From ecasarero at gmail.com Mon Jun 1 00:08:33 2009
From: ecasarero at gmail.com (Eduardo Casarero)
Date: Mon Jun 1 00:09:02 2009
Subject: New feature - hostname lookups in rulesets
In-Reply-To:
References: <4A22AD89.60702@ecs.soton.ac.uk>
Message-ID: <7d9b3cf20905311608m1f877d6ax894df71939791ada@mail.gmail.com>

2009/5/31 Julian Field

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I have just added a new feature which I hope you will find useful.
> It struck me that it has always been really awkward to have to use IP
> addresses in the "From:" lines in rulesets, and wouldn't it be a lot
> easier to be able to use hostnames or domain names, with wildcards, and
> stuff like that.
>
> So now you can.
>
> You just put "host:" at the start of the hostname or domain name (or
> wildcard or regexp or whatever) and it matches it against the hostname
> of the SMTP client that sent the message to MailScanner.
>
> So you can now do rules such as these:
>
> From: host:localhost.localdomain yes
> From: host:mail.mydomain.com yes
> From: host:mailgate*.soton.ac.uk yes
> From: host:soton.ac.uk yes
> From: host:ac.uk yes
> From: host:example.* yes
> From: host:/\.(de|dk|es)$/ yes
>
> and all sorts of things like that.
>
> I hope you find this useful, particularly those who have to live
> in a world of dynamic IP addresses for their machines.
>
> This will be in the stable release tomorrow, but I don't consider this
> feature itself to be "stable" quite yet, as I only just wrote it.
> However, it shouldn't interfere with anything else.
>

This will work with mailwatch SQLWhiteBlaklist custom function (getting
regex from sql backend)? If so you will have a couple of beers waiting in
Argentina!

Thanks!

>
> Jules
>
> - --
> Julian Field MEng CITP CEng
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
> Follow me at twitter.com/JulesFM
>
> MailScanner customisation, or any advanced system administration help?
> Contact me at Jules@Jules.FM
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> PGP public key: http://www.jules.fm/julesfm.asc
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.10.0 (Build 500)
> Comment: Use PGP or Thunderbird Enigmail to verify this message
> Charset: ISO-8859-1
>
> wj8DBQFKIq2MEfZZRxQVtlQRAonaAKDXPUzKZU4+g4pEJb+GT8VtJhICUACgoEym
> 5BQtUFJRDvsgutWEIJ1ZURc=
> =ZkcA
> -----END PGP SIGNATURE-----
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090531/d93f8189/attachment.html

From MailScanner at ecs.soton.ac.uk Mon Jun 1 09:28:16 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Jun 1 09:28:35 2009
Subject: New feature - hostname lookups in rulesets
In-Reply-To: <7d9b3cf20905311608m1f877d6ax894df71939791ada@mail.gmail.com>
References: <4A22AD89.60702@ecs.soton.ac.uk> <7d9b3cf20905311608m1f877d6ax894df71939791ada@mail.gmail.com> <4A239120.50503@ecs.soton.ac.uk>
Message-ID:

On 01/06/2009 00:08, Eduardo Casarero wrote:
> This will work with mailwatch SQLWhiteBlaklist custom function
> (getting regex from sql backend)?

I don't know, sorry. It is another type of entry in a ruleset
internally, 'h' as opposed to the already existing 'v', 'f', 't' and 'b'
types.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner
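
The "host:" rule forms quoted in this thread, turned into a small matcher for auditing which client hostnames a pattern accepts. This is an added example, not part of any post and not MailScanner's own code: the matching semantics (case-insensitive, bare names matched on a label boundary, "*" matching any run of characters, "/.../" as an unanchored search with Python's re standing in for Perl), the sample hostnames, the DNS tables and the forward-confirmation step are all assumptions made for illustration.

```python
import re

# Rule lines as quoted in the posts on this page.
THREAD_RULES = [
    r"From: host:mail.mydomain.com yes",
    r"From: host:mailgate*.soton.ac.uk yes",
    r"From: host:soton.ac.uk yes",
    r"From: host:example.* yes",
    r"From: host:/\.(de|dk|es)$/ yes",
    r"From: host:/(de|dk|es)$/ yes",
]

# Constructed sample hostnames for the audit (not taken from the thread).
SAMPLE_HOSTS = [
    "mail.mydomain.com",
    "mailgate3.soton.ac.uk",
    "notsoton.ac.uk",
    "smtp.example.de",
    "mx.example.trade",
    "example.com.bulk-sender.test",
]

# Constructed DNS answers (documentation address ranges), standing in for
# real PTR and A lookups so the example runs offline.
PTR_TABLE = {
    "192.0.2.10": "mail.mydomain.com",    # the A record below agrees
    "198.51.100.7": "mail.mydomain.com",  # PTR claims the name, A record does not agree
}
A_TABLE = {"mail.mydomain.com": {"192.0.2.10"}}


def parse_host_rule(line):
    """Split a 'From: host:<pattern> <value>' line into (kind, pattern, value)."""
    parts = line.split()
    if len(parts) < 3 or parts[0].lower() != "from:":
        return None
    if not parts[1].lower().startswith("host:"):
        return None
    pattern, value = parts[1][len("host:"):], " ".join(parts[2:])
    if len(pattern) > 2 and pattern.startswith("/") and pattern.endswith("/"):
        return ("regex", pattern[1:-1], value)
    kind = "wildcard" if "*" in pattern else "name"
    return (kind, pattern.lower().rstrip("."), value)


def rule_matches(rule, hostname):
    """Apply one parsed rule to a hostname under the assumed semantics."""
    kind, pattern, _value = rule
    host = hostname.lower().rstrip(".")
    if kind == "regex":
        # Unanchored search: only the anchors written in the rule apply.
        return re.search(pattern, host) is not None
    if kind == "wildcard":
        # '*' becomes '.*'; everything else is literal; whole name must match.
        as_regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
        return re.fullmatch(as_regex, host) is not None
    # Bare name: the host itself or any subdomain, split on a label boundary.
    return host == pattern or host.endswith("." + pattern)


def audit(rule_lines, hosts):
    """Map each host: pattern to the sample hostnames it accepts."""
    report = {}
    for line in rule_lines:
        rule = parse_host_rule(line)
        if rule is not None:
            report[rule[1]] = [h for h in hosts if rule_matches(rule, h)]
    return report


def confirmed_hostname(ip, ptr_lookup, a_lookup):
    """Return the PTR name only if it resolves forward to the same address."""
    name = ptr_lookup(ip)
    if name and ip in a_lookup(name):
        return name.lower().rstrip(".")
    return None


def matching_patterns(ip, rule_lines, ptr_lookup, a_lookup):
    """Patterns that accept a client, counting only forward-confirmed names."""
    host = confirmed_hostname(ip, ptr_lookup, a_lookup)
    if host is None:
        return []
    rules = [r for r in map(parse_host_rule, rule_lines) if r]
    return [r[1] for r in rules if rule_matches(r, host)]


if __name__ == "__main__":
    for pattern, accepted in audit(THREAD_RULES, SAMPLE_HOSTS).items():
        print(f"{pattern:28} -> {accepted}")
    for ip in ("192.0.2.10", "198.51.100.7"):
        hits = matching_patterns(ip, THREAD_RULES, PTR_TABLE.get,
                                 lambda n: A_TABLE.get(n, set()))
        print(f"{ip:28} -> {hits}")
```

Under these assumptions the regex written without the leading "\." also accepts the constructed name mx.example.trade, while the form with "\." accepts only names under the three country domains.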
From maxsec at gmail.com Mon Jun 1 09:53:54 2009
From: maxsec at gmail.com (Martin Hepworth)
Date: Mon Jun 1 09:54:13 2009
Subject: RTF attachment spam
In-Reply-To: <403A16EC40204967A10868208E24A904@DFXG7G1J>
References: <200903151201.n2FC0QDC023254@safir.blacknight.ie> <403A16EC40204967A10868208E24A904@DFXG7G1J>
Message-ID: <72cf361e0906010153h2d2754a2j9ae17e37f0de1af7@mail.gmail.com>

discussion on the spamassassin users list about this.

http://thread.gmane.org/gmane.mail.spam.spamassassin.general/119193/focus=119196

"application/octet-stream" Content-Type used to obfuscate terse .RTF spam

so looks like the bad guys are doing naughty things to get around mime
handling...

--
Martin Hepworth
Oxford, UK

2009/5/31 Paul Welsh

> Had a few of these today; message containing an RTF attachment of under 1k
> and no message body. Rather like the png attachment spam that I started
> noticing in earnest a few weeks ago.
>
> Anyone know of a good spamassassin rule to detect these?
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090601/6258a045/attachment.html

From MailScanner at ecs.soton.ac.uk Mon Jun 1 10:00:20 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Jun 1 10:00:54 2009
Subject: MailScanner ANNOUNCE: Stable 4.77 released
References: <4A2398A4.8000209@ecs.soton.ac.uk>
Message-ID:

Morning all!

(If you are not already following me on twitter, then feel free to do
so, I announce all new features and so on there to help you keep up to
date: twitter.com/JulesFM)

I have just released a new stable version of MailScanner, 4.77.

The most important new features this month include:

- You can finally use hostname, domain name, partial domain names
including wildcards and Perl regular expressions to make a ruleset line
apply to the name of the host the message came from, instead of having
to just use the numerical IP address. You just put in ruleset lines that
look like those below:

From: host:mail.mydomain.com yes
From: host:mail*.mydomain.com yes
From: host:mydomain.com yes
From: host:julianfield.* yes
From: host:/(de|dk|es)$/ yes

As you can see from the examples above, you have to put in the keyword
"host:" at the start of the hostname, domain name, or regular
expression. Regular expressions must be surrounded by "/" characters.
Note that using this feature will require one extra DNS hostname lookup
per message (but only if you use this feature), so there is a small
performance hit. It is documented more fully in the etc/rules/README and
etc/rules/EXAMPLES files.

- MailScanner can now *unzip* small zip files and other archives. We
have systems that mail us zipped files automatically, and we wanted to
save the step of unzipping each attachment to get the small log file
inside. This feature is supported by some new configuration settings:

Unzip Maximum Files Per Archive = 4
Unzip Maximum File Size = 50k
Unzip Filenames = *.txt *.ini *.log *.csv
Unzip MimeType = text/plain

- The "Read IP Address From Received Header" setting has been extended
so it can now take a number as well as just "yes" or "no". This is so
you can choose the IP address from the n-th "Received:" header in the
message, which fetchmail users will find useful.

Download it as usual from www.mailscanner.info

Here is the full ChangeLog for this month:

* New Features and Improvements *
1 Can now automatically unzip small zip files and other archives. This is
very useful if you have some service automatically mailing you log files,
which zips up the logfiles to save space. It will unpack them if there are
only a few of them, they are fairly small and they match a list of filename
patterns.
Unzip Maximum Files Per Archive = 4
Unzip Maximum File Size = 50k
Unzip Filenames = *.txt *.ini *.log *.csv
Unzip MimeType = text/plain
1 Hourly cron job about messages being processed only sends a message if
'Send Notices = yes' is set in MailScanner.conf.
1 "Read IP Address From Received Header" has been extended, so it will now
take a number instead of yes or no. "yes"=1 and "no"=0. If it is set to
"yes" or a number, then the SMTP client IP address is taken from the
"Received:" header. For example, setting it to 2 will cause the IP address
to be taken from the 2nd Received: header. Users of BarricadeMX might want
to set this to 2, to get the real SMTP client IP address from the 2nd
Received: header, and not the 127.0.0.1 address that BarricadeMX put in the
headers. Users of fetchmail might want to set this to 1 or 2 to skip over
the 127.0.0.1 address which will be inserted by fetchmail.
5 Set up Antiword to always return UTF-8 characters and use that in the
attachment it creates.
6 Removed co.dk from country.domains.conf as it's not an official 2nd level
domain.
6-2 Upgraded DBD-SQLite to 1.25 to avoid RedHat 4 build problems.
6-3 Improved detection of some x86_64 systems.
6-4 Corrected DBD-SQLite packaging error.
7 Improved --lint checking of "Processing Attempts Database" and improved
logging related to that database. Also improved documentation about the two
SQLite databases in MailScanner.conf.
8 Implemented a new type of line in rulesets. When you specify a "From:"
rule, you can use a syntax like "host:hostname.domain.com" to use the SMTP
client's hostname instead of the numerical IP address. This can also be
partial hostnames or domain names, such as "host:domain.com" or include
wildcards anywhere, such as "host:mail*.dom*ain.com", or even Perl regular
expressions such as "host:/(de|dk)$/".
This goes where the numerical IP address would go in the rule, after the
"From:" and before the value to return. Note that these are slightly slower
than using the IP address as they involve a DNS lookup (maximum of once per
message), but that value should be in your DNS cache as other things will
have already had to look it up anyway. They are described in more detail in
the etc/rules/README and etc/rules/EXAMPLES files.

* Fixes *
3 Fixed problem where Unzip functions would not be found. Set default to off.
4 Fixed issue with Postfix not scanning some messages in 4.77.3.
5 Fixed issue with Postfix scanning too many messages in 4.77.4. :-)
6 Fixed issue with extra character on the front of files created by antiword.
7 Fixed UTF-8 character in Perl source code in Esets output parser.
7 Fixed issue with encapsulating messages containing silent whole-message
infections.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM

From chauhananshul at gmail.com Mon Jun 1 13:17:15 2009
From: chauhananshul at gmail.com (Anshul Chauhan)
Date: Mon Jun 1 13:17:45 2009
Subject: Mailscaaner not delivering mails just queuing them
Message-ID: <2a3578a60906010517p5622282fp40a634f24c744f57@mail.gmail.com>

[root@antispam ~]# MailScanner --lint
Trying to setlogsock(unix)
Read 854 hostnames from the phishing whitelist
Read 10597 hostnames from the phishing blacklists
Checking version numbers...
Version number in MailScanner.conf (4.76.25) is correct.

Your envelope_sender_header in spam.assassin.prefs.conf is correct.

Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
Connected to processing-messages database
Created processing-messages database successfully
There are 142 messages in the processing-messages database
Using locktype = posix
MailScanner.conf says "Virus Scanners = clamavmodule"
Found these virus scanners installed: clamavmodule
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
ClamAVModule::INFECTED:: Eicar-Test-Signature:: ./1/eicar.com
Virus Scanning: ClamAVModule found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
===========================================================================

If any of your virus scanners (clamavmodule)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its virus.scanners.conf.

[root@antispam MailScanner]# MailScanner -v
Running on
Linux antispam.xyz.com 2.6.18-92.el5 #1 SMP Tue Jun 10 18:49:47 EDT 2008 i686 i686 i386 GNU/Linux
This is CentOS release 5.2 (Final)
This is Perl version 5.008008 (5.8.8)

This is MailScanner version 4.76.25
Module versions are:
1.00 AnyDBM_File
1.16 Archive::Zip
0.23 bignum
1.04 Carp
1.41 Compress::Zlib
1.119 Convert::BinHex
0.17 Convert::TNEF
2.121_08 Data::Dumper
2.27 Date::Parse
1.00 DirHandle
1.05 Fcntl
2.74 File::Basename
2.09 File::Copy
2.01 FileHandle
1.08 File::Path
0.20 File::Temp
0.90 Filesys::Df
1.35 HTML::Entities
3.56 HTML::Parser
2.37 HTML::TokeParser
1.23 IO
1.14 IO::File
1.13 IO::Pipe
2.04 Mail::Header
1.89 Math::BigInt
0.22 Math::BigRat
3.07 MIME::Base64
5.427 MIME::Decoder
5.427 MIME::Decoder::UU
5.427 MIME::Head
5.427 MIME::Parser
3.07 MIME::QuotedPrint
5.427 MIME::Tools
0.13 Net::CIDR
1.25 Net::IP
0.16 OLE::Storage_Lite
1.04 Pod::Escapes
3.05 Pod::Simple
1.09 POSIX
1.19 Scalar::Util
1.78 Socket
2.16 Storable
1.4 Sys::Hostname::Long
0.27 Sys::Syslog
1.26 Test::Pod
0.86 Test::Simple
1.9707 Time::HiRes
1.02 Time::localtime

Optional module versions are:
1.30 Archive::Tar
0.23 bignum
1.82 Business::ISBN
1.10 Business::ISBN::Data
1.08 Data::Dump
1.814 DB_File
1.21 DBD::SQLite
1.607 DBI
1.15 Digest
1.01 Digest::HMAC
2.36 Digest::MD5
2.11 Digest::SHA1
1.00 Encode::Detect
0.17008 Error
0.18 ExtUtils::CBuilder
2.18 ExtUtils::ParseXS
2.38 Getopt::Long
0.44 Inline
1.08 IO::String
1.04 IO::Zlib
2.21 IP::Country
0.29 Mail::ClamAV
3.002005 Mail::SpamAssassin
v2.004 Mail::SPF
1.999001 Mail::SPF::Query
0.2808 Module::Build
0.20 Net::CIDR::Lite
0.65 Net::DNS
0.002.2 Net::DNS::Resolver::Programmable
missing Net::LDAP
4.004 NetAddr::IP
1.94 Parse::RecDescent
missing SAVI
2.64 Test::Harness
0.95 Test::Manifest
1.98 Text::Balanced
1.35 URI
0.7203 version
0.62 YAML
[root@antispam MailScanner]#

When I do MailScanner --lint it takes around 5-10 min to give the complete
output.
My Machine configuration are
Intel(R) Pentium(R) 4 CPU 3.00GHz
512 MB RAM
but still it takes so long to just chk the config can u plz tell me how to
boost up its performance also aur its normal.

Warm Regards,
Anshul Chauhan
"Dream is not what you see while sleep, it's the thing that does not let you sleep."
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090601/11204e11/attachment.html

From maxsec at gmail.com Mon Jun 1 13:47:21 2009
From: maxsec at gmail.com (Martin Hepworth)
Date: Mon Jun 1 13:47:31 2009
Subject: Mailscaaner not delivering mails just queuing them
In-Reply-To: <2a3578a60906010517p5622282fp40a634f24c744f57@mail.gmail.com>
References: <2a3578a60906010517p5622282fp40a634f24c744f57@mail.gmail.com>
Message-ID: <72cf361e0906010547i2b6fc65oa10752fde906376e@mail.gmail.com>

aha - 512MB ram really isn't going to help at all. I bet the thing's
swapping like mad - vmstat 3 5 will show high swap rates (ie a lot more
than zero).

I normally recommend 1GB per CPU core and 5 children per CPU core as a
starting point for optimisation.

Drop the number of children down to 1 and the number of messages per
batch (Max Unsafe Messages Per Scan) down to 10 in MailScanner.conf

use sa-compile to help with performance.

Go get more RAM - 2GB shouldn't cost much.

--
Martin Hepworth
Oxford, UK

From chauhananshul at gmail.com Mon Jun 1 14:01:07 2009
From: chauhananshul at gmail.com (Anshul Chauhan)
Date: Mon Jun 1 14:01:37 2009
Subject: Mailscaaner not delivering mails just queuing them
In-Reply-To: <72cf361e0906010547i2b6fc65oa10752fde906376e@mail.gmail.com>
References: <2a3578a60906010517p5622282fp40a634f24c744f57@mail.gmail.com> <72cf361e0906010547i2b6fc65oa10752fde906376e@mail.gmail.com>
Message-ID: <2a3578a60906010601i1e110082kc3d65e2ab0a460d4@mail.gmail.com>

Is MailScanner --lint & MailScanner -v results fine?
If yes then why mails r not being delivered they r just queued

Plz help

Warm Regards,
Anshul Chauhan
"Dream is not what you see while sleep, it's the thing that does not let you sleep."

On Mon, Jun 1, 2009 at 6:17 PM, Martin Hepworth wrote:

> aha - 512MB ram really isn't going to help at all. I bet the thing's
> swapping like mad - vmstat 3 5 will show high swap rates (ie a lot more
> than zero).
>
> I normally recommend 1GB per CPU core and 5 children per CPU core as a
> starting point for optimisation.
>
> Drop the number of children down to 1 and the number of messages per
> batch (Max Unsafe Messages Per Scan) down to 10 in MailScanner.conf
>
> use sa-compile to help with performance.
>
> Go get more RAM - 2GB shouldn't cost much.
>
> --
> Martin Hepworth
> Oxford, UK
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090601/8d936672/attachment.html

From Joey.Casas at nexusmgmt.com Mon Jun 1 14:20:56 2009
From: Joey.Casas at nexusmgmt.com (Joey Casas)
Date: Mon Jun 1 14:30:13 2009
Subject: Mailscaaner not delivering mails just queuing them
In-Reply-To: <2a3578a60906010601i1e110082kc3d65e2ab0a460d4@mail.gmail.com>
References: <2a3578a60906010517p5622282fp40a634f24c744f57@mail.gmail.com> <72cf361e0906010547i2b6fc65oa10752fde906376e@mail.gmail.com> <2a3578a60906010601i1e110082kc3d65e2ab0a460d4@mail.gmail.com>
Message-ID: <6A4AF5E37B020A4B869BE3A108F8F67006DBC8C55E@nmibwkexch4.nexusmgmt.com>

Maybe Sendmail isn't delivering from the scanned directory.

Joey Casas
-------------------------------------------
Linux Engineering Team
n|m Nexus Management
4 Industrial Parkway
Suite 101
Brunswick, Maine 04011
Tel (US) : 1 207 319 1105
Tel (UK) : 0207 100 4968 x421
Cell (US) : 1 207 607 1047
Fax : 1 207 725 8552
SIP: 0421@pbx.nexusmgmt.com

Nexus Management, Inc.
Registered Office: 4 Industrial Parkway, Suite 101, Brunswick, Maine. 04011
Company No. 19891257D, Registered in Maine
A member of the Nexus Management Plc group of companies

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Anshul Chauhan
Sent: Monday, June 01, 2009 9:01 AM
To: MailScanner discussion
Subject: Re: Mailscaaner not delivering mails just queuing them

Is MailScanner --lint & MailScanner -v results fine?
If yes then why mails r not being delivered they r just queued

Plz help

Warm Regards,
Anshul Chauhan
"Dream is not what you see while sleep, it's the thing that does not let you sleep."

On Mon, Jun 1, 2009 at 6:17 PM, Martin Hepworth wrote:

aha - 512MB ram really isn't going to help at all. I bet the thing's
swapping like mad - vmstat 3 5 will show high swap rates (ie a lot more
than zero).

I normally recommend 1GB per CPU core and 5 children per CPU core as a
starting point for optimisation.

Drop the number of children down to 1 and the number of messages per
batch (Max Unsafe Messages Per Scan) down to 10 in MailScanner.conf

use sa-compile to help with performance.

Go get more RAM - 2GB shouldn't cost much.

--
Martin Hepworth
Oxford, UK
1.98 Text::Balanced > 1.35 URI > 0.7203 version > 0.62 YAML > [root@antispam MailScanner]# > > > When i do MailScanner --lint it takes arund 5-10 min to gve the complete output. > My Machine configuration are > Intel(R) Pentium(R) 4 CPU 3.00GHz > 512 MB RAM > but still it takes so long to just chk the config can u plz tell me how to boost up its performance also aur its normal. > > Warm Regards, > Anshul Chauhan > "Dream is not what you see while sleep, it's the thing that does not let you sleep." > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From chauhananshul at gmail.com Mon Jun 1 14:36:34 2009 From: chauhananshul at gmail.com (Anshul Chauhan) Date: Mon Jun 1 14:37:04 2009 Subject: Mailscaaner not delivering mails just queuing them In-Reply-To: <6A4AF5E37B020A4B869BE3A108F8F67006DBC8C55E@nmibwkexch4.nexusmgmt.com> References: <2a3578a60906010517p5622282fp40a634f24c744f57@mail.gmail.com> <72cf361e0906010547i2b6fc65oa10752fde906376e@mail.gmail.com> <2a3578a60906010601i1e110082kc3d65e2ab0a460d4@mail.gmail.com> <6A4AF5E37B020A4B869BE3A108F8F67006DBC8C55E@nmibwkexch4.nexusmgmt.com> Message-ID: <2a3578a60906010636p26b86681n2befdd0a305961c6@mail.gmail.com> no its delivering mails with sendmail without mailscanner but with mail scanner its queuing only Warm Regards, Anshul Chauhan "Dream is not what you see while sleep, it's the thing that does not let you sleep." 2009/6/1 Joey Casas > Maybe Sendmail isn't delivering from the scanned directory. 
-------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090601/4355614e/attachment.html From glenn.steen at gmail.com Mon Jun 1 14:47:37 2009 From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Jun 1 14:47:46 2009 Subject: MailScanner ANNOUNCE: Stable 4.77 released In-Reply-To: References: <4A2398A4.8000209@ecs.soton.ac.uk> Message-ID: <223f97700906010647l1a2ae198r11bdb4e8ccec5052@mail.gmail.com> 2009/6/1 Julian Field : > Morning all! > > (If you are not already following me on twitter, then feel free to do so, I > announce all new features and so on there to help you keep up to date: > twitter.com/JulesFM) > > I have just released a new stable version of MailScanner, 4.77. > > The most important new features this month include: > (snip) There doesn't seem to be any PGP signature available for 4.77.8 ... Shouldn't there be one? Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From maxsec at gmail.com Mon Jun 1 15:20:40 2009 From: maxsec at gmail.com (Martin Hepworth) Date: Mon Jun 1 15:20:48 2009 Subject: Mailscaaner not delivering mails just queuing them In-Reply-To: <2a3578a60906010601i1e110082kc3d65e2ab0a460d4@mail.gmail.com> References: <2a3578a60906010517p5622282fp40a634f24c744f57@mail.gmail.com> <72cf361e0906010547i2b6fc65oa10752fde906376e@mail.gmail.com> <2a3578a60906010601i1e110082kc3d65e2ab0a460d4@mail.gmail.com> Message-ID: <72cf361e0906010720o6e312a42h2aad1c9c724cbed6@mail.gmail.com> So what installation instructions did you follow?? 2009/6/1 Anshul Chauhan : > Is MailScanner --lint & MailScanner -v results fine? > if yes thn why mails r not being delivered they r just queued > > Plz help > > > Warm Regards, > Anshul Chauhan > "Dream is not what you see while sleep, it's the thing that does not let you > sleep." > > > > On Mon, Jun 1, 2009 at 6:17 PM, Martin Hepworth wrote: >> >> aha - 512MB ram really isn't going to help at all.
-- Martin Hepworth Oxford, UK From MailScanner at ecs.soton.ac.uk Mon Jun 1 15:29:25 2009 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jun 1 15:29:46 2009 Subject: MailScanner ANNOUNCE: Stable 4.77 released In-Reply-To: <223f97700906010647l1a2ae198r11bdb4e8ccec5052@mail.gmail.com> References: <4A2398A4.8000209@ecs.soton.ac.uk> <223f97700906010647l1a2ae198r11bdb4e8ccec5052@mail.gmail.com> <4A23E5C5.1060405@ecs.soton.ac.uk> Message-ID: On 01/06/2009 14:47, Glenn Steen wrote: > 2009/6/1 Julian Field: > >> Morning all! >> >> (If you are not already following me on twitter, then feel free to do so, I >> announce all new features and so on there to help you keep up to date: >> twitter.com/JulesFM) >> >> I have just released a new stable version of MailScanner, 4.77.
>> >> The most important new features this month include: >> >> > (snip) > There doesn't seem to be any PGP signature available for 4.77.8 ... > Shouldn't there be one? > Sorry, should be there now. Jules Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From maillists at conactive.com Mon Jun 1 15:31:19 2009 From: maillists at conactive.com (Kai Schaetzl) Date: Mon Jun 1 15:31:31 2009 Subject: Mailscaaner not delivering mails just queuing them In-Reply-To: <2a3578a60906010601i1e110082kc3d65e2ab0a460d4@mail.gmail.com> References: <2a3578a60906010517p5622282fp40a634f24c744f57@mail.gmail.com> <72cf361e0906010547i2b6fc65oa10752fde906376e@mail.gmail.com> <2a3578a60906010601i1e110082kc3d65e2ab0a460d4@mail.gmail.com> Message-ID: The solution has already been given to you. Add more RAM or run only one MS child. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From maillists at conactive.com Mon Jun 1 15:31:19 2009 From: maillists at conactive.com (Kai Schaetzl) Date: Mon Jun 1 15:31:31 2009 Subject: MailScanner ANNOUNCE: Stable 4.77 released In-Reply-To: References: <4A2398A4.8000209@ecs.soton.ac.uk> Message-ID: Julian Field wrote on Mon, 01 Jun 2009 10:00:20 +0100: > - You can finally use hostname, domain name, partial domain names > including wildcards and Perl regular expressions to make a ruleset line > apply to the name of the host the message came from, instead of having > to just use the numerical IP address.
Do I understand it correctly that it goes IP number - reverse lookup - act on the resultant hostname? 1. What happens if there is no hostname? (not that we accept mail from such servers, but others may) Will it just not match or throw an error? It might be helpful to actually match against "no hostname". 2. It looks easily forgeable to me. e.g. if a spammer wants to send a lot of spam pertaining to come from gmail.com addresses from a host where he has control over PTR records he can easily "forge" the PTR to something at gmail.com and take advantage of any possible whitelisting. So, I think a word of caution in the comments about using this feature for general whitelisting of freemailers might be advisable. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From MailScanner at ecs.soton.ac.uk Mon Jun 1 16:14:41 2009 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jun 1 16:15:00 2009 Subject: MailScanner ANNOUNCE: Stable 4.77 released In-Reply-To: References: <4A2398A4.8000209@ecs.soton.ac.uk> <4A23F061.5020103@ecs.soton.ac.uk> Message-ID: On 01/06/2009 15:31, Kai Schaetzl wrote: > Julian Field wrote on Mon, 01 Jun 2009 10:00:20 +0100: > > >> - You can finally use hostname, domain name, partial domain names >> including wildcards and Perl regular expressions to make a ruleset line >> apply to the name of the host the message came from, instead of having >> to just use the numerical IP address. >> > Do I understand it correctly that it goes > IP number - reverse lookup - act on the resultant hostname? > Yes. > 1. > What happens if there is no hostname? (not that we accept mail from such > servers, but others may) Will it just not match or throw an error? It > might be helpful to actually match against "no hostname". > Then the condition "host:" will match, i.e. no hostname given in the rule.
This will also happen if your DNS times out or something else nasty happens so that it cannot resolve the hostname. > 2. > It looks easily forgeable to me. e.g. if a spammer wants to send a lot of > spam pertaining to come from gmail.com addresses from a host where he has > control over PTR records he can easily "forge" the PTR to something at > gmail.com and take advantage of any possible whitelisting. So, I think a > word of caution in the comments about using this feature for general > whitelisting of freemailers might be advisable. > I was mostly thinking that people would use it for their own customers' advantage. Yes, PTR records can be forged, it's a fact of life. I guess that's why a lot of firewall products don't dynamically allow this sort of thing to go on, but I thought you might find it useful. I have just added anti-spoofing (you can write a rule condition that says "host:_SPOOFED_" to match spoofed hosts) and released 4.77.9. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From campbell at cnpapers.com Mon Jun 1 16:41:45 2009 From: campbell at cnpapers.com (Steve Campbell) Date: Mon Jun 1 16:42:02 2009 Subject: MailScanner ANNOUNCE: Stable 4.77 released In-Reply-To: References: <4A2398A4.8000209@ecs.soton.ac.uk> Message-ID: <4A23F6B9.3010406@cnpapers.com> Julian Field wrote: > Morning all!
> > (If you are not already following me on twitter, then feel free to do > so, I announce all new features and so on there to help you keep up to > date: twitter.com/JulesFM) > > I have just released a new stable version of MailScanner, 4.77. > > The most important new features this month include: > > - You can finally use hostname, domain name, partial domain names > including wildcards and Perl regular expressions to make a ruleset > line apply to the name of the host the message came from, instead of > having to just use the numerical IP address. You just put in ruleset > lines that look like those below: > From: host:mail.mydomain.com yes > From: host:mail*.mydomain.com yes > From: host:mydomain.com yes > From: host:julianfield.* yes > From: host:/(de|dk|es)$/ yes > As you can see from the examples above, you have to put in the > keyword "host:" at the start of the hostname, domain name, or regular > expression. Regular expressions must be surrounded by "/" characters. > Note that using this feature will require one extra DNS hostname > lookup per message (but only if you use this feature), so there is a > small performance hit. > It is documented more fully in the etc/rules/README and > etc/rules/EXAMPLES files. > > - MailScanner can now *unzip* small zip files and other archives. We > have systems that mail us zipped files automatically, and we wanted to > save the step of unzipping each attachment to get the small log file > inside. This feature is supported by some new configuration settings: > Unzip Maximum Files Per Archive = 4 > Unzip Maximum File Size = 50k > Unzip Filenames = *.txt *.ini *.log *.csv > Unzip MimeType = text/plain > > - The "Read IP Address From Received Header" setting has been extended > so it can now take a number as well as just "yes" or "no". This is so > you can choose the IP address from the n-th "Received:" header in the > message, which fetchmail users will find useful. 
> > Download it as usual from > www.mailscanner.info > > Here is the full ChangeLog for this month: > * New Features and Improvements * > 1 Can now automatically unzip small zip files and other archives. This > is very useful if you have some service automatically mailing you log > files, which zips up the logfiles to save space. It will unpack them if > there only a few of them, they are fairly small and they match a list > of filename patterns. > Unzip Maximum Files Per Archive = 4 > Unzip Maximum File Size = 50k > Unzip Filenames = *.txt *.ini *.log *.csv > Unzip MimeType = text/plain > 1 Hourly cron job about messages being processed only sends a message if > 'Send Notices = yes' is set in MailScanner.conf. > 1 "Read IP Address From Received Header" has been extended, so it will > now take a number instead of yes or no. "yes"=1 and "no"=0. If it is > set > to "yes" or a number, then the SMTP client IP address is taken from the > "Received:" header. For example, setting it to 2 will cause the IP > address to be taken from the 2nd Received: header. > Users of BarricadeMX might want to set this to 2, to get the real SMTP > client IP address from the 2nd Received: header, and not the 127.0.0.1 > address that BarricadeMX put in the headers. > Users of fetchmail might want to set this to 1 or 2 to skip over the > 127.0.0.1 address which will be inserted by fetchmail. > 5 Set up Antiword to always return UTF-8 characters and use that in the > attachment it creates. > 6 Removed co.dk from country.domains.conf as it's not an official 2nd > level > domain. > 6-2 Upgraded DBD-SQLite to 1.25 to avoid RedHat 4 build problems. > 6-3 Improved detection of some x86_64 systems. > 6-4 Corrected DBD-SQLite packaging error. > 7 Improved --lint checking of "Processing Attempts Database" and improved > logging related to that database. Also improved documentation about the > two SQLite databases in MailScanner.conf. > 8 Implemented a new type of line in rulesets. 
When you specify a "From:" > rule, you can use a syntax like "host:hostname.domain.com" to use the > SMTP client's hostname instead of the numerical IP address. This can > also be partial hostnames or domain names, such as "host:domain.com" > or include wildcards anywhere, such as "host:mail*.dom*ain.com", or > even Perl regular expressions such as "host:/(de|dk)$/". This goes > where the numerical IP address would go in the rule, after the "From:" > and before the value to return. > Note that these are slightly slower than using the IP address as they > involve a DNS lookup (maximum of once per message), but that value > should be in your DNS cache as other things will have already had to > look it up anyway. > They are described in more detail in the etc/rules/README and > etc/rules/EXAMPLES files. > > * Fixes * > 3 Fixed problem where Unzip functions would not be found. Set default > to off. > 4 Fixed issue with Postfix not scanning some messages in 4.77.3. > 5 Fixed issue with Postfix scanning too many messages in 4.77.4. :-) > 6 Fixed issue with extra character on the front of files created by > antiword. > 7 Fixed UTF-8 character in Perl source code in Esets output parser. > 7 Fixed issue with encapsulating messages containing silent whole-message > infections. > > Jules > Confusion here on what this is doing. Is this to say that by putting "host:" in front of an address, MS will now verify the IP of that host/domain and if the sending IP doesn't match the host/domain IP, the rule(set) is disregarded and normal processing continues? Sort of like SPF? Sorry for the dumbness. 
Steve Campbell From MailScanner at ecs.soton.ac.uk Mon Jun 1 17:56:34 2009 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jun 1 17:57:05 2009 Subject: MailScanner ANNOUNCE: Stable 4.77 released In-Reply-To: <4A23F6B9.3010406@cnpapers.com> References: <4A2398A4.8000209@ecs.soton.ac.uk> <4A23F6B9.3010406@cnpapers.com> <4A240842.3050602@ecs.soton.ac.uk> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 01/06/2009 16:41, Steve Campbell wrote: > > > Julian Field wrote: >> Morning all! >> >> (If you are not already following me on twitter, then feel free to do >> so, I announce all new features and so on there to help you keep up >> to date: twitter.com/JulesFM) >> >> I have just released a new stable version of MailScanner, 4.77. >> >> The most important new features this month include: >> >> - You can finally use hostname, domain name, partial domain names >> including wildcards and Perl regular expressions to make a ruleset >> line apply to the name of the host the message came from, instead of >> having to just use the numerical IP address. You just put in ruleset >> lines that look like those below: >> From: host:mail.mydomain.com yes >> From: host:mail*.mydomain.com yes >> From: host:mydomain.com yes >> From: host:julianfield.* yes >> From: host:/(de|dk|es)$/ yes >> As you can see from the examples above, you have to put in the >> keyword "host:" at the start of the hostname, domain name, or regular >> expression. Regular expressions must be surrounded by "/" characters. >> Note that using this feature will require one extra DNS hostname >> lookup per message (but only if you use this feature), so there is a >> small performance hit. >> It is documented more fully in the etc/rules/README and >> etc/rules/EXAMPLES files. >> >> - MailScanner can now *unzip* small zip files and other archives. 
We >> have systems that mail us zipped files automatically, and we wanted >> to save the step of unzipping each attachment to get the small log >> file inside. This feature is supported by some new configuration >> settings: >> Unzip Maximum Files Per Archive = 4 >> Unzip Maximum File Size = 50k >> Unzip Filenames = *.txt *.ini *.log *.csv >> Unzip MimeType = text/plain >> >> - The "Read IP Address From Received Header" setting has been >> extended so it can now take a number as well as just "yes" or "no". >> This is so you can choose the IP address from the n-th "Received:" >> header in the message, which fetchmail users will find useful. >> >> Download it as usual from >> www.mailscanner.info >> >> Here is the full ChangeLog for this month: >> * New Features and Improvements * >> 1 Can now automatically unzip small zip files and other archives. This >> is very useful if you have some service automatically mailing you log >> files, which zips up the logfiles to save space. It will unpack >> them if >> there only a few of them, they are fairly small and they match a list >> of filename patterns. >> Unzip Maximum Files Per Archive = 4 >> Unzip Maximum File Size = 50k >> Unzip Filenames = *.txt *.ini *.log *.csv >> Unzip MimeType = text/plain >> 1 Hourly cron job about messages being processed only sends a message if >> 'Send Notices = yes' is set in MailScanner.conf. >> 1 "Read IP Address From Received Header" has been extended, so it will >> now take a number instead of yes or no. "yes"=1 and "no"=0. If it >> is set >> to "yes" or a number, then the SMTP client IP address is taken from >> the >> "Received:" header. For example, setting it to 2 will cause the IP >> address to be taken from the 2nd Received: header. >> Users of BarricadeMX might want to set this to 2, to get the real SMTP >> client IP address from the 2nd Received: header, and not the 127.0.0.1 >> address that BarricadeMX put in the headers. 
>> Users of fetchmail might want to set this to 1 or 2 to skip over the >> 127.0.0.1 address which will be inserted by fetchmail. >> 5 Set up Antiword to always return UTF-8 characters and use that in the >> attachment it creates. >> 6 Removed co.dk from country.domains.conf as it's not an official 2nd >> level >> domain. >> 6-2 Upgraded DBD-SQLite to 1.25 to avoid RedHat 4 build problems. >> 6-3 Improved detection of some x86_64 systems. >> 6-4 Corrected DBD-SQLite packaging error. >> 7 Improved --lint checking of "Processing Attempts Database" and >> improved >> logging related to that database. Also improved documentation about >> the >> two SQLite databases in MailScanner.conf. >> 8 Implemented a new type of line in rulesets. When you specify a "From:" >> rule, you can use a syntax like "host:hostname.domain.com" to use the >> SMTP client's hostname instead of the numerical IP address. This can >> also be partial hostnames or domain names, such as "host:domain.com" >> or include wildcards anywhere, such as "host:mail*.dom*ain.com", or >> even Perl regular expressions such as "host:/(de|dk)$/". This goes >> where the numerical IP address would go in the rule, after the "From:" >> and before the value to return. >> Note that these are slightly slower than using the IP address as they >> involve a DNS lookup (maximum of once per message), but that value >> should be in your DNS cache as other things will have already had to >> look it up anyway. >> They are described in more detail in the etc/rules/README and >> etc/rules/EXAMPLES files. >> >> * Fixes * >> 3 Fixed problem where Unzip functions would not be found. Set default >> to off. >> 4 Fixed issue with Postfix not scanning some messages in 4.77.3. >> 5 Fixed issue with Postfix scanning too many messages in 4.77.4. :-) >> 6 Fixed issue with extra character on the front of files created by >> antiword. >> 7 Fixed UTF-8 character in Perl source code in Esets output parser. 
>> 7 Fixed issue with encapsulating messages containing silent >> whole-message >> infections. >> >> Jules >> > > Confusion here on what this is doing. > > Is this to say that by putting "host:" in front of an address, MS will > now verify the IP of that host/domain and if the sending IP doesn't > match the host/domain IP, the rule(set) is disregarded and normal > processing continues? Sort of like SPF? You can use "host:" for addresses without a PTR record at all, or when the DNS lookup fails. If you want to match spoofed addresses, use "host:_SPOOFED_". You might want to do this in your "is.definitely.spam.rules" for example (if you have one). So if you put in a normal "host:domain.com" (or whatever) rule, it won't match if the IP doesn't match its forward+reverse records. So if you say "host:google.com" you can be pretty sure that the mail really is coming from an IP which has a *.google.com hostname and not just some random spammer's host which has a PTR record saying it is blahblah.google.com. This doesn't really relate to SPF at all, as far as I can see. I hope that makes it a bit clearer. Feel free to continue quizzing me if it doesn't explain it to you. It knows the real IP address of the SMTP client (or whatever address you choose if you use the "Read IP Address From Received Header" configuration option) that initiated the conversation with the MailScanner server. It looks up the hostname of that IP address from the DNS PTR record. This gives it the hostname from the "reverse" record. It then looks up the IP addresses of that hostname. This gives it a list of IP addresses from the "forward" records. This list of IP addresses must include the IP address it started with. If that double-check works, then the "host:mail.google.com" lookup will match if it was the IP address of "mail.google.com" that you started with. If that double-check fails, then only "host:_SPOOFED_" will match. 
If the first PTR lookup failed or produced no hostname at all, then only "host:" will match. Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Follow me at twitter.com/JulesFM MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.10.0 (Build 500) Comment: Use PGP or Thunderbird Enigmail to verify this message Charset: ISO-8859-1 wj8DBQFKJAhGEfZZRxQVtlQRAqb+AKC02Zq0uX5dCMNnCelWV/P6EGnOhACg54Sb y1b9OVSVpDBZMdbb0gPY3aM= =fDU9 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From micoots at yahoo.com Tue Jun 2 02:17:57 2009 From: micoots at yahoo.com (Michael Mansour) Date: Tue Jun 2 02:18:07 2009 Subject: New feature? mapping ClamAV sigs to scores Message-ID: <940901.51307.qm@web33301.mail.mud.yahoo.com> Hi, For the past few months I've been integrating the Sanesecurity (and other) signatures into the clamd setup I use with MS. Some of the signatures produce FP's, which are expected as explained here: http://www.sanesecurity.co.uk/databases.htm I'm on the mailing list for SaneSecurity, and the people with amavisd handle this by scoring the various clamav sigs through amavisd access maps. Is there a way to do something similar with MailScanner? FP's are hit on my end, but they are quite minimal that they don't stop me from using the additional sigs. Michael. Need a Holiday? Win a $10,000 Holiday of your choice. 
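Julian Field's 1 June reply above describes the double-check behind "host:" rules; the Python below is an added example (not from the thread and not MailScanner's Perl code) that performs the PTR lookup and forward confirmation, returns the confirmed hostname, _SPOOFED_ or an empty name, and then applies "host:" patterns to that result. Assumptions made here: plain and wildcard patterns match on dot-delimited suffixes, the first matching line wins, any PTR name that round-trips is accepted, Python's re stands in for Perl regular expressions, and every function name, DNS record and rule value is constructed for illustration.

```python
"""Forward-confirmed reverse DNS behind "host:" ruleset lines (added example)."""
import ipaddress
import re
import socket

SPOOFED = "_SPOOFED_"  # token from the thread: PTR name failed the forward check


def system_ptr(ip):
    """Names from the PTR record of ip via the system resolver, [] on failure."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name] + aliases


def system_forward(name):
    """A/AAAA addresses of name via the system resolver, [] on failure."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(name, None)]
    except OSError:
        return []


def client_hostname(ip, ptr=system_ptr, forward=system_forward):
    """Return the confirmed hostname, SPOOFED, or "" when no PTR name exists."""
    want = ipaddress.ip_address(ip)
    names = [n.rstrip(".").lower() for n in ptr(ip) if n.strip(".")]
    if not names:
        return ""  # PTR lookup failed or was empty: only "host:" may match
    for name in names:  # assumption: any PTR name that round-trips is accepted
        for addr in forward(name):
            try:
                if ipaddress.ip_address(addr) == want:
                    return name
            except ValueError:  # e.g. a scoped IPv6 literal from the resolver
                continue
    return SPOOFED  # a name exists but does not resolve back to the client


def rule_matches(pattern, hostname):
    """Test one "host:..." pattern against the result of client_hostname()."""
    if not pattern.startswith("host:"):
        raise ValueError("not a host: pattern")
    body = pattern[len("host:"):]
    # The two failure outcomes match only their own rule, never a name or regex.
    if "" in (hostname, body) or SPOOFED in (hostname, body):
        return hostname == body
    if len(body) > 2 and body[0] == "/" and body[-1] == "/":
        # Python's re stands in for the Perl regex engine here.
        return re.search(body[1:-1], hostname, re.IGNORECASE) is not None
    # Assumption: a plain or wildcard pattern must cover the whole name or a
    # dot-delimited suffix, so "example.com" cannot match "notexample.com".
    glob = re.compile(".*".join(re.escape(p) for p in body.lower().split("*")))
    labels = hostname.split(".")
    return any(glob.fullmatch(".".join(labels[i:])) for i in range(len(labels)))


def first_match(ruleset, ip, ptr=system_ptr, forward=system_forward, default="no"):
    """Value of the first matching "From: host:<pattern> <value>" line."""
    hostname = client_hostname(ip, ptr, forward)
    for line in ruleset.splitlines():
        f = line.split()
        if len(f) == 3 and f[0] == "From:" and f[1].startswith("host:"):
            if rule_matches(f[1], hostname):
                return f[2]
    return default


# Constructed DNS records (documentation ranges) and ruleset; not real data.
PTR = {
    "192.0.2.10": ["mailgate3.example.ac.uk."],
    "198.51.100.7": ["mail.example.com."],  # PTR claims a name it does not own
}
FORWARD = {
    "mailgate3.example.ac.uk": ["192.0.2.10", "192.0.2.11"],
    "mail.example.com": ["192.0.2.25"],
}
RULES = """\
From: host:_SPOOFED_ spoofed
From: host: no-ptr
From: host:mailgate*.example.ac.uk yes
From: host:example.com yes
"""


def fake_ptr(ip):
    return PTR.get(ip, [])


def fake_forward(name):
    return FORWARD.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        name = client_hostname(ip, fake_ptr, fake_forward)
        print(ip, repr(name), first_match(RULES, ip, fake_ptr, fake_forward))
```

Calling client_hostname or first_match without the resolver arguments uses the system resolver instead of the constructed records.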
From rwahyudi at gmail.com Tue Jun 2 03:02:06 2009 From: rwahyudi at gmail.com (R Wahyudi) Date: Tue Jun 2 03:02:16 2009 Subject: MySQL Stability In-Reply-To: <200905281127.41690.tjones@isthmus.com> References: <4A1EAC3C.70006@dcdata.co.za> <200905281127.41690.tjones@isthmus.com> Message-ID: <9173fd7e0906011902p7a9dafcwa3d1eae8f165b83@mail.gmail.com> More efficient way of trimming database is to use mysql merge table, but you probably can get away easily with normal pruning. See: http://mailwatch.sourceforge.net/doku.php?id=mailwatch:tipandtricks:rollover_table Rianto Wahyudi On Fri, May 29, 2009 at 2:27 AM, Thom Jones wrote: > On Thursday 28 May 2009 10:22:36 am Neil Wilson wrote: > >> >> My maillog.MYD is 3.4Gigs, is this too large? > > > Try here: > http://wiki.mailscanner.info/doku.php?id=documentation:related_software:management:mailwatch:tips:trimming_db > > This table is from MailWatch, not MailScanner and it does need to be trimmed. > Above link will help do that. > > HTH > > -- > Thom Jones > Isthmus Publishing > http://www.thedailypage.com > > APATHY ERROR: Don't bother striking any key From glenn.steen at gmail.com Tue Jun 2 08:41:53 2009 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Jun 2 08:42:03 2009 Subject: New feature?
mapping ClamAV sigs to scores In-Reply-To: <940901.51307.qm@web33301.mail.mud.yahoo.com> References: <940901.51307.qm@web33301.mail.mud.yahoo.com> Message-ID: <223f97700906020041y5e6fd3bq402e8c7e12ad5d96@mail.gmail.com> 2009/6/2 Michael Mansour : > > Hi, > > For the past few months I've been integrating the Sanesecurity (and other) signatures into the clamd setup I use with MS. > > Some of the signatures produce FP's, which are expected as explained here: > > http://www.sanesecurity.co.uk/databases.htm > > I'm on the mailing list for SaneSecurity, and the people with amavisd handle this by scoring the various clamav sigs through amavisd access maps. > > Is there a way to do something similar with MailScanner? > > FP's are hit on my end, but they are quite minimal that they don't stop me from using the additional sigs. > > Michael. > Wouldn't the SA ClamAV plugin be best used for that? http://wiki.apache.org/spamassassin/ClamAVPlugin Not sure if you can vary the score depending on type of hit, but I'd imagine one could...:) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From support-lists at petdoctors.co.uk Tue Jun 2 10:11:44 2009 From: support-lists at petdoctors.co.uk (Nigel Kendrick) Date: Tue Jun 2 10:12:03 2009 Subject: "Message attempted to kill MailScanner" Message-ID: <757C7ED87B8C4C7E957808A8C3A3A02B@SUPPORT01V> I have a lot (876) of emails in the 'hold' queue that have come from a local router that's set to send me a message if specific firewall rules are triggered. The messages I have checked all say "Message attempted to kill MailScanner" and the messages are not going anywhere. Enlighten me! Thanks Nigel Kendrick (MailScanner 4.76.25 with Postfix) -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090602/893f151b/attachment.html From maxsec at gmail.com Tue Jun 2 11:19:55 2009 From: maxsec at gmail.com (Martin Hepworth) Date: Tue Jun 2 11:20:04 2009 Subject: "Message attempted to kill MailScanner" In-Reply-To: <757C7ED87B8C4C7E957808A8C3A3A02B@SUPPORT01V> References: <757C7ED87B8C4C7E957808A8C3A3A02B@SUPPORT01V> Message-ID: <72cf361e0906020319s2dc5d3asf87836e21b2f41cc@mail.gmail.com> sounds horrible. can you create a rule based on the ip-address and not scan these messages (a ruleset off of the main "Scan Messages" option). This should then tell MailScanner not to look at these messages. 2009/6/2 Nigel Kendrick : > I have a lot (876) of emails in the 'hold' queue that have come from a local > router that's set to send me a message if specific firewall rules are > triggered. The messages I have checked all say "Message attempted to kill > MailScanner" and the messages are not going anywhere. > > Enlighten me! > > Thanks > > Nigel Kendrick > (MailScanner 4.76.25 with Postfix) > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- Martin Hepworth Oxford, UK From MailScanner at ecs.soton.ac.uk Tue Jun 2 11:45:19 2009 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Jun 2 11:45:41 2009 Subject: "Message attempted to kill MailScanner" In-Reply-To: <72cf361e0906020319s2dc5d3asf87836e21b2f41cc@mail.gmail.com> References: <757C7ED87B8C4C7E957808A8C3A3A02B@SUPPORT01V> <72cf361e0906020319s2dc5d3asf87836e21b2f41cc@mail.gmail.com> <4A2502BF.2010707@ecs.soton.ac.uk> Message-ID: And if you are using Postfix, I would strongly advise you upgrade to 4.77. Should only take you a couple of minutes, upgrade_MailScanner_conf will do the heavy lifting for you. 
On 02/06/2009 11:19, Martin Hepworth wrote: > sounds horrible. > > can you create a rule based on the ip-address and not scan these > messages (a ruleset off of the main "Scan Messages" option). This > should then tell MailScanner not to look at these messages. > > 2009/6/2 Nigel Kendrick: > >> I have a lot (876) of emails in the 'hold' queue that have come from a local >> router that's set to send me a message if specific firewall rules are >> triggered. The messages I have checked all say "Message attempted to kill >> MailScanner" and the messages are not going anywhere. >> >> Enlighten me! >> >> Thanks >> >> Nigel Kendrick >> (MailScanner 4.76.25 with Postfix) >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> >> >> > > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From list at torpey.org Tue Jun 2 15:03:43 2009 From: list at torpey.org (Steve' Mailing List) Date: Tue Jun 2 15:04:06 2009 Subject: Fw: My Clamd or MailScanner is sending Backscatter Message-ID: <11fe01c9e38a$f0d51c20$6601a8c0@torpey1> When my server receives a virus, it is sending backscatter to notify the sender. As expected most of the virus are probably spam. 
I know that I am missing a setting, but I have looked through MailScanner.conf and have set the settings that I think are related (see below). Please tell me what I am missing. MailScanner 4.77.9 Clamd 0.95.1 OS = Whitebox EL3 (RHEL3 equivalent) Select MailScanner settings: Virus Scanning = %rules-dir%/virus.scanning.rules Virus Scanners = clamd Silent Viruses = All-Viruses Still Deliver Silent Viruses = no Obviously, I am missing something. Please help me get on the right track, Steve -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090602/027c8ea6/attachment.html From drtaber at northcarolina.edu Tue Jun 2 15:07:16 2009 From: drtaber at northcarolina.edu (Douglas R. Taber) Date: Tue Jun 2 15:07:27 2009 Subject: Fw: My Clamd or MailScanner is sending Backscatter In-Reply-To: <11fe01c9e38a$f0d51c20$6601a8c0@torpey1> References: <11fe01c9e38a$f0d51c20$6601a8c0@torpey1> Message-ID: <4A253214.6010902@northcarolina.edu> Steve' Mailing List wrote: > When my server receives a virus, it is sending backscatter to notify the sender. As expected most of the virus are probably spam. I know that I am missing a setting, but I have looked through MailScanner.conf and have set the settings that I think are related (see below). Please tell me what I am missing. > > MailScanner 4.77.9 > Clamd 0.95.1 > > OS = Whitebox EL3 (RHEL3 equivalent) > > Select MailScanner settings: > Virus Scanning = %rules-dir%/virus.scanning.rules > Virus Scanners = clamd > Silent Viruses = All-Viruses > Still Deliver Silent Viruses = no > > > Obviously, I am missing something. Please help me get on the right track, > Steve > > I believe the setting you are looking for is: # Do you want to notify the people who sent you messages containing # viruses or badly-named filenames? # This can also be the filename of a ruleset. 
Notify Senders = no From alex at rtpty.com Tue Jun 2 15:48:56 2009 From: alex at rtpty.com (Alex Neuman) Date: Tue Jun 2 15:49:06 2009 Subject: Fw: My Clamd or MailScanner is sending Backscatter In-Reply-To: <11fe01c9e38a$f0d51c20$6601a8c0@torpey1> References: <11fe01c9e38a$f0d51c20$6601a8c0@torpey1> Message-ID: <24e3d2e40906020748m616b3ea6pb1960a914a8204e5@mail.gmail.com> Notify Senders Of Viruses = no On Tue, Jun 2, 2009 at 9:03 AM, Steve' Mailing List wrote: > When my server receives a virus, it is sending backscatter to notify the > sender. As expected most of the virus are probably spam. I know that I am > missing a setting, but I have looked through MailScanner.conf and have set > the settings that I think are related (see below). Please tell me what I am > missing. > > MailScanner 4.77.9 > Clamd 0.95.1 > > OS = Whitebox EL3 (RHEL3 equivalent) > > Select MailScanner settings: > Virus Scanning = %rules-dir%/virus.scanning.rules > Virus Scanners = clamd > Silent Viruses = All-Viruses > Still Deliver Silent Viruses = no > > Obviously, I am missing something. Please help me get on the right track, > Steve > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- Alex Neuman van der Hans Reliant Technologies +507 6781-9505 +507 202-1525 alex@rtpty.com Skype: alexneuman -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090602/c3f026ed/attachment.html From mailscanner at barendse.to Tue Jun 2 15:50:49 2009 From: mailscanner at barendse.to (Remco Barendse) Date: Tue Jun 2 15:51:03 2009 Subject: Problem Messages Message-ID: Hi list! 
I am getting some notifications of problem messages : ---quote--- Archive: Number of messages: 3 Tries Message Last Tried ===== ======= ========== 6 n514GGVL030535 Mon Jun 1 06:41:53 2009 6 n4VLEatk022294 Sun May 31 23:34:24 2009 6 n4T4NRQW009848 Fri May 29 06:51:40 2009 -- MailScanner ---unquote--- Without any hints where to look for the problem or how to solve it. However, [root@mail quarantine]# locate -i NRQW009848 reveals this : /var/spool/MailScanner/quarantine/20090529/n4T4NRQW009848 /var/spool/MailScanner/quarantine/20090529/n4T4NRQW009848/dfn4T4NRQW009848 /var/spool/MailScanner/quarantine/20090529/n4T4NRQW009848/qfn4T4NRQW009848 I can understand that MailScanner is still sad / disappointed / angry etc. that there was some problem but if the e-mail is already quarantined, shouldn't MS get over it after some time? :) I checked all subdirs in /var/spool/MailScanner/incoming and /var/spool/mqueue.in but they are all empty. Thanks! From list at torpey.org Tue Jun 2 16:23:40 2009 From: list at torpey.org (Steve' Mailing List) Date: Tue Jun 2 16:24:09 2009 Subject: Fw: My Clamd or MailScanner is sending Backscatter References: <11fe01c9e38a$f0d51c20$6601a8c0@torpey1> <24e3d2e40906020748m616b3ea6pb1960a914a8204e5@mail.gmail.com> Message-ID: <126e01c9e396$2142df40$6601a8c0@torpey1> Additional settings already set: Notify Senders = yes Notify Senders Of Viruses = no Notify Senders Of Blocked Filenames Or Filetypes = yes Notify Senders Of Other Blocked Content = yes I went back to look at the backscatter that I was sending. While the subject says "E-mail viruses detected" the subject of the email is saying "Executable DOS/Windows programs are dangerous in email". I thought it was a good idea to indicate if someone had sent a blocked filename or filetype or blocked content. It turns out that MailScanner was not finding a virus it was blocking on the file type. Thus, I will just turn off the total "Notify Senders". 
Thanks to Alex and Doug for pointing me to re-read the backscatter to fully understand what was happening, Steve ----- Original Message ----- From: Alex Neuman To: MailScanner discussion Sent: Tuesday, June 02, 2009 9:48 AM Subject: Re: Fw: My Clamd or MailScanner is sending Backscatter Notify Senders Of Viruses = no On Tue, Jun 2, 2009 at 9:03 AM, Steve' Mailing List wrote: When my server receives a virus, it is sending backscatter to notify the sender. As expected most of the virus are probably spam. I know that I am missing a setting, but I have looked through MailScanner.conf and have set the settings that I think are related (see below). Please tell me what I am missing. MailScanner 4.77.9 Clamd 0.95.1 OS = Whitebox EL3 (RHEL3 equivalent) Select MailScanner settings: Virus Scanning = %rules-dir%/virus.scanning.rules Virus Scanners = clamd Silent Viruses = All-Viruses Still Deliver Silent Viruses = no Obviously, I am missing something. Please help me get on the right track, Steve -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- Alex Neuman van der Hans Reliant Technologies +507 6781-9505 +507 202-1525 alex@rtpty.com Skype: alexneuman ------------------------------------------------------------------------------ -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -------------- next part -------------- An HTML attachment was scrubbed... 
From jvoorhees1 at gmail.com Tue Jun 2 16:29:29 2009 From: jvoorhees1 at gmail.com (Jose Perez) Date: Tue Jun 2 16:29:40 2009 Subject: What are infections exactly? Message-ID: Hi people: I was wondering what's the meaning of Infections from the point of view of MailScanner? According to all my infected messages I can see that MailScanner marks them as infections: - Messages infected with viruses - Messages containing Dangerous Content I'm using sanesecurity database with ClamAV to detect spam 'cause their results are good! But I'm tired of seeing MailScanner sending a "Virus Detected" message every time ClamAV matches a spam message with the sanesecurity signature. Is there a way to disable these notices to postmaster when ClamAV detects only some kind of virus report? I'd like MailScanner to send notices only when it detects real viruses (no spam from sanesecurity) or Dangerous Content. According to "Send Notices" directive it's possible to write a ruleset but I'm not pretty sure what the syntax should be... maybe just something like this? From: user@domain Yes To: user@domain2 No I'd like to know if it is possible to write a ruleset based on the virus message report so I can filter sanesecurity matches. I hope someone can help me, thanks From zaeem.arshad at gmail.com Tue Jun 2 17:58:42 2009 From: zaeem.arshad at gmail.com (Zaeem Arshad) Date: Tue Jun 2 17:58:51 2009 Subject: Performance numbers for a DELL R710 Message-ID: <3e1809420906020958j4f6123davadbc34501cfe7577@mail.gmail.com> So I am getting my hands on this DELL R710 running 2 x Quadcore 2.0 GHz processors, 4 x 146 GB 15K SAS disks and 24 GB of fully buffered RAM..wohoo! Seriously, what are the numbers this box should be able to deliver with postfix and mailscanner? 40 emails per second is viable? What neat tricks I can pull off with this much memory? Tips, suggestions, appreciation welcome!
:) Cheers Zaeem From mrm at quantumcc.com Tue Jun 2 17:59:51 2009 From: mrm at quantumcc.com (Mike M) Date: Tue Jun 2 18:00:30 2009 Subject: New feature - hostname lookups in rulesets In-Reply-To: References: <4A22AD89.60702@ecs.soton.ac.uk> <24e3d2e40905311241w763c0c2fwdeb910a4e03e4cf7@mail.gmail.com> <4A22E1A4.9060305@ecs.soton.ac.uk> Message-ID: Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > On 31/05/2009 20:41, Alex Neuman wrote: >> Wow! This means we can whitelist (gasp!) *blackberry.com >> and things like that! > You'll just need to do > From: host:blackberry.com yes > which will do the job. >> I suggest you add to the description on the comments on the >> MailScanner.conf file that it's imperative - for performance reasons, >> besides the fact that it's A Good Idea (tm), that people run their own >> local caching nameserver. > True enough, I should do that. > Please forgive my ignorance on this, because I'm sure there's something really simple that I'm missing, but how is this any different than whitelisting blackberry.com with a line such as: from: @blackberry.com yes which I have been doing for many years in my spam.whitelist.rules file? There's got to be something I'm not getting about this new feature.
Mike From alex at rtpty.com Tue Jun 2 18:16:44 2009 From: alex at rtpty.com (Alex Neuman) Date: Tue Jun 2 18:16:56 2009 Subject: New feature - hostname lookups in rulesets In-Reply-To: References: <4A22AD89.60702@ecs.soton.ac.uk> <24e3d2e40905311241w763c0c2fwdeb910a4e03e4cf7@mail.gmail.com> <4A22E1A4.9060305@ecs.soton.ac.uk> Message-ID: <24e3d2e40906021016i7947c446u96189c4ab4586901@mail.gmail.com> Whitelisting from @blackberry.com will result in whitelisting any e-mails that *say* they're from whatevertheywant@blackberry.com, even though their reverse DNS might be host-146.do-not-receive-mail-from-me.otherwise-you-ll.die.a.horrible.horrible-and-painful.death.badisp.com, whereas the new option would allow joe@joesbananas.com to e-mail you through his blackberry - and you'd receive the e-mail from joe@joesbananas.com via nice.little.blackberry.server-34.blackberry.com and it would "hit" that rule since it comes from a *host* whose reverse dns ends with blackberry.com - or at least that's what I think it does. On Tue, Jun 2, 2009 at 11:59 AM, Mike M wrote: > Julian Field wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> >> >> On 31/05/2009 20:41, Alex Neuman wrote: >> >>> Wow! This means we can whitelist (gasp!) *blackberry.com < >>> http://blackberry.com> and things like that! >>> >> You'll just need to do >> From: host:blackberry.com yes >> which will do the job. >> >>> I suggest you add to the description on the comments on the >>> MailScanner.conf file that it's imperative - for performance reasons, >>> besides the fact that it's A Good Idea (tm), that people run their own local >>> caching nameserver. >>> >> True enough, I should do that. >> >> > Please forgive my ignorance on this, because I'm sure there's something > really simple that I'm missing, but how is this any different then > whitelisting blackberry.com with a line such as: > > from: @blackberry.com yes > > which I have been doing for many years in my spam.whitelist.rules file? 
> There's got to be something I'm not getting about this new feature. > > Mike > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- Alex Neuman van der Hans Reliant Technologies +507 6781-9505 +507 202-1525 alex@rtpty.com Skype: alexneuman -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090602/0dd6fc8b/attachment.html From MailScanner at ecs.soton.ac.uk Tue Jun 2 18:46:04 2009 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Jun 2 18:46:22 2009 Subject: New feature - hostname lookups in rulesets In-Reply-To: References: <4A22AD89.60702@ecs.soton.ac.uk> <24e3d2e40905311241w763c0c2fwdeb910a4e03e4cf7@mail.gmail.com> <4A22E1A4.9060305@ecs.soton.ac.uk> <4A25655C.10608@ecs.soton.ac.uk> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 02/06/2009 17:59, Mike M wrote: > Julian Field wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> >> >> On 31/05/2009 20:41, Alex Neuman wrote: >>> Wow! This means we can whitelist (gasp!) *blackberry.com >>> and things like that! >> You'll just need to do >> From: host:blackberry.com yes >> which will do the job. >>> I suggest you add to the description on the comments on the >>> MailScanner.conf file that it's imperative - for performance >>> reasons, besides the fact that it's A Good Idea (tm), that people >>> run their own local caching nameserver. >> True enough, I should do that. >> > > Please forgive my ignorance on this, because I'm sure there's > something really simple that I'm missing, but how is this any > different then whitelisting blackberry.com with a line such as: > > from: @blackberry.com yes > > which I have been doing for many years in my spam.whitelist.rules file? 
That uses the "email sender address" which is trivially forgeable by the sender. It is the email address that the sender claims they are coming from. They may have their Crackberry set up to send their mail from joe@mydomain.com, in which case your rule wouldn't fire at all. The new "host:blackberry.com" means "match any email address that originates from an IP address which belongs to the blackberry.com domain". That is the same thing as asking "does it come from a Crackberry?" regardless of how that Crackberry is configured, and is far harder to forge. It is totally unconnected with the email address the email claims to come from. But do take note that it takes longer to look up and therefore will cause a performance hit. Does that help? Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Follow me at twitter.com/JulesFM MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.10.0 (Build 500) Comment: Use PGP or Thunderbird Enigmail to verify this message Charset: ISO-8859-1 wj8DBQFKJWVeEfZZRxQVtlQRAgU2AKD9NKJKE5Z1GRuIkWx64GsnEZGHSQCgj/OC C4ioDXMwdD9/ETazn9RvxiM= =kZe9 -----END PGP SIGNATURE----- From MailScanner at ecs.soton.ac.uk Tue Jun 2 18:51:05 2009 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Jun 2 18:51:25 2009 Subject: Problem Messages In-Reply-To: References: <4A256689.2080008@ecs.soton.ac.uk> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Look for traces of the messages in your mail logs. That will tell you what happened.
You might then want to try digging the messages out of quarantine and running them through MailScanner manually (start with "MailScanner --help" and work from there) one at a time to see what goes wrong. If you want to wipe the database you can always just delete it. Its location is set in MailScanner.conf (look for "Processing.db" in there). Also, the fact that they have been the cause of these problems means that they were never delivered, so you may want to take a look at them and figure out if they were important and what you might want to do about this. This is usually quite a bad sign that you have messages which are killing MailScanner this many times. Jules. On 02/06/2009 15:50, Remco Barendse wrote: > Hi list! > > I am getting some notifications of problem messages : > > ---quote--- > Archive: > > Number of messages: 3 > Tries Message Last Tried > ===== ======= ========== > 6 n514GGVL030535 Mon Jun 1 06:41:53 2009 > 6 n4VLEatk022294 Sun May 31 23:34:24 2009 > 6 n4T4NRQW009848 Fri May 29 06:51:40 2009 > > -- > MailScanner > ---unquote--- > > Without any hints where to look for the problem or how to solve it. > > However, [root@mail quarantine]# locate -i NRQW009848 reveals this : > /var/spool/MailScanner/quarantine/20090529/n4T4NRQW009848 > /var/spool/MailScanner/quarantine/20090529/n4T4NRQW009848/dfn4T4NRQW009848 > > /var/spool/MailScanner/quarantine/20090529/n4T4NRQW009848/qfn4T4NRQW009848 > > > I can understand that MailScanner is still sad / disappointed / angry > etc. that there was some problem but if the e-mail is already > quarantined, shouldn't MS get over it after some time? :) > > I checked all subdirs in /var/spool/MailScanner/incoming and > /var/spool/mqueue.in but they are all empty. > > Thanks! > Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Follow me at twitter.com/JulesFM MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.10.0 (Build 500)
Comment: Use PGP or Thunderbird Enigmail to verify this message
Charset: ISO-8859-1

wj8DBQFKJWaLEfZZRxQVtlQRAol/AJ4jYv7VCOElqN0+IW3tOyZXttBiRwCfTF5i
WTVA6EFIassxqwsdeVrjsSQ=
=29y6
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From MailScanner at ecs.soton.ac.uk Tue Jun 2 18:52:50 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Jun 2 18:53:06 2009
Subject: What are infections exactly?
In-Reply-To:
References: <4A2566F2.8070409@ecs.soton.ac.uk>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/06/2009 16:29, Jose Perez wrote:
> Hi people:
>
> I was wondering what's the meaning of Infections from the point of
> view of MailScanner? According to all my infected messages I can see
> that MailScanner mark them as infection:
>
> - Messages infected with viruses
> - Messages containing Dangerous Content
>
> I'm using sanesecurity database with ClamAV to detect spam 'cause
> their results are good! But I'm tired to see MailScanner sending a
> "Virus Detected" message every time ClamAV matches a spam message with
> the sanesecurity signature.
>
> Is there a way to disable this notices to postmaster when ClamAV
> detects only some kind of virus report? I'd like MailScanner to send
> notices only when detect real viruses (no spam from sanesecurity) or
> Dangerous Content.
>
> According to "Send Notices" directive it's possible to write a ruleset
> but I'm not pretty sure what the syntax should be... maybe just
> something like this?
>
> From: user@domain Yes
> To: user@domain2 No
>
> I'd like to know if it is possible to write a ruleset based on the
> virus message report so I can filter sanesecurity matches.
>
Look for "Virus" in /etc/MailScanner/rules/* for starters.
> I hope someone can help me, thanks
>

Jules

- --
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Follow me at twitter.com/JulesFM

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.10.0 (Build 500)
Comment: Use PGP or Thunderbird Enigmail to verify this message
Charset: ISO-8859-1

wj8DBQFKJWbzEfZZRxQVtlQRAgaIAKDb7HJAO4aKPBk+vdwdF5OKBZeNowCgwiUu
oTuplESbZ2C6Aunw+sLMVqI=
=cYn4
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From maxsec at gmail.com Tue Jun 2 19:47:10 2009
From: maxsec at gmail.com (Martin Hepworth)
Date: Tue Jun 2 19:47:20 2009
Subject: Performance numbers for a DELL R710
In-Reply-To: <3e1809420906020958j4f6123davadbc34501cfe7577@mail.gmail.com>
References: <3e1809420906020958j4f6123davadbc34501cfe7577@mail.gmail.com>
Message-ID: <72cf361e0906021147u760c5c9fie8f808fc990a01c0@mail.gmail.com>

Zaeem

nice.

depends on the tests you run (RBLs etc) and the size of the emails.

look in the wiki for performance and tuning on both MailScanner and
Spamassassin.

2009/6/2 Zaeem Arshad :
> So I am getting my hands on this DELL R710 running 2 x Quadcore 2.0 GHz
> processors, 4 x 146 GB 15K SAS disks and 24 GB of fully buffered
> RAM..wohoo! Seriously, what are the numbers this box should be able to
> deliver with postfix and mailscanner? 40 emails per second is viable? What
> neat tricks I can pull off with this much memory? Tips, suggestions,
> appreciation welcome!
> :)
>
>
> Cheers
>
> Zaeem
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>

--
Martin Hepworth
Oxford, UK

From zaeem.arshad at gmail.com Wed Jun 3 04:42:10 2009
From: zaeem.arshad at gmail.com (Zaeem Arshad)
Date: Wed Jun 3 04:42:21 2009
Subject: Performance numbers for a DELL R710
In-Reply-To: <72cf361e0906021147u760c5c9fie8f808fc990a01c0@mail.gmail.com>
References: <3e1809420906020958j4f6123davadbc34501cfe7577@mail.gmail.com> <72cf361e0906021147u760c5c9fie8f808fc990a01c0@mail.gmail.com>
Message-ID: <3e1809420906022042y1cb3174ap7405a4446d31524@mail.gmail.com>

On Wed, Jun 3, 2009 at 12:47 AM, Martin Hepworth wrote:
> Zaeem
>
> nice.
>
> depends on the tests you run (RBLs etc) and the size of the emails.
>
> look in the wiki for performance and tuning on both MailScanner and
> Spamassassin.

I have a test box with the same specs but 8 Gigs of RAM. My performance
tuning so far has been

- tmpfs for message scanning
- DNS caching server on the same box
- Lower timeouts on Postfix (another instance handling retries)
- Compiled rules on SA
- DCC, Razor
- Clamd
- Asynchronous logging

Filesystem underneath is XFS and average mailsize is around 60KB. I have
pretty much made all the changes suggested and currently the server is
handling around 45000 emails/hour. Do you think increasing the number of
MailScanner children might help? What other performance tweaks can I have?
I am looking to scale the system to handle at least 65 emails/second with
antivirus, antispam scanning and RBL checks.

--
Zaeem
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090603/8edbc1dc/attachment.html

From maxsec at gmail.com Wed Jun 3 08:58:46 2009
From: maxsec at gmail.com (Martin Hepworth)
Date: Wed Jun 3 08:58:55 2009
Subject: Performance numbers for a DELL R710
In-Reply-To: <3e1809420906022042y1cb3174ap7405a4446d31524@mail.gmail.com>
References: <3e1809420906020958j4f6123davadbc34501cfe7577@mail.gmail.com> <72cf361e0906021147u760c5c9fie8f808fc990a01c0@mail.gmail.com> <3e1809420906022042y1cb3174ap7405a4446d31524@mail.gmail.com>
Message-ID: <72cf361e0906030058y50e8a7e5xa297c7910196a5ce@mail.gmail.com>

more children will help - a lot of this is suck it and see as
performance can vary a lot. normal starting point is 5 children per
core and 30 messages per batch.

for that sort of level I'd be looking at multiple machines - if you
lose this machine or whatever reason what happens!

Also check the RBL's you're running - things like spamhaus will
require a licence for this sort of amount and too RBLs slows the
processing down a lot.

--
Martin Hepworth
Oxford, UK

2009/6/3 Zaeem Arshad :
>
>
> On Wed, Jun 3, 2009 at 12:47 AM, Martin Hepworth wrote:
>>
>> Zaeem
>>
>> nice.
>>
>> depends on the tests you run (RBLs etc) and the size of the emails.
>>
>> look in the wiki for performance and tuning on both MailScanner and
>> Spamassassin.
>
> I have a test box with the same specs but 8 Gigs of RAM. My performance
> tuning so far has been
>
> - tmpfs for message scanning
> - DNS caching server on the same box
> - Lower timeouts on Postfix (another instance handling retries)
> - Compiled rules on SA
> - DCC, Razor
> - Clamd
> - Asynchronous logging
>
> Filesystem underneath is XFS and average mailsize is around 60KB. I have
> pretty much made all the changes suggested and currently the server is
> handling around 45000 emails/hour. Do you think increasing the number of
> MailScanner children might help? What other performance tweaks can I have?
> I am looking to scale the system to handle at least 65 emails/second with
> antivirus, antispam scanning and RBL checks.
>
>
> --
> Zaeem
>
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>

From mailscanner at barendse.to Wed Jun 3 09:36:39 2009
From: mailscanner at barendse.to (Remco Barendse)
Date: Wed Jun 3 09:36:53 2009
Subject: Problem Messages
In-Reply-To:
References: <4A256689.2080008@ecs.soton.ac.uk>
Message-ID:

On Tue, 2 Jun 2009, Julian Field wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Look for traces of the messages in your mail logs. That will tell you
> what happened. You might then want to try digging the messages out of
> quarantine and running them through MailScanner manually (start with
> "MailScanner --help" and work from there) one at a time to see what goes
> wrong.

I checked the maillog, no pointer there :

May 29 06:46:41 mail MailScanner[7664]: Warning: skipping message n4T4NRQW009848 as it has been attempted too many times
May 29 06:46:41 mail MailScanner[7664]: Quarantined message n4T4NRQW009848 as it caused MailScanner to crash several times
May 29 06:46:41 mail MailScanner[7664]: Saved entire message to /var/spool/MailScanner/quarantine/20090529/n4T4NRQW009848

I have 4 of those messages now, they are all spam, one is in Russian
without any attachments, the others contain some .jpg images as
attachments.

> If you want to wipe the database you can always just delete it. Its
> location is set in MailScanner.conf (look for "Processing.db" in there).

Will do, thanks.

I will upgrade to the latest version, maybe my problem will go away.
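
The maillog lines discussed in this thread can be correlated per message to show which quarantine directories hold crash-causing mail and which messages are still being retried. The following is an added example, not part of any post above and not MailScanner code; the function names are hypothetical, and the sample lines are copied from the logs posted to the list.

```python
import re
from collections import defaultdict

# Syslog prefix as used by the maillog lines quoted in this thread.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<host>\S+)\s+"
    r"MailScanner\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
# Message texts exactly as they appear in the logs posted to the list.
SKIPPED = re.compile(
    r"^Warning: skipping message (\S+) as it has been attempted too many times")
CRASHED = re.compile(
    r"^Quarantined message (\S+) as it caused MailScanner to crash several times")
SAVED = re.compile(r"^Saved entire message to (\S+)")
ATTEMPT = re.compile(r"^Making attempt (\d+) at processing message (\S+)")


def _new_record():
    return {"attempts": 0, "skipped": False, "crash_quarantined": False,
            "quarantine_path": None, "last_seen": None}


def crash_report(lines):
    """Correlate MailScanner retry and crash log lines per queue ID."""
    report = defaultdict(_new_record)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # lines from other daemons (postfix, dovecot) are ignored
        msg = m.group("msg")
        queue_id = None
        hit = SKIPPED.match(msg)
        if hit:
            queue_id = hit.group(1)
            report[queue_id]["skipped"] = True
        hit = CRASHED.match(msg)
        if hit:
            queue_id = hit.group(1)
            report[queue_id]["crash_quarantined"] = True
        hit = SAVED.match(msg)
        if hit:
            # The quarantine directory is named after the queue ID.
            queue_id = hit.group(1).rstrip("/").rsplit("/", 1)[-1]
            report[queue_id]["quarantine_path"] = hit.group(1)
        hit = ATTEMPT.match(msg)
        if hit:
            queue_id = hit.group(2)
            rec = report[queue_id]
            rec["attempts"] = max(rec["attempts"], int(hit.group(1)))
        if queue_id is not None:
            report[queue_id]["last_seen"] = m.group("ts")
    return dict(report)


def crash_quarantined(report):
    """Queue IDs MailScanner gave up on: inspect these in quarantine."""
    return sorted(q for q, r in report.items() if r["crash_quarantined"])


def still_retrying(report):
    """Queue IDs retried at least once but not yet given up on."""
    return sorted(q for q, r in report.items()
                  if r["attempts"] >= 2 and not r["skipped"]
                  and not r["crash_quarantined"])


# Sample input: lines as posted in this thread, joined back onto one line each.
SAMPLE_LOG = [
    "May 29 06:46:41 mail MailScanner[7664]: Warning: skipping message "
    "n4T4NRQW009848 as it has been attempted too many times",
    "May 29 06:46:41 mail MailScanner[7664]: Quarantined message "
    "n4T4NRQW009848 as it caused MailScanner to crash several times",
    "May 29 06:46:41 mail MailScanner[7664]: Saved entire message to "
    "/var/spool/MailScanner/quarantine/20090529/n4T4NRQW009848",
    "Jun 3 12:41:25 gospond postfix/smtpd[19864]: connect from "
    "c2beaomr06.btconnect.com[213.123.26.184]",
    "Jun 3 12:46:06 gospond MailScanner[19868]: Making attempt 2 at "
    "processing message 40BC11B98058.AB9BA",
]

if __name__ == "__main__":
    result = crash_report(SAMPLE_LOG)
    for qid in crash_quarantined(result):
        print("gave up on", qid, "->", result[qid]["quarantine_path"])
    for qid in still_retrying(result):
        print("still retrying", qid, "attempt", result[qid]["attempts"])
```

A message that shows up under "still retrying" with no matching crash cause in the log is a cue to check the host itself (disk space, daemons) before blaming the message.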

From zaeem.arshad at gmail.com Wed Jun 3 09:40:24 2009
From: zaeem.arshad at gmail.com (Zaeem Arshad)
Date: Wed Jun 3 09:40:34 2009
Subject: Performance numbers for a DELL R710
In-Reply-To: <72cf361e0906030058y50e8a7e5xa297c7910196a5ce@mail.gmail.com>
References: <3e1809420906020958j4f6123davadbc34501cfe7577@mail.gmail.com> <72cf361e0906021147u760c5c9fie8f808fc990a01c0@mail.gmail.com> <3e1809420906022042y1cb3174ap7405a4446d31524@mail.gmail.com> <72cf361e0906030058y50e8a7e5xa297c7910196a5ce@mail.gmail.com>
Message-ID: <3e1809420906030140j18d242a9lc507cdb30d4e25c6@mail.gmail.com>

On Wed, Jun 3, 2009 at 1:58 PM, Martin Hepworth wrote:
> more children will help - a lot of this is suck it and see as
> performance can vary a lot. normal starting point is 5 children per
> core and 30 messages per batch.

I am currently running 45 processes and around 25 messages per batch. Will
try to tweak and see.

>
>
> for that sort of level I'd be looking at multiple machines - if you
> lose this machine or whatever reason what happens!
>

Getting 2 more for performance and redundancy reasons

>
> Also check the RBL's you're running - things like spamhaus will
> require a licence for this sort of amount and too RBLs slows the
> processing down a lot.

I am considering that. Running a local caching server will help limit the
number of queries made but will definitely look into that. I remember
reading about Ironport's architecture docs mentioning that it uses an
asynchronous kernel. Has anyone played with the 2.6 kernel scheduler?

--
Zaeem
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090603/c7ffe0d1/attachment.html

From support-lists at petdoctors.co.uk Wed Jun 3 12:52:56 2009
From: support-lists at petdoctors.co.uk (Nigel Kendrick)
Date: Wed Jun 3 12:53:33 2009
Subject: "Message attempted to kill MailScanner"
In-Reply-To:
References: <757C7ED87B8C4C7E957808A8C3A3A02B@SUPPORT01V><72cf361e0906020319s2dc5d3asf87836e21b2f41cc@mail.gmail.com><4A2502BF.2010707@ecs.soton.ac.uk>
Message-ID: <62437151EDD84897A2AD5D80E1B659D0@SUPPORT01V>

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field
Sent: Tuesday, June 02, 2009 11:45 AM
To: MailScanner discussion
Subject: Re: "Message attempted to kill MailScanner"

And if you are using Postfix, I would strongly advise you upgrade to
4.77. Should only take you a couple of minutes, upgrade_MailScanner_conf
will do the heavy lifting for you.



Thanks to Julian and martin for the replies.

I have upgraded to the latest 4.77, but no inbound mail is being processed.
I have deleted all the queued messages and sent through a test one that just
has my sig and the time in it, but it never leaves the HOLD queue.

Log shows:

Jun 3 12:41:25 gospond postfix/smtpd[19864]: connect from c2beaomr06.btconnect.com[213.123.26.184]
Jun 3 12:41:25 gospond postfix/smtpd[19864]: 40BC11B98058: client=c2beaomr06.btconnect.com[213.123.26.184]
Jun 3 12:41:25 gospond postfix/cleanup[19867]: 40BC11B98058: hold: header Received: from c2beaomr06.btconnect.com (c2beaomr06.btconnect.com [213.123.26.184])??by gospond.home.local (Postfix) with ESMTP id 40BC11B98058??for ; Wed, 3 Jun 2009 12 from c2beaomr06.btconnect.com[213.123.26.184]; from= to= proto=ESMTP helo=
Jun 3 12:41:25 gospond postfix/cleanup[19867]: 40BC11B98058: message-id=<465FFE92CCE848E0A7032D39BC67AD6B@SUPPORT01V>
Jun 3 12:41:27 gospond MailScanner[19828]: New Batch: Scanning 1 messages, 5869 bytes
Jun 3 12:41:28 gospond MailScanner[19868]: MailScanner E-Mail Virus Scanner version 4.77.9 starting...
Jun 3 12:41:28 gospond MailScanner[19868]: Read 857 hostnames from the phishing whitelist
Jun 3 12:41:28 gospond MailScanner[19868]: Read 10610 hostnames from the phishing blacklists
Jun 3 12:41:28 gospond MailScanner[19868]: Using SpamAssassin results cache
Jun 3 12:41:28 gospond MailScanner[19868]: Connected to SpamAssassin cache database
Jun 3 12:41:28 gospond MailScanner[19868]: Enabling SpamAssassin auto-whitelist functionality...
Jun 3 12:41:36 gospond MailScanner[19868]: Connected to Processing Attempts Database
Jun 3 12:41:36 gospond MailScanner[19868]: Found 3 messages in the Processing Attempts Database
Jun 3 12:41:36 gospond MailScanner[19868]: Using locktype = flock
Jun 3 12:42:14 gospond dovecot: IMAP(nkendrick): Disconnected: Logged out
Jun 3 12:42:14 gospond dovecot: imap-login: Login: user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Jun 3 12:46:06 gospond MailScanner[19868]: Making attempt 2 at processing message 40BC11B98058.AB9BA
Jun 3 12:46:06 gospond MailScanner[19868]: New Batch: Scanning 1 messages, 5869 bytes
Jun 3 12:46:07 gospond MailScanner[19923]: MailScanner E-Mail Virus Scanner version 4.77.9 starting...
Jun 3 12:46:07 gospond MailScanner[19923]: Read 857 hostnames from the phishing whitelist
Jun 3 12:46:07 gospond MailScanner[19923]: Read 10610 hostnames from the phishing blacklists
Jun 3 12:46:08 gospond MailScanner[19923]: Using SpamAssassin results cache
Jun 3 12:46:08 gospond MailScanner[19923]: Connected to SpamAssassin cache database
Jun 3 12:46:08 gospond MailScanner[19923]: Enabling SpamAssassin auto-whitelist functionality...
Jun 3 12:46:15 gospond MailScanner[19923]: Connected to Processing Attempts Database
Jun 3 12:46:15 gospond MailScanner[19923]: Found 3 messages in the Processing Attempts Database
Jun 3 12:46:15 gospond MailScanner[19923]: Using locktype = flock

That's it and everything's gone quiet.

MailScanner --lint runs through OK.

Hay-elp!

Nigel

From support-lists at petdoctors.co.uk Wed Jun 3 13:22:56 2009
From: support-lists at petdoctors.co.uk (Nigel Kendrick)
Date: Wed Jun 3 13:22:44 2009
Subject: "Message attempted to kill MailScanner"
In-Reply-To: <62437151EDD84897A2AD5D80E1B659D0@SUPPORT01V>
References: <757C7ED87B8C4C7E957808A8C3A3A02B@SUPPORT01V><72cf361e0906020319s2dc5d3asf87836e21b2f41cc@mail.gmail.com><4A2502BF.2010707@ecs.soton.ac.uk> <62437151EDD84897A2AD5D80E1B659D0@SUPPORT01V>
Message-ID: <1B9C0C1BF85A45F9ACC8E1B89A679275@SUPPORT01V>

Further to previous, /var/log/messages shows MailScanner crashing all over
the place so I am going to try a few things!

Nigel

From john at tradoc.fr Wed Jun 3 13:29:25 2009
From: john at tradoc.fr (John Wilcock)
Date: Wed Jun 3 13:29:37 2009
Subject: "Message attempted to kill MailScanner"
In-Reply-To: <62437151EDD84897A2AD5D80E1B659D0@SUPPORT01V>
References: <757C7ED87B8C4C7E957808A8C3A3A02B@SUPPORT01V><72cf361e0906020319s2dc5d3asf87836e21b2f41cc@mail.gmail.com><4A2502BF.2010707@ecs.soton.ac.uk> <62437151EDD84897A2AD5D80E1B659D0@SUPPORT01V>
Message-ID: <4A266CA5.7050104@tradoc.fr>

On 03/06/2009 13:52, Nigel Kendrick wrote:
> That's it and everything's gone quiet.
>
> MailScanner --lint runs through OK.
>
> Hay-elp!

Assuming there are still messages waiting to be processed, try a
MailScanner --debug or even, if it looks like the problem may be within
SpamAssassin, MailScanner --debug-sa.

John.

--
-- Over 3000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages - www.tradoc.fr

From steve.freegard at fsl.com Wed Jun 3 13:29:51 2009
From: steve.freegard at fsl.com (Steve Freegard)
Date: Wed Jun 3 13:30:02 2009
Subject: "Message attempted to kill MailScanner"
In-Reply-To: <1B9C0C1BF85A45F9ACC8E1B89A679275@SUPPORT01V>
References: <757C7ED87B8C4C7E957808A8C3A3A02B@SUPPORT01V><72cf361e0906020319s2dc5d3asf87836e21b2f41cc@mail.gmail.com><4A2502BF.2010707@ecs.soton.ac.uk> <62437151EDD84897A2AD5D80E1B659D0@SUPPORT01V> <1B9C0C1BF85A45F9ACC8E1B89A679275@SUPPORT01V>
Message-ID: <4A266CBF.5070601@fsl.com>

Nigel Kendrick wrote:
> Further to previous, /var/log/messages shows MailScanner crashing all over
> the place so I am going to try a few things!

Run these messages through with MailScanner in debug mode and post any
of the pertinent output; it will then hopefully be obvious what is
causing MailScanner to crash.

Regards,
Steve.

From support-lists at petdoctors.co.uk Wed Jun 3 13:47:48 2009
From: support-lists at petdoctors.co.uk (Nigel Kendrick)
Date: Wed Jun 3 13:47:32 2009
Subject: "Message attempted to kill MailScanner"
In-Reply-To: <4A266CA5.7050104@tradoc.fr>
References: <757C7ED87B8C4C7E957808A8C3A3A02B@SUPPORT01V><72cf361e0906020319s2dc5d3asf87836e21b2f41cc@mail.gmail.com><4A2502BF.2010707@ecs.soton.ac.uk> <62437151EDD84897A2AD5D80E1B659D0@SUPPORT01V> <4A266CA5.7050104@tradoc.fr>
Message-ID:

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of John Wilcock
Sent: Wednesday, June 03, 2009 1:29 PM
To: MailScanner discussion
Subject: Re: "Message attempted to kill MailScanner"

On 03/06/2009 13:52, Nigel Kendrick wrote:
> That's it and everything's gone quiet.
>
> MailScanner --lint runs through OK.
>
> Hay-elp!

Assuming there are still messages waiting to be processed, try a
MailScanner --debug or even, if it looks like the problem may be within
SpamAssassin, MailScanner --debug-sa.

John.




Thanks John - I am currently on my way to 'sort out' the person who dumped
several tens of GB of backups onto the server without telling me - one of
the disk arrays was 100% full!

I am moving the stuff elsewhere and I guess things might get back to
normal!!

Duh to them and a Duh to me for not checking sooner...

Nigel

From support-lists at petdoctors.co.uk Wed Jun 3 13:52:45 2009
From: support-lists at petdoctors.co.uk (Nigel Kendrick)
Date: Wed Jun 3 13:52:36 2009
Subject: "Message attempted to kill MailScanner" = FULL DISK
In-Reply-To: <4A266CA5.7050104@tradoc.fr>
References: <757C7ED87B8C4C7E957808A8C3A3A02B@SUPPORT01V><72cf361e0906020319s2dc5d3asf87836e21b2f41cc@mail.gmail.com><4A2502BF.2010707@ecs.soton.ac.uk> <62437151EDD84897A2AD5D80E1B659D0@SUPPORT01V> <4A266CA5.7050104@tradoc.fr>
Message-ID:

Yep, 'twas a 100% full disk!

All working now.

Jules - you can stand down and go back to the beach now.

Nigel

From jcputter at centreweb.co.za Wed Jun 3 14:04:07 2009
From: jcputter at centreweb.co.za (JC Putter)
Date: Wed Jun 3 14:04:18 2009
Subject: Mailscanner Content Filter
Message-ID: <003801c9e44b$c73d1900$0a01a8c0@propc>

hi i am using mailscanner 4.77 with mailwatch 1.04

i have some filetype that are quarantined i followed
http://mailwatch.sourceforge.net/doku.php?id=mailwatch:faq but i still
cannot release those message from the quarantine, please can someone
assist me?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090603/3680781c/attachment.html

From tbpl at tbpl.com.au Wed Jun 3 14:11:08 2009
From: tbpl at tbpl.com.au (Territory Broadcasting Pty Ltd)
Date: Wed Jun 3 14:11:28 2009
Subject: Basic Install Problem
Message-ID: <1244034668.23363.191.camel@LG1>

I have read as much as possible, but just not getting anywhere.

I am trying to install MS on Centos 5, MS ver 4.77.9-1 and it all seems
to run fine from the install script that I can see. That is until it
actually goes to install the MS rpm. I get no visible errors, but it
just does not install anything.

I had removed an earlier version 4.66.5-3 just using rpm -e. Could there
be some old stuff still on the system that is causing the install to
fail??

Looking thru the install log I can't see any problems. The last part of
the log is:

Now to install MailScanner itself.

NOTE: If you get lots of errors here, run the install.sh script
NOTE: again with the command "./install.sh nodeps"

Preparing...
##################################################
installing package mailscanner-4.77.9-1.noarch needs 3MB on
the / filesystem

----------------------------------------------------------

Please buy the MailScanner book from www.mailscanner.info!
It is a very useful administration guide and introduction
to MailScanner. All the proceeds go directly to making
MailScanner a better supported package than it is today.

Any help appreciated. Mike.

From steve.freegard at fsl.com Wed Jun 3 14:19:54 2009
From: steve.freegard at fsl.com (Steve Freegard)
Date: Wed Jun 3 14:20:04 2009
Subject: Basic Install Problem
In-Reply-To: <1244034668.23363.191.camel@LG1>
References: <1244034668.23363.191.camel@LG1>
Message-ID: <4A26787A.7010602@fsl.com>

Territory Broadcasting Pty Ltd wrote:
> Preparing...
> ##################################################
> installing package mailscanner-4.77.9-1.noarch needs 3MB on
> the / filesystem
>
> Any help appreciated. Mike.
>

According to that - your root filesystem or disk is full and there is
not enough space to complete the installation.

Regards,
Steve.

From vincent at zijnemail.nl Wed Jun 3 14:52:03 2009
From: vincent at zijnemail.nl (Vincent Verhagen)
Date: Wed Jun 3 14:52:18 2009
Subject: Basic Install Problem
In-Reply-To: <4A26787A.7010602@fsl.com>
References: <1244034668.23363.191.camel@LG1> <4A26787A.7010602@fsl.com>
Message-ID: <4A268003.7070402@zijnemail.nl>

Skipped content of type multipart/alternative
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5517 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090603/8a78ff13/smime.bin

From support-lists at petdoctors.co.uk Wed Jun 3 14:53:37 2009
From: support-lists at petdoctors.co.uk (Nigel Kendrick)
Date: Wed Jun 3 14:53:31 2009
Subject: Basic Install Problem
In-Reply-To: <4A26787A.7010602@fsl.com>
References: <1244034668.23363.191.camel@LG1> <4A26787A.7010602@fsl.com>
Message-ID: <27AC8015DCFC4DDCBCCB22AD470BEC4F@SUPPORT01V>

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steve Freegard
Sent: Wednesday, June 03, 2009 2:20 PM
To: MailScanner discussion
Subject: Re: Basic Install Problem

Territory Broadcasting Pty Ltd wrote:
> Preparing...
> ##################################################
> installing package mailscanner-4.77.9-1.noarch needs 3MB on
> the / filesystem
>
> Any help appreciated. Mike.
>

According to that - your root filesystem or disk is full and there is
not enough space to complete the installation.

Regards,
Steve.





I'm keeping out of this one!

Nigel

From alex at rtpty.com Wed Jun 3 15:17:49 2009
From: alex at rtpty.com (Alex Neuman)
Date: Wed Jun 3 15:17:59 2009
Subject: Mailscanner Content Filter
In-Reply-To: <003801c9e44b$c73d1900$0a01a8c0@propc>
References: <003801c9e44b$c73d1900$0a01a8c0@propc>
Message-ID: <24e3d2e40906030717g53d8970ama508ecb5c9cedbc2@mail.gmail.com>

Sure. What have you got from the people on the MailWatch list? What do you
mean by cannot?

On Wed, Jun 3, 2009 at 6:04 AM, JC Putter wrote:

> hi i am using mailscanner 4.77 with mailwatch 1.04
>
> i have some filetype that are quarantined i followed
> http://mailwatch.sourceforge.net/doku.php?id=mailwatch:faq but i still
> cannot release those message from the quarantine, please can someone assist
> me?
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>

--
Alex Neuman van der Hans
Reliant Technologies
+507 6781-9505
+507 202-1525
alex@rtpty.com
Skype: alexneuman
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090603/3fa34cea/attachment.html

From alex at rtpty.com Wed Jun 3 15:19:02 2009
From: alex at rtpty.com (Alex Neuman)
Date: Wed Jun 3 15:19:13 2009
Subject: Performance numbers for a DELL R710
In-Reply-To: <3e1809420906030140j18d242a9lc507cdb30d4e25c6@mail.gmail.com>
References: <3e1809420906020958j4f6123davadbc34501cfe7577@mail.gmail.com> <72cf361e0906021147u760c5c9fie8f808fc990a01c0@mail.gmail.com> <3e1809420906022042y1cb3174ap7405a4446d31524@mail.gmail.com> <72cf361e0906030058y50e8a7e5xa297c7910196a5ce@mail.gmail.com> <3e1809420906030140j18d242a9lc507cdb30d4e25c6@mail.gmail.com>
Message-ID: <24e3d2e40906030719v50a4d20eo36cc987580e23079@mail.gmail.com>

you mentioned asynchronous logging...
Can you point us to a FAQ or a description of how this works, and why
it's a good thing? Any cons?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090603/25718237/attachment.html

From campbell at cnpapers.com Wed Jun 3 15:25:22 2009
From: campbell at cnpapers.com (Steve Campbell)
Date: Wed Jun 3 15:25:36 2009
Subject: OT - Help with resulting error message
Message-ID: <4A2687D2.4080202@cnpapers.com>

One of our users is trying to email users at a particular domain and is
receiving the following error message back from them:

(reason: 550 5.7.1 rejected content, black listed twitter.com by
multi.surbl.org #762 #895 (l51Ehj043192426600))

I asked if he was posting through twitter, and he said he was not. I
checked SURBL and our IPs are not listed. So I'm confused(as always) by
what this is telling me. He does have a reference to his twitter stuff
in his signature. Do any of the SURBL lists really block content?

A good explanation would be helpful. Thanks much

Steve Campbell

From glenn.steen at gmail.com Wed Jun 3 15:27:50 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Jun 3 15:27:59 2009
Subject: Performance numbers for a DELL R710
In-Reply-To: <3e1809420906030140j18d242a9lc507cdb30d4e25c6@mail.gmail.com>
References: <3e1809420906020958j4f6123davadbc34501cfe7577@mail.gmail.com> <72cf361e0906021147u760c5c9fie8f808fc990a01c0@mail.gmail.com> <3e1809420906022042y1cb3174ap7405a4446d31524@mail.gmail.com> <72cf361e0906030058y50e8a7e5xa297c7910196a5ce@mail.gmail.com> <3e1809420906030140j18d242a9lc507cdb30d4e25c6@mail.gmail.com>
Message-ID: <223f97700906030727y29656b9ex1ae643f4199969c7@mail.gmail.com>

2009/6/3 Zaeem Arshad :
>
>
> On Wed, Jun 3, 2009 at 1:58 PM, Martin Hepworth wrote:
>>
>> more children will help - a lot of this is suck it and see as
>> performance can vary a lot. normal starting point is 5 children per
>> core and 30 messages per batch.
>
> I am currently running 45 processes and around 25 messages per batch. Will
> try to tweak and see.
>>
>>
>> for that sort of level I'd be looking at multiple machines - if you
>> lose this machine or whatever reason what happens!
>
> Getting 2 more for performance and redundancy reasons
>>
>> Also check the RBL's you're running - things like spamhaus will
>> require a licence for this sort of amount and too RBLs slows the
>> processing down a lot.
>
> I am considering that. Running a local caching server will help limit the
> number of queries made but will definitely look into that. I remember
> reading about Ironport's architecture docs mentioning that it uses an
> asynchronous kernel. Has anyone played with the 2.6 kernel scheduler?
>

Looking to make a 5 time increase in speed (from ~12/s to ~65/s)
you'll likely not only have to look at smart(er) kernel scheduling, but
also consider every aspect of bandwidth saving... In performance
tuning, a job avoided is always better than a job done fast;-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From jethro.binks at strath.ac.uk Wed Jun 3 15:32:36 2009
From: jethro.binks at strath.ac.uk (Jethro R Binks)
Date: Wed Jun 3 15:32:44 2009
Subject: OT - Help with resulting error message
In-Reply-To: <4A2687D2.4080202@cnpapers.com>
References: <4A2687D2.4080202@cnpapers.com>
Message-ID:

On Wed, 3 Jun 2009, Steve Campbell wrote:

> One of our users is trying to email users at a particular domain and is
> receiving the following error message back from them:
>
> (reason: 550 5.7.1 rejected content, black listed twitter.com by
> multi.surbl.org #762 #895 (l51Ehj043192426600))
>
> I asked if he was posting through twitter, and he said he was not. I
> checked SURBL and our IPs are not listed. So I'm confused(as always) by
> what this is telling me. He does have a reference to his twitter stuff
> in his signature.
> Do any of the SURBL lists really block content?
>
> A good explanation would be helpful. Thanks much

http://lists.surbl.org/pipermail/discuss/2009-June/

. . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK

From glenn.steen at gmail.com Wed Jun 3 15:34:41 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Jun 3 15:34:50 2009
Subject: OT - Help with resulting error message
In-Reply-To: <4A2687D2.4080202@cnpapers.com>
References: <4A2687D2.4080202@cnpapers.com>
Message-ID: <223f97700906030734ldbd87a4rd3d8cf953b2d2a3d@mail.gmail.com>

2009/6/3 Steve Campbell :
> One of our users is trying to email users at a particular domain and is
> receiving the following error message back from them:
>
> (reason: 550 5.7.1 rejected content, black listed twitter.com by
> multi.surbl.org #762 #895 (l51Ehj043192426600))
>
> I asked if he was posting through twitter, and he said he was not. I checked
> SURBL and our IPs are not listed. So I'm confused(as always) by what this is
> telling me. He does have a reference to his twitter stuff in his signature.
> Do any of the SURBL lists really block content?
>
> A good explanation would be helpful. Thanks much
>
> Steve Campbell
>

Are you sure he used your servers to send that? Not gmail or somesuch?
If he sent it through your servers, you should be able to find some
log entries on your box(es)...
Might shed some light on things:-)

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From tbpl at tbpl.com.au Wed Jun 3 15:36:14 2009
From: tbpl at tbpl.com.au (Territory Broadcasting Pty Ltd)
Date: Wed Jun 3 15:36:35 2009
Subject: Basic Install Problem
In-Reply-To: <27AC8015DCFC4DDCBCCB22AD470BEC4F@SUPPORT01V>
References: <1244034668.23363.191.camel@LG1> <4A26787A.7010602@fsl.com> <27AC8015DCFC4DDCBCCB22AD470BEC4F@SUPPORT01V>
Message-ID: <1244039775.23363.194.camel@LG1>

Oh dear, yes you are right. / is full. I will go investigate that. I
overlooked the obvious.

Thanks

Mike

On Wed, 2009-06-03 at 14:53 +0100, Nigel Kendrick wrote:
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steve
> Freegard
> Sent: Wednesday, June 03, 2009 2:20 PM
> To: MailScanner discussion
> Subject: Re: Basic Install Problem
>
> Territory Broadcasting Pty Ltd wrote:
> > Preparing...
> > ##################################################
> > installing package mailscanner-4.77.9-1.noarch needs 3MB on
> > the / filesystem
> >
> > Any help appreciated. Mike.
> >
>
> According to that - your root filesystem or disk is full and there is
> not enough space to complete the installation.
>
> Regards,
> Steve.
>
>
>
>
>
> I'm keeping out of this one!
> > Nigel > From glenn.steen at gmail.com Wed Jun 3 15:41:52 2009 From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Jun 3 15:42:01 2009 Subject: "Message attempted to kill MailScanner" In-Reply-To: References: <757C7ED87B8C4C7E957808A8C3A3A02B@SUPPORT01V> <72cf361e0906020319s2dc5d3asf87836e21b2f41cc@mail.gmail.com> <4A2502BF.2010707@ecs.soton.ac.uk> <62437151EDD84897A2AD5D80E1B659D0@SUPPORT01V> <4A266CA5.7050104@tradoc.fr> Message-ID: <223f97700906030741g13e70211oeae904e5d6104fbd@mail.gmail.com> 2009/6/3 Nigel Kendrick : > > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of John > Wilcock > Sent: Wednesday, June 03, 2009 1:29 PM > To: MailScanner discussion > Subject: Re: "Message attempted to kill MailScanner" > > On 03/06/2009 13:52, Nigel Kendrick wrote: >> That's it and everything's gone quiet. >> >> MailScanner --lint runs through OK. >> >> Hay-elp! > > Assuming there are still messages waiting to be processed, try a > MailScanner --debug or even, if it looks like the problem may be within > SpamAssassin, MailScanner --debug-sa. > > John. > > > > > Thanks John - I am currently on my way to 'sort out' the person who dumped > several tens of GB of backups onto the server without telling me - one of > the disk arrays was 100% full! > > I am moving the stuff elsewhere and I guess things might get back to > normal!! > > Duh to them and a Duh to me for not checking sooner... > > Nigel > If it was a (to MS) critical FS that ran full, it might've been set to "Read Only", so you'd need to clear that... a reboot/fsck should cure anything with that. And some daemons might've died horrible little deaths too (also cured by a reboot, of course:). Also... If you use MailWatch, check the maillog table... and of course, check that any AV update has run to completion...
Yeah, (bad) experience talking here:-) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From john at tradoc.fr Wed Jun 3 15:47:32 2009 From: john at tradoc.fr (John Wilcock) Date: Wed Jun 3 15:47:42 2009 Subject: OT - Help with resulting error message In-Reply-To: <4A2687D2.4080202@cnpapers.com> References: <4A2687D2.4080202@cnpapers.com> Message-ID: <4A268D04.8070606@tradoc.fr> On 03/06/2009 16:25, Steve Campbell wrote: > One of our users is trying to email users at a particular domain and is > receiving the following error message back from them: > > (reason: 550 5.7.1 rejected content, black listed twitter.com by > multi.surbl.org #762 #895 (l51Ehj043192426600)) > > I asked if he was posting through twitter, and he said he was not. I > checked SURBL and our IPs are not listed. So I'm confused(as always) by > what this is telling me. He does have a reference to his twitter stuff > in his signature. Do any of the SURBL lists really block content? > > A good explanation would be helpful. Thanks much As I understand the discussions on the SURBL list, the gist of the problem is that Chinese authorities have decided to block access to Twitter in the run-up to the 20th anniversary of the Tienanmen square protests, and SURBL have some DNS mirrors located behind the Great Firewall, resulting in incorrect DNS responses from the affected servers. John.
-- -- Over 3000 webcams from ski resorts around the world - www.snoweye.com -- Translate your technical documents and web pages - www.tradoc.fr From campbell at cnpapers.com Wed Jun 3 15:53:58 2009 From: campbell at cnpapers.com (Steve Campbell) Date: Wed Jun 3 15:54:12 2009 Subject: OT - Help with resulting error message In-Reply-To: References: <4A2687D2.4080202@cnpapers.com> Message-ID: <4A268E86.2040805@cnpapers.com> Jethro R Binks wrote: > On Wed, 3 Jun 2009, Steve Campbell wrote: > > >> One of our users is trying to email users at a particular domain and is >> receiving the following error message back from them: >> >> (reason: 550 5.7.1 rejected content, black listed twitter.com by >> multi.surbl.org #762 #895 (l51Ehj043192426600)) >> >> I asked if he was posting through twitter, and he said he was not. I >> checked SURBL and our IPs are not listed. So I'm confused(as always) by >> what this is telling me. He does have a reference to his twitter stuff >> in his signature. Do any of the SURBL lists really block content? >> >> A good explanation would be helpful. Thanks much >> > > http://lists.surbl.org/pipermail/discuss/2009-June/ > > > . . . . . . . . . . . . . . . . . . . . . . . . . > Jethro R Binks > Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK > So after reading the entire thread, am I right in assuming that one of multi.surbl.org's DNS servers is having its cache poisoned, and thusly the receiving mail server that is rejecting our user's email based on the poisoned return from SURBL? Our DNS servers are returning NXDOMAIN for twitter.com.multi.surbl.org. Very interesting reading though. Thanks Jethro.
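An added example, not part of the thread or of any poster's setup: one way a filter that consumes multi.surbl.org could validate lookup answers before acting on them, so that an answer outside 127.0.0.0/8 from a tampered resolver is reported as invalid instead of being treated as a listing. The list bit values, the 5.0 threshold and the sample answers are assumptions or constructed; the three rule scores are the ones quoted later in this thread.

```python
import ipaddress
import socket

ZONE = "multi.surbl.org"

# Bit positions in the last octet of a 127.0.0.x answer. These values follow
# the SpamAssassin URIBL_*_SURBL rules of the period; the thread does not
# state them, so treat them as an assumption.
LIST_BITS = {2: "SC", 4: "WS", 8: "PH", 16: "OB", 32: "AB", 64: "JP"}

# Rule scores as quoted in the thread (URIBL_PH_SURBL, URIBL_AB_SURBL,
# URIBL_SC_SURBL). Lists without a quoted score count as 0 here.
RULE_SCORES = {"PH": 2.0, "AB": 1.6, "SC": 3.0}

SPAM_THRESHOLD = 5.0  # assumption: a typical local "required" score


def query_name(domain, zone=ZONE):
    """Build the lookup name, e.g. twitter.com.multi.surbl.org."""
    return f"{domain.strip('.').lower()}.{zone}"


def resolve_a(name):
    """Return the A records for name, or [] when the name does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:  # socket.gaierror / socket.herror, e.g. NXDOMAIN
        return []


def naive_is_listed(answers):
    """The fragile check: any answer at all counts as a listing."""
    return bool(answers)


def classify(answers):
    """Return (verdict, lists) for the A records of one blocklist lookup.

    verdict is "not_listed" (no answer), "listed" (127.0.0.x with at least
    one known bit set) or "invalid" (anything else, which should be logged
    and never used to reject mail).
    """
    if not answers:
        return "not_listed", []
    found = set()
    for text in answers:
        try:
            octets = ipaddress.IPv4Address(text).packed
        except ValueError:
            return "invalid", []
        if octets[:3] != b"\x7f\x00\x00":
            return "invalid", []
        hits = [name for bit, name in LIST_BITS.items() if octets[3] & bit]
        if not hits:
            return "invalid", []
        found.update(hits)
    return "listed", sorted(found)


def spam_points(lists):
    """Add up the quoted rule scores for the lists that matched."""
    return round(sum(RULE_SCORES.get(name, 0.0) for name in lists), 2)


def check(domain, answers=None):
    """Classify one domain; pass answers to skip the live DNS query."""
    if answers is None:
        answers = resolve_a(query_name(domain))
    verdict, lists = classify(answers)
    points = spam_points(lists)
    return {
        "name": query_name(domain),
        "verdict": verdict,
        "lists": lists,
        "points": points,
        "over_threshold": points >= SPAM_THRESHOLD,
    }


# Constructed sample answers (not captured from any resolver).
SAMPLES = {
    "nxdomain": [],
    "listed_on_three": ["127.0.0.42"],  # 32 + 8 + 2 = AB, PH, SC
    "tampered": ["203.0.113.7"],        # documentation address, not 127/8
}

if __name__ == "__main__":
    for label, answers in SAMPLES.items():
        print(label, naive_is_listed(answers), check("twitter.com", answers))
```

The "invalid" verdict is the case worth alerting on: it means the resolver path returned something the list operator would never publish.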
From campbell at cnpapers.com Wed Jun 3 15:58:25 2009 From: campbell at cnpapers.com (Steve Campbell) Date: Wed Jun 3 15:58:40 2009 Subject: OT - Help with resulting error message In-Reply-To: <223f97700906030734ldbd87a4rd3d8cf953b2d2a3d@mail.gmail.com> References: <4A2687D2.4080202@cnpapers.com> <223f97700906030734ldbd87a4rd3d8cf953b2d2a3d@mail.gmail.com> Message-ID: <4A268F91.3050300@cnpapers.com> Glenn Steen wrote: > 2009/6/3 Steve Campbell : > >> One of our users is trying to email users at a particular domain and is >> receiving the following error message back from them: >> >> (reason: 550 5.7.1 rejected content, black listed twitter.com by >> multi.surbl.org #762 #895 (l51Ehj043192426600)) >> >> I asked if he was posting through twitter, and he said he was not. I checked >> SURBL and our IPs are not listed. So I'm confused(as always) by what this is >> telling me. He does have a reference to his twitter stuff in his signature. >> Do any of the SURBL lists really block content? >> >> A good explanation would be helpful. Thanks much >> >> Steve Campbell >> >> > Are you sure he used your servers to send that? Not gmail or somesuch? > If he sent it through your servers, you should be able to find some > log entries on your box(es)... Might shed some light on things:-) > > Pretty sure. The log entry for one of the emails just states that the "stat=Service unavailable", which is likely the result of the 550. 
Thanks Glenn From campbell at cnpapers.com Wed Jun 3 16:02:57 2009 From: campbell at cnpapers.com (Steve Campbell) Date: Wed Jun 3 16:03:15 2009 Subject: OT - Help with resulting error message In-Reply-To: <4A268D04.8070606@tradoc.fr> References: <4A2687D2.4080202@cnpapers.com> <4A268D04.8070606@tradoc.fr> Message-ID: <4A2690A1.9050104@cnpapers.com> John Wilcock wrote: > On 03/06/2009 16:25, Steve Campbell wrote: >> One of our users is trying to email users at a particular domain and is >> receiving the following error message back from them: >> >> (reason: 550 5.7.1 rejected content, black listed twitter.com by >> multi.surbl.org #762 #895 (l51Ehj043192426600)) >> >> I asked if he was posting through twitter, and he said he was not. I >> checked SURBL and our IPs are not listed. So I'm confused(as always) by >> what this is telling me. He does have a reference to his twitter stuff >> in his signature. Do any of the SURBL lists really block content? >> >> A good explanation would be helpful. Thanks much > > As I understand the discussions on the SURBL list, the gist of the > problem is that Chinese authorities have decided to block access to > Twitter in the run-up to the 20th anniversary of the Tienanmen square > protests, and SURBL have some DNS mirrors located behind the Great > Firewall, resulting in incorrect DNS responses from the affected servers. > > John. > Part of the original post question: Does multi.surbl.org block on content, for instance, the reference to twitter.com in his signature. I thought they only listed offending sender's IP, not someone who referenced an offending sender's domain name in an email.
steve From glenn.steen at gmail.com Wed Jun 3 16:05:48 2009 From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Jun 3 16:06:02 2009 Subject: OT - Help with resulting error message In-Reply-To: <4A268F91.3050300@cnpapers.com> References: <4A2687D2.4080202@cnpapers.com> <223f97700906030734ldbd87a4rd3d8cf953b2d2a3d@mail.gmail.com> <4A268F91.3050300@cnpapers.com> Message-ID: <223f97700906030805p3e5a3e82uf069285a9e0a8381@mail.gmail.com> 2009/6/3 Steve Campbell : > > > Glenn Steen wrote: >> >> 2009/6/3 Steve Campbell : >> >>> >>> One of our users is trying to email users at a particular domain and is >>> receiving the following error message back from them: >>> >>> (reason: 550 5.7.1 rejected content, black listed twitter.com by >>> multi.surbl.org #762 #895 (l51Ehj043192426600)) >>> >>> I asked if he was posting through twitter, and he said he was not. I >>> checked >>> SURBL and our IPs are not listed. So I'm confused(as always) by what this >>> is >>> telling me. He does have a reference to his twitter stuff in his >>> signature. >>> Do any of the SURBL lists really block content? >>> >>> A good explanation would be helpful. Thanks much >>> >>> Steve Campbell >>> >>> >> >> Are you sure he used your servers to send that? Not gmail or somesuch? >> If he sent it through your servers, you should be able to find some >> log entries on your box(es)... Might shed some light on things:-) >> >> > > Pretty sure. The log entry for one of the emails just states that the > "stat=Service unavailable", which is likely the result of the 550. > > Thanks Glenn > Yeah, just read up on this nasty thing. 
Really bad:( Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From jethro.binks at strath.ac.uk Wed Jun 3 16:09:09 2009 From: jethro.binks at strath.ac.uk (Jethro R Binks) Date: Wed Jun 3 16:09:19 2009 Subject: OT - Help with resulting error message In-Reply-To: <4A268E86.2040805@cnpapers.com> References: <4A2687D2.4080202@cnpapers.com> <4A268E86.2040805@cnpapers.com> Message-ID: On Wed, 3 Jun 2009, Steve Campbell wrote: > So after reading the entire thread, am I right in assuming that one of > multi.surbl.org's DNS servers is having it's cache poisoned, and thusly > the receiving mail server that is rejecting our user's email based on > the poisoned return from SURBL? > > Our DNS servers are returning NXDOMAIN for twitter.com.multi.surbl.org. On the evidence available, that seems to be about it. flickr also seems to be affected. In fact I think SURBL don't recommend you use their list for outright blocking, but in my case, I find things are hitting: 2.0 URIBL_PH_SURBL Contains an URL listed in the PH SURBL blocklist [URIs: twitter.com] 1.6 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist [URIs: twitter.com] 3.0 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist [URIs: twitter.com] which tips it over our local threshold for "spam". My Spamassassin isn't very recent, maybe current versions are less sensitive to this additive effect. Jethro. . . . . . . . . . . . . . . . . . . . . . . . . . 
Jethro R Binks Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK From steve.freegard at fsl.com Wed Jun 3 16:16:21 2009 From: steve.freegard at fsl.com (Steve Freegard) Date: Wed Jun 3 16:16:34 2009 Subject: OT - Help with resulting error message In-Reply-To: <4A2690A1.9050104@cnpapers.com> References: <4A2687D2.4080202@cnpapers.com> <4A268D04.8070606@tradoc.fr> <4A2690A1.9050104@cnpapers.com> Message-ID: <4A2693C5.70907@fsl.com> Steve Campbell wrote: > > Part of the original post question: > > Does multi.surbl.org block on content, for instance, the reference to > twitter.com in his signature. I thought they only listed offending > sender's IP, not someone who referenced an offending sender's domain name > in an email. SURBL and URIBL are *URI* blacklists; they do not list the sender's IP like traditional lists but list domains seen in spam instead. Hence why the reference to twitter.com in the signature triggered this. Regards, Steve. From john at tradoc.fr Wed Jun 3 16:16:28 2009 From: john at tradoc.fr (John Wilcock) Date: Wed Jun 3 16:16:41 2009 Subject: OT - Help with resulting error message In-Reply-To: <4A2690A1.9050104@cnpapers.com> References: <4A2687D2.4080202@cnpapers.com> <4A268D04.8070606@tradoc.fr> <4A2690A1.9050104@cnpapers.com> Message-ID: <4A2693CC.7050208@tradoc.fr> On 03/06/2009 17:02, Steve Campbell wrote: > Part of the original post question: > > Does multi.surbl.org block on content, for instance, the reference to > twitter.com in his signature. I thought they only listed offending > sender's IP, not someone who referenced an offending sender's domain name > in an email. Of itself, multi.surbl.org doesn't *block* anything. It *lists* domains used as links in spammers' mail. (And due to the Chinese problem, it appeared to list twitter.com, though not with the usual response code). Apparently the receiving server in your case has decided to use the list to block incoming mail outright.
Whether or not that is a wise strategy is rather debatable IMO... John. -- -- Over 3000 webcams from ski resorts around the world - www.snoweye.com -- Translate your technical documents and web pages - www.tradoc.fr From tbpl at tbpl.com.au Wed Jun 3 17:15:00 2009 From: tbpl at tbpl.com.au (Territory Broadcasting Pty Ltd) Date: Wed Jun 3 17:15:20 2009 Subject: Basic Install Problem In-Reply-To: <27AC8015DCFC4DDCBCCB22AD470BEC4F@SUPPORT01V> References: <1244034668.23363.191.camel@LG1> <4A26787A.7010602@fsl.com> <27AC8015DCFC4DDCBCCB22AD470BEC4F@SUPPORT01V> Message-ID: <1244045700.23363.202.camel@LG1> Thanks guys all fixed now, in fact no problem with MS, just my / partition full. Mike On Wed, 2009-06-03 at 14:53 +0100, Nigel Kendrick wrote: > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steve > Freegard > Sent: Wednesday, June 03, 2009 2:20 PM > To: MailScanner discussion > Subject: Re: Basic Install Problem > > Territory Broadcasting Pty Ltd wrote: > > Preparing... > > ################################################## > > installing package mailscanner-4.77.9-1.noarch needs 3MB on > > the / filesystem > > > > Any help appreciated. Mike. > > > > According to that - your root filesystem or disk is full and there is > not enough space to complete the installation. > > Regards, > Steve. > > > > > > I'm keeping out of this one! > > Nigel > From davejones70 at gmail.com Wed Jun 3 22:01:28 2009 From: davejones70 at gmail.com (Dave Jones) Date: Wed Jun 3 22:01:38 2009 Subject: img tags removed Message-ID: <67a55ed50906031401y63fc4908nff7907e65fc99a0a@mail.gmail.com> HTML passing through MailScanner is getting , and tags removed. 
I found a similar thread in the archives last June: http://article.gmane.org/gmane.mail.virus.mailscanner/64493/match=img+tag+removed # grep "^Allow WebBugs" MailScanner.conf Allow WebBugs = disarm Modified HTML passing through MailScanner ================================== Direct link to CyberRegs

Original HTML not passing through MailScanner ================================== Aspen Publishers AECOM IAPC Interactive ASTM biodiesel IAPMO CA Plumbing and Mechanical Codes

Direct link to CyberRegs

What can I do to troubleshoot this? -- Dave Jones From infernix at infernix.net Wed Jun 3 22:36:49 2009 From: infernix at infernix.net (infernix) Date: Wed Jun 3 22:37:03 2009 Subject: Moving Bayes database to tmps In-Reply-To: References: <3e1809420905290310y71f17fdaufb59bebb37906e64@mail.gmail.com> <3e1809420905290511md625e45v5d2819464922d730@mail.gmail.com> Message-ID: <4A26ECF1.10109@infernix.net> Kai Schaetzl wrote: > I forgot to look at these data. These are low figures. If you already have > a performance problem, then not because of Bayes. As I said I'm sure going > to SQL is better than using tmpfs. I have seen the exact opposite (and have read elsewhere that SQL is really very expensive cpu-wise for what the Bayes engine does in SA), but my use case is perhaps non-standard. We have 4 nodes doing about 1 million messages a day. Before I moved the bayes db to tmpfs, I had very large amounts of iowait, even though everything else (sendmail spool, mailscanner incoming+spool dirs) was already on tmpfs. Now the SATA disks in these boxes aren't great but I had expected better performance. Apparently the amount of concurrent messages we get at peak times is just too big to handle on disk platters (at least with single disks), so the move to tmpfs helped enormously. In contrary to that, when I converted one of the bayes dbs to sql and configured all nodes to use one mysql server, the mysql box couldn't handle it. Net effect was that scanning messages was taking 5-15 seconds longer than before. Right now, with everything in tmpfs, I am running 40 children on each box and iowait during peak hours is 0-1%. I could increase children if I wanted to but the current mail volume does not warrant that. For data protection (it is tmpfs after all) I have written an init script that backs up the tmpfs on shutdown and restores it on bootup. 
I'm also making an emergency-backup.tar.gz of the tmpfs folder every 15 minutes and use that tar file when the server crashes; at bootup I check for a shutdown-generated tar and if it's not there I revert to the emergency-backup tar. Just my $0.02. From ms-list at alexb.ch Wed Jun 3 22:54:03 2009 From: ms-list at alexb.ch (Alex Broens) Date: Wed Jun 3 22:54:11 2009 Subject: EmailBL Message-ID: <4A26F0FB.7000905@alexb.ch> Has anybody been testing the experimental EmailBL? The test zone is up till July 1st SA plugin is available under: http://sa.hege.li/ EmailBL.pm & EmailBL.cf & emailbl_lemfreemail.cf (you'll need the three files) Look at the plugin code and rules for details on what it does. I've been using it since mid June and am really happy with the results. Alex PS: SteveF - I'll leave the FSL adv plug to you. From MailScanner at ecs.soton.ac.uk Thu Jun 4 09:06:03 2009 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jun 4 09:06:28 2009 Subject: img tags removed In-Reply-To: <67a55ed50906031401y63fc4908nff7907e65fc99a0a@mail.gmail.com> References: <67a55ed50906031401y63fc4908nff7907e65fc99a0a@mail.gmail.com> <4A27806B.8010404@ecs.soton.ac.uk> Message-ID: On 03/06/2009 22:01, Dave Jones wrote: > HTML passing through MailScanner is getting, and tags removed. > > I found a similar thread in the archives last June: > > http://article.gmane.org/gmane.mail.virus.mailscanner/64493/match=img+tag+removed > > # grep "^Allow WebBugs" MailScanner.conf > Allow WebBugs = disarm > > > Modified HTML passing through MailScanner > ================================== > href="http://www.citationtechnologies.com/alliances/aspen/"> href="http://www.citationtechnologies.com/alliances/iccecodes/"> href="http://www.citationtechnologies.com/alliances/ansi/"> href="http://www.citationtechnologies.com/alliances/astm/"> href="http://www.cyberregs.com/~kparam/index.htm">Direct link to > CyberRegs

> > Original HTML not passing through MailScanner > ================================== > href="http://www.citationtechnologies.com/alliances/aspen/"> src="http://www.citationtechnologies.com/ews/images/aspen.jpg" > border="0" alt="Aspen Publishers" /> > href="http://www.citationtechnologies.com/alliances/aecom/"> src="http://www.citationtechnologies.com/ews/images/aecom_france.jpg" > border="0" alt="AECOM IAPC Interactive" /> > href="http://www.citationtechnologies.com/alliances/astm/"> src="http://www.citationtechnologies.com/ews/images/astm_biodiesel2.jpg" > border="0" alt="ASTM biodiesel" /> > href="http://www.citationtechnologies.com/alliances/iapmo/"> src="http://www.citationtechnologies.com/ews/images/iapmo2.jpg" > border="0" alt="IAPMO CA Plumbing and Mechanical Codes" /> > >

Direct link to > CyberRegs

> > What can I do to troubleshoot this? > That's not remotely valid HTML, no wonder it gets a bit confused. You are supposed to close your tags. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mailscanner at barendse.to Thu Jun 4 09:27:34 2009 From: mailscanner at barendse.to (Remco Barendse) Date: Thu Jun 4 09:27:52 2009 Subject: How to stop certain spam? Message-ID: We are getting flooded with messages from one particular advertiser. They send dozens of messages each day, all in similar format, a few lines of invisible text and some images with their spam crap. On the right side in the image I often get some crap message like : Sorry, this advertiser is not available The messages hardly score on Bayes and they are never caught by the blocklists I use bl.spamcop.net cbl.abuseat.org dnsbl.njabl.org chinanet.blackholes.us zen.spamhaus.org The messages usually are awarded some points for DCC and Razor2 checks. There is always some USA postal address written at the bottom. A lot of messages are about auto insurance, some satellite dish offers and auto insurance. Because every message contains URLs to a different (new) website I unfortunately am not able to give a more precise description. How to stop this? Thanks!!
From pascal.maes at elec.ucl.ac.be Thu Jun 4 10:41:56 2009 From: pascal.maes at elec.ucl.ac.be (Pascal Maes) Date: Thu Jun 4 10:42:18 2009 Subject: Whitelist problem Message-ID: <26734270-761E-46CD-9540-63BFA332D92D@elec.ucl.ac.be> Hello, We are using MailScanner version 4.76.25-1 In MailScanner.conf, I have : Is Definitely Not Spam = %rules-dir%/spam_whitelist.rules and the file spam_whitelist.rules looks like : > more /opt/MailScanner/etc/rules/spam_whitelist.rules # # Addresses matching in here, with the value # "yes" will never be marked as spam. # # From: 85.201.63.77 yes From: 85.201.63.77/32 yes From: user-85-201-63-77.static.tvcablenet.be yes From: host-85-201-63-77.brutele.be yes From: uclsbs.ucl.lan yes From: macosx-tex-bounces@email.esm.psu.edu yes From: /opt/MailScanner/etc/rules/whitelist.domains yes FromOrTo: default no The file /opt/MailScanner/etc/rules/whitelist.domains contains lines like *@example.com *@*.example.net user@some.domain.come The following message is coming from the server 85.201.63.77 but it is still tagged as spam. Why ?
Received: from uclsbs.ucl.lan (host-85-201-63-77.brutele.be [85.201.63.77]) by smtp1.sgsi.ucl.ac.be (Postfix) with ESMTP id CD3A2E8AE2 for ; Thu, 04 Jun 2009 11:06:51 +0200 (CEST) Date: Thu, 04 Jun 2009 11:06:01 +0200 From: Veronique Maekelbergh Subject: {Spam?} Test mail To: zzz@yyy.be Message-id: <78AEBC3D06BBD9428F6FC4FAB44118A71776E4@uclsbs.ucl.lan> MIME-version: 1.0 X-MIMEOLE: Produced By Microsoft Exchange V6.5 Content-type: multipart/alternative; boundary="Boundary_(ID_kDFY1PEdH5W0kqHpMhDt8A)" Content-class: urn:content-classes:message Thread-topic: Test mail Thread-index: Acnk866wOLlTbHdkQg+C6WRoBjqwuA== X-SGSI-DNSWL: No X-MS-Has-Attach: X-MS-TNEF-Correlator: X-Virus-Scanned: clamav-milter 0.95.1 X-Virus-Status: Clean X-SGSI-MailScanner-ID: CD3A2E8AE2.00000 X-SGSI-MailScanner: Found to be clean X-SGSI-SpamCheck: polluriel, SpamAssassin (not cached, score=5.812, requis 5, BAYES_00 -1.60, BOTNET 3.00, HELO_LH_HOME 3.71, HTML_MESSAGE 0.00, RDNS_DYNAMIC 0.10, SPF_SOFTFAIL 0.60) X-SGSI-Spam-Score: sssss Thanks -- Pascal -- Pascal From MailScanner at ecs.soton.ac.uk Thu Jun 4 11:46:20 2009 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jun 4 11:46:42 2009 Subject: Whitelist problem In-Reply-To: <26734270-761E-46CD-9540-63BFA332D92D@elec.ucl.ac.be> References: <26734270-761E-46CD-9540-63BFA332D92D@elec.ucl.ac.be> <4A27A5FC.20607@ecs.soton.ac.uk> Message-ID: Upgrade to 4.77 and you should find it works rather better. On 04/06/2009 10:41, Pascal Maes wrote: > > Hello, > > We are using MailScanner version 4.76.25-1 > > In MailScanner.conf, I have : > > Is Definitely Not Spam = %rules-dir%/spam_whitelist.rules > > and the file spam_whitelist.rules looks like : > > > more /opt/MailScanner/etc/rules/spam_whitelist.rules > # > # Addresses matching in here, with the value > # "yes" will never be marked as spam. 
> # > # > > From: 85.201.63.77 yes > From: 85.201.63.77/32 yes > From: user-85-201-63-77.static.tvcablenet.be yes > From: host-85-201-63-77.brutele.be yes > From: uclsbs.ucl.lan yes > From: macosx-tex-bounces@email.esm.psu.edu yes > > From: /opt/MailScanner/etc/rules/whitelist.domains yes > > FromOrTo: default no > > > > The file /opt/MailScanner/etc/rules/whitelist.domains contains lines like > > *@example.com > *@*.example.net > user@some.domain.come > > > The following message is comming from the server 85.201.63.77 but it > is still tagged as spam. > Why ? > > > Received: from uclsbs.ucl.lan (host-85-201-63-77.brutele.be > [85.201.63.77]) > by smtp1.sgsi.ucl.ac.be (Postfix) with ESMTP id CD3A2E8AE2 for > ; Thu, 04 Jun 2009 11:06:51 +0200 (CEST) > Date: Thu, 04 Jun 2009 11:06:01 +0200 > From: Veronique Maekelbergh > Subject: {Spam?} Test mail > To: zzz@yyy.be > Message-id: <78AEBC3D06BBD9428F6FC4FAB44118A71776E4@uclsbs.ucl.lan> > MIME-version: 1.0 > X-MIMEOLE: Produced By Microsoft Exchange V6.5 > Content-type: multipart/alternative; > boundary="Boundary_(ID_kDFY1PEdH5W0kqHpMhDt8A)" > Content-class: urn:content-classes:message > Thread-topic: Test mail > Thread-index: Acnk866wOLlTbHdkQg+C6WRoBjqwuA== > X-SGSI-DNSWL: No > X-MS-Has-Attach: > X-MS-TNEF-Correlator: > X-Virus-Scanned: clamav-milter 0.95.1 > X-Virus-Status: Clean > X-SGSI-MailScanner-ID: CD3A2E8AE2.00000 > X-SGSI-MailScanner: Found to be clean > X-SGSI-SpamCheck: polluriel, SpamAssassin (not cached, score=5.812, > requis 5, > BAYES_00 -1.60, BOTNET 3.00, HELO_LH_HOME 3.71, HTML_MESSAGE 0.00, > RDNS_DYNAMIC 0.10, SPF_SOFTFAIL 0.60) > X-SGSI-Spam-Score: sssss > > > > Thanks Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! 
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From maillists at conactive.com Thu Jun 4 12:31:38 2009 From: maillists at conactive.com (Kai Schaetzl) Date: Thu Jun 4 12:31:51 2009 Subject: Moving Bayes database to tmps In-Reply-To: <4A26ECF1.10109@infernix.net> References: <3e1809420905290310y71f17fdaufb59bebb37906e64@mail.gmail.com> <3e1809420905290511md625e45v5d2819464922d730@mail.gmail.com> <4A26ECF1.10109@infernix.net> Message-ID: Infernix wrote on Wed, 03 Jun 2009 23:36:49 +0200: > I have seen the exact opposite (and have read elsewhere that SQL is > really very expensive cpu-wise for what the Bayes engine does in SA), > but my use case is perhaps non-standard. Well, if I understand correctly you are comparing a setup with four machines and one central MySQL server with a setup that uses local tmpfs on each. In my picture that is not comparable. The lot of your iowait time may have been latency-induced. Having said that, if you are happy with that setup and it works for you: why not :-) Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From maillists at conactive.com Thu Jun 4 12:31:39 2009 From: maillists at conactive.com (Kai Schaetzl) Date: Thu Jun 4 12:31:52 2009 Subject: Whitelist problem In-Reply-To: <26734270-761E-46CD-9540-63BFA332D92D@elec.ucl.ac.be> References: <26734270-761E-46CD-9540-63BFA332D92D@elec.ucl.ac.be> Message-ID: Pascal Maes wrote on Thu, 4 Jun 2009 11:41:56 +0200: > From: 85.201.63.77 yes > From: 85.201.63.77/32 yes should both work > From: user-85-201-63-77.static.tvcablenet.be yes > From: host-85-201-63-77.brutele.be yes won't work (not that it matters in this case, just fyi). If you want to match resolved hostnames you have to use the hostname: keyword and the latest MS version.
(read a few days back) > From: /opt/MailScanner/etc/rules/whitelist.domains yes I wasn't aware you can add to the list like this. Can you? I would comment out this line and try again. > > FromOrTo: default no ok Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From steve.freegard at fsl.com Thu Jun 4 13:38:14 2009 From: steve.freegard at fsl.com (Steve Freegard) Date: Thu Jun 4 13:38:26 2009 Subject: Performance numbers for a DELL R710 In-Reply-To: <24e3d2e40906030719v50a4d20eo36cc987580e23079@mail.gmail.com> References: <3e1809420906020958j4f6123davadbc34501cfe7577@mail.gmail.com> <72cf361e0906021147u760c5c9fie8f808fc990a01c0@mail.gmail.com> <3e1809420906022042y1cb3174ap7405a4446d31524@mail.gmail.com> <72cf361e0906030058y50e8a7e5xa297c7910196a5ce@mail.gmail.com> <3e1809420906030140j18d242a9lc507cdb30d4e25c6@mail.gmail.com> <24e3d2e40906030719v50a4d20eo36cc987580e23079@mail.gmail.com> Message-ID: <4A27C036.7010707@fsl.com> Alex Neuman wrote: > you mentioned asynchronous logging... Can you point us to a FAQ or a > description of how this works, and why it's a good thing? Any cons? I believe this is already in the MAQ/Wiki. To enable asynchronous logging you change your syslog.conf entry from: mail.* /var/log/maillog to mail.* -/var/log/maillog On a mail server this can have a considerable effect on performance as syslog doesn't run sync() calls after each write and therefore allows the kernel to manage the writes to disk which can have a considerable advantage for disk IO but with the disadvantage that if the machine crashes or loses power that you'll be missing some of the most recent log entries. As part of any performance tuning - I *always* enable this. Regards, Steve.
From zaeem.arshad at gmail.com Thu Jun 4 13:54:20 2009 From: zaeem.arshad at gmail.com (Zaeem Arshad) Date: Thu Jun 4 13:54:30 2009 Subject: Performance numbers for a DELL R710 In-Reply-To: <4A27C036.7010707@fsl.com> References: <3e1809420906020958j4f6123davadbc34501cfe7577@mail.gmail.com> <72cf361e0906021147u760c5c9fie8f808fc990a01c0@mail.gmail.com> <3e1809420906022042y1cb3174ap7405a4446d31524@mail.gmail.com> <72cf361e0906030058y50e8a7e5xa297c7910196a5ce@mail.gmail.com> <3e1809420906030140j18d242a9lc507cdb30d4e25c6@mail.gmail.com> <24e3d2e40906030719v50a4d20eo36cc987580e23079@mail.gmail.com> <4A27C036.7010707@fsl.com> Message-ID: <3e1809420906040554x86193cdq6660bca31be82986@mail.gmail.com> On Thu, Jun 4, 2009 at 6:38 PM, Steve Freegard wrote: > Alex Neuman wrote: > > you mentioned asynchronous logging... Can you point us to a FAQ or a > > description of how this works, and why it's a good thing? Any cons? > > I believe this is already in the MAQ/Wiki. > > To enable asynchronous logging you change your syslog.conf entry from: > > mail.* /var/log/maillog > > to > > mail.* -/var/log/maillog > > On a mail server this can have a considerable effect on performance as > syslog doesn't run sync() calls after each write and therefore allows > the kernel to manage the writes to disk which can have a considerable > advantage for disk IO but with the disadvantage that if the machine > crashes or loses power that you'll be missing some of the most recent > log entries. As part of any performance tuning - I *always* enable this. > Apart from this, I have found that moving to XFS or ext4 (if you have the courage) makes queue handling pretty fast. With the 24 GB RAM, I am considering having my hold queue on the tmpfs. This though carries the risk of mail loss in case of an power outage for which I have sufficient arrangements. Has anyone used other filesystems such as JFS or Reiser or even ext2? What's your experience? 
--
Zaeem
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090604/e5c2eb97/attachment.html

From steve.freegard at fsl.com Thu Jun 4 14:10:49 2009
From: steve.freegard at fsl.com (Steve Freegard)
Date: Thu Jun 4 14:10:59 2009
Subject: Performance numbers for a DELL R710
In-Reply-To: <3e1809420906022042y1cb3174ap7405a4446d31524@mail.gmail.com>
References: <3e1809420906020958j4f6123davadbc34501cfe7577@mail.gmail.com>
 <72cf361e0906021147u760c5c9fie8f808fc990a01c0@mail.gmail.com>
 <3e1809420906022042y1cb3174ap7405a4446d31524@mail.gmail.com>
Message-ID: <4A27C7D9.5050800@fsl.com>

Zaeem Arshad wrote:
>
>
> On Wed, Jun 3, 2009 at 12:47 AM, Martin Hepworth
> wrote:
>
> Zaeem
>
> nice.
>
> depends on the tests you run (RBLs etc) and the size of the emails.
>
> look in the wiki for performance and tuning on both MailScanner and
> Spamassassin.
>
>
>
> I have a test box with the same specs but 8 Gigs of RAM. My performance
> tuning so far has been
>
> - tmpfs for message scanning
> - DNS caching server on the same box
> - Lower timeouts on Postfix (another instance handling retries)
> - Compiled rules on SA
> - DCC, Razor
> - Clamd
> - Asynchronous logging
>
> Filesystem underneath is XFS and average mailsize is around 60KB. I have
> pretty much made all the changes suggested and currently the server is
> handling around 45000 emails/hour. Do you think increasing the number of
> MailScanner children might help? What other performance tweaks can I
> have? I am looking to scale the system to handle at least 65
> emails/second with antivirus, antispam scanning and RBL checks.
>

With 8 cores and 8Gb RAM or greater then you can start with Max Children = 40 and measure the performance, then steadily increase the children by 5 until you start to see the performance worsen.
I personally find the batch size to be largely irrelevant and usually stick to batches of 30, 50 or 100 (the larger the batch size; the greater the delivery latency of any given message).

65 messages/sec is 5,616,000 messages per day; with volume like that you will *have* to purchase licensed feeds of Spamhaus, URIBL and/or SURBL as you will exceed their fair usage limits even if the usage is non-commercial. There is also a big advantage when running the lists locally as it decreases your scan times considerably due to the decreased lookup latency.

Other performance tuning I would recommend:

- Don't run DCC, Razor or Pyzor (unless you run a local mirror); the network latency is simply too high and will drastically reduce the number of messages you can handle.
- Disable all unnecessary RBLs in SpamAssassin, the rfc-ignorant lists in particular are pretty worthless so cut those out at minimum; I would personally nuke any RBL that you don't run a local mirror of.
- Mount your /var partition with noatime.
- Use sa-compile and enable the Rule2XS SA plug-in.
- Put Bayes in MySQL with InnoDB tables and use the persistent DBI plug-in.
- Disable Bayes opportunistic expiry and run it manually in a cronjob once per day.

Finally - enable the 'Log Speed = Yes' option in MailScanner.conf and watch your total batch times. To reach 65 messages/sec you'll need to keep the average time per message (e.g. total batch time/number of messages) to under 1.625 to achieve your goal with 40 MailScanner children. If you can get away with running > 40 children then the average scan time can increase accordingly.

Cheers,
Steve.
From steve.freegard at fsl.com Thu Jun 4 14:40:15 2009
From: steve.freegard at fsl.com (Steve Freegard)
Date: Thu Jun 4 14:40:25 2009
Subject: Performance numbers for a DELL R710
In-Reply-To: <3e1809420906040554x86193cdq6660bca31be82986@mail.gmail.com>
References: <3e1809420906020958j4f6123davadbc34501cfe7577@mail.gmail.com>
 <72cf361e0906021147u760c5c9fie8f808fc990a01c0@mail.gmail.com>
 <3e1809420906022042y1cb3174ap7405a4446d31524@mail.gmail.com>
 <72cf361e0906030058y50e8a7e5xa297c7910196a5ce@mail.gmail.com>
 <3e1809420906030140j18d242a9lc507cdb30d4e25c6@mail.gmail.com>
 <24e3d2e40906030719v50a4d20eo36cc987580e23079@mail.gmail.com>
 <4A27C036.7010707@fsl.com>
 <3e1809420906040554x86193cdq6660bca31be82986@mail.gmail.com>
Message-ID: <4A27CEBF.10101@fsl.com>

Zaeem Arshad wrote:
>
>
> On Thu, Jun 4, 2009 at 6:38 PM, Steve Freegard
> wrote:
>
> Alex Neuman wrote:
> > you mentioned asynchronous logging... Can you point us to a FAQ or a
> > description of how this works, and why it's a good thing? Any cons?
>
> I believe this is already in the MAQ/Wiki.
>
> To enable asynchronous logging you change your syslog.conf entry from:
>
> mail.* /var/log/maillog
>
> to
>
> mail.* -/var/log/maillog
>
> On a mail server this can have a considerable effect on performance as
> syslog doesn't run sync() calls after each write and therefore allows
> the kernel to manage the writes to disk which can have a considerable
> advantage for disk IO but with the disadvantage that if the machine
> crashes or loses power that you'll be missing some of the most recent
> log entries. As part of any performance tuning - I *always* enable
> this.
>
>
> Apart from this, I have found that moving to XFS or ext4 (if you have
> the courage) makes queue handling pretty fast. With the 24 GB RAM, I am
> considering having my hold queue on the tmpfs. This though carries the
> risk of mail loss in case of a power outage for which I have sufficient
> arrangements. Has anyone used other filesystems such as JFS or Reiser or
> even ext2? What's your experience?
>

Twiddling with the filesystem used is only going to bring marginal gains on your actual scan times which if you want to achieve 65 messages/sec is where you need to focus your efforts first.

I've seen XFS consistently come last in several benchmarks for mail server type traffic. See http://www.linux-mag.com/id/7345/2/ for a review of filesystems I read yesterday.

Regards,
Steve.

From pascal.maes at elec.ucl.ac.be Thu Jun 4 14:54:48 2009
From: pascal.maes at elec.ucl.ac.be (Pascal Maes)
Date: Thu Jun 4 15:01:54 2009
Subject: Whitelist problem
In-Reply-To:
References: <26734270-761E-46CD-9540-63BFA332D92D@elec.ucl.ac.be>
 <4A27A5FC.20607@ecs.soton.ac.uk>
Message-ID:

Hello again

It works better for the spam whitelist but since I have upgraded to 4.77.9, I have a lot of

The following e-mails were found to have: Other Bad Content Detected

Sender: n.peiffer@foretwallonne.be
IP Address: 130.104.130.103
Recipient: jacob@right-ink.com
Subject: demande de prix
MessageID: A6E81EB22E.00000
Quarantine: /var/spool/MailScanner/quarantine/20090604/A6E81EB22E.00000
Report: MailScanner: Message attempted to kill MailScanner

It's a mail with two attachments,

one tiff : filename=logo_fw.tif
and another pdf : filename="fw97_3-11[arboplant].pdf"

On 04-Jun-09 at 12:46, Julian Field wrote:

> Upgrade to 4.77 and you should find it works rather better.
>
> On 04/06/2009 10:41, Pascal Maes wrote:
>>
>> Hello,
>>
>> We are using MailScanner version 4.76.25-1
>>
>> In MailScanner.conf, I have :
>>
>> Is Definitely Not Spam = %rules-dir%/spam_whitelist.rules
>>
>> and the file spam_whitelist.rules looks like :
>>
>> > more /opt/MailScanner/etc/rules/spam_whitelist.rules
>> #
>> # Addresses matching in here, with the value
>> # "yes" will never be marked as spam.
>> # >> # >> >> From: 85.201.63.77 yes >> From: 85.201.63.77/32 yes >> From: user-85-201-63-77.static.tvcablenet.be yes >> From: host-85-201-63-77.brutele.be yes >> From: uclsbs.ucl.lan yes >> From: macosx-tex-bounces@email.esm.psu.edu yes >> >> From: /opt/MailScanner/etc/rules/whitelist.domains yes >> >> FromOrTo: default no >> >> >> >> The file /opt/MailScanner/etc/rules/whitelist.domains contains >> lines like >> >> *@example.com >> *@*.example.net >> user@some.domain.come >> >> >> The following message is comming from the server 85.201.63.77 but >> it is still tagged as spam. >> Why ? >> >> >> Received: from uclsbs.ucl.lan (host-85-201-63-77.brutele.be >> [85.201.63.77]) >> by smtp1.sgsi.ucl.ac.be (Postfix) with ESMTP id CD3A2E8AE2 for >> ; Thu, 04 Jun 2009 11:06:51 +0200 >> (CEST) >> Date: Thu, 04 Jun 2009 11:06:01 +0200 >> From: Veronique Maekelbergh >> Subject: {Spam?} Test mail >> To: zzz@yyy.be >> Message-id: <78AEBC3D06BBD9428F6FC4FAB44118A71776E4@uclsbs.ucl.lan> >> MIME-version: 1.0 >> X-MIMEOLE: Produced By Microsoft Exchange V6.5 >> Content-type: multipart/alternative; >> boundary="Boundary_(ID_kDFY1PEdH5W0kqHpMhDt8A)" >> Content-class: urn:content-classes:message >> Thread-topic: Test mail >> Thread-index: Acnk866wOLlTbHdkQg+C6WRoBjqwuA== >> X-SGSI-DNSWL: No >> X-MS-Has-Attach: >> X-MS-TNEF-Correlator: >> X-Virus-Scanned: clamav-milter 0.95.1 >> X-Virus-Status: Clean >> X-SGSI-MailScanner-ID: CD3A2E8AE2.00000 >> X-SGSI-MailScanner: Found to be clean >> X-SGSI-SpamCheck: polluriel, SpamAssassin (not cached, score=5.812, >> requis 5, >> BAYES_00 -1.60, BOTNET 3.00, HELO_LH_HOME 3.71, HTML_MESSAGE 0.00, >> RDNS_DYNAMIC 0.10, SPF_SOFTFAIL 0.60) >> X-SGSI-Spam-Score: sssss >> >> >> >> Thanks > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! 
> Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > Follow me at twitter.com/JulesFM and twitter.com/MailScanner > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! -- Pascal From MailScanner at ecs.soton.ac.uk Thu Jun 4 15:03:21 2009 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jun 4 15:03:48 2009 Subject: Whitelist problem In-Reply-To: References: <26734270-761E-46CD-9540-63BFA332D92D@elec.ucl.ac.be> <4A27D429.2090401@ecs.soton.ac.uk> Message-ID: On 04/06/2009 12:31, Kai Schaetzl wrote: > Pascal Maes wrote on Thu, 4 Jun 2009 11:41:56 +0200: > > >> From: 85.201.63.77 yes >> From: 85.201.63.77/32 yes >> 4.76 probably broke those two lines for Postfix users. Sorry! Fixed in 4.77. > should both work > > >> From: user-85-201-63-77.static.tvcablenet.be yes >> From: host-85-201-63-77.brutele.be yes >> > won't work (not that it matters in this case, justf fyi). > If you want to match resolved hostnames you have to use the hostname: > keyword and the lastest MS version. (read a few days back) > > > >> From: /opt/MailScanner/etc/rules/whitelist.domains yes >> > I wasn't aware you can add to the list like this. Can you? > Yes, that is entirely legal and most definitely supported. Should work just fine. > I would comment out this line and try again. > > > >> FromOrTo: default no >> > ok > > > Kai > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! 
Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Thu Jun 4 15:33:02 2009 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jun 4 15:33:21 2009 Subject: Whitelist problem In-Reply-To: References: <26734270-761E-46CD-9540-63BFA332D92D@elec.ucl.ac.be> <4A27A5FC.20607@ecs.soton.ac.uk> <4A27DB1E.1010501@ecs.soton.ac.uk> Message-ID: Run "MailScanner --debug" and see what happens. On 04/06/2009 14:54, Pascal Maes wrote: > Hello again > > It works better for the spam whitelist but since I have upgraded to > 4.77.9, I have a lot of > > > The following e-mails were found to have: Other Bad Content Detected > > Sender: n.peiffer@foretwallonne.be > IP Address: 130.104.130.103 > Recipient: jacob@right-ink.com > Subject: demande de prix > MessageID: A6E81EB22E.00000 > Quarantine: /var/spool/MailScanner/quarantine/20090604/A6E81EB22E.00000 > Report: MailScanner: Message attempted to kill MailScanner > > > It's a mail with two attachments, > > one tiff : filename=logo_fw.tif > and another pdf : filename="fw97_3-11[arboplant].pdf" > > > > > Le 04-juin-09 ? 12:46, Julian Field a ?crit : > >> Upgrade to 4.77 and you should find it works rather better. >> >> On 04/06/2009 10:41, Pascal Maes wrote: >>> >>> Hello, >>> >>> We are using MailScanner version 4.76.25-1 >>> >>> In MailScanner.conf, I have : >>> >>> Is Definitely Not Spam = %rules-dir%/spam_whitelist.rules >>> >>> and the file spam_whitelist.rules looks like : >>> >>> > more /opt/MailScanner/etc/rules/spam_whitelist.rules >>> # >>> # Addresses matching in here, with the value >>> # "yes" will never be marked as spam. 
>>> # >>> # >>> >>> From: 85.201.63.77 yes >>> From: 85.201.63.77/32 yes >>> From: user-85-201-63-77.static.tvcablenet.be yes >>> From: host-85-201-63-77.brutele.be yes >>> From: uclsbs.ucl.lan yes >>> From: macosx-tex-bounces@email.esm.psu.edu yes >>> >>> From: /opt/MailScanner/etc/rules/whitelist.domains yes >>> >>> FromOrTo: default no >>> >>> >>> >>> The file /opt/MailScanner/etc/rules/whitelist.domains contains lines >>> like >>> >>> *@example.com >>> *@*.example.net >>> user@some.domain.come >>> >>> >>> The following message is comming from the server 85.201.63.77 but it >>> is still tagged as spam. >>> Why ? >>> >>> >>> Received: from uclsbs.ucl.lan (host-85-201-63-77.brutele.be >>> [85.201.63.77]) >>> by smtp1.sgsi.ucl.ac.be (Postfix) with ESMTP id CD3A2E8AE2 for >>> ; Thu, 04 Jun 2009 11:06:51 +0200 (CEST) >>> Date: Thu, 04 Jun 2009 11:06:01 +0200 >>> From: Veronique Maekelbergh >>> Subject: {Spam?} Test mail >>> To: zzz@yyy.be >>> Message-id: <78AEBC3D06BBD9428F6FC4FAB44118A71776E4@uclsbs.ucl.lan> >>> MIME-version: 1.0 >>> X-MIMEOLE: Produced By Microsoft Exchange V6.5 >>> Content-type: multipart/alternative; >>> boundary="Boundary_(ID_kDFY1PEdH5W0kqHpMhDt8A)" >>> Content-class: urn:content-classes:message >>> Thread-topic: Test mail >>> Thread-index: Acnk866wOLlTbHdkQg+C6WRoBjqwuA== >>> X-SGSI-DNSWL: No >>> X-MS-Has-Attach: >>> X-MS-TNEF-Correlator: >>> X-Virus-Scanned: clamav-milter 0.95.1 >>> X-Virus-Status: Clean >>> X-SGSI-MailScanner-ID: CD3A2E8AE2.00000 >>> X-SGSI-MailScanner: Found to be clean >>> X-SGSI-SpamCheck: polluriel, SpamAssassin (not cached, score=5.812, >>> requis 5, >>> BAYES_00 -1.60, BOTNET 3.00, HELO_LH_HOME 3.71, HTML_MESSAGE 0.00, >>> RDNS_DYNAMIC 0.10, SPF_SOFTFAIL 0.60) >>> X-SGSI-Spam-Score: sssss >>> >>> >>> >>> Thanks >> >> Jules >> >> -- >> Julian Field MEng CITP CEng >> www.MailScanner.info >> Buy the MailScanner book at www.MailScanner.info/store >> >> Need help customising MailScanner? >> Contact me! 
>> Need help fixing or optimising your systems? >> Contact me! >> Need help getting you started solving new requirements from your boss? >> Contact me! >> >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> Follow me at twitter.com/JulesFM and twitter.com/MailScanner >> >> >> -- >> This message has been scanned for viruses and >> dangerous content by MailScanner, and is >> believed to be clean. >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From Joey.Casas at nexusmgmt.com Thu Jun 4 15:38:27 2009 From: Joey.Casas at nexusmgmt.com (Joey Casas) Date: Thu Jun 4 15:45:50 2009 Subject: Load sharing techniques Message-ID: <6A4AF5E37B020A4B869BE3A108F8F67006DBC8CBF9@nmibwkexch4.nexusmgmt.com> I am new to this list but have been working with MailScanner for a few years now. With the recent (re)uptick in spam volumes, and increased rules to cope with new techniques, we are having general performance "problems" with our current hardware. Mainly, increased queue size and associated delays during peak times. Currently I have a basic round robin setup between three MailScanners and two external IPs that forward to all servers. 
I might be getting more "mediocre" hardware soon and I _can_ simply add them to the NAT pool. However, the servers are all of different capabilities and generally I have one or two servers that accumulate larger queues than the others. Average mails per second are very similar (MS1 .69, MS2 .74, MS4 .75). I also have some pretty fast RAID 5 disk that I can NFS or iSCSI mount - which leads me to my question. Has anyone done a "shared queue" setup where multiple servers look to the same mqueue to scan and what problems could be foreseen? I imagine maybe file locking, header accuracy, etc... Thoughts, or concepts I might read up on? Thanks for any input! Joey Casas ------------------------------------------- Linux Engineering Team n|m Nexus Management 4 Industrial Parkway Suite 101 Brunswick, Maine 04011 Tel (US) : 1 207 319 1105 Tel (UK) : 0207 100 4968 x421 Cell (US) : 1 207 607 1047 Fax : 1 207 725 8552 SIP: 0421@pbx.nexusmgmt.com Nexus Management, Inc.? Registered Office: 4 Industrial Parkway, Suite 101, Brunswick, Maine. 04011?Company No. 19891257D, Registered in Maine? A member of the Nexus Management Plc group of companies From jonas at vrt.dk Thu Jun 4 15:53:34 2009 From: jonas at vrt.dk (Jonas A. Larsen) Date: Thu Jun 4 15:53:47 2009 Subject: Performance numbers for a DELL R710 In-Reply-To: <4A27C7D9.5050800@fsl.com> References: <3e1809420906020958j4f6123davadbc34501cfe7577@mail.gmail.com> <72cf361e0906021147u760c5c9fie8f808fc990a01c0@mail.gmail.com> <3e1809420906022042y1cb3174ap7405a4446d31524@mail.gmail.com> <4A27C7D9.5050800@fsl.com> Message-ID: <005201c9e524$3c4d1dc0$b4e75940$@dk> This thread is providing really nice info everybody can use, even those of us with a lot less volume > - Put Bayes in MySQL with InnoDB tables and use the persistent DBI > plug-in. Steve: the above point from your sugestions makes me wonder. 
I investigated into the DBI persistent connections plugin earlier, but I seem to recall that somebody claimed that mailscanner already keeps the connection open as its running as a daemon. Have you tested this, and actually seen a performance increase? Med venlig hilsen / Best regards Jonas Akrouh Larsen TechBiz ApS Laplandsgade 4, 2. sal 2300 K?benhavn S Office: 7020 0979 Direct: 3336 9974 Mobile: 5120 1096 Fax: 7020 0978 Web: www.techbiz.dk From pascal.maes at elec.ucl.ac.be Thu Jun 4 16:35:04 2009 From: pascal.maes at elec.ucl.ac.be (Pascal Maes) Date: Thu Jun 4 16:35:20 2009 Subject: Whitelist problem In-Reply-To: References: <26734270-761E-46CD-9540-63BFA332D92D@elec.ucl.ac.be> <4A27A5FC.20607@ecs.soton.ac.uk> <4A27DB1E.1010501@ecs.soton.ac.uk> Message-ID: That's all I have ./MailScanner --debug /opt/MailScanner/etc/MailScanner.conf In Debugging mode, not forking... Trying to setlogsock(unix) Building a message batch to scan... Have a batch of 100 messages. max message size is '90k' max message size is '90k' Could not reverse 201-76-71-89.flash.tv.br: In the logfile, I see : Jun 4 17:30:27 smtp-1 MailScanner[14322]: Making attempt 2 at processing message 71D99643FF.00000 Jun 4 17:30:27 smtp-1 MailScanner[14322]: Making attempt 6 at processing message 934886439E.00000 Jun 4 17:30:27 smtp-1 MailScanner[14322]: Making attempt 6 at processing message 3C37964413.00000 Jun 4 17:30:27 smtp-1 MailScanner[14322]: Making attempt 6 at processing message 94349E8D1C.00000 Jun 4 17:30:27 smtp-1 MailScanner[14322]: Making attempt 2 at processing message 1BAD16441D.00000 Jun 4 17:30:28 smtp-1 MailScanner[14322]: Making attempt 6 at processing message 58D20E8F2E.00000 Jun 4 17:30:28 smtp-1 MailScanner[14322]: Making attempt 6 at processing message 30927643FC.00000 Jun 4 17:30:28 smtp-1 MailScanner[14322]: Making attempt 6 at processing message 57E6B6442C.00000 Jun 4 17:30:28 smtp-1 MailScanner[14322]: Making attempt 6 at processing message C0192643FD.00000 Jun 4 17:30:28 
smtp-1 MailScanner[14322]: Making attempt 6 at processing message 304F16442F.00000 Jun 4 17:30:28 smtp-1 MailScanner[14322]: Making attempt 5 at processing message 7084F64431.00000 Jun 4 17:30:28 smtp-1 MailScanner[14322]: Making attempt 5 at processing message 18D26E8F94.00000 Jun 4 17:30:28 smtp-1 MailScanner[14322]: Making attempt 5 at processing message 750E1E8F9B.00000 Jun 4 17:30:28 smtp-1 MailScanner[14322]: Making attempt 5 at processing message 003C0E8CFD.00000 Jun 4 17:30:28 smtp-1 MailScanner[14322]: Making attempt 5 at processing message 96163E9000.00000 Jun 4 17:30:28 smtp-1 MailScanner[14322]: Making attempt 5 at processing message D4BF164434.00000 Jun 4 17:30:28 smtp-1 MailScanner[14322]: Making attempt 6 at processing message 6A1D964435.00000 Jun 4 17:30:28 smtp-1 MailScanner[14322]: Making attempt 5 at processing message 8B862E8E68.00000 Jun 4 17:30:28 smtp-1 MailScanner[14322]: Making attempt 5 at processing message 5BE53E8B4B.00000 Jun 4 17:30:28 smtp-1 MailScanner[14322]: New Batch: Found 309 messages waiting Jun 4 17:30:28 smtp-1 MailScanner[14322]: New Batch: Scanning 100 messages, 3511210 bytes and also Jun 4 17:30:27 smtp-1 MailScanner[14322]: Warning: skipping message 1C914E8AEB.00000 as it has been attempted too many times Jun 4 17:30:27 smtp-1 MailScanner[14322]: Quarantined message 1C914E8AEB.00000 as it caused MailScanner to crash several times Le 04-juin-09 ? 16:33, Julian Field a ?crit : > Run "MailScanner --debug" and see what happens. > > On 04/06/2009 14:54, Pascal Maes wrote: >> Hello again >> >> It works better for the spam whitelist but since I have upgraded to >> 4.77.9, I have a lot of >> >> >> The following e-mails were found to have: Other Bad Content Detected >> >> Sender: n.peiffer@foretwallonne.be >> IP Address: 130.104.130.103 >> Recipient: jacob@right-ink.com >> Subject: demande de prix >> MessageID: A6E81EB22E.00000 >> Quarantine: /var/spool/MailScanner/quarantine/20090604/A6E81EB22E. 
>> 00000 >> Report: MailScanner: Message attempted to kill MailScanner >> >> >> It's a mail with two attachments, >> >> one tiff : filename=logo_fw.tif >> and another pdf : filename="fw97_3-11[arboplant].pdf" >> >> >> >> >> Le 04-juin-09 ? 12:46, Julian Field a ?crit : >> >>> Upgrade to 4.77 and you should find it works rather better. >>> >>> On 04/06/2009 10:41, Pascal Maes wrote: >>>> >>>> Hello, >>>> >>>> We are using MailScanner version 4.76.25-1 >>>> >>>> In MailScanner.conf, I have : >>>> >>>> Is Definitely Not Spam = %rules-dir%/spam_whitelist.rules >>>> >>>> and the file spam_whitelist.rules looks like : >>>> >>>> > more /opt/MailScanner/etc/rules/spam_whitelist.rules >>>> # >>>> # Addresses matching in here, with the value >>>> # "yes" will never be marked as spam. >>>> # >>>> # >>>> >>>> From: 85.201.63.77 yes >>>> From: 85.201.63.77/32 yes >>>> From: user-85-201-63-77.static.tvcablenet.be yes >>>> From: host-85-201-63-77.brutele.be yes >>>> From: uclsbs.ucl.lan yes >>>> From: macosx-tex-bounces@email.esm.psu.edu yes >>>> >>>> From: /opt/MailScanner/etc/rules/whitelist.domains yes >>>> >>>> FromOrTo: default no >>>> >>>> >>>> >>>> The file /opt/MailScanner/etc/rules/whitelist.domains contains >>>> lines like >>>> >>>> *@example.com >>>> *@*.example.net >>>> user@some.domain.come >>>> >>>> >>>> The following message is comming from the server 85.201.63.77 but >>>> it is still tagged as spam. >>>> Why ? 
>>>> >>>> >>>> Received: from uclsbs.ucl.lan (host-85-201-63-77.brutele.be >>>> [85.201.63.77]) >>>> by smtp1.sgsi.ucl.ac.be (Postfix) with ESMTP id CD3A2E8AE2 for >>>> ; Thu, 04 Jun 2009 11:06:51 +0200 >>>> (CEST) >>>> Date: Thu, 04 Jun 2009 11:06:01 +0200 >>>> From: Veronique Maekelbergh >>>> Subject: {Spam?} Test mail >>>> To: zzz@yyy.be >>>> Message-id: <78AEBC3D06BBD9428F6FC4FAB44118A71776E4@uclsbs.ucl.lan> >>>> MIME-version: 1.0 >>>> X-MIMEOLE: Produced By Microsoft Exchange V6.5 >>>> Content-type: multipart/alternative; >>>> boundary="Boundary_(ID_kDFY1PEdH5W0kqHpMhDt8A)" >>>> Content-class: urn:content-classes:message >>>> Thread-topic: Test mail >>>> Thread-index: Acnk866wOLlTbHdkQg+C6WRoBjqwuA== >>>> X-SGSI-DNSWL: No >>>> X-MS-Has-Attach: >>>> X-MS-TNEF-Correlator: >>>> X-Virus-Scanned: clamav-milter 0.95.1 >>>> X-Virus-Status: Clean >>>> X-SGSI-MailScanner-ID: CD3A2E8AE2.00000 >>>> X-SGSI-MailScanner: Found to be clean >>>> X-SGSI-SpamCheck: polluriel, SpamAssassin (not cached, >>>> score=5.812, requis 5, >>>> BAYES_00 -1.60, BOTNET 3.00, HELO_LH_HOME 3.71, HTML_MESSAGE 0.00, >>>> RDNS_DYNAMIC 0.10, SPF_SOFTFAIL 0.60) >>>> X-SGSI-Spam-Score: sssss >>>> >>>> >>>> >>>> Thanks >>> >>> Jules >>> >>> -- >>> Julian Field MEng CITP CEng >>> www.MailScanner.info >>> Buy the MailScanner book at www.MailScanner.info/store >>> >>> Need help customising MailScanner? >>> Contact me! >>> Need help fixing or optimising your systems? >>> Contact me! >>> Need help getting you started solving new requirements from your >>> boss? >>> Contact me! >>> >>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >>> Follow me at twitter.com/JulesFM and twitter.com/MailScanner >>> >>> >>> -- >>> This message has been scanned for viruses and >>> dangerous content by MailScanner, and is >>> believed to be clean. 
>>> >>> -- >>> MailScanner mailing list >>> mailscanner@lists.mailscanner.info >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>> >>> Before posting, read http://wiki.mailscanner.info/posting >>> >>> Support MailScanner development - buy the book off the website! >> > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > Follow me at twitter.com/JulesFM and twitter.com/MailScanner > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! -- Pascal -- Pascal From steve.freegard at fsl.com Thu Jun 4 16:36:42 2009 From: steve.freegard at fsl.com (Steve Freegard) Date: Thu Jun 4 16:36:52 2009 Subject: Performance numbers for a DELL R710 In-Reply-To: <005201c9e524$3c4d1dc0$b4e75940$@dk> References: <3e1809420906020958j4f6123davadbc34501cfe7577@mail.gmail.com> <72cf361e0906021147u760c5c9fie8f808fc990a01c0@mail.gmail.com> <3e1809420906022042y1cb3174ap7405a4446d31524@mail.gmail.com> <4A27C7D9.5050800@fsl.com> <005201c9e524$3c4d1dc0$b4e75940$@dk> Message-ID: <4A27EA0A.8040302@fsl.com> Jonas A. Larsen wrote: > This thread is providing really nice info everybody can use, even those of > us with a lot less volume > >> - Put Bayes in MySQL with InnoDB tables and use the persistent DBI >> plug-in. > > Steve: the above point from your sugestions makes me wonder. 
I investigated
> into the DBI persistent connections plugin earlier, but I seem to recall
> that somebody claimed that mailscanner already keeps the connection open as
> it's running as a daemon.

I don't believe that to be true. And there's a very simple way to prove this if you already have bayes running under MySQL.

Run 'mysqladmin processlist' as the MySQL root user and you should have as many connections to your Bayes database as you do MailScanner children (e.g. 5 children = 5 bayes database connections) otherwise the above statement is false.

> Have you tested this, and actually seen a performance increase?

I've only really used it with spamd and not MailScanner - but the principle is the same and therefore so should be the performance benefits.

Regards,
Steve.

From MailScanner at ecs.soton.ac.uk Thu Jun 4 17:31:41 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jun 4 17:32:04 2009
Subject: Load sharing techniques
In-Reply-To: <6A4AF5E37B020A4B869BE3A108F8F67006DBC8CBF9@nmibwkexch4.nexusmgmt.com>
References: <6A4AF5E37B020A4B869BE3A108F8F67006DBC8CBF9@nmibwkexch4.nexusmgmt.com>
 <4A27F6ED.4020804@ecs.soton.ac.uk>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/06/2009 15:38, Joey Casas wrote:
> I am new to this list but have been working with MailScanner for a few years now. With the recent (re)uptick in spam volumes, and increased rules to cope with new techniques, we are having general performance "problems" with our current hardware. Mainly, increased queue size and associated delays during peak times.
>
> Currently I have a basic round robin setup between three MailScanners and two external IPs that forward to all servers. I might be getting more "mediocre" hardware soon and I _can_ simply add them to the NAT pool. However, the servers are all of different capabilities and generally I have one or two servers that accumulate larger queues than the others. Average mails per second are very similar (MS1 .69, MS2 .74, MS4 .75).
>
> I also have some pretty fast RAID 5 disk that I can NFS or iSCSI mount - which leads me to my question. Has anyone done a "shared queue" setup where multiple servers look to the same mqueue to scan and what problems could be foreseen? I imagine maybe file locking, header accuracy, etc...
>

Your biggest problem is file locking. It's got to be perfect for it to work, MTAs aren't normally written with shared filestore in mind, and so use locking mechanisms that are not supported on shared filesystems such as NFS or SMB. I didn't think iSCSI was a filesharing protocol, just a way of implementing SCSI over IP, so I don't quite see how that's relevant here.

I had 2 slower servers and 2 faster servers. I set up the MX records so that the

@ IN MX 10 slower.server
@ IN MX 5 faster.server

In that way, all the "real" mail used the MX priority number and hence went to the faster server which had the shorter queues and so on. The slower server would never get any real mail as the faster one was always available, and it didn't matter if the slower one got a bit behind on processing its spam at times.

Each MX record pointed to an A record with 2 IP addresses, so that the slower.server name was actually 2 physical servers and the faster.server name was the other 2 physical servers.

That worked very well for me. You don't need to use NAT to achieve any of this.

Hope that is of some use to you.

Jules

- --
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Follow me at twitter.com/JulesFM

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.10.0 (Build 500) Comment: Use PGP or Thunderbird Enigmail to verify this message Charset: KOI8-R wj8DBQFKJ/buEfZZRxQVtlQRAg93AKDQgxJr7UaQ6guCygrUBBU0LwejuwCg7Q76 uhv5TTpMSAzh7jkqIDcfqyA= =hrUx -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From davejones70 at gmail.com Thu Jun 4 17:44:13 2009 From: davejones70 at gmail.com (Dave Jones) Date: Thu Jun 4 17:44:24 2009 Subject: img tags removed Message-ID: <67a55ed50906040944u40a27e32k134855d78742ccff@mail.gmail.com> >> > href="http://www.citationtechnologies.com/alliances/aspen/">> href="http://www.citationtechnologies.com/alliances/iccecodes/">> href="http://www.citationtechnologies.com/alliances/ansi/">> href="http://www.citationtechnologies.com/alliances/astm/">> href="http://www.cyberregs.com/~kparam/index.htm">Direct link to >> CyberRegs

>>
>>
>> What can I do to troubleshoot this?
>>
>That's not remotely valid HTML, no wonder it gets a bit confused. You
>are supposed to close your tags.
>
>Jules

Once again, you are spot on, Julian. I have contacted the originator of the email and they are updating their code. We tested a version of the email in which we manually fixed the closing element, and it came through MailScanner perfectly.

From MailScanner at ecs.soton.ac.uk Thu Jun 4 17:46:49 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jun 4 17:47:16 2009 Subject: Whitelist problem In-Reply-To: References: <26734270-761E-46CD-9540-63BFA332D92D@elec.ucl.ac.be> <4A27A5FC.20607@ecs.soton.ac.uk> <4A27DB1E.1010501@ecs.soton.ac.uk> <4A27FA79.7060908@ecs.soton.ac.uk> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Upgrade to 4.77.10 and this problem will disappear. Jules. On 04/06/2009 16:35, Pascal Maes wrote: > That's all I have > > ./MailScanner --debug /opt/MailScanner/etc/MailScanner.conf > In Debugging mode, not forking... > Trying to setlogsock(unix) > Building a message batch to scan... > Have a batch of 100 messages. > max message size is '90k' > max message size is '90k' > Could not reverse 201-76-71-89.flash.tv.br: > > > > In the logfile, I see : > > > Jun 4 17:30:27 smtp-1 MailScanner[14322]: Making attempt 2 at > processing message 71D99643FF.00000 > Jun 4 17:30:27 smtp-1 MailScanner[14322]: Making attempt 6 at > processing message 934886439E.00000 > Jun 4 17:30:27 smtp-1 MailScanner[14322]: Making attempt 6 at > processing message 3C37964413.00000 > Jun 4 17:30:27 smtp-1 MailScanner[14322]: Making attempt 6 at > processing message 94349E8D1C.00000 > Jun 4 17:30:27 smtp-1 MailScanner[14322]: Making attempt 2 at > processing message 1BAD16441D.00000 > Jun 4 17:30:28 smtp-1 MailScanner[14322]: Making attempt 6 at > processing message 58D20E8F2E.00000 > Jun 4 17:30:28 smtp-1 MailScanner[14322]: Making attempt 6 at > processing message 30927643FC.00000 > Jun 4 17:30:28 smtp-1 MailScanner[14322]: Making attempt 6 at > processing message 57E6B6442C.00000 > Jun 4 17:30:28 smtp-1 MailScanner[14322]: Making attempt 6 at > processing message C0192643FD.00000 > Jun 4 17:30:28 smtp-1 MailScanner[14322]: Making attempt 6 at > processing message 304F16442F.00000 > Jun 4 17:30:28 smtp-1 MailScanner[14322]: Making attempt 5 at > processing message 7084F64431.00000 > Jun 4 17:30:28 smtp-1 MailScanner[14322]: Making attempt 5 at > 
processing message 18D26E8F94.00000 > Jun 4 17:30:28 smtp-1 MailScanner[14322]: Making attempt 5 at > processing message 750E1E8F9B.00000 > Jun 4 17:30:28 smtp-1 MailScanner[14322]: Making attempt 5 at > processing message 003C0E8CFD.00000 > Jun 4 17:30:28 smtp-1 MailScanner[14322]: Making attempt 5 at > processing message 96163E9000.00000 > Jun 4 17:30:28 smtp-1 MailScanner[14322]: Making attempt 5 at > processing message D4BF164434.00000 > Jun 4 17:30:28 smtp-1 MailScanner[14322]: Making attempt 6 at > processing message 6A1D964435.00000 > Jun 4 17:30:28 smtp-1 MailScanner[14322]: Making attempt 5 at > processing message 8B862E8E68.00000 > Jun 4 17:30:28 smtp-1 MailScanner[14322]: Making attempt 5 at > processing message 5BE53E8B4B.00000 > Jun 4 17:30:28 smtp-1 MailScanner[14322]: New Batch: Found 309 > messages waiting > Jun 4 17:30:28 smtp-1 MailScanner[14322]: New Batch: Scanning 100 > messages, 3511210 bytes > > and also > > Jun 4 17:30:27 smtp-1 MailScanner[14322]: Warning: skipping message > 1C914E8AEB.00000 as it has been attempted too many times > Jun 4 17:30:27 smtp-1 MailScanner[14322]: Quarantined message > 1C914E8AEB.00000 as it caused MailScanner to crash several times > > > Le 04-juin-09 ? 16:33, Julian Field a ?crit : > >> Run "MailScanner --debug" and see what happens. 
>> >> On 04/06/2009 14:54, Pascal Maes wrote: >>> Hello again >>> >>> It works better for the spam whitelist but since I have upgraded to >>> 4.77.9, I have a lot of >>> >>> >>> The following e-mails were found to have: Other Bad Content Detected >>> >>> Sender: n.peiffer@foretwallonne.be >>> IP Address: 130.104.130.103 >>> Recipient: jacob@right-ink.com >>> Subject: demande de prix >>> MessageID: A6E81EB22E.00000 >>> Quarantine: /var/spool/MailScanner/quarantine/20090604/A6E81EB22E.00000 >>> Report: MailScanner: Message attempted to kill MailScanner >>> >>> >>> It's a mail with two attachments, >>> >>> one tiff : filename=logo_fw.tif >>> and another pdf : filename="fw97_3-11[arboplant].pdf" >>> >>> >>> >>> >>> Le 04-juin-09 ? 12:46, Julian Field a ?crit : >>> >>>> Upgrade to 4.77 and you should find it works rather better. >>>> >>>> On 04/06/2009 10:41, Pascal Maes wrote: >>>>> >>>>> Hello, >>>>> >>>>> We are using MailScanner version 4.76.25-1 >>>>> >>>>> In MailScanner.conf, I have : >>>>> >>>>> Is Definitely Not Spam = %rules-dir%/spam_whitelist.rules >>>>> >>>>> and the file spam_whitelist.rules looks like : >>>>> >>>>> > more /opt/MailScanner/etc/rules/spam_whitelist.rules >>>>> # >>>>> # Addresses matching in here, with the value >>>>> # "yes" will never be marked as spam. >>>>> # >>>>> # >>>>> >>>>> From: 85.201.63.77 yes >>>>> From: 85.201.63.77/32 yes >>>>> From: user-85-201-63-77.static.tvcablenet.be yes >>>>> From: host-85-201-63-77.brutele.be yes >>>>> From: uclsbs.ucl.lan yes >>>>> From: macosx-tex-bounces@email.esm.psu.edu yes 
>>>>> >>>>> From: /opt/MailScanner/etc/rules/whitelist.domains yes >>>>> >>>>> FromOrTo: default no >>>>> >>>>> >>>>> >>>>> The file /opt/MailScanner/etc/rules/whitelist.domains contains >>>>> lines like >>>>> >>>>> *@example.com >>>>> *@*.example.net >>>>> user@some.domain.come >>>>> >>>>> >>>>> The following message is comming from the server 85.201.63.77 but >>>>> it is still tagged as spam. >>>>> Why ? >>>>> >>>>> >>>>> Received: from uclsbs.ucl.lan (host-85-201-63-77.brutele.be >>>>> [85.201.63.77]) >>>>> by smtp1.sgsi.ucl.ac.be (Postfix) with ESMTP id CD3A2E8AE2 for >>>>> ; Thu, 04 Jun 2009 11:06:51 +0200 >>>>> (CEST) >>>>> Date: Thu, 04 Jun 2009 11:06:01 +0200 
>>>>> From: Veronique Maekelbergh >>>>> Subject: {Spam?} Test mail >>>>> To: zzz@yyy.be >>>>> Message-id: <78AEBC3D06BBD9428F6FC4FAB44118A71776E4@uclsbs.ucl.lan> >>>>> MIME-version: 1.0 >>>>> X-MIMEOLE: Produced By Microsoft Exchange V6.5 >>>>> Content-type: multipart/alternative; >>>>> boundary="Boundary_(ID_kDFY1PEdH5W0kqHpMhDt8A)" >>>>> Content-class: urn:content-classes:message >>>>> Thread-topic: Test mail >>>>> Thread-index: Acnk866wOLlTbHdkQg+C6WRoBjqwuA== >>>>> X-SGSI-DNSWL: No >>>>> X-MS-Has-Attach: >>>>> X-MS-TNEF-Correlator: >>>>> X-Virus-Scanned: clamav-milter 0.95.1 >>>>> X-Virus-Status: Clean >>>>> X-SGSI-MailScanner-ID: CD3A2E8AE2.00000 >>>>> X-SGSI-MailScanner: Found to be clean >>>>> X-SGSI-SpamCheck: polluriel, SpamAssassin (not cached, >>>>> score=5.812, requis 5, >>>>> BAYES_00 -1.60, BOTNET 3.00, HELO_LH_HOME 3.71, HTML_MESSAGE 0.00, >>>>> RDNS_DYNAMIC 0.10, SPF_SOFTFAIL 0.60) >>>>> X-SGSI-Spam-Score: sssss >>>>> >>>>> >>>>> >>>>> Thanks >>>> >>>> Jules >>>> >>>> -- >>>> Julian Field MEng CITP CEng >>>> www.MailScanner.info >>>> Buy the MailScanner book at www.MailScanner.info/store >>>> >>>> Need help customising MailScanner? >>>> Contact me! >>>> Need help fixing or optimising your systems? >>>> Contact me! >>>> Need help getting you started solving new requirements from your boss? >>>> Contact me! >>>> >>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >>>> Follow me at twitter.com/JulesFM and twitter.com/MailScanner >>>> >>>> >>>> -- >>>> This message has been scanned for viruses and >>>> dangerous content by MailScanner, and is >>>> believed to be clean. >>>> >>>> -- >>>> MailScanner mailing list >>>> mailscanner@lists.mailscanner.info >>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>>> >>>> Before posting, read http://wiki.mailscanner.info/posting >>>> >>>> Support MailScanner development - buy the book off the website! 
>>> >> >> Jules >> >> -- >> Julian Field MEng CITP CEng >> www.MailScanner.info >> Buy the MailScanner book at www.MailScanner.info/store >> >> Need help customising MailScanner? >> Contact me! >> Need help fixing or optimising your systems? >> Contact me! >> Need help getting you started solving new requirements from your boss? >> Contact me! >> >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> Follow me at twitter.com/JulesFM and twitter.com/MailScanner >> >> >> -- >> This message has been scanned for viruses and >> dangerous content by MailScanner, and is >> believed to be clean. >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! > Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Follow me at twitter.com/JulesFM MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.10.0 (Build 500) Comment: Use PGP or Thunderbird Enigmail to verify this message Charset: ISO-8859-1 wj8DBQFKJ/p7EfZZRxQVtlQRAgZnAKDE4hQ5iWPLgfjvzKAd2+8PQdTuvQCfeABW u5ZJR5LxJvlqJyIfkHRm768= =PMOQ -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From zaeem.arshad at gmail.com Thu Jun 4 20:25:19 2009 
From: zaeem.arshad at gmail.com (Zaeem Arshad)
Date: Thu Jun 4 20:25:29 2009
Subject: Performance numbers for a DELL R710
In-Reply-To: <4A27CEBF.10101@fsl.com>
References: <3e1809420906020958j4f6123davadbc34501cfe7577@mail.gmail.com> <72cf361e0906021147u760c5c9fie8f808fc990a01c0@mail.gmail.com> <3e1809420906022042y1cb3174ap7405a4446d31524@mail.gmail.com> <72cf361e0906030058y50e8a7e5xa297c7910196a5ce@mail.gmail.com> <3e1809420906030140j18d242a9lc507cdb30d4e25c6@mail.gmail.com> <24e3d2e40906030719v50a4d20eo36cc987580e23079@mail.gmail.com> <4A27C036.7010707@fsl.com> <3e1809420906040554x86193cdq6660bca31be82986@mail.gmail.com> <4A27CEBF.10101@fsl.com>
Message-ID: <3e1809420906041225i288eb2b3re0dd8bcadde4cc59@mail.gmail.com>

On Thu, Jun 4, 2009 at 7:40 PM, Steve Freegard wrote:
>
>
>
> Twiddling with the filesystem used is only going to bring marginal gains
> on your actual scan times which if you want to achieve 65 message/sec is
> where you need to focus your efforts first.
>
> I've seen XFS consistently come last in several benchmarks for mail
> server type traffic. See http://www.linux-mag.com/id/7345/2/ for a
> review of filesystems I read yesterday.
>

I have had good results so far with XFS. I am willing to give NILFS a spin. Can anyone else vouch for it? Every last bit of performance that can be extracted from a system matters.

Looking forward to further input in this thread.

Regards
--
Zaeem

From Joey.Casas at nexusmgmt.com Thu Jun 4 20:45:56 2009
From: Joey.Casas at nexusmgmt.com (Joey Casas)
Date: Thu Jun 4 20:46:36 2009
Subject: Load sharing techniques
In-Reply-To:
References: <6A4AF5E37B020A4B869BE3A108F8F67006DBC8CBF9@nmibwkexch4.nexusmgmt.com> <4A27F6ED.4020804@ecs.soton.ac.uk>
Message-ID: <6A4AF5E37B020A4B869BE3A108F8F67006DBC8CC77@nmibwkexch4.nexusmgmt.com>

Thanks for the input. I will give that some thought.

Joey Casas
-------------------------------------------
Linux Engineering Team
n|m Nexus Management
4 Industrial Parkway Suite 101
Brunswick, Maine 04011
Tel (US) : 1 207 319 1105
Tel (UK) : 0207 100 4968 x421
Cell (US) : 1 207 607 1047
Fax : 1 207 725 8552
SIP: 0421@pbx.nexusmgmt.com

Nexus Management, Inc.
Registered Office: 4 Industrial Parkway, Suite 101, Brunswick, Maine. 04011
Company No. 19891257D, Registered in Maine
A member of the Nexus Management Plc group of companies

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: Thursday, June 04, 2009 12:32 PM To: MailScanner discussion Subject: Re: Load sharing techniques -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 04/06/2009 15:38, Joey Casas wrote: > I am new to this list but have been working with MailScanner for a few years now. With the recent (re)uptick in spam volumes, and increased rules to cope with new techniques, we are having general performance "problems" with our current hardware. Mainly, increased queue size and associated delays during peak times. > > Currently I have a basic round robin setup between three MailScanners and two external IPs that forward to all servers. I might be getting more "mediocre" hardware soon and I _can_ simply add them to the NAT pool. However, the servers are all of different capabilities and generally I have one or two servers that accumulate larger queues than the others. Average mails per second are very similar (MS1 .69, MS2 .74, MS4 .75). > > I also have some pretty fast RAID 5 disk that I can NFS or iSCSI mount - which leads me to my question. Has anyone done a "shared queue" setup where multiple servers look to the same mqueue to scan and what problems could be foreseen? I imagine maybe file locking, header accuracy, etc... > Your biggest problem is file locking. It's got to be perfect for it to work, MTAs aren't normally written with shared filestore in mind, and so use locking mechanisms that are not supported on shared filesystems such as NFS or SMB. I didn't think iSCSI was a filesharing protocol, just a way of implementing SCSI over IP, so I don't quite see how that's relevant here. I had 2 slower servers and 2 faster servers. I set up the MX records so that the @ IN MX 10 slower.server @ IN MX 5 faster.server In that way, all the "real" mail used the MX priority number and hence went to the faster server which had the shorter queues and so on. 
The slower server would never get any real mail as the faster one was always available, and it didn't matter if the slower one got a bit behind on processing its spam at times. Each MX record pointed to an A record with 2 IP addresses, so that the slower.server name was actually 2 physical servers and the faster.server name was the other 2 physical servers. That worked very well for me. You don't need to use NAT to achieve any of this. Hope that is of some use to you. Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Follow me at twitter.com/JulesFM MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.10.0 (Build 500) Comment: Use PGP or Thunderbird Enigmail to verify this message Charset: KOI8-R wj8DBQFKJ/buEfZZRxQVtlQRAg93AKDQgxJr7UaQ6guCygrUBBU0LwejuwCg7Q76 uhv5TTpMSAzh7jkqIDcfqyA= =hrUx -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From alex at rtpty.com Thu Jun 4 20:46:23 2009 
From: alex at rtpty.com (Alex Neuman)
Date: Thu Jun 4 21:11:40 2009
Subject: How to stop certain spam?
In-Reply-To:
References:
Message-ID: <24e3d2e40906041246n5bb265b4ra78c138c4c86c8d@mail.gmail.com>

Use a custom spamassassin ruleset with the qualities you describe in order to score these messages higher.

On Thu, Jun 4, 2009 at 3:27 AM, Remco Barendse wrote:

> We are getting flooded with messages from one particular advertiser. They
> send dozens of messages each day, all in similar format, a few lines of
> invisible text and some images with their spam crap.
>
> On the right side in the image I often get some crap message like : Sorry,
> this advertiser is not available
>
> The messages hardly score on Bayes and they are never caught by the
> blocklists I use bl.spamcop.net cbl.abuseat.org dnsbl.njabl.org
> chinanet.blackholes.us zen.spamhaus.org
>
> The messages usually are awarded some points for DCC and Razor2 checks.
>
> There is always some USA postal address written at the bottom.
>
> A lot of messages are about auto insurance, some satellite dish offers and
> auto insurance.
>
> Because every message contains URLs to a different (new) website I
> unfortunately am not able to give a more precise description.
>
> How to stop this?
>
> Thanks!!
>

--
Alex Neuman van der Hans
Reliant Technologies
+507 6781-9505
+507 202-1525
alex@rtpty.com
Skype: alexneuman

From mrm at quantumcc.com Thu Jun 4 21:39:28 2009
From: mrm at quantumcc.com (Mike M) Date: Thu Jun 4 21:39:59 2009 Subject: New feature - hostname lookups in rulesets In-Reply-To: References: <4A22AD89.60702@ecs.soton.ac.uk> <24e3d2e40905311241w763c0c2fwdeb910a4e03e4cf7@mail.gmail.com> <4A22E1A4.9060305@ecs.soton.ac.uk> <4A25655C.10608@ecs.soton.ac.uk> Message-ID: Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > On 02/06/2009 17:59, Mike M wrote: >> Julian Field wrote: >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> >>> >>> On 31/05/2009 20:41, Alex Neuman wrote: >>>> Wow! This means we can whitelist (gasp!) *blackberry.com >>>> and things like that! >>> You'll just need to do 
>>> From: host:blackberry.com yes >>> which will do the job. >>>> I suggest you add to the description on the comments on the >>>> MailScanner.conf file that it's imperative - for performance >>>> reasons, besides the fact that it's A Good Idea (tm), that people >>>> run their own local caching nameserver. >>> True enough, I should do that. >>> >> Please forgive my ignorance on this, because I'm sure there's >> something really simple that I'm missing, but how is this any >> different then whitelisting blackberry.com with a line such as: >> >> from: @blackberry.com yes >> >> which I have been doing for many years in my spam.whitelist.rules file? > That uses the "email sender address" which is trivially forgeable by the > sender. It is the email address that the sender claims they are coming > from. They may have their Crackberry set up to send their mail from > joe@mydomain.com, in which case your rule wouldn't fire at all. > > The new "host:blackberry.com" means "match any email address the > originates from an IP address which belongs to the blackberry.com > domain". That is the same thing as asking "does it come from a > Crackberry?" regardless of how that Crackberry is configured, and is far > harder to forge. It is totally unconnected with the email address the > email claims to come from. > > But do take note that it takes longer to look up and therefore will > cause a performance hit. > > Does that help? > > Jules > Yes, thank you. Now the next question is: Are you looking at the envelope sender address, or the header sender address? or both? -Mike From pascal.maes at elec.ucl.ac.be Thu Jun 4 21:47:56 2009 
From: pascal.maes at elec.ucl.ac.be (Pascal Maes) Date: Thu Jun 4 21:48:10 2009 Subject: Whitelist problem In-Reply-To: References: <26734270-761E-46CD-9540-63BFA332D92D@elec.ucl.ac.be> <4A27A5FC.20607@ecs.soton.ac.uk> <4A27DB1E.1010501@ecs.soton.ac.uk> <4A27FA79.7060908@ecs.soton.ac.uk> Message-ID: <0ABB0C3D-EF8B-47BE-8DD8-B8DBCA29F74E@elec.ucl.ac.be> Ok. It works much better. No more "Making attempt" since I have launched the new version Thanks Le 04-juin-09 ? 18:46, Julian Field a ?crit : > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Upgrade to 4.77.10 and this problem will disappear. > > Jules. > > On 04/06/2009 16:35, Pascal Maes wrote: >> That's all I have >> >> ./MailScanner --debug /opt/MailScanner/etc/MailScanner.conf >> In Debugging mode, not forking... >> Trying to setlogsock(unix) >> Building a message batch to scan... >> Have a batch of 100 messages. >> max message size is '90k' >> max message size is '90k' >> Could not reverse 201-76-71-89.flash.tv.br: >> >> >> >> In the logfile, I see : >> >> >> Jun 4 17:30:27 smtp-1 MailScanner[14322]: Making attempt 2 at >> processing message 71D99643FF.00000 >> Jun 4 17:30:27 smtp-1 MailScanner[14322]: Making attempt 6 at >> processing message 934886439E.00000 >> Jun 4 17:30:27 smtp-1 MailScanner[14322]: Making attempt 6 at >> processing message 3C37964413.00000 >> Jun 4 17:30:27 smtp-1 MailScanner[14322]: Making attempt 6 at >> processing message 94349E8D1C.00000 >> Jun 4 17:30:27 smtp-1 MailScanner[14322]: Making attempt 2 at >> processing message 1BAD16441D.00000 >> Jun 4 17:30:28 smtp-1 MailScanner[14322]: Making attempt 6 at >> processing message 58D20E8F2E.00000 >> Jun 4 17:30:28 smtp-1 MailScanner[14322]: Making attempt 6 at >> processing message 30927643FC.00000 >> Jun 4 17:30:28 smtp-1 MailScanner[14322]: Making attempt 6 at >> processing message 57E6B6442C.00000 >> Jun 4 17:30:28 smtp-1 MailScanner[14322]: Making attempt 6 at >> processing message C0192643FD.00000 >> Jun 4 17:30:28 smtp-1 
MailScanner[14322]: Making attempt 6 at >> processing message 304F16442F.00000 >> Jun 4 17:30:28 smtp-1 MailScanner[14322]: Making attempt 5 at >> processing message 7084F64431.00000 >> Jun 4 17:30:28 smtp-1 MailScanner[14322]: Making attempt 5 at >> processing message 18D26E8F94.00000 >> Jun 4 17:30:28 smtp-1 MailScanner[14322]: Making attempt 5 at >> processing message 750E1E8F9B.00000 >> Jun 4 17:30:28 smtp-1 MailScanner[14322]: Making attempt 5 at >> processing message 003C0E8CFD.00000 >> Jun 4 17:30:28 smtp-1 MailScanner[14322]: Making attempt 5 at >> processing message 96163E9000.00000 >> Jun 4 17:30:28 smtp-1 MailScanner[14322]: Making attempt 5 at >> processing message D4BF164434.00000 >> Jun 4 17:30:28 smtp-1 MailScanner[14322]: Making attempt 6 at >> processing message 6A1D964435.00000 >> Jun 4 17:30:28 smtp-1 MailScanner[14322]: Making attempt 5 at >> processing message 8B862E8E68.00000 >> Jun 4 17:30:28 smtp-1 MailScanner[14322]: Making attempt 5 at >> processing message 5BE53E8B4B.00000 >> Jun 4 17:30:28 smtp-1 MailScanner[14322]: New Batch: Found 309 >> messages waiting >> Jun 4 17:30:28 smtp-1 MailScanner[14322]: New Batch: Scanning 100 >> messages, 3511210 bytes >> >> and also >> >> Jun 4 17:30:27 smtp-1 MailScanner[14322]: Warning: skipping message >> 1C914E8AEB.00000 as it has been attempted too many times >> Jun 4 17:30:27 smtp-1 MailScanner[14322]: Quarantined message >> 1C914E8AEB.00000 as it caused MailScanner to crash several times >> >> >> Le 04-juin-09 ? 16:33, Julian Field a ?crit : >> >>> Run "MailScanner --debug" and see what happens. 
>>> >>> On 04/06/2009 14:54, Pascal Maes wrote: >>>> Hello again >>>> >>>> It works better for the spam whitelist but since I have upgraded to >>>> 4.77.9, I have a lot of >>>> >>>> >>>> The following e-mails were found to have: Other Bad Content >>>> Detected >>>> >>>> Sender: n.peiffer@foretwallonne.be >>>> IP Address: 130.104.130.103 >>>> Recipient: jacob@right-ink.com >>>> Subject: demande de prix >>>> MessageID: A6E81EB22E.00000 >>>> Quarantine: /var/spool/MailScanner/quarantine/20090604/A6E81EB22E. >>>> 00000 >>>> Report: MailScanner: Message attempted to kill MailScanner >>>> >>>> >>>> It's a mail with two attachments, >>>> >>>> one tiff : filename=logo_fw.tif >>>> and another pdf : filename="fw97_3-11[arboplant].pdf" >>>> >>>> >>>> >>>> >>>> Le 04-juin-09 ? 12:46, Julian Field a ?crit : >>>> >>>>> Upgrade to 4.77 and you should find it works rather better. >>>>> >>>>> On 04/06/2009 10:41, Pascal Maes wrote: >>>>>> >>>>>> Hello, >>>>>> >>>>>> We are using MailScanner version 4.76.25-1 >>>>>> >>>>>> In MailScanner.conf, I have : >>>>>> >>>>>> Is Definitely Not Spam = %rules-dir%/spam_whitelist.rules >>>>>> >>>>>> and the file spam_whitelist.rules looks like : >>>>>> >>>>>>> more /opt/MailScanner/etc/rules/spam_whitelist.rules >>>>>> # >>>>>> # Addresses matching in here, with the value >>>>>> # "yes" will never be marked as spam. >>>>>> # >>>>>> # >>>>>> >>>>>> From: 85.201.63.77 yes >>>>>> From: 85.201.63.77/32 yes >>>>>> From: user-85-201-63-77.static.tvcablenet.be yes >>>>>> From: host-85-201-63-77.brutele.be yes >>>>>> From: uclsbs.ucl.lan yes >>>>>> From: macosx-tex-bounces@email.esm.psu.edu yes >>>>>> 
>>>>>> From: /opt/MailScanner/etc/rules/whitelist.domains yes >>>>>> >>>>>> FromOrTo: default no >>>>>> >>>>>> >>>>>> >>>>>> The file /opt/MailScanner/etc/rules/whitelist.domains contains >>>>>> lines like >>>>>> >>>>>> *@example.com >>>>>> *@*.example.net >>>>>> user@some.domain.come >>>>>> >>>>>> >>>>>> The following message is comming from the server 85.201.63.77 but >>>>>> it is still tagged as spam. >>>>>> Why ? >>>>>> >>>>>> >>>>>> Received: from uclsbs.ucl.lan (host-85-201-63-77.brutele.be >>>>>> [85.201.63.77]) >>>>>> by smtp1.sgsi.ucl.ac.be (Postfix) with ESMTP id CD3A2E8AE2 for >>>>>> ; Thu, 04 Jun 2009 11:06:51 +0200 >>>>>> (CEST) >>>>>> Date: Thu, 04 Jun 2009 11:06:01 +0200 
>>>>>> From: Veronique Maekelbergh >>>>>> Subject: {Spam?} Test mail >>>>>> To: zzz@yyy.be >>>>>> Message-id: <78AEBC3D06BBD9428F6FC4FAB44118A71776E4@uclsbs.ucl.lan >>>>>> > >>>>>> MIME-version: 1.0 >>>>>> X-MIMEOLE: Produced By Microsoft Exchange V6.5 >>>>>> Content-type: multipart/alternative; >>>>>> boundary="Boundary_(ID_kDFY1PEdH5W0kqHpMhDt8A)" >>>>>> Content-class: urn:content-classes:message >>>>>> Thread-topic: Test mail >>>>>> Thread-index: Acnk866wOLlTbHdkQg+C6WRoBjqwuA== >>>>>> X-SGSI-DNSWL: No >>>>>> X-MS-Has-Attach: >>>>>> X-MS-TNEF-Correlator: >>>>>> X-Virus-Scanned: clamav-milter 0.95.1 >>>>>> X-Virus-Status: Clean >>>>>> X-SGSI-MailScanner-ID: CD3A2E8AE2.00000 >>>>>> X-SGSI-MailScanner: Found to be clean >>>>>> X-SGSI-SpamCheck: polluriel, SpamAssassin (not cached, >>>>>> score=5.812, requis 5, >>>>>> BAYES_00 -1.60, BOTNET 3.00, HELO_LH_HOME 3.71, HTML_MESSAGE >>>>>> 0.00, >>>>>> RDNS_DYNAMIC 0.10, SPF_SOFTFAIL 0.60) >>>>>> X-SGSI-Spam-Score: sssss >>>>>> >>>>>> >>>>>> >>>>>> Thanks >>>>> >>>>> Jules >>>>> >>>>> -- >>>>> Julian Field MEng CITP CEng >>>>> www.MailScanner.info >>>>> Buy the MailScanner book at www.MailScanner.info/store >>>>> >>>>> Need help customising MailScanner? >>>>> Contact me! >>>>> Need help fixing or optimising your systems? >>>>> Contact me! >>>>> Need help getting you started solving new requirements from your >>>>> boss? >>>>> Contact me! >>>>> >>>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >>>>> Follow me at twitter.com/JulesFM and twitter.com/MailScanner >>>>> >>>>> >>>>> -- >>>>> This message has been scanned for viruses and >>>>> dangerous content by MailScanner, and is >>>>> believed to be clean. >>>>> >>>>> -- >>>>> MailScanner mailing list >>>>> mailscanner@lists.mailscanner.info >>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>>>> >>>>> Before posting, read http://wiki.mailscanner.info/posting >>>>> >>>>> Support MailScanner development - buy the book off the website! 
>>>> >>> >>> Jules >>> >>> -- >>> Julian Field MEng CITP CEng >>> www.MailScanner.info >>> Buy the MailScanner book at www.MailScanner.info/store >>> >>> Need help customising MailScanner? >>> Contact me! >>> Need help fixing or optimising your systems? >>> Contact me! >>> Need help getting you started solving new requirements from your >>> boss? >>> Contact me! >>> >>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >>> Follow me at twitter.com/JulesFM and twitter.com/MailScanner >>> >>> >>> -- >>> This message has been scanned for viruses and >>> dangerous content by MailScanner, and is >>> believed to be clean. >>> >>> -- >>> MailScanner mailing list >>> mailscanner@lists.mailscanner.info >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>> >>> Before posting, read http://wiki.mailscanner.info/posting >>> >>> Support MailScanner development - buy the book off the website! >> > > Jules > > - -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > Follow me at twitter.com/JulesFM > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > PGP public key: http://www.jules.fm/julesfm.asc > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.10.0 (Build 500) > Comment: Use PGP or Thunderbird Enigmail to verify this message > Charset: ISO-8859-1 > > wj8DBQFKJ/p7EfZZRxQVtlQRAgZnAKDE4hQ5iWPLgfjvzKAd2+8PQdTuvQCfeABW > u5ZJR5LxJvlqJyIfkHRm768= > =PMOQ > -----END PGP SIGNATURE----- > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
-- Pascal -- Pascal From MailScanner at ecs.soton.ac.uk Thu Jun 4 21:52:12 2009 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jun 4 21:52:35 2009 Subject: New feature - hostname lookups in rulesets In-Reply-To: References: <4A22AD89.60702@ecs.soton.ac.uk> <24e3d2e40905311241w763c0c2fwdeb910a4e03e4cf7@mail.gmail.com> <4A22E1A4.9060305@ecs.soton.ac.uk> <4A25655C.10608@ecs.soton.ac.uk> <4A2833FC.9040108@ecs.soton.ac.uk> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 04/06/2009 21:39, Mike M wrote: > Julian Field wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> >> >> On 02/06/2009 17:59, Mike M wrote: >>> Julian Field wrote: >>>> -----BEGIN PGP SIGNED MESSAGE----- >>>> Hash: SHA1 >>>> >>>> >>>> >>>> On 31/05/2009 20:41, Alex Neuman wrote: >>>>> Wow! This means we can whitelist (gasp!) *blackberry.com >>>>> and things like that! >>>> You'll just need to do 
>>>> From: host:blackberry.com yes >>>> which will do the job. >>>>> I suggest you add to the description on the comments on the >>>>> MailScanner.conf file that it's imperative - for performance >>>>> reasons, besides the fact that it's A Good Idea (tm), that people >>>>> run their own local caching nameserver. >>>> True enough, I should do that. >>>> >>> Please forgive my ignorance on this, because I'm sure there's >>> something really simple that I'm missing, but how is this any >>> different then whitelisting blackberry.com with a line such as: >>> >>> from: @blackberry.com yes >>> >>> which I have been doing for many years in my spam.whitelist.rules file? >> That uses the "email sender address" which is trivially forgeable by >> the sender. It is the email address that the sender claims they are >> coming from. They may have their Crackberry set up to send their mail >> from joe@mydomain.com, in which case your rule wouldn't fire at all. >> >> The new "host:blackberry.com" means "match any email address the >> originates from an IP address which belongs to the blackberry.com >> domain". That is the same thing as asking "does it come from a >> Crackberry?" regardless of how that Crackberry is configured, and is >> far harder to forge. It is totally unconnected with the email address >> the email claims to come from. >> >> But do take note that it takes longer to look up and therefore will >> cause a performance hit. >> >> Does that help? >> >> Jules >> > > Yes, thank you. Now the next question is: Are you looking at the > envelope sender address, or the header sender address? or both? MailScanner has always used the envelope addresses, not the headers. The envelope recipient address is the only one that is sure to be right. Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Follow me at twitter.com/JulesFM MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.10.0 (Build 500) Comment: Use PGP or Thunderbird Enigmail to verify this message Charset: ISO-8859-1 wj8DBQFKKDP9EfZZRxQVtlQRApksAKCVeKdFvHivMEihK4J89Xowp4nTtgCaA3Rc yiEbUNvbyMMdcGGSxGNCYlg= =1/2/ -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ssilva at sgvwater.com Thu Jun 4 22:41:30 2009 
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Jun 4 22:41:50 2009 Subject: How to stop certain spam? In-Reply-To: References: Message-ID: on 6-4-2009 1:27 AM Remco Barendse spake the following: > We are getting flooded with messages from one particular advertiser. The > send dozens of messages each day, all in similar format, a few lines of > invisible text and some images with their spam crap. > > On the right side in the image i often get some crap message like : > Sorry, this advertiser is not available > > The messages hardly score on Bayes and they are never caught by the > blocklists i use bl.spamcop.net cbl.abuseat.org dnsbl.njabl.org > chinanet.blackholes.us zen.spamhaus.org > > The messages usually are awarded some points for DCC and Razor2 checks. > > There is always some USA postal address written at the bottom. > > A lot of messages are about auto insurance, some satellite dish offers > and auto insurance. > > Because every message contains url's to a different (new) website i > unfortunately am not able to give a more precise description. > > How to stop this? > > Thanks!! If you pastebin some complete samples, we would happily run them against our systems and see if we hit with something. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 258 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090604/18469ad9/signature.bin From steve.freegard at fsl.com Thu Jun 4 23:13:21 2009 
From: steve.freegard at fsl.com (Steve Freegard) Date: Thu Jun 4 23:13:31 2009 Subject: Performance numbers for a DELL R710 In-Reply-To: <3e1809420906041225i288eb2b3re0dd8bcadde4cc59@mail.gmail.com> References: <3e1809420906020958j4f6123davadbc34501cfe7577@mail.gmail.com> <72cf361e0906021147u760c5c9fie8f808fc990a01c0@mail.gmail.com> <3e1809420906022042y1cb3174ap7405a4446d31524@mail.gmail.com> <72cf361e0906030058y50e8a7e5xa297c7910196a5ce@mail.gmail.com> <3e1809420906030140j18d242a9lc507cdb30d4e25c6@mail.gmail.com> <24e3d2e40906030719v50a4d20eo36cc987580e23079@mail.gmail.com> <4A27C036.7010707@fsl.com> <3e1809420906040554x86193cdq6660bca31be82986@mail.gmail.com> <4A27CEBF.10101@fsl.com> <3e1809420906041225i288eb2b3re0dd8bcadde4cc59@mail.gmail.com> Message-ID: <4A284701.6080300@fsl.com> Zaeem Arshad wrote: > I have had good results so far with XFS. I am willing to give NILFS a > spin. Anyone else can vouch for it? Being as it's not even properly in the kernel yet - I doubt it. It will be in 2.6.30 when it is released. > Every last bit of performance that can be extracted from a system matters. I rate reliability over performance - particularly on a production mail system and especially when it comes to filesystems. Which is exactly why I'd stick with ext3 on Linux. Regards, Steve. From marc at marcsnet.com Fri Jun 5 01:11:46 2009 From: marc at marcsnet.com (Marc Lucke) Date: Fri Jun 5 01:12:09 2009 Subject: scan.messages.rules From: 192.168. no not working In-Reply-To: <4947F831.7040402@di.unito.it> References: <9ABB9BF8-F032-4DB9-A212-E4B8DBE2D6B5@rtpty.com> <4947F831.7040402@di.unito.it> Message-ID: <4A2862C2.2040100@marcsnet.com> /etc/MailScanner/MailScanner.conf Scan Messages = %rules-dir%/scan.messages.rules Read IP Address From Received Header = no /etc/MailScanner/rules/scan.messages.rules 
From: 192.168. no FromOrTo: default yes MailScanner restarted. My understanding is that MailScanner should not scan anything coming from an ip address beginning with 192.168. (=192.168.0.0/16). There is no error when restarting MailScanner. This ruleset is not working. Specifically I am attempting to resend (using Thunderbird's resend feature) HAM which was picked up as spam. Can anyone tell me why my ruleset is not working? Is my understanding of the functionality correct? How can I achieve what I'm trying to do? I have looked through the lists but I've not found anything specifically helpful. Marc From zaeem.arshad at gmail.com Fri Jun 5 04:43:12 2009 
From: zaeem.arshad at gmail.com (Zaeem Arshad) Date: Fri Jun 5 04:43:22 2009 Subject: Performance numbers for a DELL R710 In-Reply-To: <4A284701.6080300@fsl.com> References: <3e1809420906020958j4f6123davadbc34501cfe7577@mail.gmail.com> <3e1809420906022042y1cb3174ap7405a4446d31524@mail.gmail.com> <72cf361e0906030058y50e8a7e5xa297c7910196a5ce@mail.gmail.com> <3e1809420906030140j18d242a9lc507cdb30d4e25c6@mail.gmail.com> <24e3d2e40906030719v50a4d20eo36cc987580e23079@mail.gmail.com> <4A27C036.7010707@fsl.com> <3e1809420906040554x86193cdq6660bca31be82986@mail.gmail.com> <4A27CEBF.10101@fsl.com> <3e1809420906041225i288eb2b3re0dd8bcadde4cc59@mail.gmail.com> <4A284701.6080300@fsl.com> Message-ID: <3e1809420906042043y4d7f36c4w8a13da0eff96164f@mail.gmail.com> On Fri, Jun 5, 2009 at 4:13 AM, Steve Freegard wrote: > > > > Every last bit of performance that can be extracted from a system > matters. > > I rate reliability over performance - particularly on a production mail > system and especially when it comes to filesystems. Which is exactly > why I'd stick with ext3 on Linux. > In that case XFS, JFS or Reiser will be a better choice than Ext3. Ext3 has been very very slow compared with XFS on my mailstores and spools. -- Zaeem -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090605/5ee6839d/attachment.html From maxsec at gmail.com Fri Jun 5 08:06:41 2009 
From: maxsec at gmail.com (Martin Hepworth) Date: Fri Jun 5 08:06:49 2009 Subject: Performance numbers for a DELL R710 In-Reply-To: <4A284701.6080300@fsl.com> References: <3e1809420906020958j4f6123davadbc34501cfe7577@mail.gmail.com> <3e1809420906022042y1cb3174ap7405a4446d31524@mail.gmail.com> <72cf361e0906030058y50e8a7e5xa297c7910196a5ce@mail.gmail.com> <3e1809420906030140j18d242a9lc507cdb30d4e25c6@mail.gmail.com> <24e3d2e40906030719v50a4d20eo36cc987580e23079@mail.gmail.com> <4A27C036.7010707@fsl.com> <3e1809420906040554x86193cdq6660bca31be82986@mail.gmail.com> <4A27CEBF.10101@fsl.com> <3e1809420906041225i288eb2b3re0dd8bcadde4cc59@mail.gmail.com> <4A284701.6080300@fsl.com> Message-ID: <72cf361e0906050006t1ddc2983u7c2742b858e4c464@mail.gmail.com> 2009/6/4 Steve Freegard : > Zaeem Arshad wrote: >> I have had good results so far with XFS. I am willing to give NILFS a >> spin. Anyone else can vouch for it? > > Being as it's not even properly in the kernel yet - I doubt it. It will > be in 2.6.30 when it is released. > >> Every last bit of performance that can be extracted from a system matters. > > I rate reliability over performance - particularly on a production mail > system and especially when it comes to filesystems. Which is exactly > why I'd stick with ext3 on Linux. > > Regards, > Steve. > Not to mention Ext3 writes the data anywhere up to 30 secs AFTER the metadata. I've seen several machines get in a nasty state when this has happened and the filesystem got itself in a real mess. Works fine most of the time, but when it goes wrong, boy it goes wrong. -- Martin Hepworth Oxford, UK From MailScanner at ecs.soton.ac.uk Fri Jun 5 10:22:17 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Jun 5 10:22:41 2009 Subject: scan.messages.rules From: 192.168. no not working In-Reply-To: <4A2862C2.2040100@marcsnet.com> References: <9ABB9BF8-F032-4DB9-A212-E4B8DBE2D6B5@rtpty.com> <4947F831.7040402@di.unito.it> <4A2862C2.2040100@marcsnet.com> <4A28E3C9.7060900@ecs.soton.ac.uk> Message-ID: And I bet you are using 4.76 and Postfix. In which case, upgrade to 4.77 :-) On 05/06/2009 01:11, Marc Lucke wrote: > /etc/MailScanner/MailScanner.conf > > Scan Messages = %rules-dir%/scan.messages.rules > Read IP Address From Received Header = no > > > /etc/MailScanner/rules/scan.messages.rules > > From: 192.168. no > FromOrTo: default yes > > > MailScanner restarted. > > My understanding is that MailScanner should not scan anything coming > from an ip address beginning with 192.168. (=192.168.0.0/16). There > is no error when restarting MailScanner. This ruleset is not > working. Specifically I am attempting to resend (using Thunderbird's > resend feature) HAM which was picked up as spam. > > Can anyone tell me why my ruleset is not working? Is my understanding > of the functionality correct? How can I achieve what I'm trying to do? > > I have looked through the lists but I've not found anything > specifically helpful. > > > Marc > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From jase at sensis.com Fri Jun 5 16:47:15 2009 
From: jase at sensis.com (Desai, Jason) Date: Fri Jun 5 16:53:26 2009 Subject: New feature - hostname lookups in rulesets In-Reply-To: References: <4A22AD89.60702@ecs.soton.ac.uk> Message-ID: <1951DC816E1A9F469307B05FA183F43801A24BD6@corpatsmail1.corp.sensis.com> > -----Original Message----- > > I have just added a new feature which I hope you will find useful. > It struck me that it has always been really awkward to have to use IP > addresses in the "From:" lines in rulesets, and wouldn't it be a lot > easier to be able to use hostnames or domain names, with wildcards, and > stuff like that. > > So now you can. > > You just put "host:" at the start of the hostname or domain name (or > wildcard or regexp or whatever) and it matches it against the hostname > of the SMTP client that sent the message to MailScanner. > > So you can now do rules such as these: > > From: host:localhost.localdomain yes > From: host:mail.mydomain.com yes > From: host:mailgate*.soton.ac.uk yes > From: host:soton.ac.uk yes > From: host:ac.uk yes > From: host:example.* yes 
> From: host:/\.(de|dk|es)$/ yes > > and all sorts of things like that. Do you do any checking of the host name? For example, it would be trivial for someone who controls DNS for a range of IPs to set their PTR records to whatever they wish. To make it a little more difficult to abuse, I'd suggest doing an A lookup and verifying that the IP of the name matches the IP that the mail came from. It will require a few more lookups and logic, but I would think it's worth it. Of course, not all domains have matching PTR and A records. Maybe make this additional check optional? I just don't want to see this get abused. Jase This message is intended only for the addressee and may contain information that is company confidential or privileged. Any technical data in this message may be exported only in accordance with the U.S. International Traffic in Arms Regulations (22 CFR Parts 120-130) or the Export Administration Regulations (15 CFR Parts 730-774). Unauthorized use is strictly prohibited and may be unlawful. If you are not the intended recipient, or the person responsible for delivering to the intended recipient, you should not read, copy, disclose or otherwise use this message. If you have received this email in error, please delete it, and advise the sender immediately. From jase at sensis.com Fri Jun 5 16:52:41 2009 
From: jase at sensis.com (Desai, Jason) Date: Fri Jun 5 16:56:45 2009 Subject: New feature - hostname lookups in rulesets References: <4A22AD89.60702@ecs.soton.ac.uk> Message-ID: <1951DC816E1A9F469307B05FA183F43801A24BD7@corpatsmail1.corp.sensis.com> > Do you do any checking of the host name? For example, it would be > trivial for someone who controls DNS for a range of IPs to set their > PTR records to whatever they wish. To make it a little more difficult > to abuse, I'd suggest doing an A lookup and verifying that the IP of > the name matches the IP that the mail came from. It will require a few > more lookups and logic, but I would think it's worth it. Of course, > not all domains have matching PTR and A records. Maybe make this > additional check optional? I just don't want to see this get abused. Never mind. Looks like you've already done something like this. I should finish catching up on the list before replying ... Jase From rlopezcnm at gmail.com Fri Jun 5 17:52:02 2009
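
The check discussed in the two messages above (a PTR lookup followed by an A lookup that must map back to the connecting IP) and the earlier point that a `host:` rule is only as trustworthy as the reverse DNS behind it, as an added Python example. It is not MailScanner's code: the pattern matcher is a simplified reading of the `host:` examples in the announcement, and the function names and DNS tables are constructed for illustration.

```python
import fnmatch
import ipaddress
import re
import socket


def ptr_names(ip):
    """Reverse (PTR) lookup: names published by whoever controls the IP's reverse zone."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name] + list(aliases)


def forward_ips(name):
    """Forward (A/AAAA) lookup: addresses published by whoever controls the name's zone."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(name, None)]
    except (OSError, UnicodeError):
        return []


def confirmed_hostnames(ip, reverse=ptr_names, forward=forward_ips):
    """Return only the PTR names whose forward lookup includes the client IP."""
    client = ipaddress.ip_address(ip)
    confirmed = []
    for raw in reverse(ip):
        name = raw.rstrip(".").lower()
        for addr in forward(name):
            try:
                if ipaddress.ip_address(addr.split("%")[0]) == client:
                    confirmed.append(name)
                    break
            except ValueError:
                continue  # not a plain IP literal, ignore it
    return confirmed


def host_pattern_matches(pattern, hostname):
    """Simplified matcher (an assumption, not MailScanner's logic):
    /regex/, shell-style wildcard, or exact name / parent domain."""
    if pattern.startswith("host:"):
        pattern = pattern[len("host:"):]
    hostname = hostname.rstrip(".").lower()
    if len(pattern) > 1 and pattern.startswith("/") and pattern.endswith("/"):
        try:
            return re.search(pattern[1:-1], hostname, re.IGNORECASE) is not None
        except re.error:
            return False  # an invalid regex never matches
    pattern = pattern.lower()
    if "*" in pattern:
        return fnmatch.fnmatchcase(hostname, pattern)
    return hostname == pattern or hostname.endswith("." + pattern)


def host_rule_fires(pattern, ip, reverse=ptr_names, forward=forward_ips):
    """A host: rule fires only on a forward-confirmed name of the client IP."""
    return any(host_pattern_matches(pattern, name)
               for name in confirmed_hostnames(ip, reverse, forward))


# Constructed DNS data (documentation address ranges), so the example runs offline.
CONSTRUCTED_PTR = {
    "192.0.2.10": ["mailgate3.soton.ac.uk."],
    # PTR chosen by whoever runs the reverse zone for this address:
    "203.0.113.66": ["mail.blackberry.com"],
}
CONSTRUCTED_A = {
    "mailgate3.soton.ac.uk": ["192.0.2.10"],
    # The name's own zone points somewhere else, so the PTR is unconfirmed:
    "mail.blackberry.com": ["198.51.100.5"],
}


def constructed_reverse(ip):
    return CONSTRUCTED_PTR.get(ip, [])


def constructed_forward(name):
    return CONSTRUCTED_A.get(name, [])


if __name__ == "__main__":
    for rule, ip in [("host:mailgate*.soton.ac.uk", "192.0.2.10"),
                     ("host:blackberry.com", "203.0.113.66")]:
        fired = host_rule_fires(rule, ip, constructed_reverse, constructed_forward)
        print(f"{rule:30} {ip:15} fires={fired}")
```

With the default resolver arguments the same functions query live DNS, which is where the local caching nameserver recommended earlier in the thread matters.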
From: rlopezcnm at gmail.com (Robert Lopez) Date: Fri Jun 5 17:52:12 2009 Subject: MaiScanner --debug hangs Message-ID: I am in the process of testing an install of MailScanner 4.77.6 installed on a test gateway. Email is flowing in and out of the gateway but nothing seems to be stopped or tagged when it should. I just tried the "--debug" option... # MailScanner --debug In Debugging mode, not forking... Trying to setlogsock(unix) Building a message batch to scan... and the maillog file says: Jun 5 10:33:22 mg04 MailScanner[5063]: MailScanner E-Mail Virus Scanner version 4.77.6 starting... Jun 5 10:33:22 mg04 MailScanner[5063]: Read 854 hostnames from the phishing whitelist Jun 5 10:33:22 mg04 MailScanner[5063]: Read 10149 hostnames from the phishing blacklists Jun 5 10:33:22 mg04 MailScanner[5063]: Using SpamAssassin results cache Jun 5 10:33:22 mg04 MailScanner[5063]: Connected to SpamAssassin cache database Jun 5 10:33:22 mg04 MailScanner[5063]: Enabling SpamAssassin auto-whitelist functionality... Jun 5 10:33:23 mg04 MailScanner[5063]: I have found clamavmodule scanners installed, and will use them all by default. Jun 5 10:33:23 mg04 MailScanner[5063]: Connected to processing-messages database Jun 5 10:33:23 mg04 MailScanner[5063]: Found 0 messages in the processing-messages database Jun 5 10:33:23 mg04 MailScanner[5063]: Using locktype = flock Then nothing more happens. Is the processing-messages database missing? Is it the SpamAssassin cache database? Or part of clamav? -- Robert Lopez Unix Systems Administrator Central New Mexico Community College (CNM) 525 Buena Vista SE Albuquerque, New Mexico 87106 From ssilva at sgvwater.com Fri Jun 5 22:35:48 2009
From: ssilva at sgvwater.com (Scott Silva) Date: Fri Jun 5 22:36:20 2009 Subject: MaiScanner --debug hangs In-Reply-To: References: Message-ID: on 6-5-2009 9:52 AM Robert Lopez spake the following: > I am in the process of testing an install of MailScanner 4.77.6 > installed on a test gateway. > Email is flowing in and out of the gateway but nothing seems to be > stopped or tagged when it should. > I just tried the "--debug" option... > > # MailScanner --debug > In Debugging mode, not forking... > Trying to setlogsock(unix) > Building a message batch to scan... > > and the maillog file says: > Jun 5 10:33:22 mg04 MailScanner[5063]: MailScanner E-Mail Virus > Scanner version 4.77.6 starting... > Jun 5 10:33:22 mg04 MailScanner[5063]: Read 854 hostnames from the > phishing whitelist > Jun 5 10:33:22 mg04 MailScanner[5063]: Read 10149 hostnames from the > phishing blacklists > Jun 5 10:33:22 mg04 MailScanner[5063]: Using SpamAssassin results cache > Jun 5 10:33:22 mg04 MailScanner[5063]: Connected to SpamAssassin > cache database > Jun 5 10:33:22 mg04 MailScanner[5063]: Enabling SpamAssassin > auto-whitelist functionality... > Jun 5 10:33:23 mg04 MailScanner[5063]: I have found clamavmodule > scanners installed, and will use them all by default. > Jun 5 10:33:23 mg04 MailScanner[5063]: Connected to > processing-messages database > Jun 5 10:33:23 mg04 MailScanner[5063]: Found 0 messages in the > processing-messages database > Jun 5 10:33:23 mg04 MailScanner[5063]: Using locktype = flock > > Then nothing more happens. > > Is the processing-messages database missing? is it the SpamAssassin > cache database? or part of clamav? > Based on the limited info you gave -- maybe... What MTA? What instructions did you follow to set it up? Did you double check those instructions to make sure you didn't miss a step? What did you install from? Where did you get all the related files like spamassassin and Clamav?
Also which OS, and some system details like number of processors and total ram would also help. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 258 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090605/589c0ca2/signature.bin From steve.freegard at fsl.com Sat Jun 6 00:32:51 2009 
From: steve.freegard at fsl.com (Steve Freegard) Date: Sat Jun 6 00:33:03 2009 Subject: MaiScanner --debug hangs In-Reply-To: References: Message-ID: <4A29AB23.1040200@fsl.com> Robert Lopez wrote: > I am in the process of testing an install of MailScanner 4.77.6 > installed on a test gateway. > Email is flowing in and out of the gateway but nothing seems to be > stopped or tagged when it should. > I just tried the "--debug" option... > > # MailScanner --debug > In Debugging mode, not forking... > Trying to setlogsock(unix) > Building a message batch to scan... > > and the maillog file says: > Jun 5 10:33:22 mg04 MailScanner[5063]: MailScanner E-Mail Virus > Scanner version 4.77.6 starting... > Jun 5 10:33:22 mg04 MailScanner[5063]: Read 854 hostnames from the > phishing whitelist > Jun 5 10:33:22 mg04 MailScanner[5063]: Read 10149 hostnames from the > phishing blacklists > Jun 5 10:33:22 mg04 MailScanner[5063]: Using SpamAssassin results cache > Jun 5 10:33:22 mg04 MailScanner[5063]: Connected to SpamAssassin > cache database > Jun 5 10:33:22 mg04 MailScanner[5063]: Enabling SpamAssassin > auto-whitelist functionality... > Jun 5 10:33:23 mg04 MailScanner[5063]: I have found clamavmodule > scanners installed, and will use them all by default. > Jun 5 10:33:23 mg04 MailScanner[5063]: Connected to > processing-messages database > Jun 5 10:33:23 mg04 MailScanner[5063]: Found 0 messages in the > processing-messages database > Jun 5 10:33:23 mg04 MailScanner[5063]: Using locktype = flock > > Then nothing more happens. > > Is the processing-messages database missing? is it the SpamAssassin > cache database? or part of clamav? > None of the above; when you run in debug mode a single MailScanner child starts up and waits for messages; if you've stopped your inbound MTA then it will just sit there waiting as you have found.
Try (modify to suit your OS):

/etc/init.d/MailScanner stop
/etc/init.d/MailScanner startin
/etc/init.d/MailScanner startout
MailScanner --debug

Regards, Steve.

From ajos1 at onion.demon.co.uk Sat Jun 6 01:34:29 2009 From: ajos1 at onion.demon.co.uk (ajos1 at onion) Date: Sat Jun 6 00:34:43 2009 Subject: Suggestion for /usr/lib/MailScanner/mcafee-autoupdate Message-ID: - I have just noticed that one of my machines has not updated its McAfee Dat Files for 7 weeks. The reason for this was that "/usr/lib/MailScanner/mcafee-autoupdate" tries to do this:

wget --tries=1 --waitretry=300 --passive-ftp http://download.nai.com/products/datfiles/4.x/nai/update.ini

It was returning a file dated 16th April 2009. The reason for this was that the machine was going through a proxy server. Is it possible to put "--no-cache" onto the wget command to avoid this in future? Thanks, Ajos1

From pumzika at gmail.com Sat Jun 6 01:51:28 2009
From: pumzika at gmail.com (Steve Barnes) Date: Sat Jun 6 01:51:38 2009 Subject: SA+MS miss spam, scored with 0.00. Message-ID: <76f60d7e0906051751o3cd151c3g4945ea0fbb32bae8@mail.gmail.com> Hi MS 4.77.7 SA 3.2.5 Postfix 2.6.0 FreeBSD 7.2 I'm trying to understand why MS and SA missed a spam the first time round (scored with 0.00). Resubmitting from quarantine as root with: spamassassin -x -D < /var/spool/MailScanner/quarantine/20090605/nonspam/8F54D11485.A3CE1 it was scored at 11.2. I don't believe it's a case of online checks "catching up" since the majority of rules that matched 2nd time round aren't time-related: pts rule name description ---- ---------------------- -------------------------------------------------- 1.8 SUBJ_ALL_CAPS Subject is all capitals 1.6 MISSING_HEADERS Missing To: header 1.4 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/) 1.5 MSGID_FROM_MTA_HEADER Message-Id was added by a relay 0.7 MSOE_MID_WRONG_CASE MSOE_MID_WRONG_CASE 4.2 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook Even without DCC_CHECK, it should have scored 9.8. The SA report contains: not spam, SpamAssassin (not cached, score=0, required 6, autolearn=) I keep seeing this "autolearn=)" truncation in cases where spam is missed. Can anyone else confirm seeing it in their maillog? Otherwise, MS + SA are catching 99% of the other spams coming in. I've included the corresponding maillog entry at the bottom of this message. 
Thanks Steve ------------- Jun 5 21:45:57 mail postfix/smtpd[17839]: connect from proxy1.bredband.net[195.54.101.71] Jun 5 21:45:58 mail postfix/smtpd[17839]: 8F54D11485: client=proxy1.bredband.net[195.54.101.71] Jun 5 21:45:59 mail postfix/cleanup[17849]: 8F54D11485: hold: header Received: from proxy1.bredband.net (proxy1.bredband.net [195.54.101.71])??by mail.domain.com (Postfix) with ESMTP id 8F54D11485??for ; Fri, 5 Jun 2009 21:45:58 +0300 (EAT) from proxy1.bredband.net[195.54.101.71]; from= to= proto=ESMTP helo= Jun 5 21:45:59 mail postfix/cleanup[17849]: 8F54D11485:message-id=<70dols$ft7kqn@ironport1.bredband.com> Jun 5 21:46:45 mail postfix/smtpd[17839]: disconnect from proxy1.bredband.net[195.54.101.71] Jun 5 21:46:49 mail MailScanner[17743]: New Batch: Scanning 1 messages, 1977 bytes Jun 5 21:46:49 mail MailScanner[17743]: Expired 3 records from the SpamAssassin cache Jun 5 21:47:09 mail MailScanner[17743]: Virus and Content Scanning: Starting Jun 5 21:47:09 mail MailScanner[17743]: Requeue: 8F54D11485.A3CE1 to 855B7116D3 Jun 5 21:47:09 mail postfix/qmgr[772]: 855B7116D3: from=, size=1299, nrcpt=1 (queue active) Jun 5 21:47:09 mail MailScanner[17743]: Uninfected: Delivered 1 messages Jun 5 21:47:09 mail MailScanner[17743]: Deleted 1 messages from processing-database Jun 5 21:47:09 mail MailScanner[17743]: Logging message 8F54D11485.A3CE1 to SQL Jun 5 21:47:09 mail MailScanner[17745]: 8F54D11485.A3CE1: Logged to MailWatch SQL Jun 5 21:47:09 mail postfix/smtp[17856]: 855B7116D3:to=, relay=192.168.0.15[192.168.0.15]:30025, delay=71,delays=71/0.02/0.11/0.12, dsn=2.0.0, status=sent (250 Ok, message saved ) Jun 5 21:47:09 mail postfix/qmgr[772]: 855B7116D3: removed From simon at kmun.gov.kw Sat Jun 6 11:55:21 2009 
From: simon at kmun.gov.kw (Benedict simon) Date: Sat Jun 6 11:32:06 2009 Subject: upgrade error Message-ID: <9752a9b2789d041644f8941ea156f186.squirrel@webmail.baladia.gov.kw> Dear All, I have the following setup running fine for about a year or so on a single server. Centos 5 (final) DNS bind-9.3.4-6.0.2.P1.el5_2 as my DNS server sendmail-8.13.8-2.el5 as my mail server MailScanner ver 4.66.5 jules easy package Clam-0.92-SA-3.2.4 pyzor-0.4.0 razor-agents-2.84 httpd-2.2.3-11.el5_1 All the above is working fine. Now I wanted to upgrade my Centos to the latest (5.3) with yum upgrade, but when I ran the command yum would not finish; it gave errors as below ----------- file /usr/lib/perl5/5.8.8/Math/BigFloat.pm from install of >>> perl-5.8.8-18.el5_3.1 conflicts with file from package >>> perl-Math-BigInt-1.86-1 -------- Googling around I found these errors are caused by 3rd party perl modules being installed, which I guess are from the MS installation, since I downloaded the MS package from the MailScanner site and ran the install.sh script. -- Right now I have downloaded the latest MS from the MS site and also the latest SpamAssassin ClamAV jules package and installed as per the upgrade instructions, and everything is perfect and working great. ---- But I need to upgrade my OS to 5.3. I appreciate any help and suggestions. Is there any way I could upgrade the OS bypassing these errors? regards simon - Network ADMIN ------------- KUWAIT MUNICIPALITY: -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From marc at marcsnet.com Sat Jun 6 13:23:39 2009 From: marc at marcsnet.com (Marc Lucke) Date: Sat Jun 6 13:23:59 2009 Subject: scan.messages.rules
From: 192.168. no not working In-Reply-To: References: <9ABB9BF8-F032-4DB9-A212-E4B8DBE2D6B5@rtpty.com> <4947F831.7040402@di.unito.it> <4A2862C2.2040100@marcsnet.com> <4A28E3C9.7060900@ecs.soton.ac.uk> Message-ID: <4A2A5FCB.6010101@marcsnet.com> Nope. Now running mailscanner-4.77.10-1 No effect. Julian Field wrote: > And I bet you are using 4.76 and Postfix. In which case, upgrade to > 4.77 :-) > > On 05/06/2009 01:11, Marc Lucke wrote: >> /etc/MailScanner/MailScanner.conf >> >> Scan Messages = %rules-dir%/scan.messages.rules >> Read IP Address From Received Header = no >> >> >> /etc/MailScanner/rules/scan.messages.rules >> >> From: 192.168. no >> FromOrTo: default yes >> >> >> MailScanner restarted. >> >> My understanding is that MailScanner should not scan anything coming >> from an ip address beginning with 192.168. (=192.168.0.0/16). There >> is no error when restarting MailScanner. This ruleset is not >> working. Specifically I am attempting to resend (using Thunderbird's >> resend feature) HAM which was picked up as spam. >> >> Can anyone tell me why my ruleset is not working? Is my >> understanding of the functionality correct? How can I achieve what >> I'm trying to do? >> >> I have looked through the lists but I've not found anything >> specifically helpful. >> >> >> Marc >> >> > > Jules > From ljosnet at gmail.com Sat Jun 6 21:52:13 2009 
From: ljosnet at gmail.com (Ljósnet) Date: Sat Jun 6 21:52:23 2009 Subject: Any chance of blocking these? Message-ID: <910ee2ac0906061352g6d7fda6t5b2233e7caaf3dc@mail.gmail.com> Hello, I have a small problem with a few MS Exchange servers that are infected with some kind of virus/trojan. They are sending mail through my gateway which is fine, but I need to be able to stop them from sending mail which doesn't have any valid address in the from=< > field until I get the system administrator to clean their server. In the maillog it looks like this: sendmail[12542]: n56Ki9EY012542: from=<>, size=23860, class=0, nrcpts=1, msgid=, proto=ESMTP, daemon=MTA, relay=[10.101.45.50] Is it possible to somehow stop servers/clients from being able to send through my gateway when there is no valid from= address? Thanks! From seven at seven.dorksville.net Sat Jun 6 23:37:54 2009
From: seven at seven.dorksville.net (Anthony Giggins) Date: Sat Jun 6 23:38:38 2009 Subject: upgrade error In-Reply-To: <9752a9b2789d041644f8941ea156f186.squirrel@webmail.baladia.gov.kw> References: <9752a9b2789d041644f8941ea156f186.squirrel@webmail.baladia.gov.kw> Message-ID: Just download the Rpms and rpm -Uvh --force you'll also find the rpms in /var/cache/yum Cheers Anthony Sent from my iPhone On 06/06/2009, at 8:55 PM, "Benedict simon" wrote: > > Dear All, > > I Have the following setup running fine for about a year or so on a > single server. > Centos 5 (final) > DNS bind-9.3.4-6.0.2.P1.el5_2 as my DNS server > sendmail-8.13.8-2.el5 as my mail server > MailScanner ver 4.66.5 > jules easy package Clam-0.92-SA-3.2.4 > pyzor-0.4.0 > razor-agents-2.84 > httpd-2.2.3-11.el5_1 > all the above is working fine . > > Now i wanted to upgrade my Centos to the latest (5.3) with yum > upgrade but > when i ran the command > > yum would not finish it gave errors as below > > ----------- > file /usr/lib/perl5/5.8.8/Math/BigFloat.pm from install of >>>> perl-5.8.8-18.el5_3.1 conflicts with file from package >>>> perl-Math-BigInt-1.86-1 > > -------- > googling arround i found these errors are caused by 3 rd party perl > modules > which being installed which guess from MS installtion since i > downloaded > the MS package from MailScanner site and ran the install.sh script . > > -- > right now i have downloaded the latest MS form the MS site and also > lates > Spamassasin clamAV jules package and installed as per the upgrade > instructions and everything is perfect and working great. > ---- > > But i need to upgrade my os to 5.3 > aprrecite any help and suggestions . is there any way i could > upgrade the > OS bypassing these errors > > > > regards > > simon > > - > Network ADMIN > ------------- > KUWAIT MUNICIPALITY: > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. 
> > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From marc at marcsnet.com Sat Jun 6 23:40:06 2009 From: marc at marcsnet.com (Marc Lucke) Date: Sat Jun 6 23:40:28 2009 Subject: Solved: scan.messages.rules From: 192.168. no not working In-Reply-To: <4A2A5FCB.6010101@marcsnet.com> References: <9ABB9BF8-F032-4DB9-A212-E4B8DBE2D6B5@rtpty.com> <4947F831.7040402@di.unito.it> <4A2862C2.2040100@marcsnet.com> <4A28E3C9.7060900@ecs.soton.ac.uk> <4A2A5FCB.6010101@marcsnet.com> Message-ID: <4A2AF046.9040001@marcsnet.com> Solved. Wrong SMTP server selected in the Thunderbird. Whoops. Marc Lucke wrote: > Nope. Now running mailscanner-4.77.10-1 No effect. > > > Julian Field wrote: >> And I bet you are using 4.76 and Postfix. In which case, upgrade to >> 4.77 :-) >> >> On 05/06/2009 01:11, Marc Lucke wrote: >>> /etc/MailScanner/MailScanner.conf >>> >>> Scan Messages = %rules-dir%/scan.messages.rules >>> Read IP Address From Received Header = no >>> >>> >>> /etc/MailScanner/rules/scan.messages.rules >>> >>> From: 192.168. no >>> FromOrTo: default yes >>> >>> >>> MailScanner restarted. >>> >>> My understanding is that MailScanner should not scan anything coming >>> from an ip address beginning with 192.168. (=192.168.0.0/16). There >>> is no error when restarting MailScanner. This ruleset is not >>> working. Specifically I am attempting to resend (using >>> Thunderbird's resend feature) HAM which was picked up as spam. >>> >>> Can anyone tell me why my ruleset is not working? Is my >>> understanding of the functionality correct? How can I achieve what >>> I'm trying to do? >>> >>> I have looked through the lists but I've not found anything >>> specifically helpful. >>> >>> >>> Marc >>> >>> >> >> Jules >> From james at gray.net.au Sun Jun 7 04:27:33 2009 
From: james at gray.net.au (James Gray) Date: Sun Jun 7 04:27:48 2009 Subject: Any chance of blocking these? In-Reply-To: <910ee2ac0906061352g6d7fda6t5b2233e7caaf3dc@mail.gmail.com> References: <910ee2ac0906061352g6d7fda6t5b2233e7caaf3dc@mail.gmail.com> Message-ID: On 07/06/2009, at 6:52 AM, Ljósnet wrote: > Hello, I have a small problem with a few MS Exchange servers that are > infected with some kind of virus/trojan. They are sending mail through > my gateway which is fine, but I need to be able to stop them from > sending mail which doesn't have any valid address in the from=< > field until > I get the system administrator to clean their server. > > In the maillog it looks like this: > > sendmail[12542]: n56Ki9EY012542: from=<>, size=23860, class=0, > nrcpts=1, msgid=, proto=ESMTP, > daemon=MTA, relay=[10.101.45.50] > > Is it possible to somehow stop servers/clients from being able to send > through my gateway when there is no valid from= address? Looks like a bounce message to me; "From=<>" is what the MTA uses when it returns a message to the envelope sender to advise them of non-delivery (among other things). You can certainly block them, but that would violate the RFCs. A better solution would be to block the entire Exchange server until the admins clean up their act. If a virus/trojan is spewing fake bounces (aka, "back-scatter spam" etc) then what's to say it won't start sending other malicious content? HTH, James From zaeem.arshad at gmail.com Mon Jun 8 05:18:30 2009
From: zaeem.arshad at gmail.com (Zaeem Arshad)
Date: Mon Jun 8 05:18:44 2009
Subject: MS store spam ruleset possible?
Message-ID: <3e1809420906072118g1913e635tdc6919b312db7e0b@mail.gmail.com>

Hi List,

Is it possible to have a rule-set or some knob in MS to store only the first high scoring spam message? I need this because at times when I get a spam attack, there are a few thousand high scoring spam emails all having the same content. My MS setting is to score high scoring spam for building a spam corpus and I'd like to store just the first email and send the rest to oblivion. It will save valuable disk space and scan time.

Regards

--
Zaeem

From maxsec at gmail.com Mon Jun 8 08:28:13 2009
From: maxsec at gmail.com (Martin Hepworth)
Date: Mon Jun 8 08:28:22 2009
Subject: MS store spam ruleset possible?
In-Reply-To: <3e1809420906072118g1913e635tdc6919b312db7e0b@mail.gmail.com>
References: <3e1809420906072118g1913e635tdc6919b312db7e0b@mail.gmail.com>
Message-ID: <72cf361e0906080028l1b81372el8dab3f8defc44be0@mail.gmail.com>

2009/6/8 Zaeem Arshad :
> Hi List,
>
> Is it possible to have a rule-set or some knob in MS to store only the first
> high scoring spam message? I need this because at times when I get a spam
> attack, there are a few thousand high scoring spam emails all having the
> same content. My MS setting is to score high scoring spam for building a
> spam corpus and I'd like to store just the first email and send the rest to
> oblivion. It will save valuable disk space and scan time.
>
>
> Regards
>
>
> --
> Zaeem

Zaeem

The SpamAssassin Cache does part of this - keeps a hash of the emails and scores for a short period, and doesn't scan the email again if it matched the hash.

For the storage (or rather not storing) if it hits the SpamAssassin cache, interesting idea - what do other people think? Depends what you do with the spam/highscoring spam first, not everyone stores the email in the first place.

--
Martin Hepworth
Oxford, UK

From MailScanner at ecs.soton.ac.uk Mon Jun 8 08:37:05 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Jun 8 08:37:23 2009
Subject: MS store spam ruleset possible?
In-Reply-To: <3e1809420906072118g1913e635tdc6919b312db7e0b@mail.gmail.com>
References: <3e1809420906072118g1913e635tdc6919b312db7e0b@mail.gmail.com> <4A2CBFA1.5060407@ecs.soton.ac.uk>
Message-ID:

You could do it as a Custom Function. You would have to work out a hash of the body of the message, look it up in a little database (SQLite or db file preferred) and only store the message if it didn't appear, then update the database to stop it being stored again. Shouldn't take too long for a decent Perl developer to write.

But I have no plans to put it in the core of MailScanner. If you want to pay me to write it, then we could negotiate a suitable payment for the job.

Jules.

On 08/06/2009 05:18, Zaeem Arshad wrote:
> Hi List,
>
> Is it possible to have a rule-set or some knob in MS to store only the
> first high scoring spam message? I need this because at times when I
> get a spam attack, there are a few thousand high scoring spam emails
> all having the same content. My MS setting is to score high scoring
> spam for building a spam corpus and I'd like to store just the first
> email and send the rest to oblivion. It will save valuable disk space
> and scan time.
>
>
> Regards
>
>
> --
> Zaeem

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info

From zaeem.arshad at gmail.com Mon Jun 8 08:54:00 2009
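Added example, not part of any message in this archive and not MailScanner code: the store-once logic Julian Field describes above (hash the body, look it up in SQLite, store only on first sight), sketched in Python rather than as a Perl Custom Function. The table layout, the whitespace/case normalisation, the 24-hour expiry and the sample messages are all assumptions made for the illustration.

```python
import email
import hashlib
import sqlite3
import time
from email import policy


def body_fingerprint(raw: bytes) -> str:
    """SHA-256 of the message body only, so differing headers do not matter."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain", "html"))
    try:
        text = part.get_content() if part is not None else ""
    except (LookupError, UnicodeError, KeyError):
        text = ""
    if not text.strip():
        # No decodable text part: fall back to the raw bytes after the headers.
        _, _, rest = raw.replace(b"\r\n", b"\n").partition(b"\n\n")
        text = rest.decode("latin-1")
    # Assumption: collapse whitespace and case so re-wrapped copies still match.
    canonical = " ".join(text.split()).lower()
    return hashlib.sha256(canonical.encode("utf-8", "replace")).hexdigest()


class SeenBodies:
    """Small SQLite table of body hashes already stored once."""

    def __init__(self, path=":memory:", ttl=24 * 3600):
        self.ttl = ttl  # assumption: forget a body after this many seconds
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS seen ("
            " digest TEXT PRIMARY KEY,"
            " first_seen INTEGER NOT NULL,"
            " hits INTEGER NOT NULL)"
        )

    def should_store(self, raw: bytes, now=None) -> bool:
        """True only for the first message carrying this body within the TTL."""
        now = int(time.time()) if now is None else now
        digest = body_fingerprint(raw)
        with self.db:  # one transaction: expire old rows, claim the hash, count
            self.db.execute(
                "DELETE FROM seen WHERE first_seen < ?", (now - self.ttl,)
            )
            # INSERT OR IGNORE is the lookup and the update in one atomic step,
            # so two scanner children cannot both decide they saw it first.
            cur = self.db.execute(
                "INSERT OR IGNORE INTO seen (digest, first_seen, hits)"
                " VALUES (?, ?, 0)",
                (digest, now),
            )
            first = cur.rowcount == 1
            self.db.execute(
                "UPDATE seen SET hits = hits + 1 WHERE digest = ?", (digest,)
            )
        return first

    def hits(self, digest: str) -> int:
        row = self.db.execute(
            "SELECT hits FROM seen WHERE digest = ?", (digest,)
        ).fetchone()
        return row[0] if row else 0


# Constructed sample messages: A and its copy share a body but not headers.
SPAM_A = (
    b"From: a@example.test\r\nTo: u1@example.test\r\nSubject: WIN NOW\r\n\r\n"
    b"Cheap pills!  Visit http://spam.example.test/ today.\r\n"
)
SPAM_A_COPY = (
    b"From: b@example.test\nTo: u2@example.test\nSubject: WIN NOW\n\n"
    b"Cheap pills! Visit\nhttp://spam.example.test/ today.\n"
)
SPAM_B = (
    b"From: c@example.test\nTo: u3@example.test\nSubject: hello\n\n"
    b"A different body entirely.\n"
)

if __name__ == "__main__":
    seen = SeenBodies()
    for name, raw in (("A", SPAM_A), ("A copy", SPAM_A_COPY), ("B", SPAM_B)):
        print(name, "store" if seen.should_store(raw) else "skip")
```

An exact hash only collapses copies whose bodies are identical after normalisation; campaigns that randomise text per recipient would need a fuzzy hash instead.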
From: zaeem.arshad at gmail.com (Zaeem Arshad)
Date: Mon Jun 8 08:54:10 2009
Subject: MS store spam ruleset possible?
In-Reply-To: <72cf361e0906080028l1b81372el8dab3f8defc44be0@mail.gmail.com>
References: <3e1809420906072118g1913e635tdc6919b312db7e0b@mail.gmail.com> <72cf361e0906080028l1b81372el8dab3f8defc44be0@mail.gmail.com>
Message-ID: <3e1809420906080054i5e46064ch501a5a752dec3ea4@mail.gmail.com>

> Zaeem
>
> The SpamAssassin Cache does part of this - keeps a hash of the emails
> and scores for a short period, and doesn't scan the email again if it
> matched the hash.

Yups. That's good!

> For the storage (or rather not storing) if it hits the SpamAssassin
> cache, interesting idea - what do other people think? Depends what you
> do with the spam/highscoring spam first, not everyone stores the email
> in the first place.

Or maybe, only store spam based on specific score ranges. It seems I will have to write a perl custom function to handle that. Thanks anyway.

Regards

--
Zaeem

From support-lists at petdoctors.co.uk Mon Jun 8 10:57:09 2009
From: support-lists at petdoctors.co.uk (Nigel Kendrick)
Date: Mon Jun 8 10:57:58 2009
Subject: upgrade error
In-Reply-To: <9752a9b2789d041644f8941ea156f186.squirrel@webmail.baladia.gov.kw>
References: <9752a9b2789d041644f8941ea156f186.squirrel@webmail.baladia.gov.kw>
Message-ID:

I did the following:

1) Stopped MailScanner.
2) yum removed the conflicting perl packages (there's about 4 ISTR).
3) yum upgraded.
4) Downloaded the latest MailScanner and (re)installed it to put back the required perl modules.
5) Started MailScanner

Nigel

From a.peacock at chime.ucl.ac.uk Mon Jun 8 15:55:07 2009
From: a.peacock at chime.ucl.ac.uk (Anthony Peacock)
Date: Mon Jun 8 15:55:02 2009
Subject: Problem with SAVI-perl module
Message-ID: <4A2D264B.9060507@chime.ucl.ac.uk>

Hi,

Just noticed some files getting quarantined with the following error message...

"Report: SophosSAVI: SSO Instructions etc.zipx caused an error: Not supported in this SAVI implementation (527)"

After a little investigation I discovered that this is related to the SAVI-perl interface. Using the normal Sophos command line client checks these files without error.

For now I have reverted MailScanner to using the Sophos wrapper, and I may pursue the SAVI-perl side with the module developer.

My MailScanner question is...

I am not familiar with the zipx (StuffIt) files. I think I could use the "Allowed Sophos Error Messages" config to ignore these errors from the SAVI interface, but how safe would this be?

--
Anthony Peacock
CHIME, UCL Medical School
WWW: http://www.chime.ucl.ac.uk/~rmhiajp/
Study Health Informatics - Modular Postgraduate Degree
http://www.chime.ucl.ac.uk/study-health-informatics/

From a.peacock at chime.ucl.ac.uk Mon Jun 8 16:34:12 2009
From: a.peacock at chime.ucl.ac.uk (Anthony Peacock)
Date: Mon Jun 8 16:34:04 2009
Subject: Problem with SAVI-perl module
In-Reply-To: <4A2D264B.9060507@chime.ucl.ac.uk>
References: <4A2D264B.9060507@chime.ucl.ac.uk>
Message-ID: <4A2D2F74.1@chime.ucl.ac.uk>

Anthony Peacock wrote:
> Hi,
>
> Just noticed some files getting quarantined with the following error
> message...
>
>
> "Report: SophosSAVI: SSO Instructions etc.zipx caused an error: Not
> supported in this SAVI implementation (527)"
>
> After a little investigation I discovered that this is related to the
> SAVI-perl interface. Using the normal Sophos command line client checks
> these files without error.
>
> For now I have reverted MailScanner to using the Sophos wrapper, and I
> may pursue the SAVI-perl side with the module developer.

PS, I am aware that this may be a Sophos SAVI issue as well. I just haven't got that far in investigating the problem.

> My MailScanner question is...
>
> I am not familiar with the zipx (StuffIt) files. I think I could use
> the "Allowed Sophos Error Messages" config to ignore these errors from
> the SAVI interface, but how safe would this be?
>
>

--
Anthony Peacock
CHIME, UCL Medical School
WWW: http://www.chime.ucl.ac.uk/~rmhiajp/
Study Health Informatics - Modular Postgraduate Degree
http://www.chime.ucl.ac.uk/study-health-informatics/

From rlopezcnm at gmail.com Mon Jun 8 19:18:34 2009
From: rlopezcnm at gmail.com (Robert Lopez)
Date: Mon Jun 8 19:18:44 2009
Subject: MaiScanner --debug hangs
In-Reply-To:
References:
Message-ID:

> Based on the limited info you gave -- maybe...
>
> What MTA? What instructions did you follow to set it up?
> Did you double check those instructions to make sure you didn't miss a step?
>
> What did you install from? Where did you get all the related files like
> spamassassin and Clamav?
>
> Also which OS, and some system details like number of processors and total ram
> would also help.

MTA: postfix 2.6.1 from Mail-SpamAssassin-3.2.5.tar.gz
Followed postfix home documentation to install
I double checked install instructions to the extent of my understanding of them.
installed MailScanner from MailScanner-4.77.6-4.rpm.tar.gz following book and Julian's email.
installed spamassassin and Clamav (Clam-0.95.1-SA-3.2.5) from install-Clam-SA-latest.tar.gz
OS is Red Hat Enterprise Linux Server release 5.3 (Tikanga) 64bit
Server is HP Proliant DL360 G5, 4/4 core cpu with eight 1024 MB 667 MHz DIMM

From rlopezcnm at gmail.com Mon Jun 8 19:24:43 2009
From: rlopezcnm at gmail.com (Robert Lopez)
Date: Mon Jun 8 19:24:52 2009
Subject: MaiScanner --debug hangs
In-Reply-To: <4A29AB23.1040200@fsl.com>
References: <4A29AB23.1040200@fsl.com>
Message-ID:

On Fri, Jun 5, 2009 at 5:32 PM, Steve Freegard wrote:
> Robert Lopez wrote:
>> I am in the process of testing an install of MailScanner 4.77.6
>> installed on a test gateway.
>> Email is flowing in and out of the gateway but nothing seems to be
>> stopped or tagged when it should.
>> I just tried the "--debug" option...
>>
>> # MailScanner --debug
>> In Debugging mode, not forking...
>> Trying to setlogsock(unix)
>> Building a message batch to scan...
>>
>> and the maillog file says:
>> Jun  5 10:33:22 mg04 MailScanner[5063]: MailScanner E-Mail Virus
>> Scanner version 4.77.6 starting...
>> Jun  5 10:33:22 mg04 MailScanner[5063]: Read 854 hostnames from the
>> phishing whitelist
>> Jun  5 10:33:22 mg04 MailScanner[5063]: Read 10149 hostnames from the
>> phishing blacklists
>> Jun  5 10:33:22 mg04 MailScanner[5063]: Using SpamAssassin results cache
>> Jun  5 10:33:22 mg04 MailScanner[5063]: Connected to SpamAssassin
>> cache database
>> Jun  5 10:33:22 mg04 MailScanner[5063]: Enabling SpamAssassin
>> auto-whitelist functionality...
>> Jun  5 10:33:23 mg04 MailScanner[5063]: I have found clamavmodule
>> scanners installed, and will use them all by default.
>> Jun  5 10:33:23 mg04 MailScanner[5063]: Connected to
>> processing-messages database
>> Jun  5 10:33:23 mg04 MailScanner[5063]: Found 0 messages in the
>> processing-messages database
>> Jun  5 10:33:23 mg04 MailScanner[5063]: Using locktype = flock
>>
>> Then nothing more happens.
>>
>> Is the processing-messages database missing? is it the SpamAssassin
>> cache database? or part of clamav?
>>
>
> None of the above; when you run in debug mode a single MailScanner child
> starts up and waits for messages; if you've stopped your inbound MTA
> then it will just sit there waiting as you have found.
>
> Try (modify to suit your OS):
> /etc/init.d/MailScanner stop
> /etc/init.d/MailScanner startin
> /etc/init.d/MailScanner startout
> MailScanner --debug
>
> Regards,
> Steve.

This may be my confusion: When "MailScanner --lint" runs it creates a fake batch of email containing EICAR and virus scans it. My expectation is when "MailScanner --debug" runs and it says it is "Building a message batch to scan..." that it is doing the same thing and building a test batch. But it seems that it is actually waiting to build up a batch of emails arriving from postfix?

From steve.freegard at fsl.com Mon Jun 8 19:44:49 2009
From: steve.freegard at fsl.com (Steve Freegard)
Date: Mon Jun 8 19:45:00 2009
Subject: MaiScanner --debug hangs
In-Reply-To:
References: <4A29AB23.1040200@fsl.com>
Message-ID: <4A2D5C21.1070501@fsl.com>

Robert Lopez wrote:
> This may be my confusion: When "MailScanner --lint" runs it creates a
> fake batch of email containing EICAR and virus scans it. My
> expectation is when "MailScanner --debug" runs and it says it is
> "Building a message batch to scan..." that it is doing the same thing
> and building a test batch. But it seems that it is actually waiting to
> build up a batch of emails arriving from postfix?

Yes - it's waiting for mail from Postfix to run in debug, so your assumption that --debug is the same as --lint is incorrect.

Regards,
Steve.

From ssilva at sgvwater.com Mon Jun 8 21:41:39 2009
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Jun 8 21:42:09 2009
Subject: SA+MS miss spam, scored with 0.00.
In-Reply-To: <76f60d7e0906051751o3cd151c3g4945ea0fbb32bae8@mail.gmail.com>
References: <76f60d7e0906051751o3cd151c3g4945ea0fbb32bae8@mail.gmail.com>
Message-ID:

on 6-5-2009 5:51 PM Steve Barnes spake the following:
> Hi
>
> MS 4.77.7
> SA 3.2.5
> Postfix 2.6.0
> FreeBSD 7.2
>
> I'm trying to understand why MS and SA missed a spam the first time
> round (scored with 0.00). Resubmitting from quarantine as root with:
>
> spamassassin -x -D <
> /var/spool/MailScanner/quarantine/20090605/nonspam/8F54D11485.A3CE1
>
> it was scored at 11.2. I don't believe it's a case of online checks
> "catching up" since the majority of rules that matched 2nd time round
> aren't time-related:
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  1.8 SUBJ_ALL_CAPS          Subject is all capitals
>  1.6 MISSING_HEADERS        Missing To: header
>  1.4 DCC_CHECK              Listed in DCC
>                             (http://rhyolite.com/anti-spam/dcc/)
>  1.5 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay
>  0.7 MSOE_MID_WRONG_CASE    MSOE_MID_WRONG_CASE
>  4.2 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook
>
> Even without DCC_CHECK, it should have scored 9.8. The SA report contains:
>
> not spam, SpamAssassin (not cached, score=0, required 6, autolearn=)
>
> I keep seeing this "autolearn=)" truncation in cases where spam is
> missed. Can anyone else confirm seeing it in their maillog? Otherwise,
> MS + SA are catching 99% of the other spams coming in. I've included
> the corresponding maillog entry at the bottom of this message.
>
> Thanks
>
> Steve
>
>

I think you need the latest version (4.77-10) to fix a bug that crept into postfix support.
From ssilva at sgvwater.com Mon Jun 8 21:46:35 2009
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Jun 8 21:50:14 2009
Subject: Any chance of blocking these?
In-Reply-To: <910ee2ac0906061352g6d7fda6t5b2233e7caaf3dc@mail.gmail.com>
References: <910ee2ac0906061352g6d7fda6t5b2233e7caaf3dc@mail.gmail.com>
Message-ID:

on 6-6-2009 1:52 PM Lj?snet spake the following:
> Hello, I have a small problem with few MS Exchange servers who are
> infected with some kind of virus/trojan. They are sending mail through
> my gateway which is fine, but I need to be able to stop them from
> sending mail which don't have any valid address in from=< > field until
> I get the system administrator to clean their server.
>
> In the maillog it looks like this:
>
> sendmail[12542]: n56Ki9EY012542: from=<>, size=23860, class=0,
> nrcpts=1, msgid=, proto=ESMTP,
> daemon=MTA, relay=[10.101.45.50]
>
> Is it possible to somehow stop servers/clients from being able to send
> through my gateway when there is no valid from= address?
>
> Thanks!

Since you gateway for them, do you do any recipient verification? Do they? This could be normal bounce messages from unknown recipients if your system is passing them on unstopped. They might have whitelisted your gateway thinking you would be stopping this stuff.

From ssilva at sgvwater.com Mon Jun 8 22:33:31 2009
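Added example, not part of any message in this archive: a small log summary that helps tell the two readings in the replies above apart (ordinary bounces versus a relay spewing null-sender mail) by counting `from=<>` entries per relay in sendmail log lines of the shape quoted in the thread. The sample lines, the syslog prefix, the second relay and both thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Matches sendmail "from=" log entries such as the one quoted in the thread:
#   sendmail[12542]: n56Ki9EY012542: from=<>, size=..., relay=[10.101.45.50]
# The relay field may also carry a hostname before the bracketed address.
FROM_LINE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>,"
    r".*\brelay=(?:[^\[\s]+\s+)?\[(?P<ip>[^\]]+)\]"
)


def null_sender_report(lines, min_null=3, min_ratio=0.5):
    """Return {relay_ip: (null_sender_count, total_messages)} for relays whose
    traffic is mostly envelope sender <>. Thresholds are assumptions to tune."""
    totals = defaultdict(int)
    nulls = defaultdict(int)
    for line in lines:
        m = FROM_LINE.search(line)
        if m is None:
            continue  # delivery ("to=") lines and other daemons are ignored
        ip = m["ip"]
        totals[ip] += 1
        if m["sender"] == "":
            nulls[ip] += 1
    report = {}
    for ip, total in totals.items():
        count = nulls[ip]
        if count >= min_null and count / total >= min_ratio:
            report[ip] = (count, total)
    return report


# Constructed sample log: one relay sending mostly null-sender mail, one
# relay with a single ordinary bounce among normal traffic.
SAMPLE_LOG = [
    "Jun  6 20:44:09 gw sendmail[12542]: n56Ki9EY012542: from=<>, size=23860, "
    "class=0, nrcpts=1, msgid=<m1@exch.example.test>, proto=ESMTP, daemon=MTA, "
    "relay=[10.101.45.50]",
    "Jun  6 20:44:10 gw sendmail[12550]: n56Ki9EY012542: to=<u@example.test>, "
    "delay=00:00:01, mailer=esmtp, relay=mx.example.test. [198.51.100.7], "
    "stat=Sent",
    "Jun  6 20:44:12 gw sendmail[12543]: n56KiCEY012543: from=<>, size=23911, "
    "class=0, nrcpts=1, msgid=<m2@exch.example.test>, proto=ESMTP, daemon=MTA, "
    "relay=[10.101.45.50]",
    "Jun  6 20:44:15 gw sendmail[12544]: n56KiFEY012544: from=<>, size=23790, "
    "class=0, nrcpts=1, msgid=<m3@exch.example.test>, proto=ESMTP, daemon=MTA, "
    "relay=[10.101.45.50]",
    "Jun  6 20:44:19 gw sendmail[12545]: n56KiJEY012545: "
    "from=<staff@example.test>, size=1820, class=0, nrcpts=1, "
    "msgid=<m4@exch.example.test>, proto=ESMTP, daemon=MTA, relay=[10.101.45.50]",
    "Jun  6 20:44:21 gw sendmail[12546]: n56KiLEY012546: from=<>, size=23802, "
    "class=0, nrcpts=1, msgid=<m5@exch.example.test>, proto=ESMTP, daemon=MTA, "
    "relay=[10.101.45.50]",
    "Jun  6 20:45:01 gw sendmail[12560]: n56Kj1EY012560: "
    "from=<alice@example.test>, size=3100, class=0, nrcpts=1, "
    "msgid=<n1@mail.example.test>, proto=ESMTP, daemon=MTA, "
    "relay=mail.example.test [192.0.2.10]",
    "Jun  6 20:45:07 gw sendmail[12561]: n56Kj7EY012561: from=<>, size=2900, "
    "class=0, nrcpts=1, msgid=<n2@mail.example.test>, proto=ESMTP, daemon=MTA, "
    "relay=mail.example.test [192.0.2.10]",
    "Jun  6 20:45:11 gw sendmail[12562]: n56KjBEY012562: "
    "from=<bob@example.test>, size=5120, class=0, nrcpts=2, "
    "msgid=<n3@mail.example.test>, proto=ESMTP, daemon=MTA, "
    "relay=mail.example.test [192.0.2.10]",
    "Jun  6 20:45:30 gw sendmail[12563]: n56KjUEY012563: "
    "from=<carol@example.test>, size=800, class=0, nrcpts=1, "
    "msgid=<n4@mail.example.test>, proto=ESMTP, daemon=MTA, "
    "relay=mail.example.test [192.0.2.10]",
]

if __name__ == "__main__":
    for ip, (count, total) in null_sender_report(SAMPLE_LOG).items():
        print(f"{ip}: {count} of {total} messages had envelope sender <>")
```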
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Jun 8 22:34:07 2009
Subject: MS store spam ruleset possible?
In-Reply-To: <3e1809420906080054i5e46064ch501a5a752dec3ea4@mail.gmail.com>
References: <3e1809420906072118g1913e635tdc6919b312db7e0b@mail.gmail.com> <72cf361e0906080028l1b81372el8dab3f8defc44be0@mail.gmail.com> <3e1809420906080054i5e46064ch501a5a752dec3ea4@mail.gmail.com>
Message-ID:

on 6-8-2009 12:54 AM Zaeem Arshad spake the following:
> > Zaeem
> >
> > The SpamAssassin Cache does part of this - keeps a hash of the emails
> > and scores for a short period, and doesn't scan the email again if it
> > matched the hash.
>
> Yups. That's good!
>
> > For the storage (or rather not storing) if it hits the SpamAssassin
> > cache, interesting idea - what do other people think? Depends what you
> > do with the spam/highscoring spam first, not everyone stores the email
> > in the first place.
>
> Or maybe, only store spam based on specific score ranges. It seems I
> will have to write a perl custom function to handle that. Thanks anyway.
>

You can already do that now. I have the following in my Mailscanner.conf;

SpamAssassin Rule Actions = SpamScore>25=>not-store

That way spam that scores over 25 isn't stored. You could do a lot of different things. Spam that scores a certain range but didn't hit bayes_99 could be sent to a different box for spam training. The rule actions stuff can do many amazing things!

From Kevin_Miller at ci.juneau.ak.us Mon Jun 8 23:42:05 2009
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Mon Jun 8 23:42:25 2009
Subject: Performance numbers for a DELL R710
In-Reply-To: <3e1809420906022042y1cb3174ap7405a4446d31524@mail.gmail.com>
References: <3e1809420906020958j4f6123davadbc34501cfe7577@mail.gmail.com> <72cf361e0906021147u760c5c9fie8f808fc990a01c0@mail.gmail.com> <3e1809420906022042y1cb3174ap7405a4446d31524@mail.gmail.com>
Message-ID: <4A09477D575C2C4B86497161427DD94C0D153E2B82@city-exchange07>

Doing any graylisting, greet-pause, or recipient address verification? Stopping invalid messages at the MTA handshake level takes a lot of the load off MailScanner...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

________________________________
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Zaeem Arshad
Sent: Tuesday, June 02, 2009 7:42 PM
To: MailScanner discussion
Subject: Re: Performance numbers for a DELL R710

On Wed, Jun 3, 2009 at 12:47 AM, Martin Hepworth wrote:

Zaeem

nice.

depends on the tests you run (RBLs etc) and the size of the emails.

look in the wiki for performance and tuning on both MailScanner and Spamassassin.

I have a test box with the same specs but 8 Gigs of RAM. My performance tuning so far has been

- tmpfs for message scanning
- DNS caching server on the same box
- Lower timeouts on Postfix (another instance handling retries)
- Compiled rules on SA
- DCC, Razor
- Clamd
- Asynchronous logging

Filesystem underneath is XFS and average mailsize is around 60KB. I have pretty much made all the changes suggested and currently the server is handling around 45000 emails/hour. Do you think increasing the number of MailScanner children might help? What other performance tweaks can I have? I am looking to scale the system to handle at least 65 emails/second with antivirus, antispam scanning and RBL checks.

--
Zaeem

From alex at rtpty.com Tue Jun 9 00:36:04 2009
From: alex at rtpty.com (Alex Neuman)
Date: Tue Jun 9 00:36:21 2009
Subject: Performance numbers for a DELL R710
In-Reply-To: <4A09477D575C2C4B86497161427DD94C0D153E2B82@city-exchange07>
References: <3e1809420906020958j4f6123davadbc34501cfe7577@mail.gmail.com> <72cf361e0906021147u760c5c9fie8f808fc990a01c0@mail.gmail.com> <3e1809420906022042y1cb3174ap7405a4446d31524@mail.gmail.com> <4A09477D575C2C4B86497161427DD94C0D153E2B82@city-exchange07>
Message-ID: <24e3d2e40906081636y4b64540r330546233988e9a3@mail.gmail.com>

Also milter-null can help with backscatter and fake bounces.

On Mon, Jun 8, 2009 at 5:42 PM, Kevin Miller wrote:

> Doing any graylisting, greet-pause, or recipient address verification?
> Stopping invalid messages at the MTA handshake level takes a lot of the load
> off MailScanner...
>
>
> ...Kevin
> --
> Kevin Miller Registered Linux User No: 307357
> CBJ MIS Dept. Network Systems Admin., Mail Admin.
> 155 South Seward Street ph: (907) 586-0242
> Juneau, Alaska 99801 fax: (907 586-4500
>
>
> ------------------------------
> *From:* mailscanner-bounces@lists.mailscanner.info [mailto:
> mailscanner-bounces@lists.mailscanner.info] *On Behalf Of *Zaeem Arshad
> *Sent:* Tuesday, June 02, 2009 7:42 PM
> *To:* MailScanner discussion
> *Subject:* Re: Performance numbers for a DELL R710
>
>
>
> On Wed, Jun 3, 2009 at 12:47 AM, Martin Hepworth wrote:
>
>> Zaeem
>>
>> nice.
>>
>> depends on the tests you run (RBLs etc) and the size of the emails.
>>
>> look in the wiki for performance and tuning on both MailScanner and
>> Spamassassin.
>
>
>
> I have a test box with the same specs but 8 Gigs of RAM. My performance
> tuning so far has been
>
> - tmpfs for message scanning
> - DNS caching server on the same box
> - Lower timeouts on Postfix (another instance handling retries)
> - Compiled rules on SA
> - DCC, Razor
> - Clamd
> - Asynchronous logging
>
> Filesystem underneath is XFS and average mailsize is around 60KB.
> I have pretty much made all the changes suggested and currently the server is
> handling around 45000 emails/hour. Do you think increasing the number of
> MailScanner children might help? What other performance tweaks can I have? I
> am looking to scale the system to handle at least 65 emails/second with
> antivirus, antispam scanning and RBL checks.
>
>
> --
> Zaeem

--
Alex Neuman van der Hans
Reliant Technologies
+507 6781-9505
+507 202-1525
alex@rtpty.com
Skype: alexneuman

From zaeem.arshad at gmail.com Tue Jun 9 03:49:34 2009
From: zaeem.arshad at gmail.com (Zaeem Arshad)
Date: Tue Jun 9 03:49:44 2009
Subject: Performance numbers for a DELL R710
In-Reply-To: <4A09477D575C2C4B86497161427DD94C0D153E2B82@city-exchange07>
References: <3e1809420906020958j4f6123davadbc34501cfe7577@mail.gmail.com> <72cf361e0906021147u760c5c9fie8f808fc990a01c0@mail.gmail.com> <3e1809420906022042y1cb3174ap7405a4446d31524@mail.gmail.com> <4A09477D575C2C4B86497161427DD94C0D153E2B82@city-exchange07>
Message-ID: <3e1809420906081949u3eb86071na7c1aefbfbbd7c9a@mail.gmail.com>

On Tue, Jun 9, 2009 at 4:42 AM, Kevin Miller wrote:

> Doing any graylisting, greet-pause, or recipient address verification?
> Stopping invalid messages at the MTA handshake level takes a lot of the load
> off MailScanner...
>

Yes. I have a script that goes through the logs every night and puts email addresses of fake or abusing senders in a blacklist rejected at the MTA level. It's a bit of kludge right now as I am evaluating which policy daemon to use with Postfix.

Regards

--
Zaeem

From zaeem.arshad at gmail.com Tue Jun 9 04:14:42 2009
From: zaeem.arshad at gmail.com (Zaeem Arshad)
Date: Tue Jun 9 04:14:52 2009
Subject: MS store spam ruleset possible?
In-Reply-To:
References: <3e1809420906072118g1913e635tdc6919b312db7e0b@mail.gmail.com> <72cf361e0906080028l1b81372el8dab3f8defc44be0@mail.gmail.com> <3e1809420906080054i5e46064ch501a5a752dec3ea4@mail.gmail.com>
Message-ID: <3e1809420906082014y253ee64bkea26cd1a441178c7@mail.gmail.com>

On Tue, Jun 9, 2009 at 3:33 AM, Scott Silva wrote:

> on 6-8-2009 12:54 AM Zaeem Arshad spake the following:
> > > Zaeem
> > >
> > > The SpamAssassin Cache does part of this - keeps a hash of the emails
> > > and scores for a short period, and doesn't scan the email again if it
> > > matched the hash.
> >
> > Yups. That's good!
> >
> > > For the storage (or rather not storing) if it hits the SpamAssassin
> > > cache, interesting idea - what do other people think? Depends what you
> > > do with the spam/highscoring spam first, not everyone stores the email
> > > in the first place.
> >
> > Or maybe, only store spam based on specific score ranges. It seems I
> > will have to write a perl custom function to handle that. Thanks anyway.
> >
> You can already do that now. I have the following in my Mailscanner.conf;
> SpamAssassin Rule Actions = SpamScore>25=>not-store
>
> That way spam that scores over 25 isn't stored. You could do a lot of
> different things. Spam that scores a certain range but didn't hit bayes_99
> could be sent to a different box for spam training. The rule actions stuff
> can do many amazing things!
>

Sweet! Will try.

Regards

--
Zaeem

From zaeem.arshad at gmail.com Tue Jun 9 04:49:06 2009
From: zaeem.arshad at gmail.com (Zaeem Arshad)
Date: Tue Jun 9 04:49:16 2009
Subject: Enabling MailWatchLogging function causes reduced batch sizes
Message-ID: <3e1809420906082049n40e4b15we3230acae4f6c8bc@mail.gmail.com>

Hi List,

I am running MS 4.75.11 and will be upgrading to 4.77.x over the weekend. I have been playing with MailWatch and I have noticed that as soon as I enable MailWatchLogging Custom function, the batch size drops down to 1-6 messages per child causing a great amount of stress. Batch size jumps back to 25 (the configured value) as soon as I disable MailWatchLogging. The system is a respectable Dual Quadcore Xeon with 8 GB RAM running CentOS 5, Postfix 2.5.6, SA 3.2.5 and Perl 5.8.8.

Any ideas why is that happening?

Regards

--
Zaeem

From alex at rtpty.com Tue Jun 9 07:11:01 2009
From: alex at rtpty.com (Alex Neuman)
Date: Tue Jun 9 07:11:15 2009
Subject: Performance numbers for a DELL R710
In-Reply-To: <3e1809420906082214o2f4f9022je873bde580d44323@mail.gmail.com>
References: <3e1809420906020958j4f6123davadbc34501cfe7577@mail.gmail.com> <72cf361e0906021147u760c5c9fie8f808fc990a01c0@mail.gmail.com> <3e1809420906022042y1cb3174ap7405a4446d31524@mail.gmail.com> <4A09477D575C2C4B86497161427DD94C0D153E2B82@city-exchange07> <24e3d2e40906081636y4b64540r330546233988e9a3@mail.gmail.com> <3e1809420906082214o2f4f9022je873bde580d44323@mail.gmail.com>
Message-ID: <24e3d2e40906082311l4f311786r4c790ecf5583da13@mail.gmail.com>

I use sendmail almost exclusively. What do the postfix docs say about using sendmail milters?

On Tue, Jun 9, 2009 at 12:14 AM, Zaeem Arshad wrote:

> Hi Alex,
>
> Thanks for the suggestion. Have you tried running it with Postfix?
>
>
> Regards
>
> --
> Zaeem
>
> On Tue, Jun 9, 2009 at 5:36 AM, Alex Neuman wrote:
>
>> Also milter-null can help with backscatter and fake bounces.
>>
>>
>

--
Alex Neuman van der Hans
Reliant Technologies
+507 6781-9505
+507 202-1525
alex@rtpty.com
Skype: alexneuman

From sandro at e-den.it Tue Jun 9 09:43:32 2009
From: sandro at e-den.it (Alessandro Dentella)
Date: Tue Jun 9 09:57:39 2009
Subject: spam being delivered with high score
Message-ID: <20090609084332.GA32578@ubuntu>

Hi,

  I recently started receiving spam messages with high score (> 12) and
  [SPAM] subject and 'X-Spam-Status: No' even if the configuration of my
  mailscanner is:

      Required SpamAssassin Score = 5
      High SpamAssassin Score = 6
      Spam Actions = header "X-Spam-Status: Yes" store
      High Scoring Spam Actions = header "X-Spam-Status: Yes" store
      Non Spam Actions = deliver header "X-Spam-Status: No"

  is there some other directive that may confuse mailscanner?

  thanks in advance
  sandro
  *:-)

--
Sandro Dentella *:-)
http://sqlkit.argolinux.org        SQLkit home page - PyGTK/python/sqlalchemy

From maxsec at gmail.com Tue Jun 9 10:17:24 2009
From: maxsec at gmail.com (Martin Hepworth)
Date: Tue Jun 9 10:17:33 2009
Subject: spam being delivered with high score
In-Reply-To: <20090609084332.GA32578@ubuntu>
References: <20090609084332.GA32578@ubuntu>
Message-ID: <72cf361e0906090217v7dc0169dw84d219043cf96217@mail.gmail.com>

2009/6/9 Alessandro Dentella :
> Hi,
>
>  I recently started receiving spam messages with high score (> 12) and
>  [SPAM] subject and 'X-Spam-Status: No' even if the configuration of my
>  mailscanner is:
>
>      Required SpamAssassin Score = 5
>      High SpamAssassin Score = 6
>      Spam Actions = header "X-Spam-Status: Yes" store
>      High Scoring Spam Actions = header "X-Spam-Status: Yes" store
>      Non Spam Actions = deliver header "X-Spam-Status: No"
>
>  is there some other directive that may confuse mailscanner?
>
>  thanks in advance
>  sandro
>  *:-)
>
>
> --
> Sandro Dentella  *:-)
> http://sqlkit.argolinux.org        SQLkit home page - PyGTK/python/sqlalchemy

Sandro

Full headers for an example email would be useful.

--
Martin Hepworth
Oxford, UK

From steve.freegard at fsl.com Tue Jun 9 10:59:20 2009
From: steve.freegard at fsl.com (Steve Freegard)
Date: Tue Jun 9 10:59:31 2009
Subject: Enabling MailWatchLogging function causes reduced batch sizes
In-Reply-To: <3e1809420906082049n40e4b15we3230acae4f6c8bc@mail.gmail.com>
References: <3e1809420906082049n40e4b15we3230acae4f6c8bc@mail.gmail.com>
Message-ID: <4A2E3278.4010805@fsl.com>

Zaeem Arshad wrote:
> Hi List,
>
> I am running MS 4.75.11 and will be upgrading to 4.77.x over the
> weekend. I have been playing with MailWatch and I have noticed that as
> soon as I enable MailWatchLogging Custom function, the batch size drops
> down to 1-6 messages per child causing a great amount of stress. Batch
> size jumps back to 25 (the configured value) as soon as I disable
> MailWatchLogging. The system is a respectable Dual Quadcore Xeon with 8
> GB RAM running CentOS 5, Postfix 2.5.6, SA 3.2.5 and Perl 5.8.8.
>
> Any ideas why is that happening?
>

No - the MailWatch functions do not affect batch sizes.

MailScanner children scan the inbound directory every 6 seconds by
default; any messages not locked by other children are automatically
picked-up at that time regardless if the batch size is smaller than your
configured maximum.

Regards,
Steve.

From zaeem.arshad at gmail.com Tue Jun 9 11:12:03 2009
From: zaeem.arshad at gmail.com (Zaeem Arshad)
Date: Tue Jun 9 11:12:12 2009
Subject: Enabling MailWatchLogging function causes reduced batch sizes
In-Reply-To: <4A2E3278.4010805@fsl.com>
References: <3e1809420906082049n40e4b15we3230acae4f6c8bc@mail.gmail.com> <4A2E3278.4010805@fsl.com>
Message-ID: <3e1809420906090312p273c98dic1fc826a0a3bbb36@mail.gmail.com>

On Tue, Jun 9, 2009 at 3:59 PM, Steve Freegard wrote:

>
> No - the MailWatch functions do not affect batch sizes.
>
> MailScanner children scan the inbound directory every 6 seconds by
> default; any messages not locked by other children are automatically
> picked-up at that time regardless if the batch size is smaller than your
> configured maximum.
>

That's what I had expected as well but not what I am seeing on this
system. With around 3000 messages available in the HOLD queue and 40
children with 25 messages per scan, it should be picking up 25 messages
per batch. MailScanner --debug seems to go up to 7 messages without any
errors. Anyhow, I am planning to upgrade to 4.77.x and will see what
happens then.

Cheers

--
Zaeem

From sandro at e-den.it Tue Jun 9 11:18:44 2009
From: sandro at e-den.it (Alessandro Dentella)
Date: Tue Jun 9 11:19:27 2009
Subject: spam being delivered with high score
In-Reply-To: <72cf361e0906090217v7dc0169dw84d219043cf96217@mail.gmail.com>
References: <20090609084332.GA32578@ubuntu> <72cf361e0906090217v7dc0169dw84d219043cf96217@mail.gmail.com>
Message-ID: <20090609101844.GA6490@ubuntu>

On Tue, Jun 09, 2009 at 10:17:24AM +0100, Martin Hepworth wrote:
> 2009/6/9 Alessandro Dentella :
> > Hi,
> >
> >  I recently started receiving spam messages with high score (> 12) and
> >  [SPAM] subject and 'X-Spam-Status: No' even if the configuration of my
> >  mailscanner is:
> >
> >      Required SpamAssassin Score = 5
> >      High SpamAssassin Score = 6
> >      Spam Actions = header "X-Spam-Status: Yes" store
> >      High Scoring Spam Actions = header "X-Spam-Status: Yes" store
> >      Non Spam Actions = deliver header "X-Spam-Status: No"
> >
> >  is there some other directive that may confuse mailscanner?
> >
> >  thanks in advance
> >  sandro
> >  *:-)
> >
> >
> > --
> > Sandro Dentella  *:-)
> > http://sqlkit.argolinux.org        SQLkit home page - PyGTK/python/sqlalchemy
> >
>
> Sandro
>
> Full headers for an example email would be useful.

here it is:

Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
X-Spam-Score: 12.7 (++++++++++++)
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
        See http://spamassassin.org/tag/ for more details.
        0.0 MISSING_DATE           Missing Date: header
        0.6 HTML_IMAGE_RATIO_02    BODY: HTML has a low ratio of text to image area
        0.0 HTML_MESSAGE           BODY: HTML included in message
        1.7 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
        1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
        above 50%
        [cf: 100]
        2.0 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
        0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
        [cf: 100]
        2.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
        [89.33.169.107 listed in zen.spamhaus.org]
        1.1 RCVD_IN_SORBS_WEB      RBL: SORBS: sender is a abuseable web server
        [89.33.169.107 listed in dnsbl.sorbs.net]
        2.5 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
        [Blocked - see ]
X-VA-Spam-Flag: YES
X-Spam-Flag: YES
X-Headers-End: 1MDNHN-0007fQ-4s
Subject: {Disarmed} [SPAM] Books you need
Date: Sun, 7 Jun 2009 20:39:31 +0200 (CEST)
X-MailScanner-ID: 957E45C74E.955AD
X-thundersystems-MailScanner: Found to be clean
X-thundersystems-MailScanner-SpamScore: ssss
X-thundersystems-MailScanner-From: sdtcl@users.sourceforge.net
X-Spam-Status: No
Status: O
Content-Length: 5344

sandro
*:-)

--
Sandro Dentella  *:-)
http://sqlkit.argolinux.org        SQLkit home page - PyGTK/python/sqlalchemy

From maxsec at gmail.com Tue Jun 9 11:33:52 2009
From: maxsec at gmail.com (Martin Hepworth)
Date: Tue Jun 9 11:34:01 2009
Subject: spam being delivered with high score
In-Reply-To: <20090609101844.GA6490@ubuntu>
References: <20090609084332.GA32578@ubuntu> <72cf361e0906090217v7dc0169dw84d219043cf96217@mail.gmail.com> <20090609101844.GA6490@ubuntu>
Message-ID: <72cf361e0906090333v396a021fhe3366719c124d207@mail.gmail.com>

2009/6/9 Alessandro Dentella :
> On Tue, Jun 09, 2009 at 10:17:24AM +0100, Martin Hepworth wrote:
>> 2009/6/9 Alessandro Dentella :
>> > Hi,
>> >
>> >  I recently started receiving spam messages with high score (> 12) and
>> >  [SPAM] subject and 'X-Spam-Status: No' even if the configuration of my
>> >  mailscanner is:
>> >
>> >      Required SpamAssassin Score = 5
>> >      High SpamAssassin Score = 6
>> >      Spam Actions = header "X-Spam-Status: Yes" store
>> >      High Scoring Spam Actions = header "X-Spam-Status: Yes" store
>> >      Non Spam Actions = deliver header "X-Spam-Status: No"
>> >
>> >  is there some other directive that may confuse mailscanner?
>> >
>> >  thanks in advance
>> >  sandro
>> >  *:-)
>> >
>> >
>> > --
>> > Sandro Dentella  *:-)
>> > http://sqlkit.argolinux.org        SQLkit home page - PyGTK/python/sqlalchemy
>> >
>>
>>
>> Sandro
>>
>> Full headers for an example email would be useful.
>
> here it is:
>
> Content-Type: text/html; charset="iso-8859-1"
> Content-Transfer-Encoding: 7bit
> MIME-Version: 1.0
> X-Spam-Score: 12.7 (++++++++++++)
> X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
>        See http://spamassassin.org/tag/ for more details.
>        0.0 MISSING_DATE           Missing Date: header
>        0.6 HTML_IMAGE_RATIO_02    BODY: HTML has a low ratio of text to image area
>        0.0 HTML_MESSAGE           BODY: HTML included in message
>        1.7 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
>        1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
>        above 50%
>        [cf: 100]
>        2.0 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
>        0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
>        [cf: 100]
>        2.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
>        [89.33.169.107 listed in zen.spamhaus.org]
>        1.1 RCVD_IN_SORBS_WEB      RBL: SORBS: sender is a abuseable web server
>        [89.33.169.107 listed in dnsbl.sorbs.net]
>        2.5 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
>        [Blocked - see ]
> X-VA-Spam-Flag: YES
> X-Spam-Flag: YES
> X-Headers-End: 1MDNHN-0007fQ-4s
> Subject: {Disarmed} [SPAM] Books you need
> Date: Sun, 7 Jun 2009 20:39:31 +0200 (CEST)
> X-MailScanner-ID: 957E45C74E.955AD
> X-thundersystems-MailScanner: Found to be clean
> X-thundersystems-MailScanner-SpamScore: ssss
> X-thundersystems-MailScanner-From: sdtcl@users.sourceforge.net
> X-Spam-Status: No
> Status: O
> Content-Length: 5344
>
> sandro
> *:-)
>
>
> --
> Sandro Dentella  *:-)
> http://sqlkit.argolinux.org        SQLkit home page - PyGTK/python/sqlalchemy
>

Sandro

MailScanner only scored it as 4 (4 s's in the
X-thundersystems-MailScanner-SpamScore: ssss line)

Something else must be spamassassin scoring this as well.

--
Martin Hepworth
Oxford, UK

From glenn.steen at gmail.com Tue Jun 9 14:30:38 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Jun 9 14:30:47 2009
Subject: Performance numbers for a DELL R710
In-Reply-To: <24e3d2e40906082311l4f311786r4c790ecf5583da13@mail.gmail.com>
References: <3e1809420906020958j4f6123davadbc34501cfe7577@mail.gmail.com> <72cf361e0906021147u760c5c9fie8f808fc990a01c0@mail.gmail.com> <3e1809420906022042y1cb3174ap7405a4446d31524@mail.gmail.com> <4A09477D575C2C4B86497161427DD94C0D153E2B82@city-exchange07> <24e3d2e40906081636y4b64540r330546233988e9a3@mail.gmail.com> <3e1809420906082214o2f4f9022je873bde580d44323@mail.gmail.com> <24e3d2e40906082311l4f311786r4c790ecf5583da13@mail.gmail.com>
Message-ID: <223f97700906090630i16021503p59deb2044958e4d5@mail.gmail.com>

2009/6/9 Alex Neuman :
> I use sendmail almost exclusively. What do the postfix docs say about using
> sendmail milters?
>
Use them?!:-)
Beware though that enabling a milter on a high-volume setup like this
has a performance overhead (the "spin through" of the body (in the
queue file parsing) isn't ideal, but it is necessary, when using any
milters with PF).
--
-- Glenn

> On Tue, Jun 9, 2009 at 12:14 AM, Zaeem Arshad wrote:
>>
>> Hi Alex,
>>
>> Thanks for the suggestion. Have you tried running it with Postfix?
>>
>>
>> Regards
>>
>> --
>> Zaeem
>>
>> On Tue, Jun 9, 2009 at 5:36 AM, Alex Neuman wrote:
>>>
>>> Also milter-null can help with backscatter and fake bounces.
>>>
>>
>
>
>
> --
> Alex Neuman van der Hans
> Reliant Technologies
> +507 6781-9505
> +507 202-1525
> alex@rtpty.com
> Skype: alexneuman
>

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From devonharding at gmail.com Tue Jun 9 15:05:53 2009
From: devonharding at gmail.com (Devon Harding)
Date: Tue Jun 9 15:06:03 2009
Subject: Mailscanner & redirected mail
Message-ID: <2baac6140906090705k22889af6m9909a91e9f7b27c0@mail.gmail.com>

Ok, here's my dilemma. My ISP has blocked port 25 on my connection, so I'm
forced to have my DNS provider (EasyDNS) redirect all my email to port 2525.
This works fine, the only problem now is I'm seeing an influx of SPAM which
I believe is because MailScanner is seeing EasyDNS as a safe sender & not
processing any rules based on IP Address. How do I get MailScanner to
disregard the IP address from EasyDNS and process the next hop? I guess
something like X-Forwarded-For for SMTP.

-Devon

From e.mink at remote.nl Tue Jun 9 15:14:23 2009
From: e.mink at remote.nl (Eric Mink)
Date: Tue Jun 9 15:14:33 2009
Subject: Mailscanner & redirected mail
References: <2baac6140906090705k22889af6m9909a91e9f7b27c0@mail.gmail.com>
Message-ID:

Point your mx record to Easydns and let them dump all the mail to your
IP address

regards,

Eric Mink

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Devon Harding
Sent: Tuesday 9 June 2009 16:06
To: MailScanner discussion
Subject: Mailscanner & redirected mail

Ok, here's my dilemma. My ISP has blocked port 25 on my connection, so I'm
forced to have my DNS provider (EasyDNS) redirect all my email to port 2525.
This works fine, the only problem now is I'm seeing an influx of SPAM which
I believe is because MailScanner is seeing EasyDNS as a safe sender & not
processing any rules based on IP Address. How do I get MailScanner to
disregard the IP address from EasyDNS and process the next hop? I guess
something like X-Forwarded-For for SMTP.

-Devon

From alex at rtpty.com Tue Jun 9 15:34:31 2009
From: alex at rtpty.com (Alex Neuman)
Date: Tue Jun 9 15:34:40 2009
Subject: Mailscanner & redirected mail
In-Reply-To: <2baac6140906090705k22889af6m9909a91e9f7b27c0@mail.gmail.com>
References: <2baac6140906090705k22889af6m9909a91e9f7b27c0@mail.gmail.com>
Message-ID: <24e3d2e40906090734x5a097283m32c6872307cb22bf@mail.gmail.com>

Have you thought of using 465 (SMTPS) or 587? What's your MTA?

On Tue, Jun 9, 2009 at 9:05 AM, Devon Harding wrote:

> Ok, here's my dilemma. My ISP has blocked port 25 on my connection, so I'm
> forced to have my DNS provider (EasyDNS) redirect all my email to port 2525.
> This works fine, the only problem now is I'm seeing an influx of SPAM which
> I believe is because MailScanner is seeing EasyDNS as a safe sender & not
> processing any rules based on IP Address. How do I get MailScanner to
> disregard the IP address from EasyDNS and process the next hop? I guess
> something like X-Forwarded-For for SMTP.
> -Devon
>

--
Alex Neuman van der Hans
Reliant Technologies
+507 6781-9505
+507 202-1525
alex@rtpty.com
Skype: alexneuman

From ms-list at alexb.ch Tue Jun 9 15:47:28 2009
From: ms-list at alexb.ch (Alex Broens)
Date: Tue Jun 9 15:47:38 2009
Subject: Mailscanner & redirected mail
In-Reply-To: <2baac6140906090705k22889af6m9909a91e9f7b27c0@mail.gmail.com>
References: <2baac6140906090705k22889af6m9909a91e9f7b27c0@mail.gmail.com>
Message-ID: <4A2E7600.2040108@alexb.ch>

On 6/9/2009 4:05 PM, Devon Harding wrote:
> Ok, here's my dilemma. My ISP has blocked port 25 on my connection, so I'm
> forced to have my DNS provider (EasyDNS) redirect all my email to port 2525.
> This works fine, the only problem now is I'm seeing an influx of SPAM which
> I believe is because MailScanner is seeing EasyDNS as a safe sender & not
> processing any rules based on IP Address. How do I get MailScanner to
> disregard the IP address from EasyDNS and process the next hop? I guess
> something like X-Forwarded-For for SMTP.
> -Devon

Dunno where this may be relevant for MailScanner but it is relevant to SA.

add the sending server/s IPs to your trusted_networks/internal_networks

Better: If you run a real mailserver get a real business pipe instead.

From steve.freegard at fsl.com Tue Jun 9 16:20:45 2009
From: steve.freegard at fsl.com (Steve Freegard)
Date: Tue Jun 9 16:20:56 2009
Subject: Mailscanner & redirected mail
In-Reply-To: <2baac6140906090705k22889af6m9909a91e9f7b27c0@mail.gmail.com>
References: <2baac6140906090705k22889af6m9909a91e9f7b27c0@mail.gmail.com>
Message-ID: <4A2E7DCD.7050900@fsl.com>

Devon Harding wrote:
> Ok, here's my dilemma. My ISP has blocked port 25 on my connection, so
> I'm forced to have my DNS provider (EasyDNS) redirect all my email to
> port 2525. This works fine, the only problem now is I'm seeing an
> influx of SPAM which I believe is because MailScanner is seeing EasyDNS
> as a safe sender & not processing any rules based on IP Address. How do
> I get MailScanner to disregard the IP address from EasyDNS and process the
> next hop? I guess something like X-Forwarded-For for SMTP.

From the changelog of the latest 4.77 release:

"Read IP Address From Received Header" has been extended, so it will now
take a number instead of yes or no. "yes"=1 and "no"=0. If it is set to
"yes" or a number, then the SMTP client IP address is taken from the
"Received:" header. For example, setting it to 2 will cause the IP
address to be taken from the 2nd Received: header.

That should do what you need. You'll also need to set SA's
trusted_networks otherwise it will be less accurate when it does network
checks.

Cheers,
Steve.

From devonharding at gmail.com Tue Jun 9 18:01:25 2009
From: devonharding at gmail.com (Devon Harding)
Date: Tue Jun 9 18:01:34 2009
Subject: Mailscanner & redirected mail
In-Reply-To: <4A2E7DCD.7050900@fsl.com>
References: <2baac6140906090705k22889af6m9909a91e9f7b27c0@mail.gmail.com> <4A2E7DCD.7050900@fsl.com>
Message-ID: <2baac6140906091001i6752e0a6odeae85a50a0567e@mail.gmail.com>

On Tue, Jun 9, 2009 at 11:20 AM, Steve Freegard wrote:

> Devon Harding wrote:
> > Ok, here's my dilemma. My ISP has blocked port 25 on my connection, so
> > I'm forced to have my DNS provider (EasyDNS) redirect all my email to
> > port 2525. This works fine, the only problem now is I'm seeing an
> > influx of SPAM which I believe is because MailScanner is seeing EasyDNS
> > as a safe sender & not processing any rules based on IP Address. How do
> > I get MailScanner to disregard the IP address from EasyDNS and process the
> > next hop? I guess something like X-Forwarded-For for SMTP.
>
> From the changelog of the latest 4.77 release:
>
> "Read IP Address From Received Header" has been extended, so it will now
> take a number instead of yes or no. "yes"=1 and "no"=0. If it is set to
> "yes" or a number, then the SMTP client IP address is taken from the
> "Received:" header. For example, setting it to 2 will cause the IP
> address to be taken from the 2nd Received: header.
>
> That should do what you need. You'll also need to set SA's
> trusted_networks otherwise it will be less accurate when it does network
> checks.
>
> Cheers,
> Steve.
> --
>

Steve, that is EXACTLY what I'm looking for. I'll test it out and post the
results.

Thanks,

-Devon

From mailbag at partnersolutions.ca Tue Jun 9 19:52:37 2009
From: mailbag at partnersolutions.ca (PSI Mailbag)
Date: Tue Jun 9 19:52:43 2009
Subject: Possible config option to skip filename/filettype checks for the message body?
In-Reply-To:
References: <0A5EC380C825E440B3BB048CDE603A1659F0@PSIMS002.pshosting.intranet><4A16657A.2010906@ecs.soton.ac.uk>
Message-ID: <0A5EC380C825E440B3BB048CDE603A160A9798@PSIMS002.pshosting.intranet>

On 22/05/2009 04:43, Julian Field wrote:
> Just use a ruleset on "Allow Filenames" and "Allow Filetypes", with "."
> as the value for messages you don't want to check. That will allow any
> filename containing any character.
>
> On 20/05/2009 05:07, PSI Mailbag wrote:
> > Hey Jules + List,
> >
> > What do you guys/gals think about a config option to bypass the
> > filename/filetype checks on the message body? Very frequently, I get
> > messages being blocked because "file" (and even when used in the mime
> > only option) detects regular chatter as being a file that shouldn't be
> > sent:

> > In my mind I see a config option that would allow you to bypass the
> > "file" results from the content extracted from the message body
> > (msg-*.txt), while still allowing it to properly run against regular
> > attachments.

Hey Jules, can we revisit this? It's true that your suggested config
would work in this case, but it would also disable all file/content
checking in the process (which kind of defeats the purpose). Even if
"Allow Filenames" was set to \.txt$, the attachment is still removed as
it matches the content type, and a lot of the definitions in file's
magic file are poorly built (such as "Candidate" at the start of a file
for certain Quicktime files, etc).

Is there another config suggestion that I can use without fully
disabling all filename/filetype checks? Since MS extracts the message
body for AV processing, I figured an ideal solution was to be able to
flag message bodies as not being scanned for filetype checks to prevent
the false positives, while still allowing regular attachments to be
scanned and filtered.

Thanks,
-Joshua

From ssilva at sgvwater.com Tue Jun 9 20:17:25 2009
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Jun 9 20:17:47 2009
Subject: Possible config option to skip filename/filettype checks for the message body?
In-Reply-To: <0A5EC380C825E440B3BB048CDE603A160A9798@PSIMS002.pshosting.intranet>
References: <0A5EC380C825E440B3BB048CDE603A1659F0@PSIMS002.pshosting.intranet><4A16657A.2010906@ecs.soton.ac.uk> <0A5EC380C825E440B3BB048CDE603A160A9798@PSIMS002.pshosting.intranet>
Message-ID:

on 6-9-2009 11:52 AM PSI Mailbag spake the following:
> On 22/05/2009 04:43, Julian Field wrote:
>> Just use a ruleset on "Allow Filenames" and "Allow Filetypes", with "."
>> as the value for messages you don't want to check. That will allow any
>> filename containing any character.
>>
>> On 20/05/2009 05:07, PSI Mailbag wrote:
>>> Hey Jules + List,
>>>
>>> What do you guys/gals think about a config option to bypass the
>>> filename/filetype checks on the message body? Very frequently, I get
>>> messages being blocked because "file" (and even when used in the mime
>>> only option) detects regular chatter as being a file that shouldn't be
>>> sent:
>
>>> In my mind I see a config option that would allow you to bypass the
>>> "file" results from the content extracted from the message body
>>> (msg-*.txt), while still allowing it to properly run against regular
>>> attachments.
>
> Hey Jules, can we revisit this? It's true that your suggested config
> would work in this case, but it would also disable all file/content
> checking in the process (which kind of defeats the purpose). Even if
> "Allow Filenames" was set to \.txt$, the attachment is still removed as
> it matches the content type, and a lot of the definitions in file's
> magic file are poorly built (such as "Candidate" at the start of a file
> for certain Quicktime files, etc).
>
> Is there another config suggestion that I can use without fully
> disabling all filename/filetype checks? Since MS extracts the message
> body for AV processing, I figured an ideal solution was to be able to
> flag message bodies as not being scanned for filetype checks to prevent
> the false positives, while still allowing regular attachments to be
> scanned and filtered.
>
> Thanks,
> -Joshua
>
I changed my magic file for some of the more often FP'd quicktime files.

From mailbag at partnersolutions.ca Tue Jun 9 20:30:26 2009
From: mailbag at partnersolutions.ca (PSI Mailbag)
Date: Tue Jun 9 20:30:35 2009
Subject: Possible config option to skip filename/filettype checks for the message body?
In-Reply-To:
References: <0A5EC380C825E440B3BB048CDE603A1659F0@PSIMS002.pshosting.intranet><4A16657A.2010906@ecs.soton.ac.uk> <0A5EC380C825E440B3BB048CDE603A160A9798@PSIMS002.pshosting.intranet>
Message-ID: <0A5EC380C825E440B3BB048CDE603A160A979D@PSIMS002.pshosting.intranet>

> I changed my magic file for some of the more often FP'd quicktime
> files.

That's normally what I do, but you end up having to rip out so many
entries that it's not even worth it after a while. It's also a pain when
I have to make the file immutable to keep the system updates from
toasting the changes every few months. Replacing this file is really
just a band-aid for a better workaround within MS to combat the FPs
(IMHO).

Cheers,
-Joshua

From devonharding at gmail.com Tue Jun 9 21:32:41 2009
From: devonharding at gmail.com (Devon Harding)
Date: Tue Jun 9 21:32:51 2009
Subject: Mailscanner & redirected mail
In-Reply-To: <2baac6140906091001i6752e0a6odeae85a50a0567e@mail.gmail.com>
References: <2baac6140906090705k22889af6m9909a91e9f7b27c0@mail.gmail.com> <4A2E7DCD.7050900@fsl.com> <2baac6140906091001i6752e0a6odeae85a50a0567e@mail.gmail.com>
Message-ID: <2baac6140906091332u55c0f062sfeb600edda4146ed@mail.gmail.com>

On Tue, Jun 9, 2009 at 1:01 PM, Devon Harding wrote:

>
>
> On Tue, Jun 9, 2009 at 11:20 AM, Steve Freegard wrote:
>
>> Devon Harding wrote:
>> > Ok, here's my dilemma. My ISP has blocked port 25 on my connection, so
>> > I'm forced to have my DNS provider (EasyDNS) redirect all my email to
>> > port 2525. This works fine, the only problem now is I'm seeing an
>> > influx of SPAM which I believe is because MailScanner is seeing EasyDNS
>> > as a safe sender & not processing any rules based on IP Address. How do
>> > I get MailScanner to disregard the IP address from EasyDNS and process the
>> > next hop? I guess something like X-Forwarded-For for SMTP.
>>
>> From the changelog of the latest 4.77 release:
>>
>> "Read IP Address From Received Header" has been extended, so it will now
>> take a number instead of yes or no. "yes"=1 and "no"=0. If it is set to
>> "yes" or a number, then the SMTP client IP address is taken from the
>> "Received:" header. For example, setting it to 2 will cause the IP
>> address to be taken from the 2nd Received: header.
>>
>> That should do what you need. You'll also need to set SA's
>> trusted_networks otherwise it will be less accurate when it does network
>> checks.
>>
>> Cheers,
>> Steve.
>> --
>>
>
> Steve, that is EXACTLY what I'm looking for. I'll test it out and post the
> results.
>
> Thanks,
>
> -Devon
>

Ok, this seems to be getting the correct IP after setting it to 2 (A little
less SPAM now). What I'm noticing though is that setting doesn't seem to
apply to the "RCVD_IN_DNSWL_LOW" rule, which has a score of -1. Do I have
to make a change in SA? Where is the setting for trusted_networks in SA?

-Devon

From ssilva at sgvwater.com Tue Jun 9 22:01:15 2009
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Jun 9 22:01:41 2009
Subject: Mailscanner & redirected mail
In-Reply-To: <2baac6140906091332u55c0f062sfeb600edda4146ed@mail.gmail.com>
References: <2baac6140906090705k22889af6m9909a91e9f7b27c0@mail.gmail.com> <4A2E7DCD.7050900@fsl.com> <2baac6140906091001i6752e0a6odeae85a50a0567e@mail.gmail.com> <2baac6140906091332u55c0f062sfeb600edda4146ed@mail.gmail.com>
Message-ID:

> > Ok, this seems to be getting the correct IP after setting it to 2
> (A little less SPAM now). What I'm noticing though is that setting
> doesn't seem to apply to the "RCVD_IN_DNSWL_LOW" rule, which has a
> score of -1. Do I have to make a change in SA? Where is the setting
> for trusted_networks in SA?
>
> -Devon
>
>
http://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Conf.html

From rwahyudi at gmail.com Tue Jun 9 22:57:16 2009
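The "Mailscanner & redirected mail" thread above settles on "Read IP Address From Received Header" set to 2 together with SpamAssassin's trusted_networks. The Python below is an added example, not MailScanner's or SpamAssassin's own code and only a simplified model of their header handling: it shows which address each value of the setting selects and when the selected header can be believed. The message, the host names and the 192.0.2.0/24 relay range are constructed placeholders.

```python
"""Model of taking the SMTP client IP from the Nth Received: header."""
import email
import ipaddress
import re

# Constructed message: origin -> forwarding relay -> local MTA.
# Every host name and address is a documentation placeholder.
SAMPLE = """\
Received: from relay.forwarder.example (relay.forwarder.example [192.0.2.10])
\tby mx.local.example (Postfix) with ESMTP id 0000000001
\tfor <user@local.example>; Tue, 9 Jun 2009 16:00:02 +0000 (UTC)
Received: from sender.example (unknown [203.0.113.77])
\tby relay.forwarder.example with SMTP; Tue, 9 Jun 2009 16:00:00 +0000
Received: from [10.1.2.3] by sender.example; Tue, 9 Jun 2009 15:59:00 +0000
From: someone@sender.example
To: user@local.example
Subject: constructed test message

body
"""

# Hypothetical range of the forwarding provider's relays (assumption):
# the hops you would also declare as trusted to the spam filter.
TRUSTED = [ipaddress.ip_network("192.0.2.0/24")]

_BRACKETED = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def received_ips(raw_message):
    """First bracketed IP literal of each Received: header, newest first."""
    msg = email.message_from_string(raw_message)
    result = []
    for header in msg.get_all("Received", []):
        found = None
        for candidate in _BRACKETED.findall(header):
            try:
                found = str(ipaddress.ip_address(candidate))
                break
            except ValueError:
                continue  # bracketed text that is not an IP literal
        result.append(found)
    return result


def pick_client_ip(ips, n):
    """n = 0: keep the real SMTP peer (None here); n >= 1: Nth header's IP."""
    if n == 0 or n > len(ips):
        return None
    return ips[n - 1]


def header_is_trustworthy(ips, n, trusted):
    """Header n was written by the host whose IP is recorded in header n-1.

    It can be believed only if every hop above it (headers 1..n-1) is a
    relay we trust; anything older is text supplied by the sender.
    """
    def is_trusted(ip):
        return ip is not None and any(
            ipaddress.ip_address(ip) in net for net in trusted
        )

    return 1 <= n <= len(ips) and all(is_trusted(ip) for ip in ips[: n - 1])


if __name__ == "__main__":
    hops = received_ips(SAMPLE)
    for setting in range(0, 4):
        ip = pick_client_ip(hops, setting)
        ok = setting == 0 or header_is_trustworthy(hops, setting, TRUSTED)
        print(f"setting={setting} client_ip={ip or 'SMTP peer'} believable={ok}")
```

With a single forwarding relay, 1 selects the relay itself, 2 selects the host that connected to the relay, and 3 or higher selects an address taken from a header the sending side wrote, which IP-based whitelist rules should never be keyed on.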
From: rwahyudi at gmail.com (R Wahyudi)
Date: Tue Jun 9 22:57:26 2009
Subject: Performance numbers for a DELL R710
In-Reply-To: <24e3d2e40906081636y4b64540r330546233988e9a3@mail.gmail.com>
References: <3e1809420906020958j4f6123davadbc34501cfe7577@mail.gmail.com> <72cf361e0906021147u760c5c9fie8f808fc990a01c0@mail.gmail.com> <3e1809420906022042y1cb3174ap7405a4446d31524@mail.gmail.com> <4A09477D575C2C4B86497161427DD94C0D153E2B82@city-exchange07> <24e3d2e40906081636y4b64540r330546233988e9a3@mail.gmail.com>
Message-ID: <9173fd7e0906091457o35f02aebn2007af67af4fcacf@mail.gmail.com>

2009/6/9 Alex Neuman :
> Also milter-null can help with backscatter and fake bounces.
>
> On Mon, Jun 8, 2009 at 5:42 PM, Kevin Miller wrote:
>>
>> Doing any graylisting, greet-pause, or recipient address verification?
>> Stopping invalid messages at the MTA handshake level takes a lot of the
>> load off MailScanner...
>>
>>
>> ...Kevin
>> --
>> Kevin Miller                Registered Linux User No: 307357
>> CBJ MIS Dept.               Network Systems Admin., Mail Admin.
>> 155 South Seward Street     ph: (907) 586-0242
>> Juneau, Alaska 99801        fax: (907 586-4500
>>
>>
>> ________________________________
>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Zaeem Arshad
>> Sent: Tuesday, June 02, 2009 7:42 PM
>> To: MailScanner discussion
>> Subject: Re: Performance numbers for a DELL R710
>>
>>
>>
>> On Wed, Jun 3, 2009 at 12:47 AM, Martin Hepworth wrote:
>>>
>>> Zaeem
>>>
>>> nice.
>>>
>>> depends on the tests you run (RBLs etc) and the size of the emails.
>>>
>>> look in the wiki for performance and tuning on both MailScanner and
>>> Spamassassin.
>>
>> I have a test box with the same specs but 8 Gigs of RAM. My performance
>> tuning so far has been
>>
>> - tmpfs for message scanning
>> - DNS caching server on the same box
>> - Lower timeouts on Postfix (another instance handling retries)
>> - Compiled rules on SA
>> - DCC, Razor
>> - Clamd
>> - Asynchronous logging
>>
>> Filesystem underneath is XFS and average mailsize is around 60KB. I have
>> pretty much made all the changes suggested and currently the server is
>> handling around 45000 emails/hour. Do you think increasing the number of
>> MailScanner children might help? What other performance tweaks can I
>> have? I am looking to scale the system to handle at least 65
>> emails/second with antivirus, antispam scanning and RBL checks.
>>
>>
>> --
>> Zaeem
>>
>
>
>
> --
> Alex Neuman van der Hans
> Reliant Technologies
> +507 6781-9505
> +507 202-1525
> alex@rtpty.com
> Skype: alexneuman
>

In addition to what's already being mentioned, you might want to stop
some spam at SMTP level before you let more messages through
MailScanner.

- Make sure you only accept incoming email addressed to valid recipient
  and limit the number of "catch-all" domain in your system
- Use rate limiting or tarpitting to prevent spam burst:
    - I set up my MTA (postfix) to pause for 5 seconds on soft error
      and kick them out if they make more than 5 mistakes.
    - Max 100 connections from 1 IP per minute
- Get rsync feeds and run your own RBL server locally. Another benefit
  of this is you can combine multiple blacklist in one zone and do just
  1 lookup.
- Run DNS cache locally.
- Populate IP based whitelist and bypass the scanning (eg mail coming
  from known servers eg facebook, yahoogroups, myspace, ebay,
  mailing lists)
- Make use of short circuit in SA (eg: short-circuit SURBL and classify
  them as high scoring spam)
- Optimize SA rules. Do not overload SA with rules that consume a lot
  of memory.
- Use SQL for bayes, and only use bayes if you train them
- If you use 2 or more server, modify MailScanner caching to use MySQL
  database and share the information.
- If you use MailScanner - partition and roll over the maillog table
  using merge tables (see mailscanner tips and trick)
- Use separate disk for logging. Make sure write cache is enabled

Rianto Wahyudi

From MailScanner at ecs.soton.ac.uk Wed Jun 10 08:31:20 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Jun 10 08:31:40 2009 Subject: Possible config option to skip filename/filettype checks for the message body? In-Reply-To: <0A5EC380C825E440B3BB048CDE603A160A9798@PSIMS002.pshosting.intranet> References: <0A5EC380C825E440B3BB048CDE603A1659F0@PSIMS002.pshosting.intranet><4A16657A.2010906@ecs.soton.ac.uk> <0A5EC380C825E440B3BB048CDE603A160A9798@PSIMS002.pshosting.intranet> <4A2F6148.8060802@ecs.soton.ac.uk> Message-ID: On 09/06/2009 19:52, PSI Mailbag wrote: > On 22/05/2009 04:43, Julian Field wrote: > >> Just use a ruleset on "Allow Filenames" and "Allow Filetypes", with >> > "." > >> as the value for messages you don't want to check. That will allow any >> filename containing any character. >> >> On 20/05/2009 05:07, PSI Mailbag wrote: >> >>> Hey Jules + List, >>> >>> What do you guys/gals think about a config option to bypass the >>> filename/filetype checks on the message body? Very frequently, I get >>> messages being blocked because "file" (and even when used in the >>> > mime > >>> only option) detects regular chatter as being a file that shouldn't >>> > be > >>> sent: >>> > > > >>> In my mind I see a config option that would allow you to bypass >>> > the > >>> "file" results from the content extracted from the message body >>> (msg-*.txt), while still allowing it to properly run against regular >>> attachments. >>> > > > Hey Jules, can we revisit this? It's true that your suggested config > would work in this case, but it would also disable all file/content > checking in the process (which kind of defeats the purpose). Even if > "Allow Filenames" was set to \.txt$, the attachment is still removed as > it matches the content type, and a lot of the definitions in file's > magic file are poorly built (such as "Candidate" at the start of a file > for certain Quicktime files, etc). 
> In which case try using the MIME Types version of it instead, as that uses a different set of signatures, some of which are a lot better (eg. the text/plain one). > Is there another config suggestion that I can use without fully > disabling all filename/filetype checks? Since MS extracts the message > body for AV processing, I figured an ideal solution was to be able to > flag message body's as not being scanned for filetype checks to prevent > the false positives, while still allowing regular attachments to be > scanned and filtered. > That's actually a lot harder than you would think. It is very difficult for me to work out what is the body of the message and what is an attachment from the output data structure of the MIME explosion code which is in MIME-tools. The way mail apps tend to do it is look for the text/plain and text/html parts, which can be easily subverted into making them actually hide attachments in them. Sorry, your best bet I think is still to allow text/plain and text/html in filetype.rules.conf and work from there. Obviously someone else may have a better idea... :) > Thanks, > -Joshua > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Follow me at twitter.com/JulesFM MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Wed Jun 10 08:32:21 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Jun 10 08:32:40 2009 Subject: Possible config option to skip filename/filettype checks for the message body? In-Reply-To: <0A5EC380C825E440B3BB048CDE603A160A979D@PSIMS002.pshosting.intranet> References: <0A5EC380C825E440B3BB048CDE603A1659F0@PSIMS002.pshosting.intranet><4A16657A.2010906@ecs.soton.ac.uk> <0A5EC380C825E440B3BB048CDE603A160A9798@PSIMS002.pshosting.intranet> <0A5EC380C825E440B3BB048CDE603A160A979D@PSIMS002.pshosting.intranet> <4A2F6185.4090006@ecs.soton.ac.uk> Message-ID: On 09/06/2009 20:30, PSI Mailbag wrote: >> I changed my magic file for some of the more often FP'd quicktime >> files. >> > That's normally what I do, but you end up having to rip out so many entries that it's not even worth it after awhile. It's also a pain when I have to make the file immutable to keep the system updates from toasting the changes every few months. Replacing this file is really just a band-aid for a better workaround within MS to combat the FP's (IMHO). > Which is partly why I wrote the MIME type support for filetype.rules.conf files in the first place, as it detects some file types a lot more reliably. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Follow me at twitter.com/JulesFM MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Wed Jun 10 08:34:00 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Jun 10 08:34:23 2009 Subject: Mailscanner & redirected mail In-Reply-To: <4A2E7DCD.7050900@fsl.com> References: <2baac6140906090705k22889af6m9909a91e9f7b27c0@mail.gmail.com> <4A2E7DCD.7050900@fsl.com> <4A2F61E8.8060507@ecs.soton.ac.uk> Message-ID: On 09/06/2009 16:20, Steve Freegard wrote: > Devon Harding wrote: > >> Ok, here's my dilemma. My ISP has blocked port 25 on my connection, so >> I'm forced to have my DNS provider (EasyDNS) redirect all my email to >> port 2525. This works fine, the only problem now is I'm seeing an >> influx of SPAM which I believe is because MailScanner is seeing EasyDNS >> as a safe sender& not processing any rules based on IP Address. How do >> I get MailScanner disregard the IP address from EasyDNS and process the >> next hop? I guess something like X-Forwarded-For for SMTP. >> > > From the changlog of the latest 4.77 release: > > "Read IP Address From Received Header" has been extended, so it will now > take a number instead of yes or no. "yes"=1 and "no"=0. If it is set to > "yes" or a number, then the SMTP client IP address is taken from the > "Received:" header. For example, setting it to 2 will cause the IP > address to be taken from the 2nd Received: header. > > You took the words right out of my mouth! :-) I knew someone would find this useful before too long... Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Follow me at twitter.com/JulesFM MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From devonharding at gmail.com Wed Jun 10 12:25:19 2009 
From: devonharding at gmail.com (Devon Harding) Date: Wed Jun 10 12:25:30 2009 Subject: Mailscanner & redirected mail In-Reply-To: References: <2baac6140906090705k22889af6m9909a91e9f7b27c0@mail.gmail.com> <4A2F61E8.8060507@ecs.soton.ac.uk> <4A2E7DCD.7050900@fsl.com> Message-ID: <2baac6140906100425n3a2ad57x1c26f350fa2e870@mail.gmail.com> On Wed, Jun 10, 2009 at 3:34 AM, Julian Field wrote: > > > On 09/06/2009 16:20, Steve Freegard wrote: > >> Devon Harding wrote: >> >> >>> Ok, here's my dilemma. My ISP has blocked port 25 on my connection, so >>> I'm forced to have my DNS provider (EasyDNS) redirect all my email to >>> port 2525. This works fine, the only problem now is I'm seeing an >>> influx of SPAM which I believe is because MailScanner is seeing EasyDNS >>> as a safe sender& not processing any rules based on IP Address. How do >>> I get MailScanner disregard the IP address from EasyDNS and process the >>> next hop? I guess something like X-Forwarded-For for SMTP. >>> >>> >> > From the changlog of the latest 4.77 release: >> >> "Read IP Address From Received Header" has been extended, so it will now >> take a number instead of yes or no. "yes"=1 and "no"=0. If it is set to >> "yes" or a number, then the SMTP client IP address is taken from the >> "Received:" header. For example, setting it to 2 will cause the IP >> address to be taken from the 2nd Received: header. >> >> >> > You took the words right out of my mouth! :-) > I knew someone would find this useful before too long... > > Jules > > The setting works, but how do I get it work with RCVD_IN_DNSWL_LOW which still gives my messages a -1 score. -Devon -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090610/54a2dfc3/attachment.html From amoore at dekalbmemorial.com Wed Jun 10 13:24:22 2009 
From: amoore at dekalbmemorial.com (Aaron K. Moore) Date: Wed Jun 10 13:24:37 2009 Subject: Mailscanner & redirected mail In-Reply-To: References: <2baac6140906090705k22889af6m9909a91e9f7b27c0@mail.gmail.com><4A2F61E8.8060507@ecs.soton.ac.uk> <4A2E7DCD.7050900@fsl.com> Message-ID: <60D398EB2DB948409CA1F50D8AF122570553C0EE@exch1.dekalbmemorial.local> You should be able to adjust the score for that rule in SpamAssassin. I'd just set it to 0 so that it doesn't add or subtract any points. -- Aaron Kent Moore Information Technology Services DeKalb Memorial Hospital, Inc. Auburn, Indiana Phone: 260.920.2808 E-Mail: amoore@dekalbmemorial.com ________________________________ 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Devon Harding Sent: Wednesday, June 10, 2009 7:25 AM To: MailScanner discussion Subject: Re: Mailscanner & redirected mail On Wed, Jun 10, 2009 at 3:34 AM, Julian Field wrote: On 09/06/2009 16:20, Steve Freegard wrote: Devon Harding wrote: Ok, here's my dilemma. My ISP has blocked port 25 on my connection, so I'm forced to have my DNS provider (EasyDNS) redirect all my email to port 2525. This works fine, the only problem now is I'm seeing an influx of SPAM which I believe is because MailScanner is seeing EasyDNS as a safe sender& not processing any rules based on IP Address. How do I get MailScanner disregard the IP address from EasyDNS and process the next hop? I guess something like X-Forwarded-For for SMTP. > From the changlog of the latest 4.77 release: "Read IP Address From Received Header" has been extended, so it will now take a number instead of yes or no. "yes"=1 and "no"=0. If it is set to "yes" or a number, then the SMTP client IP address is taken from the "Received:" header. For example, setting it to 2 will cause the IP address to be taken from the 2nd Received: header. You took the words right out of my mouth! :-) I knew someone would find this useful before too long... Jules The setting works, but how do I get it work with RCVD_IN_DNSWL_LOW which still gives my messages a -1 score. -Devon -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090610/d2176ffc/attachment.html From glenn.steen at gmail.com Wed Jun 10 13:36:04 2009 
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Jun 10 13:36:16 2009 Subject: Mailscanner & redirected mail In-Reply-To: <2baac6140906100425n3a2ad57x1c26f350fa2e870@mail.gmail.com> References: <2baac6140906090705k22889af6m9909a91e9f7b27c0@mail.gmail.com> <4A2F61E8.8060507@ecs.soton.ac.uk> <4A2E7DCD.7050900@fsl.com> <2baac6140906100425n3a2ad57x1c26f350fa2e870@mail.gmail.com> Message-ID: <223f97700906100536r60ad2477q9c1666ece418b02@mail.gmail.com> 2009/6/10 Devon Harding : > > > On Wed, Jun 10, 2009 at 3:34 AM, Julian Field > wrote: >> >> >> On 09/06/2009 16:20, Steve Freegard wrote: >>> >>> Devon Harding wrote: >>> >>>> >>>> Ok, here's my dilemma. ?My ISP has blocked port 25 on my connection, so >>>> I'm forced to have my DNS provider (EasyDNS) redirect all my email to >>>> port 2525. ?This works fine, the only problem now is I'm seeing an >>>> influx of SPAM which I believe is because MailScanner is seeing EasyDNS >>>> as a safe sender& ?not processing any rules based on IP Address. ?How do >>>> I get MailScanner disregard the IP address from EasyDNS and process the >>>> next hop? ?I guess something like X-Forwarded-For for SMTP. >>>> >>> >>> > From the changlog of the latest 4.77 release: >>> >>> "Read IP Address From Received Header" has been extended, so it will now >>> take a number instead of yes or no. "yes"=1 and "no"=0. If it is set to >>> "yes" or a number, then the SMTP client IP address is taken from the >>> "Received:" header. For example, setting it to 2 will cause the IP >>> address to be taken from the 2nd Received: header. >>> >>> >> >> You took the words right out of my mouth! :-) >> I knew someone would find this useful before too long... >> >> Jules >> > > The setting works, but how do I get it work with?RCVD_IN_DNSWL_LOW ?which > still gives my messages a -1 score. > -Devon > You configure your trusted_networks/internal_networks correctly (for SA... Likely in local.cf or mailscanner.cf)... 
SA will normally "autodetect" what this should be, but since you want to trust the "last hop", you need specify that/those IP addresses (and all "local" trusted networks/addresses) explicitly. Scott gave you a link, but ISTR there should be a better one .... This is to the specific section: http://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Conf.html#network_test_options ... and this is to the wiki page: http://wiki.apache.org/spamassassin/TrustPath and another good one: http://wiki.apache.org/spamassassin/TrustedRelays Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From mailbag at partnersolutions.ca Wed Jun 10 14:04:57 2009 From: mailbag at partnersolutions.ca (PSI Mailbag) Date: Wed Jun 10 14:05:01 2009 Subject: Possible config option to skip filename/filettype checks for the message body? In-Reply-To: References: <0A5EC380C825E440B3BB048CDE603A1659F0@PSIMS002.pshosting.intranet><4A16657A.2010906@ecs.soton.ac.uk> <0A5EC380C825E440B3BB048CDE603A160A9798@PSIMS002.pshosting.intranet><4A2F6148.8060802@ecs.soton.ac.uk> Message-ID: <0A5EC380C825E440B3BB048CDE603A160A97AB@PSIMS002.pshosting.intranet> > That's actually a lot harder than you would think. It is very difficult > for me to work out what is the body of the message and what is an > attachment from the output data structure of the MIME explosion code > which is in MIME-tools. The way mail apps tend to do it is look for the > text/plain and text/html parts, which can be easily subverted into > making them actually hide attachments in them. Thanks for the clarification, Julian. I had tried allowing by mime type, but that magic file also picks it up as quicktime. I'll have to just continue to edit these until I run out of FP's. Cheers, -Joshua From sandro at e-den.it Wed Jun 10 15:13:31 2009 
From: sandro at e-den.it (Alessandro Dentella)
Date: Wed Jun 10 15:14:06 2009
Subject: spam being delivered with high score
In-Reply-To: <72cf361e0906090333v396a021fhe3366719c124d207@mail.gmail.com>
References: <20090609084332.GA32578@ubuntu> <72cf361e0906090217v7dc0169dw84d219043cf96217@mail.gmail.com> <20090609101844.GA6490@ubuntu> <72cf361e0906090333v396a021fhe3366719c124d207@mail.gmail.com>
Message-ID: <20090610141331.GC29288@ubuntu>

> > X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
> >        See http://spamassassin.org/tag/ for more details.
> >        0.0 MISSING_DATE           Missing Date: header
> >        0.6 HTML_IMAGE_RATIO_02    BODY: HTML has a low ratio of text to image area
> >        0.0 HTML_MESSAGE           BODY: HTML included in message
> >        1.7 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
> >        1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
> >        above 50%
> >        [cf: 100]
> >        2.0 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
> >        0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
> >        [cf: 100]
> >        2.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
> >        [89.33.169.107 listed in zen.spamhaus.org]
> >        1.1 RCVD_IN_SORBS_WEB      RBL: SORBS: sender is a abuseable web server
> >        [89.33.169.107 listed in dnsbl.sorbs.net]
> >        2.5 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
> >        [Blocked - see ]
> > X-VA-Spam-Flag: YES
> > X-Spam-Flag: YES
> > X-Headers-End: 1MDNHN-0007fQ-4s
> > Subject: {Disarmed} [SPAM] Books you need
> > Date: Sun,  7 Jun 2009 20:39:31 +0200 (CEST)
> > X-MailScanner-ID: 957E45C74E.955AD
> > X-thundersystems-MailScanner: Found to be clean
> > X-thundersystems-MailScanner-SpamScore: ssss
> > X-thundersystems-MailScanner-From: sdtcl@users.sourceforge.net
> > X-Spam-Status: No
> > Status: O
> > Content-Length: 5344
> >
> > sandro
> > *:-)
> >
> >
> > --
> > Sandro Dentella  *:-)
> > http://sqlkit.argolinux.org        SQLkit home page - PyGTK/python/sqlalchemy
> > --
> > MailScanner mailing list
> > mailscanner@lists.mailscanner.info
> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >
> > Before posting, read http://wiki.mailscanner.info/posting
> >
> > Support MailScanner development - buy the book off the website!
> >
> >
> Sandro
>
> MailScanner only scored it as 4 (4 s's in the
> X-thundersystems-MailScanner-SpamScore: ssss line) Something else must
> be spamassassin scoring this as well.

thanks for spotting out that the mailscanner that was working correctly was not mine!... (mx.sourceforge.net)... now I should improve mine!

sandro
*:-)

From devonharding at gmail.com Wed Jun 10 16:58:59 2009
From: devonharding at gmail.com (Devon Harding)
Date: Wed Jun 10 16:59:17 2009
Subject: Mailscanner & redirected mail
In-Reply-To: <223f97700906100536r60ad2477q9c1666ece418b02@mail.gmail.com>
References: <2baac6140906090705k22889af6m9909a91e9f7b27c0@mail.gmail.com> <4A2F61E8.8060507@ecs.soton.ac.uk> <4A2E7DCD.7050900@fsl.com> <2baac6140906100425n3a2ad57x1c26f350fa2e870@mail.gmail.com> <223f97700906100536r60ad2477q9c1666ece418b02@mail.gmail.com>
Message-ID: <2baac6140906100858j2bf4ce74kcc7b804f28d7c3d7@mail.gmail.com>

On Wed, Jun 10, 2009 at 8:36 AM, Glenn Steen wrote:

> 2009/6/10 Devon Harding :
> >
> >
> > On Wed, Jun 10, 2009 at 3:34 AM, Julian Field <MailScanner@ecs.soton.ac.uk>
> > wrote:
> >>
> >>
> >> On 09/06/2009 16:20, Steve Freegard wrote:
> >>>
> >>> Devon Harding wrote:
> >>>
> >>>>
> >>>> Ok, here's my dilemma. My ISP has blocked port 25 on my connection, so
> >>>> I'm forced to have my DNS provider (EasyDNS) redirect all my email to
> >>>> port 2525. This works fine, the only problem now is I'm seeing an
> >>>> influx of SPAM which I believe is because MailScanner is seeing EasyDNS
> >>>> as a safe sender& not processing any rules based on IP Address. How do
> >>>> I get MailScanner disregard the IP address from EasyDNS and process the
> >>>> next hop? I guess something like X-Forwarded-For for SMTP.
> >>>>
> >>>
> >>> > From the changlog of the latest 4.77 release:
> >>>
> >>> "Read IP Address From Received Header" has been extended, so it will now
> >>> take a number instead of yes or no. "yes"=1 and "no"=0. If it is set to
> >>> "yes" or a number, then the SMTP client IP address is taken from the
> >>> "Received:" header. For example, setting it to 2 will cause the IP
> >>> address to be taken from the 2nd Received: header.
> >>>
> >>>
> >>
> >> You took the words right out of my mouth! :-)
> >> I knew someone would find this useful before too long...
> >>
> >> Jules
> >>
> >
> > The setting works, but how do I get it work with RCVD_IN_DNSWL_LOW which
> > still gives my messages a -1 score.
> > -Devon
> >
> You configure your trusted_networks/internal_networks correctly (for
> SA... Likely in local.cf or mailscanner.cf)... SA will normally
> "autodetect" what this should be, but since you want to trust the
> "last hop", you need specify that/those IP addresses (and all "local"
> trusted networks/addresses) explicitly. Scott gave you a link, but
> ISTR there should be a better one .... This is to the specific
> section:
> http://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Conf.html#network_test_options
> ... and this is to the wiki page:
> http://wiki.apache.org/spamassassin/TrustPath and another good one:
> http://wiki.apache.org/spamassassin/TrustedRelays
>
> Cheers
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se
> --
>

But if I trust my 'last hop', in my case EasyDNS, wouldn't it mark ALL messages from them (including the SPAM) as clean?

Here's an example of the mail hops from a SPAM and how MailScanner now sees it. (Taken from Mailwatch. domain.com is used for my domain.)

Received from:
38.99.42.36

Received Via:
IP Address      Hostname
64.68.200.52    smtp.easydns.com
38.99.42.36     smtp.podomatic.com
127.0.0.1       mars.domain.com
38.99.42.42     luke.dc.podomatic.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090610/5c0ad8c2/attachment.html

From glenn.steen at gmail.com Wed Jun 10 20:11:21 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Jun 10 20:11:30 2009
Subject: Mailscanner & redirected mail
In-Reply-To: <2baac6140906100858j2bf4ce74kcc7b804f28d7c3d7@mail.gmail.com>
References: <2baac6140906090705k22889af6m9909a91e9f7b27c0@mail.gmail.com> <4A2F61E8.8060507@ecs.soton.ac.uk> <4A2E7DCD.7050900@fsl.com> <2baac6140906100425n3a2ad57x1c26f350fa2e870@mail.gmail.com> <223f97700906100536r60ad2477q9c1666ece418b02@mail.gmail.com> <2baac6140906100858j2bf4ce74kcc7b804f28d7c3d7@mail.gmail.com>
Message-ID: <223f97700906101211i72159bbcu6fd9e2309204e9a5@mail.gmail.com>

2009/6/10 Devon Harding :
>
>
> On Wed, Jun 10, 2009 at 8:36 AM, Glenn Steen wrote:
>>
>> 2009/6/10 Devon Harding :
>> >
>> >
>> > On Wed, Jun 10, 2009 at 3:34 AM, Julian Field
>> > wrote:
>> >>
>> >>
>> >> On 09/06/2009 16:20, Steve Freegard wrote:
>> >>>
>> >>> Devon Harding wrote:
>> >>>
>> >>>>
>> >>>> Ok, here's my dilemma. My ISP has blocked port 25 on my connection, so
>> >>>> I'm forced to have my DNS provider (EasyDNS) redirect all my email to
>> >>>> port 2525. This works fine, the only problem now is I'm seeing an
>> >>>> influx of SPAM which I believe is because MailScanner is seeing EasyDNS
>> >>>> as a safe sender& not processing any rules based on IP Address. How do
>> >>>> I get MailScanner disregard the IP address from EasyDNS and process the
>> >>>> next hop? I guess something like X-Forwarded-For for SMTP.
>> >>>>
>> >>>
>> >>> > From the changlog of the latest 4.77 release:
>> >>>
>> >>> "Read IP Address From Received Header" has been extended, so it will now
>> >>> take a number instead of yes or no. "yes"=1 and "no"=0. If it is set to
>> >>> "yes" or a number, then the SMTP client IP address is taken from the
>> >>> "Received:" header. For example, setting it to 2 will cause the IP
>> >>> address to be taken from the 2nd Received: header.
>> >>>
>> >>>
>> >>
>> >> You took the words right out of my mouth! :-)
>> >> I knew someone would find this useful before too long...
>> >>
>> >> Jules
>> >>
>> >
>> > The setting works, but how do I get it work with RCVD_IN_DNSWL_LOW which
>> > still gives my messages a -1 score.
>> > -Devon
>> >
>> You configure your trusted_networks/internal_networks correctly (for
>> SA... Likely in local.cf or mailscanner.cf)... SA will normally
>> "autodetect" what this should be, but since you want to trust the
>> "last hop", you need specify that/those IP addresses (and all "local"
>> trusted networks/addresses) explicitly. Scott gave you a link, but
>> ISTR there should be a better one .... This is to the specific
>> section:
>> http://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Conf.html#network_test_options
>> ... and this is to the wiki page:
>> http://wiki.apache.org/spamassassin/TrustPath and another good one:
>> http://wiki.apache.org/spamassassin/TrustedRelays
>>
>> Cheers
>> --
>> -- Glenn
>> email: glenn < dot > steen < at > gmail < dot > com
>> work: glenn < dot > steen < at > ap1 < dot > se
>> --
>
> But if I trust my 'last hop', in my case EasyDNS, wouldn't it mark ALL
> messages from them (Including the SPAM) as clean?

Only if there were no other Received: lines. Go look at all the links, they explain what this does far more eloquently than lil' ol' me can.... or will.... :-)

Anyway, the point of ignoring the "most recent" Received: line (in MailScanner) pretty much fills the same purpose, AFAICS, as including that relay host(s) IP in your trusted_networks... It'd affect SA rules on IPs, so ... not exactly be an "allow everything" thing ;-)

> Here's an example of the mail hops from a SPAM and how MailScanner now sees
> it. (taken from Mailwatch. domain.com is used for my domain)
> Received from:
> 38.99.42.36
> Received Via:
> IP Address      Hostname
> 64.68.200.52    smtp.easydns.com
> 38.99.42.36     smtp.podomatic.com
> 127.0.0.1       mars.domain.com
> 38.99.42.42     luke.dc.podomatic.com

Yes, and including the easydns address (64.68.200.52) in your trusted IPs would mean that the first IP address SA wouldn't trust is the same as for MS. So what is the problem? As said, there are some very nice examples of what happens on the rather short and lucid links I gave you. Read them!

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From abruce at hope-st.ath.cx Wed Jun 10 22:15:53 2009
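The hop list from this thread worked through both mechanisms discussed above, as an added example (not code from MailScanner or SpamAssassin): taking the client IP from the Nth Received: header, and walking the relays until the first one outside a trusted set. The Received: headers are constructed from the posted hop list, counting headers from the top (newest first) is an assumption, and the trusted-set walk is a simplification of SpamAssassin's trust path.

```python
import ipaddress
import re

# Constructed Received: headers, newest first, built from the hop list
# posted in the thread. The "by" clauses are filled in for illustration.
RECEIVED = [
    "from smtp.easydns.com (smtp.easydns.com [64.68.200.52]) by mars.domain.com",
    "from smtp.podomatic.com (smtp.podomatic.com [38.99.42.36]) by smtp.easydns.com",
    "from localhost (localhost [127.0.0.1]) by smtp.podomatic.com",
    "from luke.dc.podomatic.com (luke.dc.podomatic.com [38.99.42.42]) by localhost",
]

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ip(received_header):
    """Return the bracketed IPv4 address of one Received: header, or None."""
    match = IP_IN_BRACKETS.search(received_header)
    if not match:
        return None
    try:
        return ipaddress.ip_address(match.group(1))
    except ValueError:
        # Looked like an address but is not one (e.g. an octet above 255).
        return None


def nth_received_ip(headers, n):
    """Client IP as read from the n-th Received: header (1 = newest).

    Assumption: this mirrors "Read IP Address From Received Header = n"
    as described in the changelog text quoted in the thread.
    """
    if n < 1 or n > len(headers):
        return None
    return relay_ip(headers[n - 1])


def first_untrusted_relay(headers, trusted_networks):
    """Walk newest-to-oldest; return the first relay outside the trusted set.

    Simplified trust path: a header is only believed while every relay
    before it was trusted, so the walk stops at the first untrusted or
    unparsable hop.
    """
    nets = [ipaddress.ip_network(t) for t in trusted_networks]
    for header in headers:
        ip = relay_ip(header)
        if ip is None:
            return None
        if not any(ip in net for net in nets):
            return ip
    return None


def compare(headers, n, trusted_networks):
    """Show which IP each mechanism would hand to IP-based rules."""
    return {
        "mailscanner_nth_header": str(nth_received_ip(headers, n)),
        "sa_first_untrusted": str(first_untrusted_relay(headers, trusted_networks)),
    }


if __name__ == "__main__":
    # Nothing trusted: IP-based rules look at the forwarding relay itself.
    print(compare(RECEIVED, 1, []))
    # Relay trusted, second header used: both land on the same sending host.
    print(compare(RECEIVED, 2, ["64.68.200.52"]))
```

With the relay in the trusted set, IP-based checks move one hop back to 38.99.42.36 rather than being skipped, which is the point made in the reply above.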
From: abruce at hope-st.ath.cx (Andrew Bruce)
Date: Wed Jun 10 22:16:11 2009
Subject: MS Office 2007 File Problems
Message-ID: <7fc85259aacddad6fce9ec814659cf24@hope-st.ath.cx>

Hi,

I'm having some trouble with Office 2007 files not being allowed through MailScanner.

I've got these (applicable) rules in my filename.rules.conf:

# docx
allow \.docx$ - -
allow \.xml[0-9]\.rel$ - -

# Allow repeated file extension, e.g. blah.zip.zip
allow (\.[a-z0-9]{3})\1$ - -

# Deny all other double file extensions. This catches any hidden filenames.
deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding Attempt to hide real filename extension

Yet am still seeing results like this:

Report: MailScanner: Attempt to hide real filename extension (document.xml.rel)
        MailScanner: Attempt to hide real filename extension (settings.xml.rel)
Report: MailScanner: Attempt to hide real filename extension (document.xml1.rel)
        MailScanner: Attempt to hide real filename extension (settings.xml1.rel)
Report: MailScanner: Attempt to hide real filename extension (document.xml1.rel)
Report: MailScanner: Attempt to hide real filename extension (document.xml.rel)
Report: MailScanner: Attempt to hide real filename extension (settings.xml.rel)
Report: MailScanner: Attempt to hide real filename extension (settings.xml1.rel)

I'm running MailScanner version 4.61.7 (yes, I will be upgrading this when I can afford the server downtime).

Any idea why this would be?

Thanks,

Andrew

From doc at maddoc.net Wed Jun 10 22:42:44 2009
From: doc at maddoc.net (Doc Schneider)
Date: Wed Jun 10 22:43:01 2009
Subject: ClamAV 0.95.2 released
Message-ID: <4A3028D4.5000108@maddoc.net>

New ClamAV is out.

--
-Doc
Lincoln, NE.
http://www.fsl.com/
http://www.genealogyforyou.com/
http://www.cairnproductions.com/

From alex at rtpty.com Thu Jun 11 00:27:51 2009
From: alex at rtpty.com (Alex Neuman) Date: Thu Jun 11 00:28:03 2009 Subject: MS Office 2007 File Problems In-Reply-To: <7fc85259aacddad6fce9ec814659cf24@hope-st.ath.cx> References: <7fc85259aacddad6fce9ec814659cf24@hope-st.ath.cx> Message-ID: <24e3d2e40906101627m6e39371ahc7d66a8bf69bbbff@mail.gmail.com> Because you have the "double file extension" rule set, and files inside the compress office docx files have dotsomethingdotsomethinelsedotblah in them. On Wed, Jun 10, 2009 at 4:15 PM, Andrew Bruce wrote: > Hi, > > I'm having some trouble with Office 2007 files not being allowed through > MailScanner. > > I've got these (applicable) rules in my filename.rules.conf: > > > > # docx > allow \.docx$ - - > allow \.xml[0-9]\.rel$ - - > > # Allow repeated file extension, e.g. blah.zip.zip > allow (\.[a-z0-9]{3})\1$ - - > > # Deny all other double file extensions. This catches any hidden filenames. > deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding > Attempt to hide real filename extension > > > > Yet am still seeing results like this: > Report: MailScanner: Attempt to hide real filename extension > (document.xml.rel) > MailScanner: Attempt to hide real filename extension (settings.xml.rel) > Report: MailScanner: Attempt to hide real filename extension > (document.xml1.rel) > MailScanner: Attempt to hide real filename extension (settings.xml1.rel) > Report: MailScanner: Attempt to hide real filename extension > (document.xml1.rel) > Report: MailScanner: Attempt to hide real filename extension > (document.xml.rel) > Report: MailScanner: Attempt to hide real filename extension > (settings.xml.rel) > Report: MailScanner: Attempt to hide real filename extension > (settings.xml1.rel) > > > I'm running MailScanner version 4.61.7 (yes, I will be upgrading this when > I can afford the server downtime). > > Any idea why this would be? 
> > > Thanks, > > Andrew > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- Alex Neuman van der Hans Reliant Technologies +507 6781-9505 +507 202-1525 alex@rtpty.com Skype: alexneuman -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090610/e64f638c/attachment.html From abruce at hope-st.ath.cx Thu Jun 11 01:11:35 2009 
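The filename rules posted in this thread, run against the filenames from the reports, as an added example (not MailScanner's own code). It assumes rules are tried top to bottom with the first matching regex deciding, and that a name matching no rule is allowed; the `WIDENED` rule set is a hypothetical variant for comparison.

```python
import re

# Rules as posted in the thread (filename.rules.conf), in file order.
RULES = [
    ("allow", r"\.docx$"),
    ("allow", r"\.xml[0-9]\.rel$"),
    ("allow", r"(\.[a-z0-9]{3})\1$"),
    ("deny", r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$"),
]

# Hypothetical variant: the digit after "xml" becomes optional.
WIDENED = [
    ("allow", r"\.docx$"),
    ("allow", r"\.xml[0-9]*\.rel$"),
    ("allow", r"(\.[a-z0-9]{3})\1$"),
    ("deny", r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$"),
]

# Filenames taken from the "Attempt to hide real filename extension" reports.
REPORTED = [
    "document.xml.rel",
    "settings.xml.rel",
    "document.xml1.rel",
    "settings.xml1.rel",
]


def decide(filename, rules=RULES):
    """Return (action, pattern) of the first rule whose regex matches."""
    for action, pattern in rules:
        if re.search(pattern, filename):
            return action, pattern
    # Assumption: a name that matches no rule passes.
    return "allow", None


def explain(filename, rules=RULES):
    """Every rule with a flag for whether it matches, in file order.

    Shows when a later deny would also match but never gets a say
    because an earlier allow already decided.
    """
    return [
        (action, pattern, bool(re.search(pattern, filename)))
        for action, pattern in rules
    ]


def audit(filenames, rules=RULES):
    """Map each filename to the action the rule set gives it."""
    return {name: decide(name, rules)[0] for name in filenames}


if __name__ == "__main__":
    for name in REPORTED + ["blah.zip.zip", "invoice.pdf.exe"]:
        action, pattern = decide(name)
        print(f"{name:20} {action:5} by {pattern}")
    print(audit(REPORTED, WIDENED))
```

Under these assumptions the posted allow rule covers the `xml1.rel` names but not the `xml.rel` ones, which fall through to the deny rule because `[0-9]` requires exactly one digit.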
From: abruce at hope-st.ath.cx (Andrew Bruce) Date: Thu Jun 11 01:11:53 2009 Subject: MS Office 2007 File Problems In-Reply-To: <24e3d2e40906101627m6e39371ahc7d66a8bf69bbbff@mail.gmail.com> References: <7fc85259aacddad6fce9ec814659cf24@hope-st.ath.cx> <24e3d2e40906101627m6e39371ahc7d66a8bf69bbbff@mail.gmail.com> Message-ID: Are rules not processed in order? Surely an allow line higher in the list would be matched first and the attachment allowed through, before the deny rule stops them? AB On Wed, 10 Jun 2009 18:27:51 -0500, Alex Neuman wrote: Because you have the "double file extension" rule set, and files inside the compress office docx files have dotsomethingdotsomethinelsedotblah in them. On Wed, Jun 10, 2009 at 4:15 PM, Andrew Bruce wrote: Hi, I'm having some trouble with Office 2007 files not being allowed through MailScanner. I've got these (applicable) rules in my filename.rules.conf: # docx allow .docx$ - - allow .xml[0-9].rel$ - - # Allow repeated file extension, e.g. blah.zip.zip allow (.[a-z0-9]{3})1$ - - # Deny all other double file extensions. This catches any hidden filenames. deny .[a-z][a-z0-9]{2,3}s*.[a-z0-9]{3}$ Found possible filename hiding Attempt to hide real filename extension Yet am still seeing results like this: Report: MailScanner: Attempt to hide real filename extension (document.xml.rel) MailScanner: Attempt to hide real filename extension (settings.xml.rel) Report: MailScanner: Attempt to hide real filename extension (document.xml1.rel) MailScanner: Attempt to hide real filename extension (settings.xml1.rel) Report: MailScanner: Attempt to hide real filename extension (document.xml1.rel) Report: MailScanner: Attempt to hide real filename extension (document.xml.rel) Report: MailScanner: Attempt to hide real filename extension (settings.xml.rel) Report: MailScanner: Attempt to hide real filename extension (settings.xml1.rel) I'm running MailScanner version 4.61.7 (yes, I will be upgrading this when I can afford the server downtime). 
Any idea why this would be? Thanks, Andrew -- Alex Neuman van der Hans Reliant Technologies +507 6781-9505 +507 202-1525 alex@rtpty.com Skype: alexneuman From rcooper at dwford.com Thu Jun 11 02:33:35 2009 From: rcooper at dwford.com (Rick Cooper) Date: Thu Jun 11 02:33:50 2009 Subject: MS Office 2007 File Problems In-Reply-To: References: <7fc85259aacddad6fce9ec814659cf24@hope-st.ath.cx><24e3d2e40906101627m6e39371ahc7d66a8bf69bbbff@mail.gmail.com> Message-ID: ----Original Message---- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Andrew Bruce Sent: Wednesday, June 10, 2009 8:12 PM To: MailScanner discussion Subject: Re: MS Office 2007 File Problems > Are rules not processed in order? > > Surely an allow line higher in the list would be matched first and the > attachment allowed through, before the deny rule stops them? > > AB > > On Wed, 10 Jun 2009 18:27:51 -0500, Alex Neuman wrote: > > Because you have the "double file extension" rule set, and files inside > the compress office docx files have dotsomethingdotsomethinelsedotblah in > them. > On Wed, Jun 10, 2009 at 4:15 PM, Andrew Bruce wrote: > Hi, > > I'm having some trouble with Office 2007 files not being allowed through > MailScanner. > > I've got these (applicable) rules in my filename.rules.conf: > > # docx > allow .docx$ - - > allow .xml[0-9].rel$ - - Change to: allow \.x(ml)?\d{0,}\.rel$ Depending on the number and type of .rel files the names get pretty tricky. I suppose the format is documented somewhere but painful experience brought me to the above expression > > # Allow repeated file extension, e.g. blah.zip.zip > allow (.[a-z0-9]{3})1$ - - > > # Deny all other double file extensions. This catches any hidden > filenames. 
> deny .[a-z][a-z0-9]{2,3}s*.[a-z0-9]{3}$ Found possible filename hiding > Attempt to hide real filename extension > > Yet am still seeing results like this: > Report: MailScanner: Attempt to hide real filename extension > (document.xml.rel) > MailScanner: Attempt to hide real filename extension (settings.xml.rel) > Report: MailScanner: Attempt to hide real filename extension > (document.xml1.rel) > MailScanner: Attempt to hide real filename extension (settings.xml1.rel) > Report: MailScanner: Attempt to hide real filename extension > (document.xml1.rel) > Report: MailScanner: Attempt to hide real filename extension > (document.xml.rel) > Report: MailScanner: Attempt to hide real filename extension > (settings.xml.rel) > Report: MailScanner: Attempt to hide real filename extension > (settings.xml1.rel) > > I'm running MailScanner version 4.61.7 (yes, I will be upgrading this > when > I can afford the server downtime). > > Any idea why this would be? > > Thanks, > > Andrew > > -- > Alex Neuman van der Hans > Reliant Technologies > +507 6781-9505 > +507 202-1525 > alex@rtpty.com > Skype: alexneuman 
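The rule-matching question in this thread can be checked offline. The following is an added example, not part of any post and not MailScanner code: it runs the patterns exactly as printed in the message above, plus the replacement expression from the reply, against the four reported filenames under two possible readings of rule order (first match wins; any matching deny wins). Python's `re` module stands in for Perl's regex engine, and all function names are assumptions of this example.

```python
import re

# Patterns copied verbatim from the filename.rules.conf excerpt in the thread,
# in file order. Only (action, pattern) is modelled; the log and report text
# fields of each rule are left out.
POSTED_RULES = [
    ("allow", r".docx$"),
    ("allow", r".xml[0-9].rel$"),
    ("allow", r"(.[a-z0-9]{3})1$"),
    ("deny", r".[a-z][a-z0-9]{2,3}s*.[a-z0-9]{3}$"),
]

# Same list with the second rule swapped for the expression given in the reply.
SUGGESTED_RULES = list(POSTED_RULES)
SUGGESTED_RULES[1] = ("allow", r"\.x(ml)?\d{0,}\.rel$")

# Filenames taken from the "Attempt to hide real filename extension" reports.
REPORTED = [
    "document.xml.rel",
    "settings.xml.rel",
    "document.xml1.rel",
    "settings.xml1.rel",
]


def matching_rules(rules, filename):
    """Return [(rule_index, action)] for every rule whose pattern matches."""
    return [
        (index, action)
        for index, (action, pattern) in enumerate(rules)
        if re.search(pattern, filename)
    ]


def first_match_verdict(rules, filename):
    """Reading 1: rules are tried in order and the first hit decides."""
    hits = matching_rules(rules, filename)
    return hits[0][1] if hits else "no match"


def any_deny_verdict(rules, filename):
    """Reading 2: a matching deny rule wins wherever it sits in the file."""
    actions = [action for _, action in matching_rules(rules, filename)]
    if "deny" in actions:
        return "deny"
    return "allow" if actions else "no match"


def verdict_table(rules, filenames=REPORTED):
    """Map filename -> (first-match verdict, any-deny verdict)."""
    return {
        name: (first_match_verdict(rules, name), any_deny_verdict(rules, name))
        for name in filenames
    }


if __name__ == "__main__":
    for label, rules in (("posted", POSTED_RULES), ("suggested", SUGGESTED_RULES)):
        print(f"--- {label} rules ---")
        for name, (first, any_deny) in verdict_table(rules).items():
            hits = matching_rules(rules, name)
            print(f"{name:20} hits={hits} first-match={first} any-deny={any_deny}")
    # As printed, the repeated-extension rule ends in a literal "1", so the
    # blah.zip.zip case named in its comment only reaches the deny rule.
    print("blah.zip.zip", matching_rules(POSTED_RULES, "blah.zip.zip"))
```

With the patterns as printed, `document.xml.rel` and `settings.xml.rel` hit only the deny rule under either reading, because `.xml[0-9].rel$` requires a digit after `xml`; the suggested expression matches all four names, which changes the outcome only under the first-match reading.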
From pascal.maes at elec.ucl.ac.be Thu Jun 11 11:55:51 2009 
From: pascal.maes at elec.ucl.ac.be (Pascal Maes) Date: Thu Jun 11 11:56:06 2009 Subject: Invalid queue files Message-ID: <862FADAC-FA6F-4FEC-A0C9-B79D4513795D@elec.ucl.ac.be> Hello Postifx 2.6.2 MailScanner 4.77.10 I see the following error : Jun 11 12:49:41 smtp-1 MailScanner[25978]: New Batch: Found 96 messages waiting Jun 11 12:49:41 smtp-1 MailScanner[25978]: New Batch: Scanning 1 messages, 9600 bytes Jun 11 12:49:47 smtp-1 MailScanner[19223]: New Batch: Found invalid queue files: 573BBE8ACC D52BDE8A66 A5CCEE8C3C DE9CBE89FA 09005E8A23 B23BEE8A53 88695E8B03 A6017E8BA0 477BAE8BE1 23F45E8BDF 73906E8BEC 4764AE8A00 BBEC7E8CD1 467AEE8CD8 13E66E8CD3 DC838E8946 E2053E8A6F 9DC4AE8AB5 341AAE8D09 257CAE8D12 624ACE8C2B C1DD7E8D42 0E2C4E8D45 C1E35E8D44 3721AE8D48 BA375E8D3F 4C8FEE8CFD A860CE8D1C A4035E8CED 22141E8C5D AA27EE8811 21DF0E885D EE6F8E8CFA D53CCE8D0D 61D02E8899 1DFECE8A27 2521EE8C45 DF001E8D25 C6E47E8D8F 9DB7CE8D97 E4E2EE8D27 68AB4E8CF3 607E1E8CBF 5BD6FE8CB3 6C1F7E8D50 9C46BE8C1F 37C6AE8D55 38916E8D6B 4652AE8D79 A2CF3E8A43 AFCDBE8D1F 0E3A1E8D6D 32D4DE8CEF 7ADCBE8D23 D99A7E8D73 70ACBE8D95 BAC54E8C3D 9A1BBE8C7E 4CC30E8BA5 99F08E8C6A A5C43E8C8A 4AFFDE8D63 47F9DE8D49 602B7E8D01 BB1BFE8CD6 03BBAE8D56 0D556E8BC0 35C9FE8DAB E31E8E8DFA 60DA4E8C8B Jun 11 12:49:47 smtp-1 MailScanner[19223]: New Batch: Found 98 messages waiting Jun 11 12:49:47 smtp-1 MailScanner[19223]: New Batch: Scanning 3 messages, 44948 bytes Jun 11 12:49:48 smtp-1 MailScanner[11396]: New Batch: Found invalid queue files: 573BBE8ACC D52BDE8A66 A5CCEE8C3C DE9CBE89FA 09005E8A23 B23BEE8A53 88695E8B03 A6017E8BA0 477BAE8BE1 23F45E8BDF 73906E8BEC 4764AE8A00 BBEC7E8CD1 467AEE8CD8 13E66E8CD3 DC838E8946 E2053E8A6F 9DC4AE8AB5 341AAE8D09 257CAE8D12 624ACE8C2B C1DD7E8D42 0E2C4E8D45 C1E35E8D44 3721AE8D48 BA375E8D3F 4C8FEE8CFD A860CE8D1C A4035E8CED 22141E8C5D AA27EE8811 21DF0E885D EE6F8E8CFA D53CCE8D0D 61D02E8899 1DFECE8A27 2521EE8C45 DF001E8D25 C6E47E8D8F 9DB7CE8D97 E4E2EE8D27 68AB4E8CF3 607E1E8CBF 5BD6FE8CB3 
6C1F7E8D50 9C46BE8C1F 37C6AE8D55 38916E8D6B 4652AE8D79 A2CF3E8A43 AFCDBE8D1F 0E3A1E8D6D 32D4DE8CEF 7ADCBE8D23 D99A7E8D73 70ACBE8D95 BAC54E8C3D 9A1BBE8C7E 4CC30E8BA5 99F08E8C6A A5C43E8C8A 4AFFDE8D63 47F9DE8D49 602B7E8D01 BB1BFE8CD6 03BBAE8D56 0D556E8BC0 35C9FE8DAB E31E8E8DFA 60DA4E8C8B also : Jun 11 12:18:57 smtp-1 MailScanner[11396]: p record handling: Loop condition found, aborting file. Jun 11 12:18:57 smtp-1 MailScanner[11396]: New Batch: Found invalid queue files: 573BBE8ACC Jun 11 12:18:57 smtp-1 MailScanner[11396]: New Batch: Found 6 messages waiting Jun 11 12:18:57 smtp-1 MailScanner[11396]: New Batch: Scanning 1 messages, 5233 bytes What's wrong ? -- Pascal -- Pascal From pascal.maes at elec.ucl.ac.be Thu Jun 11 12:28:17 2009 
From: pascal.maes at elec.ucl.ac.be (Pascal Maes) Date: Thu Jun 11 12:28:31 2009 Subject: Invalid queue files In-Reply-To: <862FADAC-FA6F-4FEC-A0C9-B79D4513795D@elec.ucl.ac.be> References: <862FADAC-FA6F-4FEC-A0C9-B79D4513795D@elec.ucl.ac.be> Message-ID: <4630C514-1299-47E9-B71C-BFB78AAA99E3@elec.ucl.ac.be> To be complete, I have to say that the errors coincide with the installation of clamav 0.95.2 In my case clamav is not used by MailScanner but is acting with clamav-milter before the mail is put in the queue "hold" -- Pascal From devonharding at gmail.com Thu Jun 11 13:08:06 2009 
From: devonharding at gmail.com (Devon Harding) Date: Thu Jun 11 13:08:20 2009 Subject: Mailscanner & redirected mail In-Reply-To: <223f97700906101211i72159bbcu6fd9e2309204e9a5@mail.gmail.com> References: <2baac6140906090705k22889af6m9909a91e9f7b27c0@mail.gmail.com> <4A2F61E8.8060507@ecs.soton.ac.uk> <4A2E7DCD.7050900@fsl.com> <2baac6140906100425n3a2ad57x1c26f350fa2e870@mail.gmail.com> <223f97700906100536r60ad2477q9c1666ece418b02@mail.gmail.com> <2baac6140906100858j2bf4ce74kcc7b804f28d7c3d7@mail.gmail.com> <223f97700906101211i72159bbcu6fd9e2309204e9a5@mail.gmail.com> Message-ID: <2baac6140906110508k45329a2exea0900cdd5eb3e5e@mail.gmail.com> On Wed, Jun 10, 2009 at 3:11 PM, Glenn Steen wrote: > 2009/6/10 Devon Harding : > > > > > > On Wed, Jun 10, 2009 at 8:36 AM, Glenn Steen > wrote: > >> > >> 2009/6/10 Devon Harding : > >> > > >> > > >> > On Wed, Jun 10, 2009 at 3:34 AM, Julian Field > >> > > >> > wrote: > >> >> > >> >> > >> >> On 09/06/2009 16:20, Steve Freegard wrote: > >> >>> > >> >>> Devon Harding wrote: > >> >>> > >> >>>> > >> >>>> Ok, here's my dilemma. My ISP has blocked port 25 on my > connection, > >> >>>> so > >> >>>> I'm forced to have my DNS provider (EasyDNS) redirect all my email > to > >> >>>> port 2525. This works fine, the only problem now is I'm seeing an > >> >>>> influx of SPAM which I believe is because MailScanner is seeing > >> >>>> EasyDNS > >> >>>> as a safe sender& not processing any rules based on IP Address. > How > >> >>>> do > >> >>>> I get MailScanner disregard the IP address from EasyDNS and process > >> >>>> the > >> >>>> next hop? I guess something like X-Forwarded-For for SMTP. > >> >>>> > >> >>> > >> >>> > From the changlog of the latest 4.77 release: > >> >>> > >> >>> "Read IP Address From Received Header" has been extended, so it will > >> >>> now > >> >>> take a number instead of yes or no. "yes"=1 and "no"=0. 
If it is set > >> >>> to > >> >>> "yes" or a number, then the SMTP client IP address is taken from the > >> >>> "Received:" header. For example, setting it to 2 will cause the IP > >> >>> address to be taken from the 2nd Received: header. > >> >>> > >> >>> > >> >> > >> >> You took the words right out of my mouth! :-) > >> >> I knew someone would find this useful before too long... > >> >> > >> >> Jules > >> >> > >> > > >> > The setting works, but how do I get it work with RCVD_IN_DNSWL_LOW > >> > which > >> > still gives my messages a -1 score. > >> > -Devon > >> > > >> You configure your trusted_networks/internal_networks correctly (for > >> SA... Likely in local.cf or mailscanner.cf)... SA will normally > >> "autodetect" what this should be, but since you want to trust the > >> "last hop", you need specify that/those IP addresses (and all "local" > >> trusted networks/addresses) explicitly. Scott gave you a link, but > >> ISTR there should be a better one .... This is to the specific > >> section: > >> > http://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Conf.html#network_test_options > >> ... and this is to the wiki page: > >> http://wiki.apache.org/spamassassin/TrustPath and another good one: > >> http://wiki.apache.org/spamassassin/TrustedRelays > >> > >> Cheers > >> -- > >> -- Glenn > >> email: glenn < dot > steen < at > gmail < dot > com > >> work: glenn < dot > steen < at > ap1 < dot > se > >> -- > > > > But if I trust my 'last hop', in my case EasyDNS, wouldn't it mark ALL > > messages from them (Including the SPAM) as clean? > Only if there were no other Received: lines. Go look at all the links, > they explain what this does far more eloquently then lil' ol' me > can.... or will....:-) > Anyway, the point of ignoring the "most recent" Received: line (in > MailScanner) pretty much fill the same purpose, AFAICS, as including > that relay host(s) IP in your trusted_networks... It'd affect SA rules > on IPs, so ... 
not exactly be a "allow everything" thing;-) > > > Here's an example of the mail hops from a SPAM and how MailScanner now > sees > > it. (taken from Mailwatch. domain.com is used for my domain) > > Received from: > > 38.99.42.36 > > Received Via: > > IP Address Hostname > > 64.68.200.52 smtp.easydns.com > > 38.99.42.36 smtp.podomatic.com > > 127.0.0.1 mars.domain.com > > 38.99.42.42 luke.dc.podomatic.com > Yes, and including the easydns address (64.68.200.52) in your trusted > IPs would mean that the first IP address SA wouldn't trust is the same > as for MS. So what is the problem? As said, there are some very nice > examples of what happens on the rather short and lucid links I gave > you. Read them! > > Cheers > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > -- > Perfect explanation! It works From mailscanner at barendse.to Thu Jun 11 13:27:26 2009 
From: mailscanner at barendse.to (Remco Barendse) Date: Thu Jun 11 13:27:41 2009 Subject: Problem Messages In-Reply-To: References: <4A256689.2080008@ecs.soton.ac.uk> Message-ID: On Tue, 2 Jun 2009, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Look for traces of the messages in your mail logs. That will tell you > what happened. You might then want to try digging the messages out of > quarantine and running them through MailScanner manually (start with > "MailScanner --help" and work from there) one at a time to see what goes > wrong. > > If you want to wipe the database you can always just delete it. Its > location in set in MailScanner.conf (look for "Processing.db" in there). > > Also, the fact that they have been the cause of these problems means > that they were never delivered, so you may want to take a look at them > and figure out if they were important and what you might want to do > about this. I keep getting the problem messages e-mails. The fact that mails are not delivered is not a problem, so far they are all spam. I suspect the problem is in Processing.db because i get this in my e-mail : Archive: Number of messages: 1 Tries Message Last Tried ===== ======= ========== 6 n59KLG4X024369 Tue Jun 9 22:51:41 2009 -- MailScanner However, when i search for that file : [root@mail ]# locate -i 59KLG4X024369 /var/spool/MailScanner/quarantine/20090609/n59KLG4X024369 /var/spool/MailScanner/quarantine/20090609/n59KLG4X024369/dfn59KLG4X024369 /var/spool/MailScanner/quarantine/20090609/n59KLG4X024369/qfn59KLG4X024369 The messages are long gone into quarantine and dealt with. 
[root@mail ]# cat /var/log/maillog | grep -i 59KLG4X024369 Jun 9 22:21:36 mail sendmail[24369]: n59KLG4X024369: from=, size=10348, class=0, nrcpts=1, msgid=, proto=ESMTP, daemon=MTA, relay=blu0-omc2-s15.blu0.hotmail.com [65.55.111.90] Jun 9 22:21:36 mail sendmail[24369]: n59KLG4X024369: to=, delay=00:00:00, mailer=esmtp, pri=40348, stat=queued Jun 9 22:25:07 mail MailScanner[22079]: Making attempt 2 at processing message n59KLG4X024369 Jun 9 22:30:59 mail MailScanner[23616]: Making attempt 3 at processing message n59KLG4X024369 Jun 9 22:36:51 mail MailScanner[20198]: Making attempt 4 at processing message n59KLG4X024369 Jun 9 22:42:33 mail MailScanner[19693]: Making attempt 5 at processing message n59KLG4X024369 Jun 9 22:46:03 mail MailScanner[23456]: Making attempt 6 at processing message n59KLG4X024369 Jun 9 22:46:04 mail MailScanner[24456]: Warning: skipping message n59KLG4X024369 as it has been attempted too many times Jun 9 22:46:04 mail MailScanner[24456]: Quarantined message n59KLG4X024369 as it caused MailScanner to crash several times Jun 9 22:46:04 mail MailScanner[24456]: Saved entire message to /var/spool/MailScanner/quarantine/20090609/n59KLG4X024369 Doesn't make me any wiser I'm running : Running on Linux 2.6.18-128.1.10.el5 #1 SMP Thu May 7 10:35:59 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux This is CentOS release 5.3 (Final) This is Perl version 5.008008 (5.8.8) This is MailScanner version 4.77.10 I want to try to run the e-mail manually through MailScanner but --info doesn't enlighten me (yes also here PBKAC) :PPP MailScanner [ -h|-v|--debug|--debug-sa|--lint ] | [ --processing | --processing= ] | [ -c|--changed ] | [ --id= ] | [ --inqueuedir= ] | [--value= --from= --to=, --to=, ...] --ip=, --virus= ] What should i do with the qf/df pair to run MailScanner manually? Thanks! From alex at rtpty.com Thu Jun 11 13:31:25 2009 
From: alex at rtpty.com (Alex Neuman) Date: Thu Jun 11 13:31:35 2009 Subject: MS Office 2007 File Problems In-Reply-To: References: <7fc85259aacddad6fce9ec814659cf24@hope-st.ath.cx> <24e3d2e40906101627m6e39371ahc7d66a8bf69bbbff@mail.gmail.com> Message-ID: <24e3d2e40906110531obd59d0dn8feb55496907df79@mail.gmail.com> It's not an ACL. It doesn't work that way. It's "or", or "any", not "first hit". Still, IMHO that rule is now somewhat outmoded and I, for one, turn it off. On Wed, Jun 10, 2009 at 7:11 PM, Andrew Bruce wrote: > Are rules not processed in order? > > Surely an allow line higher in the list would be matched first and the > attachment allowed through, before the deny rule stops them? > > AB > > On Wed, 10 Jun 2009 18:27:51 -0500, Alex Neuman wrote: > > Because you have the "double file extension" rule set, and files inside > the compress office docx files have dotsomethingdotsomethinelsedotblah in > them. > On Wed, Jun 10, 2009 at 4:15 PM, Andrew Bruce wrote: > Hi, > > I'm having some trouble with Office 2007 files not being allowed through > MailScanner. > > I've got these (applicable) rules in my filename.rules.conf: > > # docx > allow .docx$ - - > allow .xml[0-9].rel$ - - > > # Allow repeated file extension, e.g. blah.zip.zip > allow (.[a-z0-9]{3})1$ - - > > # Deny all other double file extensions. This catches any hidden > filenames. 
> deny .[a-z][a-z0-9]{2,3}s*.[a-z0-9]{3}$ Found possible filename hiding > Attempt to hide real filename extension > > Yet am still seeing results like this: > Report: MailScanner: Attempt to hide real filename extension > (document.xml.rel) > MailScanner: Attempt to hide real filename extension (settings.xml.rel) > Report: MailScanner: Attempt to hide real filename extension > (document.xml1.rel) > MailScanner: Attempt to hide real filename extension (settings.xml1.rel) > Report: MailScanner: Attempt to hide real filename extension > (document.xml1.rel) > Report: MailScanner: Attempt to hide real filename extension > (document.xml.rel) > Report: MailScanner: Attempt to hide real filename extension > (settings.xml.rel) > Report: MailScanner: Attempt to hide real filename extension > (settings.xml1.rel) > > I'm running MailScanner version 4.61.7 (yes, I will be upgrading this > when > I can afford the server downtime). > > Any idea why this would be? > > Thanks, > > Andrew > > -- > Alex Neuman van der Hans > Reliant Technologies > +507 6781-9505 > +507 202-1525 > alex@rtpty.com > Skype: alexneuman 
> -- Alex Neuman van der Hans Reliant Technologies +507 6781-9505 +507 202-1525 alex@rtpty.com Skype: alexneuman From paul.lemmons at tmcaz.com Thu Jun 11 19:01:56 2009 From: paul.lemmons at tmcaz.com (Paul Lemmons) Date: Thu Jun 11 19:02:12 2009 Subject: Reject message no from address Message-ID: <4A314694.6030203@tmcaz.com> This is bound to be an FAQ but for the life of me I can not find the answer. After an hour of searching with Google I will accept the flames if I missed something obvious. I would like to reject all messages that do not have a from address with a valid syntax. Particularly blank from addresses. We are getting quite a bit of "empty spam" (no message, blank sender, blank return path, minimal headers) and I would like to filter these messages. Any pointers would be helpful. From max at assuredata.com Thu Jun 11 19:11:48 2009 From: max at assuredata.com (Max Kipness) Date: Thu Jun 11 19:11:59 2009 Subject: Send nonspam to file? Message-ID: <11375BD8FE838A409E10DB32B9BFFE9B1D6BD6@addc01.assuredata.local> Is there a way? I can't seem to find any mention of this. Basically for specific addresses I would like to send all emails to a file. Thanks, Max From glenn.steen at gmail.com Thu Jun 11 19:22:31 2009 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Jun 11 19:22:40 2009 Subject: Reject message no from address In-Reply-To: <4A314694.6030203@tmcaz.com> References: <4A314694.6030203@tmcaz.com> Message-ID: <223f97700906111122j62871e97lbc7f6f9af3047d50@mail.gmail.com> 2009/6/11 Paul Lemmons : > This is bound to be an FAQ but for the life of me I can not find the answer. > After an hour of searching with Google I will accept the flames if I missed > something obvious. > > I would like to reject all messages that do not have a from address with a > valid syntax. Particularly blank from addresses. We are getting quite a bit > of "empty spam" (no message, blank sender, blank return path, minimal > headers) and I would like to filter these messages. Any pointers would be > helpful. > Look at the watermark feature of MailScanner, it is designed for this purpose. Or (if your MTA supports milters) look at milter-null. For general sender address verification, the method (and "theology"... whether to use or not:-) differ a bit depending on things like MTA etc. But start with the first two;-) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Thu Jun 11 19:29:01 2009 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Jun 11 19:29:09 2009 Subject: Invalid queue files In-Reply-To: <4630C514-1299-47E9-B71C-BFB78AAA99E3@elec.ucl.ac.be> References: <862FADAC-FA6F-4FEC-A0C9-B79D4513795D@elec.ucl.ac.be> <4630C514-1299-47E9-B71C-BFB78AAA99E3@elec.ucl.ac.be> Message-ID: <223f97700906111129q43312f9ega83b2f832d92f710@mail.gmail.com> 2009/6/11 Pascal Maes : > > To be complete, I have to say that the errors coincide with the installation > of clamav 0.95.2 > > In my case clamav is not used by MailScanner but is acting with > clamav-milter before the mail is put in the queue "hold" > > On 11-Jun-09 at 12:55, Pascal Maes wrote: > >> What's wrong ? >> Your milter and PF put the p record handling in MS into twiddly knots, is what is happening. Send me some of the queue files, and I'll see what I can do. It might be the milter itself misbehaving, but in a way that wouldn't matter to anything but MS (since we actually try make sense of/get rid of that mess:-). In the mean time, disable the milter and try use clamd in MS instead... or revert to an older version of the clam milter... I'm (still) pretty stumped wrt time, so can't promise any fixes before the weekend. Sorry. 
Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Thu Jun 11 19:36:15 2009 From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Jun 11 19:36:24 2009 Subject: Send nonspam to file? In-Reply-To: <11375BD8FE838A409E10DB32B9BFFE9B1D6BD6@addc01.assuredata.local> References: <11375BD8FE838A409E10DB32B9BFFE9B1D6BD6@addc01.assuredata.local> Message-ID: <223f97700906111136l59a20addm1692061ce7516423@mail.gmail.com> 2009/6/11 Max Kipness : > Is there a way? I can't seem to find any mention of this. Basically for > specific addresses I would like to send all emails to a file. > > > > Thanks, > > Max > Sure there is... it all depends on what you mean though:-). Make your Non Spam Actions a ruleset and include "store" for the specific address ... to make a thing like that work, you need make your setup split multi-recipient mails into separate (one recipient/mail), to be sure that the ruleset will function correctly (else it'll just act on the first recipient in the list of recipients). If you need an mbox-formatted file, you might try something with the Archive Mail feature, but beware that this acts before any scanning is done. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Thu Jun 11 19:39:09 2009 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Jun 11 19:39:17 2009 Subject: Send nonspam to file? In-Reply-To: <223f97700906111136l59a20addm1692061ce7516423@mail.gmail.com> References: <11375BD8FE838A409E10DB32B9BFFE9B1D6BD6@addc01.assuredata.local> <223f97700906111136l59a20addm1692061ce7516423@mail.gmail.com> Message-ID: <223f97700906111139t4b2c6587y486efc2410713e35@mail.gmail.com> 2009/6/11 Glenn Steen : > 2009/6/11 Max Kipness : >> Is there a way? I can't seem to find any mention of this. Basically for >> specific addresses I would like to send all emails to a file. >> >> >> >> Thanks, >> >> Max >> > Sure there is... it all depends on what you mean though:-). > > Make your Non Spam Actions a ruleset and include "store" for the > specific address ... to make a thing like that work, you need make > your setup split multi-recipient mails into separate (one > recipient/mail), to be sure that the ruleset will function correctly > (else it'll just act on the first recipient in the list of > recipients). The above will make all those mails be stored as separate files in the non-spam quarantine... Either queue files or RFC[53|28]22-formatted text files. > If you need an mbox-formatted file, you might try something with the > Archive Mail feature, but beware that this acts before any scanning is > done. > > Cheers > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ssilva at sgvwater.com Thu Jun 11 20:41:16 2009 
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Jun 11 20:41:40 2009 Subject: Mailscanner & redirected mail In-Reply-To: <60D398EB2DB948409CA1F50D8AF122570553C0EE@exch1.dekalbmemorial.local> References: <2baac6140906090705k22889af6m9909a91e9f7b27c0@mail.gmail.com><4A2F61E8.8060507@ecs.soton.ac.uk> <4A2E7DCD.7050900@fsl.com> <60D398EB2DB948409CA1F50D8AF122570553C0EE@exch1.dekalbmemorial.local> Message-ID: on 6-10-2009 5:24 AM Aaron K. Moore spake the following: > You should be able to adjust the score for that rule in SpamAssassin. > I'd just set it to 0 so that it doesn't add or subtract any points. > Changing scores on rules is not a substitute for fixing the real problem. It is like putting a band aid on a bullet wound. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 258 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090611/115c2243/signature.bin From gafaith at asdm.net Fri Jun 12 18:01:52 2009 
From: gafaith at asdm.net (Gary Faith) Date: Fri Jun 12 18:02:24 2009 Subject: Changes in Version 4.77.10-1 Message-ID: <4A3251C00200002D00006A48@sparky.asdm.net> I was reading the changelog from the website for Version 4.77.10-1. I like the addition of the host:host.domain.com in rules but I have a situation where the forward and the reverse names are not going to match because of dynamic IPs. I can control the forward DNS via DynDNS but I can't control the reverse DNS. Can the "spoofing protection" (#9 below) be turned off? 8 Implemented a new type of line in rulesets. When you specify a "From:" rule, you can use a syntax like "host:hostname.domain.com" to use the SMTP client's hostname instead of the numerical IP address. This can also be partial hostnames or domain names, such as "host:domain.com" or include wildcards anywhere, such as "host:mail*.dom*ain.com", or even Perl regular expressions such as "host:/(de|dk)$/". This goes where the numerical IP address would go in the rule, after the "From:" and before the value to return. Note that these are slightly slower than using the IP address as they involve a DNS lookup (maximum of once per message), but that value should be in your DNS cache as other things will have already had to look it up anyway. They are described in more detail in the etc/rules/README and etc/rules/EXAMPLES files. 9 Added spoofing protection to the "host:" name lookups. Forward and reverse DNS entries must now match. Thanks, Gary -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090612/4e7c876c/attachment.html From ssilva at sgvwater.com Fri Jun 12 22:55:07 2009 
From: ssilva at sgvwater.com (Scott Silva) Date: Fri Jun 12 23:00:19 2009 Subject: Changes in Version 4.77.10-1 In-Reply-To: <4A3251C00200002D00006A48@sparky.asdm.net> References: <4A3251C00200002D00006A48@sparky.asdm.net> Message-ID: on 6-12-2009 10:01 AM Gary Faith spake the following: > I was reading the changelog from the website for Version 4.77.10-1. I > like the addition of the host:host.domain.com in rules but I have a > situation where the forward and the reverse names are not going to match > because of dynamic IPs. I can control the forward DNS via DynDNS but I > can't control the reverse DNS. Can the "spoofing protection" (#9 below) > be turned off? > > 8 Implemented a new type of line in rulesets. When you specify a "From:" > rule, you can use a syntax like "host:hostname.domain.com" to use the > SMTP client's hostname instead of the numerical IP address. This can > also be partial hostnames or domain names, such as "host:domain.com" or > include wildcards anywhere, such as "host:mail*.dom*ain.com", or even > Perl regular expressions such as "host:/(de|dk)$/". This goes where the > numerical IP address would go in the rule, after the "From:" and before > the value to return. Note that these are slightly slower than using the > IP address as they involve a DNS lookup (maximum of once per message), > but that value should be in your DNS cache as other things will have > already had to look it up anyway. They are described in more detail in > the etc/rules/README and etc/rules/EXAMPLES files. > > 9 Added spoofing protection to the "host:" name lookups. Forward and > reverse DNS entries must now match. > > Thanks, > > Gary > Don't use them? -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 258 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090612/f6b41405/signature.bin From MailScanner at ecs.soton.ac.uk Sat Jun 13 15:35:30 2009 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sat Jun 13 15:35:53 2009 Subject: ClamAV 0.95.2 released In-Reply-To: <4A3028D4.5000108@maddoc.net> References: <4A3028D4.5000108@maddoc.net> <4A33B932.3050409@ecs.soton.ac.uk> Message-ID: I have just updated the ClamAV+SpamAssassin package on my website. On 10/06/2009 22:42, Doc Schneider wrote: > New ClamAV is out. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Follow me at twitter.com/JulesFM MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Sat Jun 13 15:38:57 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sat Jun 13 15:39:17 2009 Subject: Problem Messages In-Reply-To: References: <4A256689.2080008@ecs.soton.ac.uk> <4A33BA01.3070501@ecs.soton.ac.uk> Message-ID: On 11/06/2009 13:27, Remco Barendse wrote: > On Tue, 2 Jun 2009, Julian Field wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Look for traces of the messages in your mail logs. That will tell you >> what happened. You might then want to try digging the messages out of >> quarantine and running them through MailScanner manually (start with >> "MailScanner --help" and work from there) one at a time to see what goes >> wrong. >> >> If you want to wipe the database you can always just delete it. Its >> location in set in MailScanner.conf (look for "Processing.db" in there). >> >> Also, the fact that they have been the cause of these problems means >> that they were never delivered, so you may want to take a look at them >> and figure out if they were important and what you might want to do >> about this. > > I keep getting the problem messages e-mails. The fact that mails are > not delivered is not a problem, so far they are all spam. I suspect > the problem is in Processing.db because i get this in my e-mail : > > Archive: > > Number of messages: 1 > Tries Message Last Tried > ===== ======= ========== > 6 n59KLG4X024369 Tue Jun 9 22:51:41 2009 > > -- > MailScanner > > > However, when i search for that file : > [root@mail ]# locate -i 59KLG4X024369 > /var/spool/MailScanner/quarantine/20090609/n59KLG4X024369 > /var/spool/MailScanner/quarantine/20090609/n59KLG4X024369/dfn59KLG4X024369 > > /var/spool/MailScanner/quarantine/20090609/n59KLG4X024369/qfn59KLG4X024369 > > > The messages are long gone into quarantine and dealt with. 
> > > [root@mail ]# cat /var/log/maillog | grep -i 59KLG4X024369 > Jun 9 22:21:36 mail sendmail[24369]: n59KLG4X024369: > from=, size=10348, class=0, nrcpts=1, > msgid=, proto=ESMTP, > daemon=MTA, relay=blu0-omc2-s15.blu0.hotmail.com [65.55.111.90] > Jun 9 22:21:36 mail sendmail[24369]: n59KLG4X024369: > to=, delay=00:00:00, mailer=esmtp, pri=40348, > stat=queued > Jun 9 22:25:07 mail MailScanner[22079]: Making attempt 2 at > processing message n59KLG4X024369 > Jun 9 22:30:59 mail MailScanner[23616]: Making attempt 3 at > processing message n59KLG4X024369 > Jun 9 22:36:51 mail MailScanner[20198]: Making attempt 4 at > processing message n59KLG4X024369 > Jun 9 22:42:33 mail MailScanner[19693]: Making attempt 5 at > processing message n59KLG4X024369 > Jun 9 22:46:03 mail MailScanner[23456]: Making attempt 6 at > processing message n59KLG4X024369 > Jun 9 22:46:04 mail MailScanner[24456]: Warning: skipping message > n59KLG4X024369 as it has been attempted too many times > Jun 9 22:46:04 mail MailScanner[24456]: Quarantined message > n59KLG4X024369 as it caused MailScanner to crash several times > Jun 9 22:46:04 mail MailScanner[24456]: Saved entire message to > /var/spool/MailScanner/quarantine/20090609/n59KLG4X024369 > > Doesn't make me any wiser > > I'm running : > Running on > Linux 2.6.18-128.1.10.el5 #1 SMP Thu May 7 10:35:59 EDT 2009 x86_64 > x86_64 x86_64 GNU/Linux > This is CentOS release 5.3 (Final) > This is Perl version 5.008008 (5.8.8) > > This is MailScanner version 4.77.10 > > > I want to try to run the e-mail manually through MailScanner but > --info doesn't enlighten me (yes also here PBKAC) :PPP > > MailScanner [ -h|-v|--debug|--debug-sa|--lint ] | > [ --processing | --processing= ] | > [ -c|--changed ] | > [ --id= ] | > [ --inqueuedir= ] | > [--value= --from= > --to=, --to=, ...] > --ip=, --virus= ] > > > > What should i do with the qf/df pair to run MailScanner manually? 
Copy the mail df+qf pair to /var/spool/mqueue.in and run something along the lines of MailScanner --debug --id=n59KLG4X024369 and it should just process that one message and quit. You might need to delete the Processing.db before you start. And I would stop your main MailScanner too, or else it will pick up the message and try to process it. Please tell me what output you got from that MailScanner command. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Follow me at twitter.com/JulesFM MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Sat Jun 13 15:40:14 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sat Jun 13 15:40:35 2009 Subject: Send nonspam to file? In-Reply-To: <11375BD8FE838A409E10DB32B9BFFE9B1D6BD6@addc01.assuredata.local> References: <11375BD8FE838A409E10DB32B9BFFE9B1D6BD6@addc01.assuredata.local> <4A33BA4E.9010905@ecs.soton.ac.uk> Message-ID: Use "Archive Mail" or "Non-Spam Actions" with a ruleset to just handle the specific addresses you are interested in. On 11/06/2009 19:11, Max Kipness wrote: > > Is there a way? I can't seem to find any mention of this. Basically > for specific addresses I would like to send all emails to a file. > > Thanks, > > Max > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Follow me at twitter.com/JulesFM MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Sat Jun 13 15:41:24 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sat Jun 13 15:41:47 2009 Subject: Changes in Version 4.77.10-1 In-Reply-To: <4A3251C00200002D00006A48@sparky.asdm.net> References: <4A3251C00200002D00006A48@sparky.asdm.net> <4A33BA94.2000007@ecs.soton.ac.uk> Message-ID: Just use the IP addresses instead of the hostnames. Trivial, surely? On 12/06/2009 18:01, Gary Faith wrote: > I was reading the changelog from the website for Version 4.77.10-1. I > like the addition of the host:host.domain.com in rules but I have a > situation where the forward and the reverse names are not going to > match because of dynamic IPs. I can control the forward DNS via > DynDNS but I can't control the reverse DNS. Can the "spoofing > protection" (#9 below) be turned off? > > 8 Implemented a new type of line in rulesets. When you specify a > "From:" rule, you can use a syntax like "host:hostname.domain.com" to > use the SMTP client's hostname instead of the numerical IP address. > This can also be partial hostnames or domain names, such as > "host:domain.com" or include wildcards anywhere, such as > "host:mail*.dom*ain.com", or even Perl regular expressions such as > "host:/(de|dk)$/". This goes where the numerical IP address would go > in the rule, after the "From:" and before the value to return. Note > that these are slightly slower than using the IP address as they > involve a DNS lookup (maximum of once per message), but that value > should be in your DNS cache as other things will have already had to > look it up anyway. They are described in more detail in the > etc/rules/README and etc/rules/EXAMPLES files. > > 9 Added spoofing protection to the "host:" name lookups. Forward and > reverse DNS entries must now match. > > Thanks, > > Gary Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Follow me at twitter.com/JulesFM MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From root at doctor.nl2k.ab.ca Sat Jun 13 18:55:28 2009 From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem) Date: Sat Jun 13 19:01:37 2009 Subject: 4.77.10 vs 4.77.8 Message-ID: <20090613175525.GA24833@doctor.nl2k.ab.ca> All right! In an attempt to update from 4.77.8 to 4.77.10 the load on one of my servers almost went to infinity. Restoring back to 4.77.8 stabilised the server. Has this happened to anyone else? -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Sat Jun 13 19:15:26 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sat Jun 13 19:15:48 2009 Subject: 4.77.10 vs 4.77.8 In-Reply-To: <20090613175525.GA24833@doctor.nl2k.ab.ca> References: <20090613175525.GA24833@doctor.nl2k.ab.ca> <4A33ECBE.20800@ecs.soton.ac.uk> Message-ID: What does MailScanner --debug say or do? On 13/06/2009 18:55, Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem wrote: > All right! In an attempt to update from 4.77.8 to 4.77.10 > the load on one of my servers almost went to infinity. > > Restoring back to 4.77.8 stabilised the server. > > Has this happened to anyone else? > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Follow me at twitter.com/JulesFM MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From root at doctor.nl2k.ab.ca Sat Jun 13 18:57:19 2009 From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem) Date: Sat Jun 13 20:26:15 2009 Subject: converting from Sendmail to Postifx Message-ID: <20090613175719.GB24833@doctor.nl2k.ab.ca> Looks as if Sendmail is DOA no signs of Sendmail 8.14.4 or 8.15.0 . Apple and IBM have spent time developing Postfix. Any heads on moving over esp for MailScanner users? -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From lists at elasticmind.net Sat Jun 13 21:18:58 2009
From: lists at elasticmind.net (mog) Date: Sat Jun 13 21:19:39 2009 Subject: converting from Sendmail to Postifx In-Reply-To: <20090613175719.GB24833@doctor.nl2k.ab.ca> References: <20090613175719.GB24833@doctor.nl2k.ab.ca> Message-ID: <4A3409B2.9060408@elasticmind.net> I use postfix on several production mail servers, I think it integrates with MailScanner very effectively and easily. Plus the instructions on the MailScanner install page for postfix are pretty straight-forward, it's a doddle to do really. Best of luck. Regards, mog. Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem wrote: > Looks as if Sendmail is DOA no signs of Sendmail 8.14.4 or 8.15.0 . > > Apple and IBM have spent time developing Postfix. > > Any heads on moving over esp for MailScanner users? > > From sean at songvest.com Sat Jun 13 22:50:15 2009 From: sean at songvest.com (sean) Date: Sat Jun 13 22:50:30 2009 Subject: Problem with Exim and Mailscanner Message-ID: Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: image/jpeg Size: 2565 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090613/2dbe9d4b/attachment.jpe From ChrisSweeney at osubucks.org Sun Jun 14 00:58:33 2009
From: ChrisSweeney at osubucks.org (Christopher Sweeney) Date: Sun Jun 14 00:58:45 2009 Subject: converting from Sendmail to Postifx In-Reply-To: <20090613175719.GB24833@doctor.nl2k.ab.ca> Message-ID: <5485D83E8AEA2A4C93D5AEB1F3444564045231@IFCINCINNATI01.ifcincinnati.org> So that means what? If there are no immediate needs to release a new version doesn't mean its done with. There are traditionally for as long as I can remember a couple years or more between major Sendmail releases and if there are no critical bugs to patch then no .x upgrades. Isn't it nice to finally run something that does not need upgraded or patched every week? -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Dave Shariff Yadallee - System Administrator a.k.a. The Root of theProblem Sent: Saturday, June 13, 2009 1:57 PM To: mailscanner@lists.mailscanner.info Subject: converting from Sendmail to Postifx Looks as if Sendmail is DOA no signs of Sendmail 8.14.4 or 8.15.0 . Apple and IBM have spent time developing Postfix. Any heads on moving over esp for MailScanner users? ________________________________ avast! Antivirus : Outbound message clean. Virus Database (VPS): 090613-0, 06/13/2009 Tested on: 6/13/2009 7:58:33 PM avast! - copyright (c) 1988-2009 ALWIL Software. From james at gray.net.au Sun Jun 14 02:58:18 2009 
From: james at gray.net.au (James Gray) Date: Sun Jun 14 02:58:34 2009 Subject: Problem with Exim and Mailscanner In-Reply-To: References: Message-ID: <53B3FBEE-91D5-4F33-A8B9-F0618963257B@gray.net.au> On 14/06/2009, at 7:50 AM, sean wrote: > I am trying to install exim. > > I know I have to start two exim processes and I don't know how to do > it within that service start code. Here's a Debian-specific how-to I wrote a while back on how to get a friendly Mailscanner+Exim setup: http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:exim:installation:debian&s=exim There's a more generalised MailScanner+Exim (not specific to Debian in other words) here: http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:exim:installation&s=exim You'll find a lot of similarity between the two documents, but hopefully between the two you'll be able to apply it to you specific circumstances. Cheers, James -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090614/4af591e0/attachment.html From alex at rtpty.com Sun Jun 14 03:21:14 2009 
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Sun Jun 14 03:21:51 2009 Subject: converting from Sendmail to Postifx In-Reply-To: <5485D83E8AEA2A4C93D5AEB1F3444564045231@IFCINCINNATI01.ifcincinnati.org> References: <5485D83E8AEA2A4C93D5AEB1F3444564045231@IFCINCINNATI01.ifcincinnati.org> Message-ID: I second that. Besides, we all know how VietseV enema is fond of MailScanner - not to mention IT CAN HAZ SWAPPING! On Jun 13, 2009, at 6:58 PM, "Christopher Sweeney" wrote: > So that means what? If there are no immediate needs to release a new > version doesn't mean its done with. There are traditionally for as > long > as I can remember a couple years or more between major Sendmail > releases > and if there are no critical bugs to patch then no .x upgrades. Isn't > it nice to finally run something that does not need upgraded or > patched > every week? > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Dave > Shariff Yadallee - System Administrator a.k.a. The Root of theProblem > Sent: Saturday, June 13, 2009 1:57 PM > To: mailscanner@lists.mailscanner.info > Subject: converting from Sendmail to Postifx > > Looks as if Sendmail is DOA no signs of Sendmail 8.14.4 or 8.15.0 . > > Apple and IBM have spent time developing Postfix. > > Any heads on moving over esp for MailScanner users? > > > > > > ________________________________ > > avast! Antivirus : Outbound message clean. > > Virus Database (VPS): 090613-0, 06/13/2009 > Tested on: 6/13/2009 7:58:33 PM > avast! - copyright (c) 1988-2009 ALWIL Software. > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From maillists at conactive.com Sun Jun 14 08:31:15 2009 
From: maillists at conactive.com (Kai Schaetzl) Date: Sun Jun 14 08:31:33 2009 Subject: Changes in Version 4.77.10-1 In-Reply-To: References: <4A3251C00200002D00006A48@sparky.asdm.net> <4A33BA94.2000007@ecs.soton.ac.uk> Message-ID: Julian Field wrote on Sat, 13 Jun 2009 15:41:24 +0100: > Just use the IP addresses instead of the hostnames. Trivial, surely? But he doesn't know them. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From MailScanner at ecs.soton.ac.uk Sun Jun 14 16:27:17 2009 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Jun 14 16:27:40 2009 Subject: Changes in Version 4.77.10-1 In-Reply-To: References: <4A3251C00200002D00006A48@sparky.asdm.net> <4A33BA94.2000007@ecs.soton.ac.uk> <4A3516D5.4020201@ecs.soton.ac.uk> Message-ID: On 14/06/2009 08:31, Kai Schaetzl wrote: > Julian Field wrote on Sat, 13 Jun 2009 15:41:24 +0100: > > >> Just use the IP addresses instead of the hostnames. Trivial, surely? >> > But he doesn't know them. > There isn't any way of switching off the anti-spoof protection, sorry. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Follow me at twitter.com/JulesFM MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From sean at songvest.com Sun Jun 14 16:39:30 2009
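The "spoofing protection" discussed in the "Changes in Version 4.77.10-1" thread above (forward and reverse DNS must match before a "host:" rule is applied), as an added example that is not part of any list message and is not MailScanner's own code. The pattern semantics (suffix match on a label boundary, anchored glob, /regex/) are an assumption based on the changelog wording, and all hostnames and addresses are constructed.

```python
import ipaddress
import re
import socket
from fnmatch import fnmatchcase


def system_reverse(ip):
    """PTR lookup through the system resolver; returns one hostname."""
    return socket.gethostbyaddr(ip)[0]


def system_forward(name):
    """A/AAAA lookup through the system resolver; returns address strings."""
    return {info[4][0] for info in socket.getaddrinfo(name, None)}


def verified_hostname(ip, reverse=system_reverse, forward=system_forward):
    """Return the client's hostname only if forward and reverse DNS agree."""
    try:
        client = ipaddress.ip_address(ip)
        name = reverse(ip).rstrip(".").lower()
        if not name:
            return None
        confirmed = {ipaddress.ip_address(a) for a in forward(name)}
    except (OSError, ValueError):
        # No PTR record, no address record, or an unparsable answer.
        return None
    return name if client in confirmed else None


def host_pattern_matches(pattern, hostname):
    """Match one "host:" pattern (assumed semantics, see lead-in)."""
    hostname = hostname.lower()
    if len(pattern) > 1 and pattern.startswith("/") and pattern.endswith("/"):
        return re.search(pattern[1:-1], hostname) is not None
    pattern = pattern.lower()
    if "*" in pattern:
        return fnmatchcase(hostname, pattern)
    # Plain name: the host itself or anything below that domain.
    return hostname == pattern or hostname.endswith("." + pattern)


def ruleset_value(rules, ip, reverse=system_reverse, forward=system_forward,
                  default="no"):
    """First matching rule wins; an unverifiable client never matches."""
    name = verified_hostname(ip, reverse, forward)
    if name is None:
        return default
    for pattern, value in rules:
        if host_pattern_matches(pattern, name):
            return value
    return default


# Constructed DNS data (documentation address ranges, example domains).
PTR_TABLE = {
    "192.0.2.10": "mailgate1.example.org",     # PTR and A record agree
    "203.0.113.66": "mail.example.org",        # PTR chosen by the address owner
    "198.51.100.7": "dyn-7.pool.isp.example",  # dynamic address, ISP-owned PTR
}
ADDR_TABLE = {
    "mailgate1.example.org": {"192.0.2.10"},
    "mail.example.org": {"192.0.2.25"},
    "dyn-7.pool.isp.example": {"198.51.100.7"},
    "office.dyndns.example": {"198.51.100.7"},  # forward name the admin controls
}
RULES = [("mail*.example.org", "yes"), ("office.dyndns.example", "yes")]


def table_reverse(ip):
    return PTR_TABLE.get(ip, "")


def table_forward(name):
    return ADDR_TABLE.get(name, set())


if __name__ == "__main__":
    for addr in PTR_TABLE:
        print(addr, verified_hostname(addr, table_reverse, table_forward),
              ruleset_value(RULES, addr, table_reverse, table_forward))
```

The third address is the dynamic-IP case raised in the thread: the client verifies, but under the ISP's reverse name, so a rule written for the DynDNS forward name does not match it.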
From: sean at songvest.com (sean) Date: Sun Jun 14 16:39:46 2009 Subject: Problem with Exim and Mailscanner In-Reply-To: <53B3FBEE-91D5-4F33-A8B9-F0618963257B@gray.net.au> References: <53B3FBEE-91D5-4F33-A8B9-F0618963257B@gray.net.au> Message-ID: Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: image/jpeg Size: 2565 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090614/5c8204ae/attachment.jpe From james at gray.net.au Sun Jun 14 23:58:44 2009 From: james at gray.net.au (James Gray) Date: Sun Jun 14 23:58:58 2009 Subject: Problem with Exim and Mailscanner In-Reply-To: <32488369.111245018724197.JavaMail.root@node> Message-ID: <25266218.131245020324018.JavaMail.root@node> ----- Original Message ----- 
From: "sean" To: "MailScanner discussion" Sent: Monday, 15 June, 2009 1:39:30 AM GMT +10:00 Canberra / Melbourne / Sydney Subject: RE: Problem with Exim and Mailscanner James: I went through your notes but I still don't see how to modify my init.d/exim file to start both. Not with the current service file I have anyway. Hi Sean, I think you missed the bit where you create a SECOND init script for the additional Exim instance :) You end up with two separate exim scripts in /etc/init.d: /etc/init.d/exim /etc/init.d/exim.out Then you simply need to add a symbolic link into the correct run-levels to make sure it starts during boot. Most distros have their own utilities to do this for you: Debian/Ubuntu: update-rc.d RedHat/CentOS: chkconfig (see http://www.centos.org/docs/5/html/Installation_Guide-en-US/ch-boot-init-shutdown.html) The how-to I wrote simply shows how to make the two exim's play nicely with Debian so that updates etc don't hose your hard work. If you need more help, please help us - we need to know: What MTA (Exim) and version? What version of MailScanner? What OS (linux/Solaris/etc) and version? Any logs, error messages, etc? I really don't have enough information about your setup to offer any more specific information...but more than happy to help out when more info is available :) Regards, James From jonas at vrt.dk Mon Jun 15 08:44:02 2009
From: jonas at vrt.dk (Jonas A. Larsen) Date: Mon Jun 15 08:44:13 2009 Subject: Problem with Exim and Mailscanner In-Reply-To: <25266218.131245020324018.JavaMail.root@node> References: <32488369.111245018724197.JavaMail.root@node> <25266218.131245020324018.JavaMail.root@node> Message-ID: <002d01c9ed8d$0d062d10$27128730$@dk> > > I think you missed the bit where you create a SECOND init script for > the additional Exim instance :) You end up with two separate exim > scripts in /etc/init.d: > /etc/init.d/exim > /etc/init.d/exim.out > > Then you simply need to add a symbolic link into the correct run-levels > to make sure it starts during boot. Most distros have their own > utilities to do this for you: > Debian/Ubuntu: update-rc.d > RedHat/CentOS: chkconfig (see > http://www.centos.org/docs/5/html/Installation_Guide-en-US/ch-boot- > init-shutdown.html) > > The how-to I wrote simply shows how to make the two exim's play nicely > with Debian so that updates etc don't hose your hard work. > > If you need more help, please help us - we need to know: > What MTA (Exim) and version? > What version of MailScanner? > What OS (linux/Solaris/etc) and version? > Any logs, error messages, etc? > > I really don't have enough information about your setup to offer any > more specific information...but more than happy to help out when more > info is available :) > > Regards, > > James I have made a simple mod of the Debian init script so it works with 1 initscript which starts both exim processes. Let me know if anybody would be interested in a copy. Med venlig hilsen / Best regards Jonas Akrouh Larsen TechBiz ApS Laplandsgade 4, 2. sal 2300 København S Office: 7020 0979 Direct: 3336 9974 Mobile: 5120 1096 Fax: 7020 0978 Web: www.techbiz.dk From maxsec at gmail.com Mon Jun 15 09:02:31 2009
From: maxsec at gmail.com (Martin Hepworth) Date: Mon Jun 15 09:02:40 2009 Subject: Problem with Exim and Mailscanner In-Reply-To: <002d01c9ed8d$0d062d10$27128730$@dk> References: <32488369.111245018724197.JavaMail.root@node> <25266218.131245020324018.JavaMail.root@node> <002d01c9ed8d$0d062d10$27128730$@dk> Message-ID: <72cf361e0906150102r48adf128xdb0758aa50fa81f1@mail.gmail.com> 2009/6/15 Jonas A. Larsen : >> >> I think you missed the bit where you create a SECOND init script for >> the additional Exim instance :) You end up with two separate exim >> scripts in /etc/init.d: >> /etc/init.d/exim >> /etc/init.d/exim.out >> >> Then you simply need to add a symbolic link into the correct run-levels >> to make sure it starts during boot. Most distros have their own >> utilities to do this for you: >> Debian/Ubuntu: update-rc.d >> RedHat/CentOS: chkconfig (see >> http://www.centos.org/docs/5/html/Installation_Guide-en-US/ch-boot- >> init-shutdown.html) >> >> The how-to I wrote simply shows how to make the two exim's play nicely >> with Debian so that updates etc don't hose your hard work. >> >> If you need more help, please help us - we need to know: >> What MTA (Exim) and version? >> What version of MailScanner? >> What OS (linux/Solaris/etc) and version? >> Any logs, error messages, etc? >> >> I really don't have enough information about your setup to offer any >> more specific information...but more than happy to help out when more >> info is available :) >> >> Regards, >> >> James > > I have made a simple mod of the Debian init script so it works with 1 initscript which starts both exim processes. > > Let me know if anybody would be interested in a copy. > > Med venlig hilsen / Best regards > > Jonas Akrouh Larsen > > TechBiz ApS > Laplandsgade 4, 2. sal > 2300 København S > > Office: 7020 0979 > Direct: 3336 9974 > Mobile: 5120 1096 > Fax:
7020 0978 > Web: www.techbiz.dk > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > Also worth checking this.. http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:exim:installation:debian&s=debian Jonas - does this any updating? -- Martin Hepworth Oxford, UK From jonas at vrt.dk Mon Jun 15 09:40:12 2009 From: jonas at vrt.dk (Jonas A. Larsen) Date: Mon Jun 15 09:40:22 2009 Subject: Problem with Exim and Mailscanner In-Reply-To: <72cf361e0906150102r48adf128xdb0758aa50fa81f1@mail.gmail.com> References: <32488369.111245018724197.JavaMail.root@node> <25266218.131245020324018.JavaMail.root@node> <002d01c9ed8d$0d062d10$27128730$@dk> <72cf361e0906150102r48adf128xdb0758aa50fa81f1@mail.gmail.com> Message-ID: <004a01c9ed94$e5f5e550$b1e1aff0$@dk> > Also worth checking this.. > > http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mt > a:exim:installation:debian&s=debian > > Jonas - does this any updating? Nope I think that's the documentation I originally followed a few years ago. The only thing we/Julian could consider was including the actual Debian init script in the tarball or some sort of contrib. package or I dunno :) I guess maybe some people find the wiki page above confusing (at least I had a co-worker who couldn't really get the grip on the split exim thing when trying to follow the wiki) Med venlig hilsen / Best regards Jonas Akrouh Larsen TechBiz ApS Laplandsgade 4, 2. sal 2300 København S Office: 7020 0979 Direct: 3336 9974 Mobile: 5120 1096 Fax: 7020 0978 Web: www.techbiz.dk From mailscanner at barendse.to Mon Jun 15 09:56:32 2009
From: mailscanner at barendse.to (Remco Barendse) Date: Mon Jun 15 09:56:45 2009 Subject: Problem Messages In-Reply-To: References: <4A256689.2080008@ecs.soton.ac.uk> <4A33BA01.3070501@ecs.soton.ac.uk> Message-ID: On Sat, 13 Jun 2009, Julian Field wrote: > Copy the mail df+qf pair to /var/spool/mqueue.in and run something along the > lines of > MailScanner --debug --id=n59KLG4X024369 > and it should just process that one message and quit. > You might need to delete the Processing.db before you start. And I would stop > your main MailScanner too, or else it will pick up the message and try to > process it. > Please tell me what output you got from that MailScanner command. This is the output : [root@linuxgw mqueue.in]# MailScanner --debug --id=n59KLG4X024369 In Debugging mode, not forking... Trying to setlogsock(unix) Use of uninitialized value in concatenation (.) or string at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin.pm line 1088. Use of uninitialized value in concatenation (.) or string at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin.pm line 1090. LibClamAV Warning: *********************************************************** LibClamAV Warning: *** This version of the ClamAV engine is outdated. *** LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq *** LibClamAV Warning: *********************************************************** Building a message batch to scan... Have a batch of 1 message. Stopping now as you are debugging me. Thanks! From MailScanner at ecs.soton.ac.uk Mon Jun 15 10:33:03 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jun 15 10:33:36 2009 Subject: Problem Messages In-Reply-To: References: <4A256689.2080008@ecs.soton.ac.uk> <4A33BA01.3070501@ecs.soton.ac.uk> <4A36154F.1020300@ecs.soton.ac.uk> Message-ID: On 15/06/2009 09:56, Remco Barendse wrote: > On Sat, 13 Jun 2009, Julian Field wrote: > >> Copy the mail df+qf pair to /var/spool/mqueue.in and run something >> along the lines of >> MailScanner --debug --id=n59KLG4X024369 >> and it should just process that one message and quit. >> You might need to delete the Processing.db before you start. And I >> would stop your main MailScanner too, or else it will pick up the >> message and try to process it. >> Please tell me what output you got from that MailScanner command. > > This is the output : > > [root@linuxgw mqueue.in]# MailScanner --debug --id=n59KLG4X024369 > In Debugging mode, not forking... > Trying to setlogsock(unix) > Use of uninitialized value in concatenation (.) or string at > /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin.pm line 1088. > Use of uninitialized value in concatenation (.) or string at > /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin.pm line 1090. > LibClamAV Warning: > *********************************************************** > LibClamAV Warning: *** This version of the ClamAV engine is outdated. > *** > LibClamAV Warning: *** DON'T PANIC! Read > http://www.clamav.net/support/faq *** > LibClamAV Warning: > *********************************************************** > Building a message batch to scan... > Have a batch of 1 message. > Stopping now as you are debugging me. That's quite normal, it processed the message successfully (apart from you needing to update your copy of ClamAV). So whatever was causing your message to kill MailScanner has gone away and isn't doing it now. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! 
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From mailscanner at barendse.to Mon Jun 15 11:17:35 2009
From: mailscanner at barendse.to (Remco Barendse)
Date: Mon Jun 15 11:17:46 2009
Subject: Problem Messages
In-Reply-To:
References: <4A256689.2080008@ecs.soton.ac.uk> <4A33BA01.3070501@ecs.soton.ac.uk> <4A36154F.1020300@ecs.soton.ac.uk>
Message-ID:

On Mon, 15 Jun 2009, Julian Field wrote:

> That's quite normal, it processed the message successfully (apart from you
> needing to update your copy of ClamAV). So whatever was causing your message
> to kill MailScanner has gone away and isn't doing it now.

Strange, another problem message appeared over the weekend, I ran it through MailScanner in the same way and also this message processed well.

I'm a bit puzzled why these "Problem Messages" messages keep appearing but at the same time the message gets quarantined and moved to the quarantine properly. Is there maybe some bug in the thingy that controls Processing.db ? I get a new mail message reporting the same problem every hour or so, until I nuke Processing.db

Is there any way to increase the log level of "Problem Messages" to get some more info from that? (If these messages come up very rarely anyways, why not be more verbose)

Thanks!
Remco

From MailScanner at ecs.soton.ac.uk Mon Jun 15 12:01:27 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jun 15 12:01:47 2009 Subject: Anti-Phishing Update -- New data feed References: <4A362A07.60900@ecs.soton.ac.uk> Message-ID: I have gained a new reliable feed of email addresses known to be used in phishing attacks. I have therefore updated my anti-spear-phishing scripts to catch any mail mentioning these email addresses as well. I know quite a few of you have found this script to be useful. You can see the new article and download the script at http://www.jules.fm/Logbook/files/anti-phishing-v2.html Please do try it out and let me know what you think! Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Mon Jun 15 12:09:09 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Jun 15 12:09:31 2009
Subject: Problem Messages
In-Reply-To:
References: <4A256689.2080008@ecs.soton.ac.uk> <4A33BA01.3070501@ecs.soton.ac.uk> <4A36154F.1020300@ecs.soton.ac.uk> <4A362BD5.7090308@ecs.soton.ac.uk>
Message-ID:

On 15/06/2009 11:17, Remco Barendse wrote:
> On Mon, 15 Jun 2009, Julian Field wrote:
>
>> That's quite normal, it processed the message successfully (apart
>> from you needing to update your copy of ClamAV). So whatever was
>> causing your message to kill MailScanner has gone away and isn't
>> doing it now.
>
> Strange, another problem message appeared over the weekend, I ran it
> through MailScanner in the same way and also this message processed well.
>
> I'm a bit puzzled why these "Problem Messages" messages keep
> appearing but at the same time the message gets quarantined and moved
> to the quarantine properly. Is there maybe some bug in the thingy that
> controls Processing.db ? I get a new mail message reporting the same
> problem every hour or so, until I nuke Processing.db
>
> Is there any way to increase the log level of "Problem Messages" to
> get some more info from that? (If these messages come up very rarely
> anyways, why not be more verbose)

What more info would you like? As all I know is that the message caused MailScanner to crash somehow, there's almost no information to give you, sorry.

I should add some code to remove the problem message from the Processing.db when it gets quarantined though.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From sean at songvest.com Mon Jun 15 12:59:51 2009 From: sean at songvest.com (sean) Date: Mon Jun 15 13:00:11 2009 Subject: Problem with Exim and Mailscanner In-Reply-To: <002d01c9ed8d$0d062d10$27128730$@dk> References: <32488369.111245018724197.JavaMail.root@node><25266218.131245020324018.JavaMail.root@node> <002d01c9ed8d$0d062d10$27128730$@dk> Message-ID: <7959D70AC9D34A5ABA00696418C30D4D@HOME> I am very interested. Sean Peace President and Founder New Cell: 919-324-2945 Office: 919-848-0445 www.songvest.com -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jonas A. Larsen
Sent: Monday, June 15, 2009 3:44 AM
To: 'MailScanner discussion'
Subject: RE: Problem with Exim and Mailscanner

>
> I think you missed the bit where you create a SECOND init script for
> the additional Exim instance :) You end up with two separate exim
> scripts in /etc/init.d:
> /etc/init.d/exim
> /etc/init.d/exim.out
>
> Then you simply need to add a symbolic link into the correct run-levels
> to make sure it starts during boot. Most distro's have their own
> utilities to do this for you:
> Debian/Ubuntu: update-rc.d
> RedHat/CentOS: chkconfig (see
> http://www.centos.org/docs/5/html/Installation_Guide-en-US/ch-boot-
> init-shutdown.html)
>
> The how-to I wrote simply shows how to make the two exim's play nicely
> with Debian so that updates etc don't hose your hard work.
>
> If you need more help, please help us - we need to know:
> What MTA (Exim) and version?
> What version of MailScanner?
> What OS (linux/Solaris/etc) and version?
> Any logs, error messages, etc?
>
> I really don't have enough information about your setup to offer any
> more specific information...but more than happy to help out when more
> info is available :)
>
> Regards,
>
> James

I have made a simple mod of the Debian init script so it works with 1 initscript which starts both exim processes.

Let me know if anybody would be interested in a copy.

Med venlig hilsen / Best regards

Jonas Akrouh Larsen
TechBiz ApS
Laplandsgade 4, 2. sal
2300 København S
Office: 7020 0979
Direct: 3336 9974
Mobile: 5120 1096
Fax: 7020 0978
Web: www.techbiz.dk

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From sean at songvest.com Mon Jun 15 13:04:16 2009
From: sean at songvest.com (sean) Date: Mon Jun 15 13:04:31 2009 Subject: Problem with Exim and Mailscanner In-Reply-To: <25266218.131245020324018.JavaMail.root@node> References: <32488369.111245018724197.JavaMail.root@node> <25266218.131245020324018.JavaMail.root@node> Message-ID: <8D937C04AF534E7A979F3DC3E6F78C6B@HOME> James: One more problem. I don't have this file or files in etc/default/ "You also should modify /etc/default/exim" So once again I am stuck. Sean Peace President and Founder New Cell: 919-324-2945 Office: 919-848-0445 www.songvest.com -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of James Gray Sent: Sunday, June 14, 2009 6:59 PM To: MailScanner discussion Subject: Re: Problem with Exim and Mailscanner ----- Original Message ----- 
From: "sean"
To: "MailScanner discussion"
Sent: Monday, 15 June, 2009 1:39:30 AM GMT +10:00 Canberra / Melbourne / Sydney
Subject: RE: Problem with Exim and Mailscanner

James:

I went through your notes but I still don't see how to modify my init.d/exim file to start both. Not with the current service file I have anyway.

Hi Sean,

I think you missed the bit where you create a SECOND init script for the additional Exim instance :) You end up with two separate exim scripts in /etc/init.d:
/etc/init.d/exim
/etc/init.d/exim.out

Then you simply need to add a symbolic link into the correct run-levels to make sure it starts during boot. Most distro's have their own utilities to do this for you:
Debian/Ubuntu: update-rc.d
RedHat/CentOS: chkconfig (see http://www.centos.org/docs/5/html/Installation_Guide-en-US/ch-boot-init-shutdown.html)

The how-to I wrote simply shows how to make the two exim's play nicely with Debian so that updates etc don't hose your hard work.

If you need more help, please help us - we need to know:
What MTA (Exim) and version?
What version of MailScanner?
What OS (linux/Solaris/etc) and version?
Any logs, error messages, etc?

I really don't have enough information about your setup to offer any more specific information...but more than happy to help out when more info is available :)

Regards,

James

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From john at tradoc.fr Mon Jun 15 13:30:54 2009
From: john at tradoc.fr (John Wilcock)
Date: Mon Jun 15 13:31:06 2009
Subject: Anti-Phishing Update -- New data feed
In-Reply-To:
References: <4A362A07.60900@ecs.soton.ac.uk>
Message-ID: <4A363EFE.2070006@tradoc.fr>

On 15/06/2009 13:01, Julian Field wrote:
> I have gained a new reliable feed of email addresses known to be used in
> phishing attacks.
> I have therefore updated my anti-spear-phishing scripts to catch any
> mail mentioning these email addresses as well. I know quite a few of you
> have found this script to be useful.
>
> You can see the new article and download the script at
> http://www.jules.fm/Logbook/files/anti-phishing-v2.html

Hi Jules,

Is the new data source used in the sa-update feed from spear.bastionmail.com?

John.

--
-- Over 3000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages - www.tradoc.fr

From MailScanner at ecs.soton.ac.uk Mon Jun 15 13:44:29 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Jun 15 13:44:50 2009
Subject: Anti-Phishing Update -- New data feed
In-Reply-To: <4A363EFE.2070006@tradoc.fr>
References: <4A362A07.60900@ecs.soton.ac.uk> <4A363EFE.2070006@tradoc.fr> <4A36422D.7000103@ecs.soton.ac.uk>
Message-ID:

On 15/06/2009 13:30, John Wilcock wrote:
> On 15/06/2009 13:01, Julian Field wrote:
>> I have gained a new reliable feed of email addresses known to be used in
>> phishing attacks.
>> I have therefore updated my anti-spear-phishing scripts to catch any
>> mail mentioning these email addresses as well. I know quite a few of you
>> have found this script to be useful.
>>
>> You can see the new article and download the script at
>> http://www.jules.fm/Logbook/files/anti-phishing-v2.html
>
> Hi Jules,
>
> Is the new data source used in the sa-update feed from
> spear.bastionmail.com?

No it is not. I do not currently know of anyone else who has this data feed.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From john at tradoc.fr Mon Jun 15 13:55:46 2009
From: john at tradoc.fr (John Wilcock)
Date: Mon Jun 15 13:56:01 2009
Subject: Anti-Phishing Update -- New data feed
In-Reply-To:
References: <4A362A07.60900@ecs.soton.ac.uk> <4A363EFE.2070006@tradoc.fr> <4A36422D.7000103@ecs.soton.ac.uk>
Message-ID: <4A3644D2.5010309@tradoc.fr>

On 15/06/2009 14:44, Julian Field wrote:
>> Is the new data source used in the sa-update feed from
>> spear.bastionmail.com?
> No it is not. I do not currently know of anyone else who has this data
> feed.

So your recommendation is presumably to stop using the bastionmail feed of your google spearfishing rules and switch to your V2 script?

John.

--
-- Over 3000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages - www.tradoc.fr

From MailScanner at ecs.soton.ac.uk Mon Jun 15 14:39:35 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Jun 15 14:39:59 2009
Subject: Anti-Phishing Update -- New data feed
In-Reply-To: <4A3644D2.5010309@tradoc.fr>
References: <4A362A07.60900@ecs.soton.ac.uk> <4A363EFE.2070006@tradoc.fr> <4A36422D.7000103@ecs.soton.ac.uk> <4A3644D2.5010309@tradoc.fr> <4A364F17.10105@ecs.soton.ac.uk>
Message-ID:

On 15/06/2009 13:55, John Wilcock wrote:
> On 15/06/2009 14:44, Julian Field wrote:
>>> Is the new data source used in the sa-update feed from
>>> spear.bastionmail.com?
>> No it is not. I do not currently know of anyone else who has this data
>> feed.
>
> So your recommendation is presumably to stop using the bastionmail
> feed of your google spearfishing rules and switch to your V2 script?

Indeed, yes. So far the new feed only has 193 entries in it, but it is growing quite fast.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From jonas at vrt.dk Mon Jun 15 15:00:03 2009
From: jonas at vrt.dk (Jonas A. Larsen)
Date: Mon Jun 15 15:00:14 2009
Subject: Anti-Phishing Update -- New data feed
In-Reply-To:
References: <4A362A07.60900@ecs.soton.ac.uk>
Message-ID: <001001c9edc1$94b1a170$be14e450$@dk>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Julian Field > Sent: 15. juni 2009 13:01 > To: MailScanner discussion > Subject: Anti-Phishing Update -- New data feed > > I have gained a new reliable feed of email addresses known to be used > in > phishing attacks. > I have therefore updated my anti-spear-phishing scripts to catch any > mail mentioning these email addresses as well. I know quite a few of > you > have found this script to be useful. > > You can see the new article and download the script at > http://www.jules.fm/Logbook/files/anti-phishing-v2.html > > Please do try it out and let me know what you think! > Hi Julian. Currently testing version 2 of the script, I never got round to testing the old one. I was just wondering, do this feed have anything to do with the EMAILBL plugin/project announced on the SA list? It seems to work somewhat similar. Med venlig hilsen / Best regards Jonas Akrouh Larsen TechBiz ApS Laplandsgade 4, 2. sal 2300 K?benhavn S Office: 7020 0979 Direct: 3336 9974 Mobile: 5120 1096 Fax: 7020 0978 Web: www.techbiz.dk From MailScanner at ecs.soton.ac.uk Mon Jun 15 15:32:38 2009 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jun 15 15:33:04 2009 Subject: Anti-Phishing Update -- New data feed In-Reply-To: <001001c9edc1$94b1a170$be14e450$@dk> References: <4A362A07.60900@ecs.soton.ac.uk> <001001c9edc1$94b1a170$be14e450$@dk> <4A365B86.5030303@ecs.soton.ac.uk> Message-ID: On 15/06/2009 15:00, Jonas A. Larsen wrote: > > >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of Julian Field >> Sent: 15. juni 2009 13:01 >> To: MailScanner discussion >> Subject: Anti-Phishing Update -- New data feed >> >> I have gained a new reliable feed of email addresses known to be used >> in >> phishing attacks. >> I have therefore updated my anti-spear-phishing scripts to catch any >> mail mentioning these email addresses as well. I know quite a few of >> you >> have found this script to be useful. >> >> You can see the new article and download the script at >> http://www.jules.fm/Logbook/files/anti-phishing-v2.html >> >> Please do try it out and let me know what you think! >> >> > Hi Julian. > > Currently testing version 2 of the script, I never got round to testing the > old one. > > I was just wondering, do this feed have anything to do with the EMAILBL > plugin/project announced on the SA list? > Can you send me a URL for it or something to look at please? Until I've read that, I can't tell you whether it is related or not, they might be getting a data feed from the same place I do. But mine is commercially generated. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ms-list at alexb.ch Mon Jun 15 15:47:31 2009 
From: ms-list at alexb.ch (Alex Broens) Date: Mon Jun 15 15:47:40 2009 Subject: Anti-Phishing Update -- New data feed In-Reply-To: References: <4A362A07.60900@ecs.soton.ac.uk> <001001c9edc1$94b1a170$be14e450$@dk> <4A365B86.5030303@ecs.soton.ac.uk> Message-ID: <4A365F03.6000403@alexb.ch> On 6/15/2009 4:32 PM, Julian Field wrote: > > > On 15/06/2009 15:00, Jonas A. Larsen wrote: >> >> >>> -----Original Message----- 
>>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >>> bounces@lists.mailscanner.info] On Behalf Of Julian Field >>> Sent: 15. juni 2009 13:01 >>> To: MailScanner discussion >>> Subject: Anti-Phishing Update -- New data feed >>> >>> I have gained a new reliable feed of email addresses known to be used >>> in >>> phishing attacks. >>> I have therefore updated my anti-spear-phishing scripts to catch any >>> mail mentioning these email addresses as well. I know quite a few of >>> you >>> have found this script to be useful. >>> >>> You can see the new article and download the script at >>> http://www.jules.fm/Logbook/files/anti-phishing-v2.html >>> >>> Please do try it out and let me know what you think! >>> >>> >> Hi Julian. >> >> Currently testing version 2 of the script, I never got round to >> testing the >> old one. >> >> I was just wondering, do this feed have anything to do with the EMAILBL >> plugin/project announced on the SA list? >> > Can you send me a URL for it or something to look at please? > Until I've read that, I can't tell you whether it is related or not, > they might be getting a data feed from the same place I do. But mine is > commercially generated. Jules, EmailBL is an experimental list which is being run till July 1, as a proof of concept and in its current form will be discontinued. The data is not from the same feed. atm, there's no need to invest time in this for MailScanner as nobody knows if it will be continued under another name, who will mirror it, etc, etc Alex From MailScanner at ecs.soton.ac.uk Mon Jun 15 16:18:54 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jun 15 16:19:33 2009 Subject: Anti-Phishing Update -- New data feed In-Reply-To: <4A365F03.6000403@alexb.ch> References: <4A362A07.60900@ecs.soton.ac.uk> <001001c9edc1$94b1a170$be14e450$@dk> <4A365B86.5030303@ecs.soton.ac.uk> <4A365F03.6000403@alexb.ch> <4A36665E.8000303@ecs.soton.ac.uk> Message-ID: On 15/06/2009 15:47, Alex Broens wrote: > On 6/15/2009 4:32 PM, Julian Field wrote: >> >> >> On 15/06/2009 15:00, Jonas A. Larsen wrote: >>> >>>> -----Original Message----- 
>>>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >>>> bounces@lists.mailscanner.info] On Behalf Of Julian Field >>>> Sent: 15. juni 2009 13:01 >>>> To: MailScanner discussion >>>> Subject: Anti-Phishing Update -- New data feed >>>> >>>> I have gained a new reliable feed of email addresses known to be used >>>> in >>>> phishing attacks. >>>> I have therefore updated my anti-spear-phishing scripts to catch any >>>> mail mentioning these email addresses as well. I know quite a few of >>>> you >>>> have found this script to be useful. >>>> >>>> You can see the new article and download the script at >>>> http://www.jules.fm/Logbook/files/anti-phishing-v2.html >>>> >>>> Please do try it out and let me know what you think! >>>> >>> Hi Julian. >>> >>> Currently testing version 2 of the script, I never got round to >>> testing the >>> old one. >>> >>> I was just wondering, do this feed have anything to do with the EMAILBL >>> plugin/project announced on the SA list? >> Can you send me a URL for it or something to look at please? >> Until I've read that, I can't tell you whether it is related or not, >> they might be getting a data feed from the same place I do. But mine >> is commercially generated. > > Jules, > EmailBL is an experimental list which is being run till July 1, as a > proof of concept and in its current form will be discontinued. > > The data is not from the same feed. > > atm, there's no need to invest time in this for MailScanner as nobody > knows if it will be continued under another name, who will mirror it, > etc, etc Thanks for that info. My list of phishing email addresses has a very good future and will be supported for the forseeable future, as it produced by a very large commercial entity, whose internet-based services you have almost certainly used at some point. 
Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Follow me at twitter.com/JulesFM MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ssilva at sgvwater.com Mon Jun 15 16:42:31 2009 
From: ssilva at sgvwater.com (Scott Silva) Date: Mon Jun 15 16:42:52 2009 Subject: Problem with Exim and Mailscanner In-Reply-To: <004a01c9ed94$e5f5e550$b1e1aff0$@dk> References: <32488369.111245018724197.JavaMail.root@node> <25266218.131245020324018.JavaMail.root@node> <002d01c9ed8d$0d062d10$27128730$@dk> <72cf361e0906150102r48adf128xdb0758aa50fa81f1@mail.gmail.com> <004a01c9ed94$e5f5e550$b1e1aff0$@dk> Message-ID: on 6-15-2009 1:40 AM Jonas A. Larsen spake the following: >> Also worth checking this.. >> >> http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mt >> a:exim:installation:debian&s=debian >> >> Jonas - does this any updating? > > > Nope I think that's the documentation I originally followed a few years ago. > > The only thing we/Julian could consider was including the actual Debian init > script in the tarball or some sort of contrib. package or I dunno :) > > I guess maybe some people find the wiki page above confusing (at least I had > a co-worker who couldn?t really get the grip on the split exim thing when > trying to follow the wiki) > > You can add the init script in the wiki in a code section and people can cut and paste from there. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 258 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090615/a08bd88a/signature.bin From ms-list at alexb.ch Mon Jun 15 16:42:53 2009 
From: ms-list at alexb.ch (Alex Broens) Date: Mon Jun 15 16:43:02 2009 Subject: Anti-Phishing Update -- New data feed In-Reply-To: References: <4A362A07.60900@ecs.soton.ac.uk> <001001c9edc1$94b1a170$be14e450$@dk> <4A365B86.5030303@ecs.soton.ac.uk> <4A365F03.6000403@alexb.ch> <4A36665E.8000303@ecs.soton.ac.uk> Message-ID: <4A366BFD.9030307@alexb.ch> On 6/15/2009 5:18 PM, Julian Field wrote: > > > On 15/06/2009 15:47, Alex Broens wrote: >> On 6/15/2009 4:32 PM, Julian Field wrote: >>> >>> >>> On 15/06/2009 15:00, Jonas A. Larsen wrote: >>>> >>>>> -----Original Message----- 
>>>>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >>>>> bounces@lists.mailscanner.info] On Behalf Of Julian Field >>>>> Sent: 15. juni 2009 13:01 >>>>> To: MailScanner discussion >>>>> Subject: Anti-Phishing Update -- New data feed >>>>> >>>>> I have gained a new reliable feed of email addresses known to be used >>>>> in >>>>> phishing attacks. >>>>> I have therefore updated my anti-spear-phishing scripts to catch any >>>>> mail mentioning these email addresses as well. I know quite a few of >>>>> you >>>>> have found this script to be useful. >>>>> >>>>> You can see the new article and download the script at >>>>> http://www.jules.fm/Logbook/files/anti-phishing-v2.html >>>>> >>>>> Please do try it out and let me know what you think! >>>>> >>>> Hi Julian. >>>> >>>> Currently testing version 2 of the script, I never got round to >>>> testing the >>>> old one. >>>> >>>> I was just wondering, do this feed have anything to do with the EMAILBL >>>> plugin/project announced on the SA list? >>> Can you send me a URL for it or something to look at please? >>> Until I've read that, I can't tell you whether it is related or not, >>> they might be getting a data feed from the same place I do. But mine >>> is commercially generated. >> >> Jules, >> EmailBL is an experimental list which is being run till July 1, as a >> proof of concept and in its current form will be discontinued. >> >> The data is not from the same feed. >> >> atm, there's no need to invest time in this for MailScanner as nobody >> knows if it will be continued under another name, who will mirror it, >> etc, etc > Thanks for that info. My list of phishing email addresses has a very > good future and will be supported for the forseeable future, as it > produced by a very large commercial entity, whose internet-based > services you have almost certainly used at some point. and what entity is this? 
the EmailBL targets only freemailer email addr, not only sender, but also reply-to and in msg body and being it a RBL, deployment is very fast, 1 min updates so there may be overlap or missed stuff, by one or the other. jkf.anti-spear-phishing.cf look nice... how often is it updated? Alex From MailScanner at ecs.soton.ac.uk Mon Jun 15 16:48:45 2009 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jun 15 16:49:08 2009 Subject: Improved Postfix support References: <4A366D5D.9010204@ecs.soton.ac.uk> Message-ID: I have just released a new beta version of MailScanner, 4.78.1. This includes some new code for handling Postfix messages with complex structures that are produced by some milters, so I would be extremely grateful if you could test it for me. Keep your previous version around, just in case you need to back-out. It has been tested quite extensively, but a real mail feed is always better than any number of test messages! Many thanks. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Follow me at twitter.com/JulesFM MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Mon Jun 15 16:55:40 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jun 15 16:56:01 2009 Subject: Anti-Phishing Update -- New data feed In-Reply-To: <4A366BFD.9030307@alexb.ch> References: <4A362A07.60900@ecs.soton.ac.uk> <001001c9edc1$94b1a170$be14e450$@dk> <4A365B86.5030303@ecs.soton.ac.uk> <4A365F03.6000403@alexb.ch> <4A36665E.8000303@ecs.soton.ac.uk> <4A366BFD.9030307@alexb.ch> <4A366EFC.3070607@ecs.soton.ac.uk> Message-ID: On 15/06/2009 16:42, Alex Broens wrote: > On 6/15/2009 5:18 PM, Julian Field wrote: >> >> >> On 15/06/2009 15:47, Alex Broens wrote: >>> On 6/15/2009 4:32 PM, Julian Field wrote: >>>> >>>> >>>> On 15/06/2009 15:00, Jonas A. Larsen wrote: >>>>> >>>>>> -----Original Message----- 
>>>>>> From: mailscanner-bounces@lists.mailscanner.info >>>>>> [mailto:mailscanner- >>>>>> bounces@lists.mailscanner.info] On Behalf Of Julian Field >>>>>> Sent: 15. juni 2009 13:01 >>>>>> To: MailScanner discussion >>>>>> Subject: Anti-Phishing Update -- New data feed >>>>>> >>>>>> I have gained a new reliable feed of email addresses known to be >>>>>> used >>>>>> in >>>>>> phishing attacks. >>>>>> I have therefore updated my anti-spear-phishing scripts to catch any >>>>>> mail mentioning these email addresses as well. I know quite a few of >>>>>> you >>>>>> have found this script to be useful. >>>>>> >>>>>> You can see the new article and download the script at >>>>>> http://www.jules.fm/Logbook/files/anti-phishing-v2.html >>>>>> >>>>>> Please do try it out and let me know what you think! >>>>>> >>>>> Hi Julian. >>>>> >>>>> Currently testing version 2 of the script, I never got round to >>>>> testing the >>>>> old one. >>>>> >>>>> I was just wondering, do this feed have anything to do with the >>>>> EMAILBL >>>>> plugin/project announced on the SA list? >>>> Can you send me a URL for it or something to look at please? >>>> Until I've read that, I can't tell you whether it is related or >>>> not, they might be getting a data feed from the same place I do. >>>> But mine is commercially generated. >>> >>> Jules, >>> EmailBL is an experimental list which is being run till July 1, as a >>> proof of concept and in its current form will be discontinued. >>> >>> The data is not from the same feed. >>> >>> atm, there's no need to invest time in this for MailScanner as >>> nobody knows if it will be continued under another name, who will >>> mirror it, etc, etc >> Thanks for that info. My list of phishing email addresses has a very >> good future and will be supported for the forseeable future, as it >> produced by a very large commercial entity, whose internet-based >> services you have almost certainly used at some point. > > and what entity is this? 
Sorry, that is covered by a very big NDA. > > the EmailBL targets only freemailer email addr, not only sender, but > also reply-to and in msg body and being it a RBL, deployment is very > fast, 1 min updates so there may be overlap or missed stuff, by one or > the other. Mine targets the address appearing anywhere in the headers or body of the message. Or slight variations of the address as well. > jkf.anti-spear-phishing.cf look nice... > how often is it updated? I currently update it about every 11 minutes. Though it doesn't change on every update if it doesn't need to, obviously. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Follow me at twitter.com/JulesFM MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ms-list at alexb.ch Mon Jun 15 17:05:49 2009 From: ms-list at alexb.ch (Alex Broens) Date: Mon Jun 15 17:05:58 2009 Subject: Anti-Phishing Update -- New data feed In-Reply-To: References: <4A362A07.60900@ecs.soton.ac.uk> <001001c9edc1$94b1a170$be14e450$@dk> <4A365B86.5030303@ecs.soton.ac.uk> <4A365F03.6000403@alexb.ch> <4A36665E.8000303@ecs.soton.ac.uk> <4A366BFD.9030307@alexb.ch> <4A366EFC.3070607@ecs.soton.ac.uk> Message-ID: <4A36715D.8040901@alexb.ch> On 6/15/2009 5:55 PM, Julian Field wrote: > > > On 15/06/2009 16:42, Alex Broens wrote: >> On 6/15/2009 5:18 PM, Julian Field wrote: >>> >>> >>> On 15/06/2009 15:47, Alex Broens wrote: >>>> On 6/15/2009 4:32 PM, Julian Field wrote: >>>>> >>>>> >>>>> On 15/06/2009 15:00, Jonas A. Larsen wrote: >>>>>> >>>>>>> -----Original Message----- 
>>>>>>> From: mailscanner-bounces@lists.mailscanner.info >>>>>>> [mailto:mailscanner- >>>>>>> bounces@lists.mailscanner.info] On Behalf Of Julian Field >>>>>>> Sent: 15. juni 2009 13:01 >>>>>>> To: MailScanner discussion >>>>>>> Subject: Anti-Phishing Update -- New data feed >>>>>>> >>>>>>> I have gained a new reliable feed of email addresses known to be >>>>>>> used >>>>>>> in >>>>>>> phishing attacks. >>>>>>> I have therefore updated my anti-spear-phishing scripts to catch any >>>>>>> mail mentioning these email addresses as well. I know quite a few of >>>>>>> you >>>>>>> have found this script to be useful. >>>>>>> >>>>>>> You can see the new article and download the script at >>>>>>> http://www.jules.fm/Logbook/files/anti-phishing-v2.html >>>>>>> >>>>>>> Please do try it out and let me know what you think! >>>>>>> >>>>>> Hi Julian. >>>>>> >>>>>> Currently testing version 2 of the script, I never got round to >>>>>> testing the >>>>>> old one. >>>>>> >>>>>> I was just wondering, do this feed have anything to do with the >>>>>> EMAILBL >>>>>> plugin/project announced on the SA list? >>>>> Can you send me a URL for it or something to look at please? >>>>> Until I've read that, I can't tell you whether it is related or >>>>> not, they might be getting a data feed from the same place I do. >>>>> But mine is commercially generated. >>>> >>>> Jules, >>>> EmailBL is an experimental list which is being run till July 1, as a >>>> proof of concept and in its current form will be discontinued. >>>> >>>> The data is not from the same feed. >>>> >>>> atm, there's no need to invest time in this for MailScanner as >>>> nobody knows if it will be continued under another name, who will >>>> mirror it, etc, etc >>> Thanks for that info. My list of phishing email addresses has a very >>> good future and will be supported for the forseeable future, as it >>> produced by a very large commercial entity, whose internet-based >>> services you have almost certainly used at some point. 
>> >> and what entity is this? > Sorry, that is covered by a very big NDA. >> >> the EmailBL targets only freemailer email addr, not only sender, but >> also reply-to and in msg body and being it a RBL, deployment is very >> fast, 1 min updates so there may be overlap or missed stuff, by one or >> the other. > Mine targets the address appearing anywhere in the headers or body of > the message. Or slight variations of the address as well. >> jkf.anti-spear-phishing.cf look nice... >> how often is it updated? > I currently update it about every 11 minutes. Though it doesn't change > on every update if it doesn't need to, obviously. you mean this? http://anti-phishing-email-reply.googlecode.com/svn/trunk/phishing_reply_addresses From ms-list at alexb.ch Mon Jun 15 17:26:08 2009 From: ms-list at alexb.ch (Alex Broens) Date: Mon Jun 15 17:26:18 2009 Subject: Anti-Phishing Update -- New data feed In-Reply-To: References: <4A362A07.60900@ecs.soton.ac.uk> <001001c9edc1$94b1a170$be14e450$@dk> <4A365B86.5030303@ecs.soton.ac.uk> <4A365F03.6000403@alexb.ch> <4A36665E.8000303@ecs.soton.ac.uk> <4A366BFD.9030307@alexb.ch> <4A366EFC.3070607@ecs.soton.ac.uk> Message-ID: <4A367620.6080901@alexb.ch> On 6/15/2009 5:55 PM, Julian Field wrote: > > > On 15/06/2009 16:42, Alex Broens wrote: >> On 6/15/2009 5:18 PM, Julian Field wrote: >>> >>> >>> On 15/06/2009 15:47, Alex Broens wrote: >>>> On 6/15/2009 4:32 PM, Julian Field wrote: >>>>> >>>>> >>>>> On 15/06/2009 15:00, Jonas A. Larsen wrote: >>>>>> >>>>>>> -----Original Message----- 
>>>>>>> From: mailscanner-bounces@lists.mailscanner.info >>>>>>> [mailto:mailscanner- >>>>>>> bounces@lists.mailscanner.info] On Behalf Of Julian Field >>>>>>> Sent: 15. juni 2009 13:01 >>>>>>> To: MailScanner discussion >>>>>>> Subject: Anti-Phishing Update -- New data feed >>>>>>> >>>>>>> I have gained a new reliable feed of email addresses known to be >>>>>>> used >>>>>>> in >>>>>>> phishing attacks. >>>>>>> I have therefore updated my anti-spear-phishing scripts to catch any >>>>>>> mail mentioning these email addresses as well. I know quite a few of >>>>>>> you >>>>>>> have found this script to be useful. >>>>>>> >>>>>>> You can see the new article and download the script at >>>>>>> http://www.jules.fm/Logbook/files/anti-phishing-v2.html >>>>>>> >>>>>>> Please do try it out and let me know what you think! >>>>>>> >>>>>> Hi Julian. >>>>>> >>>>>> Currently testing version 2 of the script, I never got round to >>>>>> testing the >>>>>> old one. >>>>>> >>>>>> I was just wondering, do this feed have anything to do with the >>>>>> EMAILBL >>>>>> plugin/project announced on the SA list? >>>>> Can you send me a URL for it or something to look at please? >>>>> Until I've read that, I can't tell you whether it is related or >>>>> not, they might be getting a data feed from the same place I do. >>>>> But mine is commercially generated. >>>> >>>> Jules, >>>> EmailBL is an experimental list which is being run till July 1, as a >>>> proof of concept and in its current form will be discontinued. >>>> >>>> The data is not from the same feed. >>>> >>>> atm, there's no need to invest time in this for MailScanner as >>>> nobody knows if it will be continued under another name, who will >>>> mirror it, etc, etc >>> Thanks for that info. My list of phishing email addresses has a very >>> good future and will be supported for the forseeable future, as it >>> produced by a very large commercial entity, whose internet-based >>> services you have almost certainly used at some point. 
>> >> and what entity is this? > Sorry, that is covered by a very big NDA. >> >> the EmailBL targets only freemailer email addr, not only sender, but >> also reply-to and in msg body and being it a RBL, deployment is very >> fast, 1 min updates so there may be overlap or missed stuff, by one or >> the other. > Mine targets the address appearing anywhere in the headers or body of > the message. Or slight variations of the address as well. >> jkf.anti-spear-phishing.cf look nice... >> how often is it updated? > I currently update it about every 11 minutes. Though it doesn't change > on every update if it doesn't need to, obviously. Jules, Looking at the produced SA rule, using a "full" type of rule are pretty slow + the size may make it "hoggy". As apparently the source provides a key for body/reply-to/etc, imo, it may be worth it to try to apply this to the SA rules and create optimized header and body rules. otherwise, the data is real good. Alex From MailScanner at ecs.soton.ac.uk Mon Jun 15 18:10:22 2009 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jun 15 18:10:41 2009 Subject: Anti-Phishing Update -- New data feed In-Reply-To: <4A36715D.8040901@alexb.ch> References: <4A362A07.60900@ecs.soton.ac.uk> <001001c9edc1$94b1a170$be14e450$@dk> <4A365B86.5030303@ecs.soton.ac.uk> <4A365F03.6000403@alexb.ch> <4A36665E.8000303@ecs.soton.ac.uk> <4A366BFD.9030307@alexb.ch> <4A366EFC.3070607@ecs.soton.ac.uk> <4A36715D.8040901@alexb.ch> <4A36807E.7050107@ecs.soton.ac.uk> Message-ID: On 15/06/2009 17:05, Alex Broens wrote: > On 6/15/2009 5:55 PM, Julian Field wrote: >> >> >> On 15/06/2009 16:42, Alex Broens wrote: >>> On 6/15/2009 5:18 PM, Julian Field wrote: >>>> >>>> >>>> On 15/06/2009 15:47, Alex Broens wrote: >>>>> On 6/15/2009 4:32 PM, Julian Field wrote: >>>>>> >>>>>> >>>>>> On 15/06/2009 15:00, Jonas A. Larsen wrote: >>>>>>> >>>>>>>> -----Original Message----- 
>>>>>>>> From: mailscanner-bounces@lists.mailscanner.info >>>>>>>> [mailto:mailscanner- >>>>>>>> bounces@lists.mailscanner.info] On Behalf Of Julian Field >>>>>>>> Sent: 15. juni 2009 13:01 >>>>>>>> To: MailScanner discussion >>>>>>>> Subject: Anti-Phishing Update -- New data feed >>>>>>>> >>>>>>>> I have gained a new reliable feed of email addresses known to >>>>>>>> be used >>>>>>>> in >>>>>>>> phishing attacks. >>>>>>>> I have therefore updated my anti-spear-phishing scripts to >>>>>>>> catch any >>>>>>>> mail mentioning these email addresses as well. I know quite a >>>>>>>> few of >>>>>>>> you >>>>>>>> have found this script to be useful. >>>>>>>> >>>>>>>> You can see the new article and download the script at >>>>>>>> http://www.jules.fm/Logbook/files/anti-phishing-v2.html >>>>>>>> >>>>>>>> Please do try it out and let me know what you think! >>>>>>>> >>>>>>> Hi Julian. >>>>>>> >>>>>>> Currently testing version 2 of the script, I never got round to >>>>>>> testing the >>>>>>> old one. >>>>>>> >>>>>>> I was just wondering, do this feed have anything to do with the >>>>>>> EMAILBL >>>>>>> plugin/project announced on the SA list? >>>>>> Can you send me a URL for it or something to look at please? >>>>>> Until I've read that, I can't tell you whether it is related or >>>>>> not, they might be getting a data feed from the same place I do. >>>>>> But mine is commercially generated. >>>>> >>>>> Jules, >>>>> EmailBL is an experimental list which is being run till July 1, as >>>>> a proof of concept and in its current form will be discontinued. >>>>> >>>>> The data is not from the same feed. >>>>> >>>>> atm, there's no need to invest time in this for MailScanner as >>>>> nobody knows if it will be continued under another name, who will >>>>> mirror it, etc, etc >>>> Thanks for that info. 
My list of phishing email addresses has a >>>> very good future and will be supported for the forseeable future, >>>> as it produced by a very large commercial entity, whose >>>> internet-based services you have almost certainly used at some point. >>> >>> and what entity is this? >> Sorry, that is covered by a very big NDA. >>> >>> the EmailBL targets only freemailer email addr, not only sender, but >>> also reply-to and in msg body and being it a RBL, deployment is very >>> fast, 1 min updates so there may be overlap or missed stuff, by one >>> or the other. >> Mine targets the address appearing anywhere in the headers or body of >> the message. Or slight variations of the address as well. >>> jkf.anti-spear-phishing.cf look nice... >>> how often is it updated? >> I currently update it about every 11 minutes. Though it doesn't >> change on every update if it doesn't need to, obviously. > > you mean this? > http://anti-phishing-email-reply.googlecode.com/svn/trunk/phishing_reply_addresses > No, that's the first one I used, and still do use. But it's certainly not the new data feed. That one is freely available to anyone who wants it, there's no NDA or anything associated with it. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Follow me at twitter.com/JulesFM MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Mon Jun 15 18:14:13 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jun 15 18:14:39 2009 Subject: Anti-Phishing Update -- New data feed In-Reply-To: <4A367620.6080901@alexb.ch> References: <4A362A07.60900@ecs.soton.ac.uk> <001001c9edc1$94b1a170$be14e450$@dk> <4A365B86.5030303@ecs.soton.ac.uk> <4A365F03.6000403@alexb.ch> <4A36665E.8000303@ecs.soton.ac.uk> <4A366BFD.9030307@alexb.ch> <4A366EFC.3070607@ecs.soton.ac.uk> <4A367620.6080901@alexb.ch> <4A368165.40207@ecs.soton.ac.uk> Message-ID: On 15/06/2009 17:26, Alex Broens wrote: > On 6/15/2009 5:55 PM, Julian Field wrote: >> >> >> On 15/06/2009 16:42, Alex Broens wrote: >>> On 6/15/2009 5:18 PM, Julian Field wrote: >>>> >>>> >>>> On 15/06/2009 15:47, Alex Broens wrote: >>>>> On 6/15/2009 4:32 PM, Julian Field wrote: >>>>>> >>>>>> >>>>>> On 15/06/2009 15:00, Jonas A. Larsen wrote: >>>>>>> >>>>>>>> -----Original Message----- 
>>>>>>>> From: mailscanner-bounces@lists.mailscanner.info >>>>>>>> [mailto:mailscanner- >>>>>>>> bounces@lists.mailscanner.info] On Behalf Of Julian Field >>>>>>>> Sent: 15. juni 2009 13:01 >>>>>>>> To: MailScanner discussion >>>>>>>> Subject: Anti-Phishing Update -- New data feed >>>>>>>> >>>>>>>> I have gained a new reliable feed of email addresses known to >>>>>>>> be used >>>>>>>> in >>>>>>>> phishing attacks. >>>>>>>> I have therefore updated my anti-spear-phishing scripts to >>>>>>>> catch any >>>>>>>> mail mentioning these email addresses as well. I know quite a >>>>>>>> few of >>>>>>>> you >>>>>>>> have found this script to be useful. >>>>>>>> >>>>>>>> You can see the new article and download the script at >>>>>>>> http://www.jules.fm/Logbook/files/anti-phishing-v2.html >>>>>>>> >>>>>>>> Please do try it out and let me know what you think! >>>>>>>> >>>>>>> Hi Julian. >>>>>>> >>>>>>> Currently testing version 2 of the script, I never got round to >>>>>>> testing the >>>>>>> old one. >>>>>>> >>>>>>> I was just wondering, do this feed have anything to do with the >>>>>>> EMAILBL >>>>>>> plugin/project announced on the SA list? >>>>>> Can you send me a URL for it or something to look at please? >>>>>> Until I've read that, I can't tell you whether it is related or >>>>>> not, they might be getting a data feed from the same place I do. >>>>>> But mine is commercially generated. >>>>> >>>>> Jules, >>>>> EmailBL is an experimental list which is being run till July 1, as >>>>> a proof of concept and in its current form will be discontinued. >>>>> >>>>> The data is not from the same feed. >>>>> >>>>> atm, there's no need to invest time in this for MailScanner as >>>>> nobody knows if it will be continued under another name, who will >>>>> mirror it, etc, etc >>>> Thanks for that info. 
My list of phishing email addresses has a >>>> very good future and will be supported for the forseeable future, >>>> as it produced by a very large commercial entity, whose >>>> internet-based services you have almost certainly used at some point. >>> >>> and what entity is this? >> Sorry, that is covered by a very big NDA. >>> >>> the EmailBL targets only freemailer email addr, not only sender, but >>> also reply-to and in msg body and being it a RBL, deployment is very >>> fast, 1 min updates so there may be overlap or missed stuff, by one >>> or the other. >> Mine targets the address appearing anywhere in the headers or body of >> the message. Or slight variations of the address as well. >>> jkf.anti-spear-phishing.cf look nice... >>> how often is it updated? >> I currently update it about every 11 minutes. Though it doesn't >> change on every update if it doesn't need to, obviously. > > Jules, > > Looking at the produced SA rule, using a "full" type of rule are > pretty slow + the size may make it "hoggy". > > As apparently the source provides a key for body/reply-to/etc, imo, it > may be worth it to try to apply this to the SA rules and create > optimized header and body rules. > otherwise, the data is real good. I need to apply the rules to the entire message body and headers, as they frequently put the email address just in the body of the message inside some link or other. So how would creating separate header and body rules be any better? I do at least sort the data alphabetically (pretty much) so that the regexp compiler in Perl can produce optimised FSMs that can knock out many of the regexps just by looking at the first character, without having to test any further. I also protect the regexp by designing it to minimise false positives, in that it must be preceded and followed by things that aren't part of an email address, which many of my competitors don't take the effort to do. 
There's nothing worse than a protection system which causes loads of false alarms. > > Alex > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Follow me at twitter.com/JulesFM MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ms-list at alexb.ch Mon Jun 15 18:34:09 2009 From: ms-list at alexb.ch (Alex Broens) Date: Mon Jun 15 18:34:18 2009 Subject: Anti-Phishing Update -- New data feed In-Reply-To: References: <4A362A07.60900@ecs.soton.ac.uk> <001001c9edc1$94b1a170$be14e450$@dk> <4A365B86.5030303@ecs.soton.ac.uk> <4A365F03.6000403@alexb.ch> <4A36665E.8000303@ecs.soton.ac.uk> <4A366BFD.9030307@alexb.ch> <4A366EFC.3070607@ecs.soton.ac.uk> <4A367620.6080901@alexb.ch> <4A368165.40207@ecs.soton.ac.uk> Message-ID: <4A368611.8040901@alexb.ch> On 6/15/2009 7:14 PM, Julian Field wrote: > > > On 15/06/2009 17:26, Alex Broens wrote: >> On 6/15/2009 5:55 PM, Julian Field wrote: >>> >>> >>> On 15/06/2009 16:42, Alex Broens wrote: >>>> On 6/15/2009 5:18 PM, Julian Field wrote: >>>>> >>>>> >>>>> On 15/06/2009 15:47, Alex Broens wrote: >>>>>> On 6/15/2009 4:32 PM, Julian Field wrote: >>>>>>> >>>>>>> >>>>>>> On 15/06/2009 15:00, Jonas A. Larsen wrote: >>>>>>>> >>>>>>>>> -----Original Message----- 
>>>>>>>>> From: mailscanner-bounces@lists.mailscanner.info >>>>>>>>> [mailto:mailscanner- >>>>>>>>> bounces@lists.mailscanner.info] On Behalf Of Julian Field >>>>>>>>> Sent: 15. juni 2009 13:01 >>>>>>>>> To: MailScanner discussion >>>>>>>>> Subject: Anti-Phishing Update -- New data feed >>>>>>>>> >>>>>>>>> I have gained a new reliable feed of email addresses known to >>>>>>>>> be used >>>>>>>>> in >>>>>>>>> phishing attacks. >>>>>>>>> I have therefore updated my anti-spear-phishing scripts to >>>>>>>>> catch any >>>>>>>>> mail mentioning these email addresses as well. I know quite a >>>>>>>>> few of >>>>>>>>> you >>>>>>>>> have found this script to be useful. >>>>>>>>> >>>>>>>>> You can see the new article and download the script at >>>>>>>>> http://www.jules.fm/Logbook/files/anti-phishing-v2.html >>>>>>>>> >>>>>>>>> Please do try it out and let me know what you think! >>>>>>>>> >>>>>>>> Hi Julian. >>>>>>>> >>>>>>>> Currently testing version 2 of the script, I never got round to >>>>>>>> testing the >>>>>>>> old one. >>>>>>>> >>>>>>>> I was just wondering, do this feed have anything to do with the >>>>>>>> EMAILBL >>>>>>>> plugin/project announced on the SA list? >>>>>>> Can you send me a URL for it or something to look at please? >>>>>>> Until I've read that, I can't tell you whether it is related or >>>>>>> not, they might be getting a data feed from the same place I do. >>>>>>> But mine is commercially generated. >>>>>> >>>>>> Jules, >>>>>> EmailBL is an experimental list which is being run till July 1, as >>>>>> a proof of concept and in its current form will be discontinued. >>>>>> >>>>>> The data is not from the same feed. >>>>>> >>>>>> atm, there's no need to invest time in this for MailScanner as >>>>>> nobody knows if it will be continued under another name, who will >>>>>> mirror it, etc, etc >>>>> Thanks for that info. 
My list of phishing email addresses has a >>>>> very good future and will be supported for the foreseeable future, >>>>> as it produced by a very large commercial entity, whose >>>>> internet-based services you have almost certainly used at some point. >>>> >>>> and what entity is this? >>> Sorry, that is covered by a very big NDA. >>>> >>>> the EmailBL targets only freemailer email addr, not only sender, but >>>> also reply-to and in msg body and being it a RBL, deployment is very >>>> fast, 1 min updates so there may be overlap or missed stuff, by one >>>> or the other. >>> Mine targets the address appearing anywhere in the headers or body of >>> the message. Or slight variations of the address as well. >>>> jkf.anti-spear-phishing.cf look nice... >>>> how often is it updated? >>> I currently update it about every 11 minutes. Though it doesn't >>> change on every update if it doesn't need to, obviously. >> >> Jules, >> >> Looking at the produced SA rule, using a "full" type of rule are >> pretty slow + the size may make it "hoggy". >> >> As apparently the source provides a key for body/reply-to/etc, imo, it >> may be worth it to try to apply this to the SA rules and create >> optimized header and body rules. >> otherwise, the data is real good. > I need to apply the rules to the entire message body and headers, as > they frequently put the email address just in the body of the message > inside some link or other. So how would creating separate header and > body rules be any better? I'm not savvy enough in Perl & SA to give you the scientific reason, but it's been common practice to avoid full rules if possible. You'd have to ask one of the core SA devs... maybe Matt Kettler can jump in and tell me I'm totally off and that my understanding is wrong. Alex From gafaith at asdm.net Mon Jun 15 19:09:39 2009 
From: gafaith at asdm.net (Gary Faith)
Date: Mon Jun 15 19:10:07 2009
Subject: Changes in Version 4.77.10-1
In-Reply-To:
References: <4A3251C00200002D00006A48@sparky.asdm.net> <4A33BA94.2000007@ecs.soton.ac.uk>
Message-ID: <4A3656230200002D00006A7D@sparky.asdm.net>

Yes, I have mail being sent from a dynamic IP address with a host name I know but the IP will change. Can you provide a way to turn off the anti-spoof checking? If not now, in future releases?

Thanks,

Gary

>>> Kai Schaetzl 6/14/2009 3:31 AM >>>
Julian Field wrote on Sat, 13 Jun 2009 15:41:24 +0100:

> Just use the IP addresses instead of the hostnames. Trivial, surely?

But he doesn't know them.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From alex at rtpty.com Mon Jun 15 19:21:35 2009
From: alex at rtpty.com (Alex Neuman)
Date: Mon Jun 15 19:21:44 2009
Subject: Improved Postfix support
In-Reply-To:
References: <4A366D5D.9010204@ecs.soton.ac.uk>
Message-ID: <24e3d2e40906151121i2ae8df15t59d65a102fbbfd25@mail.gmail.com>

I'm sure it still causes swapping! ;-)

On Mon, Jun 15, 2009 at 10:48 AM, Julian Field wrote:

> I have just released a new beta version of MailScanner, 4.78.1.
> This includes some new code for handling Postfix messages with complex
> structures that are produced by some milters, so I would be extremely
> grateful if you could test it for me.
> Keep your previous version around, just in case you need to back-out.
>
> It has been tested quite extensively, but a real mail feed is always better
> than any number of test messages!
>
> Many thanks.
>
> Jules
>
> --
> Julian Field MEng CITP CEng
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
> Follow me at twitter.com/JulesFM
>
> MailScanner customisation, or any advanced system administration help?
> Contact me at Jules@Jules.FM
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> PGP public key: http://www.jules.fm/julesfm.asc

--
Alex Neuman van der Hans
Reliant Technologies
+507 6781-9505
+507 202-1525
alex@rtpty.com
Skype: alexneuman

From glenn.steen at gmail.com Mon Jun 15 19:26:27 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Jun 15 19:26:36 2009
Subject: Problem with Exim and Mailscanner
In-Reply-To:
References: <32488369.111245018724197.JavaMail.root@node> <25266218.131245020324018.JavaMail.root@node> <002d01c9ed8d$0d062d10$27128730$@dk> <72cf361e0906150102r48adf128xdb0758aa50fa81f1@mail.gmail.com> <004a01c9ed94$e5f5e550$b1e1aff0$@dk>
Message-ID: <223f97700906151126u69da7e28sb4da67ee2a59e8cd@mail.gmail.com>

2009/6/15 Scott Silva :
> on 6-15-2009 1:40 AM Jonas A. Larsen spake the following:
>>> Also worth checking this..
>>>
>>> http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mt
>>> a:exim:installation:debian&s=debian
>>>
>>> Jonas - does this any updating?
>>
>>
>> Nope I think that's the documentation I originally followed a few years ago.
>>
>> The only thing we/Julian could consider was including the actual Debian init
>> script in the tarball or some sort of contrib. package or I dunno :)
>>
>> I guess maybe some people find the wiki page above confusing (at least I had
>> a co-worker who couldn't really get the grip on the split exim thing when
>> trying to follow the wiki)
>>
>>
>
> You can add the init script in the wiki in a code section and people can cut
> and paste from there.
>

Unless I'm completely off my rockers, or someone has limited what can be done for security reasons, you can actually upload the init script to the wiki so that it is presented as a file download link....;-)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Mon Jun 15 19:28:07 2009
From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Jun 15 19:28:16 2009 Subject: Improved Postfix support In-Reply-To: <24e3d2e40906151121i2ae8df15t59d65a102fbbfd25@mail.gmail.com> References: <4A366D5D.9010204@ecs.soton.ac.uk> <24e3d2e40906151121i2ae8df15t59d65a102fbbfd25@mail.gmail.com> Message-ID: <223f97700906151128i2b935a4dj1de81f7e09e38d90@mail.gmail.com> 2009/6/15 Alex Neuman : > I'm sure it still causes swapping! ;-) > To (mis-)quote Gandalf... "Run you fool! Run!!!" :-) -- -- Glenn > On Mon, Jun 15, 2009 at 10:48 AM, Julian Field > wrote: >> >> I have just released a new beta version of MailScanner, 4.78.1. >> This includes some new code for handling Postfix messages with complex >> structures that are produced by some milters, so I would be extremely >> grateful if you could test it for me. >> Keep your previous version around, just in case you need to back-out. >> >> It has been tested quite extensively, but a real mail feed is always >> better than any number of test messages! >> >> Many thanks. >> >> Jules >> >> -- >> Julian Field MEng CITP CEng >> www.MailScanner.info >> Buy the MailScanner book at www.MailScanner.info/store >> Follow me at twitter.com/JulesFM >> >> MailScanner customisation, or any advanced system administration help? >> Contact me at Jules@Jules.FM >> >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> PGP public key: http://www.jules.fm/julesfm.asc >> >> >> -- >> This message has been scanned for viruses and >> dangerous content by MailScanner, and is >> believed to be clean. >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! 
> > > > -- > Alex Neuman van der Hans > Reliant Technologies > +507 6781-9505 > +507 202-1525 > alex@rtpty.com > Skype: alexneuman > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From MailScanner at ecs.soton.ac.uk Mon Jun 15 19:28:11 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Jun 15 19:28:32 2009
Subject: Changes in Version 4.77.10-1
In-Reply-To: <4A3656230200002D00006A7D@sparky.asdm.net>
References: <4A3251C00200002D00006A48@sparky.asdm.net> <4A33BA94.2000007@ecs.soton.ac.uk> <4A3656230200002D00006A7D@sparky.asdm.net> <4A3692BB.9070605@ecs.soton.ac.uk>
Message-ID:

On 15/06/2009 19:09, Gary Faith wrote:
> Yes, I have mail being sent from a dynamic IP address with a host name
> I know but the IP will change. Can you provide a way to turn off the
> anti-spoof checking? If not now, in future releases?

I will add a switch for you. But it does make defeating the name lookup into a very simple thing for a spammer/attacker to do against you.

Jules.

> Thanks,
>
> Gary
>
> >>> Kai Schaetzl 6/14/2009 3:31 AM >>>
> Julian Field wrote on Sat, 13 Jun 2009 15:41:24 +0100:
>
> > Just use the IP addresses instead of the hostnames. Trivial, surely?
>
> But he doesn't know them.
>
> Kai
>
> --
> Kai Schätzl, Berlin, Germany
> Get your web at Conactive Internet Services: http://www.conactive.com

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Follow me at twitter.com/JulesFM

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

From J.Ede at birchenallhowden.co.uk Mon Jun 15 19:31:23 2009
From: J.Ede at birchenallhowden.co.uk (Jason Ede) Date: Mon Jun 15 19:31:41 2009 Subject: Anti-Phishing Update -- New data feed In-Reply-To: References: <4A362A07.60900@ecs.soton.ac.uk> <001001c9edc1$94b1a170$be14e450$@dk> <4A365B86.5030303@ecs.soton.ac.uk> <4A365F03.6000403@alexb.ch> <4A36665E.8000303@ecs.soton.ac.uk> <4A366BFD.9030307@alexb.ch> <4A366EFC.3070607@ecs.soton.ac.uk> <4A367620.6080901@alexb.ch> <4A368165.40207@ecs.soton.ac.uk> Message-ID: <1213490F1F316842A544A850422BFA960EBFA3BA78@BHLSBS.bhl.local> > > Looking at the produced SA rule, using a "full" type of rule are > > pretty slow + the size may make it "hoggy". > > > > As apparently the source provides a key for body/reply-to/etc, imo, > it > > may be worth it to try to apply this to the SA rules and create > > optimized header and body rules. > > otherwise, the data is real good. > I need to apply the rules to the entire message body and headers, as > they frequently put the email address just in the body of the message > inside some link or other. So how would creating separate header and > body rules be any better? > > I do at least sort the data alphabetically (pretty much) so that the > regexp compiler in Perl can produce optimised FSMs that can knock out > many of the regexps just by looking at the first character, without > having to test any further. > > I also protect the regexp by designing it to minimise false positives, > in that it must be preceded and followed by things that aren't part of > an email address, which many of my competitors don't take the effort to > do. There's nothing worse than a protection system which causes loads > of > false alarms. > > > > > Alex > > > > > > Jules Rulesets look really useful thanks :-) The competitors are just plain struggling to keep up. Jason From MailScanner at ecs.soton.ac.uk Mon Jun 15 20:17:30 2009 
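The false-positive guard Julian describes in this thread (a listed address only counts when it is preceded and followed by something that cannot be part of an e-mail address) can be sketched as follows. This is an added example in Python, not Julian's Perl script or the generated SpamAssassin rule; the feed entries, sample messages and the character classes chosen for "part of an address" are constructed assumptions.

```python
import re

# Constructed sample feed: placeholder addresses on reserved example domains.
FEED = ["claims.dept@example.com", "ann@example.org", "account-verify@example.net"]

# Assumption: which characters count as "could still be part of an address".
# Before the match, any of these means we are in the middle of a longer local part.
BEFORE = r"[A-Za-z0-9._%+\-]"
# After the match, a dot only counts when a label follows it, so a full stop
# that ends a sentence does not hide a real hit.
AFTER = r"[A-Za-z0-9_%+\-@]|\.[A-Za-z0-9]"


def build_naive(addresses):
    """Plain alternation: fires on a listed address even inside a longer one."""
    return re.compile("|".join(re.escape(a) for a in addresses), re.IGNORECASE)


def build_guarded(addresses):
    """Alternation wrapped in look-behind / look-ahead guards.

    The entries are de-duplicated and sorted as in the post; the speed-up
    Julian attributes to sorting concerns Perl's regexp compiler and is not
    something this Python sketch measures.
    """
    ordered = sorted({a.lower() for a in addresses})
    alternation = "|".join(re.escape(a) for a in ordered)
    return re.compile(f"(?<!{BEFORE})(?:{alternation})(?!{AFTER})", re.IGNORECASE)


# Constructed message fragments covering headers, body links and near misses.
SAMPLES = {
    "body_link": 'Click <a href="mailto:claims.dept@example.com">here</a>',
    "sentence_end": "Send your password to ann@example.org.",
    "reply_to_header": "Reply-To: <Account-Verify@example.net>",
    "longer_local_part": "Contact joann@example.org about the rota",
    "longer_domain": "Write to ann@example.org.uk today",
}


def hits(regex, samples=SAMPLES):
    """Return the names of the samples in which the regex finds a listed address."""
    return {name for name, text in samples.items() if regex.search(text)}


if __name__ == "__main__":
    print("naive  :", sorted(hits(build_naive(FEED))))
    print("guarded:", sorted(hits(build_guarded(FEED))))
```

The two near misses (`joann@example.org`, `ann@example.org.uk`) are different mailboxes from the listed `ann@example.org`; only the unguarded pattern flags them.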
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jun 15 20:17:54 2009 Subject: Changes in Version 4.77.10-1 In-Reply-To: References: <4A3251C00200002D00006A48@sparky.asdm.net> <4A33BA94.2000007@ecs.soton.ac.uk> <4A3656230200002D00006A7D@sparky.asdm.net> <4A3692BB.9070605@ecs.soton.ac.uk> <4A369E4A.2000103@ecs.soton.ac.uk> Message-ID: On 15/06/2009 19:28, Julian Field wrote: > > > On 15/06/2009 19:09, Gary Faith wrote: >> Yes, I have mail being sent from a dynamic IP address with a host >> name I know but the IP will change. Can you provide a way to turn >> off the anti-spoof checking? If not now, in future releases? > I will add a switch for you. But it does make defeating the name > lookup into a very simple thing for a spammer/attacker to do against you. I have implemented it by you using host-nocheck:hostname.domain.com instead of host:hostname.domain.com in the condition in a line in a ruleset. I can see how this might be useful should you be needing to test against a dynamic IP address, in which case you will have a DNS PTR record but no DNS A record. This will hopefully solve your problem nicely. It will be in the next release. >> >>> Kai Schaetzl 6/14/2009 3:31 AM >>> >> Julian Field wrote on Sat, 13 Jun 2009 15:41:24 +0100: >> >> > Just use the IP addresses instead of the hostnames. Trivial, surely? >> >> But he doesn't know them. >> >> Kai >> >> -- >> Kai Schätzl, Berlin, Germany >> Get your web at Conactive Internet Services: http://www.conactive.com >> >> >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! 
> > Jules > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Follow me at twitter.com/JulesFM MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From steve.freegard at fsl.com Mon Jun 15 21:02:45 2009 
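The difference between host: and host-nocheck: described in the message above, as an added example that is not MailScanner's code (MailScanner is written in Perl). It assumes the anti-spoof check is a forward-confirmed reverse DNS lookup, which is what the PTR/A remark suggests; the DNS tables, the pattern-matching semantics and every function name here are constructed for illustration.

```python
import fnmatch
import re

# Constructed DNS data (documentation address ranges, example domains).
# PTR answers are published by whoever runs the reverse zone for the client's
# IP block; A answers are published by whoever runs the forward zone of the name.
PTR_RECORDS = {
    "198.51.100.10": "mailgate1.example.org",  # the real relay
    "203.0.113.66": "mailgate1.example.org",   # unrelated IP whose PTR claims the same name
    "203.0.113.99": "home.dyn.example.net",    # dynamic host: PTR exists, no A record
}
A_RECORDS = {
    "mailgate1.example.org": {"198.51.100.10"},
}


def client_hostname(ip, confirm=True, ptr=PTR_RECORDS, a=A_RECORDS):
    """Return the hostname to match rules against, or None if it is unusable.

    confirm=True  models host:         (the PTR name must resolve back to the IP)
    confirm=False models host-nocheck: (the PTR name is accepted as-is)
    """
    name = ptr.get(ip)
    if name is None:
        return None
    name = name.rstrip(".").lower()
    if confirm and ip not in a.get(name, set()):
        return None  # forward lookup does not confirm the reverse lookup
    return name


def pattern_matches(pattern, hostname):
    """Assumed semantics: /regexp/, shell-style wildcard, exact name or parent domain."""
    if len(pattern) > 1 and pattern.startswith("/") and pattern.endswith("/"):
        return re.search(pattern[1:-1], hostname, re.IGNORECASE) is not None
    pattern = pattern.lower()
    if "*" in pattern:
        return fnmatch.fnmatchcase(hostname, pattern)
    return hostname == pattern or hostname.endswith("." + pattern)


def rule_matches(condition, ip):
    """Evaluate one 'host:...' or 'host-nocheck:...' condition for a connecting IP."""
    keyword, _, pattern = condition.partition(":")
    if keyword not in ("host", "host-nocheck") or not pattern:
        raise ValueError("not a hostname condition: %r" % condition)
    hostname = client_hostname(ip, confirm=(keyword == "host"))
    return hostname is not None and pattern_matches(pattern, hostname)


def audit(condition):
    """Return {ip: matched} for every constructed client, to compare both keywords."""
    return {ip: rule_matches(condition, ip) for ip in sorted(PTR_RECORDS)}


if __name__ == "__main__":
    for cond in ("host:mailgate*.example.org",
                 "host-nocheck:mailgate*.example.org",
                 "host:dyn.example.net",
                 "host-nocheck:dyn.example.net"):
        print(cond, audit(cond))
```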
From: steve.freegard at fsl.com (Steve Freegard) Date: Mon Jun 15 21:02:59 2009 Subject: Anti-Phishing Update -- New data feed In-Reply-To: <4A368611.8040901@alexb.ch> References: <4A362A07.60900@ecs.soton.ac.uk> <001001c9edc1$94b1a170$be14e450$@dk> <4A365B86.5030303@ecs.soton.ac.uk> <4A365F03.6000403@alexb.ch> <4A36665E.8000303@ecs.soton.ac.uk> <4A366BFD.9030307@alexb.ch> <4A366EFC.3070607@ecs.soton.ac.uk> <4A367620.6080901@alexb.ch> <4A368165.40207@ecs.soton.ac.uk> <4A368611.8040901@alexb.ch> Message-ID: <4A36A8E5.5080406@fsl.com> Alex Broens wrote: >> I need to apply the rules to the entire message body and headers, as >> they frequently put the email address just in the body of the message >> inside some link or other. So how would creating separate header and >> body rules be any better? > > I'm not savvy enough in Perl & SA to give you the scientific reason, but > its been common practive to avoid full rules if possible. > > You'd have to ask one of the core SA devs... maybe Matt Kettler can > jump in and tell me I'm totally off and that my understanding is wrong. 'full' rules are simply inefficient as IIRC the regexps have to be run multiple times across each block of text (IIRC: SA splits into paragraph style chunks) to prevent excessive memory use. They also evaluate all other MIME structures e.g. attachments, images etc. as per the docs. If you are simply looking to get any e-mail addresses out of the message body; then a 'uri' rule is far more appropriate e.g. uri BLAH /^mailto:email\@domain\.com$/ (SA converts all e-mail URIs into mailto: types even those with no scheme). Then use header rules for the To/Cc/Bcc/Sender headers. Might also be worth using Regexp::Assemble to generate the initial regexps if you aren't already. Once lists like these reach over a certain size; regexps are going to be memory hungry and far less efficient; at which point the EmailBL style DNS lists are more appropriate and scalable as the addresses are exact match. 
Cheers, Steve. From MailScanner at ecs.soton.ac.uk Mon Jun 15 21:25:05 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jun 15 21:25:28 2009 Subject: Anti-Phishing Update -- New data feed In-Reply-To: <4A36A8E5.5080406@fsl.com> References: <4A362A07.60900@ecs.soton.ac.uk> <001001c9edc1$94b1a170$be14e450$@dk> <4A365B86.5030303@ecs.soton.ac.uk> <4A365F03.6000403@alexb.ch> <4A36665E.8000303@ecs.soton.ac.uk> <4A366BFD.9030307@alexb.ch> <4A366EFC.3070607@ecs.soton.ac.uk> <4A367620.6080901@alexb.ch> <4A368165.40207@ecs.soton.ac.uk> <4A368611.8040901@alexb.ch> <4A36A8E5.5080406@fsl.com> <4A36AE21.6020109@ecs.soton.ac.uk> Message-ID: On 15/06/2009 21:02, Steve Freegard wrote: > Alex Broens wrote: > >>> I need to apply the rules to the entire message body and headers, as >>> they frequently put the email address just in the body of the message >>> inside some link or other. So how would creating separate header and >>> body rules be any better? >>> >> I'm not savvy enough in Perl& SA to give you the scientific reason, but >> its been common practive to avoid full rules if possible. >> >> You'd have to ask one of the core SA devs... maybe Matt Kettler can >> jump in and tell me I'm totally off and that my understanding is wrong. >> > 'full' rules are simply inefficient as IIRC the regexps have to be run > multiple times across each block of text (IIRC: SA splits into paragraph > style chunks) to prevent excessive memory use. They also evaluate all > other MIME structures e.g. attachments, images etc. as per the docs. > I don't think they include binary attachments, I had to add that specifically for the MCP stuff with a patch to the SA code. > If you are simply looking to get any e-mail addresses out of the message > body; then a 'uri' rule is far more appropriate e.g. > > uri BLAH /^mailto:email\@domain\.com$/ > > (SA converts all e-mail URIs into mailto: types even those with no scheme). > But surely that wouldn't work when email addresses just appear in the text in text/plain bodies, would they? 
Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Follow me at twitter.com/JulesFM MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From steve.freegard at fsl.com Mon Jun 15 21:35:08 2009 
From: steve.freegard at fsl.com (Steve Freegard) Date: Mon Jun 15 21:35:18 2009 Subject: Anti-Phishing Update -- New data feed In-Reply-To: References: <4A362A07.60900@ecs.soton.ac.uk> <001001c9edc1$94b1a170$be14e450$@dk> <4A365B86.5030303@ecs.soton.ac.uk> <4A365F03.6000403@alexb.ch> <4A36665E.8000303@ecs.soton.ac.uk> <4A366BFD.9030307@alexb.ch> <4A366EFC.3070607@ecs.soton.ac.uk> <4A367620.6080901@alexb.ch> <4A368165.40207@ecs.soton.ac.uk> <4A368611.8040901@alexb.ch> <4A36A8E5.5080406@fsl.com> <4A36AE21.6020109@ecs.soton.ac.uk> Message-ID: <4A36B07C.3010205@fsl.com> Julian Field wrote: > > > On 15/06/2009 21:02, Steve Freegard wrote: >> Alex Broens wrote: >> >>>> I need to apply the rules to the entire message body and headers, as >>>> they frequently put the email address just in the body of the message >>>> inside some link or other. So how would creating separate header and >>>> body rules be any better? >>>> >>> I'm not savvy enough in Perl & SA to give you the scientific reason, but >>> it's been common practice to avoid full rules if possible. >>> >>> You'd have to ask one of the core SA devs... maybe Matt Kettler can >>> jump in and tell me I'm totally off and that my understanding is wrong. >>> >> 'full' rules are simply inefficient as IIRC the regexps have to be run >> multiple times across each block of text (IIRC: SA splits into paragraph >> style chunks) to prevent excessive memory use. They also evaluate all >> other MIME structures e.g. attachments, images etc. as per the docs. >> > I don't think they include binary attachments, I had to add that > specifically for the MCP stuff with a patch to the SA code. From 'man Mail::SpamAssassin::Conf': full SYMBOLIC_TEST_NAME /pattern/modifiers Define a full message pattern test. "pattern" is a Perl regular expression. 
The full message is the pristine message headers plus the pristine message body, including all MIME data such as images, other attachments, MIME boundaries, etc. The reason it wouldn't work for MCP is that a 'full' rule is not going to decode base64/QP parts before evaluating the regexp (I think!). >> If you are simply looking to get any e-mail addresses out of the message >> body; then a 'uri' rule is far more appropriate e.g. >> >> uri BLAH /^mailto:email\@domain\.com$/ >> >> (SA converts all e-mail URIs into mailto: types even those with no >> scheme). >> > But surely that wouldn't work when email addresses just appear in the > text in text/plain bodies, would they? Sure does: [root@mail ~]# cat test.eml Return-path: To: test From: test Subject: test Content-type: text/plain Test body bodytest@example.com this is a test bodytest2@example.com [root@mail ~]# /mnt/jungledisk/smf/scripts/uri-extractor.pl test.eml URI-Domain:example.com URI:mailto:bodytest2@example.com URI:mailto:bodytest@example.com (uri-extractor.pl uses SA to extract URIs in the same way the eval() rules do; I use this for testing amongst other things). Cheers, Steve. From ssilva at sgvwater.com Mon Jun 15 23:49:05 2009 
From: ssilva at sgvwater.com (Scott Silva) Date: Mon Jun 15 23:49:30 2009 Subject: Improved Postfix support In-Reply-To: <24e3d2e40906151121i2ae8df15t59d65a102fbbfd25@mail.gmail.com> References: <4A366D5D.9010204@ecs.soton.ac.uk> <24e3d2e40906151121i2ae8df15t59d65a102fbbfd25@mail.gmail.com> Message-ID: on 6-15-2009 11:21 AM Alex Neuman spake the following: > I'm sure it still causes swapping! ;-) > I wish we could "swap" that old joke for a new one! From Kevin_Miller at ci.juneau.ak.us Mon Jun 15 23:54:59 2009 From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Mon Jun 15 23:55:09 2009 Subject: Improved Postfix support In-Reply-To: References: <4A366D5D.9010204@ecs.soton.ac.uk> <24e3d2e40906151121i2ae8df15t59d65a102fbbfd25@mail.gmail.com> Message-ID: <4A09477D575C2C4B86497161427DD94C0D17B7ED5D@city-exchange07> Scott Silva wrote: > on 6-15-2009 11:21 AM Alex Neuman spake the following: >> I'm sure it still causes swapping! ;-) >> > I wish we could "swap" that old joke for a new one! Um, OK. Here's the kernel of a new joke. This being open source, perhaps RMS can provide the utility/answer. But that would make it a gnu joke, not a new joke. Hmmm... "How many postfix users does it take to change a lightbulb?" This being open source, perhaps RMS can provide the utility/answer. But that would make it a gnu/joke, not a new joke. Hmmm... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From shyamph at gmail.com Tue Jun 16 08:30:13 2009 
From: shyamph at gmail.com (shyam hirurkar) Date: Tue Jun 16 08:37:55 2009 Subject: Whitelisting rule query In-Reply-To: References: <200905270947.n4R9llxO025428@safir.blacknight.ie> <4A1D15E3.2030104@ecs.soton.ac.uk> <4A1D7A10.9060300@ecs.soton.ac.uk> <200905271534.n4RFYlMM018401@safir.blacknight.ie> Message-ID: Hi, Thanks a lot it is working fine. I have one small doubt on white listing when my MX receives mail from same user to same user then it is white listing . Any reason for this because of this some spoof and spam mails are passing through, I checked in database (mailwatch) but there is no such entry for the user.Also observed this is randomly happening for some random users. Thanks, shyam On Wed, May 27, 2009 at 11:06 PM, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > On 27/05/2009 16:35, Stef Morrell wrote: > > > >> -----Original Message----- > >> From: mailscanner-bounces@lists.mailscanner.info > >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > >> Of Julian Field > >> > >> On 27/05/2009 10:48, Stef Morrell wrote: > >> > >>> So, what I hope to be able to do is add a spam whitelisting > >>> > >> rule along > >> > >>> the lines of > >>> > >>> From: *@mydomain and 
From: > >>> > >>> Does this makes sense and is it achieveable? > >>> > >>> > >> Yes, and you have even got the syntax right. Just add a "yes" > >> on the end of the line and put it in > >> /etc/MailScanner/rules/spam.whitelist.rules. > >> > > Ah fantastic thanks. For some reason I was under the mistaken impression > > one could only do a > > > > From:Foo and To:Bar Yes > > > > Rather than multiple 'from' conditions. > > > > Is there a maximum number of conditions (not that I can think of an > > application for more than maybe 3-4)? > > > Yes. 2. > > Could you say > > > > From:Foo or From:Bar > > > > Or is it more appropriate to write two rules? > > > No, write 2 rules. > > Jules > > - -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > Follow me at twitter.com/JulesFM > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > PGP public key: http://www.jules.fm/julesfm.asc > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.10.0 (Build 500) > Comment: Use PGP or Thunderbird Enigmail to verify this message > Charset: ISO-8859-1 > > wj8DBQFKHXoREfZZRxQVtlQRAnyEAJ4iMWdjECe5XGj3Tljij7our22hVQCeObqr > VvRJ54lv/60EXK7x8BlhrP0= > =V6mD > -----END PGP SIGNATURE----- > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From MailScanner at ecs.soton.ac.uk Tue Jun 16 08:42:18 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Jun 16 08:42:43 2009 Subject: Anti-Phishing Update -- New data feed In-Reply-To: <4A36B07C.3010205@fsl.com> References: <4A362A07.60900@ecs.soton.ac.uk> <001001c9edc1$94b1a170$be14e450$@dk> <4A365B86.5030303@ecs.soton.ac.uk> <4A365F03.6000403@alexb.ch> <4A36665E.8000303@ecs.soton.ac.uk> <4A366BFD.9030307@alexb.ch> <4A366EFC.3070607@ecs.soton.ac.uk> <4A367620.6080901@alexb.ch> <4A368165.40207@ecs.soton.ac.uk> <4A36 8611.8040901@alexb.ch> <4A36A8E5.5080406@fsl.com> <4A36AE21.6020109@ecs.soton.ac.uk> <4A36B07C.3010205@fsl.com> <4A374CDA.50709@ecs.soton.ac.uk> Message-ID: On 15/06/2009 21:35, Steve Freegard wrote: > Julian Field wrote: > >> >> On 15/06/2009 21:02, Steve Freegard wrote: >> >>> Alex Broens wrote: >>> >>> >>>>> I need to apply the rules to the entire message body and headers, as >>>>> they frequently put the email address just in the body of the message >>>>> inside some link or other. So how would creating separate header and >>>>> body rules be any better? >>>>> >>>>> >>>> I'm not savvy enough in Perl& SA to give you the scientific reason, but >>>> its been common practive to avoid full rules if possible. >>>> >>>> You'd have to ask one of the core SA devs... maybe Matt Kettler can >>>> jump in and tell me I'm totally off and that my understanding is wrong. >>>> >>>> >>> 'full' rules are simply inefficient as IIRC the regexps have to be run >>> multiple times across each block of text (IIRC: SA splits into paragraph >>> style chunks) to prevent excessive memory use. They also evaluate all >>> other MIME structures e.g. attachments, images etc. as per the docs. >>> >>> > >> I don't think they include binary attachments, I had to add that >> specifically for the MCP stuff with a patch to the SA code. >> > > From 'man Mail::SpamAssassin::Conf': > > full SYMBOLIC_TEST_NAME /pattern/modifiers > Define a full message pattern test. "pattern" is a Perl regular > expression. 
Note: as per the header tests, "#" must be escaped > ("\#") or else it is considered the beginning of a comment. > > The full message is the pristine message headers plus the > pristine > message body, including all MIME data such as images, other > attachments, MIME boundaries, etc. > > The reason it wouldn't work for MCP is that a 'full' rule is not going > to decode base64/QP parts before evaluating the regexp (I think!). > > >>> If you are simply looking to get any e-mail addresses out of the message >>> body; then a 'uri' rule is far more appropriate e.g. >>> >>> uri BLAH /^mailto:email\@domain\.com$/ >>> >>> (SA converts all e-mail URIs into mailto: types even those with no >>> scheme). >>> >>> >> But surely that wouldn't work when email addresses just appear in the >> text in text/plain bodies, would they? >> > Sure does: > > [root@mail ~]# cat test.eml > Return-path: > To: test 
> From: test > Subject: test > Content-type: text/plain > > Test body > > bodytest@example.com this is a test bodytest2@example.com > > [root@mail ~]# /mnt/jungledisk/smf/scripts/uri-extractor.pl test.eml > URI-Domain:example.com > URI:mailto:bodytest2@example.com > URI:mailto:bodytest@example.com > > (uri-extractor.pl uses SA to extract URIs in the same way the eval() > rules do; I use this for testing amongst other things). > Thanks for that lot, I stand corrected! So I want to do header PHISH_1H ALL =~ /huge|regexp|here/i uri PHISH_1B /mailto:(huge|regexp|here)/i And then do the meta rule to join them altogether. Does that sound better to you? Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Follow me at twitter.com/JulesFM MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From jonas at vrt.dk Tue Jun 16 08:47:49 2009 
From: jonas at vrt.dk (Jonas A. Larsen) Date: Tue Jun 16 08:47:59 2009 Subject: Problem with Exim and Mailscanner In-Reply-To: <223f97700906151126u69da7e28sb4da67ee2a59e8cd@mail.gmail.com> References: <32488369.111245018724197.JavaMail.root@node> <25266218.131245020324018.JavaMail.root@node> <002d01c9ed8d$0d062d10$27128730$@dk> <72cf361e0906150102r48adf128xdb0758aa50fa81f1@mail.gmail.com> <004a01c9ed94$e5f5e550$b1e1aff0$@dk> <223f97700906151126u69da7e28sb4da67ee2a59e8cd@mail.gmail.com> Message-ID: <000b01c9ee56$bf16f240$3d44d6c0$@dk> > Unless I'm completely off my rockers, or someone has limited what can > be done for security reasons, you can actually upload the init script > to the wiki so that it is presented as a file download link....;-) > Alright, my init and default files uploaded to wiki with a small text. http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:exim:installation:debian As I say in the text I think people should still try and follow the instructions on the wiki and "do it themselves" but at least they got something working to compare with now. Kudos to maxsec for writing it up originally (sorry bro forgot your real name :) ) Med venlig hilsen / Best regards Jonas Akrouh Larsen TechBiz ApS Laplandsgade 4, 2. sal 2300 København S Office: 7020 0979 Direct: 3336 9974 Mobile: 5120 1096 Fax: 7020 0978 Web: www.techbiz.dk From pascal.maes at elec.ucl.ac.be Tue Jun 16 08:57:56 2009 
From: pascal.maes at elec.ucl.ac.be (Pascal Maes) Date: Tue Jun 16 08:58:30 2009 Subject: Improved Postfix support In-Reply-To: References: <4A366D5D.9010204@ecs.soton.ac.uk> Message-ID: On 15-Jun-09 at 17:48, Julian Field wrote: > I have just released a new beta version of MailScanner, 4.78.1. > This includes some new code for handling Postfix messages with > complex structures that are produced by some milters, so I would be > extremely grateful if you could test it for me. > Keep your previous version around, just in case you need to back-out. > > It has been tested quite extensively, but a real mail feed is always > better than any number of test messages! > > Many thanks. > > Jules > Hello, MailScanner 4.78.1 is running for 1h30 and I don't see any problem in the logfile. I try first with the 0.95.1 version of clamav-milter then I launch the version 0.95.2 which was causing some troubles with MailScanner 4.77.10 ; it seems to work well. Postfix 2.6.2 clamav-milter 0.95.2 dkim-milter-2.8.2 Thanks, -- Pascal From glenn.steen at gmail.com Tue Jun 16 09:40:43 2009 
From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Jun 16 09:40:52 2009 Subject: Improved Postfix support In-Reply-To: References: <4A366D5D.9010204@ecs.soton.ac.uk> Message-ID: <223f97700906160140n405b3547n22940f8579ac0c07@mail.gmail.com> 2009/6/16 Pascal Maes : > > On 15-Jun-09 at 17:48, Julian Field wrote: > >> I have just released a new beta version of MailScanner, 4.78.1. >> This includes some new code for handling Postfix messages with complex >> structures that are produced by some milters, so I would be extremely >> grateful if you could test it for me. >> Keep your previous version around, just in case you need to back-out. >> >> It has been tested quite extensively, but a real mail feed is always >> better than any number of test messages! >> >> Many thanks. >> >> Jules >> > > > > Hello, > > > MailScanner 4.78.1 is running for 1h30 and I don't see any problem in the > logfile. > > I try first with the 0.95.1 version of clamav-milter then I launch the > version 0.95.2 which was causing some troubles with MailScanner 4.77.10 ; it > seems to work well. > > Postfix 2.6.2 > clamav-milter 0.95.2 > dkim-milter-2.8.2 > > Thanks, > -- > Pascal > Thanks for letting us know, Pascal! Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From steve.freegard at fsl.com Tue Jun 16 09:40:45 2009 
From: steve.freegard at fsl.com (Steve Freegard) Date: Tue Jun 16 09:40:57 2009 Subject: Anti-Phishing Update -- New data feed In-Reply-To: References: <4A362A07.60900@ecs.soton.ac.uk> <4A365F03.6000403@alexb.ch> <4A36665E.8000303@ecs.soton.ac.uk> <4A366BFD.9030307@alexb.ch> <4A366EFC.3070607@ecs.soton.ac.uk> <4A367620.6080901@alexb.ch> <4A368165.40207@ecs.soton.ac.uk> <4A36 8611.8040901@alexb.ch> <4A36A8E5.5080406@fsl.com> <4A36AE21.6020109@ecs.soton.ac.uk> <4A36B07C.3010205@fsl.com> <4A374CDA.50709@ecs.soton.ac.uk> Message-ID: <4A375A8D.2030900@fsl.com> Julian Field wrote: > > > On 15/06/2009 21:35, Steve Freegard wrote: >> Julian Field wrote: >> >>> >>> On 15/06/2009 21:02, Steve Freegard wrote: >>> >>>> Alex Broens wrote: >>>> >>>> >>>>>> I need to apply the rules to the entire message body and headers, as >>>>>> they frequently put the email address just in the body of the message >>>>>> inside some link or other. So how would creating separate header and >>>>>> body rules be any better? >>>>>> >>>>>> >>>>> I'm not savvy enough in Perl& SA to give you the scientific >>>>> reason, but >>>>> its been common practive to avoid full rules if possible. >>>>> >>>>> You'd have to ask one of the core SA devs... maybe Matt Kettler can >>>>> jump in and tell me I'm totally off and that my understanding is >>>>> wrong. >>>>> >>>>> >>>> 'full' rules are simply inefficient as IIRC the regexps have to be run >>>> multiple times across each block of text (IIRC: SA splits into >>>> paragraph >>>> style chunks) to prevent excessive memory use. They also evaluate all >>>> other MIME structures e.g. attachments, images etc. as per the docs. >>>> >>>> >> >>> I don't think they include binary attachments, I had to add that >>> specifically for the MCP stuff with a patch to the SA code. >>> >> > From 'man Mail::SpamAssassin::Conf': >> >> full SYMBOLIC_TEST_NAME /pattern/modifiers >> Define a full message pattern test. "pattern" is a Perl >> regular >> expression. 
Note: as per the header tests, "#" must be >> escaped >> ("\#") or else it is considered the beginning of a comment. >> >> The full message is the pristine message headers plus the >> pristine >> message body, including all MIME data such as images, other >> attachments, MIME boundaries, etc. >> >> The reason it wouldn't work for MCP is that a 'full' rule is not going >> to decode base64/QP parts before evaluating the regexp (I think!). >> >> >>>> If you are simply looking to get any e-mail addresses out of the >>>> message >>>> body; then a 'uri' rule is far more appropriate e.g. >>>> >>>> uri BLAH /^mailto:email\@domain\.com$/ >>>> >>>> (SA converts all e-mail URIs into mailto: types even those with no >>>> scheme). >>>> >>>> >>> But surely that wouldn't work when email addresses just appear in the >>> text in text/plain bodies, would they? >>> >> Sure does: >> >> [root@mail ~]# cat test.eml >> Return-path: >> To: test >> From: test >> Subject: test >> Content-type: text/plain >> >> Test body >> >> bodytest@example.com this is a test bodytest2@example.com >> >> [root@mail ~]# /mnt/jungledisk/smf/scripts/uri-extractor.pl test.eml >> URI-Domain:example.com >> URI:mailto:bodytest2@example.com >> URI:mailto:bodytest@example.com >> >> (uri-extractor.pl uses SA to extract URIs in the same way the eval() >> rules do; I use this for testing amongst other things). >> > Thanks for that lot, I stand corrected! > > So I want to do > header PHISH_1H ALL =~ /huge|regexp|here/i > uri PHISH_1B /mailto:(huge|regexp|here)/i > And then do the meta rule to join them altogether. > > Does that sound better to you? > Yup; sounds fine for now. As the data volume grows a plug-in that uses a SDBM database would be far better. Cheers, Steve. From glenn.steen at gmail.com Tue Jun 16 09:42:15 2009 
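The header/uri/meta split agreed in the exchange above, as an added sketch that is neither Julian Field's generator nor the published ruleset. The boundary lookarounds (one way to require that a match is "preceded and followed by things that aren't part of an email address"), the meta rule name PHISH_1, the sample feed and all function names are assumptions; evaluate() only emulates the three rules in Python so the patterns can be checked offline.

```python
import re

# Constructed sample feed (example domains only); duplicates and mixed case on purpose.
FEED = [
    "winner.claims@example.com",
    "Account-Verify+Help@example.net",
    "winner.claims@example.com",
]

# Not preceded by an address character; not followed by a hostname character,
# nor by a dot that continues the domain ("...example.com.au"). A sentence-final
# dot after the address is still allowed.
NOT_BEFORE = r"(?<![A-Za-z0-9._%+-])"
NOT_AFTER = r"(?![A-Za-z0-9-]|\.[A-Za-z0-9])"


def escape_address(addr):
    """Backslash-escape every non-word character, so '@', '.', '+', '/' and '#'
    are literals in both Perl (SpamAssassin) and Python regexps."""
    return re.sub(r"([^A-Za-z0-9_])", r"\\\1", addr.strip().lower())


def alternation(addresses):
    """Sorted, de-duplicated alternation; sorting keeps common prefixes adjacent."""
    unique = sorted({a.strip().lower() for a in addresses if a.strip()})
    if not unique:
        raise ValueError("empty address list")
    return "(?:%s)" % "|".join(escape_address(a) for a in unique)


def patterns(addresses):
    """One pattern for the header rule, one anchored pattern for the uri rule."""
    alt = alternation(addresses)
    return {"header": NOT_BEFORE + alt + NOT_AFTER, "uri": "^mailto:" + alt + "$"}


def build_rules(addresses, name="PHISH_1"):
    """Emit header, uri and meta rule lines in SpamAssassin configuration syntax."""
    p = patterns(addresses)
    return [
        "header %sH ALL =~ /%s/i" % (name, p["header"]),
        "uri %sB /%s/i" % (name, p["uri"]),
        "meta %s (%sH || %sB)" % (name, name, name),
    ]


def evaluate(addresses, headers, uris):
    """Emulate the rules: headers is the raw header text, uris the extracted
    URI list (addresses already normalised to mailto:, as described above).
    Returns (header_hit, uri_hit, meta_hit)."""
    p = patterns(addresses)
    header_hit = re.search(p["header"], headers, re.IGNORECASE) is not None
    uri_re = re.compile(p["uri"], re.IGNORECASE)
    uri_hit = any(uri_re.search(u) for u in uris)
    return header_hit, uri_hit, header_hit or uri_hit


if __name__ == "__main__":
    print("\n".join(build_rules(FEED)))
    print(evaluate(FEED, "Reply-To: <winner.claims@example.com>\n", []))
    print(evaluate(FEED, "Reply-To: grandwinner.claims@example.com\n", []))
```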
From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Jun 16 09:42:29 2009 Subject: Problem with Exim and Mailscanner In-Reply-To: <000b01c9ee56$bf16f240$3d44d6c0$@dk> References: <32488369.111245018724197.JavaMail.root@node> <25266218.131245020324018.JavaMail.root@node> <002d01c9ed8d$0d062d10$27128730$@dk> <72cf361e0906150102r48adf128xdb0758aa50fa81f1@mail.gmail.com> <004a01c9ed94$e5f5e550$b1e1aff0$@dk> <223f97700906151126u69da7e28sb4da67ee2a59e8cd@mail.gmail.com> <000b01c9ee56$bf16f240$3d44d6c0$@dk> Message-ID: <223f97700906160142u235b64a6t589199a7656d3fe7@mail.gmail.com> 2009/6/16 Jonas A. Larsen : >> Unless I'm completely off my rockers, or someone has limited what can >> be done for security reasons, you can actually upload the init script >> to the wiki so that it is presented as a file download link....;-) >> > Alright, my init and default files uploaded to wiki with a small text. > > http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:exim:installation:debian > > As I say in the text I think people should still try and follow the instructions on the wiki and "do it themselves" but at least they got something working to compare with now. > > Kudos to maxsec for writing it up originally (sorry bro forgot your real name :) ) > IIRC, that would be Martin Hepworth;) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From james at gray.net.au Tue Jun 16 09:42:20 2009 
From: james at gray.net.au (James Gray) Date: Tue Jun 16 09:42:37 2009 Subject: Problem with Exim and Mailscanner In-Reply-To: <8D937C04AF534E7A979F3DC3E6F78C6B@HOME> References: <32488369.111245018724197.JavaMail.root@node> <25266218.131245020324018.JavaMail.root@node> <8D937C04AF534E7A979F3DC3E6F78C6B@HOME> Message-ID: <3131EFE2-B0EA-42D0-8018-89156C6DCE68@gray.net.au> On 15/06/2009, at 10:04 PM, sean wrote: > James: > > One more problem. > > I don't have this file or files in etc/default/ > > "You also should modify /etc/default/exim" > > So once again I am stuck. Might be /etc/default/exim4 Debian's long-term support dictates they need to actively maintain both Exim 3 and Exim 4. So all newer Debian-based distro's have the "4" appended to the Exim 4 files/scripts etc to distinguish them from their Exim 3 counter parts. I might have overlooked that distinction when I wrote the original Exim+MailScanner+Debian instructions all those years ago :P >ls -l /etc/default/exim* -rw-r--r-- 1 root root 876 2008-04-16 21:51 /etc/default/exim4 HTH, James From james at gray.net.au Tue Jun 16 09:53:51 2009 
From: james at gray.net.au (James Gray) Date: Tue Jun 16 09:54:08 2009 Subject: Problem with Exim and Mailscanner In-Reply-To: <002d01c9ed8d$0d062d10$27128730$@dk> References: <32488369.111245018724197.JavaMail.root@node> <25266218.131245020324018.JavaMail.root@node> <002d01c9ed8d$0d062d10$27128730$@dk> Message-ID: <249BAD3E-F58B-48B8-A0CF-CC8F89AAF8EF@gray.net.au> On 15/06/2009, at 5:44 PM, Jonas A. Larsen wrote: > > I have made a simple mod of the Debian init script so it works with > 1 initscript which starts both exim processes. Nice work Jonas :) The reason I avoided a single-script approach was so that the original init script was left completely untouched with the "hacked" scripted becoming "/etc/init.d/exim4.out". The rationale was that during an exim upgrade/update from Debian, the original script would be "upgradeable" and left functional afterwards. Then if there is any porting work to the second script, you can do that at your leisure. However, once you heavily modify the original script, you have to manage your own updates to init script and upgrades may leave the modified script non-functional. I was running Debian in a production environment and couldn't justify the risk to the "powers that be" and so stayed with the 2-script approach. 3 years down the track, and having migrated to Ubuntu LTS, my pair of scripts are still going even after many upgrades and updates. Not saying either approach is right or wrong...just highlighting the differences between them :) FWIW, I've grabbed a copy of your script for reference any way! Cheers, James From maillists at conactive.com Tue Jun 16 10:31:33 2009 
From: maillists at conactive.com (Kai Schaetzl) Date: Tue Jun 16 10:31:45 2009 Subject: Improved Postfix support In-Reply-To: References: <4A366D5D.9010204@ecs.soton.ac.uk> Message-ID: Installed, works fine so far. I haven't had any problem with Postfix in the past, though. I had been running MailScanner on sendmail for at least five years and switched about a year ago to postfix. I had no problems with both setups. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From MailScanner at ecs.soton.ac.uk Tue Jun 16 10:32:45 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Jun 16 10:33:06 2009
Subject: Anti-Phishing Update -- New data feed
In-Reply-To:
References: <4A362A07.60900@ecs.soton.ac.uk> <4A365F03.6000403@alexb.ch> <4A36665E.8000303@ecs.soton.ac.uk> <4A366BFD.9030307@alexb.ch> <4A366EFC.3070607@ecs.soton.ac.uk> <4A367620.6080901@alexb.ch> <4A368165.40207@ecs.soton.ac.uk> <4A36 8611.8040901@alexb.ch> <4A36A8E5.5080406@fsl.com> <4A36AE21.6020109@ecs.soton.ac.uk> <4A36B07C.3010205@fsl.com> <4A374CDA.50709@ecs.soton.ac.uk> <4A3766BD.9010801@ecs.soton.ac.uk>
Message-ID:

On 16/06/2009 08:42, Julian Field wrote:
>
>
> On 15/06/2009 21:35, Steve Freegard wrote:
>> Julian Field wrote:
>>>
>>> On 15/06/2009 21:02, Steve Freegard wrote:
>>>> Alex Broens wrote:
>>>>
>>>>>> I need to apply the rules to the entire message body and headers, as
>>>>>> they frequently put the email address just in the body of the message
>>>>>> inside some link or other. So how would creating separate header and
>>>>>> body rules be any better?
>>>>>>
>>>>> I'm not savvy enough in Perl & SA to give you the scientific reason, but
>>>>> it's been common practice to avoid full rules if possible.
>>>>>
>>>>> You'd have to ask one of the core SA devs... maybe Matt Kettler can
>>>>> jump in and tell me I'm totally off and that my understanding is wrong.
>>>>>
>>>> 'full' rules are simply inefficient as IIRC the regexps have to be run
>>>> multiple times across each block of text (IIRC: SA splits into paragraph
>>>> style chunks) to prevent excessive memory use. They also evaluate all
>>>> other MIME structures e.g. attachments, images etc. as per the docs.
>>>>
>>> I don't think they include binary attachments, I had to add that
>>> specifically for the MCP stuff with a patch to the SA code.
>> From 'man Mail::SpamAssassin::Conf':
>>
>> full SYMBOLIC_TEST_NAME /pattern/modifiers
>>     Define a full message pattern test. "pattern" is a Perl regular
>>     expression. Note: as per the header tests, "#" must be escaped
>>     ("\#") or else it is considered the beginning of a comment.
>>
>>     The full message is the pristine message headers plus the pristine
>>     message body, including all MIME data such as images, other
>>     attachments, MIME boundaries, etc.
>>
>> The reason it wouldn't work for MCP is that a 'full' rule is not going
>> to decode base64/QP parts before evaluating the regexp (I think!).
>>
>>>> If you are simply looking to get any e-mail addresses out of the message
>>>> body; then a 'uri' rule is far more appropriate e.g.
>>>>
>>>> uri BLAH /^mailto:email\@domain\.com$/
>>>>
>>>> (SA converts all e-mail URIs into mailto: types even those with no
>>>> scheme).
>>>>
>>> But surely that wouldn't work when email addresses just appear in the
>>> text in text/plain bodies, would they?
>> Sure does:
>>
>> [root@mail ~]# cat test.eml
>> Return-path:
>> To: test
>> From: test
>> Subject: test
>> Content-type: text/plain
>>
>> Test body
>>
>> bodytest@example.com this is a test bodytest2@example.com
>>
>> [root@mail ~]# /mnt/jungledisk/smf/scripts/uri-extractor.pl test.eml
>> URI-Domain:example.com
>> URI:mailto:bodytest2@example.com
>> URI:mailto:bodytest@example.com
>>
>> (uri-extractor.pl uses SA to extract URIs in the same way the eval()
>> rules do; I use this for testing amongst other things).
> Thanks for that lot, I stand corrected!
>
> So I want to do
> header PHISH_1H ALL =~ /huge|regexp|here/i
> uri PHISH_1B /mailto:(huge|regexp|here)/i
> And then do the meta rule to join them altogether.
>
> Does that sound better to you?

I have published an improved much faster version 2.01 which is available from
http://www.jules.fm/Logbook/files/anti-phishing-v2.html

You might well want to upgrade...

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From jonas at vrt.dk Tue Jun 16 10:55:39 2009
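[Added example, not part of any list message and not MailScanner's own code: a Python sketch of the header/uri/meta rule layout proposed in the "Anti-Phishing Update" message above, built from an address list with `@`, `.`, `#` and `/` escaped, plus an offline self-check. The sample addresses, the `per_rule` chunking, the `PHISH` prefix and the simplified address extractor are assumptions.]

```python
"""Generate SpamAssassin header/uri/meta rules from a list of addresses."""
import re

# Constructed sample addresses (not taken from any real feed).
ADDRESSES = [
    "bodytest@example.com",
    "Helpdesk+Verify@example.net",
    "web#master@example.org",
    "bodytest@example.com",          # duplicate, dropped below
]


def sa_quote(text):
    """Backslash-escape every non-word character (like Perl's quotemeta).

    Covers regex metacharacters ('.', '+'), the '/' delimiter, '@', and
    '#', which would otherwise start a comment in a rule file.
    """
    return re.sub(r"([^A-Za-z0-9_])", r"\\\1", text)


def build_rules(addresses, per_rule=2, prefix="PHISH"):
    """Return (config_lines, header_patterns, uri_patterns).

    per_rule and prefix are assumptions of this sketch; chunking keeps each
    alternation short instead of emitting one huge regexp.
    """
    uniq = sorted({a.strip().lower() for a in addresses if a.strip()})
    lines, header_pats, uri_pats, names = [], [], [], []
    for n, start in enumerate(range(0, len(uniq), per_rule), start=1):
        alt = "|".join(sa_quote(a) for a in uniq[start:start + per_rule])
        hpat = "(?:%s)" % alt             # may appear anywhere in the headers
        upat = "^mailto:(?:%s)$" % alt    # must be the whole extracted URI
        hname, bname = "%s_%dH" % (prefix, n), "%s_%dB" % (prefix, n)
        lines.append("header %s ALL =~ /%s/i" % (hname, hpat))
        lines.append("uri %s /%s/i" % (bname, upat))
        header_pats.append(hpat)
        uri_pats.append(upat)
        names += [hname, bname]
    lines.append("meta %s_ADDR (%s)" % (prefix, " || ".join(names)))
    return lines, header_pats, uri_pats


# Rough stand-in for SpamAssassin's URI extraction, used only to self-check
# the patterns offline; SpamAssassin's own parser is more thorough.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+#-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def evaluate(raw_message, header_pats, uri_pats):
    """Return (header_hit, uri_hit) for a raw message with LF line ends."""
    head, _, body = raw_message.partition("\n\n")
    uris = ["mailto:" + addr for addr in ADDR_RE.findall(body)]
    header_hit = any(re.search(p, head, re.I) for p in header_pats)
    uri_hit = any(re.search(p, u, re.I) for p in uri_pats for u in uris)
    return header_hit, uri_hit


# Constructed test messages, modelled on the test.eml shown in the thread.
BODY_ONLY = (
    "To: test@example.invalid\nFrom: test@example.invalid\n"
    "Subject: test\nContent-type: text/plain\n\n"
    "Test body\n\nReply to BodyTest@example.com with your details.\n"
)
IN_HEADER = (
    "To: test@example.invalid\nReply-To: web#master@example.org\n"
    "Subject: account notice\n\nSee above.\n"
)

if __name__ == "__main__":
    rules, hp, up = build_rules(ADDRESSES)
    print("\n".join(rules))
    print("body-only sample:", evaluate(BODY_ONLY, hp, up))
    print("header sample:   ", evaluate(IN_HEADER, hp, up))
```

Without the escaping, an unquoted `.` in an address would also match any other character in that position, and an unquoted `#` would cut the rule short when the file is parsed.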
From: jonas at vrt.dk (Jonas A. Larsen) Date: Tue Jun 16 10:55:49 2009 Subject: Problem with Exim and Mailscanner In-Reply-To: <249BAD3E-F58B-48B8-A0CF-CC8F89AAF8EF@gray.net.au> References: <32488369.111245018724197.JavaMail.root@node> <25266218.131245020324018.JavaMail.root@node> <002d01c9ed8d$0d062d10$27128730$@dk> <249BAD3E-F58B-48B8-A0CF-CC8F89AAF8EF@gray.net.au> Message-ID: <003301c9ee68$9a799ac0$cf6cd040$@dk> You are of course completely right James, and I actually DID have one occasion where an exim update overwrote my custom init script hehe. But since I think updates to init scripts should be relatively rare, I just stay with the one script setup, after all it's not THAT big a deal to start exim if you know how your exim/mailscanner setup works in detail. But just to be clear, I think you're completely right in saying that a 2 script solution is probably better in all ways :) /Jonas
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of James Gray Sent: 16. juni 2009 10:54 To: MailScanner discussion Subject: Re: Problem with Exim and Mailscanner On 15/06/2009, at 5:44 PM, Jonas A. Larsen wrote: I have made a simple mod of the Debian init script so it works with 1 initscript which starts both exim processes. Nice work Jonas :) The reason I avoided a single-script approach was so that the original init script was left completely untouched with the "hacked" scripted becoming "/etc/init.d/exim4.out". The rationale was that during an exim upgrade/update from Debian, the original script would be "upgradeable" and left functional afterwards. Then if there is any porting work to the second script, you can do that at your leisure. However, once you heavily modify the original script, you have to manage your own updates to init script and upgrades may leave the modified script non-functional. I was running Debian in a production environment and couldn't justify the risk to the "powers that be" and so stayed with the 2-script approach. 3 years down the track, and having migrated to Ubuntu LTS, my pair of scripts are still going even after many upgrades and updates. Not saying either approach is right or wrong...just highlighting the differences between them :) FWIW, I've grabbed a copy of your script for reference any way! Cheers, James -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090616/e738b7e8/attachment.html From mailscanner at barendse.to Tue Jun 16 11:15:33 2009 
From: mailscanner at barendse.to (Remco Barendse) Date: Tue Jun 16 11:15:47 2009 Subject: Problem Messages In-Reply-To: References: <4A256689.2080008@ecs.soton.ac.uk> <4A33BA01.3070501@ecs.soton.ac.uk> <4A36154F.1020300@ecs.soton.ac.uk> <4A362BD5.7090308@ecs.soton.ac.uk> Message-ID: On Mon, 15 Jun 2009, Julian Field wrote: > > > On 15/06/2009 11:17, Remco Barendse wrote: >> On Mon, 15 Jun 2009, Julian Field wrote: >> >> > That's quite normal, it processed the message successfully (apart from >> > you needing to update your copy of ClamAV). So whatever was causing your >> > message to kill MailScanner has gone away and isn't doing it now. >> >> Strange, another problem message appeared over the weekend, i ran it >> through MailScanner in the same way and also this message processed well. >> >> I'm a bit puzzled why these "Problem Messages" messages keep appearing >> but at the same time the message gets quarantined and moved to the >> quarantine properly. Is there maybe some bug in the thingy that controls >> Processing.db ? I get a new mail message reporting the same problem every >> hour or so, until i nuke Processing.db >> >> Is there any way to increase the log level of "Problem Messages" to get >> some more info from that? (If these messages come up very rarely anyways, >> why not be more verbose) > What more info would you like? As all I know is that the message caused > MailScanner to crash somehow, there's almost no information to give you, > sorry. OK, i hoped it was possible to include some information on specifically what caused the crash. Strange, i have never seen this behaviour on any server running MailScanner, just the server that was newly installed. Maybe i did something wrong or some of the perl packages did not compile properly. > I should add some code to remove the problem message from the Processing.db > when it gets quarantined though. Would be neat :) Thanks! Remco > > Jules > > From nwp at nz.lemon-computing.com Tue Jun 16 11:24:29 2009
From: nwp at nz.lemon-computing.com (Nick Phillips) Date: Tue Jun 16 11:24:44 2009 Subject: Problem with Exim and Mailscanner In-Reply-To: <003301c9ee68$9a799ac0$cf6cd040$@dk> References: <32488369.111245018724197.JavaMail.root@node> <25266218.131245020324018.JavaMail.root@node> <002d01c9ed8d$0d062d10$27128730$@dk> <249BAD3E-F58B-48B8-A0CF-CC8F89AAF8EF@gray.net.au> <003301c9ee68$9a799ac0$cf6cd040$@dk> Message-ID: <4A3772DD.9030601@nz.lemon-computing.com> Jonas A. Larsen wrote: > I have made a simple mod of the Debian init script so it works with > 1 initscript which starts both exim processes. > > > > Nice work Jonas :) The reason I avoided a single-script approach was so > that the original init script was left completely untouched with the > "hacked" scripted becoming "/etc/init.d/exim4.out". The rationale was > that during an exim upgrade/update from Debian, the original script > would be "upgradeable" and left functional afterwards. Then if there is > any porting work to the second script, you can do that at your leisure. > However, once you heavily modify the original script, you have to > manage your own updates to init script and upgrades may leave the > modified script non-functional. > > > > I was running Debian in a production environment and couldn't justify > the risk to the "powers that be" and so stayed with the 2-script > approach. 3 years down the track, and having migrated to Ubuntu LTS, my > pair of scripts are still going even after many upgrades and updates. > > > > Not saying either approach is right or wrong...just highlighting the > differences between them :) FWIW, I've grabbed a copy of your script > for reference any way! Ummm, I find myself wondering why you're modifying the init script at all. 
I don't recall exactly, but I'm pretty sure last time I set up mailscanner + exim on debian I was able to make it work just by appropriate modifications to the settings in /etc/default/exim4 -- and dropping a couple of files into /etc/exim4/conf.d That's how it's supposed to work, anyway. Cheers, Nick From jethro.binks at strath.ac.uk Tue Jun 16 11:45:15 2009 From: jethro.binks at strath.ac.uk (Jethro R Binks) Date: Tue Jun 16 11:45:26 2009 Subject: Anti-Phishing Update -- New data feed In-Reply-To: References: <4A362A07.60900@ecs.soton.ac.uk> <001001c9edc1$94b1a170$be14e450$@dk> <4A365B86.5030303@ecs.soton.ac.uk> <4A365F03.6000403@alexb.ch> <4A36665E.8000303@ecs.soton.ac.uk> <4A366BFD.9030307@alexb.ch> <4A366EFC.3070607@ecs.soton.ac.uk> Message-ID: On Mon, 15 Jun 2009, Julian Field wrote: > > > Thanks for that info. My list of phishing email addresses has a very > > > good future and will be supported for the forseeable future, as it > > > produced by a very large commercial entity, whose internet-based > > > services you have almost certainly used at some point. > > > > and what entity is this? > Sorry, that is covered by a very big NDA. Why all this secrecy? Jethro. . . . . . . . . . . . . . . . . . . . . . . . . . Jethro R Binks Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK From MailScanner at ecs.soton.ac.uk Tue Jun 16 11:55:25 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Jun 16 11:55:44 2009 Subject: Problem Messages In-Reply-To: References: <4A256689.2080008@ecs.soton.ac.uk> <4A33BA01.3070501@ecs.soton.ac.uk> <4A36154F.1020300@ecs.soton.ac.uk> <4A362BD5.7090308@ecs.soton.ac.uk> <4A377A1D.6020601@ecs.soton.ac.uk> Message-ID: On 16/06/2009 11:15, Remco Barendse wrote: > On Mon, 15 Jun 2009, Julian Field wrote: > >> >> >> On 15/06/2009 11:17, Remco Barendse wrote: >>> On Mon, 15 Jun 2009, Julian Field wrote: >>> >>> > That's quite normal, it processed the message successfully (apart >>> from > you needing to update your copy of ClamAV). So whatever was >>> causing your > message to kill MailScanner has gone away and isn't >>> doing it now. >>> >>> Strange, another problem message appeared over the weekend, i ran it >>> through MailScanner in the same way and also this message processed >>> well. >>> >>> I'm a bit puzzled why these "Problem Messages" messages keep >>> appearing >>> but at the same time the message gets quarantined and moved to the >>> quarantine properly. Is there maybe some bug in the thingy that >>> controls >>> Processing.db ? I get a new mail message reporting the same problem >>> every >>> hour or so, until i nuke Processing.db >>> >>> Is there any way to increase the log level of "Problem Messages" to >>> get >>> some more info from that? (If these messages come up very rarely >>> anyways, >>> why not be more verbose) >> What more info would you like? As all I know is that the message >> caused MailScanner to crash somehow, there's almost no information to >> give you, sorry. > > OK, i hoped it was possible to include some information on > specifically what caused the crash. > > Strange, i have never seen this behaviour on any server running > MailScanner, just the server that was newly installed. Maybe i did > something wrong or some of the perl packages did not compile properly.
> >> I should add some code to remove the problem message from the >> Processing.db when it gets quarantined though. > > Would be neat :) I've just tested it, and it's actually working just how I originally intended. When a message gets quarantined for being tried too many times, it moves it into the "archive" table, which is what "MailScanner --processing" reports (in addition to the main table of current messages). Would you rather I scrapped the "archive" table altogether? It's just that it is a good way to show you how many messages are being quarantined for crashing MailScanner, rather than you having to look in the logs. What would you all like me to do with this problem? Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Tue Jun 16 11:57:00 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Jun 16 11:57:25 2009 Subject: Anti-Phishing Update -- New data feed In-Reply-To: References: <4A362A07.60900@ecs.soton.ac.uk> <001001c9edc1$94b1a170$be14e450$@dk> <4A365B86.5030303@ecs.soton.ac.uk> <4A365F03.6000403@alexb.ch> <4A36665E.8000303@ecs.soton.ac.uk> <4A366BFD.9030307@alexb.ch> <4A366EFC.3070607@ecs.soton.ac.uk> <4A377A7C.3010604@ecs.soton.ac.uk> Message-ID: On 16/06/2009 11:45, Jethro R Binks wrote: > On Mon, 15 Jun 2009, Julian Field wrote: > > >>>> Thanks for that info. My list of phishing email addresses has a very >>>> good future and will be supported for the forseeable future, as it >>>> produced by a very large commercial entity, whose internet-based >>>> services you have almost certainly used at some point. >>>> >>> and what entity is this? >>> >> Sorry, that is covered by a very big NDA. >> > Why all this secrecy? > The supplier makes the rules, not me. I don't think they want anyone to know where the data comes from, so that the spammers don't launch an attack against them for producing it. That's the best reason I can come up with, anyway. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From glenn.steen at gmail.com Tue Jun 16 12:02:42 2009 
From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Jun 16 12:02:51 2009 Subject: Problem Messages In-Reply-To: References: <4A33BA01.3070501@ecs.soton.ac.uk> <4A36154F.1020300@ecs.soton.ac.uk> <4A362BD5.7090308@ecs.soton.ac.uk> Message-ID: <223f97700906160402w282b5c30mfe1f9541b8f0340c@mail.gmail.com> 2009/6/16 Remco Barendse : > On Mon, 15 Jun 2009, Julian Field wrote: > >> >> >> On 15/06/2009 11:17, Remco Barendse wrote: >>> >>> On Mon, 15 Jun 2009, Julian Field wrote: >>> >>> > That's quite normal, it processed the message successfully (apart from >>> > > you needing to update your copy of ClamAV). So whatever was causing your >>> > > message to kill MailScanner has gone away and isn't doing it now. >>> >>> Strange, another problem message appeared over the weekend, i ran it >>> through MailScanner in the same way and also this message processed >>> well. >>> >>> I'm a bit puzzled why these "Problem Messages" messages keep appearing >>> but at the same time the message gets quarantined and moved to the >>> quarantine properly. Is there maybe some bug in the thingy that controls >>> Processing.db ? I get a new mail message reporting the same problem >>> every >>> hour or so, until i nuke Processing.db >>> >>> Is there any way to increase the log level of "Problem Messages" to get >>> some more info from that? (If these messages come up very rarely >>> anyways, >>> why not be more verbose) >> >> What more info would you like? As all I know is that the message caused >> MailScanner to crash somehow, there's almost no information to give you, >> sorry. > > OK, i hoped it was possible to include some information on specifically what > caused the crash. > > Strange, i have never seen this behaviour on any server running MailScanner, > just the server that was newly installed. Maybe i did something wrong or > some of the perl packages did not compile properly.
> >> I should add some code to remove the problem message from the >> Processing.db when it gets quarantined though. > > Would be neat :) > > Thanks! > Remco > Don't rule out HW... If it is set up exactly the same way and has problems, everything else being equal, RAM (or even a bad CPU) might be "it". Which would explain the somewhat erratic occurrences. Anyway, the processing DB, IMO, is there to help your system survive the problem gracefully, while still alerting you that there is some type of problem you need to look further into... The rest is up to you ... Yeah, I know... We're all getting a bit too used to Jules solving all the problems of the world (of MailScanner:), so that we tend to get a bit ... lazy:-):-) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From zate75 at gmail.com Tue Jun 16 13:42:28 2009 From: zate75 at gmail.com (Zate Berg) Date: Tue Jun 16 13:42:37 2009 Subject: Problem with Mailscanner marking everything as a virus after ClamAV fails update. Message-ID: <319223270906160542o35a2f249n76bb1f1668515d82@mail.gmail.com> This has happened multiple times. ClamAV freshclam fails for whatever reason (usually the mirror(s) are down, i use the US mirrors), when this happens, ClamD "hangs" and MailScanner or ClamD identifies the messages sent to ClamD as a DoS and marks them all as a Virus in MailScanner. So, how do I tell MailScanner to NOT quarantine these "DoS" messages, or in fact to just skip scanning and alert me... i really need this to fail open rather than fail closed and mark everything as a virus. Any ideas? Zate -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090616/4330de93/attachment.html From sean at songvest.com Tue Jun 16 13:50:29 2009
From: sean at songvest.com (sean) Date: Tue Jun 16 13:50:46 2009 Subject: Problem with Exim and Mailscanner In-Reply-To: <4A3772DD.9030601@nz.lemon-computing.com> References: <32488369.111245018724197.JavaMail.root@node> <25266218.131245020324018.JavaMail.root@node> <002d01c9ed8d$0d062d10$27128730$@dk> <249BAD3E-F58B-48B8-A0CF-CC8F89AAF8EF@gray.net.au><003301c9ee68$9a799ac0$cf6cd040$@dk> <4A3772DD.9030601@nz.lemon-computing.com> Message-ID: <9494ED083FEC4701A3D59C75486E16D5@HOME> Sounds great. Can we have an example of that? Sean Peace President and Founder New Cell: 919-324-2945 Office: 919-848-0445 www.songvest.com -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Nick Phillips Sent: Tuesday, June 16, 2009 6:24 AM To: MailScanner discussion Subject: Re: Problem with Exim and Mailscanner Jonas A. Larsen wrote: > I have made a simple mod of the Debian init script so it works with > 1 initscript which starts both exim processes. > > > > Nice work Jonas :) The reason I avoided a single-script approach was > so that the original init script was left completely untouched with > the "hacked" scripted becoming "/etc/init.d/exim4.out". The rationale > was that during an exim upgrade/update from Debian, the original > script would be "upgradeable" and left functional afterwards. Then if > there is any porting work to the second script, you can do that at your leisure. > However, once you heavily modify the original script, you have to > manage your own updates to init script and upgrades may leave the > modified script non-functional. > > > > I was running Debian in a production environment and couldn't justify > the risk to the "powers that be" and so stayed with the 2-script > approach. 3 years down the track, and having migrated to Ubuntu LTS, > my pair of scripts are still going even after many upgrades and updates. > > > > Not saying either approach is right or wrong...just highlighting the > differences between them :) FWIW, I've grabbed a copy of your script > for reference any way! Ummm, I find myself wondering why you're modifying the init script at all. I don't recall exactly, but I'm pretty sure last time I set up mailscanner + exim on debian I was able to make it work just by appropriate modifications to the settings in /etc/default/exim4 -- and dropping a couple of files into /etc/exim4/conf.d That's how it's supposed to work, anyway. 
Cheers, Nick From MailScanner at ecs.soton.ac.uk Tue Jun 16 13:57:06 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Jun 16 13:57:33 2009 Subject: Problem with Mailscanner marking everything as a virus after ClamAV fails update. In-Reply-To: <319223270906160542o35a2f249n76bb1f1668515d82@mail.gmail.com> References: <319223270906160542o35a2f249n76bb1f1668515d82@mail.gmail.com> <4A3796A2.3010305@ecs.soton.ac.uk> Message-ID: On 16/06/2009 13:42, Zate Berg wrote: > This has happened multiple times. > > ClamAV freshclam fails for what ever reason (usually the mirror(s) are > down, i use the US mirrors), when this happens, ClamD "hangs" and > MailScanner or ClamD identifies the messages sent to ClamD as a Dos > and marks them all as a Virus in MailScanner. MailScanner should lock out the ClamAV virus scanner while it is being updated if you are using my update_virus_scanners program every hour to do the update. If you are calling freshclam yourself somehow, then I can't help you. > so, how do I tell MailScanner to NOT quarantine these "DoS" messages, > or in fact to just skip scanning and alert me... i really need this to > fail open rather than fail closed and mark everything as a virus. How are you doing the updates? Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From maxsec at gmail.com Tue Jun 16 14:05:03 2009 
From: maxsec at gmail.com (Martin Hepworth) Date: Tue Jun 16 14:05:11 2009 Subject: Problem with Mailscanner marking everything as a virus after ClamAV fails update. In-Reply-To: References: <4A3796A2.3010305@ecs.soton.ac.uk> <319223270906160542o35a2f249n76bb1f1668515d82@mail.gmail.com> Message-ID: <72cf361e0906160605y6e435f66k7dc2b812e0ad94f8@mail.gmail.com> Also make sure you have the latest version of clamav - old versions won't update the virus defs after a while. 2009/6/16 Julian Field > > > On 16/06/2009 13:42, Zate Berg wrote: > >> This has happened multiple times. >> >> ClamAV freshclam fails for what ever reason (usually the mirror(s) are >> down, i use the US mirrors), when this happens, ClamD "hangs" and >> MailScanner or ClamD identifies the messages sent to ClamD as a Dos and >> marks them all as a Virus in MailScanner. >> > MailScanner should lock out the ClamAV virus scanner while it is being > updated if you are using my update_virus_scanners program every hour to do > the update. If you are calling freshclam yourself somehow, then I can't help > you. > >> so, how do I tell MailScanner to NOT quarantine these "DoS" messages, or >> in fact to just skip scanning and alert me... i really need this to fail >> open rather than fail closed and mark everything as a virus. >> > How are you doing the updates? > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > Follow me at twitter.com/JulesFM and twitter.com/MailScanner > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. 
-- Martin Hepworth Oxford, UK From zate75 at gmail.com Tue Jun 16 14:17:28 2009
From: zate75 at gmail.com (Zate Berg) Date: Tue Jun 16 14:17:38 2009 Subject: Problem with Mailscanner marking everything as a virus after ClamAV fails update. In-Reply-To: References: <4A3796A2.3010305@ecs.soton.ac.uk> <319223270906160542o35a2f249n76bb1f1668515d82@mail.gmail.com> Message-ID: <319223270906160617r238cf33bvf22fd6b72403034d@mail.gmail.com> Aha! I am using freshclam, link to docs on update_virus_scanners? When freshclam fails, things go bad, so I guess that is my issue. Zate On Tue, Jun 16, 2009 at 8:57 AM, Julian Field wrote: > > > On 16/06/2009 13:42, Zate Berg wrote: > >> This has happened multiple times. >> >> ClamAV freshclam fails for what ever reason (usually the mirror(s) are >> down, i use the US mirrors), when this happens, ClamD "hangs" and >> MailScanner or ClamD identifies the messages sent to ClamD as a Dos and >> marks them all as a Virus in MailScanner. >> > MailScanner should lock out the ClamAV virus scanner while it is being > updated if you are using my update_virus_scanners program every hour to do > the update. If you are calling freshclam yourself somehow, then I can't help > you. > >> so, how do I tell MailScanner to NOT quarantine these "DoS" messages, or >> in fact to just skip scanning and alert me... i really need this to fail >> open rather than fail closed and mark everything as a virus. >> > How are you doing the updates? > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > Follow me at twitter.com/JulesFM and twitter.com/MailScanner > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. 
From maxsec at gmail.com Tue Jun 16 14:26:12 2009
From: maxsec at gmail.com (Martin Hepworth) Date: Tue Jun 16 14:26:20 2009 Subject: Problem with Mailscanner marking everything as a virus after ClamAV fails update. In-Reply-To: <319223270906160617r238cf33bvf22fd6b72403034d@mail.gmail.com> References: <4A3796A2.3010305@ecs.soton.ac.uk> <319223270906160542o35a2f249n76bb1f1668515d82@mail.gmail.com> <319223270906160617r238cf33bvf22fd6b72403034d@mail.gmail.com> Message-ID: <72cf361e0906160626s2572cdfcs7d108b78b8ab571a@mail.gmail.com> Shouldn't be using freshclam as Julian says. update_virus_scanners is in the same directory as the MailScanner binary. -- Martin Hepworth Oxford, UK 2009/6/16 Zate Berg > Aha! I am using freshclam, link to docs on update_virus_scanners? > > When freshclam fails, things go bad, so I guess that is my issue. > > Zate > > > > On Tue, Jun 16, 2009 at 8:57 AM, Julian Field > wrote: > >> >> >> On 16/06/2009 13:42, Zate Berg wrote: >> >>> This has happened multiple times. >>> >>> ClamAV freshclam fails for what ever reason (usually the mirror(s) are >>> down, i use the US mirrors), when this happens, ClamD "hangs" and >>> MailScanner or ClamD identifies the messages sent to ClamD as a Dos and >>> marks them all as a Virus in MailScanner. >>> >> MailScanner should lock out the ClamAV virus scanner while it is being >> updated if you are using my update_virus_scanners program every hour to do >> the update. If you are calling freshclam yourself somehow, then I can't help >> you. >> >>> so, how do I tell MailScanner to NOT quarantine these "DoS" messages, or >>> in fact to just skip scanning and alert me... i really need this to fail >>> open rather than fail closed and mark everything as a virus. >>> >> How are you doing the updates? >> >> Jules >> >> -- >> Julian Field MEng CITP CEng >> www.MailScanner.info >> Buy the MailScanner book at www.MailScanner.info/store >> >> Need help customising MailScanner? >> Contact me! >> Need help fixing or optimising your systems? >> Contact me! 
>> Need help getting you started solving new requirements from your boss? >> Contact me! >> >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> Follow me at twitter.com/JulesFM and twitter.com/MailScanner >> >> >> -- >> This message has been scanned for viruses and >> dangerous content by MailScanner, and is >> believed to be clean. From MailScanner at ecs.soton.ac.uk Tue Jun 16 14:25:48 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Jun 16 14:26:23 2009
Subject: Problem with Mailscanner marking everything as a virus after ClamAV fails update.
In-Reply-To: <319223270906160617r238cf33bvf22fd6b72403034d@mail.gmail.com>
References: <4A3796A2.3010305@ecs.soton.ac.uk> <319223270906160542o35a2f249n76bb1f1668515d82@mail.gmail.com> <319223270906160617r238cf33bvf22fd6b72403034d@mail.gmail.com> <4A379D5C.6050509@ecs.soton.ac.uk>
Message-ID:

On 16/06/2009 14:17, Zate Berg wrote:
> Aha! I am using freshclam, link to docs on update_virus_scanners?

It's part of MailScanner and will be installed automatically if you are using the RPM distributions of MailScanner. Check your /etc/cron.hourly directory to see if it's already there. If so, there's no point you running freshclam yourself, I handle all that stuff for you.

> When freshclam fails, things go bad, so I guess that is my issue.
>
> Zate
>
> On Tue, Jun 16, 2009 at 8:57 AM, Julian Field wrote:
>
>> On 16/06/2009 13:42, Zate Berg wrote:
>>
>>> This has happened multiple times.
>>>
>>> ClamAV freshclam fails for whatever reason (usually the mirror(s) are down, I use the US mirrors), when this happens, ClamD "hangs" and MailScanner or ClamD identifies the messages sent to ClamD as a DoS and marks them all as a Virus in MailScanner.
>>
>> MailScanner should lock out the ClamAV virus scanner while it is being updated if you are using my update_virus_scanners program every hour to do the update. If you are calling freshclam yourself somehow, then I can't help you.
>>
>>> so, how do I tell MailScanner to NOT quarantine these "DoS" messages, or in fact to just skip scanning and alert me... I really need this to fail open rather than fail closed and mark everything as a virus.
>>
>> How are you doing the updates?
>>
>> Jules

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info

From zate75 at gmail.com Tue Jun 16 14:26:18 2009
From: zate75 at gmail.com (Zate Berg)
Date: Tue Jun 16 14:26:26 2009
Subject: Problem with Mailscanner marking everything as a virus after ClamAV fails update.
In-Reply-To:
References: <4A3796A2.3010305@ecs.soton.ac.uk> <319223270906160542o35a2f249n76bb1f1668515d82@mail.gmail.com>
Message-ID: <319223270906160626u6dfbdadam378abc4efd8f4ea9@mail.gmail.com>

Ok thanks all for the nudge, I had both freshclam daily, and update_virus_scanners (hourly) running.

Zate

On Tue, Jun 16, 2009 at 8:57 AM, Julian Field wrote:

> On 16/06/2009 13:42, Zate Berg wrote:
>
>> This has happened multiple times.
>>
>> ClamAV freshclam fails for whatever reason (usually the mirror(s) are down, I use the US mirrors), when this happens, ClamD "hangs" and MailScanner or ClamD identifies the messages sent to ClamD as a DoS and marks them all as a Virus in MailScanner.
>
> MailScanner should lock out the ClamAV virus scanner while it is being updated if you are using my update_virus_scanners program every hour to do the update. If you are calling freshclam yourself somehow, then I can't help you.
>
>> so, how do I tell MailScanner to NOT quarantine these "DoS" messages, or in fact to just skip scanning and alert me... I really need this to fail open rather than fail closed and mark everything as a virus.
>
> How are you doing the updates?
>
> Jules

From jeff_freeman1969 at yahoo.com Tue Jun 16 20:06:12 2009
From: jeff_freeman1969 at yahoo.com (Jeff Freeman)
Date: Tue Jun 16 20:06:21 2009
Subject: New Install Help
Message-ID: <103656.57539.qm@web56505.mail.re3.yahoo.com>

I have just installed a new server. I am using MailScanner-4.77.10-1 & Postfix 2.3.3-2.1

I have setup Postfix to act as a relay and only relay mail for specific domains. All works well with Postfix prior to installing and configuring MS. After configuring MS to use Postfix I am getting this error message in debug:

Can't call method "selectrow_array" on an undefined value at /usr/lib/MailScanner/MailScanner/Postfix.pm line 1791.
Failed.

It appears to be a call to a database that is failing, but I can't seem to figure out why. Any ideas?

From MailScanner at ecs.soton.ac.uk Tue Jun 16 20:33:41 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Jun 16 20:34:00 2009
Subject: New Install Help
In-Reply-To: <103656.57539.qm@web56505.mail.re3.yahoo.com>
References: <103656.57539.qm@web56505.mail.re3.yahoo.com> <4A37F395.1020104@ecs.soton.ac.uk>
Message-ID:

It's something to do with the "Maximum Processing Attempts" database. Have you set the database path to point to somewhere that doesn't exist or something like that?

Put those relevant settings back to their defaults for now. What did you change there?

On 16/06/2009 20:06, Jeff Freeman wrote:
> I have just installed a new server. I am using MailScanner-4.77.10-1 & Postfix 2.3.3-2.1
> I have setup Postfix to act as a relay and only relay mail for specific domains. All works well with Postfix prior to installing and configuring MS. After configuring MS to use Postfix I am getting this error message in debug:
>
> Can't call method "selectrow_array" on an undefined value at /usr/lib/MailScanner/MailScanner/Postfix.pm line 1791.
> Failed.
>
> It appears to be a call to a database that is failing, but I can't seem to figure out why. Any ideas?

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info

From nwp at nz.lemon-computing.com Wed Jun 17 01:54:44 2009
From: nwp at nz.lemon-computing.com (Nick Phillips)
Date: Wed Jun 17 01:55:02 2009
Subject: Problem with Exim and Mailscanner
In-Reply-To: <9494ED083FEC4701A3D59C75486E16D5@HOME>
References: <32488369.111245018724197.JavaMail.root@node> <25266218.131245020324018.JavaMail.root@node> <002d01c9ed8d$0d062d10$27128730$@dk> <249BAD3E-F58B-48B8-A0CF-CC8F89AAF8EF@gray.net.au><003301c9ee68$9a799ac0$cf6cd040$@dk> <4A3772DD.9030601@nz.lemon-computing.com> <9494ED083FEC4701A3D59C75486E16D5@HOME>
Message-ID: <63FA30D9-8A86-44FF-AFCF-C2B062CAB691@nz.lemon-computing.com>

On 17/06/2009, at 12:50 AM, sean wrote:
> Sounds great. Can we have an example of that?

In /etc/default/exim4, QUEUERUNNER='separate', with QUEUERUNNEROPTIONS and/or SMTPLISTENEROPTIONS specifying the different spool location (details depend on whether you want locally created mail to be scanned or not). And those options including an appropriate "-D" to enable your config to tell which bits it needs to do differently for each process.

You put in conditionals (based on the -D options you specified above) in the config to make it DTRT. I can't remember the details of what's needed there.

Cheers,

Nick

From gafaith at asdm.net Wed Jun 17 04:31:31 2009
From: gafaith at asdm.net (Gary Faith)
Date: Wed Jun 17 04:31:54 2009
Subject: Changes in Version 4.77.10-1
In-Reply-To:
References: <4A3251C00200002D00006A48@sparky.asdm.net> <4A33BA94.2000007@ecs.soton.ac.uk> <4A3656230200002D00006A7D@sparky.asdm.net> <4A3692BB.9070605@ecs.soton.ac.uk> <4A369E4A.2000103@ecs.soton.ac.uk>
Message-ID: <4A382B530200002D00006B32@sparky.asdm.net>

After re-reading your explanation about spoofing, etc. I think I need to clarify what I was thinking so you can tell me it won't work like that. :-)

My thoughts were that the system that has a dynamic IP automatically registers its IP with DynDNS every time the IP address changes so

host.domain.com A {dynamic IP}

is always up pointing to the system. Since the IP changes every time so does the PTR record making it impossible to base a rule. So I always know the IP from a forward DNS query (DynDNS) and it will never match the reverse.

I figured that the sending system would say that I am host.domain.com, a check of DNS would give the IP address and a comparison would be done to see if the IP address is the same as the IP that made the connection. That way I don't need to check the reverse DNS.

Or is it going to blindly accept the name given in the helo/ehlo handshake and if so, I agree that would be easily spoofable. Am I thinking this right?

Thanks again,
Gary

>>> Julian Field 6/15/2009 3:17 PM >>>

On 15/06/2009 19:28, Julian Field wrote:
>
> On 15/06/2009 19:09, Gary Faith wrote:
>> Yes, I have mail being sent from a dynamic IP address with a host name I know but the IP will change. Can you provide a way to turn off the anti-spoof checking? If not now, in future releases?
> I will add a switch for you. But it does make defeating the name lookup into a very simple thing for a spammer/attacker to do against you.

I have implemented it by you using
host-nocheck:hostname.domain.com
instead of
host:hostname.domain.com
in the condition in a line in a ruleset.

I can see how this might be useful should you be needing to test against a dynamic IP address, in which case you will have a DNS PTR record but no DNS A record.

This will hopefully solve your problem nicely.

It will be in the next release.

>> >>> Kai Schaetzl 6/14/2009 3:31 AM >>>
>> Julian Field wrote on Sat, 13 Jun 2009 15:41:24 +0100:
>>
>> > Just use the IP addresses instead of the hostnames. Trivial, surely?
>>
>> But he doesn't know them.
>>
>> Kai
>
> Jules

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info

From david at bass.net.au Wed Jun 17 06:05:13 2009
From: david at bass.net.au (David Lee)
Date: Wed Jun 17 06:05:34 2009
Subject: Anti-Phishing Update -- New data feed
In-Reply-To:
References: <4A362A07.60900@ecs.soton.ac.uk> <4A36665E.8000303@ecs.soton.ac.uk> <4A366BFD.9030307@alexb.ch> <4A366EFC.3070607@ecs.soton.ac.uk> <4A367620.6080901@alexb.ch> <4A368165.40207@ecs.soton.ac.uk> <4A368611.8040901@alexb.ch> <4A36A8E5.5080406@fsl.com> <4A36AE21.6020109@ecs.soton.ac.uk> <4A36B07C.3010205@fsl.com> <4A374CDA.50709@ecs.soton.ac.uk> <4A3766BD.9010801@ecs.soton.ac.uk>
Message-ID: <4A387989.6040401@bass.net.au>

Julian Field wrote:
>
> On 16/06/2009 08:42, Julian Field wrote:
>>
>> On 15/06/2009 21:35, Steve Freegard wrote:
>>> Julian Field wrote:
>>>>
>>>> On 15/06/2009 21:02, Steve Freegard wrote:
>>>>> Alex Broens wrote:
>>>>>
>>>>>>> I need to apply the rules to the entire message body and headers, as they frequently put the email address just in the body of the message inside some link or other. So how would creating separate header and body rules be any better?
>>>>>>>
>>>>>> I'm not savvy enough in Perl & SA to give you the scientific reason, but it's been common practice to avoid full rules if possible.
>>>>>>
>>>>>> You'd have to ask one of the core SA devs... maybe Matt Kettler can jump in and tell me I'm totally off and that my understanding is wrong.
>>>>>>
>>>>> 'full' rules are simply inefficient as IIRC the regexps have to be run multiple times across each block of text (IIRC: SA splits into paragraph style chunks) to prevent excessive memory use. They also evaluate all other MIME structures e.g. attachments, images etc. as per the docs.
>>>>>
>>>> I don't think they include binary attachments, I had to add that specifically for the MCP stuff with a patch to the SA code.
>>>
>>> From 'man Mail::SpamAssassin::Conf':
>>>
>>>    full SYMBOLIC_TEST_NAME /pattern/modifiers
>>>        Define a full message pattern test. "pattern" is a Perl regular expression. Note: as per the header tests, "#" must be escaped ("\#") or else it is considered the beginning of a comment.
>>>
>>>        The full message is the pristine message headers plus the pristine message body, including all MIME data such as images, other attachments, MIME boundaries, etc.
>>>
>>> The reason it wouldn't work for MCP is that a 'full' rule is not going to decode base64/QP parts before evaluating the regexp (I think!).
>>>
>>>>> If you are simply looking to get any e-mail addresses out of the message body; then a 'uri' rule is far more appropriate e.g.
>>>>>
>>>>> uri BLAH /^mailto:email\@domain\.com$/
>>>>>
>>>>> (SA converts all e-mail URIs into mailto: types even those with no scheme).
>>>>>
>>>> But surely that wouldn't work when email addresses just appear in the text in text/plain bodies, would they?
>>> Sure does:
>>>
>>> [root@mail ~]# cat test.eml
>>> Return-path:
>>> To: test
>>> From: test
>>> Subject: test
>>> Content-type: text/plain
>>>
>>> Test body
>>>
>>> bodytest@example.com this is a test bodytest2@example.com
>>>
>>> [root@mail ~]# /mnt/jungledisk/smf/scripts/uri-extractor.pl test.eml
>>> URI-Domain:example.com
>>> URI:mailto:bodytest2@example.com
>>> URI:mailto:bodytest@example.com
>>>
>>> (uri-extractor.pl uses SA to extract URIs in the same way the eval() rules do; I use this for testing amongst other things).
>> Thanks for that lot, I stand corrected!
>>
>> So I want to do
>> header PHISH_1H ALL =~ /huge|regexp|here/i
>> uri PHISH_1B /mailto:(huge|regexp|here)/i
>> And then do the meta rule to join them altogether.
>>
>> Does that sound better to you?
> I have published an improved much faster version 2.01 which is available from
>
> http://www.jules.fm/Logbook/files/anti-phishing-v2.html
>
> You might well want to upgrade...
>
> Jules
>
I assume the spamassassin rules generated by your improved script are different to those obtained via the 'spear.bastionmail.com' channel using sa-update.

David

-- 
-----------------------------------------------------------------------
David Lee
Systems Administrator                     Tel: +61-8-8205-2467
BASS South Australia                      Fax: +61-8-8205-0550
GPO Box 1269, Adelaide 5000               http://www.bass.net.au/
-----------------------------------------------------------------------

From MailScanner at ecs.soton.ac.uk Wed Jun 17 08:40:48 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Jun 17 08:41:04 2009
Subject: Changes in Version 4.77.10-1
In-Reply-To: <4A382B530200002D00006B32@sparky.asdm.net>
References: <4A3251C00200002D00006A48@sparky.asdm.net> <4A33BA94.2000007@ecs.soton.ac.uk> <4A3656230200002D00006A7D@sparky.asdm.net> <4A3692BB.9070605@ecs.soton.ac.uk> <4A369E4A.2000103@ecs.soton.ac.uk> <4A382B530200002D00006B32@sparky.asdm.net> <4A389E00.30600@ecs.soton.ac.uk>
Message-ID:

On 17/06/2009 04:31, Gary Faith wrote:
> After re-reading your explanation about spoofing, etc. I think I need to clarify what I was thinking so you can tell me it won't work like that. :-)
> My thoughts were that the system that has a dynamic IP automatically registers its IP with DynDNS every time the IP address changes so
> host.domain.com A {dynamic IP}
> is always up pointing to the system. Since the IP changes every time so does the PTR record making it impossible to base a rule. So I always know the IP from a forward DNS query (DynDNS) and it will never match the reverse.
> I figured that the sending system would say that I am host.domain.com,

But it can only know the numerical IP address you're coming from, since that is all there is in the IP packets. DNS is there to allow you to turn it into a name, using an A record, or turn a numerical address into a name with a PTR record. But you can't magic a name out of thin air if there is no PTR record.

> a check of DNS would give the IP address and a comparison would be done to see if the IP address is the same as the IP that made the connection. That way I don't need to check the reverse DNS.
> Or is it going to blindly accept the name given in the helo/ehlo handshake and if so, I agree that would be easily spoofable. Am I thinking this right?

It's nothing to do with the helo handshake, that could be almost anything. It could just be some internal private hostname or a domain name or whatever. I don't use the helo name at all, it can't usually be trusted and is trivially changeable by the spammer sending you junk.

> Thanks again,
> Gary

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info

From MailScanner at ecs.soton.ac.uk Wed Jun 17 08:41:55 2009
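
The difference between "host:" and "host-nocheck:" discussed in the messages above, as an added Python example that is not part of any message in this thread and is not MailScanner code. It assumes the anti-spoof check is a forward-confirmed reverse DNS test and that a bare domain also matches hosts below it; every DNS record, name and address is constructed.

```python
"""Added illustration of "host:" versus "host-nocheck:" rule conditions.

Assumptions (not taken from MailScanner's source): the anti-spoof check is
forward-confirmed reverse DNS, and a bare domain matches hosts below it.
The lookup tables are constructed sample data so the code runs offline.
"""
import fnmatch

# Constructed PTR data: what a reverse lookup of the connecting IP returns.
PTR = {
    "192.0.2.10": ["mail.example.org"],         # honest host, PTR and A agree
    "198.51.100.66": ["mail.example.org"],      # PTR owner merely claims the name
    "203.0.113.5": ["dyn-5.pool.example.net"],  # dynamic pool, generic ISP PTR
}
# Constructed A data: what a forward lookup of a name returns.
A = {
    "mail.example.org": ["192.0.2.10"],
    "home.example.org": ["203.0.113.5"],        # DynDNS-style record kept current
    # deliberately no A record for dyn-5.pool.example.net
}


def ptr_names(ip):
    """Reverse lookup: names the owner of the IP block published for this IP."""
    return [n.lower().rstrip(".") for n in PTR.get(ip, [])]


def a_records(name):
    """Forward lookup: addresses the owner of the name published for it."""
    return A.get(name.lower().rstrip("."), [])


def client_hostnames(ip, confirm=True):
    """Names the connecting IP may be matched under.

    With confirm=True a PTR name only counts when its A records lead back to
    the same IP, so whoever controls the reverse zone cannot claim an
    arbitrary name. With confirm=False the PTR answer is taken at face value.
    """
    return [n for n in ptr_names(ip) if not confirm or ip in a_records(n)]


def pattern_matches(pattern, hostname):
    """Exact or wildcard match; a bare domain also covers hosts inside it."""
    pattern = pattern.lower()
    if fnmatch.fnmatchcase(hostname, pattern):
        return True
    return "*" not in pattern and hostname.endswith("." + pattern)


def rule_matches(condition, ip):
    """Evaluate a 'host:<pattern>' or 'host-nocheck:<pattern>' condition."""
    prefix, _, pattern = condition.partition(":")
    if prefix not in ("host", "host-nocheck") or not pattern:
        raise ValueError("unsupported condition: %r" % condition)
    names = client_hostnames(ip, confirm=(prefix == "host"))
    return any(pattern_matches(pattern, n) for n in names)


def forward_lookup_matches(hostname, ip):
    """The comparison Gary describes: resolve a known name, compare to the IP.

    Shown for contrast only; the thread does not say MailScanner does this.
    """
    return ip in a_records(hostname)


if __name__ == "__main__":
    cases = [
        ("host:mail.example.org", "192.0.2.10"),
        ("host:mail.example.org", "198.51.100.66"),
        ("host-nocheck:mail.example.org", "198.51.100.66"),
        ("host:dyn-*.pool.example.net", "203.0.113.5"),
        ("host-nocheck:dyn-*.pool.example.net", "203.0.113.5"),
        ("host-nocheck:home.example.org", "203.0.113.5"),
    ]
    for condition, ip in cases:
        print("%-40s %-15s %s" % (condition, ip, rule_matches(condition, ip)))
```

The unchecked form accepts the second client because only its PTR record says "mail.example.org", and it still cannot match "home.example.org" because matching starts from the connecting IP's PTR name, not from the name in the rule.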
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Jun 17 08:42:15 2009
Subject: Anti-Phishing Update -- New data feed
In-Reply-To: <4A387989.6040401@bass.net.au>
References: <4A362A07.60900@ecs.soton.ac.uk> <4A366BFD.9030307@alexb.ch> <4A366EFC.3070607@ecs.soton.ac.uk> <4A367620.6080901@alexb.ch> <4A368165.40207@ecs.soton.ac.uk> <4A368611.8040901@alexb.ch> <4A36A8E5.5080406@fsl.com> <4A36AE21.6020109@ecs.soton.ac.uk> <4A36B07C.3010205@fsl.com> <4A374CDA.50709@ecs.soton.ac.uk> <4A3766BD.9010801@ecs.soton.ac.uk> <4A387989.6040401@bass.net.au> <4A389E43.7030803@ecs.soton.ac.uk>
Message-ID:

On 17/06/2009 06:05, David Lee wrote:
> I assume the spamassassin rules generated by your improved script are different to those obtained via the 'spear.bastionmail.com' channel using sa-update.

Indeed, I don't know of anyone else who has the same data feed I do.

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info

From a.peacock at chime.ucl.ac.uk Wed Jun 17 11:12:34 2009
From: a.peacock at chime.ucl.ac.uk (Anthony Peacock)
Date: Wed Jun 17 11:12:20 2009
Subject: Anit-Phishing v2.00 suggestion
Message-ID: <4A38C192.80409@chime.ucl.ac.uk>

Hi Julian,

Installed your updated script yesterday, worked fine after adjusting the paths as suggested. Failed to run as a cron job because my wget is not on the restricted path the cron provides.

I know this is easily fixed in other ways, but it seems to me that this would be easy to add as a config line at the top of the script:

wget_location = '/usr/local/bin/wget';

or somesuch. The other thing that I need to change is the command to restart MailScanner as I use '/etc/init.d/mailscanner restart'. Again, this is not a major problem for me to find and fix, but it seems like this would be a fairly simple config as well...

mailscanner_restart = '/sbin/service MailScanner reload';

Just an idea...

-- 
Anthony Peacock
CHIME, UCL Medical School
WWW: http://www.chime.ucl.ac.uk/~rmhiajp/
Study Health Informatics - Modular Postgraduate Degree
http://www.chime.ucl.ac.uk/study-health-informatics/

From MailScanner at ecs.soton.ac.uk Wed Jun 17 11:34:45 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Jun 17 11:35:08 2009
Subject: Anit-Phishing v2.00 suggestion
In-Reply-To: <4A38C192.80409@chime.ucl.ac.uk>
References: <4A38C192.80409@chime.ucl.ac.uk> <4A38C6C5.9030204@ecs.soton.ac.uk>
Message-ID:

All done. Thanks for the suggestions!

Jules.

-- 
Julian Field MEng CITP CEng
www.MailScanner.info

From a.peacock at chime.ucl.ac.uk Wed Jun 17 11:45:44 2009
From: a.peacock at chime.ucl.ac.uk (Anthony Peacock)
Date: Wed Jun 17 11:45:24 2009
Subject: Anit-Phishing v2.00 suggestion
In-Reply-To:
References: <4A38C192.80409@chime.ucl.ac.uk> <4A38C6C5.9030204@ecs.soton.ac.uk>
Message-ID: <4A38C958.5020302@chime.ucl.ac.uk>

Hi Julian,

LOL! A quick response as always. Thanks.

Julian Field wrote:
> All done. Thanks for the suggestions!
>
> Jules.

-- 
Anthony Peacock

From a.peacock at chime.ucl.ac.uk Wed Jun 17 12:20:57 2009
From: a.peacock at chime.ucl.ac.uk (Anthony Peacock)
Date: Wed Jun 17 12:20:36 2009
Subject: Anit-Phishing v2.00 suggestion
In-Reply-To:
References: <4A38C192.80409@chime.ucl.ac.uk> <4A38C6C5.9030204@ecs.soton.ac.uk>
Message-ID: <4A38D199.30701@chime.ucl.ac.uk>

Hi Julian,

These work fine, but I think I may have given you a bum steer about the default value that $wget_location should have. I gave you my location, but I think for most Linux distros the location would be: /usr/bin/wget

It might make more sense to have the default set to that and let weirdos like me make the changes rather than have the majority of users having to make changes...

Julian Field wrote:
> All done. Thanks for the suggestions!
>
> Jules.

-- 
Anthony Peacock

From mark at msapiro.net Wed Jun 17 16:06:42 2009
From: mark at msapiro.net (Mark Sapiro)
Date: Wed Jun 17 16:07:00 2009
Subject: Anti-Phishing Update -- New data feed
In-Reply-To:
References: <4A368611.8040901@alexb.ch> <4A36A8E5.5080406@fsl.com> <4A36AE21.6020109@ecs.soton.ac.uk> <4A36B07C.3010205@fsl.com> <4A374CDA.50709@ecs.soton.ac.uk> <4A3766BD.9010801@ecs.soton.ac.uk>
Message-ID: <20090617150642.GA2628@msapiro>

On Tue, Jun 16, 2009 at 10:32:45AM +0100, Julian Field wrote:
>
> On 16/06/2009 08:42, Julian Field wrote:
> >
> >So I want to do
> >header PHISH_1H ALL =~ /huge|regexp|here/i
> >uri PHISH_1B /mailto:(huge|regexp|here)/i
> >And then do the meta rule to join them altogether.
> >
> >Does that sound better to you?
> I have published an improved much faster version 2.01 which is available from
>
> http://www.jules.fm/Logbook/files/anti-phishing-v2.html
>
> You might well want to upgrade...
>
> Jules

I have installed the updated script v2.01, which I just downloaded, but I see it only makes the 'header' and 'uri' rules for the google feed. The residue from the google feed and the new addresses are still 'full' rules.

Was this intentional or an oversight?

-- 
Mark Sapiro mark at msapiro net           The highway is for gamblers,
San Francisco Bay Area, California       better use your sense - B. Dylan

From maillists at conactive.com Wed Jun 17 16:31:21 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Wed Jun 17 16:31:33 2009
Subject: Anit-Phishing v2.00 suggestion
In-Reply-To: <4A38D199.30701@chime.ucl.ac.uk>
References: <4A38C192.80409@chime.ucl.ac.uk> <4A38C6C5.9030204@ecs.soton.ac.uk> <4A38D199.30701@chime.ucl.ac.uk>
Message-ID:

Anthony Peacock wrote on Wed, 17 Jun 2009 12:20:57 +0100:

> but I think for most Linux distros the location would be: /usr/bin/wget

yes.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From steve.freegard at fsl.com Wed Jun 17 17:01:12 2009
From: steve.freegard at fsl.com (Steve Freegard)
Date: Wed Jun 17 17:01:24 2009
Subject: Anti-Phishing Update -- New data feed
In-Reply-To: <20090617150642.GA2628@msapiro>
References: <4A368611.8040901@alexb.ch> <4A36A8E5.5080406@fsl.com> <4A36AE21.6020109@ecs.soton.ac.uk> <4A36B07C.3010205@fsl.com> <4A374CDA.50709@ecs.soton.ac.uk> <4A3766BD.9010801@ecs.soton.ac.uk> <20090617150642.GA2628@msapiro>
Message-ID: <4A391348.3050309@fsl.com>

Mark Sapiro wrote:
> On Tue, Jun 16, 2009 at 10:32:45AM +0100, Julian Field wrote:
>>
>> On 16/06/2009 08:42, Julian Field wrote:
>>> So I want to do
>>> header PHISH_1H ALL =~ /huge|regexp|here/i
>>> uri PHISH_1B /mailto:(huge|regexp|here)/i
>>> And then do the meta rule to join them altogether.
>>>
>>> Does that sound better to you?
>> I have published an improved much faster version 2.01 which is available
>> from
>>
>> http://www.jules.fm/Logbook/files/anti-phishing-v2.html
>>
>> You might well want to upgrade...
>>
>> Jules
>
>
> I have installed the updated script v2.01, which I just downloaded,
> but I see it only makes the 'header' and 'uri' rules for the google
> feed. The residue from the google feed and the new addresses are
> still 'full' rules.
>
> Was this intentional or an oversight?
>

I just got around to trying this - currently this ruleset carries a heavy penalty:

Without phishing rules
real 0m1.722s
user 0m1.646s
sys 0m0.065s

With phishing rules
real 0m4.283s
user 0m1.703s
sys 0m0.080s

And this is with a very small dummy message.

In addition to removing the 'full' rules; change (match|match|match) to (?:match|match|match) which is non-capturing and should save a considerable amount of memory in SA and should reduce these times.

Unless you have under-capacity this ruleset isn't suitable in its present guise; it will reduce capacity of an average installation by about 50%.

Cheers,
Steve.

From glenn at mail.txwes.edu Wed Jun 17 20:20:26 2009
From: glenn at mail.txwes.edu (Glenn)
Date: Wed Jun 17 20:20:44 2009
Subject: Firewall Settings for Phishing Updates?
Message-ID: <20090617190354.M94192@mail.txwes.edu>

We have a strict firewall, and our mail servers are in a DMZ. They cannot download updates using either the update_bad_phishing_sites script or the Spear.Phishing.Rules.v2.01 script. I am not a firewall expert, but I need to tell our firewall expert how to allow this traffic. Something like the following, I expect. Are the port and destinations correct? How do other sites handle this? Thanks.
-Glenn.

Proposed firewall rules:

name = update_bad_phishing_sites
source = our server IP
port = 80 (http)
destination = 205.234.175.175 (found by pinging mailscanner.tv)

name = Spear.Phishing.Rules.v2.01
source = our server IP
port = 80 (http)
destination = 74.125.47.82 (found by pinging anti-phishing-email-reply.googlecode.com)

From jethro.binks at strath.ac.uk Wed Jun 17 20:39:00 2009
From: jethro.binks at strath.ac.uk (Jethro R Binks)
Date: Wed Jun 17 20:39:13 2009
Subject: Firewall Settings for Phishing Updates?
In-Reply-To: <20090617190354.M94192@mail.txwes.edu>
References: <20090617190354.M94192@mail.txwes.edu>
Message-ID:

On Wed, 17 Jun 2009, Glenn wrote:

> We have a strict firewall, and our mail servers are in a DMZ. They
> cannot download updates using either the update_bad_phishing_sites
> script or the Spear.Phishing.Rules.v2.01 script. I am not a firewall
> expert, but I need to tell our firewall expert how to allow this
> traffic. Something like the following, I expect. Are the port and
> destinations correct? How do other sites handle this? Thanks.
> -Glenn.

The IP addresses are subject to change at any time, so having to have firewall rules dependent on them is a pain at best.

If you have a less-sensitive host available outside the strict firewall DMZ, use that to obtain the updates, and then have it re-publish them. Then the hosts in your DMZ can pull the content from them, which makes for a more stable firewall configuration.

Or, run an HTTP proxy for these sorts of purposes which is permitted to connect offsite, and have your mail servers direct their requests through that (use proxy settings in curl, wget, etc).

Jethro.

>
> Proposed firewall rules:
>
> name = update_bad_phishing_sites
> source = our server IP
> port = 80 (http)
> destination = 205.234.175.175 (found by pinging mailscanner.tv)
>
> name = Spear.Phishing.Rules.v2.01
> source = our server IP
> port = 80 (http)
> destination = 74.125.47.82 (found by pinging anti-phishing-email-
> reply.googlecode.com
>

. . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK

From ka at pacific.net Wed Jun 17 22:38:02 2009
From: ka at pacific.net (Ken A) Date: Wed Jun 17 22:38:20 2009 Subject: Anti-Phishing Update -- New data feed In-Reply-To: <4A391348.3050309@fsl.com> References: <4A368611.8040901@alexb.ch> <4A36A8E5.5080406@fsl.com> <4A36AE21.6020109@ecs.soton.ac.uk> <4A36B07C.3010205@fsl.com> <4A374CDA.50709@ecs.soton.ac.uk> <4A3766BD.9010801@ecs.soton.ac.uk> <20090617150642.GA2628@msapiro> <4A391348.3050309@fsl.com> Message-ID: <4A39623A.4040907@pacific.net> Steve Freegard wrote: > Mark Sapiro wrote: >> On Tue, Jun 16, 2009 at 10:32:45AM +0100, Julian Field wrote: >>> On 16/06/2009 08:42, Julian Field wrote: >>>> So I want to do >>>> header PHISH_1H ALL =~ /huge|regexp|here/i >>>> uri PHISH_1B /mailto:(huge|regexp|here)/i >>>> And then do the meta rule to join them altogether. >>>> >>>> Does that sound better to you? >>> I have published an improved much faster version 2.01 which is available >>> from >>> >>> http://www.jules.fm/Logbook/files/anti-phishing-v2.html >>> >>> You might well want to upgrade... >>> >>> Jules >> >> I have installed the updated script v2.01, which I just downloaded, >> but I see it only makes the 'header' and 'uri' rules for the google >> feed. The residue from the google feed and the new addresses are >> still 'full' rules. >> >> Was this intentional or an oversight? >> > > I just got around to trying this - currently this ruleset carries a > heavy penalty: > > Without phishing rules > real 0m1.722s > user 0m1.646s > sys 0m0.065s > > With phishing rules > real 0m4.283s > user 0m1.703s > sys 0m0.080s > > And this is with a very small dummy message. > > In addition to removing the 'full' rules; change (match|match|match) to > (?:match|match|match) which is non-capturing and should save a > considerable amount of memory in SA and should reduce these times. > > Unless you have under-capacity this ruleset isn't suitable in it's > present guise it will reduce capacity of an average installation by > about 50%. > > Cheers, > Steve. 
The ?: change helped significantly here. It was not usable, but now is.
MailScanner was causing swapping ;-)
Not sure what to do with the full rules though..

Thanks,
Ken

--
Ken Anderson
Pacific Internet - http://www.pacific.net

From mbneto at gmail.com Thu Jun 18 02:56:49 2009
From: mbneto at gmail.com (mbneto)
Date: Thu Jun 18 02:56:58 2009
Subject: Disbale check for Attempt to hide real filename extension
Message-ID: <5cf776b80906171856h4e79837fpf8a993000f28be0@mail.gmail.com>

Hi,

All too often I get complaints about users having their emails blocked with an 'Attempt to hide real filename extension' message. Most of the time the attachments are legit and the user has used . several times in the name.

I have basically two options: keep adding whitelists or disable this rule (only this).

The whitelist is not working so good (I keep adding senders/recipients) so I was wondering how can I disable this rule in all messages.

Regards.

From alex at rtpty.com Thu Jun 18 04:00:35 2009
From: alex at rtpty.com (Alex Neuman)
Date: Thu Jun 18 04:00:45 2009
Subject: Disbale check for Attempt to hide real filename extension
In-Reply-To: <5cf776b80906171856h4e79837fpf8a993000f28be0@mail.gmail.com>
References: <5cf776b80906171856h4e79837fpf8a993000f28be0@mail.gmail.com>
Message-ID: <24e3d2e40906172000r321f6ad5ubcd6daa1f2ca6126@mail.gmail.com>

Put a # before the rule. That disables it.

On Wed, Jun 17, 2009 at 8:56 PM, mbneto wrote:

> Hi,
>
> All too often I get complains about users having their emails blocked with
> a 'Attempt to hide real filename extension' message. Most of the time the
> attachments are legit and the user has used . several times in the name.
>
> I have basically two options : keep adding whitelists or disable this rule
> (only this).
>
> The whitelist is not working so good (I keep adding senders/recipients) so
> I was wondering how can I disable this rule in all messages.
>
> Regards.
>

--
Alex Neuman van der Hans
Reliant Technologies
+507 6781-9505
+507 202-1525
alex@rtpty.com
Skype: alexneuman

From brennero.pardo at cu.ucsg.edu.ec Thu Jun 18 06:16:56 2009
From: brennero.pardo at cu.ucsg.edu.ec (Brennero Pardo)
Date: Thu Jun 18 06:17:05 2009
Subject: a new rule for mailscanner
Message-ID:

Hi,
I've finally finished configuring mailscanner+clamav and spamassassin, everything seems to run smoothly.

I have a problem, I've found every part of the MailScanner.conf file but haven't found if there is a rule that can limit the number of messages sent by users. Digging into the scripts I've come up with the script used in the top senders, if it's so how can I put it as a rule or make it so that it can limit messages per users per day?

Thanks in advance,
Brennero Pardo

From zaeem.arshad at gmail.com Thu Jun 18 06:47:07 2009
From: zaeem.arshad at gmail.com (Zaeem Arshad)
Date: Thu Jun 18 06:47:16 2009
Subject: a new rule for mailscanner
In-Reply-To:
References:
Message-ID: <3e1809420906172247v2ba03afdid6b64747eb5c3bc0@mail.gmail.com>

On Thu, Jun 18, 2009 at 11:16 AM, Brennero Pardo <brennero.pardo@cu.ucsg.edu.ec> wrote:

> Hi,
> I've finally finished configuring mailscanner+clamav and spamassasin,
> everything seems to run smoothly.
>
> I have a problem, I've found every part of the MailScanner.conf file but
> haven't found if there is a rule that can limit the number of messages sent
> by users. Digging into the scrips i've come up with the script used in the
> top senders, if it's so how can i put it as a rule or make so that it can
> limit messages per users per day?
>

Use policyd if you are using Postfix or search for rate-limiting techniques with $MTA. It's a great tool for rate-limiting messages per sender. You'd want to rate-limit at the MTA before the message is accepted so as not to overwhelm your MailScanner.

Regards

--
Zaeem

From MailScanner at ecs.soton.ac.uk Thu Jun 18 09:04:37 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jun 18 09:05:08 2009 Subject: Anit-Phishing v2.00 suggestion In-Reply-To: <4A38D199.30701@chime.ucl.ac.uk> References: <4A38C192.80409@chime.ucl.ac.uk> <4A38C6C5.9030204@ecs.soton.ac.uk> <4A38D199.30701@chime.ucl.ac.uk> <4A39F515.4010405@ecs.soton.ac.uk> Message-ID: Good point. Fixed. On 17/06/2009 12:20, Anthony Peacock wrote: > Hi Julian, > > These work fine, but I think I may have given you a bum steer about > the default value that $wget_location should have. I gave you my > location, but I think for most Linux distros the location would be: > /usr/bin/wget > > It might more sense to have the default set to that and let weirdos > like me make the changes rather than have the majority of users having > to make changes... > > > > Julian Field wrote: >> All done. Thanks for the suggestions! >> >> Jules. >> >> On 17/06/2009 11:12, Anthony Peacock wrote: >>> Hi Julian, >>> >>> Installed your updated script yesterday, worked fine after adjusting >>> the paths as suggested. Failed to run as a cron job because my wget >>> is not on the restricted path the cron provides. >>> >>> I know this is easily fixed in other ways, but it seems to me that >>> this would be easy to add as a config line at the top of the script: >>> >>> wget_location = '/usr/local/bin/wget'; >>> >>> or somesuch. The other thing that I need to change is the command >>> to restart MailScanner as I use '/etc/init.d/mailscanner restart'. >>> Again, this is not a major problem for me to find and fix, but it >>> seems like this would be a fairly simple config as wel... >>> >>> mailscanner_restart = '/sbin/service MailScanner reload'; >>> >>> Just an idea... >>> >> >> Jules >> > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! 
Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Thu Jun 18 09:11:19 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jun 18 09:11:40 2009 Subject: Anti-Phishing Update -- New data feed In-Reply-To: <20090617150642.GA2628@msapiro> References: <4A368611.8040901@alexb.ch> <4A36A8E5.5080406@fsl.com> <4A36AE21.6020109@ecs.soton.ac.uk> <4A36B07C.3010205@fsl.com> <4A374CDA.50709@ecs.soton.ac.uk> <4A3766BD.9010801@ecs.soton.ac.uk> <20090617150642.GA2628@msapiro> <4A39F6A7.5030002@ecs.soton.ac.uk> Message-ID: On 17/06/2009 16:06, Mark Sapiro wrote: > On Tue, Jun 16, 2009 at 10:32:45AM +0100, Julian Field wrote: > >> >> On 16/06/2009 08:42, Julian Field wrote: >> >>> So I want to do >>> header PHISH_1H ALL =~ /huge|regexp|here/i >>> uri PHISH_1B /mailto:(huge|regexp|here)/i >>> And then do the meta rule to join them altogether. >>> >>> Does that sound better to you? >>> >> I have published an improved much faster version 2.01 which is available >> from >> >> http://www.jules.fm/Logbook/files/anti-phishing-v2.html >> >> You might well want to upgrade... >> >> Jules >> > > I have installed the updated script v2.01, which I just downloaded, > but I see it only makes the 'header' and 'uri' rules for the google > feed. The residue from the google feed and the new addresses are > still 'full' rules. > > Was this intentional or an oversight? > Oversight, inevitably. What was I on? Fixed now. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From a.peacock at chime.ucl.ac.uk Thu Jun 18 09:13:56 2009 
From: a.peacock at chime.ucl.ac.uk (Anthony Peacock) Date: Thu Jun 18 09:13:15 2009 Subject: Anit-Phishing v2.00 suggestion In-Reply-To: References: <4A38C192.80409@chime.ucl.ac.uk> <4A38C6C5.9030204@ecs.soton.ac.uk> <4A38D199.30701@chime.ucl.ac.uk> <4A39F515.4010405@ecs.soton.ac.uk> Message-ID: <4A39F744.8000300@chime.ucl.ac.uk> Hi Julian, Thanks, again. Julian Field wrote: > Good point. Fixed. > > On 17/06/2009 12:20, Anthony Peacock wrote: >> Hi Julian, >> >> These work fine, but I think I may have given you a bum steer about >> the default value that $wget_location should have. I gave you my >> location, but I think for most Linux distros the location would be: >> /usr/bin/wget >> >> It might more sense to have the default set to that and let weirdos >> like me make the changes rather than have the majority of users having >> to make changes... >> >> >> >> Julian Field wrote: >>> All done. Thanks for the suggestions! >>> >>> Jules. >>> >>> On 17/06/2009 11:12, Anthony Peacock wrote: >>>> Hi Julian, >>>> >>>> Installed your updated script yesterday, worked fine after adjusting >>>> the paths as suggested. Failed to run as a cron job because my wget >>>> is not on the restricted path the cron provides. >>>> >>>> I know this is easily fixed in other ways, but it seems to me that >>>> this would be easy to add as a config line at the top of the script: >>>> >>>> wget_location = '/usr/local/bin/wget'; >>>> >>>> or somesuch. The other thing that I need to change is the command >>>> to restart MailScanner as I use '/etc/init.d/mailscanner restart'. >>>> Again, this is not a major problem for me to find and fix, but it >>>> seems like this would be a fairly simple config as wel... >>>> >>>> mailscanner_restart = '/sbin/service MailScanner reload'; >>>> >>>> Just an idea... 
>>>> >>> >>> Jules >>> >> >> > > Jules > -- Anthony Peacock CHIME, UCL Medical School WWW: http://www.chime.ucl.ac.uk/~rmhiajp/ Study Health Informatics - Modular Postgraduate Degree http://www.chime.ucl.ac.uk/study-health-informatics/ From MailScanner at ecs.soton.ac.uk Thu Jun 18 09:14:27 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jun 18 09:14:47 2009 Subject: Anti-Phishing Update -- New data feed In-Reply-To: <4A391348.3050309@fsl.com> References: <4A368611.8040901@alexb.ch> <4A36A8E5.5080406@fsl.com> <4A36AE21.6020109@ecs.soton.ac.uk> <4A36B07C.3010205@fsl.com> <4A374CDA.50709@ecs.soton.ac.uk> <4A3766BD.9010801@ecs.soton.ac.uk> <20090617150642.GA2628@msapiro> <4A391348.3050309@fsl.com> <4A39F763.5050007@ecs.soton.ac.uk> Message-ID: On 17/06/2009 17:01, Steve Freegard wrote: > Mark Sapiro wrote: > >> On Tue, Jun 16, 2009 at 10:32:45AM +0100, Julian Field wrote: >> >>> On 16/06/2009 08:42, Julian Field wrote: >>> >>>> So I want to do >>>> header PHISH_1H ALL =~ /huge|regexp|here/i >>>> uri PHISH_1B /mailto:(huge|regexp|here)/i >>>> And then do the meta rule to join them altogether. >>>> >>>> Does that sound better to you? >>>> >>> I have published an improved much faster version 2.01 which is available >>> from >>> >>> http://www.jules.fm/Logbook/files/anti-phishing-v2.html >>> >>> You might well want to upgrade... >>> >>> Jules >>> >> >> I have installed the updated script v2.01, which I just downloaded, >> but I see it only makes the 'header' and 'uri' rules for the google >> feed. The residue from the google feed and the new addresses are >> still 'full' rules. >> >> Was this intentional or an oversight? >> >> > I just got around to trying this - currently this ruleset carries a > heavy penalty: > > Without phishing rules > real 0m1.722s > user 0m1.646s > sys 0m0.065s > > With phishing rules > real 0m4.283s > user 0m1.703s > sys 0m0.080s > > And this is with a very small dummy message. > > In addition to removing the 'full' rules; change (match|match|match) to > (?:match|match|match) which is non-capturing and should save a > considerable amount of memory in SA and should reduce these times. > I have made both those changes. 
> Unless you have under-capacity this ruleset isn't suitable in it's > present guise it will reduce capacity of an average installation by > about 50%. > > Cheers, > Steve. > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Thu Jun 18 09:16:35 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jun 18 09:16:54 2009 Subject: Anti-Phishing Update -- New data feed In-Reply-To: <4A39623A.4040907@pacific.net> References: <4A368611.8040901@alexb.ch> <4A36A8E5.5080406@fsl.com> <4A36AE21.6020109@ecs.soton.ac.uk> <4A36B07C.3010205@fsl.com> <4A374CDA.50709@ecs.soton.ac.uk> <4A3766BD.9010801@ecs.soton.ac.uk> <20090617150642.GA2628@msapiro> <4A391348.3050309@fsl.com> <4A39623A.4040907@pacific.net> <4A39F7E3.90205@ecs.soton.ac.uk> Message-ID: On 17/06/2009 22:38, Ken A wrote: > Steve Freegard wrote: >> Mark Sapiro wrote: >>> On Tue, Jun 16, 2009 at 10:32:45AM +0100, Julian Field wrote: >>>> On 16/06/2009 08:42, Julian Field wrote: >>>>> So I want to do >>>>> header PHISH_1H ALL =~ /huge|regexp|here/i >>>>> uri PHISH_1B /mailto:(huge|regexp|here)/i >>>>> And then do the meta rule to join them altogether. >>>>> >>>>> Does that sound better to you? >>>> I have published an improved much faster version 2.01 which is >>>> available from >>>> >>>> http://www.jules.fm/Logbook/files/anti-phishing-v2.html >>>> >>>> You might well want to upgrade... >>>> >>>> Jules >>> >>> I have installed the updated script v2.01, which I just downloaded, >>> but I see it only makes the 'header' and 'uri' rules for the google >>> feed. The residue from the google feed and the new addresses are >>> still 'full' rules. >>> >>> Was this intentional or an oversight? >>> >> >> I just got around to trying this - currently this ruleset carries a >> heavy penalty: >> >> Without phishing rules >> real 0m1.722s >> user 0m1.646s >> sys 0m0.065s >> >> With phishing rules >> real 0m4.283s >> user 0m1.703s >> sys 0m0.080s >> >> And this is with a very small dummy message. >> >> In addition to removing the 'full' rules; change (match|match|match) to >> (?:match|match|match) which is non-capturing and should save a >> considerable amount of memory in SA and should reduce these times. 
>> >> Unless you have under-capacity this ruleset isn't suitable in it's >> present guise it will reduce capacity of an average installation by >> about 50%. >> >> Cheers, >> Steve. > > The ?: change helped significantly here. It was not usable, but now is. > MailScanner was causing swapping ;-) > Not sure what to do with the full rules though.. That's good news. Try downloading the script again, I have got rid of all the "full" rules and added the ?: bit too. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From zaeem.arshad at gmail.com Thu Jun 18 09:19:48 2009 
From: zaeem.arshad at gmail.com (Zaeem Arshad) Date: Thu Jun 18 09:19:58 2009 Subject: Anit-Phishing v2.00 suggestion In-Reply-To: References: <4A38C192.80409@chime.ucl.ac.uk> <4A38C6C5.9030204@ecs.soton.ac.uk> <4A39F515.4010405@ecs.soton.ac.uk> <4A38D199.30701@chime.ucl.ac.uk> Message-ID: <3e1809420906180119y73c5fdddkeb8efe10d49c72ad@mail.gmail.com> Hi Julian, Just a thought that wget_location = `which wget` do the same thing making it independent? On Thu, Jun 18, 2009 at 2:04 PM, Julian Field wrote: > Good point. Fixed. > > On 17/06/2009 12:20, Anthony Peacock wrote: > >> Hi Julian, >> >> These work fine, but I think I may have given you a bum steer about the >> default value that $wget_location should have. I gave you my location, but >> I think for most Linux distros the location would be: /usr/bin/wget >> >> It might more sense to have the default set to that and let weirdos like >> me make the changes rather than have the majority of users having to make >> changes... >> >> >> >> Julian Field wrote: >> >>> All done. Thanks for the suggestions! >>> >>> Jules. >>> >>> On 17/06/2009 11:12, Anthony Peacock wrote: >>> >>>> Hi Julian, >>>> >>>> Installed your updated script yesterday, worked fine after adjusting the >>>> paths as suggested. Failed to run as a cron job because my wget is not on >>>> the restricted path the cron provides. >>>> >>>> I know this is easily fixed in other ways, but it seems to me that this >>>> would be easy to add as a config line at the top of the script: >>>> >>>> wget_location = '/usr/local/bin/wget'; >>>> >>>> or somesuch. The other thing that I need to change is the command to >>>> restart MailScanner as I use '/etc/init.d/mailscanner restart'. Again, this >>>> is not a major problem for me to find and fix, but it seems like this would >>>> be a fairly simple config as wel... >>>> >>>> mailscanner_restart = '/sbin/service MailScanner reload'; >>>> >>>> Just an idea... 
>>>> >>>> >>> Jules >>> >>> >> >> > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > Follow me at twitter.com/JulesFM and twitter.com/MailScanner > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090618/3f44ad01/attachment.html From steve.freegard at fsl.com Thu Jun 18 09:48:35 2009 
From: steve.freegard at fsl.com (Steve Freegard)
Date: Thu Jun 18 09:48:46 2009
Subject: Anti-Phishing Update -- New data feed
In-Reply-To:
References: <4A368611.8040901@alexb.ch> <4A36A8E5.5080406@fsl.com> <4A36AE21.6020109@ecs.soton.ac.uk> <4A36B07C.3010205@fsl.com> <4A374CDA.50709@ecs.soton.ac.uk> <4A3766BD.9010801@ecs.soton.ac.uk> <20090617150642.GA2628@msapiro> <4A391348.3050309@fsl.com> <4A39F763.5050007@ecs.soton.ac.uk>
Message-ID: <4A39FF63.20207@fsl.com>

Julian Field wrote:
>> I just got around to trying this - currently this ruleset carries a
>> heavy penalty:
>>
>> Without phishing rules
>> real 0m1.722s
>> user 0m1.646s
>> sys 0m0.065s
>>
>> With phishing rules
>> real 0m4.283s
>> user 0m1.703s
>> sys 0m0.080s
>>
>> And this is with a very small dummy message.
>>
>> In addition to removing the 'full' rules; change (match|match|match) to
>> (?:match|match|match) which is non-capturing and should save a
>> considerable amount of memory in SA and should reduce these times.
>>
> I have made both those changes.

Just grabbed the new script and updated; now looks much better:

Without phishing rules:
real 0m1.734s
user 0m1.648s
sys 0m0.086s

With phishing rules:
real 0m1.822s
user 0m1.725s
sys 0m0.075s

Cheers,
Steve.

From MailScanner at ecs.soton.ac.uk Thu Jun 18 10:01:04 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jun 18 10:01:41 2009 Subject: Anti-Phishing Update -- New data feed In-Reply-To: <4A39FF63.20207@fsl.com> References: <4A368611.8040901@alexb.ch> <4A36A8E5.5080406@fsl.com> <4A36AE21.6020109@ecs.soton.ac.uk> <4A36B07C.3010205@fsl.com> <4A374CDA.50709@ecs.soton.ac.uk> <4A3766BD.9010801@ecs.soton.ac.uk> <20090617150642.GA2628@msapiro> <4A391348.3050309@fsl.com> <4A39F763.5050007@ecs.soton.ac.uk> <4A39FF63.20207@fsl.com> <4A3A0250.1090108@ecs.soton.ac.uk> Message-ID: On 18/06/2009 09:48, Steve Freegard wrote: > Julian Field wrote: > >>> I just got around to trying this - currently this ruleset carries a >>> heavy penalty: >>> >>> Without phishing rules >>> real 0m1.722s >>> user 0m1.646s >>> sys 0m0.065s >>> >>> With phishing rules >>> real 0m4.283s >>> user 0m1.703s >>> sys 0m0.080s >>> >>> And this is with a very small dummy message. >>> >>> In addition to removing the 'full' rules; change (match|match|match) to >>> (?:match|match|match) which is non-capturing and should save a >>> considerable amount of memory in SA and should reduce these times. >>> >>> >> I have made both those changes. >> > Just grabbed the new script and updated; now looks much better: > > Without phishing rules: > real 0m1.734s > user 0m1.648s > sys 0m0.086s > > With phishing rules: > real 0m1.822s > user 0m1.725s > sys 0m0.075s > That's more like it! Thanks for the tips, Steve. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
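Added example, not part of any message in this thread and not Julian's script: one way to generate the 'header' and 'uri' rules discussed above with the non-capturing (?:...) alternation Steve suggested, and to check the result in Perl before SpamAssassin loads it. The addresses are constructed, and the PHISH prefix, the chunk size, the shape of the meta rule and all helper names are assumptions.

```perl
#!/usr/bin/perl
# Added example: build SpamAssassin 'header' and 'uri' rules from an address
# list using a non-capturing alternation, then sanity-check them in Perl.
use strict;
use warnings;

# Constructed sample data; a real run would read the downloaded feed instead.
my @addresses = qw(
    helpdesk.upgrade@example.com
    webmail-admin@example.net
    account+verify@example.org
    Webmail-Admin@example.net
    it.support@example.com
);
my $CHUNK = 2;    # assumption: addresses per rule, kept tiny to show chunking

# Lower-case, drop duplicates and backslash every non-word character.
# quotemeta also escapes '@' and '/', which matter inside a /.../ rule.
sub normalise {
    my %seen;
    return grep { !$seen{$_}++ } map { quotemeta(lc $_) } @_;
}

# One alternation: "(a|b)" is the capturing form the thread started with,
# "(?:a|b)" is the non-capturing form.
sub alternation {
    my ($capturing, @parts) = @_;
    return ($capturing ? '(' : '(?:') . join('|', @parts) . ')';
}

# Rule text: one header/uri pair per chunk plus a meta rule joining them.
# The thread's PHISH_1H / PHISH_1B naming style is kept; the meta expression
# is an assumption, and scores are left for the site to set.
sub build_rules {
    my ($prefix, @addrs) = @_;
    my @parts = normalise(@addrs);
    my (@lines, @names);
    my $n = 0;
    while (my @chunk = splice(@parts, 0, $CHUNK)) {
        $n++;
        my $alt = alternation(0, @chunk);
        # Compile what will be written out, so a bad entry fails here.
        for my $re ($alt, "mailto:$alt") {
            eval { my $compiled = qr/$re/i; 1 }
                or die "chunk $n does not compile: $@";
        }
        push @lines, "header ${prefix}_${n}H ALL =~ /$alt/i",
                     "uri    ${prefix}_${n}B /mailto:$alt/i";
        push @names, "${prefix}_${n}H", "${prefix}_${n}B";
    }
    push @lines, "meta   ${prefix} (" . join(' || ', @names) . ")";
    return join("\n", @lines) . "\n";
}

print build_rules('PHISH', @addresses), "\n";

# Both forms match the same constructed header line; only the capturing
# form makes Perl record the matched text in $1.
my @parts  = normalise(@addresses);
my $header = 'Reply-To: <WEBMAIL-ADMIN@example.net>';
for my $form ([1, 'capturing'], [0, 'non-capturing']) {
    my ($capturing, $label) = @$form;
    my $re = alternation($capturing, @parts);
    if ($header =~ /$re/i) {
        printf "%-13s matched; \$1 is %s\n",
            $label, defined $1 ? "'$1'" : 'not set';
    }
}

# Escaping check: '.' and '+' in a listed address must stay literal, so
# these constructed look-alikes must not match.
my $strict = alternation(0, @parts);
for my $decoy ('helpdeskXupgrade@example.com', 'accounttverify@example.org') {
    printf "decoy %-30s %s\n", $decoy,
        $decoy =~ /$strict/i ? 'MATCHED (escaping is wrong)' : 'no match';
}
```

Saving the printed rules to a test .cf file and running `spamassassin --lint` confirms that SpamAssassin itself accepts them.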
From maillists at conactive.com Thu Jun 18 11:31:21 2009
From: maillists at conactive.com (Kai Schaetzl)
Date: Thu Jun 18 11:31:31 2009
Subject: Anit-Phishing v2.00 suggestion
In-Reply-To: <3e1809420906180119y73c5fdddkeb8efe10d49c72ad@mail.gmail.com>
References: <4A38C192.80409@chime.ucl.ac.uk> <4A38C6C5.9030204@ecs.soton.ac.uk> <4A39F515.4010405@ecs.soton.ac.uk> <4A38D199.30701@chime.ucl.ac.uk> <3e1809420906180119y73c5fdddkeb8efe10d49c72ad@mail.gmail.com>
Message-ID:

Zaeem Arshad wrote on Thu, 18 Jun 2009 14:19:48 +0600:

> Just a thought that wget_location = `which wget` do the same thing making
> it independent?

which may not be on the path or wget may not be in the path so it cannot be found by which. That's why this solution was introduced in the first place.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From a.peacock at chime.ucl.ac.uk Thu Jun 18 11:42:53 2009
From: a.peacock at chime.ucl.ac.uk (Anthony Peacock) Date: Thu Jun 18 11:42:23 2009 Subject: Anit-Phishing v2.00 suggestion In-Reply-To: References: <4A38C192.80409@chime.ucl.ac.uk> <4A38C6C5.9030204@ecs.soton.ac.uk> <4A39F515.4010405@ecs.soton.ac.uk> <4A38D199.30701@chime.ucl.ac.uk> <3e1809420906180119y73c5fdddkeb8efe10d49c72ad@mail.gmail.com> Message-ID: <4A3A1A2D.9060107@chime.ucl.ac.uk> Kai Schaetzl wrote: > Zaeem Arshad wrote on Thu, 18 Jun 2009 14:19:48 +0600: > >> Just a thought that wget_location = `which wget` do the same thing making >> it independent? > > which may not be on the path or wget may not be in the path so it cannot be > found by which. That's why this solution was introduced in the first place. Exactly. The reason I originally suggested this change was because wget is not on the path for cron jobs on my server. So the suggestion to use `which wget` would fail in exactly the same way the original script failed for me. -- Anthony Peacock CHIME, UCL Medical School WWW: http://www.chime.ucl.ac.uk/~rmhiajp/ Study Health Informatics - Modular Postgraduate Degree http://www.chime.ucl.ac.uk/study-health-informatics/ From zaeem.arshad at gmail.com Thu Jun 18 11:48:40 2009 
From: zaeem.arshad at gmail.com (Zaeem Arshad)
Date: Thu Jun 18 11:48:50 2009
Subject: Anit-Phishing v2.00 suggestion
In-Reply-To: <4A3A1A2D.9060107@chime.ucl.ac.uk>
References: <4A38C192.80409@chime.ucl.ac.uk> <4A38C6C5.9030204@ecs.soton.ac.uk> <4A39F515.4010405@ecs.soton.ac.uk> <4A38D199.30701@chime.ucl.ac.uk> <3e1809420906180119y73c5fdddkeb8efe10d49c72ad@mail.gmail.com> <4A3A1A2D.9060107@chime.ucl.ac.uk>
Message-ID: <3e1809420906180348o25c6fbf0u7d50221b4f4daefa@mail.gmail.com>

Ah..ok! :)

On Thu, Jun 18, 2009 at 4:42 PM, Anthony Peacock wrote:

> Kai Schaetzl wrote:
>
>> Zaeem Arshad wrote on Thu, 18 Jun 2009 14:19:48 +0600:
>>
>>> Just a thought that wget_location = `which wget` do the same thing
>>> making it independent?
>>
>> which may not be on the path or wget may not be in the path so it cannot
>> be found by which. That's why this solution was introduced in the first
>> place.
>
> Exactly. The reason I originally suggested this change was because wget is
> not on the path for cron jobs on my server. So the suggestion to use `which
> wget` would fail in exactly the same way the original script failed for me.

From Denis.Beauchemin at USherbrooke.ca Thu Jun 18 13:19:18 2009
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Thu Jun 18 13:19:33 2009
Subject: a new rule for mailscanner
In-Reply-To:
References:
Message-ID: <4A3A30C6.1020201@USherbrooke.ca>

Brennero Pardo wrote:
> Hi,
> I've finally finished configuring mailscanner+clamav and spamassassin,
> everything seems to run smoothly.
>
> I have a problem, I've found every part of the MailScanner.conf file
> but haven't found if there is a rule that can limit the number of
> messages sent by users. Digging into the scripts I've come up with the
> script used in the top senders, if it's so how can I put it as a rule
> or make so that it can limit messages per users per day?
>
> Thanks in advance,
> Brennero Pardo

I use milter-limit in sendmail on all my MS servers. Works great and is free.

Denis

--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x62252 F: 819.821.8045

From zaeem.arshad at gmail.com Thu Jun 18 13:36:22 2009
From: zaeem.arshad at gmail.com (Zaeem Arshad)
Date: Thu Jun 18 13:36:31 2009
Subject: SpamAssassin.cache.db-journal not found
Message-ID: <3e1809420906180536r73a50870nff53d4c716db7b70@mail.gmail.com>

Hi,

Can anyone explain what this means and what's the impact? Found it while stracing a MailScanner process.

access("/queue/mstmp/SpamAssassin.cache.db-journal", F_OK) = -1 ENOENT (No such file or directory)

Regards

--
Zaeem

From maxsec at gmail.com Thu Jun 18 14:33:08 2009
From: maxsec at gmail.com (Martin Hepworth)
Date: Thu Jun 18 14:33:19 2009
Subject: SpamAssassin.cache.db-journal not found
In-Reply-To: <3e1809420906180536r73a50870nff53d4c716db7b70@mail.gmail.com>
References: <3e1809420906180536r73a50870nff53d4c716db7b70@mail.gmail.com>
Message-ID: <72cf361e0906180633h5f14d448s85a92b8fda872554@mail.gmail.com>

2009/6/18 Zaeem Arshad

> Hi,
>
> Can any one explain what this means and what's the impact? Found it while
> stracing a MailScanner process.
>
> access("/queue/mstmp/SpamAssassin.cache.db-journal", F_OK) = -1 ENOENT (No
> such file or directory)
>
> Regards
>
> --
> Zaeem

Means it can't create the spamassassin cache DB properly. I presume you've got all the perl modules loaded and /queue/mstmp/ is accessible (writeable) by the user MailScanner runs as.

--
Martin Hepworth
Oxford, UK

From steve.freegard at fsl.com Thu Jun 18 15:21:12 2009
From: steve.freegard at fsl.com (Steve Freegard)
Date: Thu Jun 18 15:21:26 2009
Subject: SpamAssassin.cache.db-journal not found
In-Reply-To: <3e1809420906180536r73a50870nff53d4c716db7b70@mail.gmail.com>
References: <3e1809420906180536r73a50870nff53d4c716db7b70@mail.gmail.com>
Message-ID: <4A3A4D58.3090101@fsl.com>

Zaeem Arshad wrote:
> Hi,
>
> Can any one explain what this means and what's the impact? Found it
> while stracing a MailScanner process.
>
> access("/queue/mstmp/SpamAssassin.cache.db-journal", F_OK) = -1 ENOENT
> (No such file or directory)
>

Part of the SQLite library; it's totally normal; IIRC SQLite has to check to make sure the journal doesn't exist when it connects otherwise it has to move the data from the journal to the datafile.

Regards,
Steve.

From mark at msapiro.net Thu Jun 18 21:17:24 2009
From: mark at msapiro.net (Mark Sapiro) Date: Thu Jun 18 21:17:39 2009 Subject: Anti-Phishing Update -- New data feed In-Reply-To: References: <4A36B07C.3010205@fsl.com> <4A374CDA.50709@ecs.soton.ac.uk> <4A3766BD.9010801@ecs.soton.ac.uk> <20090617150642.GA2628@msapiro> <4A391348.3050309@fsl.com> <4A39F763.5050007@ecs.soton.ac.uk> Message-ID: <20090618201724.GA2772@msapiro> On Thu, Jun 18, 2009 at 09:14:27AM +0100, Julian Field wrote: > > > On 17/06/2009 17:01, Steve Freegard wrote: > >In addition to removing the 'full' rules; change (match|match|match) to > >(?:match|match|match) which is non-capturing and should save a > >considerable amount of memory in SA and should reduce these times. > > > I have made both those changes. v2.02 has changed the regexps in the rules from the form ((local1@example.com)|(local2@example.com) ... (localn@example.com)) to (?:(local1@example.com)|(local2@example.com) ... (localn@example.com)) but wouldn't (?:(?:local1@example.com)|(?:local2@example.com) ... (?:localn@example.com)) be much better in terms of saving memory by not capturing matches? See the attached Spear.Phishing.Rules.patch -- Mark Sapiro mark at msapiro net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan -------------- next part -------------- --- Spear.Phishing.Rules.v2.02 2009-06-18 07:17:45.000000000 -0700 +++ Spear.Phishing.Rules.v2.02x 2009-06-18 08:56:22.000000000 -0700 @@ -87,7 +87,7 @@ s/\\\*/[0-9a-z_.+-]*/g; # Unquote any '*' characters as they map to .* # Find all the numbers just before the @ and replace with them digit wildcards s/([0-9a-z_.+-])\d{1,3}\\\@/$1\\d+\\@/i; - push @quoted, '(' . $_ . ')'; + push @quoted, '(?:' . $_ . ')'; $count++; if ($count % $addresses_per_rule == 0) { 
@@ -128,7 +128,7 @@ s/\\\*/[0-9a-z_.+-]*/g; # Unquote any '*' characters as they map to .* # Find all the numbers just before the @ and replace with them digit wildcards s/([0-9a-z_.+-])\d{1,3}\\\@/$1\\d+\\@/i; - push @quoted, '(' . $_ . ')'; + push @quoted, '(?:' . $_ . ')'; $count++; if ($count % $addresses_per_rule == 0) { From mbneto at gmail.com Thu Jun 18 21:40:15 2009 
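Review bot: in both hunks the pushed string still wraps every address in a group of its own, `'(?:' . $_ . ')'`, although each address only ever becomes one alternative of the `|` list shown in the message above, so the per-address group does no work; pushing `$_` alone and wrapping the joined list once in `(?:` ... `)` gives the same matches with a shorter rule. The hunks at lines 87 and 128 are identical, context included, which suggests the quoting steps and the push belong in one shared subroutine so that the next change to the rule format is made in a single place. The context comment "replace with them digit wildcards" should read "replace them with digit wildcards".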
From: mbneto at gmail.com (mbneto)
Date: Thu Jun 18 21:40:24 2009
Subject: Disbale check for Attempt to hide real filename extension
In-Reply-To: <24e3d2e40906172000r321f6ad5ubcd6daa1f2ca6126@mail.gmail.com>
References: <5cf776b80906171856h4e79837fpf8a993000f28be0@mail.gmail.com> <24e3d2e40906172000r321f6ad5ubcd6daa1f2ca6126@mail.gmail.com>
Message-ID: <5cf776b80906181340v6cef280cw56c4f47badb89d9e@mail.gmail.com>

Hi,

Which directive (assuming it is located in MailScanner.conf) should I comment?

Does it stop only the 'attempt to hide the real filename extension'?

On Wed, Jun 17, 2009 at 11:00 PM, Alex Neuman wrote:

> Put a # before the rule. That disables it.
>
> On Wed, Jun 17, 2009 at 8:56 PM, mbneto wrote:
>
>> Hi,
>>
>> All too often I get complaints about users having their emails blocked with
>> a 'Attempt to hide real filename extension' message. Most of the time the
>> attachments are legit and the user has used . several times in the name.
>>
>> I have basically two options : keep adding whitelists or disable this rule
>> (only this).
>>
>> The whitelist is not working so good (I keep adding senders/recipients) so
>> I was wondering how can I disable this rule in all messages.
>>
>> Regards.

From steve.freegard at fsl.com Thu Jun 18 21:54:27 2009
From: steve.freegard at fsl.com (Steve Freegard)
Date: Thu Jun 18 21:54:39 2009
Subject: Anti-Phishing Update -- New data feed
In-Reply-To: <20090618201724.GA2772@msapiro>
References: <4A36B07C.3010205@fsl.com> <4A374CDA.50709@ecs.soton.ac.uk> <4A3766BD.9010801@ecs.soton.ac.uk> <20090617150642.GA2628@msapiro> <4A391348.3050309@fsl.com> <4A39F763.5050007@ecs.soton.ac.uk> <20090618201724.GA2772@msapiro>
Message-ID: <4A3AA983.6000509@fsl.com>

Mark Sapiro wrote:
> On Thu, Jun 18, 2009 at 09:14:27AM +0100, Julian Field wrote:
>>
>> On 17/06/2009 17:01, Steve Freegard wrote:
>>> In addition to removing the 'full' rules; change (match|match|match) to
>>> (?:match|match|match) which is non-capturing and should save a
>>> considerable amount of memory in SA and should reduce these times.
>>>
>> I have made both those changes.
>
> v2.02 has changed the regexps in the rules from the form
>
> ((local1@example.com)|(local2@example.com) ... (localn@example.com))
>
> to
>
> (?:(local1@example.com)|(local2@example.com) ... (localn@example.com))
>
> but wouldn't
>
> (?:(?:local1@example.com)|(?:local2@example.com) ... (?:localn@example.com))
>
> be much better in terms of saving memory by not capturing matches?
>
> See the attached Spear.Phishing.Rules.patch
>

I hadn't noticed that; but both are wrong - it should be:

(?:local1\@example\.com|local2\@example\.com)

As the inner parentheses are unnecessary.

Cheers,
Steve.

From gcle at smcaus.com.au Thu Jun 18 22:49:33 2009
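The grouping styles compared in the "Anti-Phishing Update -- New data feed" thread above, as an added Perl example; it is not code from Spear.Phishing.Rules or from any poster. The address list, the two test strings and the helper capture_groups are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample addresses; not taken from any real phishing feed.
my @addresses = ('local1@example.com', 'local2@example.com', 'localn@example.com');

# quotemeta() backslash-escapes '@' and '.', so each entry matches only itself.
my @quoted = map { quotemeta($_) } @addresses;

# The three grouping styles from the thread, built from the same address list.
my @styles = (
    [ 'every address captured',     '(' . join('|', map { "($_)" } @quoted) . ')' ],
    [ 'outer group non-capturing',  '(?:' . join('|', map { "($_)" } @quoted) . ')' ],
    [ 'single non-capturing group', '(?:' . join('|', @quoted) . ')' ],
);

# Number of capture groups the pattern defines, or undef when it does not match.
sub capture_groups {
    my ($pattern, $subject) = @_;
    return undef unless $subject =~ /$pattern/i;
    return $#+;    # highest group number in the last successfully matched pattern
}

my $hit       = 'Reply-To: Local2@Example.com';
my $lookalike = 'Reply-To: local2@exampleXcom';    # differs only where the dot belongs

for my $style (@styles) {
    my ($name, $pattern) = @$style;
    my $groups  = capture_groups($pattern, $hit);
    my $matched = defined $groups ? 'yes' : 'no';
    my $loose   = defined capture_groups($pattern, $lookalike) ? 'yes' : 'no';
    printf "%-28s matches=%s groups=%d matches-lookalike=%s\n",
        $name, $matched, defined $groups ? $groups : 0, $loose;
}

# The same list joined without quotemeta(): '.' now stands for any character,
# so the lookalike string is accepted as well.
my $unescaped = '(?:' . join('|', @addresses) . ')';
printf "%-28s matches-lookalike=%s\n", 'unescaped alternation',
    defined capture_groups($unescaped, $lookalike) ? 'yes' : 'no';
```

All three styles accept the same input; they differ only in how many capture groups the regex engine has to track per rule, while the unescaped variant changes what the rule matches.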
From: gcle at smcaus.com.au (Gerard Cleary)
Date: Thu Jun 18 22:49:56 2009
Subject: Disbale check for Attempt to hide real filename extension
In-Reply-To: <5cf776b80906181340v6cef280cw56c4f47badb89d9e@mail.gmail.com>
References: <5cf776b80906171856h4e79837fpf8a993000f28be0@mail.gmail.com> <24e3d2e40906172000r321f6ad5ubcd6daa1f2ca6126@mail.gmail.com> <5cf776b80906181340v6cef280cw56c4f47badb89d9e@mail.gmail.com>
Message-ID: <200906190749.33894.gcle@smcaus.com.au>

On Fri, 19 Jun 2009 06:40:15 mbneto wrote:
> Which directive (assuming it is located in MailScanner.conf) should I
> comment?
>
> Does it stop only the 'attempt to hide the real filename extension'?

The rule is found in file filename.rules.conf which is usually in the same directory as MailScanner.conf. You'll see how it works with the previous rule to take care of "strange" filenames.

Gerard.

From zaeem.arshad at gmail.com Fri Jun 19 06:37:58 2009
From: zaeem.arshad at gmail.com (Zaeem Arshad)
Date: Fri Jun 19 06:38:08 2009
Subject: SpamAssassin.cache.db-journal not found
In-Reply-To: <4A3A4D58.3090101@fsl.com>
References: <3e1809420906180536r73a50870nff53d4c716db7b70@mail.gmail.com> <4A3A4D58.3090101@fsl.com>
Message-ID: <3e1809420906182237u3875dce0p6cd2161ba5412a61@mail.gmail.com>

On Thu, Jun 18, 2009 at 8:21 PM, Steve Freegard wrote:

> Zaeem Arshad wrote:
> > Hi,
> >
> > Can any one explain what this means and what's the impact? Found it
> > while stracing a MailScanner process.
> >
> > access("/queue/mstmp/SpamAssassin.cache.db-journal", F_OK) = -1 ENOENT
> > (No such file or directory)
> >
>
> Part of the SQLite library; it's totally normal; IIRC SQLite has to
> check to make sure the journal doesn't exist when it connects otherwise
> it has to move the data from the journal to the datafile.
>

I see that happening a lot of times though..that's normal as well?

From MailScanner at ecs.soton.ac.uk Fri Jun 19 09:06:33 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Jun 19 09:06:56 2009
Subject: Anti-Phishing Update -- New data feed
In-Reply-To: <4A3AA983.6000509@fsl.com>
References: <4A36B07C.3010205@fsl.com> <4A374CDA.50709@ecs.soton.ac.uk> <4A3766BD.9010801@ecs.soton.ac.uk> <20090617150642.GA2628@msapiro> <4A391348.3050309@fsl.com> <4A39F763.5050007@ecs.soton.ac.uk> <20090618201724.GA2772@msapiro> <4A3AA983.6000509@fsl.com> <4A3B4709.8010007@ecs.soton.ac.uk>
Message-ID:

On 18/06/2009 21:54, Steve Freegard wrote:
> Mark Sapiro wrote:
>> On Thu, Jun 18, 2009 at 09:14:27AM +0100, Julian Field wrote:
>>> On 17/06/2009 17:01, Steve Freegard wrote:
>>>> In addition to removing the 'full' rules; change (match|match|match) to
>>>> (?:match|match|match) which is non-capturing and should save a
>>>> considerable amount of memory in SA and should reduce these times.
>>>>
>>> I have made both those changes.
>>
>> v2.02 has changed the regexps in the rules from the form
>>
>> ((local1@example.com)|(local2@example.com) ... (localn@example.com))
>>
>> to
>>
>> (?:(local1@example.com)|(local2@example.com) ... (localn@example.com))
>>
>> but wouldn't
>>
>> (?:(?:local1@example.com)|(?:local2@example.com) ... (?:localn@example.com))
>>
>> be much better in terms of saving memory by not capturing matches?
>>
>> See the attached Spear.Phishing.Rules.patch
>>
> I hadn't noticed that; but both are wrong - it should be:
>
> (?:local1\@example\.com|local2\@example\.com)
>
> As the inner parentheses are unnecessary.
>

Fixed. Up to 2.03 now.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info

From uxbod at splatnix.net Fri Jun 19 12:14:15 2009
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Fri Jun 19 12:21:54 2009
Subject: Hi, I'm back :)
Message-ID: <15136529.91245410054967.JavaMail.root@office.splatnix.net>

Hi all MailScanners,

Just a quick email to say hi and a question ...

Just about to install MS in front of Zimbra again and would like to know :-

* Install from source on CentOS or use RPM
* Install all Perl modules via source or from CPAN

Look forward to your replies.

Best Regards,

UxBoD

--
SplatNIX IT Services :: Innovation through collaboration

From steve.freegard at fsl.com Fri Jun 19 12:22:14 2009
From: steve.freegard at fsl.com (Steve Freegard)
Date: Fri Jun 19 12:22:25 2009
Subject: SpamAssassin.cache.db-journal not found
In-Reply-To: <3e1809420906182237u3875dce0p6cd2161ba5412a61@mail.gmail.com>
References: <3e1809420906180536r73a50870nff53d4c716db7b70@mail.gmail.com> <4A3A4D58.3090101@fsl.com> <3e1809420906182237u3875dce0p6cd2161ba5412a61@mail.gmail.com>
Message-ID: <4A3B74E6.4080605@fsl.com>

Zaeem Arshad wrote:
>
> On Thu, Jun 18, 2009 at 8:21 PM, Steve Freegard wrote:
>
>     Zaeem Arshad wrote:
>     > Hi,
>     >
>     > Can any one explain what this means and what's the impact? Found it
>     > while stracing a MailScanner process.
>     >
>     > access("/queue/mstmp/SpamAssassin.cache.db-journal", F_OK) = -1 ENOENT
>     > (No such file or directory)
>     >
>
>     Part of the SQLite library; it's totally normal; IIRC SQLite has to
>     check to make sure the journal doesn't exist when it connects otherwise
>     it has to move the data from the journal to the datafile.
>
> I see that happening a lot of times though..that's normal as well?
>

Yes; this is part of the SQLite library code.

Unless you have a specific problem; running strace over a process is going to be a huge waste of time. Especially if you need to ask others about how to interpret it; I only ever use it with MailScanner if I receive a segfault from Perl to identify the module that causes it.

Regards,
Steve.

From prandal at herefordshire.gov.uk Fri Jun 19 14:03:20 2009
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Fri Jun 19 14:03:38 2009
Subject: Hi, I'm back :)
In-Reply-To: <15136529.91245410054967.JavaMail.root@office.splatnix.net>
References: <15136529.91245410054967.JavaMail.root@office.splatnix.net>
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA070633CD@HC-MBX02.herefordshire.gov.uk>

--[ UxBoD ]-- wrote:
> Hi all MailScanners,
>
> Just a quick email to say hi and a question ...
>
> Just about to install MS infront of Zimbra again and would like to
> know :-
>
> * Install from source on CentOS or use RPM
> * Install all Perl modules via source or from CPAN
>
> Look forward to your replies.
>
> Best Regards,
>
> UxBoD
>
> --
> SplatNIX IT Services :: Innovation through collaboration

Use RPM on CentOS (./install.sh to install it).

Jules' latest version "does the right thing" (TM) with its perl modules.

Cheers,

Phil

--
Phil Randal | Networks Engineer
Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: prandal@herefordshire.gov.uk

From Denis.Beauchemin at USherbrooke.ca Fri Jun 19 14:41:16 2009
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Fri Jun 19 14:41:31 2009
Subject: Anti-Phishing Update -- New data feed
In-Reply-To:
References: <4A36B07C.3010205@fsl.com> <4A374CDA.50709@ecs.soton.ac.uk> <4A3766BD.9010801@ecs.soton.ac.uk> <20090617150642.GA2628@msapiro> <4A391348.3050309@fsl.com> <4A39F763.5050007@ecs.soton.ac.uk> <20090618201724.GA2772@msapiro> <4A3AA983.6000509@fsl.com> <4A3B4709.8010007@ecs.soton.ac.uk>
Message-ID: <4A3B957C.40902@USherbrooke.ca>

Skipped content of type multipart/mixed

From alex at rtpty.com Fri Jun 19 15:42:28 2009
From: alex at rtpty.com (Alex Neuman)
Date: Fri Jun 19 15:42:41 2009
Subject: Disbale check for Attempt to hide real filename extension
In-Reply-To: <5cf776b80906181340v6cef280cw56c4f47badb89d9e@mail.gmail.com>
References: <5cf776b80906171856h4e79837fpf8a993000f28be0@mail.gmail.com> <24e3d2e40906172000r321f6ad5ubcd6daa1f2ca6126@mail.gmail.com> <5cf776b80906181340v6cef280cw56c4f47badb89d9e@mail.gmail.com>
Message-ID: <24e3d2e40906190742r197da60fi782a26b9a57c5df9@mail.gmail.com>

Did you read mailscanner.conf? Did you read the bottom of filename.rules.conf?

Just in case, whenever I need to find one of the rules, I can always run something like:

    grep -ir "attempt to hide the real" *

while in the /etc/Mailscanner folder to see which file has those words. That would point me to filename.rules.conf, which has the "deny double extension" rule which you can disable using # or just delete altogether.

You should really read all the configuration files and understand the options. We'll be glad to hear you out if you think the documentation could be explained in better ways, but you have to read it first.

Also, buy the book. It helps support Julian and most of the answers are there for when you're "offline".

Have a great day!

On Thu, Jun 18, 2009 at 3:40 PM, mbneto wrote:

> Hi,
>
> Which directive (assuming it is located in MailScanner.conf) should I
> comment?
>
> Does it stop only the 'attempt to hide the real filename extension'?
>
> On Wed, Jun 17, 2009 at 11:00 PM, Alex Neuman wrote:
>
>> Put a # before the rule. That disables it.
>>
>> On Wed, Jun 17, 2009 at 8:56 PM, mbneto wrote:
>>
>>> Hi,
>>>
>>> All too often I get complaints about users having their emails blocked
>>> with a 'Attempt to hide real filename extension' message. Most of the time
>>> the attachments are legit and the user has used . several times in the name.
>>>
>>> I have basically two options : keep adding whitelists or disable this
>>> rule (only this).
>>>
>>> The whitelist is not working so good (I keep adding senders/recipients)
>>> so I was wondering how can I disable this rule in all messages.
>>>
>>> Regards.

--
Alex Neuman van der Hans
Reliant Technologies
+507 6781-9505
+507 202-1525
alex@rtpty.com
Skype: alexneuman

From MailScanner at ecs.soton.ac.uk Sat Jun 20 14:58:40 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Jun 20 14:59:01 2009
Subject: Anti-Phishing Update -- New data feed
In-Reply-To: <4A3B957C.40902@USherbrooke.ca>
References: <4A36B07C.3010205@fsl.com> <4A374CDA.50709@ecs.soton.ac.uk> <4A3766BD.9010801@ecs.soton.ac.uk> <20090617150642.GA2628@msapiro> <4A391348.3050309@fsl.com> <4A39F763.5050007@ecs.soton.ac.uk> <20090618201724.GA2772@msapiro> <4A3AA983.6000509@fsl.com> <4A3B4709.8010007@ecs.soton.ac.uk> <4A3B957C.40902@USherbrooke.ca> <4A3CEB10.70504@ecs.soton.ac.uk>
Message-ID:

Check out the new version 2.04. It supports --quiet and --help.

On 19/06/2009 14:41, Denis Beauchemin wrote:
> Thanks Julian,
>
> Could you also provide a non-verbose switch like the diff output I
> joined to this email.
>
> Denis
> Julian Field wrote:
>>
>> On 18/06/2009 21:54, Steve Freegard wrote:
>>> Mark Sapiro wrote:
>>>> On Thu, Jun 18, 2009 at 09:14:27AM +0100, Julian Field wrote:
>>>>> On 17/06/2009 17:01, Steve Freegard wrote:
>>>>>> In addition to removing the 'full' rules; change
>>>>>> (match|match|match) to
>>>>>> (?:match|match|match) which is non-capturing and should save a
>>>>>> considerable amount of memory in SA and should reduce these times.
>>>>>>
>>>>> I have made both those changes.
>>>>
>>>> v2.02 has changed the regexps in the rules from the form
>>>>
>>>> ((local1@example.com)|(local2@example.com) ... (localn@example.com))
>>>>
>>>> to
>>>>
>>>> (?:(local1@example.com)|(local2@example.com) ... (localn@example.com))
>>>>
>>>> but wouldn't
>>>>
>>>> (?:(?:local1@example.com)|(?:local2@example.com) ...
>>>> (?:localn@example.com))
>>>>
>>>> be much better in terms of saving memory by not capturing matches?
>>>>
>>>> See the attached Spear.Phishing.Rules.patch
>>>>
>>> I hadn't noticed that; but both are wrong - it should be:
>>>
>>> (?:local1\@example\.com|local2\@example\.com)
>>>
>>> As the inner parentheses are unnecessary.
>> Fixed. Up to 2.03 now.
>>
>> Jules
>>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info

From simon at kmun.gov.kw Sun Jun 21 20:47:45 2009
From: simon at kmun.gov.kw (Benedict simon)
Date: Sun Jun 21 20:23:12 2009
Subject: {Disarmed} Re: [Mailwatch-users] MailScanner --lint error
In-Reply-To: <72cf361e0906211104u4512e21fi7cee65a896742bad@mail.gmail.com>
References: <264da3853b30da3196fb7bccea601dc6.squirrel@webmail.baladia.gov.kw> <72cf361e0906211104u4512e21fi7cee65a896742bad@mail.gmail.com>
Message-ID: <058961a29d166c8027361de0579289c2.squirrel@webmail.baladia.gov.kw>

Dear Martin,

Thanks for your immediate reply, I do appreciate it.

By the way, I just commented /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93 and the error goes.

Will that lead to any problem?

Thanks and regards

simon

> Simon
>
> the auto commit message is fine - you can ignore those.
>
> as for the release message, usually means you didn't quarantine/store the
> message OR the user mailscanner is running as can't access the message
> (file permissions usually).
>
> --
> Martin Hepworth
> Oxford, UK
>
> 2009/6/21 Benedict simon
>
>> Dear All,
>>
>> I have the following setup for almost a year and it was working perfect
>>
>> centos 5.0
>> MailScanner 4.70.6
>> mailwatch 1.0.4
>> sendmail-8.13.8-2.el5
>> spamassassin+clamav jules package Clam-0.92-SA-3.2.4
>>
>> now I just upgraded as per the instructions in mailscanner website
>>
>> mailscanner to 4.76.25
>> and
>> Clam-0.95.1-SA-3.2.5
>>
>> everything went fine and is working but when I run
>>
>> MailScanner --lint
>>
>> the last line shows me the following error
>>
>> Config: calling custom end function MailWatchLogging
>> [root@kmdns1 MailScanner]# commit ineffective with AutoCommit enabled at
>> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93,
>> line 95.
>> Commmit ineffective while AutoCommit is on at
>> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93,
>> line 95.
>>
>> ----------------
>>
>> also I see when I log into mailwatch and if I open the blocked
>> attachment email I don't see the release message check box
>>
>> I rechecked the MailScanner.conf file and all settings are OK
>>
>> appreciate your kind advice and help
>>
>> Regards
>>
>> simon
>>
>> --
>> Network ADMIN
>> -------------
>> KUWAIT MUNICIPALITY:

--
Network ADMIN
-------------
KUWAIT MUNICIPALITY:

From simon at kmun.gov.kw Sun Jun 21 22:15:36 2009
From: simon at kmun.gov.kw (Benedict simon)
Date: Sun Jun 21 21:50:59 2009
Subject: any change necessary
Message-ID: <2cb900251f8f047f9fb6b92d4e782b31.squirrel@webmail.baladia.gov.kw>

Dear All,

I have the following setup working perfect

Centos OS 5 final
MailScanner 4.76.25
Mailwatch 1.0.4
Clam-0.95.1-SA-3.2.5 jules package

I want to upgrade to centos 5.3 and latest mailscanner and clam+SA

Do I need to make any changes in my mysql and mailwatch settings?

Appreciate your help

regards

simon

--
Network ADMIN
-------------
KUWAIT MUNICIPALITY:

From systronx at yahoo.com Mon Jun 22 03:57:21 2009
From: systronx at yahoo.com (David Haynes)
Date: Mon Jun 22 03:57:33 2009
Subject: Mailscanner 4.77 build for Debian?
In-Reply-To: <2cb900251f8f047f9fb6b92d4e782b31.squirrel@webmail.baladia.gov.kw>
References: <2cb900251f8f047f9fb6b92d4e782b31.squirrel@webmail.baladia.gov.kw>
Message-ID: <973196.92668.qm@web112408.mail.gq1.yahoo.com>

Hello,

Please let me know if there is a Debian repository out there that houses the latest Mailscanner builds. I need to install this on a few Debian boxes and I would much rather use the apt-get method if possible.

Thank you for your help.

David

From mailscanner at barendse.to Mon Jun 22 08:41:32 2009
From: mailscanner at barendse.to (Remco Barendse)
Date: Mon Jun 22 08:41:48 2009
Subject: Problem Messages
In-Reply-To:
References: <4A256689.2080008@ecs.soton.ac.uk> <4A33BA01.3070501@ecs.soton.ac.uk> <4A36154F.1020300@ecs.soton.ac.uk>
Message-ID:

On Mon, 15 Jun 2009, Julian Field wrote:

> That's quite normal, it processed the message successfully (apart from you
> needing to update your copy of ClamAV). So whatever was causing your message
> to kill MailScanner has gone away and isn't doing it now.

Could it be that MailScanner chokes over the header?

When checking the messages I noticed that every problem message had a mdnsbl lookup deferred message in the qf file.

I have removed chinanet.blackholes.us from my sendmail.mc (the website of blackholes seems dead anyways), will see what happens.

This is a qf file of a problem message:

V8
T1245534817
K0
N0
P269106
Mdnsbl map: lookup (42.72.44.72.chinanet.blackholes.us.): deferred
Fbs
$_42-72-44-72-dedicated.multacom.com [72.44.72.42] (may be forged)
$rSMTP
$smx19.thecreekpeoples.com
${daemon_flags}
${if_addr}x.x.x.x
S
rRFC822; xxxxxxxx@xxxxx.xxx
RPFD:
H?P?Return-Path: <<81>g>
H??Received: from mx19.thecreekpeoples.com (42-72-44-72-dedicated.multacom.com [72.44.72.42] (may be forged)) by mail.xxxx.xx (8.13.8/8.13.8) with SMTP id n5KLrFpq011945 for ; Sat, 20 Jun 2009 23:53:37 +0200
H??From: "Aid for Online Students"
H??To:
H??Subject: Take advantage of flexible financial aid packages
H??Message-ID: <20090620175515.ofzoyjwcnwnd@mx19.thecreekpeoples.com>
H??Date: Sat, 20 Jun 2009 17:55:15 -0500
H??MIME-Version: 1.0
H??Content-Type: multipart/related; boundary="----=_NextPart_000_00C1_01C9F18A.8B45AD30"
H??X-Mailer: Microsoft Office Outlook 12.0
H??Content-Language: en-us

From jeroen at intuxicated.org Mon Jun 22 10:57:54 2009
From: jeroen at intuxicated.org (jeroen@intuxicated.org)
Date: Mon Jun 22 10:58:05 2009
Subject: Mailscanner 4.77 build for Debian?
In-Reply-To: <973196.92668.qm@web112408.mail.gq1.yahoo.com>
References: <2cb900251f8f047f9fb6b92d4e782b31.squirrel@webmail.baladia.gov.kw> <973196.92668.qm@web112408.mail.gq1.yahoo.com>
Message-ID: <660f55d26beeaa5ba032198a1d3f040b@mail.perrit.nl>

On Sun, 21 Jun 2009 19:57:21 -0700 (PDT), David Haynes wrote:
> Hello,
> Please let me know if there is a Debian repository out there that houses
> the latest Mailscanner builds. I need to install this on a few Debian boxes
> and I would much rather use the apt-get method if possible.
>
> Thank you for your help.
> David

Hi David,

the latest build in the repository is 4.76.25-1 (see
http://packages.qa.debian.org/m/mailscanner.html), but the package has
been orphaned (see
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=531317).

Regards,
Jeroen

From ram at netcore.co.in Mon Jun 22 12:15:24 2009
From: ram at netcore.co.in (ram)
Date: Mon Jun 22 12:15:37 2009
Subject: DKIM signing
Message-ID: <1245669324.13686.80.camel@darkstar.netcore.co.in>

Can I use any plugin in MailScanner to DKIM sign outbound mail

From MailScanner at ecs.soton.ac.uk Mon Jun 22 12:34:30 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Jun 22 12:39:56 2009
Subject: DKIM signing
In-Reply-To: <1245669324.13686.80.camel@darkstar.netcore.co.in>
References: <1245669324.13686.80.camel@darkstar.netcore.co.in> <4A3F6C46.4030105@ecs.soton.ac.uk>
Message-ID:

Just make your outgoing MTA do it. The sendmail DKIM milter works fine.

On 22/06/2009 12:15, ram wrote:
> Can I use any plugin in MailScanner to DKIM sign outbound mail
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner

From Denis.Beauchemin at USherbrooke.ca Mon Jun 22 13:29:05 2009
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Mon Jun 22 13:29:20 2009
Subject: Anti-Phishing Update -- New data feed
In-Reply-To:
References: <4A36B07C.3010205@fsl.com> <4A374CDA.50709@ecs.soton.ac.uk> <4A3766BD.9010801@ecs.soton.ac.uk> <20090617150642.GA2628@msapiro> <4A391348.3050309@fsl.com> <4A39F763.5050007@ecs.soton.ac.uk> <20090618201724.GA2772@msapiro> <4A3AA983.6000509@fsl.com> <4A3B4709.8010007@ecs.soton.ac.uk> <4A3B957C.40902@USherbrooke.ca> <4A3CEB10.70504@ecs.soton.ac.uk>
Message-ID: <4A3F7911.6050208@USherbrooke.ca>

Thanks!

Denis

Julian Field wrote:
> Check out the new version 2.04. It supports --quiet and --help.
>
> On 19/06/2009 14:41, Denis Beauchemin wrote:
>> Thanks Julian,
>>
>> Could you also provide a non-verbose switch like the diff output I
>> joined to this email.
>>
>> Denis
>> Julian Field wrote:
>>>
>>>
>>> On 18/06/2009 21:54, Steve Freegard wrote:
>>>> Mark Sapiro wrote:
>>>>> On Thu, Jun 18, 2009 at 09:14:27AM +0100, Julian Field wrote:
>>>>>> On 17/06/2009 17:01, Steve Freegard wrote:
>>>>>>> In addition to removing the 'full' rules; change
>>>>>>> (match|match|match) to
>>>>>>> (?:match|match|match) which is non-capturing and should save a
>>>>>>> considerable amount of memory in SA and should reduce these times.
>>>>>>>
>>>>>> I have made both those changes.
>>>>>
>>>>> v2.02 has changed the regexps in the rules from the form
>>>>>
>>>>> ((local1@example.com)|(local2@example.com) ... (localn@example.com))
>>>>>
>>>>> to
>>>>>
>>>>> (?:(local1@example.com)|(local2@example.com) ...
>>>>> (localn@example.com))
>>>>>
>>>>> but wouldn't
>>>>>
>>>>> (?:(?:local1@example.com)|(?:local2@example.com) ...
>>>>> (?:localn@example.com))
>>>>>
>>>>> be much better in terms of saving memory by not capturing matches?
>>>>>
>>>>> See the attached Spear.Phishing.Rules.patch
>>>>>
>>>> I hadn't noticed that; but both are wrong - it should be:
>>>>
>>>> (?:local1\@example\.com|local2\@example\.com)
>>>>
>>>> As the inner parentheses are unnecessary.
>>> Fixed. Up to 2.03 now.
>>>
>>> Jules
>>>
>>
>>
>
> Jules
>

--
   _
  °v°   Denis Beauchemin, analyst
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From bpirie at rma.edu Mon Jun 22 14:10:19 2009
From: bpirie at rma.edu (Brendan Pirie)
Date: Mon Jun 22 14:10:59 2009
Subject: FYI: [Fwd: [dnsbl-users] [sorbs-announce] Imminent closure of SORBS.]
Message-ID: <4A3F82BB.50009@rma.edu>

-------- Original Message --------
Subject: [dnsbl-users] [sorbs-announce] Imminent closure of SORBS.
Date: Mon, 22 Jun 2009 23:01:44 +1000
From: Michelle Sullivan
Organization: Spam and Open Relay Blocking System
To: sorbs-announce@sorbs.net

All,

Please feel free to forward this message to any other location/mailing
list.

It comes with great sadness that I have to announce the imminent closure
of SORBS. The University of Queensland have decided not to honor their
agreement with myself and SORBS and terminate the hosting contract.

I have been involved with institutions such as Griffith University
trying to arrange alternative hosting for SORBS, but as of 12 noon, 22nd
June 2009 no hosting has been acquired and therefore I have been forced
into this announcement. SORBS is officially "For Sale" should anyone
wish to purchase it as a going concern, but failing that and failing to
find alternative hosting for a 42RU rack in the Brisbane area of
Queensland Australia SORBS will be shutting down permanently in 28 days,
on 20th July 2009 at 12 noon.

This announcement will be replicated on the main SORBS website at the
earliest opportunity.

For information about the possible purchase of SORBS, the source code,
data, hosts etc, I may be contacted at michelle@sorbs.net, telephone +61
414 861 744.

For any hosting suggestions/provision, please be aware that the 42RU
space is a requirement at the moment, and the service cannot be made
into a smaller rackspace without a lot of new hardware, virtual hosting
is just not possible. The SORBS service services over 30 billion DNS
queries per day, and has a number of database servers with fast disk to
cope with the requirements.

Thank you for all your support over the years,

Michelle Sullivan
(Previously known as Matthew Sullivan)

--
Brendan

From oliver at linux-kernel.at Mon Jun 22 15:43:17 2009
From: oliver at linux-kernel.at (Oliver Falk)
Date: Mon Jun 22 15:43:33 2009
Subject: FYI: [Fwd: [dnsbl-users] [sorbs-announce] Imminent closure of SORBS.]
In-Reply-To: <4A3F82BB.50009@rma.edu>
References: <4A3F82BB.50009@rma.edu>
Message-ID: <4A3F9885.6010207@linux-kernel.at>

Thx for the information!!!

-of

Brendan Pirie wrote:
>
> -------- Original Message --------
> Subject: [dnsbl-users] [sorbs-announce] Imminent closure of SORBS.
> Date: Mon, 22 Jun 2009 23:01:44 +1000
> From: Michelle Sullivan
> Organization: Spam and Open Relay Blocking System
> To: sorbs-announce@sorbs.net
>
> All,
>
> Please feel free to forward this message to any other location/mailing list.
>
> It comes with great sadness that I have to announce the imminent closure
> of SORBS. The University of Queensland have decided not to honor their
> agreement with myself and SORBS and terminate the hosting contract.
>
> I have been involved with institutions such as Griffith University
> trying to arrange alternative hosting for SORBS, but as of 12 noon, 22nd
> June 2009 no hosting has been acquired and therefore I have been forced
> into this announcement. SORBS is officially "For Sale" should anyone
> wish to purchase it as a going concern, but failing that and failing to
> find alternative hosting for a 42RU rack in the Brisbane area of
> Queensland Australia SORBS will be shutting down permanently in 28 days,
> on 20th July 2009 at 12 noon.
>
> This announcement will be replicated on the main SORBS website at the
> earliest opportunity.
>
> For information about the possible purchase of SORBS, the source code,
> data, hosts etc, I may be contacted at michelle@sorbs.net, telephone +61
> 414 861 744.
>
> For any hosting suggestions/provision, please be aware that the 42RU
> space is a requirement at the moment, and the service cannot be made
> into a smaller rackspace without a lot of new hardware, virtual hosting
> is just not possible. The SORBS service services over 30 billion DNS
> queries per day, and has a number of database servers with fast disk to
> cope with the requirements.
>
> Thank you for all your support over the years,
>
> Michelle Sullivan
> (Previously known as Matthew Sullivan)
>
> --
> Brendan
>

From rcooper at dwford.com Mon Jun 22 16:38:43 2009
From: rcooper at dwford.com (Rick Cooper)
Date: Mon Jun 22 16:39:10 2009
Subject: DKIM signing
In-Reply-To: <1245669324.13686.80.camel@darkstar.netcore.co.in>
References: <1245669324.13686.80.camel@darkstar.netcore.co.in>
Message-ID:

You don't want to sign dkim or domainkeys until the last thing before the
message is "placed on the wire". Any modification made after the signing
will, of course, make the signature invalid. This means the outbound MTA
has to be the signing agent.

Rick

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of ram
Sent: Monday, June 22, 2009 7:15 AM
To: MailScanner discussion
Subject: DKIM signing

Can I use any plugin in MailScanner to DKIM sign outbound mail

From systronx at yahoo.com Mon Jun 22 16:43:57 2009
From: systronx at yahoo.com (David Haynes)
Date: Mon Jun 22 16:44:08 2009
Subject: Mailscanner 4.77 build for Debian?
In-Reply-To: <660f55d26beeaa5ba032198a1d3f040b@mail.perrit.nl>
References: <2cb900251f8f047f9fb6b92d4e782b31.squirrel@webmail.baladia.gov.kw> <973196.92668.qm@web112408.mail.gq1.yahoo.com> <660f55d26beeaa5ba032198a1d3f040b@mail.perrit.nl>
Message-ID: <503478.15300.qm@web112407.mail.gq1.yahoo.com>

Thank you Jeroen

David

________________________________
From: "jeroen@intuxicated.org"
To: MailScanner discussion
Sent: Monday, June 22, 2009 2:57:54 AM
Subject: Re: Mailscanner 4.77 build for Debian?

On Sun, 21 Jun 2009 19:57:21 -0700 (PDT), David Haynes wrote:
> Hello,
> Please let me know if there is a Debian repository out there that houses
> the latest Mailscanner builds. I need to install this on a few Debian boxes
> and I would much rather use the apt-get method if possible.
>
> Thank you for your help.
> David

Hi David,

the latest build in the repository is 4.76.25-1 (see
http://packages.qa.debian.org/m/mailscanner.html), but the package has
been orphaned (see
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=531317).

Regards,
Jeroen

From alex at rtpty.com Mon Jun 22 17:01:56 2009
From: alex at rtpty.com (Alex Neuman)
Date: Mon Jun 22 17:02:18 2009
Subject: DKIM signing
In-Reply-To:
References: <1245669324.13686.80.camel@darkstar.netcore.co.in>
Message-ID: <24e3d2e40906220901t6f8fdd9au36c5edc50a483444@mail.gmail.com>

Any chance of someone thinking up a way to fire up a third instance of
sendmail on one machine to do something like this?

On Mon, Jun 22, 2009 at 10:38 AM, Rick Cooper wrote:

> You don't want to sign dkim or domainkeys until the last thing before the
> message is "placed on the wire". Any modification made after the signing
> will, of course, make the signature invalid. This means the outbound MTA has
> to be the signing agent.
>
> Rick
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of ram
> Sent: Monday, June 22, 2009 7:15 AM
> To: MailScanner discussion
> Subject: DKIM signing
>
> Can I use any plugin in MailScanner to DKIM sign outbound mail
>

--
Alex Neuman van der Hans
Reliant Technologies
+507 6781-9505
+507 202-1525
alex@rtpty.com
Skype: alexneuman

From simon at kmun.gov.kw Mon Jun 22 17:59:42 2009
From: simon at kmun.gov.kw (Benedict simon)
Date: Mon Jun 22 17:35:01 2009
Subject: MailScanner --lint error after OS upgrade
In-Reply-To: <72cf361e0906211104u4512e21fi7cee65a896742bad@mail.gmail.com>
References: <264da3853b30da3196fb7bccea601dc6.squirrel@webmail.baladia.gov.kw> <72cf361e0906211104u4512e21fi7cee65a896742bad@mail.gmail.com>
Message-ID: <731bd9f5ae9aca5bc83d305f1057eeef.squirrel@webmail.baladia.gov.kw>

Dear All,

I have had the following setup for almost a year and it was working
perfectly:

centos 5.0
MailScanner 4.70.6
mailwatch 1.0.4
sendmail-8.13.8-2.el5
spamassassin+clamav jules package Clam-0.92-SA-3.2.4

Now I just upgraded, as per the instructions on the mailscanner website,
mailscanner to 4.77.10 and the Clam-0.95.2-SA-3.2.5 jules package.

I also upgraded the OS to centos 5.3 using yum update and everything
went OK.

Everything went fine and is working, but when I run MailScanner --lint I
see the following errors:

-----------------------------------------------
Read 878 hostnames from the phishing whitelist
Read 10077 hostnames from the phishing blacklists
Config: calling custom init function SQLBlacklist
Starting up SQL Blacklist
Read 17 blacklist entries
Config: calling custom init function MailWatchLogging
Started SQL Logging child
Checking version numbers...
Version number in MailScanner.conf (4.77.10) is correct.

Your envelope_sender_header in spam.assassin.prefs.conf is correct.

Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
pyzor: check failed: Can't fork at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Util.pm line 1385.
SpamAssassin reported no errors.
Connected to Processing Attempts Database
Created Processing Attempts Database successfully
There are 2 messages in the Processing Attempts Database
Using locktype = posix
MailScanner.conf says "Virus Scanners = clamav bitdefender"
Found these virus scanners installed:
===========================================================================
Filename Checks: Blocked Filename Detected (1 eicar.com)
File checker failed with real error: Can't fork at /usr/lib/MailScanner/MailScanner/SweepOther.pm line 402.
 at /usr/lib/MailScanner/MailScanner/SweepOther.pm line 442
---------------------------------------------

MailScanner starts normally without any errors.

Appreciate your help.

regards
simon

--
Network ADMIN
-------------
KUWAIT MUNICIPALITY:

From eddie at emcuk.com Mon Jun 22 17:44:38 2009
From: eddie at emcuk.com (Eddie Hallahan)
Date: Mon Jun 22 17:45:05 2009
Subject: DKIM signing
In-Reply-To: <24e3d2e40906220901t6f8fdd9au36c5edc50a483444@mail.gmail.com>
References: <1245669324.13686.80.camel@darkstar.netcore.co.in> <24e3d2e40906220901t6f8fdd9au36c5edc50a483444@mail.gmail.com>
Message-ID: <4A3FB4F6.9040309@emcuk.com>

An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090622/83152703/attachment.html

From ssilva at sgvwater.com Mon Jun 22 18:01:02 2009
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Jun 22 18:01:25 2009
Subject: Mailscanner 4.77 build for Debian?
In-Reply-To: <503478.15300.qm@web112407.mail.gq1.yahoo.com>
References: <2cb900251f8f047f9fb6b92d4e782b31.squirrel@webmail.baladia.gov.kw> <973196.92668.qm@web112408.mail.gq1.yahoo.com> <660f55d26beeaa5ba032198a1d3f040b@mail.perrit.nl> <503478.15300.qm@web112407.mail.gq1.yahoo.com>
Message-ID:

on 6-22-2009 8:43 AM David Haynes spake the following:
> Thank you Jeroen
>

And in the future, please don't hijack message threads.

From gmaddock at futuremetals.com Mon Jun 22 19:10:51 2009
From: gmaddock at futuremetals.com (Gerry Maddock)
Date: Mon Jun 22 19:14:48 2009
Subject: ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf
Message-ID:

Hey all, I ran a search of my current problem on google and found some
answers, but none have worked for me & I'm hoping you can help. I just
installed MailScanner on a Fedora 11 sys using postfix. When I run
MailScanner --lint on that system I get:

root@timmy ~]# MailScanner --lint
Trying to setlogsock(unix)
Read 855 hostnames from the phishing whitelist
Read 10091 hostnames from the phishing blacklists
Checking version numbers...
Version number in MailScanner.conf (4.77.10) is correct.

Your setting "Mail Header" contains illegal characters.
This is most likely caused by your "%org-name%" setting
which must not contain any spaces, "." or "_" characters
as these are known to cause problems with many mail systems.

ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf
ERROR: is not correct, it should match X-timmy.futuremetals.com-MailScanner-From

MailScanner setting GID to (89)
MailScanner setting UID to (89)

Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
I have found clamav scanners installed, and will use them all by default.
Connected to Processing Attempts Database
Created Processing Attempts Database successfully
There are 0 messages in the Processing Attempts Database
Using locktype = posix
MailScanner.conf says "Virus Scanners = auto"
Found these virus scanners installed: clamav
------------------------------------------------------------------------

The weird thing is I have MailScanner 4.60.8 running on Fedora 7 with the
same settings (other than hostname) and it has no complaints:

[root@jimmy ~]# MailScanner --lint
Read 861 hostnames from the phishing whitelist
Checking version numbers...
Version number in MailScanner.conf (4.60.8) is correct.
MailScanner setting GID to (89)
MailScanner setting UID to (89)

Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
Using locktype = flock
MailScanner.conf says "Virus Scanners = auto"
Found these virus scanners installed: clamav, avg

Here is my current MailScanner.conf & spam.assassin.prefs.conf's
applicable data:

MailScanner.conf:
current: %org-name% = timmy.futuremetals.com
have tried: %org-name% = FMI

spam.assassin.prefs.conf:
current: bayes_ignore_header X-YOURDOMAIN-COM-MailScanner
current: bayes_ignore_header X-YOURDOMAIN-COM-MailScanner-SpamCheck
current: bayes_ignore_header X-YOURDOMAIN-COM-MailScanner-SpamScore
current: bayes_ignore_header X-YOURDOMAIN-COM-MailScanner-Information
have tried: bayes_ignore_header X-FMI-MailScanner
have tried: bayes_ignore_header X-FMI-MailScanner-SpamCheck
have tried: bayes_ignore_header X-FMI-MailScanner-SpamScore
have tried: bayes_ignore_header X-FMI-MailScanner-Information

***On my working MailScanner 4.60.8 installation I have it set & working
with no complaints as:

MailScanner.conf:
%org-name% = jimmy.futuremetals.com

spam.assassin.prefs.conf:
current: bayes_ignore_header X-YOURDOMAIN-COM-MailScanner
current: bayes_ignore_header X-YOURDOMAIN-COM-MailScanner-SpamCheck
current: bayes_ignore_header X-YOURDOMAIN-COM-MailScanner-SpamScore
current: bayes_ignore_header X-YOURDOMAIN-COM-MailScanner-Information

As shown above I have tried MailScanner.conf & spam.assassin.prefs.conf
with both configurations, restarting MailScanner after changes, then
running --lint.

Any help would be greatly appreciated.

From Carl.Andrews at crackerbarrel.com Mon Jun 22 19:31:42 2009
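A consistency check for the two settings the 4.77.10 --lint output above complains about, as an added Python example (not part of the original post and not MailScanner code). It assumes the expected header is built as X-<%org-name%>-MailScanner-From, as the lint message shows, and treats YOURDOMAIN-COM as an unedited placeholder; the envelope_sender_header line in the sample is constructed, since the post does not show it.

```python
import re

# Characters the 4.77.10 --lint message says %org-name% must not contain.
ILLEGAL_ORG_CHARS = {" ", ".", "_"}
# Assumption: this string marks a sample value that was never edited.
PLACEHOLDER = "YOURDOMAIN-COM"


def org_name(mailscanner_conf):
    """Return the %org-name% value from MailScanner.conf text, or None."""
    for raw in mailscanner_conf.splitlines():
        line = raw.split("#", 1)[0]          # drop comments
        m = re.match(r"\s*%org-name%\s*=\s*(.*?)\s*$", line)
        if m:
            return m.group(1)
    return None


def prefs_headers(prefs):
    """Collect the header names used by the two directives from the post."""
    found = {"envelope_sender_header": [], "bayes_ignore_header": []}
    for raw in prefs.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0] in found:
            found[parts[0]].append(parts[1])
    return found


def check(mailscanner_conf, prefs):
    """Return a list of (code, detail) problems; an empty list means consistent."""
    org = org_name(mailscanner_conf)
    if org is None:
        return [("org-name-missing", "%org-name% is not set")]
    problems = []
    bad = sorted(ILLEGAL_ORG_CHARS.intersection(org))
    if bad:
        problems.append(("org-name-chars", repr("".join(bad))))
    expected = f"X-{org}-MailScanner-From"
    headers = prefs_headers(prefs)
    if headers["envelope_sender_header"] != [expected]:
        problems.append(("envelope-sender-mismatch", expected))
    for directive, names in headers.items():
        for name in names:
            if PLACEHOLDER in name:
                problems.append(("placeholder", f"{directive} {name}"))
    return problems


# Settings from the post; the envelope_sender_header line is constructed.
CONF_AS_POSTED = "%org-name% = timmy.futuremetals.com\n"
PREFS_AS_POSTED = """\
bayes_ignore_header X-YOURDOMAIN-COM-MailScanner
bayes_ignore_header X-YOURDOMAIN-COM-MailScanner-SpamCheck
bayes_ignore_header X-YOURDOMAIN-COM-MailScanner-SpamScore
bayes_ignore_header X-YOURDOMAIN-COM-MailScanner-Information
envelope_sender_header X-YOURDOMAIN-COM-MailScanner-From
"""
# The "have tried" variant, with every header renamed to match (constructed).
CONF_FMI = "%org-name% = FMI\n"
PREFS_FMI = PREFS_AS_POSTED.replace(PLACEHOLDER, "FMI")

if __name__ == "__main__":
    for label, conf, prefs in (("as posted", CONF_AS_POSTED, PREFS_AS_POSTED),
                               ("FMI conf, old prefs", CONF_FMI, PREFS_AS_POSTED),
                               ("FMI conf and prefs", CONF_FMI, PREFS_FMI)):
        print(label)
        for code, detail in check(conf, prefs) or [("ok", "consistent")]:
            print(f"  {code}: {detail}")
```
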
From: Carl.Andrews at crackerbarrel.com (Andrews Carl 448)
Date: Mon Jun 22 19:31:59 2009
Subject: FW: SORBS bites the dust
Message-ID: <73BF1D6676C4E04E9675A08BA0C9825A03F5497E@exchsrvr01.CBOCS.com>

FYI

-----Original Message-----
From: richard@buzzhost.co.uk [mailto:richard@buzzhost.co.uk]
Sent: Monday, June 22, 2009 5:28 AM
To: users@spamassassin.apache.org
Subject: SORBS bites the dust

Noted this over at NANAE;

QUOTE:

All,

Please feel free to forward this message to any other location/mailing
list.

It comes with great sadness that I have to announce the imminent closure
of SORBS. The University of Queensland have decided not to honor their
agreement with myself and SORBS and terminate the hosting contract.

I have been involved with institutions such as Griffith University
trying to arrange alternative hosting for SORBS, but as of 12 noon, 22nd
June 2009 no hosting has been acquired and therefore I have been forced
into this announcement. SORBS is officially "For Sale" should anyone
wish to purchase it as a going concern, but failing that and failing to
find alternative hosting for a 42RU rack in the Brisbane area of
Queensland Australia SORBS will be shutting down permanently in 28 days,
on 20th July 2009 at 12 noon.

This announcement will be replicated on the main SORBS website at the
earliest opportunity.

For information about the possible purchase of SORBS, the source code,
data, hosts etc, I may be contacted at michelle@sorbs.net, telephone +61
414 861 744.

For any hosting suggestions/provision, please be aware that the 42RU
space is a requirement at the moment, and the service cannot be made
into a smaller rackspace without a lot of new hardware, virtual hosting
is just not possible. The SORBS service services over 30 billion DNS
queries per day, and has a number of database servers with fast disk to
cope with the requirements.

Thank you for all your support over the years,

Michelle Sullivan
(Previously known as Matthew Sullivan)

From rcooper at dwford.com Mon Jun 22 19:42:55 2009
From: rcooper at dwford.com (Rick Cooper)
Date: Mon Jun 22 19:43:14 2009
Subject: DKIM signing
In-Reply-To: <24e3d2e40906220901t6f8fdd9au36c5edc50a483444@mail.gmail.com>
References: <1245669324.13686.80.camel@darkstar.netcore.co.in> <24e3d2e40906220901t6f8fdd9au36c5edc50a483444@mail.gmail.com>
Message-ID:

I don't use sendmail (exim, no milters required) but I am sure there is a
way to handle it easily in sendmail. Be advised however that when I first
implemented domainkeys the test server at sendmail.net was the only
domainkeys test server (of 4) to state that my keys were invalid. It does
pass my DKIM keys but still doesn't pass the domainkeys.

Rick

_____

From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Neuman
Sent: Monday, June 22, 2009 12:02 PM
To: MailScanner discussion
Subject: Re: DKIM signing

Any chance of someone thinking up a way to fire up a third instance of
sendmail on one machine to do something like this?

On Mon, Jun 22, 2009 at 10:38 AM, Rick Cooper wrote:

You don't want to sign dkim or domainkeys until the last thing before the
message is "placed on the wire". Any modification made after the signing
will, of course, make the signature invalid. This means the outbound MTA
has to be the signing agent.

Rick

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of ram
Sent: Monday, June 22, 2009 7:15 AM
To: MailScanner discussion
Subject: DKIM signing

Can I use any plugin in MailScanner to DKIM sign outbound mail

--
Alex Neuman van der Hans
Reliant Technologies
+507 6781-9505
+507 202-1525
alex@rtpty.com
Skype: alexneuman

From alex at rtpty.com Mon Jun 22 19:57:52 2009
From: alex at rtpty.com (Alex Neuman)
Date: Mon Jun 22 19:58:03 2009
Subject: DKIM signing
In-Reply-To:
References: <1245669324.13686.80.camel@darkstar.netcore.co.in> <24e3d2e40906220901t6f8fdd9au36c5edc50a483444@mail.gmail.com>
Message-ID: <24e3d2e40906221157t42c5abe5yfe366c5efca890c8@mail.gmail.com>

The point I was trying to make is that MailScanner works like this
(oversimplifying, I know, but bear with me):

1. First instance of sendmail grabs e-mail after milters and such, and
   deposits in an incoming queue
2. MailScanner grabs, scans, deals with messages in the queue and places
   them in the outgoing (final) queue
3. Second instance of sendmail grabs e-mail from outgoing (final) queue
   and delivers them to their final destination.

In order to DKIM-sign things it would have to be done using the second
instance. Since MailScanner basically runs the same instance of sendmail
using a command line parameter to distinguish the two, there would have to
be a slight change to the way step 3 is done if you wanted to do it on one
machine. Otherwise step 4 would be to have the outgoing MTA (separate
machine) do the DKIM signing.

Please correct me if I'm looking at this the wrong way.

On Mon, Jun 22, 2009 at 1:42 PM, Rick Cooper wrote:

> I don't use sendmail (exim, no milters required) but I am sure there is a
> way to handle it easily in sendmail. Be advised however that when I first
> implemented domainkeys the test server at sendmail.net was the only
> domainkeys test server (of 4) to state that my keys were invalid. It does
> pass my DKIM keys but still doesn't pass the domainkeys.
>
> Rick
>
> ------------------------------
> *From:* mailscanner-bounces@lists.mailscanner.info [mailto:
> mailscanner-bounces@lists.mailscanner.info] *On Behalf Of *Alex Neuman
> *Sent:* Monday, June 22, 2009 12:02 PM
> *To:* MailScanner discussion
> *Subject:* Re: DKIM signing
>
> Any chance of someone thinking up a way to fire up a third instance of
> sendmail on one machine to do something like this?
>
> On Mon, Jun 22, 2009 at 10:38 AM, Rick Cooper wrote:
>
>> You don't want to sign dkim or domainkeys until the last thing before the
>> message is "placed on the wire". Any modification made after the signing
>> will, of course, make the signature invalid. This means the outbound MTA
>> has to be the signing agent.
>>
>> Rick
>>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of ram
>> Sent: Monday, June 22, 2009 7:15 AM
>> To: MailScanner discussion
>> Subject: DKIM signing
>>
>> Can I use any plugin in MailScanner to DKIM sign outbound mail
>>
>
> --
> Alex Neuman van der Hans
> Reliant Technologies
> +507 6781-9505
> +507 202-1525
> alex@rtpty.com
> Skype: alexneuman
>

--
Alex Neuman van der Hans
Reliant Technologies
+507 6781-9505
+507 202-1525
alex@rtpty.com
Skype: alexneuman

From rcooper at dwford.com Mon Jun 22 19:59:02 2009
From: rcooper at dwford.com (Rick Cooper)
Date: Mon Jun 22 19:59:18 2009
Subject: DKIM signing
In-Reply-To: <4A3FB4F6.9040309@emcuk.com>
References: <1245669324.13686.80.camel@darkstar.netcore.co.in> <24e3d2e40906220901t6f8fdd9au36c5edc50a483444@mail.gmail.com> <4A3FB4F6.9040309@emcuk.com>
Message-ID:

_____
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Eddie Hallahan Sent: Monday, June 22, 2009 12:45 PM To: MailScanner discussion Subject: Re: DKIM signing Hi, You are able as part of the DKIM thing to register multiple mailservers for your domain I believe. I think they each have a different key but I'm still a bit vague on that part. If your MTA is sendmail then there is a milter that does it for you. [Rick Cooper] If you wanted to use a different key for each mail server within your domain you would use different selectors based on the server that was sending. If you use the same key they would all use the same selector. if you had two hosts a.domain.com and b.domain.com you could set two selectors such as mail and mail1 then you would set the public part of each key in one of two txt records, mail._domainkey.domain.com. and mail1._domainkey.domain.com. Regards Eddie Hallahan Enterprise Management Consulting www.emcuk.com Enterprise Management Consulting is a company registered in England and Wales with company number 3134544. VAT registration number is 681038440. Alex Neuman wrote: Any chance of someone thinking up a way to fire up a third instance of sendmail on one machine to do something like this? On Mon, Jun 22, 2009 at 10:38 AM, Rick Cooper wrote: You don't want to sign dkim or domainkeys until the last thing before the message is "place on the wire". Any modification made after the signing with, of course make the signature invalid. This means the outbound MTA has to be the signing agent. Rick -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of ram Sent: Monday, June 22, 2009 7:15 AM To: MailScanner discussion Subject: DKIM signing Can I use any plugin in MailScanner to DKIM sign outbound mail -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- Alex Neuman van der Hans Reliant Technologies +507 6781-9505 +507 202-1525 alex@rtpty.com Skype: alexneuman -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090622/eb8f25ca/attachment-0001.html From rcooper at dwford.com Mon Jun 22 20:34:51 2009 
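Added example (not part of the original thread, and not MailScanner, Exim or sendmail code): how a verifier turns the selector scheme Rick Cooper describes into a DNS lookup, using his two selectors mail and mail1 for domain.com. The signature headers, the key values and the in-memory zone are constructed placeholders; the revoked-key case (empty p=, per RFC 6376) goes slightly beyond the post to show why one key per server is useful.

```python
import re


class DkimKeyError(Exception):
    """No usable public key could be found for a signature."""


def parse_tag_list(text):
    """Parse an RFC 6376 "tag=value; tag=value" list into a dict."""
    tags = {}
    for item in text.split(";"):
        item = item.strip()
        if not item:
            continue  # a trailing ";" is allowed
        name, sep, value = item.partition("=")
        name = name.strip()
        if not sep or not name:
            raise ValueError(f"malformed tag: {item!r}")
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        # Header folding may split a value over lines; whitespace is dropped
        # from every value, which is safe for the tags this example reads.
        tags[name] = re.sub(r"\s+", "", value)
    return tags


def key_query_name(signature_value):
    """DNS name a verifier queries: <s= selector>._domainkey.<d= domain>."""
    tags = parse_tag_list(signature_value)
    for required in ("d", "s"):
        if not tags.get(required):
            raise ValueError(f"signature has no {required}= tag")
    return f"{tags['s']}._domainkey.{tags['d']}".lower()


def lookup_key(signature_value, zone):
    """Return (query name, public key text) or raise DkimKeyError."""
    name = key_query_name(signature_value)
    txt = zone.get(name)
    if txt is None:
        raise DkimKeyError(f"no TXT record at {name}")
    record = parse_tag_list(txt)
    if record.get("v", "DKIM1") != "DKIM1":
        raise DkimKeyError(f"record at {name} is not a DKIM1 key record")
    if "p" not in record:
        raise DkimKeyError(f"record at {name} has no p= tag")
    if record["p"] == "":
        raise DkimKeyError(f"key at {name} is revoked (empty p=)")
    return name, record["p"]


def revoke(zone, selector, domain):
    """Copy of the zone with one selector's key withdrawn (p= left empty)."""
    updated = dict(zone)
    updated[f"{selector}._domainkey.{domain}"] = "v=DKIM1; k=rsa; p="
    return updated


# Constructed sample data: a stand-in for DNS, one TXT record per selector.
ZONE = {
    "mail._domainkey.domain.com": "v=DKIM1; k=rsa; p=PLACEHOLDER+KEY+HOST+A",
    "mail1._domainkey.domain.com": "v=DKIM1; k=rsa; p=PLACEHOLDER+KEY+HOST+B",
}

# Constructed DKIM-Signature values as a.domain.com and b.domain.com might add them.
SIG_FROM_HOST_A = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=domain.com; s=mail;\r\n"
                   "\th=from:to:subject; bh=PLACEHOLDERBH; b=PLACEHOLDER\r\n\tSIGA")
SIG_FROM_HOST_B = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=domain.com; s=mail1;\r\n"
                   "\th=from:to:subject; bh=PLACEHOLDERBH; b=PLACEHOLDER\r\n\tSIGB")

if __name__ == "__main__":
    for sig in (SIG_FROM_HOST_A, SIG_FROM_HOST_B):
        print(lookup_key(sig, ZONE))
    # Withdrawing host B's key leaves mail signed by host A verifiable.
    zone_after = revoke(ZONE, "mail1", "domain.com")
    print(lookup_key(SIG_FROM_HOST_A, zone_after))
    try:
        lookup_key(SIG_FROM_HOST_B, zone_after)
    except DkimKeyError as err:
        print("host B:", err)
```
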
From: rcooper at dwford.com (Rick Cooper)
Date: Mon Jun 22 20:35:08 2009
Subject: DKIM signing
In-Reply-To: <24e3d2e40906221157t42c5abe5yfe366c5efca890c8@mail.gmail.com>
References: <1245669324.13686.80.camel@darkstar.netcore.co.in>
 <24e3d2e40906220901t6f8fdd9au36c5edc50a483444@mail.gmail.com>
 <24e3d2e40906221157t42c5abe5yfe366c5efca890c8@mail.gmail.com>
Message-ID: <166EA8026C6642DBABE4C8FF4523FAD4@SAHOMELT>

I am not sure how sendmail does things but I use two instances of exim as well,

eximIN (check DKIM)----------------->INqueue--> MailScanner(Do MS Stuff)---->OUTQueue-----> EximOut(Sign DKIM and other out stuff)

The only difference between the exim instances is the config(s) they use. I have no recpt,data,ehlo acls in the outbound and I have no domainkey/DKIM signing in the inbound.

Rick

_____

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Neuman
Sent: Monday, June 22, 2009 2:58 PM
To: MailScanner discussion
Subject: Re: DKIM signing

The point I was trying to make is that MailScanner works like this (oversimplifying, I know, but bear with me):

1. First instance of sendmail grabs e-mail after milters and such, and deposits in an incoming queue
2. MailScanner grabs, scans, deals with messages in the queue and places them in the outgoing (final) queue
3. Second instance of sendmail grabs e-mail from outgoing (final) queue and delivers them to their final destination.

In order to DKIM-sign things it would have to be done using the second instance. Since MailScanner basically runs the same instance of sendmail using a command line parameter to distinguish the two, there would have to be a slight change to the way step 3 is done if you wanted to do it on one machine. Otherwise step 4 would be to have the outgoing MTA (separate machine) do the DKIM signing.

Please correct me if I'm looking at this the wrong way.

On Mon, Jun 22, 2009 at 1:42 PM, Rick Cooper wrote:

I don't use sendmail (exim no milters required) but I am sure there is a way to handle it easily in sendmail. Be advised however that when I first implemented domainkeys the test server at sendmail.net was the only domainkeys test server (of 4) to state that my keys were invalid. It does pass my DKIM keys but still doesn't pass the domainkeys.

Rick

_____

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Neuman
Sent: Monday, June 22, 2009 12:02 PM
To: MailScanner discussion
Subject: Re: DKIM signing

Any chance of someone thinking up a way to fire up a third instance of sendmail on one machine to do something like this?

On Mon, Jun 22, 2009 at 10:38 AM, Rick Cooper wrote:

You don't want to sign dkim or domainkeys until the last thing before the message is "placed on the wire". Any modification made after the signing will, of course, make the signature invalid. This means the outbound MTA has to be the signing agent.

Rick

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of ram
Sent: Monday, June 22, 2009 7:15 AM
To: MailScanner discussion
Subject: DKIM signing

Can I use any plugin in MailScanner to DKIM sign outbound mail

--
Alex Neuman van der Hans
Reliant Technologies
+507 6781-9505
+507 202-1525
alex@rtpty.com
Skype: alexneuman

From simon at kmun.gov.kw Mon Jun 22 21:26:12 2009
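Added example (not part of the original thread, and not MailScanner or Exim code): why the signing step has to sit after MailScanner in the inbound queue, MailScanner, outbound queue pipeline described above. It computes the DKIM body hash (bh=, RFC 6376 simple and relaxed body canonicalization) and runs a constructed message through the stages in both orders; the message, the stage functions and the sign-off text modelled on the footer seen in this archive are assumptions, and the header signature (b=) is not modelled.

```python
import base64
import hashlib
import re

# Constructed sample: a MailScanner-style sign-off appended to the body.
SCANNER_FOOTER = (b"\r\n-- \r\nThis message has been scanned for viruses and\r\n"
                  b"dangerous content by MailScanner, and is\r\nbelieved to be clean.\r\n")

# Constructed sample message body (CRLF line endings, as on the wire).
MESSAGE = {"body": b"Quarterly figures attached.\r\nRegards,\r\nSales\r\n"}


def canon_body_simple(body: bytes) -> bytes:
    """RFC 6376 3.4.3: ignore empty lines at the end, keep exactly one CRLF."""
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"


def canon_body_relaxed(body: bytes) -> bytes:
    """RFC 6376 3.4.4: squeeze runs of space/tab, strip line ends, drop trailing empty lines."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


CANON = {"simple": canon_body_simple, "relaxed": canon_body_relaxed}


def body_hash(body: bytes, canon: str = "relaxed") -> str:
    """The value a signer places in bh= (SHA-256, base64)."""
    return base64.b64encode(hashlib.sha256(CANON[canon](body)).digest()).decode()


# Pipeline stages. A message is a dict with "body" and, once signed, "canon" and "bh".
def sign_stage(msg, canon="relaxed"):
    """Stand-in for the signing MTA: records the body hash of what it sees."""
    return {**msg, "canon": canon, "bh": body_hash(msg["body"], canon)}


def mailscanner_stage(msg):
    """Stand-in for content processing that appends a sign-off to the body."""
    return {**msg, "body": msg["body"] + SCANNER_FOOTER}


def whitespace_only_stage(msg):
    """A relay that adds trailing blanks to each line and one empty line at the end."""
    return {**msg, "body": msg["body"].replace(b"\r\n", b" \r\n") + b"\r\n"}


def deliver(msg, stages):
    """Run the message through the stages in order, as the queues would."""
    for stage in stages:
        msg = stage(msg)
    return msg


def receiver_accepts(msg) -> bool:
    """Receiver side: recompute the body hash and compare it with bh=."""
    return "bh" in msg and msg["bh"] == body_hash(msg["body"], msg["canon"])


if __name__ == "__main__":
    orders = {
        "sign, then MailScanner": [sign_stage, mailscanner_stage],
        "MailScanner, then sign": [mailscanner_stage, sign_stage],
        "sign (relaxed), then whitespace-only change": [sign_stage, whitespace_only_stage],
    }
    for label, stages in orders.items():
        print(f"{label}: body hash valid = {receiver_accepts(deliver(MESSAGE, stages))}")
```

Relaxed canonicalization only forgives whitespace changes, so it does not help when a later stage adds text to the body.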
From: simon at kmun.gov.kw (Benedict simon)
Date: Mon Jun 22 21:01:32 2009
Subject: MailScanner --lint error after OS upgrade-more info (ignore earlier post)
Message-ID: <6f5fc50955658128edcf5861c4c0bc29.squirrel@webmail.baladia.gov.kw>

Dear All,

I have the following setup for almost a year and it was working perfect

centos 5.0
MailScanner 4.70.6
mailwatch 1.0.4
sendmail-8.13.8-2.el5
spamassassin+clamav jules package Clam-0.92-SA-3.2.4

Now I just upgraded as per the instructions in mailscanner website mailscanner to 4.77.10 and Clam-0.95.2-SA-3.2.5 jules package.

I also upgraded the OS to centos 5.3 using yum update and everything went OK.

Everything went fine and is working, but when I run MailScanner --lint I see the following errors

-----------------------------------------------
Read 878 hostnames from the phishing whitelist
Read 10077 hostnames from the phishing blacklists
Config: calling custom init function SQLBlacklist
Starting up SQL Blacklist
Read 17 blacklist entries
Config: calling custom init function MailWatchLogging
Started SQL Logging child
Checking version numbers...
Version number in MailScanner.conf (4.77.10) is correct.
Your envelope_sender_header in spam.assassin.prefs.conf is correct.
Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
pyzor: check failed: Can't fork at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Util.pm line 1385.
SpamAssassin reported no errors.
Connected to Processing Attempts Database
Created Processing Attempts Database successfully
There are 2 messages in the Processing Attempts Database
Using locktype = posix
MailScanner.conf says "Virus Scanners = clamav bitdefender"
Found these virus scanners installed:
===========================================================================
Filename Checks: Blocked Filename Detected (1 eicar.com)
File checker failed with real error: Can't fork at /usr/lib/MailScanner/MailScanner/SweepOther.pm line 402.
 at /usr/lib/MailScanner/MailScanner/SweepOther.pm line 442
---------------------------------------------

MailScanner starts normally without any errors.

Appreciate your help

---------------------
I just checked again and have realised that the following error on running MailScanner --lint appears only if MailScanner is started and running. If MailScanner is stopped then there is no error.
-------------------

regards

simon

--
Network ADMIN
-------------
KUWAIT MUNICIPALITY:

From mark at msapiro.net Mon Jun 22 21:11:28 2009
From: mark at msapiro.net (Mark Sapiro)
Date: Mon Jun 22 21:11:55 2009
Subject: ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf
In-Reply-To:
References:
Message-ID: <20090622201128.GA1888@msapiro>

On Mon, Jun 22, 2009 at 02:10:51PM -0400, Gerry Maddock wrote:
>
> Hey all, I ran a search of my current problem on google and found some
> answers, but none have worked for me & I'm hoping you can help.
> I just installed MailScanner on a Fedora 11 sys using postfix. When I run
> MailScanner --lint on that system I get:
> root@timmy ~]# MailScanner --lint
> Trying to setlogsock(unix)
> Read 855 hostnames from the phishing whitelist
> Read 10091 hostnames from the phishing blacklists
> Checking version numbers...
> Version number in MailScanner.conf (4.77.10) is correct.
> Your setting "Mail Header" contains illegal characters.
> This is most likely caused by your "%org-name%" setting
> which must not contain any spaces, "." or "_" characters
> as these are known to cause problems with many mail systems.
> ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf
> ERROR: is not correct, it should match
> X-timmy.futuremetals.com-MailScanner-From

You posted a lot of stuff below, but I don't see what you have for

Mail Header

in MailScanner.conf, nor do I see what you have for

envelope_sender_header

in spam.assassin.prefs.conf.

If you set

%org-name% = FMI

in Mailscanner.conf and still get the first error, look at "Mail Header". Also you'd need to set

envelope_sender_header X-TMI-MailScanner-From

in spam.assassin.prefs.conf.

> MailScanner setting GID to (89)
> MailScanner setting UID to (89)
> Checking for SpamAssassin errors (if you use it)...
> Using SpamAssassin results cache
> Connected to SpamAssassin cache database
> SpamAssassin reported no errors.
> I have found clamav scanners installed, and will use them all by default.
> Connected to Processing Attempts Database
> Created Processing Attempts Database successfully
> There are 0 messages in the Processing Attempts Database
> Using locktype = posix
> MailScanner.conf says "Virus Scanners = auto"
> Found these virus scanners installed: clamav
> -------------------------------------------------------------------------------------------------------------------------------
>
> The weird thing is I have MailScanner 4.60.8 running on Fedora 7 with the
> same settings (other than hostname) and it has no complaints:
> [root@jimmy ~]# MailScanner --lint
> Read 861 hostnames from the phishing whitelist
> Checking version numbers...
> Version number in MailScanner.conf (4.60.8) is correct.
> MailScanner setting GID to (89)
> MailScanner setting UID to (89)
>
> Checking for SpamAssassin errors (if you use it)...
> Using SpamAssassin results cache
> Connected to SpamAssassin cache database
> SpamAssassin reported no errors.
> Using locktype = flock
> MailScanner.conf says "Virus Scanners = auto"
> Found these virus scanners installed: clamav, avg
>
>
> Here is my current MailScanner.conf & spam.assassin.prefs.conf's applicable
> data:
> MailScanner.conf:
> current: %org-name% = timmy.futuremetals.com
> have tried: %org-name% = FMI
>
> spam.assassin.prefs.conf:
> current: bayes_ignore_header X-YOURDOMAIN-COM-MailScanner
> current: bayes_ignore_header X-YOURDOMAIN-COM-MailScanner-SpamCheck
> current: bayes_ignore_header X-YOURDOMAIN-COM-MailScanner-SpamScore
> current: bayes_ignore_header X-YOURDOMAIN-COM-MailScanner-Information
> have tried: bayes_ignore_header X-FMI-MailScanner
> have tried: bayes_ignore_header X-FMI-MailScanner-SpamCheck
> have tried: bayes_ignore_header X-FMI-MailScanner-SpamScore
> have tried: bayes_ignore_header X-FMI-MailScanner-Information
>
> ***On my working MailScanner 4.60.8 installation I have it set & working
> with no complaints as:
> MailScanner.conf:
> %org-name% = jimmy.futuremetals.com
>
> spam.assassin.prefs.conf:
> current: bayes_ignore_header X-YOURDOMAIN-COM-MailScanner
> current: bayes_ignore_header X-YOURDOMAIN-COM-MailScanner-SpamCheck
> current: bayes_ignore_header X-YOURDOMAIN-COM-MailScanner-SpamScore
> current: bayes_ignore_header X-YOURDOMAIN-COM-MailScanner-Information
>
> As shown above I have tried MailScanner.conf & spam.assassin.prefs.conf
> with both configurations, restarting MailScanner after changes, then
> running --lint. Any help would be greatly appreciated.
>
>

--
Mark Sapiro mark at msapiro net       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From J.Ede at birchenallhowden.co.uk Mon Jun 22 21:13:52 2009
From: J.Ede at birchenallhowden.co.uk (Jason Ede)
Date: Mon Jun 22 21:14:36 2009
Subject: DKIM signing
In-Reply-To: <166EA8026C6642DBABE4C8FF4523FAD4@SAHOMELT>
References: <1245669324.13686.80.camel@darkstar.netcore.co.in>
 <24e3d2e40906220901t6f8fdd9au36c5edc50a483444@mail.gmail.com>
 <24e3d2e40906221157t42c5abe5yfe366c5efca890c8@mail.gmail.com>
 <166EA8026C6642DBABE4C8FF4523FAD4@SAHOMELT>
Message-ID: <1213490F1F316842A544A850422BFA960EBFA3BC5C@BHLSBS.bhl.local>

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Rick Cooper
Sent: 22 June 2009 20:35
To: 'MailScanner discussion'
Subject: RE: DKIM signing

I am not sure how sendmail does things but I use two instances of exim as well,

eximIN (check DKIM)----------------->INqueue--> MailScanner(Do MS Stuff)---->OUTQueue-----> EximOut(Sign DKIM and other out stuff)

The only difference between the exim instances is the config(s) they use. I have no recpt,data,ehlo acls in the outbound and I have no domainkey/DKIM signing in the inbound.

Rick

________________________________
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Neuman
Sent: Monday, June 22, 2009 2:58 PM
To: MailScanner discussion
Subject: Re: DKIM signing

The point I was trying to make is that MailScanner works like this (oversimplifying, I know, but bear with me):

1. First instance of sendmail grabs e-mail after milters and such, and deposits in an incoming queue
2. MailScanner grabs, scans, deals with messages in the queue and places them in the outgoing (final) queue
3. Second instance of sendmail grabs e-mail from outgoing (final) queue and delivers them to their final destination.

In order to DKIM-sign things it would have to be done using the second instance. Since MailScanner basically runs the same instance of sendmail using a command line parameter to distinguish the two, there would have to be a slight change to the way step 3 is done if you wanted to do it on one machine. Otherwise step 4 would be to have the outgoing MTA (separate machine) do the DKIM signing.

Please correct me if I'm looking at this the wrong way.

On Mon, Jun 22, 2009 at 1:42 PM, Rick Cooper wrote:

I don't use sendmail (exim no milters required) but I am sure there is a way to handle it easily in sendmail. Be advised however that when I first implemented domainkeys the test server at sendmail.net was the only domainkeys test server (of 4) to state that my keys were invalid. It does pass my DKIM keys but still doesn't pass the domainkeys.

Rick

________________________________

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Neuman
Sent: Monday, June 22, 2009 12:02 PM
To: MailScanner discussion
Subject: Re: DKIM signing

Any chance of someone thinking up a way to fire up a third instance of sendmail on one machine to do something like this?

On Mon, Jun 22, 2009 at 10:38 AM, Rick Cooper wrote:

You don't want to sign dkim or domainkeys until the last thing before the message is "placed on the wire". Any modification made after the signing will, of course, make the signature invalid. This means the outbound MTA has to be the signing agent.

Rick

Does anyone have some information on how to do this with postfix? I've 1 instance of postfix running that uses Julian's hold queue method.

Jason

From gmaddock at futuremetals.com Mon Jun 22 21:30:20 2009
From: gmaddock at futuremetals.com (Gerry Maddock)
Date: Mon Jun 22 21:34:31 2009
Subject: Resolved: ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf
In-Reply-To: <20090622201128.GA1888@msapiro>
References: <20090622201128.GA1888@msapiro>
Message-ID:

> You posted a lot of stuff below, but I don't see what you have for
>
> Mail Header
>
> in MailScanner.conf, nor do I see what you have for
>
> envelope_sender_header
>

Just saw your reply right after I got it working. I just filled in envelope_sender_header in spam.assassin.prefs.conf and it's working. I never had to do that on versions 4.60.8 and below.

Thanks for helping Mark

From alex at rtpty.com Tue Jun 23 03:48:24 2009
From: alex at rtpty.com (Alex Neuman)
Date: Tue Jun 23 03:48:34 2009
Subject: OT: Sendmail related...
Message-ID: <24e3d2e40906221948w1f842c65y67d338315ccdd343@mail.gmail.com>

Hi list,

I've been googling around and haven't been able to figure out *how* to look for the following two things. Feel free to reply off-list if you think it's not list-worthy material.

1. How do I change the "try to deliver for four days and then bounce back to the sender" to, say, two days, when using sendmail?
2. Can I tell sendmail *not* to accept e-mail for domains that have no MX (I know, "bad") or "no MX *and* no A" (not so bad) records in DNS? How about with a milter?

The basic premise is that I've recently detected a surge in users that don't seem to care about typos or that don't believe in address books. Mail gets queued up and they don't have a clue until hours (or days) later that they mistyped the domain name.

--
Alex Neuman van der Hans
Reliant Technologies
+507 6781-9505
+507 202-1525
alex@rtpty.com
Skype: alexneuman

From alex at rtpty.com Tue Jun 23 03:54:16 2009
From: alex at rtpty.com (Alex Neuman)
Date: Tue Jun 23 03:54:26 2009
Subject: OT: Sendmail related...
In-Reply-To: <24e3d2e40906221948w1f842c65y67d338315ccdd343@mail.gmail.com>
References: <24e3d2e40906221948w1f842c65y67d338315ccdd343@mail.gmail.com>
Message-ID: <24e3d2e40906221954p4d80462aq7e2f42e62e0bc5bc@mail.gmail.com>

Talking to myself here, just found one of the two things I was talking about.

There's a milter called milter-chkrcpt (found using milter.org) that does a "call ahead" and rejects the e-mail if there are no valid recipients. I'll give it a shot.

On Mon, Jun 22, 2009 at 9:48 PM, Alex Neuman wrote:

> Hi list,
>
> I've been googling around and haven't been able to figure out *how* to look
> for the following two things. Feel free to reply off-list if you think it's
> not list-worthy material.
>
> 1. How do I change the "try to deliver for four days and then bounce back
> to the sender" to, say, two days, when using sendmail?
> 2. Can I tell sendmail *not* to accept e-mail for domains that have no MX
> (I know, "bad") or "no MX *and* no A" (not so bad) records in DNS? How about
> with a milter?
>
> The basic premise is that I've recently detected a surge in users that
> don't seem to care about typos or that don't believe in address books. Mail
> gets queued up and they don't have a clue until hours (or days) later that
> they mistyped the domain name.
>
> --
> Alex Neuman van der Hans
> Reliant Technologies
> +507 6781-9505
> +507 202-1525
> alex@rtpty.com
> Skype: alexneuman
>

--
Alex Neuman van der Hans
Reliant Technologies
+507 6781-9505
+507 202-1525
alex@rtpty.com
Skype: alexneuman

From alex at rtpty.com Tue Jun 23 04:43:48 2009
From: alex at rtpty.com (Alex Neuman)
Date: Tue Jun 23 04:43:58 2009
Subject: OT: Sendmail related...
In-Reply-To: <24e3d2e40906221954p4d80462aq7e2f42e62e0bc5bc@mail.gmail.com>
References: <24e3d2e40906221948w1f842c65y67d338315ccdd343@mail.gmail.com>
 <24e3d2e40906221954p4d80462aq7e2f42e62e0bc5bc@mail.gmail.com>
Message-ID: <24e3d2e40906222043n5469c551o55250867b074c0ab@mail.gmail.com>

Well, it runs on OpenBSD, so I'm out of luck; most of my systems run Linux. I'll keep looking.

On Mon, Jun 22, 2009 at 9:54 PM, Alex Neuman wrote:

> Talking to myself here, just found one of the two things I was talking
> about.
>
> There's a milter called milter-chkrcpt (found using milter.org) that does
> a "call ahead" and rejects the e-mail if there are no valid recipients. I'll
> give it a shot.
>
>
>
> On Mon, Jun 22, 2009 at 9:48 PM, Alex Neuman wrote:
>
>> Hi list,
>>
>> I've been googling around and haven't been able to figure out *how* to
>> look for the following two things. Feel free to reply off-list if you think
>> it's not list-worthy material.
>>
>> 1. How do I change the "try to deliver for four days and then bounce back
>> to the sender" to, say, two days, when using sendmail?
>> 2. Can I tell sendmail *not* to accept e-mail for domains that have no MX
>> (I know, "bad") or "no MX *and* no A" (not so bad) records in DNS? How about
>> with a milter?
>>
>> The basic premise is that I've recently detected a surge in users that
>> don't seem to care about typos or that don't believe in address books. Mail
>> gets queued up and they don't have a clue until hours (or days) later that
>> they mistyped the domain name.
>>
>> --
>> Alex Neuman van der Hans
>> Reliant Technologies
>> +507 6781-9505
>> +507 202-1525
>> alex@rtpty.com
>> Skype: alexneuman
>>
>
>
>
> --
> Alex Neuman van der Hans
> Reliant Technologies
> +507 6781-9505
> +507 202-1525
> alex@rtpty.com
> Skype: alexneuman
>

--
Alex Neuman van der Hans
Reliant Technologies
+507 6781-9505
+507 202-1525
alex@rtpty.com
Skype: alexneuman

From alex at rtpty.com Tue Jun 23 05:19:41 2009
From: alex at rtpty.com (Alex Neuman)
Date: Tue Jun 23 05:19:51 2009
Subject: OT: Sendmail related...
In-Reply-To: <24e3d2e40906221954p4d80462aq7e2f42e62e0bc5bc@mail.gmail.com>
References: <24e3d2e40906221948w1f842c65y67d338315ccdd343@mail.gmail.com>
 <24e3d2e40906221954p4d80462aq7e2f42e62e0bc5bc@mail.gmail.com>
Message-ID: <24e3d2e40906222119y5a9ad94ev8c9108cc0096c372@mail.gmail.com>

Found the other. Sorry for the OT chatter, but it might benefit some of you out there with flakey connections - or flaky clients.

http://www.sendmail.org/m4/tweaking_config.html

Thanks for your patience!

On Mon, Jun 22, 2009 at 9:54 PM, Alex Neuman wrote:

> Talking to myself here, just found one of the two things I was talking
> about.
>
> There's a milter called milter-chkrcpt (found using milter.org) that does
> a "call ahead" and rejects the e-mail if there are no valid recipients. I'll
> give it a shot.
>
>
>
> On Mon, Jun 22, 2009 at 9:48 PM, Alex Neuman wrote:
>
>> Hi list,
>>
>> I've been googling around and haven't been able to figure out *how* to
>> look for the following two things. Feel free to reply off-list if you think
>> it's not list-worthy material.
>>
>> 1. How do I change the "try to deliver for four days and then bounce back
>> to the sender" to, say, two days, when using sendmail?
>> 2. Can I tell sendmail *not* to accept e-mail for domains that have no MX
>> (I know, "bad") or "no MX *and* no A" (not so bad) records in DNS? How about
>> with a milter?
>>
>> The basic premise is that I've recently detected a surge in users that
>> don't seem to care about typos or that don't believe in address books. Mail
>> gets queued up and they don't have a clue until hours (or days) later that
>> they mistyped the domain name.
>>
>> --
>> Alex Neuman van der Hans
>> Reliant Technologies
>> +507 6781-9505
>> +507 202-1525
>> alex@rtpty.com
>> Skype: alexneuman
>>
>
>
>
> --
> Alex Neuman van der Hans
> Reliant Technologies
> +507 6781-9505
> +507 202-1525
> alex@rtpty.com
> Skype: alexneuman
>

--
Alex Neuman van der Hans
Reliant Technologies
+507 6781-9505
+507 202-1525
alex@rtpty.com
Skype: alexneuman

From rcooper at dwford.com Tue Jun 23 13:50:12 2009
From: rcooper at dwford.com (Rick Cooper)
Date: Tue Jun 23 13:50:30 2009
Subject: OT: Sendmail related...
In-Reply-To: <24e3d2e40906221954p4d80462aq7e2f42e62e0bc5bc@mail.gmail.com>
References: <24e3d2e40906221948w1f842c65y67d338315ccdd343@mail.gmail.com>
 <24e3d2e40906221954p4d80462aq7e2f42e62e0bc5bc@mail.gmail.com>
Message-ID: <39740EA2B5924AC69CF86CD53391EAA4@SAHOMELT>

I have done this for years and believe it or not there are still users that don't get it and keep trying. To be fair however, outlook(express) doesn't always return the actual error text from the MTA so they often end up calling me and I look at the log and tell them to fix or verify the address. The place you get into trouble is when the misspelled domain exists, but doesn't accept mail, in which case you still end up with mail in a retry status. Of course I have a process that checks for mail in a retry state every 15 min and sends me an email when there is something waiting.

Rick

_____
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Neuman
Sent: Monday, June 22, 2009 10:54 PM
To: MailScanner discussion
Subject: Re: OT: Sendmail related...

Talking to myself here, just found one of the two things I was talking about.

There's a milter called milter-chkrcpt (found using milter.org) that does a "call ahead" and rejects the e-mail if there are no valid recipients. I'll give it a shot.

On Mon, Jun 22, 2009 at 9:48 PM, Alex Neuman wrote:

Hi list,

I've been googling around and haven't been able to figure out *how* to look for the following two things. Feel free to reply off-list if you think it's not list-worthy material.

1. How do I change the "try to deliver for four days and then bounce back to the sender" to, say, two days, when using sendmail?
2. Can I tell sendmail *not* to accept e-mail for domains that have no MX (I know, "bad") or "no MX *and* no A" (not so bad) records in DNS? How about with a milter?

The basic premise is that I've recently detected a surge in users that don't seem to care about typos or that don't believe in address books. Mail gets queued up and they don't have a clue until hours (or days) later that they mistyped the domain name.

--
Alex Neuman van der Hans
Reliant Technologies
+507 6781-9505
+507 202-1525
alex@rtpty.com
Skype: alexneuman

From alex at rtpty.com Tue Jun 23 16:24:02 2009
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Tue Jun 23 16:25:10 2009 Subject: OT: Sendmail related... In-Reply-To: <39740EA2B5924AC69CF86CD53391EAA4@SAHOMELT> References: <24e3d2e40906221948w1f842c65y67d338315ccdd343@mail.gmail.com> <24e3d2e40906221954p4d80462aq7e2f42e62e0bc5bc@mail.gmail.com> <39740EA2B5924AC69CF86CD53391EAA4@SAHOMELT> Message-ID: Would you like to share? :-) --- Regards, Alex Neuman Reliant Technologies Ph: +507 6781-9505 Skype: alexneuman Twitter.com/AlexNeuman Facebook.com/AlexNeumanvdH On Jun 23, 2009, at 7:50 AM, "Rick Cooper" wrote: > I have done this for years and believe it or not there are still > users that don't get it and keep trying. To be fair however, outlook > (express) doesn't always return the actual error text from the MTA > so they often end up calling me and I look at the log and tell them > to fix or verify the address. The place you get into trouble is when > the misspelled domain exists, but doesn't accept mail, in which case > you still end of with mail in a retry status. Of course I have a > process that checks for mail in a retry state every 15 min and send > me an email when there is something waiting. > > Rick 
> > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Alex Neuman > Sent: Monday, June 22, 2009 10:54 PM > To: MailScanner discussion > Subject: Re: OT: Sendmail related... > > Talking to myself here, just found one of the two things I was > talking about. > > There's a milter called milter-chkrcpt (found using milter.org) that > does a "call ahead" and rejects the e-mail if there are no valid > recipients. I'll give it a shot. > > > On Mon, Jun 22, 2009 at 9:48 PM, Alex Neuman wrote: > Hi list, > > I've been googling around and haven't been able to figure out *how* > to look for the following two things. Feel free to reply off-list if > you think it's not list-worthy material. > > 1. How do I change the "try to deliver for four days and then bounce > back to the sender" to, say, two days, when using sendmail? > 2. Can I tell sendmail *not* to accept e-mail for domains that have > no MX (I know, "bad") or "no MX *and* no A" (not so bad) records in > DNS? How about with a milter? > > The basic premise is that I've recently detected a surge in users > that don't seem to care about typos or that don't believe in address > books. Mail gets queued up and they don't have a clue until hours > (or days) later that they mistyped the domain name. > > -- > Alex Neuman van der Hans > Reliant Technologies > +507 6781-9505 > +507 202-1525 > alex@rtpty.com > Skype: alexneuman > > > > -- > Alex Neuman van der Hans > Reliant Technologies > +507 6781-9505 > +507 202-1525 > alex@rtpty.com > Skype: alexneuman > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. 

From ssilva at sgvwater.com Tue Jun 23 16:30:26 2009
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Jun 23 16:30:57 2009
Subject: OT: Sendmail related...
In-Reply-To: <24e3d2e40906221954p4d80462aq7e2f42e62e0bc5bc@mail.gmail.com>
References: <24e3d2e40906221948w1f842c65y67d338315ccdd343@mail.gmail.com> <24e3d2e40906221954p4d80462aq7e2f42e62e0bc5bc@mail.gmail.com>
Message-ID:

on 6-22-2009 7:54 PM Alex Neuman spake the following:
> Talking to myself here, just found one of the two things I was talking about.
>
> There's a milter called milter-chkrcpt (found using milter.org) that does a "call ahead" and rejects the e-mail if there are no valid recipients. I'll give it a shot.
>

Call ahead is considered a bad practice as it is almost as irritating to the other end as spam is. Many big mail providers will block or ignore systems that do this too many times. Others might see this as an attempt by spammers to verify if an address exists before they pound on it.

Just shorten your warnings to 30 minutes or so, and rejections to whatever you feel best fits your users.

If you make your system totally idiot proof, what will the idiots have left to do? They might get bored and breed prolifically and make more trouble for future sysadmins. You have to think of our children! Stop global idiocracy!!!

From steve.freegard at fsl.com Tue Jun 23 16:31:48 2009
From: steve.freegard at fsl.com (Steve Freegard)
Date: Tue Jun 23 16:31:59 2009
Subject: OT: Sendmail related...
In-Reply-To:
References: <24e3d2e40906221948w1f842c65y67d338315ccdd343@mail.gmail.com> <24e3d2e40906221954p4d80462aq7e2f42e62e0bc5bc@mail.gmail.com> <39740EA2B5924AC69CF86CD53391EAA4@SAHOMELT>
Message-ID: <4A40F564.6020409@fsl.com>

Alex Neuman van der Hans wrote:
> Would you like to share? :-)

Simple; Sendmail will not allow unresolvable domains by default *unless* you have set:

FEATURE(`accept_unresolvable_domains')dnl

So make sure that it's dnl'd in your .mc file

Cheers,
Steve.

From paulo-m-roncon at ptinovacao.pt Tue Jun 23 16:36:21 2009
From: paulo-m-roncon at ptinovacao.pt (Paulo Roncon)
Date: Tue Jun 23 16:40:20 2009
Subject: Free RBLS for large MailScanner deployment
Message-ID:

I want to deploy a large Mailscanner farm, and as part of the solution I want to filter at the MTA level, using RBLS.
What rbls do you use that are free and have few false-positives?

thanks!

From ecasarero at gmail.com Tue Jun 23 16:45:11 2009
From: ecasarero at gmail.com (Eduardo Casarero)
Date: Tue Jun 23 16:45:52 2009
Subject: OT: Sendmail related...
In-Reply-To: <24e3d2e40906221948w1f842c65y67d338315ccdd343@mail.gmail.com>
References: <24e3d2e40906221948w1f842c65y67d338315ccdd343@mail.gmail.com>
Message-ID: <7d9b3cf20906230845i74622f80m97d8e2b8d5a03bf0@mail.gmail.com>

2009/6/22 Alex Neuman

> Hi list,
>
> I've been googling around and haven't been able to figure out *how* to look for the following two things. Feel free to reply off-list if you think it's not list-worthy material.
>
> 1. How do I change the "try to deliver for four days and then bounce back to the sender" to, say, two days, when using sendmail?

Check these values in your sendmail.cf. Notice that "queuewarn" is higher than "queuereturn", so my sendmail never sends the DSN saying "we can't send your email but we are still trying"; we only send the DSN "sorry, after 5 days we could not send your email".

O Timeout.queuereturn=5d
#O Timeout.queuereturn.normal=5d
#O Timeout.queuereturn.urgent=2d
#O Timeout.queuereturn.non-urgent=7d
#O Timeout.queuereturn.dsn=5d
O Timeout.queuewarn=8d

> 2. Can I tell sendmail *not* to accept e-mail for domains that have no MX (I know, "bad") or "no MX *and* no A" (not so bad) records in DNS? How about with a milter?
>
> The basic premise is that I've recently detected a surge in users that don't seem to care about typos or that don't believe in address books. Mail gets queued up and they don't have a clue until hours (or days) later that they mistyped the domain name.
>
> --
> Alex Neuman van der Hans
> Reliant Technologies
> +507 6781-9505
> +507 202-1525
> alex@rtpty.com
> Skype: alexneuman

From rcooper at dwford.com Tue Jun 23 17:26:06 2009
From: rcooper at dwford.com (Rick Cooper)
Date: Tue Jun 23 17:26:27 2009
Subject: OT: Sendmail related...
In-Reply-To:
References: <24e3d2e40906221948w1f842c65y67d338315ccdd343@mail.gmail.com><24e3d2e40906221954p4d80462aq7e2f42e62e0bc5bc@mail.gmail.com><39740EA2B5924AC69CF86CD53391EAA4@SAHOMELT>
Message-ID:

I gathered from your OP that you are using sendmail so my exim acls would be of no value to you. I will however say that I check for either mx or A record first and if neither exists it stops there and the callout is never made.

And yes, I know a lot of services don't like it or callout verification (which I wouldn't do if we were talking thousands of emails a day) but until the general world of smtp changes or more people adopt some kind of signing or spf I guess that is life. The thing that aggravates me is when I have to deal with a huge joe job onslaught even though we publish hard fail spf records for all of our domains (as well as DKIM and domainkeys). I never do a callout verify on an incoming message for a domain/host that returns an spf pass as they have already assumed some form of responsibility for the message.

Since pretty much no one uses vrfy it would behoove the RFC designers to look at something light weight, that works like and with dns, to handle verification. A DNS record of type mtavrfy returning a host(s) that handles verification for that domain, much like mx records. But that is another thread altogether for another group. It's also all I am going to say about callout anything as I don't plan on joining a pro/anti thread in this forum.

Rick

From ssilva at sgvwater.com Tue Jun 23 17:33:09 2009
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Jun 23 17:33:39 2009
Subject: Free RBLS for large MailScanner deployment
In-Reply-To:
References:
Message-ID:

on 6-23-2009 8:36 AM Paulo Roncon spake the following:
> I want to deploy a large Mailscanner farm, and as part of the solution I want to filter at the MTA level, using RBLS.
> what rbls do you use that are free and have few false-positives?
>
> thanks!

I can tell you to NOT use sorbs unless their hosting turns around. Other lists can be very regional, so test every list you can in a scoring system for a week or two to see how they work with your typical mail flow. A list that works well in the US might fail miserably in Europe or South America.

From steve.freegard at fsl.com Tue Jun 23 17:45:24 2009
From: steve.freegard at fsl.com (Steve Freegard)
Date: Tue Jun 23 17:45:39 2009
Subject: OT: Sendmail related...
In-Reply-To: <7d9b3cf20906230845i74622f80m97d8e2b8d5a03bf0@mail.gmail.com>
References: <24e3d2e40906221948w1f842c65y67d338315ccdd343@mail.gmail.com> <7d9b3cf20906230845i74622f80m97d8e2b8d5a03bf0@mail.gmail.com>
Message-ID: <4A4106A4.3010108@fsl.com>

Eduardo Casarero wrote:
>
> 2009/6/22 Alex Neuman
>
>     Hi list,
>
>     I've been googling around and haven't been able to figure out *how* to look for the following two things. Feel free to reply off-list if you think it's not list-worthy material.
>
>     1. How do I change the "try to deliver for four days and then bounce back to the sender" to, say, two days, when using sendmail?
>
> Check these values in your sendmail.cf. Notice that "queuewarn" is higher than "queuereturn", so my sendmail never sends the DSN saying "we can't send your email but we are still trying"; we only send the DSN "sorry, after 5 days we could not send your email".
>
> O Timeout.queuereturn=5d
> #O Timeout.queuereturn.normal=5d
> #O Timeout.queuereturn.urgent=2d
> #O Timeout.queuereturn.non-urgent=7d
> #O Timeout.queuereturn.dsn=5d
> O Timeout.queuewarn=8d
>

Never edit sendmail.cf directly; edit sendmail.mc and set the appropriate values there instead.

On most UNIXes running 'make' in /etc/mail will build the maps and update sendmail.cf if sendmail.mc has been modified; so any edits to the sendmail.cf file will be lost.

Regards,
Steve.

From steve.freegard at fsl.com Tue Jun 23 17:54:21 2009
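The timeout lines quoted in the message above, checked for the queuewarn/queuereturn ordering it describes and translated into the sendmail.mc form that the reply recommends editing. This is an added Python example, not code from any poster or from sendmail; the function names are hypothetical, and the `confTO_*` names are the m4 macros sendmail's cf/README documents for these options.

```python
import re

# Seconds per sendmail time unit (s, m, h, d, w).
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# sendmail.cf option -> m4 macro that sets it from sendmail.mc.
MC_MACRO = {
    "Timeout.queuereturn": "confTO_QUEUERETURN",
    "Timeout.queuereturn.normal": "confTO_QUEUERETURN_NORMAL",
    "Timeout.queuereturn.urgent": "confTO_QUEUERETURN_URGENT",
    "Timeout.queuereturn.non-urgent": "confTO_QUEUERETURN_NONURGENT",
    "Timeout.queuereturn.dsn": "confTO_QUEUERETURN_DSN",
    "Timeout.queuewarn": "confTO_QUEUEWARN",
}

# The option lines as posted in the thread, commented-out lines included.
SAMPLE_CF = """\
O Timeout.queuereturn=5d
#O Timeout.queuereturn.normal=5d
#O Timeout.queuereturn.urgent=2d
#O Timeout.queuereturn.non-urgent=7d
#O Timeout.queuereturn.dsn=5d
O Timeout.queuewarn=8d
"""

OPTION_RE = re.compile(r"^O\s+(Timeout\.[A-Za-z.-]+)\s*=\s*(\S+)\s*$")
TIME_RE = re.compile(r"(\d+)([smhdw])")


def to_seconds(value):
    """Convert a time value such as '5d', '4h' or '1h30m' to seconds."""
    parts = TIME_RE.findall(value)
    # Reject anything that is not purely <number><unit> pairs (e.g. a bare '5').
    if not parts or "".join(n + u for n, u in parts) != value:
        raise ValueError("unsupported time value: %r" % value)
    return sum(int(n) * UNIT_SECONDS[u] for n, u in parts)


def parse_timeouts(cf_text):
    """Return {option: value} for the active (uncommented) Timeout options."""
    active = {}
    for line in cf_text.splitlines():
        match = OPTION_RE.match(line.strip())
        if match:  # '#O ...' lines do not match the leading 'O'
            active[match.group(1)] = match.group(2)
    return active


def queue_findings(timeouts):
    """Flag a warning interval that can never fire before the bounce."""
    findings = []
    warn = timeouts.get("Timeout.queuewarn")
    ret = timeouts.get("Timeout.queuereturn")
    if warn and ret and to_seconds(warn) >= to_seconds(ret):
        findings.append(
            "queuewarn %s >= queuereturn %s: the 'still trying' warning DSN "
            "is never sent, senders only see the final bounce" % (warn, ret)
        )
    return findings


def to_mc(timeouts):
    """Render the active options as sendmail.mc define() lines."""
    lines = []
    for option, value in sorted(timeouts.items()):
        macro = MC_MACRO.get(option)
        if macro:
            lines.append("define(`%s', `%s')dnl" % (macro, value))
    return lines


if __name__ == "__main__":
    active = parse_timeouts(SAMPLE_CF)
    for finding in queue_findings(active):
        print("NOTE:", finding)
    print("\n".join(to_mc(active)))
```
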
From: steve.freegard at fsl.com (Steve Freegard)
Date: Tue Jun 23 17:54:31 2009
Subject: Free RBLS for large MailScanner deployment
In-Reply-To:
References:
Message-ID: <4A4108BD.1@fsl.com>

Paulo Roncon wrote:
> I want to deploy a large Mailscanner farm, and as part of the solution I want to filter at the MTA level, using RBLS.
> what rbls do you use that are free and have few false-positives?

Large installations using free RBLs is a misnomer; if it's that large you'll absolutely have to run a local rbldnsd installation to get sufficient performance and stay within rules as most lists have 'heavy-hitter' policies, so if you do > 100,000 queries then you have to purchase a feed etc.

With SORBS potentially disappearing the only other 'free' RBL I would recommend with few FPs would be bl.spamcop.net; I don't trust any of the rest.

For large installations purchasing a feed from Spamhaus will save you considerable money on hardware you would otherwise need and scalability hassles, so is well worth factoring in to any design decisions.

Cheers,
Steve.

From ssilva at sgvwater.com Tue Jun 23 18:01:44 2009
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Jun 23 18:02:23 2009
Subject: OT: Sendmail related...
In-Reply-To: <4A4106A4.3010108@fsl.com>
References: <24e3d2e40906221948w1f842c65y67d338315ccdd343@mail.gmail.com> <7d9b3cf20906230845i74622f80m97d8e2b8d5a03bf0@mail.gmail.com> <4A4106A4.3010108@fsl.com>
Message-ID:

on 6-23-2009 9:45 AM Steve Freegard spake the following:
> Eduardo Casarero wrote:
>>
>> 2009/6/22 Alex Neuman
>>
>>     Hi list,
>>
>>     I've been googling around and haven't been able to figure out *how* to look for the following two things. Feel free to reply off-list if you think it's not list-worthy material.
>>
>>     1. How do I change the "try to deliver for four days and then bounce back to the sender" to, say, two days, when using sendmail?
>>
>> Check these values in your sendmail.cf. Notice that "queuewarn" is higher than "queuereturn", so my sendmail never sends the DSN saying "we can't send your email but we are still trying"; we only send the DSN "sorry, after 5 days we could not send your email".
>>
>> O Timeout.queuereturn=5d
>> #O Timeout.queuereturn.normal=5d
>> #O Timeout.queuereturn.urgent=2d
>> #O Timeout.queuereturn.non-urgent=7d
>> #O Timeout.queuereturn.dsn=5d
>> O Timeout.queuewarn=8d
>>
>
> Never edit sendmail.cf directly; edit sendmail.mc and set the appropriate values there instead.
>
> On most UNIXes running 'make' in /etc/mail will build the maps and update sendmail.cf if sendmail.mc has been modified; so any edits to the sendmail.cf file will be lost.
>
> Regards,
> Steve.

On some linuxes, restarting sendmail will do the same thing.

From alex at rtpty.com Wed Jun 24 04:30:38 2009
From: alex at rtpty.com (Alex Neuman)
Date: Wed Jun 24 04:30:48 2009
Subject: OT: Let's get Julian something nice for SysAdmin Day!
Message-ID: <24e3d2e40906232030h26f8ebc1y1bea08fdb599f4ce@mail.gmail.com>

Visit - http://www.thinkgeek.com/brain/contests/sysadmin.cgi

And nominate him as your favorite SysAdmin King! He could win a ThinkGeek $500 Gift Certificate! yay!

Otherwise, could Julian post his Amazon Wishlist URL again? :-)

--
Alex Neuman van der Hans
Reliant Technologies
+507 6781-9505
+507 202-1525
alex@rtpty.com
Skype: alexneuman

From MailScanner at ecs.soton.ac.uk Wed Jun 24 09:20:21 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Jun 24 09:20:39 2009
Subject: OT: Let's get Julian something nice for SysAdmin Day!
In-Reply-To: <24e3d2e40906232030h26f8ebc1y1bea08fdb599f4ce@mail.gmail.com>
References: <24e3d2e40906232030h26f8ebc1y1bea08fdb599f4ce@mail.gmail.com> <4A41E1C5.1090505@ecs.soton.ac.uk>
Message-ID:

On 24/06/2009 04:30, Alex Neuman wrote:
> Visit - http://www.thinkgeek.com/brain/contests/sysadmin.cgi
>
> And nominate him as your favorite SysAdmin King! He could win a ThinkGeek $500 Gift Certificate! yay!
>
> Otherwise, could Julian post his Amazon Wishlist URL again? :-)

Thanks guys, that would be fantastic!

My wish list is here: http://www.amazon.co.uk/gp/registry/1W99HT2WWW5PB

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner

From davejones70 at gmail.com Wed Jun 24 13:04:12 2009
From: davejones70 at gmail.com (Dave Jones)
Date: Wed Jun 24 13:04:21 2009
Subject: lstat() failed on: /mnt/ramdisk/...
Message-ID: <67a55ed50906240504q246bc49cx997133645f386eae@mail.gmail.com>

lstat() failed on: /mnt/ramdisk/31166/n5NC95S6028227/tnef.31166

I get thousands of these messages in my logwatch report daily. My permissions are correct in the dir and conf.

MailScanner.conf:
-----------------------------
Quarantine Permissions = 0660
Incoming Work Dir = /mnt/ramdisk
SpamAssassin Cache Database File = /mnt/ramdisk/SpamAssassin.cache.db
SpamAssassin Temporary Dir = /mnt/ramdisk/SpamAssassin-Temp

# ll -d /mnt/ramdisk
drwxrwsr-x 19 root clamav 4096 Jun 24 07:53 /mnt/ramdisk

This is happening on all 3 systems that use a ramdisk. Other non-ramdisk MS servers are fine.

I am seeing subdirs like "31166" under /mnt/ramdisk that are empty. Is there a conf setting that needs to match the "Incoming Work Dir" so the TNEF will use the same location or something like this?

--
Dave Jones

From ChrisSweeney at osubucks.org Wed Jun 24 15:15:38 2009
From: ChrisSweeney at osubucks.org (Christopher Sweeney)
Date: Wed Jun 24 15:15:50 2009
Subject: OT: Sendmail related...
In-Reply-To: <4A40F564.6020409@fsl.com>
Message-ID: <5485D83E8AEA2A4C93D5AEB1F3444564045247@IFCINCINNATI01.ifcincinnati.org>

Alex Neuman van der Hans wrote:
> Would you like to share? :-)

Simple; Sendmail will not allow unresolvable domains by default *unless* you have set:

FEATURE(`accept_unresolvable_domains')dnl

So make sure that it's dnl'd in your .mc file

The only problem is DNS is not always perfect and you get a lot of false rejects especially from smaller ISPs or companies that do internal hosting as sometimes a DNS timeout will happen and now sendmail will reject the message falsely. I found it to be more of a pain to do that way as I was always getting support emails complaining about why they couldn't email someone they had before.

From steve.freegard at fsl.com Wed Jun 24 16:49:08 2009
From: steve.freegard at fsl.com (Steve Freegard)
Date: Wed Jun 24 16:49:18 2009
Subject: OT: Sendmail related...
In-Reply-To: <5485D83E8AEA2A4C93D5AEB1F3444564045247@IFCINCINNATI01.ifcincinnati.org>
References: <4A40F564.6020409@fsl.com> <5485D83E8AEA2A4C93D5AEB1F3444564045247@IFCINCINNATI01.ifcincinnati.org>
Message-ID: <4A424AF4.80709@fsl.com>

Christopher Sweeney wrote:
>
> Alex Neuman van der Hans wrote:
>> Would you like to share? :-)
>
> Simple; Sendmail will not allow unresolvable domains by default *unless* you have set:
>
> FEATURE(`accept_unresolvable_domains')dnl
>
> So make sure that it's dnl'd in your .mc file
>
> The only problem is DNS is not always perfect and you get a lot of false rejects especially from smaller ISPs or companies that do internal hosting as sometimes a DNS timeout will happen and now sendmail will reject the message falsely. I found it to be more of a pain to do that way as I was always getting support emails complaining about why they couldn't email someone they had before.

Sorry; but that's rubbish. Sendmail will tempfail on DNS failures (as will all other MTAs) and will only reject if DNS returns a NXDOMAIN result (e.g. domain doesn't exist).

Allowing unresolvable domains at SMTP opens you to serious abuse from spammers simply 'inventing' domains at will to avoid blacklists etc. which is why by default MTAs do not allow this.

Regards,
Steve.

From ssilva at sgvwater.com Wed Jun 24 18:37:21 2009
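The distinction drawn in the message above (temporary failure when the lookup itself fails, rejection only on NXDOMAIN), combined with the "MX or A record" check mentioned earlier in the thread, written out as decision logic. This is an added Python example, not sendmail's or exim's code; the resolver stub, the sample domains and the `reject_no_mx_no_a` switch are assumptions made for illustration.

```python
from enum import Enum


class Dns(Enum):
    FOUND = "found"        # at least one record of the requested type
    NODATA = "nodata"      # the name exists but has no record of that type
    NXDOMAIN = "nxdomain"  # authoritative answer: no such domain
    FAILURE = "failure"    # timeout or SERVFAIL: the answer is unknown


# Constructed sample answers standing in for live DNS (no real lookups).
SAMPLE_DNS = {
    ("example.com", "MX"): Dns.FOUND,
    ("a-only.example", "MX"): Dns.NODATA,
    ("a-only.example", "A"): Dns.FOUND,
    ("parked.example", "MX"): Dns.NODATA,
    ("parked.example", "A"): Dns.NODATA,
    ("exmaple-typo.invalid", "MX"): Dns.NXDOMAIN,
    ("slow-isp.example", "MX"): Dns.FAILURE,
    ("flaky.example", "MX"): Dns.NODATA,
    ("flaky.example", "A"): Dns.FAILURE,
}


def sample_lookup(domain, rtype):
    """Hypothetical resolver stub; names not listed are treated as NXDOMAIN."""
    return SAMPLE_DNS.get((domain.lower().rstrip("."), rtype), Dns.NXDOMAIN)


def domain_verdict(domain, lookup=sample_lookup, reject_no_mx_no_a=True):
    """Return (verdict, reason); verdict is 'accept', 'tempfail' or 'reject'.

    'tempfail' maps to a 4xx SMTP reply (the sender retries later),
    'reject' to a 5xx reply (the sender gets an immediate error).
    """
    mx = lookup(domain, "MX")
    if mx is Dns.FOUND:
        return ("accept", "MX record found")
    if mx is Dns.NXDOMAIN:
        return ("reject", "domain does not exist")
    if mx is Dns.FAILURE:
        # Unknown is not the same as nonexistent: never reject on this.
        return ("tempfail", "MX lookup failed")

    # MX answered NODATA: fall back to the address record.
    a = lookup(domain, "A")
    if a is Dns.FOUND:
        return ("accept", "no MX, A record used")
    if a is Dns.FAILURE:
        return ("tempfail", "A lookup failed")
    if a is Dns.NXDOMAIN:
        return ("reject", "domain does not exist")

    # The name exists but has neither MX nor A.
    if reject_no_mx_no_a:
        return ("reject", "no MX and no A record")
    return ("accept", "no MX and no A record, mail will sit in the queue")


def verdicts_for(domains, **kwargs):
    """Map each domain to its verdict string."""
    return {d: domain_verdict(d, **kwargs)[0] for d in domains}


if __name__ == "__main__":
    for name in sorted({d for d, _ in SAMPLE_DNS}):
        print("%-22s %s: %s" % ((name,) + domain_verdict(name)))
```
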
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Jun 24 18:37:44 2009
Subject: lstat() failed on: /mnt/ramdisk/...
In-Reply-To: <67a55ed50906240504q246bc49cx997133645f386eae@mail.gmail.com>
References: <67a55ed50906240504q246bc49cx997133645f386eae@mail.gmail.com>
Message-ID:

on 6-24-2009 5:04 AM Dave Jones spake the following:
> lstat() failed on: /mnt/ramdisk/31166/n5NC95S6028227/tnef.31166
>
> I get thousands of these messages in my logwatch report daily. My permissions are correct in the dir and conf.
>
> MailScanner.conf:
> -----------------------------
> Quarantine Permissions = 0660
> Incoming Work Dir = /mnt/ramdisk
> SpamAssassin Cache Database File = /mnt/ramdisk/SpamAssassin.cache.db
> SpamAssassin Temporary Dir = /mnt/ramdisk/SpamAssassin-Temp
>
> # ll -d /mnt/ramdisk
> drwxrwsr-x 19 root clamav 4096 Jun 24 07:53 /mnt/ramdisk
>
> This is happening on all 3 systems that use a ramdisk. Other non-ramdisk MS servers are fine.
>
> I am seeing subdirs like "31166" under /mnt/ramdisk that are empty. Is there a conf setting that needs to match the "Incoming Work Dir" so the TNEF will use the same location or something like this?

How do you have the ramdisks created? Maybe they are running out of space. Most people use tmpfs, as it can grow into the swap if it overflows.

From maxsec at gmail.com Wed Jun 24 19:18:36 2009
From: maxsec at gmail.com (Martin Hepworth)
Date: Wed Jun 24 19:18:59 2009
Subject: lstat() failed on: /mnt/ramdisk/...
In-Reply-To:
References: <67a55ed50906240504q246bc49cx997133645f386eae@mail.gmail.com>
Message-ID: <72cf361e0906241118j5f325583y57f7f131b2a094c9@mail.gmail.com>

Dave, is the /mnt/ramdisk the actual mount point or merely a symbolic link? MailScanner needs the actual proper path and not a sym link to it.

2009/6/24 Scott Silva

> on 6-24-2009 5:04 AM Dave Jones spake the following:
> > lstat() failed on: /mnt/ramdisk/31166/n5NC95S6028227/tnef.31166
> >
> > I get thousands of these messages in my logwatch report daily. My permissions are correct in the dir and conf.
> >
> > MailScanner.conf:
> > -----------------------------
> > Quarantine Permissions = 0660
> > Incoming Work Dir = /mnt/ramdisk
> > SpamAssassin Cache Database File = /mnt/ramdisk/SpamAssassin.cache.db
> > SpamAssassin Temporary Dir = /mnt/ramdisk/SpamAssassin-Temp
> >
> > # ll -d /mnt/ramdisk
> > drwxrwsr-x 19 root clamav 4096 Jun 24 07:53 /mnt/ramdisk
> >
> > This is happening on all 3 systems that use a ramdisk. Other non-ramdisk MS servers are fine.
> >
> > I am seeing subdirs like "31166" under /mnt/ramdisk that are empty. Is there a conf setting that needs to match the "Incoming Work Dir" so the TNEF will use the same location or something like this?
>
> How do you have the ramdisks created? Maybe they are running out of space. Most people use tmpfs, as it can grow into the swap if it overflows.

--
Martin Hepworth
Oxford, UK

From paulo-m-roncon at ptinovacao.pt Wed Jun 24 21:59:17 2009
From: paulo-m-roncon at ptinovacao.pt (Paulo Roncon)
Date: Wed Jun 24 22:00:08 2009
Subject: config & rules used
Message-ID:

What type of config and rules do you use?

Currently despite all the tweaking and extra rules a percentage of spam still goes by.
Rules used: spamassassin: sought, KAM, Anti-Phishing and Spear-Phishing Version 2, SARE
Clamav : sanesecurity

centos 5.3 + sendmail + spamassassin + mailscanner + milter-greylist + clamav + bayes

I do not use local dns, razor, pyzor.

What are your examples?

thanks,
Paulo

From aragonx at dcsnow.com Wed Jun 24 22:59:12 2009
From: aragonx at dcsnow.com (aragonx@dcsnow.com)
Date: Wed Jun 24 22:59:38 2009
Subject: A new setup
Message-ID: <4bbcc3328f0b9a8a66f9d568e1f78795.squirrel@www.dcsnow.com>

Hello all,

Perhaps you get this question a lot. If you can point me to the appropriate thread, I would greatly appreciate it.

Anyway, I'm currently running Fedora 9 x64, mailscanner-4.70.7-1, ClamAV 0.95.1, spamassassin-3.2.5-1 and sendmail-8.14.2-4.

Fedora 9 is eol so I am going to do a reinstall. This time, I want to do a little better keeping the spam down. This system mainly serves as my email for my private consulting business and the family.

Any suggestions on things I should add or whole setups? Should I add some milters? Razor? SPF? etc... I'm looking for some guidance because I have not given this much effort so far but that has to change. The wife is complaining (about spam) and you know how that can be. :)

Thanks in advance.

---
Will Y.

From Kevin_Miller at ci.juneau.ak.us Wed Jun 24 22:59:23 2009
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Wed Jun 24 22:59:51 2009
Subject: config & rules used
In-Reply-To:
Message-ID: <4A09477D575C2C4B86497161427DD94C10D2C61389@city-exchange07>

Similar to what I use, but also have razor, and greet-pause instead of greylisting.

You don't say what your spam settings are. I use 5 & 8. High scoring spam setting is lower than recommended I think but it works for me.

You'll always get some spam slipping through. It's virtually impossible to catch it all w/o also getting false positives. The only sure way to stop *all* spam is to turn off your server. ;-)

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Paulo Roncon
Sent: Wednesday, June 24, 2009 12:59 PM
To: mailscanner@lists.mailscanner.info
Subject: config & rules used

What type of config and rules do you use?

Currently despite all the tweaking and extra rules a percentage of spam still goes by.
Rules used: spamassassin: sought, KAM, Anti-Phishing and Spear-Phishing Version 2, SARE
Clamav : sanesecurity

centos 5.3 + sendmail + spamassassin + mailscanner + milter-greylist + clamav + bayes

I do not use local dns, razor, pyzor.

What are your examples?

thanks,
Paulo

From ssilva at sgvwater.com Wed Jun 24 23:00:30 2009
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Jun 24 23:00:53 2009
Subject: config & rules used
In-Reply-To:
References:
Message-ID:

on 6-24-2009 1:59 PM Paulo Roncon spake the following:
> What type of config and rules do you use?
>
> Currently despite all the tweaking and extra rules a percentage of spam still goes by.
> Rules used: spamassassin: sought, KAM, Anti-Phishing and Spear-Phishing Version 2, SARE
> Clamav : sanesecurity
>
> centos 5.3 + sendmail + spamassassin + mailscanner + milter-greylist + clamav + bayes
>
> I do not use local dns, razor, pyzor.
>

There will always be a percentage of spam that gets through. You just try to get that percentage as low as possible. Why not use razor and/or pyzor? How about some blacklists at the MTA?

From eli at orbsky.homelinux.org Thu Jun 25 06:40:27 2009
From: eli at orbsky.homelinux.org (Eli Wapniarski)
Date: Thu Jun 25 06:40:52 2009
Subject: A new setup
In-Reply-To: <4bbcc3328f0b9a8a66f9d568e1f78795.squirrel@www.dcsnow.com>
References: <4bbcc3328f0b9a8a66f9d568e1f78795.squirrel@www.dcsnow.com>
Message-ID: <200906250840.27858.eli@orbsky.homelinux.org>

On Thursday 25 June 2009 00:59:12 aragonx@dcsnow.com wrote:
> Hello all,
>
> Perhaps you get this question a lot. If you can point me to the appropriate thread, I would greatly appreciate it.
>
> Anyway, I'm currently running Fedora 9 x64, mailscanner-4.70.7-1, ClamAV 0.95.1, spamassassin-3.2.5-1 and sendmail-8.14.2-4.
>
> Fedora 9 is eol so I am going to do a reinstall. This time, I want to do a little better keeping the spam down. This system mainly serves as my email for my private consulting business and the family.
>
> Any suggestions on things I should add or whole setups? Should I add some milters? Razor? SPF? etc... I'm looking for some guidance because I have not given this much effort so far but that has to change. The wife is complaining (about spam) and you know how that can be. :)
>
> Thanks in advance.
>
> ---
> Will Y.

As a matter of fact, I do. Funny how I see an extreme parallel to my setup. The only thing is that me being the System Admin complained about the volume of mail traffic coming into my system. I couldn't and still can't turn on blocks from the general MailScanner rules because of the fear my spouse has of false positives. She is absolutely insistent that she would prefer to get a gazillion spams than lose an important email. And I really can't argue with that. I think she's right. However I was wrong in not pursuing Spamassassin rules further. But, I did find an alternative solution which I am happy with. More on that later. However the volume was absolutely frightening when I finally discovered how bad it really was.
That was discovered with the help of MailWatch which can be found at: (http://mailwatch.sourceforge.net/doku.php). It is a very nice web interface that enables monitoring of the actual traffic getting through. And when I discovered that I started looking for solutions.

I came up with 2 very extremely effective milters that plug in to sendmail to virtually kill spam. Both of which are available from the fedora repository.

The first and most important of these is milter-greylisting; for more info see (http://hcpnet.free.fr/milter-greylist/). Read up on this one. By correctly adding milter-greylist to sendmail you will effectively eliminate at least 70% of spam and 99% of malware laden email from entering your system. The best thing you could do is read up on it and install it. I cannot praise this enough.

The next thing that you will need is effective manually configurable regular expression rules to block the rest of the spam. I understand that this can be done effectively with Spamassassin. However, I use another milter called milter-regex. More info: http://www.benzedrine.cx/milter-regex.html

The most important rule that you will need to establish is the one that sorts out what is a legitimate email address and what's bogus and unceremoniously and without mercy and without bounce or response drop the bogus email addresses. This in effect kills 99% (maybe exaggerating a little, but really only a little) of the spam that milter-greylisting allows through.

Now people might argue with me that I am circumventing the way MTA's are supposed to work in that they take into account that there may be a problem with a mail server or mailbox. And so by default if an MTA can't reach a receiver they will try again and again and again and again. And that's what spammers and other mischief makers are counting on. Cause.... this behaviour causes a back up of the mail queue due to the ping pong effect.
You bounce, they bounce and then you bounce and then they bounce and the amount of mail stuck in the queue grows and grows and grows eventually and effectively establishing denial of service. The way to kill that is with the above-mentioned rule. And that keeps the mail going. If you decide on Spamassassin rules to do this, I am sure the people on this mailing list will be very helpful. If you decide to go the milter-regex route then I can point you in the right direction to set up the rule that I've described in the preceding paragraphs. In any case as mentioned both milters are available in Fedora repositories. Eli From uxbod at splatnix.net Thu Jun 25 08:34:20 2009 From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Thu Jun 25 08:34:37 2009 Subject: config & rules used In-Reply-To: Message-ID: <16210771.3371245915260751.JavaMail.root@office.splatnix.net> ----- "Scott Silva" wrote: > on 6-24-2009 1:59 PM Paulo Roncon spake the following: > What type of config and rules do you use? > > Currently despite all the tweaking and extra rules a percentage of spam still goes by. > Rules used: spamassassin: sought, KAM, Anti-Phishing and Spear-Phishing Version 2, SARE > Clamav : sanesecurity > > centos 5.3 + sendmail + spamassassin + mailscanner + milter-greylist + clamav + bayes > > I do not use local dns, razor, pyzor. > There will always be a percentage of spam that gets through. You just try to get that percentage as low as possible. Why not use razor and/or pyzor? How about some blacklists at the MTA? > http://www.barracudacentral.org/rbl works very well here. Best Regards, -- SplatNIX IT Services :: Innovation through collaboration From shyamph at gmail.com Thu Jun 25 12:32:06 2009
From: shyamph at gmail.com (shyam hirurkar) Date: Thu Jun 25 12:32:30 2009 Subject: MailScanner not processing after Hold state Message-ID: Hi All, I am using postfix+Mailscanner+spamassassin+clamAV. It is working fine, and nowadays I am facing an issue with MailScanner: once a message goes to Hold state, MailScanner does not do anything after that; it neither processes it nor gives it back to postfix. The mail simply vanishes. Is there anything wrong? This is happening inconsistently. Here is the sample log [root@mx log]# cat maillog | grep B62FC4FD82 Jun 17 11:39:32 mx postfix/smtpd[16374]: B62FC4FD82: client=unknown[xxx.xxx.xxx.xxx] Jun 17 11:44:33 mx postfix/cleanup[16394]: B62FC4FD82: hold: header Received: from some.domain.com (unknown [xxx.xxx.xxx.xxx])??by mx.domain.com (Postfix) with ESMTP id B62FC4FD82??for ; Wed, 17 Jun 2009 11:39:26 +0530 (IST) from unknown[xxx.xxx.xxx.xxx]; from= to= proto=ESMTP helo= After this there is no entry in maillog; neither did the user receive the mail nor did it bounce back. I am not able to figure it out. If any more detail is required from my side please let me know. Shyam From gmaddock at futuremetals.com Thu Jun 25 14:51:48 2009 From: gmaddock at futuremetals.com (Gerry Maddock) Date: Thu Jun 25 14:55:48 2009 Subject: config & rules used In-Reply-To: References: Message-ID:
> From: Paulo Roncon > Date: 06/24/2009 05:11 PM > What type of config and rules do you use? > What are you examples? I'm using a similar setup, although I switched my MTA to postfix from sendmail about 2 years ago. At that time I noticed sendmail was losing some emails in the process (not good) & I liked how postfix tracks all of its emails. I have (2) MailScanner servers: (1) Fedora 10 32bit, & a new Fedora 11 64 bit (Going to upgrade the F10 sys soon). The setup is as follows: For postfix I have it first check the following lists: Zen, barracuda, psbl, cbl, dul(sorbs), then a few hard & soft error sleep times & errors tweaks, then postgrey. If it makes it past that, it checks if the recipient email address is valid, if invalid, email is rejected, if valid it is passed onto MailScanner, spamassassin, clamav. spamassassin: a few local rules, sought, KAM, sane, SARE (although is no longer updated), openprotect, razor, pyzor Mailscanner uses clamav-amavisd & MCP checks as well CONFIDENTIALITY: This e-mail message is for the sole use of the intended recipient(s) and may contain confidential and / or privileged information. Any unauthorized review, use, disclosure or distribution of any kind is strictly prohibited. If you are not the intended recipient, please contact the sender via reply e-mail and destroy all copies of the original message. Thank you. From davejones70 at gmail.com Thu Jun 25 15:32:11 2009 
From: davejones70 at gmail.com (Dave Jones) Date: Thu Jun 25 15:32:21 2009 Subject: lstat() failed on: /mnt/ramdisk/... Message-ID: <67a55ed50906250732r5b17c773n80df05f7155aeeec@mail.gmail.com> >Dave > >is the /mnt/ramdisk the actual mount point or merely a symbolic link. >MailScanner needs the actual proper path and not a sym link to it. > >2009/6/24 Scott Silva > >> on 6-24-2009 5:04 AM Dave Jones spake the following: >> > lstat() failed on: /mnt/ramdisk/31166/n5NC95S6028227/tnef.31166 >> > >> > I get thousands of these messages in my logwatch report daily. My >> > permissions are correct in the dir and conf. >> > >> > MailScanner.conf: >> > ----------------------------- >> > Quarantine Permissions = 0660 >> > Incoming Work Dir = /mnt/ramdisk >> > SpamAssassin Cache Database File = /mnt/ramdisk/SpamAssassin.cache.db >> > SpamAssassin Temporary Dir = /mnt/ramdisk/SpamAssassin-Temp >> > >> > # ll -d /mnt/ramdisk >> > drwxrwsr-x 19 root clamav 4096 Jun 24 07:53 /mnt/ramdisk >> > >> > This is happening on all 3 systems that use a ramdisk. Other >> > non-ramdisk MS servers are fine. >> > >> > I am seeing subdirs like "31166" under /mnt/ramdisk that are empty. >> > Is there a conf setting that needs to match the "Incoming Work Dir" so >> > the TNEF will use the same location or something like this? >> >> How do you have the ramdisks created? Maybe they are running out of space. >> Most people use tmpfs, as it can grow into the swap if it overflows. # mount | grep ram /dev/ram0 on /mnt/ramdisk type ext2 (rw) # df -H | grep ram /dev/ram0 1.1G 26M 983M 3% /mnt/ramdisk I have 1 GB allocated to the ramdisk and never see it get more than 3 to 5 percent used. We have plans to add 2 MailScanner servers in a few months and we will build these with tmpfs now that I understand that tmpfs is better. At that time, we were going to switch the existing MailScanner servers to tmpfs but if you think the ramdisk is the problem, then I could do the switch now.
It seems like this was working perfectly until 4 or 5 months ago, possibly coinciding with when I did a MailScanner upgrade but I am not sure. The servers have been in place for about 18+ months using the ramdisk and I know the lstat errors just started this year without any major changes to the MailScanner.conf. -- Dave Jones From MailScanner at ecs.soton.ac.uk Thu Jun 25 18:01:10 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jun 25 18:01:29 2009 Subject: lstat() failed on: /mnt/ramdisk/... In-Reply-To: <67a55ed50906250732r5b17c773n80df05f7155aeeec@mail.gmail.com> References: <67a55ed50906250732r5b17c773n80df05f7155aeeec@mail.gmail.com> <4A43AD56.1000509@ecs.soton.ac.uk> Message-ID: I would double-check all the permissions down the /mnt/ramdisk tree, and do a MailScanner --lint to see if that succeeds or not. Are you using clamd? If so, you have to set your permissions carefully, both in the filesystem and in MailScanner.conf. It's all documented in there. If they are wrong, MailScanner --lint won't find the EICAR test pattern with all of your virus scanners. tmpfs is much better. You say it never gets above about 5% full. That means you are constantly wasting 950 MB of your RAM that could be used for better things such as disk cache! The change to tmpfs is very simple, just change the /etc/fstab line for /mnt/ramdisk so it references 'tmpfs' instead of 'ramdiskfs' or whatever it uses now. Then stop MailScanner, umount /mnt/ramdisk, mount /mnt/ramdisk, double check the permissions are what you want and start MailScanner again. 30 second job. Jules. On 25/06/2009 15:32, Dave Jones wrote: >> Dave >> >> is the /mnt/ramdisk the actual mount point or merely a symbolic link. >> MailScanner needs the actual proper path and not a sym link to it. >> >> 2009/6/24 Scott Silva >> >> >>> on 6-24-2009 5:04 AM Dave Jones spake the following: >>> >>>> lstat() failed on: /mnt/ramdisk/31166/n5NC95S6028227/tnef.31166 >>>> >>>> I get thousands of these messages in my logwatch report daily. My >>>> permissions are correct in the dir and conf. 
>>>> >>>> MailScanner.conf: >>>> ----------------------------- >>>> Quarantine Permissions = 0660 >>>> Incoming Work Dir = /mnt/ramdisk >>>> SpamAssassin Cache Database File = /mnt/ramdisk/SpamAssassin.cache.db >>>> SpamAssassin Temporary Dir = /mnt/ramdisk/SpamAssassin-Temp >>>> >>>> # ll -d /mnt/ramdisk >>>> drwxrwsr-x 19 root clamav 4096 Jun 24 07:53 /mnt/ramdisk >>>> >>>> This is happening on all 3 systems that use a ramdisk. Other >>>> non-ramdisk MS servers are fine. >>>> >>>> I am seeing subdirs like "31166" under /mnt/ramdisk that are empty. >>>> Is there a conf setting that needs to match the "Incoming Work Dir" so >>>> the TNEF will use the same location or something like this? >>>> >>> How do you have the ramdisks created? Maybe they are running out of space. >>> Most people use tmpfs, as it can grow into the swap if it overflows. >>> > # mount | grep ram > /dev/ram0 on /mnt/ramdisk type ext2 (rw) > # df -H | grep ram > /dev/ram0 1.1G 26M 983M 3% /mnt/ramdisk > > I have 1 GB allocated to the ramdisk and never see it get more than > 3 to 5 percent used. > > We have plans to add 2 MailScanner servers in a few months and we will > build these with tempfs now that I understand that tempfs is better. > At that time, we were going to switch the existing MailScanner servers > to tempfs but if you think the ramdisk is the problem, then I could do > the switch now. > > It seems like this was working perfectly until 4 or 5 months ago, possibly > coinciding when I did a MailScanner upgrade but I am not sure. The servers > have been in place for about 18+ months using the ramdisk I an know the > lstat errors just started this year without any major changes to the > MailScanner.conf. > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Follow me at twitter.com/JulesFM MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From maxsec at gmail.com Thu Jun 25 18:55:02 2009 
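The ramdisk-to-tmpfs switch from Julian Field's reply in the "lstat() failed" thread above, as shell helpers. This is an added example, not code from the list or from MailScanner: the function names, the `size=1024m,mode=0775` options, the world-writable check and the sample fstab are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: helpers for moving MailScanner's
# "Incoming Work Dir" from an ext2 ramdisk to tmpfs.
#
# Order of operations, as given in the reply above:
#   1. change the /etc/fstab entry for the mount point to tmpfs
#   2. stop MailScanner
#   3. umount, then mount, the mount point
#   4. re-check ownership and permissions (a fresh tmpfs is empty, so the
#      old root:clamav setgid layout has to be re-applied)
#   5. start MailScanner again and run "MailScanner --lint"

# Rewrite the fstab entry whose mount point is $1 so that it mounts tmpfs
# with the options in $2. Reads fstab text on stdin, writes it to stdout.
# Comments, blank lines and all other entries pass through unchanged.
# Exit status 3 means the mount point was not found in the input.
fstab_to_tmpfs() {
    awk -v mp="$1" -v opts="$2" '
        NF >= 2 && $1 !~ /^#/ && $2 == mp {
            printf "tmpfs\t%s\ttmpfs\t%s\t0\t0\n", mp, opts
            changed = 1
            next
        }
        { print }
        END { exit(changed ? 0 : 3) }
    '
}

# Print the filesystem type mounted on $1, reading /proc/mounts-format text
# from stdin. If the mount point is listed more than once, the last entry
# (the topmost mount) wins. Returns 1 if nothing is mounted there.
mounted_fstype() {
    awk -v mp="$1" '$2 == mp { t = $3 } END { if (t == "") exit 1; print t }'
}

# Check a work directory: it must be a real directory, not a symlink (the
# question raised in the thread), and, as an added assumption, it must not
# be writable by "other". Prints "ok" or the reason; non-zero on failure.
check_workdir() {
    _dir=$1
    if [ -L "$_dir" ]; then echo "symlink"; return 1; fi
    if [ ! -d "$_dir" ]; then echo "missing"; return 1; fi
    # Character 9 of the "ls -ld" mode string is the other-write bit,
    # e.g. drwxrwsr-x (as in the thread) has "-" there.
    _ow=$(ls -ld -- "$_dir" | cut -c9)
    if [ "$_ow" = "w" ]; then echo "world-writable"; return 1; fi
    echo "ok"
}

# Dry run on a constructed fstab; only the /dev/ram0 line mirrors the thread.
demo() {
    printf '%s\n' \
        '/dev/sda1 / ext3 defaults 1 1' \
        '# MailScanner work area' \
        '/dev/ram0 /mnt/ramdisk ext2 defaults 0 0' |
        fstab_to_tmpfs /mnt/ramdisk 'size=1024m,mode=0775'
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

After the remount, `mounted_fstype /mnt/ramdisk < /proc/mounts` should print `tmpfs` and `check_workdir /mnt/ramdisk` should print `ok` before MailScanner is started again.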
From: maxsec at gmail.com (Martin Hepworth) Date: Thu Jun 25 18:55:17 2009 Subject: MailScanner not processing after Hold state In-Reply-To: References: Message-ID: <72cf361e0906251055u117a572eq55e93ca558772f04@mail.gmail.com> 2009/6/25 shyam hirurkar : > Hi All, > > > I am using postfx+Mailscanner+spamassassin+clamAV? it is working fine and > now a days i am facng issue with mailscanner like once message goes to Hold > state after that mailscanner does not do any thing neither it process not it > gives back to postfix. Simply mail will vanish. Is there any thing wrong > this is happaning inconsistantly.. > > Here is the sample log > > [root@mx log]# cat maillog | grep B62FC4FD82 > Jun 17 11:39:32 mx postfix/smtpd[16374]: B62FC4FD82: > client=unknown[xxx.xxx.xxx.xxx] > Jun 17 11:44:33 mx postfix/cleanup[16394]: B62FC4FD82: hold: header > Received: from some.domain.com (unknown [xxx.xxx.xxx.xxx])??by mx.domain.com > > (Postfix) with ESMTP id B62FC4FD82??for ; Wed, 17 Jun 2009 > 11:39:26 +0530 (IST) from unknown[xxx.xxx.xxx.xxx]; > > from= to= proto=ESMTP helo= > > After this there is no entry in maillog niether user received the mail not > bounce back , I am not able to figure it out . > > If any thing more detail require from my side please let me know. > > Shyam > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > Make sure you are running the latest version of MS (4.77) - there was an issue with the previous version with postfix. -- Martin Hepworth Oxford, UK From ssilva at sgvwater.com Thu Jun 25 19:03:08 2009 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Jun 25 19:03:31 2009 Subject: config & rules used In-Reply-To: References: Message-ID: on 6-25-2009 6:51 AM Gerry Maddock spake the following: 
>> From: Paulo Roncon >> Date: 06/24/2009 05:11 PM > > What type of config and rules do you use? >> What are you examples? > > I'm using a similar setup, although I switched my MTA to postfix from > sendmail about 2 years ago. At that time I noticed sendmail was losing some > emails in the process (not good) & I liked how postfix tracks all of its > emails. > > I have (2) MailScanner servers: (1) Fedora 10 32bit, & a new Fedora 11 64 > bit (Going to upgrade the F10 sys soon). The setup is as follows: > For postfix I have it first check the following lists: Zen, barracuda, > psbl, cbl, dul(sorbs), then a few hard & soft error sleep times & errors > tweaks, then postgrey. If it makes it past that, it checks if the recipient > email address is valid, if invalid, email is rejected, if valid it is > passed onto MailScanner, spamassassin, clamav. > spamassassin: a few local rules, sought, KAM, sane, SARE (although is no > longer updated), openprotect, razor, pyzor > Mailscanner uses clamav-amavisd & MCP checks as well > Remember... Sorbs is going off line. You might want to remove it. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 258 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090625/f75521a8/signature.bin From maxsec at gmail.com Thu Jun 25 19:05:56 2009 
From: maxsec at gmail.com (Martin Hepworth) Date: Thu Jun 25 19:06:11 2009 Subject: A new setup In-Reply-To: <4bbcc3328f0b9a8a66f9d568e1f78795.squirrel@www.dcsnow.com> References: <4bbcc3328f0b9a8a66f9d568e1f78795.squirrel@www.dcsnow.com> Message-ID: <72cf361e0906251105i2660e2d3le98fdeb8aff0ee0f@mail.gmail.com> Will have a look at the "getting most out of spamassassin" section of the wiki. 2009/6/24 > Hello all, > > Perhaps you get this question a lot. If you can point me to the > appropriate thread, I would greatly appreciate it. > > Anyway, I'm currently running Fedora 9 x64, mailscanner-4.70.7-1, ClamAV > 0.95.1, spamassassin-3.2.5-1 and sendmail-8.14.2-4. > > Fedora 9 is eol so I am going to do a reinstall. This time, I want to do > a little better keeping the spam down. This system mainly serves as my > email for my private consulting business and the family. > > Any suggestions on things I should add or whole setups? Should I add some > milters? Razor? SPF? etc... I'm looking for some guidance because I > have not given this much effort so far but that has to change. The wife > is complaining (about spam) and you know how that can be. :) > > Thanks in advance. > > --- > Will Y. > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- Martin Hepworth Oxford, UK -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090625/8e86cf66/attachment.html From cfisk at qwicnet.com Thu Jun 25 19:37:14 2009 
From: cfisk at qwicnet.com (Christopher Fisk) Date: Thu Jun 25 19:37:29 2009 Subject: Question on reducing load on MailScanner machine Message-ID: I saw a similar post in the archives recently, but the discussion didn't go very far. http://lists.mailscanner.info/pipermail/mailscanner/2009-June/092018.html I'd like to expand the question a bit. Let's assume I have a single server handling MailScanner (& SA & ClamAV) and the postfix/courier servers. The MailScanner queue is reaching 300+ at times, giving a short delay between the server receiving the message and MailScanner scanning it. If I were to NFS/SMB mount both the MailScanner install directory and the hold queue directory from another machine and start up another MailScanner process, will I run into issues where both MailScanners are trying to scan the same messages and cause problems? Or would MailScanner be smart enough to know that another MailScanner process is scanning a given message? This is on Linux 2.6 and ext3. Filesystems and kernel versions can be changed as needed. I have a few extra servers I can quickly put in place and would rather do that than purchase an entire new server for this. The MailScanner book doesn't have any information on this type of configuration unfortunately. Thanks! Christopher Fisk From MailScanner at ecs.soton.ac.uk Thu Jun 25 19:48:10 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jun 25 19:48:48 2009 Subject: New wiki page References: <4A43C66A.5070703@ecs.soton.ac.uk> Message-ID: There have been a few threads recently on the subject of the optimum setup, provided you have limitless resources to throw at it. It would be very good for us to maintain a wiki page or web page that included the outcomes of these discussions. I will happily try to maintain the page, if you can point me at what you think are the best things to put on it. I'm not talking the basics, like ClamAV and SA, but the more interesting bits such as what rulesets to use with SA and what phishing/spam sigs to add to ClamAV (in addition to a link to the table somewhere that tells you what the characteristics of each sig set are), and all that sort of stuff. This doesn't change very often, but there have been a few new additions in the past few months. So please can you start feeding me info to put on it, in addition to a link to where to get each of the resources you mention. How about we start with a contributor to each of the recent threads on this subject? Thanks folks! Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Follow me at twitter.com/JulesFM MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Thu Jun 25 19:50:47 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jun 25 19:51:06 2009 Subject: Question on reducing load on MailScanner machine In-Reply-To: References: <4A43C707.2090705@ecs.soton.ac.uk> Message-ID: Do it by having several MX servers with the same priority, or an MX record pointing to multiple A records, each running MailScanner. Sharing a queue between several MailScanner servers is fraught with difficulty. On 25/06/2009 19:37, Christopher Fisk wrote: > I saw a similar post in the archives recently, but the discussion didn't go very far. > > http://lists.mailscanner.info/pipermail/mailscanner/2009-June/092018.html > > I'd like to expand the question a bit. > > Lets assume I have a single server handling MailScanner (& SA& ClamAV) and the postfix/courier servers. > > The MailScanner queue is reaching 300+ at times, giving a short delay between the server receiving the message and MailScanner scanning it. > > If I were to NFS/SMB mount both the MailScanner install directory and the hold queue directory from another machine and startup another MailScanner process, will I run into issues where both MailScanners are trying to scan the same messages and cause problems? Or would MailScanner be smart enough to know that another MailScanner process is scanning a given message? > > > This is on Linux 2.6 and ext3. Filesystems and kernel versions can be changed as needed. > > I have a few extra servers I can quickly put in place and would rather do that than purchasing an entire new server for this. > > The MailScanner book doesn't have any information on this type of configuration unfortunately. > > > Thanks! > > > Christopher Fisk > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Follow me at twitter.com/JulesFM MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ssilva at sgvwater.com Thu Jun 25 19:57:28 2009 
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Jun 25 19:57:55 2009 Subject: Question on reducing load on MailScanner machine In-Reply-To: References: Message-ID: on 6-25-2009 11:37 AM Christopher Fisk spake the following: > I saw a similar post in the archives recently, but the discussion didn't go very far. > > http://lists.mailscanner.info/pipermail/mailscanner/2009-June/092018.html > > I'd like to expand the question a bit. > > Lets assume I have a single server handling MailScanner (& SA & ClamAV) and the postfix/courier servers. > > The MailScanner queue is reaching 300+ at times, giving a short delay between the server receiving the message and MailScanner scanning it. > > If I were to NFS/SMB mount both the MailScanner install directory and the hold queue directory from another machine and startup another MailScanner process, will I run into issues where both MailScanners are trying to scan the same messages and cause problems? Or would MailScanner be smart enough to know that another MailScanner process is scanning a given message? > > > This is on Linux 2.6 and ext3. Filesystems and kernel versions can be changed as needed. > > I have a few extra servers I can quickly put in place and would rather do that than purchasing an entire new server for this. > > The MailScanner book doesn't have any information on this type of configuration unfortunately. > > > Thanks! > > > Christopher Fisk > I doubt if postfix would like this. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 258 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090625/26961d14/signature.bin From gmaddock at futuremetals.com Thu Jun 25 19:54:07 2009 From: gmaddock at futuremetals.com (Gerry Maddock) Date: Thu Jun 25 19:58:10 2009 Subject: Question on reducing load on MailScanner machine In-Reply-To: References: Message-ID: 
> From: > Christopher Fisk > I saw a similar post in the archives recently, but the discussion > didn't go very far. > > http://lists.mailscanner.info/pipermail/mailscanner/2009-June/092018.html > > I'd like to expand the question a bit. > > Lets assume I have a single server handling MailScanner (& SA & > ClamAV) and the postfix/courier servers. > > The MailScanner queue is reaching 300+ at times, giving a short > delay between the server receiving the message and MailScanner scanning it. > > If I were to NFS/SMB mount both the MailScanner install directory > and the hold queue directory from another machine and startup > another MailScanner process, will I run into issues where both > MailScanners are trying to scan the same messages and cause > problems? Or would MailScanner be smart enough to know that another > MailScanner process is scanning a given message? > > > This is on Linux 2.6 and ext3. Filesystems and kernel versions can > be changed as needed. > > I have a few extra servers I can quickly put in place and would > rather do that than purchasing an entire new server for this. > > The MailScanner book doesn't have any information on this type of > configuration unfortunately. I had the same problem a few years ago and I decided to split my mailservers up. I'm using (2) separate Mailscanner systems for incoming emails & (2) separate servers for outgoing emails. The (2) Mailscanner servers I am using are not sharing information. I did this to stop email delays (incoming & outgoing). 1 of each is @ 2 separate branches for redundancy. This may not be the "ideal" setup, but it works for us. CONFIDENTIALITY: This e-mail message is for the sole use of the intended recipient(s) and may contain confidential and / or privileged information. Any unauthorized review, use, disclosure or distribution of any kind is strictly prohibited. If you are not the intended recipient, please contact the sender via reply e-mail and destroy all copies of the original message. 
Thank you. From steve.freegard at fsl.com Thu Jun 25 19:59:25 2009 
From: steve.freegard at fsl.com (Steve Freegard) Date: Thu Jun 25 19:59:35 2009 Subject: Question on reducing load on MailScanner machine In-Reply-To: References: Message-ID: <4A43C90D.6050007@fsl.com> Christopher Fisk wrote: > I saw a similar post in the archives recently, but the discussion didn't go very far. > > http://lists.mailscanner.info/pipermail/mailscanner/2009-June/092018.html > > I'd like to expand the question a bit. > > Lets assume I have a single server handling MailScanner (& SA & ClamAV) and the postfix/courier servers. > > The MailScanner queue is reaching 300+ at times, giving a short delay between the server receiving the message and MailScanner scanning it. > > If I were to NFS/SMB mount both the MailScanner install directory and the hold queue directory from another machine and startup another MailScanner process, will I run into issues where both MailScanners are trying to scan the same messages and cause problems? Or would MailScanner be smart enough to know that another MailScanner process is scanning a given message? > > > This is on Linux 2.6 and ext3. Filesystems and kernel versions can be changed as needed. > > I have a few extra servers I can quickly put in place and would rather do that than purchasing an entire new server for this. > > The MailScanner book doesn't have any information on this type of configuration unfortunately. > The previous thread about this didn't go very far because I suspect no-one is brave enough to actually try this. Most of us just either optimise our installations to prevent the queue build-up in the first place or just add another box - it's the far less dangerous and the most travelled path. That's also the reason it's not covered in the book. E-mail isn't instant messaging; a queue of 300 would impose nothing more than a few minutes delay at most which is perfectly acceptable to most people here. 
You're welcome to try NFS mounting your 'hold' directory and running another box on it at the same time; but you get to keep all the pieces if it breaks and to answer the phone to your users when it goes wrong and they get duplicate messages delivered to them or if their important mail gets nuked. So my recommendation would be to avoid this; but if you are going to try it - do it on virtual machines and test it thoroughly (and document it for others too if it works!). Cheers, Steve. From campbell at cnpapers.com Thu Jun 25 20:09:17 2009 From: campbell at cnpapers.com (Steve Campbell) Date: Thu Jun 25 20:09:36 2009 Subject: SORBS Message-ID: <4A43CB5D.3030003@cnpapers.com> I see I'm using quite a bit of SORBS rules, namely: __RCVD_IN_SORBS SORBS RCVD_IN_SORBS_HTTP SORBS RCVD_IN_SORBS_SOCKS SORBS RCVD_IN_SORBS_MISC SORBS RCVD_IN_SORBS_SMTP SORBS RCVD_IN_SORBS_WEB SORBS RCVD_IN_SORBS_BLOCK SORBS RCVD_IN_SORBS_ZOMBIE SORBS RCVD_IN_SORBS_DUL I didn't see a loadplugin for SORBS specifically, and a quick scan of the .cf files didn't show me a meta rule for the first above, so can I assume I need to add all of these with a zero score to my spam.assassin.prefs.conf file or will just the first cover all of them? Or is there a better way to turn it off? Thanks Steve Campbell From MailScanner at ecs.soton.ac.uk Thu Jun 25 20:16:50 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jun 25 20:17:09 2009 Subject: New wiki page In-Reply-To: References: <4A43C66A.5070703@ecs.soton.ac.uk> <4A43CD22.6060208@ecs.soton.ac.uk> Message-ID: How about we start with MTA Blacklists: Zen, BRBL, bl.spamcop.net? MTA checks: no invalid recipients or domains at SMTP time, greet-pause, grey-listing? How to get list of valid recipients out of Exchange, or configure Exchange to reject invalid recipients at SMTP time? ClamAV: sane-security -- Which ones? Where's the table that lists the pros and cons? What are the basic ones that everyone should use? SA rulesets: SARE, KAM, sought, what others? SA tools: razor, DCC, pyzor? MailScanner Virus Scanners: clamd, other commercial fast ones? sophossavi, f-prot, f-secure? MailScanner: Don't use MCP. JKF tools: Version 2 of anti-phishing and anti-spear-phishing rulesets. DNS: Get feed of ZEN and SURBL, use one DNS server running rbldnsd for these zones. What else have I forgotten? Please can people start sending me links to the relevant sites/pages for everything I have mentioned above, together with a brief summary of what is legal/illegal use of anything. On 25/06/2009 19:48, Julian Field wrote: > There have been a few threads recently on the subject of the optimum > setup, provided you have limitless resources to throw at it. > It would be very good for us to maintain a wiki page or web page that > included the outcomes of these discussions. > I will happily try to maintain the page, if you can point me at what > you think are the best things to put on it. > > I'm not talking the basics, like ClamAV and SA, but the more > interesting bits such as what rulesets to use with SA and what > phishing/spam sigs to add to ClamAV (in addition to a link to the > table somewhere that tells you what the characteristics of each sig > set are), and all that sort of stuff. This doesn't change very often, > but there have been a few new additions in the past few months. 
> > So please can you start feeding me info to put on it, in addition to a > link to where to get each of the resources you mention. How about we > start with a contributor to each of the recent threads on this subject? > > Thanks folks! > > Jules > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Follow me at twitter.com/JulesFM MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From cfisk at qwicnet.com Thu Jun 25 20:16:45 2009 
From: cfisk at qwicnet.com (Christopher Fisk) Date: Thu Jun 25 20:17:41 2009 Subject: Question on reducing load on MailScanner machine In-Reply-To: Message-ID: > on 6-25-2009 11:37 AM Christopher Fisk spake the > following: > > I saw a similar post in the archives recently, but the > discussion didn't go very far. > > > > > http://lists.mailscanner.info/pipermail/mailscanner/2009 > -June/092018.html > > > > I'd like to expand the question a bit. > > > > Lets assume I have a single server handling MailScanner > (& SA & ClamAV) and the postfix/courier servers. > > > > The MailScanner queue is reaching 300+ at times, giving > a short delay between the server receiving the message > and MailScanner scanning it. > > > > If I were to NFS/SMB mount both the MailScanner install > directory and the hold queue directory from another > machine and startup another MailScanner process, will I > run into issues where both MailScanners are trying to > scan the same messages and cause problems? Or would > MailScanner be smart enough to know that another > MailScanner process is scanning a given message? > > > > > > This is on Linux 2.6 and ext3. Filesystems and kernel > versions can be changed as needed. > > > > I have a few extra servers I can quickly put in place > and would rather do that than purchasing an entire new > server for this. > > > > The MailScanner book doesn't have any information on > this type of configuration unfortunately. > > > > > > Thanks! > > > > > > Christopher Fisk > > > I doubt if postfix would like this. Actually, I see postfix as handling this better than MailScanner. Postfix just delivers the incoming messages using a header check into a hold queue, one message per file in the queue. MailScanner scans messages in that queue and delivers it to the postfix incoming queue. 
What I'm more afraid of (and what Julian says would cause problems) is the MailScanner on server A and the MailScanner on server B both picking up the same message from the hold queue, scanning it, then delivering to the deliver queue and the recipient receiving multiple copies of the same message.

Christopher Fisk

From cfisk at qwicnet.com Thu Jun 25 20:28:17 2009
From: cfisk at qwicnet.com (Christopher Fisk)
Date: Thu Jun 25 20:28:31 2009
Subject: Question on reducing load on MailScanner machine
In-Reply-To: <4A43C90D.6050007@fsl.com>
Message-ID:

> The previous thread about this didn't go very far because I suspect no-one is brave enough to actually try this. Most of us just either optimise our installations to prevent the queue build-up in the first place or just add another box - it's the far less dangerous and the most travelled path. That's also the reason it's not covered in the book.

I can add another mx, but would prefer to have a single entry point for email on the network. I think I would upgrade to a single more powerful machine rather than adding additional boxes for incoming messages. We're running a relatively slow single processor machine at the moment and have a backup server that has been powered off sitting under it.

> E-mail isn't instant messaging; a queue of 300 would impose nothing more than a few minutes delay at most which is perfectly acceptable to most people here.

I did a typo, the queue is reaching 3000+. Sorry about that. Your point still remains, but you would be surprised at how many of our customers send an email to someone while on the phone and having even a few minute wait annoys them. I'd rather throw hardware at the problem to get the queue down to 0.

> You're welcome to try NFS mounting your 'hold' directory and running another box on it at the same time; but you get to keep all the pieces if it breaks and to answer the phone to your users when it goes wrong and they get duplicate messages delivered to them or if their important mail get nuked.

There is actually a good chance I will test this out. If I do I will inform of the results.

> So my recommendation would be to avoid this; but if you are going to try it - do it on virtual machines and test it thoroughly (and document it for others too if it works!).

How do the various child processes of MailScanner know when another child process is scanning a message in the queue? Does the parent process keep track? It seems like this would logically work. Looks like I will have to test it =) Christopher Fisk -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From steve.freegard at fsl.com Thu Jun 25 20:33:02 2009 From: steve.freegard at fsl.com (Steve Freegard) Date: Thu Jun 25 20:33:14 2009 Subject: SORBS In-Reply-To: <4A43CB5D.3030003@cnpapers.com> References: <4A43CB5D.3030003@cnpapers.com> Message-ID: <4A43D0EE.7090209@fsl.com> Steve Campbell wrote: > I see I'm using quite a bit of SORBS rules, namely: > __RCVD_IN_SORBS SORBS > RCVD_IN_SORBS_HTTP SORBS > RCVD_IN_SORBS_SOCKS SORBS > RCVD_IN_SORBS_MISC SORBS > RCVD_IN_SORBS_SMTP SORBS > RCVD_IN_SORBS_WEB SORBS > RCVD_IN_SORBS_BLOCK SORBS > RCVD_IN_SORBS_ZOMBIE SORBS > RCVD_IN_SORBS_DUL > > I didn't see a loadplugin for SORBS specifically, and a quick scan of > the .cf files didn't show me a meta rules for the first above, so can I > assume I need to add all of these with a zero score to my > spam.assassin.prefs.conf file or will just the first cover all of them? > Or is there a better way to turn it off? > score __RCVD_IN_SORBS 0 Should be all you need. That will disable the primary look-up that all the other rules rely on. Regards, Steve. From steve.freegard at fsl.com Thu Jun 25 20:40:57 2009 
From: steve.freegard at fsl.com (Steve Freegard) Date: Thu Jun 25 20:41:08 2009 Subject: Question on reducing load on MailScanner machine In-Reply-To: References: <4A43C90D.6050007@fsl.com> Message-ID: <4A43D2C9.3040404@fsl.com> Christopher Fisk wrote: > How do the various child processes of MailScanner know when another child process is scanning a message in the queue? Does the parent process keep track? It seems like this would logically work. The children are independent of the parent; all it cares about are that the correct number of children are running. Each child scans the queue and attempts to lock each message it finds; if the lock fails, then it moves on until it has either built up a batch to scan or run out of files. Jules can correct me if I'm wrong - it's been a while since I read the code. > Looks like I will have to test it =) Yep; that's the best part of open-source. I'd recommend that you avoid SMB for this; NFS is the more likely of the two to work. As I'm not a Postfix user - I'm not sure what type of locks it uses; if it's flock() then it's unlikely to work over NFS; whereas POSIX Fcntl locks should work over NFS IIRC (thankfully it's been years since I messed with NFS). This of course is also ignoring other issues that might creep in; such as you'll need to make sure that everything between the machines is identical (e.g. Postfix versions, MailScanner) etc. Cheers, Steve. From ssilva at sgvwater.com Thu Jun 25 20:49:00 2009 
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Jun 25 20:49:32 2009 Subject: New wiki page In-Reply-To: References: <4A43C66A.5070703@ecs.soton.ac.uk> <4A43CD22.6060208@ecs.soton.ac.uk> Message-ID: on 6-25-2009 12:16 PM Julian Field spake the following: > How about we start with > > MTA Blacklists: Zen, BRBL, bl.spamcop.net? If you put a blurb about blacklists, maybe you can add a bit of info about maybe testing them in spamassassin with a small score first. For instance I use brbl in spamassassin, because I have some users that get FP's (as far as they are concerned) on some lists they are in so I can't use them at the MTA unless I want to start adding stuff to the access file. > MTA checks: no invalid recipients or domains at SMTP time, greet-pause, > grey-listing? How to get list of valid recipients out of Exchange, or > configure Exchange to reject invalid recipients at SMTP time? > ClamAV: sane-security -- Which ones? Where's the table that lists the > pros and cons? What are the basic ones that everyone should use? http://www.sanesecurity.net/databases.htm lists the various DB's and their relative risk for FP's. I would think a new user should stick with the low risk ones and test the rest. > SA rulesets: SARE, KAM, sought, what others? > SA tools: razor, DCC, pyzor? > MailScanner Virus Scanners: clamd, other commercial fast ones? > sophossavi, f-prot, f-secure? > MailScanner: Don't use MCP. > JKF tools: Version 2 of anti-phishing and anti-spear-phishing rulesets. > DNS: Get feed of ZEN and SURBL, use one DNS server running rbldnsd for > these zones. > > What else have I forgotten? > > Please can people start sending me links to the relevant sites/pages for > everything I have mentioned above, together with a brief summary of what > is legal/illegal use of anything. > -------------- next part -------------- A non-text attachment was scrubbed... 
From MailScanner at ecs.soton.ac.uk Thu Jun 25 20:54:17 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jun 25 20:54:40 2009
Subject: Question on reducing load on MailScanner machine
In-Reply-To:
References: <4A43D5E9.7080001@ecs.soton.ac.uk>
Message-ID:

On 25/06/2009 20:28, Christopher Fisk wrote:
>> The previous thread about this didn't go very far because I suspect no-one is brave enough to actually try this. Most of us just either optimise our installations to prevent the queue build-up in the first place or just add another box - it's the far less dangerous and the most travelled path. That's also the reason it's not covered in the book.
>>
> I can add another mx, but would prefer to have a single entry point for email on the network. I think I would upgrade to a single more powerful machine rather than adding additional boxes for incoming messages. We're running a relatively slow single processor machine at the moment and have a backup server that has been powered off sitting under it.
>

The setup used by everyone else in the universe is to have multiple MX servers sharing the incoming mail load.

>> E-mail isn't instant messaging; a queue of 300 would impose nothing more than a few minutes delay at most which is perfectly acceptable to most people here.
>>
> I did a typo, the queue is reaching 3000+. Sorry about that. Your point still remains, but you would be surprised at how many of our customers send an email to someone while on the phone and having even a few minute wait annoys them. I'd rather throw hardware at the problem to get the queue down to 0.
>

Let me get this straight. You've got a huge mail queue, and yet you have a server sitting there switched off. Dare I suggest you switch it on?

> > >> You're welcome to try NFS mounting your 'hold' directory >> and running >> another box on it at the same time; but you get to keep >> all the pieces >> if it breaks and to answer the phone to your users when >> it goes wrong >> and they get duplicate messages delivered to them or if >> their important >> mail get nuked. >> > There is actually a good chance I will test this out. If I do I will inform of the results. > It won't work. Anyone sane runs multiple MX servers :-) > > >> So my recommendation would be to avoid this; but if you >> are going to try >> it - do it on virtual machines and test it thoroughly >> (and document it >> for others too if it works!). >> > How do the various child processes of MailScanner know when another child process is scanning a message in the queue? Does the parent process keep track? It seems like this would logically work. > It does it all via file locking. And that locking is the same method used by your MTA. And that is not designed to work across NFS. So don't waste your time trying :) Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Follow me at twitter.com/JulesFM MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From cfisk at qwicnet.com Thu Jun 25 21:08:18 2009 
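The claim-by-lock loop described in the messages above (each child tries to lock a queue file and moves on if the lock fails), as an added example that is not MailScanner's code or any poster's. It uses local flock() only; `unshared_claim`, the file names and the batch size are constructed here to model a mount where one scanner cannot see the other's locks, which produces the duplicate scans the thread worries about.

```python
"""Added illustration: claiming hold-queue files with non-blocking locks."""
import errno
import fcntl
import os
import tempfile


def flock_claim(path):
    """Try to claim one queue file. Return an open fd on success, None if busy."""
    fd = os.open(path, os.O_RDWR)
    try:
        # LOCK_NB: never wait for a busy file, just report that it is taken.
        fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
    except OSError as exc:
        os.close(fd)
        if exc.errno in (errno.EAGAIN, errno.EACCES):
            return None  # another scanner holds it: skip and move on
        raise
    return fd


def unshared_claim(path):
    """Constructed failure model (assumption): the lock call 'succeeds' for
    every scanner because none of them can see locks taken by another host."""
    return os.open(path, os.O_RDWR)


def build_batch(queue_dir, max_batch, claim):
    """Walk the queue, claim what can be claimed, stop at max_batch files."""
    batch = {}
    for name in sorted(os.listdir(queue_dir)):
        if len(batch) >= max_batch:
            break
        fd = claim(os.path.join(queue_dir, name))
        if fd is not None:
            batch[name] = fd  # keep the fd open: closing it drops the lock
    return batch


def release(batch):
    """Finish a batch: closing each fd releases its lock."""
    for fd in batch.values():
        os.close(fd)


def two_scanners(claim, messages=6, max_batch=4):
    """Scanner B builds its batch while scanner A still holds its own."""
    with tempfile.TemporaryDirectory() as hold:
        for i in range(messages):
            with open(os.path.join(hold, "msg%03d" % i), "w") as fh:
                fh.write("constructed test message\n")
        a = build_batch(hold, max_batch, claim)
        b = build_batch(hold, max_batch, claim)
        try:
            return sorted(a), sorted(b)
        finally:
            release(a)
            release(b)


def scanned_twice(batches):
    """Messages that ended up in both batches, i.e. would be delivered twice."""
    a, b = batches
    return sorted(set(a) & set(b))


if __name__ == "__main__":
    for label, claim in (("working locks", flock_claim),
                         ("locks not shared", unshared_claim)):
        batches = two_scanners(claim)
        print(label, batches, "scanned twice:", scanned_twice(batches))
```

With working locks the two batches are disjoint; with the unshared model every file in the first batch is picked up again by the second scanner.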
From: cfisk at qwicnet.com (Christopher Fisk)
Date: Thu Jun 25 21:08:48 2009
Subject: Question on reducing load on MailScanner machine
In-Reply-To: <4A43D2C9.3040404@fsl.com>
Message-ID:

> Each child scans the queue and attempts to lock each message it finds; if the lock fails, then it moves on until it has either built up a batch to scan or run out of files.
> Jules can correct me if I'm wrong - it's been a while since I read the code.

So essentially, what you're saying here indicates to me that it would work over nfs if each child is already playing nice with the other children with locks. So long as the method I use to mount the hold queue on the remote machine supports the locking that is needed.

> This of course is also ignoring other issues that might creep in; such as you'll need to make sure that everything between the machines is identical (e.g. Postfix versions, MailScanner) etc.

Identical MailScanners would be taken care of easily. Postfix wouldn't be running on the second server at all, just MailScanner, SpamAssassin & ClamAV.

Christopher Fisk

From rich at a1computer.com Thu Jun 25 21:09:32 2009
From: rich at a1computer.com (Richard Thompson)
Date: Thu Jun 25 21:10:39 2009
Subject: Question on reducing load on MailScanner machine
In-Reply-To:
References:
Message-ID: <000f01c9f5d0$daa8d470$8ffa7d50$@com>

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Christopher Fisk
Sent: Thursday, June 25, 2009 1:37 PM
To: mailscanner@lists.mailscanner.info
Subject: Question on reducing load on MailScanner machine

I saw a similar post in the archives recently, but the discussion didn't go very far.

http://lists.mailscanner.info/pipermail/mailscanner/2009-June/092018.html

I'd like to expand the question a bit.

Let's assume I have a single server handling MailScanner (& SA & ClamAV) and the postfix/courier servers.

The MailScanner queue is reaching 300+ at times, giving a short delay between the server receiving the message and MailScanner scanning it.

If I were to NFS/SMB mount both the MailScanner install directory and the hold queue directory from another machine and start up another MailScanner process, will I run into issues where both MailScanners are trying to scan the same messages and cause problems? Or would MailScanner be smart enough to know that another MailScanner process is scanning a given message?

This is on Linux 2.6 and ext3. Filesystems and kernel versions can be changed as needed.

I have a few extra servers I can quickly put in place and would rather do that than purchasing an entire new server for this.

The MailScanner book doesn't have any information on this type of configuration unfortunately.

Thanks!

Christopher Fisk

--

I had this happen to me last year, I moved the RBL check to the MTA (sendmail) and it has been working great since. Now 98% of my spam is being blocked by the MTA, MS has no problem keeping up.

Rich Thompson

From gmaddock at futuremetals.com Thu Jun 25 21:16:09 2009
From: gmaddock at futuremetals.com (Gerry Maddock) Date: Thu Jun 25 21:20:12 2009 Subject: New wiki page In-Reply-To: References: <4A43C66A.5070703@ecs.soton.ac.uk><4A43CD22.6060208@ecs.soton.ac.uk> Message-ID: > How about we start with > > MTA Blacklists: Zen, BRBL, bl.spamcop.net? > MTA checks: no invalid recipients or domains at SMTP time, greet-pause, > grey-listing? How to get list of valid recipients out of Exchange, or > configure Exchange to reject invalid recipients at SMTP time? > ClamAV: sane-security -- Which ones? Where's the table that lists the > pros and cons? What are the basic ones that everyone should use? > SA rulesets: SARE, KAM, sought, what others? > SA tools: razor, DCC, pyzor? > MailScanner Virus Scanners: clamd, other commercial fast ones? > sophossavi, f-prot, f-secure? > MailScanner: Don't use MCP. > JKF tools: Version 2 of anti-phishing and anti-spear-phishing rulesets. > DNS: Get feed of ZEN and SURBL, use one DNS server running rbldnsd for > these zones. > > What else have I forgotten? > > Please can people start sending me links to the relevant sites/pages for > everything I have mentioned above, together with a brief summary of what > is legal/illegal use of anything. Julian, Just wondering why you don't recommend MCP? I'm using it currently and wondering if I should disable it now. CONFIDENTIALITY: This e-mail message is for the sole use of the intended recipient(s) and may contain confidential and / or privileged information. Any unauthorized review, use, disclosure or distribution of any kind is strictly prohibited. If you are not the intended recipient, please contact the sender via reply e-mail and destroy all copies of the original message. Thank you. From jonas at vrt.dk Thu Jun 25 21:34:58 2009 
From: jonas at vrt.dk (Jonas A. Larsen)
Date: Thu Jun 25 21:35:21 2009
Subject: Question on reducing load on MailScanner machine
In-Reply-To:
References: <4A43C90D.6050007@fsl.com>
Message-ID: <002401c9f5d4$683893e0$38a9bba0$@dk>

> > The previous thread about this didn't go very far because I suspect no-one is brave enough to actually try this. Most of us just either optimise our installations to prevent the queue build-up in the first place or just add another box - it's the far less dangerous and the most travelled path. That's also the reason it's not covered in the book.
>
> I can add another mx, but would prefer to have a single entry point for email on the network. I think I would upgrade to a single more powerful machine rather than adding additional boxes for incoming messages. We're running a relatively slow single processor machine at the moment and have a backup server that has been powered off sitting under it.
>

Just to throw my 5 cents worth of knowledge in here, I think everybody starts out considering how they can share the queue as it would provide a perfect load balancing and a more secure setup (assuming u can mount some storage that will be more stable than the local storage of each mailscanner box)

However! I think more or less everybody ends up with 2 or more mailscanner boxes with 2 or more mx records with an equal priority (thus load balancing the mail pretty well) and on top of the mailwatch which also works great with this kind of setup, where it uses XML RPC to pull a mail from the other box if necessary (as when a user wants to release or view it via the web interface)

And the best reason for doing it this way: You get a much more stable setup, right now your whole mail flow is dependent on your 1 server not having failed hardware, software update or anything else, it's a huge single point of failure.

By using 2 boxes (and do note you can use "half as powerful" hardware as you would in a 1 machine setup, since the load is split).

So bottom-line, I think 99% of mailscanner users would recommend going with a load balanced multi box setup.

Med venlig hilsen / Best regards

Jonas Akrouh Larsen
TechBiz ApS
Laplandsgade 4, 2. sal
2300 København S
Office: 7020 0979
Direct: 3336 9974
Mobile: 5120 1096
Fax: 7020 0978
Web: www.techbiz.dk

From cfisk at qwicnet.com Thu Jun 25 21:41:06 2009
From: cfisk at qwicnet.com (Christopher Fisk) Date: Thu Jun 25 21:41:25 2009 Subject: Question on reducing load on MailScanner machine In-Reply-To: Message-ID: > The setup used by everyone else in the universe is to > have multiple MX > servers sharing the incoming mail load. We have a 10 MX and a 20 MX on a remote site which just queues messages, doesn't check for recipient or for spam. I've never run two mail servers of the same priority, although I'm sure it is easy enough. > Let me get this straight. > You've got a huge mail queue, and yet you have a server > sitting there > switched off. > Dare I suggest you switch it on? This thread is about how I go about doing the actual switching on. Right now it's just extra hardware in case our first server dies. We have it there, the goal is to use it. I want to "switch it on" correctly though. If I didn't start this thread and ask, there is a good chance I would have tried just NFS mounting the hold queue and firing up MailScanner. Obviously that would have been bad per your addition below =) So yes, your suggestion to switch it on is the one we're going to do, I just need to make sure I get the configuration correct. This is part of my planning to make sure I do it correctly. > > There is actually a good chance I will test this out. > If I do I will inform of the results. > > > It won't work. Anyone sane runs multiple MX servers :-) The reason (Might not be a good one!) I have shied away from anything more than a backup MX which queues messages if the main MX server goes down is due to the logistics of keeping them both in sync with mail accounts. I'm thinking I will have to move my account database to a third machine or just run it on one of the two I would have in place. A third machine seems ideal. > It does it all via file locking. And that locking is the > same method > used by your MTA. And that is not designed to work across > NFS. So don't > waste your time trying :) OK, then this method gets shelved. 
Now to present the options to the decision makers. Thank you's all for your time on this! Christopher Fisk -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From gmaddock at futuremetals.com Thu Jun 25 21:50:23 2009 
From: gmaddock at futuremetals.com (Gerry Maddock) Date: Thu Jun 25 21:54:28 2009 Subject: New wiki page In-Reply-To: References: <4A43C66A.5070703@ecs.soton.ac.uk><4A43CD22.6060208@ecs.soton.ac.uk> Message-ID: > How about we start with > > MTA Blacklists: Zen, BRBL, bl.spamcop.net? > MTA checks: no invalid recipients or domains at SMTP time, greet-pause, > grey-listing? How to get list of valid recipients out of Exchange, or > configure Exchange to reject invalid recipients at SMTP time? > ClamAV: sane-security -- Which ones? Where's the table that lists the > pros and cons? What are the basic ones that everyone should use? > SA rulesets: SARE, KAM, sought, what others? > SA tools: razor, DCC, pyzor? > MailScanner Virus Scanners: clamd, other commercial fast ones? > sophossavi, f-prot, f-secure? > MailScanner: Don't use MCP. > JKF tools: Version 2 of anti-phishing and anti-spear-phishing rulesets. > DNS: Get feed of ZEN and SURBL, use one DNS server running rbldnsd for > these zones. > > What else have I forgotten? > > Please can people start sending me links to the relevant sites/pages for > everything I have mentioned above, together with a brief summary of what > is legal/illegal use of anything. Julian, Just wondering why you don't recommend MCP? I'm using it currently and wondering if I should disable it now. CONFIDENTIALITY: This e-mail message is for the sole use of the intended recipient(s) and may contain confidential and / or privileged information. Any unauthorized review, use, disclosure or distribution of any kind is strictly prohibited. If you are not the intended recipient, please contact the sender via reply e-mail and destroy all copies of the original message. Thank you. From mailbag at partnersolutions.ca Thu Jun 25 22:09:28 2009 
From: mailbag at partnersolutions.ca (PSI Mailbag) Date: Thu Jun 25 22:09:44 2009 Subject: lstat() failed on: /mnt/ramdisk/... In-Reply-To: <67a55ed50906240504q246bc49cx997133645f386eae@mail.gmail.com> References: <67a55ed50906240504q246bc49cx997133645f386eae@mail.gmail.com> Message-ID: <0A5EC380C825E440B3BB048CDE603A160A988F@PSIMS002.pshosting.intranet> > lstat() failed on: /mnt/ramdisk/31166/n5NC95S6028227/tnef.31166 Which version of MailScanner are you running? If you're using a version < 4.76.24, and you only have tnef.* in your lstat errors, this is a known bug. Upgrading to the latest MailScanner release will fix it (or at least >= 4.76.24), as the tnef processing has been updated to correct the permission errors. (see http://www.bluequartz.us/phpBB2/viewtopic.php?t=87165 for reference, and "16 Fixed permissions and ownership problems with data extracted from TNEF winmail.dat attachments." under fixes of 4.76.24-3 from http://www.mailscanner.info/ChangeLog). Cheers, -Joshua From ms-list at alexb.ch Thu Jun 25 22:21:10 2009 
From: ms-list at alexb.ch (Alex Broens)
Date: Thu Jun 25 22:21:18 2009
Subject: New wiki page
In-Reply-To:
References: <4A43C66A.5070703@ecs.soton.ac.uk> <4A43CD22.6060208@ecs.soton.ac.uk>
Message-ID: <4A43EA46.8030905@alexb.ch>

On 6/25/2009 9:16 PM, Julian Field wrote:
> How about we start with
>
> MTA Blacklists: Zen, BRBL, bl.spamcop.net?
> MTA checks: no invalid recipients or domains at SMTP time, greet-pause, grey-listing? How to get list of valid recipients out of Exchange, or configure Exchange to reject invalid recipients at SMTP time?
> ClamAV: sane-security -- Which ones? Where's the table that lists the pros and cons? What are the basic ones that everyone should use?
> SA rulesets: SARE, KAM, sought, what others?

Please do not recommend SARE rules. They are obsolete and will not get updated so adding them adds little if any value and are not worth the resources they use. Some have been included in SA.

My TODO list includes a masscheck of ALL of those rules and release a small subset to be used with SA update on the official sa-update channel. This will happen during the SA 3.3.x cycle which will be released soon.

btw.. has anybody been using/testing MailScanner with SA 3.3.0-trunk? Jules?

Alex

From ssilva at sgvwater.com Thu Jun 25 22:27:45 2009
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Jun 25 22:28:12 2009 Subject: New wiki page In-Reply-To: References: <4A43C66A.5070703@ecs.soton.ac.uk><4A43CD22.6060208@ecs.soton.ac.uk> Message-ID: >> >> What else have I forgotten? >> >> Please can people start sending me links to the relevant sites/pages for >> everything I have mentioned above, together with a brief summary of what >> is legal/illegal use of anything. > Julian, > > Just wondering why you don't recommend MCP? I'm using it currently and > wondering if I should disable it now. > > The new spamassassin rule actions will do most everything that MCP does, and doesn't need another full set of spamassassin processes running. I think that Julian said that if he had thought of this earlier, he wouldn't have bothered writing the MCP code. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 258 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090625/21bba953/signature.bin From steve.freegard at fsl.com Thu Jun 25 23:26:18 2009 
From: steve.freegard at fsl.com (Steve Freegard) Date: Thu Jun 25 23:26:33 2009 Subject: Question on reducing load on MailScanner machine In-Reply-To: References: Message-ID: <4A43F98A.6020303@fsl.com> Christopher Fisk wrote: > > The reason (Might not be a good one!) I have shied away from anything more than a backup MX which queues messages if the main MX server goes down is due to the logistics of keeping them both in sync with mail accounts. I'm thinking I will have to move my account database to a third machine or just run it on one of the two I would have in place. > Account database? You mean valid/invalid users?; if so then milter-ahead, smf-sav etc. can help you there by doing SMTP call-aheads to your mail hub to verify recipients etc. Nowadays queuing backup MXes are usually a bad idea as they act as spam magnets (e.g. most bots attempt to connect directly to the backup MX intentionally under the presumption that they aren't as well configured as the primary); any mail you receive therefore requires full content scans instead of being able to reject connections pre-DATA during the SMTP transaction (via RBLs etc.). Also backup MXes that don't verify recipients or where the primary does SMTP time rejections will cause significant backscatter. Cheers, Steve. From mike at mlrw.com Fri Jun 26 00:40:42 2009 
From: mike at mlrw.com (Mike Wallace)
Date: Fri Jun 26 00:41:01 2009
Subject: A new setup
References:
Message-ID: <265EEB98-B6F0-4285-A9C9-436C8E14F5EA@mlrw.com>

Will,

I have a somewhat similar use and setup. I too run mail for my private consulting company and my family and had problems with lots of spam in the past. But in my case my internet provider is my cable company and restricts smtp access so I have to have all of my incoming email go through DynDNS.com MailHop Relay and all of my outbound mail has to go out through their mail server.

My MailScanner is a Centos 5.3 x64, mailscanner-4.77.10-1, spamassassin-3.2.5-1, clamav-0.95.2-4, postfix-2.3.3-2.1, dcc-1.3.103, pyzor-0.5.0 and razor-agents-2.84-1. I have a separate mail server running Zimbra 5.0 with spamassassin turned off.

In my setup I have postfix first check for valid recipient user names using ldap queries of the Zimbra user directory. I was getting a lot of spam where the "From:" or "envelope-from" would be a valid or invalid account name from my own domain, so I now reject all of those messages too.

As for MailScanner, I use the spamhaus-ZEN and spamcop.net Spam Lists. For all spam, I tag them {SPAM?} for low scoring spam and {SPAM??} for high scoring spam and forward them to a specific account on my mail server where I review them daily.

Since this configuration went live on June 3rd, I have significantly reduced spam. For example, yesterday Postfix rejected 198 messages, MailScanner processed 221 messages of which 146 were marked as spam. Out of the remaining 75 messages, there were no false positives and 18 false negatives that got through. I report all of the false negatives to spamcop and then feed them back into spamassassin using sa-learn. Soon I will start dropping all of the high scoring spam once I get enough evidence that no ham gets marked as high scoring spam.

Mike > On Jun 25, 2009, at 2:45 PM, Martin Hepworth wrote: > >> >> Will >> >> have a look at the "getting most out of spamassassin" section of >> the wiki. >> >> 2009/6/24 >> >>> Hello all, >>> >>> Perhaps you get this question a lot. If you can point me to the >>> appropriate thread, I would greatly appreciate it. >>> >>> Anyway, I'm currently running Fedora 9 x64, mailscanner-4.70.7-1, >>> ClamAV >>> 0.95.1, spamassassin-3.2.5-1 and sendmail-8.14.2-4. >>> >>> Fedora 9 is eol so I am going to do a reinstall. This time, I >>> want to do >>> a little better keeping the spam down. This system mainly serves >>> as my >>> email for my private consulting business and the family. >>> >>> Any suggestions on things I should add or whole setups? Should I >>> add some >>> milters? Razor? SPF? etc... I'm looking for some guidance >>> because I >>> have not given this much effort so far but that has to change. >>> The wife >>> is complaining (about spam) and you know how that can be. :) >>> >>> Thanks in advance. >>> >>> --- >>> Will Y. >>> >>> >>> >>> >>> -- >>> MailScanner mailing list >>> mailscanner@lists.mailscanner.info (mailscanner@lists.mailscanner.info >>> ) >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner (http://lists.mailscanner.info/mailman/listinfo/mailscanner >>> ) >>> >>> Before posting, read http://wiki.mailscanner.info/posting (http://wiki.mailscanner.info/posting >>> ) >>> >>> Support MailScanner development - buy the book off the website! >>> >> >> >> >> -- >> Martin Hepworth >> Oxford, UK >> -- This message has been scanned for viruses and dangerous content >> by MailScanner (http://www.mailscanner.info/), and is believed to >> be clean. >> >> >> >> >> -------------------- m2f -------------------- >> >> Sent using Mail2Forum (http://www.mail2forum.com). 
>> >> Read this topic online here: >> http://www.bluequartz.us/phpBB2/viewtopic.php?p=344064#344064 >> >> -------------------- m2f -------------------- >> >> >> >> >> -- >> This message has been scanned for viruses and >> dangerous content by MailScanner, and is >> believed to be clean. >> >> >> >> This message has been scanned for viruses and dangerous content by >> MailScanner, and is believed to be clean. >> > From lists at openenterprise.ca Fri Jun 26 01:48:29 2009 From: lists at openenterprise.ca (Johnny Stork) Date: Fri Jun 26 01:48:45 2009 Subject: Hotmail porn spam Message-ID: <4A441ADD.5050206@openenterprise.ca> I have seen a significant increase in porn spam coming from mostly hotmail accounts and it is getting through 3 different spam detection systems right now!! I run ASSP on my remote server, then mail is pushed through mailscanner, and then through Astaro Secure Gateway!!! How is this possible? Anyway, is there something I can post here that might help in trying to find a solution (other than blocking all hotmail messages) I am reluctant to post the entire header since there is a great deal of identifying info on my servers. Ideas? -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090625/9e3cfdac/attachment.html From alex at rtpty.com Fri Jun 26 03:09:09 2009 
From: alex at rtpty.com (Alex Neuman) Date: Fri Jun 26 03:09:19 2009 Subject: Hotmail porn spam In-Reply-To: <4A441ADD.5050206@openenterprise.ca> References: <4A441ADD.5050206@openenterprise.ca> Message-ID: <24e3d2e40906251909p39e9b42dm1566e41a4ba7cb00@mail.gmail.com> On Thu, Jun 25, 2009 at 7:48 PM, Johnny Stork wrote: > I have seen a significant increase in porn spam coming from mostly > hotmail accounts and it is getting through 3 different spam detection > systems right now!! > You don't mention if the e-mail actually comes from Hotmail accounts or if it's spoofed hotmail addresses. > > > I run ASSP on my remote server, then mail is pushed through mailscanner, > and then through Astaro Secure Gateway!!! How is this possible? > Well, you start by installing ASSP on the remote server, then you install MailScanner on the second server, and then have the Astaro Secure Gateway process the message at the end. That's how it's possible. > > Anyway, is there something I can post here that might help in trying to > find a solution (other than blocking all hotmail messages) > Yes. You can post everything in pastebin and have it expire. > > I am reluctant to post the entire header since there is a great deal of > identifying info on my servers. > You should be able to obscure the information enough to be able to paste something onto a pastebin page and send it to the list. > > Ideas? > Anything at this point would be purely guessing. My bet is on an overly permissive whitelist. > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- Alex Neuman van der Hans Reliant Technologies +507 6781-9505 +507 202-1525 alex@rtpty.com Skype: alexneuman -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090625/f35ba553/attachment.html
From rwahyudi at gmail.com Fri Jun 26 04:00:54 2009
From: rwahyudi at gmail.com (R Wahyudi)
Date: Fri Jun 26 04:01:04 2009
Subject: Question on reducing load on MailScanner machine
In-Reply-To: <4A43F98A.6020303@fsl.com>
References: <4A43F98A.6020303@fsl.com>
Message-ID: <9173fd7e0906252000t6f53170dh676727ba9cbe516@mail.gmail.com>

> I'd rather throw hardware at the problem to get the queue down to 0.

Unless you have an unlimited amount of funds, I think you should always think of a way to scale horizontally (e.g. adding more machines) instead of scaling up.
For a mail server you will get better performance on 8 x old Pentium 4 servers than having 1 x 8 core server.

Rianto Wahyudi

From gafaith at asdm.net Fri Jun 26 04:14:29 2009
From: gafaith at asdm.net (Gary Faith)
Date: Fri Jun 26 04:14:57 2009
Subject: Spam but no randomly no Spam Report
Message-ID: <4A4404D50200002D00006C96@sparky.asdm.net>

Running MailScanner 4.75.11 on SLES 10 SP2 X86_64. When viewing the information via MailWatch, I see the following on the details page:

SpamAssassin Spam: Y Action(s): store, deliver, header, "X-Spam-Status:, Yes"
High Scoring Spam: N
SpamAssassin Spam: N
Listed in RBL: N
Spam Whitelisted: N
Spam Blacklisted: N
SpamAssassin Autolearn: N
SpamAssassin Score:1.66

The problem is Spam Report is blank. This happens on a few seemingly random messages while most have something in the spamreport field. I have verified in the database that it is definitely null. Any reason why all the data except the spam report would be logged to mysql? Could this be a spamassassin timeout problem?

Thanks,

Gary Faith

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090625/466a8fa1/attachment.html
From gafaith at asdm.net Fri Jun 26 05:08:10 2009
From: gafaith at asdm.net (Gary Faith)
Date: Fri Jun 26 05:08:33 2009
Subject: Spam but no randomly no Spam Report
In-Reply-To: <4A4404D50200002D00006C96@sparky.asdm.net>
References: <4A4404D50200002D00006C96@sparky.asdm.net>
Message-ID: <4A44116A0200002D00006C9B@sparky.asdm.net>

Follow Up! After doing more digging, I believe that I have found the common thread when the problem occurs. The spamreport field only seems to be blank when isspam & isrblspam flags are set. If issaspam and/or ishighspam are set then spamreport has data.

isspam            tinyint(1)     =1
ishighspam        tinyint(1)     =0
issaspam          tinyint(1)     =0
isrblspam         tinyint(1)     =1
spamwhitelisted   tinyint(1)     =0
spamblacklisted   tinyint(1)     =0
sascore           decimal(7,2)   some value
spamreport        text           {Empty}

I hope this helps shine light on my problem. Any ideas why this is happening?

Thanks,

Gary

>>> "Gary Faith" 6/25/2009 11:14 PM >>>
Running MailScanner 4.75.11 on SLES 10 SP2 X86_64. When viewing the information via MailWatch, I see the following on the details page:

SpamAssassin Spam: Y Action(s): store, deliver, header, "X-Spam-Status:, Yes"
High Scoring Spam: N
SpamAssassin Spam: N
Listed in RBL: N
Spam Whitelisted: N
Spam Blacklisted: N
SpamAssassin Autolearn: N
SpamAssassin Score:1.66

The problem is Spam Report is blank. This happens on a few seemingly random messages while most have something in the spamreport field. I have verified in the database that it is definitely null. Any reason why all the data except the spam report would be logged to mysql? Could this be a spamassassin timeout problem?

Thanks,

Gary Faith

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090626/83c27fcf/attachment.html
From J.Ede at birchenallhowden.co.uk Fri Jun 26 09:10:32 2009
From: J.Ede at birchenallhowden.co.uk (Jason Ede) Date: Fri Jun 26 09:11:02 2009 Subject: New wiki page In-Reply-To: <4A43EA46.8030905@alexb.ch> References: <4A43C66A.5070703@ecs.soton.ac.uk> <4A43CD22.6060208@ecs.soton.ac.uk> <4A43EA46.8030905@alexb.ch> Message-ID: <1213490F1F316842A544A850422BFA960F60564389@BHLSBS.bhl.local> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Alex Broens > Sent: 25 June 2009 22:21 > To: MailScanner discussion > Subject: Re: New wiki page > > On 6/25/2009 9:16 PM, Julian Field wrote: > > How about we start with > > > > MTA Blacklists: Zen, BRBL, bl.spamcop.net? > > MTA checks: no invalid recipients or domains at SMTP time, greet- > pause, > > grey-listing? How to get list of valid recipients out of Exchange, or > > configure Exchange to reject invalid recipients at SMTP time? > > ClamAV: sane-security -- Which ones? Where's the table that lists the > > pros and cons? What are the basic ones that everyone should use? > > SA rulesets: SARE, KAM, sought, what others? > > Please do not recommend SARE rules. > They are obsolete and will not get updated so adding them adds little > if > no value and are not worth the resources they use. > Some have been included in SA. > > my TODO list includes a masscheck of ALL of those rule and release a > small subset to be used with SA update on the official sa-update > channel. > This will happen during the SA 3.3.x cycle which will be released soon. I still get quite a few hits with the SARE_Adult ruleset despite it being old... Gets a lot of the enhancement drug emails... DCC - Thats free for non-commercial/educational use isn't it? http://www.rhyolite.com/dcc/ Just copied from their main page. The non-commercial DCC software is distributed under a license that is free only to organizations that do not sell filtering devices or services except to their own users and that participate in the global DCC network. ISPs that use DCC to filter mail for their own users are intended to be covered by the free license. You can redistribute unchanged copies of the free source, but you may not redistribute modified, "fixed," or "improved" versions of the source or binaries. You also can't call it your own or blame anyone for the results of using it. 
Organizations that do not qualify for the free license are welcome to inquire about licensing the commercial version of the DCC software by email to sales@rhyolite.com or via the form I noticed that pyzor has suddenly become active again with new versions this year... http://pyzor.sourceforge.net/index.htm -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090626/758b998c/attachment.html From MailScanner at ecs.soton.ac.uk Fri Jun 26 09:13:46 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Jun 26 09:14:07 2009 Subject: New wiki page In-Reply-To: <4A43EA46.8030905@alexb.ch> References: <4A43C66A.5070703@ecs.soton.ac.uk> <4A43CD22.6060208@ecs.soton.ac.uk> <4A43EA46.8030905@alexb.ch> <4A44833A.2000206@ecs.soton.ac.uk> Message-ID: On 25/06/2009 22:21, Alex Broens wrote: > On 6/25/2009 9:16 PM, Julian Field wrote: >> How about we start with >> >> MTA Blacklists: Zen, BRBL, bl.spamcop.net? >> MTA checks: no invalid recipients or domains at SMTP time, >> greet-pause, grey-listing? How to get list of valid recipients out of >> Exchange, or configure Exchange to reject invalid recipients at SMTP >> time? >> ClamAV: sane-security -- Which ones? Where's the table that lists the >> pros and cons? What are the basic ones that everyone should use? >> SA rulesets: SARE, KAM, sought, what others? > > Please do not recommend SARE rules. > They are obsolete and will not get updated so adding them adds little > if no value and are not worth the resources they use. > Some have been included in SA. > > my TODO list includes a masscheck of ALL of those rule and release a > small subset to be used with SA update on the official sa-update channel. > This will happen during the SA 3.3.x cycle which will be released soon. Okay, thanks for that information. This is exactly the sort of stuff I want to capture. > > > > btw.. has anybody been using/testing MailScanner with SA 3.3.0-trunk? > Jules? No, I was waiting for you to release something I could try. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! 
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Fri Jun 26 09:14:49 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Jun 26 09:15:08 2009 Subject: New wiki page In-Reply-To: References: <4A43C66A.5070703@ecs.soton.ac.uk><4A43CD22.6060208@ecs.soton.ac.uk> <4A448379.403@ecs.soton.ac.uk> Message-ID: On 25/06/2009 21:50, Gerry Maddock wrote: >> How about we start with >> >> MTA Blacklists: Zen, BRBL, bl.spamcop.net? >> MTA checks: no invalid recipients or domains at SMTP time, greet-pause, >> grey-listing? How to get list of valid recipients out of Exchange, or >> configure Exchange to reject invalid recipients at SMTP time? >> ClamAV: sane-security -- Which ones? Where's the table that lists the >> pros and cons? What are the basic ones that everyone should use? >> SA rulesets: SARE, KAM, sought, what others? >> SA tools: razor, DCC, pyzor? >> MailScanner Virus Scanners: clamd, other commercial fast ones? >> sophossavi, f-prot, f-secure? >> MailScanner: Don't use MCP. >> JKF tools: Version 2 of anti-phishing and anti-spear-phishing rulesets. >> DNS: Get feed of ZEN and SURBL, use one DNS server running rbldnsd for >> these zones. >> >> What else have I forgotten? >> >> Please can people start sending me links to the relevant sites/pages for >> everything I have mentioned above, together with a brief summary of what >> is legal/illegal use of anything. >> > Julian, > > Just wondering why you don't recommend MCP? I'm using it currently and > wondering if I should disable it now. > It has a huge processing overhead and as a result is very slow. "SpamAssassin Rule Actions" can do pretty much anything MCP can, and it does it enormously faster. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! 
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Fri Jun 26 09:18:54 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Jun 26 09:19:17 2009 Subject: Question on reducing load on MailScanner machine In-Reply-To: References: <4A44846E.5040802@ecs.soton.ac.uk> Message-ID: On 25/06/2009 21:41, Christopher Fisk wrote: >> The setup used by everyone else in the universe is to >> have multiple MX >> servers sharing the incoming mail load. >> > We have a 10 MX and a 20 MX on a remote site which just queues messages, doesn't check for recipient or for spam. > Which makes your 20 MX a massive spam magnet. > I've never run two mail servers of the same priority, although I'm sure it is easy enough. > Just set the MX values the same, and it will automatically share mail between the two machines. Easy as that. > > >> Let me get this straight. >> You've got a huge mail queue, and yet you have a server >> sitting there >> switched off. >> Dare I suggest you switch it on? >> > This thread is about how I go about doing the actual switching on. Right now it's just extra hardware in case our first server dies. We have it there, the goal is to use it. I want to "switch it on" correctly though. If I didn't start this thread and ask, there is a good chance I would have tried just NFS mounting the hold queue and firing up MailScanner. Obviously that would have been bad per your addition below =) > > So yes, your suggestion to switch it on is the one we're going to do, I just need to make sure I get the configuration correct. This is part of my planning to make sure I do it correctly. > Run it with the same setup as your primary and the same MX priority, with separate queues and no attempts at sharing the queues between the machines. > > >> > There is actually a good chance I will test this out. >> If I do I will inform of the results. >> > >> It won't work. Anyone sane runs multiple MX servers :-) >> > The reason (Might not be a good one!) 
I have shied away from anything more than a backup MX which queues messages if the main MX server goes down is due to the logistics of keeping them both in sync with mail accounts. I'm thinking I will have to move my account database to a third machine or just run it on one of the two I would have in place. > There are a variety of milters which will provide this for you without each machine having to have a copy of your user list. > A third machine seems ideal. > > > >> It does it all via file locking. And that locking is the >> same method >> used by your MTA. And that is not designed to work across >> NFS. So don't >> waste your time trying :) >> > OK, then this method gets shelved. > > Now to present the options to the decision makers. > > > Thank you's all for your time on this! > Always glad to help people get it right first time :-) Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Fri Jun 26 09:41:39 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Jun 26 09:42:04 2009 Subject: Spam but no randomly no Spam Report In-Reply-To: <4A44116A0200002D00006C9B@sparky.asdm.net> References: <4A4404D50200002D00006C96@sparky.asdm.net> <4A44116A0200002D00006C9B@sparky.asdm.net> <4A4489C3.4000203@ecs.soton.ac.uk> Message-ID: Aha, well done for tracking down that case, I've been looking for that bug for ages. Due to your diagnostics I now have what should fix it. Please try the attached patch to /usr/lib/MailScanner/MailScanner/Message.pm and then restart MailScanner. Thanks for helping! Jules. On 26/06/2009 05:08, Gary Faith wrote: > Follow Up! After doing more digging, I believe that I have found the > common thread when the problem occurs. The spamreport field only > seems to be blank when isspam & isrblspam flags are set. If issaspam > and/or ishighspam are set then spamreport has data. > isspam tinyint(1) =1 > ishighspam tinyint(1) =0 > issaspam tinyint(1) =0 > isrblspam tinyint(1) =1 > spamwhitelisted tinyint(1) =0 > spamblacklisted tinyint(1) =0 > sascore decimal(7,2) some value > spamreport text {Empty} > I hope this helps shine light on my problem. Any ideas why this is > happening? > Thanks, > > Gary > > >>> "Gary Faith" 6/25/2009 11:14 PM >>> > Running MailScanner 4.75.11 on SLES 10 SP2 X86_64. When viewing the > information via MailWatch, I see the following on the details page: > SpamAssassin Spam: Y Action(s): store, deliver, header, > "X-Spam-Status:, Yes" > High Scoring Spam: N > SpamAssassin Spam: N > Listed in RBL: N > Spam Whitelisted: N > Spam Blacklisted: N > SpamAssassin Autolearn: N > SpamAssassin Score:1.66 > The problem is Spam Report is blank. This happens on a few seemingly > random messages while most have something in the spamreport field. I > have verified this in the database that it definitely null. Any > reason why all the data except the spam report would be logged to > mysql? Could this be a spamassassin timeout problem? 
> Thanks, > > Gary Faith Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- A non-text attachment was scrubbed... Name: Message.pm.patch.gz Type: application/x-gzip Size: 428 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090626/fd36006d/Message.pm.patch.gz From MailScanner at ecs.soton.ac.uk Fri Jun 26 12:13:43 2009 
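The diagnosis from the "Spam but no randomly no Spam Report" thread above, as an added example that is not part of the original messages or of MailWatch: it groups logged spam by flag combination and counts how many rows in each group have an empty spamreport, which is how the RBL-only case stands out. The column names are the ones Gary quoted; the table name `maillog`, the use of in-memory SQLite in place of MySQL, and every sample row are assumptions constructed for illustration.

```python
import sqlite3

# Columns as quoted in the thread; the table name "maillog" is an assumption.
SCHEMA = """
CREATE TABLE maillog (
    id              TEXT PRIMARY KEY,
    isspam          INTEGER NOT NULL,
    ishighspam      INTEGER NOT NULL,
    issaspam        INTEGER NOT NULL,
    isrblspam       INTEGER NOT NULL,
    spamwhitelisted INTEGER NOT NULL,
    spamblacklisted INTEGER NOT NULL,
    sascore         REAL,
    spamreport      TEXT
)
"""

# Constructed sample rows, not real log data.
# id, isspam, ishighspam, issaspam, isrblspam, whitelisted, blacklisted, sascore, spamreport
SAMPLE_ROWS = [
    ("m1", 1, 0, 1, 0, 0, 0, 7.20, "report text (constructed)"),
    ("m2", 1, 1, 1, 0, 0, 0, 21.40, "report text (constructed)"),
    ("m3", 1, 0, 0, 1, 0, 0, 1.66, None),   # RBL-only hit, report is NULL
    ("m4", 1, 0, 0, 1, 0, 0, 0.90, ""),     # RBL-only hit, report is an empty string
    ("m5", 1, 0, 1, 1, 0, 0, 6.10, "report text (constructed)"),
    ("m6", 0, 0, 0, 0, 0, 0, 0.30, "report text (constructed)"),
    ("m7", 1, 0, 0, 1, 0, 0, 2.40, None),
]

FLAGS = ("ishighspam", "issaspam", "isrblspam")

# One row per flag combination among messages marked as spam, with the number
# of rows whose spamreport is NULL or whitespace-only.
BREAKDOWN_SQL = """
SELECT ishighspam, issaspam, isrblspam,
       COUNT(*) AS total,
       SUM(CASE WHEN spamreport IS NULL OR TRIM(spamreport) = ''
                THEN 1 ELSE 0 END) AS blank
FROM maillog
WHERE isspam = 1
GROUP BY ishighspam, issaspam, isrblspam
ORDER BY blank DESC, total DESC, ishighspam, issaspam, isrblspam
"""


def load_sample():
    """Build the in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO maillog VALUES (?,?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn


def blank_report_breakdown(conn):
    """Return the per-combination counts as a list of dicts."""
    return [dict(row) for row in conn.execute(BREAKDOWN_SQL)]


def always_blank_combinations(conn):
    """Flag combinations for which every spam row has an empty report."""
    return [
        {flag: row[flag] for flag in FLAGS}
        for row in blank_report_breakdown(conn)
        if row["blank"] == row["total"]
    ]


def matches_thread_pattern(conn):
    """True when blank reports occur only on RBL-only spam, as described in the thread."""
    blank_rows = [r for r in blank_report_breakdown(conn) if r["blank"]]
    return bool(blank_rows) and all(
        r["isrblspam"] == 1 and r["issaspam"] == 0 and r["ishighspam"] == 0
        for r in blank_rows
    )


if __name__ == "__main__":
    conn = load_sample()
    for row in blank_report_breakdown(conn):
        print(row)
    print("pattern from the thread holds:", matches_thread_pattern(conn))
```

Running the same breakdown before and after applying a fix shows whether the RBL-only group still accumulates empty reports.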
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Jun 26 12:14:05 2009 Subject: New wiki page In-Reply-To: References: <4A43C66A.5070703@ecs.soton.ac.uk><4A43CD22.6060208@ecs.soton.ac.uk> <4A448379.403@ecs.soton.ac.uk> <4A44AD67.3000702@ecs.soton.ac.uk> Message-ID: Version 1 of the page is up at www.mailscanner.info/gettingthebest.html You might find it has one or two little tricks you didn't know about. Please do also contribute things I should add to it. Let me know what you think! Jules. On 26/06/2009 09:14, Julian Field wrote: > > > On 25/06/2009 21:50, Gerry Maddock wrote: >>> How about we start with >>> >>> MTA Blacklists: Zen, BRBL, bl.spamcop.net? >>> MTA checks: no invalid recipients or domains at SMTP time, greet-pause, >>> grey-listing? How to get list of valid recipients out of Exchange, or >>> configure Exchange to reject invalid recipients at SMTP time? >>> ClamAV: sane-security -- Which ones? Where's the table that lists the >>> pros and cons? What are the basic ones that everyone should use? >>> SA rulesets: SARE, KAM, sought, what others? >>> SA tools: razor, DCC, pyzor? >>> MailScanner Virus Scanners: clamd, other commercial fast ones? >>> sophossavi, f-prot, f-secure? >>> MailScanner: Don't use MCP. >>> JKF tools: Version 2 of anti-phishing and anti-spear-phishing rulesets. >>> DNS: Get feed of ZEN and SURBL, use one DNS server running rbldnsd for >>> these zones. >>> >>> What else have I forgotten? >>> >>> Please can people start sending me links to the relevant sites/pages >>> for >>> everything I have mentioned above, together with a brief summary of >>> what >>> is legal/illegal use of anything. >> Julian, >> >> Just wondering why you don't recommend MCP? I'm using it >> currently and >> wondering if I should disable it now. > It has a huge processing overhead and as a result is very slow. > "SpamAssassin Rule Actions" can do pretty much anything MCP can, and > it does it enormously faster. 
>
> Jules
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From ms-list at alexb.ch Fri Jun 26 12:29:10 2009
From: ms-list at alexb.ch (Alex Broens)
Date: Fri Jun 26 12:29:19 2009
Subject: New wiki page
In-Reply-To:
References: <4A43C66A.5070703@ecs.soton.ac.uk><4A43CD22.6060208@ecs.soton.ac.uk> <4A448379.403@ecs.soton.ac.uk> <4A44AD67.3000702@ecs.soton.ac.uk>
Message-ID: <4A44B106.6040808@alexb.ch>

On 6/26/2009 1:13 PM, Julian Field wrote:
> Version 1 of the page is up at www.mailscanner.info/gettingthebest.html
>
> You might find it has one or two little tricks you didn't know about.
>
> Please do also contribute things I should add to it.
>
> Let me know what you think!

Your provision to download KAM rules directly will hammer the server.

KAM's rules are included in sa-update AFTER masschecks and deemed fit for wide production usage.

Any rule updates via direct downloads should be discouraged. They should use sa-update channels which are prepared to handle the load.

From uxbod at splatnix.net Fri Jun 26 12:33:00 2009
From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Fri Jun 26 12:33:14 2009 Subject: New wiki page In-Reply-To: Message-ID: <3323762.3861246015980636.JavaMail.root@office.splatnix.net> ----- "Julian Field" wrote: > Version 1 of the page is up at www.mailscanner.info/gettingthebest.html > > You might find it has one or two little tricks you didn't know about. > > Please do also contribute things I should add to it. > > Let me know what you think! > > Jules. > > On 26/06/2009 09:14, Julian Field wrote: > > > > > > On 25/06/2009 21:50, Gerry Maddock wrote: > >>> How about we start with > >>> > >>> MTA Blacklists: Zen, BRBL, bl.spamcop.net? > >>> MTA checks: no invalid recipients or domains at SMTP time, greet-pause, > >>> grey-listing? How to get list of valid recipients out of Exchange, or > >>> configure Exchange to reject invalid recipients at SMTP time? > >>> ClamAV: sane-security -- Which ones? Where's the table that lists the > >>> pros and cons? What are the basic ones that everyone should use? > >>> SA rulesets: SARE, KAM, sought, what others? > >>> SA tools: razor, DCC, pyzor? > >>> MailScanner Virus Scanners: clamd, other commercial fast ones? > >>> sophossavi, f-prot, f-secure? > >>> MailScanner: Don't use MCP. > >>> JKF tools: Version 2 of anti-phishing and anti-spear-phishing rulesets. > >>> DNS: Get feed of ZEN and SURBL, use one DNS server running rbldnsd for > >>> these zones. > >>> > >>> What else have I forgotten? > >>> > >>> Please can people start sending me links to the relevant sites/pages > >>> for > >>> everything I have mentioned above, together with a brief summary of > >>> what > >>> is legal/illegal use of anything. > >> Julian, > >> > >> Just wondering why you don't recommend MCP? I'm using it > >> currently and > >> wondering if I should disable it now. > > It has a huge processing overhead and as a result is very slow. > > "SpamAssassin Rule Actions" can do pretty much anything MCP can, and > > it does it enormously faster. 
> > > > Jules > > > > Jules > > Looks good Jules :) Best Regards, -- SplatNIX IT Services :: Innovation through collaboration From MailScanner at ecs.soton.ac.uk Fri Jun 26 12:34:41 2009 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Jun 26 12:35:04 2009 Subject: New wiki page In-Reply-To: <4A44B106.6040808@alexb.ch> References: <4A43C66A.5070703@ecs.soton.ac.uk><4A43CD22.6060208@ecs.soton.ac.uk> <4A448379.403@ecs.soton.ac.uk> <4A44AD67.3000702@ecs.soton.ac.uk> <4A44B106.6040808@alexb.ch> <4A44B251.4020906@ecs.soton.ac.uk> Message-ID: On 26/06/2009 12:29, Alex Broens wrote: > On 6/26/2009 1:13 PM, Julian Field wrote: >> Version 1 of the page is up at www.mailscanner.info/gettingthebest.html >> >> You might find it has one or two little tricks you didn't know about. >> >> Please do also contribute things I should add to it. >> >> Let me know what you think! > > your provosion to download KAM rules directly will hammer the server. > > KAM's rules are included in sa-update AFTER masschecks and deemed fit > for wide production usage. What are the details for using KAM within sa-update, and where is it documented? My script only runs once per day, and includes a random delay at startup to spread the load on the servers. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From stef at aoc-uk.com Fri Jun 26 12:39:54 2009 
From: stef at aoc-uk.com (Stef Morrell)
Date: Fri Jun 26 12:39:46 2009
Subject: Semi-OT: Rule2XSBody
Message-ID: <200906261139.n5QBdcgC015959@safir.blacknight.ie>

Hello,

I see the new wiki page recommends compiling the regex for the Rule2XSBody plugin.

What I can't see from the Rule2XSBody or sa-compile documentation is how this copes with rule changes.

A quick google only had one opinion (http://www.davidpashley.com/blog/debian/sa-compile) which suggests for every rule change, a new compile is required.

Unfortunately, it takes quite a long time to compile all the rules and considering the download of Julian's spear phishing every hour, I could end up spending more CPU time compiling rules, than applying them to spam.

The question then, is how to resolve the dichotomy. I may well have rules which supersede, replace, or add to the compiled rules. Equally, some of the compiled rules may be out of date and shouldn't be there.

Do I, in fact, need to perform a new compile for each and every rule change (in which case, it's not worth me using compiled rules) or does spamassassin somehow 'know' which rules have changed in the source files, so I can run a compile perhaps once a day.

Thanks

Stef

--
Stefan Morrell | Operations Director
Tel: 0845 3452820 | Alpha Omega Computers Ltd
Fax: 0845 3452830 | Incorporating Level 5 Internet
stef@aoc-uk.com | stef@l5net.net

Standard Disclaimer: http://www.aoc-uk.com/16.asp

Alpha Omega Computers Ltd, Batley Technology Centre, Grange Road, Batley, WF17 6ER.
Registered in England No. 3867142. VAT No. GB734421454

From ms-list at alexb.ch Fri Jun 26 12:48:57 2009
From: ms-list at alexb.ch (Alex Broens) Date: Fri Jun 26 12:49:05 2009 Subject: New wiki page In-Reply-To: References: <4A43C66A.5070703@ecs.soton.ac.uk><4A43CD22.6060208@ecs.soton.ac.uk> <4A448379.403@ecs.soton.ac.uk> <4A44AD67.3000702@ecs.soton.ac.uk> <4A44B106.6040808@alexb.ch> <4A44B251.4020906@ecs.soton.ac.uk> Message-ID: <4A44B5A9.90905@alexb.ch> On 6/26/2009 1:34 PM, Julian Field wrote: > > > On 26/06/2009 12:29, Alex Broens wrote: >> On 6/26/2009 1:13 PM, Julian Field wrote: >>> Version 1 of the page is up at www.mailscanner.info/gettingthebest.html >>> >>> You might find it has one or two little tricks you didn't know about. >>> >>> Please do also contribute things I should add to it. >>> >>> Let me know what you think! >> >> your provosion to download KAM rules directly will hammer the server. >> >> KAM's rules are included in sa-update AFTER masschecks and deemed fit >> for wide production usage. > What are the details for using KAM within sa-update, and where is it > documented? They are included in SA's sa-update when he submits for inclusion. His personal rules file contains old stock rules, etc etc, is pretty large in size and blindly using it will add memory usage with questionable hit efficiency. > My script only runs once per day, and includes a random delay at startup > to spread the load on the servers. You are still hitting someone's (probably) personal server on a regular basis. Does Kevin know you encourage many thousand MS users to do this? Alex From MailScanner at ecs.soton.ac.uk Fri Jun 26 13:36:21 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Jun 26 13:36:43 2009 Subject: Semi-OT: Rule2XSBody In-Reply-To: <200906261139.n5QBdcgC015959@safir.blacknight.ie> References: <200906261139.n5QBdcgC015959@safir.blacknight.ie> <4A44C0C5.3050802@ecs.soton.ac.uk> Message-ID: On 26/06/2009 12:39, Stef Morrell wrote: > Hello, > > I see the new wiki page recommends compiling the regex for the > Rule2XSBody plugin. > > What I can't see from the Rule2XSBody or sa-compile documentation is how > this copes with rule changes. > > A quick google only had one opinion > (http://www.davidpashley.com/blog/debian/sa-compile) which suggests for > every rule change, a new compile is required. > > Unfortunately, it takes quite a long time to compile all the rules and > considering the download of Julian's spear phishing every hour, I could > end up spending more CPU time compiling rules, than applying them to > spam. > > The question then, is how to resolve the dichotomy. I may well have > rules which supercede, replace, or add to the compiled rules. Equally, > some of the compiled rules may be out of date and shouldn't be there. > > Do I, in fact, need to perform a new compile for each and every rule > change (in which case, it's not worth me using compiled rules) or does > spamassassin somehow 'know' which rules have changed in the source > files, so I can run a compile perhaps once a day. > > Rules that aren't sa-compiled will still be used, and you don't have to compile all your local rulesets. I just run sa-compile after sa-update in /usr/sbin/update_spamassassin and leave all my local rulesets as is. Seems to work fine for me. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! 
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Fri Jun 26 13:39:49 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Jun 26 13:40:06 2009 Subject: New wiki page In-Reply-To: <4A44B5A9.90905@alexb.ch> References: <4A43C66A.5070703@ecs.soton.ac.uk><4A43CD22.6060208@ecs.soton.ac.uk> <4A448379.403@ecs.soton.ac.uk> <4A44AD67.3000702@ecs.soton.ac.uk> <4A44B106.6040808@alexb.ch> <4A44B251.4020906@ecs.soton.ac.uk> <4A44B5A9.90905@alexb.ch> <4A44C195.4090304@ecs.soton.ac.uk> Message-ID: On 26/06/2009 12:48, Alex Broens wrote: > On 6/26/2009 1:34 PM, Julian Field wrote: >> >> >> On 26/06/2009 12:29, Alex Broens wrote: >>> On 6/26/2009 1:13 PM, Julian Field wrote: >>>> Version 1 of the page is up at >>>> www.mailscanner.info/gettingthebest.html >>>> >>>> You might find it has one or two little tricks you didn't know about. >>>> >>>> Please do also contribute things I should add to it. >>>> >>>> Let me know what you think! >>> >>> your provosion to download KAM rules directly will hammer the server. >>> >>> KAM's rules are included in sa-update AFTER masschecks and deemed >>> fit for wide production usage. >> What are the details for using KAM within sa-update, and where is it >> documented? > > They are included in SA's sa-update when he submits for inclusion. But his ruleset appears to change with great frequency. How often does he submit rules to SA for inclusion in the main sa-update run? > His personal rules file contains old stock rules, etc etc, is pretty > large in size and blindly using it will add memory usage with > questionable hit efficiency. It's always worked very nicely for me, which is why I put in on my page. > >> My script only runs once per day, and includes a random delay at >> startup to spread the load on the servers. > > You are still hitting someone's (probably) personal server on a > regular basis. Does Kevin know you encourage many thousand MS users to > do this? Spread around the world, it's only a few thousand an hour, that isn't much traffic. 
Most people are happy to see their work getting some use, he has never complained to anyone that I'm aware of. If he needs more bandwidth, he is welcome to ask me for some help in that area. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From stef at aoc-uk.com Fri Jun 26 13:42:18 2009 From: stef at aoc-uk.com (Stef Morrell) Date: Fri Jun 26 13:42:16 2009 Subject: Semi-OT: Rule2XSBody In-Reply-To: References: <200906261139.n5QBdcgC015959@safir.blacknight.ie><4A44C0C5.3050802@ecs.soton.ac.uk> Message-ID: <200906261242.n5QCg46I019964@safir.blacknight.ie> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Julian Field > > On 26/06/2009 12:39, Stef Morrell wrote: > > Hello, > > > > I see the new wiki page recommends compiling the regex for the > > Rule2XSBody plugin. > > > > What I can't see from the Rule2XSBody or sa-compile > documentation is > > how this copes with rule changes. > > > > A quick google only had one opinion > > (http://www.davidpashley.com/blog/debian/sa-compile) which suggests > > for every rule change, a new compile is required. > > > > Unfortunately, it takes quite a long time to compile all > the rules and > > considering the download of Julian's spear phishing every hour, I > > could end up spending more CPU time compiling rules, than applying > > them to spam. > > > > The question then, is how to resolve the dichotomy. I may well have > > rules which supercede, replace, or add to the compiled > rules. Equally, > > some of the compiled rules may be out of date and shouldn't > be there. > > > > Do I, in fact, need to perform a new compile for each and > every rule > > change (in which case, it's not worth me using compiled > rules) or does > > spamassassin somehow 'know' which rules have changed in the source > > files, so I can run a compile perhaps once a day. > > > > > Rules that aren't sa-compiled will still be used, and you > don't have to compile all your local rulesets. I just run > sa-compile after sa-update in /usr/sbin/update_spamassassin > and leave all my local rulesets as is. > Seems to work fine for me. That's almost certainly ideal. How does one explain to sa-compile that it should ignore local rulesets? Stef From ms-list at alexb.ch Fri Jun 26 13:59:12 2009 
From: ms-list at alexb.ch (Alex Broens) Date: Fri Jun 26 13:59:22 2009 Subject: New wiki page In-Reply-To: References: <4A43C66A.5070703@ecs.soton.ac.uk><4A43CD22.6060208@ecs.soton.ac.uk> <4A448379.403@ecs.soton.ac.uk> <4A44AD67.3000702@ecs.soton.ac.uk> <4A44B106.6040808@alexb.ch> <4A44B251.4020906@ecs.soton.ac.uk> <4A44B5A9.90905@alexb.ch> <4A44C195.4090304@ecs.soton.ac.uk> Message-ID: <4A44C620.201@alexb.ch> On 6/26/2009 2:39 PM, Julian Field wrote: > > > On 26/06/2009 12:48, Alex Broens wrote: >> On 6/26/2009 1:34 PM, Julian Field wrote: >>> >>> >>> On 26/06/2009 12:29, Alex Broens wrote: >>>> On 6/26/2009 1:13 PM, Julian Field wrote: >>>>> Version 1 of the page is up at >>>>> www.mailscanner.info/gettingthebest.html >>>>> >>>>> You might find it has one or two little tricks you didn't know about. >>>>> >>>>> Please do also contribute things I should add to it. >>>>> >>>>> Let me know what you think! >>>> >>>> your provosion to download KAM rules directly will hammer the server. >>>> >>>> KAM's rules are included in sa-update AFTER masschecks and deemed >>>> fit for wide production usage. >>> What are the details for using KAM within sa-update, and where is it >>> documented? >> >> They are included in SA's sa-update when he submits for inclusion. > But his ruleset appears to change with great frequency. How often does > he submit rules to SA for inclusion in the main sa-update run? >> His personal rules file contains old stock rules, etc etc, is pretty >> large in size and blindly using it will add memory usage with >> questionable hit efficiency. > It's always worked very nicely for me, which is why I put in on my page. > > >>> My script only runs once per day, and includes a random delay at >>> startup to spread the load on the servers. >> >> You are still hitting someone's (probably) personal server on a >> regular basis. Does Kevin know you encourage many thousand MS users to >> do this? 
> Spread around the world, it's only a few thousand an hour, that isn't
> much traffic. Most people are happy to see their work getting some use,
> he has never complained to anyone that I'm aware of.
>
> If he needs more bandwidth, he is welcome to ask me for some help in
> that area.

Like so many similar cases, it's nice while it lasts.

He won't ask, he doesn't even know who is sending him the hits, it would be polite to ask him and/or mirror the data on your site on a daily basis and have your users pick it up there.

Ppl do get tired of freeriders, especially when they see that their work is often included in commercial services and apps and not even asked or acknowledged. It was one of the reasons the SARE project died a premature death, and which prevents many ppl from starting new ones.

Alex
From MailScanner at ecs.soton.ac.uk Fri Jun 26 14:07:01 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Jun 26 14:07:19 2009
Subject: Semi-OT: Rule2XSBody
In-Reply-To: <200906261242.n5QCg46I019964@safir.blacknight.ie>
References: <200906261139.n5QBdcgC015959@safir.blacknight.ie><4A44C0C5.3050802@ecs.soton.ac.uk> <200906261242.n5QCg46I019964@safir.blacknight.ie> <4A44C7F5.5040905@ecs.soton.ac.uk>
Message-ID:

On 26/06/2009 13:42, Stef Morrell wrote:
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf >> Of Julian Field >> >> On 26/06/2009 12:39, Stef Morrell wrote: >> >>> Hello, >>> >>> I see the new wiki page recommends compiling the regex for the >>> Rule2XSBody plugin. >>> >>> What I can't see from the Rule2XSBody or sa-compile >>> >> documentation is >> >>> how this copes with rule changes. >>> >>> A quick google only had one opinion >>> (http://www.davidpashley.com/blog/debian/sa-compile) which suggests >>> for every rule change, a new compile is required. >>> >>> Unfortunately, it takes quite a long time to compile all >>> >> the rules and >> >>> considering the download of Julian's spear phishing every hour, I >>> could end up spending more CPU time compiling rules, than applying >>> them to spam. >>> >>> The question then, is how to resolve the dichotomy. I may well have >>> rules which supercede, replace, or add to the compiled >>> >> rules. Equally, >> >>> some of the compiled rules may be out of date and shouldn't >>> >> be there. >> >>> Do I, in fact, need to perform a new compile for each and >>> >> every rule >> >>> change (in which case, it's not worth me using compiled >>> >> rules) or does >> >>> spamassassin somehow 'know' which rules have changed in the source >>> files, so I can run a compile perhaps once a day. >>> >>> >>> >> Rules that aren't sa-compiled will still be used, and you >> don't have to compile all your local rulesets. I just run >> sa-compile after sa-update in /usr/sbin/update_spamassassin >> and leave all my local rulesets as is. >> Seems to work fine for me. >> > That's almost certainly ideal. How does one explain to sa-compile that > it should ignore local rulesets? > You don't appear to need to, it only compiles what it finds under /var/lib/spamassassin. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? 
Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From jonas at vrt.dk Fri Jun 26 14:14:38 2009 
From: jonas at vrt.dk (Jonas A. Larsen)
Date: Fri Jun 26 14:14:52 2009
Subject: New wiki page
In-Reply-To:
References: <4A43C66A.5070703@ecs.soton.ac.uk><4A43CD22.6060208@ecs.soton.ac.uk> <4A448379.403@ecs.soton.ac.uk> <4A44AD67.3000702@ecs.soton.ac.uk> <4A44B106.6040808@alexb.ch> <4A44B251.4020906@ecs.soton.ac.uk> <4A44B5A9.90905@alexb.ch> <4A44C195.4090304@ecs.soton.ac.uk>
Message-ID: <003601c9f660$0f0bba90$2d232fb0$@dk>

Sorry for breaking the thread I had deleted the first post.

My input would be:

Definitely NOT put the barracuda RBL in any MTA, it's not at all that trustworthy, according to my tests, I have it in SA.

Also I use the hostkarma rbl's with pretty good success, here are my rules:

header __RCVD_IN_JMF eval:check_rbl('JMF-lastexternal','hostkarma.junkemailfilter.com.')
describe __RCVD_IN_JMF Sender listed in JunkEmailFilter
tflags __RCVD_IN_JMF net

header RCVD_IN_JMF_W eval:check_rbl_sub('JMF-lastexternal', '127.0.0.1')
describe RCVD_IN_JMF_W Sender listed in JMF-WHITE
tflags RCVD_IN_JMF_W net nice
score RCVD_IN_JMF_W -1.5

header RCVD_IN_JMF_BL eval:check_rbl_sub('JMF-lastexternal', '127.0.0.2')
describe RCVD_IN_JMF_BL Sender listed in JMF-BLACK
tflags RCVD_IN_JMF_BL net
score RCVD_IN_JMF_BL 1.5

header RCVD_IN_JMF_BR eval:check_rbl_sub('JMF-lastexternal', '127.0.0.4')
describe RCVD_IN_JMF_BR Sender listed in JMF-BROWN
tflags RCVD_IN_JMF_BR net
score RCVD_IN_JMF_BR 0.6

That's what I find missing from the wiki that's generally recommendable, I also use uceprotect's rbl's but they are a bit too aggressive for general recommendation in my opinion.

Med venlig hilsen / Best regards

Jonas Akrouh Larsen
TechBiz ApS
Laplandsgade 4, 2. sal
2300 København S
Office: 7020 0979
Direct: 3336 9974
Mobile: 5120 1096
Fax: 7020 0978
Web: www.techbiz.dk
From stef at aoc-uk.com Fri Jun 26 14:19:57 2009
From: stef at aoc-uk.com (Stef Morrell) Date: Fri Jun 26 14:19:50 2009 Subject: Semi-OT: Rule2XSBody - resolved. In-Reply-To: References: <200906261139.n5QBdcgC015959@safir.blacknight.ie><4A44C0C5.3050802@ecs.soton.ac.uk> <200906261242.n5QCg46I019964@safir.blacknight.ie><4A44C7F5.5040905@ecs.soton.ac.uk> Message-ID: <200906261319.n5QDJf0c023186@safir.blacknight.ie> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Julian Field > Sent: 26 June 2009 14:07 > > On 26/06/2009 13:42, Stef Morrell wrote: > >> -----Original Message----- 
> >> From: mailscanner-bounces@lists.mailscanner.info > >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of > >> Julian Field > >> > >> On 26/06/2009 12:39, Stef Morrell wrote: > >> > >>> Hello, > >>> > >>> I see the new wiki page recommends compiling the regex for the > >>> Rule2XSBody plugin. > >>> > >>> What I can't see from the Rule2XSBody or sa-compile > >>> > >> documentation is > >> > >>> how this copes with rule changes. > >>> > >>> A quick google only had one opinion > >>> (http://www.davidpashley.com/blog/debian/sa-compile) > which suggests > >>> for every rule change, a new compile is required. > >>> > >>> Unfortunately, it takes quite a long time to compile all > >>> > >> the rules and > >> > >>> considering the download of Julian's spear phishing every hour, I > >>> could end up spending more CPU time compiling rules, than > applying > >>> them to spam. > >>> > >>> The question then, is how to resolve the dichotomy. I may > well have > >>> rules which supercede, replace, or add to the compiled > >>> > >> rules. Equally, > >> > >>> some of the compiled rules may be out of date and shouldn't > >>> > >> be there. > >> > >>> Do I, in fact, need to perform a new compile for each and > >>> > >> every rule > >> > >>> change (in which case, it's not worth me using compiled > >>> > >> rules) or does > >> > >>> spamassassin somehow 'know' which rules have changed in > the source > >>> files, so I can run a compile perhaps once a day. > >>> > >>> > >>> > >> Rules that aren't sa-compiled will still be used, and you > don't have > >> to compile all your local rulesets. I just run sa-compile after > >> sa-update in /usr/sbin/update_spamassassin and leave all my local > >> rulesets as is. > >> Seems to work fine for me. > >> > > That's almost certainly ideal. How does one explain to > sa-compile that > > it should ignore local rulesets? > > > You don't appear to need to, it only compiles what it finds > under /var/lib/spamassassin. 
It's not very clear from the documentation. "sa-compile uses re2c to compile the site-wide parts..." To my mind, /etc/mail/spamassassin is 'site-wide'. Still, that's useful to know and solves my problem. Many thanks. Stef From prandal at herefordshire.gov.uk Fri Jun 26 15:04:05 2009 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Fri Jun 26 15:04:31 2009 Subject: Semi-OT: Rule2XSBody - resolved. In-Reply-To: <200906261319.n5QDJf0c023186@safir.blacknight.ie> References: <200906261139.n5QBdcgC015959@safir.blacknight.ie><4A44C0C5.3050802@ecs.soton.ac.uk> <200906261242.n5QCg46I019964@safir.blacknight.ie><4A44C7F5.5040905@ecs.soton.ac.uk> <200906261319.n5QDJf0c023186@safir.blacknight.ie> Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA071610F1@HC-MBX02.herefordshire.gov.uk> Stef Morrell wrote: >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of >> Julian Field Sent: 26 June 2009 14:07 >> >> On 26/06/2009 13:42, Stef Morrell wrote: >>>> -----Original Message----- 
>>>> From: mailscanner-bounces@lists.mailscanner.info >>>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of >>>> Julian Field >>>> >>>> On 26/06/2009 12:39, Stef Morrell wrote: >>>> >>>>> Hello, >>>>> >>>>> I see the new wiki page recommends compiling the regex for the >>>>> Rule2XSBody plugin. >>>>> >>>>> What I can't see from the Rule2XSBody or sa-compile >>>>> >>>> documentation is >>>> >>>>> how this copes with rule changes. >>>>> >>>>> A quick google only had one opinion >>>>> (http://www.davidpashley.com/blog/debian/sa-compile) which >>>>> suggests for every rule change, a new compile is required. >>>>> >>>>> Unfortunately, it takes quite a long time to compile all >>>>> >>>> the rules and >>>> >>>>> considering the download of Julian's spear phishing every hour, I >>>>> could end up spending more CPU time compiling rules, than >>>>> applying them to spam. >>>>> >>>>> The question then, is how to resolve the dichotomy. I may well >>>>> have rules which supercede, replace, or add to the compiled >>>>> >>>> rules. Equally, >>>> >>>>> some of the compiled rules may be out of date and shouldn't >>>>> >>>> be there. >>>> >>>>> Do I, in fact, need to perform a new compile for each and >>>>> >>>> every rule >>>> >>>>> change (in which case, it's not worth me using compiled >>>>> >>>> rules) or does >>>> >>>>> spamassassin somehow 'know' which rules have changed in the source >>>>> files, so I can run a compile perhaps once a day. >>>>> >>>>> >>>>> >>>> Rules that aren't sa-compiled will still be used, and you don't >>>> have to compile all your local rulesets. I just run sa-compile >>>> after sa-update in /usr/sbin/update_spamassassin and leave all my >>>> local rulesets as is. Seems to work fine for me. >>>> >>> That's almost certainly ideal. How does one explain to sa-compile >>> that it should ignore local rulesets? >>> >> You don't appear to need to, it only compiles what it finds under >> /var/lib/spamassassin. 
> > It's not very clear from the documentation. "sa-compile uses re2c to > compile the site-wide parts..." To my mind, /etc/mail/spamassassin is > 'site-wide'. > > Still, that's useful to know and solves my problem. Many thanks. > > Stef Hmmm, I've just checked both the sa-compile source and the generated rules here, and it does use the stuff it finds in /etc/mail/spamassassin. There doesn't seem any way to stop it from doing so. Cheers, Phil -- Phil Randal | Networks Engineer Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division Thorn Office Centre, Rotherwas, Hereford, HR2 6JT Tel: 01432 260160 email: prandal@herefordshire.gov.uk Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Herefordshire Council. This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it. From MailScanner at ecs.soton.ac.uk Fri Jun 26 15:12:30 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Jun 26 15:12:52 2009 Subject: Semi-OT: Rule2XSBody - resolved. In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA071610F1@HC-MBX02.herefordshire.gov.uk> References: <200906261139.n5QBdcgC015959@safir.blacknight.ie><4A44C0C5.3050802@ecs.soton.ac.uk> <200906261242.n5QCg46I019964@safir.blacknight.ie><4A44C7F5.5040905@ecs.soton.ac.uk> <200906261319.n5QDJf0c023186@safir.blacknight.ie> <7EF0EE5CB3B263488C8C18823239BEBA071610F1@HC-MBX02.herefordshire.gov.uk> <4A44D74E.2090901@ecs.soton.ac.uk> Message-ID: On 26/06/2009 15:04, Randal, Phil wrote: > Stef Morrell wrote: > >>> -----Original Message----- >>> From: mailscanner-bounces@lists.mailscanner.info >>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of >>> Julian Field Sent: 26 June 2009 14:07 >>> >>> On 26/06/2009 13:42, Stef Morrell wrote: >>> >>>>> -----Original Message----- 
>>>>> From: mailscanner-bounces@lists.mailscanner.info >>>>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of >>>>> Julian Field >>>>> >>>>> On 26/06/2009 12:39, Stef Morrell wrote: >>>>> >>>>> >>>>>> Hello, >>>>>> >>>>>> I see the new wiki page recommends compiling the regex for the >>>>>> Rule2XSBody plugin. >>>>>> >>>>>> What I can't see from the Rule2XSBody or sa-compile >>>>>> >>>>>> >>>>> documentation is >>>>> >>>>> >>>>>> how this copes with rule changes. >>>>>> >>>>>> A quick google only had one opinion >>>>>> (http://www.davidpashley.com/blog/debian/sa-compile) which >>>>>> suggests for every rule change, a new compile is required. >>>>>> >>>>>> Unfortunately, it takes quite a long time to compile all >>>>>> >>>>>> >>>>> the rules and >>>>> >>>>> >>>>>> considering the download of Julian's spear phishing every hour, I >>>>>> could end up spending more CPU time compiling rules, than >>>>>> applying them to spam. >>>>>> >>>>>> The question then, is how to resolve the dichotomy. I may well >>>>>> have rules which supercede, replace, or add to the compiled >>>>>> >>>>>> >>>>> rules. Equally, >>>>> >>>>> >>>>>> some of the compiled rules may be out of date and shouldn't >>>>>> >>>>>> >>>>> be there. >>>>> >>>>> >>>>>> Do I, in fact, need to perform a new compile for each and >>>>>> >>>>>> >>>>> every rule >>>>> >>>>> >>>>>> change (in which case, it's not worth me using compiled >>>>>> >>>>>> >>>>> rules) or does >>>>> >>>>> >>>>>> spamassassin somehow 'know' which rules have changed in the source >>>>>> files, so I can run a compile perhaps once a day. >>>>>> >>>>>> >>>>>> >>>>>> >>>>> Rules that aren't sa-compiled will still be used, and you don't >>>>> have to compile all your local rulesets. I just run sa-compile >>>>> after sa-update in /usr/sbin/update_spamassassin and leave all my >>>>> local rulesets as is. Seems to work fine for me. >>>>> >>>>> >>>> That's almost certainly ideal. 
How does one explain to sa-compile >>>> that it should ignore local rulesets? >>>> >>>> >>> You don't appear to need to, it only compiles what it finds under >>> /var/lib/spamassassin. >>> >> It's not very clear from the documentation. "sa-compile uses re2c to >> compile the site-wide parts..." To my mind, /etc/mail/spamassassin is >> 'site-wide'. >> >> Still, that's useful to know and solves my problem. Many thanks. >> >> Stef >> > Hmmm, I've just checked both the sa-compile source and the generated > rules here, and it does use the stuff it finds in > /etc/mail/spamassassin. > But does it still use the uncompiled rules if they have been replaced since the last sa-compile, or do we need to re-do sa-compile every time we update any rules anywhere? Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From john at tradoc.fr Fri Jun 26 15:22:57 2009 
From: john at tradoc.fr (John Wilcock)
Date: Fri Jun 26 15:23:06 2009
Subject: Semi-OT: Rule2XSBody - resolved.
In-Reply-To:
References: <200906261139.n5QBdcgC015959@safir.blacknight.ie><4A44C0C5.3050802@ecs.soton.ac.uk> <200906261242.n5QCg46I019964@safir.blacknight.ie><4A44C7F5.5040905@ecs.soton.ac.uk> <200906261319.n5QDJf0c023186@safir.blacknight.ie> <7EF0EE5CB3B263488C8C18823239BEBA071610F1@HC-MBX02.herefordshire.gov.uk> <4A44D74E.2090901@ecs.soton.ac.uk>
Message-ID: <4A44D9C1.6070304@tradoc.fr>

On 26/06/2009 16:12, Julian Field wrote:
> But does it still use the uncompiled rules if they have been replaced
> since the last sa-compile, or do we need to re-do sa-compile every time
> we update any rules anywhere?

Yes, it uses the new uncompiled version of an updated rule. You can see this easily by doing a spamassassin --debug which will give you the message

dbg: zoom: skipping rule WHATEVER, code differs in compiled ruleset

and instead use the new version of the rule.

John.

--
-- Over 3000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages - www.tradoc.fr
From prandal at herefordshire.gov.uk Fri Jun 26 15:35:40 2009
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Fri Jun 26 15:35:56 2009
Subject: Semi-OT: Rule2XSBody - resolved.
In-Reply-To:
References: <200906261139.n5QBdcgC015959@safir.blacknight.ie><4A44C0C5.3050802@ecs.soton.ac.uk> <200906261242.n5QCg46I019964@safir.blacknight.ie><4A44C7F5.5040905@ecs.soton.ac.uk> <200906261319.n5QDJf0c023186@safir.blacknight.ie><7EF0EE5CB3B263488C8C18823239BEBA071610F1@HC-MBX02.herefordshire.gov.uk><4A44D74E.2090901@ecs.soton.ac.uk>
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA07161116@HC-MBX02.herefordshire.gov.uk>

Julian Field wrote:

> But does it still use the uncompiled rules if they have been replaced
> since the last sa-compile, or do we need to re-do sa-compile every
> time we update any rules anywhere?
>
> Jules

In Rule2XSBody.pm :

    if ($comprule ne $rule) {
      dbg "zoom: skipping rule $name, code differs in compiled ruleset";
      next;
    }

After a quick test to verify the above the answer is that we don't need to.

Fabulous!

That probably needs noting on the wiki.

Cheers,

Phil

--
Phil Randal | Networks Engineer
Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: prandal@herefordshire.gov.uk

Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Herefordshire Council. This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it.
From stef at aoc-uk.com Fri Jun 26 15:51:57 2009
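The fallback described in the two messages above can be measured from the debug output. This is an added example, not code from the thread or from SpamAssassin: it collects the rules named in the "zoom: skipping rule" message and groups them by the ruleset that defines them, so the amount of stale compiled code is visible before another sa-compile is scheduled. The debug lines, rule names and file labels are constructed.

```python
"""Report which sa-compiled body rules have fallen back to the interpreter."""
import re
from collections import defaultdict

# Message text as quoted in the thread; any prefix (timestamp, PID) is ignored.
SKIP_RE = re.compile(
    r"dbg: zoom: skipping rule (\S+), code differs in compiled ruleset"
)
# A regex body rule in a .cf file: "body NAME /pattern/". eval: rules are skipped.
BODY_RE = re.compile(r"^\s*body\s+(\S+)\s+(?!eval:)\S")

# Constructed debug output: two scanner children report overlapping rules.
SAMPLE_DEBUG = """\
[4021] dbg: example: unrelated debug line
[4021] dbg: zoom: skipping rule EXAMPLE_PHISH_1, code differs in compiled ruleset
[4021] dbg: zoom: skipping rule EXAMPLE_LOCAL_BODY, code differs in compiled ruleset
[4022] dbg: zoom: skipping rule EXAMPLE_PHISH_1, code differs in compiled ruleset
[4022] dbg: zoom: skipping rule EXAMPLE_CHANNEL_RULE, code differs in compiled ruleset
"""

# Constructed rulesets, keyed by a hypothetical file label.
SAMPLE_RULESETS = {
    "hourly-phishing.cf": (
        "body EXAMPLE_PHISH_1 /verify your mailbox quota/i\n"
        "body EXAMPLE_PHISH_2 /confirm your webmail password/i\n"
    ),
    "local.cf": (
        "body EXAMPLE_LOCAL_BODY /cheap replica watches/i\n"
        "score EXAMPLE_LOCAL_BODY 2.0\n"
    ),
}


def stale_compiled_rules(debug_lines):
    """Rule names reported as stale, de-duplicated, in first-seen order."""
    seen = {}
    for line in debug_lines:
        match = SKIP_RE.search(line)
        if match:
            seen.setdefault(match.group(1), None)
    return list(seen)


def body_rules_by_source(rulesets):
    """Map each regex body rule to the label of the ruleset defining it."""
    owner = {}
    for label, text in rulesets.items():
        for line in text.splitlines():
            match = BODY_RE.match(line)
            if match:
                owner[match.group(1)] = label  # a later definition wins
    return owner


def stale_by_source(debug_lines, rulesets):
    """Group stale rules by ruleset; rules defined elsewhere go to 'unknown'."""
    owner = body_rules_by_source(rulesets)
    grouped = defaultdict(list)
    for name in stale_compiled_rules(debug_lines):
        grouped[owner.get(name, "unknown")].append(name)
    return dict(grouped)


def recompile_advised(stale, threshold=25):
    """True once enough rules run uncompiled that sa-compile is worth its CPU."""
    return len(stale) >= threshold


if __name__ == "__main__":
    lines = SAMPLE_DEBUG.splitlines()
    for source, names in stale_by_source(lines, SAMPLE_RULESETS).items():
        print(f"{source}: {len(names)} stale: {', '.join(names)}")
    print("recompile advised:", recompile_advised(stale_compiled_rules(lines), 3))
```

The threshold is a local tuning choice: a stale rule is still applied in its new form, so the only cost of waiting is the lost speed-up for those rules.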
From: stef at aoc-uk.com (Stef Morrell) Date: Fri Jun 26 15:51:49 2009 Subject: Semi-OT: Rule2XSBody - resolved. In-Reply-To: References: <200906261139.n5QBdcgC015959@safir.blacknight.ie><4A44C0C5.3050802@ecs.soton.ac.uk> <200906261242.n5QCg46I019964@safir.blacknight.ie><4A44C7F5.5040905@ecs.soton.ac.uk> <200906261319.n5QDJf0c023186@safir.blacknight.ie><7EF0EE5CB3B263488C8C18823239BEBA071610F1@HC-MBX02.herefordshire.gov.uk><4A44D74E.2090901@ecs.soton.ac.uk> Message-ID: <200906261451.n5QEpfWi032065@safir.blacknight.ie> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Randal, Phil > Sent: 26 June 2009 15:36 > To: MailScanner discussion > Subject: RE: Semi-OT: Rule2XSBody - resolved. > > Julian Field wrote: > > > But does it still use the uncompiled rules if they have > been replaced > > since the last sa-compile, or do we need to re-do sa-compile every > > time we update any rules anywhere? > > > > Jules > > In Rule2XSBody.pm : > > if ($comprule ne $rule) { > dbg "zoom: skipping rule $name, code differs in > compiled ruleset"; > next; > } > > After a quick test to verify the above the answer is that we > don't need to. > > Fabulous! > > That probably needs noting on the wiki. I've added a short note on the MAQ, which is the only place I can presently see sa-compile referred to. Stef From gafaith at asdm.net Fri Jun 26 16:31:42 2009 
From: gafaith at asdm.net (Gary Faith) Date: Fri Jun 26 16:32:07 2009 Subject: Spam but no randomly no Spam Report In-Reply-To: References: <4A4404D50200002D00006C96@sparky.asdm.net> <4A44116A0200002D00006C9B@sparky.asdm.net> <4A4489C3.4000203@ecs.soton.ac.uk> Message-ID: <4A44B19E0200002D00006CAF@sparky.asdm.net> Julian, Better. The spam report field is populated now but I don't think it is completely fixed. See below: Spam: Y Action(s): store, deliver, header, "X-Spam-Status:, Yes" High Scoring Spam: N SpamAssassin Spam: N Listed in RBL: Y Spam Whitelisted: N Spam Blacklisted: N SpamAssassin Autolearn: N SpamAssassin Score: 3.09 Spam Report: spam, SBL+XBL I confirmed that the database shows spam, SBL+XBL only. Problem that I see is that there is nothing in the spamreport field to explain the 3.09 SpamAssassin score. Gary >>> Julian Field 6/26/2009 4:41 AM >>> Aha, well done for tracking down that case, I've been looking for that bug for ages. Due to your diagnostics I now have what should fix it. Please try the attached patch to /usr/lib/MailScanner/MailScanner/Message.pm and then restart MailScanner. Thanks for helping! Jules. On 26/06/2009 05:08, Gary Faith wrote: > Follow Up! After doing more digging, I believe that I have found the > common thread when the problem occurs. The spamreport field only > seems to be blank when isspam & isrblspam flags are set. If issaspam > and/or ishighspam are set then spamreport has data. > isspam tinyint(1) =1 > ishighspam tinyint(1) =0 > issaspam tinyint(1) =0 > isrblspam tinyint(1) =1 > spamwhitelisted tinyint(1) =0 > spamblacklisted tinyint(1) =0 > sascore decimal(7,2) some value > spamreport text {Empty} > I hope this helps shine light on my problem. Any ideas why this is > happening? > Thanks, > > Gary > > >>> "Gary Faith" 6/25/2009 11:14 PM >>> > Running MailScanner 4.75.11 on SLES 10 SP2 X86_64. 
When viewing the > information via MailWatch, I see the following on the details page: > SpamAssassin Spam: Y Action(s): store, deliver, header, > "X-Spam-Status:, Yes" > High Scoring Spam: N > SpamAssassin Spam: N > Listed in RBL: N > Spam Whitelisted: N > Spam Blacklisted: N > SpamAssassin Autolearn: N > SpamAssassin Score:1.66 > The problem is Spam Report is blank. This happens on a few seemingly > random messages while most have something in the spamreport field. I > have verified this in the database that it definitely null. Any > reason why all the data except the spam report would be logged to > mysql? Could this be a spamassassin timeout problem? > Thanks, > > Gary Faith Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090626/f3917858/attachment.html From MailScanner at ecs.soton.ac.uk Fri Jun 26 16:58:56 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Jun 26 16:59:16 2009 Subject: Spam but no randomly no Spam Report In-Reply-To: <4A44B19E0200002D00006CAF@sparky.asdm.net> References: <4A4404D50200002D00006C96@sparky.asdm.net> <4A44116A0200002D00006C9B@sparky.asdm.net> <4A4489C3.4000203@ecs.soton.ac.uk> <4A44B19E0200002D00006CAF@sparky.asdm.net> <4A44F040.2050305@ecs.soton.ac.uk> Message-ID: Does your MailScanner.conf have "Always Include SpamAssassin Report" switched on or off? On 26/06/2009 16:31, Gary Faith wrote: > Julian, > Better. The spam report field is populated now but I don't think it > is completely fixed. See below: > Spam: Y Action(s): store, deliver, header, "X-Spam-Status:, Yes" > High Scoring Spam: N > SpamAssassin Spam: N > Listed in RBL: Y > Spam Whitelisted: N > Spam Blacklisted: N > SpamAssassin Autolearn: N > SpamAssassin Score: 3.09 > Spam Report: spam, SBL+XBL > I confirmed that the database shows spam, SBL+XBL only. Problem that > I see is that there is nothing in the spamreport field to explain the > 3.09 SpamAssassin score. > Gary > > > >>> Julian Field 6/26/2009 4:41 AM >>> > Aha, well done for tracking down that case, I've been looking for that > bug for ages. > Due to your diagnostics I now have what should fix it. > > Please try the attached patch to > /usr/lib/MailScanner/MailScanner/Message.pm and then restart MailScanner. > > Thanks for helping! > Jules. > > On 26/06/2009 05:08, Gary Faith wrote: > > Follow Up! After doing more digging, I believe that I have found the > > common thread when the problem occurs. The spamreport field only > > seems to be blank when isspam & isrblspam flags are set. If issaspam > > and/or ishighspam are set then spamreport has data. 
> > isspam tinyint(1) =1 > > ishighspam tinyint(1) =0 > > issaspam tinyint(1) =0 > > isrblspam tinyint(1) =1 > > spamwhitelisted tinyint(1) =0 > > spamblacklisted tinyint(1) =0 > > sascore decimal(7,2) some value > > spamreport text {Empty} > > I hope this helps shine light on my problem. Any ideas why this is > > happening? > > Thanks, > > > > Gary > > > > >>> "Gary Faith" 6/25/2009 11:14 PM >>> > > Running MailScanner 4.75.11 on SLES 10 SP2 X86_64. When viewing the > > information via MailWatch, I see the following on the details page: > > SpamAssassin Spam: Y Action(s): store, deliver, header, > > "X-Spam-Status:, Yes" > > High Scoring Spam: N > > SpamAssassin Spam: N > > Listed in RBL: N > > Spam Whitelisted: N > > Spam Blacklisted: N > > SpamAssassin Autolearn: N > > SpamAssassin Score:1.66 > > The problem is Spam Report is blank. This happens on a few seemingly > > random messages while most have something in the spamreport field. I > > have verified this in the database that it definitely null. Any > > reason why all the data except the spam report would be logged to > > mysql? Could this be a spamassassin timeout problem? > > Thanks, > > > > Gary Faith > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > Follow me at twitter.com/JulesFM and twitter.com/MailScanner > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! 
Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From maxsec at gmail.com Fri Jun 26 17:38:48 2009 
From: maxsec at gmail.com (Martin Hepworth)
Date: Fri Jun 26 17:38:57 2009
Subject: Spam but no randomly no Spam Report
In-Reply-To: <4A44B19E0200002D00006CAF@sparky.asdm.net>
References: <4A4404D50200002D00006C96@sparky.asdm.net> <4A44116A0200002D00006C9B@sparky.asdm.net> <4A4489C3.4000203@ecs.soton.ac.uk> <4A44B19E0200002D00006CAF@sparky.asdm.net>
Message-ID: <72cf361e0906260938j1b0bf343s62e623b1d91e5987@mail.gmail.com>

2009/6/26 Gary Faith :
> Julian,
>
> Better. The spam report field is populated now but I don't think it is
> completely fixed. See below:
>
> Spam: Y   Action(s): store, deliver, header, "X-Spam-Status:, Yes"
> High Scoring Spam: N
> SpamAssassin Spam: N
> Listed in RBL: Y
> Spam Whitelisted: N
> Spam Blacklisted: N
> SpamAssassin Autolearn: N
> SpamAssassin Score: 3.09
> Spam Report: spam, SBL+XBL
>
> I confirmed that the database shows spam, SBL+XBL only. Problem that I see
> is that there is nothing in the spamreport field to explain the 3.09
> SpamAssassin score.
>
> Gary
>
>>>> Julian Field 6/26/2009 4:41 AM >>>
> Aha, well done for tracking down that case, I've been looking for that
> bug for ages.
> Due to your diagnostics I now have what should fix it.
>
> Please try the attached patch to
> /usr/lib/MailScanner/MailScanner/Message.pm and then restart MailScanner.
>
> Thanks for helping!
> Jules.
>
> On 26/06/2009 05:08, Gary Faith wrote:
>> Follow Up! After doing more digging, I believe that I have found the
>> common thread when the problem occurs. The spamreport field only
>> seems to be blank when isspam & isrblspam flags are set. If issaspam
>> and/or ishighspam are set then spamreport has data.
>> isspam           tinyint(1)    =1
>> ishighspam       tinyint(1)    =0
>> issaspam         tinyint(1)    =0
>> isrblspam        tinyint(1)    =1
>> spamwhitelisted  tinyint(1)    =0
>> spamblacklisted  tinyint(1)    =0
>> sascore          decimal(7,2)  some value
>> spamreport       text          {Empty}
>> I hope this helps shine light on my problem. Any ideas why this is
>> happening?
>> Thanks,
>>
>> Gary
>>
>> >>> "Gary Faith" 6/25/2009 11:14 PM >>>
>> Running MailScanner 4.75.11 on SLES 10 SP2 X86_64. When viewing the
>> information via MailWatch, I see the following on the details page:
>> SpamAssassin Spam: Y   Action(s): store, deliver, header,
>> "X-Spam-Status:, Yes"
>> High Scoring Spam: N
>> SpamAssassin Spam: N
>> Listed in RBL: N
>> Spam Whitelisted: N
>> Spam Blacklisted: N
>> SpamAssassin Autolearn: N
>> SpamAssassin Score:1.66
>> The problem is Spam Report is blank. This happens on a few seemingly
>> random messages while most have something in the spamreport field. I
>> have verified this in the database that it definitely null. Any
>> reason why all the data except the spam report would be logged to
>> mysql? Could this be a spamassassin timeout problem?
>> Thanks,
>>
>> Gary Faith
>
> Jules

It's listing this as spam as MailScanner is using the SBL+XBL RBL as a
definite source of spam. i.e. MailScanner is calling the RBL (not
SpamAssassin) and it is therefore saying it's spam. SpamAssassin is saying
it's only scoring 3.09, which isn't enough for SA to classify this as spam
as far as SA is concerned.

--
Martin Hepworth
Oxford, UK

From gafaith at asdm.net Fri Jun 26 17:50:40 2009
From: gafaith at asdm.net (Gary Faith)
Date: Fri Jun 26 17:51:20 2009
Subject: Spam but no randomly no Spam Report
In-Reply-To: <72cf361e0906260938j1b0bf343s62e623b1d91e5987@mail.gmail.com>
References: <4A4404D50200002D00006C96@sparky.asdm.net> <4A44116A0200002D00006C9B@sparky.asdm.net> <4A4489C3.4000203@ecs.soton.ac.uk> <4A44B19E0200002D00006CAF@sparky.asdm.net> <72cf361e0906260938j1b0bf343s62e623b1d91e5987@mail.gmail.com>
Message-ID: <4A44C4200200002D00006CD6@sparky.asdm.net>

If that is true, then why aren't the SA scores a constant value? Here are the reports from 3 recently received messages:

Spam: Y   Action(s): store, deliver, header, "X-Spam-Status:, Yes"
High Scoring Spam: N
SpamAssassin Spam: N
Listed in RBL: Y
Spam Whitelisted: N
Spam Blacklisted: N
SpamAssassin Autolearn: N
SpamAssassin Score: 1.77
Spam Report: spam, SBL+XBL

Spam: Y   Action(s): store, deliver, header, "X-Spam-Status:, Yes"
High Scoring Spam: N
SpamAssassin Spam: N
Listed in RBL: Y
Spam Whitelisted: N
Spam Blacklisted: N
SpamAssassin Autolearn: N
SpamAssassin Score: 0.92
Spam Report: spam, SBL+XBL

Spam: Y   Action(s): store, deliver, header, "X-Spam-Status:, Yes"
High Scoring Spam: N
SpamAssassin Spam: N
Listed in RBL: Y
Spam Whitelisted: N
Spam Blacklisted: N
SpamAssassin Autolearn: N
SpamAssassin Score: 3.09
Spam Report: spam, SBL+XBL

Notice that each of these messages have isspam = 1 and isrblspam = 1, ishighspam = 0 & issaspam = 0 but each have a different SA score. My point is something is assigning a value to the SA score but nothing besides "spam, {RBL Listed} is being reported.

Gary

>>> Martin Hepworth 6/26/2009 12:38 PM >>>
2009/6/26 Gary Faith :
> Julian,
>
> Better. The spam report field is populated now but I don't think it is
> completely fixed.
See below: > > Spam: Y Action(s): store, deliver, header, "X-Spam-Status:, Yes" > High Scoring Spam: N > SpamAssassin Spam: N > Listed in RBL: Y > Spam Whitelisted: N > Spam Blacklisted: N > SpamAssassin Autolearn: N > SpamAssassin Score: 3.09 > Spam Report: spam, SBL+XBL > > I confirmed that the database shows spam, SBL+XBL only. Problem that I see > is that there is nothing in the spamreport field to explain the 3.09 > SpamAssassin score. > > Gary > >>>> Julian Field 6/26/2009 4:41 AM >>> > Aha, well done for tracking down that case, I've been looking for that > bug for ages. > Due to your diagnostics I now have what should fix it. > > Please try the attached patch to > /usr/lib/MailScanner/MailScanner/Message.pm and then restart MailScanner. > > Thanks for helping! > Jules. > > On 26/06/2009 05:08, Gary Faith wrote: >> Follow Up! After doing more digging, I believe that I have found the >> common thread when the problem occurs. The spamreport field only >> seems to be blank when isspam & isrblspam flags are set. If issaspam >> and/or ishighspam are set then spamreport has data. >> isspam tinyint(1) =1 >> ishighspam tinyint(1) =0 >> issaspam tinyint(1) =0 >> isrblspam tinyint(1) =1 >> spamwhitelisted tinyint(1) =0 >> spamblacklisted tinyint(1) =0 >> sascore decimal(7,2) some value >> spamreport text {Empty} >> I hope this helps shine light on my problem. Any ideas why this is >> happening? >> Thanks, >> >> Gary >> >> >>> "Gary Faith" 6/25/2009 11:14 PM >>> >> Running MailScanner 4.75.11 on SLES 10 SP2 X86_64. When viewing the >> information via MailWatch, I see the following on the details page: >> SpamAssassin Spam: Y Action(s): store, deliver, header, >> "X-Spam-Status:, Yes" >> High Scoring Spam: N >> SpamAssassin Spam: N >> Listed in RBL: N >> Spam Whitelisted: N >> Spam Blacklisted: N >> SpamAssassin Autolearn: N >> SpamAssassin Score:1.66 >> The problem is Spam Report is blank. 
This happens on a few seemingly >> random messages while most have something in the spamreport field. I >> have verified this in the database that it definitely null. Any >> reason why all the data except the spam report would be logged to >> mysql? Could this be a spamassassin timeout problem? >> Thanks, >> >> Gary Faith > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > Follow me at twitter.com/JulesFM and twitter.com/MailScanner > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > It's listing this as spam as mailScanner is using the SBL+XBL RBL as a definite source of spam. ie MailScanner is calling the RBL (not spamassassin) and is it therefor saying it's spam. Spamassassin is saying it's only scoring 3.09 which isn;t enough for SA to classify this as spam as far as SA is concerned. -- Martin Hepworth Oxford, UK -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090626/1ef88742/attachment.html From hafiz at variegate.biz Fri Jun 26 17:55:27 2009 
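For the "Spam but no randomly no Spam Report" thread above, an audit of the logging table for the two symptoms Gary describes, as an added example that is not part of any poster's message and is not MailWatch code. The column names are the ones listed in the thread; the table name `maillog`, the `id` column, the stored report strings and every sample row are constructed assumptions.

```python
import sqlite3

# Constructed sample rows. Columns: id, isspam, ishighspam, issaspam, isrblspam,
# spamwhitelisted, spamblacklisted, sascore, spamreport.
SAMPLE_ROWS = [
    # RBL-only spam with nothing stored in spamreport (the first symptom).
    ("A1", 1, 0, 0, 1, 0, 0, 1.66, None),
    # RBL named in the report, but the nonzero score is unexplained (second symptom).
    ("A2", 1, 0, 0, 1, 0, 0, 3.09, "spam, SBL+XBL"),
    # SpamAssassin spam with a rule breakdown: healthy.
    ("A3", 1, 0, 1, 0, 0, 0, 7.40,
     "spam, SpamAssassin (not cached, score=7.4, required 6, BAYES_99 3.50)"),
    # Clean message with a rule breakdown: healthy.
    ("A4", 0, 0, 0, 0, 0, 0, 3.28,
     "not spam, SpamAssassin (not cached, score=3.281, required 3.5, BAYES_00 -0.50)"),
    # RBL spam whose report also carries the SpamAssassin section: healthy.
    ("A5", 1, 0, 0, 1, 0, 0, 0.92,
     "spam, SBL+XBL, SpamAssassin (not cached, score=0.92, required 6, BAYES_00 -0.50)"),
    # Whitelisted, SpamAssassin never scored it: no score to explain.
    ("A6", 0, 0, 0, 0, 1, 0, 0.0, "not spam (whitelisted)"),
]

# SQL fragment: the report column holds nothing usable.
EMPTY = "(spamreport IS NULL OR TRIM(spamreport) = '')"


def build_db(rows):
    """Create an in-memory table shaped like the columns named in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE maillog (
               id TEXT PRIMARY KEY,
               isspam INTEGER, ishighspam INTEGER, issaspam INTEGER, isrblspam INTEGER,
               spamwhitelisted INTEGER, spamblacklisted INTEGER,
               sascore REAL, spamreport TEXT)"""
    )
    conn.executemany("INSERT INTO maillog VALUES (?,?,?,?,?,?,?,?,?)", rows)
    return conn


def audit(conn):
    """Return (id, finding) for rows whose report cannot explain what was logged."""
    sql = f"""
        SELECT id,
               CASE WHEN {EMPTY} THEN 'empty_report' ELSE 'score_unexplained' END
        FROM maillog
        WHERE {EMPTY}
           OR (sascore <> 0 AND spamreport NOT LIKE '%SpamAssassin (%')
        ORDER BY id"""
    return conn.execute(sql).fetchall()


def empty_report_by_flags(conn):
    """Group by the four spam flags: {(isspam, ishighspam, issaspam, isrblspam): (total, empty)}.

    This is the cut that isolates a flag combination as the common thread.
    """
    sql = f"""
        SELECT isspam, ishighspam, issaspam, isrblspam,
               COUNT(*), SUM(CASE WHEN {EMPTY} THEN 1 ELSE 0 END)
        FROM maillog
        GROUP BY isspam, ishighspam, issaspam, isrblspam"""
    return {row[:4]: (row[4], row[5]) for row in conn.execute(sql)}


if __name__ == "__main__":
    db = build_db(SAMPLE_ROWS)
    for msg_id, finding in audit(db):
        print(msg_id, finding)
    for flags, (total, empty) in sorted(empty_report_by_flags(db).items()):
        print(flags, "total:", total, "empty reports:", empty)
```
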
From: hafiz at variegate.biz (Hafiz) Date: Fri Jun 26 17:55:49 2009 Subject: MailScanner: Could not analyze message Message-ID: <4A44FD7F.4030206@variegate.biz> Skipped content of type multipart/alternative-------------- next part -------------- Running on Linux XXXXXXXXX 2.6.18-128.1.10.el5 #1 SMP Thu May 7 10:39:21 EDT 2009 i686 i686 i386 GNU/Linux This is CentOS release 5.3 (Final) This is Perl version 5.008008 (5.8.8) This is MailScanner version 4.77.10 Module versions are: 1.00 AnyDBM_File 1.16 Archive::Zip 0.23 bignum 1.04 Carp 1.42 Compress::Zlib 1.119 Convert::BinHex 0.17 Convert::TNEF 2.121_08 Data::Dumper 2.27 Date::Parse 1.00 DirHandle 1.05 Fcntl 2.74 File::Basename 2.09 File::Copy 2.01 FileHandle 1.08 File::Path 0.20 File::Temp 0.90 Filesys::Df 1.35 HTML::Entities 3.56 HTML::Parser 2.37 HTML::TokeParser 1.23 IO 1.14 IO::File 1.13 IO::Pipe 2.04 Mail::Header 1.89 Math::BigInt 0.22 Math::BigRat 3.07 MIME::Base64 5.427 MIME::Decoder 5.427 MIME::Decoder::UU 5.427 MIME::Head 5.427 MIME::Parser 3.07 MIME::QuotedPrint 5.427 MIME::Tools 0.13 Net::CIDR 1.25 Net::IP 0.16 OLE::Storage_Lite 1.04 Pod::Escapes 3.05 Pod::Simple 1.09 POSIX 1.19 Scalar::Util 1.78 Socket 2.16 Storable 1.4 Sys::Hostname::Long 0.27 Sys::Syslog 1.26 Test::Pod 0.86 Test::Simple 1.9715 Time::HiRes 1.02 Time::localtime Optional module versions are: 1.30 Archive::Tar 0.23 bignum 2.03 Business::ISBN 1.17 Business::ISBN::Data 1.08 Data::Dump 1.814 DB_File 1.25 DBD::SQLite 1.607 DBI 1.14 Digest 1.01 Digest::HMAC 2.36 Digest::MD5 2.11 Digest::SHA1 1.01 Encode::Detect 0.17015 Error 0.23 ExtUtils::CBuilder 2.19 ExtUtils::ParseXS 2.38 Getopt::Long 0.44 Inline 1.08 IO::String 1.04 IO::Zlib 2.25 IP::Country missing Mail::ClamAV 3.002005 Mail::SpamAssassin v2.005 Mail::SPF 1.999001 Mail::SPF::Query 0.2808 Module::Build 0.20 Net::CIDR::Lite 0.65 Net::DNS v0.003 Net::DNS::Resolver::Programmable 0.33 Net::LDAP 4.007 NetAddr::IP 1.94 Parse::RecDescent missing SAVI 2.64 Test::Harness 1.22 Test::Manifest 1.95 
Text::Balanced 1.35 URI 0.76 version 0.66 YAML From AHKAPLAN at PARTNERS.ORG Fri Jun 26 17:57:34 2009 
From: AHKAPLAN at PARTNERS.ORG (Kaplan, Andrew H.)
Date: Fri Jun 26 17:57:47 2009
Subject: Files being blocked despite configuration changes
Message-ID:

Hi there --

I received a request to have .dat files be allowed through our mail server. Files of this type were normally sent to quarantine with an e-mail notification report stating the following:

Report: MailScanner: No programs allowed (set.dat)
Report: MailScanner: No programs allowed (set.dat)

I reconfigured the filename.rules.conf and filetype.rules.conf files to allow the above file types to pass through without problem. Listed below are the syntaxes from each of the configuration files:

filename.rules.conf

    # Physics has requested that files of this type be allowed...
    allow \.dat$

filetype.rules.conf

    allow dat - Physics requested these be allowed

Once these changes were made, MailScanner along with the mailserver, Sendmail, were restarted via the /etc/init.d/MailScanner script. There were no failed messages appearing on-screen when this occurred.

The problem is the following: even though the files in question have been configured to be allowed, they are still being blocked and sent to quarantine. The version of MailScanner is 4.72.5 while that of Sendmail is 8.14.1.

What other steps and/or corrections do I need to make in order to fix this? Thanks.

From maxsec at gmail.com Fri Jun 26 18:02:26 2009
From: maxsec at gmail.com (Martin Hepworth)
Date: Fri Jun 26 18:02:35 2009
Subject: MailScanner: Could not analyze message
In-Reply-To: <4A44FD7F.4030206@variegate.biz>
References: <4A44FD7F.4030206@variegate.biz>
Message-ID: <72cf361e0906261002m689d4fbfv143cc56bd5705b24@mail.gmail.com>

2009/6/26 Hafiz :
> Hi List,
>
> My customers system as attached (System Info.txt)
> CentOS 5.3 x86
> MailScanner 4.77.10
> MailWatch 1.0.4
> Postfix 2.3.3
> ClamAV 0.95.1/9507/Fri Jun 26 09:52:45 2009
> Scalix 11.4.3-GA
>
> My customers are complaining that some of the e-mails received especially
> from 1 particular domain will have this error message:
> MailScanner: Could not analyze message
>
> As a result, the mail is quarantined and notification is sent to the sender.
>
> A google search found some historical posts that this issue might be caused
> by MIME-tools and on older version of MailScanner.
> I examine the quarantined message and basically its just a HTML format mail
> that contains lots of HTML tags inside it.
>
> Any advise and suggestion is appreciated.
>
> --
> Thanks.
>
> Mohd Hafiz Ramly
> Senior Consultant
> Variegate Systems Sdn Bhd
> Tel : +60 4 2298808
> Fax : +60 4 2295006
> Mobile : +6 013 4812676
> Web : http://www.variegate.biz

Is the HTML actually valid - in the past this has also been due to
incorrect HTML.

(btw 'bouncing' messages to the sender is a bad idea as spam and virus
email usually fakes the from anyway).

--
Martin Hepworth
Oxford, UK

From gafaith at asdm.net Fri Jun 26 18:18:10 2009
From: gafaith at asdm.net (Gary Faith)
Date: Fri Jun 26 18:18:33 2009
Subject: Spam but no randomly no Spam Report
In-Reply-To:
References: <4A4404D50200002D00006C96@sparky.asdm.net> <4A44116A0200002D00006C9B@sparky.asdm.net> <4A4489C3.4000203@ecs.soton.ac.uk> <4A44B19E0200002D00006CAF@sparky.asdm.net> <4A44F040.2050305@ecs.soton.ac.uk>
Message-ID: <4A44CA920200002D00006CE5@sparky.asdm.net>

Julian,

Always Include SpamAssassin Report was set to off. I just turned it on and will see if that changes things. I wasn't sure if that setting would be a problem because it seems that there was a report even if the message was clean like the one below. It just seems like the Spam Report is included with every message except when the isspam =1 & isrblspam =1 and the other two flags = 0.

Spam: N   Action(s): store, deliver, header, "X-Spam-Status:, No"
High Scoring Spam: N
SpamAssassin Spam: N
Listed in RBL: N
Spam Whitelisted: N
Spam Blacklisted: N
SpamAssassin Autolearn: N
SpamAssassin Score: 3.28
Spam Report:

Score        Matching Rule        Description
cached       not
score=3.281
3.5          required
-0.50        BAYES_00             Bayesian spam probability is 0 to 1%
2.17         DCC_CHECK            Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
0.73         HTML_COMMENT_SHORT   HTML comment is very short
0.88         HTML_FONT_FACE_BAD   HTML font face is not a word
0.00         HTML_MESSAGE         HTML included in message
-0.00        SPF_PASS             SPF: sender matches SPF record

Gary

>>> Julian Field 6/26/2009 11:58 AM >>>
Does your MailScanner.conf have "Always Include SpamAssassin Report" switched on or off?

On 26/06/2009 16:31, Gary Faith wrote:
> Julian,
> Better. The spam report field is populated now but I don't think it
> is completely fixed. See below:
> Spam: Y Action(s): store, deliver, header, "X-Spam-Status:, Yes"
> High Scoring Spam: N
> SpamAssassin Spam: N
> Listed in RBL: Y
> Spam Whitelisted: N
> Spam Blacklisted: N
> SpamAssassin Autolearn: N
> SpamAssassin Score: 3.09
> Spam Report: spam, SBL+XBL
> I confirmed that the database shows spam, SBL+XBL only.
Problem that > I see is that there is nothing in the spamreport field to explain the > 3.09 SpamAssassin score. > Gary > > > >>> Julian Field 6/26/2009 4:41 AM >>> > Aha, well done for tracking down that case, I've been looking for that > bug for ages. > Due to your diagnostics I now have what should fix it. > > Please try the attached patch to > /usr/lib/MailScanner/MailScanner/Message.pm and then restart MailScanner. > > Thanks for helping! > Jules. > > On 26/06/2009 05:08, Gary Faith wrote: > > Follow Up! After doing more digging, I believe that I have found the > > common thread when the problem occurs. The spamreport field only > > seems to be blank when isspam & isrblspam flags are set. If issaspam > > and/or ishighspam are set then spamreport has data. > > isspam tinyint(1) =1 > > ishighspam tinyint(1) =0 > > issaspam tinyint(1) =0 > > isrblspam tinyint(1) =1 > > spamwhitelisted tinyint(1) =0 > > spamblacklisted tinyint(1) =0 > > sascore decimal(7,2) some value > > spamreport text {Empty} > > I hope this helps shine light on my problem. Any ideas why this is > > happening? > > Thanks, > > > > Gary > > > > >>> "Gary Faith" 6/25/2009 11:14 PM >>> > > Running MailScanner 4.75.11 on SLES 10 SP2 X86_64. When viewing the > > information via MailWatch, I see the following on the details page: > > SpamAssassin Spam: Y Action(s): store, deliver, header, > > "X-Spam-Status:, Yes" > > High Scoring Spam: N > > SpamAssassin Spam: N > > Listed in RBL: N > > Spam Whitelisted: N > > Spam Blacklisted: N > > SpamAssassin Autolearn: N > > SpamAssassin Score:1.66 > > The problem is Spam Report is blank. This happens on a few seemingly > > random messages while most have something in the spamreport field. I > > have verified this in the database that it definitely null. Any > > reason why all the data except the spam report would be logged to > > mysql? Could this be a spamassassin timeout problem? 
> > Thanks, > > > > Gary Faith > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > Follow me at twitter.com/JulesFM and twitter.com/MailScanner > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090626/acbca007/attachment.html From ms-list at alexb.ch Fri Jun 26 18:29:14 2009 
From: ms-list at alexb.ch (Alex Broens)
Date: Fri Jun 26 18:29:23 2009
Subject: MailScanner: Could not analyze message
In-Reply-To: <4A44FD7F.4030206@variegate.biz>
References: <4A44FD7F.4030206@variegate.biz>
Message-ID: <4A45056A.4070409@alexb.ch>

On 6/26/2009 6:55 PM, Hafiz wrote:
> Hi List,
>
> My customers system as attached (System Info.txt)
> CentOS 5.3 x86
> MailScanner 4.77.10
> MailWatch 1.0.4
> Postfix 2.3.3
> ClamAV 0.95.1/9507/Fri Jun 26 09:52:45 2009
> Scalix 11.4.3-GA
>
> My customers are complaining that some of the e-mails received
> especially from 1 particular domain will have this error message:
> MailScanner: Could not analyze message
>
> As a result, the mail is quarantined and notification is sent to the
> sender.
>
> A google search found some historical posts that this issue might be
> caused by MIME-tools and on older version of MailScanner.
> I examine the quarantined message and basically its just a HTML format
> mail that contains lots of HTML tags inside it.
>
> Any advise and suggestion is appreciated.

Is it by any chance a Typo3 CMS generated msg?
There's an older DirectMail module version which breaks the simplest of
MIME formatting rules.

Can you post the msg in pastebin?

--
Alex

From steve.freegard at fsl.com Fri Jun 26 18:38:22 2009
From: steve.freegard at fsl.com (Steve Freegard)
Date: Fri Jun 26 18:38:33 2009
Subject: Spam but no randomly no Spam Report
In-Reply-To: <4A44CA920200002D00006CE5@sparky.asdm.net>
References: <4A4404D50200002D00006C96@sparky.asdm.net> <4A44116A0200002D00006C9B@sparky.asdm.net> <4A4489C3.4000203@ecs.soton.ac.uk> <4A44B19E0200002D00006CAF@sparky.asdm.net> <4A44F040.2050305@ecs.soton.ac.uk> <4A44CA920200002D00006CE5@sparky.asdm.net>
Message-ID: <4A45078E.9070000@fsl.com>

Gary Faith wrote:
> Julian,
>
> Always Include SpamAssassin Report was set to off. I just turned it on
> and will see if that changes things.

IIRC - if this is set; SA is still run even for a whitelisted or
blacklisted message which is really inefficient.

Cheers,
Steve.

From gafaith at asdm.net Fri Jun 26 19:18:05 2009
From: gafaith at asdm.net (Gary Faith)
Date: Fri Jun 26 19:18:30 2009
Subject: Spam but no randomly no Spam Report
In-Reply-To: <4A44CA920200002D00006CE5@sparky.asdm.net>
References: <4A4404D50200002D00006C96@sparky.asdm.net> <4A44116A0200002D00006C9B@sparky.asdm.net> <4A4489C3.4000203@ecs.soton.ac.uk> <4A44B19E0200002D00006CAF@sparky.asdm.net> <4A44F040.2050305@ecs.soton.ac.uk> <4A44CA920200002D00006CE5@sparky.asdm.net>
Message-ID: <4A44D89D0200002D00006CEA@sparky.asdm.net>

After turning it on, I do get a Spam Report now.

Spam: Y   Action(s): store, deliver, header, "X-Spam-Status:, Yes"
High Scoring Spam: N
SpamAssassin Spam: N
Listed in RBL: Y   SBL+XBL
Spam Whitelisted: N
Spam Blacklisted: N
SpamAssassin Autolearn: N
SpamAssassin Score: 0.92
Spam Report:

Score    Matching Rule   Description
-0.50    BAYES_00        Bayesian spam probability is 0 to 1%
1.42     SARE_ADULT2     Contains adult material

Steve Freegard just posted a message that "Always Include SpamAssassin Report" = on would cause it to run even for whitelisted and blacklisted recipients. I agree it would be inefficient to have SA run on whitelisted & blacklisted recipients. Could there still be a problem in the patched Message.pm where it is returning some of the spam report but not all?

Gary

>>> "Gary Faith" 6/26/2009 1:18 PM >>>
Julian,

Always Include SpamAssassin Report was set to off. I just turned it on and will see if that changes things. I wasn't sure if that setting would be a problem because it seems that there was a report even if the message was clean like the one below. It just seems like the Spam Report is included with every message except when the isspam =1 & isrblspam =1 and the other two flags = 0.
Spam: N Action(s): store, deliver, header, "X-Spam-Status:, No" High Scoring Spam: N SpamAssassin Spam: N Listed in RBL: N Spam Whitelisted: N Spam Blacklisted: N SpamAssassin Autolearn: N SpamAssassin Score:3.28 Spam Report: ScoreMatching RuleDescription cachednot score=3.281 3.5required -0.50BAYES_00Bayesian spam probability is 0 to 1% 2.17DCC_CHECKListed in DCC (http://rhyolite.com/anti-spam/dcc/) 0.73HTML_COMMENT_SHORTHTML comment is very short 0.88HTML_FONT_FACE_BADHTML font face is not a word 0.00HTML_MESSAGEHTML included in message -0.00SPF_PASSSPF: sender matches SPF record Gary >>> Julian Field 6/26/2009 11:58 AM >>> Does your MailScanner.conf have "Always Include SpamAssassin Report" switched on or off? On 26/06/2009 16:31, Gary Faith wrote: > Julian, > Better. The spam report field is populated now but I don't think it > is completely fixed. See below: > Spam: Y Action(s): store, deliver, header, "X-Spam-Status:, Yes" > High Scoring Spam: N > SpamAssassin Spam: N > Listed in RBL: Y > Spam Whitelisted: N > Spam Blacklisted: N > SpamAssassin Autolearn: N > SpamAssassin Score: 3.09 > Spam Report: spam, SBL+XBL > I confirmed that the database shows spam, SBL+XBL only. Problem that > I see is that there is nothing in the spamreport field to explain the > 3.09 SpamAssassin score. > Gary > > > >>> Julian Field 6/26/2009 4:41 AM >>> > Aha, well done for tracking down that case, I've been looking for that > bug for ages. > Due to your diagnostics I now have what should fix it. > > Please try the attached patch to > /usr/lib/MailScanner/MailScanner/Message.pm and then restart MailScanner. > > Thanks for helping! > Jules. > > On 26/06/2009 05:08, Gary Faith wrote: > > Follow Up! After doing more digging, I believe that I have found the > > common thread when the problem occurs. The spamreport field only > > seems to be blank when isspam & isrblspam flags are set. If issaspam > > and/or ishighspam are set then spamreport has data. 
> > isspam tinyint(1) =1 > > ishighspam tinyint(1) =0 > > issaspam tinyint(1) =0 > > isrblspam tinyint(1) =1 > > spamwhitelisted tinyint(1) =0 > > spamblacklisted tinyint(1) =0 > > sascore decimal(7,2) some value > > spamreport text {Empty} > > I hope this helps shine light on my problem. Any ideas why this is > > happening? > > Thanks, > > > > Gary > > > > >>> "Gary Faith" 6/25/2009 11:14 PM >>> > > Running MailScanner 4.75.11 on SLES 10 SP2 X86_64. When viewing the > > information via MailWatch, I see the following on the details page: > > SpamAssassin Spam: Y Action(s): store, deliver, header, > > "X-Spam-Status:, Yes" > > High Scoring Spam: N > > SpamAssassin Spam: N > > Listed in RBL: N > > Spam Whitelisted: N > > Spam Blacklisted: N > > SpamAssassin Autolearn: N > > SpamAssassin Score:1.66 > > The problem is Spam Report is blank. This happens on a few seemingly > > random messages while most have something in the spamreport field. I > > have verified this in the database that it definitely null. Any > > reason why all the data except the spam report would be logged to > > mysql? Could this be a spamassassin timeout problem? > > Thanks, > > > > Gary Faith > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > Follow me at twitter.com/JulesFM and twitter.com/MailScanner > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! 
Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090626/05b00874/attachment.html From gmaddock at futuremetals.com Fri Jun 26 19:27:13 2009 From: gmaddock at futuremetals.com (Gerry Maddock) Date: Fri Jun 26 19:31:25 2009 Subject: New wiki page In-Reply-To: <003601c9f660$0f0bba90$2d232fb0$@dk> References: <4A43C66A.5070703@ecs.soton.ac.uk><4A43CD22.6060208@ecs.soton.ac.uk><4A448379.403@ecs.soton.ac.uk><4A44AD67.3000702@ecs.soton.ac.uk><4A44B106.6040808@alexb.ch><4A44B251.4020906@ecs.soton.ac.uk><4A44B5A9.90905@alexb.ch><4A44C195.40 <003601c9f660$0f0bba90$2d232fb0$@dk> Message-ID: Julian, it looks like sane-security's latest scripts includes the signatures found in Securiteinfo. Also, I failed to mention in my setup I have a third MX record that points to tarbaby.junkemailfilter.com. ( http://wiki.ctyme.com/index.php/Project_tarbaby). Anyone else using tarbaby? CONFIDENTIALITY: This e-mail message is for the sole use of the intended recipient(s) and may contain confidential and / or privileged information. Any unauthorized review, use, disclosure or distribution of any kind is strictly prohibited. If you are not the intended recipient, please contact the sender via reply e-mail and destroy all copies of the original message. Thank you. From rlopezcnm at gmail.com Fri Jun 26 19:46:08 2009 
From: rlopezcnm at gmail.com (Robert Lopez)
Date: Fri Jun 26 19:46:18 2009
Subject: Mismatch between report and actions
Message-ID:

HP ProLiant DL360 G5
Two dual core Intel(R) Xeon(R) CPU E5450 @ 3.00GHz
8 G RAM
Linux 2.6.28-11-server #42-Ubuntu SMP Fri Apr 17 02:45:36 UTC 2009 x86_64 GNU/Linux
Ubuntu 9.04 (jaunty)
MailScanner version 4.74.16
Postfix version 2.5.5
SpamAssassin version 3.2.5 running on Perl version 5.10.0
(I know there are newer versions. These are Ubuntu apt-get...)

Situation: Testing Eicar, external site to internal via gateway.
Problem: Mismatch between reported information and actions.

Email content says:
"Warning: Please read the 'CNM-Attachment-Warning.txt' attachment(s) for more information."

Action was:
Appended the text into the body of email instead of an attachment.

Email content says:
"Note to Help Desk: Look on the CNM () MailScanner in /var/spool/MailScanner/quarantine/20090626 (message E0CE312F.5E6C5)."

Action was:
"/var/spool/MailScanner/quarantine/20090626" has one dir which is "spam".
"/var/spool/MailScanner/quarantine/20090626/spam" has one file which is "3A59B34D.274DC" and it contains a discarded gtube test.
Find says there is no E0CE312F.5E6C5 file on disks.

Maillog shows this redacted information:
MailScanner[2381]: Message E0CE312F.5E6C5 from 209.85.221.171 (munged@gmail.com) to munged.cnm.edu is not spam, SpamAssassin (not cached, score=-0.001, required 6, autolearn=not spam, SPF_PASS -0.00)
MailScanner[2381]: Virus and Content Scanning: Starting
MailScanner[2381]: Clamd::INFECTED:: Eicar-Test-Signature :: ./E0CE312F.5E6C5/
MailScanner[2381]: Clamd::INFECTED:: Eicar-Test-Signature :: ./E0CE312F.5E6C5/msg-2381-6.txt
MailScanner[2381]: Virus Scanning: Clamd found 2 infections
MailScanner[2381]: Infected message E0CE312F.5E6C5 came from 209.85.221.171
{ { [ Aside: One Eicar counts as two virus infections? ] } }
MailScanner[2381]: Virus Scanning: Found 2 viruses
MailScanner[2381]: Requeue: E0CE312F.5E6C5 to A7E6051D
MailScanner[2381]: Cleaned: Delivered 1 cleaned messages
postfix/qmgr[3109]: A7E6051D: from=, size=2128, nrcpt=1 (queue active)
postfix/pickup[3108]: B3E9E520: uid=105 from=
postfix/cleanup[3639]: B3E9E520: hold: header Received: by munged.cnm.edu (Postfix, from userid 105) id B3E9E520; Fri, 26 Jun 2009 11:33:08 -0600 (MDT) from local; from=
postfix/cleanup[3639]: B3E9E520: message-id=<20090626173308.B3E9E520@munged.cnm.edu>
MailScanner[2381]: Notices: Warned about 1 messages
postfix/smtp[3648]: A7E6051D: to=, orig_to=, relay=munged.cnm.edu[198.133.181.119]:25, delay=21, delays=21/0/0/0.02, dsn=2.5.0, status=sent (250 2.5.0 Ok.)
postfix/qmgr[3109]: A7E6051D: removed

Questions: How do I remedy these two mismatches?

--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106

From nicolas.michel at lemail.be Sat Jun 27 14:05:00 2009
From: nicolas.michel at lemail.be (Nicolas Michel)
Date: Sat Jun 27 14:21:56 2009
Subject: Mailscanner don't process /var/spool/postfix/hold
Message-ID: <1246107900.5507.133.camel@nm-laptop>

Hello,

I'm on Debian Lenny 32 bits and I installed mailscanner by enabling the backports repository.
- I configured postfix to place mails into /var/spool/postfix/hold (with header_checks).
- Net is ok because I got mails and I can see them in /var/spool/postfix/hold.
- mailscanner is running. No error on starting. And it seems to see these mails because I get this log:
New Batch: Found 192 messages waiting

But mails stay in /var/spool/postfix/hold. mailscanner doesn't seem to process them. Nothing in /var/mail but mailq gives the output of the 192 mails.

Does anyone have an idea?
If you need some other pieces of information, tell me and I will give them to you asap.

Thank you so much,
nm

From maxsec at gmail.com Sat Jun 27 19:47:34 2009
From: maxsec at gmail.com (Martin Hepworth)
Date: Sat Jun 27 19:47:42 2009
Subject: Mailscanner don't process /var/spool/postfix/hold
In-Reply-To: <1246107900.5507.133.camel@nm-laptop>
References: <1246107900.5507.133.camel@nm-laptop>
Message-ID: <72cf361e0906271147l5a7bca20t799adb686a24c014@mail.gmail.com>

2009/6/27 Nicolas Michel :
> Hello,
>
> I'm on Debian Lenny 32 bits and I installed mailscanner by enabling the
> backports repository.
> - I configured postfix to place mails into /var/spool/postfix/hold (with
> header_checks).
> - Net is ok because I got mails and I can see them in
> /var/spool/postfix/hold.
> - mailscanner is running. No error on starting. And it seems to see these
> mails because I get this log:
> New Batch: Found 192 messages waiting
>
> But mails stay in /var/spool/postfix/hold. mailscanner doesn't seem to
> process them. Nothing in /var/mail but mailq gives the output of the 192
> mails.
>
> Does anyone have an idea?
> If you need some other pieces of information, tell me and I will give them
> to you asap.
>
> Thank you so much,
> nm
>

run in debug mode (as the postfix user) 'MailScanner --Debug --Debug-SA' and you'll get more clues as to what's (not) happening.

--
Martin Hepworth
Oxford, UK

From nicolas.michel at lemail.be Sat Jun 27 21:35:26 2009
From: nicolas.michel at lemail.be (Nicolas Michel)
Date: Sat Jun 27 21:35:47 2009
Subject: Mailscanner don't process /var/spool/postfix/hold
In-Reply-To: <72cf361e0906271147l5a7bca20t799adb686a24c014@mail.gmail.com>
References: <1246107900.5507.133.camel@nm-laptop> <72cf361e0906271147l5a7bca20t799adb686a24c014@mail.gmail.com>
Message-ID: <1246134926.10479.5.camel@nm-laptop>

On Saturday 27 June 2009 at 19:47 +0100, Martin Hepworth wrote:
> 2009/6/27 Nicolas Michel :
> > Hello,
> >
> > I'm on Debian Lenny 32 bits and I installed mailscanner by enabling the
> > backports repository.
> > - I configured postfix to place mails into /var/spool/postfix/hold (with
> > header_checks).
> > - Net is ok because I got mails and I can see them in
> > /var/spool/postfix/hold.
> > - mailscanner is running. No error on starting. And it seems to see these
> > mails because I get this log:
> > New Batch: Found 192 messages waiting
> >
> > But mails stay in /var/spool/postfix/hold. mailscanner doesn't seem to
> > process them. Nothing in /var/mail but mailq gives the output of the 192
> > mails.
> >
> > Does anyone have an idea?
> > If you need some other pieces of information, tell me and I will give them
> > to you asap.
> >
> > Thank you so much,
> > nm
> >
>
> run in debug mode (as the postfix user) 'MailScanner --Debug
> --Debug-SA' and you'll get more clues as to what's (not) happening.

Here is the problem:
22:29:13 Undefined subroutine &MailScanner::CustomConfig::SQLWhitelist called at /usr/share/MailScanner//MailScanner/Config.pm line 171.

>
> --
> Martin Hepworth
> Oxford, UK

From glenn.steen at gmail.com Sat Jun 27 23:21:19 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Jun 27 23:21:28 2009
Subject: Mailscanner don't process /var/spool/postfix/hold
In-Reply-To: <1246134926.10479.5.camel@nm-laptop>
References: <1246107900.5507.133.camel@nm-laptop> <72cf361e0906271147l5a7bca20t799adb686a24c014@mail.gmail.com> <1246134926.10479.5.camel@nm-laptop>
Message-ID: <223f97700906271521y5b592a8tcf1b4b803067ed4c@mail.gmail.com>

2009/6/27 Nicolas Michel :
> On Saturday 27 June 2009 at 19:47 +0100, Martin Hepworth wrote:
>
> 2009/6/27 Nicolas Michel :
>> Hello,
>>
>> I'm on Debian Lenny 32 bits and I installed mailscanner by enabling the
>> backports repository.
>> - I configured postfix to place mails into /var/spool/postfix/hold (with
>> header_checks).
>> - Net is ok because I got mails and I can see them in
>> /var/spool/postfix/hold.
>> - mailscanner is running. No error on starting. And it seems to see these
>> mails because I get this log:
>> New Batch: Found 192 messages waiting
>>
>> But mails stay in /var/spool/postfix/hold. mailscanner doesn't seem to
>> process them. Nothing in /var/mail but mailq gives the output of the 192
>> mails.
>>
>> Does anyone have an idea?
>> If you need some other pieces of information, tell me and I will give them
>> to you asap.
>>
>> Thank you so much,
>> nm
>>
>
> run in debug mode (as the postfix user) 'MailScanner --Debug
> --Debug-SA' and you'll get more clues as to what's (not) happening.
>
> Here is the problem:
> 22:29:13 Undefined subroutine &MailScanner::CustomConfig::SQLWhitelist
> called at /usr/share/MailScanner//MailScanner/Config.pm line 171.
>

That is part of MailWatch (IIRC), and you haven't (correctly) installed that. Either amend your MailScanner.conf or install MailWatch (correctly;-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Sat Jun 27 23:25:08 2009
From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Jun 27 23:25:18 2009 Subject: MailScanner not processing after Hold state In-Reply-To: <72cf361e0906251055u117a572eq55e93ca558772f04@mail.gmail.com> References: <72cf361e0906251055u117a572eq55e93ca558772f04@mail.gmail.com> Message-ID: <223f97700906271525m22b72af7y7e7fd6fc9a60c01a@mail.gmail.com> 2009/6/25 Martin Hepworth : > 2009/6/25 shyam hirurkar : >> Hi All, >> >> >> I am using postfx+Mailscanner+spamassassin+clamAV? it is working fine and >> now a days i am facng issue with mailscanner like once message goes to Hold >> state after that mailscanner does not do any thing neither it process not it >> gives back to postfix. Simply mail will vanish. Is there any thing wrong >> this is happaning inconsistantly.. >> >> Here is the sample log >> >> [root@mx log]# cat maillog | grep B62FC4FD82 >> Jun 17 11:39:32 mx postfix/smtpd[16374]: B62FC4FD82: >> client=unknown[xxx.xxx.xxx.xxx] >> Jun 17 11:44:33 mx postfix/cleanup[16394]: B62FC4FD82: hold: header >> Received: from some.domain.com (unknown [xxx.xxx.xxx.xxx])??by mx.domain.com >> >> (Postfix) with ESMTP id B62FC4FD82??for ; Wed, 17 Jun 2009 >> 11:39:26 +0530 (IST) from unknown[xxx.xxx.xxx.xxx]; >> >> from= to= proto=ESMTP helo= >> >> After this there is no entry in maillog niether user received the mail not >> bounce back , I am not able to figure it out . >> >> If any thing more detail require from my side please let me know. >> >> Shyam >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> >> > > > Make sure you are running the latest version of MS (4.77) - there was > an issue with the previous version with postfix. > > Sure, but ... to be sure, run MailScanner --debug (as the postfix user) to rule out any silly misconfigurations. 
The queue file is still in the hold queue, right? Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Sat Jun 27 23:34:42 2009 
From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Jun 27 23:34:51 2009 Subject: Question on reducing load on MailScanner machine In-Reply-To: References: Message-ID: <223f97700906271534s651719ffga6e7bc243912de48@mail.gmail.com> 2009/6/25 Christopher Fisk : >> ?on 6-25-2009 11:37 AM Christopher Fisk spake the >> ?following: >> ?> I saw a similar post in the archives recently, but the >> ?discussion didn't go very far. >> ?> >> ?> >> ?http://lists.mailscanner.info/pipermail/mailscanner/2009 >> ?-June/092018.html >> ?> >> ?> I'd like to expand the question a bit. >> ?> >> ?> Lets assume I have a single server handling MailScanner >> ?(& SA & ClamAV) and the postfix/courier servers. >> ?> >> ?> The MailScanner queue is reaching 300+ at times, giving >> ?a short delay between the server receiving the message >> ?and MailScanner scanning it. >> ?> >> ?> If I were to NFS/SMB mount both the MailScanner install >> ?directory and the hold queue directory from another >> ?machine and startup another MailScanner process, will I >> ?run into issues where both MailScanners are trying to >> ?scan the same messages and cause problems? ?Or would >> ?MailScanner be smart enough to know that another >> ?MailScanner process is scanning a given message? >> ?> >> ?> >> ?> This is on Linux 2.6 and ext3. ?Filesystems and kernel >> ?versions can be changed as needed. >> ?> >> ?> I have a few extra servers I can quickly put in place >> ?and would rather do that than purchasing an entire new >> ?server for this. >> ?> >> ?> The MailScanner book doesn't have any information on >> ?this type of configuration unfortunately. >> ?> >> ?> >> ?> Thanks! >> ?> >> ?> >> ?> Christopher Fisk >> ?> >> ?I doubt if postfix would like this. > > Actually, I see postfix as handling this better than MailScanner. ?Postfix just delivers the incoming messages using a header check into a hold queue, one message per file in the queue. 
> > MailScanner scans messages in that queue and delivers it to the postfix incoming queue. I'd worry about queue file name reuse issues. They would be inevitable, AFAICS. > What I'm more afraid of (And what Julian says would cause problems) is the MailScanner on server A and the MailScanner on server B both picking up the same message from the hold queue, scanning it, then delivering to the deliver queue and the recipiant receiving multiple copies of the same message. > That too speaks against. > > > Christopher Fisk > Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Sat Jun 27 23:54:27 2009 
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Jun 27 23:54:36 2009
Subject: Files being blocked despite configuration changes
In-Reply-To:
References:
Message-ID: <223f97700906271554w18888111k1ca8a0cc6aed27e2@mail.gmail.com>

2009/6/26 Kaplan, Andrew H. :
>
> Hi there --
>
> I received a request to have .dat files be allowed through our mail server.
> Files of this type were normally sent to quarantine with an e-mail
> notification report stating the following:
>
> Report: MailScanner: No programs allowed (set.dat)
> Report: MailScanner: No programs allowed (set.dat)
>
> I reconfigured the filename.rules.conf and filetype.rules.conf files to
> allow the above file types to pass through without problem. Listed below are
> the syntaxes from each of the configuration files:
>
> filename.rules.conf
> # Physics has requested that files of this type be allowed...
> allow   \.dat$
>
> filetype.rules.conf
> allow   dat   -   Physics requested these be allowed
>
> Once these changes were made, MailScanner along with the mailserver,
> Sendmail, were restarted via the /etc/init.d/MailScanner script. There were
> no failed messages appearing on-screen when this occurred.
>
> The problem is the following: even though the files in question have been
> configured to be allowed, they are still being blocked and sent to
> quarantine. The version of MailScanner is 4.72.5 while that of Sendmail is
> 8.14.1.
>
> What other steps and/or corrections do I need to make in order to fix this?
> Thanks.
>

The file command doesn't know what "dat" is... It finds the "magic" strings/bytes that identify it as some type of executable (just run file on the quarantined file, if you store them, and you'll see). This might be due to the file actually being an executable, or accidentally triggering one of the more optimistic one-byte-magics ... in which case you either face editing/recompiling your magic file, or switching to "file -i" for file type purposes. The latter might be best.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Sun Jun 28 00:17:15 2009
From: glenn.steen at gmail.com (Glenn Steen) Date: Sun Jun 28 00:17:24 2009 Subject: Mismatch between report and actions In-Reply-To: References: Message-ID: <223f97700906271617k7363df24je7a880454d804933@mail.gmail.com> 2009/6/26 Robert Lopez : > HP Prolient DL360 G5 > Two dual core Intel(R) Xeon(R) CPU E5450 @ 3.00GHz > 8 G RAM > Linux 2.6.28-11-server #42-Ubuntu SMP Fri Apr 17 02:45:36 UTC 2009 > x86_64 GNU/Linux > Ubuntu 9.04 (jaunty) > MailScanner version 4.74.16 > Postfix version 2.5.5 > SpamAssassin version 3.2.5 running on Perl version 5.10.0 > (I know there are newer versions. These are Ubuntu apt-get...) > > > Situation: Testing Eicar, external site to internal via gateway. > Problem: ? Mismatch between reported information and actions. > > Email content says: > "Warning: Please read the 'CNM-Attachment-Warning.txt' attachment(s) > for more information." > > Action was: > Appended the text into the body of email instead of an attachment. > > > Email content says: > "Note to Help Desk: Look on the CNM () MailScanner in > /var/spool/MailScanner/quarantine/20090626 (message E0CE312F.5E6C5)." > > Action was: > "/var/spool/MailScanner/quarantine/20090626" has one dir which is "spam". > "/var/spool/MailScanner/quarantine/20090626/spam" has one file which > is "3A59B34D.274DC" and it contains a discarded gtube test. > Find says there is no E0CE312F.5E6C5 file on disks. 
> > Maillog shows this redacted information: > MailScanner[2381]: Message E0CE312F.5E6C5 from 209.85.221.171 > (munged@gmail.com) to munged.cnm.edu is not spam, SpamAssassin (not > cached, score=-0.001, required 6, autolearn=not spam, SPF_PASS -0.00) > MailScanner[2381]: Virus and Content Scanning: Starting > MailScanner[2381]: Clamd::INFECTED:: Eicar-Test-Signature :: ./E0CE312F.5E6C5/ > MailScanner[2381]: Clamd::INFECTED:: Eicar-Test-Signature :: > ./E0CE312F.5E6C5/msg-2381-6.txt > MailScanner[2381]: Virus Scanning: Clamd found 2 infections > MailScanner[2381]: Infected message E0CE312F.5E6C5 came from 209.85.221.171 > { { [ Aside: One Eicar counts as two virus infections? ] } } > MailScanner[2381]: Virus Scanning: Found 2 viruses > MailScanner[2381]: Requeue: E0CE312F.5E6C5 to A7E6051D > MailScanner[2381]: Cleaned: Delivered 1 cleaned messages > postfix/qmgr[3109]: A7E6051D: from=, size=2128, > nrcpt=1 (queue active) > postfix/pickup[3108]: B3E9E520: uid=105 from= > postfix/cleanup[3639]: B3E9E520: hold: header Received: by > munged.cnm.edu (Postfix, from userid 105)??id B3E9E520; Fri, 26 Jun > 2009 11:33:08 -0600 (MDT) from local; from= > postfix/cleanup[3639]: B3E9E520: > message-id=<20090626173308.B3E9E520@munged.cnm.edu> > MailScanner[2381]: Notices: Warned about 1 messages > postfix/smtp[3648]: A7E6051D: to=, > orig_to=, > relay=munged.cnm.edu[198.133.181.119]:25, delay=21, > delays=21/0/0/0.02, dsn=2.5.0, status=sent (250 2.5.0 Ok.) > postfix/qmgr[3109]: A7E6051D: removed > > Questions: How do I remedy these two mismatches? > > Do the upgrades needed ... MailScanner, possibly SA and Clam as well. If this means leaving the Ubunto/apt thing behind, then so be it. If you still observe the same behavior... Then we'll look at other things:-). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From mi64mailscan at mailinator.com Mon Jun 29 01:31:53 2009 
From: mi64mailscan at mailinator.com (Charlie)
Date: Mon Jun 29 01:32:24 2009
Subject: zip file has problem with 'Attempt to hide real filename extension' error
Message-ID: <328301c9f851$15e52cf0$0100000a@CharlieCompaq>

Hi,
I have created a blank file called mispb-misyahoogroups.com.out
I am able to send this through my mailserver with no problems. However, when I zip up this file, and call it mispb-misyahoogroups.com.zip
Mailscanner objects to this, with the following error:
Quarantine:
Report: Attempt to hide real filename extension (mispb-misyahoogroups.com.out)
Report: Attempt to hide real filename extension (mispb-misyahoogroups.com.out)

I have commented out the line in Mailscanner as per the following, and restarted Mailscanner.
#deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding Attempt to hide real filename extension

I am now at a loss as to why this is happening,

Thanks very much
Charlie

From alex at rtpty.com Mon Jun 29 02:13:23 2009
From: alex at rtpty.com (Alex Neuman)
Date: Mon Jun 29 02:13:32 2009
Subject: zip file has problem with 'Attempt to hide real filename extension' error
In-Reply-To: <328301c9f851$15e52cf0$0100000a@CharlieCompaq>
References: <328301c9f851$15e52cf0$0100000a@CharlieCompaq>
Message-ID: <24e3d2e40906281813q12cb0079r287ca9a6a0797a36@mail.gmail.com>

Sounds like you didn't restart MailScanner after the change.

On Sun, Jun 28, 2009 at 7:31 PM, Charlie wrote:
> Hi,
> I have created a blank file called mispb-misyahoogroups.com.out
> I am able to send this through my mailserver with no problems. However,
> when I zip up this file, and call it mispb-misyahoogroups.com.zip
> Mailscanner objects to this, with the following error:
> Quarantine:
> Report: Attempt to hide real filename extension
> (mispb-misyahoogroups.com.out)
> Report: Attempt to hide real filename extension
> (mispb-misyahoogroups.com.out)
>
> I have commented out the line in Mailscanner as per the following, and
> restarted Mailscanner.
> #deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename
> hiding Attempt to hide real filename extension
>
> I am now at a loss as to why this is happening,
>
> Thanks very much
> Charlie
>

--
Alex Neuman van der Hans
Reliant Technologies
+507 6781-9505
+507 202-1525
alex@rtpty.com
Skype: alexneuman

From alex at rtpty.com Mon Jun 29 02:14:02 2009
From: alex at rtpty.com (Alex Neuman)
Date: Mon Jun 29 02:14:11 2009
Subject: zip file has problem with 'Attempt to hide real filename extension' error
In-Reply-To: <24e3d2e40906281813q12cb0079r287ca9a6a0797a36@mail.gmail.com>
References: <328301c9f851$15e52cf0$0100000a@CharlieCompaq> <24e3d2e40906281813q12cb0079r287ca9a6a0797a36@mail.gmail.com>
Message-ID: <24e3d2e40906281814y56dd14fay8c02abf47f161a44@mail.gmail.com>

How did you restart MailScanner specifically?

On Sun, Jun 28, 2009 at 8:13 PM, Alex Neuman wrote:
> Sounds like you didn't restart MailScanner after the change.
>
> On Sun, Jun 28, 2009 at 7:31 PM, Charlie wrote:
>
>> Hi,
>> I have created a blank file called mispb-misyahoogroups.com.out
>> I am able to send this through my mailserver with no problems. However,
>> when I zip up this file, and call it mispb-misyahoogroups.com.zip
>> Mailscanner objects to this, with the following error:
>> Quarantine:
>> Report: Attempt to hide real filename extension
>> (mispb-misyahoogroups.com.out)
>> Report: Attempt to hide real filename extension
>> (mispb-misyahoogroups.com.out)
>>
>> I have commented out the line in Mailscanner as per the following, and
>> restarted Mailscanner.
>> #deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename
>> hiding Attempt to hide real filename extension
>>
>> I am now at a loss as to why this is happening,
>>
>> Thanks very much
>> Charlie
>>
>
> --
> Alex Neuman van der Hans
> Reliant Technologies
> +507 6781-9505
> +507 202-1525
> alex@rtpty.com
> Skype: alexneuman
>

--
Alex Neuman van der Hans
Reliant Technologies
+507 6781-9505
+507 202-1525
alex@rtpty.com
Skype: alexneuman

From mi64mailscan at mailinator.com Mon Jun 29 03:30:39 2009
From: mi64mailscan at mailinator.com (Charlie)
Date: Mon Jun 29 03:30:35 2009
Subject: zip file has problem with 'Attempt to hide real filename extension' error
Message-ID: <32cf01c9f861$97f2d5c0$0100000a@CharlieCompaq>

By using this command:
/etc/init.d/mailscanner restart

> How did you restart MailScanner specifically?

> On Sun, Jun 28, 2009 at 8:13 PM, Alex Neuman wrote:
> Sounds like you didn't restart MailScanner after the change.
>
> On Sun, Jun 28, 2009 at 7:31 PM, Charlie wrote:
>
>> Hi,
>> I have created a blank file called mispb-misyahoogroups.com.out
>> I am able to send this through my mailserver with no problems. However,
>> when I zip up this file, and call it mispb-misyahoogroups.com.zip
>> Mailscanner objects to this, with the following error:
>> Quarantine:
>> Report: Attempt to hide real filename extension
>> (mispb-misyahoogroups.com.out)
>> Report: Attempt to hide real filename extension
>> (mispb-misyahoogroups.com.out)
>>
>> I have commented out the line in Mailscanner as per the following, and
>> restarted Mailscanner.
>> #deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename
>> hiding Attempt to hide real filename extension
>>
>> I am now at a loss as to why this is happening,
>>
>> Thanks very much
>> Charlie
>>
>
> --
> Alex Neuman van der Hans
> Reliant Technologies
> +507 6781-9505
> +507 202-1525
> alex at rtpty.com
> Skype: alexneuman
>

From hden at kcbbs.gen.nz Mon Jun 29 04:15:58 2009
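The deny rule quoted in the thread above can be checked offline against the file names Charlie mentions; the following is an added example, not part of any post and not MailScanner's own code. It assumes tab-separated fields, first-match-wins evaluation and case-insensitive matching; the helper names and the sample rule text are constructed.

```python
import re
from typing import Dict, List, NamedTuple, Pattern, Tuple


class Rule(NamedTuple):
    action: str            # "allow" or "deny" in the rules shown in the thread
    pattern: Pattern[str]  # compiled filename regex
    log_text: str
    report_text: str


# The pattern from the rule quoted in the thread.
DOUBLE_EXT = r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$"


def build_sample(hiding_rule_enabled: bool) -> str:
    """Constructed rule file: one allow rule plus the thread's deny rule,
    either active or commented out with '#'."""
    prefix = "" if hiding_rule_enabled else "#"
    return "\n".join([
        "# constructed sample, fields separated by TAB characters",
        "allow\t\\.dat$\t-\t-",
        prefix + "deny\t" + DOUBLE_EXT
        + "\tFound possible filename hiding"
        + "\tAttempt to hide real filename extension",
        "",
    ])


def parse_rules(text: str) -> List[Rule]:
    """Parse 'action<TAB>regex<TAB>log text<TAB>report text' lines.

    Blank lines and '#' comments are skipped. A line without a TAB between
    action and regex is rejected, since such a rule would silently never
    apply (assumption: the rules file requires TAB separators)."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = re.split(r"\t+", line)
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: fields are not TAB-separated: {raw!r}")
        log_text = fields[2] if len(fields) > 2 else ""
        report_text = fields[3] if len(fields) > 3 else ""
        rules.append(Rule(fields[0].lower(),
                          re.compile(fields[1], re.IGNORECASE),
                          log_text, report_text))
    return rules


def evaluate(rules: List[Rule], filename: str) -> Tuple[str, str]:
    """Return (action, report text) of the first matching rule.
    With no match the name is allowed (assumed default)."""
    for rule in rules:
        if rule.pattern.search(filename):
            return rule.action, rule.report_text
    return "allow", ""


def check_names(rule_text: str, names: List[str]) -> Dict[str, Tuple[str, str]]:
    """Evaluate every name against one rule file."""
    rules = parse_rules(rule_text)
    return {name: evaluate(rules, name) for name in names}


# File names taken from the threads above, plus one constructed control.
NAMES = [
    "mispb-misyahoogroups.com.out",  # member inside the zip
    "mispb-misyahoogroups.com.zip",  # the zip itself
    "set.dat",
    "report.pdf",                    # constructed control
]

if __name__ == "__main__":
    for enabled in (True, False):
        print("hiding rule enabled:", enabled)
        for name, (action, report) in check_names(build_sample(enabled), NAMES).items():
            print(f"  {name:32s} {action:5s} {report}")
```

Both `.com.out` and `.com.zip` look like two stacked extensions to this pattern, so with the rule active either name is denied; with the line commented out, nothing in this one file denies them.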
From: hden at kcbbs.gen.nz (Hendrik den Hartog)
Date: Mon Jun 29 03:43:59 2009
Subject: RBLs
Message-ID: <20090629031558.GA15207@mew.kcbbs.gen.nz>

Gidday

We are currently using the following RBLs in sendmail, but suspect a problem with one. Can someone please confirm whether these are still OK to use?

safe.dnsbl.sorbs.net
cbl.abuseat.org
zen.spamhaus.org
bl.spamcop.net

Also, is there an updated list/wiki page with recommended sites to use?

Cheers!
Dave

From pumzika at gmail.com Mon Jun 29 08:52:52 2009
From: pumzika at gmail.com (Steve Barnes) Date: Mon Jun 29 08:53:02 2009 Subject: SA+MS miss spam, scored with 0.00. In-Reply-To: References: <76f60d7e0906051751o3cd151c3g4945ea0fbb32bae8@mail.gmail.com> Message-ID: <76f60d7e0906290052i8f7138ch65413dbbe2d08d83@mail.gmail.com> Hi List It seems the missing of spam described below may be related to this: https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6050 When running: spamassassin -x -D /var/spool/MailScanner/quarantine/20090605/nonspam/8F54D11485.A3CE1 occassionally spamassassin will die with the following error: [61264] dbg: info: entering helper-app run mode [61264] warn: spamassassin: killed by SIGPIPE >From what I can gather, this is caused by Razor2 and perhaps the result of an intermittent or less-than-ideal Internet connection, as would definitely be the case for the server in question. As requested by Justin Mason in the apache issues document, I've been trying to capture the SIGPIPE event using the following command on FreeBSD: ktrace -di -t+ -f /tmp/ktrace.log spamassassin -D -x < /var/spool/MailScanner/quarantine/20090628/nonspam/E63A4114A0.ADA28 but it seems now that I'm looking for it, the bug won't rear its head (typical). I've disabled Razor2 for the time being in v310.pre to confirm if that helps. Anyone else ever see this SIGPIPE event? Steve 2009/6/9 Scott Silva : > on 6-5-2009 5:51 PM Steve Barnes spake the following: >> Hi >> >> MS 4.77.7 >> SA 3.2.5 >> Postfix 2.6.0 >> FreeBSD 7.2 >> >> I'm trying to understand why MS and SA missed a spam the first time >> round (scored with 0.00). Resubmitting from quarantine as root with: >> >> spamassassin -x -D < >> /var/spool/MailScanner/quarantine/20090605/nonspam/8F54D11485.A3CE1 >> >> it was scored at 11.2. I don't believe it's a case of online checks >> "catching up" since the majority of rules that matched 2nd time round >> aren't time-related: >> >> ?pts rule name ? ? ? ? ? ? 
?description >> ---- ---------------------- >> -------------------------------------------------- >> ?1.8 SUBJ_ALL_CAPS ? ? ? ? ?Subject is all capitals >> ?1.6 MISSING_HEADERS ? ? ? ?Missing To: header >> ?1.4 DCC_CHECK ? ? ? ? ? ? ?Listed in DCC >> (http://rhyolite.com/anti-spam/dcc/) >> ?1.5 MSGID_FROM_MTA_HEADER ?Message-Id was added by a relay >> ?0.7 MSOE_MID_WRONG_CASE ? ?MSOE_MID_WRONG_CASE >> ?4.2 FORGED_MUA_OUTLOOK ? ? Forged mail pretending to be from MS Outlook >> >> Even without DCC_CHECK, it should have scored 9.8. The SA report contains: >> >> not spam, SpamAssassin (not cached, score=0, required 6, autolearn=) >> >> I keep seeing this "autolearn=)" truncation in cases where spam is >> missed. Can anyone else confirm seeing it in their maillog? Otherwise, >> MS + SA are catching 99% of the other spams coming in. I've included >> the corresponding maillog entry at the bottom of this message. >> >> Thanks >> >> Steve >> >> > I think you need the latest version (4.77-10) to fix a bug that crept into > postfix support. > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > From pumzika at gmail.com Mon Jun 29 09:38:18 2009 
From: pumzika at gmail.com (Steve Barnes)
Date: Mon Jun 29 09:38:28 2009
Subject: SA+MS miss spam, scored with 0.00.
In-Reply-To: <76f60d7e0906290052i8f7138ch65413dbbe2d08d83@mail.gmail.com>
References: <76f60d7e0906051751o3cd151c3g4945ea0fbb32bae8@mail.gmail.com> <76f60d7e0906290052i8f7138ch65413dbbe2d08d83@mail.gmail.com>
Message-ID: <76f60d7e0906290138u3eb2f01av5385f70b23cf0383@mail.gmail.com>

Forgot to mention, the failing of spamassassin with the SIGPIPE warning also results in temp files being orphaned in the spamassassin temp dir as defined in MailScanner.conf:

SpamAssassin Temporary Dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp

ls -l /var/spool/MailScanner/incoming/SpamAssassin-Temp
-rw------- 1 postfix mail 198554 Jun 28 06:14 .spamassassin87819Huzwttmp

From mailwatch, the corresponding message operations entry:

28/06/09 06:14:45 stopkolvz@peacebasecamp.com user@domain.com The US government hands out over 4Billion in grants every year 337.8Kb 0.00 Clean

Steve

2009/6/29 Steve Barnes :
> Hi List
>
> It seems the missing of spam described below may be related to this:
>
> https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6050
>
> When running:
>
> spamassassin -x -D
> /var/spool/MailScanner/quarantine/20090605/nonspam/8F54D11485.A3CE1
>
> occasionally spamassassin will die with the following error:
>
> [61264] dbg: info: entering helper-app run mode
> [61264] warn: spamassassin: killed by SIGPIPE
>
> From what I can gather, this is caused by Razor2 and perhaps the
> result of an intermittent or less-than-ideal Internet connection, as
> would definitely be the case for the server in question. As requested
> by Justin Mason in the apache issues document, I've been trying to
> capture the SIGPIPE event using the following command on FreeBSD:
>
> ktrace -di -t+ -f /tmp/ktrace.log spamassassin -D -x <
> /var/spool/MailScanner/quarantine/20090628/nonspam/E63A4114A0.ADA28
>
> but it seems now that I'm looking for it, the bug won't rear its head
> (typical). I've disabled Razor2 for the time being in v310.pre to
> confirm if that helps.
>
> Anyone else ever see this SIGPIPE event?
>
> Steve
>
> 2009/6/9 Scott Silva :
>> on 6-5-2009 5:51 PM Steve Barnes spake the following:
>>> Hi
>>>
>>> MS 4.77.7
>>> SA 3.2.5
>>> Postfix 2.6.0
>>> FreeBSD 7.2
>>>
>>> I'm trying to understand why MS and SA missed a spam the first time
>>> round (scored with 0.00). Resubmitting from quarantine as root with:
>>>
>>> spamassassin -x -D <
>>> /var/spool/MailScanner/quarantine/20090605/nonspam/8F54D11485.A3CE1
>>>
>>> it was scored at 11.2. I don't believe it's a case of online checks
>>> "catching up" since the majority of rules that matched 2nd time round
>>> aren't time-related:
>>>
>>>  pts rule name              description
>>> ---- ---------------------- --------------------------------------------------
>>>  1.8 SUBJ_ALL_CAPS          Subject is all capitals
>>>  1.6 MISSING_HEADERS        Missing To: header
>>>  1.4 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
>>>  1.5 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay
>>>  0.7 MSOE_MID_WRONG_CASE    MSOE_MID_WRONG_CASE
>>>  4.2 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook
>>>
>>> Even without DCC_CHECK, it should have scored 9.8. The SA report contains:
>>>
>>> not spam, SpamAssassin (not cached, score=0, required 6, autolearn=)
>>>
>>> I keep seeing this "autolearn=)" truncation in cases where spam is
>>> missed. Can anyone else confirm seeing it in their maillog? Otherwise,
>>> MS + SA are catching 99% of the other spams coming in. I've included
>>> the corresponding maillog entry at the bottom of this message.
>>>
>>> Thanks
>>>
>>> Steve
>>>
>>>
>> I think you need the latest version (4.77-10) to fix a bug that crept into
>> postfix support.
>>
>>
>> --
>> MailScanner mailing list
>> mailscanner@lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>
>>
>

From MailScanner at ecs.soton.ac.uk Mon Jun 29 09:44:23 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Jun 29 09:44:41 2009
Subject: Spam but no randomly no Spam Report
In-Reply-To: <4A44CA920200002D00006CE5@sparky.asdm.net>
References: <4A4404D50200002D00006C96@sparky.asdm.net> <4A44116A0200002D00006C9B@sparky.asdm.net> <4A4489C3.4000203@ecs.soton.ac.uk> <4A44B19E0200002D00006CAF@sparky.asdm.net> <4A44F040.2050305@ecs.soton.ac.uk> <4A44CA920200002D00006CE5@sparky.asdm.net> <4A487EE7.9050106@ecs.soton.ac.uk>
Message-ID:

On 26/06/2009 18:18, Gary Faith wrote:
> Julian,
> Always Include SpamAssassin Report was set to off.

In which case it won't put in the SA report details unless SA thought the message was spam.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From MailScanner at ecs.soton.ac.uk Mon Jun 29 09:46:13 2009
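The "autolearn=)" truncation that Steve Barnes reports in the "SA+MS miss spam" thread above can be hunted for in a maillog. This is an added example, not code from the posts or from MailScanner: the sample log lines are constructed (modelled on the log lines quoted in this archive, with reserved example addresses), and the function names are hypothetical.

```python
import re
from typing import Dict, List, Optional

# Shape of the MailScanner spam-check line as quoted in this archive, e.g.
#   MailScanner[2381]: Message <id> from <ip> (<sender>) to <domain> is not spam,
#   SpamAssassin (not cached, score=-0.001, required 6, autolearn=not spam, SPF_PASS -0.00)
LINE_RE = re.compile(
    r"MailScanner\[(?P<pid>\d+)\]: Message (?P<id>\S+) from (?P<ip>\S+) "
    r"\((?P<sender>[^)]*)\) to (?P<rcpt>\S+) is (?P<verdict>not spam|spam), "
    r"SpamAssassin \((?P<report>.*)\)\s*$"
)
# A rule hit inside the report: upper-case rule name followed by its points.
HIT_RE = re.compile(r"^(?P<rule>[A-Z][A-Z0-9_]*) (?P<pts>-?\d+(?:\.\d+)?)$")

# Constructed sample input: one healthy ham line, one truncated report,
# one healthy spam line, and one unrelated postfix line.
SAMPLE_LOG = """\
Jun 28 06:14:40 mx1 MailScanner[2381]: Message 1A2B3C4D5E.A1B2C from 192.0.2.10 (alice@example.org) to example.com is not spam, SpamAssassin (not cached, score=-0.001, required 6, autolearn=not spam, SPF_PASS -0.00)
Jun 28 06:14:45 mx1 MailScanner[2381]: Message 2B3C4D5E6F.B2C3D from 192.0.2.77 (bulk@example.net) to example.com is not spam, SpamAssassin (not cached, score=0, required 6, autolearn=)
Jun 28 06:15:02 mx1 MailScanner[2390]: Message 3C4D5E6F7A.C3D4E from 192.0.2.78 (bulk@example.net) to example.com is spam, SpamAssassin (not cached, score=9.8, required 6, autolearn=spam, FORGED_MUA_OUTLOOK 4.20, MISSING_HEADERS 1.60, MSGID_FROM_MTA_HEADER 1.50, MSOE_MID_WRONG_CASE 0.70, SUBJ_ALL_CAPS 1.80)
Jun 28 06:15:03 mx1 postfix/qmgr[3109]: 4D5E6F7A8B: removed
"""


def parse_line(line: str) -> Optional[Dict]:
    """Parse one spam-check log line; return None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"pid": int(m["pid"]), "id": m["id"], "ip": m["ip"],
           "sender": m["sender"], "verdict": m["verdict"],
           "score": None, "autolearn": None, "hits": []}
    for tok in (t.strip() for t in m["report"].split(",")):
        if tok.startswith("score="):
            try:
                rec["score"] = float(tok[len("score="):])
            except ValueError:
                pass  # leave score as None if the value itself is cut off
        elif tok.startswith("autolearn="):
            rec["autolearn"] = tok[len("autolearn="):]
        else:
            hit = HIT_RE.match(tok)
            if hit:
                rec["hits"].append((hit["rule"], float(hit["pts"])))
    return rec


def is_truncated(rec: Dict) -> bool:
    """The symptom from the thread: empty autolearn value and no rule hits."""
    return rec["autolearn"] == "" and not rec["hits"]


def find_truncated(log_text: str) -> List[Dict]:
    """Return the parsed records whose SpamAssassin report looks cut short."""
    records = (parse_line(line) for line in log_text.splitlines())
    return [r for r in records if r is not None and is_truncated(r)]


if __name__ == "__main__":
    for rec in find_truncated(SAMPLE_LOG):
        # The PID lets an operator line the message up with SIGPIPE warnings
        # or orphaned temp files from the same MailScanner child.
        print(f"{rec['id']} pid={rec['pid']} sender={rec['sender']} "
              f"score={rec['score']} verdict={rec['verdict']}")
```
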
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jun 29 09:46:34 2009 Subject: Spam but no randomly no Spam Report In-Reply-To: <4A44D89D0200002D00006CEA@sparky.asdm.net> References: <4A4404D50200002D00006C96@sparky.asdm.net> <4A44116A0200002D00006C9B@sparky.asdm.net> <4A4489C3.4000203@ecs.soton.ac.uk> <4A44B19E0200002D00006CAF@sparky.asdm.net> <4A44F040.2050305@ecs.soton.ac.uk> <4A44CA920200002D00006CE5@sparky.asdm.net> <4A44D89D0200002D00006CEA@sparky.asdm.net> <4A487F55.9080907@ecs.soton.ac.uk> Message-ID: On 26/06/2009 19:18, Gary Faith wrote: > After turning it on, I do get a Spam Report now. As expected. > Spam: Y Action(s): store, deliver, header, "X-Spam-Status:, Yes" > High Scoring Spam: N SpamAssassin Spam: N Listed in RBL: Y SBL+XBL > Spam Whitelisted: N Spam Blacklisted: N SpamAssassin Autolearn: N > SpamAssassin Score:0.92 Spam Report: > Score Matching Rule Description > -0.50 BAYES_00 Bayesian spam probability is 0 to 1% > 1.42 SARE_ADULT2 Contains adult material > > Steve Freegard, just posted an message that "Always Include > SpamAssassin Report" = on would cause it to run even for whitelisted > and blacklisted recipients. I agree it would be inefficient to have > SA run on whitelisted & blacklisted recipients. Absolutely correct. You don't want the inefficiency of always generating the report, which involves always running SA, so don't be surprised when you don't get the report. > Could there still be a problem in the patched Message.pm where it is > returning some of the spam report but not all? Don't think so. > Gary > > >>> "Gary Faith" 6/26/2009 1:18 PM >>> > Julian, > Always Include SpamAssassin Report was set to off. I just turned it > on and will see if that changes things. I wasn't sure if that setting > would be a problem because it seems that there was a report even if > the message was clean like the one below. 
It just seems like the > Spam Report is included with every message except when the isspam =1 & > isrblspam =1 and the other two flags = 0. > Spam: N Action(s): store, deliver, header, "X-Spam-Status:, No" High > Scoring Spam: N SpamAssassin Spam: N Listed in RBL: N Spam > Whitelisted: N Spam Blacklisted: N SpamAssassin Autolearn: N > SpamAssassin Score:3.28 Spam Report: > Score Matching Rule Description > cached not > > score=3.281 > 3.5 required > -0.50 BAYES_00 Bayesian spam probability is 0 to 1% > 2.17 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/) > 0.73 HTML_COMMENT_SHORT HTML comment is very short > 0.88 HTML_FONT_FACE_BAD HTML font face is not a word > 0.00 HTML_MESSAGE HTML included in message > -0.00 SPF_PASS SPF: sender matches SPF record > > > Gary > > >>> Julian Field 6/26/2009 11:58 AM >>> > Does your MailScanner.conf have "Always Include SpamAssassin Report" > switched on or off? > > On 26/06/2009 16:31, Gary Faith wrote: > > Julian, > > Better. The spam report field is populated now but I don't think it > > is completely fixed. See below: > > Spam: Y Action(s): store, deliver, header, "X-Spam-Status:, Yes" > > High Scoring Spam: N > > SpamAssassin Spam: N > > Listed in RBL: Y > > Spam Whitelisted: N > > Spam Blacklisted: N > > SpamAssassin Autolearn: N > > SpamAssassin Score: 3.09 > > Spam Report: spam, SBL+XBL > > I confirmed that the database shows spam, SBL+XBL only. Problem that > > I see is that there is nothing in the spamreport field to explain the > > 3.09 SpamAssassin score. > > Gary > > > > > > >>> Julian Field 6/26/2009 4:41 AM >>> > > Aha, well done for tracking down that case, I've been looking for that > > bug for ages. > > Due to your diagnostics I now have what should fix it. > > > > Please try the attached patch to > > /usr/lib/MailScanner/MailScanner/Message.pm and then restart > MailScanner. > > > > Thanks for helping! > > Jules. > > > > On 26/06/2009 05:08, Gary Faith wrote: > > > Follow Up! 
After doing more digging, I believe that I have found the > > > common thread when the problem occurs. The spamreport field only > > > seems to be blank when isspam & isrblspam flags are set. If issaspam > > > and/or ishighspam are set then spamreport has data. > > > isspam tinyint(1) =1 > > > ishighspam tinyint(1) =0 > > > issaspam tinyint(1) =0 > > > isrblspam tinyint(1) =1 > > > spamwhitelisted tinyint(1) =0 > > > spamblacklisted tinyint(1) =0 > > > sascore decimal(7,2) some value > > > spamreport text {Empty} > > > I hope this helps shine light on my problem. Any ideas why this is > > > happening? > > > Thanks, > > > > > > Gary > > > > > > >>> "Gary Faith" 6/25/2009 11:14 PM >>> > > > Running MailScanner 4.75.11 on SLES 10 SP2 X86_64. When viewing the > > > information via MailWatch, I see the following on the details page: > > > SpamAssassin Spam: Y Action(s): store, deliver, header, > > > "X-Spam-Status:, Yes" > > > High Scoring Spam: N > > > SpamAssassin Spam: N > > > Listed in RBL: N > > > Spam Whitelisted: N > > > Spam Blacklisted: N > > > SpamAssassin Autolearn: N > > > SpamAssassin Score:1.66 > > > The problem is Spam Report is blank. This happens on a few seemingly > > > random messages while most have something in the spamreport field. I > > > have verified this in the database that it definitely null. Any > > > reason why all the data except the spam report would be logged to > > > mysql? Could this be a spamassassin timeout problem? > > > Thanks, > > > > > > Gary Faith > > > > Jules > > > > -- > > Julian Field MEng CITP CEng > > www.MailScanner.info > > Buy the MailScanner book at www.MailScanner.info/store > > > > Need help customising MailScanner? > > Contact me! > > Need help fixing or optimising your systems? > > Contact me! > > Need help getting you started solving new requirements from your boss? > > Contact me! 
> > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > Follow me at twitter.com/JulesFM and twitter.com/MailScanner > > > > > > -- > > This message has been scanned for viruses and > > dangerous content by MailScanner, and is > > believed to be clean. > > > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > Follow me at twitter.com/JulesFM and twitter.com/MailScanner > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Mon Jun 29 09:51:36 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Jun 29 09:51:59 2009
Subject: New wiki page
In-Reply-To:
References: <4A43C66A.5070703@ecs.soton.ac.uk><4A43CD22.6060208@ecs.soton.ac.uk><4A448379.403@ecs.soton.ac.uk><4A44AD67.3000702@ecs.soton.ac.uk><4A44B106.6040808@alexb.ch><4A44B251.4020906@ecs.soton.ac.uk><4A44B5A9.90905@alexb.ch><4A44C195.40 <003601c9f660$0f0bba90$2d232fb0$@dk> <4A488098.2060908@ecs.soton.ac.uk>
Message-ID:

Thanks for that. I have updated the page.
I don't use tarbaby, is there much point?

On 26/06/2009 19:27, Gerry Maddock wrote:
> Julian, it looks like sane-security's latest scripts includes the
> signatures found in Securiteinfo. Also, I failed to mention in my setup I
> have a third MX record that points to tarbaby.junkemailfilter.com. (
> http://wiki.ctyme.com/index.php/Project_tarbaby). Anyone else using
> tarbaby?
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From MailScanner at ecs.soton.ac.uk Mon Jun 29 09:56:40 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Jun 29 09:57:00 2009
Subject: RBLs
In-Reply-To: <20090629031558.GA15207@mew.kcbbs.gen.nz>
References: <20090629031558.GA15207@mew.kcbbs.gen.nz> <4A4881C8.9040602@ecs.soton.ac.uk>
Message-ID:

On 29/06/2009 04:15, Hendrik den Hartog wrote:
> Gidday
>
> We are currently using the following RBLs in sendmail, but
> suspect a problem with one.
> Can someone please confirm whether these are still OK to use?
>
>
> safe.dnsbl.sorbs.net
>
That one is shutting down.
> cbl.abuseat.org
>
That one is irrelevant as you are also using zen.
> zen.spamhaus.org
>
That one may well have blocked you for exceeding their free daily usage limit. You probably need to give them some money.
> bl.spamcop.net
>
That one should work.
> Also, is there is an updated list/wiki page with recommended sites
> to use?
>
www.mailscanner.info/gettingthebest.html

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From uxbod at splatnix.net Mon Jun 29 10:22:20 2009
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Mon Jun 29 10:22:36 2009
Subject: RBLs
In-Reply-To:
Message-ID: <12496595.261246267340600.JavaMail.root@office.splatnix.net>

----- "Julian Field" wrote:
> On 29/06/2009 04:15, Hendrik den Hartog wrote:
> > Gidday
> >
> > We are currently using the following RBLs in sendmail, but
> > suspect a problem with one.
> > Can someone please confirm whether these are still OK to use?
> >
> >
> > safe.dnsbl.sorbs.net
> >
> That one is shutting down.
> > cbl.abuseat.org
> >
> That one is irrelevant as you are also using zen.
> > zen.spamhaus.org
> >
> That one may well have blocked you for exceeding their free daily usage
> limit. You probably need to give them some money.
> > bl.spamcop.net
> >
> That one should work.
> > Also, is there is an updated list/wiki page with recommended sites
> > to use?
> >
> www.mailscanner.info/gettingthebest.html
>
> Jules
>
>

Looks as though somebody may be offering hosting to SORBS so the shutdown date has been postponed.

Best Regards,

--
SplatNIX IT Services :: Innovation through collaboration

From ms-list at alexb.ch Mon Jun 29 13:09:02 2009
From: ms-list at alexb.ch (Alex Broens)
Date: Mon Jun 29 13:09:11 2009
Subject: New wiki page
In-Reply-To:
References: <4A43C66A.5070703@ecs.soton.ac.uk><4A43CD22.6060208@ecs.soton.ac.uk><4A448379.403@ecs.soton.ac.uk><4A44AD67.3000702@ecs.soton.ac.uk><4A44B106.6040808@alexb.ch><4A44B251.4020906@ecs.soton.ac.uk><4A44B5A9.90905@alexb.ch><4A44C195.40 <003601c9f660$0f0bba90$2d232fb0$@dk> <4A488098.2060908@ecs.soton.ac.uk>
Message-ID: <4A48AEDE.3060907@alexb.ch>

On 6/29/2009 10:51 AM, Julian Field wrote:
> Thanks for that. I have updated the page.
> I don't use tarbaby, is there much point?

nope... definitely not.

Not advisable unless you run a server with only 3 users: postmaster, abuse and yourself :-

> On 26/06/2009 19:27, Gerry Maddock wrote:
>> Julian, it looks like sane-security's latest scripts includes the
>> signatures found in Securiteinfo. Also, I failed to mention in my setup I
>> have a third MX record that points to tarbaby.junkemailfilter.com. (
>> http://wiki.ctyme.com/index.php/Project_tarbaby). Anyone else using
>> tarbaby?
>>
>
> Jules
>

From rcooper at dwford.com Mon Jun 29 13:21:09 2009
From: rcooper at dwford.com (Rick Cooper)
Date: Mon Jun 29 13:21:29 2009
Subject: zip file has problem with 'Attempt to hide real filename extension'error
In-Reply-To: <328301c9f851$15e52cf0$0100000a@CharlieCompaq>
References: <328301c9f851$15e52cf0$0100000a@CharlieCompaq>
Message-ID: <2CBDD9009B2F4A458485C2C1119E58CA@SAHOMELT>

----Original Message----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Charlie
Sent: Sunday, June 28, 2009 8:32 PM
To: MailScanner discussion
Subject: zip file has problem with 'Attempt to hide real filename extension'error

> Hi,
> I have created a blank file called mispb-misyahoogroups.com.out
> I am able to send this through my mailserver with no problems. However,
> when
> I zip up this file, and call it mispb-misyahoogroups.com.zip Mailscanner
> objects to this, with the following error:
> Quarantine:
> Report: Attempt to hide real filename extension
> (mispb-misyahoogroups.com.out)
> Report: Attempt to hide real filename extension
> (mispb-misyahoogroups.com.out)
>
> I have commented out the line in Mailscanner as per the following, and
> restarted Mailscanner.
> #deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename
> hiding Attempt to hide real filename extension
>
> I am now at a loss as to why this happening,
>
> Thanks very much
> Charlie
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

If you are using a recent MailScanner version then you have different rules for filenames within archives, check that list and remove the rule from there as well

Rick

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From gafaith at asdm.net Mon Jun 29 14:25:07 2009
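Why the zip in the "Attempt to hide real filename extension" thread above is still quarantined after the rule was commented out, as a small model of Rick Cooper's explanation. This is an added example, not MailScanner's code: it assumes rule lines are four tab-separated fields (as in the line Charlie quotes), matched case-insensitively with the first matching rule deciding, and the two rule-list names are hypothetical.

```python
import io
import re
import zipfile
from typing import List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    action: str          # "allow" or "deny"
    pattern: re.Pattern  # compiled filename pattern
    log_text: str        # text written to the log
    user_text: str       # text shown in the report


# The rule quoted in the post, as four tab-separated fields (assumed layout).
HIDING_RULE = "\t".join([
    "deny",
    r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$",
    "Found possible filename hiding",
    "Attempt to hide real filename extension",
])

# Hypothetical rule lists: the one for top-level attachment names has the rule
# commented out, as the poster did; the one for names inside archives still has it.
TOP_LEVEL_RULES = "#" + HIDING_RULE + "\n"
ARCHIVE_RULES = HIDING_RULE + "\n"


def parse_rules(text: str) -> List[Rule]:
    """Parse rule lines, skipping blank lines and '#' comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = re.split(r"\t+", line)
        if len(fields) != 4 or fields[0].lower() not in ("allow", "deny"):
            raise ValueError(f"malformed rule line: {raw!r}")
        action, pattern, log_text, user_text = fields
        rules.append(Rule(action.lower(), re.compile(pattern, re.IGNORECASE),
                          log_text, user_text))
    return rules


def first_match(rules: List[Rule], filename: str) -> Optional[Rule]:
    """Return the first rule whose pattern matches the filename, if any."""
    for rule in rules:
        if rule.pattern.search(filename):
            return rule
    return None


def scan_attachment(name: str, data: bytes, top_rules: List[Rule],
                    archive_rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Check the attachment name, then every member name if it is a zip."""
    findings = []
    hit = first_match(top_rules, name)
    if hit and hit.action == "deny":
        findings.append(("attachment", name, hit.user_text))
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as zf:
            for member in zf.namelist():
                hit = first_match(archive_rules, member)
                if hit and hit.action == "deny":
                    findings.append(("archive member", member, hit.user_text))
    return findings


def build_zip(member_name: str, content: bytes = b"") -> bytes:
    """Build an in-memory zip holding one file (the poster's blank file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    top, arch = parse_rules(TOP_LEVEL_RULES), parse_rules(ARCHIVE_RULES)
    zipped = build_zip("mispb-misyahoogroups.com.out")
    for where, fname, report in scan_attachment(
            "mispb-misyahoogroups.com.zip", zipped, top, arch):
        print(f"{where}: {report} ({fname})")
```

The pattern fires on `.com.out` because `.com` looks like a three-letter extension followed by another three-character extension; `archive.tar.gz` does not match since `gz` is only two characters.
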
From: gafaith at asdm.net (Gary Faith)
Date: Mon Jun 29 14:25:36 2009
Subject: {Spam?} Re: Spam but no randomly no Spam Report
In-Reply-To:
References: <4A4404D50200002D00006C96@sparky.asdm.net> <4A44116A0200002D00006C9B@sparky.asdm.net> <4A4489C3.4000203@ecs.soton.ac.uk> <4A44B19E0200002D00006CAF@sparky.asdm.net> <4A44F040.2050305@ecs.soton.ac.uk> <4A44CA920200002D00006CE5@sparky.asdm.net> <4A44D89D0200002D00006CEA@sparky.asdm.net> <4A487F55.9080907@ecs.soton.ac.uk>
Message-ID: <4A4888730200002D00006D2F@sparky.asdm.net>

When Spamassassin returns it's scores, where are you pulling the data from? Is it in the header from X-Spam-Status: returned from Spamassassin

X-Spam-Status: No, score=-0.5 required=5.0 tests=BAYES_00 shortcircuit=no autolearn=unavailable version=3.2.5

or in the body somewhere?

Gary

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090629/bbf43923/attachment.html

From gmaddock at futuremetals.com Mon Jun 29 14:23:46 2009
From: gmaddock at futuremetals.com (Gerry Maddock)
Date: Mon Jun 29 14:27:52 2009
Subject: New wiki page
In-Reply-To: <4A48AEDE.3060907@alexb.ch>
References: <4A43C66A.5070703@ecs.soton.ac.uk><4A448379.403@ecs.soton.ac.uk><4A44AD67.3000702@ecs.soton.ac.uk><4A44B106.6040808@alexb.ch><4A44B251.4020906@ecs.soton.ac.uk><4A44B5A9.90905@alexb.ch><4A44C195.40<003601c9f660$0f0bba90$2d232fb0$@dk> <4A48AEDE.3060907@alexb.ch>
Message-ID:

>
> Not advisable unless you run a server with only 3 users: postmaster,
> abuse and yourself :-

Strange, I'm running servers with more users than that and no email
is getting lost. I did notice a decrease in spam after using tarbaby
Their site states: "We will not actually receive any of your email
under any circumstances. We will return a 451 temporary error
immediately after the DATA command. This tells the sender to come
back later and try again. Good email is never lost using this method."

Like I've said, I run servers with quite a bit more than 3 users and
have had 0 problems.

CONFIDENTIALITY: This e-mail message is for the sole use of the intended recipient(s) and may contain confidential and / or privileged information. Any unauthorized review, use, disclosure or distribution of any kind is strictly prohibited. If you are not the intended recipient, please contact the sender via reply e-mail and destroy all copies of the original message. Thank you.

From rlopezcnm at gmail.com Mon Jun 29 14:36:02 2009
From: rlopezcnm at gmail.com (Robert Lopez)
Date: Mon Jun 29 14:36:13 2009
Subject: Mismatch between report and actions
In-Reply-To: <223f97700906271617k7363df24je7a880454d804933@mail.gmail.com>
References: <223f97700906271617k7363df24je7a880454d804933@mail.gmail.com>
Message-ID:

On Sat, Jun 27, 2009 at 5:17 PM, Glenn Steen wrote:
> 2009/6/26 Robert Lopez :
>> HP ProLiant DL360 G5
>> Two dual core Intel(R) Xeon(R) CPU E5450 @ 3.00GHz
>> 8 G RAM
>> Linux 2.6.28-11-server #42-Ubuntu SMP Fri Apr 17 02:45:36 UTC 2009
>> x86_64 GNU/Linux
>> Ubuntu 9.04 (jaunty)
>> MailScanner version 4.74.16
>> Postfix version 2.5.5
>> SpamAssassin version 3.2.5 running on Perl version 5.10.0
>> (I know there are newer versions. These are Ubuntu apt-get...)
>>
>>
>> Situation: Testing Eicar, external site to internal via gateway.
>> Problem: Mismatch between reported information and actions.
>>
>> Email content says:
>> "Warning: Please read the 'CNM-Attachment-Warning.txt' attachment(s)
>> for more information."
>>
>> Action was:
>> Appended the text into the body of email instead of an attachment.
>>
>>
>> Email content says:
>> "Note to Help Desk: Look on the CNM () MailScanner in
>> /var/spool/MailScanner/quarantine/20090626 (message E0CE312F.5E6C5)."
>>
>> Action was:
>> "/var/spool/MailScanner/quarantine/20090626" has one dir which is "spam".
>> "/var/spool/MailScanner/quarantine/20090626/spam" has one file which
>> is "3A59B34D.274DC" and it contains a discarded gtube test.
>> Find says there is no E0CE312F.5E6C5 file on disks.
>>
>> Maillog shows this redacted information:
>> MailScanner[2381]: Message E0CE312F.5E6C5 from 209.85.221.171 (munged@gmail.com) to munged.cnm.edu is not spam, SpamAssassin (not cached, score=-0.001, required 6, autolearn=not spam, SPF_PASS -0.00)
>> MailScanner[2381]: Virus and Content Scanning: Starting
>> MailScanner[2381]: Clamd::INFECTED:: Eicar-Test-Signature :: ./E0CE312F.5E6C5/
>> MailScanner[2381]: Clamd::INFECTED:: Eicar-Test-Signature :: ./E0CE312F.5E6C5/msg-2381-6.txt
>> MailScanner[2381]: Virus Scanning: Clamd found 2 infections
>> MailScanner[2381]: Infected message E0CE312F.5E6C5 came from 209.85.221.171
>> { { [ Aside: One Eicar counts as two virus infections? ] } }
>> MailScanner[2381]: Virus Scanning: Found 2 viruses
>> MailScanner[2381]: Requeue: E0CE312F.5E6C5 to A7E6051D
>> MailScanner[2381]: Cleaned: Delivered 1 cleaned messages
>> postfix/qmgr[3109]: A7E6051D: from=, size=2128, nrcpt=1 (queue active)
>> postfix/pickup[3108]: B3E9E520: uid=105 from=
>> postfix/cleanup[3639]: B3E9E520: hold: header Received: by munged.cnm.edu (Postfix, from userid 105) id B3E9E520; Fri, 26 Jun 2009 11:33:08 -0600 (MDT) from local; from=
>> postfix/cleanup[3639]: B3E9E520: message-id=<20090626173308.B3E9E520@munged.cnm.edu>
>> MailScanner[2381]: Notices: Warned about 1 messages
>> postfix/smtp[3648]: A7E6051D: to=, orig_to=, relay=munged.cnm.edu[198.133.181.119]:25, delay=21, delays=21/0/0/0.02, dsn=2.5.0, status=sent (250 2.5.0 Ok.)
>> postfix/qmgr[3109]: A7E6051D: removed
>>
>> Questions: How do I remedy these two mismatches?
>>
>>
> Do the upgrades needed ... MailScanner, possibly SA and Clam as well.
> If this means leaving the Ubuntu/apt thing behind, then so be it.
> If you still observe the same behavior... Then we'll look at other things:-).
>
> Cheers
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

Thank you Glenn,

Changing from Ubuntu is not my decision to make. My current project is comparing a system built with RHEL and files from Julian's site to this one.

--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106

From gmaddock at futuremetals.com Mon Jun 29 14:39:36 2009
From: gmaddock at futuremetals.com (Gerry Maddock) Date: Mon Jun 29 14:43:53 2009 Subject: New wiki page In-Reply-To: References: <4A43C66A.5070703@ecs.soton.ac.uk><4A448379.403@ecs.soton.ac.uk><4A44AD67.3000702@ecs.soton.ac.uk><4A44B106.6040808@alexb.ch><4A44B251.4020906@ecs.soton.ac.uk><4A44B5A9.90905@alexb.ch><4A44C195.40<003601c9f660$0f0bba90$2d232fb0$@dk> <4A48AEDE.3060907@alexb.ch> Message-ID: > > Not advisable unless you run a server with only 3 users: postmaster, > > abuse and yourself :- > Strange, I'm running servers with more users than that and no email > is getting lost. I did notice a decrease in spam after using tarbaby > Their site states: "We will not actually receive any of your email > under any circumstances. We will return a 451 temporary error > immediately after the DATA command. This tells the sender to come > back later and try again. Good email is never lost using this method." > > Like I've said, I run servers with quite a bit more than 3 users and > have had 0 problems. It's very similar to greylisting in my opinion (which I already use as well). Anything to help cut down spam and server load, I'm in favor of. If some spambots deliberately try to use lower MX servers expecting less anti-spam measures (which in some cases is true, as we have read on this list) Any legit email will try again just as in greylisting. From ms-list at alexb.ch Mon Jun 29 14:52:32 2009
From: ms-list at alexb.ch (Alex Broens) Date: Mon Jun 29 14:52:42 2009 Subject: New wiki page In-Reply-To: References: <4A43C66A.5070703@ecs.soton.ac.uk><4A448379.403@ecs.soton.ac.uk><4A44AD67.3000702@ecs.soton.ac.uk><4A44B106.6040808@alexb.ch><4A44B251.4020906@ecs.soton.ac.uk><4A44B5A9.90905@alexb.ch><4A44C195.40<003601c9f660$0f0bba90$2d232fb0$@dk> <4A48AEDE.3060907@alexb.ch> Message-ID: <4A48C720.8040803@alexb.ch> On 6/29/2009 3:39 PM, Gerry Maddock wrote: >>> Not advisable unless you run a server with only 3 users: postmaster, >>> abuse and yourself :- >> Strange, I'm running servers with more users than that and no email >> is getting lost. I did notice a decrease in spam after using tarbaby >> Their site states: "We will not actually receive any of your email >> under any circumstances. We will return a 451 temporary error >> immediately after the DATA command. This tells the sender to come >> back later and try again. Good email is never lost using this method." >> >> Like I've said, I run servers with quite a bit more than 3 users and >> have had 0 problems. > It's very similar to greylisting in my opinion (which I already use as > well). Anything to help cut down spam and server load, I'm in favor of. If > some spambots deliberately try to use lower MX servers expecting less > anti-spam measures (which in some cases is true, as we have read on this > list) Any legit email will try again just as in greylisting. > "works for me" != advisable != 100% safe != under your control != BCP From glenn.steen at gmail.com Mon Jun 29 15:11:39 2009
From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Jun 29 15:11:58 2009 Subject: Mismatch between report and actions In-Reply-To: References: <223f97700906271617k7363df24je7a880454d804933@mail.gmail.com> Message-ID: <223f97700906290711g699f0732p89e0fc3ce512bf66@mail.gmail.com> 2009/6/29 Robert Lopez : > On Sat, Jun 27, 2009 at 5:17 PM, Glenn Steen wrote: >> 2009/6/26 Robert Lopez : >>> HP ProLiant DL360 G5 >>> Two dual core Intel(R) Xeon(R) CPU E5450 @ 3.00GHz >>> 8 G RAM >>> Linux 2.6.28-11-server #42-Ubuntu SMP Fri Apr 17 02:45:36 UTC 2009 >>> x86_64 GNU/Linux >>> Ubuntu 9.04 (jaunty) >>> MailScanner version 4.74.16 >>> Postfix version 2.5.5 >>> SpamAssassin version 3.2.5 running on Perl version 5.10.0 >>> (I know there are newer versions. These are Ubuntu apt-get...) >>> >>> (snip error...) >>> >> Do the upgrades needed ... MailScanner, possibly SA and Clam as well. >> If this means leaving the Ubuntu/apt thing behind, then so be it. >> If you still observe the same behavior... Then we'll look at other things:-). >> >> Cheers (snip) > > Thank you Glenn, > > Changing from Ubuntu is not my decision to make. My current project is > comparing a system built with RHEL and files from Julian's site to this > one. > I didn't say "ditch Ubuntu", just the Ubuntu packaging of MailScanner;-). You could probably live pretty well with the source tarball, for example. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From steve.freegard at fsl.com Mon Jun 29 15:18:03 2009
From: steve.freegard at fsl.com (Steve Freegard) Date: Mon Jun 29 15:18:14 2009 Subject: New wiki page In-Reply-To: References: <4A43C66A.5070703@ecs.soton.ac.uk><4A448379.403@ecs.soton.ac.uk><4A44AD67.3000702@ecs.soton.ac.uk><4A44B106.6040808@alexb.ch><4A44B251.4020906@ecs.soton.ac.uk><4A44B5A9.90905@alexb.ch><4A44C195.40<003601c9f660$0f0bba90$2d232fb0$@dk> <4A48AEDE.3060907@alexb.ch> Message-ID: <4A48CD1B.5050804@fsl.com> Gerry Maddock wrote: >> Not advisable unless you run a server with only 3 users: postmaster, >> abuse and yourself :- > Strange, I'm running servers with more users than that and no email is > getting lost. I did notice a decrease in spam after using tarbaby Their > site states: "We will not actually receive any of your email under any > circumstances. We will return a 451 temporary error immediately after the > DATA command. This tells the sender to come back later and try again. Good > email is never lost using this method." > > Like I've said, I run servers with quite a bit more than 3 users and have > had 0 problems. > If you use greylisting; then using tarbaby will give no benefit and might actually cause you extra delays depending on the sender. Otherwise - it should work just fine. Cheers, Steve. From rlopezcnm at gmail.com Mon Jun 29 15:26:37 2009 
From: rlopezcnm at gmail.com (Robert Lopez) Date: Mon Jun 29 15:26:46 2009 Subject: Mismatch between report and actions In-Reply-To: <223f97700906290711g699f0732p89e0fc3ce512bf66@mail.gmail.com> References: <223f97700906271617k7363df24je7a880454d804933@mail.gmail.com> <223f97700906290711g699f0732p89e0fc3ce512bf66@mail.gmail.com> Message-ID: On Mon, Jun 29, 2009 at 8:11 AM, Glenn Steen wrote: > 2009/6/29 Robert Lopez : >> On Sat, Jun 27, 2009 at 5:17 PM, Glenn Steen wrote: >>> 2009/6/26 Robert Lopez : >>>> HP ProLiant DL360 G5 >>>> Two dual core Intel(R) Xeon(R) CPU E5450 @ 3.00GHz >>>> 8 G RAM >>>> Linux 2.6.28-11-server #42-Ubuntu SMP Fri Apr 17 02:45:36 UTC 2009 >>>> x86_64 GNU/Linux >>>> Ubuntu 9.04 (jaunty) >>>> MailScanner version 4.74.16 >>>> Postfix version 2.5.5 >>>> SpamAssassin version 3.2.5 running on Perl version 5.10.0 >>>> (I know there are newer versions. These are Ubuntu apt-get...) >>>> >>>> > (snip error...) >>>> >>> Do the upgrades needed ... MailScanner, possibly SA and Clam as well. >>> If this means leaving the Ubuntu/apt thing behind, then so be it. >>> If you still observe the same behavior... Then we'll look at other things:-). >>> >>> Cheers > (snip) >> >> Thank you Glenn, >> >> Changing from Ubuntu is not my decision to make. My current project is >> comparing a system built with RHEL and files from Julian's site to this >> one. >> > I didn't say "ditch Ubuntu", just the Ubuntu packaging of > MailScanner;-). You could probably live pretty well with the source > tarball, for example. > > Cheers > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > Again, Thank you Glenn.
I have to attend to the root cause of the problem I wrote about. The issue you reply to is a policy issue upon which I have no influence. I was very happy with the test system built with tar files. My management is not. -- Robert Lopez Unix Systems Administrator Central New Mexico Community College (CNM) 525 Buena Vista SE Albuquerque, New Mexico 87106 From steve.freegard at fsl.com Mon Jun 29 15:35:26 2009 From: steve.freegard at fsl.com (Steve Freegard) Date: Mon Jun 29 15:35:41 2009 Subject: New wiki page In-Reply-To: <4A48C720.8040803@alexb.ch> References: <4A43C66A.5070703@ecs.soton.ac.uk><4A448379.403@ecs.soton.ac.uk><4A44AD67.3000702@ecs.soton.ac.uk><4A44B106.6040808@alexb.ch><4A44B251.4020906@ecs.soton.ac.uk><4A44B5A9.90905@alexb.ch><4A44C195.40<003601c9f660$0f0bba90$2d232fb0$@dk> <4A48AEDE.3060907@alexb.ch> <4A48C720.8040803@alexb.ch> Message-ID: <4A48D12E.4070706@fsl.com> Alex Broens wrote: > "works for me" != advisable != 100% safe != under your controll != BCP Technically there is no problem with the method. The issue is a moral one - people using this should realise that the owner of tarbaby could very easily start collecting or rejecting mail received for your domain either maliciously or by accident and as people using this service have no contract with the provider therefore have no comeback should this happen. Whilst the same could be said of any blacklists (they could reject all your mail either maliciously, on purpose or by accident), but pointing one of your MX records to a 3rd party goes a step further than this and could allow someone to collect your mail without your knowledge. For example: instead of sending 451 at DATA, they could easily do it after the message has been sent (at dot) and you'd be none the wiser. It would still function the same as it does now except a copy of the message could be kept. At the end of the day - it's all about trust. Cheers, Steve. From glenn.steen at gmail.com Mon Jun 29 15:43:38 2009 
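The distinction Steve Freegard draws above (a 451 in reply to the DATA command versus a 451 sent only after the terminating dot) can be checked from a captured SMTP dialogue with a third-party MX. This is an added example, not part of the original thread; the transcripts, host names and function names are constructed for illustration.

```python
import re

# A final reply line is "NNN text"; "NNN-text" continues a multi-line reply.
REPLY = re.compile(r"^(\d{3})([ -]?)")


def classify_verdict(transcript):
    """Walk one SMTP session ('C: ' / 'S: ' prefixed lines) and report at
    which stage the server gave its verdict on the message."""
    state = "envelope"          # envelope -> data-sent -> body -> eod-sent
    body_bytes = 0
    last_code = None

    def result(stage, code, received):
        return {
            "stage": stage,
            "code": code,
            "temporary": code is not None and 400 <= code < 500,
            "body_bytes": received,
            "content_received": stage == "end-of-data",
        }

    for raw in transcript.splitlines():
        if not raw.strip():
            continue
        who, text = raw[0], raw[3:]
        if who == "C":
            if state == "envelope" and text.upper() == "DATA":
                state = "data-sent"
            elif state == "body":
                if text == ".":
                    state = "eod-sent"      # end-of-data marker
                else:
                    if text.startswith("."):
                        text = text[1:]     # undo dot-stuffing
                    body_bytes += len(text) + 2   # count the CRLF
        elif who == "S":
            m = REPLY.match(text)
            if not m or m.group(2) == "-":
                continue
            code = int(m.group(1))
            last_code = code
            if state == "data-sent":
                if code == 354:
                    state = "body"          # server asked for the content
                else:
                    return result("data-command", code, 0)
            elif state == "eod-sent":
                return result("end-of-data", code, body_bytes)
    return result("envelope", last_code, 0)


def audit_tempfail_mx(transcript):
    """Findings for an MX that is supposed to tempfail before any content."""
    v = classify_verdict(transcript)
    findings = []
    if v["stage"] == "end-of-data":
        findings.append(
            "server accepted %d bytes of message content before replying %s"
            % (v["body_bytes"], v["code"]))
    elif v["stage"] == "data-command" and not v["temporary"]:
        findings.append("DATA answered with %s, not a 4xx" % v["code"])
    return findings


# Constructed transcript: 451 straight after the DATA command.
EARLY_451 = """
S: 220 mx-backup.example.net ESMTP
C: EHLO sender.example.org
S: 250-mx-backup.example.net
S: 250 PIPELINING
C: MAIL FROM:<alice@sender.example.org>
S: 250 2.1.0 Ok
C: RCPT TO:<bob@example.com>
S: 250 2.1.5 Ok
C: DATA
S: 451 4.7.1 Please try again later
C: QUIT
S: 221 2.0.0 Bye
"""

# Constructed transcript: content is taken first, 451 comes after the dot.
LATE_451 = """
S: 220 mx-backup.example.net ESMTP
C: EHLO sender.example.org
S: 250 mx-backup.example.net
C: MAIL FROM:<alice@sender.example.org>
S: 250 2.1.0 Ok
C: RCPT TO:<bob@example.com>
S: 250 2.1.5 Ok
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: Subject: quarterly figures
C:
C: See attached.
C: .
S: 451 4.7.1 Please try again later
"""

if __name__ == "__main__":
    for name, t in (("early", EARLY_451), ("late", LATE_451)):
        print(name, classify_verdict(t), audit_tempfail_mx(t))
```

Both sessions end in the same 451 from the sender's point of view; only the stage at which it arrives shows whether the message body ever left the sending host.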
From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Jun 29 15:43:47 2009 Subject: Mismatch between report and actions In-Reply-To: References: <223f97700906271617k7363df24je7a880454d804933@mail.gmail.com> <223f97700906290711g699f0732p89e0fc3ce512bf66@mail.gmail.com> Message-ID: <223f97700906290743s3d4e444di27d0ba29c4690320@mail.gmail.com> 2009/6/29 Robert Lopez : > On Mon, Jun 29, 2009 at 8:11 AM, Glenn Steen wrote: >> 2009/6/29 Robert Lopez : >>> On Sat, Jun 27, 2009 at 5:17 PM, Glenn Steen wrote: >>>> 2009/6/26 Robert Lopez : >>>>> HP ProLiant DL360 G5 >>>>> Two dual core Intel(R) Xeon(R) CPU E5450 @ 3.00GHz >>>>> 8 G RAM >>>>> Linux 2.6.28-11-server #42-Ubuntu SMP Fri Apr 17 02:45:36 UTC 2009 >>>>> x86_64 GNU/Linux >>>>> Ubuntu 9.04 (jaunty) >>>>> MailScanner version 4.74.16 >>>>> Postfix version 2.5.5 >>>>> SpamAssassin version 3.2.5 running on Perl version 5.10.0 >>>>> (I know there are newer versions. These are Ubuntu apt-get...) >>>>> >>>>> >> (snip error...) >>>>> >>>> Do the upgrades needed ... MailScanner, possibly SA and Clam as well. >>>> If this means leaving the Ubuntu/apt thing behind, then so be it. >>>> If you still observe the same behavior... Then we'll look at other things:-). >>>> >>>> Cheers >> (snip) >>> >>> Thank you Glenn, >>> >>> Changing from Ubuntu is not my decision to make. My current project is >>> comparing a system built with RHEL and files from Julian's site to this >>> one. >>> >> I didn't say "ditch Ubuntu", just the Ubuntu packaging of >> MailScanner;-). You could probably live pretty well with the source >> tarball, for example. >> >> Cheers >> -- >> -- Glenn >> email: glenn < dot > steen < at > gmail < dot > com >> work: glenn < dot > steen < at > ap1 < dot > se
>> > > Again, Thank you Glenn. > > I have to attend to the root cause of the problem I wrote about. The > issue you reply to is a policy issue upon which I have no influence. I > was very happy with the test system built with tar files. My > management is not. > Why? They will just get an added delay and no real benefit (stability or otherwise) from sticking to more or less outdated "debianized" packages. Sigh. Get a clue-by-four and start whacking;-):-) One cannot fight bleeding edge malware/spam with trailing edge, or even sometimes moderately modern (like this problem instance;), protection systems. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From gmaddock at futuremetals.com Mon Jun 29 15:42:20 2009 
From: gmaddock at futuremetals.com (Gerry Maddock) Date: Mon Jun 29 15:46:19 2009 Subject: New wiki page In-Reply-To: <4A48D12E.4070706@fsl.com> References: <4A43C66A.5070703@ecs.soton.ac.uk><4A448379.403@ecs.soton.ac.uk><4A44AD67.3000702@ecs.soton.ac.uk><4A44B106.6040808@alexb.ch><4A44B251.4020906@ecs.soton.ac.uk><4A44B5A9.90905@alexb.ch><4A44C195.40<003601c9f660$0f0bba90$2d232fb0$@dk><4A48AEDE.3060907@alexb.ch> Message-ID: > > "works for me" != advisable != 100% safe != under your control != BCP > > Technically there is no problem with the method. > > The issue is a moral one - people using this should realise that the > owner of tarbaby could very easily start collecting or rejecting mail > received for your domain either maliciously or by accident and as people > using this service have no contract with the provider therefore have no > comeback should this happen. > > Whilst the same could be said of any blacklists (they could reject all > your mail either maliciously, on purpose or by accident), but pointing > one of your MX records to a 3rd party goes a step further than this and > could allow someone to collect your mail without your knowledge. For > example: instead of sending 451 at DATA, they could easily do it after > the message has been sent (at dot) and you'd be none the wiser. It > would still function the same as it does now except a copy of the > message could be kept. > > At the end of the day - it's all about trust. > Great points Steve, thanks From steve.swaney at fsl.com Mon Jun 29 15:58:09 2009
From: steve.swaney at fsl.com (Stephen Swaney) Date: Mon Jun 29 16:02:05 2009 Subject: Mismatch between report and actions In-Reply-To: <223f97700906290711g699f0732p89e0fc3ce512bf66@mail.gmail.com> References: <223f97700906271617k7363df24je7a880454d804933@mail.gmail.com> <223f97700906290711g699f0732p89e0fc3ce512bf66@mail.gmail.com> Message-ID: <4A48D681.3070902@fsl.com> Glenn Steen wrote: > 2009/6/29 Robert Lopez : > >> On Sat, Jun 27, 2009 at 5:17 PM, Glenn Steen wrote: >> >>> 2009/6/26 Robert Lopez : >>> >>>> HP ProLiant DL360 G5 >>>> Two dual core Intel(R) Xeon(R) CPU E5450 @ 3.00GHz >>>> 8 G RAM >>>> Linux 2.6.28-11-server #42-Ubuntu SMP Fri Apr 17 02:45:36 UTC 2009 >>>> x86_64 GNU/Linux >>>> Ubuntu 9.04 (jaunty) >>>> MailScanner version 4.74.16 >>>> Postfix version 2.5.5 >>>> SpamAssassin version 3.2.5 running on Perl version 5.10.0 >>>> (I know there are newer versions. These are Ubuntu apt-get...) >>>> >>>> >>>> > (snip error...) > >>> Do the upgrades needed ... MailScanner, possibly SA and Clam as well. >>> If this means leaving the Ubuntu/apt thing behind, then so be it. >>> If you still observe the same behavior... Then we'll look at other things:-). >>> >>> Cheers >>> > (snip) > >> Thank you Glenn, >> >> Changing from Ubuntu is not my decision to make. My current project is >> comparing a system built with RHEL and files from Julian's site to this >> one. >> >> > I didn't say "ditch Ubuntu", just the Ubuntu packaging of > MailScanner;-). You could probably live pretty well with the source > tarball, for example. > > Cheers > From ms-list at alexb.ch Mon Jun 29 16:10:58 2009
From: ms-list at alexb.ch (Alex Broens) Date: Mon Jun 29 16:11:07 2009 Subject: New wiki page In-Reply-To: <4A48D12E.4070706@fsl.com> References: <4A43C66A.5070703@ecs.soton.ac.uk><4A448379.403@ecs.soton.ac.uk><4A44AD67.3000702@ecs.soton.ac.uk><4A44B106.6040808@alexb.ch><4A44B251.4020906@ecs.soton.ac.uk><4A44B5A9.90905@alexb.ch><4A44C195.40<003601c9f660$0f0bba90$2d232fb0$@dk> <4A48AEDE.3060907@alexb.ch> <4A48C720.8040803@alexb.ch> <4A48D12E.4070706@fsl.com> Message-ID: <4A48D982.8090901@alexb.ch> On 6/29/2009 4:35 PM, Steve Freegard wrote: > Alex Broens wrote: >> "works for me" != advisable != 100% safe != under your control != BCP > > Technically there is no problem with the method. > > The issue is a moral one - people using this should realise that the > owner of tarbaby could very easily start collecting or rejecting mail > received for your domain either maliciously or by accident and as people > using this service have no contract with the provider therefore have no > comeback should this happen. > > Whilst the same could be said of any blacklists (they could reject all > your mail either maliciously, on purpose or by accident), but pointing > one of your MX records to a 3rd party goes a step further than this and > could allow someone to collect your mail without your knowledge. For > example: instead of sending 451 at DATA, they could easily do it after > the message has been sent (at dot) and you'd be none the wiser. It > would still function the same as it does now except a copy of the > message could be kept. > > At the end of the day - it's all about trust. + not all senders treat a 450 as such. There is an $unknown_count of weird apps out there which don't requeue and will silently drop a msg after a temp fail. From gmaddock at futuremetals.com Mon Jun 29 16:19:21 2009
From: gmaddock at futuremetals.com (Gerry Maddock) Date: Mon Jun 29 16:23:30 2009 Subject: New wiki page In-Reply-To: <4A48D982.8090901@alexb.ch> References: <4A43C66A.5070703@ecs.soton.ac.uk><4A448379.403@ecs.soton.ac.uk><4A44AD67.3000702@ecs.soton.ac.uk><4A44B106.6040808@alexb.ch><4A44B251.4020906@ecs.soton.ac.uk><4A44B5A9.90905@alexb.ch><4A44C195.40<003601c9f660$0f0bba90$2d232fb0$@dk><4A48AEDE.3060907@alexb.ch> Message-ID: > > Alex Broens wrote: > >> "works for me" != advisable != 100% safe != under your controll != BCP > > > > Technically there is no problem with the method. > > > > The issue is a moral one - people using this should realise that the > > owner of tarbaby could very easily start collecting or rejecting mail > > received for your domain either maliciously or by accident and as people > > using this service have no contract with the provider therefore have no > > comeback should this happen. > > > > Whilst the same could be said of any blacklists (they could reject all > > your mail either maliciously, on purpose or by accident), but pointing > > one of your MX records to a 3rd party goes a step further than this and > > could allow someone to collect your mail without your knowledge. For > > example: instead of sending 451 at DATA, they could easily do it after > > the message has been sent (at dot) and you'd be none the wiser. It > > would still function the same as it does now except a copy of the > > message could be kept. > > > > At the end of the day - it's all about trust. > > + not all senders treat a 450 as such. > > There an $unknown_count of weird apps out there which don't requeue and > will silently drop a msg after a temp fail. Greylisting gives the same 450 error. Are you saying greylisting should not be used as best practice as well (instead use smtpd hard & soft error & sleep times)? Just wondering. 
From steve.freegard at fsl.com Mon Jun 29 16:33:14 2009 From: steve.freegard at fsl.com (Steve Freegard) Date: Mon Jun 29 16:33:24 2009 Subject: New wiki page In-Reply-To: <4A48D982.8090901@alexb.ch> References: <4A43C66A.5070703@ecs.soton.ac.uk><4A448379.403@ecs.soton.ac.uk><4A44AD67.3000702@ecs.soton.ac.uk><4A44B106.6040808@alexb.ch><4A44B251.4020906@ecs.soton.ac.uk><4A44B5A9.90905@alexb.ch><4A44C195.40<003601c9f660$0f0bba90$2d232fb0$@dk> <4A48AEDE.3060907@alexb.ch> <4A48C720.8040803@alexb.ch> <4A48D12E.4070706@fsl.com> <4A48D982.8090901@alexb.ch> Message-ID: <4A48DEBA.8030908@fsl.com> Alex Broens wrote: >> At the end of the day - it's all about trust. > > + not all senders treat a 450 as such. > > There is an $unknown_count of weird apps out there which don't requeue and > will silently drop a msg after a temp fail. Such hosts aren't worth bothering about as they are terminally broken and are a tiny percentage of messages that might hit someone's MX. Temporary failures are a fundamental principle of SMTP dating back to the original RFC. Such failures should not be tolerated by anyone. Regards, Steve. From ms-list at alexb.ch Mon Jun 29 16:36:09 2009
From: ms-list at alexb.ch (Alex Broens) Date: Mon Jun 29 16:36:21 2009 Subject: New wiki page In-Reply-To: References: <4A43C66A.5070703@ecs.soton.ac.uk><4A448379.403@ecs.soton.ac.uk><4A44AD67.3000702@ecs.soton.ac.uk><4A44B106.6040808@alexb.ch><4A44B251.4020906@ecs.soton.ac.uk><4A44B5A9.90905@alexb.ch><4A44C195.40<003601c9f660$0f0bba90$2d232fb0$@dk><4A48AEDE.3060907@alexb.ch> Message-ID: <4A48DF69.10204@alexb.ch> On 6/29/2009 5:19 PM, Gerry Maddock wrote: >>> Alex Broens wrote: >>>> "works for me" != advisable != 100% safe != under your controll != > BCP >>> Technically there is no problem with the method. >>> >>> The issue is a moral one - people using this should realise that the >>> owner of tarbaby could very easily start collecting or rejecting mail >>> received for your domain either maliciously or by accident and as > people >>> using this service have no contract with the provider therefore have no >>> comeback should this happen. >>> >>> Whilst the same could be said of any blacklists (they could reject all >>> your mail either maliciously, on purpose or by accident), but pointing >>> one of your MX records to a 3rd party goes a step further than this and >>> could allow someone to collect your mail without your knowledge. For >>> example: instead of sending 451 at DATA, they could easily do it after >>> the message has been sent (at dot) and you'd be none the wiser. It >>> would still function the same as it does now except a copy of the >>> message could be kept. >>> >>> At the end of the day - it's all about trust. >> + not all senders treat a 450 as such. >> >> There an $unknown_count of weird apps out there which don't requeue and >> will silently drop a msg after a temp fail. > > Greylisting gives the same 450 error. Are you saying greylisting should not > be used as best practice as well (instead use smtpd hard & soft error & > sleep times)? Just wondering. 
> I don't use greylisting - never will - wouldn't recommend it lots of people swear by it, it's obviously up to you to balance and decide. Alex From gmaddock at futuremetals.com Mon Jun 29 16:47:59 2009
From: gmaddock at futuremetals.com (Gerry Maddock) Date: Mon Jun 29 16:52:03 2009 Subject: New wiki page In-Reply-To: <4A48DF69.10204@alexb.ch> References: <4A43C66A.5070703@ecs.soton.ac.uk><4A44AD67.3000702@ecs.soton.ac.uk><4A44B106.6040808@alexb.ch><4A44B251.4020906@ecs.soton.ac.uk><4A44B5A9.90905@alexb.ch><4A44C195.40<003601c9f660$0f0bba90$2d232fb0$@dk><4A48AEDE.3060907@alexb.ch> Message-ID: > >>> Alex Broens wrote: > >>>> "works for me" != advisable != 100% safe != under your controll != > > BCP > >>> Technically there is no problem with the method. > >>> > >>> The issue is a moral one - people using this should realise that the > >>> owner of tarbaby could very easily start collecting or rejecting mail > >>> received for your domain either maliciously or by accident and as > > people > >>> using this service have no contract with the provider therefore have no > >>> comeback should this happen. > >>> > >>> Whilst the same could be said of any blacklists (they could reject all > >>> your mail either maliciously, on purpose or by accident), but pointing > >>> one of your MX records to a 3rd party goes a step further than this and > >>> could allow someone to collect your mail without your knowledge. For > >>> example: instead of sending 451 at DATA, they could easily do it after > >>> the message has been sent (at dot) and you'd be none the wiser. It > >>> would still function the same as it does now except a copy of the > >>> message could be kept. > >>> > >>> At the end of the day - it's all about trust. > >> + not all senders treat a 450 as such. > >> > >> There an $unknown_count of weird apps out there which don't requeue and > >> will silently drop a msg after a temp fail. > > > > Greylisting gives the same 450 error. Are you saying greylisting should not > > be used as best practice as well (instead use smtpd hard & soft error & > > sleep times)? Just wondering. 
> > > > I don't use greylisting - never will - wouldn't recommend it > > lots of people swear by it, it's obviously up to you to balance and decide. Understood. Are you using any smtp hard/soft/error sleep times at all? Steve, are you greylisting? From rlopezcnm at gmail.com Mon Jun 29 16:56:26 2009
From: rlopezcnm at gmail.com (Robert Lopez) Date: Mon Jun 29 16:56:38 2009 Subject: Mismatch between report and actions In-Reply-To: <223f97700906290743s3d4e444di27d0ba29c4690320@mail.gmail.com> References: <223f97700906271617k7363df24je7a880454d804933@mail.gmail.com> <223f97700906290711g699f0732p89e0fc3ce512bf66@mail.gmail.com> <223f97700906290743s3d4e444di27d0ba29c4690320@mail.gmail.com> Message-ID: On Mon, Jun 29, 2009 at 8:43 AM, Glenn Steen wrote: > 2009/6/29 Robert Lopez : >> On Mon, Jun 29, 2009 at 8:11 AM, Glenn Steen wrote: >>> 2009/6/29 Robert Lopez : >>>> On Sat, Jun 27, 2009 at 5:17 PM, Glenn Steen wrote: >>>>> 2009/6/26 Robert Lopez : >>>>>> HP Prolient DL360 G5 >>>>>> Two dual core Intel(R) Xeon(R) CPU E5450 @ 3.00GHz >>>>>> 8 G RAM >>>>>> Linux 2.6.28-11-server #42-Ubuntu SMP Fri Apr 17 02:45:36 UTC 2009 >>>>>> x86_64 GNU/Linux >>>>>> Ubuntu 9.04 (jaunty) >>>>>> MailScanner version 4.74.16 >>>>>> Postfix version 2.5.5 >>>>>> SpamAssassin version 3.2.5 running on Perl version 5.10.0 >>>>>> (I know there are newer versions. These are Ubuntu apt-get...) >>>>>> >>>>>> >>> (snip error...) >>>>>> >>>>> Do the upgrades needed ... MailScanner, possibly SA and Clam as well. >>>>> If this means leaving the Ubunto/apt thing behind, then so be it. >>>>> If you still observe the same behavior... Then we'll look at other things:-). >>>>> >>>>> Cheers >>> (snip) >>>> >>>> Thank you Glenn, >>>> >>>> Changing from Ubuntu is not my decision to make. My current project is >>>> comparing a system built with RHEL and files from Julians site to this >>>> one. >>>> >>> I didn't say "ditch Ubuntu", just the ubuntu packaging of >>> MailScanner;-). You could probably live pritty well with the source >>> tarball, for example. 
>>> >>> Cheers >>> -- >>> -- Glenn >>> email: glenn < dot > steen < at > gmail < dot > com >>> work: glenn < dot > steen < at > ap1 < dot > se >>> >> >> Again, Thank you Glenn. >> >> I have to attend to the root cause of the problem I wrote about. The >> issue you reply to is a policy issue upon which I have no influence. I >> was very happy with the test system built with tar files. My >> management is not. >> > Why? They will just get an added delay and no real benefit (stability > or otherwise) from sticking to more or less outdated "debianized" > packages. Sigh. Get a clue-by-four and start whacking;-):-) One cannot > fight bleeding edge malware/spam with trailing edge, or even sometimes > moderately modern (like this problem instance;), protection systems. > > Cheers > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > Glenn I totally agree with you. But your comments are not helpful. I have stated I have no control over institutional policies. -- Robert Lopez Unix Systems Administrator Central New Mexico Community College (CNM) 525 Buena Vista SE Albuquerque, New Mexico 87106 From rlopezcnm at gmail.com Mon Jun 29 16:58:11 2009
From: rlopezcnm at gmail.com (Robert Lopez) Date: Mon Jun 29 16:58:21 2009 Subject: Mismatch between report and actions In-Reply-To: <4A48D681.3070902@fsl.com> References: <223f97700906271617k7363df24je7a880454d804933@mail.gmail.com> <223f97700906290711g699f0732p89e0fc3ce512bf66@mail.gmail.com> <4A48D681.3070902@fsl.com> Message-ID: On Mon, Jun 29, 2009 at 8:58 AM, Stephen Swaney wrote: > Glenn Steen wrote: >> >> 2009/6/29 Robert Lopez : >> >>> >>> On Sat, Jun 27, 2009 at 5:17 PM, Glenn Steen >>> wrote: >>> >>>> >>>> 2009/6/26 Robert Lopez : >>>> >>>>> >>>>> HP ProLiant DL360 G5 >>>>> Two dual core Intel(R) Xeon(R) CPU E5450 @ 3.00GHz >>>>> 8 G RAM >>>>> Linux 2.6.28-11-server #42-Ubuntu SMP Fri Apr 17 02:45:36 UTC 2009 >>>>> x86_64 GNU/Linux >>>>> Ubuntu 9.04 (jaunty) >>>>> MailScanner version 4.74.16 >>>>> Postfix version 2.5.5 >>>>> SpamAssassin version 3.2.5 running on Perl version 5.10.0 >>>>> (I know there are newer versions. These are Ubuntu apt-get...) >>>>> >>>>> >>>>> >> >> (snip error...) >> >>>> >>>> Do the upgrades needed ... MailScanner, possibly SA and Clam as well. >>>> If this means leaving the Ubuntu/apt thing behind, then so be it. >>>> If you still observe the same behavior... Then we'll look at other >>>> things:-). >>>> >>>> Cheers >>>> >> >> (snip) >> >>> >>> Thank you Glenn, >>> >>> Changing from Ubuntu is not my decision to make. My current project is >>> comparing a system built with RHEL and files from Julian's site to this >>> one. >>> >>> >> >> I didn't say "ditch Ubuntu", just the Ubuntu packaging of >> MailScanner;-). You could probably live pretty well with the source >> tarball, for example. >> >> Cheers >> > > > What is your reason for your reply?
What aspect of "the rules" have I violated? -- Robert Lopez Unix Systems Administrator Central New Mexico Community College (CNM) 525 Buena Vista SE Albuquerque, New Mexico 87106 From maxsec at gmail.com Mon Jun 29 16:58:15 2009 
From: maxsec at gmail.com (Martin Hepworth)
Date: Mon Jun 29 16:58:24 2009
Subject: New wiki page
In-Reply-To:
References: <4A43C66A.5070703@ecs.soton.ac.uk> <4A43CD22.6060208@ecs.soton.ac.uk> <4A448379.403@ecs.soton.ac.uk> <4A44AD67.3000702@ecs.soton.ac.uk>
Message-ID: <72cf361e0906290858n5ffa47b6mf217bcea73f9ac86@mail.gmail.com>

2009/6/26 Julian Field :
> Version 1 of the page is up at www.mailscanner.info/gettingthebest.html
>
> You might find it has one or two little tricks you didn't know about.
>
> Please do also contribute things I should add to it.
>
> Let me know what you think!
>
> Jules.
>
> On 26/06/2009 09:14, Julian Field wrote:
>>
>>
>> On 25/06/2009 21:50, Gerry Maddock wrote:
>>>>
>>>> How about we start with
>>>>
>>>> MTA Blacklists: Zen, BRBL, bl.spamcop.net?
>>>> MTA checks: no invalid recipients or domains at SMTP time, greet-pause,
>>>> grey-listing? How to get list of valid recipients out of Exchange, or
>>>> configure Exchange to reject invalid recipients at SMTP time?
>>>> ClamAV: sane-security -- Which ones? Where's the table that lists the
>>>> pros and cons? What are the basic ones that everyone should use?
>>>> SA rulesets: SARE, KAM, sought, what others?
>>>> SA tools: razor, DCC, pyzor?
>>>> MailScanner Virus Scanners: clamd, other commercial fast ones?
>>>> sophossavi, f-prot, f-secure?
>>>> MailScanner: Don't use MCP.
>>>> JKF tools: Version 2 of anti-phishing and anti-spear-phishing rulesets.
>>>> DNS: Get feed of ZEN and SURBL, use one DNS server running rbldnsd for
>>>> these zones.
>>>>
>>>> What else have I forgotten?
>>>>
>>>> Please can people start sending me links to the relevant sites/pages for
>>>> everything I have mentioned above, together with a brief summary of what
>>>> is legal/illegal use of anything.
>>>
>>> Julian,
>>>
>>> Just wondering why you don't recommend MCP? I'm using it currently and
>>> wondering if I should disable it now.
>>
>> It has a huge processing overhead and as a result is very slow.
>> "SpamAssassin Rule Actions" can do pretty much anything MCP can, and it >> does it enormously faster. >> >> Jules >> > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > Follow me at twitter.com/JulesFM and twitter.com/MailScanner > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > Jules also worth updating or pointing following page at your version.. http://wiki.mailscanner.info/doku.php?id=maq:index#getting_the_best_out_of_spamassassin -- Martin Hepworth Oxford, UK From ms-list at alexb.ch Mon Jun 29 17:08:33 2009 
From: ms-list at alexb.ch (Alex Broens) Date: Mon Jun 29 17:08:42 2009 Subject: New wiki page In-Reply-To: References: <4A43C66A.5070703@ecs.soton.ac.uk><4A44AD67.3000702@ecs.soton.ac.uk><4A44B106.6040808@alexb.ch><4A44B251.4020906@ecs.soton.ac.uk><4A44B5A9.90905@alexb.ch><4A44C195.40<003601c9f660$0f0bba90$2d232fb0$@dk><4A48AEDE.3060907@alexb.ch> Message-ID: <4A48E701.7090004@alexb.ch> On 6/29/2009 5:47 PM, Gerry Maddock wrote: >>>>> Alex Broens wrote: >>>>>> "works for me" != advisable != 100% safe != under your controll != >>> BCP >>>>> Technically there is no problem with the method. >>>>> >>>>> The issue is a moral one - people using this should realise that the >>>>> owner of tarbaby could very easily start collecting or rejecting mail >>>>> received for your domain either maliciously or by accident and as >>> people >>>>> using this service have no contract with the provider therefore have > no >>>>> comeback should this happen. >>>>> >>>>> Whilst the same could be said of any blacklists (they could reject > all >>>>> your mail either maliciously, on purpose or by accident), but > pointing >>>>> one of your MX records to a 3rd party goes a step further than this > and >>>>> could allow someone to collect your mail without your knowledge. For >>>>> example: instead of sending 451 at DATA, they could easily do it > after >>>>> the message has been sent (at dot) and you'd be none the wiser. It >>>>> would still function the same as it does now except a copy of the >>>>> message could be kept. >>>>> >>>>> At the end of the day - it's all about trust. >>>> + not all senders treat a 450 as such. >>>> >>>> There an $unknown_count of weird apps out there which don't requeue > and >>>> will silently drop a msg after a temp fail. >>> Greylisting gives the same 450 error. Are you saying greylisting should > not >>> be used as best practice as well (instead use smtpd hard & soft error & >>> sleep times)? Just wondering. 
>>> >> I don't use greylisting - never will - wouldn't recommend it >> >> lots of people swear by it, its obviously up to you to balance and > decide. > > Understood. Are you using any smtp hard/soft/error sleep times at all? no sleep times - sleep keeps sessions open - I need my sessions to process mail, not to give away to spammers. Years ago I liked greet pause, etc.. bot behaviour has changed, stuff changes and I try to be conservative when implementing "new" stuff Alex From steve.freegard at fsl.com Mon Jun 29 17:19:27 2009 
From: steve.freegard at fsl.com (Steve Freegard) Date: Mon Jun 29 17:19:38 2009 Subject: New wiki page In-Reply-To: References: <4A43C66A.5070703@ecs.soton.ac.uk><4A44AD67.3000702@ecs.soton.ac.uk><4A44B106.6040808@alexb.ch><4A44B251.4020906@ecs.soton.ac.uk><4A44B5A9.90905@alexb.ch><4A44C195.40<003601c9f660$0f0bba90$2d232fb0$@dk><4A48AEDE.3060907@alexb.ch> Message-ID: <4A48E98F.7010705@fsl.com> Gerry Maddock wrote: >>>>> At the end of the day - it's all about trust. >>>> + not all senders treat a 450 as such. >>>> >>>> There an $unknown_count of weird apps out there which don't requeue > and >>>> will silently drop a msg after a temp fail. >>> Greylisting gives the same 450 error. Are you saying greylisting should > not >>> be used as best practice as well (instead use smtpd hard & soft error & >>> sleep times)? Just wondering. >>> >> I don't use greylisting - never will - wouldn't recommend it >> >> lots of people swear by it, its obviously up to you to balance and > decide. > > Understood. Are you using any smtp hard/soft/error sleep times at all? > > Steve, are you greylisting? > Yes; I use greylisting (FSL's own implementation; which is a bit different from other implementations). I also don't use greet-pause (as our implementation doesn't require a delay to detect pipelining) but I do implement an exponential delay for 5xx errors; e.g. 1 2 4 8 16 seconds and I drop connections with 5 errors or more. I don't use tarbaby (for the reasons I already gave). Cheers, Steve. From alex at rtpty.com Mon Jun 29 17:25:12 2009 
From: alex at rtpty.com (Alex Neuman van der Hans) Date: Mon Jun 29 17:25:25 2009 Subject: New wiki page In-Reply-To: <4A48E701.7090004@alexb.ch> References: <4A43C66A.5070703@ecs.soton.ac.uk><4A44AD67.3000702@ecs.soton.ac.uk><4A44B106.6040808@alexb.ch><4A44B251.4020906@ecs.soton.ac.uk><4A44B5A9.90905@alexb.ch><4A44C195.40<003601c9f660$0f0bba90$2d232fb0$@dk><4A48AEDE.3060907@alexb.ch> <4A48E701.7090004@alexb.ch> Message-ID: <8F0761D4-7D9A-477F-B513-D1C8D726BB8C@rtpty.com> Have you tried listing an MX that returns a TCP REJECT when queried on port 25? Or one that *always* returns a 451 Temp Error message, but hosted by yourself? That's something I've implemented elsewhere and works well, and you don't have the trust issue with since it's hosted by you. From alex at rtpty.com Mon Jun 29 17:30:51 2009 From: alex at rtpty.com (Alex Neuman van der Hans) Date: Mon Jun 29 17:31:05 2009 Subject: New wiki page In-Reply-To: <4A48E98F.7010705@fsl.com> References: <4A43C66A.5070703@ecs.soton.ac.uk><4A44AD67.3000702@ecs.soton.ac.uk><4A44B106.6040808@alexb.ch><4A44B251.4020906@ecs.soton.ac.uk><4A44B5A9.90905@alexb.ch><4A44C195.40<003601c9f660$0f0bba90$2d232fb0$@dk><4A48AEDE.3060907@alexb.ch> <4A48E98F.7010705@fsl.com> Message-ID: How is it different? On Jun 29, 2009, at 11:19 AM, Steve Freegard wrote: > Yes; I use greylisting (FSL's own implementation; which is a bit > different from other implementations). -- Alex Neuman van der Hans Reliant Technologies +507 6781-9505 +507 202-1525 alex@rtpty.com Skype: alexneuman From J.Ede at birchenallhowden.co.uk Mon Jun 29 16:38:56 2009 
From: J.Ede at birchenallhowden.co.uk (Jason Ede) Date: Mon Jun 29 17:58:03 2009 Subject: New wiki page In-Reply-To: References: <4A43C66A.5070703@ecs.soton.ac.uk><4A448379.403@ecs.soton.ac.uk><4A44AD67.3000702@ecs.soton.ac.uk><4A44B106.6040808@alexb.ch><4A44B251.4020906@ecs.soton.ac.uk><4A44B5A9.90905@alexb.ch><4A44C195.40<003601c9f660$0f0bba90$2d232fb0$@dk><4A48AEDE.3060907@alexb.ch> Message-ID: <1213490F1F316842A544A850422BFA960F60564465@BHLSBS.bhl.local> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Gerry Maddock > Sent: 29 June 2009 16:19 > To: MailScanner discussion > Cc: MailScanner discussion; mailscanner-bounces@lists.mailscanner.info > Subject: Re: New wiki page > > > > Alex Broens wrote: > > >> "works for me" != advisable != 100% safe != under your controll > != > BCP > > > > > > Technically there is no problem with the method. > > > > > > The issue is a moral one - people using this should realise that > the > > > owner of tarbaby could very easily start collecting or rejecting > mail > > > received for your domain either maliciously or by accident and as > people > > > using this service have no contract with the provider therefore > have no > > > comeback should this happen. > > > > > > Whilst the same could be said of any blacklists (they could reject > all > > > your mail either maliciously, on purpose or by accident), but > pointing > > > one of your MX records to a 3rd party goes a step further than this > and > > > could allow someone to collect your mail without your knowledge. > For > > > example: instead of sending 451 at DATA, they could easily do it > after > > > the message has been sent (at dot) and you'd be none the wiser. It > > > would still function the same as it does now except a copy of the > > > message could be kept. > > > > > > At the end of the day - it's all about trust. > > > > + not all senders treat a 450 as such. > > > > There an $unknown_count of weird apps out there which don't requeue > and > > will silently drop a msg after a temp fail. > > Greylisting gives the same 450 error. Are you saying greylisting should > not > be used as best practice as well (instead use smtpd hard & soft error & > sleep times)? Just wondering. With greylisting most of the methods have whitelists so you can add 'broken' servers to that list to stop rejection happening. 
So far in over 2 years I've only had to manually add one site to the list. I've seen some comments that using a 451 which I think is server configuration error? often works better than a straight 450, but I've not tried that. Jason From steve.freegard at fsl.com Mon Jun 29 18:03:08 2009 
From: steve.freegard at fsl.com (Steve Freegard) Date: Mon Jun 29 18:03:19 2009 Subject: New wiki page In-Reply-To: References: <4A43C66A.5070703@ecs.soton.ac.uk><4A44AD67.3000702@ecs.soton.ac.uk><4A44B106.6040808@alexb.ch><4A44B251.4020906@ecs.soton.ac.uk><4A44B5A9.90905@alexb.ch><4A44C195.40<003601c9f660$0f0bba90$2d232fb0$@dk><4A48AEDE.3060907@alexb.ch> <4A48E98F.7010705@fsl.com> Message-ID: <4A48F3CC.2020006@fsl.com> Alex Neuman van der Hans wrote: > How is it different? > > On Jun 29, 2009, at 11:19 AM, Steve Freegard wrote: > >> Yes; I use greylisting (FSL's own implementation; which is a bit >> different from other implementations). > Rather too many differences to list here. Basically it greylists by host (as it is the host that does the queueing after all) but uses a heuristic based on the IP/PTR record so that it copes easily with shared-spools (e.g hotmail) without being overly permissive (other implementations use IP address /24 which is less than ideal); but still maintains key strength by using a tuple *and* MD5 hashing the initial content. Once the host has proved that it queues (by sending the same identical message initially seen); it is bypassed from further greylisting for 7 days (by default) from the time the host was last seen (so hosts that frequently communicate do not get greylisted again). And it uses UDP multicast and/or unicast to maintain greylist records across multiple hosts without the need for SQL replication. Most all other implementations greylist using tuples or IP only. Meaning that each time the tuple or IP changes then the host is greylisted again or use DNSBLs to determine which hosts to greylist (which is a really poor idea IMO). Cheers, Steve From mailscanner at barendse.to Mon Jun 29 20:32:00 2009 
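Added example (not part of Steve Freegard's post and not FSL's code): a minimal sketch of the host-based greylisting described in the message above, where a pool of sending hosts shares one key, the first attempt is remembered as a tuple plus an MD5 of the initial content, and a host that retries the identical message is bypassed for 7 days from when it was last seen. The host-key heuristic, the 60-second minimum retry, the 24-hour pending window and the 2048-byte content prefix are assumptions; only the 7-day bypass comes from the post.

```python
import hashlib
import re

BYPASS_SECONDS = 7 * 24 * 3600   # from the post: bypass for 7 days since last seen
MIN_RETRY_SECONDS = 60           # assumption: earliest retry that counts as queueing
PENDING_SECONDS = 24 * 3600      # assumption: how long a first attempt is remembered
CONTENT_PREFIX = 2048            # assumption: "initial content" = first 2048 bytes of DATA


def host_key(ip, ptr):
    """Group a sending pool under one key (assumed heuristic, not FSL's).

    ptr must already be forward-confirmed by the caller; an unverified PTR is
    attacker-controlled and must be passed as None.
    """
    if not ptr:
        return ip                                # no reverse DNS: exact IP only
    name = ptr.rstrip(".").lower()
    octets = ip.split(".")
    if len(octets) == 4 and set(octets) <= set(re.findall(r"\d+", name)):
        return ip                                # generic rDNS that embeds the address
    labels = name.split(".")
    return ".".join(labels[1:]) if len(labels) >= 3 else name


class Greylist:
    def __init__(self):
        self.pending = {}   # (host, sender, rcpt, md5) -> time first seen
        self.proven = {}    # host key -> time last seen

    def check(self, ip, ptr, sender, rcpt, data, now):
        """Return "accept" or "tempfail" for one delivery attempt."""
        host = host_key(ip, ptr)
        last = self.proven.get(host)
        if last is not None and now - last <= BYPASS_SECONDS:
            self.proven[host] = now              # window slides with each contact
            return "accept"
        self.proven.pop(host, None)              # bypass expired (or never existed)

        digest = hashlib.md5(data[:CONTENT_PREFIX]).hexdigest()
        key = (host, sender.lower(), rcpt.lower(), digest)
        first = self.pending.get(key)
        if first is None or now - first > PENDING_SECONDS:
            self.pending[key] = now              # first sighting: ask for a retry
            return "tempfail"
        if now - first < MIN_RETRY_SECONDS:
            return "tempfail"                    # retried too fast to prove queueing
        del self.pending[key]
        self.proven[host] = now                  # identical message came back
        return "accept"


def demo():
    """Constructed traffic: documentation addresses and made-up host names."""
    g, t, msg = Greylist(), 1_000_000, b"Subject: hi\r\n\r\nhello\r\n"
    a, b = "a@example.org", "b@example.net"
    return [
        g.check("198.51.100.7", "out1.mail.example.com", a, b, msg, t),
        g.check("198.51.100.8", "out2.mail.example.com", a, b, msg, t + 300),
        g.check("198.51.100.9", "out3.mail.example.com", a, b, b"new", t + 400),
        g.check("203.0.113.5", "host-203-0-113-5.dyn.example.net", a, b, msg, t),
        g.check("203.0.113.6", "host-203-0-113-6.dyn.example.net", a, b, msg, t + 300),
    ]


if __name__ == "__main__":
    print(demo())
```

The second attempt is accepted although it comes from a different pool member, while the neighbouring dynamic address in the last line is not treated as the same host, which is the difference from /24-based grouping that the post points out.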
From: mailscanner at barendse.to (Remco Barendse) Date: Mon Jun 29 20:32:19 2009 Subject: New wiki page In-Reply-To: References: <4A43C66A.5070703@ecs.soton.ac.uk><4A43CD22.6060208@ecs.soton.ac.uk> <4A448379.403@ecs.soton.ac.uk> Message-ID: On Fri, 26 Jun 2009, Julian Field wrote: > >> Julian, >> >> Just wondering why you don't recommend MCP? I'm using it currently and >> wondering if I should disable it now. >> > It has a huge processing overhead and as a result is very slow. > "SpamAssassin Rule Actions" can do pretty much anything MCP can, and it does > it enormously faster. But what if you use MCP on outgoing mail only, meaning mail that is not run through spamassassin From gmaddock at futuremetals.com Mon Jun 29 20:29:02 2009 
From: gmaddock at futuremetals.com (Gerry Maddock) Date: Mon Jun 29 20:33:02 2009 Subject: tarbaby & greylisting (Was RE: New wiki page) Message-ID: Steve Freegard came up with some really good points about tarbaby, so I posted them to tarbaby's & hostkarma.emailfilter.com's developer Marc Perkel. Below is his reply if your interested. ---------------------------------------------------------------------------------------------------------------------------------- Marc Perkel wrote on 06/29/2009 11:28:16 AM: > Re: tarbaby & greylisting > Gerry Maddock wrote: > > If I am already greylisting on my mailservers, does tarbaby still help? I > > started a discussion on MailScanners mailing list on tarbaby and some > > people think if I'm already greylisting, tarbaby is pointless. They say in > > turn, that if I'm already greylisting, I may slow down some emails more by > > using tarbaby. I haven't encountered that as both of my incoming > > mailservers are @ an MX priority of 10 & tarbaby is 30. I'd like to hear > > your thoughts on this. Another valid point some on the MailScanner mailing > > list bring up is: > > > > It does help some in that spambot don't retry so any spam bot hitting us doesn't hit you. And the spam bot gets blacklisted. So if you use my black list too then you get an added benefit because it has spambots targeting you. > > "Technically there is no problem with the method. > > > > The issue is a moral one - people using this should realise that the > > owner of tarbaby could very easily start collecting or rejecting mail > > received for your domain either maliciously or by accident and as people > > using this service have no contract with the provider therefore have no > > comeback should this happen. > > Technically this is true. However if I did this I wouldn't be in business long. It's a trust issue. Just like using any list is. People who use tarbaby trust me not to do the wrong thing. 
> > Whilst the same could be said of any blacklists (they could reject all > > your mail either maliciously, on purpose or by accident), but pointing > > one of your MX records to a 3rd party goes a step further than this and > > could allow someone to collect your mail without your knowledge. For > > example: instead of sending 451 at DATA, they could easily do it after > > the message has been sent (at dot) and you'd be none the wiser. It > > would still function the same as it does now except a copy of the > > message could be kept. > > At the end of the day - it's all about trust." > > > > What are thoughts on this? > > > > > > Ultimately it is about trust. However harvesting good email at the highest MX isn't going to get much ham. And I don't see why I would be interested in reading other's email. I barely can keep up with my own. Feel free to pass my comments on to the list. Bottom line is that I'm known as an anti-spam fighter in the spam filtering community. I also used to be the sys admin for the Electronic Frontier Foundation and I'm a strong privacy advocate. -- Marc Perkel - Sales/Support support@junkemailfilter.com http://www.junkemailfilter.com Junk Email Filter dot com 415-992-3400 CONFIDENTIALITY: This e-mail message is for the sole use of the intended recipient(s) and may contain confidential and / or privileged information. Any unauthorized review, use, disclosure or distribution of any kind is strictly prohibited. If you are not the intended recipient, please contact the sender via reply e-mail and destroy all copies of the original message. Thank you. From seven at seven.dorksville.net Tue Jun 30 02:15:47 2009 
From: seven at seven.dorksville.net (Anthony Giggins)
Date: Tue Jun 30 02:16:12 2009
Subject: Anti-Phishing Update -- New data feed
In-Reply-To: <4A3F7911.6050208@USherbrooke.ca>
References: <4A36B07C.3010205@fsl.com> <4A374CDA.50709@ecs.soton.ac.uk> <4A3766BD.9010801@ecs.soton.ac.uk> <20090617150642.GA2628@msapiro> <4A391348.3050309@fsl.com> <4A39F763.5050007@ecs.soton.ac.uk> <20090618201724.GA2772@msapiro> <4A3AA983.6000509@fsl.com> <4A3B4709.8010007@ecs.soton.ac.uk> <4A3B957C.40902@USherbrooke.ca> <4A3CEB10.70504@ecs.soton.ac.uk> <4A3F7911.6050208@USherbrooke.ca>
Message-ID: <32390.125.168.254.15.1246324547.squirrel@seven.dorksville.net>

> Thanks!
>
> Denis
> Julian Field wrote:
>> Check out the new version 2.04. It supports --quiet and --help.

Silly question, how can I tell if this is helping phishing detection or not?

Cheers,

Anthony

From glenn.steen at gmail.com Tue Jun 30 09:49:25 2009
From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Jun 30 09:49:36 2009 Subject: Mismatch between report and actions In-Reply-To: References: <223f97700906271617k7363df24je7a880454d804933@mail.gmail.com> <223f97700906290711g699f0732p89e0fc3ce512bf66@mail.gmail.com> <223f97700906290743s3d4e444di27d0ba29c4690320@mail.gmail.com> Message-ID: <223f97700906300149we52e8bet686c13f5b22ac56c@mail.gmail.com> 2009/6/29 Robert Lopez : > On Mon, Jun 29, 2009 at 8:43 AM, Glenn Steen wrote: >> 2009/6/29 Robert Lopez : >>> On Mon, Jun 29, 2009 at 8:11 AM, Glenn Steen wrote: >>>> 2009/6/29 Robert Lopez : >>>>> On Sat, Jun 27, 2009 at 5:17 PM, Glenn Steen wrote: >>>>>> 2009/6/26 Robert Lopez : >>>>>>> HP Prolient DL360 G5 >>>>>>> Two dual core Intel(R) Xeon(R) CPU E5450 @ 3.00GHz >>>>>>> 8 G RAM >>>>>>> Linux 2.6.28-11-server #42-Ubuntu SMP Fri Apr 17 02:45:36 UTC 2009 >>>>>>> x86_64 GNU/Linux >>>>>>> Ubuntu 9.04 (jaunty) >>>>>>> MailScanner version 4.74.16 >>>>>>> Postfix version 2.5.5 >>>>>>> SpamAssassin version 3.2.5 running on Perl version 5.10.0 >>>>>>> (I know there are newer versions. These are Ubuntu apt-get...) >>>>>>> >>>>>>> >>>> (snip error...) >>>>>>> >>>>>> Do the upgrades needed ... MailScanner, possibly SA and Clam as well. >>>>>> If this means leaving the Ubunto/apt thing behind, then so be it. >>>>>> If you still observe the same behavior... Then we'll look at other things:-). >>>>>> >>>>>> Cheers >>>> (snip) >>>>> >>>>> Thank you Glenn, >>>>> >>>>> Changing from Ubuntu is not my decision to make. My current project is >>>>> comparing a system built with RHEL and files from Julians site to this >>>>> one. >>>>> >>>> I didn't say "ditch Ubuntu", just the ubuntu packaging of >>>> MailScanner;-). You could probably live pritty well with the source >>>> tarball, for example. 
>>>> >>>> Cheers >>>> -- >>>> -- Glenn >>>> email: glenn < dot > steen < at > gmail < dot > com >>>> work: glenn < dot > steen < at > ap1 < dot > se >>>> -- >>>> MailScanner mailing list >>>> mailscanner@lists.mailscanner.info >>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>>> >>>> Before posting, read http://wiki.mailscanner.info/posting >>>> >>>> Support MailScanner development - buy the book off the website! >>>> >>> >>> Again, Thank you Glenn. >>> >>> I have to attend to the root cause of the problem I wrote about. The >>> issue you reply to is a policy issue upon which I have no influence. I >>> was very happy with the test system built with tar files. My >>> management is not. >>> >> Why? They will just get an added delay and no real benefit (stability >> or otherwise) from sticking to more or less outdated "debianized" >> packages. Sigh. Get a clue-by-four and start whacking;-):-) One cannot >> fight bleeding edge malware/spam with trailing edge, or even sometimes >> moderately modern (like this problem instance;), protection systems. >> >> Cheers >> -- >> -- Glenn >> email: glenn < dot > steen < at > gmail < dot > com >> work: glenn < dot > steen < at > ap1 < dot > se >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> > > Glenn I totally agree with you. But your comments are not helpful. I > have stated I have no control over institutional policies. > That being the case, I'm not entirely sure we will be able to help you. My prompting you to upgrade isn't just the semi-unhelpful comment it may seem. There were some changes to the Postfix handling (mostly when used with milters, true) recently, as well as some other important fixes (IIRC there were some problems with the MIME tools perl module... 
I might remeber wrong, but I don't think I do:-). Also, since you use the Ubuntu packaging, you are likely to be using the perl modules from the same source... I'm not sure, but I rather suspect that that may be as bad as mixing the "MailScanner perl modules" from certain other distros into the brew... Going to a "source" install (as you've obviously tried) would take some of the uncertanties out of the picture, as well as enabling you to use the latest/greatest of MailScanner (at your own discretion, of course)... So that you decide when you need upgrade, not some packager. Usually, the latter is norm for most distros, and frankly the sane thing to do. But not with system like MailScanner, IMO. Anyway, that is neither here nor there. If you can't change what beta you are using, that is the way it is. Back to the original message then... Hmm. This wouldn't be stored as spam, it would likely be stored in a directory named like the queue file ID + the random bit... so did you find for a file specifically? it should all be there in the /var/spool/MailScanner/quarantine/20090626/E0CE312F.5E6C5 directory. I suppose that if the mime explosion didn't go well, for some reason, you might see some strange results... Hmm. What are your settings in MailScanner.conf for Deliver Disinfected Files Silent Viruses Still Deliver Silent Viruses Non-Forging Viruses ClamAV Full Message Scan That the message got requeued and delivered suggest some rather not that wise settings here, perhaps:-) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From Denis.Beauchemin at USherbrooke.ca Tue Jun 30 14:43:25 2009 
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Tue Jun 30 14:43:39 2009
Subject: New wiki page
In-Reply-To:
References: <4A43C66A.5070703@ecs.soton.ac.uk><4A43CD22.6060208@ecs.soton.ac.uk> <4A448379.403@ecs.soton.ac.uk> <4A44AD67.3000702@ecs.soton.ac.uk>
Message-ID: <4A4A167D.1060507@USherbrooke.ca>

Julian Field wrote:
> Version 1 of the page is up at www.mailscanner.info/gettingthebest.html
>
> You might find it has one or two little tricks you didn't know about.
>
> Please do also contribute things I should add to it.
>
> Let me know what you think!
>
> Jules.
>

Jules,

I would also recommend milter-limit.

Denis

--
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From rlopezcnm at gmail.com Tue Jun 30 15:17:37 2009
From: rlopezcnm at gmail.com (Robert Lopez) Date: Tue Jun 30 15:17:47 2009 Subject: Mismatch between report and actions In-Reply-To: <223f97700906300149we52e8bet686c13f5b22ac56c@mail.gmail.com> References: <223f97700906271617k7363df24je7a880454d804933@mail.gmail.com> <223f97700906290711g699f0732p89e0fc3ce512bf66@mail.gmail.com> <223f97700906290743s3d4e444di27d0ba29c4690320@mail.gmail.com> <223f97700906300149we52e8bet686c13f5b22ac56c@mail.gmail.com> Message-ID: On Tue, Jun 30, 2009 at 2:49 AM, Glenn Steen wrote: > 2009/6/29 Robert Lopez : >> On Mon, Jun 29, 2009 at 8:43 AM, Glenn Steen wrote: >>> 2009/6/29 Robert Lopez : >>>> On Mon, Jun 29, 2009 at 8:11 AM, Glenn Steen wrote: >>>>> 2009/6/29 Robert Lopez : >>>>>> On Sat, Jun 27, 2009 at 5:17 PM, Glenn Steen wrote: >>>>>>> 2009/6/26 Robert Lopez : >>>>>>>> HP Prolient DL360 G5 >>>>>>>> Two dual core Intel(R) Xeon(R) CPU E5450 @ 3.00GHz >>>>>>>> 8 G RAM >>>>>>>> Linux 2.6.28-11-server #42-Ubuntu SMP Fri Apr 17 02:45:36 UTC 2009 >>>>>>>> x86_64 GNU/Linux >>>>>>>> Ubuntu 9.04 (jaunty) >>>>>>>> MailScanner version 4.74.16 >>>>>>>> Postfix version 2.5.5 >>>>>>>> SpamAssassin version 3.2.5 running on Perl version 5.10.0 >>>>>>>> (I know there are newer versions. These are Ubuntu apt-get...) >>>>>>>> >>>>>>>> >>>>> (snip error...) >>>>>>>> >>>>>>> Do the upgrades needed ... MailScanner, possibly SA and Clam as well. >>>>>>> If this means leaving the Ubunto/apt thing behind, then so be it. >>>>>>> If you still observe the same behavior... Then we'll look at other things:-). >>>>>>> >>>>>>> Cheers >>>>> (snip) >>>>>> >>>>>> Thank you Glenn, >>>>>> >>>>>> Changing from Ubuntu is not my decision to make. My current project is >>>>>> comparing a system built with RHEL and files from Julians site to this >>>>>> one. >>>>>> >>>>> I didn't say "ditch Ubuntu", just the ubuntu packaging of >>>>> MailScanner;-). You could probably live pritty well with the source >>>>> tarball, for example. 
>>>>> >>>>> Cheers >>>>> -- >>>>> -- Glenn >>>>> email: glenn < dot > steen < at > gmail < dot > com >>>>> work: glenn < dot > steen < at > ap1 < dot > se >>>>> -- >>>>> MailScanner mailing list >>>>> mailscanner@lists.mailscanner.info >>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>>>> >>>>> Before posting, read http://wiki.mailscanner.info/posting >>>>> >>>>> Support MailScanner development - buy the book off the website! >>>>> >>>> >>>> Again, Thank you Glenn. >>>> >>>> I have to attend to the root cause of the problem I wrote about. The >>>> issue you reply to is a policy issue upon which I have no influence. I >>>> was very happy with the test system built with tar files. My >>>> management is not. >>>> >>> Why? They will just get an added delay and no real benefit (stability >>> or otherwise) from sticking to more or less outdated "debianized" >>> packages. Sigh. Get a clue-by-four and start whacking;-):-) One cannot >>> fight bleeding edge malware/spam with trailing edge, or even sometimes >>> moderately modern (like this problem instance;), protection systems. >>> >>> Cheers >>> -- >>> -- Glenn >>> email: glenn < dot > steen < at > gmail < dot > com >>> work: glenn < dot > steen < at > ap1 < dot > se >>> -- >>> MailScanner mailing list >>> mailscanner@lists.mailscanner.info >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>> >>> Before posting, read http://wiki.mailscanner.info/posting >>> >>> Support MailScanner development - buy the book off the website! >>> >> >> Glenn I totally agree with you. But your comments are not helpful. I >> have stated I have no control over institutional policies. >> > That being the case, I'm not entirely sure we will be able to help > you. My prompting you to upgrade isn't just the semi-unhelpful comment > it may seem. 
There were some changes to the Postfix handling (mostly > when used with milters, true) recently, as well as some other > important fixes (IIRC there were some problems with the MIME tools > perl module... I might remeber wrong, but I don't think I do:-). Also, > since you use the Ubuntu packaging, you are likely to be using the > perl modules from the same source... I'm not sure, but I rather > suspect that that may be as bad as mixing the "MailScanner perl > modules" from certain other distros into the brew... > Going to a "source" install (as you've obviously tried) would take > some of the uncertanties out of the picture, as well as enabling you > to use the latest/greatest of MailScanner (at your own discretion, of > course)... So that you decide when you need upgrade, not some > packager. Usually, the latter is norm for most distros, and frankly > the sane thing to do. But not with system like MailScanner, IMO. > > Anyway, that is neither here nor there. If you can't change what beta > you are using, that is the way it is. > Back to the original message then... Hmm. > > This wouldn't be stored as spam, it would likely be stored in a > directory named like the queue file ID + the random bit... so did you > find for a file specifically? it should all be there in the > /var/spool/MailScanner/quarantine/20090626/E0CE312F.5E6C5 directory. > > I suppose that if the mime explosion didn't go well, for some reason, > you might see some strange results... Hmm. 
>
> What are your settings in MailScanner.conf for
> Deliver Disinfected Files
> Silent Viruses
> Still Deliver Silent Viruses
> Non-Forging Viruses
> ClamAV Full Message Scan
> That the message got requeued and delivered suggest some rather not
> that wise settings here, perhaps:-)
>
> Cheers
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

Thank you Glenn. Please understand I was very happy with the RHEL system built from source but it does not meet some policies over which I have no control.

From my original posting:

> Situation: Testing Eicar, external site to internal via gateway.
> Problem: Mismatch between reported information and actions.
>
> Email content says:
> "Warning: Please read the 'CNM-Attachment-Warning.txt' attachment(s)
> for more information."
>
> Action was:
> Appended the text into the body of email instead of an attachment.

This is a case of not confusing Outlook users who expect an "attachment" to be separate from the body of the email. It is now solved. I have written a post-install script to change from "Warning: Please read the 'CNM-Attachment-Warning.txt' attachment(s) for more information." to say "...read the appended information..." in /usr/share/MailScanner/reports/en/inline.warning.txt

> Email content says:
> "Note to Help Desk: Look on the CNM () MailScanner in
> /var/spool/MailScanner/quarantine/20090626 (message E0CE312F.5E6C5)."

The eicar data was NOT delivered. It was discarded as desired. The problem is the statement the content was quarantined and the help desk can find it. I would be happy to have all the statements about the help desk finding it removed.
But as there are many files to modify I am not certain I would be doing the right thing. > > Action was: > "/var/spool/MailScanner/quarantine/20090626" has one dir which is "spam". > "/var/spool/MailScanner/quarantine/20090626/spam" has one file which > is "3A59B34D.274DC" and it contains a discarded gtube test. > Find says there is no E0CE312F.5E6C5 file on disks. As there is just not much on this system, I did a find / ... for the file and it was not found. In the case of virus, discarding the file, as has been done, is perfectly acceptable. In the case of spam, it would be good to be able to recover any false positives. So the actions being taken are as desired. It is just the report texts which are not precisely matching the actions. I am preparing to modify all the stored.xxxxx.message.test files if that action does not cover up any other problem I should be addressing. > What are your settings in MailScanner.conf for > Deliver Disinfected Files Deliver Cleaned Messages = yes Deliver Disinfected Files = no > Silent Viruses Silent Viruses = HTML-IFrame All-Viruses > Still Deliver Silent Viruses Still Deliver Silent Viruses = no > Non-Forging Viruses Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/ eicar > ClamAV Full Message Scan ClamAV Full Message Scan = yes -- Robert Lopez Unix Systems Administrator Central New Mexico Community College (CNM) 525 Buena Vista SE Albuquerque, New Mexico 87106 From MailScanner at ecs.soton.ac.uk Tue Jun 30 16:11:40 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Jun 30 16:12:04 2009
Subject: Anti-Phishing Update -- New data feed
In-Reply-To: <32390.125.168.254.15.1246324547.squirrel@seven.dorksville.net>
References: <4A3766BD.9010801@ecs.soton.ac.uk> <20090617150642.GA2628@msapiro> <4A391348.3050309@fsl.com> <4A39F763.5050007@ecs.soton.ac.uk> <20090618201724.GA2772@msapiro> <4A3AA983.6000509@fsl.com> <4A3B4709.8010007@ecs.soton.ac.uk> <4A3B957C.40902@USherbrooke.ca> <4A3CEB10.70504@ecs.soton.ac.uk> <4A3F7911.6050208@USherbrooke.ca> <32390.125.168.254.15.1246324547.squirrel@seven.dorksville.net> <4A4A2B2C.3070104@ecs.soton.ac.uk>
Message-ID:

At the bottom of the ruleset is the huge "meta" rule that combines them
all. Look for that rule scoring a hit in your mail logs, if you have
"Log Spam = yes" in MailScanner.conf.

And you will obviously need a "SpamAssassin Rule Actions" set to trigger
deletion/quarantining if this rule hits, or nothing will happen when the
rule hits.

Jules.

On 30/06/2009 02:15, Anthony Giggins wrote:
>> Thanks!
>>
>> Denis
>> Julian Field wrote:
>>
>>> Check out the new version 2.04. It supports --quiet and --help.
>>>
> Silly question, how can I tell if this is helping phishing detection or not?
>
> Cheers,
>
> Anthony
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info

From raubvogel at gmail.com Tue Jun 30 16:13:15 2009
From: raubvogel at gmail.com (Mauricio Tavares)
Date: Tue Jun 30 16:13:24 2009
Subject: Starting postfix from mailscanner
Message-ID: <2c6cf52a0906300813w6ef1cbd9q9cec2a2f31d71f71@mail.gmail.com>

I know that when you install mailscanner with postfix, you are
supposed to disable postfix starting on its own because mailscanner
will turn it on. How does it do it and when?

From raubvogel at gmail.com Tue Jun 30 16:24:11 2009
From: raubvogel at gmail.com (Mauricio Tavares)
Date: Tue Jun 30 16:24:21 2009
Subject: email is too big for spam checks
Message-ID: <2c6cf52a0906300824w15352337gb947cb21af559ff3@mail.gmail.com>

I have setup mailscanner such that it only does spam checking,
not virus checking. Recently I saw on the logs a message saying it is
too big for spam checks. I have my Max Spam Check Size currently set
to 150000. Since there are spam messages with attached images and so
on, what would be a good size for that? I am asked to make it
unlimited somehow, but I do not know if I should. After all, as it is
said in the MailScanner.conf file, a large email is probably not spam.

Also, is the 150000 measure in what units? Bytes?

From ecasarero at gmail.com Tue Jun 30 16:29:49 2009
From: ecasarero at gmail.com (Eduardo Casarero)
Date: Tue Jun 30 16:30:19 2009
Subject: email is too big for spam checks
In-Reply-To: <2c6cf52a0906300824w15352337gb947cb21af559ff3@mail.gmail.com>
References: <2c6cf52a0906300824w15352337gb947cb21af559ff3@mail.gmail.com>
Message-ID: <7d9b3cf20906300829s4024c733va83273cc686b788f@mail.gmail.com>

2009/6/30 Mauricio Tavares

> I have setup mailscanner such that it only does spam checking,
> not virus checking. Recently I saw on the logs a message saying it is
> too big for spam checks. I have my Max Spam Check Size currently set
> to 150000. Since there are spam messages with attached images and so
> on, what would be a good size for that? I am asked to make it
> unlimited somehow, but I do not know if I should. After all, as it is
> said in the MailScanner.conf file, a large email is probably not spam.
>
> Also, is the 150000 measure in what units? Bytes?

Yes, it is in bytes. The size depends on your traffic; I've 500000 in
some servers and in others 800000, however I've seen spam emails with a
size of 1 Mb. Remember bigger email checks will increase your
CPU/MEM/IO use.

From glenn.steen at gmail.com Tue Jun 30 16:37:40 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Jun 30 16:37:50 2009
Subject: Mismatch between report and actions
In-Reply-To:
References: <223f97700906271617k7363df24je7a880454d804933@mail.gmail.com> <223f97700906290711g699f0732p89e0fc3ce512bf66@mail.gmail.com> <223f97700906290743s3d4e444di27d0ba29c4690320@mail.gmail.com> <223f97700906300149we52e8bet686c13f5b22ac56c@mail.gmail.com>
Message-ID: <223f97700906300837p4f53a87bve701093fa559df9e@mail.gmail.com>

2009/6/30 Robert Lopez:
> On Tue, Jun 30, 2009 at 2:49 AM, Glenn Steen wrote:
(snip)
> In the case of virus, discarding the file, as has been done, is
> perfectly acceptable.
> In the case of spam, it would be good to be able to recover any false positives.
> So the actions being taken are as desired.
> It is just the report texts which are not precisely matching the actions.
> I am preparing to modify all the stored.xxxxx.message.test files
> if that action does not cover up any other problem I should be addressing.
>
>
>> What are your settings in MailScanner.conf for
>> Deliver Disinfected Files
> Deliver Cleaned Messages = yes
> Deliver Disinfected Files = no
>> Silent Viruses
> Silent Viruses = HTML-IFrame All-Viruses
>> Still Deliver Silent Viruses
> Still Deliver Silent Viruses = no
>> Non-Forging Viruses
> Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/ eicar

Remove eicar from that one, and see if that gets you closer to how you
like things.

>> ClamAV Full Message Scan
> ClamAV Full Message Scan = yes
>

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From simon at kmun.gov.kw Tue Jun 30 20:03:07 2009
From: simon at kmun.gov.kw (Benedict simon)
Date: Tue Jun 30 19:37:54 2009
Subject: MailScanner --lint error
Message-ID: <69cea7fc990891820758b7fac95250c7.squirrel@webmail.baladia.gov.kw>

Dear All,

I had a Centos 5.3 server and recently upgraded my MailScanner to 4.77
and the latest clamAV+SA jules package.

Everything works fine, but I also installed f-prot 6 newly since I did
not have it before.

Now when I run MailScanner --lint I see the following:

------------------------
Read 854 hostnames from the phishing whitelist
Read 8256 hostnames from the phishing blacklists
Checking version numbers...
Version number in MailScanner.conf (4.77.10) is correct.
Your envelope_sender_header in spam.assassin.prefs.conf is correct.
Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
Connected to Processing Attempts Database
Created Processing Attempts Database successfully
There are 0 messages in the Processing Attempts Database
Using locktype = posix
MailScanner.conf says "Virus Scanners = f-prot clamav"
Found these virus scanners installed: clamavmodule, f-prot-6
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
xargs: /usr/local/f-prot/f-prot: Permission denied
./1/eicar.com: Eicar-Test-Signature FOUND
-------------------------

Just wondering what the permissions could be. Tried to change it to
1001:users but problem persists.

Appreciate your help.

Regards,
simon

--
Network ADMIN
-------------
KUWAIT MUNICIPALITY:

From garry at glendown.de Tue Jun 30 20:56:03 2009
From: garry at glendown.de (Garry)
Date: Tue Jun 30 20:56:29 2009
Subject: OT: Adding signatures to outgoing mails
Message-ID: <4A4A6DD3.60204@glendown.de>

Some time ago, I used Mailscanner slightly differently than intended, in
order to add custom signatures to outgoing mails... the place had 4
different companies, which all required a separate company signature.

On a new project, I could use this again, though I don't want to go
through the hassle of running a full MS install just to get automated
signatures added to outgoing mails ... anybody happen to know some *ix
tool or way to implement something similar? It would also be great if I
could make adding a signature depending on the sending domain, and
possibly even having some template fields that would be filled based on
a sender address ...

Tnx, -garry

From pumzika at gmail.com Tue Jun 30 22:11:36 2009
From: pumzika at gmail.com (Steve Barnes)
Date: Tue Jun 30 22:11:46 2009
Subject: Starting postfix from mailscanner
In-Reply-To: <2c6cf52a0906300813w6ef1cbd9q9cec2a2f31d71f71@mail.gmail.com>
References: <2c6cf52a0906300813w6ef1cbd9q9cec2a2f31d71f71@mail.gmail.com>
Message-ID: <76f60d7e0906301411j4934be17u6df1d8e5ffa13be7@mail.gmail.com>

> I know that when you install mailscanner with postfix, you are
> supposed to disable postfix starting on its own because mailscanner
> will turn it on. How does it do it and when?

Interesting. I've not seen any documentation to support this
(MailScanner starting Postfix itself) in all my reading to date -
where did you read about it?

I run Postfix with MailScanner and simply use the rc.d/rc.conf to
start Postfix and then start MailScanner...did I miss something? :)

Steve

From ms-list at alexb.ch Tue Jun 30 22:29:26 2009
From: ms-list at alexb.ch (Alex Broens)
Date: Tue Jun 30 22:29:35 2009
Subject: Starting postfix from mailscanner
In-Reply-To: <76f60d7e0906301411j4934be17u6df1d8e5ffa13be7@mail.gmail.com>
References: <2c6cf52a0906300813w6ef1cbd9q9cec2a2f31d71f71@mail.gmail.com> <76f60d7e0906301411j4934be17u6df1d8e5ffa13be7@mail.gmail.com>
Message-ID: <4A4A83B6.7070707@alexb.ch>

On 6/30/2009 11:11 PM, Steve Barnes wrote:
>> I know that when you install mailscanner with postfix, you are
>> supposed to disable postfix starting on its own because mailscanner
>> will turn it on. How does it do it and when?
>
> Interesting. I've not seen any documentation to support this
> (MailScanner starting Postfix itself) in all my reading to date -
> where did you read about it?
>
> I run Postfix with MailScanner and simply use the rc.d/rc.conf to
> start Postfix and then start MailScanner...did I miss something? :)

check out:
http://mailscanner.info/postfix.html

h2h

Alex

From rcooper at dwford.com Tue Jun 30 23:16:06 2009
From: rcooper at dwford.com (Rick Cooper)
Date: Tue Jun 30 23:16:25 2009
Subject: Clamd and deliver disinfected messages
In-Reply-To: <4A4A990C.8000302@gmail.com>
References: <4A4A990C.8000302@gmail.com>
Message-ID: <40E265489B714344AF0684DD22CD2703@SAHOMELT>

----Original Message----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Radek Burza
Sent: Tuesday, June 30, 2009 7:00 PM
To: mailscanner@lists.mailscanner.info
Subject: Clamd and deliver disinfected messages

> Hi!
> I have turned proper options to "yes" in MailScanner.conf "Deliver
> Disinfected Files" and "Deliver Disinfected Messages" but messages are
> not delivered to mailboxes. In logs I have found that clamd found
> viruses, but these messages are not delivered to mail boxes. It seems
> that clamd only finds and deletes whole messages despite these options.
> Please help
>

Clam antivirus does not disinfect anything. It also doesn't delete anything.
Since clamav in any incarnation does not disinfect anything there would
never be a disinfected file to deliver. There is no help as it is doing
exactly what its documentation states... Finds the files and lets you (in
this case MailScanner) handle them.

Rick