Check Size (empirical study of where
to set that one... Higher doesn't benefit my mailflow), and Max Spam
Check Size/2 ~= Max SpamAssassin Size ... we're talking MiBs, not KiBs.
But then my mailflow is meager (~10k/day), so ... you'll have to do some
calculations on your own, to see what fits yours best.

MailWatch can be a real useful tool to determine average sizes etc.

Not doing at least Clamd in MailScanner seems ... wasteful ... The
"expensive" part of the scanning is the spam detection, not the AV
part... And clam is "right-prized";-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Wed Jul 1 10:29:01 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Jul 1 10:29:12 2009
Subject: Starting postfix from mailscanner
In-Reply-To: <2c6cf52a0906300813w6ef1cbd9q9cec2a2f31d71f71@mail.gmail.com>
References: <2c6cf52a0906300813w6ef1cbd9q9cec2a2f31d71f71@mail.gmail.com>
Message-ID: <223f97700907010229g2e29c76arf815f22cef9101b9@mail.gmail.com>

2009/6/30 Mauricio Tavares :
> I know that when you install mailscanner with postfix, you are
> supposed to disable postfix starting on its own because mailscanner
> will turn it on. How does it do it and when?

The rc script will start the configured MTAs "automagically":-). If
you're really interested, read the init script (usually
/etc/init.d/MailScanner) for details... The postfix case may seem a bit
convoluted, since it will handle both a two-instance and one-instance
setup. This is good, not because the two-instance thing is really needed
by MailScanner anymore, but since 1-recipient/message splitting (needed
to get rulesets to operate correctly for all recipients in a
multi-recipient mail) need a two-instance setup (at least... I haven't
figured out a way to do it differently ... yet:-).

If you don't disable the normal startup, nothing much dangerous will
happen... with the one-instance-hold method, the same settings would be
used for all ways of starting postfix. But nothing good either.

Anyway, how to do all this (disabling etc) differ between distros/OSes,
so ...:)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Wed Jul 1 11:02:20 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Jul 1 11:02:29 2009
Subject: MailScanner --lint error
In-Reply-To:
References:
Message-ID: <223f97700907010302t2d288ed9p993ef0619321e193@mail.gmail.com>

2009/6/30 Benedict simon :
> Dear All,
>
> I had a Centos 5.3 server and recently upgraded my MailScanner to 4.77
> and the latest clamAV+SA jules package
> everything works fine but
>
> I also installed f-prot 6 newly since i did not have it before
>
> Now when I run MailScanner --lint i see the following
>
> ------------------------
>
>
> Read 854 hostnames from the phishing whitelist
> Read 8256 hostnames from the phishing blacklists
> Checking version numbers...
> Version number in MailScanner.conf (4.77.10) is correct.
>
> Your envelope_sender_header in spam.assassin.prefs.conf is correct.
>
> Checking for SpamAssassin errors (if you use it)...
> Using SpamAssassin results cache
> Connected to SpamAssassin cache database
> SpamAssassin reported no errors.
> Connected to Processing Attempts Database
> Created Processing Attempts Database successfully
> There are 0 messages in the Processing Attempts Database
> Using locktype = posix
> MailScanner.conf says "Virus Scanners = f-prot clamav"
> Found these virus scanners installed: clamavmodule, f-prot-6
> ===========================================================================
> Filename Checks: Windows/DOS Executable (1 eicar.com)
> Other Checks: Found 1 problems
> Virus and Content Scanning: Starting
> xargs: /usr/local/f-prot/f-prot: Permission denied
> ./1/eicar.com: Eicar-Test-Signature FOUND
>
> -------------------------
>
> just wondering what the permissions could be
>
> tried to change it to 1001:users but problem persists
>
> appreciate your help
>
>
> regards
>
> simon
>
I'm not a user of f-prot... But it might mean that the invoking user
cannot access the file(s) to be scanned, so perhaps you need amend your
settings for incoming work group (and permissions) so that that user
(-s group) can read the MailScanner work directories. Kind of like with
clamd (where there is a demon clamd that runs as user/group clamav (or
similar), and need permissions to be able to read the work directories).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From lists at elasticmind.net Wed Jul 1 11:50:42 2009
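[Added example, not part of any list message above and not MailScanner code.] The "Permission denied" in the --lint output and the work-directory permissions raised in the two replies on this thread can both be checked the same way: evaluate the classic mode bits of every path component for the non-root user the scanner runs as. The function names, the uid/gid choices and the temporary directory layout below are constructed for illustration.

```python
import os
import tempfile

R, X = 0o4, 0o1  # read bit; execute (file) or search (directory) bit


def class_bits(st, uid, gids):
    """rwx bits that apply to a non-root user: owner, then group, then other."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 0o7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 0o7
    return st.st_mode & 0o7


def first_denied(path, uid, gids, want, base=os.sep):
    """Return (component, reason) for the first thing at or below `base` that
    stops `uid` from getting `want` on `path`, or None if the mode bits allow
    it. Only classic mode bits are evaluated; ACLs and SELinux are not."""
    path, base = os.path.abspath(path), os.path.abspath(base)
    rel = os.path.relpath(path, base)
    if rel == os.pardir or rel.startswith(os.pardir + os.sep):
        raise ValueError("path is not below base")
    current = base
    for name in ([] if rel == os.curdir else rel.split(os.sep)):
        # Every directory on the way down must be searchable (x bit).
        if not (class_bits(os.stat(current), uid, gids) & X):
            return current, "directory not searchable"
        current = os.path.join(current, name)
    if (class_bits(os.stat(current), uid, gids) & want) != want:
        return current, "requested access not granted"
    return None


def demo():
    """Constructed layout: <tmp>/f-prot/f-prot and <tmp>/incoming/msg."""
    out = []
    with tempfile.TemporaryDirectory() as tmp:
        os.chmod(tmp, 0o755)
        install = os.path.join(tmp, "f-prot")
        work = os.path.join(tmp, "incoming")
        os.mkdir(install)
        os.mkdir(work)
        binary = os.path.join(install, "f-prot")
        msg = os.path.join(work, "msg")
        for p in (binary, msg):
            open(p, "w").close()
        scanner_uid = os.stat(binary).st_uid + 1   # constructed: any non-owner
        work_gids = {os.stat(work).st_gid, os.stat(msg).st_gid}

        def record(path, gids, want):
            hit = first_denied(path, scanner_uid, gids, want, base=tmp)
            out.append(hit and (os.path.relpath(hit[0], tmp), hit[1]))

        # 1. Binary is 0755 but its directory is 0700: chown/chmod on the
        #    binary alone cannot help, the directory blocks the lookup.
        os.chmod(install, 0o700)
        os.chmod(binary, 0o755)
        record(binary, set(), X)
        # 2. Directory opened up, binary itself lacks the x bit for "other".
        os.chmod(install, 0o755)
        os.chmod(binary, 0o644)
        record(binary, set(), X)
        # 3. Both fixed.
        os.chmod(binary, 0o755)
        record(binary, set(), X)
        # 4. Work file 0600: a scanner that only shares the group cannot read.
        os.chmod(work, 0o750)
        os.chmod(msg, 0o600)
        record(msg, work_gids, R)
        # 5. Group read added (0640): the scanner can read the message.
        os.chmod(msg, 0o640)
        record(msg, work_gids, R)
    return out


if __name__ == "__main__":
    for result in demo():
        print(result)
```

On a real host, call `first_denied("/usr/local/f-prot/f-prot", uid, gids, X)` with the uid and group ids of the account MailScanner runs as; running the check as root with plain `ls` or `test -x` hides the problem because root bypasses directory search permissions.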
From: lists at elasticmind.net (mog)
Date: Wed Jul 1 11:51:12 2009
Subject: Starting postfix from mailscanner
In-Reply-To: <4A4A83B6.7070707@alexb.ch>
References: <2c6cf52a0906300813w6ef1cbd9q9cec2a2f31d71f71@mail.gmail.com> <76f60d7e0906301411j4934be17u6df1d8e5ffa13be7@mail.gmail.com> <4A4A83B6.7070707@alexb.ch>
Message-ID: <4A4B3F82.1030109@elasticmind.net>

Alex Broens wrote:
> On 6/30/2009 11:11 PM, Steve Barnes wrote:
>>> I know that when you install mailscanner with postfix, you are
>>> supposed to disable postfix starting on its own because mailscanner
>>> will turn it on. How does it do it and when?
>>
>> Interesting. I've not seen any documentation to support this
>> (MailScanner starting Postfix itself) in all my reading to date -
>> where did you read about it?
>>
>> I run Postfix with MailScanner and simply use the rc.d/rc.conf to
>> start Postfix and then start MailScanner...did I miss something? :)
>
> check out:
>
> http://mailscanner.info/postfix.html
>
> h2h
>
> Alex

I don't see any reference to mailscanner trying to start postfix on the
http://mailscanner.info/postfix.html web page, and would be very shocked
if that were the case.

I've always used postfix, and have never known a content filter to try
and start an MTA. Personally, it doesn't seem like a logical/sensible
thing to do. System services / daemons such as these are designed to be
started and stopped independently via the rc.d control scripts, so they
do not interfere with each other; I believe it would be highly
undesirable for them to behave any differently.

From lists at elasticmind.net Wed Jul 1 12:04:28 2009
From: lists at elasticmind.net (mog)
Date: Wed Jul 1 12:04:55 2009
Subject: Is the list working ?
In-Reply-To: <17830870.2111246437875012.JavaMail.root@office.splatnix.net>
References: <17830870.2111246437875012.JavaMail.root@office.splatnix.net>
Message-ID: <4A4B42BC.8000405@elasticmind.net>

I've seen your emails and a few others, but I've not seen one I posted a
few minutes ago come through.

--[ UxBoD ]-- wrote:
> have not seen any emails today ?
>
> Best Regards,
>
> --
> SplatNIX IT Services :: Innovation through collaboration

From ms-list at alexb.ch Wed Jul 1 12:39:42 2009
From: ms-list at alexb.ch (Alex Broens)
Date: Wed Jul 1 12:39:51 2009
Subject: Starting postfix from mailscanner
In-Reply-To: <4A4B3F82.1030109@elasticmind.net>
References: <2c6cf52a0906300813w6ef1cbd9q9cec2a2f31d71f71@mail.gmail.com> <76f60d7e0906301411j4934be17u6df1d8e5ffa13be7@mail.gmail.com> <4A4A83B6.7070707@alexb.ch> <4A4B3F82.1030109@elasticmind.net>
Message-ID: <4A4B4AFE.2080006@alexb.ch>

On 7/1/2009 12:50 PM, mog wrote:
>
>
> Alex Broens wrote:
>> On 6/30/2009 11:11 PM, Steve Barnes wrote:
>>>> I know that when you install mailscanner with postfix, you are
>>>> supposed to disable postfix starting on its own because mailscanner
>>>> will turn it on. How does it do it and when?
>>>
>>> Interesting. I've not seen any documentation to support this
>>> (MailScanner starting Postfix itself) in all my reading to date -
>>> where did you read about it?
>>>
>>> I run Postfix with MailScanner and simply use the rc.d/rc.conf to
>>> start Postfix and then start MailScanner...did I miss something? :)
>>
>> check out:
>>
>> http://mailscanner.info/postfix.html
>>
>> h2h
>>
>> Alex
>
> I don't see any reference to mailscanner trying to start postfix on the
> http://mailscanner.info/postfix.html web page, and would be very shocked
> if that were the case.

you'd survive that shock :-)

___
If on a system installed using the RedHat RPM distribution, just use the
init.d script to do it all for you:

    /etc/rc.d/init.d/MailScanner start

(or on RedHat systems just service MailScanner start)

If not using the RedHat RPM distribution, then

1. Start Postfix
       postfix start
2. Start MailScanner
       check_MailScanner
____

iirc, if you use install via Jules' installer package, on some Red Hat
flavour MailScanner's init script controls Postfix.

see /etc/rc.d/init.d/MailScanner

How it works on other OSs/Distros, I can't tell.

From mailscanner at barendse.to Wed Jul 1 13:46:48 2009
From: mailscanner at barendse.to (Remco Barendse)
Date: Wed Jul 1 13:47:01 2009
Subject: New wiki page
In-Reply-To:
References: <4A43C66A.5070703@ecs.soton.ac.uk><4A43CD22.6060208@ecs.soton.ac.uk> <4A448379.403@ecs.soton.ac.uk> <4A4B1961.9000805@ecs.soton.ac.uk>
Message-ID:

On Wed, 1 Jul 2009, Julian Field wrote:

>
>
> On 29/06/2009 20:32, Remco Barendse wrote:
>> On Fri, 26 Jun 2009, Julian Field wrote:
>>
>> >
>> > > Julian,
>> > >
>> > > Just wondering why you don't recommend MCP? I'm using it
>> > > currently and
>> > > wondering if I should disable it now.
>> > >
>> > It has a huge processing overhead and as a result is very slow.
>> > "SpamAssassin Rule Actions" can do pretty much anything MCP can, and it
>> > does it enormously faster.
>>
>>
>> But what if you use MCP on outgoing mail only, meaning mail that is not
>> run through spamassassin
>>
> You can minimise the overhead with a ruleset on the whole MCP process, but I
> would still try your best to implement what you need using SpamAssassin Rule
> Actions. If I had thought of the whole SpamAssassin Rule Actions at the time,
> I would never have implemented MCP at all. It's now there, so there's nothing
> to be gained by removing it, and it would really piss off the sites that
> still use it, so I'm not going to do that.

OK, thanks for the advice. I will have a look at that.

By the way, if i would use SpamAssassin for that job, wouldn't SA filter
out all the offers for the viagra pills i am sending out?? :)))))

Seriously though, i disabled SA for all our outgoing mail, it would be
silly if our own spamfilter would start blocking outgoing e-mails, even
one false positive could cause some very angry faces in my direction.

Remco

From J.Ede at birchenallhowden.co.uk Wed Jul 1 14:45:18 2009
From: J.Ede at birchenallhowden.co.uk (Jason Ede)
Date: Wed Jul 1 14:45:51 2009
Subject: New wiki page
In-Reply-To:
References: <4A43C66A.5070703@ecs.soton.ac.uk><4A43CD22.6060208@ecs.soton.ac.uk> <4A448379.403@ecs.soton.ac.uk> <4A4B1961.9000805@ecs.soton.ac.uk>
Message-ID: <1213490F1F316842A544A850422BFA960F6056457D@BHLSBS.bhl.local>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Remco Barendse
> Sent: 01 July 2009 13:47
> To: MailScanner discussion
> Subject: Re: New wiki page
>
> On Wed, 1 Jul 2009, Julian Field wrote:
>
> >
> >
> > On 29/06/2009 20:32, Remco Barendse wrote:
> >> On Fri, 26 Jun 2009, Julian Field wrote:
> >>
> >> >
> >> > > Julian,
> >> > >
> >> > > Just wondering why you don't recommend MCP? I'm using it
> >> > > currently and
> >> > > wondering if I should disable it now.
> >> > >
> >> > It has a huge processing overhead and as a result is very slow.
> >> > "SpamAssassin Rule Actions" can do pretty much anything MCP can,
> and it
> >> > does it enormously faster.
> >>
> >>
> >> But what if you use MCP on outgoing mail only, meaning mail that is
> not
> >> run through spamassassin
> >>
> > You can minimise the overhead with a ruleset on the whole MCP
> process, but I
> > would still try your best to implement what you need using
> SpamAssassin Rule
> > Actions. If I had thought of the whole SpamAssassin Rule Actions at
> the time,
> > I would never have implemented MCP at all. It's now there, so there's
> nothing
> > to be gained by removing it, and it would really piss off the sites
> that
> > still use it, so I'm not going to do that.
>
> OK, thanks for the advice. I will have a look at that.
>
> By the way, if i would use SpamAssassin for that job, wouldn't SA
> filter
> out all the offers for the viagra pills i am sending out?? :)))))
>
> Seriously though, i disabled SA for all our outgoing mail, it would be
> silly if our own spamfilter would start blocking outgoing e-mails, even
> one false positive could cause some very angry faces in my direction.
>
> Remco

What happens if you get a mass mailer worm on your network or a
compromised computer that starts churning out spam? Far more red faces
that way.

Jason

From alex at rtpty.com Wed Jul 1 15:09:43 2009
From: alex at rtpty.com (Alex Neuman)
Date: Wed Jul 1 15:10:00 2009
Subject: New wiki page
In-Reply-To: <1213490F1F316842A544A850422BFA960F6056457D@BHLSBS.bhl.local>
References: <4A43C66A.5070703@ecs.soton.ac.uk> <4A448379.403@ecs.soton.ac.uk> <4A4B1961.9000805@ecs.soton.ac.uk> <1213490F1F316842A544A850422BFA960F6056457D@BHLSBS.bhl.local>
Message-ID: <24e3d2e40907010709q495301f6l6092fb85e8d86891@mail.gmail.com>

On Wed, Jul 1, 2009 at 8:45 AM, Jason Ede wrote:
>
> What happens if you get a mass mailer worm on your network or a compromised
> computer that starts churning out spam? Far more red faces that way.
>
> Jason
> --

Especially if it lands your IP or netblock on several RBLs and people start rejecting your e-mail.

--
Alex Neuman van der Hans
Reliant Technologies
+507 6781-9505
+507 202-1525
alex@rtpty.com
Skype: alexneuman

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090701/d176bc18/attachment.html

From rlopezcnm at gmail.com Wed Jul 1 15:27:12 2009
From: rlopezcnm at gmail.com (Robert Lopez) Date: Wed Jul 1 15:27:23 2009 Subject: SOLVED Re: Mismatch between report and actions Message-ID: On Wed, Jul 1, 2009 at 2:15 AM, Julian Field wrote: > > > On 30/06/2009 15:17, Robert Lopez wrote: >> >> On Tue, Jun 30, 2009 at 2:49 AM, Glenn Steen >> ?wrote: >> >>> >>> 2009/6/29 Robert Lopez: >>> >>>> >>>> On Mon, Jun 29, 2009 at 8:43 AM, Glenn Steen >>>> ?wrote: >>>> >>>>> >>>>> 2009/6/29 Robert Lopez: >>>>> >>>>>> >>>>>> On Mon, Jun 29, 2009 at 8:11 AM, Glenn Steen >>>>>> ?wrote: >>>>>> >>>>>>> >>>>>>> 2009/6/29 Robert Lopez: >>>>>>> >>>>>>>> >>>>>>>> On Sat, Jun 27, 2009 at 5:17 PM, Glenn Steen >>>>>>>> ?wrote: >>>>>>>> >>>>>>>>> >>>>>>>>> 2009/6/26 Robert Lopez: >>>>>>>>> >>>>>>>>>> >>>>>>>>>> HP Prolient DL360 G5 >>>>>>>>>> Two dual core Intel(R) Xeon(R) CPU E5450 @ 3.00GHz >>>>>>>>>> 8 G RAM >>>>>>>>>> Linux 2.6.28-11-server #42-Ubuntu SMP Fri Apr 17 02:45:36 UTC 2009 >>>>>>>>>> x86_64 GNU/Linux >>>>>>>>>> Ubuntu 9.04 (jaunty) >>>>>>>>>> MailScanner version 4.74.16 >>>>>>>>>> Postfix version 2.5.5 >>>>>>>>>> SpamAssassin version 3.2.5 running on Perl version 5.10.0 >>>>>>>>>> (I know there are newer versions. These are Ubuntu apt-get...) >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>> >>>>>>> (snip error...) >>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>>> Do the upgrades needed ... MailScanner, possibly SA and Clam as >>>>>>>>> well. >>>>>>>>> If this means leaving the Ubunto/apt thing behind, then so be it. >>>>>>>>> If you still observe the same behavior... Then we'll look at other >>>>>>>>> things:-). >>>>>>>>> >>>>>>>>> Cheers >>>>>>>>> >>>>>>> >>>>>>> (snip) >>>>>>> >>>>>>>> >>>>>>>> Thank you Glenn, >>>>>>>> >>>>>>>> Changing from Ubuntu is not my decision to make. My current project >>>>>>>> is >>>>>>>> comparing a system built with RHEL and files from Julians site to >>>>>>>> this >>>>>>>> one. >>>>>>>> >>>>>>>> >>>>>>> >>>>>>> I didn't say "ditch Ubuntu", just the ubuntu packaging of >>>>>>> MailScanner;-). 
You could probably live pritty well with the source >>>>>>> tarball, for example. >>>>>>> >>>>>>> Cheers >>>>>>> -- >>>>>>> -- Glenn >>>>>>> email: glenn< ?dot> ?steen< ?at> ?gmail< ?dot> ?com >>>>>>> work: glenn< ?dot> ?steen< ?at> ?ap1< ?dot> ?se >>>>>>> -- >>>>>>> MailScanner mailing list >>>>>>> mailscanner@lists.mailscanner.info >>>>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>>>>>> >>>>>>> Before posting, read http://wiki.mailscanner.info/posting >>>>>>> >>>>>>> Support MailScanner development - buy the book off the website! >>>>>>> >>>>>>> >>>>>> >>>>>> Again, Thank you Glenn. >>>>>> >>>>>> I have to attend to the root cause of the problem I wrote about. The >>>>>> issue you reply to is a policy issue upon which I have no influence. I >>>>>> was very happy with the test system built with tar files. My >>>>>> management is not. >>>>>> >>>>>> >>>>> >>>>> Why? They will just get an added delay and no real benefit (stability >>>>> or otherwise) from sticking to more or less outdated "debianized" >>>>> packages. Sigh. Get a clue-by-four and start whacking;-):-) One cannot >>>>> fight bleeding edge malware/spam with trailing edge, or even sometimes >>>>> moderately modern (like this problem instance;), protection systems. >>>>> >>>>> Cheers >>>>> -- >>>>> -- Glenn >>>>> email: glenn< ?dot> ?steen< ?at> ?gmail< ?dot> ?com >>>>> work: glenn< ?dot> ?steen< ?at> ?ap1< ?dot> ?se >>>>> -- >>>>> MailScanner mailing list >>>>> mailscanner@lists.mailscanner.info >>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>>>> >>>>> Before posting, read http://wiki.mailscanner.info/posting >>>>> >>>>> Support MailScanner development - buy the book off the website! >>>>> >>>>> >>>> >>>> Glenn I totally agree with you. But your comments are not helpful. I >>>> have stated I have no control over institutional policies. >>>> >>>> >>> >>> That being the case, I'm not entirely sure we will be able to help >>> you. 
My prompting you to upgrade isn't just the semi-unhelpful comment >>> it may seem. There were some changes to the Postfix handling (mostly >>> when used with milters, true) recently, as well as some other >>> important fixes (IIRC there were some problems with the MIME tools >>> perl module... I might remeber wrong, but I don't think I do:-). Also, >>> since you use the Ubuntu packaging, you are likely to be using the >>> perl modules from the same source... I'm not sure, but I rather >>> suspect that that may be as bad as mixing the "MailScanner perl >>> modules" from certain other distros into the brew... >>> Going to a "source" install (as you've obviously tried) would take >>> some of the uncertanties out of the picture, as well as enabling you >>> to use the latest/greatest of MailScanner (at your own discretion, of >>> course)... So that you decide when you need upgrade, not some >>> packager. Usually, the latter is norm for most distros, and frankly >>> the sane thing to do. But not with system like MailScanner, IMO. >>> >>> Anyway, that is neither here nor there. If you can't change what beta >>> you are using, that is the way it is. >>> Back to the original message then... Hmm. >>> >>> This wouldn't be stored as spam, it would likely be stored in a >>> directory named like the queue file ID + the random bit... so did you >>> find for a file specifically? it should all be there in the >>> /var/spool/MailScanner/quarantine/20090626/E0CE312F.5E6C5 directory. >>> >>> I suppose that if the mime explosion didn't go well, for some reason, >>> you might see some strange results... Hmm. 
>>> >>> What are your settings in MailScanner.conf for >>> Deliver Disinfected Files >>> Silent Viruses >>> Still Deliver Silent Viruses >>> Non-Forging Viruses >>> ClamAV Full Message Scan >>> That the message got requeued and delivered suggest some rather not >>> that wise settings here, perhaps:-) >>> >>> Cheers >>> -- >>> -- Glenn >>> email: glenn< ?dot> ?steen< ?at> ?gmail< ?dot> ?com >>> work: glenn< ?dot> ?steen< ?at> ?ap1< ?dot> ?se >>> -- >>> MailScanner mailing list >>> mailscanner@lists.mailscanner.info >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>> >>> Before posting, read http://wiki.mailscanner.info/posting >>> >>> Support MailScanner development - buy the book off the website! >>> >>> >> >> Thank you Glenn. Please understand I was very happy with the RHEL >> system built from source but it does not meet some policies over which >> I have not control. >> >> > From my original posting: >> >>> >>> Situation: Testing Eicar, external site to internal via gateway. >>> Problem: ? Mismatch between reported information and actions. >>> >>> Email content says: >>> "Warning: Please read the 'CNM-Attachment-Warning.txt' attachment(s) >>> for more information." >>> >>> Action was: >>> Appended the text into the body of email instead of an attachment. >>> >> >> This is a case of not confusing Outlook users who expect an "attachment" >> to be >> separate from the body of the email. It is now solved. >> I have written a post-install script to change from ?"Warning: Please read >> the >> ?'CNM-Attachment-Warning.txt' attachment(s) ?for more information." >> ?to say "...read the appended information..." in >> /usr/share/MailScanner/reports/en/inline.warning.txt >> >> >>> >>> Email content says: >>> "Note to Help Desk: Look on the CNM () MailScanner in >>> /var/spool/MailScanner/quarantine/20090626 (message E0CE312F.5E6C5)." >>> >> >> The eicar data was NOT delivered. It was discarded as desired. 
The problem >> is >> the statement the content was quarantined and the help desk can find it. >> I would be happy to have all the statements about the help desk >> finding it removed. >> But as there are many files to modify I am not certain I would be >> doing the right thing. >> > > I would create your own "language" directory under /etc/MailScanner/reports > specific for your own site. Base the contents on the ones in "en" but > customise away to your heart's content. For example, all my site's reports > are in /etc/MailScanner/reports/ECS. > > The initial contents of those files is there for a few reasons > a) it saves most people a hell of a lot of work writing such stuff > b) it contains content that demonstrates all the available "$variables" in > each report > c) it contains the text that I wanted when I first wrote it for myself. > > The whole point is that you should change those files so they match your > site's policy and setup. > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > Follow me at twitter.com/JulesFM and twitter.com/MailScanner > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > Jules I totally agree. I have started doing this. I am good on this issue now. 
So far in my comparison of your files from your site on RHEL to the Ubuntu available files I also agree with your assessments of changes made in the Ubuntu packages.

--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106

From steve.freegard at fsl.com Wed Jul 1 16:05:05 2009
From: steve.freegard at fsl.com (Steve Freegard)
Date: Wed Jul 1 16:05:16 2009
Subject: New wiki page
In-Reply-To: <24e3d2e40907010709q495301f6l6092fb85e8d86891@mail.gmail.com>
References: <4A43C66A.5070703@ecs.soton.ac.uk> <4A448379.403@ecs.soton.ac.uk> <4A4B1961.9000805@ecs.soton.ac.uk> <1213490F1F316842A544A850422BFA960F6056457D@BHLSBS.bhl.local> <24e3d2e40907010709q495301f6l6092fb85e8d86891@mail.gmail.com>
Message-ID: <4A4B7B21.4020100@fsl.com>

Alex Neuman wrote:
>
> On Wed, Jul 1, 2009 at 8:45 AM, Jason Ede wrote:
>
>     What happens if you get a mass mailer worm on your network or a
>     compromised computer that starts churning out spam? Far more red
>     faces that way.
>
>     Jason
>     --
>
> Especially if it lands your IP or netblock on several RBLs and people
> start rejecting your e-mail.

Or worse; local blacklists or delaylists at the likes of Hotmail, Yahoo or AOL etc. At least with a public listing you can easily find out about it and take action to get delisted; with local blacklists or delaylists you'll have to learn about this issue from your users or built-up queues and then take up the issue with each postmaster.

Personally; I'm not keen on using MailScanner for outbound scanning as quarantining outbound mail is a real pain to manage and you certainly don't want to have any 'delete' actions etc. so doing everything at the SMTP phase (e.g. with a milter or proxy) is much better and easier to manage (in the event of an FP the sender gets a DSN immediately and can modify their message).

SA also needs to be treated differently for outbound; I prefer using the same bayes database as inbound, but boosting considerably the scores of IXHASH, DCC_CHECK, URIBL_* and SOUGHT to prevent compromised machines/accounts from sending any junk out.

Cheers,
Steve.

From Kevin_Miller at ci.juneau.ak.us Wed Jul 1 17:27:27 2009
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Wed Jul 1 17:27:39 2009
Subject: New wiki page
In-Reply-To: <1213490F1F316842A544A850422BFA960F6056457D@BHLSBS.bhl.local>
Message-ID: <4A09477D575C2C4B86497161427DD94C10D2C613CB@city-exchange07>

> What happens if you get a mass mailer worm on your network or a
> compromised computer that starts churning out spam? Far more
> red faces that way.

I wouldn't expect a mass mailer to channel the mail through a smart host - they're most likely geared to send directly.

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907) 586-4500

From mail at theantiquecentre.net Wed Jul 1 17:56:29 2009
From: mail at theantiquecentre.net (The Antique Centre)
Date: Wed Jul 1 17:55:39 2009
Subject: Installation on Fedora 11
Message-ID: <001201c9fa6c$e1a5ef10$0201a8c0@roysmainbox>

I have struggled to install MailScanner on Fedora 11

The switch of rpms within Fedora to i586 means that the install.sh script picks up the default architecture (on my machine) as being i586. This means that at the end of the script it attempts to install tnef-1.4.5.i586.rpm, but the one within the MailScanner tarball is tnef-1.4.5.i386.rpm.

I could have either altered the install.sh script or just have installed tnef-1.4.5.i386.rpm manually, but found an rpm from http://hany.sk/~hany/RPM/doors14.0-i386/tnef-1.4.5-1.fc10.i586.html and added this instead to satisfy the rpm installation

I now have MailScanner installed and it starts OK without any errors - but have not yet had time to try it out

However, one of the perl modules just will not compile correctly
perl-IO-1.2301-4.src.rpm
no matter what I do

But - does this matter if MailScanner installs OK and starts OK ?

I have read on the Fedora website that it can be built if the Buildarch parameter is deleted or commented out - but how do I do that?

Cheers
John

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090701/33cf534e/attachment.html

From steve.freegard at fsl.com Wed Jul 1 18:20:03 2009
From: steve.freegard at fsl.com (Steve Freegard)
Date: Wed Jul 1 18:20:17 2009
Subject: New wiki page
In-Reply-To: <4A09477D575C2C4B86497161427DD94C10D2C613CB@city-exchange07>
References: <1213490F1F316842A544A850422BFA960F6056457D@BHLSBS.bhl.local> <4A09477D575C2C4B86497161427DD94C10D2C613CB@city-exchange07>
Message-ID: <4A4B9AC3.3080103@fsl.com>

Kevin Miller wrote:
>> What happens if you get a mass mailer worm on your network or a
>> compromised computer that starts churning out spam? Far more
>> red faces that way.
>
> I wouldn't expect a mass mailer to channel the mail through a
> smart host - they're most likely geared to send directly.
>

It's more likely to send directly; but I have seen smart hosts abused as well - it depends on the configuration of the PC and the software used (e.g. if Outlook Express is configured to use a smart host, then the worm will most likely use the same).

Anyone running a private network should:

- Always run your mail server on a dedicated IP address that is not used within a NAT pool. This prevents your mail server from being blacklisted due to compromised hosts.

- Configure firewalls to deny outbound SMTP traffic by default for NAT ranges (and if possible send alerts if a host sends multiple attempts; this can be used to detect compromised machines).

- Inspect outbound SMTP traffic for obvious spam signs and reject it before queuing (e.g. as per my last mail: URIBL_*, DCC, RAZOR2, PYZOR, IXHASH, Bayes, envelope sender from a domain that doesn't belong to you etc.).

Regards,
Steve.

From MailScanner at ecs.soton.ac.uk Wed Jul 1 18:21:54 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Jul 1 18:22:17 2009
Subject: Installation on Fedora 11
In-Reply-To: <001201c9fa6c$e1a5ef10$0201a8c0@roysmainbox>
References: <001201c9fa6c$e1a5ef10$0201a8c0@roysmainbox> <4A4B9B32.9090402@ecs.soton.ac.uk>
Message-ID:

On 01/07/2009 17:56, The Antique Centre wrote:
> I have struggled to install MailScanner on Fedora 11
> The switch of rpms within Fedora to i586 means that the install.sh
> script picks up the default architecture (on my machine) as being i586.
> This means that at the end of the script it attempts to install
> tnef-1.4.5.i586.rpm, but the one within the MailScanner tarball is
> tnef-1.4.5.i386.rpm.
> I could have either altered the install.sh script or just have
> installed tnef-1.4.5.i386.rpm manually, but found an rpm from
> http://hany.sk/~hany/RPM/doors14.0-i386/tnef-1.4.5-1.fc10.i586.html
> and
> added this instead to satisfy the rpm installation
> I now have MailScanner installed and it starts OK without any errors -
> but have not yet had time to try it out
> However, one of the perl modules just will not compile correctly
> perl-IO-1.2301-4.src.rpm
> no matter what I do

Don't worry too much, you probably have a very recent version of Perl's IO module installed anyway. You can find out your version of it by doing "MailScanner --version".

At some point I will try the build on FC11 and see what works and what doesn't and try to fix the outstanding problems.

It's generally considered a pretty bad idea to run a MailScanner server (which after all is a core production server in your setup) on something which has such a short life as Fedora.
Please note this is *NOT* a cue for a flame war.
In 18 months time at most, you'll have to totally rebuild it all on the next version of Fedora in order to keep getting security patches and updates. A far safer move, which will cause you no more work now and a lot *less* work down the line, is to use something like CentOS 5.3, for which there will be patches for plenty of time yet. There are a bunch of MailScanner users who are very keen on running it on Fedora, but this is generally frowned upon by any of us who do this on a large scale for a living. Do you really want to have to rebuild everything every 18 months?!

> But - does this matter if MailScanner installs OK and starts OK ?
> I have read on the Fedora website that it can be built if the
> Buildarch parameter is deleted or commented out - but how do I do that?

You have to mess with the spec file and rebuild the RPM from that, which is probably unnecessary. I wouldn't worry about it :-)

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Follow me at twitter.com/JulesFM

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From J.Ede at birchenallhowden.co.uk Wed Jul 1 19:05:28 2009
From: J.Ede at birchenallhowden.co.uk (Jason Ede)
Date: Wed Jul 1 19:05:52 2009
Subject: New wiki page
In-Reply-To: <4A09477D575C2C4B86497161427DD94C10D2C613CB@city-exchange07>
References: <1213490F1F316842A544A850422BFA960F6056457D@BHLSBS.bhl.local> <4A09477D575C2C4B86497161427DD94C10D2C613CB@city-exchange07>
Message-ID: <1213490F1F316842A544A850422BFA960F605645BD@BHLSBS.bhl.local>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Kevin Miller
> Sent: 01 July 2009 17:27
> To: 'MailScanner discussion'
> Subject: RE: New wiki page
>
> > What happens if you get a mass mailer worm on your network or a
> > compromised computer that starts churning out spam? Far more
> > red faces that way.
>
> I wouldn't expect a mass mailer to channel the mail through a
> smart host - they're most likely geared to send directly.
>
> ...Kevin

There were a few that used Outlook/Outlook Express etc. to send their emails out using the default SMTP client...

From doctor at doctor.nl2k.ab.ca Wed Jul 1 21:55:31 2009
From: doctor at doctor.nl2k.ab.ca (The Doctor)
Date: Wed Jul 1 21:55:41 2009
Subject: Postfix 2.6.2 , Mail Scanner 4.78.1.1 and BSD/OS 4.3.1
Message-ID: <20090701205531.GA5545@doctor.nl2k.ab.ca>

Right, I am trying to follow the instructions on MailScanner on how to add it into Postfix, turn both MailScanner and Postfix on and everything is in the HOLD queue and nothing is passed into incoming.

What??!!

--
Member - Liberal International
This is doctor@nl2k.ab.ca Ici doctor@nl2k.ab.ca
God, Queen and country! Beware Anti-Christ rising!
Never Satan President Republic!
The fool says in his heart, "There is no God". They are corrupt, and their ways are vile; there is no one who does good. - Ps 53:1

From hafiz at variegate.biz Thu Jul 2 04:46:10 2009
From: hafiz at variegate.biz (Mohd Hafiz Ramly)
Date: Thu Jul 2 04:46:29 2009
Subject: MailScanner: Could not analyze message
In-Reply-To: <4A45056A.4070409@alexb.ch>
References: <4A44FD7F.4030206@variegate.biz> <4A45056A.4070409@alexb.ch>
Message-ID: <4A4C2D82.4050102@variegate.biz>

An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090702/13ce8079/attachment.html

From mail at theantiquecentre.net Thu Jul 2 07:36:35 2009
From: mail at theantiquecentre.net (The Antique Centre)
Date: Thu Jul 2 07:35:45 2009
Subject: Installation on Fedora 11
References: <001201c9fa6c$e1a5ef10$0201a8c0@roysmainbox><4A4B9B32.9090402@ecs.soton.ac.uk>
Message-ID: <004901c9fadf$72b0f320$0201a8c0@roysmainbox>

Thanks

MailScanner --version showed an IO module with the version 1.23_01

So - all should be well

----- Original Message -----
From: "Julian Field" To: "MailScanner discussion" Sent: Wednesday, July 01, 2009 6:21 PM Subject: Re: Installation on Fedora 11 > > > On 01/07/2009 17:56, The Antique Centre wrote: > > I have struggled to install MailScanner on Fedora 11 > > The switch of rpms within Fedora to i586 means that the install.sh > > script picks up the default architecture (on my machine) as being i586. > > This means that at the end of the script it attempts to install > > tnef-1.4.5.i586.rpm, but the one within the MailScanner tarball is > > tnef-1.4.5.i386.rpm. > > I could have either altered the install.sh script or just have > > installed tnef-1.4.5.i386.rpm manually, but found an rpm from > > http://hany.sk/~hany/RPM/doors14.0-i386/tnef-1.4.5-1.fc10.i586.html > > and > > added this instead to satisfy the rpm installation > > I now have MailScanner installed and it starts OK without any errors - > > but have not yet had time to try it out > > However, one of the perl modules just will not compile correctly > > perl-IO-1.2301-4.src.rpm > > no matter what I do > Don't worry too much, you probably have a very recent version of Perl's > IO module installed anyway. You can find out your version of it by doing > "MailScanner --version". > > At some point I will try the build on FC11 and see what works and what > doesn't and try to fix the outstanding problems. > > It's generally considered a pretty bad idea to run a MailScanner server > (which after all is a core production server in your setup) on something > which has such a short life as Fedora. > Please note this is *NOT* a cue for a flame war. > In 18 months time at most, you'll have to totally rebuild it all on the > next version of Fedora in order to keep getting security patches and > updates. A far safer move, which will cause you no more work now and a > lot *less* work down the line, is to use something like CentOS 5.3, for > which there will be patches for plenty of time yet. 
There are a bunch of > MailScanner users who are very keen on running it on Fedora, but this is > generally frowned upon by any of us who do this on a large scale for a > living. Do you really want to have to rebuild everything every 18 months?! > > > But - does this matter if MailScanner installs OK and starts OK ? > > I have read on the Fedora website that it can be built if the > > Buildarch parameter is deleted or commented out - but how do I do that? > You have to mess with the spec file and rebuild the RPM from that, which > is probably unnecessary. I wouldn't worry about it :-) > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > Follow me at twitter.com/JulesFM > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > PGP public key: http://www.jules.fm/julesfm.asc > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From glenn.steen at gmail.com Thu Jul 2 08:44:04 2009 
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Jul 2 08:44:12 2009
Subject: New wiki page
In-Reply-To: <4A4B9AC3.3080103@fsl.com>
References: <1213490F1F316842A544A850422BFA960F6056457D@BHLSBS.bhl.local> <4A09477D575C2C4B86497161427DD94C10D2C613CB@city-exchange07> <4A4B9AC3.3080103@fsl.com>
Message-ID: <223f97700907020044m14c52906r6e275fe5ac1df8ad@mail.gmail.com>

2009/7/1 Steve Freegard :
> Kevin Miller wrote:
>>> What happens if you get a mass mailer worm on your network or a
>>> compromised computer that starts churning out spam? Far more
>>> red faces that way.
>>
>> I wouldn't expect a mass mailer to channel the mail through a
>> smart host - they're most likely geared to send directly.
>>
>
> It's more likely to send directly; but I have seen smart hosts abused as
> well - it depends on the configuration of the PC and the software used
> (e.g. if Outlook Express is configured to use a smart host, then the
> worm will most likely use the same).
>
> Anyone running a private network should:
>
> - Always run your mail server on a dedicated IP address that is not used
> within a NAT pool. This prevents your mail server from being
> blacklisted due to compromised hosts.
>
> - Configure firewalls to deny outbound SMTP traffic by default for NAT
> ranges (and if possible send alerts if a host sends multiple attempts;
> this can be used to detect compromised machines).

I wouldn't limit myself to only deny outgoing mail from NAT ranges.... I explicitly only allow the MailScanner gateways out through the firewall. Not Exchange, not some pesky "I-want-to-mail-directly" server. This way infected machines (whatever that may be) will show up pretty quickly;-).

> - Inspect outbound SMTP traffic for obvious spam signs and reject it
> before queuing (e.g. as per my last mail: URIBL_*, DCC, RAZOR2, PYZOR,
> IXHASH, Bayes, envelope sender from a domain that doesn't belong to you
> etc.).

I actually find MailScanner on the outbound to be enough for me, although I do see the wisdom of what you're saying. I suppose it all depends on your circumstances:).

> Regards,
> Steve.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Thu Jul 2 08:46:12 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Jul 2 08:46:20 2009
Subject: Postfix 2.6.2 , Mail Scanner 4.78.1.1 and BSD/OS 4.3.1
In-Reply-To: <20090701205531.GA5545@doctor.nl2k.ab.ca>
References: <20090701205531.GA5545@doctor.nl2k.ab.ca>
Message-ID: <223f97700907020046l4a667196re136f1b4316e0e9a@mail.gmail.com>

2009/7/1 The Doctor :
> Right I am trying to follow the instructions on MailScanner on how to adding
> into POstFix, turn both MailScanner and Postfix on and everything is in the
> HOLD queue and nothing is passed into incoming.
>
> What??!!

What does
MailScanner --lint
and
MailScanner --debug
tell you? What do you get in the logs?

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From simon at kmun.gov.kw Thu Jul 2 09:42:38 2009
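Added example, not part of any message in this archive: the firewall advice in the "New wiki page" thread above (deny outbound SMTP by default, alert when a host makes multiple attempts, let only the mail gateways out) expressed as a Python check over firewall deny logs. The log fields follow the Linux netfilter LOG layout (abbreviated); the addresses, the log prefix, the threshold and the sample lines are constructed assumptions.

```python
"""Flag internal hosts that try to send SMTP directly instead of via the mail gateway."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumptions for this example (none of these values come from the thread).
MAIL_GATEWAYS = {ip_address("10.0.0.25")}    # the only hosts allowed to speak SMTP outbound
INTERNAL_NETS = [ip_network("10.0.0.0/8")]   # NAT'd client ranges
SMTP_PORT = 25
ALERT_THRESHOLD = 3                          # "multiple attempts" before alerting

# Fields as written by the netfilter LOG target (SRC=, DST=, PROTO=, SPT=, DPT=).
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)"
)

# Constructed sample log lines; "SMTP-OUT" is a hypothetical log prefix.
SAMPLE_LOG = """\
Jul  1 18:20:03 fw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=10.0.0.57 DST=203.0.113.10 LEN=60 TTL=63 PROTO=TCP SPT=49152 DPT=25 SYN
Jul  1 18:20:04 fw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=10.0.0.57 DST=203.0.113.44 LEN=60 TTL=63 PROTO=TCP SPT=49153 DPT=25 SYN
Jul  1 18:20:04 fw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=10.0.0.57 DST=198.51.100.7 LEN=60 TTL=63 PROTO=TCP SPT=49154 DPT=25 SYN
Jul  1 18:20:07 fw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=10.0.0.57 DST=203.0.113.10 LEN=60 TTL=63 PROTO=TCP SPT=49152 DPT=25 SYN
Jul  1 18:20:09 fw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=10.0.0.12 DST=198.51.100.7 LEN=60 TTL=63 PROTO=TCP SPT=50001 DPT=25 SYN
Jul  1 18:20:10 fw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=10.0.0.25 DST=198.51.100.7 LEN=60 TTL=63 PROTO=TCP SPT=40100 DPT=25 SYN
Jul  1 18:20:11 fw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=10.0.0.57 DST=203.0.113.10 LEN=60 TTL=63 PROTO=TCP SPT=49160 DPT=443 SYN
Jul  1 18:20:12 fw kernel: SMTP-OUT: IN=eth1 OUT=eth1 SRC=10.0.0.12 DST=10.0.0.25 LEN=60 TTL=64 PROTO=TCP SPT=50002 DPT=25 SYN
Jul  1 18:21:00 fw kernel: device eth0 entered promiscuous mode
""".splitlines()


def parse_line(line):
    """Return (src, dst, dport) for a TCP log line, or None if it does not parse."""
    m = LOG_RE.search(line)
    if not m:
        return None
    try:
        return ip_address(m.group("src")), ip_address(m.group("dst")), int(m.group("dpt"))
    except ValueError:  # malformed address in the log line
        return None


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def direct_smtp_offenders(lines, threshold=ALERT_THRESHOLD):
    """Map each offending internal host to its attempt count and distinct targets.

    The policy is re-applied here so the function also works on logs that record
    all port-25 traffic, not only packets already dropped by a deny rule.
    """
    attempts = Counter()
    destinations = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        if dport != SMTP_PORT:
            continue                      # not SMTP
        if src in MAIL_GATEWAYS:
            continue                      # the gateway is allowed out
        if not is_internal(src) or is_internal(dst):
            continue                      # e.g. a client submitting to the smart host
        attempts[src] += 1
        destinations.setdefault(src, set()).add(dst)
    return {
        str(src): {"attempts": n, "distinct_destinations": len(destinations[src])}
        for src, n in attempts.items()
        if n >= threshold
    }


if __name__ == "__main__":
    for host, stats in direct_smtp_offenders(SAMPLE_LOG).items():
        print(f"ALERT {host}: {stats['attempts']} direct SMTP attempts "
              f"to {stats['distinct_destinations']} distinct servers")
```

A host with many attempts spread over many distinct destinations looks like a mass mailer; a single repeated destination is more often a misconfigured client.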
From: simon at kmun.gov.kw (Benedict simon)
Date: Thu Jul 2 09:17:08 2009
Subject: MailScanner --lint error thnks
In-Reply-To: <223f97700907010302t2d288ed9p993ef0619321e193@mail.gmail.com>
References: <223f97700907010302t2d288ed9p993ef0619321e193@mail.gmail.com>
Message-ID:

Thank you guys for your quick reply. I will test this out.

Really appreciate it.

regards
simon

> 2009/6/30 Benedict simon :
>> Dear All,
>>
>> I had a CentOS 5.3 server and recently upgraded my MailScanner to 4.77
>> and the latest clamAV+SA jules package
>> everything works fine but
>>
>> I also installed f-prot 6 newly since I did not have it before
>>
>> Now when I run MailScanner --lint I see the following
>>
>> ------------------------
>>
>>
>> Read 854 hostnames from the phishing whitelist
>> Read 8256 hostnames from the phishing blacklists
>> Checking version numbers...
>> Version number in MailScanner.conf (4.77.10) is correct.
>>
>> Your envelope_sender_header in spam.assassin.prefs.conf is correct.
>>
>> Checking for SpamAssassin errors (if you use it)...
>> Using SpamAssassin results cache
>> Connected to SpamAssassin cache database
>> SpamAssassin reported no errors.
>> Connected to Processing Attempts Database
>> Created Processing Attempts Database successfully
>> There are 0 messages in the Processing Attempts Database
>> Using locktype = posix
>> MailScanner.conf says "Virus Scanners = f-prot clamav"
>> Found these virus scanners installed: clamavmodule, f-prot-6
>> ===========================================================================
>> Filename Checks: Windows/DOS Executable (1 eicar.com)
>> Other Checks: Found 1 problems
>> Virus and Content Scanning: Starting
>> xargs: /usr/local/f-prot/f-prot: Permission denied
>> ./1/eicar.com: Eicar-Test-Signature FOUND
>>
>> -------------------------
>>
>> just wondering what the permissions could be
>>
>> tried to change it to 1001:users but problem persists
>>
>> appreciate your help
>>
>>
>> regards
>>
>> simon
>>
> I'm not a user of f-prot... But it might mean that the invoking user
> cannot access the file(s) to be scanned, so perhaps you need amend
> your settings for incoming work group (and permissions) so that that
> user (-s group) can read the MailScanner work directories. Kind of
> like with clamd (where there is a daemon clamd that runs as user/group
> clamav (or similar), and need permissions to be able to read the work
> directories).
>
> Cheers
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>

--
Network ADMIN
-------------
KUWAIT MUNICIPALITY:

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From goetz.reinicke at filmakademie.de Thu Jul 2 09:32:35 2009
From: goetz.reinicke at filmakademie.de (Götz Reinicke - IT Koordinator) Date: Thu Jul 2 09:32:58 2009 Subject: Avira Antivir Update and Mailscanner Message-ID: <4A4C70A3.5040802@filmakademie.de> Hi, recently I looked up and installed the update of the CLI scanner from Avira. The scanner is named "avscan" now and not "antivir" anymore. Are there any updates to the virus.scanners.conf regarding this update? Or may I change/add the settings for the new version? Regards, Götz -- Götz Reinicke IT Coordinator Tel. +49 7141 969 420 Fax +49 7141 969 55 420 E-Mail goetz.reinicke@filmakademie.de Filmakademie Baden-Württemberg GmbH Akademiehof 10 71638 Ludwigsburg www.filmakademie.de Registered at Amtsgericht Stuttgart, HRB 205016 Chair of the Supervisory Board: Prof. Dr. Claudia Hübner, State Councillor for Demographic Change and for Senior Citizens in the State Ministry Managing Director: Prof. Thomas Schadt From t.d.lee at durham.ac.uk Thu Jul 2 10:34:57 2009 
From: t.d.lee at durham.ac.uk (David Lee) Date: Thu Jul 2 10:35:19 2009 Subject: notification ruleset Message-ID: The new processing-db has introduced a new type of email notification, which is typically to inform the local postmaster or email administrator when messages might be stuck. But the current implementation details of this (enabled/disabled; recipient of notification) are, I believe, piggybacked on configuration settings (e.g. "Send Notices", "Notices To") that were primarily intended for informing about viruses. But the two are The virus policy at many sites is silent dropping and no notification. But the desirable processing-db policy may very definitely want active notification of such processing problems. Julian: Could there be some sort of ruleset-based processing that would allow (logically at least) something like: virus-notification = no processing-notification = yes virus-notification-to = ... processing-notification-to = ... That would be most useful. Note, too, that it would be extensible to other classes of notification. (I imagine that some folk might then want to go a stage further with (for instance) domain-dependent specifications. I guess that would be nice, but I wouldn't wish possible implementation difficulties with that aspect to scuttle the basic idea discussed earlier.) -- : David Lee I.T. Service : : Senior Systems Programmer Computer Centre : : UNIX Team Leader Durham University : : South Road : : http://www.dur.ac.uk/t.d.lee/ Durham DH1 3LE : : Phone: +44 191 334 2752 U.K. : From simon at kmun.gov.kw Thu Jul 2 12:03:42 2009 
From: simon at kmun.gov.kw (Benedict simon) Date: Thu Jul 2 11:38:12 2009 Subject: MailScanner --lint error solved In-Reply-To: References: <69cea7fc990891820758b7fac95250c7.squirrel@webmail.baladia.gov.kw> <4A4B1BD9.3000403@ecs.soton.ac.uk> Message-ID: <19712bac62d61f90888441ca84483b72.squirrel@webmail.baladia.gov.kw> > You probably haven't edited /etc/MailScanner/virus.scanners.conf to tell > it where you put your copy of f-prot. > > Jules. you were right jules I did edit the virus-scanners.conf file but there was was mismatch setting in /etc/Mailcanner.conf file and virus.scanners.conf file thanks and apprecite regards simon > > On 30/06/2009 20:03, Benedict simon wrote: >> Dear All, >> >> I had a Centos 5.3 server and recently upgraded my MailScanner to 4.77 >> and the latest clamAV+SA jules package >> everything works fine but >> >> I also installed f-prot 6 newly since i did not have it before >> >> Now when I run MailScanner --lint i see the following >> >> ------------------------ >> >> >> Read 854 hostnames from the phishing whitelist >> Read 8256 hostnames from the phishing blacklists >> Checking version numbers... >> Version number in MailScanner.conf (4.77.10) is correct. >> >> Your envelope_sender_header in spam.assassin.prefs.conf is correct. >> >> Checking for SpamAssassin errors (if you use it)... >> Using SpamAssassin results cache >> Connected to SpamAssassin cache database >> SpamAssassin reported no errors. 
>> Connected to Processing Attempts Database >> Created Processing Attempts Database successfully >> There are 0 messages in the Processing Attempts Database >> Using locktype = posix >> MailScanner.conf says "Virus Scanners = f-prot clamav" >> Found these virus scanners installed: clamavmodule, f-prot-6 >> =========================================================================== >> Filename Checks: Windows/DOS Executable (1 eicar.com) >> Other Checks: Found 1 problems >> Virus and Content Scanning: Starting >> xargs: /usr/local/f-prot/f-prot: Permission denied >> ./1/eicar.com: Eicar-Test-Signature FOUND >> >> ------------------------- >> >> jus wondering what the permissions could be >> >> tried to change it to 1001:users but problem persists >> >> apprecite your help >> >> >> reggards >> >> simon >> >> >> >> > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > Follow me at twitter.com/JulesFM and twitter.com/MailScanner > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > -- Network ADMIN ------------- KUWAIT MUNICIPALITY: -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From rabollinger at gmail.com Thu Jul 2 17:06:16 2009 From: rabollinger at gmail.com (Richard Bollinger) Date: Thu Jul 2 17:06:25 2009 Subject: Russian Text = Executable? Message-ID: <7744a2840907020906rc4077adt848ee24ccefd45e8@mail.gmail.com> Running MailScanner version 4.74.16, file-5.03 When our russian employee attempts to email his associates, the text portion of his email is interpreted by the file command as msg-15166-15.txt: DOS executable (COM) # grep msg-15166-15 /var/adm/maillog Jul 2 08:40:53 ls04 MailScanner[15166]: Filename Checks: Allowing n62Cd5xN017134 msg-15166-15.txt Jul 2 08:40:53 ls04 MailScanner[15166]: Filetype Checks: No executables (n62Cd5xN017134 msg-15166-15.txt) Jul 2 08:41:01 ls04 MailScanner[15166]: Saved infected "msg-15166-15.txt" to /var/spool/MailScanner/quarantine/20090702/n62Cd5xN017134 Fine... I read the mailing list notes and docs which say file -i should work better... and it does: msg-15166-15.txt: text/plain; charset=iso-8859-1 So I inserted a rule to match that in filetypes.rules.conf like so --- filetype.rules.conf.FCS 2008-03-12 05:50:04.000000000 -0400 +++ filetype.rules.conf 2009-07-02 11:18:38.000000000 -0400 
@@ -18,6 +18,7 @@ allow \bscript - - allow archive - - allow postscript - - +allow - iso-8859-1 - - deny self-extract No self-extracting archives No self-extracting archives allowed deny executable No executables No programs allowed #EXAMPLE: deny - x-dosexec No DOS executables No DOS programs allowed But apparently MIME rules in the filetype.rules.conf files aren't really checked in order as one might expect... so its still getting blocked: # grep msg-25147-33 /var/adm/maillog Jul 2 10:52:33 ls04 MailScanner[25147]: Filename Checks: Allowing n62EqVIg027437 msg-25147-33.txt Jul 2 10:52:33 ls04 MailScanner[25147]: Filetype Checks: No executables (n62EqVIg027437 msg-25147-33.txt) Jul 2 10:52:33 ls04 MailScanner[25147]: Filetype Mime Checks: Allowing n62EqVIg027437 msg-25147-33.txt Jul 2 10:52:38 ls04 MailScanner[25147]: Saved infected "msg-25147-33.txt" to /var/spool/MailScanner/quarantine/20090702/n62EqVIg027437 So, do we have to drop the filetype rule for executables and go with the MIME rules only? That doesn't seem to detect all executable formats, often coming up with application/octet-stream; charset=binary, which is pretty generic, instead of executable. Suggestions? From alex at skynet-srl.com Thu Jul 2 21:39:07 2009 
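Review bot: the added line "allow - iso-8859-1 - -" keys on the charset string in the MIME column rather than on the type, so wherever that pattern is compared with the "file -i" result it is not limited to "text/plain"; matching "text/plain" there would be the narrower rule. It also cannot rescue this message on its own: "deny executable" two lines further down is in the file-type column, and the log taken after the change still shows "Filetype Checks: No executables" for the same part that "Filetype Mime Checks" allows, so the magic-based deny still quarantines it.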
From: alex at skynet-srl.com (Alessandro Bianchi) Date: Thu Jul 2 21:43:36 2009 Subject: Tiny text only spam (semi OT) In-Reply-To: <200907021100.n62B03of017800@safir.blacknight.ie> References: <200907021100.n62B03of017800@safir.blacknight.ie> Message-ID: <4A4D1AEB.2080804@skynet-srl.com> Hi guys Those damned spammers have found a way to break in After image only spam, they have managed to build plain text only spam (no links or html or images, just text) that slips through my MS installation. They often place in orthographic errors to "fool" spamassassin. Here is an example: <<< START -- destination address has been masked From - Mon Jun 29 15:03:22 2009 X-Mozilla-Status: 0001 X-Mozilla-Status2: 00000000 Return-Path: X-Original-To: xxxxxxxxxxxxxxxxxxxxxx Delivered-To: xxxxxxxxxxxxxxxxxxxxxxxx X-Greylist: delayed 312 seconds by postgrey-1.30 at Log; Sun, 28 Jun 2009 15:09:01 CEST Received: from jtuxl.forthnet.gr (adsl144-208.lsf.forthnet.gr [79.103.75.208]) by cdnet02.cdnet.it (Postfix) with SMTP id A17793880EF for; Sun, 28 Jun 2009 15:09:01 +0200 (CEST) Date: Sun, 28 Jun 2009 13:09:04 +0100 Content-Type: text/plain; charset="windows-1256" 
From: "kayaker" MIME-Version: 1.0 To: xxxxxxxxxxxxxxxxxxxxxxx Message-ID: Subject: How To Make A iGprl As Hot As Paris Hilton Achieve Multiple Orgasms X-skynet-srl-MailScanner-ID: A17793880EF.A13C2 X-MailScanner: Found to be clean X-MailScanner-SpamScore: s X-MailScanner-From: bivalved@rojax.com X-skynet-srl-MailScanner-Watermark: 1246799344.38984@X6K8Q1cEZ6QnFvmnvQtBwQ X-Spam-Status: No Hfow To Make A Girl Ass Hot As Paris Hilton Achieve Multiple Orgasms www. pill20. com. Girl, 5, Forced To Apologize For Hugging Claassmate <<<< END Blocking the from address is completely useless since it is randomly changed and the same is for subject and text content. Has anyone else seen a similar behaviour and found a solution? Thank you and best regards Alessandro -- *SkyNet SRL* P.zza XXV Aprile 14 - 28021 Borgomanero (NO) - ITALY Tel. +39 0322 836487/834765 - Fax.+39 0322.836608 info@skynet-srl.com -www.skynet-srl.com The information contained in this message is private and confidential and its dissemination in any form is prohibited. If you are not the person for whom this message is intended, please delete it and kindly let us know. For any information on this matter, please contact info@skynet-srl.com . ( Ref. D.L. 196/200 ) From alex at rtpty.com Thu Jul 2 22:08:02 2009 
From: alex at rtpty.com (Alex Neuman) Date: Thu Jul 2 22:08:16 2009 Subject: Tiny text only spam (semi OT) In-Reply-To: <4A4D1AEB.2080804@skynet-srl.com> References: <200907021100.n62B03of017800@safir.blacknight.ie> <4A4D1AEB.2080804@skynet-srl.com> Message-ID: <24e3d2e40907021408s1579741fh780c9f00691b078c@mail.gmail.com> Do RBL's help at all? Can you turn on full spamassassin reports so we can see what rules it hit? On Thu, Jul 2, 2009 at 3:39 PM, Alessandro Bianchi wrote: > Hi guys > > Those damned spemmers have found a way to break in > > After image only spam, they have managed to build plain text only spam (no > links or hrml or images, just text) that slips throught my MS installation. > > They often place in ortographic errors to "fool" spamassassin. > > Here is an example: > <<< START -- destination address has been maqued > > From - Mon Jun 29 15:03:22 2009 > X-Mozilla-Status: 0001 > X-Mozilla-Status2: 00000000 > Return-Path: > X-Original-To: xxxxxxxxxxxxxxxxxxxxxx > Delivered-To: xxxxxxxxxxxxxxxxxxxxxxxx > X-Greylist: delayed 312 seconds by postgrey-1.30 at Log; Sun, 28 Jun 2009 15:09:01 CEST > Received: from jtuxl.forthnet.gr (adsl144-208.lsf.forthnet.gr [79.103.75.208]) > by cdnet02.cdnet.it (Postfix) with SMTP id A17793880EF > for ; Sun, 28 Jun 2009 15:09:01 +0200 (CEST) > Date: Sun, 28 Jun 2009 13:09:04 +0100 > Content-Type: text/plain; > charset="windows-1256" 
> From: "kayaker" > MIME-Version: 1.0 > To: xxxxxxxxxxxxxxxxxxxxxxx > Message-ID: > Subject: How To Make A iGprl As Hot As Paris Hilton Achieve Multiple Orgasms > X-skynet-srl-MailScanner-ID: A17793880EF.A13C2 > X-MailScanner: Found to be clean > X-MailScanner-SpamScore: s > X-MailScanner-From: bivalved@rojax.com > X-skynet-srl-MailScanner-Watermark: 1246799344.38984@X6K8Q1cEZ6QnFvmnvQtBwQ > X-Spam-Status: No > > Hfow To Make A Girl Ass Hot As Paris Hilton Achieve Multiple Orgasms www. pill20. com. Girl, 5, Forced To Apologize For Hugging Claassmate > > > <<<< END > > Blocking the from address is completely useless since it is randomly > changed and the same is for subject and text content. > > Has anyone else seen a similar behaviour and found a solution? > > Thank you ad best regards > > Alessandro > > -- > > *SkyNet SRL* > > P.zza XXV Aprile 14 - 28021 Borgomanero (NO) - ITALY > > Tel. +39 0322 836487/834765 - Fax.+39 0322.836608 > > info@skynet-srl.com -www.skynet-srl.com > > > > > Le informazioni contenute in questo messaggio sono riservate e > confidenziali e ne ? vietata la diffusione in qualunque forma. > > Qualora Lei non fosse la persona a cui il presente messaggio ? destinato, > La invitiamo ad eliminarlo dandocene gentilmente comunicazione. > > Per qualsiasi informazione in merito si prega di contattare > info@skynet-srl.com. ( Rif. D.L. 196/200 ) > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- Alex Neuman van der Hans Reliant Technologies +507 6781-9505 +507 202-1525 alex@rtpty.com Skype: alexneuman -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090702/67f6f998/attachment.html From steveb_clamav at sanesecurity.com Thu Jul 2 22:13:35 2009 From: steveb_clamav at sanesecurity.com (Steve Basford) Date: Thu Jul 2 22:13:47 2009 Subject: Tiny text only spam (semi OT) In-Reply-To: <4A4D1AEB.2080804@skynet-srl.com> References: <200907021100.n62B03of017800@safir.blacknight.ie> <4A4D1AEB.2080804@skynet-srl.com> Message-ID: <4A4D22FF.90305@sanesecurity.com> Alessandro Bianchi wrote: > Hi guys > > Those damned spemmers have found a way to break in > > After image only spam, they have managed to build plain text only spam > (no links or hrml or images, just text) that slips throught my MS > installation. > > They often place in ortographic errors to "fool" spamassassin. > Hi, They are being detected as : Sanesecurity.Spam.10528 Cheers, Steve Sanesecurity sanesecurity.com From mmurdock_lists at kimballequipment.com Thu Jul 2 22:18:30 2009 
From: mmurdock_lists at kimballequipment.com (Mat Murdock) Date: Thu Jul 2 22:19:56 2009 Subject: (2nd Request) Disable scanning for a client that connectsviaSMTP-AUTH In-Reply-To: <4A19BD250200002D00006795@sparky.asdm.net> References: <4A147B290200002D00006737@sparky.asdm.net> <200905210754.04555.eli@orbsky.homelinux.org> <4A170F760200002D0000676D@sparky.asdm.net> <200905230757.01173.eli@orbsky.homelinux.org> <4A1867050200002D00006786@sparky.asdm.net> <20090524174243.GB2724@msapiro> <4A19BD250200002D00006795@sparky.asdm.net> Message-ID: <4A4D2426.3000804@kimballequipment.com> I know I'm kind of bringing this topic back from the dead, but spamassasin has a rule called "ALL_TRUSTED" that detects if the e-mail used smtp-auth. If so it give it negative score. It does this by looking at the sendmail headers. The problem I have is that my users are sending their mail from ip's that are on dns blacklists. It would be nice if MailScanner was also able to read the headers the same way that spamassassin does and allow the user to skip dns blacklist checks for authenticated e-mails. Mat Gary Faith wrote: > That is exactly what I want to do but I am not a sendmail expert and I > don't know how. I was hoping someone would know how to do this. > > >>> Mark Sapiro 5/24/2009 1:42 PM >>> > On Sat, May 23, 2009 at 09:13:41PM -0400, Gary Faith wrote: > > My business that has the mail scanner is my ISP and all my personal > outbound mail will be going through that mail scanner. Discussing > whether I can relay through someone or another is pointless. What I > need is a way to not scan e-mail when it comes from a trusted source. > Do you know how I can do this? > > > I use Postfix and am not really familiar with how MailScanner works with > sendmail, but can't you just do something in the sendmail configuration to > identify the SMTP-AUTH mail and queue or deliver it in a way that bypasses > MailScanner? 
> > -- > Mark Sapiro mark at msapiro net The highway is for gamblers, > San Francisco Bay Area, California better use your sense - B. Dylan > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and > dangerous content by *MailScanner* , and is > believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090702/9fa62164/attachment.html From MailScanner at ecs.soton.ac.uk Thu Jul 2 22:59:43 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jul 2 23:00:06 2009 Subject: (2nd Request) Disable scanning for a client that connectsviaSMTP-AUTH In-Reply-To: <4A4D2426.3000804@kimballequipment.com> References: <4A147B290200002D00006737@sparky.asdm.net> <200905210754.04555.eli@orbsky.homelinux.org> <4A170F760200002D0000676D@sparky.asdm.net> <200905230757.01173.eli@orbsky.homelinux.org> <4A1867050200002D00006786@sparky.asdm.net> <20090524174243.GB2724@msapiro> <4A19BD250200002D00006795@sparky.asdm.net> <4A4D2426.3000804@kimballequipment.com> <4A4D2DCF.2050901@ecs.soton.ac.uk> Message-ID: In which case please tell me how I find out from the email headers, in such a way that it works for all 4 supported MTAs. I'm not interested in a sendmail-only solution. Thanks, Jules. On 02/07/2009 22:18, Mat Murdock wrote: > I know I'm kind of bringing this topic back from the dead, but > spamassasin has a rule called "ALL_TRUSTED" that detects if the e-mail > used smtp-auth. If so it give it negative score. It does this by > looking at the sendmail headers. The problem I have is that my users > are sending their mail from ip's that are on dns blacklists. It would > be nice if MailScanner was also able to read the headers the same way > that spamassassin does and allow the user to skip dns blacklist checks > for authenticated e-mails. > > Mat > > Gary Faith wrote: >> That is exactly what I want to do but I am not a sendmail expert and >> I don't know how. I was hoping someone would know how to do this. >> >> >>> Mark Sapiro 5/24/2009 1:42 PM >>> >> On Sat, May 23, 2009 at 09:13:41PM -0400, Gary Faith wrote: >> > My business that has the mail scanner is my ISP and all my personal >> outbound mail will be going through that mail scanner. Discussing >> whether I can relay through someone or another is pointless. What I >> need is a way to not scan e-mail when it comes from a trusted >> source. Do you know how I can do this? 
>> >> >> I use Postfix and am not really familiar with how MailScanner works with >> sendmail, but can't you just do something in the sendmail >> configuration to >> identify the SMTP-AUTH mail and queue or deliver it in a way that >> bypasses >> MailScanner? >> >> -- >> Mark Sapiro mark at msapiro net The highway is for gamblers, >> San Francisco Bay Area, California better use your sense - B. Dylan >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> >> -- >> This message has been scanned for viruses and >> dangerous content by *MailScanner* , >> and is >> believed to be clean. > > > -- > This message has been scanned for viruses and > dangerous content by *MailScanner* , and is > believed to be clean. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Follow me at twitter.com/JulesFM MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From seven at seven.dorksville.net Fri Jul 3 01:44:30 2009 
From: seven at seven.dorksville.net (Anthony Giggins) Date: Fri Jul 3 01:44:58 2009 Subject: Anti-Phishing Update -- New data feed In-Reply-To: References: <20090617150642.GA2628@msapiro> <4A391348.3050309@fsl.com> <4A39F763.5050007@ecs.soton.ac.uk> <20090618201724.GA2772@msapiro> <4A3AA983.6000509@fsl.com> <4A3B4709.8010007@ecs.soton.ac.uk> <4A3B957C.40902@USherbrooke.ca> <4A3CEB10.70504@ecs.soton.ac.uk> <4A3F7911.6050208@USherbrooke.ca> <32390.125.168.254.15.1246324547.squirrel@seven.dorksville.net> <4A4A2B2C.3070104@ecs.soton.ac.uk> Message-ID: <65088.125.168.254.15.1246581870.squirrel@seven.dorksville.net> Sorry where do I add the "SpamAssassin Rule Actions"? Cheers, Anthony > At the bottom of the ruleset is the huge "meta" rule that combines them > all. Look for that rule scoring a hit in your mail logs, if you have > "Log Spam = yes" in MailScanner.conf. > And you will obviously need a "SpamAssassin Rule Actions" set to trigger > deletion/quarantining if this rule hits, or nothing will happen when the > rule hits. > > Jules. > > On 30/06/2009 02:15, Anthony Giggins wrote: >>> Thanks! >>> >>> Denis >>> Julian Field a ?crit : >>> >>>> Check out the new version 2.04. It supports --quiet and --help. >>>> >> Silly question, how can I tell if this is helping phishing detection or >> not? >> >> Cheers, >> >> Anthony >> >> >> >> > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > Follow me at twitter.com/JulesFM > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > PGP public key: http://www.jules.fm/julesfm.asc > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. 
> > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > From zaeem.arshad at gmail.com Fri Jul 3 04:34:42 2009 From: zaeem.arshad at gmail.com (Zaeem Arshad) Date: Fri Jul 3 04:34:55 2009 Subject: New wiki page In-Reply-To: <4A4B9AC3.3080103@fsl.com> References: <1213490F1F316842A544A850422BFA960F6056457D@BHLSBS.bhl.local> <4A09477D575C2C4B86497161427DD94C10D2C613CB@city-exchange07> <4A4B9AC3.3080103@fsl.com> Message-ID: <3e1809420907022034j3f9088baif5cc34db5ec9dde6@mail.gmail.com> Hi Steve, On Wed, Jul 1, 2009 at 11:20 PM, Steve Freegard wrote: > > > - Inspect outbound SMTP traffic for obvious spam signs and reject it > before queuing (e.g. as per my last mail: URIBL_*, DCC, RAZOR2, PYZOR, > IXHASH, Bayes, envelope sender from a domain that doesn't belong to you > etc.). > Apart from the URIBL check, the DCC, Razor2, Pyzor and IXHASH checks require you to queue the mail before they can be run. I am not sure how would one delegate the responsibility to the MTA? And even if one can, the time involved in scanning will be considerable opening a DoS attack vector. Since I am aware of your contributions, I am inclined to the fact that I might have gotten it all wrong. Please correct me if that's the case. Regards -- Zaeem -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090703/f2a3087e/attachment.html From uxbod at splatnix.net Fri Jul 3 08:19:53 2009 
From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Fri Jul 3 08:20:08 2009 Subject: Tiny text only spam (semi OT) In-Reply-To: <4A4D1AEB.2080804@skynet-srl.com> Message-ID: <31014713.31246605593150.JavaMail.root@office.splatnix.net> ----- "Alessandro Bianchi" wrote: > Hi guys > > Those damned spemmers have found a way to break in > > After image only spam, they have managed to build plain text only spam (no links or hrml or images, just text) that slips throught my MS installation. > > They often place in ortographic errors to "fool" spamassassin. > > Here is an example: > <<< START -- destination address has been maqued > > From - Mon Jun 29 15:03:22 2009 X-Mozilla-Status: 0001 X-Mozilla-Status2: 00000000 Return-Path: X-Original-To: xxxxxxxxxxxxxxxxxxxxxx Delivered-To: xxxxxxxxxxxxxxxxxxxxxxxx X-Greylist: delayed 312 seconds by postgrey-1.30 at Log; Sun, 28 Jun 2009 15:09:01 CEST Received: from jtuxl.forthnet.gr (adsl144-208.lsf.forthnet.gr [79.103.75.208]) by cdnet02.cdnet.it (Postfix) with SMTP id A17793880EF for ; Sun, 28 Jun 2009 15:09:01 +0200 (CEST) Date: Sun, 28 Jun 2009 13:09:04 +0100 Content-Type: text/plain; charset="windows-1256" 
From: "kayaker" MIME-Version: 1.0 To: xxxxxxxxxxxxxxxxxxxxxxx Message-ID: Subject: How To Make A iGprl As Hot As Paris Hilton Achieve Multiple Orgasms X-skynet-srl-MailScanner-ID: A17793880EF.A13C2 X-MailScanner: Found to be clean X-MailScanner-SpamScore: s X-MailScanner-From: bivalved@rojax.com X-skynet-srl-MailScanner-Watermark: 1246799344.38984@X6K8Q1cEZ6QnFvmnvQtBwQ X-Spam-Status: No Hfow To Make A Girl Ass Hot As Paris Hilton Achieve Multiple Orgasms www. pill20. com. Girl, 5, Forced To Apologize For Hugging Claassmate <<<< END > > Blocking the from address is completely useless since it is randomly changed and the same is for subject and text content. > > Has anyone else seen a similar behaviour and found a solution? > > Thank you ad best regards > > Alessandro > > > -- > Yep, I am getting a lot of these though most are being blocked. Here is what SA is doing :- [BAYES_95=3, RCVD_IN_BRBL=3, RCVD_IN_JMF_BL=1.5,RCVD_IN_PBL=0.905, RCVD_IN_SORBS_DUL=0.877, RDNS_DYNAMIC=0.1,SARE_ADULT2=1.42, SARE_CHARSET_W1251=1.656] Best Regards, -- SplatNIX IT Services :: Innovation through collaboration From ms-list at alexb.ch Fri Jul 3 08:31:34 2009 
From: ms-list at alexb.ch (Alex Broens) Date: Fri Jul 3 08:31:43 2009 Subject: Tiny text only spam (semi OT) In-Reply-To: <31014713.31246605593150.JavaMail.root@office.splatnix.net> References: <31014713.31246605593150.JavaMail.root@office.splatnix.net> Message-ID: <4A4DB3D6.7020809@alexb.ch> On 7/3/2009 9:19 AM, --[ UxBoD ]-- wrote: > ----- "Alessandro Bianchi" wrote: >> Hi guys >> >> Those damned spemmers have found a way to break in >> >> After image only spam, they have managed to build plain text only spam (no links or hrml or images, just text) that slips throught my MS installation. >> >> They often place in ortographic errors to "fool" spamassassin. >> >> Here is an example: >> <<< START -- destination address has been maqued >> >> From - Mon Jun 29 15:03:22 2009 > X-Mozilla-Status: 0001 > X-Mozilla-Status2: 00000000 > Return-Path: X-Original-To: xxxxxxxxxxxxxxxxxxxxxx > Delivered-To: xxxxxxxxxxxxxxxxxxxxxxxx > X-Greylist: delayed 312 seconds by postgrey-1.30 at Log; Sun, 28 Jun 2009 15:09:01 CEST > Received: from jtuxl.forthnet.gr (adsl144-208.lsf.forthnet.gr [79.103.75.208]) > by cdnet02.cdnet.it (Postfix) with SMTP id A17793880EF > for ; Sun, 28 Jun 2009 15:09:01 +0200 (CEST) > Date: Sun, 28 Jun 2009 13:09:04 +0100 > Content-Type: text/plain; > charset="windows-1256" 
> From: "kayaker" MIME-Version: 1.0 > To: xxxxxxxxxxxxxxxxxxxxxxx > Message-ID: Subject: How To Make A iGprl As Hot As Paris Hilton Achieve Multiple Orgasms > X-skynet-srl-MailScanner-ID: A17793880EF.A13C2 > X-MailScanner: Found to be clean > X-MailScanner-SpamScore: s > X-MailScanner-From: bivalved@rojax.com X-skynet-srl-MailScanner-Watermark: 1246799344.38984@X6K8Q1cEZ6QnFvmnvQtBwQ > X-Spam-Status: No > > Hfow To Make A Girl Ass Hot As Paris Hilton Achieve Multiple Orgasms www. pill20. com. Girl, 5, Forced To Apologize For Hugging Claassmate <<<< END >> Blocking the from address is completely useless since it is randomly changed and the same is for subject and text content. >> >> Has anyone else seen a similar behaviour and found a solution? >> >> Thank you ad best regards >> >> Alessandro >> >> >> -- >> > > Yep, I am getting a lot of these though most are being blocked. Here is what SA is doing :- > > [BAYES_95=3, RCVD_IN_BRBL=3, RCVD_IN_JMF_BL=1.5,RCVD_IN_PBL=0.905, RCVD_IN_SORBS_DUL=0.877, RDNS_DYNAMIC=0.1,SARE_ADULT2=1.42, SARE_CHARSET_W1251=1.656] > there's rules floating around the SA list... probably the better place to look/ask From mikael at syska.dk Fri Jul 3 08:52:29 2009 
From: mikael at syska.dk (Mikael Syska) Date: Fri Jul 3 08:52:39 2009 Subject: Anti-Phishing Update -- New data feed In-Reply-To: <65088.125.168.254.15.1246581870.squirrel@seven.dorksville.net> References: <4A3B957C.40902@USherbrooke.ca> <4A3CEB10.70504@ecs.soton.ac.uk> <4A3F7911.6050208@USherbrooke.ca> <32390.125.168.254.15.1246324547.squirrel@seven.dorksville.net> <4A4A2B2C.3070104@ecs.soton.ac.uk> <65088.125.168.254.15.1246581870.squirrel@seven.dorksville.net> Message-ID: <6beca9db0907030052i67301238i52488f82306d6662@mail.gmail.com> Hi, Its a setting in the MailScanner.conf - search for the name and you will find it. mvh On Fri, Jul 3, 2009 at 2:44 AM, Anthony Giggins wrote: > Sorry where do I add the "SpamAssassin Rule Actions"? > > Cheers, > > Anthony > >> At the bottom of the ruleset is the huge "meta" rule that combines them >> all. Look for that rule scoring a hit in your mail logs, if you have >> "Log Spam = yes" in MailScanner.conf. >> And you will obviously need a "SpamAssassin Rule Actions" set to trigger >> deletion/quarantining if this rule hits, or nothing will happen when the >> rule hits. >> >> Jules. >> >> On 30/06/2009 02:15, Anthony Giggins wrote: >>>> Thanks! >>>> >>>> Denis >>>> Julian Field a ?crit : >>>> >>>>> Check out the new version 2.04. It supports --quiet and --help. >>>>> >>> Silly question, how can I tell if this is helping phishing detection or >>> not? >>> >>> Cheers, >>> >>> Anthony >>> >>> >>> >>> >> >> Jules >> >> -- >> Julian Field MEng CITP CEng >> www.MailScanner.info >> Buy the MailScanner book at www.MailScanner.info/store >> Follow me at twitter.com/JulesFM >> >> MailScanner customisation, or any advanced system administration help? >> Contact me at Jules@Jules.FM >> >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> PGP public key: http://www.jules.fm/julesfm.asc >> >> >> -- >> This message has been scanned for viruses and >> dangerous content by MailScanner, and is >> believed to be clean. 
>> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> >> > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From glenn.steen at gmail.com Fri Jul 3 09:01:25 2009 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Jul 3 09:01:34 2009 Subject: Russian Text = Executable? In-Reply-To: <7744a2840907020906rc4077adt848ee24ccefd45e8@mail.gmail.com> References: <7744a2840907020906rc4077adt848ee24ccefd45e8@mail.gmail.com> Message-ID: <223f97700907030101he93b8f3nad4fc312f4b8b93d@mail.gmail.com> 2009/7/2 Richard Bollinger : > Running MailScanner version 4.74.16, file-5.03 > > When our russian employee attempts to email his associates, the text > portion of his email is interpreted by the file command as > ? ?msg-15166-15.txt: DOS executable (COM) > # grep msg-15166-15 /var/adm/maillog > Jul ?2 08:40:53 ls04 MailScanner[15166]: Filename Checks: Allowing > n62Cd5xN017134 msg-15166-15.txt > Jul ?2 08:40:53 ls04 MailScanner[15166]: Filetype Checks: No > executables (n62Cd5xN017134 msg-15166-15.txt) > Jul ?2 08:41:01 ls04 MailScanner[15166]: Saved infected > "msg-15166-15.txt" to > /var/spool/MailScanner/quarantine/20090702/n62Cd5xN017134 > > Fine... I read the mailing list notes and docs which say file -i > should work better... and it does: > ? ?msg-15166-15.txt: text/plain; charset=iso-8859-1 > > So I inserted a rule to match that in filetypes.rules.conf like so > --- filetype.rules.conf.FCS ? ? 2008-03-12 05:50:04.000000000 -0400 > +++ filetype.rules.conf 2009-07-02 11:18:38.000000000 -0400 
> @@ -18,6 +18,7 @@ > ?allow ?\bscript ? ? ? ?- ? ? ? ? ? ? ? ? ? ? ? - > ?allow ?archive ? ? ? ? - ? ? ? ? ? ? ? ? ? ? ? - > ?allow ?postscript ? ? ?- ? ? ? ? ? ? ? ? ? ? ? - > +allow ?- ? ? ? iso-8859-1 ? ? ?- ? ? ? - > ?deny ? self-extract ? ?No self-extracting archives ? ? No > self-extracting archives allowed > ?deny ? executable ? ? ?No executables ? ? ? ? ?No programs allowed > ?#EXAMPLE: deny - ? ? ? x-dosexec ? ? ? No DOS executables ? ? ?No DOS > programs allowed > > But apparently MIME rules in the filetype.rules.conf files aren't > really checked in order as one might expect... so its still getting > blocked: > # grep msg-25147-33 /var/adm/maillog > Jul ?2 10:52:33 ls04 MailScanner[25147]: Filename Checks: Allowing > n62EqVIg027437 msg-25147-33.txt > Jul ?2 10:52:33 ls04 MailScanner[25147]: Filetype Checks: No > executables (n62EqVIg027437 msg-25147-33.txt) > Jul ?2 10:52:33 ls04 MailScanner[25147]: Filetype Mime Checks: > Allowing n62EqVIg027437 msg-25147-33.txt > Jul ?2 10:52:38 ls04 MailScanner[25147]: Saved infected > "msg-25147-33.txt" to > /var/spool/MailScanner/quarantine/20090702/n62EqVIg027437 > > So, do we have to drop the filetype rule for executables and go with > the MIME rules only? ?That doesn't seem to detect all executable > formats, often coming up with > application/octet-stream; charset=binary, which is pretty generic, > instead of executable. > > Suggestions? A) replace your file package with one were the overoptimistic one-byte-magics isn't present (if available, that is). B) Edit your magic file(s) and manually remove/comment the offending magic lines, then "recompile" it with "file -C". C) Switch to file -i Dreary, but ... there it is. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From mikael at syska.dk Fri Jul 3 09:27:42 2009 
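Review bot: the added "allow - iso-8859-1 - -" line in the quoted filetype.rules.conf hunk keys on a charset string rather than on a file type, so if it matches at all it allows every attachment that "file -i" labels with that charset, whatever its type. Match the type instead (the "file -i" output quoted in this message is "text/plain; charset=iso-8859-1", so a pattern on text/plain) and put a comment above the line saying why it is there. The log excerpt taken after the change shows "Filetype Checks: No executables" still firing before "Filetype Mime Checks: Allowing", so this line on its own does not stop the quarantine; the "deny executable" rule a few lines below it is what still blocks the message.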
From: mikael at syska.dk (Mikael Syska)
Date: Fri Jul 3 09:27:51 2009
Subject: Stop logging message over sacore 20
Message-ID: <6beca9db0907030127o32dee727y6223c03b7c718273@mail.gmail.com>

Hi,

We have a fairly large mailwatch db ... about 2 mill rows ... to speed things up we could delete messages with a sascore over 20. That could cut off 1.5 mill rows ... :-)

using:
SpamAssassin Rule Actions = SpamScore>20=>delete

But what about mailwatch? Do I need to edit the MailWatch.pm file or can it be done within MailScanner?

best regards
Mikael Syska

From steve.freegard at fsl.com Fri Jul 3 09:28:47 2009
From: steve.freegard at fsl.com (Steve Freegard) Date: Fri Jul 3 09:28:57 2009 Subject: New wiki page In-Reply-To: <3e1809420907022034j3f9088baif5cc34db5ec9dde6@mail.gmail.com> References: <1213490F1F316842A544A850422BFA960F6056457D@BHLSBS.bhl.local> <4A09477D575C2C4B86497161427DD94C10D2C613CB@city-exchange07> <4A4B9AC3.3080103@fsl.com> <3e1809420907022034j3f9088baif5cc34db5ec9dde6@mail.gmail.com> Message-ID: <4A4DC13F.7090702@fsl.com> Zaeem Arshad wrote: > Hi Steve, > > On Wed, Jul 1, 2009 at 11:20 PM, Steve Freegard > wrote: > > > > - Inspect outbound SMTP traffic for obvious spam signs and reject it > before queuing (e.g. as per my last mail: URIBL_*, DCC, RAZOR2, PYZOR, > IXHASH, Bayes, envelope sender from a domain that doesn't belong to you > etc.). > > > > Apart from the URIBL check, the DCC, Razor2, Pyzor and IXHASH checks > require you to queue the mail before they can be run. I am not sure how > would one delegate the responsibility to the MTA? And even if one can, > the time involved in scanning will be considerable opening a DoS attack > vector. Queueing !== requiring the entire message to run. Both Sendmail and Postfix support the milter API, Exim has even far more wizardry (and can support the milter API as well); all of these can pass the message body as it is received and can create their own temporary files as they choose as they are totally separate programs. They can then instruct the MTA to send specific SMTP codes and messages. It's been possible to run SpamAssassin via various interfaces at SMTP time for ages; milter-spamc, spamass-milter etc. same with ClamAV etc. Time involved to scan is not considerable at all; a full SA scan including bayes & network tests takes on average around 3 seconds, ClamAV is even less - you could even run both concurrently (milter API is serial at content however). 
The SMTP RFC allows for 10 minutes for DATA termination; however I would limit this to 30-60 seconds maximum to be on the safe side as this value is frequently tweaked by some sites (lowest I have seen in the wild is 3 minutes).

There's no more DoS potential in this than with MailScanner (e.g. if you can get your messages through the MTA, then you can easily fill the inbound directory to the point it would take more than a reasonable amount of time to process). Plus there is loads that can be done to prevent DoS in all MTAs.

Regards,
Steve.

From glenn.steen at gmail.com Fri Jul 3 10:09:34 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Jul 3 10:09:43 2009
Subject: Stop logging message over sacore 20
In-Reply-To: <6beca9db0907030127o32dee727y6223c03b7c718273@mail.gmail.com>
References: <6beca9db0907030127o32dee727y6223c03b7c718273@mail.gmail.com>
Message-ID: <223f97700907030209n37de5957t6da92559b26c1ded@mail.gmail.com>

2009/7/3 Mikael Syska :
> Hi,
>
> We have a fairly large mailwatch db ... about 2 mill rows ... to
> speed things up we could delete messages with a sascore over 20. That
> could cut off 1.5 mill rows ... :-)
>
> using:
> SpamAssassin Rule Actions = SpamScore>20=>delete
>
> But what about mailwatch? Do I need to edit the MailWatch.pm file or
> can it be done within MailScanner?
>
> best regards
> Mikael Syska

Well, either edit MailWatch.pm or ... just do it after the fact with a silly little SQL script. Should be easy enough (use the database cleaning script as a template)... Then cron it to run every few minutes. It'll only be the first run that would have a painfully long run;-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From alex at skynet-srl.com Fri Jul 3 12:56:18 2009
From: alex at skynet-srl.com (Alessandro Bianchi) Date: Fri Jul 3 12:57:02 2009 Subject: Tiny text only spam (semi OT) In-Reply-To: <200907031100.n63B023c025716@safir.blacknight.ie> References: <200907031100.n63B023c025716@safir.blacknight.ie> Message-ID: <4A4DF1E2.5000404@skynet-srl.com> An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090703/bfe6af12/attachment.html From gafaith at asdm.net Fri Jul 3 14:34:48 2009 
From: gafaith at asdm.net (Gary Faith) Date: Fri Jul 3 14:35:11 2009 Subject: {Spam?} Re: Spam but no randomly no Spam Report In-Reply-To: <4A4888730200002D00006D2F@sparky.asdm.net> References: <4A4404D50200002D00006C96@sparky.asdm.net> <4A44116A0200002D00006C9B@sparky.asdm.net> <4A4489C3.4000203@ecs.soton.ac.uk> <4A44B19E0200002D00006CAF@sparky.asdm.net> <4A44F040.2050305@ecs.soton.ac.uk> <4A44CA920200002D00006CE5@sparky.asdm.net> <4A44D89D0200002D00006CEA@sparky.asdm.net> <4A487F55.9080907@ecs.soton.ac.uk> <4A4888730200002D00006D2F@sparky.asdm.net> Message-ID: <4A4DD0B80200002D00006DC3@sparky.asdm.net> Was really hoping to get an answer to the question below! >>> "Gary Faith" 6/29/2009 9:25 AM >>> When Spamassassin returns it's scores, where are you pulling the data from? Is it in the header from X-Spam-Status: returned from Spamassassin X-Spam-Status: No, score=-0.5 required=5.0 tests=BAYES_00 shortcircuit=no autolearn=unavailable version=3.2.5 or in the body somewhere? Gary >>> Julian Field 6/29/2009 4:46 AM >>> On 26/06/2009 19:18, Gary Faith wrote: > After turning it on, I do get a Spam Report now. As expected. > Spam: Y Action(s): store, deliver, header, "X-Spam-Status:, Yes" > High Scoring Spam: N SpamAssassin Spam: N Listed in RBL: Y SBL+XBL > Spam Whitelisted: N Spam Blacklisted: N SpamAssassin Autolearn: N > SpamAssassin Score:0.92 Spam Report: > Score Matching Rule Description > -0.50 BAYES_00 Bayesian spam probability is 0 to 1% > 1.42 SARE_ADULT2 Contains adult material > > Steve Freegard, just posted an message that "Always Include > SpamAssassin Report" = on would cause it to run even for whitelisted > and blacklisted recipients. I agree it would be inefficient to have > SA run on whitelisted & blacklisted recipients. Absolutely correct. You don't want the inefficiency of always generating the report, which involves always running SA, so don't be surprised when you don't get the report. 
> Could there still be a problem in the patched Message.pm where it is > returning some of the spam report but not all? Don't think so. > Gary > > >>> "Gary Faith" 6/26/2009 1:18 PM >>> > Julian, > Always Include SpamAssassin Report was set to off. I just turned it > on and will see if that changes things. I wasn't sure if that setting > would be a problem because it seems that there was a report even if > the message was clean like the one below. It just seems like the > Spam Report is included with every message except when the isspam =1 & > isrblspam =1 and the other two flags = 0. > Spam: N Action(s): store, deliver, header, "X-Spam-Status:, No" High > Scoring Spam: N SpamAssassin Spam: N Listed in RBL: N Spam > Whitelisted: N Spam Blacklisted: N SpamAssassin Autolearn: N > SpamAssassin Score:3.28 Spam Report: > Score Matching Rule Description > cached not > > score=3.281 > 3.5 required > -0.50 BAYES_00 Bayesian spam probability is 0 to 1% > 2.17 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/) > 0.73 HTML_COMMENT_SHORT HTML comment is very short > 0.88 HTML_FONT_FACE_BAD HTML font face is not a word > 0.00 HTML_MESSAGE HTML included in message > -0.00 SPF_PASS SPF: sender matches SPF record > > > Gary > > >>> Julian Field 6/26/2009 11:58 AM >>> > Does your MailScanner.conf have "Always Include SpamAssassin Report" > switched on or off? > > On 26/06/2009 16:31, Gary Faith wrote: > > Julian, > > Better. The spam report field is populated now but I don't think it > > is completely fixed. See below: > > Spam: Y Action(s): store, deliver, header, "X-Spam-Status:, Yes" > > High Scoring Spam: N > > SpamAssassin Spam: N > > Listed in RBL: Y > > Spam Whitelisted: N > > Spam Blacklisted: N > > SpamAssassin Autolearn: N > > SpamAssassin Score: 3.09 > > Spam Report: spam, SBL+XBL > > I confirmed that the database shows spam, SBL+XBL only. Problem that > > I see is that there is nothing in the spamreport field to explain the > > 3.09 SpamAssassin score. 
> > Gary > > > > > > >>> Julian Field 6/26/2009 4:41 AM >>> > > Aha, well done for tracking down that case, I've been looking for that > > bug for ages. > > Due to your diagnostics I now have what should fix it. > > > > Please try the attached patch to > > /usr/lib/MailScanner/MailScanner/Message.pm and then restart > MailScanner. > > > > Thanks for helping! > > Jules. > > > > On 26/06/2009 05:08, Gary Faith wrote: > > > Follow Up! After doing more digging, I believe that I have found the > > > common thread when the problem occurs. The spamreport field only > > > seems to be blank when isspam & isrblspam flags are set. If issaspam > > > and/or ishighspam are set then spamreport has data. > > > isspam tinyint(1) =1 > > > ishighspam tinyint(1) =0 > > > issaspam tinyint(1) =0 > > > isrblspam tinyint(1) =1 > > > spamwhitelisted tinyint(1) =0 > > > spamblacklisted tinyint(1) =0 > > > sascore decimal(7,2) some value > > > spamreport text {Empty} > > > I hope this helps shine light on my problem. Any ideas why this is > > > happening? > > > Thanks, > > > > > > Gary > > > > > > >>> "Gary Faith" 6/25/2009 11:14 PM >>> > > > Running MailScanner 4.75.11 on SLES 10 SP2 X86_64. When viewing the > > > information via MailWatch, I see the following on the details page: > > > SpamAssassin Spam: Y Action(s): store, deliver, header, > > > "X-Spam-Status:, Yes" > > > High Scoring Spam: N > > > SpamAssassin Spam: N > > > Listed in RBL: N > > > Spam Whitelisted: N > > > Spam Blacklisted: N > > > SpamAssassin Autolearn: N > > > SpamAssassin Score:1.66 > > > The problem is Spam Report is blank. This happens on a few seemingly > > > random messages while most have something in the spamreport field. I > > > have verified this in the database that it definitely null. Any > > > reason why all the data except the spam report would be logged to > > > mysql? Could this be a spamassassin timeout problem? 
> > > Thanks,
> > >
> > > Gary Faith
> >
> > Jules
>
> Jules

Jules

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090703/f89b036d/attachment.html
From gafaith at asdm.net Fri Jul 3 14:50:41 2009
From: gafaith at asdm.net (Gary Faith)
Date: Fri Jul 3 14:51:09 2009
Subject: Tiny text only spam (semi OT)
In-Reply-To: <4A4DF1E2.5000404@skynet-srl.com>
References: <200907031100.n63B023c025716@safir.blacknight.ie> <4A4DF1E2.5000404@skynet-srl.com>
Message-ID: <4A4DD4710200002D00006DC8@sparky.asdm.net>

I believe that I have also been greatly troubled by the same messages. The common thread to these messages is what I call an obfuscated URL where the URL has spaces in multiple places. I created a cf file in /etc/mail/spamassassin directory and wrote my first spamassassin rule. It might not be the best but it is working for me. Basically, the rule matches a URL that starts with www. followed by a space followed by some text ending in a period like pill45. followed by another space then a TLD like com, net or org. I started with a small score for testing but have significantly raised the score to 4.5 now.

# Rule to find URLs with spaces
body ASDM_OBF_URL /www\.\s(.+?)\s[A-Za-z]{2,4}/i
score ASDM_OBF_URL 4.5
describe ASDM_OBF_URL URLs with spaces

I haven't seen any false positives yet.

Gary Faith

>>> Alessandro Bianchi 7/3/2009 7:56 AM >>>
On 03/07/2009 13:00, mailscanner-request@lists.mailscanner.info wrote:

Alessandro Bianchi wrote:

Hi guys

Those damned spammers have found a way to break in

After image only spam, they have managed to build plain text only spam (no links or html or images, just text) that slips through my MS installation.

They often place in orthographic errors to "fool" spamassassin.

Hi,

They are being detected as : Sanesecurity.Spam.10528

Cheers,

Steve
Sanesecurity
sanesecurity.com

Thanks Steve for helping me

I've just installed unofficial signs and sit here for looking at it working!

For Alex

Very unfortunately RBLs don't help at all since SA decreases the score!

Look at this:

-2.60 BAYES_00
0.91 RCVD_IN_PBL
0.10 RDNS_DYNAMIC
1.42 SARE_ADULT2

Spamassassin reports it as BAYES_00 and clean message and that "kills" the other checks.
If I decrease the BAYES_00 score, it will likely break legitimate emails

So I'm testing the unofficial signs and I'll let you know

Thank you very much for your precious help!

Alessandro

--
SkyNet SRL
P.zza XXV Aprile 14 - 28021 Borgomanero (NO) - ITALY
Tel. +39 0322 836487/834765 - Fax.+39 0322.836608
info@skynet-srl.com - www.skynet-srl.com

The information contained in this message is private and confidential, and its dissemination in any form is prohibited. If you are not the person for whom this message is intended, please delete it and kindly notify us. For any information on this matter, please contact info@skynet-srl.com. ( Ref. D.L. 196/200 )

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090703/6ae333fd/attachment.html
From glenn.steen at gmail.com Fri Jul 3 15:18:12 2009
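The regex from the ASDM_OBF_URL rule in the message above, run against constructed body lines to show what it does and does not match (an added example, not part of the original posts). Python's re module stands in for SpamAssassin's Perl regex engine; the TIGHTER pattern and every sample line are assumptions made for this example.

```python
import re

# Regex copied from the ASDM_OBF_URL body rule in the message above;
# Perl's /i flag becomes re.IGNORECASE.
POSTED = re.compile(r"www\.\s(.+?)\s[A-Za-z]{2,4}", re.IGNORECASE)

# Hypothetical tighter pattern (an assumption made for this example, not from
# the thread): "www." + spaces + one label ending in "." + spaces + one of the
# three TLDs named in the prose description, as a whole word.
TIGHTER = re.compile(r"\bwww\.\s+[a-z0-9-]+\.\s+(?:com|net|org)\b", re.IGNORECASE)

# Constructed body lines: (text, True if it is the spaced-out URL being hunted).
SAMPLES = [
    ("Cheap meds at www. pill45. com today", True),
    ("Order now: WWW. pill45. NET", True),
    ("Refills from www. pill45 . com only", True),  # extra space before the dot
    ("Our site is www.example.com as always", False),
    ("The address starts with www. Then add the company name.", False),
    ("Drop the www. prefix when you type it", False),
]


def evaluate(pattern):
    """Split SAMPLES into (hits, false_positives, misses) for one pattern."""
    hits, false_positives, misses = [], [], []
    for text, wanted in SAMPLES:
        matched = pattern.search(text) is not None
        if matched and wanted:
            hits.append(text)
        elif matched:
            false_positives.append(text)
        elif wanted:
            misses.append(text)
    return hits, false_positives, misses


if __name__ == "__main__":
    for name, pattern in (("posted", POSTED), ("tighter", TIGHTER)):
        hits, fps, misses = evaluate(pattern)
        print(f"{name}: {len(hits)} hits, {len(fps)} false positives, "
              f"{len(misses)} misses")
        for text in fps:
            print("  FP  :", text)
        for text in misses:
            print("  MISS:", text)
```

The posted pattern does not require the trailing period or a TLD boundary, so any "www. " followed by two more words matches; the tighter one trades that for missing variants with extra spacing.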
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Jul 3 15:18:21 2009
Subject: {Spam?} Re: Spam but no randomly no Spam Report
In-Reply-To: <4A4DD0B80200002D00006DC3@sparky.asdm.net>
References: <4A4404D50200002D00006C96@sparky.asdm.net> <4A44B19E0200002D00006CAF@sparky.asdm.net> <4A44F040.2050305@ecs.soton.ac.uk> <4A44CA920200002D00006CE5@sparky.asdm.net> <4A44D89D0200002D00006CEA@sparky.asdm.net> <4A487F55.9080907@ecs.soton.ac.uk> <4A4888730200002D00006D2F@sparky.asdm.net> <4A4DD0B80200002D00006DC3@sparky.asdm.net>
Message-ID: <223f97700907030718w64d038b0hb6d23f5f551ed68c@mail.gmail.com>

2009/7/3 Gary Faith :
> Was really hoping to get an answer to the question below!
>
>>>> "Gary Faith" 6/29/2009 9:25 AM >>>
> When Spamassassin returns its scores, where are you pulling the data from?
> Is it in the header from X-Spam-Status: returned from Spamassassin
>
> X-Spam-Status: No, score=-0.5 required=5.0 tests=BAYES_00
> shortcircuit=no autolearn=unavailable version=3.2.5
> or in the body somewhere?
> Gary

SpamAssassin is called as a perlmodule directly from within MailScanner itself, so there never is a need to parse any header lines or somesuch. If you need more detail, either wait for Jules to expand on it, or read the code;-).
Why is it important to you? IIRC the thread mainly circled around why there was a dearth of reports when things other than SA reported it as spam ... and a bit on how to get MS to always include the SA report. So to me, this question is pretty orthogonal;-)

(snip)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From mark at msapiro.net Fri Jul 3 15:25:44 2009
From: mark at msapiro.net (Mark Sapiro)
Date: Fri Jul 3 15:26:02 2009
Subject: Tiny text only spam (semi OT)
In-Reply-To: <200907031100.n63B023b025716@safir.blacknight.ie>
References: <200907031100.n63B023b025716@safir.blacknight.ie>
Message-ID: <75fb3c6a847f6fdaa1fa25f52f71b6f3.squirrel@www.msapiro.net>

Alessandro Bianchi wrote:
> Hi guys
>
> Those damned spammers have found a way to break in
>
> After image only spam, they have managed to build plain text only spam
> (no links or html or images, just text) that slips through my MS
> installation.
>
> They often place in orthographic errors to "fool" spamassassin.
>
> Here is an example:
[...]
> Has anyone else seen a similar behaviour and found a solution?

The Botnet plugin for Spamassassin gets almost all of these. It will occasionally FP on misconfigured servers without "full circle" DNS, so adjust the score.

It also helps to have your spamassassin trusted_networks correctly configured and to set

botnet_pass_trusted ignore

in botnet.cf so it will look at the received header for the delivery to the trusted network. However, if you have multiple users receiving mail forwarded (.forward or equivalent) from other servers, it may not be feasible to include these other servers in trusted_networks, so Botnet will be less effective in this case.

--
Mark Sapiro                                The highway is for gamblers,
San Francisco Bay Area, California         better use your sense - B. Dylan

From gafaith at asdm.net Fri Jul 3 15:49:24 2009
From: gafaith at asdm.net (Gary Faith)
Date: Fri Jul 3 15:49:45 2009
Subject: {Spam?} Re: Spam but no randomly no Spam Report
In-Reply-To: <223f97700907030718w64d038b0hb6d23f5f551ed68c@mail.gmail.com>
References: <4A4404D50200002D00006C96@sparky.asdm.net> <4A44B19E0200002D00006CAF@sparky.asdm.net> <4A44F040.2050305@ecs.soton.ac.uk> <4A44CA920200002D00006CE5@sparky.asdm.net> <4A44D89D0200002D00006CEA@sparky.asdm.net> <4A487F55.9080907@ecs.soton.ac.uk> <4A4888730200002D00006D2F@sparky.asdm.net> <4A4DD0B80200002D00006DC3@sparky.asdm.net> <223f97700907030718w64d038b0hb6d23f5f551ed68c@mail.gmail.com>
Message-ID: <4A4DE2340200002D00006DCD@sparky.asdm.net>

I think it is a perfectly legitimate question and not orthogonal.

MailScanner calls SA, SA returns information and MailScanner reports it.

The reason why I asked it is that the only messages without all the information in the spamreport are the ones with isspam=1, isrblspam=1, issaspam=0 & ishighspam=0. ALL other messages including clean messages generate a full report. According to Jules, last message is that you have to turn on

Always Include SpamAssassin Report = yes

to get a report. And he wrote:

>Absolutely correct. You don't want the inefficiency of always generating
>the report, which involves always running SA, so don't be surprised when
>you don't get the report.

My problem with this is that I get a report on clean messages so the logic of not getting report is SA doesn't think it is spam is not correct.

Here is the report on a clean message:

SpamAssassin Score:-0.50
Spam Report:
Score  Matching Rule  Description
-0.50  BAYES_00       Bayesian spam probability is 0 to 1%
-0.00  SPF_PASS       SPF: sender matches SPF record

On a message that meets the criteria in the first sentence, I get this:

SpamAssassin Score:-0.49
Spam Report:spam, SORBS-RECENT

If I go to the quarantine directory and run spamassassin:

mscan:/var/spool/MailScanner/quarantine # spamassassin < 20090703/spam/n63D7E9n010959

I get the following back:

X-Spam-DCC: INFN-TO: mscan 1233; Body=2 Fuz1=3 Fuz2=3
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on mscan.asdmonline.net
X-Spam-Level:
X-Spam-Status: No, score=-0.5 required=5.0 tests=BAYES_00,HTML_MESSAGE
        shortcircuit=no autolearn=unavailable version=3.2.5

Now for some reason, SpamAssassin is returning BAYES_00, HTML_MESSAGE when I run it manually but MailScanner doesn't include them in the spamreport.

How can that be?

Gary

>>> Glenn Steen 7/3/2009 10:18 AM >>>
2009/7/3 Gary Faith :
> Was really hoping to get an answer to the question below!
>
>>>> "Gary Faith" 6/29/2009 9:25 AM >>>
> When Spamassassin returns its scores, where are you pulling the data from?
> Is it in the header from X-Spam-Status: returned from Spamassassin
>
> X-Spam-Status: No, score=-0.5 required=5.0 tests=BAYES_00
> shortcircuit=no autolearn=unavailable version=3.2.5
> or in the body somewhere?
> Gary

SpamAssassin is called as a perlmodule directly from within MailScanner itself, so there never is a need to parse any header lines or somesuch. If you need more detail, either wait for Jules to expand on it, or read the code;-).
Why is it important to you? IIRC the thread mainly circled around why there was a dearth of reports when things other than SA reported it as spam ... and a bit on how to get MS to always include the SA report. So to me, this question is pretty orthogonal;-)

(snip)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090703/f4f8cb08/attachment.html
From glenn.steen at gmail.com Fri Jul 3 16:27:48 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Jul 3 16:28:05 2009
Subject: {Spam?} Re: Spam but no randomly no Spam Report
In-Reply-To: <4A4DE2340200002D00006DCD@sparky.asdm.net>
References: <4A4404D50200002D00006C96@sparky.asdm.net> <4A44CA920200002D00006CE5@sparky.asdm.net> <4A44D89D0200002D00006CEA@sparky.asdm.net> <4A487F55.9080907@ecs.soton.ac.uk> <4A4888730200002D00006D2F@sparky.asdm.net> <4A4DD0B80200002D00006DC3@sparky.asdm.net> <223f97700907030718w64d038b0hb6d23f5f551ed68c@mail.gmail.com> <4A4DE2340200002D00006DCD@sparky.asdm.net>
Message-ID: <223f97700907030827v65ae494o23985590087ede10@mail.gmail.com>

2009/7/3 Gary Faith :
> I think it is a perfectly legitimate question and not orthogonal.

Of course. I meant "orthogonal to the thread as such", but that is (as always) the thread filtered through my understanding of it.... perhaps not the best filter there is...:-)

> MailScanner calls SA, SA returns information and MailScanner reports it.
>
> The reason why I asked it is that the only messages without all the
> information in the spamreport are the ones with isspam=1, isrblspam=1,
> issaspam=0 & ishighspam=0. ALL other messages including clean messages

Yes, but ... don't you have all the info you need there? A BL blocked it in MS, and (after the fix) it correctly identifies which BL as well. You also know that SA didn't find it to be spam (and the score). Do you *need* more?
Sure, one could perhaps want to try to determine if there is something one could do in SA to make SA more effective against it but... You already had the hit from the BL.
Sorry if I seem dense, but I fail to see what you are trying to achieve.

> generate a full report. According to Jules, last message is that you have
> to turn on
>
> Always Include SpamAssassin Report = yes
>
> to get a report. And he wrote:
>
>>Absolutely correct. You don't want the inefficiency of always generating
>>the report, which involves always running SA, so don't be surprised when
>>you don't get the report.
>
> My problem with this is that I get a report on clean messages so the logic
> of not getting report is SA doesn't think it is spam is not correct.
>

Ah. Are we perhaps talking about discrepancies with how things get reported in MailWatch?

> Here is the report on a clean message:
>
> SpamAssassin Score:-0.50
> Spam Report:
> Score  Matching Rule  Description
> -0.50  BAYES_00       Bayesian spam probability is 0 to 1%
> -0.00  SPF_PASS       SPF: sender matches SPF record
> On a message that meets the criteria in the first sentence, I get this:
>
> SpamAssassin Score:-0.49
> Spam Report:spam, SORBS-RECENT
> If I go to the quarantine directory and run spamassassin:
>
> mscan:/var/spool/MailScanner/quarantine # spamassassin <
> 20090703/spam/n63D7E9n010959
>
> I get the following back:
>
> X-Spam-DCC: INFN-TO: mscan 1233; Body=2 Fuz1=3 Fuz2=3
> X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
> mscan.asdmonline.net
> X-Spam-Level:
> X-Spam-Status: No, score=-0.5 required=5.0 tests=BAYES_00,HTML_MESSAGE
>         shortcircuit=no autolearn=unavailable version=3.2.5
>
> Now for some reason, SpamAssassin is returning BAYES_00, HTML_MESSAGE when I
> run it manually but MailScanner doesn't include them in the spamreport.
>
> How can that be?

I think I see what you mean. As stated above, the relevant reason for the quarantining is actually in the "incomplete" report. That you get SA reports for clean messages is because they have had it run on them. Look at a whitelisted message. Do you have a SA report there? Probably not. Same for other things that would act on the message prior to SA being run. Things run *after* SA that would result in it being in the quarantine would include the SA report.
There's no mystery there. And there really is no need for the SA report. Since it wasn't the reason for it being blocked.
IMO, at least:-). > Gary (snip) Cheers -- -- Glenn (who is finally of on vacation! Hm, wait ... where did the nice weather go...) email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From rabollinger at gmail.com Fri Jul 3 19:18:47 2009 From: rabollinger at gmail.com (Richard Bollinger) Date: Fri Jul 3 19:18:59 2009 Subject: Russian Text = Executable? In-Reply-To: <223f97700907030101he93b8f3nad4fc312f4b8b93d@mail.gmail.com> References: <7744a2840907020906rc4077adt848ee24ccefd45e8@mail.gmail.com> <223f97700907030101he93b8f3nad4fc312f4b8b93d@mail.gmail.com> Message-ID: <7744a2840907031118u42115451o308de6004812c820@mail.gmail.com> On Fri, Jul 3, 2009 at 4:01 AM, Glenn Steen wrote: > 2009/7/2 Richard Bollinger : >> Running MailScanner version 4.74.16, file-5.03 >> >> When our russian employee attempts to email his associates, the text >> portion of his email is interpreted by the file command as >> ? ?msg-15166-15.txt: DOS executable (COM) >> # grep msg-15166-15 /var/adm/maillog >> Jul ?2 08:40:53 ls04 MailScanner[15166]: Filename Checks: Allowing >> n62Cd5xN017134 msg-15166-15.txt >> Jul ?2 08:40:53 ls04 MailScanner[15166]: Filetype Checks: No >> executables (n62Cd5xN017134 msg-15166-15.txt) >> Jul ?2 08:41:01 ls04 MailScanner[15166]: Saved infected >> "msg-15166-15.txt" to >> /var/spool/MailScanner/quarantine/20090702/n62Cd5xN017134 >> >> Fine... I read the mailing list notes and docs which say file -i >> should work better... and it does: >> ? ?msg-15166-15.txt: text/plain; charset=iso-8859-1 >> >> So I inserted a rule to match that in filetypes.rules.conf like so >> --- filetype.rules.conf.FCS ? ? 2008-03-12 05:50:04.000000000 -0400 >> +++ filetype.rules.conf 2009-07-02 11:18:38.000000000 -0400 
>> @@ -18,6 +18,7 @@ >> ?allow ?\bscript ? ? ? ?- ? ? ? ? ? ? ? ? ? ? ? - >> ?allow ?archive ? ? ? ? - ? ? ? ? ? ? ? ? ? ? ? - >> ?allow ?postscript ? ? ?- ? ? ? ? ? ? ? ? ? ? ? - >> +allow ?- ? ? ? iso-8859-1 ? ? ?- ? ? ? - >> ?deny ? self-extract ? ?No self-extracting archives ? ? No >> self-extracting archives allowed >> ?deny ? executable ? ? ?No executables ? ? ? ? ?No programs allowed >> ?#EXAMPLE: deny - ? ? ? x-dosexec ? ? ? No DOS executables ? ? ?No DOS >> programs allowed >> >> But apparently MIME rules in the filetype.rules.conf files aren't >> really checked in order as one might expect... so its still getting >> blocked: >> # grep msg-25147-33 /var/adm/maillog >> Jul ?2 10:52:33 ls04 MailScanner[25147]: Filename Checks: Allowing >> n62EqVIg027437 msg-25147-33.txt >> Jul ?2 10:52:33 ls04 MailScanner[25147]: Filetype Checks: No >> executables (n62EqVIg027437 msg-25147-33.txt) >> Jul ?2 10:52:33 ls04 MailScanner[25147]: Filetype Mime Checks: >> Allowing n62EqVIg027437 msg-25147-33.txt >> Jul ?2 10:52:38 ls04 MailScanner[25147]: Saved infected >> "msg-25147-33.txt" to >> /var/spool/MailScanner/quarantine/20090702/n62EqVIg027437 >> >> So, do we have to drop the filetype rule for executables and go with >> the MIME rules only? ?That doesn't seem to detect all executable >> formats, often coming up with >> application/octet-stream; charset=binary, which is pretty generic, >> instead of executable. >> >> Suggestions? > > A) replace your file package with one were the overoptimistic > one-byte-magics isn't present (if available, that is). > B) Edit your magic file(s) and manually remove/comment the offending > magic lines, then "recompile" it with "file -C". > C) Switch to file -i > Dreary, but ... there it is. 
> > Cheers > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner--- > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > Here's the patch I applied: --- ../msdos.FCS 2009-07-03 13:55:06.000000000 -0400 +++ file-5.03/magic/Magdir/msdos 2009-07-03 14:05:25.000000000 -0400 @@ -286,7 +286,7 @@ # but it isn't feasible to match all COM files since there must be at least # two dozen different one-byte "magics". # test too generic ? -0 byte 0xe9 DOS executable (COM) +##0 byte 0xe9 DOS executable (COM) >0x1FE leshort 0xAA55 \b, boot code >6 string SFX\ of\ LHarc (%s) 0 belong 0xffffffff DOS executable (device driver) @@ -311,13 +311,13 @@ >>>77 string <\x5B >>>>77 string x \b, name: %.8s # test too generic ? -0 byte 0x8c DOS executable (COM) +##0 byte 0x8c DOS executable (COM) # updated by Joerg Jenderek at Oct 2008 0 ulelong 0xffff10eb DR-DOS executable (COM) # byte 0xeb conflicts with "sequent" magic leshort 0xn2eb 0 ubeshort&0xeb8d >0xeb00 # DR-DOS STACKER.COM SCREATE.SYS missed ->0 byte 0xeb DOS executable (COM) +##>0 byte 0xeb DOS executable (COM) >>0x1FE leshort 0xAA55 \b, boot code >>85 string UPX \b, UPX compressed >>4 string \ $ARX \b, ARX self-extracting archive From alex at skynet-srl.com Sat Jul 4 14:03:10 2009 
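Review bot: in the first hunk of the msdos magic patch (@@ -286,7 +286,7 @@) only the parent test "0 byte 0xe9" is commented out; the two continuation lines after it (">0x1FE leshort 0xAA55 \b, boot code" and ">6 string SFX\ of\ LHarc (%s)") stay active. A ">" line belongs to the nearest preceding top-level test, so these two now hang off whatever entry comes before this block and can append "boot code" or the LHarc text to an unrelated match. Comment them out together with their parent, and a single "#" plus a short note on why (and for which file version) would be easier to carry across upgrades than "##".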
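Review bot: in the second hunk (@@ -311,13 +311,13 @@) the level-1 test ">0 byte 0xeb" is disabled but its level-2 children (">>0x1FE leshort 0xAA55", ">>85 string UPX", ">>4 string \ $ARX") are left in place, now sitting directly under "0 ubeshort&0xeb8d >0xeb00" with no level-1 line between them; comment them out as well, or at least check the "file -C" recompile for complaints about them. It is also worth recording next to the change that with the three one-byte tests gone, file no longer labels .COM files starting with 0xe9, 0x8c or 0xeb as "DOS executable (COM)", so the "deny executable" filetype rule stops covering them and blocking depends on whatever filename rules are in place.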
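Why plain Cyrillic text can trip the one-byte COM tests discussed in this thread, as an added example (not code from the thread or from the file project). The three tests are transcribed from the patch above; the thread does not say which encoding the mail used, so KOI8-R and Windows-1251 are assumptions, and every sample below is constructed.

```python
"""Emulate the one-byte "DOS executable (COM)" magic tests named in the
patch and run them over constructed message bodies."""


def matches_com_magic(data: bytes) -> bool:
    """True if any of the three tests the patch disables would fire."""
    if not data:
        return False
    first = data[0]
    # "0 byte 0xe9" and "0 byte 0x8c": one byte at offset 0, nothing else.
    if first in (0xE9, 0x8C):
        return True
    # ">0 byte 0xeb" is nested under "0 ubeshort&0xeb8d >0xeb00":
    # unsigned big-endian 16-bit value at offset 0, masked, then compared.
    if len(data) >= 2:
        be_short = (data[0] << 8) | data[1]
        if (be_short & 0xEB8D) > 0xEB00 and first == 0xEB:
            return True
    return False


def colliding_chars(encoding: str) -> dict:
    """Characters that a single-byte encoding stores as 0xE9 and 0xEB."""
    return {b: bytes([b]).decode(encoding) for b in (0xE9, 0xEB)}


# Constructed samples: (text, encoding). The encodings are assumptions.
SAMPLES = [
    ("Коллеги, добрый день!", "koi8_r"),   # "Colleagues, good afternoon!"
    ("Иван, привет", "koi8_r"),            # "Ivan, hi"
    ("Коллеги, добрый день!", "cp1251"),
    ("Коллеги, добрый день!", "utf_8"),
    ("Hello, colleagues", "ascii"),
]

# Constructed byte string that begins with 0xE9 (an x86 near jump), the
# kind of file start the one-byte test was written to catch.
COM_STUB = bytes([0xE9, 0x03, 0x01]) + b"\x90" * 4


def flagged(samples=SAMPLES) -> list:
    """Samples the emulated tests would report as DOS executables."""
    return [(t, e) for t, e in samples if matches_com_magic(t.encode(e))]


if __name__ == "__main__":
    for text, enc in SAMPLES:
        raw = text.encode(enc)
        verdict = "DOS executable (COM)" if matches_com_magic(raw) else "no match"
        print(f"{enc:8} first byte 0x{raw[0]:02X}  {verdict}")
    print("COM stub:", matches_com_magic(COM_STUB))
    for enc in ("koi8_r", "cp1251"):
        print(enc, "letters stored as 0xE9/0xEB:", colliding_chars(enc))
```

A single leading byte cannot separate the text samples from the stub, which is why the options offered in the thread change the magic data or move to the MIME-type output instead of adding an allow rule.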
From: alex at skynet-srl.com (Alessandro Bianchi)
Date: Sat Jul 4 14:03:28 2009
Subject: Tiny text only spam (semi OT)
In-Reply-To: <200907041100.n64B03kZ024362@safir.blacknight.ie>
References: <200907041100.n64B03kZ024362@safir.blacknight.ie>
Message-ID: <4A4F530E.3000307@skynet-srl.com>

> I believe that I have also been greatly troubled by the same
> messages. The common thread to these messages is what I call an
> obfuscated URL where the URL has spaces in multiple places. I created
> a cf file in /etc/mail/spamassassin directory and wrote my first
> spamassassin rule. It might not be the best but it is working for
> me. Basically, the rule matches a URL that starts with www. followed
> by a space followed by some text ending in a period like pill45.
> followed by another space then a TLD like com, net or org. I started
> with a small score for testing but have significantly raised the score
> to 4.5 now.
>
> # Rule to find URLs with spaces
> body ASDM_OBF_URL /www\.\s(.+?)\s[A-Za-z]{2,4}/i
> score ASDM_OBF_URL 4.5
> describe ASDM_OBF_URL URLs with spaces
>
> I haven't seen any false positives yet.
>
> Gary Faith

Gary

That looks good. Unofficial signs didn't help too much till now, but IMO this rule may break them down.

> The Botnet plugin for Spamassassin gets almost all of these.

Mark, I'll try this if the rule doesn't work as expected.

Thank you to all

Best regards

Alessandro Bianchi

--
*SKYNET S.r.l.* - *Piazza XXV Aprile 14 - 28021 Borgomanero (No)*
*tel. +39 0322-836487/834765 - fax +39 0322-836608 - www.skynet-srl.com*
Ministerial Authorisation no. 197

The information contained in this message is private and confidential, and its dissemination by any means is prohibited. If you are not the person for whom this message is intended, please delete it without reading it and kindly let us know. For any information please contact (company e-mail). Ref. D.L. 196/2003

From alex at skynet-srl.com Sat Jul 4 18:19:54 2009
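The rule quoted in the message above, run against a handful of sample paragraphs, as an added example (not part of the original posts). It compares the posted pattern with a narrower variant written from the poster's own description; the variant, its name and all sample texts are constructed for illustration.

```python
import re

# Rule as posted in the thread. SpamAssassin rules are Perl regexes; this
# pattern uses no Perl-only syntax, so Python's re evaluates it the same way.
POSTED = re.compile(r"www\.\s(.+?)\s[A-Za-z]{2,4}", re.IGNORECASE)

# Hypothetical narrower variant (an assumption, not from the thread). It
# follows the prose description: "www." + space + one label ending in a
# period + space + one of the TLDs named in the post.
NARROW = re.compile(
    r"\bwww\.\s+[a-z0-9-]{1,63}\.\s+(?:com|net|org)\b", re.IGNORECASE
)

# Constructed sample paragraphs: (label, text, is_spam).
SAMPLES = [
    ("pill45-com", "Cheap meds at www. pill45. com today", True),
    ("pill45-net-upper", "ORDER NOW: WWW. PILL45. NET", True),
    ("pill45-info", "Visit www. pill45. info now", True),
    ("normal-url", "Our site is www.example.com, see you there", False),
    ("typing-hint", "Type www. then the site name into the address bar", False),
    ("intranet-note", "The prefix www. is optional on our intranet", False),
]


def matched_text(pattern, text):
    """Return the substring the rule fires on, or None."""
    m = pattern.search(text)
    return m.group(0) if m else None


def confusion(pattern, samples=SAMPLES):
    """Sort sample labels into true/false positives and negatives."""
    out = {"tp": [], "fp": [], "fn": [], "tn": []}
    for label, text, is_spam in samples:
        hit = pattern.search(text) is not None
        if is_spam:
            out["tp" if hit else "fn"].append(label)
        else:
            out["fp" if hit else "tn"].append(label)
    return out


if __name__ == "__main__":
    for name, pattern in (("posted", POSTED), ("narrow", NARROW)):
        print(name, confusion(pattern))
    # Shows what the posted rule actually latches onto in legitimate text.
    print(repr(matched_text(POSTED, SAMPLES[4][1])))
```

The posted pattern never requires the period before the TLD, so any "www. " followed by two words matches; the narrow variant removes those hits at the cost of missing TLDs outside its list.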
From: alex at skynet-srl.com (Alessandro Bianchi)
Date: Sat Jul 4 18:20:11 2009
Subject: Tiny text only spam (semi OT)
In-Reply-To: <200907041100.n64B03kZ024362@safir.blacknight.ie>
References: <200907041100.n64B03kZ024362@safir.blacknight.ie>
Message-ID: <4A4F8F3A.8010800@skynet-srl.com>

> I believe that I have also been greatly troubled by the same
> messages. The common thread to these messages is what I call an
> obfuscated URL where the URL has spaces in multiple places. I created
> a cf file in /etc/mail/spamassassin directory and wrote my first
> spamassassin rule. It might not be the best but it is working for
> me. Basically, the rule matches a URL that starts with www. followed
> by a space followed by some text ending in a period like pill45.
> followed by another space then a TLD like com, net or org. I started
> with a small score for testing but have significantly raised the score
> to 4.5 now.
>
> # Rule to find URLs with spaces
> body ASDM_OBF_URL /www\.\s(.+?)\s[A-Za-z]{2,4}/i
> score ASDM_OBF_URL 4.5
> describe ASDM_OBF_URL URLs with spaces
>
> I haven't seen any false positives yet.
>
> Gary Faith

Gary

This one rocks! Got them one hundred per cent

Thank you to all

Best regards

Alessandro Bianchi

--
*SKYNET S.r.l.* - *Piazza XXV Aprile 14 - 28021 Borgomanero (No)*
*tel. +39 0322-836487/834765 - fax +39 0322-836608 - www.skynet-srl.com*

From jtp at jtpage.net Sat Jul 4 18:51:48 2009
From: jtp at jtpage.net (Jeffry Page)
Date: Sat Jul 4 18:52:10 2009
Subject: (2nd Request) Disable scanning for a client that connects via SMTP-AUTH
In-Reply-To:
References: <4A147B290200002D00006737@sparky.asdm.net>
    <200905210754.04555.eli@orbsky.homelinux.org>
    <4A170F760200002D0000676D@sparky.asdm.net>
    <200905230757.01173.eli@orbsky.homelinux.org>
    <4A1867050200002D00006786@sparky.asdm.net>
    <20090524174243.GB2724@msapiro>
    <4A19BD250200002D00006795@sparky.asdm.net>
    <4A4D2426.3000804@kimballequipment.com>
    <4A4D2DCF.2050901@ecs.soton.ac.uk>
Message-ID: <009401c9fcd0$1b340180$519c0480$@net>

I have done this using MIMEdefang and a custom function for mailscanner. I have it currently setup for sendmail.

I had to do this because mail I sent from my home machine via SMTP would get flagged on the spamhaus-ZEN RBL, which any home internet IP should. I really wanted to use this RBL so this was the solution. It feels kind of hacky the way it's done, but it works really well and is totally transparent.

I looked it up and mimedefang is only for sendmail, but if you have a way to add a customer header in on other MTAs then it would work for this also. I only used MIMEDefang to add a header in before mailscanner got the email.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field
Sent: Thursday, July 02, 2009 5:00 PM
To: MailScanner discussion
Subject: Re: (2nd Request) Disable scanning for a client that connects via SMTP-AUTH

In which case please tell me how I find out from the email headers, in such a way that it works for all 4 supported MTAs. I'm not interested in a sendmail-only solution.

Thanks,
Jules.

On 02/07/2009 22:18, Mat Murdock wrote:
> I know I'm kind of bringing this topic back from the dead, but
> spamassassin has a rule called "ALL_TRUSTED" that detects if the e-mail
> used smtp-auth. If so it gives it a negative score. It does this by
> looking at the sendmail headers. The problem I have is that my users
> are sending their mail from IPs that are on dns blacklists. It would
> be nice if MailScanner was also able to read the headers the same way
> that spamassassin does and allow the user to skip dns blacklist checks
> for authenticated e-mails.
>
> Mat
>
> Gary Faith wrote:
>> That is exactly what I want to do but I am not a sendmail expert and
>> I don't know how. I was hoping someone would know how to do this.
>>
>> >>> Mark Sapiro 5/24/2009 1:42 PM >>>
>> On Sat, May 23, 2009 at 09:13:41PM -0400, Gary Faith wrote:
>> > My business that has the mail scanner is my ISP and all my personal
>> > outbound mail will be going through that mail scanner. Discussing
>> > whether I can relay through someone or another is pointless. What I
>> > need is a way to not scan e-mail when it comes from a trusted
>> > source. Do you know how I can do this?
>>
>> I use Postfix and am not really familiar with how MailScanner works with
>> sendmail, but can't you just do something in the sendmail configuration to
>> identify the SMTP-AUTH mail and queue or deliver it in a way that bypasses
>> MailScanner?
>>
>> --
>> Mark Sapiro mark at msapiro net       The highway is for gamblers,
>> San Francisco Bay Area, California    better use your sense - B. Dylan

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Follow me at twitter.com/JulesFM

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

From gafaith at asdm.net Sun Jul 5 13:16:28 2009
From: gafaith at asdm.net (Gary Faith)
Date: Sun Jul 5 13:16:59 2009
Subject: {Spam?} Re: Spam but no randomly no Spam Report
In-Reply-To: <223f97700907030827v65ae494o23985590087ede10@mail.gmail.com>
References: <4A4404D50200002D00006C96@sparky.asdm.net>
    <4A44CA920200002D00006CE5@sparky.asdm.net>
    <4A44D89D0200002D00006CEA@sparky.asdm.net>
    <4A487F55.9080907@ecs.soton.ac.uk>
    <4A4888730200002D00006D2F@sparky.asdm.net>
    <4A4DD0B80200002D00006DC3@sparky.asdm.net>
    <223f97700907030718w64d038b0hb6d23f5f551ed68c@mail.gmail.com>
    <4A4DE2340200002D00006DCD@sparky.asdm.net>
    <223f97700907030827v65ae494o23985590087ede10@mail.gmail.com>
Message-ID: <4A50615C0200002D00006DD1@sparky.asdm.net>

>>> On 7/3/2009 at 11:27 AM, in message
<223f97700907030827v65ae494o23985590087ede10@mail.gmail.com>, Glenn Steen wrote:
> 2009/7/3 Gary Faith :
>> I think it is a perfectly legitimate question and not orthogonal.
> Of course. I meant "orthogonal to the thread as such", but that is (as
> always) the thread filtered through my understanding of it.... perhaps
> not the best filter there is...:-)
>> MailScanner calls SA, SA returns information and MailScanner reports it.
>>
>> The reason why I asked it is that the only messages without all the
>> information in the spamreport are the ones with isspam=1, isrblspam=1,
>> issaspam=0 & ishighspam=0. ALL other messages including clean messages
> Yes, but ... don't you have all the info you need there? A BL blocked
> it in MS, and (after the fix) it correctly identifies which BL as well.
> You also know that SA didn't find it to be spam (and the score). Do
> you *need* more? Sure, one could perhaps want to try determine if there
> is something one could do in SA to make SA more effective against it
> but... You already had the hit from the BL.
> Sorry if I seem dense, but I fail to see what you are trying to achieve.
>
>> generate a full report. According to Jules, last message is that you have
>> to turn on
>>
>> Always Include SpamAssassin Report = yes
>>
>> to get a report. And he wrote:
>>
>>>Absolutely correct. You don't want the inefficiency of always generating
>>>the report, which involves always running SA, so don't be surprised when
>>>you don't get the report.
>>
>> My problem with this is that I get a report on clean messages so the logic
>> of not getting report is SA doesn't think it is spam is not correct.
>>
> Ah. Are we perhaps talking about discrepancies with how things get
> reported in MailWatch?

No, the problem doesn't seem to be mailwatch. The problem seems to be what is returned in the spamreport field. Not all the data is being returned when the flags are set in this specific configuration.

>> Here is the report on a clean message:
>>
>> SpamAssassin Score:-0.50
>> Spam Report:
>> Score Matching Rule Description
>> -0.50 BAYES_00 Bayesian spam probability is 0 to 1%
>> -0.00 SPF_PASS SPF: sender matches SPF record
>> On a message that meets the criteria in the first sentence, I get this:
>>
>> SpamAssassin Score:-0.49
>> Spam Report:spam, SORBS-RECENT
>> If I go to the quarantine directory and run spamassassin:
>>
>> mscan:/var/spool/MailScanner/quarantine # spamassassin <
>> 20090703/spam/n63D7E9n010959
>>
>> I get the following back:
>>
>> X-Spam-DCC: INFN-TO: mscan 1233; Body=2 Fuz1=3 Fuz2=3
>> X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
>> mscan.asdmonline.net
>> X-Spam-Level:
>> X-Spam-Status: No, score=-0.5 required=5.0 tests=BAYES_00,HTML_MESSAGE
>> shortcircuit=no autolearn=unavailable version=3.2.5
>>
>> Now for some reason, SpamAssassin is returning BAYES_00, HTML_MESSAGE when I
>> run it manually but MailScanner doesn't include them in the spamreport.
>>
>> How can that be?
> I think I see what you mean. As stated above, the relevant reason for
> the quarantining is actually in the "incomplete" report. That you get
> SA reports for clean messages is because they have had it run on them.
> Look at a whitelisted message. Do you have a SA report there? Probably
> not. Same for other things that would act on the message prior to SA
> being run. Things run *after* SA that would result in it being in the
> quarantine would include the SA report. There's no mystery there.
> And there really is no need for the SA report. Since it wasn't the
> reason for it being blocked. IMO, at least:-).

The whole reason for this thread was that there wasn't any information in the spamreport field under specific circumstances. Jules patched the code and now some of the spamreport data is now showing up but I don't believe all of it is. I am attempting to prove that there should be more data in the report when these messages are scanned and I think I have proved it but I really don't have the knowledge in Perl to follow the code and see what is happening. I can attempt to solve some things by gathering data but reading Perl is definitely not my strong suit.

>> Gary
> (snip)
>
> Cheers

Gary

From alex at rtpty.com Sun Jul 5 18:37:14 2009
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Sun Jul 5 18:37:28 2009
Subject: (2nd Request) Disable scanning for a client that connects via SMTP-AUTH
In-Reply-To: <009401c9fcd0$1b340180$519c0480$@net>
References: <4A147B290200002D00006737@sparky.asdm.net>
    <200905210754.04555.eli@orbsky.homelinux.org>
    <4A170F760200002D0000676D@sparky.asdm.net>
    <200905230757.01173.eli@orbsky.homelinux.org>
    <4A1867050200002D00006786@sparky.asdm.net>
    <20090524174243.GB2724@msapiro>
    <4A19BD250200002D00006795@sparky.asdm.net>
    <4A4D2426.3000804@kimballequipment.com>
    <4A4D2DCF.2050901@ecs.soton.ac.uk>
    <009401c9fcd0$1b340180$519c0480$@net>
Message-ID:

Would you like to document it/add it to the wiki? I'm sure a lot of people would be interested/amazed/glad to contribute...

On Jul 4, 2009, at 12:51 PM, Jeffry Page wrote:

> I have done this using MIMEdefang and a custom function for
> mailscanner. I
> have it currently setup for sendmail.

--
Alex Neuman van der Hans
Reliant Technologies
+507 6781-9505
+507 202-1525
alex@rtpty.com
Skype: alexneuman

From hafiz at variegate.biz Mon Jul 6 02:23:20 2009
From: hafiz at variegate.biz (Mohd Hafiz Ramly)
Date: Mon Jul 6 02:23:36 2009
Subject: MailScanner: Could not analyze message
In-Reply-To: <4A4C2D82.4050102@variegate.biz>
References: <4A44FD7F.4030206@variegate.biz> <4A45056A.4070409@alexb.ch>
    <4A4C2D82.4050102@variegate.biz>
Message-ID: <4A515208.7020907@variegate.biz>

An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090706/0498ef10/attachment.html

From MailScanner at ecs.soton.ac.uk Mon Jul 6 09:05:40 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Jul 6 09:06:00 2009
Subject: {Spam?} Re: Spam but no randomly no Spam Report
In-Reply-To: <4A50615C0200002D00006DD1@sparky.asdm.net>
References: <4A4404D50200002D00006C96@sparky.asdm.net>
    <4A44CA920200002D00006CE5@sparky.asdm.net>
    <4A44D89D0200002D00006CEA@sparky.asdm.net>
    <4A487F55.9080907@ecs.soton.ac.uk>
    <4A4888730200002D00006D2F@sparky.asdm.net>
    <4A4DD0B80200002D00006DC3@sparky.asdm.net>
    <223f97700907030718w64d038b0hb6d23f5f551ed68c@mail.gmail.com>
    <4A4DE2340200002D00006DCD@sparky.asdm.net>
    <223f97700907030827v65ae494o23985590087ede10@mail.gmail.com>
    <4A50615C0200002D00006DD1@sparky.asdm.net>
    <4A51B054.2030808@ecs.soton.ac.uk>
Message-ID:

On 05/07/2009 13:16, Gary Faith wrote:
> The whole reason for this thread was that there wasn't any information in the spamreport field under specific circumstances. Jules patched the code and now some of the spamreport data is now showing up but I don't believe all of it is. I am attempting to prove that there should be more data in the report when these messages are scanned and I think I have proved it but I really don't have the knowledge in Perl to follow the code and see what is happening. I can attempt to solve some things by gathering data but reading Perl is definitely not my strong suit.
>
What do you think is still missing?

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner

From shprahi at gmail.com Mon Jul 6 12:26:35 2009
From: shprahi at gmail.com (shprahi shprahi)
Date: Mon Jul 6 12:26:46 2009
Subject: MailScanner not processing after Hold state
In-Reply-To: <223f97700906271525m22b72af7y7e7fd6fc9a60c01a@mail.gmail.com>
References: <72cf361e0906251055u117a572eq55e93ca558772f04@mail.gmail.com>
    <223f97700906271525m22b72af7y7e7fd6fc9a60c01a@mail.gmail.com>
Message-ID:

Hi,

I am using the latest MailScanner and postfix (2.2.11). Will it have any problem, since my postfix is running from old days so I have not changed/upgraded the same? But I have installed MailScanner 4.77-10, which is the latest, and noticed it will accept mails and delivers the mails very slowly; due to this my mail queue is increasing.

Any idea? Machine is of 2GB RAM

Thanks,
shprahi

On Sun, Jun 28, 2009 at 3:55 AM, Glenn Steen wrote:

> 2009/6/25 Martin Hepworth :
> > 2009/6/25 shyam hirurkar :
> >> Hi All,
> >>
> >> I am using postfix+Mailscanner+spamassassin+clamAV it is working fine and
> >> now a days I am facing issue with mailscanner like once message goes to Hold
> >> state after that mailscanner does not do any thing neither it process not it
> >> gives back to postfix. Simply mail will vanish. Is there any thing wrong
> >> this is happening inconsistently..
> >>
> >> Here is the sample log
> >>
> >> [root@mx log]# cat maillog | grep B62FC4FD82
> >> Jun 17 11:39:32 mx postfix/smtpd[16374]: B62FC4FD82:
> >> client=unknown[xxx.xxx.xxx.xxx]
> >> Jun 17 11:44:33 mx postfix/cleanup[16394]: B62FC4FD82: hold: header
> >> Received: from some.domain.com (unknown [xxx.xxx.xxx.xxx])??by mx.domain.com
> >> (Postfix) with ESMTP id B62FC4FD82??for ; Wed, 17 Jun 2009
> >> 11:39:26 +0530 (IST) from unknown[xxx.xxx.xxx.xxx];
> >> from= to= proto=ESMTP helo=< some.domain.com>
> >>
> >> After this there is no entry in maillog neither user received the mail not
> >> bounce back , I am not able to figure it out .
> >>
> >> If any thing more detail require from my side please let me know.
> >>
> >> Shyam
> >
> > Make sure you are running the latest version of MS (4.77) - there was
> > an issue with the previous version with postfix.
>
> Sure, but ... to be sure, run MailScanner --debug (as the postfix
> user) to rule out any silly misconfigurations.
> The queue file is still in the hold queue, right?
>
> Cheers
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se

From alex at rtpty.com Mon Jul 6 12:47:13 2009
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Mon Jul 6 12:47:34 2009
Subject: MailScanner not processing after Hold state
In-Reply-To:
References: <72cf361e0906251055u117a572eq55e93ca558772f04@mail.gmail.com>
    <223f97700906271525m22b72af7y7e7fd6fc9a60c01a@mail.gmail.com>
Message-ID: <90CE99F4-B9D2-442E-AE13-35F0BC33A483@rtpty.com>

What options have you tried? Are you using SpamAssassin? Have you upgraded SpamAssassin?

On Jul 6, 2009, at 6:26 AM, shprahi shprahi wrote:

> Hi ,
>
> I am using latest mailscanner and postfix (2.2.11) will it have any
> problem since my postfix is running from old days so i have not
> change/upgraded the same. but I have installed MailScanner 4.77-10
> which is latest and noticed it will accept mails and delivers the
> mails very slowley due to this my mail queue is increaing.
>
> Any idea? Machine is of 2GB RAM
>
> Thanks,
> shprahi
>
> On Sun, Jun 28, 2009 at 3:55 AM, Glenn Steen wrote:
> 2009/6/25 Martin Hepworth :
> > 2009/6/25 shyam hirurkar :
> >> Hi All,
> >>
> >> I am using postfx+Mailscanner+spamassassin+clamAV it is working fine and
> >> now a days i am facng issue with mailscanner like once message goes to Hold
> >> state after that mailscanner does not do any thing neither it process not it
> >> gives back to postfix. Simply mail will vanish. Is there any thing wrong
> >> this is happaning inconsistantly..

--
Alex Neuman van der Hans
Reliant Technologies
+507 6781-9505
+507 202-1525
alex@rtpty.com
Skype: alexneuman

From paulo-m-roncon at ptinovacao.pt Mon Jul 6 13:01:18 2009
From: paulo-m-roncon at ptinovacao.pt (Paulo Roncon)
Date: Mon Jul 6 13:02:00 2009
Subject: Memory optimizations
In-Reply-To: <200907061104.n66B0d3W019723@safir.blacknight.ie>
References: <200907061104.n66B0d3W019723@safir.blacknight.ie>
Message-ID:

Hello,

I have a server with 8 cpus and 16G RAM.
Currently the server is using 14G RAM, 0 SWAP, 3G cache free (about 5G free)

- I reduced the MailScanner childs to 8
- milter-greylist - memory used: 4G
- about 160 sendmail instances running
- clamav
- Centos 5.3 x64
- yum up-to-date

What can I do to reduce the memory occupation?
I have another server with 12G of RAM, same config (this have 16 MailScanner childs) and it only uses about 7G RAM...

free -m
             total       used       free     shared    buffers     cached
Mem:         16051      14662       1388          0        538       1133
-/+ buffers/cache:      12990       3060
Swap:        18047          0      18047

iostat
Linux 2.6.18-128.el5    07/06/2009

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
           4.62    0.01    1.40    0.69    0.00   93.29

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
sda              17.86        11.29      2009.51   47709698 8491294338
sda1              0.00         0.00         0.01       2628      42546
sda2             17.86        11.29      2009.50   47706758 8491251792
dm-0            251.30        11.29      2009.50   47704514 8491252128
dm-1              0.00         0.00         0.00       1472        232

top - 12:58:00 up 48 days, 21:46, 3 users, load average: 4.74, 4.79, 4.39
Tasks: 374 total, 4 running, 370 sleeping, 0 stopped, 0 zombie
Cpu(s): 26.3%us, 7.4%sy, 0.0%ni, 56.2%id, 10.0%wa, 0.0%hi, 0.1%si, 0.0%st
Mem: 16436736k total, 15441228k used, 995508k free, 553288k buffers
Swap: 18481144k total, 116k used, 18481028k free, 1208512k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM     TIME+ COMMAND
12118 root      25   0  190m 171m  948 R 58.7  1.1   0:01.77 clamscan
12132 root      25   0  190m 171m  948 R 48.8  1.1   0:01.47 clamscan
12148 root      25   0  171m 153m  852 R 37.2  1.0   0:01.12 clamscan
12161 root      18   0  370m 224m 2056 S  4.6  1.4   0:00.14 MailScanner
11969 root      15   0 69492 3832 1724 S  4.3  0.0   0:00.15 sendmail
 3705 root      16   0  370m 225m 3576 S  2.3  1.4   0:30.73 MailScanner
 3392 root      19   0  328m 183m 3584 S  1.7  1.1   0:29.09 MailScanner
  805 root      10  -5     0    0    0 S  1.3  0.0  56:01.30 kjournald
 3582 root      17   0  324m 180m 3588 S  1.3  1.1   0:32.58 MailScanner
 3815 root      17   0  318m 173m 3572 S  0.7  1.1   0:25.27 MailScanner
 3984 root      16   0  332m 187m 3572 D  0.7  1.2   0:28.52 MailScanner
12059 root      15   0 12868 1312  808 R  0.7  0.0   0:00.03 top
26244 smmsp     15   0 4442m 2.2g  724 S  0.7 14.3  35:41.12 milter-greylist
32230 root      15   0 67096 2568  868 S  0.7  0.0  34:16.49 sendmail
 3918 root      16   0  323m 178m 3588 S  0.3  1.1   0:29.76 MailScanner
12110 root      21   0 63868 1124  952 S  0.3  0.0   0:00.01 clamav-wrapper
12126 root      20   0 63868 1124  952 S  0.3  0.0   0:00.01 clamav-wrapper
12144 root      20   0 63868 1124  952 S  0.3  0.0   0:00.01 clamav-wrapper
32060 root      15   0  5904  692  552 S  0.3  0.0   5:48.71 syslogd
    1 root      15   0 10344  636  544 S  0.0  0.0   0:20.96 init
    2 root      RT  -5     0    0    0 S  0.0  0.0   0:02.51 migration/0
    3 root      34  19     0    0    0 S  0.0  0.0   0:02.48 ksoftirqd/0
    4 root      RT  -5     0    0    0 S  0.0  0.0   0:00.05 watchdog/0
    5 root      RT  -5     0    0    0 S  0.0  0.0   0:01.57 migration/1
    6 root      34  19     0    0    0 S  0.0  0.0   0:00.45 ksoftirqd/1
    7 root      RT  -5     0    0    0 S  0.0  0.0   0:00.06 watchdog/1
    8 root      RT  -5     0    0    0 S  0.0  0.0   0:02.25 migration/2
    9 root      34  19     0    0    0 S  0.0  0.0   0:00.34 ksoftirqd/2
   10 root      RT  -5     0    0    0 S  0.0  0.0   0:00.03 watchdog/2
   11 root      RT  -5     0    0    0 S  0.0  0.0   0:01.82 migration/3
   12 root      34  19     0    0    0 S  0.0  0.0   0:00.41 ksoftirqd/3
   13 root      RT  -5     0    0    0 S  0.0  0.0   0:00.02 watchdog/3

From shprahi at gmail.com Mon Jul 6 13:25:10 2009
From: shprahi at gmail.com (shprahi shprahi)
Date: Mon Jul 6 13:25:31 2009
Subject: MailScanner not processing after Hold state
In-Reply-To: <90CE99F4-B9D2-442E-AE13-35F0BC33A483@rtpty.com>
References: <72cf361e0906251055u117a572eq55e93ca558772f04@mail.gmail.com>
    <223f97700906271525m22b72af7y7e7fd6fc9a60c01a@mail.gmail.com>
    <90CE99F4-B9D2-442E-AE13-35F0BC33A483@rtpty.com>
Message-ID:

Hi,

I have spamassassin version as below

SpamAssassin version 3.2.5
running on Perl version 5.8.5

And found this is the latest stable. Let me know any further input required from my side.

Thanks,
Shprahi

On Mon, Jul 6, 2009 at 5:17 PM, Alex Neuman van der Hans wrote:

> What options have you tried? Are you using SpamAssassin? Have you upgraded
> SpamAssassin?
>
> On Jul 6, 2009, at 6:26 AM, shprahi shprahi wrote:
>
>> Hi ,
>>
>> I am using latest mailscanner and postfix (2.2.11) will it have any
>> problem since my postfix is running from old days so i have not
>> change/upgraded the same. but I have installed MailScanner 4.77-10 which is
>> latest and noticed it will accept mails and delivers the mails very slowley
>> due to this my mail queue is increaing.
>>
>> Any idea? Machine is of 2GB RAM
>>
>> Thanks,
>> shprahi
>>
>> On Sun, Jun 28, 2009 at 3:55 AM, Glenn Steen wrote:
>> 2009/6/25 Martin Hepworth :
>> > 2009/6/25 shyam hirurkar :
>> >> Hi All,
>> >>
>> >> I am using postfx+Mailscanner+spamassassin+clamAV it is working fine and
>> >> now a days i am facng issue with mailscanner like once message goes to Hold
>> >> state after that mailscanner does not do any thing neither it process not it
>> >> gives back to postfix. Simply mail will vanish. Is there any thing wrong
>> >> this is happaning inconsistantly..
>> >> >> >> Here is the sample log >> >> >> >> [root@mx log]# cat maillog | grep B62FC4FD82 >> >> Jun 17 11:39:32 mx postfix/smtpd[16374]: B62FC4FD82: >> >> client=unknown[xxx.xxx.xxx.xxx] >> >> Jun 17 11:44:33 mx postfix/cleanup[16394]: B62FC4FD82: hold: header >> >> Received: from some.domain.com (unknown [xxx.xxx.xxx.xxx])??by >> mx.domain.com >> >> >> >> (Postfix) with ESMTP id B62FC4FD82??for ; Wed, 17 Jun >> 2009 >> >> 11:39:26 +0530 (IST) from unknown[xxx.xxx.xxx.xxx]; >> >> >> >> from= to= proto=ESMTP helo=< >> some.domain.com> >> >> >> >> After this there is no entry in maillog niether user received the mail >> not >> >> bounce back , I am not able to figure it out . >> >> >> >> If any thing more detail require from my side please let me know. >> >> >> >> Shyam >> >> >> >> -- >> >> MailScanner mailing list >> >> mailscanner@lists.mailscanner.info >> >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> >> >> Support MailScanner development - buy the book off the website! >> >> >> >> >> > >> > >> > Make sure you are running the latest version of MS (4.77) - there was >> > an issue with the previous version with postfix. >> > >> > >> Sure, but ... to be sure, run MailScanner --debug (as the postfix >> user) to rule out any silly misconfigurations. >> The queue file is still in the hold queue, right? >> >> Cheers >> -- >> -- Glenn >> email: glenn < dot > steen < at > gmail < dot > com >> work: glenn < dot > steen < at > ap1 < dot > se >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! 
>> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> > > > > -- > Alex Neuman van der Hans > Reliant Technologies > +507 6781-9505 > +507 202-1525 > alex@rtpty.com > Skype: alexneuman > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090706/d9f7ce45/attachment.html From prandal at herefordshire.gov.uk Mon Jul 6 13:40:01 2009 
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Mon Jul 6 13:40:25 2009
Subject: Memory optimizations
In-Reply-To:
References: <200907061104.n66B0d3W019723@safir.blacknight.ie>
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA0729FC40@HC-MBX02.herefordshire.gov.uk>

First thing to do is switch to clamdscan, that will help a lot.

http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:clamav:switch_to_rpm_clamd

Cheers,

Phil

--
Phil Randal | Networks Engineer
Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: prandal@herefordshire.gov.uk

Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Herefordshire Council. This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Paulo Roncon
Sent: 06 July 2009 13:01
To: 'mailscanner@lists.mailscanner.info'
Subject: Memory optimizations

Hello,

I have a server with 8 cpus and 16G RAM.
Currently the server is using 14G RAM, 0 SWAP, 3G cache free (about 5G free)

- I reduced the MailScanner childs to 8
- milter-greylist - memory used: 4G
- about 160 sendmail instances running
- clamav
- Centos 5.3 x64
- yum up-to-date

What can I do to reduce the memory occupation?
I have another server with 12G of RAM, same config (this have 16 MailScanner childs) and it only uses about 7G RAM...

free -m
             total       used       free     shared    buffers     cached
Mem:         16051      14662       1388          0        538       1133
-/+ buffers/cache:      12990       3060
Swap:        18047          0      18047

iostat
Linux 2.6.18-128.el5    07/06/2009

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
           4.62    0.01    1.40    0.69    0.00   93.29

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
sda              17.86        11.29      2009.51   47709698 8491294338
sda1              0.00         0.00         0.01       2628      42546
sda2             17.86        11.29      2009.50   47706758 8491251792
dm-0            251.30        11.29      2009.50   47704514 8491252128
dm-1              0.00         0.00         0.00       1472        232

top - 12:58:00 up 48 days, 21:46,  3 users,  load average: 4.74, 4.79, 4.39
Tasks: 374 total,   4 running, 370 sleeping,   0 stopped,   0 zombie
Cpu(s): 26.3%us,  7.4%sy,  0.0%ni, 56.2%id, 10.0%wa,  0.0%hi,  0.1%si,  0.0%st
Mem:  16436736k total, 15441228k used,   995508k free,   553288k buffers
Swap: 18481144k total,      116k used, 18481028k free,  1208512k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
12118 root      25   0  190m 171m  948 R 58.7  1.1   0:01.77 clamscan
12132 root      25   0  190m 171m  948 R 48.8  1.1   0:01.47 clamscan
12148 root      25   0  171m 153m  852 R 37.2  1.0   0:01.12 clamscan
12161 root      18   0  370m 224m 2056 S  4.6  1.4   0:00.14 MailScanner
11969 root      15   0 69492 3832 1724 S  4.3  0.0   0:00.15 sendmail
 3705 root      16   0  370m 225m 3576 S  2.3  1.4   0:30.73 MailScanner
 3392 root      19   0  328m 183m 3584 S  1.7  1.1   0:29.09 MailScanner
  805 root      10  -5     0    0    0 S  1.3  0.0  56:01.30 kjournald
 3582 root      17   0  324m 180m 3588 S  1.3  1.1   0:32.58 MailScanner
 3815 root      17   0  318m 173m 3572 S  0.7  1.1   0:25.27 MailScanner
 3984 root      16   0  332m 187m 3572 D  0.7  1.2   0:28.52 MailScanner
12059 root      15   0 12868 1312  808 R  0.7  0.0   0:00.03 top
26244 smmsp     15   0 4442m 2.2g  724 S  0.7 14.3  35:41.12 milter-greylist
32230 root      15   0 67096 2568  868 S  0.7  0.0  34:16.49 sendmail
 3918 root      16   0  323m 178m 3588 S  0.3  1.1   0:29.76 MailScanner
12110 root      21   0 63868 1124  952 S  0.3  0.0   0:00.01 clamav-wrapper
12126 root      20   0 63868 1124  952 S  0.3  0.0   0:00.01 clamav-wrapper
12144 root      20   0 63868 1124  952 S  0.3  0.0   0:00.01 clamav-wrapper
32060 root      15   0  5904  692  552 S  0.3  0.0   5:48.71 syslogd
    1 root      15   0 10344  636  544 S  0.0  0.0   0:20.96 init
    2 root      RT  -5     0    0    0 S  0.0  0.0   0:02.51 migration/0
    3 root      34  19     0    0    0 S  0.0  0.0   0:02.48 ksoftirqd/0
    4 root      RT  -5     0    0    0 S  0.0  0.0   0:00.05 watchdog/0
    5 root      RT  -5     0    0    0 S  0.0  0.0   0:01.57 migration/1
    6 root      34  19     0    0    0 S  0.0  0.0   0:00.45 ksoftirqd/1
    7 root      RT  -5     0    0    0 S  0.0  0.0   0:00.06 watchdog/1
    8 root      RT  -5     0    0    0 S  0.0  0.0   0:02.25 migration/2
    9 root      34  19     0    0    0 S  0.0  0.0   0:00.34 ksoftirqd/2
   10 root      RT  -5     0    0    0 S  0.0  0.0   0:00.03 watchdog/2
   11 root      RT  -5     0    0    0 S  0.0  0.0   0:01.82 migration/3
   12 root      34  19     0    0    0 S  0.0  0.0   0:00.41 ksoftirqd/3
   13 root      RT  -5     0    0    0 S  0.0  0.0   0:00.02 watchdog/3

From AHKAPLAN at PARTNERS.ORG Mon Jul 6 13:48:31 2009
From: AHKAPLAN at PARTNERS.ORG (Kaplan, Andrew H.)
Date: Mon Jul 6 13:48:45 2009
Subject: Files being blocked despite configuration changes
In-Reply-To: <223f97700906271554w18888111k1ca8a0cc6aed27e2@mail.gmail.com>
References: <223f97700906271554w18888111k1ca8a0cc6aed27e2@mail.gmail.com>
Message-ID:

Hi there --

Thanks for your reply, and my apologies for not getting back to you sooner. I was on vacation last week.

I had a question on how would I go about implementing your suggested "file -i" method. Would it be simply a matter of adding an argument to the /etc/init.d/MailScanner and/or /etc/sysconfig/MailScanner files, or is there another suggested method?

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen
Sent: Saturday, June 27, 2009 6:54 PM
To: MailScanner discussion
Subject: Re: Files being blocked despite configuration changes

2009/6/26 Kaplan, Andrew H. :
>
> Hi there --
>
> I received a request to have .dat files be allowed through our mail server.
> Files of this type were normally sent to quarantine with an e-mail
> notification report stating the following:
>
> Report: MailScanner: No programs allowed (set.dat)
> Report: MailScanner: No programs allowed (set.dat)
>
> I reconfigured the filename.rules.conf and filetype.rules.conf files to
> allow the above file types to pass through without problem. Listed below
> are the syntaxes from each of the configuration files:
>
> filename.rules.conf
> # Physics has requested that files of this type be allowed...
> allow   \.dat$
>
> filetype.rules.conf
> allow   dat     -       Physics requested these be allowed
>
> Once these changes were made, MailScanner along with the mailserver,
> Sendmail, were restarted via the /etc/init.d/MailScanner script. There
> were no failed messages appearing on-screen when this occurred.
>
> The problem is the following: even though the files in question have been
> configured to be allowed, they are still being blocked and sent to
> quarantine. The version of MailScanner is 4.72.5 while that of Sendmail
> is 8.14.1.
>
> What other steps and/or corrections do I need to make in order to fix
> this? Thanks.
>
The file command doesn't know what "dat" is... It finds the "magic" strings/bytes that identify it as some type of executable (just run file on the quarantined file, if you store them, and you'll see).
This might be due to the file actually being an executable, or accidentally triggering one of the more optimistic one-byte-magics ... in which case you either face editing/recompiling your magic file, or switching to "file -i" for file type purposes. The latter might be best.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

The information in this e-mail is intended only for the person to whom it is addressed. If you believe this e-mail was sent to you in error and the e-mail contains patient information, please contact the Partners Compliance HelpLine at http://www.partners.org/complianceline . If the e-mail was sent to you in error but does not contain patient information, please contact the sender and properly dispose of the e-mail.

From steve.freegard at fsl.com Mon Jul 6 14:05:57 2009
From: steve.freegard at fsl.com (Steve Freegard)
Date: Mon Jul 6 14:06:07 2009
Subject: Memory optimizations
In-Reply-To:
References: <200907061104.n66B0d3W019723@safir.blacknight.ie>
Message-ID: <4A51F6B5.5020704@fsl.com>

Paulo Roncon wrote:
> - milter-greylist - memory used: 4G

Surely that can't be right?!? - memory leak?

Regards,
Steve.

From gafaith at asdm.net Mon Jul 6 15:32:00 2009
From: gafaith at asdm.net (Gary Faith)
Date: Mon Jul 6 15:32:28 2009
Subject: Memory optimizations
In-Reply-To: <4A51F6B5.5020704@fsl.com>
References: <200907061104.n66B0d3W019723@safir.blacknight.ie> <4A51F6B5.5020704@fsl.com>
Message-ID: <4A51D2A00200002D00006DE0@sparky.asdm.net>

I think that is very high. My milter-greylist is about 39MB.

Gary

>>> Steve Freegard 7/6/2009 9:05 AM >>>
Paulo Roncon wrote:
> - milter-greylist - memory used: 4G

Surely that can't be right?!? - memory leak?

Regards,
Steve.

From alex at rtpty.com Mon Jul 6 15:57:44 2009
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Mon Jul 6 15:57:56 2009
Subject: MailScanner not processing after Hold state
In-Reply-To:
References: <72cf361e0906251055u117a572eq55e93ca558772f04@mail.gmail.com> <223f97700906271525m22b72af7y7e7fd6fc9a60c01a@mail.gmail.com> <90CE99F4-B9D2-442E-AE13-35F0BC33A483@rtpty.com>
Message-ID: <73025FAB-B97D-42F9-8357-BF564DD5D120@rtpty.com>

There is A LOT of input required from your side. For example, you say your machine has 2Gb RAM. What CPU? How are the disks configured? Have you tried any other optimizations? What spamassassin rules have you added besides the original? Are you using pyzor/razor/dcc? Are you using clamav? Other scanners? Are you using clamd instead of clamav or clamavmodule? Are you running any milters? Are you using RBL's to ease the load?

On Jul 6, 2009, at 7:25 AM, shprahi shprahi wrote:

> And found this is the latest stable. Let me know any further input
> required from my side.

--
Alex Neuman van der Hans
Reliant Technologies
+507 6781-9505
+507 202-1525
alex@rtpty.com
Skype: alexneuman

From ecasarero at gmail.com Mon Jul 6 18:03:30 2009
From: ecasarero at gmail.com (Eduardo Casarero)
Date: Mon Jul 6 18:03:59 2009
Subject: Memory optimizations
In-Reply-To: <4A51D2A00200002D00006DE0@sparky.asdm.net>
References: <200907061104.n66B0d3W019723@safir.blacknight.ie> <4A51F6B5.5020704@fsl.com> <4A51D2A00200002D00006DE0@sparky.asdm.net>
Message-ID: <7d9b3cf20907061003see31b6bt3ec8bbf3ca4c6dfa@mail.gmail.com>

this is my conf in milter-greylist

lazyaw
dumpfreq 86400
dump_no_time_translation
timeout 5h

especially timeout 5h saves a lot of ram!

2009/7/6 Gary Faith

> I think that is very high. My milter-greylist is about 39MB.
>
> Gary
>
> >>> Steve Freegard 7/6/2009 9:05 AM >>>
>
> Paulo Roncon wrote:
> > - milter-greylist - memory used: 4G
>
> Surely that can't be right?!? - memory leak?
>
> Regards,
> Steve.

From gafaith at asdm.net Tue Jul 7 01:59:33 2009
From: gafaith at asdm.net (Gary Faith)
Date: Tue Jul 7 01:59:58 2009
Subject: {Spam?} Re: Spam but no randomly no Spam Report
In-Reply-To:
References: <4A4404D50200002D00006C96@sparky.asdm.net> <4A44CA920200002D00006CE5@sparky.asdm.net> <4A44D89D0200002D00006CEA@sparky.asdm.net> <4A487F55.9080907@ecs.soton.ac.uk> <4A4888730200002D00006D2F@sparky.asdm.net> <4A4DD0B80200002D00006DC3@sparky.asdm.net> <223f97700907030718w64d038b0hb6d23f5f551ed68c@mail.gmail.com> <4A4DE2340200002D00006DCD@sparky.asdm.net> <223f97700907030827v65ae494o23985590087ede10@mail.gmail.com> <4A50615C0200002D00006DD1@sparky.asdm.net> <4A51B054.2030808@ecs.soton.ac.uk>
Message-ID: <4A5265B50200002D00006DF9@sparky.asdm.net>

Jules,

Sorry to be a broken record. I am trying to document as much as possible so that you can get an accurate picture of what I am talking about. Back a message or two, I gave the difference between what I see in the spamreport field on a clean message vs one that has the specific flags. Here is the spamreport of a recent message (Received on: 07/06/09 20:22:02) with the specific flags. In mailwatch, I ran a report with the flags set as below:

is Spam (>0 = TRUE) is equal to '1' Remove
is High Scoring Span (>0 = TRUE) is equal to '0' Remove
is Spam according to SpamAssassin (>0 = TRUE) is equal to '0' Remove
is Listed in one or more RBL's (>0 = TRUE) is equal to '1' Remove

I chose this message and this is the pertinent part of the details page:

ID: n670LtUA030706
SpamAssassin Score: 1.05
Spam Report: spam, SORBS-RECENT

When I look at the mysql database, I see a sascore of 1.05 and spamreport shows: spam, SORBS-RECENT. (Just confirming what mailwatch shows.) What I think is missing in the spamreport field is the reason(s) for the sascore of 1.05!

When I run spamassassin on the message manually.

mscan:/var/spool/MailScanner/quarantine # spamassassin < 20090706/spam/n670LtUA030706 | less

I get:

X-Spam-DCC: sonic.net: mscan 1117; Body=2 Fuz1=2 Fuz2=2
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on mscan.domain.com
X-Spam-Level: *
X-Spam-Status: No, score=1.1 required=5.0 tests=BAYES_00,HTML_MESSAGE,
        HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY shortcircuit=no autolearn=no
        version=3.2.5

At minimum, what seems to be missing in the spamreport field is what is contained in the X-Spam-Status header: BAYES_00,HTML_MESSAGE, HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY and possibly other things like autolearn, etc.

As I stated before this only seems to happen when the flags are exactly like above. The spamreport field is correct for any other condition including clean, high scoring, spamassassin spam, etc. If you want, you can contact me off list to produce any more information because people are probably getting tired of me and/or this thread. ;-)

Gary

>>> Julian Field 7/6/2009 4:05 AM >>>

On 05/07/2009 13:16, Gary Faith wrote:
> The whole reason for this thread was that there wasn't any information in the spamreport field under specific circumstances. Jules patched the code and now some of the spamreport data is now showing up but I don't believe all of it is. I am attempting to prove that there should be more data in the report when these messages are scanned and I think I have proved it but I really don't have the knowledge in Perl to follow the code and see what is happening. I can attempt to solve some things by gathering data but reading Perl is definitely not my strong suit.
>
What do you think is still missing?

Jules

From hafiz at variegate.biz Tue Jul 7 04:41:10 2009
From: hafiz at variegate.biz (Mohd Hafiz Ramly)
Date: Tue Jul 7 04:41:27 2009
Subject: semi OT : Broken mail headers caused by Antivirus or Mail Client ?
Message-ID: <4A52C3D6.8090203@variegate.biz>

Hi List,

I have posted an issue earlier regarding "MailScanner: Could not analyze message". More info can be found here:

http://www.bluequartz.us/phpBB2/viewtopic.php?t=93948&sid=83856caba40a9dbd1211fc82334ab118

On further investigation of the issue, I found that the problematic mail is caused by broken mail headers (not sure if I get this term right). Inspecting the quarantined mail in MailScanner reveals that Content-Type has words randomly misspelled or missing.

Example 1:

Content-Type: multipart/related;
        bary="----=neXtPaRt_1244707265"

The correct headers would be:

Content-Type: multipart/related;
        boundary ="----=neXtPaRt_1244707265"

Example 2:

Content-Type: multipart/alternaboundary="----=neXtPaRt_1245338959"

The correct headers would be:

Content-Type: multipart/alternative;boundary="----=neXtPaRt_1245338959"

Example 3:

Content-Type: multipart/alternative;
        boundarneXtPaRt_1246674293"

The correct headers would be:

Content-Type: multipart/alternative;
        boundary ="----= neXtPaRt_1246674293"

Using the file command on my Linux server shows the message file is good:

[root@mail1 ~]# file /var/spool/MailScanner/quarantine/20090611/0DAE9191804B.A62FD/message
/var/spool/MailScanner/quarantine/20090611/0DAE9191804B.A62FD/message: RFC 822 mail text
[root@mail1 ~]# file -i /var/spool/MailScanner/quarantine/20090611/0DAE9191804B.A62FD/message
/var/spool/MailScanner/quarantine/20090611/0DAE9191804B.A62FD/message: message/rfc822

So I decided to edit the quarantined message file and fixed the headers to the correct entry, and the mail went through just fine. MailScanner did not complain about anything.

[root@mail1 ~]# sendmail -toi < /var/spool/MailScanner/quarantine/20090611/0DAE9191804B.A62FD/message

I notice the client uses Outlook 11, Outlook Express 6 and SquirrelMail 1.4.10a as their mail editor. And all of those mails are scanned using FortiGuard antivirus.

So what actually caused the mail headers to be broken? Is it caused by the mail client, or might it be the antivirus at the client end?

My guess is it could be caused by FortiGuard antivirus software which scans outgoing mail on the clients' PCs. Anyone had this similar issue before?

From maxsec at gmail.com Tue Jul 7 07:11:30 2009
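The three damaged Content-Type headers quoted in the message above all break RFC 2045/2046 syntax, so a quarantined message can be checked for this fault mechanically. The Python check below is an added example, not code from the thread or from MailScanner; its function names are hypothetical and the minimal sample messages are constructed around the header values quoted above.

```python
"""Triage a quarantined message for a damaged Content-Type header."""
import re

# RFC 2045 "token" characters: used for type, subtype and parameter names.
TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
CT_RE = re.compile(rf"^\s*({TOKEN})/({TOKEN})\s*(;.*)?$", re.S)
PARAM_RE = re.compile(rf';\s*({TOKEN})\s*=\s*("(?:[^"\\]|\\.)*"|{TOKEN})\s*')
# RFC 2046 boundary: 1-70 characters from "bchars", not ending in a space.
BOUNDARY_RE = re.compile(r"[0-9A-Za-z'()+_,./:=? -]{0,69}[0-9A-Za-z'()+_,./:=?-]")


def get_header(raw, name):
    """Return the unfolded value of the first header called `name`, or None."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    unfolded = re.sub(r"\r?\n[ \t]+", " ", head)  # join folded continuation lines
    for line in unfolded.splitlines():
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == name.lower():
            return value.strip()
    return None


def parse_params(rest):
    """Parse ';name=value' pairs; return (params, text that would not parse)."""
    params, pos = {}, 0
    while pos < len(rest):
        m = PARAM_RE.match(rest, pos)
        if not m:
            return params, rest[pos:].strip()
        value = m.group(2)
        if value.startswith('"'):
            value = value[1:-1]
        params[m.group(1).lower()] = value
        pos = m.end()
    return params, ""


def content_type_problems(raw):
    """List what is wrong with the message's Content-Type (empty list = fine)."""
    value = get_header(raw, "Content-Type")
    if value is None:
        return []  # an absent header means text/plain (RFC 2045 default)
    m = CT_RE.match(value)
    if not m:
        return [f"media type is not 'type/subtype[; params]': {value!r}"]
    params, junk = parse_params((m.group(3) or "").rstrip(" \t;"))
    problems = []
    if junk:
        problems.append(f"unparseable parameter text: {junk!r}")
    if m.group(1).lower() == "multipart":
        boundary = params.get("boundary")
        if boundary is None:
            problems.append("multipart type without a boundary parameter")
        elif not BOUNDARY_RE.fullmatch(boundary):
            problems.append(f"boundary breaks RFC 2046 syntax: {boundary!r}")
    return problems


# Constructed sample messages; only the Content-Type values come from the post.
SAMPLES = {
    "example1": 'Subject: t\nContent-Type: multipart/related;\n'
                '\tbary="----=neXtPaRt_1244707265"\n\nbody\n',
    "example2": 'Subject: t\nContent-Type: '
                'multipart/alternaboundary="----=neXtPaRt_1245338959"\n\nbody\n',
    "example3": 'Subject: t\nContent-Type: multipart/alternative;\n'
                '\tboundarneXtPaRt_1246674293"\n\nbody\n',
    "repaired1": 'Subject: t\nContent-Type: multipart/related;\n'
                 '\tboundary="----=neXtPaRt_1244707265"\n\nbody\n',
    "plain": 'Subject: t\nContent-Type: text/plain; charset="us-ascii"\n\nbody\n',
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        found = content_type_problems(raw)
        print(f"{label}: {'; '.join(found) if found else 'ok'}")
```

Pointing `content_type_problems` at the text of a quarantined `message` file shows whether a damaged Content-Type line is present before the header is edited and the mail re-injected.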
From: maxsec at gmail.com (Martin Hepworth)
Date: Tue Jul 7 07:11:38 2009
Subject: {Spam?} Re: Spam but no randomly no Spam Report
In-Reply-To: <4A5265B50200002D00006DF9@sparky.asdm.net>
References: <4A4404D50200002D00006C96@sparky.asdm.net> <4A4888730200002D00006D2F@sparky.asdm.net> <4A4DD0B80200002D00006DC3@sparky.asdm.net> <223f97700907030718w64d038b0hb6d23f5f551ed68c@mail.gmail.com> <4A4DE2340200002D00006DCD@sparky.asdm.net> <223f97700907030827v65ae494o23985590087ede10@mail.gmail.com> <4A50615C0200002D00006DD1@sparky.asdm.net> <4A51B054.2030808@ecs.soton.ac.uk> <4A5265B50200002D00006DF9@sparky.asdm.net>
Message-ID: <72cf361e0907062311j63798b36k9a76ac267a765146@mail.gmail.com>

Gary

the "Spam Report: spam, SORBS-RECENT" gives the clue here. You're doing RBL scanning in MailScanner ("Spam List" settings in MailScanner.conf), and saying that if you single any single RBL this way then it's definitely spam. Most folks either use RBL's in the MTA or Spamassassin (where it will add to the score). In this case Spamassassin doesn't think it's spam.

Make sure the following are set in MailScanner.conf and you'll always get a sensible spam report...

Always Include SpamAssassin Report = yes
SpamScore Number Instead Of Stars = yes
Spam Score Number Format = %5.2f
Include Scores In SpamAssassin Report = yes

These settings make sure you always include a full spamassassin report in all emails, even ones that spamassassin doesn't think are spam.

--
Martin Hepworth
Oxford, UK

2009/7/7 Gary Faith

> Jules,
>
> Sorry to be a broken record. I am trying to document as much as possible
> so that you can get an accurate picture of what I am talking about. Back a
> message or two, I gave the difference between what I see in the spamreport
> field on a clean message vs one that has the specific flags. Here is the
> spamreport of a recent message (Received on: 07/06/09 20:22:02) with the
> specific flags.

From MailScanner at ecs.soton.ac.uk Tue Jul 7 08:50:41 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Jul 7 08:51:01 2009
Subject: {Spam?} Re: Spam but no randomly no Spam Report
In-Reply-To: <72cf361e0907062311j63798b36k9a76ac267a765146@mail.gmail.com>
References: <4A4404D50200002D00006C96@sparky.asdm.net> <4A4888730200002D00006D2F@sparky.asdm.net> <4A4DD0B80200002D00006DC3@sparky.asdm.net> <223f97700907030718w64d038b0hb6d23f5f551ed68c@mail.gmail.com> <4A4DE2340200002D00006DCD@sparky.asdm.net> <223f97700907030827v65ae494o23985590087ede10@mail.gmail.com> <4A50615C0200002D00006DD1@sparky.asdm.net> <4A51B054.2030808@ecs.soton.ac.uk> <4A5265B50200002D00006DF9@sparky.asdm.net> <72cf361e0907062311j63798b36k9a76ac267a765146@mail.gmail.com> <4A52FE51.9080104@ecs.soton.ac.uk>
Message-ID:

But it does mean that, even though it's spam because it has hit an RBL, you will still waste time doing a SpamAssassin run of the message, even though that won't result in any change in action taken with the message. So yes, you get your report, but you don't get any advantage from having run it as it's spam anyway. So the time taken to produce the SpamAssassin report is wasted.

But you can waste your CPU if you want to... :-)

Jules.

On 07/07/2009 07:11, Martin Hepworth wrote:
> Gary
>
> the "Spam Report: spam, SORBS-RECENT" gives the clue here. You're
> doing RBL scanning in MailScanner ("Spam List" settings in
> MailScanner.conf), and saying that if you single any single RBL this
> way then it's definitely spam. Most folks either use RBL's in the MTA
> or Spamassassin (where it will add to the score). In this case
> Spamassassin doesn't think it's spam.
>
> Make sure the following are set in MailScanner.conf and you'll always
> get a sensible spam report...
>
> Always Include SpamAssassin Report = yes
> SpamScore Number Instead Of Stars = yes
> Spam Score Number Format = %5.2f
> Include Scores In SpamAssassin Report = yes
>
> These settings make sure you always include a full spamassassin
> report in all emails, even ones that spamasassin doesn't think are spam.
>
> --
> Martin Hepworth
> Oxford, UK
>
> 2009/7/7 Gary Faith
>
>     Jules,
>
>     Sorry to be a broken record. I am trying to document as much as
>     possible so that you can get an accurate picture of what I am
>     talking about. Back a message or two, I gave the difference
>     between what I see in the spamreport field on a clean message vs
>     one that has the specific flags. Here is the spamreport of a
>     recent message (Received on: 07/06/09 20:22:02) with the specific
>     flags. In mailwatch, I ran a report with the flags set as below:
>
>     is Spam (>0 = TRUE) is equal to '1' Remove
>     is High Scoring Span (>0 = TRUE) is equal to '0' Remove
>     is Spam according to SpamAssassin (>0 = TRUE) is equal to '0' Remove
>     is Listed in one or more RBL's (>0 = TRUE) is equal to '1' Remove
>
>     I chose this message and this is the pertinent part of the details
>     page:
>
>     ID: n670LtUA030706
>     SpamAssassin Score: 1.05
>     Spam Report: spam, SORBS-RECENT
>
>     When I look at the mysql database, I see a sascore of 1.05 and
>     spamreport show: spam, SORBS-RECENT. (Just confirming what
>     mailwatch shows.) What I think is missing in the spamreport field
>     is the reason(s) for the sascore of 1.05!
>
>     When I run spamassassin on the message manually.
> > mscan:/var/spool/MailScanner/quarantine # spamassassin < > 20090706/spam/n670LtUA030706 | less > > I get: > > X-Spam-DCC: sonic.net : mscan 1117; Body=2 > Fuz1=2 Fuz2=2 > X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on > mscan.domain.com > X-Spam-Level: * > X-Spam-Status: No, score=1.1 required=5.0 tests=BAYES_00,HTML_MESSAGE, > HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY shortcircuit=no > autolearn=no > version=3.2.5 > > At minimum, what seems to be missing in the spamreport field is > what is contained in the X-Spam-Status header: > BAYES_00,HTML_MESSAGE, HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY and > possibly other thing like autolearn, etc. > > As I stated before this only seems to happen when the flags are > exactly like above. The spamreport field is correct for any other > condition including clean, high scoring, spamassassin spam, etc. > If you want, you can contact me off list to produce any more > information because people are probably getting tired of me and/or > this thread. ;-) > > Gary > > > >>> Julian Field > 7/6/2009 4:05 AM >>> > > > On 05/07/2009 13:16, Gary Faith wrote: > > The whole reason for this thread was that there wasn't any > information in the spamreport field under specific circumstances. > Jules patched the code and now some of the spamreport data is now > showing up but I don't believe all of it is. I am attempting to > prove that there should be more data in the report when these > messages are scanned and I think I have proved it but I really > don't have the knowledge in Perl to follow the code and see what > is happening. I can attempt to solve some things by gathering > data but reading Perl is definitely not my strong suit. > > > What do you think is still missing? > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! 
> Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > Follow me at twitter.com/JulesFM and > twitter.com/MailScanner > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From steve.freegard at fsl.com Tue Jul 7 10:01:52 2009 
From: steve.freegard at fsl.com (Steve Freegard)
Date: Tue Jul 7 10:02:03 2009
Subject: Spam but no randomly no Spam Report
In-Reply-To: <4A5265B50200002D00006DF9@sparky.asdm.net>
References: <4A4404D50200002D00006C96@sparky.asdm.net> <4A44CA920200002D00006CE5@sparky.asdm.net> <4A44D89D0200002D00006CEA@sparky.asdm.net> <4A487F55.9080907@ecs.soton.ac.uk> <4A4888730200002D00006D2F@sparky.asdm.net> <4A4DD0B80200002D00006DC3@sparky.asdm.net> <223f97700907030718w64d038b0hb6d23f5f551ed68c@mail.gmail.com> <4A4DE2340200002D00006DCD@sparky.asdm.net> <223f97700907030827v65ae494o23985590087ede10@mail.gmail.com> <4A50615C0200002D00006DD1@sparky.asdm.net> <4A51B054.2030808@ecs.soton.ac.uk> <4A5265B50200002D00006DF9@sparky.asdm.net>
Message-ID: <4A530F00.7090106@fsl.com>

Gary Faith wrote:
>
> I chose this message and this is the pertinent part of the details page:
>
> ID: n670LtUA030706
> SpamAssassin Score: 1.05
> Spam Report: spam, SORBS-RECENT
>
> When I look at the mysql database, I see a sascore of 1.05 and spamreport show: spam, SORBS-RECENT. (Just confirming what mailwatch shows.) What I think is missing in the spamreport field is the reason(s) for the sascore of 1.05!
>

It sounds like a hit on the 'Spam Lists' causes the existing $spamreport variable to be either overwritten (thus losing the data from SA) or when SA runs it is not adding to the existing $spamreport value.

Turn off the 'Spam Lists' feature and see what happens. As you appear to have 'Check SpamAssassin If On Spam List = yes' there is little benefit in using this feature anyway as SA is more efficient at this; it queries RBLs in parallel.

If you trust SORBS to mark your mail as spam; then simply increase the equivalent SA score.

Regards,
Steve.

From kse at hovmark.dk Tue Jul 7 10:19:19 2009
From: kse at hovmark.dk (Kasper Sacharias Eenberg) Date: Tue Jul 7 10:19:27 2009 Subject: Has anyone tried CRM114? (Not a kubrick pun) Message-ID: <1246958359.7833.20.camel@kse> http://crm114.sourceforge.net/wiki/doku.php I'm considering trying this for spam-scanning. Just to see how it does ( and how it works for that matter). It has a spamassassin plugin so it shouldn't be to big a problem to integrate. I'm just curious whether anyone has any experience with it. With regards, Kasper From ms-list at alexb.ch Tue Jul 7 10:26:13 2009 From: ms-list at alexb.ch (Alex Broens) Date: Tue Jul 7 10:26:22 2009 Subject: Has anyone tried CRM114? (Not a kubrick pun) In-Reply-To: <1246958359.7833.20.camel@kse> References: <1246958359.7833.20.camel@kse> Message-ID: <4A5314B5.1050605@alexb.ch> On 7/7/2009 11:19 AM, Kasper Sacharias Eenberg wrote: > http://crm114.sourceforge.net/wiki/doku.php > > I'm considering trying this for spam-scanning. Just to see how it does > ( and how it works for that matter). > > It has a spamassassin plugin so it shouldn't be to big a problem to > integrate. I'm just curious whether anyone has any experience with it. > > With regards, > Kasper FYI: http://wiki.mailscanner.info/doku.php?id=documentation:anti_spam:spamassassin:plugins:crm114 From prandal at herefordshire.gov.uk Tue Jul 7 10:30:21 2009 
From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Tue Jul 7 10:30:39 2009 Subject: Has anyone tried CRM114? (Not a kubrick pun) In-Reply-To: <1246958359.7833.20.camel@kse> References: <1246958359.7833.20.camel@kse> Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA0729FE08@HC-MBX02.herefordshire.gov.uk> See http://wiki.mailscanner.info/doku.php?id=documentation:anti_spam:spamass assin:plugins:crm114 Cheers, Phil -- Phil Randal | Networks Engineer Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division Thorn Office Centre, Rotherwas, Hereford, HR2 6JT Tel: 01432 260160 email: prandal@herefordshire.gov.uk Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Herefordshire Council. This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it. -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Kasper Sacharias Eenberg Sent: 07 July 2009 10:19 To: mailscanner@lists.mailscanner.info Subject: Has anyone tried CRM114? (Not a kubrick pun) http://crm114.sourceforge.net/wiki/doku.php I'm considering trying this for spam-scanning. Just to see how it does ( and how it works for that matter). It has a spamassassin plugin so it shouldn't be to big a problem to integrate. I'm just curious whether anyone has any experience with it. With regards, Kasper -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From paulo-m-roncon at ptinovacao.pt Tue Jul 7 13:03:31 2009 From: paulo-m-roncon at ptinovacao.pt (Paulo Roncon) Date: Tue Jul 7 13:05:00 2009 Subject: Memory optimizations In-Reply-To: <200907070626.n676OavX020742@safir.blacknight.ie> References: <200907070626.n676OavX020742@safir.blacknight.ie> Message-ID: Message: 7 Date: Mon, 06 Jul 2009 14:05:57 +0100 From: Steve Freegard Subject: Re: Memory optimizations To: MailScanner discussion Message-ID: <4A51F6B5.5020704@fsl.com> Content-Type: text/plain; charset=KOI8-R Paulo Roncon wrote: > - milter-greylist - memory used: 4G Surely that can't be right?!? - memory leak? Regards, Steve. The milter-greylist is using right now : VZM: 4188580 RSS: 1846244 %MEM: 11.2 %CPU: 0.9 Thats the value that ps aux returns... From paulo-m-roncon at ptinovacao.pt Tue Jul 7 13:09:31 2009 
From: paulo-m-roncon at ptinovacao.pt (Paulo Roncon) Date: Tue Jul 7 13:12:00 2009 Subject: MailScanner Digest, Vol 43, Issue 8 In-Reply-To: <200907070626.n676OavX020742@safir.blacknight.ie> References: <200907070626.n676OavX020742@safir.blacknight.ie> Message-ID: My timeout in milter-greylist is 2d. Should I change that to a shorter value? What would be the downside? My greylist.db: 5615880 records 5583683 greylisted 32197 whitelisted Size: 444MB Re: Memory optimizations To: MailScanner discussion Message-ID: <7d9b3cf20907061003see31b6bt3ec8bbf3ca4c6dfa@mail.gmail.com> Content-Type: text/plain; charset="iso-8859-1" this is my conf in milter-greylist lazyaw dumpfreq 86400 dump_no_time_translation *timeout 5h* especially timeout 5h saves a lot of ram! 2009/7/6 Gary Faith > I think that is very high. My milter-greylist is about 39MB. > > Gary > > >>> Steve Freegard 7/6/2009 9:05 AM >>> > > Paulo Roncon wrote: > > - milter-greylist - memory used: 4G > > Surely that can't be right?!? - memory leak? > > Regards, > Steve. > -- From alex at rtpty.com Tue Jul 7 17:05:44 2009 
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Tue Jul 7 17:06:00 2009 Subject: Has anyone tried CRM114? (Not a kubrick pun) In-Reply-To: <4A5314B5.1050605@alexb.ch> References: <1246958359.7833.20.camel@kse> <4A5314B5.1050605@alexb.ch> Message-ID: The link: http://fr.rpmfind.net/linux/fedora/extras/development/SRPMS/crm114-0-0.4.20070301.fc7.src.rpm Doesn't work. Anybody up to fixing it? :D On Jul 7, 2009, at 4:26 AM, Alex Broens wrote: > On 7/7/2009 11:19 AM, Kasper Sacharias Eenberg wrote: >> http://crm114.sourceforge.net/wiki/doku.php >> I'm considering trying this for spam-scanning. Just to see how it >> does >> ( and how it works for that matter). >> It has a spamassassin plugin so it shouldn't be to big a problem to >> integrate. I'm just curious whether anyone has any experience with >> it. >> With regards, >> Kasper > > > FYI: http://wiki.mailscanner.info/doku.php?id=documentation:anti_spam:spamassassin:plugins:crm114 > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! -- Alex Neuman van der Hans Reliant Technologies +507 6781-9505 +507 202-1525 alex@rtpty.com Skype: alexneuman From john at tradoc.fr Tue Jul 7 17:31:15 2009 
From: john at tradoc.fr (John Wilcock)
Date: Tue Jul 7 17:31:25 2009
Subject: Has anyone tried CRM114? (Not a kubrick pun)
In-Reply-To: <4A5314B5.1050605@alexb.ch>
References: <1246958359.7833.20.camel@kse> <4A5314B5.1050605@alexb.ch>
Message-ID: <4A537853.2050200@tradoc.fr>

On 07/07/2009 11:26, Alex Broens wrote:
> FYI:
> http://wiki.mailscanner.info/doku.php?id=documentation:anti_spam:spamassassin:plugins:crm114

But is it a *worthwhile* addition to a MailScanner/SpamAssassin system?

John.

--
-- Over 3000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages - www.tradoc.fr

From alex at rtpty.com Tue Jul 7 17:52:53 2009
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Tue Jul 7 17:53:07 2009
Subject: Has anyone tried CRM114? (Not a kubrick pun)
In-Reply-To: <4A537853.2050200@tradoc.fr>
References: <1246958359.7833.20.camel@kse> <4A5314B5.1050605@alexb.ch> <4A537853.2050200@tradoc.fr>
Message-ID: <5D4588B8-F638-4E27-8E04-518E28A24BB5@rtpty.com>

I managed to follow the wiki tutorial with this RPM:

wget http://redhat.sorbonne.fr/CentOS-5/epel/i386/crm114-0-0.4.20080703.el5.i386.rpm

I'll let you know if I find anything.

On Jul 7, 2009, at 11:31 AM, John Wilcock wrote:
> On 07/07/2009 11:26, Alex Broens wrote:
>> FYI:
>> http://wiki.mailscanner.info/doku.php?id=documentation:anti_spam:spamassassin:plugins:crm114
>
> But is it a *worthwhile* addition to a MailScanner/SpamAssassin
> system?
>
> John.
>
> --
> -- Over 3000 webcams from ski resorts around the world - www.snoweye.com
> -- Translate your technical documents and web pages - www.tradoc.fr
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

--
Alex Neuman van der Hans
Reliant Technologies
+507 6781-9505
+507 202-1525
alex@rtpty.com
Skype: alexneuman

From glenn.steen at gmail.com Wed Jul 8 00:06:57 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Jul 8 00:07:11 2009
Subject: Files being blocked despite configuration changes
In-Reply-To:
References: <223f97700906271554w18888111k1ca8a0cc6aed27e2@mail.gmail.com>
Message-ID: <223f97700907071606t3712d124x70fc25b0ec506f7c@mail.gmail.com>

2009/7/6 Kaplan, Andrew H. :
> Hi there --
>
> Thanks for your reply, and my apologies for not getting back to you sooner. I was
> on vacation last week. I had a question on how would I go about implementing

Hi Andrew,

I'm on a rather less than relaxing vacation myself (helping a relative repanel&paint a rather huge economy building (double garage, old carpentry shop (kind of late 19-th century design), wood shed, etc etc... The darned thing measures about 25x8 meters and is about 10 m high)), so ... I'll try to shift from hammers and nails to MS:-)

> your
> suggested "file -i" method. Would it be simply a matter of adding an argument
> to the /etc/init.d/MailScanner and/or /etc/sysconfig/MailScanner files, or is
> there another suggested method?

All you should need do, IIRC is to change the File Command setting in MailScanner.conf, and perhaps look at/amend a few things in the filetype.rules conf file (don't remember exactly). Some find that the shift to mimetype detection becomes a bit too permissive (letting some executables past...), so you should test it as thoroughly as possible. Rather recently some kind soul posted a diff, to this list, for removing the troublesome one-byte magics... That you might be able to use, instead of switching to file -i.

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen
> Sent: Saturday, June 27, 2009 6:54 PM
> To: MailScanner discussion
> Subject: Re: Files being blocked despite configuration changes
>
> 2009/6/26 Kaplan, Andrew H. :
>>
>> Hi there --
>>
>> I received a request to have .dat files be allowed through our mail server.
>> Files of this type
>> were normally sent to quarantine with an e-mail notification report stating
>> the following:
>>
>> Report: MailScanner: No programs allowed (set.dat)
>> Report: MailScanner: No programs allowed (set.dat)
>>
>> I reconfigured the filename.rules.conf and filetype.rules.conf files to
>> allow the above file
>> types to pass through without problem. Listed below are the syntaxes from
>> each of the
>> configuration files:
>>
>> filename.rules.conf
>> # Physics has requested that files of this type be allowed...
>> allow \.dat$
>>
>> filetype.rules.conf
>> allow dat - Physics requested these be
>> allowed
>>
>> Once these changes were made, MailScanner along with the mailserver,
>> Sendmail, were
>> restarted via the /etc/init.d/MailScanner script. There were no failed
>> messages appearing
>> on-screen when this occurred.
>>
>> The problem is the following: even though the files in question have been
>> configured to
>> be allowed, they are still being blocked and sent to quarantine. The version
>> of MailScanner
>> is 4.72.5 while that of Sendmail is 8.14.1.
>>
>> What other steps and/or
>> corrections do I need to make in order to fix this? Thanks.
>>
> The file command doesn't know what "dat" is... It finds the "magic"
> strings/bytes that identify it as some type of executable (just run
> file on the quarantined file, if you store them, and you'll see). This
> might be due to the file actually being an executable, or accidentally
> triggering one of the more optimistic one-byte-magics ... in which
> case you either face editing/recompiling your magic file, or switching
> to "file -i" for file type purposes. The latter might be best.
>
> Cheers

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Wed Jul 8 00:21:09 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Jul 8 00:21:24 2009
Subject: semi OT : Broken mail headers caused by Antivirus or Mail Client ?
In-Reply-To: <4A52C3D6.8090203@variegate.biz>
References: <4A52C3D6.8090203@variegate.biz>
Message-ID: <223f97700907071621t1abfb5cav4e800627005ceb90@mail.gmail.com>

2009/7/7 Mohd Hafiz Ramly :
> Hi List,
> I have posted an issue earlier regarding "MailScanner: Could not analyze message"
> More info can be found here : http://www.bluequartz.us/phpBB2/viewtopic.php?t=93948&sid=83856caba40a9dbd1211fc82334ab118
> Further investigation on the issue, I found that the problematic mail is caused by broken mail headers (not sure if I get this term right).
> Inspecting the quarantine mail in MailScanner reveals that Content-Type has randomly misspelled or missing in some words.
> Example 1 :
> Content-Type: multipart/related;
>         bary="----=neXtPaRt_1244707265"
> The correct headers would be :
> Content-Type: multipart/related;
>         boundary="----=neXtPaRt_1244707265"
> Example 2:
> Content-Type: multipart/alternaboundary="----=neXtPaRt_1245338959"
> The correct headers would be :
> Content-Type: multipart/alternative;boundary="----=neXtPaRt_1245338959"
> Example 3:
> Content-Type: multipart/alternative;
>         boundarneXtPaRt_1246674293"
> The correct headers would be :
> Content-Type: multipart/alternative;
>         boundary="----=neXtPaRt_1246674293"
> Using the file command in my Linux server shows the message file is good
> [root@mail1 ~]# file /var/spool/MailScanner/quarantine/20090611/0DAE9191804B.A62FD/message
> /var/spool/MailScanner/quarantine/20090611/0DAE9191804B.A62FD/message: RFC 822 mail text
> [root@mail1 ~]# file -i /var/spool/MailScanner/quarantine/20090611/0DAE9191804B.A62FD/message
> /var/spool/MailScanner/quarantine/20090611/0DAE9191804B.A62FD/message: message/rfc822
> So I decided to edit the quarantine message file and fixed the headers to the correct entry and the mail went through just fine.
> MailScanner did not complain about anything.
> [root@mail1 ~]# sendmail -toi < /var/spool/MailScanner/quarantine/20090611/0DAE9191804B.A62FD/message
> I notice the client uses Outlook 11, Outlook Express 6 and SquirrelMail 1.4.10a as their mail editor.
> And all of those mails are scanned using FortiGuard antivirus.
> So what actually caused the mail headers to be broken ?
> Is it caused by the mail client or might it be the antivirus at the client's end ?
> My guess is it could be caused by FortiGuard antivirus software which scans outgoing mail on clients' PCs.

You could enable the Archive Mail feature. That way you can see the messages as they were before MailScanner touches them at all. If the "problematic ones" are mangled there, you can be pretty sure that something between the sender and you is the culprit. You don't seem to do any "before" filters (PF style), nor milters... Right?

> Anyone had this similar issue before ?

Not really, no.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Wed Jul 8 00:36:35 2009
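The damaged Content-Type headers quoted in the message above can be found mechanically, in quarantined or archived copies, before anyone edits files by hand. The following is an added example, not part of the original thread and not MailScanner code; the function names and the sample messages are constructed for illustration, with the header values taken from the three examples in the post.

```python
import re
import sys
from email.parser import BytesHeaderParser

# RFC 2045 "token": printable ASCII minus space, controls and tspecials.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
MEDIA_TYPE_RE = re.compile(TOKEN + "/" + TOKEN)
# RFC 2046 boundary: 1 to 70 "bchars", and the last one may not be a space.
BOUNDARY_RE = re.compile(r"[0-9A-Za-z'()+_,\-./:=? ]{0,69}[0-9A-Za-z'()+_,\-./:=?]")

# Constructed samples: the three damaged headers quoted in the thread and one
# repaired header, each wrapped in a minimal message.
SAMPLES = {
    "example 1": b"Subject: t\nContent-Type: multipart/related;\n"
                 b'\tbary="----=neXtPaRt_1244707265"\n\nbody\n',
    "example 2": b"Subject: t\nContent-Type: "
                 b'multipart/alternaboundary="----=neXtPaRt_1245338959"\n\nbody\n',
    "example 3": b"Subject: t\nContent-Type: multipart/alternative;\n"
                 b'\tboundarneXtPaRt_1246674293"\n\nbody\n',
    "repaired": b"Subject: t\nContent-Type: multipart/alternative;\n"
                b'\tboundary="----=neXtPaRt_1246674293"\n\nbody\n',
}


def audit_content_type(raw_message):
    """Return a list of findings for the Content-Type header (empty = sane)."""
    msg = BytesHeaderParser().parsebytes(raw_message)  # headers only
    value = msg.get("Content-Type")
    if value is None:
        return []  # an absent header simply defaults to text/plain
    findings = []

    # Everything before the first ';' must be a clean "type/subtype" pair.
    media_type = " ".join(str(value).split(";", 1)[0].split())
    if not MEDIA_TYPE_RE.fullmatch(media_type):
        findings.append("media type %r is not a valid type/subtype" % media_type)
    if not media_type.lower().startswith("multipart/"):
        return findings  # boundary rules only apply to multipart types

    # get_params() returns (name, unquoted value) pairs; the first entry is
    # the media type itself, so skip it.
    params = msg.get_params(header="content-type")[1:]
    for name, val in params:
        if val == "":
            findings.append("parameter %r has no value" % name)

    boundary = dict(params).get("boundary")
    if boundary is None:
        seen = ", ".join(name for name, _ in params) or "none"
        findings.append(
            "multipart type without a boundary parameter (parameters seen: %s)" % seen
        )
    elif not BOUNDARY_RE.fullmatch(boundary):
        findings.append("boundary %r is not a valid RFC 2046 boundary" % boundary)
    return findings


def main(paths):
    """Audit the given message files, or the built-in samples if none given.

    Returns the number of messages with at least one finding.
    """
    if paths:
        items = []
        for path in paths:
            with open(path, "rb") as fh:
                items.append((path, fh.read()))
    else:
        items = list(SAMPLES.items())
    bad = 0
    for label, raw in items:
        findings = audit_content_type(raw)
        bad += bool(findings)
        print("%s: %s" % (label, "; ".join(findings) or "ok"))
    return bad


if __name__ == "__main__":
    sys.exit(1 if main(sys.argv[1:]) else 0)
```

Run against copies saved before any content scanner has touched them, the same check shows whether the damage is already present when the mail arrives.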
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Jul 8 00:36:57 2009
Subject: Memory optimizations
In-Reply-To:
References: <200907070626.n676OavX020742@safir.blacknight.ie>
Message-ID: <223f97700907071636k5defd1a0nce37fce87b6173a2@mail.gmail.com>

2009/7/7 Paulo Roncon :
> Message: 7
> Date: Mon, 06 Jul 2009 14:05:57 +0100
> From: Steve Freegard
> Subject: Re: Memory optimizations
> To: MailScanner discussion
> Message-ID: <4A51F6B5.5020704@fsl.com>
> Content-Type: text/plain; charset=KOI8-R
>
> Paulo Roncon wrote:
>> - milter-greylist - memory used: 4G
>
> Surely that can't be right?!? - memory leak?
>
> Regards,
> Steve.
>
>
> The milter-greylist is using right now :
> VZM: 4188580
> RSS: 1846244
> %MEM: 11.2
> %CPU: 0.9
> That's the value that ps aux returns...
>

Why are you doing this? You are not swapping, report nothing that really seems to be ... over the top (except perhaps the greylist thing)... Do you have any serious problem, or is it just a case of "that figure seems high...."?:-)

Having asked that, the RSS for the greylist thing is rather hefty.... Do you use any kind of "trending" tool, to be able to determine when things started going south with that one?

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Wed Jul 8 00:39:13 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Jul 8 00:39:22 2009
Subject: MailScanner Digest, Vol 43, Issue 8
In-Reply-To:
References: <200907070626.n676OavX020742@safir.blacknight.ie>
Message-ID: <223f97700907071639p7ef5ed75s17fbd823ae96314@mail.gmail.com>

2009/7/7 Paulo Roncon :
>
> My timeout in milter-greylist is 2d. Should I change that to a shorter value? What would be the downside?

You'd "punish" some a bit more often, is all.

> My greylist.db:
> 5615880 records
> 5583683 greylisted
> 32197 whitelisted
> Size: 444MB

ho-hum.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Wed Jul 8 00:45:36 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Jul 8 00:45:45 2009
Subject: Has anyone tried CRM114? (Not a kubrick pun)
In-Reply-To: <4A537853.2050200@tradoc.fr>
References: <1246958359.7833.20.camel@kse> <4A5314B5.1050605@alexb.ch> <4A537853.2050200@tradoc.fr>
Message-ID: <223f97700907071645p4c9c7567pd83faff3c0e584c1@mail.gmail.com>

2009/7/7 John Wilcock :
> On 07/07/2009 11:26, Alex Broens wrote:
>>
>> FYI:
>>
>> http://wiki.mailscanner.info/doku.php?id=documentation:anti_spam:spamassassin:plugins:crm114
>
> But is it a *worthwhile* addition to a MailScanner/SpamAssassin system?
>
> John.
>

I implemented it way back when the wiki page got written... Had to score it down severely, or it'd totally massacre any regular SA scoring. I find it needs a fair bit of training, and ... to me/my setup... it adds little->no real value. Others will likely swear by it (not at it:-). It hasn't riled me enough (like FuzzyOcr did, on occasion) to get rid of it... yet.:-)

All in all... YMMV

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From hafiz at variegate.biz Wed Jul 8 02:47:10 2009
From: hafiz at variegate.biz (Mohd Hafiz Ramly) Date: Wed Jul 8 02:47:26 2009 Subject: semi OT : Broken mail headers caused by Antivirus or Mail Client ? In-Reply-To: <223f97700907071621t1abfb5cav4e800627005ceb90@mail.gmail.com> References: <4A52C3D6.8090203@variegate.biz> <223f97700907071621t1abfb5cav4e800627005ceb90@mail.gmail.com> Message-ID: <4A53FA9E.6080904@variegate.biz> An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090708/39583313/attachment.html -------------- next part -------------- A non-text attachment was scrubbed... Name: bronze-SHADOW.png Type: image/png Size: 2874 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090708/39583313/bronze-SHADOW.png From MailScanner at ecs.soton.ac.uk Wed Jul 8 09:00:05 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Jul 8 09:00:47 2009 Subject: Files being blocked despite configuration changes In-Reply-To: <223f97700907071606t3712d124x70fc25b0ec506f7c@mail.gmail.com> References: <223f97700906271554w18888111k1ca8a0cc6aed27e2@mail.gmail.com> <223f97700907071606t3712d124x70fc25b0ec506f7c@mail.gmail.com> <4A545205.7030904@ecs.soton.ac.uk> Message-ID: On 08/07/2009 00:06, Glenn Steen wrote: > 2009/7/6 Kaplan, Andrew H.: > >> Hi there -- >> >> Thanks for your reply, and my apologies for not getting back you sooner. I was >> on vacation last week. I had a question on how would I go about implementing >> > Hi Andrew, > > I'm on a rather less that relaxing vacation myself (helping a relative > repanel&paint a rather huge economy building (double garage, old > carpentry shop (kind of late 19-th centuy design), wood shed, etc > etc... The darned thing measures about 25x8 meters and is about 10 m > high)), so ... I'll try shift from hammers and nails to MS:-) > > >> your >> suggested "file -i" method. Would it be simply a matter of adding an argument >> to the /etc/init.d/MailScanner and/or /etc/sysconfig/MailScanner files, or is >> there another suggested method? >> > All you should need do, IIRC is to change the File Command setting in > MailScanner.conf, and perhaps look at/amend a few things in the > filetype.rules conf file (don't remember exactly). Some find that the > shift to mimetype detection become a bit too permissive (letting some > executables past...), so you should test it as thoroughly as possible. > Rather recently some kind soul posted a diff, to this list, for > removing the troublesome one-byte magics... That you might be able to > use, instead of switching to file -i. > You shouldn't have to edit anything except filetype.rules.conf, MIME type detection is already built into that, just read the comments at the top of that file. > >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen >> Sent: Saturday, June 27, 2009 6:54 PM >> To: MailScanner discussion >> Subject: Re: Files being blocked despite configuration changes >> >> 2009/6/26 Kaplan, Andrew H.: >> >>> Hi there -- >>> >>> I received a request to have .dat files be allowed through our mail server. >>> Files of this type >>> were normally sent to quarantine with an e-mail notification report stating >>> the following: >>> >>> Report: MailScanner: No programs allowed (set.dat) >>> Report: MailScanner: No programs allowed (set.dat) >>> >>> I reconfigured the filename.rules.conf and filetype.rules.conf files to >>> allow the above file >>> types to pass through without problem. Listed below are the syntaxes from >>> each of the >>> configuration files: >>> >>> filename.rules.conf >>> # Physics has requested that files of this type be allowed... >>> allow \.dat$ >>> >>> filetype.rules.conf >>> allow dat - Physics requested these be >>> allowed >>> >>> Once these changes were made, MailScanner along with the mailserver, >>> Sendmail, were >>> restarted via the /etc/init.d/MailScanner script. There were no failed >>> messages appearing >>> on-screen when this occurred. >>> >>> The problem is the following: even though the files in question have been >>> configured to >>> be allowed, they are still being blocked and sent to quarantine. The version >>> of MailScanner >>> is 4.72.5 while that of Sendmail is 8.14.1. >>> >>> What other steps and/or >>> corrections do I need to make in order to fix this? Thanks. >>> >>> >> The file command doesn't know what "dat" is... It finds the "magic" >> strings/bytes that identify it as some type of executable (just run >> file on the quarantined file, if you store them, and you'll see). This >> might be due to the file actually being an executable, or accidentally >> triggering one of the more optimistic one-byte-magics ... 
in which >> case you either face editing/recompiling your magic file, or switching >> to "file -i" for file type purposes. The latter might be best. >> >> Cheers >> > Cheers > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From shprahi at gmail.com Wed Jul 8 10:34:26 2009 
From: shprahi at gmail.com (shprahi shprahi) Date: Wed Jul 8 10:34:37 2009 Subject: MailScanner not processing after Hold state In-Reply-To: <73025FAB-B97D-42F9-8357-BF564DD5D120@rtpty.com> References: <72cf361e0906251055u117a572eq55e93ca558772f04@mail.gmail.com> <223f97700906271525m22b72af7y7e7fd6fc9a60c01a@mail.gmail.com> <90CE99F4-B9D2-442E-AE13-35F0BC33A483@rtpty.com> <73025FAB-B97D-42F9-8357-BF564DD5D120@rtpty.com> Message-ID: Hi, Find the details CPU : Xeon 2.8GHz Disk 150GB x2 (RAID 1) scsci Using Razor,Pyzor,DCC, RBL checks at MTA level Using SURBL, Using Policyd Using Clamavmodule Also like to know Is there a way to get mailscanner logs in more detailed way like x-spam-status and all in the log so that it will be easy OR is there script for the same. Also I am confused between spamassassin+Mailscanner and spamc and spamd as I read in some of the blogs spamd has different logging system where we can do lot of analysis ,Is it possible to have the same here. Thanks, Shprahi On Mon, Jul 6, 2009 at 8:27 PM, Alex Neuman van der Hans wrote: > There is A LOT of input required from your side. > > For example, you say your machine has 2Gb RAM. What CPU? How are the disks > configured? Have you tried any other optimizations? What spamassassin rules > have you added besides the original? Are you using pyzor/razor/dcc? Are you > using clamav? Other scanners? Are you using clamd instead of clamav or > clamavmodule? Are you running any milters? Are you using RBL's to ease the > load? > > On Jul 6, 2009, at 7:25 AM, shprahi shprahi wrote: > > And found this is the latest stable.Let me know any further input required >> from my side. 
>> > > > > -- > Alex Neuman van der Hans > Reliant Technologies > +507 6781-9505 > +507 202-1525 > alex@rtpty.com > Skype: alexneuman > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090708/dfcbc900/attachment.html From uxbod at splatnix.net Wed Jul 8 10:50:46 2009 From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Wed Jul 8 10:51:03 2009 Subject: MailScanner not processing after Hold state In-Reply-To: Message-ID: <28115056.1461247046646396.JavaMail.root@office.splatnix.net> > Using Clamavmodule > > Also like to know Is there a way to get mailscanner logs in more detailed way like x-spam-status and all in the log so that it will be easy OR is there script for the same. http://mailwatch.sourceforge.net/doku.php Best Regards, -- SplatNIX IT Services :: Innovation through collaboration From m.anderlini at database.it Wed Jul 8 13:35:32 2009 
From: m.anderlini at database.it (Marcello Anderlini)
Date: Wed Jul 8 13:36:07 2009
Subject: Suddenly mailscanner not delivers some email
Message-ID: <2FA349F95CF3644FAFC92070E642EB6AE663E4@beta.dbdomain.database.it>

Hello guys, I'm running a mailscanner-4.58.9-1 with spamassassin-3.2.5-1.el4 on a CentOS release 4.7 (Final).

I know that mailscanner is quite old but it was running pretty well till this morning at 6 when suddenly some msg in mqueue.in are not delivered to mqueue.

I have not made any changes to configuration or updated.

This is just an example of a message that continues to be processed but remains in mqueue.in and it's not delivered.

====================================
Jul 8 14:26:03 netra MailScanner[24864]: Expanding TNEF archive at /var/spool/MailScanner/incoming/24864/n6842QXr027404/winmail.dat
Jul 8 14:26:03 netra MailScanner[24864]: Message n6842QXr027404 added TNEF contents image0011.gif,msg-24864-21.txt,ATT000011,msg-24864-11.txt
Jul 8 14:26:03 netra MailScanner[24864]: Message n6842QXr027404 has had TNEF winmail.dat removed
Jul 8 14:26:04 netra MailScanner[24038]: SpamAssassin cache hit for message n6842QXr027404
Jul 8 14:26:04 netra MailScanner[24038]: Message n6842QXr027404 from 91.208.169.155 () to yeshotels.it is non spam, SpamAssassin (cached, punteggio=-0.512, necessario 5, ANY_BOUNCE_MESSAGE 0.10, BAD_ENC_HEADER 1.81, BAYES_00 -2.60, BOUNCE_MESSAGE 0.10, TW_SR 0.08)
====================================

Could someone help me?

Thanks a lot.

Dr. Marcello Anderlini
m.anderlini@database.it
---------------------------------------------
Database Informatica S.r.l.
Microsoft Certified Partner
Tel. +39059775070
Fax. +39059779545
http://www.database.it
---------------------------------------------

--
Message checked by the Database Informatica antivirus service

From steve.freegard at fsl.com Wed Jul 8 13:44:56 2009
From: steve.freegard at fsl.com (Steve Freegard)
Date: Wed Jul 8 13:45:07 2009
Subject: Suddenly mailscanner not delivers some email
In-Reply-To: <2FA349F95CF3644FAFC92070E642EB6AE663E4@beta.dbdomain.database.it>
References: <2FA349F95CF3644FAFC92070E642EB6AE663E4@beta.dbdomain.database.it>
Message-ID: <4A5494C8.6050905@fsl.com>

Hi Marcello,

Do a 'service MailScanner start'; then run 'MailScanner --debug' - most likely MailScanner is crashing before it reaches the end of the batch.

Regards,
Steve.

From m.anderlini at database.it Wed Jul 8 14:30:17 2009
From: m.anderlini at database.it (Marcello Anderlini)
Date: Wed Jul 8 14:30:37 2009
Subject: R: Suddenly mailscanner not delivers some email
In-Reply-To: <4A5494C8.6050905@fsl.com>
References: <2FA349F95CF3644FAFC92070E642EB6AE663E4@beta.dbdomain.database.it> <4A5494C8.6050905@fsl.com>
Message-ID: <01C9C034809D4932B493B768389D9BEF@dbdomain.database.it>

It seems it's been solved by deleting the messages of the examples and some other messages similar to it.

I still cannot figure what was the reason.

Thanks a lot for your kind answer. I'll re-use your help if (I hope not) it happens again.

Best regards and sorry for my worst English.

Dr. Marcello Anderlini
m.anderlini@database.it

From shprahi at gmail.com Wed Jul 8 14:42:57 2009
From: shprahi at gmail.com (shprahi shprahi)
Date: Wed Jul 8 14:43:08 2009
Subject: MailScanner not processing after Hold state
In-Reply-To: <28115056.1461247046646396.JavaMail.root@office.splatnix.net>
References: <28115056.1461247046646396.JavaMail.root@office.splatnix.net>
Message-ID:

Sorry, forgot to mention I am using that too.

But not getting results; like sometimes I get not cached, then I have to look into the raw log, even finding difficulties. Something which can give more elaborate logs, like some applications will be having levels of logs 1,2,34..

Even mailscanner --debug will not be useful all the time.

Thanks,
Shprahi

From seven at seven.dorksville.net Thu Jul 9 08:04:01 2009
From: seven at seven.dorksville.net (Anthony Giggins)
Date: Thu Jul 9 08:04:27 2009
Subject: Anti-Phishing Update -- New data feed
In-Reply-To: <6beca9db0907030052i67301238i52488f82306d6662@mail.gmail.com>
References: <4A3B957C.40902@USherbrooke.ca> <4A3CEB10.70504@ecs.soton.ac.uk> <4A3F7911.6050208@USherbrooke.ca> <32390.125.168.254.15.1246324547.squirrel@seven.dorksville.net> <4A4A2B2C.3070104@ecs.soton.ac.uk> <65088.125.168.254.15.1246581870.squirrel@seven.dorksville.net> <6beca9db0907030052i67301238i52488f82306d6662@mail.gmail.com>
Message-ID: <20858.125.168.254.15.1247123041.squirrel@seven.dorksville.net>

ok got it.

Can someone provide me a sample rule action that would delete items that match this rule?

Sorry I'm really lost on this one.

Cheers,

Anthony

> Hi,
>
> It's a setting in the MailScanner.conf - search for the name and you
> will find it.
>
> mvh
>
> On Fri, Jul 3, 2009 at 2:44 AM, Anthony Giggins wrote:
>> Sorry where do I add the "SpamAssassin Rule Actions"?
>>
>> Cheers,
>>
>> Anthony
>>
>>> At the bottom of the ruleset is the huge "meta" rule that combines them
>>> all. Look for that rule scoring a hit in your mail logs, if you have
>>> "Log Spam = yes" in MailScanner.conf.
>>> And you will obviously need a "SpamAssassin Rule Actions" set to
>>> trigger deletion/quarantining if this rule hits, or nothing will happen
>>> when the rule hits.
>>>
>>> Jules.
>>>
>>> On 30/06/2009 02:15, Anthony Giggins wrote:
>>>>> Thanks!
>>>>>
>>>>> Denis
>>>>> Julian Field wrote:
>>>>>
>>>>>> Check out the new version 2.04. It supports --quiet and --help.
>>>>>>
>>>> Silly question, how can I tell if this is helping phishing detection
>>>> or not?
>>>>
>>>> Cheers,
>>>>
>>>> Anthony

From mark at msapiro.net Thu Jul 9 15:39:17 2009
From: mark at msapiro.net (Mark Sapiro)
Date: Thu Jul 9 15:39:35 2009
Subject: Anti-Phishing Update -- New data feed
In-Reply-To: <200907091100.n69B03Dg032152@safir.blacknight.ie>
References: <200907091100.n69B03Dg032152@safir.blacknight.ie>
Message-ID:

Anthony Giggins wrote:
>
> Can someone provide me a sample rule action that would delete items that
> match this rule?

I use a ruleset. in MailScanner.conf, I have

SpamAssassin Rule Actions = %rules-dir%/spamassassin_rule_actions.rules

and in rules/spamassassin_rule_actions.rules I have things like

To: /[@.]example.(org|net)$/ JKF_ANTI_PHISH=>

to ignore the rule hit for the example.org and example.net domains and

FromOrTo: default JKF_ANTI_PHISH=>store,not-deliver,forward xxx+phish@example.com,header "X-MailScanner-Originally-To: _TO_"

(all on one line) to store the message, not deliver it, forward it and add a header with the original To:

If you wanted to apply this action to all messages, you could have just

SpamAssassin Rule Actions = JKF_ANTI_PHISH=>store,not-deliver,forward xxx+phish@example.com,header "X-MailScanner-Originally-To: _TO_"

(all on one line) in MailScanner.conf.

Note that JKF_ANTI_PHISH is the name of the meta rule generated by Jules script.

--
Mark Sapiro                             The highway is for gamblers,
San Francisco Bay Area, California      better use your sense - B. Dylan

From izghitu at gmail.com Sat Jul 11 14:17:30 2009
From: izghitu at gmail.com (George)
Date: Sat Jul 11 14:17:39 2009
Subject: zip archive with multiple extensions
Message-ID: <948a6d890907110617l5f9dd506g7b7e823898125f5a@mail.gmail.com>

Hi,

Whenever someone sends me an email with an extension like:
Axon.CloseUP.CSSandImages.zip
it gets blocked.

What is the rule to allow such zip archives?

Please advise

Thanks

From MailScanner at ecs.soton.ac.uk Sat Jul 11 14:45:48 2009
From: MailScanner at ecs.soton.ac.uk (Jules Field)
Date: Sat Jul 11 14:46:09 2009
Subject: zip archive with multiple extensions
In-Reply-To: <948a6d890907110617l5f9dd506g7b7e823898125f5a@mail.gmail.com>
References: <948a6d890907110617l5f9dd506g7b7e823898125f5a@mail.gmail.com> <4A58978C.2020109@ecs.soton.ac.uk>
Message-ID:

On 11/07/2009 14:17, George wrote:
> Hi,
>
> Whenever someone sends me an email with an extension like:
> Axon.CloseUP.CSSandImages.zip
> it gets blocked.
>
> What is the rule to allow such zip archives?
>
With a second extension that long, it should get through anyway.

You can always add an "allow" line to filename.rules.conf to allow *.zip files if you like

allow	\.zip$	-	-

with each of the 4 fields of that line separated by tab characters, not spaces.

Put it near the top of the filename.rules.conf file and then "service MailScanner reload" to make it re-read the config immediately.

But I would check your maillog to see exactly why it got blocked first, it may not be that simple a reason!

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info

From steve.swaney at fsl.com Sat Jul 11 14:50:25 2009
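Why "put it near the top" matters, as an added example that is not MailScanner's own code: a small evaluator for a filename.rules.conf-style file, assuming rules are tried top-down and the first matching pattern decides. The deny rule, both rule files and the function names are constructed for illustration; only the `allow \.zip$ - -` line and the filename come from the thread.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    lineno: int
    action: str        # only "allow" and "deny" are modelled here
    pattern: "re.Pattern"
    log_text: str
    user_text: str


def parse_rules(text: str) -> Tuple[List[Rule], List[Tuple[int, str]]]:
    """Parse rule lines of 4 TAB-separated fields; return (rules, errors)."""
    rules, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = re.split(r"\t+", line.strip())
        if len(fields) != 4:
            # Typical cause: the fields were typed with spaces instead of tabs.
            errors.append((lineno, "expected 4 tab-separated fields, got %d"
                           % len(fields)))
            continue
        action, pattern, log_text, user_text = fields
        if action not in ("allow", "deny"):
            errors.append((lineno, "unknown action %r" % action))
            continue
        try:
            # Assumption: filenames are matched case-insensitively.
            compiled = re.compile(pattern, re.IGNORECASE)
        except re.error as exc:
            errors.append((lineno, "bad pattern: %s" % exc))
            continue
        rules.append(Rule(lineno, action, compiled, log_text, user_text))
    return rules, errors


def first_match(rules: List[Rule], filename: str) -> Optional[Rule]:
    """Return the first rule whose pattern matches, or None."""
    for rule in rules:
        if rule.pattern.search(filename):
            return rule
    return None


def verdict(text: str, filename: str) -> Optional[str]:
    """Action of the deciding rule, or None when no rule matches."""
    rules, _ = parse_rules(text)
    hit = first_match(rules, filename)
    return hit.action if hit else None


# Constructed rule files: same two rules, different order.
DENY = "deny\t\\.[a-z]+\\.[a-z]+\\.zip$\tMulti-dot archive\tArchive name has several dots\n"
ALLOW = "allow\t\\.zip$\t-\t-\n"
ALLOW_LAST = "# constructed example\n" + DENY + ALLOW
ALLOW_FIRST = "# constructed example\n" + ALLOW + DENY

NAME = "Axon.CloseUP.CSSandImages.zip"   # filename from the thread

if __name__ == "__main__":
    for label, text in (("allow last", ALLOW_LAST), ("allow first", ALLOW_FIRST)):
        print(label, "->", verdict(text, NAME))
    print(parse_rules("allow \\.zip$ - -\n")[1])   # spaces instead of tabs
```
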
From: steve.swaney at fsl.com (Stephen Swaney)
Date: Sat Jul 11 14:50:39 2009
Subject: zip archive with multiple extensions
In-Reply-To: <948a6d890907110617l5f9dd506g7b7e823898125f5a@mail.gmail.com>
References: <948a6d890907110617l5f9dd506g7b7e823898125f5a@mail.gmail.com>
Message-ID: <4A5898A1.2090104@fsl.com>

George wrote:
> Hi,
>
> Whenever someone sends me an email with an extension like:
> Axon.CloseUP.CSSandImages.zip
> it gets blocked.
>
> What is the rule to allow such zip archives?
>
> Please advise
>
> Thanks
>

What do the mail logs show as the reason the message was blocked?

Best regards,

Steve

--
Steve Swaney
steve@fsl.com
www.fsl.com

The most accurate and cost effective anti-spam solutions available

From izghitu at gmail.com Sat Jul 11 15:22:49 2009
From: izghitu at gmail.com (George)
Date: Sat Jul 11 15:22:57 2009
Subject: zip archive with multiple extensions
In-Reply-To: <4A5898A1.2090104@fsl.com>
References: <948a6d890907110617l5f9dd506g7b7e823898125f5a@mail.gmail.com> <4A5898A1.2090104@fsl.com>
Message-ID: <948a6d890907110722t65bbc29cgfbdb625bf522ea00@mail.gmail.com>

Hi,

I had this rule already there. I moved it to the top of the file and it started to work.

Thanks

From frankd at iaw.on.ca Sun Jul 12 04:47:01 2009
From: frankd at iaw.on.ca (Frank DeChellis)
Date: Sun Jul 12 04:47:06 2009
Subject: Looking to hire somebody to setup mailscanner
Message-ID:

Hi,

If you are a contractor who can setup mailscanner, please contact me off the list.

Frank

Frank DeChellis
President, Internet Access Worldwide
Welland, Ontario, Canada
www.iaw.com

From bernard.lheureux at bbsoft4.org Sun Jul 12 13:55:27 2009
From: bernard.lheureux at bbsoft4.org (Bernard Lheureux)
Date: Sun Jul 12 13:55:48 2009
Subject: Tiny text only spam (semi OT)
In-Reply-To: <4A4F8F3A.8010800@skynet-srl.com>
References: <200907041100.n64B03kZ024362@safir.blacknight.ie> <4A4F8F3A.8010800@skynet-srl.com>
Message-ID: <4A59DD3F.4040100@bbsoft4.org>

Alessandro Bianchi wrote:

Gosh, they found the way to bypass this rule:

I received these this night (2 different messages containing this):

in the 1st: Can Exercise Bodost Your sex rDive?.www .za16. com
in the 2nd: Save oYur Relationship With These Amazing Secerts: www,nu26,com

Has anyone a solution to avoid these kind of spams ?

>> I believe that I have also been greatly troubled by the same
>> messages. The common thread to these messages is what I call an
>> obfuscated URL where the URL has spaces in multiple places. I created
>> a cf file in /etc/mail/spmassassin directory and wrote my first
>> spamassassin rule. It might not be the best but it is working for me.
>> Basically, the rule matches a URL that starts with www. followed by a
>> space followed by some text ending in a period like pill45. followed
>> by another space then a TLD like com, net or org. I started with a
>> small score for testing but have significantly raised the score to
>> 4.5 now.
>>
>> # Rule to find URLs with spaces
>> body ASDM_OBF_URL /www\.\s(.+?)\s[A-Za-z]{2,4}/i
>> score ASDM_OBF_URL 4.5
>> describe ASDM_OBF_URL URLs with spaces
>>
>> I haven't seen any false positives yet.
>>
>> Gary Faith
>
> Gary
>
> This one rocks!
>
> Got them one hundred per cent
>
> Thank you to all
>
> Best regards
>
> Alessandro Bianchi

From uxbod at splatnix.net Sun Jul 12 15:18:38 2009
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Sun Jul 12 15:18:53 2009
Subject: Tiny text only spam (semi OT)
In-Reply-To: <4A59DD3F.4040100@bbsoft4.org>
Message-ID: <8096743.91247408318456.JavaMail.root@office.splatnix.net>

----- "Bernard Lheureux" wrote:

> Alessandro Bianchi wrote:
> Gosh, they found the way to bypass this rule:
>
> I received these this night (2 different messages containig this):
>
> in the 1st: Can Exercise Bodost Your sex rDive?.www .za16. com
> in the 2nd: Save oYur Relationship With These Amazing Secerts:
> www,nu26,com
>
> Has anyone a solution to avoid these kind of spams ?

body URI_OBFU_XX99_WS /\bwww(?:\s\W?\s?|\W\s?)\w{1,15}\d{1,10}(?:\s\W?\s?|\W\s)(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
describe URI_OBFU_XX99_WS Space-obfuscated xxx999 URI
score URI_OBFU_XX99_WS 2.0

body __MED_BEG_SP /\bw{2,3}[[:space:]][[:alpha:]]{2,6}\d{2,6}\b/i
body __MED_BEG_PUNCT /\bw{2,3}[[:punct:]]{1,3}[[:alpha:]]{2,6}\d{2,6}\b/i
body __MED_BEG_DOT /\bw{2,3}\.[[:alpha:]]{2,6}\d{2,6}\b/i
body __MED_BEG_BOTH /\bw{2,3}[[:punct:][:space:]]{2,5}[[:alpha:]]{2,6}\d{2,6}\b/i
body __MED_END_SP /\b[[:alpha:]]{2,6}\d{2,6}[[:space:]](?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
body __MED_END_PUNCT /\b[[:alpha:]]{2,6}\d{2,6}[[:punct:]]{1,3}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
body __MED_END_DOT /\b[[:alpha:]]{2,6}\d{2,6}\.(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
body __MED_END_BOTH /\b[[:alpha:]]{2,6}\d{2,6}[[:punct:][:space:]]{2,5}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
meta AE_MED42 (__MED_BEG_SP || __MED_BEG_PUNCT || __MED_BEG_DOT || __MED_BEG_BOTH ) && (__MED_END_SP || __MED_END_PUNCT || __MED_END_DOT || __MED_END_BOTH) && ! (__MED_BEG_DOT && __MED_END_DOT )
describe AE_MED42 rule to catch still more spam obfuscation
score AE_MED42 2.0

I would highly recommend joining the knowledgeable people on the SpamAssassin list as well :)

Best Regards,

--
SplatNIX IT Services :: Innovation through collaboration

From felix.schaefer at web.de Mon Jul 13 09:10:51 2009
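A regression check for the rules posted in this thread, added here as an example and not taken from any of the posters: the patterns are copied from the messages above and run in Python over the two spam lines quoted in the thread plus two constructed lines (the "www. pill45. com" form Gary describes and an ordinary URL as a control). The Perl POSIX classes are translated to approximate Python equivalents, which is an assumption of this sketch; SpamAssassin itself evaluates these rules in Perl.

```python
import re

# ASCII punctuation ranges standing in for Perl's [[:punct:]] (approximation).
PUNCT = r"!-/:-@\[-`{-~"
TLD = r"(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)"

# Patterns as posted in the thread (Perl syntax, all used with /i).
BODY_RULES = {
    "ASDM_OBF_URL": r"www\.\s(.+?)\s[A-Za-z]{2,4}",
    "URI_OBFU_XX99_WS": r"\bwww(?:\s\W?\s?|\W\s?)\w{1,15}\d{1,10}"
                        r"(?:\s\W?\s?|\W\s)" + TLD + r"\b",
    "__MED_BEG_SP": r"\bw{2,3}[[:space:]][[:alpha:]]{2,6}\d{2,6}\b",
    "__MED_BEG_PUNCT": r"\bw{2,3}[[:punct:]]{1,3}[[:alpha:]]{2,6}\d{2,6}\b",
    "__MED_BEG_DOT": r"\bw{2,3}\.[[:alpha:]]{2,6}\d{2,6}\b",
    "__MED_BEG_BOTH": r"\bw{2,3}[[:punct:][:space:]]{2,5}[[:alpha:]]{2,6}\d{2,6}\b",
    "__MED_END_SP": r"\b[[:alpha:]]{2,6}\d{2,6}[[:space:]]" + TLD + r"\b",
    "__MED_END_PUNCT": r"\b[[:alpha:]]{2,6}\d{2,6}[[:punct:]]{1,3}" + TLD + r"\b",
    "__MED_END_DOT": r"\b[[:alpha:]]{2,6}\d{2,6}\." + TLD + r"\b",
    "__MED_END_BOTH": r"\b[[:alpha:]]{2,6}\d{2,6}[[:punct:][:space:]]{2,5}" + TLD + r"\b",
}


def to_python(perl_pattern):
    """Rewrite the POSIX classes used above into Python character-class bodies."""
    return (perl_pattern.replace("[:space:]", r"\s")
                        .replace("[:alpha:]", "A-Za-z")
                        .replace("[:punct:]", PUNCT))


COMPILED = {name: re.compile(to_python(rx), re.IGNORECASE | re.ASCII)
            for name, rx in BODY_RULES.items()}


def evaluate(text):
    """Return the set of scoring rule names that fire on one body line."""
    hit = {name: bool(rx.search(text)) for name, rx in COMPILED.items()}
    fired = {n for n, h in hit.items() if h and not n.startswith("__")}
    kinds = ("SP", "PUNCT", "DOT", "BOTH")
    beg = any(hit["__MED_BEG_" + k] for k in kinds)
    end = any(hit["__MED_END_" + k] for k in kinds)
    # meta AE_MED42: obfuscated start AND end, but not the plain dotted form.
    if beg and end and not (hit["__MED_BEG_DOT"] and hit["__MED_END_DOT"]):
        fired.add("AE_MED42")
    return fired


SAMPLES = {
    # Quoted in the thread:
    "thread_1": "Can Exercise Bodost Your sex rDive?.www .za16. com",
    "thread_2": "Save oYur Relationship With These Amazing Secerts: www,nu26,com",
    # Constructed for this example:
    "gary_form": "www. pill45. com",
    "plain_url": "Order at www.shop24.com today",
}

if __name__ == "__main__":
    for label, line in SAMPLES.items():
        print("%-10s %s" % (label, sorted(evaluate(line)) or "no hit"))
```

On these inputs the comma-separated line from the thread is caught only by AE_MED42, and the ordinary dotted URL fires nothing because of the `! (__MED_BEG_DOT && __MED_END_DOT)` term.
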
From: felix.schaefer at web.de (Felix Schäfer)
Date: Mon Jul 13 09:11:00 2009
Subject: f-secure-linux-security-7.03 doesn't work with MailScanner-4.77.10-1
Message-ID: <1013320723@web.de>

Hello,

I have a problem with most recent f-secure-linux-security-7.03 on my openSUSE 11.1 64-Bit Box with MailScanner-4.77.10-1.

Mailscanner doesn't recognise a virus (output from f-secure f-sav). Only my installed clam-av detects the eicar test virus.
If necessary I can send a licensed copy of f-secure-linux-security-7.03 for debugging. Or you can download it for test:
http://download.f-secure.com/webclub/f-secure-linux-security-7.03.81803.tgz

Since 2003 I use Mailscanner in my company and it is the best available Anti-Virus Scanner I have ever seen.
Thank you for your hard work, Julian.

Please help me. Thank you.

Felix

More information:
gateway:/home/fs/install # whereis fsav
fsav: /usr/bin/fsav /usr/share/man/man1/fsav.1 /usr/share/man/man1/fsav.1.gz

f-secure-wrapper output
gateway:/usr/lib/MailScanner # /usr/lib/MailScanner/f-secure-wrapper /usr /home/fs/install/virus/
F-Secure Security Platform version 2.10 build 8171
Copyright (c) 1999-2008 F-Secure Corporation. All Rights Reserved.

Scan started at Mon Jul 13 09:21:01 2009
Database version: 2009-07-13_02

/home/fs/install/virus/eicar.com: Infected: EICAR_Test_File [FSE]
/home/fs/install/virus/eicar.com: Infected: EICAR-Test-File [AVP]
[/home/fs/install/virus/Worm.Sober.zip] Word-Text_packedList.exe: Infected: Email-Worm.Win32.Sober.u [AVP]

Scan ended at Mon Jul 13 09:21:01 2009
2 files scanned
2 files infected

/var/log/mail
Jul 13 08:54:19 gateway update.virus.scanners: Found f-secure installed
Jul 13 08:54:19 gateway update.virus.scanners: Running autoupdate for f-secure
Jul 13 08:54:25 gateway update.virus.scanners: Found generic installed
Jul 13 08:54:25 gateway update.virus.scanners: Running autoupdate for generic
...
Jul 13 09:55:35 gateway postfix/smtpd[22156]: disconnect from web.heise.de[193.99.144.71]
Jul 13 09:55:36 gateway MailScanner[21958]: New Batch: Found 2 messages waiting
Jul 13 09:55:36 gateway MailScanner[21958]: New Batch: Scanning 1 messages, 2826 bytes
Jul 13 09:55:38 gateway MailScanner[21983]: Filename Checks: Windows/DOS Executable (33E9D8A07D.AF1DF eicar.com)
Jul 13 09:55:38 gateway MailScanner[21983]: Other Checks: Found 1 problems
Jul 13 09:55:38 gateway MailScanner[21983]: Virus and Content Scanning: Starting
Jul 13 09:55:38 gateway clamd[14414]: /var/spool/MailScanner/incoming/21983/33E9D8A07D.AF1DF.message: Eicar-Test-Signature FOUND
Jul 13 09:55:38 gateway clamd[14414]: /var/spool/MailScanner/incoming/21983/33E9D8A07D.AF1DF/neicar.com: Eicar-Test-Signature FOUND
Jul 13 09:55:38 gateway MailScanner[21983]: Clamd::INFECTED:: Eicar-Test-Signature :: ./33E9D8A07D.AF1DF/
Jul 13 09:55:38 gateway MailScanner[21983]: Clamd::INFECTED:: Eicar-Test-Signature :: ./33E9D8A07D.AF1DF/eicar.com
Jul 13 09:55:38 gateway MailScanner[21983]: Virus Scanning: Clamd found 2 infections
Jul 13 09:55:38 gateway MailScanner[21983]: Infected message 33E9D8A07D.AF1DF came from 193.99.144.71
Jul 13 09:55:38 gateway MailScanner[21983]: Virus Scanning: Found 2 viruses
Jul 13 09:55:38 gateway MailScanner[21983]: Requeue: 33E9D8A07D.AF1DF to 861D68A0B7
Jul 13 09:55:38 gateway postfix/qmgr[21937]: 861D68A0B7: from=, size=2152, nrcpt=1 (queue active)
Jul 13 09:55:38 gateway MailScanner[21983]: Cleaned: Delivered 1 cleaned messages
Jul 13 09:55:38 gateway postfix/smtp[22166]: certificate verification failed for exchangebs.firma.de[172.16.1.30]:25: untrusted issuer /DC=de/DC=firma/CN=firmaCA
Jul 13 09:55:38 gateway MailScanner[21983]: Deleted 1 messages from processing-database
Jul 13 09:55:38 gateway MailScanner[21983]: Logging message 33E9D8A07D.AF1DF to SQL
Jul 13 09:55:38 gateway postfix/smtp[22166]: 861D68A0B7: to=, relay=exchangebs.firma.de[172.16.1.30]:25, delay=5.6, delays=5.4/0/0.07/0.16, dsn=2.6.0, status=sent (250 2.6.0 Queued mail for delivery)

Report in Mailwatch Web Interface:
Report: Clamd: message was infected: Eicar-Test-Signature
Clamd: eicar.com was infected: Eicar-Test-Signature
MailScanner: Executable DOS/Windows programs are dangerous in email (eicar.com)

No F-Secure Output?

From MailScanner at ecs.soton.ac.uk Mon Jul 13 09:47:47 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Jul 13 09:48:10 2009
Subject: f-secure-linux-security-7.03 doesn't work with MailScanner-4.77.10-1
In-Reply-To: <1013320723@web.de>
References: <1013320723@web.de> <4A5AF4B3.9060607@ecs.soton.ac.uk>
Message-ID:

What does your /etc/MailScanner/virus.scanners.conf say for f-secure?
It should read like this if it's installed in the default location (/opt/f-secure):

f-secure /usr/lib/MailScanner/f-secure-wrapper /opt/f-secure/fssp

Then a 'MailScanner --lint' should show F-Secure detecting the EICAR test like this:

===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Virus Scanning: F-Secure found virus EICAR_Test_File
./1/eicar.com: Infected: EICAR_Test_File [FSE]
Virus Scanning: F-Secure found virus EICAR-Test-File
./1/eicar.com: Infected: EICAR-Test-File [AVP]
Virus Scanning: F-Secure found 1 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 1 viruses
===========================================================================

This is running with F-Secure 7.03, as you can see here:

[root@alegria MailScanner]# /opt/f-secure/fssp/bin/fsav --version
F-Secure Linux Security version 7.03 build 81803

Copyright (c) 1999-2008 F-Secure Corporation. All Rights Reserved.
Portions: Copyright (c) 1991-2006 Kaspersky Labs, Ltd.

F-Secure Security Platform Command line client version:
    F-Secure Security Platform version 2.10 build 8171
F-Secure Security Platform Daemon version:
    F-Secure Security Platform version 2.10 build 8171
Database version: 2009-07-13_02
Scanner Engine versions:
    F-Secure Corporation Hydra engine version 4.0 build 9222
    F-Secure Corporation Hydra database version 2009-07-13
    Kaspersky Labs. AVP FPI Engine engine version 4.0 build 166
    Kaspersky Labs. AVP FPI Engine database version 2009-07-12

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info

From jonas at vrt.dk Mon Jul 13 10:03:34 2009
From: jonas at vrt.dk (Jonas A. Larsen)
Date: Mon Jul 13 10:03:43 2009
Subject: f-secure-linux-security-7.03 doesn't work with MailScanner-4.77.10-1
In-Reply-To: <1013320723@web.de>
References: <1013320723@web.de>
Message-ID: <003701ca0398$cd07e740$6717b5c0$@dk>

This is just a guess (it's quite hard to read the truncated log) but it does not look like MailScanner runs f-secure?

I use the f-secure product myself (it combines f-secure and kaspersky's signatures so I like it a lot since you get 2 products in 1) and it works fine.

How did u enable f-secure in mailscanner.conf?

Med venlig hilsen / Best regards

Jonas Akrouh Larsen

TechBiz ApS
Laplandsgade 4, 2. sal
2300 København S

Office: 7020 0979
Direct: 3336 9974
Mobile: 5120 1096
Fax: 7020 0978
Web: www.techbiz.dk

From felix.schaefer at web.de Mon Jul 13 10:52:14 2009
From: felix.schaefer at web.de (Felix Schäfer)
Date: Mon Jul 13 10:52:23 2009
Subject: f-secure-linux-security-7.03 doesn't work with MailScanner-4.77.10-1
Message-ID: <1013389078@web.de>

Hello Julian, hello Jonas,

thank you. I think it was a security file permission problem, which I had fixed.

MailScanner --lint
...
MailScanner.conf says "Virus Scanners = f-secure clamd"
grep: /etc/opt/f-secure/fssp/fssp.conf: Permission denied.
Found these virus scanners installed: clamd
...

Now MailScanner --lint says:
...
Found these virus scanners installed: f-secure
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Virus Scanning: F-Secure found virus EICAR_Test_File
./1/eicar.com: Infected: EICAR_Test_File [FSE]
Virus Scanning: F-Secure found virus EICAR-Test-File
./1/eicar.com: Infected: EICAR-Test-File [AVP]
Virus Scanning: F-Secure found 1 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 1 viruses
===========================================================================
If any of your virus scanners (f-secure) ...

I changed the fsav bin path back to...
f-secure /usr/lib/MailScanner/f-secure-wrapper /opt/f-secure/fssp

Thank you,
Felix

-----Original Message-----
From: "Julian Field"
Sent: 13.07.09 10:58:21
To: MailScanner discussion
Subject: Re: f-secure-linux-security-7.03 doesn't work with MailScanner-4.77.10-1

What does your /etc/MailScanner/virus.scanners.conf say for f-secure?
It should read like this if it's installed in the default location (/opt/f-secure):
f-secure /usr/lib/MailScanner/f-secure-wrapper /opt/f-secure/fssp

Then a 'MailScanner --lint' should show F-Secure detecting the EICAR test like this:
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Virus Scanning: F-Secure found virus EICAR_Test_File
./1/eicar.com: Infected: EICAR_Test_File [FSE]
Virus Scanning: F-Secure found virus EICAR-Test-File
./1/eicar.com: Infected: EICAR-Test-File [AVP]
Virus Scanning: F-Secure found 1 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 1 viruses
===========================================================================

This is running with F-Secure 7.03, as you can see here:
[root@alegria MailScanner]# /opt/f-secure/fssp/bin/fsav --version
F-Secure Linux Security version 7.03 build 81803
Copyright (c) 1999-2008 F-Secure Corporation. All Rights Reserved.
Portions: Copyright (c) 1991-2006 Kaspersky Labs, Ltd.
F-Secure Security Platform Command line client version:
    F-Secure Security Platform version 2.10 build 8171
F-Secure Security Platform Daemon version:
    F-Secure Security Platform version 2.10 build 8171
Database version: 2009-07-13_02
Scanner Engine versions:
    F-Secure Corporation Hydra engine version 4.0 build 9222
    F-Secure Corporation Hydra database version 2009-07-13
    Kaspersky Labs. AVP FPI Engine engine version 4.0 build 166
    Kaspersky Labs. AVP FPI Engine database version 2009-07-12

Jules

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From mailadmin at midland-ics.ie Mon Jul 13 15:03:10 2009
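The failure Felix describes above (a scanner listed in Virus Scanners that MailScanner --lint left out because a configuration file was unreadable) can be checked for mechanically. The script below is an added example, not part of MailScanner or of any message in this thread: the function names are hypothetical, and the healthy-run sample with its comma-separated scanner list is constructed; the other sample lines are copied from the messages above.

```shell
#!/bin/sh
# Added example (not MailScanner code): find scanners that are configured
# but were not picked up, from saved `MailScanner --lint` output and a log.

# Lint lines from the failing run quoted in this thread.
LINT_BROKEN='MailScanner.conf says "Virus Scanners = f-secure clamd"
grep: /etc/opt/f-secure/fssp/fssp.conf: Permission denied.
Found these virus scanners installed: clamd'

# Constructed sample of a healthy run (comma-separated list is an assumption).
LINT_OK='MailScanner.conf says "Virus Scanners = f-secure clamd"
Found these virus scanners installed: f-secure, clamd'

# Mail log lines from the EICAR test quoted in this thread.
LOG_EICAR='Jul 13 09:55:38 gateway MailScanner[21983]: Virus Scanning: Clamd found 2 infections
Jul 13 09:55:38 gateway MailScanner[21983]: Infected message 33E9D8A07D.AF1DF came from 193.99.144.71
Jul 13 09:55:38 gateway MailScanner[21983]: Virus Scanning: Found 2 viruses'

# Split a comma- or space-separated list into one sorted name per line.
split_names() {
    tr ', ' '\n\n' | sed '/^$/d' | sort -u
}

# Scanners named on the "Virus Scanners = ..." line. "auto" and "none" are
# settings rather than scanner names, so they are dropped.
configured_scanners() {
    printf '%s\n' "$1" |
        sed -n 's/.*Virus Scanners = \([^"]*\).*/\1/p' |
        split_names | sed -e '/^auto$/d' -e '/^none$/d'
}

# Scanners listed on the "Found these virus scanners installed:" line.
installed_scanners() {
    printf '%s\n' "$1" |
        sed -n 's/.*Found these virus scanners installed: *//p' |
        split_names
}

# Configured scanners that the lint run did not find.
missing_scanners() {
    installed=$(installed_scanners "$1")
    for s in $(configured_scanners "$1"); do
        printf '%s\n' "$installed" | grep -qxF -- "$s" || printf '%s\n' "$s"
    done
}

# Paths that produced "Permission denied" during the lint run.
unreadable_paths() {
    printf '%s\n' "$1" |
        sed -n 's/^[^:]*: \(.*\): Permission denied\.\{0,1\}$/\1/p'
}

# After an EICAR test message every configured scanner should log a
# "Virus Scanning: <Name> found ..." line; print the ones that did not.
silent_scanners() {   # $1 = lint output, $2 = mail log of the test
    for s in $(configured_scanners "$1"); do
        printf '%s\n' "$2" | grep -qiF -- "Virus Scanning: $s found" ||
            printf '%s\n' "$s"
    done
}

# Real use: report "$(MailScanner --lint 2>&1)" "$(cat /var/log/mail)"
report() {
    missing_scanners "$1" | sed 's/^/configured but not found: /'
    unreadable_paths "$1" | sed 's/^/unreadable during lint: /'
    silent_scanners "$1" "$2" | sed 's/^/no EICAR detection logged: /'
}

report "$LINT_BROKEN" "$LOG_EICAR"
```
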
From: mailadmin at midland-ics.ie (Mail Admin)
Date: Mon Jul 13 15:03:38 2009
Subject: Sender Address Verification
Message-ID: <013d01ca03c2$a8706f40$f9514dc0$@ie>

Dear List

I recently deployed the smf-sav, which works quite well. It takes a lot of load off mailscanner.

I recently got listed on backscatter because I have used it on one of "their" members so it seems.

Looking on their Web Site it seems there is nothing I can do only pay them 50 euro to get delisted, and then what happens if I do sav again?

Have any of the list had this issue, with smf-sav? Is there anything that can be done from your experience? I do not want to turn off smf-sav.

Thanks to you all

This e-mail is intended solely for the addressee(s) and is strictly confidential. The unauthorised use, disclosure or copying of this e-mail, or any information it contains is prohibited. If you have received this e-mail in error, please notify us immediately and then permanently delete it. Although Midland Internet & Computer Solutions make every effort to keep our systems free from viruses you should check this e-mail and any attachments to it for viruses as we cannot accept any liability for viruses inadvertently transmitted by use.

From simon at kmun.gov.kw Mon Jul 13 15:58:06 2009
From: simon at kmun.gov.kw (Benedict simon)
Date: Mon Jul 13 15:31:39 2009
Subject: f-secure-linux-security-7.03 doesn't work with MailScanner-4.77.10-1
In-Reply-To: <1013320723@web.de>
References: <1013320723@web.de>
Message-ID: <4c3fd0d0aeaa611844989770978f3168.squirrel@webmail.baladia.gov.kw>

> Hello,
>
> I have a problem with most recent f-secure-linux-security-7.03 on my
> openSUSE 11.1 64-Bit Box with MailScanner-4.77.10-1.
>
> Mailscanner doesn't recognise a virus (output from f-secure f-sav). Only my
> installed clam-av detects the eicar test virus.
> If necessary I can send a licensed copy of f-secure-linux-security-7.03
> for debugging. Or you can download it for test:
> http://download.f-secure.com/webclub/f-secure-linux-security-7.03.81803.tgz
>
> Since 2003 I use Mailscanner in my company and it is the best available
> Anti-Virus Scanner I ever seen.
> Thank you for your hard work, Julian.

You r absolutely right Mr Felix

mailScanner is just a marvelous n the most incredible piece of software i have ever come across..

its really a blessing to have guys like julian

we always gonna be n debt for this price less piece of software of urs

thnks a million

regards

simon

--
Network ADMIN
-------------
KUWAIT MUNICIPALITY:

From bpirie at rma.edu Mon Jul 13 16:16:12 2009
From: bpirie at rma.edu (Brendan Pirie)
Date: Mon Jul 13 16:16:35 2009
Subject: Sender Address Verification
In-Reply-To: <013d01ca03c2$a8706f40$f9514dc0$@ie>
References: <013d01ca03c2$a8706f40$f9514dc0$@ie>
Message-ID: <4A5B4FBC.1060308@rma.edu>

Mail Admin wrote:
> Dear List
>
> I recently deployed the smf-sav, which works quite well. It takes a
> lot of load off mailscanner.
>
> I recently got listed on backscatter because I have used it on one of
> "their" members so it seems.
>
> Looking on their Web Site it seems there is nothing I can do only pay
> them 50 euro to get delisted, and then what happens if I do sav again?
>
> Have any of the list had this issue, with smf-sav? Is there anything
> that can be done from your experience? I do not want to turn off smf-sav.
>
> Thanks to you all

Sender Address Verification is problematic. There are several ISPs who will blacklist you if you employ it, and others who simply won't reply to a verification request. If you insist on using the SAV feature in smf-sav, be prepared to monitor and maintain it by closely monitoring logs and editing the various types of Whitelist entries in the config.

I use smf-sav only for recipient verification.

Brendan

From Hostmaster at computerservicecentre.com Mon Jul 13 16:35:03 2009
From: Hostmaster at computerservicecentre.com (Hostmaster)
Date: Mon Jul 13 16:35:15 2009
Subject: Sender Address Verification
In-Reply-To: <013d01ca03c2$a8706f40$f9514dc0$@ie>
References: <013d01ca03c2$a8706f40$f9514dc0$@ie>
Message-ID: <3D9C92F3075F5144B46AA2C590F48E2ABCB122@commssrv01.computerservicecentre.com>

>I recently deployed the smf-sav, which works quite well. It takes a lot of load off mailscanner.
>I recently got listed on backscatter because I have used it on one of "their" members so it seems.
>Looking on their Web Site it seems there is nothing I can do only pay them 50 euro to get delisted, and then what happens if I do sav again?
>Have any of the list had this issue, with smf-sav? Is there anything that can be done from your experience? I do not want to turn off smf-sav.
>Thanks to you all

I am assuming you mean you have been listed at backscatterer.org...

I must admit that I find something particularly distasteful about being on the receiving end of sender validation lookups, especially considering that some of our servers receive email for domains which they do not send email for. In my opinion, nobody should rely on someone else's resources (memory and CPU time) to work out if they should accept an email, and I guess that the Backscatter blacklist was built on this basis - their sender callout policy is here - http://www.backscatterer.org/?target=sendercallouts and I have to say that I agree with all points.

I am pretty sure that this has been discussed on-list before and that some people have very strong feelings in both ways regarding callouts, so it might be worth searching the list archives for further info on the subject.

Best Regards,
Richard

All E-Mail communications are monitored in addition to being content checked for malicious codes or viruses. The success of scanning products is not guaranteed, therefore the recipient(s) should carry out any checks that they believe to be appropriate in this respect.

This message (including any attachments and/or related materials) is confidential to and is the property of Computer Service Centre, unless otherwise noted. If you are not the intended recipient, you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited. Any views or opinions presented are solely those of the author and do not necessarily represent those of Computer Service Centre.

From alex at rtpty.com Mon Jul 13 16:59:22 2009
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Mon Jul 13 16:59:39 2009
Subject: f-secure-linux-security-7.03 doesn't work with MailScanner-4.77.10-1
In-Reply-To: <4c3fd0d0aeaa611844989770978f3168.squirrel@webmail.baladia.gov.kw>
References: <1013320723@web.de> <4c3fd0d0aeaa611844989770978f3168.squirrel@webmail.baladia.gov.kw>
Message-ID: <46349CAF-0228-4E5F-A567-DA8EA04532AA@rtpty.com>

You can always Buy the Book!

http://www.cafepress.com/mailscanner.140046559

On Jul 13, 2009, at 9:58 AM, Benedict simon wrote:

> we always gonna be n debt for this price less piece of software of urs

--
Alex Neuman van der Hans
Reliant Technologies
+507 6781-9505
+507 202-1525
alex@rtpty.com
Skype: alexneuman

From Hostmaster at computerservicecentre.com Mon Jul 13 17:11:19 2009
From: Hostmaster at computerservicecentre.com (Hostmaster)
Date: Mon Jul 13 17:11:32 2009
Subject: f-secure-linux-security-7.03 doesn't work with MailScanner-4.77.10-1
In-Reply-To: <46349CAF-0228-4E5F-A567-DA8EA04532AA@rtpty.com>
References: <1013320723@web.de> <4c3fd0d0aeaa611844989770978f3168.squirrel@webmail.baladia.gov.kw> <46349CAF-0228-4E5F-A567-DA8EA04532AA@rtpty.com>
Message-ID: <3D9C92F3075F5144B46AA2C590F48E2ABCB138@commssrv01.computerservicecentre.com>

>You can always Buy the Book!
>http://www.cafepress.com/mailscanner.140046559
>On Jul 13, 2009, at 9:58 AM, Benedict simon wrote:
>> we always gonna be n debt for this price less piece of software of urs

Or if you feel indebted to Julian himself, I am sure he would be more than happy if you were to buy him something from his Amazon wishlist:

http://www.jules.fm/Logbook/files/tag-majordomo.html

(see the link at the bottom of the blog post. I felt it more appropriate to link to Julian's blog as opposed to direct to his wishlist so that the community knew that the link was actually for Julian's wishlist. Amazon don't make it as clear as they could!)

Best Regards,
Richard

From mailadmin at midland-ics.ie Mon Jul 13 17:41:46 2009
From: mailadmin at midland-ics.ie (Mail Admin)
Date: Mon Jul 13 17:42:11 2009
Subject: Sender Address Verification
In-Reply-To: <3D9C92F3075F5144B46AA2C590F48E2ABCB122@commssrv01.computerservicecentre.com>
References: <013d01ca03c2$a8706f40$f9514dc0$@ie> <3D9C92F3075F5144B46AA2C590F48E2ABCB122@commssrv01.computerservicecentre.com>
Message-ID: <015401ca03d8$cffd3e60$6ff7bb20$@ie>

Thanks for your comments. I will search the list and review the way I use it and re-think my strategy.

Kind Regards

From J.Ede at birchenallhowden.co.uk Mon Jul 13 17:56:09 2009
From: J.Ede at birchenallhowden.co.uk (Jason Ede)
Date: Mon Jul 13 17:56:35 2009
Subject: Sender Address Verification
In-Reply-To: <015401ca03d8$cffd3e60$6ff7bb20$@ie>
References: <013d01ca03c2$a8706f40$f9514dc0$@ie> <3D9C92F3075F5144B46AA2C590F48E2ABCB122@commssrv01.computerservicecentre.com> <015401ca03d8$cffd3e60$6ff7bb20$@ie>
Message-ID: <1213490F1F316842A544A850422BFA960F647FE5B2@BHLSBS.bhl.local>

In short, if you must use it then only use it for recipient address verification. I.e. only accept email you can deliver to a valid mailbox and make sure you don't have any catchalls on domains.

Jason

From ssilva at sgvwater.com Tue Jul 14 00:41:44 2009
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Jul 14 00:42:15 2009 Subject: (2nd Request) Disable scanning for a client that connectsviaSMTP-AUTH In-Reply-To: <4A4D2426.3000804@kimballequipment.com> References: <4A147B290200002D00006737@sparky.asdm.net> <200905210754.04555.eli@orbsky.homelinux.org> <4A170F760200002D0000676D@sparky.asdm.net> <200905230757.01173.eli@orbsky.homelinux.org> <4A1867050200002D00006786@sparky.asdm.net> <20090524174243.GB2724@msapiro> <4A19BD250200002D00006795@sparky.asdm.net> <4A4D2426.3000804@kimballequipment.com> Message-ID: on 7-2-2009 2:18 PM Mat Murdock spake the following: > I know I'm kind of bringing this topic back from the dead, but > spamassassin has a rule called "ALL_TRUSTED" that detects if the e-mail > used smtp-auth. If so it gives it a negative score. It does this by > looking at the sendmail headers. The problem I have is that my users > are sending their mail from IPs that are on dns blacklists. It would > be nice if MailScanner was also able to read the headers the same way > that spamassassin does and allow the user to skip dns blacklist checks > for authenticated e-mails. > > Mat Don't do blacklist checks in MailScanner. Either you trust the blacklist and you do it in the MTA, or you don't trust it, and you score it with spamassassin. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 258 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090713/e1459d85/signature.bin From brent.addis at spit.gen.nz Tue Jul 14 05:46:52 2009
From: brent.addis at spit.gen.nz (Brent Addis) Date: Tue Jul 14 05:47:11 2009 Subject: Sender Address Verification In-Reply-To: <3D9C92F3075F5144B46AA2C590F48E2ABCB122@commssrv01.computerservicecentre.com> References: <013d01ca03c2$a8706f40$f9514dc0$@ie> <3D9C92F3075F5144B46AA2C590F48E2ABCB122@commssrv01.computerservicecentre.com> Message-ID: <1247546812.24461.44.camel@baddis-laptop> wow. small text. My eyyyes... Wouldn't enabling SPF on hosted domains help with this? That way, sender verification is only checking on email sent from your own valid mailservers anyway, saving your precious cpu load. We were getting several thousand sender lookups a day from various sources. We enabled spf with the -all (It had been ~all while we were testing) flag, and that dropped down to a couple of hundred, generally to valid addresses, which I have no problem with. -----Original Message-----
From: Hostmaster Reply-to: MailScanner discussion To: MailScanner discussion Subject: RE: Sender Address Verification Date: Mon, 13 Jul 2009 16:35:03 +0100 >I recently deployed the smf-sav, which works quite well. It takes a lot of load off mailscanner. >I recently got listed on backscatter because I have used it on one of "their" members so it seems. >Looking on their Web Site it seems there is nothing I can do only pay them 50 euro to get delisted, and then what happens if I do >sav again? >Have any of the list had this issue, with smf-sav? Is there anything that can be done from your experience? I do not want to turn >off smf-sav. >Thanks to you all I am assuming you mean you have been listed at backscatterer.org... I must admit that I find something particularly distasteful about being on the receiving end of sender validation lookups, especially considering that some of our servers receive email for domains which they do not send email for. In my opinion, nobody should rely on someone else's resources (memory and CPU time) to work out if they should accept an email, and I guess that the Backscatter blacklist was built on this basis - their sender callout policy is here - http://www.backscatterer.org/?target=sendercallouts and I have to say that I agree with all points. I am pretty sure that this has been discussed on-list before and that some people have very strong feelings in both ways regarding callouts, so it might be worth searching the list archives for further info on the subject. Best Regards, Richard All E-Mail communications are monitored in addition to being content checked for malicious codes or viruses. The success of scanning products is not guaranteed, therefore the recipient(s) should carry out any checks that they believe to be appropriate in this respect. This message (including any attachments and/or related materials) is confidential to and is the property of Computer Service Centre, unless otherwise noted.
If you are not the intended recipient, you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited. Any views or opinions presented are solely those of the author and do not necessarily represent those of Computer Service Centre. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090714/60b47d7d/attachment.html From ssilva at sgvwater.com Tue Jul 14 19:46:42 2009 
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Jul 14 19:47:07 2009 Subject: Spam but no randomly no Spam Report In-Reply-To: <4A44C4200200002D00006CD6@sparky.asdm.net> References: <4A4404D50200002D00006C96@sparky.asdm.net> <4A44116A0200002D00006C9B@sparky.asdm.net> <4A4489C3.4000203@ecs.soton.ac.uk> <4A44B19E0200002D00006CAF@sparky.asdm.net> <72cf361e0906260938j1b0bf343s62e623b1d91e5987@mail.gmail.com> <4A44C4200200002D00006CD6@sparky.asdm.net> Message-ID: on 6-26-2009 9:50 AM Gary Faith spake the following: > If that is true, then why aren't the SA scores a constant value? > > Here are the reports from 3 recently received messages: > > Spam: Y Action(s): store, deliver, header, "X-Spam-Status:, Yes" High > Scoring Spam: N SpamAssassin Spam: N Listed in RBL: Y Spam > Whitelisted: N Spam Blacklisted: N SpamAssassin Autolearn: N > SpamAssassin Score:1.77 Spam Report:spam, SBL+XBL > > Spam: Y Action(s): store, deliver, header, "X-Spam-Status:, Yes" High > Scoring Spam: N SpamAssassin Spam: N Listed in RBL: Y Spam > Whitelisted: N Spam Blacklisted: N SpamAssassin Autolearn: N > SpamAssassin Score:0.92 Spam Report:spam, SBL+XBL > > Spam: Y Action(s): store, deliver, header, "X-Spam-Status:, Yes" High > Scoring Spam: N SpamAssassin Spam: N Listed in RBL: Y Spam > Whitelisted: N Spam Blacklisted: N SpamAssassin Autolearn: N > SpamAssassin Score:3.09 Spam Report:spam, SBL+XBL > > Notice that each of these messages have isspam = 1 and isrblspam = 1, > ishighspam = 0 & issaspam = 0 but each have a different SA score. My > point is something is assigning a value to the SA score but nothing > besides "spam, {RBL Listed} is being reported. > > Gary You have to set "Always Include SpamAssassin Report" = yes to always see the report. Otherwise, you get the score, but not the report unless it scores enough to go over your spam threshold. -------------- next part -------------- A non-text attachment was scrubbed...
Name: signature.asc Type: application/pgp-signature Size: 258 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090714/389aebbd/signature.bin From ssilva at sgvwater.com Tue Jul 14 20:14:37 2009 From: ssilva at sgvwater.com (Scott Silva) Date: Tue Jul 14 20:14:59 2009 Subject: Tiny text only spam (semi OT) In-Reply-To: <4A4D1AEB.2080804@skynet-srl.com> References: <200907021100.n62B03of017800@safir.blacknight.ie> <4A4D1AEB.2080804@skynet-srl.com> Message-ID: on 7-2-2009 1:39 PM Alessandro Bianchi spake the following: > Hi guys > > Those damned spammers have found a way to break in > > After image only spam, they have managed to build plain text only spam > (no links or html or images, just text) that slips through my MS > installation. > > They often place in orthographic errors to "fool" spamassassin. > > Here is an example: > <<< START -- destination address has been masked > > From - Mon Jun 29 15:03:22 2009 > X-Mozilla-Status: 0001 > X-Mozilla-Status2: 00000000 > Return-Path: > X-Original-To: xxxxxxxxxxxxxxxxxxxxxx > Delivered-To: xxxxxxxxxxxxxxxxxxxxxxxx > X-Greylist: delayed 312 seconds by postgrey-1.30 at Log; Sun, 28 Jun 2009 15:09:01 CEST > Received: from jtuxl.forthnet.gr (adsl144-208.lsf.forthnet.gr [79.103.75.208]) > by cdnet02.cdnet.it (Postfix) with SMTP id A17793880EF > for ; Sun, 28 Jun 2009 15:09:01 +0200 (CEST) > Date: Sun, 28 Jun 2009 13:09:04 +0100 > Content-Type: text/plain; > charset="windows-1256"
> From: "kayaker" > MIME-Version: 1.0 > To: xxxxxxxxxxxxxxxxxxxxxxx > Message-ID: > Subject: How To Make A iGprl As Hot As Paris Hilton Achieve Multiple Orgasms > X-skynet-srl-MailScanner-ID: A17793880EF.A13C2 > X-MailScanner: Found to be clean > X-MailScanner-SpamScore: s > X-MailScanner-From: bivalved@rojax.com > X-skynet-srl-MailScanner-Watermark: 1246799344.38984@X6K8Q1cEZ6QnFvmnvQtBwQ > X-Spam-Status: No > > Hfow To Make A Girl Ass Hot As Paris Hilton Achieve Multiple Orgasms www. pill20. com. Girl, 5, Forced To Apologize For Hugging Claassmate > > > <<<< END > > Blocking the from address is completely useless since it is randomly > changed and the same is for subject and text content. > > Has anyone else seen a similar behaviour and found a solution? > > Thank you and best regards > > Alessandro This is how that scores on my system;

Content analysis details: (16.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.5 RCVD_IN_UCE_PFSM_3     RBL: Received via a relay in UCE_PFSM_3
                            [79.103.75.208 listed in dnsbl-3.uceprotect.net]
 2.0 RCVD_IN_UCE_PFSM_2     RBL: Received via a relay in UCE_PFSM_2
                            [79.103.75.208 listed in dnsbl-2.uceprotect.net]
 1.2 TO_MALFORMED           To: has a malformed address
 0.1 BOTNET_CLIENTWORDS     Hostname contains client-like substrings
                            [botnet_clientwords,ip=79.103.75.208,rdns=adsl144-208.lsf.forthnet.gr]
 4.0 BOTNET                 Relay might be a spambot or virusbot
                            [botnet0.8,ip=79.103.75.208,rdns=adsl144-208.lsf.forthnet.gr,client,clientwords]
 0.1 BOTNET_CLIENT          Relay has a client-like hostname
                            [botnet_client,ip=79.103.75.208,rdns=adsl144-208.lsf.forthnet.gr,clientwords]
 1.4 SARE_ADULT2            BODY: Contains adult material
 1.7 SARE_BETTERORG         BODY: Talks about getting better orgasms
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5431]
 2.9 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 0.1 RDNS_DYNAMIC           Delivered to trusted network by host with
                            dynamic-looking rDNS
-------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 258 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090714/6fef7dfb/signature.bin From ssilva at sgvwater.com Tue Jul 14 20:23:46 2009 From: ssilva at sgvwater.com (Scott Silva) Date: Tue Jul 14 20:24:10 2009 Subject: R: Suddenly mailscanner not delivers some email In-Reply-To: <01C9C034809D4932B493B768389D9BEF@dbdomain.database.it> References: <2FA349F95CF3644FAFC92070E642EB6AE663E4@beta.dbdomain.database.it> <4A5494C8.6050905@fsl.com> <01C9C034809D4932B493B768389D9BEF@dbdomain.database.it> Message-ID: on 7-8-2009 6:30 AM Marcello Anderlini spake the following: > It seems it's been solved by deleting the messages of the examples and some > other messages similar to it. > I still cannot figure what was the reason. > > Thanks a lot for your kind answer. I'll re-use your help if (I hope > not) it happens again. > > Best regards and sorry for my worst English. > It could be a combination of old software versions and newer mail clients. I don't always run the newest version, but I don't let it get 3 years old either. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 258 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090714/054f618f/signature.bin From ssilva at sgvwater.com Tue Jul 14 20:31:09 2009
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Jul 14 20:31:33 2009 Subject: Sender Address Verification In-Reply-To: <013d01ca03c2$a8706f40$f9514dc0$@ie> References: <013d01ca03c2$a8706f40$f9514dc0$@ie> Message-ID: on 7-13-2009 7:03 AM Mail Admin spake the following: > Dear List > > > > I recently deployed the smf-sav, which works quite well. It takes a lot > of load off mailscanner. There are other ways to take the load off of MailScanner. > > I recently got listed on backscatter because I have used it on one of > "their" members so it seems. You are generating backscatter, so you will get listed. > > Looking on their Web Site it seems there is nothing I can do only pay > them 50 euro to get delisted, and then what happens if I do sav again? Keep the checkbook handy, as you will get listed again! > > > > Have any of the list had this issue, with smf-sav? Is there anything > that can be done from your experience? I do not want to turn off smf-sav. Then prepare to stay blacklisted. Sender callout is considered rude by many sysadmins, as it only transfers the load to someone else. > > > > Thanks to you all I would only use smf-sav to check valid recipients, not sender callouts. But that is me and my systems that AREN'T listed on backscatter! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 258 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090714/66adb947/signature.bin From mike at mlrw.com Tue Jul 14 20:53:13 2009 From: mike at mlrw.com (Mike Wallace) Date: Tue Jul 14 20:53:27 2009 Subject: Test of Mailing List Message-ID: <5C13F1EA-E109-4A1C-AF1F-7EB04D986D48@mlrw.com> I am subscribed to this mailing list but whenever I replied to a message it never shows up. So I am running this test to see if this shows up. Thanks for your understanding. Mike From Kevin_Miller at ci.juneau.ak.us Tue Jul 14 21:08:06 2009
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Tue Jul 14 21:08:21 2009 Subject: Test of Mailing List In-Reply-To: <5C13F1EA-E109-4A1C-AF1F-7EB04D986D48@mlrw.com> References: <5C13F1EA-E109-4A1C-AF1F-7EB04D986D48@mlrw.com> Message-ID: <4A09477D575C2C4B86497161427DD94C10E110F439@city-exchange07> It's showing up fine. ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Mike Wallace Sent: Tuesday, July 14, 2009 11:53 AM To: mailscanner@lists.mailscanner.info Subject: Test of Mailing List I am subscribed to this mailing list but whenever I replied to a message it never shows up. So I am running this test to see if this shows up. Thanks for your understanding. Mike -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From mike at mlrw.com Tue Jul 14 21:17:34 2009 
From: mike at mlrw.com (Mike Wallace) Date: Tue Jul 14 21:17:49 2009 Subject: Test of Mailing List In-Reply-To: <4A09477D575C2C4B86497161427DD94C10E110F439@city-exchange07> References: <5C13F1EA-E109-4A1C-AF1F-7EB04D986D48@mlrw.com> <4A09477D575C2C4B86497161427DD94C10E110F439@city-exchange07> Message-ID: <72FC320F-4C74-4FC7-85FB-2690929A8A91@mlrw.com> Thanks, I also see it. I'll try replying again to the messages I had some info for. Mike On Jul 14, 2009, at 4:08 PM, Kevin Miller wrote: > It's showing up fine. > > ...Kevin > -- > Kevin Miller Registered Linux User No: 307357 > CBJ MIS Dept. Network Systems Admin., Mail Admin. > 155 South Seward Street ph: (907) 586-0242 > Juneau, Alaska 99801 fax: (907 586-4500 > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info > ] On Behalf Of Mike Wallace > Sent: Tuesday, July 14, 2009 11:53 AM > To: mailscanner@lists.mailscanner.info > Subject: Test of Mailing List > > I am subscribed to this mailing list but whenever I replied to a > message it never shows up. > > So I am running this test to see if this shows up. > > Thanks for your understanding. > > Mike From maxsec at gmail.com Tue Jul 14 21:21:14 2009
From: maxsec at gmail.com (Martin Hepworth) Date: Tue Jul 14 21:21:23 2009 Subject: Test of Mailing List In-Reply-To: <5C13F1EA-E109-4A1C-AF1F-7EB04D986D48@mlrw.com> References: <5C13F1EA-E109-4A1C-AF1F-7EB04D986D48@mlrw.com> Message-ID: <72cf361e0907141321l350932c0scf15659f4d9ced6b@mail.gmail.com> works here - got the mailman settings on your account set OK? 2009/7/14 Mike Wallace > I am subscribed to this mailing list but whenever I replied to a message it > never shows up. > > So I am running this test to see if this shows up. > > Thanks for your understanding. > > Mike > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- Martin Hepworth Oxford, UK -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090714/471576ee/attachment.html From ka at pacific.net Tue Jul 14 21:43:37 2009
From: ka at pacific.net (Ken A.) Date: Tue Jul 14 21:44:08 2009 Subject: Sender Address Verification In-Reply-To: <1247546812.24461.44.camel@baddis-laptop> References: <013d01ca03c2$a8706f40$f9514dc0$@ie> <3D9C92F3075F5144B46AA2C590F48E2ABCB122@commssrv01.computerservicecentre.com> <1247546812.24461.44.camel@baddis-laptop> Message-ID: <4A5CEDF9.8020801@pacific.net> On 07/13/2009 09:46 PM, Brent Addis wrote: > wow. small text. My eyyyes... > > Wouldn't enabling SPF on hosted domains help with this? > > That way, sender verification is only checking on email sent from your > own valid mailservers anyway, saving your precious cpu load. We were > getting several thousand sender lookups a day from various sources. We > enabled spf with the -all (It had been ~all while we were testing) flag, > and that dropped down to a couple of hundred, generally to valid > addresses, which I have no problem with. You didn't mention how do you distinguish callbacks from spam probes, dictionary attacks, or backscatter. I suppose callbacks might be reduced, if recipient domains configure so that spf hard fail rejects mail immediately, or skips sender verification. smf-sav doesn't care about spf by itself though, so this requires some proper ordering of milters, etc.. Ken > > > > > > > -----Original Message-----
> From: Hostmaster > Reply-to: MailScanner discussion > To: MailScanner discussion > Subject: RE: Sender Address Verification > Date: Mon, 13 Jul 2009 16:35:03 +0100 > > > >> I recently deployed the smf-sav, which works quite well. It takes a lot > of load off mailscanner. > >> I recently got listed on backscatter because I have used it on one of > "their" members so it seems. > >> Looking on their Web Site it seems there is nothing I can do only pay > them 50 euro to get delisted, and then what happens if I do>sav again? > > > >> Have any of the list had this issue, with smf-sav? Is there anything > that can be done from your experience? I do not want to turn>off > smf-sav. > > > >> Thanks to you all > > > > I am assuming you mean you have been listed at backscatterer.org... > > > > I must admit that I find something particularly distasteful about being > on the receiving end of sender validation lookups, especially > considering that some of our servers receive email for domains which > they do not send email for. In my opinion, nobody should rely on someone > else's resources (memory and CPU time) to work out if they should accept > an email, and I guess that the Backscatter blacklist was built on this > basis - their sender callout policy is here - > http://www.backscatterer.org/?target=sendercallouts and I have to say > that I agree with all points. > > > > I am pretty sure that this has been discussed on-list before and that > some people have very strong feelings in both ways regarding callouts, > so it might be worth searching the list archives for further info on the > subject. > > Best Regards, > > Richard > > > > > > > > > > > > > > > > All E-Mail communications are monitored in addition to being content > checked for malicious codes or viruses. The success of scanning products > is not guaranteed, therefore the recipient(s) should carry out any > checks that they believe to be appropriate in this respect.
> > > > This message (including any attachments and/or related materials) is > confidential to and is the property of Computer Service Centre, unless > otherwise noted. If you are not the intended recipient, you should > delete this message and are hereby notified that any disclosure, > copying, or distribution of this message, or the taking of any action > based on it, is strictly prohibited. > > > > Any views or opinions presented are solely those of the author and do > not necessarily represent those of Computer Service Centre. > > > -- Ken Anderson Pacific.Net From brent.addis at spit.gen.nz Wed Jul 15 00:44:39 2009 From: brent.addis at spit.gen.nz (Brent Addis) Date: Wed Jul 15 00:44:58 2009 Subject: Sender Address Verification In-Reply-To: <4A5CEDF9.8020801@pacific.net> References: <013d01ca03c2$a8706f40$f9514dc0$@ie> <3D9C92F3075F5144B46AA2C590F48E2ABCB122@commssrv01.computerservicecentre.com> <1247546812.24461.44.camel@baddis-laptop> <4A5CEDF9.8020801@pacific.net> Message-ID: <1247615079.16092.1.camel@baddis-laptop> -----Original Message----- 
From: Ken A. Reply-to: MailScanner discussion To: MailScanner discussion Subject: Re: Sender Address Verification Date: Tue, 14 Jul 2009 13:43:37 -0700 On 07/13/2009 09:46 PM, Brent Addis wrote: > wow. small text. My eyyyes... > > Wouldn't enabling SPF on hosted domains help with this? > > That way, sender verification is only checking on email sent from your > own valid mailservers anyway, saving your precious cpu load. We were > getting several thousand sender lookups a day from various sources. We > enabled spf with the -all (It had been ~all while we were testing) flag, > and that dropped down to a couple of hundred, generally to valid > addresses, which I have no problem with. You didn't mention how do you distinguish callbacks from spam probes, dictionary attacks, or backscatter. > I don't distinguish, I was just looking at them as a whole, and noticed a significant drop off I suppose callbacks might be reduced, if recipient domains configure so that spf hard fail rejects mail immediately, or skips sender verification. smf-sav doesn't care about spf by itself though, so this requires some proper ordering of milters, etc.. > There was a theory that every domain out there was supposed to have spf enabled by some date in 2006. This never really happened though. Having spf checks done first would potentially be a good idea? Ken > > > > > > > -----Original Message-----
> From: Hostmaster > Reply-to: MailScanner discussion > To: MailScanner discussion > Subject: RE: Sender Address Verification > Date: Mon, 13 Jul 2009 16:35:03 +0100 > > > >> I recently deployed the smf-sav, which works quite well. It takes a lot > of load off mailscanner. > >> I recently got listed on backscatter because I have used it on one of > "their" members so it seems. > >> Looking on their Web Site it seems there is nothing I can do only pay > them 50 euro to get delisted, and then what happens if I do>sav again? > > > >> Have any of the list had this issue, with smf-sav? Is there anything > that can be done from your experience? I do not want to turn>off > smf-sav. > > > >> Thanks to you all > > > > I am assuming you mean you have been listed at backscatterer.org... > > > > I must admit that I find something particularly distasteful about being > on the receiving end of sender validation lookups, especially > considering that some of our servers receive email for domains which > they do not send email for. In my opinion, nobody should rely on someone > else's resources (memory and CPU time) to work out if they should accept > an email, and I guess that the Backscatter blacklist was built on this > basis - their sender callout policy is here - > http://www.backscatterer.org/?target=sendercallouts and I have to say > that I agree with all points. > > > > I am pretty sure that this has been discussed on-list before and that > some people have very strong feelings in both ways regarding callouts, > so it might be worth searching the list archives for further info on the > subject. > > Best Regards, > > Richard > > > > > > > > > > > > > > > > All E-Mail communications are monitored in addition to being content > checked for malicious codes or viruses. The success of scanning products > is not guaranteed, therefore the recipient(s) should carry out any > checks that they believe to be appropriate in this respect.
> > > > This message (including any attachments and/or related materials) is > confidential to and is the property of Computer Service Centre, unless > otherwise noted. If you are not the intended recipient, you should > delete this message and are hereby notified that any disclosure, > copying, or distribution of this message, or the taking of any action > based on it, is strictly prohibited. > > > > Any views or opinions presented are solely those of the author and do > not necessarily represent those of Computer Service Centre. > > > -- Ken Anderson Pacific.Net -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090715/bd06000c/attachment.html From alexis.michon at ibcp.fr Wed Jul 15 13:00:40 2009 
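The drop in sender lookups that Brent Addis reports after moving from ~all to -all, and the SPF-before-callout ordering Ken A. describes, as an added Python example (not written by any list member, and not smf-sav or MailScanner code). It is a simplified SPF evaluator that handles only the ip4, ip6 and all mechanisms, run over constructed connections from documentation address ranges, and it assumes the receiving server rejects on an SPF fail before any sender callout is attempted.

```python
"""SPF checked before sender callout: simplified, added illustration."""
import ipaddress

# SPF qualifier -> result returned when the mechanism matches (RFC 7208)
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, value) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for raw in parts[1:]:
        qualifier = "+"                      # a bare mechanism means "pass"
        if raw[0] in QUALIFIERS:
            qualifier, raw = raw[0], raw[1:]
        name, _, value = raw.partition(":")
        terms.append((qualifier, name.lower(), value))
    return terms


def check_host(client_ip, record):
    """Evaluate the record left to right for the connecting IP.

    Only ip4, ip6 and all are handled. Mechanisms that need DNS lookups
    (a, mx, include, ...) are refused so the example runs offline.
    """
    ip = ipaddress.ip_address(client_ip)
    for qualifier, name, value in parse_spf(record):
        if name == "all":
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            raise ValueError("mechanism %r is not handled in this example" % name)
        net = ipaddress.ip_network(value, strict=False)
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"                         # nothing matched, no "all" term


def receiver_decision(client_ip, record):
    """Assumed receiver policy: SPF runs first, hard fail ends the session.

    Returns (spf_result, action). Only "callout" sends a verification
    probe to the sender domain's mail server.
    """
    result = check_host(client_ip, record)
    if result == "fail":
        return result, "reject"
    return result, "callout"


def callouts_received(record, connections):
    """Count how many of the connections end in a callout to the domain."""
    return sum(1 for ip in connections
               if receiver_decision(ip, record)[1] == "callout")


# Constructed sample: hosts that connect to third-party receivers while
# claiming a sender address at the domain. Only the first is its own server.
CONNECTIONS = ["192.0.2.10", "198.51.100.7", "203.0.113.99",
               "198.51.100.23", "2001:db8::5"]
SOFTFAIL_RECORD = "v=spf1 ip4:192.0.2.0/28 ~all"   # constructed, testing phase
HARDFAIL_RECORD = "v=spf1 ip4:192.0.2.0/28 -all"   # constructed, enforced

if __name__ == "__main__":
    for label, record in (("~all", SOFTFAIL_RECORD), ("-all", HARDFAIL_RECORD)):
        print(label, "->", callouts_received(record, CONNECTIONS), "callouts")
        for ip in CONNECTIONS:
            print("   ", ip, receiver_decision(ip, record))
```

A receiver that runs sender verification before SPF, or ignores SPF altogether, sends a callout for every connection regardless of the published qualifier, which is the milter-ordering caveat raised in the thread.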
From: alexis.michon at ibcp.fr (Alexis Michon) Date: Wed Jul 15 13:01:02 2009 Subject: No programs allowed and the character é at the beginning of a mail Message-ID: <4A5DC4E8.6050207@ibcp.fr> Hello, I am new to this mailing list, so if the question has been asked, send me to the reference. We have a MailScanner installation that has worked fine for a year and a half. We have encountered a problem for the past two weeks: each time we send a mail with the message "équipe .... ", MailScanner answers with: MailScanner: No programs allowed (msg-9484-14.txt) After several tests, the problem is caused by the "é" at the very beginning of the mail. We don't allow sending programs by mail but we don't want to block this kind of message. I have no idea what to do. How can I proceed, please? MailScanner version: 4.77 Thank you in advance. Alexis -- Alexis MICHON CNRS, France IBCP, Institut de Biologie et Chimie des Proteines Mail : alexis.michon@ibcp.fr Tel : 04.72.72.26.46 Empreinte : 8FDA 1594 2C18 EEDA 681E 8A6D 56EF F0A0 6F06 892A -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 257 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090715/c4febe19/signature.bin From mark at msapiro.net Wed Jul 15 14:34:18 2009
From: mark at msapiro.net (Mark Sapiro) Date: Wed Jul 15 14:34:32 2009 Subject: Test of Mailing List In-Reply-To: <72FC320F-4C74-4FC7-85FB-2690929A8A91@mlrw.com> References: <5C13F1EA-E109-4A1C-AF1F-7EB04D986D48@mlrw.com> <4A09477D575C2C4B86497161427DD94C10E110F439@city-exchange07> <72FC320F-4C74-4FC7-85FB-2690929A8A91@mlrw.com> Message-ID: <20090715133418.GA2652@msapiro> On Tue, Jul 14, 2009 at 04:17:34PM -0400, Mike Wallace wrote: > Thanks, I also see it. > > I'll try replying again to the messages I had some info for. FYI, messages you receive from the list have a header X-BeenThere: mailscanner@lists.mailscanner.info If for some reason, that header is still present in your reply, Mailman will discard your message. -- Mark Sapiro mark at msapiro net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From ednei.felipe.rodrigues at gmail.com Wed Jul 15 15:10:31 2009 
From: ednei.felipe.rodrigues at gmail.com (Édnei Rodrigues) Date: Wed Jul 15 15:10:41 2009 Subject: Mailscanner replicating email in folder quarantine/nonspam Message-ID: Good morning. I have a SUSE Enterprise 10 with Postfix + MailScanner + SpamAssassin. The MailScanner is generating multiple copies of the same email in folder /srv/quarantine/200907XX/nonspam***. Therefore, it is rapidly consuming disk space ( 5h = 30 GB ). Example:

*# sudo ls -la quarantine/20090714/nonspam
-rw-rw---- 1 postfix www 103811 Jul 14 12:33 F3F9E217D92.627AE
-rw-rw---- 1 postfix www 103811 Jul 14 12:38 F3F9E217D92.640CF
-rw-rw---- 1 postfix www 103811 Jul 14 12:40 F3F9E217D92.68845
-rw-rw---- 1 postfix www 103811 Jul 14 12:37 F3F9E217D92.6E18B
-rw-rw---- 1 postfix www 103811 Jul 14 12:39 F3F9E217D92.7236C
-rw-rw---- 1 postfix www 103811 Jul 14 12:35 F3F9E217D92.79385
-rw-rw---- 1 postfix www 103811 Jul 14 12:38 F3F9E217D92.7DDE1
-rw-rw---- 1 postfix www 103811 Jul 14 12:39 F3F9E217D92.882DC
-rw-rw---- 1 postfix www 103811 Jul 14 12:34 F3F9E217D92.8A2AD
-rw-rw---- 1 postfix www 103811 Jul 14 12:37 F3F9E217D92.95695
-rw-rw---- 1 postfix www 103811 Jul 14 12:34 F3F9E217D92.B6634
-rw-rw---- 1 postfix www 103811 Jul 14 12:33 F3F9E217D92.BA2A1
-rw-rw---- 1 postfix www 103811 Jul 14 12:41 F3F9E217D92.BC601
-rw-rw---- 1 postfix www 103811 Jul 14 12:39 F3F9E217D92.BC638
-rw-rw---- 1 postfix www 103811 Jul 14 12:39 F3F9E217D92.C3E91
-rw-rw---- 1 postfix www 103811 Jul 14 12:36 F3F9E217D92.C8961
-rw-rw---- 1 postfix www 103811 Jul 14 12:36 F3F9E217D92.CF5EF
-rw-rw---- 1 postfix www 103811 Jul 14 12:38 F3F9E217D92.DDB49
-rw-rw---- 1 postfix www 103811 Jul 14 12:40 F3F9E217D92.E0665
-rw-rw---- 1 postfix www 13708 Jul 14 11:40 F41DD2654CC.84A6C*

In the example, look at *F3F9E217D92*, which has multiple copies (I did a diff and they are equal). This happens with several e-mails entering. How can I solve this problem? Thanks!
*** XX = This happens every day

From mmcintosh at infowall.com Wed Jul 15 15:25:59 2009
From: mmcintosh at infowall.com (Mark McIntosh Infowall)
Date: Wed Jul 15 15:26:14 2009
Subject: Test of Mailing List
In-Reply-To: <5C13F1EA-E109-4A1C-AF1F-7EB04D986D48@mlrw.com>
References: <5C13F1EA-E109-4A1C-AF1F-7EB04D986D48@mlrw.com>
Message-ID: <4A5DE6F7.8090806@infowall.com>

Mike Wallace wrote:
> I am subscribed to this mailing list but whenever I replied to a
> message it never shows up.
>
> So I am running this test to see if this shows up.
>
> Thanks for your understanding.
>
> Mike

I see it fine,
Mark McIntosh

From maxsec at gmail.com Wed Jul 15 16:48:57 2009
From: maxsec at gmail.com (Martin Hepworth)
Date: Wed Jul 15 16:49:16 2009
Subject: Mailscanner replicating email in folder quarantine/nonspam
In-Reply-To:
References:
Message-ID: <72cf361e0907150848h3e2d8236y431860970aa09f43@mail.gmail.com>

Hi

what versions of MailScanner and postfix? Any more info if you run MailScanner in Debug mode?

--
Martin Hepworth
Oxford, UK

2009/7/15 Édnei Rodrigues

> Good morning. I have a SUSE Enterprise 10 with Postfix + MailScanner +
> SpamAssassin.
> The MailScanner is generating multiple copies of same email in folder
> /srv/quarantine/200907XX/nonspam***. Therefore, it rapidly consuming disk
> space ( 5h = 30 GB ).
> Example:
>
> *# sudo ls -la quarantine/20090714/nonspam
>
> -rw-rw---- 1 postfix www 103811 Jul 14 12:33 F3F9E217D92.627AE
> -rw-rw---- 1 postfix www 103811 Jul 14 12:38 F3F9E217D92.640CF
> -rw-rw---- 1 postfix www 103811 Jul 14 12:40 F3F9E217D92.68845
> -rw-rw---- 1 postfix www 103811 Jul 14 12:37 F3F9E217D92.6E18B
> -rw-rw---- 1 postfix www 103811 Jul 14 12:39 F3F9E217D92.7236C
> -rw-rw---- 1 postfix www 103811 Jul 14 12:35 F3F9E217D92.79385
> -rw-rw---- 1 postfix www 103811 Jul 14 12:38 F3F9E217D92.7DDE1
> -rw-rw---- 1 postfix www 103811 Jul 14 12:39 F3F9E217D92.882DC
> -rw-rw---- 1 postfix www 103811 Jul 14 12:34 F3F9E217D92.8A2AD
> -rw-rw---- 1 postfix www 103811 Jul 14 12:37 F3F9E217D92.95695
> -rw-rw---- 1 postfix www 103811 Jul 14 12:34 F3F9E217D92.B6634
> -rw-rw---- 1 postfix www 103811 Jul 14 12:33 F3F9E217D92.BA2A1
> -rw-rw---- 1 postfix www 103811 Jul 14 12:41 F3F9E217D92.BC601
> -rw-rw---- 1 postfix www 103811 Jul 14 12:39 F3F9E217D92.BC638
> -rw-rw---- 1 postfix www 103811 Jul 14 12:39 F3F9E217D92.C3E91
> -rw-rw---- 1 postfix www 103811 Jul 14 12:36 F3F9E217D92.C8961
> -rw-rw---- 1 postfix www 103811 Jul 14 12:36 F3F9E217D92.CF5EF
> -rw-rw---- 1 postfix www 103811 Jul 14 12:38 F3F9E217D92.DDB49
> -rw-rw---- 1 postfix www 103811 Jul 14 12:40 F3F9E217D92.E0665
> -rw-rw---- 1 postfix www 13708 Jul 14 11:40 F41DD2654CC.84A6C*
>
> In the example, look *F3F9E217D92* that has multiple copies ( i did a diff
> and are equal ). This happens with several e-mails entering.
> How can i solve this problem ?
>
> Thanks!
> *** XX = Every days this happens

From mike at mlrw.com Wed Jul 15 18:39:20 2009
From: mike at mlrw.com (Mike Wallace)
Date: Wed Jul 15 18:39:30 2009
Subject: Test of Mailing List
In-Reply-To: <72FC320F-4C74-4FC7-85FB-2690929A8A91@mlrw.com>
References: <5C13F1EA-E109-4A1C-AF1F-7EB04D986D48@mlrw.com> <4A09477D575C2C4B86497161427DD94C10E110F439@city-exchange07> <72FC320F-4C74-4FC7-85FB-2690929A8A91@mlrw.com>
Message-ID: <26649D08-5C57-46D0-A308-EB93A5D10F10@mlrw.com>

I'm still having problems. I've tried replying to the message Tiny text only spam (semi OT) with no luck. I tried creating a new message with the body being what I wanted to reply with. I even tried plain text or rich text format with no luck.

I see the mail leave my mail server and hit my outgoing mail server (due to my ISP only allowing outbound smtp through their server).

Here are the headers of the reply message:

Message-Id: <9B05FD83-81C7-4E4A-A4AC-A9326F992708@mlrw.com>
From: Mike Wallace To: MailScanner discussion In-Reply-To: <8096743.91247408318456.JavaMail.root@office.splatnix.net> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes X-Smtp-Server: zimbra.mlrw.com:mike@mlrw.com Content-Transfer-Encoding: 7bit Mime-Version: 1.0 (Apple Message framework v935.3) Subject: Re: Tiny text only spam (semi OT) Date: Tue, 14 Jul 2009 16:57:12 -0400 References: <8096743.91247408318456.JavaMail.root@office.splatnix.net> Here is the headers of the new message: Message-Id: From: Mike Wallace To: mailscanner@lists.mailscanner.info Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes Content-Transfer-Encoding: 7bit X-Smtp-Server: zimbra.mlrw.com:mike@mlrw.com Mime-Version: 1.0 (Apple Message framework v935.3) Subject: Re: Tiny text only spam (semi OT) Date: Wed, 15 Jul 2009 00:44:28 -0400 Anyone have any ideas? Mike On Jul 14, 2009, at 4:17 PM, Mike Wallace wrote: > Thanks, I also see it. > > I'll try replying again to the messages I had some info for. > > Mike > > On Jul 14, 2009, at 4:08 PM, Kevin Miller wrote: > >> It's showing up fine. >> >> ...Kevin >> -- >> Kevin Miller Registered Linux User No: 307357 >> CBJ MIS Dept. Network Systems Admin., Mail Admin. >> 155 South Seward Street ph: (907) 586-0242 >> Juneau, Alaska 99801 fax: (907 586-4500 >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info >> ] On Behalf Of Mike Wallace >> Sent: Tuesday, July 14, 2009 11:53 AM >> To: mailscanner@lists.mailscanner.info >> Subject: Test of Mailing List >> >> I am subscribed to this mailing list but whenever I replied to a >> message it never shows up. >> >> So I am running this test to see if this shows up. >> >> Thanks for your understanding. >> >> Mike >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> >> >> This message has been scanned for viruses and dangerous content by >> MailScanner, and is believed to be clean. >> > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > This message has been scanned for viruses and dangerous content by > MailScanner, and is believed to be clean. > From alex at rtpty.com Wed Jul 15 18:48:12 2009 
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Wed Jul 15 18:48:24 2009
Subject: Re: No programs allowed and the character é at the beginning of a mail
In-Reply-To: <4A5DC4E8.6050207@ibcp.fr>
References: <4A5DC4E8.6050207@ibcp.fr>
Message-ID:

You need to look for information on the "magic file" or the "file utility" in this mailing list. This kind of false positive behaviour happens with some text files being confused as quicktime movies.

Perhaps someone else from the list remembers what to change when this happens?

On Jul 15, 2009, at 7:00 AM, Alexis Michon wrote:

> Hello,
>
> I am new to this mailing list, so if the question have been asked send
> me to the reference, we have a mailscanner installation that work fine
> from one year and half.
>
> We encountered a problem since two week : each time we send a mail with
> the message : "équipe .... ", mailscanner answer with :
>
> MailScanner: No programs allowed (msg-9484-14.txt)
>
> After several tests, the problem is caused by the "é" at the very
> beginning of the mail.
> We don't allow sending programs by mail but we don't want to block
> these
> kind of messages. I have no idea of what to do. How can i proceed,
> please ?
>
> Mailscanner version : 4.77
>
> Thank you in advance.
> Alexis
>
> --
> Alexis MICHON CNRS, France
> IBCP, Institut de Biologie et Chimie des Proteines
> Mail : alexis.michon@ibcp.fr
> Tel : 04.72.72.26.46
> Fingerprint : 8FDA 1594 2C18 EEDA 681E 8A6D 56EF F0A0 6F06 892A

--
Alex Neuman van der Hans
Reliant Technologies
+507 6781-9505
+507 202-1525
alex@rtpty.com
Skype: alexneuman

From alex at rtpty.com Wed Jul 15 18:48:55 2009
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Wed Jul 15 18:49:12 2009
Subject: Mailscanner replicating email in folder quarantine/nonspam
In-Reply-To:
References:
Message-ID: <55785284-518D-415A-9771-7BCBF7988F92@rtpty.com>

What versions?

On Jul 15, 2009, at 9:10 AM, Édnei Rodrigues wrote:

> Good morning. I have a SUSE Enterprise 10 with Postfix + MailScanner
> + SpamAssassin.

--
Alex Neuman van der Hans
Reliant Technologies
+507 6781-9505
+507 202-1525
alex@rtpty.com
Skype: alexneuman

From alex at rtpty.com Wed Jul 15 18:50:32 2009
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Wed Jul 15 18:50:44 2009
Subject: Test of Mailing List
In-Reply-To: <26649D08-5C57-46D0-A308-EB93A5D10F10@mlrw.com>
References: <5C13F1EA-E109-4A1C-AF1F-7EB04D986D48@mlrw.com> <4A09477D575C2C4B86497161427DD94C10E110F439@city-exchange07> <72FC320F-4C74-4FC7-85FB-2690929A8A91@mlrw.com> <26649D08-5C57-46D0-A308-EB93A5D10F10@mlrw.com>
Message-ID:

You know who to call...
Perhaps you'd like to use a separate account (GMail, for example) for the list? Since GMail uses port 587 or 465, it shouldn't be blocked by your ISP.

On Jul 15, 2009, at 12:39 PM, Mike Wallace wrote:

> (due to my ISP only allowing outbound smtp through their server).

--
Alex Neuman van der Hans
Reliant Technologies
+507 6781-9505
+507 202-1525
alex@rtpty.com
Skype: alexneuman

From ka at pacific.net Wed Jul 15 19:04:19 2009
From: ka at pacific.net (Ken A.)
Date: Wed Jul 15 19:04:47 2009
Subject: Sender Address Verification
In-Reply-To: <1247615079.16092.1.camel@baddis-laptop>
References: <013d01ca03c2$a8706f40$f9514dc0$@ie> <3D9C92F3075F5144B46AA2C590F48E2ABCB122@commssrv01.computerservicecentre.com> <1247546812.24461.44.camel@baddis-laptop> <4A5CEDF9.8020801@pacific.net> <1247615079.16092.1.camel@baddis-laptop>
Message-ID: <4A5E1A23.10202@pacific.net>

On 07/14/2009 04:44 PM, Brent Addis wrote:
>
> -----Original Message-----
From: Ken A. Reply-to: > MailScanner discussion To: > MailScanner discussion Subject: > Re: Sender Address Verification Date: Tue, 14 Jul 2009 13:43:37 > -0700 > > > On 07/13/2009 09:46 PM, Brent Addis wrote: >> wow. small text. My eyyyes... >> >> Wouldn't enabling SPF on hosted domains help with this? >> >> That way, sender verification is only checking on email sent from >> your own valid mailservers anyway, saving your precious cpu load. >> We were getting several thousand sender lookups a day from various >> sources. We enabled spf with the -all (It had been ~all while we >> were testng) flag, and that dropped down to a couple of hundred, >> generally to valid addresses, which I have no problem with. > > You didn't mention how do you distinguish callbacks from spam > probes, dictionary attacks, or backscatter. > >> I don't distinguish, I was just looking at them as a whole, and >> noticed a signifigant drop off > > I suppose callbacks might be reduced, if recipient domains configure > so that spf hard fail rejects mail immediately, or skips sender > verification. smf-sav doesn't care about spf by itself though, so > this requires some proper ordering of milters, etc.. > >> There was a theory that every domain out there was supposed to have >> spf enabled by some date in 2006. This never really happened >> though. Having spf checks done first would potentially be a good >> idea? hmm...bass-akwards quoting occurring here for some reason.. you have >> when you should have >. Something funny going on in your email client? Not necessarily first, but yes, having spf checks done before more expensive tests makes sense if you are rejecting on spf hard fail at connection time. Ken > > > > >> >> >> >> >> >> -----Original Message----- 
From: >> Hostmaster Reply-to: >> MailScanner discussion To: >> MailScanner discussion Subject: >> RE: Sender Address Verification Date: Mon, 13 Jul 2009 16:35:03 >> +0100 >> >> >> >>> I recently deployed the smf-sav, which works quite well. It takes >>> a lot >> of load off mailscanner. >> >>> I recently got listed on backscatter because I have used it on >>> one of >> "their" members so it seems. >> >>> Looking on their Web Site it seems there is nothing I can do only >>> pay >> them 50 euro to get delisted, and then what happens if I do>sav >> again? >> >> >> >>> Have any of the list had this issue, with smf-sav? Is there >>> anything >> that can be done from your experience? I do not want to turn>off >> smf-sav. >> >> >> >>> Thanks to you all >> >> >> I am assuming you mean you have been listed at >> backscatterer.org... >> >> >> >> I must admit that I find something particularly distasteful about >> being on the receiving end of sender validation lookups, >> especially considering that some of our servers receive email for >> domains which they do not send email for. In my opinion, nobody >> should rely on someone else's resources (memory and CPU time) to >> work out if they should accept an email, and I guess that the >> Backscatter blacklist was built on this basis - their sender >> callout policy is here - >> http://www.backscatterer.org/?target=sendercallouts and I have to >> say that I agree with all points. >> >> >> >> I am pretty sure that this has been discussed on-list before and >> that some people have very strong feelings in both ways regarding >> callouts, so it might be worth searching the list archives for >> further info on the subject. >> >> Best Regards, >> >> Richard >> >> >> All E-Mail communications are monitored in addition to being >> content checked for malicious codes or viruses. 
The success of >> scanning products is not guaranteed, therefore the recipient(s) >> should carry out any checks that they believe to be appropriate in >> this respect. >> >> >> >> This message (including any attachments and/or related materials) >> is confidential to and is the property of Computer Service Centre, >> unless otherwise noted. If you are not the intended recipient, you >> should delete this message and are hereby notified that any >> disclosure, copying, or distribution of this message, or the taking >> of any action based on it, is strictly prohibited. >> >> >> >> Any views or opinions presented are solely those of the author and >> do not necessarily represent those of Computer Service Centre. >> >> >> > > -- Ken Anderson Pacific.Net From ednei.felipe.rodrigues at gmail.com Wed Jul 15 19:19:24 2009 
From: ednei.felipe.rodrigues at gmail.com (Édnei Rodrigues)
Date: Wed Jul 15 19:19:34 2009
Subject: Mailscanner replicating email in folder quarantine/nonspam
In-Reply-To: <55785284-518D-415A-9771-7BCBF7988F92@rtpty.com>
References: <55785284-518D-415A-9771-7BCBF7988F92@rtpty.com>
Message-ID:

Thanks for your answer!

Sorry:

MailScanner : 2.4.1, 07 September 2001

Postfix : How can i get this ?

Thanks!!

2009/7/15 Alex Neuman van der Hans

> What versions?
>
> On Jul 15, 2009, at 9:10 AM, Édnei Rodrigues wrote:
>
> Good morning. I have a SUSE Enterprise 10 with Postfix + MailScanner +
>> SpamAssassin.
>>
>
> --
> Alex Neuman van der Hans
> Reliant Technologies
> +507 6781-9505
> +507 202-1525
> alex@rtpty.com
> Skype: alexneuman

From maxsec at gmail.com Wed Jul 15 20:49:18 2009
From: maxsec at gmail.com (Martin Hepworth)
Date: Wed Jul 15 20:49:38 2009
Subject: Mailscanner replicating email in folder quarantine/nonspam
In-Reply-To:
References: <55785284-518D-415A-9771-7BCBF7988F92@rtpty.com>
Message-ID: <72cf361e0907151249w6a388480j9d287639ce00b82@mail.gmail.com>

That's really really old and not supported any more. First job will be to upgrade MailScanner to the latest stable version, then we can help.

I'm surprised that version of MailScanner supports modern Postfix versions!

--
Martin Hepworth
Oxford, UK

2009/7/15 Édnei Rodrigues

> Thanks for your answer!
>
> Sorry:
>
> MailScanner : 2.4.1, 07 September 2001
>
> Postfix : How can i get this ?
>
> Thanks!!
>
>
> 2009/7/15 Alex Neuman van der Hans
>
> What versions?
>>
>> On Jul 15, 2009, at 9:10 AM, Édnei Rodrigues wrote:
>>
>> Good morning. I have a SUSE Enterprise 10 with Postfix + MailScanner +
>>> SpamAssassin.
>>>
>>
>> --
>> Alex Neuman van der Hans
>> Reliant Technologies
>> +507 6781-9505
>> +507 202-1525
>> alex@rtpty.com
>> Skype: alexneuman

From ednei.felipe.rodrigues at gmail.com Wed Jul 15 21:30:54 2009
From: ednei.felipe.rodrigues at gmail.com (Édnei Rodrigues)
Date: Wed Jul 15 21:31:09 2009
Subject: Mailscanner replicating email in folder quarantine/nonspam
In-Reply-To: <72cf361e0907151249w6a388480j9d287639ce00b82@mail.gmail.com>
References: <55785284-518D-415A-9771-7BCBF7988F92@rtpty.com> <72cf361e0907151249w6a388480j9d287639ce00b82@mail.gmail.com>
Message-ID:

hehe, I know. I got this server recently and now I'm just correcting the problems.

Thanks for your comment.

2009/7/15 Martin Hepworth

> That's really really old and not supported any more. First job will be to
> upgrade MailScanner to the latest stable version, then we can help.
>
> I'm surprised that version of MailScanner supports modern Postfix versions!
>
> --
> Martin Hepworth
> Oxford, UK
>
> 2009/7/15 Édnei Rodrigues
>
>> Thanks for your answer!
>>
>> Sorry:
>>
>> MailScanner : 2.4.1, 07 September 2001
>>
>> Postfix : How can i get this ?
>>
>> Thanks!!
>>
>>
>> 2009/7/15 Alex Neuman van der Hans
>>
>> What versions?
>>>
>>> On Jul 15, 2009, at 9:10 AM, Édnei Rodrigues wrote:
>>>
>>> Good morning. I have a SUSE Enterprise 10 with Postfix + MailScanner +
>>>> SpamAssassin.
>>>>
>>>
>>> --
>>> Alex Neuman van der Hans
>>> Reliant Technologies
>>> +507 6781-9505
>>> +507 202-1525
>>> alex@rtpty.com
>>> Skype: alexneuman

From alex at rtpty.com Wed Jul 15 22:42:18 2009
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Wed Jul 15 22:42:38 2009
Subject: Mailscanner replicating email in folder quarantine/nonspam
In-Reply-To: <72cf361e0907151249w6a388480j9d287639ce00b82@mail.gmail.com>
References: <55785284-518D-415A-9771-7BCBF7988F92@rtpty.com> <72cf361e0907151249w6a388480j9d287639ce00b82@mail.gmail.com>
Message-ID:

It may, but it'll most probably cause swapping!

On Jul 15, 2009, at 2:49 PM, Martin Hepworth wrote:

> I'm surprised that version of MailScanner supports modern Postfix
> versions!

--
Alex Neuman van der Hans
Reliant Technologies
+507 6781-9505
+507 202-1525
alex@rtpty.com
Skype: alexneuman

From mike at mlrw.com Wed Jul 15 23:21:41 2009
From: mike at mlrw.com (Mike Wallace) Date: Wed Jul 15 23:21:56 2009 Subject: Test of Mailing List In-Reply-To: References: <5C13F1EA-E109-4A1C-AF1F-7EB04D986D48@mlrw.com> <4A09477D575C2C4B86497161427DD94C10E110F439@city-exchange07> <72FC320F-4C74-4FC7-85FB-2690929A8A91@mlrw.com> <26649D08-5C57-46D0-A308-EB93A5D10F10@mlrw.com> Message-ID: The funny thing is that I have never had problems in the past 2-3 years I have been running this configuration. I think it might be the sample URIs I was sending. So, I've changed the actual URIs to see if that is the issue. 1) !.www_domain_com 2) .www+domain+net Mike On Jul 15, 2009, at 1:50 PM, Alex Neuman van der Hans wrote: > You know who to call... > Perhaps you'd like to use a separate account (GMail, for example) > for the list? Since GMail uses port 587 or 465, it shouldn't be > blocked by your ISP. > > On Jul 15, 2009, at 12:39 PM, Mike Wallace wrote: > >> (due to my ISP only allowing outbound smtp through their server). > > > > -- > Alex Neuman van der Hans > Reliant Technologies > +507 6781-9505 > +507 202-1525 > alex@rtpty.com > Skype: alexneuman > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > This message has been scanned for viruses and dangerous content by > MailScanner, and is believed to be clean. > From mike at mlrw.com Wed Jul 15 23:37:09 2009 
From: mike at mlrw.com (Mike Wallace) Date: Wed Jul 15 23:37:25 2009 Subject: {SPAM??} Re: Test of Mailing List In-Reply-To: References: <5C13F1EA-E109-4A1C-AF1F-7EB04D986D48@mlrw.com> <4A09477D575C2C4B86497161427DD94C10E110F439@city-exchange07> <72FC320F-4C74-4FC7-85FB-2690929A8A91@mlrw.com> <26649D08-5C57-46D0-A308-EB93A5D10F10@mlrw.com> Message-ID: <20626BD4-EA1D-4475-845A-91313FC38FBD@mlrw.com> Yep it was the URIs. I guess they must be doing some type of outbound spam checking. On Jul 15, 2009, at 6:21 PM, Mike Wallace wrote: > The funny thing is that I have never had problems in the past 2-3 > years I have been running this configuration. > > I think it might be the sample URIs I was sending. So, I've changed > the actual URIs to see if that is the issue. > > 1) !.www_domain_com > 2) .www+domain+net > > > Mike > > > > On Jul 15, 2009, at 1:50 PM, Alex Neuman van der Hans wrote: > >> You know who to call... >> Perhaps you'd like to use a separate account (GMail, for example) >> for the list? Since GMail uses port 587 or 465, it shouldn't be >> blocked by your ISP. >> >> On Jul 15, 2009, at 12:39 PM, Mike Wallace wrote: >> >>> (due to my ISP only allowing outbound smtp through their server). >> >> >> >> -- >> Alex Neuman van der Hans >> Reliant Technologies >> +507 6781-9505 >> +507 202-1525 >> alex@rtpty.com >> Skype: alexneuman >> >> >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> This message has been scanned for viruses and dangerous content by >> MailScanner, and is believed to be clean. 
>> > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > This message has been scanned for viruses and dangerous content by > MailScanner, and is believed to be clean. > From ralph at bornefeld-ettmann.de Wed Jul 15 16:15:10 2009 From: ralph at bornefeld-ettmann.de (Ralph Bornefeld-Ettmann) Date: Thu Jul 16 06:55:12 2009 Subject: HTML in Mailscanner reports Message-ID: hi, is it possible to use HTML tags in reports like recipient.spam.report.txt? I tried it but it did not work. Thanks Ralph From alexis.michon at ibcp.fr Thu Jul 16 08:04:52 2009 
From: alexis.michon at ibcp.fr (Alexis Michon)
Date: Thu Jul 16 08:05:14 2009
Subject: Re: No programs allowed and the character é at the beginning of a mail
In-Reply-To:
References: <4A5DC4E8.6050207@ibcp.fr>
Message-ID: <4A5ED114.6070404@ibcp.fr>

Ok, thank you.
I found this post :
http://article.gmane.org/gmane.mail.virus.mailscanner/20385/match=magic+word

And my text file is confused with DOS executable (COM)

bash 3-0# file msg-20083-37.txt
msg-20083-37.txt: DOS executable (COM)
,
In the mail, his modification seems to be good, but does someone use it in production environment ?

Alexis

Alex Neuman van der Hans wrote:
> You need to look for information on the "magic file" or the "file
> utility" in this mailing list. This kind of false positive behaviour
> happens with some text files being confused as quicktime movies.
>
> Perhaps someone else from the list remembers what to change when this
> happens?
>
> On Jul 15, 2009, at 7:00 AM, Alexis Michon wrote:
>
>> Hello,
>>
>> I am new to this mailing list, so if the question have been asked send
>> me to the reference, we have a mailscanner installation that work fine
>> from one year and half.
>>
>> We encountered a problem since two week : each time we send a mail with
>> the message : "équipe .... ", mailscanner answer with :
>>
>> MailScanner: No programs allowed (msg-9484-14.txt)
>>
>> After several tests, the problem is caused by the "é" at the very
>> beginning of the mail.
>> We don't allow sending programs by mail but we don't want to block these
>> kind of messages. I have no idea of what to do. How can i proceed,
>> please ?
>>
>> Mailscanner version : 4.77
>>
>> Thank you in advance.
>> Alexis
>>
>> --
>> Alexis MICHON CNRS, France
>> IBCP, Institut de Biologie et Chimie des Proteines
>> Mail : alexis.michon@ibcp.fr
>> Tel : 04.72.72.26.46
>> Fingerprint : 8FDA 1594 2C18 EEDA 681E 8A6D 56EF F0A0 6F06 892A

--
Alexis MICHON CNRS, France
IBCP, Institut de Biologie et Chimie des Proteines
Mail : alexis.michon@ibcp.fr
Tel : 04.72.72.26.46
Fingerprint : 8FDA 1594 2C18 EEDA 681E 8A6D 56EF F0A0 6F06 892A

From MailScanner at ecs.soton.ac.uk Thu Jul 16 09:15:00 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jul 16 09:15:20 2009
Subject: HTML in Mailscanner reports
In-Reply-To:
References: <4A5EE184.3050103@ecs.soton.ac.uk>
Message-ID:

On 15/07/2009 16:15, Ralph Bornefeld-Ettmann wrote:
> hi,
>
> is it possible to use HTML tags in reports like
> recipient.spam.report.txt?

The ".txt" should be the give-away on that one.
If it's expecting HTML, it's called ".html".

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner

From ralph at bornefeld-ettmann.de Thu Jul 16 09:38:25 2009
From: ralph at bornefeld-ettmann.de (Ralph Bornefeld-Ettmann)
Date: Thu Jul 16 09:38:51 2009
Subject: HTML in Mailscanner reports
In-Reply-To:
References: <4A5EE184.3050103@ecs.soton.ac.uk>
Message-ID:

Julian Field wrote:
>
> On 15/07/2009 16:15, Ralph Bornefeld-Ettmann wrote:
>> hi,
>>
>> is it possible to use HTML tags in reports like
>> recipient.spam.report.txt?
> The ".txt" should be the give-away on that one.
> If it's expecting HTML, it's called ".html".
>
> Jules
>

great, thanks for this information

Ralph

From glenn.steen at gmail.com Thu Jul 16 10:18:21 2009
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Jul 16 10:18:30 2009 Subject: Mailscanner replicating email in folder quarantine/nonspam In-Reply-To: References: <55785284-518D-415A-9771-7BCBF7988F92@rtpty.com> <72cf361e0907151249w6a388480j9d287639ce00b82@mail.gmail.com> Message-ID: <223f97700907160218m70df7e9bk6b66a41edefd8d1c@mail.gmail.com> 2009/7/15 Alex Neuman van der Hans : > It may, but it'll most probably cause swapping! > With that old version (talk about pre-historic!), there's surely no need to ... It'll likely cause not only swapping, but also duplicates and even random message corruption (since that'll likely use the old dual PF/defer method, instead of the HOLD method). Cheers -- -- Glenn (on vacation) > On Jul 15, 2009, at 2:49 PM, Martin Hepworth wrote: > >> I'm surprised that version of MailScanner supports modern Postfix >> versions! > > > > -- > Alex Neuman van der Hans > Reliant Technologies > +507 6781-9505 > +507 202-1525 > alex@rtpty.com > Skype: alexneuman > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Thu Jul 16 10:25:45 2009 
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Jul 16 10:25:54 2009
Subject: Re: No programs allowed and the character é at the beginning of a mail
In-Reply-To: <4A5ED114.6070404@ibcp.fr>
References: <4A5DC4E8.6050207@ibcp.fr> <4A5ED114.6070404@ibcp.fr>
Message-ID: <223f97700907160225x61162986y39c931cc5457c62c@mail.gmail.com>

2009/7/16 Alexis Michon :
> Ok, thanks you.
> I found this post :
> http://article.gmane.org/gmane.mail.virus.mailscanner/20385/match=magic+word
>
> And my text file is confused with DOS executable (COM)
>
> bash 3-0# file msg-20083-37.txt
> msg-20083-37.txt: DOS executable (COM)
> ,
> In the mail, his modification seems to be good, but does someone use it
> in production environment ?
>
> Alexis
>

Not exactly his changes (which seem fine by me), since I simply remove the offending one-byte magics... As can be seen, any language containing letters other than pure ascii run the risk of falling afoul of those rather ... stupid... magic strings. But doing it that way will be just fine.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From ralph at bornefeld-ettmann.de Thu Jul 16 10:48:04 2009
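[Added example, not part of any list message.] The "No programs allowed" false positive discussed in the thread above can be reproduced with a small model of content-type matching. The rule table below is a simplified stand-in for the file(1) magic database, and the deny-on-"executable" policy is an assumption modelled on the report text in the thread; neither is MailScanner's or file(1)'s own code.

```python
"""Why Latin-1 text starting with 'e-acute' is typed as a DOS .COM program.

Added illustration: the rule table is a simplified stand-in, not the real
magic database shipped with file(1).
"""

# (offset, signature bytes, label). 0xE9 is the x86 near-JMP opcode that many
# .COM programs start with; in ISO-8859-1 the same byte is the letter U+00E9.
MAGIC_RULES = [
    (0, b"MZ", "DOS/Windows executable (MZ)"),
    (0, b"\x7fELF", "ELF executable"),
    (0, b"\xe9", "DOS executable (COM)"),
]

TEXT_CONTROLS = {0x09, 0x0A, 0x0D}  # tab, LF, CR


def looks_like_text(data, sample_size=512):
    """True if the sample has no control bytes other than tab/LF/CR."""
    return all(
        (b >= 0x20 and b != 0x7F) or b in TEXT_CONTROLS
        for b in data[:sample_size]
    )


def classify(data, rules=MAGIC_RULES):
    """Return the label of the first matching rule, else 'text' or 'data'."""
    for offset, signature, label in rules:
        if data[offset:offset + len(signature)] == signature:
            return label
    return "text" if looks_like_text(data) else "data"


def without_one_byte_rules(rules):
    """Drop every rule whose signature is a single byte."""
    return [rule for rule in rules if len(rule[1]) > 1]


def is_blocked(label):
    """Assumed policy: deny any attachment whose type says 'executable'."""
    return "executable" in label.lower()


def risky_first_chars(rules, charset="iso-8859-1"):
    """Printable characters that trigger a one-byte rule at offset 0."""
    chars = []
    for offset, signature, _label in rules:
        if offset == 0 and len(signature) == 1:
            char = signature.decode(charset)
            if char.isprintable():
                chars.append(char)
    return chars


# Constructed samples (not taken from the thread's messages).
SAMPLE_TEXT = "\u00e9quipe de recherche : r\u00e9union lundi\n"
LATIN1_MAIL = SAMPLE_TEXT.encode("iso-8859-1")   # first byte is 0xE9
UTF8_MAIL = SAMPLE_TEXT.encode("utf-8")          # first bytes are 0xC3 0xA9
COM_BLOB = b"\xe9\x03\x00\x00\x00\x00\xb4\x4c\xcd\x21"  # JMP + binary body
MZ_BLOB = b"MZ\x90\x00\x03\x00\x00\x00"

if __name__ == "__main__":
    trimmed = without_one_byte_rules(MAGIC_RULES)
    samples = [("latin1 mail", LATIN1_MAIL), ("utf-8 mail", UTF8_MAIL),
               ("com blob", COM_BLOB), ("mz blob", MZ_BLOB)]
    for name, blob in samples:
        before, after = classify(blob), classify(blob, trimmed)
        print(f"{name:12} stock={before!r} blocked={is_blocked(before)} "
              f"trimmed={after!r} blocked={is_blocked(after)}")
    print("first characters at risk:", risky_first_chars(MAGIC_RULES))
```

In this model, dropping the one-byte rule clears the false positive but also stops the constructed COM blob from being typed as an executable by content, so that case has to be caught by another check such as the attachment's filename extension.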
From: ralph at bornefeld-ettmann.de (Ralph Bornefeld-Ettmann) Date: Thu Jul 16 10:48:24 2009 Subject: HTML in Mailscanner reports In-Reply-To: References: <4A5EE184.3050103@ecs.soton.ac.uk> Message-ID: Julian Field wrote: > > > On 15/07/2009 16:15, Ralph Bornefeld-Ettmann wrote: >> hi, >> >> is it possible to use HTML tags in reports like >> recipient.spam.report.txt? > The ".txt" should be the give-away on that one. > If it's expecting HTML, it's called ".html". > > Jules > sorry, did not work. MailScanner 4.77.10 Postfix 2.3.3-2.1.el5_2 OS : CentOS 5.2 /etc/MailScanner/MailScanner.conf : Recipient Spam Report = %report-dir%/recipient.spam.report.html /etc/MaiScanner/reports/en/recipient.spam.report.html : For all your IT requirements visit: Transtec In the mail the HTML tags are displayed. Where's my fault? Thanks Ralph From cfisk at qwicnet.com Thu Jul 16 13:38:53 2009 
From: cfisk at qwicnet.com (Christopher Fisk) Date: Thu Jul 16 13:39:21 2009 Subject: (2nd Request) Disable scanning for a client that connectsviaSMTP-AUTH In-Reply-To: Message-ID: > on 7-2-2009 2:18 PM Mat Murdock spake the following: > > I know I'm kind of bringing this topic back from the > dead, but > > spamassasin has a rule called "ALL_TRUSTED" that > detects if the e-mail > > used smtp-auth. If so it give it negative score. It > does this by > > looking at the sendmail headers. The problem I have is > that my users > > are sending their mail from ip's that are on dns > blacklists. It would > > be nice if MailScanner was also able to read the > headers the same way > > that spamassassin does and allow the user to skip dns > blacklist checks > > for authenticated e-mails. > > > > Mat > Don't do blacklist checks in MailScanner. Either you > trust the blacklist and > you do it in the MTA, or you don't trust it, and you > score it with spamassassin. Use a custom DNSWL for those customers. Postfix: http://www.howtoforge.com/how-to-whitelist-hosts-ip-addresses-in-postfix Sendmail: http://www.njabl.org/dnswl.m4 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mike at mlrw.com Thu Jul 16 16:31:01 2009 
From: mike at mlrw.com (Mike Wallace) Date: Thu Jul 16 16:31:14 2009 Subject: Test of Mailing List In-Reply-To: References: <5C13F1EA-E109-4A1C-AF1F-7EB04D986D48@mlrw.com> <4A09477D575C2C4B86497161427DD94C10E110F439@city-exchange07> <72FC320F-4C74-4FC7-85FB-2690929A8A91@mlrw.com> <26649D08-5C57-46D0-A308-EB93A5D10F10@mlrw.com> Message-ID: <33763826-B1F5-4680-9DC3-359D49FFB0EF@mlrw.com> I've tried GMail and my ISP's web mail and still having problems posting to the message thread "Re: Tiny text only spam (semi OT)". Here is the message body that I tried to send: I found three more obfuscated URI examples that weren't caught by Bernard's rules: 1) !.www_domain_com 2) .www+domain+net 3) .www[dot]domain[dot]com I'm not a regex expert so I don't know how to modify his rules. Can anyone give me a hand? Mike What in this message body could cause the message to not show up on the mailing list? Mike On Jul 15, 2009, at 1:50 PM, Alex Neuman van der Hans wrote: > You know who to call... > Perhaps you'd like to use a separate account (GMail, for example) > for the list? Since GMail uses port 587 or 465, it shouldn't be > blocked by your ISP. > > On Jul 15, 2009, at 12:39 PM, Mike Wallace wrote: > >> (due to my ISP only allowing outbound smtp through their server). > > > > -- > Alex Neuman van der Hans > Reliant Technologies > +507 6781-9505 > +507 202-1525 > alex@rtpty.com > Skype: alexneuman > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > This message has been scanned for viruses and dangerous content by > MailScanner, and is believed to be clean. > From mark at msapiro.net Thu Jul 16 17:40:38 2009 
From: mark at msapiro.net (Mark Sapiro) Date: Thu Jul 16 17:40:49 2009 Subject: HTML in Mailscanner reports In-Reply-To: References: <4A5EE184.3050103@ecs.soton.ac.uk> Message-ID: <20090716164038.GA1868@msapiro> On Thu, Jul 16, 2009 at 11:48:04AM +0200, Ralph Bornefeld-Ettmann wrote: > Julian Field wrote: > > > > > >On 15/07/2009 16:15, Ralph Bornefeld-Ettmann wrote: > >>hi, > >> > >>is it possible to use HTML tags in reports like > >>recipient.spam.report.txt? > >The ".txt" should be the give-away on that one. > >If it's expecting HTML, it's called ".html". > > > >Jules > > > sorry, did not work. > > MailScanner 4.77.10 > Postfix 2.3.3-2.1.el5_2 > OS : CentOS 5.2 > > /etc/MailScanner/MailScanner.conf : > > Recipient Spam Report = %report-dir%/recipient.spam.report.html > > > /etc/MaiScanner/reports/en/recipient.spam.report.html : Jules was NOT saying you could cause the report to be put in a text/html part of the message simply by changing the file extension from .txt to .html. He was trying to say that the fact that the distributed report file has a .txt extension implies it will be put in a text/plain part in the message. Changing the extension won't change that. I.e., the Recipient Spam Report is sent in a text/plain message part and conformant MUAs (mail clients) won't interpret html tags. -- Mark Sapiro mark at msapiro net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From mark at msapiro.net Thu Jul 16 17:50:25 2009 
From: mark at msapiro.net (Mark Sapiro) Date: Thu Jul 16 17:50:35 2009 Subject: HTML in Mailscanner reports In-Reply-To: References: <4A5EE184.3050103@ecs.soton.ac.uk> Message-ID: <20090716165025.GA1608@msapiro> On Thu, Jul 16, 2009 at 11:48:04AM +0200, Ralph Bornefeld-Ettmann wrote: > Julian Field schrieb: > > > > > >On 15/07/2009 16:15, Ralph Bornefeld-Ettmann wrote: > >>hi, > >> > >>is it possible to use HTML tags in reports like > >>recipient.spam.report.txt? > >The ".txt" should be the give-away on that one. > >If it's expecting HTML, it's called ".html". > > > >Jules > > > sorry, did not work. > > MailScanner 4.77.10 > Postfix 2.3.3-2.1.el5_2 > OS : CentOS 5.2 > > /etc/MailScanner/MailScanner.conf : > > Recipient Spam Report = %report-dir%/recipient.spam.report.html Jules was not saying you could cause the Recipient Spam Report to be put in a text/html message part simply by changing the file extension to .html. He was only saying that the fact that the distributed file has a .txt extension implies that the report will be put in a text/plain message part. Changing the file extension won't change that. -- Mark Sapiro mark at msapiro net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From serejk at febras.net Fri Jul 17 00:07:28 2009 
From: serejk at febras.net (serejk@febras.net)
Date: Fri Jul 17 00:06:28 2009
Subject: Problem with permissions
Message-ID: <2445950a01df8c16dd4bc9b230e9c757@127.0.0.1>

Hi!
I'm having a problem with MailScanner installation. My environment:
- FreeBSD 7.2-RELEASE
- postfix-2.6.2_1,1
- clamav-0.95.2
- p5-Mail-SpamAssassin-3.2.5_4
- perl 5.8.9
- MailScanner-4.75.11

During installation I tuned the configuration files as described in
http://www.mailscanner.info/postfix.html
But on starting MailScanner I got the following logs in /var/log/maillog:

%date% %hostname% MailScanner[35039]: Could not use Custom Function code /usr/local/lib/MailScanner/MailScanner/CustomFunctions/LastSpam.pm, it could not be "require"d. Make sure the last line is "1;" and the module is correct with perl -wc (Error: Insecure dependency in require while running with -T switch at /usr/local/lib/MailScanner/MailScanner/Config.pm line 623.
%date% %hostname% MailScanner[35039]: )
%date% %hostname% MailScanner[35039]: Could not use Custom Function code /usr/local/lib/MailScanner/MailScanner/CustomFunctions/GenericSpamScanner.pm, it could not be "require"d. Make sure the last line is "1;" and the module is correct with perl -wc (Error: Insecure dependency in require while running with -T switch at /usr/local/lib/MailScanner/MailScanner/Config.pm line 623.
%date% %hostname% MailScanner[35039]: )
%date% %hostname% MailScanner[35039]: Could not use Custom Function code /usr/local/lib/MailScanner/MailScanner/CustomFunctions/CustomAction.pm, it could not be "require"d. Make sure the last line is "1;" and the module is correct with perl -wc (Error: Insecure dependency in require while running with -T switch at /usr/local/lib/MailScanner/MailScanner/Config.pm line 623.

.... and the same for all files in the /usr/local/lib/MailScanner/MailScanner/CustomFunctions/ directory.

Searching through Google, I have found an answer: if a perl script starts with a different real and effective user (root and postfix in my case), perl enables taint mode automatically. Hmm.. I have set the options "Run As User" and "Run As Group" to root - this made MailScanner start without any errors in the log. But when MailScanner returns a checked letter to the postfix incoming directory with root uid, postfix/qmgr cannot work with it because of "Permission denied". After all, starting MailScanner with root privileges is not a good idea, I think.

Any advice? What have I done wrong?

P.S. Starting perl with the -U key produces more ugly messages in the log. I think it's the wrong idea.

From drew.marshall at trunknetworks.com Fri Jul 17 08:43:45 2009 
From: drew.marshall at trunknetworks.com (Drew Marshall) Date: Fri Jul 17 08:44:01 2009 Subject: Problem with permissions In-Reply-To: <2445950a01df8c16dd4bc9b230e9c757@127.0.0.1> References: <2445950a01df8c16dd4bc9b230e9c757@127.0.0.1> Message-ID: <522768C5-FE23-4087-9B83-BE560F5750A5@trunknetworks.com> On 17 Jul 2009, at 00:07, wrote: > Hi! > I`m having a problem with MailScanner installation. My environment: > - FreeBSD 7.2-RELEASE > - postfix-2.6.2_1,1 > - clamav-0.95.2 > - p5-Mail-SpamAssassin-3.2.5_4 > - perl 5.8.9 > - MailScanner-4.75.11 > > During installation I have tunning configuration files as it > described in > http://www.mailscanner.info/postfix.html > But starting the MailScanner I have got following logs in > /var/log/maillog: > > %date% %hostname% MailScanner[35039]: Could not use Custom Function > code > /usr/local/lib/MailScanner/MailScanner/CustomFunctions/LastSpam.pm, it > could not be "require"d. Make sure the last line is "1;" and the > module is > correct with perl -wc (Error: Insecure dependency in require while > running > with -T switch at /usr/local/lib/MailScanner/MailScanner/Config.pm > line > 623. > %date% %hostname% MailScanner[35039]: ) > %date% %hostname% MailScanner[35039]: Could not use Custom Function > code > /usr/local/lib/MailScanner/MailScanner/CustomFunctions/ > GenericSpamScanner.pm, > it could not be "require"d. Make sure the last line is "1;" and the > module > is correct with perl -wc (Error: Insecure dependency in require while > running with -T switch at /usr/local/lib/MailScanner/MailScanner/ > Config.pm > line 623. > %date% %hostname% MailScanner[35039]: ) > %date% %hostname% MailScanner[35039]: Could not use Custom Function > code > /usr/local/lib/MailScanner/MailScanner/CustomFunctions/ > CustomAction.pm, it > could not be "require"d. 
Make sure the last line is "1;" and the > module is > correct with perl -wc (Error: Insecure dependency in require while > running > with -T switch at /usr/local/lib/MailScanner/MailScanner/Config.pm > line > 623. > > > .... and the same for all files in > /usr/local/lib/MailScanner/MailScanner/CustomFunctions/ directory. > Searching through Google, I have found an answer: > if perl script starts with different real and effective user (root and > postfix in my case), perl enables taint mode automatically. Hmm.. I > have > set options "Run As User" and "Run As Group" to root - this made > MailScanner to start without any errors in log. But when Mailscanner > returns checked letter in postfix incoming directory with root uid, > postfix/qmgr cannot work with it because of "Permission denied". > Afterall, > starting MailScanner with root privileges is not good idea, I think. > > Any advices? What I have do wrong? > > P.S. Starting perl with -U key provides more ugly messages in log. I > think > its wrong idea. What does mailscanner --lint give you? Drew -- In line with our policy, this message has been scanned for viruses and dangerous content. Our email policy can be found at www.trunknetworks.com/policy Trunk Networks Limited is registered in Scotland with registration number: SC351063 Registered Office 55-57 West High Street Inverurie AB51 3QQ From hafiz at variegate.biz Fri Jul 17 09:02:27 2009 
From: hafiz at variegate.biz (Mohd Hafiz Ramly) Date: Fri Jul 17 09:02:48 2009 Subject: MailScanner stop logging to MySQL upon nmap scans Message-ID: <4A603013.2000702@variegate.biz> An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090717/4d9e1dd5/attachment.html -------------- next part -------------- A non-text attachment was scrubbed... Name: bronze-SHADOW.png Type: image/png Size: 2874 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090717/4d9e1dd5/bronze-SHADOW.png From alex at rtpty.com Fri Jul 17 09:22:22 2009 From: alex at rtpty.com (Alex Neuman) Date: Fri Jul 17 09:22:31 2009 Subject: MailScanner stop logging to MySQL upon nmap scans In-Reply-To: <4A603013.2000702@variegate.biz> References: <4A603013.2000702@variegate.biz> Message-ID: <24e3d2e40907170122v51616104j6368f1e1037f5e19@mail.gmail.com> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: image/png Size: 2874 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090717/2e44ff79/attachment.png From ralph at bornefeld-ettmann.de Fri Jul 17 10:47:02 2009 
From: ralph at bornefeld-ettmann.de (Ralph Bornefeld-Ettmann) Date: Fri Jul 17 10:47:24 2009 Subject: HTML in Mailscanner reports In-Reply-To: <20090716164038.GA1868@msapiro> References: <4A5EE184.3050103@ecs.soton.ac.uk> <20090716164038.GA1868@msapiro> Message-ID: Mark Sapiro schrieb: > On Thu, Jul 16, 2009 at 11:48:04AM +0200, Ralph Bornefeld-Ettmann wrote: >> Julian Field schrieb: >>> >>> On 15/07/2009 16:15, Ralph Bornefeld-Ettmann wrote: >>>> hi, >>>> >>>> is it possible to use HTML tags in reports like >>>> recipient.spam.report.txt? >>> The ".txt" should be the give-away on that one. >>> If it's expecting HTML, it's called ".html". >>> >>> Jules >>> >> sorry, did not work. >> >> MailScanner 4.77.10 >> Postfix 2.3.3-2.1.el5_2 >> OS : CentOS 5.2 >> >> /etc/MailScanner/MailScanner.conf : >> >> Recipient Spam Report = %report-dir%/recipient.spam.report.html >> >> >> /etc/MaiScanner/reports/en/recipient.spam.report.html : > > > Jules was NOT saying wou could cause the report to be put in a > text/html part of the message simply by changing the file extension > from .txt to .html. He was trying to say that the fact that the > distributed report file has a .txt extension implies it will be put > in a text/plain part in the message. Changing the extension won't > change that. > > I.e., the Recipient Spam Report is sent in a text/plain message > part and conformant MUAs (mail clients) won't interpret html tags. > ah, thanks for this clarification From maxsec at gmail.com Fri Jul 17 12:33:09 2009 
From: maxsec at gmail.com (Martin Hepworth) Date: Fri Jul 17 12:33:18 2009 Subject: Problem with permissions In-Reply-To: <2445950a01df8c16dd4bc9b230e9c757@127.0.0.1> References: <2445950a01df8c16dd4bc9b230e9c757@127.0.0.1> Message-ID: <72cf361e0907170433i76276a17ka8931e200fea7f5@mail.gmail.com> Hi this is a known issue with perl 5.8.9 on quite a few platforms. Go back to perl 5.8.8 and this will solve the problem -- Martin Hepworth Oxford, UK 2009/7/17 > Hi! > I`m having a problem with MailScanner installation. My environment: > - FreeBSD 7.2-RELEASE > - postfix-2.6.2_1,1 > - clamav-0.95.2 > - p5-Mail-SpamAssassin-3.2.5_4 > - perl 5.8.9 > - MailScanner-4.75.11 > > During installation I have tunning configuration files as it described in > http://www.mailscanner.info/postfix.html > But starting the MailScanner I have got following logs in > /var/log/maillog: > > %date% %hostname% MailScanner[35039]: Could not use Custom Function code > /usr/local/lib/MailScanner/MailScanner/CustomFunctions/LastSpam.pm, it > could not be "require"d. Make sure the last line is "1;" and the module is > correct with perl -wc (Error: Insecure dependency in require while running > with -T switch at /usr/local/lib/MailScanner/MailScanner/Config.pm line > 623. > %date% %hostname% MailScanner[35039]: ) > %date% %hostname% MailScanner[35039]: Could not use Custom Function code > > /usr/local/lib/MailScanner/MailScanner/CustomFunctions/GenericSpamScanner.pm, > it could not be "require"d. Make sure the last line is "1;" and the module > is correct with perl -wc (Error: Insecure dependency in require while > running with -T switch at /usr/local/lib/MailScanner/MailScanner/Config.pm > line 623. > %date% %hostname% MailScanner[35039]: ) > %date% %hostname% MailScanner[35039]: Could not use Custom Function code > /usr/local/lib/MailScanner/MailScanner/CustomFunctions/CustomAction.pm, it > could not be "require"d. 
Make sure the last line is "1;" and the module is > correct with perl -wc (Error: Insecure dependency in require while running > with -T switch at /usr/local/lib/MailScanner/MailScanner/Config.pm line > 623. > > > .... and the same for all files in > /usr/local/lib/MailScanner/MailScanner/CustomFunctions/ directory. > Searching through Google, I have found an answer: > if perl script starts with different real and effective user (root and > postfix in my case), perl enables taint mode automatically. Hmm.. I have > set options "Run As User" and "Run As Group" to root - this made > MailScanner to start without any errors in log. But when Mailscanner > returns checked letter in postfix incoming directory with root uid, > postfix/qmgr cannot work with it because of "Permission denied". Afterall, > starting MailScanner with root privileges is not good idea, I think. > > Any advices? What I have do wrong? > > P.S. Starting perl with -U key provides more ugly messages in log. I think > its wrong idea. > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090717/7316b954/attachment.html From lists at elasticmind.net Fri Jul 17 12:50:31 2009 
From: lists at elasticmind.net (mog) Date: Fri Jul 17 12:50:59 2009 Subject: Problem with permissions In-Reply-To: <72cf361e0907170433i76276a17ka8931e200fea7f5@mail.gmail.com> References: <2445950a01df8c16dd4bc9b230e9c757@127.0.0.1> <72cf361e0907170433i76276a17ka8931e200fea7f5@mail.gmail.com> Message-ID: <4A606587.3030904@elasticmind.net> Hi, Downgrading ports is a real pain. A better solution is to upgrade your perl port to version 5.10.x or whatever it is now. A suitable upgrade procedure is documented in /usr/ports/UPDATING. Regards, mog Martin Hepworth wrote: > Hi > > this is a know issue with perkl 5.8.9 on quite a platforms. > > Go back to perl 5.8.8 and this will solve the problem > > -- > Martin Hepworth > Oxford, UK > > 2009/7/17 > > > Hi! > I`m having a problem with MailScanner installation. My environment: > - FreeBSD 7.2-RELEASE > - postfix-2.6.2_1,1 > - clamav-0.95.2 > - p5-Mail-SpamAssassin-3.2.5_4 > - perl 5.8.9 > - MailScanner-4.75.11 > > During installation I have tunning configuration files as it > described in > http://www.mailscanner.info/postfix.html > But starting the MailScanner I have got following logs in > /var/log/maillog: > > %date% %hostname% MailScanner[35039]: Could not use Custom > Function code > /usr/local/lib/MailScanner/MailScanner/CustomFunctions/LastSpam.pm, it > could not be "require"d. Make sure the last line is "1;" and the > module is > correct with perl -wc (Error: Insecure dependency in require while > running > with -T switch at /usr/local/lib/MailScanner/MailScanner/Config.pm > line > 623. > %date% %hostname% MailScanner[35039]: ) > %date% %hostname% MailScanner[35039]: Could not use Custom > Function code > /usr/local/lib/MailScanner/MailScanner/CustomFunctions/GenericSpamScanner.pm, > it could not be "require"d. 
Make sure the last line is "1;" and > the module > is correct with perl -wc (Error: Insecure dependency in require while > running with -T switch at > /usr/local/lib/MailScanner/MailScanner/Config.pm > line 623. > %date% %hostname% MailScanner[35039]: ) > %date% %hostname% MailScanner[35039]: Could not use Custom > Function code > /usr/local/lib/MailScanner/MailScanner/CustomFunctions/CustomAction.pm, > it > could not be "require"d. Make sure the last line is "1;" and the > module is > correct with perl -wc (Error: Insecure dependency in require while > running > with -T switch at /usr/local/lib/MailScanner/MailScanner/Config.pm > line > 623. > > > .... and the same for all files in > /usr/local/lib/MailScanner/MailScanner/CustomFunctions/ directory. > Searching through Google, I have found an answer: > if perl script starts with different real and effective user (root and > postfix in my case), perl enables taint mode automatically. Hmm.. > I have > set options "Run As User" and "Run As Group" to root - this made > MailScanner to start without any errors in log. But when Mailscanner > returns checked letter in postfix incoming directory with root uid, > postfix/qmgr cannot work with it because of "Permission denied". > Afterall, > starting MailScanner with root privileges is not good idea, I think. > > Any advices? What I have do wrong? > > P.S. Starting perl with -U key provides more ugly messages in log. > I think > its wrong idea. > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > From serejk at febras.net Fri Jul 17 12:52:59 2009 
From: serejk at febras.net (serejk@febras.net) Date: Fri Jul 17 12:51:49 2009 Subject: Problem with permissions In-Reply-To: <72cf361e0907170433i76276a17ka8931e200fea7f5@mail.gmail.com> References: <2445950a01df8c16dd4bc9b230e9c757@127.0.0.1> <72cf361e0907170433i76276a17ka8931e200fea7f5@mail.gmail.com> Message-ID: Thank you for your advice. Now I`m trying to update to perl 5.10. :) On Fri, 17 Jul 2009 12:33:09 +0100, Martin Hepworth wrote: Hi this is a know issue with perkl 5.8.9 on quite a platforms. Go back to perl 5.8.8 and this will solve the problem -- Martin Hepworth Oxford, UK 2009/7/17 Hi! I`m having a problem with MailScanner installation. My environment: - FreeBSD 7.2-RELEASE - postfix-2.6.2_1,1 - clamav-0.95.2 - p5-Mail-SpamAssassin-3.2.5_4 - perl 5.8.9 - MailScanner-4.75.11 During installation I have tunning configuration files as it described in http://www.mailscanner.info/postfix.html [2] But starting the MailScanner I have got following logs in /var/log/maillog: %date% %hostname% MailScanner[35039]: Could not use Custom Function code /usr/local/lib/MailScanner/MailScanner/CustomFunctions/LastSpam.pm, it could not be "require"d. Make sure the last line is "1;" and the module is correct with perl -wc (Error: Insecure dependency in require while running with -T switch at /usr/local/lib/MailScanner/MailScanner/Config.pm line 623. %date% %hostname% MailScanner[35039]: ) %date% %hostname% MailScanner[35039]: Could not use Custom Function code /usr/local/lib/MailScanner/MailScanner/CustomFunctions/GenericSpamScanner.pm, it could not be "require"d. Make sure the last line is "1;" and the module is correct with perl -wc (Error: Insecure dependency in require while running with -T switch at /usr/local/lib/MailScanner/MailScanner/Config.pm line 623. %date% %hostname% MailScanner[35039]: ) %date% %hostname% MailScanner[35039]: Could not use Custom Function code /usr/local/lib/MailScanner/MailScanner/CustomFunctions/CustomAction.pm, it could not be "require"d. 
Make sure the last line is "1;" and the module is correct with perl -wc (Error: Insecure dependency in require while running with -T switch at /usr/local/lib/MailScanner/MailScanner/Config.pm line 623. .... and the same for all files in /usr/local/lib/MailScanner/MailScanner/CustomFunctions/ directory. Searching through Google, I have found an answer: if perl script starts with different real and effective user (root and postfix in my case), perl enables taint mode automatically. Hmm.. I have set options "Run As User" and "Run As Group" to root - this made MailScanner to start without any errors in log. But when Mailscanner returns checked letter in postfix incoming directory with root uid, postfix/qmgr cannot work with it because of "Permission denied". Afterall, starting MailScanner with root privileges is not good idea, I think. Any advices? What I have do wrong? P.S. Starting perl with -U key provides more ugly messages in log. I think its wrong idea. -- MailScanner mailing list mailscanner@lists.mailscanner.info [3] http://lists.mailscanner.info/mailman/listinfo/mailscanner [4] Before posting, read http://wiki.mailscanner.info/posting [5] Support MailScanner development - buy the book off the website! Links: ------ [1] mailto:serejk@febras.net [2] http://www.mailscanner.info/postfix.html [3] mailto:mailscanner@lists.mailscanner.info [4] http://lists.mailscanner.info/mailman/listinfo/mailscanner [5] http://wiki.mailscanner.info/posting -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090717/15805b0c/attachment.html From Johan at double-l.nl Fri Jul 17 13:09:40 2009 
From: Johan at double-l.nl (Johan Hendriks)
Date: Fri Jul 17 13:09:49 2009
Subject: Problem with permissions
References: <2445950a01df8c16dd4bc9b230e9c757@127.0.0.1><72cf361e0907170433i76276a17ka8931e200fea7f5@mail.gmail.com>
Message-ID: <57200BF94E69E54880C9BB1AF714BBCB5DEA6D@w2003s01.double-l.local>

> Thank you for your advice. Now I'm trying to update to perl 5.10. :)

If you follow the directions in /usr/ports/UPDATING all goes well.
I have done a couple of mailscanner machines and perl 5.10 works well.

To make things simple:

20090328:
  AFFECTS: users of lang/perl*
  AUTHOR: skv@FreeBSD.org

  lang/perl5.10 is out. If you want to switch to it from, for example
  lang/perl5.8, that is:

  Portupgrade users:
    0) Fix pkgdb.db (for safety):
        pkgdb -Ff

    1) Reinstall perl with new 5.10:
        portupgrade -o lang/perl5.10 -f perl-5.8.\*

    2) Reinstall everything that depends on Perl:
        portupgrade -fr perl

  Portmaster users:
        portmaster -o lang/perl5.10 lang/perl5.8
        portmaster -r perl-

  Note: If the "perl-" glob matches more than one port you will need to
        specify the name of the perl directory in /var/db/pkg explicitly.

The process will consume some time, so make some really nice coffee and relax when the system rebuilds all the perl ports ;-)

From serejk at febras.net Fri Jul 17 13:16:46 2009 
From: serejk at febras.net (serejk@febras.net) Date: Fri Jul 17 13:15:34 2009 Subject: Problem with permissions In-Reply-To: <57200BF94E69E54880C9BB1AF714BBCB5DEA6D@w2003s01.double-l.local> References: <2445950a01df8c16dd4bc9b230e9c757@127.0.0.1><72cf361e0907170433i76276a17ka8931e200fea7f5@mail.gmail.com> <57200BF94E69E54880C9BB1AF714BBCB5DEA6D@w2003s01.double-l.local> Message-ID: Thank you so much :) Unfortunatly, I have seen notice about /usr/ports/UPDATING tutorial too late and have upgrade it manually. I hope, all will work good :) On Fri, 17 Jul 2009 14:09:40 +0200, "Johan Hendriks" wrote: >Thank you for your advice. Now I`m trying to update to perl 5.10. :) If you follow the directions in /usr/ports/UPDATING all goes well. I have doen a couple of mailscannner machines and perl 5.10 works well. To make things simpel 20090328: AFFECTS: users of lang/perl* AUTHOR: skv@FreeBSD.org [1] lang/perl5.10 is out. If you want to switch to it from, for example lang/perl5.8, that is: Portupgrade users: 0) Fix pkgdb.db (for safety): pkgdb -Ff 1) Reinstall perl with new 5.10: portupgrade -o lang/perl5.10 -f perl-5.8.* 2) Reinstall everything that depends on Perl: portupgrade -fr perl Portmaster users: portmaster -o lang/perl5.10 lang/perl5.8 portmaster -r perl- Note: If the "perl-" glob matches more than one port you will need to specify the name of the perl directory in /var/db/pkg explicitly. The process will consume some time, so make some really nice coffee and relax when the system rebuilds all the perl ports ;-) Links: ------ [1] mailto:skv@FreeBSD.org -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090717/01d29c70/attachment.html From Johan at double-l.nl Fri Jul 17 13:22:46 2009 
From: Johan at double-l.nl (Johan Hendriks) Date: Fri Jul 17 13:22:55 2009 Subject: Problem with permissions References: <2445950a01df8c16dd4bc9b230e9c757@127.0.0.1><72cf361e0907170433i76276a17ka8931e200fea7f5@mail.gmail.com><57200BF94E69E54880C9BB1AF714BBCB5DEA6D@w2003s01.double-l.local> Message-ID: <57200BF94E69E54880C9BB1AF714BBCB5DEA6F@w2003s01.double-l.local> Well, after you have updated the perl port and removed the old perl, the important thing is to rebuild all packages that rely on perl. And that is a lot of ports on a mailscanner machine!!! This command will do so: portupgrade -fr perl > Thank you so much :) Unfortunately, I have seen notice about /usr/ports/UPDATING tutorial too late and have upgrade it manually. I hope, all will work good :) > On Fri, 17 Jul 2009 14:09:40 +0200, "Johan Hendriks" wrote: >Thank you for your advice. Now I`m trying to update to perl 5.10. :) If you follow the directions in /usr/ports/UPDATING all goes well. I have done a couple of mailscanner machines and perl 5.10 works well. To make things simple 20090328: AFFECTS: users of lang/perl* AUTHOR: skv@FreeBSD.org lang/perl5.10 is out. If you want to switch to it from, for example lang/perl5.8, that is: Portupgrade users: 0) Fix pkgdb.db (for safety): pkgdb -Ff 1) Reinstall perl with new 5.10: portupgrade -o lang/perl5.10 -f perl-5.8.\* 2) Reinstall everything that depends on Perl: portupgrade -fr perl Portmaster users: portmaster -o lang/perl5.10 lang/perl5.8 portmaster -r perl- Note: If the "perl-" glob matches more than one port you will need to specify the name of the perl directory in /var/db/pkg explicitly. The process will consume some time, so make some really nice coffee and relax when the system rebuilds all the perl ports ;-) From serejk at febras.net Fri Jul 17 13:30:32 2009 
From: serejk at febras.net (serejk@febras.net) Date: Fri Jul 17 13:29:33 2009 Subject: Problem with permissions In-Reply-To: <57200BF94E69E54880C9BB1AF714BBCB5DEA6F@w2003s01.double-l.local> References: <2445950a01df8c16dd4bc9b230e9c757@127.0.0.1><72cf361e0907170433i76276a17ka8931e200fea7f5@mail.gmail.com><57200BF94E69E54880C9BB1AF714BBCB5DEA6D@w2003s01.double-l.local> <57200BF94E69E54880C9BB1AF714BBCB5DEA6F@w2003s01.double-l.local> Message-ID: Yes, I have update all dependencies manually. Russians not stand for easy ways )). But I will remember this good command for updating dependencies for the future. :) On Fri, 17 Jul 2009 14:22:46 +0200, "Johan Hendriks" wrote: Well after you updated the perl port and removed the old perl. the important thing is to rebuild all packages that rely on perl. And that are a lot of ports on a mailscanner machine !!! This command will do so portupgrade -fr perl > Thank you so much :) Unfortunatly, I have seen notice about /usr/ports/UPDATING tutorial too late and have upgrade it manually. I hope, all will work good :) > On Fri, 17 Jul 2009 14:09:40 +0200, "Johan Hendriks" wrote: >Thank you for your advice. Now I`m trying to update to perl 5.10. :) If you follow the directions in /usr/ports/UPDATING all goes well. I have doen a couple of mailscannner machines and perl 5.10 works well. To make things simpel 20090328: AFFECTS: users of lang/perl* AUTHOR: skv@FreeBSD.org [1] lang/perl5.10 is out. If you want to switch to it from, for example lang/perl5.8, that is: Portupgrade users: 0) Fix pkgdb.db (for safety): pkgdb -Ff 1) Reinstall perl with new 5.10: portupgrade -o lang/perl5.10 -f perl-5.8.* 2) Reinstall everything that depends on Perl: portupgrade -fr perl Portmaster users: portmaster -o lang/perl5.10 lang/perl5.8 portmaster -r perl- Note: If the "perl-" glob matches more than one port you will need to specify the name of the perl directory in /var/db/pkg explicitly. 
The process will consume some time, so make some really nice coffee and relax when the system rebuilds all the perl ports ;-)

Links: [1] mailto:skv@FreeBSD.org

From brose at med.wayne.edu Fri Jul 17 17:14:02 2009
From: brose at med.wayne.edu (Rose, Bobby) Date: Fri Jul 17 17:14:24 2009 Subject: Mutiple config options in MailScanner Message-ID:

Just a check... does MailScanner currently allow you to have more than one option for such things as Is Definitely Spam or Not Spam? I was wondering if it allowed calls to more than one custom function. I suspect it doesn't but wanted to make sure before I go off and try to rewrite my customfunction for ldap black/white lists.

Thanks

Bobby Rose
Sr Systems Administrator, MSIS Network Operations
Wayne State University School of Medicine
brose@med.wayne.edu

From mark at msapiro.net Fri Jul 17 18:16:06 2009
From: mark at msapiro.net (Mark Sapiro) Date: Fri Jul 17 18:16:16 2009 Subject: Test of Mailing List In-Reply-To: <33763826-B1F5-4680-9DC3-359D49FFB0EF@mlrw.com> References: <5C13F1EA-E109-4A1C-AF1F-7EB04D986D48@mlrw.com> <4A09477D575C2C4B86497161427DD94C10E110F439@city-exchange07> <72FC320F-4C74-4FC7-85FB-2690929A8A91@mlrw.com> <26649D08-5C57-46D0-A308-EB93A5D10F10@mlrw.com> <33763826-B1F5-4680-9DC3-359D49FFB0EF@mlrw.com> Message-ID: <20090717171606.GA3880@msapiro>

On Thu, Jul 16, 2009 at 11:31:01AM -0400, Mike Wallace wrote:
> I've tried GMail and my ISP's web mail and still having problems
> posting to the message thread "Re: Tiny text only spam (semi OT)".

At this point, my guess is something in your message is causing it to be spam filtered at the receiving end (lists.mailscanner.info). Although if that's the case, I can't explain why this one got through.

> Here is the message body that I tried to send:
>
> I found three more obfuscated URI examples that weren't caught by
> Bernard's rules:
>
> 1) !.www_domain_com
> 2) .www+domain+net
> 3) .www[dot]domain[dot]com
>
> I'm not a regex expert so I don't know how to modify his rules.
>
> Can anyone give me a hand?

Here's the regexp I'm using

/\bwww(?:\[dot\]|[ \-+_.]+)\w+\.?(?:\[dot\]|[ \-+_])[ _\-+.]*[a-z]{2,4}\b/i

It gets all the above and the original ones too. It is not hard to make up 'valid' domains that this regexp will match, but in practice I haven't seen any FPs.

--
Mark Sapiro mark at msapiro net The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan

From mike at mlrw.com Fri Jul 17 18:41:46 2009
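Added example (not part of Mark Sapiro's message): a Python harness that runs the regexp quoted above over the three obfuscated forms from the thread and over a few constructed lines, and normalises each hit to a dotted host name. The constructed lines, the function names and the normalisation step are assumptions of this example; the pattern uses only syntax that Perl and Python share.

```python
import re

# Regexp from the message above, as a Python raw string with the /i flag.
OBFUSCATED_WWW = re.compile(
    r"\bwww(?:\[dot\]|[ \-+_.]+)\w+\.?(?:\[dot\]|[ \-+_])[ _\-+.]*[a-z]{2,4}\b",
    re.IGNORECASE,
)

# Separators the pattern accepts between labels; used only for normalising.
SEPARATORS = re.compile(r"(?:\[dot\]|[ \-+_.])+", re.IGNORECASE)

# The three forms reported in the thread.
THREAD_SAMPLES = [
    "!.www_domain_com",
    ".www+domain+net",
    ".www[dot]domain[dot]com",
]

# Constructed lines (not from the thread) that legitimate mail could contain.
CONSTRUCTED_LEGIT = [
    "Visit www.example.com for details",   # plain URL: dots only, no hit
    "Our shop moved to www.my-site.com",   # hyphenated host name: hit
    "see the www - world wide web",        # ordinary prose: hit
]


def find_obfuscated(text):
    """Return (matched_text, normalised_host) for every hit in text.

    Normalising collapses each separator run to a single dot, so an
    underscore or hyphen inside a label is also turned into a dot.
    """
    hits = []
    for m in OBFUSCATED_WWW.finditer(text):
        raw = m.group(0)
        hits.append((raw, SEPARATORS.sub(".", raw).lower()))
    return hits


def report(samples):
    """Map each sample line to the list of hits found in it."""
    return {line: find_obfuscated(line) for line in samples}


if __name__ == "__main__":
    for title, samples in (("thread samples", THREAD_SAMPLES),
                           ("constructed legitimate lines", CONSTRUCTED_LEGIT)):
        print(title)
        for line, hits in report(samples).items():
            print("  %-40r -> %s" % (line, hits or "no match"))
```

The hyphenated host name and the prose line are the kind of 'valid' match the message concedes, which is worth knowing before giving such a rule a high score.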
From: mike at mlrw.com (Mike Wallace) Date: Fri Jul 17 18:42:10 2009 Subject: Test of Mailing List In-Reply-To: <20090717171606.GA3880@msapiro> References: <5C13F1EA-E109-4A1C-AF1F-7EB04D986D48@mlrw.com> <4A09477D575C2C4B86497161427DD94C10E110F439@city-exchange07> <72FC320F-4C74-4FC7-85FB-2690929A8A91@mlrw.com> <26649D08-5C57-46D0-A308-EB93A5D10F10@mlrw.com> <33763826-B1F5-4680-9DC3-359D49FFB0EF@mlrw.com> <20090717171606.GA3880@msapiro> Message-ID: <8483BF24-D7BD-4584-B720-F8D72A0539EF@mlrw.com>

I know it's strange that I'm only blocked on the one message thread. Anyway, I ended up subscribing to the spamassassin mailing list and got the following rule (which has my rule name instead of the original one that was posted):

# Rule to find URI obfuscation
body __MED_OB /\bw{2,3}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})[[:alpha:]]{2,6}\d{2,6}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
body __MED_NOT_OB /\bw{2,3}\.[[:alpha:]]{2,6}\d{2,6}\.(?:com|net|org)\b/i
meta URI_OBFUSCATED (__MED_OB && ! __MED_NOT_OB)
describe URI_OBFUSCATED Obfuscated URI
score URI_OBFUSCATED 6.0

It works on every example I have found so far.

Mike

On Jul 17, 2009, at 1:16 PM, Mark Sapiro wrote:

> On Thu, Jul 16, 2009 at 11:31:01AM -0400, Mike Wallace wrote:
>> I've tried GMail and my ISP's web mail and still having problems
>> posting to the message thread "Re: Tiny text only spam (semi OT)".
>
> At this point, my guess is something in your message is causing it
> to be spam filtered at the receiving end (lists.mailscanner.info).
> Although if that's the case, I can't explain why this one got
> through.
>
>> Here is the message body that I tried to send:
>>
>> I found three more obfuscated URI examples that weren't caught by
>> Bernard's rules:
>>
>> 1) !.www_domain_com
>> 2) .www+domain+net
>> 3) .www[dot]domain[dot]com
>>
>> I'm not a regex expert so I don't know how to modify his rules.
>>
>> Can anyone give me a hand?
>
> Here's the regexp I'm using
>
> /\bwww(?:\[dot\]|[ \-+_.]+)\w+\.?(?:\[dot\]|[ \-+_])[ _\-+.]*[a-z]{2,4}\b/i
>
> It gets all the above and the original ones too. It is not hard to
> make up 'valid' domains that this regexp will match, but in practice
> I haven't seen any FPs.
>
> --
> Mark Sapiro mark at msapiro net The highway is for gamblers,
> San Francisco Bay Area, California better use your sense - B. Dylan

From simon at klunky.co.uk Fri Jul 17 22:09:55 2009
From: simon at klunky.co.uk (LOEWENTHAL Simon) Date: Fri Jul 17 22:10:08 2009 Subject: Fresh install mailscanner and postfix Message-ID: <4A60E8A3.1010009@klunky.co.uk>

Dear all,

I installed Mailscanner onto an OpenBSD box today to see how it runs with postfix clamd and spamassassin. I followed this guide to setting it up,

http://mailscanner.info/postfix.html

These messages are sent to mail.log and these did not exist until I added Mailscanner into the equation.

Jul 18 01:00:08 pf MailScanner[17186]: Virus and Content Scanning: Starting
Jul 18 01:00:17 pf postfix/qmgr[26430]: fatal: qmgr_move: update active/225DF6619 time stamps: Operation not permitted
Jul 18 01:00:18 pf postfix/master[18251]: warning: process /usr/local/libexec/postfix/qmgr pid 26430 exit status 1
Jul 18 01:00:18 pf postfix/master[18251]: warning: /usr/local/libexec/postfix/qmgr: bad command startup -- throttling
Jul 18 01:00:42 pf MailScanner[21027]: Requeue: E055E6614.C490F to CCF38661B
Jul 18 01:00:42 pf MailScanner[21027]: Uninfected: Delivered 1 messages

I suspect that a file or directory has some incorrect permissions.

Here is the postconf -n in case it's any use but I have checked all these listed directories and these exist & have the correct permission.

# postconf -n
broken_sasl_auth_clients = yes
command_directory = /usr/local/sbin
config_directory = /etc/postfix
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/postfix
debug_peer_level = 2
header_checks = regexp:/etc/postfix/header_checks
html_directory = /usr/local/share/doc/postfix/html
inet_interfaces = all
inet_protocols = all
mail_owner = _postfix
mailq_path = /usr/local/sbin/mailq
manpage_directory = /usr/local/man
mydomain = testmail.local
mynetworks = 192.168.1.0/24, 127.0.0.0/8
myorigin = $myhostname
newaliases_path = /usr/local/sbin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix/readme
relay_domains = $mydestination
sample_directory = /etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = _postdrop
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_tls_CAfile = /etc/ssl/ca.crt
smtpd_tls_cert_file = /etc/postfix/ssl/server.crt
smtpd_tls_key_file = /etc/postfix/ssl/private/server.key
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 450
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:2000
virtual_mailbox_base = /var/spool/_vmail/imap
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailboxes.cf
virtual_minimum_uid = 2000
virtual_transport = qdeliver
virtual_uid_maps = static:2000

Many thanks in advance.
Si.

From mike at mlrw.com Fri Jul 17 22:32:18 2009
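Added example (not from the thread): a Python check that reads mail_owner, setgid_group and queue_directory from `postconf -n` output and lists queue entries whose ownership does not match, which is one way to test the suspicion raised by the qmgr "Operation not permitted" line in the post above. The queue names checked, the function names and the idea that the failing file is owned by another account are assumptions of this example.

```python
import os

# Constructed sample: three lines copied from the `postconf -n` output above.
POSTCONF_SAMPLE = """\
mail_owner = _postfix
queue_directory = /var/spool/postfix
setgid_group = _postdrop
"""

# Assumption of this example: these standard Postfix queues hold files that
# the mail owner must own. Files inside maildrop belong to the submitting
# users, so for maildrop and public only the directory itself is checked.
MESSAGE_QUEUES = ("incoming", "active", "deferred", "hold")
GROUP_CHECKED = ("maildrop", "public")


def parse_postconf(text):
    """Turn `postconf -n` output into a dict of parameter -> value."""
    params = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params


def audit_queue(queue_dir, owner_uid, group_gid):
    """Return (path, problem) pairs for entries with unexpected ownership."""
    findings = []
    for sub in MESSAGE_QUEUES + GROUP_CHECKED:
        top = os.path.join(queue_dir, sub)
        if not os.path.isdir(top):
            findings.append((top, "directory missing"))
            continue
        paths = [top]
        if sub in MESSAGE_QUEUES:
            for root, dirs, files in os.walk(top):
                paths += [os.path.join(root, n) for n in dirs + files]
        for path in paths:
            try:
                uid = os.lstat(path).st_uid
            except OSError:
                continue  # entry moved on while a live queue was being read
            if uid != owner_uid:
                findings.append(
                    (path, "owner uid %d, expected %d" % (uid, owner_uid)))
        gid = os.lstat(top).st_gid
        if sub in GROUP_CHECKED and gid != group_gid:
            findings.append(
                (top, "group gid %d, expected %d" % (gid, group_gid)))
    return findings


if __name__ == "__main__":
    import grp
    import pwd
    import sys

    # Usage: postconf -n | python3 this_script.py   (run as root)
    text = POSTCONF_SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    conf = parse_postconf(text)
    try:
        uid = pwd.getpwnam(conf["mail_owner"]).pw_uid
        gid = grp.getgrnam(conf["setgid_group"]).gr_gid
    except KeyError as exc:
        sys.exit("cannot resolve account from postconf output: %s" % exc)
    for path, problem in audit_queue(conf["queue_directory"], uid, gid):
        print("%s: %s" % (path, problem))
```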
From: mike at mlrw.com (Mike Wallace) Date: Fri Jul 17 22:32:29 2009 Subject: Fresh install mailscanner and postfix In-Reply-To: <4A60E8A3.1010009@klunky.co.uk> References: <4A60E8A3.1010009@klunky.co.uk> Message-ID:

Looking at the config the only two things that stood out were mail_owner and setgid_group. Both entries started with _ as in _postfix and _postdrop. Is this correct? If so, check the ownership on /var/spool/postfix/maildrop and /var/spool/postfix/public and make sure they match the above owner and group names.

Mike

On Jul 17, 2009, at 5:09 PM, LOEWENTHAL Simon wrote:

> Dear all,
>
> I installed Mailscanner onto an OpenBSD box today to see how it runs
> with postfix clamd and spamassassin. I followed this guide to setting
> it up,
>
> http://mailscanner.info/postfix.html
>
> These messages are sent to mail.log and these did not exist until I
> added Mailscanner into the equation.
>
> Jul 18 01:00:08 pf MailScanner[17186]: Virus and Content Scanning: Starting
> Jul 18 01:00:17 pf postfix/qmgr[26430]: fatal: qmgr_move: update active/225DF6619 time stamps: Operation not permitted
> Jul 18 01:00:18 pf postfix/master[18251]: warning: process /usr/local/libexec/postfix/qmgr pid 26430 exit status 1
> Jul 18 01:00:18 pf postfix/master[18251]: warning: /usr/local/libexec/postfix/qmgr: bad command startup -- throttling
> Jul 18 01:00:42 pf MailScanner[21027]: Requeue: E055E6614.C490F to CCF38661B
> Jul 18 01:00:42 pf MailScanner[21027]: Uninfected: Delivered 1 messages
>
> I suspect that a file or directory has some incorrect permissions.
>
> Here is the postconf -n in case it's any use but I have checked all
> these listed directories and these exist & have the correct permission.
>
> # postconf -n
> broken_sasl_auth_clients = yes
> command_directory = /usr/local/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/local/libexec/postfix
> data_directory = /var/postfix
> debug_peer_level = 2
> header_checks = regexp:/etc/postfix/header_checks
> html_directory = /usr/local/share/doc/postfix/html
> inet_interfaces = all
> inet_protocols = all
> mail_owner = _postfix
> mailq_path = /usr/local/sbin/mailq
> manpage_directory = /usr/local/man
> mydomain = testmail.local
> mynetworks = 192.168.1.0/24, 127.0.0.0/8
> myorigin = $myhostname
> newaliases_path = /usr/local/sbin/newaliases
> queue_directory = /var/spool/postfix
> readme_directory = /usr/local/share/doc/postfix/readme
> relay_domains = $mydestination
> sample_directory = /etc/postfix
> sendmail_path = /usr/local/sbin/sendmail
> setgid_group = _postdrop
> smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
> smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain = $mydomain
> smtpd_tls_CAfile = /etc/ssl/ca.crt
> smtpd_tls_cert_file = /etc/postfix/ssl/server.crt
> smtpd_tls_key_file = /etc/postfix/ssl/private/server.key
> smtpd_tls_loglevel = 1
> smtpd_tls_security_level = may
> tls_random_source = dev:/dev/urandom
> unknown_local_recipient_reject_code = 450
> virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
> virtual_gid_maps = static:2000
> virtual_mailbox_base = /var/spool/_vmail/imap
> virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains.cf
> virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailboxes.cf
> virtual_minimum_uid = 2000
> virtual_transport = qdeliver
> virtual_uid_maps = static:2000
>
> Many thanks in advance.
> Si.

From uxbod at splatnix.net Sat Jul 18 10:04:22 2009
From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Sat Jul 18 10:04:35 2009 Subject: Linux Anti-Virus Scanner Message-ID: <10486941.2611247907862507.JavaMail.root@office.splatnix.net>

Hi,

I believe somebody mentioned a while ago about a product that included their own signatures plus Kaspersky ... Which scanner was that please ?

Best Regards,
--
SplatNIX IT Services :: Innovation through collaboration

From ms-list at alexb.ch Sat Jul 18 10:14:44 2009
From: ms-list at alexb.ch (Alex Broens) Date: Sat Jul 18 10:14:54 2009 Subject: Linux Anti-Virus Scanner In-Reply-To: <10486941.2611247907862507.JavaMail.root@office.splatnix.net> References: <10486941.2611247907862507.JavaMail.root@office.splatnix.net> Message-ID: <4A619284.4010901@alexb.ch>

On 7/18/2009 11:04 AM, --[ UxBoD ]-- wrote:
> Hi,
>
> I believe somebody mentioned a while ago about a product that included their own signatures plus Kaspersky ... Which scanner was that please ?
>
> Best Regards,
>

iirc, Avira is the one.

From uxbod at splatnix.net Sat Jul 18 11:37:01 2009
From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Sat Jul 18 11:37:16 2009 Subject: Linux Anti-Virus Scanner In-Reply-To: <4A619284.4010901@alexb.ch> Message-ID: <12245584.2661247913421619.JavaMail.root@office.splatnix.net>

----- "Alex Broens" wrote:
> On 7/18/2009 11:04 AM, --[ UxBoD ]-- wrote:
> > Hi,
> >
> > I believe somebody mentioned a while ago about a product that
> > included their own signatures plus Kaspersky ... Which scanner was
> > that please ?
> >
> > Best Regards,
> >
>
> iirc, Avira is the one.
> --

Thanks Alex ... If anybody is using it please provide some thoughts ? Currently debating whether to go for NOD32 or Avira.

Best Regards,
--
SplatNIX IT Services :: Innovation through collaboration

From ms-list at alexb.ch Sat Jul 18 13:11:03 2009
From: ms-list at alexb.ch (Alex Broens) Date: Sat Jul 18 13:11:18 2009 Subject: Linux Anti-Virus Scanner In-Reply-To: <12245584.2661247913421619.JavaMail.root@office.splatnix.net> References: <12245584.2661247913421619.JavaMail.root@office.splatnix.net> Message-ID: <4A61BBD7.6070706@alexb.ch>

On 7/18/2009 12:37 PM, --[ UxBoD ]-- wrote:
> ----- "Alex Broens" wrote:
>
>> On 7/18/2009 11:04 AM, --[ UxBoD ]-- wrote:
>>> Hi,
>>>
>>> I believe somebody mentioned a while ago about a product that
>>> included their own signatures plus Kaspersky ... Which scanner was
>>> that please ?
>>> Best Regards,
>>>
>> iirc, Avira is the one.
>> --
> Thanks Alex ... If anybody is using it please provide some thoughts ? Currently debating whether to go for NOD32 or Avira.

I have both on clients'/friends' Windows servers/desktop, either one or the other..

*Was* a big Nod32 fan but their detection rates go up and down too often for my liking.

Avira has been consistently good over the last +2 years.

From glenn.steen at gmail.com Sun Jul 19 21:16:14 2009
From: glenn.steen at gmail.com (Glenn Steen) Date: Sun Jul 19 21:16:22 2009 Subject: Linux Anti-Virus Scanner In-Reply-To: <4A61BBD7.6070706@alexb.ch> References: <12245584.2661247913421619.JavaMail.root@office.splatnix.net> <4A61BBD7.6070706@alexb.ch> Message-ID: <223f97700907191316v66303be4t4ec934ab8592f464@mail.gmail.com>

2009/7/18 Alex Broens :
> On 7/18/2009 12:37 PM, --[ UxBoD ]-- wrote:
>>
>> ----- "Alex Broens" wrote:
>>
>>> On 7/18/2009 11:04 AM, --[ UxBoD ]-- wrote:
>>>>
>>>> Hi,
>>>> I believe somebody mentioned a while ago about a product that
>>>> included their own signatures plus Kaspersky ... Which scanner was
>>>> that please ?
>>>>
>>>> Best Regards,
>>>
>>> iirc, Avira is the one.
>>> --
>>
>> Thanks Alex ... If anybody is using it please provide some thoughts ?
>> Currently debating whether to go for NOD32 or Avira.
>
> I have both on clients'/friends' Windows servers/desktop, either one or the
> other..
>
> *Was* a big Nod32 fan but their detection rates go up and down too often for
> my liking.
>
> Avira has been consistently good over the last +2 years.

Note that Avira had a pretty big bug a few months back, that took them a rather too long while to fix... Other than that, I've been satisfied with them for more than 4 years, mostly on relatives' wintel boxes, since I know some of them would have opted for no AV... so free-av was a better choice. For the last two months I've gone AVG for them instead.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From todd at fries.net Sun Jul 19 22:19:06 2009
From: todd at fries.net (Todd T. Fries) Date: Sun Jul 19 22:19:43 2009 Subject: text/plain aka 'Add Text of Html' ? Message-ID: <20090719211906.GD18795@fries.net>

I recently upgraded and noticed that recently MailScanner has added a new setting/feature 'Add Text Of Doc' using antiword.

Is there any merit for 'Add Text Of Html' ?

For those of us using cli/text mail readers (mutt, pine, elm, mail, etc) would it not be useful to permit a text version of the html file?

I've recently started getting more and more mail that is html only, i.e. they don't even bother or expect it is useful to add the text/plain attachment.

Separately, I know blackberry does a stupid thing when replying to email, and that is it claims the body of the message is text/plain but it is straight base64.

This is fine, but I have some people I communicate with who want to see text/plain as readable ascii by 'cat' etc.

Any thoughts?

--
Todd Fries .. todd@fries.net _____________________________________________ | \ 1.636.410.0632 (voice) | Free Daemon Consulting, LLC \ 1.405.227.9094 (voice) | http://FreeDaemonConsulting.com \ 1.866.792.3418 (FAX) | "..in support of free software solutions." \ 250797 (FWD) | \ \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ 37E7 D3EB 74D0 8D66 A68D B866 0326 204E 3F42 004A http://todd.fries.net/pgp.txt

From todd at fries.net Sun Jul 19 22:50:42 2009
From: todd at fries.net (Todd T. Fries) Date: Sun Jul 19 22:51:44 2009 Subject: dspam for MailScanner Message-ID: <20090719215042.GE18795@fries.net>

I've been using this for a few years now, and keep forgetting to contribute it back. This is my own work, I couldn't be more pleased if MailScanner took it and made the equivalent or better functionality in the default distribution. If I can polish it or whatever, please let me know, if it saves you work.

To explain how this works, I added the ability for the generic spam scanner to pass back headers to include in the messages, and fork a copy of dspamc with cmdline args (hardcoded currently to my preferences)..

So with this, one need only set up dspam, and twiddle the following knobs in MailScanner.conf:

Use SpamAssassin = no
Use Custom Spam Scanner = yes
Custom Spam Scanner Timeout = 1030
Max Custom Spam Scanner Timeouts = 100
Custom Spam Scanner Timeout History = 20
Spam Score Number Format = %5.5f

Thanks,

--- lib/MailScanner/CustomFunctions/GenericSpamScanner.pm.orig Thu Dec 7 13:12:22 2006 +++ lib/MailScanner/CustomFunctions/GenericSpamScanner.pm Thu Dec 7 13:32:50 2006 
@@ -35,66 +35,80 @@ use IPC::Open2; use FileHandle; sub GenericSpamScanner { - my($ip, $from, $to, $message) = @_; + my($Message, $message) = @_; + my($ip, $from, $to) = ($Message->{clientip}, + $Message->{from}, + $Message->{to}); - print STDERR "Generic Spam Scanner\n"; - print STDERR "====================\n"; - print STDERR "\n"; - print STDERR "IP = \"$ip\"\n"; - print STDERR "From = \"$from\"\n"; - print STDERR "To = \"" . join(", ", @$to) . "\"\n"; + #print STDERR "Generic Spam Scanner\n"; + #print STDERR "====================\n"; + #print STDERR "\n"; + #print STDERR "IP = \"$ip\"\n"; + #print STDERR "From = \"$from\"\n"; + #print STDERR "To = \"" . join(", ", @$to) . "\"\n"; #print STDERR "Message = \"" . join(", ", @$message) . "\"\n"; # To call a remote program you might want to do this: - my($fhread, $fhwrite, $pid, $score, $report); - die "Can't fork: $!" unless defined($pid = open2($fhread, $fhwrite, - '/usr/local/bin/yourprogramhere')); - $fhwrite->print("$ip\n"); - $fhwrite->print("$from\n"); + my($fhread, $fhwrite, $pid, @result, $report, $users); foreach my $address (@$to) { - $fhwrite->print("$address\n"); + $users .= "$address "; } + my $cmd = sprintf "/usr/local/bin/dspamc --client --stdout --deliver=innocent,spam --mode=tum --user %s",$users; + #print STDERR "cmd: $cmd\n"; + die "Can't fork: $!" 
unless defined($pid = open2($fhread, $fhwrite, $cmd)); $fhwrite->print(@$message); $fhwrite->flush(); $fhwrite->close(); - $score = <$fhread>; - chomp $score; - print STDERR "Read \"$score\" from your program\n\n"; + my $state = 0; + my ($score,$report); + my @headers = (); + foreach my $line (<$fhread>) { + next if ($state > 0); + chomp $line; + if ($line =~ m/^$/) { + $state++; + next; + } + if ($line =~ m/^X-DSPAM/) { + $line =~ m/^([^:]*): (.*)$/; + my ($header,$val)=($1,$2); + next if ($header eq "X-DSPAM-Processed"); + push @headers,"$header:$val"; + #printf STDERR "Storing: $header \/ $val, now %s headers\n", $#headers; + $global::MS->{mta}->AddHeader($Message, + "${header}:", $val); + #@$message = ($line,@$message); + if ($header eq "X-DSPAM-Result") { + $result=$val; + } + if ($header eq "X-DSPAM-Confidence") { + # Confidence is a percentage, so + # make it 'spam' for 1.0 - 7.0, and + # make it 'ham' for 0.0 - 0.999999 + if ($result eq "Spam") { + $score= 6.0*$val+1.0; + } else { + $score = 1.0-$val; + } + #print STDERR "Score! $score\n"; + } + if ($header eq "X-DSPAM-Improbability") { + $report=$val; + #print STDERR "Report! 
$report\n"; + } + } + next; + } + + #print STDERR "Read \"$score\" from your program\n"; $score = $score+0.0; - $report = <$fhread>; - chomp $report; - print STDERR "Read \"$report\" from your program\n\n"; + #print STDERR "Read \"$report\" from your program\n"; + #printf STDERR "Read %d headers from your program\n",$#headers; - return ($score, $report); + return ($score, $report, @headers); # return (0.0, 'No report'); } 1; - -__DATA__ - -#------------------------------------------------------------ -# -# C source code of a skeleton yourprogramhere program -# -#------------------------------------------------------------ - -#include -#include - -char buffer[256]; - -int main(void) { - char *result; - - result = fgets(buffer, 256, stdin); - while(result!=NULL) { - result = fgets(buffer, 256, stdin); - } - - printf("55\n"); - printf("This is a report\n"); -} - --- lib/MailScanner/GenericSpam.pm.orig Thu Dec 7 13:12:22 2006 +++ lib/MailScanner/GenericSpam.pm Thu Dec 7 13:33:07 2006 @@ -101,19 +101,19 @@ sub Checks { push(@WholeMessage, "\n"); $message->{store}->ReadBody(\@WholeMessage, $maxsize); - my($GenericSpamResult, $GenericSpamReport); + my($GenericSpamResult, $GenericSpamReport, @GenericSpamHeaders); $GenericSpamResult = 0; $GenericSpamReport = ""; - ($GenericSpamResult, $GenericSpamReport) = + ($GenericSpamResult, $GenericSpamReport, @GenericSpamHeaders) = GSForkAndTest($message, \@WholeMessage); - return ($GenericSpamResult, $GenericSpamReport); + return ($GenericSpamResult, $GenericSpamReport, @GenericSpamHeaders); } # Run the generic spam scanner, and capture the 2 lines of output sub GSForkAndTest { my($Message, $Contents) = @_; - my($pipe, $gsscore, $gsreport, $queuelength); + my($pipe, $gsscore, $gsreport, @gsheaders, $queuelength); my $PipeReturn = 0; $queuelength = MailScanner::Config::Value('gstimeoutlen', $Message); 
@@ -129,23 +129,25 @@ sub GSForkAndTest { # In the child $pipe->writer(); $pipe->autoflush(); - my($gsscore, $gsreport); + my($gsscore, $gsreport, @gsheaders); eval { #print STDERR "ClientIP = " . $Message->{clientip} . "\n"; #print STDERR "From = " . $Message->{from} . "\n"; #print STDERR "To = " . join(', ', @{$Message->{to}}) . "\n"; #print STDERR "This is in the caller\n"; - ($gsscore, $gsreport) = MailScanner::CustomConfig::GenericSpamScanner( - $Message->{clientip}, - $Message->{from}, - $Message->{to}, + ($gsscore, $gsreport, @gsheaders) = MailScanner::CustomConfig::GenericSpamScanner( + $Message, $Contents); }; $gsscore = $gsscore + 0.0; print $pipe "$gsscore\n"; print $pipe $gsreport . "\n"; + foreach my $header (@gsheaders) { + #print STDERR " to pipe .. <$header> \n"; + print $pipe $header . "\n"; + } $pipe->close(); $pipe = undef; exit 0; @@ -157,6 +159,10 @@ sub GSForkAndTest { alarm MailScanner::Config::Value('gstimeout'); $gsscore = <$pipe>; $gsreport = <$pipe>; + foreach my $h (<$pipe>) { + chomp $h; + push @gsheaders,$h; + } # Not sure if next 2 lines should be this way round... waitpid $pid, 0; @@ -246,7 +252,7 @@ sub GSForkAndTest { #print STDERR "Generic Spam Scanner points = $gsscore\n"; #print STDERR "Generic Spam Scanner report = $gsreport\n"; - return ($gsscore, $gsreport); + return ($gsscore, $gsreport, @gsheaders); } 1; --- lib/MailScanner/Message.pm.orig Fri May 8 05:20:04 2009 +++ lib/MailScanner/Message.pm Wed May 13 19:22:44 2009 
@@ -719,12 +719,19 @@ sub IsSpam { # rblspamheader is useful start to spamreport if RBLsaysspam. # Do the Custom Spam Checker - my($gsscore, $gsreport); + my($gsscore, $gsreport, @gsheaders); #print STDERR "In Message.pm about to look at gsscanner\n"; if ($usegsscanner) { #print STDERR "In Message.pm about to run gsscanner\n"; - ($gsscore, $gsreport) = MailScanner::GenericSpam::Checks($this); + ($gsscore, $gsreport, @gsheaders) = MailScanner::GenericSpam::Checks($this); #print STDERR "In Message.pm we got $gsscore, $gsreport\n"; + foreach my $line (@gsheaders) { + my ($header,$val)=split(/:/,$line); + #print STDERR "In Message.pm we got gsheader $line <${header}|${val}>\n"; + $global::MS->{mta}->AddHeader($this, + "$header:", + $val); + } $this->{gshits} = $gsscore; $this->{gsreport} = $gsreport; $this->{sascore} += $gsscore; # Add the score -- Todd Fries .. todd@fries.net _____________________________________________ | \ 1.636.410.0632 (voice) | Free Daemon Consulting, LLC \ 1.405.227.9094 (voice) | http://FreeDaemonConsulting.com \ 1.866.792.3418 (FAX) | "..in support of free software solutions." \ 250797 (FWD) | \ \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ 37E7 D3EB 74D0 8D66 A68D B866 0326 204E 3F42 004A http://todd.fries.net/pgp.txt From jonas at vrt.dk Mon Jul 20 08:55:16 2009 
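Review bot: In the GenericSpamScanner.pm hunk, the recipient addresses from @$to are joined into $users and interpolated into $cmd, and $cmd is handed to open2() as one string, so the command line is interpreted by a shell with envelope recipients inside it. Pass the program and its arguments as a list instead, for example open2($fhread, $fhwrite, '/usr/local/bin/dspamc', '--client', '--stdout', '--deliver=innocent,spam', '--mode=tum', '--user', @$to), so that no shell is involved. In the same hunk $result is assigned although only @result is declared, $report is declared twice with my, and the score depends on X-DSPAM-Result having been read before X-DSPAM-Confidence; all three are worth tidying before this is merged.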
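Review bot: In the GenericSpam.pm hunks, the comment above GSForkAndTest still reads "capture the 2 lines of output", but the child now also prints one line per header and the parent reads the pipe to end of file. Please update that comment and document the third return value (the header list) of Checks() and GenericSpamScanner(), since existing custom scanners return only a score and a report.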
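Review bot: In the Message.pm hunk, split(/:/,$line) has no limit, so a header value that itself contains a colon is cut off at that colon; use split(/:/, $line, 2). The same headers are also passed to AddHeader inside GenericSpamScanner(), which is called from the child branch of GSForkAndTest (the branch that ends in exit 0), so one of the two AddHeader calls looks redundant and the one in the custom function is the candidate to drop.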
From: jonas at vrt.dk (Jonas A. Larsen) Date: Mon Jul 20 08:55:27 2009 Subject: Linux Anti-Virus Scanner In-Reply-To: <10486941.2611247907862507.JavaMail.root@office.splatnix.net> References: <10486941.2611247907862507.JavaMail.root@office.splatnix.net> Message-ID: <002e01ca090f$6c67ecb0$4537c610$@dk>

I believe I'm the one who mentioned it, and the product I was talking about was f-secure.

I can see that Alex says that avira apparently does it as well, although I think I'd prefer f-secure over avira (although that may be based simply on f-secure having a better reputation in my head)

I use it on our scanners and can only recommend its use.

We use f-secure, clamav and nod32 on our scanners.

Med venlig hilsen / Best regards

Jonas Akrouh Larsen
TechBiz ApS
Laplandsgade 4, 2. sal
2300 København S
Office: 7020 0979
Direct: 3336 9974
Mobile: 5120 1096
Fax: 7020 0978
Web: www.techbiz.dk

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of --[ UxBoD ]--
> Sent: 18. juli 2009 11:04
> To: mailscanner@lists.mailscanner.info
> Subject: Linux Anti-Virus Scanner
>
> Hi,
>
> I believe somebody mentioned a while ago about a product that included
> their own signatures plus Kaspersky ... Which scanner was that please ?
>
> Best Regards,
>
> --
> SplatNIX IT Services :: Innovation through collaboration

From MailScanner at ecs.soton.ac.uk Mon Jul 20 10:17:38 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jul 20 10:18:00 2009 Subject: Mutiple config options in MailScanner In-Reply-To: References: <4A643632.8030109@ecs.soton.ac.uk> Message-ID:

On 17/07/2009 17:14, Rose, Bobby wrote:
>
> Just a check... does MailScanner currently allow you to have more than one
> option for such things as Is Definitely Spam or Not Spam?
>

You can have a simple value, a ruleset, or a Custom Function.

>
> I was wondering if it allowed calls to more than one custom function.
>

You can only attach 1 Custom Function to each configuration setting, but of course you can attach different Custom Functions to different configuration settings. I hope that answers your question, I'm not 100% sure of what you are asking.

>
> I suspect it doesn't but wanted to make sure before I go off and try
> to rewrite my customfunction for ldap black/white lists.
>
> Thanks
>
> *Bobby Rose*
>
> Sr Systems Administrator, MSIS Network Operations
> Wayne State University School of Medicine
> brose@med.wayne.edu

Jules
--
Julian Field MEng CITP CEng www.MailScanner.info

From MailScanner at ecs.soton.ac.uk Mon Jul 20 10:20:26 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jul 20 10:20:49 2009 Subject: text/plain aka 'Add Text of Html' ? In-Reply-To: <20090719211906.GD18795@fries.net> References: <20090719211906.GD18795@fries.net> <4A6436DA.4030203@ecs.soton.ac.uk> Message-ID:

On 19/07/2009 22:19, Todd T. Fries wrote:
> I recently upgraded and noticed that recently MailScanner has added a
> new setting/feature 'Add Text Of Doc' using antiword.
>
> Is there any merit for 'Add Text Of Html' ?
>
> For those of us using cli/text mail readers (mutt, pine, elm, mail, etc)
> would it not be useful to permit a text version of the html file?
>

Take a look at the setting "Convert HTML To Text = no" and see if changing that to a ruleset would do more or less what you want.

> I've recently started getting more and more mail that is html only, i.e.
> they don't even bother or expect it is useful to add the text/plain attachment.
>
> Separately, I know blackberry does a stupid thing when replying to email, and
> that is it claims the body of the message is text/plain but it is straight base64.
>
> This is fine, but I have some people I communicate with who want to see text/plain
> as readable ascii by 'cat' etc.
>
> Any thoughts?
>

Jules
--
Julian Field MEng CITP CEng www.MailScanner.info

From Kevin_Miller at ci.juneau.ak.us Mon Jul 20 17:24:41 2009
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Mon Jul 20 17:24:58 2009
Subject: Linux Anti-Virus Scanner
In-Reply-To: <002e01ca090f$6c67ecb0$4537c610$@dk>
References: <10486941.2611247907862507.JavaMail.root@office.splatnix.net> <002e01ca090f$6c67ecb0$4537c610$@dk>
Message-ID: <4A09477D575C2C4B86497161427DD94C10E110F464@city-exchange07>

Jonas A. Larsen wrote:
> I believe I'm the one who mentioned it, and the product I was talking
> about was f-secure.
>
> I can see that Alex says that avira apparently does it as well,
> although I think I'd prefer f-secure over avira (although that may be
> based simply on f-secure having a better reputation in my head)
>
> I use it on our scanners and can only recommend its use.
>
> We use f-secure, clamav and nod32 on our scanners.

I'm also using f-secure. Their product is a suite of various security
utilities. When you install it, run the installer with the
--command-line-only switch or you'll get a whole lot of junk that you
probably don't want in addition to the command line scanner.

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From todd at fries.net Mon Jul 20 17:57:32 2009
From: todd at fries.net (Todd T. Fries)
Date: Mon Jul 20 17:58:21 2009
Subject: text/plain aka 'Add Text of Html' ?
In-Reply-To:
References: <20090719211906.GD18795@fries.net> <4A6436DA.4030203@ecs.soton.ac.uk>
Message-ID: <20090720165732.GP18795@fries.net>

Penned by Julian Field on 20090720 10:20.26, we have:
>
>
> On 19/07/2009 22:19, Todd T. Fries wrote:
>> I recently upgraded and noticed that recently MailScanner has added a
>> new setting/feature 'Add Text Of Doc' using antiword.
>>
>> Is there any merit for 'Add Text Of Html' ?
>>
>> For those of us using cli/text mail readers (mutt, pine, elm, mail, etc)
>> would it not be useful to permit a text version of the html file?
>>
> Take a look at the setting "Convert HTML To Text = no" and see if
> changing that to a ruleset would do more or less what you want.

I specifically did look at the comments, it leads me to believe that it
would strip the html. I may want to look at the html, but by default
I would like to have text/plain since my mail client (mutt) can't quote
the html in a reply..

I just tested, and indeed, this strips the html and replaces it with text.

It shouldn't be that hard to add the knob to not strip the html.

If I take a stab at this, I wonder would it be worth making the setting
"Convert HTML To Text = no" take a "= add" parameter or?

Thanks,
--
Todd Fries .. todd@fries.net

 _____________________________________________
|                                             \  1.636.410.0632 (voice)
| Free Daemon Consulting, LLC                 \  1.405.227.9094 (voice)
| http://FreeDaemonConsulting.com             \  1.866.792.3418 (FAX)
| "..in support of free software solutions."  \          250797 (FWD)
|                                             \
 \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

              37E7 D3EB 74D0 8D66 A68D B866 0326 204E 3F42 004A
                        http://todd.fries.net/pgp.txt

From glenn.steen at gmail.com Tue Jul 21 12:34:38 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Jul 21 12:34:46 2009
Subject: Fresh install mailscanner and postfix
In-Reply-To:
References: <4A60E8A3.1010009@klunky.co.uk>
Message-ID: <223f97700907210434q5f1e10c1k70476c3339be1a25@mail.gmail.com>

2009/7/17 Mike Wallace :
> Looking at the config the only two things that stood out were mail_owner and
> setgid_group. Both entries started with _ as in _postfix and _postdrop.
>
> Is this correct? If so, check the ownership on /var/spool/postfix/maildrop
> and /var/spool/postfix/public and make sure they match the above owner and
> group names.
>
> Mike
>
>
... and make sure your MS config *match*. So that you correctly
specify your postfix user and group in MailScanner.conf (they need not
be "postfix.postfix"... and likely aren't, in this case;)

Cheers
--
-- Glenn

>
>
> On Jul 17, 2009, at 5:09 PM, LOEWENTHAL Simon wrote:
>
>>
>> Dear all,
>>
>>        I installed Mailscanner onto a OpenBSD box today to see how it runs
>> with postfix clamd and spamassassin.  I followed this guide to setting
>> it up,
>>
>> http://mailscanner.info/postfix.html
>>
>> These messages are sent to mail.log and these did not exist until I
>> added Mailscanner into the equation.
>>
>> Jul 18 01:00:08 pf MailScanner[17186]: Virus and Content Scanning:
>> Starting
>> Jul 18 01:00:17 pf postfix/qmgr[26430]: fatal: qmgr_move: update
>> active/225DF6619 time stamps: Operation not permitted
>> Jul 18 01:00:18 pf postfix/master[18251]: warning: process
>> /usr/local/libexec/postfix/qmgr pid 26430 exit status 1
>> Jul 18 01:00:18 pf postfix/master[18251]: warning:
>> /usr/local/libexec/postfix/qmgr: bad command startup -- throttling
>> Jul 18 01:00:42 pf MailScanner[21027]: Requeue: E055E6614.C490F to
>> CCF38661B
>> Jul 18 01:00:42 pf MailScanner[21027]: Uninfected: Delivered 1 messages
>>
>> I suspect that a file or directory has some incorrect permissions.
>>
>> Here is the postconf -n in case its any use but I have checked all these
>> listed directories and these exist & have the correct permission.
>>
>> # postconf -n
>> broken_sasl_auth_clients = yes
>> command_directory = /usr/local/sbin
>> config_directory = /etc/postfix
>> daemon_directory = /usr/local/libexec/postfix
>> data_directory = /var/postfix
>> debug_peer_level = 2
>> header_checks = regexp:/etc/postfix/header_checks
>> html_directory = /usr/local/share/doc/postfix/html
>> inet_interfaces = all
>> inet_protocols = all
>> mail_owner = _postfix
>> mailq_path = /usr/local/sbin/mailq
>> manpage_directory = /usr/local/man
>> mydomain = testmail.local
>> mynetworks = 192.168.1.0/24, 127.0.0.0/8
>> myorigin = $myhostname
>> newaliases_path = /usr/local/sbin/newaliases
>> queue_directory = /var/spool/postfix
>> readme_directory = /usr/local/share/doc/postfix/readme
>> relay_domains = $mydestination
>> sample_directory = /etc/postfix
>> sendmail_path = /usr/local/sbin/sendmail
>> setgid_group = _postdrop
>> smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
>> smtpd_recipient_restrictions = permit_mynetworks
>> permit_sasl_authenticated   reject_unauth_destination
>> smtpd_sasl_auth_enable = yes
>> smtpd_sasl_local_domain = $mydomain
>> smtpd_tls_CAfile = /etc/ssl/ca.crt
>> smtpd_tls_cert_file = /etc/postfix/ssl/server.crt
>> smtpd_tls_key_file = /etc/postfix/ssl/private/server.key
>> smtpd_tls_loglevel = 1
>> smtpd_tls_security_level = may
>> tls_random_source = dev:/dev/urandom
>> unknown_local_recipient_reject_code = 450
>> virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
>> virtual_gid_maps = static:2000
>> virtual_mailbox_base = /var/spool/_vmail/imap
>> virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains.cf
>> virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailboxes.cf
>> virtual_minimum_uid = 2000
>> virtual_transport = qdeliver
>> virtual_uid_maps = static:2000
>>
>>
>> Many thanks in advance.
>> Si.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Tue Jul 21 12:38:46 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Jul 21 12:38:55 2009
Subject: dspam for MailScanner
In-Reply-To: <20090719215042.GE18795@fries.net>
References: <20090719215042.GE18795@fries.net>
Message-ID: <223f97700907210438saa73651tcaafb5618b84594b@mail.gmail.com>

2009/7/19 Todd T. Fries :
> I've been using this for a few years now, and keep forgetting to
> contribute it back.
>
> This is my own work, I couldn't be more pleased if MailScanner took it
> and made the equivalent or better functionality in the default
> distribution.
>
> If I can polish it or whatever, please let me know, if it saves you
> work.
>
If Jules doesn't decide to include this... then put it all in the wiki;)...
After all, that's what it's there for...

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From ka at pacific.net Tue Jul 21 22:40:22 2009
From: ka at pacific.net (Ken A.)
Date: Tue Jul 21 22:40:59 2009
Subject: open-whois.org cybersquatted. bl generating FPs
Message-ID: <4A6635C6.3000700@pacific.net>

If you don't run sa-update automatically, now would be a good time to
run it manually. This affects all WHOIS_* SA rules.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6157

Ken

--
Ken Anderson
Pacific.Net

From shprahi at gmail.com Wed Jul 22 09:41:22 2009
From: shprahi at gmail.com (shprahi shprahi)
Date: Wed Jul 22 09:41:32 2009
Subject: Attachment report query
Message-ID:

Hi All,

I have a small doubt about the attachment report. I have restricted the
attachment limit on a per-user basis using rule set file name and it is
working perfectly. Now when a user sends an attachment larger than the
allowed size, it sends the report message to the recipient as well as the
sender, saying attachment size not allowed or over limit.

Now the question is: how do I send this warning message to only the sender
and not to the recipient?

Please share the same if anybody has done this in the past.

I am using Centos 5 + MailScanner 4.74 + postfix.

Thanks in advance
Shprahi

From brose at med.wayne.edu Wed Jul 22 15:54:35 2009
From: brose at med.wayne.edu (Rose, Bobby)
Date: Wed Jul 22 15:55:05 2009
Subject: Mutiple config options in MailScanner
In-Reply-To:
References: <4A643632.8030109@ecs.soton.ac.uk>
Message-ID:

I was looking to see if I could call my ldap lookup custom function for the nospam checking and also an sql lookup customfunction.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field
Sent: Monday, July 20, 2009 5:18 AM
To: MailScanner discussion
Subject: Re: Mutiple config options in MailScanner

On 17/07/2009 17:14, Rose, Bobby wrote:
>
> Just a check... does MailScanner currently allow you to have more than one
> option for such things as Is Definitely Spam or Not Spam?
>
You can have a simple value, a ruleset, or a Custom Function.
>
> I was wondering if it allowed calls to more than one custom function.
>
You can only attach 1 Custom Function to each configuration setting, but
of course you can attach different Custom Functions to different
configuration settings.

I hope that answers your question, I'm not 100% sure of what you are asking.
>
> I suspect it doesn't but wanted to make sure before I go off and try
> to rewrite my customfunction for ldap black/white lists.
>
> Thanks
>
> *Bobby Rose*
>
> Sr Systems Administrator, MSIS Network Operations
> Wayne State University School of Medicine
> brose@med.wayne.edu
>
> ------------------------------------------------------------------------
> This document may include proprietary and confidential information of
> Wayne State University Physician Group and may only be read by those
> person(s) to whom it is addressed. If you have received this e-mail
> message in error, please notify us immediately. This document may not
> be reproduced, copied, distributed, published, modified or furnished
> to third parties, without prior written consent of Wayne State
> University Physician Group. Thank you.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info

From dgottsc at emory.edu Wed Jul 22 16:13:32 2009
From: dgottsc at emory.edu (Gottschalk, David)
Date: Wed Jul 22 16:18:24 2009
Subject: Recipient Limitation(s)
Message-ID:

Is it possible to setup MailScanner to block/quarantine messages over a certain number of recipients? I want to do this because we have a lot of accounts being compromised and sending out emails to a large number of recipients. I think this would be a good proactive measure.

I've looked into spamassassin doing this, but cannot find anything that would give me the ability to do this.

Any tips would be appreciated, I've searched all around and haven't found anything.

David Gottschalk
UTS Email team
david.gottschalk@emory.edu

This e-mail message (including any attachments) is for the sole use of
the intended recipient(s) and may contain confidential and privileged
information. If the reader of this message is not the intended
recipient, you are hereby notified that any dissemination, distribution
or copying of this message (including any attachments) is strictly
prohibited.

If you have received this message in error, please contact
the sender by reply e-mail message and destroy all copies of the
original message (including attachments).

From butler at globeserver.com Wed Jul 22 16:32:46 2009
From: butler at globeserver.com (Philip Butler)
Date: Wed Jul 22 16:34:18 2009
Subject: Recipient Limitation(s)
In-Reply-To:
References:
Message-ID: <09777D7D-93B3-4C57-8B3E-66813594439D@globeserver.com>

David,

There's a way to do this in your sendmail configuration (assuming you
are running sendmail):

    O MaxRecipientsPerMessage=n     (where n is the max number of recipients)

I am sure a good google search will explain more on this setting.

If you are not running sendmail, this will be of no use to you.

The advantage/disadvantage of this is that it runs before MailScanner
is involved. This is an advantage in that the message is quickly
rejected (and the sender notified) before MailScanner has to process
it. It is a disadvantage in that it won't be seen by MailScanner and
therefore not quarantined for analysis.

My 2 cents worth...

Phil Butler

On Jul 22, 2009, at 11:13 AM, Gottschalk, David wrote:

> Is it possible to setup MailScanner to block/quarantine messages
> over a certain number of recipients? I want to do this because we
> have a lot of accounts being compromised and sending out emails to a
> large number of recipients. I think this would be a good proactive
> measure.
>
> I've looked into spamassassin doing this, but cannot find anything
> that would give me the ability to do this.
>
> Any tips would be appreciated, I've searched all around and haven't
> found anything.
>
> David Gottschalk
> UTS Email team
> david.gottschalk@emory.edu

From MailScanner at ecs.soton.ac.uk Wed Jul 22 19:08:11 2009
From: MailScanner at ecs.soton.ac.uk (Jules Field)
Date: Wed Jul 22 19:08:32 2009
Subject: Mutiple config options in MailScanner
In-Reply-To:
References: <4A643632.8030109@ecs.soton.ac.uk> <4A67558B.2070705@ecs.soton.ac.uk>
Message-ID:

You can always quite easily write a Custom Function that calls both
functions, and combines the results with some logic of your choosing.

On 22/07/2009 15:54, Rose, Bobby wrote:
> I was looking to see if I could call my ldap lookup custom function for the nospam checking and also an sql lookup customfunction.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info

From dgottsc at emory.edu Wed Jul 22 21:01:31 2009
From: dgottsc at emory.edu (Gottschalk, David)
Date: Wed Jul 22 21:02:35 2009
Subject: Recipient Limitation(s)
In-Reply-To: <09777D7D-93B3-4C57-8B3E-66813594439D@globeserver.com>
References: <09777D7D-93B3-4C57-8B3E-66813594439D@globeserver.com>
Message-ID:

Phil,
Thanks for the reply. I was aware that sendmail can do that, I was just hoping that MailScanner/Spamassassin could so I could get granular and define it by domain, etc.

Thanks for the help!

David Gottschalk
UTS Email team
david.gottschalk@emory.edu

From simon at kmun.gov.kw Thu Jul 23 09:24:48 2009
From: simon at kmun.gov.kw (Benedict simon)
Date: Thu Jul 23 09:22:10 2009
Subject: Recipient Limitation query
In-Reply-To:
References: <09777D7D-93B3-4C57-8B3E-66813594439D@globeserver.com>
Message-ID:

Dear All,

Just read the message.
By the way, I would like to implement something like this because I do
sometimes get one spam email being sent to many of my email users.

MailScanner in fact marks it as spam, which is fine,
but if it could be done at the MTA level it would be much, much better.

I have sendmail-8.13.8-2.el5 running on centos 5 but I was just checking
in my sendmail.mc file and could not find any Max recipientspermessage or
some similar option.
Appreciate your advice and help.

regards

simon

--
Network ADMIN
-------------
KUWAIT MUNICIPALITY:

From MailScanner at ecs.soton.ac.uk Thu Jul 23 09:47:45 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jul 23 09:48:03 2009 Subject: Recipient Limitation query In-Reply-To: References: <09777D7D-93B3-4C57-8B3E-66813594439D@globeserver.com> <4A6823B1.6090806@ecs.soton.ac.uk> Message-ID: A very quick Google resulted in this from the sendmail documentation: confMAX_RCPTS_PER_MESSAGE MaxRecipientsPerMessage [infinite] If set, allow no more than the specified number of recipients in an SMTP envelope. Further recipients receive a 452 error code (i.e., they are deferred for the next delivery attempt). Is that close enough to what you need? On 23/07/2009 09:24, Benedict simon wrote: > Dear All, > > just read the message > by the way i do wd like to implement something like this cause i do > sometimes do get one spam email being send to many of my email users > > MailSacnner infact marks it as spam which is fine > but if it could be done at the MTA level it would be much much better > > i have sendmail-8.13.8-2.el5 running on centos 5 but i was just checking > in my sendmail.mc file and could not find any Max recipentspermessage or > some similar option > Apprecite you advice nad help > > > regards > > > simon > > > >> Phil, >> Thanks for the reply. I was aware that sendmail can do that, I was >> just hoping that MailScanner/Spamassassin could so I could get >> granular and define it by domain, etc. >> >> Thanks for the help! >> >> David Gottschalk >> UTS Email team >> david.gottschalk@emory.edu >> >> >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Philip >> Butler >> Sent: Wednesday, July 22, 2009 11:33 AM >> To: MailScanner discussion >> Subject: Re: Recipient Limitation(s) >> >> David, >> >> There's a way to do this in your sendmail configuration (assuming you >> are running sendmail): >> >> O MaxRecipientsPerMessage=n (where n is the max number of >> recipients) >> >> I am sure a good google search will explain more on this setting. >> >> If you are not running sendmail, this will be of no use to you. >> >> The advantage/disadvantage of this is that it runs before MailScanner >> is involved. This is an advantage in that the message is quickly >> rejected (and the sender notified) before MailScanner has to process >> it. It is a disadvantage in that it won't be seen by MailScanner and >> therefore not quarantined for analysis. >> >> My 2 cents worth... >> >> Phil Butler >> >> On Jul 22, 2009, at 11:13 AM, Gottschalk, David wrote: >> >> >>> Is it possible to setup MailScanner to block/quarantine messages >>> over a certain number of recipients? I want to do this because we >>> have a lot of accounts being compromised and sending out emails to a >>> large number of recipients. I think this would be a good proactive >>> measure. >>> >>> I've looked into spamassassin doing this, but cannot find anything >>> that would give me the ability to do this. >>> >>> Any tips would be appreciated, I've searched all around and haven't >>> found anything. >>> >>> David Gottschalk >>> UTS Email team >>> david.gottschalk@emory.edu >>> >>> >>> This e-mail message (including any attachments) is for the sole use of >>> the intended recipient(s) and may contain confidential and privileged >>> information. 
Jules
-- 
Julian Field MEng CITP CEng www.MailScanner.info
From raubvogel at gmail.com Thu Jul 23 12:00:51 2009
From: raubvogel at gmail.com (Mauricio Tavares) Date: Thu Jul 23 12:01:09 2009 Subject: More descriptive body spam message Message-ID: <4A6842E3.7050109@gmail.com>

I received a spam mail from one of my other accounts in which their spamassassin detected the spam. That is fine, nothing special really. But what it had that was interesting to me was the amount of info shown on the body of the message about the said spam:

=============================%< ====================================
Spam detection software, running on the system "freenet9.afn.org", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that system for details.

[...]

Content analysis details: (6.9 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 MISSING_MID            Missing Message-Id: header
 1.3 MISSING_HEADERS        Missing To: header
 1.0 BAYES_60               BODY: Bayesian spam probability is 60 to 80%
                            [score: 0.6317]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.5 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 0.0 FORGED_OUTLOOK_HTML    Outlook can't send HTML message only
 3.1 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam. If you wish to view
it, it may be safer to save it to a file and open it with an editor.
=============================%< ====================================

A lot of that MailScanner already does, but in a shorthand version on the header. Is there a way to do something like the above, as in append that to the top of the body of the mail that by now is already defanged?
From maxsec at gmail.com Thu Jul 23 13:21:43 2009
From: maxsec at gmail.com (Martin Hepworth) Date: Thu Jul 23 13:21:52 2009 Subject: More descriptive body spam message In-Reply-To: <4A6842E3.7050109@gmail.com> References: <4A6842E3.7050109@gmail.com> Message-ID: <72cf361e0907230521t737f9534i929eb8a5a0f0f163@mail.gmail.com> 2009/7/23 Mauricio Tavares > I received a spam mail from one of my other accounts in which their > spamassassin detected the spam. That is fine, nothing specially really. But > what it had that was interesting to me was the amount of info shown on the > body of the message about the said spam: > > =============================%< ==================================== > Spam detection software, running on the system "freenet9.afn.org", has > identified this incoming email as possible spam. The original message > has been attached to this so you can view it (if it isn't spam) or label > similar future email. If you have any questions, see > the administrator of that system for details. > > [...] > > Content analysis details: (6.9 points, 5.0 required) > > pts rule name description > ---- ---------------------- > -------------------------------------------------- > 0.0 MISSING_MID Missing Message-Id: header > 1.3 MISSING_HEADERS Missing To: header > 1.0 BAYES_60 BODY: Bayesian spam probability is 60 to 80% > [score: 0.6317] > 0.0 HTML_MESSAGE BODY: HTML included in message > 1.5 MIME_HTML_ONLY BODY: Message only has text/html MIME parts > 0.0 FORGED_OUTLOOK_HTML Outlook can't send HTML message only > 3.1 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook > > The original message was not completely plain text, and may be unsafe to > open with some email clients; in particular, it may contain a virus, > or confirm that your address can receive spam. If you wish to view > it, it may be safer to save it to a file and open it with an editor. 
>
> =============================%< ====================================
>
> A lot of that MailScanner already does, but in a shorthand version on the
> header. Is there a way to do something like the above, as in append that to
> the top of the body of the mail that by now is already defanged?

Hi

change following values as below and you'll get *all* that info in the headers.

Spam Score Number Format = %5.2f
Detailed Spam Report = yes
Include Scores In SpamAssassin Report = yes
Always Include SpamAssassin Report = yes
Spam Score Number Format = %5.2f

-- 
Martin Hepworth
Oxford, UK
From jonas at techbiz.dk Thu Jul 23 13:40:53 2009
From: jonas at techbiz.dk (Jonas Akrouh Larsen) Date: Thu Jul 23 13:41:05 2009 Subject: Spamassassin timeouts Message-ID: <003501ca0b92$d14521e0$73cf65a0$@dk>

Hi List

Hope everyone is enjoying the summer.

I got an annoying problem with SA timeouts.

For the past week my sampling shows that out of 51037 mails, spamassassin timed out on 66 of them.

This is not a big percentage obviously, but it bothers me that I have a pretty decent protection scheme setup which lets very few spams through.

I'd actually guess that SA time outs create as many false positives (as in mails MS thinks are ham) as actual spam slipping through my anti-spam rules.

I was wondering if there was any way to make MS refuse to have SA timeouts (or maybe make it configurable to at least try the mail again for x number of times before we accept to let the mail pass MS without having been scanned by SA)

I don't think this is possible with the current version of MS.

Also note that simply increasing the sa timeout isn't as good a solution as the configurable "retry" behavior (in my opinion at least)

So am I alone in thinking this would be a neat addition to MS, or what do people think/do with sa timeouts in general?

Med venlig hilsen / Best regards
Jonas Akrouh Larsen
TechBiz ApS
Laplandsgade 4, 2. sal
2300 København S
Office: 7020 0979
Direct: 3336 9974
Mobile: 5120 1096
Fax: 7020 0978
Web: www.techbiz.dk
From marco.mangione at gmail.com Thu Jul 23 13:49:19 2009
From: marco.mangione at gmail.com (Marco mangione) Date: Thu Jul 23 13:49:28 2009 Subject: message size Message-ID:

hi,

i have a strange issue. messages larger than 3MB don't pass through my postfix+mailscanner ... i don't see anything in logs... can anyone help me?

Thanks
marco
From maxsec at gmail.com Thu Jul 23 14:31:20 2009
From: maxsec at gmail.com (Martin Hepworth) Date: Thu Jul 23 14:31:29 2009 Subject: Spamassassin timeouts In-Reply-To: <003501ca0b92$d14521e0$73cf65a0$@dk> References: <003501ca0b92$d14521e0$73cf65a0$@dk> Message-ID: <72cf361e0907230631s110df8aey2fb7ddb02db6b8c9@mail.gmail.com> Hi normally this is either due to 1) DNS issues (lots of RBLs - have you got most of them turned off?), 2) bayes (have you got this running on a faster SDBM database than the default http://wiki.mailscanner.info/doku.php?id=documentation:anti_spam:spamassassin:bayes:sdbm&s=bayes 3) or things like DCC/pyzor/razor. Another thing to check is the SA-timeout value in MailScanner.conf, I normally raise this well above the 75 default to around 300 at least. -- Martin Hepworth Oxford, UK 2009/7/23 Jonas Akrouh Larsen > Hi List > > > > Hope everyone is enjoying the summer. > > > > I got an annoying problem with SA timeouts. > > > > For the past week my sampling shows that out of 51037 mails, spamassassin > timed out on 66 of them. > > > > This is not a big percentage obviously, but it bothers me that I have a > pretty decent protection scheme setup which lets very few spams through. > > > > I?d actually guess that SA time outs creates as many false positives (as in > mails MS thinks are ham) as actual spam slipping through my anti-spam rules. > > > > I was wondering if there was any way to make MS refuse to have SA timeouts > (or maybe make it configureable to atleast try the mail again for x number > of times before we accept to let the mail pass MS without having been > scanned by SA) > > > > I don?t think this is possible with the current version of MS. > > > > Also note that simply increasing the sa timeout isn?t as good a solution as > the confirable ?rety behavior (in my opinion atleast) > > > > So am I alone in thinking this would be a neat addition to MS, or what do > people think/do with sa timeouts in general? 
From jonas at vrt.dk Thu Jul 23 15:31:48 2009
From: jonas at vrt.dk (Jonas A. Larsen) Date: Thu Jul 23 15:31:59 2009 Subject: Spamassassin timeouts In-Reply-To: <72cf361e0907230631s110df8aey2fb7ddb02db6b8c9@mail.gmail.com> References: <003501ca0b92$d14521e0$73cf65a0$@dk> <72cf361e0907230631s110df8aey2fb7ddb02db6b8c9@mail.gmail.com> Message-ID: <008801ca0ba2$4fde80f0$ef9b82d0$@dk>

I actually traced it down to all the timeouts happening around 05:00.

That is when the mysql backup runs, so I think it must be some sort of mysql being unavailable while the backup runs.

I use mysql for both mailwatch and bayes.

However I still believe a retry function for SA timeouts would be nice to have in MS.

Julian: Please add it to wish list :)
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Martin Hepworth Sent: 23. juli 2009 15:31 To: MailScanner discussion Subject: Re: Spamassassin timeouts Hi normally this is either due to 1) DNS issues (lots of RBLs - have you got most of them turned off?), 2) bayes (have you got this running on a faster SDBM database than the default http://wiki.mailscanner.info/doku.php?id=documentation:anti_spam:spamassassi n:bayes:sdbm &s=bayes 3) or things like DCC/pyzor/razor. Another thing to check is the SA-timeout value in MailScanner.conf, I normally raise this well above the 75 default to around 300 at least. -- Martin Hepworth Oxford, UK 2009/7/23 Jonas Akrouh Larsen Hi List Hope everyone is enjoying the summer. I got an annoying problem with SA timeouts. For the past week my sampling shows that out of 51037 mails, spamassassin timed out on 66 of them. This is not a big percentage obviously, but it bothers me that I have a pretty decent protection scheme setup which lets very few spams through. I?d actually guess that SA time outs creates as many false positives (as in mails MS thinks are ham) as actual spam slipping through my anti-spam rules. I was wondering if there was any way to make MS refuse to have SA timeouts (or maybe make it configureable to atleast try the mail again for x number of times before we accept to let the mail pass MS without having been scanned by SA) I don?t think this is possible with the current version of MS. Also note that simply increasing the sa timeout isn?t as good a solution as the confirable ?rety behavior (in my opinion atleast) So am I alone in thinking this would be a neat addition to MS, or what do people think/do with sa timeouts in general? Med venlig hilsen / Best regards Jonas Akrouh Larsen TechBiz ApS Laplandsgade 4, 2. 
sal 2300 K?benhavn S Office: 7020 0979 Direct: 3336 9974 Mobile: 5120 1096 Fax: 7020 0978 Web: www.techbiz.dk -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090723/9ac27296/attachment.html From alex at rtpty.com Thu Jul 23 15:32:28 2009 From: alex at rtpty.com (Alex Neuman van der Hans) Date: Thu Jul 23 15:32:42 2009 Subject: message size In-Reply-To: References: Message-ID: <25F42BB8-3F8B-4D8C-A679-3D4633B8F4C5@rtpty.com> Log entries would be nice. On Jul 23, 2009, at 7:49 AM, Marco mangione wrote: > hi, > > i have a strange iusse. message larger then 3MB dont pass trought my > postfix+mailscanner ... i dont see anything in logs... anyone can > help me? > > Thanks > marco > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! -- Alex Neuman van der Hans Reliant Technologies +507 6781-9505 +507 202-1525 alex@rtpty.com Skype: alexneuman From maxsec at gmail.com Thu Jul 23 15:39:17 2009 
From: maxsec at gmail.com (Martin Hepworth) Date: Thu Jul 23 15:39:26 2009 Subject: Spamassassin timeouts In-Reply-To: <008801ca0ba2$4fde80f0$ef9b82d0$@dk> References: <003501ca0b92$d14521e0$73cf65a0$@dk> <72cf361e0907230631s110df8aey2fb7ddb02db6b8c9@mail.gmail.com> <008801ca0ba2$4fde80f0$ef9b82d0$@dk> Message-ID: <72cf361e0907230739r6ba7cac1y8f107425477868e2@mail.gmail.com> Jonas ah there you go then, try increasing the value for sa-timeouts and maybe sort out a better mysql backup ;-) -- Martin Hepworth Oxford, UK 2009/7/23 Jonas A. Larsen > I actualy traced it down to all the timeouts happening around 05:00. > > > > That is when the mysql backup runs, so I think it must be some some sort of > mysql being unavailable while the backup runs. > > > > I use mysql for both mailwatch and bayes. > > > > However I still believe a retry function for SA timeouts would be nice to > have in MS. > > > > Julian: Please add it to wish list J > > > > *From:* mailscanner-bounces@lists.mailscanner.info [mailto: > mailscanner-bounces@lists.mailscanner.info] *On Behalf Of *Martin Hepworth > *Sent:* 23. juli 2009 15:31 > *To:* MailScanner discussion > *Subject:* Re: Spamassassin timeouts > > > > Hi > > normally this is either due to > > 1) DNS issues (lots of RBLs - have you got most of them turned off?), > > 2) bayes (have you got this running on a faster SDBM database than the > default > > http://wiki.mailscanner.info/doku.php?id=documentation:anti_spam:spamassassin:bayes:sdbm&s=bayes > > 3) or things like DCC/pyzor/razor. > > Another thing to check is the SA-timeout value in MailScanner.conf, I > normally raise this well above the 75 default to around 300 at least. > > > -- > Martin Hepworth > Oxford, UK > > 2009/7/23 Jonas Akrouh Larsen > > Hi List > > > > Hope everyone is enjoying the summer. > > > > I got an annoying problem with SA timeouts. > > > > For the past week my sampling shows that out of 51037 mails, spamassassin > timed out on 66 of them. 
> > > > This is not a big percentage obviously, but it bothers me that I have a > pretty decent protection scheme setup which lets very few spams through. > > > > I?d actually guess that SA time outs creates as many false positives (as in > mails MS thinks are ham) as actual spam slipping through my anti-spam rules. > > > > I was wondering if there was any way to make MS refuse to have SA timeouts > (or maybe make it configureable to atleast try the mail again for x number > of times before we accept to let the mail pass MS without having been > scanned by SA) > > > > I don?t think this is possible with the current version of MS. > > > > Also note that simply increasing the sa timeout isn?t as good a solution as > the confirable ?rety behavior (in my opinion atleast) > > > > So am I alone in thinking this would be a neat addition to MS, or what do > people think/do with sa timeouts in general? > > > > > > Med venlig hilsen / Best regards > > > > Jonas Akrouh Larsen > > > > TechBiz ApS > > Laplandsgade 4, 2. sal > > 2300 K?benhavn S > > > > Office: 7020 0979 > > Direct: 3336 9974 > > Mobile: 5120 1096 > > Fax: 7020 0978 > > Web: www.techbiz.dk > > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090723/24eb3cbc/attachment.html From marco.mangione at gmail.com Thu Jul 23 15:39:30 2009 
From: marco.mangione at gmail.com (Marco mangione) Date: Thu Jul 23 15:39:39 2009 Subject: message size In-Reply-To: <25F42BB8-3F8B-4D8C-A679-3D4633B8F4C5@rtpty.com> References: <25F42BB8-3F8B-4D8C-A679-3D4633B8F4C5@rtpty.com> Message-ID: yep i checked /var/log/mail.log w/o result... 2009/7/23 Alex Neuman van der Hans > Log entries would be nice. > > > On Jul 23, 2009, at 7:49 AM, Marco mangione wrote: > > hi, >> >> i have a strange iusse. message larger then 3MB dont pass trought my >> postfix+mailscanner ... i dont see anything in logs... anyone can help me? >> >> Thanks >> marco >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> > > > > -- > Alex Neuman van der Hans > Reliant Technologies > +507 6781-9505 > +507 202-1525 > alex@rtpty.com > Skype: alexneuman > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090723/349c5969/attachment.html From alex at rtpty.com Thu Jul 23 16:07:03 2009 
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Thu Jul 23 16:07:19 2009 Subject: message size In-Reply-To: References: <25F42BB8-3F8B-4D8C-A679-3D4633B8F4C5@rtpty.com> Message-ID: Then the message never passed through your server, so it's not your problem - it's someone else's. Otherwise there absolutely HAS to be a log entry, even if the log entry says "received the message and blocked it" or "refused to receive the message". To test this, create a test gmail account with something that can't be guessed - like "marcoistestinghisemail@gmail.com", and send yourself a 3mb message. Not only will you get a nice bounce back from gmail (if it's being bounced at the MTA level, so postfix settings have to be changed), but if the message is actually received you can grep your logs for "marcoistestinghisemail" and find out what happened. Remember... No log entries = never made it to your server = problem is upstream. On Jul 23, 2009, at 9:39 AM, Marco mangione wrote: > yep i checked /var/log/mail.log w/o result... > > 2009/7/23 Alex Neuman van der Hans > Log entries would be nice. > > > On Jul 23, 2009, at 7:49 AM, Marco mangione wrote: > > hi, > > i have a strange iusse. message larger then 3MB dont pass trought my > postfix+mailscanner ... i dont see anything in logs... anyone can > help me? > > Thanks > marco > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > > -- > Alex Neuman van der Hans > Reliant Technologies > +507 6781-9505 > +507 202-1525 > alex@rtpty.com > Skype: alexneuman > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
-- Alex Neuman van der Hans Reliant Technologies +507 6781-9505 +507 202-1525 alex@rtpty.com Skype: alexneuman From MailScanner at ecs.soton.ac.uk Thu Jul 23 17:32:12 2009
From: MailScanner at ecs.soton.ac.uk (Jules Field) Date: Thu Jul 23 17:32:43 2009 Subject: More descriptive body spam message In-Reply-To: <4A6842E3.7050109@gmail.com> References: <4A6842E3.7050109@gmail.com> <4A68908C.7030101@ecs.soton.ac.uk> Message-ID: On 23/07/2009 12:00, Mauricio Tavares wrote: > I received a spam mail from one of my other accounts in which > their spamassassin detected the spam. That is fine, nothing specially > really. But what it had that was interesting to me was the amount of > info shown on the body of the message about the said spam: > > =============================%< ==================================== > Spam detection software, running on the system "freenet9.afn.org", has > identified this incoming email as possible spam. The original message > has been attached to this so you can view it (if it isn't spam) or label > similar future email. If you have any questions, see > the administrator of that system for details. > > [...] > > Content analysis details: (6.9 points, 5.0 required) > > pts rule name description > ---- ---------------------- > -------------------------------------------------- > 0.0 MISSING_MID Missing Message-Id: header > 1.3 MISSING_HEADERS Missing To: header > 1.0 BAYES_60 BODY: Bayesian spam probability is 60 to 80% > [score: 0.6317] > 0.0 HTML_MESSAGE BODY: HTML included in message > 1.5 MIME_HTML_ONLY BODY: Message only has text/html MIME parts > 0.0 FORGED_OUTLOOK_HTML Outlook can't send HTML message only > 3.1 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook > > The original message was not completely plain text, and may be unsafe to > open with some email clients; in particular, it may contain a virus, > or confirm that your address can receive spam. If you wish to view > it, it may be safer to save it to a file and open it with an editor. 
> > =============================%< ==================================== > > A lot of that MailScanner already does, but in a shorthand version on > the header. Is there a way to do something like the above, as in > append that to the top of the body of the mail that by now is already > defanged? Add a spam action "encapsulate" and you will find you get a lot of that. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Thu Jul 23 17:35:26 2009 
From: MailScanner at ecs.soton.ac.uk (Jules Field) Date: Thu Jul 23 17:35:52 2009 Subject: Spamassassin timeouts In-Reply-To: <008801ca0ba2$4fde80f0$ef9b82d0$@dk> References: <003501ca0b92$d14521e0$73cf65a0$@dk> <72cf361e0907230631s110df8aey2fb7ddb02db6b8c9@mail.gmail.com> <008801ca0ba2$4fde80f0$ef9b82d0$@dk> <4A68914E.5070803@ecs.soton.ac.uk> Message-ID: On 23/07/2009 15:31, Jonas A. Larsen wrote: > > I actualy traced it down to all the timeouts happening around 05:00. > > That is when the mysql backup runs, so I think it must be some some > sort of mysql being unavailable while the backup runs. > What other cron jobs happen on your system around then? Such as all the ones in /etc/cron.daily? (Your /etc/crontab will tell you when those get run). It may be that is when the sa-rebuild happens, which is when it cleans up the Bayes database and removes all the old tokens from it. This makes Bayes unavailable for quite a while. Look for "Bayes" in MailScanner.conf and you will find there are some configuration options to alter this behaviour. > I use mysql for both mailwatch and bayes. > > However I still believe a retry function for SA timeouts would be nice > to have in MS. > > Julian: Please add it to wish list J > > *From:* mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] *On Behalf Of > *Martin Hepworth > *Sent:* 23. juli 2009 15:31 > *To:* MailScanner discussion > *Subject:* Re: Spamassassin timeouts > > Hi > > normally this is either due to > > 1) DNS issues (lots of RBLs - have you got most of them turned off?), > > 2) bayes (have you got this running on a faster SDBM database than the > default > http://wiki.mailscanner.info/doku.php?id=documentation:anti_spam:spamassassin:bayes:sdbm&s=bayes > > > 3) or things like DCC/pyzor/razor. > > Another thing to check is the SA-timeout value in MailScanner.conf, I > normally raise this well above the 75 default to around 300 at least. 
> > > -- > Martin Hepworth > Oxford, UK > > 2009/7/23 Jonas Akrouh Larsen > > > Hi List > > Hope everyone is enjoying the summer. > > I got an annoying problem with SA timeouts. > > For the past week my sampling shows that out of 51037 mails, > spamassassin timed out on 66 of them. > > This is not a big percentage obviously, but it bothers me that I have > a pretty decent protection scheme setup which lets very few spams through. > > I?d actually guess that SA time outs creates as many false positives > (as in mails MS thinks are ham) as actual spam slipping through my > anti-spam rules. > > I was wondering if there was any way to make MS refuse to have SA > timeouts (or maybe make it configureable to atleast try the mail again > for x number of times before we accept to let the mail pass MS without > having been scanned by SA) > > I don?t think this is possible with the current version of MS. > > Also note that simply increasing the sa timeout isn?t as good a > solution as the confirable ?rety behavior (in my opinion atleast) > > So am I alone in thinking this would be a neat addition to MS, or what > do people think/do with sa timeouts in general? > > Med venlig hilsen / Best regards > > Jonas Akrouh Larsen > > TechBiz ApS > > Laplandsgade 4, 2. sal > > 2300 K?benhavn S > > Office: 7020 0979 > > Direct: 3336 9974 > > Mobile: 5120 1096 > > Fax: 7020 0978 > > Web: www.techbiz.dk > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! 
From rwahyudi at gmail.com Fri Jul 24 03:55:04 2009
From: rwahyudi at gmail.com (R Wahyudi) Date: Fri Jul 24 03:55:14 2009 Subject: dspam for MailScanner In-Reply-To: <223f97700907210438saa73651tcaafb5618b84594b@mail.gmail.com> References: <20090719215042.GE18795@fries.net> <223f97700907210438saa73651tcaafb5618b84594b@mail.gmail.com> Message-ID: <9173fd7e0907231955y502e5d99r14d29ce0d2cbe8b4@mail.gmail.com>

Hi Todd,

How does dspam perform compared to standard SpamAssassin Bayes? I was trying to replace SpamAssassin Bayes years ago with dspam but didn't end up completing it.

Can you give me details on your email statistics (e.g. how many emails you receive / second) and what sort of database hardware do you have?

Regards,
Rianto Wahyudi

On Tue, Jul 21, 2009 at 9:38 PM, Glenn Steen wrote:
> 2009/7/19 Todd T. Fries :
>> I've been using this for a few years now, and keep forgetting to
>> contribute it back.
>>
>> This is my own work, I couldn't be more pleased if MailScanner took it
>> and made the equivalent or better functionality in the default
>> distribution.
>>
>> If I can polish it or whatever, please let me know, if it saves you
>> work.
>>
> If Jules doesn't decide to include this... then put it all in the
> wiki;)... After all, that's what it's there for...
>
> Cheers
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se
From ecasarero at gmail.com Fri Jul 24 20:56:13 2009
From: ecasarero at gmail.com (Eduardo Casarero) Date: Fri Jul 24 20:56:43 2009 Subject: Recipient Limitation(s) In-Reply-To: References: Message-ID: <7d9b3cf20907241256t7c9efe8xf0e543e5e724ae8c@mail.gmail.com> 2009/7/22 Gottschalk, David > Is it possible to setup MailScanner to block/quarantine messages over a > certain number of recipients? I want to do this because we have a lot of > accounts being compromised and sending out emails to a large number of > recipients. I think this would be a good proactive measure. > > I've looked into spamassassin doing this, but cannot find anything that > would give me the ability to do this. > > Any tips would be appreciated, I've searched all around and haven't found > anything. Some time ago i wrote this rule for SpamAssassin, i didnt test it a lot, so test it with precaution. I was for someone with the same problem than you. the logic of the rule is that if the email has more than 10 recipients at least 1 rule will hit, with combination is probable than more than one hits. you can also generate a new meta rule to have only 1 hit with an OR. 
header __TEST_TO_1 To =~ /(.*?(@).*?){1,}/i
header __TEST_TO_2 To =~ /(.*?(@).*?){2,}/i
header __TEST_TO_3 To =~ /(.*?(@).*?){3,}/i
header __TEST_TO_4 To =~ /(.*?(@).*?){4,}/i
header __TEST_TO_5 To =~ /(.*?(@).*?){5,}/i
header __TEST_TO_6 To =~ /(.*?(@).*?){6,}/i
header __TEST_TO_7 To =~ /(.*?(@).*?){7,}/i
header __TEST_TO_8 To =~ /(.*?(@).*?){8,}/i
header __TEST_TO_9 To =~ /(.*?(@).*?){9,}/i
header __TEST_TO_10 To =~ /(.*?(@).*?){10,}/i

header __TEST_CC_1 Cc =~ /(.*?(@).*?){1,}/i
header __TEST_CC_2 Cc =~ /(.*?(@).*?){2,}/i
header __TEST_CC_3 Cc =~ /(.*?(@).*?){3,}/i
header __TEST_CC_4 Cc =~ /(.*?(@).*?){4,}/i
header __TEST_CC_5 Cc =~ /(.*?(@).*?){5,}/i
header __TEST_CC_6 Cc =~ /(.*?(@).*?){6,}/i
header __TEST_CC_7 Cc =~ /(.*?(@).*?){7,}/i
header __TEST_CC_8 Cc =~ /(.*?(@).*?){8,}/i
header __TEST_CC_9 Cc =~ /(.*?(@).*?){9,}/i
header __TEST_CC_10 Cc =~ /(.*?(@).*?){10,}/i

#just for testing purposes
#meta TEST_TO_1_CC_1 (__TEST_TO_1 && __TEST_CC_1)
#

meta TEST_TO_1_CC_9 (__TEST_TO_1 && __TEST_CC_9)
meta TEST_TO_2_CC_8 (__TEST_TO_2 && __TEST_CC_8)
meta TEST_TO_3_CC_7 (__TEST_TO_3 && __TEST_CC_7)
meta TEST_TO_4_CC_6 (__TEST_TO_4 && __TEST_CC_6)
meta TEST_TO_5_CC_5 (__TEST_TO_5 && __TEST_CC_5)
meta TEST_TO_6_CC_4 (__TEST_TO_6 && __TEST_CC_4)
meta TEST_TO_7_CC_3 (__TEST_TO_7 && __TEST_CC_3)
meta TEST_TO_8_CC_2 (__TEST_TO_8 && __TEST_CC_2)
meta TEST_TO_9_CC_1 (__TEST_TO_9 && __TEST_CC_1)
meta TEST_TO_10_CC_0 (__TEST_TO_10)
meta TEST_TO_10_CC_0 (__TEST_CC_10)

score TEST_TO_1_CC_1 0.01
score TEST_TO_1_CC_9 0.01
score TEST_TO_2_CC_8 0.01
score TEST_TO_3_CC_7 0.01
score TEST_TO_4_CC_6 0.01
score TEST_TO_5_CC_5 0.01
score TEST_TO_6_CC_4 0.01
score TEST_TO_7_CC_3 0.01
score TEST_TO_8_CC_2 0.01
score TEST_TO_9_CC_1 0.01
score TEST_TO_10_CC_0 0.01
score TEST_TO_0_CC_10 0.01

hope it helps!
> > > David Gottschalk > UTS Email team > david.gottschalk@emory.edu > > > This e-mail message (including any attachments) is for the sole use of > the intended recipient(s) and may contain confidential and privileged > information. If the reader of this message is not the intended > recipient, you are hereby notified that any dissemination, distribution > or copying of this message (including any attachments) is strictly > prohibited. > > If you have received this message in error, please contact > the sender by reply e-mail message and destroy all copies of the > original message (including attachments). > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090724/a819e33c/attachment.html From mark at msapiro.net Sat Jul 25 15:08:14 2009 
From: mark at msapiro.net (Mark Sapiro) Date: Sat Jul 25 15:08:25 2009 Subject: Recipient Limitation(s) In-Reply-To: <7d9b3cf20907241256t7c9efe8xf0e543e5e724ae8c@mail.gmail.com> References: <7d9b3cf20907241256t7c9efe8xf0e543e5e724ae8c@mail.gmail.com> Message-ID: <20090725140814.GA3244@msapiro> On Fri, Jul 24, 2009 at 04:56:13PM -0300, Eduardo Casarero wrote: > 2009/7/22 Gottschalk, David > > > Is it possible to setup MailScanner to block/quarantine messages over a > > certain number of recipients? I want to do this because we have a lot of > > accounts being compromised and sending out emails to a large number of > > recipients. I think this would be a good proactive measure. > > > > I've looked into spamassassin doing this, but cannot find anything that > > would give me the ability to do this. > > > > Any tips would be appreciated, I've searched all around and haven't found > > anything. > > > Some time ago i wrote this rule for SpamAssassin, i didnt test it a lot, so > test it with precaution. I was for someone with the same problem than you. > > the logic of the rule is that if the email has more than 10 recipients at > least 1 rule will hit, with combination is probable than more than one hits. > you can also generate a new meta rule to have only 1 hit with an OR. 
> > header __TEST_TO_1 To =~ /(.*?(@).*?){1,}/i > header __TEST_TO_2 To =~ /(.*?(@).*?){2,}/i > header __TEST_TO_3 To =~ /(.*?(@).*?){3,}/i > header __TEST_TO_4 To =~ /(.*?(@).*?){4,}/i > header __TEST_TO_5 To =~ /(.*?(@).*?){5,}/i > header __TEST_TO_6 To =~ /(.*?(@).*?){6,}/i > header __TEST_TO_7 To =~ /(.*?(@).*?){7,}/i > header __TEST_TO_8 To =~ /(.*?(@).*?){8,}/i > header __TEST_TO_9 To =~ /(.*?(@).*?){9,}/i > header __TEST_TO_10 To =~ /(.*?(@).*?){10,}/i > > header __TEST_CC_1 Cc =~ /(.*?(@).*?){1,}/i > header __TEST_CC_2 Cc =~ /(.*?(@).*?){2,}/i > header __TEST_CC_3 Cc =~ /(.*?(@).*?){3,}/i > header __TEST_CC_4 Cc =~ /(.*?(@).*?){4,}/i > header __TEST_CC_5 Cc =~ /(.*?(@).*?){5,}/i > header __TEST_CC_6 Cc =~ /(.*?(@).*?){6,}/i > header __TEST_CC_7 Cc =~ /(.*?(@).*?){7,}/i > header __TEST_CC_8 Cc =~ /(.*?(@).*?){8,}/i > header __TEST_CC_9 Cc =~ /(.*?(@).*?){9,}/i > header __TEST_CC_10 Cc =~ /(.*?(@).*?){10,}/i > > #just for testing purposes > #meta TEST_TO_1_CC_1 (__TEST_TO_1 && __TEST_CC_1) > # > > meta TEST_TO_1_CC_9 (__TEST_TO_1 && __TEST_CC_9) > meta TEST_TO_2_CC_8 (__TEST_TO_2 && __TEST_CC_8) > meta TEST_TO_3_CC_7 (__TEST_TO_3 && __TEST_CC_7) > meta TEST_TO_4_CC_6 (__TEST_TO_4 && __TEST_CC_6) > meta TEST_TO_5_CC_5 (__TEST_TO_5 && __TEST_CC_5) > meta TEST_TO_6_CC_4 (__TEST_TO_6 && __TEST_CC_4) > meta TEST_TO_7_CC_3 (__TEST_TO_7 && __TEST_CC_3) > meta TEST_TO_8_CC_2 (__TEST_TO_8 && __TEST_CC_2) > meta TEST_TO_9_CC_1 (__TEST_TO_9 && __TEST_CC_1) > meta TEST_TO_10_CC_0 (__TEST_TO_10) > meta TEST_TO_10_CC_0 (__TEST_CC_10) I think the above line has a typo. It should be meta TEST_TO_0_CC_10 (__TEST_CC_10) > score TEST_TO_1_CC_1 0.01 > score TEST_TO_1_CC_9 0.01 > score TEST_TO_2_CC_8 0.01 > score TEST_TO_3_CC_7 0.01 > score TEST_TO_4_CC_6 0.01 > score TEST_TO_5_CC_5 0.01 > score TEST_TO_6_CC_4 0.01 > score TEST_TO_7_CC_3 0.01 > score TEST_TO_8_CC_2 0.01 > score TEST_TO_9_CC_1 0.01 > score TEST_TO_10_CC_0 0.01 > score TEST_TO_0_CC_10 0.01 > > hope it helps! 
The potential issue with this is it is looking at the To: and Cc: headers of the message and not at the number of envelope recipients. If this is what is wanted, fine, but keep in mind that the To: and Cc: headers don't necessarily bear any relation to the actual message recipients. -- Mark Sapiro mark at msapiro net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From steve.freegard at fsl.com Sat Jul 25 16:56:37 2009 
From: steve.freegard at fsl.com (Steve Freegard) Date: Sat Jul 25 16:56:50 2009 Subject: Recipient Limitation(s) In-Reply-To: <20090725140814.GA3244@msapiro> References: <7d9b3cf20907241256t7c9efe8xf0e543e5e724ae8c@mail.gmail.com> <20090725140814.GA3244@msapiro> Message-ID: <4A6B2B35.1000401@fsl.com> Mark Sapiro wrote: > On Fri, Jul 24, 2009 at 04:56:13PM -0300, Eduardo Casarero wrote: >> 2009/7/22 Gottschalk, David >> >>> Is it possible to setup MailScanner to block/quarantine messages over a >>> certain number of recipients? I want to do this because we have a lot of >>> accounts being compromised and sending out emails to a large number of >>> recipients. I think this would be a good proactive measure. >>> >>> I've looked into spamassassin doing this, but cannot find anything that >>> would give me the ability to do this. >>> >>> Any tips would be appreciated, I've searched all around and haven't found >>> anything. >> >> Some time ago i wrote this rule for SpamAssassin, i didnt test it a lot, so >> test it with precaution. I was for someone with the same problem than you. >> >> the logic of the rule is that if the email has more than 10 recipients at >> least 1 rule will hit, with combination is probable than more than one hits. >> you can also generate a new meta rule to have only 1 hit with an OR. 
>> >> header __TEST_TO_1 To =~ /(.*?(@).*?){1,}/i >> header __TEST_TO_2 To =~ /(.*?(@).*?){2,}/i >> header __TEST_TO_3 To =~ /(.*?(@).*?){3,}/i >> header __TEST_TO_4 To =~ /(.*?(@).*?){4,}/i >> header __TEST_TO_5 To =~ /(.*?(@).*?){5,}/i >> header __TEST_TO_6 To =~ /(.*?(@).*?){6,}/i >> header __TEST_TO_7 To =~ /(.*?(@).*?){7,}/i >> header __TEST_TO_8 To =~ /(.*?(@).*?){8,}/i >> header __TEST_TO_9 To =~ /(.*?(@).*?){9,}/i >> header __TEST_TO_10 To =~ /(.*?(@).*?){10,}/i >> >> header __TEST_CC_1 Cc =~ /(.*?(@).*?){1,}/i >> header __TEST_CC_2 Cc =~ /(.*?(@).*?){2,}/i >> header __TEST_CC_3 Cc =~ /(.*?(@).*?){3,}/i >> header __TEST_CC_4 Cc =~ /(.*?(@).*?){4,}/i >> header __TEST_CC_5 Cc =~ /(.*?(@).*?){5,}/i >> header __TEST_CC_6 Cc =~ /(.*?(@).*?){6,}/i >> header __TEST_CC_7 Cc =~ /(.*?(@).*?){7,}/i >> header __TEST_CC_8 Cc =~ /(.*?(@).*?){8,}/i >> header __TEST_CC_9 Cc =~ /(.*?(@).*?){9,}/i >> header __TEST_CC_10 Cc =~ /(.*?(@).*?){10,}/i >> >> #just for testing purposes >> #meta TEST_TO_1_CC_1 (__TEST_TO_1 && __TEST_CC_1) >> # >> >> meta TEST_TO_1_CC_9 (__TEST_TO_1 && __TEST_CC_9) >> meta TEST_TO_2_CC_8 (__TEST_TO_2 && __TEST_CC_8) >> meta TEST_TO_3_CC_7 (__TEST_TO_3 && __TEST_CC_7) >> meta TEST_TO_4_CC_6 (__TEST_TO_4 && __TEST_CC_6) >> meta TEST_TO_5_CC_5 (__TEST_TO_5 && __TEST_CC_5) >> meta TEST_TO_6_CC_4 (__TEST_TO_6 && __TEST_CC_4) >> meta TEST_TO_7_CC_3 (__TEST_TO_7 && __TEST_CC_3) >> meta TEST_TO_8_CC_2 (__TEST_TO_8 && __TEST_CC_2) >> meta TEST_TO_9_CC_1 (__TEST_TO_9 && __TEST_CC_1) >> meta TEST_TO_10_CC_0 (__TEST_TO_10) >> meta TEST_TO_10_CC_0 (__TEST_CC_10) > > > I think the above line has a typo. 
It should be
>
> meta TEST_TO_0_CC_10 (__TEST_CC_10)
>
>
>> score TEST_TO_1_CC_1 0.01
>> score TEST_TO_1_CC_9 0.01
>> score TEST_TO_2_CC_8 0.01
>> score TEST_TO_3_CC_7 0.01
>> score TEST_TO_4_CC_6 0.01
>> score TEST_TO_5_CC_5 0.01
>> score TEST_TO_6_CC_4 0.01
>> score TEST_TO_7_CC_3 0.01
>> score TEST_TO_8_CC_2 0.01
>> score TEST_TO_9_CC_1 0.01
>> score TEST_TO_10_CC_0 0.01
>> score TEST_TO_0_CC_10 0.01
>>
>> hope it helps!
>
>
> The potential issue with this is it is looking at the To: and Cc:
> headers of the message and not at the number of envelope recipients.
>
> If this is what is wanted, fine, but keep in mind that the To: and
> Cc: headers don't necessarily bear any relation to the actual message
> recipients.
>

These rules could also be simplified considerably and reduce their overhead by better regexp (using capturing parenthesis in SA simply wastes memory) so:

header COUNT_TO To =~ /(?:\S+@\S+)/
tflags COUNT_TO multiple
score COUNT_TO 0.1

header COUNT_CC Cc =~ /(?:\S+@\S+)/
tflags COUNT_CC multiple
score COUNT_CC 0.1

These would add 0.1 for every e-mail address in the To and Cc headers; to 20 recipients would add 2 to the computed score.

Regards,
Steve.

From simon at kmun.gov.kw Sun Jul 26 07:30:11 2009
From: simon at kmun.gov.kw (Benedict simon) Date: Sun Jul 26 07:27:21 2009 Subject: Recipient Limitation query: thanksss In-Reply-To: References: <09777D7D-93B3-4C57-8B3E-66813594439D@globeserver.com> <4A6823B1.6090806@ecs.soton.ac.uk> Message-ID: <27d75ca473fb01475375a2d3310edaa5.squirrel@webmail.baladia.gov.kw> Thanks and really apprecite ur immediate reply julian actually i was just tring to dig into sendmail.mc file for the MaxRecipientsPerMessage entry and did not check my sendmail.cf file anyway its there in sendmail.cf file and i did do the changes . thanks again for the reply regards simon but jus wondering why the MaxRecipientsPerMessage or similar directive was not there in sendmail.mc file > A very quick Google resulted in this from the sendmail documentation: > > confMAX_RCPTS_PER_MESSAGE MaxRecipientsPerMessage [infinite] If > set, allow no more than the specified number of recipients in an SMTP > envelope. Further recipients receive a 452 error code (i.e., they are > deferred for the next delivery attempt). > > Is that close enough to what you need? > > On 23/07/2009 09:24, Benedict simon wrote: >> Dear All, >> >> just read the message >> by the way i do wd like to implement something like this cause i do >> sometimes do get one spam email being send to many of my email users >> >> MailSacnner infact marks it as spam which is fine >> but if it could be done at the MTA level it would be much much better >> >> i have sendmail-8.13.8-2.el5 running on centos 5 but i was just checking >> in my sendmail.mc file and could not find any Max recipentspermessage or >> some similar option >> Apprecite you advice nad help >> >> >> regards >> >> >> simon >> >> >> >>> Phil, >>> Thanks for the reply. I was aware that sendmail can do that, I >>> was >>> just hoping that MailScanner/Spamassassin could so I could get >>> granular and define it by domain, etc. >>> >>> Thanks for the help! 
>>> >>> David Gottschalk >>> UTS Email team >>> david.gottschalk@emory.edu >>> >>> >>> -----Original Message----- 
>>> From: mailscanner-bounces@lists.mailscanner.info >>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Philip >>> Butler >>> Sent: Wednesday, July 22, 2009 11:33 AM >>> To: MailScanner discussion >>> Subject: Re: Recipient Limitation(s) >>> >>> David, >>> >>> There's a way to do this in your sendmail configuration (assuming you >>> are running sendmail): >>> >>> O MaxRecipientsPerMessage=n (where n is the max number of >>> recipients) >>> >>> I am sure a good google search will explain more on this setting. >>> >>> If you are not running sendmail, this will be of no use to you. >>> >>> The advantage/disadvantage of this is that it runs before MailScanner >>> is involved. This is an advantage in that the message is quickly >>> rejected (and the sender notified) before MailScanner has to process >>> it. It is a disadvantage in that it won't be seen by MailScanner and >>> therefore not quarantined for analysis. >>> >>> My 2 cents worth... >>> >>> Phil Butler >>> >>> On Jul 22, 2009, at 11:13 AM, Gottschalk, David wrote: >>> >>> >>>> Is it possible to setup MailScanner to block/quarantine messages >>>> over a certain number of recipients? I want to do this because we >>>> have a lot of accounts being compromised and sending out emails to a >>>> large number of recipients. I think this would be a good proactive >>>> measure. >>>> >>>> I've looked into spamassassin doing this, but cannot find anything >>>> that would give me the ability to do this. >>>> >>>> Any tips would be appreciated, I've searched all around and haven't >>>> found anything. >>>> >>>> David Gottschalk >>>> UTS Email team >>>> david.gottschalk@emory.edu >>>> >>>> >>>> This e-mail message (including any attachments) is for the sole use of >>>> the intended recipient(s) and may contain confidential and privileged >>>> information. 
If the reader of this message is not the intended >>>> recipient, you are hereby notified that any dissemination, >>>> distribution >>>> or copying of this message (including any attachments) is strictly >>>> prohibited. >>>> >>>> If you have received this message in error, please contact >>>> the sender by reply e-mail message and destroy all copies of the >>>> original message (including attachments). >>>> -- >>>> MailScanner mailing list >>>> mailscanner@lists.mailscanner.info >>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>>> >>>> Before posting, read http://wiki.mailscanner.info/posting >>>> >>>> Support MailScanner development - buy the book off the website! >>>> >>> -- >>> MailScanner mailing list >>> mailscanner@lists.mailscanner.info >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>> >>> Before posting, read http://wiki.mailscanner.info/posting >>> >>> Support MailScanner development - buy the book off the website! >>> >>> This e-mail message (including any attachments) is for the sole use of >>> the intended recipient(s) and may contain confidential and privileged >>> information. If the reader of this message is not the intended >>> recipient, you are hereby notified that any dissemination, distribution >>> or copying of this message (including any attachments) is strictly >>> prohibited. >>> >>> If you have received this message in error, please contact >>> the sender by reply e-mail message and destroy all copies of the >>> original message (including attachments). >>> -- >>> MailScanner mailing list >>> mailscanner@lists.mailscanner.info >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>> >>> Before posting, read http://wiki.mailscanner.info/posting >>> >>> Support MailScanner development - buy the book off the website! >>> >>> -- >>> This message has been scanned for viruses and >>> dangerous content by MailScanner, and is >>> believed to be clean. 
>>> >>> >>> >> >> > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > Follow me at twitter.com/JulesFM and twitter.com/MailScanner > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > -- Network ADMIN ------------- KUWAIT MUNICIPALITY: -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From micoots at yahoo.com Sun Jul 26 07:27:58 2009 
From: micoots at yahoo.com (Michael Mansour) Date: Sun Jul 26 07:28:10 2009 Subject: Multiple MailScanner instances for multiple chroot sendmail Message-ID: <712902.85290.qm@web33308.mail.mud.yahoo.com> Hi, I'm building a HA cluster and trying to work out how to have multiple MailScanner instances for each cluster app. To describe the basic setup... 2 cluster nodes 2 cluster apps, one on each node Each cluster app has it's own chroot'ed sendmail (to cater for each cluster app handling mail and inboxes within itself). That all works fine and listens on the relevant ports on the floating IP's defined in the cluster app for sendmail. I'm now trying to get MailScanner to work with the chroot'ed sendmail, with the aim of having two sendmail's (MailScanner's) running on the same node if/when the other node fails the cluster app over. Firstly for the chroot'ed sendmail, what modifications does MailScanner need to know about to run the chroot'ed sendmail? Say sendmail's chroot'ed directory is: /chroot/sendmailn where n = 1 or 2 (sync'ed between nodes). In the chroot'ed environment, sendmail runs as a non-privileged user named "sendmail" and is part of the "mail" group. Starting sendmail is done using: # chroot /chroot/sendmailn /usr/sbin/sendmail Do I need to install a chroot'ed MailScanner within the /chroot/sendmailn tree? Note these run on Red Hat based EL5 series boxes. I already installed MailScanner on each node using MS RPM download. So you know, I've tried various things before emailing the list. In the: /etc/sysconfig/MailScanner file I changed: SENDMAIL=/usr/sbin/sendmail to SENDMAIL="/usr/sbin/chroot /chroot/sendmailn /usr/sbin/sendmail" I also changed the "Run As User = sendmail" and "Run As Group = mail". I also played with "Incoming Queue Dir" and "Outgoing Queue Dir" before realising this may not work without multiple MailScanner instances. Hence emailing the list. I appreciate any help or advice. Thank you. Michael. 
____________________________________________________________________________________ Access Yahoo!7 Mail on your mobile. Anytime. Anywhere. Show me how: http://au.mobile.yahoo.com/mail From chris at techquility.net Sun Jul 26 15:58:19 2009 
From: chris at techquility.net (Chris Barber) Date: Sun Jul 26 15:58:33 2009 Subject: Spamassassin timeouts In-Reply-To: References: <003501ca0b92$d14521e0$73cf65a0$@dk> <72cf361e0907230631s110df8aey2fb7ddb02db6b8c9@mail.gmail.com><008801ca0ba2$4fde80f0$ef9b82d0$@dk><4A68914E.5070803@ecs.soton.ac.uk> Message-ID: <43F62CA225017044BC84CFAF92B4333B06F992@sbsserver.Techquility.net> >On 23/07/2009 15:31, Jonas A. Larsen wrote: >> >> I actualy traced it down to all the timeouts happening around 05:00. >> >> That is when the mysql backup runs, so I think it must be some some >> sort of mysql being unavailable while the backup runs. >>> >What other cron jobs happen on your system around then? Such as all the >ones in /etc/cron.daily? (Your /etc/crontab will tell you when those get >run). It may be that is when the sa-rebuild happens, which is when it >cleans up the Bayes database and removes all the old tokens from it. >This makes Bayes unavailable for quite a while. Look for "Bayes" in >MailScanner.conf and you will find there are some configuration options >to alter this behaviour. > >> I use mysql for both mailwatch and bayes. >> >> However I still believe a retry function for SA timeouts would be nice >> to have in MS. >> >> Julian: Please add it to wish list J >> >> *From:* mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] *On Behalf Of >> *Martin Hepworth >> *Sent:* 23. juli 2009 15:31 >> *To:* MailScanner discussion >> *Subject:* Re: Spamassassin timeouts >> >> Hi >>> >> normally this is either due to >> >> 1) DNS issues (lots of RBLs - have you got most of them turned off?), >> >> 2) bayes (have you got this running on a faster SDBM database than the >>> default I recently had a server that was having spamassassin timeouts and showing mysql using a lot of cpu. Turned out on this server the cron job for cleaning up bayes was missing so the bayes tables were growing uncontrollably. 
Running sa-learn --force-expire, and then running an optimize table on all bayes tables, cleaned this up. Then we added a cron job to clean up bayes every night.

-Chris

From mark at msapiro.net Sun Jul 26 18:54:56 2009
From: mark at msapiro.net (Mark Sapiro)
Date: Sun Jul 26 18:55:05 2009
Subject: Recipient Limitation(s)
In-Reply-To: <4A6B2B35.1000401@fsl.com>
References: <7d9b3cf20907241256t7c9efe8xf0e543e5e724ae8c@mail.gmail.com> <20090725140814.GA3244@msapiro> <4A6B2B35.1000401@fsl.com>
Message-ID: <20090726175456.GA1076@msapiro>

On Sat, Jul 25, 2009 at 04:56:37PM +0100, Steve Freegard wrote:
>
> These rules could also be simplified considerably and reduce their
> overhead by better regexp (using capturing parenthesis in SA simply
> wastes memory) so:
>
> header COUNT_TO To =~ /(?:\S+@\S+)/
> tflags COUNT_TO multiple
> score COUNT_TO 0.1
>
> header COUNT_CC Cc =~ /(?:\S+@\S+)/
> tflags COUNT_CC multiple
> score COUNT_CC 0.1
>
> These would add 0.1 for every e-mail address in the To and Cc headers;
> to 20 recipients would add 2 to the computed score.

Actually, I think the above regexps would better be something like

header COUNT_TO To =~ /(?:[^@,\s]+@[^@,\s]+)/

header COUNT_CC Cc =~ /(?:[^@,\s]+@[^@,\s]+)/

Otherwise they match the whole header value in something like

To: ,

--
Mark Sapiro mark at msapiro net       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From todd at fries.net Sun Jul 26 20:59:00 2009
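The To/Cc counting rules from the Recipient Limitation(s) thread above, as an added example (not code posted by anyone on the list): a Python model that compares the two COUNT_TO patterns and contrasts header counts with envelope recipients. The sample headers, the SMTP session and the function names are constructed for illustration, and counting one hit per non-overlapping match is an assumed model of `tflags multiple`.

```python
import re

# Patterns quoted from the thread. SpamAssassin rules are Perl regexes;
# these two behave the same under Python's re module.
LOOSE = re.compile(r"(?:\S+@\S+)")             # first COUNT_TO/COUNT_CC proposal
STRICT = re.compile(r"(?:[^@,\s]+@[^@,\s]+)")  # follow-up suggestion

SCORE_PER_HIT = 0.1  # "score COUNT_TO 0.1" from the thread


def count_hits(pattern, header_value):
    """Assumed model of 'tflags multiple': one hit per non-overlapping match."""
    return sum(1 for _ in pattern.finditer(header_value))


def header_score(pattern, to_value="", cc_value=""):
    """Score contributed by the COUNT_TO and COUNT_CC rules together."""
    hits = count_hits(pattern, to_value) + count_hits(pattern, cc_value)
    return round(hits * SCORE_PER_HIT, 2)


RCPT_RE = re.compile(r"^RCPT TO:\s*<([^>]*)>", re.IGNORECASE)


def envelope_recipients(smtp_lines):
    """Addresses named in SMTP RCPT TO commands: the real delivery list."""
    found = []
    for line in smtp_lines:
        m = RCPT_RE.match(line)
        if m:
            found.append(m.group(1))
    return found


def header_value(smtp_lines, name):
    """Value of the first `name:` header after DATA ('' if absent).
    Simplification: folded (multi-line) headers are not unfolded."""
    in_data = False
    for line in smtp_lines:
        if not in_data:
            in_data = line.upper() == "DATA"
            continue
        if line == "":  # blank line ends the header block
            break
        if line.lower().startswith(name.lower() + ":"):
            return line.split(":", 1)[1].strip()
    return ""


# --- constructed sample input -------------------------------------------
SPACED = "a@example.com, b@example.com, c@example.com"
PACKED = "<a@example.com>,<b@example.com>,<c@example.com>"  # no whitespace
TWENTY = ", ".join("user%d@example.com" % i for i in range(20))

# A message sent to 25 envelope recipients whose To: header names none of them.
BULK_SESSION = (
    ["MAIL FROM:<sender@example.org>"]
    + ["RCPT TO:<rcpt%d@example.net>" % i for i in range(25)]
    + ["DATA", "To: undisclosed-recipients:;", "Subject: hello", "", "body", "."]
)

if __name__ == "__main__":
    for label, value in (("spaced", SPACED), ("packed", PACKED)):
        print("%-7s loose=%d strict=%d" % (
            label, count_hits(LOOSE, value), count_hits(STRICT, value)))
    print("20 recipients score:", header_score(STRICT, TWENTY))
    to_hdr = header_value(BULK_SESSION, "To")
    print("bulk session: header hits=%d, envelope recipients=%d" % (
        count_hits(STRICT, to_hdr), len(envelope_recipients(BULK_SESSION))))
```

The last case is why a header-based score cannot replace an envelope limit such as sendmail's MaxRecipientsPerMessage: the header count is 0 while 25 recipients are addressed.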
From: todd at fries.net (Todd T. Fries)
Date: Sun Jul 26 21:00:19 2009
Subject: dspam for MailScanner
In-Reply-To: <9173fd7e0907231955y502e5d99r14d29ce0d2cbe8b4@mail.gmail.com>
References: <20090719215042.GE18795@fries.net> <223f97700907210438saa73651tcaafb5618b84594b@mail.gmail.com> <9173fd7e0907231955y502e5d99r14d29ce0d2cbe8b4@mail.gmail.com>
Message-ID: <20090726195900.GA28310@fries.net>

Penned by R Wahyudi on 20090724 12:55.04, we have:
| Hi Todd,
|
| How does dpsam performed compared to standard SpamAssassin Bayes ?
| I was trying to replace SpamAssassin Bayes years ago with dspam but
| didn't end up completing it
|
| Can you give me details on your email statistics ( eg how many email
| you receive / second )
| and what sort of database hardware do you have ?
|
| Regards,
| Rianto Wahyudi

At the time I switched to dspam, I couldn't figure out how to train spamassassin. Memory wise and cpu wise, dspam is much more lightweight. Given I didn't know how to train spamassassin (I have since been told how, but am reluctant to switch back even for testing) I found the training of dspam to take a bit (as advertised) but once trained to get very accurate very quickly.

In a few years of service, my personal stats are these:

todd@fries.net:
    TP True Positives: 235830
    TN True Negatives: 828592
    FP False Positives: 2665
    FN False Negatives: 1409
    SC Spam Corpusfed: 0
    NC Nonspam Corpusfed: 0
    TL Training Left: 0
    SHR Spam Hit Rate 99.41%
    HSR Ham Strike Rate: 0.32%
    OCA Overall Accuracy: 99.62%

I do have some mailing list archives, and training them is a little more sporadic:

openbsd@email.fries.net:
    TP True Positives: 5725
    TN True Negatives: 226221
    FP False Positives: 5158
    FN False Negatives: 180
    SC Spam Corpusfed: 0
    NC Nonspam Corpusfed: 0
    TL Training Left: 0
    SHR Spam Hit Rate 96.95%
    HSR Ham Strike Rate: 2.23%
    OCA Overall Accuracy: 97.75%

.. but all in all, I've been very satisfied with dspam.
My father has quite a different set of stats, but it has also helped him greatly:

tyrone@fries.net:
    TP True Positives: 26294
    TN True Negatives: 3791
    FP False Positives: 85
    FN False Negatives: 2144
    SC Spam Corpusfed: 0
    NC Nonspam Corpusfed: 0
    TL Training Left: 0
    SHR Spam Hit Rate 92.46%
    HSR Ham Strike Rate: 2.19%
    OCA Overall Accuracy: 93.10%

My hardware is old PATA interface disk serving a postgresql database that has been tweaked a bit to perform well, and I do pruning/reindexing/etc every two nights, not every night.

If you have the desire to help your spam filter be razor sharp and feel very gratified by being able to help train it by giving feedback every time it gets a false negative (true mail marked as spam) or a false positive (true spam not marked as spam) then dspam is really a good thing to use.

The rub comes in trying to get people to do it when they don't quite have the above understanding, desire, or both.

| On Tue, Jul 21, 2009 at 9:38 PM, Glenn Steen wrote:
| > 2009/7/19 Todd T. Fries :
| >> I've been using this for a few years now, and keep forgetting to
| >> contribute it back.
| >>
| >> This is my own work, I couldn't be more pleased if MailScanner took it
| >> and made the equivalent or better functionality in the default
| >> distribution.
| >>
| >> If I can polish it or whatever, please let me know, if it saves you
| >> work.
| >>
| > If Jules doesn't decide to include this... then put it all in the
| > wiki;)... After all, that's what it's there for...
| >
| > Cheers
| > --
| > -- Glenn
| > email: glenn < dot > steen < at > gmail < dot > com
| > work: glenn < dot > steen < at > ap1 < dot > se
| > --
| > MailScanner mailing list
| > mailscanner@lists.mailscanner.info
| > http://lists.mailscanner.info/mailman/listinfo/mailscanner
| >
| > Before posting, read http://wiki.mailscanner.info/posting
| >
| > Support MailScanner development - buy the book off the website!
| > | -- | MailScanner mailing list | mailscanner@lists.mailscanner.info | http://lists.mailscanner.info/mailman/listinfo/mailscanner | | Before posting, read http://wiki.mailscanner.info/posting | | Support MailScanner development - buy the book off the website! -- Todd Fries .. todd@fries.net _____________________________________________ | \ 1.636.410.0632 (voice) | Free Daemon Consulting, LLC \ 1.405.227.9094 (voice) | http://FreeDaemonConsulting.com \ 1.866.792.3418 (FAX) | "..in support of free software solutions." \ sip:freedaemon@ekiga.net | \ sip:4052279094@ekiga.net \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ 37E7 D3EB 74D0 8D66 A68D B866 0326 204E 3F42 004A http://todd.fries.net/pgp.txt From marco.mangione at gmail.com Mon Jul 27 11:29:21 2009 From: marco.mangione at gmail.com (Marco mangione) Date: Mon Jul 27 11:29:30 2009 Subject: help - big queue slow load Message-ID: Hello, i have a big queue: 3800mails and very slow load: 0.20 seems postfix and mailscanner dont want use server resource to speed up ... any idea? marco -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090727/b3b10abb/attachment.html From MailScanner at ecs.soton.ac.uk Mon Jul 27 11:49:27 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jul 27 11:49:46 2009 Subject: help - big queue slow load In-Reply-To: References: <4A6D8637.5080407@ecs.soton.ac.uk> Message-ID: Most likely DNS lookups. Check your DNS is working properly and you can reach all the blacklists you use very quickly. Start by doing a "MailScanner --debug --sa-debug" and watch for any long pauses. On 27/07/2009 11:29, Marco mangione wrote: > Hello, > > i have a big queue: 3800mails and very slow load: 0.20 seems postfix > and mailscanner dont want use server resource to speed up ... any idea? > > marco Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ssilva at sgvwater.com Mon Jul 27 20:04:09 2009 From: ssilva at sgvwater.com (Scott Silva) Date: Mon Jul 27 20:04:30 2009 Subject: More descriptive body spam message In-Reply-To: References: <4A6842E3.7050109@gmail.com> <4A68908C.7030101@ecs.soton.ac.uk> Message-ID: > Add a spam action "encapsulate" and you will find you get a lot of that. > > Jules > Is that new? I don't remember seeing that one. Not even in the docs on the website that I can find. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 258 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090727/e14189a1/signature.bin From MailScanner at ecs.soton.ac.uk Mon Jul 27 20:43:13 2009 
From: MailScanner at ecs.soton.ac.uk (Jules Field) Date: Mon Jul 27 20:43:34 2009 Subject: More descriptive body spam message In-Reply-To: References: <4A6842E3.7050109@gmail.com> <4A68908C.7030101@ecs.soton.ac.uk> <4A6E0351.8050001@ecs.soton.ac.uk> Message-ID: On 27/07/2009 20:04, Scott Silva wrote: > > > >> Add a spam action "encapsulate" and you will find you get a lot of that. >> >> Jules >> >> > Is that new? I don't remember seeing that one. Not even in the docs on the > website that I can find. > Sorry, my mistake, it's called "attachment" for the users and not "encapsulate" (that's what I used for the name internally, not what appears in MailScanner.conf. It's documented in the "Spam Actions" in MailScanner.conf and at http://www.mailscanner.info/MailScanner.conf.index.html#Spam%20Actions Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From marco.mangione at gmail.com Tue Jul 28 09:48:42 2009 
From: marco.mangione at gmail.com (Marco mangione)
Date: Tue Jul 28 09:48:51 2009
Subject: help - big queue slow load
In-Reply-To:
References: <4A6D8637.5080407@ecs.soton.ac.uk>
Message-ID:

DNS are ok. resolution are quick.
can i try to increase parallels postfix or mailscanner process ?
server have much cpu and ram unused...

2009/7/27 Julian Field

> Most likely DNS lookups. Check your DNS is working properly and you can
> reach all the blacklists you use very quickly.
>
> Start by doing a "MailScanner --debug --sa-debug" and watch for any long
> pauses.
>
> On 27/07/2009 11:29, Marco mangione wrote:
>
>> Hello,
>>
>> i have a big queue: 3800mails and very slow load: 0.20 seems postfix and
>> mailscanner dont want use server resource to speed up ... any idea?
>>
>> marco
>
> Jules

From MailScanner at ecs.soton.ac.uk Tue Jul 28 10:16:47 2009
From: MailScanner at ecs.soton.ac.uk (MailScanner)
Date: Tue Jul 28 10:17:07 2009
Subject: help - big queue slow load
In-Reply-To:
References: <4A6D8637.5080407@ecs.soton.ac.uk>
Message-ID:

If the mail is only being processed very slowly, then unless you have the
parallelism set too *high* (Max Children should be 5 to start with) then
there must be some good reason why it is taking a long time. Set
"Log Speed = yes" in MailScanner.conf and restart MailScanner. Then look
at your logs and work out what is taking all the time?

When you ran with "--debug --sa-debug", were there any long pauses in the
output? There shouldn't be, once it has started doing the spam scanning.

Also, you can try switching off the spam scanning altogether, just to
double check that is where the problem lies and not in your virus scanning.
What is "Virus Scanners =" set to in MailScanner.conf?

On Tue, 28 Jul 2009 10:48:42 +0200, Marco mangione wrote:

DNS are ok. resolution are quick.
can i try to increase parallels postfix or mailscanner process ?
server have much cpu and ram unused...

2009/7/27 Julian Field

Most likely DNS lookups. Check your DNS is working properly and you can
reach all the blacklists you use very quickly.

Start by doing a "MailScanner --debug --sa-debug" and watch for any long
pauses.

On 27/07/2009 11:29, Marco mangione wrote:

Hello,

i have a big queue: 3800mails and very slow load: 0.20 seems postfix and
mailscanner dont want use server resource to speed up ... any idea?

marco

Jules

--
Jules
MailScanner@ecs.soton.ac.uk

From michele at blacknight.ie Tue Jul 28 11:49:02 2009
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Tue Jul 28 11:49:11 2009
Subject: OT: AV Vendors For Desktops With API
Message-ID:

Hi all

Long time since I've posted to this list :)

Can anyone recommend or have any experience of AV vendors offering desktop
solutions with an API? ie. for ordering licenses

TIA

Michele

Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
http://www.blacknight.com/
http://blog.blacknight.com/
http://mneylon.tel
Intl. +353 (0) 59 9183072
US: 213-233-1612
UK: 0844 484 9361
Locall: 1850 929 929
Fax. +353 (0) 1 4811 763
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,Ireland Company No.: 370845

From marco.mangione at gmail.com Tue Jul 28 12:03:49 2009
From: marco.mangione at gmail.com (Marco mangione)
Date: Tue Jul 28 12:03:58 2009
Subject: help - big queue slow load
In-Reply-To:
References: <4A6D8637.5080407@ecs.soton.ac.uk>
Message-ID:

seems there are some hang when mailscanner connect to SA db .. that is
bigger than 2GB.... what can i do in this case ?

2009/7/28 MailScanner

> If the mail is only being processed very slowly, then unless you have the
> parallelism set too *high* (Max Children should be 5 to start with) then
> there must be some good reason why it is taking a long time. Set
> "Log Speed = yes" in MailScanner.conf and restart MailScanner. Then look
> at your logs and work out what is taking all the time?
>
> When you ran with "--debug --sa-debug", were there any long pauses in the
> output? There shouldn't be, once it has started doing the spam scanning.
>
> Also, you can try switching off the spam scanning altogether, just to
> double check that is where the problem lies and not in your virus scanning.
> What is "Virus Scanners =" set to in MailScanner.conf?
>
> On Tue, 28 Jul 2009 10:48:42 +0200, Marco mangione
> <marco.mangione@gmail.com> wrote:
>
> DNS are ok. resolution are quick.
> can i try to increase parallels postfix or mailscanner process ?
> server have much cpu and ram unused...
>
> 2009/7/27 Julian Field
>
>> Most likely DNS lookups. Check your DNS is working properly and you can
>> reach all the blacklists you use very quickly.
>>
>> Start by doing a "MailScanner --debug --sa-debug" and watch for any long
>> pauses.
>>
>> On 27/07/2009 11:29, Marco mangione wrote:
>>
>>> Hello,
>>>
>>> i have a big queue: 3800mails and very slow load: 0.20 seems postfix and
>>> mailscanner dont want use server resource to speed up ... any idea?
>>>
>>> marco
>>
>> Jules

From marco.mangione at gmail.com Tue Jul 28 12:13:06 2009
From: marco.mangione at gmail.com (Marco mangione)
Date: Tue Jul 28 12:13:14 2009
Subject: help - big queue slow load
In-Reply-To:
References: <4A6D8637.5080407@ecs.soton.ac.uk>
Message-ID:

this is the detail of bayes table

| bayes_seen | BASE TABLE | 406301568 | MyISAM |
| bayes_token | BASE TABLE | 1028785670 | MyISAM |

2009/7/28 Marco mangione

> seems there are some hang when mailscanner connect to SA db .. that is
> bigger than 2GB.... what can i do in this case ?
>
> 2009/7/28 MailScanner
>
>> If the mail is only being processed very slowly, then unless you have the
>> parallelism set too *high* (Max Children should be 5 to start with) then
>> there must be some good reason why it is taking a long time. Set
>> "Log Speed = yes" in MailScanner.conf and restart MailScanner. Then look
>> at your logs and work out what is taking all the time?
>>
>> When you ran with "--debug --sa-debug", were there any long pauses in the
>> output? There shouldn't be, once it has started doing the spam scanning.
>>
>> Also, you can try switching off the spam scanning altogether, just to
>> double check that is where the problem lies and not in your virus scanning.
>> What is "Virus Scanners =" set to in MailScanner.conf?
>>
>> On Tue, 28 Jul 2009 10:48:42 +0200, Marco mangione
>> <marco.mangione@gmail.com> wrote:
>>
>> DNS are ok. resolution are quick.
>> can i try to increase parallels postfix or mailscanner process ?
>> server have much cpu and ram unused...
>>
>> 2009/7/27 Julian Field
>>
>>> Most likely DNS lookups. Check your DNS is working properly and you can
>>> reach all the blacklists you use very quickly.
>>>
>>> Start by doing a "MailScanner --debug --sa-debug" and watch for any long
>>> pauses.
>>>
>>> On 27/07/2009 11:29, Marco mangione wrote:
>>>
>>>> Hello,
>>>>
>>>> i have a big queue: 3800mails and very slow load: 0.20 seems postfix and
>>>> mailscanner dont want use server resource to speed up ... any idea?
>>>>
>>>> marco
>>>
>>> Jules

From shprahi at gmail.com Tue Jul 28 12:35:59 2009
From: shprahi at gmail.com (shprahi shprahi)
Date: Tue Jul 28 12:36:08 2009
Subject: help - big queue slow load
In-Reply-To:
References: <4A6D8637.5080407@ecs.soton.ac.uk>
Message-ID:

What is MailScanner version and MailScanner --lint output also spamassassin
--lint output

Just see is there any errors on the output

On Tue, Jul 28, 2009 at 4:43 PM, Marco mangione wrote:

> this is the detail of bayes table
>
> | bayes_seen | BASE TABLE | 406301568 | MyISAM |
> | bayes_token | BASE TABLE | 1028785670 | MyISAM |
>
> 2009/7/28 Marco mangione
>
>> seems there are some hang when mailscanner connect to SA db .. that is
>> bigger than 2GB.... what can i do in this case ?
>>
>> 2009/7/28 MailScanner
>>
>>> If the mail is only being processed very slowly, then unless you have the
>>> parallelism set too *high* (Max Children should be 5 to start with) then
>>> there must be some good reason why it is taking a long time. Set
>>> "Log Speed = yes" in MailScanner.conf and restart MailScanner. Then look
>>> at your logs and work out what is taking all the time?
>>>
>>> When you ran with "--debug --sa-debug", were there any long pauses in the
>>> output? There shouldn't be, once it has started doing the spam scanning.
>>>
>>> Also, you can try switching off the spam scanning altogether, just to
>>> double check that is where the problem lies and not in your virus scanning.
>>> What is "Virus Scanners =" set to in MailScanner.conf?
>>>
>>> On Tue, 28 Jul 2009 10:48:42 +0200, Marco mangione
>>> <marco.mangione@gmail.com> wrote:
>>>
>>> DNS are ok. resolution are quick.
>>> can i try to increase parallels postfix or mailscanner process ?
>>> server have much cpu and ram unused...
>>>
>>> 2009/7/27 Julian Field
>>>
>>>> Most likely DNS lookups. Check your DNS is working properly and you can
>>>> reach all the blacklists you use very quickly.
>>>>
>>>> Start by doing a "MailScanner --debug --sa-debug" and watch for any long
>>>> pauses.
>>>>
>>>> On 27/07/2009 11:29, Marco mangione wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> i have a big queue: 3800mails and very slow load: 0.20 seems postfix
>>>>> and mailscanner dont want use server resource to speed up ... any idea?
>>>>>
>>>>> marco
>>>>
>>>> Jules

From marco.mangione at gmail.com Tue Jul 28 12:42:43 2009
From: marco.mangione at gmail.com (Marco mangione)
Date: Tue Jul 28 12:42:52 2009
Subject: help - big queue slow load
In-Reply-To:
References: <4A6D8637.5080407@ecs.soton.ac.uk>
Message-ID:

root@filtro6:~# MailScanner -lint output
Trying to setlogsock(unix)
Read 817 hostnames from the phishing whitelist
Read 5141 hostnames from the phishing blacklist
Config: calling custom init function SQLBlacklist
Starting up SQL Blacklist
Read 0 blacklist entries
Config: calling custom init function MailWatchLogging
Started SQL Logging child
Config: calling custom init function SQLWhitelist
Starting up SQL Whitelist
Read 2 whitelist entries
Checking version numbers...
Version installed (4.73.4) does not match version stated in
MailScanner.conf file (4.68.8), you may want to run upgrade_MailScanner_conf
to ensure your MailScanner.conf file contains all the latest settings.

ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf
ERROR: is not correct, it should match X-COLT-ENGINE-MailScanner-From

MailScanner setting GID to (33)
MailScanner setting UID to (109)

Checking for SpamAssassin errors (if you use it)...
SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/Spam
SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
Using locktype = posix
MailScanner.conf says "Virus Scanners = clamav"
Found these virus scanners installed: clamd
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
/var/spool/MailScanner/incoming/30510/./1.message: Eicar-Test-Signature FOUND
/var/spool/MailScanner/incoming/30510/./1/eicar.com: Eicar-Test-Signature FOUND
Virus Scanning: ClamAV found 2 infections
Infected message 1 came from 10.1.1.1
Infected message 1.message came from
Virus Scanning: Found 2 viruses
===========================================================================
Virus Scanner test reports:
ClamAV said "eicar.com contains Eicar-Test-Signature"

If any of your virus scanners (clamd)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its virus.scanners.conf.
Config: calling custom end function SQLBlacklist
Closing down by-domain spam blacklist
Config: calling custom end function MailWatchLogging
Config: calling custom end function SQLWhitelist
Closing down by-domain spam whitelist
root@filtro6:~#

2009/7/28 shprahi shprahi

> What is MailScanner version and MailScanner --lint output also spamassassin
> --lint output
>
> Just see is there any errors on the output
>
> On Tue, Jul 28, 2009 at 4:43 PM, Marco mangione wrote:
>
>> this is the detail of bayes table
>>
>> | bayes_seen | BASE TABLE | 406301568 | MyISAM |
>> | bayes_token | BASE TABLE | 1028785670 | MyISAM |
>>
>> 2009/7/28 Marco mangione
>>
>>> seems there are some hang when mailscanner connect to SA db .. that is
>>> bigger than 2GB.... what can i do in this case ?
>>>
>>> 2009/7/28 MailScanner
>>>
>>>> If the mail is only being processed very slowly, then unless you have
>>>> the parallelism set too *high* (Max Children should be 5 to start with)
>>>> then there must be some good reason why it is taking a long time. Set
>>>> "Log Speed = yes" in MailScanner.conf and restart MailScanner. Then look
>>>> at your logs and work out what is taking all the time?
>>>>
>>>> When you ran with "--debug --sa-debug", were there any long pauses in
>>>> the output? There shouldn't be, once it has started doing the spam
>>>> scanning.
>>>>
>>>> Also, you can try switching off the spam scanning altogether, just to
>>>> double check that is where the problem lies and not in your virus
>>>> scanning. What is "Virus Scanners =" set to in MailScanner.conf?
>>>>
>>>> On Tue, 28 Jul 2009 10:48:42 +0200, Marco mangione
>>>> <marco.mangione@gmail.com> wrote:
>>>>
>>>> DNS are ok. resolution are quick.
>>>> can i try to increase parallels postfix or mailscanner process ?
>>>> server have much cpu and ram unused...
>>>>
>>>> 2009/7/27 Julian Field
>>>>
>>>>> Most likely DNS lookups. Check your DNS is working properly and you can
>>>>> reach all the blacklists you use very quickly.
>>>>>
>>>>> Start by doing a "MailScanner --debug --sa-debug" and watch for any
>>>>> long pauses.
>>>>>
>>>>> On 27/07/2009 11:29, Marco mangione wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> i have a big queue: 3800mails and very slow load: 0.20 seems postfix
>>>>>> and mailscanner dont want use server resource to speed up ... any idea?
>>>>>>
>>>>>> marco
>>>>>
>>>>> Jules

From mailadmin at midland-ics.ie Tue Jul 28 15:29:47 2009
From: mailadmin at midland-ics.ie (Mail Admin)
Date: Tue Jul 28 15:30:19 2009
Subject: AV Vendors For Desktops With API
In-Reply-To:
References:
Message-ID: <016e01ca0f8f$dca4ac80$95ee0580$@ie>

Have u tried Esets Nod 32

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Michele
Neylon :: Blacknight
Sent: 28 July 2009 11:49
To: mailscanner@lists.mailscanner.info
Subject: OT: AV Vendors For Desktops With API

Hi all

Long time since I've posted to this list :)

Can anyone recommend or have any experience of AV vendors offering desktop
solutions with an API? ie. for ordering licenses

TIA

Michele

From shprahi at gmail.com Wed Jul 29 09:07:56 2009
From: shprahi at gmail.com (shprahi shprahi) Date: Wed Jul 29 09:08:06 2009 Subject: help - big queue slow load In-Reply-To: References: <4A6D8637.5080407@ecs.soton.ac.uk> Message-ID: Looks like installed the new mailscanner but not done the upgrade also check out about clamd hope it should be clamav module or clam *Version installed (4.73.4) does not match version stated in MailScanner.conf file (4.68.8), you may want to run upgrade_MailScanner_conf * On Tue, Jul 28, 2009 at 5:12 PM, Marco mangione wrote: > root@filtro6:~# MailScanner -lint output > Trying to setlogsock(unix) > Read 817 hostnames from the phishing whitelist > Read 5141 hostnames from the phishing blacklist > Config: calling custom init function SQLBlacklist > Starting up SQL Blacklist > Read 0 blacklist entries > Config: calling custom init function MailWatchLogging > Started SQL Logging child > Config: calling custom init function SQLWhitelist > Starting up SQL Whitelist > Read 2 whitelist entries > Checking version numbers... > Version installed (4.73.4) does not match version stated in > MailScanner.conf file (4.68.8), you may want to run > upgrade_MailScanner_conf > to ensure your MailScanner.conf file contains all the latest settings. > > ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf > ERROR: is not correct, it should match X-COLT-ENGINE-MailScanner-From > > MailScanner setting GID to (33) > MailScanner setting UID to (109) > > Checking for SpamAssassin errors (if you use it)... > SpamAssassin temporary working directory is > /var/spool/MailScanner/incoming/Spam > SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp > Using SpamAssassin results cache > Connected to SpamAssassin cache database > SpamAssassin reported no errors. 
> Using locktype = posix > MailScanner.conf says "Virus Scanners = clamav" > Found these virus scanners installed: clamd > =========================================================================== > Filename Checks: Windows/DOS Executable (1 eicar.com) > Other Checks: Found 1 problems > Virus and Content Scanning: Starting > /var/spool/MailScanner/incoming/30510/./1.message: Eicar-Test-Signature > FOUND > > /var/spool/MailScanner/incoming/30510/./1/eicar.com: Eicar-Test-Signature > FOUND > > Virus Scanning: ClamAV found 2 infections > Infected message 1 came from 10.1.1.1 > Infected message 1.message came from > Virus Scanning: Found 2 viruses > =========================================================================== > Virus Scanner test reports: > ClamAV said "eicar.com contains Eicar-Test-Signature" > > If any of your virus scanners (clamd) > are not listed there, you should check that they are installed correctly > and that MailScanner is finding them correctly via its virus.scanners.conf. > Config: calling custom end function SQLBlacklist > Closing down by-domain spam blacklist > Config: calling custom end function MailWatchLogging > Config: calling custom end function SQLWhitelist > Closing down by-domain spam whitelist > root@filtro6:~# > > > 2009/7/28 shprahi shprahi > >> What is MailScanner version and MailScanner --lint output also >> spamassassin --lint output >> >> Just see is there any errors on the output >> >> On Tue, Jul 28, 2009 at 4:43 PM, Marco mangione > > wrote: >> >>> this is the detail of bayes table >>> >>> | bayes_seen | BASE TABLE | 406301568 | MyISAM | >>> | bayes_token | BASE TABLE | 1028785670 | MyISAM | >>> >>> >>> >>> 2009/7/28 Marco mangione >>> >>> seems there are some hang when mailscanner connect to SA db .. that is >>>> bigger than 2GB.... what can i do in this case ? 
>>>> >>>> 2009/7/28 MailScanner >>>> >>>>> If the mail is only being processed very slowly, then unless you have >>>>> the parallelism set too *high* (Max Children should be 5 to start with) then >>>>> there must be some good reason why it is taking a long time. Set "Log Speed >>>>> = yes" in MailScanner.conf and restart MailScanner. Then look at your logs >>>>> and work out what is taking all the time? >>>>> >>>>> When you ran with "--debug --sa-debug", were there any long pauses in >>>>> the output? There shouldn't be, once it has started doing the spam scanning. >>>>> >>>>> Also, you can try switching off the spam scanning altogether, just to >>>>> double check that is where the problem lies and not in your virus scanning. >>>>> What is "Virus Scanners =" set to in MailScanner.conf? >>>>> >>>>> On Tue, 28 Jul 2009 10:48:42 +0200, Marco mangione < >>>>> marco.mangione@gmail.com> wrote: >>>>> >>>>> DNS are ok. resolution are quick. >>>>> can i try to increase parallels postfix or mailscanner process ? >>>>> server have much cpu and ram unused... >>>>> >>>>> >>>>> 2009/7/27 Julian Field >>>>> >>>>>> Most likely DNS lookups. Check your DNS is working properly and you >>>>>> can reach all the blacklists you use very quickly. >>>>>> >>>>>> Start by doing a "MailScanner --debug --sa-debug" and watch for any >>>>>> long pauses. >>>>>> >>>>>> On 27/07/2009 11:29, Marco mangione wrote: >>>>>> >>>>>>> Hello, >>>>>>> >>>>>>> i have a big queue: 3800mails and very slow load: 0.20 seems postfix >>>>>>> and mailscanner dont want use server resource to speed up ... any idea? >>>>>>> >>>>>>> marco >>>>>>> >>>>>> >>>>>> Jules >>>>>> >>>>>> -- >>>>>> Julian Field MEng CITP CEng >>>>>> www.MailScanner.info >>>>>> Buy the MailScanner book at www.MailScanner.info/store >>>>>> >>>>>> Need help customising MailScanner? >>>>>> Contact me! >>>>>> Need help fixing or optimising your systems? >>>>>> Contact me! >>>>>> Need help getting you started solving new requirements from your boss? 
>>>>>> Contact me! >>>>>> >>>>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >>>>>> Follow me at twitter.com/JulesFM and twitter.com/MailScanner >>>>>> >>>>>> >>>>>> -- >>>>>> This message has been scanned for viruses and >>>>>> dangerous content by MailScanner, and is >>>>>> believed to be clean. >>>>>> >>>>>> -- >>>>>> MailScanner mailing list >>>>>> mailscanner@lists.mailscanner.info >>>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>>>>> >>>>>> Before posting, read http://wiki.mailscanner.info/posting >>>>>> >>>>>> Support MailScanner development - buy the book off the website! >>>>>> >>>>> >>>>> >>>>> >>>>> -- >>>>> JulesMailScanner@ecs.soton.ac.uk >>>>> >>>>> >>>>> -- >>>>> This message has been scanned for viruses and >>>>> dangerous content by *MailScanner* , and >>>>> is >>>>> believed to be clean. >>>>> >>>>> -- >>>>> MailScanner mailing list >>>>> mailscanner@lists.mailscanner.info >>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>>>> >>>>> Before posting, read http://wiki.mailscanner.info/posting >>>>> >>>>> Support MailScanner development - buy the book off the website! >>>>> >>>>> >>>> >>> >>> -- >>> MailScanner mailing list >>> mailscanner@lists.mailscanner.info >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>> >>> Before posting, read http://wiki.mailscanner.info/posting >>> >>> Support MailScanner development - buy the book off the website! >>> >>> >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> >> > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
From MailScanner at ecs.soton.ac.uk Wed Jul 29 09:52:43 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Jul 29 09:53:01 2009
Subject: help - big queue slow load
In-Reply-To:
References: <4A6D8637.5080407@ecs.soton.ac.uk> <4A700DDB.6060309@ecs.soton.ac.uk>
Message-ID:

Try doing this as root:

sa-learn --force-expire

It may take a little while.

On 28/07/2009 12:13, Marco mangione wrote:
> this is the detail of bayes table
>
> | bayes_seen | BASE TABLE | 406301568 | MyISAM |
> | bayes_token | BASE TABLE | 1028785670 | MyISAM |
>
> 2009/7/28 Marco mangione
>
>> seems there are some hang when mailscanner connect to SA db ..
>> that is bigger than 2GB.... what can i do in this case ?
>>
>> 2009/7/28 MailScanner
>>
>>> If the mail is only being processed very slowly, then unless
>>> you have the parallelism set too *high* (Max Children should
>>> be 5 to start with) then there must be some good reason why it
>>> is taking a long time. Set "Log Speed = yes" in
>>> MailScanner.conf and restart MailScanner. Then look at your
>>> logs and work out what is taking all the time?
>>>
>>> When you ran with "--debug --sa-debug", were there any long
>>> pauses in the output? There shouldn't be, once it has started
>>> doing the spam scanning.
>>>
>>> Also, you can try switching off the spam scanning altogether,
>>> just to double check that is where the problem lies and not in
>>> your virus scanning. What is "Virus Scanners =" set to in
>>> MailScanner.conf?
>>>
>>> On Tue, 28 Jul 2009 10:48:42 +0200, Marco mangione wrote:
>>>
>>>> DNS are ok. resolution are quick.
>>>> can i try to increase parallels postfix or mailscanner
>>>> process ?
>>>> server have much cpu and ram unused...
>>>>
>>>> 2009/7/27 Julian Field
>>>>
>>>>> Most likely DNS lookups. Check your DNS is working
>>>>> properly and you can reach all the blacklists you use
>>>>> very quickly.
>>>>>
>>>>> Start by doing a "MailScanner --debug --sa-debug" and
>>>>> watch for any long pauses.
>>>>>
>>>>> On 27/07/2009 11:29, Marco mangione wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> i have a big queue: 3800mails and very slow load:
>>>>>> 0.20 seems postfix and mailscanner dont want use
>>>>>> server resource to speed up ... any idea?
>>>>>>
>>>>>> marco

Jules

From marco.mangione at gmail.com Wed Jul 29 10:36:12 2009
From: marco.mangione at gmail.com (Marco mangione)
Date: Wed Jul 29 10:36:21 2009
Subject: help - big queue slow load
In-Reply-To:
References: <4A6D8637.5080407@ecs.soton.ac.uk> <4A700DDB.6060309@ecs.soton.ac.uk>
Message-ID:

What operation exactly does sa-learn --force-expire do?
Thanks

2009/7/29 Julian Field

> Try doing this as root:
>
> sa-learn --force-expire
>
> It may take a little while.

From MailScanner at ecs.soton.ac.uk Wed Jul 29 11:18:30 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Jul 29 11:18:50 2009
Subject: help - big queue slow load
In-Reply-To:
References: <4A6D8637.5080407@ecs.soton.ac.uk> <4A700DDB.6060309@ecs.soton.ac.uk> <4A7021F6.6010507@ecs.soton.ac.uk>
Message-ID:

May I suggest you type it into Google and read the on-line documentation?
You can easily answer this question yourself.

On 29/07/2009 10:36, Marco mangione wrote:
> what operation do exactly sa-learn --force-expire ?
> thanks
>
> 2009/7/29 Julian Field
>
>> Try doing this as root:
>>
>> sa-learn --force-expire
>>
>> It may take a little while.

Jules

From mark at msapiro.net Wed Jul 29 15:55:16 2009
From: mark at msapiro.net (Mark Sapiro)
Date: Wed Jul 29 15:55:31 2009
Subject: Need help with rule set
Message-ID:

MailScanner 4.78.2

I have a ruleset for "Notices To" like the following

To: /^postmaster(\+.*)?[@.]example\.(net|org)$/ address1
To: /[@.]example\.(net|org)$/ and To: !/^postmaster/ address2
FromOrTo: default address3

The intent is to send virus notices for mail sent to the postmaster
address in the example.net and example.com domains to address1; to
send notices for mail sent to other addresses in the example.(com|net)
domains to address2, and to send notices for mail to other domains to
address3.

The first rule works fine. A notice for mail sent to
postmaster@example.net is sent to address1.

The problem is that a notice for mail to user@example.net is sent to
the default address3 instead of address2.

Does !/regexp/ work the way I've used it here? Is there something wrong
with what I'm doing?

Note that if the second rule is just

To: /[@.]example\.(net|org)$/ address2

Then notices for postmaster@example.net mail get sent to both address1
and address2 which is expected for an "all match" ruleset, but not
what I want. I really want to say

To: /[@.]example\.(net|org)$/ and NOT To: /^postmaster/ address2

and I thought

To: /[@.]example\.(net|org)$/ and To: !/^postmaster/ address2

would do it, but it doesn't seem to. It appears that I can do this with
a negative lookahead regexp as in

To: /[@.]example\.(net|org)$/ and To: /^(?!postmaster)/ address2

but in a more complex case the ability to say "doesn't match regexp"
without using negative lookahead seems useful.

--
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From MailScanner at ecs.soton.ac.uk Wed Jul 29 16:42:00 2009
From: MailScanner at ecs.soton.ac.uk (Jules Field)
Date: Wed Jul 29 16:42:25 2009
Subject: Need help with rule set
In-Reply-To:
References: <4A706DC8.9020405@ecs.soton.ac.uk>
Message-ID:

On 29/07/2009 15:55, Mark Sapiro wrote:
> MailScanner 4.78.2
>
> I have a ruleset for "Notices To" like the following
>
> To: /^postmaster(\+.*)?[@.]example\.(net|org)$/ address1
> To: /[@.]example\.(net|org)$/ and To: !/^postmaster/ address2
> FromOrTo: default address3
>
> The intent is to send virus notices for mail sent to the postmaster
> address in the example.net and example.com domains to address1; to
> send notices for mail sent to other addresses in the example.(com|net)
> domains to address2, and to send notices for mail to other domains to
> address3.
>
> The first rule works fine. A notice for mail sent to
> postmaster@example.net is sent to address1.
>
> The problem is that a notice for mail to user@example.net is sent to
> the default address3 instead of address2.
>
> Does !/regexp/ work the way I've used it here? Is there something wrong
> with what I'm doing?
>
That's not allowed.

> Note that if the second rule is just
>
> To: /[@.]example\.(net|org)$/ address2
>
> Then notices for postmaster@example.net mail get sent to both address1
> and address2 which is expected for an "all match" ruleset, but not
> what I want. I really want to say
>
> To: /[@.]example\.(net|org)$/ and NOT To: /^postmaster/ address2
>
> and I thought
>
> To: /[@.]example\.(net|org)$/ and To: !/^postmaster/ address2
>
> would do it, but it doesn't seem to. It appears that I can do this with
> a negative lookahead regexp as in
>
> To: /[@.]example\.(net|org)$/ and To: /^(?!postmaster)/ address2
>
> but in a more complex case the ability to say "doesn't match regexp"
> without using negative lookahead seems useful.
>
A simple way of phrasing pretty much the same thing would be this:

To: postmaster@example.net address1
To: postmaster@example.org address1
To: *@example.net address2
To: *@example.org address2
FromOrTo: default address3

That will also work a whole lot faster, as it can be implemented as a
single hash lookup rather than having to evaluate all the regexps each
time.

The only problem I can see you might hit is that "NoticeRecipient" is
listed in ConfigDefs.pl in the "[All,Other]" section, where you might
want to move it to the "[First,Other]" section, or else notices to
postmaster@example.net and org will probably end up at address1 and
address2. If that's particularly important to you, of course, which it
may well not be really.

If you really want to catch notices to any address starting with
"postmaster", then you could use
To: postmaster*@example.net address1
syntax instead.

Keep it simple, and easy to understand, and you will find it works a lot
faster. The configuration engine is optimised for the sort of rules that
mortals understand, it's not optimised for horrendously complex regexps.

Jules

From mark at msapiro.net Wed Jul 29 17:32:03 2009
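The all-match versus first-match behaviour discussed in this thread, as an added example that is not part of any post and is not MailScanner's own code: a simplified Python model that parses the ruleset lines quoted above and evaluates them in both modes. It assumes whitespace-separated rules, `/.../` meaning a regular expression and anything else a shell-style wildcard, and a default rule that applies only when nothing else matches; all function names are hypothetical.

```python
import re
from fnmatch import fnmatchcase

# Rules quoted in the thread: the negative-lookahead form that worked.
LOOKAHEAD_RULES = r"""
To: /^postmaster(\+.*)?[@.]example\.(net|org)$/ address1
To: /[@.]example\.(net|org)$/ and To: /^(?!postmaster)/ address2
FromOrTo: default address3
"""

# The wildcard form suggested in the reply, with postmaster* used for both domains.
GLOB_RULES = """
To: postmaster*@example.net address1
To: postmaster*@example.org address1
To: *@example.net address2
To: *@example.org address2
FromOrTo: default address3
"""


def parse_ruleset(text):
    """Return (rules, default); each rule is ([(direction, pattern), ...], value)."""
    rules, default = [], None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        conditions, i = [], 0
        while True:
            if i + 1 >= len(tokens):
                raise ValueError(f"incomplete rule: {line!r}")
            conditions.append((tokens[i].rstrip(":").lower(), tokens[i + 1]))
            i += 2
            if i < len(tokens) and tokens[i].lower() == "and":
                i += 1          # another "direction pattern" pair follows
                continue
            break
        value = " ".join(tokens[i:])
        if not value:
            raise ValueError(f"rule has no value: {line!r}")
        if conditions[0][1] == "default":
            default = value
        else:
            rules.append((conditions, value))
    return rules, default


def pattern_matches(pattern, address):
    """Regex when wrapped in slashes, shell-style wildcard otherwise (model assumption)."""
    if len(pattern) >= 2 and pattern.startswith("/") and pattern.endswith("/"):
        return re.search(pattern[1:-1], address) is not None
    return fnmatchcase(address, pattern)


def condition_matches(direction, pattern, sender, recipient):
    if direction == "from":
        return pattern_matches(pattern, sender)
    if direction == "to":
        return pattern_matches(pattern, recipient)
    if direction == "fromorto":
        return pattern_matches(pattern, sender) or pattern_matches(pattern, recipient)
    raise ValueError(f"unsupported direction: {direction!r}")


def notice_recipients(ruleset, recipient, mode="all", sender="sender@elsewhere.invalid"):
    """Values selected for one message: every matching rule, or only the first."""
    rules, default = parse_ruleset(ruleset)
    hits = []
    for conditions, value in rules:
        if all(condition_matches(d, p, sender, recipient) for d, p in conditions):
            if value not in hits:
                hits.append(value)
            if mode == "first":
                break
    if hits:
        return hits
    return [default] if default is not None else []


if __name__ == "__main__":
    for rcpt in ("postmaster@example.net", "user@example.net", "someone@example.com"):
        print(rcpt,
              "lookahead/all:", notice_recipients(LOOKAHEAD_RULES, rcpt),
              "glob/all:", notice_recipients(GLOB_RULES, rcpt),
              "glob/first:", notice_recipients(GLOB_RULES, rcpt, mode="first"))
```

Under all-match the wildcard ruleset sends postmaster notices to both addresses, which is the case the "[First,Other]" change addresses; the lookahead ruleset avoids it at the cost of regular-expression evaluation.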
From: mark at msapiro.net (Mark Sapiro)
Date: Wed Jul 29 17:32:21 2009
Subject: Need help with rule set
In-Reply-To:
Message-ID:

Jules Field wrote:
>
>On 29/07/2009 15:55, Mark Sapiro wrote:
>> MailScanner 4.78.2
>>
>> I have a ruleset for "Notices To" like the following
>>
>> To: /^postmaster(\+.*)?[@.]example\.(net|org)$/ address1
>> To: /[@.]example\.(net|org)$/ and To: !/^postmaster/ address2
>> FromOrTo: default address3
>>
>> The intent is to send virus notices for mail sent to the postmaster
>> address in the example.net and example.com domains to address1; to
>> send notices for mail sent to other addresses in the example.(com|net)
>> domains to address2, and to send notices for mail to other domains to
>> address3.
>>
>> The first rule works fine. A notice for mail sent to
>> postmaster@example.net is sent to address1.
>>
>> The problem is that a notice for mail to user@example.net is sent to
>> the default address3 instead of address2.
>>
>> Does !/regexp/ work the way I've used it here? Is there something wrong
>> with what I'm doing?
>>
>That's not allowed.

OK. That's good to know.

>> Note that if the second rule is just
>>
>> To: /[@.]example\.(net|org)$/ address2
>>
>> Then notices for postmaster@example.net mail get sent to both address1
>> and address2 which is expected for an "all match" ruleset, but not
>> what I want. I really want to say
>>
>> To: /[@.]example\.(net|org)$/ and NOT To: /^postmaster/ address2
>>
>> and I thought
>>
>> To: /[@.]example\.(net|org)$/ and To: !/^postmaster/ address2
>>
>> would do it, but it doesn't seem to. It appears that I can do this with
>> a negative lookahead regexp as in
>>
>> To: /[@.]example\.(net|org)$/ and To: /^(?!postmaster)/ address2
>>
>> but in a more complex case the ability to say "doesn't match regexp"
>> without using negative lookahead seems useful.
>>
>>
>A simple of phrasing pretty much the same thing would be this:
>
>To: postmaster@example.net address1
>To: postmaster@example.org address1
>To: *@example.net address2
>To: *@example.org address2
>FromOrTo: default address3
>
>That will also work a whole lot faster, as it can be implemented as a
>single hash lookup rather than having to evaluate all the regexps each time.
>
>The only problem I can see you might hit is that "NoticeRecipient" is
>listed in ConfigDefs.pl in the "[All,Other]" section, where you might
>want to move it to the "[First,Other]" section, or else notices to
>postmaster@example.net and org will probably end up at address1 and
>address2. If that's particularly important to you, of course, which it
>may well not be really.

Actually, that is important. It is also good to know how to change a
ruleset from All Match to First Match.

It is important in this case because the main goal of this rule set is
for address2 not to get notices about mail to postmaster.

The underlying issue is that with SaneSecurity ClamAV signatures, lots
of spam gets processed as a virus and thus gets a virus notice rather
than a spam or high spam action, and this postmaster address gets a
lot of spam, the notices for which drown out the others.

>If you really want to catch notices to any address starting with
>"postmaster", then you could use
>To: postmaster*@example.net address1
>syntax instead.

Actually, I'm not interested in all addresses starting with postmaster,
just postmaster and postmaster+*, but any postmaster* that isn't
postmaster or postmaster+* will have been rejected at incoming SMTP
time anyway, so postmaster* should be good.

>Keep it simple, and easy to understand, and you will find it works a lot
>faster. The configuration engine is optimised for the sort of rules that
>mortals understand, it's not optimised for horrendously complex regexps.

Thanks for the advice. It is helpful.

--
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From lists at tippingmar.com Wed Jul 29 19:03:59 2009
From: lists at tippingmar.com (Mark Nienberg)
Date: Wed Jul 29 19:04:16 2009
Subject: Need help with rule set
In-Reply-To:
References:
Message-ID: <4A708F0F.8040805@tippingmar.com>

Mark Sapiro wrote:
>
> The underlying issue is that with SaneSecurity ClamAV signatures, lots
> of spam gets processed as a virus and thus gets a virus notice rather
> than a spam or high spam action, and this postmaster address gets a
> lot of spam, the notices for which drown out the others.
>

I agree this is a nuisance. I deal with it by filtering mail with
subject "Virus Detected" into a separate folder at the local mail
delivery agent level. True, the folder will receive real virus
notifications as well as SaneSecurity detections, but that doesn't
bother me too much. A cronjob cleans items older than 10 days out of
the folder so it doesn't grow too large. If I haven't read it by then
it probably isn't important.

Mark Nienberg

From MailScanner at ecs.soton.ac.uk Wed Jul 29 19:22:17 2009
From: MailScanner at ecs.soton.ac.uk (Jules Field)
Date: Wed Jul 29 19:22:37 2009
Subject: Need help with rule set
In-Reply-To: <4A708F0F.8040805@tippingmar.com>
References: <4A708F0F.8040805@tippingmar.com> <4A709359.6070505@ecs.soton.ac.uk>
Message-ID:

On 29/07/2009 19:03, Mark Nienberg wrote:
> Mark Sapiro wrote:
>>
>> The underlying issue is that with SaneSecurity ClamAV signatures, lots
>> of spam gets processed as a virus and thus gets a virus notice rather
>> than a spam or high spam action, and this postmaster address gets a
>> lot of spam, the notices for which drown out the others.
>>
> I agree this is a nuisance. I deal with it by filtering mail with
> subject "Virus Detected" into a separate folder at the local mail
> delivery agent level. True, the folder will receive real virus
> notifications as well as SaneSecurity detections, but that doesn't
> bother me too much. A cronjob cleans items older than 10 days out of
> the folder so it doesn't grow too large. If I haven't read it by then
> it probably isn't important.

Have you got any ideas for me to avoid this problem or work around it?
I could look for sub-strings in the virus report and do something
appropriate, but what?

Jules

From MailScanner at ecs.soton.ac.uk Wed Jul 29 19:47:27 2009
From: MailScanner at ecs.soton.ac.uk (Jules Field)
Date: Wed Jul 29 19:47:47 2009
Subject: Need help with rule set
In-Reply-To:
References: <4A708F0F.8040805@tippingmar.com> <4A709359.6070505@ecs.soton.ac.uk> <4A70993F.5090806@ecs.soton.ac.uk>
Message-ID:

On 29/07/2009 19:22, Jules Field wrote:
>
>
> On 29/07/2009 19:03, Mark Nienberg wrote:
>> Mark Sapiro wrote:
>>>
>>> The underlying issue is that with SaneSecurity ClamAV signatures, lots
>>> of spam gets processed as a virus and thus gets a virus notice rather
>>> than a spam or high spam action, and this postmaster address gets a
>>> lot of spam, the notices for which drown out the others.
>>>
>> I agree this is a nuisance. I deal with it by filtering mail with
>> subject "Virus Detected" into a separate folder at the local mail
>> delivery agent level. True, the folder will receive real virus
>> notifications as well as SaneSecurity detections, but that doesn't
>> bother me too much. A cronjob cleans items older than 10 days out of
>> the folder so it doesn't grow too large. If I haven't read it by
>> then it probably isn't important.
> Have you got any ideas for me to avoid this problem or work around it?
> I could look for sub-strings in the virus report and do something
> appropriate, but what?

Can someone send me the URL of a test message that is caught by ClamAV
by the Sanesecurity phishing signatures? I trap such stuff at SMTP time
myself so haven't got any examples :-(

Need some test data!

Many thanks,

Jules

From lists at tippingmar.com Wed Jul 29 19:59:49 2009
From: lists at tippingmar.com (Mark Nienberg)
Date: Wed Jul 29 20:00:10 2009
Subject: Need help with rule set
In-Reply-To:
References: <4A708F0F.8040805@tippingmar.com> <4A709359.6070505@ecs.soton.ac.uk>
Message-ID: <4A709C25.8050106@tippingmar.com>

Jules Field wrote:
>
>
> On 29/07/2009 19:03, Mark Nienberg wrote:
>> Mark Sapiro wrote:
>>>
>>> The underlying issue is that with SaneSecurity ClamAV signatures, lots
>>> of spam gets processed as a virus and thus gets a virus notice rather
>>> than a spam or high spam action, and this postmaster address gets a
>>> lot of spam, the notices for which drown out the others.
>>>
>> I agree this is a nuisance. I deal with it by filtering mail with
>> subject "Virus Detected" into a separate folder at the local mail
>> delivery agent level. True, the folder will receive real virus
>> notifications as well as SaneSecurity detections, but that doesn't
>> bother me too much. A cronjob cleans items older than 10 days out of
>> the folder so it doesn't grow too large. If I haven't read it by
>> then it probably isn't important.
> Have you got any ideas for me to avoid this problem or work around it?
> I could look for sub-strings in the virus report and do something
> appropriate, but what?
>
> Jules
>

Maybe you could add a header to the postmaster message for each virus
reported (sometimes there are multiple). Then the user could have more
options for filtering. Example:

X-Report: Clamd: message was infected: Sanesecurity.Junk.10079.UNOFFICIAL
X-Report: Clamd: msg-8399-50.jpg was infected: Sanesecurity.SpamImg.353.UNOFFICIAL

Since there are signatures available in addition to SaneSecurity that
use clamav to identify spam or phishing, I don't think you want to get
into the business of trying to separate true viruses reports from spam
reports. The headers would give each user the opportunity to do that.

Mark Nienberg

From MailScanner at ecs.soton.ac.uk Wed Jul 29 20:18:48 2009
From: MailScanner at ecs.soton.ac.uk (Jules Field) Date: Wed Jul 29 20:19:11 2009 Subject: Need help with rule set In-Reply-To: <4A709C25.8050106@tippingmar.com> References: <4A708F0F.8040805@tippingmar.com> <4A709359.6070505@ecs.soton.ac.uk> <4A709C25.8050106@tippingmar.com> <4A70A098.6080602@ecs.soton.ac.uk> Message-ID: On 29/07/2009 19:59, Mark Nienberg wrote: > Jules Field wrote: >> >> >> On 29/07/2009 19:03, Mark Nienberg wrote: >>> Mark Sapiro wrote: >>>> >>>> The underlying issue is that with SaneSecurity ClamAV signatures, lots >>>> of spam gets processed as a virus and thus gets a virus notice rather >>>> than a spam or high spam action, and this postmaster address gets a >>>> lot of spam, the notices for which drown out the others. >>>> >>> I agree this is a nuisance. I deal with it by filtering mail with >>> subject "Virus Detected" into a separate folder at the local mail >>> delivery agent level. True, the folder will receive real virus >>> notifications as well as SaneSecurity detections, but that doesn't >>> bother me too much. A cronjob cleans items older than 10 days out >>> of the folder so it doesn't grow too large. If I haven't read it by >>> then it probably isn't important. >> Have you got any ideas for me to avoid this problem or work around >> it? I could look for sub-strings in the virus report and do something >> appropriate, but what? >> >> Jules >> > Maybe you could add a header to the postmaster message for each virus > reported (sometimes there are multiple). Then the user could have > more options for filtering. Example: > > X-Report: Clamd: message was infected: Sanesecurity.Junk.10079.UNOFFICIAL > X-Report: Clamd: msg-8399-50.jpg was infected: > Sanesecurity.SpamImg.353.UNOFFICIAL > > Since there are signatures available in addition to SaneSecurity that > use clamav to identify spam or phishing, I don't think you want to get > into the business of trying to separate true viruses reports from spam > reports. 
The headers would give each user the opportunity to do that. I was more thinking of trying to convert these virus reports into spam reports, so they got added to the Spam score for the message and the spam actions then applied, rather than treating them as a virus report at all. Jules From lists at tippingmar.com Wed Jul 29 20:20:44 2009 
From: lists at tippingmar.com (Mark Nienberg) Date: Wed Jul 29 20:21:03 2009 Subject: Need help with rule set In-Reply-To: References: <4A708F0F.8040805@tippingmar.com> <4A709359.6070505@ecs.soton.ac.uk> <4A70993F.5090806@ecs.soton.ac.uk> Message-ID: <4A70A10C.6090709@tippingmar.com> Jules Field wrote: > > someone send me the URL of a test message that is caught by ClamAV by > the Sanesecurity phishing signatures? I trap such stuff at SMTP time > myself so haven't got any examples :-( All of the reports I have seen lately end with UNOFFICIAL, but I don't know if that is true for all third-party sigs. Examples: Quarantine: /var/spool/MailScanner/quarantine/20090720/n6K9ZvOq021661 Report: Clamd: message was infected: Sanesecurity.Casino.7437.UNOFFICIAL Clamd: message was infected: Sanesecurity.Casino.7437.UNOFFICIAL Quarantine: /var/spool/MailScanner/quarantine/20090723/n6O2KqRn008489 Report: Clamd: message was infected: Sanesecurity.Phishing.Cur.11209.UNOFFICIAL Quarantine: /var/spool/MailScanner/quarantine/20090723/n6N7Mk3u014616 Report: Clamd: message was infected: Sanesecurity.Junk.13947.UNOFFICIAL And even this, which is not SaneSecurity: Quarantine: /var/spool/MailScanner/quarantine/20090727/n6R8lBgY028622 Report: Clamd: message was infected: MSRBL-SPAM.Meds.2802.UNOFFICIAL Mark Nienberg From mark at msapiro.net Wed Jul 29 20:38:19 2009 
From: mark at msapiro.net (Mark Sapiro) Date: Wed Jul 29 20:38:37 2009 Subject: Need help with rule set In-Reply-To: Message-ID: Jules Field wrote: > >On 29/07/2009 19:59, Mark Nienberg wrote: >> Jules Field wrote: >>> >>> >>> On 29/07/2009 19:03, Mark Nienberg wrote: >>>> Mark Sapiro wrote: >>>>> >>>>> The underlying issue is that with SaneSecurity ClamAV signatures, lots >>>>> of spam gets processed as a virus and thus gets a virus notice rather >>>>> than a spam or high spam action, and this postmaster address gets a >>>>> lot of spam, the notices for which drown out the others. >>>>> >>>> I agree this is a nuisance. I deal with it by filtering mail with >>>> subject "Virus Detected" into a separate folder at the local mail >>>> delivery agent level. True, the folder will receive real virus >>>> notifications as well as SaneSecurity detections, but that doesn't >>>> bother me too much. A cronjob cleans items older than 10 days out >>>> of the folder so it doesn't grow too large. If I haven't read it by >>>> then it probably isn't important. >>> Have you got any ideas for me to avoid this problem or work around >>> it? I could look for sub-strings in the virus report and do something >>> appropriate, but what? >>> >>> Jules >>> >> Maybe you could add a header to the postmaster message for each virus >> reported (sometimes there are multiple). Then the user could have >> more options for filtering. Example: >> >> X-Report: Clamd: message was infected: Sanesecurity.Junk.10079.UNOFFICIAL >> X-Report: Clamd: msg-8399-50.jpg was infected: >> Sanesecurity.SpamImg.353.UNOFFICIAL >> >> Since there are signatures available in addition to SaneSecurity that >> use clamav to identify spam or phishing, I don't think you want to get >> into the business of trying to separate true viruses reports from spam >> reports. The headers would give each user the opportunity to do that. 
>I was more thinking of trying to convert these virus reports into spam >reports, so they got added to the Spam score for the message and the >spam actions then applied, rather than treating them as a virus report >at all.

Here's a thought. It's not well thought out and may have holes, but if there were a new MailScanner setting that could be a ruleset along the lines of:

Virus Report Action = virus

which would preserve the current behavior but allow a ruleset where I could say

Virus: (something to match in the virus report) virus
Virus: (something else to match in the virus report) spam
Virus: (yet something else to match in the virus report) high-spam

What I really want out of this that's different from what I can do now with Notices To rules is to be able to include the message and not just the headers in the report.

Come to think of it, maybe just a "Notices Include Message Body" setting analogous to the "Notices Include Full Headers" setting would do it for me. Then I could use a ruleset with "Virus:" conditions to determine whether to include the body.

-- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From ms-list at alexb.ch Wed Jul 29 21:04:07 2009 
From: ms-list at alexb.ch (Alex Broens) Date: Wed Jul 29 21:04:18 2009 Subject: Need help with rule set In-Reply-To: <4A70A10C.6090709@tippingmar.com> References: <4A708F0F.8040805@tippingmar.com> <4A709359.6070505@ecs.soton.ac.uk> <4A70993F.5090806@ecs.soton.ac.uk> <4A70A10C.6090709@tippingmar.com> Message-ID: <4A70AB37.6020009@alexb.ch> On 7/29/2009 9:20 PM, Mark Nienberg wrote: > Jules Field wrote: >> >> someone send me the URL of a test message that is caught by ClamAV by >> the Sanesecurity phishing signatures? I trap such stuff at SMTP time >> myself so haven't got any examples :-( > All of the reports I have seen lately end with UNOFFICIAL, but I don't > know it that is true for all third-party sigs. all third-party sigs carry this "tag" From MailScanner at ecs.soton.ac.uk Wed Jul 29 21:23:01 2009 
From: MailScanner at ecs.soton.ac.uk (Jules Field) Date: Wed Jul 29 21:23:20 2009 Subject: Need help with rule set In-Reply-To: <4A70AB37.6020009@alexb.ch> References: <4A708F0F.8040805@tippingmar.com> <4A709359.6070505@ecs.soton.ac.uk> <4A70993F.5090806@ecs.soton.ac.uk> <4A70A10C.6090709@tippingmar.com> <4A70AB37.6020009@alexb.ch> <4A70AFA5.1070008@ecs.soton.ac.uk> Message-ID: On 29/07/2009 21:04, Alex Broens wrote: > On 7/29/2009 9:20 PM, Mark Nienberg wrote: >> Jules Field wrote: >>> >>> someone send me the URL of a test message that is caught by ClamAV >>> by the Sanesecurity phishing signatures? I trap such stuff at SMTP >>> time myself so haven't got any examples :-( >> All of the reports I have seen lately end with UNOFFICIAL, but I >> don't know it that is true for all third-party sigs. > > all third-party sigs carry this "tag" But only for ClamAV, not for f-protd-6 which also detects HTML phishing attacks among other things. Jules From MailScanner at ecs.soton.ac.uk Wed Jul 29 21:24:07 2009 
From: MailScanner at ecs.soton.ac.uk (Jules Field) Date: Wed Jul 29 21:24:26 2009 Subject: Need help with rule set In-Reply-To: References: <4A70AFE7.9000306@ecs.soton.ac.uk> Message-ID: On 29/07/2009 20:38, Mark Sapiro wrote: > Jules Field wrote: > >> On 29/07/2009 19:59, Mark Nienberg wrote: >> >>> Jules Field wrote: >>> >>>> >>>> On 29/07/2009 19:03, Mark Nienberg wrote: >>>> >>>>> Mark Sapiro wrote: >>>>> >>>>>> The underlying issue is that with SaneSecurity ClamAV signatures, lots >>>>>> of spam gets processed as a virus and thus gets a virus notice rather >>>>>> than a spam or high spam action, and this postmaster address gets a >>>>>> lot of spam, the notices for which drown out the others. >>>>>> >>>>>> >>>>> I agree this is a nuisance. I deal with it by filtering mail with >>>>> subject "Virus Detected" into a separate folder at the local mail >>>>> delivery agent level. True, the folder will receive real virus >>>>> notifications as well as SaneSecurity detections, but that doesn't >>>>> bother me too much. A cronjob cleans items older than 10 days out >>>>> of the folder so it doesn't grow too large. If I haven't read it by >>>>> then it probably isn't important. >>>>> >>>> Have you got any ideas for me to avoid this problem or work around >>>> it? I could look for sub-strings in the virus report and do something >>>> appropriate, but what? >>>> >>>> Jules >>>> >>>> >>> Maybe you could add a header to the postmaster message for each virus >>> reported (sometimes there are multiple). Then the user could have >>> more options for filtering. Example: >>> >>> X-Report: Clamd: message was infected: Sanesecurity.Junk.10079.UNOFFICIAL >>> X-Report: Clamd: msg-8399-50.jpg was infected: >>> Sanesecurity.SpamImg.353.UNOFFICIAL >>> >>> Since there are signatures available in addition to SaneSecurity that >>> use clamav to identify spam or phishing, I don't think you want to get >>> into the business of trying to separate true viruses reports from spam >>> reports. 
The headers would give each user the opportunity to do that. >>> >> I was more thinking of trying to convert these virus reports into spam >> reports, so they got added to the Spam score for the message and the >> spam actions then applied, rather than treating them as a virus report >> at all. >> > > Here's a thought. It's not well thought out and may have holes, but if > there were a new MailScanner setting that could be a ruleset along the > lines of: > > Virus Report Action = virus > > which would preserve the current behavior but allow a ruleset where I > could say > > Virus: (something to match in the virus report) virus > Virus: (something else to match in the virus report) spam > Virus: (yet something else to match in the virus report) high-spam > > What I really want out of this that's different from what I can do now > with Notices To rules is to be able to include the message and not > just the headers in the report. > > Come to think of it, maybe just a "Notices Include Message Body" > Now that sounds a possibility. If I include it as an RFC-822 attachment (similar to the "attachment" Spam Action), then it would be harmless too. Jules From ajcartmell at fonant.com Wed Jul 29 21:31:39 2009 
From: ajcartmell at fonant.com (Anthony Cartmell) Date: Wed Jul 29 21:32:01 2009 Subject: Need help with rule set In-Reply-To: References: Message-ID: > Here's a thought. It's not well thought out and may have holes, but if > there were a new MailScanner setting that could be a ruleset along the > lines of: > > Virus Report Action = virus > > which would preserve the current behavior but allow a ruleset where I > could say > > Virus: (something to match in the virus report) virus > Virus: (something else to match in the virus report) spam > Virus: (yet something else to match in the virus report) high-spam

From the SaneSecurity list I know that people using Amavisd can score ClamAV report matches like this:

amavisd.conf:

@virus_name_to_spam_score_maps =
(new_RE( # the order matters!
  [ qr'^Phishing\.' => 4.1 ],
  [ qr'^(Email|HTML|Sanesecurity)\.(Phishing|Spear|(Spam|Scam)[a-z0-9]?)\.'i => 4.1 ],
  [ qr'^Sanesecurity\.(Malware|Trojan)\.' => undef ],
  [ qr'^Sanesecurity\.(Test|Rogue|Casino)' => undef ],
  [ qr'^Sanesecurity\.(Hdr|Img|ImgO|Junk|Doc)\.'x => 6.1 ],
  [ qr'^Sanesecurity\.(Lott|Fake|SpamImg|Job|Stk)\.'x => 6.1 ],
  [ qr'^Sanesecurity\.(Loan|Porn|Bou|Dipl|Cred)\.'x => 6.1 ],
  [ qr'^(MSRBL-Images/)' => 2.1 ],
  [ qr'^(MSRBL-SPAM\.)' => 5.1 ],
  [ qr'^MBL_' => undef ], # keep as infected
));

Setting the score means it's spammy, setting it to undef means it's a virus. These scores are added to the scores from SpamAssassin, AIUI.

Something like this in MailScanner would be _really_ nice. Some of the third-party databases are known to be prone to false positives, but given a low score could still help to stop spam if the message also triggers other SpamAssassin rules.

Anthony -- www.fonant.com - Quality web sites From micoots at yahoo.com Wed Jul 29 21:50:59 2009 
From: micoots at yahoo.com (Michael Mansour) Date: Wed Jul 29 21:51:11 2009 Subject: Need help with rule set In-Reply-To: Message-ID: <318513.48182.qm@web33302.mail.mud.yahoo.com> Hi, --- On Thu, 30/7/09, Anthony Cartmell wrote: 
> From: Anthony Cartmell > Subject: Re: Need help with rule set > To: "MailScanner discussion" > Received: Thursday, 30 July, 2009, 6:31 AM > > Here's a thought. It's not well > thought out and may have holes, but if > > there were a new MailScanner setting that could be a > ruleset along the > > lines of: > > > > Virus Report Action = virus > > > > which would preserve the current behavior but allow a > ruleset where I > > could say > > > > Virus: (something to match in the virus report) virus > > Virus: (something else to match in the virus report) > spam > > Virus: (yet something else to match in the virus > report) high-spam > > From the SaneSecurity list I know that people using Amavisd > can score ClamAV report matches like this: > > amavisd.conf: > > @virus_name_to_spam_score_maps = > (new_RE( # the order matters! > [ qr'^Phishing\.' => 4.1 ], > [ qr'^(Email|HTML|Sanesecurity)\.(Phishing|Spear|(Spam|Scam)[a-z0-9]?)\.'i => 4.1 ], > [ qr'^Sanesecurity\.(Malware|Trojan)\.' => undef ], > [ qr'^Sanesecurity\.(Test|Rogue|Casino)' => undef ], > [ qr'^Sanesecurity\.(Hdr|Img|ImgO|Junk|Doc)\.'x => 6.1 ], > [ qr'^Sanesecurity\.(Lott|Fake|SpamImg|Job|Stk)\.'x => 6.1 ], > [ qr'^Sanesecurity\.(Loan|Porn|Bou|Dipl|Cred)\.'x => 6.1 ], > [ qr'^(MSRBL-Images/)' => 2.1 ], > [ qr'^(MSRBL-SPAM\.)' => 5.1 ], > [ qr'^MBL_' => undef ], # keep as infected > )); > > Setting the score means it's spammy, setting it to undef > means it's a virus. These scores are added to the scores > from SpamAssassin, AIUI. > > Something like this in MailScanner would be _really_ nice. 
> Some of the third-party databases are known to be prone to > false positives, but given a low score could still help to > stop spam if the message also triggers other SpamAssassin > rules. I asked about exactly this on the list a month or two ago, and was told to use the ClamAV milter for sendmail which would allow it. I haven't had time to look at it myself yet, but I (strongly) agree if MS can handle it like amavisd internally it would be much better, but the feature seems to be available outside of MailScanner using that milter if you really need it. As I said above though, I'd personally prefer MailScanner to handle it, the less "packages" to worry about on a mail server the better. Regards, Michael. > Anthony > --www.fonant.com - Quality web sites From micoots at yahoo.com Thu Jul 30 07:24:26 2009 From: micoots at yahoo.com (Michael Mansour) Date: Thu Jul 30 07:24:36 2009 Subject: Multiple MailScanner instances for multiple chroot sendmail Message-ID: <789595.58113.qm@web33308.mail.mud.yahoo.com> Anyone? --- On Sun, 26/7/09, Michael Mansour wrote: 
> From: Michael Mansour > Subject: Multiple MailScanner instances for multiple chroot sendmail > To: "MailScanner discussion" > Received: Sunday, 26 July, 2009, 4:27 PM > > Hi, > > I'm building a HA cluster and trying to work out how to > have multiple MailScanner instances for each cluster app. > > To describe the basic setup... > > 2 cluster nodes > > 2 cluster apps, one on each node > > Each cluster app has it's own chroot'ed sendmail (to cater > for each cluster app handling mail and inboxes within > itself). That all works fine and listens on the relevant > ports on the floating IP's defined in the cluster app for > sendmail. > > I'm now trying to get MailScanner to work with the > chroot'ed sendmail, with the aim of having two sendmail's > (MailScanner's) running on the same node if/when the other > node fails the cluster app over. > > Firstly for the chroot'ed sendmail, what modifications does > MailScanner need to know about to run the chroot'ed > sendmail? > > Say sendmail's chroot'ed directory is: > > /chroot/sendmailn > > where n = 1 or 2 (sync'ed between nodes). > > In the chroot'ed environment, sendmail runs as a > non-privileged user named "sendmail" and is part of the > "mail" group. > > Starting sendmail is done using: > > # chroot /chroot/sendmailn /usr/sbin/sendmail > > Do I need to install a chroot'ed MailScanner within the > /chroot/sendmailn tree? > > Note these run on Red Hat based EL5 series boxes. I already > installed MailScanner on each node using MS RPM download. > > So you know, I've tried various things before emailing the > list. In the: > > /etc/sysconfig/MailScanner > > file I changed: > > SENDMAIL=/usr/sbin/sendmail > > to > > SENDMAIL="/usr/sbin/chroot /chroot/sendmailn > /usr/sbin/sendmail" > > I also changed the "Run As User = sendmail" and "Run As > Group = mail". > > I also played with "Incoming Queue Dir" and "Outgoing Queue > Dir" before realising this may not work without multiple > MailScanner instances. 
> > Hence emailing the list. > > I appreciate any help or advice. Thank you. > > Michael. From uxbod at splatnix.net Thu Jul 30 10:29:00 2009 
From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Thu Jul 30 10:29:30 2009 Subject: Need help with rule set In-Reply-To: Message-ID: <16724194.2691248946140006.JavaMail.root@office.splatnix.net>

Jules, In Amavis you can override what is believed to be a virus or SPAM; like you have already suggested. Then by modifying salocal.cf you can do :-

################################################################################
# SaneSecurity & MSRBL Signatures
################################################################################
header L_AV_Phish X-Amavis-AV-Status =~ m{\bAV:(Email|HTML)\.Phishing\.}i
header L_AV_SS_PhishBar X-Amavis-AV-Status =~ m{\bAV:Sanesecurity_PhishBar_}
header L_AV_SS_Phish X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.Phishing\.}
header L_AV_SS_Malware X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.(Malware|Rogue|Trojan)\.}
header L_AV_SS_Scam X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.(Scam[A-Za-z0-9]+)}
header L_AV_SS_Spam X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.(Bou|Cred|Dipl|Job|Loan|Porn|Spam\.[A-Za-z0-9]+|Stk|Junk)\.}
header L_AV_SS_Hdr X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.Hdr\.}
header L_AV_SS_Img X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.(Img|ImgO)\.}
header L_AV_SS_Bounce X-Amavis-AV-Status =~ m{\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\b}
header __L_AV_SS X-Amavis-AV-Status =~ m{\bAV:Sanesecurity\.}
meta L_AV_SS_other __L_AV_SS && !(L_AV_SS_Phish || L_AV_SS_Scam || L_AV_SS_Spam || L_AV_SS_Malware || L_AV_SS_Hdr || L_AV_SS_Img || L_AV_SS_Bounce)
header L_AV_MSRBL_Img X-Amavis-AV-Status =~ m{\bAV:MSRBL-Images\b}
header L_AV_MSRBL_Spam X-Amavis-AV-Status =~ m{\bAV:MSRBL-SPAM\.}
header L_AV_MBL X-Amavis-AV-Status =~ m{\bAV:MBL_}
header L_AV_SecInf X-Amavis-AV-Status =~ m{-SecuriteInfo\.com\b}
score L_AV_Phish 14
score L_AV_SS_Phish 5
score L_AV_SS_PhishBar 0.5
score L_AV_SS_Scam 8
score L_AV_SS_Spam 8
score L_AV_SS_Hdr 6
score L_AV_SS_Img 3.5
score L_AV_SS_Bounce 0.1
score L_AV_SS_other 1
score L_AV_SS_Malware 14
score L_AV_MBL 14
score L_AV_MSRBL_Img 3.5
score L_AV_MSRBL_Spam 6
score L_AV_SecInf 8

Best Regards, -- SplatNIX IT Services :: Innovation through collaboration From uxbod at splatnix.net Thu Jul 30 10:30:10 2009
From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Thu Jul 30 10:30:37 2009 Subject: Need help with rule set In-Reply-To: Message-ID: <30314754.2721248946210654.JavaMail.root@office.splatnix.net>

Here is the scoremap you would use in Amavis as well :-

@virus_name_to_spam_score_maps =
(new_RE( # the order matters!
  [ qr'^Phishing\.' => 0 ],
  [ qr'^(Email|HTML)\.Phishing\.(?!.*Sanesecurity)' => 0 ],
  [ qr'^Sanesecurity\.(Malware|Rogue|Trojan)\.' => undef ],# keep as infected
  [ qr'^Sanesecurity(\.[^., ]*)*\.' => 0 ],
  [ qr'^Sanesecurity_PhishBar_' => 0 ],
  [ qr'^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.' => 0 ],
  [ qr'^(MSRBL-Images\b|MSRBL-SPAM\.)' => 0 ],
  [ qr'^VX\.Honeypot-SecuriteInfo\.com\.Joke' => 0 ],
  [ qr'^VX\.not-virus_(Hoax|Joke)\..*-SecuriteInfo\.com(\.|\z)' => 0 ],
  [ qr'^Email\.Spam.*-SecuriteInfo\.com(\.|\z)' => 0 ],
  [ qr'-SecuriteInfo\.com(\.|\z)' => undef ], # keep as infected
  [ qr'^MBL_' => undef ], # keep as infected
));

Best Regards, -- SplatNIX IT Services :: Innovation through collaboration From MailScanner at ecs.soton.ac.uk Thu Jul 30 11:01:59 2009 
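The ordered name-to-score lookup from the two amavisd map posts above, applied to the `Clamd:` report lines quoted earlier in the thread, as an added example that is not code from any list post, from MailScanner or from amavisd. The patterns and scores are the ones in Anthony Cartmell's post; the function names, the `Verdict` type, the fail-safe rules for unmapped or non-UNOFFICIAL names, and the use of the highest score for multi-part reports are assumptions of this example.

```python
import re
from typing import Iterable, NamedTuple, Optional, Tuple

# Ordered map, first match wins. Patterns and scores are those quoted from
# amavisd.conf in the thread; None stands for Perl's undef ("keep as infected").
SCORE_MAP = [
    (re.compile(r"^Phishing\."), 4.1),
    (re.compile(r"^(Email|HTML|Sanesecurity)\.(Phishing|Spear|(Spam|Scam)[a-z0-9]?)\.",
                re.I), 4.1),
    (re.compile(r"^Sanesecurity\.(Malware|Trojan)\."), None),
    (re.compile(r"^Sanesecurity\.(Test|Rogue|Casino)"), None),
    (re.compile(r"^Sanesecurity\.(Hdr|Img|ImgO|Junk|Doc)\."), 6.1),
    (re.compile(r"^Sanesecurity\.(Lott|Fake|SpamImg|Job|Stk)\."), 6.1),
    (re.compile(r"^Sanesecurity\.(Loan|Porn|Bou|Dipl|Cred)\."), 6.1),
    (re.compile(r"^(MSRBL-Images/)"), 2.1),
    (re.compile(r"^(MSRBL-SPAM\.)"), 5.1),
    (re.compile(r"^MBL_"), None),
]

# Report line shape as shown in the thread:
#   "<scanner>: <part> was infected: <signature name>"
REPORT_RE = re.compile(
    r"^(?P<scanner>[\w-]+):\s+(?P<part>.+?) was infected:\s+(?P<name>\S+)$")


class Verdict(NamedTuple):
    action: str                 # "virus", "spam" or "none"
    score: float                # points to add when action == "spam"
    reasons: Tuple[str, ...]


def lookup(name: str) -> Tuple[bool, Optional[float]]:
    """Return (matched, score) for the first rule that matches the name."""
    for pattern, score in SCORE_MAP:
        if pattern.search(name):
            return True, score
    return False, None


def classify(report_lines: Iterable[str], require_unofficial: bool = True) -> Verdict:
    """Decide whether a whole report may be handled as spam.

    Fail-safe choices made for this example: one unparsable line, one
    unmapped name or one name mapped to None keeps the message a virus.
    With require_unofficial set, only names carrying the third-party
    ".UNOFFICIAL" tag are ever downgraded.
    """
    scores, reasons, seen = [], [], set()
    for raw in report_lines:
        line = raw.strip()
        if not line:
            continue
        m = REPORT_RE.match(line)
        if m is None:
            return Verdict("virus", 0.0, ("unparsed report line: " + line,))
        name = m["name"]
        if name in seen:          # the same hit is often reported twice
            continue
        seen.add(name)
        if require_unofficial and not name.endswith(".UNOFFICIAL"):
            return Verdict("virus", 0.0, (name + ": not a third-party signature",))
        matched, score = lookup(name)
        if not matched or score is None:
            return Verdict("virus", 0.0, (name + ": no spam score mapped",))
        scores.append(score)
        reasons.append(f"{name}={score}")
    if not scores:
        return Verdict("none", 0.0, ())
    return Verdict("spam", max(scores), tuple(reasons))


if __name__ == "__main__":
    # Report lines taken from the thread, grouped per message for the demo.
    samples = [
        ["Clamd: message was infected: Sanesecurity.Junk.13947.UNOFFICIAL"],
        ["Clamd: message was infected: Sanesecurity.Casino.7437.UNOFFICIAL",
         "Clamd: message was infected: Sanesecurity.Casino.7437.UNOFFICIAL"],
        ["Clamd: message was infected: Sanesecurity.Junk.10079.UNOFFICIAL",
         "Clamd: msg-8399-50.jpg was infected: Sanesecurity.SpamImg.353.UNOFFICIAL"],
    ]
    for report in samples:
        print(classify(report))
```

With this map a `Sanesecurity.Casino` hit stays a virus, because that is what the quoted amavisd.conf assigns it; changing the outcome means changing the table, not the code.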
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jul 30 11:02:26 2009 Subject: Need help with rule set In-Reply-To: <30314754.2721248946210654.JavaMail.root@office.splatnix.net> References: <30314754.2721248946210654.JavaMail.root@office.splatnix.net> <4A716F97.2080402@ecs.soton.ac.uk> Message-ID: I wasn't thinking of anything quite so complicated as that. Maybe a single score for all defined spam reports from the virus scanners? I would rather keep it simple so people can actually use it, than have something very clever and complex that no-one ever quite understands or can work out how to use (apart from the 0.1% who are wizards). Jules. On 30/07/2009 10:30, --[ UxBoD ]-- wrote: > Here is the scoremap you would use in Amavis aswell :- > > @virus_name_to_spam_score_maps = > (new_RE( # the order matters! > [ qr'^Phishing\.' => 0 ], > [ qr'^(Email|HTML)\.Phishing\.(?!.*Sanesecurity)' => 0 ], > [ qr'^Sanesecurity\.(Malware|Rogue|Trojan)\.' => undef ],# keep as infected > [ qr'^Sanesecurity(\.[^., ]*)*\.' => 0 ], > [ qr'^Sanesecurity_PhishBar_' => 0 ], > [ qr'^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.' => 0 ], > [ qr'^(MSRBL-Images\b|MSRBL-SPAM\.)' => 0 ], > [ qr'^VX\.Honeypot-SecuriteInfo\.com\.Joke' => 0 ], > [ qr'^VX\.not-virus_(Hoax|Joke)\..*-SecuriteInfo\.com(\.|\z)' => 0 ], > [ qr'^Email\.Spam.*-SecuriteInfo\.com(\.|\z)' => 0 ], > [ qr'-SecuriteInfo\.com(\.|\z)' => undef ], # keep as infected > [ qr'^MBL_' => undef ], # keep as infected > )); > > Best Regards, > > Jules From uxbod at splatnix.net Thu Jul 30 11:11:53 2009 
From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Thu Jul 30 11:12:24 2009 Subject: Need help with rule set In-Reply-To: Message-ID: <27848200.2751248948713109.JavaMail.root@office.splatnix.net> Well, personally I would like the option of marking it as either a virus or SPAM. That way at least with a header SA can score it accordingly and drop it into the quarantine area. Best Regards, -- SplatNIX IT Services :: Innovation through collaboration From jonas at vrt.dk Thu Jul 30 13:09:06 2009 
From: jonas at vrt.dk (Jonas A. Larsen) Date: Thu Jul 30 13:09:16 2009 Subject: Need help with rule set In-Reply-To: References: <30314754.2721248946210654.JavaMail.root@office.splatnix.net> <4A716F97.2080402@ecs.soton.ac.uk> Message-ID: <001c01ca110e$89364510$9ba2cf30$@dk> > I wasn't thinking of anything quite so complicated as that. > Maybe a single score for all defined spam reports from the virus scanners? > I would rather keep it simple so people can actually use it, than have > something very clever and complex that no-one ever quite understands or > can work out how to use (apart from the 0.1% who are wizards). > > Jules. I must agree with the users who would like to see an "exempt method" or whatever you want to call it, which makes it possible to make MailScanner treat something that clamav (or other scanners) hit on as spam instead of a virus. So far I have NOT used any 3rd party sigs for clam, for this specific reason. I do not want to block something completely just because a clamav sig hits on it. If it was possible to define a score for certain virus scanner hits instead it would make mailscanner much more flexible (apparently like amavis supports) So if this was added to MailScanner it would allow me (and others I'm sure) to utilize 3rd party virus signatures to improve spam protection, without being vulnerable to obvious false positives in the 3rd party sigs. Med venlig hilsen / Best regards Jonas Akrouh Larsen TechBiz ApS Laplandsgade 4, 2. sal 2300 København S Office: 7020 0979 Direct: 3336 9974 Mobile: 5120 1096 Fax: 7020 0978 Web: www.techbiz.dk From raubvogel at gmail.com Thu Jul 30 13:11:57 2009 
From: raubvogel at gmail.com (Mauricio Tavares) Date: Thu Jul 30 13:12:09 2009 Subject: More descriptive body spam message In-Reply-To: References: <4A6842E3.7050109@gmail.com> <4A68908C.7030101@ecs.soton.ac.uk> Message-ID: <4A718E0D.5080603@gmail.com> Jules Field wrote: > > > On 23/07/2009 12:00, Mauricio Tavares wrote: >> I received a spam mail from one of my other accounts in which >> their spamassassin detected the spam. That is fine, nothing specially >> really. But what it had that was interesting to me was the amount of >> info shown on the body of the message about the said spam: >> >> =============================%< ==================================== >> Spam detection software, running on the system "freenet9.afn.org", has >> identified this incoming email as possible spam. The original message >> has been attached to this so you can view it (if it isn't spam) or label >> similar future email. If you have any questions, see >> the administrator of that system for details. >> >> [...] >> >> Content analysis details: (6.9 points, 5.0 required) >> >> pts rule name description >> ---- ---------------------- >> -------------------------------------------------- >> 0.0 MISSING_MID Missing Message-Id: header >> 1.3 MISSING_HEADERS Missing To: header >> 1.0 BAYES_60 BODY: Bayesian spam probability is 60 to 80% >> [score: 0.6317] >> 0.0 HTML_MESSAGE BODY: HTML included in message >> 1.5 MIME_HTML_ONLY BODY: Message only has text/html MIME parts >> 0.0 FORGED_OUTLOOK_HTML Outlook can't send HTML message only >> 3.1 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook >> >> The original message was not completely plain text, and may be unsafe to >> open with some email clients; in particular, it may contain a virus, >> or confirm that your address can receive spam. If you wish to view >> it, it may be safer to save it to a file and open it with an editor. 
>> >> =============================%< ==================================== >> >> A lot of that MailScanner already does, but in a shorthand version on >> the header. Is there a way to do something like the above, as in >> append that to the top of the body of the mail that by now is already >> defanged? > Add a spam action "encapsulate" and you will find you get a lot of that. > Getting into my Homer Simpson mode here: how do I do that? =) > Jules > From MailScanner at ecs.soton.ac.uk Thu Jul 30 14:00:08 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jul 30 14:00:32 2009 Subject: More descriptive body spam message In-Reply-To: <4A718E0D.5080603@gmail.com> References: <4A6842E3.7050109@gmail.com> <4A68908C.7030101@ecs.soton.ac.uk> <4A718E0D.5080603@gmail.com> <4A719958.10702@ecs.soton.ac.uk> Message-ID: On 30/07/2009 13:11, Mauricio Tavares wrote: > Jules Field wrote: >> >> >> On 23/07/2009 12:00, Mauricio Tavares wrote: >>> I received a spam mail from one of my other accounts in which >>> their spamassassin detected the spam. That is fine, nothing >>> specially really. But what it had that was interesting to me was the >>> amount of info shown on the body of the message about the said spam: >>> >>> =============================%< ==================================== >>> Spam detection software, running on the system "freenet9.afn.org", has >>> identified this incoming email as possible spam. The original message >>> has been attached to this so you can view it (if it isn't spam) or >>> label >>> similar future email. If you have any questions, see >>> the administrator of that system for details. >>> >>> [...] >>> >>> Content analysis details: (6.9 points, 5.0 required) >>> >>> pts rule name description >>> ---- ---------------------- >>> -------------------------------------------------- >>> 0.0 MISSING_MID Missing Message-Id: header >>> 1.3 MISSING_HEADERS Missing To: header >>> 1.0 BAYES_60 BODY: Bayesian spam probability is 60 to >>> 80% >>> [score: 0.6317] >>> 0.0 HTML_MESSAGE BODY: HTML included in message >>> 1.5 MIME_HTML_ONLY BODY: Message only has text/html MIME parts >>> 0.0 FORGED_OUTLOOK_HTML Outlook can't send HTML message only >>> 3.1 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS >>> Outlook >>> >>> The original message was not completely plain text, and may be >>> unsafe to >>> open with some email clients; in particular, it may contain a virus, >>> or confirm that your address can receive spam. 
If you wish to view >>> it, it may be safer to save it to a file and open it with an editor. >>> >>> =============================%< ==================================== >>> >>> A lot of that MailScanner already does, but in a shorthand version >>> on the header. Is there a way to do something like the above, as in >>> append that to the top of the body of the mail that by now is >>> already defanged? >> Add a spam action "encapsulate" and you will find you get a lot of that. >> > Getting into my Homer Simpson mode here: how do I do that? =) As I said in a previous article in this thread, it's actually called "attachment" in the "Spam Actions". Read up on Spam Actions in MailScanner.conf or in the book. Jules From MailScanner at ecs.soton.ac.uk Thu Jul 30 14:13:53 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jul 30 14:14:13 2009 Subject: Need help with rule set - request for samples In-Reply-To: <001c01ca110e$89364510$9ba2cf30$@dk> References: <30314754.2721248946210654.JavaMail.root@office.splatnix.net> <4A716F97.2080402@ecs.soton.ac.uk> <001c01ca110e$89364510$9ba2cf30$@dk> <4A719C91.5050705@ecs.soton.ac.uk> Message-ID: Please help. I currently do not have any messages which are detected by ClamAV or F-Prot as a piece of spam. So I don't have any test data to develop against. Please can you put preferably raw queue files up on an http server somewhere so I can download a few examples? Thanks folks! Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mark at msapiro.net Thu Jul 30 15:55:06 2009 
From: mark at msapiro.net (Mark Sapiro) Date: Thu Jul 30 15:55:22 2009 Subject: Need help with rule set - request for samples In-Reply-To: Message-ID: Julian Field wrote: > >I currently do not have any messages which are detected by ClamAV or >F-Prot as a piece of spam. > >So I don't have any test data to develop against. > >Please can you put preferably raw queue files up on an http server >somewhere so I can download a few examples? I don't have any raw queue files, but I have raw message files in my quarantine. I have temporarily made copies of many message files accessable via . You can start there and navigate to files such as dead links removed (there 281, listed below) I think every message.txt file you find there is one that hits one or more of SaneSecurity or other spam rules. In addition, the following files hit standard ClamAV virus rules dead links removed The full list of available messages is: dead links removed -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From mark at msapiro.net Thu Jul 30 20:25:12 2009 
From: mark at msapiro.net (Mark Sapiro) Date: Thu Jul 30 20:25:31 2009 Subject: Need help with rule set - request for samples In-Reply-To: Message-ID: Mark Sapiro wrote: >Julian Field wrote: >> >>I currently do not have any messages which are detected by ClamAV or >>F-Prot as a piece of spam. >> >>So I don't have any test data to develop against. >> >>Please can you put preferably raw queue files up on an http server >>somewhere so I can download a few examples? > > >I don't have any raw queue files, but I have raw message files in my >quarantine. I have temporarily made copies of many message files >accessable via . You can start there >and navigate to files such as > > >dead link removed [...] There may have been a permission issue accessing the actual files. I am "sure" I checked access, but I subsequently found a problem which is now fixed. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From hden at kci.net.nz Thu Jul 30 22:08:41 2009 From: hden at kci.net.nz (hden@kci.net.nz) Date: Thu Jul 30 22:08:52 2009 Subject: Spamassassin Conf Message-ID: <53668.222.154.232.180.1248988121.squirrel@webmail.kc.net.nz> Due to a hard disc failure I've had to re set up our mail system. All is back up OK except I've forgotton how/where the 'spam.assassin.prefs.conf' file is called. Our prefs file has a few local rules which we'd like to re-incorperate I vaguely remember a symbolic link 'mailscanner.cf' in the spamassassin folder, but can't recall if that link was automatically read just by being in that folder or not. I also see references in the maillist to a 'spam.assassin.rules.conf' file. Has this replaced the prefs file? Help/Advice appreciated .. Cheers! Dave From MailScanner at ecs.soton.ac.uk Thu Jul 30 22:21:34 2009 
From: MailScanner at ecs.soton.ac.uk (Jules Field)
Date: Thu Jul 30 22:21:54 2009
Subject: Spamassassin Conf
In-Reply-To: <53668.222.154.232.180.1248988121.squirrel@webmail.kc.net.nz>
References: <53668.222.154.232.180.1248988121.squirrel@webmail.kc.net.nz> <4A720EDE.4050104@ecs.soton.ac.uk>
Message-ID:

/etc/MailScanner/spam.assassin.prefs.conf should exist as a file.
/etc/mail/spamassassin/mailscanner.cf is a soft-link to it, so once
you've got the file then do
    ln -s /etc/MailScanner/spam.assassin.prefs.conf /etc/mail/spamassassin/mailscanner.cf
to re-create the link.
It will be automatically read as it's a cf file in /etc/mail/spamassassin.

Hopefully that helps resolve your problem.

Jules.

On 30/07/2009 22:08, hden@kci.net.nz wrote:
> Due to a hard disc failure I've had to re set up our mail system. All is
> back up OK except I've forgotten how/where the 'spam.assassin.prefs.conf'
> file is called. Our prefs file has a few local rules which we'd like to
> re-incorporate
>
> I vaguely remember a symbolic link 'mailscanner.cf' in the spamassassin
> folder, but can't recall if that link was automatically read just by being
> in that folder or not.
>
> I also see references in the maillist to a 'spam.assassin.rules.conf'
> file. Has this replaced the prefs file?
>
> Help/Advice appreciated ..
>
> Cheers!
> Dave
>
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From hden at kci.net.nz Thu Jul 30 22:35:28 2009
From: hden at kci.net.nz (hden@kci.net.nz) Date: Thu Jul 30 22:35:44 2009 Subject: Spamassassin Conf In-Reply-To: References: <53668.222.154.232.180.1248988121.squirrel@webmail.kc.net.nz> <4A720EDE.4050104@ecs.soton.ac.uk> Message-ID: <39212.222.154.232.180.1248989728.squirrel@webmail.kc.net.nz> [Once again] .. Thanks! > /etc/MailScanner/spam.assassin.prefs.conf should exist as a file. > /etc/mail/spamassassin/mailscanner.cf is a soft-link to it, so once > you've got the file then do > ln -s /etc/MailScanner/spam.assassin.prefs.conf > /etc/mail/spamassassin/mailscanner.cf > to re-create the link. > It will be automatically read as it's a cf file in /etc/mail/spamassassin. > > Hopefully that helps resolve your problem. > > Jules. > > On 30/07/2009 22:08, hden@kci.net.nz wrote: >> Due to a hard disc failure I've had to re set up our mail system. All is >> back up OK except I've forgotton how/where the >> 'spam.assassin.prefs.conf' >> file is called. Our prefs file has a few local rules which we'd like to >> re-incorperate >> >> I vaguely remember a symbolic link 'mailscanner.cf' in the spamassassin >> folder, but can't recall if that link was automatically read just by >> being >> in that folder or not. >> >> I also see references in the maillist to a 'spam.assassin.rules.conf' >> file. Has this replaced the prefs file? >> >> Help/Advice appreciated .. >> >> Cheers! >> Dave >> >> > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > Follow me at twitter.com/JulesFM and twitter.com/MailScanner > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. 
> > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From MailScanner at ecs.soton.ac.uk Fri Jul 31 09:11:14 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Jul 31 09:11:37 2009
Subject: Need help with rule set - Bother! :(
In-Reply-To:
References: <30314754.2721248946210654.JavaMail.root@office.splatnix.net> <4A716F97.2080402@ecs.soton.ac.uk> <4A72A722.7020109@ecs.soton.ac.uk>
Message-ID:

I've written it all, and I've just realised the reason the last bug is
there is because I am totally screwed.

I do the spam scanning before the virus scanning. So by the time I've
got the virus scanner reports about spam, it is *way* too late to do
anything with them.

The only solution is to turn it all around and do the virus scanning
first, which is *far* less efficient as you'll end up virus scanning the
90% of your mail that is actually spam anyway. And all the overheads in
data structures that have to be generated in order for the scanning to
work. And all the attachment extraction. And everything else.

Damn and botherations!

Anyone got any great ideas?

I can detect all the "spam-virus" output and put it in a separate
header, but I can't then do anything with it except ignore it or just
put it in a useless header in the output message.

Your thoughts please.

On 30/07/2009 11:01, Julian Field wrote:
> I wasn't thinking of anything quite so complicated as that.
> Maybe a single score for all defined spam reports from the virus
> scanners?
> I would rather keep it simple so people can actually use it, than have
> something very clever and complex that no-one ever quite understands
> or can work out how to use (apart from the 0.1% who are wizards).
>
> Jules.
>
> On 30/07/2009 10:30, --[ UxBoD ]-- wrote:
>> Here is the scoremap you would use in Amavis as well :-
>>
>> @virus_name_to_spam_score_maps =
>>   (new_RE(  # the order matters!
>>     [ qr'^Phishing\.' => 0 ],
>>     [ qr'^(Email|HTML)\.Phishing\.(?!.*Sanesecurity)' => 0 ],
>>     [ qr'^Sanesecurity\.(Malware|Rogue|Trojan)\.' => undef ], # keep as infected
>>     [ qr'^Sanesecurity(\.[^., ]*)*\.' => 0 ],
>>     [ qr'^Sanesecurity_PhishBar_' => 0 ],
>>     [ qr'^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.' => 0 ],
>>     [ qr'^(MSRBL-Images\b|MSRBL-SPAM\.)' => 0 ],
>>     [ qr'^VX\.Honeypot-SecuriteInfo\.com\.Joke' => 0 ],
>>     [ qr'^VX\.not-virus_(Hoax|Joke)\..*-SecuriteInfo\.com(\.|\z)' => 0 ],
>>     [ qr'^Email\.Spam.*-SecuriteInfo\.com(\.|\z)' => 0 ],
>>     [ qr'-SecuriteInfo\.com(\.|\z)' => undef ], # keep as infected
>>     [ qr'^MBL_' => undef ], # keep as infected
>>   ));
>>
>> Best Regards,
>>
>
> Jules
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From ajcartmell at fonant.com Fri Jul 31 10:40:28 2009
From: ajcartmell at fonant.com (Anthony Cartmell)
Date: Fri Jul 31 10:40:42 2009
Subject: New supercomputer for MailScanner?
Message-ID:

This one should be able to process a few mails per hour, although it
isn't clear whether it has enough RAM to avoid swapping ;)

http://www.theregister.co.uk/2009/07/31/southampton_uni_idataplex/

Will you get a chance to play with it, Julian?

Cheers!

Anthony
--
www.fonant.com - Quality web sites

From MailScanner at ecs.soton.ac.uk Fri Jul 31 11:38:30 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Jul 31 11:38:49 2009 Subject: New supercomputer for MailScanner? In-Reply-To: References: <4A72C9A6.4040102@ecs.soton.ac.uk> Message-ID: I doubt it, unfortunately. However, I am also involved in a project that is building a supercomputer with 1,000,000 cores, which should rather wipe that little thing out altogether! Jules. On 31/07/2009 10:40, Anthony Cartmell wrote: > This one should be able to process a few mails per hour, although it > isn't clear whether it has enough RAM to avoid swapping ;) > > http://www.theregister.co.uk/2009/07/31/southampton_uni_idataplex/ > > Will you get a chance to play with it, Julian? > > Cheers! > > Anthony Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From jaearick at colby.edu Fri Jul 31 12:25:47 2009 From: jaearick at colby.edu (Jeff A. Earickson) Date: Fri Jul 31 12:26:03 2009 Subject: [OT] new sendmail release, ever? Message-ID: Gang, There hasn't been a new sendmail release since 8.14.3 back in May 3, 2008. Any ideas why? Claus Assmann's version 10 seems to have vanished from the landscape. Anybody on this list know anything about the future of public-domain sendmail? Jeff Earickson Colby College From steve at fsl.com Fri Jul 31 12:38:58 2009 
From: steve at fsl.com (Stephen Swaney) Date: Fri Jul 31 12:39:09 2009 Subject: [OT] new sendmail release, ever? In-Reply-To: References: Message-ID: <4A72D7D2.4040304@fsl.com> Jeff A. Earickson wrote: > Gang, > > There hasn't been a new sendmail release since 8.14.3 > back in May 3, 2008. Any ideas why? Claus Assmann's version > 10 seems to have vanished from the landscape. Anybody on > this list know anything about the future of public-domain sendmail? > > Jeff Earickson > Colby College Jeff, There is this: http://www.sendmail.org/sm-X/release.html Which points to this: http://www.MeTA1.org/ Which was last updated: 2009-06-04 Best regards, Steve -- Steve Swaney steve@fsl.com www.fsl.com The most accurate and cost effective anti-spam solutions available From nick at inticon.net.au Fri Jul 31 12:41:05 2009 From: nick at inticon.net.au (Nick Brown) Date: Fri Jul 31 12:41:29 2009 Subject: [OT] new sendmail release, ever? In-Reply-To: References: Message-ID: <4A72D851.7080405@inticon.net.au> I hear its been replaced by this new package called Postfix?! *Evil chuckle* Jeff A. Earickson wrote: > Gang, > > There hasn't been a new sendmail release since 8.14.3 > back in May 3, 2008. Any ideas why? Claus Assmann's version > 10 seems to have vanished from the landscape. Anybody on > this list know anything about the future of public-domain sendmail? > > Jeff Earickson > Colby College From campbell at cnpapers.com Fri Jul 31 12:52:43 2009 
From: campbell at cnpapers.com (Steve Campbell) Date: Fri Jul 31 12:52:58 2009 Subject: [OT] new sendmail release, ever? In-Reply-To: <4A72D851.7080405@inticon.net.au> References: <4A72D851.7080405@inticon.net.au> Message-ID: <4A72DB0B.6060707@cnpapers.com> Nick Brown wrote: > I hear its been replaced by this new package called Postfix?! > > *Evil chuckle* > > Jeff A. Earickson wrote: Guess that explains why no one has heard of it. steve >> Gang, >> >> There hasn't been a new sendmail release since 8.14.3 >> back in May 3, 2008. Any ideas why? Claus Assmann's version >> 10 seems to have vanished from the landscape. Anybody on >> this list know anything about the future of public-domain sendmail? >> >> Jeff Earickson >> Colby College > From nick at inticon.net.au Fri Jul 31 13:04:00 2009 From: nick at inticon.net.au (Nick Brown) Date: Fri Jul 31 13:04:21 2009 Subject: [OT] new sendmail release, ever? In-Reply-To: <4A72DB0B.6060707@cnpapers.com> References: <4A72D851.7080405@inticon.net.au> <4A72DB0B.6060707@cnpapers.com> Message-ID: <4A72DDB0.9050306@inticon.net.au> Steve Campbell wrote: > > Guess that explains why no one has heard of it. > > steve I was going to say qMail but then the joke would have been on me! ;-) From MailScanner at ecs.soton.ac.uk Fri Jul 31 14:41:03 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Jul 31 14:41:22 2009
Subject: New beta release 4.78.3 -- "spam-viruses"
References: <4A72F46F.8030803@ecs.soton.ac.uk>
Message-ID:

I have just released a new beta, the first in quite a while.

This has one major re-arrangement done to it, in that the virus scanning
is now done *before* the spam checking, instead of after it as it has
always been in the past. This results in you virus-scanning all the spam
you are about to delete, but for virtually all virus scanners the cost
of scanning a few extra files is very minimal compared to the cost of
running SpamAssassin on them anyway. So it won't make much difference to
the speed at all. And you have the advantage that you won't be
spam-scanning viruses any more.

The need for this is because...

I have introduced a solution to the issue of what I am calling
"spam-viruses" which are messages detected as being spam by your *virus*
scanner. At least ClamAV and F-Prot can do this now. Automatically
deleting mail which a third-party ClamAV signature database thinks is
probably spam is not a very good idea, as there are false alarms which
have bitten most of us in the past.

So what you want is a way of assigning a spam score to different
"spam-viruses" so you can use the signature databases to varying effect,
depending on what you think of their reliability. Some of the ClamAV
databases have far more false alarms (false positives) than others, as
documented here:
http://www.sanesecurity.net/databases.htm

So now a list of all the "spam-viruses" found in a message will be put
in a new message header before the message is passed to SpamAssassin, so
you can do everything from simply assigning a score if the header exists
at all, to assigning different scores to different spam-viruses as you
like. You can make it as simple or as complex as you choose. I have
given you a sample rule to start from in spam.assassin.prefs.conf.

So you need to do 2 other things:
1. Set the name of the header used for this: see the "Spam-Virus Header"
   setting in MailScanner.conf.
2. Define what virus names are actually spam-viruses. See the "Virus
   Names Which Are Spam" setting in MailScanner.conf.

The second of those is given very simply. No regular expressions or
anything complicated like that, sorry.
You give a space-separated list of strings which are the names of the
spam-viruses.
You can use the "*" wildcard character to mean "any number of zero or
more characters", just like you do in filenames. You can use several "*"
wildcards in each string, of course.
Other than that the string will be matched against the whole virus name,
with a case sensitive match.
If you want to match just a sub-string of the virus name, put a "*" at
the start and end of the string, such as in "*UNOFFICIAL*" for example.
Two simple examples are "HTML/*" and "Sane*UNOFFICIAL" which are
hopefully both self-explanatory.

For more information about these 2 settings, see the MailScanner.conf file.

I think this keeps the configuration nice and simple for most people,
but allows the 0.1% of wizards to build really complex setups.

If you strongly disagree with the way I have done it, please do let me
know, this is only a beta so I can easily change it at this point
without upsetting anyone. :-)

Hopefully you will find this a useful new feature, and that the cost of
the code re-arrangement is not too high.

Have a good weekend, and please let me know if you have any "issues"
with any of it!

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From doctor at doctor.nl2k.ab.ca Fri Jul 31 14:54:54 2009
From: doctor at doctor.nl2k.ab.ca (The Doctor)
Date: Fri Jul 31 14:55:06 2009
Subject: [OT] new sendmail release, ever?
In-Reply-To:
References:
Message-ID: <20090731135454.GB25337@doctor.nl2k.ab.ca>

On Fri, Jul 31, 2009 at 07:25:47AM -0400, Jeff A. Earickson wrote:
> Gang,
>
> There hasn't been a new sendmail release since 8.14.3
> back in May 3, 2008. Any ideas why? Claus Assmann's version
> 10 seems to have vanished from the landscape. Anybody on
> this list know anything about the future of public-domain sendmail?
>

Who knows.

I get so fed up that I moved to postfix.

The only problem I am having is how to use postfix and MailScanner
WITHOUT a jail.

> Jeff Earickson
> Colby College
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

--
Member - Liberal International
This is doctor@nl2k.ab.ca Ici doctor@nl2k.ab.ca
God, Queen and country! Beware Anti-Christ rising!
Never Satan President Republic!
The fool says in his heart, "There is no God". They are corrupt, and their ways are vile; there is no one who does good. - Ps 53:1

From jonas at vrt.dk Fri Jul 31 15:10:13 2009
From: jonas at vrt.dk (Jonas A. Larsen)
Date: Fri Jul 31 15:10:25 2009
Subject: New beta release 4.78.3 -- "spam-viruses"
In-Reply-To:
References: <4A72F46F.8030803@ecs.soton.ac.uk>
Message-ID: <001a01ca11e8$9f0d6320$dd282960$@dk>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Julian Field > Sent: 31. juli 2009 15:41 > To: MailScanner discussion > Subject: New beta release 4.78.3 -- "spam-viruses" > > I have just released a new beta, the first in quite a while. > > This has one major re-arrangement done to it, in that the virus scanning > is now done *before* the spam checking, instead of after it as it has > always been in the past. This results in you virus-scanning all the spam > you are about to delete, but for virtually all virus scanners the cost > of scanning a few extra files is very minimal compared to the cost of > running SpamAssassin on them anyway. So it won't make much difference to > the speed at all. And you have the advantage that you won't be > spam-scanning viruses any more. > > The need for this is because... > > I have introduced a solution to the issue of what I am calling > "spam-viruses" which are messages detected as being spam by your *virus* > scanner. At least ClamAV and F-Prot can do this now. Automatically > deleting mail which a third-party ClamAV signature database thinks is > probably spam is not a very good idea, as there are false alarms which > have bitten most of us in the past. > > So what you want is a way of assigning a spam score to different > "spam-viruses" so you can use the signature databases to varying effect, > depending on what you think of their reliability. Some of the ClamAV > databases have far more false alarms (false positives) than others, as > documented here: > http://www.sanesecurity.net/databases.htm > > So now a list of all the "spam-viruses" found in a message will be put > in a new message header before the message is passed to SpamAssassin, so > you can do everything from simply assigning a score if the header exists > at all, to assigning different scores to different spam-viruses as you > like. You can make it as simple or as complex as you choose. 
I have > given you a sample rule to start from in spam.assassin.prefs.conf. > > So you need to do 2 other things: > 1. Set the name of the header used for this: see the "Spam-Virus Header" > setting in MailScanner.conf. > 2. Define what virus names are actually spam-viruses. See the "Virus > Names Which Are Spam" setting in MailScanner.conf. > > The second of those is given very simply. No regular expressions or > anything complicated like that, sorry. > You give a space-separated list of strings which are the names of the > spam-viruses. > You can use the "*" wildcard character to mean "any number of zero or > more characters", just like you do in filenames. You can use several "*" > wildcards in each string, of course. > Other than that the string will be matched against the whole virus name, > with a case sensitive match. > If you want to match just a sub-string of the virus name, put a "*" at > the start and end of the string, such as in "*UNOFFICIAL*" for example. > Two simple examples are "HTML/*" and "Sane*UNOFFICIAL" which are > hopefully both self-explanatory. > > For more information about these 2 settings, see the MailScanner.conf file. > > I think this keeps the configuration nice and simple for most people, > but allows the 0.1% of wizards to build really complex setups. > > If you strongly disagree with the way I have done it, please do let me > know, this is only a beta so I can easily change it at this point > without upsetting anyone. :-) > > Hopefully you will find this a useful new feature, and that the cost of > the code re-arrangement is not too high. > > Have a good weekend, and please let me know if you have any "issues" > with any of it! > Woohoo, again MailScanner responds to users' needs in record time. I will definitely be trying to test this next week. It sounds like its implemented precisely how I was hoping it would be. Again you go above and beyond Julian :) I will report back as soon as i got some results/comments. 
Med venlig hilsen / Best regards

Jonas Akrouh Larsen

TechBiz ApS
Laplandsgade 4, 2. sal
2300 København S

Office: 7020 0979
Direct: 3336 9974
Mobile: 5120 1096
Fax: 7020 0978
Web: www.techbiz.dk

From Phil.Udel at SalemCorp.com Fri Jul 31 15:40:07 2009
From: Phil.Udel at SalemCorp.com (Phil Udel)
Date: Fri Jul 31 15:41:01 2009
Subject: WhiteList Ignored
Message-ID: <9349097DB6B64EBDB0B6F8CD26759323@salemcorp.com>

Hi. I am running 4.65.3 of Mailscanner and "Sometimes" Items in my
whitelist are Ignored. 99% of the time it works fine.
Currently I have one user that cannot send an email that has a high
spamscore, and no matter what I put in the whitelist it is ignored.

Any Ideas?

Thanks

Phillip Udel
Senior Systems Administrator
Admin@SalemCorp.com
(800) 877-2536 Ext 212

|^^^^^^^^^^^^^^^^^^^^^|
| www.Salemcorp.com | ||'|"\,__
|_..._...__________====||_|__|..;
"(@)'(@)"""""""""""|(@) (@)***(@)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090731/838475e1/attachment.html

From Phil.Udel at SalemCorp.com Fri Jul 31 15:58:25 2009
From: Phil.Udel at SalemCorp.com (Phil Udel)
Date: Fri Jul 31 15:59:57 2009
Subject: WhiteList Ignored
In-Reply-To: <9349097DB6B64EBDB0B6F8CD26759323@salemcorp.com>
References: <9349097DB6B64EBDB0B6F8CD26759323@salemcorp.com>
Message-ID:

I just googled that if you have too many recipients then whitelist is
ignored. I am sure that is the problem here. How do I get around this?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090731/83323044/attachment.html

From Phil.Udel at SalemCorp.com Fri Jul 31 16:01:19 2009
From: Phil.Udel at SalemCorp.com (Phil Udel) Date: Fri Jul 31 16:03:10 2009 Subject: WhiteList Ignored In-Reply-To: <9349097DB6B64EBDB0B6F8CD26759323@salemcorp.com> References: <9349097DB6B64EBDB0B6F8CD26759323@salemcorp.com> Message-ID: <0F974A7215D84BEFA3D56085F10DD717@salemcorp.com> Nevermind.. I found Ignore Spam Whitelist If Recipients Exceed _____ From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Phil Udel Sent: Friday, July 31, 2009 10:40 AM To: mailscanner@lists.mailscanner.info Subject: WhiteList Ignored Hi. I am running 4.65.3 of Mailscanner and "Sometimes" Items in my whitelist are Ignored. 99% of the time it works fine. Currently I have one user that can not send a email that has a high spamscore, and no mater what I put in the whitelist it is ignored. Any Ideas? Thanks Phillip Udel Senior Systems Administrator Admin@SalemCorp.com (800) 877-2536 Ext 212 |^^^^^^^^^^^^^^^^^^^^^| | www.Salemcorp.com | ||'|"\,__ |_..._...__________====||_|__|..; "(@)'(@)"""""""""""|(@) (@)***(@) -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090731/43b2b482/attachment.html From mark at msapiro.net Fri Jul 31 16:12:57 2009 
From: mark at msapiro.net (Mark Sapiro) Date: Fri Jul 31 16:13:16 2009 Subject: New beta release 4.78.3 -- "spam-viruses" In-Reply-To: Message-ID: Julian Field wrote: > >I have introduced a solution to the issue of what I am calling >"spam-viruses" which are messages detected as being spam by your *virus* >scanner. At least ClamAV and F-Prot can do this now. Automatically >deleting mail which a third-party ClamAV signature database thinks is >probably spam is not a very good idea, as there are false alarms which >have bitten most of us in the past. Jules, This is terrific. I have installed the new beta and am just beginning to test, but it looks great. This is a major improvement for those using third-party ClamAV spam signatures. Thank you! -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From alex at rtpty.com Fri Jul 31 16:18:54 2009 
From: alex at rtpty.com (Alex Neuman) Date: Fri Jul 31 16:19:04 2009 Subject: WhiteList Ignored In-Reply-To: <9349097DB6B64EBDB0B6F8CD26759323@salemcorp.com> References: <9349097DB6B64EBDB0B6F8CD26759323@salemcorp.com> Message-ID: <24e3d2e40907310818vf833823nca34098c996869ef@mail.gmail.com> It may be one of the following: 1. Multiple recipients 2. The logic in your whitelist On Fri, Jul 31, 2009 at 9:40 AM, Phil Udel wrote: > Hi. I am running 4.65.3 of Mailscanner and "Sometimes" Items in my > whitelist are Ignored. 99% of the time it works fine. > Currently I have one user that can not send a email that has a high > spamscore, and no mater what I put in the whitelist it is ignored. > > Any Ideas? > > > > Thanks > > Phillip Udel > > Senior Systems Administrator > > Admin@SalemCorp.com > > (800) 877-2536 Ext 212 > > > > |^^^^^^^^^^^^^^^^^^^^^| > > | www.Salemcorp.com | ||'|"\,__ > > |_..._...__________====||_|__|..; > > "(@)'(@)"""""""""""|(@) (@)***(@) > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- Alex Neuman van der Hans Reliant Technologies +507 6781-9505 +507 202-1525 alex@rtpty.com Skype: alexneuman -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090731/b83c83db/attachment.html From MailScanner at ecs.soton.ac.uk Fri Jul 31 16:18:54 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Jul 31 16:19:15 2009 Subject: New beta release 4.78.3 -- "spam-viruses" In-Reply-To: References: <4A730B5E.2000300@ecs.soton.ac.uk> Message-ID: On 31/07/2009 16:12, Mark Sapiro wrote: > Julian Field wrote: > >> I have introduced a solution to the issue of what I am calling >> "spam-viruses" which are messages detected as being spam by your *virus* >> scanner. At least ClamAV and F-Prot can do this now. Automatically >> deleting mail which a third-party ClamAV signature database thinks is >> probably spam is not a very good idea, as there are false alarms which >> have bitten most of us in the past. >> > > Jules, > > This is terrific. I have installed the new beta and am just beginning > to test, but it looks great. > > This is a major improvement for those using third-party ClamAV spam > signatures. > > Thank you! > My pleasure. I'm glad you all find it useful. If you want to show your appreciation, and commemorate that it is also "System Administrators' Day" today, my Amazon.co.uk wishlist is always open for business at http://www.amazon.co.uk/gp/registry/1W99HT2WWW5PB Thanks! Jules. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From drew.marshall at trunknetworks.com Fri Jul 31 17:44:33 2009 
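Added example (not part of any list message and not MailScanner's own code): the "Virus Names Which Are Spam" matching described in the 4.78.3 beta announcement earlier in this thread, with "*" as the only wildcard and a case-sensitive match against the whole virus name, run over constructed scanner report names. The header name, the comma-separated header value and the score table are assumptions made for illustration.

```python
import re

# Assumed header name and value layout; the real name comes from the
# "Spam-Virus Header" setting in MailScanner.conf.
HEADER_NAME = "X-Example-MailScanner-SpamVirus-Report:"

# Constructed virus names, as a scanner might report them for one message.
SAMPLE_REPORT = [
    "Sanesecurity.Junk.12345.UNOFFICIAL",
    "HTML/Phishing.Bank-1",
    "Eicar-Test-Signature",
    "sanesecurity.junk.7.UNOFFICIAL",        # lower-case "sane"
    "Sanesecurity.Junk.9.UNOFFICIAL.extra",  # text after UNOFFICIAL
]


def compile_pattern(pattern):
    """Turn one setting entry into a regex: "*" is the only wildcard
    (zero or more characters); every other character is literal."""
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile(".*".join(literal_parts), re.DOTALL)


def parse_setting(value):
    """Split the space-separated setting value into compiled patterns."""
    return [compile_pattern(entry) for entry in value.split()]


def classify(virus_names, patterns):
    """Return (spam_viruses, infections). A name is a spam-virus only if
    some pattern matches the whole name, case-sensitively."""
    spam_viruses, infections = [], []
    for name in virus_names:
        if any(rx.fullmatch(name) for rx in patterns):
            spam_viruses.append(name)
        else:
            infections.append(name)
    return spam_viruses, infections


def spam_virus_header(spam_viruses):
    """Build the header line handed to the spam checker, or None."""
    if not spam_viruses:
        return None
    return HEADER_NAME + " " + ", ".join(spam_viruses)


def score_header(header_line, rules):
    """Stand-in for header rules in the spam checker: each (regex, points)
    rule fires at most once if it matches the header value."""
    if header_line is None:
        return 0.0
    value = header_line.split(":", 1)[1]
    return sum(points for regex, points in rules if re.search(regex, value))


# Assumed scoring policy: a small score for any spam-virus report, more
# for a signature family the administrator trusts.
SCORE_RULES = [
    (r"\S", 1.0),
    (r"\bSanesecurity\.Junk\.", 2.5),
]

if __name__ == "__main__":
    for setting in ("HTML/* Sane*UNOFFICIAL", "*UNOFFICIAL*"):
        spam, infected = classify(SAMPLE_REPORT, parse_setting(setting))
        header = spam_virus_header(spam)
        print(setting)
        print("  spam-viruses:", spam)
        print("  still treated as infections:", infected)
        print("  header:", header)
        print("  score:", score_header(header, SCORE_RULES))
```

With "Sane*UNOFFICIAL" the lower-case and suffixed names stay ordinary virus reports because the match is case-sensitive and covers the whole name; only the "*UNOFFICIAL*" form picks them up.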
From: drew.marshall at trunknetworks.com (Drew Marshall)
Date: Fri Jul 31 17:44:58 2009
Subject: [OT] new sendmail release, ever?
In-Reply-To: <20090731135454.GB25337@doctor.nl2k.ab.ca>
References: <20090731135454.GB25337@doctor.nl2k.ab.ca>
Message-ID:

On 31 Jul 2009, at 14:54, The Doctor wrote:

> On Fri, Jul 31, 2009 at 07:25:47AM -0400, Jeff A. Earickson wrote:
>> Gang,
>>
>> There hasn't been a new sendmail release since 8.14.3
>> back in May 3, 2008. Any ideas why? Claus Assmann's version
>> 10 seems to have vanished from the landscape. Anybody on
>> this list know anything about the future of public-domain sendmail?
>>
>
> Who knows.
>
> I get so fed up that I moved to postfix.
>
>
> The only problem I am having is how to use postfix and MailScanner
> WITHOUT a jail.

What sort of jail or do you mean Postfix chrooted (as it seems to come set up by default in some distros)? If it's just chrooted, you can turn that off by changing the flag in master.cf but you will need to check your main.cf for path locations and other bits as they may well be relative to the chroot and not your unchrooted environment.

Drew

--
In line with our policy, this message has been scanned for viruses and dangerous content.
Our email policy can be found at www.trunknetworks.com/policy

Trunk Networks Limited is registered in Scotland with registration number: SC351063
Registered Office 55-57 West High Street Inverurie AB51 3QQ

From steveb_clamav at sanesecurity.com Fri Jul 31 18:05:58 2009
From: steveb_clamav at sanesecurity.com (Steve Basford)
Date: Fri Jul 31 18:06:14 2009
Subject: New beta release 4.78.3 -- "spam-viruses"
In-Reply-To:
References: <4A730B5E.2000300@ecs.soton.ac.uk>
Message-ID: <4A732476.5060802@sanesecurity.com>

Julian Field wrote:
>
> My pleasure. I'm glad you all find it useful.
>
Hi Julian,

Brilliant news.... it adds in the extra safeguards that a lot of people would be very interested in and as you say, can now score all the various third-party databases, how they see fit :)

Cheers,

Steve
Sanesecurity
www.sanesecurity.co.uk

From mike at mlrw.com Fri Jul 31 20:54:12 2009
From: mike at mlrw.com (Mike Wallace)
Date: Fri Jul 31 20:54:23 2009
Subject: Spamassassin Syslog Functionality
Message-ID: <17E1BEA7-DB34-413A-9A5C-5FE74CF7D94B@mlrw.com>

Is there any way to have MailScanner generate Spamassassin syslog output? I tried using the "Log Spam" setting in MailScanner but it logs to maillog and not a separate log file that the Spamassassin log tools use.

Thanks.

From raubvogel at gmail.com Fri Jul 31 21:00:45 2009
From: raubvogel at gmail.com (Mauricio Tavares)
Date: Fri Jul 31 21:00:58 2009
Subject: Allowing .exe files inside .zip files
Message-ID: <4A734D6D.9050808@gmail.com>

What is the best/proper way to allow a .exe file to be sent as an attachment when inside a zip file? I still want to have the zip file opened and checked for nasties, but if the .exe itself is ok, it should be left alone. Thanks to suggestions in the channel,

Maximum Archive Depth = 0

seems to do the trick, but I wonder what the cost is and whether there is a better way. Any thoughts?

From mrm at medicine.wisc.edu Fri Jul 31 21:28:51 2009
From: mrm at medicine.wisc.edu (Michael Masse)
Date: Fri Jul 31 21:29:14 2009
Subject: Allowing .exe files inside .zip files
In-Reply-To: <4A734D6D.9050808@gmail.com>
References: <4A734D6D.9050808@gmail.com>
Message-ID: <4A730DB2.7CBE.00FC.3@medicine.wisc.edu>

I believe the most recent versions of MS allow different filetype settings depending on whether the files are in an archive or not, so you could allow .exe's in zip's if you really wish to do so, and yet block plain .exe attachments.

Mike

>>> On 7/31/2009 at 3:00 PM, in message <4A734D6D.9050808@gmail.com>, Mauricio Tavares wrote:
> What is the best/proper way to allow a .exe file to be sent as an
> attachment when inside a zip file? I still want to have the zip file
> opened and checked for nasties, but if the .exe itself is ok, it should
> be left alone. Thanks to suggestions in the channel,
>
> Maximum Archive Depth = 0
>
> seems to do the trick, but I wonder what the cost is and whether there
> is a better way. Any thoughts?

From MailScanner at ecs.soton.ac.uk Fri Jul 31 22:35:25 2009
From: MailScanner at ecs.soton.ac.uk (Jules Field)
Date: Fri Jul 31 22:35:47 2009
Subject: Allowing .exe files inside .zip files
In-Reply-To: <4A730DB2.7CBE.00FC.3@medicine.wisc.edu>
References: <4A734D6D.9050808@gmail.com> <4A730DB2.7CBE.00FC.3@medicine.wisc.edu> <4A73639D.7000103@ecs.soton.ac.uk>
Message-ID:

Absolutely. See these settings in MailScanner.conf and their "non-Archive" equivalents:

Archives: Allow Filenames =
Archives: Deny Filenames =
Archives: Filename Rules = %etc-dir%/archives.filename.rules.conf
Archives: Allow Filetypes =
Archives: Allow File MIME Types =
Archives: Deny Filetypes =
Archives: Deny File MIME Types =
Archives: Filetype Rules = %etc-dir%/archives.filetype.rules.conf

On 31/07/2009 21:28, Michael Masse wrote:
> I believe the most recent versions of MS allow different filetype settings depending on whether the files are in an archive or not, so you could allow .exe's in zip's if you really wish to do so, and yet block plain .exe attachments.
>
> Mike
>
> >>> On 7/31/2009 at 3:00 PM, in message<4A734D6D.9050808@gmail.com>, Mauricio
> Tavares wrote:
>
>> What is the best/proper way to allow a .exe file to be sent as an
>> attachment when inside a zip file? I still want to have the zip file
>> opened and checked for nasties, but if the .exe itself is ok, it should
>> be left alone. Thanks to suggestions in the channel,
>>
>> Maximum Archive Depth = 0
>>
>> seems to do the trick, but I wonder what the cost is and whether there
>> is a better way. Any thoughts?
>>
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
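
The separate archive rule sets Jules lists above, modelled in Python as an added example that is not part of the thread and is not MailScanner's code: one rule list is applied to top-level attachment names and another to the members of a zip, so a bare .exe is denied, the same file inside an archive passes, and a disguised double extension inside an archive is still denied. The rule lists, the first-match-wins evaluation and all function names are assumptions of this example.

```python
import io
import re
import zipfile

# Constructed rule lists in (action, regex) form. Assumption of this example:
# rules are tried in order and the first match decides.
TOP_LEVEL_RULES = [("deny", r"\.exe$"), ("allow", r".*")]
ARCHIVE_RULES = [
    ("deny", r"\.(pdf|docx?|jpe?g|txt)\.exe$"),  # disguised double extension
    ("allow", r"\.exe$"),                        # plain .exe is fine inside a zip
    ("allow", r".*"),
]


def verdict(name, rules):
    """Return the action of the first rule whose regex matches the file name."""
    for action, pattern in rules:
        if re.search(pattern, name, re.IGNORECASE):
            return action
    return "allow"  # nothing matched


def check_attachment(name, data):
    """Check an attachment name and, if it is a zip, every member name in it."""
    results = {name: verdict(name, TOP_LEVEL_RULES)}
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                results[f"{name}/{member}"] = verdict(member, ARCHIVE_RULES)
    return results


def make_zip(members):
    """Build a constructed sample zip in memory from {member_name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, data in members.items():
            zf.writestr(member, data)
    return buf.getvalue()


def is_delivered(results):
    """An attachment passes only if no file name in it was denied."""
    return all(action == "allow" for action in results.values())


if __name__ == "__main__":
    exe = b"MZ" + b"\x00" * 62  # constructed placeholder bytes, not a real program
    for name, data in (("setup.exe", exe), ("tools.zip", make_zip({"setup.exe": exe}))):
        print(name, check_attachment(name, data))
```

Unlike Maximum Archive Depth = 0, this keeps the archive's members under a name check, which is what lets the double-extension rule still fire.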